SEC-2719: Fix order sensitive authenticated().withRoles(..)

test/src/main/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchers.java

@@ -113,7 +113,8 @@ public final class SecurityMockMvcResultMatchers {
             if(this.expectedGrantedAuthorities != null) {
                 assertTrue("Authentication cannot be null", auth != null);
                 Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
-                assertEquals(this.expectedGrantedAuthorities + " does not equal " + authorities, this.expectedGrantedAuthorities, authorities);
+                assertTrue(authorities + " does not contain the same authorities as " + this.expectedGrantedAuthorities, authorities.containsAll(this.expectedGrantedAuthorities));
+                assertTrue(this.expectedGrantedAuthorities + " does not contain the same authorities as " + authorities , this.expectedGrantedAuthorities.containsAll(authorities));
             }
         }
 

test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchersTests.java

@@ -0,0 +1,75 @@
+package org.springframework.security.test.web.servlet.response;
+
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
+import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration
+@WebAppConfiguration
+public class SecurityMockMvcResultMatchersTests {
+    @Autowired
+    private WebApplicationContext context;
+
+    private MockMvc mockMvc;
+
+    @Before
+    public void setup() {
+        mockMvc = MockMvcBuilders.webAppContextSetup(context)
+                    .apply(springSecurity())
+                    .build();
+    }
+
+    // SEC-2719
+    @Test
+    public void withRolesNotOrderSensitive() throws Exception {
+        mockMvc.perform(formLogin())
+            .andExpect(authenticated().withRoles("USER","SELLER"))
+            .andExpect(authenticated().withRoles("SELLER","USER"));
+    }
+
+    @Test(expected = AssertionError.class)
+    public void withRolesFailsIfNotAllRoles() throws Exception {
+        mockMvc.perform(formLogin())
+            .andExpect(authenticated().withRoles("USER"));
+    }
+
+    @Configuration
+    @EnableWebMvcSecurity
+    @EnableWebMvc
+    static class Config extends WebSecurityConfigurerAdapter {
+
+        @Autowired
+        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+            auth
+                .inMemoryAuthentication()
+                    .withUser("user").roles("USER","SELLER").password("password");
+        }
+
+        @RestController
+        static class Controller {
+            @RequestMapping("/")
+            public String ok() {
+                return "ok";
+            }
+        }
+    }
+}