MFA is now Opt In

This commit ensures that MFA is only performed when users opt in. By
doing so, we allow users to decide if they will opt into the semantics
of merging two Authentication instances.

Closes gh-18126

Author: rwinch

config/src/main/java/org/springframework/security/config/annotation/authorization/GlobalMultiFactorAuthenticationConfiguration.java renamed to config/src/main/java/org/springframework/security/config/annotation/authorization/AuthorizationManagerFactoryConfiguration.java

@@ -34,7 +34,7 @@
  * @since 7.0
  * @see EnableGlobalMultiFactorAuthentication
  */
-class GlobalMultiFactorAuthenticationConfiguration implements ImportAware {
+class AuthorizationManagerFactoryConfiguration implements ImportAware {
 
 	private String[] authorities;
 
@@ -51,7 +51,7 @@ public void setImportMetadata(AnnotationMetadata importMetadata) {
 		Map<String, Object> multiFactorAuthenticationAttrs = importMetadata
 			.getAnnotationAttributes(EnableGlobalMultiFactorAuthentication.class.getName());
 
-		this.authorities = (String[]) multiFactorAuthenticationAttrs.get("authorities");
+		this.authorities = (String[]) multiFactorAuthenticationAttrs.getOrDefault("authorities", new String[0]);
 	}
 
 }

config/src/main/java/org/springframework/security/config/annotation/authorization/EnableGlobalMultiFactorAuthentication.java

@@ -51,13 +51,15 @@
 @Retention(RetentionPolicy.RUNTIME)
 @Target(ElementType.TYPE)
 @Documented
-@Import(GlobalMultiFactorAuthenticationConfiguration.class)
+@Import(GlobalMultiFactorAuthenticationSelector.class)
 public @interface EnableGlobalMultiFactorAuthentication {
 
 	/**
 	 * The additional authorities that are required.
 	 * @return the additional authorities that are required (e.g. {
-	 * FactorGrantedAuthority.FACTOR_OTT, FactorGrantedAuthority.FACTOR_PASSWORD })
+	 * FactorGrantedAuthority.FACTOR_OTT, FactorGrantedAuthority.FACTOR_PASSWORD }). Can
+	 * be null or an empty array if no additional authorities are required (if
+	 * authorization rules are not globally requiring MFA).
 	 * @see org.springframework.security.core.authority.FactorGrantedAuthority
 	 */
 	String[] authorities();

config/src/main/java/org/springframework/security/config/annotation/authorization/EnableMfaFiltersConfiguration.java

@@ -0,0 +1,65 @@
+/*
+ * Copyright 2002-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.authorization;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.config.BeanPostProcessor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.authentication.AuthenticationFilter;
+import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+
+@Configuration(proxyBeanMethods = false)
+class EnableMfaFiltersConfiguration {
+
+	@Bean
+	BeanPostProcessor mfaBeanPostProcessor() {
+		return new EnableMfaFiltersPostProcessor();
+	}
+
+	/**
+	 * A {@link BeanPostProcessor} that enables MFA on authentication filters.
+	 *
+	 * @author Rob Winch
+	 * @since 7.0
+	 */
+	private static class EnableMfaFiltersPostProcessor implements BeanPostProcessor {
+
+		@Override
+		public @Nullable Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
+			if (bean instanceof AbstractAuthenticationProcessingFilter filter) {
+				filter.setMfaEnabled(true);
+			}
+			if (bean instanceof AuthenticationFilter filter) {
+				filter.setMfaEnabled(true);
+			}
+			if (bean instanceof AbstractPreAuthenticatedProcessingFilter filter) {
+				filter.setMfaEnabled(true);
+			}
+			if (bean instanceof BasicAuthenticationFilter filter) {
+				filter.setMfaEnabled(true);
+			}
+			return bean;
+		}
+
+	}
+
+}

config/src/main/java/org/springframework/security/config/annotation/authorization/GlobalMultiFactorAuthenticationSelector.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.authorization;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import org.springframework.context.annotation.ImportSelector;
+import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
+
+/**
+ * Uses {@link EnableGlobalMultiFactorAuthentication} to configure a
+ * {@link DefaultAuthorizationManagerFactory}.
+ *
+ * @author Rob Winch
+ * @since 7.0
+ * @see EnableGlobalMultiFactorAuthentication
+ */
+class GlobalMultiFactorAuthenticationSelector implements ImportSelector {
+
+	@Override
+	public String[] selectImports(AnnotationMetadata metadata) {
+		Map<String, Object> multiFactorAuthenticationAttrs = metadata
+			.getAnnotationAttributes(EnableGlobalMultiFactorAuthentication.class.getName());
+		String[] authorities = (String[]) multiFactorAuthenticationAttrs.getOrDefault("authorities", new String[0]);
+		List<String> imports = new ArrayList<>(2);
+		if (authorities.length > 0) {
+			imports.add(AuthorizationManagerFactoryConfiguration.class.getName());
+		}
+		imports.add(EnableMfaFiltersConfiguration.class.getName());
+		return imports.toArray(new String[imports.size()]);
+	}
+
+}

config/src/test/java/org/springframework/security/config/annotation/authorization/EnableGlobalMultiFactorAuthenticationFiltersSetTests.java

@@ -0,0 +1,158 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.authorization;
+
+import jakarta.servlet.Filter;
+import jakarta.servlet.http.HttpServletRequest;
+import org.jspecify.annotations.Nullable;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.mock.web.MockFilterChain;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockServletContext;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.authentication.AuthenticationFilter;
+import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
+import org.springframework.security.web.authentication.www.BasicAuthenticationConverter;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.util.matcher.AnyRequestMatcher;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+
+/**
+ * Tests for {@link EnableGlobalMultiFactorAuthentication}.
+ *
+ * @author Rob Winch
+ */
+@ExtendWith(SpringExtension.class)
+@WebAppConfiguration
+@WithMockUser(authorities = FactorGrantedAuthority.PASSWORD_AUTHORITY)
+public class EnableGlobalMultiFactorAuthenticationFiltersSetTests {
+
+	@Autowired
+	private AuthenticationManager manager;
+
+	private TestingAuthenticationToken newAuthn = new TestingAuthenticationToken("user", "password", "ROLE_USER",
+			FactorGrantedAuthority.OTT_AUTHORITY);
+
+	@Test
+	void preAuthenticationFilter(@Autowired AbstractAuthenticationProcessingFilter filter) throws Exception {
+		assertMfaEnabled(filter);
+	}
+
+	@Test
+	void authenticationFilter(@Autowired AuthenticationFilter filter) throws Exception {
+		assertMfaEnabled(filter);
+	}
+
+	@Test
+	void preAuthnFilter(@Autowired AbstractPreAuthenticatedProcessingFilter filter) throws Exception {
+		assertMfaEnabled(filter);
+	}
+
+	@Test
+	void basicAuthnFilter(@Autowired BasicAuthenticationFilter filter) throws Exception {
+		assertMfaEnabled(filter);
+	}
+
+	private void assertMfaEnabled(Filter filter) throws Exception {
+		given(this.manager.authenticate(any())).willReturn(this.newAuthn);
+		MockHttpServletRequest request = MockMvcRequestBuilders.get("/")
+			.headers((headers) -> headers.setBasicAuth("u", "p"))
+			.buildRequest(new MockServletContext());
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		MockFilterChain chain = new MockFilterChain();
+		filter.doFilter(request, response, chain);
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		assertThat(authentication).isNotNull();
+		assertThat(authentication.getAuthorities()).extracting(GrantedAuthority::getAuthority)
+			.containsExactlyInAnyOrder(FactorGrantedAuthority.OTT_AUTHORITY, FactorGrantedAuthority.PASSWORD_AUTHORITY,
+					"ROLE_USER");
+	}
+
+	@EnableWebSecurity
+	@Configuration
+	@EnableGlobalMultiFactorAuthentication(
+			authorities = { FactorGrantedAuthority.OTT_AUTHORITY, FactorGrantedAuthority.PASSWORD_AUTHORITY })
+	static class Config {
+
+		@Bean
+		AuthenticationManager authenticationManager() {
+			return mock(AuthenticationManager.class);
+		}
+
+		@Bean
+		static AbstractAuthenticationProcessingFilter authnProcessingFilter(
+				AuthenticationManager authenticationManager) {
+			AbstractAuthenticationProcessingFilter result = new AbstractAuthenticationProcessingFilter(
+					AnyRequestMatcher.INSTANCE, authenticationManager) {
+			};
+			result.setAuthenticationConverter(new BasicAuthenticationConverter());
+			return result;
+		}
+
+		@Bean
+		static AuthenticationFilter authenticationFilter(AuthenticationManager authenticationManager) {
+			return new AuthenticationFilter(authenticationManager, new BasicAuthenticationConverter());
+		}
+
+		@Bean
+		static AbstractPreAuthenticatedProcessingFilter preAuthenticatedProcessingFilter(
+				AuthenticationManager authenticationManager) {
+			AbstractPreAuthenticatedProcessingFilter result = new AbstractPreAuthenticatedProcessingFilter() {
+				@Override
+				protected @Nullable Object getPreAuthenticatedCredentials(HttpServletRequest request) {
+					return "password";
+				}
+
+				@Override
+				protected @Nullable Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
+					return "user";
+				}
+			};
+			result.setRequiresAuthenticationRequestMatcher(AnyRequestMatcher.INSTANCE);
+			result.setAuthenticationManager(authenticationManager);
+			return result;
+		}
+
+		@Bean
+		static BasicAuthenticationFilter basicAuthenticationFilter(AuthenticationManager authenticationManager) {
+			return new BasicAuthenticationFilter(authenticationManager);
+		}
+
+	}
+
+}