Spring Security
SEC-1155: Potential NPEs in RoleVoter and RoleHierarchyVoter

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M2
    • Component/s: Core
    • Labels: None

      Description

      The implementations of RoleVoter and RoleHierarchyVoter can throw an NPE if called with a null authentication object. It may sometimes be desirable to call AccessDecisionManager.decide() with a null parameter, e.g. see my comment under SEC-884 for one such case where it can be used to implement the ifNotGranted feature correctly.

      These problems can be fixed trivially as follows:

      In RoleVoter.java:

      GrantedAuthority[] extractAuthorities(Authentication authentication) {
          // A null Authentication contributes no authorities instead of throwing an NPE
          return authentication != null ? authentication.getAuthorities() : new GrantedAuthority[]{};
      }

      In RoleHierarchyVoter.java:

      GrantedAuthority[] extractAuthorities(Authentication authentication) {
          // super.extractAuthorities() already handles the null case, so no check is needed here
          return roleHierarchy.getReachableGrantedAuthorities(super.extractAuthorities(authentication));
      }

      The latter method can do the null check itself rather than calling super, but this way there is less repetition, although arguably it's less clear what is happening.


          Activity

          Luke Taylor added a comment -

          As per the discussion in SEC-884, I've clarified in the Javadoc for AccessDecisionManager that the contract of the decide() method should not allow a null Authentication object. So anything calling it should check first.

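The two approaches discussed in this issue, the reporter's null-safe extractAuthorities() and the resolution's caller-side contract check, side by side in a self-contained Java program. This is an added example, not code from the Spring Security project: the GrantedAuthority and Authentication interfaces, the voter classes and the decide() method are minimal stand-ins constructed here to mirror the shape of the 2.0-era API, not the real org.springframework.security types.

```java
import java.util.Objects;

public class NullAuthenticationDemo {

    // Constructed stand-ins for the Spring Security 2.0 types involved; the real
    // interfaces live in org.springframework.security and carry more methods.
    interface GrantedAuthority { String getAuthority(); }

    interface Authentication { GrantedAuthority[] getAuthorities(); }

    static final class SimpleAuthority implements GrantedAuthority {
        private final String role;
        SimpleAuthority(String role) { this.role = role; }
        public String getAuthority() { return role; }
    }

    /** Voter as reported: dereferences the Authentication without a null check. */
    static class UnsafeRoleVoter {
        GrantedAuthority[] extractAuthorities(Authentication authentication) {
            return authentication.getAuthorities(); // throws NPE when authentication == null
        }
    }

    /** Voter with the reporter's fix: a null Authentication yields no authorities. */
    static class NullSafeRoleVoter {
        GrantedAuthority[] extractAuthorities(Authentication authentication) {
            return authentication != null ? authentication.getAuthorities() : new GrantedAuthority[]{};
        }

        boolean hasRole(Authentication authentication, String role) {
            for (GrantedAuthority ga : extractAuthorities(authentication)) {
                if (role.equals(ga.getAuthority())) {
                    return true;
                }
            }
            return false;
        }
    }

    /**
     * The contract chosen in the resolution: decide() must not be called with a null
     * Authentication, so the caller enforces that before delegating to any voter
     * (hypothetical method, standing in for AccessDecisionManager.decide()).
     */
    static boolean decide(NullSafeRoleVoter voter, Authentication authentication, String requiredRole) {
        Objects.requireNonNull(authentication, "decide() requires a non-null Authentication");
        return voter.hasRole(authentication, requiredRole);
    }

    public static void main(String[] args) {
        // Constructed sample principal holding a single role
        Authentication user = () -> new GrantedAuthority[]{ new SimpleAuthority("ROLE_USER") };

        try {
            new UnsafeRoleVoter().extractAuthorities(null);
        } catch (NullPointerException e) {
            System.out.println("unsafe voter: NPE on null Authentication");
        }

        NullSafeRoleVoter voter = new NullSafeRoleVoter();
        System.out.println("null-safe voter, null auth, ROLE_USER granted? "
                + voter.hasRole(null, "ROLE_USER"));
        System.out.println("null-safe voter, user, ROLE_USER granted? "
                + voter.hasRole(user, "ROLE_USER"));

        try {
            decide(voter, null, "ROLE_USER");
        } catch (NullPointerException e) {
            System.out.println("caller-side contract check rejected the call: " + e.getMessage());
        }
    }
}
```

Run it with `javac NullAuthenticationDemo.java && java NullAuthenticationDemo`. The null-safe voter simply denies every role for a null principal, whereas the caller-side check fails fast with a descriptive message; the latter is the behaviour the Javadoc clarification in this issue prescribes, so callers are expected to validate the Authentication before invoking decide().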

            People

            • Assignee: Luke Taylor
            • Reporter: Pavel Tcholakov
            • Votes: 0
            • Watchers: 0