
Commit 151bcf3

committed
Merge Fix: Handle null authority string in AuthoritiesAuthorizationManager into 7.0.x
2 parents 2eb948d + 1116241 commit 151bcf3

2 files changed

Lines changed: 25 additions & 1 deletion


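--- a/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
@@ -69,7 +69,11 @@ private boolean isGranted(Authentication authentication, Collection<String> auth
 
 private boolean isAuthorized(Authentication authentication, Collection<String> authorities) {
 for (GrantedAuthority grantedAuthority : getGrantedAuthorities(authentication)) {
-if (authorities.contains(grantedAuthority.getAuthority())) {
+String authority = grantedAuthority.getAuthority();
+if (authority == null) {
+continue;
+}
+if (authorities.contains(authority)) {
 return true;
 }
 }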
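Review bot: The new `if (authority == null) { continue; }` guard carries no explanation of why a null authority can appear here, so a later maintainer may take it for dead code and remove it. A short comment above it would preserve the intent, e.g. `// GrantedAuthority#getAuthority() may return null for authorities that cannot be represented as a String; such entries can never match and would throw on null-hostile collections such as Set.of(...)`. The body of isAuthorized, including its final return, continues outside the hunk.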

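--- a/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
+++ b/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
@@ -17,7 +17,9 @@
 package org.springframework.security.authorization;
 
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
+import java.util.Set;
 import java.util.function.Supplier;
 
 import org.junit.jupiter.api.Test;
@@ -30,11 +32,13 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
+import static org.assertj.core.api.Assertions.assertThatNullPointerException;
 
 /**
 * Tests for {@link AuthoritiesAuthorizationManager}.
 *
 * @author Evgeniy Cheban
+* @author Khyojae
 */
 class AuthoritiesAuthorizationManagerTests {
 
@@ -83,4 +87,20 @@ void checkWhenRoleHierarchySetThenGreaterRoleTakesPrecedence() {
 assertThat(manager.authorize(authentication, Collections.singleton("ROLE_USER")).isGranted()).isTrue();
 }
 
+@Test
+// gh-18543
+void authorizeWhenAuthorityIsNullThenDoesNotThrowNullPointerException() {
+AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
+
+Authentication authentication = new TestingAuthenticationToken("user", "password",
+Collections.singletonList(() -> null));
+
+Collection<String> authoritiesContainsThrowsNPE = Set.of("ROLE_USER");
+
+// must be Collection that throws NPE when .contains(null) is invoked
+// to replicate the issue in gh-18543
+assertThatNullPointerException().isThrownBy(() -> authoritiesContainsThrowsNPE.contains(null));
+assertThat(manager.authorize(() -> authentication, authoritiesContainsThrowsNPE).isGranted()).isFalse();
+}
+
 }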
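Review bot: The added test only covers a principal whose sole authority is null, so it does not show that the `continue` in the fix keeps evaluating later authorities rather than denying the request outright; a regression that replaced `continue` with `return false` would still pass it. A companion test with a null authority followed by a matching one would pin that behaviour, and can reuse the existing `Arrays` import and the null-hostile `Set.of(...)` collection. The authorities list should infer `List<GrantedAuthority>` from the constructor parameter, as the existing `Collections.singletonList(() -> null)` call already does.

```java
@Test
void authorizeWhenAuthorityIsNullThenRemainingAuthoritiesAreStillChecked() {
	AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
	Authentication authentication = new TestingAuthenticationToken("user", "password",
			Arrays.asList(() -> null, () -> "ROLE_USER"));
	assertThat(manager.authorize(() -> authentication, Set.of("ROLE_USER")).isGranted()).isTrue();
}
```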
