
rolePrefix with empty string returns HTTP 400 as of version 6.0.3 #13079

Status: Closed
Opened by @mbreevoort

Description

Describe the bug
In version 6.0.3 our application returns an HTTP 400 with the message "Administrator should not start with since is automatically prepended when using hasAnyRole. Consider using hasAnyAuthority instead." This is an IllegalArgumentException.

The change is here (the check on the prefix, which triggers on an empty string):
AuthorityAuthorizationManager.java#L128

This is because we use rolePrefix "" (empty string):

```java
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

// Strip the default "SCOPE_" prefix from authorities taken out of the JWT
final JwtGrantedAuthoritiesConverter authoritiesConverter = new JwtGrantedAuthoritiesConverter();
authoritiesConverter.setAuthorityPrefix("");
....

// Tell Spring Security to use no role prefix at all (instead of the default "ROLE_")
GrantedAuthorityDefaults grantedAuthorityDefaults() {
    return new GrantedAuthorityDefaults("");
}
```

When rolePrefix is the empty string, Jsr250AuthorizationManager calls

```java
return AuthorityAuthorizationManager.hasAnyRole(Jsr250AuthorizationManager.this.rolePrefix,
```

To Reproduce
Set rolePrefix to an empty String.

Expected behavior
If allowed for security reasons, the same behavior as version 6.0.2: allow an empty string for the role prefix.
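The failure mode described above comes down to one property of `String.startsWith`: every string starts with the empty string, so a "role must not already carry the prefix" check that does not special-case an empty prefix rejects every role once the prefix is configured as `""`. The following is an added, self-contained illustration and not Spring Security's own code; the class and method names (`RolePrefixCheckDemo`, `prependPrefixUnguarded`, `prependPrefixGuarded`) are hypothetical stand-ins that mirror the shape of the check and the error message quoted in the report, with the guard an assumed remedy rather than the project's actual fix.

```java
import java.util.Arrays;

/**
 * Added illustration (not Spring Security code): why a "role should not start
 * with the prefix" sanity check must treat an empty prefix as "no prefix".
 */
public class RolePrefixCheckDemo {

    /** Unguarded variant: mirrors the shape of the check the issue points at. */
    static String[] prependPrefixUnguarded(String rolePrefix, String... roles) {
        String[] result = new String[roles.length];
        for (int i = 0; i < roles.length; i++) {
            String role = roles[i];
            // "Administrator".startsWith("") is true, so with rolePrefix == ""
            // this branch is taken for every role and hasAnyRole can never be built.
            if (role.startsWith(rolePrefix)) {
                throw new IllegalArgumentException(role + " should not start with " + rolePrefix
                        + " since " + rolePrefix + " is automatically prepended when using hasAnyRole."
                        + " Consider using hasAnyAuthority instead.");
            }
            result[i] = rolePrefix + role;
        }
        return result;
    }

    /** Guarded variant (assumed remedy): an empty prefix cannot be double-applied, so skip the check. */
    static String[] prependPrefixGuarded(String rolePrefix, String... roles) {
        String[] result = new String[roles.length];
        for (int i = 0; i < roles.length; i++) {
            String role = roles[i];
            // Only a non-empty prefix can be accidentally duplicated by the caller.
            if (!rolePrefix.isEmpty() && role.startsWith(rolePrefix)) {
                throw new IllegalArgumentException(role + " should not start with " + rolePrefix
                        + " since " + rolePrefix + " is automatically prepended when using hasAnyRole."
                        + " Consider using hasAnyAuthority instead.");
            }
            result[i] = rolePrefix + role;
        }
        return result;
    }

    public static void main(String[] args) {
        // Default "ROLE_" prefix: both variants accept bare role names ...
        System.out.println(Arrays.toString(prependPrefixGuarded("ROLE_", "ADMIN", "USER")));
        // ... and both reject a role that already carries the prefix, which is the check's purpose.
        try {
            prependPrefixUnguarded("ROLE_", "ROLE_ADMIN");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }

        // Empty prefix, i.e. the configuration from the report: the unguarded check
        // rejects "Administrator" (and any other role) ...
        try {
            prependPrefixUnguarded("", "Administrator");
        } catch (IllegalArgumentException e) {
            System.out.println("unguarded check with empty prefix: " + e.getMessage());
        }
        // ... while the guarded variant passes the role through unchanged.
        System.out.println(Arrays.toString(prependPrefixGuarded("", "Administrator")));
    }
}
```

Run with `javac RolePrefixCheckDemo.java && java RolePrefixCheckDemo`. The guarded variant keeps the original protection for a real prefix (a caller writing `hasAnyRole("ROLE_ADMIN")` still gets a clear error instead of silently checking for `ROLE_ROLE_ADMIN`), and only drops the check in the one case where it cannot be meaningful. When reviewing any prefix- or namespace-based authority check, test the empty-prefix configuration explicitly; it is the edge case that `startsWith` does not handle the way a reader expects.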

Labels: in: web (An issue in web modules (web, webmvc)); type: bug (A general bug)