
Security Flaw: Don’t use @Cacheable on Methods handling Access-Control

Introduction

I recently stumbled over the following code in our codebase:

// Security flaw! The default cache key is derived from contractId alone,
// not from the user on whose behalf the check is made.
@Cacheable("permissionsOnContracts")
public boolean isAllowedToRead(ContractId contractId) {
    return expensiveOperationOrRemoteCall(contractId);
}

The intent of the Cacheable annotation was obviously to reduce calls to #expensiveOperationOrRemoteCall, which makes sense in a way, especially when #isAllowedToRead is called often. Note that #expensiveOperationOrRemoteCall determines the calling user internally by itself (e.g. via the SecurityContext, an OAuth2 token, …), so the user is not part of the method's parameters and therefore not part of the cache key.

It also introduces a severe security problem: the first caller's answer for a given contract is cached under that contract's id alone and then served to every subsequent caller, whoever they are.
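One way to close that gap, shown here as an added example that is not the author's code: make the calling user part of the cache key, either as an explicit parameter or via a SpEL key expression. `@Cacheable` and `SecurityContextHolder` are the real Spring APIs; `ContractId`, `UserId`, `RemoteAuthorizationClient` and the service class are assumed names.

```java
import org.springframework.cache.annotation.Cacheable;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

// Key types need value-based equals/hashCode or every lookup misses;
// records provide that. (Assumed names, not from the original post.)
record ContractId(String value) {}
record UserId(String value) {}

// Assumed collaborator standing in for #expensiveOperationOrRemoteCall.
interface RemoteAuthorizationClient {
    boolean canRead(UserId user, ContractId contract);
}

@Service
public class ContractPermissionService {

    private final RemoteAuthorizationClient authz;

    public ContractPermissionService(RemoteAuthorizationClient authz) {
        this.authz = authz;
    }

    // Flawed, as on the page: the default key is built from the method
    // parameters only, so the result computed for the first caller of a
    // given contractId is handed to every later caller, whoever they are.
    @Cacheable("permissionsOnContracts")
    public boolean isAllowedToReadFlawed(ContractId contractId) {
        return authz.canRead(currentUserId(), contractId);
    }

    // Fix 1: make the user an explicit parameter. Spring's default key
    // generator then builds SimpleKey(userId, contractId), so each user
    // gets a separate cache entry.
    @Cacheable("permissionsOnContracts")
    public boolean isAllowedToRead(UserId userId, ContractId contractId) {
        return authz.canRead(userId, contractId);
    }

    // Fix 2: keep the one-argument signature but fold the principal into
    // the key with a SpEL list literal {contractId, user name}.
    @Cacheable(value = "permissionsOnContracts",
               key = "{#contractId, T(org.springframework.security.core.context"
                   + ".SecurityContextHolder).getContext().getAuthentication().getName()}")
    public boolean isAllowedToReadAsCurrentUser(ContractId contractId) {
        return authz.canRead(currentUserId(), contractId);
    }

    private static UserId currentUserId() {
        return new UserId(SecurityContextHolder.getContext().getAuthentication().getName());
    }
}
```

Fix 1 is the more robust choice: Fix 2 fails with an exception if no Authentication is present in the context (e.g. an anonymous or system call), and its key silently collapses all such callers onto one entry if a fallback name is substituted.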
