Spring Security / SEC-1577

NPE in AuthorityUtils in combination with RoleHierarchy and User with empty authorities collection

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 3.0.3
    • Fix Version/s: 3.0.4
    • Component/s: Core
    • Labels:
      None
    • Environment:
      Windows XP, Java 1.6, Jetty

      Description

      I have the following intercept-url defined in my security config (with expressions):

      <security:intercept-url pattern="/.*/${webapp.context}/flow/welcome" access="hasRole('ROLE_USER')" />

      I also use role hierarchies. After authentication the user arrives at the welcome page. When the user hasn't got any authorities, I receive an NPE because in RoleHierarchyImpl, which is called by SecurityExpressionRoot, the empty authorities Set is set to null:

      public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities) {
          if (authorities == null || authorities.isEmpty()) {
              return null;
          }

      In AuthorityUtils, the size() method is called on the null collection:

      public static Set<String> authorityListToSet(Collection<GrantedAuthority> userAuthorities) {
          Set<String> set = new HashSet<String>(userAuthorities.size());

      java.lang.NullPointerException
      at org.springframework.security.core.authority.AuthorityUtils.authorityListToSet(AuthorityUtils.java:39)
      at org.springframework.security.access.expression.SecurityExpressionRoot.getAuthoritySet(SecurityExpressionRoot.java:104)
      at org.springframework.security.access.expression.SecurityExpressionRoot.hasAnyRole(SecurityExpressionRoot.java:44)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:58)
      at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:76)
      at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:102)
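
The failure described in this report, modelled as a stand-alone Java example added here (not code from the reporter or from Spring Security, and not the project's fix). It assumes plain String authorities and a constructed one-entry hierarchy; the class and method names are hypothetical.

```java
import java.util.*;

// Added example: models the null-vs-empty contract from this report without Spring classes.
public class EmptyAuthoritiesDemo {
    // Constructed hierarchy (assumption): ROLE_ADMIN implies ROLE_USER.
    static final Map<String, Set<String>> IMPLIED =
            Collections.singletonMap("ROLE_ADMIN", Collections.singleton("ROLE_USER"));

    // Mirrors the reported behaviour: null or empty input yields null.
    static Collection<String> reachableAsReported(Collection<String> authorities) {
        if (authorities == null || authorities.isEmpty()) {
            return null;
        }
        return expand(authorities);
    }

    // Null-safe variant: "no authorities" is an empty collection, never null.
    static Collection<String> reachableNullSafe(Collection<String> authorities) {
        if (authorities == null || authorities.isEmpty()) {
            return Collections.emptyList();
        }
        return expand(authorities);
    }

    // Adds every authority implied by the ones the user holds.
    static Collection<String> expand(Collection<String> authorities) {
        Set<String> out = new HashSet<String>(authorities);
        for (String a : authorities) {
            Set<String> implied = IMPLIED.get(a);
            if (implied != null) out.addAll(implied);
        }
        return out;
    }

    // Same shape as the quoted authorityListToSet: size() dereferences the argument.
    static Set<String> authorityListToSet(Collection<String> userAuthorities) {
        Set<String> set = new HashSet<String>(userAuthorities.size());
        set.addAll(userAuthorities);
        return set;
    }

    public static void main(String[] args) {
        List<String> none = Collections.emptyList(); // user with no authorities
        try {
            authorityListToSet(reachableAsReported(none)).contains("ROLE_USER");
        } catch (NullPointerException e) {
            System.out.println("as reported: NullPointerException in the role check");
        }
        boolean allowed = authorityListToSet(reachableNullSafe(none)).contains("ROLE_USER");
        System.out.println("null-safe: hasRole('ROLE_USER') = " + allowed);
    }
}
```

With the null-safe variant the role check for a user without authorities evaluates to false, so the request is denied by the access decision instead of failing with an exception inside it.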

          Activity

          Luke Taylor added a comment -

          Duplicate of SEC-1507


            People

            • Assignee:
              Luke Taylor
              Reporter:
              Gert Buys