
Fix Nullability in WebInvocationPrivilegeEvaluator

Issue gh-17535
pull/17191/merge
Rob Winch 4 months ago
parent
commit
f13d8d5c75
No known key found for this signature in database
  1. 4
      web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
  2. 4
      web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java
  3. 5
      web/src/main/java/org/springframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java
  4. 6
      web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java

4
web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java

@ -50,13 +50,13 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
} }
@Override @Override
public boolean isAllowed(String uri, Authentication authentication) { public boolean isAllowed(String uri, @Nullable Authentication authentication) {
return isAllowed(null, uri, null, authentication); return isAllowed(null, uri, null, authentication);
} }
@Override @Override
public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method, public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,
Authentication authentication) { @Nullable Authentication authentication) {
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext); FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest()); HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest());
AuthorizationResult result = this.authorizationManager.authorize(() -> authentication, httpRequest); AuthorizationResult result = this.authorizationManager.authorize(() -> authentication, httpRequest);
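Review bot: With `authentication` now `@Nullable` on both overloads, the supplier `() -> authentication` passed to `this.authorizationManager.authorize(...)` can yield null, and nothing visible in this hunk records how that case is decided. For a privilege evaluator the safe reading is that a null authentication is an unauthenticated caller and is denied unless the matched rule permits everyone; a comment above the call would pin that down, e.g. `// authentication may be null (no current user); the manager must treat a null supplier result as unauthenticated`. The same applies to `DefaultWebInvocationPrivilegeEvaluator.isAllowed`, whose handling of the value lies outside its hunk. A test calling `isAllowed(uri, null)` against a rule that requires authentication would keep the deny behaviour from regressing. The method body continues past the end of this hunk.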

4
web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java

@ -65,7 +65,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
* be used) * be used)
*/ */
@Override @Override
public boolean isAllowed(String uri, Authentication authentication) { public boolean isAllowed(String uri, @Nullable Authentication authentication) {
return isAllowed(null, uri, null, authentication); return isAllowed(null, uri, null, authentication);
} }
@ -88,7 +88,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
*/ */
@Override @Override
public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method, public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,
Authentication authentication) { @Nullable Authentication authentication) {
Assert.notNull(uri, "uri parameter is required"); Assert.notNull(uri, "uri parameter is required");
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext); FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
Collection<ConfigAttribute> attributes = this.securityInterceptor.obtainSecurityMetadataSource() Collection<ConfigAttribute> attributes = this.securityInterceptor.obtainSecurityMetadataSource()

5
web/src/main/java/org/springframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java

@ -73,7 +73,7 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
* @return true if access is allowed, false if denied * @return true if access is allowed, false if denied
*/ */
@Override @Override
public boolean isAllowed(String uri, Authentication authentication) { public boolean isAllowed(String uri, @Nullable Authentication authentication) {
List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(null, uri, null); List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(null, uri, null);
if (privilegeEvaluators.isEmpty()) { if (privilegeEvaluators.isEmpty()) {
return true; return true;
@ -106,7 +106,8 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
* @return true if access is allowed, false if denied * @return true if access is allowed, false if denied
*/ */
@Override @Override
public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) { public boolean isAllowed(String contextPath, String uri, @Nullable String method,
@Nullable Authentication authentication) {
List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(contextPath, uri, method); List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(contextPath, uri, method);
if (privilegeEvaluators.isEmpty()) { if (privilegeEvaluators.isEmpty()) {
return true; return true;
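Review bot: `contextPath` is left unannotated in the four-argument `isAllowed` here while `method` and `authentication` gain `@Nullable`, which disagrees with `AuthorizationManagerWebInvocationPrivilegeEvaluator` and `DefaultWebInvocationPrivilegeEvaluator`, both of which declare `@Nullable String contextPath`. The two-argument overload in this class calls `getDelegate(null, uri, null)`, so a null context path appears to be an accepted input, although `getDelegate`'s signature is not visible on this page. If that holds, the first line of the signature should read `public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,` and the declaration in `WebInvocationPrivilegeEvaluator` should match, so callers going through the interface get the same contract as the implementations. Both method bodies continue outside their hunks.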

6
web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java

@ -16,6 +16,8 @@
package org.springframework.security.web.access; package org.springframework.security.web.access;
import org.jspecify.annotations.Nullable;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
/** /**
@ -35,7 +37,7 @@ public interface WebInvocationPrivilegeEvaluator {
* @param uri the URI excluding the context path (a default context path setting will * @param uri the URI excluding the context path (a default context path setting will
* be used) * be used)
*/ */
boolean isAllowed(String uri, Authentication authentication); boolean isAllowed(String uri, @Nullable Authentication authentication);
/** /**
* Determines whether the user represented by the supplied <tt>Authentication</tt> * Determines whether the user represented by the supplied <tt>Authentication</tt>
@ -58,6 +60,6 @@ public interface WebInvocationPrivilegeEvaluator {
* be used in evaluation whether access should be granted. * be used in evaluation whether access should be granted.
* @return true if access is allowed, false if denied * @return true if access is allowed, false if denied
*/ */
boolean isAllowed(String contextPath, String uri, String method, Authentication authentication); boolean isAllowed(String contextPath, String uri, @Nullable String method, @Nullable Authentication authentication);
} }
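Review bot: The Javadoc of both `isAllowed` declarations should say what a null `authentication` means now that the parameter is `@Nullable`; the text visible in these hunks still speaks only of "the user represented by the supplied Authentication". Without a stated contract, implementations of this interface are free to differ on whether the null case is denied, which matters for an access decision. Something like `@param authentication the user to evaluate, or {@code null} when there is no current user; access that requires authentication is then denied` would cover it, with the wording confirmed against the three implementations changed in this commit.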
