webauthn: introduce WebAuthnConfigurer#disableDefaultRegistrationPage

Kehrlann · Kehrlann · commit 05955a98cad8 · 2024-11-13T18:33:32.000+01:00
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java
@@ -61,6 +61,8 @@ public class WebAuthnConfigurer<H extends HttpSecurityBuilder<H>>
 
 	private Set<String> allowedOrigins = new HashSet<>();
 
+	private boolean disableDefaultRegistrationPage = false;
+
 	/**
 	 * The Relying Party id.
 	 * @param rpId the relying party id
@@ -102,6 +104,18 @@ public WebAuthnConfigurer<H> allowedOrigins(Set<String> allowedOrigins) {
 		return this;
 	}
 
+	/**
+	 * Configures whether the default webauthn registration should be disabled. Setting it
+	 * to {@code true} will prevent the configurer from registering the
+	 * {@link DefaultWebAuthnRegistrationPageGeneratingFilter}.
+	 * @param disable disable the default registration page if true, enable it otherwise
+	 * @return the {@link WebAuthnConfigurer} for further customization
+	 */
+	public WebAuthnConfigurer<H> disableDefaultRegistrationPage(boolean disable) {
+		this.disableDefaultRegistrationPage = disable;
+		return this;
+	}
+
 	@Override
 	public void configure(H http) throws Exception {
 		UserDetailsService userDetailsService = getSharedOrBean(http, UserDetailsService.class).orElseGet(() -> {
@@ -119,19 +133,24 @@ public void configure(H http) throws Exception {
 		http.addFilterBefore(webAuthnAuthnFilter, BasicAuthenticationFilter.class);
 		http.addFilterAfter(new WebAuthnRegistrationFilter(userCredentials, rpOperations), AuthorizationFilter.class);
 		http.addFilterBefore(new PublicKeyCredentialCreationOptionsFilter(rpOperations), AuthorizationFilter.class);
-		http.addFilterAfter(new DefaultWebAuthnRegistrationPageGeneratingFilter(userEntities, userCredentials),
-				AuthorizationFilter.class);
 		http.addFilterBefore(new PublicKeyCredentialRequestOptionsFilter(rpOperations), AuthorizationFilter.class);
+
 		DefaultLoginPageGeneratingFilter loginPageGeneratingFilter = http
 			.getSharedObject(DefaultLoginPageGeneratingFilter.class);
-		if (loginPageGeneratingFilter != null) {
+		if (loginPageGeneratingFilter != null && loginPageGeneratingFilter.isEnabled()) {
 			loginPageGeneratingFilter.setPasskeysEnabled(true);
 			loginPageGeneratingFilter.setResolveHeaders((request) -> {
 				CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
 				return Map.of(csrfToken.getHeaderName(), csrfToken.getToken());
 			});
 			http.addFilter(DefaultResourcesFilter.webauthn());
 		}
+
+		if (!this.disableDefaultRegistrationPage) {
+			http.addFilterAfter(new DefaultWebAuthnRegistrationPageGeneratingFilter(userEntities, userCredentials),
+					AuthorizationFilter.class);
+			http.addFilter(DefaultResourcesFilter.webauthn());
+		}
 	}
 
 	private <C> Optional<C> getSharedOrBean(H http, Class<C> type) {
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurerTests.java
@@ -58,6 +58,21 @@ public void javascriptWhenWebauthnConfiguredThenServesJavascript() throws Except
 			.andExpect(content().string(containsString("async function authenticate(")));
 	}
 
+	@Test
+	public void javascriptWhenWebauthnAndFormLoginThenDoesServesJavascript() throws Exception {
+		this.spring.register(FormLoginAndNoDefaultRegistrationPageConfiguration.class).autowire();
+		this.mvc.perform(get("/login/webauthn.js"))
+			.andExpect(status().isOk())
+			.andExpect(header().string("content-type", "text/javascript;charset=UTF-8"))
+			.andExpect(content().string(containsString("async function authenticate(")));
+	}
+
+	@Test
+	public void javascriptWhenWebauthnAndNoDefaultRegistrationPageThenDoesNotServeJavascript() throws Exception {
+		this.spring.register(NoDefaultRegistrationPageConfiguration.class).autowire();
+		this.mvc.perform(get("/login/webauthn.js")).andExpect(status().isNotFound());
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	static class DefaultWebauthnConfiguration {
@@ -74,4 +89,40 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 
 	}
 
+	@Configuration
+	@EnableWebSecurity
+	static class FormLoginAndNoDefaultRegistrationPageConfiguration {
+
+		@Bean
+		UserDetailsService userDetailsService() {
+			return new InMemoryUserDetailsManager();
+		}
+
+		@Bean
+		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+			return http.formLogin(Customizer.withDefaults())
+				.webAuthn((webauthn) -> webauthn.disableDefaultRegistrationPage(true))
+				.build();
+		}
+
+	}
+
+	@Configuration
+	@EnableWebSecurity
+	static class NoDefaultRegistrationPageConfiguration {
+
+		@Bean
+		UserDetailsService userDetailsService() {
+			return new InMemoryUserDetailsManager();
+		}
+
+		@Bean
+		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+			return http.formLogin((login) -> login.loginPage("/custom-login-page"))
+				.webAuthn((webauthn) -> webauthn.disableDefaultRegistrationPage(true))
+				.build();
+		}
+
+	}
+
 }
