I am trying to develop a plugin, that checks if a
SecurityWebFilterChain bean was defined and if so, check that all http paths should be authenticated. I found the SpringSecurityDisableCSRFCheck, which can be adapted to fit the second part of my requirement, but I am having trouble finding a way the implement the existence check.
Is there a way to implement this in a plugin? Perhaps there is a way to search the AST for all bean definitions and report an issue, if this bean is not found?
Thanks in advance
Thank you for reaching out. To make sure I understand, the custom rule you would be interested in building would raise an issue code that has both 1) declared a
SecurityWebFilterChain bean AND 2) unauthenticated HTTP paths. Is that correct?
Unfortunately, your plugin would only be able to visit the module file by file, without any guarantee on the order of files visited, and it would make it difficult for you to verify 1) before confirming 2).
An approach you could take is based on the EndOfAnalsysis where you collect all the HTTP paths that are not authenticated and the expected bean during the visit.
When you are called back at the end of module analysis, if your collection of paths is not empty and the bean has been found, you can raise an issue at the project level.
The precise location of the bean declaration and the infringing path would be lost but the rule could still bring some valuable information on an actual issue in the code base.
Beware that keeping state across files visited can be problematic, especially on larger code bases where the accumulation of data could lead to poor memory usage.