6753 |
31 May 22 |
nicklas |
##
## Configuration file for the WebAuthn login extension
## (should be placed in the WEB-INF/classes directory)
## Modifications are detected and reloaded automatically
## without restarting the server.
##

## Comma- or whitespace-separated list of application ids
## that should NEVER use WebAuthn for login. Note that
## WebAuthn typically only works for web-based clients.
# no-webauthn = net.sf.basedb.clients.ftp

## Comma- or whitespace-separated list of application ids
## that MUST use WebAuthn for login. User accounts that
## have not been configured with a security key will not be
## able to log in with these clients (not even the ROOT user!).
# require-webauthn = net.sf.basedb.clients.web

## Comma- or whitespace-separated list of other authentication
## methods that are allowed even if a user account has been
## configured to log in with WebAuthn. If not specified, user
## accounts that have configured a security key MUST use WebAuthn.
## This setting doesn't affect user accounts without a security key.
## For example: use 'password' to allow users to log in with regular
## username and password, or use '*' as a wildcard to allow all
## other authentication methods. Note that this setting doesn't
## override the 'no-webauthn' or 'require-webauthn' settings.
# allow-other-authentication =
6754 |
31 May 22 |
nicklas |

## The ID of the RelyingParty is normally taken from the HTTP
## request headers. If, for some reason, that doesn't work as
## expected, it is possible to configure it manually here.
# relying-party-id = localhost

## A flag that can be set to allow the RelyingParty to match
## against any port number. Should not be needed except for
## developers that use non-standard ports.
# relying-party-allow-origin-port = 1

## A flag that can be set to allow the RelyingParty to match
## against any subdomain of the id.
# relying-party-allow-origin-subdomain = 1

## A flag for disabling validation of the signature counter.
## This counter is an increasing number intended to prevent
## replay attacks. It is recommended to keep this enabled,
## unless it is causing problems with security keys that
## don't support the counter.
# relying-party-disable-signature-counter = 1
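
The signature counter comparison that `relying-party-disable-signature-counter` switches off, shown as an added example that follows the rule in the W3C WebAuthn specification and is not code from the extension. All function and field names are hypothetical, and rejecting the login when the counter fails to increase is an assumed policy.

```python
from dataclasses import dataclass


@dataclass
class CounterResult:
    accepted: bool
    new_stored: int   # value to save for the credential after this login
    reason: str


def check_signature_counter(stored, received, validate=True):
    """Compare an assertion's signCount with the value saved for the credential.

    validate=False models 'relying-party-disable-signature-counter = 1'.
    Rejecting on failure is an assumed policy for this example.
    """
    if not 0 <= received <= 0xFFFFFFFF:
        raise ValueError("signCount is an unsigned 32-bit integer")
    if stored == 0 and received == 0:
        # The authenticator does not implement a counter: nothing to compare.
        return CounterResult(True, 0, "counter not supported")
    if received > stored:
        return CounterResult(True, received, "counter increased")
    # Not increased, and at least one value is non-zero: the assertion may be
    # a replay, or a cloned authenticator may be in use.
    if validate:
        return CounterResult(False, stored, "counter did not increase")
    return CounterResult(True, stored, "not increased, validation disabled")


def run_logins(counters, validate=True):
    """Feed a sequence of received counters through the check, in order."""
    stored, outcome = 0, []
    for received in counters:
        result = check_signature_counter(stored, received, validate)
        stored = result.new_stored
        outcome.append(result.accepted)
    return outcome


# Constructed sample: the third login repeats counter value 8.
SAMPLE = [7, 8, 8, 9]

if __name__ == "__main__":
    print(run_logins(SAMPLE))                  # validation enabled
    print(run_logins(SAMPLE, validate=False))  # flag set to 1
```

A key that always reports 0 passes the check with validation enabled, because two zero values are treated as "no counter" rather than as a failure to increase.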