SEC-1550: Convert signatures to use Collection<? extends GrantedAuthority> where appropriate.

acl/src/main/java/org/springframework/security/acls/domain/SidRetrievalStrategyImpl.java

@@ -51,7 +51,7 @@ public class SidRetrievalStrategyImpl implements SidRetrievalStrategy {
     //~ Methods ========================================================================================================
 
     public List<Sid> getSids(Authentication authentication) {
-        Collection<GrantedAuthority> authorities = roleHierarchy.getReachableGrantedAuthorities(authentication.getAuthorities());
+        Collection<? extends GrantedAuthority> authorities = roleHierarchy.getReachableGrantedAuthorities(authentication.getAuthorities());
         List<Sid> sids = new ArrayList<Sid>(authorities.size() + 1);
 
         sids.add(new PrincipalSid(authentication));

acl/src/test/java/org/springframework/security/acls/sid/SidRetrievalStrategyTests.java

@@ -4,6 +4,7 @@ import static org.junit.Assert.*;
 import static org.mockito.Matchers.*;
 import static org.mockito.Mockito.*;
 
+import java.util.Collection;
 import java.util.List;
 
 import org.junit.Test;
@@ -53,8 +54,8 @@ public class SidRetrievalStrategyTests {
     @Test
     public void roleHierarchyIsUsedWhenSet() throws Exception {
         RoleHierarchy rh =  mock(RoleHierarchy.class);
-        List<GrantedAuthority> rhAuthorities = AuthorityUtils.createAuthorityList("D");
-        when(rh.getReachableGrantedAuthorities(anyList())).thenReturn(rhAuthorities);
+        List rhAuthorities = AuthorityUtils.createAuthorityList("D");
+        when(rh.getReachableGrantedAuthorities(anyCollection())).thenReturn(rhAuthorities);
         SidRetrievalStrategy strat = new SidRetrievalStrategyImpl(rh);
 
         List<Sid> sids = strat.getSids(authentication);

core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java

@@ -121,7 +121,7 @@ public abstract class SecurityExpressionRoot {
     private Set<String> getAuthoritySet() {
         if (roles == null) {
             roles = new HashSet<String>();
-            Collection<GrantedAuthority> userAuthorities = authentication.getAuthorities();
+            Collection<? extends GrantedAuthority> userAuthorities = authentication.getAuthorities();
 
             if (roleHierarchy != null) {
                 userAuthorities = roleHierarchy.getReachableGrantedAuthorities(userAuthorities);

core/src/main/java/org/springframework/security/access/hierarchicalroles/NullRoleHierarchy.java

@@ -11,7 +11,7 @@ import org.springframework.security.core.GrantedAuthority;
  */
 public final class NullRoleHierarchy implements RoleHierarchy {
 
-    public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities) {
+    public Collection<? extends GrantedAuthority> getReachableGrantedAuthorities(Collection<? extends GrantedAuthority> authorities) {
         return authorities;
     }
 

core/src/main/java/org/springframework/security/access/hierarchicalroles/RoleHierarchy.java

@@ -40,6 +40,6 @@ public interface RoleHierarchy {
      * @param authorities - List of the directly assigned authorities.
      * @return List of all reachable authorities given the assigned authorities.
      */
-    public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities);
+    public Collection<? extends GrantedAuthority> getReachableGrantedAuthorities(Collection<? extends GrantedAuthority> authorities);
 
 }

core/src/main/java/org/springframework/security/access/hierarchicalroles/RoleHierarchyImpl.java

@@ -105,7 +105,7 @@ public class RoleHierarchyImpl implements RoleHierarchy {
         buildRolesReachableInOneOrMoreStepsMap();
     }
 
-    public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities) {
+    public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<? extends GrantedAuthority> authorities) {
         if (authorities == null || authorities.isEmpty()) {
             return AuthorityUtils.NO_AUTHORITIES;
         }

core/src/main/java/org/springframework/security/access/hierarchicalroles/UserDetailsWrapper.java

@@ -49,7 +49,7 @@ public class UserDetailsWrapper implements UserDetails {
         return userDetails.isAccountNonLocked();
     }
 
-    public Collection<GrantedAuthority> getAuthorities() {
+    public Collection<? extends GrantedAuthority> getAuthorities() {
         return roleHierarchy.getReachableGrantedAuthorities(userDetails.getAuthorities());
     }
 

core/src/main/java/org/springframework/security/access/vote/RoleHierarchyVoter.java

@@ -26,7 +26,7 @@ public class RoleHierarchyVoter extends RoleVoter {
      * Calls the <tt>RoleHierarchy</tt> to obtain the complete set of user authorities.
      */
     @Override
-    Collection<GrantedAuthority> extractAuthorities(Authentication authentication) {
+    Collection<? extends GrantedAuthority> extractAuthorities(Authentication authentication) {
         return roleHierarchy.getReachableGrantedAuthorities(authentication.getAuthorities());
     }
 }

core/src/main/java/org/springframework/security/access/vote/RoleVoter.java

@@ -93,7 +93,7 @@ public class RoleVoter implements AccessDecisionVoter {
 
     public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
         int result = ACCESS_ABSTAIN;
-        Collection<GrantedAuthority> authorities = extractAuthorities(authentication);
+        Collection<? extends GrantedAuthority> authorities = extractAuthorities(authentication);
 
         for (ConfigAttribute attribute : attributes) {
             if (this.supports(attribute)) {
@@ -111,7 +111,7 @@ public class RoleVoter implements AccessDecisionVoter {
         return result;
     }
 
-    Collection<GrantedAuthority> extractAuthorities(Authentication authentication) {
+    Collection<? extends GrantedAuthority> extractAuthorities(Authentication authentication) {
         return authentication.getAuthorities();
     }
 }

core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationManager.java

@@ -30,7 +30,7 @@ public interface RemoteAuthenticationManager {
 
     /**
      * Attempts to authenticate the remote client using the presented username and password. If authentication
-     * is successful, an array of <code>GrantedAuthority[]</code> objects will be returned.
+     * is successful, a collection of {@code GrantedAuthority} objects will be returned.
      * <p>
      * In order to maximise remoting protocol compatibility, a design decision was taken to operate with minimal
      * arguments and return only the minimal amount of information required for remote clients to enable/disable
@@ -44,6 +44,6 @@ public interface RemoteAuthenticationManager {
      *
      * @throws RemoteAuthenticationException if the authentication failed.
      */
-    Collection<GrantedAuthority> attemptAuthentication(String username, String password)
+    Collection<? extends GrantedAuthority> attemptAuthentication(String username, String password)
         throws RemoteAuthenticationException;
 }

core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationManagerImpl.java

@@ -44,7 +44,7 @@ public class RemoteAuthenticationManagerImpl implements RemoteAuthenticationMana
         Assert.notNull(this.authenticationManager, "authenticationManager is required");
     }
 
-    public Collection<GrantedAuthority> attemptAuthentication(String username, String password)
+    public Collection<? extends GrantedAuthority> attemptAuthentication(String username, String password)
             throws RemoteAuthenticationException {
         UsernamePasswordAuthenticationToken request = new UsernamePasswordAuthenticationToken(username, password);
 

core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProvider.java

@@ -58,7 +58,7 @@ public class RemoteAuthenticationProvider implements AuthenticationProvider, Ini
         throws AuthenticationException {
         String username = authentication.getPrincipal().toString();
         String password = authentication.getCredentials().toString();
-        Collection<GrantedAuthority> authorities = remoteAuthenticationManager.attemptAuthentication(username, password);
+        Collection<? extends GrantedAuthority> authorities = remoteAuthenticationManager.attemptAuthentication(username, password);
 
         return new UsernamePasswordAuthenticationToken(username, password, authorities);
     }

core/src/main/java/org/springframework/security/core/Authentication.java

@@ -59,7 +59,7 @@ public interface Authentication extends Principal, Serializable {
      * @return the authorities granted to the principal, or an empty collection if the token has not been authenticated.
      * Never null.
      */
-    Collection<GrantedAuthority> getAuthorities();
+    Collection<? extends GrantedAuthority> getAuthorities();
 
     /**
      * The credentials that prove the principal is correct. This is usually a password, but could be anything

core/src/main/java/org/springframework/security/core/authority/AuthorityUtils.java

@@ -35,7 +35,7 @@ public abstract class AuthorityUtils {
      * Converts an array of GrantedAuthority objects to a Set.
      * @return a Set of the Strings obtained from each call to GrantedAuthority.getAuthority()
      */
-    public static Set<String> authorityListToSet(Collection<GrantedAuthority> userAuthorities) {
+    public static Set<String> authorityListToSet(Collection<? extends GrantedAuthority> userAuthorities) {
         Set<String> set = new HashSet<String>(userAuthorities.size());
 
         for (GrantedAuthority authority: userAuthorities) {

core/src/main/java/org/springframework/security/core/userdetails/UserDetails.java

@@ -59,7 +59,7 @@ public interface UserDetails extends Serializable {
      *
      * @return the authorities, sorted by natural key (never <code>null</code>)
      */
-    Collection<GrantedAuthority> getAuthorities();
+    Collection<? extends GrantedAuthority> getAuthorities();
 
     /**
      * Returns the password used to authenticate the user. Cannot return <code>null</code>.

core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java

@@ -493,7 +493,7 @@ public class JdbcUserDetailsManager extends JdbcDaoImpl implements UserDetailsMa
         validateAuthorities(user.getAuthorities());
     }
 
-    private void validateAuthorities(Collection<GrantedAuthority> authorities) {
+    private void validateAuthorities(Collection<? extends GrantedAuthority> authorities) {
         Assert.notNull(authorities, "Authorities list must not be null");
 
         for (GrantedAuthority authority : authorities) {

core/src/main/java/org/springframework/security/provisioning/MutableUser.java

@@ -27,7 +27,7 @@ class MutableUser implements MutableUserDetails {
         this.password = password;
     }
 
-    public Collection<GrantedAuthority> getAuthorities() {
+    public Collection<? extends GrantedAuthority> getAuthorities() {
         return delegate.getAuthorities();
     }
 

core/src/test/java/org/springframework/security/access/expression/SecurityExpressionRootTests.java

@@ -46,7 +46,7 @@ public class SecurityExpressionRootTests {
         SecurityExpressionRoot root = new SecurityExpressionRoot(JOE) {};
 
         root.setRoleHierarchy(new RoleHierarchy() {
-            public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities) {
+            public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<? extends GrantedAuthority> authorities) {
                 return AuthorityUtils.createAuthorityList("C");
             }
         });

core/src/test/java/org/springframework/security/access/hierarchicalroles/HierarchicalRolesTestHelper.java

@@ -28,7 +28,7 @@ import org.apache.commons.collections.CollectionUtils;
  */
 public abstract class HierarchicalRolesTestHelper {
 
-    public static boolean containTheSameGrantedAuthorities(Collection<GrantedAuthority> authorities1, Collection<GrantedAuthority> authorities2) {
+    public static boolean containTheSameGrantedAuthorities(Collection<? extends GrantedAuthority> authorities1, Collection<? extends GrantedAuthority> authorities2) {
         if (authorities1 == null && authorities2 == null) {
             return true;
         }
@@ -39,7 +39,7 @@ public abstract class HierarchicalRolesTestHelper {
         return CollectionUtils.isEqualCollection(authorities1, authorities2);
     }
 
-    public static boolean containTheSameGrantedAuthoritiesCompareByAuthorityString(Collection<GrantedAuthority> authorities1, Collection<GrantedAuthority> authorities2) {
+    public static boolean containTheSameGrantedAuthoritiesCompareByAuthorityString(Collection<? extends GrantedAuthority> authorities1, Collection<? extends GrantedAuthority> authorities2) {
         if (authorities1 == null && authorities2 == null) {
             return true;
         }
@@ -50,7 +50,7 @@ public abstract class HierarchicalRolesTestHelper {
         return CollectionUtils.isEqualCollection(toCollectionOfAuthorityStrings(authorities1), toCollectionOfAuthorityStrings(authorities2));
     }
 
-    public static List<String> toCollectionOfAuthorityStrings(Collection<GrantedAuthority> authorities) {
+    public static List<String> toCollectionOfAuthorityStrings(Collection<? extends GrantedAuthority> authorities) {
         if (authorities == null) {
             return null;
         }

core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java

@@ -192,7 +192,7 @@ public class JaasAuthenticationProviderTests {
         assertNotNull(jaasProvider.getLoginConfig());
         assertNotNull(jaasProvider.getLoginContextName());
 
-        Collection<GrantedAuthority> list = auth.getAuthorities();
+        Collection<? extends GrantedAuthority> list = auth.getAuthorities();
 
         assertTrue("GrantedAuthorities should contain ROLE_TEST1", list.contains(new GrantedAuthorityImpl("ROLE_TEST1")));
         assertTrue("GrantedAuthorities should contain ROLE_TEST2", list.contains(new GrantedAuthorityImpl("ROLE_TEST2")));

core/src/test/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProviderTests.java

@@ -91,7 +91,7 @@ public class RemoteAuthenticationProviderTests extends TestCase {
             this.grantAccess = grantAccess;
         }
 
-        public Collection<GrantedAuthority> attemptAuthentication(String username, String password)
+        public Collection<? extends GrantedAuthority> attemptAuthentication(String username, String password)
             throws RemoteAuthenticationException {
             if (grantAccess) {
                 return AuthorityUtils.createAuthorityList("foo");

ldap/src/main/java/org/springframework/security/ldap/authentication/LdapAuthenticationProvider.java

@@ -251,7 +251,7 @@ public class LdapAuthenticationProvider implements AuthenticationProvider, Messa
         try {
             DirContextOperations userData = getAuthenticator().authenticate(authentication);
 
-            Collection<GrantedAuthority> extraAuthorities = loadUserAuthorities(userData, username, password);
+            Collection<? extends GrantedAuthority> extraAuthorities = loadUserAuthorities(userData, username, password);
 
             UserDetails user = userDetailsContextMapper.mapUserFromContext(userData, username, extraAuthorities);
 
@@ -272,7 +272,7 @@ public class LdapAuthenticationProvider implements AuthenticationProvider, Messa
         }
     }
 
-    protected Collection<GrantedAuthority> loadUserAuthorities(DirContextOperations userData, String username, String password) {
+    protected Collection<? extends GrantedAuthority> loadUserAuthorities(DirContextOperations userData, String username, String password) {
         return getAuthoritiesPopulator().getGrantedAuthorities(userData, username);
     }
 

ldap/src/main/java/org/springframework/security/ldap/authentication/UserDetailsServiceLdapAuthoritiesPopulator.java

@@ -24,7 +24,7 @@ public class UserDetailsServiceLdapAuthoritiesPopulator implements LdapAuthoriti
         this.userDetailsService = userService;
     }
 
-    public Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
+    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
         return userDetailsService.loadUserByUsername(username).getAuthorities();
     }
 }

ldap/src/main/java/org/springframework/security/ldap/userdetails/InetOrgPersonContextMapper.java

@@ -28,7 +28,7 @@ import org.springframework.util.Assert;
  */
 public class InetOrgPersonContextMapper implements UserDetailsContextMapper {
 
-    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<GrantedAuthority> authorities) {
+    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
         InetOrgPerson.Essence p = new InetOrgPerson.Essence(ctx);
 
         p.setUsername(username);

ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapAuthoritiesPopulator.java

@@ -42,5 +42,5 @@ public interface LdapAuthoritiesPopulator {
      * @return the granted authorities for the given user.
      *
      */
-    Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username);
+    Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username);
 }

ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapUserDetailsImpl.java

@@ -222,7 +222,7 @@ public class LdapUserDetailsImpl implements LdapUserDetails, PasswordPolicyData
             instance.accountNonLocked = accountNonLocked;
         }
 
-        public void setAuthorities(Collection<GrantedAuthority> authorities) {
+        public void setAuthorities(Collection<? extends GrantedAuthority> authorities) {
             mutableAuthorities = new ArrayList<GrantedAuthority>();
             mutableAuthorities.addAll(authorities);
         }

ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapUserDetailsManager.java

@@ -310,7 +310,7 @@ public class LdapUserDetailsManager implements UserDetailsManager {
         userDetailsMapper.mapUserToContext(user, ctx);
     }
 
-    protected void addAuthorities(DistinguishedName userDn, Collection<GrantedAuthority> authorities) {
+    protected void addAuthorities(DistinguishedName userDn, Collection<? extends GrantedAuthority> authorities) {
         modifyAuthorities(userDn, authorities, DirContext.ADD_ATTRIBUTE);
     }
 
@@ -318,7 +318,7 @@ public class LdapUserDetailsManager implements UserDetailsManager {
         modifyAuthorities(userDn, authorities, DirContext.REMOVE_ATTRIBUTE);
     }
 
-    private void modifyAuthorities(final DistinguishedName userDn, final Collection<GrantedAuthority> authorities, final int modType) {
+    private void modifyAuthorities(final DistinguishedName userDn, final Collection<? extends GrantedAuthority> authorities, final int modType) {
         template.executeReadWrite(new ContextExecutor() {
             public Object executeWithContext(DirContext ctx) throws NamingException {
                 for(GrantedAuthority authority : authorities) {

ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapUserDetailsMapper.java

@@ -45,7 +45,7 @@ public class LdapUserDetailsMapper implements UserDetailsContextMapper {
 
     //~ Methods ========================================================================================================
 
-    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<GrantedAuthority> authorities) {
+    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
         String dn = ctx.getNameInNamespace();
 
         logger.debug("Mapping user details from context with DN: " + dn);

ldap/src/main/java/org/springframework/security/ldap/userdetails/PersonContextMapper.java

@@ -13,7 +13,7 @@ import org.springframework.util.Assert;
  */
 public class PersonContextMapper implements UserDetailsContextMapper {
 
-    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<GrantedAuthority> authorities) {
+    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities) {
         Person.Essence p = new Person.Essence(ctx);
 
         p.setUsername(username);

ldap/src/main/java/org/springframework/security/ldap/userdetails/UserDetailsContextMapper.java

@@ -36,10 +36,10 @@ public interface UserDetailsContextMapper {
      *
      * @param ctx the context object which contains the user information.
      * @param username the user's supplied login name.
-     * @param authority the list of authorities which the user should be given.
+     * @param authorities
      * @return the user object.
      */
-    UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<GrantedAuthority> authority);
+    UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<? extends GrantedAuthority> authorities);
 
     /**
      * Reverse of the above operation. Populates a context object from the supplied user object.

ldap/src/test/java/org/springframework/security/ldap/populator/UserDetailsServiceLdapAuthoritiesPopulatorTests.java

@@ -4,6 +4,7 @@ import static org.junit.Assert.*;
 import static org.mockito.Mockito.*;
 
 import java.util.Collection;
+import java.util.List;
 
 import org.junit.Test;
 import org.springframework.ldap.core.DirContextAdapter;
@@ -23,10 +24,11 @@ public class UserDetailsServiceLdapAuthoritiesPopulatorTests {
         UserDetailsService uds = mock(UserDetailsService.class);
         UserDetails user = mock(UserDetails.class);
         when(uds.loadUserByUsername("joe")).thenReturn(user);
-        when(user.getAuthorities()).thenReturn(AuthorityUtils.createAuthorityList("ROLE_USER"));
+        List authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
+        when(user.getAuthorities()).thenReturn(authorities);
 
         UserDetailsServiceLdapAuthoritiesPopulator populator = new UserDetailsServiceLdapAuthoritiesPopulator(uds);
-        Collection<GrantedAuthority> auths =  populator.getGrantedAuthorities(new DirContextAdapter(), "joe");
+        Collection<? extends GrantedAuthority> auths =  populator.getGrantedAuthorities(new DirContextAdapter(), "joe");
 
         assertEquals(1, auths.size());
         assertTrue(AuthorityUtils.authorityListToSet(auths).contains("ROLE_USER"));

taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java

@@ -45,17 +45,17 @@ import org.springframework.util.StringUtils;
 import org.springframework.web.context.support.WebApplicationContextUtils;
 
 /**
- * A base class for an <authorize> tag that is independent of the tag rendering technology (JSP, Facelets). 
- * It treats tag attributes as simple strings rather than strings that may contain expressions with the 
+ * A base class for an <authorize> tag that is independent of the tag rendering technology (JSP, Facelets).
+ * It treats tag attributes as simple strings rather than strings that may contain expressions with the
  * exception of the "access" attribute, which is always expected to contain a Spring EL expression.
- * 
+ *
  * Subclasses are expected to extract tag attribute values from the specific rendering technology, evaluate
  * them as expressions if necessary, and set the String-based attributes of this class.
- * 
+ *
  * @author Francois Beausoleil
  * @author Luke Taylor
  * @author Rossen Stoyanchev
- * 
+ *
  * @since 3.1.0
  */
 public abstract class AbstractAuthorizeTag {
@@ -94,9 +94,9 @@ public abstract class AbstractAuthorizeTag {
 	 * <li>ifAllGranted, ifAnyGranted, ifNotGranted</li>
 	 * </ul>
 	 * The above combinations are mutually exclusive and evaluated in the given order.
-	 * 
+	 *
 	 * @return the result of the authorization decision
-	 * 
+	 *
 	 * @throws IOException
 	 */
 	public boolean authorize() throws IOException {
@@ -119,7 +119,7 @@ public abstract class AbstractAuthorizeTag {
 	/**
 	 * Make an authorization decision by considering ifAllGranted, ifAnyGranted, and ifNotGranted. All 3 or any
 	 * combination can be provided. All provided attributes must evaluate to true.
-	 * 
+	 *
 	 * @return the result of the authorization decision
 	 */
 	public boolean authorizeUsingGrantedAuthorities() {
@@ -131,7 +131,7 @@ public abstract class AbstractAuthorizeTag {
 			return false;
 		}
 
-		final Collection<GrantedAuthority> granted = getPrincipalAuthorities();
+		final Collection<? extends GrantedAuthority> granted = getPrincipalAuthorities();
 
 		if (hasTextAllGranted) {
 			if (!granted.containsAll(toAuthorities(getIfAllGranted()))) {
@@ -159,9 +159,9 @@ public abstract class AbstractAuthorizeTag {
 	/**
 	 * Make an authorization decision based on a Spring EL expression. See the "Expression-Based Access Control" chapter
 	 * in Spring Security for details on what expressions can be used.
-	 * 
+	 *
 	 * @return the result of the authorization decision
-	 * 
+	 *
 	 * @throws IOException
 	 */
 	public boolean authorizeUsingAccessExpression() throws IOException {
@@ -194,9 +194,9 @@ public abstract class AbstractAuthorizeTag {
 	/**
 	 * Make an authorization decision based on the URL and HTTP method attributes. True is returned if the user is
 	 * allowed to access the given URL as defined.
-	 * 
+	 *
 	 * @return the result of the authorization decision
-	 * 
+	 *
 	 * @throws IOException
 	 */
 	public boolean authorizeUsingUrlCheck() throws IOException {
@@ -255,7 +255,7 @@ public abstract class AbstractAuthorizeTag {
 
 	/*------------- Private helper methods  -----------------*/
 
-	private Collection<GrantedAuthority> getPrincipalAuthorities() {
+	private Collection<? extends GrantedAuthority> getPrincipalAuthorities() {
 		Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
 		if (null == currentUser) {
 			return Collections.emptyList();
@@ -269,7 +269,7 @@ public abstract class AbstractAuthorizeTag {
 		return requiredAuthorities;
 	}
 
-	private Set<GrantedAuthority> retainAll(final Collection<GrantedAuthority> granted,
+	private Set<GrantedAuthority> retainAll(final Collection<? extends GrantedAuthority> granted,
 			final Set<GrantedAuthority> required) {
 		Set<String> grantedRoles = authoritiesToRoles(granted);
 		Set<String> requiredRoles = authoritiesToRoles(required);
@@ -278,7 +278,7 @@ public abstract class AbstractAuthorizeTag {
 		return rolesToAuthorities(grantedRoles, granted);
 	}
 
-	private Set<String> authoritiesToRoles(Collection<GrantedAuthority> c) {
+	private Set<String> authoritiesToRoles(Collection<? extends GrantedAuthority> c) {
 		Set<String> target = new HashSet<String>();
 		for (GrantedAuthority authority : c) {
 			if (null == authority.getAuthority()) {
@@ -291,7 +291,7 @@ public abstract class AbstractAuthorizeTag {
 		return target;
 	}
 
-	private Set<GrantedAuthority> rolesToAuthorities(Set<String> grantedRoles, Collection<GrantedAuthority> granted) {
+	private Set<GrantedAuthority> rolesToAuthorities(Set<String> grantedRoles, Collection<? extends GrantedAuthority> granted) {
 		Set<GrantedAuthority> target = new HashSet<GrantedAuthority>();
 		for (String role : grantedRoles) {
 			for (GrantedAuthority authority : granted) {
@@ -316,7 +316,7 @@ public abstract class AbstractAuthorizeTag {
 				return h;
 			}
 		}
-		
+
 		throw new IOException("No visible WebSecurityExpressionHandler instance could be found in the application "
 				+ "context. There must be at least one in order to support expressions in JSP 'authorize' tags.");
 	}

web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserAuthorityChanger.java

@@ -22,10 +22,10 @@ public interface SwitchUserAuthorityChanger {
      *
      * @param targetUser the UserDetails representing the identity being switched to
      * @param currentAuthentication the current Authentication of the principal performing the switching
-     * @param authoritiesToBeGranted all {@link GrantedAuthority} instances to be granted to the user,
+     * @param authoritiesToBeGranted all {@link org.springframework.security.core.GrantedAuthority} instances to be granted to the user,
      * excluding the special "switch user" authority that is used internally (guaranteed never null)
      *
      * @return the modified list of granted authorities.
      */
-    Collection<GrantedAuthority> modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, Collection<GrantedAuthority> authoritiesToBeGranted);
+    Collection<? extends GrantedAuthority> modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, Collection<? extends GrantedAuthority> authoritiesToBeGranted);
 }

web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java

@@ -291,7 +291,7 @@ public class SwitchUserFilter extends GenericFilterBean implements ApplicationEv
         GrantedAuthority switchAuthority = new SwitchUserGrantedAuthority(ROLE_PREVIOUS_ADMINISTRATOR, currentAuth);
 
         // get the original authorities
-        Collection<GrantedAuthority> orig = targetUser.getAuthorities();
+        Collection<? extends GrantedAuthority> orig = targetUser.getAuthorities();
 
         // Allow subclasses to change the authorities to be granted
         if (switchUserAuthorityChanger != null) {
@@ -324,7 +324,7 @@ public class SwitchUserFilter extends GenericFilterBean implements ApplicationEv
         Authentication original = null;
 
         // iterate over granted authorities and find the 'switch user' authority
-        Collection<GrantedAuthority> authorities = current.getAuthorities();
+        Collection<? extends GrantedAuthority> authorities = current.getAuthorities();
 
         for (GrantedAuthority auth : authorities) {
             // check for switch user type of authority

web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java

@@ -127,7 +127,7 @@ public class SecurityContextHolderAwareRequestWrapper extends HttpServletRequest
             return false;
         }
 
-        Collection<GrantedAuthority> authorities = auth.getAuthorities();
+        Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
 
         if (authorities == null) {
             return false;

web/src/test/java/org/springframework/security/web/authentication/preauth/websphere/WebSphere2SpringSecurityPropagationInterceptorTests.java

@@ -18,6 +18,8 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsChecker;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
 
+import java.util.List;
+
 /**
  *
  * @author Luke Taylor
@@ -54,7 +56,8 @@ public class WebSphere2SpringSecurityPropagationInterceptorTests {
         PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
         AuthenticationUserDetailsService uds = mock(AuthenticationUserDetailsService.class);
         UserDetails user = mock(UserDetails.class);
-        when(user.getAuthorities()).thenReturn(AuthorityUtils.createAuthorityList("SOME_ROLE"));
+        List authorities = AuthorityUtils.createAuthorityList("SOME_ROLE");
+        when(user.getAuthorities()).thenReturn(authorities);
         when(uds.loadUserDetails(any(Authentication.class))).thenReturn(user);
         provider.setPreAuthenticatedUserDetailsService(uds);
         provider.setUserDetailsChecker(mock(UserDetailsChecker.class));

web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java

@@ -368,7 +368,7 @@ public class SwitchUserFilterTests {
         SwitchUserFilter filter = new SwitchUserFilter();
         filter.setUserDetailsService(new MockUserDetailsService());
         filter.setSwitchUserAuthorityChanger(new SwitchUserAuthorityChanger() {
-            public Collection<GrantedAuthority> modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, Collection<GrantedAuthority> authoritiesToBeGranted) {
+            public Collection<GrantedAuthority> modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, Collection<? extends GrantedAuthority> authoritiesToBeGranted) {
                 List <GrantedAuthority>auths = new ArrayList<GrantedAuthority>();
                 auths.add(new GrantedAuthorityImpl("ROLE_NEW"));
                 return auths;