Fix: Handle null authority string in AuthoritiesAuthorizationManager

This prevents NPE when GrantedAuthority.getAuthority() returns null. Closes gh-18543 Signed-off-by: Khyojae <khjae201@gmail.com>
2 months ago · d87dc9ae57
2 changed files with 20 additions and 2 deletions
--- a/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
@ -67,7 +67,11 @@ public final class AuthoritiesAuthorizationManager implements AuthorizationManag
				@@ -67,7 +67,11 @@ public final class AuthoritiesAuthorizationManager implements AuthorizationManag

 	private boolean isAuthorized(Authentication authentication, Collection<String> authorities) {
 		for (GrantedAuthority grantedAuthority : getGrantedAuthorities(authentication)) {
-			if (authorities.contains(grantedAuthority.getAuthority())) {
+			String authority = grantedAuthority.getAuthority();
+			if (authority == null) {
+				continue;
+			}
+			if (authorities.contains(authority)) {
 				return true;
 			}
 		}
--- a/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
+++ b/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
@ -14,9 +14,11 @@
				@@ -14,9 +14,11 @@
 * limitations under the License.
 */

+
 package org.springframework.security.authorization;

 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.function.Supplier;

@ -35,6 +37,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
				@@ -35,6 +37,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
 * Tests for {@link AuthoritiesAuthorizationManager}.
 *
 * @author Evgeniy Cheban
+ * @author Khyojae
 */
 class AuthoritiesAuthorizationManagerTests {

@ -42,7 +45,7 @@ class AuthoritiesAuthorizationManagerTests {
				@@ -42,7 +45,7 @@ class AuthoritiesAuthorizationManagerTests {
 	void setRoleHierarchyWhenNullThenIllegalArgumentException() {
 		AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
 		assertThatIllegalArgumentException().isThrownBy(() -> manager.setRoleHierarchy(null))
-			.withMessage("roleHierarchy cannot be null");
+				.withMessage("roleHierarchy cannot be null");
 	}

 	@Test
@ -84,4 +87,15 @@ class AuthoritiesAuthorizationManagerTests {
				@@ -84,4 +87,15 @@ class AuthoritiesAuthorizationManagerTests {
 		assertThat(manager.check(authentication, Collections.singleton("ROLE_USER")).isGranted()).isTrue();
 	}

+	@Test
+	void authorizeWhenAuthorityIsNullThenDoesNotThrowNullPointerException() {
+		AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
+
+		Authentication authentication = new TestingAuthenticationToken("user", "password",
+				Collections.singletonList(() -> null));
+
+		Collection<String> authorities = Collections.singleton("ROLE_USER");
+
+		assertThat(manager.authorize(() -> authentication, authorities).isGranted()).isFalse();
+	}
 }