Apply Additional Feedback

- This Removes the auto-post page for OTT
- This uses the now-public AccessDeniedHandler
- This also does not change the default AuthenticationEntryPoint

This also walks back certain things added to smooth the usage
of MFA for WebAuthn, OTT, and X.509. I believe there are ways
outside of MFA to do each of these that will make the considerations
moot.

That said, this commit does keep one change for X.509 that I believe
to be the original purpose of the line that sets a shared
AuthenticationEntryPoint. This would likely not be in this PR, but
it simplifies the tests while I'm investigating this claim.

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurer.java

@@ -17,7 +17,6 @@
 package org.springframework.security.config.annotation.web.configurers;
 
 import java.util.LinkedHashMap;
-import java.util.Map;
 import java.util.function.Consumer;
 
 import org.jspecify.annotations.Nullable;
@@ -80,10 +79,8 @@ public final class ExceptionHandlingConfigurer<H extends HttpSecurityBuilder<H>>
 
 	private LinkedHashMap<RequestMatcher, AccessDeniedHandler> defaultDeniedHandlerMappings = new LinkedHashMap<>();
 
-	private Map<String, LinkedHashMap<RequestMatcher, AuthenticationEntryPoint>> entryPoints = new LinkedHashMap<>();
-
-	private DelegatingMissingAuthorityAccessDeniedHandler.Builder missingAuthoritiesHandlerBuilder =
-			DelegatingMissingAuthorityAccessDeniedHandler.builder();
+	private final DelegatingMissingAuthorityAccessDeniedHandler.Builder missingAuthoritiesHandlerBuilder = DelegatingMissingAuthorityAccessDeniedHandler
+		.builder();
 
 	/**
 	 * Creates a new instance
@@ -106,7 +103,8 @@ public ExceptionHandlingConfigurer<H> accessDeniedPage(String accessDeniedUrl) {
 		return accessDeniedHandler(accessDeniedHandler);
 	}
 
-	public ExceptionHandlingConfigurer<H> missingAuthoritiesHandler(Consumer<DelegatingMissingAuthorityAccessDeniedHandler.Builder> consumer) {
+	public ExceptionHandlingConfigurer<H> missingAuthoritiesHandler(
+			Consumer<DelegatingMissingAuthorityAccessDeniedHandler.Builder> consumer) {
 		consumer.accept(this.missingAuthoritiesHandlerBuilder);
 		return this;
 	}
@@ -243,9 +241,6 @@ AuthenticationEntryPoint getAuthenticationEntryPoint(H http) {
 
 	private AccessDeniedHandler createDefaultDeniedHandler(H http) {
 		AccessDeniedHandler defaults = createDefaultAccessDeniedHandler(http);
-		if (this.entryPoints.isEmpty()) {
-			return defaults;
-		}
 		DelegatingMissingAuthorityAccessDeniedHandler deniedHandler = this.missingAuthoritiesHandlerBuilder.build();
 		deniedHandler.setRequestCache(getRequestCache(http));
 		deniedHandler.setDefaultAccessDeniedHandler(defaults);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java

@@ -233,11 +233,9 @@ public void init(H http) throws Exception {
 		initDefaultLoginFilter(http);
 		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptions != null) {
-			exceptions.missingAuthoritiesHandler((commence) -> commence
-					.authorities("FACTOR_PASSWORD")
-					.whenRequestMatches(getAuthenticationEntryPointMatcher(http))
-					.commence(getAuthenticationEntryPoint())
-			);
+			exceptions.missingAuthoritiesHandler((commence) -> commence.authorities("FACTOR_PASSWORD")
+				.whenRequestMatches(getAuthenticationEntryPointMatcher(http))
+				.commence(getAuthenticationEntryPoint()));
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java

@@ -194,11 +194,9 @@ private void registerDefaultEntryPoint(B http, RequestMatcher preferredMatcher)
 		}
 		AuthenticationEntryPoint entryPoint = postProcess(this.authenticationEntryPoint);
 		exceptionHandling.defaultAuthenticationEntryPointFor(entryPoint, preferredMatcher);
-		exceptionHandling.missingAuthoritiesHandler((handler) -> handler
-				.authorities("FACTOR_PASSWORD")
-				.whenRequestMatches(preferredMatcher)
-				.commence(entryPoint)
-		);
+		exceptionHandling.missingAuthoritiesHandler((handler) -> handler.authorities("FACTOR_PASSWORD")
+			.whenRequestMatches(preferredMatcher)
+			.commence(entryPoint));
 	}
 
 	private void registerDefaultLogoutSuccessHandler(B http, RequestMatcher preferredMatcher) {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java

@@ -155,10 +155,8 @@ public WebAuthnConfigurer<H> creationOptionsRepository(
 	public void init(H http) throws Exception {
 		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptions != null) {
-			exceptions.missingAuthoritiesHandler((handler) -> handler
-					.authorities("FACTOR_WEBAUTHN")
-					.commence(new LoginUrlAuthenticationEntryPoint("/login"))
-			);
+			exceptions.missingAuthoritiesHandler((handler) -> handler.authorities("FACTOR_WEBAUTHN")
+				.commence(new LoginUrlAuthenticationEntryPoint("/login")));
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java

@@ -38,6 +38,7 @@
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
 import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
+import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 
 /**
  * Adds X509 based pre authentication to an application. Since validating the certificate
@@ -183,10 +184,9 @@ public void init(H http) {
 			.setSharedObject(AuthenticationEntryPoint.class, new Http403ForbiddenEntryPoint());
 		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptions != null) {
-			exceptions.missingAuthoritiesHandler((handler) -> handler
-					.authorities("FACTOR_X509")
-					.commence(new Http403ForbiddenEntryPoint())
-			);
+			exceptions.defaultAuthenticationEntryPointFor(new Http403ForbiddenEntryPoint(), AnyRequestMatcher.INSTANCE);
+			exceptions.missingAuthoritiesHandler(
+					(handler) -> handler.authorities("FACTOR_X509").commence(new Http403ForbiddenEntryPoint()));
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java

@@ -564,11 +564,9 @@ private AuthenticationEntryPoint getLoginEntryPoint(B http, String providerLogin
 		// @formatter:on
 		ExceptionHandlingConfigurer<B> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptions != null) {
-			exceptions.missingAuthoritiesHandler((handler) -> handler
-					.authorities("FACTOR_AUTHORIZATION_CODE")
-					.whenRequestMatches(getAuthenticationEntryPointMatcher(http))
-					.commence(loginEntryPoint)
-			);
+			exceptions.missingAuthoritiesHandler((handler) -> handler.authorities("FACTOR_AUTHORIZATION_CODE")
+				.whenRequestMatches(getAuthenticationEntryPointMatcher(http))
+				.commence(loginEntryPoint));
 		}
 		return loginEntryPoint;
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java

@@ -327,11 +327,9 @@ private void registerDefaultEntryPoint(H http) {
 			RequestMatcher preferredMatcher = new OrRequestMatcher(
 					Arrays.asList(this.requestMatcher, X_REQUESTED_WITH, restNotHtmlMatcher, allMatcher));
 			exceptionHandling.defaultAuthenticationEntryPointFor(this.authenticationEntryPoint, preferredMatcher);
-			exceptionHandling.missingAuthoritiesHandler((handler) -> handler
-					.authorities("FACTOR_BEARER")
-					.whenRequestMatches(preferredMatcher)
-					.commence(this.authenticationEntryPoint)
-			);
+			exceptionHandling.missingAuthoritiesHandler((handler) -> handler.authorities("FACTOR_BEARER")
+				.whenRequestMatches(preferredMatcher)
+				.commence(this.authenticationEntryPoint));
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java

@@ -16,15 +16,10 @@
 
 package org.springframework.security.config.annotation.web.configurers.ott;
 
-import java.io.IOException;
 import java.util.Collections;
 import java.util.Map;
-import java.util.function.Function;
-import java.util.stream.Collectors;
 
-import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.HttpMethod;
@@ -42,13 +37,7 @@
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.FormPostRedirectStrategy;
-import org.springframework.security.web.RedirectStrategy;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
@@ -67,7 +56,6 @@
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
-import org.springframework.web.util.UriComponentsBuilder;
 
 /**
  * An {@link AbstractHttpConfigurer} for One-Time Token Login.
@@ -149,11 +137,9 @@ public void init(H http) throws Exception {
 		intiDefaultLoginFilter(http);
 		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptions != null) {
-			exceptions.missingAuthoritiesHandler((handler) -> handler
-					.authorities("FACTOR_OTT")
-					.whenRequestMatches(getAuthenticationEntryPointMatcher(http))
-					.commence(getAuthenticationEntryPoint())
-			);
+			exceptions.missingAuthoritiesHandler((handler) -> handler.authorities("FACTOR_OTT")
+				.whenRequestMatches(getAuthenticationEntryPointMatcher(http))
+				.commence(getAuthenticationEntryPoint()));
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

@@ -351,10 +351,9 @@ private AuthenticationEntryPoint getLoginEntryPoint(B http, String providerLogin
 		// @formatter:on
 		ExceptionHandlingConfigurer<B> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptions != null) {
-			exceptions.missingAuthoritiesHandler((handler) -> handler
-					.authorities("FACTOR_SAML_RESPONSE")
-					.whenRequestMatches(getAuthenticationEntryPointMatcher(http))
-					.commence(loginEntryPoint));
+			exceptions.missingAuthoritiesHandler((handler) -> handler.authorities("FACTOR_SAML_RESPONSE")
+				.whenRequestMatches(getAuthenticationEntryPointMatcher(http))
+				.commence(loginEntryPoint));
 		}
 		return loginEntryPoint;
 	}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java

@@ -73,7 +73,6 @@
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
-import static org.hamcrest.Matchers.containsString;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.atLeastOnce;
@@ -88,7 +87,6 @@
 import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.forwardedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -432,8 +430,8 @@ void requestWhenUnauthenticatedThenRequiresTwoSteps() throws Exception {
 			.andExpect(redirectedUrl("http://localhost/login"));
 		user = PasswordEncodedUser.withUserDetails(user).authorities("profile:read", "FACTOR_PASSWORD").build();
 		this.mockMvc.perform(get("/profile").with(user(user)))
-			.andExpect(status().isOk())
-			.andExpect(content().string(containsString("/ott/generate")));
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("http://localhost/login"));
 		user = PasswordEncodedUser.withUserDetails(user)
 			.authorities("profile:read", "FACTOR_PASSWORD", "FACTOR_OTT")
 			.build();