4 files changed, 63 insertions, 2 deletions

diff --git a/src/pyramid/config/__init__.py b/src/pyramid/config/__init__.py
index 072b654c4..d8961268a 100644
--- a/src/pyramid/config/__init__.py
+++ b/src/pyramid/config/__init__.py
@@ -139,13 +139,17 @@ class Configurator(
     :term:`dotted Python name` to the same.  If it is ``None``, a default
     root factory will be used.
 
+    If ``security_policy`` is passed, it should be an instance of a
+    :term:`security policy` or a :term:`dotted Python name` to the same.
+
     If ``authentication_policy`` is passed, it should be an instance
     of an :term:`authentication policy` or a :term:`dotted Python
-    name` to the same.
+    name` to the same.  (Deprecated as of Pyramid 2.0 in favor of
+    ``security_policy``.)
 
     If ``authorization_policy`` is passed, it should be an instance of
     an :term:`authorization policy` or a :term:`dotted Python name` to
-    the same.
+    the same.  (Deprecated as of Pyramid 2.0 in favor of ``security_policy``.)
 
     .. note:: A ``ConfigurationError`` will be raised when an
        authorization policy is supplied without also supplying an
@@ -278,6 +282,7 @@ class Configurator(
         package=None,
         settings=None,
         root_factory=None,
+        security_policy=None,
         authentication_policy=None,
         authorization_policy=None,
         renderers=None,
@@ -315,6 +320,7 @@ class Configurator(
                 root_factory=root_factory,
                 authentication_policy=authentication_policy,
                 authorization_policy=authorization_policy,
+                security_policy=security_policy,
                 renderers=renderers,
                 debug_logger=debug_logger,
                 locale_negotiator=locale_negotiator,
@@ -330,6 +336,7 @@ class Configurator(
         self,
         settings=None,
         root_factory=None,
+        security_policy=None,
         authentication_policy=None,
         authorization_policy=None,
         renderers=None,
@@ -415,6 +422,9 @@ class Configurator(
         if authentication_policy:
             self.set_authentication_policy(authentication_policy)
 
+        if security_policy:
+            self.set_security_policy(security_policy)
+
         if default_view_mapper is not None:
             self.set_view_mapper(default_view_mapper)
 
diff --git a/src/pyramid/config/security.py b/src/pyramid/config/security.py
index 08e7cb81a..b023917aa 100644
--- a/src/pyramid/config/security.py
+++ b/src/pyramid/config/security.py
@@ -6,6 +6,7 @@ from pyramid.interfaces import (
     ICSRFStoragePolicy,
     IDefaultCSRFOptions,
     IDefaultPermission,
+    ISecurityPolicy,
     PHASE1_CONFIG,
     PHASE2_CONFIG,
 )
@@ -22,6 +23,38 @@ class SecurityConfiguratorMixin(object):
         self.set_csrf_storage_policy(LegacySessionCSRFStoragePolicy())
 
     @action_method
+    def set_security_policy(self, policy):
+        """ Override the :app:`Pyramid` :term:`security policy` in the current
+        configuration.  The ``policy`` argument must be an instance
+        of a security policy or a :term:`dotted Python name`
+        that points at an instance of a security policy.
+
+        .. note::
+
+           Using the ``security_policy`` argument to the
+           :class:`pyramid.config.Configurator` constructor can be used to
+           achieve the same purpose.
+
+        """
+
+        def register():
+            self._set_security_policy(policy)
+
+        intr = self.introspectable(
+            'security policy',
+            None,
+            self.object_description(policy),
+            'security policy',
+        )
+        intr['policy'] = policy
+        # authentication policy used by view config (phase 3)
+        self.action(IAuthenticationPolicy, register, introspectables=(intr,))
+
+    def _set_security_policy(self, policy):
+        policy = self.maybe_dotted(policy)
+        self.registry.registerUtility(policy, ISecurityPolicy)
+
+    @action_method
     def set_authentication_policy(self, policy):
         """ Override the :app:`Pyramid` :term:`authentication policy` in the
         current configuration.  The ``policy`` argument must be an instance
diff --git a/tests/test_config/test_init.py b/tests/test_config/test_init.py
index ce2b042ec..661654ef0 100644
--- a/tests/test_config/test_init.py
+++ b/tests/test_config/test_init.py
@@ -205,6 +205,15 @@ class ConfiguratorTests(unittest.TestCase):
         result = config.registry.getUtility(IDebugLogger)
         self.assertEqual(logger, result)
 
+    def test_ctor_security_policy(self):
+        from pyramid.interfaces import ISecurityPolicy
+
+        policy = object()
+        config = self._makeOne(security_policy=policy)
+        config.commit()
+        result = config.registry.getUtility(ISecurityPolicy)
+        self.assertEqual(policy, result)
+
     def test_ctor_authentication_policy(self):
         from pyramid.interfaces import IAuthenticationPolicy
 
diff --git a/tests/test_config/test_security.py b/tests/test_config/test_security.py
index 5ebd78f8d..3062ea154 100644
--- a/tests/test_config/test_security.py
+++ b/tests/test_config/test_security.py
@@ -11,6 +11,15 @@ class ConfiguratorSecurityMethodsTests(unittest.TestCase):
         config = Configurator(*arg, **kw)
         return config
 
+    def test_set_security_policy(self):
+        from pyramid.interfaces import ISecurityPolicy
+
+        config = self._makeOne()
+        policy = object()
+        config.set_security_policy(policy)
+        config.commit()
+        self.assertEqual(config.registry.getUtility(ISecurityPolicy), policy)
+
     def test_set_authentication_policy_no_authz_policy(self):
         config = self._makeOne()
         policy = object()