Class CredentialRecordOwnerAuthorizationManager
java.lang.Object
org.springframework.security.web.webauthn.management.CredentialRecordOwnerAuthorizationManager
- All Implemented Interfaces:
org.springframework.security.authorization.AuthorizationManager<Bytes>
public final class CredentialRecordOwnerAuthorizationManager
extends Object
implements org.springframework.security.authorization.AuthorizationManager<Bytes>
An AuthorizationManager that grants access when the CredentialRecord identified by the provided credential id is owned by the currently authenticated user.
Per the WebAuthn specification, a credential id must contain at least 16 bytes with at least 100 bits of entropy, making it practically unguessable. The specification also advises that credential ids should be kept private, as exposing them can leak personally identifying information (see § 14.6.3 Privacy leak via credential IDs). This AuthorizationManager is therefore intended as defense in depth: even if a credential id were somehow exposed, an unauthorized user could not delete another user's credential.
- Since:
- 6.5.10
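
The ownership decision described above, modelled as a self-contained added example; it is not Spring Security's own code. The two maps stand in for UserCredentialRepository and PublicKeyCredentialUserEntityRepository, and the record types, field names and string ids are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

public class CredentialOwnerCheckDemo {

    // Stand-in types (assumptions), modelling only the fields the check needs.
    record CredentialRecord(String credentialId, String userEntityUserId) {}
    record UserEntity(String id, String username) {}

    private final Map<String, CredentialRecord> credentialsById = new HashMap<>();
    private final Map<String, UserEntity> usersByUsername = new HashMap<>();

    // Fail closed: any missing input or lookup miss is a denial.
    boolean isOwner(String authenticatedUsername, String credentialId) {
        if (authenticatedUsername == null || credentialId == null) {
            return false; // anonymous caller or no id supplied
        }
        CredentialRecord credential = credentialsById.get(credentialId);
        UserEntity user = usersByUsername.get(authenticatedUsername);
        if (credential == null || user == null) {
            return false; // unknown credential id, or user with no WebAuthn entity
        }
        return user.id().equals(credential.userEntityUserId());
    }

    // Delete only after the ownership decision; returns whether a record was removed.
    boolean deleteCredential(String authenticatedUsername, String credentialId) {
        if (!isOwner(authenticatedUsername, credentialId)) {
            return false;
        }
        return credentialsById.remove(credentialId) != null;
    }

    public static void main(String[] args) {
        CredentialOwnerCheckDemo demo = new CredentialOwnerCheckDemo();
        // Constructed sample data: two users, one credential owned by alice.
        demo.usersByUsername.put("alice", new UserEntity("user-handle-a", "alice"));
        demo.usersByUsername.put("bob", new UserEntity("user-handle-b", "bob"));
        demo.credentialsById.put("cred-1", new CredentialRecord("cred-1", "user-handle-a"));

        System.out.println(demo.deleteCredential("bob", "cred-1"));   // non-owner who knows the id
        System.out.println(demo.deleteCredential(null, "cred-1"));    // unauthenticated caller
        System.out.println(demo.deleteCredential("alice", "cred-1")); // owner
        System.out.println(demo.deleteCredential("alice", "cred-1")); // record already deleted
    }
}
```

The denial for a non-owner does not depend on the credential id being secret, which is the defense-in-depth property the class description names.
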
Constructor Summary
Constructors
Constructor: CredentialRecordOwnerAuthorizationManager(UserCredentialRepository userCredentials, PublicKeyCredentialUserEntityRepository userEntities)
Description: Creates a new instance.
Method Summary
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.springframework.security.authorization.AuthorizationManager
authorize, verify
Constructor Details
CredentialRecordOwnerAuthorizationManager
public CredentialRecordOwnerAuthorizationManager(UserCredentialRepository userCredentials, PublicKeyCredentialUserEntityRepository userEntities)
Creates a new instance.
- Parameters:
userCredentials - the UserCredentialRepository to use
userEntities - the PublicKeyCredentialUserEntityRepository to use
Method Details