rspec/rules/S4502/java/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html[Spring Security] provides by default a protection against CSRF attacks which can be disabled:

----
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable(); // Sensitive: csrf protection is entirely disabled
   // or
    http.csrf().ignoringAntMatchers("/route/"); // Sensitive: csrf protection is disabled for specific routes
  }
}
----

== Compliant Solution

https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html[Spring Security]  CSRF protection is enabled by default, do not disable it:

----
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // http.csrf().disable(); // Compliant
  }
}
----

include::../see.adoc[]
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

Add coveredLanguages field 2021-01-29 15:53:23 +01:00			`https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html[Spring Security] provides by default a protection against CSRF attacks which can be disabled:`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00
			`----`
			`@EnableWebSecurity`
			`public class WebSecurityConfig extends WebSecurityConfigurerAdapter {`

			`@Override`
			`protected void configure(HttpSecurity http) throws Exception {`
Add coveredLanguages field 2021-01-29 15:53:23 +01:00			`http.csrf().disable(); // Sensitive: csrf protection is entirely disabled`
			`// or`
			`http.csrf().ignoringAntMatchers("/route/"); // Sensitive: csrf protection is disabled for specific routes`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`}`
			`}`
			`----`

			`== Compliant Solution`

Add coveredLanguages field 2021-01-29 15:53:23 +01:00			`https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html[Spring Security] CSRF protection is enabled by default, do not disable it:`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00
			`----`
			`@EnableWebSecurity`
			`public class WebSecurityConfig extends WebSecurityConfigurerAdapter {`

			`@Override`
			`protected void configure(HttpSecurity http) throws Exception {`
			`// http.csrf().disable(); // Compliant`
			`}`
			`}`
			`----`

			`include::../see.adoc[]`