WebAuthn + Redis doesn't work; Redis defaults to JdkSerializationRedisSerializer, WebAuthn classes lack Serializable interface, WebAuthn mixins missing for GenericJackson2JsonRedisSerializer #16328

Open
2 of 4 issues completed
@justincranford

Description

Describe the bug
WebAuthn persistence only works using in-memory SessionRepository?

  1. PublicKeyCredentialCreationOptions
  2. PublicKeyCredentialRequestOptions

Persistence doesn't seem to work out-of-the-box (OOTB) if using WebAuthn + Redis.

  1. Redis defaultSerializer seems to be JdkSerializationRedisSerializer.
  2. WebAuthn data classes in https://github.com/spring-projects/spring-security/tree/fd267dfb71bfc8e1ab5bcc8270c12fbaad46fddf/web/src/main/java/org/springframework/security/web/webauthn/api don't seem to implement the Serializable interface required for JdkSerializationRedisSerializer to work.

To Reproduce
I created a GitHub repo https://github.com/justincranford/spring-security-webauthn-redis to:

  1. Reproduce and demonstrate the initial RedisSessionRepository JdkSerializationRedisSerializer issue
  2. Reproduce and demonstrate all of the issues I encountered switching Redis to GenericJackson2JsonRedisSerializer, and the incremental workarounds I had to apply to make the WebAuthn service data classes serialize/deserialize OK
  3. Demonstrate what I tried to get a custom RedisHttpSessionConfiguration redisHttpSessionConfiguration bean to work, so I can override the default UUIDSessionGenerator. I could not figure out a workaround.

Expected behavior

  1. WebAuthn service data classes should work with JdkSerializationRedisSerializer out-of-the-box.
  2. WebAuthn service data classes should work with GenericJackson2JsonRedisSerializer out-of-the-box too, or with minimal boilerplate.
  3. Document example how to configure WebAuthn + Redis to use JdkSerializationRedisSerializer.
  4. Document example how to configure WebAuthn + Redis to use GenericJackson2JsonRedisSerializer.
  5. Document example how to configure Redis to override RedisHttpSessionConfiguration.java. I found a one-line mention in EnableRedisHttpSession.java. However, I think EnableRedisHttpSession and overriding are mutually exclusive, so it would be nice to see an example of overriding RedisHttpSessionConfiguration outside of EnableRedisHttpSession (i.e. in docs).

Sample
See GitHub repo README for a numbered list of the issues for Redis+WebAuthn JdkSerializationRedisSerializer, Redis+WebAuthn GenericJackson2JsonRedisSerializer, and RedisHttpSessionConfiguration override issue.
https://github.com/justincranford/spring-security-webauthn-redis

Timeline

  1. I posted my original question on Stack Exchange on Dec 15, 2024.
  2. I partially answered the question myself in a follow-up on Dec 21, 2024.
  3. I posted links to my GitHub repo and this Spring Security issue (#16328) on Dec 23, 2024.
  4. I added two TL;DR comments, and appended this timeline, to the original description of this Spring Security issue (#16328) on Dec 26, 2024.
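The serializer switch the reporter describes in "To Reproduce" item 2, as an added example that is not code from the issue or the linked repository: the Spring Session bean that replaces the default JdkSerializationRedisSerializer with GenericJackson2JsonRedisSerializer. It assumes Spring Session Data Redis and Spring Security's jackson2 module are on the classpath; whether the registered modules cover the WebAuthn api classes is exactly the gap this issue reports, so the block shows only the configuration hook, not a fix.

```java
// Added example (not from the issue or the reporter's repository): the Spring Session
// hook for replacing the default JdkSerializationRedisSerializer with a JSON serializer,
// so session attributes no longer need to implement java.io.Serializable.
import java.util.List;

import com.fasterxml.jackson.databind.Module;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

@Configuration
@EnableRedisHttpSession
public class SessionSerializerConfig {

    // The bean name "springSessionDefaultRedisSerializer" is the documented Spring Session
    // override point; without this bean the session store falls back to JDK serialization,
    // which fails for the non-Serializable PublicKeyCredential*Options classes.
    @Bean
    public RedisSerializer<Object> springSessionDefaultRedisSerializer() {
        ObjectMapper mapper = new ObjectMapper();
        // Register Spring Security's Jackson modules; their mixins carry the type
        // information needed to round-trip security objects stored in the session.
        // Assumption: the version on the classpath ships mixins for the WebAuthn api
        // classes. This issue reports that they were missing at the time of filing.
        List<Module> modules = SecurityJackson2Modules.getModules(getClass().getClassLoader());
        mapper.registerModules(modules);
        return new GenericJackson2JsonRedisSerializer(mapper);
    }
}
```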
