How to find apps that use Spring auto-binding


Objective

Use Contrast Protect to identify the applications in your portfolio that use Spring auto-binding.

Process

Contrast Protect includes the ability to create log enhancers. These are instrumentation instructions that allow the Contrast agent to log additional parameters and data in the application, without requiring any source code changes.

To apply a log enhancer that detects the use of Spring auto-binding:

  1. Follow the instructions at this docs page to set up a new log enhancer.

    • In the API field, enter:
      org.springframework.web.bind.WebDataBinder.doBind(org.springframework.beans.MutablePropertyValues)

    • In the Format field, enter Spring Autobinding Detected. Nothing in the method parameter, the binder, and so on would make the log entry more useful for its intended purpose of identifying which applications use Spring auto-binding, so we don't recommend attempting to parameterize the Format field.

    • For Log Type, select SECURITY.

    • For Log Level, select WARN.

  2. Once it is set up, the log enhancer will be enabled following the next agent restart.

How you pull the resulting information out of your security.log file depends on how you consume logs. In general, filter all logs for Contrast Agent Java and Autobinding Detected, then group by app to get the list of all potentially affected applications.
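
The filter-and-group step described above can be scripted when the logs are available as plain files. The following is an added example, not Contrast's own tooling: the `app=<name>` field, the line layout of the sample data and the function name `apps_using_autobinding` are assumptions, so adjust the pattern to the layout of your own security.log.

```python
import re
import sys
from collections import Counter

# The two strings the article says to filter on.
AGENT_MARKER = "Contrast Agent Java"
EVENT_MARKER = "Autobinding Detected"

# ASSUMPTION: each line carries the application name as an "app=<name>"
# key/value pair. Change this pattern to match your own log layout.
APP_FIELD = re.compile(r"\bapp=(.+?)(?=\s+\w+=|\s*$)")


def apps_using_autobinding(lines, app_field=APP_FIELD):
    """Return (Counter app -> hits, matching lines with no app name)."""
    hits, unattributed = Counter(), []
    for line in lines:
        if AGENT_MARKER not in line or EVENT_MARKER not in line:
            continue  # not a log-enhancer hit from the Java agent
        match = app_field.search(line)
        if match:
            hits[match.group(1).strip()] += 1
        else:
            # Keep these visible: an app is affected but cannot be named.
            unattributed.append(line.rstrip("\n"))
    return hits, unattributed


# Constructed sample lines (assumed layout), not real agent output.
SAMPLE_LOG = """\
2024-01-10 09:15:02 WARN Contrast Agent Java|SECURITY|Spring Autobinding Detected|app=billing-service src=10.0.0.5
2024-01-10 09:15:09 WARN Contrast Agent Java|SECURITY|Spring Autobinding Detected|app=billing-service src=10.0.0.7
2024-01-10 09:16:30 WARN Contrast Agent Java|SECURITY|Spring Autobinding Detected|app=HR Portal request=/save
2024-01-10 09:17:01 WARN Contrast Agent Java|SECURITY|Some Other Event|app=inventory src=10.0.0.8
2024-01-10 09:17:44 INFO custom-logger Autobinding Detected app=legacy-tool
2024-01-10 09:18:12 WARN Contrast Agent Java|SECURITY|Spring Autobinding Detected|src=10.0.0.9
"""

if __name__ == "__main__":
    # Pass security.log paths as arguments, or run with none for the sample.
    lines = SAMPLE_LOG.splitlines()
    if len(sys.argv) > 1:
        lines = []
        for path in sys.argv[1:]:
            with open(path, errors="replace") as fh:
                lines.extend(fh)
    hits, unattributed = apps_using_autobinding(lines)
    for app, count in hits.most_common():
        print(f"{count:6d}  {app}")
    print(f"{len(unattributed)} matching line(s) without an app name")
```

Lines that match both markers but carry no application name are reported separately, so that an affected application is not silently dropped from the list.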
