You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/modules/ROOT/pages/servlet/authentication/mfa.adoc
+8-8Lines changed: 8 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -44,14 +44,14 @@ The `@EnableMultiFactorAuthentication` `authorities` property is just a shortcut
44
44
When an `AuthorizationManagerFactory` Bean is available, it is used by Spring Security to create authorization rules, like `hasAnyRole(String)`, that are defined on the `AuthorizationManagerFactory` Bean interface.
45
45
The implementation published by `@EnableMultiFactorAuthentication` will ensure that each authorization is combined with the requirement of having the specified factors.
46
46
47
-
The `AuthorizationManagerFactory` Bean below is what is published in the previously discussed <<emfa, `@EnableMultiFactorAuthentication` example>>.
47
+
The `AuthorizationManagerFactory` Bean below is what is published in the previously discussed xref:emfa[`@EnableMultiFactorAuthentication` example].
We have demonstrated how to configure an entire application to require MFA by using <<emfa, ``@EnableMultiFactorAuthentication``s>> `authorities` property.
54
+
We have demonstrated how to configure an entire application to require MFA by using xref:emfa[``@EnableMultiFactorAuthentication``s] `authorities` property.
55
55
However, there are times that an application only wants parts of the application to require MFA.
56
56
Consider the following requirements:
57
57
@@ -61,7 +61,7 @@ Consider the following requirements:
61
61
62
62
In this case, some URLs require MFA while others do not.
63
63
This means that the global approach that we saw before does not work.
64
-
Fortunately, we can use what we learned in <<authorization-manager-factory>> to solve this in a concise manner.
64
+
Fortunately, we can use what we learned in xref:authorization-manager-factory[] to solve this in a concise manner.
65
65
66
66
Start by specifying `@EnableMultiFactorAuthentication` without any authorities.
67
67
By doing so we enable MFA support, but no `AuthorizationManagerFactory` Bean is published.
This instructs `DefaultAuthorizationManagerFactory` that any authorization rule should apply our custom `AuthorizationManager` along with any authorization requirements defined by the application (e.g. `hasRole("ADMIN")`).
122
122
<2> Publish `DefaultAuthorizationManagerFactory` as a Bean, so it is used globally
123
123
124
-
This should feel very similar to our previous example in <<authorization-manager-factory>>.
124
+
This should feel very similar to our previous example in xref:authorization-manager-factory[].
125
125
The difference is that in the previous example, the `AuthorizationManagerFactories` is setting `DefaultAuthorization.additionalAuthorization` with a built in `AuthorizationManager` that always requires the same authorities.
126
126
127
127
We can now define our authorization rules which are combined with `AdminMfaAuthorizationManager`.
@@ -138,10 +138,10 @@ If we preferred, we could change our logic to enable MFA based upon the roles ra
138
138
[[raam-mfa]]
139
139
== RequiredAuthoritiesAuthorizationManager
140
140
141
-
We've demonstrated how we can dynamically determine the authorities for a particular user in <<programmatic-mfa>> using a custom `AuthorizationManager`.
141
+
We've demonstrated how we can dynamically determine the authorities for a particular user in xref:programmatic-mfa[] using a custom `AuthorizationManager`.
142
142
However, this is such a common scenario that Spring Security provides built in support using javadoc:org.springframework.security.authorization.RequiredAuthoritiesAuthorizationManager[] and javadoc:org.springframework.security.authorization.RequiredAuthoritiesRepository[].
143
143
144
-
Let's implement the same requirement that we did in <<programmatic-mfa>> using the built-in support.
144
+
Let's implement the same requirement that we did in xref:programmatic-mfa[] using the built-in support.
145
145
146
146
We start by creating the `RequiredAuthoritiesAuthorizationManager` Bean to use.
147
147
@@ -168,7 +168,7 @@ Our example uses an in memory mapping of usernames to the additional required au
168
168
For more dynamic use cases that can be determined by the username, a custom implementation of javadoc:org.springframework.security.authorization.RequiredAuthoritiesRepository[] can be created.
169
169
Possible examples would be looking up if a user has enabled MFA in an explicit setting, determining if a user has registered a passkey, etc.
170
170
171
-
For cases that need to determine MFA based upon the `Authentication`, a custom `AuthorizationManger` can be used as demonstrated in <<programmatic-mfa>>.
171
+
For cases that need to determine MFA based upon the `Authentication`, a custom `AuthorizationManger` can be used as demonstrated in xref:programmatic-mfa[].
172
172
173
173
174
174
[[hasallauthorities]]
@@ -197,7 +197,7 @@ Can you imagine what it would be like to declare hundreds of rules like this?
197
197
What's more that it becomes difficult to express more complicated authorization rules.
198
198
For example, how would you require two factors and either `ROLE_ADMIN` or `ROLE_USER`?
199
199
200
-
The answer to these questions, as we have already seen, is to use <<emfa>>
200
+
The answer to these questions, as we have already seen, is to use xref:emfa[]
0 commit comments