WebAuthnAuthenticationFilter is not getting post-processed by EnableMfaFiltersPostProcessor #18128

@zyro23

Describe the bug
after enabling MFA with @EnableMultiFactorAuthentication, authentication filters configured by an AbstractAuthenticationFilterConfigurer as well as custom AbstractAuthenticationProcessingFilter beans are getting post-processed by EnableMfaFiltersPostProcessor#postProcessAfterInitialization, which means MFA is enabled for the filters via filter.setMfaEnabled(true).

however, that does not apply for WebAuthnAuthenticationFilter.

from a look at the code, the cause may be that WebAuthnConfigurer (which registers WebAuthnAuthenticationFilter) is neither extending AbstractAuthenticationFilterConfigurer nor invoking ObjectPostProcessor#postProcess(WebAuthnAuthenticationFilter) explicitly.

To Reproduce

  • enable MFA with @EnableMultiFactorAuthentication(authorities = {FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.WEBAUTHN_AUTHORITY})
  • use a passkey as a second factor
  • second-factor authentication succeeds but now password authentication is required again
    • that is because WebAuthnAuthenticationFilter.mfaEnabled is still false and so FACTOR_WEBAUTHN is not merged into the existing Authentication's authorities but replaces the existing FACTOR_PASSWORD, which then is required again

Expected behavior
second-factor login via passkey works, authorities are merged because mfa is enabled.

Sample

sample app will be referenced asap (using spring-security 7.0.0-RC2):

2025-11-04T08:06:03.930+01:00 DEBUG 24984 --- [demo] [nio-8080-exec-6] w.a.UsernamePasswordAuthenticationFilter : Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, CredentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=364246DC9443CCAD60A0C287200722CE], Granted Authorities=[ROLE_USER, FactorGrantedAuthority [authority=FACTOR_PASSWORD, issuedAt=2025-11-04T07:06:03.925050900Z]]]
2025-11-04T08:06:17.588+01:00 DEBUG 24984 --- [demo] [nio-8080-exec-1] o.s.s.w.w.a.WebAuthnAuthenticationFilter : Set SecurityContextHolder to WebAuthnAuthentication [Principal=org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity@6c33c6bc, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[FactorGrantedAuthority [authority=FACTOR_WEBAUTHN, issuedAt=2025-11-04T07:06:17.587178Z], ROLE_USER]]

thanks once again!
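A stopgap configuration for the behaviour described in this report, added here as an example and not taken from the report or from the Spring Security project: it builds the chain with form login and WebAuthn enabled, then walks the built filter list and flips MFA on for the WebAuthnAuthenticationFilter by hand, which is the step EnableMfaFiltersPostProcessor currently skips. It assumes the setMfaEnabled(boolean) setter named in the report, the 7.0.0-RC2 package locations of the MFA annotation and FactorGrantedAuthority, and constructed relying-party values (rpName, rpId, origin).

```java
import java.util.List;

import jakarta.servlet.Filter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableMultiFactorAuthentication;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.FactorGrantedAuthority;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter;

@Configuration
@EnableWebSecurity
// Same two-factor policy as the report: password first, then a passkey.
@EnableMultiFactorAuthentication(authorities = {
        FactorGrantedAuthority.PASSWORD_AUTHORITY,
        FactorGrantedAuthority.WEBAUTHN_AUTHORITY })
public class MfaWebAuthnSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .webAuthn((webAuthn) -> webAuthn
                .rpName("demo")                          // constructed sample values
                .rpId("localhost")
                .allowedOrigins("http://localhost:8080"));

        // Build first, then patch: WebAuthnConfigurer does not hand the filter to the
        // ObjectPostProcessor, so the MFA bean post-processor never sees it.
        DefaultSecurityFilterChain chain = http.build();
        enableMfaOnWebAuthnFilter(chain.getFilters());
        return chain;
    }

    // Enables MFA on every WebAuthnAuthenticationFilter in the chain and returns how many
    // were patched, so a startup check can fail loudly if the filter is missing.
    static int enableMfaOnWebAuthnFilter(List<Filter> filters) {
        int patched = 0;
        for (Filter filter : filters) {
            if (filter instanceof WebAuthnAuthenticationFilter webAuthnFilter) {
                webAuthnFilter.setMfaEnabled(true); // setter as named in the report (assumed)
                patched++;
            }
        }
        return patched;
    }
}
```

With the filter patched, a successful passkey login should add FACTOR_WEBAUTHN alongside FACTOR_PASSWORD instead of replacing it, which is the merged authority set the "Expected behavior" section asks for. Remove the workaround once the configurer post-processes the filter itself.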

Labels

in: config (An issue in spring-security-config), in: webauthn (WebAuthn and Passkeys), type: bug (A general bug)
