
Roles and authorities are being overridden in GrantedAuthority and are not accessible within the AuthenticationManager. #17002


Open
surajbh123 opened this issue Apr 26, 2025 · 1 comment
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug

Comments

@surajbh123

User Builder Class Authority Override Issue

Problem Description

The User.builder() class has an issue where data gets overridden depending on the order of method calls. Specifically, there's a conflict between the .authorities() and .roles() methods.

Issue Demonstration

Scenario 1: Authorities Added First, Then Roles

```java
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

UserDetails user = User.builder()
                .username("user")
                .password(passwordEncoder.encode("user"))
                // first adding authorities
                .authorities("read", "item:view")
                // authorities getting overridden by role
                .roles("USER")
                .accountExpired(false)
                .accountLocked(false)
                .credentialsExpired(false)
                .disabled(false)
                .build();
```

Result: authorities = ["ROLE_USER"]

Scenario 2: Roles Added First, Then Authorities

```java
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

UserDetails user = User.builder()
                .username("user")
                .password(passwordEncoder.encode("user"))
                // first adding role
                .roles("USER")
                // role getting overridden by authorities
                .authorities("read", "item:view")
                .accountExpired(false)
                .accountLocked(false)
                .credentialsExpired(false)
                .disabled(false)
                .build();
```

Result: authorities = ["read", "item:view"]

Explanation

The issue occurs because both .roles() and .authorities() methods modify the same underlying collection of authorities:

  1. When .roles("USER") is called, it converts the role to "ROLE_USER" and sets it as the sole authority, overwriting any previous authorities.
  2. When .authorities("read", "item:view") is called, it sets these values as the authorities, overwriting any previous authorities including those set by .roles().
  3. The last method called takes precedence, which explains the different results in the two scenarios.

This behavior can lead to unexpected security configurations where permissions are accidentally overridden based on the order of builder method calls.
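The override described above means a user that needs both a role and fine-grained permissions should have them assembled into one list and handed to `authorities(...)` in a single call, rather than split across `roles()` and `authorities()`. The following is an added example (not code from the issue or from Spring Security itself) that builds the user that way and verifies the resulting authority set; `buildUser`, `authorityNames` and `requireAuthorities` are helper names assumed for this demonstration, and the `{noop}` password is a placeholder.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class AuthorityOrderDemo {

    // Assumed helper: prefixes each role with ROLE_ (as roles() would), appends the
    // plain permissions, and passes the combined list to authorities() exactly once,
    // so no later builder call can replace it.
    static UserDetails buildUser(String username, String encodedPassword,
                                 List<String> roles, List<String> permissions) {
        List<String> all = new ArrayList<>();
        for (String role : roles) {
            all.add("ROLE_" + role);
        }
        all.addAll(permissions);
        return User.builder()
                .username(username)
                .password(encodedPassword)
                .authorities(AuthorityUtils.createAuthorityList(all.toArray(new String[0])))
                .build();
    }

    // Assumed helper: the authority strings actually stored on the built user.
    static List<String> authorityNames(UserDetails user) {
        return user.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());
    }

    // Assumed helper: fail fast at startup if an expected authority was silently dropped,
    // which is the failure mode the issue describes.
    static void requireAuthorities(UserDetails user, String... expected) {
        List<String> present = authorityNames(user);
        for (String e : expected) {
            if (!present.contains(e)) {
                throw new IllegalStateException("missing authority " + e + " in " + present);
            }
        }
    }

    public static void main(String[] args) {
        // Placeholder credential; a real application supplies an encoded password.
        UserDetails user = buildUser("user", "{noop}secret",
                List.of("USER"), List.of("read", "item:view"));
        requireAuthorities(user, "ROLE_USER", "read", "item:view");
        System.out.println(authorityNames(user));
    }
}
```

Calling `requireAuthorities` with the full expected set turns the silent override into an immediate startup failure, which is easier to catch than a missing permission discovered in production.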

@surajbh123 surajbh123 added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 26, 2025
@surajbh123
Author

PR: #17001
