Post Process WebAuthnAuthenticationFilter

This commit ensures that WebAuthnAuthenticationFilter is post processed by BeanPostProcessors and ObjectPostProcessor. Closes gh-18128
1 month ago · 0928a60cd2
2 changed files with 31 additions and 0 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java
@ -177,6 +177,7 @@ public class WebAuthnConfigurer<H extends HttpSecurityBuilder<H>>
 		WebAuthnAuthenticationFilter webAuthnAuthnFilter = new WebAuthnAuthenticationFilter();
 		webAuthnAuthnFilter.setAuthenticationManager(
 				new ProviderManager(new WebAuthnAuthenticationProvider(rpOperations, userDetailsService)));
 		webAuthnAuthnFilter = postProcess(webAuthnAuthnFilter);
 		WebAuthnRegistrationFilter webAuthnRegistrationFilter = new WebAuthnRegistrationFilter(userCredentials,
 				rpOperations);
 		PublicKeyCredentialCreationOptionsFilter creationOptionsFilter = new PublicKeyCredentialCreationOptionsFilter(
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurerTests.java
@ -23,6 +23,7 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.config.BeanPostProcessor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpOutputMessage;
@ -42,6 +43,7 @@ import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.ui.DefaultResourcesFilter;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialCreationOptions;
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter;
 import org.springframework.security.web.webauthn.management.WebAuthnRelyingPartyOperations;
 import org.springframework.security.web.webauthn.registration.HttpSessionPublicKeyCredentialCreationOptionsRepository;
 import org.springframework.test.web.servlet.MockMvc;
@ -88,6 +90,14 @@ public class WebAuthnConfigurerTests {
 			.andExpect(content().string(containsString("body {")));
 	}
 	// gh-18128
 	@Test
 	public void webAuthnAuthenticationFilterIsPostProcessed() throws Exception {
 		this.spring.register(DefaultWebauthnConfiguration.class, PostProcessorConfiguration.class).autowire();
 		PostProcessorConfiguration postProcess = this.spring.getContext().getBean(PostProcessorConfiguration.class);
 		assertThat(postProcess.webauthnFilter).isNotNull();
 	}
 	@Test
 	public void webauthnWhenNoFormLoginAndDefaultRegistrationPageConfiguredThenServesJavascript() throws Exception {
 		this.spring.register(NoFormLoginAndDefaultRegistrationPageConfiguration.class).autowire();
@ -289,6 +299,26 @@ public class WebAuthnConfigurerTests {
 	}
 	@Configuration(proxyBeanMethods = false)
 	static class PostProcessorConfiguration {
 		WebAuthnAuthenticationFilter webauthnFilter;
 		@Bean
 		BeanPostProcessor beanPostProcessor() {
 			return new BeanPostProcessor() {
 				@Override
 				public Object postProcessAfterInitialization(Object bean, String beanName) {
 					if (bean instanceof WebAuthnAuthenticationFilter filter) {
 						PostProcessorConfiguration.this.webauthnFilter = filter;
 					}
 					return bean;
 				}
 			};
 		}
 	}
 	@Configuration
 	@EnableWebSecurity
 	static class DefaultWebauthnConfiguration {