SEC-1231: Authentication.getAuthorities should be of type Collection<GrantedAuthority> and not List<GrantedAuthority>. Refactored the interface and related classes to match (UserDetails etc).

Author: tekul

acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java

@@ -98,12 +98,8 @@ public void securityCheck(Acl acl, int changeType) {
         }
 
         // Iterate this principal's authorities to determine right
-        List<GrantedAuthority> auths = authentication.getAuthorities();
-
-        for (int i = 0; i < auths.size(); i++) {
-            if (requiredAuthority.equals(auths.get(i))) {
-                return;
-            }
+        if (authentication.getAuthorities().contains(requiredAuthority)) {
+            return;
         }
 
         // Try to get permission via ACEs within the ACL

acl/src/main/java/org/springframework/security/acls/domain/SidRetrievalStrategyImpl.java

@@ -16,6 +16,7 @@
 package org.springframework.security.acls.domain;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 
 import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
@@ -51,7 +52,7 @@ public SidRetrievalStrategyImpl(RoleHierarchy roleHierarchy) {
     //~ Methods ========================================================================================================
 
     public List<Sid> getSids(Authentication authentication) {
-        List<GrantedAuthority> authorities = roleHierarchy.getReachableGrantedAuthorities(authentication.getAuthorities());
+        Collection<GrantedAuthority> authorities = roleHierarchy.getReachableGrantedAuthorities(authentication.getAuthorities());
         List<Sid> sids = new ArrayList<Sid>(authorities.size() + 1);
 
         sids.add(new PrincipalSid(authentication));

cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java

@@ -15,17 +15,14 @@
 
 package org.springframework.security.cas.authentication;
 
-import org.jasig.cas.client.validation.Assertion;
+import java.io.Serializable;
+import java.util.Collection;
 
+import org.jasig.cas.client.validation.Assertion;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
 
-
-import java.io.Serializable;
-import java.util.Arrays;
-import java.util.List;
-
 /**
  * Represents a successful CAS <code>Authentication</code>.
  *
@@ -45,14 +42,6 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
 
     //~ Constructors ===================================================================================================
 
-    /**
-     * @deprecated
-     */
-    public CasAuthenticationToken(final String key, final Object principal, final Object credentials,
-            final GrantedAuthority[] authorities, final UserDetails userDetails, final Assertion assertion) {
-        this(key, principal, credentials, Arrays.asList(authorities), userDetails, assertion);
-    }
-
     /**
      * Constructor.
      *
@@ -71,7 +60,7 @@ public CasAuthenticationToken(final String key, final Object principal, final Ob
      * @throws IllegalArgumentException if a <code>null</code> was passed
      */
     public CasAuthenticationToken(final String key, final Object principal, final Object credentials,
-        final List<GrantedAuthority> authorities, final UserDetails userDetails, final Assertion assertion) {
+        final Collection<GrantedAuthority> authorities, final UserDetails userDetails, final Assertion assertion) {
         super(authorities);
 
         if ((key == null) || ("".equals(key)) || (principal == null) || "".equals(principal) || (credentials == null)

cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java

@@ -98,8 +98,8 @@ public void statefulAuthenticationIsSuccessful() throws Exception {
         CasAuthenticationToken casResult = (CasAuthenticationToken) result;
         assertEquals(makeUserDetailsFromAuthoritiesPopulator(), casResult.getPrincipal());
         assertEquals("ST-123", casResult.getCredentials());
-        assertEquals(new GrantedAuthorityImpl("ROLE_A"), casResult.getAuthorities().get(0));
-        assertEquals(new GrantedAuthorityImpl("ROLE_B"), casResult.getAuthorities().get(1));
+        assertTrue(casResult.getAuthorities().contains(new GrantedAuthorityImpl("ROLE_A")));
+        assertTrue(casResult.getAuthorities().contains(new GrantedAuthorityImpl("ROLE_B")));
         assertEquals(cap.getKey().hashCode(), casResult.getKeyHash());
         assertEquals("details", casResult.getDetails());
 

cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationTokenTests.java

@@ -22,9 +22,9 @@
 import org.jasig.cas.client.validation.Assertion;
 import org.jasig.cas.client.validation.AssertionImpl;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.cas.authentication.CasAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.GrantedAuthorityImpl;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 
@@ -109,8 +109,8 @@ public void testGetters() {
         assertEquals("key".hashCode(), token.getKeyHash());
         assertEquals(makeUserDetails(), token.getPrincipal());
         assertEquals("Password", token.getCredentials());
-        assertEquals("ROLE_ONE", token.getAuthorities().get(0).getAuthority());
-        assertEquals("ROLE_TWO", token.getAuthorities().get(1).getAuthority());
+        assertTrue(token.getAuthorities().contains(new GrantedAuthorityImpl("ROLE_ONE")));
+        assertTrue(token.getAuthorities().contains(new GrantedAuthorityImpl("ROLE_TWO")));
         assertEquals(assertion, token.getAssertion());
         assertEquals(makeUserDetails().getUsername(), token.getUserDetails().getUsername());
     }

core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java

@@ -1,7 +1,7 @@
 package org.springframework.security.access.expression;
 
+import java.util.Collection;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Set;
 
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
@@ -96,7 +96,7 @@ public void setRoleHierarchy(RoleHierarchy roleHierarchy) {
     private Set<String> getAuthoritySet() {
         if (roles == null) {
             roles = new HashSet<String>();
-            List<GrantedAuthority> userAuthorities = authentication.getAuthorities();
+            Collection<GrantedAuthority> userAuthorities = authentication.getAuthorities();
 
             if (roleHierarchy != null) {
                 userAuthorities = roleHierarchy.getReachableGrantedAuthorities(userAuthorities);

core/src/main/java/org/springframework/security/access/hierarchicalroles/NullRoleHierarchy.java

@@ -1,6 +1,6 @@
 package org.springframework.security.access.hierarchicalroles;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
 
@@ -12,7 +12,7 @@
  */
 public final class NullRoleHierarchy implements RoleHierarchy {
 
-    public List<GrantedAuthority> getReachableGrantedAuthorities(List<GrantedAuthority> authorities) {
+    public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities) {
         return authorities;
     }
 

core/src/main/java/org/springframework/security/access/hierarchicalroles/RoleHierarchy.java

@@ -14,7 +14,7 @@
 
 package org.springframework.security.access.hierarchicalroles;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
 
@@ -40,6 +40,6 @@ public interface RoleHierarchy {
      * @param authorities - List of the directly assigned authorities.
      * @return List of all reachable authorities given the assigned authorities.
      */
-    public List<GrantedAuthority> getReachableGrantedAuthorities(List<GrantedAuthority> authorities);
+    public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities);
 
 }

core/src/main/java/org/springframework/security/access/hierarchicalroles/RoleHierarchyImpl.java

@@ -15,15 +15,21 @@
 package org.springframework.security.access.hierarchicalroles;
 
 
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.GrantedAuthorityImpl;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import java.util.*;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.GrantedAuthorityImpl;
 
 /**
  * <p>
@@ -98,7 +104,7 @@ public void setHierarchy(String roleHierarchyStringRepresentation) {
         buildRolesReachableInOneOrMoreStepsMap();
     }
 
-    public List<GrantedAuthority> getReachableGrantedAuthorities(List<GrantedAuthority> authorities) {
+    public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities) {
         if (authorities == null || authorities.isEmpty()) {
             return null;
         }
@@ -125,40 +131,40 @@ public List<GrantedAuthority> getReachableGrantedAuthorities(List<GrantedAuthori
     }
 
     // SEC-863
-	private void addReachableRoles(Set<GrantedAuthority> reachableRoles,
-			GrantedAuthority authority) {
-		
-		Iterator<GrantedAuthority> iterator = reachableRoles.iterator();		
-		while (iterator.hasNext()) {
-			GrantedAuthority testAuthority = iterator.next(); 
-			String testKey = testAuthority.getAuthority();
-			if ((testKey != null) && (testKey.equals(authority.getAuthority()))) {
-				return;
-			}
-		}
-		reachableRoles.add(authority);
-	}
+    private void addReachableRoles(Set<GrantedAuthority> reachableRoles,
+            GrantedAuthority authority) {
+
+        Iterator<GrantedAuthority> iterator = reachableRoles.iterator();
+        while (iterator.hasNext()) {
+            GrantedAuthority testAuthority = iterator.next();
+            String testKey = testAuthority.getAuthority();
+            if ((testKey != null) && (testKey.equals(authority.getAuthority()))) {
+                return;
+            }
+        }
+        reachableRoles.add(authority);
+    }
 
     // SEC-863
-	private Set<GrantedAuthority> getRolesReachableInOneOrMoreSteps(
-			GrantedAuthority authority) {
-		
-		if (authority.getAuthority() == null) {
-			return null;
-		}
-		
-		Iterator<GrantedAuthority> iterator = rolesReachableInOneOrMoreStepsMap.keySet().iterator();		
-		while (iterator.hasNext()) {
-			GrantedAuthority testAuthority = iterator.next(); 
-			String testKey = testAuthority.getAuthority();
-			if ((testKey != null) && (testKey.equals(authority.getAuthority()))) {
-				return rolesReachableInOneOrMoreStepsMap.get(testAuthority);
-			}
-		}
-		
-		return null;
-	}
-    
+    private Set<GrantedAuthority> getRolesReachableInOneOrMoreSteps(
+            GrantedAuthority authority) {
+
+        if (authority.getAuthority() == null) {
+            return null;
+        }
+
+        Iterator<GrantedAuthority> iterator = rolesReachableInOneOrMoreStepsMap.keySet().iterator();
+        while (iterator.hasNext()) {
+            GrantedAuthority testAuthority = iterator.next();
+            String testKey = testAuthority.getAuthority();
+            if ((testKey != null) && (testKey.equals(authority.getAuthority()))) {
+                return rolesReachableInOneOrMoreStepsMap.get(testAuthority);
+            }
+        }
+
+        return null;
+    }
+
     /**
      * Parse input and build the map for the roles reachable in one step: the higher role will become a key that
      * references a set of the reachable lower roles.

core/src/main/java/org/springframework/security/access/hierarchicalroles/UserDetailsWrapper.java

@@ -14,8 +14,9 @@
 
 package org.springframework.security.access.hierarchicalroles;
 
-import java.util.List;
+import java.util.Collection;
 
+import org.springframework.security.access.vote.RoleHierarchyVoter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
 
@@ -48,7 +49,7 @@ public boolean isAccountNonLocked() {
         return userDetails.isAccountNonLocked();
     }
 
-    public List<GrantedAuthority> getAuthorities() {
+    public Collection<GrantedAuthority> getAuthorities() {
         return roleHierarchy.getReachableGrantedAuthorities(userDetails.getAuthorities());
     }
 
@@ -72,4 +73,4 @@ public UserDetails getUnwrappedUserDetails() {
         return userDetails;
     }
 
-}
+}

core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java

@@ -16,8 +16,7 @@
 package org.springframework.security.access.intercept;
 
 import java.util.Arrays;
-import java.util.List;
-
+import java.util.Collection;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -45,7 +44,7 @@ public RunAsUserToken(String key, Object principal, Object credentials, GrantedA
         this(key, principal, credentials, Arrays.asList(authorities), originalAuthentication);
     }
 
-    public RunAsUserToken(String key, Object principal, Object credentials, List<GrantedAuthority> authorities,
+    public RunAsUserToken(String key, Object principal, Object credentials, Collection<GrantedAuthority> authorities,
             Class<? extends Authentication> originalAuthentication) {
         super(authorities);
         this.keyHash = key.hashCode();

core/src/main/java/org/springframework/security/access/vote/LabelBasedAclVoter.java

@@ -23,6 +23,7 @@
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.util.Assert;
 
 
@@ -177,8 +178,8 @@ public int vote(Authentication authentication, Object object, List<ConfigAttribu
              */
             List<String> userLabels = new ArrayList<String>();
 
-            for (int i = 0; i < authentication.getAuthorities().size(); i++) {
-                String userLabel = authentication.getAuthorities().get(i).getAuthority();
+            for (GrantedAuthority authority : authentication.getAuthorities()) {
+                String userLabel = authority.getAuthority();
                 if (labelMap.containsKey(userLabel)) {
                     userLabels.add(userLabel);
                     logger.debug("Adding " + userLabel + " to <<<" + authentication.getName()

core/src/main/java/org/springframework/security/access/vote/RoleHierarchyVoter.java

@@ -1,6 +1,6 @@
 package org.springframework.security.access.vote;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.core.Authentication;
@@ -26,7 +26,7 @@ public RoleHierarchyVoter(RoleHierarchy roleHierarchy) {
      * Calls the <tt>RoleHierarchy</tt> to obtain the complete set of user authorities.
      */
     @Override
-    List<GrantedAuthority> extractAuthorities(Authentication authentication) {
+    Collection<GrantedAuthority> extractAuthorities(Authentication authentication) {
         return roleHierarchy.getReachableGrantedAuthorities(authentication.getAuthorities());
     }
 }

core/src/main/java/org/springframework/security/access/vote/RoleVoter.java

@@ -15,6 +15,7 @@
 
 package org.springframework.security.access.vote;
 
+import java.util.Collection;
 import java.util.List;
 
 import org.springframework.security.access.AccessDecisionVoter;
@@ -94,7 +95,7 @@ public boolean supports(Class<?> clazz) {
 
     public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
         int result = ACCESS_ABSTAIN;
-        List<GrantedAuthority> authorities = extractAuthorities(authentication);
+        Collection<GrantedAuthority> authorities = extractAuthorities(authentication);
 
         for (ConfigAttribute attribute : attributes) {
             if (this.supports(attribute)) {
@@ -112,7 +113,7 @@ public int vote(Authentication authentication, Object object, List<ConfigAttribu
         return result;
     }
 
-    List<GrantedAuthority> extractAuthorities(Authentication authentication) {
+    Collection<GrantedAuthority> extractAuthorities(Authentication authentication) {
         return authentication.getAuthorities();
     }
 }