Apply SessionAuthenticationStrategy to WebAuthnAuthenticationFilter

skyhww · skyhww · commit 5129feab01d2 · 2026-04-05T01:59:16.000+08:00
WebAuthnConfigurer did not wire the shared SessionAuthenticationStrategy into WebAuthnAuthenticationFilter, so session concurrency limits were bypassed during passkey authentication. Closes gh-16685 Signed-off-by: hanweiwei <duzielww@163.com> Made-with: Cursor
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java
@@ -31,6 +31,7 @@
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.web.authentication.ui.DefaultResourcesFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@@ -170,14 +171,19 @@ public void configure(H http) {
 			.orElseThrow(() -> new IllegalStateException("Missing UserDetailsService Bean"));
 		PublicKeyCredentialUserEntityRepository userEntities = getSharedOrBean(http,
 				PublicKeyCredentialUserEntityRepository.class)
-			.orElse(userEntityRepository());
+			.orElseGet(this::userEntityRepository);
 		UserCredentialRepository userCredentials = getSharedOrBean(http, UserCredentialRepository.class)
-			.orElse(userCredentialRepository());
+			.orElseGet(this::userCredentialRepository);
 		WebAuthnRelyingPartyOperations rpOperations = webAuthnRelyingPartyOperations(userEntities, userCredentials);
 		PublicKeyCredentialCreationOptionsRepository creationOptionsRepository = creationOptionsRepository();
 		WebAuthnAuthenticationFilter webAuthnAuthnFilter = new WebAuthnAuthenticationFilter();
 		webAuthnAuthnFilter.setAuthenticationManager(
 				new ProviderManager(new WebAuthnAuthenticationProvider(rpOperations, userDetailsService)));
+		SessionAuthenticationStrategy sessionAuthenticationStrategy = http
+			.getSharedObject(SessionAuthenticationStrategy.class);
+		if (sessionAuthenticationStrategy != null) {
+			webAuthnAuthnFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy);
+		}
 		webAuthnAuthnFilter = postProcess(webAuthnAuthnFilter);
 		WebAuthnRegistrationFilter webAuthnRegistrationFilter = new WebAuthnRegistrationFilter(userCredentials,
 				rpOperations);
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurerTests.java
@@ -42,6 +42,7 @@
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.ui.DefaultResourcesFilter;
 import org.springframework.security.web.webauthn.api.Bytes;
 import org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity;
@@ -408,6 +409,50 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 
 	}
 
+	// gh-16685
+	@Test
+	public void webAuthnWhenSessionManagementConfiguredThenSessionAuthenticationStrategyApplied() {
+		this.spring.register(SessionManagementWebauthnConfiguration.class).autowire();
+		FilterChainProxy filterChain = this.spring.getContext().getBean(FilterChainProxy.class);
+		List<jakarta.servlet.Filter> filters = filterChain.getFilterChains().get(0).getFilters();
+		WebAuthnAuthenticationFilter webAuthnFilter = filters.stream()
+			.filter(WebAuthnAuthenticationFilter.class::isInstance)
+			.map(WebAuthnAuthenticationFilter.class::cast)
+			.findFirst()
+			.orElseThrow(() -> new AssertionError("WebAuthnAuthenticationFilter not found"));
+		SessionAuthenticationStrategy strategy = (SessionAuthenticationStrategy) org.springframework.test.util.ReflectionTestUtils
+			.getField(webAuthnFilter, "sessionStrategy");
+		assertThat(strategy).isNotNull();
+		assertThat(strategy).isInstanceOf(
+				org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy.class);
+	}
+
+	@Configuration
+	@EnableWebSecurity
+	static class SessionManagementWebauthnConfiguration {
+
+		@Bean
+		UserDetailsService userDetailsService() {
+			return new InMemoryUserDetailsManager();
+		}
+
+		@Bean
+		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.formLogin(Customizer.withDefaults())
+				.sessionManagement((session) -> session
+					.maximumSessions(1)
+				)
+				.webAuthn((authn) -> authn
+					.rpId("example.com")
+				);
+			// @formatter:on
+			return http.build();
+		}
+
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	static class CustomRpNameWebauthnConfiguration {
