From 702878acae4d1157b355e802c6c376542f2d16a9 Mon Sep 17 00:00:00 2001 From: Rob Winch <362503+rwinch@users.noreply.github.com> Date: Wed, 8 Oct 2025 15:09:01 -0500 Subject: [PATCH] Create AuthorizationManagerFactories.multiFactor Closes gh-18032 --- ...ultiFactorAuthenticationConfiguration.java | 7 +- ...llRequiredFactorsAuthorizationManager.java | 6 +- .../AuthorizationManagerFactories.java | 102 ++++++++++++++++++ .../DefaultAuthorizationManagerFactory.java | 75 ------------- ...uiredFactorsAuthorizationManagerTests.java | 3 +- .../AuthorizationManagerFactoryTests.java | 44 ++------ .../servlet/authentication/architecture.adoc | 2 +- .../pages/servlet/authentication/mfa.adoc | 3 +- ...horizationManagerFactoryConfiguration.java | 6 +- .../MissingAuthorityConfiguration.java | 6 +- .../SelectiveMfaConfiguration.java | 6 +- ...uthorizationManagerFactoryConfiguration.kt | 6 +- .../MissingAuthorityConfiguration.kt | 6 +- .../selectivemfa/SelectiveMfaConfiguration.kt | 6 +- 14 files changed, 138 insertions(+), 140 deletions(-) create mode 100644 core/src/main/java/org/springframework/security/authorization/AuthorizationManagerFactories.java diff --git a/config/src/main/java/org/springframework/security/config/annotation/authorization/GlobalMultiFactorAuthenticationConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/authorization/GlobalMultiFactorAuthenticationConfiguration.java index 7ebf32f261..6ee02cf786 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/authorization/GlobalMultiFactorAuthenticationConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/authorization/GlobalMultiFactorAuthenticationConfiguration.java @@ -23,6 +23,7 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ImportAware; import org.springframework.core.type.AnnotationMetadata; import org.springframework.security.access.hierarchicalroles.RoleHierarchy; +import org.springframework.security.authorization.AuthorizationManagerFactories; import org.springframework.security.authorization.DefaultAuthorizationManagerFactory; /** @@ -39,9 +40,9 @@ class GlobalMultiFactorAuthenticationConfiguration implements ImportAware { @Bean DefaultAuthorizationManagerFactory authorizationManagerFactory(ObjectProvider roleHierarchy) { - DefaultAuthorizationManagerFactory.Builder builder = DefaultAuthorizationManagerFactory.builder() - .requireAdditionalAuthorities(this.authorities); - roleHierarchy.ifAvailable(builder::roleHierarchy); + AuthorizationManagerFactories.AdditionalRequiredFactorsBuilder builder = AuthorizationManagerFactories + .multiFactor() + .requireFactors(this.authorities); return builder.build(); } diff --git a/core/src/main/java/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManager.java index 432fc943f1..2657120213 100644 --- a/core/src/main/java/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManager.java +++ b/core/src/main/java/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManager.java @@ -146,8 +146,8 @@ public final class AllRequiredFactorsAuthorizationManager implements Authoriz * Creates a new {@link Builder} * @return */ - public static Builder builder() { - return new Builder(); + public static Builder builder() { + return new Builder<>(); } /** @@ -156,7 +156,7 @@ public final class AllRequiredFactorsAuthorizationManager implements Authoriz * @author Rob Winch * @since 7.0 */ - public static final class Builder { + public static final class Builder { private List requiredFactors = new ArrayList<>(); diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationManagerFactories.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationManagerFactories.java new file mode 100644 index 0000000000..207a2ccc79 --- /dev/null +++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationManagerFactories.java @@ -0,0 +1,102 @@ +/* + * Copyright 2002-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.authorization; + +import java.util.function.Consumer; + +/** + * Creates common {@link AuthorizationManagerFactory} instances. + * + * @author Rob Winch + * @since 7.0 + * @see DefaultAuthorizationManagerFactory + */ +public final class AuthorizationManagerFactories { + + private AuthorizationManagerFactories() { + } + + /** + * Creates a {@link AdditionalRequiredFactorsBuilder} that helps build an + * {@link AuthorizationManager} to set on + * {@link DefaultAuthorizationManagerFactory#setAdditionalAuthorization(AuthorizationManager)} + * for multifactor authentication. + *

+ * Does not affect {@code anonymous}, {@code permitAll}, or {@code denyAll}. + * @param the secured object type + * @return a factory configured with the required authorities + */ + public static AdditionalRequiredFactorsBuilder multiFactor() { + return new AdditionalRequiredFactorsBuilder<>(); + } + + /** + * A builder that allows creating {@link DefaultAuthorizationManagerFactory} with + * additional requirements for {@link RequiredFactor}s. + * + * @param the type for the {@link DefaultAuthorizationManagerFactory} + * @author Rob Winch + */ + public static final class AdditionalRequiredFactorsBuilder { + + private final AllRequiredFactorsAuthorizationManager.Builder factors = AllRequiredFactorsAuthorizationManager + .builder(); + + /** + * Add additional authorities that will be required. + * @param additionalAuthorities the additional authorities. + * @return the {@link AdditionalRequiredFactorsBuilder} to further customize. + */ + public AdditionalRequiredFactorsBuilder requireFactors(String... additionalAuthorities) { + requireFactors((factors) -> { + for (String authority : additionalAuthorities) { + factors.requireFactor((factor) -> factor.authority(authority)); + } + }); + return this; + } + + public AdditionalRequiredFactorsBuilder requireFactors( + Consumer> factors) { + factors.accept(this.factors); + return this; + } + + public AdditionalRequiredFactorsBuilder requireFactor(Consumer factor) { + this.factors.requireFactor(factor); + return this; + } + + /** + * Builds a {@link DefaultAuthorizationManagerFactory} that has the + * {@link DefaultAuthorizationManagerFactory#setAdditionalAuthorization(AuthorizationManager)} + * set. + * @return the {@link DefaultAuthorizationManagerFactory}. + */ + public DefaultAuthorizationManagerFactory build() { + DefaultAuthorizationManagerFactory result = new DefaultAuthorizationManagerFactory<>(); + AllRequiredFactorsAuthorizationManager additionalChecks = this.factors.build(); + result.setAdditionalAuthorization(additionalChecks); + return result; + } + + private AdditionalRequiredFactorsBuilder() { + } + + } + +} diff --git a/core/src/main/java/org/springframework/security/authorization/DefaultAuthorizationManagerFactory.java b/core/src/main/java/org/springframework/security/authorization/DefaultAuthorizationManagerFactory.java index 9b4892b556..f69bf242ac 100644 --- a/core/src/main/java/org/springframework/security/authorization/DefaultAuthorizationManagerFactory.java +++ b/core/src/main/java/org/springframework/security/authorization/DefaultAuthorizationManagerFactory.java @@ -16,9 +16,6 @@ package org.springframework.security.authorization; -import java.util.ArrayList; -import java.util.List; - import org.jspecify.annotations.Nullable; import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy; @@ -26,7 +23,6 @@ import org.springframework.security.access.hierarchicalroles.RoleHierarchy; import org.springframework.security.authentication.AuthenticationTrustResolver; import org.springframework.security.authentication.AuthenticationTrustResolverImpl; import org.springframework.util.Assert; -import org.springframework.util.CollectionUtils; /** * A factory for creating different kinds of {@link AuthorizationManager} instances. @@ -153,18 +149,6 @@ public final class DefaultAuthorizationManagerFactory - * Does not affect {@code anonymous}, {@code permitAll}, or {@code denyAll}. - * @param the secured object type - * @return a factory configured with the required authorities - */ - public static Builder builder() { - return new Builder<>(); - } - private AuthorizationManager createManager(AuthorityAuthorizationManager authorizationManager) { authorizationManager.setRoleHierarchy(this.roleHierarchy); return withAdditionalAuthorization(authorizationManager); @@ -187,63 +171,4 @@ public final class DefaultAuthorizationManagerFactory the type for the {@link DefaultAuthorizationManagerFactory} - * @author Rob Winch - */ - public static final class Builder { - - private final List additionalAuthorities = new ArrayList<>(); - - private RoleHierarchy roleHierarchy = new NullRoleHierarchy(); - - /** - * Add additional authorities that will be required. - * @param additionalAuthorities the additional authorities. - * @return the {@link Builder} to further customize. - */ - public Builder requireAdditionalAuthorities(String... additionalAuthorities) { - Assert.notEmpty(additionalAuthorities, "additionalAuthorities cannot be empty"); - for (String additionalAuthority : additionalAuthorities) { - this.additionalAuthorities.add(additionalAuthority); - } - return this; - } - - /** - * The {@link RoleHierarchy} to use. - * @param roleHierarchy the non-null {@link RoleHierarchy} to use. Default is - * {@link NullRoleHierarchy}. - * @return the Builder to further customize. - */ - public Builder roleHierarchy(RoleHierarchy roleHierarchy) { - Assert.notNull(roleHierarchy, "roleHierarchy cannot be null"); - this.roleHierarchy = roleHierarchy; - return this; - } - - /** - * Builds a {@link DefaultAuthorizationManagerFactory} that has the - * {@link #setAdditionalAuthorization(AuthorizationManager)} set. - * @return the {@link DefaultAuthorizationManagerFactory}. - */ - public DefaultAuthorizationManagerFactory build() { - Assert.state(!CollectionUtils.isEmpty(this.additionalAuthorities), "additionalAuthorities cannot be empty"); - DefaultAuthorizationManagerFactory result = new DefaultAuthorizationManagerFactory<>(); - AllAuthoritiesAuthorizationManager additionalChecks = AllAuthoritiesAuthorizationManager - .hasAllAuthorities(this.additionalAuthorities); - result.setRoleHierarchy(this.roleHierarchy); - additionalChecks.setRoleHierarchy(this.roleHierarchy); - result.setAdditionalAuthorization(additionalChecks); - return result; - } - - private Builder() { - } - - } - } diff --git a/core/src/test/java/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManagerTests.java index 34a34d3660..8d544727d9 100644 --- a/core/src/test/java/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManagerTests.java +++ b/core/src/test/java/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManagerTests.java @@ -30,6 +30,7 @@ import org.springframework.security.core.authority.FactorGrantedAuthority; import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; +import static org.assertj.core.api.Assertions.assertThatIllegalStateException; /** * Test {@link AllRequiredFactorsAuthorizationManager}. @@ -228,7 +229,7 @@ class AllRequiredFactorsAuthorizationManagerTests { @Test void builderBuildWhenEmpty() { - assertThatIllegalArgumentException().isThrownBy(() -> AllRequiredFactorsAuthorizationManager.builder().build()); + assertThatIllegalStateException().isThrownBy(() -> AllRequiredFactorsAuthorizationManager.builder().build()); } @Test diff --git a/core/src/test/java/org/springframework/security/authorization/AuthorizationManagerFactoryTests.java b/core/src/test/java/org/springframework/security/authorization/AuthorizationManagerFactoryTests.java index cfbb3d4d33..4a00911c5f 100644 --- a/core/src/test/java/org/springframework/security/authorization/AuthorizationManagerFactoryTests.java +++ b/core/src/test/java/org/springframework/security/authorization/AuthorizationManagerFactoryTests.java @@ -16,16 +16,11 @@ package org.springframework.security.authorization; -import java.util.Collection; - import org.junit.jupiter.api.Test; -import org.springframework.security.access.hierarchicalroles.RoleHierarchy; import org.springframework.security.authentication.TestAuthentication; -import org.springframework.security.core.authority.AuthorityUtils; import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; import static org.assertj.core.api.Assertions.assertThatIllegalStateException; import static org.mockito.ArgumentMatchers.any; import static org.mockito.BDDMockito.given; @@ -291,14 +286,15 @@ public class AuthorizationManagerFactoryTests { @Test public void builderWhenEmptyAdditionalAuthoritiesThenIllegalStateException() { - DefaultAuthorizationManagerFactory.Builder builder = DefaultAuthorizationManagerFactory.builder(); + AuthorizationManagerFactories.AdditionalRequiredFactorsBuilder builder = AuthorizationManagerFactories + .multiFactor(); assertThatIllegalStateException().isThrownBy(() -> builder.build()); } @Test public void builderWhenAdditionalAuthorityThenRequired() { - AuthorizationManagerFactory factory = DefaultAuthorizationManagerFactory.builder() - .requireAdditionalAuthorities("ROLE_ADMIN") + AuthorizationManagerFactory factory = AuthorizationManagerFactories.multiFactor() + .requireFactors("ROLE_ADMIN") .build(); assertUserDenied(factory.hasRole("USER")); assertThat(factory.hasRole("USER").authorize(() -> TestAuthentication.authenticatedAdmin(), "").isGranted()) @@ -307,42 +303,14 @@ public class AuthorizationManagerFactoryTests { @Test public void builderWhenAdditionalAuthoritiesThenRequired() { - AuthorizationManagerFactory factory = DefaultAuthorizationManagerFactory.builder() - .requireAdditionalAuthorities("ROLE_ADMIN", "ROLE_USER") + AuthorizationManagerFactory factory = AuthorizationManagerFactories.multiFactor() + .requireFactors("ROLE_ADMIN", "ROLE_USER") .build(); assertUserDenied(factory.hasRole("USER")); assertThat(factory.hasRole("USER").authorize(() -> TestAuthentication.authenticatedAdmin(), "").isGranted()) .isTrue(); } - @Test - public void builderWhenNullRoleHierachyThenIllegalArgumentException() { - DefaultAuthorizationManagerFactory.Builder builder = DefaultAuthorizationManagerFactory.builder(); - assertThatIllegalArgumentException().isThrownBy(() -> builder.roleHierarchy(null)); - } - - @Test - public void builderWhenRoleHierarchyThenUsed() { - - RoleHierarchy roleHierarchy = mock(RoleHierarchy.class); - String ROLE_HIERARCHY = "ROLE_HIERARCHY"; - Collection authorityHierarchy = AuthorityUtils.createAuthorityList(ROLE_HIERARCHY, "ROLE_USER"); - given(roleHierarchy.getReachableGrantedAuthorities(any())).willReturn(authorityHierarchy); - DefaultAuthorizationManagerFactory factory = DefaultAuthorizationManagerFactory.builder() - .requireAdditionalAuthorities(ROLE_HIERARCHY) - .roleHierarchy(roleHierarchy) - .build(); - - // ROLE_USER is replaced with the RoleHierarchy (ROLE_USER, ROLE_HIERARCHY) - assertUserGranted(factory.hasAuthority("ROLE_USER")); - // ROLE_ADMIN is replaced with the RoleHierarchy (ROLE_USER, ROLE_HIERARCHY) - assertThat(factory.hasAuthority("ROLE_ADMIN") - .authorize(() -> TestAuthentication.authenticatedAdmin(), "") - .isGranted()).isFalse(); - - verify(roleHierarchy, times(4)).getReachableGrantedAuthorities(any()); - } - private void assertUserGranted(AuthorizationManager manager) { assertThat(manager.authorize(() -> TestAuthentication.authenticatedUser(), "").isGranted()).isTrue(); } diff --git a/docs/modules/ROOT/pages/servlet/authentication/architecture.adoc b/docs/modules/ROOT/pages/servlet/authentication/architecture.adoc index 89abe49407..259ede2376 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/architecture.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/architecture.adoc @@ -140,7 +140,7 @@ In many cases, this is cleared after the user is authenticated, to ensure that i * `authorities`: The <> instances are high-level permissions the user is granted. Two examples are roles and scopes. -It is also equipped with a `Builder` that allows you to mutate an existing `Authentication` instance and potentially merge it with another. +It is also equipped with a `AdditionalRequiredFactorsBuilder` that allows you to mutate an existing `Authentication` instance and potentially merge it with another. This is useful in scenarios like taking the authorities from one authentication step, like form login, and applying them to another, like one-time-token login, like so: include-code::./CopyAuthoritiesTests[tag=springSecurity,indent=0] diff --git a/docs/modules/ROOT/pages/servlet/authentication/mfa.adoc b/docs/modules/ROOT/pages/servlet/authentication/mfa.adoc index 1a1e8f1459..f8ac9f7063 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/mfa.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/mfa.adoc @@ -91,9 +91,10 @@ This instructs `DefaultAuthorizationManagerFactory` that any authorization rule <2> Publish `DefaultAuthorizationManagerFactory` as a Bean, so it is used globally This should feel very similar to our previous example in xref:./mfa.adoc#authorization-manager-factory[]. -The difference is that in the previous example, the `Builder` is setting `DefaultAuthorization.additionalAuthorization` with a built in `AuthorizationManager` that always requires the same authorities. +The difference is that in the previous example, the `AuthorizationManagerFactories` is setting `DefaultAuthorization.additionalAuthorization` with a built in `AuthorizationManager` that always requires the same authorities. We can now define our authorization rules which are combined with `AdminMfaAuthorizationManager`. + include-code::./AdminMfaAuthorizationManagerConfiguration[tag=httpSecurity,indent=0] <1> URLs that begin with `/admin/**` require `ROLE_ADMIN`. If the username is `admin`, then `FACTOR_OTT` and `FACTOR_PASSWORD` are also required. diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.java index 7c04174313..c4c9e046a1 100644 --- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.java +++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.java @@ -2,8 +2,8 @@ package org.springframework.security.docs.servlet.authentication.authorizationma import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.security.authorization.AuthorizationManagerFactories; import org.springframework.security.authorization.AuthorizationManagerFactory; -import org.springframework.security.authorization.DefaultAuthorizationManagerFactory; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; @@ -38,8 +38,8 @@ class UseAuthorizationManagerFactoryConfiguration { // tag::authorizationManagerFactoryBean[] @Bean AuthorizationManagerFactory authz() { - return DefaultAuthorizationManagerFactory.builder() - .requireAdditionalAuthorities( + return AuthorizationManagerFactories.multiFactor() + .requireFactors( FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY ) diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.java index 051bb363bf..5bc935e966 100644 --- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.java +++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.java @@ -8,8 +8,8 @@ import jakarta.servlet.http.HttpServletResponse; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.security.authorization.AuthorizationManagerFactories; import org.springframework.security.authorization.AuthorizationManagerFactory; -import org.springframework.security.authorization.DefaultAuthorizationManagerFactory; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; @@ -48,8 +48,8 @@ class MissingAuthorityConfiguration { // tag::authorizationManagerFactoryBean[] @Bean AuthorizationManagerFactory authz() { - return DefaultAuthorizationManagerFactory.builder() - .requireAdditionalAuthorities(FactorGrantedAuthority.X509_AUTHORITY, FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY) + return AuthorizationManagerFactories.multiFactor() + .requireFactors(FactorGrantedAuthority.X509_AUTHORITY, FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY) .build(); } // end::authorizationManagerFactoryBean[] diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/selectivemfa/SelectiveMfaConfiguration.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/selectivemfa/SelectiveMfaConfiguration.java index cc72443499..86c93b2e0a 100644 --- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/selectivemfa/SelectiveMfaConfiguration.java +++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/selectivemfa/SelectiveMfaConfiguration.java @@ -2,8 +2,8 @@ package org.springframework.security.docs.servlet.authentication.selectivemfa; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.security.authorization.AuthorizationManagerFactories; import org.springframework.security.authorization.AuthorizationManagerFactory; -import org.springframework.security.authorization.DefaultAuthorizationManagerFactory; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; @@ -25,8 +25,8 @@ class SelectiveMfaConfiguration { // @formatter:off // <1> AuthorizationManagerFactory mfa = - DefaultAuthorizationManagerFactory.builder() - .requireAdditionalAuthorities( + AuthorizationManagerFactories.multiFactor() + .requireFactors( FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY ) diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.kt index cf72ba3b7f..8463e6d3c0 100644 --- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.kt +++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.kt @@ -2,8 +2,8 @@ package org.springframework.security.kt.docs.servlet.authentication.authorizatio import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration +import org.springframework.security.authorization.AuthorizationManagerFactories import org.springframework.security.authorization.AuthorizationManagerFactory -import org.springframework.security.authorization.DefaultAuthorizationManagerFactory import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity import org.springframework.security.config.annotation.web.invoke @@ -38,8 +38,8 @@ internal class UseAuthorizationManagerFactoryConfiguration { // tag::authorizationManagerFactoryBean[] @Bean fun authz(): AuthorizationManagerFactory { - return DefaultAuthorizationManagerFactory.builder() - .requireAdditionalAuthorities( + return AuthorizationManagerFactories.multiFactor() + .requireFactors( FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY ) diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.kt index 88ebf0f096..a84c06fffa 100644 --- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.kt +++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.kt @@ -4,8 +4,8 @@ import jakarta.servlet.http.HttpServletRequest import jakarta.servlet.http.HttpServletResponse import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration +import org.springframework.security.authorization.AuthorizationManagerFactories import org.springframework.security.authorization.AuthorizationManagerFactory -import org.springframework.security.authorization.DefaultAuthorizationManagerFactory import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer @@ -54,8 +54,8 @@ internal class MissingAuthorityConfiguration { // tag::authorizationManagerFactoryBean[] @Bean fun authz(): AuthorizationManagerFactory { - return DefaultAuthorizationManagerFactory.builder() - .requireAdditionalAuthorities( + return AuthorizationManagerFactories.multiFactor() + .requireFactors( FactorGrantedAuthority.X509_AUTHORITY, FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY ) diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/selectivemfa/SelectiveMfaConfiguration.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/selectivemfa/SelectiveMfaConfiguration.kt index 476ec6cf39..8442a0b454 100644 --- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/selectivemfa/SelectiveMfaConfiguration.kt +++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/selectivemfa/SelectiveMfaConfiguration.kt @@ -2,8 +2,8 @@ package org.springframework.security.kt.docs.servlet.authentication.selectivemfa import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration +import org.springframework.security.authorization.AuthorizationManagerFactories import org.springframework.security.authorization.AuthorizationManagerFactory -import org.springframework.security.authorization.DefaultAuthorizationManagerFactory import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity import org.springframework.security.config.annotation.web.invoke @@ -25,8 +25,8 @@ internal class SelectiveMfaConfiguration { // @formatter:off // <1> val mfa: AuthorizationManagerFactory = - DefaultAuthorizationManagerFactory.builder() - .requireAdditionalAuthorities( + AuthorizationManagerFactories.multiFactor() + .requireFactors( FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY )