Since we don't use any of the actuators (all are disabled except for whatever CAS sets as default), I am leaving my change by commenting out @PreAuthorize("isAuthenticated()") in WebAuthnController.java. I'm just going along finishing upgrade testing for us and will circle back to this later before we upgrade prod.

However, I do see some changes made below. I haven't had time to test whether it will resolve this issue yet; maybe it will be part of the next 7.x RC, but for now it's only in master. If I get some time I will switch to master and give it a go.
https://github.com/apereo/cas/commits/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java

On Friday, February 3, 2023 at 7:11:44 AM UTC-6 micha...@gmail.com wrote:
> Yes, I have the same registration issue.
>
> I thought I had caused this error by meddling with the Spring Security settings, but it looks like that is not the case.
>
> However, after setting up Spring Security for the webAuthnDevices actuator like this
>
> spring.security.user.name=XXX
> spring.security.user.password=YYY
> cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED
>
> then registration starts to work, but requires HTTP basic authentication.
>
> This is the Spring Security filter chain for the /webauthn/register endpoint without any additional configuration:
>
> Security filter chain: [
>   ChannelProcessingFilter
>   WebAsyncManagerIntegrationFilter
>   CorsFilter
>   CsrfFilter
>   SecurityContextHolderAwareRequestFilter
>   AnonymousAuthenticationFilter
>   ExceptionTranslationFilter
>   AuthorizationFilter
> ]
>
> And the chain with the Spring Security settings as above:
>
> Security filter chain: [
>   ChannelProcessingFilter
>   WebAsyncManagerIntegrationFilter
>   CorsFilter
>   CsrfFilter
>   BasicAuthenticationFilter
>   SecurityContextHolderAwareRequestFilter
>   AnonymousAuthenticationFilter
>   ExceptionTranslationFilter
>   AuthorizationFilter
> ]
>
> I would say that
>
> 1) setting the actuator access really influences the processing for the registration endpoint (and it should not),
>
> 2) using PERMIT or ANONYMOUS is not enough to make it work, as perhaps it does not satisfy the @PreAuthorize("isAuthenticated()") requirement.
>
> I wonder how the registration endpoint should be authenticated; I guess it cannot be left unprotected, but I fail to see how to set it up.
>
> Regards,
>
> Michal V.
>
> On 1/31/23 16:14, John wrote:
>
> I have nothing configured or defined for endpoints or actuators besides what is set by default by CAS; we have never used those. I went back and configured according to
>
> management.endpoint.webAuthnDevices.enabled=true
> management.endpoints.web.exposure.include=*
> cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT
>
> I even tried ANONYMOUS (below), which makes all actuators work; I can even pull /cas/actuator/webAuthnDevices/username anonymously and get the devices for the user. I don't think the endpoint webAuthnDevices controls the end-user registration page, as it falls under /webauthn/register and NOT /cas/actuator/webAuthnDevices
>
> cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
>
> Below is the debug output:
>
> 2023-01-31 09:05:41,149 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [org.springframework.security.access.AccessDeniedException: Access is denied] due to a type mismatch with handler [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String, String, String, boolean, String, HttpServletRequest, HttpServletResponse)]>
>
> And the browser POST response to /webauthn/register, base64 decoded, is
>
> --- !<java.util.LinkedHashMap>
> timestamp: "2023-01-31T15:05:41.161+00:00"
> status: 403
> error: "Forbidden"
> path: "/cas/webauthn/register"
>
> On Monday, January 30, 2023 at 11:16:42 PM UTC-6 micha...@gmail.com wrote:
>
>> Hi,
>> have you, by any chance, configured Spring Security for the webauthn endpoint?
>>
>> Best regards,
>>
>> Michal Vocu
>>
>> On 1/26/23 19:03, John wrote:
>>
>> When trying to register a new device, the POST request to /webauthn/register is failing from Spring Security: access denied, HTTP 403.
>>
>> Commenting out the below within (support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java) got it working again:
>>
>> @PreAuthorize("isAuthenticated()")
>>
>> Looks like it was added in the 6.4.x release. Is anyone else not having a registration issue?
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6086edf7-45e8-402f-8128-95e1f3b3a4e3n%40apereo.org.
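Why PERMIT/ANONYMOUS on the actuator never satisfies the controller's @PreAuthorize("isAuthenticated()") while HTTP basic does, shown as a small stand-alone program. This is an added example, not code from the thread or from CAS; it assumes spring-security-core (5.x or 6.x) on the classpath, and the class name IsAuthenticatedDemo and the sample principal names are hypothetical. It evaluates the same SecurityExpressionRoot.isAuthenticated() that @PreAuthorize uses against the two kinds of Authentication the filter chains in the thread can leave in the SecurityContext: the AnonymousAuthenticationToken that AnonymousAuthenticationFilter installs when no earlier filter authenticated the request (the first chain posted above), and the UsernamePasswordAuthenticationToken that BasicAuthenticationFilter installs after a successful basic login (the second chain).

```java
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Hypothetical class name; added example, not CAS or Spring Security code.
public class IsAuthenticatedDemo {

    // Evaluate the SpEL method isAuthenticated() exactly as @PreAuthorize does:
    // SecurityExpressionRoot is the root object of every @PreAuthorize expression.
    // It is abstract, so an empty anonymous subclass is enough to call it.
    // Internally isAuthenticated() is !isAnonymous(), and isAnonymous() asks the
    // default AuthenticationTrustResolverImpl whether the token is an
    // AnonymousAuthenticationToken.
    static boolean preAuthorizeIsAuthenticated(Authentication auth) {
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) { };
        return root.isAuthenticated();
    }

    // The token AnonymousAuthenticationFilter puts into the SecurityContext when
    // nothing before it (no BasicAuthenticationFilter, no session) authenticated
    // the request. This is what /webauthn/register sees with PERMIT or ANONYMOUS
    // actuator access and no spring.security.user.* settings.
    static Authentication anonymousRequest() {
        return new AnonymousAuthenticationToken(
                "anonymous-key",           // filter key, constructed sample value
                "anonymousUser",           // default anonymous principal name
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
    }

    // The token BasicAuthenticationFilter produces after a successful login with
    // spring.security.user.name / spring.security.user.password (sample values).
    static Authentication basicAuthRequest() {
        return new UsernamePasswordAuthenticationToken(
                "XXX",                     // principal; the thread's placeholder user
                null,                      // credentials are erased after authentication
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    public static void main(String[] args) {
        Authentication anon = anonymousRequest();
        Authentication basic = basicAuthRequest();

        // Note the difference between the Authentication object's own
        // isAuthenticated() flag and the @PreAuthorize expression of the same name:
        // the anonymous token is flagged "authenticated" (its constructor sets the
        // flag), yet the expression rejects it because it is anonymous.
        System.out.println("anonymous token : Authentication.isAuthenticated() = "
                + anon.isAuthenticated()
                + ", @PreAuthorize(\"isAuthenticated()\") = "
                + preAuthorizeIsAuthenticated(anon));
        System.out.println("basic-auth token: Authentication.isAuthenticated() = "
                + basic.isAuthenticated()
                + ", @PreAuthorize(\"isAuthenticated()\") = "
                + preAuthorizeIsAuthenticated(basic));
    }
}
```

Compiled against spring-security-core and run, the anonymous token evaluates the expression to false and the basic-auth token to true, even though both tokens report isAuthenticated() == true on the Authentication object itself. That is the whole story behind the thread's observations: PERMIT or ANONYMOUS on cas.monitor.endpoints.endpoint.* only changes the AuthorizationFilter's decision for the actuator path, it does not put a non-anonymous principal into the SecurityContext, so the method-level @PreAuthorize on startRegistration still fails and ExceptionTranslationFilter turns the AccessDeniedException into the 403 seen in the debug log. Adding spring.security.user.* inserts BasicAuthenticationFilter ahead of AnonymousAuthenticationFilter, so a request carrying valid basic credentials reaches the controller with a real principal and the annotation is satisfied; a request without credentials is still anonymous and still denied.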