Update formLogin+ott To Latest

jzheaux · jzheaux · commit b977133741db · 2025-09-04T16:20:19.000-06:00
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle
@@ -21,13 +21,10 @@ dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-security'
 	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
-	implementation 'org.springframework.boot:spring-boot-starter-mail'
 	implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6'
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 	testImplementation 'org.springframework.security:spring-security-test'
-	testImplementation 'com.icegreen:greenmail-junit5:2.0.1'
 	testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
-	runtimeOnly 'org.springframework.boot:spring-boot-docker-compose'
 }
 
 tasks.named('test') {
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/compose.yml b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/compose.yml
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/wrapper/gradle-wrapper.properties b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.8-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/AuthorizationManagerFactory.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/AuthorizationManagerFactory.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.example.magiclink;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.function.Supplier;
+
+import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
+import org.springframework.security.authorization.AuthorityAuthorizationDecision;
+import org.springframework.security.authorization.AuthorityAuthorizationManager;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationManagers;
+import org.springframework.security.authorization.AuthorizationResult;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+
+public final class AuthorizationManagerFactory {
+
+	private final Collection<String> authorities;
+
+	public AuthorizationManagerFactory(String... authorities) {
+		this.authorities = List.of(authorities);
+	}
+
+	public <T> AuthorizationManager<T> authenticated() {
+		AuthenticatedAuthorizationManager<T> authenticated = AuthenticatedAuthorizationManager.authenticated();
+		return AuthorizationManagers.allOf(new AuthorizationDecision(false), this::factors, authenticated);
+	}
+
+	public <T> AuthorizationManager<T> hasAuthority(String authority) {
+		AuthorityAuthorizationManager<T> authorized = AuthorityAuthorizationManager.hasAuthority(authority);
+		return AuthorizationManagers.allOf(new AuthorizationDecision(false), this::factors, authorized);
+	}
+
+	private AuthorizationResult factors(Supplier<? extends Authentication> authentication, Object context) {
+		List<String> authorities = authentication.get()
+			.getAuthorities()
+			.stream()
+			.map(GrantedAuthority::getAuthority)
+			.toList();
+		List<String> needed = new ArrayList<>(this.authorities);
+		needed.removeIf(authorities::contains);
+		return new AuthorityAuthorizationDecision(needed.isEmpty(), AuthorityUtils.createAuthorityList(needed));
+	}
+
+}
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java
@@ -3,7 +3,6 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
-import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.stereotype.Controller;
@@ -28,19 +27,18 @@ public String ott() {
 	}
 
 	@Bean
-	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+	public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthorizationManagerFactory authz) throws Exception {
 		// @formatter:off
 		http
-			.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
-			.formLogin((form) -> form
-				.loginPage("/login/form").permitAll()
-				.factor(Customizer.withDefaults())
-			)
-			.oneTimeTokenLogin((ott) -> ott
-				.loginPage("/login/ott").permitAll()
-				.factor(Customizer.withDefaults())
-			);
+			.authorizeHttpRequests((authorize) -> authorize.anyRequest().access(authz.authenticated()))
+			.formLogin((form) -> form.loginPage("/login/form").permitAll())
+			.oneTimeTokenLogin((ott) -> ott.loginPage("/login/ott").permitAll());
 		// @formatter:on
 		return http.build();
 	}
+
+	@Bean
+	AuthorizationManagerFactory authz() {
+		return new AuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
+	}
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java
@@ -28,15 +28,23 @@
 class DefaultSecurityConfig {
 
 	@Bean
-	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+	public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthorizationManagerFactory authz) throws Exception {
 		// @formatter:off
 		http
-			.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
-			.formLogin((form) -> form.factor(Customizer.withDefaults()))
-			.oneTimeTokenLogin((ott) -> ott.factor(Customizer.withDefaults()));
+			.authorizeHttpRequests((authorize) -> authorize
+				.anyRequest().access(authz.authenticated())
+			)
+			.formLogin(Customizer.withDefaults())
+			.oneTimeTokenLogin(Customizer.withDefaults());
 		// @formatter:on
 		return http.build();
 	}
 
+	@Bean
+	AuthorizationManagerFactory authz() {
+		return new AuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
+	}
+
+
 
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java
@@ -1,26 +1,13 @@
 package org.example.magiclink;
 
-import java.time.Duration;
-
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
-import org.springframework.http.HttpMethod;
-import org.springframework.security.config.Customizer;
-import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
-import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configurers.MfaConfigurer;
-import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.authentication.AuthenticationFilter;
-import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
-import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 
-import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
-
 @Profile("elevated-security")
 @Configuration(proxyBeanMethods = false)
 public class ElevatedSecurityPageSecurityConfig {
@@ -40,24 +27,21 @@ public String ott() {
 	}
 
 	@Bean
-	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+	public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthorizationManagerFactory authz) throws Exception {
 		// @formatter:off
 		http
-			.authorizeHttpRequests((authz) -> authz
-				.requestMatchers("/profile").hasAuthority("profile:read")
-				.anyRequest().authenticated()
-			)
-			.formLogin((form) -> form
-				.loginPage("/login/form").permitAll()
-				.factor((f) -> f.grants(Duration.ofMinutes(1), "profile:read"))
+			.authorizeHttpRequests((authorize) -> authorize
+				.anyRequest().access(authz.authenticated())
 			)
-			.oneTimeTokenLogin((ott) -> ott
-				.loginPage("/login/ott").permitAll()
-				.factor(Customizer.withDefaults())
-			);
+			.formLogin((form) -> form.loginPage("/login/form").permitAll())
+			.oneTimeTokenLogin((ott) -> ott.loginPage("/login/ott").permitAll());
 
 		// @formatter:on
 		return http.build();
 	}
 
+	@Bean
+	AuthorizationManagerFactory authz() {
+		return new AuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
+	}
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java
@@ -19,13 +19,16 @@
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 
 @SpringBootApplication
+@EnableMethodSecurity
 public class MagicLinkApplication {
 
 	public static void main(String[] args) {
@@ -35,6 +38,8 @@ public static void main(String[] args) {
 	@Controller
 	static class AppController {
 		@GetMapping("/profile")
+		@PreAuthorize("@authz.hasAuthority('profile:read')") 	// FIXME add hasAuthorityWithin once
+																// GrantedAuthority is timestamped
 		String profile() {
 			return "profile";
 		}
@@ -45,7 +50,7 @@ InMemoryUserDetailsManager userDetailsService() {
 		UserDetails user = User.withDefaultPasswordEncoder()
 			.username("user")
 			.password("password")
-			.roles("USER")
+			.authorities("ROLE_USER", "profile:read")
 			.build();
 		return new InMemoryUserDetailsManager(user);
 	}
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java
@@ -20,31 +20,22 @@
 
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 
-import org.springframework.mail.SimpleMailMessage;
-import org.springframework.mail.javamail.JavaMailSender;
 import org.springframework.security.authentication.ott.OneTimeToken;
 import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;
 import org.springframework.stereotype.Component;
 
 @Component
 public class MagicLinkOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
 
-	private final JavaMailSender mailSender;
-
-	public MagicLinkOneTimeTokenGenerationSuccessHandler(JavaMailSender mailSender) {
-		this.mailSender = mailSender;
-	}
+	private final Log logger = LogFactory.getLog(this.getClass());
 
 	@Override
 	public void handle(HttpServletRequest request, HttpServletResponse response, OneTimeToken oneTimeToken)
 			throws IOException {
-		SimpleMailMessage message = new SimpleMailMessage();
-		message.setFrom("noreply@example.com");
-		message.setTo("johndoe@example.com");
-		message.setSubject("Your token");
-		message.setText("Please enter this token " + oneTimeToken.getTokenValue());
-		this.mailSender.send(message);
+		this.logger.info("Use this one-time token: " + oneTimeToken.getTokenValue());
 		response.sendRedirect("/login/ott");
 	}
 
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/org/example/magiclink/MagicLinkApplicationTests.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/org/example/magiclink/MagicLinkApplicationTests.java
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/resources/application.yml b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/resources/application.yml
@@ -1,6 +1 @@
-spring:
-  config:
-    import: classpath:application.yml
-  mail:
-    port: 3025
-    host: localhost
+
