Use dependency injection in webauthn filters to allow for customization #16369

Open
levimiller-qhrtech opened this issue Jan 7, 2025 · 0 comments · May be fixed by #16371
Labels: status: waiting-for-triage (An issue we've not yet triaged); type: enhancement (A general enhancement)

levimiller-qhrtech commented Jan 7, 2025

Expected Behavior
I expect to be able to provide my own implementations for PublicKeyCredentialCreationOptionsRepository and HttpMessageConverter when using passkeys/webauthn, specifically to be able to save/load the options outside of a session.

e.g.,

```java
@Bean
SecurityFilterChain webAuthnFilterChain(HttpSecurity http) throws Exception {
  return http.webAuthn(webAuthn -> { ... }).build();
}

@Bean
B2cPublicKeyCredentialCreationOptionsRepository customCreationOptionsRepo() {
  return new MyCustomB2cPublicKeyCredentialCreationOptionsRepository();
}
```

Current Behavior
The webauthn filters just initialize their own instances on construction:
https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/webauthn/registration/PublicKeyCredentialCreationOptionsFilter.java#L59

WebAuthnRegistrationFilter at least has a setter to update it, but I'd have to use reflection to update PublicKeyCredentialCreationOptionsFilter.

Context
I have another server forwarding the WebAuthn requests to a Spring Boot server, and will be storing the state externally and not in a session. My current workaround is to use reflection to update the private fields to use my implementation of B2cPublicKeyCredentialCreationOptionsRepository, but I feel that dependencies should be injected so they can be customized.

levimiller-qhrtech added the status: waiting-for-triage and type: enhancement labels Jan 7, 2025
kse-music added a commit to kse-music/spring-security that referenced this issue Jan 8, 2025
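
An added example, not part of the issue and not Spring Security's own code: a sketch of the kind of `PublicKeyCredentialCreationOptionsRepository` the issue wants to inject, keeping the pending registration options (and the challenge they carry) outside the HTTP session. The class name, the in-memory map standing in for the external store, the five-minute lifetime and the choice of the authenticated principal as the key are all assumptions. Once the options leave the session, expiry and binding to the caller have to be enforced by the repository itself.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions;
import org.springframework.security.web.webauthn.registration.PublicKeyCredentialCreationOptionsRepository;

// Hypothetical class: stores pending registration options outside the session.
public class ExternalCreationOptionsRepository implements PublicKeyCredentialCreationOptionsRepository {

	private record Entry(PublicKeyCredentialCreationOptions options, Instant expiresAt) {}

	// Stand-in for the external store (assumption); replace with a shared cache or database.
	private final Map<String, Entry> store = new ConcurrentHashMap<>();
	private final Duration ttl = Duration.ofMinutes(5); // assumed ceremony lifetime

	@Override
	public void save(HttpServletRequest request, HttpServletResponse response,
			PublicKeyCredentialCreationOptions options) {
		String key = key(request);
		if (options == null) {
			// Null clears the pending challenge, as a null session attribute would.
			this.store.remove(key);
			return;
		}
		// A new ceremony overwrites the old one, so at most one challenge is live per user.
		this.store.put(key, new Entry(options, Instant.now().plus(this.ttl)));
	}

	@Override
	public PublicKeyCredentialCreationOptions load(HttpServletRequest request) {
		String key = key(request);
		Entry entry = this.store.get(key);
		if (entry == null) {
			return null;
		}
		if (Instant.now().isAfter(entry.expiresAt())) {
			this.store.remove(key, entry); // expired challenges are never returned
			return null;
		}
		return entry.options();
	}

	// Key on the authenticated principal, never on a value the browser chooses.
	private static String key(HttpServletRequest request) {
		if (request.getUserPrincipal() == null) {
			throw new IllegalStateException("registration requires an authenticated user");
		}
		return request.getUserPrincipal().getName();
	}
}
```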