webauthn4j / webauthn4j-spring-security

WebAuthn4J Extension for Spring Security
Apache License 2.0

WebAuthn4J Spring Security

WebAuthn4J Spring Security provides Web Authentication specification support for your Spring application by using the WebAuthn4J library. Users can log in with a WebAuthn-compliant authenticator.

Project status

This project is under active development. API signatures may change.

Documentation

You can find more details in the reference.

Getting from Maven Central

If you are using Maven, add webauthn4j-spring-security as a dependency:

<properties>
  ...
  <!-- Use the latest version whenever possible. -->
  <webauthn4j-spring-security.version>0.10.0.RELEASE</webauthn4j-spring-security.version>
  ...
</properties>

<dependency>
    <groupId>com.webauthn4j</groupId>
    <artifactId>webauthn4j-spring-security-core</artifactId>
    <version>${webauthn4j-spring-security.version}</version>
</dependency>

Build

WebAuthn4J Spring Security uses a Gradle-based build system. In the instructions below, gradlew is invoked from the root of the source tree and serves as a cross-platform, self-contained bootstrap mechanism for the build.

Prerequisites

Checkout sources

git clone https://github.com/webauthn4j/webauthn4j-spring-security

Build all jars

./gradlew build

Execute sample application

./gradlew samples:spa:bootRun

Configuration

WebAuthn4J Spring Security can be configured through Spring Security Java Config.

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public WebAuthnAuthenticationProvider webAuthnAuthenticationProvider(WebAuthnCredentialRecordService webAuthnCredentialRecordService, WebAuthnManager webAuthnManager){
        return new WebAuthnAuthenticationProvider(webAuthnCredentialRecordService, webAuthnManager);
    }

    @Bean
    public DaoAuthenticationProvider daoAuthenticationProvider(UserDetailsService userDetailsService){
        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
        daoAuthenticationProvider.setUserDetailsService(userDetailsService);
        daoAuthenticationProvider.setPasswordEncoder(new BCryptPasswordEncoder());
        return daoAuthenticationProvider;
    }

    @Bean
    public AuthenticationManager authenticationManager(List<AuthenticationProvider> providers){
        return new ProviderManager(providers);
    }

    @Bean
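    public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager,
                                           AttestationOptionsProvider attestationOptionsProvider,
                                           AssertionOptionsProvider assertionOptionsProvider) throws Exception {
        // The two options providers are assumed to be defined as beans elsewhere in the application.
        // WebAuthn Login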
        http.apply(WebAuthnLoginConfigurer.webAuthnLogin())
                .loginPage("/login")
                .usernameParameter("username")
                .passwordParameter("rawPassword")
                .credentialIdParameter("credentialId")
                .clientDataJSONParameter("clientDataJSON")
                .authenticatorDataParameter("authenticatorData")
                .signatureParameter("signature")
                .clientExtensionsJSONParameter("clientExtensionsJSON")
                .loginProcessingUrl("/login")
                .rpId("example.com")
                .attestationOptionsEndpoint()
                .attestationOptionsProvider(attestationOptionsProvider)
                .processingUrl("/webauthn/attestation/options")
                .rp()
                .name("example")
                .and()
                .pubKeyCredParams(
                        new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256),
                        // RS1 is RSASSA-PKCS1-v1_5 with SHA-1; list it only if legacy authenticators require it.
                        new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.RS1)
                )
                .authenticatorSelection()
                .authenticatorAttachment(AuthenticatorAttachment.CROSS_PLATFORM)
                .residentKey(ResidentKeyRequirement.PREFERRED)
                .userVerification(UserVerificationRequirement.PREFERRED)
                .and()
                .attestation(AttestationConveyancePreference.DIRECT)
                .extensions()
                .credProps(true)
                .uvm(true)
                .and()
                .assertionOptionsEndpoint()
                .assertionOptionsProvider(assertionOptionsProvider)
                .processingUrl("/webauthn/assertion/options")
                .rpId("example.com")
                .userVerification(UserVerificationRequirement.PREFERRED)
                .and()
                .authenticationManager(authenticationManager);
        // Build and return the configured filter chain.
        return http.build();
    }
}

License

WebAuthn4J Spring Security is Open Source software released under the Apache 2.0 license.