AuthorizationManagerWebInvocationPrivilegeEvaluator grant access when AuthorizationManager abstains

marcusdacoregio · marcusdacoregio · commit 44508df940d0 · 2022-03-09T15:38:11.000-03:00
Closes gh-10950
diff --git a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
@@ -51,7 +51,7 @@ public boolean isAllowed(String contextPath, String uri, String method, Authenti
 		FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
 		AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,
 				filterInvocation.getHttpRequest());
-		return decision != null && decision.isGranted();
+		return decision == null || decision.isGranted();
 	}
 
 }
diff --git a/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java b/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
@@ -65,4 +65,11 @@ public void isAllowedWhenAuthorizationManagerDeniesAllowedFalse() {
 		assertThat(allowed).isFalse();
 	}
 
+	@Test
+	public void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() {
+		given(this.authorizationManager.check(any(), any())).willReturn(null);
+		boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
+		assertThat(allowed).isTrue();
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ public boolean isAllowed(String contextPath, String uri, String method, Authenti`
`51`	`51`	`FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);`
`52`	`52`	`AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,`
`53`	`53`	`filterInvocation.getHttpRequest());`
`54`		`- return decision != null && decision.isGranted();`
	`54`	`+ return decision == null \|\| decision.isGranted();`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -65,4 +65,11 @@ public void isAllowedWhenAuthorizationManagerDeniesAllowedFalse() {`
`65`	`65`	`assertThat(allowed).isFalse();`
`66`	`66`	`}`
`67`	`67`
	`68`	`+ @Test`
	`69`	`+ public void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() {`
	`70`	`+ given(this.authorizationManager.check(any(), any())).willReturn(null);`
	`71`	`+ boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());`
	`72`	`+ assertThat(allowed).isTrue();`
	`73`	`+ }`
	`74`	`+`
`68`	`75`	`}`