Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18544

Merged
rwinch merged 2 commits into spring-projects:6.5.x from Khyojae:gh-18543
Feb 23, 2026

Conversation

Contributor

@Khyojae Khyojae commented Jan 21, 2026

Check if GrantedAuthority is null before accessing it in
isAuthorized method to prevent NullPointerException.

Closes gh-18543

Signed-off-by: Khyojae <khjae201@gmail.com>


private boolean isAuthorized(Authentication authentication, Collection<String> authorities) {
    for (GrantedAuthority grantedAuthority : getGrantedAuthorities(authentication)) {
        if (grantedAuthority == null) {

It's not about the grantedAuthority itself, but the result of grantedAuthority.getAuthority() can be null.
I don't think that getGrantedAuthorities may contain a null itself, so the check should be:
if (grantedAuthority.getAuthority() == null) { continue; }

Contributor Author


Thank you for the sharp feedback. You're right—it wasn't the grantedAuthority object itself, but the null return value of getAuthority() that caused the NPE.

I've updated the logic to check grantedAuthority.getAuthority() == null as you suggested. Additionally, I've refactored the test case to use a lambda-based GrantedAuthority that returns null, ensuring the issue is accurately reproduced without unnecessary Mockito mocks. Everything is verified with a successful local build. Please take another look.

@Khyojae Khyojae force-pushed the gh-18543 branch 2 times, most recently from 420a217 to 18a38a8 on January 24, 2026 13:51

@ffray ffray left a comment


👍 Thanks for this fix. Let's see if it gets merged.

@rwinch rwinch self-assigned this Feb 23, 2026
Khyojae and others added 2 commits February 23, 2026 09:30

This prevents NPE when GrantedAuthority.getAuthority() returns null. Closes spring-projectsgh-18543

Signed-off-by: Khyojae <khjae201@gmail.com>

- Fix checkstyle
- Fix the test to use Collection that throws NullPointerException on .contains(null) to replicate the reported issue

Closes spring-projectsgh-18544

Signed-off-by: Robert Winch <362503+rwinch@users.noreply.github.com>
@rwinch rwinch added in: core An issue in spring-security-core type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 23, 2026
@rwinch rwinch changed the base branch from main to 6.5.x February 23, 2026 16:58
@rwinch rwinch added this to the 6.5.9 milestone Feb 23, 2026
Member

rwinch commented Feb 23, 2026

Thanks for the PR! I've:

  • changed this to point to 6.5.x since this is a bug and 6.5.x is the oldest OSS supported branch
  • Updated the PR to fix checks (checkstyle and ensure that the test is valid since the test used a Collection implementation -- Set.of() reproduces the NPE, but Collections.singleton() does not -- that did not replicate the issue). Related JDK-83331228
  • Submitted PRs for merging into 7.0.x and main
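As an added illustration of the point made in this thread (example code, not part of the PR or of Spring Security): the GrantedAuthority interface below is a local stand-in for Spring's, and the two isAuthorized variants are assumed simplifications of the method under review, showing why Collections.singleton() hid the bug while Set.of() exposes it.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;

// Stand-in for Spring Security's GrantedAuthority so the example runs without the library.
@FunctionalInterface
interface GrantedAuthority {
    String getAuthority();
}
public class NullAuthorityDemo {
    // Shape of the check before the fix: getAuthority() goes straight into contains().
    static boolean isAuthorizedBefore(Collection<GrantedAuthority> granted, Collection<String> required) {
        for (GrantedAuthority ga : granted) {
            if (required.contains(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    // Shape after the fix: a null authority is skipped rather than passed to contains().
    static boolean isAuthorizedAfter(Collection<GrantedAuthority> granted, Collection<String> required) {
        for (GrantedAuthority ga : granted) {
            String authority = ga.getAuthority();
            if (authority == null) {
                continue;
            }
            if (required.contains(authority)) {
                return true;
            }
        }
        return false;
    }
    public static void main(String[] args) {
        // Constructed input: one authority whose getAuthority() returns null, then a real role.
        List<GrantedAuthority> granted = List.<GrantedAuthority>of(() -> null, () -> "ROLE_USER");
        // Collections.singleton() tolerates contains(null), so the pre-fix code seems to work here.
        System.out.println("singleton, before fix: " + isAuthorizedBefore(granted, Collections.singleton("ROLE_USER")));
        // Set.of() throws NullPointerException on contains(null): the reported bug.
        try {
            isAuthorizedBefore(granted, Set.of("ROLE_USER"));
        } catch (NullPointerException e) {
            System.out.println("Set.of, before fix: NPE from contains(null)");
        }
        // The fixed check skips the null authority and still matches ROLE_USER.
        System.out.println("Set.of, after fix: " + isAuthorizedAfter(granted, Set.of("ROLE_USER")));
    }
}
```

A test that only uses Collections.singleton() for the required authorities would pass against the unfixed code, which is why the test was changed to a Collection that rejects contains(null).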

@rwinch rwinch changed the title Fix NullPointerException in AuthoritiesAuthorizationManager Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager Feb 23, 2026
@rwinch rwinch merged commit d29c984 into spring-projects:6.5.x Feb 23, 2026
7 checks passed
Member

rwinch commented Feb 23, 2026

This is now merged into 6.5.x, 7.0.x, and main. Thanks again for the PR!


Development

Successfully merging this pull request may close these issues.

AuthoritiesAuthorizationManager.authorize throws NPE if GrantedAuthority returns null
