I have scanned my application and I have some security hotspots about PreAuthorized annotation use.
Secured annotation creates a security hotspots too.
I don’t need more control permissions in my application than PreAuthorize annotation.
So, do you have an idea to erase these security hotspots ?
Piece of code :
@ PostMapping
@ ApiOperation(value = “Get all the auditTrails”, authorizations = { @ Authorization(value = “auth-token”) })
@ PreAuthorize(“hasPermission(null, ‘All’) OR hasPermission(null, ‘IngesterActivityReadWrite’)”)
@ AuditAction(action = ServiceProviderConstants.Audit.Action.GET_ALL, resource = “AuditTrails”)
I’d suggest you study the rule documentation to be sure you truly don’t need it in your application. If you think it might be valuable to review other cases this rule covers, consider using the ability to ignore issues in certain files or blocks to kill the noise. If you truly don’t need the review suggested by this hotspot at all, then you can deactivate the rule in a custom Quality Profile.
If I understand, there is no other option that deactivate the rule ?
I need security hotspots scan but I dont’ find, how fix differents issues with PreAuthorize annotation?
Is there a problem with this use of @PreAuthorize? I cannot tell because I do not know the context of the code. If you don’t need to actually make a code change to fix a security risk here, you may mark the security hotspot as safe using the Security Hotspots tab in your project by clicking the large Status: To Review button and changing the value of the status to Safe.
If you think the use of the annotation here is risky, you’ll have to decide which change to make in the code yourself.
I know that, but @PreAuthorize is not secured enough ?
Why @PreAuthorized is a security hotspots ?
It is a secured annotation from Spring, but in Sonar it is a security hotspots…
Maybe, is it normal to have a security hotspots on @PreAuthorized ?
Finally, I just want an idea, how to fix that security hotspot !
The security-hotspot java:S4834 is “a generic rule” which raises on all methods used to control authorizations of a web application, the idea is to encourage you to check if the permissions set up are good or not.
So you are right, there is nothing wrong when using @PreAuthorize annotation by itself, it’s just a way to incite you to do a review. At the same time, we recently worked on more precise rules for Java related to access control, so maybe S4834 can be deprecated in favor of this new rules. We will let you know.