SEC-1577: NPE in AuthorityUtils in combination with RoleHierarchy and User with empty authorities collection #1818

Closed
spring-issuemaster opened this Issue Sep 23, 2010 · 2 comments


@spring-issuemaster

Gert Buys (Migrated from SEC-1577) said:

I have the following intercept-url defined in my security config (with expressions):

I also use role hierarchies. After authentication the user arrives at the welcome page. When the user hasn't got any authorities, I receive an NPE because in RoleHierarchyImpl, which is called by SecurityExpressionRoot, the empty authorities Set is set to null:

public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities) {
    if (authorities == null || authorities.isEmpty()) {
        return null;
    }

In AuthorityUtils, the size() method is called on the null collection:

public static Set authorityListToSet(Collection userAuthorities) {
    Set set = new HashSet(userAuthorities.size());

java.lang.NullPointerException
at org.springframework.security.core.authority.AuthorityUtils.authorityListToSet(AuthorityUtils.java:39)
at org.springframework.security.access.expression.SecurityExpressionRoot.getAuthoritySet(SecurityExpressionRoot.java:104)
at org.springframework.security.access.expression.SecurityExpressionRoot.hasAnyRole(SecurityExpressionRoot.java:44)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:58)
at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:76)
at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:102)

<security:intercept-url pattern="/.*
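
The failure mode reported above, reduced to a self-contained added example; this is not Spring Security source and not the project's fix. Authorities are plain Strings standing in for GrantedAuthority, the method names `reachableReturningNull` and `reachableReturningEmpty` and the role `ROLE_USER` are hypothetical, and returning an empty collection is one assumed way to keep the access check from throwing.

```java
import java.util.*;

// Added example: simplified stand-ins, not Spring Security source.
// Authorities are plain Strings here instead of GrantedAuthority.
public class EmptyAuthoritiesDemo {

    // Mirrors the behaviour quoted in the report: empty input yields null.
    static Collection<String> reachableReturningNull(Collection<String> authorities) {
        if (authorities == null || authorities.isEmpty()) {
            return null;
        }
        return new ArrayList<>(authorities);
    }

    // Hardened variant (assumption): never return null for "no authorities".
    static Collection<String> reachableReturningEmpty(Collection<String> authorities) {
        if (authorities == null || authorities.isEmpty()) {
            return Collections.emptyList();
        }
        return new ArrayList<>(authorities);
    }

    // Mirrors the quoted authorityListToSet: size() is called without a null check.
    static Set<String> authorityListToSet(Collection<String> userAuthorities) {
        Set<String> set = new HashSet<>(userAuthorities.size());
        set.addAll(userAuthorities);
        return set;
    }

    // Stand-in for hasAnyRole: true if the user holds at least one of the roles.
    static boolean hasAnyRole(Collection<String> reachable, String... roles) {
        Set<String> held = authorityListToSet(reachable);
        for (String role : roles) {
            if (held.contains(role)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> noAuthorities = Collections.emptyList(); // constructed input
        try {
            hasAnyRole(reachableReturningNull(noAuthorities), "ROLE_USER");
        } catch (NullPointerException e) {
            System.out.println("null-returning hierarchy: NullPointerException");
        }
        boolean allowed = hasAnyRole(reachableReturningEmpty(noAuthorities), "ROLE_USER");
        System.out.println("empty-returning hierarchy: access granted = " + allowed);
    }
}
```

With the empty-collection variant the check evaluates to a plain denial for a user without authorities, rather than an exception escaping from expression evaluation.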

@spring-issuemaster

Luke Taylor said:

Duplicate of SEC-1507

@spring-issuemaster spring-issuemaster added this to the 3.0.4 milestone Feb 5, 2016
@spring-issuemaster

This issue duplicates #1749
