Add MfaConfigurer

A configurer that extends the ability of any authentication configurer
to participate as an additional authentication factor

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.config.annotation.web.configurers;
 
+import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 import java.util.function.Function;
 import java.util.function.Supplier;
@@ -28,11 +30,13 @@
 import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
+import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
 import org.springframework.security.authorization.AuthorityAuthorizationManager;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.AuthorizationManagers;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.SingleResultAuthorizationManager;
 import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
 import org.springframework.security.config.ObjectPostProcessor;
@@ -139,6 +143,8 @@ public final class AuthorizationManagerRequestMatcherRegistry
 		private final RequestMatcherDelegatingAuthorizationManager.Builder managerBuilder = RequestMatcherDelegatingAuthorizationManager
 			.builder();
 
+		private final HasAllAuthoritiesAuthorizationManager<RequestAuthorizationContext> hasAuthority = new HasAllAuthoritiesAuthorizationManager<>();
+
 		private List<RequestMatcher> unmappedMatchers;
 
 		private int mappingCount;
@@ -165,6 +171,7 @@ private AuthorizationManager<HttpServletRequest> createAuthorizationManager() {
 							+ ". Try completing it with something like requestUrls().<something>.hasRole('USER')");
 			Assert.state(this.mappingCount > 0,
 					"At least one mapping is required (for example, authorizeHttpRequests().anyRequest().authenticated())");
+			this.hasAuthority.setRoleHierarchy(AuthorizeHttpRequestsConfigurer.this.roleHierarchy.get());
 			AuthorizationManager<HttpServletRequest> manager = postProcess(
 					(AuthorizationManager<HttpServletRequest>) this.managerBuilder.build());
 			return AuthorizeHttpRequestsConfigurer.this.postProcessor.postProcess(manager);
@@ -173,7 +180,7 @@ private AuthorizationManager<HttpServletRequest> createAuthorizationManager() {
 		@Override
 		protected AuthorizedUrl chainRequestMatchers(List<RequestMatcher> requestMatchers) {
 			this.unmappedMatchers = requestMatchers;
-			return new AuthorizedUrl(requestMatchers);
+			return new AuthorizedUrl(this, requestMatchers);
 		}
 
 		/**
@@ -188,6 +195,10 @@ public AuthorizationManagerRequestMatcherRegistry withObjectPostProcessor(
 			return this;
 		}
 
+		void hasAuthority(String authority) {
+			this.hasAuthority.add(authority);
+		}
+
 	}
 
 	/**
@@ -199,6 +210,8 @@ public AuthorizationManagerRequestMatcherRegistry withObjectPostProcessor(
 	 */
 	public class AuthorizedUrl {
 
+		private final AuthorizationManagerRequestMatcherRegistry registry;
+
 		private final List<? extends RequestMatcher> matchers;
 
 		private boolean not;
@@ -207,7 +220,8 @@ public class AuthorizedUrl {
 		 * Creates an instance.
 		 * @param matchers the {@link RequestMatcher} instances to map
 		 */
-		AuthorizedUrl(List<? extends RequestMatcher> matchers) {
+		AuthorizedUrl(AuthorizationManagerRequestMatcherRegistry registry, List<? extends RequestMatcher> matchers) {
+			this.registry = registry;
 			this.matchers = matchers;
 		}
 
@@ -289,10 +303,10 @@ public AuthorizationManagerRequestMatcherRegistry hasAnyAuthority(String... auth
 			return access(withRoleHierarchy(AuthorityAuthorizationManager.hasAnyAuthority(authorities)));
 		}
 
-		private AuthorityAuthorizationManager<RequestAuthorizationContext> withRoleHierarchy(
+		private AuthorizationManager<RequestAuthorizationContext> withRoleHierarchy(
 				AuthorityAuthorizationManager<RequestAuthorizationContext> manager) {
 			manager.setRoleHierarchy(AuthorizeHttpRequestsConfigurer.this.roleHierarchy.get());
-			return manager;
+			return withAuthentication(manager);
 		}
 
 		/**
@@ -301,7 +315,7 @@ private AuthorityAuthorizationManager<RequestAuthorizationContext> withRoleHiera
 		 * customizations
 		 */
 		public AuthorizationManagerRequestMatcherRegistry authenticated() {
-			return access(AuthenticatedAuthorizationManager.authenticated());
+			return access(withAuthentication(AuthenticatedAuthorizationManager.authenticated()));
 		}
 
 		/**
@@ -313,7 +327,7 @@ public AuthorizationManagerRequestMatcherRegistry authenticated() {
 		 * @see RememberMeConfigurer
 		 */
 		public AuthorizationManagerRequestMatcherRegistry fullyAuthenticated() {
-			return access(AuthenticatedAuthorizationManager.fullyAuthenticated());
+			return access(withAuthentication(AuthenticatedAuthorizationManager.fullyAuthenticated()));
 		}
 
 		/**
@@ -324,7 +338,7 @@ public AuthorizationManagerRequestMatcherRegistry fullyAuthenticated() {
 		 * @see RememberMeConfigurer
 		 */
 		public AuthorizationManagerRequestMatcherRegistry rememberMe() {
-			return access(AuthenticatedAuthorizationManager.rememberMe());
+			return access(withAuthentication(AuthenticatedAuthorizationManager.rememberMe()));
 		}
 
 		/**
@@ -366,6 +380,11 @@ public AuthorizationManagerRequestMatcherRegistry access(
 					: AuthorizeHttpRequestsConfigurer.this.addMapping(this.matchers, manager);
 		}
 
+		private AuthorizationManager<RequestAuthorizationContext> withAuthentication(
+				AuthorizationManager<RequestAuthorizationContext> manager) {
+			return AuthorizationManagers.allOf(this.registry.hasAuthority, manager);
+		}
+
 		/**
 		 * An object that allows configuring {@link RequestMatcher}s with URI path
 		 * variables
@@ -403,4 +422,25 @@ public AuthorizationManagerRequestMatcherRegistry equalTo(Function<Authenticatio
 
 	}
 
+	private static final class HasAllAuthoritiesAuthorizationManager<T> implements AuthorizationManager<T> {
+
+		private final AuthoritiesAuthorizationManager delegate = AuthoritiesAuthorizationManager.hasAllAuthorities();
+
+		private final Collection<String> authorities = new ArrayList<>();
+
+		@Override
+		public AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
+			return this.delegate.authorize(authentication, this.authorities);
+		}
+
+		private void setRoleHierarchy(RoleHierarchy hierarchy) {
+			this.delegate.setRoleHierarchy(hierarchy);
+		}
+
+		private void add(String authority) {
+			this.authorities.add(authority);
+		}
+
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurer.java

@@ -16,12 +16,17 @@
 
 package org.springframework.security.config.annotation.web.configurers;
 
+import java.util.ArrayList;
 import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.function.Consumer;
 
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.AuthorizationEntryPoint;
+import org.springframework.security.web.AuthorizationRequestingAccessDeniedHandler;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
 import org.springframework.security.web.access.ExceptionTranslationFilter;
@@ -75,13 +80,21 @@ public final class ExceptionHandlingConfigurer<H extends HttpSecurityBuilder<H>>
 
 	private LinkedHashMap<RequestMatcher, AccessDeniedHandler> defaultDeniedHandlerMappings = new LinkedHashMap<>();
 
+	private final List<AuthorizationEntryPoint> authorizationRequestEntries = new ArrayList<>();
+
 	/**
 	 * Creates a new instance
 	 * @see HttpSecurity#exceptionHandling(Customizer)
 	 */
 	public ExceptionHandlingConfigurer() {
 	}
 
+	public ExceptionHandlingConfigurer<H> authorizationEntryPoint(
+			Consumer<List<AuthorizationEntryPoint>> entriesConsumer) {
+		entriesConsumer.accept(this.authorizationRequestEntries);
+		return this;
+	}
+
 	/**
 	 * Shortcut to specify the {@link AccessDeniedHandler} to be used is a specific error
 	 * page
@@ -203,7 +216,8 @@ public void configure(H http) {
 	AccessDeniedHandler getAccessDeniedHandler(H http) {
 		AccessDeniedHandler deniedHandler = this.accessDeniedHandler;
 		if (deniedHandler == null) {
-			deniedHandler = createDefaultDeniedHandler(http);
+			deniedHandler = createAccessDeniedHandler(http);
+
 		}
 		return deniedHandler;
 	}
@@ -223,15 +237,26 @@ AuthenticationEntryPoint getAuthenticationEntryPoint(H http) {
 		return entryPoint;
 	}
 
-	private AccessDeniedHandler createDefaultDeniedHandler(H http) {
+	private AccessDeniedHandler createAccessDeniedHandler(H http) {
+		AccessDeniedHandler defaultAccessDeniedHandler = createDefaultAccessDeniedHandler();
 		if (this.defaultDeniedHandlerMappings.isEmpty()) {
-			return new AccessDeniedHandlerImpl();
+			return defaultAccessDeniedHandler;
 		}
 		if (this.defaultDeniedHandlerMappings.size() == 1) {
-			return this.defaultDeniedHandlerMappings.values().iterator().next();
+			return defaultAccessDeniedHandler;
 		}
 		return new RequestMatcherDelegatingAccessDeniedHandler(this.defaultDeniedHandlerMappings,
-				new AccessDeniedHandlerImpl());
+				defaultAccessDeniedHandler);
+	}
+
+	private AccessDeniedHandler createDefaultAccessDeniedHandler() {
+		if (!this.authorizationRequestEntries.isEmpty()) {
+			return new AuthorizationRequestingAccessDeniedHandler(this.authorizationRequestEntries);
+		}
+		if (this.defaultDeniedHandlerMappings.isEmpty()) {
+			return new AccessDeniedHandlerImpl();
+		}
+		return this.defaultDeniedHandlerMappings.values().iterator().next();
 	}
 
 	private AuthenticationEntryPoint createDefaultEntryPoint(H http) {