I am using Spring Security 6.4.4 for webauthn (passkey) authentication.
```groovy
dependencies {
    implementation "org.springframework.security:spring-security-web"
    implementation "com.webauthn4j:webauthn4j-core:0.28.6.RELEASE"
}
```
Therefore, the FilterChain is adjusted as follows:
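```java
// Needs: import static org.springframework.security.config.Customizer.withDefaults;
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        // ...
        .formLogin(withDefaults())
        // Relying party settings for passkey (WebAuthn) login
        .webAuthn((webAuthn) -> webAuthn
            .rpName("Spring Security Relying Party")
            .rpId("localhost")
            .allowedOrigins("http://localhost:9000")
        );
    // build() declares a checked Exception, hence the throws clause
    return http.build();
}
```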
The problem I have is that on successful authentication (`POST /login/webauthn`) I want to execute some custom logic (I want to set a JWT token in the header).
In the constructor of `WebAuthnAuthenticationFilter` you can see that `HttpMessageConverterAuthenticationSuccessHandler` is registered as the success handler, of which I would like to overwrite the method `onAuthenticationSuccess()`.
Is there a way to overwrite the `onAuthenticationSuccess` method or add another custom `onAuthenticationSuccess` method to the `WebAuthnAuthenticationFilter`?
For me it is neither clear from the documentation nor from the code how to achieve it.
It seems like this is not configurable right now in Spring Security version 6.4.4.
I solved it like this:
1. Implement a `CustomConfigurer`: `CustomConfigurer<H extends HttpSecurityBuilder<H>> extends WebAuthnConfigurer<H>`
2. Implement and use a `CustomWebAuthnAuthenticationFilter`: `CustomWebAuthnAuthenticationFilter extends WebAuthnAuthenticationFilter`
3. Set a custom `CustomHttpMessageConverterAuthenticationSuccessHandler` in the `CustomWebAuthnAuthenticationFilter`: `CustomHttpMessageConverterAuthenticationSuccessHandler implements AuthenticationSuccessHandler`
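
An added example of the success handler from the last step of the answer above (not the poster's code and not part of Spring Security): it sets the JWT header first, then delegates to the default `HttpMessageConverterAuthenticationSuccessHandler` so the JSON response the passkey login page expects is unchanged. The `tokenIssuer` function is a hypothetical, application-supplied component that produces the signed token.

```java
import java.io.IOException;
import java.util.Objects;
import java.util.function.Function;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.http.HttpHeaders;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.HttpMessageConverterAuthenticationSuccessHandler;

public class CustomHttpMessageConverterAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    // Default handler used for POST /login/webauthn; it still writes the JSON body.
    private final AuthenticationSuccessHandler delegate = new HttpMessageConverterAuthenticationSuccessHandler();

    // Hypothetical token issuer supplied by the application (for example, backed by a JWT library).
    private final Function<Authentication, String> tokenIssuer;

    public CustomHttpMessageConverterAuthenticationSuccessHandler(Function<Authentication, String> tokenIssuer) {
        this.tokenIssuer = Objects.requireNonNull(tokenIssuer, "tokenIssuer");
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        String jwt = this.tokenIssuer.apply(authentication);
        if (jwt == null || jwt.isBlank()) {
            // Fail closed instead of sending an empty bearer value.
            throw new ServletException("token issuer returned no token");
        }
        // Headers must be set before the delegate writes the body and commits the response.
        response.setHeader(HttpHeaders.AUTHORIZATION, "Bearer " + jwt);
        // Keep the response that carries the token out of browser and shared caches.
        response.setHeader(HttpHeaders.CACHE_CONTROL, "no-store");
        this.delegate.onAuthenticationSuccess(request, response, authentication);
    }
}
```

The filter subclass can install this handler with `setAuthenticationSuccessHandler(...)`, which `WebAuthnAuthenticationFilter` inherits from `AbstractAuthenticationProcessingFilter`.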