From 98b4fdc8f7969f618160120e821fed6155f421c8 Mon Sep 17 00:00:00 2001
From: Florian BEZANNIER <48728684+flobz@users.noreply.github.com>
Date: Wed, 15 Oct 2025 13:22:42 +0200
Subject: [PATCH] Fix claims NPE (#2725) * fix: npe when current claims is null eror was Object.getClass()" because "current" is null * style: fix
---
 .../mgmt/MgmtSecurityConfiguration.java | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/hawkbit-mgmt/hawkbit-mgmt-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtSecurityConfiguration.java b/hawkbit-mgmt/hawkbit-mgmt-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtSecurityConfiguration.java
index 0b575df1d..ffc319a9a 100644
--- a/hawkbit-mgmt/hawkbit-mgmt-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtSecurityConfiguration.java
+++ b/hawkbit-mgmt/hawkbit-mgmt-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtSecurityConfiguration.java
@@ -61,7 +61,7 @@ import org.springframework.security.web.session.SessionManagementFilter;
 */
 @Slf4j
 @Configuration
-@EnableConfigurationProperties({HawkbitSecurityProperties.class, OidcProperties.class})
+@EnableConfigurationProperties({ HawkbitSecurityProperties.class, OidcProperties.class })
 @EnableWebSecurity
 public class MgmtSecurityConfiguration {
@@ -103,23 +103,20 @@ public class MgmtSecurityConfiguration { @Order(350) SecurityFilterChain filterChainREST( final HttpSecurity http, - @Autowired(required = false) - @Qualifier("hawkbitOAuth2ResourceServerCustomizer") final Customizer> oauth2ResourceServerCustomizer, + @Autowired(required = false) @Qualifier("hawkbitOAuth2ResourceServerCustomizer") final Customizer> oauth2ResourceServerCustomizer, // called just before build of the SecurityFilterChain. // could be used for instance to set authentication provider // Note: implementation of the customizer shall always take in account what is the already set by the hawkBit - @Autowired(required = false) - @Qualifier("hawkbitHttpSecurityCustomizer") final Customizer httpSecurityCustomizer, + @Autowired(required = false) @Qualifier("hawkbitHttpSecurityCustomizer") final Customizer httpSecurityCustomizer, final SystemManagement systemManagement, final SystemSecurityContext systemSecurityContext) throws Exception { http .securityMatcher(MgmtRestConstants.BASE_REST_MAPPING + "/**", MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**") - .authorizeHttpRequests(amrmRegistry -> - amrmRegistry - .requestMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**") - .hasAnyAuthority(SpPermission.SYSTEM_ADMIN) - .anyRequest() - .authenticated()) + .authorizeHttpRequests(amrmRegistry -> amrmRegistry + .requestMatchers(MgmtRestConstants.BASE_SYSTEM_MAPPING + "/admin/**") + .hasAnyAuthority(SpPermission.SYSTEM_ADMIN) + .anyRequest() + .authenticated()) .anonymous(AbstractHttpConfigurer::disable) .csrf(AbstractHttpConfigurer::disable) .addFilterAfter( 
@@ -178,7 +175,7 @@ public class MgmtSecurityConfiguration {
 final String tenant = tenantClaim == null ? "DEFAULT" : followPathInJwtClaims(jwt, tenantClaim, String.class);
 final Collection authorities = Optional
 .ofNullable(followPathInJwtClaims(jwt, rolesClaim, Collection.class))
- .map(resourceRoles -> ((Collection)resourceRoles).stream()
+ .map(resourceRoles -> ((Collection) resourceRoles).stream()
 .distinct()
 .map(SimpleGrantedAuthority::new)
 .map(GrantedAuthority.class::cast)
@@ -192,6 +189,9 @@ public class MgmtSecurityConfiguration {
 private static T followPathInJwtClaims(final Jwt jwt, final String path, final Class clazz) {
 final String[] chunks = path.split("\\.");
 Object current = jwt.getClaims();
+ if (current == null) {
+ return null;
+ }
 for (final String chunk : chunks) {
 if (current instanceof Map map) {
 current = map.get(chunk);
@@ -208,7 +208,7 @@ public class MgmtSecurityConfiguration {
 return null;
 }
- return (T)current;
+ return (T) current;
 }
 @Getter
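Review bot: The new `if (current == null)` guard in followPathInJwtClaims runs once before the loop, but `current` is reassigned by `current = map.get(chunk)` on every iteration, so a multi-segment path whose intermediate claim is absent can still reach the non-Map branch with a null `current`. That branch lies outside the hunk, so this is inferred, but the `Object.getClass()` failure quoted in the commit message looks like it could come from there rather than from `jwt.getClaims()`. Moving the check to the top of the loop body, `if (current == null) { return null; }`, would cover both cases. Separately, a null result for the tenant path leaves `tenant` null at the call site shown in the -178 hunk; from an authorization standpoint it would be safer to reject a token that lacks the configured tenant claim than to continue with no tenant, and a comment stating the intended behaviour would help.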