SEC-1321: RoleVoter throws null pointer exception if Authentication object's granted authorities array is null #1538

Closed
spring-issuemaster opened this Issue Dec 9, 2009 · 2 comments

@spring-issuemaster

Adam Dyga (Migrated from SEC-1321) said:

RoleVoter throws null pointer exception if Authentication object's granted authorities array is null.

java.lang.NullPointerException
at org.springframework.security.vote.RoleVoter.vote(RoleVoter.java:107)
at org.springframework.security.vote.AffirmativeBased.decide(AffirmativeBased.java:51)

If a user doesn't have any roles, there is no point in passing it a 0-size array (memory inefficient), so RoleVoter should handle such a situation.

@spring-issuemaster

Luke Taylor said:

I'd prefer to tighten up the contract and disallow null values in the authentication object. The argument about memory doesn't really apply in 3.0, as a single empty collection can be shared throughout the entire application.

@spring-issuemaster

Luke Taylor said:

See SEC-1325.

This isn't actually a bug in any case, as the existing contract says that the authorities should only be null in the case where the token hasn't been authenticated.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 milestone Feb 5, 2016
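
The approach discussed in the thread, rejecting null authorities when the token is built and sharing one immutable empty collection for users without roles, looks like this in code. This is an added example, not code from Spring Security or from the commenters; `Token`, `NO_AUTHORITIES` and `vote` are hypothetical, simplified stand-ins.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

// Hypothetical, simplified stand-ins; these are not Spring Security's classes.
public class AuthoritiesContractDemo {
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    // One immutable empty collection shared by every token that has no roles.
    static final Collection<String> NO_AUTHORITIES = Collections.emptyList();

    static final class Token {
        private final Collection<String> authorities;

        Token(Collection<String> authorities) {
            // Fail when the token is built, not later inside an access decision.
            if (authorities == null) {
                throw new IllegalArgumentException("authorities must not be null");
            }
            for (String a : authorities) {
                if (a == null) throw new IllegalArgumentException("null authority");
            }
            // Reuse the shared instance for "no roles"; otherwise copy defensively.
            this.authorities = authorities.isEmpty()
                    ? NO_AUTHORITIES
                    : Collections.unmodifiableList(new ArrayList<>(authorities));
        }

        Collection<String> getAuthorities() { return authorities; }
    }

    // Role voter: abstains if no ROLE_ attribute is configured, otherwise denies
    // unless the token holds a required role. No null check is needed here.
    static int vote(Token token, List<String> attributes) {
        int result = ACCESS_ABSTAIN;
        for (String attr : attributes) {
            if (!attr.startsWith("ROLE_")) continue;
            result = ACCESS_DENIED;
            if (token.getAuthorities().contains(attr)) return ACCESS_GRANTED;
        }
        return result;
    }

    public static void main(String[] args) {
        List<String> required = List.of("ROLE_ADMIN");
        System.out.println(vote(new Token(NO_AUTHORITIES), required));
        System.out.println(vote(new Token(List.of("ROLE_USER", "ROLE_ADMIN")), required));
    }
}
```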