
Updated contacts sample info and added information on ACL database schema and using it with Postgres.

Luke Taylor, 16 years ago
Parent
Commit
0d1ebfa85a
3 changed files with 294 additions and 344 deletions
  1. src/docbkx/appendix-db-schema.xml (+ 106 - 45)
  2. src/docbkx/samples.xml (+ 74 - 106)
  3. src/docbkx/springsecurity.xml (+ 114 - 193)

+ 106 - 45
src/docbkx/appendix-db-schema.xml

@@ -1,27 +1,20 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appendix version="5.0" xml:id="appendix-schema" xmlns="http://docbook.org/ns/docbook"
-  xmlns:xlink="http://www.w3.org/1999/xlink" 
-  xmlns:xi="http://www.w3.org/2001/XInclude">
-
+  xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude">
   <info>
     <title>Security Database Schema</title>
   </info>
-  <para>
-    There are various database schema used by the framework and this appendix 
-    provides a single reference point to them all. You only need to 
-    provide the tables for the areas of functonality you require. 
-  </para>
-  <para>
-    DDL statements are given for the HSQLDB database. You can use these as a guideline for defining the
-    schema for the database you are using.
-  </para>
-  
+  <para> There are various database schema used by the framework and this appendix provides a single
+    reference point to them all. You only need to provide the tables for the areas of functonality
+    you require. </para>
+  <para> DDL statements are given for the HSQLDB database. You can use these as a guideline for
+    defining the schema for the database you are using. </para>
   <section>
     <title>User Schema</title>
-    <para>
-      The standard JDBC implementation of the <interfacename>UserDetailsService</interfacename> requires tables
-      to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user.
-<programlisting xml:id="db_schema_users_authorities">
+    <para> The standard JDBC implementation of the <interfacename>UserDetailsService</interfacename>
+      requires tables to load the password, account status (enabled or disabled) and a list of
+      authorities (roles) for the user.
+      <programlisting xml:id="db_schema_users_authorities">
   create table users(
       username varchar_ignorecase(50) not null primary key,
       password varchar_ignorecase(50) not null,
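Review bot: the reflowed intro paragraph still reads `You only need to provide the tables for the areas of functonality you require.`, carrying the `functonality` typo over from the removed lines; since the paragraph is rewritten anyway, correct it to `functionality`. The reflow also leaves a leading space inside `<para> There are various ...` and `<para> DDL statements ...`, which the other paragraphs in this hunk do not have.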
@@ -32,13 +25,10 @@
       authority varchar_ignorecase(50) not null,
       constraint fk_authorities_users foreign key(username) references users(username));
       create unique index ix_auth_username on authorities (username,authority);;
-</programlisting>      
-    </para>
-    
+</programlisting></para>
     <section>
       <title>Group Authorities</title>
-      <para>
-        Spring Security 2.0 introduced support for group authorities
+      <para> Spring Security 2.0 introduced support for group authorities
         <programlisting xml:id="db-schema-groups">
 create table groups (
   id bigint generated by default as identity(start with 0) primary key, 
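Review bot: the unchanged context line `create unique index ix_auth_username on authorities (username,authority);;` ends with a doubled semicolon; this listing is what readers paste into HSQLDB, so it is worth dropping the extra `;` while the block is being touched. The Group Authorities paragraph `Spring Security 2.0 introduced support for group authorities` also runs straight into the `<programlisting>` with no full stop.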
@@ -54,33 +44,56 @@ create table group_members (
   username varchar(50) not null, 
   group_id bigint not null, 
   constraint fk_group_members_group foreign key(group_id) references groups(id));
-        </programlisting>
-      </para>
+        </programlisting></para>
     </section>
   </section>
-
   <section>
     <title>Persistent Login (Remember-Me) Schema</title>
-    <para>
-      This table is used to store data used by the more secure
-      <link xlink:href="#remember-me-persistent-token">persistent token</link> remember-me implementation.
-      If you are using <classname>JdbcTokenRepositoryImpl</classname> either directly or through the namespace,
-      then you will need this table.
-<programlisting xml:id="db-schema-remeber-me">
+    <para> This table is used to store data used by the more secure <link
+        xlink:href="#remember-me-persistent-token">persistent token</link> remember-me
+      implementation. If you are using <classname>JdbcTokenRepositoryImpl</classname> either
+      directly or through the namespace, then you will need this table.
+      <programlisting xml:id="db-schema-remeber-me">
 create table persistent_logins (
   username varchar(64) not null, 
   series varchar(64) primary key,
   token varchar(64) not null, 
   last_used timestamp not null);
-</programlisting>      
-    </para>
+</programlisting></para>
   </section>
-
-  <section>
+  <section xml:id="dbschema-acl">
     <title>ACL Schema</title>
-    <para>
-      The tables used by the Spring Security <link xlink:href="#domain-acls">ACL</link> implementation.
-<programlisting xml:id="dbschema-acl"> 
+    <para>There are four tables used by the Spring Security <link xlink:href="#domain-acls"
+        >ACL</link> implementation. <orderedlist>
+        <listitem>
+          <para><literal>acl_sid</literal> stores the security identities recognised by the ACL
+            system. These can be unique principals or authorities which may apply to multiple
+            principals.</para>
+        </listitem>
+        <listitem>
+          <para><literal>acl_class</literal> defines the domain object types to which ACLs apply.
+            The <literal>class</literal> column stores the Java class name of the object. </para>
+        </listitem>
+        <listitem>
+          <para><literal>acl_object_identity</literal> stores the object identity definitions of
+            specific domai objects.</para>
+        </listitem>
+        <listitem>
+          <para><literal>acl_entry</literal> stores the ACL permissions which apply to a specific
+            object identity and security identity.</para>
+        </listitem>
+      </orderedlist></para>
+    <para>It is assumed that the database will auto-generate the primary keys for each of the
+      identities. The <literal>JdbcMutableAclService</literal> has to be able to retrieve these when
+      it has created a new row in the <literal>acl_sid</literal> or <literal>acl_class</literal>
+      tables. It has two properties which define the SQL needed to retrieve these values
+        <literal>classIdentityQuery</literal> and <literal>sidIdentityQuery</literal>. Both of these
+      default to <literal>call identity()</literal></para>
+    <section>
+      <title>Hypersonic SQL</title>
+      <para>The default schema works with the embedded HSQLDB database that is used in unit tests
+        within the
+        framework.<programlisting xml:id="dbschema-acl-hsql"> 
 create table acl_sid (
   id bigint generated by default as identity(start with 100) not null primary key,
   principal boolean not null,
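Review bot: the listing id `db-schema-remeber-me` is misspelled (`remember`) and is carried into the new `<programlisting xml:id="db-schema-remeber-me">`; if it is corrected, any `<link xlink:href="#db-schema-remeber-me">` elsewhere in the book has to change in the same commit. Moving `xml:id="dbschema-acl"` from the programlisting to the section is reasonable, but check that existing references to `#dbschema-acl` meant the section and not the HSQL listing, which is now `dbschema-acl-hsql`. Wording: `specific domai objects` should be `domain objects`, and the sentence naming the two properties needs a colon before `classIdentityQuery` and `sidIdentityQuery` and a full stop after `call identity()`.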
@@ -112,12 +125,60 @@ create table acl_entry (
   constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id), 
   constraint foreign_fk_5 foreign key(sid) references acl_sid(id) );
 
-</programlisting>      
-      
-      
-    </para>
-  </section>
-  
+</programlisting></para>
+      <section>
+        <title>PostgreSQL</title>
+        <para>
+          <programlisting>create table acl_sid(
+  id bigserial not null primary key,
+  principal boolean not null,
+  sid varchar(100) not null,
+  constraint unique_uk_1 unique(sid,principal));
+
+create table acl_class(
+  id bigserial not null primary key,
+  class varchar(100) not null,
+  constraint unique_uk_2 unique(class));
 
+create table acl_object_identity(
+  id bigserial primary key,
+  object_id_class bigint not null,
+  object_id_identity bigint not null,
+  parent_object bigint,
+  owner_sid bigint,
+  entries_inheriting boolean not null,
+  constraint unique_uk_3 unique(object_id_class,object_id_identity),
+  constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
+  constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
+  constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id));
 
-</appendix>
+create table acl_entry(
+  id bigserial primary key,
+  acl_object_identity bigint not null,
+  ace_order int not null,
+  sid bigint not null,
+  mask integer not null,
+  granting boolean not null,
+  audit_success boolean not null,
+  audit_failure boolean not null,
+  constraint unique_uk_4 unique(acl_object_identity,ace_order),
+  constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
+  constraint foreign_fk_5 foreign key(sid) references acl_sid(id));
+</programlisting>
+        </para>
+        <para>You will have to set the <literal>classIdentityQuery</literal> and
+            <literal>sidIdentityQuery</literal> properties of
+            <classname>JdbcMutableAclService</classname> to the following values, respectively: <itemizedlist>
+            <listitem>
+              <para><literal>select currval(pg_get_serial_sequence('acl_class',
+                'id'))</literal></para>
+            </listitem>
+            <listitem>
+              <para><literal>select currval(pg_get_serial_sequence('acl_sid',
+                'id'))</literal></para>
+            </listitem>
+          </itemizedlist></para>
+      </section>
+    </section>
+  </section>
+</appendix>
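Review bot: the new PostgreSQL `<section>` is opened while the Hypersonic SQL section is still open, and the three closing `</section>` tags at the end close PostgreSQL, then Hypersonic SQL, then ACL Schema, so PostgreSQL renders as a subsection of Hypersonic SQL rather than as a sibling; close the HSQL section directly after its `</programlisting></para>` and open the PostgreSQL section at the same level. The PostgreSQL listing also has no `xml:id`, unlike `dbschema-acl-hsql`; give it one (for example `dbschema-acl-postgres`) so it can be cross-referenced like the HSQL schema. On the `select currval(pg_get_serial_sequence('acl_class', 'id'))` and `acl_sid` queries: `currval` is per-session in PostgreSQL, so the text should state that the identity query has to run on the same connection as the insert, which holds inside a single transaction but not if a pooled connection is swapped between the two statements. Minor: the `<para>` wrapping the PostgreSQL listing contains only whitespace around the `<programlisting>`, which the HSQL paragraph above avoids.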

+ 74 - 106
src/docbkx/samples.xml

@@ -1,70 +1,50 @@
-<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="sample-apps">
-    
-<info>
-    <title xml:id="samples">Sample Applications</title>
-</info>
-    <para>
-        There are several sample web applications that are available with the
-        project. To avoid an overly large download, only the "tutorial"
-        and "contacts" samples are included in the distribution zip file. You can 
-        either build the others yourself, or you can obtain the war files 
-        individually from the central Maven repository. We'd recommend the former.
-        You can get the source as described in <link xlink:href="#get-source">the introduction</link>
-        and it's easy to build the project using Maven. There is more information
-        on the project web site at 
-        <link xlink:href="http://www.springframework.org/spring-security/">
-            http://www.springframework.org/spring-security/
-        </link> if you need it.
-        All paths referred to in this chapter are relative to the source directory, once
-        you have checked it out from subversion.
-    </para>
+<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink"
+    version="5.0" xml:id="sample-apps">
+    <info>
+        <title xml:id="samples">Sample Applications</title>
+    </info>
+    <para> There are several sample web applications that are available with the project. To avoid
+        an overly large download, only the "tutorial" and "contacts" samples are included in the
+        distribution zip file. You can either build the others yourself, or you can obtain the war
+        files individually from the central Maven repository. We'd recommend the former. You can get
+        the source as described in <link xlink:href="#get-source">the introduction</link> and it's
+        easy to build the project using Maven. There is more information on the project web site at
+            <link xlink:href="http://www.springframework.org/spring-security/">
+            http://www.springframework.org/spring-security/ </link> if you need it. All paths
+        referred to in this chapter are relative to the source directory, once you have checked it
+        out from subversion. </para>
     <section xml:id="tutorial-sample">
-    <title>Tutorial Sample</title>
-    
-    <para> The tutorial sample is a nice basic example to get you started. It uses
-        simple namespace configuration throughout. The compiled application is included in the 
-        distribution zip file, ready to be deployed into your web container 
-        (<filename>spring-security-samples-tutorial-2.0.x.war</filename>). 
-        The <link xlink:href="#form">form-based</link> 
-        authentication mechanism is used in combination with the commonly-used 
-        <link xlink:href="#remember-me">remember-me</link>
-        authentication provider to automatically remember the login using
-        cookies.</para>
-    
-    <para>We recommend you start with the tutorial sample, as the XML is
-        minimal and easy to follow. Most importantly, you can easily add 
-        this one XML file (and its corresponding <literal>web.xml</literal> entries) to your existing
-        application. Only when this basic integration is achieved do we
-        suggest you attempt adding in method authorization or domain object
-        security.</para>
+        <title>Tutorial Sample</title>
+        <para> The tutorial sample is a nice basic example to get you started. It uses simple
+            namespace configuration throughout. The compiled application is included in the
+            distribution zip file, ready to be deployed into your web container
+                (<filename>spring-security-samples-tutorial-3.0.x.war</filename>). The <link
+                xlink:href="#form">form-based</link> authentication mechanism is used in combination
+            with the commonly-used <link xlink:href="#remember-me">remember-me</link> authentication
+            provider to automatically remember the login using cookies.</para>
+        <para>We recommend you start with the tutorial sample, as the XML is minimal and easy to
+            follow. Most importantly, you can easily add this one XML file (and its corresponding
+                <literal>web.xml</literal> entries) to your existing application. Only when this
+            basic integration is achieved do we suggest you attempt adding in method authorization
+            or domain object security.</para>
     </section>
-
     <section xml:id="contacts-sample">
-    <title>Contacts</title>
-    
-    <para>
-        The Contacts Sample is quite an advanced example in that it 
-        illustrates the more powerful features of domain object access control lists
-        in addition to basic application security.
-    </para>
-    
-    <para>To deploy, simply copy the WAR file from Spring
-        Security distribution into your container’s <literal>webapps</literal>
-        directory. The war should be called <filename>spring-security-samples-contacts-2.0.0.war</filename>
-        (the appended version number will vary depending on what release you are using).
-    </para>
-    
-    <para>After starting your container, check the application can load.
-        Visit
-        <literal>http://localhost:8080/contacts</literal>
-        (or whichever URL is appropriate for your web container and the WAR
-        you deployed). </para>
-    
-    <para>Next, click "Debug". You will be prompted to authenticate, and a
-        series of usernames and passwords are suggested on that page. Simply
-        authenticate with any of these and view the resulting page. It should
-        contain a success message similar to the following:
-    <literallayout>
+        <title>Contacts</title>
+        <para> The Contacts Sample is an advanced example in that it illustrates the more powerful
+            features of domain object access control lists (ACLs) in addition to basic application
+            security. The application provides an interface with which the users are able to
+            administer a simple database of contacts (the domain objects).</para>
+        <para>To deploy, simply copy the WAR file from Spring Security distribution into your
+            container’s <literal>webapps</literal> directory. The war should be called
+                <filename>spring-security-samples-contacts-3.0.x.war</filename> (the appended
+            version number will vary depending on what release you are using). </para>
+        <para>After starting your container, check the application can load. Visit
+                <literal>http://localhost:8080/contacts</literal> (or whichever URL is appropriate
+            for your web container and the WAR you deployed). </para>
+        <para>Next, click "Debug". You will be prompted to authenticate, and a series of usernames
+            and passwords are suggested on that page. Simply authenticate with any of these and view
+            the resulting page. It should contain a success message similar to the following:
+            <literallayout>
         Authentication object is of type: org.springframework.security.providers.UsernamePasswordAuthenticationToken
         
         Authentication object as a String: 
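Review bot: the WAR names are bumped to `spring-security-samples-tutorial-3.0.x.war` and `spring-security-samples-contacts-3.0.x.war`, but springsecurity.xml in the same commit keeps `<releaseinfo>2.0.x</releaseinfo>` and its partintro still says `we'll introduce Spring Security 2.0`; the guide should name one version throughout. If the samples really are 3.0, the debug output below, which prints `org.springframework.security.providers.UsernamePasswordAuthenticationToken`, should be re-captured from the 3.0 sample so the class name matches what readers will see. The reflowed link `http://www.springframework.org/spring-security/ </link>` has picked up a stray space before the closing tag.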
@@ -83,21 +63,17 @@
         ROLE_USER (getAuthority(): ROLE_USER)
         
         SUCCESS! Your web filters appear to be properly configured!        
-    </literallayout>
-    </para>
-    
-    <para>Once you successfully receive the above message, return to the
-        sample application's home page and click "Manage". You can then try
-        out the application. Notice that only the contacts available to the
-        currently logged on user are displayed, and only users with
-        <literal>ROLE_SUPERVISOR</literal> are granted access to delete their
-        contacts. Behind the scenes, the
-        <classname>MethodSecurityInterceptor</classname> is securing the business
-        objects. </para>
-         <para>The application allows you to modify the access control lists associated
-        with different contacts. Be sure to give this a try and understand how
-        it works by reviewing the application context XML files.</para>
-<!--
+    </literallayout></para>
+        <para>Once you successfully receive the above message, return to the sample application's
+            home page and click "Manage". You can then try out the application. Notice that only the
+            contacts available to the currently logged on user are displayed, and only users with
+                <literal>ROLE_SUPERVISOR</literal> are granted access to delete their contacts.
+            Behind the scenes, the <classname>MethodSecurityInterceptor</classname> is securing the
+            business objects. </para>
+        <para>The application allows you to modify the access control lists associated with
+            different contacts. Be sure to give this a try and understand how it works by reviewing
+            the application context XML files.</para>
+        <!--
     TODO: Reintroduce standalone client example.
     <para>The Contacts sample application also includes a
         <literal>client</literal> directory. Inside you will find a small
@@ -110,40 +86,32 @@
         and the password to use. Note that you may need to edit
         <literal>client.properties</literal> to use a different target
         URL.</para>
--->        
-        
+-->
     </section>
-    
     <section xml:id="ldap-sample">
         <title>LDAP Sample</title>
-        <para>
-            The LDAP sample application provides a basic configuration and sets up both a namespace configuration
-            and an equivalent configuration using traditional beans, both in the same application context file.
-            This means there are actually two identical authentication providers configured in this application.
-        </para>
+        <para> The LDAP sample application provides a basic configuration and sets up both a
+            namespace configuration and an equivalent configuration using traditional beans, both in
+            the same application context file. This means there are actually two identical
+            authentication providers configured in this application. </para>
     </section>
-
     <section xml:id="cas-sample">
         <title>CAS Sample</title>
-        <para>
-            The CAS sample requires that you run both a CAS server and CAS client. It isn't included in the distribution so you should check out
-            the project code as described in <link xlink:href="get-source">the introduction</link>. You'll find the relevant files under the 
-            <filename>sample/cas</filename> directory. There's also a <filename>Readme.txt</filename> file in there which explains how to run
-            both the server and the client directly from the source tree, complete with SSL support. You have to download the CAS Server web application 
-            (a war file) from the CAS site and drop it into the <filename>samples/cas/server</filename> directory.
-        </para>
+        <para> The CAS sample requires that you run both a CAS server and CAS client. It isn't
+            included in the distribution so you should check out the project code as described in
+                <link xlink:href="get-source">the introduction</link>. You'll find the relevant
+            files under the <filename>sample/cas</filename> directory. There's also a
+                <filename>Readme.txt</filename> file in there which explains how to run both the
+            server and the client directly from the source tree, complete with SSL support. You have
+            to download the CAS Server web application (a war file) from the CAS site and drop it
+            into the <filename>samples/cas/server</filename> directory. </para>
     </section>
-    
     <section xml:id="preauth-sample">
         <title>Pre-Authentication Sample</title>
-        <para>
-            This sample application demonstrates how to wire up beans from the <link xlink:href="#preauth">pre-authentication</link> 
-            framework to make use of login information from a J2EE container. The user name and roles are those setup by the container.
-        </para>
-        <para>
-            The code is in <filename>samples/preauth</filename> .
-        </para>
+        <para> This sample application demonstrates how to wire up beans from the <link
+                xlink:href="#preauth">pre-authentication</link> framework to make use of login
+            information from a J2EE container. The user name and roles are those setup by the
+            container. </para>
+        <para> The code is in <filename>samples/preauth</filename> . </para>
     </section>
-    
-
-</chapter>
+</chapter>
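Review bot: `<link xlink:href="get-source">` in the CAS section lacks the `#` that the same reference carries in the chapter intro (`xlink:href="#get-source"`), so it resolves as an external URI instead of an internal id; the line is only reflowed here, but this is the moment to fix it. The same paragraph says `sample/cas` and then `samples/cas/server`, and the Pre-Authentication section uses `samples/preauth`, so `samples/cas` is presumably the intended path. Wording: `those setup by the container` should be `set up`, and `<filename>samples/preauth</filename> .` has a space before the full stop.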

+ 114 - 193
src/docbkx/springsecurity.xml

@@ -1,229 +1,150 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <book version="5.0" xml:id="spring-security-reference-guide" xmlns="http://docbook.org/ns/docbook"
-    xmlns:xlink="http://www.w3.org/1999/xlink" 
-    xmlns:xi="http://www.w3.org/2001/XInclude">
-    
-    <info>
-        <title>Spring Security</title>
-        
-        <subtitle>Reference Documentation</subtitle>
-        
-        <author>
-            <personname>Ben Alex, Luke Taylor</personname>
-        </author>
-                
-        <releaseinfo>2.0.x</releaseinfo>
-        
-    </info>
-    
+  xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude">
+  <info><title>Spring Security</title><subtitle>Reference Documentation</subtitle><author>
+      <personname>Ben Alex, Luke Taylor</personname>
+    </author>
+    <releaseinfo>2.0.x</releaseinfo>
+  </info>
   <toc/>
-
   <preface xml:id="preface">
     <title>Preface</title>
-
-    <para>Spring Security provides a comprehensive security solution for
-    J2EE-based enterprise software applications. As you will discover as you
-    venture through this reference guide, we have tried to provide you a
-    useful and highly configurable security system.</para>
-
-    <para>Security is an ever-moving target, and it's important to pursue a
-    comprehensive, system-wide approach. In security circles we encourage you
-    to adopt "layers of security", so that each layer tries to be as secure as
-    possible in its own right, with successive layers providing additional
-    security. The "tighter" the security of each layer, the more robust and
-    safe your application will be. At the bottom level you'll need to deal
-    with issues such as transport security and system identification, in order
-    to mitigate man-in-the-middle attacks. Next you'll generally utilise
-    firewalls, perhaps with VPNs or IP security to ensure only authorised
-    systems can attempt to connect. In corporate environments you may deploy a
-    DMZ to separate public-facing servers from backend database and
-    application servers. Your operating system will also play a critical part,
-    addressing issues such as running processes as non-privileged users and
-    maximising file system security. An operating system will usually also be
-    configured with its own firewall. Hopefully somewhere along the way you'll
-    be trying to prevent denial of service and brute force attacks against the
-    system. An intrusion detection system will also be especially useful for
-    monitoring and responding to attacks, with such systems able to take
-    protective action such as blocking offending TCP/IP addresses in
-    real-time. Moving to the higher layers, your Java Virtual Machine will
-    hopefully be configured to minimize the permissions granted to different
-    Java types, and then your application will add its own problem
-    domain-specific security configuration. Spring Security makes this latter
-    area - application security - much easier. 
-    </para>
-
-    <para>Of course, you will need to properly address all security layers
-    mentioned above, together with managerial factors that encompass every
-    layer. A non-exhaustive list of such managerial factors would include
-    security bulletin monitoring, patching, personnel vetting, audits, change
-    control, engineering management systems, data backup, disaster recovery,
-    performance benchmarking, load monitoring, centralised logging, incident
-    response procedures etc.</para>
-
-    <para>With Spring Security being focused on helping you with the
-    enterprise application security layer, you will find that there are as
-    many different requirements as there are business problem domains. A
-    banking application has different needs from an ecommerce application. An
-    ecommerce application has different needs from a corporate sales force
-    automation tool. These custom requirements make application security
-    interesting, challenging and rewarding.
-    </para>
-
-    <para>Please read <xref linkend="getting-started"/>, in
-    its entirety to begin with. This will introduce you to the framework and the namespace-based
-    configuration system with which you can get up and running quite quickly. To get more of an understanding
-    of an in-depth understaning of how Spring Security works, and some of the classes you might
-    need to use, you should then read <xref linkend="overall-architecture"/>.
-    The remaining parts of this guide are structured in a more traditional reference style, 
-    designed to be read on an as-required basis. We'd also recommend that you read up as much as 
-    possible on application security issues in general. Spring Security is not a panacea which will
-    solve all security issues. It is important that the application is designed with security in 
-    mind from the start. Attempting to retrofit it is not a good idea. 
-    In particular, if you are building a web application, you should be aware of the many potential
-    vulnerabilities such as cross-site scripting, request-forgery and session-hijacking which you should
-    be taking into account from the start. The OWASP web site (http://www.owasp.org/) maintains a
-    top ten list of web application vulnerabilities as well as a lot of useful reference information.
-    </para>
-
-    <para>We hope that you find this reference guide useful, and we welcome
-      your feedback and <link xlink:href="#jira">suggestions</link>.
-    </para>
-
-    <para>Finally, welcome to the Spring Security <link xlink:href="#community" >community</link>.
+    <para>Spring Security provides a comprehensive security solution for J2EE-based enterprise
+      software applications. As you will discover as you venture through this reference guide, we
+      have tried to provide you a useful and highly configurable security system.</para>
+    <para>Security is an ever-moving target, and it's important to pursue a comprehensive,
+      system-wide approach. In security circles we encourage you to adopt "layers of security", so
+      that each layer tries to be as secure as possible in its own right, with successive layers
+      providing additional security. The "tighter" the security of each layer, the more robust and
+      safe your application will be. At the bottom level you'll need to deal with issues such as
+      transport security and system identification, in order to mitigate man-in-the-middle attacks.
+      Next you'll generally utilise firewalls, perhaps with VPNs or IP security to ensure only
+      authorised systems can attempt to connect. In corporate environments you may deploy a DMZ to
+      separate public-facing servers from backend database and application servers. Your operating
+      system will also play a critical part, addressing issues such as running processes as
+      non-privileged users and maximising file system security. An operating system will usually
+      also be configured with its own firewall. Hopefully somewhere along the way you'll be trying
+      to prevent denial of service and brute force attacks against the system. An intrusion
+      detection system will also be especially useful for monitoring and responding to attacks, with
+      such systems able to take protective action such as blocking offending TCP/IP addresses in
+      real-time. Moving to the higher layers, your Java Virtual Machine will hopefully be configured
+      to minimize the permissions granted to different Java types, and then your application will
+      add its own problem domain-specific security configuration. Spring Security makes this latter
+      area - application security - much easier. </para>
+    <para>Of course, you will need to properly address all security layers mentioned above, together
+      with managerial factors that encompass every layer. A non-exhaustive list of such managerial
+      factors would include security bulletin monitoring, patching, personnel vetting, audits,
+      change control, engineering management systems, data backup, disaster recovery, performance
+      benchmarking, load monitoring, centralised logging, incident response procedures etc.</para>
+    <para>With Spring Security being focused on helping you with the enterprise application security
+      layer, you will find that there are as many different requirements as there are business
+      problem domains. A banking application has different needs from an ecommerce application. An
+      ecommerce application has different needs from a corporate sales force automation tool. These
+      custom requirements make application security interesting, challenging and rewarding. </para>
+    <para>Please read <xref linkend="getting-started"/>, in its entirety to begin with. This will
+      introduce you to the framework and the namespace-based configuration system with which you can
+      get up and running quite quickly. To get more of an understanding of an in-depth understaning
+      of how Spring Security works, and some of the classes you might need to use, you should then
+      read <xref linkend="overall-architecture"/>. The remaining parts of this guide are structured
+      in a more traditional reference style, designed to be read on an as-required basis. We'd also
+      recommend that you read up as much as possible on application security issues in general.
+      Spring Security is not a panacea which will solve all security issues. It is important that
+      the application is designed with security in mind from the start. Attempting to retrofit it is
+      not a good idea. In particular, if you are building a web application, you should be aware of
+      the many potential vulnerabilities such as cross-site scripting, request-forgery and
+      session-hijacking which you should be taking into account from the start. The OWASP web site
+      (http://www.owasp.org/) maintains a top ten list of web application vulnerabilities as well as
+      a lot of useful reference information. </para>
+    <para>We hope that you find this reference guide useful, and we welcome your feedback and <link
+        xlink:href="#jira">suggestions</link>. </para>
+    <para>Finally, welcome to the Spring Security <link xlink:href="#community">community</link>.
     </para>
   </preface>
-  
   <part xml:id="getting-started">
     <title>Getting Started</title>
     <partintro>
-    <para>The later parts of this guide provide an in-depth discussion of the
-      framework architecture and implementation classes, an understanding of which is important
-      if you need to do any serious customization. In this part, we'll introduce Spring Security 2.0,
-      give a brief overview of the project's history and take a slightly
-      gentler look at how to get started using the framework.
-      In particular, we'll look at namespace configuration which provides a much simpler way of securing
-      your application compared to the traditional Spring bean approach where you had to wire up all the 
-      implementation classes individually.
-    </para>
-    <para>
-      We'll also take a look at the sample applications that are available. It's worth trying to run
-      these and experimenting with them a bit even before you read the later sections - you can dip back into them
-      as your understanding of the framework increases.
-    </para>
+      <para>The later parts of this guide provide an in-depth discussion of the framework
+        architecture and implementation classes, an understanding of which is important if you need
+        to do any serious customization. In this part, we'll introduce Spring Security 2.0, give a
+        brief overview of the project's history and take a slightly gentler look at how to get
+        started using the framework. In particular, we'll look at namespace configuration which
+        provides a much simpler way of securing your application compared to the traditional Spring
+        bean approach where you had to wire up all the implementation classes individually. </para>
+      <para> We'll also take a look at the sample applications that are available. It's worth trying
+        to run these and experimenting with them a bit even before you read the later sections - you
+        can dip back into them as your understanding of the framework increases. </para>
     </partintro>
-    
-    <xi:include href="introduction.xml" />    
-    
-    <xi:include href="namespace-config.xml" />
-    
+    <xi:include href="introduction.xml"/>
+    <xi:include href="namespace-config.xml"/>
     <xi:include href="samples.xml"/>
-    
-    <xi:include href="community.xml"/>     
-
+    <xi:include href="community.xml"/>
   </part>
-
   <part xml:id="overall-architecture">
     <title>Overall Architecture</title>
-
     <partintro>
-      <para>Like most software, Spring Security has certain central
-      interfaces, classes and conceptual abstractions that are commonly used
-      throughout the framework. In this part of the reference guide we will
-      introduce Spring Security, before examining these central elements that
-      are necessary to successfully planning and executing a Spring Security
-      integration.</para>
+      <para>Like most software, Spring Security has certain central interfaces, classes and
+        conceptual abstractions that are commonly used throughout the framework. In this part of the
+        reference guide we will introduce Spring Security, before examining these central elements
+        that are necessary to successfully planning and executing a Spring Security
+        integration.</para>
     </partintro>
-    
-    <xi:include href="technical-overview.xml" />
-
-    <xi:include href="supporting-infrastructure.xml" />
-    
-    <xi:include href="channel-security.xml" />
-
+    <xi:include href="technical-overview.xml"/>
+    <xi:include href="supporting-infrastructure.xml"/>
+    <xi:include href="channel-security.xml"/>
   </part>
-
   <part xml:id="authentication">
     <title>Authentication</title>
-
     <partintro>
-      <para>We've already introduced Spring Security's authentication architecture
-        in the <link xlink:href="#technical-overview">Technical Overview</link> chapter.
-        In this part of the reference guide we will examine individual
-      authentication mechanisms and their corresponding
-      <classname>AuthenticationProvider</classname>s. We'll also look at how to
-      configure authentication more generally, including if you have several
-      authentication approaches that need to be chained together.</para>
-      <para>
-        With some exceptions, we will be discussing the full details of Spring Security
-        bean configuration rather than the shorthand
-        <link xlink:href="#ns-config">namespace syntax</link>. You should review
-        the introduction to using namespace configuration and the options it provides
-        to see if they will meet your needs. As you come to use the framework more,
-        and need to customize the internal behaviour, you will probably want to understand
-        more about how the individual services are implemented, which classes to look at
-        extending and so on. This part is more targeted at providing this kind of information.
-        We'd recommend that you supplement the content by browsing the Javadoc and the source
-        itself <footnote><para>Links to both Javadoc APIs and browsable source cross-reference
-        are available from the project web site.</para></footnote>.
-      </para>
+      <para>We've already introduced Spring Security's authentication architecture in the <link
+          xlink:href="#technical-overview">Technical Overview</link> chapter. In this part of the
+        reference guide we will examine individual authentication mechanisms and their corresponding
+          <classname>AuthenticationProvider</classname>s. We'll also look at how to configure
+        authentication more generally, including if you have several authentication approaches that
+        need to be chained together.</para>
+      <para> With some exceptions, we will be discussing the full details of Spring Security bean
+        configuration rather than the shorthand <link xlink:href="#ns-config">namespace
+          syntax</link>. You should review the introduction to using namespace configuration and the
+        options it provides to see if they will meet your needs. As you come to use the framework
+        more, and need to customize the internal behaviour, you will probably want to understand
+        more about how the individual services are implemented, which classes to look at extending
+        and so on. This part is more targeted at providing this kind of information. We'd recommend
+        that you supplement the content by browsing the Javadoc and the source itself <footnote>
+          <para>Links to both Javadoc APIs and browsable source cross-reference are available from
+            the project web site.</para>
+        </footnote>. </para>
     </partintro>
-
-    <xi:include href="common-auth-services.xml" />
-
-    <xi:include href="dao-auth-provider.xml" />    
-
+    <xi:include href="common-auth-services.xml"/>
+    <xi:include href="dao-auth-provider.xml"/>
     <xi:include href="ldap-auth-provider.xml"/>
-    
-    <xi:include href="form-authentication.xml" />
-    
-    <xi:include href="basic-authentication.xml" />
-    
-    <xi:include href="digest-authentication.xml" />
-    
-    <xi:include href="remember-me-authentication.xml" />
-
-    <xi:include href="jaas-auth-provider.xml" />
-    
-    <xi:include href="preauth.xml" />    
-    
-    <xi:include href="anon-auth-provider.xml" />    
-
+    <xi:include href="form-authentication.xml"/>
+    <xi:include href="basic-authentication.xml"/>
+    <xi:include href="digest-authentication.xml"/>
+    <xi:include href="remember-me-authentication.xml"/>
+    <xi:include href="jaas-auth-provider.xml"/>
+    <xi:include href="preauth.xml"/>
+    <xi:include href="anon-auth-provider.xml"/>
     <xi:include href="x509-auth-provider.xml"/>
-
     <xi:include href="cas-auth-provider.xml"/>
-
-    <xi:include href="runas-auth-provider.xml" />
-
+    <xi:include href="runas-auth-provider.xml"/>
   </part>
-
   <part xml:id="authorization">
     <title>Authorization</title>
-
     <partintro>
-      <para>The advanced authorization capabilities within Spring Security
-      represent one of the most compelling reasons for its popularity.
-      Irrespective of how you choose to authenticate - whether using a Spring
-      Security-provided mechanism and provider, or integrating with a
-      container or other non-Spring Security authentication authority - you
-      will find the authorization services can be used within your application
-      in a consistent and simple way.</para>
-
+      <para>The advanced authorization capabilities within Spring Security represent one of the most
+        compelling reasons for its popularity. Irrespective of how you choose to authenticate -
+        whether using a Spring Security-provided mechanism and provider, or integrating with a
+        container or other non-Spring Security authentication authority - you will find the
+        authorization services can be used within your application in a consistent and simple
+        way.</para>
       <para>In this part we'll explore the different
-      <classname>AbstractSecurityInterceptor</classname> implementations, which
-      were introduced in Part I. We then move on to explore how to fine-tune
-      authorization through use of domain access control lists.</para>
+          <classname>AbstractSecurityInterceptor</classname> implementations, which were introduced
+        in Part I. We then move on to explore how to fine-tune authorization through use of domain
+        access control lists.</para>
     </partintro>
-
-    <xi:include href="authorization-common.xml"/>    
-
+    <xi:include href="authorization-common.xml"/>
     <xi:include href="secured-objects.xml"/>
-    
     <xi:include href="domain-acls.xml"/>
-  
   </part>
-   
   <xi:include href="appendix-db-schema.xml"/>
-  
   <xi:include href="appendix-namespace.xml"/>
-
-</book>
+</book>
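Review bot: the reflowed preface paragraph still carries a garbled sentence, "To get more of an understanding of an in-depth understaning of how Spring Security works", which duplicates "understanding" and misspells it; since this hunk already rewraps that paragraph, it is the right place to fix it to "To gain an in-depth understanding of how Spring Security works". Two smaller points in the same hunk: "necessary to successfully planning and executing" should read "necessary to successfully plan and execute", and the bare OWASP URL "(http://www.owasp.org/)" would be better marked up as a `<link xlink:href="http://www.owasp.org/">` element, consistent with the other links in the preface. Note also that almost all of the changes here are whitespace reflow of unchanged text (the final `</book>` line differs only in trailing whitespace), which makes the substantive edits hard to spot; separating formatting-only rewraps from wording changes in future commits would make review easier.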