Google auth combined with shiro two factor authentication

Login status (the user's Google auth flag): null, "" or 0: two-factor authentication is not required, do not verify; 1: two-factor authentication is enabled but the authenticator has not been set up yet; 2: two-factor authentication is enabled and has already been set up.

After the user submits the login form, first verify that the account and password are correct. This check is not done by Shiro; the backend does it itself.

Once that passes, redirect to a different page depending on the user's Google auth status.

Users who need two-factor authentication are logged in through Shiro in the backend directly after their code passes verification. The code is as follows:

try {
	AuthenticationToken token = new UsernamePasswordToken(username, password.toCharArray(), false, null, null, false);
	Subject subject = UserUtils.getSubject();
	// Hand the token to Shiro: this call creates the Shiro session and is what
	// throws AuthenticationException on failure (without it the catch is never reached)
	subject.login(token);
	return "redirect:" + frontPath;
} catch (AuthenticationException e) {
	model.addAttribute(FormAuthenticationFilter.DEFAULT_MESSAGE_PARAM, "Incorrect account password");
	return "modules/front/frontLogin";
}

After the code is verified (or the authenticator has just been initialised), log the user in and redirect straight to the home page. That is the whole integration with Shiro; it is very simple.

Check that the entered verification code has the required format (six digits):

	// Imports needed by the methods below
	import java.security.NoSuchAlgorithmException;
	import java.security.SecureRandom;
	import java.util.regex.Pattern;
	import org.apache.commons.codec.binary.Base32;

	// Class constants referenced below; the post does not show their values, these are assumed
	private static final String RANDOM_NUMBER_ALGORITHM = "SHA1PRNG";
	private static final int SECRET_SIZE = 10;   // 10 random bytes -> 16 Base32 characters

	public static boolean isNumber(String code) {
		Pattern pattern = Pattern.compile("\\d{6}");
		boolean matches = pattern.matcher(code).matches();
		return matches;
	}

	/**
	 * Secret key
	 * Randomly generate a secret key. The secret key must be saved on the server;
	 * the user also needs it when adding the account in the Google Authenticator app.
	 * @return secret key (Base32 encoded)
	 */
	public static String generateSecretKey() {
		SecureRandom sr = null;
		try {
			sr = SecureRandom.getInstance(RANDOM_NUMBER_ALGORITHM);
			// Do not seed the generator from a fixed string constant: a constant seed
			// makes every generated secret predictable. Let the provider seed itself.
			byte[] buffer = sr.generateSeed(SECRET_SIZE);
			Base32 codec = new Base32();
			byte[] bEncodedKey = codec.encode(buffer);
			String encodedKey = new String(bEncodedKey);
			return encodedKey;
		} catch (NoSuchAlgorithmException e) {
			// should never occur... configuration error
		}
		return null;
	}

	/**
	 * Return a URL that generates and displays the QR code. The user scans the QR code
	 * with the Google Authenticator app on their smartphone to register the account;
	 * they can also enter the secret key manually.
	 * @param user
	 * @param host
	 * @param secret previously generated secret key for this user
	 * @return URL of the QR code image
	 */
	public static String getQRBarcodeURL(String user, String host, String secret) {
		/* Because it is an intranet system, Google cannot be reached, so this is commented out
		 *    String format = "";
		 *    return String.format(format, user, host, secret);
		 */
		// Generate the QR code image ourselves and save it in a directory of the project
		// QR code content (the otpauth URI carries the secret in clear text)
		String content = "otpauth://totp/" + user + "@" + host + "?secret=" + secret;
		// QR code width
		int width = 300;
		// QR code height
		int height = 300;
		// QR code storage file name. The image embeds the secret, so the directory must not
		// be readable by other users and the file should be deleted once enrolment is complete.
		String imageName = "googleAuthCode_" + user + ".png";
		return QRUtil.generateImageInBorderQR(content, width, height, imageName);
	}
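The step the post leaves out is checking the six-digit code the user types against the stored secret. The following is an added Java example, not code from the post: it implements RFC 6238 with Google Authenticator's 30-second step, reuses the same commons-codec Base32 class as generateSecretKey, and the class name TotpVerifier and its method names are my own.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base32;

/** Added example: verify a user's 6-digit code against the Base32 secret saved by generateSecretKey(). */
public class TotpVerifier {
    private static final long STEP_SECONDS = 30; // Google Authenticator's default time step
    private static final int WINDOW = 1;         // also accept the previous and next step (clock drift)

    /** HOTP (RFC 4226) for one counter value, as a zero-padded 6-digit string. */
    static String hotp(byte[] key, long counter) throws Exception {
        byte[] msg = ByteBuffer.allocate(8).putLong(counter).array(); // 8-byte big-endian counter
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(msg);
        int offset = h[h.length - 1] & 0x0f;                            // dynamic truncation
        int bin = ((h[offset] & 0x7f) << 24) | ((h[offset + 1] & 0xff) << 16)
                | ((h[offset + 2] & 0xff) << 8) | (h[offset + 3] & 0xff);
        return String.format("%06d", bin % 1_000_000);
    }

    /** True if code is valid for base32Secret at unixSeconds, within +/- WINDOW time steps. */
    public static boolean verify(String base32Secret, String code, long unixSeconds) throws Exception {
        if (code == null || !code.matches("\\d{6}")) {   // same format rule as the post's isNumber()
            return false;
        }
        byte[] key = new Base32().decode(base32Secret);
        long step = unixSeconds / STEP_SECONDS;
        boolean ok = false;
        for (long c = step - WINDOW; c <= step + WINDOW; c++) {
            // constant-time compare, and keep looping so timing does not reveal which step matched
            ok |= MessageDigest.isEqual(hotp(key, c).getBytes(), code.getBytes());
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // RFC 6238 test vector: ASCII secret "12345678901234567890" at T = 59 gives 94287082,
        // i.e. 287082 when truncated to the 6 digits Google Authenticator shows
        String secret = new Base32().encodeToString("12345678901234567890".getBytes());
        System.out.println(verify(secret, "287082", 59));
        System.out.println(verify(secret, "123456", 59));
        // In the login controller: verify(user.getSecret(), request.getParameter("code"), System.currentTimeMillis() / 1000)
    }
}
```

A code that verified should also be recorded and refused if submitted again for the same time step, so a code captured in transit cannot be replayed within the window.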

The specific code is as follows: link: extraction code: zya8

Tags: Programming Google Shiro codec Mobile

Posted on Mon, 11 May 2020 07:17:53 -0700 by chipmunken