Implement W3C WebAuthentication specification

spec: https://www.w3.org/TR/webauthn-1/

Author: ynojima

gradle/dependency-management.gradle

@@ -19,6 +19,7 @@ dependencyManagement {
 	dependencies {
 		dependency 'cglib:cglib-nodep:3.2.12'
 		dependency 'com.squareup.okhttp3:mockwebserver:3.14.2'
+		dependency 'com.webauthn4j:webauthn4j-test:0.9.7.RELEASE'
 		dependency 'opensymphony:sitemesh:2.4.2'
 		dependency 'org.gebish:geb-spock:0.10.0'
 		dependency 'org.jasig.cas:cas-server-webapp:4.2.7'
@@ -61,6 +62,7 @@ dependencyManagement {
 		dependency 'com.sun.xml.bind:jaxb-core:2.3.0.1'
 		dependency 'com.sun.xml.bind:jaxb-impl:2.3.2'
 		dependency 'com.unboundid:unboundid-ldapsdk:4.0.11'
+		dependency 'com.webauthn4j:webauthn4j-core:0.9.7.RELEASE'
 		dependency 'com.vaadin.external.google:android-json:0.0.20131108.vaadin1'
 		dependency 'commons-cli:commons-cli:1.4'
 		dependency 'commons-codec:commons-codec:1.12'

webauthn/spring-security-webauthn.gradle

@@ -0,0 +1,28 @@
+apply plugin: 'io.spring.convention.spring-module'
+
+dependencies {
+    compile project(':spring-security-core')
+    compile project(':spring-security-config')
+    compile project(':spring-security-web')
+    compile springCoreDependency
+    compile("org.springframework:spring-core")
+    compile("org.springframework:spring-context")
+    compile("org.springframework:spring-aop")
+    compile("org.springframework:spring-jdbc")
+    compile("org.springframework:spring-web")
+
+    compile("com.webauthn4j:webauthn4j-core")
+
+    provided 'javax.servlet:javax.servlet-api'
+
+    compile project(':spring-security-test')
+    testCompile("com.webauthn4j:webauthn4j-test")
+    testCompile("org.skyscreamer:jsonassert")
+    testCompile("org.springframework:spring-webmvc")
+    testCompile('junit:junit')
+    testCompile('org.mockito:mockito-core')
+    testCompile('org.assertj:assertj-core')
+
+
+    testRuntime 'org.hsqldb:hsqldb'
+}

webauthn/src/main/java/org/springframework/security/webauthn/WebAuthnAssertionAuthenticationToken.java

@@ -0,0 +1,122 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.webauthn;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.webauthn.request.WebAuthnAuthenticationRequest;
+
+/**
+ * An {@link Authentication} implementation for representing WebAuthn assertion like
+ * {@link UsernamePasswordAuthenticationToken} for password authentication
+ *
+ * @author Yoshikazu Nojima
+ */
+public class WebAuthnAssertionAuthenticationToken extends AbstractAuthenticationToken {
+
+	// ~ Instance fields
+	// ================================================================================================
+	private WebAuthnAuthenticationRequest credentials;
+
+
+	// ~ Constructor
+	// ========================================================================================================
+
+	/**
+	 * This constructor can be safely used by any code that wishes to create a
+	 * <code>WebAuthnAssertionAuthenticationToken</code>, as the {@link #isAuthenticated()}
+	 * will return <code>false</code>.
+	 *
+	 * @param credentials credential
+	 */
+	public WebAuthnAssertionAuthenticationToken(WebAuthnAuthenticationRequest credentials) {
+		super(null);
+		this.credentials = credentials;
+		setAuthenticated(false);
+	}
+
+	// ~ Methods
+	// ========================================================================================================
+
+	/**
+	 * Always null
+	 *
+	 * @return null
+	 */
+	@Override
+	public String getPrincipal() {
+		return null;
+	}
+
+	/**
+	 * @return the stored WebAuthn authentication context
+	 */
+	@Override
+	public WebAuthnAuthenticationRequest getCredentials() {
+		return credentials;
+	}
+
+	/**
+	 * This object can never be authenticated, call with true result in exception.
+	 *
+	 * @param isAuthenticated only false value allowed
+	 * @throws IllegalArgumentException if isAuthenticated is true
+	 */
+	@Override
+	public void setAuthenticated(boolean isAuthenticated) {
+		if (isAuthenticated) {
+			throw new IllegalArgumentException(
+					"Cannot set this authenticator to trusted");
+		}
+
+		super.setAuthenticated(false);
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public void eraseCredentials() {
+		super.eraseCredentials();
+		credentials = null;
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public boolean equals(Object o) {
+		if (this == o) return true;
+		if (!(o instanceof WebAuthnAssertionAuthenticationToken)) return false;
+		if (!super.equals(o)) return false;
+
+		WebAuthnAssertionAuthenticationToken that = (WebAuthnAssertionAuthenticationToken) o;
+
+		return credentials != null ? credentials.equals(that.credentials) : that.credentials == null;
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public int hashCode() {
+		int result = super.hashCode();
+		result = 31 * result + (credentials != null ? credentials.hashCode() : 0);
+		return result;
+	}
+}