From 8c94c2e15a5ac330afb291fa0ec8d1f978f21bd5 Mon Sep 17 00:00:00 2001
From: Marcus Da Coregio
Date: Wed, 9 Mar 2022 15:20:14 -0300
Subject: [PATCH] AuthorizationManagerWebInvocationPrivilegeEvaluator grant access when AuthorizationManager abstains
Closes gh-10950
---
 ...uthorizationManagerWebInvocationPrivilegeEvaluator.java | 2 +-
 ...izationManagerWebInvocationPrivilegeEvaluatorTests.java | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
index 6f3f067eb9..516ea5ada1 100644
--- a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
+++ b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
@@ -51,7 +51,7 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implement
 FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
 AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,
 filterInvocation.getHttpRequest());
- return decision != null && decision.isGranted();
+ return decision == null || decision.isGranted();
 }
 
 }
diff --git a/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java b/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
index 9e24dd490f..4453cffe92 100644
--- a/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
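Review bot: The rewritten return, `return decision == null || decision.isGranted();`, turns an abstaining AuthorizationManager (a null AuthorizationDecision) into a grant, which is fail-open, and nothing on the line or in the surrounding code records that this is deliberate, so a later maintainer reading `decision == null ||` is likely to "fix" it back to the conservative form. Add a line comment such as `// a null decision means the manager abstained; treat it as a grant so this evaluator never reports a URL as denied when the enforcing filter would let the request through` and say the same in the method's Javadoc (the signature sits above the hunk, outside this view), including the consequence that a manager which abstains on every request makes every URL appear accessible. Presumably this is meant to mirror how AuthorizationFilter handles a null decision; that should be confirmed rather than assumed, because this evaluator is typically consulted to decide whether to render links and it must not be more permissive than the filter that actually enforces access.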
@@ -65,4 +65,11 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
 assertThat(allowed).isFalse();
 }
 
+ @Test
+ void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() {
+ given(this.authorizationManager.check(any(), any())).willReturn(null);
+ boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
+ assertThat(allowed).isTrue();
+ }
+
 }