SpringSecurity支持WebAuthn认证

WebAuthn是无密码身份验证技术，解决了密码泄露的风险，主流的浏览器都支持。有很多开源的类库实现了WebAuthn规范，Java下流行的类库有：

• webauthn4j

• java-webauthn-server

• vertx-auth

Spring Security官方暂时未支持WebAuthn，可以用webauthn4j的webauthn4j-spring-security项目，它将webauthn4j和Spring Security打通，项目还处于开发阶段，设计上可能还会调整。但我们可以通过项目里的demo，很好的学习怎么实现WebAuthn。简单介绍一下webauthn4j-spring-security中例子的打开方式。

demo启动流程

1. 克隆项目

git clone git@github.com:webauthn4j/webauthn4j-spring-security.git

2. 打包前端资源

cd webauthn4j-spring-security/samples/lib/spa-angular-client
npm install

PS: 这里可能会碰到打包异常，是@angular/cdk包版本和其他模块版本冲突了，将@angular/cdk改成“13.3.9”就能正常打包

npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! While resolving: sample-angular-client@0.0.0
npm ERR! Found: @angular/common@13.3.12
npm ERR! node_modules/@angular/common
npm ERR!   @angular/common@"^13.3.11" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer @angular/common@"^15.0.0 || ^16.0.0" from @angular/cdk@15.2.1
npm ERR! node_modules/@angular/cdk
npm ERR!   @angular/cdk@"^15.1.2" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.

3. 启动项目

cd webauthn4j-spring-security
./gradlew build
./gradlew samples:spa:bootRun

4. 查看登录页

1. 访问：http://localhost:8080/，就会自动跳转到[http://localhost:8080/angular/login](http://localhost:8080/angular/login)

HttpSecurity核心配置

@Bean
public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {// WebAuthn Loginhttp.apply(WebAuthnLoginConfigurer.webAuthnLogin()).usernameParameter("username").passwordParameter("password").credentialIdParameter("credentialId").clientDataJSONParameter("clientDataJSON").authenticatorDataParameter("authenticatorData").signatureParameter("signature").clientExtensionsJSONParameter("clientExtensionsJSON").loginProcessingUrl("/login").attestationOptionsEndpoint().rp().name("WebAuthn4J Spring Security Sample").and().pubKeyCredParams(new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.RS256), // Windows Hellonew PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256) // FIDO U2F Key, etc).extensions().credProps(true).and().assertionOptionsEndpoint().and().successHandler(authenticationSuccessHandler).failureHandler(authenticationFailureHandler).and().authenticationManager(authenticationManager);http.headers(headers -> {// 'publickey-credentials-get *' allows getting WebAuthn credentials to all nested browsing contexts (iframes) regardless of their origin.headers.permissionsPolicy(config -> config.policy("publickey-credentials-get *"));// Disable "X-Frame-Options" to allow cross-origin iframe accessheaders.frameOptions().disable();});// Logouthttp.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);// Authorizationhttp.authorizeRequests().mvcMatchers("/").permitAll().mvcMatchers("/static/**").permitAll().mvcMatchers("/angular/**").permitAll().mvcMatchers("/webjars/**").permitAll().mvcMatchers("/favicon.ico").permitAll().mvcMatchers("/api/auth/status").permitAll().mvcMatchers(HttpMethod.GET, "/login").permitAll().mvcMatchers(HttpMethod.POST, "/api/profile").permitAll().mvcMatchers("/health/**").permitAll().mvcMatchers("/info/**").permitAll().mvcMatchers("/h2-console/**").denyAll().mvcMatchers("/api/admin/**").access("hasRole('ADMIN_ROLE') and isAuthenticated()").anyRequest().access("@webAuthnSecurityExpression.isWebAuthnAuthenticated(authentication) || hasAuthority('SINGLE_FACTOR_AUTHN_ALLOWED')");http.sessionManagement().sessionAuthenticationFailureHandler(authenticationFailureHandler);http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint).accessDeniedHandler(accessDeniedHandler);// As WebAuthn has its own CSRF protection mechanism (challenge), CSRF token is disabled herehttp.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());http.csrf().ignoringAntMatchers("/webauthn/**");return http.build();
}

这个方法将SpringSecurity需要的配置基本都说清楚了，除了#1、#2跟WebAuthn直接相关，其他几点都是SpringSecurity常规配置。

1. 添加了自定义的WebAuthnLoginConfigurer描述登录页面的URL、字段名等信息

2. 通过pubKeyCredParams描述服务器可接受的公钥类型的对象数组。

3. 设置自定义的authenticationManager、successHandler、failureHandler等

4. 设置http的header

5. 设置authorizeRequests控制权限

6. 设置session和exceptionHandling

7. 设置Csrf配置

引用

体验WebAuthn登录：https://webauthn.io/