Target audience:

Users of the extension providing Spring Security rules.


Summary: This document provides information about the extension providing Spring Security rules.

Extension ID

com.castsoftware.springsecurity

What's new?

Please see Spring Security 1.1 - Release Notes for more information.

Description

In what situation should you install this extension?

This extension provides specific rules for the Spring Security technology. These rules are compliant with CWE and OWASP TOP 10 Standards for Security.

How to identify if an application is using Spring Security?

Check for the presence of the Spring Security Filter in the web.xml file:

<filter>
	<filter-name>springSecurityFilterChain</filter-name>
	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

Check for a dependency of spring-security-web and spring-security-config in the pom.xml file:

<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-web</artifactId>
	<version>${spring.version}</version>
</dependency>
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-config</artifactId>
	<version>${spring.version}</version>
</dependency>
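The two checks above can be automated. The following is an added example, not code from CAST or from the extension; the function names and the sample input are constructed for illustration, and the element and artifact names are the ones shown above. It assumes the files are passed in as text or bytes. Because `iter()` walks the whole POM, dependencies declared under `dependencyManagement` also count as declared.

```python
import xml.etree.ElementTree as ET

FILTER_NAME = "springSecurityFilterChain"
FILTER_CLASS = "org.springframework.web.filter.DelegatingFilterProxy"
GROUP_ID = "org.springframework.security"
REQUIRED_ARTIFACTS = {"spring-security-web", "spring-security-config"}

def _local(tag):
    # Drop the XML namespace: '{uri}filter' -> 'filter'
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    # Text of the first direct child called `name`, ignoring namespaces
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def has_security_filter(web_xml):
    """True if web.xml declares the Spring Security filter shown above."""
    return any(
        _local(e.tag) == "filter"
        and _child_text(e, "filter-name") == FILTER_NAME
        and _child_text(e, "filter-class") == FILTER_CLASS
        for e in ET.fromstring(web_xml).iter())

def missing_security_artifacts(pom_xml):
    """Required Spring Security artifacts that pom.xml does not declare."""
    declared = {
        _child_text(e, "artifactId")
        for e in ET.fromstring(pom_xml).iter()
        if _local(e.tag) == "dependency"
        and _child_text(e, "groupId") == GROUP_ID}
    return REQUIRED_ARTIFACTS - declared

# Constructed sample input (not from a real project)
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
</web-app>"""
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring.version}</version>
  </dependency>
</dependencies></project>"""

if __name__ == "__main__":
    print(has_security_filter(SAMPLE_WEB_XML), missing_security_artifacts(SAMPLE_POM))
```
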

Function Point, Quality and Sizing support

This extension provides the following support:

| Feature | Supported |
|---|---|
| Function Points (transactions) | No |
| Quality and Sizing | Yes |

CAST AIP compatibility

This extension is compatible with:

| CAST AIP release | Supported |
|---|---|
| 8.3.x | Yes |
| 8.2.x | Yes |

Supported DBMS servers

This extension is compatible with the following DBMS servers:

| DBMS | Supported |
|---|---|
| CSS | Yes |
| Oracle | Yes |
| Microsoft SQL Server | No |

Supported Spring Security and Framework versions

This extension is compatible with the following Spring Security and Framework versions:

Spring Security versions: 3.2.0 and above
Spring Framework versions: 3.2.0 and above

Prerequisites

An installation of any compatible release of CAST AIP (see table above)

Download and installation instructions

Please see:

The latest release status of this extension can be seen when downloading it from the CAST Extend server.

Packaging, delivering and analyzing your source code

Once the extension is downloaded and installed, there is nothing specific to do: analyze your source code with the JEE Analyzer and the rules will be triggered.

What results can you expect?

Once the analysis/snapshot generation has completed, you can view the results in the normal manner.

Structural rules

The following structural rules are provided:

| Release | Link |
|---|---|
| 1.1.6 | https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.1.6 |
| 1.1.5 | https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.1.5 |
| 1.1.4 | https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.1.4 |
| 1.1.3 | https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.1.3 |
| 1.1.2 | https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.1.2 |
| 1.1.2-funcrel | https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.1.2-funcrel |
| 1.1.1-funcrel | https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.1.1-funcrel |
| 1.1.0-funcrel | https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.1.0-funcrel |
| 1.1.0-beta1 | https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.1.0-beta1 |
| 1.1.0-alpha4 | https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.1.0-alpha4 |
| 1.1.0-alpha3 | https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.1.0-alpha3 |
| 1.1.0-alpha2 | https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.1.0-alpha2 |
| 1.1.0-alpha1 | https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.1.0-alpha1 |