Skip to content

Set PublicKeyCredentialRequestOptionsRepository by DSL or Bean #16911

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Set PublicKeyCredentialRequestOptionsRepository by DSL or Bean #16911

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 31 additions & 4 deletions ...va/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialRpEntity;
import org.springframework.security.web.webauthn.authentication.PublicKeyCredentialRequestOptionsFilter;
import org.springframework.security.web.webauthn.authentication.PublicKeyCredentialRequestOptionsRepository;
import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter;
import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationProvider;
import org.springframework.security.web.webauthn.management.MapPublicKeyCredentialUserEntityRepository;
Expand Down Expand Up @@ -67,6 +68,8 @@ public class WebAuthnConfigurer<H extends HttpSecurityBuilder<H>>

private PublicKeyCredentialCreationOptionsRepository creationOptionsRepository;

private PublicKeyCredentialRequestOptionsRepository requestOptionsRepository;

private HttpMessageConverter<Object> converter;

/**
Expand Down Expand Up @@ -144,37 +147,53 @@ public WebAuthnConfigurer<H> creationOptionsRepository(
return this;
}

/**
* Sets PublicKeyCredentialRequestOptionsRepository.
* @param requestOptionsRepository the requestOptionsRepository
* @return the {@link WebAuthnConfigurer} for further customization
*/
public WebAuthnConfigurer<H> requestOptionsRepository(
PublicKeyCredentialRequestOptionsRepository requestOptionsRepository) {
this.requestOptionsRepository = requestOptionsRepository;
return this;
}

@Override
public void configure(H http) throws Exception {
UserDetailsService userDetailsService = getSharedOrBean(http, UserDetailsService.class).orElseGet(() -> {
throw new IllegalStateException("Missing UserDetailsService Bean");
});
UserDetailsService userDetailsService = getSharedOrBean(http, UserDetailsService.class)
.orElseThrow(() -> new IllegalStateException("Missing UserDetailsService Bean"));
PublicKeyCredentialUserEntityRepository userEntities = getSharedOrBean(http,
PublicKeyCredentialUserEntityRepository.class)
.orElse(userEntityRepository());
UserCredentialRepository userCredentials = getSharedOrBean(http, UserCredentialRepository.class)
.orElse(userCredentialRepository());
WebAuthnRelyingPartyOperations rpOperations = webAuthnRelyingPartyOperations(userEntities, userCredentials);
PublicKeyCredentialCreationOptionsRepository creationOptionsRepository = creationOptionsRepository();
PublicKeyCredentialRequestOptionsRepository requestOptionsRepository = requestOptionsRepository();
WebAuthnAuthenticationFilter webAuthnAuthnFilter = new WebAuthnAuthenticationFilter();
webAuthnAuthnFilter.setAuthenticationManager(
new ProviderManager(new WebAuthnAuthenticationProvider(rpOperations, userDetailsService)));
WebAuthnRegistrationFilter webAuthnRegistrationFilter = new WebAuthnRegistrationFilter(userCredentials,
rpOperations);
PublicKeyCredentialCreationOptionsFilter creationOptionsFilter = new PublicKeyCredentialCreationOptionsFilter(
rpOperations);
PublicKeyCredentialRequestOptionsFilter credentialRequestOptionsFilter = new PublicKeyCredentialRequestOptionsFilter(rpOperations);
if (creationOptionsRepository != null) {
webAuthnRegistrationFilter.setCreationOptionsRepository(creationOptionsRepository);
creationOptionsFilter.setCreationOptionsRepository(creationOptionsRepository);
}
if (requestOptionsRepository != null) {
credentialRequestOptionsFilter.setRequestOptionsRepository(requestOptionsRepository);
webAuthnAuthnFilter.setRequestOptionsRepository(requestOptionsRepository);
}
if (this.converter != null) {
webAuthnRegistrationFilter.setConverter(this.converter);
creationOptionsFilter.setConverter(this.converter);
}
http.addFilterBefore(webAuthnAuthnFilter, BasicAuthenticationFilter.class);
http.addFilterAfter(webAuthnRegistrationFilter, AuthorizationFilter.class);
http.addFilterBefore(creationOptionsFilter, AuthorizationFilter.class);
http.addFilterBefore(new PublicKeyCredentialRequestOptionsFilter(rpOperations), AuthorizationFilter.class);
http.addFilterBefore(credentialRequestOptionsFilter, AuthorizationFilter.class);

DefaultLoginPageGeneratingFilter loginPageGeneratingFilter = http
.getSharedObject(DefaultLoginPageGeneratingFilter.class);
Expand Down Expand Up @@ -208,6 +227,14 @@ private PublicKeyCredentialCreationOptionsRepository creationOptionsRepository()
return context.getBeanProvider(PublicKeyCredentialCreationOptionsRepository.class).getIfUnique();
}

private PublicKeyCredentialRequestOptionsRepository requestOptionsRepository() {
if (this.requestOptionsRepository != null) {
return this.requestOptionsRepository;
}
ApplicationContext context = getBuilder().getSharedObject(ApplicationContext.class);
return context.getBeanProvider(PublicKeyCredentialRequestOptionsRepository.class).getIfUnique();
}

private <C> Optional<C> getSharedOrBean(H http, Class<C> type) {
C shared = http.getSharedObject(type);
return Optional.ofNullable(shared).or(() -> getBeanOrNull(type));
Expand Down
137 changes: 137 additions & 0 deletions ...g/springframework/security/config/annotation/web/configurers/WebAuthnConfigurerTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,15 +33,22 @@
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.ui.DefaultResourcesFilter;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity;
import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialCreationOptions;
import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialRequestOptions;
import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntity;
import org.springframework.security.web.webauthn.authentication.HttpSessionPublicKeyCredentialRequestOptionsRepository;
import org.springframework.security.web.webauthn.management.WebAuthnRelyingPartyOperations;
import org.springframework.security.web.webauthn.registration.HttpSessionPublicKeyCredentialCreationOptionsRepository;
import org.springframework.test.web.servlet.MockMvc;
Expand All @@ -67,6 +74,21 @@ public class WebAuthnConfigurerTests {

public final SpringTestContext spring = new SpringTestContext(this);

private static final String WEBAUTHN_LOGIN_BODY = """
{
"id": "dYF7EGnRFFIXkpXi9XU2wg",
"rawId": "dYF7EGnRFFIXkpXi9XU2wg",
"response": {
"authenticatorData": "y9GqwTRaMpzVDbXq1dyEAXVOxrou08k22ggRC45MKNgdAAAAAA",
"clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiRFVsRzRDbU9naWhKMG1vdXZFcE9HdUk0ZVJ6MGRRWmxUQmFtbjdHQ1FTNCIsIm9yaWdpbiI6Imh0dHBzOi8vZXhhbXBsZS5sb2NhbGhvc3Q6ODQ0MyIsImNyb3NzT3JpZ2luIjpmYWxzZX0",
"signature": "MEYCIQCW2BcUkRCAXDmGxwMi78jknenZ7_amWrUJEYoTkweldAIhAMD0EMp1rw2GfwhdrsFIeDsL7tfOXVPwOtfqJntjAo4z",
"userHandle": "Q3_0Xd64_HW0BlKRAJnVagJTpLKLgARCj8zjugpRnVo"
},
"clientExtensionResults": {},
"authenticatorAttachment": "platform"
}
""";

@Autowired
MockMvc mvc;

Expand Down Expand Up @@ -182,6 +204,53 @@ public void webauthnWhenConfiguredPublicKeyCredentialCreationOptionsRepositoryBe
.andExpect(request().sessionAttribute(attrName, options));
}

@Test
public void webauthnWhenConfiguredPublicKeyCredentialRequestOptionsRepositoryBeanPresent() throws Exception {
PublicKeyCredentialRequestOptions options = TestPublicKeyCredentialRequestOptions.create()
.build();
WebAuthnRelyingPartyOperations rpOperations = mock(WebAuthnRelyingPartyOperations.class);
ConfigCredentialRequestOptionsRepositoryFromBean.rpOperations = rpOperations;
given(rpOperations.createCredentialRequestOptions(any())).willReturn(options);
String attrName = "attrName";
HttpSessionPublicKeyCredentialRequestOptionsRepository requestOptionsRepository = new HttpSessionPublicKeyCredentialRequestOptionsRepository();
requestOptionsRepository.setAttrName(attrName);
ConfigCredentialRequestOptionsRepositoryFromBean.requestOptionsRepository = requestOptionsRepository;
this.spring.register(ConfigCredentialRequestOptionsRepositoryFromBean.class).autowire();
this.mvc.perform(post("/webauthn/authenticate/options"))
.andExpect(status().isOk())
.andExpect(request().sessionAttribute(attrName, options));
PublicKeyCredentialUserEntity userEntity = TestPublicKeyCredentialUserEntity.userEntity().build();
given(rpOperations.authenticate(any())).willReturn(userEntity);
this.mvc.perform(post("/login/webauthn")
.content(WEBAUTHN_LOGIN_BODY)
.sessionAttr(attrName, options))
.andExpect(status().isOk());
}

@Test
public void webauthnWhenConfiguredPublicKeyCredentialRequestOptionsRepository() throws Exception {
PublicKeyCredentialRequestOptions options = TestPublicKeyCredentialRequestOptions
.create()
.build();
WebAuthnRelyingPartyOperations rpOperations = mock(WebAuthnRelyingPartyOperations.class);
ConfigCredentialRequestOptionsRepository.rpOperations = rpOperations;
given(rpOperations.createCredentialRequestOptions(any())).willReturn(options);
String attrName = "attrName";
HttpSessionPublicKeyCredentialRequestOptionsRepository requestOptionsRepository = new HttpSessionPublicKeyCredentialRequestOptionsRepository();
requestOptionsRepository.setAttrName(attrName);
ConfigCredentialRequestOptionsRepository.requestOptionsRepository = requestOptionsRepository;
this.spring.register(ConfigCredentialRequestOptionsRepository.class).autowire();
this.mvc.perform(post("/webauthn/authenticate/options"))
.andExpect(status().isOk())
.andExpect(request().sessionAttribute(attrName, options));
PublicKeyCredentialUserEntity userEntity = TestPublicKeyCredentialUserEntity.userEntity().build();
given(rpOperations.authenticate(any())).willReturn(userEntity);
this.mvc.perform(post("/login/webauthn")
.content(WEBAUTHN_LOGIN_BODY)
.sessionAttr(attrName, options))
.andExpect(status().isOk());
}

@Test
public void webauthnWhenConfiguredMessageConverter() throws Exception {
TestingAuthenticationToken user = new TestingAuthenticationToken("user", "password", "ROLE_USER");
Expand Down Expand Up @@ -264,6 +333,74 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

}

@Configuration
@EnableWebSecurity
static class ConfigCredentialRequestOptionsRepositoryFromBean {

private static HttpSessionPublicKeyCredentialRequestOptionsRepository requestOptionsRepository;

private static WebAuthnRelyingPartyOperations rpOperations;

@Bean
WebAuthnRelyingPartyOperations webAuthnRelyingPartyOperations() {
return ConfigCredentialRequestOptionsRepositoryFromBean.rpOperations;
}

@Bean
UserDetailsService userDetailsService() {
InMemoryUserDetailsManager userDetailsService = new InMemoryUserDetailsManager();
userDetailsService.createUser(User.builder().username("user")
.password("{noop}password")
.authorities(AuthorityUtils.createAuthorityList("ROLE_USER"))
.build());
return userDetailsService;
}

@Bean
HttpSessionPublicKeyCredentialRequestOptionsRepository credentialRequestOptionsRepository() {
return ConfigCredentialRequestOptionsRepositoryFromBean.requestOptionsRepository;
}

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http.csrf(AbstractHttpConfigurer::disable).webAuthn(Customizer.withDefaults()).build();
}

}

@Configuration
@EnableWebSecurity
static class ConfigCredentialRequestOptionsRepository {

private static HttpSessionPublicKeyCredentialRequestOptionsRepository requestOptionsRepository;

private static WebAuthnRelyingPartyOperations rpOperations;

@Bean
WebAuthnRelyingPartyOperations webAuthnRelyingPartyOperations() {
return ConfigCredentialRequestOptionsRepository.rpOperations;
}

@Bean
UserDetailsService userDetailsService() {
InMemoryUserDetailsManager userDetailsService = new InMemoryUserDetailsManager();
userDetailsService.createUser(User.builder().username("user")
.password("{noop}password")
.authorities(AuthorityUtils.createAuthorityList("ROLE_USER"))
.build());
return userDetailsService;
}

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http.csrf(AbstractHttpConfigurer::disable)
.webAuthn((c) -> c.requestOptionsRepository(requestOptionsRepository))
.build();
}

}


@Configuration
@EnableWebSecurity
static class ConfigMessageConverter {
Expand Down