界: Security Features
软件安全不是安全软件。此处我们关注的主题包括身份验证、Access Control、机密性、加密和权限管理。
Acegi Misconfiguration: Run-As Authentication Replacement
Abstract
在 Acegi 中使用 Run-As 身份验证替换功能可能引发权限提升漏洞。
Explanation
Acegi Security 允许在安全对象回调阶段临时替换 SecurityContext 中的身份验证对象。仅当 AuthenticationManager 和 AccessDecisionManager 成功处理原始身份验证对象时才会发生这种情况。RunAsManager 创建此身份验证对象。
通常,方法调用期间,开发人员使用 RunAsManager 为通过身份验证的用户配置一个或多个额外角色。此方法适用于需要访问远程应用程序的安全 Bean。由于远程应用程序可能需要不同的凭据,因而可以在调用角色与远程应用程序所需的角色之间进行转换,以便成功实施远程访问。直接接受新 Authentication 对象(称为 RunAsUserToken)作为有效 Authentication 对象,无需任何进一步的身份验证或授权检查。
为新 Authentication 对象新增角色或权限可暂时提升用户权限,允许用户采取未经授权的操作。
以下配置展示了使用 RunAsManager 针对角色为“ROLE_PEON”的用户添加角色“UBER_BOSS”,从而暂时提升此用户的权限,使其具备管理员权限,确保所有人员都能从 PrivateCatalog 中获取数据。
通常,方法调用期间,开发人员使用 RunAsManager 为通过身份验证的用户配置一个或多个额外角色。此方法适用于需要访问远程应用程序的安全 Bean。由于远程应用程序可能需要不同的凭据,因而可以在调用角色与远程应用程序所需的角色之间进行转换,以便成功实施远程访问。直接接受新 Authentication 对象(称为 RunAsUserToken)作为有效 Authentication 对象,无需任何进一步的身份验证或授权检查。
为新 Authentication 对象新增角色或权限可暂时提升用户权限,允许用户采取未经授权的操作。
以下配置展示了使用 RunAsManager 针对角色为“ROLE_PEON”的用户添加角色“UBER_BOSS”,从而暂时提升此用户的权限,使其具备管理员权限,确保所有人员都能从 PrivateCatalog 中获取数据。
<bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
...
<property name="objectDefinitionSource">
<value>
com.example.service.PrivateCatalog.getData=ROLE_PEON,RUN_AS_UBER_BOSS
...
</value>
</property>
</bean>
References
[1] Ben Alex Acegi Security - Run-As Authentication Replacement
[2] Standards Mapping - Common Weakness Enumeration CWE ID 724
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002038, CCI-002039
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-11 Re-Authentication (P0), SC-23 Session Authenticity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, CM-7 Least Functionality, SC-11 Trusted Path, SC-23 Session Authenticity
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[10] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[14] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001410 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.acegi_misconfiguration_run_as_authentication_replacement