Add MFA to Existing Authentication Mechanisms

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java

@@ -72,6 +72,8 @@
 public final class FormLoginConfigurer<H extends HttpSecurityBuilder<H>> extends
 		AbstractAuthenticationFilterConfigurer<H, FormLoginConfigurer<H>, UsernamePasswordAuthenticationFilter> {
 
+	private MfaConfigurer<H> mfa;
+
 	/**
 	 * Creates a new instance
 	 * @see HttpSecurity#formLogin(Customizer)
@@ -227,8 +229,20 @@ public FormLoginConfigurer<H> successForwardUrl(String forwardUrl) {
 		return this;
 	}
 
+	public FormLoginConfigurer<H> factor(Customizer<MfaConfigurer<H>> customizer) {
+		if (this.mfa == null) {
+			this.mfa = new MfaConfigurer<>("AUTHN_FORM", this);
+			this.mfa.authenticationEntryPoint(this::getAuthenticationEntryPoint);
+		}
+		customizer.customize(this.mfa);
+		return this;
+	}
+
 	@Override
 	public void init(H http) throws Exception {
+		if (this.mfa != null) {
+			this.mfa.init(http);
+		}
 		super.init(http);
 		initDefaultLoginFilter(http);
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java

@@ -89,6 +89,8 @@ public final class HttpBasicConfigurer<B extends HttpSecurityBuilder<B>>
 
 	private static final String DEFAULT_REALM = "Realm";
 
+	private MfaConfigurer<B> mfa;
+
 	private AuthenticationEntryPoint authenticationEntryPoint;
 
 	private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource;
@@ -161,8 +163,20 @@ public HttpBasicConfigurer<B> securityContextRepository(SecurityContextRepositor
 		return this;
 	}
 
+	public HttpBasicConfigurer<B> factor(Customizer<MfaConfigurer<B>> customizer) {
+		if (this.mfa == null) {
+			this.mfa = new MfaConfigurer<>("AUTHN_BASIC", this);
+			this.mfa.authenticationEntryPoint(() -> this.authenticationEntryPoint);
+		}
+		customizer.customize(this.mfa);
+		return this;
+	}
+
 	@Override
 	public void init(B http) {
+		if (this.mfa != null) {
+			this.mfa.init(http);
+		}
 		registerDefaults(http);
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java

@@ -26,9 +26,11 @@
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
+import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.web.authentication.ui.DefaultResourcesFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@@ -59,6 +61,8 @@
 public class WebAuthnConfigurer<H extends HttpSecurityBuilder<H>>
 		extends AbstractHttpConfigurer<WebAuthnConfigurer<H>, H> {
 
+	private MfaConfigurer<H> mfa;
+
 	private String rpId;
 
 	private String rpName;
@@ -151,6 +155,22 @@ public WebAuthnConfigurer<H> creationOptionsRepository(
 		return this;
 	}
 
+	public WebAuthnConfigurer<H> factor(Customizer<MfaConfigurer<H>> customizer) {
+		if (this.mfa == null) {
+			this.mfa = new MfaConfigurer<>("AUTHN_WEBAUTHN", this)
+				.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));
+		}
+		customizer.customize(this.mfa);
+		return this;
+	}
+
+	@Override
+	public void init(H http) throws Exception {
+		if (this.mfa != null) {
+			this.mfa.init(http);
+		}
+	}
+
 	@Override
 	public void configure(H http) throws Exception {
 		UserDetailsService userDetailsService = getSharedOrBean(http, UserDetailsService.class)

config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java

@@ -37,6 +37,7 @@
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
 import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
+import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 
 /**
  * Adds X509 based pre authentication to an application. Since validating the certificate
@@ -80,6 +81,8 @@
 public final class X509Configurer<H extends HttpSecurityBuilder<H>>
 		extends AbstractHttpConfigurer<X509Configurer<H>, H> {
 
+	private MfaConfigurer<H> mfa;
+
 	private X509AuthenticationFilter x509AuthenticationFilter;
 
 	private X509PrincipalExtractor x509PrincipalExtractor;
@@ -173,12 +176,27 @@ public X509Configurer<H> subjectPrincipalRegex(String subjectPrincipalRegex) {
 		return this;
 	}
 
+	public X509Configurer<H> factor(Customizer<MfaConfigurer<H>> customizer) {
+		if (this.mfa == null) {
+			this.mfa = new MfaConfigurer<>("AUTHN_X509", this);
+		}
+		customizer.customize(this.mfa);
+		return this;
+	}
+
 	@Override
 	public void init(H http) {
 		PreAuthenticatedAuthenticationProvider authenticationProvider = new PreAuthenticatedAuthenticationProvider();
 		authenticationProvider.setPreAuthenticatedUserDetailsService(getAuthenticationUserDetailsService(http));
 		http.authenticationProvider(authenticationProvider)
 			.setSharedObject(AuthenticationEntryPoint.class, new Http403ForbiddenEntryPoint());
+		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
+		if (exceptions != null) {
+			exceptions.defaultAuthenticationEntryPointFor(new Http403ForbiddenEntryPoint(), AnyRequestMatcher.INSTANCE);
+		}
+		if (this.mfa != null) {
+			this.mfa.init(http);
+		}
 	}
 
 	@Override

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java

@@ -41,6 +41,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.MfaConfigurer;
 import org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer;
 import org.springframework.security.context.DelegatingApplicationListener;
 import org.springframework.security.core.Authentication;
@@ -172,6 +173,8 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 
 	private final UserInfoEndpointConfig userInfoEndpointConfig = new UserInfoEndpointConfig();
 
+	private MfaConfigurer<B> mfa;
+
 	private String loginPage;
 
 	private String loginProcessingUrl = OAuth2LoginAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI;
@@ -305,8 +308,20 @@ public OAuth2LoginConfigurer<B> userInfoEndpoint(Customizer<UserInfoEndpointConf
 		return this;
 	}
 
+	public OAuth2LoginConfigurer<B> factor(Customizer<MfaConfigurer<B>> customizer) {
+		if (this.mfa == null) {
+			this.mfa = new MfaConfigurer<>("AUTHN_OAUTH2", this);
+			this.mfa.authenticationEntryPoint(this::getAuthenticationEntryPoint);
+		}
+		customizer.customize(this.mfa);
+		return this;
+	}
+
 	@Override
 	public void init(B http) throws Exception {
+		if (this.mfa != null) {
+			this.mfa.init(http);
+		}
 		OAuth2LoginAuthenticationFilter authenticationFilter = new OAuth2LoginAuthenticationFilter(
 				this.getClientRegistrationRepository(), this.getAuthorizedClientRepository(), this.loginProcessingUrl);
 		RequestMatcher processUri = getRequestMatcherBuilder().matcher(this.loginProcessingUrl);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java

@@ -36,6 +36,7 @@
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
+import org.springframework.security.config.annotation.web.configurers.MfaConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
@@ -161,6 +162,8 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 	private static final RequestHeaderRequestMatcher X_REQUESTED_WITH = new RequestHeaderRequestMatcher(
 			"X-Requested-With", "XMLHttpRequest");
 
+	private MfaConfigurer<H> mfa;
+
 	private final ApplicationContext context;
 
 	private AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver;
@@ -249,8 +252,20 @@ public OAuth2ResourceServerConfigurer<H> opaqueToken(Customizer<OpaqueTokenConfi
 		return this;
 	}
 
+	public OAuth2ResourceServerConfigurer<H> factor(Customizer<MfaConfigurer<H>> customizer) {
+		if (this.mfa == null) {
+			this.mfa = new MfaConfigurer<>("AUTHN_BEARER", this);
+			this.mfa.authenticationEntryPoint(() -> this.authenticationEntryPoint);
+		}
+		customizer.customize(this.mfa);
+		return this;
+	}
+
 	@Override
 	public void init(H http) {
+		if (this.mfa != null) {
+			this.mfa.init(http);
+		}
 		validateConfiguration();
 		registerDefaultAccessDeniedHandler(http);
 		registerDefaultEntryPoint(http);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java

@@ -35,11 +35,14 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.MfaConfigurer;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.PostAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.ott.DefaultGenerateOneTimeTokenRequestResolver;
@@ -104,6 +107,8 @@ public final class OneTimeTokenLoginConfigurer<H extends HttpSecurityBuilder<H>>
 
 	private final ApplicationContext context;
 
+	private MfaConfigurer<H> mfa;
+
 	private OneTimeTokenService oneTimeTokenService;
 
 	private String defaultSubmitPageUrl = DefaultOneTimeTokenSubmitPageGeneratingFilter.DEFAULT_SUBMIT_PAGE_URL;
@@ -127,6 +132,9 @@ public OneTimeTokenLoginConfigurer(ApplicationContext context) {
 
 	@Override
 	public void init(H http) throws Exception {
+		if (this.mfa != null) {
+			this.mfa.init(http);
+		}
 		if (getLoginProcessingUrl() == null) {
 			loginProcessingUrl(OneTimeTokenAuthenticationFilter.DEFAULT_LOGIN_PROCESSING_URL);
 		}
@@ -359,6 +367,20 @@ public OneTimeTokenLoginConfigurer<H> generateRequestResolver(GenerateOneTimeTok
 		return this;
 	}
 
+	public OneTimeTokenLoginConfigurer<H> factor(Customizer<MfaConfigurer<H>> customizer) {
+		if (this.mfa == null) {
+			this.mfa = new MfaConfigurer<>("AUTHN_OTT", this);
+			this.mfa.authenticationEntryPoint(this::getPostAuthenticationEntryPoint);
+		}
+		customizer.customize(this.mfa);
+		return this;
+	}
+
+	private AuthenticationEntryPoint getPostAuthenticationEntryPoint() {
+		String postUrl = this.tokenGeneratingUrl + "?username={u}";
+		return new PostAuthenticationEntryPoint(postUrl, Map.of("u", Authentication::getName));
+	}
+
 	private GenerateOneTimeTokenRequestResolver getGenerateRequestResolver() {
 		if (this.requestResolver != null) {
 			return this.requestResolver;

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

@@ -33,6 +33,7 @@
 import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
+import org.springframework.security.config.annotation.web.configurers.MfaConfigurer;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
 import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
@@ -121,6 +122,8 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 
 	private static final boolean USE_OPENSAML_5 = Version.getVersion().startsWith("5");
 
+	private MfaConfigurer<B> mfa;
+
 	private String loginPage;
 
 	private String authenticationRequestUri = "/saml2/authenticate";
@@ -256,6 +259,15 @@ public Saml2LoginConfigurer<B> loginProcessingUrl(String loginProcessingUrl) {
 		return this;
 	}
 
+	public Saml2LoginConfigurer<B> factor(Customizer<MfaConfigurer<B>> customizer) {
+		if (this.mfa == null) {
+			this.mfa = new MfaConfigurer<>("AUTHN_SAML2", this);
+			this.mfa.authenticationEntryPoint(this::getAuthenticationEntryPoint);
+		}
+		customizer.customize(this.mfa);
+		return this;
+	}
+
 	@Override
 	protected RequestMatcher createLoginProcessingUrlMatcher(String loginProcessingUrl) {
 		return getRequestMatcherBuilder().matcher(loginProcessingUrl);
@@ -276,6 +288,9 @@ protected RequestMatcher createLoginProcessingUrlMatcher(String loginProcessingU
 	 */
 	@Override
 	public void init(B http) throws Exception {
+		if (this.mfa != null) {
+			this.mfa.init(http);
+		}
 		registerDefaultCsrfOverride(http);
 		relyingPartyRegistrationRepository(http);
 		this.saml2WebSsoAuthenticationFilter = new Saml2WebSsoAuthenticationFilter(getAuthenticationConverter(http));