Fix list property to be mutable

Closes gh-7068

spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementServerProperties.java

@@ -17,6 +17,7 @@
 package org.springframework.boot.actuate.autoconfigure;
 
 import java.net.InetAddress;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 
@@ -178,7 +179,7 @@ public class ManagementServerProperties implements SecurityPrerequisite {
 		/**
 		 * Comma-separated list of roles that can access the management endpoint.
 		 */
-		private List<String> roles = Collections.singletonList("ADMIN");
+		private List<String> roles = new ArrayList<String>(Collections.singletonList("ADMIN"));
 
 		/**
 		 * Session creating policy to use (always, never, if_required, stateless).
@@ -199,7 +200,7 @@ public class ManagementServerProperties implements SecurityPrerequisite {
 
 		@Deprecated
 		public void setRole(String role) {
-			this.roles = Collections.singletonList(role);
+			this.roles = new ArrayList<String>(Collections.singletonList(role));
 		}
 
 		public List<String> getRoles() {

spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementServerPropertiesAutoConfigurationTests.java

@@ -80,6 +80,13 @@ public class ManagementServerPropertiesAutoConfigurationTests {
 		assertThat(properties.getSecurity().getRoles()).containsOnly("FOO");
 	}
 
+	@Test
+	public void managementRolesAllowsIndexedAccess() {
+		ManagementServerProperties properties = load(
+				"management.security.roles[0]=FOO");
+		assertThat(properties.getSecurity().getRoles()).containsOnly("FOO");
+	}
+
 	@Test
 	public void managementRolesSetMultipleRoles() {
 		ManagementServerProperties properties = load(