Add WebAuthn sample application

Author: ynojima

samples/javaconfig/webauthn/spring-security-samples-javaconfig-webauthn.gradle

@@ -0,0 +1,17 @@
+plugins {
+	id "io.spring.convention.spring-sample-boot"
+}
+
+dependencies {
+	compile project(':spring-security-webauthn')
+	compile('org.springframework.boot:spring-boot-starter-web')
+
+	compile("org.slf4j:jcl-over-slf4j")
+	compile('ch.qos.logback:logback-classic')
+	compile('org.thymeleaf:thymeleaf-spring5')
+
+	compile('org.webjars:bootstrap:4.1.1')
+	compile('org.webjars:jquery:3.3.1')
+	compile('org.webjars:font-awesome:5.8.2')
+
+}

samples/javaconfig/webauthn/src/main/java/org/springframework/security/webauthn/sample/SampleWebApplication.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.webauthn.sample;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.ComponentScan;
+
+/**
+ * SampleWebApplication
+ */
+@SpringBootApplication
+@ComponentScan("org.springframework.security.webauthn.sample.app")
+@ComponentScan("org.springframework.security.webauthn.sample.domain")
+public class SampleWebApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(SampleWebApplication.class, args);
+	}
+}

samples/javaconfig/webauthn/src/main/java/org/springframework/security/webauthn/sample/app/config/WebSecurityBeanConfig.java

@@ -0,0 +1,72 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.webauthn.sample.app.config;
+
+import com.webauthn4j.validator.WebAuthnAuthenticationContextValidator;
+import com.webauthn4j.validator.WebAuthnRegistrationContextValidator;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.webauthn.WebAuthnRegistrationRequestValidator;
+import org.springframework.security.webauthn.challenge.ChallengeRepository;
+import org.springframework.security.webauthn.challenge.HttpSessionChallengeRepository;
+import org.springframework.security.webauthn.options.OptionsProvider;
+import org.springframework.security.webauthn.options.OptionsProviderImpl;
+import org.springframework.security.webauthn.server.ServerPropertyProvider;
+import org.springframework.security.webauthn.server.ServerPropertyProviderImpl;
+import org.springframework.security.webauthn.userdetails.WebAuthnUserDetailsService;
+
+@Configuration
+public class WebSecurityBeanConfig {
+
+	@Bean
+	public WebAuthnRegistrationRequestValidator webAuthnRegistrationRequestValidator(ServerPropertyProvider serverPropertyProvider) {
+		WebAuthnRegistrationContextValidator webAuthnRegistrationContextValidator = WebAuthnRegistrationContextValidator.createNonStrictRegistrationContextValidator();
+		return new WebAuthnRegistrationRequestValidator(webAuthnRegistrationContextValidator, serverPropertyProvider);
+	}
+
+	@Bean
+	public ServerPropertyProvider serverPropertyProvider(WebAuthnUserDetailsService webAuthnUserDetailsService) {
+		ChallengeRepository challengeRepository = new HttpSessionChallengeRepository();
+		OptionsProvider optionsProvider = new OptionsProviderImpl(webAuthnUserDetailsService, challengeRepository);
+		return new ServerPropertyProviderImpl(optionsProvider, challengeRepository);
+	}
+
+	@Bean
+	public WebAuthnAuthenticationContextValidator webAuthnAuthenticationContextValidator() {
+		return new WebAuthnAuthenticationContextValidator();
+	}
+
+	@Bean
+	public PasswordEncoder passwordEncoder() {
+		return new BCryptPasswordEncoder();
+	}
+
+	// Not to register DaoAuthenticationProvider to ProviderManager,
+	// initialize DaoAuthenticationProvider manually instead of using DaoAuthenticationConfigurer.
+	@Bean
+	public DaoAuthenticationProvider daoAuthenticationProvider(PasswordEncoder passwordEncoder, UserDetailsService userDetailsService) {
+		DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
+		daoAuthenticationProvider.setPasswordEncoder(passwordEncoder);
+		daoAuthenticationProvider.setUserDetailsService(userDetailsService);
+		return daoAuthenticationProvider;
+	}
+
+}

samples/javaconfig/webauthn/src/main/java/org/springframework/security/webauthn/sample/app/config/WebSecurityConfig.java

@@ -0,0 +1,117 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.webauthn.sample.app.config;
+
+import com.webauthn4j.data.AttestationConveyancePreference;
+import com.webauthn4j.data.PublicKeyCredentialType;
+import com.webauthn4j.data.attestation.statement.COSEAlgorithmIdentifier;
+import com.webauthn4j.validator.WebAuthnAuthenticationContextValidator;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configurers.mfa.MultiFactorAuthenticationProviderConfigurer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.webauthn.authenticator.WebAuthnAuthenticatorService;
+import org.springframework.security.webauthn.config.configurers.WebAuthnAuthenticationProviderConfigurer;
+import org.springframework.security.webauthn.userdetails.WebAuthnUserDetailsService;
+
+import static org.springframework.security.webauthn.config.configurers.WebAuthnLoginConfigurer.webAuthnLogin;
+
+
+/**
+ * Security Configuration
+ */
+@Configuration
+@Import(value = WebSecurityBeanConfig.class)
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+	@Autowired
+	private DaoAuthenticationProvider daoAuthenticationProvider;
+
+	@Autowired
+	private WebAuthnUserDetailsService userDetailsService;
+
+	@Autowired
+	private WebAuthnAuthenticatorService authenticatorService;
+
+	@Autowired
+	private WebAuthnAuthenticationContextValidator webAuthnAuthenticationContextValidator;
+
+	@Override
+	public void configure(AuthenticationManagerBuilder builder) throws Exception {
+		builder.apply(new WebAuthnAuthenticationProviderConfigurer<>(userDetailsService, authenticatorService, webAuthnAuthenticationContextValidator));
+		builder.apply(new MultiFactorAuthenticationProviderConfigurer<>(daoAuthenticationProvider));
+	}
+
+	@Override
+	public void configure(WebSecurity web) {
+		// ignore static resources
+		web.ignoring().antMatchers(
+				"/favicon.ico",
+				"/webjars/**",
+				"/js/**",
+				"/css/**");
+	}
+
+	/**
+	 * Configure SecurityFilterChain
+	 */
+	@Override
+	protected void configure(HttpSecurity http) throws Exception {
+
+		// WebAuthn Login
+		http.apply(webAuthnLogin())
+				.rpName("Spring Security WebAuthn Sample")
+				.attestation(AttestationConveyancePreference.NONE)
+				.publicKeyCredParams()
+				.addPublicKeyCredParams(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.RS256)  // Windows Hello
+				.addPublicKeyCredParams(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256) // FIDO U2F Key, etc
+				.and()
+				.loginPage("/login")
+				.usernameParameter("username")
+				.passwordParameter("password")
+				.credentialIdParameter("credentialId")
+				.clientDataJSONParameter("clientDataJSON")
+				.authenticatorDataParameter("authenticatorData")
+				.signatureParameter("signature")
+				.clientExtensionsJSONParameter("clientExtensionsJSON")
+				.loginProcessingUrl("/login")
+				.defaultSuccessUrl("/dashboard");
+
+		// Logout
+		http.logout()
+				.logoutUrl("/logout");
+		// Authorization
+		http.authorizeRequests()
+				.mvcMatchers("/").permitAll()
+				.mvcMatchers("/signup").permitAll()
+				.mvcMatchers("/login").permitAll()
+				.mvcMatchers("/h2-console/**").denyAll()
+				.anyRequest().fullyAuthenticated();
+
+		http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+
+	}
+
+}

samples/javaconfig/webauthn/src/main/java/org/springframework/security/webauthn/sample/app/web/AuthenticatorCreateForm.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.webauthn.sample.app.web;
+
+import com.webauthn4j.data.AuthenticatorTransport;
+
+import javax.validation.Valid;
+import javax.validation.constraints.NotNull;
+import java.util.Set;
+
+public class AuthenticatorCreateForm {
+
+	@NotNull
+	@Valid
+	private String clientDataJSON;
+
+	@NotNull
+	@Valid
+	private String attestationObject;
+
+	private Set<AuthenticatorTransport> transports;
+
+	@NotNull
+	private String clientExtensions;
+
+	public String getClientDataJSON() {
+		return clientDataJSON;
+	}
+
+	public void setClientDataJSON(String clientDataJSON) {
+		this.clientDataJSON = clientDataJSON;
+	}
+
+	public String getAttestationObject() {
+		return attestationObject;
+	}
+
+	public void setAttestationObject(String attestationObject) {
+		this.attestationObject = attestationObject;
+	}
+
+	public Set<AuthenticatorTransport> getTransports() {
+		return transports;
+	}
+
+	public void setTransports(Set<AuthenticatorTransport> transports) {
+		this.transports = transports;
+	}
+
+	public String getClientExtensions() {
+		return clientExtensions;
+	}
+
+	public void setClientExtensions(String clientExtensions) {
+		this.clientExtensions = clientExtensions;
+	}
+}