Rule Definition
Access to every URL in your application should be secured explicitly: either by granting public access with permitAll(), so that anonymous access is a deliberate decision rather than an oversight, or by specifying the role of the users allowed to access it.
These expressions are responsible for defining the access control or authorization to specific URLs or methods in your application.
Let’s look at the example:
@Override
protected void configure(final HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/ForumPage/*").permitAll()
            .antMatchers("/auth/admin/*").hasRole("ADMIN")
            .antMatchers("/auth/*").hasAnyRole("ADMIN", "USER");
    // ... remaining configuration (login form, logout, etc.)
}
In this example, access to all URLs starting with /auth/ is restricted to authenticated users holding the role USER or the role ADMIN, and access to URLs starting with /auth/admin/ additionally requires the ADMIN role. Matchers are evaluated in the order they are declared and the first match wins, so the more specific /auth/admin/* pattern must be listed before /auth/*.
For "/ForumPage/*", on the other hand, all requests are allowed on that path, whether they are anonymous or authenticated. Setting access="permitAll" configures the authorization so that every request on that path is allowed. This is achieved without disabling the security filters: they still run, so any Spring Security related functionality (for example, knowing who the current user is) remains available.
The same check applies to the login page: at least a .permitAll() should be specified for the login path, as follows:
    .formLogin()
        .loginPage("/login")
        .permitAll()
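As an added example (not part of this rule page or of CAST's material), the following MockMvc test verifies that the configuration above behaves as described: public paths are reachable anonymously, protected paths redirect anonymous callers to the login page, and the USER role cannot enter the ADMIN area. It assumes the first example's matchers plus the formLogin() block shown here, the spring-security-test dependency on the test classpath, and controllers mapped at the hypothetical paths /ForumPage/{id}, /auth/profile and /auth/admin/users.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class UrlAccessRulesTest {

    @Autowired
    private MockMvc mvc;

    // /ForumPage/* is permitAll(): an anonymous request passes the filter chain
    // and reaches the (assumed) controller instead of being sent to /login.
    @Test
    void forumPageIsReachableAnonymously() throws Exception {
        mvc.perform(get("/ForumPage/thread-1"))
           .andExpect(status().isOk());
    }

    // /auth/* requires USER or ADMIN: with formLogin(), an anonymous caller is
    // redirected to the login page rather than served the protected resource.
    @Test
    void anonymousCallerIsRedirectedToLogin() throws Exception {
        mvc.perform(get("/auth/profile"))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrlPattern("**/login"));
    }

    // /auth/admin/* is matched before /auth/*, so an authenticated USER is
    // refused with 403 (authorization runs before any controller is reached).
    @Test
    void userRoleIsForbiddenFromAdminArea() throws Exception {
        mvc.perform(get("/auth/admin/users").with(user("alice").roles("USER")))
           .andExpect(status().isForbidden());
    }

    // Same URL with the ADMIN role: the matcher grants access.
    @Test
    void adminRoleCanEnterAdminArea() throws Exception {
        mvc.perform(get("/auth/admin/users").with(user("root").roles("ADMIN")))
           .andExpect(status().isOk());
    }
}
```

If the ordering of the two /auth matchers were reversed, the third test would fail with 200 instead of 403, which is the regression this test is meant to catch.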
Remediation
Add .permitAll() to .loginPage("/login") or to .antMatchers("/xxx/**") if access is allowed to anyone,
or specify the required role with .hasRole("ROLE").
Violation Code Sample
@Configuration
@EnableWebSecurity(debug = true) // Violation
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // ... no configure(HttpSecurity) override declaring permitAll() or hasRole() for the application's URLs
}
Fixed Code Sample
You need to add .permitAll() to .loginPage("/login") or to .antMatchers("/xxx/**") if access is allowed to anyone,
or you have to specify the required role with .hasRole("ROLE").
JAVA CONFIGURATION
-----------------------------------------
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/resources/**", "/signup", "/about").permitAll()
            .antMatchers("/admin/**").hasRole("ADMIN") // no permitAll() here, but the required role is specified
            .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // likewise, access is restricted by role
            .anyRequest().authenticated() // every URL not matched above still requires an authenticated user
            .and()
        .formLogin()
            .loginPage("/login").permitAll();
}
XML CONFIGURATION
-----------------------------------------
<intercept-url pattern="/login*" access="permitAll" />
Reference
https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
Related Technologies
Technical Criterion
CWE-424 - Improper Protection of Alternate Path
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.