Spring Security and probably one or two of the webauthn ones; I don't remember at
the moment without looking at local commit history, but here is everything from gradle:
/** Core **/
implementation "org.apereo.cas:cas-server-core-api-configuration-model"
implementation "org.apereo.cas:cas-server-core-api-mfa"
implementation "org.apereo.cas:cas-server-core-events-configuration"
implementation "org.apereo.cas:cas-server-core-notifications"
implementation "org.apereo.cas:cas-server-core-authentication"
implementation "org.apereo.cas:cas-server-core-authentication-api"
implementation "org.apereo.cas:cas-server-core-authentication-mfa-api"
implementation "org.apereo.cas:cas-server-core-util"
implementation "org.apereo.cas:cas-server-core-web-api"
implementation "org.apereo.cas:cas-server-core-webflow"
implementation "org.apereo.cas:cas-server-core-webflow-api"
implementation "org.apereo.cas:cas-server-core-webflow-mfa-api"
implementation "org.apereo.cas:cas-server-webapp"
implementation "org.apereo.cas:cas-server-webapp-init"
implementation "org.apereo.cas:cas-server-webapp-config"
/** Rest Plugins **/
implementation "org.apereo.cas:cas-server-support-configuration-cloud-rest"
implementation "org.apereo.cas:cas-server-support-rest-authentication"
/** LDAP Support **/
implementation "org.apereo.cas:cas-server-support-ldap"
implementation "org.apereo.cas:cas-server-support-pm-ldap"
implementation "org.apereo.cas:cas-server-support-pm-rest"
/** Database Support **/
implementation "org.apereo.cas:cas-server-support-jdbc"
implementation "org.apereo.cas:cas-server-support-jpa-util"
implementation "mysql:mysql-connector-java:${project.mysqlVerison}"
implementation "com.microsoft.sqlserver:mssql-jdbc:${project.mssqlVersion}"
/** Interrupt Support **/
implementation "org.apereo.cas:cas-server-support-interrupt-webflow"
/** Multifactor Auth **/
implementation "org.apereo.cas:cas-server-support-gauth"
implementation "org.apereo.cas:cas-server-support-gauth-ldap"
implementation "org.apereo.cas:cas-server-support-webauthn"
implementation "org.apereo.cas:cas-server-support-webauthn-ldap"
implementation "org.apereo.cas:cas-server-support-webauthn-core"
implementation "org.apereo.cas:cas-server-support-webauthn-core-webflow"
implementation "org.apereo.cas:cas-server-support-simple-mfa"
implementation "org.apereo.cas:cas-server-support-trusted-mfa"
/** Protocols **/
implementation "org.apereo.cas:cas-server-support-ws-idp"
implementation "org.apereo.cas:cas-server-support-saml-idp"
implementation "org.apereo.cas:cas-server-support-saml-sp-integrations"
/** Services **/
/** implementation "org.apereo.cas:cas-server-support-json-service-registry" **/
implementation "org.apereo.cas:cas-server-support-rest-service-registry"
implementation "org.springframework.security:spring-security-config:5.7.3"
implementation "commons-net:commons-net:${project.apacheNetCom}"
On Thursday, March 23, 2023 at 2:51:11 PM UTC-5 [email protected] wrote:
> Hi, I've got quite the same issue: it works perfectly with CAS 6.5.9 but
> not on 6.6 nor on the master branch 7.x.
> On 6.6, after basic auth, a popup asks for the Yubikey PIN and then, when
> I press the register button, the flow breaks at POST
> https://xxxxxxx.xx/cas/webauthn/register/finish. (FF: err 400
> strict-origin-when-cross-origin)
>
> (The service app I use for my tests is the same one I used when I went
> through every CAS version.)
>
> The webAuthnDevices.access endpoint is AUTHENTICATED in my cas.yml, just as you
> did.
>
> Here is my build.gradle webauthn section:
> // MFA FIDO2 WEBAUTHN
> implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
> implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
> implementation "org.apereo.cas:cas-server-support-webauthn-core:${project.'cas.version'}"
> (this one in order to comment out @PreAuthorize("isAuthenticated()") as
> you did in
> src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)
>
> // MFA TRUSTED DEVICE
> implementation "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
> implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"
>
> (John, what are the extra dependencies that you implement in your
> build.gradle CAS overlay to be able to modify
> src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java
> <https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437>
> ? Compilation breaks.)
>
> Regards,
>
>
> Le jeudi 16 mars 2023 à 04:25:47 UTC+1, John a écrit :
>
>> Circling back to this, it also fails on 7.x current and master. Same
>> issue. I believe I have found the source, which is related to the CSRF
>> token. It works by adding /register to the CSRF-ignored endpoints at
>>
>> https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437
>>
>> with the below:
>>
>> return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
>>     WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);
>>
>> On Monday, February 6, 2023 at 9:53:31 PM UTC-6 John wrote:
>>
>>> Since we don't use any of the actuators (all disabled except for
>>> whatever CAS sets as default), I am leaving my change of commenting out
>>> @PreAuthorize("isAuthenticated()") in WebAuthnController.java. I'm just
>>> going along finishing upgrade testing for us and will circle back to this
>>> later before we upgrade prod.
>>>
>>> However, I do see some changes made below. I haven't had time to test if
>>> they will resolve this issue yet; maybe they will be part of the next 7.x RC, but
>>> for now they are only in master. If I get some time I will switch to master and
>>> give it a go.
>>>
>>>
>>> https://github.com/apereo/cas/commits/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java
>>>
>>>
>>> On Friday, February 3, 2023 at 7:11:44 AM UTC-6 [email protected]
>>> wrote:
>>>
>>>> Yes, I have the same registration issue.
>>>>
>>>> I thought I had caused this error by meddling with the Spring Security
>>>> settings, but it looks like that is not the case.
>>>>
>>>> However, after setting up spring security for the webAuthnDevices
>>>> actuator like this
>>>>
>>>> spring.security.user.name=XXX
>>>> spring.security.user.password=YYY
>>>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED
>>>>
>>>> then registration starts to work, but requires HTTP basic
>>>> authentication.
>>>>
>>>>
>>>> This is the Spring Security filter chain for the /webauthn/register endpoint
>>>> without any additional configuration:
>>>>
>>>> Security filter chain: [
>>>>   ChannelProcessingFilter
>>>>   WebAsyncManagerIntegrationFilter
>>>>   CorsFilter
>>>>   CsrfFilter
>>>>   SecurityContextHolderAwareRequestFilter
>>>>   AnonymousAuthenticationFilter
>>>>   ExceptionTranslationFilter
>>>>   AuthorizationFilter
>>>> ]
>>>>
>>>> And the chain with the Spring Security settings as above:
>>>>
>>>> Security filter chain: [
>>>>   ChannelProcessingFilter
>>>>   WebAsyncManagerIntegrationFilter
>>>>   CorsFilter
>>>>   CsrfFilter
>>>>   BasicAuthenticationFilter
>>>>   SecurityContextHolderAwareRequestFilter
>>>>   AnonymousAuthenticationFilter
>>>>   ExceptionTranslationFilter
>>>>   AuthorizationFilter
>>>> ]
>>>>
>>>>
>>>> I would say that
>>>>
>>>> 1) setting the actuator access really influences the processing for the
>>>> registration endpoint (and it should not),
>>>>
>>>> 2) using PERMIT or ANONYMOUS is not enough to make it work, as
>>>> perhaps it does not satisfy the @PreAuthorize("isAuthenticated()")
>>>> requirement.
>>>>
>>>> I wonder how the registration endpoint should be authenticated; I guess
>>>> it cannot be left unprotected, but I fail to see how to set it up.
>>>>
>>>> Regards,
>>>>
>>>> Michal V.
>>>>
>>>> On 1/31/23 16:14, John wrote:
>>>>
>>>> I have nothing configured or defined for endpoints or actuators besides
>>>> what CAS sets by default; we have never used those. I went back and
>>>> configured according to
>>>>
>>>> management.endpoint.webAuthnDevices.enabled=true
>>>> management.endpoints.web.exposure.include=*
>>>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT
>>>>
>>>> and even tried ANONYMOUS (below), which makes all actuators work; I can even
>>>> pull /cas/actuator/webAuthnDevices/username anonymously and get the devices
>>>> for the user. I don't think the webAuthnDevices endpoint controls the end-user
>>>> registration page, as that falls under /webauthn/register and NOT
>>>> /cas/actuator/webAuthnDevices.
>>>>
>>>> cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
>>>>
>>>> Below is the debug output:
>>>>
>>>> 2023-01-31 09:05:41,149 DEBUG
>>>> [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the
>>>> received exception
>>>> [org.springframework.security.access.AccessDeniedException: Access is
>>>> denied] due to a type mismatch with handler
>>>> [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String,
>>>> String, String, boolean, String, HttpServletRequest, HttpServletResponse)]>
>>>>
>>>> And the browser POST response to /webauthn/register, base64 decoded, is:
>>>>
>>>> --- !<java.util.LinkedHashMap>
>>>> timestamp: "2023-01-31T15:05:41.161+00:00"
>>>> status: 403
>>>> error: "Forbidden"
>>>> path: "/cas/webauthn/register"
>>>>
>>>>
>>>> On Monday, January 30, 2023 at 11:16:42 PM UTC-6 [email protected]
>>>> wrote:
>>>>
>>>>> Hi,
>>>>> have you, by any chance, configured spring security for the webauthn
>>>>> endpoint?
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Michal Vocu
>>>>>
>>>>> On 1/26/23 19:03, John wrote:
>>>>>
>>>>> When trying to register a new device, the POST request to
>>>>> /webauthn/register is failing with a Spring Security access denied, HTTP
>>>>> 403.
>>>>>
>>>>> Commenting out the below within
>>>>> (support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)
>>>>> got it working again:
>>>>>
>>>>> @PreAuthorize("isAuthenticated()")
>>>>>
>>>>> Looks like it was added in the 6.4.x release; is anyone else not having a
>>>>> registration issue?
>>>>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3b3db50c-70c3-4822-9303-94ca15f167a7n%40apereo.org.
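As an added illustration of the narrower fix John describes in the thread (add the WebAuthn ceremony endpoints to the CSRF-ignored list while leaving them authenticated, rather than commenting out @PreAuthorize("isAuthenticated()")), below is a stand-alone Spring Security 5.7 configuration. It is not CAS's own code and not the overlay change from the thread; the package, class and bean names and the /webauthn path patterns are assumptions, and it does not cover how CAS populates the authenticated principal during the login flow.

```java
// Added example, not CAS code: a Spring Security 5.7 SecurityFilterChain for the
// WebAuthn endpoints that keeps the "authenticated" requirement and exempts only
// the register/authenticate ceremony endpoints from the CsrfFilter.
// Package name, class name and path patterns are assumptions for illustration.
package example.webauthn;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebAuthnCsrfExemptionConfig {

    // Assumed paths; the thread refers to them through WebAuthnController constants.
    static final String BASE = "/webauthn";
    static final String REGISTER = BASE + "/register/**";
    static final String AUTHENTICATE = BASE + "/authenticate/**";

    @Bean
    public SecurityFilterChain webAuthnFilterChain(HttpSecurity http) throws Exception {
        http
            // Scope this chain to the WebAuthn endpoints only.
            .antMatcher(BASE + "/**")
            // Keep the authentication requirement: an anonymous POST is still
            // rejected by AuthorizationFilter with 403, so the registration
            // endpoint is not left open.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Exempt only the two ceremony endpoints from CSRF token checks.
            // Each ceremony POST carries the server-issued challenge from the
            // preceding "start" call, which already ties it to a prior server
            // round-trip; everything else under /webauthn keeps the CSRF check.
            .csrf(csrf -> csrf.ignoringAntMatchers(REGISTER, AUTHENTICATE));
        return http.build();
    }
}
```

The point of separating the two controls is visible in Michal's filter-chain dumps: the CsrfFilter and the AuthorizationFilter are distinct links, so a CSRF rejection on the register POST is not fixed by loosening authorization, and loosening authorization (removing the @PreAuthorize check) does more than the symptom requires.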