Roles and authorities are being overridden in GrantedAuthority and are not accessible within the AuthenticationManager. #17001


Closed

Conversation

surajbh123

User Builder Class Authority Override Issue

Problem Description

The User.builder() class has an issue where data gets overridden depending on the order of method calls. Specifically, there's a conflict between the .authorities() and .roles() methods.

Issue Demonstration

Scenario 1: Authorities Added First, Then Roles

```java
UserDetails user = User.builder()
                .username("user")
                .password(passwordEncoder.encode("user"))
                // first adding authorities
                .authorities("read", "item:view")
                // authorities getting overridden by role
                .roles("USER")
                .accountExpired(false)
                .accountLocked(false)
                .credentialsExpired(false)
                .disabled(false)
                .build();
```

Result: authorities = ["ROLE_USER"]

Scenario 2: Roles Added First, Then Authorities

```java
UserDetails user = User.builder()
                .username("user")
                .password(passwordEncoder.encode("user"))
                // first adding role
                .roles("USER")
                // role getting overridden by authorities
                .authorities("read", "item:view")
                .accountExpired(false)
                .accountLocked(false)
                .credentialsExpired(false)
                .disabled(false)
                .build();
```

Result: authorities = ["read", "item:view"]

Explanation

The issue occurs because both .roles() and .authorities() methods modify the same underlying collection of authorities:

  1. When .roles("USER") is called, it converts the role to "ROLE_USER" and sets it as the sole authority, overwriting any previous authorities.
  2. When .authorities("read", "item:view") is called, it sets these values as the authorities, overwriting any previous authorities including those set by .roles().
  3. The last method called takes precedence, which explains the different results in the two scenarios.

This behavior can lead to unexpected security configurations where permissions are accidentally overridden based on the order of builder method calls.

…tion manager

Signed-off-by: Suraj Bhadrike <[email protected]>

Signed-off-by: surajbh <[email protected]>
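As an added example (not code from this PR or from the Spring Security project), the following Java program reproduces the override described in Scenario 1 and shows the defensive pattern of passing roles and fine-grained permissions to the builder in a single `.authorities(...)` call, followed by a fail-fast check on the resulting `UserDetails`. The helper names `rolesAndPermissions`, `authorityNames` and `requireAuthorities` are this example's own; the `{noop}` password prefix assumes the default `DelegatingPasswordEncoder`.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class AuthorityBuilderCheck {

    // Example helper (not part of Spring Security): builds one combined list so a
    // single .authorities(...) call carries both the role, with the ROLE_ prefix
    // that .roles() would have added, and the fine-grained permissions. Because
    // only one builder call sets the collection, nothing is silently replaced.
    static List<GrantedAuthority> rolesAndPermissions(List<String> roles, List<String> permissions) {
        List<GrantedAuthority> combined = new ArrayList<>();
        for (String role : roles) {
            // Mirror the builder's own rule: callers pass "USER", not "ROLE_USER".
            if (role.startsWith("ROLE_")) {
                throw new IllegalArgumentException(
                        "role should not start with ROLE_, it is added automatically: " + role);
            }
            combined.add(new SimpleGrantedAuthority("ROLE_" + role));
        }
        for (String permission : permissions) {
            combined.add(new SimpleGrantedAuthority(permission));
        }
        return combined;
    }

    // Collects the string form of every authority on the built user.
    static Set<String> authorityNames(UserDetails user) {
        return user.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
    }

    // Fail-fast check: throws if any authority the caller intended is missing,
    // which is exactly what an accidental .roles()/.authorities() override causes.
    static void requireAuthorities(UserDetails user, Set<String> expected) {
        Set<String> actual = authorityNames(user);
        Set<String> missing = new HashSet<>(expected);
        missing.removeAll(actual);
        if (!missing.isEmpty()) {
            throw new IllegalStateException("user '" + user.getUsername()
                    + "' is missing authorities " + missing + "; has " + actual);
        }
    }

    public static void main(String[] args) {
        // Scenario 1 from the PR description: .roles() called after .authorities()
        // replaces the previously set authorities.
        UserDetails overridden = User.builder()
                .username("user")
                .password("{noop}user") // {noop} = unencoded, for the demo only
                .authorities("read", "item:view")
                .roles("USER")
                .build();
        System.out.println("override reproduced: " + authorityNames(overridden));

        // Defensive form: one .authorities(...) call with the combined list.
        UserDetails combined = User.builder()
                .username("user")
                .password("{noop}user")
                .authorities(rolesAndPermissions(List.of("USER"), List.of("read", "item:view")))
                .build();
        requireAuthorities(combined, Set.of("ROLE_USER", "read", "item:view"));
        System.out.println("combined authorities: " + authorityNames(combined));

        // The same check applied to the overridden user throws, surfacing the
        // lost permissions at startup instead of as a denied request later.
        try {
            requireAuthorities(overridden, Set.of("ROLE_USER", "read", "item:view"));
        } catch (IllegalStateException ex) {
            System.out.println("detected: " + ex.getMessage());
        }
    }
}
```

Running `requireAuthorities` against each `UserDetails` at application startup (for example in the code that populates an `InMemoryUserDetailsManager`) turns a silent loss of permissions into an immediate failure, regardless of the order in which the builder methods were chained.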
@jzheaux
Contributor

jzheaux commented Apr 28, 2025

Thanks for the contribution, @surajbh123. Sadly, we won't be able to accept this PR. Please see my comments in #17002

@jzheaux jzheaux closed this Apr 28, 2025
@jzheaux jzheaux self-assigned this Apr 28, 2025
@jzheaux jzheaux added in: core An issue in spring-security-core status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 28, 2025