Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:
Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.
This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.
More specifically it will raise issues on the following Spring code:
org.springframework.security.access.AccessDecisionVoter org.springframework.security.access.AccessDecisionManager org.springframework.security.access.AfterInvocationProvider org.springframework.security.access.PermissionEvaluator org.springframework.security.access.expression.SecurityExpressionOperations org.springframework.security.access.expression.method.MethodSecurityExpressionHandler org.springframework.security.core.GrantedAuthority org.springframework.security.acls.model.PermissionGrantingStrategy org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration @PreAuthorize, @PreFilter, @PostAuthorize or @PostFilter from
org.springframework.security.access.prepost package. @org.springframework.security.access.annotation.Secured org.springframework.security.acls.model.MutableAclService: createAcl, deleteAcl,
updateAcl org.springframework.security.config.annotation.web.builders.HttpSecurity: authorizeRequests org.springframework.security.core.GrantedAuthority or of any class
implementing this interface directly. It will also raise issue on JSR-250 annotations @RolesAllowed, @PermitAll and @DenyAll from
javax.annotation.security package.
There is a risk if you answered yes to any of those questions.
At minimum, an access control system should:
This rule is deprecated, and will eventually be removed.