SEC-3128: RoleVoter supports null Authentication

10 years ago · edd2751ff1
2 changed files with 13 additions and 0 deletions
--- a/core/src/main/java/org/springframework/security/access/vote/RoleVoter.java
+++ b/core/src/main/java/org/springframework/security/access/vote/RoleVoter.java
@ -95,6 +95,9 @@ public class RoleVoter implements AccessDecisionVoter<Object> {
				@@ -95,6 +95,9 @@ public class RoleVoter implements AccessDecisionVoter<Object> {

 	public int vote(Authentication authentication, Object object,
 			Collection<ConfigAttribute> attributes) {
+		if(authentication == null) {
+			return ACCESS_DENIED;
+		}
 		int result = ACCESS_ABSTAIN;
 		Collection<? extends GrantedAuthority> authorities = extractAuthorities(authentication);

--- a/core/src/test/java/org/springframework/security/access/vote/RoleVoterTests.java
+++ b/core/src/test/java/org/springframework/security/access/vote/RoleVoterTests.java
@ -1,5 +1,6 @@
				@@ -1,5 +1,6 @@
 package org.springframework.security.access.vote;

+import static org.fest.assertions.Assertions.assertThat;
 import static org.junit.Assert.*;

 import org.junit.Test;
@ -22,4 +23,13 @@ public class RoleVoterTests {
				@@ -22,4 +23,13 @@ public class RoleVoterTests {
 		assertEquals(AccessDecisionVoter.ACCESS_GRANTED,
 				voter.vote(userAB, this, SecurityConfig.createList("A", "C")));
 	}
+
+	// SEC-3128
+	@Test
+	public void nullAuthenticationDenies() {
+		RoleVoter voter = new RoleVoter();
+		voter.setRolePrefix("");
+		Authentication notAuthenitcated = null;
+		assertThat(voter.vote(notAuthenitcated, this, SecurityConfig.createList("A"))).isEqualTo(AccessDecisionVoter.ACCESS_DENIED);
+	}
 }