What does your cas.log state for the error? Are you using a valid SSL certificate, and does the CAS host name match what's in the config? Also, in 7.x/master you have to edit this,

https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437

with the below,

return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
               WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);

There are actually 2 bugs, maybe more. One is the PreAuthorize and the other is CSRF related to Spring 6/Spring Boot 3, and possibly another bug. I fixed the CSRF issue and am still working through the other as time permits.

On Wednesday, March 29, 2023 at 4:29:34 AM UTC-5 [email protected] wrote:

> Thank you, you saved me lots of time; actually I needed those two:
>
> implementation "org.springframework.security:spring-security-config"
> implementation "org.springframework.security:spring-security-web"
>
> But I still have a JS issue (JSON.parse) when registering my device:
>
> "Registration failed SyntaxError: JSON.parse: unexpected non-digit at line 1 column 2 of the JSON data" after the POST request on https://cas-xx.xxx.fr/cas/webauthn/register.
> (Chrome says the same: Registration failed SyntaxError: No number after minus sign in JSON at position 1.)
>
> The error is caught here:
> # register https://cas-xx.xxxxxx.fr/cas/js/webauthn/webauthn.js:477
> # (Asynchrone : promise callback) / register https://cas-xx.xxxx.fr/cas/js/webauthn/webauthn.js:475
> # https://cas-xx.xxxxxx.fr/cas/login?service=https://node-cas-xxxxx.addomain.xxxxxxx.fr:9446/sample/&renew=true:390
>
> (The webapp is an instance of cas-sample-java-webapp running on port 9446.)
>
> About JSON.parse: https://xxxxcas/login?service=https://xxxxx:9446/sample/&renew=true at lines 386 and 390:
> register(username, displayName, credentialNickname, csrfToken);
>
> In my browser debugger, the data seems present, as I can see it parsed by the function getRegisterRequest in webauthn.js line 327:
>
> arguments: Arguments
> 0: {…}
> authenticate: "webauthn/authenticate"
> register: "webauthn/register"
> <prototype>: {…}
> 1: "frederic.dussurget"
> 2: "Frederic Dussurget"
> 3: "wonderful_borg"
> 4: false
> callee:
> length: 5
> Symbol(Symbol.iterator): values()
> <get callee()>: ()
> <set callee()>: ()
> <prototype>: {…}
> credentialNickname: "wonderful_borg"
> displayName: "Frederic Dussurget"
> requireResidentKey: false
> urls: {…}
> authenticate: "webauthn/authenticate"
> register: "webauthn/register"
> <prototype>: {…}
> username: "frederic.dussurget"
>
> If you guys have any idea ...
> Regards,
>
> On Friday, March 24, 2023 at 04:57:51 UTC+1, John wrote:
>
>> Spring security and probably one or 2 of the webauthn ones, I don't remember at the moment without looking at local commit history, but here is all of it from gradle,
>>
>> /** Core **/
>> implementation "org.apereo.cas:cas-server-core-api-configuration-model"
>> implementation "org.apereo.cas:cas-server-core-api-mfa"
>> implementation "org.apereo.cas:cas-server-core-events-configuration"
>> implementation "org.apereo.cas:cas-server-core-notifications"
>> implementation "org.apereo.cas:cas-server-core-authentication"
>> implementation "org.apereo.cas:cas-server-core-authentication-api"
>> implementation "org.apereo.cas:cas-server-core-authentication-mfa-api"
>> implementation "org.apereo.cas:cas-server-core-util"
>> implementation "org.apereo.cas:cas-server-core-web-api"
>> implementation "org.apereo.cas:cas-server-core-webflow"
>> implementation "org.apereo.cas:cas-server-core-webflow-api"
>> implementation "org.apereo.cas:cas-server-core-webflow-mfa-api"
>> implementation "org.apereo.cas:cas-server-webapp"
>> implementation "org.apereo.cas:cas-server-webapp-init"
>> implementation "org.apereo.cas:cas-server-webapp-config"
>>
>> /** Rest Plugins **/
>> implementation "org.apereo.cas:cas-server-support-configuration-cloud-rest"
>> implementation "org.apereo.cas:cas-server-support-rest-authentication"
>>
>> /** LDAP Support **/
>> implementation "org.apereo.cas:cas-server-support-ldap"
>> implementation "org.apereo.cas:cas-server-support-pm-ldap"
>> implementation "org.apereo.cas:cas-server-support-pm-rest"
>>
>> /** Database Support **/
>> implementation "org.apereo.cas:cas-server-support-jdbc"
>> implementation "org.apereo.cas:cas-server-support-jpa-util"
>> implementation "mysql:mysql-connector-java:${project.mysqlVerison}"
>> implementation "com.microsoft.sqlserver:mssql-jdbc:${project.mssqlVersion}"
>>
>> /** Interrupt Support **/
>> implementation "org.apereo.cas:cas-server-support-interrupt-webflow"
>>
>> /** Multifactor Auth **/
>> implementation "org.apereo.cas:cas-server-support-gauth"
>> implementation "org.apereo.cas:cas-server-support-gauth-ldap"
>> implementation "org.apereo.cas:cas-server-support-webauthn"
>> implementation "org.apereo.cas:cas-server-support-webauthn-ldap"
>> implementation "org.apereo.cas:cas-server-support-webauthn-core"
>> implementation "org.apereo.cas:cas-server-support-webauthn-core-webflow"
>> implementation "org.apereo.cas:cas-server-support-simple-mfa"
>> implementation "org.apereo.cas:cas-server-support-trusted-mfa"
>>
>> /** Protocols **/
>> implementation "org.apereo.cas:cas-server-support-ws-idp"
>> implementation "org.apereo.cas:cas-server-support-saml-idp"
>> implementation "org.apereo.cas:cas-server-support-saml-sp-integrations"
>>
>> /** Services **/
>> /** implementation "org.apereo.cas:cas-server-support-json-service-registry" **/
>> implementation "org.apereo.cas:cas-server-support-rest-service-registry"
>>
>> implementation "org.springframework.security:spring-security-config:5.7.3"
>> implementation "commons-net:commons-net:${project.apacheNetCom}"
>>
>> On Thursday, March 23, 2023 at 2:51:11 PM UTC-5 [email protected] wrote:
>>
>>> Hi, I've got quite the same issue: it works perfectly with CAS 6.5.9 but not on 6.6 nor on the master branch 7.x.
>>> On 6.6, after basic auth, a popup asks for the Yubikey PIN and then, when I press the register button, the flow breaks at POST https://xxxxxxx.xx/cas/webauthn/register/finish. (FF: err 400 strict-origin-when-cross-origin)
>>>
>>> (The service app I use for my tests is the same as when I went through every CAS version)
>>>
>>> The webAuthnDevices.access endpoint is AUTHENTICATED in my cas.yml just as you did
>>>
>>> here is my build.gradle webauthn section:
>>> // MFA FIDO2 WEBAUTHN
>>> implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
>>> implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
>>> implementation "org.apereo.cas:cas-server-support-webauthn-core:${project.'cas.version'}"
>>> (this one in order to comment out @PreAuthorize("isAuthenticated()") as you did in src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)
>>>
>>> //MFA TRUSTED DEVICE
>>> implementation "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
>>> implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"
>>>
>>> (John, what are the extra dependencies that you implement in your build.gradle cas overlay to be able to modify src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java <https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437>? Compilation breaks)
>>>
>>> Regards,
>>>
>>> On Thursday, March 16, 2023 at 04:25:47 UTC+1, John wrote:
>>>
>>>> Circling back to this, it also fails on 7.x current and master. Same issue, I believe I have found the source, which is related to the CSRF token. It works by excluding /register from CSRF via the ignored endpoints on
>>>>
>>>> https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437
>>>>
>>>> with the below,
>>>>
>>>> return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
>>>>                WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);
>>>>
>>>> On Monday, February 6, 2023 at 9:53:31 PM UTC-6 John wrote:
>>>>
>>>>> Since we don't use any of the actuators, all disabled except for whatever CAS sets as default, I am leaving my change by commenting out @PreAuthorize("isAuthenticated()") in WebAuthnController.java. I'm just going along finishing upgrade testing for us and will circle back to this later before we upgrade prod.
>>>>>
>>>>> However, I do see some changes made below. I haven't had time to test if it will resolve this issue yet; maybe it will be part of the next 7.x RC, but for now it's only in master. If I get some time I will switch to master and give it a go.
>>>>>
>>>>> https://github.com/apereo/cas/commits/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java
>>>>>
>>>>> On Friday, February 3, 2023 at 7:11:44 AM UTC-6 [email protected] wrote:
>>>>>
>>>>>> Yes, I have the same registration issue.
>>>>>>
>>>>>> I thought I had caused this error by meddling with the spring security settings, but it looks like it is not the case.
>>>>>>
>>>>>> However, after setting up spring security for the webAuthnDevices actuator like this
>>>>>>
>>>>>> spring.security.user.name=XXX
>>>>>> spring.security.user.password=YYY
>>>>>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED
>>>>>>
>>>>>> then registration starts to work, but requires HTTP basic authentication.
>>>>>>
>>>>>> This is the spring security filter chain for the /webauthn/register endpoint without any additional configuration:
>>>>>>
>>>>>> Security filter chain: [
>>>>>>   ChannelProcessingFilter
>>>>>>   WebAsyncManagerIntegrationFilter
>>>>>>   CorsFilter
>>>>>>   CsrfFilter
>>>>>>   SecurityContextHolderAwareRequestFilter
>>>>>>   AnonymousAuthenticationFilter
>>>>>>   ExceptionTranslationFilter
>>>>>>   AuthorizationFilter
>>>>>> ]
>>>>>>
>>>>>> And the chain with the spring security settings as above:
>>>>>>
>>>>>> Security filter chain: [
>>>>>>   ChannelProcessingFilter
>>>>>>   WebAsyncManagerIntegrationFilter
>>>>>>   CorsFilter
>>>>>>   CsrfFilter
>>>>>>   BasicAuthenticationFilter
>>>>>>   SecurityContextHolderAwareRequestFilter
>>>>>>   AnonymousAuthenticationFilter
>>>>>>   ExceptionTranslationFilter
>>>>>>   AuthorizationFilter
>>>>>> ]
>>>>>>
>>>>>> I would say that
>>>>>>
>>>>>> 1) setting the actuator access really influences the processing for the registration endpoint (and it should not),
>>>>>>
>>>>>> 2) using PERMIT or ANONYMOUS is not enough to make it work, as perhaps it does not satisfy the @PreAuthorize("isAuthenticated()") requirement
>>>>>>
>>>>>> I wonder how the registration endpoint should be authenticated; I guess it can not be left unprotected, but I fail to see how to set it up.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Michal V.
>>>>>>
>>>>>> On 1/31/23 16:14, John wrote:
>>>>>>
>>>>>> I have nothing configured or defined for endpoints or actuators besides what is set by default by CAS; we have never used those. I went back and configured according to
>>>>>>
>>>>>> management.endpoint.webAuthnDevices.enabled=true
>>>>>> management.endpoints.web.exposure.include=*
>>>>>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT
>>>>>>
>>>>>> and even tried ANONYMOUS below, which makes all actuators work; I can even pull /cas/actuator/webAuthnDevices/username anonymously and get the devices for the user. I don't think the endpoint webAuthnDevices controls the end user registration page, as it falls under /webauthn/register and NOT /cas/actuator/webAuthnDevices
>>>>>>
>>>>>> cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
>>>>>>
>>>>>> Below is the debug output,
>>>>>>
>>>>>> 2023-01-31 09:05:41,149 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [org.springframework.security.access.AccessDeniedException: Access is denied] due to a type mismatch with handler [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String, String, String, boolean, String, HttpServletRequest, HttpServletResponse)]>
>>>>>>
>>>>>> And the browser POST response to /webauthn/register, base64 decoded, is
>>>>>>
>>>>>> --- !<java.util.LinkedHashMap>
>>>>>> timestamp: "2023-01-31T15:05:41.161+00:00"
>>>>>> status: 403
>>>>>> error: "Forbidden"
>>>>>> path: "/cas/webauthn/register"
>>>>>>
>>>>>> On Monday, January 30, 2023 at 11:16:42 PM UTC-6 [email protected] wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> have you, by any chance, configured spring security for the webauthn endpoint?
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Michal Vocu
>>>>>>>
>>>>>>> On 1/26/23 19:03, John wrote:
>>>>>>>
>>>>>>> When trying to register a new device, the POST request to /webauthn/register is failing from spring security, access denied, HTTP 403.
>>>>>>>
>>>>>>> Commenting out the below within (support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java) got it working again,
>>>>>>>
>>>>>>> @PreAuthorize("isAuthenticated()")
>>>>>>>
>>>>>>> Looks like it was added in the 6.4.x release; is anyone else not having a registration issue?
>>>>>>>
>>>>>>> --
>>>>>>> - Website: https://apereo.github.io/cas
>>>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org.
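As an added example (not code from this thread, nor from CAS itself), this is how the CSRF exemption John describes for the two WebAuthn ceremony endpoints could be expressed as an overlay-side Spring Security 6 filter chain instead of editing WebAuthnConfiguration, while keeping the authenticated-caller requirement that @PreAuthorize("isAuthenticated()") expressed. The package, bean name, @Order, and the "/**" sub-path patterns are assumptions; the authenticated() rule carries the same open question the thread raises about which authentication satisfies it on the CAS login flow.

```java
package example.overlay; // hypothetical overlay package, not part of CAS

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class WebAuthnCeremonyCsrfConfig {

    // The two endpoints from the thread's fix (BASE_ENDPOINT_WEBAUTHN + REGISTER /
    // AUTHENTICATE). The "/**" entries are an assumption so that /webauthn/register/finish,
    // which also failed in the thread, gets the same treatment as the start endpoint.
    static final String[] CEREMONY_PATHS = {
        "/webauthn/register", "/webauthn/register/**",
        "/webauthn/authenticate", "/webauthn/authenticate/**"
    };

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE) // assumption: must be consulted before CAS's own chains
    SecurityFilterChain webAuthnCeremonyChain(HttpSecurity http) throws Exception {
        http
            // Scope this chain to the WebAuthn controller only; every other path keeps
            // whatever chain CAS already applies, so nothing is relaxed application-wide.
            .securityMatcher("/webauthn/**")
            // The thread's fix: only the ceremony endpoints skip CsrfFilter. Anything else
            // under /webauthn still has to present a CSRF token.
            .csrf(csrf -> csrf.ignoringRequestMatchers(CEREMONY_PATHS))
            // Keep what the annotation meant: an anonymous POST to /webauthn/register is
            // still answered with 403 instead of binding a new authenticator to an account.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

With this in place the CsrfFilter/AuthorizationFilter pair Michal printed still runs for /webauthn/**, and a 403 on /webauthn/register points at authorization rather than at a missing CSRF token.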
