Merge pull request #414 from webauthn4j/make-fido-conformance-test-tool-pass-again

Make FIDO conformance test tool pass again

Author: ynojima

samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/fido/server/endpoint/FidoServerAssertionOptionsEndpointFilter.java

@@ -26,14 +26,14 @@
 import com.webauthn4j.springframework.security.challenge.ChallengeRepository;
 import com.webauthn4j.springframework.security.options.AssertionOptionsProvider;
 import com.webauthn4j.util.Base64UrlUtil;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.util.Assert;
 
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.UncheckedIOException;
+import java.util.Collections;
 import java.util.List;
 import java.util.stream.Collectors;
 
@@ -86,8 +86,8 @@ protected ServerResponse processRequest(HttpServletRequest request) {
                     objectConverter.getJsonConverter().readValue(inputStream, ServerPublicKeyCredentialGetOptionsRequest.class);
             Challenge challenge = serverEndpointFilterUtil.encodeUserVerification(new DefaultChallenge(), serverRequest.getUserVerification());
             challengeRepository.saveChallenge(challenge, request);
-            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-            PublicKeyCredentialRequestOptions options = optionsProvider.getAssertionOptions(request, authentication);
+            //TODO: UsernamePasswordAuthenticationToken should not be used here in this way
+            PublicKeyCredentialRequestOptions options = optionsProvider.getAssertionOptions(request, new UsernamePasswordAuthenticationToken(serverRequest.getUsername(), null, Collections.emptyList()));
             List<ServerPublicKeyCredentialDescriptor> credentials = options.getAllowCredentials().stream()
                     .map(credential -> new ServerPublicKeyCredentialDescriptor(credential.getType(), Base64UrlUtil.encodeToString(credential.getId()), credential.getTransports()))
                     .collect(Collectors.toList());

samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/fido/server/endpoint/FidoServerAttestationOptionsEndpointFilter.java

@@ -26,15 +26,15 @@
 import com.webauthn4j.springframework.security.challenge.ChallengeRepository;
 import com.webauthn4j.springframework.security.options.AttestationOptionsProvider;
 import com.webauthn4j.util.Base64UrlUtil;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.util.Assert;
 
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.UncheckedIOException;
 import java.nio.ByteBuffer;
+import java.util.Collections;
 import java.util.List;
 import java.util.UUID;
 import java.util.stream.Collectors;
@@ -85,12 +85,12 @@ protected ServerResponse processRequest(HttpServletRequest request) {
         try {
             ServerPublicKeyCredentialCreationOptionsRequest serverRequest = objectConverter.getJsonConverter()
                     .readValue(inputStream, ServerPublicKeyCredentialCreationOptionsRequest.class);
-            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-            String username = authentication.getName();
+            String username = serverRequest.getUsername();
             String displayName = serverRequest.getDisplayName();
             Challenge challenge = serverEndpointFilterUtil.encodeUsername(new DefaultChallenge(), username);
             challengeRepository.saveChallenge(challenge, request);
-            PublicKeyCredentialCreationOptions attestationOptions = optionsProvider.getAttestationOptions(request, authentication);
+            //TODO: UsernamePasswordAuthenticationToken should not be used here in this way
+            PublicKeyCredentialCreationOptions attestationOptions = optionsProvider.getAttestationOptions(request, new UsernamePasswordAuthenticationToken(username, null, Collections.emptyList()));
             String userHandle;
             if (attestationOptions.getUser() == null) {
                 userHandle = Base64UrlUtil.encodeToString(generateUserHandle());

samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/fido/server/endpoint/FidoServerAttestationResultEndpointFilter.java

@@ -118,7 +118,7 @@ protected ServerResponse processRequest(HttpServletRequest request) {
             WebAuthnAuthenticatorImpl webAuthnAuthenticator =
                     new WebAuthnAuthenticatorImpl(
                             "Authenticator",
-                            userDetails,
+                            loginUsername,
                             attestationObject.getAuthenticatorData().getAttestedCredentialData(),
                             attestationObject.getAttestationStatement(),
                             attestationObject.getAuthenticatorData().getSignCount()

samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/SampleWebApplication.java

@@ -17,8 +17,6 @@
 package com.webauthn4j.springframework.security.webauthn.sample;
 
 import com.webauthn4j.springframework.security.webauthn.sample.app.config.AppConfig;
-import com.webauthn4j.springframework.security.webauthn.sample.domain.config.DomainConfig;
-import com.webauthn4j.springframework.security.webauthn.sample.infrastructure.config.InfrastructureConfig;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.SpringBootConfiguration;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
@@ -27,7 +25,7 @@
 /**
  * SampleWebApplication
  */
-@Import({AppConfig.class, DomainConfig.class, InfrastructureConfig.class})
+@Import({AppConfig.class})
 @SpringBootConfiguration
 @EnableAutoConfiguration
 public class SampleWebApplication {

samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/config/WebSecurityBeanConfig.java

@@ -27,6 +27,8 @@
 import com.webauthn4j.metadata.*;
 import com.webauthn4j.metadata.converter.jackson.WebAuthnMetadataJSONModule;
 import com.webauthn4j.springframework.security.WebAuthnRegistrationRequestValidator;
+import com.webauthn4j.springframework.security.authenticator.InMemoryWebAuthnAuthenticatorManager;
+import com.webauthn4j.springframework.security.authenticator.WebAuthnAuthenticatorManager;
 import com.webauthn4j.springframework.security.authenticator.WebAuthnAuthenticatorService;
 import com.webauthn4j.springframework.security.challenge.ChallengeRepository;
 import com.webauthn4j.springframework.security.challenge.HttpSessionChallengeRepository;
@@ -53,35 +55,35 @@
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.ResourceLoader;
 import org.springframework.core.io.support.ResourcePatternUtils;
-import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
-import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.access.AccessDeniedHandler;
-import org.springframework.security.web.access.AccessDeniedHandlerImpl;
-import org.springframework.security.web.access.DelegatingAccessDeniedHandler;
-import org.springframework.security.web.authentication.*;
-import org.springframework.security.web.authentication.logout.ForwardLogoutSuccessHandler;
-import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
-import org.springframework.security.web.csrf.InvalidCsrfTokenException;
-import org.springframework.security.web.csrf.MissingCsrfTokenException;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.provisioning.UserDetailsManager;
 import org.springframework.web.client.RestTemplate;
 
 import java.io.IOException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.LinkedHashMap;
 import java.util.List;
 
 @Configuration
 public class WebSecurityBeanConfig {
 
+    @Bean
+    public WebAuthnAuthenticatorManager webAuthnAuthenticatorManager(){
+        return new InMemoryWebAuthnAuthenticatorManager();
+    }
+
+    @Bean
+    public UserDetailsManager userDetailsManager(){
+        return new InMemoryUserDetailsManager();
+    }
+
     @Bean
     public WebAuthnRegistrationRequestValidator webAuthnRegistrationRequestValidator(WebAuthnManager webAuthnManager, ServerPropertyProvider serverPropertyProvider) {
         return new WebAuthnRegistrationRequestValidator(webAuthnManager, serverPropertyProvider);
@@ -242,57 +244,4 @@ public ObjectConverter objectConverter() {
         return new ObjectConverter(jsonMapper, cborMapper);
     }
 
-
-    @Bean
-    public AuthenticationSuccessHandler authenticationSuccessHandler() {
-        return new ForwardAuthenticationSuccessHandler("/api/status/200");
-    }
-
-    @Bean
-    public AuthenticationFailureHandler authenticationFailureHandler() {
-        LinkedHashMap<Class<? extends AuthenticationException>, AuthenticationFailureHandler> authenticationFailureHandlers = new LinkedHashMap<>();
-
-        // authenticator error handler
-        ForwardAuthenticationFailureHandler authenticationFailureHandler = new ForwardAuthenticationFailureHandler("/api/status/401");
-        authenticationFailureHandlers.put(AuthenticationException.class, authenticationFailureHandler);
-
-        // default error handler
-        AuthenticationFailureHandler defaultAuthenticationFailureHandler = new ForwardAuthenticationFailureHandler("/api/status/401");
-
-        return new DelegatingAuthenticationFailureHandler(authenticationFailureHandlers, defaultAuthenticationFailureHandler);
-    }
-
-    @Bean
-    public LogoutSuccessHandler logoutSuccessHandler() {
-        return new ForwardLogoutSuccessHandler("/api/status/200");
-    }
-
-    @Bean
-    public AccessDeniedHandler accessDeniedHandler() {
-        LinkedHashMap<Class<? extends AccessDeniedException>, AccessDeniedHandler> errorHandlers = new LinkedHashMap<>();
-
-        // invalid csrf authenticator error handler
-        AccessDeniedHandlerImpl invalidCsrfTokenErrorHandler = new AccessDeniedHandlerImpl();
-        invalidCsrfTokenErrorHandler.setErrorPage("/api/status/403");
-        errorHandlers.put(InvalidCsrfTokenException.class, invalidCsrfTokenErrorHandler);
-
-        // missing csrf authenticator error handler
-        AccessDeniedHandlerImpl missingCsrfTokenErrorHandler = new AccessDeniedHandlerImpl();
-        missingCsrfTokenErrorHandler.setErrorPage("/api/status/403");
-        errorHandlers.put(MissingCsrfTokenException.class, missingCsrfTokenErrorHandler);
-
-        // default error handler
-        AccessDeniedHandlerImpl defaultErrorHandler = new AccessDeniedHandlerImpl();
-        defaultErrorHandler.setErrorPage("/api/status/403");
-
-        return new DelegatingAccessDeniedHandler(errorHandlers, defaultErrorHandler);
-    }
-
-    @Bean
-    public AuthenticationEntryPoint authenticationEntryPoint() {
-        LoginUrlAuthenticationEntryPoint authenticationEntryPoint = new LoginUrlAuthenticationEntryPoint("/api/status/401");
-        authenticationEntryPoint.setUseForward(true);
-        return authenticationEntryPoint;
-    }
-
 }

samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/config/WebSecurityConfig.java

@@ -35,24 +35,18 @@
 import com.webauthn4j.springframework.security.options.AttestationOptionsProvider;
 import com.webauthn4j.springframework.security.server.ServerPropertyProvider;
 import com.webauthn4j.springframework.security.webauthn.sample.app.security.SampleUsernameNotFoundHandler;
-import com.webauthn4j.springframework.security.webauthn.sample.domain.component.UserManager;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.access.AccessDeniedHandler;
-import org.springframework.security.web.authentication.AuthenticationFailureHandler;
-import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
-import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+import org.springframework.security.provisioning.UserDetailsManager;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.session.SessionManagementFilter;
 
@@ -68,24 +62,6 @@
 
     private static final String ADMIN_ROLE = "ADMIN";
 
-    @Autowired
-    private AuthenticationSuccessHandler authenticationSuccessHandler;
-
-    @Autowired
-    private AuthenticationFailureHandler authenticationFailureHandler;
-
-    @Autowired
-    private AccessDeniedHandler accessDeniedHandler;
-
-    @Autowired
-    private LogoutSuccessHandler logoutSuccessHandler;
-
-    @Autowired
-    private AuthenticationEntryPoint authenticationEntryPoint;
-
-    @Autowired
-    private DaoAuthenticationProvider daoAuthenticationProvider;
-
     @Autowired
     private WebAuthnAuthenticatorService authenticatorService;
 
@@ -96,7 +72,7 @@
     private WebAuthnRegistrationRequestValidator webAuthnRegistrationRequestValidator;
 
     @Autowired
-    private UserManager userManager;
+    private UserDetailsManager userDetailsManager;
 
     @Autowired
     private ObjectConverter objectConverter;
@@ -164,8 +140,8 @@ protected void configure(HttpSecurity http) throws Exception {
 
 
         FidoServerAttestationOptionsEndpointFilter fidoServerAttestationOptionsEndpointFilter = new FidoServerAttestationOptionsEndpointFilter(objectConverter, attestationOptionsProvider, challengeRepository);
-        FidoServerAttestationResultEndpointFilter fidoServerAttestationResultEndpointFilter = new FidoServerAttestationResultEndpointFilter(objectConverter, userManager, webAuthnAuthenticatorManager, webAuthnRegistrationRequestValidator);
-        fidoServerAttestationResultEndpointFilter.setUsernameNotFoundHandler(new SampleUsernameNotFoundHandler(userManager));
+        FidoServerAttestationResultEndpointFilter fidoServerAttestationResultEndpointFilter = new FidoServerAttestationResultEndpointFilter(objectConverter, userDetailsManager, webAuthnAuthenticatorManager, webAuthnRegistrationRequestValidator);
+        fidoServerAttestationResultEndpointFilter.setUsernameNotFoundHandler(new SampleUsernameNotFoundHandler(userDetailsManager));
         FidoServerAssertionOptionsEndpointFilter fidoServerAssertionOptionsEndpointFilter = new FidoServerAssertionOptionsEndpointFilter(objectConverter, assertionOptionsProvider, challengeRepository);
         FidoServerAssertionResultEndpointFilter fidoServerAssertionResultEndpointFilter = new FidoServerAssertionResultEndpointFilter(objectConverter, serverPropertyProvider);
         fidoServerAssertionResultEndpointFilter.setAuthenticationManager(authenticationManagerBean());
@@ -175,19 +151,6 @@ protected void configure(HttpSecurity http) throws Exception {
         http.addFilterAfter(fidoServerAssertionOptionsEndpointFilter, SessionManagementFilter.class);
         http.addFilterAfter(fidoServerAssertionResultEndpointFilter, SessionManagementFilter.class);
 
-
-//        // FIDO Server Endpoints
-//        http.apply(fidoServer())
-//                .fidoServerAttestationOptionsEndpoint()
-//                .and()
-//                .fidoServerAttestationResultEndpointConfig()
-//                .webAuthnRegistrationRequestValidator(webAuthnRegistrationRequestValidator)
-//                .usernameNotFoundHandler(new SampleUsernameNotFoundHandler(userManager))
-//                .and()
-//                .fidoServerAssertionOptionsEndpointConfig()
-//                .and()
-//                .fidoServerAssertionResultEndpoint();
-
         // Authorization
         http.authorizeRequests()
                 .mvcMatchers("/").permitAll()
@@ -200,13 +163,6 @@ protected void configure(HttpSecurity http) throws Exception {
                 .mvcMatchers("/api/admin/**").hasRole(ADMIN_ROLE)
                 .anyRequest().fullyAuthenticated();
 
-        http.sessionManagement()
-                .sessionAuthenticationFailureHandler(authenticationFailureHandler);
-
-        http.exceptionHandling()
-                .authenticationEntryPoint(authenticationEntryPoint)
-                .accessDeniedHandler(accessDeniedHandler);
-
         //TODO:
         http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
 

samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/security/SampleUsernameNotFoundHandler.java

@@ -17,32 +17,22 @@
 package com.webauthn4j.springframework.security.webauthn.sample.app.security;
 
 import com.webauthn4j.springframework.security.fido.server.endpoint.UsernameNotFoundHandler;
-import com.webauthn4j.springframework.security.webauthn.sample.domain.component.UserManager;
-import com.webauthn4j.springframework.security.webauthn.sample.domain.entity.UserEntity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.provisioning.UserDetailsManager;
 
 import java.util.Collections;
 
 public class SampleUsernameNotFoundHandler implements UsernameNotFoundHandler {
 
-    private final UserManager userManager;
+    private final UserDetailsManager userDetailsManager;
 
-    public SampleUsernameNotFoundHandler(UserManager userManager) {
-        this.userManager = userManager;
+    public SampleUsernameNotFoundHandler(UserDetailsManager userDetailsManager) {
+        this.userDetailsManager = userDetailsManager;
     }
 
     @Override
     public void onUsernameNotFound(String loginUsername) {
-        byte[] userHandle = new byte[0]; //TODO
-        UserEntity userEntity = new UserEntity();
-        userEntity.setUserHandle(userHandle);
-        userEntity.setEmailAddress(loginUsername);
-        userEntity.setLastName("dummy");
-        userEntity.setFirstName("dummy");
-        userEntity.setSingleFactorAuthenticationAllowed(false);
-        userEntity.setPassword("dummy");
-        userEntity.setGroups(Collections.emptyList());
-        userEntity.setAuthorities(Collections.emptyList());
-        userEntity.setAuthenticators(Collections.emptyList());
-        userManager.createUser(userEntity);
+        User user = new User(loginUsername, "dummy", Collections.emptyList());
+        userDetailsManager.createUser(user);
     }
 }