Inicio Explorar Ayuda
Registro Iniciar sesión
github
/
spring-security-samples
espejo de https://github.com/spring-projects/spring-security-samples
2
0
Fork 0
Archivos Incidencias 0 Wiki
Árbol: 6810915077
Ramas Etiquetas
spring-security...
/
servlet
/
spring-boot
/
java
/
authentication
/
mfa
/
x509+webauthn
/
README.adoc

README.adoc 2.1 KB
Histórico Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 
  1. = X.509 + Form Login MFA Sample
    2. 

  2. 

  3. This sample demonstrates configuring Spring Security to require both an X.509 Certificate and a Username/Password Login in order to enter the site with full permissions.
    4. 

  4. 

  5. == Preparing to Use X.509
    6. 

  6. 

  7. This sample is intended to be used in a browser.
    8. 

  8. As such, you should:
    9. 

  9. 

  10. 1. Configure your browser to trust the `ca.crt` that accompanies this project
    11. 

  11. 2. Configure your browser with the `josh-keystore.p12` client certificate
    12. 

  12. 

  13. Both `api-keystore.p12` and `josh-keystore.p12` use keys signed by `ca.crt`.
    14. 

  14. This means that after the above steps are performed, you can also use this application without getting a security warning in your browser.
    15. 

  15. 

  16. == Using the Sample
    17. 

  17. 

  18. To run, please use:
    19. 

  19. 

  20. .Java
    21. 

  21. [source,java,role="primary"]
    22. 

  22. ----
    23. 

  23. ./gradlew :bootRun
    24. 

  24. ----
    25. 

  25. 

  26. This will start an application on 8443, meaning you will need to reach it using HTTPS.
    27. 

  27. 

  28. You can register a passkey at https://api.127.0.0.1.nip.io:8443/webauthn/register.
    29. 

  29. 

  30. With the client certificate (`josh-keystore.p12`) correctly installed in the browser, it will ask you which client certificate you want to you.
    31. 

  31. Select `josh`.
    32. 

  32. 

  33. You will then be redirected to the PassKeys registration page where you can install a passkey.
    34. 

  34. 

  35. After that, navigate to https://api.127.0.0.1.nip.io:8443 and you will be redirected to page where you can provide a passkey.
    36. 

  36. 

  37. == Exploring the Sample
    38. 

  38. 

  39. The key configuration is found in the `HttpSecurity` DSL:
    40. 

  40. 

  41. .Java
    42. 

  42. [source,java,role="primary"]
    43. 

  43. ----
    44. 

  44. http
    45. 

  45.     .x509(Customizer.withDefaults())
    46. 

  46.     .webAuthn((webauthn) -> webauthn
    47. 

  47.         // ...
    48. 

  48. 		.factor((f) -> f.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/webauthn")))
    49. 

  49. 	);
    50. 

  50. ----
    51. 

  51. 

  52. This reads, "This app requires both X.509 and WebAuthn to fully authorize; redirect to /webauthn to get the WebAuthn authority".
    53. 

  53. 

  54. You can instead try another arrangement like the following:
    55. 

  55. 

  56. .Java
    57. 

  57. [source,java,role="primary"]
    58. 

  58. ----
    59. 

  59. http
    60. 

  60.     .x509(Customizer.withDefaults())
    61. 

  61.     .oneTimeTokenLogin(Customizer.withDefaults())
    62. 

  62. ----
    63. 

  63. 

  64. Once `oneTimeTokenLogin` is correctly configured and once a client certificate is accepted, the application will generate a token and send it to the configured destination to continue with the login process.
    65.