CrazyParanoid
commented
1 month ago Hi @marcusdacoregio ! I can share my implementation which I use in my projects. The security configuration looks like this:
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http, OneTimePasswordVerificationFilter oneTimePasswordVerificationFilter) throws Exception {
return http.httpBasic(AbstractHttpConfigurer::disable)
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(auth -> auth
.requestMatchers("/login/otp/**", "/otp/**")
.permitAll()
.anyRequest()
.authenticated())
.oauth2Login(login -> login.successHandler(new OneTimePasswordAuthenticationHandler()))
.addFilterAfter(new DefaultOneTimePasswordPageGeneratingFilter(), DefaultLoginPageGeneratingFilter.class)
.addFilterBefore(oneTimePasswordVerificationFilter, AuthorizationFilter.class)
.build();
}
@Bean
AuthenticationProvider oneTimePasswordAuthenticationProvider() {
return new OneTimePasswordAuthenticationProvider(new DefaultOneTimePasswordAuthenticationVerifier());
}
@Bean
OneTimePasswordVerificationFilter oneTimePasswordVerificationFilter(AuthenticationProvider oneTimePasswordAuthenticationProvider) {
OneTimePasswordVerificationFilter filter = new OneTimePasswordVerificationFilter(oneTimePasswordAuthenticationProvider::authenticate);
filter.setAuthenticationFailureHandler(new OneTimePasswordAuthenticationHandler());
return filter;
}
}I have several components, first of all this is a filter for verifying otp code OneTimePasswordVerificationFilter. It interacts with OneTimePasswordAuthenticationProvider, which verifies the otp code:
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
SecurityContext securityContext = SecurityContextHolder.getContext();
Authentication authentication = securityContext.getAuthentication();
String code = request.getParameter(otpCodeParameter);
OneTimePasswordAuthenticationToken authenticationToken = new OneTimePasswordAuthenticationToken(authentication, code);
return this.getAuthenticationManager().authenticate(authenticationToken);
}OneTimePasswordAuthenticationProvider performs verification using the OneTimePasswordAuthenticationVerifier component:
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
OneTimePasswordAuthenticationToken authenticationToken = (OneTimePasswordAuthenticationToken) authentication;
try {
oneTimePasswordAuthenticationVerifier.verify(authenticationToken);
} catch (OAuth2AuthorizationException ex) {
OAuth2Error oauth2Error = ex.getError();
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString(), ex);
}
return authenticationToken.getAuthentication();
}Implementation OneTimePasswordAuthenticationVerifier of depends on the authenticator chosen, for example GoogleAuthenticator.
public interface OneTimePasswordAuthenticationVerifier {
void verify(OneTimePasswordAuthenticationToken authenticationToken);
}To generate the code entry page, use DefaultOneTimePasswordPageGeneratingFilter. OneTimePasswordAuthenticationHandler provides a redirect to the page for entering the otp code after successful oauth 2.0 authorization.
I'm currently using such an implementation as part of the ouath 2.0 client along with spring cloud gateway.
evgeniycheban
marcusdacoregio
We should add support for one time token authentication, one common example is magic links sent in email or a text code to log a user in.
Note that this is not the same as https://github.com/spring-projects/spring-security/issues/3046 since it is not in the scope of this ticket to support MFA.