diff --git a/core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserAuthorityChanger.java b/core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserAuthorityChanger.java
index f8b01c5223..a5f386923f 100644
--- a/core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserAuthorityChanger.java
+++ b/core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserAuthorityChanger.java
@@ -25,6 +25,8 @@ public interface SwitchUserAuthorityChanger {
      * @param currentAuthentication the current Authentication of the principal performing the switching
      * @param authoritiesToBeGranted all {@link GrantedAuthority} instances to be granted to the user,
      * excluding the special "switch user" authority that is used internally (guaranteed never null)
+
+     * @return the modified list of granted authorities.
      */
-    void modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, List authoritiesToBeGranted);
+    List modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, List authoritiesToBeGranted);
 }
diff --git a/core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilter.java b/core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilter.java
index 98e2c11f89..8f06db7769 100644
--- a/core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilter.java
+++ b/core/src/main/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilter.java
@@ -25,6 +25,7 @@ import org.springframework.security.DisabledException;
 import org.springframework.security.GrantedAuthority;
 import org.springframework.security.LockedException;
 import org.springframework.security.util.RedirectUtils;
+import org.springframework.security.util.AuthorityUtils;
 import org.springframework.security.context.SecurityContextHolder;
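Review bot: The new `@return` Javadoc on `modifyGrantedAuthorities` does not say whether an implementation may return null, or whether it may hand back the `authoritiesToBeGranted` list itself after mutating it, and the filter side of this same commit copies the returned list with `new ArrayList(orig)` and no null check, so a null return surfaces as a NullPointerException at switch time. Because the returned list now fully determines the privileges of the impersonation session (the filter only appends its own switch-user authority afterwards), the contract should pin that down: `@return the authorities to grant to the switched-to user; must not be null and should not contain the internal "switch user" authority, which the filter appends itself`. Changing the return type from `void` to `List` is also a source-incompatible change for every existing implementor of this public interface, which deserves a note in the release notes or a `@since` tag.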
@@ -283,15 +284,15 @@ public class SwitchUserProcessingFilter extends SpringSecurityFilter implements
         // Allow subclasses to change the authorities to be granted
         if (switchUserAuthorityChanger != null) {
-            switchUserAuthorityChanger.modifyGrantedAuthorities(targetUser, currentAuth, orig);
+            orig = switchUserAuthorityChanger.modifyGrantedAuthorities(targetUser, currentAuth, orig);
         }
         // add the new switch user authority
         List newAuths = new ArrayList(orig);
         newAuths.add(switchAuthority);
-        GrantedAuthority[] authorities = {};
-        authorities = (GrantedAuthority[]) newAuths.toArray(authorities);
+        GrantedAuthority[] authorities =
+            (GrantedAuthority[]) newAuths.toArray(new GrantedAuthority[newAuths.size()]);
         // create the new authentication token
         targetUserRequest = new UsernamePasswordAuthenticationToken(targetUser, targetUser.getPassword(), authorities);
diff --git a/core/src/test/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilterTests.java b/core/src/test/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilterTests.java
index d548b2d6c7..b859888572 100644
--- a/core/src/test/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilterTests.java
+++ b/core/src/test/java/org/springframework/security/ui/switchuser/SwitchUserProcessingFilterTests.java
@@ -41,6 +41,9 @@ import org.springframework.dao.DataAccessException;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import java.util.List;
+import java.util.ArrayList;
+
 /**
  * Tests {@link org.springframework.security.ui.switchuser.SwitchUserProcessingFilter}.
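Review bot: The list returned by `switchUserAuthorityChanger.modifyGrantedAuthorities` replaces `orig` and is copied two lines later with `new ArrayList(orig)` without any check, so an implementation that returns null (easy to do when porting a changer written against the previous `void` signature) now aborts the switch with a NullPointerException instead of a meaningful error. Since this list now decides the entire authority set of the impersonation token, I would fail explicitly right after the call: `Assert.notNull(orig, "SwitchUserAuthorityChanger must not return null");` if `org.springframework.util.Assert` is already imported in this file, otherwise `if (orig == null) { throw new IllegalStateException("SwitchUserAuthorityChanger returned null"); }`. The `AuthorityUtils` import added in the earlier hunk of this file is not referenced by anything in the visible hunks; if nothing else in the file uses it, it should be dropped. The enclosing method starts and ends outside this hunk.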
@@ -400,6 +403,30 @@ public class SwitchUserProcessingFilterTests extends TestCase {
         assertEquals("jacklord", ((User) targetAuth.getPrincipal()).getUsername());
     }
+    public void testModificationOfAuthoritiesWorks() {
+        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
+        SecurityContextHolder.getContext().setAuthentication(auth);
+
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.addParameter(SwitchUserProcessingFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, "jacklord");
+
+        SwitchUserProcessingFilter filter = new SwitchUserProcessingFilter();
+        filter.setUserDetailsService(new MockAuthenticationDaoUserJackLord());
+        filter.setSwitchUserAuthorityChanger(new SwitchUserAuthorityChanger() {
+            public List modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, List authoritiesToBeGranted) {
+                List auths = new ArrayList();
+                auths.add(new GrantedAuthorityImpl("ROLE_NEW"));
+                return auths;
+            }
+        });
+
+        Authentication result = filter.attemptSwitchUser(request);
+        assertTrue(result != null);
+        assertEquals(2, result.getAuthorities().length);
+        assertEquals("ROLE_NEW", result.getAuthorities()[0].getAuthority());
+    }
+
+
     //~ Inner Classes ==================================================================================================
     private class MockAuthenticationDaoUserJackLord implements UserDetailsService {
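Review bot: `testModificationOfAuthoritiesWorks` only checks that two authorities come back and that index 0 is `ROLE_NEW`; it never asserts that index 1 is the internal switch-user authority the filter appends, which is the property that guarantees the administrator can still switch back when a changer replaces the whole list, so a regression that dropped it would still pass. Add an assertion on `result.getAuthorities()[1]` against the name or type of that authority (it is defined in the filter and not visible in this hunk). `assertTrue(result != null)` reads better as `assertNotNull(result)`. The test also leaves the `dano` authentication in `SecurityContextHolder` when it finishes; if the class has no `tearDown` clearing the context, end the test with `SecurityContextHolder.clearContext();` so later tests do not inherit it.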