diff --git a/acl/src/main/java/org/springframework/security/acls/AclEntryVoter.java b/acl/src/main/java/org/springframework/security/acls/AclEntryVoter.java
index 5d14ae2b26..3b0205c9e8 100644
--- a/acl/src/main/java/org/springframework/security/acls/AclEntryVoter.java
+++ b/acl/src/main/java/org/springframework/security/acls/AclEntryVoter.java
@@ -17,6 +17,7 @@ package org.springframework.security.acls;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.List;
 
 import org.apache.commons.logging.Log;
@@ -152,7 +153,7 @@ public class AclEntryVoter extends AbstractAclVoter {
         }
     }
 
-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
 
         for(ConfigAttribute attr : attributes) {
 
diff --git a/acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProvider.java b/acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProvider.java
index 98129d9c50..7de76111aa 100644
--- a/acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProvider.java
+++ b/acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProvider.java
@@ -73,7 +73,7 @@ public class AclEntryAfterInvocationCollectionFilteringProvider extends Abstract
     //~ Methods ========================================================================================================
 
     @SuppressWarnings("unchecked")
-    public Object decide(Authentication authentication, Object object, List<ConfigAttribute> config,
+    public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config,
             Object returnedObject) throws AccessDeniedException {
 
         if (returnedObject == null) {
diff --git a/acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProvider.java b/acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProvider.java
index 6f8652d7cd..57f57598f2 100644
--- a/acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProvider.java
+++ b/acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProvider.java
@@ -14,6 +14,7 @@
  */
 package org.springframework.security.acls.afterinvocation;
 
+import java.util.Collection;
 import java.util.List;
 
 import org.apache.commons.logging.Log;
@@ -75,7 +76,7 @@ public class AclEntryAfterInvocationProvider extends AbstractAclProvider impleme
 
     //~ Methods ========================================================================================================
 
-    public Object decide(Authentication authentication, Object object, List<ConfigAttribute> config,
+    public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config,
             Object returnedObject) throws AccessDeniedException {
 
         if (returnedObject == null) {
diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
index c565528d9d..2648510db5 100644
--- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@@ -7,8 +7,6 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.BeanMetadataElement;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.BeanReference;
@@ -59,8 +57,6 @@ import org.w3c.dom.Element;
  * @since 3.0
  */
 class HttpConfigurationBuilder {
-    private final Log logger = LogFactory.getLog(getClass());
-
     private static final String ATT_CREATE_SESSION = "create-session";
     private static final String OPT_CREATE_SESSION_NEVER = "never";
     private static final String DEF_CREATE_SESSION_IF_REQUIRED = "ifRequired";
diff --git a/config/src/test/java/org/springframework/security/config/MockAfterInvocationProvider.java b/config/src/test/java/org/springframework/security/config/MockAfterInvocationProvider.java
index 04cc7d9a13..aa6c3305a1 100644
--- a/config/src/test/java/org/springframework/security/config/MockAfterInvocationProvider.java
+++ b/config/src/test/java/org/springframework/security/config/MockAfterInvocationProvider.java
@@ -1,6 +1,6 @@
 package org.springframework.security.config;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.AfterInvocationProvider;
@@ -9,7 +9,7 @@ import org.springframework.security.core.Authentication;
 
 public class MockAfterInvocationProvider implements AfterInvocationProvider {
 
-    public Object decide(Authentication authentication, Object object, List<ConfigAttribute> config, Object returnedObject)
+    public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config, Object returnedObject)
             throws AccessDeniedException {
         return returnedObject;
     }
diff --git a/config/src/test/java/org/springframework/security/config/http/FilterSecurityMetadataSourceBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/FilterSecurityMetadataSourceBeanDefinitionParserTests.java
index 08f82ba9ec..439ea0b6a4 100644
--- a/config/src/test/java/org/springframework/security/config/http/FilterSecurityMetadataSourceBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/FilterSecurityMetadataSourceBeanDefinitionParserTests.java
@@ -2,7 +2,7 @@ package org.springframework.security.config.http;
 
 import static org.junit.Assert.*;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.junit.After;
 import org.junit.Test;
@@ -47,7 +47,7 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
                 "   <intercept-url pattern='/**' access='ROLE_A'/>" +
                 "</filter-security-metadata-source>");
         DefaultFilterInvocationSecurityMetadataSource fids = (DefaultFilterInvocationSecurityMetadataSource) appContext.getBean("fids");
-        List<? extends ConfigAttribute> cad = fids.getAttributes(createFilterInvocation("/anything", "GET"));
+        Collection<ConfigAttribute> cad = fids.getAttributes(createFilterInvocation("/anything", "GET"));
         assertNotNull(cad);
         assertTrue(cad.contains(new SecurityConfig("ROLE_A")));
     }
@@ -61,9 +61,9 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
 
         ExpressionBasedFilterInvocationSecurityMetadataSource fids =
             (ExpressionBasedFilterInvocationSecurityMetadataSource) appContext.getBean("fids");
-        List<? extends ConfigAttribute> cad = fids.getAttributes(createFilterInvocation("/anything", "GET"));
-        assertEquals(1, cad.size());
-        assertEquals("hasRole('ROLE_A')", cad.get(0).toString());
+        ConfigAttribute[] cad = fids.getAttributes(createFilterInvocation("/anything", "GET")).toArray(new ConfigAttribute[0]);
+        assertEquals(1, cad.length);
+        assertEquals("hasRole('ROLE_A')", cad[0].toString());
     }
 
     // SEC-1201
@@ -77,10 +77,10 @@ public class FilterSecurityMetadataSourceBeanDefinitionParserTests {
                 "   <intercept-url pattern='${secure.url}' access='${secure.role}'/>" +
                 "</filter-security-metadata-source>");
         DefaultFilterInvocationSecurityMetadataSource fids = (DefaultFilterInvocationSecurityMetadataSource) appContext.getBean("fids");
-        List<ConfigAttribute> cad = fids.getAttributes(createFilterInvocation("/secure", "GET"));
+        Collection<ConfigAttribute> cad = fids.getAttributes(createFilterInvocation("/secure", "GET"));
         assertNotNull(cad);
         assertEquals(1, cad.size());
-        assertEquals("ROLE_A", cad.get(0).getAttribute());
+        assertTrue(cad.contains(new SecurityConfig("ROLE_A")));
     }
 
     @Test
diff --git a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
index f6f4aa9825..e22bd6efd4 100644
--- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
@@ -7,6 +7,7 @@ import static org.springframework.security.config.http.AuthenticationConfigBuild
 
 import java.lang.reflect.Method;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
@@ -286,7 +287,7 @@ public class HttpSecurityBeanDefinitionParserTests {
         FilterSecurityInterceptor fis = (FilterSecurityInterceptor) getFilter(FilterSecurityInterceptor.class);
 
         FilterInvocationSecurityMetadataSource fids = fis.getSecurityMetadataSource();
-        List<ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/Secure", null));
+        Collection<ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/Secure", null));
         assertEquals(2, attrDef.size());
         assertTrue(attrDef.contains(new SecurityConfig("ROLE_A")));
         assertTrue(attrDef.contains(new SecurityConfig("ROLE_B")));
@@ -314,10 +315,10 @@ public class HttpSecurityBeanDefinitionParserTests {
         // Check the security attribute
         FilterSecurityInterceptor fis = (FilterSecurityInterceptor) getFilter(FilterSecurityInterceptor.class);
         FilterInvocationSecurityMetadataSource fids = fis.getSecurityMetadataSource();
-        List<ConfigAttribute> attrs = fids.getAttributes(createFilterinvocation("/secure", null));
+        Collection<ConfigAttribute> attrs = fids.getAttributes(createFilterinvocation("/secure", null));
         assertNotNull(attrs);
         assertEquals(1, attrs.size());
-        assertEquals("ROLE_A",attrs.get(0).getAttribute());
+        assertTrue(attrs.contains(new SecurityConfig("ROLE_A")));
 
         // Check the form login properties are set
         UsernamePasswordAuthenticationFilter apf = (UsernamePasswordAuthenticationFilter)
@@ -340,7 +341,7 @@ public class HttpSecurityBeanDefinitionParserTests {
 
         FilterSecurityInterceptor fis = (FilterSecurityInterceptor) getFilter(FilterSecurityInterceptor.class);
         FilterInvocationSecurityMetadataSource fids = fis.getSecurityMetadataSource();
-        List<? extends ConfigAttribute> attrs = fids.getAttributes(createFilterinvocation("/secure", "POST"));
+        Collection<ConfigAttribute> attrs = fids.getAttributes(createFilterinvocation("/secure", "POST"));
         assertEquals(2, attrs.size());
         assertTrue(attrs.contains(new SecurityConfig("ROLE_A")));
         assertTrue(attrs.contains(new SecurityConfig("ROLE_B")));
@@ -904,7 +905,7 @@ public class HttpSecurityBeanDefinitionParserTests {
         FilterSecurityInterceptor fis = (FilterSecurityInterceptor) getFilter(FilterSecurityInterceptor.class);
 
         FilterInvocationSecurityMetadataSource fids = fis.getSecurityMetadataSource();
-        List<? extends ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/someurl", null));
+        Collection<ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/someurl", null));
         assertEquals(1, attrDef.size());
         assertTrue(attrDef.contains(new SecurityConfig("ROLE_B")));
     }
@@ -942,7 +943,7 @@ public class HttpSecurityBeanDefinitionParserTests {
         FilterSecurityInterceptor fis = (FilterSecurityInterceptor) getFilter(FilterSecurityInterceptor.class);
 
         FilterInvocationSecurityMetadataSource fids = fis.getSecurityMetadataSource();
-        List<? extends ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/secure", null));
+        Collection<ConfigAttribute> attrDef = fids.getAttributes(createFilterinvocation("/secure", null));
         assertEquals(1, attrDef.size());
 
         // Try an unprotected invocation
diff --git a/core/src/main/java/org/springframework/security/access/AccessDecisionManager.java b/core/src/main/java/org/springframework/security/access/AccessDecisionManager.java
index 852c9e3e90..ed97d2f95e 100644
--- a/core/src/main/java/org/springframework/security/access/AccessDecisionManager.java
+++ b/core/src/main/java/org/springframework/security/access/AccessDecisionManager.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.authentication.InsufficientAuthenticationException;
 import org.springframework.security.core.Authentication;
@@ -41,7 +41,7 @@ public interface AccessDecisionManager {
      * @throws InsufficientAuthenticationException if access is denied as the authentication does not provide a
      *         sufficient level of trust
      */
-    void decide(Authentication authentication, Object object, List<ConfigAttribute> configAttributes)
+    void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
         throws AccessDeniedException, InsufficientAuthenticationException;
 
     /**
diff --git a/core/src/main/java/org/springframework/security/access/AccessDecisionVoter.java b/core/src/main/java/org/springframework/security/access/AccessDecisionVoter.java
index cd3af8c015..411d0fc319 100644
--- a/core/src/main/java/org/springframework/security/access/AccessDecisionVoter.java
+++ b/core/src/main/java/org/springframework/security/access/AccessDecisionVoter.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.core.Authentication;
 
@@ -87,5 +87,5 @@ public interface AccessDecisionVoter {
      *
      * @return either {@link #ACCESS_GRANTED}, {@link #ACCESS_ABSTAIN} or {@link #ACCESS_DENIED}
      */
-    int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes);
+    int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes);
 }
diff --git a/core/src/main/java/org/springframework/security/access/AfterInvocationProvider.java b/core/src/main/java/org/springframework/security/access/AfterInvocationProvider.java
index b55cb0c07a..2070b0a157 100644
--- a/core/src/main/java/org/springframework/security/access/AfterInvocationProvider.java
+++ b/core/src/main/java/org/springframework/security/access/AfterInvocationProvider.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.intercept.AfterInvocationProviderManager;
 import org.springframework.security.core.Authentication;
@@ -30,7 +30,7 @@ import org.springframework.security.core.Authentication;
 public interface AfterInvocationProvider {
     //~ Methods ========================================================================================================
 
-    Object decide(Authentication authentication, Object object, List<ConfigAttribute> config,
+    Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> attributes,
         Object returnedObject) throws AccessDeniedException;
 
     /**
diff --git a/core/src/main/java/org/springframework/security/access/SecurityMetadataSource.java b/core/src/main/java/org/springframework/security/access/SecurityMetadataSource.java
index 4d546a0cbe..905b643d9f 100644
--- a/core/src/main/java/org/springframework/security/access/SecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/SecurityMetadataSource.java
@@ -16,7 +16,6 @@
 package org.springframework.security.access;
 
 import java.util.Collection;
-import java.util.List;
 
 import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
@@ -44,7 +43,7 @@ public interface SecurityMetadataSource extends AopInfrastructureBean {
      * @throws IllegalArgumentException if the passed object is not of a type supported by the
      *         <code>SecurityMetadataSource</code> implementation
      */
-    List<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException;
+    Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException;
 
     /**
      * If available, returns all of the <code>ConfigAttribute</code>s defined by the implementing class.
diff --git a/core/src/main/java/org/springframework/security/access/annotation/Jsr250Voter.java b/core/src/main/java/org/springframework/security/access/annotation/Jsr250Voter.java
index c62bfe6af6..697cffba65 100644
--- a/core/src/main/java/org/springframework/security/access/annotation/Jsr250Voter.java
+++ b/core/src/main/java/org/springframework/security/access/annotation/Jsr250Voter.java
@@ -1,6 +1,6 @@
 package org.springframework.security.access.annotation;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
@@ -43,7 +43,7 @@ public class Jsr250Voter implements AccessDecisionVoter {
      * @param definition     The configuration definition.
      * @return The vote.
      */
-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> definition) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> definition) {
         for (ConfigAttribute attribute : definition) {
             if (Jsr250SecurityConfig.PERMIT_ALL_ATTRIBUTE.equals(attribute)) {
                 return ACCESS_GRANTED;
diff --git a/core/src/main/java/org/springframework/security/access/event/AuthenticationCredentialsNotFoundEvent.java b/core/src/main/java/org/springframework/security/access/event/AuthenticationCredentialsNotFoundEvent.java
index 952a739731..58a277240a 100644
--- a/core/src/main/java/org/springframework/security/access/event/AuthenticationCredentialsNotFoundEvent.java
+++ b/core/src/main/java/org/springframework/security/access/event/AuthenticationCredentialsNotFoundEvent.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access.event;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
@@ -32,7 +32,7 @@ public class AuthenticationCredentialsNotFoundEvent extends AbstractAuthorizatio
     //~ Instance fields ================================================================================================
 
     private AuthenticationCredentialsNotFoundException credentialsNotFoundException;
-    private List<ConfigAttribute> configAttribs;
+    private Collection<ConfigAttribute> configAttribs;
 
     //~ Constructors ===================================================================================================
 
@@ -40,25 +40,25 @@ public class AuthenticationCredentialsNotFoundEvent extends AbstractAuthorizatio
      * Construct the event.
      *
      * @param secureObject the secure object
-     * @param configAttribs that apply to the secure object
+     * @param attributes that apply to the secure object
      * @param credentialsNotFoundException exception returned to the caller (contains reason)
      *
      */
-    public AuthenticationCredentialsNotFoundEvent(Object secureObject, List<ConfigAttribute> configAttribs,
+    public AuthenticationCredentialsNotFoundEvent(Object secureObject, Collection<ConfigAttribute> attributes,
             AuthenticationCredentialsNotFoundException credentialsNotFoundException) {
         super(secureObject);
 
-        if ((configAttribs == null) || (credentialsNotFoundException == null)) {
+        if ((attributes == null) || (credentialsNotFoundException == null)) {
             throw new IllegalArgumentException("All parameters are required and cannot be null");
         }
 
-        this.configAttribs = configAttribs;
+        this.configAttribs = attributes;
         this.credentialsNotFoundException = credentialsNotFoundException;
     }
 
     //~ Methods ========================================================================================================
 
-    public List<ConfigAttribute> getConfigAttributes() {
+    public Collection<ConfigAttribute> getConfigAttributes() {
         return configAttribs;
     }
 
diff --git a/core/src/main/java/org/springframework/security/access/event/AuthorizationFailureEvent.java b/core/src/main/java/org/springframework/security/access/event/AuthorizationFailureEvent.java
index 5a4aa87fd8..f626bf9b55 100644
--- a/core/src/main/java/org/springframework/security/access/event/AuthorizationFailureEvent.java
+++ b/core/src/main/java/org/springframework/security/access/event/AuthorizationFailureEvent.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access.event;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
@@ -38,7 +38,7 @@ public class AuthorizationFailureEvent extends AbstractAuthorizationEvent {
 
     private AccessDeniedException accessDeniedException;
     private Authentication authentication;
-    private List<ConfigAttribute> configAttributeDefinition;
+    private Collection<ConfigAttribute> configAttributes;
 
     //~ Constructors ===================================================================================================
 
@@ -46,22 +46,22 @@ public class AuthorizationFailureEvent extends AbstractAuthorizationEvent {
      * Construct the event.
      *
      * @param secureObject the secure object
-     * @param configAttribs that apply to the secure object
+     * @param attributes that apply to the secure object
      * @param authentication that was found in the <code>SecurityContextHolder</code>
      * @param accessDeniedException that was returned by the
      *        <code>AccessDecisionManager</code>
      *
      * @throws IllegalArgumentException if any null arguments are presented.
      */
-    public AuthorizationFailureEvent(Object secureObject, List<ConfigAttribute> configAttribs,
+    public AuthorizationFailureEvent(Object secureObject, Collection<ConfigAttribute> attributes,
         Authentication authentication, AccessDeniedException accessDeniedException) {
         super(secureObject);
 
-        if ((configAttribs == null) || (authentication == null) || (accessDeniedException == null)) {
+        if ((attributes == null) || (authentication == null) || (accessDeniedException == null)) {
             throw new IllegalArgumentException("All parameters are required and cannot be null");
         }
 
-        this.configAttributeDefinition = configAttribs;
+        this.configAttributes = attributes;
         this.authentication = authentication;
         this.accessDeniedException = accessDeniedException;
     }
@@ -76,7 +76,7 @@ public class AuthorizationFailureEvent extends AbstractAuthorizationEvent {
         return authentication;
     }
 
-    public List<ConfigAttribute> getConfigAttributes() {
-        return configAttributeDefinition;
+    public Collection<ConfigAttribute> getConfigAttributes() {
+        return configAttributes;
     }
 }
diff --git a/core/src/main/java/org/springframework/security/access/event/AuthorizedEvent.java b/core/src/main/java/org/springframework/security/access/event/AuthorizedEvent.java
index 622d285968..b186d5bfe8 100644
--- a/core/src/main/java/org/springframework/security/access/event/AuthorizedEvent.java
+++ b/core/src/main/java/org/springframework/security/access/event/AuthorizedEvent.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access.event;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
@@ -32,7 +32,7 @@ public class AuthorizedEvent extends AbstractAuthorizationEvent {
     //~ Instance fields ================================================================================================
 
     private Authentication authentication;
-    private List<ConfigAttribute> configAttributeDefinition;
+    private Collection<ConfigAttribute> configAttributes;
 
     //~ Constructors ===================================================================================================
 
@@ -40,18 +40,18 @@ public class AuthorizedEvent extends AbstractAuthorizationEvent {
      * Construct the event.
      *
      * @param secureObject the secure object
-     * @param configAttribs that apply to the secure object
+     * @param attributes that apply to the secure object
      * @param authentication that successfully called the secure object
      *
      */
-    public AuthorizedEvent(Object secureObject, List<ConfigAttribute> configAttribs, Authentication authentication) {
+    public AuthorizedEvent(Object secureObject, Collection<ConfigAttribute> attributes, Authentication authentication) {
         super(secureObject);
 
-        if ((configAttribs == null) || (authentication == null)) {
+        if ((attributes == null) || (authentication == null)) {
             throw new IllegalArgumentException("All parameters are required and cannot be null");
         }
 
-        this.configAttributeDefinition = configAttribs;
+        this.configAttributes = attributes;
         this.authentication = authentication;
     }
 
@@ -61,7 +61,7 @@ public class AuthorizedEvent extends AbstractAuthorizationEvent {
         return authentication;
     }
 
-    public List<ConfigAttribute> getConfigAttributes() {
-        return configAttributeDefinition;
+    public Collection<ConfigAttribute> getConfigAttributes() {
+        return configAttributes;
     }
 }
diff --git a/core/src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java b/core/src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java
index 95e79d8724..9614ecec38 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java
@@ -17,7 +17,6 @@ package org.springframework.security.access.intercept;
 
 import java.util.Collection;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Set;
 
 import org.apache.commons.logging.Log;
@@ -170,7 +169,7 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
                     + getSecureObjectClass());
         }
 
-        List<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);
+        Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);
 
         if (attributes == null) {
             if (rejectPublicInvocations) {
@@ -319,7 +318,7 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
      * @param secureObject  that was being called
      * @param configAttribs that were defined for the secureObject
      */
-    private void credentialsNotFound(String reason, Object secureObject, List<ConfigAttribute> configAttribs) {
+    private void credentialsNotFound(String reason, Object secureObject, Collection<ConfigAttribute> configAttribs) {
         AuthenticationCredentialsNotFoundException exception = new AuthenticationCredentialsNotFoundException(reason);
 
         AuthenticationCredentialsNotFoundEvent event = new AuthenticationCredentialsNotFoundEvent(secureObject,
diff --git a/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationManager.java b/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationManager.java
index 944b7828ac..3bea2b0a85 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationManager.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationManager.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access.intercept;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
@@ -57,7 +57,7 @@ public interface AfterInvocationManager {
      *
      * @param authentication the caller that invoked the method
      * @param object the secured object that was called
-     * @param config the configuration attributes associated with the secured object that was invoked
+     * @param attributes the configuration attributes associated with the secured object that was invoked
      * @param returnedObject the <code>Object</code> that was returned from the secure object invocation
      *
      * @return the <code>Object</code> that will ultimately be returned to the caller (if an implementation does not
@@ -66,7 +66,7 @@ public interface AfterInvocationManager {
      *
      * @throws AccessDeniedException if access is denied
      */
-    Object decide(Authentication authentication, Object object, List<ConfigAttribute> config,
+    Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> attributes,
         Object returnedObject) throws AccessDeniedException;
 
     /**
diff --git a/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationProviderManager.java b/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationProviderManager.java
index 7dfd32aca1..1d9d54a0d9 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationProviderManager.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationProviderManager.java
@@ -16,6 +16,7 @@
 package org.springframework.security.access.intercept;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 
 import org.apache.commons.logging.Log;
@@ -63,7 +64,7 @@ public class AfterInvocationProviderManager implements AfterInvocationManager, I
         }
     }
 
-    public Object decide(Authentication authentication, Object object, List<ConfigAttribute> config,
+    public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config,
             Object returnedObject) throws AccessDeniedException {
 
         Object result = returnedObject;
diff --git a/core/src/main/java/org/springframework/security/access/intercept/InterceptorStatusToken.java b/core/src/main/java/org/springframework/security/access/intercept/InterceptorStatusToken.java
index ec1c2154f0..e33948f4f4 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/InterceptorStatusToken.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/InterceptorStatusToken.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access.intercept;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
@@ -35,23 +35,23 @@ public class InterceptorStatusToken {
     //~ Instance fields ================================================================================================
 
     private Authentication authentication;
-    private List<ConfigAttribute> attr;
+    private Collection<ConfigAttribute> attr;
     private Object secureObject;
     private boolean contextHolderRefreshRequired;
 
     //~ Constructors ===================================================================================================
 
     public InterceptorStatusToken(Authentication authentication, boolean contextHolderRefreshRequired,
-            List<ConfigAttribute> attr, Object secureObject) {
+            Collection<ConfigAttribute> attributes, Object secureObject) {
         this.authentication = authentication;
         this.contextHolderRefreshRequired = contextHolderRefreshRequired;
-        this.attr = attr;
+        this.attr = attributes;
         this.secureObject = secureObject;
     }
 
     //~ Methods ========================================================================================================
 
-    public List<ConfigAttribute> getAttributes() {
+    public Collection<ConfigAttribute> getAttributes() {
         return attr;
     }
 
diff --git a/core/src/main/java/org/springframework/security/access/intercept/MethodInvocationPrivilegeEvaluator.java b/core/src/main/java/org/springframework/security/access/intercept/MethodInvocationPrivilegeEvaluator.java
index 552c0d70b0..33050df604 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/MethodInvocationPrivilegeEvaluator.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/MethodInvocationPrivilegeEvaluator.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access.intercept;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.aopalliance.intercept.MethodInvocation;
 import org.apache.commons.logging.Log;
@@ -58,7 +58,7 @@ public class MethodInvocationPrivilegeEvaluator implements InitializingBean {
         Assert.notNull(mi, "MethodInvocation required");
         Assert.notNull(mi.getMethod(), "MethodInvocation must provide a non-null getMethod()");
 
-        List<ConfigAttribute> attrs = securityInterceptor.obtainSecurityMetadataSource().getAttributes(mi);
+        Collection<ConfigAttribute> attrs = securityInterceptor.obtainSecurityMetadataSource().getAttributes(mi);
 
         if (attrs == null) {
             if (securityInterceptor.isRejectPublicInvocations()) {
diff --git a/core/src/main/java/org/springframework/security/access/intercept/NullRunAsManager.java b/core/src/main/java/org/springframework/security/access/intercept/NullRunAsManager.java
index 250b0b8f2d..40d09c9f06 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/NullRunAsManager.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/NullRunAsManager.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access.intercept;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
@@ -32,7 +32,7 @@ import org.springframework.security.core.Authentication;
 final class NullRunAsManager implements RunAsManager {
     //~ Methods ========================================================================================================
 
-    public Authentication buildRunAs(Authentication authentication, Object object, List<ConfigAttribute> config) {
+    public Authentication buildRunAs(Authentication authentication, Object object, Collection<ConfigAttribute> config) {
         return null;
     }
 
diff --git a/core/src/main/java/org/springframework/security/access/intercept/RunAsManager.java b/core/src/main/java/org/springframework/security/access/intercept/RunAsManager.java
index d8081d7635..b0aa87906c 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/RunAsManager.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/RunAsManager.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access.intercept;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
@@ -71,12 +71,12 @@ public interface RunAsManager {
      *
      * @param authentication the caller invoking the secure object
      * @param object the secured object being called
-     * @param config the configuration attributes associated with the secure object being invoked
+     * @param attributes the configuration attributes associated with the secure object being invoked
      *
      * @return a replacement object to be used for duration of the secure object invocation, or <code>null</code> if
      *         the <code>Authentication</code> should be left as is
      */
-    Authentication buildRunAs(Authentication authentication, Object object, List<ConfigAttribute> config);
+    Authentication buildRunAs(Authentication authentication, Object object, Collection<ConfigAttribute> attributes);
 
     /**
      * Indicates whether this <code>RunAsManager</code> is able to process the passed
diff --git a/core/src/main/java/org/springframework/security/access/intercept/RunAsManagerImpl.java b/core/src/main/java/org/springframework/security/access/intercept/RunAsManagerImpl.java
index d04df0bcd2..9e7bf8a7dd 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/RunAsManagerImpl.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/RunAsManagerImpl.java
@@ -16,6 +16,7 @@
 package org.springframework.security.access.intercept;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 
 import org.springframework.beans.factory.InitializingBean;
@@ -61,7 +62,7 @@ public class RunAsManagerImpl implements RunAsManager, InitializingBean {
         Assert.notNull(key, "A Key is required and should match that configured for the RunAsImplAuthenticationProvider");
     }
 
-    public Authentication buildRunAs(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public Authentication buildRunAs(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
         List<GrantedAuthority> newAuthorities = new ArrayList<GrantedAuthority>();
 
         for (ConfigAttribute attribute : attributes) {
diff --git a/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java b/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java
index 10269892e1..aa8844b1b6 100644
--- a/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java
@@ -29,7 +29,7 @@ import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
 
 import java.lang.reflect.Method;
-import java.util.List;
+import java.util.Collection;
 
 
 /**
@@ -46,7 +46,7 @@ public abstract class AbstractMethodSecurityMetadataSource implements MethodSecu
 
     //~ Methods ========================================================================================================
 
-    public final List<ConfigAttribute> getAttributes(Object object) {
+    public final Collection<ConfigAttribute> getAttributes(Object object) {
         if (object instanceof MethodInvocation) {
             MethodInvocation mi = (MethodInvocation) object;
             Object target = mi.getThis();
diff --git a/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java
index 071682a5c3..4c5436f4dd 100644
--- a/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java
+++ b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java
@@ -1,6 +1,6 @@
 package org.springframework.security.access.prepost;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.aopalliance.intercept.MethodInvocation;
 import org.apache.commons.logging.Log;
@@ -27,7 +27,7 @@ public class PostInvocationAdviceProvider implements AfterInvocationProvider {
         this.postAdvice = postAdvice;
     }
 
-    public Object decide(Authentication authentication, Object object, List<ConfigAttribute> config, Object returnedObject)
+    public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config, Object returnedObject)
             throws AccessDeniedException {
 
         PostInvocationAttribute pia = findPostInvocationAttribute(config);
@@ -39,7 +39,7 @@ public class PostInvocationAdviceProvider implements AfterInvocationProvider {
         return postAdvice.after(authentication, (MethodInvocation)object, pia, returnedObject);
     }
 
-    private PostInvocationAttribute findPostInvocationAttribute(List<ConfigAttribute> config) {
+    private PostInvocationAttribute findPostInvocationAttribute(Collection<ConfigAttribute> config) {
         for (ConfigAttribute attribute : config) {
             if (attribute instanceof PostInvocationAttribute) {
                 return (PostInvocationAttribute)attribute;
diff --git a/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java
index 6f52ecdd72..6d114df16f 100644
--- a/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java
+++ b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java
@@ -1,6 +1,6 @@
 package org.springframework.security.access.prepost;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.aopalliance.intercept.MethodInvocation;
 import org.apache.commons.logging.Log;
@@ -39,7 +39,7 @@ public class PreInvocationAuthorizationAdviceVoter implements AccessDecisionVote
         return clazz.isAssignableFrom(MethodInvocation.class);
     }
 
-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
 
         // Find prefilter and preauth (or combined) attributes
         // if both null, abstain
@@ -57,7 +57,7 @@ public class PreInvocationAuthorizationAdviceVoter implements AccessDecisionVote
         return allowed ? ACCESS_GRANTED : ACCESS_DENIED;
     }
 
-    private PreInvocationAttribute findPreInvocationAttribute(List<ConfigAttribute> config) {
+    private PreInvocationAttribute findPreInvocationAttribute(Collection<ConfigAttribute> config) {
         for (ConfigAttribute attribute : config) {
             if (attribute instanceof PreInvocationAttribute) {
                 return (PreInvocationAttribute)attribute;
diff --git a/core/src/main/java/org/springframework/security/access/vote/AffirmativeBased.java b/core/src/main/java/org/springframework/security/access/vote/AffirmativeBased.java
index 8e9b157c92..4bf7a7292c 100644
--- a/core/src/main/java/org/springframework/security/access/vote/AffirmativeBased.java
+++ b/core/src/main/java/org/springframework/security/access/vote/AffirmativeBased.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access.vote;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.AccessDeniedException;
@@ -42,7 +42,7 @@ public class AffirmativeBased extends AbstractAccessDecisionManager {
      *
      * @throws AccessDeniedException if access is denied
      */
-    public void decide(Authentication authentication, Object object, List<ConfigAttribute> configAttributes)
+    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
             throws AccessDeniedException {
         int deny = 0;
 
diff --git a/core/src/main/java/org/springframework/security/access/vote/AuthenticatedVoter.java b/core/src/main/java/org/springframework/security/access/vote/AuthenticatedVoter.java
index 52458f3a0b..db2d8e55df 100644
--- a/core/src/main/java/org/springframework/security/access/vote/AuthenticatedVoter.java
+++ b/core/src/main/java/org/springframework/security/access/vote/AuthenticatedVoter.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access.vote;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
@@ -86,7 +86,7 @@ public class AuthenticatedVoter implements AccessDecisionVoter {
         return true;
     }
 
-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
         int result = ACCESS_ABSTAIN;
 
         for (ConfigAttribute attribute : attributes) {
diff --git a/core/src/main/java/org/springframework/security/access/vote/ConsensusBased.java b/core/src/main/java/org/springframework/security/access/vote/ConsensusBased.java
index e70d5804eb..d34003419e 100644
--- a/core/src/main/java/org/springframework/security/access/vote/ConsensusBased.java
+++ b/core/src/main/java/org/springframework/security/access/vote/ConsensusBased.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.access.vote;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.AccessDeniedException;
@@ -52,7 +52,7 @@ public class ConsensusBased extends AbstractAccessDecisionManager {
      *
      * @throws AccessDeniedException if access is denied
      */
-    public void decide(Authentication authentication, Object object, List<ConfigAttribute> configAttributes)
+    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
             throws AccessDeniedException {
         int grant = 0;
         int deny = 0;
diff --git a/core/src/main/java/org/springframework/security/access/vote/LabelBasedAclVoter.java b/core/src/main/java/org/springframework/security/access/vote/LabelBasedAclVoter.java
index 227a0cfb61..eb58c47bb1 100644
--- a/core/src/main/java/org/springframework/security/access/vote/LabelBasedAclVoter.java
+++ b/core/src/main/java/org/springframework/security/access/vote/LabelBasedAclVoter.java
@@ -15,6 +15,7 @@
 package org.springframework.security.access.vote;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 
@@ -163,7 +164,7 @@ public class LabelBasedAclVoter extends AbstractAclVoter {
      *
      * @return ACCESS_ABSTAIN, ACCESS_GRANTED, or ACCESS_DENIED.
      */
-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
         int result = ACCESS_ABSTAIN;
 
         if (logger.isDebugEnabled()) {
diff --git a/core/src/main/java/org/springframework/security/access/vote/RoleVoter.java b/core/src/main/java/org/springframework/security/access/vote/RoleVoter.java
index e70fe5b3e7..e7c629c2b7 100644
--- a/core/src/main/java/org/springframework/security/access/vote/RoleVoter.java
+++ b/core/src/main/java/org/springframework/security/access/vote/RoleVoter.java
@@ -16,7 +16,6 @@
 package org.springframework.security.access.vote;
 
 import java.util.Collection;
-import java.util.List;
 
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
@@ -93,7 +92,7 @@ public class RoleVoter implements AccessDecisionVoter {
         return true;
     }
 
-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
         int result = ACCESS_ABSTAIN;
         Collection<GrantedAuthority> authorities = extractAuthorities(authentication);
 
diff --git a/core/src/main/java/org/springframework/security/access/vote/UnanimousBased.java b/core/src/main/java/org/springframework/security/access/vote/UnanimousBased.java
index 103a104f2b..c482feb61b 100644
--- a/core/src/main/java/org/springframework/security/access/vote/UnanimousBased.java
+++ b/core/src/main/java/org/springframework/security/access/vote/UnanimousBased.java
@@ -16,6 +16,7 @@
 package org.springframework.security.access.vote;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 
 import org.springframework.security.access.AccessDecisionVoter;
@@ -48,7 +49,7 @@ public class UnanimousBased extends AbstractAccessDecisionManager {
      *
      * @throws AccessDeniedException if access is denied
      */
-    public void decide(Authentication authentication, Object object, List<ConfigAttribute> attributes)
+    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
              throws AccessDeniedException {
 
         int grant = 0;
diff --git a/core/src/test/java/org/springframework/security/access/annotation/MethodDefinitionSourceEditorTigerTests.java b/core/src/test/java/org/springframework/security/access/annotation/MethodDefinitionSourceEditorTigerTests.java
index 7c1047d556..d47d456741 100644
--- a/core/src/test/java/org/springframework/security/access/annotation/MethodDefinitionSourceEditorTigerTests.java
+++ b/core/src/test/java/org/springframework/security/access/annotation/MethodDefinitionSourceEditorTigerTests.java
@@ -17,6 +17,7 @@ package org.springframework.security.access.annotation;
 
 import static org.junit.Assert.assertEquals;
 
+import java.util.Collection;
 import java.util.List;
 
 import org.junit.Before;
@@ -59,12 +60,12 @@ public class MethodDefinitionSourceEditorTigerTests {
         MapBasedMethodSecurityMetadataSource map = (MapBasedMethodSecurityMetadataSource) editor.getValue();
         assertEquals(3, map.getMethodMapSize());
 
-        List<? extends ConfigAttribute> returnedMakeLower = map.getAttributes(makeLower);
-        List<? extends ConfigAttribute> expectedMakeLower = SecurityConfig.createList("ROLE_FROM_INTERFACE");
+        Collection<ConfigAttribute> returnedMakeLower = map.getAttributes(makeLower);
+        List<ConfigAttribute> expectedMakeLower = SecurityConfig.createList("ROLE_FROM_INTERFACE");
         assertEquals(expectedMakeLower, returnedMakeLower);
 
-        List<? extends ConfigAttribute> returnedMakeUpper = map.getAttributes(makeUpper);
-        List<? extends ConfigAttribute> expectedMakeUpper = SecurityConfig.createList(new String[]{"ROLE_FROM_IMPLEMENTATION"});
+        Collection<ConfigAttribute> returnedMakeUpper = map.getAttributes(makeUpper);
+        List<ConfigAttribute> expectedMakeUpper = SecurityConfig.createList(new String[]{"ROLE_FROM_IMPLEMENTATION"});
         assertEquals(expectedMakeUpper, returnedMakeUpper);
     }
 
@@ -79,8 +80,8 @@ public class MethodDefinitionSourceEditorTigerTests {
         MapBasedMethodSecurityMetadataSource map = (MapBasedMethodSecurityMetadataSource) editor.getValue();
         assertEquals(3, map.getMethodMapSize());
 
-        List<? extends ConfigAttribute> returnedMakeUpper = map.getAttributes(makeUpper);
-        List<? extends ConfigAttribute> expectedMakeUpper = SecurityConfig.createList("ROLE_FROM_PSI");
+        Collection<ConfigAttribute> returnedMakeUpper = map.getAttributes(makeUpper);
+        List<ConfigAttribute> expectedMakeUpper = SecurityConfig.createList("ROLE_FROM_PSI");
         assertEquals(expectedMakeUpper, returnedMakeUpper);
     }
 
diff --git a/core/src/test/java/org/springframework/security/access/expression/method/PrePostAnnotationSecurityMetadataSourceTests.java b/core/src/test/java/org/springframework/security/access/expression/method/PrePostAnnotationSecurityMetadataSourceTests.java
index bac79a3786..801b46d4fd 100644
--- a/core/src/test/java/org/springframework/security/access/expression/method/PrePostAnnotationSecurityMetadataSourceTests.java
+++ b/core/src/test/java/org/springframework/security/access/expression/method/PrePostAnnotationSecurityMetadataSourceTests.java
@@ -43,11 +43,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {
 
     @Test
     public void classLevelPreAnnotationIsPickedUpWhenNoMethodLevelExists() throws Exception {
-        List<ConfigAttribute> attrs = mds.getAttributes(voidImpl1);
+        ConfigAttribute[] attrs = mds.getAttributes(voidImpl1).toArray(new ConfigAttribute[0]);
 
-        assertEquals(1, attrs.size());
-        assertTrue(attrs.get(0) instanceof PreInvocationExpressionAttribute);
-        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute) attrs.get(0);
+        assertEquals(1, attrs.length);
+        assertTrue(attrs[0] instanceof PreInvocationExpressionAttribute);
+        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute) attrs[0];
         assertNotNull(pre.getAuthorizeExpression());
         assertEquals("someExpression", pre.getAuthorizeExpression().getExpressionString());
         assertNull(pre.getFilterExpression());
@@ -55,11 +55,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {
 
     @Test
     public void mixedClassAndMethodPreAnnotationsAreBothIncluded() {
-        List<ConfigAttribute> attrs = mds.getAttributes(voidImpl2);
+        ConfigAttribute[] attrs = mds.getAttributes(voidImpl2).toArray(new ConfigAttribute[0]);
 
-        assertEquals(1, attrs.size());
-        assertTrue(attrs.get(0) instanceof PreInvocationExpressionAttribute);
-        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs.get(0);
+        assertEquals(1, attrs.length);
+        assertTrue(attrs[0] instanceof PreInvocationExpressionAttribute);
+        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute) attrs[0];
         assertEquals("someExpression", pre.getAuthorizeExpression().getExpressionString());
         assertNotNull(pre.getFilterExpression());
         assertEquals("somePreFilterExpression", pre.getFilterExpression().getExpressionString());
@@ -67,11 +67,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {
 
     @Test
     public void methodWithPreFilterOnlyIsAllowed() {
-        List<ConfigAttribute> attrs = mds.getAttributes(voidImpl3);
+        ConfigAttribute[] attrs = mds.getAttributes(voidImpl3).toArray(new ConfigAttribute[0]);
 
-        assertEquals(1, attrs.size());
-        assertTrue(attrs.get(0) instanceof PreInvocationExpressionAttribute);
-        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs.get(0);
+        assertEquals(1, attrs.length);
+        assertTrue(attrs[0] instanceof PreInvocationExpressionAttribute);
+        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute) attrs[0];
         assertEquals("permitAll", pre.getAuthorizeExpression().getExpressionString());
         assertNotNull(pre.getFilterExpression());
         assertEquals("somePreFilterExpression", pre.getFilterExpression().getExpressionString());
@@ -79,13 +79,13 @@ public class PrePostAnnotationSecurityMetadataSourceTests {
 
     @Test
     public void methodWithPostFilterOnlyIsAllowed() {
-        List<ConfigAttribute> attrs = mds.getAttributes(listImpl1);
+        ConfigAttribute[] attrs = mds.getAttributes(listImpl1).toArray(new ConfigAttribute[0]);
 
-        assertEquals(2, attrs.size());
-        assertTrue(attrs.get(0) instanceof PreInvocationExpressionAttribute);
-        assertTrue(attrs.get(1) instanceof PostInvocationExpressionAttribute);
-        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs.get(0);
-        PostInvocationExpressionAttribute post = (PostInvocationExpressionAttribute)attrs.get(1);
+        assertEquals(2, attrs.length);
+        assertTrue(attrs[0] instanceof PreInvocationExpressionAttribute);
+        assertTrue(attrs[1] instanceof PostInvocationExpressionAttribute);
+        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute) attrs[0];
+        PostInvocationExpressionAttribute post = (PostInvocationExpressionAttribute) attrs[1];
         assertEquals("permitAll", pre.getAuthorizeExpression().getExpressionString());
         assertNotNull(post.getFilterExpression());
         assertEquals("somePostFilterExpression", post.getFilterExpression().getExpressionString());
@@ -93,11 +93,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {
 
     @Test
     public void interfaceAttributesAreIncluded() {
-        List<ConfigAttribute> attrs = mds.getAttributes(notherListImpl1);
+        ConfigAttribute[] attrs = mds.getAttributes(notherListImpl1).toArray(new ConfigAttribute[0]);
 
-        assertEquals(1, attrs.size());
-        assertTrue(attrs.get(0) instanceof PreInvocationExpressionAttribute);
-        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs.get(0);
+        assertEquals(1, attrs.length);
+        assertTrue(attrs[0] instanceof PreInvocationExpressionAttribute);
+        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs[0];
         assertNotNull(pre.getFilterExpression());
         assertNotNull(pre.getAuthorizeExpression());
         assertEquals("interfaceMethodAuthzExpression", pre.getAuthorizeExpression().getExpressionString());
@@ -106,11 +106,11 @@ public class PrePostAnnotationSecurityMetadataSourceTests {
 
     @Test
     public void classAttributesTakesPrecedeceOverInterfaceAttributes() {
-        List<ConfigAttribute> attrs = mds.getAttributes(notherListImpl2);
+        ConfigAttribute[] attrs = mds.getAttributes(notherListImpl2).toArray(new ConfigAttribute[0]);
 
-        assertEquals(1, attrs.size());
-        assertTrue(attrs.get(0) instanceof PreInvocationExpressionAttribute);
-        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs.get(0);
+        assertEquals(1, attrs.length);
+        assertTrue(attrs[0] instanceof PreInvocationExpressionAttribute);
+        PreInvocationExpressionAttribute pre = (PreInvocationExpressionAttribute)attrs[0];
         assertNotNull(pre.getFilterExpression());
         assertNotNull(pre.getAuthorizeExpression());
         assertEquals("interfaceMethodAuthzExpression", pre.getAuthorizeExpression().getExpressionString());
diff --git a/core/src/test/java/org/springframework/security/access/intercept/AfterInvocationProviderManagerTests.java b/core/src/test/java/org/springframework/security/access/intercept/AfterInvocationProviderManagerTests.java
index 4515fc9c44..701ff4d0fd 100644
--- a/core/src/test/java/org/springframework/security/access/intercept/AfterInvocationProviderManagerTests.java
+++ b/core/src/test/java/org/springframework/security/access/intercept/AfterInvocationProviderManagerTests.java
@@ -15,6 +15,7 @@
 
 package org.springframework.security.access.intercept;
 
+import java.util.Collection;
 import java.util.List;
 import java.util.Vector;
 
@@ -151,7 +152,7 @@ public class AfterInvocationProviderManagerTests extends TestCase {
             this.configAttribute = configAttribute;
         }
 
-        public Object decide(Authentication authentication, Object object, List<ConfigAttribute> config,
+        public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config,
             Object returnedObject) throws AccessDeniedException {
             if (config.contains(configAttribute)) {
                 return forceReturnObject;
diff --git a/core/src/test/java/org/springframework/security/access/intercept/method/MethodSecurityMetadataSourceEditorTests.java b/core/src/test/java/org/springframework/security/access/intercept/method/MethodSecurityMetadataSourceEditorTests.java
index 84890ed957..17ff50a85d 100644
--- a/core/src/test/java/org/springframework/security/access/intercept/method/MethodSecurityMetadataSourceEditorTests.java
+++ b/core/src/test/java/org/springframework/security/access/intercept/method/MethodSecurityMetadataSourceEditorTests.java
@@ -17,6 +17,7 @@ package org.springframework.security.access.intercept.method;
 
 import java.lang.reflect.AccessibleObject;
 import java.lang.reflect.Method;
+import java.util.Collection;
 import java.util.List;
 
 import junit.framework.TestCase;
@@ -56,9 +57,9 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {
         Method method = clazz.getMethod("countLength", new Class[] {String.class});
         MockJoinPoint joinPoint = new MockJoinPoint(new TargetObject(), method);
 
-        List<? extends ConfigAttribute> returnedCountLength = map.getAttributes(joinPoint);
+        Collection<ConfigAttribute> returnedCountLength = map.getAttributes(joinPoint);
 
-        List<? extends ConfigAttribute> expectedCountLength = SecurityConfig.createList("ROLE_ONE", "ROLE_TWO", "RUN_AS_ENTRY");
+        List<ConfigAttribute> expectedCountLength = SecurityConfig.createList("ROLE_ONE", "ROLE_TWO", "RUN_AS_ENTRY");
         assertEquals(expectedCountLength, returnedCountLength);
     }
 
@@ -108,16 +109,16 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {
         MapBasedMethodSecurityMetadataSource map = (MapBasedMethodSecurityMetadataSource) editor.getValue();
         assertEquals(6, map.getMethodMapSize());
 
-        List<? extends ConfigAttribute> returnedMakeLower = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "makeLowerCase", new Class[] {String.class}, new OtherTargetObject()));
-        List<? extends ConfigAttribute> expectedMakeLower = SecurityConfig.createList("ROLE_FROM_INTERFACE");
+        Collection<ConfigAttribute> returnedMakeLower = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "makeLowerCase", new Class[] {String.class}, new OtherTargetObject()));
+        List<ConfigAttribute> expectedMakeLower = SecurityConfig.createList("ROLE_FROM_INTERFACE");
         assertEquals(expectedMakeLower, returnedMakeLower);
 
-        List<? extends ConfigAttribute> returnedMakeUpper = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "makeUpperCase", new Class[] {String.class}, new OtherTargetObject()));
-        List<? extends ConfigAttribute> expectedMakeUpper = SecurityConfig.createList("ROLE_FROM_IMPLEMENTATION");
+        Collection<ConfigAttribute> returnedMakeUpper = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "makeUpperCase", new Class[] {String.class}, new OtherTargetObject()));
+        List<ConfigAttribute> expectedMakeUpper = SecurityConfig.createList("ROLE_FROM_IMPLEMENTATION");
         assertEquals(expectedMakeUpper, returnedMakeUpper);
 
-        List<? extends ConfigAttribute> returnedComputeHashCode = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "computeHashCode", new Class[] {String.class}, new OtherTargetObject()));
-        List<? extends ConfigAttribute> expectedComputeHashCode = SecurityConfig.createList("ROLE_FROM_OTO");
+        Collection<ConfigAttribute> returnedComputeHashCode = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "computeHashCode", new Class[] {String.class}, new OtherTargetObject()));
+        List<ConfigAttribute> expectedComputeHashCode = SecurityConfig.createList("ROLE_FROM_OTO");
         assertEquals(expectedComputeHashCode, returnedComputeHashCode);
 
         returnedComputeHashCode = map.getAttributes(new MockMethodInvocation(ITargetObject.class, "computeHashCode", new Class[] {String.class}, new TargetObject()));
@@ -160,19 +161,19 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {
         MapBasedMethodSecurityMetadataSource map = (MapBasedMethodSecurityMetadataSource) editor.getValue();
         assertEquals(14, map.getMethodMapSize());
 
-        List<? extends ConfigAttribute> returnedMakeLower = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
+        Collection<ConfigAttribute> returnedMakeLower = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
                     "makeLowerCase", new Class[] {String.class}, new TargetObject()));
-        List<? extends ConfigAttribute> expectedMakeLower = SecurityConfig.createList("ROLE_LOWER");
+        List<ConfigAttribute> expectedMakeLower = SecurityConfig.createList("ROLE_LOWER");
         assertEquals(expectedMakeLower, returnedMakeLower);
 
-        List<? extends ConfigAttribute> returnedMakeUpper = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
+        Collection<ConfigAttribute> returnedMakeUpper = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
                     "makeUpperCase", new Class[] {String.class}, new TargetObject()));
-        List<? extends ConfigAttribute> expectedMakeUpper = SecurityConfig.createList("ROLE_UPPER");
+        List<ConfigAttribute> expectedMakeUpper = SecurityConfig.createList("ROLE_UPPER");
         assertEquals(expectedMakeUpper, returnedMakeUpper);
 
-        List<? extends ConfigAttribute> returnedCountLength = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
+        Collection<ConfigAttribute> returnedCountLength = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
                     "countLength", new Class[] {String.class}, new TargetObject()));
-        List<? extends ConfigAttribute> expectedCountLength = SecurityConfig.createList("ROLE_GENERAL");
+        List<ConfigAttribute> expectedCountLength = SecurityConfig.createList("ROLE_GENERAL");
         assertEquals(expectedCountLength, returnedCountLength);
     }
 
@@ -182,7 +183,7 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {
 
         MapBasedMethodSecurityMetadataSource map = (MapBasedMethodSecurityMetadataSource) editor.getValue();
 
-        List<? extends ConfigAttribute> configAttributeDefinition = map.getAttributes(new MockMethodInvocation(
+        Collection<ConfigAttribute> configAttributeDefinition = map.getAttributes(new MockMethodInvocation(
                     ITargetObject.class, "makeLowerCase", new Class[] {String.class}, new TargetObject()));
         assertNull(configAttributeDefinition);
     }
@@ -201,7 +202,7 @@ public class MethodSecurityMetadataSourceEditorTests extends TestCase {
 
         MapBasedMethodSecurityMetadataSource map = (MapBasedMethodSecurityMetadataSource) editor.getValue();
 
-        List<? extends ConfigAttribute> returnedCountLength = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
+        Collection<ConfigAttribute> returnedCountLength = map.getAttributes(new MockMethodInvocation(ITargetObject.class,
                     "countLength", new Class[] {String.class}, new TargetObject()));
         assertEquals(SecurityConfig.createList("ROLE_ONE", "ROLE_TWO", "RUN_AS_ENTRY"), returnedCountLength);
     }
diff --git a/core/src/test/java/org/springframework/security/access/intercept/method/MockMethodSecurityMetadataSource.java b/core/src/test/java/org/springframework/security/access/intercept/method/MockMethodSecurityMetadataSource.java
index 5f0bdf8232..62b4b31848 100644
--- a/core/src/test/java/org/springframework/security/access/intercept/method/MockMethodSecurityMetadataSource.java
+++ b/core/src/test/java/org/springframework/security/access/intercept/method/MockMethodSecurityMetadataSource.java
@@ -64,7 +64,7 @@ public class MockMethodSecurityMetadataSource implements MethodSecurityMetadataS
         }
     }
 
-    public List<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
+    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
         throw new UnsupportedOperationException("mock method not implemented");
     }
 
diff --git a/core/src/test/java/org/springframework/security/access/vote/AbstractAccessDecisionManagerTests.java b/core/src/test/java/org/springframework/security/access/vote/AbstractAccessDecisionManagerTests.java
index 41e860485b..60f27f6e67 100644
--- a/core/src/test/java/org/springframework/security/access/vote/AbstractAccessDecisionManagerTests.java
+++ b/core/src/test/java/org/springframework/security/access/vote/AbstractAccessDecisionManagerTests.java
@@ -25,6 +25,7 @@ import org.springframework.security.access.vote.AbstractAccessDecisionManager;
 import org.springframework.security.access.vote.RoleVoter;
 import org.springframework.security.core.Authentication;
 
+import java.util.Collection;
 import java.util.List;
 import java.util.Vector;
 
@@ -148,7 +149,7 @@ public class AbstractAccessDecisionManagerTests extends TestCase {
     //~ Inner Classes ==================================================================================================
 
     private class MockDecisionManagerImpl extends AbstractAccessDecisionManager {
-        public void decide(Authentication authentication, Object object, List<ConfigAttribute> configAttributes)
+        public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
             throws AccessDeniedException {
             return;
         }
@@ -167,7 +168,7 @@ public class AbstractAccessDecisionManagerTests extends TestCase {
             throw new UnsupportedOperationException("mock method not implemented");
         }
 
-        public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+        public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
             throw new UnsupportedOperationException("mock method not implemented");
         }
     }
diff --git a/core/src/test/java/org/springframework/security/access/vote/AbstractAclVoterTests.java b/core/src/test/java/org/springframework/security/access/vote/AbstractAclVoterTests.java
index d3de5bccda..e80b2041de 100644
--- a/core/src/test/java/org/springframework/security/access/vote/AbstractAclVoterTests.java
+++ b/core/src/test/java/org/springframework/security/access/vote/AbstractAclVoterTests.java
@@ -4,7 +4,7 @@ import static org.junit.Assert.*;
 
 import java.lang.reflect.Method;
 import java.util.ArrayList;
-import java.util.List;
+import java.util.Collection;
 
 import org.aopalliance.intercept.MethodInvocation;
 import org.aspectj.lang.JoinPoint;
@@ -25,7 +25,7 @@ public class AbstractAclVoterTests {
         public boolean supports(ConfigAttribute attribute) {
             return false;
         }
-        public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+        public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
             return 0;
         }
     };
diff --git a/core/src/test/java/org/springframework/security/access/vote/DenyAgainVoter.java b/core/src/test/java/org/springframework/security/access/vote/DenyAgainVoter.java
index b7192d47a3..9d0d6abd5a 100644
--- a/core/src/test/java/org/springframework/security/access/vote/DenyAgainVoter.java
+++ b/core/src/test/java/org/springframework/security/access/vote/DenyAgainVoter.java
@@ -19,8 +19,8 @@ import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
 
+import java.util.Collection;
 import java.util.Iterator;
-import java.util.List;
 
 /**
  * Implementation of an {@link AccessDecisionVoter} for unit testing.
@@ -50,7 +50,7 @@ public class DenyAgainVoter implements AccessDecisionVoter {
         return true;
     }
 
-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
         Iterator<ConfigAttribute> iter = attributes.iterator();
 
         while (iter.hasNext()) {
diff --git a/core/src/test/java/org/springframework/security/access/vote/DenyVoter.java b/core/src/test/java/org/springframework/security/access/vote/DenyVoter.java
index 1854a08151..83bb56ace1 100644
--- a/core/src/test/java/org/springframework/security/access/vote/DenyVoter.java
+++ b/core/src/test/java/org/springframework/security/access/vote/DenyVoter.java
@@ -19,8 +19,8 @@ import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
 
+import java.util.Collection;
 import java.util.Iterator;
-import java.util.List;
 
 
 /**
@@ -46,7 +46,7 @@ public class DenyVoter implements AccessDecisionVoter {
         return true;
     }
 
-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
         Iterator<ConfigAttribute> iter = attributes.iterator();
 
         while (iter.hasNext()) {
diff --git a/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java
index 3f8036550a..671a41966b 100644
--- a/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java
+++ b/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java
@@ -20,8 +20,8 @@ import java.io.IOException;
 import java.io.PrintWriter;
 import java.io.UnsupportedEncodingException;
 import java.security.Principal;
+import java.util.Collection;
 import java.util.Enumeration;
-import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 
@@ -120,7 +120,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
         }
 
         FilterInvocation fi = createFilterInvocation(contextPath, uri, method);
-        List<ConfigAttribute> attrs = securityInterceptor.obtainSecurityMetadataSource().getAttributes(fi);
+        Collection<ConfigAttribute> attrs = securityInterceptor.obtainSecurityMetadataSource().getAttributes(fi);
 
         if (attrs == null) {
             if (securityInterceptor.isRejectPublicInvocations()) {
diff --git a/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManager.java b/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManager.java
index a49d0b4e76..887069b4ae 100644
--- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManager.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManager.java
@@ -19,7 +19,7 @@ import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.web.FilterInvocation;
 
 import java.io.IOException;
-import java.util.List;
+import java.util.Collection;
 
 import javax.servlet.ServletException;
 
@@ -38,7 +38,7 @@ public interface ChannelDecisionManager {
      * security based on the requested list of <tt>ConfigAttribute</tt>s.
      *
      */
-    void decide(FilterInvocation invocation, List<ConfigAttribute> config) throws IOException, ServletException;
+    void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException;
 
     /**
      * Indicates whether this <code>ChannelDecisionManager</code> is able to process the passed
diff --git a/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImpl.java b/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImpl.java
index 729128f38e..b21fbfb044 100644
--- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImpl.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImpl.java
@@ -25,6 +25,7 @@ import org.springframework.util.Assert;
 import java.io.IOException;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
 
@@ -61,7 +62,7 @@ public class ChannelDecisionManagerImpl implements ChannelDecisionManager, Initi
         Assert.notEmpty(channelProcessors, "A list of ChannelProcessors is required");
     }
 
-    public void decide(FilterInvocation invocation, List<ConfigAttribute> config) throws IOException, ServletException {
+    public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {
 
         Iterator<ConfigAttribute> attrs = config.iterator();
 
diff --git a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java
index 4c18bc169c..782da57496 100644
--- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java
@@ -18,7 +18,6 @@ package org.springframework.security.web.access.channel;
 import java.io.IOException;
 import java.util.Collection;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Set;
 
 import javax.servlet.FilterChain;
@@ -94,7 +93,7 @@ public class ChannelProcessingFilter extends GenericFilterBean {
         HttpServletResponse response = (HttpServletResponse) res;
 
         FilterInvocation fi = new FilterInvocation(request, response, chain);
-        List<ConfigAttribute> attr = this.securityMetadataSource.getAttributes(fi);
+        Collection<ConfigAttribute> attr = this.securityMetadataSource.getAttributes(fi);
 
         if (attr != null) {
             if (logger.isDebugEnabled()) {
diff --git a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessor.java b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessor.java
index c7abc0d5d9..b4340b4235 100644
--- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessor.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessor.java
@@ -19,7 +19,7 @@ import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.web.FilterInvocation;
 
 import java.io.IOException;
-import java.util.List;
+import java.util.Collection;
 
 import javax.servlet.ServletException;
 
@@ -44,7 +44,7 @@ public interface ChannelProcessor {
      * security based on the requested list of <tt>ConfigAttribute</tt>s.
      *
      */
-    void decide(FilterInvocation invocation, List<ConfigAttribute> config) throws IOException, ServletException;
+    void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException;
 
     /**
      * Indicates whether this <code>ChannelProcessor</code> is able to process the passed
diff --git a/web/src/main/java/org/springframework/security/web/access/channel/InsecureChannelProcessor.java b/web/src/main/java/org/springframework/security/web/access/channel/InsecureChannelProcessor.java
index 4dd38a5eb5..e385fbf78d 100644
--- a/web/src/main/java/org/springframework/security/web/access/channel/InsecureChannelProcessor.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/InsecureChannelProcessor.java
@@ -16,7 +16,7 @@
 package org.springframework.security.web.access.channel;
 
 import java.io.IOException;
-import java.util.List;
+import java.util.Collection;
 
 import javax.servlet.ServletException;
 
@@ -52,7 +52,7 @@ public class InsecureChannelProcessor implements InitializingBean, ChannelProces
         Assert.notNull(entryPoint, "entryPoint required");
     }
 
-    public void decide(FilterInvocation invocation, List<ConfigAttribute> config) throws IOException, ServletException {
+    public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {
         if ((invocation == null) || (config == null)) {
             throw new IllegalArgumentException("Nulls cannot be provided");
         }
diff --git a/web/src/main/java/org/springframework/security/web/access/channel/SecureChannelProcessor.java b/web/src/main/java/org/springframework/security/web/access/channel/SecureChannelProcessor.java
index 68b64bf519..b2a4aa5704 100644
--- a/web/src/main/java/org/springframework/security/web/access/channel/SecureChannelProcessor.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/SecureChannelProcessor.java
@@ -16,7 +16,7 @@
 package org.springframework.security.web.access.channel;
 
 import java.io.IOException;
-import java.util.List;
+import java.util.Collection;
 
 import javax.servlet.ServletException;
 
@@ -52,7 +52,7 @@ public class SecureChannelProcessor implements InitializingBean, ChannelProcesso
         Assert.notNull(entryPoint, "entryPoint required");
     }
 
-    public void decide(FilterInvocation invocation, List<ConfigAttribute> config) throws IOException, ServletException {
+    public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config) throws IOException, ServletException {
         Assert.isTrue((invocation != null) && (config != null), "Nulls cannot be provided");
 
         for (ConfigAttribute attribute : config) {
diff --git a/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionVoter.java b/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionVoter.java
index 4b2461a7c0..9df1fdc3d4 100644
--- a/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionVoter.java
+++ b/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionVoter.java
@@ -1,6 +1,6 @@
 package org.springframework.security.web.access.expression;
 
-import java.util.List;
+import java.util.Collection;
 
 import org.springframework.expression.EvaluationContext;
 import org.springframework.security.access.AccessDecisionVoter;
@@ -18,7 +18,7 @@ import org.springframework.security.web.FilterInvocation;
 public class WebExpressionVoter implements AccessDecisionVoter {
     private WebSecurityExpressionHandler expressionHandler = new DefaultWebSecurityExpressionHandler();
 
-    public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
+    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
         assert authentication != null;
         assert object != null;
         assert attributes != null;
@@ -36,7 +36,7 @@ public class WebExpressionVoter implements AccessDecisionVoter {
                 ACCESS_GRANTED : ACCESS_DENIED;
     }
 
-    private WebExpressionConfigAttribute findConfigAttribute(List<ConfigAttribute> attributes) {
+    private WebExpressionConfigAttribute findConfigAttribute(Collection<ConfigAttribute> attributes) {
         for (ConfigAttribute attribute : attributes) {
             if (attribute instanceof WebExpressionConfigAttribute) {
                 return (WebExpressionConfigAttribute)attribute;
diff --git a/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java b/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java
index d5d0225028..c91af45313 100644
--- a/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java
+++ b/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java
@@ -138,7 +138,7 @@ public class DefaultFilterInvocationSecurityMetadataSource implements FilterInvo
     }
 
 
-    public List<ConfigAttribute> getAttributes(Object object) {
+    public Collection<ConfigAttribute> getAttributes(Object object) {
         if ((object == null) || !this.supports(object.getClass())) {
             throw new IllegalArgumentException("Object must be a FilterInvocation");
         }
diff --git a/web/src/test/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImplTests.java b/web/src/test/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImplTests.java
index 3c4dc3c433..8eadd338c3 100644
--- a/web/src/test/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImplTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImplTests.java
@@ -18,6 +18,7 @@ package org.springframework.security.web.access.channel;
 import static org.mockito.Mockito.mock;
 
 import java.io.IOException;
+import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Vector;
@@ -188,7 +189,7 @@ public class ChannelDecisionManagerImplTests extends TestCase {
             this.failIfCalled = failIfCalled;
         }
 
-        public void decide(FilterInvocation invocation, List<ConfigAttribute> config)
+        public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config)
                 throws IOException, ServletException {
             Iterator iter = config.iterator();
 
diff --git a/web/src/test/java/org/springframework/security/web/access/channel/ChannelProcessingFilterTests.java b/web/src/test/java/org/springframework/security/web/access/channel/ChannelProcessingFilterTests.java
index 50f163a16d..8e7a9afc9e 100644
--- a/web/src/test/java/org/springframework/security/web/access/channel/ChannelProcessingFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/channel/ChannelProcessingFilterTests.java
@@ -163,7 +163,7 @@ public class ChannelProcessingFilterTests {
             this.supportAttribute = supportAttribute;
         }
 
-        public void decide(FilterInvocation invocation, List<ConfigAttribute> config)
+        public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config)
             throws IOException, ServletException {
             if (commitAResponse) {
                 invocation.getHttpResponse().sendRedirect("/redirected");
diff --git a/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java b/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java
index c3e46ecedd..7f70edd9eb 100644
--- a/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java
@@ -18,6 +18,7 @@ package org.springframework.security.web.access.intercept;
 import static org.junit.Assert.*;
 import static org.mockito.Mockito.mock;
 
+import java.util.Collection;
 import java.util.LinkedHashMap;
 import java.util.List;
 
@@ -130,7 +131,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
         createFids("/somepage**", "GET");
 
         FilterInvocation fi = createFilterInvocation("/somepage", "GET");
-        List<? extends ConfigAttribute> attrs = fids.getAttributes(fi);
+        Collection<ConfigAttribute> attrs = fids.getAttributes(fi);
         assertEquals(def, attrs);
     }
 
@@ -139,7 +140,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
         createFids("/somepage**", null);
 
         FilterInvocation fi = createFilterInvocation("/somepage", "GET");
-        List<? extends ConfigAttribute> attrs = fids.getAttributes(fi);
+        Collection<ConfigAttribute> attrs = fids.getAttributes(fi);
         assertEquals(def, attrs);
     }
 
@@ -148,7 +149,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
         createFids("/somepage**", "GET");
 
         FilterInvocation fi = createFilterInvocation("/somepage", null);
-        List<? extends ConfigAttribute> attrs = fids.getAttributes(fi);
+        Collection<ConfigAttribute> attrs = fids.getAttributes(fi);
         assertNull(attrs);
     }
 
@@ -161,7 +162,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
         requestMap.put(new RequestKey("/somepage**", "POST"), postOnlyDef);
         fids = new DefaultFilterInvocationSecurityMetadataSource(new AntUrlPathMatcher(), requestMap);
 
-        List<ConfigAttribute> attrs = fids.getAttributes(createFilterInvocation("/somepage", "POST"));
+        Collection<ConfigAttribute> attrs = fids.getAttributes(createFilterInvocation("/somepage", "POST"));
         assertEquals(postOnlyDef, attrs);
     }
 
@@ -176,7 +177,7 @@ public class DefaultFilterInvocationSecurityMetadataSourceTests {
         fids.setStripQueryStringFromUrls(true);
 
         FilterInvocation fi = createFilterInvocation("/user", "GET");
-        List<ConfigAttribute> attrs = fids.getAttributes(fi);
+        Collection<ConfigAttribute> attrs = fids.getAttributes(fi);
         assertEquals(userAttrs, attrs);
     }