Recipe Name:
Authentication: Username Enumeration: setHideUserNotFoundExceptions should be set to true
Description:
Prevent enumeration by not throwing an exception that reveals the existence of the username
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Documentation:
Set setHideUserNotFoundExceptions() to true in order to throw a BadCredentialsException instead of a UsernameNotFoundException. The former gives the same general "Bad credentials" message for an unknown username and for a wrong password, while the latter divulges the (non-)existence of a username in the application. The property defaults to true on AbstractUserDetailsAuthenticationProvider, so this recipe flags code that explicitly turns it off. Hiding the exception removes only the explicit signal: if the failure path for an unknown user returns noticeably faster than the password check for a known user, an attacker can still infer which usernames exist from response timing, so the not-found path should perform a comparable amount of work (DaoAuthenticationProvider does this by running the password encoder against a dummy hash when the user is not found).
Before
daoAuthenticationProvider.setHideUserNotFoundExceptions(false);
After
daoAuthenticationProvider.setHideUserNotFoundExceptions(true);
References:
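The following is an added, stand-alone example (not part of the recipe or of Spring Security's own documentation) that wires a DaoAuthenticationProvider both ways and shows which exception a login attempt surfaces to the caller. It assumes spring-security-core and spring-security-crypto 5.x on the classpath; the user store, the usernames "alice" and "mallory" and the passwords are constructed for the demonstration.

```java
import java.util.Collections;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class UserEnumerationDemo {

    // Constructed sample store with a single known user "alice" (assumption, not from the recipe).
    private static AuthenticationManager manager(boolean hideUserNotFound) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(
                User.withUsername("alice")
                    .password(encoder.encode("correct-horse-battery-staple"))
                    .roles("USER")
                    .build());

        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(users);
        dao.setPasswordEncoder(encoder);
        // The setting this recipe inspects. Default is true; false is the flagged "Before" state.
        dao.setHideUserNotFoundExceptions(hideUserNotFound);

        return new ProviderManager(Collections.singletonList(dao));
    }

    // Reports which exception a login attempt raises; a login page that echoes it leaks the same information.
    static String outcome(AuthenticationManager am, String username, String password) {
        try {
            am.authenticate(new UsernamePasswordAuthenticationToken(username, password));
            return "authenticated";
        } catch (UsernameNotFoundException e) {
            // Only reachable with hideUserNotFoundExceptions=false: confirms the account does not exist.
            return "UsernameNotFoundException: " + e.getMessage();
        } catch (BadCredentialsException e) {
            // Raised both for an unknown user (when hidden) and for a wrong password: indistinguishable.
            return "BadCredentialsException: " + e.getMessage();
        } catch (AuthenticationException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        AuthenticationManager weak = manager(false);      // Before: unknown user surfaces as UsernameNotFoundException
        AuthenticationManager hardened = manager(true);   // After: both failures surface as BadCredentialsException

        System.out.println("weak,  unknown user  : " + outcome(weak, "mallory", "x"));
        System.out.println("weak,  wrong password: " + outcome(weak, "alice", "x"));
        System.out.println("fixed, unknown user  : " + outcome(hardened, "mallory", "x"));
        System.out.println("fixed, wrong password: " + outcome(hardened, "alice", "x"));
    }
}
```

With the provider set to false, the first line names the exception an attacker can use to confirm that "mallory" is not an account; with the provider set to true, the last two lines carry the same exception type and message, so a failed login no longer says which of the two factors was wrong. In a real application the exception is mapped to the failure message of the login form, which is where the distinction would otherwise become visible.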
Recipe:
id: scw:spring:authentication-user-enum-UserNotFoundException
version: 10
metadata:
  name: 'Authentication: Username Enumeration: setHideUserNotFoundExceptions should be set to true'
  shortDescription: Prevent enumeration by not throwing an exception that reveals the existence of the username
  level: warning
  language: java
  scwCategory: auth:userenum
  cweCategory: 200
  enabled: true
  comment: ""
  descriptionFile: descriptions/Authentication_Username_Enumeration_setHideUserNotFoundExceptions_should_be_set_to_true.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    name: setHideUserNotFoundExceptions
    type: org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider
availableFixes:
  - name: Set setHideUserNotFoundException to true
    actions:
      - modifyArguments:
          rewrite:
            1: "true"