Mark GrantedAuthority#getAuthority as @Nullable

Closes: gh-17999 Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2025-11-10 19:48:50 +00:00 · 2025-10-11 18:42:33 +03:00 · 2025-10-11 18:42:33 +03:00 · 9b61533db2
commit 9b61533db2
parent eb43830260
6 changed files with 15 additions and 7 deletions
--- a/core/src/main/java/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManager.java
@ -99,7 +99,7 @@ public final class AllRequiredFactorsAuthorizationManager<T> implements Authoriz
 	private @Nullable RequiredFactorError requiredFactorError(RequiredFactor requiredFactor,
 			List<GrantedAuthority> currentFactors) {
 		Optional<GrantedAuthority> matchingAuthority = currentFactors.stream()
-			.filter((authority) -> authority.getAuthority().equals(requiredFactor.getAuthority()))
+			.filter((authority) -> Objects.equals(authority.getAuthority(), requiredFactor.getAuthority()))
 			.findFirst();
 		if (!matchingAuthority.isPresent()) {
 			return RequiredFactorError.createMissing(requiredFactor);
--- a/core/src/main/java/org/springframework/security/authorization/AuthorityReactiveAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/AuthorityReactiveAuthorizationManager.java
@ -17,6 +17,7 @@
 package org.springframework.security.authorization;

 import java.util.List;
+import java.util.Objects;

 import reactor.core.publisher.Mono;

@ -47,8 +48,8 @@ public class AuthorityReactiveAuthorizationManager<T> implements ReactiveAuthori
 		// @formatter:off
 		return authentication.filter(Authentication::isAuthenticated)
 				.flatMapIterable(Authentication::getAuthorities)
-				.map(GrantedAuthority::getAuthority)
-				.any((grantedAuthority) -> this.authorities.stream().anyMatch((authority) -> authority.getAuthority().equals(grantedAuthority)))
+				.mapNotNull(GrantedAuthority::getAuthority)
+				.any((grantedAuthority) -> this.authorities.stream().anyMatch((authority) -> Objects.equals(authority.getAuthority(), grantedAuthority)))
 				.map((granted) -> ((AuthorizationResult) new AuthorityAuthorizationDecision(granted, this.authorities)))
 				.defaultIfEmpty(new AuthorityAuthorizationDecision(false, this.authorities));
 		// @formatter:on
--- a/core/src/main/java/org/springframework/security/core/GrantedAuthority.java
+++ b/core/src/main/java/org/springframework/security/core/GrantedAuthority.java
@ -18,6 +18,8 @@ package org.springframework.security.core;

 import java.io.Serializable;

+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.authorization.AuthorizationManager;

 /**
@ -46,6 +48,6 @@ public interface GrantedAuthority extends Serializable {
 	 * granted authority cannot be expressed as a <code>String</code> with sufficient
 	 * precision).
 	 */
-	String getAuthority();
+	@Nullable String getAuthority();

 }
--- a/core/src/main/java/org/springframework/security/core/authority/mapping/SimpleAuthorityMapper.java
+++ b/core/src/main/java/org/springframework/security/core/authority/mapping/SimpleAuthorityMapper.java
@ -64,7 +64,10 @@ public final class SimpleAuthorityMapper implements GrantedAuthoritiesMapper, In
 	public Set<GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
 		HashSet<GrantedAuthority> mapped = new HashSet<>(authorities.size());
 		for (GrantedAuthority authority : authorities) {
-			mapped.add(mapAuthority(authority.getAuthority()));
+			String authorityStr = authority.getAuthority();
+			if (authorityStr != null) {
+				mapped.add(mapAuthority(authorityStr));
+			}
 		}
 		if (this.defaultAuthority != null) {
 			mapped.add(this.defaultAuthority);
--- a/test/src/main/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchers.java
+++ b/test/src/main/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchers.java
@ -281,7 +281,8 @@ public final class SecurityMockMvcResultMatchers {
 			for (String role : roles) {
 				withPrefix.add(new SimpleGrantedAuthority(rolePrefix + role));
 			}
-			this.ignoreAuthorities = (authority) -> !authority.getAuthority().startsWith(rolePrefix);
+			this.ignoreAuthorities = (authority) -> (authority.getAuthority() != null
+					&& !authority.getAuthority().startsWith(rolePrefix));
 			return withAuthorities(withPrefix);
 		}

--- a/web/src/main/java/org/springframework/security/web/access/DelegatingMissingAuthorityAccessDeniedHandler.java
+++ b/web/src/main/java/org/springframework/security/web/access/DelegatingMissingAuthorityAccessDeniedHandler.java
@ -162,6 +162,7 @@ public final class DelegatingMissingAuthorityAccessDeniedHandler implements Acce
 		if (authorizationResult instanceof AuthorityAuthorizationDecision authorityDecision) {
 			// @formatter:off
 			return authorityDecision.getAuthorities().stream()
+					.filter((ga) -> ga.getAuthority() != null)
 					.map((grantedAuthority) -> {
 					String authority = grantedAuthority.getAuthority();
 					if (authority.startsWith("FACTOR_")) {