crhume / pwm

Automatically exported from code.google.com/p/pwm

Send token after answering questions #26

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The current implementation of PWM can, when enabled, send a token to the user's 
email address in order to verify the user's identity, but does so before 
letting the user answer the security questions.

We're thinking about extending the token functionality with sending the token 
by SMS instead of email (or letting the user choose the medium). Sending SMS 
messages involves cost. Therefore the questions, and perhaps a captcha, would be 
a good "first line of defense" to prevent lots of unnecessary SMS messages from 
being sent.

Could the order be changed or made configurable (Questions --> Token / Token 
--> Questions)?

Original issue reported on code.google.com by menno.pi...@gmail.com on 16 Dec 2010 at 4:13

GoogleCodeExporter commented 9 years ago
That sounds like a good idea. Unless there is objection I'll change the 
sequence as described above.

How are you sending SMS messages?  Is there some generic functionality that 
could be added to PWM to handle this?  I've not had a chance to look into this.

Original comment by jrivard on 16 Dec 2010 at 4:42

GoogleCodeExporter commented 9 years ago
Well, looking at the code, it seemed that it shouldn't be too difficult to add 
some code to either use email or SMS.

Most SMS services offer an HTTP(S) based service that accepts a POST or GET 
request. For many of those, we could write a generic class that can be 
configured using a base URL, base parameters, username, password, POST/GET and 
a senderid and perhaps an HTTP(S) proxy server/port. I've done something 
similar in XPress code (Sun Identity Manager).

Original comment by menno.pi...@gmail.com on 16 Dec 2010 at 6:59

GoogleCodeExporter commented 9 years ago
The customer that I am implementing PWM for now has asked me when the order 
change (Questions --> Token) could be ready. They would like to start using the 
service within the next week, but based only on email tokens for now.

Of course, I would like to do something in return. As said, we are also 
planning to implement SMS. That might be the case for this customer, but that 
is not sure. There is another project, for which we will implement PWM too, but 
with the SMS support. Within the next couple of months that should also be 
ready and I will send in the code.

The things I think that should be done in order to implement SMS:
* Add some configuration items for selecting email, sms or perhaps an external 
class for sending the token
* Add some configuration items for the SMS provider (base URL, login, password, 
number format (+ccxxxx, ccxxxx, 00ccxxxx, etc.), POST/GET, sender ID)
* Modify initializeToken() in ForgottenPasswordServlet.java to allow either SMS 
or email
* Create a new class password.pwm.util.SMSQueueManager, similar to 
password.pwm.util.EmailQueueManager.
* Update ContextManager.java to add a SMSQueueManager variable and a function 
sendSMSUsingQueue(to, text).

Best regards,

Menno Pieters

Original comment by menno.pi...@gmail.com on 7 Jan 2011 at 3:46
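
The generic HTTP(S) gateway sender sketched in the two comments above (base URL, login, password, sender ID, number format), as an added example that is neither PWM's own code nor the patch from this thread; the class name, the gateway parameter names and the POST-only transport are assumptions, and the proxy option is left out.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/** Hypothetical generic HTTP(S) SMS gateway client; not PWM's own code. */
public class SmsGatewayClient {
    /** The number formats named in the thread: +ccxxxx, ccxxxx, 00ccxxxx. */
    public enum NumberFormat { PLUS, PLAIN, DOUBLE_ZERO }
    private final String baseUrl, username, password, senderId;
    private final NumberFormat numberFormat;
    public SmsGatewayClient(String baseUrl, String username, String password,
                            String senderId, NumberFormat fmt) {
        this.baseUrl = baseUrl; this.username = username; this.password = password;
        this.senderId = senderId; this.numberFormat = fmt;
    }
    /** Normalise a number given in any of the three forms to the form the gateway expects. */
    static String formatNumber(String raw, NumberFormat fmt) {
        String digits = raw.replaceAll("[^0-9]", "");               // drop '+', spaces, dashes
        if (digits.startsWith("00")) digits = digits.substring(2);  // 00ccxxxx -> ccxxxx
        if (fmt == NumberFormat.PLUS) return "+" + digits;
        if (fmt == NumberFormat.DOUBLE_ZERO) return "00" + digits;
        return digits;
    }
    /** Parameter names are assumed; every value is URL-encoded so the recipient
     *  number or message text cannot smuggle extra parameters into the request. */
    private String buildQuery(String to, String text) throws IOException {
        String[][] params = { {"username", username}, {"password", password}, {"from", senderId},
                              {"to", formatNumber(to, numberFormat)}, {"text", text} };
        StringBuilder sb = new StringBuilder();
        for (String[] p : params) {
            if (sb.length() > 0) sb.append('&');
            sb.append(p[0]).append('=').append(URLEncoder.encode(p[1], "UTF-8"));
        }
        return sb.toString();
    }
    /** Send one message; returns the HTTP status so a queue manager can retry on failure. */
    public int send(String to, String text) throws IOException {
        String query = buildQuery(to, text);
        HttpURLConnection conn = (HttpURLConnection) new URL(baseUrl).openConnection();
        conn.setRequestMethod("POST");   // POST keeps the gateway password and the token out of URL logs
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream os = conn.getOutputStream()) { os.write(query.getBytes(StandardCharsets.UTF_8)); }
        return conn.getResponseCode();
    }
}
```

A queue manager in the style of the existing EmailQueueManager would wrap `send()` and only be invoked after the questions (and any captcha) have been passed, which is the cost control the thread asks for.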

GoogleCodeExporter commented 9 years ago
Since you didn't respond (comment #3), and our customer seems to be in a hurry, 
I decided to look into the code myself. At first I thought it would be 
difficult to change without thoroughly knowing the code, but it turned out to 
be less complex than I thought.

I've attached a diff for the change. Please have a look and test it. I've 
tested the code on my local system, applied some customer specific changes and 
it seems to work fine, now.

Original comment by menno.pi...@gmail.com on 12 Jan 2011 at 10:37


GoogleCodeExporter commented 9 years ago
Great patch! Committed as part of svn revision 102.

Original comment by jrivard on 16 Jan 2011 at 5:17