Skip to content

Allow UserBuilder to easily build a user without any authorities #12533

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
philwebb opened this issue Jan 12, 2023 · 6 comments · Fixed by #12555
Closed

Allow UserBuilder to easily build a user without any authorities #12533

philwebb opened this issue Jan 12, 2023 · 6 comments · Fixed by #12555
Assignees
@stillya
Labels
in: core An issue in spring-security-core type: enhancement A general enhancement
Milestone
6.1.0-M2

Comments

@philwebb
Copy link
Member

Expected Behavior

When using the org.springframework.security.core.userdetails.User.builder() it should be easy to create a new user without any authorities:

User.builder("name").password("pwd").build();

Current Behavior

The above fails with:

Caused by: java.lang.IllegalArgumentException: Cannot pass a null GrantedAuthority collection
	at org.springframework.util.Assert.notNull(Assert.java:201) ~[spring-core-5.3.24.jar:5.3.24]
	at org.springframework.security.core.userdetails.User.sortAuthorities(User.java:162) ~[spring-security-core-5.7.6.jar:5.7.6]
	at org.springframework.security.core.userdetails.User.<init>(User.java:118) ~[spring-security-core-5.7.6.jar:5.7.6]
	at org.springframework.security.core.userdetails.User$UserBuilder.build(User.java:504) ~[spring-security-core-5.7.6.jar:5.7.6]
	at com.example.MySecurityConfiguration.asUserDetails(MySecurityConfiguration.java:42) ~[classes/:na]
	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[na:1.8.0_345]
	at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384) ~[na:1.8.0_345]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[na:1.8.0_345]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[na:1.8.0_345]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[na:1.8.0_345]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:1.8.0_345]
	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566) ~[na:1.8.0_345]
	at com.example.MySecurityConfiguration.inMemoryUserDetailsManager(MySecurityConfiguration.java:32) ~[classes/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_345]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_345]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_345]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_345]
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.3.24.jar:5.3.24]
	... 20 common frames omitted

Context

The above error makes creating a user a little more difficult than it could be. As a workaround you can do:

User.builder("name").password("pwd").roles().build();

I think that UserBuilder.authorities should default to an empty List.
@philwebb philwebb added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jan 12, 2023
@philwebb philwebb changed the title Allow UserBuilder to easily build a user without any roles Allow UserBuilder to easily build a user without any authorities Jan 12, 2023
@sjohnr sjohnr added in: core An issue in spring-security-core status: ideal-for-contribution An issue that we actively are looking for someone to help us with and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 13, 2023
@sjohnr
Copy link
Contributor

sjohnr commented Jan 13, 2023
edited
Loading

Thanks, @philwebb!

Because it's allowed using the workaround, I agree it probably should be the default. I'm not aware of anything in the framework that would prevent this change or make it seem like a bad idea, but it's possible I'm simply missing it. Hopefully not. 😉

@SaiUpadhyayula
Copy link

@philwebb @sjohnr Can I work on this issue?

@sjohnr
Copy link
Contributor

sjohnr commented Jan 17, 2023

Sure @SaiUpadhyayula! I'll assign to you.

(I will mention that I may take some time to run this change past other team members before anything is merged.)

@jzheaux jzheaux removed the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label Jan 18, 2023
@stillya stillya mentioned this issue Jan 18, 2023
Merged
@stillya
Copy link
Contributor

stillya commented Jan 18, 2023

@philwebb @sjohnr Hi, I have created PR to close this issue, can you take a look? I'm sorry, I didn't notice this issue already assigned, I took it yesterday.

@sjohnr
Copy link
Contributor

sjohnr commented Jan 18, 2023

Thanks @stillya. Please note that it's always best to reach out prior to working on an issue for this very reason.

@SaiUpadhyayula had you already started? If not, would you be interested in taking another one?

@SaiUpadhyayula
Copy link

@sjohnr Fine for me I can check other issues.

@SaiUpadhyayula SaiUpadhyayula removed their assignment Jan 19, 2023
stillya added a commit to stillya/spring-security that referenced this issue Jan 27, 2023
@stillya
Add empty authorities by default
57053a8 
Closes spring-projectsgh-12533
@sjohnr sjohnr linked a pull request Jan 30, 2023 that will close this issue
Add empty authorities by default to easily build a user #12555
Merged
@sjohnr sjohnr added this to the 6.1.0-M2 milestone Jan 30, 2023
sjohnr pushed a commit that referenced this issue Jan 30, 2023
@stillya @sjohnr
Add empty authorities by default
3229bfa 
Closes gh-12533
@sjohnr sjohnr assigned stillya and unassigned sjohnr Jan 30, 2023
@marcusdacoregio marcusdacoregio mentioned this issue Apr 3, 2023
Closed
sjohnr pushed a commit that referenced this issue Jun 13, 2023
@dkorotych
Allow authorities to be overridden in UserBuilder
4def405 
Issue gh-12533
sjohnr pushed a commit that referenced this issue Jun 13, 2023
Polish gh-13290
1f04baa 
Issue gh-12533
@codingtim codingtim mentioned this issue Aug 24, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@stillya stillya

Labels
in: core An issue in spring-security-core type: enhancement A general enhancement
Projects
None yet
Milestone
6.1.0-M2
Development

Successfully merging a pull request may close this issue.

Add empty authorities by default to easily build a user stillya/spring-security
5 participants
@philwebb @jzheaux @SaiUpadhyayula @sjohnr @stillya