Allow UserBuilder to easily build a user without any authorities

[philwebb]

Expected Behavior

When using the org.springframework.security.core.userdetails.User.builder() it should be easy to create a new user without any authorities:

User.builder("name").password("pwd").build();

Current Behavior

The above fails with:

Caused by: java.lang.IllegalArgumentException: Cannot pass a null GrantedAuthority collection
	at org.springframework.util.Assert.notNull(Assert.java:201) ~[spring-core-5.3.24.jar:5.3.24]
	at org.springframework.security.core.userdetails.User.sortAuthorities(User.java:162) ~[spring-security-core-5.7.6.jar:5.7.6]
	at org.springframework.security.core.userdetails.User.<init>(User.java:118) ~[spring-security-core-5.7.6.jar:5.7.6]
	at org.springframework.security.core.userdetails.User$UserBuilder.build(User.java:504) ~[spring-security-core-5.7.6.jar:5.7.6]
	at com.example.MySecurityConfiguration.asUserDetails(MySecurityConfiguration.java:42) ~[classes/:na]
	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[na:1.8.0_345]
	at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384) ~[na:1.8.0_345]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[na:1.8.0_345]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[na:1.8.0_345]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[na:1.8.0_345]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:1.8.0_345]
	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566) ~[na:1.8.0_345]
	at com.example.MySecurityConfiguration.inMemoryUserDetailsManager(MySecurityConfiguration.java:32) ~[classes/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_345]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_345]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_345]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_345]
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.3.24.jar:5.3.24]
	... 20 common frames omitted

Context

The above error makes creating a user a little more difficult than it could be. As a workaround you can do:

User.builder("name").password("pwd").roles().build();

I think that UserBuilder.authorities should default to an empty List.

[sjohnr]

Thanks, @philwebb!

Because it's allowed using the workaround, I agree it probably should be the default. I'm not aware of anything in the framework that would prevent this change or make it seem like a bad idea, but it's possible I'm simply missing it. Hopefully not. 😉

[SaiUpadhyayula]

@philwebb @sjohnr Can I work on this issue?

[sjohnr]

Sure @SaiUpadhyayula! I'll assign to you.

(I will mention that I may take some time to run this change past other team members before anything is merged.)

[stillya]

@philwebb @sjohnr Hi, I have created PR to close this issue, can you take a look? I'm sorry, I didn't notice this issue already assigned, I took it yesterday.

[sjohnr]

Thanks @stillya. Please note that it's always best to reach out prior to working on an issue for this very reason.

@SaiUpadhyayula had you already started? If not, would you be interested in taking another one?