63 lines
2.4 KiB
Plaintext
63 lines
2.4 KiB
Plaintext
URL patterns configured on a ``++HttpSecurity.authorizeRequests()++`` method are considered in the order they were declared. It's easy to do a mistake and to declare a less restrictive configuration before a more restrictive one. Therefore, it's required to review the order of the "antMatchers" declarations. The ``++/**++`` one should be the last one if it is declared.
|
|
|
|
|
|
This rule raises an issue when:
|
|
|
|
* A pattern is preceded by another that ends with ``++**++`` and has the same beginning. E.g.: ``++/page*-admin/db/**++`` is after ``++/page*-admin/**++``
|
|
* A pattern without wildcard characters is preceded by another that matches. E.g.: ``++/page-index/db++`` is after ``++/page*/**++``
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
protected void configure(HttpSecurity http) throws Exception {
|
|
http.authorizeRequests()
|
|
.antMatchers("/resources/**", "/signup", "/about").permitAll() // Compliant
|
|
.antMatchers("/admin/**").hasRole("ADMIN")
|
|
.antMatchers("/admin/login").permitAll() // Noncompliant; the pattern "/admin/login" should occurs before "/admin/**"
|
|
.antMatchers("/**", "/home").permitAll()
|
|
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // Noncompliant; the pattern "/db/**" should occurs before "/**"
|
|
.and().formLogin().loginPage("/login").permitAll().and().logout().permitAll();
|
|
}
|
|
----
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
protected void configure(HttpSecurity http) throws Exception {
|
|
http.authorizeRequests()
|
|
.antMatchers("/resources/**", "/signup", "/about").permitAll() // Compliant
|
|
.antMatchers("/admin/login").permitAll()
|
|
.antMatchers("/admin/**").hasRole("ADMIN") // Compliant
|
|
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
|
|
.antMatchers("/**", "/home").permitAll() // Compliant; "/**" is the last one
|
|
.and().formLogin().loginPage("/login").permitAll().and().logout().permitAll();
|
|
}
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
|
|
* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
include::highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|