Our Work

Liferay Multi Factor Authentication (MFA)

Updated 17 days ago

Overview

  • Liferay provides default authentication mechanism (with username and password).
  • In some scenarios we might required to provide other methods to identify User’s claimed identity.
  • MFA could be achieved in various ways like                   
    • 2FA
    • 3FA
  • Liferay doesn’t support this feature by Out of the box. This can be achieved with minor tweaks to Liferay.

       

Modules

We need implement 3 modules in order to achieve MFA with in Liferay. We used Liferay 7.0 CE to implement this module.

  • Service Builder                   
    • To persist information of
  • Authentication Module                   
    • This module is to extend Liferay authentication functionality in order to stop user access after initial login process/ 
  • Filter   
    • To accept MFA request from SMS or an email link

Let’s see how this has been implemented

Service Builder

  • As mentioned above this is used to persist MFA records in our database. Please refer Service Builder full documentation here
  • Typically service.xml file contain below schema
<service-builder package-path="com.webakte.mfa">
    <author>srikanth.shanigaram</author>
    <namespace>mfa</namespace>
    <entity local-service="true" name="Mfa" table="wk_mfa" remote-service="true" uuid="true">
        <column name="mfaId" primary="true" type="long" />
        <column name="userId" type="long" />
        <column name="custUniqueId" type="String" />
        <column name="orgId" type="long" />
        <column name="createDate" type="Date" />
        <column name="modifiedDate" type="Date" />
        <column name="verificationType" type="String" />
        <column name="verificationData" type="String" />
        <column name="mfaType" type="String" />
        <column name="expirationDate" type="Date" />
        <column name="status" type="String" />
    </entity>
</service-builder>
  • For each new login, we are creating mfa record in this table and maintaining the status for login.
  • Whenever user accepts link or fully authenticated then status will be updated to success.

MFA Authentication module :

  • This module concentrates on extending default Liferay authentication by keeping an additional layer on top of it.

  • We need to implement below in this module                   
    • Override MVC Action command                                   
      • Which will be triggered after user logged into the portal. And validates the user whether he has MFA configured by checking his Role.
      • If MFA not configured then he can access the portal.
      • If MFA configured then a mfa link will be sent through the configured channels.
      • One session variable (canAccess) updated with false
MFA Validator 
  • MFA Validator is a servlet filter and this class is reponsible to restricts user access by checking the session variable (canAccess).
  • If session variable validates as TRUE then true then it will be redirected to portal or else it will be redirected to MFA status page.
  • Use below properties in filter configuation
MFA Resend Filter   
  • MFA Resend Filter is used to resend notification link through configured channels.

MFA Status Check Filter
  • This filter will be called every one minute from mfa Verification.jsp

  • Logic behind this filter is to validate Session variable continuously and provide response to mfaVerification.jsp file for required navigation.

MFA Verification Filter 
  • This filter executes its business logic when user clicks on verification link.

  • MFA verification filter is responsible to to update session variable (canAccess) as true or false and also it validates the link whether it is expired or not.

MFA Hook

  • Required to implement 2 JSPs
Verification.jsp      
  • This page will be shown to user until they are authorized (by clicking on verification link).
Status.jsp 
  • After clicking the verification link, the user will be redirected to status.jsp which shows the status as successfully authenticated or failed to authenticate or verification link was expired.   

KTree is one of top most Liferay Development company from India which specializes in developing Liferay Portlets using Liferay 6.x / 7 CE / DXP.
KTree is a best offshore Liferay development company with extensive experience in Liferay Portal Development services along with Upgrade & Migration. Hire Liferay developers or Liferay development services from Liferay developer.