Description

The roles and authorities in UserBuilder replace each other based on the order in which they were defined. This means that the most recently defined roles or authorities will overwrite the previous ones.

To Reproduce

1. Implement UserDetailsService this way:

    @Bean
    public UserDetailsService userDetailsService() {
        var admin = User.withUsername("admin")
                .password(passwordEncoder().encode("admin123"))
                .roles("ADMIN")
                .authorities("ACCESS_TEST1", "ACCESS_TEST2")
                .build();
        return new InMemoryUserDetailsManager(admin);
    }

Here, the role "ADMIN" ("ROLE_ADMIN") won't be added to the List of UserBuilder because "new ArrayList(authorities)" will be created each time.


2. Add corresponding resources.
3. Try to access resources that should be accessible for ROLE_ADMIN and for ACCESS_TEST1/ACCESS_TEST2 authorities.

Expected behavior

All resources should be accessible.

Sample

https://github.com/Agvernus/examples

Comment From: marcusdacoregio

Hi @Agvernus, it seems that this has been implemented by https://github.com/spring-projects/spring-security/issues/12533

Therefore I'm closing this as a duplicate.
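
A way to check an application for the behaviour described in the issue, and a form that does not depend on it. This is an added example, not code from the issue, its sample repository or Spring Security itself; the class name, the helper `names` and the `{noop}` placeholder password are assumptions made for the illustration, and it needs `spring-security-core` on the classpath.

```java
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

// Added example (hypothetical class name), not part of the original issue.
public class UserBuilderAuthoritiesCheck {

    // Flatten the granted authorities of a user into plain strings.
    static Set<String> names(UserDetails user) {
        return user.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
    }

    public static void main(String[] args) {
        Set<String> expected = Set.of("ROLE_ADMIN", "ACCESS_TEST1", "ACCESS_TEST2");

        // The pattern from the issue: roles(...) followed by authorities(...).
        UserDetails chained = User.withUsername("admin")
                .password("{noop}admin123") // constructed placeholder value
                .roles("ADMIN")
                .authorities("ACCESS_TEST1", "ACCESS_TEST2")
                .build();

        // Single call: roles(...) only prepends "ROLE_", so the role can be
        // passed to authorities(...) directly with its prefix.
        UserDetails single = User.withUsername("admin")
                .password("{noop}admin123") // constructed placeholder value
                .authorities("ROLE_ADMIN", "ACCESS_TEST1", "ACCESS_TEST2")
                .build();

        System.out.println("chained: " + names(chained));
        System.out.println("single:  " + names(single));

        // The single-call form must always carry the full set.
        if (!names(single).equals(expected)) {
            throw new IllegalStateException("unexpected authorities: " + names(single));
        }
        // On a version with the behaviour from the issue, ROLE_ADMIN is missing here.
        if (!names(chained).equals(expected)) {
            System.out.println("roles()/authorities() overwrite each other on this version");
        }
    }
}
```

The same comparison can be run as a unit test against the real `UserDetailsService` bean, so that a user silently losing a role or authority is caught before access rules are evaluated against it.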