diff --git a/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java b/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java
index 3688f01c480..ebf601ada60 100644
--- a/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java
+++ b/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java
@@ -112,7 +112,9 @@ private void addArgumentsAsVariables() {
 }
 for (int i = 0; i < args.length; i++) {
- super.setVariable(paramNames[i], args[i]);
+ if (paramNames[i] != null) {
+ setVariable(paramNames[i], args[i]);
+ }
 }
 }
diff --git a/core/src/test/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContextTests.java b/core/src/test/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContextTests.java
new file mode 100644
index 00000000000..6a538814406
--- /dev/null
+++ b/core/src/test/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContextTests.java
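Review bot: In `addArgumentsAsVariables` (MethodSecurityEvaluationContext.java) the new `if (paramNames[i] != null)` guard drops an argument without leaving any trace, so an authorization expression that refers to that parameter as a `#variable` will, given how SpEL treats an unset variable, evaluate against null instead of the real argument. Expressions that tolerate null, such as a `hasPermission(#id, …)` call, could then reach a decision on the wrong input, and nothing in the logs would explain why. I would record the skip, for example with `// name not discoverable: argument is not exposed, "#<name>" resolves to null` above the guard and a debug-level message in an `else` branch, assuming a logger is available in this class. The loop also indexes `paramNames` by `args.length`; the method body starts outside the hunk, so whether the two lengths are checked to match cannot be seen from here.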
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2002-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.access.expression.method;
+
+import java.lang.reflect.Method;
+
+import org.aopalliance.intercept.MethodInvocation;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import org.springframework.core.ParameterNameDiscoverer;
+import org.springframework.lang.Nullable;
+import org.springframework.security.core.Authentication;
+import org.springframework.util.ReflectionUtils;
+
+import static org.mockito.Mockito.doReturn;
+
+/**
+ * @author shabarijonnalagadda
+ *
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class MethodSecurityEvaluationContextTests {
+ @Mock
+ private ParameterNameDiscoverer paramNameDiscoverer;
+ @Mock
+ private Authentication authentication;
+ @Mock
+ private MethodInvocation methodInvocation;
+
+ @Test
+ public void lookupVariableWhenParameterNameNullThenNotSet() {
+ Class type = String.class;
+ Method method = ReflectionUtils.findMethod(String.class, "contains", CharSequence.class);
+ doReturn(new String[] {null}).when(paramNameDiscoverer).getParameterNames(method);
+ doReturn(new Object[]{null}).when(methodInvocation).getArguments();
+ doReturn(type).when(methodInvocation).getThis();
+ doReturn(method).when(methodInvocation).getMethod();
+ NotNullVariableMethodSecurityEvaluationContext context= new NotNullVariableMethodSecurityEvaluationContext(authentication, methodInvocation, paramNameDiscoverer);
+ context.lookupVariable("testVariable");
+ }
+
+ private static class NotNullVariableMethodSecurityEvaluationContext
+ extends MethodSecurityEvaluationContext {
+
+ public NotNullVariableMethodSecurityEvaluationContext(Authentication auth, MethodInvocation mi,
+ ParameterNameDiscoverer parameterNameDiscoverer) {
+ super(auth, mi, parameterNameDiscoverer);
+ }
+
+ @Override
+ public void setVariable(String name, @Nullable Object value) {
+ if ( name == null ) {
+ throw new IllegalArgumentException("name should not be null");
+ }
+ else {
+ super.setVariable(name, value);
+ }
+ }
+ }
+}
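Review bot: `lookupVariableWhenParameterNameNullThenNotSet` contains no assertion; it passes only because the `NotNullVariableMethodSecurityEvaluationContext` override does not throw, so a regression that stops binding every argument would pass as well. I would pin the outcome, e.g. `assertThat(context.lookupVariable("testVariable")).isNull();` (AssertJ, which this file does not import yet), and add a second case with one null and one non-null name that checks the named argument is still resolvable. Separately, `getThis()` is stubbed to return `String.class` through a raw `Class type`, so the target object is a `Class` instance rather than a `String`; `doReturn("target").when(methodInvocation).getThis();` would match the `String.contains` method being looked up.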