SPRING.AUTHC.ABSENT

No configuration for a critical function

This checker verifies whether authentication is configured for critical resources and reports an issue when a critical resource is not covered by the project API configuration.

Vulnerability and risk

If software does not perform any authentication for critical resources, an attacker can gain access to sensitive data, perform administrative functions, or even execute arbitrary code.

Mitigation and prevention

Identify all privileged assets within your application, for example, web pages that display sensitive data, website sections that contain privileged or administrative functionality, and so on. Identify user roles within the application and their access permissions. Always perform the proper setup for critical resources in the project API configuration.

Vulnerable code example

Spring provides a security component that can verify authentication.

  import org.springframework.context.annotation.Configuration;
  import org.springframework.http.HttpMethod;
  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

  @Configuration
  @EnableWebSecurity
  public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
      @Override
      protected void configure(HttpSecurity http) throws Exception {
          // Rules exist for /version, /api-docs and /profile only; the critical
          // "/admin" resource has no rule, so requests to it are never authenticated.
          http.authorizeRequests()
              .antMatchers(HttpMethod.POST, "/version").hasAnyRole("ADMIN", "USER")
              .antMatchers(HttpMethod.POST, "/api-docs").anonymous()
              .antMatchers(HttpMethod.PUT, "/profile").authenticated()
              .and().httpBasic();
      }
  }

Klocwork reports a SPRING.AUTHC.ABSENT defect on line 9, indicating, "Critical resource 'admin' is missed from configuration section". Because the "/admin" API is not present in any antMatchers() rule, a user can access the "/admin" API without authenticating.

Fixed code example

  import org.springframework.context.annotation.Configuration;
  import org.springframework.http.HttpMethod;
  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

  @Configuration
  @EnableWebSecurity
  public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http.authorizeRequests()
              .antMatchers(HttpMethod.POST, "/version").hasAnyRole("ADMIN", "USER")
              .antMatchers(HttpMethod.POST, "/api-docs").anonymous()
              .antMatchers(HttpMethod.PUT, "/profile").authenticated()
              // The critical "/admin" resource now has an explicit rule. hasRole() prefixes
              // "ROLE_", so the role name must match the "ADMIN" used in hasAnyRole() above.
              .antMatchers(HttpMethod.PUT, "/admin").hasRole("ADMIN")
              .and().httpBasic();
      }
  }

In this fixed example, Klocwork no longer reports a defect because every element from the critical resource list is present in the configuration.
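Added here as an example, not Klocwork's or the page's own code: the same configuration with a deny-by-default fallback, plus a MockMvc test that checks the critical resource is actually protected. It assumes a Spring Boot application with spring-security-test on the test classpath; DenyByDefaultSecurityConfig and AdminAccessTest are hypothetical names.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;
import org.junit.jupiter.api.Test;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical hardened configuration: explicit rules for the known critical resources,
// then a deny-by-default fallback for anything not listed.
@Configuration
@EnableWebSecurity
public class DenyByDefaultSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(HttpMethod.POST, "/version").hasAnyRole("ADMIN", "USER")
            .antMatchers(HttpMethod.POST, "/api-docs").anonymous()
            .antMatchers(HttpMethod.PUT, "/profile").authenticated()
            .antMatchers("/admin/**").hasRole("ADMIN")   // every method and sub-path, not only PUT /admin
            // A request matching no rule above is otherwise treated as public and let through.
            .anyRequest().authenticated()
            .and().httpBasic();
    }
}

// Hypothetical test (normally its own file under src/test) verifying the critical resource is protected.
@SpringBootTest
@AutoConfigureMockMvc
class AdminAccessTest {
    @Autowired MockMvc mvc;
    @Test
    void anonymousRequestToAdminIsRejected() throws Exception {
        // csrf() supplies a valid token so the 401 comes from the authorization rule, not from CsrfFilter.
        mvc.perform(put("/admin").with(csrf())).andExpect(status().isUnauthorized());
    }
    @Test
    @WithMockUser(roles = "USER")
    void authenticatedUserWithoutAdminRoleIsForbidden() throws Exception {
        mvc.perform(put("/admin").with(csrf())).andExpect(status().isForbidden());
    }
}
```

Run against the vulnerable configuration above, the first test fails (a 404 from the dispatcher instead of a 401), because a request that matches no antMatchers() rule is treated as public; the anyRequest() fallback closes that gap for endpoints the critical resource list does not yet name.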

Related checkers

Security training

Application security training materials provided by Secure Code Warrior.

Extension

This checker must be tuned to look for the specific critical APIs used in the project. You can do this with the @CheckerParam option in a .jkb file. See Tuning Java analysis for more information.