diff --git a/acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java b/acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java
index 34e62babb5..4753f973f4 100644
--- a/acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java
+++ b/acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java
@@ -93,11 +93,17 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
 && ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
 return;
 }
- // Not authorized by ACL ownership; try via adminstrative permissions
- GrantedAuthority requiredAuthority = getRequiredAuthority(changeType);
 // Iterate this principal's authorities to determine right
 Set authorities = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
+ if (acl.getOwner() instanceof GrantedAuthoritySid
+ && authorities.contains(((GrantedAuthoritySid) acl.getOwner()).getGrantedAuthority())) {
+ return;
+ }
+
+ // Not authorized by ACL ownership; try via adminstrative permissions
+ GrantedAuthority requiredAuthority = getRequiredAuthority(changeType);
+
 if (authorities.contains(requiredAuthority.getAuthority())) {
 return;
 }
diff --git a/acl/src/test/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImplTests.java b/acl/src/test/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImplTests.java
index e1b06b7418..992a036569 100644
--- a/acl/src/test/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImplTests.java
+++ b/acl/src/test/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImplTests.java
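Review bot: The new GrantedAuthoritySid owner check returns for every changeType, whereas the PrincipalSid owner check three lines above it only short-circuits for CHANGE_GENERAL and CHANGE_OWNERSHIP, so a role-owned ACL now lets any holder of that role pass a CHANGE_AUDITING check without the auditing authority. If that asymmetry is not intended, mirror the existing guard: `if (acl.getOwner() instanceof GrantedAuthoritySid && authorities.contains(((GrantedAuthoritySid) acl.getOwner()).getGrantedAuthority()) && (changeType == CHANGE_GENERAL || changeType == CHANGE_OWNERSHIP)) {`. The moved comment still reads `adminstrative`; `administrative` would fix the typo while the line is being touched. securityCheck begins and ends outside this hunk.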
@@ -31,6 +31,8 @@ import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
+import static org.mockito.BDDMockito.given;
+
 /**
 * @author Rob Winch
 *
@@ -66,6 +68,14 @@ public class AclAuthorizationStrategyImplTests {
 this.strategy.securityCheck(this.acl, AclAuthorizationStrategy.CHANGE_GENERAL);
 }
+ // gh-9425
+ @Test
+ public void securityCheckWhenAclOwnedByGrantedAuthority() {
+ given(this.acl.getOwner()).willReturn(new GrantedAuthoritySid("ROLE_AUTH"));
+ this.strategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_SYSTEM_ADMIN"));
+ this.strategy.securityCheck(this.acl, AclAuthorizationStrategy.CHANGE_GENERAL);
+ }
+
 @SuppressWarnings("serial")
 class CustomAuthority implements GrantedAuthority {
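Review bot: securityCheckWhenAclOwnedByGrantedAuthority exercises only the granting path; the authorities carried by the authentication are configured outside this hunk, so the test alone cannot show that the pass depends on the principal holding ROLE_AUTH rather than on ROLE_SYSTEM_ADMIN or on mock defaults. A companion case that returns an owner Sid for an authority the principal does not hold and expects AccessDeniedException would pin the denial side, and a CHANGE_AUDITING variant would document whether role ownership is meant to cover auditing changes. The enclosing test class continues outside the hunk.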