
SEC-1125: Created separate web module spring-security-web

Luke Taylor 16 年之前
父节点
当前提交
2a9a8a41db
共有 100 个文件被更改,包括 394 次插入346 次删除
  1. 0 4
      acl/pom.xml
  2. 1 5
      acl/src/test/java/org/springframework/security/acls/domain/PermissionTests.java
  3. 5 0
      cas/pom.xml
  4. 12 0
      config/pom.xml
  5. 1 1
      config/src/main/java/org/springframework/security/config/AnonymousBeanDefinitionParser.java
  6. 1 1
      config/src/main/java/org/springframework/security/config/ConfigUtils.java
  7. 3 3
      config/src/main/java/org/springframework/security/config/FilterChainProxyPostProcessor.java
  8. 2 2
      config/src/main/java/org/springframework/security/config/GlobalMethodSecurityBeanDefinitionParser.java
  9. 4 4
      config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
  10. 2 2
      config/src/main/java/org/springframework/security/config/PortMappingsBeanDefinitionParser.java
  11. 12 13
      config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
  12. 16 37
      config/src/test/java/org/springframework/security/util/FilterChainProxyConfigTests.java
  13. 9 9
      config/src/test/resources/org/springframework/security/util/filtertest-valid.xml
  14. 4 5
      core/pom.xml
  15. 5 3
      core/src/main/java/org/springframework/security/concurrent/SessionInformation.java
  16. 1 1
      core/src/main/java/org/springframework/security/context/InheritableThreadLocalSecurityContextHolderStrategy.java
  17. 2 2
      core/src/main/java/org/springframework/security/context/SecurityContextHolder.java
  18. 1 1
      core/src/main/java/org/springframework/security/context/ThreadLocalSecurityContextHolderStrategy.java
  19. 1 2
      core/src/main/java/org/springframework/security/context/package.html
  20. 18 0
      core/src/main/java/org/springframework/security/event/SessionCreationEvent.java
  21. 26 0
      core/src/main/java/org/springframework/security/event/SessionDestroyedEvent.java
  22. 3 9
      core/src/main/java/org/springframework/security/expression/MethodSecurityExpressionHandler.java
  23. 3 3
      core/src/main/java/org/springframework/security/expression/method/ExpressionAnnotationMethodSecurityMetadataSource.java
  24. 4 4
      core/src/main/java/org/springframework/security/expression/method/MethodExpressionAfterInvocationProvider.java
  25. 4 4
      core/src/main/java/org/springframework/security/expression/method/MethodExpressionVoter.java
  26. 3 14
      core/src/main/java/org/springframework/security/expression/support/DefaultMethodSecurityExpressionHandler.java
  27. 2 2
      core/src/main/java/org/springframework/security/expression/support/SecurityExpressionRoot.java
  28. 5 7
      core/src/main/java/org/springframework/security/providers/jaas/JaasAuthenticationProvider.java
  29. 1 1
      core/src/main/java/org/springframework/security/providers/preauth/PreAuthenticatedAuthenticationProvider.java
  30. 1 1
      core/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
  31. 0 0
      core/src/main/java/org/springframework/security/remoting/httpinvoker/package.html
  32. 1 1
      core/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java
  33. 1 1
      core/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocationFactory.java
  34. 0 0
      core/src/main/java/org/springframework/security/remoting/rmi/package.html
  35. 0 50
      core/src/main/java/org/springframework/security/ui/session/HttpSessionApplicationEvent.java
  36. 1 2
      core/src/test/java/org/springframework/security/afterinvocation/AfterInvocationProviderManagerTests.java
  37. 6 8
      core/src/test/java/org/springframework/security/providers/ProviderManagerTests.java
  38. 6 6
      core/src/test/java/org/springframework/security/providers/jaas/JaasAuthenticationProviderTests.java
  39. 2 2
      core/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java
  40. 3 1
      core/src/test/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocationTests.java
  41. 0 56
      core/src/test/java/org/springframework/security/util/MockFilterChain.java
  42. 2 2
      itest/context/src/test/java/org/springframework/security/performance/FilterChainPerformanceTests.java
  43. 3 3
      itest/context/src/test/resources/filter-chain-performance-app-context.xml
  44. 0 4
      ldap/pom.xml
  45. 6 1
      ntlm/pom.xml
  46. 1 1
      openid/pom.xml
  47. 18 9
      openid/src/test/java/org/springframework/security/ui/openid/OpenIDAuthenticationProcessingFilterTests.java
  48. 7 7
      pom.xml
  49. 1 1
      portlet/src/test/java/org/springframework/security/ui/portlet/PortletProcessingInterceptorTests.java
  50. 1 1
      samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml
  51. 1 1
      samples/contacts/src/test/resources/applicationContext-contacts-test.xml
  52. 8 8
      samples/dms/src/main/java/sample/dms/DocumentDaoImpl.java
  53. 2 6
      samples/dms/src/main/resources/applicationContext-dms-secure.xml
  54. 1 1
      samples/pom.xml
  55. 5 0
      sandbox/other/pom.xml
  56. 0 4
      taglibs/pom.xml
  57. 57 0
      web/pom.xml
  58. 1 1
      web/src/main/java/org/springframework/security/concurrent/ConcurrentSessionFilter.java
  59. 0 0
      web/src/main/java/org/springframework/security/concurrent/SessionRegistryImpl.java
  60. 6 0
      web/src/main/java/org/springframework/security/concurrent/package.html
  61. 1 1
      web/src/main/java/org/springframework/security/context/web/HttpRequestResponseHolder.java
  62. 4 1
      web/src/main/java/org/springframework/security/context/web/HttpSessionContextIntegrationFilter.java
  63. 5 1
      web/src/main/java/org/springframework/security/context/web/HttpSessionSecurityContextRepository.java
  64. 4 1
      web/src/main/java/org/springframework/security/context/web/SaveContextOnUpdateOrErrorResponseWrapper.java
  65. 3 1
      web/src/main/java/org/springframework/security/context/web/SecurityContextPersistenceFilter.java
  66. 4 2
      web/src/main/java/org/springframework/security/context/web/SecurityContextRepository.java
  67. 1 2
      web/src/main/java/org/springframework/security/expression/web/ExpressionBasedFilterInvocationSecurityMetadataSource.java
  68. 0 0
      web/src/main/java/org/springframework/security/expression/web/WebExpressionConfigAttribute.java
  69. 5 4
      web/src/main/java/org/springframework/security/expression/web/WebExpressionVoter.java
  70. 19 0
      web/src/main/java/org/springframework/security/expression/web/WebSecurityExpressionHandler.java
  71. 39 0
      web/src/main/java/org/springframework/security/expression/web/support/DefaultWebSecurityExpressionHandler.java
  72. 2 1
      web/src/main/java/org/springframework/security/expression/web/support/WebSecurityExpressionRoot.java
  73. 0 0
      web/src/main/java/org/springframework/security/intercept/web/DefaultFilterInvocationSecurityMetadataSource.java
  74. 2 2
      web/src/main/java/org/springframework/security/intercept/web/FilterInvocation.java
  75. 0 0
      web/src/main/java/org/springframework/security/intercept/web/FilterInvocationSecurityMetadataSource.java
  76. 0 0
      web/src/main/java/org/springframework/security/intercept/web/FilterSecurityInterceptor.java
  77. 0 0
      web/src/main/java/org/springframework/security/intercept/web/RequestKey.java
  78. 0 0
      web/src/main/java/org/springframework/security/intercept/web/WebInvocationPrivilegeEvaluator.java
  79. 0 0
      web/src/main/java/org/springframework/security/intercept/web/package.html
  80. 4 4
      web/src/main/java/org/springframework/security/securechannel/AbstractRetryEntryPoint.java
  81. 0 0
      web/src/main/java/org/springframework/security/securechannel/ChannelDecisionManager.java
  82. 0 0
      web/src/main/java/org/springframework/security/securechannel/ChannelDecisionManagerImpl.java
  83. 0 0
      web/src/main/java/org/springframework/security/securechannel/ChannelEntryPoint.java
  84. 0 0
      web/src/main/java/org/springframework/security/securechannel/ChannelProcessingFilter.java
  85. 0 0
      web/src/main/java/org/springframework/security/securechannel/ChannelProcessor.java
  86. 0 0
      web/src/main/java/org/springframework/security/securechannel/InsecureChannelProcessor.java
  87. 0 0
      web/src/main/java/org/springframework/security/securechannel/RetryWithHttpEntryPoint.java
  88. 0 0
      web/src/main/java/org/springframework/security/securechannel/RetryWithHttpsEntryPoint.java
  89. 0 0
      web/src/main/java/org/springframework/security/securechannel/SecureChannelProcessor.java
  90. 0 0
      web/src/main/java/org/springframework/security/securechannel/package.html
  91. 2 2
      web/src/main/java/org/springframework/security/ui/AbstractAuthenticationTargetUrlRequestHandler.java
  92. 2 2
      web/src/main/java/org/springframework/security/ui/AbstractProcessingFilter.java
  93. 0 0
      web/src/main/java/org/springframework/security/ui/AccessDeniedHandler.java
  94. 0 0
      web/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java
  95. 0 0
      web/src/main/java/org/springframework/security/ui/AuthenticationEntryPoint.java
  96. 0 0
      web/src/main/java/org/springframework/security/ui/AuthenticationFailureHandler.java
  97. 0 0
      web/src/main/java/org/springframework/security/ui/AuthenticationSuccessHandler.java
  98. 2 2
      web/src/main/java/org/springframework/security/ui/ExceptionMappingAuthenticationFailureHandler.java
  99. 3 3
      web/src/main/java/org/springframework/security/ui/ExceptionTranslationFilter.java
  100. 0 0
      web/src/main/java/org/springframework/security/ui/FilterChainOrder.java

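--- a/acl/pom.xml
+++ b/acl/pom.xml
@@ -56,10 +56,6 @@
             <artifactId>hsqldb</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.jmock</groupId>
-            <artifactId>jmock-junit4</artifactId>
-        </dependency>
     </dependencies>
 
 </project>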

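--- a/acl/src/test/java/org/springframework/security/acls/domain/PermissionTests.java
+++ b/acl/src/test/java/org/springframework/security/acls/domain/PermissionTests.java
@@ -14,9 +14,8 @@
  */
 package org.springframework.security.acls.domain;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 import static org.junit.Assert.*;
+
 import org.junit.Test;
 import org.springframework.security.acls.Permission;
 
@@ -28,9 +27,6 @@ import org.springframework.security.acls.Permission;
  * @version $Id${date}
  */
 public class PermissionTests {
-    private static final Log LOGGER = LogFactory.getLog(PermissionTests.class);
-
-    //~ Methods ========================================================================================================
 
     @Test
     public void basePermissionTest() {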

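--- a/cas/pom.xml
+++ b/cas/pom.xml
@@ -15,6 +15,11 @@
             <artifactId>spring-security-core</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-core</artifactId>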

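--- a/config/pom.xml
+++ b/config/pom.xml
@@ -15,6 +15,18 @@
             <artifactId>spring-security-core</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+            <version>${project.version}</version>
+            <classifier>tests</classifier>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>commons-logging</groupId>
             <artifactId>commons-logging</artifactId>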

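--- a/config/src/main/java/org/springframework/security/config/AnonymousBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/AnonymousBeanDefinitionParser.java
@@ -9,7 +9,7 @@ import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider;
-import org.springframework.security.providers.anonymous.AnonymousProcessingFilter;
+import org.springframework.security.ui.anonymous.AnonymousProcessingFilter;
 import org.springframework.util.StringUtils;
 import org.w3c.dom.Element;
 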

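--- a/config/src/main/java/org/springframework/security/config/ConfigUtils.java
+++ b/config/src/main/java/org/springframework/security/config/ConfigUtils.java
@@ -14,11 +14,11 @@ import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.security.afterinvocation.AfterInvocationProviderManager;
 import org.springframework.security.expression.method.MethodExpressionVoter;
-import org.springframework.security.util.UrlUtils;
 import org.springframework.security.vote.AccessDecisionVoter;
 import org.springframework.security.vote.AffirmativeBased;
 import org.springframework.security.vote.AuthenticatedVoter;
 import org.springframework.security.vote.RoleVoter;
+import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.StringUtils;
 import org.w3c.dom.Element;
 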

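--- a/config/src/main/java/org/springframework/security/config/FilterChainProxyPostProcessor.java
+++ b/config/src/main/java/org/springframework/security/config/FilterChainProxyPostProcessor.java
@@ -18,18 +18,18 @@ import org.springframework.core.OrderComparator;
 import org.springframework.core.Ordered;
 import org.springframework.security.ConfigAttribute;
 import org.springframework.security.config.ConfigUtils.FilterChainList;
-import org.springframework.security.context.SecurityContextPersistenceFilter;
+import org.springframework.security.context.web.SecurityContextPersistenceFilter;
 import org.springframework.security.intercept.web.DefaultFilterInvocationSecurityMetadataSource;
 import org.springframework.security.intercept.web.FilterSecurityInterceptor;
 import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
-import org.springframework.security.providers.anonymous.AnonymousProcessingFilter;
 import org.springframework.security.ui.ExceptionTranslationFilter;
 import org.springframework.security.ui.SessionFixationProtectionFilter;
+import org.springframework.security.ui.anonymous.AnonymousProcessingFilter;
 import org.springframework.security.ui.basicauth.BasicProcessingFilter;
 import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;
 import org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint;
 import org.springframework.security.ui.webapp.DefaultLoginPageGeneratingFilter;
-import org.springframework.security.util.FilterChainProxy;
+import org.springframework.security.web.util.FilterChainProxy;
 import org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter;
 
 /**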

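--- a/config/src/main/java/org/springframework/security/config/GlobalMethodSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/GlobalMethodSecurityBeanDefinitionParser.java
@@ -20,7 +20,7 @@ import org.springframework.security.ConfigAttribute;
 import org.springframework.security.SecurityConfig;
 import org.springframework.security.expression.method.MethodExpressionAfterInvocationProvider;
 import org.springframework.security.expression.method.MethodExpressionVoter;
-import org.springframework.security.expression.support.DefaultSecurityExpressionHandler;
+import org.springframework.security.expression.support.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.intercept.method.DelegatingMethodSecurityMetadataSource;
 import org.springframework.security.intercept.method.MapBasedMethodSecurityMetadataSource;
 import org.springframework.security.intercept.method.ProtectPointcutPostProcessor;
@@ -95,7 +95,7 @@ class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionParser {
             if (StringUtils.hasText(expressionHandlerRef)) {
                 logger.info("Using bean '" + expressionHandlerRef + "' as method SecurityExpressionHandler implementation");
             } else {
-                parserContext.getRegistry().registerBeanDefinition(EXPRESSION_HANDLER_ID, new RootBeanDefinition(DefaultSecurityExpressionHandler.class));
+                parserContext.getRegistry().registerBeanDefinition(EXPRESSION_HANDLER_ID, new RootBeanDefinition(DefaultMethodSecurityExpressionHandler.class));
                 logger.warn("Expressions were enabled for method security but no SecurityExpressionHandler was configured. " +
                         "All hasPermision() expressions will evaluate to false.");
                 expressionHandlerRef = EXPRESSION_HANDLER_ID;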
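Review bot: The warning logged right after the changed `registerBeanDefinition` call misspells the expression as `hasPermision()`, so an operator searching logs for `hasPermission` will miss the one message that explains why every permission check is denied under the fallback handler. Since this branch is already being edited for the rename to `DefaultMethodSecurityExpressionHandler`, the literal could be corrected to `"All hasPermission() expressions will evaluate to false."`. A one-line comment on the `else` branch, for example `// Fallback handler: hasPermission() is denied until a handler with a PermissionEvaluator is configured`, would document the fail-closed default; that behaviour is taken from the log text, since the handler's code is not in this hunk. The enclosing method starts and ends outside the hunk.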

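--- a/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
@@ -19,8 +19,8 @@ import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.security.ConfigAttribute;
 import org.springframework.security.ConfigAttributeEditor;
 import org.springframework.security.SecurityConfig;
-import org.springframework.security.context.HttpSessionSecurityContextRepository;
-import org.springframework.security.context.SecurityContextPersistenceFilter;
+import org.springframework.security.context.web.HttpSessionSecurityContextRepository;
+import org.springframework.security.context.web.SecurityContextPersistenceFilter;
 import org.springframework.security.expression.web.WebExpressionVoter;
 import org.springframework.security.intercept.web.DefaultFilterInvocationSecurityMetadataSource;
 import org.springframework.security.intercept.web.FilterSecurityInterceptor;
@@ -36,12 +36,12 @@ import org.springframework.security.ui.ExceptionTranslationFilter;
 import org.springframework.security.ui.SessionFixationProtectionFilter;
 import org.springframework.security.ui.webapp.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.util.AntUrlPathMatcher;
-import org.springframework.security.util.FilterChainProxy;
 import org.springframework.security.util.RegexUrlPathMatcher;
 import org.springframework.security.util.UrlMatcher;
 import org.springframework.security.vote.AccessDecisionVoter;
 import org.springframework.security.vote.AuthenticatedVoter;
 import org.springframework.security.vote.RoleVoter;
+import org.springframework.security.web.util.FilterChainProxy;
 import org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
@@ -107,7 +107,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
     private static final String ATT_DISABLE_URL_REWRITING = "disable-url-rewriting";
 
     private static final String EXPRESSION_FIDS_CLASS = "org.springframework.security.expression.web.ExpressionBasedFilterInvocationSecurityMetadataSource";
-    private static final String EXPRESSION_HANDLER_CLASS = "org.springframework.security.expression.support.DefaultSecurityExpressionHandler";
+    private static final String EXPRESSION_HANDLER_CLASS = "org.springframework.security.expression.web.support.DefaultWebSecurityExpressionHandler";
     private static final String EXPRESSION_HANDLER_ID = "_webExpressionHandler";
 
     @SuppressWarnings("unchecked")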
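Review bot: `EXPRESSION_HANDLER_CLASS` in the third hunk names the handler through a string literal, so the move to `org.springframework.security.expression.web.support.DefaultWebSecurityExpressionHandler` is not checked by the compiler; a mistyped or later-relocated package would only surface when the bean is instantiated. If the string form is deliberate (presumably to keep the expression classes optional on the classpath, which is not visible here), a comment on the constant such as `// Referenced by name, not by class literal: keep in sync with the spring-security-web package layout` would record that. A config-module test that resolves both `EXPRESSION_FIDS_CLASS` and `EXPRESSION_HANDLER_CLASS` by name would catch a stale value before it reaches a deployment whose web access rules depend on it. The class body continues outside the hunk.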

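--- a/config/src/main/java/org/springframework/security/config/PortMappingsBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/PortMappingsBeanDefinitionParser.java
@@ -1,6 +1,6 @@
 package org.springframework.security.config;
 
-import org.springframework.security.util.PortMapperImpl;
+import org.springframework.security.web.util.PortMapperImpl;
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.beans.factory.config.BeanDefinition;
@@ -15,7 +15,7 @@ import java.util.Map;
 import java.util.HashMap;
 
 /**
- * Parses a port-mappings element, producing a single {@link org.springframework.security.util.PortMapperImpl}
+ * Parses a port-mappings element, producing a single {@link org.springframework.security.web.util.PortMapperImpl}
  * bean.
  *
  * @author Luke Taylor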

+ 12 - 13
config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java

@@ -26,21 +26,21 @@ import org.springframework.security.concurrent.ConcurrentLoginException;
 import org.springframework.security.concurrent.ConcurrentSessionControllerImpl;
 import org.springframework.security.concurrent.ConcurrentSessionControllerImpl;
 import org.springframework.security.concurrent.ConcurrentSessionFilter;
 import org.springframework.security.concurrent.ConcurrentSessionFilter;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
-import org.springframework.security.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.context.SecurityContextHolder;
 import org.springframework.security.context.SecurityContextHolder;
-import org.springframework.security.context.SecurityContextPersistenceFilter;
+import org.springframework.security.context.web.HttpSessionSecurityContextRepository;
+import org.springframework.security.context.web.SecurityContextPersistenceFilter;
 import org.springframework.security.intercept.web.FilterInvocation;
 import org.springframework.security.intercept.web.FilterInvocation;
 import org.springframework.security.intercept.web.FilterInvocationSecurityMetadataSource;
 import org.springframework.security.intercept.web.FilterInvocationSecurityMetadataSource;
 import org.springframework.security.intercept.web.FilterSecurityInterceptor;
 import org.springframework.security.intercept.web.FilterSecurityInterceptor;
 import org.springframework.security.providers.TestingAuthenticationToken;
 import org.springframework.security.providers.TestingAuthenticationToken;
 import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
 import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
-import org.springframework.security.providers.anonymous.AnonymousProcessingFilter;
 import org.springframework.security.securechannel.ChannelProcessingFilter;
 import org.springframework.security.securechannel.ChannelProcessingFilter;
 import org.springframework.security.ui.AuthenticationFailureHandler;
 import org.springframework.security.ui.AuthenticationFailureHandler;
 import org.springframework.security.ui.AuthenticationSuccessHandler;
 import org.springframework.security.ui.AuthenticationSuccessHandler;
 import org.springframework.security.ui.ExceptionTranslationFilter;
 import org.springframework.security.ui.ExceptionTranslationFilter;
 import org.springframework.security.ui.SessionFixationProtectionFilter;
 import org.springframework.security.ui.SessionFixationProtectionFilter;
 import org.springframework.security.ui.WebAuthenticationDetails;
 import org.springframework.security.ui.WebAuthenticationDetails;
+import org.springframework.security.ui.anonymous.AnonymousProcessingFilter;
 import org.springframework.security.ui.basicauth.BasicProcessingFilter;
 import org.springframework.security.ui.basicauth.BasicProcessingFilter;
 import org.springframework.security.ui.logout.LogoutFilter;
 import org.springframework.security.ui.logout.LogoutFilter;
 import org.springframework.security.ui.logout.LogoutHandler;
 import org.springframework.security.ui.logout.LogoutHandler;
@@ -49,9 +49,8 @@ import org.springframework.security.ui.rememberme.PersistentTokenBasedRememberMe
 import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;
 import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;
 import org.springframework.security.ui.webapp.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.ui.webapp.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.util.FieldUtils;
 import org.springframework.security.util.FieldUtils;
-import org.springframework.security.util.FilterChainProxy;
-import org.springframework.security.util.MockFilter;
-import org.springframework.security.util.PortMapperImpl;
+import org.springframework.security.web.util.FilterChainProxy;
+import org.springframework.security.web.util.PortMapperImpl;
 import org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter;
 import org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter;
 import org.springframework.util.ReflectionUtils;
 import org.springframework.util.ReflectionUtils;
 
 
@@ -341,20 +340,20 @@ public class HttpSecurityBeanDefinitionParserTests {
                 "<b:bean id='userFilter' class='org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter'>" +
                 "<b:bean id='userFilter' class='org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter'>" +
                 "    <custom-filter after='LOGOUT_FILTER'/>" +
                 "    <custom-filter after='LOGOUT_FILTER'/>" +
                 "</b:bean>" +
                 "</b:bean>" +
-                "<b:bean id='userFilter1' class='org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter'>" +
+                "<b:bean id='userFilter1' class='org.springframework.security.context.web.SecurityContextPersistenceFilter'>" +
                 "    <custom-filter before='SESSION_CONTEXT_INTEGRATION_FILTER'/>" +
                 "    <custom-filter before='SESSION_CONTEXT_INTEGRATION_FILTER'/>" +
                 "</b:bean>" +
                 "</b:bean>" +
-                "<b:bean id='userFilter2' class='org.springframework.security.util.MockFilter'>" +
+                "<b:bean id='userFilter2' class='org.springframework.security.context.web.SecurityContextPersistenceFilter'>" +
                 "    <custom-filter position='FIRST'/>" +
                 "    <custom-filter position='FIRST'/>" +
                 "</b:bean>" +
                 "</b:bean>" +
-                "<b:bean id='userFilter3' class='org.springframework.security.util.MockFilter'/>" +
+                "<b:bean id='userFilter3' class='org.springframework.security.context.web.SecurityContextPersistenceFilter'/>" +
                 "<b:bean id='userFilter4' class='org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter'/>"
                 "<b:bean id='userFilter4' class='org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter'/>"
                 );
                 );
         List<Filter> filters = getFilters("/someurl");
         List<Filter> filters = getFilters("/someurl");
 
 
         assertEquals(AUTO_CONFIG_FILTERS + 3, filters.size());
         assertEquals(AUTO_CONFIG_FILTERS + 3, filters.size());
-        assertTrue(filters.get(0) instanceof MockFilter);
-        assertTrue(filters.get(1) instanceof SecurityContextHolderAwareRequestFilter);
+        assertTrue(filters.get(0) instanceof SecurityContextPersistenceFilter);
+        assertTrue(filters.get(1) instanceof SecurityContextPersistenceFilter);
         assertTrue(filters.get(4) instanceof SecurityContextHolderAwareRequestFilter);
         assertTrue(filters.get(4) instanceof SecurityContextHolderAwareRequestFilter);
     }
     }
 
 
@@ -694,7 +693,7 @@ public class HttpSecurityBeanDefinitionParserTests {
     @Test
     @Test
     public void supportsExternallyDefinedSecurityContextRepository() throws Exception {
     public void supportsExternallyDefinedSecurityContextRepository() throws Exception {
         setContext(
         setContext(
-                "<b:bean id='repo' class='org.springframework.security.context.HttpSessionSecurityContextRepository'/>" +
+                "<b:bean id='repo' class='org.springframework.security.context.web.HttpSessionSecurityContextRepository'/>" +
                 "<http create-session='always' security-context-repository-ref='repo'>" +
                 "<http create-session='always' security-context-repository-ref='repo'>" +
                 "    <http-basic />" +
                 "    <http-basic />" +
                 "</http>" + AUTH_PROVIDER_XML);
                 "</http>" + AUTH_PROVIDER_XML);
@@ -707,7 +706,7 @@ public class HttpSecurityBeanDefinitionParserTests {
     @Test(expected=BeanDefinitionParsingException.class)
     @Test(expected=BeanDefinitionParsingException.class)
     public void cantUseUnsupportedSessionCreationAttributeWithExternallyDefinedSecurityContextRepository() throws Exception {
     public void cantUseUnsupportedSessionCreationAttributeWithExternallyDefinedSecurityContextRepository() throws Exception {
         setContext(
         setContext(
-                "<b:bean id='repo' class='org.springframework.security.context.HttpSessionSecurityContextRepository'/>" +
+                "<b:bean id='repo' class='org.springframework.security.context.web.HttpSessionSecurityContextRepository'/>" +
                 "<http create-session='never' security-context-repository-ref='repo'>" +
                 "<http create-session='never' security-context-repository-ref='repo'>" +
                 "    <http-basic />" +
                 "    <http-basic />" +
                 "</http>" + AUTH_PROVIDER_XML);
                 "</http>" + AUTH_PROVIDER_XML);

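--- a/config/src/test/java/org/springframework/security/util/FilterChainProxyConfigTests.java
+++ b/config/src/test/java/org/springframework/security/util/FilterChainProxyConfigTests.java
@@ -16,10 +16,15 @@
 package org.springframework.security.util;
 
 import static org.junit.Assert.*;
+import static org.mockito.Mockito.*;
+import static org.mockito.Matchers.*;
 
 import java.util.List;
 
 import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 import org.junit.After;
 import org.junit.Before;
@@ -29,8 +34,10 @@ import org.springframework.context.support.ClassPathXmlApplicationContext;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.MockFilterConfig;
-import org.springframework.security.context.SecurityContextPersistenceFilter;
+import org.springframework.security.context.web.SecurityContextPersistenceFilter;
 import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;
+import org.springframework.security.web.util.FilterChainProxy;
+import org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter;
 
 /**
  * Tests {@link FilterChainProxy}.
@@ -56,23 +63,6 @@ public class FilterChainProxyConfigTests {
         }
     }
 
-    @Test
-    public void testDoNotFilter() throws Exception {
-        FilterChainProxy filterChainProxy = (FilterChainProxy) appCtx.getBean("filterChain", FilterChainProxy.class);
-        MockFilter filter = (MockFilter) appCtx.getBean("mockFilter", MockFilter.class);
-
-        MockHttpServletRequest request = new MockHttpServletRequest();
-        request.setServletPath("/do/not/filter/somefile.html");
-
-        MockHttpServletResponse response = new MockHttpServletResponse();
-        MockFilterChain chain = new MockFilterChain(true);
-
-        filterChainProxy.doFilter(request, response, chain);
-        assertFalse(filter.isWasInitialized());
-        assertFalse(filter.isWasDoFiltered());
-        assertFalse(filter.isWasDestroyed());
-    }
-
     @Test(expected=BeanCreationException.class)
     public void misplacedUniversalPathShouldBeDetected() throws Exception {
         appCtx.getBean("newFilterChainProxyWrongPathOrder", FilterChainProxy.class);
@@ -126,14 +116,14 @@ public class FilterChainProxyConfigTests {
     private void checkPathAndFilterOrder(FilterChainProxy filterChainProxy) throws Exception {
         List<Filter> filters = filterChainProxy.getFilters("/foo/blah");
         assertEquals(1, filters.size());
-        assertTrue(filters.get(0) instanceof MockFilter);
+        assertTrue(filters.get(0) instanceof SecurityContextHolderAwareRequestFilter);
 
         filters = filterChainProxy.getFilters("/some/other/path/blah");
         assertNotNull(filters);
         assertEquals(3, filters.size());
         assertTrue(filters.get(0) instanceof SecurityContextPersistenceFilter);
-        assertTrue(filters.get(1) instanceof MockFilter);
-        assertTrue(filters.get(2) instanceof MockFilter);
+        assertTrue(filters.get(1) instanceof SecurityContextHolderAwareRequestFilter);
+        assertTrue(filters.get(2) instanceof SecurityContextHolderAwareRequestFilter);
 
         filters = filterChainProxy.getFilters("/do/not/filter");
         assertEquals(0, filters.size());
@@ -142,37 +132,26 @@ public class FilterChainProxyConfigTests {
         assertEquals(3, filters.size());
         assertTrue(filters.get(0) instanceof SecurityContextPersistenceFilter);
         assertTrue(filters.get(1) instanceof AuthenticationProcessingFilter);
-        assertTrue(filters.get(2) instanceof MockFilter);
+        assertTrue(filters.get(2) instanceof SecurityContextHolderAwareRequestFilter);
     }
 
     private void doNormalOperation(FilterChainProxy filterChainProxy) throws Exception {
-        MockFilter filter = (MockFilter) appCtx.getBean("mockFilter", MockFilter.class);
-        assertFalse(filter.isWasInitialized());
-        assertFalse(filter.isWasDoFiltered());
-        assertFalse(filter.isWasDestroyed());
-
         filterChainProxy.init(new MockFilterConfig());
-        assertTrue(filter.isWasInitialized());
-        assertFalse(filter.isWasDoFiltered());
-        assertFalse(filter.isWasDestroyed());
 
         MockHttpServletRequest request = new MockHttpServletRequest();
         request.setServletPath("/foo/secure/super/somefile.html");
 
         MockHttpServletResponse response = new MockHttpServletResponse();
-        MockFilterChain chain = new MockFilterChain(true);
+        FilterChain chain = mock(FilterChain.class);
 
         filterChainProxy.doFilter(request, response, chain);
-        assertTrue(filter.isWasInitialized());
-        assertTrue(filter.isWasDoFiltered());
-        assertFalse(filter.isWasDestroyed());
+        verify(chain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
 
         request.setServletPath("/a/path/which/doesnt/match/any/filter.html");
+        chain = mock(FilterChain.class);
         filterChainProxy.doFilter(request, response, chain);
+        verify(chain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
 
         filterChainProxy.destroy();
-        assertTrue(filter.isWasInitialized());
-        assertTrue(filter.isWasDoFiltered());
-        assertTrue(filter.isWasDestroyed());
     }
 }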
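Review bot: `doNormalOperation` no longer shows that any configured security filter ran: `verify(chain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class))` passes both for a proxy that applies the filters mapped to `/foo/secure/super/somefile.html` and for one that hands the request straight to the chain, so a regression that bypasses the filters would not fail this test. The removed `MockFilter` assertions and the deleted `testDoNotFilter` were the checks visible here that a filter's `init`/`doFilter`/`destroy` were or were not invoked. Consider placing a Mockito mock `Filter` in the chain and asserting on it, for example `verify(filter).doFilter(any(ServletRequest.class), any(ServletResponse.class), any(FilterChain.class));` for the matching path and the `never()` form for the non-matching one. How such a mock would be registered in the XML context is outside this section.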

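--- a/config/src/test/resources/org/springframework/security/util/filtertest-valid.xml
+++ b/config/src/test/resources/org/springframework/security/util/filtertest-valid.xml
@@ -24,12 +24,12 @@
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
 
-    <bean id="mockFilter" class="org.springframework.security.util.MockFilter"/>
+    <bean id="mockFilter" class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter"/>
 
-    <bean id="mockFilter2" class="org.springframework.security.util.MockFilter"/>
+    <bean id="mockFilter2" class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter"/>
 
     <!-- These are just here so we have filters of a specific type to check the ordering is as expected -->
-    <bean id="sif" class="org.springframework.security.context.SecurityContextPersistenceFilter"/>
+    <bean id="sif" class="org.springframework.security.context.web.SecurityContextPersistenceFilter"/>
 
     <bean id="apf" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
        <property name="authenticationManager">
@@ -39,7 +39,7 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
 
     <bean id="mockNotAFilter" class="org.springframework.security.util.MockNotAFilter"/>
 
-    <bean id="filterChain" class="org.springframework.security.util.FilterChainProxy">
+    <bean id="filterChain" class="org.springframework.security.web.util.FilterChainProxy">
         <sec:filter-chain-map path-type="ant">
             <sec:filter-chain pattern="/foo/**" filters="mockFilter"/>
             <sec:filter-chain pattern="/some/other/path/**" filters="mockFilter"/>
@@ -48,7 +48,7 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
     </bean>
 
 <!-- TODO: Refactor to replace the above (SEC-1034: 'new' is now the only valid syntax) -->
-    <bean id="newFilterChainProxy" class="org.springframework.security.util.FilterChainProxy">
+    <bean id="newFilterChainProxy" class="org.springframework.security.web.util.FilterChainProxy">
         <sec:filter-chain-map path-type="ant">
             <sec:filter-chain pattern="/foo/**" filters="mockFilter"/>
             <sec:filter-chain pattern="/some/other/path/**" filters="sif,mockFilter,mockFilter2"/>
@@ -57,14 +57,14 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
         </sec:filter-chain-map>
     </bean>
 
-    <bean id="newFilterChainProxyNoDefaultPath" class="org.springframework.security.util.FilterChainProxy">
+    <bean id="newFilterChainProxyNoDefaultPath" class="org.springframework.security.web.util.FilterChainProxy">
         <sec:filter-chain-map path-type="ant">
             <sec:filter-chain pattern="/foo/**" filters="mockFilter"/>
             <sec:filter-chain pattern="/*.bar" filters="mockFilter,mockFilter2"/>
         </sec:filter-chain-map>
     </bean>
 
-    <bean id="newFilterChainProxyWrongPathOrder" class="org.springframework.security.util.FilterChainProxy">
+    <bean id="newFilterChainProxyWrongPathOrder" class="org.springframework.security.web.util.FilterChainProxy">
         <sec:filter-chain-map path-type="ant">
             <sec:filter-chain pattern="/foo/**" filters="mockFilter"/>
             <sec:filter-chain pattern="/**" filters="sif,apf,mockFilter"/>
@@ -72,7 +72,7 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
         </sec:filter-chain-map>
     </bean>
 
-    <bean id="newFilterChainProxyRegex" class="org.springframework.security.util.FilterChainProxy">
+    <bean id="newFilterChainProxyRegex" class="org.springframework.security.web.util.FilterChainProxy">
         <sec:filter-chain-map path-type="regex">
             <sec:filter-chain pattern="\A/foo/.*\Z" filters="mockFilter"/>
             <sec:filter-chain pattern="\A/s[oO]me/other/path/.*\Z" filters="sif,mockFilter,mockFilter2"/>
@@ -81,7 +81,7 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
         </sec:filter-chain-map>
     </bean>
 
-    <bean id="newFilterChainProxyNonNamespace" class="org.springframework.security.util.FilterChainProxy">
+    <bean id="newFilterChainProxyNonNamespace" class="org.springframework.security.web.util.FilterChainProxy">
         <property name="matcher">
             <bean class="org.springframework.security.util.AntUrlPathMatcher"/>
         </property>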
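Review bot: The bean ids `mockFilter` and `mockFilter2` in the first hunk now name a real `SecurityContextHolderAwareRequestFilter`, so every `filters="mockFilter"` chain in this fixture reads as a test double while actually wiring a production filter. The existing comment `These are just here so we have filters of a specific type to check the ordering is as expected` sits below these two beans and appears to describe only `sif` and `apf`; moving it above `mockFilter`, or renaming the ids, would keep the fixture self-explanatory. `mockNotAFilter` and `AntUrlPathMatcher` still use the `org.springframework.security.util` package; presumably those classes did not move, but that cannot be confirmed from this section.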

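--- a/core/pom.xml
+++ b/core/pom.xml
@@ -61,7 +61,7 @@
         <dependency>
             <groupId>cglib</groupId>
             <artifactId>cglib-nodep</artifactId>
-            <scope>test</scope>
+            <scope>runtime</scope>
             <optional>true</optional>
         </dependency>
         <dependency>
@@ -86,16 +86,19 @@
             <artifactId>hsqldb</artifactId>
             <scope>test</scope>
         </dependency>
+
         <dependency>
             <groupId>jaxen</groupId>
             <artifactId>jaxen</artifactId>
             <version>1.1.1</version>
             <optional>true</optional>
         </dependency>
+<!--
         <dependency>
             <groupId>javax.servlet</groupId>
             <artifactId>servlet-api</artifactId>
         </dependency>
+ -->
         <dependency>
             <groupId>org.apache.tomcat</groupId>
             <artifactId>annotations-api</artifactId>
@@ -110,10 +113,6 @@
             <optional>true</optional>
         </dependency>
  -->
-        <dependency>
-            <groupId>org.jmock</groupId>
-            <artifactId>jmock-junit4</artifactId>
-        </dependency>
         <dependency>
             <groupId>log4j</groupId>
             <artifactId>log4j</artifactId>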
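Review bot: In the second hunk the `servlet-api` dependency is disabled by wrapping it in `<!-- ... -->` instead of being deleted, which leaves dead configuration next to the older commented-out block that closes in the third hunk; if core is no longer meant to compile against the servlet API, remove the element so that intent is unambiguous. In the first hunk `cglib-nodep` moves from `test` to `runtime` scope with nothing saying why; a one-line comment naming what needs it at run time would help anyone auditing this module's dependency surface, since the change puts the library on the module's own runtime classpath (it stays `optional`, so it is not passed on transitively). Neither `cglib-nodep` nor `servlet-api` carries a `<version>` here, so the versions are presumably pinned in a parent POM that is not visible in this section.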

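--- a/core/src/main/java/org/springframework/security/concurrent/SessionInformation.java
+++ b/core/src/main/java/org/springframework/security/concurrent/SessionInformation.java
@@ -23,12 +23,14 @@ import java.io.Serializable;
 
 /**
  * Represents a record of a session within the Spring Security framework.
- * <p>This is primarily used for concurrent session support.</p>
- * <p>Sessions have three states: active, expired, and destroyed. A session can that is invalidated by
+ * <p>
+ * This is primarily used for concurrent session support.
+ * <p>
+ * Sessions have three states: active, expired, and destroyed. A session can that is invalidated by
  * <code>session.invalidate()</code> or via Servlet Container management is considered "destroyed". An "expired"
  * session, on the other hand, is a session that Spring Security wants to end because it was selected for removal for
  * some reason (generally as it was the least recently used session and the maximum sessions for the user were
- * reached). An "expired" session is removed as soon as possible by a <code>Filter</code>.</p>
+ * reached). An "expired" session is removed as soon as possible by a <code>Filter</code>.
  *
  * @author Ben Alex
  * @version $Id$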

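--- a/core/src/main/java/org/springframework/security/context/InheritableThreadLocalSecurityContextHolderStrategy.java
+++ b/core/src/main/java/org/springframework/security/context/InheritableThreadLocalSecurityContextHolderStrategy.java
@@ -26,7 +26,7 @@ import org.springframework.util.Assert;
  * @version $Id$
  *
  * @see java.lang.ThreadLocal
- * @see org.springframework.security.context.SecurityContextPersistenceFilter
+ * @see org.springframework.security.context.web.SecurityContextPersistenceFilter
  */
 public class InheritableThreadLocalSecurityContextHolderStrategy implements SecurityContextHolderStrategy {
     //~ Static fields/initializers =====================================================================================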

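--- a/core/src/main/java/org/springframework/security/context/SecurityContextHolder.java
+++ b/core/src/main/java/org/springframework/security/context/SecurityContextHolder.java
@@ -43,7 +43,7 @@ import java.lang.reflect.Constructor;
  * @author Ben Alex
  * @version $Id$
  *
- * @see org.springframework.security.context.HttpSessionContextIntegrationFilter
+ * @see org.springframework.security.context.web.HttpSessionContextIntegrationFilter
  */
 public class SecurityContextHolder {
     //~ Static fields/initializers =====================================================================================
@@ -138,7 +138,7 @@ public class SecurityContextHolder {
     /**
      * Delegates the creation of a new, empty context to the configured strategy.
      */
-    static SecurityContext createEmptyContext() {
+    public static SecurityContext createEmptyContext() {
         return strategy.createEmptyContext();
     }
 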
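Review bot: In the second hunk `createEmptyContext()` is widened from package-private to `public`, but its Javadoc still only says that it delegates to the strategy; as a new public entry point on a static, security-critical holder it should state its contract and carry a `@return` tag, for instance `@return a new, empty context obtained from the configured strategy`. Whether the call also leaves the current thread's context untouched is not visible from the single line `return strategy.createEmptyContext();`, so confirm that against the strategy implementations before documenting it. In the first hunk the class-level `@see` now points at `org.springframework.security.context.web.HttpSessionContextIntegrationFilter`, while the two strategy classes changed in this commit reference `...context.web.SecurityContextPersistenceFilter`; check that the referenced class exists in the new package so the link does not dangle.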

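--- a/core/src/main/java/org/springframework/security/context/ThreadLocalSecurityContextHolderStrategy.java
+++ b/core/src/main/java/org/springframework/security/context/ThreadLocalSecurityContextHolderStrategy.java
@@ -25,7 +25,7 @@ import org.springframework.util.Assert;
  * @version $Id$
  *
  * @see java.lang.ThreadLocal
- * @see org.springframework.security.context.SecurityContextPersistenceFilter
+ * @see org.springframework.security.context.web.SecurityContextPersistenceFilter
  */
 public class ThreadLocalSecurityContextHolderStrategy implements SecurityContextHolderStrategy {
     //~ Static fields/initializers =====================================================================================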

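--- a/core/src/main/java/org/springframework/security/context/package.html
+++ b/core/src/main/java/org/springframework/security/context/package.html
@@ -1,8 +1,7 @@
 <html>
 <body>
 Classes related to the establishment of a security context for the duration of a request (such as
-an HTTP or RMI invocation) and for the maintenance of the context between requests (by storing it in an HTTP sessio, for
-example).
+an HTTP or RMI invocation).
 <p>
 A security context is associated with the current execution thread for the duration of the request, making the
 authentication information it contains available throughout all the layers of an application.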

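--- /dev/null
+++ b/core/src/main/java/org/springframework/security/event/SessionCreationEvent.java
@@ -0,0 +1,18 @@
+package org.springframework.security.event;
+
+import org.springframework.context.ApplicationEvent;
+
+/**
+ * Generic session creation event which indicates that a session (potentially
+ * represented by a security context) has begun.
+ *
+ * @author Luke Taylor
+ * @version $Id$
+ * @since 2.5
+ */
+public abstract class SessionCreationEvent extends ApplicationEvent {
+
+    public SessionCreationEvent(Object source) {
+        super(source);
+    }
+}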
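Review bot: The constructor of this abstract class is declared `public` although only subclasses can ever call it; `protected SessionCreationEvent(Object source)` says that directly, and the same applies to the constructor of `SessionDestroyedEvent` in the next file. Both classes extend `ApplicationEvent`, which is serializable through `java.util.EventObject`, and neither declares a `serialVersionUID`; if the project's other events declare one, add it here for consistency. The constructor also has no Javadoc saying what `source` is expected to be, which listeners need to know when they call `getSource()`.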

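--- /dev/null
+++ b/core/src/main/java/org/springframework/security/event/SessionDestroyedEvent.java
@@ -0,0 +1,26 @@
+package org.springframework.security.event;
+
+import org.springframework.context.ApplicationEvent;
+import org.springframework.security.context.SecurityContext;
+
+/**
+ * Generic "session termination" event which indicates that a session (potentially
+ * represented by a security context) has ended.
+ *
+ * @author Luke Taylor
+ * @version $Id$
+ * @since 2.5
+ */
+public abstract class SessionDestroyedEvent extends ApplicationEvent {
+
+    public SessionDestroyedEvent(Object source) {
+        super(source);
+    }
+
+    /**
+     * Provides the <tt>SecurityContext</tt> under which the session was running.
+     *
+     * @return the <tt>SecurityContext</tt> associated with the session, or null if there is no context.
+     */
+    public abstract SecurityContext getSecurityContext();
+}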
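Review bot: The Javadoc of `getSecurityContext()` covers the `null` case but not what a listener may do with a non-null result: the event reports a session that has already ended, so it should say whether the returned `SecurityContext` is the live object or a snapshot. Because the context can carry the user's authentication, a sentence such as `Listeners should treat the returned context as read-only and should not retain or log it.` would make the handling expectation explicit for every subscriber. What the context actually contains depends on the implementing subclass, which is not part of this file.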

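--- a/core/src/main/java/org/springframework/security/expression/SecurityExpressionHandler.java
+++ b/core/src/main/java/org/springframework/security/expression/MethodSecurityExpressionHandler.java
@@ -5,17 +5,16 @@ import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.Expression;
 import org.springframework.expression.ExpressionParser;
 import org.springframework.security.Authentication;
-import org.springframework.security.intercept.web.FilterInvocation;
 
 /**
- * Facade which isolates Spring Security's requirements from the implementation of the underlying
- * expression objects.
+ * Facade which isolates Spring Security's requirements for evaluation method-security expressions
+ * from the implementation of the underlying expression objects.
  *
  * @author Luke Taylor
  * @version $Id$
  * @since 2.5
  */
-public interface SecurityExpressionHandler {
+public interface MethodSecurityExpressionHandler {
     /**
      * @return an expression parser for the expressions used by the implementation.
      */
@@ -26,11 +25,6 @@ public interface SecurityExpressionHandler {
      */
     EvaluationContext createEvaluationContext(Authentication authentication, MethodInvocation mi);
 
-    /**
-     * Provides an evaluation context in which to evaluate security expressions for a web invocation.
-     */
-    EvaluationContext createEvaluationContext(Authentication authentication, FilterInvocation fi);
-
     /**
      * Filters a target collection or array.
      * Only applies to method invocations.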
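Review bot: The new class Javadoc in the first hunk reads `requirements for evaluation method-security expressions`; it should be `for evaluating method-security expressions`. With the `FilterInvocation` overload removed in the second hunk, the sentence `Only applies to method invocations.` on the filter method that follows is now true of the whole interface and could be dropped; that method's declaration continues outside the hunk. The rename and the removed overload change a public interface, so any implementation outside this commit has to be updated; the `@since 2.5` tag suggests the type was not yet released, but that is worth confirming.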

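--- a/core/src/main/java/org/springframework/security/expression/method/ExpressionAnnotationMethodSecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/expression/method/ExpressionAnnotationMethodSecurityMetadataSource.java
@@ -12,7 +12,7 @@ import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.ParseException;
 import org.springframework.expression.spel.antlr.SpelAntlrExpressionParser;
 import org.springframework.security.ConfigAttribute;
-import org.springframework.security.expression.SecurityExpressionHandler;
+import org.springframework.security.expression.MethodSecurityExpressionHandler;
 import org.springframework.security.expression.annotation.PostAuthorize;
 import org.springframework.security.expression.annotation.PostFilter;
 import org.springframework.security.expression.annotation.PreAuthorize;
@@ -45,10 +45,10 @@ public class ExpressionAnnotationMethodSecurityMetadataSource extends AbstractMe
     }
 
     /**
-     * Constructor which obtains the expression parser from the {@link SecurityExpressionHandler#getExpressionParser() }
+     * Constructor which obtains the expression parser from the {@link MethodSecurityExpressionHandler#getExpressionParser() }
      * method on the supplied <tt>SecurityExpressionHandler</tt>.
      */
-    public ExpressionAnnotationMethodSecurityMetadataSource(SecurityExpressionHandler handler) {
+    public ExpressionAnnotationMethodSecurityMetadataSource(MethodSecurityExpressionHandler handler) {
         parser = handler.getExpressionParser();
     }
 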
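Review bot: The constructor Javadoc in the second hunk still ends with `method on the supplied <tt>SecurityExpressionHandler</tt>.`, which is the old type name; the `{@link}` on the line above was updated but this unchanged line was not. Change it to `* method on the supplied <tt>MethodSecurityExpressionHandler</tt>.` so the comment matches the new parameter type.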

+ 4 - 4
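--- a/core/src/main/java/org/springframework/security/expression/method/MethodExpressionAfterInvocationProvider.java
+++ b/core/src/main/java/org/springframework/security/expression/method/MethodExpressionAfterInvocationProvider.java
@@ -12,8 +12,8 @@ import org.springframework.security.Authentication;
 import org.springframework.security.ConfigAttribute;
 import org.springframework.security.afterinvocation.AfterInvocationProvider;
 import org.springframework.security.expression.ExpressionUtils;
-import org.springframework.security.expression.SecurityExpressionHandler;
-import org.springframework.security.expression.support.DefaultSecurityExpressionHandler;
+import org.springframework.security.expression.MethodSecurityExpressionHandler;
+import org.springframework.security.expression.support.DefaultMethodSecurityExpressionHandler;
 
 /**
  * AfterInvocationProvider which handles the @PostAuthorize and @PostFilter annotation expressions.
@@ -26,7 +26,7 @@ public class MethodExpressionAfterInvocationProvider implements AfterInvocationP
 
     protected final Log logger = LogFactory.getLog(getClass());
 
-    private SecurityExpressionHandler expressionHandler = new DefaultSecurityExpressionHandler();
+    private MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
 
     public Object decide(Authentication authentication, Object object, List<ConfigAttribute> config, Object returnedObject)
             throws AccessDeniedException {
@@ -90,7 +90,7 @@ public class MethodExpressionAfterInvocationProvider implements AfterInvocationP
         return clazz.isAssignableFrom(MethodInvocation.class);
     }
 
-    public void setExpressionHandler(SecurityExpressionHandler expressionHandler) {
+    public void setExpressionHandler(MethodSecurityExpressionHandler expressionHandler) {
         this.expressionHandler = expressionHandler;
     }
 }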
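Review bot: `setExpressionHandler` in the last hunk stores whatever it is given, so a null argument silently replaces the default `DefaultMethodSecurityExpressionHandler` and would presumably only surface as a NullPointerException when `decide` next evaluates a @PostAuthorize or @PostFilter expression. A guard as the first statement of the setter, `Assert.notNull(expressionHandler, "expressionHandler cannot be null");`, fails at configuration time instead; whether `org.springframework.util.Assert` is already imported in this file is not visible from the hunks. The setter in MethodExpressionVoter (last hunk of that file) has the same shape and would take the same guard.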

+ 4 - 4
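--- a/core/src/main/java/org/springframework/security/expression/method/MethodExpressionVoter.java
+++ b/core/src/main/java/org/springframework/security/expression/method/MethodExpressionVoter.java
@@ -11,8 +11,8 @@ import org.springframework.expression.Expression;
 import org.springframework.security.Authentication;
 import org.springframework.security.ConfigAttribute;
 import org.springframework.security.expression.ExpressionUtils;
-import org.springframework.security.expression.SecurityExpressionHandler;
-import org.springframework.security.expression.support.DefaultSecurityExpressionHandler;
+import org.springframework.security.expression.MethodSecurityExpressionHandler;
+import org.springframework.security.expression.support.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.vote.AccessDecisionVoter;
 
 /**
@@ -29,7 +29,7 @@ import org.springframework.security.vote.AccessDecisionVoter;
 public class MethodExpressionVoter implements AccessDecisionVoter {
     protected final Log logger = LogFactory.getLog(getClass());
 
-    private SecurityExpressionHandler expressionHandler = new DefaultSecurityExpressionHandler();
+    private MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
 
     public boolean supports(ConfigAttribute attribute) {
         return attribute instanceof AbstractExpressionBasedMethodConfigAttribute;
@@ -105,7 +105,7 @@ public class MethodExpressionVoter implements AccessDecisionVoter {
         return null;
     }
 
-    public void setExpressionHandler(SecurityExpressionHandler expressionHandler) {
+    public void setExpressionHandler(MethodSecurityExpressionHandler expressionHandler) {
         this.expressionHandler = expressionHandler;
     }
 }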

+ 3 - 14
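--- a/core/src/main/java/org/springframework/security/expression/support/DefaultSecurityExpressionHandler.java
+++ b/core/src/main/java/org/springframework/security/expression/support/DefaultMethodSecurityExpressionHandler.java
@@ -14,14 +14,12 @@ import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.Expression;
 import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.spel.antlr.SpelAntlrExpressionParser;
-import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationTrustResolver;
 import org.springframework.security.AuthenticationTrustResolverImpl;
 import org.springframework.security.expression.ExpressionUtils;
 import org.springframework.security.expression.PermissionEvaluator;
-import org.springframework.security.expression.SecurityExpressionHandler;
-import org.springframework.security.intercept.web.FilterInvocation;
+import org.springframework.security.expression.MethodSecurityExpressionHandler;
 
 /**
  * The standard implementation of <tt>SecurityExpressionHandler</tt>.
@@ -32,7 +30,7 @@ import org.springframework.security.intercept.web.FilterInvocation;
  * @version $Id$
  * @since 2.5
  */
-public class DefaultSecurityExpressionHandler implements SecurityExpressionHandler {
+public class DefaultMethodSecurityExpressionHandler implements MethodSecurityExpressionHandler {
 
     protected final Log logger = LogFactory.getLog(getClass());
 
@@ -41,7 +39,7 @@ public class DefaultSecurityExpressionHandler implements SecurityExpressionHandl
     private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
     private ExpressionParser expressionParser = new SpelAntlrExpressionParser();
 
-    public DefaultSecurityExpressionHandler() {
+    public DefaultMethodSecurityExpressionHandler() {
     }
 
     /**
@@ -58,15 +56,6 @@ public class DefaultSecurityExpressionHandler implements SecurityExpressionHandl
         return ctx;
     }
 
-    public EvaluationContext createEvaluationContext(Authentication authentication, FilterInvocation fi) {
-        StandardEvaluationContext ctx = new StandardEvaluationContext();
-        SecurityExpressionRoot root = new WebSecurityExpressionRoot(authentication, fi);
-        root.setTrustResolver(trustResolver);
-        ctx.setRootObject(root);
-
-        return ctx;
-    }
-
     @SuppressWarnings("unchecked")
     public Object filter(Object filterTarget, Expression filterExpression, EvaluationContext ctx) {
         MethodSecurityExpressionRoot rootObject = (MethodSecurityExpressionRoot) ctx.getRootObject();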
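Review bot: The class Javadoc kept as context in the first hunk still reads `The standard implementation of <tt>SecurityExpressionHandler</tt>.`, which no longer matches the renamed class or the interface it implements. It should name the new interface, `The standard implementation of <tt>MethodSecurityExpressionHandler</tt>.`, and could add one sentence saying that the FilterInvocation-based evaluation context is no longer created here, since the last hunk removes that overload. The rest of the Javadoc lies outside the hunks, so other stale references may remain.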

+ 2 - 2
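--- a/core/src/main/java/org/springframework/security/expression/support/SecurityExpressionRoot.java
+++ b/core/src/main/java/org/springframework/security/expression/support/SecurityExpressionRoot.java
@@ -15,7 +15,7 @@ import org.springframework.security.util.AuthorityUtils;
  * @version $Id$
  * @since 2.5
  */
-abstract class SecurityExpressionRoot {
+public abstract class SecurityExpressionRoot {
     protected final Authentication authentication;
     private AuthenticationTrustResolver trustResolver;
     /** Allows "permitAll" expression */
@@ -24,7 +24,7 @@ abstract class SecurityExpressionRoot {
     /** Allows "denyAll" expression */
     public final boolean denyAll = false;
 
-    SecurityExpressionRoot(Authentication a) {
+    public SecurityExpressionRoot(Authentication a) {
         if (a == null) {
             throw new IllegalArgumentException("Authentication object cannot be null");
         }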
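Review bot: The constructor in the second hunk is widened to `public` although the class is abstract, so only subclasses can ever call it; `protected SecurityExpressionRoot(Authentication a) {` states that intent and keeps the exposed surface as small as the new web module needs. Since the class moves from package-private to public API here, its Javadoc should also say that it is now an extension point for expression root objects outside this package. The constructor body continues past the end of the hunk.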

+ 5 - 7
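--- a/core/src/main/java/org/springframework/security/providers/jaas/JaasAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/providers/jaas/JaasAuthenticationProvider.java
@@ -41,13 +41,12 @@ import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationException;
 import org.springframework.security.GrantedAuthority;
 import org.springframework.security.SpringSecurityException;
-import org.springframework.security.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.context.SecurityContext;
+import org.springframework.security.event.SessionDestroyedEvent;
 import org.springframework.security.providers.AuthenticationProvider;
 import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
 import org.springframework.security.providers.jaas.event.JaasAuthenticationFailedEvent;
 import org.springframework.security.providers.jaas.event.JaasAuthenticationSuccessEvent;
-import org.springframework.security.ui.session.HttpSessionDestroyedEvent;
 import org.springframework.util.Assert;
 
 
@@ -311,9 +310,8 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
      *
      * @param event
      */
-    protected void handleLogout(HttpSessionDestroyedEvent event) {
-        SecurityContext context = (SecurityContext)
-                event.getSession().getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
+    protected void handleLogout(SessionDestroyedEvent event) {
+        SecurityContext context = event.getSecurityContext();
 
         if (context == null) {
             log.debug("The destroyed session has no SecurityContext");
@@ -343,8 +341,8 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
     }
 
     public void onApplicationEvent(ApplicationEvent applicationEvent) {
-        if (applicationEvent instanceof HttpSessionDestroyedEvent) {
-            HttpSessionDestroyedEvent event = (HttpSessionDestroyedEvent) applicationEvent;
+        if (applicationEvent instanceof SessionDestroyedEvent) {
+            SessionDestroyedEvent event = (SessionDestroyedEvent) applicationEvent;
             handleLogout(event);
         }
     }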
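Review bot: The `@param event` tag on `handleLogout` (second hunk) is still empty, and after this change the method relies entirely on `event.getSecurityContext()` to find the login to terminate. The tag should state that contract, for example `@param event the session-destroyed event; its SecurityContext identifies the JAAS login to log out`. It is also worth a sentence in the Javadoc that a null context is only reported at debug level, so an event implementation that cannot supply the context leaves the JAAS login in place without any visible signal. The method body continues outside the hunk.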

+ 1 - 1
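--- a/core/src/main/java/org/springframework/security/providers/preauth/PreAuthenticatedAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/providers/preauth/PreAuthenticatedAuthenticationProvider.java
@@ -22,7 +22,7 @@ import org.springframework.util.Assert;
  *
  * <p>
  * This authentication provider will not perform any checks on authentication
- * requests, as they should already be pre- authenticated. However, the
+ * requests, as they should already be pre-authenticated. However, the
  * AuthenticationUserDetailsService implementation may still throw a UsernameNotFoundException, for example.
  *
  * @author Ruud Senden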

+ 1 - 1
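--- a/core/src/main/java/org/springframework/security/context/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
+++ b/core/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
@@ -13,7 +13,7 @@
  * limitations under the License.
  */
 
-package org.springframework.security.context.httpinvoker;
+package org.springframework.security.remoting.httpinvoker;
 
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationCredentialsNotFoundException;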

+ 0 - 0
core/src/main/java/org/springframework/security/context/httpinvoker/package.html → core/src/main/java/org/springframework/security/remoting/httpinvoker/package.html


+ 1 - 1
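--- a/core/src/main/java/org/springframework/security/context/rmi/ContextPropagatingRemoteInvocation.java
+++ b/core/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java
@@ -13,7 +13,7 @@
  * limitations under the License.
  */
 
-package org.springframework.security.context.rmi;
+package org.springframework.security.remoting.rmi;
 
 import org.springframework.security.context.SecurityContext;
 import org.springframework.security.context.SecurityContextHolder;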

+ 1 - 1
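--- a/core/src/main/java/org/springframework/security/context/rmi/ContextPropagatingRemoteInvocationFactory.java
+++ b/core/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocationFactory.java
@@ -13,7 +13,7 @@
  * limitations under the License.
  */
 
-package org.springframework.security.context.rmi;
+package org.springframework.security.remoting.rmi;
 
 import org.aopalliance.intercept.MethodInvocation;
 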

+ 0 - 0
core/src/main/java/org/springframework/security/context/rmi/package.html → core/src/main/java/org/springframework/security/remoting/rmi/package.html


+ 0 - 50
core/src/main/java/org/springframework/security/ui/session/HttpSessionApplicationEvent.java

@@ -1,50 +0,0 @@
-/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.ui.session;
-
-import org.springframework.context.ApplicationEvent;
-
-import javax.servlet.http.HttpSession;
-
-
-/**
- * Parent class for published HttpSession events
- *
- * @author Ray Krueger
- */
-public abstract class HttpSessionApplicationEvent extends ApplicationEvent {
-    //~ Constructors ===================================================================================================
-
-/**
-     * Base constructor for all subclasses must have an HttpSession
-     *
-     * @param httpSession The session to carry as the event source.
-     */
-    public HttpSessionApplicationEvent(HttpSession httpSession) {
-        super(httpSession);
-    }
-
-    //~ Methods ========================================================================================================
-
-    /**
-     * Get the HttpSession that is the cause of the event
-     *
-     * @return HttpSession instance
-     */
-    public HttpSession getSession() {
-        return (HttpSession) getSource();
-    }
-}

+ 1 - 2
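--- a/core/src/test/java/org/springframework/security/afterinvocation/AfterInvocationProviderManagerTests.java
+++ b/core/src/test/java/org/springframework/security/afterinvocation/AfterInvocationProviderManagerTests.java
@@ -25,7 +25,6 @@ import org.springframework.security.AccessDeniedException;
 import org.springframework.security.Authentication;
 import org.springframework.security.ConfigAttribute;
 import org.springframework.security.SecurityConfig;
-import org.springframework.security.intercept.web.FilterInvocation;
 import org.springframework.security.util.SimpleMethodInvocation;
 
 
@@ -129,7 +128,7 @@ public class AfterInvocationProviderManagerTests extends TestCase {
         manager.setProviders(list);
         manager.afterPropertiesSet();
 
-        assertFalse(manager.supports(FilterInvocation.class));
+//        assertFalse(manager.supports(FilterInvocation.class));
         assertTrue(manager.supports(MethodInvocation.class));
     }
 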
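Review bot: The second hunk comments out the only negative assertion in this test, so nothing now checks that the manager refuses a secure-object type its providers do not handle. Rather than leaving `//        assertFalse(manager.supports(FilterInvocation.class));` behind, the check can be kept with a type that core can still see, for example `assertFalse(manager.supports(String.class));`, assuming the mock providers configured earlier in the method accept only MethodInvocation (their setup is outside the hunk). If the FilterInvocation case matters specifically, it presumably belongs in a test in the new web module.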

+ 6 - 8
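--- a/core/src/test/java/org/springframework/security/providers/ProviderManagerTests.java
+++ b/core/src/test/java/org/springframework/security/providers/ProviderManagerTests.java
@@ -15,10 +15,8 @@
 
 package org.springframework.security.providers;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.mock;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -32,7 +30,7 @@ import org.springframework.security.AuthenticationServiceException;
 import org.springframework.security.GrantedAuthority;
 import org.springframework.security.MockApplicationEventPublisher;
 import org.springframework.security.concurrent.ConcurrentLoginException;
-import org.springframework.security.concurrent.ConcurrentSessionControllerImpl;
+import org.springframework.security.concurrent.ConcurrentSessionController;
 import org.springframework.security.concurrent.NullConcurrentSessionController;
 import org.springframework.security.util.AuthorityUtils;
 
@@ -102,9 +100,9 @@ public class ProviderManagerTests {
         assertNotNull(target.getSessionController());
         assertTrue(target.getSessionController() instanceof NullConcurrentSessionController);
 
-        ConcurrentSessionControllerImpl impl = new ConcurrentSessionControllerImpl();
-        target.setSessionController(impl);
-        assertEquals(impl, target.getSessionController());
+        ConcurrentSessionController csc = mock(ConcurrentSessionController.class);
+        target.setSessionController(csc);
+        assertEquals(csc, target.getSessionController());
     }
 
     @Test(expected=IllegalArgumentException.class)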

+ 6 - 6
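--- a/core/src/test/java/org/springframework/security/providers/jaas/JaasAuthenticationProviderTests.java
+++ b/core/src/test/java/org/springframework/security/providers/jaas/JaasAuthenticationProviderTests.java
@@ -15,6 +15,8 @@
 
 package org.springframework.security.providers.jaas;
 
+import static org.mockito.Mockito.*;
+
 import java.net.URL;
 import java.security.Security;
 import java.util.List;
@@ -26,18 +28,16 @@ import junit.framework.TestCase;
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.support.ClassPathXmlApplicationContext;
-import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationException;
 import org.springframework.security.GrantedAuthority;
 import org.springframework.security.GrantedAuthorityImpl;
 import org.springframework.security.LockedException;
 import org.springframework.security.SpringSecurityException;
-import org.springframework.security.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.context.SecurityContextImpl;
+import org.springframework.security.event.SessionDestroyedEvent;
 import org.springframework.security.providers.TestingAuthenticationToken;
 import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
-import org.springframework.security.ui.session.HttpSessionDestroyedEvent;
 import org.springframework.security.util.AuthorityUtils;
 
 
@@ -204,10 +204,10 @@ public class JaasAuthenticationProviderTests extends TestCase {
         SecurityContextImpl context = new SecurityContextImpl();
         context.setAuthentication(token);
 
-        MockHttpSession mockSession = new MockHttpSession();
-        mockSession.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
+        SessionDestroyedEvent event = mock(SessionDestroyedEvent.class);
+        when(event.getSecurityContext()).thenReturn(context);
 
-        jaasProvider.onApplicationEvent(new HttpSessionDestroyedEvent(mockSession));
+        jaasProvider.handleLogout(event);
 
         assertTrue(loginContext.loggedOut);
     }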
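Review bot: The logout test in the last hunk now calls `jaasProvider.handleLogout(event)` directly, so the `instanceof SessionDestroyedEvent` dispatch in `onApplicationEvent` is no longer exercised by this test. A regression in that dispatch would leave JAAS logins active after session destruction while the test still passes. The mocked event can be sent through the listener entry point instead, `jaasProvider.onApplicationEvent(event);`, since a Mockito mock of SessionDestroyedEvent satisfies the instanceof check. The start of the test method is outside the hunk.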

+ 2 - 2
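--- a/core/src/test/java/org/springframework/security/context/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java
+++ b/core/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java
@@ -13,16 +13,16 @@
  * limitations under the License.
  */
 
-package org.springframework.security.context.httpinvoker;
+package org.springframework.security.remoting.httpinvoker;
 
 import junit.framework.TestCase;
 
 import org.springframework.security.Authentication;
 
 import org.springframework.security.context.SecurityContextHolder;
-import org.springframework.security.context.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
 
 import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
 
 import java.io.IOException;
 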

+ 3 - 1
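--- a/core/src/test/java/org/springframework/security/context/rmi/ContextPropagatingRemoteInvocationTests.java
+++ b/core/src/test/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocationTests.java
@@ -13,7 +13,7 @@
  * limitations under the License.
  */
 
-package org.springframework.security.context.rmi;
+package org.springframework.security.remoting.rmi;
 
 import junit.framework.TestCase;
 
@@ -23,6 +23,8 @@ import org.springframework.security.TargetObject;
 import org.springframework.security.context.SecurityContextHolder;
 
 import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.remoting.rmi.ContextPropagatingRemoteInvocation;
+import org.springframework.security.remoting.rmi.ContextPropagatingRemoteInvocationFactory;
 
 import org.springframework.security.util.SimpleMethodInvocation;
 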

+ 0 - 56
core/src/test/java/org/springframework/security/util/MockFilterChain.java

@@ -1,56 +0,0 @@
-/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.util;
-
-import java.io.IOException;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-
-import org.junit.Assert;
-
-
-/**
- * A mock <code>FilterChain</code>.
- *
- * @author Ben Alex
- * @version $Id$
- */
-public class MockFilterChain implements FilterChain {
-    //~ Instance fields ================================================================================================
-
-    private boolean expectToProceed;
-
-    //~ Constructors ===================================================================================================
-
-    public MockFilterChain() {
-        this(true);
-    }
-
-    public MockFilterChain(boolean expectToProceed) {
-        this.expectToProceed = expectToProceed;
-    }
-
-    //~ Methods ========================================================================================================
-
-    public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
-        if (!expectToProceed) {
-            Assert.fail("Did not expect filter chain to proceed");
-        }
-    }
-}

+ 2 - 2
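--- a/itest/context/src/test/java/org/springframework/security/performance/FilterChainPerformanceTests.java
+++ b/itest/context/src/test/java/org/springframework/security/performance/FilterChainPerformanceTests.java
@@ -18,10 +18,10 @@ import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.GrantedAuthority;
 import org.springframework.security.GrantedAuthorityImpl;
-import org.springframework.security.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.context.web.HttpSessionSecurityContextRepository;
 import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
-import org.springframework.security.util.FilterChainProxy;
+import org.springframework.security.web.util.FilterChainProxy;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.util.StopWatch;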

+ 3 - 3
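--- a/itest/context/src/test/resources/filter-chain-performance-app-context.xml
+++ b/itest/context/src/test/resources/filter-chain-performance-app-context.xml
@@ -11,13 +11,13 @@
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                         http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
 
-    <bean id="fcpMinimalStack" class="org.springframework.security.util.FilterChainProxy">
+    <bean id="fcpMinimalStack" class="org.springframework.security.web.util.FilterChainProxy">
         <sec:filter-chain-map path-type="ant">
             <sec:filter-chain pattern="/**" filters="scpf,preAuthFilter,etf,fsi"/>
         </sec:filter-chain-map>
     </bean>
 
-    <bean id="fcpFullStack" class="org.springframework.security.util.FilterChainProxy">
+    <bean id="fcpFullStack" class="org.springframework.security.web.util.FilterChainProxy">
         <sec:filter-chain-map path-type="ant">
             <sec:filter-chain pattern="/**" filters="scpf,preAuthFilter,apf,basicPf,logoutFilter,scharf,etf,fsi"/>
         </sec:filter-chain-map>
@@ -37,7 +37,7 @@
         <sec:user name="bob" password="bobspassword" authorities="ROLE_0,ROLE_1"/>
     </sec:user-service>
 
-    <bean id="scpf" class="org.springframework.security.context.SecurityContextPersistenceFilter"/>
+    <bean id="scpf" class="org.springframework.security.context.web.SecurityContextPersistenceFilter"/>
 
     <bean id="apf" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
         <property name="authenticationManager" ref="authenticationManager"/>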

+ 0 - 4
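--- a/ldap/pom.xml
+++ b/ldap/pom.xml
@@ -51,10 +51,6 @@
             <scope>runtime</scope>
             <optional>true</optional>
         </dependency>
-        <dependency>
-            <groupId>org.jmock</groupId>
-            <artifactId>jmock-junit4</artifactId>
-        </dependency>
         <dependency>
             <groupId>log4j</groupId>
             <artifactId>log4j</artifactId>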

+ 6 - 1
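--- a/ntlm/pom.xml
+++ b/ntlm/pom.xml
@@ -15,11 +15,16 @@
           <artifactId>spring-security-core</artifactId>
           <version>${project.version}</version>
         </dependency>
+        <dependency>
+          <groupId>org.springframework.security</groupId>
+          <artifactId>spring-security-web</artifactId>
+          <version>${project.version}</version>
+        </dependency>
         <dependency>
           <groupId>org.springframework.security</groupId>
           <artifactId>spring-security-ldap</artifactId>
           <version>${project.version}</version>
-        </dependency>        
+        </dependency>
         <!-- SMT NTLM-->
         <dependency>
             <groupId>org.samba.jcifs</groupId>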

+ 1 - 1
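--- a/openid/pom.xml
+++ b/openid/pom.xml
@@ -14,7 +14,7 @@
     <dependencies>
         <dependency>
             <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-core</artifactId>
+            <artifactId>spring-security-web</artifactId>
             <version>${project.version}</version>
         </dependency>
         <dependency>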

+ 18 - 9
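--- a/openid/src/test/java/org/springframework/security/ui/openid/OpenIDAuthenticationProcessingFilterTests.java
+++ b/openid/src/test/java/org/springframework/security/ui/openid/OpenIDAuthenticationProcessingFilterTests.java
@@ -1,16 +1,22 @@
 package org.springframework.security.ui.openid;
 
-import junit.framework.TestCase;
+import static org.junit.Assert.assertEquals;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.*;
+
+import javax.servlet.FilterChain;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Before;
+import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.MockAuthenticationManager;
 import org.springframework.security.ui.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.ui.openid.consumers.MockOpenIDConsumer;
-import org.springframework.security.util.MockFilterChain;
 
-import javax.servlet.http.HttpServletRequest;
-
-public class OpenIDAuthenticationProcessingFilterTests extends TestCase {
+public class OpenIDAuthenticationProcessingFilterTests {
 
     OpenIDAuthenticationProcessingFilter filter;
     private static final String REDIRECT_URL = "http://www.example.com/redirect";
@@ -19,7 +25,8 @@ public class OpenIDAuthenticationProcessingFilterTests extends TestCase {
     private static final String FILTER_PROCESS_URL = "http://localhost:80" + REQUEST_PATH;
     private static final String DEFAULT_TARGET_URL = FILTER_PROCESS_URL;
 
-    protected void setUp() throws Exception {
+    @Before
+    public void setUp() throws Exception {
         filter = new OpenIDAuthenticationProcessingFilter();
         filter.setConsumer(new MockOpenIDConsumer(REDIRECT_URL));
         SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
@@ -29,6 +36,7 @@ public class OpenIDAuthenticationProcessingFilterTests extends TestCase {
         filter.afterPropertiesSet();
     }
 
+    @Test
     public void testFilterOperation() throws Exception {
         MockHttpServletRequest req = new MockHttpServletRequest("GET", REQUEST_PATH);
         MockHttpServletResponse response = new MockHttpServletResponse();
@@ -45,9 +53,10 @@ public class OpenIDAuthenticationProcessingFilterTests extends TestCase {
             }
         });
 
-        filter.doFilter(req, response, new MockFilterChain(false));
+        FilterChain fc = mock(FilterChain.class);
+        filter.doFilter(req, response, fc);
         assertEquals(REDIRECT_URL, response.getRedirectedUrl());
+        // Filter chain shouldn't proceed
+        verify(fc, never()).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
     }
-
-
 }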
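Review bot: The negative check at the end of testFilterOperation depends on argument matchers: `verify(fc, never()).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class))` only proves the chain was not invoked with arguments those matchers accept. The test exists to show that the OpenID redirect is issued and the request does not continue down the chain, so `verifyZeroInteractions(fc);` states that property directly and does not rely on matcher semantics. The static imports would also read more clearly if the `Mockito.*` wildcard were replaced by the three names used (`mock`, `verify`, `never`). The middle of testFilterOperation lies between hunks and is not shown.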

+ 7 - 7
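--- a/pom.xml
+++ b/pom.xml
@@ -9,7 +9,7 @@
 
     <modules>
         <module>core</module>
-        <!-- module>web</module -->
+        <module>web</module>
         <module>ldap</module>
         <module>config</module>
         <module>acl</module>
@@ -300,6 +300,12 @@
             <artifactId>mockito-core</artifactId>
             <version>1.7</version>
         </dependency>
+        <dependency>
+            <groupId>org.jmock</groupId>
+            <artifactId>jmock-junit4</artifactId>
+            <version>2.5.1</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
@@ -814,12 +820,6 @@
                 <version>1.8.0.7</version>
                 <scope>runtime</scope>
             </dependency>
-            <dependency>
-                <groupId>org.jmock</groupId>
-                <artifactId>jmock-junit4</artifactId>
-                <version>2.5.1</version>
-                <scope>test</scope>
-            </dependency>
             <dependency>
                 <groupId>commons-logging</groupId>
                 <artifactId>commons-logging</artifactId>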

+ 1 - 1
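--- a/portlet/src/test/java/org/springframework/security/ui/portlet/PortletProcessingInterceptorTests.java
+++ b/portlet/src/test/java/org/springframework/security/ui/portlet/PortletProcessingInterceptorTests.java
@@ -39,7 +39,6 @@ import org.springframework.security.providers.TestingAuthenticationToken;
 import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
 import org.springframework.security.providers.portlet.PortletTestUtils;
 import org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken;
-import org.springframework.security.ui.AbstractProcessingFilter;
 import org.springframework.security.userdetails.User;
 import org.springframework.security.util.AuthorityUtils;
 
@@ -52,6 +51,7 @@ import org.springframework.security.util.AuthorityUtils;
  */
 @SuppressWarnings("unchecked")
 public class PortletProcessingInterceptorTests {
+    public static final String SPRING_SECURITY_LAST_EXCEPTION_KEY = "SPRING_SECURITY_LAST_EXCEPTION";
     //~ Methods ========================================================================================================
 
     @Before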
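Review bot: The new `SPRING_SECURITY_LAST_EXCEPTION_KEY` constant in PortletProcessingInterceptorTests is an undocumented copy of a production session-attribute name, so the test can keep passing against a stale key if the real one is ever renamed. The AbstractProcessingFilter import is dropped in the same section, which suggests that class was the previous source of the key, though the usages are outside the hunks. A comment above the field would record the link, for example `// Copy of AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY; keep in sync`. Since it is only a test helper, `private static final` is enough.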

+ 1 - 1
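--- a/samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml
+++ b/samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml
@@ -48,7 +48,7 @@
        <b:property name="targetUrl" value="/secure/index.htm"/>
     </b:bean>
 
-    <b:bean id="expressionHandler" class="org.springframework.security.expression.support.DefaultSecurityExpressionHandler">
+    <b:bean id="expressionHandler" class="org.springframework.security.expression.support.DefaultMethodSecurityExpressionHandler">
         <b:property name="permissionEvaluator" ref="permissionEvaluator" />
     </b:bean>
 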

+ 1 - 1
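--- a/samples/contacts/src/test/resources/applicationContext-contacts-test.xml
+++ b/samples/contacts/src/test/resources/applicationContext-contacts-test.xml
@@ -24,7 +24,7 @@
         <jdbc-user-service data-source-ref="dataSource"/>
     </authentication-provider>
 
-    <b:bean id="expressionHandler" class="org.springframework.security.expression.support.DefaultSecurityExpressionHandler">
+    <b:bean id="expressionHandler" class="org.springframework.security.expression.support.DefaultMethodSecurityExpressionHandler">
         <b:property name="permissionEvaluator" ref="permissionEvaluator" />
     </b:bean>
 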

+ 8 - 8
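--- a/samples/dms/src/main/java/sample/dms/DocumentDaoImpl.java
+++ b/samples/dms/src/main/java/sample/dms/DocumentDaoImpl.java
@@ -59,8 +59,8 @@ public class DocumentDaoImpl extends JdbcDaoSupport implements DocumentDao {
 
     /** Executes recursive SQL as needed to build a full Directory hierarchy of objects */
     private Directory getDirectoryWithImmediateParentPopulated(final Long id) {
-        return (Directory) getJdbcTemplate().queryForObject(SELECT_FROM_DIRECTORY_SINGLE, new Object[] {id}, new RowMapper() {
-            public Object mapRow(ResultSet rs, int rowNumber) throws SQLException {
+        return getJdbcTemplate().queryForObject(SELECT_FROM_DIRECTORY_SINGLE, new Object[] {id}, new RowMapper<Directory>() {
+            public Directory mapRow(ResultSet rs, int rowNumber) throws SQLException {
                 Long parentDirectoryId = new Long(rs.getLong("parent_directory_id"));
                 Directory parentDirectory = Directory.ROOT_DIRECTORY;
                 if (parentDirectoryId != null && !parentDirectoryId.equals(new Long(-1))) {
@@ -77,20 +77,20 @@ public class DocumentDaoImpl extends JdbcDaoSupport implements DocumentDao {
     public AbstractElement[] findElements(Directory directory) {
         Assert.notNull(directory, "Directory required (the ID can be null to refer to root)");
         if (directory.getId() == null) {
-            List directories = getJdbcTemplate().query(SELECT_FROM_DIRECTORY_NULL, new RowMapper() {
-                public Object mapRow(ResultSet rs, int rowNumber) throws SQLException {
+            List<Directory> directories = getJdbcTemplate().query(SELECT_FROM_DIRECTORY_NULL, new RowMapper<Directory>() {
+                public Directory mapRow(ResultSet rs, int rowNumber) throws SQLException {
                     return getDirectoryWithImmediateParentPopulated(new Long(rs.getLong("id")));
                 }
             });
             return (AbstractElement[]) directories.toArray(new AbstractElement[] {});
         }
-        List directories = getJdbcTemplate().query(SELECT_FROM_DIRECTORY, new Object[] {directory.getId()}, new RowMapper() {
-            public Object mapRow(ResultSet rs, int rowNumber) throws SQLException {
+        List<AbstractElement> directories = getJdbcTemplate().query(SELECT_FROM_DIRECTORY, new Object[] {directory.getId()}, new RowMapper<AbstractElement>() {
+            public Directory mapRow(ResultSet rs, int rowNumber) throws SQLException {
                 return getDirectoryWithImmediateParentPopulated(new Long(rs.getLong("id")));
             }
         });
-        List files = getJdbcTemplate().query(SELECT_FROM_FILE, new Object[] {directory.getId()}, new RowMapper() {
-            public Object mapRow(ResultSet rs, int rowNumber) throws SQLException {
+        List<File> files = getJdbcTemplate().query(SELECT_FROM_FILE, new Object[] {directory.getId()}, new RowMapper<File>() {
+            public File mapRow(ResultSet rs, int rowNumber) throws SQLException {
                 Long parentDirectoryId = new Long(rs.getLong("parent_directory_id"));
                 Directory parentDirectory = null;
                 if (parentDirectoryId != null) {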

+ 2 - 6
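--- a/samples/dms/src/main/resources/applicationContext-dms-secure.xml
+++ b/samples/dms/src/main/resources/applicationContext-dms-secure.xml
@@ -50,8 +50,6 @@
       <property name="providers">
          <list>
             <ref local="daoAuthenticationProvider"/>
-            <ref local="anonymousAuthenticationProvider"/>
-            <ref local="rememberMeAuthenticationProvider"/>
          </list>
       </property>
    </bean>
@@ -81,13 +79,11 @@
 
    <!-- Automatically receives AuthenticationEvent messages -->
    <bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
-
+<!--
    <bean id="anonymousAuthenticationProvider" class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
       <property name="key" value="foobar"/>
    </bean>
 
-   <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter"/>
-
    <bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
       <property name="userDetailsService" ref="jdbcDaoImpl"/>
       <property name="key" value="springRocks"/>
@@ -96,7 +92,7 @@
    <bean id="rememberMeAuthenticationProvider" class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
       <property name="key" value="springRocks"/>
    </bean>
-
+ -->
    <!-- ========================= "BEFORE INVOCATION" AUTHORIZATION DEFINITIONS ============================== -->
 
    <!-- ACL permission masks used by this application -->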
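Review bot: The anonymous and remember-me beans are switched off by wrapping them in an XML comment (`<!--` after loggerListener, ` -->` before the "BEFORE INVOCATION" banner) instead of being deleted, so the hard-coded keys `foobar` and `springRocks` stay in a sample that readers copy from. Deleting the block would make it plain that the sample now authenticates through daoAuthenticationProvider only. If the block is kept for reference, it needs a line above it such as `<!-- Disabled: anonymous and remember-me are not wired into this sample; replace the keys before re-enabling -->`. The lines between the second and third hunk are not shown, so it should be confirmed that the wrapped region holds no existing comment, because XML comments cannot nest.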

+ 1 - 1
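--- a/samples/pom.xml
+++ b/samples/pom.xml
@@ -16,7 +16,7 @@
         <module>preauth</module>
         <module>openid</module>
         <module>ldap</module>
-        <module>portlet</module>
+        <!-- module>portlet</module -->
         <module>cas</module>        
     </modules>
     <dependencies>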

+ 5 - 0
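--- a/sandbox/other/pom.xml
+++ b/sandbox/other/pom.xml
@@ -17,6 +17,11 @@
       <artifactId>spring-security-core</artifactId>
       <version>${project.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-ldap</artifactId>
+      <version>${project.version}</version>
+    </dependency>
     <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-core</artifactId>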

+ 0 - 4
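--- a/taglibs/pom.xml
+++ b/taglibs/pom.xml
@@ -43,10 +43,6 @@
             <artifactId>standard</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.jmock</groupId>
-            <artifactId>jmock-junit4</artifactId>
-        </dependency>
     </dependencies>
     <build>
         <resources>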

+ 57 - 0
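--- /dev/null
+++ b/web/pom.xml
@@ -0,0 +1,57 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.springframework.security</groupId>
+        <artifactId>spring-security-parent</artifactId>
+        <version>2.5.0-SNAPSHOT</version>
+    </parent>
+    <packaging>jar</packaging>
+    <artifactId>spring-security-web</artifactId>
+    <name>Spring Security - Web Application Security Module</name>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-core</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-core</artifactId>
+            <version>${project.version}</version>
+            <classifier>tests</classifier>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>org.springframework.web</artifactId>
+            <!-- optional>true</optional -->
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>org.springframework.jdbc</artifactId>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>org.springframework.test</artifactId>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>jaxen</groupId>
+            <artifactId>jaxen</artifactId>
+            <version>1.1.1</version>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>hsqldb</groupId>
+            <artifactId>hsqldb</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>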
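Review bot: The `spring-security-core` entry with `<classifier>tests</classifier>` and the `org.springframework.test` entry are declared `<optional>true</optional>` with no `<scope>`, so unless the parent's dependencyManagement (not visible here) assigns one, both resolve at compile scope and test-only helpers become usable from the module's main code. Giving each `<scope>test</scope>`, as the hsqldb entry already has, keeps mock and test classes off the main classpath of a security library. The commented-out `<!-- optional>true</optional -->` under org.springframework.web should either be removed or replaced by a comment saying that the dependency is mandatory for this module.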

+ 1 - 1
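--- a/core/src/main/java/org/springframework/security/concurrent/ConcurrentSessionFilter.java
+++ b/web/src/main/java/org/springframework/security/concurrent/ConcurrentSessionFilter.java
@@ -21,7 +21,7 @@ import org.springframework.security.ui.FilterChainOrder;
 import org.springframework.security.ui.SpringSecurityFilter;
 import org.springframework.security.ui.logout.LogoutHandler;
 import org.springframework.security.ui.logout.SecurityContextLogoutHandler;
-import org.springframework.security.util.UrlUtils;
+import org.springframework.security.web.util.UrlUtils;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.util.Assert;
 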

+ 0 - 0
core/src/main/java/org/springframework/security/concurrent/SessionRegistryImpl.java → web/src/main/java/org/springframework/security/concurrent/SessionRegistryImpl.java


+ 6 - 0
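--- /dev/null
+++ b/web/src/main/java/org/springframework/security/concurrent/package.html
@@ -0,0 +1,6 @@
+<html>
+<body>
+Concurrent session control and registration classes.
+</body>
+</html>
+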

+ 1 - 1
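--- a/core/src/main/java/org/springframework/security/context/HttpRequestResponseHolder.java
+++ b/web/src/main/java/org/springframework/security/context/web/HttpRequestResponseHolder.java
@@ -1,4 +1,4 @@
-package org.springframework.security.context;
+package org.springframework.security.context.web;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;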

+ 4 - 1
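--- a/core/src/main/java/org/springframework/security/context/HttpSessionContextIntegrationFilter.java
+++ b/web/src/main/java/org/springframework/security/context/web/HttpSessionContextIntegrationFilter.java
@@ -13,11 +13,14 @@
  * limitations under the License.
  */
 
-package org.springframework.security.context;
+package org.springframework.security.context.web;
 
 import javax.servlet.ServletException;
 
 import org.springframework.beans.factory.InitializingBean;
+import org.springframework.security.context.SecurityContext;
+import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.context.SecurityContextImpl;
 import org.springframework.security.ui.FilterChainOrder;
 
 /**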

+ 5 - 1
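--- a/core/src/main/java/org/springframework/security/context/HttpSessionSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/context/web/HttpSessionSecurityContextRepository.java
@@ -1,4 +1,4 @@
-package org.springframework.security.context;
+package org.springframework.security.context.web;
 
 import java.lang.reflect.Method;
 
@@ -10,6 +10,10 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.AuthenticationTrustResolver;
 import org.springframework.security.AuthenticationTrustResolverImpl;
+import org.springframework.security.context.SecurityContext;
+import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.context.SecurityContextHolderStrategy;
+import org.springframework.security.context.SecurityContextImpl;
 import org.springframework.util.Assert;
 import org.springframework.util.ReflectionUtils;
 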

+ 4 - 1
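--- a/core/src/main/java/org/springframework/security/context/SaveContextOnUpdateOrErrorResponseWrapper.java
+++ b/web/src/main/java/org/springframework/security/context/web/SaveContextOnUpdateOrErrorResponseWrapper.java
@@ -1,10 +1,13 @@
-package org.springframework.security.context;
+package org.springframework.security.context.web;
 
 import java.io.IOException;
 
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpServletResponseWrapper;
 
+import org.springframework.security.context.SecurityContext;
+import org.springframework.security.context.SecurityContextHolder;
+
 /**
  * Base class for response wrappers which encapsulate the logic for storing a security context and which
  * store the with the <code>SecurityContext</code> when a <code>sendError()</code> or <code>sendRedirect</code>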

+ 3 - 1
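--- a/core/src/main/java/org/springframework/security/context/SecurityContextPersistenceFilter.java
+++ b/web/src/main/java/org/springframework/security/context/web/SecurityContextPersistenceFilter.java
@@ -1,4 +1,4 @@
-package org.springframework.security.context;
+package org.springframework.security.context.web;
 
 import java.io.IOException;
 
@@ -8,6 +8,8 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.springframework.security.context.SecurityContext;
+import org.springframework.security.context.SecurityContextHolder;
 import org.springframework.security.ui.FilterChainOrder;
 import org.springframework.security.ui.SpringSecurityFilter;
 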

+ 4 - 2
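--- a/core/src/main/java/org/springframework/security/context/SecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/context/web/SecurityContextRepository.java
@@ -1,8 +1,10 @@
-package org.springframework.security.context;
+package org.springframework.security.context.web;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.security.context.SecurityContext;
+
 /**
  * Strategy used for persisting a {@link SecurityContext} between requests.
  * <p>
@@ -43,7 +45,7 @@ public interface SecurityContextRepository {
     /**
      * Stores the security context on completion of a request.
      *
-     * @param context the non-null context which was obtained f
+     * @param context the non-null context which was obtained from the holder.
      * @param request
      * @param response
      */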

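--- a/core/src/main/java/org/springframework/security/expression/web/ExpressionBasedFilterInvocationSecurityMetadataSource.java
+++ b/web/src/main/java/org/springframework/security/expression/web/ExpressionBasedFilterInvocationSecurityMetadataSource.java
@@ -10,7 +10,6 @@ import org.apache.commons.logging.LogFactory;
 import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.ParseException;
 import org.springframework.security.ConfigAttribute;
-import org.springframework.security.expression.SecurityExpressionHandler;
 import org.springframework.security.intercept.web.DefaultFilterInvocationSecurityMetadataSource;
 import org.springframework.security.intercept.web.RequestKey;
 import org.springframework.security.util.UrlMatcher;
@@ -27,7 +26,7 @@ public final class ExpressionBasedFilterInvocationSecurityMetadataSource extends
     private final static Log logger = LogFactory.getLog(ExpressionBasedFilterInvocationSecurityMetadataSource.class);
 
     public ExpressionBasedFilterInvocationSecurityMetadataSource(UrlMatcher urlMatcher,
-            LinkedHashMap<RequestKey, List<ConfigAttribute>> requestMap, SecurityExpressionHandler expressionHandler) {
+            LinkedHashMap<RequestKey, List<ConfigAttribute>> requestMap, WebSecurityExpressionHandler expressionHandler) {
         super(urlMatcher, processMap(requestMap, expressionHandler.getExpressionParser()));
         Assert.notNull(expressionHandler, "A non-null SecurityExpressionHandler is required");
     }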
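Review bot: The `Assert.notNull(expressionHandler, …)` in the constructor runs after `expressionHandler.getExpressionParser()` has already been dereferenced inside the `super(...)` call, so a null handler surfaces as a bare NullPointerException and the assertion can never fire. Its message also still names the old type; with the parameter now `WebSecurityExpressionHandler` it should read `"A non-null WebSecurityExpressionHandler is required"`. Because `super(...)` must be the first statement, the check would have to move into the static `processMap` helper, or into a small static wrapper that validates the handler before returning its parser. `processMap` is defined outside the hunk, so its current signature is not visible here.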

+ 0 - 0
core/src/main/java/org/springframework/security/expression/web/WebExpressionConfigAttribute.java → web/src/main/java/org/springframework/security/expression/web/WebExpressionConfigAttribute.java


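--- a/core/src/main/java/org/springframework/security/expression/web/WebExpressionVoter.java
+++ b/web/src/main/java/org/springframework/security/expression/web/WebExpressionVoter.java
@@ -6,8 +6,9 @@ import org.springframework.expression.EvaluationContext;
 import org.springframework.security.Authentication;
 import org.springframework.security.ConfigAttribute;
 import org.springframework.security.expression.ExpressionUtils;
-import org.springframework.security.expression.SecurityExpressionHandler;
-import org.springframework.security.expression.support.DefaultSecurityExpressionHandler;
+import org.springframework.security.expression.MethodSecurityExpressionHandler;
+import org.springframework.security.expression.support.DefaultMethodSecurityExpressionHandler;
+import org.springframework.security.expression.web.support.DefaultWebSecurityExpressionHandler;
 import org.springframework.security.intercept.web.FilterInvocation;
 import org.springframework.security.vote.AccessDecisionVoter;
 
@@ -18,7 +19,7 @@ import org.springframework.security.vote.AccessDecisionVoter;
  * @since 2.5
  */
 public class WebExpressionVoter implements AccessDecisionVoter {
-    private SecurityExpressionHandler expressionHandler = new DefaultSecurityExpressionHandler();
+    private WebSecurityExpressionHandler expressionHandler = new DefaultWebSecurityExpressionHandler();
 
     public int vote(Authentication authentication, Object object, List<ConfigAttribute> attributes) {
         assert authentication != null;
@@ -55,7 +56,7 @@ public class WebExpressionVoter implements AccessDecisionVoter {
         return clazz.isAssignableFrom(FilterInvocation.class);
     }
 
-    public void setExpressionHandler(SecurityExpressionHandler expressionHandler) {
+    public void setExpressionHandler(WebSecurityExpressionHandler expressionHandler) {
         this.expressionHandler = expressionHandler;
     }
 }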
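Review bot: `setExpressionHandler` stores whatever it is given, so a null coming from configuration replaces the default `DefaultWebSecurityExpressionHandler` and would presumably only be discovered when `vote` uses the handler on a live request. A fail-fast guard in the setter, e.g. `Assert.notNull(expressionHandler, "expressionHandler cannot be null");` (this needs `org.springframework.util.Assert` if the file does not already import it), keeps a misconfigured voter out of the access-decision path. Separately, the newly added imports of `MethodSecurityExpressionHandler` and `DefaultMethodSecurityExpressionHandler` are not used by any line shown in these hunks and look like leftovers that tie the web voter to the method-security types; check them against the full file and drop them if unused. The body of `vote` lies outside the hunks.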

+ 19 - 0
web/src/main/java/org/springframework/security/expression/web/WebSecurityExpressionHandler.java

@@ -0,0 +1,19 @@
+package org.springframework.security.expression.web;
+
+import org.springframework.expression.EvaluationContext;
+import org.springframework.expression.ExpressionParser;
+import org.springframework.security.Authentication;
+import org.springframework.security.intercept.web.FilterInvocation;
+
+public interface WebSecurityExpressionHandler {
+    /**
+     * @return an expression parser for the expressions used by the implementation.
+     */
+    ExpressionParser getExpressionParser();
+
+    /**
+     * Provides an evaluation context in which to evaluate security expressions for a web invocation.
+     */
+    EvaluationContext createEvaluationContext(Authentication authentication, FilterInvocation fi);
+
+}
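Review bot: The new interface has no type-level Javadoc and `createEvaluationContext` does not document its parameters or return value, even though this is the extension point that decides what a web access expression can see. I would add a class comment such as `/** Strategy for parsing and evaluating the security expressions attached to web requests. */`, and on the method `@param authentication the current user's authentication`, `@param fi the invocation being secured` and `@return the context the expression is evaluated in`. It is also worth stating whether either argument may be null, since the implementation added alongside it passes both straight to `WebSecurityExpressionRoot` without a check.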

+ 39 - 0
web/src/main/java/org/springframework/security/expression/web/support/DefaultWebSecurityExpressionHandler.java

@@ -0,0 +1,39 @@
+package org.springframework.security.expression.web.support;
+
+import org.springframework.expression.EvaluationContext;
+import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.spel.antlr.SpelAntlrExpressionParser;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
+import org.springframework.security.Authentication;
+import org.springframework.security.AuthenticationTrustResolver;
+import org.springframework.security.AuthenticationTrustResolverImpl;
+import org.springframework.security.expression.support.SecurityExpressionRoot;
+import org.springframework.security.expression.web.WebSecurityExpressionHandler;
+import org.springframework.security.intercept.web.FilterInvocation;
+
+/**
+ * Facade which isolates Spring Security's requirements for evaluating web-security expressions
+ * from the implementation of the underlying expression objects.
+ *
+ * @author Luke Taylor
+ * @version $Id$
+ * @since 2.5
+ */
+public class DefaultWebSecurityExpressionHandler implements WebSecurityExpressionHandler {
+
+    private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+    private ExpressionParser expressionParser = new SpelAntlrExpressionParser();
+
+    public ExpressionParser getExpressionParser() {
+        return expressionParser;
+    }
+
+    public EvaluationContext createEvaluationContext(Authentication authentication, FilterInvocation fi) {
+        StandardEvaluationContext ctx = new StandardEvaluationContext();
+        SecurityExpressionRoot root = new WebSecurityExpressionRoot(authentication, fi);
+        root.setTrustResolver(trustResolver);
+        ctx.setRootObject(root);
+
+        return ctx;
+    }
+}
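Review bot: `createEvaluationContext` builds a `StandardEvaluationContext`, which gives SpEL expressions full method-invocation and type-reference capability, and nothing in the class records where the expression strings are allowed to come from. A short comment on the method, e.g. `// Expressions evaluated in this context must come from trusted application configuration, never from request data.`, would capture that assumption for anyone who later wires in a different source of expressions. The `trustResolver` and `expressionParser` fields are assigned once and have no setters in this file, so they can be declared `private final`.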

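--- a/core/src/main/java/org/springframework/security/expression/support/WebSecurityExpressionRoot.java
+++ b/web/src/main/java/org/springframework/security/expression/web/support/WebSecurityExpressionRoot.java
@@ -1,10 +1,11 @@
-package org.springframework.security.expression.support;
+package org.springframework.security.expression.web.support;
 
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.util.Arrays;
 
 import org.springframework.security.Authentication;
+import org.springframework.security.expression.support.SecurityExpressionRoot;
 import org.springframework.security.intercept.web.FilterInvocation;
 import org.springframework.util.StringUtils;
 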

+ 0 - 0
core/src/main/java/org/springframework/security/intercept/web/DefaultFilterInvocationSecurityMetadataSource.java → web/src/main/java/org/springframework/security/intercept/web/DefaultFilterInvocationSecurityMetadataSource.java


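--- a/core/src/main/java/org/springframework/security/intercept/web/FilterInvocation.java
+++ b/web/src/main/java/org/springframework/security/intercept/web/FilterInvocation.java
@@ -15,7 +15,7 @@
 
 package org.springframework.security.intercept.web;
 
-import org.springframework.security.util.UrlUtils;
+import org.springframework.security.web.util.UrlUtils;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletRequest;
@@ -65,7 +65,7 @@ public class FilterInvocation {
      * Indicates the URL that the user agent used for this request.
      * <p>
      * The returned URL does <b>not</b> reflect the port number determined from a
-     * {@link org.springframework.security.util.PortResolver}.
+     * {@link org.springframework.security.web.util.PortResolver}.
      *
      * @return the full URL of this request
      */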

+ 0 - 0
core/src/main/java/org/springframework/security/intercept/web/FilterInvocationSecurityMetadataSource.java → web/src/main/java/org/springframework/security/intercept/web/FilterInvocationSecurityMetadataSource.java


+ 0 - 0
core/src/main/java/org/springframework/security/intercept/web/FilterSecurityInterceptor.java → web/src/main/java/org/springframework/security/intercept/web/FilterSecurityInterceptor.java


+ 0 - 0
core/src/main/java/org/springframework/security/intercept/web/RequestKey.java → web/src/main/java/org/springframework/security/intercept/web/RequestKey.java


+ 0 - 0
core/src/main/java/org/springframework/security/intercept/web/WebInvocationPrivilegeEvaluator.java → web/src/main/java/org/springframework/security/intercept/web/WebInvocationPrivilegeEvaluator.java


+ 0 - 0
core/src/main/java/org/springframework/security/intercept/web/package.html → web/src/main/java/org/springframework/security/intercept/web/package.html


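--- a/core/src/main/java/org/springframework/security/securechannel/AbstractRetryEntryPoint.java
+++ b/web/src/main/java/org/springframework/security/securechannel/AbstractRetryEntryPoint.java
@@ -1,9 +1,9 @@
 package org.springframework.security.securechannel;
 
-import org.springframework.security.util.PortMapper;
-import org.springframework.security.util.PortResolver;
-import org.springframework.security.util.PortMapperImpl;
-import org.springframework.security.util.PortResolverImpl;
+import org.springframework.security.web.util.PortMapper;
+import org.springframework.security.web.util.PortMapperImpl;
+import org.springframework.security.web.util.PortResolver;
+import org.springframework.security.web.util.PortResolverImpl;
 import org.springframework.util.Assert;
 
 import org.apache.commons.logging.Log;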

+ 0 - 0
core/src/main/java/org/springframework/security/securechannel/ChannelDecisionManager.java → web/src/main/java/org/springframework/security/securechannel/ChannelDecisionManager.java


+ 0 - 0
core/src/main/java/org/springframework/security/securechannel/ChannelDecisionManagerImpl.java → web/src/main/java/org/springframework/security/securechannel/ChannelDecisionManagerImpl.java


+ 0 - 0
core/src/main/java/org/springframework/security/securechannel/ChannelEntryPoint.java → web/src/main/java/org/springframework/security/securechannel/ChannelEntryPoint.java


+ 0 - 0
core/src/main/java/org/springframework/security/securechannel/ChannelProcessingFilter.java → web/src/main/java/org/springframework/security/securechannel/ChannelProcessingFilter.java


+ 0 - 0
core/src/main/java/org/springframework/security/securechannel/ChannelProcessor.java → web/src/main/java/org/springframework/security/securechannel/ChannelProcessor.java


+ 0 - 0
core/src/main/java/org/springframework/security/securechannel/InsecureChannelProcessor.java → web/src/main/java/org/springframework/security/securechannel/InsecureChannelProcessor.java


+ 0 - 0
core/src/main/java/org/springframework/security/securechannel/RetryWithHttpEntryPoint.java → web/src/main/java/org/springframework/security/securechannel/RetryWithHttpEntryPoint.java


+ 0 - 0
core/src/main/java/org/springframework/security/securechannel/RetryWithHttpsEntryPoint.java → web/src/main/java/org/springframework/security/securechannel/RetryWithHttpsEntryPoint.java


+ 0 - 0
core/src/main/java/org/springframework/security/securechannel/SecureChannelProcessor.java → web/src/main/java/org/springframework/security/securechannel/SecureChannelProcessor.java


+ 0 - 0
core/src/main/java/org/springframework/security/securechannel/package.html → web/src/main/java/org/springframework/security/securechannel/package.html


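--- a/core/src/main/java/org/springframework/security/ui/AbstractAuthenticationTargetUrlRequestHandler.java
+++ b/web/src/main/java/org/springframework/security/ui/AbstractAuthenticationTargetUrlRequestHandler.java
@@ -12,8 +12,8 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.Authentication;
 import org.springframework.security.ui.logout.LogoutHandler;
-import org.springframework.security.util.RedirectUtils;
-import org.springframework.security.util.UrlUtils;
+import org.springframework.security.web.util.RedirectUtils;
+import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 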

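--- a/core/src/main/java/org/springframework/security/ui/AbstractProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/ui/AbstractProcessingFilter.java
@@ -38,8 +38,8 @@ import org.springframework.security.context.SecurityContextHolder;
 import org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent;
 import org.springframework.security.ui.rememberme.NullRememberMeServices;
 import org.springframework.security.ui.rememberme.RememberMeServices;
-import org.springframework.security.util.SessionUtils;
-import org.springframework.security.util.UrlUtils;
+import org.springframework.security.web.util.SessionUtils;
+import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
 
 /**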

+ 0 - 0
core/src/main/java/org/springframework/security/ui/AccessDeniedHandler.java → web/src/main/java/org/springframework/security/ui/AccessDeniedHandler.java


+ 0 - 0
core/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java → web/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java


+ 0 - 0
core/src/main/java/org/springframework/security/ui/AuthenticationEntryPoint.java → web/src/main/java/org/springframework/security/ui/AuthenticationEntryPoint.java


+ 0 - 0
core/src/main/java/org/springframework/security/ui/AuthenticationFailureHandler.java → web/src/main/java/org/springframework/security/ui/AuthenticationFailureHandler.java


+ 0 - 0
core/src/main/java/org/springframework/security/ui/AuthenticationSuccessHandler.java → web/src/main/java/org/springframework/security/ui/AuthenticationSuccessHandler.java


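--- a/core/src/main/java/org/springframework/security/ui/ExceptionMappingAuthenticationFailureHandler.java
+++ b/web/src/main/java/org/springframework/security/ui/ExceptionMappingAuthenticationFailureHandler.java
@@ -9,8 +9,8 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.springframework.security.AuthenticationException;
-import org.springframework.security.util.RedirectUtils;
-import org.springframework.security.util.UrlUtils;
+import org.springframework.security.web.util.RedirectUtils;
+import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
 
 /**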

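--- a/core/src/main/java/org/springframework/security/ui/ExceptionTranslationFilter.java
+++ b/web/src/main/java/org/springframework/security/ui/ExceptionTranslationFilter.java
@@ -23,10 +23,10 @@ import org.springframework.security.AuthenticationTrustResolverImpl;
 import org.springframework.security.InsufficientAuthenticationException;
 import org.springframework.security.context.SecurityContextHolder;
 import org.springframework.security.ui.savedrequest.SavedRequest;
-import org.springframework.security.util.PortResolver;
-import org.springframework.security.util.PortResolverImpl;
 import org.springframework.security.util.ThrowableAnalyzer;
 import org.springframework.security.util.ThrowableCauseExtractor;
+import org.springframework.security.web.util.PortResolver;
+import org.springframework.security.web.util.PortResolverImpl;
 import org.springframework.beans.factory.InitializingBean;
 
 import org.springframework.util.Assert;
@@ -176,7 +176,7 @@ public class ExceptionTranslationFilter extends SpringSecurityFilter implements
      * <code>false</code>.
      * <p>
      * Remember to also set
-     * {@link org.springframework.security.context.HttpSessionSecurityContextRepository#setAllowSessionCreation(boolean)}
+     * {@link org.springframework.security.context.web.HttpSessionSecurityContextRepository#setAllowSessionCreation(boolean)}
      * to <code>false</code> if you set this property to <code>false</code>.
      *
      * @return <code>true</code> if the <code>HttpSession</code> will be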

+ 0 - 0
core/src/main/java/org/springframework/security/ui/FilterChainOrder.java → web/src/main/java/org/springframework/security/ui/FilterChainOrder.java


部分文件因为文件数量过多而无法显示