Hi, I've got much the same issue: it works perfectly with CAS 6.5.9 but 
not on 6.6 nor on the 7.x master branch. 
On 6.6, after basic auth, a popup asks for the Yubikey PIN and then, when I 
press the register button, the flow breaks at POST 
https://xxxxxxx.xx/cas/webauthn/register/finish. 
(FF: err 400 strict-origin-when-cross-origin)

(The service app I use for my tests is the same one I used when going 
through every CAS version)

The webAuthnDevices.access endpoint is set to AUTHENTICATED in my cas.yml, 
just as you did.

Here is my build.gradle webauthn section:

    // MFA FIDO2 WEBAUTHN
    implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-webauthn-core:${project.'cas.version'}"
(this last one in order to comment out @PreAuthorize("isAuthenticated()"), as 
you did, in src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)

    // MFA TRUSTED DEVICE
    implementation "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"

(John, what are the extra dependencies you add to your build.gradle CAS 
overlay to be able to modify 
src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java 
<https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437>? 
Compilation breaks.)

Regards,


On Thursday, March 16, 2023 at 04:25:47 UTC+1, John wrote:

> Circling back to this, it also fails on 7.x current and master. Same 
> issue; I believe I have found the source, which is related to the CSRF 
> token. It works by adding /register to the CSRF-ignored endpoints in 
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437
>
> with the below:
>
> return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
>                WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);
>
> On Monday, February 6, 2023 at 9:53:31 PM UTC-6 John wrote:
>
>> Since we don't use any of the actuators (all disabled except for whatever 
>> CAS sets as default), I am leaving my change of commenting out 
>> @PreAuthorize("isAuthenticated()") in WebAuthnController.java. I'm just 
>> going along finishing upgrade testing for us and will circle back to this 
>> later before we upgrade prod.
>>
>> However, I do see some changes made below. I haven't had time to test 
>> whether they will resolve this issue yet; maybe they will be part of the 
>> next 7.x RC, but for now they are only in master. If I get some time I 
>> will switch to master and give it a go.
>>
>>
>> https://github.com/apereo/cas/commits/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java
>>
>>
>> On Friday, February 3, 2023 at 7:11:44 AM UTC-6 micha...@gmail.com wrote:
>>
>>> Yes, I have the same registration issue.
>>>
>>> I thought I had caused this error by meddling with the Spring Security 
>>> settings, but it looks like that is not the case.
>>>
>>> However, after setting up Spring Security for the webAuthnDevices 
>>> actuator like this
>>>
>>> spring.security.user.name=XXX
>>> spring.security.user.password=YYY
>>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED
>>>
>>> registration starts to work, but requires HTTP basic authentication.
>>>
>>>
>>> This is the Spring Security filter chain for the /webauthn/register endpoint 
>>> without any additional configuration:
>>>
>>> Security filter chain: [
>>>   ChannelProcessingFilter
>>>   WebAsyncManagerIntegrationFilter
>>>   CorsFilter
>>>   CsrfFilter
>>>   SecurityContextHolderAwareRequestFilter
>>>   AnonymousAuthenticationFilter
>>>   ExceptionTranslationFilter
>>>   AuthorizationFilter
>>> ]
>>>
>>> And the chain with the Spring Security settings as above:
>>>
>>> Security filter chain: [
>>>   ChannelProcessingFilter
>>>   WebAsyncManagerIntegrationFilter
>>>   CorsFilter
>>>   CsrfFilter
>>>   BasicAuthenticationFilter
>>>   SecurityContextHolderAwareRequestFilter
>>>   AnonymousAuthenticationFilter
>>>   ExceptionTranslationFilter
>>>   AuthorizationFilter
>>> ]
>>>
>>>
>>> I would say that
>>>
>>>   1) setting the actuator access really influences the processing for the 
>>> registration endpoint (and it should not), 
>>>
>>>   2) using PERMIT or ANONYMOUS is not enough to make it work, as perhaps 
>>> it does not satisfy the @PreAuthorize("isAuthenticated()") requirement.
>>>
>>> I wonder how the registration endpoint should be authenticated; I guess 
>>> it cannot be left unprotected, but I fail to see how to set it up.
>>>
>>> Regards,
>>>
>>> Michal V.
>>>
>>> On 1/31/23 16:14, John wrote:
>>>
>>> I have nothing configured or defined for endpoints or actuators besides 
>>> what CAS sets by default; we have never used those. I went back and 
>>> configured according to 
>>>
>>> management.endpoint.webAuthnDevices.enabled=true
>>> management.endpoints.web.exposure.include=*
>>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT
>>>
>>> and even tried ANONYMOUS as below, which makes all actuators work: I can 
>>> even pull /cas/actuator/webAuthnDevices/username anonymously and it returns 
>>> the devices for the user. I don't think the webAuthnDevices endpoint controls 
>>> the end-user registration page, as that falls under /webauthn/register and 
>>> NOT /cas/actuator/webAuthnDevices 
>>>
>>> cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
>>>
>>> Below is debug output,
>>>
>>> 2023-01-31 09:05:41,149 DEBUG 
>>> [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the 
>>> received exception 
>>> [org.springframework.security.access.AccessDeniedException: Access is 
>>> denied] due to a type mismatch with handler 
>>> [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String, 
>>> String, String, boolean, String, HttpServletRequest, HttpServletResponse)]>
>>>
>>> And the browser POST response to /webauthn/register, base64 decoded, is
>>>
>>> --- !<java.util.LinkedHashMap>
>>> timestamp: "2023-01-31T15:05:41.161+00:00"
>>> status: 403
>>> error: "Forbidden"
>>> path: "/cas/webauthn/register"
>>>
>>>
>>> On Monday, January 30, 2023 at 11:16:42 PM UTC-6 micha...@gmail.com 
>>> wrote:
>>>
>>>> Hi, 
>>>> have you, by any chance, configured Spring Security for the webauthn 
>>>> endpoint? 
>>>>
>>>> Best regards,
>>>>
>>>> Michal Vocu
>>>>
>>>> On 1/26/23 19:03, John wrote:
>>>>
>>>> When trying to register a new device, the POST request to 
>>>> /webauthn/register is failing from Spring Security with access denied, 
>>>> HTTP 403.
>>>>
>>>> Commenting out the below within 
>>>> support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java 
>>>> got it working again: 
>>>>
>>>> @PreAuthorize("isAuthenticated()")
>>>>
>>>> Looks like it was added in the 6.4.x release; is anyone else not having a 
>>>> registration issue?
>>>>
>>>> -- 
>>>> - Website: https://apereo.github.io/cas
>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> --- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to cas-user+u...@apereo.org.
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org.
>>>>
>>>>
>>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b485ce31-89cf-409b-9f18-6d8e8357951bn%40apereo.org.
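Added example, not CAS project code and not from anyone in this thread: once /webauthn/register and /webauthn/authenticate are added to the CSRF-ignored list as John describes, POSTs to them are no longer covered by Spring Security's synchronizer token. The WebAuthn protocol itself binds the finish step to the issuing origin and challenge inside clientDataJSON, but the start endpoints have no such binding, so a small servlet filter like the one below can stand in for the token check by rejecting POSTs to those paths whose Origin header (or, failing that, Referer) does not match the CAS site. The package name, the allowed-origin value and the use of @Component for registration are assumptions; a CAS overlay may need to register the class through its usual auto-configuration import mechanism instead, and on CAS 6.6 (Spring Boot 2.x) the jakarta.servlet imports become javax.servlet.

```java
// Example filter for a CAS overlay (added here, not from the CAS code base).
// Package, allowed origin and @Component registration are assumptions.
package org.apereo.cas.config.example;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URI;
import java.util.Set;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class WebAuthnOriginCheckFilter extends OncePerRequestFilter {

    /** Origin(s) the CAS login page is served from. Assumption: replace with your own. */
    private static final Set<String> ALLOWED_ORIGINS = Set.of("https://sso.example.org");

    /** Context-relative prefixes taken out of CSRF protection in the thread; only POSTs to them are checked. */
    private static final Set<String> GUARDED_PREFIXES = Set.of("/webauthn/register", "/webauthn/authenticate");

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            return true;
        }
        // Strip the /cas context path so the prefixes match WebAuthnController's own paths.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return GUARDED_PREFIXES.stream().noneMatch(path::startsWith);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        if (!isAllowedSource(request.getHeader("Origin"), request.getHeader("Referer"))) {
            // Same 403 the caller would have seen from Spring Security, but for a cross-site reason.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Cross-origin WebAuthn request rejected");
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Pure decision so it can be unit-tested: Origin wins when present ("null" is not in the
     * allow-list and is therefore rejected); otherwise fall back to the Referer's origin;
     * neither header present means reject, since browsers always send Origin on POST.
     */
    static boolean isAllowedSource(String origin, String referer) {
        if (origin != null) {
            return ALLOWED_ORIGINS.contains(origin.trim());
        }
        if (referer == null) {
            return false;
        }
        try {
            URI u = URI.create(referer.trim());
            if (u.getScheme() == null || u.getHost() == null) {
                return false;
            }
            String portPart = u.getPort() == -1 ? "" : ":" + u.getPort();
            return ALLOWED_ORIGINS.contains(u.getScheme() + "://" + u.getHost() + portPart);
        } catch (IllegalArgumentException e) {
            return false;
        }
    }
}
```

The filter only narrows what the CSRF exemption opened up; it does not restore the `@PreAuthorize("isAuthenticated()")` check that John commented out, so whether the registration endpoint is tied to the logged-in CAS user still depends on the webflow, as Michal's question about how that endpoint should be authenticated points out.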
