Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-10-23 10:48:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix Nullability in WebInvocationPrivilegeEvaluator

Browse Source 
Issue gh-17535
This commit is contained in:
Rob Winch 2025-08-30 20:38:58 -05:00
parent 1216ee598f
commit f13d8d5c75
No known key found for this signature in database
4 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
View File

@ -50,13 +50,13 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
} }
@Override @Override
public boolean isAllowed(String uri, Authentication authentication) { public boolean isAllowed(String uri, @Nullable Authentication authentication) {
return isAllowed(null, uri, null, authentication); return isAllowed(null, uri, null, authentication);
} }
@Override @Override
public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method, public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,
Authentication authentication) { @Nullable Authentication authentication) {
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext); FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest()); HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest());
AuthorizationResult result = this.authorizationManager.authorize(() -> authentication, httpRequest); AuthorizationResult result = this.authorizationManager.authorize(() -> authentication, httpRequest);

4
web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java
View File

@ -65,7 +65,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
* be used) * be used)
*/ */
@Override @Override
public boolean isAllowed(String uri, Authentication authentication) { public boolean isAllowed(String uri, @Nullable Authentication authentication) {
return isAllowed(null, uri, null, authentication); return isAllowed(null, uri, null, authentication);
} }
@ -88,7 +88,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
*/ */
@Override @Override
public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method, public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,
Authentication authentication) { @Nullable Authentication authentication) {
Assert.notNull(uri, "uri parameter is required"); Assert.notNull(uri, "uri parameter is required");
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext); FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
Collection<ConfigAttribute> attributes = this.securityInterceptor.obtainSecurityMetadataSource() Collection<ConfigAttribute> attributes = this.securityInterceptor.obtainSecurityMetadataSource()

5
web/src/main/java/org/springframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java
View File

@ -73,7 +73,7 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
* @return true if access is allowed, false if denied * @return true if access is allowed, false if denied
*/ */
@Override @Override
public boolean isAllowed(String uri, Authentication authentication) { public boolean isAllowed(String uri, @Nullable Authentication authentication) {
List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(null, uri, null); List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(null, uri, null);
if (privilegeEvaluators.isEmpty()) { if (privilegeEvaluators.isEmpty()) {
return true; return true;
@ -106,7 +106,8 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
* @return true if access is allowed, false if denied * @return true if access is allowed, false if denied
*/ */
@Override @Override
public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) { public boolean isAllowed(String contextPath, String uri, @Nullable String method,
@Nullable Authentication authentication) {
List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(contextPath, uri, method); List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(contextPath, uri, method);
if (privilegeEvaluators.isEmpty()) { if (privilegeEvaluators.isEmpty()) {
return true; return true;

6
web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java
View File

@ -16,6 +16,8 @@
package org.springframework.security.web.access; package org.springframework.security.web.access;
import org.jspecify.annotations.Nullable;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
/** /**
@ -35,7 +37,7 @@ public interface WebInvocationPrivilegeEvaluator {
* @param uri the URI excluding the context path (a default context path setting will * @param uri the URI excluding the context path (a default context path setting will
* be used) * be used)
*/ */
boolean isAllowed(String uri, Authentication authentication); boolean isAllowed(String uri, @Nullable Authentication authentication);
/** /**
* Determines whether the user represented by the supplied <tt>Authentication</tt> * Determines whether the user represented by the supplied <tt>Authentication</tt>
@ -58,6 +60,6 @@ public interface WebInvocationPrivilegeEvaluator {
* be used in evaluation whether access should be granted. * be used in evaluation whether access should be granted.
* @return true if access is allowed, false if denied * @return true if access is allowed, false if denied
*/ */
boolean isAllowed(String contextPath, String uri, String method, Authentication authentication); boolean isAllowed(String contextPath, String uri, @Nullable String method, @Nullable Authentication authentication);
} }