
Fix BFLA (Broken Function Level Authorization) in Micronaut

BFLA (Broken Function Level Authorization) is an API's failure to verify whether the caller holds the privileges required to execute a specific function. In Micronaut, this vulnerability typically arises when developers rely on a broad authentication check (SecurityRule.IS_AUTHENTICATED) instead of granular role-based access control (RBAC) on sensitive administrative or management endpoints.

The Vulnerable Pattern

import io.micronaut.http.HttpResponse;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Delete;
import io.micronaut.security.annotation.Secured;
import io.micronaut.security.rules.SecurityRule;

@Controller("/api/v1/management")
public class ManagementController {

    private final UserRepository userRepository; // the application's own repository bean

    public ManagementController(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Delete("/users/{id}")
    @Secured(SecurityRule.IS_AUTHENTICATED)
    public HttpResponse<?> deleteUser(Long id) {
        // VULNERABILITY: Any logged-in user can delete any other user.
        // The system only checks if the user is authenticated, not if they are an ADMIN.
        userRepository.deleteById(id);
        return HttpResponse.noContent();
    }
}

The Secure Implementation

To fix BFLA in Micronaut, enforce the principle of least privilege: replace the generic SecurityRule.IS_AUTHENTICATED rule with the specific roles the operation requires, using the @Secured annotation. For more complex cases, such as verifying that the caller owns the resource they are trying to modify, implement a custom SecurityRule bean or use method-level security with @PreAuthorize. Also make sure your AuthenticationProvider correctly maps database roles or LDAP groups into the roles attribute of the Micronaut Authentication object; @Secured can only match the role names that end up there.

import io.micronaut.http.HttpResponse;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Delete;
import io.micronaut.security.annotation.Secured;

@Controller("/api/v1/management")
public class ManagementController {

    private final UserRepository userRepository; // the application's own repository bean

    public ManagementController(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Delete("/users/{id}")
    @Secured("ROLE_ADMIN")
    public HttpResponse<?> deleteUser(Long id) {
        // SECURE: Access is restricted to users with the 'ROLE_ADMIN' authority.
        // Micronaut Security interceptors will block unauthorized roles before execution.
        userRepository.deleteById(id);
        return HttpResponse.noContent();
    }
}
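The ownership scenario mentioned above, as an added example that is not part of the GuardAPI page: Micronaut binds the caller's Authentication as a controller method argument, so the route can stay open to any authenticated user while the method enforces "admin or owner" before acting. AccountController, UserRepository and User#getUsername() are assumed names.

```java
// Added example (not GuardAPI's code). Assumes Micronaut Security and a
// hypothetical UserRepository whose User entity exposes getUsername(), which
// the application's AuthenticationProvider also uses as the Authentication name.
import io.micronaut.http.HttpResponse;
import io.micronaut.http.HttpStatus;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Delete;
import io.micronaut.security.annotation.Secured;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.security.rules.SecurityRule;

@Controller("/api/v1/accounts")
public class AccountController {

    private static final String ROLE_ADMIN = "ROLE_ADMIN";
    private final UserRepository userRepository; // hypothetical repository bean

    public AccountController(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    // Function-level rule: the route is reachable by any authenticated caller because
    // a user may delete their own account. Object-level ownership is checked inside the
    // method, so the two checks together close the BFLA gap for this endpoint.
    @Delete("/{id}")
    @Secured(SecurityRule.IS_AUTHENTICATED)
    public HttpResponse<?> deleteAccount(Long id, Authentication authentication) {
        // getRoles() holds whatever the AuthenticationProvider mapped from the
        // database or LDAP; getName() is the authenticated subject.
        boolean isAdmin = authentication.getRoles().contains(ROLE_ADMIN);
        boolean isOwner = userRepository.findById(id)
                .map(user -> user.getUsername().equals(authentication.getName()))
                .orElse(false);

        if (!isAdmin && !isOwner) {
            // Deny without revealing whether the target account exists:
            // a non-owner gets the same 403 for a missing id and for someone else's id.
            return HttpResponse.status(HttpStatus.FORBIDDEN);
        }

        userRepository.deleteById(id);
        return HttpResponse.noContent();
    }
}
```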

Verified by Ghost Labs Security Team