AuthorizationManagerWebInvocationPrivilegeEvaluator grant access when AuthorizationManager abstains

Closes gh-10950
2022-03-09 15:20:14 -03:00 · 2022-03-09 15:20:14 -03:00 · 44508df940
parent 35ac1dd71e
commit 44508df940
2 changed files with 8 additions and 1 deletions
--- a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
+++ b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
@ -51,7 +51,7 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implement
 		FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
 		AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,
 				filterInvocation.getHttpRequest());
-		return decision != null && decision.isGranted();
+		return decision == null || decision.isGranted();
 	}

 }
--- a/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
@ -65,4 +65,11 @@ public class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
 		assertThat(allowed).isFalse();
 	}

+	@Test
+	public void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() {
+		given(this.authorizationManager.check(any(), any())).willReturn(null);
+		boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
+		assertThat(allowed).isTrue();
+	}
+
 }