mirror of
				https://github.com/spring-projects/spring-security.git
				synced 2025-10-25 03:38:43 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			239 lines
		
	
	
		
			16 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			239 lines
		
	
	
		
			16 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| = Multi-Factor Authentication
 | |
| 
 | |
| https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html[Multi-Factor Authentication (MFA)] requires that a user provide factors in order to authenticate.
 | |
| OWASP places factors into the following categories:
 | |
| 
 | |
| - Something the user knows (e.g. a password)
 | |
| - Something that the user has (e.g. access to SMS or email)
 | |
| - Something you are (e.g. biometrics)
 | |
| - Somewhere you are (e.g. geolocation)
 | |
| - Something you do (e.g. Behavior Profiling)
 | |
| 
 | |
| == `FactorGrantedAuthority`
 | |
| 
 | |
| At the time of authentication, Spring Security's authentication mechanisms add a javadoc:org.springframework.security.core.authority.FactorGrantedAuthority[].
 | |
| For example, when a user authenticates using a password a `FactorGrantedAuthority` with the `authority` of `FactorGrantedAuthority.PASSWORD_AUTHORITY` is automatically added to the `Authentiation`.
 | |
| In order to require MFA with Spring Security you must:
 | |
| 
 | |
| - Specify an authorization rule that requires multiple factors
 | |
| - Setup authentication for each of those factors
 | |
| 
 | |
| [[egmfa]]
 | |
| == @EnableGlobalMultiFactorAuthentication
 | |
| 
 | |
| javadoc:org.springframework.security.config.annotation.authorization.EnableGlobalMultiFactorAuthentication[format=annotation] simplifies Global MFA (the entire application requires MFA).
 | |
| Below you can find a configuration that adds the requirement for both passwords and OTT to every authorization rule.
 | |
| 
 | |
| include-code::./EnableGlobalMultiFactorAuthenticationConfiguration[tag=enable-global-mfa,indent=0]
 | |
| 
 | |
| We are now able to concisely create a configuration that always requires multiple factors.
 | |
| 
 | |
| include-code::./EnableGlobalMultiFactorAuthenticationConfiguration[tag=httpSecurity,indent=0]
 | |
| <1> URLs that begin with `/admin/**` require the authorities `FACTOR_OTT`, `FACTOR_PASSWORD`, `ROLE_ADMIN`.
 | |
| <2> Every other URL requires the authorities `FACTOR_OTT`, `FACTOR_PASSWORD`
 | |
| <3> Set up the authentication mechanisms that can provide the required factors.
 | |
| 
 | |
| Spring Security behind the scenes knows which endpoint to go to depending on which authority is missing.
 | |
| If the user logged in initially with their username and password, then Spring Security redirects to the One-Time-Token Login page.
 | |
| If the user logged in initially with a token, then Spring Security redirects to the Username/Password Login page.
 | |
| 
 | |
| [[authorization-manager-factory]]
 | |
| == AuthorizationManagerFactory
 | |
| 
 | |
| The `@EnableGlobalMultiFactorAuthentication` annotation is just a shortcut for publishing an javadoc:org.springframework.security.authorization.AuthorizationManagerFactory[] Bean.
 | |
| When an `AuthorizationManagerFactory` Bean is available, it is used by Spring Security to create authorization rules, like `hasAnyRole(String)`, that are defined on the `AuthorizationManagerFactory` Bean interface.
 | |
| The implementation published by `@EnableGlobalMultiFactorAuthentication` will ensure that each authorization is combined with the requirement of having the specified factors.
 | |
| 
 | |
| The `AuthorizationManagerFactory` Bean below is what is published in the previously discussed xref:./mfa.adoc#using-egmfa[`@EnableGlobalMultiFactorAuthentication` example].
 | |
| 
 | |
| include-code::./UseAuthorizationManagerFactoryConfiguration[tag=authorizationManagerFactoryBean,indent=0]
 | |
| 
 | |
| [[selective-mfa]]
 | |
| == Selectively Requiring MFA
 | |
| 
 | |
| We have demonstrated how to configure an entire application to require MFA (Global MFA) by using xref:./mfa.adoc#egmfa[`@EnableGlobalMultiFactorAuthentication`].
 | |
| However, there are times that an application only wants parts of the application to require MFA.
 | |
| Consider the following requirements:
 | |
| 
 | |
| - URLs that begin with `/admin/` should require the authorities `FACTOR_OTT`, `FACTOR_PASSWORD`, `ROLE_ADMIN`.
 | |
| - URLs that begin with `/user/settings` should require the authorities `FACTOR_OTT`, `FACTOR_PASSWORD`
 | |
| - Every other URL requires an authenticated user
 | |
| 
 | |
| In this case, some URLs require MFA while others do not.
 | |
| This means that the global approach that we saw before does not work.
 | |
| Fortunately, we can use what we learned in xref:./mfa.adoc#authorization-manager-factory[] to solve this in a concise manner.
 | |
| 
 | |
| include-code::./SelectiveMfaConfiguration[tag=httpSecurity,indent=0]
 | |
| <1> Create a `DefaultAuthorizationManagerFactory` as we did previously, but do not publish it as a Bean.
 | |
| By not publishing it as a Bean, we are able to selectively use the `AuthorizationManagerFactory` instead of using it for every authorization rule.
 | |
| <2> Explicitly use `AuthorizationManagerFactory` so that URLs that begin with `/admin/**` require `FACTOR_OTT`, `FACTOR_PASSWORD`, and `ROLE_ADMIN`.
 | |
| <3> Explicitly use `AuthorizationManagerFactory` so that URLs that begin with `/user/settings` require `FACTOR_OTT` and `FACTOR_PASSWORD`
 | |
| <4> Otherwise, the request must be authenticated.
 | |
| There is no MFA requirement, because the `AuthorizationManagerFactory` is not used.
 | |
| <5> Set up the authentication mechanisms that can provide the required factors.
 | |
| 
 | |
| [[valid-duration]]
 | |
| == Specifying a Valid Duration
 | |
| 
 | |
| At times, we may want to define authorization rules based upon how recently we authenticated.
 | |
| For example, an application may want to require that the user has authenticated within the last hour in order to allow access to the `/user/settings` endpoint.
 | |
| 
 | |
| Remember at the time of authentication, a `FactorGrantedAuthority` is added to the `Authentication`.
 | |
| The `FactorGrantedAuthority` specifies when it was `issuedAt`, but does not describe how long it is valid for.
 | |
| This is intentional, because it allows a single `FactorGrantedAuthority` to be used with different ``validDuration``s.
 | |
| 
 | |
| Let's take a look at an example that illustrates how to meet the following requirements:
 | |
| 
 | |
| - URLs that begin with `/admin/` should require that a password has been provided within the last 30 minutes
 | |
| - URLs that being with `/user/settings` should require that a password has been provided within the last hour
 | |
| - Otherwise, authentication is required, but it does not care if it is a password or how long ago authentication occurred
 | |
| 
 | |
| include-code::./ValidDurationConfiguration[tag=httpSecurity,indent=0]
 | |
| <1> First we define `passwordIn30m` as a requirement for a password within 30 minutes
 | |
| <2> Next, we define `passwordInHour` as a requirement for a password within an hour
 | |
| <3> We use `passwordIn30m` to require that URLs that begin with `/admin/` should require that a password has been provided in the last 30 minutes and that the user has the `ROLE_ADMIN` authority
 | |
| <4> We use `passwordInHour` to require that URLs that begin with `/user/settings` should require that a password has been provided in the last hour
 | |
| <5> Otherwise, authentication is required, but it does not care if it is a password or how long ago authentication occurred
 | |
| <6> Set up the authentication mechanisms that can provide the required factors.
 | |
| 
 | |
| [[programmatic-mfa]]
 | |
| == Programmatic MFA
 | |
| 
 | |
| In our previous examples, MFA is a static decision per request.
 | |
| There are times when we might want to require MFA for some users, but not others.
 | |
| Determining if MFA is enabled per user can be achieved by creating a custom `AuthorizationManager` that conditionally requires factors based upon the `Authentication`.
 | |
| 
 | |
| include-code::./AdminMfaAuthorizationManagerConfiguration[tag=authorizationManager,indent=0]
 | |
| <1> MFA is required for the user with the username `admin`
 | |
| <2> Otherwise, MFA is not required
 | |
| 
 | |
| To enable the MFA rules globally, we can publish an `AuthorizationManagerFactory` Bean.
 | |
| 
 | |
| include-code::./AdminMfaAuthorizationManagerConfiguration[tag=authorizationManagerFactory,indent=0]
 | |
| <1> Inject the custom `AuthorizationManager` as the javadoc:org.springframework.security.authorization.DefaultAuthorizationManagerFactory#setAdditionalAuthorization(org.springframework.security.authorization.AuthorizationManager)[DefaultAuthorization.additionalAuthorization].
 | |
| This instructs `DefaultAuthorizationManagerFactory` that any authorization rule should apply our custom `AuthorizationManager` along with any authorization requirements defined by the application (e.g. `hasRole("ADMIN")).
 | |
| <2> Publish `DefaultAuthorizationManagerFactory` as a Bean, so it is used globally
 | |
| 
 | |
| This should feel very similar to our previous example in xref:./mfa.adoc#authorization-manager-factory[].
 | |
| The difference is that in the previous example, the `AuthorizationManagerFactories` is setting `DefaultAuthorization.additionalAuthorization` with a built in `AuthorizationManager` that always requires the same authorities.
 | |
| 
 | |
| We can now define our authorization rules which are combined with `AdminMfaAuthorizationManager`.
 | |
| 
 | |
| include-code::./AdminMfaAuthorizationManagerConfiguration[tag=httpSecurity,indent=0]
 | |
| <1> URLs that begin with `/admin/**` require `ROLE_ADMIN`.
 | |
| If the username is `admin`, then `FACTOR_OTT` and `FACTOR_PASSWORD` are also required.
 | |
| <2> Otherwise, the request must be authenticated.
 | |
| If the username is `admin`, then `FACTOR_OTT` and `FACTOR_PASSWORD` are also required.
 | |
| 
 | |
| NOTE: MFA is enabled by username and not role because that is how we implemented `RequiredAuthoritiesAuthorizationManagerConfiguration`.
 | |
| If we preferred, we could change our logic to enable MFA based upon the roles rather than the username.
 | |
| 
 | |
| [[raam-mfa]]
 | |
| == RequiredAuthoritiesAuthorizationManager
 | |
| 
 | |
| We've demonstrated how we can dynamically determine the authorities for a particular user in xref:./mfa.adoc#programmatic-mfa[] using a custom `AuthorizationManager`.
 | |
| However, this is such a common scenario that Spring Security provides built in support using javadoc:org.springframework.security.authorization.RequiredAuthoritiesAuthorizationManager[] and javadoc:org.springframework.security.authorization.RequiredAuthoritiesRepository[].
 | |
| 
 | |
| Let's implement the same requirement that we did in xref:./mfa.adoc#programmatic-mfa[] using the built-in support.
 | |
| 
 | |
| We start by creating the `RequiredAuthoritiesAuthorizationManager` Bean to use.
 | |
| 
 | |
| include-code::./RequiredAuthoritiesAuthorizationManagerConfiguration[tag=authorizationManager,indent=0]
 | |
| <1> Create a javadoc:org.springframework.security.authorization.MapRequiredAuthoritiesRepository[] that maps users with the username `admin` to require MFA.
 | |
| <2> Return a `RequiredAuthoritiesAuthorizationManager` that is injected with the `MapRequiredAuthoritiesRepository`.
 | |
| 
 | |
| Next we can define an `AuthorizationManagerFactory` that uses the `RequiredAuthoritiesAuthorizationManager`.
 | |
| 
 | |
| include-code::./RequiredAuthoritiesAuthorizationManagerConfiguration[tag=authorizationManagerFactory,indent=0]
 | |
| <1> Inject the `RequiredAuthoritiesAuthorizationManager` as the javadoc:org.springframework.security.authorization.DefaultAuthorizationManagerFactory#setAdditionalAuthorization(org.springframework.security.authorization.AuthorizationManager)[DefaultAuthorization.additionalAuthorization].
 | |
| This instructs `DefaultAuthorizationManagerFactory` that any authorization rule should apply `RequiredAuthoritiesAuthorizationManager` along with any authorization requirements defined by the application (e.g. `hasRole("ADMIN")).
 | |
| <2> Publish `DefaultAuthorizationManagerFactory` as a Bean, so it is used globally
 | |
| 
 | |
| We can now define our authorization rules which are combined with `RequiredAuthoritiesAuthorizationManager`.
 | |
| include-code::./RequiredAuthoritiesAuthorizationManagerConfiguration[tag=httpSecurity,indent=0]
 | |
| <1> URLs that begin with `/admin/**` require `ROLE_ADMIN`.
 | |
| If the username is `admin`, then `FACTOR_OTT` and `FACTOR_PASSWORD` are also required.
 | |
| <2> Otherwise, the request must be authenticated.
 | |
| If the username is `admin`, then `FACTOR_OTT` and `FACTOR_PASSWORD` are also required.
 | |
| 
 | |
| Our example uses an in memory mapping of usernames to the additional required authorities.
 | |
| For more dynamic use cases that can be determined by the username, a custom implementation of javadoc:org.springframework.security.authorization.RequiredAuthoritiesRepository[] can be created.
 | |
| Possible examples would be looking up if a user has enabled MFA in an explicit setting, determining if a user has registered a passkey, etc.
 | |
| 
 | |
| For cases that need to determine MFA based upon the `Authentication`, a custom `AuthorizationManger` can be used as demonstrated in xref:./mfa.adoc#programmatic-mfa[]
 | |
| 
 | |
| 
 | |
| [[hasallauthorities]]
 | |
| == Using hasAllAuthorities
 | |
| 
 | |
| We've shown a lot of additional infrastructure for supporting MFA.
 | |
| However, for simple MFA use-cases, using `hasAllAuthorities` to require multiple factors is effective.
 | |
| 
 | |
| include-code::./ListAuthoritiesConfiguration[tag=httpSecurity,indent=0]
 | |
| <1> Require `FACTOR_PASSWORD` and `FACTOR_OTT` for every request
 | |
| <2> Set up the authentication mechanisms that can provide the required factors.
 | |
| 
 | |
| The configuration above works well only for the most simple use-cases.
 | |
| If you have lots of endpoints, you probably do not want to repeat the requirements for MFA in every authorization rule.
 | |
| 
 | |
| For example, consider the following configuration:
 | |
| 
 | |
| include-code::./MultipleAuthorizationRulesConfiguration[tag=httpSecurity,indent=0]
 | |
| <1> For URLs that begin with `/admin/**`, the following authorities are required `FACTOR_OTT`, `FACTOR_PASSWORD`, `ROLE_ADMIN`.
 | |
| <2> For every other URL, the following authorities are required `FACTOR_OTT`, `FACTOR_PASSWORD`, `ROLE_USER`.
 | |
| <3> Set up the authentication mechanisms that can provide the required factors.
 | |
| 
 | |
| The configuration only specifies two authorization rules, but it is enough to see that the duplication is not desirable.
 | |
| Can you imagine what it would be like to declare hundreds of rules like this?
 | |
| 
 | |
| What's more that it becomes difficult to express more complicated authorization rules.
 | |
| For example, how would you require two factors and either `ROLE_ADMIN` or `ROLE_USER`?
 | |
| 
 | |
| The answer to these questions, as we have already seen, is to use xref:./mfa.adoc#egmfa[]
 | |
| 
 | |
| [[re-authentication]]
 | |
| == Re-authentication
 | |
| 
 | |
| The most common of these is re-authentication.
 | |
| Imagine an application configured in the following way:
 | |
| 
 | |
| include-code::./SimpleConfiguration[tag=httpSecurity,indent=0]
 | |
| 
 | |
| By default, this application has two authentication mechanisms that it allows, meaning that the user could use either one and be fully-authenticated.
 | |
| 
 | |
| If there is a set of endpoints that require a specific factor, we can specify that in `authorizeHttpRequests` as follows:
 | |
| 
 | |
| include-code::./RequireOttConfiguration[tag=httpSecurity,indent=0]
 | |
| <1> - States that all `/profile/**` endpoints require one-time-token login to be authorized
 | |
| 
 | |
| Given the above configuration, users can log in with any mechanism that you support.
 | |
| And, if they want to visit the profile page, then Spring Security will redirect them to the One-Time-Token Login page to obtain it.
 | |
| 
 | |
| In this way, the authority given to a user is directly proportional to the amount of proof given.
 | |
| This adaptive approach allows users to give only the proof needed to perform their intended operations.
 | |
| 
 | |
| 
 | |
| [[obtaining-more-authorization]]
 | |
| == Authorizing More Scopes
 | |
| 
 | |
| You can also configure exception handling to direct Spring Security on how to obtain a missing scope.
 | |
| 
 | |
| Consider an application that requires a specific OAuth 2.0 scope for a given endpoint:
 | |
| 
 | |
| include-code::./ScopeConfiguration[tag=httpSecurity,indent=0]
 | |
| 
 | |
| If this is also configured with an `AuthorizationManagerFactory` bean like this one:
 | |
| 
 | |
| include-code::./MissingAuthorityConfiguration[tag=authorizationManagerFactoryBean,indent=0]
 | |
| 
 | |
| Then the application will require an X.509 certificate as well as authorization from an OAuth 2.0 authorization server.
 | |
| 
 | |
| In the event that the user does not consent to `profile:read`, this application as it stands will issue a 403.
 | |
| However, if you have a way for the application to re-ask for consent, then you can implement this in an `AuthenticationEntryPoint` like the following:
 | |
| 
 | |
| include-code::./MissingAuthorityConfiguration[tag=authenticationEntryPoint,indent=0]
 | |
| 
 | |
| Then, your filter chain declaration can bind this entry point to the given authority like so:
 | |
| 
 | |
| include-code::./MissingAuthorityConfiguration[tag=httpSecurity,indent=0]
 |