I don't feel very strongly about this. I agree with Jason that if the contract is non-order-dependent, then the authorities should be a set rather than an array. I agree with Ben that an array does imply something that is order-dependent.
I agree that the conservative choice is to preserve order because some developers might implement authorization voters that use the ordering of the authorities. If the algorithm does not depend on the order, then the developer is free to ignore it but the reverse is not possible.

Robert ([EMAIL PROTECTED]/[EMAIL PROTECTED]).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Alex
Sent: Thursday, August 24, 2006 8:19 PM
To: [email protected]
Subject: Re: [Acegisecurity-developer] User.equals method requires same sequence

[EMAIL PROTECTED] wrote:
> The method
> org.acegisecurity.userdetails.User.equals
>
> requires that the GrantedAuthority values on the
> two instances be in the same order.
>
> Unless there is some order dependency in the behavior,
> does it make sense to require that the order be the
> same for equality? Are not two User instances with
> the same GrantedAuthoritys, no matter in what order,
> equal() ?

We haven't expressly spelled out the UserDetails.equals(Object) contract either way. If we relaxed the iteration order restriction in User.equals(Object), it might result in inconsistent behavior if someone has configured AccessDecisionVoters or AfterInvocationProviders in complex ways that relied upon specific ordering. Namely, a developer might consider user1.equals(user2) yet receive different authorization or after invocation behavior when presenting these apparently "equal" user instances.

I acknowledge that we need to specify the correct contract in the UserDetails.equals(Object) method. In terms of whether to preserve the ordering requirement or not, the conservative choice is to preserve it. Additionally, the Java Array class defines equality to mean same elements as well as same order (http://java.sun.com/j2se/1.5.0/docs/api/java/util/Arrays.html#equals(int[], %20int[])). I therefore think there is some justification for developers who may have relied upon iteration order in their configurations.

Of course, I am open to persuasion if iteration order should be abandoned. I look forward to a lively debate! :-)

Cheers
Ben
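
The scenario discussed in this thread, as an added example that is not part of the original messages and is not Acegi Security code: two authority arrays holding the same roles in a different order compare equal under set semantics but not under array semantics, and an order-sensitive voter decides differently for each. The role names, the `firstMatchVote` voter and the helper names are hypothetical; plain strings stand in for GrantedAuthority values.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class AuthorityOrderDemo {
    // Array semantics: same elements in the same order (java.util.Arrays.equals).
    static boolean orderedEquals(String[] a, String[] b) {
        return Arrays.equals(a, b);
    }

    // Set semantics: same elements, iteration order ignored.
    static boolean unorderedEquals(String[] a, String[] b) {
        Set<String> left = new HashSet<>(Arrays.asList(a));
        Set<String> right = new HashSet<>(Arrays.asList(b));
        return left.equals(right);
    }

    // Hypothetical order-sensitive voter: the first authority that matches
    // a configured rule decides the outcome, later authorities are ignored.
    static String firstMatchVote(String[] authorities,
                                 List<String> denyRoles,
                                 List<String> grantRoles) {
        for (String authority : authorities) {
            if (denyRoles.contains(authority)) {
                return "DENY";
            }
            if (grantRoles.contains(authority)) {
                return "GRANT";
            }
        }
        return "ABSTAIN";
    }

    public static void main(String[] args) {
        // Constructed sample data: same roles, different order.
        String[] user1 = {"ROLE_ADMIN", "ROLE_SUSPENDED"};
        String[] user2 = {"ROLE_SUSPENDED", "ROLE_ADMIN"};
        List<String> deny = Arrays.asList("ROLE_SUSPENDED");
        List<String> grant = Arrays.asList("ROLE_ADMIN");

        System.out.println("ordered equals:   " + orderedEquals(user1, user2));
        System.out.println("unordered equals: " + unorderedEquals(user1, user2));
        System.out.println("vote for user1:   " + firstMatchVote(user1, deny, grant));
        System.out.println("vote for user2:   " + firstMatchVote(user2, deny, grant));
    }
}
```

With an order-insensitive equals, code that caches or deduplicates on equality could substitute one of these users for the other and change the authorization outcome, which is the inconsistency the thread weighs against the convenience of set semantics.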
