Polish Default Login Page

Issue gh-17901

Author: jzheaux

config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java

@@ -402,7 +402,7 @@ void requestWhenUnauthenticatedThenRequiresTwoSteps() throws Exception {
 		UserDetails user = PasswordEncodedUser.user();
 		this.mockMvc.perform(get("/profile").with(user(user)))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login?authority=FACTOR_PASSWORD"));
+			.andExpect(redirectedUrl("http://localhost/login?factor=password"));
 		this.mockMvc
 			.perform(post("/ott/generate").param("username", "rod")
 				.with(user(user))
@@ -418,11 +418,11 @@ void requestWhenUnauthenticatedThenRequiresTwoSteps() throws Exception {
 		user = PasswordEncodedUser.withUserDetails(user).authorities("profile:read", "FACTOR_OTT").build();
 		this.mockMvc.perform(get("/profile").with(user(user)))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login?authority=FACTOR_PASSWORD"));
+			.andExpect(redirectedUrl("http://localhost/login?factor=password"));
 		user = PasswordEncodedUser.withUserDetails(user).authorities("profile:read", "FACTOR_PASSWORD").build();
 		this.mockMvc.perform(get("/profile").with(user(user)))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login?authority=FACTOR_OTT"));
+			.andExpect(redirectedUrl("http://localhost/login?factor=ott"));
 		user = PasswordEncodedUser.withUserDetails(user)
 			.authorities("profile:read", "FACTOR_PASSWORD", "FACTOR_OTT")
 			.build();
@@ -431,14 +431,14 @@ void requestWhenUnauthenticatedThenRequiresTwoSteps() throws Exception {
 
 	@Test
 	void requestWhenUnauthenticatedX509ThenRequiresTwoSteps() throws Exception {
-		this.spring.register(MfaDslX509Config.class, UserConfig.class, org.springframework.security.config.annotation.web.configurers.FormLoginConfigurerTests.BasicMfaController.class).autowire();
+		this.spring.register(MfaDslX509Config.class, UserConfig.class, BasicMfaController.class).autowire();
 		this.mockMvc.perform(get("/profile")).andExpect(status().isForbidden());
 		this.mockMvc.perform(get("/profile").with(user(User.withUsername("rod").authorities("profile:read").build())))
 			.andExpect(status().isForbidden());
 		this.mockMvc.perform(get("/login")).andExpect(status().isOk());
 		this.mockMvc.perform(get("/profile").with(SecurityMockMvcRequestPostProcessors.x509("rod.cer")))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login?authority=FACTOR_PASSWORD"));
+			.andExpect(redirectedUrl("http://localhost/login?factor=password"));
 		this.mockMvc
 			.perform(post("/login").param("username", "rod")
 				.param("password", "password")
@@ -793,7 +793,8 @@ public <O> O postProcess(O object) {
 	static class MfaDslConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http, AuthorizationManagerFactory<RequestAuthorizationContext> authz) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http,
+				AuthorizationManagerFactory<RequestAuthorizationContext> authz) throws Exception {
 			// @formatter:off
 			http
 				.formLogin(Customizer.withDefaults())
@@ -824,7 +825,8 @@ AuthorizationManagerFactory<?> authz() {
 	static class MfaDslX509Config {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http, AuthorizationManagerFactory<RequestAuthorizationContext> authz) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http,
+				AuthorizationManagerFactory<RequestAuthorizationContext> authz) throws Exception {
 			// @formatter:off
 			http
 				.x509(Customizer.withDefaults())

core/src/main/java/org/springframework/security/core/authority/AuthorityUtils.java

@@ -21,7 +21,9 @@
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Set;
+import java.util.stream.Stream;
 
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.util.Assert;
@@ -39,6 +41,8 @@ public final class AuthorityUtils {
 
 	public static final List<GrantedAuthority> NO_AUTHORITIES = Collections.emptyList();
 
+	private static String[] KNOWN_PREFIXES = { "ROLE_", "SCOPE_", "FACTOR_" };
+
 	private AuthorityUtils() {
 	}
 
@@ -66,6 +70,40 @@ public static Set<String> authorityListToSet(Collection<? extends GrantedAuthori
 		return set;
 	}
 
+	/**
+	 * Return a {@link Stream} containing only the authorities of the given type;
+	 * {@code "ROLE"}, {@code "SCOPE"}, or {@code "FACTOR"}.
+	 * @param type the authority type; {@code "ROLE"}, {@code "SCOPE"}, or
+	 * {@code "FACTOR"}
+	 * @param authorities the list of authorities
+	 * @return a {@link Stream} containing the authorities of the given type
+	 */
+	public static Stream<GrantedAuthority> authoritiesOfType(String type, Collection<GrantedAuthority> authorities) {
+		return authorities.stream().filter((a) -> a.getAuthority().startsWith(type + "_"));
+	}
+
+	/**
+	 * Return the simple name of a {@link GrantedAuthority}, which is its name, less any
+	 * common prefix; that is, {@code ROLE_}, {@code SCOPE_}, or {@code FACTOR_}.
+	 * <p>
+	 * For example, if the authority is {@code ROLE_USER}, then the simple name is
+	 * {@code user}.
+	 * <p>
+	 * If the authority is {@code FACTOR_PASSWORD}, then the simple name is
+	 * {@code password}.
+	 * @param authority the granted authority
+	 * @return the simple name of the authority
+	 */
+	public static String getSimpleName(GrantedAuthority authority) {
+		String name = authority.getAuthority();
+		for (String prefix : KNOWN_PREFIXES) {
+			if (name.startsWith(prefix)) {
+				return name.substring(prefix.length()).toLowerCase(Locale.ROOT);
+			}
+		}
+		return name;
+	}
+
 	/**
 	 * Converts authorities into a List of GrantedAuthority objects.
 	 * @param authorities the authorities to convert

web/src/main/java/org/springframework/security/web/authentication/LoginUrlAuthenticationEntryPoint.java

@@ -32,6 +32,7 @@
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.DefaultRedirectStrategy;
 import org.springframework.security.web.PortMapper;
@@ -41,6 +42,7 @@
 import org.springframework.security.web.util.RedirectUrlBuilder;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.web.util.UriComponentsBuilder;
 
@@ -110,15 +112,28 @@ public void afterPropertiesSet() {
 	 * @param exception the exception
 	 * @return the URL (cannot be null or empty; defaults to {@link #getLoginFormUrl()})
 	 */
+	@SuppressWarnings("unchecked")
 	protected String determineUrlToUseForThisRequest(HttpServletRequest request, HttpServletResponse response,
 			AuthenticationException exception) {
+		Collection<GrantedAuthority> authorities = getAttribute(request, GrantedAuthority.MISSING_AUTHORITIES_ATTRIBUTE,
+				Collection.class);
+		if (CollectionUtils.isEmpty(authorities)) {
+			return getLoginFormUrl();
+		}
+		Collection<String> factors = AuthorityUtils.authoritiesOfType("FACTOR", authorities)
+			.map(AuthorityUtils::getSimpleName)
+			.toList();
+		return UriComponentsBuilder.fromUriString(getLoginFormUrl()).queryParam("factor", factors).toUriString();
+	}
+
+	private static <T> @Nullable T getAttribute(HttpServletRequest request, String name, Class<T> clazz) {
 		Object value = request.getAttribute(GrantedAuthority.MISSING_AUTHORITIES_ATTRIBUTE);
-		if (value instanceof Collection<?> authorities) {
-			return UriComponentsBuilder.fromUriString(getLoginFormUrl())
-				.queryParam("authority", authorities)
-				.toUriString();
+		if (value == null) {
+			return null;
 		}
-		return getLoginFormUrl();
+		String message = String.format("Found %s in %s, but expecting a %s", value.getClass(), name, clazz);
+		Assert.isInstanceOf(clazz, value, message);
+		return (T) value;
 	}
 
 	/**

web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java

@@ -88,7 +88,9 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
 
 	private @Nullable String rememberMeParameter;
 
-	private final Collection<String> allowedParameters = List.of("authority");
+	private final String factorParameter = "factor";
+
+	private final Collection<String> allowedParameters = List.of(this.factorParameter);
 
 	@SuppressWarnings("NullAway.Init")
 	private Map<String, String> oauth2AuthenticationUrlToClientName;
@@ -249,29 +251,29 @@ private String generateLoginPageHtml(HttpServletRequest request, boolean loginEr
 			.withRawHtml("passkeyLogin", "");
 
 		Predicate<String> wantsAuthority = wantsAuthority(request);
-		if (wantsAuthority.test("FACTOR_WEBAUTHN")) {
+		if (wantsAuthority.test("webauthn")) {
 			builder.withRawHtml("javaScript", renderJavaScript(request, contextPath))
 				.withRawHtml("passkeyLogin", renderPasskeyLogin());
 		}
-		if (wantsAuthority.test("FACTOR_PASSWORD")) {
+		if (wantsAuthority.test("password")) {
 			builder.withRawHtml("formLogin",
 					renderFormLogin(request, loginError, logoutSuccess, contextPath, errorMsg));
 		}
-		if (wantsAuthority.test("FACTOR_OTT")) {
+		if (wantsAuthority.test("ott")) {
 			builder.withRawHtml("oneTimeTokenLogin",
 					renderOneTimeTokenLogin(request, loginError, logoutSuccess, contextPath, errorMsg));
 		}
-		if (wantsAuthority.test("FACTOR_AUTHORIZATION_CODE")) {
+		if (wantsAuthority.test("authorization_code")) {
 			builder.withRawHtml("oauth2Login", renderOAuth2Login(loginError, logoutSuccess, errorMsg, contextPath));
 		}
-		if (wantsAuthority.test("FACTOR_SAML_RESPONSE")) {
+		if (wantsAuthority.test("saml_response")) {
 			builder.withRawHtml("saml2Login", renderSaml2Login(loginError, logoutSuccess, errorMsg, contextPath));
 		}
 		return builder.render();
 	}
 
 	private Predicate<String> wantsAuthority(HttpServletRequest request) {
-		String[] authorities = request.getParameterValues("authority");
+		String[] authorities = request.getParameterValues(this.factorParameter);
 		if (authorities == null) {
 			return (authority) -> true;
 		}

web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java

@@ -204,7 +204,7 @@ public void generateWhenOneTimeTokenRequestedThenOttForm() throws Exception {
 		filter.setOneTimeTokenEnabled(true);
 		filter.setOneTimeTokenGenerationUrl("/ott/authenticate");
 		MockHttpServletResponse response = new MockHttpServletResponse();
-		filter.doFilter(TestMockHttpServletRequests.get("/login?authority=FACTOR_OTT").build(), response, this.chain);
+		filter.doFilter(TestMockHttpServletRequests.get("/login?factor=ott").build(), response, this.chain);
 		assertThat(response.getContentAsString()).contains("Request a One-Time Token");
 		assertThat(response.getContentAsString()).contains("""
 				      <form id="ott-form" class="login-form" method="post" action="/ott/authenticate">
@@ -231,9 +231,8 @@ public void generateWhenTwoAuthoritiesRequestedThenBothForms() throws Exception
 		filter.setOneTimeTokenEnabled(true);
 		filter.setOneTimeTokenGenerationUrl("/ott/authenticate");
 		MockHttpServletResponse response = new MockHttpServletResponse();
-		filter.doFilter(
-				TestMockHttpServletRequests.get("/login?authority=FACTOR_OTT&authority=FACTOR_PASSWORD").build(),
-				response, this.chain);
+		filter.doFilter(TestMockHttpServletRequests.get("/login?factor=ott&factor=password").build(), response,
+				this.chain);
 		assertThat(response.getContentAsString()).contains("Request a One-Time Token");
 		assertThat(response.getContentAsString()).contains("""
 				      <form id="ott-form" class="login-form" method="post" action="/ott/authenticate">