From bcb1ff8921d261abb51ed34579d757f071fd2650 Mon Sep 17 00:00:00 2001
From: Luke Taylor <luke.taylor@springsource.com>
Date: Wed, 23 Dec 2009 14:12:59 +0000
Subject: [PATCH] SEC-1342: Introduced extra factory method in SecurityConfig
 to get round problem with Spring converting a string with commas to an array

---
 .../http/FilterInvocationSecurityMetadataSourceParser.java  | 2 +-
 .../config/http/HttpSecurityBeanDefinitionParserTests.java  | 2 +-
 .../org/springframework/security/access/SecurityConfig.java | 6 +++++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java b/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java
index 57693d9314..84a5ae3149 100644
--- a/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java
@@ -135,7 +135,7 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
             if (useExpressions) {
                 logger.info("Creating access control expression attribute '" + access + "' for " + path);
                 // The single expression will be parsed later by the ExpressionFilterInvocationSecurityMetadataSource
-                attributeBuilder.setFactoryMethod("createList");
+                attributeBuilder.setFactoryMethod("createSingleAttributeList");
 
             } else {
                 attributeBuilder.setFactoryMethod("createListFromCommaDelimitedString");
diff --git a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
index 64c9fe4691..12f0342fcc 100644
--- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
@@ -1004,7 +1004,7 @@ public class HttpSecurityBeanDefinitionParserTests {
     public void expressionBasedAccessAllowsAndDeniesAccessAsExpected() throws Exception {
         setContext(
                 "    <http auto-config='true' use-expressions='true'>" +
-                "        <intercept-url pattern='/secure*' access=\"hasRole('ROLE_A')\" />" +
+                "        <intercept-url pattern='/secure*' access=\"hasAnyRole('ROLE_A','ROLE_C')\" />" +
                 "        <intercept-url pattern='/**' access='permitAll()' />" +
                 "    </http>" + AUTH_PROVIDER_XML);
 
diff --git a/core/src/main/java/org/springframework/security/access/SecurityConfig.java b/core/src/main/java/org/springframework/security/access/SecurityConfig.java
index e3ac56dae3..f13300844d 100644
--- a/core/src/main/java/org/springframework/security/access/SecurityConfig.java
+++ b/core/src/main/java/org/springframework/security/access/SecurityConfig.java
@@ -67,8 +67,12 @@ public class SecurityConfig implements ConfigAttribute {
         return createList(StringUtils.commaDelimitedListToStringArray(access));
     }
 
+    public final static List<ConfigAttribute> createSingleAttributeList(String access) {
+        return createList(access);
+    }
+
     public final static List<ConfigAttribute> createList(String... attributeNames) {
-        Assert.notNull(attributeNames, "You must supply a list of argument names");
+        Assert.notNull(attributeNames, "You must supply an array of attribute names");
         List<ConfigAttribute> attributes = new ArrayList<ConfigAttribute>(attributeNames.length);
 
         for (String attribute : attributeNames) {