Add MultifactorAuthenticationToken

to indicate the state of principal which passed first step of multi step
(factor) authentication.

Author: ynojima

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java

@@ -40,6 +40,8 @@
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
+import org.springframework.security.authentication.MFATokenEvaluator;
+import org.springframework.security.authentication.MFATokenEvaluatorImpl;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
@@ -113,6 +115,7 @@ public <T> T postProcess(T object) {
 	private boolean authenticationManagerInitialized;
 	private AuthenticationManager authenticationManager;
 	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+	private MFATokenEvaluator mfaTokenEvaluator = new MFATokenEvaluatorImpl();
 	private HttpSecurity http;
 	private boolean disableDefaults;
 
@@ -391,6 +394,11 @@ public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
 		this.trustResolver = trustResolver;
 	}
 
+	@Autowired(required = false)
+	public void setMfaTokenEvaluator(MFATokenEvaluator mfaTokenEvaluator){
+		this.mfaTokenEvaluator = mfaTokenEvaluator;
+	}
+
 	@Autowired(required = false)
 	public void setContentNegotationStrategy(
 			ContentNegotiationStrategy contentNegotiationStrategy) {
@@ -420,6 +428,7 @@ private Map<Class<? extends Object>, Object> createSharedObjects() {
 		sharedObjects.put(ApplicationContext.class, context);
 		sharedObjects.put(ContentNegotiationStrategy.class, contentNegotiationStrategy);
 		sharedObjects.put(AuthenticationTrustResolver.class, trustResolver);
+		sharedObjects.put(MFATokenEvaluator.class, mfaTokenEvaluator);
 		return sharedObjects;
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurer.java

@@ -17,6 +17,7 @@
 
 import java.util.LinkedHashMap;
 
+import org.springframework.security.authentication.MFATokenEvaluator;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.AuthenticationEntryPoint;
@@ -67,6 +68,8 @@ public final class ExceptionHandlingConfigurer<H extends HttpSecurityBuilder<H>>
 
 	private AuthenticationEntryPoint authenticationEntryPoint;
 
+	private MFATokenEvaluator mfaTokenEvaluator;
+
 	private AccessDeniedHandler accessDeniedHandler;
 
 	private LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> defaultEntryPointMappings = new LinkedHashMap<>();
@@ -151,6 +154,18 @@ public ExceptionHandlingConfigurer<H> authenticationEntryPoint(
 		return this;
 	}
 
+	/**
+	 * Specifies the {@link MFATokenEvaluator} to be used
+	 *
+	 * @param mfaTokenEvaluator the {@link MFATokenEvaluator} to be used
+	 * @return the {@link ExceptionHandlingConfigurer} for further customization
+	 */
+	public ExceptionHandlingConfigurer<H> mfaTokenEvaluator(
+			MFATokenEvaluator mfaTokenEvaluator) {
+		this.mfaTokenEvaluator = mfaTokenEvaluator;
+		return this;
+	}
+
 	/**
 	 * Sets a default {@link AuthenticationEntryPoint} to be used which prefers being
 	 * invoked for the provided {@link RequestMatcher}. If only a single default
@@ -194,6 +209,9 @@ public void configure(H http) throws Exception {
 				entryPoint, getRequestCache(http));
 		AccessDeniedHandler deniedHandler = getAccessDeniedHandler(http);
 		exceptionTranslationFilter.setAccessDeniedHandler(deniedHandler);
+		if(mfaTokenEvaluator != null){
+			exceptionTranslationFilter.setMFATokenEvaluator(mfaTokenEvaluator);
+		}
 		exceptionTranslationFilter = postProcess(exceptionTranslationFilter);
 		http.addFilter(exceptionTranslationFilter);
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java

@@ -26,6 +26,7 @@
 import org.springframework.context.event.GenericApplicationListenerAdapter;
 import org.springframework.context.event.SmartApplicationListener;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.MFATokenEvaluator;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -425,6 +426,11 @@ public void init(H http) throws Exception {
 				if (trustResolver != null) {
 					httpSecurityRepository.setTrustResolver(trustResolver);
 				}
+				MFATokenEvaluator mfaTokenEvaluator = http
+						.getSharedObject(MFATokenEvaluator.class);
+				if(mfaTokenEvaluator != null){
+					httpSecurityRepository.setMFATokenEvaluator(mfaTokenEvaluator);
+				}
 				http.setSharedObject(SecurityContextRepository.class,
 						httpSecurityRepository);
 			}

core/src/main/java/org/springframework/security/authentication/AuthenticationTrustResolverImpl.java

@@ -36,6 +36,8 @@ public class AuthenticationTrustResolverImpl implements AuthenticationTrustResol
 	private Class<? extends Authentication> anonymousClass = AnonymousAuthenticationToken.class;
 	private Class<? extends Authentication> rememberMeClass = RememberMeAuthenticationToken.class;
 
+	private MFATokenEvaluator mfaTokenEvaluator = new MFATokenEvaluatorImpl();
+
 	// ~ Methods
 	// ========================================================================================================
 
@@ -52,6 +54,10 @@ public boolean isAnonymous(Authentication authentication) {
 			return false;
 		}
 
+		if(mfaTokenEvaluator != null && mfaTokenEvaluator.isMultiFactorAuthentication(authentication)){
+			return true;
+		}
+
 		return anonymousClass.isAssignableFrom(authentication.getClass());
 	}
 
@@ -70,4 +76,8 @@ public void setAnonymousClass(Class<? extends Authentication> anonymousClass) {
 	public void setRememberMeClass(Class<? extends Authentication> rememberMeClass) {
 		this.rememberMeClass = rememberMeClass;
 	}
+
+	public void setMFATokenEvaluator(MFATokenEvaluator mfaTokenEvaluator){
+		this.mfaTokenEvaluator = mfaTokenEvaluator;
+	}
 }

core/src/main/java/org/springframework/security/authentication/MFATokenEvaluator.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authentication;
+
+import org.springframework.security.core.Authentication;
+
+/**
+ * Evaluates <code>Authentication</code> tokens
+ *
+ * @author Yoshikazu Nojima
+ */
+public interface MFATokenEvaluator {
+
+	/**
+	 * Indicates whether the passed <code>Authentication</code> token represents a
+	 * user in the middle of multi factor authentication process.
+     *
+	 * @param authentication to test (may be <code>null</code> in which case the method
+	 * will always return <code>false</code>)
+	 *
+	 * @return <code>true</code> the passed authentication token represented a principal
+	 * in the middle of multi factor authentication process, <code>false</code> otherwise
+	 */
+	boolean isMultiFactorAuthentication(Authentication authentication);
+}

core/src/main/java/org/springframework/security/authentication/MFATokenEvaluatorImpl.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authentication;
+
+import org.springframework.security.core.Authentication;
+
+/**
+ * Basic implementation of {@link MFATokenEvaluator}.
+ * <p>
+ * Makes trust decisions based on whether the passed <code>Authentication</code> is an
+ * instance of a defined class.
+ * <p>
+ * If {@link #multiFactorClass} is <code>null</code>, the
+ * corresponding method will always return <code>false</code>.
+ *
+ * @author Yoshikazu Nojima
+ */
+public class MFATokenEvaluatorImpl implements MFATokenEvaluator {
+
+	private Class<? extends Authentication> multiFactorClass = MultiFactorAuthenticationToken.class;
+
+	Class<? extends Authentication> getMultiFactorClass() { return multiFactorClass; }
+
+	@Override
+	public boolean isMultiFactorAuthentication(Authentication authentication) {
+		if ((multiFactorClass == null) || (authentication == null)) {
+			return false;
+		}
+
+		return multiFactorClass.isAssignableFrom(authentication.getClass());
+	}
+
+	public void setMultiFactorClass(Class<? extends Authentication> multiFactorClass) {this.multiFactorClass = multiFactorClass; }
+
+}

core/src/main/java/org/springframework/security/authentication/MultiFactorAuthenticationToken.java

@@ -0,0 +1,64 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authentication;
+
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
+
+import java.util.Collection;
+
+/**
+ * Represents a principal in the middle of multi factor (step) authentication
+ *
+ * @author Yoshikazu Nojima
+ */
+public class MultiFactorAuthenticationToken extends AbstractAuthenticationToken {
+
+	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
+	private Object principal;
+	private Object credentials;
+
+	// ~ Constructors
+	// ===================================================================================================
+	public MultiFactorAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
+		super(authorities);
+		this.principal = principal;
+		this.credentials = credentials;
+		setAuthenticated(true);
+	}
+
+	// ~ Methods
+	// ========================================================================================================
+
+	@Override
+	public Object getPrincipal() {
+		return principal;
+	}
+
+	@Override
+	public Object getCredentials() {
+		return credentials;
+	}
+
+	@Override
+	public void eraseCredentials() {
+		super.eraseCredentials();
+		credentials = null;
+	}
+
+}

core/src/test/java/org/springframework/security/authentication/MFATokenEvaluatorImplTests.java

@@ -0,0 +1,72 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authentication;
+
+import org.junit.Test;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.MFAUserDetails;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class MFATokenEvaluatorImplTests {
+
+	// ~ Methods
+	// ========================================================================================================
+	@Test
+	public void testCorrectOperationIsAnonymous() {
+		MFATokenEvaluatorImpl mfaTokenEvaluator = new MFATokenEvaluatorImpl();
+		assertThat(mfaTokenEvaluator.isMultiFactorAuthentication(new MultiFactorAuthenticationToken("ignored",
+				"ignored", AuthorityUtils.createAuthorityList("ignored")))).isTrue();
+		assertThat(mfaTokenEvaluator.isMultiFactorAuthentication(new TestingAuthenticationToken("ignored",
+				"ignored", AuthorityUtils.createAuthorityList("ignored")))).isFalse();
+	}
+
+	@Test
+	public void testIsSingleFactorAuthenticationAllowedWithNonMFAUserDetailsPrincipal(){
+		MFATokenEvaluatorImpl mfaTokenEvaluator = new MFATokenEvaluatorImpl();
+		boolean result = mfaTokenEvaluator.isSingleFactorAuthenticationAllowed(new TestingAuthenticationToken("", ""));
+		assertThat(result).isFalse();
+	}
+
+	@Test
+	public void testIsSingleFactorAuthenticationAllowedWithMFAUserDetailsPrincipal(){
+		MFAUserDetails mfaUserDetails = mock(MFAUserDetails.class);
+		when(mfaUserDetails.isSingleFactorAuthenticationAllowed()).thenReturn(true);
+		MFATokenEvaluatorImpl mfaTokenEvaluator = new MFATokenEvaluatorImpl();
+		boolean result = mfaTokenEvaluator.isSingleFactorAuthenticationAllowed(new TestingAuthenticationToken(mfaUserDetails, ""));
+		assertThat(result).isTrue();
+	}
+
+	@Test
+	public void testGettersSetters() {
+		MFATokenEvaluatorImpl mfaTokenEvaluator = new MFATokenEvaluatorImpl();
+
+		assertThat(MultiFactorAuthenticationToken.class).isEqualTo(
+				mfaTokenEvaluator.getMultiFactorClass());
+		mfaTokenEvaluator.setMultiFactorClass(TestingAuthenticationToken.class);
+		assertThat(mfaTokenEvaluator.getMultiFactorClass()).isEqualTo(
+				TestingAuthenticationToken.class);
+
+		assertThat(mfaTokenEvaluator.isSingleFactorAuthenticationAllowed()).isTrue();
+		mfaTokenEvaluator.setSingleFactorAuthenticationAllowed(false);
+		assertThat(mfaTokenEvaluator.isSingleFactorAuthenticationAllowed()).isFalse();
+
+	}
+
+}