在 Java Web 应用程序中实现两因素身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3702379/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Implementing two-factor authentication into a Java web app
提问by BRR
I have an existing Java web application running through IBM WebSphere (I'm unsure of the version, but could find out if it helps) that I am looking to implement two factor authentication with.
我有一个通过 IBM WebSphere 运行的现有 Java Web 应用程序(我不确定版本,但可以找出它是否有帮助),我希望使用它来实现两因素身份验证。
The system has a decent user base, and I wanted to distribute hardware tokens to the admin users of the system to ensure strong authentication.
该系统有一个不错的用户群,我想将硬件令牌分发给系统的管理员用户以确保强身份验证。
Minimal impact to the end user is desirable, but I'd like to avoid having the admins need to go through a VPN connection.
对最终用户的影响最小是可取的,但我想避免管理员需要通过 VPN 连接。
Does anyone know of any products that provide Java APIs that could be directly integrated into the existing application or other products that will provide a minimal impact? I've already spoken with RSA SecurID, but their system wouldn't integrate directly and would require an infrastructure change. Any other ideas/experience is greatly appreciated.
有没有人知道任何提供 Java API 的产品可以直接集成到现有应用程序中,或者其他产品的影响最小?我已经与 RSA SecurID 谈过了,但他们的系统不会直接集成,需要更改基础架构。非常感谢任何其他想法/经验。
回答by Gray
For posterity, I've just posted my simple Java two factor authentication utility class to Github. With it, you can do something like the following:
对于后代,我刚刚将我的简单Java 两因素身份验证实用程序类发布到 Github。有了它,您可以执行以下操作:
TwoFactorAuthUtil twoFactorAuthUtil = new TwoFactorAuthUtil();
// To generate a secret use:
// String base32Secret = generateBase32Secret();
String base32Secret = "NY4A5CPJZ46LXZCP";
// now we can store this in the database associated with the account
// this is the name of the key which can be displayed by the authenticator program
String keyId = "[email protected]";
System.out.println("Image url = " + twoFactorAuthUtil.qrImageUrl(keyId, base32Secret));
// we can display this image to the user to let them load it into their auth program
// we can use the code here and compare it against user input
String code = twoFactorAuthUtil.generateCurrentNumber(base32Secret);
// this little loop is here to show how the number changes over time
while (true) {
long diff = TwoFactorAuthUtil.TIME_STEP_SECONDS
- ((System.currentTimeMillis() / 1000) % TwoFactorAuthUtil.TIME_STEP_SECONDS);
code = twoFactorAuthUtil.generateCurrentNumber(base32Secret);
System.out.println("Secret code = " + code + ", change in " + diff + " seconds");
Thread.sleep(1000);
}
回答by Bruno
If you want two-factor authentication via a TLS client-certificate, there are a few hardware cryptographic tokens out there. Java can load a PKCS#11 store out of the box, although some configuration may be required. How much of it is admin configuration vs. application configuration depends on the application (and sometimes on how 'locked' the terminal is w.r.t to inserting a USB token or having a card reader).
如果您希望通过 TLS 客户端证书进行双因素身份验证,则可以使用一些硬件加密令牌。Java 可以立即加载 PKCS#11 存储,但可能需要一些配置。管理配置与应用程序配置的多少取决于应用程序(有时取决于终端如何“锁定”以插入 USB 令牌或具有读卡器)。
There may be alternative solutions, such as One-Time Password tokens (which don't rely on certificates, but on unique passwords instead). This seems less heavy for the users. I must admit I've never tried it, but this project might be interesting: http://directory.apache.org/triplesec/(There are also hardware OTP keyrings, usually by the same vendors who do RSA cards/USB tokens).
可能有替代解决方案,例如一次性密码令牌(不依赖于证书,而是依赖于唯一的密码)。这对用户来说似乎不那么沉重。我必须承认我从未尝试过,但这个项目可能很有趣:http: //directory.apache.org/triplesec/(还有硬件 OTP 密钥环,通常由做 RSA 卡/USB 令牌的相同供应商提供) .
回答by nowen
We have API packages for Java (and php, ruby, python, and C#): http://www.wikidsystems.com/downloads/network-clientsfor the WiKID Strong Authentication system. These packages are LGPL, so you can also use them in commercial products. They work with both our open-source community version and the commercial Enterprise version.
我们有适用于 Java(以及 php、ruby、python 和 C#)的 API 包:http: //www.wikidsystems.com/downloads/network-clients用于 WiKID 强身份验证系统。这些软件包是 LGPL,因此您也可以在商业产品中使用它们。它们适用于我们的开源社区版本和商业企业版。
HTH,
哈,
Nick
缺口
回答by nowen
If you are able to use Spring Security we have a plugin which offers two factor authentication (physical and soft tokens) - www.cloudseal.com
如果您能够使用 Spring Security,我们有一个插件可以提供两因素身份验证(物理和软令牌) - www.cloudseal.com
