Liferay Multi Factor Authentication (MFA)

Overview

  • Liferay provides a default authentication mechanism (username and password).
  • In some scenarios we may be required to provide additional methods to verify the user's claimed identity.
  • MFA can be achieved in various ways, such as
    • 2FA
    • 3FA
  • Liferay doesn't support this feature out of the box. It can be achieved with minor tweaks to Liferay.

Modules

We need to implement 3 modules in order to achieve MFA within Liferay. We used Liferay 7.0 CE to implement these modules.

  • Service Builder
    • To persist information of MFA passcode and status of the passcode execution.
    • Audit incidents related to MFA activities.
  • Authentication Module
    • This module extends Liferay's authentication functionality in order to stop user access after the initial login process.
  • Filter
    • To accept MFA requests from an SMS or an email link

Let’s see how this has been implemented

Service Builder

  • As mentioned above, this is used to persist MFA records in our database. Please refer to the full Service Builder documentation.
  • Typically the service.xml file contains the schema below
<service-builder package-path="com.webakte.mfa">
    <author>srikanth.shanigaram</author>
    <namespace>mfa</namespace>
    <entity local-service="true" name="Mfa" table="wk_mfa" remote-service="true" uuid="true">
        <column name="mfaId" primary="true" type="long" />
        <column name="userId" type="long" />
        <column name="custUniqueId" type="String" />
        <column name="orgId" type="long" />
        <column name="createDate" type="Date" />
        <column name="modifiedDate" type="Date" />
        <column name="verificationType" type="String" />
        <column name="verificationData" type="String" />
        <column name="mfaType" type="String" />
        <column name="expirationDate" type="Date" />
        <column name="status" type="String" />
    </entity>
</service-builder>
  • For each new login, we create an MFA record in this table and maintain the status of the login.
  • Whenever the user accepts the link or is fully authenticated, the status is updated to success.

MFA Authentication Module

  • This module concentrates on extending the default Liferay authentication by adding an additional layer on top of it.

  • We need to implement the following in this module
    • Override the MVC Action command
      • This is triggered after the user has logged in to the portal. It checks whether the user has MFA configured by checking the user's Role.
      • If MFA is not configured, the user can access the portal.
      • If MFA is configured, an MFA link is sent through the configured channels.
      • One session variable (canAccess) is set to false.
MFA Validator
  • MFA Validator is a servlet filter. This class is responsible for restricting user access by checking the session variable (canAccess).
  • If the session variable is TRUE, the user is redirected to the portal; otherwise the user is redirected to the MFA status page.
  • Use the below properties in the filter configuration
MFA Resend Filter
  • MFA Resend Filter is used to resend notification link through configured channels.

MFA Status Check Filter
  • This filter is called every minute from mfaVerification.jsp.

  • The logic behind this filter is to check the session variable continuously and return a response to mfaVerification.jsp for the required navigation.

MFA Verification Filter
  • This filter executes its business logic when the user clicks on the verification link.

  • The MFA verification filter is responsible for updating the session variable (canAccess) to true or false, and it also validates whether the link has expired.
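
The check the verification filter performs, written as an added plain-Java example that is not the article's own code. `MfaRecord` is a hypothetical stand-in for the generated `Mfa` entity, and the `PENDING`/`SUCCESS`/`EXPIRED` status values and the use of `verificationData` as the link token are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;

public class MfaLinkCheck {
    // The three results the article's status.jsp reports.
    enum Outcome { SUCCESS, FAILED, EXPIRED }

    // Hypothetical stand-in for the generated Mfa entity (column names from service.xml).
    static class MfaRecord {
        final String verificationData;   // assumed to hold the token embedded in the link
        final Instant expirationDate;
        String status = "PENDING";       // assumed values: PENDING, SUCCESS, EXPIRED

        MfaRecord(String verificationData, Instant expirationDate) {
            this.verificationData = verificationData;
            this.expirationDate = expirationDate;
        }
    }

    static Outcome verify(MfaRecord rec, String presentedToken, Instant now) {
        // Unknown record, missing token, or a link that was already used or expired.
        if (rec == null || presentedToken == null || !"PENDING".equals(rec.status)) {
            return Outcome.FAILED;
        }
        // Constant-time comparison so response timing does not leak token prefixes.
        boolean matches = MessageDigest.isEqual(
                rec.verificationData.getBytes(StandardCharsets.UTF_8),
                presentedToken.getBytes(StandardCharsets.UTF_8));
        if (!matches) {
            return Outcome.FAILED;
        }
        if (!now.isBefore(rec.expirationDate)) {
            rec.status = "EXPIRED";      // a late click closes the record for good
            return Outcome.EXPIRED;
        }
        rec.status = "SUCCESS";          // single use: a second click is rejected
        return Outcome.SUCCESS;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T12:00:00Z");   // constructed sample data
        MfaRecord live = new MfaRecord("tok-constructed-1", now.plusSeconds(300));
        MfaRecord stale = new MfaRecord("tok-constructed-2", now.minusSeconds(1));
        System.out.println(verify(live, "wrong-token", now));        // wrong token
        System.out.println(verify(live, "tok-constructed-1", now));  // valid click
        System.out.println(verify(live, "tok-constructed-1", now));  // replay of a used link
        System.out.println(verify(stale, "tok-constructed-2", now)); // click after expirationDate
    }
}
```

In a filter, canAccess would be set to true only when the outcome is `SUCCESS`, and the outcome would select the message shown on the status page.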

MFA Hook

  • Two JSPs need to be implemented
Verification.jsp
  • This page will be shown to user until they are authorized (by clicking on verification link).
Status.jsp
  • After clicking the verification link, the user is redirected to status.jsp, which shows the status: successfully authenticated, failed to authenticate, or verification link expired.
