Broken Authentication in Spring Boot
How Broken Authentication Manifests in Spring Boot
Broken Authentication in Spring Boot applications typically emerges through several framework-specific vulnerabilities. The most common pattern involves misconfigured authentication filters that fail to properly validate user sessions or credentials.
Consider this vulnerable Spring Boot configuration:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/public/**").permitAll()
.anyRequest().authenticated();
// Missing authentication filter configuration
}
}This configuration permits access to public endpoints but fails to properly secure the authentication flow. An attacker can exploit this by crafting requests that bypass authentication entirely.
Another Spring Boot-specific vulnerability occurs with default endpoint exposure. By default, Spring Boot Actuator exposes sensitive endpoints like /actuator/env and /actuator/health without authentication:
management.endpoints.web.exposure.include=*
management.endpoint.health.show-details=alwaysThis configuration reveals environment variables, database credentials, and system properties to unauthenticated users.
Session fixation attacks also plague Spring Boot applications when session management is improperly configured. The default HttpSession implementation doesn't regenerate session IDs after authentication:
@Controller
public class LoginController {
@PostMapping("/login")
public String login(@RequestParam String username,
@RequestParam String password,
HttpSession session) {
// No session fixation protection
if (authenticate(username, password)) {
session.setAttribute("user", username);
return "redirect:/dashboard";
}
return "login";
}
}Spring Boot's default remember-me functionality can also be exploited. Without proper token hashing or secure cookie configuration, attackers can steal authentication tokens:
@Configuration
public class SecurityConfig {
@Bean
public PersistentTokenRepository persistentTokenRepository() {
JdbcTokenRepositoryImpl db = new JdbcTokenRepositoryImpl();
db.setDataSource(dataSource);
// Missing token hashing configuration
return db;
}
}Spring Boot-Specific Detection
Detecting Broken Authentication in Spring Boot requires understanding the framework's security architecture. middleBrick's scanner specifically targets Spring Boot authentication patterns through black-box testing.
The scanner first identifies Spring Boot Actuator endpoints, which are common attack vectors. It tests for unauthenticated access to /actuator/** endpoints and examines the exposure configuration in application.properties or application.yml.
For session-based vulnerabilities, middleBrick simulates session fixation attacks by establishing a session before authentication, then attempting to reuse that session ID after login. This tests whether Spring Boot properly regenerates session identifiers.
// middleBrick CLI output for session fixation detection
{
"endpoint": "/login",
"vulnerability": "Session Fixation",
"severity": "High",
"remediation": "Implement session fixation protection using session fixation protection",
"recommendation": "Use Spring Security's default session fixation protection"
}The scanner also tests remember-me token security by examining cookie attributes. It checks for Secure, HttpOnly, and SameSite flags, and attempts to decode token contents to verify proper encryption.
For authentication bypass vulnerabilities, middleBrick tests common Spring Boot patterns like missing CSRF protection on state-changing endpoints, and verifies that authentication filters are properly chained in the security configuration.
middleBrick's OpenAPI analysis is particularly effective for Spring Boot applications, as it can detect inconsistencies between the documented API security requirements and the actual runtime behavior. This catches cases where developers document authentication requirements but fail to implement them in the code.
Spring Boot-Specific Remediation
Spring Boot provides several native mechanisms to fix Broken Authentication vulnerabilities. The most critical is proper security configuration using Spring Security's built-in protections.
For session fixation protection, Spring Boot automatically handles this when using WebSecurityConfigurerAdapter or the newer SecurityFilterChain bean:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.sessionManagement(session -> session
.sessionFixation(SessionFixationProtectionStrategy.CHANGE_SESSION_ID)
)
.authorizeHttpRequests(auth -> auth
.requestMatchers("/public/**").permitAll()
.anyRequest().authenticated()
)
.formLogin(form -> form
.loginPage("/login")
.defaultSuccessUrl("/dashboard")
);
return http.build();
}This configuration automatically changes the session ID after successful authentication, preventing session fixation attacks.
For Actuator endpoint security, Spring Boot provides granular control:
management.endpoints.web.exposure.include=health,info
management.endpoint.health.show-details=when-authorized
management.endpoint.env.enabled=falseAlternatively, secure Actuator endpoints with authentication:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.requestMatcher(EndpointRequest.toAnyEndpoint())
.authorizeRequests(auth -> auth
.anyRequest().hasRole("ADMIN")
);
return http.build();
}For remember-me functionality, implement proper token hashing and secure cookie configuration:
@Bean
public PersistentTokenRepository persistentTokenRepository() {
JpaTokenRepositoryImpl db = new JpaTokenRepositoryImpl();
db.setDataSource(dataSource);
db.setCreateTableOnStartup(false);
return db;
}
@Bean
public PersistentTokenBasedRememberMeServices rememberMeServices() {
PersistentTokenBasedRememberMeServices rememberMeServices =
new PersistentTokenBasedRememberMeServices("remember-me-key",
userDetailsService,
persistentTokenRepository());
rememberMeServices.setTokenValiditySeconds(604800); // 7 days
rememberMeServices.setAlwaysRemember(true);
rememberMeServices.setCookieDomain(".example.com");
rememberMeServices.setSecure(true);
rememberMeServices.setHttpOnly(true);
return rememberMeServices;
}CSRF protection is enabled by default in Spring Boot but requires proper configuration for APIs:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringAntMatchers("/api/**")
);
return http.build();
}For REST APIs, consider using JWT tokens with proper validation:
@Bean
public JwtAuthenticationFilter jwtAuthenticationFilter() {
return new JwtAuthenticationFilter();
}
@Bean
public JwtAuthorizationFilter jwtAuthorizationFilter() {
return new JwtAuthorizationFilter(authenticationManager());
}Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |
Frequently Asked Questions
How can I test my Spring Boot API for Broken Authentication vulnerabilities?
Does Spring Boot automatically protect against session fixation attacks?
WebSecurityConfigurerAdapter or SecurityFilterChain bean, Spring Boot automatically changes the session ID after successful authentication. However, if you implement custom authentication without these abstractions, you must manually handle session fixation protection.