Hi,
We are developing a web app to run on PASOE with OERealm SPA security model. Front end uses JSDO and Kendo UI with backend business entities exposed via REST service.
We have written a custom HybridRealm class to validate the user and password against our own user table in our database to authenticate the user, create a spring security token and login to the app which sets roles when the user is authenticated.
We want to add another layer of security by implementing a second factor for authentication, so after the user enters username and password, they are sent a code via SMS.
The way I can see this working is as follows:
1) User authenticates with username and password to create a session id, but if the back-end decides 2FA is required, it sends an SMS to the user and sets a specific role on login
2) URL intercept patterns only allow access to the resources to validate 2FA code when this specific role is set
3) 2FA page asks for code which uses invoke method on back-end to validate the code for current session
4) If code is valid, role is changed so access is allowed to core app resources
The issue I have here is determining how to change the role; as I can see it, this can only be done once on initial login and can't be changed/set again until the user logs out.
Any pointers/ideas would be great. Not sure what the PRE_AUTH_FILTER mechanism does, but perhaps this might help? A similar mechanism would be required for a force-password-change type feature.
Thanks
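One way the role change in step 4 can be done in the Spring Security layer that PASOE's web tier runs on, as an added example (not from the original post or from Progress): a servlet filter that, once the 2FA code verifies, replaces the current Authentication in the SecurityContext with one carrying the upgraded authorities. The role names, the `/rest/2fa/verify` path and the `OtpVerifier` interface are assumptions; the real code check belongs in the back-end and is only invoked here.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical step-up filter: after OTP verification, swap ROLE_PRE_2FA for ROLE_USER. */
public class StepUpFilter extends OncePerRequestFilter {
    static final String PRE_2FA = "ROLE_PRE_2FA"; // role HybridRealm assigns at password login (assumed name)
    static final String FULL = "ROLE_USER";       // role that unlocks the core app resources (assumed name)
    private final OtpVerifier verifier;           // hypothetical: checks the code for this user's session

    public StepUpFilter(OtpVerifier verifier) { this.verifier = verifier; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Only act on the 2FA endpoint, and only for a session still in the pre-2FA state.
        if ("/rest/2fa/verify".equals(req.getServletPath()) && auth != null && hasRole(auth, PRE_2FA)) {
            String code = req.getParameter("code");
            if (verifier.verify(auth.getName(), code)) { // verifier should be constant-time and rate-limited
                List<GrantedAuthority> upgraded = new ArrayList<>();
                for (GrantedAuthority g : auth.getAuthorities())
                    if (!PRE_2FA.equals(g.getAuthority())) upgraded.add(g); // drop the interim role
                upgraded.add(new SimpleGrantedAuthority(FULL));
                // The three-arg constructor marks the token authenticated; replacing it in the
                // context is what changes the roles <intercept-url> sees for the rest of the session.
                SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(auth.getPrincipal(), auth.getCredentials(), upgraded));
                req.changeSessionId(); // rotate the session id on privilege change (Servlet 3.1+)
            }
        }
        chain.doFilter(req, res);
    }

    private static boolean hasRole(Authentication a, String role) {
        for (GrantedAuthority g : a.getAuthorities()) if (role.equals(g.getAuthority())) return true;
        return false;
    }

    /** Hypothetical verifier contract; the actual code check lives in the back-end. */
    public interface OtpVerifier { boolean verify(String username, String code); }
}
```

The filter has to sit after Spring's security-context filter so the session-stored context is loaded and then re-saved with the new token; the intercept-url patterns would allow `/rest/2fa/**` for ROLE_PRE_2FA and require ROLE_USER everywhere else.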