From 6a0833165accdc947d2b10d2bc98de066c5a3d2d Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Mon, 22 Jan 2018 15:16:32 -0600
Subject: [PATCH] AuthorizationWebFilter handles null Authentication

If the AuthorizationManager used the Authentication and the Authentication was null the AuthorizationWebFilter would produce a NullPointerException

This commit fixes the test to ensure that Authentication is subscribed to and ensures that the Authentication is not null

Fixes: gh-4966
---
 .../web/server/authorization/AuthorizationWebFilter.java | 1 +
 .../web/server/authorization/AuthorizationWebFilterTests.java | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/server/authorization/AuthorizationWebFilter.java b/web/src/main/java/org/springframework/security/web/server/authorization/AuthorizationWebFilter.java
index 2eda425d44..7884343123 100644
--- a/web/src/main/java/org/springframework/security/web/server/authorization/AuthorizationWebFilter.java
+++ b/web/src/main/java/org/springframework/security/web/server/authorization/AuthorizationWebFilter.java
@@ -40,6 +40,7 @@ public class AuthorizationWebFilter implements WebFilter {
 @Override
 public Mono filter(ServerWebExchange exchange, WebFilterChain chain) {
 return ReactiveSecurityContextHolder.getContext()
+ .filter(c -> c.getAuthentication() != null)
 .map(SecurityContext::getAuthentication)
 .as(authentication -> this.accessDecisionManager.verify(authentication, exchange))
 .switchIfEmpty(chain.filter(exchange));
diff --git a/web/src/test/java/org/springframework/security/web/server/authorization/AuthorizationWebFilterTests.java b/web/src/test/java/org/springframework/security/web/server/authorization/AuthorizationWebFilterTests.java
index dd5566baa9..6f49d4a3fc 100644
--- a/web/src/test/java/org/springframework/security/web/server/authorization/AuthorizationWebFilterTests.java
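Review bot: With the added `.filter(c -> c.getAuthentication() != null)` a missing Authentication reaches `accessDecisionManager.verify(...)` as an empty Mono, and nothing in this hunk states that `verify` must treat that empty Mono as a denial. This matters because an empty completion from `verify` falls through to `.switchIfEmpty(chain.filter(exchange))`, so a manager that only reacts to an emitted Authentication (the `a.flatMap(...)` lambda in the AuthorizationWebFilterTests hunk has that shape) would presumably let the exchange continue unless `verify` itself supplies the denial; the `verify` implementation is not visible here. I would document the contract at the call site, e.g. `// null Authentication -> empty Mono; verify() must deny on empty, because an empty result continues the chain`. The test should also assert that the chain was never subscribed, if the part of the test outside the hunk does not already do so.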
+++ b/web/src/test/java/org/springframework/security/web/server/authorization/AuthorizationWebFilterTests.java
@@ -63,7 +63,7 @@ public class AuthorizationWebFilterTests {
 @Test
 public void filterWhenNoAuthenticationThenThrowsAccessDenied() {
 when(this.chain.filter(this.exchange)).thenReturn(this.chainResult.mono());
- AuthorizationWebFilter filter = new AuthorizationWebFilter((a, e) -> Mono.error(new AccessDeniedException("Denied")));
+ AuthorizationWebFilter filter = new AuthorizationWebFilter((a, e) -> a.flatMap(auth -> Mono.error(new AccessDeniedException("Denied"))));
 Mono result = filter
 .filter(this.exchange, this.chain)