Merge Fix: Handle null authority string in AuthoritiesAuthorizationManager into 7.0.x

2026-02-24 22:25:18 +00:00 · 2026-02-23 10:51:39 -06:00 · 2026-02-23 10:51:39 -06:00 · 151bcf3b0b
commit 151bcf3b0b
parent 2eb948d9b5 1116241ee3
2 changed files with 25 additions and 1 deletions
--- a/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
@ -69,7 +69,11 @@ public final class AuthoritiesAuthorizationManager implements AuthorizationManag

 	private boolean isAuthorized(Authentication authentication, Collection<String> authorities) {
 		for (GrantedAuthority grantedAuthority : getGrantedAuthorities(authentication)) {
-			if (authorities.contains(grantedAuthority.getAuthority())) {
+			String authority = grantedAuthority.getAuthority();
+			if (authority == null) {
+				continue;
+			}
+			if (authorities.contains(authority)) {
 				return true;
 			}
 		}
--- a/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
+++ b/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
@ -17,7 +17,9 @@
 package org.springframework.security.authorization;

 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
+import java.util.Set;
 import java.util.function.Supplier;

 import org.junit.jupiter.api.Test;
@ -30,11 +32,13 @@ import org.springframework.security.core.Authentication;

 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
+import static org.assertj.core.api.Assertions.assertThatNullPointerException;

 /**
 * Tests for {@link AuthoritiesAuthorizationManager}.
 *
 * @author Evgeniy Cheban
+ * @author Khyojae
 */
 class AuthoritiesAuthorizationManagerTests {

@ -83,4 +87,20 @@ class AuthoritiesAuthorizationManagerTests {
 		assertThat(manager.authorize(authentication, Collections.singleton("ROLE_USER")).isGranted()).isTrue();
 	}

+	@Test
+	// gh-18543
+	void authorizeWhenAuthorityIsNullThenDoesNotThrowNullPointerException() {
+		AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
+
+		Authentication authentication = new TestingAuthenticationToken("user", "password",
+				Collections.singletonList(() -> null));
+
+		Collection<String> authoritiesContainsThrowsNPE = Set.of("ROLE_USER");
+
+		// must be Collection that throws NPE when .contains(null) is invoked
+		// to replicate the issue in gh-18543
+		assertThatNullPointerException().isThrownBy(() -> authoritiesContainsThrowsNPE.contains(null));
+		assertThat(manager.authorize(() -> authentication, authoritiesContainsThrowsNPE).isGranted()).isFalse();
+	}
+
 }