From 75bcd34f57f607dc7b10da7de1be91d99f8fb512 Mon Sep 17 00:00:00 2001
From: Devon Hillard
Date: Sat, 21 Feb 2026 21:13:57 -0700
Subject: [PATCH 1/2] refactor(security): extract WebAuthn ObjectPostProcessor into helper method
Replace inline anonymous ObjectPostProcessor in setupWebAuthn() with an extracted private method webAuthnSuccessHandlerPostProcessor(). This removes fully-qualified type names, reduces nesting, and aligns with the concise method-extraction style used elsewhere in WebSecurityConfig. Closes #255
---
.../user/security/WebSecurityConfig.java | 27 ++++++++++++-------
1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java b/src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java
index 6198279e..12a05132 100644
--- a/src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java
+++ b/src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java
@@ -17,6 +17,7 @@
 import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.session.SessionRegistry;
@@ -26,6 +27,7 @@ import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.session.HttpSessionEventPublisher; +import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter; import com.digitalsanctuary.spring.user.roles.RolesAndPrivilegesConfig; import com.digitalsanctuary.spring.user.service.DSOAuth2UserService; import com.digitalsanctuary.spring.user.service.DSOidcUserService; @@ -224,15 +226,22 @@ private void setupWebAuthn(HttpSecurity http) throws Exception { http.webAuthn(webAuthn -> webAuthn.rpName(webAuthnConfigProperties.getRpName()).rpId(webAuthnConfigProperties.getRpId()) .allowedOrigins(normalizedAllowedOrigins) - .withObjectPostProcessor( - new org.springframework.security.config.ObjectPostProcessor() { - @Override - public O postProcess( - O filter) { - filter.setAuthenticationSuccessHandler(new WebAuthnAuthenticationSuccessHandler(userDetailsService)); - return filter; - } - })); + .withObjectPostProcessor(webAuthnSuccessHandlerPostProcessor())); + } + + /** + * Creates an ObjectPostProcessor that sets our custom WebAuthn success handler on the WebAuthnAuthenticationFilter. + * + * @return the post processor + */ + private ObjectPostProcessor webAuthnSuccessHandlerPostProcessor() { + return new ObjectPostProcessor() { + @Override + public O postProcess(O filter) { + filter.setAuthenticationSuccessHandler(new WebAuthnAuthenticationSuccessHandler(userDetailsService)); + return filter; + } + }; } // Commenting this out to try adding /error to the unprotected URIs list instead From 630bc00ea547bfda93b4e765251d7b1aac0bdda8 Mon Sep 17 00:00:00 2001 
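Review bot: The Javadoc added above `webAuthnSuccessHandlerPostProcessor()` names the handler being installed but not the security-relevant consequence: `setAuthenticationSuccessHandler(...)` replaces whatever success handler the `WebAuthnAuthenticationFilter` was configured with, so `WebAuthnAuthenticationSuccessHandler` alone determines what happens after a WebAuthn assertion is accepted. I would add a line such as `Replaces the filter's existing success handler; all post-login behaviour for WebAuthn sign-ins is owned by WebAuthnAuthenticationSuccessHandler.`, and the reworded `@return` in PATCH 2/2 ("injects a custom authentication success handler") would read more precisely with the same "replaces" wording. A short comment that the anonymous class is deliberate would also help, since `postProcess` is a generic method (its type parameters appear to have been stripped in this rendering) and cannot be written as a lambda. The handler's own code and the start of `setupWebAuthn` are outside this hunk, so what the handler does with `userDetailsService` cannot be checked here.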
From: Devon Hillard
Date: Sat, 21 Feb 2026 21:19:24 -0700
Subject: [PATCH 2/2] docs(security): improve JavaDoc return description on webAuthnSuccessHandlerPostProcessor
Address PR review feedback: the previous @return tag added no information beyond the method name. Updated to describe what the post processor does.
---
.../spring/user/security/WebSecurityConfig.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java b/src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java
index 12a05132..f6c275ea 100644
--- a/src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java
+++ b/src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java
@@ -232,7 +232,7 @@ private void setupWebAuthn(HttpSecurity http) throws Exception {
 /**
 * Creates an ObjectPostProcessor that sets our custom WebAuthn success handler on the WebAuthnAuthenticationFilter.
 *
- * @return the post processor
+ * @return an ObjectPostProcessor that injects a custom authentication success handler
 */
 private ObjectPostProcessor webAuthnSuccessHandlerPostProcessor() {
 return new ObjectPostProcessor() {