spring-projects · therepanic · Oct 11, 2025 · ronodhirSoumik · Oct 11, 2025
diff --git a/...va/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManager.java b/...va/org/springframework/security/authorization/AllRequiredFactorsAuthorizationManager.java
@@ -99,7 +99,7 @@ public FactorAuthorizationDecision authorize(Supplier<? extends @Nullable Authen
 	private @Nullable RequiredFactorError requiredFactorError(RequiredFactor requiredFactor,
 			List<GrantedAuthority> currentFactors) {
 		Optional<GrantedAuthority> matchingAuthority = currentFactors.stream()
-			.filter((authority) -> authority.getAuthority().equals(requiredFactor.getAuthority()))
+			.filter((authority) -> Objects.equals(authority.getAuthority(), requiredFactor.getAuthority()))
 			.findFirst();
 		if (!matchingAuthority.isPresent()) {
 			return RequiredFactorError.createMissing(requiredFactor);

diff --git a/...ava/org/springframework/security/authorization/AuthorityReactiveAuthorizationManager.java b/...ava/org/springframework/security/authorization/AuthorityReactiveAuthorizationManager.java
@@ -17,6 +17,7 @@
 package org.springframework.security.authorization;
 
 import java.util.List;
+import java.util.Objects;
 
 import reactor.core.publisher.Mono;
 
@@ -47,8 +48,8 @@ public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication,
 		// @formatter:off
 		return authentication.filter(Authentication::isAuthenticated)
 				.flatMapIterable(Authentication::getAuthorities)
-				.map(GrantedAuthority::getAuthority)
-				.any((grantedAuthority) -> this.authorities.stream().anyMatch((authority) -> authority.getAuthority().equals(grantedAuthority)))
+				.mapNotNull(GrantedAuthority::getAuthority)
+				.any((grantedAuthority) -> this.authorities.stream().anyMatch((authority) -> Objects.equals(authority.getAuthority(), grantedAuthority)))
 				.map((granted) -> ((AuthorizationResult) new AuthorityAuthorizationDecision(granted, this.authorities)))
 				.defaultIfEmpty(new AuthorityAuthorizationDecision(false, this.authorities));
 		// @formatter:on

diff --git a/core/src/main/java/org/springframework/security/core/GrantedAuthority.java b/core/src/main/java/org/springframework/security/core/GrantedAuthority.java
@@ -18,6 +18,8 @@
 
 import java.io.Serializable;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.authorization.AuthorizationManager;
 
 /**
@@ -46,6 +48,6 @@ public interface GrantedAuthority extends Serializable {
 	 * granted authority cannot be expressed as a <code>String</code> with sufficient
 	 * precision).
 	 */
-	String getAuthority();
+	@Nullable String getAuthority();
 
 }
diff --git a/.../main/java/org/springframework/security/core/authority/mapping/SimpleAuthorityMapper.java b/.../main/java/org/springframework/security/core/authority/mapping/SimpleAuthorityMapper.java
@@ -64,7 +64,10 @@ public void afterPropertiesSet() {
 	public Set<GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
 		HashSet<GrantedAuthority> mapped = new HashSet<>(authorities.size());
 		for (GrantedAuthority authority : authorities) {
-			mapped.add(mapAuthority(authority.getAuthority()));
+			String authorityStr = authority.getAuthority();
+			if (authorityStr != null) {
+				mapped.add(mapAuthority(authorityStr));
+			}
 		}
 		if (this.defaultAuthority != null) {
 			mapped.add(this.defaultAuthority);

diff --git a/...org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchers.java b/...org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchers.java
@@ -281,7 +281,8 @@ public AuthenticatedMatcher withRoles(String rolePrefix, String[] roles) {
 			for (String role : roles) {
 				withPrefix.add(new SimpleGrantedAuthority(rolePrefix + role));
 			}
-			this.ignoreAuthorities = (authority) -> !authority.getAuthority().startsWith(rolePrefix);
+			this.ignoreAuthorities = (authority) -> (authority.getAuthority() != null
+					&& !authority.getAuthority().startsWith(rolePrefix));
 			return withAuthorities(withPrefix);
 		}
 

diff --git a/...rg/springframework/security/web/access/DelegatingMissingAuthorityAccessDeniedHandler.java b/...rg/springframework/security/web/access/DelegatingMissingAuthorityAccessDeniedHandler.java
@@ -160,7 +160,7 @@ private List<AuthorityRequiredFactorErrorEntry> authorityErrors(AccessDeniedExce
 			return authorityDecision.getAuthorities().stream()
 				.map((grantedAuthority) -> {
 					String authority = grantedAuthority.getAuthority();
-					if (authority.startsWith("FACTOR_")) {
+					if (authority != null && authority.startsWith("FACTOR_")) {
 						RequiredFactor required = RequiredFactor.withAuthority(authority).build();
 						return new AuthorityRequiredFactorErrorEntry(authority, RequiredFactorError.createMissing(required));
 					}
@@ -247,17 +247,16 @@ public DelegatingMissingAuthorityAccessDeniedHandler build() {
 	 */
 	private static final class AuthorityRequiredFactorErrorEntry {
 
-		private final String authority;
+		@Nullable private final String authority;
 
 		private final @Nullable RequiredFactorError error;
 
-		private AuthorityRequiredFactorErrorEntry(String authority, @Nullable RequiredFactorError error) {
-			Assert.notNull(authority, "authority cannot be null");
+		private AuthorityRequiredFactorErrorEntry(@Nullable String authority, @Nullable RequiredFactorError error) {
 			this.authority = authority;
 			this.error = error;
 		}
 
-		private String getAuthority() {
+		@Nullable private String getAuthority() {
 			return this.authority;
 		}