Saturday, February 22, 2014

Two factor authentication with Spring Security

In this blog post I would like to show you how you could implement (simulate) two factor authentication with Spring Security. If you would like to jump right to the code, have a look at my GitHub profile. To make the simple demo application easy to test, I have uploaded it to Heroku. Note that by default the application uses a single dyno (Heroku's term for a scalable unit) and goes to sleep after one hour of inactivity. This causes a delay of a few seconds for the first request; subsequent requests will perform normally.

I mentioned "simulate" previously since the demo application turns the two factor authentication problem into a normal authentication plus authorisation problem. When valid credentials (here: email and password) are provided, the PRE_AUTH_USER role is assigned to the user. With this role the user is authorised only to access the view where the verification code can be provided. If the correct verification code is provided, the user is granted the USER role, with which all the views can be accessed.

Below you can see how easy it is to configure Spring Security with the Java config introduced in version 3.2.

In order to support non-security related user information, the AccountRepository is adapted to the UserDetailsService, so Spring Security can use it as an authentication source.
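The two-role flow described above can be sketched as follows. This is an added example, not the code from the author's repository; the paths `/login` and `/code` and the class names are assumptions, and the `UserDetailsService` is assumed to return only `ROLE_PRE_AUTH_USER` after the password check.

```java
import java.util.Collections;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

@Configuration
@EnableWebSecurity
public class TwoStepSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Assumed paths: /login is public, /code is the verification view.
                .antMatchers("/login").permitAll()
                // A user who has only passed the password step may reach /code and nothing else.
                .antMatchers("/code").hasRole("PRE_AUTH_USER")
                // Every other view requires the role granted after the second step.
                .anyRequest().hasRole("USER")
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/code", true);
    }
}

/** Hypothetical helper: call only after the submitted verification code has been checked. */
final class SecondStepPromotion {
    static void promoteToUser() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        // Replace the authorities instead of adding to them, so PRE_AUTH_USER is dropped.
        Authentication promoted = new UsernamePasswordAuthenticationToken(
                current.getPrincipal(), current.getCredentials(),
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
        SecurityContextHolder.getContext().setAuthentication(promoted);
    }
}
```

Because `anyRequest().hasRole("USER")` is the default rule, a view added later is closed to half-authenticated sessions unless it is explicitly opened.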

For the second step verification a time based one time password (TOTP) verification algorithm is used, which is described very well here.

30 comments:

Unknown said...

Awesome that you can write out all the code for that. I am taking some html classes right now and trying to learn that. It seems very useful.

James | two factor authentication

Unknown said...

My cousin was telling me about this two factor authentication. He has been talking to me about it for awhile now too. I just want to learn more and more about this so I can actually talk to him.
Jak Manson | http://www.celestix.com

Jay said...

Thanks. But the Heroku link gives this error.

"Application Error
An error occurred in the application and your page could not be served. Please try again in a few moments.

If you are the application owner, check your logs for details."

Jay said...

Very useful article.

Is it possible to have all 3 fields (username, password, verification code) on a single page? If all 3 combinations are correct then set the Authorities on SecurityContext, else throw exceptions. I am able to implement up to the user / password combination. But I want to put a small piece of Java code for the OTP (two-factor authentication). But I am not sure where to put this piece of Java code. Should I use filters?

Thanks
Jay

Dipan said...

Great article. Succinct and accurate. What helped me immensely was your GitHub code that worked as a reference. I have used this to roll out an email based OTP solution using XML namespace configuration (since that is what was there from before).

Unknown said...

Two Factor Authentication has become very necessary for a website's security. Your article gives us a better understanding of the 2FA verification process. It can be done through different options like Bulk SMS, Email, Voice call etc.

Unknown said...

Great article. The code helps me. Accurate it is.
Regards,
Elliot
