AuthorizationWebFilter handles null Authentication

If the AuthorizationManager used the Authentication and the Authentication
was null, the AuthorizationWebFilter would produce a NullPointerException.

This commit fixes the test to ensure that Authentication is subscribed to
and ensures that the Authentication is not null

Fixes: gh-4966
Rob Winch 2018-01-22 15:16:32 -06:00
parent e6cac604f3
commit 6a0833165a
2 changed files with 2 additions and 1 deletions


@ -40,6 +40,7 @@ public class AuthorizationWebFilter implements WebFilter {
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
return ReactiveSecurityContextHolder.getContext()
.filter(c -> c.getAuthentication() != null)
.map(SecurityContext::getAuthentication)
.as(authentication -> this.accessDecisionManager.verify(authentication, exchange))
.switchIfEmpty(chain.filter(exchange));
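Review bot: With the null filter on `c.getAuthentication()` (presumably the line this hunk adds), an unauthenticated request hands the manager an empty `Mono<Authentication>`, and whatever `verify` returns still flows into `.switchIfEmpty(chain.filter(exchange))`. If a manager builds its decision only by mapping over that Mono, as the updated test lambda `a.flatMap(auth -> Mono.error(...))` does, the result would complete empty and the chain would continue, so a missing Authentication could be treated as granted rather than denied; whether that happens depends on the `verify` contract, which is not visible here. I would state the contract at the call site, e.g. `// verify() must signal AccessDeniedException when the authentication Mono is empty; an empty result continues the chain`, and add a test asserting that the chain is not subscribed when the Authentication is null. The method's closing brace lies outside the hunk.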


@ -63,7 +63,7 @@ public class AuthorizationWebFilterTests {
@Test
public void filterWhenNoAuthenticationThenThrowsAccessDenied() {
when(this.chain.filter(this.exchange)).thenReturn(this.chainResult.mono());
AuthorizationWebFilter filter = new AuthorizationWebFilter((a, e) -> Mono.error(new AccessDeniedException("Denied")));
AuthorizationWebFilter filter = new AuthorizationWebFilter((a, e) -> a.flatMap(auth -> Mono.error(new AccessDeniedException("Denied"))));
Mono<Void> result = filter
.filter(this.exchange, this.chain)