From 73a543d318322b45ae96ee3dd31951017c19eb9e Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Mon, 24 Apr 2023 12:49:30 -0600 Subject: [PATCH] Handle Empty Role Closes gh-13079 --- .../authorization/AuthorityAuthorizationManager.java | 2 +- .../authorization/AuthorityAuthorizationManagerTests.java | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java index 49935e4a19..983bee7fbe 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java @@ -130,7 +130,7 @@ public final class AuthorityAuthorizationManager implements AuthorizationMana String[] result = new String[roles.length]; for (int i = 0; i < roles.length; i++) { String role = roles[i]; - Assert.isTrue(!role.startsWith(rolePrefix), () -> role + " should not start with " + rolePrefix + " since " + Assert.isTrue(rolePrefix.isEmpty() || !role.startsWith(rolePrefix), () -> role + " should not start with " + rolePrefix + " since " + rolePrefix + " is automatically prepended when using hasAnyRole. Consider using hasAnyAuthority instead."); result[i] = rolePrefix + role; diff --git a/core/src/test/java/org/springframework/security/authorization/AuthorityAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/AuthorityAuthorizationManagerTests.java index 7d05d0d398..3bec282dc0 100644 --- a/core/src/test/java/org/springframework/security/authorization/AuthorityAuthorizationManagerTests.java +++ b/core/src/test/java/org/springframework/security/authorization/AuthorityAuthorizationManagerTests.java @@ -266,4 +266,9 @@ public class AuthorityAuthorizationManagerTests { assertThat(manager.check(authentication, object).isGranted()).isTrue(); } + // gh-13079 + @Test + void hasAnyRoleWhenEmptyRolePrefixThenNoException() { + AuthorityAuthorizationManager.hasAnyRole("", new String[] { "USER" }); + } }