Describe the bug
When invoking the WebAuthn registration endpoint (/webauthn/register), Spring Security throws a NullPointerException if the registration payload contains an authenticator transport value that is not recognized by Spring Security.
For example, when the transport list contains "cable" (Cloud-assisted Bluetooth Low Energy), the request processing fails with:
java.lang.NullPointerException: Cannot invoke
"org.springframework.security.web.webauthn.api.AuthenticatorTransport.getValue()"
because "transport" is null
at org.springframework.security.web.webauthn.management.Webauthn4JRelyingPartyOperations.convertTransportsToString(Webauthn4JRelyingPartyOperations.java:309)
To Reproduce
- Configure a Spring Security application with WebAuthn enabled.
- Call the WebAuthn registration endpoint (/webauthn/register).
- Include an authenticator transport value that is not mapped to Spring Security's AuthenticatorTransport enum, for example:
{
...
"transports": ["cable"]
...
}
Observe that request processing fails with a NullPointerException.
Expected behavior
The framework should not throw a NullPointerException when an unknown transport is received.
Possible expected behaviors:
- Reject the request with a meaningful validation exception.
- Ignore unsupported transports.
- Preserve unknown transports as strings if supported by the implementation.
In any case, the framework should fail gracefully instead of throwing an NPE.
Analysis
The issue appears to originate in:
org.springframework.security.web.webauthn.jackson.AuthenticatorTransportDeserializer
When an unknown authenticator transport value is encountered (for example "cable"), the deserializer's deserialize() method returns null.
The resulting collection is later processed by:
org.springframework.security.web.webauthn.management.Webauthn4JRelyingPartyOperations
Specifically, in:
convertTransportsToString(...)
which assumes all transport values are non-null and invokes getValue() on each of them.
As a result, the following exception is thrown:
java.lang.NullPointerException: Cannot invoke
"org.springframework.security.web.webauthn.api.AuthenticatorTransport.getValue()"
because "transport" is null
From my analysis, the root cause is that unsupported transport values are silently converted to null during deserialization and are subsequently dereferenced without validation.
Spring Security should either:
- Reject unknown transport values with a meaningful exception during deserialization, or
- Filter/ignore unsupported values before processing, or
- Preserve unknown values in a forward-compatible manner.
Any of these approaches would prevent the NullPointerException and provide a more predictable failure mode.
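Added illustration of the two remediation options listed above (strict rejection and lenient filtering), plus a conversion step that refuses to dereference a null element. This is not code from the issue or from Spring Security: the Transport and TransportParsing classes and their method names are hypothetical stand-ins for the real AuthenticatorTransport API.

```java
import java.util.*;

/** Hypothetical stand-in for AuthenticatorTransport; not the Spring Security class. */
final class Transport {
    private static final Map<String, Transport> KNOWN = new LinkedHashMap<>();
    static final Transport USB = register("usb");
    static final Transport NFC = register("nfc");
    private final String value;
    private Transport(String value) { this.value = value; }
    private static Transport register(String v) { Transport t = new Transport(v); KNOWN.put(v, t); return t; }
    String getValue() { return value; }
    /** Unknown wire values yield Optional.empty(), never a bare null. */
    static Optional<Transport> lookup(String wireValue) {
        return Optional.ofNullable(KNOWN.get(wireValue));
    }
}

final class TransportParsing {
    /** Option 1 from the report: reject unknown values with a descriptive exception. */
    static List<Transport> parseStrict(List<String> wireValues) {
        List<Transport> out = new ArrayList<>();
        for (String v : wireValues) {
            out.add(Transport.lookup(v).orElseThrow(
                    () -> new IllegalArgumentException("unsupported authenticator transport: " + v)));
        }
        return out;
    }
    /** Option 2 from the report: drop unknown values and keep the known ones. */
    static List<Transport> parseLenient(List<String> wireValues) {
        List<Transport> out = new ArrayList<>();
        for (String v : wireValues) {
            Transport.lookup(v).ifPresent(out::add);
        }
        return out;
    }
    /** Hardened counterpart of convertTransportsToString: a null element is reported, not dereferenced. */
    static Set<String> toStrings(Collection<Transport> transports) {
        Set<String> out = new LinkedHashSet<>();
        for (Transport t : transports) {
            if (t == null) throw new IllegalStateException("null transport reached conversion; check the deserializer");
            out.add(t.getValue());
        }
        return out;
    }
    public static void main(String[] args) {
        List<String> payload = List.of("usb", "cable"); // constructed input mirroring the report
        System.out.println(toStrings(parseLenient(payload)));
        try { parseStrict(payload); }
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```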