SEC-688: java.lang.NullPointerException in AbstractAuthenticationToken.equals()

http://jira.springframework.org/browse/SEC-688

core/src/main/java/org/springframework/security/providers/AbstractAuthenticationToken.java

@@ -110,9 +110,16 @@ public abstract class AbstractAuthenticationToken implements Authentication {
             if ((this.getCredentials() != null) && !this.getCredentials().equals(test.getCredentials())) {
                 return false;
             }
+            
+            if (this.getPrincipal() == null && test.getPrincipal() != null) {
+                return false;
+            }
 
-            return (this.getPrincipal().equals(test.getPrincipal())
-                    && (this.isAuthenticated() == test.isAuthenticated()));
+            if (this.getPrincipal() != null && !this.getPrincipal().equals(test.getPrincipal())) {
+                return false;
+            }            
+            
+            return this.isAuthenticated() == test.isAuthenticated();
         }
 
         return false;

core/src/test/java/org/springframework/security/providers/x509/X509AuthenticationTokenTests.java

@@ -45,4 +45,8 @@ public class X509AuthenticationTokenTests extends TestCase {
         token.setAuthenticated(true);
         assertTrue(token.isAuthenticated());
     }
+
+    public void testEquals() throws Exception {
+        assertEquals(X509TestUtils.createToken(), X509TestUtils.createToken());
+    }
 }

core/src/test/java/org/springframework/security/providers/x509/X509TestUtils.java

@@ -100,8 +100,7 @@ public class X509TestUtils {
         return (X509Certificate) cf.generateCertificate(in);
     }
 
-    public static X509AuthenticationToken createToken()
-        throws Exception {
+    public static X509AuthenticationToken createToken() throws Exception {
         return new X509AuthenticationToken(buildTestCertificate());
     }
 }