Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:

Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.

This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.

More specifically, it will raise issues on the following Spring code:

org.springframework.security.access.AccessDecisionVoter

org.springframework.security.access.AccessDecisionManager

org.springframework.security.access.AfterInvocationProvider

org.springframework.security.access.PermissionEvaluator

org.springframework.security.access.expression.SecurityExpressionOperations

org.springframework.security.access.expression.method.MethodSecurityExpressionHandler

org.springframework.security.core.GrantedAuthority

org.springframework.security.acls.model.PermissionGrantingStrategy

org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration

Pre-post annotations: @PreAuthorize, @PreFilter, @PostAuthorize or @PostFilter from the org.springframework.security.access.prepost package.

@org.springframework.security.access.annotation.Secured

org.springframework.security.acls.model.MutableAclService: createAcl, deleteAcl, updateAcl

org.springframework.security.config.annotation.web.builders.HttpSecurity: authorizeRequests

It will also raise an issue on the JSR-250 annotations @RolesAllowed, @PermitAll and @DenyAll from the javax.annotation.security package.

Ask Yourself Whether

You are at risk if you answered yes to the first question and any of the following ones.

Recommended Secure Coding Practices

The first step is to restrict all sensitive actions to authenticated users.

Each user should have the lowest privileges possible. The access control granularity should match the sensitivity of each resource or action: the more sensitive it is, the fewer people should have access to it.

Do not base the access control on a user input or on a value which might have been tampered with. For example, a user's permissions should not be read from an HTTP cookie, a hidden form field or a request parameter, since all of these can be modified client-side.
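The cookie anti-pattern beside its fix, as an added example that is not part of the rule page: the insecure endpoint trusts a role name the client sends, the hardened one reads the authorities that Spring Security attached to the principal when it authenticated. It assumes Spring Boot 3 with Spring Security 6 (jakarta.servlet imports); the controller, paths, cookie name and report list are made up for the illustration.

```java
// Added example (not from the rule page): the anti-pattern beside its fix, Spring Boot 3 / Spring Security 6.
import java.util.List;

import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ReportController {

    // Constructed sample data standing in for a real repository.
    private static final List<String> REPORTS = List.of("q1-sales", "q2-sales", "payroll");

    // INSECURE: the caller decides whether they are an admin. A "role" cookie is a
    // client-controlled value; `curl -b role=ADMIN http://host/insecure/reports`
    // is all it takes to pass this check.
    @GetMapping("/insecure/reports")
    public ResponseEntity<List<String>> insecureReports(HttpServletRequest request) {
        String role = "USER";
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if ("role".equals(c.getName())) {
                    role = c.getValue();
                }
            }
        }
        if (!"ADMIN".equals(role)) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        return ResponseEntity.ok(REPORTS);
    }

    // HARDENED: the decision uses the authorities Spring Security attached to the principal
    // when it authenticated. They live in the server-side SecurityContext and are never
    // parsed from anything the client sends with this request.
    @GetMapping("/reports")
    public ResponseEntity<List<String>> reports() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!hasAuthority(auth, "ROLE_ADMIN")) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        return ResponseEntity.ok(REPORTS);
    }

    // Note: auth.isAuthenticated() alone is not a check. Spring's AnonymousAuthenticationToken
    // reports isAuthenticated() == true and carries ROLE_ANONYMOUS, so test for the authority you need.
    static boolean hasAuthority(Authentication auth, String wanted) {
        if (auth == null) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (wanted.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

The declarative equivalent of the hardened method is `@PreAuthorize("hasRole('ADMIN')")` on the handler, which this rule flags for the same review: what matters is that the role comes from the authenticated principal, not from the request.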

Check that the access to each action and resource is properly restricted.

Make it possible for administrators to remove a permission quickly, and make the removal take effect on live sessions and tokens rather than only at the next login. This shortens the window during which an attacker who has compromised an account can use it.

Log and monitor refused access requests as they can reveal an attack.
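The practices above pulled together in one Spring Security 6 configuration, added here as an illustration and not taken from the rule page: authentication required for everything but the login and error pages, roles narrowed by path sensitivity, deny-by-default for unmatched URLs, an object-level @PreAuthorize check, and every refused access logged. It assumes Spring Boot 3 with spring-boot-starter-security on the classpath and a UserDetailsService or identity provider configured elsewhere (Spring Boot falls back to a generated user otherwise); the package name, paths, role names and service are made up.

```java
package com.example.security;   // hypothetical package for this example

import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.AuthorizationEventPublisher;
import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity   // turns on @PreAuthorize/@PostAuthorize (Spring Security 5.6+)
public class AccessControlConfig {

    private static final Logger log = LoggerFactory.getLogger(AccessControlConfig.class);

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, AccessDeniedHandler deniedHandler) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Only the login and error pages are reachable without authentication.
                .requestMatchers("/login", "/error").permitAll()
                // Least privilege: the more sensitive the path, the narrower the role set.
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers(HttpMethod.GET, "/reports/**").hasAnyRole("AUDITOR", "ADMIN")
                .requestMatchers(HttpMethod.DELETE, "/reports/**").hasRole("ADMIN")
                // Deny by default: an endpoint added next month stays closed until a rule opens it.
                // authenticated() here would be the permissive choice; denyAll() is the safe one.
                .anyRequest().denyAll())
            .httpBasic(Customizer.withDefaults())
            // Refusals go through the logging handler below instead of a silent 403.
            .exceptionHandling(ex -> ex.accessDeniedHandler(deniedHandler));
        return http.build();
    }

    @Bean
    AccessDeniedHandler loggingAccessDeniedHandler() {
        return (request, response, ex) -> {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            String user = (auth == null) ? "anonymous" : auth.getName();
            // One structured line per refusal is enough for a SIEM rule such as
            // "same user or source, more than N 403s in a minute".
            log.warn("access denied user={} method={} uri={} remote={}",
                    user, request.getMethod(), request.getRequestURI(), request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        };
    }

    // Denied authorization decisions are also published as events (Spring Security 5.7+). This records
    // the refused target and covers method calls that did not come through the web layer (schedulers,
    // message listeners), which the AccessDeniedHandler above never sees.
    @Bean
    AuthorizationEventPublisher authorizationEventPublisher(ApplicationEventPublisher publisher) {
        return new SpringAuthorizationEventPublisher(publisher);   // publishes denied decisions only
    }

    @EventListener
    public void onAccessDenied(AuthorizationDeniedEvent<?> event) {
        Authentication auth = event.getAuthentication().get();
        String user = (auth == null) ? "anonymous" : auth.getName();
        log.warn("authorization denied user={} target={}", user, event.getObject());
    }
}

// Object-level granularity on top of the URL rules: an AUDITOR may read only their own reports,
// an ADMIN may read any. The SpEL uses the server-side Authentication, never a request value.
@Service
class ReportService {

    @PreAuthorize("hasRole('ADMIN') or (hasRole('AUDITOR') and #ownerId == authentication.name)")
    public String read(String ownerId, String reportId) {
        return "report " + reportId + " of " + ownerId;   // constructed stand-in for a repository call
    }
}
```

A refused web request is recorded twice here, once by the handler and once by the event listener, since the URL layer publishes events too; keep whichever line carries the fields your monitoring keys on. Revoking a role through your UserDetailsService does not touch sessions that are already authenticated; pair it with session invalidation or short-lived tokens so the removal takes effect promptly.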

See