diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java index 90bf29ae45..e589959209 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java @@ -177,6 +177,7 @@ public class WebAuthnConfigurer> WebAuthnAuthenticationFilter webAuthnAuthnFilter = new WebAuthnAuthenticationFilter(); webAuthnAuthnFilter.setAuthenticationManager( new ProviderManager(new WebAuthnAuthenticationProvider(rpOperations, userDetailsService))); + webAuthnAuthnFilter = postProcess(webAuthnAuthnFilter); WebAuthnRegistrationFilter webAuthnRegistrationFilter = new WebAuthnRegistrationFilter(userCredentials, rpOperations); PublicKeyCredentialCreationOptionsFilter creationOptionsFilter = new PublicKeyCredentialCreationOptionsFilter( diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurerTests.java index d8465e4e27..60674ab4ba 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurerTests.java @@ -23,6 +23,7 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.config.BeanPostProcessor; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpOutputMessage; @@ -42,6 +43,7 @@ import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.ui.DefaultResourcesFilter; import org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions; import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialCreationOptions; +import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter; import org.springframework.security.web.webauthn.management.WebAuthnRelyingPartyOperations; import org.springframework.security.web.webauthn.registration.HttpSessionPublicKeyCredentialCreationOptionsRepository; import org.springframework.test.web.servlet.MockMvc; @@ -88,6 +90,14 @@ public class WebAuthnConfigurerTests { .andExpect(content().string(containsString("body {"))); } + // gh-18128 + @Test + public void webAuthnAuthenticationFilterIsPostProcessed() throws Exception { + this.spring.register(DefaultWebauthnConfiguration.class, PostProcessorConfiguration.class).autowire(); + PostProcessorConfiguration postProcess = this.spring.getContext().getBean(PostProcessorConfiguration.class); + assertThat(postProcess.webauthnFilter).isNotNull(); + } + @Test public void webauthnWhenNoFormLoginAndDefaultRegistrationPageConfiguredThenServesJavascript() throws Exception { this.spring.register(NoFormLoginAndDefaultRegistrationPageConfiguration.class).autowire(); @@ -289,6 +299,26 @@ public class WebAuthnConfigurerTests { } + @Configuration(proxyBeanMethods = false) + static class PostProcessorConfiguration { + + WebAuthnAuthenticationFilter webauthnFilter; + + @Bean + BeanPostProcessor beanPostProcessor() { + return new BeanPostProcessor() { + @Override + public Object postProcessAfterInitialization(Object bean, String beanName) { + if (bean instanceof WebAuthnAuthenticationFilter filter) { + PostProcessorConfiguration.this.webauthnFilter = filter; + } + return bean; + } + }; + } + + } + @Configuration @EnableWebSecurity static class DefaultWebauthnConfiguration {