Add not null validation for UserDetailsChecker in AbstractUserDetailsAuthenticationProvider #16710


Merged

@pogihae pogihae commented Mar 10, 2025

Add early validation for authentication checks

Details

This PR adds validation for preAuthenticationChecks and postAuthenticationChecks in
AbstractUserDetailsAuthenticationProvider. The primary approach is to add assertions in
the afterPropertiesSet() method to detect null values early in the application lifecycle.

Currently, if these checks are set to null, a NullPointerException is thrown during the
authentication process, which might be difficult to troubleshoot. The early validation approach
ensures errors are detected at initialization time with a clear error message.

Alternative Approach Considered

As an alternative, we could add null checks before invoking the check() methods:

```java
if (this.preAuthenticationChecks != null) {
    this.preAuthenticationChecks.check(user);
}
```

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Mar 10, 2025
@franticticktick
Contributor

Hi @pogihae, thanks for this polish. I'm not sure that such a check in afterPropertiesSet is the best solution to this problem - preAuthenticationChecks and postAuthenticationChecks already have default values, and if we haven't changed them, then there's no particular point in checking.
But we can add nonNull checks to setPostAuthenticationChecks and setPreAuthenticationChecks methods, thus we ensure that null never gets into preAuthenticationChecks and postAuthenticationChecks.

@pogihae
Author

pogihae commented Mar 10, 2025

Hi @franticticktick, thanks for the comment.

You're right. I added the null checks in afterPropertiesSet() because I noticed that other components like message source and user cache also perform null checks there despite having default values. I thought this might be a convention for the codebase, but perhaps I misunderstood.

@jzheaux
Contributor

jzheaux commented Mar 20, 2025

Hi, @pogihae. Thanks for the PR. The convention is an older one that Spring Security is replacing with validating the setter parameters as @franticticktick explained.

That said, sticking with a class's internal convention is often helpful to maintaining the class's readability. For this PR, let's continue checking in afterPropertiesSet.

We can also open an issue to move afterPropertiesSet checks into setters/constructors in 7.
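
An added example, not part of the PR or of Spring Security's code: a stand-alone Java program contrasting the three options discussed in this thread (assert in an init method, guard nulls at the call site, validate in the setter). `Checker`, `Provider`, `init()`, the `guardNulls` flag and the messages are hypothetical stand-ins.

```java
import java.util.Objects;

// Stand-in types written for this example; not Spring Security's classes.
public class CheckerValidationDemo {
    interface Checker { void check(String user); }

    static class Provider {
        private Checker preChecks = user -> { };   // non-null default, as in the thread
        private Checker postChecks = user -> { };
        private final boolean guardNulls;          // true = the "alternative approach"

        Provider(boolean guardNulls) { this.guardNulls = guardNulls; }

        // Older convention: the setter accepts anything, init() validates later.
        void setPreChecks(Checker checker) { this.preChecks = checker; }

        // Setter validation: null is rejected at the call that introduces it.
        void setPostChecks(Checker checker) {
            this.postChecks = Objects.requireNonNull(checker, "postChecks cannot be null");
        }

        // Plays the role of afterPropertiesSet(): fail at startup with a clear message.
        void init() {
            if (this.preChecks == null || this.postChecks == null) {
                throw new IllegalStateException("authentication checks must be set");
            }
        }

        void authenticate(String user) {
            if (!this.guardNulls || this.preChecks != null) this.preChecks.check(user);
            if (!this.guardNulls || this.postChecks != null) this.postChecks.check(user);
        }
    }

    static String outcome(Runnable action) {
        try { action.run(); return "ok"; }
        catch (RuntimeException ex) { return ex.getClass().getSimpleName(); }
    }

    public static void main(String[] args) {
        Provider unchecked = new Provider(false);
        unchecked.setPreChecks(null);
        System.out.println("no validation, at login: " + outcome(() -> unchecked.authenticate("alice")));
        System.out.println("init-time validation:    " + outcome(unchecked::init));
        Provider guarded = new Provider(true);
        guarded.setPreChecks(null);
        System.out.println("null guard, at login:    " + outcome(() -> guarded.authenticate("alice")));
        System.out.println("setter validation:       " + outcome(() -> guarded.setPostChecks(null)));
    }
}
```

With the null guard the login path completes with the check silently skipped, while the other options fail at startup, at the setter call, or with a NullPointerException at login.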

@jzheaux jzheaux added in: core An issue in spring-security-core type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 20, 2025
…ovider

Add assertions to validate that preAuthenticationChecks and
postAuthenticationChecks are not null during initialization.
This allows errors to be detected earlier in the application lifecycle.

Closes PR-16710

Signed-off-by: minseok.park <[email protected]>
@jzheaux jzheaux force-pushed the add_authenticationchecks_validation branch from 244b6fb to 5f1f7e3 Compare March 20, 2025 19:16
@jzheaux jzheaux added this to the 6.5.0-RC1 milestone Mar 27, 2025
@jzheaux jzheaux self-assigned this Mar 27, 2025
@jzheaux jzheaux merged commit 88a3801 into spring-projects:main Mar 27, 2025
6 checks passed
@jzheaux
Contributor

jzheaux commented Mar 27, 2025

Thanks, @pogihae! This is now merged into main.
