Merge branch 'spring-projects:main' into feature/AbstractConfiguredSecurityBuilder-getSharedObject-nullable-ann

Author: ghusta

.github/dependabot.yml

@@ -111,11 +111,3 @@ updates:
     labels:
       - 'type: task'
       - 'in: build'
-  - package-ecosystem: npm
-    target-branch: 6.3.x
-    directory: /docs
-    schedule:
-      interval: weekly
-    labels:
-      - 'type: task'
-      - 'in: build'

.github/workflows/continuous-integration-workflow.yml

@@ -35,13 +35,6 @@ jobs:
       should-deploy-artifacts: ${{ needs.build.outputs.should-deploy-artifacts }}
       default-publish-milestones-central: true
     secrets: inherit
-  deploy-docs:
-    name: Deploy Docs
-    needs: [ build ]
-    uses: spring-io/spring-security-release-tools/.github/workflows/deploy-docs.yml@v1
-    with:
-      should-deploy-docs: ${{ needs.build.outputs.should-deploy-artifacts }}
-    secrets: inherit
   deploy-schema:
     name: Deploy Schema
     needs: [ build ]
@@ -51,7 +44,7 @@ jobs:
     secrets: inherit
   perform-release:
     name: Perform Release
-    needs: [ deploy-artifacts, deploy-docs, deploy-schema ]
+    needs: [ deploy-artifacts, deploy-schema ]
     uses: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml@v1
     with:
       should-perform-release: ${{ needs.deploy-artifacts.outputs.artifacts-deployed }}

build.gradle

@@ -42,7 +42,7 @@ springRelease {
 	weekOfMonth = 3
 	dayOfWeek = 1
 	referenceDocUrl = "https://docs.spring.io/spring-security/reference/{version}/index.html"
-	apiDocUrl = "https://docs.spring.io/spring-security/site/docs/{version}/api/"
+	apiDocUrl = "https://docs.spring.io/spring-security/reference/{version}/api/java/index.html"
 	replaceSnapshotVersionInReferenceDocUrl = true
 }
 

buildSrc/src/main/groovy/io/spring/gradle/convention/DeployDocsPlugin.groovy

@@ -17,7 +17,6 @@ public class DocsPlugin implements Plugin<Project> {
 
 		PluginManager pluginManager = project.getPluginManager();
 		pluginManager.apply(BasePlugin);
-		pluginManager.apply(DeployDocsPlugin);
 		pluginManager.apply(JavadocApiPlugin);
 
 		Task docsZip = project.tasks.create('docsZip', Zip) {

buildSrc/src/main/groovy/io/spring/gradle/convention/DocsPlugin.groovy

@@ -30,16 +30,6 @@ ossrh: {
 		}
 	}
 },
-docs: {
-	stage('Deploy Docs') {
-		node {
-			checkout scm
-			withCredentials([file(credentialsId: 'docs.spring.io-jenkins_private_ssh_key', variable: 'DEPLOY_SSH_KEY')]) {
-				sh "./gradlew deployDocs -PdeployDocsSshKeyPath=$DEPLOY_SSH_KEY -PdeployDocsSshUsername=$SPRING_DOCS_USERNAME --refresh-dependencies --no-daemon --stacktrace"
-			}
-		}
-	}
-},
 schema: {
 	stage('Deploy Schema') {
 		node {
@@ -49,4 +39,4 @@ schema: {
 			}
 		}
 	}
-}
+}

buildSrc/src/test/resources/samples/showcase/Jenkinsfile

@@ -31,6 +31,7 @@
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.openqa.selenium.By;
 import org.openqa.selenium.WebDriverException;
@@ -55,6 +56,7 @@
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.util.StringUtils;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 import org.springframework.web.filter.DelegatingFilterProxy;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
@@ -67,7 +69,7 @@
  *
  * @author Daniel Garnier-Moiroux
  */
-@org.junit.jupiter.api.Disabled
+@Disabled
 class WebAuthnWebDriverTests {
 
 	private String baseUrl;
@@ -82,6 +84,8 @@ class WebAuthnWebDriverTests {
 
 	private static final String PASSWORD = "password";
 
+	private String authenticatorId = null;
+
 	@BeforeAll
 	static void startChromeDriverService() throws Exception {
 		driverService = new ChromeDriverService.Builder().usingAnyFreePort().build();
@@ -144,7 +148,7 @@ void cleanupDriver() {
 	@Test
 	void loginWhenNoValidAuthenticatorCredentialsThenRejects() {
 		createVirtualAuthenticator(true);
-		this.driver.get(this.baseUrl);
+		this.getAndWait("/", "/login");
 		this.driver.findElement(signinWithPasskeyButton()).click();
 		await(() -> assertThat(this.driver.getCurrentUrl()).endsWith("/login?error"));
 	}
@@ -153,7 +157,7 @@ void loginWhenNoValidAuthenticatorCredentialsThenRejects() {
 	void registerWhenNoLabelThenRejects() {
 		login();
 
-		this.driver.get(this.baseUrl + "/webauthn/register");
+		this.getAndWait("/webauthn/register");
 
 		this.driver.findElement(registerPasskeyButton()).click();
 		assertHasAlertStartingWith("error", "Error: Passkey Label is required");
@@ -163,7 +167,7 @@ void registerWhenNoLabelThenRejects() {
 	void registerWhenAuthenticatorNoUserVerificationThenRejects() {
 		createVirtualAuthenticator(false);
 		login();
-		this.driver.get(this.baseUrl + "/webauthn/register");
+		this.getAndWait("/webauthn/register");
 		this.driver.findElement(passkeyLabel()).sendKeys("Virtual authenticator");
 		this.driver.findElement(registerPasskeyButton()).click();
 
@@ -178,7 +182,8 @@ void registerWhenAuthenticatorNoUserVerificationThenRejects() {
 	 * <li>Step 1: Log in with username / password</li>
 	 * <li>Step 2: Register a credential from the virtual authenticator</li>
 	 * <li>Step 3: Log out</li>
-	 * <li>Step 4: Log in with the authenticator</li>
+	 * <li>Step 4: Log in with the authenticator (no allowCredentials)</li>
+	 * <li>Step 5: Log in again with the same authenticator (with allowCredentials)</li>
 	 * </ul>
 	 */
 	@Test
@@ -190,7 +195,7 @@ void loginWhenAuthenticatorRegisteredThenSuccess() {
 		login();
 
 		// Step 2: register a credential from the virtual authenticator
-		this.driver.get(this.baseUrl + "/webauthn/register");
+		this.getAndWait("/webauthn/register");
 		this.driver.findElement(passkeyLabel()).sendKeys("Virtual authenticator");
 		this.driver.findElement(registerPasskeyButton()).click();
 
@@ -212,9 +217,58 @@ void loginWhenAuthenticatorRegisteredThenSuccess() {
 		logout();
 
 		// Step 4: log in with the virtual authenticator
-		this.driver.get(this.baseUrl + "/webauthn/register");
+		this.getAndWait("/webauthn/register", "/login");
 		this.driver.findElement(signinWithPasskeyButton()).click();
 		await(() -> assertThat(this.driver.getCurrentUrl()).endsWith("/webauthn/register?continue"));
+
+		// Step 5: authenticate while being already logged in
+		// This simulates some use-cases with MFA. Since the user is already logged in,
+		// the "allowCredentials" property is populated
+		this.getAndWait("/login");
+		this.driver.findElement(signinWithPasskeyButton()).click();
+		await(() -> assertThat(this.driver.getCurrentUrl()).endsWith("/"));
+	}
+
+	@Test
+	void registerWhenAuthenticatorAlreadyRegisteredThenRejects() {
+		createVirtualAuthenticator(true);
+		login();
+		registerAuthenticator("Virtual authenticator");
+
+		// Cannot re-register the same authenticator because excludeCredentials
+		// is not empty and contains the given authenticator
+		this.driver.findElement(passkeyLabel()).sendKeys("Same authenticator");
+		this.driver.findElement(registerPasskeyButton()).click();
+
+		await(() -> assertHasAlertStartingWith("error", "Registration failed"));
+	}
+
+	@Test
+	void registerSecondAuthenticatorThenSucceeds() {
+		createVirtualAuthenticator(true);
+		login();
+
+		registerAuthenticator("Virtual authenticator");
+		this.getAndWait("/webauthn/register");
+		List<WebElement> passkeyRows = this.driver.findElements(passkeyTableRows());
+		assertThat(passkeyRows).hasSize(1)
+			.first()
+			.extracting((row) -> row.findElement(firstCell()))
+			.extracting(WebElement::getText)
+			.isEqualTo("Virtual authenticator");
+
+		// Create second authenticator and register
+		removeAuthenticator();
+		createVirtualAuthenticator(true);
+		registerAuthenticator("Second virtual authenticator");
+
+		this.getAndWait("/webauthn/register");
+
+		passkeyRows = this.driver.findElements(passkeyTableRows());
+		assertThat(passkeyRows).hasSize(2)
+			.extracting((row) -> row.findElement(firstCell()))
+			.extracting(WebElement::getText)
+			.contains("Second virtual authenticator");
 	}
 
 	/**
@@ -231,11 +285,14 @@ void loginWhenAuthenticatorRegisteredThenSuccess() {
 	 * "https://chromedevtools.github.io/devtools-protocol/tot/WebAuthn/">https://chromedevtools.github.io/devtools-protocol/tot/WebAuthn/</a>
 	 */
 	private void createVirtualAuthenticator(boolean userIsVerified) {
+		if (StringUtils.hasText(this.authenticatorId)) {
+			throw new IllegalStateException("Authenticator already exists, please remove it before re-creating one");
+		}
 		HasCdp cdpDriver = (HasCdp) this.driver;
 		cdpDriver.executeCdpCommand("WebAuthn.enable", Map.of("enableUI", false));
 		// this.driver.addVirtualAuthenticator(createVirtualAuthenticatorOptions());
 		//@formatter:off
-		cdpDriver.executeCdpCommand("WebAuthn.addVirtualAuthenticator",
+		Map<String, Object> cmdResponse = cdpDriver.executeCdpCommand("WebAuthn.addVirtualAuthenticator",
 				Map.of(
 						"options",
 						Map.of(
@@ -248,21 +305,38 @@ private void createVirtualAuthenticator(boolean userIsVerified) {
 						)
 				));
 		//@formatter:on
+		this.authenticatorId = cmdResponse.get("authenticatorId").toString();
+	}
+
+	private void removeAuthenticator() {
+		HasCdp cdpDriver = (HasCdp) this.driver;
+		cdpDriver.executeCdpCommand("WebAuthn.removeVirtualAuthenticator",
+				Map.of("authenticatorId", this.authenticatorId));
+		this.authenticatorId = null;
 	}
 
 	private void login() {
-		this.driver.get(this.baseUrl);
+		this.getAndWait("/", "/login");
 		this.driver.findElement(usernameField()).sendKeys(USERNAME);
 		this.driver.findElement(passwordField()).sendKeys(PASSWORD);
 		this.driver.findElement(signinWithUsernamePasswordButton()).click();
+		// Ensure login has completed
+		await(() -> assertThat(this.driver.getCurrentUrl()).doesNotContain("/login"));
 	}
 
 	private void logout() {
-		this.driver.get(this.baseUrl + "/logout");
+		this.getAndWait("/logout");
 		this.driver.findElement(logoutButton()).click();
 		await(() -> assertThat(this.driver.getCurrentUrl()).endsWith("/login?logout"));
 	}
 
+	private void registerAuthenticator(String passkeyName) {
+		this.getAndWait("/webauthn/register");
+		this.driver.findElement(passkeyLabel()).sendKeys(passkeyName);
+		this.driver.findElement(registerPasskeyButton()).click();
+		await(() -> assertThat(this.driver.getCurrentUrl()).endsWith("/webauthn/register?success"));
+	}
+
 	private AbstractStringAssert<?> assertHasAlertStartingWith(String alertType, String alertMessage) {
 		WebElement alert = this.driver.findElement(new By.ById(alertType));
 		assertThat(alert.isDisplayed())
@@ -289,6 +363,15 @@ private void await(Supplier<AbstractAssert<?, ?>> assertion) {
 			});
 	}
 
+	private void getAndWait(String endpoint) {
+		this.getAndWait(endpoint, endpoint);
+	}
+
+	private void getAndWait(String endpoint, String redirectUrl) {
+		this.driver.get(this.baseUrl + endpoint);
+		this.await(() -> assertThat(this.driver.getCurrentUrl()).endsWith(redirectUrl));
+	}
+
 	private static By.ById passkeyLabel() {
 		return new By.ById("label");
 	}
@@ -325,6 +408,10 @@ private static By.ByCssSelector logoutButton() {
 		return new By.ByCssSelector("button");
 	}
 
+	private static By.ByCssSelector deletePasskeyButton() {
+		return new By.ByCssSelector("table > tbody > tr > button");
+	}
+
 	/**
 	 * The configuration for WebAuthN tests. It accesses the Server's current port, so we
 	 * can configurer WebAuthnConfigurer#allowedOrigin

config/src/integration-test/java/org/springframework/security/config/annotation/configurers/WebAuthnWebDriverTests.java

@@ -42,7 +42,8 @@ final class MethodSecuritySelector implements ImportSelector {
 		.isPresent("org.springframework.security.data.aot.hint.AuthorizeReturnObjectDataHintsRegistrar", null);
 
 	private static final boolean isWebPresent = ClassUtils
-		.isPresent("org.springframework.web.servlet.DispatcherServlet", null);
+		.isPresent("org.springframework.web.servlet.DispatcherServlet", null)
+			&& ClassUtils.isPresent("org.springframework.security.web.util.ThrowableAnalyzer", null);
 
 	private static final boolean isObservabilityPresent = ClassUtils
 		.isPresent("io.micrometer.observation.ObservationRegistry", null);