GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge pull request Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager 

Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager
pull/18786/head
Rob Winch 4 weeks ago committed by GitHub
parent
ea1b3d819b cfb3bf38d8
commit
b451739b5c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 25 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
  2. 20
      core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java

6
core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
Unescape View File

@ -69,7 +69,11 @@ public final class AuthoritiesAuthorizationManager implements AuthorizationManag @@ -69,7 +69,11 @@ public final class AuthoritiesAuthorizationManager implements AuthorizationManag
private boolean isAuthorized(Authentication authentication, Collection<String> authorities) {
for (GrantedAuthority grantedAuthority : getGrantedAuthorities(authentication)) {
if (authorities.contains(grantedAuthority.getAuthority())) {
String authority = grantedAuthority.getAuthority();
if (authority == null) {
continue;
}
if (authorities.contains(authority)) {
return true;
}
}

20
core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
Unescape View File

@ -17,7 +17,9 @@ @@ -17,7 +17,9 @@
package org.springframework.security.authorization;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import java.util.function.Supplier;
import org.junit.jupiter.api.Test;
@ -30,11 +32,13 @@ import org.springframework.security.core.Authentication; @@ -30,11 +32,13 @@ import org.springframework.security.core.Authentication;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.assertj.core.api.Assertions.assertThatNullPointerException;
/**
* Tests for {@link AuthoritiesAuthorizationManager}.
*
* @author Evgeniy Cheban
* @author Khyojae
*/
class AuthoritiesAuthorizationManagerTests {
@ -83,4 +87,20 @@ class AuthoritiesAuthorizationManagerTests { @@ -83,4 +87,20 @@ class AuthoritiesAuthorizationManagerTests {
assertThat(manager.authorize(authentication, Collections.singleton("ROLE_USER")).isGranted()).isTrue();
}
@Test
// gh-18543
void authorizeWhenAuthorityIsNullThenDoesNotThrowNullPointerException() {
AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
Authentication authentication = new TestingAuthenticationToken("user", "password",
Collections.singletonList(() -> null));
Collection<String> authoritiesContainsThrowsNPE = Set.of("ROLE_USER");
// must be Collection that throws NPE when .contains(null) is invoked
// to replicate the issue in gh-18543
assertThatNullPointerException().isThrownBy(() -> authoritiesContainsThrowsNPE.contains(null));
assertThat(manager.authorize(() -> authentication, authoritiesContainsThrowsNPE).isGranted()).isFalse();
}
}

Write Preview
Loading…
Cancel
Save