Update FormLogin+OTT to the Latest

Author: jzheaux

servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.adoc

@@ -0,0 +1,61 @@
+= Form Login + One-Time-Token Login MFA Sample
+
+This sample demonstrates Spring Security's support for multifactor authentication, specifically when using username/password and one-time-token as the two factors.
+
+[[usage]]
+== Usage
+
+To use the application, please run:
+
+[source,bash]
+----
+./gradlew :bootRun
+----
+
+You can then navigate to http://localhost:8080 where you will be presented with the default page, showing both the login and ott forms.
+
+You can start with either; once authenticated, you'll be asked to give the other as well.
+
+=== Username/Password Login
+
+The username/password is `user/password`.
+
+=== One-Time-Token Login
+
+The username is `user`.
+
+After clicking the submission button, you will be redirected to a page where you can enter the code given.
+You can find the code in the logs like so:
+
+[source,bash]
+----
+********************************************************
+
+Use this one-time token: 1319c31d-c5e0-4123-9b1f-3ffc34aba673
+
+********************************************************
+----
+
+== Configuring
+
+There are three profiles in this sample; `default`, `custom-pages`, and `elevated-security`.
+
+`default` is the arrangement described in <<usage>>.
+
+`custom-pages` shows the same, but with a custom page for login and a custom page for one-time-token.
+
+This can be launched with:
+
+[source,bash]
+----
+./gradlew :bootRun --args='spring.profiles.active=custom-pages'
+----
+
+`elevated-security` allows login with either, and will ask for one-time-token login for only the `/profile` page.
+
+This can be launched with:
+
+[source,bash]
+----
+./gradlew :bootRun --args='spring.profiles.active=elevated-security'
+----

servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.md

@@ -11,7 +11,6 @@ java {
 }
 
 repositories {
-	mavenLocal()
 	mavenCentral()
 	maven { url "https://repo.spring.io/milestone" }
 	maven { url "https://repo.spring.io/snapshot" }

servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle

@@ -1,15 +1,15 @@
 package org.example.magiclink;
 
-import jakarta.servlet.http.HttpServletRequest;
-
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
+import org.springframework.security.authorization.AuthorizationManagerFactory;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.core.Authentication;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
 
 @Profile("custom-pages")
 @Configuration(proxyBeanMethods = false)
@@ -18,33 +18,29 @@ public class CustomPagesSecurityConfig {
 	@Controller
 	@Profile("custom-pages")
 	static class LoginController {
-		@GetMapping("/login/form")
-		public String login() {
-			return "login";
-		}
-
-		@GetMapping("/commence/ott")
-		public String ott(HttpServletRequest request, Authentication authentication) {
-			if (authentication != null) {
-				request.setAttribute("username", authentication.getName());
-			}
-			return "ott";
+		@GetMapping("/auth/{path}")
+		public String auth(@PathVariable("path") String path) {
+			return path;
 		}
 	}
 
 	@Bean
 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
-			.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
-			.formLogin((form) -> form.loginPage("/login/form").permitAll())
-			.oneTimeTokenLogin((ott) -> ott.loginPage("/commence/ott").permitAll());
+			.authorizeHttpRequests((authorize) -> authorize
+				.requestMatchers("/auth/**").permitAll()
+				.anyRequest().authenticated()
+			)
+			.formLogin((form) -> form.loginPage("/auth/password"))
+			.oneTimeTokenLogin((ott) -> ott.loginPage("/auth/ott"));
 		// @formatter:on
 		return http.build();
 	}
 
 	@Bean
-	FactorAuthorizationManagerFactory authz() {
-		return new FactorAuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
+	AuthorizationManagerFactory<Object> factors() {
+		return DefaultAuthorizationManagerFactory.builder()
+			.requireAdditionalAuthorities("FACTOR_PASSWORD", "FACTOR_OTT").build();
 	}
 }

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java

@@ -19,6 +19,8 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
+import org.springframework.security.authorization.AuthorizationManagerFactory;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
@@ -39,8 +41,9 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 	}
 
 	@Bean
-	FactorAuthorizationManagerFactory authz() {
-		return new FactorAuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
+	AuthorizationManagerFactory<Object> factors() {
+		return DefaultAuthorizationManagerFactory.builder()
+				.requireAdditionalAuthorities("FACTOR_PASSWORD", "FACTOR_OTT").build();
 	}
 
 

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java

@@ -10,6 +10,7 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
 
 @Profile("elevated-security")
 @Configuration(proxyBeanMethods = false)
@@ -18,34 +19,26 @@ public class ElevatedSecurityPageSecurityConfig {
 	@Controller
 	@Profile("elevated-security")
 	static class LoginController {
-		@GetMapping("/login/form")
-		public String login() {
-			return "login";
-		}
-
-		@GetMapping("/commence/ott")
-		public String ott(HttpServletRequest request, Authentication authentication) {
-			if (authentication != null) {
-				request.setAttribute("username", authentication.getName());
-			}
-			return "ott";
+		@GetMapping("/auth/{path}")
+		public String auth(@PathVariable("path") String path) {
+			return path;
 		}
 	}
 
 	@Bean
 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
-			.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
-			.formLogin((form) -> form.loginPage("/login/form").permitAll())
-			.oneTimeTokenLogin((ott) -> ott.loginPage("/commence/ott").permitAll());
+			.authorizeHttpRequests((authorize) -> authorize
+				.requestMatchers("/auth/**").permitAll()
+				.requestMatchers("/profile").hasAuthority("FACTOR_OTT")
+				.anyRequest().authenticated()
+			)
+			.formLogin((form) -> form.loginPage("/auth/password"))
+			.oneTimeTokenLogin((ott) -> ott.loginPage("/auth/ott"));
 
 		// @formatter:on
 		return http.build();
 	}
 
-	@Bean
-	FactorAuthorizationManagerFactory authz() {
-		return new FactorAuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
-	}
 }

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java

@@ -38,8 +38,6 @@ public static void main(String[] args) {
 	@Controller
 	static class AppController {
 		@GetMapping("/profile")
-		@PreAuthorize("@authz.hasAuthority('profile:read')") 	// FIXME add hasAuthorityWithin once
-																// GrantedAuthority is timestamped
 		String profile() {
 			return "profile";
 		}

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/FactorAuthorizationManagerFactory.java

@@ -0,0 +1 @@
+logging.level.org.springframework.security: TRACE

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java

@@ -16,5 +16,6 @@
         </div>
         <h1>Hello Spring Security</h1>
         <p>This is a secured page</p>
+        <p>Visit the <a href="/profile">profile</a> page</p>
     </body>
 </html>