|
| 1 | += Adaptive Authentication |
| 2 | + |
| 3 | +Since authentication needs can vary from person-to-person and even from one login attempt to the next, Spring Security supports adapting authentication requirements to each situation. |
| 4 | + |
| 5 | +Some of the most common applications of this principal are: |
| 6 | + |
| 7 | +1. *Re-authentication* - Users need to provide authentication again in order to enter an area of elevated security |
| 8 | +2. *Multi-factor Authentication* - Users need more than one authentication mechanism to pass in order to access secured resources |
| 9 | +3. *Authorizing More Scopes* - Users are allowed to consent to a subset of scopes from an OAuth 2.0 Authorization Server. |
| 10 | +Then, if later on a scope that they did not grant is needed, consent can be re-requested for just that scope. |
| 11 | +4. *Opting-in to Stronger Authentication Mechanisms* - Users may not be ready yet to start using MFA, but the application wants to allow the subset of security-minded users to opt-in. |
| 12 | +5. *Requiring Additional Steps for Suspicious Logins* - The application may notice that the user's IP address has changed, that they are behind a VPN, or some other consideration that requires additional verification |
| 13 | +
|
| 14 | +[[re-authentication]] |
| 15 | +== Re-authentication |
| 16 | + |
| 17 | +The most common of these is re-authentication. |
| 18 | +Imagine an application configured in the following way: |
| 19 | + |
| 20 | +include-code::./SimpleConfiguration[tag=httpSecurity,indent=0] |
| 21 | + |
| 22 | +By default, this application has two authentication mechanisms that it allows, meaning that the user could use either one and be fully-authenticated. |
| 23 | + |
| 24 | +If there is a set of endpoints that require a specific factor, we can specify that in `authorizeHttpRequests` as follows: |
| 25 | + |
| 26 | +include-code::./RequireOttConfiguration[tag=httpSecurity,indent=0] |
| 27 | +<1> - States that all `/profile/**` endpoints require one-time-token login to be authorized |
| 28 | + |
| 29 | +Given the above configuration, users can log in with any mechanism that you support. |
| 30 | +And, if they want to visit the profile page, then Spring Security will redirect them to the One-Time-Token Login page to obtain it. |
| 31 | + |
| 32 | +In this way, the authority given to a user is directly proportional to the amount of proof given. |
| 33 | +This adaptive approach allows users to give only the proof needed to perform their intended operations. |
| 34 | + |
| 35 | +[[multi-factor-authentication]] |
| 36 | +== Multi-Factor Authentication |
| 37 | + |
| 38 | +You may require that all users require both One-Time-Token login and Username/Password login to access any part of your site. |
| 39 | + |
| 40 | +To require both, you can state an authorization rule with `anyRequest` like so: |
| 41 | + |
| 42 | +include-code::./ListAuthoritiesConfiguration[tag=httpSecurity,indent=0] |
| 43 | +<1> - This states that both `FACTOR_PASSWORD` and `FACTOR_OTT` are needed to use any part of the application |
| 44 | + |
| 45 | +Spring Security behind the scenes knows which endpoint to go to depending on which authority is missing. |
| 46 | +If the user logged in initially with their username and password, then Spring Security redirects to the One-Time-Token Login page. |
| 47 | +If the user logged in initially with a token, then Spring Security redirects to the Username/Password Login page. |
| 48 | + |
| 49 | +[[authorization-manager-factory]] |
| 50 | +=== Requiring MFA For All Endpoints |
| 51 | + |
| 52 | +Specifying all authorities for each request pattern could be unwanted boilerplate: |
| 53 | + |
| 54 | +include-code::./ListAuthoritiesEverywhereConfiguration[tag=httpSecurity,indent=0] |
| 55 | +<1> - Since all authorities need to be specified for each endpoint, deploying MFA in this way can create unwanted boilerplate |
| 56 | + |
| 57 | +This can be remedied by publishing an `AuthorizationManagerFactory` bean like so: |
| 58 | + |
| 59 | +include-code::./UseAuthorizationManagerFactoryConfiguration[tag=authorizationManagerFactoryBean,indent=0] |
| 60 | + |
| 61 | +This yields a more familiar configuration: |
| 62 | + |
| 63 | +include-code::./UseAuthorizationManagerFactoryConfiguration[tag=httpSecurity,indent=0] |
| 64 | + |
| 65 | +[[obtaining-more-authorization]] |
| 66 | +== Authorizing More Scopes |
| 67 | + |
| 68 | +You can also configure exception handling to direct Spring Security on how to obtain a missing scope. |
| 69 | + |
| 70 | +Consider an application that requires a specific OAuth 2.0 scope for a given endpoint: |
| 71 | + |
| 72 | +include-code::./ScopeConfiguration[tag=httpSecurity,indent=0] |
| 73 | + |
| 74 | +If this is also configured with an `AuthorizationManagerFactory` bean like this one: |
| 75 | + |
| 76 | +include-code::./MissingAuthorityConfiguration[tag=authorizationManagerFactoryBean,indent=0] |
| 77 | + |
| 78 | +Then the application will require an X.509 certificate as well as authorization from an OAuth 2.0 authorization server. |
| 79 | + |
| 80 | +In the event that the user does not consent to `profile:read`, this application as it stands will issue a 403. |
| 81 | +However, if you have a way for the application to re-ask for consent, then you can implement this in an `AuthenticationEntryPoint` like the following: |
| 82 | + |
| 83 | +include-code::./MissingAuthorityConfiguration[tag=authenticationEntryPoint,indent=0] |
| 84 | + |
| 85 | +Then, your filter chain declaration can bind this entry point to the given authority like so: |
| 86 | + |
| 87 | +include-code::./MissingAuthorityConfiguration[tag=httpSecurity,indent=0] |
| 88 | + |
| 89 | +[[custom-authorization-manager-factory]] |
| 90 | +== Programmatically Decide Which Authorities Are Required |
| 91 | + |
| 92 | +`AuthorizationManager` is the core interface for making authorization decisions. |
| 93 | +Consider an authorization manager that looks at the logged in user to decide which factors are necessary: |
| 94 | + |
| 95 | +include-code::./CustomAuthorizationManagerFactory[tag=authorizationManager,indent=0] |
| 96 | + |
| 97 | +In this case, using One-Time-Token is only required for those who have opted in. |
| 98 | + |
| 99 | +This can then be enforced by a custom `AuthorizationManagerFactory` implementation: |
| 100 | + |
| 101 | +include-code::./CustomAuthorizationManagerFactory[tag=authorizationManagerFactory,indent=0] |
0 commit comments