Class WebAuthnRegistrationFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.web.filter.OncePerRequestFilter
org.springframework.security.web.webauthn.registration.WebAuthnRegistrationFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class WebAuthnRegistrationFilter extends org.springframework.web.filter.OncePerRequestFilter
Authenticates a PublicKeyCredential<AuthenticatorAssertionResponse> parsed from the body of the HttpServletRequest by the HttpMessageConverter configured with setConverter(HttpMessageConverter). An example request body is provided below:
 {
   "publicKey": {
     "credential": {
       "id": "dYF7EGnRFFIXkpXi9XU2wg",
       "rawId": "dYF7EGnRFFIXkpXi9XU2wg",
       "response": {
         "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViUy9GqwTRaMpzVDbXq1dyEAXVOxrou08k22ggRC45MKNhdAAAAALraVWanqkAfvZZFYZpVEg0AEHWBexBp0RRSF5KV4vV1NsKlAQIDJiABIVggQjmrekPGzyqtoKK9HPUH-8Z2FLpoqkklFpFPQVICQ3IiWCD6I9Jvmor685fOZOyGXqUd87tXfvJk8rxj9OhuZvUALA",
         "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiSl9RTi10SFJYRWVKYjlNcUNrWmFPLUdOVmlibXpGVGVWMk43Z0ptQUdrQSIsIm9yaWdpbiI6Imh0dHBzOi8vZXhhbXBsZS5sb2NhbGhvc3Q6ODQ0MyIsImNyb3NzT3JpZ2luIjpmYWxzZX0",
         "transports": [
           "internal",
           "hybrid"
         ]
       },
       "type": "public-key",
       "clientExtensionResults": {},
       "authenticatorAttachment": "platform"
     },
     "label": "1password"
   }
 }
Since:
6.4
  • Constructor Details

  • Method Details

    • setRegisterCredentialMatcher

      public void setRegisterCredentialMatcher(RequestMatcher registerCredentialMatcher)
      Sets the RequestMatcher that triggers this filter's credential registration operation.

      By default, the RequestMatcher is POST /webauthn/register.

      Parameters:
      registerCredentialMatcher - the RequestMatcher to use
      Since:
      6.5
    • setRemoveCredentialMatcher

      public void setRemoveCredentialMatcher(RequestMatcher removeCredentialMatcher)
      Sets the RequestMatcher that triggers this filter's credential removal operation.

      By default, the RequestMatcher is DELETE /webauthn/register/{id}.

      Parameters:
      removeCredentialMatcher - the RequestMatcher to use
      Since:
      6.5
    • setDeleteCredentialAuthorizationManager

      public void setDeleteCredentialAuthorizationManager(org.springframework.security.authorization.AuthorizationManager<Bytes> deleteCredentialAuthorizationManager)
      Sets the AuthorizationManager used to authorize the delete credential operation. The object being authorized is the credential id as Bytes. By default, all delete requests are denied.

      Per the WebAuthn specification, a credential id must contain at least 16 bytes with at least 100 bits of entropy, making it practically unguessable. The specification also advises that credential ids should be kept private, as exposing them can leak personally identifying information (see § 14.6.3 Privacy leak via credential IDs). This AuthorizationManager is therefore intended as defense in depth: even if a credential id were somehow exposed, an unauthorized user could not delete another user's credential.

      Parameters:
      deleteCredentialAuthorizationManager - the AuthorizationManager to use
      Since:
      6.5.10
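      An added example (not code from Spring Security itself) of the defense-in-depth check described above: an AuthorizationManager<Bytes> that permits a DELETE only when the credential id belongs to the currently authenticated user, wired into the filter with setDeleteCredentialAuthorizationManager. It assumes the filter's two-argument constructor (UserCredentialRepository, WebAuthnRelyingPartyOperations) and that the two repositories and the relying-party operations are available as beans.

```java
import java.util.Arrays;

import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.webauthn.api.Bytes;
import org.springframework.security.web.webauthn.api.CredentialRecord;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity;
import org.springframework.security.web.webauthn.management.PublicKeyCredentialUserEntityRepository;
import org.springframework.security.web.webauthn.management.UserCredentialRepository;
import org.springframework.security.web.webauthn.management.WebAuthnRelyingPartyOperations;
import org.springframework.security.web.webauthn.registration.WebAuthnRegistrationFilter;

public final class OwnCredentialDeletion {

    /**
     * Builds an AuthorizationManager that grants deletion of a credential id only to the
     * user the credential is registered to. Written as a lambda so it compiles against
     * both the check(...) and the authorize(...) form of the interface.
     */
    static AuthorizationManager<Bytes> ownCredentialOnly(UserCredentialRepository credentials,
            PublicKeyCredentialUserEntityRepository userEntities) {
        return (authentication, credentialId) -> {
            Authentication auth = authentication.get();
            if (auth == null || !auth.isAuthenticated()) {
                return new AuthorizationDecision(false);
            }
            CredentialRecord record = credentials.findByCredentialId(credentialId);
            if (record == null) {
                // Unknown id: deny, and do not distinguish "not found" from "not yours"
                return new AuthorizationDecision(false);
            }
            PublicKeyCredentialUserEntity user = userEntities.findByUsername(auth.getName());
            boolean owns = user != null
                    && Arrays.equals(user.getId().getBytes(), record.getUserEntityUserId().getBytes());
            return new AuthorizationDecision(owns);
        };
    }

    /** Wires the manager into the filter (constructor signature assumed as noted above). */
    static WebAuthnRegistrationFilter registrationFilter(UserCredentialRepository credentials,
            PublicKeyCredentialUserEntityRepository userEntities,
            WebAuthnRelyingPartyOperations rpOperations) {
        WebAuthnRegistrationFilter filter = new WebAuthnRegistrationFilter(credentials, rpOperations);
        // Replaces the default deny-all manager with an ownership check
        filter.setDeleteCredentialAuthorizationManager(ownCredentialOnly(credentials, userEntities));
        return filter;
    }
}
```

Without this setter the filter denies every DELETE /webauthn/register/{id}, so the ownership check is what makes credential removal usable while still preventing one user from deleting another's credential.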
    • setSecurityContextHolderStrategy

      public void setSecurityContextHolderStrategy(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)
      Sets the SecurityContextHolderStrategy to use. The default is SecurityContextHolder.getContextHolderStrategy().
      Parameters:
      securityContextHolderStrategy - the SecurityContextHolderStrategy to use
      Since:
      6.5.10
    • doFilterInternal

      protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) throws jakarta.servlet.ServletException, IOException
      Specified by:
      doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter
      Throws:
      jakarta.servlet.ServletException
      IOException
    • setConverter

      public void setConverter(org.springframework.http.converter.HttpMessageConverter<Object> converter)
      Sets the HttpMessageConverter used to read the WebAuthnRegistrationFilter.WebAuthnRegistrationRequest and write the response. The default is MappingJackson2HttpMessageConverter.
      Parameters:
      converter - the HttpMessageConverter to use. Cannot be null.
    • setCreationOptionsRepository

      public void setCreationOptionsRepository(PublicKeyCredentialCreationOptionsRepository creationOptionsRepository)
      Parameters:
      creationOptionsRepository - the PublicKeyCredentialCreationOptionsRepository to use. Cannot be null.