I am planning to use Spring Security for a site that has a multi-step login.
Page 1 (get user ID & password)
Page 2 (can be seen if page 1 info is correct) (display security image)
Page 3 (get pin)
So the real authentication can only be done after Page 3.
After all credentials are collected, the request will be redirected, the security filter will catch that request, and authentication will be done. Until that point the filter will not catch any requests.
Where should the credentials and other user info be kept until the Page 3 request is done? The session can be used. Can they be kept in the SecurityContext Authentication object as well, and is that a good approach? Or, to use the SecurityContext Authentication object, should we wait until the user is authenticated?
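
One way to hold state between the three pages, as an added example that is not part of the original post: plain Java in which a `Map` stands in for the `HttpSession` and the `Authenticated` record stands in for the Authentication object that would be placed in the SecurityContext only after Page 3. All class, method and key names, and the sample user, are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Added illustration (Java 16+); every name here is hypothetical, not a Spring Security API.
public class MultiStepLogin {
    enum Step { PASSWORD_OK, IMAGE_SHOWN }
    // Pending state kept in the session: username and progress only, never password or PIN.
    record Pending(String username, Step step) {}
    // Stands in for the Authentication that goes into the SecurityContext after Page 3.
    record Authenticated(String username) {}

    static final String KEY = "pendingLogin";
    // Constructed sample store {password, pin}; a real store holds salted hashes.
    static final Map<String, String[]> USERS = Map.of("alice", new String[] {"pw-sample", "4821"});

    static boolean same(String a, String b) { // constant-time comparison
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    // Page 1: check the password now, then keep only the fact that it passed.
    static boolean submitPassword(Map<String, Object> session, String user, String password) {
        session.remove(KEY); // a new attempt discards any earlier progress
        String[] rec = USERS.get(user);
        if (rec == null || !same(rec[0], password)) return false;
        session.put(KEY, new Pending(user, Step.PASSWORD_OK));
        return true;
    }

    // Page 2: the security image is served only to a session that passed Page 1.
    static boolean showSecurityImage(Map<String, Object> session) {
        if (!(session.get(KEY) instanceof Pending p) || p.step() != Step.PASSWORD_OK) return false;
        session.put(KEY, new Pending(p.username(), Step.IMAGE_SHOWN));
        return true;
    }

    // Page 3: consume the pending state, so each PIN attempt requires redoing Pages 1 and 2.
    static Optional<Authenticated> submitPin(Map<String, Object> session, String pin) {
        if (!(session.remove(KEY) instanceof Pending p) || p.step() != Step.IMAGE_SHOWN) return Optional.empty();
        return same(USERS.get(p.username())[1], pin) ? Optional.of(new Authenticated(p.username())) : Optional.empty();
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // stands in for HttpSession attributes
        submitPassword(session, "alice", "pw-sample");
        System.out.println("PIN before Page 2: " + submitPin(session, "4821").isPresent());
        submitPassword(session, "alice", "pw-sample");
        showSecurityImage(session);
        System.out.println("PIN after Pages 1-2: " + submitPin(session, "4821").isPresent());
    }
}
```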


