admin管理员组文章数量:1315322
I need to implement the registration of and authentication with passkeys in my App.
I looked at WebAuthn4J and saw in their docs that they recommend to use Spring Security to make it easier.
The setup in the Spring Security Docs about Passkey seams straight forward.
Add the Spring Security dependencies, add the webauthn(...) part to the SecurityFilterChain and it should work.
But that doesn't seam to work for me.
I am somewhat familiar with the concepts in the WebAuthn context and I am confused about how to use the Spring Security Version of it.
The Spring Security docs say that after adding the webAuthn part to the filterChain, it would be enough to start the app and send a post request to /webauthn/register/options endpoint to get the challenge.
If i try that, the server just returns 400 with and empty body.
My main question is: Do I miss something that needs to be added?
My Setup looks as follows:
build.gradle (Excerpt)
dependencies {
implementation '.springframework.boot:spring-boot-starter-web'
implementation ".springframework.boot:spring-boot-starter-security"
implementation ".springframework.security:spring-security-config"
implementation ".springframework.security:spring-security-web"
implementation "com.webauthn4j:webauthn4j-core:0.28.3.RELEASE"
}
WebSecurityConfig.java
import .springframework.context.annotation.Bean;
import .springframework.context.annotation.Configuration;
import .springframework.security.config.annotation.web.builders.HttpSecurity;
import .springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import .springframework.security.web.SecurityFilterChain;
@Configuration
public class WebSecurityConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests((authorize) -> authorize.anyRequest().permitAll())
.webAuthn((webAuthn) -> webAuthn
.rpName("SAVIN")
.rpId("http://localhost")
.allowedOrigins("http://localhost")
);
return http.build();
}
}
I need to implement the registration of and authentication with passkeys in my App.
I looked at WebAuthn4J and saw in their docs that they recommend to use Spring Security to make it easier.
The setup in the Spring Security Docs about Passkey seams straight forward.
Add the Spring Security dependencies, add the webauthn(...) part to the SecurityFilterChain and it should work.
But that doesn't seam to work for me.
I am somewhat familiar with the concepts in the WebAuthn context and I am confused about how to use the Spring Security Version of it.
The Spring Security docs say that after adding the webAuthn part to the filterChain, it would be enough to start the app and send a post request to /webauthn/register/options endpoint to get the challenge.
If i try that, the server just returns 400 with and empty body.
My main question is: Do I miss something that needs to be added?
My Setup looks as follows:
build.gradle (Excerpt)
dependencies {
implementation '.springframework.boot:spring-boot-starter-web'
implementation ".springframework.boot:spring-boot-starter-security"
implementation ".springframework.security:spring-security-config"
implementation ".springframework.security:spring-security-web"
implementation "com.webauthn4j:webauthn4j-core:0.28.3.RELEASE"
}
WebSecurityConfig.java
import .springframework.context.annotation.Bean;
import .springframework.context.annotation.Configuration;
import .springframework.security.config.annotation.web.builders.HttpSecurity;
import .springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import .springframework.security.web.SecurityFilterChain;
@Configuration
public class WebSecurityConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests((authorize) -> authorize.anyRequest().permitAll())
.webAuthn((webAuthn) -> webAuthn
.rpName("SAVIN")
.rpId("http://localhost")
.allowedOrigins("http://localhost")
);
return http.build();
}
}
1 Answer
Reset to default 2Minimal required dependencies
implementation(".springframework.boot:spring-boot-starter-security")
implementation(".springframework.boot:spring-boot-starter-web")
implementation("com.webauthn4j:webauthn4j-core:0.28.4.RELEASE")
SecurityConfig
@Configuration
public class SecurityConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.formLogin(withDefaults())
// http://localhost:8080/webauthn/register
.webAuthn((webAuthn) -> webAuthn
.rpName("Spring Security Relying Party")
.rpId("localhost")
.allowedOrigins("http://localhost:8080")
);
return http.build();
}
@Bean
UserDetailsService userDetailsService() {
UserDetails userDetails = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(userDetails);
}
}
- Start the app
- In Chrome, navigate to http://localhost:8080/login
- In Chrome developer, select More tools | WebAuthn
- Still on http://localhost:8080/login, sign in with username/password: user/password
- Navigate to http://localhost:8080/webauthn/register
- Add a passkey label, e.g. "Testing WebAuthn" and select "Register"
- In the QR-code modal, select "Save another way" and then select "This device"
Verification
- Navigate to http://localhost:8080/logout and confirm logout
- Navigate to http://localhost:8080/login and select "Sign in with a passkey". Select the saved passkey, and you're logged in.
本文标签: How to use Spring Security WebAuthn to implement PasskeyStack Overflow
版权声明:本文标题:How to use Spring Security WebAuthn to implement Passkey? - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1741977482a2408208.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
@EnableWebSecurity. Currently you have a nice configuration that doesn't do anything. Next to that ditch the.springframework.securitydependencies those are already pulled in throughspring-boot-starter-security. Finally I think theallowedOriginsshould include a port (default8080I suspect). – M. Deinum Commented Jan 30 at 9:31