Critiq Docs

security.authentication

Avoid Spring Security chains that leave every request anonymous by default

Production HTTP security chains should not end with a broad permit-all fallback such as `anyRequest().permitAll()` or `requestMatchers("/**").permitAll()`.

# Metadata

| Field | Value |
| --- | --- |
| Rule ID | `java.security.spring-permit-all-default` |
| Severity | high |
| Confidence | 0.82 |
| Languages | java |
| Presets | security, strict |
| Stability | experimental |
| Applies to | block |
| Tags | java, rules-catalog, security, spring, spring-security |

# Why it matters

Anonymous-by-default authorization lets unauthenticated callers reach handlers that were meant to be protected, which often leads to broken access control and data exposure.

# Remediation

Replace broad permit-all with authenticated or role-based rules, keep public paths explicit, and add integration tests that assert unauthorized access is rejected.
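The following is an added illustration, not code from Critiq or from the rule's own metadata: a Spring Security 6 filter chain showing the pattern this rule flags next to the corrected form, followed by a MockMvc integration test that asserts unauthorized access is rejected. The paths (`/public/**`, `/actuator/health`, `/admin/**`, `/api/orders`), the `ADMIN` and `USER` roles, and a Spring Boot 3 test setup with `spring-security-test` on the classpath are all assumed for the example.

```java
// --- src/main/java/example/security/WebSecurityConfig.java ---
// Added example (not from Critiq). Paths and roles are assumed for illustration.
package example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class WebSecurityConfig {

    // BEFORE (what the rule flags): any path not matched by an earlier rule falls
    // through to permitAll, so a handler nobody remembered to list is anonymous.
    // Left without @Bean here because two chains matching every request cannot
    // coexist in one application context; it is shown only for comparison.
    SecurityFilterChain anonymousByDefault(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().permitAll());            // broad fallback: fails open
        return http.build();
    }

    // AFTER: public paths are an explicit allow-list and the fallback requires
    // authentication, so a new or forgotten endpoint fails closed.
    @Bean
    SecurityFilterChain authenticatedByDefault(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**", "/actuator/health").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())         // fallback: fails closed
            // An authentication entry point is needed so anonymous requests get a
            // 401; with no entry point configured Spring Security answers 403.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// --- src/test/java/example/security/AuthorizationDefaultsTest.java ---
// Integration test for the corrected chain; assumes spring-security-test.
package example.security;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class AuthorizationDefaultsTest {

    @Autowired
    MockMvc mockMvc;

    @Test
    void unlistedEndpointRejectsAnonymousCaller() throws Exception {
        // /api/orders is deliberately absent from the allow-list: the default
        // must be "authenticate first", never "permit".
        mockMvc.perform(get("/api/orders"))
               .andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockUser(roles = "USER")
    void adminPathRejectsAuthenticatedNonAdmin() throws Exception {
        // Authenticated but lacking ROLE_ADMIN: the request must be forbidden,
        // which proves the role rule is evaluated rather than skipped.
        mockMvc.perform(get("/admin/users"))
               .andExpect(status().isForbidden());
    }
}
```

The first test is the one that catches a regression back to `anyRequest().permitAll()`: it requests a path that appears nowhere in the configuration, so it passes only if the fallback itself denies anonymous access. Matcher order matters in `authorizeHttpRequests`, since the first matching rule wins; keep the narrow public paths before `anyRequest()`, and keep that final rule `authenticated()` or stricter.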

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/java/java.security.spring-permit-all-default.rule.yaml`.