Recipe Name:
Authentication: Username Enumeration: setHideUserNotFoundExceptions should be set to true
Description:
Prevent enumeration by not throwing an exception that reveals the existence of the username
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Documentation

Set setHideUserNotFoundExceptions() to true in order to throw a BadCredentialsException instead of a UsernameNotFoundException. The former gives a more general exception message, while the latter divulges the (non-)existence of a username in the application.

Before
daoAuthenticationProvider.setHideUserNotFoundExceptions(false);
After
daoAuthenticationProvider.setHideUserNotFoundExceptions(true);
References
Recipe
id: scw:spring:authentication-user-enum-UserNotFoundException
version: 10
metadata:
  name: 'Authentication: Username Enumeration: setHideUserNotFoundExceptions should be set to true'
  shortDescription: Prevent enumeration by not throwing an exception that reveals the existence of the username
  level: warning
  language: java
  scwCategory: auth:userenum
  cweCategory: 200
  enabled: true
  comment: ""
  descriptionFile: descriptions/Authentication_Username_Enumeration_setHideUserNotFoundExceptions_should_be_set_to_true.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    name: setHideUserNotFoundExceptions
    type: org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider
availableFixes:
- name: Set setHideUserNotFoundException to true
  actions:
  - modifyArguments:
      rewrite:
        1: "true"