SEC-162: Properly handle null Authentication.

2006-01-28 01:24:52 +00:00 · 2006-01-28 01:24:52 +00:00 · 0c89822c56
parent c8c7c24822
commit 0c89822c56
1 changed files with 1 additions and 4 deletions
--- a/core/src/main/java/org/acegisecurity/intercept/method/MethodInvocationPrivilegeEvaluator.java
+++ b/core/src/main/java/org/acegisecurity/intercept/method/MethodInvocationPrivilegeEvaluator.java
@ -64,9 +64,6 @@ public class MethodInvocationPrivilegeEvaluator implements InitializingBean {
    }

    public boolean isAllowed(MethodInvocation mi, Authentication authentication) {
-        Assert.notNull(authentication, "Authentication required");
-        Assert.notNull(authentication.getAuthorities(),
-            "Authentication must provided non-null GrantedAuthority[]s");
        Assert.notNull(mi, "MethodInvocation required");
        Assert.notNull(mi.getMethod(),
            "MethodInvocation must provide a non-null getMethod()");
@ -82,7 +79,7 @@ public class MethodInvocationPrivilegeEvaluator implements InitializingBean {
            return true;
        }

-        if (authentication == null) {
+        if (authentication == null || authentication.getAuthorities() == null || authentication.getAuthorities().length == 0) {
            return false;
        }