网站集约化建设情况汇报,用模板快速建站,淘宝客网站怎么做分销,免费咨询律师不收费的平台WebAuthn是无密码身份验证技术#xff0c;解决了密码泄露的风险#xff0c;主流的浏览器都支持。有很多开源的类库实现了WebAuthn规范#xff0c;Java下流行的类库有#xff1a;webauthn4jjava-webauthn-serververtx-authSpring Security官方暂时未支持WebAuthn#xff0c…WebAuthn是无密码身份验证技术解决了密码泄露的风险主流的浏览器都支持。有很多开源的类库实现了WebAuthn规范Java下流行的类库有webauthn4jjava-webauthn-serververtx-authSpring Security官方暂时未支持WebAuthn可以用webauthn4j的webauthn4j-spring-security项目它将webauthn4j和Spring Security打通项目还处于开发阶段设计上可能还会调整。但我们可以通过项目里的demo很好的学习怎么实现WebAuthn。简单介绍一下webauthn4j-spring-security中例子的打开方式。demo启动流程克隆项目git clone gitgithub.com:webauthn4j/webauthn4j-spring-security.git打包前端资源cd webauthn4j-spring-security/samples/lib/spa-angular-client
npm installPS: 这里可能会碰到打包异常是angular/cdk包版本和其他模块版本冲突了将angular/cdk改成“13.3.9”就能正常打包npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: sample-angular-client0.0.0
npm ERR! Found: angular/common13.3.12
npm ERR! node_modules/angular/common
npm ERR! angular/common^13.3.11 from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer angular/common^15.0.0 || ^16.0.0 from angular/cdk15.2.1
npm ERR! node_modules/angular/cdk
npm ERR! angular/cdk^15.1.2 from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.启动项目cd webauthn4j-spring-security
./gradlew build
./gradlew samples:spa:bootRun查看登录页访问http://localhost:8080/就会自动跳转到[http://localhost:8080/angular/login](http://localhost:8080/angular/login)HttpSecurity核心配置Bean
public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {// WebAuthn Loginhttp.apply(WebAuthnLoginConfigurer.webAuthnLogin()).usernameParameter(username).passwordParameter(password).credentialIdParameter(credentialId).clientDataJSONParameter(clientDataJSON).authenticatorDataParameter(authenticatorData).signatureParameter(signature).clientExtensionsJSONParameter(clientExtensionsJSON).loginProcessingUrl(/login).attestationOptionsEndpoint().rp().name(WebAuthn4J Spring Security Sample).and().pubKeyCredParams(new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.RS256), // Windows Hellonew PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256) // FIDO U2F Key, etc).extensions().credProps(true).and().assertionOptionsEndpoint().and().successHandler(authenticationSuccessHandler).failureHandler(authenticationFailureHandler).and().authenticationManager(authenticationManager);http.headers(headers - {// publickey-credentials-get * allows getting WebAuthn credentials to all nested browsing contexts (iframes) regardless of their origin.headers.permissionsPolicy(config - config.policy(publickey-credentials-get *));// Disable X-Frame-Options to allow cross-origin iframe accessheaders.frameOptions().disable();});// Logouthttp.logout().logoutUrl(/logout).logoutSuccessHandler(logoutSuccessHandler);// Authorizationhttp.authorizeRequests().mvcMatchers(/).permitAll().mvcMatchers(/static/**).permitAll().mvcMatchers(/angular/**).permitAll().mvcMatchers(/webjars/**).permitAll().mvcMatchers(/favicon.ico).permitAll().mvcMatchers(/api/auth/status).permitAll().mvcMatchers(HttpMethod.GET, /login).permitAll().mvcMatchers(HttpMethod.POST, /api/profile).permitAll().mvcMatchers(/health/**).permitAll().mvcMatchers(/info/**).permitAll().mvcMatchers(/h2-console/**).denyAll().mvcMatchers(/api/admin/**).access(hasRole(ADMIN_ROLE) and isAuthenticated()).anyRequest().access(webAuthnSecurityExpression.isWebAuthnAuthenticated(authentication) || hasAuthority(SINGLE_FACTOR_AUTHN_ALLOWED));http.sessionManagement().sessionAuthenticationFailureHandler(authenticationFailureHandler);http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint).accessDeniedHandler(accessDeniedHandler);// As WebAuthn has its own CSRF protection mechanism (challenge), CSRF token is disabled herehttp.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());http.csrf().ignoringAntMatchers(/webauthn/**);return http.build();
}这个方法将SpringSecurity需要的配置基本都说清楚了除了#1、#2跟WebAuthn直接相关其他几点都是SpringSecurity常规配置。添加了自定义的WebAuthnLoginConfigurer描述登录页面的URL、字段名等信息通过pubKeyCredParams描述服务器可接受的公钥类型的对象数组。设置自定义的authenticationManager、successHandler、failureHandler等设置http的header设置authorizeRequests控制权限设置session和exceptionHandling设置Csrf配置引用体验WebAuthn登录https://webauthn.io/
