Add CredentialRecordOwnerAuthorizationManager that verifies the
credential being deleted is owned by the currently authenticated user.
Also add an AuthorizationManager<Bytes> to WebAuthnRegistrationFilter
for the delete credential operation, defaulting to deny all, and wire it
up in WebAuthnConfigurer.
Per the WebAuthn specification [1], credential ids contain at least 16
bytes with at least 100 bits of entropy, making them practically
unguessable. The specification also advises that credential ids should
be kept private, as exposing them can leak personally identifying
information [2]. The CredentialRecordOwnerAuthorizationManager serves as
defense in depth: even if a credential id were somehow exposed, an
unauthorized user could not delete another user's credential.
[1] https://www.w3.org/TR/webauthn-3/#credential-id
[2] https://www.w3.org/TR/webauthn-3/#sctn-credential-id-privacy-leak
This use case specifically arises when using `ReactiveUserDetailsService`
without `ReactiveUserDetailsPasswordService`.
Closes gh-17986
Signed-off-by: Ronny Perinke <23166289+sephiroth-j@users.noreply.github.com>
This commit refines the check for adding AuthorizationWebProxyConfiguration
to the application context. The web-based authorization proxy support is intended
for applying Spring Security Method Security primitives to Spring Web components;
as such, this implies a dependency on Spring Security Web.
Closes gh-18307
In WebAuthn L3 spec, PublicKeyCredentialEntity.name is deprecated:
> This member is deprecated because many clients do not display it,
> but it remains a required dictionary member for backwards compatibility.
> Relying Parties MAY, as a safe default, set this equal to the RP ID.
Source: https://www.w3.org/TR/webauthn-3/#dictdef-publickeycredentialentity
Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>
This commit ensures that MFA is only performed when users opt in. By
doing so, we allow users to decide if they will opt into the semantics
of merging two Authentication instances.
Closes gh-18126
- We should not introduce an unnecessary public API
- It would need to be removed when Jackson 2 support was removed, but
was required to configure Jackson 3 support
- There are already existing interfaces that could be used
- OAuth2AuthorizationRowMapper & OAuth2AuthorizationParametersMapper had
unnecessary breaking changes by removing getter/setter for ObjectMapper
- To prevent NoClassDefFoundErrors all optional (Jackson) dependencies
need to be on different classes & we wish to preserve the existing
accessors for ObjectMapper which is this uses subclasses
- With added TestAuthenticationTokenMixin support, no need to explicitly
add it in tests
This commit introduces classpath checks and instantiation of
JacksonJsonHttpMessageConverter (based on Jackson 3) leveraging
a new GenericHttpMessageConverterAdapter which allows to adapt
SmartHttpMessageConverter to GenericHttpMessageConverter.
See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
This commit adds support for Jackson 3 which has the following
major differences with the Jackson 2 one:
- jackson subpackage instead of jackson2
- Jackson type prefix instead of Jackson2
- JsonMapper instead of ObjectMapper
- For configuration, JsonMapper.Builder instead of ObjectMapper
since the latter is now immutable
- Remove custom support for unmodifiable collections
- Use safe default typing via a PolymorphicTypeValidator
Jackson 3 changes compared to Jackson 2 are documented in
https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a
and
https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md.
This commit does not cover webauthn which is a special case (uses
jackson sub-package for Jackson 2 support) which will be handled in
a distinct commit.
See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
Previously GrantedAuthorities had an implicit package tangle because it
was located in ~.core and FactorGrantedAuthority is in ~.core.authority
and FactorGrantedAuthority's authority property was implicitly expected
to be constants found in `GrantedAuthorities`.
This commit moves the constants to the FactorGrantedAuthority which
resolves this tangle. It wasn't initially done because
FactorGrantedAuthority did not exist at that time.
Closes gh-18030
