From d87dc9ae576053beaab7223ddcb64d86e8bba2ad Mon Sep 17 00:00:00 2001
From: Khyojae
Date: Thu, 22 Jan 2026 03:48:06 +0900
Subject: [PATCH 1/2] Fix: Handle null authority string in AuthoritiesAuthorizationManager

This prevents NPE when GrantedAuthority.getAuthority() returns null.

Closes gh-18543

Signed-off-by: Khyojae
---
 .../AuthoritiesAuthorizationManager.java | 6 +++++-
 .../AuthoritiesAuthorizationManagerTests.java | 16 +++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
index 6d8b891a61..a7f469bda3 100644
--- a/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java
@@ -67,7 +67,11 @@ public final class AuthoritiesAuthorizationManager implements AuthorizationManag
 private boolean isAuthorized(Authentication authentication, Collection authorities) {
 for (GrantedAuthority grantedAuthority : getGrantedAuthorities(authentication)) {
- if (authorities.contains(grantedAuthority.getAuthority())) {
+ String authority = grantedAuthority.getAuthority();
+ if (authority == null) {
+ continue;
+ }
+ if (authorities.contains(authority)) {
 return true;
 }
 }
diff --git a/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
index 052c289776..0364f5f7e6 100644
--- a/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
+++ b/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
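Review bot: The new `continue` on the null-authority branch drops the authority without any trace, which is the safe fail-closed outcome here but reads like an accidental skip to the next maintainer; I would add `// a null authority has no String form to match against, so it cannot grant access (and null-hostile collections such as Set.of throw on contains(null))` above `if (authority == null)`. The guard only covers this loop: `getGrantedAuthorities(authentication)` is outside the hunk, and if a configured role hierarchy dereferences `getAuthority()` while expanding reachable authorities, the same null would surface there before this check ever runs, so a test that calls `setRoleHierarchy` with the same null authority would be worth adding. `isAuthorized` continues past the end of the hunk; its remaining body is not shown.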
@@ -14,9 +14,11 @@
 * limitations under the License.
 */
 
+
 package org.springframework.security.authorization;
 
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.function.Supplier;
 
@@ -35,6 +37,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
 * Tests for {@link AuthoritiesAuthorizationManager}.
 *
 * @author Evgeniy Cheban
+ * @author Khyojae
 */
 class AuthoritiesAuthorizationManagerTests {
 
@@ -42,7 +45,7 @@ class AuthoritiesAuthorizationManagerTests {
 void setRoleHierarchyWhenNullThenIllegalArgumentException() {
 AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
 assertThatIllegalArgumentException().isThrownBy(() -> manager.setRoleHierarchy(null))
- .withMessage("roleHierarchy cannot be null");
+ .withMessage("roleHierarchy cannot be null");
 }
 
 @Test
@@ -84,4 +87,15 @@ class AuthoritiesAuthorizationManagerTests {
 assertThat(manager.check(authentication, Collections.singleton("ROLE_USER")).isGranted()).isTrue();
 }
 
+ @Test
+ void authorizeWhenAuthorityIsNullThenDoesNotThrowNullPointerException() {
+ AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
+
+ Authentication authentication = new TestingAuthenticationToken("user", "password",
+ Collections.singletonList(() -> null));
+
+ Collection authorities = Collections.singleton("ROLE_USER");
+
+ assertThat(manager.authorize(() -> authentication, authorities).isGranted()).isFalse();
+ }
 }

From 1116241ee30767efb9554af71a66aa4084f870a4 Mon Sep 17 00:00:00 2001
From: Robert Winch <362503+rwinch@users.noreply.github.com>
Date: Mon, 23 Feb 2026 10:47:11 -0600
Subject: [PATCH 2/2] Fix Checks for NullPointerException in AuthoritiesAuthorizationManager

- Fix checkstyle
- Fix the test to use Collection that throws NullPointerException on .contains(null) to replicate the reported issue

Closes gh-18544
Signed-off-by: Robert Winch <362503+rwinch@users.noreply.github.com>
---
 .../AuthoritiesAuthorizationManagerTests.java | 14 ++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
index 0364f5f7e6..a08a095f0b 100644
--- a/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
+++ b/core/src/test/java/org/springframework/security/authorization/AuthoritiesAuthorizationManagerTests.java
@@ -14,12 +14,12 @@
 * limitations under the License.
 */
 
-
 package org.springframework.security.authorization;
 
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Set;
 import java.util.function.Supplier;
 
 import org.junit.jupiter.api.Test;
@@ -32,6 +32,7 @@ import org.springframework.security.core.Authentication;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
+import static org.assertj.core.api.Assertions.assertThatNullPointerException;
 
 /**
 * Tests for {@link AuthoritiesAuthorizationManager}.
@@ -45,7 +46,7 @@ class AuthoritiesAuthorizationManagerTests {
 void setRoleHierarchyWhenNullThenIllegalArgumentException() {
 AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
 assertThatIllegalArgumentException().isThrownBy(() -> manager.setRoleHierarchy(null))
- .withMessage("roleHierarchy cannot be null");
+ .withMessage("roleHierarchy cannot be null");
 }
 
 @Test
@@ -88,14 +89,19 @@ class AuthoritiesAuthorizationManagerTests {
 }
 
 @Test
+ // gh-18543
 void authorizeWhenAuthorityIsNullThenDoesNotThrowNullPointerException() {
 AuthoritiesAuthorizationManager manager = new AuthoritiesAuthorizationManager();
 
 Authentication authentication = new TestingAuthenticationToken("user", "password",
 Collections.singletonList(() -> null));
 
- Collection authorities = Collections.singleton("ROLE_USER");
+ Collection authoritiesContainsThrowsNPE = Set.of("ROLE_USER");
 
- assertThat(manager.authorize(() -> authentication, authorities).isGranted()).isFalse();
+ // must be Collection that throws NPE when .contains(null) is invoked
+ // to replicate the issue in gh-18543
+ assertThatNullPointerException().isThrownBy(() -> authoritiesContainsThrowsNPE.contains(null));
+ assertThat(manager.authorize(() -> authentication, authoritiesContainsThrowsNPE).isGranted()).isFalse();
 }
+
 }
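Review bot: The new `assertThat(manager.authorize(() -> authentication, authoritiesContainsThrowsNPE).isGranted()).isFalse()` exercises only a default manager, so a null authority is shown to be tolerated on the direct path but not once a role hierarchy is configured via `setRoleHierarchy`, where `getGrantedAuthorities` (not visible here) may dereference `getAuthority()` before the fixed loop runs; a second test with a hierarchy set and the same `() -> null` authority would close that gap. The `assertThatNullPointerException().isThrownBy(() -> authoritiesContainsThrowsNPE.contains(null))` precondition is a good guard against the fixture silently degrading if `Set.of` is later swapped for a null-tolerant collection, and is worth keeping. As a style point, the `// gh-18543` comment sits between `@Test` and the method signature; placing it directly above `@Test` matches the usual placement of issue references in test suites like this one, if that is indeed the convention here.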