ProviderManager Uses CollectionUtils#contains

Closes gh-8689

Author: yukihane

core/src/main/java/org/springframework/security/authentication/ProviderManager.java

@@ -30,6 +30,7 @@
 import org.springframework.security.core.CredentialsContainer;
 import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
 
 /**
  * Iterates an {@link Authentication} request through a list of
@@ -145,7 +146,7 @@ private void checkState() {
 			throw new IllegalArgumentException(
 					"A parent AuthenticationManager or a list "
 							+ "of AuthenticationProviders is required");
-		} else if (providers.contains(null)) {
+		} else if (CollectionUtils.contains(providers.iterator(), null)) {
 			throw new IllegalArgumentException(
 					"providers list cannot contain null values");
 		}

core/src/test/java/org/springframework/security/authentication/ProviderManagerTests.java

@@ -102,6 +102,31 @@ public void testStartupFailsIfProvidersNotSetAsVarargs() {
 		new ProviderManager((AuthenticationProvider) null);
 	}
 
+	@Test(expected = IllegalArgumentException.class)
+	public void testStartupFailsIfProvidersContainNullElement() {
+		new ProviderManager(Arrays.asList(mock(AuthenticationProvider.class), null));
+	}
+
+	@Test
+	public void testUsingNullNotPermittedList() {
+		// imitated Java9 List.of(e) object, which disallows null elements and
+		// throws NPE when contains(null) called
+		List<AuthenticationProvider> providers = new ArrayList<AuthenticationProvider>() {
+			private static final long serialVersionUID = 1L;
+
+			@Override
+			public boolean contains(Object o) {
+				if (o == null) {
+					throw new NullPointerException();
+				}
+				return super.contains(o);
+			}
+		};
+
+		providers.add(mock(AuthenticationProvider.class));
+		new ProviderManager(providers);
+	}
+
 	@Test
 	public void detailsAreNotSetOnAuthenticationTokenIfAlreadySetByProvider() {
 		Object requestDetails = "(Request Details)";