Yubikey Support

Since version 5.182

The Payara API provides a way to authenticate with two identity stores using the @TwoIdentityStoreAuthenticationMechanismDefinition annotation. By default a user is validated if they are authenticated by any identity store, this mechanism will only validate them if both do.

Usage

The mechanism is defined through the @TwoIdentityStoreAuthenticationMechanismDefinition annotation. This should be accompanied with a configuration of any two identity stores in the application. Specifying this in a valid place as defined by the Security API will create the mechanism. Often this may mean that any class is a valid position. The mechanism works in a similar way to the form-based authentication mechanisms and requires calls to the SecurityContext.authenticate() when processing the form. If there are further calls to SecurityContext.authenticate() then an IllegalStateException will be thrown.

Example

TwoIdentityStoreAuthenticationMechanismDefinition(loginToContinue
        = @LoginToContinue(loginPage = "/Login", errorPage = "/Failure")
)

@WebServlet("/Login")
public class LoginServlet extends HttpServlet {

    @Inject
    private SecurityContext securityContext;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        PrintWriter out = resp.getWriter();
        printHeaders(out);
        out.println("<form action=\"Login\" method=\"post\">");
        out.println("Username: ");
        out.println("<input type=\"text\" name=\"username\"></br>");
        out.println("Password: ");
        out.println("<input type=\"password\" name=\"password\"></br>");
        out.println("Yubikey Code: ");
        out.println("<input type=\"password\" name=\"yubikey\"></br>");
        out.println("<input type=\"submit\" value=\"submit\"></input>");
        out.println("</form");
        out.println("</body></html>");
        out.flush();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {

        Credential firstCredential = new UsernamePasswordCredential(req.getParameter("username"), req.getParameter("password"));
        Credential secondCredential = new YubikeyCredential(req.getParameter("yubikey"));
        // First call to securityContext.authenticate()
        securityContext.authenticate(req, resp, new AuthenticationParameters().credential(firstCredential));
        // Second call to securityContext.authenticate()
        AuthenticationStatus status = securityContext.authenticate(req, resp, new AuthenticationParameters().credential(secondCredential));
        PrintWriter out = resp.getWriter();
        printHeaders(out);
        if (status.equals(AuthenticationStatus.SUCCESS)){
            out.println("Successfully logged in);
        } else {
            PrintWriter out = resp.getWriter();
            printHeaders(out);
            out.println("Failed to log in");
        }
        out.flush();
    }

    private void printHeaders(PrintWriter out){
        out.println("<html>");
        out.println("<head>");
        out.println("<title>Two Idenity Stores Authentication</title>");
        out.println("</head>");
        out.println("<body>");
    }

}

Configuration

The @TwoIdentityStoreAuthenticationMechanismDefinition annotation is configured with the option as shown below.

Configuration Options

Option Required Description

loginToContinue

true

A @LoginToContinue annotation defines the login page

results matching ""

    No results matching ""