Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use dependency injection in webauthn filters to allow for customization #16369

Closed
levimiller-qhrtech opened this issue Jan 7, 2025 · 3 comments
Closed

Use dependency injection in webauthn filters to allow for customization #16369

levimiller-qhrtech opened this issue Jan 7, 2025 · 3 comments
Assignees
@rwinch
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement

Comments

@levimiller-qhrtech
Copy link

levimiller-qhrtech commented Jan 7, 2025
edited
Loading

Expected Behavior
I expect to be able to provide my own implementations for PublicKeyCredentialCreationOptionsRepository and HttpMessageConverter when using passkeys/webauthn, specifically to be able to save/load the options outside of a session.

e.g.,

@Bean
SecurityFilterChain webAuthnFilterChain(HttpSecurity http) throws Exception {
  return http.webAuthn(webAuthn -> { ... }).build();
}
  
@Bean
B2cPublicKeyCredentialCreationOptionsRepository customCreationOptionsRepo() {
  return new MyCustomB2cPublicKeyCredentialCreationOptionsRepository();
}

Current Behavior
The webauthn filters just initialize their own instances on construction:
https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/webauthn/registration/PublicKeyCredentialCreationOptionsFilter.java#L59

WebAuthnRegistrationFilter at least has a setter to update it, but I'd have to use reflection to update PublicKeyCredentialCreationOptionsFilter.

Context
I have another server forwarding the webauthn requests to a spring boot server, and will be storing the state externally and not in a session. My current workaround is to use reflection to update the private fields to use my implementation of B2cPublicKeyCredentialCreationOptionsRepository, but I feel that dependencies should be injected so they can be customized.
@levimiller-qhrtech levimiller-qhrtech added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jan 7, 2025
kse-music added a commit to kse-music/spring-security that referenced this issue Jan 8, 2025
@kse-music
Apply ObjectPostProcessor to the filter in WebAuthnConfigurer
2f271eb 
Closes spring-projectsgh-16369

Signed-off-by: DingHao <[email protected]>
@kse-music kse-music mentioned this issue Jan 8, 2025
Closed
@rwinch
Copy link
Member

rwinch commented Jan 10, 2025

@levimiller-qhrtech Thanks for creating this ticket. I agree with the requests you have made (we will split it into two features though).

@kse-music put together a PR, but I asked for some changes. I'm waiting to see if he will make some changes I requested (I'm hopeful he will as he is very active/excellent contributor).

@rwinch rwinch added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 10, 2025
kse-music added a commit to kse-music/spring-security that referenced this issue Jan 12, 2025
@kse-music
Set PublicKeyCredentialCreationOptionsRepository by DSL or Bean
462ecb5 
Closes spring-projectsgh-16369

Signed-off-by: DingHao <[email protected]>
@kse-music kse-music mentioned this issue Jan 12, 2025
Closed
kse-music added a commit to kse-music/spring-security that referenced this issue Jan 12, 2025
@kse-music
Set HttpMessageConverter by DSL
cbd77e0 
Closes spring-projectsgh-16369

Signed-off-by: DingHao <[email protected]>
@kse-music kse-music mentioned this issue Jan 12, 2025
Closed
kse-music added a commit to kse-music/spring-security that referenced this issue Jan 12, 2025
@kse-music
Set HttpMessageConverter by DSL
18d4d8b 
Closes spring-projectsgh-16369

Signed-off-by: DingHao <[email protected]>
@kse-music
Copy link
Contributor

@rwinch I have split it into two PR (#16396 and #16397 ), can you help me review the code.

@rwinch rwinch closed this as completed in 8181cec Jan 18, 2025
rwinch pushed a commit that referenced this issue Jan 18, 2025
@kse-music @rwinch
Set PublicKeyCredentialCreationOptionsRepository by DSL or Bean
f4491f3 
Closes gh-16369

Signed-off-by: DingHao <[email protected]>
@rwinch rwinch self-assigned this Jan 18, 2025
@rwinch
Copy link
Member

rwinch commented Jan 18, 2025

Thanks to @kse-music this is now resolved in main!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwinch rwinch

Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
3 participants
@rwinch @kse-music @levimiller-qhrtech