Merge pull request #1137 from webauthn4j/dependabot/gradle/org.springframework.security-spring-security-bom-5.8.2

chore(deps): bump org.springframework.security:spring-security-bom from 5.7.6 to 5.8.2

Author: ynojima

build.gradle

@@ -27,7 +27,7 @@ buildscript {
 
         //Libraries
         webauthn4jVersion = '0.21.0.RELEASE'
-        springSecurityVersion = '5.7.6'
+        springSecurityVersion = '5.8.2'
         hibernateValidatorVersion = '6.2.5.Final'
         thymeleafVersion = '3.0.4.RELEASE'
         modelMapperVersion = '3.1.1'

samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/config/WebSecurityConfig.java

@@ -103,7 +103,7 @@ public AuthenticationManager authenticationManager(List<AuthenticationProvider>
     public WebSecurityCustomizer webSecurityCustomizer() {
         return (web) -> {
             // ignore static resources
-            web.ignoring().antMatchers(
+            web.ignoring().requestMatchers(
                     "/favicon.ico",
                     "/static/**",
                     "/webjars/**");
@@ -144,21 +144,21 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager
         http.addFilterAfter(fidoServerAssertionResultEndpointFilter, SessionManagementFilter.class);
 
         // Authorization
-        http.authorizeRequests()
-                .mvcMatchers("/").permitAll()
-                .mvcMatchers("/api/auth/status").permitAll()
-                .mvcMatchers(HttpMethod.GET, "/login").permitAll()
-                .mvcMatchers(HttpMethod.POST, "/api/profile").permitAll()
-                .mvcMatchers("/health/**").permitAll()
-                .mvcMatchers("/info/**").permitAll()
-                .mvcMatchers("/h2-console/**").denyAll()
-                .mvcMatchers("/api/admin/**").hasRole(ADMIN_ROLE)
+        http.authorizeHttpRequests()
+                .requestMatchers("/").permitAll()
+                .requestMatchers("/api/auth/status").permitAll()
+                .requestMatchers(HttpMethod.GET, "/login").permitAll()
+                .requestMatchers(HttpMethod.POST, "/api/profile").permitAll()
+                .requestMatchers("/health/**").permitAll()
+                .requestMatchers("/info/**").permitAll()
+                .requestMatchers("/h2-console/**").denyAll()
+                .requestMatchers("/api/admin/**").hasRole(ADMIN_ROLE)
                 .anyRequest().fullyAuthenticated();
 
         //TODO:
         http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
 
-        http.csrf().ignoringAntMatchers("/webauthn/**");
+        http.csrf().ignoringRequestMatchers("/webauthn/**");
 
         http.authenticationManager(authenticationManager);
 

samples/mpa/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/config/WebSecurityBeanConfig.java

@@ -20,7 +20,6 @@
 import com.fasterxml.jackson.dataformat.cbor.CBORFactory;
 import com.webauthn4j.WebAuthnManager;
 import com.webauthn4j.converter.util.ObjectConverter;
-import com.webauthn4j.data.PublicKeyCredentialUserEntity;
 import com.webauthn4j.metadata.converter.jackson.WebAuthnMetadataJSONModule;
 import com.webauthn4j.springframework.security.WebAuthnRegistrationRequestValidator;
 import com.webauthn4j.springframework.security.WebAuthnSecurityExpression;
@@ -35,7 +34,6 @@
 import com.webauthn4j.springframework.security.server.ServerPropertyProviderImpl;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.core.Authentication;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;

samples/mpa/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/config/WebSecurityConfig.java

@@ -24,6 +24,8 @@
 import com.webauthn4j.springframework.security.WebAuthnAuthenticationProvider;
 import com.webauthn4j.springframework.security.authenticator.WebAuthnAuthenticatorService;
 import com.webauthn4j.springframework.security.config.configurers.WebAuthnLoginConfigurer;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
@@ -34,6 +36,8 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler;
+import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 import java.util.List;
@@ -42,6 +46,9 @@
 @EnableWebSecurity
 public class WebSecurityConfig {
 
+    @Autowired
+    private ApplicationContext applicationContext;
+
     @Bean
     public WebAuthnAuthenticationProvider webAuthnAuthenticationProvider(WebAuthnAuthenticatorService authenticatorService, WebAuthnManager webAuthnManager){
         return new WebAuthnAuthenticationProvider(authenticatorService, webAuthnManager);
@@ -56,7 +63,7 @@ public AuthenticationManager authenticationManager(List<AuthenticationProvider>
     public WebSecurityCustomizer webSecurityCustomizer() {
         return (web) -> {
             // ignore static resources
-            web.ignoring().antMatchers(
+            web.ignoring().requestMatchers(
                     "/favicon.ico",
                     "/js/**",
                     "/css/**",
@@ -97,11 +104,12 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager
 
 
         // Authorization
-        http.authorizeRequests()
-                .mvcMatchers(HttpMethod.GET, "/login").permitAll()
-                .mvcMatchers(HttpMethod.GET, "/signup").permitAll()
-                .mvcMatchers(HttpMethod.POST, "/signup").permitAll()
-                .anyRequest().access("@webAuthnSecurityExpression.isWebAuthnAuthenticated(authentication) || hasAuthority('SINGLE_FACTOR_AUTHN_ALLOWED')");
+        http.authorizeHttpRequests(authz -> authz
+                .requestMatchers(HttpMethod.GET, "/login").permitAll()
+                .requestMatchers(HttpMethod.GET, "/signup").permitAll()
+                .requestMatchers(HttpMethod.POST, "/signup").permitAll()
+                .anyRequest().access(getWebExpressionAuthorizationManager("@webAuthnSecurityExpression.isWebAuthnAuthenticated(authentication) || hasAuthority('SINGLE_FACTOR_AUTHN_ALLOWED')"))
+        );
 
         http.exceptionHandling()
                 .accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/login"));
@@ -110,9 +118,17 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager
 
         // As WebAuthn has its own CSRF protection mechanism (challenge), CSRF token is disabled here
         http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
-        http.csrf().ignoringAntMatchers("/webauthn/**");
+        http.csrf().ignoringRequestMatchers("/webauthn/**");
 
         return http.build();
 
     }
+
+    private WebExpressionAuthorizationManager getWebExpressionAuthorizationManager(final String expression) {
+        DefaultHttpSecurityExpressionHandler expressionHandler = new DefaultHttpSecurityExpressionHandler();
+        expressionHandler.setApplicationContext(applicationContext);
+        WebExpressionAuthorizationManager authorizationManager = new WebExpressionAuthorizationManager(expression);
+        authorizationManager.setExpressionHandler(expressionHandler);
+        return authorizationManager;
+    }
 }

samples/spa/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/config/WebSecurityConfig.java

@@ -24,6 +24,7 @@
 import com.webauthn4j.springframework.security.authenticator.WebAuthnAuthenticatorService;
 import com.webauthn4j.springframework.security.config.configurers.WebAuthnLoginConfigurer;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
@@ -39,10 +40,13 @@
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler;
+import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
 
 import java.util.List;
 
@@ -55,6 +59,9 @@
 @EnableWebSecurity
 public class WebSecurityConfig {
 
+    @Autowired
+    private ApplicationContext applicationContext;
+
     @Autowired
     private AuthenticationSuccessHandler authenticationSuccessHandler;
 
@@ -125,27 +132,29 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager
             headers.frameOptions().disable();
         });
 
+        // Authorization
+        http.authorizeHttpRequests(authz -> authz
+                .requestMatchers("/").permitAll()
+                .requestMatchers("/static/**").permitAll()
+                .requestMatchers("/angular/**").permitAll()
+                .requestMatchers("/webjars/**").permitAll()
+                .requestMatchers("/favicon.ico").permitAll()
+                .requestMatchers("/api/auth/status").permitAll()
+                .requestMatchers(HttpMethod.GET, "/login").permitAll()
+                .requestMatchers(HttpMethod.POST, "/api/profile").permitAll()
+                .requestMatchers("/api/status/**").permitAll()
+                .requestMatchers("/health/**").permitAll()
+                .requestMatchers("/info/**").permitAll()
+                .requestMatchers("/h2-console/**").denyAll()
+                .requestMatchers("/api/admin/**").access(getWebExpressionAuthorizationManager("hasRole('ADMIN_ROLE') and isAuthenticated()"))
+                .anyRequest().access(getWebExpressionAuthorizationManager("@webAuthnSecurityExpression.isWebAuthnAuthenticated(authentication) || hasAuthority('SINGLE_FACTOR_AUTHN_ALLOWED')"))
+        );
+
         // Logout
         http.logout()
                 .logoutUrl("/logout")
                 .logoutSuccessHandler(logoutSuccessHandler);
 
-        // Authorization
-        http.authorizeRequests()
-                .mvcMatchers("/").permitAll()
-                .mvcMatchers("/static/**").permitAll()
-                .mvcMatchers("/angular/**").permitAll()
-                .mvcMatchers("/webjars/**").permitAll()
-                .mvcMatchers("/favicon.ico").permitAll()
-                .mvcMatchers("/api/auth/status").permitAll()
-                .mvcMatchers(HttpMethod.GET, "/login").permitAll()
-                .mvcMatchers(HttpMethod.POST, "/api/profile").permitAll()
-                .mvcMatchers("/health/**").permitAll()
-                .mvcMatchers("/info/**").permitAll()
-                .mvcMatchers("/h2-console/**").denyAll()
-                .mvcMatchers("/api/admin/**").access("hasRole('ADMIN_ROLE') and isAuthenticated()")
-                .anyRequest().access("@webAuthnSecurityExpression.isWebAuthnAuthenticated(authentication) || hasAuthority('SINGLE_FACTOR_AUTHN_ALLOWED')");
-
         http.sessionManagement()
                 .sessionAuthenticationFailureHandler(authenticationFailureHandler);
 
@@ -154,9 +163,20 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager
                 .accessDeniedHandler(accessDeniedHandler);
 
         // As WebAuthn has its own CSRF protection mechanism (challenge), CSRF token is disabled here
+        CsrfTokenRequestAttributeHandler csrfTokenRequestAttributeHandler = new CsrfTokenRequestAttributeHandler();
+        csrfTokenRequestAttributeHandler.setCsrfRequestAttributeName(null);
+        http.csrf().csrfTokenRequestHandler(csrfTokenRequestAttributeHandler);
         http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
-        http.csrf().ignoringAntMatchers("/webauthn/**");
+        http.csrf().ignoringRequestMatchers("/webauthn/**");
 
         return http.build();
     }
+
+    private WebExpressionAuthorizationManager getWebExpressionAuthorizationManager(final String expression) {
+        DefaultHttpSecurityExpressionHandler expressionHandler = new DefaultHttpSecurityExpressionHandler();
+        expressionHandler.setApplicationContext(applicationContext);
+        WebExpressionAuthorizationManager authorizationManager = new WebExpressionAuthorizationManager(expression);
+        authorizationManager.setExpressionHandler(expressionHandler);
+        return authorizationManager;
+    }
 }

samples/spa/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/util/modelmapper/StringToChallengeConverter.java

@@ -18,8 +18,8 @@
 
 import com.webauthn4j.data.client.challenge.Challenge;
 import com.webauthn4j.data.client.challenge.DefaultChallenge;
+import com.webauthn4j.util.Base64UrlUtil;
 import org.modelmapper.AbstractConverter;
-import org.springframework.util.Base64Utils;
 
 /**
  * Converter which converts from {@link String} to {@link Challenge}
@@ -28,7 +28,7 @@ public class StringToChallengeConverter extends AbstractConverter<String, Challe
 
     @Override
     protected Challenge convert(String source) {
-        byte[] challenge = Base64Utils.decodeFromUrlSafeString(source);
+        byte[] challenge = Base64UrlUtil.decode(source);
         return new DefaultChallenge(challenge);
     }
 }

webauthn4j-spring-security-core/src/main/java/com/webauthn4j/springframework/security/WebAuthnProcessingFilter.java

@@ -18,6 +18,7 @@
 
 import com.webauthn4j.server.ServerProperty;
 import com.webauthn4j.springframework.security.server.ServerPropertyProvider;
+import com.webauthn4j.util.Base64UrlUtil;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationServiceException;
@@ -27,7 +28,6 @@
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.util.Assert;
-import org.springframework.util.Base64Utils;
 import org.springframework.util.StringUtils;
 
 import javax.servlet.http.HttpServletRequest;
@@ -143,10 +143,10 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
             String signature = obtainSignatureData(request);
             String clientExtensionsJSON = obtainClientExtensionsJSON(request);
 
-            byte[] rawId = Base64Utils.decodeFromUrlSafeString(credentialId);
-            byte[] rawClientData = Base64Utils.decodeFromUrlSafeString(clientDataJSON);
-            byte[] rawAuthenticatorData = Base64Utils.decodeFromUrlSafeString(authenticatorData);
-            byte[] signatureBytes = Base64Utils.decodeFromUrlSafeString(signature);
+            byte[] rawId = Base64UrlUtil.decode(credentialId);
+            byte[] rawClientData = Base64UrlUtil.decode(clientDataJSON);
+            byte[] rawAuthenticatorData = Base64UrlUtil.decode(authenticatorData);
+            byte[] signatureBytes = Base64UrlUtil.decode(signature);
 
             ServerProperty serverProperty = serverPropertyProvider.provide(request);
 

webauthn4j-spring-security-core/src/test/java/com/webauthn4j/springframework/security/config/configurers/WebAuthnAuthenticationProviderConfigurerSpringTest.java

@@ -29,12 +29,14 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -49,6 +51,7 @@ public void test() {
         assertThat(providerManager.getProviders()).extracting("class").contains(WebAuthnAuthenticationProvider.class);
     }
 
+    @Configuration
     @EnableWebSecurity
     static class Config {
 
@@ -86,8 +89,8 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
             http.apply(WebAuthnLoginConfigurer.webAuthnLogin());
 
             // Authorization
-            http.authorizeRequests()
-                    .antMatchers("/login").permitAll()
+            http.authorizeHttpRequests()
+                    .requestMatchers("/login").permitAll()
                     .anyRequest().authenticated();
 
             return http.build();
@@ -97,5 +100,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         public AuthenticationManager authenticationManager(){
             return new ProviderManager(new WebAuthnAuthenticationProvider(authenticatorService, WebAuthnManager.createNonStrictWebAuthnManager()));
         }
+
+        @Bean(name = "mvcHandlerMappingIntrospector")
+        public HandlerMappingIntrospector mvcHandlerMappingIntrospector() {
+            return new HandlerMappingIntrospector();
+        }
     }
 }

webauthn4j-spring-security-core/src/test/java/com/webauthn4j/springframework/security/config/configurers/WebAuthnLoginConfigurerAnotherSpringTest.java

@@ -43,6 +43,7 @@
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
@@ -74,7 +75,7 @@ public void rootPath_with_authenticated_user_test() throws Exception {
 
     }
 
-
+    @Configuration
     @EnableWebSecurity
     static class Config {
 
@@ -83,8 +84,8 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
             http.apply(WebAuthnLoginConfigurer.webAuthnLogin());
 
             // Authorization
-            http.authorizeRequests()
-                    .antMatchers("/login").permitAll()
+            http.authorizeHttpRequests()
+                    .requestMatchers("/login").permitAll()
                     .anyRequest().authenticated();
 
             return http.build();
@@ -144,6 +145,11 @@ public AssertionOptionsEndpointFilter assertionOptionsEndpointFilter(AssertionOp
                 return new AssertionOptionsEndpointFilter(optionsProvider, objectConverter);
             }
 
+            @Bean(name = "mvcHandlerMappingIntrospector")
+            public HandlerMappingIntrospector mvcHandlerMappingIntrospector() {
+                return new HandlerMappingIntrospector();
+            }
+
         }
 
     }