You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@shiro.apache.org by Richard Wheeldon <ri...@voxsmart.com> on 2016/08/01 13:21:11 UTC

RE: Shiro and OTP / MFA

Thanks to you both for the advice. If I get something useful done I'll send you a request. I'll also take another look at StormPath,

Richard

From: Lenny Primak [mailto:lprimak@hope.nyc.ny.us]
Sent: Friday, July 29, 2016 5:27 PM
To: user@shiro.apache.org
Subject: Re: Shiro and OTP / MFA

Also, Stormpath supports this out of the box

On Jul 29, 2016, at 9:00 AM, Brian Demers <br...@gmail.com>> wrote:

Some of this is tricky  because it requires a bit of UI (which you don't get out of the box with Shiro)

And for password request, not all realms would support resetting passwords (for example some would require navigating to a different service, others the connection Shiro knows about is read only)

Restricting logins should be possible, any realm that uses a 'UsernamePasswordToken' has access to the servletRequest.remoteHost via the 'getHost()' method.

Anything that fits in Shiro itself would be welcome, send us a pull request!

I know Sonatype's Nexus<https://github.com/sonatype/nexus-public>[1], and a few other projects have password reset support, you could start there.

[1]https://github.com/sonatype/nexus-public