From 47e027e326888c2bbbbb02ef1a62297e7de6cb5c Mon Sep 17 00:00:00 2001
From: Christian Hilmersson
Date: Wed, 22 Feb 2012 01:46:33 +0100
Subject: [PATCH] SEC-1900: Made the role comparision be performed on sets of strings instead of comparing any given implementation of GrantedAuthority with SimpleGrantedAuthority. I.e. the ifAllGranted code is no longer dependent on the implementation of the equals method in SimpleGrantedAuthorization.
---
 .../taglibs/authz/AbstractAuthorizeTag.java | 8 ++++---
 ...thorizeTagCustomGrantedAuthorityTests.java | 24 +++++++++++++++++++
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java
index 9fcbae62a21..78e5342197c 100644
--- a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java
+++ b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java
@@ -132,9 +132,11 @@ public boolean authorizeUsingGrantedAuthorities() {
 final Collection granted = getPrincipalAuthorities();
 
 if (hasTextAllGranted) {
- if (!granted.containsAll(toAuthorities(getIfAllGranted()))) {
- return false;
- }
+ Set grantedRoles = authoritiesToRoles(granted);
+ Set requiredRoles = authoritiesToRoles(toAuthorities(getIfAllGranted()));
+ if (!grantedRoles.containsAll(requiredRoles)) {
+ return false;
+ }
 }
 
 if (hasTextAnyGranted) {
diff --git a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java
index fa1d65a5d4e..47414ae0249 100644
--- a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java
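Review bot: The new `grantedRoles.containsAll(requiredRoles)` check now matches on authority names only, and nothing in the block records why, so a later reader could "simplify" it back to `granted.containsAll(...)` on the authority objects and silently reintroduce the dependency on SimpleGrantedAuthority.equals; a comment such as `// SEC-1900: compare authority names, not GrantedAuthority instances, so any implementation of getAuthority() can satisfy ifAllGranted` above the two `Set` declarations would pin the intent. Whether a `null` from `GrantedAuthority.getAuthority()` (which the interface permits for authorities not representable as a String) reaches `grantedRoles` now depends on `authoritiesToRoles`, which is outside this hunk; if it passes nulls through, the comparison presumably just fails to match, but that is worth confirming rather than assuming. Style: `Set grantedRoles` and `Set requiredRoles` are raw types, consistent with the surrounding raw `Collection granted`, but if `authoritiesToRoles` already returns `Set<String>` the locals should be declared `Set<String>` so the compiler checks the element type. authorizeUsingGrantedAuthorities() continues past the end of the hunk.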
+++ b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java
@@ -73,4 +73,28 @@ public String getAuthority() {
 assertTrue("expected", true);
 }
 }
+
+ /**
+ * Tests that it is possible to use the authorize tag with any authorization
+ * object that implements GrantedAuthority.
+ * @throws JspException on tag failures (not supposed to happen in this test case)
+ */
+ @Test
+ public void testAuthorizeUsingGrantedAuthorities() throws JspException {
+ authorizeTag.setIfAnyGranted(null);
+ authorizeTag.setIfNotGranted(null);
+ authorizeTag.setIfAllGranted("ROLE_TEST");
+ List authorities = new ArrayList();
+ authorities.add(new GrantedAuthority() {
+ public String getAuthority() {
+ return "ROLE_TEST";
+ }
+ });
+ SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("abc", "123", authorities));
+ int testResult = authorizeTag.doStartTag();
+ Assert.assertEquals("Not authorized even though having correct authorities.",
+ Tag.EVAL_BODY_INCLUDE, testResult);
+
+ }
+
 }
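Review bot: testAuthorizeUsingGrantedAuthorities() only exercises the positive path, so a tag that evaluated the body unconditionally would pass it; an authorization test should also assert the deny case, e.g. a second run where the anonymous authority returns a different name than the one given to `setIfAllGranted` and `doStartTag()` is expected to return `Tag.SKIP_BODY`. The test also installs an Authentication via `SecurityContextHolder.getContext().setAuthentication(...)` and never removes it; unless the enclosing class, whose header and any tear-down lie outside this hunk, calls `SecurityContextHolder.clearContext()` after each test, the principal leaks into later tests in the same JVM. Minor: the new assertion uses `Assert.assertEquals` while the preceding test in the context lines uses a bare `assertTrue`, so a static import would keep the class consistent.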