我有一个通过Java WebSphere运行的现有Java Web应用程序(我不确定该版本,但是可以找到它是否有帮助),我希望以此实现两要素身份验证。

该系统具有良好的用户基础,我想将硬件 token 分发给系统的管理员用户,以确保进行强身份验证。

希望对最终用户的影响最小,但是我想避免让管理员需要通过VPN连接。

有谁知道提供Java API且可以直接集成到现有应用程序中的产品或其他影响最小的产品?我已经讲过RSA SecurID,但是它们的系统无法直接集成,因此需要更改基础架构。任何其他想法/经验,我们将不胜感激。

最佳答案

为了后代,我刚刚发布了我的简单Java two factor authentication utility class to Github。使用它,您可以执行以下操作:

TwoFactorAuthUtil twoFactorAuthUtil = new TwoFactorAuthUtil();

// To generate a secret use:
// String base32Secret = generateBase32Secret();
String base32Secret = "NY4A5CPJZ46LXZCP";
// now we can store this in the database associated with the account

// this is the name of the key which can be displayed by the authenticator program
String keyId = "user@j256.com";
System.out.println("Image url = " + twoFactorAuthUtil.qrImageUrl(keyId, base32Secret));
// we can display this image to the user to let them load it into their auth program

// we can use the code here and compare it against user input
String code = twoFactorAuthUtil.generateCurrentNumber(base32Secret);

// this little loop is here to show how the number changes over time
while (true) {
    long diff = TwoFactorAuthUtil.TIME_STEP_SECONDS
        - ((System.currentTimeMillis() / 1000) % TwoFactorAuthUtil.TIME_STEP_SECONDS);
    code = twoFactorAuthUtil.generateCurrentNumber(base32Secret);
    System.out.println("Secret code = " + code + ", change in " + diff + " seconds");
    Thread.sleep(1000);
}

07-28 03:38
查看更多