Skip to content

Propagate Authorities From Previous Factors #17790

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Propagate Authorities From Previous Factors #17790

wants to merge 11 commits into from
+1,445 −25

Conversation

jzheaux
Copy link
Contributor

@jzheaux jzheaux commented Aug 21, 2025
edited
Loading

Applications can use AuthenticationBuilder to apply existing authentications to new ones.

For example, if the current logged in user is represented by:

Authentication firstFactor = ...

And they provide a second set of authenticated credentials, represented by:

Authentication secondFactor = ...

Then the first factor can be applied to the second factor as follows:

secondFactor = secondFactor.toBuilder().apply(firstFactor).build();

This draft PR adds a basic builder to each Authentication implementation that implements Authentication.Builder. In order to simplify upgrades, toBuilder by default returns a no-op implementation of Authentication.Builder that ultimately returns the same authentication unchanged.

@jzheaux jzheaux changed the title Authentication Builder Propagate Authorities From Previous Factors Aug 21, 2025
@jzheaux jzheaux force-pushed the authentication-builder branch 6 times, most recently from 6eb00d0 to b48b10a Compare August 22, 2025 22:25
rwinch
rwinch requested changes Aug 27, 2025
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @jzheaux! I've provided feedback inline, but my main pieces of feedback are:

  • The AuthenticationManager should not be accessing the SecurityContext. Instead, we should have the controller (e.g. Filter) that invokes the AuthenticationManager perform the merging of the two Authentication instances.
  • I think that the builder APIs should function independently of MFA and should work for any properties on the Authentication. Doing this would also allow deprecation of the setAuthenticated method.
  • I don't think we should have an Authentication.apply(Authentication) method. Especially so if it is only applying the authorities and ignoring many other properties that are on the Authentication object.

core/src/main/java/org/springframework/security/core/Authentication.java Outdated
@@ -54,6 +57,9 @@
*/
public interface Authentication extends Principal, Serializable {

@Serial
long serialVersionUID = -3884394378624019849L;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you help me to understand why this is specified?

Copy link
Contributor Author

@jzheaux jzheaux Aug 29, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deserialization of concrete implementations fails otherwise. With the inclusion of a default method, Java now treats it like an abstract class from a serialization perspective. From what I understand, any class, abstract or otherwise, should have a version id if it extends Serializable.

@jzheaux jzheaux force-pushed the authentication-builder branch from b48b10a to 41398f0 Compare August 29, 2025 20:28
jzheaux added 9 commits August 30, 2025 10:00
@jzheaux
Polish InteractiveAuthenticationSuccessEvent Sample
7e3bf96 
The sample better matches a value that would be used in the constructor

Issue spring-projectsgh-16276
@jzheaux
Merge branch '6.4.x' into 6.5.x
0ff9f10
@jzheaux
Replace InteractiveAuthenticationSuccessEvent 6.5.x Sample
c982753 
Given that 7e3bf96 changes
the InteractiveAuthenticationSuccessEvent serialization sample,
this commit syncs up the 6.5.x version to match.

Issue spring-projectsgh-16276
@jzheaux
Merge branch '6.5.x'
dc0ab4c
@jzheaux
Replace InteractiveAuthenticationSuccessEvent 7.0.x Sample
3534b74 
Given that 7e3bf96 changes
the InteractiveAuthenticationSuccessEvent serialization sample,
this commit syncs up the 7.0.x version to match.

Closes spring-projectsgh-16276
@jzheaux
Add Authentication.Builder
d956da5 
This commit adds a new default method to Authentication
for the purposes of creating a Builder based on the current
authentication, allowing other authentications to be
applied to it as a composite.

It also adds Builders for each one of the authentication
result classes.
@jzheaux
Propagate Previous Factor to Next One
4c72604 
This commit allows looking up the current authentication and applying
it to the latest authentication. This is specifically handy when
collecting authorities gained from each authentication factor.
@jzheaux
Pick Up SecurityContextHolderStrategy Bean
a28ab89 
This commit provides the SecurityContextHolderStrategy bean to
ProviderManager instances that the HttpSecurity DSL constructs.
@jzheaux
Polish Builders
921d7b2 
- Added remaining properties
- Removed apply method since Spring Security isn't using
it right now
- Made builders extensible since the authentications are
extensible
@jzheaux jzheaux force-pushed the authentication-builder branch from 31634e2 to 5e94df2 Compare September 2, 2025 21:27
@jzheaux jzheaux force-pushed the authentication-builder branch from 5e94df2 to 4d89979 Compare September 2, 2025 21:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rwinch rwinch rwinch requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jzheaux @rwinch