Address Spring Security 6.0 changes

ynojima · ynojima · commit e06d60a42468 · 2024-04-28T00:53:32.000+09:00
diff --git a/samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/config/WebSecurityConfig.java b/samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/config/WebSecurityConfig.java
@@ -113,23 +113,25 @@ public WebSecurityCustomizer webSecurityCustomizer() {
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
         // WebAuthn Config
-        http.apply(WebAuthnLoginConfigurer.webAuthnLogin())
-                .attestationOptionsEndpoint()
-                .rp()
-                .name("WebAuthn4J Spring Security Sample")
-                .and()
-                .pubKeyCredParams(
-                        new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256),
-                        new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.RS1),
-                        new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.EdDSA)
-                )
-                .extensions()
-                .entry("example.extension", "test")
-                .and()
-                .assertionOptionsEndpoint()
-                .extensions()
-                .entry("example.extension", "test")
-                .and();
+        http.with(WebAuthnLoginConfigurer.webAuthnLogin(), (customizer)->{
+            customizer
+                    .attestationOptionsEndpoint()
+                    .rp()
+                    .name("WebAuthn4J Spring Security Sample")
+                    .and()
+                    .pubKeyCredParams(
+                            new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256),
+                            new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.RS1),
+                            new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.EdDSA)
+                    )
+                    .extensions()
+                    .entry("example.extension", "test")
+                    .and()
+                    .assertionOptionsEndpoint()
+                    .extensions()
+                    .entry("example.extension", "test")
+                    .and();
+        });
 
         FidoServerAttestationOptionsEndpointFilter fidoServerAttestationOptionsEndpointFilter = new FidoServerAttestationOptionsEndpointFilter(objectConverter, attestationOptionsProvider, challengeRepository);
         FidoServerAttestationResultEndpointFilter fidoServerAttestationResultEndpointFilter = new FidoServerAttestationResultEndpointFilter(objectConverter, userDetailsManager, webAuthnAuthenticatorManager, webAuthnRegistrationRequestValidator);
@@ -144,21 +146,25 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager
         http.addFilterAfter(fidoServerAssertionResultEndpointFilter, SessionManagementFilter.class);
 
         // Authorization
-        http.authorizeHttpRequests()
-                .requestMatchers("/").permitAll()
-                .requestMatchers("/api/auth/status").permitAll()
-                .requestMatchers(HttpMethod.GET, "/login").permitAll()
-                .requestMatchers(HttpMethod.POST, "/api/profile").permitAll()
-                .requestMatchers("/health/**").permitAll()
-                .requestMatchers("/info/**").permitAll()
-                .requestMatchers("/h2-console/**").denyAll()
-                .requestMatchers("/api/admin/**").hasRole(ADMIN_ROLE)
-                .anyRequest().fullyAuthenticated();
+        http.authorizeHttpRequests(customizer -> {
+            customizer
+                    .requestMatchers("/").permitAll()
+                    .requestMatchers("/api/auth/status").permitAll()
+                    .requestMatchers(HttpMethod.GET, "/login").permitAll()
+                    .requestMatchers(HttpMethod.POST, "/api/profile").permitAll()
+                    .requestMatchers("/health/**").permitAll()
+                    .requestMatchers("/info/**").permitAll()
+                    .requestMatchers("/h2-console/**").denyAll()
+                    .requestMatchers("/api/admin/**").hasRole(ADMIN_ROLE)
+                    .anyRequest().fullyAuthenticated();
+        });
 
-        //TODO:
-        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
 
-        http.csrf().ignoringRequestMatchers("/webauthn/**");
+        //TODO:
+        http.csrf(customizer -> {
+            customizer.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+            customizer.ignoringRequestMatchers("/webauthn/**");
+        });
 
         http.authenticationManager(authenticationManager);
 
diff --git a/samples/mpa/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/config/WebSecurityConfig.java b/samples/mpa/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/config/WebSecurityConfig.java
@@ -37,6 +37,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
@@ -86,32 +87,34 @@ public WebSecurityCustomizer webSecurityCustomizer() {
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
         // WebAuthn Login
-        http.apply(WebAuthnLoginConfigurer.webAuthnLogin())
-                .defaultSuccessUrl("/", true)
-                .failureUrl("/login")
-                .attestationOptionsEndpoint()
-                .rp()
-                .name("WebAuthn4J Spring Security Sample")
-                .and()
-                .pubKeyCredParams(
-                        new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256),
-                        new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.RS1)
-                )
-                .attestation(AttestationConveyancePreference.NONE)
-                .extensions()
-                .uvm(true)
-                .credProps(true)
-                .extensionProviders()
-                .and()
-                .assertionOptionsEndpoint()
-                .extensions()
-                .extensionProviders();
+        http.with(WebAuthnLoginConfigurer.webAuthnLogin(), (customizer)-> {
+            customizer
+                    .defaultSuccessUrl("/", true)
+                    .failureUrl("/login")
+                    .attestationOptionsEndpoint()
+                    .rp()
+                    .name("WebAuthn4J Spring Security Sample")
+                    .and()
+                    .pubKeyCredParams(
+                            new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256),
+                            new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.RS1)
+                    )
+                    .attestation(AttestationConveyancePreference.NONE)
+                    .extensions()
+                    .uvm(true)
+                    .credProps(true)
+                    .extensionProviders()
+                    .and()
+                    .assertionOptionsEndpoint()
+                    .extensions()
+                    .extensionProviders();
+        });
 
         http.headers(headers -> {
             // 'publickey-credentials-get *' allows getting WebAuthn credentials to all nested browsing contexts (iframes) regardless of their origin.
             headers.permissionsPolicy(config -> config.policy("publickey-credentials-get *"));
             // Disable "X-Frame-Options" to allow cross-origin iframe access
-            headers.frameOptions().disable();
+            headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::disable);
         });
 
 
@@ -123,14 +126,18 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager
                 .anyRequest().access(getWebExpressionAuthorizationManager("@webAuthnSecurityExpression.isWebAuthnAuthenticated(authentication) || hasAuthority('SINGLE_FACTOR_AUTHN_ALLOWED')"))
         );
 
-        http.exceptionHandling()
-                .accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/login"));
+        http.exceptionHandling(customizer -> {
+            customizer.accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/login"));
+        });
+
 
         http.authenticationManager(authenticationManager);
 
         // As WebAuthn has its own CSRF protection mechanism (challenge), CSRF token is disabled here
-        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
-        http.csrf().ignoringRequestMatchers("/webauthn/**");
+        http.csrf(customizer -> {
+            customizer.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+            customizer.ignoringRequestMatchers("/webauthn/**");
+        });
 
         return http.build();
 
diff --git a/samples/spa/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/config/WebSecurityConfig.java b/samples/spa/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/config/WebSecurityConfig.java
@@ -35,6 +35,7 @@
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.web.AuthenticationEntryPoint;
@@ -97,39 +98,41 @@ public AuthenticationManager authenticationManager(List<AuthenticationProvider>
 
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
+
+        http.authenticationManager(authenticationManager);
         // WebAuthn Login
-        http.apply(WebAuthnLoginConfigurer.webAuthnLogin())
-                .usernameParameter("username")
-                .passwordParameter("password")
-                .credentialIdParameter("credentialId")
-                .clientDataJSONParameter("clientDataJSON")
-                .authenticatorDataParameter("authenticatorData")
-                .signatureParameter("signature")
-                .clientExtensionsJSONParameter("clientExtensionsJSON")
-                .loginProcessingUrl("/login")
-                .attestationOptionsEndpoint()
-                .rp()
-                .name("WebAuthn4J Spring Security Sample")
-                .and()
-                .pubKeyCredParams(
-                        new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.RS256), // Windows Hello
-                        new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256) // FIDO U2F Key, etc
-                )
-                .extensions()
-                .credProps(true)
-                .and()
-                .assertionOptionsEndpoint()
-                .and()
-                .successHandler(authenticationSuccessHandler)
-                .failureHandler(authenticationFailureHandler)
-                .and()
-                .authenticationManager(authenticationManager);
+        http.with(WebAuthnLoginConfigurer.webAuthnLogin(), (customizer) ->{
+            customizer
+                    .usernameParameter("username")
+                    .passwordParameter("password")
+                    .credentialIdParameter("credentialId")
+                    .clientDataJSONParameter("clientDataJSON")
+                    .authenticatorDataParameter("authenticatorData")
+                    .signatureParameter("signature")
+                    .clientExtensionsJSONParameter("clientExtensionsJSON")
+                    .loginProcessingUrl("/login")
+                    .attestationOptionsEndpoint()
+                    .rp()
+                        .name("WebAuthn4J Spring Security Sample")
+                    .and()
+                    .pubKeyCredParams(
+                            new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.RS256), // Windows Hello
+                            new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256) // FIDO U2F Key, etc
+                    )
+                    .extensions()
+                        .credProps(true)
+                    .and()
+                    .assertionOptionsEndpoint()
+                    .and()
+                    .successHandler(authenticationSuccessHandler)
+                    .failureHandler(authenticationFailureHandler);
+        });
 
         http.headers(headers -> {
             // 'publickey-credentials-get *' allows getting WebAuthn credentials to all nested browsing contexts (iframes) regardless of their origin.
             headers.permissionsPolicy(config -> config.policy("publickey-credentials-get *"));
             // Disable "X-Frame-Options" to allow cross-origin iframe access
-            headers.frameOptions().disable();
+            headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::disable);
         });
 
         // Authorization
@@ -151,23 +154,26 @@ public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager
         );
 
         // Logout
-        http.logout()
-                .logoutUrl("/logout")
-                .logoutSuccessHandler(logoutSuccessHandler);
+        http.logout(customizer -> {
+            customizer.logoutUrl("/logout");
+            customizer.logoutSuccessHandler(logoutSuccessHandler);
+        });
 
-        http.sessionManagement()
-                .sessionAuthenticationFailureHandler(authenticationFailureHandler);
+        http.sessionManagement(customizer -> customizer.sessionAuthenticationFailureHandler(authenticationFailureHandler));
 
-        http.exceptionHandling()
-                .authenticationEntryPoint(authenticationEntryPoint)
-                .accessDeniedHandler(accessDeniedHandler);
+        http.exceptionHandling(customizer -> {
+            customizer.authenticationEntryPoint(authenticationEntryPoint);
+            customizer.accessDeniedHandler(accessDeniedHandler);
+        });
 
         // As WebAuthn has its own CSRF protection mechanism (challenge), CSRF token is disabled here
         CsrfTokenRequestAttributeHandler csrfTokenRequestAttributeHandler = new CsrfTokenRequestAttributeHandler();
         csrfTokenRequestAttributeHandler.setCsrfRequestAttributeName(null);
-        http.csrf().csrfTokenRequestHandler(csrfTokenRequestAttributeHandler);
-        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
-        http.csrf().ignoringRequestMatchers("/webauthn/**");
+        http.csrf(customizer ->{
+            customizer.csrfTokenRequestHandler(csrfTokenRequestAttributeHandler);
+            customizer.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+            customizer.ignoringRequestMatchers("/webauthn/**");
+        });
 
         return http.build();
     }
diff --git a/webauthn4j-spring-security-core/src/test/java/com/webauthn4j/springframework/security/config/configurers/WebAuthnAuthenticationProviderConfigurerSpringTest.java b/webauthn4j-spring-security-core/src/test/java/com/webauthn4j/springframework/security/config/configurers/WebAuthnAuthenticationProviderConfigurerSpringTest.java
@@ -86,12 +86,15 @@ public ServerPropertyProvider serverPropertyProvider(RpIdProvider rpIdProvider,
         @Bean
         public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
             // Authentication
-            http.apply(WebAuthnLoginConfigurer.webAuthnLogin());
+            http.with(WebAuthnLoginConfigurer.webAuthnLogin(), (customizer)->{
+            });
 
             // Authorization
-            http.authorizeHttpRequests()
-                    .requestMatchers("/login").permitAll()
-                    .anyRequest().authenticated();
+            http.authorizeHttpRequests((authorizeHttpRequestsCustomizer)->{
+                authorizeHttpRequestsCustomizer.requestMatchers("/login").permitAll();
+                authorizeHttpRequestsCustomizer.anyRequest().authenticated();
+            });
+
 
             return http.build();
         }
diff --git a/webauthn4j-spring-security-core/src/test/java/com/webauthn4j/springframework/security/config/configurers/WebAuthnLoginConfigurerAnotherSpringTest.java b/webauthn4j-spring-security-core/src/test/java/com/webauthn4j/springframework/security/config/configurers/WebAuthnLoginConfigurerAnotherSpringTest.java
@@ -81,12 +81,14 @@ static class Config {
 
         @Bean
         public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-            http.apply(WebAuthnLoginConfigurer.webAuthnLogin());
+            http.with(WebAuthnLoginConfigurer.webAuthnLogin(), (customizer)->{
+            });
 
             // Authorization
-            http.authorizeHttpRequests()
-                    .requestMatchers("/login").permitAll()
-                    .anyRequest().authenticated();
+            http.authorizeHttpRequests(authorizeHttpRequestsCustomizer->{
+                authorizeHttpRequestsCustomizer.requestMatchers("/login").permitAll();
+                authorizeHttpRequestsCustomizer.anyRequest().authenticated();
+            });
 
             return http.build();
         }
diff --git a/webauthn4j-spring-security-core/src/test/java/com/webauthn4j/springframework/security/config/configurers/WebAuthnLoginConfigurerMinimalConfigSpringTest.java b/webauthn4j-spring-security-core/src/test/java/com/webauthn4j/springframework/security/config/configurers/WebAuthnLoginConfigurerMinimalConfigSpringTest.java
@@ -68,12 +68,13 @@ static class Config {
         @Bean
         public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
-            http.apply(WebAuthnLoginConfigurer.webAuthnLogin());
-
+            http.with(WebAuthnLoginConfigurer.webAuthnLogin(), (customizer)->{});
             // Authorization
-            http.authorizeHttpRequests()
-                    .requestMatchers("/login").permitAll()
-                    .anyRequest().authenticated();
+            http.authorizeHttpRequests(authorizeHttpRequestsCustomizer->{
+                authorizeHttpRequestsCustomizer.requestMatchers("/login").permitAll();
+                authorizeHttpRequestsCustomizer.anyRequest().authenticated();
+            });
+
 
             return http.build();
         }
diff --git a/webauthn4j-spring-security-core/src/test/java/com/webauthn4j/springframework/security/config/configurers/WebAuthnLoginConfigurerSpringTest.java b/webauthn4j-spring-security-core/src/test/java/com/webauthn4j/springframework/security/config/configurers/WebAuthnLoginConfigurerSpringTest.java
