Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-01 09:42:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

AuthorizationManagerWebInvocationPrivilegeEvaluator grant access when AuthorizationManager abstains

Browse Source 
Closes gh-10950
This commit is contained in:
Marcus Da Coregio 2022-03-09 15:20:14 -03:00
parent 660da6f4a0
commit 8c94c2e15a
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
View File

@ -51,7 +51,7 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implement
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method); FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
AuthorizationDecision decision = this.authorizationManager.check(() -> authentication, AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,
filterInvocation.getHttpRequest()); filterInvocation.getHttpRequest());
return decision != null && decision.isGranted(); return decision == null || decision.isGranted();
} }
} }

7
web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
View File

@ -65,4 +65,11 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
assertThat(allowed).isFalse(); assertThat(allowed).isFalse();
} }
@Test
void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() {
given(this.authorizationManager.check(any(), any())).willReturn(null);
boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
assertThat(allowed).isTrue();
}
} }