SEC-3128: RoleVoter supports null Authentication

Rob Winch 2015-10-29 14:03:18 -05:00
parent 6f1bb705ac
commit be303b15d1
2 changed files with 13 additions and 0 deletions


@ -95,6 +95,9 @@ public class RoleVoter implements AccessDecisionVoter<Object> {
public int vote(Authentication authentication, Object object,
Collection<ConfigAttribute> attributes) {
if(authentication == null) {
return ACCESS_DENIED;
}
int result = ACCESS_ABSTAIN;
Collection<? extends GrantedAuthority> authorities = extractAuthorities(authentication);
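Review bot: The new null guard at the top of `vote` returns `ACCESS_DENIED` before any attribute is examined, so a null `Authentication` is denied even for attribute lists on which this voter would otherwise abstain. That is the fail-closed choice, but nothing in the code says it is deliberate. The rest of the method lies outside this hunk, so the abstain path is inferred only from the `ACCESS_ABSTAIN` initialiser on the next line. I would add a comment above the guard, `// SEC-3128: fail closed - a missing Authentication is denied regardless of the attributes`, and state the same in the method's Javadoc so that decision-manager setups relying on abstention are not surprised. Minor style point: `if(authentication == null)` is missing the space after `if`.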


@ -1,5 +1,6 @@
package org.springframework.security.access.vote;
import static org.fest.assertions.Assertions.assertThat;
import static org.junit.Assert.*;
import org.junit.Test;
@ -22,4 +23,13 @@ public class RoleVoterTests {
assertEquals(AccessDecisionVoter.ACCESS_GRANTED,
voter.vote(userAB, this, SecurityConfig.createList("A", "C")));
}
// SEC-3128
@Test
public void nullAuthenticationDenies() {
RoleVoter voter = new RoleVoter();
voter.setRolePrefix("");
Authentication notAuthenitcated = null;
assertThat(voter.vote(notAuthenitcated, this, SecurityConfig.createList("A"))).isEqualTo(AccessDecisionVoter.ACCESS_DENIED);
}
}
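Review bot: `nullAuthenticationDenies` only covers the case where the attribute is supported, because `setRolePrefix("")` presumably makes every attribute match the voter. The denial for a null `Authentication` combined with an attribute the voter does not support is therefore not pinned by any test. I would add a second case that leaves the prefix at its default, e.g. `assertThat(new RoleVoter().vote(null, this, SecurityConfig.createList("A"))).isEqualTo(AccessDecisionVoter.ACCESS_DENIED);`, so the unconditional fail-closed behaviour cannot regress to an abstain. The local `notAuthenitcated` is also misspelled and should read `notAuthenticated`.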