Validate Parameter in setPostAuthenticationChecks #19277

Open
big-cir wants to merge 1 commit into spring-projects:main from big-cir:gh-19276
big-cir commented Jun 6, 2026

Contributor

Overview

The null check in AbstractUserDetailsReactiveAuthenticationManager#setPostAuthenticationChecks asserts the current field value instead of the method parameter:

public void setPostAuthenticationChecks(UserDetailsChecker postAuthenticationChecks) {
	Assert.notNull(this.postAuthenticationChecks, "postAuthenticationChecks cannot be null");
	this.postAuthenticationChecks = postAuthenticationChecks;
}

Since the field is initialized to a default and can never be null at that point, the assertion always passes and null is silently accepted. The next authenticate(...) call then fails with a raw NullPointerException at .doOnNext(this.postAuthenticationChecks::check) instead of failing fast with a clear message:

manager.setPostAuthenticationChecks(null); // no exception — should throw IllegalArgumentException
manager.authenticate(token).block();       // NullPointerException

All other setters in the same class (setPasswordEncoder, setScheduler, setUserDetailsPasswordService, setMessageSource) validate the parameter. This change fixes the assertion to validate the parameter and adds a regression test.

Related Issue

Closes gh-19276

The null check in setPostAuthenticationChecks of
AbstractUserDetailsReactiveAuthenticationManager asserted the current
field value, which is initialized to a default and can never be null,
instead of the method parameter. As a result, null was silently
accepted and the next authenticate call failed with a raw
NullPointerException instead of failing fast with a clear message.

Closes spring-projectsgh-19276

Signed-off-by: dae won <eodnjs01477@gmail.com>
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 6, 2026
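
The failure mode described in this pull request, as an added example that is not part of the PR or of Spring Security's code: a setter that asserts the field defers the failure to the next authentication call, while one that asserts the parameter rejects null at configuration time. `Manager`, `FixedManager`, `notNull` and `failurePoint` are hypothetical stand-ins, and a `Consumer<String>` stands in for `UserDetailsChecker`.

```java
import java.util.function.Consumer;

// Added example with stand-in classes; not Spring Security's own code.
public class SetterNullCheckDemo {

    static class Manager {
        // Non-null default, as the PR describes for the real field.
        protected Consumer<String> postAuthenticationChecks = (user) -> { };

        // Pattern from the PR: the assertion inspects the field, so it always passes.
        void setPostAuthenticationChecks(Consumer<String> postAuthenticationChecks) {
            notNull(this.postAuthenticationChecks, "postAuthenticationChecks cannot be null");
            this.postAuthenticationChecks = postAuthenticationChecks;
        }

        void authenticate(String user) {
            this.postAuthenticationChecks.accept(user); // NullPointerException if null was stored
        }
    }

    static class FixedManager extends Manager {
        @Override
        void setPostAuthenticationChecks(Consumer<String> postAuthenticationChecks) {
            notNull(postAuthenticationChecks, "postAuthenticationChecks cannot be null");
            this.postAuthenticationChecks = postAuthenticationChecks;
        }
    }

    // Hypothetical helper: throws IllegalArgumentException on null.
    static void notNull(Object value, String message) {
        if (value == null) {
            throw new IllegalArgumentException(message);
        }
    }

    // Reports where a null checker is rejected: "setter", "authenticate" or "never".
    static String failurePoint(Manager manager) {
        try {
            manager.setPostAuthenticationChecks(null);
        } catch (IllegalArgumentException ex) {
            return "setter";
        }
        try {
            manager.authenticate("user");
        } catch (NullPointerException ex) {
            return "authenticate";
        }
        return "never";
    }

    public static void main(String[] args) {
        System.out.println("field asserted:     fails at " + failurePoint(new Manager()));
        System.out.println("parameter asserted: fails at " + failurePoint(new FixedManager()));
    }
}
```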
Development

Successfully merging this pull request may close these issues.

setPostAuthenticationChecks in AbstractUserDetailsReactiveAuthenticationManager validates the field instead of the parameter