Open
Labels: in: core, status: ideal-for-contribution, type: enhancement
Description
We should create an `AuthorizationManager` that can look up authorities using a configured SQL statement given the username of the currently authenticated user. If any values are returned, then it returns those authorities; otherwise it grants access to the user.
Pseudo code looks like:
```java
List<String> additionalAuthorities = findAdditionalAuthorities(authentication.get().getName()); // lookup from SQL statement
if (additionalAuthorities.isEmpty()) {
    return new AccessDecision(true);
}
else {
    return AllAuthoritiesAuthorizationManager.hasAllAuthorities(additionalAuthorities).authorize(authentication, object);
}
```
NOTE: `findAdditionalAuthorities` should use a mapper object of sorts that can be swapped out. It can return some constants if the SQL returns true, or it can look up the additional authorities in SQL.
This can then be used for situations where it is a user preference to enable multi-factor authentication. We should also update the documentation to show how to use it. Something like this:
```java
AuthorizationManager<Object> additionalAuthorization = SqlAllAuthoritiesAuthorizationManager
    .whenTrue("select true from users where mfa_enabled = true and username = :username")
    .additionalAuthorities("FACTOR_PASSWORD", "FACTOR_OTT")
    .dataSource(dataSource)
    .build();
return new DefaultAuthorizationManagerFactory.build()
    .additionalAuthorization(additionalAuthorization)
    .build();
```
An additional option for users that gets the authorities from SQL:
```java
AuthorizationManager<Object> additionalAuthorization = SqlAllAuthoritiesAuthorizationManager
    .selectAuthorities("select authorities from additional_authorities where username = :username")
    .dataSource(dataSource)
    .build();
return new DefaultAuthorizationManagerFactory.build()
    .additionalAuthorization(additionalAuthorization)
    .build();
```
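A sketch of the second variant described above (authorities selected by SQL), added here as an example; it is not code from the issue or from Spring Security. The class name `SqlRequiredAuthoritiesSketch` is hypothetical, and the code assumes the Spring Security 7 signature of `AuthorizationManager#authorize` and Spring JDBC's `NamedParameterJdbcOperations`.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;

import org.springframework.jdbc.core.namedparam.NamedParameterJdbcOperations;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Hypothetical class: not the one proposed in the issue and not part of Spring Security.
public final class SqlRequiredAuthoritiesSketch implements AuthorizationManager<Object> {

	private final NamedParameterJdbcOperations jdbc;

	private final String selectAuthorities; // must contain a :username named parameter

	public SqlRequiredAuthoritiesSketch(NamedParameterJdbcOperations jdbc, String selectAuthorities) {
		this.jdbc = jdbc;
		this.selectAuthorities = selectAuthorities;
	}

	// Assumption: Spring Security 7 signature of AuthorizationManager#authorize.
	@Override
	public AuthorizationResult authorize(Supplier<? extends Authentication> authentication, Object object) {
		Authentication auth = authentication.get();
		// Without an authenticated principal there is no username to look up:
		// deny instead of falling into the "no rows, grant access" branch.
		if (auth == null || !auth.isAuthenticated()) {
			return new AuthorizationDecision(false);
		}
		// The username is a bound named parameter, never concatenated into the SQL.
		List<String> required = this.jdbc.queryForList(this.selectAuthorities,
				Map.of("username", auth.getName()), String.class);
		if (required.isEmpty()) {
			return new AuthorizationDecision(true); // no additional requirements for this user
		}
		// Every authority returned by the query must already be granted.
		Set<String> granted = auth.getAuthorities().stream()
				.map(GrantedAuthority::getAuthority)
				.collect(Collectors.toSet());
		return new AuthorizationDecision(granted.containsAll(required));
	}
}
```

A `DataAccessException` from the lookup propagates to the caller, so a database outage fails closed rather than skipping the additional check.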