Update FormLogin + OTT Sample

Added time-sensitive endpoint
Updated to use new static authority values
Updated to use HttpSecurity customizers

Author: jzheaux

servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.adoc

@@ -36,9 +36,14 @@ Use this one-time token: 1319c31d-c5e0-4123-9b1f-3ffc34aba673
 ********************************************************
 ----
 
+=== Time-sensitive Endpoints
+
+Navigating to `/profile` is authorized if you have entered your password within the last five minutes.
+Otherwise, you are directed back to the login page.
+
 == Configuring
 
-There are three profiles in this sample; `default`, `custom-pages`, and `elevated-security`.
+There are two profiles in this sample: `default` and `custom-pages`.
 
 `default` is the arrangement described in <<usage>>.
 

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/example/CustomPagesSecurityConfig.java

@@ -0,0 +1,30 @@
+package example;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Configuration(proxyBeanMethods = false)
+@Controller
+@Profile("custom-pages")
+class FormLoginConfig {
+    static final String PATH = "/auth/password";
+
+    @GetMapping(PATH)
+    String auth() {
+        return "password";
+    }
+
+    @Bean
+    Customizer<HttpSecurity> formLogin() {
+        // @formatter:off
+        return (http) -> http
+            .authorizeHttpRequests((authz) -> authz.requestMatchers(PATH).permitAll())
+            .formLogin((form) -> form.loginPage(PATH));
+        // @formatter:on
+    }
+}

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/example/DefaultSecurityConfig.java

@@ -19,35 +19,29 @@
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.authorization.EnableGlobalMultiFactorAuthentication;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 
+import static org.springframework.security.core.authority.FactorGrantedAuthority.OTT_AUTHORITY;
+import static org.springframework.security.core.authority.FactorGrantedAuthority.PASSWORD_AUTHORITY;
+
 @SpringBootApplication
 public class FormLoginOttMfaApplication {
 
 	public static void main(String[] args) {
 		SpringApplication.run(FormLoginOttMfaApplication.class, args);
 	}
 
-	@Controller
-	static class AppController {
-		@GetMapping("/profile")
-		String profile() {
-			return "profile";
-		}
-	}
-
-	@Bean
-	UserDetailsService users() {
-		UserDetails user = User.withDefaultPasswordEncoder()
-			.username("user")
-			.password("password")
-			.authorities("app")
-			.build();
-		return new InMemoryUserDetailsManager(user);
-	}
+    @Controller
+    static class AppController {
+        @GetMapping("/profile")
+        String profile() {
+            return "profile";
+        }
+    }
 }

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/example/ElevatedSecurityPageSecurityConfig.java

@@ -0,0 +1,31 @@
+package example;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Configuration(proxyBeanMethods = false)
+@Controller
+@Profile("custom-pages")
+class OttLoginConfig {
+    static final String PATH = "/auth/ott";
+
+    @GetMapping(PATH)
+    String auth() {
+        return "ott";
+    }
+
+    @Bean
+    Customizer<HttpSecurity> ottLogin() {
+        // @formatter:off
+        return (http) -> http
+            .authorizeHttpRequests((authz) -> authz.requestMatchers(PATH).permitAll())
+            .oneTimeTokenLogin((ott) -> ott.loginPage(PATH));
+        // @formatter:on
+    }
+
+}