SPRING.AUTHZ.MISSING

Missing authorization

This checker verifies whether the user is authorized to access protected resources and reports cases where the user is not authorized and is trying to access protected resources.

Vulnerability and risk

An attacker may gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.

Mitigation and prevention

Identify all privileged assets within your application, for example, web pages that display sensitive data, website sections that contain privileged or administrative functionality, and so on. Identify user roles within the application and their access permissions. Always check whether the user should have privileges to access an asset. Always perform the proper setup for protected resources (resources that require authorization) in your project.

Vulnerable code example

Spring provides a security component that ships with a mechanism for access control of resources. Spring handles requests from users by using a chain of filters. In this example, the configure() method defines the URL patterns that are protected and the role required to access each of them.

  @Configuration
  @EnableWebSecurity
  public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http.authorizeRequests()
              .antMatchers(HttpMethod.POST, "/version").hasAnyRole("ADMIN", "USER") // authorization: role required
              .antMatchers(HttpMethod.PUT, "/admin/*").hasRole("ADMIN")             // authorization: role required
              .antMatchers("/setting").authenticated() // authentication only: any logged-in user passes
              .and().httpBasic();
      }
  }

Klocwork reports a defect on line 9, indicating, 'Authorization required to access '/setting' resource.' The user needs to be authorized before accessing any protected resource. In this example, any authenticated user can reach '/setting': the configuration checks that the caller is logged in, but never checks whether that caller holds a role or authority that permits access.

Fixed code example

  import org.springframework.context.annotation.Configuration;
  import org.springframework.http.HttpMethod;
  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

  @Configuration
  @EnableWebSecurity
  public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http.authorizeRequests()
              .antMatchers(HttpMethod.POST, "/version").hasAnyRole("ADMIN", "USER")
              .antMatchers(HttpMethod.PUT, "/admin/*").hasRole("ADMIN") // hasRole("ADMIN") matches the authority "ROLE_ADMIN"
              // '/setting' now requires an explicit authority, not merely a logged-in session.
              // hasAuthority("ADMIN") matches the literal authority "ADMIN" (no "ROLE_" prefix),
              // so the user store must grant "ADMIN" for this rule, and "ROLE_ADMIN" for the hasRole rules.
              .antMatchers("/setting").hasAuthority("ADMIN")
              .and().httpBasic();
      }
  }

In this fixed example, Klocwork no longer reports a defect, because every API that is a protected resource now requires an explicit role or authority, so an authenticated user is also checked for authorization before access is granted.
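The practical way to confirm that a rule set like the fixed configuration actually denies authenticated-but-unauthorized callers is an authorization test. The following Spring Boot MockMvc test is an added example and is not part of the Klocwork page or the Spring project. It assumes a Spring Boot application containing the fixed WebSecurityConfig, with spring-boot-starter-security and spring-security-test on the test classpath, and hypothetical controller handlers for GET /setting and PUT /admin/users that return 200 when reached; the package name and test class name are likewise assumptions.

```java
// Added example: verifies the access rules of the fixed WebSecurityConfig.
// Assumptions: Spring Boot app with spring-security-test available, and controller
// mappings for GET /setting and PUT /admin/users (hypothetical) that answer 200.
package com.example.authz;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
class WebSecurityConfigAuthorizationTest {

    @Autowired
    private MockMvc mockMvc;

    // No credentials at all: the httpBasic entry point answers 401 and the
    // resource is never invoked.
    @Test
    void anonymousCallerIsChallenged() throws Exception {
        mockMvc.perform(get("/setting")).andExpect(status().isUnauthorized());
    }

    // Authenticated but not authorized: exactly the case the checker flags in the
    // vulnerable example. With hasAuthority("ADMIN") a plain USER must receive 403.
    // Against the vulnerable .authenticated() rule this test would fail with 200.
    @Test
    @WithMockUser(roles = "USER")
    void authenticatedUserWithoutAuthorityIsForbidden() throws Exception {
        mockMvc.perform(get("/setting")).andExpect(status().isForbidden());
    }

    // hasAuthority("ADMIN") requires the literal granted authority "ADMIN".
    @Test
    @WithMockUser(authorities = "ADMIN")
    void adminAuthorityReachesSetting() throws Exception {
        mockMvc.perform(get("/setting")).andExpect(status().isOk());
    }

    // roles = "ADMIN" grants "ROLE_ADMIN", which hasAuthority("ADMIN") does not
    // accept: the prefix mismatch between hasRole and hasAuthority is easy to miss.
    @Test
    @WithMockUser(roles = "ADMIN")
    void roleAdminDoesNotSatisfyHasAuthorityAdmin() throws Exception {
        mockMvc.perform(get("/setting")).andExpect(status().isForbidden());
    }

    // PUT /admin/* uses hasRole("ADMIN"), i.e. the authority "ROLE_ADMIN".
    // csrf() supplies a valid token so the result reflects authorization, not CSRF.
    @Test
    @WithMockUser(roles = "ADMIN")
    void roleAdminCanModifyAdminResource() throws Exception {
        mockMvc.perform(put("/admin/users").with(csrf())).andExpect(status().isOk());
    }

    @Test
    @WithMockUser(roles = "USER")
    void userCannotModifyAdminResource() throws Exception {
        mockMvc.perform(put("/admin/users").with(csrf())).andExpect(status().isForbidden());
    }
}
```

Keeping a test like this next to the security configuration turns the checker's finding into a regression guard: if someone later relaxes a rule back to authenticated(), the forbidden-status assertions fail at build time. The two ADMIN tests also document the ROLE_ prefix difference between hasRole and hasAuthority that the fixed example relies on.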

Related checkers

Extension

This checker can be tuned to check whether a user is authorized to access the protected APIs that are used in the project. You can do this by using the @CheckerParam option in a .jkb file. See Tuning Java analysis for more information.