I am planning to use Spring Security for a site with a multi-step login.
Page 1 (get userid & password)
Page 2 (can be seen if page 1 info is correct) (display security image)
Page 3 (get pin)
So the real authentication can only be done after Page 3.
After all credentials are collected, the request will be redirected, the security filter will catch that request, and authentication will be done. Until that point the filter will not catch any requests.
Where should the credentials and other user info be kept until the page 3 request is done? The session can be used. Can they be kept in the SecurityContext Authentication object as well, and is that a good approach? Or, to use the SecurityContext Authentication object, should we wait until the user is authenticated?
Yes, you can use the session, but it is not good practice to use the SecurityContext object.
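As an added example, not code from the original thread, here is one way to implement the answer above with Spring Security 6: the partial credentials from pages 1 and 2 live in an ordinary HttpSession attribute, and only the page-3 POST (assumed here to be /login/pin) is handled by an authentication filter, so nothing touches the SecurityContext until all three factors have been verified. The step-1 and step-2 controllers that create the PendingLogin attribute are assumed to exist and are not shown; PinStore is a hypothetical interface standing in for however the site stores PINs.

```java
// Added example, not from the original thread. Assumes Spring Security 6 (jakarta.servlet,
// Java 17). The controllers for pages 1 and 2 (assumed, not shown) store a PendingLogin in
// the session; this filter only runs for the page-3 POST to /login/pin (assumed URL).
import java.io.Serializable;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public final class MultiStepLogin {

    /** Partial login state kept in the HttpSession between page 1 and page 3. */
    public static final class PendingLogin implements Serializable {
        static final String SESSION_KEY = "PENDING_LOGIN";
        static final long MAX_AGE_MS = 5 * 60 * 1000L;   // abandon a half-finished flow after 5 minutes
        final String username;
        final String password;
        final long createdAt = System.currentTimeMillis();

        public PendingLogin(String username, String password) {
            this.username = username;
            this.password = password;
        }

        boolean expired() { return System.currentTimeMillis() - createdAt > MAX_AGE_MS; }
    }

    /** Carries the page-3 PIN to the provider through Authentication.getDetails(). */
    public record PinDetails(String pin) implements Serializable {}

    /** Hypothetical PIN lookup; a real one compares against a stored hash in constant time. */
    public interface PinStore { boolean matches(String username, String pin); }

    /** Matches only the page-3 POST; pages 1 and 2 never reach this filter. */
    public static final class PinLoginFilter extends AbstractAuthenticationProcessingFilter {
        public PinLoginFilter(AuthenticationManager authenticationManager) {
            super(new AntPathRequestMatcher("/login/pin", "POST"));
            setAuthenticationManager(authenticationManager);
            // A hand-registered filter defaults to a request-scoped repository; persist the
            // result in the session so the login outlives the page-3 request.
            setSecurityContextRepository(new HttpSessionSecurityContextRepository());
            // Drop the partial credentials whether page 3 succeeds or fails.
            setAuthenticationSuccessHandler((req, res, auth) -> { clearPending(req); res.sendRedirect("/"); });
            setAuthenticationFailureHandler((req, res, ex) -> { clearPending(req); res.sendRedirect("/login?error"); });
        }

        @Override
        public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
                throws AuthenticationException {
            HttpSession session = req.getSession(false);
            PendingLogin pending = session == null ? null
                    : (PendingLogin) session.getAttribute(PendingLogin.SESSION_KEY);
            if (pending == null || pending.expired()) {
                clearPending(req);
                throw new AuthenticationServiceException("No pending login; start again at page 1");
            }
            String pin = req.getParameter("pin");
            if (pin == null || pin.isBlank()) {
                throw new BadCredentialsException("PIN is required");
            }
            // Unauthenticated token: password from the session, PIN from this request.
            UsernamePasswordAuthenticationToken token =
                    new UsernamePasswordAuthenticationToken(pending.username, pending.password);
            token.setDetails(new PinDetails(pin));
            // Only a successful return from here is written to the SecurityContext by the base class.
            return getAuthenticationManager().authenticate(token);
        }

        private static void clearPending(HttpServletRequest req) {
            HttpSession session = req.getSession(false);
            if (session != null) session.removeAttribute(PendingLogin.SESSION_KEY);
        }
    }

    /** Verifies the password through a wrapped provider (e.g. DaoAuthenticationProvider), then the PIN. */
    public static final class PinAuthenticationProvider implements AuthenticationProvider {
        private final AuthenticationProvider passwordProvider;
        private final PinStore pins;

        public PinAuthenticationProvider(AuthenticationProvider passwordProvider, PinStore pins) {
            this.passwordProvider = passwordProvider;
            this.pins = pins;
        }

        @Override
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            if (!(auth.getDetails() instanceof PinDetails details)) {
                throw new BadCredentialsException("PIN missing");
            }
            Authentication verified = passwordProvider.authenticate(auth);   // throws on a bad password
            if (!pins.matches(verified.getName(), details.pin())) {
                throw new BadCredentialsException("Bad PIN");
            }
            return verified;
        }

        @Override
        public boolean supports(Class<?> authentication) { return passwordProvider.supports(authentication); }
    }
}
```

Wire it with `http.addFilterAt(new PinLoginFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class)` and register a `PinAuthenticationProvider` that wraps the site's `DaoAuthenticationProvider`. Because the SecurityContext is only populated when `authenticate()` returns, a half-finished flow never looks logged in to `isAuthenticated()` or `@PreAuthorize` checks, which is the risk of parking an unverified Authentication in the SecurityContext; the partial credentials sit in a plain session attribute with a short lifetime and are removed on success, failure or expiry.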
Thanks for the reply.
If some custom roles are used for the login pages, do you think there are still major risks? And what do you think the major risks are?
Is there anyone in this group who has implemented a web app with multi-step login pages? If there is, can you please share your knowledge?