From a2abe3c33e9b5fecbeb56f7dcfa31a6b31375c29 Mon Sep 17 00:00:00 2001
From: Rob Winch <362503+rwinch@users.noreply.github.com>
Date: Fri, 17 Jan 2025 21:07:46 -0600
Subject: [PATCH] Add HttpMessageConverter WebAuthnDsl Support
Issue gh-16397
---
 .../config/annotation/web/WebAuthnDsl.kt | 3 ++
 .../config/annotation/web/WebAuthnDslTests.kt | 38 +++++++++++++++++++
 2 files changed, 41 insertions(+)
diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/WebAuthnDsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/WebAuthnDsl.kt
index c48827c92d..23447c1b6d 100644
--- a/config/src/main/kotlin/org/springframework/security/config/annotation/web/WebAuthnDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/annotation/web/WebAuthnDsl.kt
@@ -16,6 +16,7 @@
 package org.springframework.security.config.annotation.web
+import org.springframework.http.converter.HttpMessageConverter
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.WebAuthnConfigurer
 import org.springframework.security.web.webauthn.registration.PublicKeyCredentialCreationOptionsRepository
@@ -37,6 +38,7 @@ class WebAuthnDsl {
 var allowedOrigins: Set? = null
 var disableDefaultRegistrationPage: Boolean? = false
 var creationOptionsRepository: PublicKeyCredentialCreationOptionsRepository? = null
+ var messageConverter: HttpMessageConverter? = null
 internal fun get(): (WebAuthnConfigurer) -> Unit {
 return { webAuthn ->
@@ -45,6 +47,7 @@ class WebAuthnDsl {
 allowedOrigins?.also { webAuthn.allowedOrigins(allowedOrigins) }
 disableDefaultRegistrationPage?.also { webAuthn.disableDefaultRegistrationPage(disableDefaultRegistrationPage!!) }
 creationOptionsRepository?.also { webAuthn.creationOptionsRepository(creationOptionsRepository) }
+ messageConverter?.also { webAuthn.messageConverter(messageConverter) }
 }
 }
 }
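Review bot: In the `get()` hunk, `messageConverter?.also { webAuthn.messageConverter(messageConverter) }` re-reads the nullable `var` inside the lambda and hands an `HttpMessageConverter?` to the configurer, which compiles only because the Java parameter is a platform type; the lambda's `it` is already non-null, so `messageConverter?.also { webAuthn.messageConverter(it) }` is the idiomatic form (the neighbouring `allowedOrigins` and `creationOptionsRepository` lines share the old pattern, so keeping consistency is a defensible choice). The new property also carries no KDoc although it is public DSL surface; add a line such as `/** The [HttpMessageConverter] passed to [WebAuthnConfigurer.messageConverter]; presumably controls how WebAuthn request and response bodies are (de)serialised — confirm and name the endpoints it applies to. */`, or the matching `@property` entry if the class KDoc uses that form. Because a caller-supplied converter decides how untrusted request bodies are parsed, that KDoc should also state whether the default converter is replaced or augmented; the `also` wiring suggests replaced, which is inferred here and worth confirming against `WebAuthnConfigurer`. The `WebAuthnDsl` class and `get()` both start outside the hunk.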
diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/WebAuthnDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/WebAuthnDslTests.kt
index feb580e4b9..00e02f5821 100644
--- a/config/src/test/kotlin/org/springframework/security/config/annotation/web/WebAuthnDslTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/annotation/web/WebAuthnDslTests.kt
@@ -22,6 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
+import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.test.SpringTestContext
@@ -69,6 +70,16 @@ class WebAuthnDslTests {
 }
 }
+ @Test
+ fun `explicit HttpMessageConverter`() {
+ this.spring.register(ExplicitHttpMessageConverterConfig::class.java).autowire()
+ this.mockMvc.post("/test1") .andExpect { status { isForbidden() } }
+ }
+
 @Test
 fun `webauthn and formLogin configured with default registration page`() {
 spring.register(DefaultWebauthnConfig::class.java).autowire()
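Review bot: The new `explicit HttpMessageConverter` test never exercises the converter it configures: it posts to `/test1` and asserts `isForbidden()`, which an unauthenticated POST presumably yields (CSRF or the authentication entry point) regardless of whether `messageConverter` was applied, so the test still passes if the DSL silently drops the property. Consider asserting on the wiring instead, e.g. keeping the converter instance reachable from the test (a spy, or a field on `ExplicitHttpMessageConverterConfig` in the next hunk) and verifying it is invoked by a request to a WebAuthn endpoint that reads or writes a JSON body, or at least that the configurer received that exact instance. A smaller point of style: the new test writes `this.spring.register(...)` and `this.mockMvc` while the adjacent test calls `spring.register(...)` without `this`; pick one form. The enclosing `WebAuthnDslTests` class starts and ends outside the hunk.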
@@ -166,6 +177,33 @@ class WebAuthnDslTests {
 }
 }
+ @Configuration
+ @EnableWebSecurity
+ open class ExplicitHttpMessageConverterConfig {
+ @Bean
+ open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+ http {
+ webAuthn {
+ rpName = "Spring Security Relying Party"
+ rpId = "example.com"
+ allowedOrigins = setOf("https://example.com")
+ messageConverter = MappingJackson2HttpMessageConverter()
+ }
+ }
+ return http.build()
+ }
+
+ @Bean
+ open fun userDetailsService(): UserDetailsService {
+ val userDetails = User.withDefaultPasswordEncoder()
+ .username("rod")
+ .password("password")
+ .roles("USER")
+ .build()
+ return InMemoryUserDetailsManager(userDetails)
+ }
+ }
+
 @Configuration
 @EnableWebSecurity
 open class WebauthnConfig {
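Review bot: `ExplicitHttpMessageConverterConfig` assigns a bare `MappingJackson2HttpMessageConverter()` with no comment saying what the fixture is meant to prove, and a reader may copy it as a working recipe; whether a plain Jackson converter can (de)serialise the WebAuthn credential types without the WebAuthn-specific Jackson module is not shown here and worth confirming. Add a comment above the assignment such as `// plain Jackson converter: checks that the DSL forwards a caller-supplied converter, not that it handles WebAuthn payloads` so the intent is explicit. If the test in the previous hunk is strengthened to assert on the converter, holding the instance in a `companion object` `val` here would let the test reference it. The surrounding `WebAuthnDslTests` class starts and ends outside the hunk.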