Checker Authentication, as of Julia version 2.4 (built on 23 Oct 2017)

belongs to group Basic

Identify authentication security risks


This checker identifies security issues related to authentication procedures, such as using no password for LDAP authentication or using the host name in conditions.

Action: check if the warning actually corresponds to a real security issue related to authentication and, if that is the case, use a more secure authentication procedure.

Examples


Consider the following code:

import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;

public class Authentication {

  public static void main(String[] args) throws UnknownHostException {
    boolean found = false;
    InetAddress[] addrs = Inet6Address.getAllByName("www.juliasoft.com");
    for (InetAddress addr: addrs) {
      if (addr.getCanonicalHostName().equals("231.13.35.1"))
        found = true;
      else if ("112.34.5.103".equals(addr.getCanonicalHostName()))
        found = true;

      found |= addr.getCanonicalHostName().startsWith("131.");
    }

    if (found)
      System.out.println("OK");
  }
}

This checker issues the following warnings:

Authentication.java:11: [Authentication: HostNameInConditionWarning] Call to getCanonicalHostName() is used in a condition: this might lead to a security breach
Authentication.java:13: [Authentication: HostNameInConditionWarning] Call to getCanonicalHostName() is used in a condition: this might lead to a security breach
Authentication.java:16: [Authentication: HostNameInConditionWarning] Call to getCanonicalHostName() is used in a condition: this might lead to a security breach

since the host name is used in conditions, three times. Moreover, in the following code (taken from Sun Microsystems' JNDI tutorial example):

import javax.naming.*;
import javax.naming.directory.*;

import java.util.Hashtable;

public class None {

  @SuppressWarnings({ "rawtypes", "unchecked" })
  public static void main(String[] args) {
    // Set up environment for creating initial context
    Hashtable env = new Hashtable(11);
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");

    // Use anonymous authentication
    env.put(Context.SECURITY_AUTHENTICATION, "none");

    try {
      // Create initial context
      DirContext ctx = new InitialDirContext(env);

      System.out.println(ctx.lookup("ou=NewHires"));

      // do something useful with ctx

      // Close the context when we're done
      ctx.close();
    } catch (NamingException e) {
      e.printStackTrace();
    }
  }
}

this checker issues the following warnings:

None.java:16: [Authentication: AuthenticationSetToAnonymousWarning] LDAP authentication seems set to anonymous, thus compromising security

since Context.SECURITY_AUTHENTICATION is set to "none", i.e. the LDAP bind is anonymous and no password is ever checked.
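As an added example (not part of the Julia documentation or of Sun's tutorial) of the more secure procedure the Action line asks for, the same JNDI lookup with the anonymous bind replaced by an authenticated bind over LDAPS; the ldap.example.com URL, the bind DN and the LDAP_BIND_PASSWORD variable name are assumptions:

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class AuthenticatedLookup {

  // Hypothetical LDAPS endpoint and service account DN (placeholders, not values from the page).
  private static final String PROVIDER_URL = "ldaps://ldap.example.com:636/o=JNDITutorial";
  private static final String BIND_DN = "cn=app-reader,ou=Services,o=JNDITutorial";

  /** Builds a JNDI environment that binds with credentials instead of anonymously. */
  static Hashtable<String, String> authenticatedEnv(String bindDn, char[] password) {
    if (password == null || password.length == 0) {
      // Refuse to degrade silently: many LDAP servers treat an empty password
      // as an unauthenticated bind, which is exactly what the checker flags.
      throw new IllegalArgumentException("LDAP bind password must not be empty");
    }
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, PROVIDER_URL);          // ldaps:// so the bind is not sent in clear text
    env.put(Context.SECURITY_AUTHENTICATION, "simple");   // "none" in the flagged example
    env.put(Context.SECURITY_PRINCIPAL, bindDn);
    env.put(Context.SECURITY_CREDENTIALS, new String(password));
    return env;
  }

  public static void main(String[] args) throws NamingException {
    // The secret comes from the runtime environment, never from a literal in the source.
    String secret = System.getenv("LDAP_BIND_PASSWORD");
    Hashtable<String, String> env =
        authenticatedEnv(BIND_DN, secret == null ? null : secret.toCharArray());
    DirContext ctx = new InitialDirContext(env);
    try {
      System.out.println(ctx.lookup("ou=NewHires"));
    } finally {
      ctx.close();   // always release the connection, even if the lookup throws
    }
  }
}
```

The LDAPS server certificate must be trusted by the JVM's truststore for the bind to succeed; with SECURITY_AUTHENTICATION set to "simple" and a non-empty credential, the AuthenticationSetToAnonymousWarning no longer applies.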