Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:

Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.

This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.

More specifically, it will raise issues on the following Spring Security code:

org.springframework.security.access.AccessDecisionVoter

org.springframework.security.access.AccessDecisionManager

org.springframework.security.access.AfterInvocationProvider

org.springframework.security.access.PermissionEvaluator

org.springframework.security.access.expression.SecurityExpressionOperations

org.springframework.security.access.expression.method.MethodSecurityExpressionHandler

org.springframework.security.core.GrantedAuthority

org.springframework.security.acls.model.PermissionGrantingStrategy

org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration

Pre-post annotations: @PreAuthorize, @PreFilter, @PostAuthorize or @PostFilter from org.springframework.security.access.prepost package.

@org.springframework.security.access.annotation.Secured

org.springframework.security.acls.model.MutableAclService: createAcl, deleteAcl, updateAcl

org.springframework.security.config.annotation.web.builders.HttpSecurity: authorizeRequests

It will also raise an issue on the JSR-250 annotations @RolesAllowed, @PermitAll and @DenyAll from the javax.annotation.security package.
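As an added illustration (not part of the rule description or of Spring Security itself), the following Java shows the kind of custom access-control code this rule flags for review: a PermissionEvaluator with a deny-by-default ownership check, and the @PreAuthorize call site that relies on it. The Document type and the "ROLE_ADMIN" authority name are assumptions made for the example.

```java
import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;

// Assumed domain type: a document that records its owner's username.
class Document { String owner; String body; }

// Custom permission check: decides who may read or edit a Document (flagged by the rule).
class DocumentPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !auth.isAuthenticated() || !(target instanceof Document)) {
            return false; // deny by default: unknown caller or unknown resource type
        }
        Document doc = (Document) target;
        // "ROLE_ADMIN" is an assumed authority name for this example.
        boolean admin = auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        switch (String.valueOf(permission)) {
            case "read":  return admin || doc.owner.equals(auth.getName());
            case "write": return doc.owner.equals(auth.getName()); // only the owner may edit
            default:      return false; // unknown permission names are denied, not ignored
        }
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        return false; // id-based lookups are not supported here, so deny rather than guess
    }
}

// The call site a reviewer sees: the check runs before the method body executes.
@Service
class DocumentService {
    @PreAuthorize("hasPermission(#doc, 'write')")
    public void update(Document doc, String newBody) { doc.body = newBody; }
}
```

For the expression to reach the evaluator, pre/post annotations must be enabled and the evaluator registered on a DefaultMethodSecurityExpressionHandler via setPermissionEvaluator, typically from a GlobalMethodSecurityConfiguration subclass (also flagged by this rule).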

Ask Yourself Whether

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

At minimum, an access control system should:

See