Broken Authentication in Java
Spring
Vulnerable example
The following Spring controller does not explicitly enforce any authentication on its endpoint:
@RestController
@RequestMapping(path = "/admin")
public class AdminApi {
    // No security annotation here: whether a caller must be authenticated is
    // decided entirely by the HttpSecurity rules of the application.
    @PostMapping(path = "action")
    public ResponseEntity<?> doAction() {
        // ...
    }
}
In this case, access control falls entirely to the security configuration. In the following example, some endpoints are explicitly marked as public and one is explicitly protected:
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/", "/index.html", "/css/**", "/js/**").permitAll()
                .antMatchers(HttpMethod.GET, "/admin/other-action").authenticated();
        // No rule covers any other request, so nothing restricts it.
        // ...
    }
}
But any other (unlisted) endpoint is public as well, including the POST /admin/action handled by the controller above: a request that matches none of the rules receives no access decision at all, so Spring Security lets it through unauthenticated.
Prevention
It is fundamental to implement an exhaustive (default-deny) authentication rule set, in which the public endpoints are listed and every other request is explicitly required to be authenticated, so that the application stays protected as new endpoints are added:
http
    .authorizeRequests()
        .antMatchers(HttpMethod.GET, "/", "/index.html", "/css/**", "/js/**").permitAll()
        .anyRequest().authenticated();
Apply the recommended authentication and authorization controls depending on the web framework of choice.
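A regression test is the practical way to confirm the default-deny rule actually covers an endpoint that no matcher lists. The following is an added example, not code from the original page; it assumes a Spring Boot application that contains the AdminApi controller and the hardened WebSecurityConfig above, that the configuration also calls http.httpBasic() (so anonymous requests get a 401 rather than a login redirect), that doAction() answers with a 2xx status on success, and that spring-boot-starter-test and spring-security-test are on the test classpath. The user name "alice" is a hypothetical principal.

```java
// Added example (not from the original page): MockMvc test that checks the
// default-deny rule for an endpoint absent from every antMatchers() rule.
// Assumptions: Spring Boot app with AdminApi and the hardened WebSecurityConfig,
// http.httpBasic() configured (anonymous callers receive 401), doAction() returns
// a 2xx status, spring-boot-starter-test and spring-security-test on the classpath.
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class DefaultDenyRegressionTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void unlistedEndpointRejectsAnonymousCaller() throws Exception {
        // /admin/action appears in no antMatchers() rule. With the vulnerable
        // configuration the request passes the security filter; with
        // anyRequest().authenticated() it must be rejected.
        // with(csrf()) supplies a valid CSRF token so that CsrfFilter, which runs
        // before authorization, does not mask the outcome with a 403 of its own.
        mvc.perform(post("/admin/action").with(csrf()))
           .andExpect(status().isUnauthorized());
    }

    @Test
    void unlistedEndpointStillServesAuthenticatedUser() throws Exception {
        // Sanity check that only anonymous access is denied: an authenticated
        // principal (hypothetical user "alice") reaches the controller.
        mvc.perform(post("/admin/action").with(csrf()).with(user("alice")))
           .andExpect(status().is2xxSuccessful());
    }
}
```

Run the first test against the vulnerable configuration as well: it fails there, which is exactly the gap the anyRequest() rule closes.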
References
CWE - CWE-287: Improper Authentication
OWASP - A07:2021 - Identification and Authentication Failures