Make a foundation for multi-factor(step) authentication including WebAuthn

[ynojima]

This patch is to make a foundation for multi-factor(step) authentication including WebAuthn (#5238).

Changes

* no interface is changed

• Add MultifactorAuthenticationToken to represent a user in the middle of multi factor(step) authentication process
• Add MFATokenEvaluator/MFATokenEvaluatorImpl for Authentication type check
• Make ExceptionTranslationFilter, AuthenticationTrustResolverImpl, and HttpSessionSecurityContextRepository use MFATokenEvaluator to support multi-factor authentication
• Add MultiFactorAuthenticationProvider, which authenticates a user by delegating to another AuthenticationProvider and generates MultifactorAuthenticationToken

spring-security-webauthn is a concrete user facing code using this patch.
If possible, I'd like to send whole spring-security-webauthn as a pull-request to spring-security now, but
I understand the spring's backward compatibility policy, WebAuthn specification is still updated after the declaration of Candidate Recomendation phase, and browser implementation is still on going. It is not the time.

Meanwhile, spring-security-webauthn requires user feedbacks, and patching to spring-security core is a big roadblocks for users to try spring-security-webauthn.
I extracted minimal changes to spring-security core into this patch. and I suppose future changes to WebAuthn specification will not affect this.

[ynojima]

Hi @rwinch, just a gentle ping to see if this PR needs any more polish or anything.
Are you busy on releasing Spring Security 5.1?

[rwinch]

@ynojima Thanks for the nudge. Among other things, Spring Security 5.1 is taking a lot of my time. I have added reviewing this to my queue and will get back to you.

NOTE:

I have not looked over the code, but one thing that comes to mind is that I really look for to ensure that we provide a real feature to end users vs just infrastructure changes. This is especially true with large changes where it is hard to anticipate what the infrastructure change needs to be.

So if we have something that is providing a foundation for multifactor authentication, I want code that also can use that foundation in a real scenario ready to merge too. In these cases there will be more than one commit, but I will very rarely merge something that is large without seeing all the moving parts together. The reason is that we really want to ensure that all code is going to provide value to our end users.

[ynojima]

Thank you for your reply!

I want code that also can use that foundation in a real scenario ready to merge too.

spring-security-webauthn is a consumer of the foundation classes in a real scenario. It also has a sample application, but sad to say, it is not ready to be merged into spring-security as browser (ex. Chrome) WebAuthn implementation is still on going.
There is a room I need to change the behavior of spring-security-webauthn to fit for browser implementation, but I assume the foundation classes in this pull-request will not be affected.
These foundation classes are only used for FIDO-U2F token support, and FIDO-U2F token is already supported by WebAuthn implementation of Chrome, Firefox, and Edge, I've confirmed the foundation classes works with these browsers.

I don't mind if you don't merge this patch at this moment (I'll be more happy if you merge it :) ),
I really appriciate if you review the the direction of this patch and spring-security-webauthn again.

Thanks!

[ynojima]

As I opened a new pull-request #6842 with wider scopes (concrete use-case), I close this pull-request.