Beefing Up Your Spring Security with Two-Factor Authentication

0485

Two-factor authentication adds an extra layer of security to your web application by asking users to provide a second form of identification. Common second factors include:

  • Authenticator codes
  • Biometrics
  • Email or Text Message codes

Let’s explore how you can add two-factor authentication to an existing web application by utilizing Nexmo.

Before you begin

In order to follow along with the tutorial you will need the following:

Get the Code

Clone the getting-started branch. 

git clone https://github.com/cr0wst/demo-twofactor.git <span>-b</span> getting-started
<span>cd </span>demo-twofactor
git clone https://github.com/cr0wst/demo-twofactor.git <span>-b</span> getting-started
<span>cd </span>demo-twofactor
git clone https://github.com/cr0wst/demo-twofactor.git -b getting-started
cd demo-twofactor

Let’s See What We’re Working With

The example application is built using Spring Boot. If you have Gradle installed on your system, you should be able to execute the bootRun task to start the application.

If not, no worries; the repository contains a Gradle wrapper which will still allow you to execute tasks. 

./gradlew bootRun
./gradlew bootRun
./gradlew bootRun

This will download any dependencies, compile the application, and start the embedded server.

Once the server has been started, you should be able to navigate to http://localhost:8080 to see the sample application.

There are three pages:

  • The home page – accessible by everybody.
  • The login page – allows users to enter a username and password (default is demo/demo).
  • The secret page – accessible only by users with the Role.USERS role.

Adding Two-Factor Authentication

When users log in, our only acceptance criteria is that they have provided a username and a password. What if this information was stolen? What is something that we could use which is physically located near the user?

There is something that I guarantee almost 90% of you, and our users, have within arm’s reach. A mobile phone.

Here’s how it’s going to work:

  1. The user will log in to our application as they normally do.
  2. They will be prompted to enter a four-digit verification code.
  3. Simultaneously, a four-digit verification code will be sent to the phone number on their account. If they don’t have a phone number on their account, we will allow them to bypass the two-factor authentication.
  4. The code that they enter will be checked to make sure it is the same one that we sent them.

We are going to utilize the Nexmo Verify API to generate the code and to check and see if the code they entered is valid.

Creating a New Role

The first step will be to create a new role. This role will be used to hold the authenticated user in a purgatory state until we have verified their identity.

Add the PRE_VERIFICATION_USER role to the Role enum. 

<span>// src/main/net/smcrow/demo/twofactor/user/Role.java</span>
<span>public</span> <span>enum</span> <span>Role</span> <span>implements</span> <span>GrantedAuthority</span> <span>{</span>
    <span>USER</span><span>,</span> <span>PRE_VERIFICATION_USER</span><span>;</span>
    <span>// ...</span>
<span>}</span>
<span>// src/main/net/smcrow/demo/twofactor/user/Role.java</span>
<span>public</span> <span>enum</span> <span>Role</span> <span>implements</span> <span>GrantedAuthority</span> <span>{</span>
    <span>USER</span><span>,</span> <span>PRE_VERIFICATION_USER</span><span>;</span>
    <span>// ...</span>
<span>}</span>
// src/main/net/smcrow/demo/twofactor/user/Role.java
public enum Role implements GrantedAuthority {
    USER, PRE_VERIFICATION_USER;
    // ...
}

In order for it to be applied as the default role, we need to update the getAuthorities() method of the StandardUserDetails class. 

<span>// src/main/net/smcrow/demo/twofactor/user/StandardUserDetails.java</span>
<span>@Override</span>
<span>public</span> <span>Collection</span><span><?</span> <span>extends</span> <span>GrantedAuthority</span><span>></span> <span>getAuthorities</span><span>()</span> <span>{</span>
    <span>Set</span><span><</span><span>GrantedAuthority</span><span>></span> <span>authorities</span> <span>=</span> <span>new</span> <span>HashSet</span><span><>();</span>
    <span>authorities</span><span>.</span><span>add</span><span>(</span><span>Role</span><span>.</span><span>PRE_VERIFICATION_USER</span><span>);</span>
    <span>return</span> <span>authorities</span><span>;</span>
<span>}</span>
<span>// src/main/net/smcrow/demo/twofactor/user/StandardUserDetails.java</span>
<span>@Override</span>
<span>public</span> <span>Collection</span><span><?</span> <span>extends</span> <span>GrantedAuthority</span><span>></span> <span>getAuthorities</span><span>()</span> <span>{</span>
    <span>Set</span><span><</span><span>GrantedAuthority</span><span>></span> <span>authorities</span> <span>=</span> <span>new</span> <span>HashSet</span><span><>();</span>
    <span>authorities</span><span>.</span><span>add</span><span>(</span><span>Role</span><span>.</span><span>PRE_VERIFICATION_USER</span><span>);</span>
    <span>return</span> <span>authorities</span><span>;</span>
<span>}</span>
// src/main/net/smcrow/demo/twofactor/user/StandardUserDetails.java
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    Set<GrantedAuthority> authorities = new HashSet<>();
    authorities.add(Role.PRE_VERIFICATION_USER);
    return authorities;
}

Handling Verification Information

Nexmo will provide us with a request id that will be used when confirming the code provided by the user. There are a variety of ways we can store this information. In this tutorial, we will be persisting it into a database.

Storing Verification Information

First, create a Verification class in the verify package. 

<span>// src/main/net/smcrow/demo/twofactor/verify/Verification.java</span>
<span>@Entity</span>
<span>public</span> <span>class</span> <span>Verification</span> <span>{</span>
    <span>@Id</span>
    <span>@Column</span><span>(</span><span>unique</span> <span>=</span> <span>true</span><span>,</span> <span>nullable</span> <span>=</span> <span>false</span><span>)</span>
    <span>private</span> <span>String</span> <span>phone</span><span>;</span>
    <span>@Column</span><span>(</span><span>nullable</span> <span>=</span> <span>false</span><span>)</span>
    <span>private</span> <span>String</span> <span>requestId</span><span>;</span>
    <span>@Column</span><span>(</span><span>nullable</span> <span>=</span> <span>false</span><span>)</span>
    <span>private</span> <span>Date</span> <span>expirationDate</span><span>;</span>
    <span>@PersistenceConstructor</span>
    <span>public</span> <span>Verification</span><span>()</span> <span>{</span>
        <span>// Empty constructor for JPA</span>
    <span>}</span>
    <span>public</span> <span>Verification</span><span>(</span><span>String</span> <span>phone</span><span>,</span> <span>String</span> <span>requestId</span><span>,</span> <span>Date</span> <span>expirationDate</span><span>)</span> <span>{</span>
        <span>this</span><span>.</span><span>phone</span> <span>=</span> <span>phone</span><span>;</span>
        <span>this</span><span>.</span><span>requestId</span> <span>=</span> <span>requestId</span><span>;</span>
        <span>this</span><span>.</span><span>expirationDate</span> <span>=</span> <span>expirationDate</span><span>;</span>
    <span>}</span>
    <span>// ... Getters and Setters</span>
<span>}</span>
<span>// src/main/net/smcrow/demo/twofactor/verify/Verification.java</span>
<span>@Entity</span>
<span>public</span> <span>class</span> <span>Verification</span> <span>{</span>
    <span>@Id</span>
    <span>@Column</span><span>(</span><span>unique</span> <span>=</span> <span>true</span><span>,</span> <span>nullable</span> <span>=</span> <span>false</span><span>)</span>
    <span>private</span> <span>String</span> <span>phone</span><span>;</span>

    <span>@Column</span><span>(</span><span>nullable</span> <span>=</span> <span>false</span><span>)</span>
    <span>private</span> <span>String</span> <span>requestId</span><span>;</span>

    <span>@Column</span><span>(</span><span>nullable</span> <span>=</span> <span>false</span><span>)</span>
    <span>private</span> <span>Date</span> <span>expirationDate</span><span>;</span>

    <span>@PersistenceConstructor</span>
    <span>public</span> <span>Verification</span><span>()</span> <span>{</span>
        <span>// Empty constructor for JPA</span>
    <span>}</span>

    <span>public</span> <span>Verification</span><span>(</span><span>String</span> <span>phone</span><span>,</span> <span>String</span> <span>requestId</span><span>,</span> <span>Date</span> <span>expirationDate</span><span>)</span> <span>{</span>
        <span>this</span><span>.</span><span>phone</span> <span>=</span> <span>phone</span><span>;</span>
        <span>this</span><span>.</span><span>requestId</span> <span>=</span> <span>requestId</span><span>;</span>
        <span>this</span><span>.</span><span>expirationDate</span> <span>=</span> <span>expirationDate</span><span>;</span>
    <span>}</span>

    <span>// ... Getters and Setters</span>
<span>}</span>
// src/main/net/smcrow/demo/twofactor/verify/Verification.java
@Entity
public class Verification {
    @Id
    @Column(unique = true, nullable = false)
    private String phone;

    @Column(nullable = false)
    private String requestId;

    @Column(nullable = false)
    private Date expirationDate;

    @PersistenceConstructor
    public Verification() {
        // Empty constructor for JPA
    }

    public Verification(String phone, String requestId, Date expirationDate) {
        this.phone = phone;
        this.requestId = requestId;
        this.expirationDate = expirationDate;
    }

    // ... Getters and Setters
}

Notice, we are also storing the expirationDate. By default, the Verify API requests are only valid for five minutes. They will get deleted from the table when either:

  • The user has successfully verified their identity.
  • They are expired.

We will take advantage of Spring scheduler to clean them up periodically.

Working with the Verification Information

Create the VerificationRepository interface in the verify package. 

<span>// src/mainnet/smcrow/demo/twofactor/verify/VerificationRepository.java</span>
<span>@Repository</span>
<span>public</span> <span>interface</span> <span>VerificationRepository</span> <span>extends</span> <span>JpaRepository</span><span><</span><span>Verification</span><span>,</span> <span>String</span><span>></span> <span>{</span>
    <span>Optional</span><span><</span><span>Verification</span><span>></span> <span>findByPhone</span><span>(</span><span>String</span> <span>phone</span><span>);</span>
    <span>void</span> <span>deleteByExpirationDateBefore</span><span>(</span><span>Date</span> <span>date</span><span>);</span>
<span>}</span>
<span>// src/mainnet/smcrow/demo/twofactor/verify/VerificationRepository.java</span>
<span>@Repository</span>
<span>public</span> <span>interface</span> <span>VerificationRepository</span> <span>extends</span> <span>JpaRepository</span><span><</span><span>Verification</span><span>,</span> <span>String</span><span>></span> <span>{</span>
    <span>Optional</span><span><</span><span>Verification</span><span>></span> <span>findByPhone</span><span>(</span><span>String</span> <span>phone</span><span>);</span>

    <span>void</span> <span>deleteByExpirationDateBefore</span><span>(</span><span>Date</span> <span>date</span><span>);</span>
<span>}</span>
// src/mainnet/smcrow/demo/twofactor/verify/VerificationRepository.java
@Repository
public interface VerificationRepository extends JpaRepository<Verification, String> {
    Optional<Verification> findByPhone(String phone);

    void deleteByExpirationDateBefore(Date date);
}

Deleting Expired Requests

In the twofactor package, create the following configuration class. 

<span>// src/main/net/smcrow/demo/twofactor/ScheduleConfiguration.java</span>
<span>@Configuration</span>
<span>@EnableScheduling</span>
<span>public</span> <span>class</span> <span>ScheduleConfiguration</span> <span>{</span>
    <span>@Autowired</span>
    <span>private</span> <span>VerificationRepository</span> <span>verificationRepository</span><span>;</span>
    <span>@Scheduled</span><span>(</span><span>fixedDelay</span> <span>=</span> <span>1000</span><span>)</span>
    <span>@Transactional</span>
    <span>public</span> <span>void</span> <span>purgeExpiredVerifications</span><span>()</span> <span>{</span>
        <span>verificationRepository</span><span>.</span><span>deleteByExpirationDateBefore</span><span>(</span><span>new</span> <span>Date</span><span>());</span>
    <span>}</span>
<span>}</span>
<span>// src/main/net/smcrow/demo/twofactor/ScheduleConfiguration.java</span>
<span>@Configuration</span>
<span>@EnableScheduling</span>
<span>public</span> <span>class</span> <span>ScheduleConfiguration</span> <span>{</span>
    <span>@Autowired</span>
    <span>private</span> <span>VerificationRepository</span> <span>verificationRepository</span><span>;</span>

    <span>@Scheduled</span><span>(</span><span>fixedDelay</span> <span>=</span> <span>1000</span><span>)</span>
    <span>@Transactional</span>
    <span>public</span> <span>void</span> <span>purgeExpiredVerifications</span><span>()</span> <span>{</span>
        <span>verificationRepository</span><span>.</span><span>deleteByExpirationDateBefore</span><span>(</span><span>new</span> <span>Date</span><span>());</span>
    <span>}</span>
<span>}</span>
// src/main/net/smcrow/demo/twofactor/ScheduleConfiguration.java
@Configuration
@EnableScheduling
public class ScheduleConfiguration {
    @Autowired
    private VerificationRepository verificationRepository;

    @Scheduled(fixedDelay = 1000)
    @Transactional
    public void purgeExpiredVerifications() {
        verificationRepository.deleteByExpirationDateBefore(new Date());
    }
}

This will set up a scheduled command to be executed every second that will query for any expired Verification entities and delete them.

Setting Up the Nexmo Client

We will be using the nexmo-java client for interacting with Nexmo.

Declare the Dependency

First, declare the following dependency in the build.gradle file. 

<span>dependencies</span> <span>{</span>
    <span>// .. other dependencies</span>
    <span>compile</span><span>(</span><span>'</span><span>com</span><span>.</span><span>nexmo</span><span>:</span><span>client:</span><span>3.3</span><span>.</span><span>0</span><span>'</span><span>)</span>
<span>}</span>
<span>dependencies</span> <span>{</span>
    <span>// .. other dependencies</span>
    <span>compile</span><span>(</span><span>'</span><span>com</span><span>.</span><span>nexmo</span><span>:</span><span>client:</span><span>3.3</span><span>.</span><span>0</span><span>'</span><span>)</span>
<span>}</span>
dependencies {
    // .. other dependencies
    compile('com.nexmo:client:3.3.0')
}

Provide Information

Now, define the following information in the application.properties file. 

<span># Add your nexmo credentials</span>
nexmo.api.key<span>=</span>your-api-key
nexmo.api.secret<span>=</span>your-api-secret
<span># Add your nexmo credentials</span>
nexmo.api.key<span>=</span>your-api-key
nexmo.api.secret<span>=</span>your-api-secret
# Add your nexmo credentials
nexmo.api.key=your-api-key
nexmo.api.secret=your-api-secret

Define the Beans

Next, we are going to define the NexmoClient and VerifyClient as beans. This will allow Spring to inject them as dependencies into our NexmoVerificationService.

Add the following definitions to the TwoFactorApplication class. 

<span>// src/main/net/smcrow/demo/twofactor/TwofactorApplication.java</span>
<span>@Bean</span>
<span>public</span> <span>NexmoClient</span> <span>nexmoClient</span><span>(</span><span>Environment</span> <span>environment</span><span>)</span> <span>{</span>
    <span>AuthMethod</span> <span>auth</span> <span>=</span> <span>new</span> <span>TokenAuthMethod</span><span>(</span>
            <span>environment</span><span>.</span><span>getProperty</span><span>(</span><span>"nexmo.api.key"</span><span>),</span>
            <span>environment</span><span>.</span><span>getProperty</span><span>(</span><span>"nexmo.api.secret"</span><span>)</span>
    <span>);</span>
    <span>return</span> <span>new</span> <span>NexmoClient</span><span>(</span><span>auth</span><span>);</span>
<span>}</span>
<span>@Bean</span>
<span>public</span> <span>VerifyClient</span> <span>nexmoVerifyClient</span><span>(</span><span>NexmoClient</span> <span>nexmoClient</span><span>)</span> <span>{</span>
    <span>return</span> <span>nexmoClient</span><span>.</span><span>getVerifyClient</span><span>();</span>
<span>}</span>
<span>// src/main/net/smcrow/demo/twofactor/TwofactorApplication.java</span>
<span>@Bean</span>
<span>public</span> <span>NexmoClient</span> <span>nexmoClient</span><span>(</span><span>Environment</span> <span>environment</span><span>)</span> <span>{</span>
    <span>AuthMethod</span> <span>auth</span> <span>=</span> <span>new</span> <span>TokenAuthMethod</span><span>(</span>
            <span>environment</span><span>.</span><span>getProperty</span><span>(</span><span>"nexmo.api.key"</span><span>),</span>
            <span>environment</span><span>.</span><span>getProperty</span><span>(</span><span>"nexmo.api.secret"</span><span>)</span>
    <span>);</span>
    <span>return</span> <span>new</span> <span>NexmoClient</span><span>(</span><span>auth</span><span>);</span>
<span>}</span>

<span>@Bean</span>
<span>public</span> <span>VerifyClient</span> <span>nexmoVerifyClient</span><span>(</span><span>NexmoClient</span> <span>nexmoClient</span><span>)</span> <span>{</span>
    <span>return</span> <span>nexmoClient</span><span>.</span><span>getVerifyClient</span><span>();</span>
<span>}</span>
// src/main/net/smcrow/demo/twofactor/TwofactorApplication.java
@Bean
public NexmoClient nexmoClient(Environment environment) {
    AuthMethod auth = new TokenAuthMethod(
            environment.getProperty("nexmo.api.key"),
            environment.getProperty("nexmo.api.secret")
    );
    return new NexmoClient(auth);
}

@Bean
public VerifyClient nexmoVerifyClient(NexmoClient nexmoClient) {
    return nexmoClient.getVerifyClient();
}

Create the NexmoVerificationService

We are going to create a service that will allow us to instruct the client to make requests.

Add the NexmoVerificationService to the verify package. 

<span>// src/main/net/smcrow/demo/twofactor/verify/NexmoVerificationService.java</span>
<span>@Service</span>
<span>public</span> <span>class</span> <span>NexmoVerificationService</span> <span>{</span>
    <span>private</span> <span>static</span> <span>final</span> <span>String</span> <span>APPLICATION_BRAND</span> <span>=</span> <span>"2FA Demo"</span><span>;</span>
    <span>private</span> <span>static</span> <span>final</span> <span>int</span> <span>EXPIRATION_INTERVALS</span> <span>=</span> <span>Calendar</span><span>.</span><span>MINUTE</span><span>;</span>
    <span>private</span> <span>static</span> <span>final</span> <span>int</span> <span>EXPIRATION_INCREMENT</span> <span>=</span> <span>5</span><span>;</span>
    <span>@Autowired</span>
    <span>private</span> <span>VerificationRepository</span> <span>verificationRepository</span><span>;</span>
    <span>@Autowired</span>
    <span>private</span> <span>UserRepository</span> <span>userRepository</span><span>;</span>
    <span>@Autowired</span>
    <span>private</span> <span>VerifyClient</span> <span>verifyClient</span><span>;</span>
    <span>public</span> <span>Verification</span> <span>requestVerification</span><span>(</span><span>String</span> <span>phone</span><span>)</span> <span>throws</span> <span>VerificationRequestFailedException</span> <span>{</span>
        <span>Optional</span><span><</span><span>Verification</span><span>></span> <span>matches</span> <span>=</span> <span>verificationRepository</span><span>.</span><span>findByPhone</span><span>(</span><span>phone</span><span>);</span>
        <span>if</span> <span>(</span><span>matches</span><span>.</span><span>isPresent</span><span>())</span> <span>{</span>
            <span>return</span> <span>matches</span><span>.</span><span>get</span><span>();</span>
        <span>}</span>
        <span>return</span> <span>generateAndSaveNewVerification</span><span>(</span><span>phone</span><span>);</span>
    <span>}</span>
    <span>public</span> <span>boolean</span> <span>verify</span><span>(</span><span>String</span> <span>phone</span><span>,</span> <span>String</span> <span>code</span><span>)</span> <span>throws</span> <span>VerificationRequestFailedException</span> <span>{</span>
        <span>try</span> <span>{</span>
            <span>Verification</span> <span>verification</span> <span>=</span> <span>retrieveVerification</span><span>(</span><span>phone</span><span>);</span>
            <span>if</span> <span>(</span><span>verifyClient</span><span>.</span><span>check</span><span>(</span><span>verification</span><span>.</span><span>getRequestId</span><span>(),</span> <span>code</span><span>).</span><span>getStatus</span><span>()</span> <span>==</span> <span>0</span><span>)</span> <span>{</span>
                <span>verificationRepository</span><span>.</span><span>delete</span><span>(</span><span>phone</span><span>);</span>
                <span>return</span> <span>true</span><span>;</span>
            <span>}</span>
            <span>return</span> <span>false</span><span>;</span>
        <span>}</span> <span>catch</span> <span>(</span><span>VerificationNotFoundException</span> <span>e</span><span>)</span> <span>{</span>
            <span>requestVerification</span><span>(</span><span>phone</span><span>);</span>
            <span>return</span> <span>false</span><span>;</span>
        <span>}</span> <span>catch</span> <span>(</span><span>IOException</span> <span>|</span> <span>NexmoClientException</span> <span>e</span><span>)</span> <span>{</span>
            <span>throw</span> <span>new</span> <span>VerificationRequestFailedException</span><span>(</span><span>e</span><span>);</span>
        <span>}</span>
    <span>}</span>
    <span>private</span> <span>Verification</span> <span>retrieveVerification</span><span>(</span><span>String</span> <span>phone</span><span>)</span> <span>throws</span> <span>VerificationNotFoundException</span> <span>{</span>
        <span>Optional</span><span><</span><span>Verification</span><span>></span> <span>matches</span> <span>=</span> <span>verificationRepository</span><span>.</span><span>findByPhone</span><span>(</span><span>phone</span><span>);</span>
        <span>if</span> <span>(</span><span>matches</span><span>.</span><span>isPresent</span><span>())</span> <span>{</span>
            <span>return</span> <span>matches</span><span>.</span><span>get</span><span>();</span>
        <span>}</span>
        <span>throw</span> <span>new</span> <span>VerificationNotFoundException</span><span>();</span>
    <span>}</span>
    <span>private</span> <span>Verification</span> <span>generateAndSaveNewVerification</span><span>(</span><span>String</span> <span>phone</span><span>)</span> <span>throws</span> <span>VerificationRequestFailedException</span> <span>{</span>
        <span>try</span> <span>{</span>
            <span>VerifyResult</span> <span>result</span> <span>=</span> <span>verifyClient</span><span>.</span><span>verify</span><span>(</span><span>phone</span><span>,</span> <span>APPLICATION_BRAND</span><span>);</span>
            <span>if</span> <span>(</span><span>StringUtils</span><span>.</span><span>isBlank</span><span>(</span><span>result</span><span>.</span><span>getErrorText</span><span>()))</span> <span>{</span>
                <span>String</span> <span>requestId</span> <span>=</span> <span>result</span><span>.</span><span>getRequestId</span><span>();</span>
                <span>Calendar</span> <span>now</span> <span>=</span> <span>Calendar</span><span>.</span><span>getInstance</span><span>();</span>
                <span>now</span><span>.</span><span>add</span><span>(</span><span>EXPIRATION_INTERVALS</span><span>,</span> <span>EXPIRATION_INCREMENT</span><span>);</span>
                <span>Verification</span> <span>verification</span> <span>=</span> <span>new</span> <span>Verification</span><span>(</span><span>phone</span><span>,</span> <span>requestId</span><span>,</span> <span>now</span><span>.</span><span>getTime</span><span>());</span>
                <span>return</span> <span>verificationRepository</span><span>.</span><span>save</span><span>(</span><span>verification</span><span>);</span>
            <span>}</span>
        <span>}</span> <span>catch</span> <span>(</span><span>IOException</span> <span>|</span> <span>NexmoClientException</span> <span>e</span><span>)</span> <span>{</span>
            <span>throw</span> <span>new</span> <span>VerificationRequestFailedException</span><span>(</span><span>e</span><span>);</span>
        <span>}</span>
        <span>throw</span> <span>new</span> <span>VerificationRequestFailedException</span><span>();</span>
    <span>}</span>
<span>}</span>
<span>// src/main/net/smcrow/demo/twofactor/verify/NexmoVerificationService.java</span>
<span>@Service</span>
<span>public</span> <span>class</span> <span>NexmoVerificationService</span> <span>{</span>
    <span>private</span> <span>static</span> <span>final</span> <span>String</span> <span>APPLICATION_BRAND</span> <span>=</span> <span>"2FA Demo"</span><span>;</span>
    <span>private</span> <span>static</span> <span>final</span> <span>int</span> <span>EXPIRATION_INTERVALS</span> <span>=</span> <span>Calendar</span><span>.</span><span>MINUTE</span><span>;</span>
    <span>private</span> <span>static</span> <span>final</span> <span>int</span> <span>EXPIRATION_INCREMENT</span> <span>=</span> <span>5</span><span>;</span>
    <span>@Autowired</span>
    <span>private</span> <span>VerificationRepository</span> <span>verificationRepository</span><span>;</span>

    <span>@Autowired</span>
    <span>private</span> <span>UserRepository</span> <span>userRepository</span><span>;</span>

    <span>@Autowired</span>
    <span>private</span> <span>VerifyClient</span> <span>verifyClient</span><span>;</span>

    <span>public</span> <span>Verification</span> <span>requestVerification</span><span>(</span><span>String</span> <span>phone</span><span>)</span> <span>throws</span> <span>VerificationRequestFailedException</span> <span>{</span>
        <span>Optional</span><span><</span><span>Verification</span><span>></span> <span>matches</span> <span>=</span> <span>verificationRepository</span><span>.</span><span>findByPhone</span><span>(</span><span>phone</span><span>);</span>
        <span>if</span> <span>(</span><span>matches</span><span>.</span><span>isPresent</span><span>())</span> <span>{</span>
            <span>return</span> <span>matches</span><span>.</span><span>get</span><span>();</span>
        <span>}</span>

        <span>return</span> <span>generateAndSaveNewVerification</span><span>(</span><span>phone</span><span>);</span>
    <span>}</span>

    <span>public</span> <span>boolean</span> <span>verify</span><span>(</span><span>String</span> <span>phone</span><span>,</span> <span>String</span> <span>code</span><span>)</span> <span>throws</span> <span>VerificationRequestFailedException</span> <span>{</span>
        <span>try</span> <span>{</span>
            <span>Verification</span> <span>verification</span> <span>=</span> <span>retrieveVerification</span><span>(</span><span>phone</span><span>);</span>
            <span>if</span> <span>(</span><span>verifyClient</span><span>.</span><span>check</span><span>(</span><span>verification</span><span>.</span><span>getRequestId</span><span>(),</span> <span>code</span><span>).</span><span>getStatus</span><span>()</span> <span>==</span> <span>0</span><span>)</span> <span>{</span>
                <span>verificationRepository</span><span>.</span><span>delete</span><span>(</span><span>phone</span><span>);</span>
                <span>return</span> <span>true</span><span>;</span>
            <span>}</span>

            <span>return</span> <span>false</span><span>;</span>
        <span>}</span> <span>catch</span> <span>(</span><span>VerificationNotFoundException</span> <span>e</span><span>)</span> <span>{</span>
            <span>requestVerification</span><span>(</span><span>phone</span><span>);</span>
            <span>return</span> <span>false</span><span>;</span>
        <span>}</span> <span>catch</span> <span>(</span><span>IOException</span> <span>|</span> <span>NexmoClientException</span> <span>e</span><span>)</span> <span>{</span>
            <span>throw</span> <span>new</span> <span>VerificationRequestFailedException</span><span>(</span><span>e</span><span>);</span>
        <span>}</span>
    <span>}</span>

    <span>private</span> <span>Verification</span> <span>retrieveVerification</span><span>(</span><span>String</span> <span>phone</span><span>)</span> <span>throws</span> <span>VerificationNotFoundException</span> <span>{</span>
        <span>Optional</span><span><</span><span>Verification</span><span>></span> <span>matches</span> <span>=</span> <span>verificationRepository</span><span>.</span><span>findByPhone</span><span>(</span><span>phone</span><span>);</span>
        <span>if</span> <span>(</span><span>matches</span><span>.</span><span>isPresent</span><span>())</span> <span>{</span>
            <span>return</span> <span>matches</span><span>.</span><span>get</span><span>();</span>
        <span>}</span>

        <span>throw</span> <span>new</span> <span>VerificationNotFoundException</span><span>();</span>
    <span>}</span>

    <span>private</span> <span>Verification</span> <span>generateAndSaveNewVerification</span><span>(</span><span>String</span> <span>phone</span><span>)</span> <span>throws</span> <span>VerificationRequestFailedException</span> <span>{</span>
        <span>try</span> <span>{</span>
            <span>VerifyResult</span> <span>result</span> <span>=</span> <span>verifyClient</span><span>.</span><span>verify</span><span>(</span><span>phone</span><span>,</span> <span>APPLICATION_BRAND</span><span>);</span>
            <span>if</span> <span>(</span><span>StringUtils</span><span>.</span><span>isBlank</span><span>(</span><span>result</span><span>.</span><span>getErrorText</span><span>()))</span> <span>{</span>
                <span>String</span> <span>requestId</span> <span>=</span> <span>result</span><span>.</span><span>getRequestId</span><span>();</span>
                <span>Calendar</span> <span>now</span> <span>=</span> <span>Calendar</span><span>.</span><span>getInstance</span><span>();</span>
                <span>now</span><span>.</span><span>add</span><span>(</span><span>EXPIRATION_INTERVALS</span><span>,</span> <span>EXPIRATION_INCREMENT</span><span>);</span>

                <span>Verification</span> <span>verification</span> <span>=</span> <span>new</span> <span>Verification</span><span>(</span><span>phone</span><span>,</span> <span>requestId</span><span>,</span> <span>now</span><span>.</span><span>getTime</span><span>());</span>
                <span>return</span> <span>verificationRepository</span><span>.</span><span>save</span><span>(</span><span>verification</span><span>);</span>
            <span>}</span>
        <span>}</span> <span>catch</span> <span>(</span><span>IOException</span> <span>|</span> <span>NexmoClientException</span> <span>e</span><span>)</span> <span>{</span>
            <span>throw</span> <span>new</span> <span>VerificationRequestFailedException</span><span>(</span><span>e</span><span>);</span>
        <span>}</span>

        <span>throw</span> <span>new</span> <span>VerificationRequestFailedException</span><span>();</span>
    <span>}</span>
<span>}</span>
// src/main/net/smcrow/demo/twofactor/verify/NexmoVerificationService.java
@Service
public class NexmoVerificationService {
    private static final String APPLICATION_BRAND = "2FA Demo";
    private static final int EXPIRATION_INTERVALS = Calendar.MINUTE;
    private static final int EXPIRATION_INCREMENT = 5;
    @Autowired
    private VerificationRepository verificationRepository;

    @Autowired
    private UserRepository userRepository;

    @Autowired
    private VerifyClient verifyClient;

    public Verification requestVerification(String phone) throws VerificationRequestFailedException {
        Optional<Verification> matches = verificationRepository.findByPhone(phone);
        if (matches.isPresent()) {
            return matches.get();
        }

        return generateAndSaveNewVerification(phone);
    }

    public boolean verify(String phone, String code) throws VerificationRequestFailedException {
        try {
            Verification verification = retrieveVerification(phone);
            if (verifyClient.check(verification.getRequestId(), code).getStatus() == 0) {
                verificationRepository.delete(phone);
                return true;
            }

            return false;
        } catch (VerificationNotFoundException e) {
            requestVerification(phone);
            return false;
        } catch (IOException | NexmoClientException e) {
            throw new VerificationRequestFailedException(e);
        }
    }

    private Verification retrieveVerification(String phone) throws VerificationNotFoundException {
        Optional<Verification> matches = verificationRepository.findByPhone(phone);
        if (matches.isPresent()) {
            return matches.get();
        }

        throw new VerificationNotFoundException();
    }

    private Verification generateAndSaveNewVerification(String phone) throws VerificationRequestFailedException {
        try {
            VerifyResult result = verifyClient.verify(phone, APPLICATION_BRAND);
            if (StringUtils.isBlank(result.getErrorText())) {
                String requestId = result.getRequestId();
                Calendar now = Calendar.getInstance();
                now.add(EXPIRATION_INTERVALS, EXPIRATION_INCREMENT);

                Verification verification = new Verification(phone, requestId, now.getTime());
                return verificationRepository.save(verification);
            }
        } catch (IOException | NexmoClientException e) {
            throw new VerificationRequestFailedException(e);
        }

        throw new VerificationRequestFailedException();
    }
}

There are two main methods in this class:

  • requestVerficiation which is used to, well, request verification.
  • verify which is used to verify the provided code provided by the user.

The requestVerification Method

The method first checks to see if we already have a pending verification request for the user’s phone number. This allows us to serve the same request id to the user if they attempt to log in to the application again.

If there isn’t any prior verification, then a new verification code is requested and saved to the database. If for some reason, we are unable to assign them a new code a VerificationRequestFailedException is thrown.

Add this exception to the verify package. 

<span>// src/main/net/smcrow/demo/twofactor/verify/VerificationRequestFailedException.java</span>
<span>public</span> <span>class</span> <span>VerificationRequestFailedException</span> <span>extends</span> <span>Throwable</span> <span>{</span>
    <span>public</span> <span>VerificationRequestFailedException</span><span>()</span> <span>{</span>
        <span>this</span><span>(</span><span>"Failed to verify request."</span><span>);</span>
    <span>}</span>
    <span>public</span> <span>VerificationRequestFailedException</span><span>(</span><span>String</span> <span>message</span><span>)</span> <span>{</span>
        <span>super</span><span>(</span><span>message</span><span>);</span>
    <span>}</span>
    <span>public</span> <span>VerificationRequestFailedException</span><span>(</span><span>Throwable</span> <span>cause</span><span>)</span> <span>{</span>
        <span>super</span><span>(</span><span>cause</span><span>);</span>
    <span>}</span>
<span>}</span>
<span>// src/main/net/smcrow/demo/twofactor/verify/VerificationRequestFailedException.java</span>
<span>public</span> <span>class</span> <span>VerificationRequestFailedException</span> <span>extends</span> <span>Throwable</span> <span>{</span>
    <span>public</span> <span>VerificationRequestFailedException</span><span>()</span> <span>{</span>
        <span>this</span><span>(</span><span>"Failed to verify request."</span><span>);</span>
    <span>}</span>

    <span>public</span> <span>VerificationRequestFailedException</span><span>(</span><span>String</span> <span>message</span><span>)</span> <span>{</span>
        <span>super</span><span>(</span><span>message</span><span>);</span>
    <span>}</span>

    <span>public</span> <span>VerificationRequestFailedException</span><span>(</span><span>Throwable</span> <span>cause</span><span>)</span> <span>{</span>
        <span>super</span><span>(</span><span>cause</span><span>);</span>
    <span>}</span>
<span>}</span>
// src/main/net/smcrow/demo/twofactor/verify/VerificationRequestFailedException.java
public class VerificationRequestFailedException extends Throwable {
    public VerificationRequestFailedException() {
        this("Failed to verify request.");
    }

    public VerificationRequestFailedException(String message) {
        super(message);
    }

    public VerificationRequestFailedException(Throwable cause) {
        super(cause);
    }
}

The verify Method

The verify method sends the request id and code to Nexmo for verification. Nexmo returns a status of zero if the verification was successful. On successful verification, the Verification entity is removed from the database, and true is returned.

If we were unable to find the Verification entity, maybe it expired, we request a new one and return false. If there are any issues verifying, we throw a VerificationRequestFailedException.

The retrieveVerification method will throw a VerificationNotFoundException if the Verification wasn’t found.

Add this exception to the verify package. 

<span>// src/main/net/smcrow/demo/twofactor/verify/VerificationNotFoundException.java</span>
<span>public</span> <span>class</span> <span>VerificationNotFoundException</span> <span>extends</span> <span>Throwable</span> <span>{</span>
    <span>public</span> <span>VerificationNotFoundException</span><span>()</span> <span>{</span>
        <span>this</span><span>(</span><span>"Failed to find verification."</span><span>);</span>
    <span>}</span>
    <span>public</span> <span>VerificationNotFoundException</span><span>(</span><span>String</span> <span>message</span><span>)</span> <span>{</span>
        <span>super</span><span>(</span><span>message</span><span>);</span>
    <span>}</span>
<span>}</span>
<span>// src/main/net/smcrow/demo/twofactor/verify/VerificationNotFoundException.java</span>

<span>public</span> <span>class</span> <span>VerificationNotFoundException</span> <span>extends</span> <span>Throwable</span> <span>{</span>
    <span>public</span> <span>VerificationNotFoundException</span><span>()</span> <span>{</span>
        <span>this</span><span>(</span><span>"Failed to find verification."</span><span>);</span>
    <span>}</span>

    <span>public</span> <span>VerificationNotFoundException</span><span>(</span><span>String</span> <span>message</span><span>)</span> <span>{</span>
        <span>super</span><span>(</span><span>message</span><span>);</span>
    <span>}</span>
<span>}</span>
// src/main/net/smcrow/demo/twofactor/verify/VerificationNotFoundException.java

public class VerificationNotFoundException extends Throwable {
    public VerificationNotFoundException() {
        this("Failed to find verification.");
    }

    public VerificationNotFoundException(String message) {
        super(message);
    }
}

Using the NexmoVerificationService

We’re going to use the service for both sending a code and verifying the code. Sending a code is done after a successful authentication.

Triggering the Request for Verification

Let’s implement a custom AuthenticationSuccessHandler which will be called after the user has successfully authenticated.

Add the TwoFactorAuthenticationSuccessHandler to the verify package. 

<span>// src/main/net/smcrow/demo/twofactor/verify/TwoFactorAuthenticationSuccessHandler.java</span>
<span>@Component</span>
<span>public</span> <span>class</span> <span>TwoFactorAuthenticationSuccessHandler</span> <span>implements</span> <span>AuthenticationSuccessHandler</span> <span>{</span>
    <span>private</span> <span>static</span> <span>final</span> <span>String</span> <span>VERIFICATION_URL</span> <span>=</span> <span>"/verify"</span><span>;</span>
    <span>private</span> <span>static</span> <span>final</span> <span>String</span> <span>INDEX_URL</span> <span>=</span> <span>"/"</span><span>;</span>
    <span>@Autowired</span>
    <span>private</span> <span>NexmoVerificationService</span> <span>verificationService</span><span>;</span>
    <span>@Autowired</span>
    <span>private</span> <span>UserRepository</span> <span>userRepository</span><span>;</span>
    <span>@Override</span>
    <span>public</span> <span>void</span> <span>onAuthenticationSuccess</span><span>(</span><span>HttpServletRequest</span> <span>request</span><span>,</span> <span>HttpServletResponse</span> <span>response</span><span>,</span> <span>Authentication</span> <span>authentication</span><span>)</span> <span>throws</span> <span>IOException</span> <span>{</span>
        <span>String</span> <span>phone</span> <span>=</span> <span>((</span><span>StandardUserDetails</span><span>)</span> <span>authentication</span><span>.</span><span>getPrincipal</span><span>()).</span><span>getUser</span><span>().</span><span>getPhone</span><span>();</span>
        <span>if</span> <span>(</span><span>phone</span> <span>==</span> <span>null</span> <span>||</span> <span>!</span><span>requestAndRegisterVerification</span><span>(</span><span>phone</span><span>))</span> <span>{</span>
            <span>bypassVerification</span><span>(</span><span>request</span><span>,</span> <span>response</span><span>,</span> <span>authentication</span><span>);</span>
            <span>return</span><span>;</span>
        <span>}</span>
        <span>new</span> <span>DefaultRedirectStrategy</span><span>().</span><span>sendRedirect</span><span>(</span><span>request</span><span>,</span> <span>response</span><span>,</span> <span>VERIFICATION_URL</span><span>);</span>
    <span>}</span>
    <span>private</span> <span>boolean</span> <span>requestAndRegisterVerification</span><span>(</span><span>String</span> <span>phone</span><span>)</span> <span>{</span>
        <span>try</span> <span>{</span>
            <span>return</span> <span>verificationService</span><span>.</span><span>requestVerification</span><span>(</span><span>phone</span><span>)</span> <span>!=</span> <span>null</span><span>;</span>
        <span>}</span> <span>catch</span> <span>(</span><span>VerificationRequestFailedException</span> <span>e</span><span>)</span> <span>{</span>
            <span>return</span> <span>false</span><span>;</span>
        <span>}</span>
    <span>}</span>
    <span>private</span> <span>void</span> <span>bypassVerification</span><span>(</span><span>HttpServletRequest</span> <span>request</span><span>,</span> <span>HttpServletResponse</span> <span>response</span><span>,</span> <span>Authentication</span> <span>authentication</span><span>)</span> <span>throws</span> <span>IOException</span> <span>{</span>
        <span>verificationService</span><span>.</span><span>updateAuthentication</span><span>(</span><span>authentication</span><span>);</span>
        <span>new</span> <span>DefaultRedirectStrategy</span><span>().</span><span>sendRedirect</span><span>(</span><span>request</span><span>,</span> <span>response</span><span>,</span> <span>INDEX_URL</span><span>);</span>
    <span>}</span>
<span>}</span>
<span>// src/main/net/smcrow/demo/twofactor/verify/TwoFactorAuthenticationSuccessHandler.java</span>
<span>@Component</span>
<span>public</span> <span>class</span> <span>TwoFactorAuthenticationSuccessHandler</span> <span>implements</span> <span>AuthenticationSuccessHandler</span> <span>{</span>
    <span>private</span> <span>static</span> <span>final</span> <span>String</span> <span>VERIFICATION_URL</span> <span>=</span> <span>"/verify"</span><span>;</span>
    <span>private</span> <span>static</span> <span>final</span> <span>String</span> <span>INDEX_URL</span> <span>=</span> <span>"/"</span><span>;</span>

    <span>@Autowired</span>
    <span>private</span> <span>NexmoVerificationService</span> <span>verificationService</span><span>;</span>

    <span>@Autowired</span>
    <span>private</span> <span>UserRepository</span> <span>userRepository</span><span>;</span>

    <span>@Override</span>
    <span>public</span> <span>void</span> <span>onAuthenticationSuccess</span><span>(</span><span>HttpServletRequest</span> <span>request</span><span>,</span> <span>HttpServletResponse</span> <span>response</span><span>,</span> <span>Authentication</span> <span>authentication</span><span>)</span> <span>throws</span> <span>IOException</span> <span>{</span>
        <span>String</span> <span>phone</span> <span>=</span> <span>((</span><span>StandardUserDetails</span><span>)</span> <span>authentication</span><span>.</span><span>getPrincipal</span><span>()).</span><span>getUser</span><span>().</span><span>getPhone</span><span>();</span>
        <span>if</span> <span>(</span><span>phone</span> <span>==</span> <span>null</span> <span>||</span> <span>!</span><span>requestAndRegisterVerification</span><span>(</span><span>phone</span><span>))</span> <span>{</span>
            <span>bypassVerification</span><span>(</span><span>request</span><span>,</span> <span>response</span><span>,</span> <span>authentication</span><span>);</span>
            <span>return</span><span>;</span>
        <span>}</span>

        <span>new</span> <span>DefaultRedirectStrategy</span><span>().</span><span>sendRedirect</span><span>(</span><span>request</span><span>,</span> <span>response</span><span>,</span> <span>VERIFICATION_URL</span><span>);</span>
    <span>}</span>

    <span>private</span> <span>boolean</span> <span>requestAndRegisterVerification</span><span>(</span><span>String</span> <span>phone</span><span>)</span> <span>{</span>
        <span>try</span> <span>{</span>
            <span>return</span> <span>verificationService</span><span>.</span><span>requestVerification</span><span>(</span><span>phone</span><span>)</span> <span>!=</span> <span>null</span><span>;</span>
        <span>}</span> <span>catch</span> <span>(</span><span>VerificationRequestFailedException</span> <span>e</span><span>)</span> <span>{</span>
            <span>return</span> <span>false</span><span>;</span>
        <span>}</span>
    <span>}</span>

    <span>private</span> <span>void</span> <span>bypassVerification</span><span>(</span><span>HttpServletRequest</span> <span>request</span><span>,</span> <span>HttpServletResponse</span> <span>response</span><span>,</span> <span>Authentication</span> <span>authentication</span><span>)</span> <span>throws</span> <span>IOException</span> <span>{</span>
        <span>verificationService</span><span>.</span><span>updateAuthentication</span><span>(</span><span>authentication</span><span>);</span>
        <span>new</span> <span>DefaultRedirectStrategy</span><span>().</span><span>sendRedirect</span><span>(</span><span>request</span><span>,</span> <span>response</span><span>,</span> <span>INDEX_URL</span><span>);</span>
    <span>}</span>
<span>}</span>
// src/main/net/smcrow/demo/twofactor/verify/TwoFactorAuthenticationSuccessHandler.java
@Component
public class TwoFactorAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
    private static final String VERIFICATION_URL = "/verify";
    private static final String INDEX_URL = "/";

    @Autowired
    private NexmoVerificationService verificationService;

    @Autowired
    private UserRepository userRepository;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
        String phone = ((StandardUserDetails) authentication.getPrincipal()).getUser().getPhone();
        if (phone == null || !requestAndRegisterVerification(phone)) {
            bypassVerification(request, response, authentication);
            return;
        }

        new DefaultRedirectStrategy().sendRedirect(request, response, VERIFICATION_URL);
    }

    private boolean requestAndRegisterVerification(String phone) {
        try {
            return verificationService.requestVerification(phone) != null;
        } catch (VerificationRequestFailedException e) {
            return false;
        }
    }

    private void bypassVerification(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
        verificationService.updateAuthentication(authentication);
        new DefaultRedirectStrategy().sendRedirect(request, response, INDEX_URL);
    }
}

When a user has successfully authenticated, we check to see if they have a phone number.

If they have a phone number, a code is sent to their device. If they don’t have a phone number, or we are unable to send a code, we allow them to bypass verification.

The bypassVerification method relies on the updateAuthentication method of the NexmoVerificationService.

Add this to the NexmoVerificationService: 

<span>// src/main/net/smcrow/demo/twofactor/verify/NexmoVerificationService.java</span>
<span>public</span> <span>void</span> <span>updateAuthentication</span><span>(</span><span>Authentication</span> <span>authentication</span><span>)</span> <span>{</span>
    <span>Role</span> <span>role</span> <span>=</span> <span>retrieveRoleFromDatabase</span><span>(</span><span>authentication</span><span>.</span><span>getName</span><span>());</span>
    <span>List</span><span><</span><span>GrantedAuthority</span><span>></span> <span>authorities</span> <span>=</span> <span>new</span> <span>ArrayList</span><span><>();</span>
    <span>authorities</span><span>.</span><span>add</span><span>(</span><span>role</span><span>);</span>
    <span>Authentication</span> <span>newAuthentication</span> <span>=</span> <span>new</span> <span>UsernamePasswordAuthenticationToken</span><span>(</span>
            <span>authentication</span><span>.</span><span>getPrincipal</span><span>(),</span>
            <span>authentication</span><span>.</span><span>getCredentials</span><span>(),</span>
            <span>authorities</span>
    <span>);</span>
    <span>SecurityContextHolder</span><span>.</span><span>getContext</span><span>().</span><span>setAuthentication</span><span>(</span><span>newAuthentication</span><span>);</span>
<span>}</span>
<span>private</span> <span>Role</span> <span>retrieveRoleFromDatabase</span><span>(</span><span>String</span> <span>username</span><span>)</span> <span>{</span>
    <span>Optional</span><span><</span><span>User</span><span>></span> <span>match</span> <span>=</span> <span>userRepository</span><span>.</span><span>findByUsername</span><span>(</span><span>username</span><span>);</span>
    <span>if</span> <span>(</span><span>match</span><span>.</span><span>isPresent</span><span>())</span> <span>{</span>
        <span>return</span> <span>match</span><span>.</span><span>get</span><span>().</span><span>getRole</span><span>();</span>
    <span>}</span>
    <span>throw</span> <span>new</span> <span>UsernameNotFoundException</span><span>(</span><span>"Username not found."</span><span>);</span>
<span>}</span>
<span>// src/main/net/smcrow/demo/twofactor/verify/NexmoVerificationService.java</span>
<span>public</span> <span>void</span> <span>updateAuthentication</span><span>(</span><span>Authentication</span> <span>authentication</span><span>)</span> <span>{</span>
    <span>Role</span> <span>role</span> <span>=</span> <span>retrieveRoleFromDatabase</span><span>(</span><span>authentication</span><span>.</span><span>getName</span><span>());</span>
    <span>List</span><span><</span><span>GrantedAuthority</span><span>></span> <span>authorities</span> <span>=</span> <span>new</span> <span>ArrayList</span><span><>();</span>
    <span>authorities</span><span>.</span><span>add</span><span>(</span><span>role</span><span>);</span>

    <span>Authentication</span> <span>newAuthentication</span> <span>=</span> <span>new</span> <span>UsernamePasswordAuthenticationToken</span><span>(</span>
            <span>authentication</span><span>.</span><span>getPrincipal</span><span>(),</span>
            <span>authentication</span><span>.</span><span>getCredentials</span><span>(),</span>
            <span>authorities</span>
    <span>);</span>

    <span>SecurityContextHolder</span><span>.</span><span>getContext</span><span>().</span><span>setAuthentication</span><span>(</span><span>newAuthentication</span><span>);</span>
<span>}</span>

<span>private</span> <span>Role</span> <span>retrieveRoleFromDatabase</span><span>(</span><span>String</span> <span>username</span><span>)</span> <span>{</span>
    <span>Optional</span><span><</span><span>User</span><span>></span> <span>match</span> <span>=</span> <span>userRepository</span><span>.</span><span>findByUsername</span><span>(</span><span>username</span><span>);</span>
    <span>if</span> <span>(</span><span>match</span><span>.</span><span>isPresent</span><span>())</span> <span>{</span>
        <span>return</span> <span>match</span><span>.</span><span>get</span><span>().</span><span>getRole</span><span>();</span>
    <span>}</span>

    <span>throw</span> <span>new</span> <span>UsernameNotFoundException</span><span>(</span><span>"Username not found."</span><span>);</span>
<span>}</span>
// src/main/net/smcrow/demo/twofactor/verify/NexmoVerificationService.java
public void updateAuthentication(Authentication authentication) {
    Role role = retrieveRoleFromDatabase(authentication.getName());
    List<GrantedAuthority> authorities = new ArrayList<>();
    authorities.add(role);

    Authentication newAuthentication = new UsernamePasswordAuthenticationToken(
            authentication.getPrincipal(),
            authentication.getCredentials(),
            authorities
    );

    SecurityContextHolder.getContext().setAuthentication(newAuthentication);
}

private Role retrieveRoleFromDatabase(String username) {
    Optional<User> match = userRepository.findByUsername(username);
    if (match.isPresent()) {
        return match.get().getRole();
    }

    throw new UsernameNotFoundException("Username not found.");
}

This method is used to assign the role defined in the database to the current user and removes the PRE_VERIFICATION_USER role.

Prompting The User for a Code

Once the user has been sent a code, they are forwarded to the verification page. Let’s work on creating that page next.

Create a new HTML file called verify.html in the resources/templates directory. 

<span><!DOCTYPE html></span>
<span><html</span> <span>lang=</span><span>"en"</span>
      <span>xmlns:th=</span><span>"http://www.thymeleaf.org"</span>
      <span>xmlns:layout=</span><span>"http://www.ultraq.net.nz/thymeleaf/layout"</span>
      <span>layout:decorator=</span><span>"default"</span><span>></span>
<span><head></span>
    <span><meta</span> <span>charset=</span><span>"UTF-8"</span> <span>/></span>
    <span><title></span>Two Factor Authorization Demo<span></title></span>
<span></head></span>
<span><body></span>
<span><div</span> <span>layout:fragment=</span><span>"content"</span> <span>class=</span><span>"container"</span><span>></span>
    <span><div</span> <span>class=</span><span>"col-lg-12 alert alert-danger text-center"</span> <span>th:if=</span><span>"${param.error}"</span><span>></span>There was an error with your login.<span></div></span>
    <span><div</span> <span>class=</span><span>"col-lg-4 offset-lg-4 text-left"</span><span>></span>
        <span><form</span> <span>th:action=</span><span>"@{/verify}"</span> <span>method=</span><span>"post"</span><span>></span>
            <span><h1></span>Verify<span></h1></span>
            <span><p></span>A text message has been sent to your mobile device. Please enter the code below:<span></p></span>
            <span><div</span> <span>class=</span><span>"form-group"</span><span>></span>
                <span><label</span> <span>for=</span><span>"code"</span><span>></span>Verification Code<span></label></span>
                <span><input</span> <span>type=</span><span>"text"</span> <span>class=</span><span>"form-control"</span> <span>id=</span><span>"code"</span> <span>name=</span><span>"code"</span> <span>placeholder=</span><span>"4-Digit Code"</span> <span>/></span>
            <span></div></span>
            <span><button</span> <span>type=</span><span>"submit"</span> <span>class=</span><span>"btn btn-primary"</span><span>></span>Verify<span></button></span>
        <span></form></span>
    <span></div></span>
<span></div></span>
<span></body></span>
<span></html></span>
<span><!DOCTYPE html></span>
<span><html</span> <span>lang=</span><span>"en"</span>
      <span>xmlns:th=</span><span>"http://www.thymeleaf.org"</span>
      <span>xmlns:layout=</span><span>"http://www.ultraq.net.nz/thymeleaf/layout"</span>
      <span>layout:decorator=</span><span>"default"</span><span>></span>
<span><head></span>
    <span><meta</span> <span>charset=</span><span>"UTF-8"</span> <span>/></span>
    <span><title></span>Two Factor Authorization Demo<span></title></span>
<span></head></span>
<span><body></span>
<span><div</span> <span>layout:fragment=</span><span>"content"</span> <span>class=</span><span>"container"</span><span>></span>
    <span><div</span> <span>class=</span><span>"col-lg-12 alert alert-danger text-center"</span> <span>th:if=</span><span>"${param.error}"</span><span>></span>There was an error with your login.<span></div></span>
    <span><div</span> <span>class=</span><span>"col-lg-4 offset-lg-4 text-left"</span><span>></span>
        <span><form</span> <span>th:action=</span><span>"@{/verify}"</span> <span>method=</span><span>"post"</span><span>></span>
            <span><h1></span>Verify<span></h1></span>
            <span><p></span>A text message has been sent to your mobile device. Please enter the code below:<span></p></span>
            <span><div</span> <span>class=</span><span>"form-group"</span><span>></span>
                <span><label</span> <span>for=</span><span>"code"</span><span>></span>Verification Code<span></label></span>
                <span><input</span> <span>type=</span><span>"text"</span> <span>class=</span><span>"form-control"</span> <span>id=</span><span>"code"</span> <span>name=</span><span>"code"</span> <span>placeholder=</span><span>"4-Digit Code"</span> <span>/></span>
            <span></div></span>
            <span><button</span> <span>type=</span><span>"submit"</span> <span>class=</span><span>"btn btn-primary"</span><span>></span>Verify<span></button></span>
        <span></form></span>
    <span></div></span>
<span></div></span>
<span></body></span>
<span></html></span>
<!DOCTYPE html>
<html lang="en"
      xmlns:th="http://www.thymeleaf.org"
      xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
      layout:decorator="default">
<head>
    <meta charset="UTF-8" />
    <title>Two Factor Authorization Demo</title>
</head>
<body>
<div layout:fragment="content" class="container">
    <div class="col-lg-12 alert alert-danger text-center" th:if="${param.error}">There was an error with your login.</div>
    <div class="col-lg-4 offset-lg-4 text-left">
        <form th:action="@{/verify}" method="post">
            <h1>Verify</h1>
            <p>A text message has been sent to your mobile device. Please enter the code below:</p>
            <div class="form-group">
                <label for="code">Verification Code</label>
                <input type="text" class="form-control" id="code" name="code" placeholder="4-Digit Code" />
            </div>
            <button type="submit" class="btn btn-primary">Verify</button>
        </form>
    </div>
</div>
</body>
</html>

We also need a controller to serve the page to the user. Create the VerificationController in the verify package. 

<span>// src/main/net/smcrow/demo/twofactor/verify/VerificationController.java</span>
<span>@Controller</span>
<span>public</span> <span>class</span> <span>VerificationController</span> <span>{</span>
    <span>@Autowired</span>
    <span>private</span> <span>NexmoVerificationService</span> <span>verificationService</span><span>;</span>
    <span>@PreAuthorize</span><span>(</span><span>"hasRole('PRE_VERIFICATION_USER')"</span><span>)</span>
    <span>@GetMapping</span><span>(</span><span>"/verify"</span><span>)</span>
    <span>public</span> <span>String</span> <span>index</span><span>()</span> <span>{</span>
        <span>return</span> <span>"verify"</span><span>;</span>
    <span>}</span>
    <span>@PreAuthorize</span><span>(</span><span>"hasRole('PRE_VERIFICATION_USER')"</span><span>)</span>
    <span>@PostMapping</span><span>(</span><span>"/verify"</span><span>)</span>
    <span>public</span> <span>String</span> <span>verify</span><span>(</span><span>@RequestParam</span><span>(</span><span>"code"</span><span>)</span> <span>String</span> <span>code</span><span>,</span> <span>Authentication</span> <span>authentication</span><span>)</span> <span>{</span>
        <span>User</span> <span>user</span> <span>=</span> <span>((</span><span>StandardUserDetails</span><span>)</span> <span>authentication</span><span>.</span><span>getPrincipal</span><span>()).</span><span>getUser</span><span>();</span>
        <span>try</span> <span>{</span>
            <span>if</span> <span>(</span><span>verificationService</span><span>.</span><span>verify</span><span>(</span><span>user</span><span>.</span><span>getPhone</span><span>(),</span> <span>code</span><span>))</span> <span>{</span>
                <span>verificationService</span><span>.</span><span>updateAuthentication</span><span>(</span><span>authentication</span><span>);</span>
                <span>return</span> <span>"redirect:/"</span><span>;</span>
            <span>}</span>
            <span>return</span> <span>"redirect:verify?error"</span><span>;</span>
        <span>}</span> <span>catch</span> <span>(</span><span>VerificationRequestFailedException</span> <span>e</span><span>)</span> <span>{</span>
            <span>// Having issues generating keys let them through.</span>
            <span>verificationService</span><span>.</span><span>updateAuthentication</span><span>(</span><span>authentication</span><span>);</span>
            <span>return</span> <span>"redirect:/"</span><span>;</span>
        <span>}</span>
    <span>}</span>
<span>}</span>
<span>// src/main/net/smcrow/demo/twofactor/verify/VerificationController.java</span>
<span>@Controller</span>
<span>public</span> <span>class</span> <span>VerificationController</span> <span>{</span>
    <span>@Autowired</span>
    <span>private</span> <span>NexmoVerificationService</span> <span>verificationService</span><span>;</span>

    <span>@PreAuthorize</span><span>(</span><span>"hasRole('PRE_VERIFICATION_USER')"</span><span>)</span>
    <span>@GetMapping</span><span>(</span><span>"/verify"</span><span>)</span>
    <span>public</span> <span>String</span> <span>index</span><span>()</span> <span>{</span>
        <span>return</span> <span>"verify"</span><span>;</span>
    <span>}</span>

    <span>@PreAuthorize</span><span>(</span><span>"hasRole('PRE_VERIFICATION_USER')"</span><span>)</span>
    <span>@PostMapping</span><span>(</span><span>"/verify"</span><span>)</span>
    <span>public</span> <span>String</span> <span>verify</span><span>(</span><span>@RequestParam</span><span>(</span><span>"code"</span><span>)</span> <span>String</span> <span>code</span><span>,</span> <span>Authentication</span> <span>authentication</span><span>)</span> <span>{</span>
        <span>User</span> <span>user</span> <span>=</span> <span>((</span><span>StandardUserDetails</span><span>)</span> <span>authentication</span><span>.</span><span>getPrincipal</span><span>()).</span><span>getUser</span><span>();</span>
        <span>try</span> <span>{</span>
            <span>if</span> <span>(</span><span>verificationService</span><span>.</span><span>verify</span><span>(</span><span>user</span><span>.</span><span>getPhone</span><span>(),</span> <span>code</span><span>))</span> <span>{</span>
                <span>verificationService</span><span>.</span><span>updateAuthentication</span><span>(</span><span>authentication</span><span>);</span>
                <span>return</span> <span>"redirect:/"</span><span>;</span>
            <span>}</span>

            <span>return</span> <span>"redirect:verify?error"</span><span>;</span>
        <span>}</span> <span>catch</span> <span>(</span><span>VerificationRequestFailedException</span> <span>e</span><span>)</span> <span>{</span>
            <span>// Having issues generating keys let them through.</span>
            <span>verificationService</span><span>.</span><span>updateAuthentication</span><span>(</span><span>authentication</span><span>);</span>
            <span>return</span> <span>"redirect:/"</span><span>;</span>
        <span>}</span>
    <span>}</span>
<span>}</span>
// src/main/net/smcrow/demo/twofactor/verify/VerificationController.java
@Controller
public class VerificationController {
    @Autowired
    private NexmoVerificationService verificationService;

    @PreAuthorize("hasRole('PRE_VERIFICATION_USER')")
    @GetMapping("/verify")
    public String index() {
        return "verify";
    }

    @PreAuthorize("hasRole('PRE_VERIFICATION_USER')")
    @PostMapping("/verify")
    public String verify(@RequestParam("code") String code, Authentication authentication) {
        User user = ((StandardUserDetails) authentication.getPrincipal()).getUser();
        try {
            if (verificationService.verify(user.getPhone(), code)) {
                verificationService.updateAuthentication(authentication);
                return "redirect:/";
            }

            return "redirect:verify?error";
        } catch (VerificationRequestFailedException e) {
            // Having issues generating keys let them through.
            verificationService.updateAuthentication(authentication);
            return "redirect:/";
        }
    }
}

This controller serves the verification page via the index method, and it handles the form submission via the verify method.

This page is only accessible to users with the PRE_VERIFICATION_USER role. On successful verification, the updateAuthentication method is, once again, used to replace this role with their persisted one.

Finishing Up the Verification Chain

The final step is to update the AppSecurityConfiguration to use our TwoFactorAuthenticationSuccessHandler.

Modify the AppSecurityConfiguration to wire in our handler and use it via the successHandler method. 

<span>// src/main/net/smcrow/demo/twofactor/AppSecurityConfiguration.java</span>
<span>@Autowired</span>
<span>private</span> <span>TwoFactorAuthenticationSuccessHandler</span> <span>twoFactorAuthenticationSuccessHandler</span><span>;</span>
<span>@Override</span>
<span>protected</span> <span>void</span> <span>configure</span><span>(</span><span>HttpSecurity</span> <span>httpSecurity</span><span>)</span> <span>throws</span> <span>Exception</span> <span>{</span>
    <span>// Webjar resources</span>
    <span>httpSecurity</span><span>.</span><span>authorizeRequests</span><span>().</span><span>antMatchers</span><span>(</span><span>"/webjars/**"</span><span>).</span><span>permitAll</span><span>()</span>
    <span>.</span><span>and</span><span>().</span><span>formLogin</span><span>().</span><span>loginPage</span><span>(</span><span>"/login"</span><span>).</span><span>permitAll</span><span>()</span>
            <span>.</span><span>successHandler</span><span>(</span><span>twoFactorAuthenticationSuccessHandler</span><span>)</span>
    <span>.</span><span>and</span><span>().</span><span>logout</span><span>().</span><span>permitAll</span><span>();</span>
<span>}</span>
<span>// src/main/net/smcrow/demo/twofactor/AppSecurityConfiguration.java</span>
<span>@Autowired</span>
<span>private</span> <span>TwoFactorAuthenticationSuccessHandler</span> <span>twoFactorAuthenticationSuccessHandler</span><span>;</span>

<span>@Override</span>
<span>protected</span> <span>void</span> <span>configure</span><span>(</span><span>HttpSecurity</span> <span>httpSecurity</span><span>)</span> <span>throws</span> <span>Exception</span> <span>{</span>
    <span>// Webjar resources</span>
    <span>httpSecurity</span><span>.</span><span>authorizeRequests</span><span>().</span><span>antMatchers</span><span>(</span><span>"/webjars/**"</span><span>).</span><span>permitAll</span><span>()</span>
    <span>.</span><span>and</span><span>().</span><span>formLogin</span><span>().</span><span>loginPage</span><span>(</span><span>"/login"</span><span>).</span><span>permitAll</span><span>()</span>
            <span>.</span><span>successHandler</span><span>(</span><span>twoFactorAuthenticationSuccessHandler</span><span>)</span>
    <span>.</span><span>and</span><span>().</span><span>logout</span><span>().</span><span>permitAll</span><span>();</span>
<span>}</span>
// src/main/net/smcrow/demo/twofactor/AppSecurityConfiguration.java
@Autowired
private TwoFactorAuthenticationSuccessHandler twoFactorAuthenticationSuccessHandler;

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // Webjar resources
    httpSecurity.authorizeRequests().antMatchers("/webjars/**").permitAll()
    .and().formLogin().loginPage("/login").permitAll()
            .successHandler(twoFactorAuthenticationSuccessHandler)
    .and().logout().permitAll();
}

Try it Out!

You will need to add your phone number to the data.sql file.

We aren’t going to be doing any validation on the phone number, and it needs to be in E.164 format. 

<span>INSERT</span> <span>INTO</span> <span>user</span> <span>(</span><span>username</span><span>,</span> <span>password</span><span>,</span> <span>role</span><span>,</span> <span>phone</span><span>)</span> <span>VALUES</span>
    <span>(</span><span>'phone'</span><span>,</span> <span>'phone'</span><span>,</span> <span>'USER'</span><span>,</span> <span>15555555555</span><span>);</span>
<span>INSERT</span> <span>INTO</span> <span>user</span> <span>(</span><span>username</span><span>,</span> <span>password</span><span>,</span> <span>role</span><span>,</span> <span>phone</span><span>)</span> <span>VALUES</span>
    <span>(</span><span>'phone'</span><span>,</span> <span>'phone'</span><span>,</span> <span>'USER'</span><span>,</span> <span>15555555555</span><span>);</span>
INSERT INTO user (username, password, role, phone) VALUES
    ('phone', 'phone', 'USER', 15555555555);

You should now be up and running. Boot up the application, and try to log in. Assuming that your API key, API secret, and seeded phone number are correct; you should receive a text message with a four-digit code.

What Did We Do?

We did a lot of things.

In short, we implemented two-factor authentication to better secure our application. We did this by:

  • Creating a custom AuthenticationSuccessHandler to forward the user to a verification page after serving them a code.
  • Using the nexmo-java library, by wrapping it in a NexmoVerificationService, to send verification codes to our users.
  • Taking advantage of the Spring Scheduler to delete expired verification codes.
  • Building a page for the user to enter their verification code.

Check out the final code from this tutorial on GitHub.

Looking Ahead

There are various ways that two-factor authentication can be implemented. If you’re curious about any of the frameworks and technologies used in the sample code, here’s a rundown:

Don’t forget that you can be a Nexmo contributor to the nexmo-java client.

原文链接:Beefing Up Your Spring Security with Two-Factor Authentication

展开阅读全文
© 版权声明
文章版权声明 1、本网站名称:拾光赋
2、本站永久网址:https://www.blogs.ink
3、本网站的文章部分内容可能来源于网络,仅供大家学习与参考,如有侵权,请联系站长QQ:805375623进行删除处理。
4、本站一切资源不代表本站立场,并不代表本站赞同其观点和对其真实性负责。
5、本站一律禁止以任何方式发布或转载任何违法的相关信息,访客发现请向站长举报
6、本站资源大多存储在云盘,如发现链接失效,请联系我们我们会第一时间更新。

THE END
Java(EN)
# java# Spring# security# nexmo
喜欢就支持一下吧
点赞5 分享
Smash the waves would rather get in the way of the reef hill, also not willing to take a step back.
海浪宁可在挡路的礁山上撞得粉碎,也不肯后退一步
评论 抢沙发

请登录后发表评论

    暂无评论内容

文章目录
kity的头像-拾光赋
文章目录
今日剩余 88.8%
本周剩余 12.7%
本月剩余 36.3%
本年剩余 70.1%
最近评论
杀人蜂的头像-拾光赋

杀人蜂6天前0

我很好奇这个网站能提供什么
Vito的头像-拾光赋

Vito6个月前2

你就是我心中的那首忐忑,总是让我惊心动魄
Jason.Meng的头像-拾光赋钻石会员

Jason.Meng徽章-人气大使-拾光赋6个月前2

总是会在人生的不同阶段反复爱上大佬的文章~
每日一言
It is by acts and not by ideas that people live.
行动是根本,想法锦上添花