SEC-1257: APIs using List<ConfigAttribute> should use a Collection instead. Converted.

16 years ago · f213cc5d9e
53 changed files with 181 additions and 175 deletions
--- a/acl/src/main/java/org/springframework/security/acls/AclEntryVoter.java
+++ b/acl/src/main/java/org/springframework/security/acls/AclEntryVoter.java
@ -17,6 +17,7 @@ package org.springframework.security.acls;
				@@ -17,6 +17,7 @@ package org.springframework.security.acls;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.List;

 import org.apache.commons.logging.Log;
@ -152,7 +153,7 @@ public class AclEntryVoter extends AbstractAclVoter {
				@@ -152,7 +153,7 @@ public class AclEntryVoter extends AbstractAclVoter {
        }
    }

-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {

        for(ConfigAttribute attr : attributes) {

--- a/acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProvider.java
+++ b/acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProvider.java
@ -73,7 +73,7 @@ public class AclEntryAfterInvocationCollectionFilteringProvider extends Abstract
				@@ -73,7 +73,7 @@ public class AclEntryAfterInvocationCollectionFilteringProvider extends Abstract
    //~ Methods ========================================================================================================

    @SuppressWarnings("unchecked")
-    public Object decide(Authentication authentication, Object object, List<ConfigAttribute> config,
+    public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config,
            Object returnedObject) throws AccessDeniedException {

        if (returnedObject == null) {
--- a/acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProvider.java
+++ b/acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProvider.java
@ -14,6 +14,7 @@
				@@ -14,6 +14,7 @@
 */
 package org.springframework.security.acls.afterinvocation;

+import java.util.Collection;
 import java.util.List;

 import org.apache.commons.logging.Log;
@ -75,7 +76,7 @@ public class AclEntryAfterInvocationProvider extends AbstractAclProvider impleme
				@@ -75,7 +76,7 @@ public class AclEntryAfterInvocationProvider extends AbstractAclProvider impleme

    //~ Methods ========================================================================================================

-    public Object decide(Authentication authentication, Object object, List<ConfigAttribute> config,
+    public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config,
            Object returnedObject) throws AccessDeniedException {

        if (returnedObject == null) {
--- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@ -7,8 +7,6 @@ import java.util.ArrayList;
				@@ -7,8 +7,6 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;

-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.BeanMetadataElement;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.BeanReference;
@ -59,8 +57,6 @@ import org.w3c.dom.Element;
				@@ -59,8 +57,6 @@ import org.w3c.dom.Element;
 * @since 3.0
 */
 class HttpConfigurationBuilder {
-    private final Log logger = LogFactory.getLog(getClass());
-
    private static final String ATT_CREATE_SESSION = "create-session";
    private static final String OPT_CREATE_SESSION_NEVER = "never";
    private static final String DEF_CREATE_SESSION_IF_REQUIRED = "ifRequired";
--- a/config/src/test/java/org/springframework/security/config/MockAfterInvocationProvider.java
+++ b/config/src/test/java/org/springframework/security/config/MockAfterInvocationProvider.java
@ -1,6 +1,6 @@
				@@ -1,6 +1,6 @@
 package org.springframework.security.config;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.AfterInvocationProvider;
@ -9,7 +9,7 @@ import org.springframework.security.core.Authentication;
				@@ -9,7 +9,7 @@ import org.springframework.security.core.Authentication;

 public class MockAfterInvocationProvider implements AfterInvocationProvider {

-    public Object decide(Authentication authentication, Object object, List<ConfigAttribute> config, Object returnedObject)
+    public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config, Object returnedObject)
            throws AccessDeniedException {
        return returnedObject;
    }
--- a/config/src/test/java/org/springframework/security/config/http/FilterSecurityMetadataSourceBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/FilterSecurityMetadataSourceBeanDefinitionParserTests.java
@ -2,7 +2,7 @@ package org.springframework.security.config.http;
				@@ -2,7 +2,7 @@ package org.springframework.security.config.http;

 import static org.junit.Assert.*;

-import java.util.List;
+import java.util.Collection;

 import org.junit.After;
 import org.junit.Test;
@ -47,7 +47,7 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
				@@ -47,7 +47,7 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
                "   <intercept-url pattern='/**' access='ROLE_A'/>" +
                "</filter-security-metadata-source>");
        DefaultFilterInvocationSecurityMetadataSource fids = (DefaultFilterInvocationSecurityMetadataSource) appContext.getBean("fids");
-        List<? extends ConfigAttribute> cad = fids.getAttributes(createFilterInvocation("/anything", "GET"));
+        Collection<ConfigAttribute> cad = fids.getAttributes(createFilterInvocation("/anything", "GET"));
        assertNotNull(cad);
        assertTrue(cad.contains(new SecurityConfig("ROLE_A")));
    }
@ -61,9 +61,9 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
				@@ -61,9 +61,9 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {

        ExpressionBasedFilterInvocationSecurityMetadataSource fids =
            (ExpressionBasedFilterInvocationSecurityMetadataSource) appContext.getBean("fids");
-        List<? extends ConfigAttribute> cad = fids.getAttributes(createFilterInvocation("/anything", "GET"));
-        assertEquals(1, cad.size());
-        assertEquals("hasRole('ROLE_A')", cad.get(0).toString());
+        ConfigAttribute[] cad = fids.getAttributes(createFilterInvocation("/anything", "GET")).toArray(new ConfigAttribute[0]);
+        assertEquals(1, cad.length);
+        assertEquals("hasRole('ROLE_A')", cad[0].toString());
    }

    // SEC-1201
@ -77,10 +77,10 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
				@@ -77,10 +77,10 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
                "   <intercept-url pattern='${secure.url}' access='${secure.role}'/>" +
                "</filter-security-metadata-source>");
        DefaultFilterInvocationSecurityMetadataSource fids = (DefaultFilterInvocationSecurityMetadataSource) appContext.getBean("fids");
-        List<ConfigAttribute> cad = fids.getAttributes(createFilterInvocation("/secure", "GET"));
+        Collection<ConfigAttribute> cad = fids.getAttributes(createFilterInvocation("/secure", "GET"));
        assertNotNull(cad);
        assertEquals(1, cad.size());
-        assertEquals("ROLE_A", cad.get(0).getAttribute());
+        assertTrue(cad.contains(new SecurityConfig("ROLE_A")));
    }

    @Test
--- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
@ -7,6 +7,7 @@ import static org.springframework.security.config.http.AuthenticationConfigBuild
				@@ -7,6 +7,7 @@ import static org.springframework.security.config.http.AuthenticationConfigBuild

 import java.lang.reflect.Method;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
@ -286,7 +287,7 @@ public class HttpSecurityBeanDefinitionParserTests {
				@@ -286,7 +287,7 @@ public class HttpSecurityBeanDefinitionParserTests {
        FilterSecurityInterceptor fis = (FilterSecurityInterceptor) getFilter(FilterSecurityInterceptor.class);

        FilterInvocationSecurityMetadataSource fids = fis.getSecurityMetadataSource();
-        List<ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/Secure", null));
+        Collection<ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/Secure", null));
        assertEquals(2, attrDef.size());
        assertTrue(attrDef.contains(new SecurityConfig("ROLE_A")));
        assertTrue(attrDef.contains(new SecurityConfig("ROLE_B")));
@ -314,10 +315,10 @@ public class HttpSecurityBeanDefinitionParserTests {
				@@ -314,10 +315,10 @@ public class HttpSecurityBeanDefinitionParserTests {
        // Check the security attribute
        FilterSecurityInterceptor fis = (FilterSecurityInterceptor) getFilter(FilterSecurityInterceptor.class);
        FilterInvocationSecurityMetadataSource fids = fis.getSecurityMetadataSource();
-        List<ConfigAttribute> attrs = fids.getAttributes(createFilterinvocation("/secure", null));
+        Collection<ConfigAttribute> attrs = fids.getAttributes(createFilterinvocation("/secure", null));
        assertNotNull(attrs);
        assertEquals(1, attrs.size());
-        assertEquals("ROLE_A",attrs.get(0).getAttribute());
+        assertTrue(attrs.contains(new SecurityConfig("ROLE_A")));

        // Check the form login properties are set
        UsernamePasswordAuthenticationFilter apf = (UsernamePasswordAuthenticationFilter)
@ -340,7 +341,7 @@ public class HttpSecurityBeanDefinitionParserTests {
				@@ -340,7 +341,7 @@ public class HttpSecurityBeanDefinitionParserTests {

        FilterSecurityInterceptor fis = (FilterSecurityInterceptor) getFilter(FilterSecurityInterceptor.class);
        FilterInvocationSecurityMetadataSource fids = fis.getSecurityMetadataSource();
-        List<? extends ConfigAttribute> attrs = fids.getAttributes(createFilterinvocation("/secure", "POST"));
+        Collection<ConfigAttribute> attrs = fids.getAttributes(createFilterinvocation("/secure", "POST"));
        assertEquals(2, attrs.size());
        assertTrue(attrs.contains(new SecurityConfig("ROLE_A")));
        assertTrue(attrs.contains(new SecurityConfig("ROLE_B")));
@ -904,7 +905,7 @@ public class HttpSecurityBeanDefinitionParserTests {
				@@ -904,7 +905,7 @@ public class HttpSecurityBeanDefinitionParserTests {
        FilterSecurityInterceptor fis = (FilterSecurityInterceptor) getFilter(FilterSecurityInterceptor.class);

        FilterInvocationSecurityMetadataSource fids = fis.getSecurityMetadataSource();
-        List<? extends ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/someurl", null));
+        Collection<ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/someurl", null));
        assertEquals(1, attrDef.size());
        assertTrue(attrDef.contains(new SecurityConfig("ROLE_B")));
    }
@ -942,7 +943,7 @@ public class HttpSecurityBeanDefinitionParserTests {
				@@ -942,7 +943,7 @@ public class HttpSecurityBeanDefinitionParserTests {
        FilterSecurityInterceptor fis = (FilterSecurityInterceptor) getFilter(FilterSecurityInterceptor.class);

        FilterInvocationSecurityMetadataSource fids = fis.getSecurityMetadataSource();
-        List<? extends ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/secure", null));
+        Collection<ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/secure", null));
        assertEquals(1, attrDef.size());

        // Try an unprotected invocation
--- a/core/src/main/java/org/springframework/security/access/AccessDecisionManager.java
+++ b/core/src/main/java/org/springframework/security/access/AccessDecisionManager.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.authentication.InsufficientAuthenticationException;
 import org.springframework.security.core.Authentication;
@ -41,7 +41,7 @@ public interface AccessDecisionManager {
				@@ -41,7 +41,7 @@ public interface AccessDecisionManager {
     * @throws InsufficientAuthenticationException if access is denied as the authentication does not provide a
     *         sufficient level of trust
     */
-    void decide(Authentication authentication, Object object, List<ConfigAttribute> configAttributes)
+    void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
        throws AccessDeniedException, InsufficientAuthenticationException;

    /**
--- a/core/src/main/java/org/springframework/security/access/AccessDecisionVoter.java
+++ b/core/src/main/java/org/springframework/security/access/AccessDecisionVoter.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.core.Authentication;

@ -87,5 +87,5 @@ public interface AccessDecisionVoter {
				@@ -87,5 +87,5 @@ public interface AccessDecisionVoter {
     *
     * @return either {@link #ACCESS_GRANTED}, {@link #ACCESS_ABSTAIN} or {@link #ACCESS_DENIED}
     */
-    int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes);
+    int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes);
 }
--- a/core/src/main/java/org/springframework/security/access/AfterInvocationProvider.java
+++ b/core/src/main/java/org/springframework/security/access/AfterInvocationProvider.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.access.intercept.AfterInvocationProviderManager;
 import org.springframework.security.core.Authentication;
@ -30,7 +30,7 @@ import org.springframework.security.core.Authentication;
				@@ -30,7 +30,7 @@ import org.springframework.security.core.Authentication;
 public interface AfterInvocationProvider {
    //~ Methods ========================================================================================================

-    Object decide(Authentication authentication, Object object, List<ConfigAttribute> config,
+    Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> attributes,
        Object returnedObject) throws AccessDeniedException;

    /**
--- a/core/src/main/java/org/springframework/security/access/SecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/SecurityMetadataSource.java
@ -16,7 +16,6 @@
				@@ -16,7 +16,6 @@
 package org.springframework.security.access;

 import java.util.Collection;
-import java.util.List;

 import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
@ -44,7 +43,7 @@ public interface SecurityMetadataSource extends AopInfrastructureBean {
				@@ -44,7 +43,7 @@ public interface SecurityMetadataSource extends AopInfrastructureBean {
     * @throws IllegalArgumentException if the passed object is not of a type supported by the
     *         <code>SecurityMetadataSource</code> implementation
     */
-    List<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException;
+    Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException;

    /**
     * If available, returns all of the <code>ConfigAttribute</code>s defined by the implementing class.
--- a/core/src/main/java/org/springframework/security/access/annotation/Jsr250Voter.java
+++ b/core/src/main/java/org/springframework/security/access/annotation/Jsr250Voter.java
@ -1,6 +1,6 @@
				@@ -1,6 +1,6 @@
 package org.springframework.security.access.annotation;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
@ -43,7 +43,7 @@ public class Jsr250Voter implements AccessDecisionVoter {
				@@ -43,7 +43,7 @@ public class Jsr250Voter implements AccessDecisionVoter {
     * @param definition     The configuration definition.
     * @return The vote.
     */
-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> definition) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> definition) {
        for (ConfigAttribute attribute : definition) {
            if (Jsr250SecurityConfig.PERMIT_ALL_ATTRIBUTE.equals(attribute)) {
                return ACCESS_GRANTED;
--- a/core/src/main/java/org/springframework/security/access/event/AuthenticationCredentialsNotFoundEvent.java
+++ b/core/src/main/java/org/springframework/security/access/event/AuthenticationCredentialsNotFoundEvent.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access.event;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
@ -32,7 +32,7 @@ public class AuthenticationCredentialsNotFoundEvent extends AbstractAuthorizatio
				@@ -32,7 +32,7 @@ public class AuthenticationCredentialsNotFoundEvent extends AbstractAuthorizatio
    //~ Instance fields ================================================================================================

    private AuthenticationCredentialsNotFoundException credentialsNotFoundException;
-    private List<ConfigAttribute> configAttribs;
+    private Collection<ConfigAttribute> configAttribs;

    //~ Constructors ===================================================================================================

@ -40,25 +40,25 @@ public class AuthenticationCredentialsNotFoundEvent extends AbstractAuthorizatio
				@@ -40,25 +40,25 @@ public class AuthenticationCredentialsNotFoundEvent extends AbstractAuthorizatio
     * Construct the event.
     *
     * @param secureObject the secure object
-     * @param configAttribs that apply to the secure object
+     * @param attributes that apply to the secure object
     * @param credentialsNotFoundException exception returned to the caller (contains reason)
     *
     */
-    public AuthenticationCredentialsNotFoundEvent(Object secureObject, List<ConfigAttribute> configAttribs,
+    public AuthenticationCredentialsNotFoundEvent(Object secureObject, Collection<ConfigAttribute> attributes,
            AuthenticationCredentialsNotFoundException credentialsNotFoundException) {
        super(secureObject);

-        if ((configAttribs == null) || (credentialsNotFoundException == null)) {
+        if ((attributes == null) || (credentialsNotFoundException == null)) {
            throw new IllegalArgumentException("All parameters are required and cannot be null");
        }

-        this.configAttribs = configAttribs;
+        this.configAttribs = attributes;
        this.credentialsNotFoundException = credentialsNotFoundException;
    }

    //~ Methods ========================================================================================================

-    public List<ConfigAttribute> getConfigAttributes() {
+    public Collection<ConfigAttribute> getConfigAttributes() {
        return configAttribs;
    }

--- a/core/src/main/java/org/springframework/security/access/event/AuthorizationFailureEvent.java
+++ b/core/src/main/java/org/springframework/security/access/event/AuthorizationFailureEvent.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access.event;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
@ -38,7 +38,7 @@ public class AuthorizationFailureEvent extends AbstractAuthorizationEvent {
				@@ -38,7 +38,7 @@ public class AuthorizationFailureEvent extends AbstractAuthorizationEvent {

    private AccessDeniedException accessDeniedException;
    private Authentication authentication;
-    private List<ConfigAttribute> configAttributeDefinition;
+    private Collection<ConfigAttribute> configAttributes;

    //~ Constructors ===================================================================================================

@ -46,22 +46,22 @@ public class AuthorizationFailureEvent extends AbstractAuthorizationEvent {
				@@ -46,22 +46,22 @@ public class AuthorizationFailureEvent extends AbstractAuthorizationEvent {
     * Construct the event.
     *
     * @param secureObject the secure object
-     * @param configAttribs that apply to the secure object
+     * @param attributes that apply to the secure object
     * @param authentication that was found in the <code>SecurityContextHolder</code>
     * @param accessDeniedException that was returned by the
     *        <code>AccessDecisionManager</code>
     *
     * @throws IllegalArgumentException if any null arguments are presented.
     */
-    public AuthorizationFailureEvent(Object secureObject, List<ConfigAttribute> configAttribs,
+    public AuthorizationFailureEvent(Object secureObject, Collection<ConfigAttribute> attributes,
        Authentication authentication, AccessDeniedException accessDeniedException) {
        super(secureObject);

-        if ((configAttribs == null) || (authentication == null) || (accessDeniedException == null)) {
+        if ((attributes == null) || (authentication == null) || (accessDeniedException == null)) {
            throw new IllegalArgumentException("All parameters are required and cannot be null");
        }

-        this.configAttributeDefinition = configAttribs;
+        this.configAttributes = attributes;
        this.authentication = authentication;
        this.accessDeniedException = accessDeniedException;
    }
@ -76,7 +76,7 @@ public class AuthorizationFailureEvent extends AbstractAuthorizationEvent {
				@@ -76,7 +76,7 @@ public class AuthorizationFailureEvent extends AbstractAuthorizationEvent {
        return authentication;
    }

-    public List<ConfigAttribute> getConfigAttributes() {
-        return configAttributeDefinition;
+    public Collection<ConfigAttribute> getConfigAttributes() {
+        return configAttributes;
    }
 }
--- a/core/src/main/java/org/springframework/security/access/event/AuthorizedEvent.java
+++ b/core/src/main/java/org/springframework/security/access/event/AuthorizedEvent.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access.event;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
@ -32,7 +32,7 @@ public class AuthorizedEvent extends AbstractAuthorizationEvent {
				@@ -32,7 +32,7 @@ public class AuthorizedEvent extends AbstractAuthorizationEvent {
    //~ Instance fields ================================================================================================

    private Authentication authentication;
-    private List<ConfigAttribute> configAttributeDefinition;
+    private Collection<ConfigAttribute> configAttributes;

    //~ Constructors ===================================================================================================

@ -40,18 +40,18 @@ public class AuthorizedEvent extends AbstractAuthorizationEvent {
				@@ -40,18 +40,18 @@ public class AuthorizedEvent extends AbstractAuthorizationEvent {
     * Construct the event.
     *
     * @param secureObject the secure object
-     * @param configAttribs that apply to the secure object
+     * @param attributes that apply to the secure object
     * @param authentication that successfully called the secure object
     *
     */
-    public AuthorizedEvent(Object secureObject, List<ConfigAttribute> configAttribs, Authentication authentication) {
+    public AuthorizedEvent(Object secureObject, Collection<ConfigAttribute> attributes, Authentication authentication) {
        super(secureObject);

-        if ((configAttribs == null) || (authentication == null)) {
+        if ((attributes == null) || (authentication == null)) {
            throw new IllegalArgumentException("All parameters are required and cannot be null");
        }

-        this.configAttributeDefinition = configAttribs;
+        this.configAttributes = attributes;
        this.authentication = authentication;
    }

@ -61,7 +61,7 @@ public class AuthorizedEvent extends AbstractAuthorizationEvent {
				@@ -61,7 +61,7 @@ public class AuthorizedEvent extends AbstractAuthorizationEvent {
        return authentication;
    }

-    public List<ConfigAttribute> getConfigAttributes() {
-        return configAttributeDefinition;
+    public Collection<ConfigAttribute> getConfigAttributes() {
+        return configAttributes;
    }
 }
--- a/core/src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java
@ -17,7 +17,6 @@ package org.springframework.security.access.intercept;
				@@ -17,7 +17,6 @@ package org.springframework.security.access.intercept;

 import java.util.Collection;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Set;

 import org.apache.commons.logging.Log;
@ -170,7 +169,7 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
				@@ -170,7 +169,7 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
                    + getSecureObjectClass());
        }

-        List<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);
+        Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);

        if (attributes == null) {
            if (rejectPublicInvocations) {
@ -319,7 +318,7 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
				@@ -319,7 +318,7 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
     * @param secureObject  that was being called
     * @param configAttribs that were defined for the secureObject
     */
-    private void credentialsNotFound(String reason, Object secureObject, List<ConfigAttribute> configAttribs) {
+    private void credentialsNotFound(String reason, Object secureObject, Collection<ConfigAttribute> configAttribs) {
        AuthenticationCredentialsNotFoundException exception = new AuthenticationCredentialsNotFoundException(reason);

        AuthenticationCredentialsNotFoundEvent event = new AuthenticationCredentialsNotFoundEvent(secureObject,
--- a/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationManager.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationManager.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access.intercept;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
@ -57,7 +57,7 @@ public interface AfterInvocationManager {
				@@ -57,7 +57,7 @@ public interface AfterInvocationManager {
     *
     * @param authentication the caller that invoked the method
     * @param object the secured object that was called
-     * @param config the configuration attributes associated with the secured object that was invoked
+     * @param attributes the configuration attributes associated with the secured object that was invoked
     * @param returnedObject the <code>Object</code> that was returned from the secure object invocation
     *
     * @return the <code>Object</code> that will ultimately be returned to the caller (if an implementation does not
@ -66,7 +66,7 @@ public interface AfterInvocationManager {
				@@ -66,7 +66,7 @@ public interface AfterInvocationManager {
     *
     * @throws AccessDeniedException if access is denied
     */
-    Object decide(Authentication authentication, Object object, List<ConfigAttribute> config,
+    Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> attributes,
        Object returnedObject) throws AccessDeniedException;

    /**
--- a/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationProviderManager.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationProviderManager.java
@ -16,6 +16,7 @@
				@@ -16,6 +16,7 @@
 package org.springframework.security.access.intercept;

 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;

 import org.apache.commons.logging.Log;
@ -63,7 +64,7 @@ public class AfterInvocationProviderManager implements AfterInvocationManager, I
				@@ -63,7 +64,7 @@ public class AfterInvocationProviderManager implements AfterInvocationManager, I
        }
    }

-    public Object decide(Authentication authentication, Object object, List<ConfigAttribute> config,
+    public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config,
            Object returnedObject) throws AccessDeniedException {

        Object result = returnedObject;
--- a/core/src/main/java/org/springframework/security/access/intercept/InterceptorStatusToken.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/InterceptorStatusToken.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access.intercept;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
@ -35,23 +35,23 @@ public class InterceptorStatusToken {
				@@ -35,23 +35,23 @@ public class InterceptorStatusToken {
    //~ Instance fields ================================================================================================

    private Authentication authentication;
-    private List<ConfigAttribute> attr;
+    private Collection<ConfigAttribute> attr;
    private Object secureObject;
    private boolean contextHolderRefreshRequired;

    //~ Constructors ===================================================================================================

    public InterceptorStatusToken(Authentication authentication, boolean contextHolderRefreshRequired,
-            List<ConfigAttribute> attr, Object secureObject) {
+            Collection<ConfigAttribute> attributes, Object secureObject) {
        this.authentication = authentication;
        this.contextHolderRefreshRequired = contextHolderRefreshRequired;
-        this.attr = attr;
+        this.attr = attributes;
        this.secureObject = secureObject;
    }

    //~ Methods ========================================================================================================

-    public List<ConfigAttribute> getAttributes() {
+    public Collection<ConfigAttribute> getAttributes() {
        return attr;
    }

--- a/core/src/main/java/org/springframework/security/access/intercept/MethodInvocationPrivilegeEvaluator.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/MethodInvocationPrivilegeEvaluator.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access.intercept;

-import java.util.List;
+import java.util.Collection;

 import org.aopalliance.intercept.MethodInvocation;
 import org.apache.commons.logging.Log;
@ -58,7 +58,7 @@ public class MethodInvocationPrivilegeEvaluator implements InitializingBean {
				@@ -58,7 +58,7 @@ public class MethodInvocationPrivilegeEvaluator implements InitializingBean {
        Assert.notNull(mi, "MethodInvocation required");
        Assert.notNull(mi.getMethod(), "MethodInvocation must provide a non-null getMethod()");

-        List<ConfigAttribute> attrs = securityInterceptor.obtainSecurityMetadataSource().getAttributes(mi);
+        Collection<ConfigAttribute> attrs = securityInterceptor.obtainSecurityMetadataSource().getAttributes(mi);

        if (attrs == null) {
            if (securityInterceptor.isRejectPublicInvocations()) {
--- a/core/src/main/java/org/springframework/security/access/intercept/NullRunAsManager.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/NullRunAsManager.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access.intercept;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
@ -32,7 +32,7 @@ import org.springframework.security.core.Authentication;
				@@ -32,7 +32,7 @@ import org.springframework.security.core.Authentication;
 final class NullRunAsManager implements RunAsManager {
    //~ Methods ========================================================================================================

-    public Authentication buildRunAs(Authentication authentication, Object object, List<ConfigAttribute> config) {
+    public Authentication buildRunAs(Authentication authentication, Object object, Collection<ConfigAttribute> config) {
        return null;
    }

--- a/core/src/main/java/org/springframework/security/access/intercept/RunAsManager.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/RunAsManager.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access.intercept;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
@ -71,12 +71,12 @@ public interface RunAsManager {
				@@ -71,12 +71,12 @@ public interface RunAsManager {
     *
     * @param authentication the caller invoking the secure object
     * @param object the secured object being called
-     * @param config the configuration attributes associated with the secure object being invoked
+     * @param attributes the configuration attributes associated with the secure object being invoked
     *
     * @return a replacement object to be used for duration of the secure object invocation, or <code>null</code> if
     *         the <code>Authentication</code> should be left as is
     */
-    Authentication buildRunAs(Authentication authentication, Object object, List<ConfigAttribute> config);
+    Authentication buildRunAs(Authentication authentication, Object object, Collection<ConfigAttribute> attributes);

    /**
     * Indicates whether this <code>RunAsManager</code> is able to process the passed
--- a/core/src/main/java/org/springframework/security/access/intercept/RunAsManagerImpl.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/RunAsManagerImpl.java
@ -16,6 +16,7 @@
				@@ -16,6 +16,7 @@
 package org.springframework.security.access.intercept;

 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;

 import org.springframework.beans.factory.InitializingBean;
@ -61,7 +62,7 @@ public class RunAsManagerImpl implements RunAsManager, InitializingBean {
				@@ -61,7 +62,7 @@ public class RunAsManagerImpl implements RunAsManager, InitializingBean {
        Assert.notNull(key, "A Key is required and should match that configured for the RunAsImplAuthenticationProvider");
    }

-    public Authentication buildRunAs(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public Authentication buildRunAs(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        List<GrantedAuthority> newAuthorities = new ArrayList<GrantedAuthority>();

        for (ConfigAttribute attribute : attributes) {
--- a/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java
@ -29,7 +29,7 @@ import org.springframework.util.Assert;
				@@ -29,7 +29,7 @@ import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;

 import java.lang.reflect.Method;
-import java.util.List;
+import java.util.Collection;


 /**
@ -46,7 +46,7 @@ public abstract class AbstractMethodSecurityMetadataSource implements MethodSecu
				@@ -46,7 +46,7 @@ public abstract class AbstractMethodSecurityMetadataSource implements MethodSecu

    //~ Methods ========================================================================================================

-    public final List<ConfigAttribute> getAttributes(Object object) {
+    public final Collection<ConfigAttribute> getAttributes(Object object) {
        if (object instanceof MethodInvocation) {
            MethodInvocation mi = (MethodInvocation) object;
            Object target = mi.getThis();
--- a/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java
+++ b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java
@ -1,6 +1,6 @@
				@@ -1,6 +1,6 @@
 package org.springframework.security.access.prepost;

-import java.util.List;
+import java.util.Collection;

 import org.aopalliance.intercept.MethodInvocation;
 import org.apache.commons.logging.Log;
@ -27,7 +27,7 @@ public class PostInvocationAdviceProvider implements AfterInvocationProvider {
				@@ -27,7 +27,7 @@ public class PostInvocationAdviceProvider implements AfterInvocationProvider {
        this.postAdvice = postAdvice;
    }

-    public Object decide(Authentication authentication, Object object, List<ConfigAttribute> config, Object returnedObject)
+    public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config, Object returnedObject)
            throws AccessDeniedException {

        PostInvocationAttribute pia = findPostInvocationAttribute(config);
@ -39,7 +39,7 @@ public class PostInvocationAdviceProvider implements AfterInvocationProvider {
				@@ -39,7 +39,7 @@ public class PostInvocationAdviceProvider implements AfterInvocationProvider {
        return postAdvice.after(authentication, (MethodInvocation)object, pia, returnedObject);
    }

-    private PostInvocationAttribute findPostInvocationAttribute(List<ConfigAttribute> config) {
+    private PostInvocationAttribute findPostInvocationAttribute(Collection<ConfigAttribute> config) {
        for (ConfigAttribute attribute : config) {
            if (attribute instanceof PostInvocationAttribute) {
                return (PostInvocationAttribute)attribute;
--- a/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java
+++ b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java
@ -1,6 +1,6 @@
				@@ -1,6 +1,6 @@
 package org.springframework.security.access.prepost;

-import java.util.List;
+import java.util.Collection;

 import org.aopalliance.intercept.MethodInvocation;
 import org.apache.commons.logging.Log;
@ -39,7 +39,7 @@ public class PreInvocationAuthorizationAdviceVoter implements AccessDecisionVote
				@@ -39,7 +39,7 @@ public class PreInvocationAuthorizationAdviceVoter implements AccessDecisionVote
        return clazz.isAssignableFrom(MethodInvocation.class);
    }

-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {

        // Find prefilter and preauth (or combined) attributes
        // if both null, abstain
@ -57,7 +57,7 @@ public class PreInvocationAuthorizationAdviceVoter implements AccessDecisionVote
				@@ -57,7 +57,7 @@ public class PreInvocationAuthorizationAdviceVoter implements AccessDecisionVote
        return allowed ? ACCESS_GRANTED : ACCESS_DENIED;
    }

-    private PreInvocationAttribute findPreInvocationAttribute(List<ConfigAttribute> config) {
+    private PreInvocationAttribute findPreInvocationAttribute(Collection<ConfigAttribute> config) {
        for (ConfigAttribute attribute : config) {
            if (attribute instanceof PreInvocationAttribute) {
                return (PreInvocationAttribute)attribute;
--- a/core/src/main/java/org/springframework/security/access/vote/AffirmativeBased.java
+++ b/core/src/main/java/org/springframework/security/access/vote/AffirmativeBased.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access.vote;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.AccessDeniedException;
@ -42,7 +42,7 @@ public class AffirmativeBased extends AbstractAccessDecisionManager {
				@@ -42,7 +42,7 @@ public class AffirmativeBased extends AbstractAccessDecisionManager {
     *
     * @throws AccessDeniedException if access is denied
     */
-    public void decide(Authentication authentication, Object object, List<ConfigAttribute> configAttributes)
+    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException {
        int deny = 0;

--- a/core/src/main/java/org/springframework/security/access/vote/AuthenticatedVoter.java
+++ b/core/src/main/java/org/springframework/security/access/vote/AuthenticatedVoter.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access.vote;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
@ -86,7 +86,7 @@ public class AuthenticatedVoter implements AccessDecisionVoter {
				@@ -86,7 +86,7 @@ public class AuthenticatedVoter implements AccessDecisionVoter {
        return true;
    }

-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        int result = ACCESS_ABSTAIN;

        for (ConfigAttribute attribute : attributes) {
--- a/core/src/main/java/org/springframework/security/access/vote/ConsensusBased.java
+++ b/core/src/main/java/org/springframework/security/access/vote/ConsensusBased.java
@ -15,7 +15,7 @@
				@@ -15,7 +15,7 @@

 package org.springframework.security.access.vote;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.AccessDeniedException;
@ -52,7 +52,7 @@ public class ConsensusBased extends AbstractAccessDecisionManager {
				@@ -52,7 +52,7 @@ public class ConsensusBased extends AbstractAccessDecisionManager {
     *
     * @throws AccessDeniedException if access is denied
     */
-    public void decide(Authentication authentication, Object object, List<ConfigAttribute> configAttributes)
+    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException {
        int grant = 0;
        int deny = 0;
--- a/core/src/main/java/org/springframework/security/access/vote/LabelBasedAclVoter.java
+++ b/core/src/main/java/org/springframework/security/access/vote/LabelBasedAclVoter.java
@ -15,6 +15,7 @@
				@@ -15,6 +15,7 @@
 package org.springframework.security.access.vote;

 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 import java.util.Map;

@ -163,7 +164,7 @@ public class LabelBasedAclVoter extends AbstractAclVoter {
				@@ -163,7 +164,7 @@ public class LabelBasedAclVoter extends AbstractAclVoter {
     *
     * @return ACCESS_ABSTAIN, ACCESS_GRANTED, or ACCESS_DENIED.
     */
-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        int result = ACCESS_ABSTAIN;

        if (logger.isDebugEnabled()) {
--- a/core/src/main/java/org/springframework/security/access/vote/RoleVoter.java
+++ b/core/src/main/java/org/springframework/security/access/vote/RoleVoter.java
@ -16,7 +16,6 @@
				@@ -16,7 +16,6 @@
 package org.springframework.security.access.vote;

 import java.util.Collection;
-import java.util.List;

 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
@ -93,7 +92,7 @@ public class RoleVoter implements AccessDecisionVoter {
				@@ -93,7 +92,7 @@ public class RoleVoter implements AccessDecisionVoter {
        return true;
    }

-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        int result = ACCESS_ABSTAIN;
        Collection<GrantedAuthority> authorities = extractAuthorities(authentication);

--- a/core/src/main/java/org/springframework/security/access/vote/UnanimousBased.java
+++ b/core/src/main/java/org/springframework/security/access/vote/UnanimousBased.java
@ -16,6 +16,7 @@
				@@ -16,6 +16,7 @@
 package org.springframework.security.access.vote;

 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;

 import org.springframework.security.access.AccessDecisionVoter;
@ -48,7 +49,7 @@ public class UnanimousBased extends AbstractAccessDecisionManager {
				@@ -48,7 +49,7 @@ public class UnanimousBased extends AbstractAccessDecisionManager {
     *
     * @throws AccessDeniedException if access is denied
     */
-    public void decide(Authentication authentication, Object object, List<ConfigAttribute> attributes)
+    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
             throws AccessDeniedException {

        int grant = 0;
--- a/core/src/test/java/org/springframework/security/access/annotation/MethodDefinitionSourceEditorTigerTests.java
+++ b/core/src/test/java/org/springframework/security/access/annotation/MethodDefinitionSourceEditorTigerTests.java
@ -17,6 +17,7 @@ package org.springframework.security.access.annotation;
				@@ -17,6 +17,7 @@ package org.springframework.security.access.annotation;

 import static org.junit.Assert.assertEquals;

+import java.util.Collection;
 import java.util.List;

 import org.junit.Before;
@ -59,12 +60,12 @@ public class MethodDefinitionSourceEditorTigerTests {
				@@ -59,12 +60,12 @@ public class MethodDefinitionSourceEditorTigerTests {
        MapBasedMethodSecurityMetadataSource map = (MapBasedMethodSecurityMetadataSource) editor.getValue();
        assertEquals(3, map.getMethodMapSize());

-        List<? extends ConfigAttribute> returnedMakeLower = map.getAttributes(makeLower);
-        List<? extends ConfigAttribute> expectedMakeLower = SecurityConfig.createList("ROLE_FROM_INTERFACE");
+        Collection<ConfigAttribute> returnedMakeLower = map.getAttributes(makeLower);
+        List<ConfigAttribute> expectedMakeLower = SecurityConfig.createList("ROLE_FROM_INTERFACE");
        assertEquals(expectedMakeLower, returnedMakeLower);

-        List<? extends ConfigAttribute> returnedMakeUpper = map.getAttributes(makeUpper);
-        List<? extends ConfigAttribute> expectedMakeUpper = SecurityConfig.createList(new String[]{"ROLE_FROM_IMPLEMENTATION"});
+        Collection<ConfigAttribute> returnedMakeUpper = map.getAttributes(makeUpper);
+        List<ConfigAttribute> expectedMakeUpper = SecurityConfig.createList(new String[]{"ROLE_FROM_IMPLEMENTATION"});
        assertEquals(expectedMakeUpper, returnedMakeUpper);
    }

@ -79,8 +80,8 @@ public class MethodDefinitionSourceEditorTigerTests {
				@@ -79,8 +80,8 @@ public class MethodDefinitionSourceEditorTigerTests {
        MapBasedMethodSecurityMetadataSource map = (MapBasedMethodSecurityMetadataSource) editor.getValue();
        assertEquals(3, map.getMethodMapSize());

-        List<? extends ConfigAttribute> returnedMakeUpper = map.getAttributes(makeUpper);
-        List<? extends ConfigAttribute> expectedMakeUpper = SecurityConfig.createList("ROLE_FROM_PSI");
+        Collection<ConfigAttribute> returnedMakeUpper = map.getAttributes(makeUpper);
+        List<ConfigAttribute> expectedMakeUpper = SecurityConfig.createList("ROLE_FROM_PSI");
        assertEquals(expectedMakeUpper, returnedMakeUpper);
    }

--- a/core/src/test/java/org/springframework/security/access/expression/method/PrePostAnnotationSecurityMetadataSourceTests.java
+++ b/core/src/test/java/org/springframework/security/access/expression/method/PrePostAnnotationSecurityMetadataSourceTests.java
@ -43,11 +43,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {
				@@ -43,11 +43,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {

    @Test
    public void classLevelPreAnnotationIsPickedUpWhenNoMethodLevelExists() throws Exception {
-        List<ConfigAttribute> attrs = mds.getAttributes(voidImpl1);
+        ConfigAttribute[] attrs = mds.getAttributes(voidImpl1).toArray(new ConfigAttribute[0]);

-        assertEquals(1, attrs.size());
-        assertTrue(attrs.get(0) instanceof PreInvocationExpressionAttribute);
-        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute) attrs.get(0);
+        assertEquals(1, attrs.length);
+        assertTrue(attrs[0] instanceof PreInvocationExpressionAttribute);
+        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute) attrs[0];
        assertNotNull(pre.getAuthorizeExpression());
        assertEquals("someExpression", pre.getAuthorizeExpression().getExpressionString());
        assertNull(pre.getFilterExpression());
@ -55,11 +55,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {
				@@ -55,11 +55,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {

    @Test
    public void mixedClassAndMethodPreAnnotationsAreBothIncluded() {
-        List<ConfigAttribute> attrs = mds.getAttributes(voidImpl2);
+        ConfigAttribute[] attrs = mds.getAttributes(voidImpl2).toArray(new ConfigAttribute[0]);

-        assertEquals(1, attrs.size());
-        assertTrue(attrs.get(0) instanceof PreInvocationExpressionAttribute);
-        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs.get(0);
+        assertEquals(1, attrs.length);
+        assertTrue(attrs[0] instanceof PreInvocationExpressionAttribute);
+        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute) attrs[0];
        assertEquals("someExpression", pre.getAuthorizeExpression().getExpressionString());
        assertNotNull(pre.getFilterExpression());
        assertEquals("somePreFilterExpression", pre.getFilterExpression().getExpressionString());
@ -67,11 +67,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {
				@@ -67,11 +67,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {

    @Test
    public void methodWithPreFilterOnlyIsAllowed() {
-        List<ConfigAttribute> attrs = mds.getAttributes(voidImpl3);
+        ConfigAttribute[] attrs = mds.getAttributes(voidImpl3).toArray(new ConfigAttribute[0]);

-        assertEquals(1, attrs.size());
-        assertTrue(attrs.get(0) instanceof PreInvocationExpressionAttribute);
-        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs.get(0);
+        assertEquals(1, attrs.length);
+        assertTrue(attrs[0] instanceof PreInvocationExpressionAttribute);
+        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute) attrs[0];
        assertEquals("permitAll", pre.getAuthorizeExpression().getExpressionString());
        assertNotNull(pre.getFilterExpression());
        assertEquals("somePreFilterExpression", pre.getFilterExpression().getExpressionString());
@ -79,13 +79,13 @@ public class PrePostAnnotationSecurityMetadataSourceTests {
				@@ -79,13 +79,13 @@ public class PrePostAnnotationSecurityMetadataSourceTests {

    @Test
    public void methodWithPostFilterOnlyIsAllowed() {
-        List<ConfigAttribute> attrs = mds.getAttributes(listImpl1);
+        ConfigAttribute[] attrs = mds.getAttributes(listImpl1).toArray(new ConfigAttribute[0]);

-        assertEquals(2, attrs.size());
-        assertTrue(attrs.get(0) instanceof PreInvocationExpressionAttribute);
-        assertTrue(attrs.get(1) instanceof PostInvocationExpressionAttribute);
-        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs.get(0);
-        PostInvocationExpressionAttribute post = (PostInvocationExpressionAttribute)attrs.get(1);
+        assertEquals(2, attrs.length);
+        assertTrue(attrs[0] instanceof PreInvocationExpressionAttribute);
+        assertTrue(attrs[1] instanceof PostInvocationExpressionAttribute);
+        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute) attrs[0];
+        PostInvocationExpressionAttribute post = (PostInvocationExpressionAttribute) attrs[1];
        assertEquals("permitAll", pre.getAuthorizeExpression().getExpressionString());
        assertNotNull(post.getFilterExpression());
        assertEquals("somePostFilterExpression", post.getFilterExpression().getExpressionString());
@ -93,11 +93,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {
				@@ -93,11 +93,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {

    @Test
    public void interfaceAttributesAreIncluded() {
-        List<ConfigAttribute> attrs = mds.getAttributes(notherListImpl1);
+        ConfigAttribute[] attrs = mds.getAttributes(notherListImpl1).toArray(new ConfigAttribute[0]);

-        assertEquals(1, attrs.size());
-        assertTrue(attrs.get(0) instanceof PreInvocationExpressionAttribute);
-        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs.get(0);
+        assertEquals(1, attrs.length);
+        assertTrue(attrs[0] instanceof PreInvocationExpressionAttribute);
+        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs[0];
        assertNotNull(pre.getFilterExpression());
        assertNotNull(pre.getAuthorizeExpression());
        assertEquals("interfaceMethodAuthzExpression", pre.getAuthorizeExpression().getExpressionString());
@ -106,11 +106,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {
				@@ -106,11 +106,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {

    @Test
    public void classAttributesTakesPrecedeceOverInterfaceAttributes() {
-        List<ConfigAttribute> attrs = mds.getAttributes(notherListImpl2);
+        ConfigAttribute[] attrs = mds.getAttributes(notherListImpl2).toArray(new ConfigAttribute[0]);

-        assertEquals(1, attrs.size());
-        assertTrue(attrs.get(0) instanceof PreInvocationExpressionAttribute);
-        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs.get(0);
+        assertEquals(1, attrs.length);
+        assertTrue(attrs[0] instanceof PreInvocationExpressionAttribute);
+        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs[0];
        assertNotNull(pre.getFilterExpression());
        assertNotNull(pre.getAuthorizeExpression());
        assertEquals("interfaceMethodAuthzExpression", pre.getAuthorizeExpression().getExpressionString());
--- a/core/src/test/java/org/springframework/security/access/intercept/AfterInvocationProviderManagerTests.java
+++ b/core/src/test/java/org/springframework/security/access/intercept/AfterInvocationProviderManagerTests.java
@ -15,6 +15,7 @@
				@@ -15,6 +15,7 @@

 package org.springframework.security.access.intercept;

+import java.util.Collection;
 import java.util.List;
 import java.util.Vector;

@ -151,7 +152,7 @@ public class AfterInvocationProviderManagerTests extends TestCase {
				@@ -151,7 +152,7 @@ public class AfterInvocationProviderManagerTests extends TestCase {
            this.configAttribute = configAttribute;
        }

-        public Object decide(Authentication authentication, Object object, List<ConfigAttribute> config,
+        public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config,
            Object returnedObject) throws AccessDeniedException {
            if (config.contains(configAttribute)) {
                return forceReturnObject;
--- a/core/src/test/java/org/springframework/security/access/intercept/method/MethodSecurityMetadataSourceEditorTests.java
+++ b/core/src/test/java/org/springframework/security/access/intercept/method/MethodSecurityMetadataSourceEditorTests.java
@ -17,6 +17,7 @@ package org.springframework.security.access.intercept.method;
				@@ -17,6 +17,7 @@ package org.springframework.security.access.intercept.method;

 import java.lang.reflect.AccessibleObject;
 import java.lang.reflect.Method;
+import java.util.Collection;
 import java.util.List;

 import junit.framework.TestCase;
@ -56,9 +57,9 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {
				@@ -56,9 +57,9 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {
        Method method = clazz.getMethod("countLength", new Class[] {String.class});
        MockJoinPoint joinPoint = new MockJoinPoint(new TargetObject(), method);

-        List<? extends ConfigAttribute> returnedCountLength = map.getAttributes(joinPoint);
+        Collection<ConfigAttribute> returnedCountLength = map.getAttributes(joinPoint);

-        List<? extends ConfigAttribute> expectedCountLength = SecurityConfig.createList("ROLE_ONE", "ROLE_TWO", "RUN_AS_ENTRY");
+        List<ConfigAttribute> expectedCountLength = SecurityConfig.createList("ROLE_ONE", "ROLE_TWO", "RUN_AS_ENTRY");
        assertEquals(expectedCountLength, returnedCountLength);
    }

@ -108,16 +109,16 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {
				@@ -108,16 +109,16 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {
        MapBasedMethodSecurityMetadataSource map = (MapBasedMethodSecurityMetadataSource) editor.getValue();
        assertEquals(6, map.getMethodMapSize());

-        List<? extends ConfigAttribute> returnedMakeLower = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "makeLowerCase", new Class[] {String.class}, new OtherTargetObject()));
-        List<? extends ConfigAttribute> expectedMakeLower = SecurityConfig.createList("ROLE_FROM_INTERFACE");
+        Collection<ConfigAttribute> returnedMakeLower = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "makeLowerCase", new Class[] {String.class}, new OtherTargetObject()));
+        List<ConfigAttribute> expectedMakeLower = SecurityConfig.createList("ROLE_FROM_INTERFACE");
        assertEquals(expectedMakeLower, returnedMakeLower);

-        List<? extends ConfigAttribute> returnedMakeUpper = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "makeUpperCase", new Class[] {String.class}, new OtherTargetObject()));
-        List<? extends ConfigAttribute> expectedMakeUpper = SecurityConfig.createList("ROLE_FROM_IMPLEMENTATION");
+        Collection<ConfigAttribute> returnedMakeUpper = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "makeUpperCase", new Class[] {String.class}, new OtherTargetObject()));
+        List<ConfigAttribute> expectedMakeUpper = SecurityConfig.createList("ROLE_FROM_IMPLEMENTATION");
        assertEquals(expectedMakeUpper, returnedMakeUpper);

-        List<? extends ConfigAttribute> returnedComputeHashCode = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "computeHashCode", new Class[] {String.class}, new OtherTargetObject()));
-        List<? extends ConfigAttribute> expectedComputeHashCode = SecurityConfig.createList("ROLE_FROM_OTO");
+        Collection<ConfigAttribute> returnedComputeHashCode = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "computeHashCode", new Class[] {String.class}, new OtherTargetObject()));
+        List<ConfigAttribute> expectedComputeHashCode = SecurityConfig.createList("ROLE_FROM_OTO");
        assertEquals(expectedComputeHashCode, returnedComputeHashCode);

        returnedComputeHashCode = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "computeHashCode", new Class[] {String.class}, new TargetObject()));
@ -160,19 +161,19 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {
				@@ -160,19 +161,19 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {
        MapBasedMethodSecurityMetadataSource map = (MapBasedMethodSecurityMetadataSource) editor.getValue();
        assertEquals(14, map.getMethodMapSize());

-        List<? extends ConfigAttribute> returnedMakeLower = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
+        Collection<ConfigAttribute> returnedMakeLower = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
                    "makeLowerCase", new Class[] {String.class}, new TargetObject()));
-        List<? extends ConfigAttribute> expectedMakeLower = SecurityConfig.createList("ROLE_LOWER");
+        List<ConfigAttribute> expectedMakeLower = SecurityConfig.createList("ROLE_LOWER");
        assertEquals(expectedMakeLower, returnedMakeLower);

-        List<? extends ConfigAttribute> returnedMakeUpper = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
+        Collection<ConfigAttribute> returnedMakeUpper = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
                    "makeUpperCase", new Class[] {String.class}, new TargetObject()));
-        List<? extends ConfigAttribute> expectedMakeUpper = SecurityConfig.createList("ROLE_UPPER");
+        List<ConfigAttribute> expectedMakeUpper = SecurityConfig.createList("ROLE_UPPER");
        assertEquals(expectedMakeUpper, returnedMakeUpper);

-        List<? extends ConfigAttribute> returnedCountLength = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
+        Collection<ConfigAttribute> returnedCountLength = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
                    "countLength", new Class[] {String.class}, new TargetObject()));
-        List<? extends ConfigAttribute> expectedCountLength = SecurityConfig.createList("ROLE_GENERAL");
+        List<ConfigAttribute> expectedCountLength = SecurityConfig.createList("ROLE_GENERAL");
        assertEquals(expectedCountLength, returnedCountLength);
    }

@ -182,7 +183,7 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {
				@@ -182,7 +183,7 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {

        MapBasedMethodSecurityMetadataSource map = (MapBasedMethodSecurityMetadataSource) editor.getValue();

-        List<? extends ConfigAttribute> configAttributeDefinition = map.getAttributes(new MockMethodInvocation(
+        Collection<ConfigAttribute> configAttributeDefinition = map.getAttributes(new MockMethodInvocation(
                    ITargetObject.class, "makeLowerCase", new Class[] {String.class}, new TargetObject()));
        assertNull(configAttributeDefinition);
    }
@ -201,7 +202,7 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {
				@@ -201,7 +202,7 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {

        MapBasedMethodSecurityMetadataSource map = (MapBasedMethodSecurityMetadataSource) editor.getValue();

-        List<? extends ConfigAttribute> returnedCountLength = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
+        Collection<ConfigAttribute> returnedCountLength = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
                    "countLength", new Class[] {String.class}, new TargetObject()));
        assertEquals(SecurityConfig.createList("ROLE_ONE", "ROLE_TWO", "RUN_AS_ENTRY"), returnedCountLength);
    }
--- a/core/src/test/java/org/springframework/security/access/intercept/method/MockMethodSecurityMetadataSource.java
+++ b/core/src/test/java/org/springframework/security/access/intercept/method/MockMethodSecurityMetadataSource.java
@ -64,7 +64,7 @@ public class MockMethodSecurityMetadataSource implements MethodSecurityMetadataS
				@@ -64,7 +64,7 @@ public class MockMethodSecurityMetadataSource implements MethodSecurityMetadataS
        }
    }

-    public List<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
+    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        throw new UnsupportedOperationException("mock method not implemented");
    }

--- a/core/src/test/java/org/springframework/security/access/vote/AbstractAccessDecisionManagerTests.java
+++ b/core/src/test/java/org/springframework/security/access/vote/AbstractAccessDecisionManagerTests.java
@ -25,6 +25,7 @@ import org.springframework.security.access.vote.AbstractAccessDecisionManager;
				@@ -25,6 +25,7 @@ import org.springframework.security.access.vote.AbstractAccessDecisionManager;
 import org.springframework.security.access.vote.RoleVoter;
 import org.springframework.security.core.Authentication;

+import java.util.Collection;
 import java.util.List;
 import java.util.Vector;

@ -148,7 +149,7 @@ public class AbstractAccessDecisionManagerTests extends TestCase {
				@@ -148,7 +149,7 @@ public class AbstractAccessDecisionManagerTests extends TestCase {
    //~ Inner Classes ==================================================================================================

    private class MockDecisionManagerImpl extends AbstractAccessDecisionManager {
-        public void decide(Authentication authentication, Object object, List<ConfigAttribute> configAttributes)
+        public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException {
            return;
        }
@ -167,7 +168,7 @@ public class AbstractAccessDecisionManagerTests extends TestCase {
				@@ -167,7 +168,7 @@ public class AbstractAccessDecisionManagerTests extends TestCase {
            throw new UnsupportedOperationException("mock method not implemented");
        }

-        public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+        public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
            throw new UnsupportedOperationException("mock method not implemented");
        }
    }
--- a/core/src/test/java/org/springframework/security/access/vote/AbstractAclVoterTests.java
+++ b/core/src/test/java/org/springframework/security/access/vote/AbstractAclVoterTests.java
@ -4,7 +4,7 @@ import static org.junit.Assert.*;
				@@ -4,7 +4,7 @@ import static org.junit.Assert.*;

 import java.lang.reflect.Method;
 import java.util.ArrayList;
-import java.util.List;
+import java.util.Collection;

 import org.aopalliance.intercept.MethodInvocation;
 import org.aspectj.lang.JoinPoint;
@ -25,7 +25,7 @@ public class AbstractAclVoterTests {
				@@ -25,7 +25,7 @@ public class AbstractAclVoterTests {
        public boolean supports(ConfigAttribute attribute) {
            return false;
        }
-        public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+        public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
            return 0;
        }
    };
--- a/core/src/test/java/org/springframework/security/access/vote/DenyAgainVoter.java
+++ b/core/src/test/java/org/springframework/security/access/vote/DenyAgainVoter.java
@ -19,8 +19,8 @@ import org.springframework.security.access.AccessDecisionVoter;
				@@ -19,8 +19,8 @@ import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;

+import java.util.Collection;
 import java.util.Iterator;
-import java.util.List;

 /**
 * Implementation of an {@link AccessDecisionVoter} for unit testing.
@ -50,7 +50,7 @@ public class DenyAgainVoter implements AccessDecisionVoter {
				@@ -50,7 +50,7 @@ public class DenyAgainVoter implements AccessDecisionVoter {
        return true;
    }

-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        Iterator<ConfigAttribute> iter = attributes.iterator();

        while (iter.hasNext()) {
--- a/core/src/test/java/org/springframework/security/access/vote/DenyVoter.java
+++ b/core/src/test/java/org/springframework/security/access/vote/DenyVoter.java
@ -19,8 +19,8 @@ import org.springframework.security.access.AccessDecisionVoter;
				@@ -19,8 +19,8 @@ import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;

+import java.util.Collection;
 import java.util.Iterator;
-import java.util.List;


 /**
@ -46,7 +46,7 @@ public class DenyVoter implements AccessDecisionVoter {
				@@ -46,7 +46,7 @@ public class DenyVoter implements AccessDecisionVoter {
        return true;
    }

-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        Iterator<ConfigAttribute> iter = attributes.iterator();

        while (iter.hasNext()) {
--- a/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java
+++ b/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java
@ -20,8 +20,8 @@ import java.io.IOException;
				@@ -20,8 +20,8 @@ import java.io.IOException;
 import java.io.PrintWriter;
 import java.io.UnsupportedEncodingException;
 import java.security.Principal;
+import java.util.Collection;
 import java.util.Enumeration;
-import java.util.List;
 import java.util.Locale;
 import java.util.Map;

@ -120,7 +120,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
				@@ -120,7 +120,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
        }

        FilterInvocation fi = createFilterInvocation(contextPath, uri, method);
-        List<ConfigAttribute> attrs = securityInterceptor.obtainSecurityMetadataSource().getAttributes(fi);
+        Collection<ConfigAttribute> attrs = securityInterceptor.obtainSecurityMetadataSource().getAttributes(fi);

        if (attrs == null) {
            if (securityInterceptor.isRejectPublicInvocations()) {
--- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManager.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManager.java
@ -19,7 +19,7 @@ import org.springframework.security.access.ConfigAttribute;
				@@ -19,7 +19,7 @@ import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.web.FilterInvocation;

 import java.io.IOException;
-import java.util.List;
+import java.util.Collection;

 import javax.servlet.ServletException;

@ -38,7 +38,7 @@ public interface ChannelDecisionManager {
				@@ -38,7 +38,7 @@ public interface ChannelDecisionManager {
     * security based on the requested list of <tt>ConfigAttribute</tt>s.
     *
     */
-    void decide(FilterInvocation invocation, List<ConfigAttribute> config) throws IOException, ServletException;
+    void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException;

    /**
     * Indicates whether this <code>ChannelDecisionManager</code> is able to process the passed
--- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImpl.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImpl.java
@ -25,6 +25,7 @@ import org.springframework.util.Assert;
				@@ -25,6 +25,7 @@ import org.springframework.util.Assert;
 import java.io.IOException;

 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;

@ -61,7 +62,7 @@ public class ChannelDecisionManagerImpl implements ChannelDecisionManager, Initi
				@@ -61,7 +62,7 @@ public class ChannelDecisionManagerImpl implements ChannelDecisionManager, Initi
        Assert.notEmpty(channelProcessors, "A list of ChannelProcessors is required");
    }

-    public void decide(FilterInvocation invocation, List<ConfigAttribute> config) throws IOException, ServletException {
+    public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {

        Iterator<ConfigAttribute> attrs = config.iterator();

--- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java
@ -18,7 +18,6 @@ package org.springframework.security.web.access.channel;
				@@ -18,7 +18,6 @@ package org.springframework.security.web.access.channel;
 import java.io.IOException;
 import java.util.Collection;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Set;

 import javax.servlet.FilterChain;
@ -94,7 +93,7 @@ public class ChannelProcessingFilter extends GenericFilterBean {
				@@ -94,7 +93,7 @@ public class ChannelProcessingFilter extends GenericFilterBean {
        HttpServletResponse response = (HttpServletResponse) res;

        FilterInvocation fi = new FilterInvocation(request, response, chain);
-        List<ConfigAttribute> attr = this.securityMetadataSource.getAttributes(fi);
+        Collection<ConfigAttribute> attr = this.securityMetadataSource.getAttributes(fi);

        if (attr != null) {
            if (logger.isDebugEnabled()) {
--- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessor.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessor.java
@ -19,7 +19,7 @@ import org.springframework.security.access.ConfigAttribute;
				@@ -19,7 +19,7 @@ import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.web.FilterInvocation;

 import java.io.IOException;
-import java.util.List;
+import java.util.Collection;

 import javax.servlet.ServletException;

@ -44,7 +44,7 @@ public interface ChannelProcessor {
				@@ -44,7 +44,7 @@ public interface ChannelProcessor {
     * security based on the requested list of <tt>ConfigAttribute</tt>s.
     *
     */
-    void decide(FilterInvocation invocation, List<ConfigAttribute> config) throws IOException, ServletException;
+    void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException;

    /**
     * Indicates whether this <code>ChannelProcessor</code> is able to process the passed
--- a/web/src/main/java/org/springframework/security/web/access/channel/InsecureChannelProcessor.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/InsecureChannelProcessor.java
@ -16,7 +16,7 @@
				@@ -16,7 +16,7 @@
 package org.springframework.security.web.access.channel;

 import java.io.IOException;
-import java.util.List;
+import java.util.Collection;

 import javax.servlet.ServletException;

@ -52,7 +52,7 @@ public class InsecureChannelProcessor implements InitializingBean, ChannelProces
				@@ -52,7 +52,7 @@ public class InsecureChannelProcessor implements InitializingBean, ChannelProces
        Assert.notNull(entryPoint, "entryPoint required");
    }

-    public void decide(FilterInvocation invocation, List<ConfigAttribute> config) throws IOException, ServletException {
+    public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {
        if ((invocation == null) || (config == null)) {
            throw new IllegalArgumentException("Nulls cannot be provided");
        }
--- a/web/src/main/java/org/springframework/security/web/access/channel/SecureChannelProcessor.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/SecureChannelProcessor.java
@ -16,7 +16,7 @@
				@@ -16,7 +16,7 @@
 package org.springframework.security.web.access.channel;

 import java.io.IOException;
-import java.util.List;
+import java.util.Collection;

 import javax.servlet.ServletException;

@ -52,7 +52,7 @@ public class SecureChannelProcessor implements InitializingBean, ChannelProcesso
				@@ -52,7 +52,7 @@ public class SecureChannelProcessor implements InitializingBean, ChannelProcesso
        Assert.notNull(entryPoint, "entryPoint required");
    }

-    public void decide(FilterInvocation invocation, List<ConfigAttribute> config) throws IOException, ServletException {
+    public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {
        Assert.isTrue((invocation != null) && (config != null), "Nulls cannot be provided");

        for (ConfigAttribute attribute : config) {
--- a/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionVoter.java
+++ b/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionVoter.java
@ -1,6 +1,6 @@
				@@ -1,6 +1,6 @@
 package org.springframework.security.web.access.expression;

-import java.util.List;
+import java.util.Collection;

 import org.springframework.expression.EvaluationContext;
 import org.springframework.security.access.AccessDecisionVoter;
@ -18,7 +18,7 @@ import org.springframework.security.web.FilterInvocation;
				@@ -18,7 +18,7 @@ import org.springframework.security.web.FilterInvocation;
 public class WebExpressionVoter implements AccessDecisionVoter {
    private WebSecurityExpressionHandler expressionHandler = new DefaultWebSecurityExpressionHandler();

-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        assert authentication != null;
        assert object != null;
        assert attributes != null;
@ -36,7 +36,7 @@ public class WebExpressionVoter implements AccessDecisionVoter {
				@@ -36,7 +36,7 @@ public class WebExpressionVoter implements AccessDecisionVoter {
                ACCESS_GRANTED : ACCESS_DENIED;
    }

-    private WebExpressionConfigAttribute findConfigAttribute(List<ConfigAttribute> attributes) {
+    private WebExpressionConfigAttribute findConfigAttribute(Collection<ConfigAttribute> attributes) {
        for (ConfigAttribute attribute : attributes) {
            if (attribute instanceof WebExpressionConfigAttribute) {
                return (WebExpressionConfigAttribute)attribute;
--- a/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java
+++ b/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java
@ -138,7 +138,7 @@ public class DefaultFilterInvocationSecurityMetadataSource implements FilterInvo
				@@ -138,7 +138,7 @@ public class DefaultFilterInvocationSecurityMetadataSource implements FilterInvo
    }


-    public List<ConfigAttribute> getAttributes(Object object) {
+    public Collection<ConfigAttribute> getAttributes(Object object) {
        if ((object == null) || !this.supports(object.getClass())) {
            throw new IllegalArgumentException("Object must be a FilterInvocation");
        }
--- a/web/src/test/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImplTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImplTests.java
@ -18,6 +18,7 @@ package org.springframework.security.web.access.channel;
				@@ -18,6 +18,7 @@ package org.springframework.security.web.access.channel;
 import static org.mockito.Mockito.mock;

 import java.io.IOException;
+import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Vector;
@ -188,7 +189,7 @@ public class ChannelDecisionManagerImplTests extends TestCase {
				@@ -188,7 +189,7 @@ public class ChannelDecisionManagerImplTests extends TestCase {
            this.failIfCalled = failIfCalled;
        }

-        public void decide(FilterInvocation invocation, List<ConfigAttribute> config)
+        public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config)
                throws IOException, ServletException {
            Iterator iter = config.iterator();

--- a/web/src/test/java/org/springframework/security/web/access/channel/ChannelProcessingFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/channel/ChannelProcessingFilterTests.java
@ -163,7 +163,7 @@ public class ChannelProcessingFilterTests {
				@@ -163,7 +163,7 @@ public class ChannelProcessingFilterTests {
            this.supportAttribute = supportAttribute;
        }

-        public void decide(FilterInvocation invocation, List<ConfigAttribute> config)
+        public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config)
            throws IOException, ServletException {
            if (commitAResponse) {
                invocation.getHttpResponse().sendRedirect("/redirected");
--- a/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java
@ -18,6 +18,7 @@ package org.springframework.security.web.access.intercept;
				@@ -18,6 +18,7 @@ package org.springframework.security.web.access.intercept;
 import static org.junit.Assert.*;
 import static org.mockito.Mockito.mock;

+import java.util.Collection;
 import java.util.LinkedHashMap;
 import java.util.List;

@ -130,7 +131,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
				@@ -130,7 +131,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
        createFids("/somepage**", "GET");

        FilterInvocation fi = createFilterInvocation("/somepage", "GET");
-        List<? extends ConfigAttribute> attrs = fids.getAttributes(fi);
+        Collection<ConfigAttribute> attrs = fids.getAttributes(fi);
        assertEquals(def, attrs);
    }

@ -139,7 +140,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
				@@ -139,7 +140,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
        createFids("/somepage**", null);

        FilterInvocation fi = createFilterInvocation("/somepage", "GET");
-        List<? extends ConfigAttribute> attrs = fids.getAttributes(fi);
+        Collection<ConfigAttribute> attrs = fids.getAttributes(fi);
        assertEquals(def, attrs);
    }

@ -148,7 +149,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
				@@ -148,7 +149,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
        createFids("/somepage**", "GET");

        FilterInvocation fi = createFilterInvocation("/somepage", null);
-        List<? extends ConfigAttribute> attrs = fids.getAttributes(fi);
+        Collection<ConfigAttribute> attrs = fids.getAttributes(fi);
        assertNull(attrs);
    }

@ -161,7 +162,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
				@@ -161,7 +162,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
        requestMap.put(new RequestKey("/somepage**", "POST"), postOnlyDef);
        fids = new DefaultFilterInvocationSecurityMetadataSource(new AntUrlPathMatcher(), requestMap);

-        List<ConfigAttribute> attrs = fids.getAttributes(createFilterInvocation("/somepage", "POST"));
+        Collection<ConfigAttribute> attrs = fids.getAttributes(createFilterInvocation("/somepage", "POST"));
        assertEquals(postOnlyDef, attrs);
    }

@ -176,7 +177,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
				@@ -176,7 +177,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
        fids.setStripQueryStringFromUrls(true);

        FilterInvocation fi = createFilterInvocation("/user", "GET");
-        List<ConfigAttribute> attrs = fids.getAttributes(fi);
+        Collection<ConfigAttribute> attrs = fids.getAttributes(fi);
        assertEquals(userAttrs, attrs);
    }