NFC-47 NFC support for web-eid example

Signed-off-by: Sander Kondratjev <sander.kondratjev@nortal.com>

Author: SanderKondratjevNortal

README.md

@@ -48,7 +48,7 @@ Implement the session-backed challenge nonce store as follows:
 import org.springframework.beans.factory.ObjectFactory;
 import eu.webeid.security.challenge.ChallengeNonce;
 import eu.webeid.security.challenge.ChallengeNonceStore;
-import javax.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpSession;
 
 public class SessionBackedChallengeNonceStore implements ChallengeNonceStore {
 
@@ -134,36 +134,103 @@ import eu.webeid.security.validator.AuthTokenValidatorBuilder;
 ...
 ```
 
-## 6. Add a REST endpoint for issuing challenge nonces
+## 6. Add a filter for issuing challenge nonces
 
-A REST endpoint that issues challenge nonces is required for authentication. The endpoint must support `GET` requests.
+Request Filters that issue challenge nonces for regular Web eID and  Web eID for Mobile authentication flows are required for authentication.
+The filters must support POST requests.
 
-In the following example, we are using the [Spring RESTful Web Services framework](https://spring.io/guides/gs/rest-service/) to implement the endpoint, see also the full implementation [here](example/blob/main/src/main/java/eu/webeid/example/web/rest/ChallengeController.java).
+The `WebEidChallengeNonceFilter` handles `/auth/challenge` requests and issues a new nonce for regualar Web eID authentication flow.
+See the full implementation [here](example/src/main/java/eu/webeid/example/security/WebEidChallengeNonceFilter.java).
 
 ```java
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
-import eu.webeid.security.challenge.ChallengeNonceGenerator;
-...
+public final class WebEidChallengeNonceFilter extends OncePerRequestFilter {
+    private static final ObjectWriter OBJECT_WRITER = new ObjectMapper().writer();
+    private final RequestMatcher requestMatcher;
+    private final ChallengeNonceGenerator nonceGenerator;
+
+    public WebEidChallengeNonceFilter(String path, ChallengeNonceGenerator nonceGenerator) {
+        this.requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, path);
+        this.nonceGenerator = nonceGenerator;
+    }
+
+    @Override
+    protected void doFilterInternal(
+        @NonNull HttpServletRequest request,
+        @NonNull HttpServletResponse response,
+        @NonNull FilterChain chain
+    ) throws ServletException, IOException {
+        if (!requestMatcher.matches(request)) {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        var dto = new ChallengeDTO(nonceGenerator.generateAndStoreNonce().getBase64EncodedNonce());
+
+        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+        OBJECT_WRITER.writeValue(response.getWriter(), dto);
+    }
+
+    public record ChallengeDTO(String nonce) {}
+}
+```
 
-@RestController
-@RequestMapping("auth")
-public class ChallengeController {
+Similarly, the `WebEidMobileAuthInitFilter` handles `/auth/mobile/init` requests for Web eID for Mobile authentication flow by generating a challenge nonce and returning a deep link URI. This deep link contains both the challenge nonce and a login URI for the mobile authentication flow.
+See the full implementation [here](example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java).
 
-    @Autowired // for brevity, prefer constructor dependency injection
-    private ChallengeNonceGenerator nonceGenerator;
+```java
+public final class WebEidMobileAuthInitFilter extends OncePerRequestFilter {
+    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
+    private final RequestMatcher requestMatcher;
+    private final ChallengeNonceGenerator nonceGenerator;
+    private final String loginPath;
+
+    public WebEidMobileAuthInitFilter(String path, String loginPath, ChallengeNonceGenerator nonceGenerator) {
+        this.requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, path);
+        this.nonceGenerator = nonceGenerator;
+        this.loginPath = loginPath;
+    }
 
-    @GetMapping("challenge")
-    public ChallengeDTO challenge() {
-        // a simple DTO with a single 'nonce' field
-        final ChallengeDTO challenge = new ChallengeDTO();
-        challenge.setNonce(nonceGenerator.generateAndStoreNonce().getBase64EncodedNonce());
-        return challenge;
+    @Override
+    protected void doFilterInternal(
+        @NonNull HttpServletRequest request,
+        @NonNull HttpServletResponse response,
+        @NonNull FilterChain chain
+    ) throws IOException, ServletException {
+        if (!requestMatcher.matches(request)) {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        var challenge = nonceGenerator.generateAndStoreNonce();
+
+        String loginUri = ServletUriComponentsBuilder.fromCurrentContextPath()
+            .path(loginPath).build().toUriString();
+
+        String payloadJson = OBJECT_MAPPER.writeValueAsString(
+            new AuthPayload(challenge.getBase64EncodedNonce(), loginUri)
+        );
+        String encoded = Base64.getEncoder().encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
+        String eidAuthUri = "web-eid-mobile://auth#" + encoded;
+
+        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+        OBJECT_MAPPER.writeValue(response.getWriter(), new AuthUri(eidAuthUri));
     }
+
+    record AuthPayload(String challenge, @JsonProperty("login_uri") String loginUri) {}
+    record AuthUri(@JsonProperty("auth_uri") String authUri) {}
 }
 ```
 
+Both filters are registered in the Spring Security filter chain in ApplicationConfiguration
+See the full implementation [here](example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java):
+```java
+http
+  .addFilterBefore(new WebEidMobileAuthInitFilter("/auth/mobile/init", "/auth/mobile/login", challengeNonceGenerator),
+      UsernamePasswordAuthenticationFilter.class)
+  .addFilterBefore(new WebEidChallengeNonceFilter("/auth/challenge", challengeNonceGenerator),
+      UsernamePasswordAuthenticationFilter.class);
+```
+
 Also, see general guidelines for implementing secure authentication services [here](https://github.com/SK-EID/smart-id-documentation/wiki/Secure-Implementation-Guide).
 
 ## 7. Implement authentication

example/README.md

@@ -100,7 +100,8 @@ This repository contains the code of a minimal Spring Boot web application that
 -   Spring Security,
 -   the Web eID authentication token validation library [_web-eid-authtoken-validation-java_](https://github.com/web-eid/web-eid-authtoken-validation-java),
 -   the Web eID JavaScript library [_web-eid.js_](https://github.com/web-eid/web-eid.js),
--   the digital signing library [_DigiDoc4j_](https://github.com/open-eid/digidoc4j).
+-   the digital signing library [_DigiDoc4j_](https://github.com/open-eid/digidoc4j),
+-   the Android application [_MOPP-Android_](https://github.com/open-eid/MOPP-Android/).
 
 The project uses Maven for managing the dependencies and building the application. Maven project configuration file `pom.xml` is in the root of the project.
 
@@ -113,11 +114,13 @@ The source code folder `src` contains the application source code and resources
 The `src/main/java/eu/webeid/example` directory contains the Spring Boot application Java class and the following subdirectories:
 
 -   `config`: Spring and HTTP security configuration, Web eID authentication token validation library configuration, trusted CA certificates loading etc,
--   `security`: Web eID authentication token validation library integration with Spring Security via an `AuthenticationProvider` and `AuthenticationProcessingFilter`,
+-   `security`: Web eID authentication token validation library integration with Spring Security
+    -   `AuthenticationProvider` and `AuthenticationProcessingFilter` for handling Web eID authentication tokens,
+    -   `WebEidChallengeNonceFilter` for issuing the challenge nonce required by the authentication flow,
+    -   `WebEidMobileAuthInitFilter` for issuing the challenge nonce and generating the deep link with the authentication request, used to initiate the mobile authentication flow,
+    -   `WebEidAjaxLoginProcessingFilter` and `WebEidLoginPageGeneratingFilter` for handling login requests.
 -   `service`: Web eID signing service implementation that uses DigiDoc4j, and DigiDoc4j runtime configuration,
--   `web`: Spring Web MVC controller for the welcome page and Spring Web REST controllers that provide endpoints
-    -   for getting the challenge nonce used by the authentication token validation library,
-    -   for digital signing.
+-   `web`: Spring Web MVC controller for the welcome page and Spring Web REST controller that provides a digital signing endpoint.
 
 The `src/resources` directory contains the resources used by the application:
 

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -24,6 +24,10 @@
 
 import eu.webeid.example.security.AuthTokenDTOAuthenticationProvider;
 import eu.webeid.example.security.WebEidAjaxLoginProcessingFilter;
+import eu.webeid.example.security.WebEidChallengeNonceFilter;
+import eu.webeid.example.security.WebEidMobileAuthInitFilter;
+import eu.webeid.example.security.ui.WebEidLoginPageGeneratingFilter;
+import eu.webeid.security.challenge.ChallengeNonceGenerator;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
@@ -34,29 +38,32 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
-import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
 @EnableWebSecurity
 @EnableMethodSecurity(securedEnabled = true)
-public class ApplicationConfiguration implements WebMvcConfigurer {
+public class ApplicationConfiguration {
 
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider, AuthenticationConfiguration authConfig) throws Exception {
+    public SecurityFilterChain filterChain(
+        HttpSecurity http,
+        AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider,
+        AuthenticationConfiguration authConfig,
+        ChallengeNonceGenerator challengeNonceGenerator
+    ) throws Exception {
         return http
-                .authenticationProvider(authTokenDTOAuthenticationProvider)
-                .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager()),
-                        UsernamePasswordAuthenticationFilter.class)
-                .logout(logout -> logout.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
-                .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
-                .build();
+            .authorizeHttpRequests(auth -> auth
+                .requestMatchers("/css/**", "/files/**", "/img/**", "/js/**", "/scripts/**").permitAll()
+                .requestMatchers("/").permitAll()
+                .anyRequest().authenticated()
+            )
+            .authenticationProvider(authTokenDTOAuthenticationProvider)
+            .addFilterBefore(new WebEidMobileAuthInitFilter("/auth/mobile/init", "/auth/mobile/login", challengeNonceGenerator), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidChallengeNonceFilter("/auth/challenge", challengeNonceGenerator), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidLoginPageGeneratingFilter("/auth/mobile/login"), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager()), UsernamePasswordAuthenticationFilter.class)
+            .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
+            .logout(l -> l.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
+            .build();
     }
-
-    @Override
-    public void addViewControllers(ViewControllerRegistry registry) {
-        registry.addViewController("/").setViewName("index");
-        registry.addViewController("/welcome").setViewName("welcome");
-    }
-
 }

example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java

@@ -26,16 +26,15 @@
 import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
-public class SameSiteCookieConfiguration implements WebMvcConfigurer {
+public class SameSiteCookieConfiguration {
 
     @Bean
     public TomcatContextCustomizer configureSameSiteCookies() {
         return context -> {
             final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
-            cookieProcessor.setSameSiteCookies("strict");
+            cookieProcessor.setSameSiteCookies("lax");
             context.setCookieProcessor(cookieProcessor);
         };
     }

example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java

@@ -33,7 +33,9 @@
 import jakarta.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
@@ -44,6 +46,7 @@
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 
 import java.io.IOException;
 
@@ -53,10 +56,10 @@ public class WebEidAjaxLoginProcessingFilter extends AbstractAuthenticationProce
     private final SecurityContextRepository securityContextRepository;
 
     public WebEidAjaxLoginProcessingFilter(
-            String defaultFilterProcessesUrl,
-            AuthenticationManager authenticationManager
+        String defaultFilterProcessesUrl,
+        AuthenticationManager authenticationManager
     ) {
-        super(defaultFilterProcessesUrl);
+        super(PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, defaultFilterProcessesUrl));
         this.setAuthenticationManager(authenticationManager);
         this.setAuthenticationSuccessHandler(new AjaxAuthenticationSuccessHandler());
         this.setAuthenticationFailureHandler(new AjaxAuthenticationFailureHandler());
@@ -66,13 +69,9 @@ public WebEidAjaxLoginProcessingFilter(
 
     @Override
     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
-            throws AuthenticationException, IOException {
-        if (!HttpMethod.POST.name().equals(request.getMethod())) {
-            LOG.warn("HttpMethod not supported: {}", request.getMethod());
-            throw new AuthenticationServiceException("HttpMethod not supported: " + request.getMethod());
-        }
-        final String contentType = request.getHeader("Content-type");
-        if (contentType == null || !contentType.startsWith("application/json")) {
+        throws AuthenticationException, IOException {
+        final String contentType = request.getHeader(HttpHeaders.CONTENT_TYPE);
+        if (contentType == null || !contentType.startsWith(MediaType.APPLICATION_JSON_VALUE)) {
             LOG.warn("Content type not supported: {}", contentType);
             throw new AuthenticationServiceException("Content type not supported: " + contentType);
         }

example/src/main/java/eu/webeid/example/security/WebEidChallengeNonceFilter.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.example.security;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectWriter;
+import eu.webeid.security.challenge.ChallengeNonceGenerator;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
+import org.springframework.lang.NonNull;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+
+public final class WebEidChallengeNonceFilter extends OncePerRequestFilter {
+    private static final ObjectWriter OBJECT_WRITER = new ObjectMapper().writer();
+    private final RequestMatcher requestMatcher;
+    private final ChallengeNonceGenerator nonceGenerator;
+
+    public WebEidChallengeNonceFilter(String path, ChallengeNonceGenerator nonceGenerator) {
+        this.requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, path);
+        this.nonceGenerator = nonceGenerator;
+    }
+
+    @Override
+    protected void doFilterInternal(@NonNull HttpServletRequest request,
+                                    @NonNull HttpServletResponse response,
+                                    @NonNull FilterChain chain) throws ServletException, IOException {
+        if (!requestMatcher.matches(request)) {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        var dto = new ChallengeDTO(nonceGenerator.generateAndStoreNonce().getBase64EncodedNonce());
+
+        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+        OBJECT_WRITER.writeValue(response.getWriter(), dto);
+    }
+
+    public record ChallengeDTO(String nonce) {}
+}