
Broken Authentication in Java


Vulnerable example

The following Spring controller does not enforce any authentication itself (there is no security annotation or explicit check in the handler):

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping(path = "/admin")
public class AdminApi {
    @PostMapping(path = "action") // nothing here requires a logged-in user; protection must come from the security configuration
    public ResponseEntity<Void> doAction() {
        return ResponseEntity.ok().build(); // ...
    }
}

In such cases, authentication has to be enforced elsewhere, typically in the Spring Security configuration. In the following example, some endpoints are explicitly marked as public and one is explicitly marked as requiring authentication:

import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(HttpMethod.GET, "/", "/index.html", "/css/**", "/js/**").permitAll()
            .antMatchers(HttpMethod.GET, "/admin/other-action").authenticated();
        // ... no rule covers any other request, so nothing stops an anonymous POST /admin/action
    }
}

But every other (unlisted) endpoint is public as well, including the POST /admin/action endpoint defined by the controller above: in this configuration a request that matches no rule is simply allowed through.


Authorization rules must be exhaustive: explicitly allow the few endpoints that are meant to be public and require authentication for everything else by default, so that adding a new endpoint (a new controller method, a new path) never silently exposes it. Rule order matters, since the first matching rule wins, so the catch-all goes last:

    .antMatchers(HttpMethod.GET, "/", "/index.html", "/css/**", "/js/**").permitAll()
    .anyRequest().authenticated(); // deny-by-default: any request not listed above requires an authenticated user
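The complete deny-by-default configuration for the AdminApi controller above, together with a test that checks it, written as an added example for this page (it is not code from the original page or from any project). It keeps the WebSecurityConfigurerAdapter style the page uses; the /admin/** role rule, HTTP Basic as the authentication entry point, the use of spring-boot-starter-test and spring-security-test, and the test class name are assumptions made for the example. The two classes would normally live in separate files (src/main and src/test).

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // 1. Genuinely public resources are listed explicitly, and only these.
                .antMatchers(HttpMethod.GET, "/", "/index.html", "/css/**", "/js/**").permitAll()
                // 2. The privileged area is protected by path prefix, so a new method added to
                //    AdminApi (or a new controller under /admin) is covered without touching this file.
                //    (The ADMIN role requirement is an assumption for this example.)
                .antMatchers("/admin/**").hasRole("ADMIN")
                // 3. Catch-all, placed last because the first matching rule wins: anything not
                //    matched above requires an authenticated user instead of being allowed through.
                .anyRequest().authenticated()
            .and()
            // Entry point for unauthenticated requests; with HTTP Basic they receive 401.
            .httpBasic();
    }
}

// Regression test for the rule set above (assumes spring-boot-starter-test and spring-security-test
// on the test classpath). It pins the behaviour that the vulnerable configuration got wrong.
@SpringBootTest
@AutoConfigureMockMvc
class AdminApiAuthenticationTest {
    @Autowired
    MockMvc mvc;

    @Test
    void anonymousPostToAdminActionIsRejected() throws Exception {
        // csrf() supplies a valid token so the only reason for rejection is the missing authentication.
        mvc.perform(post("/admin/action").with(csrf()))
           .andExpect(status().isUnauthorized());
    }

    @Test
    void authenticatedUserWithoutAdminRoleIsForbidden() throws Exception {
        mvc.perform(post("/admin/action").with(csrf()).with(user("bob").roles("USER")))
           .andExpect(status().isForbidden());
    }

    @Test
    void adminCanCallAdminAction() throws Exception {
        mvc.perform(post("/admin/action").with(csrf()).with(user("alice").roles("ADMIN")))
           .andExpect(status().isOk());
    }
}
```

The test is the useful part for catching regressions: if someone later removes the `anyRequest()` line or reorders the rules so that a broad `permitAll()` comes first, the first test fails instead of the endpoint quietly becoming public.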

Apply the equivalent authentication and authorization controls for the web framework in use; the principle (explicit allow-list for public endpoints, authentication required for everything else) is the same regardless of framework.