CWE-284 Improper Access Control

Description

Improper Access Control

Reference: https://cwe.mitre.org/data/definitions/284.html

OWASP Category: A01:2021 – Broken Access Control

---

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: No authorization check - IDOR
@GetMapping("/user/{id}/documents")
public List<Document> getUserDocuments(@PathVariable Long id) {
    return documentRepository.findByUserId(id);
}

Why it's vulnerable: This pattern is vulnerable to Improper Access Control

---

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Verify user can access requested resource
@GetMapping("/user/{id}/documents")
@PreAuthorize("@authService.canAccessUser(#id, authentication)")
public List<Document> getUserDocuments(@PathVariable Long id, Authentication auth) {
    User currentUser = (User) auth.getPrincipal();
    if (!currentUser.getId().equals(id) && !currentUser.hasRole("ADMIN")) {
        throw new AccessDeniedException("Cannot access other user's documents");
    }
    return documentRepository.findByUserId(id);
}

Why it's secure: Implements proper protection against Improper Access Control

---

Detection Pattern

Look for these patterns in your codebase:

# Find endpoints with path variables
grep -rn "@PathVariable" --include="*Controller.java" | grep -v "PreAuthorize"

---

Remediation Steps

1. Verify user is authorized to access each resource

2. Use indirect object references

3. Implement row-level security

4. Log access control failures

---

Key Imports

import org.springframework.security.access.AccessDeniedException;

import org.springframework.security.core.Authentication;

---

Verification

After remediation:

• Run SAST scanner to confirm vulnerability is resolved

• Review all instances of the vulnerable pattern

• Add unit tests that verify the secure implementation

• Check for similar patterns in related code

---

Trigger Examples

Fix CWE-284 vulnerability
Resolve Improper Access Control issue
Secure this Java code against improper access control
SAST reports CWE-284

---

Common Vulnerable Locations

Layer	Files	Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

---

References

• CWE-284: Improper Access Control

---

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07