Move FACTOR_ constants to FactorGrantedAuthority

Previously GrantedAuthorities had an implicit package tangle because it
was located in ~.core and FactorGrantedAuthority is in ~.core.authority
and FactorGrantedAuthority's authority property was implicitly expected
to be constants found in `GrantedAuthorities`.

This commit moves the constants to the FactorGrantedAuthority which
resolves this tangle. It wasn't initially done because
FactorGrantedAuthority did not exist at that time.

Closes gh-18030

cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java

@@ -38,7 +38,6 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.cas.ServiceProperties;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
@@ -70,7 +69,7 @@ public class CasAuthenticationProvider implements AuthenticationProvider, Initia
 
 	private static final Log logger = LogFactory.getLog(CasAuthenticationProvider.class);
 
-	private static final String AUTHORITY = GrantedAuthorities.FACTOR_CAS_AUTHORITY;
+	private static final String AUTHORITY = FactorGrantedAuthority.CAS_AUTHORITY;
 
 	@SuppressWarnings("NullAway.Init")
 	private AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService;

cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java

@@ -33,8 +33,8 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.cas.ServiceProperties;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
 import org.springframework.security.core.userdetails.User;
@@ -361,7 +361,7 @@ public class CasAuthenticationProviderTests {
 		CasServiceTicketAuthenticationToken token = CasServiceTicketAuthenticationToken.stateful("ST-123");
 		token.setDetails("details");
 		Authentication result = cap.authenticate(token);
-		SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_CAS_AUTHORITY);
+		SecurityAssertions.assertThat(result).hasAuthority(FactorGrantedAuthority.CAS_AUTHORITY);
 	}
 
 	private class MockAuthoritiesPopulator implements AuthenticationUserDetailsService {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java

@@ -21,7 +21,7 @@ import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.ForwardAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.ForwardAuthenticationSuccessHandler;
@@ -237,7 +237,7 @@ public final class FormLoginConfigurer<H extends HttpSecurityBuilder<H>> extends
 			AuthenticationEntryPoint entryPoint = getAuthenticationEntryPoint();
 			RequestMatcher requestMatcher = getAuthenticationEntryPointMatcher(http);
 			exceptions.defaultDeniedHandlerForMissingAuthority((ep) -> ep.addEntryPointFor(entryPoint, requestMatcher),
-					GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY);
+					FactorGrantedAuthority.PASSWORD_AUTHORITY);
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java

@@ -28,7 +28,7 @@ import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
@@ -196,8 +196,7 @@ public final class HttpBasicConfigurer<B extends HttpSecurityBuilder<B>>
 		AuthenticationEntryPoint entryPoint = postProcess(this.authenticationEntryPoint);
 		exceptionHandling.defaultAuthenticationEntryPointFor(entryPoint, preferredMatcher);
 		exceptionHandling.defaultDeniedHandlerForMissingAuthority(
-				(ep) -> ep.addEntryPointFor(entryPoint, preferredMatcher),
-				GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY);
+				(ep) -> ep.addEntryPointFor(entryPoint, preferredMatcher), FactorGrantedAuthority.PASSWORD_AUTHORITY);
 	}
 
 	private void registerDefaultLogoutSuccessHandler(B http, RequestMatcher preferredMatcher) {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java

@@ -26,7 +26,7 @@ import org.springframework.context.ApplicationContext;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
@@ -159,7 +159,7 @@ public class WebAuthnConfigurer<H extends HttpSecurityBuilder<H>>
 		if (exceptions != null) {
 			AuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint("/login");
 			exceptions.defaultDeniedHandlerForMissingAuthority((ep) -> ep.defaultEntryPoint(entryPoint),
-					GrantedAuthorities.FACTOR_WEBAUTHN_AUTHORITY);
+					FactorGrantedAuthority.WEBAUTHN_AUTHORITY);
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java

@@ -25,8 +25,8 @@ import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
 import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -180,14 +180,14 @@ public final class X509Configurer<H extends HttpSecurityBuilder<H>>
 		PreAuthenticatedAuthenticationProvider authenticationProvider = new PreAuthenticatedAuthenticationProvider();
 		authenticationProvider.setPreAuthenticatedUserDetailsService(getAuthenticationUserDetailsService(http));
 		authenticationProvider.setGrantedAuthoritySupplier(
-				() -> AuthorityUtils.createAuthorityList(GrantedAuthorities.FACTOR_X509_AUTHORITY));
+				() -> AuthorityUtils.createAuthorityList(FactorGrantedAuthority.X509_AUTHORITY));
 		http.authenticationProvider(authenticationProvider)
 			.setSharedObject(AuthenticationEntryPoint.class, new Http403ForbiddenEntryPoint());
 		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptions != null) {
 			AuthenticationEntryPoint forbidden = new Http403ForbiddenEntryPoint();
 			exceptions.defaultDeniedHandlerForMissingAuthority((ep) -> ep.defaultEntryPoint(forbidden),
-					GrantedAuthorities.FACTOR_X509_AUTHORITY);
+					FactorGrantedAuthority.X509_AUTHORITY);
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java

@@ -45,7 +45,7 @@ import org.springframework.security.config.annotation.web.configurers.SessionMan
 import org.springframework.security.context.DelegatingApplicationListener;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.core.session.AbstractSessionEvent;
 import org.springframework.security.core.session.SessionDestroyedEvent;
@@ -568,7 +568,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 			RequestMatcher requestMatcher = getAuthenticationEntryPointMatcher(http);
 			exceptions.defaultDeniedHandlerForMissingAuthority(
 					(ep) -> ep.addEntryPointFor(loginEntryPoint, requestMatcher),
-					GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY);
+					FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY);
 		}
 		return loginEntryPoint;
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java

@@ -39,7 +39,7 @@ import org.springframework.security.config.annotation.web.configurers.CsrfConfig
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
@@ -357,7 +357,7 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 			exceptionHandling.defaultAuthenticationEntryPointFor(this.authenticationEntryPoint, preferredMatcher);
 			exceptionHandling.defaultDeniedHandlerForMissingAuthority(
 					(ep) -> ep.addEntryPointFor(this.authenticationEntryPoint, preferredMatcher),
-					GrantedAuthorities.FACTOR_BEARER_AUTHORITY);
+					FactorGrantedAuthority.BEARER_AUTHORITY);
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java

@@ -37,7 +37,7 @@ import org.springframework.security.config.annotation.web.configurers.AbstractAu
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.AuthenticationConverter;
@@ -142,7 +142,7 @@ public final class OneTimeTokenLoginConfigurer<H extends HttpSecurityBuilder<H>>
 			AuthenticationEntryPoint entryPoint = getAuthenticationEntryPoint();
 			RequestMatcher requestMatcher = getAuthenticationEntryPointMatcher(http);
 			exceptions.defaultDeniedHandlerForMissingAuthority((ep) -> ep.addEntryPointFor(entryPoint, requestMatcher),
-					GrantedAuthorities.FACTOR_OTT_AUTHORITY);
+					FactorGrantedAuthority.OTT_AUTHORITY);
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

@@ -35,7 +35,7 @@ import org.springframework.security.config.annotation.web.configurers.AbstractHt
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
 import org.springframework.security.saml2.provider.service.authentication.OpenSaml5AuthenticationProvider;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
@@ -355,7 +355,7 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 			RequestMatcher requestMatcher = getAuthenticationEntryPointMatcher(http);
 			exceptions.defaultDeniedHandlerForMissingAuthority(
 					(ep) -> ep.addEntryPointFor(loginEntryPoint, requestMatcher),
-					GrantedAuthorities.FACTOR_SAML_RESPONSE_AUTHORITY);
+					FactorGrantedAuthority.SAML_RESPONSE_AUTHORITY);
 		}
 		return loginEntryPoint;
 	}

config/src/test/java/org/springframework/security/config/annotation/authorization/EnableGlobalMultiFactorAuthenticationTests.java

@@ -27,7 +27,7 @@ import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.context.web.WebAppConfiguration;
@@ -57,8 +57,7 @@ public class EnableGlobalMultiFactorAuthenticationTests {
 	Service service;
 
 	@Test
-	@WithMockUser(
-			authorities = { GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY })
+	@WithMockUser(authorities = { FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY })
 	void webWhenAuthorized() throws Exception {
 		this.mvc.perform(get("/")).andExpect(status().isOk());
 	}
@@ -70,8 +69,7 @@ public class EnableGlobalMultiFactorAuthenticationTests {
 	}
 
 	@Test
-	@WithMockUser(
-			authorities = { GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY })
+	@WithMockUser(authorities = { FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY })
 	void methodWhenAuthorized() throws Exception {
 		Assertions.assertThatNoException().isThrownBy(() -> this.service.authenticated());
 	}
@@ -87,7 +85,7 @@ public class EnableGlobalMultiFactorAuthenticationTests {
 	@EnableMethodSecurity
 	@Configuration
 	@EnableGlobalMultiFactorAuthentication(
-			authorities = { GrantedAuthorities.FACTOR_OTT_AUTHORITY, GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY })
+			authorities = { FactorGrantedAuthority.OTT_AUTHORITY, FactorGrantedAuthority.PASSWORD_AUTHORITY })
 	static class Config {
 
 		@Bean

config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java

@@ -40,7 +40,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.config.users.AuthenticationTestConfiguration;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextChangedListener;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
@@ -417,20 +417,20 @@ public class FormLoginConfigurerTests {
 			.andExpect(status().is3xxRedirection())
 			.andExpect(redirectedUrl("/"));
 		user = PasswordEncodedUser.withUserDetails(user)
-			.authorities("profile:read", GrantedAuthorities.FACTOR_OTT_AUTHORITY)
+			.authorities("profile:read", FactorGrantedAuthority.OTT_AUTHORITY)
 			.build();
 		this.mockMvc.perform(get("/profile").with(user(user)))
 			.andExpect(status().is3xxRedirection())
 			.andExpect(redirectedUrl("http://localhost/login?factor.type=password&factor.reason=missing"));
 		user = PasswordEncodedUser.withUserDetails(user)
-			.authorities("profile:read", GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+			.authorities("profile:read", FactorGrantedAuthority.PASSWORD_AUTHORITY)
 			.build();
 		this.mockMvc.perform(get("/profile").with(user(user)))
 			.andExpect(status().is3xxRedirection())
 			.andExpect(redirectedUrl("http://localhost/login?factor.type=ott&factor.reason=missing"));
 		user = PasswordEncodedUser.withUserDetails(user)
-			.authorities("profile:read", GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-					GrantedAuthorities.FACTOR_OTT_AUTHORITY)
+			.authorities("profile:read", FactorGrantedAuthority.PASSWORD_AUTHORITY,
+					FactorGrantedAuthority.OTT_AUTHORITY)
 			.build();
 		this.mockMvc.perform(get("/profile").with(user(user))).andExpect(status().isNotFound());
 	}
@@ -453,8 +453,8 @@ public class FormLoginConfigurerTests {
 			.andExpect(status().is3xxRedirection())
 			.andExpect(redirectedUrl("/"));
 		UserDetails authorized = PasswordEncodedUser.withUsername("rod")
-			.authorities("profile:read", GrantedAuthorities.FACTOR_X509_AUTHORITY,
-					GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+			.authorities("profile:read", FactorGrantedAuthority.X509_AUTHORITY,
+					FactorGrantedAuthority.PASSWORD_AUTHORITY)
 			.build();
 		this.mockMvc.perform(get("/profile").with(user(authorized))).andExpect(status().isOk());
 	}
@@ -821,8 +821,8 @@ public class FormLoginConfigurerTests {
 
 		@Bean
 		AuthorizationManagerFactory<?> authz() {
-			return new AuthorizationManagerFactory<>(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-					GrantedAuthorities.FACTOR_OTT_AUTHORITY);
+			return new AuthorizationManagerFactory<>(FactorGrantedAuthority.PASSWORD_AUTHORITY,
+					FactorGrantedAuthority.OTT_AUTHORITY);
 		}
 
 	}
@@ -848,8 +848,8 @@ public class FormLoginConfigurerTests {
 
 		@Bean
 		AuthorizationManagerFactory<?> authz() {
-			return new AuthorizationManagerFactory<>(GrantedAuthorities.FACTOR_X509_AUTHORITY,
-					GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY);
+			return new AuthorizationManagerFactory<>(FactorGrantedAuthority.X509_AUTHORITY,
+					FactorGrantedAuthority.PASSWORD_AUTHORITY);
 		}
 
 	}

core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java

@@ -36,7 +36,6 @@ import org.springframework.security.authentication.LockedException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
@@ -100,7 +99,7 @@ public abstract class AbstractUserDetailsAuthenticationProvider
 
 	private GrantedAuthoritiesMapper authoritiesMapper = new NullAuthoritiesMapper();
 
-	private static final String AUTHORITY = GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY;
+	private static final String AUTHORITY = FactorGrantedAuthority.PASSWORD_AUTHORITY;
 
 	/**
 	 * Allows subclasses to perform any additional checks of a returned (or cached)

core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java

@@ -44,7 +44,6 @@ import org.springframework.security.authentication.jaas.event.JaasAuthentication
 import org.springframework.security.authentication.jaas.event.JaasAuthenticationSuccessEvent;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
@@ -122,7 +121,7 @@ import org.springframework.util.ObjectUtils;
 public abstract class AbstractJaasAuthenticationProvider implements AuthenticationProvider,
 		ApplicationEventPublisherAware, InitializingBean, ApplicationListener<SessionDestroyedEvent> {
 
-	private static final String AUTHORITY = GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY;
+	private static final String AUTHORITY = FactorGrantedAuthority.PASSWORD_AUTHORITY;
 
 	private ApplicationEventPublisher applicationEventPublisher = (event) -> {
 	};

core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java

@@ -23,7 +23,6 @@ import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -41,7 +40,7 @@ import org.springframework.util.Assert;
  */
 public final class OneTimeTokenAuthenticationProvider implements AuthenticationProvider {
 
-	private static final String AUTHORITY = GrantedAuthorities.FACTOR_OTT_AUTHORITY;
+	private static final String AUTHORITY = FactorGrantedAuthority.OTT_AUTHORITY;
 
 	private final OneTimeTokenService oneTimeTokenService;
 

core/src/main/java/org/springframework/security/core/GrantedAuthorities.java

@@ -1,78 +0,0 @@
-/*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.core;
-
-/**
- * Constants for {@link GrantedAuthority}.
- *
- * @author Rob Winch
- * @since 7.0
- */
-public final class GrantedAuthorities {
-
-	/**
-	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that OAuth2
-	 * Authorization Code was used to authenticate.
-	 */
-	public static final String FACTOR_AUTHORIZATION_CODE_AUTHORITY = "FACTOR_AUTHORIZATION_CODE";
-
-	/**
-	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that bearer
-	 * authentication was used to authenticate.
-	 */
-	public static final String FACTOR_BEARER_AUTHORITY = "FACTOR_BEARER";
-
-	/**
-	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that CAS was
-	 * used to authenticate.
-	 */
-	public static final String FACTOR_CAS_AUTHORITY = "FACTOR_CAS";
-
-	/**
-	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that one time
-	 * token was used to authenticate.
-	 */
-	public static final String FACTOR_OTT_AUTHORITY = "FACTOR_OTT";
-
-	/**
-	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that a password
-	 * was used to authenticate.
-	 */
-	public static final String FACTOR_PASSWORD_AUTHORITY = "FACTOR_PASSWORD";
-
-	/**
-	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that SAML was
-	 * used to authenticate.
-	 */
-	public static final String FACTOR_SAML_RESPONSE_AUTHORITY = "FACTOR_SAML_RESPONSE";
-
-	/**
-	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that WebAuthn
-	 * was used to authenticate.
-	 */
-	public static final String FACTOR_WEBAUTHN_AUTHORITY = "FACTOR_WEBAUTHN";
-
-	/**
-	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that X509 was
-	 * used to authenticate.
-	 */
-	public static final String FACTOR_X509_AUTHORITY = "FACTOR_X509";
-
-	private GrantedAuthorities() {
-	}
-
-}

core/src/main/java/org/springframework/security/core/authority/FactorGrantedAuthority.java

@@ -34,6 +34,54 @@ import org.springframework.util.Assert;
  */
 public final class FactorGrantedAuthority implements GrantedAuthority {
 
+	/**
+	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that OAuth2
+	 * Authorization Code was used to authenticate.
+	 */
+	public static final String AUTHORIZATION_CODE_AUTHORITY = "FACTOR_AUTHORIZATION_CODE";
+
+	/**
+	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that bearer
+	 * authentication was used to authenticate.
+	 */
+	public static final String BEARER_AUTHORITY = "FACTOR_BEARER";
+
+	/**
+	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that CAS was
+	 * used to authenticate.
+	 */
+	public static final String CAS_AUTHORITY = "FACTOR_CAS";
+
+	/**
+	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that one time
+	 * token was used to authenticate.
+	 */
+	public static final String OTT_AUTHORITY = "FACTOR_OTT";
+
+	/**
+	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that a password
+	 * was used to authenticate.
+	 */
+	public static final String PASSWORD_AUTHORITY = "FACTOR_PASSWORD";
+
+	/**
+	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that SAML was
+	 * used to authenticate.
+	 */
+	public static final String SAML_RESPONSE_AUTHORITY = "FACTOR_SAML_RESPONSE";
+
+	/**
+	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that WebAuthn
+	 * was used to authenticate.
+	 */
+	public static final String WEBAUTHN_AUTHORITY = "FACTOR_WEBAUTHN";
+
+	/**
+	 * The standard {@link GrantedAuthority#getAuthority()} that indicates that X509 was
+	 * used to authenticate.
+	 */
+	public static final String X509_AUTHORITY = "FACTOR_X509";
+
 	private static final long serialVersionUID = 1998010439847123984L;
 
 	private final String authority;

core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java

@@ -38,9 +38,9 @@ import org.springframework.security.authentication.password.CompromisedPasswordC
 import org.springframework.security.authentication.password.CompromisedPasswordDecision;
 import org.springframework.security.authentication.password.CompromisedPasswordException;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -512,7 +512,7 @@ public class DaoAuthenticationProviderTests {
 		DaoAuthenticationProvider provider = new DaoAuthenticationProvider(withUsers(user));
 		Authentication request = new UsernamePasswordAuthenticationToken("user", "password");
 		Authentication result = provider.authenticate(request);
-		SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY);
+		SecurityAssertions.assertThat(result).hasAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY);
 	}
 
 	private UserDetailsService withUsers(UserDetails... users) {

core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java

@@ -40,9 +40,9 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.session.SessionDestroyedEvent;
@@ -242,7 +242,7 @@ public class JaasAuthenticationProviderTests {
 	public void authenticateWhenSuccessThenIssuesFactor() {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password");
 		Authentication result = this.jaasProvider.authenticate(token);
-		SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY);
+		SecurityAssertions.assertThat(result).hasAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY);
 	}
 
 	private static class MockLoginContext extends LoginContext {

core/src/test/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProviderTests.java

@@ -28,7 +28,7 @@ import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
@@ -109,7 +109,7 @@ public class OneTimeTokenAuthenticationProviderTests {
 		OneTimeTokenAuthenticationToken token = new OneTimeTokenAuthenticationToken(TOKEN);
 
 		Authentication authentication = this.provider.authenticate(token);
-		SecurityAssertions.assertThat(authentication).hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY);
+		SecurityAssertions.assertThat(authentication).hasAuthority(FactorGrantedAuthority.OTT_AUTHORITY);
 	}
 
 	@Test

core/src/test/java/org/springframework/security/authorization/AllFactorsAuthorizationManagerTests.java

@@ -26,7 +26,6 @@ import org.junit.jupiter.api.Test;
 
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -43,11 +42,11 @@ class AllFactorsAuthorizationManagerTests {
 	private static final Object DOES_NOT_MATTER = new Object();
 
 	private static RequiredFactor REQUIRED_PASSWORD = RequiredFactor
-		.withAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+		.withAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY)
 		.build();
 
 	private static RequiredFactor EXPIRING_PASSWORD = RequiredFactor
-		.withAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+		.withAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY)
 		.validDuration(Duration.ofHours(1))
 		.build();
 
@@ -67,10 +66,10 @@ class AllFactorsAuthorizationManagerTests {
 	@Test
 	void authorizeWhenConsumerGranted() {
 		AllFactorsAuthorizationManager<Object> allFactors = AllFactorsAuthorizationManager.builder()
-			.requiredFactor((required) -> required.authority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY))
+			.requiredFactor((required) -> required.authority(FactorGrantedAuthority.PASSWORD_AUTHORITY))
 			.build();
 		FactorGrantedAuthority passwordFactor = FactorGrantedAuthority
-			.withAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+			.withAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY)
 			.issuedAt(Instant.now())
 			.build();
 		Authentication authentication = new TestingAuthenticationToken("user", "password", passwordFactor);
@@ -171,7 +170,7 @@ class AllFactorsAuthorizationManagerTests {
 		Duration expiresIn = Duration.ofHours(1);
 		Instant justExpired = now.minus(expiresIn);
 		Clock clock = Clock.fixed(now, ZoneId.systemDefault());
-		RequiredFactor expiringPassword = RequiredFactor.withAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+		RequiredFactor expiringPassword = RequiredFactor.withAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY)
 			.validDuration(expiresIn)
 			.build();
 		AllFactorsAuthorizationManager<Object> allFactors = AllFactorsAuthorizationManager.builder()
@@ -193,7 +192,7 @@ class AllFactorsAuthorizationManagerTests {
 		Duration expiresIn = Duration.ofHours(1);
 		Instant justExpired = now.minus(expiresIn).plus(Duration.ofNanos(1));
 		Clock clock = Clock.fixed(now, ZoneId.systemDefault());
-		RequiredFactor expiringPassword = RequiredFactor.withAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+		RequiredFactor expiringPassword = RequiredFactor.withAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY)
 			.validDuration(expiresIn)
 			.build();
 		AllFactorsAuthorizationManager<Object> allFactors = AllFactorsAuthorizationManager.builder()

core/src/test/java/org/springframework/security/authorization/FactorAuthorizationDecisionTests.java

@@ -21,7 +21,7 @@ import java.util.List;
 
 import org.junit.jupiter.api.Test;
 
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
@@ -42,7 +42,7 @@ class FactorAuthorizationDecisionTests {
 
 	@Test
 	void isGrantedWhenNotEmptyThenFalse() {
-		RequiredFactor requiredPassword = RequiredFactor.withAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+		RequiredFactor requiredPassword = RequiredFactor.withAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY)
 			.build();
 		RequiredFactorError missingPassword = RequiredFactorError.createMissing(requiredPassword);
 		FactorAuthorizationDecision decision = new FactorAuthorizationDecision(List.of(missingPassword));
@@ -51,7 +51,7 @@ class FactorAuthorizationDecisionTests {
 
 	@Test
 	void getFactorErrors() {
-		RequiredFactor requiredPassword = RequiredFactor.withAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+		RequiredFactor requiredPassword = RequiredFactor.withAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY)
 			.build();
 		RequiredFactorError missingPassword = RequiredFactorError.createMissing(requiredPassword);
 		List<RequiredFactorError> factorErrors = List.of(missingPassword);
@@ -67,7 +67,7 @@ class FactorAuthorizationDecisionTests {
 
 	@Test
 	void constructorWhenContainsNullThenThrowIllegalArgumentException() {
-		RequiredFactor requiredPassword = RequiredFactor.withAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+		RequiredFactor requiredPassword = RequiredFactor.withAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY)
 			.build();
 		RequiredFactorError missingPassword = RequiredFactorError.createMissing(requiredPassword);
 		List<RequiredFactorError> hasNullValue = Arrays.asList(missingPassword, null);

core/src/test/java/org/springframework/security/authorization/MapRequiredAuthoritiesRepositoryTests.java

@@ -20,7 +20,7 @@ import java.util.List;
 
 import org.junit.jupiter.api.Test;
 
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
@@ -37,16 +37,16 @@ class MapRequiredAuthoritiesRepositoryTests {
 
 	private String username = "user";
 
-	private List<String> authorities = List.of(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-			GrantedAuthorities.FACTOR_OTT_AUTHORITY);
+	private List<String> authorities = List.of(FactorGrantedAuthority.PASSWORD_AUTHORITY,
+			FactorGrantedAuthority.OTT_AUTHORITY);
 
 	@Test
 	void workflow() {
 		this.repository.saveRequiredAuthorities(this.username, this.authorities);
 		assertThat(this.repository.findRequiredAuthorities(this.username))
 			.containsExactlyInAnyOrderElementsOf(this.authorities);
-		List<String> otherAuthorities = List.of(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-				GrantedAuthorities.FACTOR_WEBAUTHN_AUTHORITY);
+		List<String> otherAuthorities = List.of(FactorGrantedAuthority.PASSWORD_AUTHORITY,
+				FactorGrantedAuthority.WEBAUTHN_AUTHORITY);
 		this.repository.saveRequiredAuthorities(this.username, otherAuthorities);
 		assertThat(this.repository.findRequiredAuthorities(this.username))
 			.containsExactlyInAnyOrderElementsOf(otherAuthorities);

core/src/test/java/org/springframework/security/authorization/RequiredFactorErrorTests.java

@@ -20,7 +20,7 @@ import java.time.Duration;
 
 import org.junit.jupiter.api.Test;
 
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
@@ -34,7 +34,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
 class RequiredFactorErrorTests {
 
 	public static final RequiredFactor REQUIRED_FACTOR = RequiredFactor
-		.withAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+		.withAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY)
 		.validDuration(Duration.ofHours(1))
 		.build();
 
@@ -56,7 +56,7 @@ class RequiredFactorErrorTests {
 
 	@Test
 	void createExpiredWhenNullValidDurationThenIllegalArgumentException() {
-		RequiredFactor requiredPassword = RequiredFactor.withAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+		RequiredFactor requiredPassword = RequiredFactor.withAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY)
 			.build();
 		assertThatIllegalArgumentException().isThrownBy(() -> RequiredFactorError.createExpired(requiredPassword));
 	}

core/src/test/java/org/springframework/security/authorization/RequiredFactorTests.java

@@ -20,7 +20,7 @@ import java.time.Duration;
 
 import org.junit.jupiter.api.Test;
 
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
@@ -41,19 +41,19 @@ class RequiredFactorTests {
 
 	@Test
 	void withAuthorityThenEquals() {
-		RequiredFactor requiredPassword = RequiredFactor.withAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+		RequiredFactor requiredPassword = RequiredFactor.withAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY)
 			.build();
-		assertThat(requiredPassword.getAuthority()).isEqualTo(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY);
+		assertThat(requiredPassword.getAuthority()).isEqualTo(FactorGrantedAuthority.PASSWORD_AUTHORITY);
 		assertThat(requiredPassword.getValidDuration()).isNull();
 	}
 
 	@Test
 	void builderValidDurationThenEquals() {
 		Duration validDuration = Duration.ofMinutes(1);
-		RequiredFactor requiredPassword = RequiredFactor.withAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+		RequiredFactor requiredPassword = RequiredFactor.withAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY)
 			.validDuration(validDuration)
 			.build();
-		assertThat(requiredPassword.getAuthority()).isEqualTo(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY);
+		assertThat(requiredPassword.getAuthority()).isEqualTo(FactorGrantedAuthority.PASSWORD_AUTHORITY);
 		assertThat(requiredPassword.getValidDuration()).isEqualTo(validDuration);
 	}
 

docs/modules/ROOT/pages/servlet/authentication/mfa.adoc

@@ -11,8 +11,8 @@ OWASP places factors into the following categories:
 
 == `FactorGrantedAuthority`
 
-At the time of authentication, Spring Security's authentication mechanisms add a javadoc:org.springframework.security.core.authority.FactorGrantedAuthority[] using the constants found in javadoc:org.springframework.security.core.GrantedAuthorities[].
-For example, when a user authenticates using a password a `FactorGrantedAuthority` with the `authority` of `GrantedAuthorities.FACTOR_PASSWORD` is automatically added to the `Authentiation`.
+At the time of authentication, Spring Security's authentication mechanisms add a javadoc:org.springframework.security.core.authority.FactorGrantedAuthority[].
+For example, when a user authenticates using a password a `FactorGrantedAuthority` with the `authority` of `FactorGrantedAuthority.PASSWORD_AUTHORITY` is automatically added to the `Authentiation`.
 In order to require MFA with Spring Security you must:
 
 - Specify an authorization rule that requires multiple factors

docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/AuthorizationManagerFactoryTests.java

@@ -22,7 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -52,7 +52,7 @@ public class AuthorizationManagerFactoryTests {
 	MockMvc mockMvc;
 
 	@Test
-	@WithMockUser(authorities = { GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY })
+	@WithMockUser(authorities = { FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY })
 	void getWhenAuthenticatedWithPasswordAndOttThenPermits() throws Exception {
 		this.spring.register(UseAuthorizationManagerFactoryConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off
@@ -63,7 +63,7 @@ public class AuthorizationManagerFactoryTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+	@WithMockUser(authorities = FactorGrantedAuthority.PASSWORD_AUTHORITY)
 	void getWhenAuthenticatedWithPasswordThenRedirectsToOtt() throws Exception {
 		this.spring.register(UseAuthorizationManagerFactoryConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off
@@ -74,7 +74,7 @@ public class AuthorizationManagerFactoryTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = GrantedAuthorities.FACTOR_OTT_AUTHORITY)
+	@WithMockUser(authorities = FactorGrantedAuthority.OTT_AUTHORITY)
 	void getWhenAuthenticatedWithOttThenRedirectsToPassword() throws Exception {
 		this.spring.register(UseAuthorizationManagerFactoryConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off

docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.java

@@ -7,7 +7,7 @@ import org.springframework.security.authorization.DefaultAuthorizationManagerFac
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -40,8 +40,8 @@ class UseAuthorizationManagerFactoryConfiguration {
 	AuthorizationManagerFactory<Object> authz() {
 		return DefaultAuthorizationManagerFactory.builder()
 			.requireAdditionalAuthorities(
-				GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-				GrantedAuthorities.FACTOR_OTT_AUTHORITY
+				FactorGrantedAuthority.PASSWORD_AUTHORITY,
+				FactorGrantedAuthority.OTT_AUTHORITY
 			)
 			.build();
 	}

docs/src/test/java/org/springframework/security/docs/servlet/authentication/egmfa/EnableGlobalMultiFactorAuthenticationConfiguration.java

@@ -6,7 +6,7 @@ import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.authorization.EnableGlobalMultiFactorAuthentication;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -18,8 +18,8 @@ import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenG
 @Configuration(proxyBeanMethods = false)
 // tag::enable-global-mfa[]
 @EnableGlobalMultiFactorAuthentication(authorities = {
-	GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-	GrantedAuthorities.FACTOR_OTT_AUTHORITY })
+	FactorGrantedAuthority.PASSWORD_AUTHORITY,
+	FactorGrantedAuthority.OTT_AUTHORITY })
 // end::enable-global-mfa[]
 public class EnableGlobalMultiFactorAuthenticationConfiguration {
 

docs/src/test/java/org/springframework/security/docs/servlet/authentication/egmfa/EnableGlobalMultiFactorAuthenticationTests.java

@@ -22,7 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -52,7 +52,7 @@ public class EnableGlobalMultiFactorAuthenticationTests {
 	MockMvc mockMvc;
 
 	@Test
-	@WithMockUser(authorities = { GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY, "ROLE_USER" })
+	@WithMockUser(authorities = { FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY, "ROLE_USER" })
 	void getWhenAuthenticatedWithPasswordAndOttThenPermits() throws Exception {
 		this.spring.register(EnableGlobalMultiFactorAuthenticationConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off
@@ -63,7 +63,7 @@ public class EnableGlobalMultiFactorAuthenticationTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+	@WithMockUser(authorities = FactorGrantedAuthority.PASSWORD_AUTHORITY)
 	void getWhenAuthenticatedWithPasswordThenRedirectsToOtt() throws Exception {
 		this.spring.register(EnableGlobalMultiFactorAuthenticationConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off
@@ -74,7 +74,7 @@ public class EnableGlobalMultiFactorAuthenticationTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = GrantedAuthorities.FACTOR_OTT_AUTHORITY)
+	@WithMockUser(authorities = FactorGrantedAuthority.OTT_AUTHORITY)
 	void getWhenAuthenticatedWithOttThenRedirectsToPassword() throws Exception {
 		this.spring.register(EnableGlobalMultiFactorAuthenticationConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off

docs/src/test/java/org/springframework/security/docs/servlet/authentication/hasallauthorities/ListAuthoritiesConfiguration.java

@@ -5,7 +5,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -25,8 +25,8 @@ class ListAuthoritiesConfiguration {
 			.authorizeHttpRequests((authorize) -> authorize
 				// <1>
 				.anyRequest().hasAllAuthorities(
-					GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-					GrantedAuthorities.FACTOR_OTT_AUTHORITY
+					FactorGrantedAuthority.PASSWORD_AUTHORITY,
+					FactorGrantedAuthority.OTT_AUTHORITY
 				)
 			)
 			// <2>

docs/src/test/java/org/springframework/security/docs/servlet/authentication/hasallauthorities/MultiFactorAuthenticationTests.java

@@ -22,7 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -52,7 +52,7 @@ public class MultiFactorAuthenticationTests {
 	MockMvc mockMvc;
 
 	@Test
-	@WithMockUser(authorities = { GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY })
+	@WithMockUser(authorities = { FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY })
 	void getWhenAuthenticatedWithPasswordAndOttThenPermits() throws Exception {
 		this.spring.register(ListAuthoritiesConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off
@@ -63,7 +63,7 @@ public class MultiFactorAuthenticationTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+	@WithMockUser(authorities = FactorGrantedAuthority.PASSWORD_AUTHORITY)
 	void getWhenAuthenticatedWithPasswordThenRedirectsToOtt() throws Exception {
 		this.spring.register(ListAuthoritiesConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off
@@ -74,7 +74,7 @@ public class MultiFactorAuthenticationTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = GrantedAuthorities.FACTOR_OTT_AUTHORITY)
+	@WithMockUser(authorities = FactorGrantedAuthority.OTT_AUTHORITY)
 	void getWhenAuthenticatedWithOttThenRedirectsToPassword() throws Exception {
 		this.spring.register(ListAuthoritiesConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off

docs/src/test/java/org/springframework/security/docs/servlet/authentication/hasallauthorities/MultipleAuthorizationRulesConfiguration.java

@@ -21,7 +21,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -42,14 +42,14 @@ public class MultipleAuthorizationRulesConfiguration {
 				// <1>
 				.requestMatchers("/admin/**").hasAllAuthorities(
 					"ROLE_ADMIN",
-					GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-					GrantedAuthorities.FACTOR_OTT_AUTHORITY
+					FactorGrantedAuthority.PASSWORD_AUTHORITY,
+					FactorGrantedAuthority.OTT_AUTHORITY
 				)
 				// <2>
 				.anyRequest().hasAllAuthorities(
 					"ROLE_USER",
-					GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-					GrantedAuthorities.FACTOR_OTT_AUTHORITY
+					FactorGrantedAuthority.PASSWORD_AUTHORITY,
+					FactorGrantedAuthority.OTT_AUTHORITY
 				)
 			)
 			// <3>

docs/src/test/java/org/springframework/security/docs/servlet/authentication/hasallauthorities/MultipleAuthorizationRulesConfigurationTests.java

@@ -22,7 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -52,7 +52,7 @@ public class MultipleAuthorizationRulesConfigurationTests {
 	MockMvc mockMvc;
 
 	@Test
-	@WithMockUser(authorities = { GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY, "ROLE_USER" })
+	@WithMockUser(authorities = { FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY, "ROLE_USER" })
 	void getWhenAuthenticatedWithPasswordAndOttThenPermits() throws Exception {
 		this.spring.register(MultipleAuthorizationRulesConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off
@@ -63,7 +63,7 @@ public class MultipleAuthorizationRulesConfigurationTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+	@WithMockUser(authorities = FactorGrantedAuthority.PASSWORD_AUTHORITY)
 	void getWhenAuthenticatedWithPasswordThenRedirectsToOtt() throws Exception {
 		this.spring.register(MultipleAuthorizationRulesConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off
@@ -74,7 +74,7 @@ public class MultipleAuthorizationRulesConfigurationTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = GrantedAuthorities.FACTOR_OTT_AUTHORITY)
+	@WithMockUser(authorities = FactorGrantedAuthority.OTT_AUTHORITY)
 	void getWhenAuthenticatedWithOttThenRedirectsToPassword() throws Exception {
 		this.spring.register(MultipleAuthorizationRulesConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off

docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.java

@@ -14,7 +14,7 @@ import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
@@ -49,7 +49,7 @@ class MissingAuthorityConfiguration {
 	@Bean
 	AuthorizationManagerFactory<Object> authz() {
 		return DefaultAuthorizationManagerFactory.builder()
-				.requireAdditionalAuthorities(GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY)
+				.requireAdditionalAuthorities(FactorGrantedAuthority.X509_AUTHORITY, FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY)
 				.build();
 	}
 	// end::authorizationManagerFactoryBean[]

docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/ObtainingMoreAuthorizationTests.java

@@ -22,7 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -62,7 +62,7 @@ public class ObtainingMoreAuthorizationTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = { GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY })
+	@WithMockUser(authorities = { FactorGrantedAuthority.X509_AUTHORITY, FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY })
 	void profileWhenMissingAuthorityConfigurationThenRedirectsToAuthorizationServer() throws Exception {
 		this.spring.register(MissingAuthorityConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off
@@ -83,7 +83,7 @@ public class ObtainingMoreAuthorizationTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = { GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY, "SCOPE_profile:read" })
+	@WithMockUser(authorities = { FactorGrantedAuthority.X509_AUTHORITY, FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY, "SCOPE_profile:read" })
 	void profileWhenAuthenticatedAndHasScopeThenPermits() throws Exception {
 		this.spring.register(MissingAuthorityConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off

docs/src/test/java/org/springframework/security/docs/servlet/authentication/programmaticmfa/AdminMfaAuthorizationManagerConfiguration.java

@@ -16,7 +16,7 @@ import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -52,8 +52,8 @@ class AdminMfaAuthorizationManagerConfiguration {
 			if ("admin".equals(authentication.get().getName())) {
 				AuthorizationManager<Object> admins =
 					AllAuthoritiesAuthorizationManager.hasAllAuthorities(
-						GrantedAuthorities.FACTOR_OTT_AUTHORITY,
-						GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY
+						FactorGrantedAuthority.OTT_AUTHORITY,
+						FactorGrantedAuthority.PASSWORD_AUTHORITY
 					);
 				// <1>
 				return admins.authorize(authentication, context);

docs/src/test/java/org/springframework/security/docs/servlet/authentication/programmaticmfa/AdminMfaAuthorizationManagerConfigurationTests.java

@@ -22,7 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -74,7 +74,7 @@ public class AdminMfaAuthorizationManagerConfigurationTests {
 	}
 
 	@Test
-	@WithMockUser(username = "admin", authorities = { GrantedAuthorities.FACTOR_OTT_AUTHORITY, GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY })
+	@WithMockUser(username = "admin", authorities = { FactorGrantedAuthority.OTT_AUTHORITY, FactorGrantedAuthority.PASSWORD_AUTHORITY })
 	void getWhenAdminAndHasFactorThenAllows() throws Exception {
 		this.spring.register(AdminMfaAuthorizationManagerConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off

docs/src/test/java/org/springframework/security/docs/servlet/authentication/raammfa/RequiredAuthoritiesAuthorizationManagerConfiguration.java

@@ -11,7 +11,7 @@ import org.springframework.security.authorization.RequiredAuthoritiesAuthorizati
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -44,8 +44,8 @@ class RequiredAuthoritiesAuthorizationManagerConfiguration {
 		// <1>
 		MapRequiredAuthoritiesRepository authorities = new MapRequiredAuthoritiesRepository();
 		authorities.saveRequiredAuthorities("admin", List.of(
-			GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-			GrantedAuthorities.FACTOR_OTT_AUTHORITY)
+			FactorGrantedAuthority.PASSWORD_AUTHORITY,
+			FactorGrantedAuthority.OTT_AUTHORITY)
 		);
 		// <2>
 		return new RequiredAuthoritiesAuthorizationManager<>(authorities);

docs/src/test/java/org/springframework/security/docs/servlet/authentication/raammfa/RequiredAuthoritiesAuthorizationManagerConfigurationTests.java

@@ -22,7 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -74,7 +74,7 @@ public class RequiredAuthoritiesAuthorizationManagerConfigurationTests {
 	}
 
 	@Test
-	@WithMockUser(username = "admin", authorities = { GrantedAuthorities.FACTOR_OTT_AUTHORITY, GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY })
+	@WithMockUser(username = "admin", authorities = { FactorGrantedAuthority.OTT_AUTHORITY, FactorGrantedAuthority.PASSWORD_AUTHORITY })
 	void getWhenAdminAndHasFactorThenAllows() throws Exception {
 		this.spring.register(AdminMfaAuthorizationManagerConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off

docs/src/test/java/org/springframework/security/docs/servlet/authentication/reauthentication/ReauthenticationTests.java

@@ -22,7 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -74,7 +74,7 @@ public class ReauthenticationTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = GrantedAuthorities.FACTOR_OTT_AUTHORITY)
+	@WithMockUser(authorities = FactorGrantedAuthority.OTT_AUTHORITY)
 	void ottWhenRequireOttConfigurationThenAllows() throws Exception {
 		this.spring.register(RequireOttConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off

docs/src/test/java/org/springframework/security/docs/servlet/authentication/reauthentication/RequireOttConfiguration.java

@@ -5,7 +5,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -23,7 +23,7 @@ public class RequireOttConfiguration {
 		// @formatter:off
 		http
 			.authorizeHttpRequests((authorize) -> authorize
-				.requestMatchers("/profile/**").hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY) // <1>
+				.requestMatchers("/profile/**").hasAuthority(FactorGrantedAuthority.OTT_AUTHORITY) // <1>
 				.anyRequest().authenticated()
 			)
 			.formLogin(Customizer.withDefaults())

docs/src/test/java/org/springframework/security/docs/servlet/authentication/selectivemfa/SelectiveMfaConfiguration.java

@@ -7,7 +7,7 @@ import org.springframework.security.authorization.DefaultAuthorizationManagerFac
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -27,8 +27,8 @@ class SelectiveMfaConfiguration {
 		AuthorizationManagerFactory<Object> mfa =
 			DefaultAuthorizationManagerFactory.<Object>builder()
 				.requireAdditionalAuthorities(
-					GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-					GrantedAuthorities.FACTOR_OTT_AUTHORITY
+					FactorGrantedAuthority.PASSWORD_AUTHORITY,
+					FactorGrantedAuthority.OTT_AUTHORITY
 				)
 				.build();
 		http

docs/src/test/java/org/springframework/security/docs/servlet/authentication/selectivemfa/SelectiveMfaConfigurationTests.java

@@ -22,7 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -53,7 +53,7 @@ public class SelectiveMfaConfigurationTests {
 	MockMvc mockMvc;
 
 	@Test
-	@WithMockUser(authorities = { GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, "ROLE_ADMIN" })
+	@WithMockUser(authorities = { FactorGrantedAuthority.PASSWORD_AUTHORITY, "ROLE_ADMIN" })
 	void adminWhenMissingOttThenRequired() throws Exception {
 		this.spring.register(SelectiveMfaConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off
@@ -64,7 +64,7 @@ public class SelectiveMfaConfigurationTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = { GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY, "ROLE_ADMIN" })
+	@WithMockUser(authorities = { FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY, "ROLE_ADMIN" })
 	void adminWhenMfaThenAllowed() throws Exception {
 		this.spring.register(SelectiveMfaConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off
@@ -75,7 +75,7 @@ public class SelectiveMfaConfigurationTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = { GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, "ROLE_ADMIN" })
+	@WithMockUser(authorities = { FactorGrantedAuthority.PASSWORD_AUTHORITY, "ROLE_ADMIN" })
 	void userSettingsRequiresMfa() throws Exception {
 		this.spring.register(SelectiveMfaConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off
@@ -86,7 +86,7 @@ public class SelectiveMfaConfigurationTests {
 	}
 
 	@Test
-	@WithMockUser(authorities = { GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, "ROLE_USER" })
+	@WithMockUser(authorities = { FactorGrantedAuthority.PASSWORD_AUTHORITY, "ROLE_USER" })
 	void userSettingsWhenMissingOttThenRequired() throws Exception {
 		this.spring.register(SelectiveMfaConfiguration.class, Http200Controller.class).autowire();
 		// @formatter:off

docs/src/test/java/org/springframework/security/docs/servlet/authentication/servletauthenticationauthentication/CopyAuthoritiesTests.java

@@ -8,8 +8,8 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthentication;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 import static org.mockito.ArgumentMatchers.any;
@@ -20,10 +20,10 @@ public class CopyAuthoritiesTests {
 	@Test
 	void toBuilderWhenApplyThenCopies() {
 		UsernamePasswordAuthenticationToken previous = new UsernamePasswordAuthenticationToken("alice", "pass",
-				AuthorityUtils.createAuthorityList(	GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY));
+				AuthorityUtils.createAuthorityList(	FactorGrantedAuthority.PASSWORD_AUTHORITY));
 		SecurityContextHolder.getContext().setAuthentication(previous);
 		Authentication latest = new OneTimeTokenAuthentication("bob",
-				AuthorityUtils.createAuthorityList(GrantedAuthorities.FACTOR_OTT_AUTHORITY));
+				AuthorityUtils.createAuthorityList(FactorGrantedAuthority.OTT_AUTHORITY));
 		AuthenticationManager authenticationManager = mock(AuthenticationManager.class);
 		given(authenticationManager.authenticate(any())).willReturn(latest);
 		Authentication authenticationRequest = new TestingAuthenticationToken("user", "pass");
@@ -36,7 +36,8 @@ public class CopyAuthoritiesTests {
 					.build();
 		}
 		// end::springSecurity[]
-		SecurityAssertions.assertThat(lastestResult).hasAuthorities(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY);
+		SecurityAssertions.assertThat(lastestResult).hasAuthorities(
+				FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY);
 		SecurityContextHolder.clearContext();
 	}
 }

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/AuthorizationManagerFactoryTests.kt

@@ -20,7 +20,7 @@ import org.junit.jupiter.api.extension.ExtendWith
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.config.test.SpringTestContext
 import org.springframework.security.config.test.SpringTestContextExtension
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.test.context.support.WithMockUser
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener
 import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers
@@ -47,7 +47,7 @@ class AuthorizationManagerFactoryTests {
     var mockMvc: MockMvc? = null
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY])
+    @WithMockUser(authorities = [FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY])
     @Throws(Exception::class)
     fun getWhenAuthenticatedWithPasswordAndOttThenPermits() {
         this.spring.register(UseAuthorizationManagerFactoryConfiguration::class.java, Http200Controller::class.java)
@@ -60,7 +60,7 @@ class AuthorizationManagerFactoryTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY])
+    @WithMockUser(authorities = [FactorGrantedAuthority.PASSWORD_AUTHORITY])
     @Throws(Exception::class)
     fun getWhenAuthenticatedWithPasswordThenRedirectsToOtt() {
         this.spring.register(UseAuthorizationManagerFactoryConfiguration::class.java, Http200Controller::class.java)
@@ -73,7 +73,7 @@ class AuthorizationManagerFactoryTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_OTT_AUTHORITY])
+    @WithMockUser(authorities = [FactorGrantedAuthority.OTT_AUTHORITY])
     @Throws(Exception::class)
     fun getWhenAuthenticatedWithOttThenRedirectsToPassword() {
         this.spring.register(UseAuthorizationManagerFactoryConfiguration::class.java, Http200Controller::class.java)

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.kt

@@ -7,7 +7,7 @@ import org.springframework.security.authorization.DefaultAuthorizationManagerFac
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.invoke
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
@@ -40,8 +40,8 @@ internal class UseAuthorizationManagerFactoryConfiguration {
     fun authz(): AuthorizationManagerFactory<Object> {
         return DefaultAuthorizationManagerFactory.builder<Object>()
             .requireAdditionalAuthorities(
-                GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-                GrantedAuthorities.FACTOR_OTT_AUTHORITY
+                FactorGrantedAuthority.PASSWORD_AUTHORITY,
+                FactorGrantedAuthority.OTT_AUTHORITY
             )
             .build()
     }

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/egmfa/EnableGlobalMultiFactorAuthenticationConfiguration.kt

@@ -6,7 +6,7 @@ import org.springframework.security.config.annotation.authorization.EnableGlobal
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.invoke
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
@@ -19,8 +19,8 @@ import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenG
 
 // tag::enable-global-mfa[]
 @EnableGlobalMultiFactorAuthentication( authorities = [
-    GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-    GrantedAuthorities.FACTOR_OTT_AUTHORITY])
+    FactorGrantedAuthority.PASSWORD_AUTHORITY,
+    FactorGrantedAuthority.OTT_AUTHORITY])
 // end::enable-global-mfa[]
 internal class EnableGlobalMultiFactorAuthenticationConfiguration {
 

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/egmfa/EnableGlobalMultiFactorAuthenticationConfigurationTests.kt

@@ -20,7 +20,7 @@ import org.junit.jupiter.api.extension.ExtendWith
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.config.test.SpringTestContext
 import org.springframework.security.config.test.SpringTestContextExtension
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.test.context.support.WithMockUser
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener
 import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers
@@ -47,7 +47,7 @@ class EnableGlobalMultiFactorAuthenticationConfigurationTests {
     var mockMvc: MockMvc? = null
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY, "ROLE_ADMIN"])
+    @WithMockUser(authorities = [FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY, "ROLE_ADMIN"])
     @Throws(Exception::class)
     fun getWhenAuthenticatedWithPasswordAndOttThenPermits() {
         this.spring.register(EnableGlobalMultiFactorAuthenticationConfiguration::class.java, Http200Controller::class.java).autowire()
@@ -59,7 +59,7 @@ class EnableGlobalMultiFactorAuthenticationConfigurationTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY])
+    @WithMockUser(authorities = [FactorGrantedAuthority.PASSWORD_AUTHORITY])
     @Throws(Exception::class)
     fun getWhenAuthenticatedWithPasswordThenRedirectsToOtt() {
         this.spring.register(EnableGlobalMultiFactorAuthenticationConfiguration::class.java, Http200Controller::class.java).autowire()
@@ -71,7 +71,7 @@ class EnableGlobalMultiFactorAuthenticationConfigurationTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_OTT_AUTHORITY])
+    @WithMockUser(authorities = [FactorGrantedAuthority.OTT_AUTHORITY])
     @Throws(Exception::class)
     fun getWhenAuthenticatedWithOttThenRedirectsToPassword() {
         this.spring.register(EnableGlobalMultiFactorAuthenticationConfiguration::class.java, Http200Controller::class.java).autowire()

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/hasallauthorities/ListAuthoritiesConfiguration.kt

@@ -5,7 +5,7 @@ import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.invoke
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
@@ -25,8 +25,8 @@ internal class ListAuthoritiesConfiguration {
             authorizeHttpRequests {
                 // <1>
                 authorize(anyRequest, hasAllAuthorities(
-                    GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-                    GrantedAuthorities.FACTOR_OTT_AUTHORITY
+                    FactorGrantedAuthority.PASSWORD_AUTHORITY,
+                    FactorGrantedAuthority.OTT_AUTHORITY
                 ))
             }
             // <2>

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/hasallauthorities/MultiFactorAuthenticationTests.kt

@@ -20,7 +20,7 @@ import org.junit.jupiter.api.extension.ExtendWith
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.config.test.SpringTestContext
 import org.springframework.security.config.test.SpringTestContextExtension
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.test.context.support.WithMockUser
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener
 import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers
@@ -47,7 +47,7 @@ class MultiFactorAuthenticationTests {
     var mockMvc: MockMvc? = null
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY])
+    @WithMockUser(authorities = [FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY])
     @Throws(Exception::class)
     fun getWhenAuthenticatedWithPasswordAndOttThenPermits() {
         this.spring.register(ListAuthoritiesConfiguration::class.java, Http200Controller::class.java).autowire()
@@ -59,7 +59,7 @@ class MultiFactorAuthenticationTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY])
+    @WithMockUser(authorities = [FactorGrantedAuthority.PASSWORD_AUTHORITY])
     @Throws(Exception::class)
     fun getWhenAuthenticatedWithPasswordThenRedirectsToOtt() {
         this.spring.register(ListAuthoritiesConfiguration::class.java, Http200Controller::class.java).autowire()
@@ -71,7 +71,7 @@ class MultiFactorAuthenticationTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_OTT_AUTHORITY])
+    @WithMockUser(authorities = [FactorGrantedAuthority.OTT_AUTHORITY])
     @Throws(Exception::class)
     fun getWhenAuthenticatedWithOttThenRedirectsToPassword() {
         this.spring.register(ListAuthoritiesConfiguration::class.java, Http200Controller::class.java).autowire()

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/hasallauthorities/MultipleAuthorizationRulesConfiguration.kt

@@ -5,7 +5,7 @@ import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.invoke
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
@@ -26,14 +26,14 @@ internal class MultipleAuthorizationRulesConfiguration {
                 // <1>
                 authorize("/admin/**", hasAllAuthorities(
                     "ROLE_ADMIN",
-                    GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-                    GrantedAuthorities.FACTOR_OTT_AUTHORITY
+                    FactorGrantedAuthority.PASSWORD_AUTHORITY,
+                    FactorGrantedAuthority.OTT_AUTHORITY
                 ))
                 // <2>
                 authorize(anyRequest, hasAllAuthorities(
                     "ROLE_USER",
-                    GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-                    GrantedAuthorities.FACTOR_OTT_AUTHORITY
+                    FactorGrantedAuthority.PASSWORD_AUTHORITY,
+                    FactorGrantedAuthority.OTT_AUTHORITY
                 ))
             }
             // <3>

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/hasallauthorities/MultipleAuthorizationRulesConfigurationTests.kt

@@ -20,7 +20,7 @@ import org.junit.jupiter.api.extension.ExtendWith
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.config.test.SpringTestContext
 import org.springframework.security.config.test.SpringTestContextExtension
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.test.context.support.WithMockUser
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener
 import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers
@@ -47,7 +47,7 @@ class MultipleAuthorizationRulesConfigurationTests {
     var mockMvc: MockMvc? = null
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY, "ROLE_USER"])
+    @WithMockUser(authorities = [FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY, "ROLE_USER"])
     @Throws(Exception::class)
     fun getWhenAuthenticatedWithPasswordAndOttThenPermits() {
         this.spring.register(MultipleAuthorizationRulesConfiguration::class.java, Http200Controller::class.java).autowire()
@@ -59,7 +59,7 @@ class MultipleAuthorizationRulesConfigurationTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY])
+    @WithMockUser(authorities = [FactorGrantedAuthority.PASSWORD_AUTHORITY])
     @Throws(Exception::class)
     fun getWhenAuthenticatedWithPasswordThenRedirectsToOtt() {
         this.spring.register(MultipleAuthorizationRulesConfiguration::class.java, Http200Controller::class.java).autowire()
@@ -71,7 +71,7 @@ class MultipleAuthorizationRulesConfigurationTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_OTT_AUTHORITY])
+    @WithMockUser(authorities = [FactorGrantedAuthority.OTT_AUTHORITY])
     @Throws(Exception::class)
     fun getWhenAuthenticatedWithOttThenRedirectsToPassword() {
         this.spring.register(MultipleAuthorizationRulesConfiguration::class.java, Http200Controller::class.java).autowire()

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.kt

@@ -11,7 +11,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer
 import org.springframework.security.config.annotation.web.invoke
 import org.springframework.security.core.AuthenticationException
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository
 import org.springframework.security.oauth2.client.registration.TestClientRegistrations
@@ -55,7 +55,10 @@ internal class MissingAuthorityConfiguration {
     @Bean
     fun authz(): AuthorizationManagerFactory<Object> {
         return DefaultAuthorizationManagerFactory.builder<Object>()
-                .requireAdditionalAuthorities(GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY)
+                .requireAdditionalAuthorities(
+                    FactorGrantedAuthority.X509_AUTHORITY,
+                    FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY
+                )
                 .build()
     }
     // end::authorizationManagerFactoryBean[]

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/ObtainingMoreAuthorizationTests.kt

@@ -20,7 +20,7 @@ import org.junit.jupiter.api.extension.ExtendWith
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.config.test.SpringTestContext
 import org.springframework.security.config.test.SpringTestContextExtension
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.docs.servlet.authentication.obtainingmoreauthorization.ScopeConfiguration
 import org.springframework.security.test.context.support.WithMockUser
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener
@@ -59,7 +59,7 @@ class ObtainingMoreAuthorizationTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY])
+    @WithMockUser(authorities = [FactorGrantedAuthority.X509_AUTHORITY, FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY])
     @Throws(Exception::class)
     fun profileWhenMissingAuthorityConfigurationThenRedirectsToAuthorizationServer() {
         this.spring.register(MissingAuthorityConfiguration::class.java, Http200Controller::class.java).autowire()
@@ -82,7 +82,7 @@ class ObtainingMoreAuthorizationTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY, "SCOPE_profile:read"])
+    @WithMockUser(authorities = [FactorGrantedAuthority.X509_AUTHORITY, FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY, "SCOPE_profile:read"])
     @Throws(
         Exception::class
     )

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/programmaticmfa/AdminMfaAuthorizationManagerConfiguration.kt

@@ -7,7 +7,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.invoke
 import org.springframework.security.core.Authentication
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.core.userdetails.PasswordEncodedUser
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
@@ -27,7 +27,9 @@ internal class AdminMfaAuthorizationManagerConfiguration {
         // @formatter:off
         http {
             authorizeHttpRequests {
+                // <1>
                 authorize("/admin/**", hasRole("ADMIN"))
+                // <2>
                 authorize(anyRequest, authenticated)
             }
             formLogin { }
@@ -46,9 +48,8 @@ internal class AdminMfaAuthorizationManagerConfiguration {
             return if ("admin" == authentication.get().name) {
                 var admins =
                     AllAuthoritiesAuthorizationManager.hasAllAuthorities<Any>(
-                        GrantedAuthorities.FACTOR_OTT_AUTHORITY,
-                        GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY
-                    )
+                        FactorGrantedAuthority.OTT_AUTHORITY,
+                        FactorGrantedAuthority.PASSWORD_AUTHORITY)
                 // <1>
                 admins.authorize(authentication, context)
             } else {

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/programmaticmfa/AdminMfaAuthorizationManagerConfigurationTests.kt

@@ -20,7 +20,7 @@ import org.junit.jupiter.api.extension.ExtendWith
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.config.test.SpringTestContext
 import org.springframework.security.config.test.SpringTestContextExtension
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.test.context.support.WithMockUser
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener
 import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated
@@ -73,7 +73,7 @@ class AdminMfaAuthorizationManagerConfigurationTests {
 
     @Test
     @Throws(Exception::class)
-    @WithMockUser(username = "admin", authorities = [GrantedAuthorities.FACTOR_OTT_AUTHORITY, GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY ])
+    @WithMockUser(username = "admin", authorities = [FactorGrantedAuthority.OTT_AUTHORITY, FactorGrantedAuthority.PASSWORD_AUTHORITY])
     fun getWhenAdminAndHasFactorThenAllows() {
         this.spring.register(AdminMfaAuthorizationManagerConfiguration::class.java, Http200Controller::class.java).autowire()
         // @formatter:off

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/raammfa/RequiredAuthoritiesAuthorizationManagerConfiguration.kt

@@ -9,7 +9,7 @@ import org.springframework.security.authorization.RequiredAuthoritiesAuthorizati
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.invoke
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.core.userdetails.PasswordEncodedUser
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
@@ -44,8 +44,8 @@ internal class RequiredAuthoritiesAuthorizationManagerConfiguration {
         // <1>
         val authorities = MapRequiredAuthoritiesRepository()
         authorities.saveRequiredAuthorities("admin", List.of(
-            GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-            GrantedAuthorities.FACTOR_OTT_AUTHORITY)
+            FactorGrantedAuthority.PASSWORD_AUTHORITY,
+            FactorGrantedAuthority.OTT_AUTHORITY)
         )
         // <2>
         return RequiredAuthoritiesAuthorizationManager(authorities)

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/raammfa/RequiredAuthoritiesAuthorizationManagerConfigurationTests.kt

@@ -20,7 +20,7 @@ import org.junit.jupiter.api.extension.ExtendWith
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.config.test.SpringTestContext
 import org.springframework.security.config.test.SpringTestContextExtension
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.test.context.support.WithMockUser
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener
 import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers
@@ -75,7 +75,7 @@ class RequiredAuthoritiesAuthorizationManagerConfigurationTests {
     @Test
     @WithMockUser(
         username = "admin",
-        authorities = [GrantedAuthorities.FACTOR_OTT_AUTHORITY, GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY]
+        authorities = [FactorGrantedAuthority.OTT_AUTHORITY, FactorGrantedAuthority.PASSWORD_AUTHORITY]
     )
     @Throws(
         Exception::class

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/reauthentication/ReauthenticationTests.kt

@@ -20,7 +20,7 @@ import org.junit.jupiter.api.extension.ExtendWith
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.config.test.SpringTestContext
 import org.springframework.security.config.test.SpringTestContextExtension
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.docs.servlet.authentication.reauthentication.RequireOttConfiguration
 import org.springframework.security.docs.servlet.authentication.reauthentication.SimpleConfiguration
 import org.springframework.security.test.context.support.WithMockUser
@@ -73,7 +73,7 @@ class ReauthenticationTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_OTT_AUTHORITY])
+    @WithMockUser(authorities = [FactorGrantedAuthority.OTT_AUTHORITY])
     @Throws(Exception::class)
     fun ottWhenRequireOttConfigurationThenAllows() {
         this.spring.register(RequireOttConfiguration::class.java, Http200Controller::class.java).autowire()

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/reauthentication/RequireOttConfiguration.kt

@@ -5,7 +5,7 @@ import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.invoke
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
@@ -23,7 +23,7 @@ class RequireOttConfiguration {
         // @formatter:off
         http {
             authorizeHttpRequests {
-                authorize("/profile/**", hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY)) // <1>
+                authorize("/profile/**", hasAuthority(FactorGrantedAuthority.OTT_AUTHORITY)) // <1>
                 authorize(anyRequest, authenticated)
             }
             formLogin { }

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/selectivemfa/SelectiveMfaConfiguration.kt

@@ -7,7 +7,7 @@ import org.springframework.security.authorization.DefaultAuthorizationManagerFac
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.invoke
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
@@ -27,8 +27,8 @@ internal class SelectiveMfaConfiguration {
         val mfa: AuthorizationManagerFactory<Any> =
             DefaultAuthorizationManagerFactory.builder<Any>()
                 .requireAdditionalAuthorities(
-        GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
-                    GrantedAuthorities.FACTOR_OTT_AUTHORITY
+                    FactorGrantedAuthority.PASSWORD_AUTHORITY,
+                    FactorGrantedAuthority.OTT_AUTHORITY
                 )
                 .build()
         http {

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/selectivemfa/SelectiveMfaConfigurationTests.kt

@@ -20,7 +20,7 @@ import org.junit.jupiter.api.extension.ExtendWith
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.config.test.SpringTestContext
 import org.springframework.security.config.test.SpringTestContextExtension
-import org.springframework.security.core.GrantedAuthorities
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.test.context.support.WithMockUser
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener
 import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers
@@ -47,7 +47,7 @@ class SelectiveMfaConfigurationTests {
     var mockMvc: MockMvc? = null
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, "ROLE_ADMIN"])
+    @WithMockUser(authorities = [FactorGrantedAuthority.PASSWORD_AUTHORITY, "ROLE_ADMIN"])
     @Throws(Exception::class)
     fun adminWhenMissingOttThenRequired() {
         this.spring.register(
@@ -61,7 +61,7 @@ class SelectiveMfaConfigurationTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY, "ROLE_ADMIN"])
+    @WithMockUser(authorities = [FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY, "ROLE_ADMIN"])
     @Throws(
         Exception::class
     )
@@ -77,7 +77,7 @@ class SelectiveMfaConfigurationTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, "ROLE_ADMIN"])
+    @WithMockUser(authorities = [FactorGrantedAuthority.PASSWORD_AUTHORITY, "ROLE_ADMIN"])
     @Throws(Exception::class)
     fun userSettingsRequiresMfa() {
         this.spring.register(
@@ -91,7 +91,7 @@ class SelectiveMfaConfigurationTests {
     }
 
     @Test
-    @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, "ROLE_USER"])
+    @WithMockUser(authorities = [FactorGrantedAuthority.PASSWORD_AUTHORITY, "ROLE_USER"])
     @Throws(Exception::class)
     fun userSettingsWhenMissingOttThenRequired() {
         this.spring.register(

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/servletauthenticationauthentication/CopyAuthoritiesTests.kt

@@ -10,18 +10,18 @@ import org.springframework.security.authentication.TestingAuthenticationToken
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
 import org.springframework.security.authentication.ott.OneTimeTokenAuthentication
 import org.springframework.security.core.Authentication
-import org.springframework.security.core.GrantedAuthorities
 import org.springframework.security.core.authority.AuthorityUtils
+import org.springframework.security.core.authority.FactorGrantedAuthority
 import org.springframework.security.core.context.SecurityContextHolder
 
 class CopyAuthoritiesTests {
     @Test
     fun toBuilderWhenApplyThenCopies() {
         val previous: Authentication = UsernamePasswordAuthenticationToken("alice", "pass",
-            AuthorityUtils.createAuthorityList(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY))
+            AuthorityUtils.createAuthorityList(FactorGrantedAuthority.PASSWORD_AUTHORITY))
         SecurityContextHolder.getContext().authentication = previous
         var latest: Authentication = OneTimeTokenAuthentication("bob",
-            AuthorityUtils.createAuthorityList(GrantedAuthorities.FACTOR_OTT_AUTHORITY))
+            AuthorityUtils.createAuthorityList(FactorGrantedAuthority.OTT_AUTHORITY))
         val authenticationManager: AuthenticationManager = Mockito.mock(AuthenticationManager::class.java)
         BDDMockito.given(authenticationManager.authenticate(ArgumentMatchers.any())).willReturn(latest)
         val authenticationRequest: Authentication = TestingAuthenticationToken("user", "pass")
@@ -34,7 +34,10 @@ class CopyAuthoritiesTests {
             }.build()
         }
         // end::springSecurity[]
-        SecurityAssertions.assertThat(latestResult).hasAuthorities(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY)
+        SecurityAssertions.assertThat(latestResult).hasAuthorities(
+            FactorGrantedAuthority.PASSWORD_AUTHORITY,
+            FactorGrantedAuthority.OTT_AUTHORITY
+        )
         SecurityContextHolder.clearContext()
     }
 }

ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java

@@ -32,7 +32,6 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
@@ -53,7 +52,7 @@ import org.springframework.util.StringUtils;
  */
 public abstract class AbstractLdapAuthenticationProvider implements AuthenticationProvider, MessageSourceAware {
 
-	private static final String AUTHORITY = GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY;
+	private static final String AUTHORITY = FactorGrantedAuthority.PASSWORD_AUTHORITY;
 
 	protected final Log logger = LogFactory.getLog(getClass());
 

ldap/src/test/java/org/springframework/security/ldap/authentication/LdapAuthenticationProviderTests.java

@@ -29,9 +29,9 @@ import org.springframework.security.authentication.InternalAuthenticationService
 import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
@@ -165,7 +165,7 @@ public class LdapAuthenticationProviderTests {
 		LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(authenticator, populator);
 		UsernamePasswordAuthenticationToken request = new UsernamePasswordAuthenticationToken("ben", "benspassword");
 		Authentication result = ldapProvider.authenticate(request);
-		SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY);
+		SecurityAssertions.assertThat(result).hasAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY);
 	}
 
 	class MockAuthenticator implements LdapAuthenticator {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProvider.java

@@ -24,7 +24,6 @@ import java.util.Map;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
@@ -70,7 +69,7 @@ import org.springframework.util.Assert;
  */
 public class OAuth2LoginAuthenticationProvider implements AuthenticationProvider {
 
-	private static final String AUTHORITY = GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY;
+	private static final String AUTHORITY = FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY;
 
 	private final OAuth2AuthorizationCodeAuthenticationProvider authorizationCodeAuthenticationProvider;
 

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProviderTests.java

@@ -31,9 +31,9 @@ import org.mockito.stubbing.Answer;
 
 import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
@@ -220,7 +220,7 @@ public class OAuth2LoginAuthenticationProviderTests {
 		Authentication request = new OAuth2LoginAuthenticationToken(this.clientRegistration,
 				this.authorizationExchange);
 		Authentication result = this.authenticationProvider.authenticate(request);
-		SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY);
+		SecurityAssertions.assertThat(result).hasAuthority(FactorGrantedAuthority.AUTHORIZATION_CODE_AUTHORITY);
 	}
 
 	private OAuth2AccessTokenResponse accessTokenSuccessResponse() {

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverter.java

@@ -21,7 +21,6 @@ import java.util.HashSet;
 
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
@@ -37,7 +36,7 @@ import org.springframework.util.Assert;
  */
 public class JwtAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {
 
-	private static final String AUTHORITY = GrantedAuthorities.FACTOR_BEARER_AUTHORITY;
+	private static final String AUTHORITY = FactorGrantedAuthority.BEARER_AUTHORITY;
 
 	private Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
 

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.java

@@ -28,7 +28,6 @@ import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
@@ -75,7 +74,7 @@ import org.springframework.util.Assert;
  */
 public final class OpaqueTokenAuthenticationProvider implements AuthenticationProvider {
 
-	private static final String AUTHORITY = GrantedAuthorities.FACTOR_BEARER_AUTHORITY;
+	private static final String AUTHORITY = FactorGrantedAuthority.BEARER_AUTHORITY;
 
 	private final Log logger = LogFactory.getLog(getClass());
 

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverterTests.java

@@ -25,8 +25,8 @@ import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.TestJwts;
@@ -116,7 +116,7 @@ public class JwtAuthenticationConverterTests {
 	public void convertWhenDefaultsThenIssuesFactor() {
 		Jwt jwt = TestJwts.jwt().build();
 		Authentication result = this.jwtAuthenticationConverter.convert(jwt);
-		SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_BEARER_AUTHORITY);
+		SecurityAssertions.assertThat(result).hasAuthority(FactorGrantedAuthority.BEARER_AUTHORITY);
 	}
 
 }

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProviderTests.java

@@ -29,8 +29,8 @@ import org.springframework.security.authentication.AuthenticationServiceExceptio
 import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimNames;
 import org.springframework.security.oauth2.core.TestOAuth2AuthenticatedPrincipals;
@@ -155,7 +155,7 @@ public class OpaqueTokenAuthenticationProviderTests {
 		OpaqueTokenAuthenticationProvider provider = new OpaqueTokenAuthenticationProvider(introspector);
 		Authentication request = new BearerTokenAuthenticationToken("token");
 		Authentication result = provider.authenticate(request);
-		SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_BEARER_AUTHORITY);
+		SecurityAssertions.assertThat(result).hasAuthority(FactorGrantedAuthority.BEARER_AUTHORITY);
 	}
 
 	static Predicate<GrantedAuthority> isScope() {

saml2/saml2-service-provider/src/opensaml5Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProvider.java

@@ -58,7 +58,6 @@ import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
@@ -114,7 +113,7 @@ import org.springframework.util.StringUtils;
  */
 public final class OpenSaml5AuthenticationProvider implements AuthenticationProvider {
 
-	private static final String AUTHORITY = GrantedAuthorities.FACTOR_SAML_RESPONSE_AUTHORITY;
+	private static final String AUTHORITY = FactorGrantedAuthority.SAML_RESPONSE_AUTHORITY;
 
 	private final BaseOpenSamlAuthenticationProvider delegate;
 

saml2/saml2-service-provider/src/opensaml5Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProviderTests.java

@@ -73,9 +73,9 @@ import org.opensaml.xmlsec.signature.support.SignatureConstants;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.jackson2.SecurityJackson2Modules;
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
@@ -991,7 +991,7 @@ public class OpenSaml5AuthenticationProviderTests {
 		Response response = TestOpenSamlObjects.signedResponseWithOneAssertion();
 		Authentication request = token(response, verifying(registration()));
 		Authentication result = this.provider.authenticate(request);
-		SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_SAML_RESPONSE_AUTHORITY);
+		SecurityAssertions.assertThat(result).hasAuthority(FactorGrantedAuthority.SAML_RESPONSE_AUTHORITY);
 	}
 
 	private <T extends XMLObject> T build(QName qName) {

test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockWithAuthoritiesMvcResultMatchersTests.java

@@ -27,8 +27,8 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -70,7 +70,7 @@ public class SecurityMockWithAuthoritiesMvcResultMatchersTests {
 	public void withAuthoritiesStringAllowsAnyOrderAndPermitsAnyImpl() throws Exception {
 		this.mockMvc.perform(formLogin())
 			.andExpect(authenticated().withAuthorities("ROLE_ADMIN", "ROLE_SELLER",
-					GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY));
+					FactorGrantedAuthority.PASSWORD_AUTHORITY));
 	}
 
 	@Test
@@ -84,7 +84,7 @@ public class SecurityMockWithAuthoritiesMvcResultMatchersTests {
 	@Test
 	public void withAuthoritiesStringSupportsCustomAuthority() throws Exception {
 		this.mockMvc.perform(formLogin().user("custom"))
-			.andExpect(authenticated().withAuthorities(ROLE_CUSTOM, GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY));
+			.andExpect(authenticated().withAuthorities(ROLE_CUSTOM, FactorGrantedAuthority.PASSWORD_AUTHORITY));
 	}
 
 	@Configuration

web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java

@@ -33,7 +33,7 @@ import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.authorization.FactorAuthorizationDecision;
 import org.springframework.security.authorization.RequiredFactor;
 import org.springframework.security.authorization.RequiredFactorError;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.web.WebAttributes;
@@ -213,7 +213,7 @@ public class DefaultLoginPageGeneratingFilterTests {
 		filter.setOneTimeTokenGenerationUrl("/ott/authenticate");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		MockHttpServletRequest loginRequest = createLoginRequestFromMissingAuthority(
-				GrantedAuthorities.FACTOR_OTT_AUTHORITY);
+				FactorGrantedAuthority.OTT_AUTHORITY);
 		filter.doFilter(loginRequest, response, this.chain);
 		assertThat(response.getContentAsString()).contains("Request a One-Time Token");
 		assertThat(response.getContentAsString()).contains("""

webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationProvider.java

@@ -23,7 +23,6 @@ import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -45,7 +44,7 @@ import org.springframework.util.Assert;
  */
 public class WebAuthnAuthenticationProvider implements AuthenticationProvider {
 
-	private static final String AUTHORITY = GrantedAuthorities.FACTOR_WEBAUTHN_AUTHORITY;
+	private static final String AUTHORITY = FactorGrantedAuthority.WEBAUTHN_AUTHORITY;
 
 	private final WebAuthnRelyingPartyOperations relyingPartyOperations;
 

webauthn/src/test/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationProviderTests.java

@@ -20,7 +20,7 @@ import org.junit.jupiter.api.Test;
 
 import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthorities;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
@@ -56,7 +56,7 @@ class WebAuthnAuthenticationProviderTests {
 		given(users.loadUserByUsername(any())).willReturn(PasswordEncodedUser.user());
 		given(operations.authenticate(any())).willReturn(TestPublicKeyCredentialUserEntities.userEntity().build());
 		Authentication result = provider.authenticate(request);
-		SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_WEBAUTHN_AUTHORITY);
+		SecurityAssertions.assertThat(result).hasAuthority(FactorGrantedAuthority.WEBAUTHN_AUTHORITY);
 	}
 
 }