Merge pull request #18544 from Khyojae/gh-18543

rwinch · web-flow · commit d29c984881ed · 2026-02-23T11:16:42.000-06:00
Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager
diff --git a/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
@@ -67,7 +67,11 @@ private boolean isGranted(Authentication authentication, Collection<String> auth
 
 	private boolean isAuthorized(Authentication authentication, Collection<String> authorities) {
 		for (GrantedAuthority grantedAuthority : getGrantedAuthorities(authentication)) {
-			if (authorities.contains(grantedAuthority.getAuthority())) {
+			String authority = grantedAuthority.getAuthority();
+			if (authority == null) {
+				continue;
+			}
+			if (authorities.contains(authority)) {
 				return true;
 			}
 		}
diff --git a/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
@@ -17,7 +17,9 @@
 package org.springframework.security.authorization;
 
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
+import java.util.Set;
 import java.util.function.Supplier;
 
 import org.junit.jupiter.api.Test;
@@ -30,11 +32,13 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
+import static org.assertj.core.api.Assertions.assertThatNullPointerException;
 
 /**
  * Tests for {@link AuthoritiesAuthorizationManager}.
  *
  * @author Evgeniy Cheban
+ * @author Khyojae
  */
 class AuthoritiesAuthorizationManagerTests {
 
@@ -84,4 +88,20 @@ void checkWhenRoleHierarchySetThenGreaterRoleTakesPrecedence() {
 		assertThat(manager.check(authentication, Collections.singleton("ROLE_USER")).isGranted()).isTrue();
 	}
 
+	@Test
+	// gh-18543
+	void authorizeWhenAuthorityIsNullThenDoesNotThrowNullPointerException() {
+		AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
+
+		Authentication authentication = new TestingAuthenticationToken("user", "password",
+				Collections.singletonList(() -> null));
+
+		Collection<String> authoritiesContainsThrowsNPE = Set.of("ROLE_USER");
+
+		// must be Collection that throws NPE when .contains(null) is invoked
+		// to replicate the issue in gh-18543
+		assertThatNullPointerException().isThrownBy(() -> authoritiesContainsThrowsNPE.contains(null));
+		assertThat(manager.authorize(() -> authentication, authoritiesContainsThrowsNPE).isGranted()).isFalse();
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,11 @@ private boolean isGranted(Authentication authentication, Collection<String> auth`
`67`	`67`
`68`	`68`	`private boolean isAuthorized(Authentication authentication, Collection<String> authorities) {`
`69`	`69`	`for (GrantedAuthority grantedAuthority : getGrantedAuthorities(authentication)) {`
`70`		`- if (authorities.contains(grantedAuthority.getAuthority())) {`
	`70`	`+ String authority = grantedAuthority.getAuthority();`
	`71`	`+ if (authority == null) {`
	`72`	`+ continue;`
	`73`	`+ }`
	`74`	`+ if (authorities.contains(authority)) {`
`71`	`75`	`return true;`
`72`	`76`	`}`
`73`	`77`	`}`