rolePrefix with empty string returns HTTP 400 as of version 6.0.3 #13079

Closed
mbreevoort opened this issue Apr 24, 2023 · 1 comment

mbreevoort commented Apr 24, 2023

Describe the bug
In version 6.0.3 our application returns an HTTP 400 with the message "Administrator should not start with since is automatically prepended when using hasAnyRole. Consider using hasAnyAuthority instead." This is an IllegalArgumentException.

Change is here (check on the prefix which triggers on empty string)
AuthorityAuthorizationManager.java#L128

This is because we use rolePrefix "" (empty string)

    final JwtGrantedAuthoritiesConverter authoritiesConverter = new JwtGrantedAuthoritiesConverter();
    authoritiesConverter.setAuthorityPrefix("");
    ....

    GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");
    }

When using an empty-string rolePrefix, Jsr250AuthorizationManager calls:

    return AuthorityAuthorizationManager.hasAnyRole(Jsr250AuthorizationManager.this.rolePrefix,

To Reproduce
Set rolePrefix to empty String

Expected behavior
If allowed for security reasons, the same behavior as version 6.0.2: allow an empty string for the role prefix.

@mbreevoort mbreevoort added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 24, 2023
@jzheaux jzheaux self-assigned this Apr 24, 2023
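
A minimal model of the prefix check described in the report above, added here as an illustration and not taken from Spring Security's source. The names `RolePrefixCheck`, `toAuthorities`, `attempt` and the `skipCheckForEmptyPrefix` flag are hypothetical, and the guarded variant is an assumption about one way to restore the 6.0.2 behaviour, not necessarily the project's fix.

```java
import java.util.Arrays;

// Simplified model of the role-prefix check; not Spring Security's source code.
public class RolePrefixCheck {

    // skipCheckForEmptyPrefix is a hypothetical switch between the two behaviours.
    static String[] toAuthorities(String rolePrefix, boolean skipCheckForEmptyPrefix, String... roles) {
        String[] result = new String[roles.length];
        for (int i = 0; i < roles.length; i++) {
            String role = roles[i];
            // "x".startsWith("") is true for every x, so an unguarded check
            // rejects every role name once the prefix is the empty string.
            boolean enforce = !(skipCheckForEmptyPrefix && rolePrefix.isEmpty());
            if (enforce && role.startsWith(rolePrefix)) {
                throw new IllegalArgumentException(role + " should not start with " + rolePrefix
                        + " since " + rolePrefix + " is automatically prepended when using hasAnyRole."
                        + " Consider using hasAnyAuthority instead.");
            }
            result[i] = rolePrefix + role;
        }
        return result;
    }

    // Runs one case and reports either the resulting authorities or the rejection.
    static String attempt(String rolePrefix, boolean skipCheckForEmptyPrefix, String role) {
        try {
            return Arrays.toString(toAuthorities(rolePrefix, skipCheckForEmptyPrefix, role));
        } catch (IllegalArgumentException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: prefixes and role names chosen for illustration.
        System.out.println(attempt("ROLE_", false, "Administrator"));     // non-empty prefix, unguarded check
        System.out.println(attempt("", false, "Administrator"));          // empty prefix, unguarded check
        System.out.println(attempt("", true, "Administrator"));           // empty prefix, guarded check
        System.out.println(attempt("ROLE_", true, "ROLE_Administrator")); // already-prefixed role, guarded check
    }
}
```

The last case matters for authorization: the guard leaves the double-prefix check in place for non-empty prefixes, so a role passed as `ROLE_Administrator` is still reported rather than silently becoming `ROLE_ROLE_Administrator`.
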
Contributor

jzheaux commented Apr 24, 2023

Thanks, @mbreevoort, I've assigned this to the next maintenance release.

@jzheaux jzheaux added this to the 6.0.4 milestone Apr 24, 2023
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 24, 2023
jzheaux added a commit that referenced this issue Apr 24, 2023