Skills
skills/developerscoffee/java-cwe-security-skills/cwe-306-missing-authentication

cwe-306-missing-authentication

SKILL.md

CWE-306 Missing Authentication for Critical Function

Description

Missing Authentication for Critical Function

Reference: https://cwe.mitre.org/data/definitions/306.html

OWASP Category: A07:2021 – Identification and Authentication Failures

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Sensitive operation without auth
@PostMapping("/user/delete/{id}")
public void deleteUser(@PathVariable Long id) {
    userRepository.deleteById(id);
}

Why it's vulnerable: This pattern is vulnerable to Missing Authentication for Critical Function

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Require authentication and authorization
@PostMapping("/user/delete/{id}")
@PreAuthorize("hasRole('ADMIN')")
public void deleteUser(@PathVariable Long id, @AuthenticationPrincipal User user) {
    auditService.log("User deletion by " + user.getUsername());
    userRepository.deleteById(id);
}

Why it's secure: Implements proper protection against Missing Authentication for Critical Function

Detection Pattern

Look for these patterns in your codebase:

# Find delete/update operations without auth
grep -rn "delete\\|update\\|create" --include="*Controller.java" | grep -v "PreAuthorize\\|Secured"

Remediation Steps

  1. Identify all critical functions

  2. Add authentication requirements to each

  3. Implement role-based access control

  4. Log all critical operations

Key Imports


import org.springframework.security.access.prepost.PreAuthorize;

import org.springframework.security.core.annotation.AuthenticationPrincipal;

Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code

Trigger Examples

Fix CWE-306 vulnerability
Resolve Missing Authentication for Critical Function issue
Secure this Java code against missing authentication for critical function
SAST reports CWE-306

Common Vulnerable Locations

Layer Files Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

References

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07

Weekly Installs
1
Repository
developerscoffe…y-skills
First Seen
10 days ago
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
mcpjam1
claude-code1
replit1
junie1
windsurf1
zencoder1