Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
/*
* Copyright 2004-present the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package org.springframework.security.web.webauthn.authentication;

import jakarta.servlet.http.HttpServletRequest;
import org.jspecify.annotations.Nullable;

import org.springframework.core.ResolvableType;
import org.springframework.http.converter.SmartHttpMessageConverter;
import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
import org.springframework.security.web.webauthn.api.PublicKeyCredential;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
import org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest;
import org.springframework.util.Assert;

/**
* An {@link AuthenticationConverter} that generates a
* {@link WebAuthnAuthenticationRequestToken} from a WebAuthn authentication request.
*
* @author Andrey Litvitski
* @since 7.1.0
*/
public class WebAuthnAuthenticationConverter implements AuthenticationConverter {

private SmartHttpMessageConverter<Object> converter;

private PublicKeyCredentialRequestOptionsRepository requestOptionsRepository;

/**
* Constructs a {@link WebAuthnAuthenticationConverter} given a strategy for reading
* the {@code PublicKeyCredential} and loading the
* {@code PublicKeyCredentialRequestOptions}.
* @param converter the strategy for reading the {@code PublicKeyCredential} from the
* request
* @param requestOptionsRepository the strategy for loading the
* {@code PublicKeyCredentialRequestOptions}
*/
public WebAuthnAuthenticationConverter(SmartHttpMessageConverter<Object> converter,
PublicKeyCredentialRequestOptionsRepository requestOptionsRepository) {
Assert.notNull(converter, "converter cannot be null");
Assert.notNull(requestOptionsRepository, "requestOptionsRepository cannot be null");
this.converter = converter;
this.requestOptionsRepository = requestOptionsRepository;
}

@Override
public @Nullable WebAuthnAuthenticationRequestToken convert(HttpServletRequest request) {
ServletServerHttpRequest httpRequest = new ServletServerHttpRequest(request);
ResolvableType resolvableType = ResolvableType.forClassWithGenerics(PublicKeyCredential.class,
AuthenticatorAssertionResponse.class);
PublicKeyCredential<AuthenticatorAssertionResponse> publicKeyCredential;
try {
publicKeyCredential = (PublicKeyCredential<AuthenticatorAssertionResponse>) this.converter
.read(resolvableType, httpRequest, null);
}
catch (Exception ex) {
throw new BadCredentialsException("Unable to authenticate the PublicKeyCredential", ex);
}
PublicKeyCredentialRequestOptions requestOptions = this.requestOptionsRepository.load(request);
if (requestOptions == null) {
throw new BadCredentialsException(
"Unable to authenticate the PublicKeyCredential. No PublicKeyCredentialRequestOptions found.");
}
RelyingPartyAuthenticationRequest authenticationRequest = new RelyingPartyAuthenticationRequest(requestOptions,
publicKeyCredential);
return new WebAuthnAuthenticationRequestToken(authenticationRequest);
}

/**
* Sets the {@link SmartHttpMessageConverter} to use for reading
* {@code PublicKeyCredential<AuthenticatorAssertionResponse>} from the request. The
* default is {@link JacksonJsonHttpMessageConverter}.
* @param converter the {@link SmartHttpMessageConverter} to use. Cannot be null.
* @since 7.0
*/
public void setConverter(SmartHttpMessageConverter<Object> converter) {
Assert.notNull(converter, "converter cannot be null");
this.converter = converter;
}

/**
* Sets the {@link PublicKeyCredentialRequestOptionsRepository} to use. The default is
* {@link HttpSessionPublicKeyCredentialRequestOptionsRepository}.
* @param requestOptionsRepository the
* {@link PublicKeyCredentialRequestOptionsRepository} to use. Cannot be null.
*/
public void setRequestOptionsRepository(PublicKeyCredentialRequestOptionsRepository requestOptionsRepository) {
Assert.notNull(requestOptionsRepository, "requestOptionsRepository cannot be null");
this.requestOptionsRepository = requestOptionsRepository;
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -38,20 +38,15 @@
import org.springframework.http.converter.HttpMessageNotWritableException;
import org.springframework.http.converter.SmartHttpMessageConverter;
import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.authentication.AuthenticationEntryPointFailureHandler;
import org.springframework.security.web.authentication.HttpMessageConverterAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
import org.springframework.security.web.webauthn.api.PublicKeyCredential;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
import org.springframework.security.web.webauthn.jackson.WebauthnJacksonModule;
import org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest;
import org.springframework.util.Assert;

import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
Expand All @@ -78,6 +73,7 @@
* </pre>
*
* @author Rob Winch
* @author Andrey Litvitski
* @since 6.4
*/
public class WebAuthnAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
Expand All @@ -87,6 +83,11 @@ public class WebAuthnAuthenticationFilter extends AbstractAuthenticationProcessi

private PublicKeyCredentialRequestOptionsRepository requestOptionsRepository = new HttpSessionPublicKeyCredentialRequestOptionsRepository();

private final WebAuthnAuthenticationConverter webAuthnAuthenticationConverter = new WebAuthnAuthenticationConverter(
this.converter, this.requestOptionsRepository);

private AuthenticationConverter authenticationConverter = this.webAuthnAuthenticationConverter;

public WebAuthnAuthenticationFilter() {
super(pathPattern(HttpMethod.POST, "/login/webauthn"));
setSecurityContextRepository(new HttpSessionSecurityContextRepository());
Expand All @@ -96,29 +97,14 @@ public WebAuthnAuthenticationFilter() {
}

@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
public @Nullable Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException, IOException, ServletException {
ServletServerHttpRequest httpRequest = new ServletServerHttpRequest(request);
ResolvableType resolvableType = ResolvableType.forClassWithGenerics(PublicKeyCredential.class,
AuthenticatorAssertionResponse.class);
PublicKeyCredential<AuthenticatorAssertionResponse> publicKeyCredential = null;
try {
publicKeyCredential = (PublicKeyCredential<AuthenticatorAssertionResponse>) this.converter
.read(resolvableType, httpRequest, null);
}
catch (Exception ex) {
throw new BadCredentialsException("Unable to authenticate the PublicKeyCredential", ex);
}
PublicKeyCredentialRequestOptions requestOptions = this.requestOptionsRepository.load(request);
if (requestOptions == null) {
throw new BadCredentialsException(
"Unable to authenticate the PublicKeyCredential. No PublicKeyCredentialRequestOptions found.");
Authentication authentication = this.authenticationConverter.convert(request);
if (authentication == null) {
return null;
}
this.requestOptionsRepository.save(request, response, null);
RelyingPartyAuthenticationRequest authenticationRequest = new RelyingPartyAuthenticationRequest(requestOptions,
publicKeyCredential);
WebAuthnAuthenticationRequestToken token = new WebAuthnAuthenticationRequestToken(authenticationRequest);
return getAuthenticationManager().authenticate(token);
return getAuthenticationManager().authenticate(authentication);
}

/**
Expand All @@ -132,6 +118,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
public void setConverter(GenericHttpMessageConverter<Object> converter) {
Assert.notNull(converter, "converter cannot be null");
this.converter = new GenericHttpMessageConverterAdapter<>(converter);
this.webAuthnAuthenticationConverter.setConverter(this.converter);
}

/**
Expand All @@ -144,6 +131,21 @@ public void setConverter(GenericHttpMessageConverter<Object> converter) {
public void setConverter(SmartHttpMessageConverter<Object> converter) {
Assert.notNull(converter, "converter cannot be null");
this.converter = converter;
this.webAuthnAuthenticationConverter.setConverter(converter);
Comment on lines 120 to +134

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps this behavior should be better documented?

}

/**
* Sets the {@link AuthenticationConverter} to use for converting the
* {@link HttpServletRequest} into an {@link Authentication}.
* @param authenticationConverter the {@link AuthenticationConverter} to use. Cannot
* be null.
* @since 7.1
*/
@Override
public void setAuthenticationConverter(AuthenticationConverter authenticationConverter) {
Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
this.authenticationConverter = authenticationConverter;
super.setAuthenticationConverter(authenticationConverter);
}

/**
Expand All @@ -155,6 +157,7 @@ public void setConverter(SmartHttpMessageConverter<Object> converter) {
public void setRequestOptionsRepository(PublicKeyCredentialRequestOptionsRepository requestOptionsRepository) {
Assert.notNull(requestOptionsRepository, "requestOptionsRepository cannot be null");
this.requestOptionsRepository = requestOptionsRepository;
this.webAuthnAuthenticationConverter.setRequestOptionsRepository(requestOptionsRepository);
}

/**
Expand Down
Loading