Ensure usr.exists tag is not overridden when UsernameNotFoundException is thrown #8376

Merged

@manuel-alvarez-alvarez manuel-alvarez-alvarez commented Feb 12, 2025

What Does This Do

This is a follow-up PR to #8374 that includes a missing operation when an org.springframework.security.core.userdetails.UsernameNotFoundException is thrown.

Motivation

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-56744

@manuel-alvarez-alvarez manuel-alvarez-alvarez added type: bug type: enhancement tag: no release notes Changes to exclude from release notes comp: asm waf Application Security Management (WAF) labels Feb 12, 2025
pr-commenter bot commented Feb 12, 2025

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | malvarez/waf-fix-ato-usr-exists-override-2 |
| git_commit_date | 1739374674 | 1739435563 |
| git_commit_sha | 3fd5db0 | 1174072 |
| release_version | 1.47.0-SNAPSHOT~3fd5db0dc1 | 1.47.0-SNAPSHOT~117407285e |
See matching parameters
| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1739438082 | 1739438082 |
| ci_job_id | 806438888 | 806438888 |
| ci_pipeline_id | 55776867 | 55776867 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-f42mxumf-project-304-concurrent-0-as6g3kaw 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux | Linux runner-f42mxumf-project-304-concurrent-0-as6g3kaw 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 56 metrics, 7 unstable metrics.

Startup time reports for insecure-bank
gantt
    title insecure-bank - global startup overhead: candidate=1.47.0-SNAPSHOT~117407285e, baseline=1.47.0-SNAPSHOT~3fd5db0dc1

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.05 s) : 0, 1049878
Total [baseline] (8.658 s) : 0, 8658243
Agent [candidate] (1.039 s) : 0, 1038630
Total [candidate] (8.638 s) : 0, 8637743
section iast
Agent [baseline] (1.179 s) : 0, 1178900
Total [baseline] (9.254 s) : 0, 9253981
Agent [candidate] (1.178 s) : 0, 1177798
Total [candidate] (9.274 s) : 0, 9273555
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.182 s) : 0, 1181816
Total [baseline] (9.244 s) : 0, 9243649
Agent [candidate] (1.174 s) : 0, 1173881
Total [candidate] (9.187 s) : 0, 9186888
section iast_TELEMETRY_OFF
Agent [baseline] (1.165 s) : 0, 1164976
Total [baseline] (9.219 s) : 0, 9219221
Agent [candidate] (1.169 s) : 0, 1169192
Total [candidate] (9.251 s) : 0, 9251268
  • baseline results
| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.05 s | - |
| Agent | iast | 1.179 s | 129.022 ms (12.3%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.182 s | 131.938 ms (12.6%) |
| Agent | iast_TELEMETRY_OFF | 1.165 s | 115.097 ms (11.0%) |
| Total | tracing | 8.658 s | - |
| Total | iast | 9.254 s | 595.738 ms (6.9%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.244 s | 585.406 ms (6.8%) |
| Total | iast_TELEMETRY_OFF | 9.219 s | 560.978 ms (6.5%) |
  • candidate results
| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.039 s | - |
| Agent | iast | 1.178 s | 139.168 ms (13.4%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.174 s | 135.251 ms (13.0%) |
| Agent | iast_TELEMETRY_OFF | 1.169 s | 130.562 ms (12.6%) |
| Total | tracing | 8.638 s | - |
| Total | iast | 9.274 s | 635.812 ms (7.4%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.187 s | 549.144 ms (6.4%) |
| Total | iast_TELEMETRY_OFF | 9.251 s | 613.524 ms (7.1%) |
gantt
    title insecure-bank - break down per module: candidate=1.47.0-SNAPSHOT~117407285e, baseline=1.47.0-SNAPSHOT~3fd5db0dc1

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (722.134 ms) : 0, 722134
BytebuddyAgent [candidate] (715.802 ms) : 0, 715802
GlobalTracer [baseline] (241.997 ms) : 0, 241997
GlobalTracer [candidate] (240.371 ms) : 0, 240371
AppSec [baseline] (55.941 ms) : 0, 55941
AppSec [candidate] (55.066 ms) : 0, 55066
Remote Config [baseline] (717.265 µs) : 0, 717
Remote Config [candidate] (711.416 µs) : 0, 711
Telemetry [baseline] (13.612 ms) : 0, 13612
Telemetry [candidate] (11.536 ms) : 0, 11536
section iast
BytebuddyAgent [baseline] (842.0 ms) : 0, 842000
BytebuddyAgent [candidate] (842.227 ms) : 0, 842227
GlobalTracer [baseline] (232.364 ms) : 0, 232364
GlobalTracer [candidate] (231.86 ms) : 0, 231860
IAST [baseline] (22.773 ms) : 0, 22773
IAST [candidate] (22.625 ms) : 0, 22625
AppSec [baseline] (56.918 ms) : 0, 56918
AppSec [candidate] (56.393 ms) : 0, 56393
Remote Config [baseline] (620.922 µs) : 0, 621
Remote Config [candidate] (607.341 µs) : 0, 607
Telemetry [baseline] (8.82 ms) : 0, 8820
Telemetry [candidate] (8.721 ms) : 0, 8721
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (843.14 ms) : 0, 843140
BytebuddyAgent [candidate] (837.547 ms) : 0, 837547
GlobalTracer [baseline] (232.983 ms) : 0, 232983
GlobalTracer [candidate] (231.602 ms) : 0, 231602
IAST [baseline] (23.32 ms) : 0, 23320
IAST [candidate] (22.781 ms) : 0, 22781
AppSec [baseline] (57.507 ms) : 0, 57507
AppSec [candidate] (57.153 ms) : 0, 57153
Remote Config [baseline] (614.787 µs) : 0, 615
Remote Config [candidate] (616.79 µs) : 0, 617
Telemetry [baseline] (8.793 ms) : 0, 8793
Telemetry [candidate] (8.73 ms) : 0, 8730
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (830.704 ms) : 0, 830704
BytebuddyAgent [candidate] (833.626 ms) : 0, 833626
GlobalTracer [baseline] (230.518 ms) : 0, 230518
GlobalTracer [candidate] (231.688 ms) : 0, 231688
IAST [baseline] (24.541 ms) : 0, 24541
IAST [candidate] (26.293 ms) : 0, 26293
AppSec [baseline] (54.683 ms) : 0, 54683
AppSec [candidate] (53.067 ms) : 0, 53067
Remote Config [baseline] (611.834 µs) : 0, 612
Remote Config [candidate] (614.84 µs) : 0, 615
Telemetry [baseline] (8.612 ms) : 0, 8612
Telemetry [candidate] (8.592 ms) : 0, 8592
Startup time reports for petclinic
gantt
    title petclinic - global startup overhead: candidate=1.47.0-SNAPSHOT~117407285e, baseline=1.47.0-SNAPSHOT~3fd5db0dc1

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.042 s) : 0, 1041834
Total [baseline] (10.439 s) : 0, 10439244
Agent [candidate] (1.039 s) : 0, 1038738
Total [candidate] (10.427 s) : 0, 10426801
section appsec
Agent [baseline] (1.188 s) : 0, 1187711
Total [baseline] (10.736 s) : 0, 10735826
Agent [candidate] (1.186 s) : 0, 1186251
Total [candidate] (10.805 s) : 0, 10805042
section iast
Agent [baseline] (1.174 s) : 0, 1173992
Total [baseline] (11.061 s) : 0, 11061280
Agent [candidate] (1.17 s) : 0, 1169927
Total [candidate] (10.961 s) : 0, 10960725
section profiling
Agent [baseline] (1.261 s) : 0, 1261101
Total [baseline] (10.932 s) : 0, 10931580
Agent [candidate] (1.278 s) : 0, 1278035
Total [candidate] (10.883 s) : 0, 10883200
  • baseline results
| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.042 s | - |
| Agent | appsec | 1.188 s | 145.877 ms (14.0%) |
| Agent | iast | 1.174 s | 132.158 ms (12.7%) |
| Agent | profiling | 1.261 s | 219.267 ms (21.0%) |
| Total | tracing | 10.439 s | - |
| Total | appsec | 10.736 s | 296.582 ms (2.8%) |
| Total | iast | 11.061 s | 622.036 ms (6.0%) |
| Total | profiling | 10.932 s | 492.336 ms (4.7%) |
  • candidate results
| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.039 s | - |
| Agent | appsec | 1.186 s | 147.512 ms (14.2%) |
| Agent | iast | 1.17 s | 131.188 ms (12.6%) |
| Agent | profiling | 1.278 s | 239.297 ms (23.0%) |
| Total | tracing | 10.427 s | - |
| Total | appsec | 10.805 s | 378.242 ms (3.6%) |
| Total | iast | 10.961 s | 533.924 ms (5.1%) |
| Total | profiling | 10.883 s | 456.4 ms (4.4%) |
gantt
    title petclinic - break down per module: candidate=1.47.0-SNAPSHOT~117407285e, baseline=1.47.0-SNAPSHOT~3fd5db0dc1

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (716.135 ms) : 0, 716135
BytebuddyAgent [candidate] (715.969 ms) : 0, 715969
GlobalTracer [baseline] (240.829 ms) : 0, 240829
GlobalTracer [candidate] (240.2 ms) : 0, 240200
AppSec [baseline] (55.336 ms) : 0, 55336
AppSec [candidate] (55.11 ms) : 0, 55110
Remote Config [baseline] (718.917 µs) : 0, 719
Remote Config [candidate] (718.819 µs) : 0, 719
Telemetry [baseline] (13.598 ms) : 0, 13598
Telemetry [candidate] (11.596 ms) : 0, 11596
section appsec
BytebuddyAgent [baseline] (737.223 ms) : 0, 737223
BytebuddyAgent [candidate] (735.508 ms) : 0, 735508
GlobalTracer [baseline] (238.67 ms) : 0, 238670
GlobalTracer [candidate] (238.213 ms) : 0, 238213
AppSec [baseline] (176.704 ms) : 0, 176704
AppSec [candidate] (177.312 ms) : 0, 177312
Remote Config [baseline] (654.071 µs) : 0, 654
Remote Config [candidate] (657.658 µs) : 0, 658
Telemetry [baseline] (8.282 ms) : 0, 8282
Telemetry [candidate] (8.283 ms) : 0, 8283
IAST [baseline] (21.708 ms) : 0, 21708
IAST [candidate] (21.841 ms) : 0, 21841
section iast
BytebuddyAgent [baseline] (837.442 ms) : 0, 837442
BytebuddyAgent [candidate] (834.519 ms) : 0, 834519
GlobalTracer [baseline] (231.737 ms) : 0, 231737
GlobalTracer [candidate] (231.017 ms) : 0, 231017
AppSec [baseline] (57.384 ms) : 0, 57384
AppSec [candidate] (57.005 ms) : 0, 57005
Remote Config [baseline] (625.914 µs) : 0, 626
Remote Config [candidate] (618.048 µs) : 0, 618
Telemetry [baseline] (8.752 ms) : 0, 8752
Telemetry [candidate] (8.701 ms) : 0, 8701
IAST [baseline] (22.787 ms) : 0, 22787
IAST [candidate] (22.771 ms) : 0, 22771
section profiling
ProfilingAgent [baseline] (95.987 ms) : 0, 95987
ProfilingAgent [candidate] (97.749 ms) : 0, 97749
BytebuddyAgent [baseline] (706.719 ms) : 0, 706719
BytebuddyAgent [candidate] (715.855 ms) : 0, 715855
GlobalTracer [baseline] (351.38 ms) : 0, 351380
GlobalTracer [candidate] (356.419 ms) : 0, 356419
AppSec [baseline] (55.238 ms) : 0, 55238
AppSec [candidate] (55.415 ms) : 0, 55415
Remote Config [baseline] (715.604 µs) : 0, 716
Remote Config [candidate] (790.35 µs) : 0, 790
Telemetry [baseline] (8.853 ms) : 0, 8853
Telemetry [candidate] (9.066 ms) : 0, 9066
Profiling [baseline] (96.011 ms) : 0, 96011
Profiling [candidate] (97.775 ms) : 0, 97775

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2025-02-13T08:44:37 | 2025-02-13T08:51:44 |
| git_branch | master | malvarez/waf-fix-ato-usr-exists-override-2 |
| git_commit_date | 1739374674 | 1739435563 |
| git_commit_sha | 3fd5db0 | 1174072 |
| release_version | 1.47.0-SNAPSHOT~3fd5db0dc1 | 1.47.0-SNAPSHOT~117407285e |
| start_time | 2025-02-13T08:44:22 | 2025-02-13T08:51:29 |
See matching parameters
| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1739437064 | 1739437064 |
| ci_job_id | 806438889 | 806438889 |
| ci_pipeline_id | 55776867 | 55776867 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-f42mxumf-project-304-concurrent-1-r6kcxtl5 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux | Linux runner-f42mxumf-project-304-concurrent-1-r6kcxtl5 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux |
| variant | iast | iast |

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 15 unstable metrics.

| scenario | Δ mean http_req_duration | Δ mean throughput | candidate mean http_req_duration | candidate mean throughput | baseline mean http_req_duration | baseline mean throughput |
|---|---|---|---|---|---|---|
| scenario:load:petclinic:profiling | better [-93.270µs; -42.336µs] or [-5.847%; -2.654%] | unstable [-412.869op/s; +640.789op/s] or [-13.934%; +21.627%] | 1.527ms | 3076.923op/s | 1.595ms | 2962.963op/s |
Request duration reports for petclinic
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.47.0-SNAPSHOT~117407285e, baseline=1.47.0-SNAPSHOT~3fd5db0dc1
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.345 ms) : 1325, 1364
.   : milestone, 1345,
appsec (1.755 ms) : 1731, 1779
.   : milestone, 1755,
appsec_no_iast (1.764 ms) : 1739, 1788
.   : milestone, 1764,
iast (1.52 ms) : 1496, 1544
.   : milestone, 1520,
profiling (1.595 ms) : 1571, 1620
.   : milestone, 1595,
tracing (1.493 ms) : 1467, 1519
.   : milestone, 1493,
section candidate
no_agent (1.372 ms) : 1352, 1392
.   : milestone, 1372,
appsec (1.774 ms) : 1750, 1798
.   : milestone, 1774,
appsec_no_iast (1.767 ms) : 1742, 1791
.   : milestone, 1767,
iast (1.519 ms) : 1494, 1544
.   : milestone, 1519,
profiling (1.527 ms) : 1505, 1550
.   : milestone, 1527,
tracing (1.51 ms) : 1486, 1535
.   : milestone, 1510,
  • baseline results
| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.345 ms [1.325 ms, 1.364 ms] | - |
| appsec | 1.755 ms [1.731 ms, 1.779 ms] | 410.453 µs (30.5%) |
| appsec_no_iast | 1.764 ms [1.739 ms, 1.788 ms] | 419.001 µs (31.2%) |
| iast | 1.52 ms [1.496 ms, 1.544 ms] | 175.107 µs (13.0%) |
| profiling | 1.595 ms [1.571 ms, 1.62 ms] | 250.756 µs (18.7%) |
| tracing | 1.493 ms [1.467 ms, 1.519 ms] | 148.848 µs (11.1%) |
  • candidate results
| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.372 ms [1.352 ms, 1.392 ms] | - |
| appsec | 1.774 ms [1.75 ms, 1.798 ms] | 401.738 µs (29.3%) |
| appsec_no_iast | 1.767 ms [1.742 ms, 1.791 ms] | 394.427 µs (28.7%) |
| iast | 1.519 ms [1.494 ms, 1.544 ms] | 147.0 µs (10.7%) |
| profiling | 1.527 ms [1.505 ms, 1.55 ms] | 155.375 µs (11.3%) |
| tracing | 1.51 ms [1.486 ms, 1.535 ms] | 138.111 µs (10.1%) |
Request duration reports for insecure-bank
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.47.0-SNAPSHOT~117407285e, baseline=1.47.0-SNAPSHOT~3fd5db0dc1
    dateFormat X
    axisFormat %s
section baseline
no_agent (383.115 µs) : 364, 403
.   : milestone, 383,
iast (515.413 µs) : 494, 537
.   : milestone, 515,
iast_FULL (748.445 µs) : 727, 770
.   : milestone, 748,
iast_GLOBAL (558.176 µs) : 536, 580
.   : milestone, 558,
iast_HARDCODED_SECRET_DISABLED (513.982 µs) : 491, 537
.   : milestone, 514,
iast_INACTIVE (473.622 µs) : 452, 495
.   : milestone, 474,
iast_TELEMETRY_OFF (503.052 µs) : 480, 526
.   : milestone, 503,
tracing (464.921 µs) : 443, 486
.   : milestone, 465,
section candidate
no_agent (384.653 µs) : 365, 404
.   : milestone, 385,
iast (517.643 µs) : 496, 540
.   : milestone, 518,
iast_FULL (750.723 µs) : 728, 773
.   : milestone, 751,
iast_GLOBAL (565.044 µs) : 542, 588
.   : milestone, 565,
iast_HARDCODED_SECRET_DISABLED (520.168 µs) : 497, 543
.   : milestone, 520,
iast_INACTIVE (473.41 µs) : 451, 496
.   : milestone, 473,
iast_TELEMETRY_OFF (504.114 µs) : 481, 527
.   : milestone, 504,
tracing (462.554 µs) : 441, 484
.   : milestone, 463,
  • baseline results
| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 383.115 µs [363.636 µs, 402.594 µs] | - |
| iast | 515.413 µs [493.764 µs, 537.062 µs] | 132.298 µs (34.5%) |
| iast_FULL | 748.445 µs [726.538 µs, 770.352 µs] | 365.33 µs (95.4%) |
| iast_GLOBAL | 558.176 µs [536.469 µs, 579.883 µs] | 175.061 µs (45.7%) |
| iast_HARDCODED_SECRET_DISABLED | 513.982 µs [491.42 µs, 536.543 µs] | 130.867 µs (34.2%) |
| iast_INACTIVE | 473.622 µs [452.127 µs, 495.118 µs] | 90.508 µs (23.6%) |
| iast_TELEMETRY_OFF | 503.052 µs [479.741 µs, 526.363 µs] | 119.938 µs (31.3%) |
| tracing | 464.921 µs [443.366 µs, 486.477 µs] | 81.807 µs (21.4%) |
  • candidate results
| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 384.653 µs [365.039 µs, 404.268 µs] | - |
| iast | 517.643 µs [495.78 µs, 539.507 µs] | 132.99 µs (34.6%) |
| iast_FULL | 750.723 µs [728.427 µs, 773.019 µs] | 366.07 µs (95.2%) |
| iast_GLOBAL | 565.044 µs [541.792 µs, 588.296 µs] | 180.391 µs (46.9%) |
| iast_HARDCODED_SECRET_DISABLED | 520.168 µs [497.476 µs, 542.861 µs] | 135.515 µs (35.2%) |
| iast_INACTIVE | 473.41 µs [451.237 µs, 495.582 µs] | 88.756 µs (23.1%) |
| iast_TELEMETRY_OFF | 504.114 µs [481.037 µs, 527.191 µs] | 119.461 µs (31.1%) |
| tracing | 462.554 µs [441.163 µs, 483.945 µs] | 77.901 µs (20.3%)  |

Dacapo

@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/waf-fix-ato-usr-exists-override-2 branch from b039aa0 to 1174072 Compare February 13, 2025 08:32
@manuel-alvarez-alvarez manuel-alvarez-alvarez removed the tag: no release notes Changes to exclude from release notes label Feb 13, 2025
@manuel-alvarez-alvarez manuel-alvarez-alvarez marked this pull request as ready for review February 13, 2025 08:33
@manuel-alvarez-alvarez manuel-alvarez-alvarez requested a review from a team as a code owner February 13, 2025 08:33
@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the title Ensure usr.exists tag is not overridden by auto instrumentation Ensure usr.exists tag is not overridden when org.springframework.security.core.userdetails.UsernameNotFoundException is thrown Feb 13, 2025
@jandro996 jandro996 left a comment

LGTM!

@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the title Ensure usr.exists tag is not overridden when org.springframework.security.core.userdetails.UsernameNotFoundException is thrown Ensure usr.exists tag is not overridden when UsernameNotFoundException is thrown Feb 13, 2025
@manuel-alvarez-alvarez manuel-alvarez-alvarez merged commit a3d58f1 into master Feb 13, 2025
206 of 207 checks passed
@manuel-alvarez-alvarez manuel-alvarez-alvarez deleted the malvarez/waf-fix-ato-usr-exists-override-2 branch February 13, 2025 10:04
@github-actions github-actions bot added this to the 1.47.0 milestone Feb 13, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Mar 6, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | minor |
`1.46.1` -> `1.47.0` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | minor |
`1.46.1` -> `1.47.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.33` -> `2.30.34` |
|
[software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava)
| dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.30.33` -> `2.30.34` |

---

### Release Notes

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

###
[`v1.47.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.47.0):
1.47.0

##### Components

##### Application Security Management (IAST)

- 🐛 Exclude com.stripe.net.HttpURLConnectionClient to solve IAST
SSRF vulnerability false positives
([#&#8203;8483](DataDog/dd-trace-java#8483) -
[@&#8203;jandro996](https://github.com/jandro996))
- 🐛 Add exclusion to solve IAST weak randomness vulnerability false
positives
([#&#8203;8462](DataDog/dd-trace-java#8462) -
[@&#8203;jandro996](https://github.com/jandro996))
- ✨ Fix weak randomness false positive in Kafka client
([#&#8203;8408](DataDog/dd-trace-java#8408) -
[@&#8203;smola](https://github.com/smola))
- ✨ Fix location for SSRF with Kong Unirest
([#&#8203;8407](DataDog/dd-trace-java#8407) -
[@&#8203;smola](https://github.com/smola))
- ✨ Exclude IBM Instana from IAST
([#&#8203;8406](DataDog/dd-trace-java#8406) -
[@&#8203;smola](https://github.com/smola))
- 🐛 Fix org.json iast instrumentation test for latest dependency
([#&#8203;8347](DataDog/dd-trace-java#8347) -
[@&#8203;jandro996](https://github.com/jandro996))
- ✨ Configuration to Disable APM Tracing
([#&#8203;8219](DataDog/dd-trace-java#8219) -
[@&#8203;jandro996](https://github.com/jandro996))
- ✨ Address cookie vulnerability cardinality issues
([#&#8203;8210](DataDog/dd-trace-java#8210) -
[@&#8203;jandro996](https://github.com/jandro996))
- ✨ Email HTML Injection detection in IAST
([#&#8203;8205](DataDog/dd-trace-java#8205) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))

##### Application Security Management (WAF)

- 🐛✨ Ensure usr.exists tag is not overridden when
UsernameNotFoundException is thrown
([#&#8203;8376](DataDog/dd-trace-java#8376) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- 🐛✨ Ensure usr.exists tag is not overridden by auto
instrumentation
([#&#8203;8374](DataDog/dd-trace-java#8374) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Update appsec metrics with event_rules_version tag
([#&#8203;8354](DataDog/dd-trace-java#8354) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))
- ✨ Update metrics: appsec.waf.requests
([#&#8203;8353](DataDog/dd-trace-java#8353) -
[@&#8203;Mariovido](https://github.com/Mariovido))
- ✨ Improve ASM support in vert.x 5.0
([#&#8203;8285](DataDog/dd-trace-java#8285) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Update metrics: appsec.waf.updates and appsec.waf.init
([#&#8203;8280](DataDog/dd-trace-java#8280) -
[@&#8203;Mariovido](https://github.com/Mariovido))
- ✨ Configuration to Disable APM Tracing
([#&#8203;8219](DataDog/dd-trace-java#8219) -
[@&#8203;jandro996](https://github.com/jandro996))

##### Build & Tooling

- 🐛 Do not generate Muzzle references for primitive arrays in method
body
([#&#8203;8361](DataDog/dd-trace-java#8361) -
[@&#8203;amarziali](https://github.com/amarziali))
- 📖 Improve dev env setup documentation for Windows
([#&#8203;8180](DataDog/dd-trace-java#8180) -
[@&#8203;lucaspimentel](https://github.com/lucaspimentel))

##### Continuous Integration Visibility

- ✨ Add support for skip-EFD tagging
([#&#8203;8487](DataDog/dd-trace-java#8487) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix an NPE in Gradle Android instrumentation
([#&#8203;8484](DataDog/dd-trace-java#8484) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Consider modified tests when applying fail-fast tests
ordering
([#&#8203;8474](DataDog/dd-trace-java#8474) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement tests reordering for TestNG
([#&#8203;8467](DataDog/dd-trace-java#8467) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix Gradle Launcher instrumentation to not interfere with Gradle
Test Kit
([#&#8203;8465](DataDog/dd-trace-java#8465) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Use separate TestEventHandlers per framework in CI Vis
instrumentations
([#&#8203;8451](DataDog/dd-trace-java#8451) -
[@&#8203;daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Remove warning log when JUnit 4 test method cannot be
retrieved
([#&#8203;8445](DataDog/dd-trace-java#8445) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix Scalatest tracing for tests that are reported asynchronously
([#&#8203;8444](DataDog/dd-trace-java#8444) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement attempt to fix tests
([#&#8203;8393](DataDog/dd-trace-java#8393) -
[@&#8203;daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement test disabling
([#&#8203;8377](DataDog/dd-trace-java#8377) -
[@&#8203;daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Update CODEOWNERS parser to not log errors on comments with
leading whitespace
([#&#8203;8349](DataDog/dd-trace-java#8349) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Request Test Management tests list
([#&#8203;8345](DataDog/dd-trace-java#8345) -
[@&#8203;daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Receive test management settings from CIVis settings
request
([#&#8203;8331](DataDog/dd-trace-java#8331) -
[@&#8203;daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement quarantined tests tagging
([#&#8203;8326](DataDog/dd-trace-java#8326) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement tests quarantining
([#&#8203;8320](DataDog/dd-trace-java#8320) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add tag to specify if the user is setting DD_SERVICE
([#&#8203;8318](DataDog/dd-trace-java#8318) -
[@&#8203;daniel-mohedano](https://github.com/daniel-mohedano))

##### Crash tracking

- ✨ Only fork jps when required
([#&#8203;8419](DataDog/dd-trace-java#8419) -
[@&#8203;mcculls](https://github.com/mcculls))
- 🐛 Use Java home of the crashed process to launch crash uploader
([#&#8203;8348](DataDog/dd-trace-java#8348) -
[@&#8203;jbachorik](https://github.com/jbachorik))

##### Data Streams Monitoring

- 🐛 Fix error happening when sqs message attributes are readonly
([#&#8203;8473](DataDog/dd-trace-java#8473) -
[@&#8203;vandonr](https://github.com/vandonr))
- 🐛 Fix bug on proto schema extraction
([#&#8203;8403](DataDog/dd-trace-java#8403) -
[@&#8203;vandonr](https://github.com/vandonr))
- 🐛 Fix service name overrides in consumers
([#&#8203;8387](DataDog/dd-trace-java#8387) -
[@&#8203;piochelepiotr](https://github.com/piochelepiotr))

##### Database Monitoring

- ✨ Add DBMTracePreparedStatements to tracer configuration log
([#&#8203;8508](DataDog/dd-trace-java#8508) -
[@&#8203;cecile75](https://github.com/cecile75))

##### Dynamic Instrumentation

- ✨ Look in another location for grpc service methods
([#&#8203;8468](DataDog/dd-trace-java#8468) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- 🐛 Fix Exception Replay with Lambda proxy classes
([#&#8203;8452](DataDog/dd-trace-java#8452) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Add code origin support for spring-webmvc
([#&#8203;8416](DataDog/dd-trace-java#8416) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- ✨ Add support for scanning jar from loaded class
([#&#8203;8370](DataDog/dd-trace-java#8370) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- 🐛 Disable capture of entry values
([#&#8203;8369](DataDog/dd-trace-java#8369) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- 🐛 Fix CodeOrigin for `@Trace` annotation
([#&#8203;8344](DataDog/dd-trace-java#8344) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- 🐛 Fix equals/hashCode for CodeOrigin probe
([#&#8203;8319](DataDog/dd-trace-java#8319) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Add code origin support to kafka message listeners
([#&#8203;8301](DataDog/dd-trace-java#8301) -
[@&#8203;evanchooly](https://github.com/evanchooly))

##### Metrics

- ✨ Create metric: appsec.waf.error
([#&#8203;8381](DataDog/dd-trace-java#8381) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))
- ✨ Create metric: appsec.rasp.error
([#&#8203;8364](DataDog/dd-trace-java#8364) -
[@&#8203;sezen-datadog](https://github.com/sezen-datadog))

##### Profiling

- ✨ Bump ddprof library to 1.22.0
([#&#8203;8463](DataDog/dd-trace-java#8463) -
[@&#8203;jbachorik](https://github.com/jbachorik))
- IBM J9 8u361 corresponds to OpenJDK 8u362 by
[@&#8203;jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#187
- Fix compatibility with musl libc 1.2.4 by
[@&#8203;jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#189
- Modify version extraction by
[@&#8203;jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#179
- Do not write null values to jvminfo event by
[@&#8203;jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#184
- Productize VMStructs-based stack walker by
[@&#8203;jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#177
- A few minor downport issues by
[@&#8203;jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#180
- Enable ASGCT by default on fairly safe J9 JDK versions by
[@&#8203;jbachorik](https://github.com/jbachorik) in
DataDog/java-profiler#181
- 🐛 Exclude OrderedThreadPoolExecutor from queue-time measurements
([#&#8203;8456](DataDog/dd-trace-java#8456) -
[@&#8203;jbachorik](https://github.com/jbachorik))
- ✨ Record JVM info on JVMs without JFR
([#&#8203;8431](DataDog/dd-trace-java#8431) -
[@&#8203;jbachorik](https://github.com/jbachorik))
- 🐛 Actually use CleanupTask in TempLocationManager
([#&#8203;8420](DataDog/dd-trace-java#8420) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨ Only fork jps when required
([#&#8203;8419](DataDog/dd-trace-java#8419) -
[@&#8203;mcculls](https://github.com/mcculls))
- 🐛 Adjust JFR checks for J9
([#&#8203;8405](DataDog/dd-trace-java#8405) -
[@&#8203;jbachorik](https://github.com/jbachorik))
- 🧹 Disable smap RSS parsing by default
([#&#8203;8342](DataDog/dd-trace-java#8342) -
[@&#8203;MattAlp](https://github.com/MattAlp))

##### Telemetry

- 🐛 Add support for JBoss jar:file format to DependencyResolver
([#&#8203;8428](DataDog/dd-trace-java#8428) -
[@&#8203;jandro996](https://github.com/jandro996))
- ✨ Update metrics: appsec.waf.requests
([#&#8203;8353](DataDog/dd-trace-java#8353) -
[@&#8203;Mariovido](https://github.com/Mariovido))

##### Trace context propagation

- ✨ Introduce tracing propagator
([#&#8203;8313](DataDog/dd-trace-java#8313) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))

##### Tracer core

- 🐛 Fix Stable Config telemetry source names
([#&#8203;8460](DataDog/dd-trace-java#8460) -
[@&#8203;BaptisteFoy](https://github.com/BaptisteFoy))
- ✨ Probe trace endpoints with a valid payload of empty arrays
([#&#8203;8414](DataDog/dd-trace-java#8414) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨ Add 1 minute fail-safe to JUL/JMX class-loading callback
([#&#8203;8399](DataDog/dd-trace-java#8399) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨ Migrate DSM injection calls to context-first APIs
([#&#8203;8383](DataDog/dd-trace-java#8383) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- 🧹 Move continuation capture methods from scope to tracer
([#&#8203;8371](DataDog/dd-trace-java#8371) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨ Migrate context extraction calls to context-first APIs
([#&#8203;8368](DataDog/dd-trace-java#8368) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- 🧹 Migrate context injection calls to context-first APIs
([#&#8203;8358](DataDog/dd-trace-java#8358) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- 💡 Support reading configurations from files
([#&#8203;8338](DataDog/dd-trace-java#8338) -
[@&#8203;mtoffl01](https://github.com/mtoffl01))
- 💡 Implementation of BaggagePropagator and BaggageContext
([#&#8203;8330](DataDog/dd-trace-java#8330) -
[@&#8203;mhlidd](https://github.com/mhlidd))
- 🧹 Combine continuation implementations into one which supports
multiple activations
([#&#8203;8324](DataDog/dd-trace-java#8324) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨ Introduce tracing propagator
([#&#8203;8313](DataDog/dd-trace-java#8313) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Remove old context propagation API
([#&#8203;8271](DataDog/dd-trace-java#8271) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))

##### Instrumentations

##### AWS Lambda instrumentation

- 🐛 Send error message and stack to Lambda extension
([#&#8203;8417](DataDog/dd-trace-java#8417) -
[@&#8203;nhulston](https://github.com/nhulston))

##### AWS SDK instrumentation

- 🐛 Fix error happening when sqs message attributes are readonly
([#&#8203;8473](DataDog/dd-trace-java#8473) -
[@&#8203;vandonr](https://github.com/vandonr))
- 💡 Inject trace context into AWS Step Functions input
([#&#8203;7585](DataDog/dd-trace-java#7585) -
[@&#8203;DylanLovesCoffee](https://github.com/DylanLovesCoffee))

##### Core Java language instrumentation

- ✨ Look in another location for grpc service methods
([#&#8203;8468](DataDog/dd-trace-java#8468) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- ✨ Add code origin support for spring-webmvc
([#&#8203;8416](DataDog/dd-trace-java#8416) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- 💡 Implementation of BaggagePropagator and BaggageContext
([#&#8203;8330](DataDog/dd-trace-java#8330) -
[@&#8203;mhlidd](https://github.com/mhlidd))
- ✨ Add code origin support to kafka message listeners
([#&#8203;8301](DataDog/dd-trace-java#8301) -
[@&#8203;evanchooly](https://github.com/evanchooly))

##### gRPC instrumentation

- ✨ Look in another location for grpc service methods
([#&#8203;8468](DataDog/dd-trace-java#8468) -
[@&#8203;evanchooly](https://github.com/evanchooly))

##### Kafka instrumentation

- ✨ Add messaging.destination.name tag to kafka integrations
([#&#8203;8366](DataDog/dd-trace-java#8366) -
[@&#8203;rarguelloF](https://github.com/rarguelloF))

##### Protocol Buffer instrumentation

- 🐛 Fix bug on proto schema extraction
([#&#8203;8403](DataDog/dd-trace-java#8403) -
[@&#8203;vandonr](https://github.com/vandonr))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: 108a0f86aa59ab4c938cbac0688dd4c19cb301fa