界: Security Features

軟體安全性並非安全性軟體。我們關注驗證、Access Control、保密性、加密以及權限管理之類的主題。

Acegi Misconfiguration: Run-As Authentication Replacement

Abstract
在 Acegi 中使用 Run-As Authentication 的替代功能可能會導致權限擴大的弱點。
Explanation
Acegi Security 允許在安全物件收回 (callback) 階段暫時替換 SecurityContext 中的 Authentication 物件。僅當 AuthenticationManager 和 AccessDecisionManager 成功處理原始 Authentication 物件時,此情形才會發生。RunAsManager 會建立此項 Authentication 物件。
通常開發人員會使用 RunAsManager,在方法叫用期間內替驗證的使用者設定一個或多個額外角色。這對須要存取遠端應用程式的安全 bean 很有幫助。由於遠端應用程式可能會要求不同的憑證,因此這可讓呼叫角色與遠端應用程式所需的角色之間進行轉譯,進而使遠端存取成功。系統將完全接受新的 Authentication 物件 (稱為 RunAsUserToken) 做為有效的 Authentication 物件,而不需任何進一步的 Authentication 或授權檢查。
將新的角色或權限新增至新的 Authentication 物件,可能會暫時提升使用者的權限,讓使用者進行未授權的行動。
以下組態顯示使用 RunAsManager,將「UBER_BOSS」角色新增至角色為「ROLE_PEON」的使用者,因此暫時將該名使用者提昇至管理員權限,這會讓所有未賦予權限的使用者取得 PrivateCatalog 的資料。


<bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
...
<property name="objectDefinitionSource">
<value>
com.example.service.PrivateCatalog.getData=ROLE_PEON,RUN_AS_UBER_BOSS
...
</value>
</property>
</bean>
References
[1] Ben Alex Acegi Security - Run-As Authentication Replacement
[2] Standards Mapping - Common Weakness Enumeration CWE ID 724
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002038, CCI-002039
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-11 Re-Authentication (P0), SC-23 Session Authenticity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, CM-7 Least Functionality, SC-11 Trusted Path, SC-23 Session Authenticity
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[10] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[14] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001410 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.acegi_misconfiguration_run_as_authentication_replacement