Awesome
WebAuthn4J Spring Security
WebAuthn4J Spring Security provides Web Authentication specification support for your Spring application by using WebAuthn4J library. Users can login with WebAuthn compliant authenticator.
Project status
This project is under active development. API signature may change.
Documentation
You can find out more details from the reference.
Getting from Maven Central
If you are using Maven, just add the webauthn4j-spring-security as a dependency:
<properties>
...
<!-- Use the latest version whenever possible. -->
<webauthn4j-spring-security.version>0.10.0.RELEASE</webauthn4j-spring-security.version>
...
</properties>
<dependency>
<groupId>com.webauthn4j</groupId>
<artifactId>webauthn4j-spring-security-core</artifactId>
<version>${webauthn4j-spring-security.version}</version>
</dependency>
Build
WebAuthn4J Spring Security uses a Gradle based build system.
In the instructions below, gradlew
is invoked from the root of the source tree and serves as a cross-platform,
self-contained bootstrap mechanism for the build.
Prerequisites
- Java8 or later
- Spring Framework 5.0 or later
Checkout sources
git clone https://github.com/webauthn4j/webauthn4j-spring-security
Build all jars
./gradlew build
Execute sample application
./gradlew samples:spa:bootRun
Configuration
WebAuthn4J Spring Security can be configured through Spring Security Java Config.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
@Bean
public WebAuthnAuthenticationProvider webAuthnAuthenticationProvider(WebAuthnCredentialRecordService webAuthnCredentialRecordService, WebAuthnManager webAuthnManager){
return new WebAuthnAuthenticationProvider(webAuthnCredentialRecordService, webAuthnManager);
}
@Bean
public DaoAuthenticationProvider daoAuthenticationProvider(UserDetailsService userDetailsService){
DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
daoAuthenticationProvider.setUserDetailsService(userDetailsService);
daoAuthenticationProvider.setPasswordEncoder(new BCryptPasswordEncoder());
return daoAuthenticationProvider;
}
@Bean
public AuthenticationManager authenticationManager(List<AuthenticationProvider> providers){
return new ProviderManager(providers);
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
// WebAuthn Login
http.apply(WebAuthnLoginConfigurer.webAuthnLogin())
.loginPage("/login")
.usernameParameter("username")
.passwordParameter("rawPassword")
.credentialIdParameter("credentialId")
.clientDataJSONParameter("clientDataJSON")
.authenticatorDataParameter("authenticatorData")
.signatureParameter("signature")
.clientExtensionsJSONParameter("clientExtensionsJSON")
.loginProcessingUrl("/login")
.rpId("example.com")
.attestationOptionsEndpoint()
.attestationOptionsProvider(attestationOptionsProvider)
.processingUrl("/webauthn/attestation/options")
.rp()
.name("example")
.and()
.pubKeyCredParams(
new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256),
new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.RS1)
)
.authenticatorSelection()
.authenticatorAttachment(AuthenticatorAttachment.CROSS_PLATFORM)
.residentKey(ResidentKeyRequirement.PREFERRED)
.userVerification(UserVerificationRequirement.PREFERRED)
.and()
.attestation(AttestationConveyancePreference.DIRECT)
.extensions()
.credProps(true)
.uvm(true)
.and()
.assertionOptionsEndpoint()
.assertionOptionsProvider(assertionOptionsProvider)
.processingUrl("/webauthn/assertion/options")
.rpId("example.com")
.userVerification(UserVerificationRequirement.PREFERRED)
.and()
.authenticationManager(authenticationManager);
}
}
License
WebAuthn4J Spring Security is Open Source software released under the Apache 2.0 license.