SEC-1483: Change User constructor to use a generic wildcard for authorities collection.

core/src/main/java/org/springframework/security/core/userdetails/User.java

@@ -50,7 +50,7 @@ public class User implements UserDetails {
     /**
      * Calls the more complex constructor with all boolean arguments set to {@code true}.
      */
-    public User(String username, String password, Collection<GrantedAuthority> authorities) {
+    public User(String username, String password, Collection<? extends GrantedAuthority> authorities) {
         this(username, password, true, true, true, true, authorities);
     }
 
@@ -78,7 +78,7 @@ public class User implements UserDetails {
      *         <code>GrantedAuthority</code> collection
      */
     public User(String username, String password, boolean enabled, boolean accountNonExpired,
-            boolean credentialsNonExpired, boolean accountNonLocked, Collection<GrantedAuthority> authorities) {
+            boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities) {
 
         if (((username == null) || "".equals(username)) || (password == null)) {
             throw new IllegalArgumentException("Cannot pass null or empty values to constructor");
@@ -95,27 +95,6 @@ public class User implements UserDetails {
 
     //~ Methods ========================================================================================================
 
-    public boolean equals(Object rhs) {
-        if (!(rhs instanceof User) || (rhs == null)) {
-            return false;
-        }
-
-        User user = (User) rhs;
-
-        // We rely on constructor to guarantee any User has non-null
-        // authorities
-        if (!authorities.equals(user.authorities)) {
-            return false;
-        }
-
-        // We rely on constructor to guarantee non-null username and password
-        return (this.getPassword().equals(user.getPassword()) && this.getUsername().equals(user.getUsername())
-                && (this.isAccountNonExpired() == user.isAccountNonExpired())
-                && (this.isAccountNonLocked() == user.isAccountNonLocked())
-                && (this.isCredentialsNonExpired() == user.isCredentialsNonExpired())
-                && (this.isEnabled() == user.isEnabled()));
-    }
-
     public Collection<GrantedAuthority> getAuthorities() {
         return authorities;
     }
@@ -128,40 +107,6 @@ public class User implements UserDetails {
         return username;
     }
 
-    public int hashCode() {
-        int code = 9792;
-
-        for (GrantedAuthority authority : getAuthorities()) {
-            code = code * (authority.hashCode() % 7);
-        }
-
-        if (this.getPassword() != null) {
-            code = code * (this.getPassword().hashCode() % 7);
-        }
-
-        if (this.getUsername() != null) {
-            code = code * (this.getUsername().hashCode() % 7);
-        }
-
-        if (this.isAccountNonExpired()) {
-            code = code * -2;
-        }
-
-        if (this.isAccountNonLocked()) {
-            code = code * -3;
-        }
-
-        if (this.isCredentialsNonExpired()) {
-            code = code * -5;
-        }
-
-        if (this.isEnabled()) {
-            code = code * -7;
-        }
-
-        return code;
-    }
-
     public boolean isAccountNonExpired() {
         return accountNonExpired;
     }
@@ -178,7 +123,7 @@ public class User implements UserDetails {
         return enabled;
     }
 
-    private static SortedSet<GrantedAuthority> sortAuthorities(Collection<GrantedAuthority> authorities) {
+    private static SortedSet<GrantedAuthority> sortAuthorities(Collection<? extends GrantedAuthority> authorities) {
         Assert.notNull(authorities, "Cannot pass a null GrantedAuthority collection");
         // Ensure array iteration order is predictable (as per UserDetails.getAuthorities() contract and SEC-717)
         SortedSet<GrantedAuthority> sortedAuthorities =
@@ -208,7 +153,64 @@ public class User implements UserDetails {
         }
     }
 
+    @Override
+    public boolean equals(Object rhs) {
+        if (!(rhs instanceof User) || (rhs == null)) {
+            return false;
+        }
+
+        User user = (User) rhs;
+
+        // We rely on constructor to guarantee any User has non-null
+        // authorities
+        if (!authorities.equals(user.authorities)) {
+            return false;
+        }
+
+        // We rely on constructor to guarantee non-null username and password
+        return (this.getPassword().equals(user.getPassword()) && this.getUsername().equals(user.getUsername())
+                && (this.isAccountNonExpired() == user.isAccountNonExpired())
+                && (this.isAccountNonLocked() == user.isAccountNonLocked())
+                && (this.isCredentialsNonExpired() == user.isCredentialsNonExpired())
+                && (this.isEnabled() == user.isEnabled()));
+    }
+
+    @Override
+    public int hashCode() {
+        int code = 9792;
+
+        for (GrantedAuthority authority : getAuthorities()) {
+            code = code * (authority.hashCode() % 7);
+        }
+
+        if (this.getPassword() != null) {
+            code = code * (this.getPassword().hashCode() % 7);
+        }
+
+        if (this.getUsername() != null) {
+            code = code * (this.getUsername().hashCode() % 7);
+        }
+
+        if (this.isAccountNonExpired()) {
+            code = code * -2;
+        }
+
+        if (this.isAccountNonLocked()) {
+            code = code * -3;
+        }
+
+        if (this.isCredentialsNonExpired()) {
+            code = code * -5;
+        }
+
+        if (this.isEnabled()) {
+            code = code * -7;
+        }
+
+        return code;
+    }
 
+    @Override
     public String toString() {
         StringBuilder sb = new StringBuilder();
         sb.append(super.toString()).append(": ");