Add FormLogin + OTT MFA Sample

servlet/spring-boot/java/authentication/mfa/formLogin+ott/.gitignore

@@ -0,0 +1,37 @@
+HELP.md
+.gradle
+build/
+!gradle/wrapper/gradle-wrapper.jar
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+bin/
+!**/src/main/**/bin/
+!**/src/test/**/bin/
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+out/
+!**/src/main/**/out/
+!**/src/test/**/out/
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+
+### VS Code ###
+.vscode/

servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.adoc

@@ -0,0 +1,61 @@
+= Form Login + One-Time-Token Login MFA Sample
+
+This sample demonstrates Spring Security's support for multifactor authentication, specifically when using username/password and one-time-token as the two factors.
+
+[[usage]]
+== Usage
+
+To use the application, please run:
+
+[source,bash]
+----
+./gradlew :bootRun
+----
+
+You can then navigate to http://localhost:8080 where you will be presented with the default page, showing both the login and ott forms.
+
+You can start with either; once authenticated, you'll be asked to give the other as well.
+
+=== Username/Password Login
+
+The username/password is `user/password`.
+
+=== One-Time-Token Login
+
+The username is `user`.
+
+After clicking the submission button, you will be redirected to a page where you can enter the code given.
+You can find the code in the logs like so:
+
+[source,bash]
+----
+********************************************************
+
+Use this one-time token: 1319c31d-c5e0-4123-9b1f-3ffc34aba673
+
+********************************************************
+----
+
+== Configuring
+
+There are three profiles in this sample; `default`, `custom-pages`, and `elevated-security`.
+
+`default` is the arrangement described in <<usage>>.
+
+`custom-pages` shows the same, but with a custom page for login and a custom page for one-time-token.
+
+This can be launched with:
+
+[source,bash]
+----
+./gradlew :bootRun --args='spring.profiles.active=custom-pages'
+----
+
+`elevated-security` allows login with either, and will ask for one-time-token login for only the `/profile` page.
+
+This can be launched with:
+
+[source,bash]
+----
+./gradlew :bootRun --args='spring.profiles.active=elevated-security'
+----

servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle

@@ -0,0 +1,31 @@
+plugins {
+	id 'java'
+	alias(libs.plugins.io.spring.dependency.management)
+	alias(libs.plugins.org.springframework.boot)
+}
+
+java {
+	toolchain {
+		languageVersion = JavaLanguageVersion.of(17)
+	}
+}
+
+repositories {
+	mavenCentral()
+	maven { url "https://repo.spring.io/milestone" }
+	maven { url "https://repo.spring.io/snapshot" }
+}
+
+dependencies {
+	implementation 'org.springframework.boot:spring-boot-starter-security'
+	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
+	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6'
+	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+	testImplementation 'org.springframework.security:spring-security-test'
+	testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
+}
+
+tasks.named('test') {
+	useJUnitPlatform()
+}

servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle.properties

@@ -0,0 +1,4 @@
+version=6.1.1
+spring-security.version=7.0.0-SNAPSHOT
+org.gradle.jvmargs=-Xmx6g -XX:+HeapDumpOnOutOfMemoryError
+org.gradle.caching=true

servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/libs.versions.toml

@@ -0,0 +1 @@
+../../../../../../../gradle/libs.versions.toml

servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/wrapper/gradle-wrapper.properties

@@ -0,0 +1,7 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists

servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradlew

@@ -0,0 +1,249 @@
+#!/bin/sh
+
+#
+# Copyright © 2015-2021 the original authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+##############################################################################
+#
+#   Gradle start up script for POSIX generated by Gradle.
+#
+#   Important for running:
+#
+#   (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is
+#       noncompliant, but you have some other compliant shell such as ksh or
+#       bash, then to run this script, type that shell name before the whole
+#       command line, like:
+#
+#           ksh Gradle
+#
+#       Busybox and similar reduced shells will NOT work, because this script
+#       requires all of these POSIX shell features:
+#         * functions;
+#         * expansions «$var», «${var}», «${var:-default}», «${var+SET}»,
+#           «${var#prefix}», «${var%suffix}», and «$( cmd )»;
+#         * compound commands having a testable exit status, especially «case»;
+#         * various built-in commands including «command», «set», and «ulimit».
+#
+#   Important for patching:
+#
+#   (2) This script targets any POSIX shell, so it avoids extensions provided
+#       by Bash, Ksh, etc; in particular arrays are avoided.
+#
+#       The "traditional" practice of packing multiple parameters into a
+#       space-separated string is a well documented source of bugs and security
+#       problems, so this is (mostly) avoided, by progressively accumulating
+#       options in "$@", and eventually passing that to Java.
+#
+#       Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS,
+#       and GRADLE_OPTS) rely on word-splitting, this is performed explicitly;
+#       see the in-line comments for details.
+#
+#       There are tweaks for specific operating systems such as AIX, CygWin,
+#       Darwin, MinGW, and NonStop.
+#
+#   (3) This script is generated from the Groovy template
+#       https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       within the Gradle project.
+#
+#       You can find Gradle at https://github.com/gradle/gradle/.
+#
+##############################################################################
+
+# Attempt to set APP_HOME
+
+# Resolve links: $0 may be a link
+app_path=$0
+
+# Need this for daisy-chained symlinks.
+while
+    APP_HOME=${app_path%"${app_path##*/}"}  # leaves a trailing /; empty if no leading path
+    [ -h "$app_path" ]
+do
+    ls=$( ls -ld "$app_path" )
+    link=${ls#*' -> '}
+    case $link in             #(
+      /*)   app_path=$link ;; #(
+      *)    app_path=$APP_HOME$link ;;
+    esac
+done
+
+# This is normally unused
+# shellcheck disable=SC2034
+APP_BASE_NAME=${0##*/}
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
+
+# Use the maximum available, or set MAX_FD != -1 to use that value.
+MAX_FD=maximum
+
+warn () {
+    echo "$*"
+} >&2
+
+die () {
+    echo
+    echo "$*"
+    echo
+    exit 1
+} >&2
+
+# OS specific support (must be 'true' or 'false').
+cygwin=false
+msys=false
+darwin=false
+nonstop=false
+case "$( uname )" in                #(
+  CYGWIN* )         cygwin=true  ;; #(
+  Darwin* )         darwin=true  ;; #(
+  MSYS* | MINGW* )  msys=true    ;; #(
+  NONSTOP* )        nonstop=true ;;
+esac
+
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
+
+
+# Determine the Java command to use to start the JVM.
+if [ -n "$JAVA_HOME" ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+        # IBM's JDK on AIX uses strange locations for the executables
+        JAVACMD=$JAVA_HOME/jre/sh/java
+    else
+        JAVACMD=$JAVA_HOME/bin/java
+    fi
+    if [ ! -x "$JAVACMD" ] ; then
+        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+    fi
+else
+    JAVACMD=java
+    if ! command -v java >/dev/null 2>&1
+    then
+        die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+    fi
+fi
+
+# Increase the maximum file descriptors if we can.
+if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
+    case $MAX_FD in #(
+      max*)
+        # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
+        # shellcheck disable=SC2039,SC3045
+        MAX_FD=$( ulimit -H -n ) ||
+            warn "Could not query maximum file descriptor limit"
+    esac
+    case $MAX_FD in  #(
+      '' | soft) :;; #(
+      *)
+        # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
+        # shellcheck disable=SC2039,SC3045
+        ulimit -n "$MAX_FD" ||
+            warn "Could not set maximum file descriptor limit to $MAX_FD"
+    esac
+fi
+
+# Collect all arguments for the java command, stacking in reverse order:
+#   * args from the command line
+#   * the main class name
+#   * -classpath
+#   * -D...appname settings
+#   * --module-path (only if needed)
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables.
+
+# For Cygwin or MSYS, switch paths to Windows format before running java
+if "$cygwin" || "$msys" ; then
+    APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
+    CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
+
+    JAVACMD=$( cygpath --unix "$JAVACMD" )
+
+    # Now convert the arguments - kludge to limit ourselves to /bin/sh
+    for arg do
+        if
+            case $arg in                                #(
+              -*)   false ;;                            # don't mess with options #(
+              /?*)  t=${arg#/} t=/${t%%/*}              # looks like a POSIX filepath
+                    [ -e "$t" ] ;;                      #(
+              *)    false ;;
+            esac
+        then
+            arg=$( cygpath --path --ignore --mixed "$arg" )
+        fi
+        # Roll the args list around exactly as many times as the number of
+        # args, so each arg winds up back in the position where it started, but
+        # possibly modified.
+        #
+        # NB: a `for` loop captures its iteration list before it begins, so
+        # changing the positional parameters here affects neither the number of
+        # iterations, nor the values presented in `arg`.
+        shift                   # remove old arg
+        set -- "$@" "$arg"      # push replacement arg
+    done
+fi
+
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+
+# Collect all arguments for the java command:
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#     and any embedded shellness will be escaped.
+#   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
+#     treated as '${Hostname}' itself on the command line.
+
+set -- \
+        "-Dorg.gradle.appname=$APP_BASE_NAME" \
+        -classpath "$CLASSPATH" \
+        org.gradle.wrapper.GradleWrapperMain \
+        "$@"
+
+# Stop when "xargs" is not available.
+if ! command -v xargs >/dev/null 2>&1
+then
+    die "xargs is not available"
+fi
+
+# Use "xargs" to parse quoted args.
+#
+# With -n1 it outputs one arg per line, with the quotes and backslashes removed.
+#
+# In Bash we could simply go:
+#
+#   readarray ARGS < <( xargs -n1 <<<"$var" ) &&
+#   set -- "${ARGS[@]}" "$@"
+#
+# but POSIX shell has neither arrays nor command substitution, so instead we
+# post-process each arg (as a line of input to sed) to backslash-escape any
+# character that might be a shell metacharacter, then use eval to reverse
+# that process (while maintaining the separation between arguments), and wrap
+# the whole thing up as a single "set" statement.
+#
+# This will of course break if any of these variables contains a newline or
+# an unmatched quote.
+#
+
+eval "set -- $(
+        printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" |
+        xargs -n1 |
+        sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' |
+        tr '\n' ' '
+    )" '"$@"'
+
+exec "$JAVACMD" "$@"

servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradlew.bat

@@ -0,0 +1,92 @@
+@rem
+@rem Copyright 2015 the original author or authors.
+@rem
+@rem Licensed under the Apache License, Version 2.0 (the "License");
+@rem you may not use this file except in compliance with the License.
+@rem You may obtain a copy of the License at
+@rem
+@rem      https://www.apache.org/licenses/LICENSE-2.0
+@rem
+@rem Unless required by applicable law or agreed to in writing, software
+@rem distributed under the License is distributed on an "AS IS" BASIS,
+@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+@rem See the License for the specific language governing permissions and
+@rem limitations under the License.
+@rem
+
+@if "%DEBUG%"=="" @echo off
+@rem ##########################################################################
+@rem
+@rem  Gradle startup script for Windows
+@rem
+@rem ##########################################################################
+
+@rem Set local scope for the variables with windows NT shell
+if "%OS%"=="Windows_NT" setlocal
+
+set DIRNAME=%~dp0
+if "%DIRNAME%"=="" set DIRNAME=.
+@rem This is normally unused
+set APP_BASE_NAME=%~n0
+set APP_HOME=%DIRNAME%
+
+@rem Resolve any "." and ".." in APP_HOME to make it shorter.
+for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
+
+@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
+
+@rem Find java.exe
+if defined JAVA_HOME goto findJavaFromJavaHome
+
+set JAVA_EXE=java.exe
+%JAVA_EXE% -version >NUL 2>&1
+if %ERRORLEVEL% equ 0 goto execute
+
+echo. 1>&2
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
+
+goto fail
+
+:findJavaFromJavaHome
+set JAVA_HOME=%JAVA_HOME:"=%
+set JAVA_EXE=%JAVA_HOME%/bin/java.exe
+
+if exist "%JAVA_EXE%" goto execute
+
+echo. 1>&2
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
+
+goto fail
+
+:execute
+@rem Setup the command line
+
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
+
+
+@rem Execute Gradle
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
+
+:end
+@rem End local scope for the variables with windows NT shell
+if %ERRORLEVEL% equ 0 goto mainEnd
+
+:fail
+rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
+rem the _cmd.exe /c_ return code!
+set EXIT_CODE=%ERRORLEVEL%
+if %EXIT_CODE% equ 0 set EXIT_CODE=1
+if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
+exit /b %EXIT_CODE%
+
+:mainEnd
+if "%OS%"=="Windows_NT" endlocal
+
+:omega

servlet/spring-boot/java/authentication/mfa/formLogin+ott/settings.gradle

@@ -0,0 +1,8 @@
+pluginManagement {
+    repositories {
+        mavenCentral()
+        gradlePluginPortal()
+        maven { url 'https://repo.spring.io/milestone' }
+        maven { url "https://repo.spring.io/snapshot" }
+    }
+}

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/example/CustomPagesSecurityConfig.java

@@ -0,0 +1,44 @@
+package example;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.authorization.EnableGlobalMultiFactorAuthentication;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_OTT_AUTHORITY;
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY;
+
+@Profile("custom-pages")
+@Configuration(proxyBeanMethods = false)
+@EnableGlobalMultiFactorAuthentication(authorities = { FACTOR_PASSWORD_AUTHORITY, FACTOR_OTT_AUTHORITY })
+public class CustomPagesSecurityConfig {
+
+	@Controller
+	@Profile("custom-pages")
+	static class LoginController {
+		@GetMapping("/auth/{path}")
+		public String auth(@PathVariable("path") String path) {
+			return path;
+		}
+	}
+
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		// @formatter:off
+		http
+			.authorizeHttpRequests((authorize) -> authorize
+				.requestMatchers("/auth/**").permitAll()
+				.anyRequest().authenticated()
+			)
+			.formLogin((form) -> form.loginPage("/auth/password"))
+			.oneTimeTokenLogin((ott) -> ott.loginPage("/auth/ott"));
+		// @formatter:on
+		return http.build();
+	}
+
+}

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/example/DefaultSecurityConfig.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.authorization.AuthorizationManagerFactory;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.authorization.EnableGlobalMultiFactorAuthentication;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_OTT_AUTHORITY;
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY;
+
+@Profile("default")
+@Configuration(proxyBeanMethods = false)
+@EnableGlobalMultiFactorAuthentication(authorities = { FACTOR_PASSWORD_AUTHORITY, FACTOR_OTT_AUTHORITY })
+class DefaultSecurityConfig {
+
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		// @formatter:off
+		http
+			.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
+			.formLogin(Customizer.withDefaults())
+			.oneTimeTokenLogin(Customizer.withDefaults());
+		// @formatter:on
+		return http.build();
+	}
+
+}

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/example/ElevatedSecurityPageSecurityConfig.java

@@ -0,0 +1,41 @@
+package example;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+
+@Profile("elevated-security")
+@Configuration(proxyBeanMethods = false)
+public class ElevatedSecurityPageSecurityConfig {
+
+	@Controller
+	@Profile("elevated-security")
+	static class LoginController {
+		@GetMapping("/auth/{path}")
+		public String auth(@PathVariable("path") String path) {
+			return path;
+		}
+	}
+
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		// @formatter:off
+		http
+			.authorizeHttpRequests((authorize) -> authorize
+				.requestMatchers("/auth/**").permitAll()
+				.requestMatchers("/profile").hasAuthority("FACTOR_OTT")
+				.anyRequest().authenticated()
+			)
+			.formLogin((form) -> form.loginPage("/auth/password"))
+			.oneTimeTokenLogin((ott) -> ott.loginPage("/auth/ott"));
+
+		// @formatter:on
+		return http.build();
+	}
+
+}

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/example/FormLoginOttMfaApplication.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright 2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@SpringBootApplication
+public class FormLoginOttMfaApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(FormLoginOttMfaApplication.class, args);
+	}
+
+	@Controller
+	static class AppController {
+		@GetMapping("/profile")
+		String profile() {
+			return "profile";
+		}
+	}
+
+	@Bean
+	UserDetailsService users() {
+		UserDetails user = User.withDefaultPasswordEncoder()
+			.username("user")
+			.password("password")
+			.authorities("app")
+			.build();
+		return new InMemoryUserDetailsManager(user);
+	}
+}

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/example/LoggingOneTimeTokenGenerationSuccessHandler.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright 2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import java.io.IOException;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.security.authentication.ott.OneTimeToken;
+import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;
+import org.springframework.stereotype.Component;
+
+@Component
+public class LoggingOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
+
+	private static final String TOKEN_TEMPLATE = """
+		********************************************************
+		
+		Use this one-time token: %s
+		
+		********************************************************""";
+
+	private final Log logger = LogFactory.getLog(this.getClass());
+
+	@Override
+	public void handle(HttpServletRequest request, HttpServletResponse response, OneTimeToken oneTimeToken)
+			throws IOException {
+		this.logger.info(String.format(TOKEN_TEMPLATE, oneTimeToken.getTokenValue()));
+		response.sendRedirect("/login/ott");
+	}
+
+}

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml

@@ -0,0 +1 @@
+# logging.level.org.springframework.security: TRACE

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/static/css/default-ui.css

@@ -0,0 +1,172 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* General layout */
+body {
+    font-family: system-ui, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
+    background-color: #eee;
+    padding: 40px 0;
+    margin: 0;
+    line-height: 1.5;
+}
+
+h2 {
+    margin-top: 0;
+    margin-bottom: 0.5rem;
+    font-size: 2rem;
+    font-weight: 500;
+    line-height: 2rem;
+}
+
+.content {
+    margin-right: auto;
+    margin-left: auto;
+    padding-right: 15px;
+    padding-left: 15px;
+    width: 100%;
+    box-sizing: border-box;
+}
+
+@media (min-width: 800px) {
+    .content {
+        max-width: 760px;
+    }
+}
+
+.v-middle {
+    vertical-align: middle;
+}
+
+.center {
+    text-align: center;
+}
+
+.no-margin {
+    margin: 0;
+}
+
+/* Components */
+a,
+a:visited {
+    text-decoration: none;
+    color: #06f;
+}
+
+a:hover {
+    text-decoration: underline;
+    color: #003c97;
+}
+
+input[type="text"],
+input[type="password"] {
+    height: auto;
+    width: 100%;
+    font-size: 1rem;
+    padding: 0.5rem;
+    box-sizing: border-box;
+}
+
+button {
+    padding: 0.5rem 1rem;
+    font-size: 1.25rem;
+    line-height: 1.5;
+    border: none;
+    border-radius: 0.1rem;
+    width: 100%;
+    cursor: pointer;
+}
+
+button.primary {
+    color: #fff;
+    background-color: #06f;
+}
+
+button.small {
+    padding: .25rem .5rem;
+    font-size: .875rem;
+    line-height: 1.5;
+}
+
+.alert {
+    padding: 0.75rem 1rem;
+    margin-bottom: 1rem;
+    line-height: 1.5;
+    border-radius: 0.1rem;
+    width: 100%;
+    box-sizing: border-box;
+    border-width: 1px;
+    border-style: solid;
+}
+
+.alert.alert-danger {
+    color: #6b1922;
+    background-color: #f7d5d7;
+    border-color: #eab6bb;
+}
+
+.alert.alert-success {
+    color: #145222;
+    background-color: #d1f0d9;
+    border-color: #c2ebcb;
+}
+
+.screenreader {
+    position: absolute;
+    clip: rect(0 0 0 0);
+    height: 1px;
+    width: 1px;
+    padding: 0;
+    border: 0;
+    overflow: hidden;
+}
+
+table {
+    width: 100%;
+    max-width: 100%;
+    margin-bottom: 2rem;
+    border-collapse: collapse;
+}
+
+.table-striped th {
+    padding: .75rem;
+}
+
+.table-striped tr:nth-of-type(2n + 1) {
+    background-color: #e1e1e1;
+}
+
+.table-striped > thead > tr:first-child {
+    background-color: inherit;
+}
+
+td {
+    padding: 0.75rem;
+    vertical-align: top;
+}
+
+tr.v-middle > td {
+    vertical-align: middle;
+}
+
+/* Login / logout layouts */
+.login-form,
+.logout-form,
+.default-form {
+    max-width: 340px;
+    padding: 0 15px 15px 15px;
+    margin: 0 auto 2rem auto;
+    box-sizing: border-box;
+}

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/index.html

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org" xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity5">
+    <head>
+        <title>Hello Spring Security</title>
+        <meta charset="utf-8" />
+    </head>
+    <body>
+        <div th:fragment="logout" sec:authorize="isAuthenticated()">
+            Logged in user: <span sec:authentication="name"></span> |
+            Roles: <span sec:authentication="principal.authorities"></span>
+            <div>
+                <form action="#" th:action="@{/logout}" method="post">
+                    <input type="submit" value="Logout" />
+                </form>
+            </div>
+        </div>
+        <h1>Hello Spring Security</h1>
+        <p>This is a secured page</p>
+        <p>Visit the <a href="/profile">profile</a> page</p>
+    </body>
+</html>

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/ott.html

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html xmlns:th="https://www.thymeleaf.org" lang="en">
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <meta name="description" content="">
+    <meta name="author" content="">
+    <title>Please sign in</title>
+    <link href="/default-ui.css" rel="stylesheet" />
+</head>
+<body>
+<div class="content">
+    <form class="ott" method="post" th:action="@{/ott/generate}">
+        <h2>Please click below to send a one-time token</h2>
+
+        <p>
+            <label for="username" class="screenreader">Username</label>
+            <input type="text" id="username" name="username" th:value="${#authentication.name}" placeholder="Username" required autofocus>
+        </p>
+
+        <button type="submit" class="primary">Send Token</button>
+    </form>
+</div>
+</body>
+</html>

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/password.html

@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html xmlns:th="https://www.thymeleaf.org" lang="en">
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <meta name="description" content="">
+    <meta name="author" content="">
+    <title>Please sign in</title>
+    <link href="/default-ui.css" rel="stylesheet" />
+</head>
+<body>
+<div class="content">
+    <form class="login-form" method="post" th:action="@{/auth/password}">
+        <h2>Please sign in</h2>
+
+        <p>
+            <label for="username" class="screenreader">Username</label>
+            <input type="text" id="username" name="username" th:value="${username}" placeholder="Username" required autofocus>
+        </p>
+        <p>
+            <label for="password" class="screenreader">Password</label>
+            <input type="password" id="password" name="password" placeholder="Password" required>
+        </p>
+
+        <button type="submit" class="primary">Sign in</button>
+    </form>
+</div>
+</body>
+</html>

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/profile.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <meta name="description" content="">
+    <meta name="author" content="">
+    <title>Please sign in</title>
+    <link href="/default-ui.css" rel="stylesheet" />
+</head>
+<body>
+<div class="content">
+    <p>This is a page that requires elevated security</p>
+</div>
+</body>
+</html>

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/example/CustomPagesConfigTests.java

@@ -0,0 +1,55 @@
+package example;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_OTT_AUTHORITY;
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@SpringBootTest
+@AutoConfigureMockMvc
+@ActiveProfiles("custom-pages")
+class CustomPagesConfigTests {
+	@Autowired
+	private MockMvc mvc;
+
+	@Test
+	void indexWhenUnauthenticatedThenRedirectsToLogin() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("http://localhost/auth/password"));
+	}
+
+	@Test
+	@WithMockUser
+	void indexWhenAuthenticatedButNoFactorsThenRedirectsToLogin() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("http://localhost/auth/password?factor=password"));
+	}
+
+	@Test
+	@WithMockUser(authorities = FACTOR_OTT_AUTHORITY)
+	void indexWhenAuthenticatedWithX509ThenRedirectsToLogin() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("http://localhost/auth/password?factor=password"));
+	}
+
+	@Test
+	@WithMockUser(authorities = FACTOR_PASSWORD_AUTHORITY)
+	void indexWhenAuthenticatedWithPasswordThenRedirectsToOtt() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("http://localhost/auth/ott?factor=ott"));
+	}
+}

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/example/DefaultConfigTests.java

@@ -0,0 +1,55 @@
+package example;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_OTT_AUTHORITY;
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@SpringBootTest
+@AutoConfigureMockMvc
+@ActiveProfiles("default")
+class DefaultConfigTests {
+	@Autowired
+	private MockMvc mvc;
+
+	@Test
+	void indexWhenUnauthenticatedThenRedirectsToLogin() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("http://localhost/login"));
+	}
+
+	@Test
+	@WithMockUser
+	void indexWhenAuthenticatedButNoFactorsThenRedirectsToLogin() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("http://localhost/login?factor=password"));
+	}
+
+	@Test
+	@WithMockUser(authorities = FACTOR_OTT_AUTHORITY)
+	void indexWhenAuthenticatedWithX509ThenRedirectsToLogin() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("http://localhost/login?factor=password"));
+	}
+
+	@Test
+	@WithMockUser(authorities = FACTOR_PASSWORD_AUTHORITY)
+	void indexWhenAuthenticatedWithPasswordThenRedirectsToOtt() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("http://localhost/login?factor=ott"));
+	}
+}

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/example/ElevatedSecurityPageConfigTests.java

@@ -0,0 +1,67 @@
+package example;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_OTT_AUTHORITY;
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@SpringBootTest
+@AutoConfigureMockMvc
+@ActiveProfiles("elevated-security")
+class ElevatedSecurityPageConfigTests {
+	@Autowired
+	private MockMvc mvc;
+
+	@Test
+	void indexWhenUnauthenticatedThenRedirectsToLogin() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("http://localhost/auth/password"));
+	}
+
+	@Test
+	@WithMockUser
+	void indexWhenAuthenticatedButNoFactorsThenAllows() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().isOk());
+	}
+
+	@Test
+	@WithMockUser(authorities = FACTOR_OTT_AUTHORITY)
+	void indexWhenAuthenticatedWithOttThenAllows() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().isOk());
+	}
+
+	@Test
+	@WithMockUser(authorities = FACTOR_PASSWORD_AUTHORITY)
+	void indexWhenAuthenticatedWithPasswordThenAllows() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().isOk());
+	}
+
+	@Test
+	@WithMockUser(authorities = FACTOR_PASSWORD_AUTHORITY)
+	void profileWhenAuthenticatedWithPasswordThenRedirectsToOtt() throws Exception {
+		this.mvc.perform(get("/profile"))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("http://localhost/auth/ott?factor=ott"));
+	}
+
+	@Test
+	@WithMockUser(authorities = FACTOR_OTT_AUTHORITY)
+	void profileWhenAuthenticatedWithOttThenAllows() throws Exception {
+		this.mvc.perform(get("/profile"))
+			.andExpect(status().isOk());
+	}
+}

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/resources/application.yml

@@ -0,0 +1 @@
+

settings.gradle

@@ -52,6 +52,7 @@ include ":servlet:spring-boot:java:acl"
 include ":servlet:spring-boot:java:aot:data"
 include ":servlet:spring-boot:java:authentication:username-password:user-details-service:custom-user"
 include ":servlet:spring-boot:java:authentication:username-password:mfa"
+include ":servlet:spring-boot:java:authentication:mfa:formLogin+ott"
 include ":servlet:spring-boot:java:authentication:username-password:compromised-password-checker"
 include ":servlet:spring-boot:java:authentication:one-time-token:magic-link"
 include ":servlet:spring-boot:java:data"