--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org.
spring.security.user.name=XXX
spring.security.user.password=YYY
cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED
Security filter chain: [
ChannelProcessingFilter
WebAsyncManagerIntegrationFilter
CorsFilter
CsrfFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
ExceptionTranslationFilter
AuthorizationFilter
]
And the chain with the spring security settings as above:
Security filter chain: [
ChannelProcessingFilter
WebAsyncManagerIntegrationFilter
CorsFilter
CsrfFilter
BasicAuthenticationFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
ExceptionTranslationFilter
AuthorizationFilter
]
I have nothing configured or defined for endpoints or actuators besides what is set by default by CAS; we have never used those. I went back and configured according to:
management.endpoint.webAuthnDevices.enabled=true
management.endpoints.web.exposure.include=*
cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT
I even tried ANONYMOUS below, which makes all actuators work; I can even pull /cas/actuator/webAuthnDevices/username anonymously and get the devices for the user. I don't think the endpoint webAuthnDevices controls the end-user registration page, as it falls under /webauthn/register and NOT /cas/actuator/webAuthnDevices.
cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
Below is the debug output:
2023-01-31 09:05:41,149 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [org.springframework.security.access.AccessDeniedException: Access is denied] due to a type mismatch with handler [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String, String, String, boolean, String, HttpServletRequest, HttpServletResponse)]>
And the browser POST response to /webauthn/register, base64 decoded, is:
--- !<java.util.LinkedHashMap>
timestamp: "2023-01-31T15:05:41.161+00:00"
status: 403
error: "Forbidden"
path: "/cas/webauthn/register"
// MFA FIDO2 WEBAUTHN
implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
web-authn:
  core:
    relying-party-id: mydomain.fr
    relying-party-name: mynickname
    allowed-origins: https://cas.mydomain.fr
    trusted-device-enabled: false
    application-id: https://www.mydomain.fr
monitor:
  endpoints:
    endpoint:
      defaults:
        access: AUTHENTICATED
      health:
        access: IP_ADDRESS
        requiredIpAddresses: xx.yy.www.zz, aa.bb.cc.dd,etc.
      [...]
      registeredServices:
        access: IP_ADDRESS
        requiredIpAddresses: xx.yy.www.zz, aa.bb.cc.dd,etc.
      importRegisteredServices:
        access: IP_ADDRESS
        requiredIpAddresses: xx.yy.www.zz, aa.bb.cc.dd,etc.
[...]
management:
  endpoints:
    web:
      exposure:
        include: '*'
    enabled-by-default: true