Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:
Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.
This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.
More specifically it will raise issues on the following Spring code:
org.springframework.security.access.AccessDecisionVoter
org.springframework.security.access.AccessDecisionManager
org.springframework.security.access.AfterInvocationProvider
org.springframework.security.access.PermissionEvaluator
org.springframework.security.access.expression.SecurityExpressionOperations
org.springframework.security.access.expression.method.MethodSecurityExpressionHandler
org.springframework.security.core.GrantedAuthority
org.springframework.security.acls.model.PermissionGrantingStrategy
org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration
Pre-post annotations: @PreAuthorize, @PreFilter, @PostAuthorize or @PostFilter from org.springframework.security.access.prepost package.
@org.springframework.security.access.annotation.Secured
org.springframework.security.acls.model.MutableAclService: createAcl, deleteAcl, updateAcl
org.springframework.security.config.annotation.web.builders.HttpSecurity: authorizeRequests
org.springframework.security.core.GrantedAuthority or of any class implementing this interface directly.
It will also raise issues on JSR-250 annotations @RolesAllowed, @PermitAll and @DenyAll from the javax.annotation.security package.
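As an added illustration (not part of the original rule description), the following Java sketch shows two of the constructs listed above that would be flagged for review: a class implementing PermissionEvaluator and a method annotated with @PreAuthorize. The class names, policy map and role names are hypothetical. It assumes spring-security-core on the classpath, method security enabled, and the evaluator registered with the method security expression handler.

```java
import java.io.Serializable;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Hypothetical evaluator: implementing PermissionEvaluator is a review point.
class DocumentPermissionEvaluator implements PermissionEvaluator {

    // Constructed sample policy: permission name -> authorities allowed to use it.
    private static final Map<String, Set<String>> POLICY = Map.of(
            "read", Set.of("ROLE_USER", "ROLE_ADMIN"),
            "delete", Set.of("ROLE_ADMIN"));

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Deny by default: no caller, unauthenticated caller, or unexpected permission type.
        if (auth == null || !auth.isAuthenticated() || !(permission instanceof String)) {
            return false;
        }
        // Unknown permission names map to an empty set, so they are denied too.
        Set<String> allowed = POLICY.getOrDefault((String) permission, Set.of());
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .filter(Objects::nonNull) // getAuthority() may return null
                .anyMatch(allowed::contains);
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // Id-and-type checks are not supported in this sketch, so they are refused.
        return false;
    }
}

// Hypothetical service: the @PreAuthorize annotation is a review point.
class DocumentService {

    @PreAuthorize("hasPermission(#documentId, 'delete')")
    public void delete(Long documentId) {
        // Deletion logic would run only after the evaluator returned true.
    }
}
```

During review, the points to confirm are that every path not explicitly allowed returns false and that the expression in the annotation names the permission the method actually requires.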
You are at risk if you answered yes to any of those questions.
At minimum, an access control system should: