Polish MFA Samples

This commit removes unneeded AuthorizationManagerFactory
implementations, simplifies the custom AuthorizationManagerFactory
example, and updates usage of hasAllAuthorities.

Issue gh-17934

Author: jzheaux

docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/ListAuthoritiesEverywhereConfiguration.java

@@ -13,10 +13,6 @@
 import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;
 import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenGenerationSuccessHandler;
 
-import static org.springframework.security.authorization.AuthorityAuthorizationManager.hasAuthority;
-import static org.springframework.security.authorization.AuthorityAuthorizationManager.hasRole;
-import static org.springframework.security.authorization.AuthorizationManagers.allOf;
-
 @EnableWebSecurity
 @Configuration(proxyBeanMethods = false)
 public class ListAuthoritiesEverywhereConfiguration {
@@ -27,8 +23,8 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 		// @formatter:off
 		http
 			.authorizeHttpRequests((authorize) -> authorize
-				.requestMatchers("/admin/**").access(allOf(hasAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY), hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY), hasRole("ADMIN"))) // <1>
-				.anyRequest().access(allOf(hasAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY), hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY)))
+				.requestMatchers("/admin/**").hasAllAuthorities(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY, "ROLE_ADMIN") // <1>
+				.anyRequest().hasAllAuthorities(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY)
 			)
 			.formLogin(Customizer.withDefaults())
 			.oneTimeTokenLogin(Customizer.withDefaults());

docs/src/test/java/org/springframework/security/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactory.java

@@ -1,16 +1,12 @@
 package org.springframework.security.docs.servlet.authentication.customauthorizationmanagerfactory;
 
-import java.util.Collection;
 import java.util.function.Supplier;
 
-import org.jspecify.annotations.NullMarked;
 import org.jspecify.annotations.Nullable;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.access.expression.SecurityExpressionOperations;
-import org.springframework.security.access.expression.SecurityExpressionRoot;
-import org.springframework.security.authorization.AuthorityAuthorizationDecision;
+import org.springframework.security.authorization.AuthorityAuthorizationManager;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.AuthorizationManagerFactory;
@@ -21,10 +17,9 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthorities;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;
 import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenGenerationSuccessHandler;
@@ -51,50 +46,31 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 
 	// tag::authorizationManager[]
 	@Component
-	class OptInToMfaAuthorizationManager implements AuthorizationManager<Object> {
+	class UserBasedOttAuthorizationManager implements AuthorizationManager<Object> {
 		@Override
 		public AuthorizationResult authorize(Supplier<? extends @Nullable Authentication> authentication, Object context) {
-			MyPrincipal principal = (MyPrincipal) authentication.get().getPrincipal();
-			if (principal.optedIn()) {
-				SecurityExpressionOperations sec = new SecurityExpressionRoot<>(authentication, context) {};
-				return new AuthorityAuthorizationDecision(sec.hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY),
-						AuthorityUtils.createAuthorityList(GrantedAuthorities.FACTOR_OTT_AUTHORITY));
+			if ("admin".equals(authentication.get().getName())) {
+				return AuthorityAuthorizationManager.hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY)
+						.authorize(authentication, context);
+			} else {
+				return new AuthorizationDecision(true);
 			}
-			return new AuthorizationDecision(true);
 		}
 	}
 	// end::authorizationManager[]
 
 	// tag::authorizationManagerFactory[]
 	@Bean
-	AuthorizationManagerFactory<Object> authorizationManagerFactory(OptInToMfaAuthorizationManager optIn) {
+	AuthorizationManagerFactory<Object> authorizationManagerFactory(UserBasedOttAuthorizationManager optIn) {
 		DefaultAuthorizationManagerFactory<Object> defaults = new DefaultAuthorizationManagerFactory<>();
 		defaults.setAdditionalAuthorization(optIn);
 		return defaults;
 	}
 	// end::authorizationManagerFactory[]
 
-	@NullMarked
-	record MyPrincipal(String username, boolean optedIn) implements UserDetails {
-		@Override
-		public Collection<? extends GrantedAuthority> getAuthorities() {
-			return AuthorityUtils.createAuthorityList("app");
-		}
-
-		@Override
-		public @Nullable String getPassword() {
-			return null;
-		}
-
-		@Override
-		public String getUsername() {
-			return this.username;
-		}
-	}
-
 	@Bean
-	UserDetailsService users() {
-		return (username) -> new MyPrincipal(username, username.equals("optedin"));
+	public UserDetailsService users() {
+		return new InMemoryUserDetailsManager(PasswordEncodedUser.user(), PasswordEncodedUser.admin());
 	}
 
 	@Bean

docs/src/test/java/org/springframework/security/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactoryTests.java

@@ -20,19 +20,18 @@
 import org.junit.jupiter.api.extension.ExtendWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.GrantedAuthorities;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
+import org.springframework.test.context.TestExecutionListeners;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
-import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
 import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
@@ -43,48 +42,45 @@
  *
  * @author Rob Winch
  */
-@ExtendWith(SpringTestContextExtension.class)
+@ExtendWith({SpringExtension.class, SpringTestContextExtension.class})
+@TestExecutionListeners(WithSecurityContextTestExecutionListener.class)
 public class CustomAuthorizationManagerFactoryTests {
 
 	public final SpringTestContext spring = new SpringTestContext(this);
 
 	@Autowired
 	MockMvc mockMvc;
 
-	@Autowired
-	UserDetailsService users;
-
 	@Test
-	void getWhenOptedInThenRedirectsToOtt() throws Exception {
+	@WithMockUser(username = "admin")
+	void getWhenAdminThenRedirectsToOtt() throws Exception {
 		this.spring.register(CustomAuthorizationManagerFactory.class, Http200Controller.class).autowire();
-		UserDetails user = this.users.loadUserByUsername("optedin");
 		// @formatter:off
-		this.mockMvc.perform(get("/").with(user(user)))
+		this.mockMvc.perform(get("/"))
 			.andExpect(status().is3xxRedirection())
 			.andExpect(redirectedUrl("http://localhost/login?factor=ott"));
 		// @formatter:on
 	}
 
 	@Test
-	void getWhenNotOptedInThenAllows() throws Exception {
+	@WithMockUser
+	void getWhenNotAdminThenAllows() throws Exception {
 		this.spring.register(CustomAuthorizationManagerFactory.class, Http200Controller.class).autowire();
-		UserDetails user = this.users.loadUserByUsername("user");
 		// @formatter:off
-		this.mockMvc.perform(get("/").with(user(user)))
+		this.mockMvc.perform(get("/"))
 			.andExpect(status().isOk())
 			.andExpect(authenticated().withUsername("user"));
 		// @formatter:on
 	}
 
 	@Test
-	void getWhenOptedAndHasFactorThenAllows() throws Exception {
+	@WithMockUser(username = "admin", authorities = GrantedAuthorities.FACTOR_OTT_AUTHORITY)
+	void getWhenAdminAndHasFactorThenAllows() throws Exception {
 		this.spring.register(CustomAuthorizationManagerFactory.class, Http200Controller.class).autowire();
-		UserDetails user = this.users.loadUserByUsername("optedin");
-		TestingAuthenticationToken token = new TestingAuthenticationToken(user, "", GrantedAuthorities.FACTOR_OTT_AUTHORITY);
 		// @formatter:off
-		this.mockMvc.perform(get("/").with(authentication(token)))
+		this.mockMvc.perform(get("/"))
 			.andExpect(status().isOk())
-			.andExpect(authenticated().withUsername("optedin"));
+			.andExpect(authenticated().withUsername("admin"));
 		// @formatter:on
 	}
 

docs/src/test/java/org/springframework/security/docs/servlet/authentication/multifactorauthentication/ListAuthoritiesConfiguration.java

@@ -13,9 +13,6 @@
 import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;
 import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenGenerationSuccessHandler;
 
-import static org.springframework.security.authorization.AuthorityAuthorizationManager.hasAuthority;
-import static org.springframework.security.authorization.AuthorizationManagers.allOf;
-
 @EnableWebSecurity
 @Configuration(proxyBeanMethods = false)
 class ListAuthoritiesConfiguration {
@@ -26,7 +23,7 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
 			.authorizeHttpRequests((authorize) -> authorize
-				.anyRequest().access(allOf(hasAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY), hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY))) // <1>
+				.anyRequest().hasAllAuthorities(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY) // <1>
 			)
 			.formLogin(Customizer.withDefaults())
 			.oneTimeTokenLogin(Customizer.withDefaults());
@@ -36,7 +33,7 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	// end::httpSecurity[]
 
 	@Bean
-	UserDetailsService userDetailsService() {
+	UserDetailsService users() {
 		return new InMemoryUserDetailsManager(
 				User.withDefaultPasswordEncoder()
 						.username("user")

docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.java

@@ -8,8 +8,6 @@
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.authorization.AuthorizationDecision;
-import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.AuthorizationManagerFactory;
 import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 import org.springframework.security.config.Customizer;
@@ -22,12 +20,8 @@
 import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
 import org.springframework.stereotype.Component;
 
-import static org.springframework.security.authorization.AllAuthoritiesAuthorizationManager.hasAllAuthorities;
-import static org.springframework.security.authorization.AuthorizationManagers.allOf;
-
 @EnableWebSecurity
 @Configuration(proxyBeanMethods = false)
 class MissingAuthorityConfiguration {
@@ -53,83 +47,13 @@ SecurityFilterChain securityFilterChain(HttpSecurity http, ScopeRetrievingAuthen
 
 	// tag::authorizationManagerFactoryBean[]
 	@Bean
-	AuthorizationManagerFactory<RequestAuthorizationContext> authz() {
-		return new FactorAuthorizationManagerFactory(hasAllAuthorities(GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY));
+	AuthorizationManagerFactory<Object> authz() {
+		return DefaultAuthorizationManagerFactory.builder()
+				.requireAdditionalAuthorities(GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY)
+				.build();
 	}
 	// end::authorizationManagerFactoryBean[]
 
-	// tag::authorizationManagerFactory[]
-	class FactorAuthorizationManagerFactory implements AuthorizationManagerFactory<RequestAuthorizationContext> {
-		private final AuthorizationManager<RequestAuthorizationContext> hasAuthorities;
-		private final DefaultAuthorizationManagerFactory<RequestAuthorizationContext> delegate =
-				new DefaultAuthorizationManagerFactory<>();
-
-		FactorAuthorizationManagerFactory(AuthorizationManager<RequestAuthorizationContext> hasAuthorities) {
-			this.hasAuthorities = hasAuthorities;
-		}
-
-		@Override
-		public AuthorizationManager<RequestAuthorizationContext> permitAll() {
-			return this.delegate.permitAll();
-		}
-
-		@Override
-		public AuthorizationManager<RequestAuthorizationContext> denyAll() {
-			return this.delegate.denyAll();
-		}
-
-		@Override
-		public AuthorizationManager<RequestAuthorizationContext> hasRole(String role) {
-			return hasAnyRole(role);
-		}
-
-		@Override
-		public AuthorizationManager<RequestAuthorizationContext> hasAnyRole(String... roles) {
-			return allOf(new AuthorizationDecision(false), this.hasAuthorities, this.delegate.hasAnyRole(roles));
-		}
-
-		@Override
-		public AuthorizationManager<RequestAuthorizationContext> hasAllRoles(String... roles) {
-			return allOf(new AuthorizationDecision(false), this.hasAuthorities, this.delegate.hasAllRoles(roles));
-		}
-
-		@Override
-		public AuthorizationManager<RequestAuthorizationContext> hasAuthority(String authority) {
-			return hasAnyAuthority(authority);
-		}
-
-		@Override
-		public AuthorizationManager<RequestAuthorizationContext> hasAnyAuthority(String... authorities) {
-			return allOf(new AuthorizationDecision(false), this.hasAuthorities, this.delegate.hasAnyAuthority(authorities));
-		}
-
-		@Override
-		public AuthorizationManager<RequestAuthorizationContext> hasAllAuthorities(String... authorities) {
-			return allOf(new AuthorizationDecision(false), this.hasAuthorities, this.delegate.hasAllAuthorities(authorities));
-		}
-
-		@Override
-		public AuthorizationManager<RequestAuthorizationContext> authenticated() {
-			return allOf(new AuthorizationDecision(false), this.hasAuthorities, this.delegate.authenticated());
-		}
-
-		@Override
-		public AuthorizationManager<RequestAuthorizationContext> fullyAuthenticated() {
-			return allOf(new AuthorizationDecision(false), this.hasAuthorities, this.delegate.fullyAuthenticated());
-		}
-
-		@Override
-		public AuthorizationManager<RequestAuthorizationContext> rememberMe() {
-			return allOf(new AuthorizationDecision(false), this.hasAuthorities, this.delegate.rememberMe());
-		}
-
-		@Override
-		public AuthorizationManager<RequestAuthorizationContext> anonymous() {
-			return this.delegate.anonymous();
-		}
-	}
-	// end::authorizationManagerFactory[]
-
 	// tag::authenticationEntryPoint[]
 	@Component
 	class ScopeRetrievingAuthenticationEntryPoint implements AuthenticationEntryPoint {