Conversation

jzheaux
Contributor

@jzheaux jzheaux commented Aug 21, 2025

Applications can use AuthenticationBuilder to apply existing authentications to new ones.

For example, if the currently logged-in user is represented by:

Authentication firstFactor = ...

And they provide a second set of authenticated credentials, represented by:

Authentication secondFactor = ...

Then the first factor can be applied to the second factor as follows:

secondFactor = secondFactor.toBuilder()
    .authorities((a) -> a.addAll(firstFactor.getAuthorities()))
    .build();

This draft PR adds a basic builder to each Authentication implementation that implements Authentication.Builder. In order to simplify upgrades, toBuilder by default returns a no-op implementation of Authentication.Builder that ultimately returns the same authentication unchanged.
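To make the propagation concrete, here is an added example that is not code from the PR or from Spring Security. It models the builder pattern with deliberately minimal stand-in interfaces: the Authentication and GrantedAuthority interfaces are reduced to what the discussion uses, and the type names FactorAuthentication, FactorBuilder, LegacyAuthentication and SimpleGrantedAuthority, as well as the propagate method, are assumptions for illustration. It shows both the default no-op toBuilder() behaviour the description mentions and the merge step that the later commits on this page move into each authentication filter.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.function.Consumer;

// Added example: a self-contained model of the builder pattern described in the PR.
// The interfaces below are minimal stand-ins, not Spring Security's own types.
class AuthorityPropagationExample {

    // The step the PR's commits move into each authentication filter: take the
    // authentication already in the SecurityContext (first factor) and carry its
    // authorities onto the authentication just produced (second factor).
    static Authentication propagate(Authentication current, Authentication latest) {
        if (current == null) {
            return latest; // first factor: nothing to merge yet
        }
        return latest.toBuilder()
                .authorities((a) -> a.addAll(current.getAuthorities()))
                .build();
    }

    public static void main(String[] args) {
        // Constructed sample data
        Authentication firstFactor = new FactorAuthentication("alice",
                List.of(new SimpleGrantedAuthority("ROLE_USER"), new SimpleGrantedAuthority("FACTOR_PASSWORD")));
        Authentication secondFactor = new FactorAuthentication("alice",
                List.of(new SimpleGrantedAuthority("FACTOR_OTP")));

        Authentication merged = propagate(firstFactor, secondFactor);
        System.out.println("merged authorities: " + merged.getAuthorities());

        // A custom Authentication that predates the builder does not override toBuilder();
        // the default no-op builder hands back the same instance, so upgrading is safe,
        // though no authorities are propagated for it until it implements the builder.
        Authentication legacy = new LegacyAuthentication("bob");
        System.out.println("legacy unchanged: " + (propagate(firstFactor, legacy) == legacy));
    }
}

interface GrantedAuthority {
    String getAuthority();
}

record SimpleGrantedAuthority(String authority) implements GrantedAuthority {
    public String getAuthority() { return authority; }
    public String toString() { return authority; }
}

interface Authentication {
    Collection<? extends GrantedAuthority> getAuthorities();
    Object getPrincipal();

    // Default mirrors the PR description: a no-op builder returning this authentication unchanged.
    default Builder toBuilder() {
        Authentication self = this;
        return new Builder() {
            public Builder authorities(Consumer<Collection<GrantedAuthority>> customizer) { return this; }
            public Authentication build() { return self; }
        };
    }

    interface Builder {
        Builder authorities(Consumer<Collection<GrantedAuthority>> customizer);
        Authentication build();
    }
}

// An authentication result type that supports the builder (hypothetical name).
final class FactorAuthentication implements Authentication {
    private final Object principal;
    private final List<GrantedAuthority> authorities;

    FactorAuthentication(Object principal, Collection<? extends GrantedAuthority> authorities) {
        this.principal = principal;
        this.authorities = List.copyOf(authorities); // immutable snapshot
    }

    public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
    public Object getPrincipal() { return principal; }

    @Override
    public Authentication.Builder toBuilder() { return new FactorBuilder(this); }

    // Copies the current state into a mutable working set, then builds a fresh instance.
    static final class FactorBuilder implements Authentication.Builder {
        private final Object principal;
        private final List<GrantedAuthority> authorities;

        FactorBuilder(FactorAuthentication source) {
            this.principal = source.principal;
            this.authorities = new ArrayList<>(source.authorities);
        }
        public Authentication.Builder authorities(Consumer<Collection<GrantedAuthority>> customizer) {
            customizer.accept(this.authorities);
            return this;
        }
        public Authentication build() { return new FactorAuthentication(principal, authorities); }
    }
}

// Stand-in for a pre-existing custom Authentication that never implemented toBuilder().
final class LegacyAuthentication implements Authentication {
    private final Object principal;
    LegacyAuthentication(Object principal) { this.principal = principal; }
    public Collection<? extends GrantedAuthority> getAuthorities() { return List.of(); }
    public Object getPrincipal() { return principal; }
}
```

Run it with java AuthorityPropagationExample.java (Java 17 or later for records). The builder never mutates the existing authentication: it copies state, lets the caller adjust the working copy, and produces a new immutable instance, which is what allows a filter to merge factors without touching the object already stored in the SecurityContext.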

@jzheaux jzheaux changed the title Authentication Builder Propagate Authorities From Previous Factors Aug 21, 2025
@jzheaux jzheaux force-pushed the authentication-builder branch 6 times, most recently from 6eb00d0 to b48b10a on August 22, 2025 22:25
Member

@rwinch rwinch left a comment

Thanks for the PR @jzheaux! I've provided feedback inline, but my main pieces of feedback are:

  • The AuthenticationManager should not be accessing the SecurityContext. Instead, we should have the controller (e.g. Filter) that invokes the AuthenticationManager perform the merging of the two Authentication instances.
  • I think that the builder APIs should function independently of MFA and should work for any properties on the Authentication. Doing this would also allow deprecation of the setAuthenticated method.
  • I don't think we should have an Authentication.apply(Authentication) method. Especially so if it is only applying the authorities and ignoring many other properties that are on the Authentication object.

@jzheaux jzheaux force-pushed the authentication-builder branch 3 times, most recently from 5e94df2 to 4d89979 on September 2, 2025 21:43
@jzheaux jzheaux self-assigned this Sep 9, 2025
@jzheaux jzheaux force-pushed the authentication-builder branch from 4d89979 to 547bbd5 on September 9, 2025 15:04
Member

@rwinch rwinch left a comment

Thanks again for all your work on this. I think that we are nearly done. I provided a minor comment inline.

I think that we should also update the reference. At minimum it should be added to whats-new.adoc and link to the Javadoc. However, I think the core APIs in servlet/authentication/architecture.adoc should be updated, as well as the diagram description of AbstractAuthenticationProcessingFilter and the reactive equivalents.

@jzheaux jzheaux force-pushed the authentication-builder branch from 547bbd5 to 1d60b4a on September 9, 2025 20:19
@jzheaux jzheaux added this to the 7.0.0-M3 milestone Sep 9, 2025
@jzheaux jzheaux force-pushed the authentication-builder branch from 1d60b4a to 6af848f on September 9, 2025 20:48
This commit adds a new default method to Authentication
for the purposes of creating a Builder based on the current
authentication, allowing other authentications to be
applied to it as a composite.

It also adds Builders for each one of the authentication
result classes.

Issue spring-projectsgh-17861
This commit allows looking up the current authentication and applying
it to the latest authentication. This is specifically handy when
collecting authorities gained from each authentication factor.

Issue spring-projectsgh-17862
This commit provides the SecurityContextHolderStrategy bean to
ProviderManager instances that the HttpSecurity DSL constructs.

Issue spring-projectsgh-17862
- Added remaining properties
- Removed apply method since Spring Security isn't using
it right now
- Made builders extensible since the authentications are
extensible

Issue spring-projectsgh-17861
Given that the filters are the level at which the
SecurityContextHolder is consulted, this commit moves
the operation that ProviderManager was doing into each
authentication filter.

Issue spring-projectsgh-17862
This commit allows a default implementation of
Authentication.Builder that performs the builder
operations. In this way, authorities and other previous
authentication material can still be effectively
propagated in the event a custom authentication does
not implement the method.

Issue spring-projectsgh-17861
It would be better to introduce parameter types for
principal and credentials into Authentication.Builder
at the same time as doing so for Authentication

Issue spring-projectsgh-17861
@jzheaux jzheaux force-pushed the authentication-builder branch from 6af848f to c7d6a87 on September 9, 2025 20:49
The commit documents the new Authentication Builder interface
and its usage in the security filter chain.

Closes spring-projectsgh-17861
Closes spring-projectsgh-17862
@jzheaux jzheaux force-pushed the authentication-builder branch from c7d6a87 to b09afb3 on September 9, 2025 20:59
@jzheaux jzheaux merged commit 6689798 into spring-projects:main Sep 9, 2025
5 of 6 checks passed