SEC-1577: NPE in AuthorityUtils in combination with RoleHierarchy and User with empty authorities collection #1818

spring-issuemaster opened this Issue Sep 23, 2010 · 2 comments


Gert Buys (Migrated from SEC-1577) said:

I have the following intercept-url defined in my security config (with expressions):
<security:intercept-url pattern="/.*/${webapp.context}/flow/welcome" access="hasRole('ROLE_USER')" />

I also use role hierarchies. After authentication the user arrives at the welcome page. When the user hasn't got any authorities, I receive an NPE because in RoleHierarchyImpl, which is called by SecurityExpressionRoot, the empty authorities Set is set to null:

public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities) {
    if (authorities == null || authorities.isEmpty()) {
        return null;
    }
In AuthorityUtils, the size() method is called on the null collection:
public static Set authorityListToSet(Collection userAuthorities) {
    Set set = new HashSet(userAuthorities.size());

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(
at sun.reflect.DelegatingMethodAccessorImpl.invoke(
at java.lang.reflect.Method.invoke(
at org.springframework.expression.spel.ast.MethodReference.getValueInternal(
at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(
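The interaction described in the report, as an added stand-alone illustration that is not Spring Security source code and not the project's fix: a hierarchy method that turns an empty authorities collection into null, a consumer that dereferences it without a null check, and a defensive pair in which "no authorities" is an empty collection (so `hasRole` evaluates to false and access is denied cleanly instead of the request failing with an exception). The `GrantedAuthority` interface and `SimpleAuthority` class are minimal stand-ins assumed here so the example compiles without Spring on the classpath.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added illustration of the null-contract problem from the report; not Spring code.
public class EmptyAuthoritiesDemo {

    // Assumption: a minimal stand-in for Spring's GrantedAuthority interface.
    interface GrantedAuthority {
        String getAuthority();
    }

    // Assumption: a trivial authority implementation used only for the demo.
    static final class SimpleAuthority implements GrantedAuthority {
        private final String role;
        SimpleAuthority(String role) { this.role = role; }
        public String getAuthority() { return role; }
    }

    // Behaviour as described in the report: an empty input becomes null.
    // (Hierarchy expansion itself is omitted; the input is passed through.)
    static Collection<GrantedAuthority> reachableAuthoritiesReturningNull(
            Collection<GrantedAuthority> authorities) {
        if (authorities == null || authorities.isEmpty()) {
            return null;
        }
        return new ArrayList<GrantedAuthority>(authorities);
    }

    // Consumer as described: size() is called on the collection without a null check.
    static Set<String> authorityListToSetUnsafe(Collection<GrantedAuthority> userAuthorities) {
        Set<String> set = new HashSet<String>(userAuthorities.size()); // NPE when null
        for (GrantedAuthority a : userAuthorities) {
            set.add(a.getAuthority());
        }
        return set;
    }

    // Defensive producer: "no authorities" is an empty collection, never null.
    static Collection<GrantedAuthority> reachableAuthoritiesSafe(
            Collection<GrantedAuthority> authorities) {
        if (authorities == null || authorities.isEmpty()) {
            return Collections.emptyList();
        }
        return new ArrayList<GrantedAuthority>(authorities);
    }

    // Defensive consumer: tolerates null as well, so either side alone closes the gap.
    static Set<String> authorityListToSetSafe(Collection<GrantedAuthority> userAuthorities) {
        if (userAuthorities == null) {
            return new HashSet<String>();
        }
        Set<String> set = new HashSet<String>(userAuthorities.size());
        for (GrantedAuthority a : userAuthorities) {
            set.add(a.getAuthority());
        }
        return set;
    }

    public static void main(String[] args) {
        // Constructed input: an authenticated user with an empty authorities collection.
        Collection<GrantedAuthority> none = Collections.emptyList();

        try {
            authorityListToSetUnsafe(reachableAuthoritiesReturningNull(none));
            System.out.println("unexpected: no exception");
        } catch (NullPointerException e) {
            System.out.println("reported path: NPE for a user with no authorities");
        }

        // Defensive path: the role check simply evaluates to false.
        Set<String> roles = authorityListToSetSafe(reachableAuthoritiesSafe(none));
        System.out.println("defensive path: hasRole('ROLE_USER') -> " + roles.contains("ROLE_USER"));

        // Sanity check with a real authority: the role is still found.
        Collection<GrantedAuthority> user = new ArrayList<GrantedAuthority>();
        user.add(new SimpleAuthority("ROLE_USER"));
        Set<String> userRoles = authorityListToSetSafe(reachableAuthoritiesSafe(user));
        System.out.println("with ROLE_USER: hasRole('ROLE_USER') -> " + userRoles.contains("ROLE_USER"));
    }
}
```

The practical point is that an access-control check should fail closed with a deny, not with an unhandled exception: a user with no authorities must be treated as an empty set, and whichever side of the producer/consumer boundary is hardened, the request reaches a normal access-denied outcome.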

Luke Taylor said:

Duplicate of SEC-1507

spring-issuemaster added this to the 3.0.4 milestone Feb 5, 2016

This issue duplicates #1749
