OATH HOTP JAAS Plugin
Background
Java EE is one of today's most popular technology stacks for enterprise and web application development. It is not uncommon for LDAP integration with a Java EE application to be impossible or problematic. Most often this happens with closed-source, third-party, and/or legacy applications that work with an RDBMS exclusively. Nevertheless, we should be able to provide multi-factor OTP authentication for such applications.
Problem
Imagine a Java EE compliant web/enterprise application deployed to a Java EE container. All the user data is stored in a relational database, and standard Java EE authentication mechanisms are used. The problem is to implement OATH HOTP authentication for this application without modifying its source code. However, database schema modification is allowed.
Solution
In Java EE, JAAS (Java Authentication and Authorization Service) is responsible for custom authentication mechanisms; to enable a custom mechanism, one has to write, configure and deploy a JAAS plugin. JAAS is supported by most popular Java EE servers/containers: Tomcat, GlassFish, JBoss, Resin and others. That's why we have implemented OATH HOTP as a JAAS plugin. Relational data access is implemented using JPA, a standard Java EE ORM mechanism.
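The following is an added illustration, not the plugin's own code, of how a JAAS LoginModule can check an RFC 4226 HOTP value against a per-user secret and counter. The names HotpLoginModule, Token, STORE and WINDOW are hypothetical, the in-memory map stands in for the JPA-backed table, and the 6-digit length and look-ahead of 5 are assumed values; only the OTP factor is shown.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class HotpLoginModule implements LoginModule {
    /** Hypothetical per-user row (secret + moving counter); a real plugin would load and persist it via JPA. */
    public static final class Token { public byte[] secret; public long counter; }
    public static final Map<String, Token> STORE = new java.util.concurrent.ConcurrentHashMap<>();
    static final int WINDOW = 5; // look-ahead for counter drift (assumed value)
    private Subject subject; private CallbackHandler handler; private String user;
    /** RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, dynamic truncation, 6 ASCII digits. */
    static byte[] hotp(byte[] key, long counter) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int o = h[19] & 0x0f; // low nibble of the last byte selects the offset
        int bin = (h[o] & 0x7f) << 24 | (h[o + 1] & 0xff) << 16 | (h[o + 2] & 0xff) << 8 | (h[o + 3] & 0xff);
        return String.format("%06d", bin % 1_000_000).getBytes(StandardCharsets.US_ASCII);
    }
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback otp = new PasswordCallback("OTP: ", false);
        try {
            handler.handle(new Callback[] { name, otp });
            Token t = STORE.get(String.valueOf(name.getName()));
            byte[] given = new String(otp.getPassword()).getBytes(StandardCharsets.US_ASCII);
            if (t != null) synchronized (t) { // serialize checks per token: one OTP, one login
                for (long c = t.counter; c < t.counter + WINDOW; c++)
                    if (MessageDigest.isEqual(hotp(t.secret, c), given)) { // constant-time compare
                        t.counter = c + 1; // consume the value so it cannot be replayed
                        user = name.getName(); return true;
                    }
            }
        } catch (Exception e) { throw new LoginException("OTP check failed: " + e); }
        throw new FailedLoginException("invalid user or OTP");
    }
    public boolean commit() {
        String u = user; // minimal lambda Principal, for illustration only
        return u != null && subject.getPrincipals().add(() -> u);
    }
    public boolean abort()  { user = null; return true; }
    public boolean logout() { user = null; return true; }
}
```

The counter update is the security-critical write: it has to be persisted before the login is reported as successful, otherwise a captured OTP can be replayed against another node or after a restart.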
Distributed under GNU GPL, version 3.0.