From 9cf563891419f09d93c9cfb12155a7785e5673e8 Mon Sep 17 00:00:00 2001
From: chanbinme
Date: Sun, 15 Jun 2025 23:50:38 +0900
Subject: [PATCH] Add null check for authentication token in JwtAuthenticationProvider

Add Assert.notNull validation to ensure the authentication token returned by jwtAuthenticationConverter is not null, preventing potential NullPointerException in subsequent operations.

Signed-off-by: chanbinme
---
 .../JwtAuthenticationProvider.java | 1 +
 .../JwtAuthenticationProviderTests.java | 16 ++++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProvider.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProvider.java
index cdca4ffc0c..95d7574eb4 100644
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProvider.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProvider.java
@@ -87,6 +87,7 @@ public final class JwtAuthenticationProvider implements AuthenticationProvider {
 		BearerTokenAuthenticationToken bearer = (BearerTokenAuthenticationToken) authentication;
 		Jwt jwt = getJwt(bearer);
 		AbstractAuthenticationToken token = this.jwtAuthenticationConverter.convert(jwt);
+		Assert.notNull(token, "token cannot be null");
 		if (token.getDetails() == null) {
 			token.setDetails(bearer.getDetails());
 		}
diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProviderTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProviderTests.java
index b4438ba28f..6c5912df10
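Review bot: The added `Assert.notNull` throws `IllegalArgumentException`, which is not an `AuthenticationException`, so a converter that returns null now surfaces as an unhandled server error rather than an authentication failure; that is defensible for a misconfigured converter, but the message "token cannot be null" is ambiguous because in this method `bearer` is also a token, and an operator reading the log may conclude the incoming bearer token was missing. Name the actual culprit, e.g. `Assert.notNull(token, "jwtAuthenticationConverter returned null for the given Jwt");`, and adjust the test's `withMessageContaining` to match. Behaviour still fails closed either way, since the previous code would have thrown `NullPointerException` on `token.getDetails()` at the same point. No import hunk appears for `org.springframework.util.Assert`, so it is presumably already imported by this class; worth confirming. The enclosing `authenticate` method starts and ends outside the hunk.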
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProviderTests.java
+++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProviderTests.java
@@ -35,8 +35,7 @@ import org.springframework.security.oauth2.jwt.JwtException;
 import org.springframework.security.oauth2.jwt.TestJwts;
 import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
 
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.assertj.core.api.Assertions.*;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
 
@@ -152,6 +151,19 @@ public class JwtAuthenticationProviderTests {
 		// @formatter:on
 	}
 
+	@Test
+	public void authenticateWhenConverterReturnsNullThenThrowException() {
+		BearerTokenAuthenticationToken token = this.authentication();
+		Jwt jwt = TestJwts.jwt().build();
+		given(this.jwtDecoder.decode("token")).willReturn(jwt);
+		given(this.jwtAuthenticationConverter.convert(jwt)).willReturn(null);
+		// @formatter:off
+		assertThatIllegalArgumentException()
+			.isThrownBy(() -> this.provider.authenticate(token))
+			.withMessageContaining("token cannot be null");
+		// @formatter:on
+	}
+
 	@Test
 	public void supportsWhenBearerTokenAuthenticationTokenThenReturnsTrue() {
 		assertThat(this.provider.supports(BearerTokenAuthenticationToken.class)).isTrue();
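Review bot: The two explicit AssertJ static imports are replaced by the wildcard `import static org.assertj.core.api.Assertions.*;`, which hides which assertions the test relies on and is likely to be rejected by this project's checkstyle rules against star imports. Keep the existing `assertThat` and `assertThatExceptionOfType` imports and add only the new one, `import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;`.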
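Review bot: The new test's name `authenticateWhenConverterReturnsNullThenThrowException` does not say which exception is expected, unlike the sibling tests in this class that name the outcome in the third person; renaming it `authenticateWhenConverterReturnsNullThenThrowsIllegalArgumentException` matches that convention and documents the contract the assertion pins. The assertion on the message text also couples the test to the exact `Assert.notNull` wording, so any later rewording of the message in `JwtAuthenticationProvider` must update this test in the same commit.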