Support Customizer<AdditionalRequiredFactorsBuilder<Object>>>

Closes gh-18922
2026-05-22 21:33:16 +00:00 · 2026-03-11 15:03:08 -05:00
parent c71b178f63
commit bd7171140e
9 changed files with 316 additions and 3 deletions
@@ -37,6 +37,14 @@ Spring Security behind the scenes knows which endpoint to go to depending on whi
 If the user logged in initially with their username and password, then Spring Security redirects to the One-Time-Token Login page.
 If the user logged in initially with a token, then Spring Security redirects to the Username/Password Login page.

+[[mfa-when-custom-conditions]]
+=== Custom MFA Conditions
+
+You can also publish one or more `Customizer<AdditionalRequiredFactorsBuilder<Object>>` beans to customize the factory created by `@EnableMultiFactorAuthentication`.
+For example, you can conditionally apply MFA for specific users:
+
+include-code::./CustomizerAuthorizationManagerFactoryConfiguration[tag=customizer,indent=0]
+
 [[authorization-manager-factory]]
 == AuthorizationManagerFactory

@@ -48,6 +56,7 @@ The `AuthorizationManagerFactory` Bean below is what is published in the previou

 include-code::./UseAuthorizationManagerFactoryConfiguration[tag=authorizationManagerFactoryBean,indent=0]

+
 [[selective-mfa]]
 == Selectively Requiring MFA

@@ -47,6 +47,13 @@ class UseAuthorizationManagerFactoryConfiguration {
 	}
 	// end::authorizationManagerFactoryBean[]

+	// tag::customizer[]
+	@Bean
+	Customizer<AuthorizationManagerFactories.AdditionalRequiredFactorsBuilder<Object>> additionalRequiredFactorsCustomizer() {
+		return (builder) -> builder.when((auth) -> "admin".equals(auth.getName()));
+	}
+	// end::customizer[]
+
 	@Bean
 	UserDetailsService userDetailsService() {
 		return new InMemoryUserDetailsManager(
@@ -2,6 +2,7 @@ package org.springframework.security.docs.servlet.authentication.emfa;

 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authorization.AuthorizationManagerFactories;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.authorization.EnableMultiFactorAuthentication;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -4,6 +4,7 @@ import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.authorization.AuthorizationManagerFactories
 import org.springframework.security.authorization.AuthorizationManagerFactory
+import org.springframework.security.config.Customizer
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.invoke
@@ -47,6 +48,13 @@ internal class UseAuthorizationManagerFactoryConfiguration {
    }
    // end::authorizationManagerFactoryBean[]

+    // tag::customizer[]
+    @Bean
+    fun additionalRequiredFactorsCustomizer(): Customizer<AuthorizationManagerFactories.AdditionalRequiredFactorsBuilder<Any>> {
+        return Customizer { builder -> builder.`when` { auth -> "admin" == auth.name } }
+    }
+    // end::customizer[]
+
    @Suppress("DEPRECATION")
    @Bean
    fun userDetailsService(): UserDetailsService {
@@ -2,6 +2,8 @@ package org.springframework.security.kt.docs.servlet.authentication.emfa

 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
+import org.springframework.security.authorization.AuthorizationManagerFactories
+import org.springframework.security.config.Customizer
 import org.springframework.security.config.annotation.authorization.EnableMultiFactorAuthentication
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity