diff --git a/server/impl/src/main/java/com/walmartlabs/concord/server/security/UserPrincipal.java b/server/impl/src/main/java/com/walmartlabs/concord/server/security/UserPrincipal.java
index f3bb927951..08bdd82e14 100644
--- a/server/impl/src/main/java/com/walmartlabs/concord/server/security/UserPrincipal.java
+++ b/server/impl/src/main/java/com/walmartlabs/concord/server/security/UserPrincipal.java
@@ -26,6 +26,8 @@
 import java.io.Serializable;
 import java.util.UUID;
 
+import static java.util.Objects.requireNonNull;
+
 /**
  * Note: this class is serialized when user principals are stored in
  * the process state. It must maintain backward compatibility.
@@ -46,8 +48,8 @@ public static UserPrincipal assertCurrent() {
 private final UserEntry user;
 
 public UserPrincipal(String realm, UserEntry user) {
- this.realm = realm;
- this.user = user;
+ this.realm = requireNonNull(realm);
+ this.user = requireNonNull(user);
 }
 
 public String getRealm() {
diff --git a/server/impl/src/main/java/com/walmartlabs/concord/server/security/apikey/ApiKeyRealm.java b/server/impl/src/main/java/com/walmartlabs/concord/server/security/apikey/ApiKeyRealm.java
index e3398c360c..8113fdeacf 100644
--- a/server/impl/src/main/java/com/walmartlabs/concord/server/security/apikey/ApiKeyRealm.java
+++ b/server/impl/src/main/java/com/walmartlabs/concord/server/security/apikey/ApiKeyRealm.java
@@ -37,7 +37,8 @@
 import org.apache.shiro.subject.PrincipalCollection;
 
 import javax.inject.Inject;
-import java.util.Arrays;
+import java.util.ArrayList;
+import java.util.List;
 
 public class ApiKeyRealm extends AuthorizingRealm {
 
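Review bot: The two `requireNonNull` calls in the UserPrincipal constructor carry no message, so a caller passing null gets a bare NullPointerException that does not say which argument was missing; `this.realm = requireNonNull(realm, "realm");` and `this.user = requireNonNull(user, "user");` cost nothing and make the failure actionable in logs. Note also that, per the class comment in the first hunk, instances are serialized into process state; if that is java.io serialization, deserialization bypasses this constructor, so previously stored principals with a null field are not rejected by this check and consumers should not treat it as a guarantee. A one-line comment on the constructor stating that the non-null check applies only to freshly constructed instances would make that explicit.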
@@ -80,17 +81,21 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
 .field("apiKeyId", t.getKeyId())
 .log();
 
- UserPrincipal p = new UserPrincipal(REALM_NAME, u);
- return new SimpleAccount(Arrays.asList(p, t), t.getKey(), getName());
+ List principals = new ArrayList<>();
+ if (u != null) {
+ principals.add(new UserPrincipal(REALM_NAME, u));
+ }
+ principals.add(t);
+
+ return new SimpleAccount(principals, t.getKey(), getName());
 }
 
 @Override
 protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
- UserPrincipal p = principals.oneByType(UserPrincipal.class);
- if (!REALM_NAME.equals(p.getRealm())) {
+ ApiKey principal = principals.oneByType(ApiKey.class);
+ if (principal == null) {
 return null;
 }
-
 return SecurityUtils.toAuthorizationInfo(principals);
 }
 }
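Review bot: The new `if (u != null)` branch in doGetAuthenticationInfo lets a token whose user lookup produced no UserEntry authenticate successfully with only the ApiKey principal, whereas before the commit that path could not produce an account at all; nothing in the hunk records why a user-less subject is acceptable. If the intent is to reject such keys, the branch should fail closed, e.g. `if (u == null) { throw new UnknownAccountException("no user for API key " + t.getKeyId()); }` (or return null), rather than silently building a subject that `UserPrincipal.assertCurrent()` callers presumably cannot use. If it is intentional, a comment naming which callers rely on a UserPrincipal-less API-key subject, and confirming that `SecurityUtils.toAuthorizationInfo` tolerates the missing UserPrincipal, would help the next reader. The start of doGetAuthenticationInfo, including where `u` is resolved and whether it can legitimately be null, lies above the hunk. Separately, `List principals` appears here as a raw type; if the generic parameter was not simply lost in rendering, `List<Object> principals = new ArrayList<>();` avoids the unchecked warning.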