SPRING.AUTHC.MISSING
Missing authorization for critical function
This checker verifies that a user must be authenticated in order to access protected resources and reports configurations that allow an anonymous user to access a critical resource.
Vulnerability and risk
By not requiring authentication, an attacker can gain access to sensitive data, perform administrative functions, or even execute arbitrary code.
Mitigation and prevention
Identify all privileged assets within your application, for example, web pages that display sensitive data, website sections that contain privileged or administrative functionality, and so on. Identify the user roles within the application and their access permissions. Always check whether the user should have privileges to access an asset. Always configure critical and public resources explicitly rather than relying on defaults.
Vulnerable code example 1
Spring provides a security component that can check authentication.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(HttpMethod.POST, "/setting/guest/create").permitAll()
            .antMatchers(HttpMethod.POST, "/api-docs").anonymous()
            .antMatchers("/setting/admin/**").hasAnyRole("ADMIN") // pattern needs the leading '/' to match a request path
            .antMatchers(HttpMethod.GET, "/admin/accountInfo").anonymous() // flagged: critical resource open to anonymous users
            .antMatchers(HttpMethod.PUT, "/profile").authenticated()
            .and().httpBasic();
    }
}
Klocwork reports a SPRING.AUTHC.MISSING defect on line 10, indicating, 'Authentication is required to access '/accountInfo' resource'. In this example, a user can access '/accountInfo' without authentication: antMatchers() is using the GET method and '/accountInfo' is not a public resource, so the user needs to be authenticated to access '/accountInfo'.
Fixed code example 1
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(HttpMethod.POST, "/setting/guest/create").permitAll()
            .antMatchers(HttpMethod.POST, "/api-docs").anonymous()
            .antMatchers("/setting/admin/**").hasAnyRole("ADMIN") // matches the granted authority "ROLE_ADMIN"
            .antMatchers(HttpMethod.GET, "/admin/accountInfo").hasAuthority("ADMIN") // matches the literal authority "ADMIN"
            .antMatchers(HttpMethod.PUT, "/profile").authenticated()
            .and().httpBasic();
    }
}
In this fixed example, Klocwork no longer reports a defect because only authenticated users can access critical resources while the public resources are accessible by using anonymous requests.
Vulnerable code example 2
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(HttpMethod.POST, "/setting/admin/*").permitAll() // flagged: administrative resource open to everyone
            .antMatchers(HttpMethod.POST, "/api-docs").anonymous()
            .antMatchers("/setting/properties/*").hasAnyRole("ADMIN")
            .antMatchers(HttpMethod.PUT, "/profile").authenticated()
            .and().httpBasic();
    }
}
Klocwork reports a SPRING.AUTHC.MISSING defect on line 7, indicating, 'Authentication is required to access 'admin' resource'. In this example, a user can access '/admin' without authentication: antMatchers() is using the POST method and '/admin' is a critical resource, so the user needs to be authenticated to access '/admin'.
Fixed code example 2
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(HttpMethod.POST, "/setting/admin/*").authenticated() // was permitAll() in the vulnerable example
            .antMatchers(HttpMethod.POST, "/api-docs").anonymous()
            .antMatchers("/setting/properties/*").hasAnyRole("ADMIN")
            .antMatchers(HttpMethod.PUT, "/profile").authenticated()
            .and().httpBasic();
    }
}
In this fixed example, Klocwork no longer raises a defect because only authenticated users can access critical resources.
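As an added example (not part of this checker page and not Spring's own code), the following configuration applies both fixes above in a deny-by-default style and adds a MockMvc regression test that pins the behaviour SPRING.AUTHC.MISSING looks for. It assumes a Spring Boot 2.x application with spring-boot-starter-security, spring-security-test and spring-boot-starter-test on the classpath and a @SpringBootApplication class in the same package tree.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Added example configuration; not Klocwork's or Spring's own code.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Rules are evaluated in order and the first match wins: list the
            // narrow public exceptions first, the broad protected patterns after.
            .antMatchers(HttpMethod.POST, "/setting/guest/create").permitAll()
            .antMatchers(HttpMethod.GET, "/api-docs").permitAll()
            // Administrative paths need the ADMIN role (authority "ROLE_ADMIN").
            .antMatchers("/admin/**", "/setting/admin/**").hasRole("ADMIN")
            // Deny by default: any path not listed above requires an authenticated
            // user, so a forgotten endpoint never falls through to anonymous access.
            .anyRequest().authenticated()
            .and().httpBasic();
    }
}

// Regression test for the rule above (assumes a @SpringBootApplication class exists).
@SpringBootTest
@AutoConfigureMockMvc
class WebSecurityConfigTest {
    @Autowired MockMvc mvc;
    @Test // no credentials: the HTTP Basic entry point answers 401 before any controller runs
    void anonymousUserCannotReadAccountInfo() throws Exception {
        mvc.perform(get("/admin/accountInfo")).andExpect(status().isUnauthorized());
    }
    @Test // authenticated but without ROLE_ADMIN: the access decision answers 403
    @WithMockUser(roles = "USER")
    void nonAdminUserIsForbidden() throws Exception {
        mvc.perform(get("/admin/accountInfo")).andExpect(status().isForbidden());
    }
}
```

Both assertions hold whether or not a controller is mapped to /admin/accountInfo, because the security filter chain decides before the request reaches MVC.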
External guidance
Security training
Application security training materials provided by Secure Code Warrior.
Extension
This checker can be tuned to look for critical resources used in the project and check whether a user is authenticated in order to access those resources. You can do this by using the @CheckerParam option in a .jkb file. See Tuning Java analysis for more information.