We are brand new to Java, Spring, and Spring Security, but not new to development. We've been able to create a Spring Security-based Thymeleaf login page that uses a JNDI datasource to connect to our SQL Server database using BCrypt encrypted passwords. All of that is working without a hitch. However, the client wants a two-stage login. The first page requests a company ID that then loads a login page with specific graphics and text for that company, which allows the user to know that they are not logging into a phishing site. That login page would then request the user name and password.
We have searched extensively on here and the web as a whole and have not found a solid method for doing this. We believe that we may have to create a custom AuthenticationManager, but still can't see how to implement it so that:
We saw one suggestion about using Spring WebFlow with Spring Security, but without some starting point, have no idea how WebFlow works or applies to this scenario. This site helped us greatly in getting to this stage, but now we are stymied. Any help you can provide is greatly appreciated.
There should be three pages here:
I don't see this short, linear flow being sufficiently complex to warrant using Spring Web Flow.
I would just use straight Spring Web MVC for steps 1 and 2. I wouldn't use Spring Security for the initial login form, because Spring Security's login form expects a password and a login processing URL. Similarly, Spring Security doesn't provide special support for CAPTCHAs or security questions, so you can just use Spring Web MVC once again.
You can handle step 3 using Spring Security, since now you have a username and a password. The form login page should display the security image, and it should include the user-provided username as a hidden form field to make Spring Security happy when the user submits the login form. The only way to get to step 3 is to have a successful POST submission on step 1 (and 2 if applicable).
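As an added illustration of the approach described in this answer (example code, not from the question or the answer), a plain Spring MVC controller owns the company-ID step and records a successful POST in the session, the branded login page is only reachable when that session attribute exists, and Spring Security handles nothing but the final username/password POST. It assumes Spring Boot 3 with Spring Security 6 Java config; `CompanyRepository`, `Company`, the session attribute name and the Thymeleaf view names are hypothetical.

```java
import jakarta.servlet.http.HttpSession;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.*;

@Controller
public class TwoStageLoginController {
    // Session attribute written only by a successful step-1 POST (hypothetical name).
    static final String COMPANY_KEY = "loginCompanyId";
    private final CompanyRepository companies; // hypothetical lookup of a company's branding

    public TwoStageLoginController(CompanyRepository companies) { this.companies = companies; }

    @GetMapping("/company") // step 1: plain Spring MVC form asking only for the company ID
    public String companyForm() { return "company"; }

    @PostMapping("/company")
    public String companySubmit(@RequestParam String companyId, HttpSession session, Model model) {
        Company company = companies.findById(companyId); // hypothetical; returns null when unknown
        if (company == null) {
            model.addAttribute("error", "Unknown company ID");
            return "company";
        }
        session.setAttribute(COMPANY_KEY, company.getId()); // the only way into step 3
        return "redirect:/login";
    }

    @GetMapping("/login") // step 3: branded page whose POST is processed by Spring Security
    public String loginForm(HttpSession session, Model model) {
        String id = (String) session.getAttribute(COMPANY_KEY);
        if (id == null) return "redirect:/company"; // no step-1 POST yet: back to the start
        model.addAttribute("company", companies.findById(id)); // logo and text for the template
        return "login"; // template shows the branding plus username/password fields, posts to /login
    }
}

@Configuration
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/company", "/login", "/css/**", "/images/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login")); // POST /login is Spring Security's login processing URL
        return http.build(); // CSRF stays enabled; Thymeleaf's th:action adds the token to both forms
    }
}
```

The step-1 controller deliberately returns the same generic message for any unknown ID so the first page cannot be used to enumerate valid company IDs.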