From de7cbc82b5af286d3763438ef656d72b1f50e744 Mon Sep 17 00:00:00 2001
From: Eleftheria Stein <eleftheria.kousathana@gmail.com>
Date: Wed, 23 Oct 2019 15:10:39 -0400
Subject: [PATCH] Clarify in Javadoc that expressionHandler should not be null

Fixes: gh-2665
---
 .../annotation/web/builders/WebSecurity.java  |  8 ++++----
 .../WebSecurityConfigurationTests.java        | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
index a09ecc9c3d..e08b1eae97 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
@@ -204,8 +204,8 @@ public final class WebSecurity extends
 	}
 
 	/**
-	 * Set the {@link WebInvocationPrivilegeEvaluator} to be used. If this is null, then a
-	 * {@link DefaultWebInvocationPrivilegeEvaluator} will be created when
+	 * Set the {@link WebInvocationPrivilegeEvaluator} to be used. If this is not specified,
+	 * then a {@link DefaultWebInvocationPrivilegeEvaluator} will be created when
 	 * {@link #securityInterceptor(FilterSecurityInterceptor)} is non null.
 	 *
 	 * @param privilegeEvaluator the {@link WebInvocationPrivilegeEvaluator} to use
@@ -218,8 +218,8 @@ public final class WebSecurity extends
 	}
 
 	/**
-	 * Set the {@link SecurityExpressionHandler} to be used. If this is null, then a
-	 * {@link DefaultWebSecurityExpressionHandler} will be used.
+	 * Set the {@link SecurityExpressionHandler} to be used. If this is not specified,
+	 * then a {@link DefaultWebSecurityExpressionHandler} will be used.
 	 *
 	 * @param expressionHandler the {@link SecurityExpressionHandler} to use
 	 * @return the {@link WebSecurity} for further customizations
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
index 230d3839d9..c27fca6201 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java
@@ -253,6 +253,25 @@ public class WebSecurityConfigurationTests {
 		}
 	}
 
+	@Test
+	public void loadConfigWhenSecurityExpressionHandlerIsNullThenException() {
+		Throwable thrown = catchThrowable(() ->
+				this.spring.register(NullWebSecurityExpressionHandlerConfig.class).autowire()
+		);
+
+		assertThat(thrown).isInstanceOf(BeanCreationException.class);
+		assertThat(thrown).hasRootCauseExactlyInstanceOf(IllegalArgumentException.class);
+	}
+
+	@EnableWebSecurity
+	static class NullWebSecurityExpressionHandlerConfig extends WebSecurityConfigurerAdapter {
+
+		@Override
+		public void configure(WebSecurity web) {
+			web.expressionHandler(null);
+		}
+	}
+
 	@Test
 	public void loadConfigWhenDefaultSecurityExpressionHandlerThenDefaultIsRegistered() {
 		this.spring.register(WebSecurityExpressionHandlerDefaultsConfig.class).autowire();