Create AuthorizationManagerFactories.multiFactor
Closes gh-18032
@@ -140,7 +140,7 @@ In many cases, this is cleared after the user is authenticated, to ensure that i
|
||||
* `authorities`: The <<servlet-authentication-granted-authority,`GrantedAuthority`>> instances are high-level permissions the user is granted.
|
||||
Two examples are roles and scopes.
|
||||
|
||||
It is also equipped with a `Builder` that allows you to mutate an existing `Authentication` instance and potentially merge it with another.
|
||||
It is also equipped with a `AdditionalRequiredFactorsBuilder` that allows you to mutate an existing `Authentication` instance and potentially merge it with another.
|
||||
This is useful in scenarios like taking the authorities from one authentication step, like form login, and applying them to another, like one-time-token login, like so:
|
||||
|
||||
include-code::./CopyAuthoritiesTests[tag=springSecurity,indent=0]
|
||||
|
||||
@@ -91,9 +91,10 @@ This instructs `DefaultAuthorizationManagerFactory` that any authorization rule
|
||||
<2> Publish `DefaultAuthorizationManagerFactory` as a Bean, so it is used globally
|
||||
|
||||
This should feel very similar to our previous example in xref:./mfa.adoc#authorization-manager-factory[].
|
||||
The difference is that in the previous example, the `Builder` is setting `DefaultAuthorization.additionalAuthorization` with a built in `AuthorizationManager` that always requires the same authorities.
|
||||
The difference is that in the previous example, the `AuthorizationManagerFactories` is setting `DefaultAuthorization.additionalAuthorization` with a built in `AuthorizationManager` that always requires the same authorities.
|
||||
|
||||
We can now define our authorization rules which are combined with `AdminMfaAuthorizationManager`.
|
||||
|
||||
include-code::./AdminMfaAuthorizationManagerConfiguration[tag=httpSecurity,indent=0]
|
||||
<1> URLs that begin with `/admin/**` require `ROLE_ADMIN`.
|
||||
If the username is `admin`, then `FACTOR_OTT` and `FACTOR_PASSWORD` are also required.
|
||||
|
||||
+3
-3
@@ -2,8 +2,8 @@ package org.springframework.security.docs.servlet.authentication.authorizationma
|
||||
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.authorization.AuthorizationManagerFactories;
|
||||
import org.springframework.security.authorization.AuthorizationManagerFactory;
|
||||
import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
|
||||
import org.springframework.security.config.Customizer;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
@@ -38,8 +38,8 @@ class UseAuthorizationManagerFactoryConfiguration {
|
||||
// tag::authorizationManagerFactoryBean[]
|
||||
@Bean
|
||||
AuthorizationManagerFactory<Object> authz() {
|
||||
return DefaultAuthorizationManagerFactory.builder()
|
||||
.requireAdditionalAuthorities(
|
||||
return AuthorizationManagerFactories.multiFactor()
|
||||
.requireFactors(
|
||||
FactorGrantedAuthority.PASSWORD_AUTHORITY,
|
||||
FactorGrantedAuthority.OTT_AUTHORITY
|
||||
)
|
||||
|
||||
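Review bot: The tagged `authorizationManagerFactoryBean` snippet gives no hint of how the two arguments to `.requireFactors(` combine, and the new name no longer says "additional" the way `requireAdditionalAuthorities` did. Because this bean is what the reference page includes, a one-line comment above the `return` would help readers, for example `// every authorization rule built by this factory also requires both factor authorities`. That wording assumes all listed factors must be present, which is how the surrounding reference text reads but is not visible in this hunk, so confirm it against the builder before adding it. The body of `authz()` continues past the end of the hunk.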
+3
-3
@@ -8,8 +8,8 @@ import jakarta.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.authorization.AuthorizationManagerFactories;
|
||||
import org.springframework.security.authorization.AuthorizationManagerFactory;
|
||||
import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
|
||||
import org.springframework.security.config.Customizer;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
@@ -48,8 +48,8 @@ class MissingAuthorityConfiguration {
|
||||
// tag::authorizationManagerFactoryBean[]
|
||||
@Bean
|
||||
AuthorizationManagerFactory<Object> authz() {
|
||||
return DefaultAuthorizationManagerFactory.builder()
|
||||
.requireAdditionalAuthorities(FactorGrantedAuthority.X509_AUTHORITY, FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY)
|
||||
return AuthorizationManagerFactories.multiFactor()
|
||||
.requireFactors(FactorGrantedAuthority.X509_AUTHORITY, FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY)
|
||||
.build();
|
||||
}
|
||||
// end::authorizationManagerFactoryBean[]
|
||||
|
||||
+3
-3
@@ -2,8 +2,8 @@ package org.springframework.security.docs.servlet.authentication.selectivemfa;
|
||||
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.authorization.AuthorizationManagerFactories;
|
||||
import org.springframework.security.authorization.AuthorizationManagerFactory;
|
||||
import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
|
||||
import org.springframework.security.config.Customizer;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
@@ -25,8 +25,8 @@ class SelectiveMfaConfiguration {
|
||||
// @formatter:off
|
||||
// <1>
|
||||
AuthorizationManagerFactory<Object> mfa =
|
||||
DefaultAuthorizationManagerFactory.<Object>builder()
|
||||
.requireAdditionalAuthorities(
|
||||
AuthorizationManagerFactories.<Object>multiFactor()
|
||||
.requireFactors(
|
||||
FactorGrantedAuthority.PASSWORD_AUTHORITY,
|
||||
FactorGrantedAuthority.OTT_AUTHORITY
|
||||
)
|
||||
|
||||
+3
-3
@@ -2,8 +2,8 @@ package org.springframework.security.kt.docs.servlet.authentication.authorizatio
|
||||
|
||||
import org.springframework.context.annotation.Bean
|
||||
import org.springframework.context.annotation.Configuration
|
||||
import org.springframework.security.authorization.AuthorizationManagerFactories
|
||||
import org.springframework.security.authorization.AuthorizationManagerFactory
|
||||
import org.springframework.security.authorization.DefaultAuthorizationManagerFactory
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
|
||||
import org.springframework.security.config.annotation.web.invoke
|
||||
@@ -38,8 +38,8 @@ internal class UseAuthorizationManagerFactoryConfiguration {
|
||||
// tag::authorizationManagerFactoryBean[]
|
||||
@Bean
|
||||
fun authz(): AuthorizationManagerFactory<Object> {
|
||||
return DefaultAuthorizationManagerFactory.builder<Object>()
|
||||
.requireAdditionalAuthorities(
|
||||
return AuthorizationManagerFactories.multiFactor<Object>()
|
||||
.requireFactors(
|
||||
FactorGrantedAuthority.PASSWORD_AUTHORITY,
|
||||
FactorGrantedAuthority.OTT_AUTHORITY
|
||||
)
|
||||
|
||||
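Review bot: `multiFactor<Object>()` on the new `return` line keeps `Object` as the type argument in Kotlin code, where `Any` is the idiomatic spelling and the compiler normally warns about using `java.lang.Object` directly. The same applies to the new `return AuthorizationManagerFactories.multiFactor<Object>()` in `MissingAuthorityConfiguration`, while `SelectiveMfaConfiguration` in this commit already uses `multiFactor<Any>()`. Suggest `return AuthorizationManagerFactories.multiFactor<Any>()` together with `fun authz(): AuthorizationManagerFactory<Any>` on the unchanged signature line, so the three Kotlin samples agree. The body of `authz()` continues past the end of the hunk.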
+3
-3
@@ -4,8 +4,8 @@ import jakarta.servlet.http.HttpServletRequest
|
||||
import jakarta.servlet.http.HttpServletResponse
|
||||
import org.springframework.context.annotation.Bean
|
||||
import org.springframework.context.annotation.Configuration
|
||||
import org.springframework.security.authorization.AuthorizationManagerFactories
|
||||
import org.springframework.security.authorization.AuthorizationManagerFactory
|
||||
import org.springframework.security.authorization.DefaultAuthorizationManagerFactory
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
|
||||
import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer
|
||||
@@ -54,8 +54,8 @@ internal class MissingAuthorityConfiguration {
|
||||
// tag::authorizationManagerFactoryBean[]
|
||||
@Bean
|
||||
fun authz(): AuthorizationManagerFactory<Object> {
|
||||
return DefaultAuthorizationManagerFactory.builder<Object>()
|
||||
.requireAdditionalAuthorities(
|
||||
return AuthorizationManagerFactories.multiFactor<Object>()
|
||||
.requireFactors(
|
||||
FactorGrantedAuthority.X509_AUTHORITY,
|
||||
FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY
|
||||
)
|
||||
|
||||
+3
-3
@@ -2,8 +2,8 @@ package org.springframework.security.kt.docs.servlet.authentication.selectivemfa
|
||||
|
||||
import org.springframework.context.annotation.Bean
|
||||
import org.springframework.context.annotation.Configuration
|
||||
import org.springframework.security.authorization.AuthorizationManagerFactories
|
||||
import org.springframework.security.authorization.AuthorizationManagerFactory
|
||||
import org.springframework.security.authorization.DefaultAuthorizationManagerFactory
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
|
||||
import org.springframework.security.config.annotation.web.invoke
|
||||
@@ -25,8 +25,8 @@ internal class SelectiveMfaConfiguration {
|
||||
// @formatter:off
|
||||
// <1>
|
||||
val mfa: AuthorizationManagerFactory<Any> =
|
||||
DefaultAuthorizationManagerFactory.builder<Any>()
|
||||
.requireAdditionalAuthorities(
|
||||
AuthorizationManagerFactories.multiFactor<Any>()
|
||||
.requireFactors(
|
||||
FactorGrantedAuthority.PASSWORD_AUTHORITY,
|
||||
FactorGrantedAuthority.OTT_AUTHORITY
|
||||
)
|
||||
|
||||