SEC-1792: Fixed NullPointerException in RunAsUserToken#toString()

core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java

@@ -71,7 +71,8 @@ public class RunAsUserToken extends AbstractAuthenticationToken {
 
     public String toString() {
         StringBuilder sb = new StringBuilder(super.toString());
-        sb.append("; Original Class: ").append(this.originalAuthentication.getName());
+        String className = this.originalAuthentication == null ? null : this.originalAuthentication.getName();
+        sb.append("; Original Class: ").append(className);
 
         return sb.toString();
     }

core/src/test/java/org/springframework/security/access/intercept/RunAsUserTokenTests.java

@@ -58,6 +58,13 @@ public class RunAsUserTokenTests extends TestCase {
     public void testToString() {
         RunAsUserToken token = new RunAsUserToken("my_password", "Test", "Password",
                 AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO"), UsernamePasswordAuthenticationToken.class);
-        assertTrue(token.toString().lastIndexOf("Original Class:") != -1);
+        assertTrue(token.toString().lastIndexOf("Original Class: "+UsernamePasswordAuthenticationToken.class.getName().toString()) != -1);
+    }
+
+    // SEC-1792
+    public void testToStringNullOriginalAuthentication() {
+        RunAsUserToken token = new RunAsUserToken("my_password", "Test", "Password",
+                AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO"), null);
+        assertTrue(token.toString().lastIndexOf("Original Class: null") != -1);
     }
 }