Skip to content

Explore introducing a hierarchy of factor authorities #17960

New issue
New issue
Open
Open
Explore introducing a hierarchy of factor authorities#17960
Labels
for: team-attentionThis ticket should be discussed as a team before proceedingin: coreAn issue in spring-security-coretype: enhancementA general enhancement
@jzheaux

Description

@jzheaux
jzheaux
opened on Sep 25, 2025

NOTE: This is a ticket that the Spring Security team is reviewing for inclusion. It's not considered ready to implement yet. When it is, this disclaimer will be removed and the title may change

LdapAuthenticationProvider, JaasAuthenticationProvider, and DaoAuthenticationProvider all issue FACTOR_PASSWORD as their factory authority.

This makes sense since that is the kind of credential that was used (a username and password), and this is typically what will be important when deciding level of authority.

There may be value, though, in specifically differentiating the type of authentication that was performed, and this information is available neither in the authority nor in the authentication type.

One way to address this would be to resolve authorities hierarchically, as is already done with roles. For example, LdapAuthenticationProvider could issue FACTOR_PASSWORD_LDAP, JaasAuthenticationProvider could issue FACTOR_PASSWORD_JAAS, and so on. Each of these would imply FACTOR_PASSWORD, allowing authorization rules to focus on the credential type.

Some places where this might be helpful are when similar credentials have differing security profiles. An example of this is with Bearer and DPoP tokens. For some requests, it may be valuable to indicate they require elevated security:

@EnableGlobalMultifactorAuthentication(authorities = { FACTOR_X509_AUTHORITY, FACTOR_BEARER_AUTHORITY })

// ...

@Bean
ThrowingCustomizer<HttpSecurity> sensitiveEndpoints() {
    return (http) -> http
        .authorizeHttpRequests((authorize) -> authorize
            .requestMatchers("/sensitive/endpoints/**").hasAuthority("FACTOR_BEARER_DPOP")
            .anyRequest().authenticated()
        );
}

Another example may be considering the subsystem that the user is registered in:

@Bean
ThrowingCustomizer<HttpSecurity> sensitiveEndpoints() {
    return (http) -> http
        .authorizeHttpRequests((authorize) -> authorize
            .requestMatchers("/appone/**").hasAuthority("FACTOR_PASSWORD_LDAP") 
            .anyRequest().authenticated()
        );
}

That is, only the users that are registered in LDAP may use this part of the application.

Metadata

Metadata

Assignees

No one assigned

    Labels

    for: team-attentionThis ticket should be discussed as a team before proceedingin: coreAn issue in spring-security-coretype: enhancementA general enhancement

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions