Hey!
We are in the process of evaluating WebAuthn as our main MFA
provider and although it's been smooth when YubiKeys are used,
we ran into an issue when we attempted to use MongoDB as the
backend storage.
Although the registration works as expected, authentication seems broken:
```
2021-04-29 12:31:11,363 ERROR [com.yubico.core.WebAuthnServer] - <Failed to update signature count for user "lgian", credential "ByteArray(cd3b1add6896273ff0bd0271f184842ac8c48ca6c9c6234e3157e557e328a51d64e1eca4e96bb2a63cd1d8be17b26c26a980821b366115498a86afd7b4186ea7)">
java.lang.reflect.UndeclaredThrowableException: null
    at com.sun.proxy.$Proxy202.updateSignatureCount(Unknown Source) ~[?:?]
    at com.yubico.core.WebAuthnServer.finishAuthentication(WebAuthnServer.java:550) ~[cas-server-webauthn-helper-1.7.1.jar:?]
    at org.apereo.cas.webauthn.web.WebAuthnController.finishAuthentication(WebAuthnController.java:113) ~[cas-server-support-webauthn-core-6.3.3.jar:6.3.3]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    [...]
Caused by: com.fasterxml.jackson.databind.JsonMappingException: (was java.lang.NullPointerException) (through reference chain: java.util.HashSet[0]->com.yubico.data.CredentialRegistration["registrationTime"])
    at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:390) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:349) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.StdSerializer.wrapAndThrow(StdSerializer.java:316) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:778) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:178) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serializeContents(CollectionSerializer.java:145) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:107) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:25) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider._serialize(DefaultSerializerProvider.java:480) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider.serializeValue(DefaultSerializerProvider.java:319) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ObjectMapper._writeValueAndClose(ObjectMapper.java:4485) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ObjectMapper.writeValueAsString(ObjectMapper.java:3740) ~[jackson-databind-2.12.0.jar:2.12.0]
    at org.apereo.cas.webauthn.MongoDbWebAuthnCredentialRepository.update(MongoDbWebAuthnCredentialRepository.java:81) ~[cas-server-support-webauthn-mongo-6.3.3.jar:6.3.3]
    at org.apereo.cas.webauthn.storage.BaseWebAuthnCredentialRepository.updateSignatureCount(BaseWebAuthnCredentialRepository.java:89) ~[cas-server-support-webauthn-core-6.3.3.jar:6.3.3]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.6.RELEASE.jar:2.2.6.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    ... 120 more
Caused by: java.lang.NullPointerException
    at com.yubico.data.CredentialRegistration.getRegistrationTimestamp(CredentialRegistration.java:58) ~[cas-server-webauthn-helper-1.7.1.jar:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at com.fasterxml.jackson.databind.ser.BeanPropertyWriter.serializeAsField(BeanPropertyWriter.java:689) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:770) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:178) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serializeContents(CollectionSerializer.java:145) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:107) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:25) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider._serialize(DefaultSerializerProvider.java:480) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider.serializeValue(DefaultSerializerProvider.java:319) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ObjectMapper._writeValueAndClose(ObjectMapper.java:4485) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ObjectMapper.writeValueAsString(ObjectMapper.java:3740) ~[jackson-databind-2.12.0.jar:2.12.0]
    at org.apereo.cas.webauthn.MongoDbWebAuthnCredentialRepository.update(MongoDbWebAuthnCredentialRepository.java:81) ~[cas-server-support-webauthn-mongo-6.3.3.jar:6.3.3]
    at org.apereo.cas.webauthn.storage.BaseWebAuthnCredentialRepository.updateSignatureCount(BaseWebAuthnCredentialRepository.java:89) ~[cas-server-support-webauthn-core-6.3.3.jar:6.3.3]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.6.RELEASE.jar:2.2.6.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    ... 120 more
```
Also, the issue does not exist when the in-memory storage is
used.
We are on version 6.3.3, but I should mention that we've worked
around an issue that 6.3.3 currently has.
The issue seems to be fixed on the 6.3.X branch, but the WAR
overlay version is broken:
```
Could not find org.apereo.cas:cas-server-webauthn-helper:1.7.0.
```
After looking into it, `cas-server-webauthn-helper` exists under
the `org.apereo` organization (and also, 1.7.0 no longer exists).
Again, this commit[0] seems to fix the issue. But to work
around it for our version, we did the following:
```
+ compile "org.apereo:cas-server-webauthn-helper:1.7.1"
+ compile
("org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"){
+ exclude group: 'org.apereo.cas', module:
'cas-server-webauthn-helper'
+ }
+ compile
("org.apereo.cas:cas-server-support-webauthn-mongo:${project.'cas.version'}"){
+ exclude group: 'org.apereo.cas', module:
'cas-server-webauthn-helper'
+ }
```
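Review bot: the pinned `org.apereo:cas-server-webauthn-helper:1.7.1` is the same jar the NullPointerException in the trace above is thrown from (`com.yubico.data.CredentialRegistration.getRegistrationTimestamp` in `cas-server-webauthn-helper-1.7.1.jar`, reached via `MongoDbWebAuthnCredentialRepository.update` calling `ObjectMapper.writeValueAsString`), so the helper version substituted by this workaround is the first thing to compare against what the referenced commit[0] depends on before treating the MongoDB module as the culprit. Two smaller points on the snippet itself: `compile` is a deprecated Gradle configuration (removed in Gradle 7), so prefer `implementation "org.apereo:cas-server-webauthn-helper:1.7.1"` and likewise for the two CAS modules; and, as pasted, `+ compile` and its `("org.apereo.cas:...")` argument have been split across two lines by mail wrapping, which in a Groovy build file must sit on a single line. Note also that the `exclude` clauses only strip the transitive `org.apereo.cas:cas-server-webauthn-helper` from the two modules listed; any other CAS module that pulls it in would still fail resolution with the same `Could not find` error.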
[0]:
https://github.com/apereo/cas/commit/ca75765649a7383a301370f94b5ff1a6146faf8a
Hi,
This seems to be fixed in 6.3.4 (Yubico's webauthn implementation
is bumped to 1.9.0).
Best regards,
Linos
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9d7cb9f5-7cfe-5e8d-d68b-4855099c3b91%40skroutz.gr.