Allow ACL to be owned by GrantedAuthoritySid

acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java

@@ -93,11 +93,17 @@ public void securityCheck(Acl acl, int changeType) {
 				&& ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
 			return;
 		}
-		// Not authorized by ACL ownership; try via adminstrative permissions
-		GrantedAuthority requiredAuthority = getRequiredAuthority(changeType);
 
 		// Iterate this principal's authorities to determine right
 		Set<String> authorities = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
+		if (acl.getOwner() instanceof GrantedAuthoritySid
+				&& authorities.contains(((GrantedAuthoritySid) acl.getOwner()).getGrantedAuthority())) {
+			return;
+		}
+
+		// Not authorized by ACL ownership; try via adminstrative permissions
+		GrantedAuthority requiredAuthority = getRequiredAuthority(changeType);
+
 		if (authorities.contains(requiredAuthority.getAuthority())) {
 			return;
 		}

acl/src/test/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImplTests.java

@@ -31,6 +31,8 @@
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 
+import static org.mockito.BDDMockito.given;
+
 /**
  * @author Rob Winch
  *
@@ -66,6 +68,14 @@ public void securityCheckWhenCustomAuthorityThenNameIsUsed() {
 		this.strategy.securityCheck(this.acl, AclAuthorizationStrategy.CHANGE_GENERAL);
 	}
 
+	// gh-9425
+	@Test
+	public void securityCheckWhenAclOwnedByGrantedAuthority() {
+		given(this.acl.getOwner()).willReturn(new GrantedAuthoritySid("ROLE_AUTH"));
+		this.strategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_SYSTEM_ADMIN"));
+		this.strategy.securityCheck(this.acl, AclAuthorizationStrategy.CHANGE_GENERAL);
+	}
+
 	@SuppressWarnings("serial")
 	class CustomAuthority implements GrantedAuthority {