It would be nice if DefaultAuthorizationManagerFactory could apply authorization rules automatically, like for certain authorities that are always required.

@Bean 
AuthorizationManagerFactory<Object> authorizationManagerFactory() {
    return DefaultAuthorizationManagerFactory.withAuthorities("FACTOR_PASSWORD", "FACTOR_X509");
}

These would then be applied to all authorization managers relating to authenticated users. That is, permitAll, denyAll, and anonymous are not affected.

Note, given #17932, I've updated the suggested static factory method to avoid a collision.