Hi, I've got quite the same issue: it works perfectly with CAS 6.5.9 but 
not on 6.6 nor on the master branch 7.x. 
On 6.6, after basic auth, a popup asks for the YubiKey PIN and then, when I 
press the register button, the flow breaks at POST 
https://xxxxxxx.xx/cas/webauthn/register/finish. 
(FF: err 400 strict-origin-when-cross-origin)

(The service app I use for my tests is the same one I used when I went 
through every CAS version.)

The webAuthnDevices.access endpoint is AUTHENTICATED in my cas.yml, just as 
you did.

Here is my build.gradle webauthn section:

    // MFA FIDO2 WEBAUTHN
    implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-webauthn-core:${project.'cas.version'}"
(this one in order to comment out @PreAuthorize("isAuthenticated()") as 
you did in 
src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)

    // MFA TRUSTED DEVICE
    implementation "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"

(John, what are the extra dependencies that you implement in your 
build.gradle CAS overlay to be able to modify 
src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java 
<https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437>? 
Compilation breaks.)

Regards,


On Thursday, March 16, 2023 at 04:25:47 UTC+1, John wrote:

> Circling back to this, it also fails on 7.x current and master. Same 
> issue. I believe I have found the source, which is related to the CSRF 
> token. It works by excluding /register from CSRF, adding it to the ignored 
> endpoints on 
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437
>
> with the below:
>
> return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
>                WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);
>
> On Monday, February 6, 2023 at 9:53:31 PM UTC-6 John wrote:
>
>> Since we don't use any of the actuators (all disabled except for whatever 
>> CAS sets as default), I am leaving my change by commenting out 
>> @PreAuthorize("isAuthenticated()") in WebAuthnController.java. I'm just 
>> going along finishing upgrade testing for us and will circle back to this 
>> later before we upgrade prod.
>>
>> However, I do see some changes made below. I haven't had time to test if 
>> they will resolve this issue yet; maybe they will be part of the next 7.x RC, 
>> but for now they are only in master. If I get some time I will switch to 
>> master and give it a go.
>>
>> https://github.com/apereo/cas/commits/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java
>>
>> On Friday, February 3, 2023 at 7:11:44 AM UTC-6 [email protected] wrote:
>>
>>> Yes, I have the same registration issue.
>>>
>>> I thought I had caused this error by meddling with the Spring Security 
>>> settings, but it looks like that is not the case.
>>>
>>> However, after setting up Spring Security for the webAuthnDevices 
>>> actuator like this
>>>
>>> spring.security.user.name=XXX
>>> spring.security.user.password=YYY
>>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED
>>>
>>> registration starts to work, but requires HTTP basic authentication.
>>>
>>> This is the Spring Security filter chain for the /webauthn/register endpoint 
>>> without any additional configuration:
>>>
>>> Security filter chain: [
>>>   ChannelProcessingFilter
>>>   WebAsyncManagerIntegrationFilter
>>>   CorsFilter
>>>   CsrfFilter
>>>   SecurityContextHolderAwareRequestFilter
>>>   AnonymousAuthenticationFilter
>>>   ExceptionTranslationFilter
>>>   AuthorizationFilter
>>> ]
>>>
>>> And the chain with the Spring Security settings as above:
>>>
>>> Security filter chain: [
>>>   ChannelProcessingFilter
>>>   WebAsyncManagerIntegrationFilter
>>>   CorsFilter
>>>   CsrfFilter
>>>   BasicAuthenticationFilter
>>>   SecurityContextHolderAwareRequestFilter
>>>   AnonymousAuthenticationFilter
>>>   ExceptionTranslationFilter
>>>   AuthorizationFilter
>>> ]
>>>
>>> I would say that
>>>
>>>   1) setting the actuator access really influences the processing for the 
>>> registration endpoint (and it should not), 
>>>
>>>   2) using PERMIT or ANONYMOUS is not enough to make it work, as perhaps 
>>> it does not satisfy the @PreAuthorize("isAuthenticated()") requirement.
>>>
>>> I wonder how the registration endpoint should be authenticated; I guess 
>>> it can not be left unprotected, but I fail to see how to set it up.
>>>
>>> Regards,
>>>
>>> Michal V.
>>>
>>> On 1/31/23 16:14, John wrote:
>>>
>>> I have nothing configured or defined for endpoints or actuators besides 
>>> what is set by default by CAS; we have never used those. I went back and 
>>> configured according to 
>>>
>>> management.endpoint.webAuthnDevices.enabled=true
>>> management.endpoints.web.exposure.include=*
>>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT
>>>
>>> and even tried ANONYMOUS (below), which makes all actuators work; I can even 
>>> pull /cas/actuator/webAuthnDevices/username anonymously and get the devices 
>>> for the user. I don't think the endpoint webAuthnDevices controls the end-user 
>>> registration page, as it falls under /webauthn/register and NOT 
>>> /cas/actuator/webAuthnDevices.
>>>
>>> cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
>>>
>>> Below is the debug output:
>>>
>>> 2023-01-31 09:05:41,149 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [org.springframework.security.access.AccessDeniedException: Access is denied] due to a type mismatch with handler [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String, String, String, boolean, String, HttpServletRequest, HttpServletResponse)]>
>>>
>>> And the browser POST response to /webauthn/register, base64 decoded, is
>>>
>>> --- !<java.util.LinkedHashMap>
>>> timestamp: "2023-01-31T15:05:41.161+00:00"
>>> status: 403
>>> error: "Forbidden"
>>> path: "/cas/webauthn/register"
>>>
>>>
>>> On Monday, January 30, 2023 at 11:16:42 PM UTC-6 [email protected] 
>>> wrote:
>>>
>>>> Hi, 
>>>> have you, by any chance, configured Spring Security for the webauthn 
>>>> endpoint? 
>>>>
>>>> Best regards,
>>>>
>>>> Michal Vocu
>>>>
>>>> On 1/26/23 19:03, John wrote:
>>>>
>>>> When trying to register a new device, the POST request to 
>>>> /webauthn/register is failing from Spring Security: access denied, HTTP 
>>>> 403.
>>>>
>>>> Commenting out the below within 
>>>> support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java 
>>>> got it working again:
>>>>
>>>> @PreAuthorize("isAuthenticated()")
>>>>
>>>> Looks like it was added in the 6.4.x release. Is anyone else not having a 
>>>> registration issue?
>>>>
>>>> -- 
>>>> - Website: https://apereo.github.io/cas
>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> --- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to [email protected].
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org
>>>>  
>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>>>
>>>>

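The thread turns on two things: the CsrfFilter that sits in front of POST /webauthn/register (visible in both filter chains Michal posted) and John's workaround of adding the WebAuthn endpoints to the CSRF ignore list. The configuration below is an added example and not CAS's own code; it shows that exclusion next to the alternative of keeping CSRF enforced and handing the token to the browser in a cookie. The constants, the bean name, the narrow POST-only matcher and the assumption that the overlay runs on the Spring Security 5.7 line CAS 6.6 ships with are all mine.

```java
// Added example (not CAS's own code): two ways to get the WebAuthn POST
// endpoints past CsrfFilter. Written against Spring Security 5.7 (assumed
// to be what CAS 6.6 uses); constants and paths mirror the thread but are
// assumptions here.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class WebAuthnCsrfExampleConfiguration {

    // Assumed values mirroring the WebAuthnController constants quoted in the thread.
    static final String BASE_ENDPOINT_WEBAUTHN = "/webauthn";
    static final String WEBAUTHN_ENDPOINT_AUTHENTICATE = "/authenticate";
    static final String WEBAUTHN_ENDPOINT_REGISTER = "/register";

    // Flip to choose a strategy; a real overlay keeps only one branch.
    static final boolean EXCLUDE_WEBAUTHN_FROM_CSRF = false;

    // Match only POSTs to the WebAuthn endpoints and their sub-paths (for
    // example /webauthn/register/finish), so nothing else is touched by the
    // choice made below. Ant's trailing "/**" also matches the bare path.
    static RequestMatcher webAuthnPostEndpoints() {
        return new OrRequestMatcher(
            new AntPathRequestMatcher(BASE_ENDPOINT_WEBAUTHN + WEBAUTHN_ENDPOINT_AUTHENTICATE + "/**", "POST"),
            new AntPathRequestMatcher(BASE_ENDPOINT_WEBAUTHN + WEBAUTHN_ENDPOINT_REGISTER + "/**", "POST"));
    }

    @Bean
    SecurityFilterChain webAuthnFilterChain(HttpSecurity http) throws Exception {
        if (EXCLUDE_WEBAUTHN_FROM_CSRF) {
            // Option A, what the thread's workaround does: CsrfFilter skips these
            // requests. Keep the matcher this narrow; a broad ignore pattern removes
            // CSRF protection from every state-changing endpoint it happens to cover.
            http.csrf(csrf -> csrf.ignoringRequestMatchers(webAuthnPostEndpoints()));
        } else {
            // Option B: keep CsrfFilter in the chain and expose the token to the page
            // in a non-HttpOnly XSRF-TOKEN cookie. The page's JavaScript then has to
            // read that cookie and send the value back in the X-XSRF-TOKEN header,
            // which is the header name CookieCsrfTokenRepository registers.
            http.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
        }
        // Either way the WebAuthn endpoints still demand an authenticated caller,
        // in line with the @PreAuthorize("isAuthenticated()") on WebAuthnController.
        // The anyRequest() rule is a placeholder; the rest of the CAS chain is out
        // of scope for this example.
        http.authorizeHttpRequests(auth -> auth
            .requestMatchers(webAuthnPostEndpoints()).authenticated()
            .anyRequest().permitAll());
        return http.build();
    }
}
```

Option A is the quicker fix but it is an exemption, so the matcher should name exactly the endpoints that need it and nothing wider. Option B keeps the protection and moves the work to the front end, which must send the token with every WebAuthn POST. On CAS 7.x, which sits on the Spring Security 6 line, Option B additionally needs a CsrfTokenRequestHandler that accepts the raw cookie value, because the 6.x default handler expects the XOR-masked form described in the Spring Security 6 migration notes.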
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b485ce31-89cf-409b-9f18-6d8e8357951bn%40apereo.org.