Add Null Guard for Setting ReactiveUserDetailsPasswordService

This use case specifically arises when using `ReactiveUserDetailsService` without `ReactiveUserDetailsPasswordService`. Closes gh-17986 Signed-off-by: Ronny Perinke <23166289+sephiroth-j@users.noreply.github.com>
2026-03-11 00:54:32 +00:00 · 2025-12-08 21:22:06 +01:00 · 2025-12-08 21:22:06 +01:00 · e8e0da1ec6
commit e8e0da1ec6
parent 2f81d2d99e
2 changed files with 24 additions and 2 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.java
@ -255,7 +255,9 @@ class ServerHttpSecurityConfiguration {
 			if (this.passwordEncoder != null) {
 				manager.setPasswordEncoder(this.passwordEncoder);
 			}
-			manager.setUserDetailsPasswordService(this.userDetailsPasswordService);
+			if (this.userDetailsPasswordService != null) {
+				manager.setUserDetailsPasswordService(this.userDetailsPasswordService);
+			}
 			manager.setCompromisedPasswordChecker(this.compromisedPasswordChecker);
 			return this.postProcessor.postProcess(manager);
 		}
--- a/config/src/test/java/org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfigurationTests.java
@ -107,7 +107,7 @@ public class ServerHttpSecurityConfigurationTests {
 	}

 	@Test
-	public void loadConfigWhenReactiveUserDetailsServiceConfiguredThenServerHttpSecurityExists() {
+	public void loadConfigWhenReactiveUserAuthenticationServiceConfiguredThenServerHttpSecurityExists() {
 		this.spring
 			.register(ServerHttpSecurityConfiguration.class, ReactiveAuthenticationTestConfiguration.class,
 					WebFluxSecurityConfiguration.class)
@ -116,6 +116,16 @@ public class ServerHttpSecurityConfigurationTests {
 		assertThat(serverHttpSecurity).isNotNull();
 	}

+	@Test
+	public void loadConfigWhenOnlyReactiveUserDetailsServiceConfiguredThenServerHttpSecurityExists() {
+		this.spring
+			.register(ServerHttpSecurityConfiguration.class, ReactiveUserDetailsServiceOnlyTestConfiguration.class,
+					WebFluxSecurityConfiguration.class)
+			.autowire();
+		ServerHttpSecurity serverHttpSecurity = this.spring.getContext().getBean(ServerHttpSecurity.class);
+		assertThat(serverHttpSecurity).isNotNull();
+	}
+
 	@Test
 	public void loadConfigWhenProxyingEnabledAndSubclassThenServerHttpSecurityExists() {
 		this.spring
@ -581,4 +591,14 @@ public class ServerHttpSecurityConfigurationTests {

 	}

+	@Configuration(proxyBeanMethods = false)
+	static class ReactiveUserDetailsServiceOnlyTestConfiguration {
+
+		@Bean
+		static ReactiveUserDetailsService userDetailsService() {
+			return (username) -> Mono.just(PasswordEncodedUser.user());
+		}
+
+	}
+
 }