Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-10-23 10:48:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix Nullability in WebInvocationPrivilegeEvaluator

Browse Source 
Issue gh-17535
This commit is contained in:
Rob Winch 2025-08-30 20:38:58 -05:00
parent 1216ee598f
commit f13d8d5c75
No known key found for this signature in database
4 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
View File

@ -50,13 +50,13 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
}
@Override
public boolean isAllowed(String uri, Authentication authentication) {
public boolean isAllowed(String uri, @Nullable Authentication authentication) {
return isAllowed(null, uri, null, authentication);
}
@Override
public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,
Authentication authentication) {
@Nullable Authentication authentication) {
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest());
AuthorizationResult result = this.authorizationManager.authorize(() -> authentication, httpRequest);

4
web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java
View File

@ -65,7 +65,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
* be used)
*/
@Override
public boolean isAllowed(String uri, Authentication authentication) {
public boolean isAllowed(String uri, @Nullable Authentication authentication) {
return isAllowed(null, uri, null, authentication);
}
@ -88,7 +88,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
*/
@Override
public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,
Authentication authentication) {
@Nullable Authentication authentication) {
Assert.notNull(uri, "uri parameter is required");
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
Collection<ConfigAttribute> attributes = this.securityInterceptor.obtainSecurityMetadataSource()

5
web/src/main/java/org/springframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java
View File

@ -73,7 +73,7 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
* @return true if access is allowed, false if denied
*/
@Override
public boolean isAllowed(String uri, Authentication authentication) {
public boolean isAllowed(String uri, @Nullable Authentication authentication) {
List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(null, uri, null);
if (privilegeEvaluators.isEmpty()) {
return true;
@ -106,7 +106,8 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
* @return true if access is allowed, false if denied
*/
@Override
public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
public boolean isAllowed(String contextPath, String uri, @Nullable String method,
@Nullable Authentication authentication) {
List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(contextPath, uri, method);
if (privilegeEvaluators.isEmpty()) {
return true;

6
web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java
View File

@ -16,6 +16,8 @@
package org.springframework.security.web.access;
import org.jspecify.annotations.Nullable;
import org.springframework.security.core.Authentication;
/**
@ -35,7 +37,7 @@ public interface WebInvocationPrivilegeEvaluator {
* @param uri the URI excluding the context path (a default context path setting will
* be used)
*/
boolean isAllowed(String uri, Authentication authentication);
boolean isAllowed(String uri, @Nullable Authentication authentication);
/**
* Determines whether the user represented by the supplied <tt>Authentication</tt>
@ -58,6 +60,6 @@ public interface WebInvocationPrivilegeEvaluator {
* be used in evaluation whether access should be granted.
* @return true if access is allowed, false if denied
*/
boolean isAllowed(String contextPath, String uri, String method, Authentication authentication);
boolean isAllowed(String contextPath, String uri, @Nullable String method, @Nullable Authentication authentication);
}