Changeset 6769


Timestamp:
Jun 9, 2022, 9:13:39 AM (16 months ago)
Author:
Nicklas Nordborg
Message:

References #1396: Implement an login extension for WebAuthn?

Using a POST request instead of GET when starting the login, so that the password is not part of the URL, where it may be cached or logged.

Location:
extensions/net.sf.basedb.webauthn/trunk
Files:
2 edited

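--- a/extensions/net.sf.basedb.webauthn/trunk/resources/webauthn-login.js
+++ b/extensions/net.sf.basedb.webauthn/trunk/resources/webauthn-login.js
@@ -36,10 +36,8 @@
     var frm = document.forms['login'];
     var login = frm.login.value;
-    var pwd = frm.password.value;
+    var password = frm.password.value;
     var home = Data.get(frm, 'home');
     var url = home+'/WebAuthn.servlet?ID='+App.getSessionId();
     url += '&cmd=StartWebAuthnLogin';
-    url += '&login='+encodeURIComponent(login);
-    url += '&password='+encodeURIComponent(pwd);
    
     try
@@ -47,7 +45,8 @@
       if (debug) App.debug('AJAX request: '+url);
       var request = Ajax.getXmlHttpRequest();
+      request.open("POST", url, true); 
       Ajax.setReadyStateHandler(request, wa.webAuthnLoginRequestRecieved, wa.webAuthnLoginRequestRecieved);
-      request.open("GET", url, true);
-      request.send(null);
+      request.setRequestHeader("Content-Type", "application/json; charset=UTF-8");
+      request.send(JSON.stringify({'login':login, 'password': password}));
     }
     catch (e)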
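Review bot: The reason the credentials now travel in the request body instead of the query string is recorded only in the commit message; a one-line comment next to `request.open("POST", url, true);` would keep a later edit from quietly turning this back into a GET, e.g. `// POST so that login/password stay out of the URL, which may be cached or logged`. The session ID is still passed as a query parameter of `url`, which presumably is the existing convention for this servlet and is left unchanged by the commit. The enclosing function starts and ends outside the hunk.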
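--- a/extensions/net.sf.basedb.webauthn/trunk/src/net/sf/basedb/webauthn/WebAuthnServlet.java
+++ b/extensions/net.sf.basedb.webauthn/trunk/src/net/sf/basedb/webauthn/WebAuthnServlet.java
@@ -68,24 +68,4 @@
         json.put("registrationRequest", (JSONObject)new JSONParser().parse(registrationOptions.toCredentialsCreateJson()));
       }
-      else if ("StartWebAuthnLogin".equals(cmd))
-      {
-        String login = StringUtil.setNotNullString(Values.getStringOrNull(req.getParameter("login")), "User.Login", User.MAX_LOGIN_LENGTH);
-        String password = StringUtil.setNotNullString(Values.getStringOrNull(req.getParameter("password")), "User.Password", Integer.MAX_VALUE);
-        final SessionControl sc = Application.getSessionControl(ID, "net.sf.basedb.clients.web", req.getRemoteAddr(), false);
-       
-        LoginRequest lr = new LoginRequest(login, password);
-        lr.setVerifyOnly(true);
-        lr.setAttribute("login-form", "net.sf.basedb.webauthn.pre-login");
-        lr.setAttribute("serverName", req.getServerName());
-        try
-        {
-          sc.login(lr);
-        }
-        catch (AssertionRequestException ex)
-        {
-          // This exception is expected and contains the information we need to send back to the browser
-          json.put("assertionRequest", ex.getJson());
-        }
-      }
     }
     catch (Throwable t)
@@ -116,8 +96,7 @@
     try
     {
-      final SessionControl sc = Application.getSessionControl(ID, "net.sf.basedb.clients.web", req.getRemoteAddr(), true);
-
       if ("FinalizeWebAuthnRegister".equals(cmd))
       {
+        final SessionControl sc = Application.getSessionControl(ID, "net.sf.basedb.clients.web", req.getRemoteAddr(), true);
         String postData = JsonUtil.parseRequestAsString(req);
        
@@ -133,4 +112,31 @@
         json.put("message", "WebAuthn registration completed!");
       }
+      else if ("StartWebAuthnLogin".equals(cmd))
+      {
+        final SessionControl sc = Application.getSessionControl(ID, "net.sf.basedb.clients.web", req.getRemoteAddr(), false);
+        JSONObject jsonReq = JsonUtil.parseRequestAsJson(req);
+       
+        String login = StringUtil.setNotNullString((String)jsonReq.get("login"), "Login", User.MAX_LOGIN_LENGTH);
+        String password = StringUtil.setNotNullString((String)jsonReq.get("password"), "Password", Integer.MAX_VALUE);
+       
+        LoginRequest lr = new LoginRequest(login, password);
+        lr.setVerifyOnly(true);
+        lr.setAttribute("login-form", "net.sf.basedb.webauthn.pre-login");
+        lr.setAttribute("serverName", req.getServerName());
+        try
+        {
+          // This login request should end up being handled by PreLoginAuthenticationManager
+          // The AssertionRequestException is expected for normal operations
+          sc.login(lr);
+          throw new IllegalStateException("An AssertionRequest could not be created. "
+              + "Please try later or contact a server administrator.");
+        }
+        catch (AssertionRequestException ex)
+        {
+          // This exception is expected and contains the information we need to send back to the browser
+          json.put("assertionRequest", ex.getJson());
+        }
+      }
+
     }
     catch (Throwable t)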
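Review bot: The `(String)jsonReq.get("login")` and `(String)jsonReq.get("password")` casts in the new StartWebAuthnLogin branch trust the shape of a client-supplied JSON body; a non-string value (number, object, array) raises a ClassCastException that the outer `catch (Throwable t)` reports as a generic failure, whereas a missing key goes through StringUtil.setNotNullString and gets its specific message. Guarding the cast keeps the failure mode consistent, e.g. `Object rawLogin = jsonReq.get("login");` followed by `String login = StringUtil.setNotNullString(rawLogin instanceof String ? (String)rawLogin : null, "Login", User.MAX_LOGIN_LENGTH);` and the same for password. Whether JsonUtil.parseRequestAsJson can return null for an empty or non-object body is not visible here; if it can, `jsonReq` needs a null check before the lookups. The enclosing method starts and ends outside the hunk.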