spring-security icon indicating copy to clipboard operation
spring-security copied to clipboard
verified publisher icon spring-projects

Improve authoritiesClaimName validation in JwtGrantedAuthoritiesConverter

Open chanbinme opened this issue 7 months ago • 2 comments

Summary

Use StringUtils.hasText() instead of null check in getAuthoritiesClaimName() to properly handle empty strings and whitespace-only strings.

Problem

The current null check (!= null) incorrectly treats empty strings ("") and whitespace-only strings (" ") as valid claim names. While setAuthoritiesClaimName() validates with Assert.hasText(), the field can be set through other means (reflection, constructors, etc.) that bypass this validation.

Changes

  • Replace != null check with StringUtils.hasText()
  • Add comprehensive test coverage for blank claim names

Testing

Added parameterized tests covering empty strings, whitespace strings, and null values using ReflectionTestUtils to simulate edge cases.

Impact

  • Fixes edge case bugs with blank claim names
  • Maintains full backward compatibility
  • Follows defensive programming principles
  • All existing tests pass

This is a straightforward bug fix that improves robustness without breaking changes.

chanbinme avatar Jun 14 '25 17:06 chanbinme

Hi @jzheaux,

Thank you so much for your helpful feedback! I've incorporated your suggestions and pushed the changes. When you have a moment, could you please take another look? I've also left some comments on the inline feedback for further discussion.

Thanks again for your time and support!

chanbinme avatar Jun 18 '25 15:06 chanbinme

Thanks for the PR, @chanbinme! I've left my feedback inline.

Hi @jzheaux 👋

No rush at all, just wanted to make sure this didn't get lost in notifications. Happy to address any additional feedback when you have time.

chanbinme avatar Jun 25 '25 23:06 chanbinme

Thanks for the updates, @chanbinme! This is now merged into main.

jzheaux avatar Aug 13 '25 16:08 jzheaux