SPRING.AUTHZ.ABSENT
This checker verifies whether the code performs authorization for protected resources and flags instances where the project API configuration doesn't include a protected resource.
Vulnerability and risk
An attacker may gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.
Mitigation and prevention
Identify all privileged assets within your application, for example, web pages that display sensitive data, website sections that contain privileged or administrative functionality, and so on. Identify user roles within the application and their access permissions. Always check whether the user should have privileges to access an asset. Always perform the proper setup for APIs that require authorization in your project.
Vulnerable code example
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(HttpMethod.POST,"/version ").hasAnyRole("ADMIN","USER")
.antMatchers(HttpMethod.PUT ,"/admin/*").hasRole("ADMIN")
.and().httpBasic();
}
Klocwork reports a SPRING.AUTHZ.ABSENT defect on line 6, indicating, "Protected resource 'setting' is missed from configuration". Because the The "/setting" api is not present in any antMatchers(), a user can access the "/setting" api without authorization.
Fixed code example
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(HttpMethod.POST,"/version ").hasAnyRole("ADMIN","USER")
.antMatchers(HttpMethod.PUT ,"/admin/*").hasRole("ADMIN")
.antMatchers("/setting").hasRole("ADMIN")
.and().httpBasic();
}
In this fixed example, Klocwork no longer reports a defect because every element from the protected resource list is present in the configuration.
Related checkers
External guidance
Extension
This checker must be tuned to check whether a user is authorized to access protected APIs that are used in the project. You can do this by using the @CheckerParam option in a .jkb file. See Tuning Java analysis for more information.