Explore configuring authentication mechs declared in EnableGlobalMultifactorAuthentication #17961

@jzheaux

NOTE: This is a ticket that the Spring Security team is reviewing for inclusion. It's not considered ready to implement yet. When it is, this disclaimer will be removed and the title may change.


Since authentication factors are strongly implied by the factor names, there may be value (possibly in conjunction with #17960) in configuring HttpSecurity with the mechanisms specified in the annotation.

For example,

@EnableGlobalMultifactorAuthentication(authorities = { FACTOR_X509_AUTHORITY, FACTOR_OTT_AUTHORITY })

strongly implies that

.x509(Customizer.withDefaults())
.oneTimeTokenLogin(Customizer.withDefaults())

will be needed.

It's not clear how much this buys since many mechanisms require additional beans like UserDetailsService and TokenGenerationSuccessHandler to be fully configured. The nice thing is that it removes the need to add this customizer to HttpSecurity.

Labels:

for: team-attention (This ticket should be discussed as a team before proceeding)
in: config (An issue in spring-security-config)
type: enhancement (A general enhancement)
