Rule Definition
Logging exception details is important when you need to properly diagnose error conditions within the system. You don't want this detail to be displayed on an error page because it may inadvertently aid a malicious user in an attack. Logging allows your error pages to display a simple generic message alerting end users that an error has occurred, possibly with some options for contacting support. The detail you need for diagnosing these issues is kept securely in the log store.
Remediation
The following Spring Security components are ready to be used in specific situations:
- DelegatingAuthenticationFailureHandler delegates AuthenticationException subclasses to different AuthenticationFailureHandlers, so we can define different behaviors for different kinds of AuthenticationException
- ExceptionMappingAuthenticationFailureHandler redirects the user to a specific URL depending on the AuthenticationException's fully qualified class name
- ForwardAuthenticationFailureHandler forwards the user to the specified URL regardless of the type of the AuthenticationException
- SimpleUrlAuthenticationFailureHandler is the component used by default: it redirects the user to the failureUrl, if one is specified; otherwise it simply returns a 401 response
For more details, please refer to https://www.baeldung.com/spring-security-custom-authentication-failure-handler
Violation Code Sample
Sample 1
@Override
public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
    final AuthenticationRequest request = new AuthenticationRequest(authentication);
    final User user;
    // Any AuthenticationException raised by login() or authenticatedExternally()
    // propagates out of this method without any detail being logged.
    if (request.wasExternallyAuthenticated()) {
        user = authenticatedExternally(request.getUsercode());
    } else {
        user = login(request.getUserEmail(), request.getPassword());
    }
    final List<GrantedAuthority> grantedAuthorities;
    final AuthenticatedUserInfo authUser;
    authUser = new AuthenticatedUserInfo(user.getId(), request.getUsername());
    grantedAuthorities = getGrantedAuthority(user);
    return new UsernamePasswordAuthenticationToken(authUser, null, grantedAuthorities);
}
______________________
Sample 2
/**
 * Authenticate a token
 */
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // The exceptions are thrown without recording who failed, from where, or why.
    if (authentication == BAD_CREDENTIALS) {
        throw new BadCredentialsException("Bad credentials");
    } else if (authentication == LOCKED) {
        throw new LockedException("Account is locked");
    }
    return authentication;
}
_____________________
Sample 3
@ExceptionHandler(AuthenticationException.class)
public ResponseEntity<String> handleBadCredentials(AuthenticationException e) {
    // The exception is swallowed: a 401 is returned but nothing is written to the log.
    return new ResponseEntity<String>(HttpStatus.UNAUTHORIZED);
}
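The following is an added example, not code from the CAST rule page or from the Spring project, showing the remediated form of the patterns above: an AuthenticationFailureHandler (the component type described in the Remediation section) and an @ExceptionHandler, both of which record the exception detail in the server-side log and send the client only a generic message. It assumes Spring Security 4.x/5.x with the javax.servlet API (the page cites the 4.2 Javadoc; on Spring Security 6 the servlet imports become jakarta.servlet), SLF4J for logging, and the default form parameter name "username". The package name, logger names and message text are this example's own choices.

```java
// Added example (not part of the CAST rule page): log the failure detail, respond generically.
// Assumptions: Spring Security 4.x/5.x, javax.servlet API, SLF4J on the classpath.
package com.example.security; // hypothetical package

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;

public class LoggingAuthenticationFailureHandler implements AuthenticationFailureHandler {

    private static final Logger LOG = LoggerFactory.getLogger(LoggingAuthenticationFailureHandler.class);

    // Fixed text: the client learns only that authentication failed, never which check failed.
    static final String GENERIC_MESSAGE = "Authentication failed.";

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        // Detail goes to the log store: exception type and message, the attempted
        // username and the remote address. None of it is echoed to the client.
        String username = sanitizeForLog(request.getParameter("username"));
        LOG.warn("Authentication failure for user '{}' from {}: {} - {}",
                username, request.getRemoteAddr(),
                exception.getClass().getSimpleName(), exception.getMessage());
        // Stack trace at DEBUG so it is available for diagnosis without flooding WARN output.
        LOG.debug("Authentication failure stack trace", exception);

        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().write(GENERIC_MESSAGE);
    }

    // The username is user-controlled; strip line breaks so one request cannot forge
    // extra log lines, and cap the length so the log is not flooded.
    static String sanitizeForLog(String value) {
        if (value == null) {
            return "<none>";
        }
        String cleaned = value.replaceAll("[\\r\\n\\t]", "_");
        return cleaned.length() > 64 ? cleaned.substring(0, 64) + "..." : cleaned;
    }
}

// Remediated form of Sample 3: the exception is logged before the generic 401 is returned.
@ControllerAdvice
class AuthenticationExceptionAdvice {

    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationExceptionAdvice.class);

    @ExceptionHandler(AuthenticationException.class)
    public ResponseEntity<String> handleAuthenticationException(AuthenticationException e,
                                                                HttpServletRequest request) {
        LOG.warn("Authentication exception on {} {} from {}: {} - {}",
                request.getMethod(), request.getRequestURI(), request.getRemoteAddr(),
                e.getClass().getSimpleName(), e.getMessage());
        LOG.debug("Authentication exception stack trace", e);
        // Body is the fixed generic message, not e.getMessage().
        return new ResponseEntity<String>(LoggingAuthenticationFailureHandler.GENERIC_MESSAGE,
                HttpStatus.UNAUTHORIZED);
    }
}
```

To wire the handler into form login, register it in the security configuration, for example `http.formLogin().failureHandler(new LoggingAuthenticationFailureHandler())` in a WebSecurityConfigurerAdapter (4.x/5.x) or `http.formLogin(form -> form.failureHandler(new LoggingAuthenticationFailureHandler()))` in a SecurityFilterChain bean (5.7+). If different AuthenticationException subclasses need different handling, wrap this handler in the DelegatingAuthenticationFailureHandler named in the Remediation section rather than branching on the exception type in the response body.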
Reference
https://www.baeldung.com/spring-security-custom-authentication-failure-handler
https://www.baeldung.com/spring-security-redirect-login
https://docs.spring.io/spring-security/site/docs/4.2.6.RELEASE/apidocs/org/springframework/security/web/authentication/AuthenticationFailureHandler.html
https://docs.spring.io/spring-security/site/docs/4.2.7.RELEASE/apidocs/org/springframework/security/core/AuthenticationException.html
Related Technologies
Technical Criterion
Programming Practices - Error and Exception Handling
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.