Changeset 6768


Timestamp:
Jun 9, 2022, 8:49:13 AM (12 months ago)
Author:
Nicklas Nordborg
Message:

References #1396: Implement a login extension for WebAuthn?

The password is now verified before the security key.

Location:
extensions/net.sf.basedb.webauthn/trunk
Files:
3 edited

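--- a/extensions/net.sf.basedb.webauthn/trunk/resources/webauthn-login.js
+++ b/extensions/net.sf.basedb.webauthn/trunk/resources/webauthn-login.js
@@ -35,9 +35,11 @@
     event.preventDefault();
     var frm = document.forms['login'];
-    var login = frm.login.value
+    var login = frm.login.value;
+    var pwd = frm.password.value;
     var home = Data.get(frm, 'home');
     var url = home+'/WebAuthn.servlet?ID='+App.getSessionId();
     url += '&cmd=StartWebAuthnLogin';
     url += '&login='+encodeURIComponent(login);
+    url += '&password='+encodeURIComponent(pwd);
 
     try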
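Review bot: New line 43 appends the password to the request URL as a query parameter, so it is recorded wherever the URL is: server access logs, reverse-proxy logs, browser history and any Referer header leaving the page; `encodeURIComponent` only escapes it, it does not hide it. The request itself is issued inside the `try` that continues past the hunk, so whether it is a GET or a POST is not visible here, but either way the credential belongs in the request body rather than in `url`. Keeping `cmd` and `login` in the URL is fine; `pwd` should be sent as form data of a POST. The enclosing function also starts before the hunk.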
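--- a/extensions/net.sf.basedb.webauthn/trunk/src/net/sf/basedb/webauthn/PreLoginAuthenticationManager.java
+++ b/extensions/net.sf.basedb.webauthn/trunk/src/net/sf/basedb/webauthn/PreLoginAuthenticationManager.java
@@ -1,5 +1,3 @@
 package net.sf.basedb.webauthn;
-
-import com.yubico.webauthn.AssertionRequest;
 
 import net.sf.basedb.core.AuthenticationContext;
@@ -8,5 +6,4 @@
 import net.sf.basedb.core.authentication.LoginException;
 import net.sf.basedb.core.authentication.LoginRequest;
-import net.sf.basedb.core.authentication.UnknownLoginException;
 import net.sf.basedb.core.data.UserData;
 
@@ -40,7 +37,9 @@
     String login = request.getLogin();
 
-    // Check if the user exists and has configured a security key
-    UserData user = context.getUserByLogin(login);
-    if (user == null) throw new UnknownLoginException(login);
+    // Verify the login/password
+    AuthenticatedUser auth = context.verifyUserInternal(request);
+    
+    // Check if a security key has been registered
+    UserData user = context.getUserById(auth.getInternalId());
     if (user.getExtended("webAuthnCredentialId") == null)
     {
@@ -48,10 +47,11 @@
     }
     
+    // Initiate the WebAuthn login process
     String serverName = request.getAttribute("serverName");
     LoginProcessHandler handler = new LoginProcessHandler(user, serverName);
-    AssertionRequest assertionRequest = handler.getAssertionRequest();
-   
     context.getSessionControl().setSessionSetting("webauthn-login-handler", handler);
-    throw new AssertionRequestException(assertionRequest);
+    // The AssertionRequest contains the information that need to be sent to the client
+    // This exception is catched and handled in WebAuthnServlet
+    throw new AssertionRequestException(handler.getAssertionRequest());
   }
   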
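Review bot: `auth.getInternalId()` on new line 43 is dereferenced without checking `auth`; if `verifyUserInternal` can report a failed password by returning null instead of throwing, a wrong password surfaces as a NullPointerException rather than a LoginException, which is both a confusing failure and one that may leak a stack trace. If it always throws on failure, document that at the call site, e.g. `// verifyUserInternal throws LoginException on a bad password, so auth is never null here`; otherwise guard it before use. The new comment on line 54 has a typo: `catched` should be `caught`. The enclosing method's signature is outside the hunk.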
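--- a/extensions/net.sf.basedb.webauthn/trunk/src/net/sf/basedb/webauthn/WebAuthnServlet.java
+++ b/extensions/net.sf.basedb.webauthn/trunk/src/net/sf/basedb/webauthn/WebAuthnServlet.java
@@ -71,9 +71,9 @@
       {
         String login = StringUtil.setNotNullString(Values.getStringOrNull(req.getParameter("login")), "User.Login", User.MAX_LOGIN_LENGTH);
+        String password = StringUtil.setNotNullString(Values.getStringOrNull(req.getParameter("password")), "User.Password", Integer.MAX_VALUE);
         final SessionControl sc = Application.getSessionControl(ID, "net.sf.basedb.clients.web", req.getRemoteAddr(), false);
        
-        LoginRequest lr = new LoginRequest();
+        LoginRequest lr = new LoginRequest(login, password);
         lr.setVerifyOnly(true);
-        lr.setLogin(login);
         lr.setAttribute("login-form", "net.sf.basedb.webauthn.pre-login");
         lr.setAttribute("serverName", req.getServerName());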
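Review bot: The password on new line 73 is read with `req.getParameter("password")`, which returns the value whether it arrived in the query string or in a POST body; when it comes from the URL it is written to access and proxy logs, so the servlet should accept it only from the body of a POST, for instance by checking `"POST".equals(req.getMethod())` before the lookup and rejecting the request otherwise. The `Integer.MAX_VALUE` bound also leaves the password length unlimited, so whatever the verifier does with it runs on a client-chosen input size; a fixed upper bound, as `User.MAX_LOGIN_LENGTH` already provides for the login, is the usual guard. Whether the enclosing method is `doGet` or `doPost` is not visible, as it starts before the hunk.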