
Broken Authorization in Java

Vulnerable Examples

For example, the application passes unverified request data straight into a downstream method call that retrieves account information, introducing a horizontal authorization bypass:
statement.setString(1, request.getParameter("accountId")); // accountId is taken from the request and never tied to the caller

An attacker can modify the accountId parameter in the HTTP Request to retrieve the information from any user’s account.



Spring Security supports authorization semantics at both web and method level. It is possible to restrict which roles are able to execute a particular method, and it’s a great way to enforce vertical authorization controls:

public class SecurityConfig extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity security) throws Exception {
        security.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN"); // only ADMIN may reach /admin/**
    }
}

Security Expressions can be used to secure business functionality at the method level as well by using annotations. The annotations @PreAuthorize and @PostAuthorize support Spring Expression Language (SpEL) and provide expression-based access control:

public class AdminService {
    @PreAuthorize("hasRole('ADMIN')") // SpEL: evaluated before the method body runs
    public List<Organization> findAllOrganizations() { ... }
}
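The horizontal bypass from the first example and the SpEL method-level control from this section, side by side in one added example that is not code from the original page. It assumes a Spring Security application with method security enabled (@EnableMethodSecurity or the older @EnableGlobalMethodSecurity(prePostEnabled = true)), an injected JDBC Connection, and a hypothetical accounts table with id, owner and balance columns.

```java
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;

public class AccountService {
    private final Connection connection; // assumption: injected by the application's DataSource setup

    public AccountService(Connection connection) { this.connection = connection; }

    // Vulnerable: any authenticated user can read any account just by changing accountId.
    public Account findAccountUnchecked(String accountId) throws SQLException {
        PreparedStatement statement = connection.prepareStatement(
                "SELECT id, owner, balance FROM accounts WHERE id = ?");
        statement.setString(1, accountId); // parameterised, so not SQL injection, but no ownership check
        return toAccount(statement.executeQuery());
    }

    // Fix 1: scope the query to the authenticated principal so another user's row can never match.
    public Account findOwnAccount(String accountId, Principal principal) throws SQLException {
        PreparedStatement statement = connection.prepareStatement(
                "SELECT id, owner, balance FROM accounts WHERE id = ? AND owner = ?");
        statement.setString(1, accountId);
        statement.setString(2, principal.getName());
        return toAccount(statement.executeQuery()); // null when the row does not belong to the caller
    }

    // Fix 2: let Spring Security evaluate the ownership rule in SpEL once the result is known.
    // A mismatch raises AccessDeniedException before the object reaches the caller.
    @PreAuthorize("isAuthenticated()")
    @PostAuthorize("returnObject == null || returnObject.owner == authentication.name")
    public Account findAccount(String accountId) throws SQLException {
        PreparedStatement statement = connection.prepareStatement(
                "SELECT id, owner, balance FROM accounts WHERE id = ?");
        statement.setString(1, accountId);
        return toAccount(statement.executeQuery());
    }

    private Account toAccount(ResultSet rs) throws SQLException {
        return rs.next() ? new Account(rs.getString("id"), rs.getString("owner"), rs.getLong("balance")) : null;
    }

    // Plain getters so SpEL can resolve returnObject.owner through getOwner()
    public static class Account {
        private final String id; private final String owner; private final long balance;
        public Account(String id, String owner, long balance) { this.id = id; this.owner = owner; this.balance = balance; }
        public String getId() { return id; } public String getOwner() { return owner; } public long getBalance() { return balance; }
    }
}
```

@PostAuthorize only runs when the bean is called through its Spring proxy, so a call from within the same class bypasses the check; keep the ownership rule in the query (Fix 1) where that matters.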


MITRE - CWE 285 - Improper Authorization
OWASP Top 10 2017 - Broken Access Control
OWASP - Access Control Cheat Sheet
Spring - Expression-Based Access Control