Jan 17th, 2007, 10:20 AM
Saving Session Information in Acegi
I have a project that needs to enable a legacy JAAS authentication via a custom login module. The login module generates a challenge question from a user id and then requests a response from the user based on the generated challenge. It's similar to RSA keys.
The problem is that the login module populates an object that needs to be saved in the user session so that the generated challenge key spans the life of consecutive authentication attempts.
The steps work like the following:
1) User enters userid in login screen
2) LoginModule executes and generates challenge value
3) User sees a second screen with their userid and challenge value displayed
4) User enters challenge response
5) LoginModule executes and authenticates user
It looks like the UserDetails object is the correct place to put the additional information about the request, but I don't see how to keep the information across multiple authentication invocations.
Has anyone done anything similar?
Feb 26th, 2007, 01:37 PM
I've done something similar in the past. We used to have a self-service style authentication process (basically challenge/response questions). As this process was user specific (randomly choosing questions that had been answered) it had to be a two-stage process. The first stage gathered the username, went off and found the questions to ask. This was all stuffed into the session. The normal filter-based Acegi process was used for the second stage. The user entered the answers to the questions and this was all sent off to the server and then was packaged up as the Authentication token. It worked quite well.
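One way to wire up the two-stage flow described in this thread (stage 1 stores the challenge in the session, stage 2 packages it with the user's response into the Authentication token), as an added example that is neither the poster's code nor part of Acegi itself. It assumes Acegi 1.0 class names, a stage-1 servlet that stores the userid and generated challenge under the two session keys below, and an AuthenticationProvider (not shown) that accepts ChallengeResponseToken and drives the legacy LoginModule with the challenge and response it carries.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.ui.webapp.AuthenticationProcessingFilter;

// Assumed session attribute names: the stage-1 screen (userid entry) stores the
// userid it received and the challenge the LoginModule generated under these keys.
final class ChallengeKeys {
    static final String USER = "pendingChallengeUser";
    static final String CHALLENGE = "pendingChallenge";
}

// Token carrying the stage-1 challenge next to the user's response, so the
// AuthenticationProvider that drives the LoginModule never touches the session.
class ChallengeResponseToken extends UsernamePasswordAuthenticationToken {
    private final String challenge;
    ChallengeResponseToken(String userId, String response, String challenge) {
        super(userId, response);   // principal = userid, credentials = response
        this.challenge = challenge;
    }
    String getChallenge() { return challenge; }
}

// Stage-2 filter, configured in place of the stock AuthenticationProcessingFilter
// for the response form. The pending challenge is consumed on first use (so a
// captured response cannot be replayed in the same session) and the attempt is
// rejected if the userid posted now differs from the one stage 1 recorded.
class ChallengeResponseFilter extends AuthenticationProcessingFilter {
    public Authentication attemptAuthentication(HttpServletRequest request)
            throws AuthenticationException {
        HttpSession session = request.getSession(false);
        String pendingUser = null, challenge = null;
        if (session != null) {
            pendingUser = (String) session.getAttribute(ChallengeKeys.USER);
            challenge = (String) session.getAttribute(ChallengeKeys.CHALLENGE);
            session.removeAttribute(ChallengeKeys.USER);
            session.removeAttribute(ChallengeKeys.CHALLENGE);
        }
        String userId = obtainUsername(request);
        if (challenge == null || userId == null || !userId.equals(pendingUser)) {
            throw new BadCredentialsException("No pending challenge for this user/session");
        }
        ChallengeResponseToken token =
                new ChallengeResponseToken(userId, obtainPassword(request), challenge);
        setDetails(request, token);   // attaches remote address and session id
        return getAuthenticationManager().authenticate(token);
    }
}
```

Because the provider only ever sees what the token carries, a failed or abandoned attempt leaves nothing usable behind: the user has to go back through stage 1 to obtain a fresh challenge.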