zift 0.2.2

Scan codebases for embedded authorization logic and generate Policy as Code (Rego/OPA today)
# Detects the three argument-less Apache Shiro annotations that gate a method or
# class on the caller's authentication state.
#
# The three annotations are not interchangeable guards, so findings should not
# all be read as "caller must be authenticated":
#   - @RequiresAuthentication: subject must have authenticated in the current session.
#   - @RequiresUser: also satisfied by an identity remembered from a previous
#     session (remember-me), which is a weaker guarantee.
#   - @RequiresGuest: the inverse; subject must be neither authenticated nor remembered.
[rule]
id = "java-shiro-requires-authentication"
languages = ["java"]
category = "middleware"
confidence = "high"
description = "Apache Shiro @RequiresAuthentication, @RequiresGuest, or @RequiresUser annotation"
# Tree-sitter query over `marker_annotation` nodes only. The name is either a
# bare identifier (captured as @anno_name) or a scoped identifier, whose
# qualifier is captured as @anno_scope and whose final segment is @anno_name.
# NOTE(review): an annotation written with empty parentheses, e.g.
# `@RequiresUser()`, is presumably parsed as `annotation` rather than
# `marker_annotation` and would then be missed. Confirm against the Java grammar.
query = """
(marker_annotation
  name: [
    (identifier) @anno_name
    (scoped_identifier
      scope: (_) @anno_scope
      name: (identifier) @anno_name)
  ]
) @match
"""

# Names the capture that holds the package qualifier. @anno_scope is only bound
# in the scoped_identifier alternative, so a bare `@RequiresUser` carries no
# qualifier to check.
# NOTE(review): nothing in this rule ties a bare or differently-qualified name to
# org.apache.shiro. Confirm how zift uses this capture before relying on
# confidence = "high".
provenance_capture = "anno_scope"

# Restricts @anno_name to exactly one of the three simple names. The ^...$
# anchors reject longer names that merely contain one of them. Only @anno_name
# is constrained; no predicate is placed on @anno_scope.
[rule.predicates.anno_name]
match = "^(RequiresAuthentication|RequiresGuest|RequiresUser)$"

# Positive cases, simple-name form: one test per annotation, each placed on a
# method and written without a package qualifier (bare identifier branch of the query).
[[rule.tests]]
input = """
public class SecureController {
    @RequiresAuthentication
    public void secureAction() { }
}
"""
expect_match = true

[[rule.tests]]
input = """
public class SecureController {
    @RequiresGuest
    public void guestAction() { }
}
"""
expect_match = true

[[rule.tests]]
input = """
public class SecureController {
    @RequiresUser
    public void userAction() { }
}
"""
expect_match = true

# Positive cases, fully qualified form: the same three annotations written as
# org.apache.shiro.authz.annotation.<Name>, exercising the scoped_identifier
# branch of the query, where @anno_scope is bound.
[[rule.tests]]
input = """
public class SecureController {
    @org.apache.shiro.authz.annotation.RequiresAuthentication
    public void secureAction() { }
}
"""
expect_match = true

[[rule.tests]]
input = """
public class SecureController {
    @org.apache.shiro.authz.annotation.RequiresGuest
    public void guestAction() { }
}
"""
expect_match = true

[[rule.tests]]
input = """
public class SecureController {
    @org.apache.shiro.authz.annotation.RequiresUser
    public void userAction() { }
}
"""
expect_match = true

# Negative case: @Override is an argument-less annotation whose name is not in
# the anno_name predicate, so it must not be reported.
# NOTE(review): this is the only negative test. Cases not covered here include
# a same-named annotation qualified with a non-Shiro package, class-level
# placement, and the empty-parentheses form `@RequiresUser()`.
[[rule.tests]]
input = """
public class Controller {
    @Override
    public void action() { }
}
"""
expect_match = false