Clarify in Javadoc that expressionHandler should not be null

Fixes: gh-2665
6 years ago · de7cbc82b5
2 changed files with 23 additions and 4 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
@ -204,8 +204,8 @@ public final class WebSecurity extends
				@@ -204,8 +204,8 @@ public final class WebSecurity extends
 	}

 	/**
-	 * Set the {@link WebInvocationPrivilegeEvaluator} to be used. If this is null, then a
-	 * {@link DefaultWebInvocationPrivilegeEvaluator} will be created when
+	 * Set the {@link WebInvocationPrivilegeEvaluator} to be used. If this is not specified,
+	 * then a {@link DefaultWebInvocationPrivilegeEvaluator} will be created when
 	 * {@link #securityInterceptor(FilterSecurityInterceptor)} is non null.
 	 *
 	 * @param privilegeEvaluator the {@link WebInvocationPrivilegeEvaluator} to use
@ -218,8 +218,8 @@ public final class WebSecurity extends
				@@ -218,8 +218,8 @@ public final class WebSecurity extends
 	}

 	/**
-	 * Set the {@link SecurityExpressionHandler} to be used. If this is null, then a
-	 * {@link DefaultWebSecurityExpressionHandler} will be used.
+	 * Set the {@link SecurityExpressionHandler} to be used. If this is not specified,
+	 * then a {@link DefaultWebSecurityExpressionHandler} will be used.
 	 *
 	 * @param expressionHandler the {@link SecurityExpressionHandler} to use
 	 * @return the {@link WebSecurity} for further customizations
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
@ -253,6 +253,25 @@ public class WebSecurityConfigurationTests {
				@@ -253,6 +253,25 @@ public class WebSecurityConfigurationTests {
 		}
 	}

+	@Test
+	public void loadConfigWhenSecurityExpressionHandlerIsNullThenException() {
+		Throwable thrown = catchThrowable(() ->
+				this.spring.register(NullWebSecurityExpressionHandlerConfig.class).autowire()
+		);
+
+		assertThat(thrown).isInstanceOf(BeanCreationException.class);
+		assertThat(thrown).hasRootCauseExactlyInstanceOf(IllegalArgumentException.class);
+	}
+
+	@EnableWebSecurity
+	static class NullWebSecurityExpressionHandlerConfig extends WebSecurityConfigurerAdapter {
+
+		@Override
+		public void configure(WebSecurity web) {
+			web.expressionHandler(null);
+		}
+	}
+
 	@Test
 	public void loadConfigWhenDefaultSecurityExpressionHandlerThenDefaultIsRegistered() {
 		this.spring.register(WebSecurityExpressionHandlerDefaultsConfig.class).autowire();