spring-projects
diff --git a/‎…tiFactorAuthenticationConfiguration.java‎ ‎…rizationManagerFactoryConfiguration.java‎config/src/main/java/org/springframework/security/config/annotation/authorization/GlobalMultiFactorAuthenticationConfiguration.java renamed to config/src/main/java/org/springframework/security/config/annotation/authorization/AuthorizationManagerFactoryConfiguration.java
Lines changed: 5 additions & 5 deletions b/‎…tiFactorAuthenticationConfiguration.java‎ ‎…rizationManagerFactoryConfiguration.java‎config/src/main/java/org/springframework/security/config/annotation/authorization/GlobalMultiFactorAuthenticationConfiguration.java renamed to config/src/main/java/org/springframework/security/config/annotation/authorization/AuthorizationManagerFactoryConfiguration.java
Lines changed: 5 additions & 5 deletions
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/authorization/EnableMfaFiltersConfiguration.java‎
Lines changed: 65 additions & 0 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/authorization/EnableMfaFiltersConfiguration.java‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎…ableGlobalMultiFactorAuthentication.java‎ ‎…ion/EnableMultiFactorAuthentication.java‎config/src/main/java/org/springframework/security/config/annotation/authorization/EnableGlobalMultiFactorAuthentication.java renamed to config/src/main/java/org/springframework/security/config/annotation/authorization/EnableMultiFactorAuthentication.java
Lines changed: 12 additions & 7 deletions b/‎…ableGlobalMultiFactorAuthentication.java‎ ‎…ion/EnableMultiFactorAuthentication.java‎config/src/main/java/org/springframework/security/config/annotation/authorization/EnableGlobalMultiFactorAuthentication.java renamed to config/src/main/java/org/springframework/security/config/annotation/authorization/EnableMultiFactorAuthentication.java
Lines changed: 12 additions & 7 deletions
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/authorization/MultiFactorAuthenticationSelector.java‎
Lines changed: 50 additions & 0 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/authorization/MultiFactorAuthenticationSelector.java‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎config/src/test/java/org/springframework/security/config/annotation/authorization/EnableMultiFactorAuthenticationFiltersSetTests.java‎
Lines changed: 158 additions & 0 deletions b/‎config/src/test/java/org/springframework/security/config/annotation/authorization/EnableMultiFactorAuthenticationFiltersSetTests.java‎
Lines changed: 158 additions & 0 deletions
@@ -27,14 +27,14 @@
 import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 
 /**
- * Uses {@link EnableGlobalMultiFactorAuthentication} to configure a
+ * Uses {@link EnableMultiFactorAuthentication} to configure a
  * {@link DefaultAuthorizationManagerFactory}.
  *
  * @author Rob Winch
  * @since 7.0
- * @see EnableGlobalMultiFactorAuthentication
+ * @see EnableMultiFactorAuthentication
  */
-class GlobalMultiFactorAuthenticationConfiguration implements ImportAware {
+class AuthorizationManagerFactoryConfiguration implements ImportAware {
 
 	private String[] authorities;
 
@@ -49,9 +49,9 @@ DefaultAuthorizationManagerFactory authorizationManagerFactory(ObjectProvider<Ro
 	@Override
 	public void setImportMetadata(AnnotationMetadata importMetadata) {
 		Map<String, Object> multiFactorAuthenticationAttrs = importMetadata
-			.getAnnotationAttributes(EnableGlobalMultiFactorAuthentication.class.getName());
+			.getAnnotationAttributes(EnableMultiFactorAuthentication.class.getName());
 
-		this.authorities = (String[]) multiFactorAuthenticationAttrs.get("authorities");
+		this.authorities = (String[]) multiFactorAuthenticationAttrs.getOrDefault("authorities", new String[0]);
 	}
 
 }
@@ -0,0 +1,65 @@
+/*
+ * Copyright 2002-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.authorization;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.config.BeanPostProcessor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.authentication.AuthenticationFilter;
+import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+
+@Configuration(proxyBeanMethods = false)
+class EnableMfaFiltersConfiguration {
+
+	@Bean
+	BeanPostProcessor mfaBeanPostProcessor() {
+		return new EnableMfaFiltersPostProcessor();
+	}
+
+	/**
+	 * A {@link BeanPostProcessor} that enables MFA on authentication filters.
+	 *
+	 * @author Rob Winch
+	 * @since 7.0
+	 */
+	private static class EnableMfaFiltersPostProcessor implements BeanPostProcessor {
+
+		@Override
+		public @Nullable Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
+			if (bean instanceof AbstractAuthenticationProcessingFilter filter) {
+				filter.setMfaEnabled(true);
+			}
+			if (bean instanceof AuthenticationFilter filter) {
+				filter.setMfaEnabled(true);
+			}
+			if (bean instanceof AbstractPreAuthenticatedProcessingFilter filter) {
+				filter.setMfaEnabled(true);
+			}
+			if (bean instanceof BasicAuthenticationFilter filter) {
+				filter.setMfaEnabled(true);
+			}
+			return bean;
+		}
+
+	}
+
+}
@@ -26,17 +26,20 @@
 import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 
 /**
- * Exposes a {@link DefaultAuthorizationManagerFactory} as a Bean with the
- * {@link #authorities()} specified as additional required authorities. The configuration
- * will be picked up by both
+ * Enables Multi-Factor Authentication (MFA) support within Spring Security.
+ *
+ * When {@link #authorities()} is specified creates a
+ * {@link DefaultAuthorizationManagerFactory} as a Bean with the {@link #authorities()}
+ * specified as additional required authorities. The configuration will be picked up by
+ * both
  * {@link org.springframework.security.config.annotation.web.configuration.EnableWebSecurity}
  * and
  * {@link org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity}.
  *
  * <pre>
 
  * &#64;Configuration
- * &#64;EnableGlobalMultiFactorAuthentication(authorities = { GrantedAuthorities.FACTOR_OTT, GrantedAuthorities.FACTOR_PASSWORD })
+ * &#64;EnableMultiFactorAuthentication(authorities = { GrantedAuthorities.FACTOR_OTT, GrantedAuthorities.FACTOR_PASSWORD })
  * public class MyConfiguration {
  *     // ...
  * }
@@ -51,13 +54,15 @@
 @Retention(RetentionPolicy.RUNTIME)
 @Target(ElementType.TYPE)
 @Documented
-@Import(GlobalMultiFactorAuthenticationConfiguration.class)
-public @interface EnableGlobalMultiFactorAuthentication {
+@Import(MultiFactorAuthenticationSelector.class)
+public @interface EnableMultiFactorAuthentication {
 
 	/**
 	 * The additional authorities that are required.
 	 * @return the additional authorities that are required (e.g. {
-	 * FactorGrantedAuthority.FACTOR_OTT, FactorGrantedAuthority.FACTOR_PASSWORD })
+	 * FactorGrantedAuthority.FACTOR_OTT, FactorGrantedAuthority.FACTOR_PASSWORD }). Can
+	 * be null or an empty array if no additional authorities are required (if
+	 * authorization rules are not globally requiring MFA).
 	 * @see org.springframework.security.core.authority.FactorGrantedAuthority
 	 */
 	String[] authorities();
 
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.authorization;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import org.springframework.context.annotation.ImportSelector;
+import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
+
+/**
+ * Uses {@link EnableMultiFactorAuthentication} to configure a
+ * {@link DefaultAuthorizationManagerFactory}.
+ *
+ * @author Rob Winch
+ * @since 7.0
+ * @see EnableMultiFactorAuthentication
+ */
+class MultiFactorAuthenticationSelector implements ImportSelector {
+
+	@Override
+	public String[] selectImports(AnnotationMetadata metadata) {
+		Map<String, Object> multiFactorAuthenticationAttrs = metadata
+			.getAnnotationAttributes(EnableMultiFactorAuthentication.class.getName());
+		String[] authorities = (String[]) multiFactorAuthenticationAttrs.getOrDefault("authorities", new String[0]);
+		List<String> imports = new ArrayList<>(2);
+		if (authorities.length > 0) {
+			imports.add(AuthorizationManagerFactoryConfiguration.class.getName());
+		}
+		imports.add(EnableMfaFiltersConfiguration.class.getName());
+		return imports.toArray(new String[imports.size()]);
+	}
+
+}
@@ -0,0 +1,158 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.authorization;
+
+import jakarta.servlet.Filter;
+import jakarta.servlet.http.HttpServletRequest;
+import org.jspecify.annotations.Nullable;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.mock.web.MockFilterChain;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockServletContext;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.authentication.AuthenticationFilter;
+import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
+import org.springframework.security.web.authentication.www.BasicAuthenticationConverter;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.util.matcher.AnyRequestMatcher;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+
+/**
+ * Tests for {@link EnableMultiFactorAuthentication}.
+ *
+ * @author Rob Winch
+ */
+@ExtendWith(SpringExtension.class)
+@WebAppConfiguration
+@WithMockUser(authorities = FactorGrantedAuthority.PASSWORD_AUTHORITY)
+public class EnableMultiFactorAuthenticationFiltersSetTests {
+
+	@Autowired
+	private AuthenticationManager manager;
+
+	private TestingAuthenticationToken newAuthn = new TestingAuthenticationToken("user", "password", "ROLE_USER",
+			FactorGrantedAuthority.OTT_AUTHORITY);
+
+	@Test
+	void preAuthenticationFilter(@Autowired AbstractAuthenticationProcessingFilter filter) throws Exception {
+		assertMfaEnabled(filter);
+	}
+
+	@Test
+	void authenticationFilter(@Autowired AuthenticationFilter filter) throws Exception {
+		assertMfaEnabled(filter);
+	}
+
+	@Test
+	void preAuthnFilter(@Autowired AbstractPreAuthenticatedProcessingFilter filter) throws Exception {
+		assertMfaEnabled(filter);
+	}
+
+	@Test
+	void basicAuthnFilter(@Autowired BasicAuthenticationFilter filter) throws Exception {
+		assertMfaEnabled(filter);
+	}
+
+	private void assertMfaEnabled(Filter filter) throws Exception {
+		given(this.manager.authenticate(any())).willReturn(this.newAuthn);
+		MockHttpServletRequest request = MockMvcRequestBuilders.get("/")
+			.headers((headers) -> headers.setBasicAuth("u", "p"))
+			.buildRequest(new MockServletContext());
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		MockFilterChain chain = new MockFilterChain();
+		filter.doFilter(request, response, chain);
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		assertThat(authentication).isNotNull();
+		assertThat(authentication.getAuthorities()).extracting(GrantedAuthority::getAuthority)
+			.containsExactlyInAnyOrder(FactorGrantedAuthority.OTT_AUTHORITY, FactorGrantedAuthority.PASSWORD_AUTHORITY,
+					"ROLE_USER");
+	}
+
+	@EnableWebSecurity
+	@Configuration
+	@EnableMultiFactorAuthentication(
+			authorities = { FactorGrantedAuthority.OTT_AUTHORITY, FactorGrantedAuthority.PASSWORD_AUTHORITY })
+	static class Config {
+
+		@Bean
+		AuthenticationManager authenticationManager() {
+			return mock(AuthenticationManager.class);
+		}
+
+		@Bean
+		static AbstractAuthenticationProcessingFilter authnProcessingFilter(
+				AuthenticationManager authenticationManager) {
+			AbstractAuthenticationProcessingFilter result = new AbstractAuthenticationProcessingFilter(
+					AnyRequestMatcher.INSTANCE, authenticationManager) {
+			};
+			result.setAuthenticationConverter(new BasicAuthenticationConverter());
+			return result;
+		}
+
+		@Bean
+		static AuthenticationFilter authenticationFilter(AuthenticationManager authenticationManager) {
+			return new AuthenticationFilter(authenticationManager, new BasicAuthenticationConverter());
+		}
+
+		@Bean
+		static AbstractPreAuthenticatedProcessingFilter preAuthenticatedProcessingFilter(
+				AuthenticationManager authenticationManager) {
+			AbstractPreAuthenticatedProcessingFilter result = new AbstractPreAuthenticatedProcessingFilter() {
+				@Override
+				protected @Nullable Object getPreAuthenticatedCredentials(HttpServletRequest request) {
+					return "password";
+				}
+
+				@Override
+				protected @Nullable Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
+					return "user";
+				}
+			};
+			result.setRequiresAuthenticationRequestMatcher(AnyRequestMatcher.INSTANCE);
+			result.setAuthenticationManager(authenticationManager);
+			return result;
+		}
+
+		@Bean
+		static BasicAuthenticationFilter basicAuthenticationFilter(AuthenticationManager authenticationManager) {
+			return new BasicAuthenticationFilter(authenticationManager);
+		}
+
+	}
+
+}