Handle Empty Role

Closes gh-13079
spring-projects · Apr 24, 2023 · 73a543d · 73a543d
1 parent e3cc8d1
commit 73a543d
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/...c/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java b/...c/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java
@@ -130,7 +130,7 @@ private static String[] toNamedRolesArray(String rolePrefix, String[] roles) {
 		String[] result = new String[roles.length];
 		for (int i = 0; i < roles.length; i++) {
 			String role = roles[i];
-			Assert.isTrue(!role.startsWith(rolePrefix), () -> role + " should not start with " + rolePrefix + " since "
+			Assert.isTrue(rolePrefix.isEmpty() || !role.startsWith(rolePrefix), () -> role + " should not start with " + rolePrefix + " since "
 					+ rolePrefix
 					+ " is automatically prepended when using hasAnyRole. Consider using hasAnyAuthority instead.");
 			result[i] = rolePrefix + role;

diff --git a/...t/java/org/springframework/security/authorization/AuthorityAuthorizationManagerTests.java b/...t/java/org/springframework/security/authorization/AuthorityAuthorizationManagerTests.java
@@ -266,4 +266,9 @@ public void hasRoleWhenRoleHierarchySetThenGreaterRoleTakesPrecedence() {
 		assertThat(manager.check(authentication, object).isGranted()).isTrue();
 	}
 
+	// gh-13079
+	@Test
+	void hasAnyRoleWhenEmptyRolePrefixThenNoException() {
+		AuthorityAuthorizationManager.hasAnyRole("", new String[] { "USER" });
+	}
 }