Tolerate AuthenticationSwitchUserEvent with null target user

wilkinsona · wilkinsona · commit 8e6b4629d4e9 · 2019-02-12T16:26:19.000Z
When Spring Security is misconfigured it's possible to switch from an anonymous user to a normal user. When switching back again, the corresponding AuthenticationSwitchUserEvent will have a null target user. Previously, Actuator's AuthenticationAuditListener would throw a NullPointerException when it received such an event. This commit updates the audit listener to defensively handled events with a null target user. Closes gh-15767
diff --git a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/security/AuthenticationAuditListener.java b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/security/AuthenticationAuditListener.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -103,7 +103,9 @@ public void process(AuthenticationAuditListener listener,
 				if (event.getAuthentication().getDetails() != null) {
 					data.put("details", event.getAuthentication().getDetails());
 				}
-				data.put("target", event.getTargetUser().getUsername());
+				if (event.getTargetUser() != null) {
+					data.put("target", event.getTargetUser().getUsername());
+				}
 				listener.publish(new AuditEvent(event.getAuthentication().getName(),
 						AUTHENTICATION_SWITCH, data));
 			}
diff --git a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/security/AuthenticationAuditListenerTests.java b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/security/AuthenticationAuditListenerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2018 the original author or authors.
+ * Copyright 2012-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -92,6 +92,16 @@ public void testAuthenticationSwitch() {
 				.isEqualTo(AuthenticationAuditListener.AUTHENTICATION_SWITCH);
 	}
 
+	@Test
+	public void testAuthenticationSwitchBackToAnonymous() {
+		AuditApplicationEvent event = handleAuthenticationEvent(
+				new AuthenticationSwitchUserEvent(
+						new UsernamePasswordAuthenticationToken("user", "password"),
+						null));
+		assertThat(event.getAuditEvent().getType())
+				.isEqualTo(AuthenticationAuditListener.AUTHENTICATION_SWITCH);
+	}
+
 	@Test
 	public void testDetailsAreIncludedInAuditEvent() {
 		Object details = new Object();

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright 2012-2017 the original author or authors.`
	`2`	`+ * Copyright 2012-2019 the original author or authors.`
`3`	`3`	`*`
`4`	`4`	`* Licensed under the Apache License, Version 2.0 (the "License");`
`5`	`5`	`* you may not use this file except in compliance with the License.`
`@@ -103,7 +103,9 @@ public void process(AuthenticationAuditListener listener,`
`103`	`103`	`if (event.getAuthentication().getDetails() != null) {`
`104`	`104`	`data.put("details", event.getAuthentication().getDetails());`
`105`	`105`	`}`
`106`		`- data.put("target", event.getTargetUser().getUsername());`
	`106`	`+ if (event.getTargetUser() != null) {`
	`107`	`+ data.put("target", event.getTargetUser().getUsername());`
	`108`	`+ }`
`107`	`109`	`listener.publish(new AuditEvent(event.getAuthentication().getName(),`
`108`	`110`	`AUTHENTICATION_SWITCH, data));`
`109`	`111`	`}`