Description
As a follow-up to gh-17585, consider preventing a null defaultRolePrefix in SecurityExpressionRoot and subclasses of AbstractSecurityExpressionHandler for more consistent behavior. This would break passivity in Spring Security 7.
Context:
Currently, SecurityExpressionRoot and subclasses of AbstractSecurityExpressionHandler allow a null defaultRolePrefix to be configured. The javadoc states:
If null or empty, then no default role prefix is used.
When switching to using an AuthorizationManager created by AuthorizationManagerFactory in SecurityExpressionRoot, we can no longer set a null role prefix. To work around this for passivity, we can set the role prefix to blank before setting it on an AuthorizationManagerFactory. See updates to SecurityExpressionRoot in #17673 for context.
Instead, we can consider throwing an IllegalArgumentException when null is passed into any setDefaultRolePrefix method.
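The following is an added, stand-alone illustration of the behaviour the issue discusses; it is not Spring Security's code and imports nothing from it. The `RoleChecker` class and its `setDefaultRolePrefixLenient`, `setDefaultRolePrefix` and `normalizeForFactory` methods are hypothetical stand-ins that mirror the documented semantics: today null and "" both mean "no default role prefix", the proposal is to reject null with an IllegalArgumentException while keeping "" as the "no prefix" value, and the passivity workaround is to map null to "" before handing the prefix to a component that cannot accept null.

```java
import java.util.Set;

// Added example, not Spring Security code: models the role-prefix handling
// discussed in the issue so the current and proposed behaviour can be compared.
public final class RolePrefixDemo {

    /** Hypothetical stand-in for SecurityExpressionRoot's role-prefix handling. */
    static final class RoleChecker {
        private final Set<String> grantedAuthorities;
        private String defaultRolePrefix = "ROLE_";

        RoleChecker(Set<String> grantedAuthorities) {
            this.grantedAuthorities = grantedAuthorities;
        }

        // Current behaviour: null is accepted and, like "", means "no prefix".
        void setDefaultRolePrefixLenient(String prefix) {
            this.defaultRolePrefix = prefix;
        }

        // Proposed behaviour: null is rejected; "" still means "no prefix".
        void setDefaultRolePrefix(String prefix) {
            if (prefix == null) {
                throw new IllegalArgumentException("defaultRolePrefix cannot be null");
            }
            this.defaultRolePrefix = prefix;
        }

        boolean hasRole(String role) {
            return grantedAuthorities.contains(withDefaultPrefix(role));
        }

        // Prepend the prefix only when one is configured and the role lacks it.
        private String withDefaultPrefix(String role) {
            if (role == null) {
                return null;
            }
            if (defaultRolePrefix == null || defaultRolePrefix.isEmpty()) {
                return role;
            }
            if (role.startsWith(defaultRolePrefix)) {
                return role;
            }
            return defaultRolePrefix + role;
        }
    }

    // Passivity shim (hypothetical): a consumer that cannot take null gets "".
    static String normalizeForFactory(String prefix) {
        return prefix == null ? "" : prefix;
    }

    public static void main(String[] args) {
        // Constructed sample authorities for the demonstration.
        Set<String> authorities = Set.of("ROLE_ADMIN", "SCOPE_read");
        RoleChecker checker = new RoleChecker(authorities);

        System.out.println(checker.hasRole("ADMIN"));      // true: ROLE_ prepended
        System.out.println(checker.hasRole("ROLE_ADMIN")); // true: already prefixed
        System.out.println(checker.hasRole("SCOPE_read")); // false: ROLE_SCOPE_read not granted

        // Current behaviour: null prefix behaves exactly like "".
        checker.setDefaultRolePrefixLenient(null);
        System.out.println(checker.hasRole("SCOPE_read")); // true: no prefix applied

        // Proposed behaviour: "" is still the explicit "no prefix" value ...
        checker.setDefaultRolePrefix("");
        System.out.println(checker.hasRole("SCOPE_read")); // true

        // ... but null is rejected up front instead of silently meaning the same thing.
        try {
            checker.setDefaultRolePrefix(null);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Workaround used for passivity: map null to "" before the strict consumer sees it.
        System.out.println("factory prefix: '" + normalizeForFactory(null) + "'");
    }
}
```

The security-relevant point the example makes concrete is that null and "" are observationally identical for authorization decisions (both disable prefixing, so `hasRole("SCOPE_read")` matches a non-ROLE_ authority), which is why rejecting null loses no expressiveness; callers that relied on null simply pass "" instead.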