Prevent Dupliate GrantedAuthority#getAuthority()

If the GrantedAuthority is not equal, but contains a duplicate
GrantedAuthority#getAuthority() then at the time of authentication,
the Filter or WebFilter will duplicate the GrantedAuthority which leads
to a memory leak. This is important to avoid for when we add support for
a GrantedAuthority that might have an issuedAt attribute. If it is too
old, then we'd want only the new GrantedAuthority to be added and the old
instance to be removed. However, the two GrantedAuthority instances
will not be equal because the issuedAt will not be equal.

Closes gh-17981

Author: rwinch

web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java

@@ -17,6 +17,8 @@
 package org.springframework.security.web.authentication;
 
 import java.io.IOException;
+import java.util.Set;
+import java.util.stream.Collectors;
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
@@ -39,6 +41,7 @@
 import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -251,8 +254,19 @@ private void doFilter(HttpServletRequest request, HttpServletResponse response,
 			Authentication current = this.securityContextHolderStrategy.getContext().getAuthentication();
 			if (current != null && current.isAuthenticated()) {
 				authenticationResult = authenticationResult.toBuilder()
-					.authorities((a) -> a.addAll(current.getAuthorities()))
+				// @formatter:off
+					.authorities((a) -> {
+						Set<String> newAuthorities = a.stream()
+							.map(GrantedAuthority::getAuthority)
+							.collect(Collectors.toUnmodifiableSet());
+						for (GrantedAuthority currentAuthority : current.getAuthorities()) {
+							if (!newAuthorities.contains(currentAuthority.getAuthority())) {
+								a.add(currentAuthority);
+							}
+						}
+					})
 					.build();
+					// @formatter:on
 			}
 			this.sessionStrategy.onAuthentication(authenticationResult, request, response);
 			// Authentication success

web/src/main/java/org/springframework/security/web/authentication/AuthenticationFilter.java

@@ -17,6 +17,8 @@
 package org.springframework.security.web.authentication;
 
 import java.io.IOException;
+import java.util.Set;
+import java.util.stream.Collectors;
 
 import jakarta.servlet.Filter;
 import jakarta.servlet.FilterChain;
@@ -31,6 +33,7 @@
 import org.springframework.security.authentication.AuthenticationManagerResolver;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -187,8 +190,19 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 			Authentication current = this.securityContextHolderStrategy.getContext().getAuthentication();
 			if (current != null && current.isAuthenticated()) {
 				authenticationResult = authenticationResult.toBuilder()
-					.authorities((a) -> a.addAll(current.getAuthorities()))
+				// @formatter:off
+					.authorities((a) -> {
+						Set<String> newAuthorities = a.stream()
+							.map(GrantedAuthority::getAuthority)
+							.collect(Collectors.toUnmodifiableSet());
+						for (GrantedAuthority currentAuthority : current.getAuthorities()) {
+							if (!newAuthorities.contains(currentAuthority.getAuthority())) {
+								a.add(currentAuthority);
+							}
+						}
+					})
 					.build();
+					// @formatter:on
 			}
 			HttpSession session = request.getSession(false);
 			if (session != null) {

web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java

@@ -17,6 +17,8 @@
 package org.springframework.security.web.authentication.preauth;
 
 import java.io.IOException;
+import java.util.Set;
+import java.util.stream.Collectors;
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
@@ -35,6 +37,7 @@
 import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -207,8 +210,19 @@ private void doAuthenticate(HttpServletRequest request, HttpServletResponse resp
 			Authentication current = this.securityContextHolderStrategy.getContext().getAuthentication();
 			if (current != null && current.isAuthenticated()) {
 				authenticationResult = authenticationResult.toBuilder()
-					.authorities((a) -> a.addAll(current.getAuthorities()))
+				// @formatter:off
+					.authorities((a) -> {
+						Set<String> newAuthorities = a.stream()
+								.map(GrantedAuthority::getAuthority)
+								.collect(Collectors.toUnmodifiableSet());
+						for (GrantedAuthority currentAuthority : current.getAuthorities()) {
+							if (!newAuthorities.contains(currentAuthority.getAuthority())) {
+								a.add(currentAuthority);
+							}
+						}
+					})
 					.build();
+					// @formatter:on
 			}
 			successfulAuthentication(request, response, authenticationResult);
 		}

web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java

@@ -18,6 +18,8 @@
 
 import java.io.IOException;
 import java.nio.charset.Charset;
+import java.util.Set;
+import java.util.stream.Collectors;
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
@@ -31,6 +33,7 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -188,7 +191,20 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 				Authentication authResult = this.authenticationManager.authenticate(authRequest);
 				Authentication current = this.securityContextHolderStrategy.getContext().getAuthentication();
 				if (current != null && current.isAuthenticated()) {
-					authResult = authResult.toBuilder().authorities((a) -> a.addAll(current.getAuthorities())).build();
+					authResult = authResult.toBuilder()
+					// @formatter:off
+						.authorities((a) -> {
+							Set<String> newAuthorities = a.stream()
+								.map(GrantedAuthority::getAuthority)
+								.collect(Collectors.toUnmodifiableSet());
+							for (GrantedAuthority currentAuthority : current.getAuthorities()) {
+								if (!newAuthorities.contains(currentAuthority.getAuthority())) {
+									a.add(currentAuthority);
+								}
+							}
+						})
+						.build();
+						// @formatter:on
 				}
 				SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
 				context.setAuthentication(authResult);

web/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java

@@ -16,7 +16,9 @@
 
 package org.springframework.security.web.server.authentication;
 
+import java.util.Set;
 import java.util.function.Function;
+import java.util.stream.Collectors;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -27,6 +29,7 @@
 import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.web.server.WebFilterExchange;
@@ -138,7 +141,20 @@ private Mono<Authentication> applyCurrentAuthenication(Authentication result) {
 			if (!current.isAuthenticated()) {
 				return result;
 			}
-			return result.toBuilder().authorities((a) -> a.addAll(current.getAuthorities())).build();
+			return result.toBuilder()
+			// @formatter:off
+				.authorities((a) -> {
+					Set<String> newAuthorities = a.stream()
+						.map(GrantedAuthority::getAuthority)
+						.collect(Collectors.toUnmodifiableSet());
+					for (GrantedAuthority currentAuthority : current.getAuthorities()) {
+						if (!newAuthorities.contains(currentAuthority.getAuthority())) {
+							a.add(currentAuthority);
+						}
+					}
+				})
+				.build();
+				// @formatter:on
 		}).switchIfEmpty(Mono.just(result));
 	}
 

web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java

@@ -16,13 +16,16 @@
 
 package org.springframework.security.web.authentication;
 
+import java.util.ArrayList;
+
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import jakarta.servlet.http.HttpSession;
 import org.apache.commons.logging.Log;
+import org.jspecify.annotations.Nullable;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -35,12 +38,15 @@
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.InternalAuthenticationServiceException;
 import org.springframework.security.authentication.TestAuthentication;
+import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServicesTests;
 import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
@@ -438,6 +444,42 @@ public void loginErrorWithInternAuthenticationServiceExceptionLogsError() throws
 		assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
 	}
 
+	@Test
+	void doFilterWhenAuthenticatedThenCombinesAuthorities() throws Exception {
+		String ROLE_EXISTING = "ROLE_EXISTING";
+		TestingAuthenticationToken existingAuthn = new TestingAuthenticationToken("username", "password",
+				ROLE_EXISTING);
+		SecurityContextHolder.setContext(new SecurityContextImpl(existingAuthn));
+		MockHttpServletRequest request = createMockAuthenticationRequest();
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		MockAuthenticationFilter filter = new MockAuthenticationFilter(true);
+		filter.doFilter(request, response, new MockFilterChain(false));
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		assertThat(authentication.getAuthorities()).extracting(GrantedAuthority::getAuthority)
+			.containsExactlyInAnyOrder(ROLE_EXISTING, "TEST");
+	}
+
+	/**
+	 * This is critical to avoid adding duplicate GrantedAuthority instances with the
+	 * same' authority when the issuedAt is too old and a new instance is requested.
+	 * @throws Exception
+	 */
+	@Test
+	void doFilterWhenDefaultEqualsAuthorityThenNoDuplicates() throws Exception {
+		TestingAuthenticationToken existingAuthn = new TestingAuthenticationToken("username", "password",
+				new DefaultEqualsGrantedAuthority());
+		SecurityContextHolder.setContext(new SecurityContextImpl(existingAuthn));
+		MockHttpServletRequest request = createMockAuthenticationRequest();
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		MockAuthenticationFilter filter = new MockAuthenticationFilter(
+				new TestingAuthenticationToken("username", "password", new DefaultEqualsGrantedAuthority()));
+		filter.doFilter(request, response, new MockFilterChain(false));
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		assertThat(new ArrayList<GrantedAuthority>(authentication.getAuthorities()))
+			.extracting(GrantedAuthority::getAuthority)
+			.containsExactly(DefaultEqualsGrantedAuthority.AUTHORITY);
+	}
+
 	/**
 	 * https://github.com/spring-projects/spring-security/pull/3905
 	 */
@@ -453,38 +495,41 @@ private class MockAuthenticationFilter extends AbstractAuthenticationProcessingF
 
 		private AuthenticationException exceptionToThrow;
 
-		private boolean grantAccess;
+		private final @Nullable Authentication authentication;
 
-		MockAuthenticationFilter(boolean grantAccess) {
-			this();
+		MockAuthenticationFilter(Authentication authentication) {
+			super(DEFAULT_FILTER_PROCESSING_URL);
+			this.authentication = authentication;
 			setupRememberMeServicesAndAuthenticationException();
-			this.grantAccess = grantAccess;
+		}
+
+		MockAuthenticationFilter(boolean grantAccess) {
+			this(createDefaultAuthentication(grantAccess));
 		}
 
 		private MockAuthenticationFilter() {
-			super(DEFAULT_FILTER_PROCESSING_URL);
+			this(null);
 		}
 
 		private MockAuthenticationFilter(String defaultFilterProcessingUrl,
 				AuthenticationManager authenticationManager) {
 			super(defaultFilterProcessingUrl, authenticationManager);
 			setupRememberMeServicesAndAuthenticationException();
-			this.grantAccess = true;
+			this.authentication = createDefaultAuthentication(true);
 		}
 
 		private MockAuthenticationFilter(RequestMatcher requiresAuthenticationRequestMatcher,
 				AuthenticationManager authenticationManager) {
 			super(requiresAuthenticationRequestMatcher, authenticationManager);
 			setupRememberMeServicesAndAuthenticationException();
-			this.grantAccess = true;
+			this.authentication = createDefaultAuthentication(true);
 		}
 
 		@Override
 		public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 				throws AuthenticationException {
-			if (this.grantAccess) {
-				return UsernamePasswordAuthenticationToken.authenticated("test", "test",
-						AuthorityUtils.createAuthorityList("TEST"));
+			if (this.authentication != null) {
+				return this.authentication;
 			}
 			else {
 				throw this.exceptionToThrow;
@@ -496,6 +541,14 @@ private void setupRememberMeServicesAndAuthenticationException() {
 			this.exceptionToThrow = new BadCredentialsException("Mock requested to do so");
 		}
 
+		private static @Nullable Authentication createDefaultAuthentication(boolean grantAccess) {
+			if (!grantAccess) {
+				return null;
+			}
+			return UsernamePasswordAuthenticationToken.authenticated("test", "test",
+					AuthorityUtils.createAuthorityList("TEST"));
+		}
+
 	}
 
 	private class MockFilterChain implements FilterChain {

web/src/test/java/org/springframework/security/web/authentication/AuthenticationFilterTests.java

@@ -39,6 +39,7 @@
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -303,6 +304,50 @@ public void filterWhenSuccessfulAuthenticationThenNoSessionCreated() throws Exce
 		assertThat(request.getSession(false)).isNull();
 	}
 
+	@Test
+	public void doFilterWhenAuthenticatedThenCombinesAuthorities() throws Exception {
+		String ROLE_EXISTING = "ROLE_EXISTING";
+		TestingAuthenticationToken existingAuthn = new TestingAuthenticationToken("username", "password",
+				ROLE_EXISTING);
+		SecurityContextHolder.setContext(new SecurityContextImpl(existingAuthn));
+		given(this.authenticationConverter.convert(any())).willReturn(existingAuthn);
+		given(this.authenticationManager.authenticate(any()))
+			.willReturn(new TestingAuthenticationToken("user", "password", "TEST"));
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		FilterChain chain = new MockFilterChain();
+		AuthenticationFilter filter = new AuthenticationFilter(this.authenticationManager,
+				this.authenticationConverter);
+		filter.doFilter(request, response, chain);
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		assertThat(authentication.getAuthorities()).extracting(GrantedAuthority::getAuthority)
+			.containsExactlyInAnyOrder(ROLE_EXISTING, "TEST");
+	}
+
+	/**
+	 * This is critical to avoid adding duplicate GrantedAuthority instances with the
+	 * same' authority when the issuedAt is too old and a new instance is requested.
+	 * @throws Exception
+	 */
+	@Test
+	public void doFilterWhenDefaultEqualsGrantedAuthorityThenNoDuplicates() throws Exception {
+		TestingAuthenticationToken existingAuthn = new TestingAuthenticationToken("username", "password",
+				new DefaultEqualsGrantedAuthority());
+		SecurityContextHolder.setContext(new SecurityContextImpl(existingAuthn));
+		given(this.authenticationConverter.convert(any())).willReturn(existingAuthn);
+		given(this.authenticationManager.authenticate(any()))
+			.willReturn(new TestingAuthenticationToken("user", "password", new DefaultEqualsGrantedAuthority()));
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		FilterChain chain = new MockFilterChain();
+		AuthenticationFilter filter = new AuthenticationFilter(this.authenticationManager,
+				this.authenticationConverter);
+		filter.doFilter(request, response, chain);
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		assertThat(authentication.getAuthorities()).extracting(GrantedAuthority::getAuthority)
+			.containsExactlyInAnyOrder(DefaultEqualsGrantedAuthority.AUTHORITY);
+	}
+
 	@Test
 	public void filterWhenCustomSecurityContextRepositoryAndSuccessfulAuthenticationRepositoryUsed() throws Exception {
 		SecurityContextRepository securityContextRepository = mock(SecurityContextRepository.class);