From d87dc9ae576053beaab7223ddcb64d86e8bba2ad Mon Sep 17 00:00:00 2001
From: Khyojae
Date: Thu, 22 Jan 2026 03:48:06 +0900
Subject: [PATCH] Fix: Handle null authority string in AuthoritiesAuthorizationManager

This prevents NPE when GrantedAuthority.getAuthority() returns null.

Closes gh-18543

Signed-off-by: Khyojae
---
 .../AuthoritiesAuthorizationManager.java | 6 +++++-
 .../AuthoritiesAuthorizationManagerTests.java | 16 +++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
index 6d8b891a61..a7f469bda3 100644
--- a/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
@@ -67,7 +67,11 @@ public final class AuthoritiesAuthorizationManager implements AuthorizationManag
 private boolean isAuthorized(Authentication authentication, Collection authorities) {
 for (GrantedAuthority grantedAuthority : getGrantedAuthorities(authentication)) {
- if (authorities.contains(grantedAuthority.getAuthority())) {
+ String authority = grantedAuthority.getAuthority();
+ if (authority == null) {
+ continue;
+ }
+ if (authorities.contains(authority)) {
 return true;
 }
 }
diff --git a/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
index 052c289776..0364f5f7e6 100644
--- a/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
+++ b/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
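Review bot: The new `continue` on a null authority is the right fail-closed outcome, but it is silent and the reason is not recorded in the code; add a why-comment above the null check, `// GrantedAuthority.getAuthority() may return null when the authority cannot be expressed as a String; such an authority can never match a configured String and must never count as a grant.` Stating it also documents that the guard keeps `authorities.contains(...)` away from a null-hostile collection (for example one built with `Set.of`), which would otherwise fail with a different exception than the one this commit fixes. The same check fits in one condition if preferred: `if (authority != null && authorities.contains(authority)) {`. The method's trailing `return false` is outside the hunk.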
@@ -14,9 +14,11 @@
 * limitations under the License.
 */
+
 package org.springframework.security.authorization;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.function.Supplier;
@@ -35,6 +37,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
 * Tests for {@link AuthoritiesAuthorizationManager}.
 *
 * @author Evgeniy Cheban
+ * @author Khyojae
 */
 class AuthoritiesAuthorizationManagerTests {
@@ -42,7 +45,7 @@ class AuthoritiesAuthorizationManagerTests {
 void setRoleHierarchyWhenNullThenIllegalArgumentException() {
 AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
 assertThatIllegalArgumentException().isThrownBy(() -> manager.setRoleHierarchy(null))
- .withMessage("roleHierarchy cannot be null");
+ .withMessage("roleHierarchy cannot be null");
 }
 @Test
@@ -84,4 +87,15 @@ class AuthoritiesAuthorizationManagerTests {
 assertThat(manager.check(authentication, Collections.singleton("ROLE_USER")).isGranted()).isTrue();
 }
+ @Test
+ void authorizeWhenAuthorityIsNullThenDoesNotThrowNullPointerException() {
+ AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
+
+ Authentication authentication = new TestingAuthenticationToken("user", "password",
+ Collections.singletonList(() -> null));
+
+ Collection authorities = Collections.singleton("ROLE_USER");
+
+ assertThat(manager.authorize(() -> authentication, authorities).isGranted()).isFalse();
+ }
 }
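Review bot: The first hunk appears to add a bare `+` line between the license header's `*/` and the `package` declaration, which is an unrelated whitespace change on top of the needed `import java.util.Collection;` and, judging by the old/new counts, would leave two blank lines where the rest of the file has one. The re-indentation of `.withMessage("roleHierarchy cannot be null");` in the third hunk is likewise whitespace-only noise in a fix commit. Both should be dropped so the diff contains only the null-handling change and its test; if the formatter requires the `.withMessage` indent, that belongs in a separate formatting commit.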
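Review bot: The new test only proves that a lone null authority is denied without throwing; it does not exercise the `continue`, so a regression that replaced it with `return false` would still pass. Add a second case in which a null authority precedes a matching one and assert the decision is granted, which pins the loop-continues behaviour the fix introduces. This needs `GrantedAuthority` (already used by the main class) and `SimpleGrantedAuthority` imported in the test file if they are not already.
```java
@Test
void authorizeWhenNullAuthorityPrecedesMatchingAuthorityThenGranted() {
	AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
	GrantedAuthority nullAuthority = () -> null;
	Authentication authentication = new TestingAuthenticationToken("user", "password",
			Arrays.asList(nullAuthority, new SimpleGrantedAuthority("ROLE_USER")));
	assertThat(manager.authorize(() -> authentication, Collections.singleton("ROLE_USER")).isGranted()).isTrue();
}
```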