
Broken Authentication in Java

Spring

Vulnerable example

The following Spring controller does not explicitly enforce any authentication:

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping(path = "/admin")
public class AdminApi {
    // Nothing here checks who the caller is: protection of this endpoint
    // depends entirely on the security configuration matching its path.
    @PostMapping(path = "action")
    public ResponseEntity doAction() {
        // ...
    }
}

In such cases, authentication is enforced by other mechanisms, typically the Spring Security configuration. In the following example, some endpoints are explicitly marked as public and one endpoint is explicitly protected:

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Public, read-only resources are explicitly allowed...
                .antMatchers(HttpMethod.GET, "/", "/index.html", "/css/**", "/js/**").permitAll()
                // ...and a single endpoint is explicitly protected. There is no
                // rule covering any other request.
                .antMatchers(HttpMethod.GET, "/admin/other-action").authenticated();

        // ...
    }
}

Any other (unlisted) endpoint, however, is left unprotected as well, because no rule matches it; this includes the /admin/action endpoint exposed by the controller above.

Prevention

Authorization rules must be exhaustive: explicitly allow the few public endpoints and require authentication for every other request by default. This fails closed, so endpoints added later are protected without any change to the configuration:

http
    .authorizeRequests()
        .antMatchers(HttpMethod.GET, "/", "/index.html", "/css/**", "/js/**").permitAll()
        // Catch-all rule: any request not matched above requires authentication.
        .anyRequest().authenticated();

Apply the recommended authentication and authorization controls depending on the web framework of choice.
