Addition of final to constructor set fields to improve immutability of authentication and user objects

core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java

@@ -33,11 +33,10 @@ import org.springframework.security.core.GrantedAuthority;
 public class RunAsUserToken extends AbstractAuthenticationToken {
     //~ Instance fields ================================================================================================
 
-    private static final long serialVersionUID = 1L;
+    private final Class<? extends Authentication> originalAuthentication;
-    private Class<? extends Authentication> originalAuthentication;
+    private final Object credentials;
-    private Object credentials;
+    private final Object principal;
-    private Object principal;
+    private final int keyHash;
-    private int keyHash;
 
     //~ Constructors ===================================================================================================
 

core/src/main/java/org/springframework/security/authentication/AbstractAuthenticationToken.java

@@ -37,7 +37,7 @@ public abstract class AbstractAuthenticationToken implements Authentication {
     //~ Instance fields ================================================================================================
 
     private Object details;
-    private List<GrantedAuthority> authorities;
+    private final List<GrantedAuthority> authorities;
     private boolean authenticated = false;
 
     //~ Constructors ===================================================================================================
@@ -53,7 +53,9 @@ public abstract class AbstractAuthenticationToken implements Authentication {
      *                    presented if the principal has not been authenticated).
      */
     public AbstractAuthenticationToken(List<GrantedAuthority> authorities) {
-        if (authorities != null) {
+        if (authorities == null) {
+            this.authorities = null;
+        } else {
             for (int i = 0; i < authorities.size(); i++) {
                 if(authorities.get(i) == null) {
                     throw new IllegalArgumentException("Granted authority element " + i

core/src/main/java/org/springframework/security/authentication/AnonymousAuthenticationToken.java

@@ -33,8 +33,8 @@ public class AnonymousAuthenticationToken extends AbstractAuthenticationToken im
     //~ Instance fields ================================================================================================
 
     private static final long serialVersionUID = 1L;
-    private Object principal;
+    private final Object principal;
-    private int keyHash;
+    private final int keyHash;
 
     //~ Constructors ===================================================================================================
 

core/src/main/java/org/springframework/security/authentication/RememberMeAuthenticationToken.java

@@ -23,8 +23,10 @@ import org.springframework.security.core.GrantedAuthority;
 
 
 /**
- * Represents a remembered <code>Authentication</code>.<p>A remembered <code>Authentication</code> must provide a
+ * Represents a remembered <code>Authentication</code>.
- * fully valid <code>Authentication</code>, including the <code>GrantedAuthority</code>[]s that apply.</p>
+ * <p>
+ * A remembered <code>Authentication</code> must provide a fully valid <code>Authentication</code>, including the
+ * <code>GrantedAuthority</code>s that apply.
  *
  * @author Ben Alex
  * @version $Id$
@@ -32,9 +34,8 @@ import org.springframework.security.core.GrantedAuthority;
 public class RememberMeAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
     //~ Instance fields ================================================================================================
 
-    private static final long serialVersionUID = 1L;
+    private final Object principal;
-    private Object principal;
+    private final int keyHash;
-    private int keyHash;
 
     //~ Constructors ===================================================================================================
 

core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java

@@ -35,9 +35,8 @@ import org.springframework.security.core.GrantedAuthority;
 public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken {
     //~ Instance fields ================================================================================================
 
-    private static final long serialVersionUID = 1L;
+    private final Object credentials;
-    private Object credentials;
+    private final Object principal;
-    private Object principal;
 
     //~ Constructors ===================================================================================================
 
@@ -91,7 +90,7 @@ public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationT
     public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
         if (isAuthenticated) {
             throw new IllegalArgumentException(
-                "Cannot set this token to trusted - use constructor containing GrantedAuthority[]s instead");
+                "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
         }
 
         super.setAuthenticated(false);

core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationToken.java

@@ -32,8 +32,7 @@ import javax.security.auth.login.LoginContext;
 public class JaasAuthenticationToken extends UsernamePasswordAuthenticationToken {
     //~ Instance fields ================================================================================================
 
-    private static final long serialVersionUID = 1L;
+    private final transient LoginContext loginContext;
-    private transient LoginContext loginContext = null;
 
     //~ Constructors ===================================================================================================
 

core/src/main/java/org/springframework/security/authentication/preauth/PreAuthenticatedAuthenticationToken.java

@@ -15,9 +15,8 @@ import org.springframework.security.core.GrantedAuthority;
  * @since 2.0
  */
 public class PreAuthenticatedAuthenticationToken extends AbstractAuthenticationToken {
-    private Object principal;
+    private final Object principal;
-
+    private final Object credentials;
-    private Object credentials;
 
     /**
      * Constructor used for an authentication request. The {@link

core/src/main/java/org/springframework/security/core/userdetails/User.java

@@ -26,24 +26,24 @@ import org.springframework.security.core.GrantedAuthority;
 import org.springframework.util.Assert;
 
 /**
- * Models core user information retieved by an {@link UserDetailsService}.<p>Implemented with value object
+ * Models core user information retrieved by a {@link UserDetailsService}.
- * semantics (immutable after construction, like a <code>String</code>). Developers may use this class directly,
+ * <p>
- * subclass it, or write their own {@link UserDetails} implementation from scratch.</p>
+ * Implemented with value object semantics (immutable after construction, like a <code>String</code>).
+ * Developers may use this class directly, subclass it, or write their own {@link UserDetails} implementation from
+ * scratch.
  *
  * @author Ben Alex
  * @version $Id$
  */
 public class User implements UserDetails {
     //~ Instance fields ================================================================================================
-
+    private final String password;
-    private static final long serialVersionUID = 1L;
+    private final String username;
-    private String password;
+    private final List<GrantedAuthority> authorities;
-    private String username;
+    private final boolean accountNonExpired;
-    private List<GrantedAuthority> authorities;
+    private final boolean accountNonLocked;
-    private boolean accountNonExpired;
+    private final boolean credentialsNonExpired;
-    private boolean accountNonLocked;
+    private final boolean enabled;
-    private boolean credentialsNonExpired;
-    private boolean enabled;
 
     //~ Constructors ===================================================================================================
 
@@ -92,7 +92,7 @@ public class User implements UserDetails {
         this.accountNonExpired = accountNonExpired;
         this.credentialsNonExpired = credentialsNonExpired;
         this.accountNonLocked = accountNonLocked;
-        setAuthorities(authorities);
+        this.authorities = Collections.unmodifiableList(sortAuthorities(authorities));
     }
 
     //~ Methods ========================================================================================================
@@ -182,7 +182,7 @@ public class User implements UserDetails {
         return enabled;
     }
 
-    protected void setAuthorities(List<GrantedAuthority> authorities) {
+    private static List<GrantedAuthority> sortAuthorities(List<GrantedAuthority> authorities) {
         Assert.notNull(authorities, "Cannot pass a null GrantedAuthority array");
         // Ensure array iteration order is predictable (as per UserDetails.getAuthorities() contract and SEC-xxx)
         SortedSet<GrantedAuthority> sorter = new TreeSet<GrantedAuthority>();
@@ -195,7 +195,7 @@ public class User implements UserDetails {
         List<GrantedAuthority> sortedAuthorities = new ArrayList<GrantedAuthority>(sorter.size());
         sortedAuthorities.addAll(sorter);
 
-        this.authorities = Collections.unmodifiableList(sortedAuthorities);
+        return sortedAuthorities;
     }
 
     public String toString() {

openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java

@@ -29,9 +29,9 @@ import org.springframework.security.core.GrantedAuthority;
 public class OpenIDAuthenticationToken extends AbstractAuthenticationToken {
     //~ Instance fields ================================================================================================
 
-    private OpenIDAuthenticationStatus status;
+    private final OpenIDAuthenticationStatus status;
-    private String identityUrl;
+    private final String identityUrl;
-    private String message;
+    private final String message;
 
     //~ Constructors ===================================================================================================
 
@@ -52,6 +52,7 @@ public class OpenIDAuthenticationToken extends AbstractAuthenticationToken {
         super(authorities);
         this.status = status;
         this.identityUrl = identityUrl;
+        this.message = null;
 
         setAuthenticated(true);
     }