Consider only merging authorities if non-empty #18021
Description
Expected Behavior
AbstractAuthenticationProcessingFilter would ideally only merge authorities if the current authentication has authorities to merge and they are not already present in the authentication result. I believe this would make a custom toBuilder() method needed only if there are actually authorities that need to be merged.
Current Behavior
In AbstractAuthenticationProcessingFilter, the Authentication is mutated with toBuilder() to merge authorities from the current/existing authentication into the returned authentication result (see below).
This doesn't seem to be necessary in cases where there are no authorities to merge (current.getAuthorities().isEmpty()) or they are already in the result (authenticationResult.getAuthorities().containsAll(current.getAuthorities())).
Context
When an application is using a custom Authentication (instead of a custom Authentication#getPrincipal()), it becomes necessary to implement the new Authentication#toBuilder() method to preserve the existing type when the builder is used to mutate the authentication. This can be surprising for users when upgrading to Spring Security 7 and they see a SimpleAuthentication (from the default implementation) returned instead of the expected custom type. It can also be difficult to spot the issue, since application's may be using instanceof checks to handle one or more custom types, similar to how a custom principal is often handled. For example, the following code in an application could unexpectedly behave differently in Spring Security 7.
public static String getCustomValue(Authentication authentication) {
if (authentication instanceof MyAuthentication myAuthentication) {
return myAuthentication.getCustomValue();
} else {
return "unknown";
}
}