name

cwe-306-missing-authentication

description

Use this skill when you need to remediate CWE-306 (Missing Authentication for Critical Function) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing missing authentication for critical function issues.

version

1.0.0

license

MIT

CWE-306 Missing Authentication for Critical Function

Description

Missing Authentication for Critical Function

Reference: https://cwe.mitre.org/data/definitions/306.html

OWASP Category: A07:2021 – Identification and Authentication Failures

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Sensitive operation without auth
@PostMapping("/user/delete/{id}")
public void deleteUser(@PathVariable Long id) {
    userRepository.deleteById(id);
}

Why it's vulnerable: This pattern is vulnerable to Missing Authentication for Critical Function

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Require authentication and authorization
@PostMapping("/user/delete/{id}")
@PreAuthorize("hasRole('ADMIN')")
public void deleteUser(@PathVariable Long id, @AuthenticationPrincipal User user) {
    auditService.log("User deletion by " + user.getUsername());
    userRepository.deleteById(id);
}

Why it's secure: Implements proper protection against Missing Authentication for Critical Function

Detection Pattern

Look for these patterns in your codebase:

# Find delete/update operations without auth
grep -rn "delete\\|update\\|create" --include="*Controller.java" | grep -v "PreAuthorize\\|Secured"

Remediation Steps

Identify all critical functions
Add authentication requirements to each
Implement role-based access control
Log all critical operations

Key Imports

import org.springframework.security.access.prepost.PreAuthorize;

import org.springframework.security.core.annotation.AuthenticationPrincipal;

Verification

After remediation:

Run SAST scanner to confirm vulnerability is resolved
Review all instances of the vulnerable pattern
Add unit tests that verify the secure implementation
Check for similar patterns in related code

Trigger Examples

Fix CWE-306 vulnerability
Resolve Missing Authentication for Critical Function issue
Secure this Java code against missing authentication for critical function
SAST reports CWE-306

Common Vulnerable Locations

Layer	Files	Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

References

CWE-306: Missing Authentication

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CWE-306 Missing Authentication for Critical Function

Description

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

Deterministic Fix

✅ Secure Implementation: Secure Implementation

Detection Pattern

Remediation Steps

Key Imports

Verification

Trigger Examples

Common Vulnerable Locations

References

FilesExpand file tree

SKILL.md

Latest commit

History

SKILL.md

File metadata and controls

CWE-306 Missing Authentication for Critical Function

Description

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

Deterministic Fix

✅ Secure Implementation: Secure Implementation

Detection Pattern

Remediation Steps

Key Imports

Verification

Trigger Examples

Common Vulnerable Locations

References