Hi Frédéric,

Thanks for replying! I'm not in a position right now to try with the 7.0 RC. I'm still getting the error on 6.6.x. I have the following set in my cas.properties:
management.endpoint.webAuthnDevices.enabled=true
management.endpoints.web.exposure.include=*
management.endpoints.web.enabled-by-default: true
cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT

I'm not using tomcat; I'm running this in a docker container in my dev environment directly from `java -server -jar cas.war`.

– Graham

> On May 12, 2023, at 03:21, Frédéric Dussurget <[email protected]> wrote:
>
> I forgot, here is what I have about endpoints spring security management in cas.yml:
>
>> monitor:
>>   endpoints:
>>     endpoint:
>>       defaults:
>>         access: AUTHENTICATED
>>       health:
>>         access: IP_ADDRESS
>>         requiredIpAddresses: xx.yy.www.zz, aa.bb.cc.dd, etc.
>>       [...]
>>       registeredServices:
>>         access: IP_ADDRESS
>>         requiredIpAddresses: xx.yy.www.zz, aa.bb.cc.dd, etc.
>>       importRegisteredServices:
>>         access: IP_ADDRESS
>>         requiredIpAddresses: xx.yy.www.zz, aa.bb.cc.dd, etc.
>>       [...]
>> management:
>>   endpoints:
>>     web:
>>       exposure:
>>         include: '*'
>>     enabled-by-default: true
>
> On Fri, 12 May 2023 at 12:10, Frédéric Dussurget <[email protected]> wrote:
>> Hi Graham,
>>
>> I gave it a try this morning (but on branch master 7.0.0-SNAPSHOT) and ... it's eventually working great :) Thanks to Misagh and the dev team!
>>
>> What I've done is removing every workaround we did on this topic: removed config/WebAuthnConfiguration.java + webauthn/web/WebAuthnController.java, removed the extra pack of deps linked to those two files, flushed my dev db and imported just one mfa-webauthn service, removed custom theme and finally recompiled and restarted tomcat10 (mine is not bundled, it is marked as external through gradle.properties). I can now register my fido2 device and then login without any error.
>>
>> build.gradle linked deps:
>>
>>> // MFA FIDO2 WEBAUTHN
>>> implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
>>> implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
>>
>> cas.yml:
>>
>>> web-authn:
>>>   core:
>>>     relying-party-id: mydomain.fr
>>>     relying-party-name: mynickname
>>>     allowed-origins: https://cas.mydomain.fr
>>>     trusted-device-enabled: false
>>>     application-id: https://www.mydomain.fr
>>
>> On Fri, 12 May 2023 at 01:41, Graham Ballantyne <[email protected]> wrote:
>>> Hi all,
>>>
>>> I'm having a similar issue with webauthn device registration failing on CAS 6.6.x; the /cas/webauthn/register endpoint returns a 403 error, and the server logs have an invalid CSRF token error:
>>>
>>> web_1 | 2023-05-11 23:11:38,248 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] - <Request: filter invocation [POST /webauthn/register]; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]>
>>> web_1 | 2023-05-11 23:11:38,250 DEBUG [org.springframework.security.web.csrf.CsrfFilter] - <Invalid CSRF token found for https://cas_server/cas/webauthn/register>
>>> web_1 | 2023-05-11 23:11:38,250 DEBUG [org.springframework.security.web.access.AccessDeniedHandlerImpl] - <Responding with 403 status code>
>>>
>>> I'm not able to implement the workaround here (commenting out @PreAuthorize("isAuthenticated()") in WebAuthnController.java) as WebAuthnController.java no longer contains that line. It looks like Misagh changed how this works in a recent commit (https://github.com/apereo/cas/commit/b9233b0731004fdc85994539c67fe0cd0f01c2c3).
>>>
>>> I've tried adding the cas.authn.mfa.web-authn.core.allowed-origins property (which the docs say defaults to the server name, so I'd think it wouldn't be necessary) and it still fails. My webauthn settings from cas.properties are:
>>>
>>> cas.authn.mfa.web-authn.core.application-id=https://mycasdomain.ca
>>> cas.authn.mfa.web-authn.core.relying-party-name=Graham CAS Dev
>>> cas.authn.mfa.web-authn.core.relying-party-id=mycasdomain.ca
>>> cas.authn.mfa.web-authn.core.display-name-attribute=displayName
>>> cas.authn.mfa.web-authn.core.allow-primary-authentication=true
>>> cas.authn.mfa.web-authn.core.allow-untrusted-attestation=true
>>> cas.authn.mfa.web-authn.core.trusted-device-enabled=true
>>> cas.authn.mfa.web-authn.crypto.encryption.key=xxx
>>> cas.authn.mfa.web-authn.crypto.signing.key=yyy
>>> cas.authn.mfa.web-authn.core.allowed-origins:https://mycasdomain.ca
>>>
>>> I'm not a Java developer so I'm a little out of my element in trying to see where the problem is. Any tips would be appreciated!
>>>
>>> Cheers,
>>> Graham.
>>>
>>> On Thursday, April 6, 2023 at 4:59:11 AM UTC-7 [email protected] wrote:
>>>
>>> Hi,
>>> I'm now able to register my webauthn device, to login, and trust my device.
>>>
>>> What I noticed is that the allowed-origins (device registering) property and application-id extension (connect) now seem mandatory to me (though it was not in 6.5.9). Without those two settings, I'm stuck.
>>>
>>> web-authn:
>>>   core:
>>>     relying-party-id: mydomain.fr
>>>     relying-party-name: myrpname
>>>     allowed-origins: https://cas-dev.mydomain.fr
>>>     trusted-device-enabled: true
>>>     application-id: https://cas-dev.mydomain.fr/test
>>>
>>> First, I want to say that I thank you all for your precious advice!
>>> (@PreAuthorize("isAuthenticated()") + WebAuthnConfiguration.java trick)
>>> This won't go in production right now, because I wonder about the security impact when accessing the webauthn/register endpoint ... ?
>>>
>>> Regards,
>>>
>>> On Wednesday, 29 March 2023 at 16:15:00 UTC+2, John wrote:
>>> What does your cas.log state for error? Are you using a valid ssl certificate, cas host name matches what's in config? Also, in 7.x/master you have to edit this,
>>>
>>> https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437
>>>
>>> with the below,
>>>
>>> return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
>>>     WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);
>>>
>>> There's actually 2 bugs, maybe more. One is the PreAuthorize and the other is CSRF related to spring 6/spring boot 3 and possibly another bug. I fixed the csrf issue and am still working through the other as time permits.
>>>
>>> On Wednesday, March 29, 2023 at 4:29:34 AM UTC-5 [email protected] wrote:
>>> Thank you, you saved me lots of time, actually I needed those two:
>>> implementation "org.springframework.security:spring-security-config"
>>> implementation "org.springframework.security:spring-security-web"
>>>
>>> But I still have a js issue (JSON.parse) when registering my device:
>>>
>>> "Registration failed SyntaxError: JSON.parse: unexpected non-digit at line 1 column 2 of the JSON data" after the POST request on https://cas-xx.xxx.fr/cas/webauthn/register.
>>> (Chrome says the same: Registration failed SyntaxError: No number after minus sign in JSON at position 1.)
>>>
>>> The error is caught here:
>>> # register https://cas-xx.xxxxxx.fr/cas/js/webauthn/webauthn.js:477.
>>> # (Asynchronous: promise callback) / register https://cas-xx.xxxx.fr/cas/js/webauthn/webauthn.js:475
>>> # https://cas-xx.xxxxxx.fr/cas/login?service=https://node-cas-xxxxx.addomain.xxxxxxx.fr:9446/sample/&renew=true:390.
>>>
>>> (The webapp is an instance of cas-sample-java-webapp running on port 9446.)
>>>
>>> About JSON.parse: https://xxxxcas/login?service=https://xxxxx:9446/sample/&renew=true at lines 386 and 390: register(username, displayName, credentialNickname, csrfToken);
>>>
>>> In my browser debugger, data seems present, as I can see them parsed by the function getRegisterRequest in webauthn.js line 327:
>>>
>>> arguments: Arguments
>>>   0: {…}
>>>     authenticate: "webauthn/authenticate"
>>>     register: "webauthn/register"
>>>     <prototype>: {…}
>>>   1: "frederic.dussurget"
>>>   2: "Frederic Dussurget"
>>>   3: "wonderful_borg"
>>>   4: false
>>>   callee:
>>>   length: 5
>>>   Symbol(Symbol.iterator): values()
>>>   <get callee()>: ()
>>>   <set callee()>: ()
>>>   <prototype>: {…}
>>> credentialNickname: "wonderful_borg"
>>> displayName: "Frederic Dussurget"
>>> requireResidentKey: false
>>> urls: {…}
>>>   authenticate: "webauthn/authenticate"
>>>   register: "webauthn/register"
>>>   <prototype>: {…}
>>> username: "frederic.dussurget"
>>>
>>> If you guys have any idea ...
>>> Regards,
>>>
>>> On Friday, 24 March 2023 at 04:57:51 UTC+1, John wrote:
>>> Spring security and probably one or 2 of the webauthn, I don't remember at the moment without looking at local commit history but here is all from gradle,
>>>
>>> /** Core **/
>>> implementation "org.apereo.cas:cas-server-core-api-configuration-model"
>>> implementation "org.apereo.cas:cas-server-core-api-mfa"
>>> implementation "org.apereo.cas:cas-server-core-events-configuration"
>>> implementation "org.apereo.cas:cas-server-core-notifications"
>>> implementation "org.apereo.cas:cas-server-core-authentication"
>>> implementation "org.apereo.cas:cas-server-core-authentication-api"
>>> implementation "org.apereo.cas:cas-server-core-authentication-mfa-api"
>>> implementation "org.apereo.cas:cas-server-core-util"
>>> implementation "org.apereo.cas:cas-server-core-web-api"
>>> implementation "org.apereo.cas:cas-server-core-webflow"
>>> implementation "org.apereo.cas:cas-server-core-webflow-api"
>>> implementation "org.apereo.cas:cas-server-core-webflow-mfa-api"
>>> implementation "org.apereo.cas:cas-server-webapp"
>>> implementation "org.apereo.cas:cas-server-webapp-init"
>>> implementation "org.apereo.cas:cas-server-webapp-config"
>>>
>>> /** Rest Plugins **/
>>> implementation "org.apereo.cas:cas-server-support-configuration-cloud-rest"
>>> implementation "org.apereo.cas:cas-server-support-rest-authentication"
>>>
>>> /** LDAP Support **/
>>> implementation "org.apereo.cas:cas-server-support-ldap"
>>> implementation "org.apereo.cas:cas-server-support-pm-ldap"
>>> implementation "org.apereo.cas:cas-server-support-pm-rest"
>>>
>>> /** Database Support **/
>>> implementation "org.apereo.cas:cas-server-support-jdbc"
>>> implementation "org.apereo.cas:cas-server-support-jpa-util"
>>> implementation "mysql:mysql-connector-java:${project.mysqlVerison}"
>>> implementation "com.microsoft.sqlserver:mssql-jdbc:${project.mssqlVersion}"
>>>
>>> /** Interrupt Support **/
>>> implementation "org.apereo.cas:cas-server-support-interrupt-webflow"
>>>
>>> /** Multifactor Auth **/
>>> implementation "org.apereo.cas:cas-server-support-gauth"
>>> implementation "org.apereo.cas:cas-server-support-gauth-ldap"
>>> implementation "org.apereo.cas:cas-server-support-webauthn"
>>> implementation "org.apereo.cas:cas-server-support-webauthn-ldap"
>>> implementation "org.apereo.cas:cas-server-support-webauthn-core"
>>> implementation "org.apereo.cas:cas-server-support-webauthn-core-webflow"
>>> implementation "org.apereo.cas:cas-server-support-simple-mfa"
>>> implementation "org.apereo.cas:cas-server-support-trusted-mfa"
>>>
>>> /** Protocols **/
>>> implementation "org.apereo.cas:cas-server-support-ws-idp"
>>> implementation "org.apereo.cas:cas-server-support-saml-idp"
>>> implementation "org.apereo.cas:cas-server-support-saml-sp-integrations"
>>>
>>> /** Services **/
>>> /** implementation "org.apereo.cas:cas-server-support-json-service-registry" **/
>>> implementation "org.apereo.cas:cas-server-support-rest-service-registry"
>>>
>>> implementation "org.springframework.security:spring-security-config:5.7.3"
>>> implementation "commons-net:commons-net:${project.apacheNetCom}"
>>>
>>> On Thursday, March 23, 2023 at 2:51:11 PM UTC-5 [email protected] wrote:
>>> Hi, I've got quite the same issue: it works perfectly with CAS 6.5.9 but not on 6.6 nor on the master branch 7.x.
>>> On 6.6, after basic auth, a popup asks for the Yubikey pin and then, when I press the register button, the flow breaks at POST https://xxxxxxx.xx/cas/webauthn/register/finish.
>>> (FF: err 400 strict-origin-when-cross-origin)
>>>
>>> (The service app I use for my tests is the same when I went through every CAS version)
>>>
>>> webAuthnDevices.access endpoint is AUTHENTICATED in my cas.yml just as you did
>>>
>>> here is my build.gradle webauthn section:
>>> // MFA FIDO2 WEBAUTHN
>>> implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
>>> implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
>>> implementation "org.apereo.cas:cas-server-support-webauthn-core:${project.'cas.version'}"
>>> (this one in order to comment out @PreAuthorize("isAuthenticated()") as you did in src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)
>>>
>>> //MFA TRUSTED DEVICE
>>> implementation "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
>>> implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"
>>>
>>> (John, what are the extra dependencies that you implement in your build.gradle cas overlay to be able to modify src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java (https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437)? Compilation breaks)
>>>
>>> Regards,
>>>
>>> On Thursday, 16 March 2023 at 04:25:47 UTC+1, John wrote:
>>> Circling back to this, it also fails on 7.x current and master. Same issue, I believe I have found the source which is related to the csrf token.
>>> It works by excluding the /register from csrf to the ignored endpoints on
>>>
>>> https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437
>>>
>>> with the below,
>>>
>>> return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
>>>     WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);
>>>
>>> On Monday, February 6, 2023 at 9:53:31 PM UTC-6 John wrote:
>>> Since we don't use any of the actuators, all disabled except for whatever cas sets as default, I am leaving my change by commenting out @PreAuthorize("isAuthenticated()") in WebAuthnController.java. I'm just going along finishing upgrade testing for us and will circle back to this later before we upgrade prod.
>>>
>>> However, I do see some changes made below, I haven't had time to test if it will resolve this issue yet, maybe it will be part of the next 7.x RC but for now it's only in master. If I get some time I will switch to master and give it a go.
>>>
>>> https://github.com/apereo/cas/commits/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java
>>>
>>> On Friday, February 3, 2023 at 7:11:44 AM UTC-6 [email protected] wrote:
>>> Yes, I have the same registration issue.
>>>
>>> I thought I had caused this error by meddling with the spring security settings, but it looks like it is not the case.
>>>
>>> However, after setting up spring security for the webAuthnDevices actuator like this
>>>
>>> spring.security.user.name=XXX
>>> spring.security.user.password=YYY
>>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED
>>>
>>> then registration starts to work, but requires HTTP basic authentication.
>>>
>>> This is the spring security filter chain for the /webauthn/register endpoint without any additional configuration:
>>>
>>> Security filter chain: [ ChannelProcessingFilter WebAsyncManagerIntegrationFilter CorsFilter CsrfFilter SecurityContextHolderAwareRequestFilter AnonymousAuthenticationFilter ExceptionTranslationFilter AuthorizationFilter ]
>>>
>>> And the chain with the spring security settings as above:
>>>
>>> Security filter chain: [ ChannelProcessingFilter WebAsyncManagerIntegrationFilter CorsFilter CsrfFilter BasicAuthenticationFilter SecurityContextHolderAwareRequestFilter AnonymousAuthenticationFilter ExceptionTranslationFilter AuthorizationFilter ]
>>>
>>> I would say that
>>>
>>> 1) setting the actuator access really influences the processing for the registration endpoint (and it should not),
>>>
>>> 2) using PERMIT or ANONYMOUS is not enough to make it work, as perhaps it does not satisfy the @PreAuthorize("isAuthenticated()") requirement
>>>
>>> I wonder how the registration endpoint should be authenticated; I guess it cannot be left unprotected but I fail to see how to set it up.
>>>
>>> Regards,
>>>
>>> Michal V.
>>>
>>> On 1/31/23 16:14, John wrote:
>>>> I have nothing configured or defined for endpoints or actuators besides what is default set by cas, we have never used those. I went back and configured according to
>>>>
>>>> management.endpoint.webAuthnDevices.enabled=true
>>>> management.endpoints.web.exposure.include=*
>>>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT
>>>>
>>>> even tried ANONYMOUS below, which makes all actuators work, I can even pull /cas/actuator/webAuthnDevices/username anonymously and get devices for the user.
>>>> I don't think the endpoint webAuthnDevices controls the end user registration page as it falls under /webauthn/register and NOT /cas/actuator/webAuthnDevices
>>>>
>>>> cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
>>>>
>>>> Below is debug output,
>>>>
>>>> 2023-01-31 09:05:41,149 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [org.springframework.security.access.AccessDeniedException: Access is denied] due to a type mismatch with handler [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String, String, String, boolean, String, HttpServletRequest, HttpServletResponse)]>
>>>>
>>>> And the browser POST response to /webauthn/register, base64 decoded, is
>>>>
>>>> --- !<java.util.LinkedHashMap>
>>>> timestamp: "2023-01-31T15:05:41.161+00:00"
>>>> status: 403
>>>> error: "Forbidden"
>>>> path: "/cas/webauthn/register"
>>>>
>>>> On Monday, January 30, 2023 at 11:16:42 PM UTC-6 [email protected] wrote:
>>>> Hi,
>>>> have you, by any chance, configured spring security for the webauthn endpoint?
>>>>
>>>> Best regards,
>>>>
>>>> Michal Vocu
>>>>
>>>> On 1/26/23 19:03, John wrote:
>>>>> When trying to register a new device, the POST request to /webauthn/register is failing from spring security, access denied, http 403.
>>>>>
>>>>> Commenting out the below within (support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java) got it working again,
>>>>>
>>>>> @PreAuthorize("isAuthenticated()")
>>>>>
>>>>> Looks like it was added in 6.4.x release, is anyone else not having a registration issue?
>>>>>
>>>>> --
>>>>> - Website: https://apereo.github.io/cas
>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>> ---
>>>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/AF72CB35-5A1B-4AB5-B14D-CCF373CFEE9B%40grahamballantyne.com.
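Two distinct failures in this thread produce the same 403 on POST /cas/webauthn/register, and they need different fixes: Spring Security's CsrfFilter rejecting the request before the controller runs ("Invalid CSRF token found for ..."), and the @PreAuthorize("isAuthenticated()") check throwing an AccessDeniedException that CAS's FlowExecutionExceptionResolver logs and ignores. The script below is an added example written for this page, not code from the thread or from the CAS project: it classifies DEBUG lines of the shape quoted above and decodes the base64 YAML error body John posted, so you can tell which of the two bugs John describes you are hitting before changing actuator access or the CSRF-ignored list. The sample log lines and the error body are constructed from the ones quoted in the thread (re-encoded inline so the example runs offline); the regexes and the advice strings are this example's own, not anything CAS emits.

```python
import base64
import re

# Signatures of the two failures quoted in the thread (patterns are this
# example's own, written against the quoted DEBUG lines).
# 1. Spring Security's CsrfFilter rejects the POST before the controller runs.
CSRF_RE = re.compile(
    r"\[org\.springframework\.security\.web\.csrf\.CsrfFilter\].*"
    r"Invalid CSRF token found for (\S+)>"
)
# 2. CAS's FlowExecutionExceptionResolver logs the AccessDeniedException raised
#    by @PreAuthorize("isAuthenticated()") on the WebAuthnController handler.
ACCESS_DENIED_RE = re.compile(
    r"FlowExecutionExceptionResolver.*AccessDeniedException.*handler \[([^\]]+)\]"
)
# AccessDeniedHandlerImpl only reports the status code, never the reason.
DENIED_HANDLER_RE = re.compile(
    r"AccessDeniedHandlerImpl\] - <Responding with (\d{3}) status code>"
)
# Optional docker-compose service prefix such as "web_1 | ".
COMPOSE_PREFIX_RE = re.compile(r"^\S+ \| ")

ADVICE = {
    "csrf": "CsrfFilter rejected the POST: the token webauthn.js sends is missing "
            "or stale, or the register endpoint is not in the CSRF-ignored list.",
    "authz": "Request reached the controller and @PreAuthorize denied it: there is "
             "no authenticated principal; actuator/spring-security settings matter.",
    "unknown": "403 without a DEBUG signature: enable DEBUG for "
               "org.springframework.security and retry.",
}


def classify_log(lines):
    """Return {'kind': 'csrf'|'authz'|'unknown', 'status': int|None, 'target': str|None}."""
    result = {"kind": "unknown", "status": None, "target": None}
    for raw in lines:
        line = COMPOSE_PREFIX_RE.sub("", raw)
        m = CSRF_RE.search(line)
        if m:
            result["kind"], result["target"] = "csrf", m.group(1)
            continue
        m = ACCESS_DENIED_RE.search(line)
        if m:
            result["kind"], result["target"] = "authz", m.group(1)
            continue
        m = DENIED_HANDLER_RE.search(line)
        if m:
            result["status"] = int(m.group(1))
    return result


def decode_error_body(b64_body):
    """Decode the base64 error body and parse its 'key: value' lines into a dict.

    The body looks like '--- !<java.util.LinkedHashMap>' followed by timestamp,
    status, error and path lines; the YAML header line is skipped.
    """
    text = base64.b64decode(b64_body).decode("utf-8")
    fields = {}
    for line in text.splitlines():
        if line.startswith("---") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip('"')
        fields[key.strip()] = int(value) if value.isdigit() else value
    return fields


def triage(lines, b64_body=None):
    """Combine the log classification and the decoded body into one verdict."""
    verdict = classify_log(lines)
    if b64_body:
        body = decode_error_body(b64_body)
        verdict["status"] = body.get("status", verdict["status"])
        verdict["path"] = body.get("path")
    verdict["advice"] = ADVICE[verdict["kind"]]
    return verdict


# Constructed sample input, reproduced from the DEBUG lines quoted in the thread.
CSRF_LOG = [
    "web_1 | 2023-05-11 23:11:38,248 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] - <Request: filter invocation [POST /webauthn/register]; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]>",
    "web_1 | 2023-05-11 23:11:38,250 DEBUG [org.springframework.security.web.csrf.CsrfFilter] - <Invalid CSRF token found for https://cas_server/cas/webauthn/register>",
    "web_1 | 2023-05-11 23:11:38,250 DEBUG [org.springframework.security.web.access.AccessDeniedHandlerImpl] - <Responding with 403 status code>",
]
AUTHZ_LOG = [
    "2023-01-31 09:05:41,149 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [org.springframework.security.access.AccessDeniedException: Access is denied] due to a type mismatch with handler [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String, String, String, boolean, String, HttpServletRequest, HttpServletResponse)]>",
]
# The 403 body John posted, base64-encoded here so the example is self-contained.
ERROR_BODY_B64 = base64.b64encode(
    '--- !<java.util.LinkedHashMap>\n'
    'timestamp: "2023-01-31T15:05:41.161+00:00"\n'
    'status: 403\nerror: "Forbidden"\npath: "/cas/webauthn/register"\n'.encode()
).decode()

if __name__ == "__main__":
    for name, lines in (("csrf", CSRF_LOG), ("authz", AUTHZ_LOG)):
        print(name, triage(lines, ERROR_BODY_B64))
```

Run it against your own cas.log (at DEBUG for org.springframework.security) and the decoded response body from the browser's network tab. A "csrf" verdict means the actuator settings discussed in the thread are irrelevant to your failure; an "authz" verdict means the CSRF token arrived and the problem is the missing authenticated principal. Either way, note that the workaround of adding the register endpoint to the CSRF-ignored list removes a check rather than fixing token handling, which is exactly the production concern Frédéric raises above about an unprotected registration endpoint.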
