It appears as though the security checks performed by Vaadin throw an NPE and fail to continue in cases where the principal has a null granted authority.
Null granted authorities are valid according to the Spring Security docs:
...
Caused by: java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because the return value of "org.springframework.security.core.GrantedAuthority.getAuthority()" is null
at com.vaadin.flow.spring.AuthenticationUtil.lambda$getSecurityHolderRoleChecker$1(AuthenticationUtil.java:66)
at java.base/java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
at java.base/java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1728)
at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:632)
at com.vaadin.flow.spring.AuthenticationUtil.lambda$getSecurityHolderRoleChecker$2(AuthenticationUtil.java:65)
at com.vaadin.flow.spring.security.TaskizeVaadinSecurityUtil.lambda$getRolesChecker$0(TaskizeVaadinSecurityUtil.java:23)
at com.vaadin.flow.server.auth.AccessAnnotationChecker.roleAllowed(AccessAnnotationChecker.java:265)
at com.vaadin.flow.server.auth.AccessAnnotationChecker.hasAccess(AccessAnnotationChecker.java:258)
at com.vaadin.flow.server.auth.AccessAnnotationChecker.hasAccess(AccessAnnotationChecker.java:175)
...
It wouldn't be expected for Vaadin to know how to handle these types of authorities, but it at least shouldn't error if they exist. Looks like it just needs a null check on line 42 in AuthenticationUtil#getSecurityHolderRoleChecker when dereferencing the result of getAuthority():
Thank you
Expected behavior
Should not throw an NPE with null granted authorities
Minimal reproducible example
Assign a custom granted authority with a null getAuthority value to a principal and attempt to load a route
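The reproduction and the suggested fix, as an added example that is not part of the original report and not Vaadin's own code. It builds a principal's authority list containing a custom GrantedAuthority whose getAuthority() returns null, runs it through a hypothetical role checker that mirrors the dereference pattern visible in the stack trace (getAuthority().equals(...) inside a stream anyMatch), and then through a null-safe variant. The checker functions, the ROLE_ prefix, and the class name are assumptions for illustration, not the actual AuthenticationUtil implementation; spring-security-core must be on the classpath for the GrantedAuthority interface.

```java
import java.util.List;
import java.util.function.Function;
import org.springframework.security.core.GrantedAuthority;

/**
 * Added example (not Vaadin's code). Reproduces the NPE described above and
 * shows a null-safe role check. The two checker methods are hypothetical
 * stand-ins for AuthenticationUtil#getSecurityHolderRoleChecker.
 */
public class NullAuthorityRoleCheck {

    // Assumed role prefix for the example; Spring Security conventionally uses "ROLE_".
    private static final String ROLE_PREFIX = "ROLE_";

    /** Mirrors the pattern in the stack trace: getAuthority().equals(...) with no null guard. */
    static Function<String, Boolean> unsafeRoleChecker(List<? extends GrantedAuthority> authorities) {
        return role -> authorities.stream()
                .anyMatch(ga -> ga.getAuthority().equals(ROLE_PREFIX + role));
    }

    /** Null-safe variant: authorities whose getAuthority() is null simply never match. */
    static Function<String, Boolean> safeRoleChecker(List<? extends GrantedAuthority> authorities) {
        return role -> authorities.stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(a -> a != null && a.equals(ROLE_PREFIX + role));
    }

    public static void main(String[] args) {
        // Constructed input: a normal role plus a custom authority whose
        // getAuthority() returns null. GrantedAuthority has a single abstract
        // method, so lambdas are enough to build both.
        GrantedAuthority custom = () -> null;
        GrantedAuthority normal = () -> "ROLE_ADMIN";
        // The null authority is listed first so the unsafe checker hits it
        // before it can short-circuit on the matching role.
        List<GrantedAuthority> authorities = List.of(custom, normal);

        try {
            unsafeRoleChecker(authorities).apply("ADMIN");
            System.out.println("unsafe checker: no exception");
        } catch (NullPointerException e) {
            System.out.println("unsafe checker: NPE -> " + e.getMessage());
        }

        System.out.println("safe checker, ADMIN: " + safeRoleChecker(authorities).apply("ADMIN"));
        System.out.println("safe checker, USER:  " + safeRoleChecker(authorities).apply("USER"));
    }
}
```

Compile and run with spring-security-core on the classpath (Java 11 or later for List.of). Reversing the comparison to (ROLE_PREFIX + role).equals(ga.getAuthority()) would also avoid the dereference; the explicit null filter is used here because it makes the intended semantics, "an authority with no name never grants a role", visible in the code.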