Hey!

We are in the process of evaluating WebAuthn as our main MFA provider and although it's been smooth when Yubikeys are used, we ran into an issue when we attempted to use MongoDB as the backend storage.

Although the registration works as expected, authentication seems broken:

```
2021-04-29 12:31:11,363 ERROR [com.yubico.core.WebAuthnServer] - <Failed to update signature count for user "lgian", credential "ByteArray(cd3b1add6896273ff0bd0271f184842ac8c48ca6c9c6234e3157e557e328a51d64e1eca4e96bb2a63cd1d8be17b26c26a980821b366115498a86afd7b4186ea7)">
java.lang.reflect.UndeclaredThrowableException: null
    at com.sun.proxy.$Proxy202.updateSignatureCount(Unknown Source) ~[?:?]
    at com.yubico.core.WebAuthnServer.finishAuthentication(WebAuthnServer.java:550) ~[cas-server-webauthn-helper-1.7.1.jar:?]
    at org.apereo.cas.webauthn.web.WebAuthnController.finishAuthentication(WebAuthnController.java:113) ~[cas-server-support-webauthn-core-6.3.3.jar:6.3.3]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
[...]
Caused by: com.fasterxml.jackson.databind.JsonMappingException: (was java.lang.NullPointerException) (through reference chain: java.util.HashSet[0]->com.yubico.data.CredentialRegistration["registrationTime"])
    at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:390) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:349) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.StdSerializer.wrapAndThrow(StdSerializer.java:316) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:778) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:178) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serializeContents(CollectionSerializer.java:145) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:107) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:25) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider._serialize(DefaultSerializerProvider.java:480) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider.serializeValue(DefaultSerializerProvider.java:319) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ObjectMapper._writeValueAndClose(ObjectMapper.java:4485) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ObjectMapper.writeValueAsString(ObjectMapper.java:3740) ~[jackson-databind-2.12.0.jar:2.12.0]
    at org.apereo.cas.webauthn.MongoDbWebAuthnCredentialRepository.update(MongoDbWebAuthnCredentialRepository.java:81) ~[cas-server-support-webauthn-mongo-6.3.3.jar:6.3.3]
    at org.apereo.cas.webauthn.storage.BaseWebAuthnCredentialRepository.updateSignatureCount(BaseWebAuthnCredentialRepository.java:89) ~[cas-server-support-webauthn-core-6.3.3.jar:6.3.3]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.6.RELEASE.jar:2.2.6.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    ... 120 more
Caused by: java.lang.NullPointerException
    at com.yubico.data.CredentialRegistration.getRegistrationTimestamp(CredentialRegistration.java:58) ~[cas-server-webauthn-helper-1.7.1.jar:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at com.fasterxml.jackson.databind.ser.BeanPropertyWriter.serializeAsField(BeanPropertyWriter.java:689) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:770) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:178) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serializeContents(CollectionSerializer.java:145) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:107) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:25) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider._serialize(DefaultSerializerProvider.java:480) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider.serializeValue(DefaultSerializerProvider.java:319) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ObjectMapper._writeValueAndClose(ObjectMapper.java:4485) ~[jackson-databind-2.12.0.jar:2.12.0]
    at com.fasterxml.jackson.databind.ObjectMapper.writeValueAsString(ObjectMapper.java:3740) ~[jackson-databind-2.12.0.jar:2.12.0]
    at org.apereo.cas.webauthn.MongoDbWebAuthnCredentialRepository.update(MongoDbWebAuthnCredentialRepository.java:81) ~[cas-server-support-webauthn-mongo-6.3.3.jar:6.3.3]
    at org.apereo.cas.webauthn.storage.BaseWebAuthnCredentialRepository.updateSignatureCount(BaseWebAuthnCredentialRepository.java:89) ~[cas-server-support-webauthn-core-6.3.3.jar:6.3.3]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.6.RELEASE.jar:2.2.6.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    ... 120 more
```

Also, the issue does not exist when the in-memory storage is used.

We are on version 6.3.3, but I should mention that we've worked around an issue that 6.3.3 currently has. The issue seems to be fixed on the 6.3.X branch, but the WAR overlay version is broken:

```
Could not find org.apereo.cas:cas-server-webauthn-helper:1.7.0.
```

After looking into it, `cas-server-webauthn-helper` exists under the `org.apereo` organization (and 1.7.0 does not exist anymore). Again, this commit[0] seems to fix the issue. But to work around it for our version, we did the following:

```

+    compile "org.apereo:cas-server-webauthn-helper:1.7.1"
+    compile ("org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"){ +        exclude group: 'org.apereo.cas', module: 'cas-server-webauthn-helper'
+    }
+    compile ("org.apereo.cas:cas-server-support-webauthn-mongo:${project.'cas.version'}"){ +        exclude group: 'org.apereo.cas', module: 'cas-server-webauthn-helper'
+    }

```
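Review bot: the two `exclude group: 'org.apereo.cas', module: 'cas-server-webauthn-helper'` entries only remove the helper on the paths that go through `cas-server-support-webauthn` and `cas-server-support-webauthn-mongo`; any other CAS module that pulls it transitively would still resolve the missing `org.apereo.cas:...:1.7.0` coordinate. Worth confirming with `./gradlew dependencies --configuration runtimeClasspath` that exactly one `cas-server-webauthn-helper` jar is on the classpath (the trace above shows `cas-server-webauthn-helper-1.7.1.jar`, which is consistent with the exclusion working for this path). Also, `compile` is a deprecated Gradle configuration that is removed in Gradle 7; `implementation` takes the same exclude block.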


[0]: https://github.com/apereo/cas/commit/ca75765649a7383a301370f94b5ff1a6146faf8a

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9d7cb9f5-7cfe-5e8d-d68b-4855099c3b91%40skroutz.gr.
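As an added illustration (not code from this message, from CAS, or from the Yubico helper library), the following Python sketch shows why the failed `updateSignatureCount` step in the trace above should be treated as a hard error rather than a cosmetic one. It models the WebAuthn assertion-counter rule and a credential store whose update step can fail, as the MongoDB repository does here. All names (`CredentialRecord`, `CredentialStore`, `check_sign_count`, `finish_authentication`, `run_scenarios`) and the records are constructed for this example; only the user name is taken from the log line.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class CounterRollback(Exception):
    """Authenticator reported a counter that did not advance past the stored one."""


class StorageError(Exception):
    """The credential store could not persist the updated counter."""


@dataclass
class CredentialRecord:
    credential_id: str
    user: str
    sign_count: int
    # Constructed field mirroring "registrationTime" in the trace; it may be None
    # when a stored document lacks it, so anything that formats it must check first.
    registration_time: Optional[str] = None


class CredentialStore:
    """Constructed in-memory store. fail_updates=True simulates a backend whose
    update step throws, which is what the MongoDB repository does in the trace."""

    def __init__(self, fail_updates: bool = False) -> None:
        self._records: Dict[str, CredentialRecord] = {}
        self.fail_updates = fail_updates

    def add(self, rec: CredentialRecord) -> None:
        self._records[rec.credential_id] = rec

    def get(self, credential_id: str) -> CredentialRecord:
        return self._records[credential_id]

    def update_sign_count(self, credential_id: str, new_count: int) -> None:
        if self.fail_updates:
            raise StorageError(f"could not persist counter for {credential_id}")
        self._records[credential_id].sign_count = new_count


def check_sign_count(stored: int, received: int) -> bool:
    """Counter rule from the WebAuthn assertion verification procedure: when either
    value is non-zero, the received counter must be strictly greater than the stored
    one. 0/0 means the authenticator implements no counter and the check is skipped."""
    if stored == 0 and received == 0:
        return True
    return received > stored


def finish_authentication(store: CredentialStore, credential_id: str,
                          received_count: int) -> int:
    """Validate the assertion counter, persist it, and return the counter on record.
    A persistence failure propagates instead of being swallowed: if the new value is
    never written, the next login is compared against a stale counter and a cloned
    authenticator replaying old counter values would pass the check."""
    rec = store.get(credential_id)
    if not check_sign_count(rec.sign_count, received_count):
        raise CounterRollback(
            f"credential {credential_id}: stored {rec.sign_count}, received {received_count}")
    store.update_sign_count(credential_id, received_count)
    return store.get(credential_id).sign_count


def run_scenarios() -> Dict[str, object]:
    """Exercise the three outcomes on constructed records and report what happened."""
    out: Dict[str, object] = {}
    store = CredentialStore()
    store.add(CredentialRecord("cred-1", "lgian", sign_count=5))
    out["advance"] = finish_authentication(store, "cred-1", 6)       # 5 -> 6 accepted
    try:
        finish_authentication(store, "cred-1", 6)                    # same value again
        out["replay"] = "accepted"
    except CounterRollback:
        out["replay"] = "rejected"
    broken = CredentialStore(fail_updates=True)
    broken.add(CredentialRecord("cred-2", "lgian", sign_count=1))
    try:
        finish_authentication(broken, "cred-2", 2)
        out["persist"] = "ok"
    except StorageError:
        out["persist"] = "failed"
    out["stale_count"] = broken.get("cred-2").sign_count             # still 1
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The last scenario is the one this thread is about: when the store's update throws, the record keeps its old counter, so a later assertion carrying the already-seen value would be accepted if the failure were merely logged and the login allowed to continue.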