在Java Web应用程序中实现双因素身份验证

Question

I have an existing Java web application running through IBM WebSphere (I'm unsure of the version, but could find out if it helps) that I am looking to implement two factor authentication with.

The system has a decent user base, and I wanted to distribute hardware tokens to the admin users of the system to ensure strong authentication.

Minimal impact to the end user is desirable, but I'd like to avoid having the admins need to go through a VPN connection.

Does anyone know of any products that provide Java APIs that could be directly integrated into the existing application or other products that will provide a minimal impact? I've already spoken with RSA SecurID, but their system wouldn't integrate directly and would require an infrastructure change. Any other ideas/experience is greatly appreciated.

Answer 1

For posterity, I've just posted my simple Java two factor authentication utility class to Github . With it, you can do something like the following:

TwoFactorAuthUtil twoFactorAuthUtil = new TwoFactorAuthUtil();

// To generate a secret use:
// String base32Secret = generateBase32Secret();
String base32Secret = "NY4A5CPJZ46LXZCP";
// now we can store this in the database associated with the account

// this is the name of the key which can be displayed by the authenticator program
String keyId = "user@j256.com";
System.out.println("Image url = " + twoFactorAuthUtil.qrImageUrl(keyId, base32Secret));
// we can display this image to the user to let them load it into their auth program

// we can use the code here and compare it against user input
String code = twoFactorAuthUtil.generateCurrentNumber(base32Secret);

// this little loop is here to show how the number changes over time
while (true) {
    long diff = TwoFactorAuthUtil.TIME_STEP_SECONDS
        - ((System.currentTimeMillis() / 1000) % TwoFactorAuthUtil.TIME_STEP_SECONDS);
    code = twoFactorAuthUtil.generateCurrentNumber(base32Secret);
    System.out.println("Secret code = " + code + ", change in " + diff + " seconds");
    Thread.sleep(1000);
}

Answer 2

If you want two-factor authentication via a TLS client-certificate, there are a few hardware cryptographic tokens out there. Java can load a PKCS#11 store out of the box, although some configuration may be required. How much of it is admin configuration vs. application configuration depends on the application (and sometimes on how 'locked' the terminal is wrt to inserting a USB token or having a card reader).

There may be alternative solutions, such as One-Time Password tokens (which don't rely on certificates, but on unique passwords instead). This seems less heavy for the users. I must admit I've never tried it, but this project might be interesting: http://directory.apache.org/triplesec/ (There are also hardware OTP keyrings, usually by the same vendors who do RSA cards/USB tokens).

Answer 3

We have API packages for Java (and php, ruby, python, and C#): http://www.wikidsystems.com/downloads/network-clients for the WiKID Strong Authentication system. These packages are LGPL, so you can also use them in commercial products. They work with both our open-source community version and the commercial Enterprise version.

HTH,

Nick

Answer 4

如果您能够使用Spring Security，我们有一个插件，提供双因素身份验证（物理和软件令牌） - www.cloudseal.com