Add X.509 + WebAuthn Sample

servlet/spring-boot/java/authentication/mfa/x509+webauthn/README.adoc

@@ -0,0 +1,64 @@
+= X.509 + Form Login MFA Sample
+
+This sample demonstrates configuring Spring Security to require both an X.509 Certificate and a Username/Password Login in order to enter the site with full permissions.
+
+== Preparing to Use X.509
+
+This sample is intended to be used in a browser.
+As such, you should:
+
+1. Configure your browser to trust the `ca.crt` that accompanies this project
+2. Configure your browser with the `josh-keystore.p12` client certificate
+
+Both `api-keystore.p12` and `josh-keystore.p12` use keys signed by `ca.crt`.
+This means that after the above steps are performed, you can also use this application without getting a security warning in your browser.
+
+== Using the Sample
+
+To run, please use:
+
+.Java
+[source,java,role="primary"]
+----
+./gradlew :bootRun
+----
+
+This will start an application on 8443, meaning you will need to reach it using HTTPS.
+
+You can register a passkey at https://api.127.0.0.1.nip.io:8443/webauthn/register.
+
+With the client certificate (`josh-keystore.p12`) correctly installed in the browser, it will ask you which client certificate you want to you.
+Select `josh`.
+
+You will then be redirected to the PassKeys registration page where you can install a passkey.
+
+After that, navigate to https://api.127.0.0.1.nip.io:8443 and you will be redirected to page where you can provide a passkey.
+
+== Exploring the Sample
+
+The key configuration is found in the `HttpSecurity` DSL:
+
+.Java
+[source,java,role="primary"]
+----
+http
+    .x509(Customizer.withDefaults())
+    .webAuthn((webauthn) -> webauthn
+        // ...
+		.factor((f) -> f.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/webauthn")))
+	);
+----
+
+This reads, "This app requires both X.509 and WebAuthn to fully authorize; redirect to /webauthn to get the WebAuthn authority".
+
+You can instead try another arrangement like the following:
+
+.Java
+[source,java,role="primary"]
+----
+http
+    .x509(Customizer.withDefaults())
+    .oneTimeTokenLogin(Customizer.withDefaults())
+----
+
+Once `oneTimeTokenLogin` is correctly configured and once a client certificate is accepted, the application will generate a token and send it to the configured destination to continue with the login process.

servlet/spring-boot/java/authentication/mfa/x509+webauthn/build.gradle

@@ -0,0 +1,31 @@
+plugins {
+	alias(libs.plugins.io.spring.dependency.management)
+	alias(libs.plugins.org.springframework.boot)
+	id "nebula.integtest" version "8.2.0"
+	id 'java'
+}
+
+repositories {
+	mavenCentral()
+	maven { url "https://repo.spring.io/milestone" }
+	maven { url "https://repo.spring.io/snapshot" }
+}
+
+
+dependencies {
+	implementation 'org.springframework.boot:spring-boot-starter-security'
+	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
+	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation 'org.springframework.security:spring-security-webauthn'
+
+
+	implementation "com.webauthn4j:webauthn4j-core:0.29.4.RELEASE"
+
+	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+	testImplementation 'org.springframework.security:spring-security-test'
+}
+
+tasks.withType(Test).configureEach {
+	useJUnitPlatform()
+	
+}

servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/add-to-keystore

@@ -0,0 +1,44 @@
+#!/bin/bash
+set -euo pipefail
+
+KEYSTORE="${1:-}"
+if [[ -z "$KEYSTORE" ]]; then
+  echo "Usage: $0 <keystore.p12>" >&2
+  exit 1
+fi
+
+PASSWORD="password"
+
+# Set up temp workspace
+WORKDIR=$(mktemp -d)
+trap "rm -rf $WORKDIR" EXIT
+
+# Read input tar archive from stdin
+tar -C "$WORKDIR" -xf -
+
+ALIAS=$(cat "$WORKDIR/alias")
+CERT="$WORKDIR/cert.pem"
+KEY="$WORKDIR/key.pem"
+CHAIN="$WORKDIR/chain.pem"
+
+# Convert to PKCS#12 bundle
+PKCS12="$WORKDIR/temp.p12"
+openssl pkcs12 -export \
+  -inkey "$KEY" \
+  -in "$CERT" \
+  -certfile "$CHAIN" \
+  -name "$ALIAS" \
+  -out "$PKCS12" \
+  -passout pass:$PASSWORD
+
+# If alias exists, delete it
+if [[ -f "$KEYSTORE" ]]; then
+  keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" \
+    -storepass "$PASSWORD" -storetype PKCS12 || true
+fi
+
+# Import new entry
+keytool -importkeystore \
+  -destkeystore "$KEYSTORE" -deststoretype PKCS12 -deststorepass "$PASSWORD" \
+  -srckeystore "$PKCS12" -srcstoretype PKCS12 -srcstorepass "$PASSWORD" \
+  -alias "$ALIAS"

servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/add-to-truststore

@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+
+TRUSTSTORE="${1:-}"
+if [[ -z "$TRUSTSTORE" ]]; then
+  echo "Usage: $0 <truststore.p12>" >&2
+  exit 1
+fi
+
+PASSWORD="password"
+
+# Temp workspace
+WORKDIR=$(mktemp -d)
+trap "rm -rf $WORKDIR" EXIT
+
+# Extract from tar input
+tar -C "$WORKDIR" -xf -
+
+ALIAS=$(cat "$WORKDIR/alias")
+CA_CERT="$WORKDIR/ca.pem"
+DER_CERT="$WORKDIR/ca.der"
+
+# Convert to DER format for keytool
+openssl x509 -in "$CA_CERT" -outform DER -out "$DER_CERT"
+
+# If alias exists, delete
+if [[ -f "$TRUSTSTORE" ]]; then
+  keytool -delete -alias "$ALIAS" -keystore "$TRUSTSTORE" \
+    -storepass "$PASSWORD" -storetype PKCS12 || true
+fi
+
+# Import into truststore
+keytool -importcert -noprompt \
+  -alias "$ALIAS" \
+  -file "$DER_CERT" \
+  -keystore "$TRUSTSTORE" \
+  -storetype PKCS12 \
+  -storepass "$PASSWORD"

servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/ca.crt

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFDzCCAvegAwIBAgIUHzvf6/d0vmFFEYh5GHA/I8t787YwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMTG9jYWwgRGV2IENBMB4XDTI1MDcxMjE4MDM0NFoXDTM1
+MDcxMDE4MDM0NFowFzEVMBMGA1UEAwwMTG9jYWwgRGV2IENBMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAxezzB+gvNL5WeuzVvvlv21OvbbJtdP6k08Yz
+egIddIckQ2Yguuc5gHoUnNve5BVEQZmFNQihqLlzV0lFb+4QjqiH5BWKql+U7TRG
+GCLecF4VQHup5voQv6EUnVOJglc13NAjWqbP09M5aIxPNzfRv3eeZq2jLXu3aQ6Q
++mFq/cIGSlHF6KjqTTXoK1sRngZUeZi1/fhg1/9usH4L5nQ41y3D+51c5Zl+UW3w
+7bR70XkH3aX6X4xOOfZBiyp3wxrG7uQBddQAk2zu/hMTYWNAYswT15jIEk4JLH7o
+HXrVaoM5vnL0D5SaIc66JnAhwyC3E1jc7OpioFCO0Xi5XZAt3s+E0AwOpAvSomIH
+FdryfEHcbhqSUgUVof/c9PmLwtS2fVPm3LqqLjmwagO9DPDCGroNwoOKitfoH3qQ
+EtETygsKThMYLc23tLbyYsjPs5H8ro+s41aqcsCiQIhELRXwZVyCWj53o8tE4Ihh
+hdTzbzNmrBdv0H9vb3VS9SdfHYFJ409qIu+kkmsAQ8vd6e92UJXbKd/Vchmr2ogs
+7oGLIOID9KZMqe4dKKzU+ietLz0IVTWRaPz3ea7NGRIo3/yxGDMRF/Z0UwH53H+E
+crn8w/aMWeIqMq5h6sC24D9RkcVN+E5QzxvG2VS4A7CzskIrduAWl5TrBERChbiX
+wQusjYcCAwEAAaNTMFEwHQYDVR0OBBYEFLq0yPS9u7Flbh061DkXX79lvNltMB8G
+A1UdIwQYMBaAFLq0yPS9u7Flbh061DkXX79lvNltMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggIBABMh+cLO2ge0FKNkJriiBXs3ah6w/GGWVgFK6BmU
+297fM9FSV/1bQcTUe1gpudabGRsq7TthC/aK3B+79tsfudcrPKJZrK7cFkxY06xT
+3el45RQxZNYvaHRsK7nw6gExCLlYFKAatHcdvbk6xe+XZAAr4rLYg1H1n7Ddg3p/
+K3l0a/6nAyMND7T1euzijR+40EZdiXzwsgFR3R2YIWiNmLu/z3tg0HfYIgrQaOou
+Xl06qXZ1iJW1EFuF/KoxNBxyJQpHywYTvb6UuGV2UOvI3V7SzzgyBvBxOUf4djNM
+kEK1+U5lnMqSDgHWkEzNUFMlsIwIiEWSMo+deF+/9FiAQxUX85kH9O8/7t9rqzxK
+mgVccTnzvEcYyRYgL1SsCXo1oJfZ8M4OnZ/dDY0y86kngrgkIxFpPPAh0VVpyVGn
+A9CyYU7vQxTrgwHtqITMN7kNBWEAZgA82kURbZm/DDoKX5IJdcMdwvFaVk2irSyQ
+x0Px+k5eNhSGdKctXESAAUeUADpaYhRZeRI7jJDPCJGvs5or4hiA/3O8ZI5Lum12
+fKNSau4m3jbTWrD4x7zlbVES9hRB87f/uST0/yh4NfdjrspzNINWXArxPDsYs7Sf
+HDVj3RPNKVGzJEH4+J+Ohti3JTEl8hLBO3ZoMJ2uPQ44wcJAcKVL7O3QraKOfzXu
+k1d0
+-----END CERTIFICATE-----

servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/ca.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDF7PMH6C80vlZ6
+7NW++W/bU69tsm10/qTTxjN6Ah10hyRDZiC65zmAehSc297kFURBmYU1CKGouXNX
+SUVv7hCOqIfkFYqqX5TtNEYYIt5wXhVAe6nm+hC/oRSdU4mCVzXc0CNaps/T0zlo
+jE83N9G/d55mraMte7dpDpD6YWr9wgZKUcXoqOpNNegrWxGeBlR5mLX9+GDX/26w
+fgvmdDjXLcP7nVzlmX5RbfDttHvReQfdpfpfjE459kGLKnfDGsbu5AF11ACTbO7+
+ExNhY0BizBPXmMgSTgksfugdetVqgzm+cvQPlJohzromcCHDILcTWNzs6mKgUI7R
+eLldkC3ez4TQDA6kC9KiYgcV2vJ8QdxuGpJSBRWh/9z0+YvC1LZ9U+bcuqouObBq
+A70M8MIaug3Cg4qK1+gfepAS0RPKCwpOExgtzbe0tvJiyM+zkfyuj6zjVqpywKJA
+iEQtFfBlXIJaPnejy0TgiGGF1PNvM2asF2/Qf29vdVL1J18dgUnjT2oi76SSawBD
+y93p73ZQldsp39VyGavaiCzugYsg4gP0pkyp7h0orNT6J60vPQhVNZFo/Pd5rs0Z
+Eijf/LEYMxEX9nRTAfncf4RyufzD9oxZ4ioyrmHqwLbgP1GRxU34TlDPG8bZVLgD
+sLOyQit24BaXlOsEREKFuJfBC6yNhwIDAQABAoICAAkuOFFZt0f44C7ioIpYLG/r
+hMu9XbPNr/NCLdcTp3eJzuhej1eFLCShTiaaLM+H1ZH00XDMu9ZOYqw5X7Anj3Hn
+r5cWEUfLPJ1Te0DZWcVqh8RlOAq0QByhF676w7EUdaNFZNL85hhdWjvpW+Yj7WW2
+T/rBRIVgSB3BzeyWD+lmLdHxiexgEWYiAURys181gxlLpjRDHzv8edhT50LVZPPX
+UXTeeHEOfynjeuL7uk1m7Vd5m9mTllS8gY83YuwmjM/0vOm+qKnkyg9mE2Z8Bjbz
+hKQYvIcAQsYaBEXvf1wgtBpCX5rbHmzT4Kf66qqP8Fcf0xL4c6b3I1QtdTXwg63N
+nKB7IeZTeVI2k0UF4Rme4tDl9LzlhiR7SRMd76e+8684GmUAXsF7TEdXIPAlQV9y
+GsF+dit16nMZPMIhWT+M1MOV94eVLu2ncEYP1dR4bZeFprxmv6DxgtxczqVyJQ9c
+4t2ujnekssxLHnkpOrV4CbkAuD3TUJsEs3359HmjGLS+VnGJrbvjILMbqgvN5hB5
+A37Rfals4f+O0MVAyV8sToqcTv2tGORe3aIl1JeExElTMl8ij+a9sRWwUDic1xTI
+F6YsRdyWLrCpwe00mlmb+ZlHqDObFbTHTKpUQoqxKUxn3uxsxPK6sLFjLg3sCa6X
+kuUS88uZwk76l3pGwltpAoIBAQDnNx80QvApz5M4/jp6vE6sAgyyDGwoqX1850ly
+tzCiCbKC0/9uVF2wpcRScjZOjIkdQ6ROKTDZiC9fFMbdbORhCjKa1fG9OKCIr2uQ
+KKgyhtjBSyzCMpFX7djbZrkSNVAGsvlTNrg2ANUoy9amm5rJoXJfuhDwdgc50uey
+NHU6CmAWIaBUHlpEtV9ABURLh8Ipj+4QiK4ufsOJgUWNWwoaSL73x4HKVPrG7jc0
+EJ/U9oIGvSjE0Q41u6y+9LODSteN4gkp4dcHWpEJnk/xUWOojT/kbKjKfzKLTajA
++1KmLR1piAH59gx3C6zwRllFJBoB9a030cdIjU9a0XypSu+lAoIBAQDbJE9CNfRr
+es1vAA9ukNvpF6WLg8TTr1VR5mSweb4SGIlKqe+5kd87c73EhJYiE0tr7ZsqHKCF
+p6OqvhV65ICl6214Hd4qV+J5rPxWUTEs7SWxdl2JVmCGZpn3nFWFwF7DQfJYihX3
+D9HyMpzJg2HLZRv29WFrhQ4JdTdPi31/UW17ECUkqal9Z7XZSVvWR3SfbUImrI9x
+eX7SqKusindv974obJFEo01UmFITwVtInSf1T+Xc3twvqOSZD7DnABJx68vUwxyo
+EZlPKKT1fCNXlFUKQoPmG+y742IThAPiN89UfDahbecJ+HZUrfrK8UUDcVV5KkBH
+9CSFb+kHGYC7AoIBAG46rTmxH+YO+9UT/rU8yRTf9UV8/qN0CktdyHpUM29MyDnu
+77udpPzuSmYz5QgVn9i/wrkwkgVjE5J0yUoO++H3hqCilpjrQj1nxBP6DhXoi7W7
+LR94FCqjTdtrYZf4qqpG8O5nC/NS+kx0wWS0klrGCUzx29mHq3I5xhQDRk/hWmWy
+qkjwH4DaJwrSd/i6RCqkX46qWr/31yja5Fm7qVlWjRR7nLjlQplMQC0mL8zLqLml
+vKX4NJoRWw2+g0Z4i8Msm8nHzUfIOZUoUFxvvN9CV8+CrgW8FlCrOWSnbIOkxnzl
+RmvwjYjDnDMAltaLm4qLoYUXEbbZB5f4f0IGY7ECggEARS38O2mvBHMbAUyikoP2
+eGo3n4h0jWMPazBxXui/4RSP2ts0y39KWolaQfydLJqst6Cl2DB7WFYoq9EgFNCn
+8DkXMNE0/mcKHuFGM7Wj8YvX12MHekCjbipbtrhKo1OsVrWt3NeSwZDj9TKXHmJ0
+b/I2Vsr1+yxg1wmC8YCWmKfLCQt6vk01LVqdJMAs1sNuBJpIRM865Va2e6g1sd1w
+gQ9Tn41Oer2WvvrrBkOHHrBGGgIkDYrpNb56k/tJHFOAfygyC7Ogi0oq/LtXAAw1
+WAOCqR+AZhcwr8vDfWeyliqKMCCaWnHIevRN3sOhpYlvAPw5QGvfKRfgo6NFjDE3
+2wKCAQEAkd3F5feBAPiGr354kyGmKGSUC1KKmaNCQCthPxt6Wb0QRHBa4yj6sHf5
+YcoL0WLFEIftKFDsbCMPLSbLE2SvsWFQmHu7L4B7xdd+0jcAcM5eOBcTqSptCc/v
+uVMRANhYlgXQqtPHp1q2uBkC2++aE/yuGmrngyIkwP9ewyzLmsZBSpIrGB//qav6
+DzRATKwF9YI6+v67CFkBLSQ5JES07FWxQSp3aMHCiuGsKfOk+wj2yhMi7KMHZA82
+0fJ7c7heUedFu3+Gt5nJR/bdgC7Tva9iDo/UC7FTmMF0ZU18fXAtzDh2pYoTm3o3
+UZaWgz2MB+hNvTCg+8toreA0o4/SiA==
+-----END PRIVATE KEY-----

servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/ca.pem

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFDzCCAvegAwIBAgIUHzvf6/d0vmFFEYh5GHA/I8t787YwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMTG9jYWwgRGV2IENBMB4XDTI1MDcxMjE4MDM0NFoXDTM1
+MDcxMDE4MDM0NFowFzEVMBMGA1UEAwwMTG9jYWwgRGV2IENBMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAxezzB+gvNL5WeuzVvvlv21OvbbJtdP6k08Yz
+egIddIckQ2Yguuc5gHoUnNve5BVEQZmFNQihqLlzV0lFb+4QjqiH5BWKql+U7TRG
+GCLecF4VQHup5voQv6EUnVOJglc13NAjWqbP09M5aIxPNzfRv3eeZq2jLXu3aQ6Q
++mFq/cIGSlHF6KjqTTXoK1sRngZUeZi1/fhg1/9usH4L5nQ41y3D+51c5Zl+UW3w
+7bR70XkH3aX6X4xOOfZBiyp3wxrG7uQBddQAk2zu/hMTYWNAYswT15jIEk4JLH7o
+HXrVaoM5vnL0D5SaIc66JnAhwyC3E1jc7OpioFCO0Xi5XZAt3s+E0AwOpAvSomIH
+FdryfEHcbhqSUgUVof/c9PmLwtS2fVPm3LqqLjmwagO9DPDCGroNwoOKitfoH3qQ
+EtETygsKThMYLc23tLbyYsjPs5H8ro+s41aqcsCiQIhELRXwZVyCWj53o8tE4Ihh
+hdTzbzNmrBdv0H9vb3VS9SdfHYFJ409qIu+kkmsAQ8vd6e92UJXbKd/Vchmr2ogs
+7oGLIOID9KZMqe4dKKzU+ietLz0IVTWRaPz3ea7NGRIo3/yxGDMRF/Z0UwH53H+E
+crn8w/aMWeIqMq5h6sC24D9RkcVN+E5QzxvG2VS4A7CzskIrduAWl5TrBERChbiX
+wQusjYcCAwEAAaNTMFEwHQYDVR0OBBYEFLq0yPS9u7Flbh061DkXX79lvNltMB8G
+A1UdIwQYMBaAFLq0yPS9u7Flbh061DkXX79lvNltMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggIBABMh+cLO2ge0FKNkJriiBXs3ah6w/GGWVgFK6BmU
+297fM9FSV/1bQcTUe1gpudabGRsq7TthC/aK3B+79tsfudcrPKJZrK7cFkxY06xT
+3el45RQxZNYvaHRsK7nw6gExCLlYFKAatHcdvbk6xe+XZAAr4rLYg1H1n7Ddg3p/
+K3l0a/6nAyMND7T1euzijR+40EZdiXzwsgFR3R2YIWiNmLu/z3tg0HfYIgrQaOou
+Xl06qXZ1iJW1EFuF/KoxNBxyJQpHywYTvb6UuGV2UOvI3V7SzzgyBvBxOUf4djNM
+kEK1+U5lnMqSDgHWkEzNUFMlsIwIiEWSMo+deF+/9FiAQxUX85kH9O8/7t9rqzxK
+mgVccTnzvEcYyRYgL1SsCXo1oJfZ8M4OnZ/dDY0y86kngrgkIxFpPPAh0VVpyVGn
+A9CyYU7vQxTrgwHtqITMN7kNBWEAZgA82kURbZm/DDoKX5IJdcMdwvFaVk2irSyQ
+x0Px+k5eNhSGdKctXESAAUeUADpaYhRZeRI7jJDPCJGvs5or4hiA/3O8ZI5Lum12
+fKNSau4m3jbTWrD4x7zlbVES9hRB87f/uST0/yh4NfdjrspzNINWXArxPDsYs7Sf
+HDVj3RPNKVGzJEH4+J+Ohti3JTEl8hLBO3ZoMJ2uPQ44wcJAcKVL7O3QraKOfzXu
+k1d0
+-----END CERTIFICATE-----

servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/ca.srl

@@ -0,0 +1 @@
+3232A5577A1F2B5B0AF818CC1E125BA8B9AA228F

servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/generate-ca

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -euo pipefail
+
+CA_KEY="ca.key"
+CA_CERT="ca.pem"
+
+if [[ -f "$CA_KEY" && -f "$CA_CERT" ]]; then
+  echo "✅ CA already exists: $CA_KEY, $CA_CERT"
+  exit 0
+fi
+
+echo "🔧 Generating root CA..."
+
+openssl genrsa -out "$CA_KEY" 4096
+
+openssl req -x509 -new -nodes -key "$CA_KEY" \
+  -sha256 -days 3650 \
+  -out "$CA_CERT" \
+  -subj "/CN=Local Dev CA"
+
+echo "✅ Root CA created: $CA_CERT"

servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/generate-cert

@@ -0,0 +1,52 @@
+#!/bin/bash
+set -euo pipefail
+
+CN="${1:-}"
+HOST="${2:-}"
+
+if [[ -z "$CN" || -z "$HOST" ]]; then
+  echo "Usage: $0 <CN> <HOST>" >&2
+  exit 1
+fi
+
+# Set up working temp dir
+WORKDIR=$(mktemp -d)
+trap "rm -rf $WORKDIR" EXIT
+
+CA_KEY="ca.key"
+CA_CERT="ca.pem"
+
+# === Ensure CA exists ===
+if [[ ! -f $CA_KEY || ! -f $CA_CERT ]]; then
+  echo "🔧 Generating CA..."
+  openssl genrsa -out $CA_KEY 4096
+  openssl req -x509 -new -nodes -key $CA_KEY -sha256 -days 3650 -out $CA_CERT \
+    -subj "/CN=Local Dev CA"
+fi
+
+# === Generate key and CSR ===
+openssl genrsa -out "$WORKDIR/key.pem" 2048
+openssl req -new -key "$WORKDIR/key.pem" -out "$WORKDIR/cert.csr" \
+  -subj "/CN=$CN"
+
+cat > "$WORKDIR/cert.ext" <<EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = DNS:$HOST
+EOF
+
+# === Sign cert ===
+openssl x509 -req \
+  -in "$WORKDIR/cert.csr" \
+  -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
+  -out "$WORKDIR/cert.pem" -days 825 -sha256 -extfile "$WORKDIR/cert.ext"
+
+# === Build full chain and mark alias ===
+cat "$WORKDIR/cert.pem" "$CA_CERT" > "$WORKDIR/chain.pem"
+cp "$CA_CERT" "$WORKDIR/ca.pem"
+echo "$CN" > "$WORKDIR/alias"
+
+# === Emit tarball to stdout ===
+tar -C "$WORKDIR" -cf - cert.pem key.pem chain.pem ca.pem alias

servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/generate-stores

@@ -0,0 +1,56 @@
+#!/bin/bash
+set -euo pipefail
+
+# Ensure CA exists
+generate-ca
+
+# Shared configuration
+PASSWORD="password"
+HOST="localhost"
+
+# App definitions: CN, keystore name, truststore name
+declare -A APPS=(
+  [api]="api"
+  [client]="josh"
+)
+
+# Ensure required scripts are on PATH
+for cmd in generate-cert add-to-keystore add-to-truststore; do
+  if ! command -v $cmd >/dev/null 2>&1; then
+    echo "❌ Required script '$cmd' not found in PATH" >&2
+    exit 1
+  fi
+done
+
+# Generate certs and populate keystores and truststores
+for APP in "${!APPS[@]}"; do
+  CN="${APPS[$APP]}"
+  KEYSTORE="${CN}-keystore.p12"
+
+  echo "🔐 Generating and installing cert for $APP ($CN)..."
+
+  # Generate cert and install in own keystore
+  generate-cert "$CN" "$APP.127.0.0.1.nip.io" | tee >(add-to-keystore "$KEYSTORE") > "${CN}-bundle.tar"
+
+done
+
+# Second pass: truststores — each app must trust all
+for RECEIVER in "${!APPS[@]}"; do
+  RECEIVER_CN="${APPS[$RECEIVER]}"
+  TRUSTSTORE="${RECEIVER_CN}-truststore.p12"
+
+  echo "🤝 Updating truststore for $RECEIVER..."
+
+  for ISSUER in "${!APPS[@]}"; do
+    ISSUER_CN="${APPS[$ISSUER]}"
+    BUNDLE="${ISSUER_CN}-bundle.tar"
+
+    echo "  ↪ Trusting $ISSUER ($ISSUER_CN)"
+    cat "$BUNDLE" | add-to-truststore "$TRUSTSTORE"
+  done
+done
+
+# Cleanup bundles
+rm -f ./*-bundle.tar
+
+echo "✅ All keystores and truststores generated successfully."

servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle.properties

@@ -0,0 +1,4 @@
+version=6.1.1
+spring-security.version=7.0.0-SNAPSHOT
+org.gradle.jvmargs=-Xmx6g -XX:+HeapDumpOnOutOfMemoryError
+org.gradle.caching=true

servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/libs.versions.toml

@@ -0,0 +1 @@
+../../../../../../../gradle/libs.versions.toml

servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/wrapper/gradle-wrapper.properties

@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists

servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradlew

@@ -0,0 +1,240 @@
+#!/bin/sh
+
+#
+# Copyright © 2015-2021 the original authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+##############################################################################
+#
+#   Gradle start up script for POSIX generated by Gradle.
+#
+#   Important for running:
+#
+#   (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is
+#       noncompliant, but you have some other compliant shell such as ksh or
+#       bash, then to run this script, type that shell name before the whole
+#       command line, like:
+#
+#           ksh Gradle
+#
+#       Busybox and similar reduced shells will NOT work, because this script
+#       requires all of these POSIX shell features:
+#         * functions;
+#         * expansions «$var», «${var}», «${var:-default}», «${var+SET}»,
+#           «${var#prefix}», «${var%suffix}», and «$( cmd )»;
+#         * compound commands having a testable exit status, especially «case»;
+#         * various built-in commands including «command», «set», and «ulimit».
+#
+#   Important for patching:
+#
+#   (2) This script targets any POSIX shell, so it avoids extensions provided
+#       by Bash, Ksh, etc; in particular arrays are avoided.
+#
+#       The "traditional" practice of packing multiple parameters into a
+#       space-separated string is a well documented source of bugs and security
+#       problems, so this is (mostly) avoided, by progressively accumulating
+#       options in "$@", and eventually passing that to Java.
+#
+#       Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS,
+#       and GRADLE_OPTS) rely on word-splitting, this is performed explicitly;
+#       see the in-line comments for details.
+#
+#       There are tweaks for specific operating systems such as AIX, CygWin,
+#       Darwin, MinGW, and NonStop.
+#
+#   (3) This script is generated from the Groovy template
+#       https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       within the Gradle project.
+#
+#       You can find Gradle at https://github.com/gradle/gradle/.
+#
+##############################################################################
+
+# Attempt to set APP_HOME
+
+# Resolve links: $0 may be a link
+app_path=$0
+
+# Need this for daisy-chained symlinks.
+while
+    APP_HOME=${app_path%"${app_path##*/}"}  # leaves a trailing /; empty if no leading path
+    [ -h "$app_path" ]
+do
+    ls=$( ls -ld "$app_path" )
+    link=${ls#*' -> '}
+    case $link in             #(
+      /*)   app_path=$link ;; #(
+      *)    app_path=$APP_HOME$link ;;
+    esac
+done
+
+APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+
+APP_NAME="Gradle"
+APP_BASE_NAME=${0##*/}
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+
+# Use the maximum available, or set MAX_FD != -1 to use that value.
+MAX_FD=maximum
+
+warn () {
+    echo "$*"
+} >&2
+
+die () {
+    echo
+    echo "$*"
+    echo
+    exit 1
+} >&2
+
+# OS specific support (must be 'true' or 'false').
+cygwin=false
+msys=false
+darwin=false
+nonstop=false
+case "$( uname )" in                #(
+  CYGWIN* )         cygwin=true  ;; #(
+  Darwin* )         darwin=true  ;; #(
+  MSYS* | MINGW* )  msys=true    ;; #(
+  NONSTOP* )        nonstop=true ;;
+esac
+
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
+
+
+# Determine the Java command to use to start the JVM.
+if [ -n "$JAVA_HOME" ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+        # IBM's JDK on AIX uses strange locations for the executables
+        JAVACMD=$JAVA_HOME/jre/sh/java
+    else
+        JAVACMD=$JAVA_HOME/bin/java
+    fi
+    if [ ! -x "$JAVACMD" ] ; then
+        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+    fi
+else
+    JAVACMD=java
+    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+fi
+
+# Increase the maximum file descriptors if we can.
+if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
+    case $MAX_FD in #(
+      max*)
+        MAX_FD=$( ulimit -H -n ) ||
+            warn "Could not query maximum file descriptor limit"
+    esac
+    case $MAX_FD in  #(
+      '' | soft) :;; #(
+      *)
+        ulimit -n "$MAX_FD" ||
+            warn "Could not set maximum file descriptor limit to $MAX_FD"
+    esac
+fi
+
+# Collect all arguments for the java command, stacking in reverse order:
+#   * args from the command line
+#   * the main class name
+#   * -classpath
+#   * -D...appname settings
+#   * --module-path (only if needed)
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables.
+
+# For Cygwin or MSYS, switch paths to Windows format before running java
+if "$cygwin" || "$msys" ; then
+    APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
+    CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
+
+    JAVACMD=$( cygpath --unix "$JAVACMD" )
+
+    # Now convert the arguments - kludge to limit ourselves to /bin/sh
+    for arg do
+        if
+            case $arg in                                #(
+              -*)   false ;;                            # don't mess with options #(
+              /?*)  t=${arg#/} t=/${t%%/*}              # looks like a POSIX filepath
+                    [ -e "$t" ] ;;                      #(
+              *)    false ;;
+            esac
+        then
+            arg=$( cygpath --path --ignore --mixed "$arg" )
+        fi
+        # Roll the args list around exactly as many times as the number of
+        # args, so each arg winds up back in the position where it started, but
+        # possibly modified.
+        #
+        # NB: a `for` loop captures its iteration list before it begins, so
+        # changing the positional parameters here affects neither the number of
+        # iterations, nor the values presented in `arg`.
+        shift                   # remove old arg
+        set -- "$@" "$arg"      # push replacement arg
+    done
+fi
+
+# Collect all arguments for the java command;
+#   * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
+#     shell script including quotes and variable substitutions, so put them in
+#     double quotes to make sure that they get re-expanded; and
+#   * put everything else in single quotes, so that it's not re-expanded.
+
+set -- \
+        "-Dorg.gradle.appname=$APP_BASE_NAME" \
+        -classpath "$CLASSPATH" \
+        org.gradle.wrapper.GradleWrapperMain \
+        "$@"
+
+# Stop when "xargs" is not available.
+if ! command -v xargs >/dev/null 2>&1
+then
+    die "xargs is not available"
+fi
+
+# Use "xargs" to parse quoted args.
+#
+# With -n1 it outputs one arg per line, with the quotes and backslashes removed.
+#
+# In Bash we could simply go:
+#
+#   readarray ARGS < <( xargs -n1 <<<"$var" ) &&
+#   set -- "${ARGS[@]}" "$@"
+#
+# but POSIX shell has neither arrays nor command substitution, so instead we
+# post-process each arg (as a line of input to sed) to backslash-escape any
+# character that might be a shell metacharacter, then use eval to reverse
+# that process (while maintaining the separation between arguments), and wrap
+# the whole thing up as a single "set" statement.
+#
+# This will of course break if any of these variables contains a newline or
+# an unmatched quote.
+#
+
+eval "set -- $(
+        printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" |
+        xargs -n1 |
+        sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' |
+        tr '\n' ' '
+    )" '"$@"'
+
+exec "$JAVACMD" "$@"

servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradlew.bat

@@ -0,0 +1,91 @@
+@rem
+@rem Copyright 2015 the original author or authors.
+@rem
+@rem Licensed under the Apache License, Version 2.0 (the "License");
+@rem you may not use this file except in compliance with the License.
+@rem You may obtain a copy of the License at
+@rem
+@rem      https://www.apache.org/licenses/LICENSE-2.0
+@rem
+@rem Unless required by applicable law or agreed to in writing, software
+@rem distributed under the License is distributed on an "AS IS" BASIS,
+@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+@rem See the License for the specific language governing permissions and
+@rem limitations under the License.
+@rem
+
+@if "%DEBUG%"=="" @echo off
+@rem ##########################################################################
+@rem
+@rem  Gradle startup script for Windows
+@rem
+@rem ##########################################################################
+
+@rem Set local scope for the variables with windows NT shell
+if "%OS%"=="Windows_NT" setlocal
+
+set DIRNAME=%~dp0
+if "%DIRNAME%"=="" set DIRNAME=.
+set APP_BASE_NAME=%~n0
+set APP_HOME=%DIRNAME%
+
+@rem Resolve any "." and ".." in APP_HOME to make it shorter.
+for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
+
+@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
+
+@rem Find java.exe
+if defined JAVA_HOME goto findJavaFromJavaHome
+
+set JAVA_EXE=java.exe
+%JAVA_EXE% -version >NUL 2>&1
+if %ERRORLEVEL% equ 0 goto execute
+
+echo.
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:findJavaFromJavaHome
+set JAVA_HOME=%JAVA_HOME:"=%
+set JAVA_EXE=%JAVA_HOME%/bin/java.exe
+
+if exist "%JAVA_EXE%" goto execute
+
+echo.
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:execute
+@rem Setup the command line
+
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
+
+
+@rem Execute Gradle
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
+
+:end
+@rem End local scope for the variables with windows NT shell
+if %ERRORLEVEL% equ 0 goto mainEnd
+
+:fail
+rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
+rem the _cmd.exe /c_ return code!
+set EXIT_CODE=%ERRORLEVEL%
+if %EXIT_CODE% equ 0 set EXIT_CODE=1
+if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
+exit /b %EXIT_CODE%
+
+:mainEnd
+if "%OS%"=="Windows_NT" endlocal
+
+:omega

servlet/spring-boot/java/authentication/mfa/x509+webauthn/settings.gradle

@@ -0,0 +1,8 @@
+pluginManagement {
+    repositories {
+        mavenCentral()
+        gradlePluginPortal()
+        maven { url 'https://repo.spring.io/milestone' }
+        maven { url "https://repo.spring.io/snapshot" }
+    }
+}

servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.authorization.EnableGlobalMultiFactorAuthentication;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_WEBAUTHN_AUTHORITY;
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_X509_AUTHORITY;
+
+@Configuration
+@EnableGlobalMultiFactorAuthentication(authorities = { FACTOR_X509_AUTHORITY, FACTOR_WEBAUTHN_AUTHORITY})
+public class SecurityConfig {
+
+	@Bean
+	SecurityFilterChain web(HttpSecurity http) throws Exception {
+		// @formatter:off
+		http
+			.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
+			.x509(Customizer.withDefaults())
+			.formLogin(Customizer.withDefaults())
+			.webAuthn((webauthn) -> webauthn
+				.rpId("api.127.0.0.1.nip.io")
+				.rpName("X.509+WebAuthn MFA Sample")
+				.allowedOrigins("https://api.127.0.0.1.nip.io:8443")
+			);
+		// @formatter:on
+		return http.build();
+	}
+
+	@Bean
+	public UserDetailsService userDetailsService() {
+		return new InMemoryUserDetailsManager(
+			User.withDefaultPasswordEncoder()
+				.username("josh")
+				.password("password")
+				.authorities("app")
+				.build()
+		);
+	}
+
+}

servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/X509WebAuthnMfaApplication.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * Hello Security application.
+ *
+ * @author Josh Cummings
+ */
+@SpringBootApplication
+public class X509WebAuthnMfaApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(X509WebAuthnMfaApplication.class, args);
+	}
+
+}

servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/api-keystore.p12

@@ -0,0 +1 @@
+../../../etc/api-keystore.p12

servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/api-truststore.p12

@@ -0,0 +1 @@
+../../../etc/api-truststore.p12

servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/application.properties

@@ -0,0 +1,12 @@
+# logging.level.org.springframework.security=TRACE
+
+server.port=8443
+server.ssl.enabled=true
+server.ssl.key-store-type=PKCS12
+server.ssl.key-store=classpath:api-keystore.p12
+server.ssl.key-store-password=password
+server.ssl.key-alias=api
+server.ssl.trust-store-type=PKCS12
+server.ssl.trust-store=classpath:api-truststore.p12
+server.ssl.trust-store-password=password
+server.ssl.client-auth=need

servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/templates/index.html

@@ -0,0 +1,9 @@
+<html xmlns:th="https://www.thymeleaf.org">
+<head>
+    <title>Hello Security!</title>
+</head>
+<body>
+    <h1>Hello Security</h1>
+    <a th:href="@{/logout}">Log Out</a>
+</body>
+</html>

servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/test/java/example/X509WebAuthnMfaApplicationTests.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_WEBAUTHN_AUTHORITY;
+import static org.springframework.security.core.GrantedAuthorities.FACTOR_X509_AUTHORITY;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * @author Rob Winch
+ */
+@SpringBootTest
+@AutoConfigureMockMvc
+public class X509WebAuthnMfaApplicationTests {
+	@Autowired
+	private MockMvc mvc;
+
+	@Test
+	void indexWhenUnauthenticatedThenRedirectsToLogin() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("http://localhost/login"));
+	}
+
+	@Test
+	@WithMockUser
+	void indexWhenAuthenticatedButNoFactorsThenRedirectsToLogin() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().isForbidden());
+	}
+
+	@Test
+	@WithMockUser(authorities = FACTOR_WEBAUTHN_AUTHORITY)
+	void indexWhenAuthenticatedWithWebAuthnThenForbidden() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().isForbidden());
+	}
+
+	@Test
+	@WithMockUser(authorities = FACTOR_X509_AUTHORITY)
+	void indexWhenAuthenticatedWithX509ThenRedirectsToWebAuthn() throws Exception {
+		this.mvc.perform(get("/"))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("http://localhost/login?factor=webauthn"));
+	}
+
+}

settings.gradle

@@ -54,6 +54,7 @@ include ":servlet:spring-boot:java:authentication:username-password:user-details
 include ":servlet:spring-boot:java:authentication:username-password:mfa"
 include ":servlet:spring-boot:java:authentication:mfa:formLogin+ott"
 include ":servlet:spring-boot:java:authentication:mfa:x509+formLogin"
+include ":servlet:spring-boot:java:authentication:mfa:x509+webauthn"
 include ":servlet:spring-boot:java:authentication:username-password:compromised-password-checker"
 include ":servlet:spring-boot:java:authentication:one-time-token:magic-link"
 include ":servlet:spring-boot:java:data"