WebAuthn4J Spring Security provides Web Authentication specification support for your Spring application by using WebAuthn4J library. Users can login with WebAuthn compliant authenticator.
This project is under active development. API signature may change.
You can find out more details from the reference.
If you are using Maven, just add the webauthn4j-spring-security as a dependency:
<properties>
...
<!-- Use the latest version whenever possible. -->
<webauthn4j-spring-security.version>0.10.0.RELEASE</webauthn4j-spring-security.version>
...
</properties>
<dependency>
<groupId>com.webauthn4j</groupId>
<artifactId>webauthn4j-spring-security-core</artifactId>
<version>${webauthn4j-spring-security.version}</version>
</dependency>
WebAuthn4J Spring Security uses a Gradle based build system.
In the instructions below, gradlew
is invoked from the root of the source tree and serves as a cross-platform,
self-contained bootstrap mechanism for the build.
- Java8 or later
- Spring Framework 5.0 or later
git clone https://github.com/webauthn4j/webauthn4j-spring-security
./gradlew build
./gradlew samples:spa:bootRun
WebAuthn4J Spring Security can be configured through Spring Security Java Config.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
@Bean
public WebAuthnAuthenticationProvider webAuthnAuthenticationProvider(WebAuthnCredentialRecordService webAuthnCredentialRecordService, WebAuthnManager webAuthnManager){
return new WebAuthnAuthenticationProvider(webAuthnCredentialRecordService, webAuthnManager);
}
@Bean
public DaoAuthenticationProvider daoAuthenticationProvider(UserDetailsService userDetailsService){
DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
daoAuthenticationProvider.setUserDetailsService(userDetailsService);
daoAuthenticationProvider.setPasswordEncoder(new BCryptPasswordEncoder());
return daoAuthenticationProvider;
}
@Bean
public AuthenticationManager authenticationManager(List<AuthenticationProvider> providers){
return new ProviderManager(providers);
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
// WebAuthn Login
http.apply(WebAuthnLoginConfigurer.webAuthnLogin())
.loginPage("/login")
.usernameParameter("username")
.passwordParameter("rawPassword")
.credentialIdParameter("credentialId")
.clientDataJSONParameter("clientDataJSON")
.authenticatorDataParameter("authenticatorData")
.signatureParameter("signature")
.clientExtensionsJSONParameter("clientExtensionsJSON")
.loginProcessingUrl("/login")
.rpId("example.com")
.attestationOptionsEndpoint()
.attestationOptionsProvider(attestationOptionsProvider)
.processingUrl("/webauthn/attestation/options")
.rp()
.name("example")
.and()
.pubKeyCredParams(
new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256),
new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.RS1)
)
.authenticatorSelection()
.authenticatorAttachment(AuthenticatorAttachment.CROSS_PLATFORM)
.residentKey(ResidentKeyRequirement.PREFERRED)
.userVerification(UserVerificationRequirement.PREFERRED)
.and()
.attestation(AttestationConveyancePreference.DIRECT)
.extensions()
.credProps(true)
.uvm(true)
.and()
.assertionOptionsEndpoint()
.assertionOptionsProvider(assertionOptionsProvider)
.processingUrl("/webauthn/assertion/options")
.rpId("example.com")
.userVerification(UserVerificationRequirement.PREFERRED)
.and()
.authenticationManager(authenticationManager);
}
}
WebAuthn4J Spring Security is Open Source software released under the Apache 2.0 license.