Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-29 15:22:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

AuthorizationManagerWebInvocationPrivilegeEvaluator grant access when AuthorizationManager abstains

Browse Source 
Closes gh-10950
This commit is contained in:
Marcus Da Coregio 2022-03-09 15:20:14 -03:00
parent 35ac1dd71e
commit 44508df940
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
View File

@ -51,7 +51,7 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implement
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method); FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
AuthorizationDecision decision = this.authorizationManager.check(() -> authentication, AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,
filterInvocation.getHttpRequest()); filterInvocation.getHttpRequest());
return decision != null && decision.isGranted(); return decision == null || decision.isGranted();
} }
} }

7
web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
View File

@ -65,4 +65,11 @@ public class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
assertThat(allowed).isFalse(); assertThat(allowed).isFalse();
} }
@Test
public void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() {
given(this.authorizationManager.check(any(), any())).willReturn(null);
boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
assertThat(allowed).isTrue();
}
} }