spring-projects
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java
Lines changed: 2 additions & 0 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java
Lines changed: 2 additions & 0 deletions
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java
Lines changed: 6 additions & 0 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java
Lines changed: 6 additions & 0 deletions
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
Lines changed: 9 additions & 1 deletion b/‎config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
Lines changed: 9 additions & 1 deletion
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java
Lines changed: 304 additions & 0 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java
Lines changed: 304 additions & 0 deletions
@@ -32,6 +32,7 @@
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
+import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationFilter;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
@@ -150,6 +151,7 @@ public interface HttpSecurityBuilder<H extends HttpSecurityBuilder<H>>
 	 * {@docRoot}/org/springframework/security/cas/web/CasAuthenticationFilter.html">CasAuthenticationFilter</a></li>
 	 * <li>{@link org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter}</li>
 	 * <li>{@link org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter}</li>
+	 * <li>{@link OneTimeTokenAuthenticationFilter}</li>
 	 * <li>{@link UsernamePasswordAuthenticationFilter}</li>
 	 * <li>{@link org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter}</li>
 	 * <li>{@link org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter}</li>
 
@@ -29,12 +29,15 @@
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
+import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationFilter;
+import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationRequestFilter;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
 import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter;
+import org.springframework.security.web.authentication.ui.DefaultOneTimeTokenSubmitPageGeneratingFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.authentication.www.DigestAuthenticationFilter;
 import org.springframework.security.web.context.SecurityContextHolderFilter;
@@ -87,6 +90,7 @@ final class FilterOrderRegistration {
 		this.filterToOrder.put(
 				"org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter",
 				order.next());
+		put(OneTimeTokenAuthenticationRequestFilter.class, order.next());
 		put(X509AuthenticationFilter.class, order.next());
 		put(AbstractPreAuthenticatedProcessingFilter.class, order.next());
 		this.filterToOrder.put("org.springframework.security.cas.web.CasAuthenticationFilter", order.next());
@@ -95,10 +99,12 @@ final class FilterOrderRegistration {
 		this.filterToOrder.put(
 				"org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter",
 				order.next());
+		put(OneTimeTokenAuthenticationFilter.class, order.next());
 		put(UsernamePasswordAuthenticationFilter.class, order.next());
 		order.next(); // gh-8105
 		put(DefaultLoginPageGeneratingFilter.class, order.next());
 		put(DefaultLogoutPageGeneratingFilter.class, order.next());
+		put(DefaultOneTimeTokenSubmitPageGeneratingFilter.class, order.next());
 		put(ConcurrentSessionFilter.class, order.next());
 		put(DigestAuthenticationFilter.class, order.next());
 		this.filterToOrder.put(
 
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -72,6 +72,7 @@
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OidcLogoutConfigurer;
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
+import org.springframework.security.config.annotation.web.configurers.ott.OneTimeTokenLoginConfigurer;
 import org.springframework.security.config.annotation.web.configurers.saml2.Saml2LoginConfigurer;
 import org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer;
 import org.springframework.security.config.annotation.web.configurers.saml2.Saml2MetadataConfigurer;
@@ -2978,6 +2979,13 @@ public HttpSecurity oauth2ResourceServer(
 		return HttpSecurity.this;
 	}
 
+	public HttpSecurity oneTimeTokenLogin(
+			Customizer<OneTimeTokenLoginConfigurer<HttpSecurity>> oneTimeTokenLoginConfigurerCustomizer)
+			throws Exception {
+		oneTimeTokenLoginConfigurerCustomizer.customize(getOrApply(new OneTimeTokenLoginConfigurer<>(getContext())));
+		return HttpSecurity.this;
+	}
+
 	/**
 	 * Configures channel security. In order for this configuration to be useful at least
 	 * one mapping to a required channel must be provided.
 
@@ -0,0 +1,304 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.configurers.ott;
+
+import java.util.Collections;
+import java.util.Map;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+import org.springframework.beans.factory.NoSuchBeanDefinitionException;
+import org.springframework.context.ApplicationContext;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.ott.InMemoryOneTimeTokenService;
+import org.springframework.security.authentication.ott.OneTimeToken;
+import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationProvider;
+import org.springframework.security.authentication.ott.OneTimeTokenSender;
+import org.springframework.security.authentication.ott.OneTimeTokenService;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationConverter;
+import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationFilter;
+import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationRequestFilter;
+import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
+import org.springframework.security.web.authentication.ui.DefaultOneTimeTokenSubmitPageGeneratingFilter;
+import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.util.Assert;
+
+import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;
+
+public final class OneTimeTokenLoginConfigurer<H extends HttpSecurityBuilder<H>>
+		extends AbstractHttpConfigurer<OneTimeTokenLoginConfigurer<H>, H> {
+
+	private final ApplicationContext context;
+
+	private OneTimeTokenService oneTimeTokenService;
+
+	private AuthenticationConverter authenticationConverter = new OneTimeTokenAuthenticationConverter();
+
+	private AuthenticationFailureHandler authenticationFailureHandler;
+
+	private AuthenticationSuccessHandler authenticationSuccessHandler = new SavedRequestAwareAuthenticationSuccessHandler();
+
+	private OneTimeTokenSender oneTimeTokenSender;
+
+	private String submitPageUrl = "/login/ott";
+
+	private boolean submitPageEnabled = true;
+
+	private String loginProcessingUrl = "/login/ott";
+
+	private String authenticationRequestUrl = "/ott/authenticate";
+
+	private String authenticationRequestRedirectUrl = "/login/ott";
+
+	public OneTimeTokenLoginConfigurer(ApplicationContext context) {
+		this.context = context;
+	}
+
+	@Override
+	public void init(H http) {
+		UserDetailsService userDetailsService = getContext().getBean(UserDetailsService.class);
+		OneTimeTokenAuthenticationProvider authenticationProvider = new OneTimeTokenAuthenticationProvider(
+				getOneTimeTokenService(http), userDetailsService);
+		http.authenticationProvider(postProcess(authenticationProvider));
+		configureDefaultLoginPage(http);
+	}
+
+	private void configureDefaultLoginPage(H http) {
+		DefaultLoginPageGeneratingFilter loginPageGeneratingFilter = http
+				.getSharedObject(DefaultLoginPageGeneratingFilter.class);
+		if (loginPageGeneratingFilter == null) {
+			return;
+		}
+		loginPageGeneratingFilter.setOneTimeTokenEnabled(true);
+		if (this.authenticationFailureHandler == null) {
+			this.authenticationFailureHandler = new SimpleUrlAuthenticationFailureHandler(loginPageGeneratingFilter.getLoginPageUrl() + "?error");
+		}
+	}
+
+	@Override
+	public void configure(H http) {
+		configureSubmitPage(http);
+		configureOttAuthenticationRequestFilter(http);
+		configureOttAuthenticationFilter(http);
+	}
+
+	private void configureOttAuthenticationFilter(H http) {
+		AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
+		OneTimeTokenAuthenticationFilter oneTimeTokenAuthenticationFilter = new OneTimeTokenAuthenticationFilter(
+				authenticationManager, this.authenticationConverter);
+		oneTimeTokenAuthenticationFilter.setRequestMatcher(antMatcher(HttpMethod.POST, this.loginProcessingUrl));
+		oneTimeTokenAuthenticationFilter.setFailureHandler(getAuthenticationFailureHandler());
+		oneTimeTokenAuthenticationFilter.setSuccessHandler(this.authenticationSuccessHandler);
+		http.addFilter(postProcess(oneTimeTokenAuthenticationFilter));
+	}
+
+	private void configureOttAuthenticationRequestFilter(H http) {
+		OneTimeTokenAuthenticationRequestFilter authenticationRequestFilter = new OneTimeTokenAuthenticationRequestFilter(
+				getOneTimeTokenService(http), getOneTimeTokenSender(http));
+		authenticationRequestFilter.setRedirectUrl(this.authenticationRequestRedirectUrl);
+		authenticationRequestFilter.setRequestMatcher(antMatcher(HttpMethod.GET, this.authenticationRequestUrl));
+		http.addFilter(postProcess(authenticationRequestFilter));
+	}
+
+	private void configureSubmitPage(H http) {
+		if (!this.submitPageEnabled) {
+			return;
+		}
+		DefaultOneTimeTokenSubmitPageGeneratingFilter submitPage = new DefaultOneTimeTokenSubmitPageGeneratingFilter();
+		submitPage.setResolveHiddenInputs(this::hiddenInputs);
+		submitPage.setRequestMatcher(antMatcher(HttpMethod.GET, this.submitPageUrl));
+		submitPage.setLoginProcessingUrl(this.loginProcessingUrl);
+		http.addFilter(postProcess(submitPage));
+	}
+
+	/**
+	 * Specifies the URL that a One-Time Token authentication request will be processed.
+	 * Defaults to {@code POST /ott/authenticate}.
+	 * @param authenticationRequestUrl
+	 */
+	public void authenticationRequestUrl(String authenticationRequestUrl) {
+		Assert.hasText(authenticationRequestUrl, "authenticationRequestUrl cannot be null or empty");
+		this.authenticationRequestUrl = authenticationRequestUrl;
+	}
+
+	/**
+	 * Specifies the URL that the user-agent will be redirected after a successful One-Time Token authentication.
+	 * Defaults to {@code POST /login/ott}. If you are using the default submit page make sure that you also
+	 * configure {@link #submitPageUrl(String)} to this same URL.
+	 * @param authenticationRequestRedirectUrl
+	 */
+	public void authenticationRequestRedirectUrl(String authenticationRequestRedirectUrl) {
+		Assert.hasText(authenticationRequestRedirectUrl, "authenticationRequestRedirectUrl cannot be null or empty");
+		this.authenticationRequestRedirectUrl = authenticationRequestRedirectUrl;
+	}
+
+	/**
+	 * Specifies the URL to process the login request, defaults to {@code /login/ott}. Only POST requests are processed, for that
+	 * reason make sure that you pass a valid CSRF token if CSRF protection is enabled.
+	 * @param loginProcessingUrl
+	 * @see org.springframework.security.config.annotation.web.builders.HttpSecurity#csrf(Customizer)
+	 */
+	public void loginProcessingUrl(String loginProcessingUrl) {
+		Assert.hasText(loginProcessingUrl, "loginProcessingUrl cannot be null or empty");
+		this.loginProcessingUrl = loginProcessingUrl;
+	}
+
+	/**
+	 * Configures whether the default one-time token submit page should be shown.
+	 * This will prevent the {@link DefaultOneTimeTokenSubmitPageGeneratingFilter} to be configured.
+	 * @param show
+	 */
+	public void showSubmitPage(boolean show) {
+		this.submitPageEnabled = show;
+	}
+
+	/**
+	 * Sets the URL that the default submit page will be generated. Defaults to {@code /login/ott}.
+	 * Note that if you don't want to generate the default submit page you should use {@link #showSubmitPage(boolean)}.
+	 * @param submitPageUrl
+	 */
+	public void submitPageUrl(String submitPageUrl) {
+		Assert.hasText(submitPageUrl, "submitPageUrl cannot be null or empty");
+		this.submitPageUrl = submitPageUrl;
+	}
+
+	/**
+	 * Specifies the {@link OneTimeTokenSender} to send the generated {@link OneTimeToken}
+	 * to the user
+	 * @param oneTimeTokenSender
+	 */
+	public void oneTimeTokenSender(OneTimeTokenSender oneTimeTokenSender) {
+		Assert.notNull(oneTimeTokenSender, "oneTimeTokenSender cannot be null");
+		this.oneTimeTokenSender = oneTimeTokenSender;
+	}
+
+	/**
+	 * Configures the {@link OneTimeTokenService} used to generate and consume
+	 * {@link OneTimeToken}
+	 *
+	 * @param oneTimeTokenService
+	 */
+	public void oneTimeTokenService(OneTimeTokenService oneTimeTokenService) {
+		Assert.notNull(oneTimeTokenService, "oneTimeTokenService cannot be null");
+		this.oneTimeTokenService = oneTimeTokenService;
+	}
+
+	/**
+	 * Use this {@link AuthenticationConverter} when converting incoming requests to an
+	 * {@link Authentication}. By default, the {@link OneTimeTokenAuthenticationConverter}
+	 * is used.
+	 *
+	 * @param authenticationConverter the {@link AuthenticationConverter} to use
+	 */
+	public void authenticationConverter(AuthenticationConverter authenticationConverter) {
+		Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
+		this.authenticationConverter = authenticationConverter;
+	}
+
+	/**
+	 * Specifies the {@link AuthenticationFailureHandler} to use when authentication
+	 * fails. The default is redirecting to "/login?error" using
+	 * {@link SimpleUrlAuthenticationFailureHandler}
+	 *
+	 * @param authenticationFailureHandler the {@link AuthenticationFailureHandler} to use
+	 *                                     when authentication fails.
+	 */
+	public void authenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
+		Assert.notNull(authenticationFailureHandler, "authenticationFailureHandler cannot be null");
+		this.authenticationFailureHandler = authenticationFailureHandler;
+	}
+
+	/**
+	 * Specifies the {@link AuthenticationSuccessHandler} to be used. The default is
+	 * {@link SavedRequestAwareAuthenticationSuccessHandler} with no additional properties
+	 * set.
+	 *
+	 * @param authenticationSuccessHandler the {@link AuthenticationSuccessHandler}.
+	 */
+	public void authenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) {
+		Assert.notNull(authenticationSuccessHandler, "authenticationSuccessHandler cannot be null");
+		this.authenticationSuccessHandler = authenticationSuccessHandler;
+	}
+
+	private AuthenticationFailureHandler getAuthenticationFailureHandler() {
+		if (this.authenticationFailureHandler != null) {
+			return this.authenticationFailureHandler;
+		}
+		this.authenticationFailureHandler = new SimpleUrlAuthenticationFailureHandler("/login?error");
+		return this.authenticationFailureHandler;
+	}
+
+	private OneTimeTokenService getOneTimeTokenService(H http) {
+		if (this.oneTimeTokenService != null) {
+			return this.oneTimeTokenService;
+		}
+		OneTimeTokenService bean = getBeanOrNull(http, OneTimeTokenService.class);
+		if (bean != null) {
+			this.oneTimeTokenService = bean;
+		} else {
+			this.oneTimeTokenService = new InMemoryOneTimeTokenService();
+		}
+		return this.oneTimeTokenService;
+	}
+
+	private OneTimeTokenSender getOneTimeTokenSender(H http) {
+		if (this.oneTimeTokenSender != null) {
+			return this.oneTimeTokenSender;
+		}
+		OneTimeTokenSender bean = getBeanOrNull(http, OneTimeTokenSender.class);
+		if (bean == null) {
+			throw new IllegalStateException("A OneTimeTokenSender is required for oneTimeTokenLogin(). "
+					+ "Please define a bean or pass an instance to the DSL.");
+		}
+		this.oneTimeTokenSender = bean;
+		return this.oneTimeTokenSender;
+	}
+
+	private <C> C getBeanOrNull(H http, Class<C> clazz) {
+		ApplicationContext context = http.getSharedObject(ApplicationContext.class);
+		if (context == null) {
+			return null;
+		}
+		try {
+			return context.getBean(clazz);
+		} catch (NoSuchBeanDefinitionException ex) {
+			return null;
+		}
+	}
+
+	private Map<String, String> hiddenInputs(HttpServletRequest request) {
+		CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
+		return (token != null) ? Collections.singletonMap(token.getParameterName(), token.getToken())
+				: Collections.emptyMap();
+	}
+
+	public ApplicationContext getContext() {
+		return this.context;
+	}
+
+}