SPRING.AUTHC.MISSING

Missing authorization for critical function

This checker verifies whether the user is authenticated in order to access protected resources and reports cases where an anonymous user is trying to access a critical resource.

Vulnerability and risk

By not requiring authentication, an attacker can gain access to sensitive data, perform administrative functions, or even execute an arbitrary code.

Mitigation and prevention

Identify all privileged assets within your application, for example, web pages that display sensitive data, website sections that contain privileged or administrative functionality, and so on. Identify user roles within the application and their access permissions. Always check whether the user should have privileges to access an asset. Always perform the proper setup for critical and public resources.

Vulnerable code example 1

Spring provides a security component that can check authentication.

1
2
3
4
5
6
7
8
9
10
11
12
13
  @Configuration
  @EnableWebSecurity
  public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
      @Override
      protected void configure(HttpSecurity http) throws Exception {
           http.authorizeRequests()
           .antMatchers(HttpMethod.POST,"/setting/guest/create").permitAll()
           .antMatchers(HttpMethod.POST,"/api-docs").anonymous()
           .antMatchers("setting/admin/**").hasAnyRole("ADMIN")
          .antMatchers(HttpMethod.GET,"/admin/accountInfo").anonymous()
          .antMatchers(HttpMethod.PUT,"/profile").authenticated()
          .and().httpBasic();
     }

Klocwork reports a SPRING.AUTHC.MISSING defect on line 10, indicating, 'Authentication is required to access 'account/Info' resource'. In this example, a user can access '/accountInfo' without authentication. AntMatchers() is using the GET method and '/accountInfo' is not a public resource; the user needs to be authenticated to access '/accounInfo'.

Fixed code example 1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
  @Configuration
  @EnableWebSecurity
  public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
      @Override
      protected void configure(HttpSecurity http) throws Exception {
           
           http.authorizeRequests()
           .antMatchers(HttpMethod.POST,"/setting/guest/create").permitAll()
           .antMatchers(HttpMethod.POST,"/api-docs ").anonymous()
          .antMatchers("setting/admin/**").hasAnyRole("ADMIN")
          .antMatchers(HttpMethod.GET,"/admin/accountInfo").hasAuthority("ADMIN")
          .antMatchers(HttpMethod.PUT,"/profile").authenticated()
          .and().httpBasic();
     }

In this fixed example, Klocwork no longer reports a defect because only authenticated users can access critical resources while the public resources are accessible by using anonymous requests.

Vulnerable code example 2

1
2
3
4
5
6
7
8
9
10
11
12
  @Configuration
  @EnableWebSecurity
  public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
      @Override
      protected void configure(HttpSecurity http) throws Exception {
           http.authorizeRequests()
           .antMatchers(HttpMethod.POST,"/setting/admin/*").permitAll()
           .antMatchers(HttpMethod.POST,"/api-docs").anonymous()
           .antMatchers("/setting/properties/*").hasAnyRole("ADMIN")
          .antMatchers(HttpMethod.PUT,"/profile").authenticated()
          .and().httpBasic();
     }

Klocwork reports a SPRING.AUTHC.MISSING defect on line 7, indicating, 'Authentication is required to access 'admin' resource'. In this example, a user can access '/admin' without authentication. AntMatchers() is using the POST method and '/admin' is a critical resource; the user needs to be authenticated to access '/admin'.

Fixed code example 2

1
2
3
4
5
6
7
8
9
10
11
12
13
   @Configuration
   @EnableWebSecurity
   public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
       @Override
       protected void configure(HttpSecurity http) throws Exception {
            
            http.authorizeRequests()
            .antMatchers(HttpMethod.POST,"/setting/admin/*").permitAll()
            .antMatchers(HttpMethod.POST,"/api-docs ").anonymous()
           .antMatchers("/setting/properties/*").hasAnyRole("ADMIN")
           .antMatchers(HttpMethod.PUT,"/profile").authenticated()
           .and().httpBasic();
      } 

In this fixed example, Klocwork no longer raise a defect because only authenticated users can access critical resources.

Related checkers

• SPRING.AUTHC.ABSENT

External guidance

• CWE-306: Missing Authentication for Critical Function
• OWASP A7:2021 Identification and Authentication Failures

Security training

Application security training materials provided by Secure Code Warrior.

• Improper Authentication Training Video - Test your skills with a training example

Extension

This checker can be tuned to look for critical resources used in the project and check whether a user is authenticated in order to access those resources. You can do this by using the @CheckerParam option in a .jkb file. See Tuning Java analysis for more information.