From dbe270f1322b68de30d69bc684c2b0f988a40234 Mon Sep 17 00:00:00 2001
From: Luke Taylor <luke.taylor@springsource.com>
Date: Mon, 20 Dec 2010 16:50:11 +0000
Subject: [PATCH] SEC-1641: Correct code and test for null groupSearchBase.

---
 .../ldap/userdetails/DefaultLdapAuthoritiesPopulator.java   | 6 ++++--
 .../populator/DefaultLdapAuthoritiesPopulatorTests.java     | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ldap/src/main/java/org/springframework/security/ldap/userdetails/DefaultLdapAuthoritiesPopulator.java b/ldap/src/main/java/org/springframework/security/ldap/userdetails/DefaultLdapAuthoritiesPopulator.java
index 2b6c3684b8..faad03d503 100644
--- a/ldap/src/main/java/org/springframework/security/ldap/userdetails/DefaultLdapAuthoritiesPopulator.java
+++ b/ldap/src/main/java/org/springframework/security/ldap/userdetails/DefaultLdapAuthoritiesPopulator.java
@@ -146,7 +146,9 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
         ldapTemplate.setSearchControls(searchControls);
         this.groupSearchBase = groupSearchBase;
 
-        if (groupSearchBase.length() == 0) {
+        if (groupSearchBase == null) {
+            logger.info("groupSearchBase is null. No group search will be performed.");
+        } else if (groupSearchBase.length() == 0) {
             logger.info("groupSearchBase is empty. Searches will be performed from the context source base");
         }
     }
@@ -200,7 +202,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
 
     public Set<GrantedAuthority> getGroupMembershipRoles(String userDn, String username) {
         if (getGroupSearchBase() == null) {
-            return Collections.emptySet();
+            return new HashSet<GrantedAuthority>();
         }
 
         Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
diff --git a/ldap/src/test/java/org/springframework/security/ldap/populator/DefaultLdapAuthoritiesPopulatorTests.java b/ldap/src/test/java/org/springframework/security/ldap/populator/DefaultLdapAuthoritiesPopulatorTests.java
index c79240a6d5..d5088981ed 100644
--- a/ldap/src/test/java/org/springframework/security/ldap/populator/DefaultLdapAuthoritiesPopulatorTests.java
+++ b/ldap/src/test/java/org/springframework/security/ldap/populator/DefaultLdapAuthoritiesPopulatorTests.java
@@ -58,7 +58,7 @@ public class DefaultLdapAuthoritiesPopulatorTests extends AbstractLdapIntegratio
 
     @Test
     public void nullSearchBaseIsAccepted() throws Exception {
-        populator = new DefaultLdapAuthoritiesPopulator(getContextSource(), "ou=groups");
+        populator = new DefaultLdapAuthoritiesPopulator(getContextSource(), null);
         populator.setDefaultRole("ROLE_USER");
 
         Collection<GrantedAuthority> authorities = populator.getGrantedAuthorities(