Yes, I have the same registration issue.

I thought I had caused this error by meddling with the Spring Security settings, but it looks like that is not the case.

However, after setting up Spring Security for the webAuthnDevices actuator like this

spring.security.user.name=XXX
spring.security.user.password=YYY
cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED

registration starts to work, but requires HTTP basic authentication.


This is the Spring Security filter chain for the /webauthn/register endpoint without any additional configuration:

Security filter chain: [
  ChannelProcessingFilter
  WebAsyncManagerIntegrationFilter
  CorsFilter
  CsrfFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  ExceptionTranslationFilter
  AuthorizationFilter
]

And the chain with the Spring Security settings as above:

Security filter chain: [
  ChannelProcessingFilter
  WebAsyncManagerIntegrationFilter
  CorsFilter
  CsrfFilter
  BasicAuthenticationFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  ExceptionTranslationFilter
  AuthorizationFilter
]


I would say that

  1) setting the actuator access really influences the processing for the registration endpoint (and it should not),

  2) using PERMIT or ANONYMOUS is not enough to make it work, as perhaps it does not satisfy the @PreAuthorize("isAuthenticated()") requirement.

I wonder how the registration endpoint should be authenticated; I guess it cannot be left unprotected, but I fail to see how to set it up.

Regards,

Michal V.
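As an added illustration of point 2 above (example code written for this thread, not code from CAS or from either poster): Spring's SpEL isAuthenticated() is defined as "not anonymous", so the AnonymousAuthenticationToken that AnonymousAuthenticationFilter places in the security context never satisfies @PreAuthorize("isAuthenticated()"), even though that token object's own isAuthenticated() method returns true, whereas the token BasicAuthenticationFilter stores after a successful HTTP basic login does. It assumes spring-security-core and spring-expression on the classpath; the principal names and authorities are constructed sample values.

```java
import java.util.List;

import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Evaluates @PreAuthorize-style expressions against the two kinds of
 * Authentication seen in the filter chains above: the anonymous token set by
 * AnonymousAuthenticationFilter, and the authenticated token that
 * BasicAuthenticationFilter stores after validating HTTP basic credentials.
 */
public class PreAuthorizeExpressionDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Evaluate one security expression against the given Authentication. */
    static boolean evaluate(String expression, Authentication authentication) {
        // SecurityExpressionRoot is abstract but has no abstract methods; an anonymous
        // subclass exposes isAuthenticated(), isAnonymous(), permitAll(), hasRole(), ...
        // (method security uses a MethodSecurityExpressionRoot subclass of it at runtime).
        SecurityExpressionRoot root = new SecurityExpressionRoot(authentication) { };
        StandardEvaluationContext ctx = new StandardEvaluationContext(root);
        return Boolean.TRUE.equals(PARSER.parseExpression(expression).getValue(ctx, Boolean.class));
    }

    public static void main(String[] args) {
        // Constructed sample: what the context holds for a caller who has not logged in.
        Authentication anonymous = new AnonymousAuthenticationToken(
                "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        // Constructed sample: what BasicAuthenticationFilter stores for the configured user.
        Authentication basicUser = UsernamePasswordAuthenticationToken.authenticated(
                "XXX", null, AuthorityUtils.createAuthorityList("ROLE_USER"));

        for (Authentication auth : List.of(anonymous, basicUser)) {
            System.out.printf("%-34s token.isAuthenticated()=%-5s isAuthenticated()=%-5s isAnonymous()=%-5s permitAll()=%s%n",
                    auth.getClass().getSimpleName(),
                    auth.isAuthenticated(),               // true for BOTH tokens
                    evaluate("isAuthenticated()", auth),  // false for the anonymous token
                    evaluate("isAnonymous()", auth),      // true only for the anonymous token
                    evaluate("permitAll()", auth));       // true for both, which is why PERMIT alone does not help here
        }
    }
}
```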

On 1/31/23 16:14, John wrote:
I have nothing configured or defined for endpoints or actuators besides what is default set by cas, we have never used those. I went back and configured according to

management.endpoint.webAuthnDevices.enabled=true
management.endpoints.web.exposure.include=*
cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT

I even tried ANONYMOUS below, which makes all actuators work; I can even pull /cas/actuator/webAuthnDevices/username anonymously and get devices for the user. I don't think the endpoint webAuthnDevices controls the end user registration page, as it falls under /webauthn/register and NOT /cas/actuator/webAuthnDevices

cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS

Below is the debug output:

2023-01-31 09:05:41,149 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [org.springframework.security.access.AccessDeniedException: Access is denied] due to a type mismatch with handler [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String, String, String, boolean, String, HttpServletRequest, HttpServletResponse)]>

And the browser's POST response to /webauthn/register, base64 decoded, is

--- !<java.util.LinkedHashMap>
timestamp: "2023-01-31T15:05:41.161+00:00"
status: 403
error: "Forbidden"
path: "/cas/webauthn/register"

On Monday, January 30, 2023 at 11:16:42 PM UTC-6 micha...@gmail.com wrote:

    Hi,
      have you, by any chance, configured Spring Security for the
    webauthn endpoint?

    Best regards,

    Michal Vocu

    On 1/26/23 19:03, John wrote:
    When trying to register a new device, the POST request to
    /webauthn/register is failing from Spring Security: access
    denied, HTTP 403.

    Commenting out the below within
    support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java
    got it working again:

    @PreAuthorize("isAuthenticated()")

    Looks like it was added in the 6.4.x release; is anyone else not
    having a registration issue?
    --
    - Website: https://apereo.github.io/cas
    - Gitter Chatroom: https://gitter.im/apereo/cas
    - List Guidelines: https://goo.gl/1VRrw7
    - Contributions: https://goo.gl/mh7qDG
    ---
    You received this message because you are subscribed to the
    Google Groups "CAS Community" group.
    To unsubscribe from this group and stop receiving emails from it,
    send an email to cas-user+u...@apereo.org.
    To view this discussion on the web visit
    https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org

