Kingdom: Environment

This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.

J2EE Misconfiguration: Missing Authentication Method

Abstract
Security and authorization constraints will fail without a login configuration.
Explanation
The <login-config> element is used to configure how users authenticate to an application. A missing authentication method means the application does not know how to apply authorization constraints since no one can log in. The authentication method is specified using the <auth-method> tag, which is a child of <login-config>.

There are four authentication methods: BASIC, FORM, DIGEST, and CLIENT_CERT.

BASIC denotes HTTP Basic authentication.
FORM denotes Form-based authentication.
DIGEST is like BASIC authentication; however, in DIGEST the password is encrypted.
CLIENT_CERT requires that clients have Public Key Certificates and use SSL/TLS.

Example 1: The following configuration does not specify a login configuration.

<web-app>

    <!-- servlet declarations -->
    <servlet>...</servlet>

    <!-- servlet mappings-->
    <servlet-mapping>...</servlet-mapping>

    <!-- security-constraints-->
    <security-constraint>...</security-constraint>

    <!-- login-config goes here -->

    <!-- security-roles -->
    <security-role>...</security-role>

</web-app>
References
[1] Sun Microsystems, Inc. Java Servlet Specification 2.4
[2] Sun Microsystems, Inc. Specifying an Authentication Mechanism
[3] Standards Mapping - Common Weakness Enumeration CWE ID 284
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000778, CCI-001094, CCI-001958, CCI-001967
[5] Standards Mapping - FIPS200 IA
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.config.java.j2ee_misconfiguration_missing_authentication_method