界: Environment
本節包括原始程式碼之外的所有內容,但對於建立中產品的安全性仍至關重要。由於此領域所涵蓋的問題與原始程式碼沒有直接關係,因此我們將其與其他領域分開。
J2EE Misconfiguration: Duplicate Security Role
Abstract
存在擁有相同名稱的多個安全性角色。相同的安全性角色通常表示沒有被除錯程式碼或拼字錯誤。
Explanation
相同的安全性角色並無意義,因為只會套用特定安全性角色的最後定義。
範例 1:在
範例 1:在
web.xml 檔案中的項目定義了兩個 admin 角色。
<security-constraint>
<web-resource-collection>
<web-resource-name>AdminPage</web-resource-name>
<description>Admin only pages</description>
<url-pattern>/auth/noaccess/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Administrators only</description>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
...
<security-role>
<description>Administrator</description>
<role-name>admin</role-name>
</security-role>
<security-role>
<description>Non-Administrator</description>
<role-name>admin</role-name>
</security-role>
References
[1] Sun Microsystems, Inc. Java Servlet Specification 2.4
[2] Standards Mapping - Common Weakness Enumeration CWE ID 284
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[5] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[6] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[9] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.j2ee_misconfiguration_duplicate_security_role