Describe the bug When using the @PreAuthorize annotation together with an enum as a @PathVariable, as long as there is an authentication, the validity of the value sent is evaluated before the user's authorities. This results in 400 BAD REQUEST being returned, even if the user does not have the authority to access the endpoint and should get a 403 FORBIDDEN instead. This is a potential security issue, as an unauthorized user could find out which values are valid and which are not for an endpoint.

To Reproduce Set up an endpoint using @RequestMapping, @PreAuthorize and an enum @PathVariable. Make a request using an authenticated user without the needed authority for the endpoint, and an invalid enum value. See it return 400 BAD REQUEST.

Expected behavior Any calls to an endpoint from an unauthorized user should return 403 FORBIDDEN.

Sample https://github.com/SebastianFernstedt/spring-enum-path-security-bug

Comment From: sjohnr

Hi @SebastianFernstedt, thanks for reaching out, and thanks for the sample.

While I'd have to check on a few technical details, this seems to be a chicken-and-egg problem with the style of authorization vs. the implementation of the API. In the sample, you've asked the framework to perform method-based authorization, which I believe by design would need to resolve all your method arguments. This is where the problem occurs, because it cannot be done, and more generally I believe Spring MVC is returning the 400 Bad Request.

Is your authorization expression fairly realistic or is it somewhat contrived for the sample? If it's realistic, this would easily be resolved by using the DSL to perform authorization prior to Spring MVC. If not, is there a real-world scenario that may not be as simple to resolve as the example? In any event, I would expect this type of scenario not to be compatible with method security. Also, if coercing a type reveals implementation details that are privileged information, that would need to be placed behind the authorization mechanism, either by using request-level authorization (e.g. DSL) or coercing the type after authorization at the method level is performed.

Any thoughts on that?
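The ordering sjohnr describes, together with the two remedies he mentions (a request-level rule in the HttpSecurity DSL, or converting the value only after the method-level check), as an added Java illustration that is neither the reporter's sample nor Spring Security's own code. It assumes Spring Security 6 with Spring MVC; the /kinds paths, the Kind enum and the ADMIN role are made up for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

enum Kind { ALPHA, BETA } // constructed example enum; paths and role names below are also made up

@RestController
class KindController {
    // Method security: Spring MVC must convert "{kind}" into a Kind before it can invoke this
    // method. A value that is not a constant fails conversion and yields 400 before @PreAuthorize
    // runs, so an authenticated but unauthorized caller learns which values are valid.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/kinds/{kind}")
    String byKind(@PathVariable Kind kind) {
        return kind.name();
    }

    // Method-level alternative: bind the raw string so the authorization check runs first and
    // convert afterwards; an unknown value now surfaces only to callers who passed the check.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/kinds-raw/{kind}")
    String byKindRaw(@PathVariable String kind) {
        return Kind.valueOf(kind.toUpperCase()).name(); // IllegalArgumentException if unknown; map with @ExceptionHandler
    }
}

@Configuration
@EnableMethodSecurity
class SecurityConfig {
    // Request-level rule: the security filter chain runs before the DispatcherServlet, so the
    // role check is applied to the URL and an unauthorized caller gets 403 whatever the value.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/kinds/**", "/kinds-raw/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With the request-level rule in place the @PreAuthorize annotations become a second layer rather than the only check, which is the "authorization prior to Spring MVC" arrangement the comment recommends.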

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.