
SEC-1231: Authentication.getAuthorities should be of type Collection<GrantedAuthority> and not List<GrantedAuthority>. Refactored the interface and related classes to match (UserDetails etc).

Luke Taylor 16 năm trước cách đây
mục cha
commit
caff3ee9ba
64 tập tin đã thay đổi với 296 bổ sung355 xóa
  1. 2 6
      acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java
  2. 2 1
      acl/src/main/java/org/springframework/security/acls/domain/SidRetrievalStrategyImpl.java
  3. 4 15
      cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java
  4. 2 2
      cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java
  5. 3 3
      cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationTokenTests.java
  6. 2 2
      core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java
  7. 2 2
      core/src/main/java/org/springframework/security/access/hierarchicalroles/NullRoleHierarchy.java
  8. 2 2
      core/src/main/java/org/springframework/security/access/hierarchicalroles/RoleHierarchy.java
  9. 45 39
      core/src/main/java/org/springframework/security/access/hierarchicalroles/RoleHierarchyImpl.java
  10. 4 3
      core/src/main/java/org/springframework/security/access/hierarchicalroles/UserDetailsWrapper.java
  11. 2 3
      core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java
  12. 3 2
      core/src/main/java/org/springframework/security/access/vote/LabelBasedAclVoter.java
  13. 2 2
      core/src/main/java/org/springframework/security/access/vote/RoleHierarchyVoter.java
  14. 3 2
      core/src/main/java/org/springframework/security/access/vote/RoleVoter.java
  15. 11 9
      core/src/main/java/org/springframework/security/authentication/AbstractAuthenticationToken.java
  16. 2 10
      core/src/main/java/org/springframework/security/authentication/RememberMeAuthenticationToken.java
  17. 2 2
      core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java
  18. 3 1
      core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationManager.java
  19. 5 8
      core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationManagerImpl.java
  20. 4 7
      core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProvider.java
  21. 2 2
      core/src/main/java/org/springframework/security/core/Authentication.java
  22. 4 3
      core/src/main/java/org/springframework/security/core/authority/AuthorityUtils.java
  23. 4 3
      core/src/main/java/org/springframework/security/core/userdetails/User.java
  24. 2 2
      core/src/main/java/org/springframework/security/core/userdetails/UserDetails.java
  25. 7 7
      core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java
  26. 2 2
      core/src/test/java/org/springframework/security/access/expression/SecurityExpressionRootTests.java
  27. 5 4
      core/src/test/java/org/springframework/security/access/hierarchicalroles/HierarchicalRolesTestHelper.java
  28. 11 10
      core/src/test/java/org/springframework/security/access/hierarchicalroles/TestHelperTests.java
  29. 22 19
      core/src/test/java/org/springframework/security/access/intercept/RunAsManagerImplTests.java
  30. 1 2
      core/src/test/java/org/springframework/security/authentication/AbstractAuthenticationTokenTests.java
  31. 3 2
      core/src/test/java/org/springframework/security/authentication/TestingAuthenticationProviderTests.java
  32. 2 2
      core/src/test/java/org/springframework/security/authentication/UsernamePasswordAuthenticationTokenTests.java
  33. 2 2
      core/src/test/java/org/springframework/security/authentication/anonymous/AnonymousAuthenticationTokenTests.java
  34. 8 13
      core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
  35. 5 6
      core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java
  36. 6 16
      core/src/test/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProviderTests.java
  37. 2 2
      core/src/test/java/org/springframework/security/authentication/rememberme/RememberMeAuthenticationTokenTests.java
  38. 2 2
      core/src/test/java/org/springframework/security/core/userdetails/UserTests.java
  39. 6 14
      core/src/test/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImplTests.java
  40. 3 2
      core/src/test/java/org/springframework/security/core/userdetails/memory/UserMapEditorTests.java
  41. 3 3
      ldap/src/main/java/org/springframework/security/ldap/authentication/LdapAuthenticationProvider.java
  42. 2 2
      ldap/src/main/java/org/springframework/security/ldap/authentication/NullLdapAuthoritiesPopulator.java
  43. 2 2
      ldap/src/main/java/org/springframework/security/ldap/authentication/UserDetailsServiceLdapAuthoritiesPopulator.java
  44. 2 1
      ldap/src/main/java/org/springframework/security/ldap/userdetails/DefaultLdapAuthoritiesPopulator.java
  45. 2 2
      ldap/src/main/java/org/springframework/security/ldap/userdetails/InetOrgPersonContextMapper.java
  46. 2 2
      ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapAuthoritiesPopulator.java
  47. 13 10
      ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapUserDetailsImpl.java
  48. 4 4
      ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapUserDetailsManager.java
  49. 4 4
      ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapUserDetailsMapper.java
  50. 2 2
      ldap/src/main/java/org/springframework/security/ldap/userdetails/PersonContextMapper.java
  51. 2 2
      ldap/src/main/java/org/springframework/security/ldap/userdetails/UserDetailsContextMapper.java
  52. 5 10
      ldap/src/test/java/org/springframework/security/ldap/authentication/LdapAuthenticationProviderTests.java
  53. 24 35
      ldap/src/test/java/org/springframework/security/ldap/populator/DefaultLdapAuthoritiesPopulatorTests.java
  54. 4 4
      ldap/src/test/java/org/springframework/security/ldap/populator/UserDetailsServiceLdapAuthoritiesPopulatorTests.java
  55. 1 4
      ldap/src/test/java/org/springframework/security/ldap/userdetails/LdapUserDetailsMapperTests.java
  56. 2 2
      ldap/src/test/java/org/springframework/security/ldap/userdetails/LdapUserDetailsServiceTests.java
  57. 2 1
      openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java
  58. 2 10
      web/src/main/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationToken.java
  59. 2 2
      web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserAuthorityChanger.java
  60. 3 2
      web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserProcessingFilter.java
  61. 2 2
      web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java
  62. 2 10
      web/src/test/java/org/springframework/security/web/authentication/AnonymousProcessingFilterTests.java
  63. 2 1
      web/src/test/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationTokenTests.java
  64. 3 2
      web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserProcessingFilterTests.java

+ 2 - 6
acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java

@@ -98,12 +98,8 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
         }
 
         // Iterate this principal's authorities to determine right
-        List<GrantedAuthority> auths = authentication.getAuthorities();
-
-        for (int i = 0; i < auths.size(); i++) {
-            if (requiredAuthority.equals(auths.get(i))) {
-                return;
-            }
+        if (authentication.getAuthorities().contains(requiredAuthority)) {
+            return;
         }
 
         // Try to get permission via ACEs within the ACL
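Review bot: The `contains(requiredAuthority)` check now depends on whatever collection `getAuthorities()` returns, where the removed loop called `requiredAuthority.equals(...)` on each element directly. With the return type widened to `Collection`, a hash-based implementation will only match when the `GrantedAuthority` classes involved keep `equals` and `hashCode` consistent. A custom authority type that overrides only `equals` could then fail this check silently and fall through to the ACE evaluation below. I would document that assumption above the call, e.g. `// contains() relies on GrantedAuthority equals()/hashCode(); custom implementations must override both`. The enclosing method starts and ends outside this hunk.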

+ 2 - 1
acl/src/main/java/org/springframework/security/acls/domain/SidRetrievalStrategyImpl.java

@@ -16,6 +16,7 @@
 package org.springframework.security.acls.domain;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 
 import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
@@ -51,7 +52,7 @@ public class SidRetrievalStrategyImpl implements SidRetrievalStrategy {
     //~ Methods ========================================================================================================
 
     public List<Sid> getSids(Authentication authentication) {
-        List<GrantedAuthority> authorities = roleHierarchy.getReachableGrantedAuthorities(authentication.getAuthorities());
+        Collection<GrantedAuthority> authorities = roleHierarchy.getReachableGrantedAuthorities(authentication.getAuthorities());
         List<Sid> sids = new ArrayList<Sid>(authorities.size() + 1);
 
         sids.add(new PrincipalSid(authentication));
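Review bot: `authorities.size()` in `getSids` dereferences the result of `getReachableGrantedAuthorities` without a null check, and the `RoleHierarchyImpl` version changed in this same commit still returns `null` when the input is null or empty. If a `RoleHierarchyImpl` is configured here, a principal with no authorities would hit a NullPointerException instead of getting just its principal SID. Either guard locally, `int count = (authorities == null) ? 0 : authorities.size();` with the same guard on the later use of `authorities`, or have `RoleHierarchyImpl` return an empty collection now that its signature is being changed anyway. The rest of `getSids` lies outside this hunk, so how `authorities` is consumed afterwards should be checked too.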

+ 4 - 15
cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java

@@ -15,17 +15,14 @@
 
 package org.springframework.security.cas.authentication;
 
-import org.jasig.cas.client.validation.Assertion;
+import java.io.Serializable;
+import java.util.Collection;
 
+import org.jasig.cas.client.validation.Assertion;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
 
-
-import java.io.Serializable;
-import java.util.Arrays;
-import java.util.List;
-
 /**
  * Represents a successful CAS <code>Authentication</code>.
  *
@@ -45,14 +42,6 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
 
     //~ Constructors ===================================================================================================
 
-    /**
-     * @deprecated
-     */
-    public CasAuthenticationToken(final String key, final Object principal, final Object credentials,
-            final GrantedAuthority[] authorities, final UserDetails userDetails, final Assertion assertion) {
-        this(key, principal, credentials, Arrays.asList(authorities), userDetails, assertion);
-    }
-
     /**
      * Constructor.
      *
@@ -71,7 +60,7 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
      * @throws IllegalArgumentException if a <code>null</code> was passed
      */
     public CasAuthenticationToken(final String key, final Object principal, final Object credentials,
-        final List<GrantedAuthority> authorities, final UserDetails userDetails, final Assertion assertion) {
+        final Collection<GrantedAuthority> authorities, final UserDetails userDetails, final Assertion assertion) {
         super(authorities);
 
         if ((key == null) || ("".equals(key)) || (principal == null) || "".equals(principal) || (credentials == null)

+ 2 - 2
cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java

@@ -98,8 +98,8 @@ public class CasAuthenticationProviderTests {
         CasAuthenticationToken casResult = (CasAuthenticationToken) result;
         assertEquals(makeUserDetailsFromAuthoritiesPopulator(), casResult.getPrincipal());
         assertEquals("ST-123", casResult.getCredentials());
-        assertEquals(new GrantedAuthorityImpl("ROLE_A"), casResult.getAuthorities().get(0));
-        assertEquals(new GrantedAuthorityImpl("ROLE_B"), casResult.getAuthorities().get(1));
+        assertTrue(casResult.getAuthorities().contains(new GrantedAuthorityImpl("ROLE_A")));
+        assertTrue(casResult.getAuthorities().contains(new GrantedAuthorityImpl("ROLE_B")));
         assertEquals(cap.getKey().hashCode(), casResult.getKeyHash());
         assertEquals("details", casResult.getDetails());
 

+ 3 - 3
cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationTokenTests.java

@@ -22,9 +22,9 @@ import junit.framework.TestCase;
 import org.jasig.cas.client.validation.Assertion;
 import org.jasig.cas.client.validation.AssertionImpl;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.cas.authentication.CasAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.GrantedAuthorityImpl;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 
@@ -109,8 +109,8 @@ public class CasAuthenticationTokenTests extends TestCase {
         assertEquals("key".hashCode(), token.getKeyHash());
         assertEquals(makeUserDetails(), token.getPrincipal());
         assertEquals("Password", token.getCredentials());
-        assertEquals("ROLE_ONE", token.getAuthorities().get(0).getAuthority());
-        assertEquals("ROLE_TWO", token.getAuthorities().get(1).getAuthority());
+        assertTrue(token.getAuthorities().contains(new GrantedAuthorityImpl("ROLE_ONE")));
+        assertTrue(token.getAuthorities().contains(new GrantedAuthorityImpl("ROLE_TWO")));
         assertEquals(assertion, token.getAssertion());
         assertEquals(makeUserDetails().getUsername(), token.getUserDetails().getUsername());
     }

+ 2 - 2
core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java

@@ -1,7 +1,7 @@
 package org.springframework.security.access.expression;
 
+import java.util.Collection;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Set;
 
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
@@ -96,7 +96,7 @@ public abstract class SecurityExpressionRoot {
     private Set<String> getAuthoritySet() {
         if (roles == null) {
             roles = new HashSet<String>();
-            List<GrantedAuthority> userAuthorities = authentication.getAuthorities();
+            Collection<GrantedAuthority> userAuthorities = authentication.getAuthorities();
 
             if (roleHierarchy != null) {
                 userAuthorities = roleHierarchy.getReachableGrantedAuthorities(userAuthorities);

+ 2 - 2
core/src/main/java/org/springframework/security/access/hierarchicalroles/NullRoleHierarchy.java

@@ -1,6 +1,6 @@
 package org.springframework.security.access.hierarchicalroles;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
 
@@ -12,7 +12,7 @@ import org.springframework.security.core.GrantedAuthority;
  */
 public final class NullRoleHierarchy implements RoleHierarchy {
 
-    public List<GrantedAuthority> getReachableGrantedAuthorities(List<GrantedAuthority> authorities) {
+    public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities) {
         return authorities;
     }
 

+ 2 - 2
core/src/main/java/org/springframework/security/access/hierarchicalroles/RoleHierarchy.java

@@ -14,7 +14,7 @@
 
 package org.springframework.security.access.hierarchicalroles;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
 
@@ -40,6 +40,6 @@ public interface RoleHierarchy {
      * @param authorities - List of the directly assigned authorities.
      * @return List of all reachable authorities given the assigned authorities.
      */
-    public List<GrantedAuthority> getReachableGrantedAuthorities(List<GrantedAuthority> authorities);
+    public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities);
 
 }
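Review bot: The Javadoc kept as context above the changed signature still says `List` for both `@param authorities` and `@return`, which no longer matches `Collection<GrantedAuthority>`. I would reword it to `@param authorities the directly assigned authorities` and `@return the authorities reachable from the assigned ones`. It should also state whether `null` is a permitted return value, since the `RoleHierarchyImpl` hunk in this commit returns `null` for empty input while `NullRoleHierarchy` returns its argument unchanged. Callers making access decisions need that contract spelled out.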

+ 45 - 39
core/src/main/java/org/springframework/security/access/hierarchicalroles/RoleHierarchyImpl.java

@@ -15,15 +15,21 @@
 package org.springframework.security.access.hierarchicalroles;
 
 
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.GrantedAuthorityImpl;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import java.util.*;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.GrantedAuthorityImpl;
 
 /**
  * <p>
@@ -98,7 +104,7 @@ public class RoleHierarchyImpl implements RoleHierarchy {
         buildRolesReachableInOneOrMoreStepsMap();
     }
 
-    public List<GrantedAuthority> getReachableGrantedAuthorities(List<GrantedAuthority> authorities) {
+    public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities) {
         if (authorities == null || authorities.isEmpty()) {
             return null;
         }
@@ -125,40 +131,40 @@ public class RoleHierarchyImpl implements RoleHierarchy {
     }
 
     // SEC-863
-	private void addReachableRoles(Set<GrantedAuthority> reachableRoles,
-			GrantedAuthority authority) {
-		
-		Iterator<GrantedAuthority> iterator = reachableRoles.iterator();		
-		while (iterator.hasNext()) {
-			GrantedAuthority testAuthority = iterator.next(); 
-			String testKey = testAuthority.getAuthority();
-			if ((testKey != null) && (testKey.equals(authority.getAuthority()))) {
-				return;
-			}
-		}
-		reachableRoles.add(authority);
-	}
+    private void addReachableRoles(Set<GrantedAuthority> reachableRoles,
+            GrantedAuthority authority) {
+
+        Iterator<GrantedAuthority> iterator = reachableRoles.iterator();
+        while (iterator.hasNext()) {
+            GrantedAuthority testAuthority = iterator.next();
+            String testKey = testAuthority.getAuthority();
+            if ((testKey != null) && (testKey.equals(authority.getAuthority()))) {
+                return;
+            }
+        }
+        reachableRoles.add(authority);
+    }
 
     // SEC-863
-	private Set<GrantedAuthority> getRolesReachableInOneOrMoreSteps(
-			GrantedAuthority authority) {
-		
-		if (authority.getAuthority() == null) {
-			return null;
-		}
-		
-		Iterator<GrantedAuthority> iterator = rolesReachableInOneOrMoreStepsMap.keySet().iterator();		
-		while (iterator.hasNext()) {
-			GrantedAuthority testAuthority = iterator.next(); 
-			String testKey = testAuthority.getAuthority();
-			if ((testKey != null) && (testKey.equals(authority.getAuthority()))) {
-				return rolesReachableInOneOrMoreStepsMap.get(testAuthority);
-			}
-		}
-		
-		return null;
-	}
-    
+    private Set<GrantedAuthority> getRolesReachableInOneOrMoreSteps(
+            GrantedAuthority authority) {
+
+        if (authority.getAuthority() == null) {
+            return null;
+        }
+
+        Iterator<GrantedAuthority> iterator = rolesReachableInOneOrMoreStepsMap.keySet().iterator();
+        while (iterator.hasNext()) {
+            GrantedAuthority testAuthority = iterator.next();
+            String testKey = testAuthority.getAuthority();
+            if ((testKey != null) && (testKey.equals(authority.getAuthority()))) {
+                return rolesReachableInOneOrMoreStepsMap.get(testAuthority);
+            }
+        }
+
+        return null;
+    }
+
     /**
      * Parse input and build the map for the roles reachable in one step: the higher role will become a key that
      * references a set of the reachable lower roles.

+ 4 - 3
core/src/main/java/org/springframework/security/access/hierarchicalroles/UserDetailsWrapper.java

@@ -14,8 +14,9 @@
 
 package org.springframework.security.access.hierarchicalroles;
 
-import java.util.List;
+import java.util.Collection;
 
+import org.springframework.security.access.vote.RoleHierarchyVoter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
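Review bot: The added `import org.springframework.security.access.vote.RoleHierarchyVoter;` makes the `hierarchicalroles` package depend on `access.vote`, while `RoleHierarchyVoter` in this commit already imports `RoleHierarchy` from `hierarchicalroles`, so the two packages now reference each other. Nothing in the visible hunks of this file uses the class, so it is presumably there only for a Javadoc reference. If so, a fully qualified `{@link org.springframework.security.access.vote.RoleHierarchyVoter}` avoids the import. Most of the class body is outside these hunks, so this should be confirmed against the full file.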
 
@@ -48,7 +49,7 @@ public class UserDetailsWrapper implements UserDetails {
         return userDetails.isAccountNonLocked();
     }
 
-    public List<GrantedAuthority> getAuthorities() {
+    public Collection<GrantedAuthority> getAuthorities() {
         return roleHierarchy.getReachableGrantedAuthorities(userDetails.getAuthorities());
     }
 
@@ -72,4 +73,4 @@ public class UserDetailsWrapper implements UserDetails {
         return userDetails;
     }
 
-}
+}

+ 2 - 3
core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java

@@ -16,8 +16,7 @@
 package org.springframework.security.access.intercept;
 
 import java.util.Arrays;
-import java.util.List;
-
+import java.util.Collection;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -45,7 +44,7 @@ public class RunAsUserToken extends AbstractAuthenticationToken {
         this(key, principal, credentials, Arrays.asList(authorities), originalAuthentication);
     }
 
-    public RunAsUserToken(String key, Object principal, Object credentials, List<GrantedAuthority> authorities,
+    public RunAsUserToken(String key, Object principal, Object credentials, Collection<GrantedAuthority> authorities,
             Class<? extends Authentication> originalAuthentication) {
         super(authorities);
         this.keyHash = key.hashCode();

+ 3 - 2
core/src/main/java/org/springframework/security/access/vote/LabelBasedAclVoter.java

@@ -23,6 +23,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.util.Assert;
 
 
@@ -177,8 +178,8 @@ public class LabelBasedAclVoter extends AbstractAclVoter {
              */
             List<String> userLabels = new ArrayList<String>();
 
-            for (int i = 0; i < authentication.getAuthorities().size(); i++) {
-                String userLabel = authentication.getAuthorities().get(i).getAuthority();
+            for (GrantedAuthority authority : authentication.getAuthorities()) {
+                String userLabel = authority.getAuthority();
                 if (labelMap.containsKey(userLabel)) {
                     userLabels.add(userLabel);
                     logger.debug("Adding " + userLabel + " to <<<" + authentication.getName()

+ 2 - 2
core/src/main/java/org/springframework/security/access/vote/RoleHierarchyVoter.java

@@ -1,6 +1,6 @@
 package org.springframework.security.access.vote;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.core.Authentication;
@@ -26,7 +26,7 @@ public class RoleHierarchyVoter extends RoleVoter {
      * Calls the <tt>RoleHierarchy</tt> to obtain the complete set of user authorities.
      */
     @Override
-    List<GrantedAuthority> extractAuthorities(Authentication authentication) {
+    Collection<GrantedAuthority> extractAuthorities(Authentication authentication) {
         return roleHierarchy.getReachableGrantedAuthorities(authentication.getAuthorities());
     }
 }

+ 3 - 2
core/src/main/java/org/springframework/security/access/vote/RoleVoter.java

@@ -15,6 +15,7 @@
 
 package org.springframework.security.access.vote;
 
+import java.util.Collection;
 import java.util.List;
 
 import org.springframework.security.access.AccessDecisionVoter;
@@ -94,7 +95,7 @@ public class RoleVoter implements AccessDecisionVoter {
 
     public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
         int result = ACCESS_ABSTAIN;
-        List<GrantedAuthority> authorities = extractAuthorities(authentication);
+        Collection<GrantedAuthority> authorities = extractAuthorities(authentication);
 
         for (ConfigAttribute attribute : attributes) {
             if (this.supports(attribute)) {
@@ -112,7 +113,7 @@ public class RoleVoter implements AccessDecisionVoter {
         return result;
     }
 
-    List<GrantedAuthority> extractAuthorities(Authentication authentication) {
+    Collection<GrantedAuthority> extractAuthorities(Authentication authentication) {
         return authentication.getAuthorities();
     }
 }

+ 11 - 9
core/src/main/java/org/springframework/security/authentication/AbstractAuthenticationToken.java

@@ -16,8 +16,9 @@
 package org.springframework.security.authentication;
 
 import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
-import java.util.List;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -37,7 +38,7 @@ public abstract class AbstractAuthenticationToken implements Authentication {
     //~ Instance fields ================================================================================================
 
     private Object details;
-    private final List<GrantedAuthority> authorities;
+    private final Collection<GrantedAuthority> authorities;
     private boolean authenticated = false;
 
     //~ Constructors ===================================================================================================
@@ -52,17 +53,18 @@ public abstract class AbstractAuthenticationToken implements Authentication {
      *                    Authentication#getAuthorities()}<code>null</code> should only be
      *                    presented if the principal has not been authenticated).
      */
-    public AbstractAuthenticationToken(List<GrantedAuthority> authorities) {
+    public AbstractAuthenticationToken(Collection<GrantedAuthority> authorities) {
         if (authorities == null) {
             this.authorities = null;
         } else {
-            for (int i = 0; i < authorities.size(); i++) {
-                if(authorities.get(i) == null) {
-                    throw new IllegalArgumentException("Granted authority element " + i
-                            + " is null - GrantedAuthority[] cannot contain any null elements");
+            for (GrantedAuthority a: authorities) {
+                if(a == null) {
+                    throw new IllegalArgumentException("Authorities collection cannot contain any null elements");
                 }
             }
-            this.authorities = Collections.unmodifiableList(authorities);
+            ArrayList<GrantedAuthority> temp = new ArrayList<GrantedAuthority>(authorities.size());
+            temp.addAll(authorities);
+            this.authorities = Collections.unmodifiableList(temp);
         }
     }
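Review bot: The null-element check in the constructor runs over the caller's collection and the copy is taken only afterwards. If the caller's collection changes in between, the elements stored in `this.authorities` are not necessarily the ones that were checked. Taking the copy first and validating the copy closes that gap: put `ArrayList<GrantedAuthority> temp = new ArrayList<GrantedAuthority>(authorities);` before the loop and write the loop as `for (GrantedAuthority a : temp)`. That also makes the separate `addAll` call unnecessary.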
 
@@ -116,7 +118,7 @@ public abstract class AbstractAuthenticationToken implements Authentication {
         return this.isAuthenticated() == test.isAuthenticated();
     }
 
-    public List<GrantedAuthority> getAuthorities() {
+    public Collection<GrantedAuthority> getAuthorities() {
         return authorities;
     }
 

+ 2 - 10
core/src/main/java/org/springframework/security/authentication/RememberMeAuthenticationToken.java

@@ -16,8 +16,7 @@
 package org.springframework.security.authentication;
 
 import java.io.Serializable;
-import java.util.Arrays;
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
 
@@ -39,13 +38,6 @@ public class RememberMeAuthenticationToken extends AbstractAuthenticationToken i
 
     //~ Constructors ===================================================================================================
 
-    /**
-     * @deprecated
-     */
-    public RememberMeAuthenticationToken(String key, Object principal, GrantedAuthority[] authorities) {
-        this(key, principal, Arrays.asList(authorities));
-    }
-
     /**
      * Constructor.
      *
@@ -55,7 +47,7 @@ public class RememberMeAuthenticationToken extends AbstractAuthenticationToken i
      *
      * @throws IllegalArgumentException if a <code>null</code> was passed
      */
-    public RememberMeAuthenticationToken(String key, Object principal, List<GrantedAuthority> authorities) {
+    public RememberMeAuthenticationToken(String key, Object principal, Collection<GrantedAuthority> authorities) {
         super(authorities);
 
         if ((key == null) || ("".equals(key)) || (principal == null) || "".equals(principal)) {

+ 2 - 2
core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java

@@ -16,7 +16,7 @@
 package org.springframework.security.authentication;
 
 import java.util.Arrays;
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
 
@@ -69,7 +69,7 @@ public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationT
      * @param credentials
      * @param authorities
      */
-    public UsernamePasswordAuthenticationToken(Object principal, Object credentials, List<GrantedAuthority> authorities) {
+    public UsernamePasswordAuthenticationToken(Object principal, Object credentials, Collection<GrantedAuthority> authorities) {
         super(authorities);
         this.principal = principal;
         this.credentials = credentials;

+ 3 - 1
core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationManager.java

@@ -15,6 +15,8 @@
 
 package org.springframework.security.authentication.rcp;
 
+import java.util.Collection;
+
 import org.springframework.security.core.GrantedAuthority;
 
 
@@ -43,6 +45,6 @@ public interface RemoteAuthenticationManager {
      *
      * @throws RemoteAuthenticationException if the authentication failed.
      */
-    GrantedAuthority[] attemptAuthentication(String username, String password)
+    Collection<GrantedAuthority> attemptAuthentication(String username, String password)
         throws RemoteAuthenticationException;
 }

+ 5 - 8
core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationManagerImpl.java

@@ -15,16 +15,13 @@
 
 package org.springframework.security.authentication.rcp;
 
-import java.util.List;
-
+import java.util.Collection;
 
+import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
-
-import org.springframework.beans.factory.InitializingBean;
-
 import org.springframework.util.Assert;
 
 
@@ -48,14 +45,14 @@ public class RemoteAuthenticationManagerImpl implements RemoteAuthenticationMana
         Assert.notNull(this.authenticationManager, "authenticationManager is required");
     }
 
-    public GrantedAuthority[] attemptAuthentication(String username, String password)
+    public Collection<GrantedAuthority> attemptAuthentication(String username, String password)
             throws RemoteAuthenticationException {
         UsernamePasswordAuthenticationToken request = new UsernamePasswordAuthenticationToken(username, password);
 
         try {
-            List<GrantedAuthority> authorities = authenticationManager.authenticate(request).getAuthorities();
+            Collection<GrantedAuthority> authorities = authenticationManager.authenticate(request).getAuthorities();
 
-            return authorities == null ? null : authorities.toArray(new GrantedAuthority[authorities.size()]);
+            return authorities;
         } catch (AuthenticationException authEx) {
             throw new RemoteAuthenticationException(authEx.getMessage());
         }
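Review bot: `return authorities;` now hands back whatever collection object the authenticated `Authentication` exposes, where the removed line copied it into a plain `GrantedAuthority[]`. This interface appears to be called across a remoting boundary (package `rcp`, `RemoteAuthenticationException`), so the concrete collection class would have to be serializable and resolvable on the client. That is not guaranteed for an arbitrary `Collection` implementation. Copying into a standard type keeps the wire format predictable: `return authorities == null ? null : new ArrayList<GrantedAuthority>(authorities);`, which needs `java.util.ArrayList` imported.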

+ 4 - 7
core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProvider.java

@@ -15,17 +15,14 @@
 
 package org.springframework.security.authentication.rcp;
 
-import java.util.Arrays;
-
+import java.util.Collection;
 
+import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
-
-import org.springframework.beans.factory.InitializingBean;
-
 import org.springframework.util.Assert;
 
 
@@ -62,9 +59,9 @@ public class RemoteAuthenticationProvider implements AuthenticationProvider, Ini
         throws AuthenticationException {
         String username = authentication.getPrincipal().toString();
         String password = authentication.getCredentials().toString();
-        GrantedAuthority[] authorities = remoteAuthenticationManager.attemptAuthentication(username, password);
+        Collection<GrantedAuthority> authorities = remoteAuthenticationManager.attemptAuthentication(username, password);
 
-        return new UsernamePasswordAuthenticationToken(username, password, Arrays.asList(authorities));
+        return new UsernamePasswordAuthenticationToken(username, password, authorities);
     }
 
     public RemoteAuthenticationManager getRemoteAuthenticationManager() {
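Review bot: In authenticate, the value returned by `remoteAuthenticationManager.attemptAuthentication(username, password)` is now passed to the `UsernamePasswordAuthenticationToken` constructor without any check, whereas the removed `Arrays.asList(authorities)` at least failed on a null array. The `Authentication.getAuthorities()` Javadoc in this commit says that method may return null, and RemoteAuthenticationManagerImpl forwards that value unchanged, so a null can reach this line. What the constructor does with it is not visible here. An explicit guard before the return, for example `if (authorities == null) { throw new AuthenticationServiceException("Remote manager returned no authorities"); }` (with the matching import), would make the failure mode deliberate. The method starts above this hunk.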

+ 2 - 2
core/src/main/java/org/springframework/security/core/Authentication.java

@@ -18,7 +18,7 @@ package org.springframework.security.core;
 import java.io.Serializable;
 
 import java.security.Principal;
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -56,7 +56,7 @@ public interface Authentication extends Principal, Serializable {
      *
      * @return the authorities granted to the principal, or <code>null</code> if authentication has not been completed
      */
-    List<GrantedAuthority> getAuthorities();
+    Collection<GrantedAuthority> getAuthorities();
 
     /**
      * The credentials that prove the principal is correct. This is usually a password, but could be anything
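Review bot: The Javadoc above `Collection<GrantedAuthority> getAuthorities();` still only describes the null case, and with the return type widened from List it tells callers nothing about ordering or mutability. I would add a sentence such as `Implementations should return an immutable collection; callers must not rely on iteration order.`, since tests elsewhere in this commit previously indexed into the result with `get(0)`. The comment block begins outside this hunk, so its full wording is not visible here.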

+ 4 - 3
core/src/main/java/org/springframework/security/core/authority/AuthorityUtils.java

@@ -1,6 +1,7 @@
 package org.springframework.security.core.authority;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
@@ -35,10 +36,10 @@ public abstract class AuthorityUtils {
      * Converts an array of GrantedAuthority objects to a Set.
      * @return a Set of the Strings obtained from each call to GrantedAuthority.getAuthority()
      */
-    public static Set<String> authorityListToSet(List<GrantedAuthority> authorities) {
-        Set<String> set = new HashSet<String>(authorities.size());
+    public static Set<String> authorityListToSet(Collection<GrantedAuthority> userAuthorities) {
+        Set<String> set = new HashSet<String>(userAuthorities.size());
 
-        for (GrantedAuthority authority: authorities) {
+        for (GrantedAuthority authority: userAuthorities) {
             set.add(authority.getAuthority());
         }
 
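Review bot: `authorityListToSet` calls `userAuthorities.size()` with no null check, yet the `Authentication.getAuthorities()` Javadoc in this commit says that method may return null before authentication completes, and the updated tests pass `getAuthorities()` results directly into this helper. Either document the precondition with `@param userAuthorities the authorities to convert (must not be null)` or return an empty set for null input. The comment above the method also still reads `Converts an array of GrantedAuthority objects to a Set`, which matches neither the old nor the new parameter type. The method's return statement is outside this hunk.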

+ 4 - 3
core/src/main/java/org/springframework/security/core/userdetails/User.java

@@ -17,6 +17,7 @@ package org.springframework.security.core.userdetails;
 
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import java.util.SortedSet;
@@ -80,7 +81,7 @@ public class User implements UserDetails {
      *         <code>GrantedAuthority[]</code> array
      */
     public User(String username, String password, boolean enabled, boolean accountNonExpired,
-            boolean credentialsNonExpired, boolean accountNonLocked, List<GrantedAuthority> authorities) {
+            boolean credentialsNonExpired, boolean accountNonLocked, Collection<GrantedAuthority> authorities) {
 
         if (((username == null) || "".equals(username)) || (password == null)) {
             throw new IllegalArgumentException("Cannot pass null or empty values to constructor");
@@ -118,7 +119,7 @@ public class User implements UserDetails {
                 && (this.isEnabled() == user.isEnabled()));
     }
 
-    public List<GrantedAuthority> getAuthorities() {
+    public Collection<GrantedAuthority> getAuthorities() {
         return authorities;
     }
 
@@ -182,7 +183,7 @@ public class User implements UserDetails {
         return enabled;
     }
 
-    private static List<GrantedAuthority> sortAuthorities(List<GrantedAuthority> authorities) {
+    private static List<GrantedAuthority> sortAuthorities(Collection<GrantedAuthority> authorities) {
         Assert.notNull(authorities, "Cannot pass a null GrantedAuthority array");
         // Ensure array iteration order is predictable (as per UserDetails.getAuthorities() contract and SEC-xxx)
         SortedSet<GrantedAuthority> sorter = new TreeSet<GrantedAuthority>();
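Review bot: The constructor Javadoc still ends with `GrantedAuthority[]` array and `sortAuthorities` still asserts with `"Cannot pass a null GrantedAuthority array"`, although both now take a `Collection<GrantedAuthority>`. Changing both to say `collection` keeps the exception text a caller sees consistent with the signature, and the `SEC-xxx` placeholder in the comment below the assertion could be replaced with the real issue key, which is not visible on this page. Note also that `sortAuthorities` still returns a `List` while `getAuthorities()` now exposes a `Collection`, so the predictable order that comment promises is no longer visible in the public type. All three methods extend beyond their hunks.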

+ 2 - 2
core/src/main/java/org/springframework/security/core/userdetails/UserDetails.java

@@ -19,7 +19,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 
 import java.io.Serializable;
-import java.util.List;
+import java.util.Collection;
 
 
 /**
@@ -60,7 +60,7 @@ public interface UserDetails extends Serializable {
      *
      * @return the authorities, sorted by natural key (never <code>null</code>)
      */
-    List<GrantedAuthority> getAuthorities();
+    Collection<GrantedAuthority> getAuthorities();
 
     /**
      * Returns the password used to authenticate the user. Cannot return <code>null</code>.
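Review bot: The `@return` text above `Collection<GrantedAuthority> getAuthorities();` still promises `sorted by natural key`, which a plain `Collection` cannot express and which an implementer returning an unordered collection would break without any compile-time signal. Either state the ordering requirement for implementers explicitly, for example `@return the authorities, iterated in natural-key order (never <code>null</code>)`, or drop the ordering clause if callers are no longer meant to depend on it. The tests changed in this commit stop indexing into the result, which suggests the second reading, but the commit does not say so.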

+ 7 - 7
core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java

@@ -25,6 +25,7 @@ import org.apache.commons.logging.LogFactory;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
+import java.util.Collection;
 import java.util.List;
 
 /**
@@ -171,9 +172,8 @@ public class JdbcUserDetailsManager extends JdbcDaoImpl implements UserDetailsMa
     }
 
     private void insertUserAuthorities(UserDetails user) {
-        for (int i=0; i < user.getAuthorities().size(); i++) {
-            getJdbcTemplate().update(createAuthoritySql,
-                    new Object[] {user.getUsername(), user.getAuthorities().get(i).getAuthority()});
+        for (GrantedAuthority auth : user.getAuthorities()) {
+            getJdbcTemplate().update(createAuthoritySql, user.getUsername(), auth.getAuthority());
         }
     }
 
@@ -437,12 +437,12 @@ public class JdbcUserDetailsManager extends JdbcDaoImpl implements UserDetailsMa
         validateAuthorities(user.getAuthorities());
     }
 
-    private void validateAuthorities(List<GrantedAuthority> authorities) {
+    private void validateAuthorities(Collection<GrantedAuthority> authorities) {
         Assert.notNull(authorities, "Authorities list must not be null");
 
-        for (int i=0; i < authorities.size(); i++) {
-            Assert.notNull(authorities.get(i), "Authorities list contains a null entry");
-            Assert.hasText(authorities.get(i).getAuthority(), "getAuthority() method must return a non-empty string");
+        for (GrantedAuthority authority : authorities) {
+            Assert.notNull(authority, "Authorities list contains a null entry");
+            Assert.hasText(authority.getAuthority(), "getAuthority() method must return a non-empty string");
         }
     }
 }

+ 2 - 2
core/src/test/java/org/springframework/security/access/expression/SecurityExpressionRootTests.java

@@ -2,7 +2,7 @@ package org.springframework.security.access.expression;
 
 import static org.junit.Assert.*;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.junit.Test;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
@@ -24,7 +24,7 @@ public class SecurityExpressionRootTests {
             new SecurityExpressionRoot(new TestingAuthenticationToken("joe", "pass", "A", "B")) {};
 
         root.setRoleHierarchy(new RoleHierarchy() {
-            public List<GrantedAuthority> getReachableGrantedAuthorities(List<GrantedAuthority> authorities) {
+            public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<GrantedAuthority> authorities) {
                 return AuthorityUtils.createAuthorityList("C");
             }
         });

+ 5 - 4
core/src/test/java/org/springframework/security/access/hierarchicalroles/HierarchicalRolesTestHelper.java

@@ -15,6 +15,7 @@
 package org.springframework.security.access.hierarchicalroles;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 
 import org.springframework.security.core.GrantedAuthority;
@@ -27,7 +28,7 @@ import org.apache.commons.collections.CollectionUtils;
  */
 public abstract class HierarchicalRolesTestHelper {
 
-    public static boolean containTheSameGrantedAuthorities(List<GrantedAuthority> authorities1, List<GrantedAuthority> authorities2) {
+    public static boolean containTheSameGrantedAuthorities(Collection<GrantedAuthority> authorities1, Collection<GrantedAuthority> authorities2) {
         if (authorities1 == null && authorities2 == null) {
             return true;
         }
@@ -38,7 +39,7 @@ public abstract class HierarchicalRolesTestHelper {
         return CollectionUtils.isEqualCollection(authorities1, authorities2);
     }
 
-    public static boolean containTheSameGrantedAuthoritiesCompareByAuthorityString(List<GrantedAuthority> authorities1, List<GrantedAuthority> authorities2) {
+    public static boolean containTheSameGrantedAuthoritiesCompareByAuthorityString(Collection<GrantedAuthority> authorities1, Collection<GrantedAuthority> authorities2) {
         if (authorities1 == null && authorities2 == null) {
             return true;
         }
@@ -46,10 +47,10 @@ public abstract class HierarchicalRolesTestHelper {
         if (authorities1 == null || authorities2 == null) {
             return false;
         }
-        return CollectionUtils.isEqualCollection(toListOfAuthorityStrings(authorities1), toListOfAuthorityStrings(authorities2));
+        return CollectionUtils.isEqualCollection(toCollectionOfAuthorityStrings(authorities1), toCollectionOfAuthorityStrings(authorities2));
     }
 
-    public static List<String> toListOfAuthorityStrings(List<GrantedAuthority> authorities) {
+    public static List<String> toCollectionOfAuthorityStrings(Collection<GrantedAuthority> authorities) {
         if (authorities == null) {
             return null;
         }
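Review bot: `toCollectionOfAuthorityStrings` is renamed to say Collection but is still declared to return `List<String>`, so the name and the signature now disagree. Either keep the old name or change the declaration to `public static Collection<String> toCollectionOfAuthorityStrings(Collection<GrantedAuthority> authorities)`; the callers visible in this commit only pass the result to `CollectionUtils.isEqualCollection`, so the wider type should be enough for them. The test in TestHelperTests is also still called `testToListOfAuthorityStrings`. The method body continues past the end of this hunk.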

+ 11 - 10
core/src/test/java/org/springframework/security/access/hierarchicalroles/TestHelperTests.java

@@ -17,6 +17,7 @@ package org.springframework.security.access.hierarchicalroles;
 import static org.junit.Assert.*;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 
 import org.apache.commons.collections.CollectionUtils;
@@ -56,11 +57,11 @@ public class TestHelperTests {
     // SEC-863
     @Test
     public void testToListOfAuthorityStrings() {
-        List<GrantedAuthority> authorities1 = AuthorityUtils.createAuthorityList("ROLE_A", "ROLE_B");
-        List<GrantedAuthority> authorities2 = AuthorityUtils.createAuthorityList("ROLE_B", "ROLE_A");
-        List<GrantedAuthority> authorities3 = AuthorityUtils.createAuthorityList("ROLE_A", "ROLE_C");
-        List<GrantedAuthority> authorities4 = AuthorityUtils.createAuthorityList("ROLE_A");
-        List<GrantedAuthority> authorities5 = AuthorityUtils.createAuthorityList("ROLE_A", "ROLE_A");
+        Collection<GrantedAuthority> authorities1 = AuthorityUtils.createAuthorityList("ROLE_A", "ROLE_B");
+        Collection<GrantedAuthority> authorities2 = AuthorityUtils.createAuthorityList("ROLE_B", "ROLE_A");
+        Collection<GrantedAuthority> authorities3 = AuthorityUtils.createAuthorityList("ROLE_A", "ROLE_C");
+        Collection<GrantedAuthority> authorities4 = AuthorityUtils.createAuthorityList("ROLE_A");
+        Collection<GrantedAuthority> authorities5 = AuthorityUtils.createAuthorityList("ROLE_A", "ROLE_A");
 
         List<String> authoritiesStrings1 = new ArrayList<String>();
         authoritiesStrings1.add("ROLE_A");
@@ -82,19 +83,19 @@ public class TestHelperTests {
         authoritiesStrings5.add("ROLE_A");
 
         assertTrue(CollectionUtils.isEqualCollection(
-                HierarchicalRolesTestHelper.toListOfAuthorityStrings(authorities1),	authoritiesStrings1));
+                HierarchicalRolesTestHelper.toCollectionOfAuthorityStrings(authorities1),	authoritiesStrings1));
 
         assertTrue(CollectionUtils.isEqualCollection(
-                HierarchicalRolesTestHelper.toListOfAuthorityStrings(authorities2),	authoritiesStrings2));
+                HierarchicalRolesTestHelper.toCollectionOfAuthorityStrings(authorities2),	authoritiesStrings2));
 
         assertTrue(CollectionUtils.isEqualCollection(
-                HierarchicalRolesTestHelper.toListOfAuthorityStrings(authorities3),	authoritiesStrings3));
+                HierarchicalRolesTestHelper.toCollectionOfAuthorityStrings(authorities3),	authoritiesStrings3));
 
         assertTrue(CollectionUtils.isEqualCollection(
-                HierarchicalRolesTestHelper.toListOfAuthorityStrings(authorities4),	authoritiesStrings4));
+                HierarchicalRolesTestHelper.toCollectionOfAuthorityStrings(authorities4),	authoritiesStrings4));
 
         assertTrue(CollectionUtils.isEqualCollection(
-                HierarchicalRolesTestHelper.toListOfAuthorityStrings(authorities5),	authoritiesStrings5));
+                HierarchicalRolesTestHelper.toCollectionOfAuthorityStrings(authorities5),	authoritiesStrings5));
     }
 
     // SEC-863

+ 22 - 19
core/src/test/java/org/springframework/security/access/intercept/RunAsManagerImplTests.java

@@ -15,12 +15,11 @@
 
 package org.springframework.security.access.intercept;
 
+import java.util.Set;
+
 import junit.framework.TestCase;
 
 import org.springframework.security.access.SecurityConfig;
-import org.springframework.security.access.intercept.RunAsManager;
-import org.springframework.security.access.intercept.RunAsManagerImpl;
-import org.springframework.security.access.intercept.RunAsUserToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
@@ -57,16 +56,18 @@ public class RunAsManagerImplTests extends TestCase {
         runAs.setKey("my_password");
         runAs.setRolePrefix("FOOBAR_");
 
-        Authentication resultingToken = runAs.buildRunAs(inputToken, new Object(), SecurityConfig.createList("RUN_AS_SOMETHING"));
+        Authentication result = runAs.buildRunAs(inputToken, new Object(), SecurityConfig.createList("RUN_AS_SOMETHING"));
+
+        assertTrue("Should have returned a RunAsUserToken", result instanceof RunAsUserToken);
+        assertEquals(inputToken.getPrincipal(), result.getPrincipal());
+        assertEquals(inputToken.getCredentials(), result.getCredentials());
+        Set<String> authorities = AuthorityUtils.authorityListToSet(result.getAuthorities());
 
-        assertTrue("Should have returned a RunAsUserToken", resultingToken instanceof RunAsUserToken);
-        assertEquals(inputToken.getPrincipal(), resultingToken.getPrincipal());
-        assertEquals(inputToken.getCredentials(), resultingToken.getCredentials());
-        assertEquals("FOOBAR_RUN_AS_SOMETHING", resultingToken.getAuthorities().get(0).getAuthority());
-        assertEquals("ONE", resultingToken.getAuthorities().get(1).getAuthority());
-        assertEquals("TWO", resultingToken.getAuthorities().get(2).getAuthority());
+        assertTrue(authorities.contains("FOOBAR_RUN_AS_SOMETHING"));
+        assertTrue(authorities.contains("ONE"));
+        assertTrue(authorities.contains("TWO"));
 
-        RunAsUserToken resultCast = (RunAsUserToken) resultingToken;
+        RunAsUserToken resultCast = (RunAsUserToken) result;
         assertEquals("my_password".hashCode(), resultCast.getKeyHash());
     }
 
@@ -77,19 +78,21 @@ public class RunAsManagerImplTests extends TestCase {
         RunAsManagerImpl runAs = new RunAsManagerImpl();
         runAs.setKey("my_password");
 
-        Authentication resultingToken = runAs.buildRunAs(inputToken, new Object(), SecurityConfig.createList("RUN_AS_SOMETHING"));
+        Authentication result = runAs.buildRunAs(inputToken, new Object(), SecurityConfig.createList("RUN_AS_SOMETHING"));
 
-        if (!(resultingToken instanceof RunAsUserToken)) {
+        if (!(result instanceof RunAsUserToken)) {
             fail("Should have returned a RunAsUserToken");
         }
 
-        assertEquals(inputToken.getPrincipal(), resultingToken.getPrincipal());
-        assertEquals(inputToken.getCredentials(), resultingToken.getCredentials());
-        assertEquals("ROLE_RUN_AS_SOMETHING", resultingToken.getAuthorities().get(0).getAuthority());
-        assertEquals("ROLE_ONE", resultingToken.getAuthorities().get(1).getAuthority());
-        assertEquals("ROLE_TWO", resultingToken.getAuthorities().get(2).getAuthority());
+        assertEquals(inputToken.getPrincipal(), result.getPrincipal());
+        assertEquals(inputToken.getCredentials(), result.getCredentials());
+
+        Set<String> authorities = AuthorityUtils.authorityListToSet(result.getAuthorities());
+        assertTrue(authorities.contains("ROLE_RUN_AS_SOMETHING"));
+        assertTrue(authorities.contains("ROLE_ONE"));
+        assertTrue(authorities.contains("ROLE_TWO"));
 
-        RunAsUserToken resultCast = (RunAsUserToken) resultingToken;
+        RunAsUserToken resultCast = (RunAsUserToken) result;
         assertEquals("my_password".hashCode(), resultCast.getKeyHash());
     }
 
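Review bot: The rewritten assertions only check that the three expected authorities are contained in the set, so a run-as token carrying an additional, unexpected authority would still pass. The removed `get(0)` to `get(2)` checks did not rule that out either, but this rewrite is the natural place to close the gap. For a test on granted privileges I would compare the whole set, e.g. `assertEquals(new HashSet<String>(Arrays.asList("FOOBAR_RUN_AS_SOMETHING", "ONE", "TWO")), authorities);` (needs `java.util.Arrays` and `java.util.HashSet` imports), and likewise with the `ROLE_` names in the second test. The same contains-only pattern appears in TestingAuthenticationProviderTests, UsernamePasswordAuthenticationTokenTests, AnonymousAuthenticationTokenTests, DaoAuthenticationProviderTests, RemoteAuthenticationProviderTests, RememberMeAuthenticationTokenTests and UserTests, where the set is also rebuilt for every assertion.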

+ 1 - 2
core/src/test/java/org/springframework/security/authentication/AbstractAuthenticationTokenTests.java

@@ -21,7 +21,6 @@ import java.util.List;
 
 import org.junit.Before;
 import org.junit.Test;
-import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.authority.GrantedAuthorityImpl;
@@ -48,7 +47,7 @@ public class AbstractAuthenticationTokenTests {
     @Test(expected=UnsupportedOperationException.class)
     public void testAuthoritiesAreImmutable() {
         MockAuthenticationImpl token = new MockAuthenticationImpl("Test", "Password", authorities);
-        List<GrantedAuthority> gotAuthorities = token.getAuthorities();
+        List<GrantedAuthority> gotAuthorities = (List<GrantedAuthority>) token.getAuthorities();
         assertNotSame(authorities, gotAuthorities);
 
         gotAuthorities.set(0, new GrantedAuthorityImpl("ROLE_SUPER_USER"));
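Review bot: The cast in `(List<GrantedAuthority>) token.getAuthorities()` makes this immutability test depend on the token returning a List, which the interface no longer promises. If the backing type ever changes, the test fails with a ClassCastException instead of reporting on mutability. I would keep the `set(0, ...)` check but document the assumption above the cast, e.g. `// relies on AbstractAuthenticationToken returning a List; revisit if the backing collection type changes`. The test method's closing brace is outside this hunk.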

+ 3 - 2
core/src/test/java/org/springframework/security/authentication/TestingAuthenticationProviderTests.java

@@ -20,6 +20,7 @@ import junit.framework.TestCase;
 import org.springframework.security.authentication.TestingAuthenticationProvider;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
 
 /**
  * Tests {@link TestingAuthenticationProvider}.
@@ -39,8 +40,8 @@ public class TestingAuthenticationProviderTests extends TestCase {
         TestingAuthenticationToken castResult = (TestingAuthenticationToken) result;
         assertEquals("Test", castResult.getPrincipal());
         assertEquals("Password", castResult.getCredentials());
-        assertEquals("ROLE_ONE", castResult.getAuthorities().get(0).getAuthority());
-        assertEquals("ROLE_TWO", castResult.getAuthorities().get(1).getAuthority());
+        assertTrue(AuthorityUtils.authorityListToSet(castResult.getAuthorities()).contains("ROLE_ONE"));
+        assertTrue(AuthorityUtils.authorityListToSet(castResult.getAuthorities()).contains("ROLE_TWO"));
     }
 
     public void testSupports() {

+ 2 - 2
core/src/test/java/org/springframework/security/authentication/UsernamePasswordAuthenticationTokenTests.java

@@ -68,8 +68,8 @@ public class UsernamePasswordAuthenticationTokenTests {
                 AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO"));
         assertEquals("Test", token.getPrincipal());
         assertEquals("Password", token.getCredentials());
-        assertEquals("ROLE_ONE", token.getAuthorities().get(0).getAuthority());
-        assertEquals("ROLE_TWO", token.getAuthorities().get(1).getAuthority());
+        assertTrue(AuthorityUtils.authorityListToSet(token.getAuthorities()).contains("ROLE_ONE"));
+        assertTrue(AuthorityUtils.authorityListToSet(token.getAuthorities()).contains("ROLE_TWO"));
     }
 
     @Test(expected=NoSuchMethodException.class)

+ 2 - 2
core/src/test/java/org/springframework/security/authentication/anonymous/AnonymousAuthenticationTokenTests.java

@@ -76,8 +76,8 @@ public class AnonymousAuthenticationTokenTests extends TestCase {
         assertEquals("key".hashCode(), token.getKeyHash());
         assertEquals("Test", token.getPrincipal());
         assertEquals("", token.getCredentials());
-        assertEquals("ROLE_ONE", token.getAuthorities().get(0).getAuthority());
-        assertEquals("ROLE_TWO", token.getAuthorities().get(1).getAuthority());
+        assertTrue(AuthorityUtils.authorityListToSet(token.getAuthorities()).contains("ROLE_ONE"));
+        assertTrue(AuthorityUtils.authorityListToSet(token.getAuthorities()).contains("ROLE_TWO"));
         assertTrue(token.isAuthenticated());
     }
 

+ 8 - 13
core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java

@@ -19,7 +19,8 @@ import java.util.List;
 
 import junit.framework.TestCase;
 
-
+import org.springframework.dao.DataAccessException;
+import org.springframework.dao.DataRetrievalFailureException;
 import org.springframework.security.authentication.AccountExpiredException;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.authentication.BadCredentialsException;
@@ -28,7 +29,6 @@ import org.springframework.security.authentication.DisabledException;
 import org.springframework.security.authentication.LockedException;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -41,10 +41,6 @@ import org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache
 import org.springframework.security.core.userdetails.cache.NullUserCache;
 
 
-import org.springframework.dao.DataAccessException;
-import org.springframework.dao.DataRetrievalFailureException;
-
-
 /**
  * Tests {@link DaoAuthenticationProvider}.
  *
@@ -267,8 +263,8 @@ public class DaoAuthenticationProviderTests extends TestCase {
         UsernamePasswordAuthenticationToken castResult = (UsernamePasswordAuthenticationToken) result;
         assertEquals(User.class, castResult.getPrincipal().getClass());
         assertEquals("koala", castResult.getCredentials());
-        assertEquals("ROLE_ONE", castResult.getAuthorities().get(0).getAuthority());
-        assertEquals("ROLE_TWO", castResult.getAuthorities().get(1).getAuthority());
+        assertTrue(AuthorityUtils.authorityListToSet(castResult.getAuthorities()).contains("ROLE_ONE"));
+        assertTrue(AuthorityUtils.authorityListToSet(castResult.getAuthorities()).contains("ROLE_TWO"));
         assertEquals("192.168.0.1", castResult.getDetails());
     }
 
@@ -312,13 +308,12 @@ public class DaoAuthenticationProviderTests extends TestCase {
             fail("Should have returned instance of UsernamePasswordAuthenticationToken");
         }
 
-        UsernamePasswordAuthenticationToken castResult = (UsernamePasswordAuthenticationToken) result;
-        assertEquals(User.class, castResult.getPrincipal().getClass());
+        assertEquals(User.class, result.getPrincipal().getClass());
 
         // We expect original credentials user submitted to be returned
-        assertEquals("koala", castResult.getCredentials());
-        assertEquals("ROLE_ONE", castResult.getAuthorities().get(0).getAuthority());
-        assertEquals("ROLE_TWO", castResult.getAuthorities().get(1).getAuthority());
+        assertEquals("koala", result.getCredentials());
+        assertTrue(AuthorityUtils.authorityListToSet(result.getAuthorities()).contains("ROLE_ONE"));
+        assertTrue(AuthorityUtils.authorityListToSet(result.getAuthorities()).contains("ROLE_TWO"));
     }
 
     public void testAuthenticatesWithForcePrincipalAsString() {

+ 5 - 6
core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java

@@ -23,6 +23,7 @@ import java.io.FileOutputStream;
 import java.io.PrintWriter;
 import java.net.URL;
 import java.security.Security;
+import java.util.Collection;
 import java.util.List;
 
 import javax.security.auth.login.LoginContext;
@@ -192,7 +193,7 @@ public class JaasAuthenticationProviderTests {
         assertNotNull(jaasProvider.getLoginConfig());
         assertNotNull(jaasProvider.getLoginContextName());
 
-        List<GrantedAuthority> list = auth.getAuthorities();
+        Collection<GrantedAuthority> list = auth.getAuthorities();
 
         assertTrue("GrantedAuthorities should contain ROLE_TEST1", list.contains(new GrantedAuthorityImpl("ROLE_TEST1")));
         assertTrue("GrantedAuthorities should contain ROLE_TEST2", list.contains(new GrantedAuthorityImpl("ROLE_TEST2")));
@@ -201,11 +202,9 @@ public class JaasAuthenticationProviderTests {
 
         boolean foundit = false;
 
-        for (int i = 0; i < list.size(); i++) {
-            Object obj = list.get(i);
-
-            if (obj instanceof JaasGrantedAuthority) {
-                JaasGrantedAuthority grant = (JaasGrantedAuthority) obj;
+        for (GrantedAuthority a : list) {
+            if (a instanceof JaasGrantedAuthority) {
+                JaasGrantedAuthority grant = (JaasGrantedAuthority) a;
                 assertNotNull("Principal was null on JaasGrantedAuthority", grant.getPrincipal());
                 foundit = true;
             }

+ 6 - 16
core/src/test/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProviderTests.java

@@ -15,16 +15,14 @@
 
 package org.springframework.security.authentication.rcp;
 
-import junit.framework.TestCase;
+import java.util.Collection;
 
+import junit.framework.TestCase;
 
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.authentication.rcp.RemoteAuthenticationException;
-import org.springframework.security.authentication.rcp.RemoteAuthenticationManager;
-import org.springframework.security.authentication.rcp.RemoteAuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.GrantedAuthorityImpl;
+import org.springframework.security.core.authority.AuthorityUtils;
 
 
 /**
@@ -36,14 +34,6 @@ import org.springframework.security.core.authority.GrantedAuthorityImpl;
 public class RemoteAuthenticationProviderTests extends TestCase {
     //~ Methods ========================================================================================================
 
-    public static void main(String[] args) {
-        junit.textui.TestRunner.run(RemoteAuthenticationProviderTests.class);
-    }
-
-    public final void setUp() throws Exception {
-        super.setUp();
-    }
-
     public void testExceptionsGetPassedBackToCaller() {
         RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider();
         provider.setRemoteAuthenticationManager(new MockRemoteAuthenticationManager(false));
@@ -85,7 +75,7 @@ public class RemoteAuthenticationProviderTests extends TestCase {
         Authentication result = provider.authenticate(new UsernamePasswordAuthenticationToken("rod", "password"));
         assertEquals("rod", result.getPrincipal());
         assertEquals("password", result.getCredentials());
-        assertEquals("foo", result.getAuthorities().get(0).getAuthority());
+        assertTrue(AuthorityUtils.authorityListToSet(result.getAuthorities()).contains("foo"));
     }
 
     public void testSupports() {
@@ -102,10 +92,10 @@ public class RemoteAuthenticationProviderTests extends TestCase {
             this.grantAccess = grantAccess;
         }
 
-        public GrantedAuthority[] attemptAuthentication(String username, String password)
+        public Collection<GrantedAuthority> attemptAuthentication(String username, String password)
             throws RemoteAuthenticationException {
             if (grantAccess) {
-                return new GrantedAuthority[] {new GrantedAuthorityImpl("foo")};
+                return AuthorityUtils.createAuthorityList("foo");
             } else {
                 throw new RemoteAuthenticationException("as requested");
             }

+ 2 - 2
core/src/test/java/org/springframework/security/authentication/rememberme/RememberMeAuthenticationTokenTests.java

@@ -75,8 +75,8 @@ public class RememberMeAuthenticationTokenTests extends TestCase {
         assertEquals("key".hashCode(), token.getKeyHash());
         assertEquals("Test", token.getPrincipal());
         assertEquals("", token.getCredentials());
-        assertEquals("ROLE_ONE", token.getAuthorities().get(0).getAuthority());
-        assertEquals("ROLE_TWO", token.getAuthorities().get(1).getAuthority());
+        assertTrue(AuthorityUtils.authorityListToSet(token.getAuthorities()).contains("ROLE_ONE"));
+        assertTrue(AuthorityUtils.authorityListToSet(token.getAuthorities()).contains("ROLE_TWO"));
         assertTrue(token.isAuthenticated());
     }
 

+ 2 - 2
core/src/test/java/org/springframework/security/core/userdetails/UserTests.java

@@ -106,8 +106,8 @@ public class UserTests extends TestCase {
         assertEquals("rod", user.getUsername());
         assertEquals("koala", user.getPassword());
         assertTrue(user.isEnabled());
-        assertEquals(new GrantedAuthorityImpl("ROLE_ONE"), user.getAuthorities().get(0));
-        assertEquals(new GrantedAuthorityImpl("ROLE_TWO"), user.getAuthorities().get(1));
+        assertTrue(AuthorityUtils.authorityListToSet(user.getAuthorities()).contains("ROLE_ONE"));
+        assertTrue(AuthorityUtils.authorityListToSet(user.getAuthorities()).contains("ROLE_TWO"));
         assertTrue(user.toString().indexOf("rod") != -1);
     }
 

+ 6 - 14
core/src/test/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImplTests.java

@@ -15,14 +15,12 @@
 
 package org.springframework.security.core.userdetails.jdbc;
 
-import java.util.HashSet;
-
 import junit.framework.TestCase;
 
 import org.springframework.security.PopulatedDatabase;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
 
 
 /**
@@ -59,18 +57,15 @@ public class JdbcDaoImplTests extends TestCase {
         assertEquals("koala", user.getPassword());
         assertTrue(user.isEnabled());
 
-        HashSet<String> authorities = new HashSet<String>(2);
-        authorities.add(user.getAuthorities().get(0).getAuthority());
-        authorities.add(user.getAuthorities().get(1).getAuthority());
-        assertTrue(authorities.contains("ROLE_TELLER"));
-        assertTrue(authorities.contains("ROLE_SUPERVISOR"));
+        assertTrue(AuthorityUtils.authorityListToSet(user.getAuthorities()).contains("ROLE_TELLER"));
+        assertTrue(AuthorityUtils.authorityListToSet(user.getAuthorities()).contains("ROLE_SUPERVISOR"));
     }
 
     public void testCheckDaoOnlyReturnsGrantedAuthoritiesGrantedToUser() throws Exception {
         JdbcDaoImpl dao = makePopulatedJdbcDao();
         UserDetails user = dao.loadUserByUsername("scott");
-        assertEquals("ROLE_TELLER", user.getAuthorities().get(0).getAuthority());
         assertEquals(1, user.getAuthorities().size());
+        assertTrue(AuthorityUtils.authorityListToSet(user.getAuthorities()).contains("ROLE_TELLER"));
     }
 
     public void testCheckDaoReturnsCorrectDisabledProperty() throws Exception {
@@ -124,11 +119,8 @@ public class JdbcDaoImplTests extends TestCase {
         assertEquals("rod", user.getUsername());
         assertEquals(2, user.getAuthorities().size());
 
-        HashSet<String> authorities = new HashSet<String>(2);
-        authorities.add(user.getAuthorities().get(0).getAuthority());
-        authorities.add(user.getAuthorities().get(1).getAuthority());
-        assertTrue(authorities.contains("ARBITRARY_PREFIX_ROLE_TELLER"));
-        assertTrue(authorities.contains("ARBITRARY_PREFIX_ROLE_SUPERVISOR"));
+        assertTrue(AuthorityUtils.authorityListToSet(user.getAuthorities()).contains("ARBITRARY_PREFIX_ROLE_TELLER"));
+        assertTrue(AuthorityUtils.authorityListToSet(user.getAuthorities()).contains("ARBITRARY_PREFIX_ROLE_SUPERVISOR"));
     }
 
     public void testGroupAuthoritiesAreLoadedCorrectly() throws Exception {

+ 3 - 2
core/src/test/java/org/springframework/security/core/userdetails/memory/UserMapEditorTests.java

@@ -17,6 +17,7 @@ package org.springframework.security.core.userdetails.memory;
 
 import junit.framework.TestCase;
 
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.memory.UserMap;
 import org.springframework.security.core.userdetails.memory.UserMapEditor;
 
@@ -63,8 +64,8 @@ public class UserMapEditorTests extends TestCase {
         UserMap map = (UserMap) editor.getValue();
         assertEquals("rod", map.getUser("rod").getUsername());
         assertEquals("koala", map.getUser("rod").getPassword());
-        assertEquals("ROLE_ONE", map.getUser("rod").getAuthorities().get(0).getAuthority());
-        assertEquals("ROLE_TWO", map.getUser("rod").getAuthorities().get(1).getAuthority());
+        assertTrue(AuthorityUtils.authorityListToSet(map.getUser("rod").getAuthorities()).contains("ROLE_ONE"));
+        assertTrue(AuthorityUtils.authorityListToSet(map.getUser("rod").getAuthorities()).contains("ROLE_TWO"));
         assertTrue(map.getUser("rod").isEnabled());
     }
 

+ 3 - 3
ldap/src/main/java/org/springframework/security/ldap/authentication/LdapAuthenticationProvider.java

@@ -15,7 +15,7 @@
 
 package org.springframework.security.ldap.authentication;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -252,7 +252,7 @@ public class LdapAuthenticationProvider implements AuthenticationProvider, Messa
         try {
             DirContextOperations userData = getAuthenticator().authenticate(authentication);
 
-            List<GrantedAuthority> extraAuthorities = loadUserAuthorities(userData, username, password);
+            Collection<GrantedAuthority> extraAuthorities = loadUserAuthorities(userData, username, password);
 
             UserDetails user = userDetailsContextMapper.mapUserFromContext(userData, username, extraAuthorities);
 
@@ -273,7 +273,7 @@ public class LdapAuthenticationProvider implements AuthenticationProvider, Messa
         }
     }
 
-    protected List<GrantedAuthority> loadUserAuthorities(DirContextOperations userData, String username, String password) {
+    protected Collection<GrantedAuthority> loadUserAuthorities(DirContextOperations userData, String username, String password) {
         return getAuthoritiesPopulator().getGrantedAuthorities(userData, username);
     }
 

+ 2 - 2
ldap/src/main/java/org/springframework/security/ldap/authentication/NullLdapAuthoritiesPopulator.java

@@ -1,6 +1,6 @@
 package org.springframework.security.ldap.authentication;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.ldap.core.DirContextOperations;
 import org.springframework.security.core.GrantedAuthority;
@@ -14,7 +14,7 @@ import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
  * @since 3.0
  */
 public final class NullLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
-    public List<GrantedAuthority> getGrantedAuthorities(DirContextOperations userDetails, String username) {
+    public Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userDetails, String username) {
         return AuthorityUtils.NO_AUTHORITIES;
     }
 }

+ 2 - 2
ldap/src/main/java/org/springframework/security/ldap/authentication/UserDetailsServiceLdapAuthoritiesPopulator.java

@@ -1,6 +1,6 @@
 package org.springframework.security.ldap.authentication;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -25,7 +25,7 @@ public class UserDetailsServiceLdapAuthoritiesPopulator implements LdapAuthoriti
         this.userDetailsService = userService;
     }
 
-    public List<GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
+    public Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
         return userDetailsService.loadUserByUsername(username).getAuthorities();
     }
 }

+ 2 - 1
ldap/src/main/java/org/springframework/security/ldap/userdetails/DefaultLdapAuthoritiesPopulator.java

@@ -29,6 +29,7 @@ import org.apache.commons.logging.LogFactory;
 import javax.naming.directory.SearchControls;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
@@ -172,7 +173,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
      * @param user the user who's authorities are required
      * @return the set of roles granted to the user.
      */
-    public final List<GrantedAuthority> getGrantedAuthorities(DirContextOperations user, String username) {
+    public final Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations user, String username) {
         String userDn = user.getNameInNamespace();
 
         if (logger.isDebugEnabled()) {

+ 2 - 2
ldap/src/main/java/org/springframework/security/ldap/userdetails/InetOrgPersonContextMapper.java

@@ -14,7 +14,7 @@
  */
 package org.springframework.security.ldap.userdetails;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -29,7 +29,7 @@ import org.springframework.util.Assert;
  */
 public class InetOrgPersonContextMapper implements UserDetailsContextMapper {
 
-    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, List<GrantedAuthority> authorities) {
+    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<GrantedAuthority> authorities) {
         InetOrgPerson.Essence p = new InetOrgPerson.Essence(ctx);
 
         p.setUsername(username);

+ 2 - 2
ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapAuthoritiesPopulator.java

@@ -15,7 +15,7 @@
 
 package org.springframework.security.ldap.userdetails;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
 
@@ -43,5 +43,5 @@ public interface LdapAuthoritiesPopulator {
      * @return the granted authorities for the given user.
      *
      */
-    List<GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username);
+    Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username);
 }

+ 13 - 10
ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapUserDetailsImpl.java

@@ -16,7 +16,7 @@
 package org.springframework.security.ldap.userdetails;
 
 import java.util.ArrayList;
-import java.util.List;
+import java.util.Collection;
 
 import javax.naming.Name;
 
@@ -48,7 +48,7 @@ public class LdapUserDetailsImpl implements LdapUserDetails, PasswordPolicyData
     private String dn;
     private String password;
     private String username;
-    private List<GrantedAuthority> authorities = AuthorityUtils.NO_AUTHORITIES;
+    private Collection<GrantedAuthority> authorities = AuthorityUtils.NO_AUTHORITIES;
     private boolean accountNonExpired = true;
     private boolean accountNonLocked = true;
     private boolean credentialsNonExpired = true;
@@ -63,7 +63,7 @@ public class LdapUserDetailsImpl implements LdapUserDetails, PasswordPolicyData
 
     //~ Methods ========================================================================================================
 
-    public List<GrantedAuthority> getAuthorities() {
+    public Collection<GrantedAuthority> getAuthorities() {
         return authorities;
     }
 
@@ -104,7 +104,7 @@ public class LdapUserDetailsImpl implements LdapUserDetails, PasswordPolicyData
     }
 
     public String toString() {
-        StringBuffer sb = new StringBuffer();
+        StringBuilder sb = new StringBuilder();
         sb.append(super.toString()).append(": ");
         sb.append("Username: ").append(this.username).append("; ");
         sb.append("Password: [PROTECTED]; ");
@@ -115,13 +115,16 @@ public class LdapUserDetailsImpl implements LdapUserDetails, PasswordPolicyData
 
         if (this.getAuthorities() != null) {
             sb.append("Granted Authorities: ");
+            boolean first = true;
 
-            for (int i = 0; i < this.getAuthorities().size(); i++) {
-                if (i > 0) {
+            for (Object authority : this.getAuthorities()) {
+                if (first) {
+                    first = false;
+                } else {
                     sb.append(", ");
                 }
 
-                sb.append(this.getAuthorities().get(i).toString());
+                sb.append(authority.toString());
             }
         } else {
             sb.append("Not granted any authorities");
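Review bot: The rewritten loop declares its variable as `Object`, which discards the element type that `getAuthorities()` now returns. `for (GrantedAuthority authority : this.getAuthorities())` reads more clearly and keeps the compiler check. `sb.append(authority)` would also do in place of `sb.append(authority.toString())`, since StringBuilder renders a null element as text instead of throwing. toString() begins in the previous hunk and continues past this one.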
@@ -137,7 +140,7 @@ public class LdapUserDetailsImpl implements LdapUserDetails, PasswordPolicyData
      */
     public static class Essence {
         protected LdapUserDetailsImpl instance = createTarget();
-        private List<GrantedAuthority> mutableAuthorities = new ArrayList<GrantedAuthority>();
+        private Collection<GrantedAuthority> mutableAuthorities = new ArrayList<GrantedAuthority>();
 
         public Essence() { }
 
@@ -190,7 +193,7 @@ public class LdapUserDetailsImpl implements LdapUserDetails, PasswordPolicyData
             return newInstance;
         }
 
-        public List<GrantedAuthority> getGrantedAuthorities() {
+        public Collection<GrantedAuthority> getGrantedAuthorities() {
             return mutableAuthorities;
         }
 
@@ -202,7 +205,7 @@ public class LdapUserDetailsImpl implements LdapUserDetails, PasswordPolicyData
             instance.accountNonLocked = accountNonLocked;
         }
 
-        public void setAuthorities(List<GrantedAuthority> authorities) {
+        public void setAuthorities(Collection<GrantedAuthority> authorities) {
             mutableAuthorities = authorities;
         }
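Review bot: `setAuthorities` still assigns the caller's collection straight to `mutableAuthorities`, and with the parameter widened to `Collection` the caller may now hand in a shared or unmodifiable instance. If the builder later adds to that field (LdapUserDetailsMapper calls `essence.addAuthority(...)` elsewhere in this commit), it would either throw or silently change the caller's authorities. A defensive copy avoids both: `mutableAuthorities = new ArrayList<GrantedAuthority>(authorities);`. `getGrantedAuthorities()` in the preceding hunk returns the same field directly, so a copy or unmodifiable view there is worth considering too. The Essence class body extends beyond this hunk.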
 

+ 4 - 4
ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapUserDetailsManager.java

@@ -52,6 +52,7 @@ import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
 import javax.naming.ldap.LdapContext;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.ListIterator;
@@ -315,7 +316,7 @@ public class LdapUserDetailsManager implements UserDetailsManager {
         userDetailsMapper.mapUserToContext(user, ctx);
     }
 
-    protected void addAuthorities(DistinguishedName userDn, List<GrantedAuthority> authorities) {
+    protected void addAuthorities(DistinguishedName userDn, Collection<GrantedAuthority> authorities) {
         modifyAuthorities(userDn, authorities, DirContext.ADD_ATTRIBUTE);
     }
 
@@ -323,11 +324,10 @@ public class LdapUserDetailsManager implements UserDetailsManager {
         modifyAuthorities(userDn, authorities, DirContext.REMOVE_ATTRIBUTE);
     }
 
-    private void modifyAuthorities(final DistinguishedName userDn, final List<GrantedAuthority> authorities, final int modType) {
+    private void modifyAuthorities(final DistinguishedName userDn, final Collection<GrantedAuthority> authorities, final int modType) {
         template.executeReadWrite(new ContextExecutor() {
             public Object executeWithContext(DirContext ctx) throws NamingException {
-                for(int i=0; i < authorities.size(); i++) {
-                    GrantedAuthority authority = authorities.get(i);
+                for(GrantedAuthority authority : authorities) {
                     String group = convertAuthorityToGroup(authority);
                     DistinguishedName fullDn = LdapUtils.getFullDn(userDn, ctx);
                     ModificationItem addGroup = new ModificationItem(modType,
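Review bot: `addAuthorities` now accepts a `Collection`, but the signature of `removeAuthorities` sits just above this hunk and, going by the file's count of four added lines, appears to still take a `List`. Changing its parameter to `Collection<GrantedAuthority> authorities` would keep the two methods parallel and match what `modifyAuthorities` now expects. Inside the new loop, `LdapUtils.getFullDn(userDn, ctx)` does not depend on the authority and could be computed once before the `for`. The anonymous ContextExecutor continues past the end of the hunk.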

+ 4 - 4
ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapUserDetailsMapper.java

@@ -15,7 +15,7 @@
 
 package org.springframework.security.ldap.userdetails;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -46,7 +46,7 @@ public class LdapUserDetailsMapper implements UserDetailsContextMapper {
 
     //~ Methods ========================================================================================================
 
-    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, List<GrantedAuthority> authorities) {
+    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<GrantedAuthority> authorities) {
         String dn = ctx.getNameInNamespace();
 
         logger.debug("Mapping user details from context with DN: " + dn);
@@ -82,8 +82,8 @@ public class LdapUserDetailsMapper implements UserDetailsContextMapper {
 
         // Add the supplied authorities
 
-        for (int i=0; i < authorities.size(); i++) {
-            essence.addAuthority(authorities.get(i));
+        for (GrantedAuthority authority : authorities) {
+            essence.addAuthority(authority);
         }
 
         // Check for PPolicy data

+ 2 - 2
ldap/src/main/java/org/springframework/security/ldap/userdetails/PersonContextMapper.java

@@ -1,6 +1,6 @@
 package org.springframework.security.ldap.userdetails;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -14,7 +14,7 @@ import org.springframework.util.Assert;
  */
 public class PersonContextMapper implements UserDetailsContextMapper {
 
-    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, List<GrantedAuthority> authorities) {
+    public UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<GrantedAuthority> authorities) {
         Person.Essence p = new Person.Essence(ctx);
 
         p.setUsername(username);

+ 2 - 2
ldap/src/main/java/org/springframework/security/ldap/userdetails/UserDetailsContextMapper.java

@@ -14,7 +14,7 @@
  */
 package org.springframework.security.ldap.userdetails;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -39,7 +39,7 @@ public interface UserDetailsContextMapper {
      * @param authority the list of authorities which the user should be given.
      * @return the user object.
      */
-    UserDetails mapUserFromContext(DirContextOperations ctx, String username, List<GrantedAuthority> authority);
+    UserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<GrantedAuthority> authority);
 
     /**
      * Reverse of the above operation. Populates a context object from the supplied user object.
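Review bot: The `@param authority` text still calls the argument a "list", and now that any `Collection` is accepted the interface should say what implementers may assume about it. LdapUserDetailsMapperTests in this commit passes the shared constant `AuthorityUtils.NO_AUTHORITIES`, so an implementation that adds to the argument would presumably either fail or touch shared state. Suggested wording: `@param authority the authorities to grant to the user; may be empty, has no defined order and must not be modified`.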

+ 5 - 10
ldap/src/test/java/org/springframework/security/ldap/authentication/LdapAuthenticationProviderTests.java

@@ -17,8 +17,7 @@ package org.springframework.security.ldap.authentication;
 
 import static org.junit.Assert.*;
 
-import java.util.ArrayList;
-import java.util.List;
+import java.util.Collection;
 
 import org.jmock.Expectations;
 import org.jmock.Mockery;
@@ -128,12 +127,8 @@ public class LdapAuthenticationProviderTests {
         assertEquals("ben", user.getUsername());
         assertEquals("ben", populator.getRequestedUsername());
 
-        ArrayList<String> authorities = new ArrayList<String>();
-        authorities.add(user.getAuthorities().get(0).getAuthority());
-        authorities.add(user.getAuthorities().get(1).getAuthority());
-
-        assertTrue(authorities.contains("ROLE_FROM_ENTRY"));
-        assertTrue(authorities.contains("ROLE_FROM_POPULATOR"));
+        assertTrue(AuthorityUtils.authorityListToSet(user.getAuthorities()).contains("ROLE_FROM_ENTRY"));
+        assertTrue(AuthorityUtils.authorityListToSet(user.getAuthorities()).contains("ROLE_FROM_POPULATOR"));
     }
 
     @Test
@@ -157,7 +152,7 @@ public class LdapAuthenticationProviderTests {
         UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken("ben", "benspassword");
         UserDetails user = (UserDetails) ldapProvider.authenticate(authRequest).getPrincipal();
         assertEquals(1, user.getAuthorities().size());
-        assertEquals("ROLE_FROM_ENTRY", user.getAuthorities().get(0).getAuthority());
+        assertTrue(AuthorityUtils.authorityListToSet(user.getAuthorities()).contains("ROLE_FROM_ENTRY"));
     }
 
     //~ Inner Classes ==================================================================================================
@@ -189,7 +184,7 @@ public class LdapAuthenticationProviderTests {
     class MockAuthoritiesPopulator implements LdapAuthoritiesPopulator {
         String username;
 
-        public List<GrantedAuthority> getGrantedAuthorities(DirContextOperations userCtx, String username) {
+        public Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userCtx, String username) {
             this.username = username;
             return AuthorityUtils.createAuthorityList("ROLE_FROM_POPULATOR");
         }

+ 24 - 35
ldap/src/test/java/org/springframework/security/ldap/populator/DefaultLdapAuthoritiesPopulatorTests.java

@@ -16,19 +16,18 @@
 package org.springframework.security.ldap.populator;
 
 
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.ldap.AbstractLdapIntegrationTests;
-import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
-
-import org.springframework.ldap.core.DirContextAdapter;
-import org.springframework.ldap.core.DistinguishedName;
+import static org.junit.Assert.*;
 
-import java.util.HashSet;
-import java.util.List;
+import java.util.Collection;
 import java.util.Set;
 
-import static org.junit.Assert.*;
 import org.junit.Test;
+import org.springframework.ldap.core.DirContextAdapter;
+import org.springframework.ldap.core.DistinguishedName;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.ldap.AbstractLdapIntegrationTests;
+import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 
 
 /**
@@ -53,9 +52,9 @@ public class DefaultLdapAuthoritiesPopulatorTests extends AbstractLdapIntegratio
 
         DirContextAdapter ctx = new DirContextAdapter(new DistinguishedName("cn=notfound"));
 
-        List<GrantedAuthority> authorities = populator.getGrantedAuthorities(ctx, "notfound");
+        Collection<GrantedAuthority> authorities = populator.getGrantedAuthorities(ctx, "notfound");
         assertEquals(1, authorities.size());
-        assertEquals("ROLE_USER", authorities.get(0).getAuthority());
+        assertTrue(AuthorityUtils.authorityListToSet(authorities).contains("ROLE_USER"));
     }
 
     @Test
@@ -69,15 +68,12 @@ public class DefaultLdapAuthoritiesPopulatorTests extends AbstractLdapIntegratio
 
         DirContextAdapter ctx = new DirContextAdapter(new DistinguishedName("uid=ben,ou=people,dc=springframework,dc=org"));
 
-        List<GrantedAuthority> authorities = populator.getGrantedAuthorities(ctx, "ben");
+        Set<String> authorities = AuthorityUtils.authorityListToSet(populator.getGrantedAuthorities(ctx, "ben"));
 
         assertEquals("Should have 2 roles", 2, authorities.size());
 
-        Set<String> roles = new HashSet<String>();
-        roles.add(authorities.get(0).toString());
-        roles.add(authorities.get(1).toString());
-        assertTrue(roles.contains("ROLE_DEVELOPER"));
-        assertTrue(roles.contains("ROLE_MANAGER"));
+        assertTrue(authorities.contains("ROLE_DEVELOPER"));
+        assertTrue(authorities.contains("ROLE_MANAGER"));
     }
 
     @Test
@@ -88,10 +84,10 @@ public class DefaultLdapAuthoritiesPopulatorTests extends AbstractLdapIntegratio
 
         DirContextAdapter ctx = new DirContextAdapter(new DistinguishedName("uid=ben,ou=people,dc=springframework,dc=org"));
 
-        List<GrantedAuthority> authorities = populator.getGrantedAuthorities(ctx, "manager");
+        Set<String> authorities = AuthorityUtils.authorityListToSet(populator.getGrantedAuthorities(ctx, "manager"));
 
         assertEquals("Should have 1 role", 1, authorities.size());
-        assertEquals("ROLE_MANAGER", authorities.get(0).getAuthority());
+        assertTrue(authorities.contains("ROLE_MANAGER"));
     }
 
     @Test
@@ -101,14 +97,11 @@ public class DefaultLdapAuthoritiesPopulatorTests extends AbstractLdapIntegratio
 
         DirContextAdapter ctx = new DirContextAdapter(new DistinguishedName("uid=ben,ou=people,dc=springframework,dc=org"));
 
-        List<GrantedAuthority> authorities = populator.getGrantedAuthorities(ctx, "manager");
+        Set<String> authorities = AuthorityUtils.authorityListToSet(populator.getGrantedAuthorities(ctx, "manager"));
 
         assertEquals("Should have 2 roles", 2, authorities.size());
-        Set<String> roles = new HashSet<String>(2);
-        roles.add(authorities.get(0).getAuthority());
-        roles.add(authorities.get(1).getAuthority());
-        assertTrue(roles.contains("ROLE_MANAGER"));
-        assertTrue(roles.contains("ROLE_DEVELOPER"));
+        assertTrue(authorities.contains("ROLE_MANAGER"));
+        assertTrue(authorities.contains("ROLE_DEVELOPER"));
     }
 
     @Test
@@ -119,16 +112,12 @@ public class DefaultLdapAuthoritiesPopulatorTests extends AbstractLdapIntegratio
 
         DirContextAdapter ctx = new DirContextAdapter(new DistinguishedName("uid=ben,ou=people,dc=springframework,dc=org"));
 
-        List<GrantedAuthority> authorities = populator.getGrantedAuthorities(ctx, "manager");
+        Set<String> authorities = AuthorityUtils.authorityListToSet(populator.getGrantedAuthorities(ctx, "manager"));
 
         assertEquals("Should have 3 roles", 3, authorities.size());
-        Set<String> roles = new HashSet<String>(3);
-        roles.add(authorities.get(0).getAuthority());
-        roles.add(authorities.get(1).getAuthority());
-        roles.add(authorities.get(2).getAuthority());
-        assertTrue(roles.contains("ROLE_MANAGER"));
-        assertTrue(roles.contains("ROLE_DEVELOPER"));
-        assertTrue(roles.contains("ROLE_SUBMANAGER"));
+        assertTrue(authorities.contains("ROLE_MANAGER"));
+        assertTrue(authorities.contains("ROLE_SUBMANAGER"));
+        assertTrue(authorities.contains("ROLE_DEVELOPER"));
     }
 
     @Test
@@ -139,9 +128,9 @@ public class DefaultLdapAuthoritiesPopulatorTests extends AbstractLdapIntegratio
 
         DirContextAdapter ctx = new DirContextAdapter(new DistinguishedName("cn=mouse\\, jerry,ou=people,dc=springframework,dc=org"));
 
-        List<GrantedAuthority> authorities = populator.getGrantedAuthorities(ctx, "notused");
+        Set<String> authorities = AuthorityUtils.authorityListToSet(populator.getGrantedAuthorities(ctx, "notused"));
 
         assertEquals("Should have 1 role", 1, authorities.size());
-        assertEquals("ROLE_MANAGER", authorities.get(0).getAuthority());
+        assertTrue(authorities.contains("ROLE_MANAGER"));
     }
 }

+ 4 - 4
ldap/src/test/java/org/springframework/security/ldap/populator/UserDetailsServiceLdapAuthoritiesPopulatorTests.java

@@ -1,9 +1,9 @@
 package org.springframework.security.ldap.populator;
 
-import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.*;
 import static org.mockito.Mockito.*;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.junit.Test;
 import org.springframework.ldap.core.DirContextAdapter;
@@ -27,9 +27,9 @@ public class UserDetailsServiceLdapAuthoritiesPopulatorTests {
         when(user.getAuthorities()).thenReturn(AuthorityUtils.createAuthorityList("ROLE_USER"));
 
         UserDetailsServiceLdapAuthoritiesPopulator populator = new UserDetailsServiceLdapAuthoritiesPopulator(uds);
-        List<GrantedAuthority> auths =  populator.getGrantedAuthorities(new DirContextAdapter(), "joe");
+        Collection<GrantedAuthority> auths =  populator.getGrantedAuthorities(new DirContextAdapter(), "joe");
 
         assertEquals(1, auths.size());
-        assertEquals("ROLE_USER", auths.get(0).getAuthority());
+        assertTrue(AuthorityUtils.authorityListToSet(auths).contains("ROLE_USER"));
     }
 }

+ 1 - 4
ldap/src/test/java/org/springframework/security/ldap/userdetails/LdapUserDetailsMapperTests.java

@@ -23,9 +23,6 @@ import junit.framework.TestCase;
 import org.springframework.ldap.core.DirContextAdapter;
 import org.springframework.ldap.core.DistinguishedName;
 import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.ldap.userdetails.LdapUserDetails;
-import org.springframework.security.ldap.userdetails.LdapUserDetailsImpl;
-import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
 
 /**
  * Tests {@link LdapUserDetailsMapper}.
@@ -69,7 +66,7 @@ public class LdapUserDetailsMapperTests extends TestCase {
         LdapUserDetailsImpl user = (LdapUserDetailsImpl) mapper.mapUserFromContext(ctx, "ani", AuthorityUtils.NO_AUTHORITIES);
 
         assertEquals(1, user.getAuthorities().size());
-        assertEquals("ROLE_X", user.getAuthorities().get(0).getAuthority());
+        assertTrue(AuthorityUtils.authorityListToSet(user.getAuthorities()).contains("ROLE_X"));
     }
 
     public void testPasswordAttributeIsMappedCorrectly() throws Exception {

+ 2 - 2
ldap/src/test/java/org/springframework/security/ldap/userdetails/LdapUserDetailsServiceTests.java

@@ -2,7 +2,7 @@ package org.springframework.security.ldap.userdetails;
 
 import static org.junit.Assert.*;
 
-import java.util.List;
+import java.util.Collection;
 import java.util.Set;
 
 import org.junit.Test;
@@ -58,7 +58,7 @@ public class LdapUserDetailsServiceTests {
     }
 
     class MockAuthoritiesPopulator implements LdapAuthoritiesPopulator {
-        public List<GrantedAuthority> getGrantedAuthorities(DirContextOperations userCtx, String username) {
+        public Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations userCtx, String username) {
             return AuthorityUtils.createAuthorityList("ROLE_FROM_POPULATOR");
         }
     }

+ 2 - 1
openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java

@@ -15,6 +15,7 @@
 package org.springframework.security.openid;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
@@ -55,7 +56,7 @@ public class OpenIDAuthenticationToken extends AbstractAuthenticationToken {
      * used by the <tt>OpenIDAuthenticationProvider</tt>.
      *
      */
-    public OpenIDAuthenticationToken(Object principal, List<GrantedAuthority> authorities,
+    public OpenIDAuthenticationToken(Object principal, Collection<GrantedAuthority> authorities,
             String identityUrl, List<OpenIDAttribute> attributes) {
         super(authorities);
         this.principal = principal;

+ 2 - 10
web/src/main/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationToken.java

@@ -1,7 +1,6 @@
 package org.springframework.security.web.authentication.preauth;
 
-import java.util.Arrays;
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
@@ -39,13 +38,6 @@ public class PreAuthenticatedAuthenticationToken extends AbstractAuthenticationT
         this.credentials = aCredentials;
     }
 
-    /**
-     *
-     * @deprecated
-     */
-    public PreAuthenticatedAuthenticationToken(Object aPrincipal, Object aCredentials, GrantedAuthority[] anAuthorities) {
-        this(aPrincipal, aCredentials, Arrays.asList(anAuthorities));
-    }
 
     /**
      * Constructor used for an authentication response. The {@link
@@ -57,7 +49,7 @@ public class PreAuthenticatedAuthenticationToken extends AbstractAuthenticationT
      * @param anAuthorities
      *            The granted authorities
      */
-    public PreAuthenticatedAuthenticationToken(Object aPrincipal, Object aCredentials, List<GrantedAuthority> anAuthorities) {
+    public PreAuthenticatedAuthenticationToken(Object aPrincipal, Object aCredentials, Collection<GrantedAuthority> anAuthorities) {
         super(anAuthorities);
         this.principal = aPrincipal;
         this.credentials = aCredentials;

+ 2 - 2
web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserAuthorityChanger.java

@@ -1,6 +1,6 @@
 package org.springframework.security.web.authentication.switchuser;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -28,5 +28,5 @@ public interface SwitchUserAuthorityChanger {
      *
      * @return the modified list of granted authorities.
      */
-    List<GrantedAuthority> modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, List<GrantedAuthority> authoritiesToBeGranted);
+    Collection<GrantedAuthority> modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, Collection<GrantedAuthority> authoritiesToBeGranted);
 }
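Review bot: The Javadoc for `modifyGrantedAuthorities` still describes a "list" and leaves the contract of this privilege-changing hook unstated. In the SwitchUserProcessingFilter hunk the value obtained from `targetUser.getAuthorities()` appears to be what gets passed in. An implementation that edits the argument in place could therefore alter the target user's own authorities. I would document it as `@return the authorities to grant to the switched user, never null; implementations must not modify authoritiesToBeGranted`. The Javadoc block starts outside this hunk.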

+ 3 - 2
web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserProcessingFilter.java

@@ -17,6 +17,7 @@ package org.springframework.security.web.authentication.switchuser;
 
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 
 import javax.servlet.FilterChain;
@@ -290,7 +291,7 @@ public class SwitchUserProcessingFilter extends GenericFilterBean implements App
         GrantedAuthority switchAuthority = new SwitchUserGrantedAuthority(ROLE_PREVIOUS_ADMINISTRATOR, currentAuth);
 
         // get the original authorities
-        List<GrantedAuthority> orig = targetUser.getAuthorities();
+        Collection<GrantedAuthority> orig = targetUser.getAuthorities();
 
         // Allow subclasses to change the authorities to be granted
         if (switchUserAuthorityChanger != null) {
@@ -323,7 +324,7 @@ public class SwitchUserProcessingFilter extends GenericFilterBean implements App
         Authentication original = null;
 
         // iterate over granted authorities and find the 'switch user' authority
-        List<GrantedAuthority> authorities = current.getAuthorities();
+        Collection<GrantedAuthority> authorities = current.getAuthorities();
 
         for (GrantedAuthority auth : authorities) {
             // check for switch user type of authority
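Review bot: The for-each over `authorities` runs directly on the result of `current.getAuthorities()` with no null guard, while SecurityContextHolderAwareRequestWrapper in this same commit checks `if (authorities == null)` after the same call. If an Authentication implementation can return null, this loop throws a NullPointerException while looking for the original user of a switched session. Either wrap the loop in `if (authorities != null) { ... }` or document on `Authentication.getAuthorities()` that it never returns null, so that both call sites follow one contract. The enclosing method starts and ends outside the hunk.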

+ 2 - 2
web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java

@@ -17,7 +17,7 @@ package org.springframework.security.web.servletapi;
 
 
 import java.security.Principal;
-import java.util.List;
+import java.util.Collection;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
@@ -128,7 +128,7 @@ public class SecurityContextHolderAwareRequestWrapper extends HttpServletRequest
             return false;
         }
 
-        List<GrantedAuthority> authorities = auth.getAuthorities();
+        Collection<GrantedAuthority> authorities = auth.getAuthorities();
 
         if (authorities == null) {
             return false;

+ 2 - 10
web/src/test/java/org/springframework/security/web/authentication/AnonymousProcessingFilterTests.java

@@ -33,6 +33,7 @@ import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.authority.GrantedAuthorityImpl;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.memory.UserAttribute;
@@ -45,15 +46,6 @@ import org.springframework.security.core.userdetails.memory.UserAttribute;
  * @version $Id$
  */
 public class AnonymousProcessingFilterTests extends TestCase {
-    //~ Constructors ===================================================================================================
-
-    public AnonymousProcessingFilterTests() {
-        super();
-    }
-
-    public AnonymousProcessingFilterTests(String arg0) {
-        super(arg0);
-    }
 
     //~ Methods ========================================================================================================
 
@@ -164,7 +156,7 @@ public class AnonymousProcessingFilterTests extends TestCase {
 
         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
         assertEquals("anonymousUsername", auth.getPrincipal());
-        assertEquals(new GrantedAuthorityImpl("ROLE_ANONYMOUS"), auth.getAuthorities().get(0));
+        assertTrue(AuthorityUtils.authorityListToSet(auth.getAuthorities()).contains("ROLE_ANONYMOUS"));
         SecurityContextHolder.getContext().setAuthentication(null); // so anonymous fires again
 
         // Now test operation if we have removeAfterRequest = true
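Review bot: The new assertion only checks that `ROLE_ANONYMOUS` is contained in the authorities, so the test still passes if the anonymous token picks up extra authorities. Assuming the filter is configured with that single role (the setup is outside the hunk), add `assertEquals(1, auth.getAuthorities().size());` before the `assertTrue`, so the test pins the exact authority set granted to anonymous requests. The test method starts and ends outside the hunk.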

+ 2 - 1
web/src/test/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationTokenTests.java

@@ -1,5 +1,6 @@
 package org.springframework.security.web.authentication.preauth;
 
+import java.util.Collection;
 import java.util.List;
 
 import junit.framework.TestCase;
@@ -47,7 +48,7 @@ public class PreAuthenticatedAuthenticationTokenTests extends TestCase {
         assertEquals(credentials, token.getCredentials());
         assertNull(token.getDetails());
         assertNotNull(token.getAuthorities());
-        List<GrantedAuthority> resultColl = token.getAuthorities();
+        Collection<GrantedAuthority> resultColl = token.getAuthorities();
         assertTrue("GrantedAuthority collections do not match; result: " + resultColl + ", expected: " + gas,
                 gas.containsAll(resultColl) && resultColl.containsAll(gas));
 

+ 3 - 2
web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserProcessingFilterTests.java

@@ -19,6 +19,7 @@ import static org.junit.Assert.*;
 import static org.mockito.Mockito.*;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 
 import javax.servlet.FilterChain;
@@ -368,7 +369,7 @@ public class SwitchUserProcessingFilterTests {
         SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
         filter.setUserDetailsService(new MockUserDetailsService());
         filter.setSwitchUserAuthorityChanger(new SwitchUserAuthorityChanger() {
-            public List<GrantedAuthority> modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, List<GrantedAuthority> authoritiesToBeGranted) {
+            public Collection<GrantedAuthority> modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, Collection<GrantedAuthority> authoritiesToBeGranted) {
                 List <GrantedAuthority>auths = new ArrayList<GrantedAuthority>();
                 auths.add(new GrantedAuthorityImpl("ROLE_NEW"));
                 return auths;
@@ -378,7 +379,7 @@ public class SwitchUserProcessingFilterTests {
         Authentication result = filter.attemptSwitchUser(request);
         assertTrue(result != null);
         assertEquals(2, result.getAuthorities().size());
-        assertEquals("ROLE_NEW", result.getAuthorities().get(0).getAuthority());
+        assertTrue(AuthorityUtils.authorityListToSet(result.getAuthorities()).contains("ROLE_NEW"));
     }