SEC-271: Added more security elements

core/src/main/java/org/acegisecurity/config/AuthenticationMechanismBeanDefinitionParser.java

@@ -44,7 +44,7 @@ public class AuthenticationMechanismBeanDefinitionParser extends AbstractBeanDef
 
 			if (node.getNodeType() == Node.ELEMENT_NODE) {
 				Element childElement = (Element) node;
-				providerExists = true;
+				this.providerExists = true;
 
 				if (AUTHENTICATION_JDBC.equals(node.getLocalName())) {
 					String attribute = childElement.getAttribute(REF);
@@ -60,7 +60,7 @@ public class AuthenticationMechanismBeanDefinitionParser extends AbstractBeanDef
 
 		}
 
-		if (!providerExists) {
+		if (!this.providerExists) {
 			RootBeanDefinition rootBeanDefinition = new RootBeanDefinition(AuthenticationProviderOrderResolver.class);
 			BeanDefinitionHolder beanDefinitionHolder = new BeanDefinitionHolder(rootBeanDefinition,
 					"providerOrderResolver");

core/src/main/java/org/acegisecurity/config/LogoutFilterBeanDefinitionParser.java

@@ -4,9 +4,6 @@
 package org.acegisecurity.config;
 
 import org.acegisecurity.ui.logout.LogoutFilter;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.beans.factory.config.BeanDefinitionHolder;
 import org.springframework.beans.factory.support.AbstractBeanDefinition;
 import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.beans.factory.xml.AbstractBeanDefinitionParser;
@@ -34,9 +31,7 @@ public class LogoutFilterBeanDefinitionParser extends AbstractBeanDefinitionPars
 		// add the properties
 		RootBeanDefinition definition = new RootBeanDefinition(LogoutFilter.class);
 		setConstructorArgumentIfAvailable(0, element, REDIRECT_AFTER_LOGOUT_URL, "logoutSuccessUrl", definition);
-		// setPropertyIfAvailable(element,
-		// element.getAttribute(REDIRECT_AFTER_LOGOUT_URL), "logoutSuccessUrl",
-		// definition);
+		
 		setPropertyIfAvailable(element, LOGOUT_URL, "filterProcessesUrl", definition);
 
 		// register BFPP to check if LogoutFilter does not have setHandlers

core/src/main/java/org/acegisecurity/config/SecurityNamespaceHandler.java

@@ -26,6 +26,8 @@ public class SecurityNamespaceHandler extends NamespaceHandlerSupport {
 		registerBeanDefinitionParser("authentication-remember-me-services", new RememberMeServicesBeanDefinitionParser());
 		registerBeanDefinitionParser("authentication-remember-me-filter", new RememberMeFilterBeanDefinitionParser());
 		registerBeanDefinitionParser("logout-support", new LogoutFilterBeanDefinitionParser());
+		registerBeanDefinitionParser("exception-translation", new ExceptionTranslationFilterBeanDefinitionParser());
+		registerBeanDefinitionParser("authentication-form", new AuthenticationProcessingFilterBeanDefinitionParser());
 	}
 
 }

core/src/main/resources/org/acegisecurity/config/spring-security-2.0.xsd

@@ -124,6 +124,103 @@
 			type="xsd:string" use="optional" />
 	</xsd:complexType>
 
+	<!-- Logout Filter -->
+	<xsd:element name="logout-support" type="LogoutFilter" />
+
+	<xsd:complexType name="LogoutFilter">
+		<!-- Write other attributes -->
+		<xsd:attribute name="id" type="xsd:ID" />
+		<xsd:attribute name="redirectAfterLogoutUrl" type="xsd:string"
+			default="/" />
+		<xsd:attribute name="logoutUrl" type="xsd:string"
+			default="/logout" />
+	</xsd:complexType>
+
+	<!-- Exception Translation Filter -->
+	<xsd:element name="exception-translation"
+		type="ExceptionTranslation" />
+
+	<xsd:complexType name="ExceptionTranslation">
+		<xsd:all>
+			<xsd:element ref="entry-point" maxOccurs="1" />
+			<xsd:element ref="access-denied" maxOccurs="1"
+				minOccurs="0" />
+		</xsd:all>
+		<xsd:attribute name="id" type="xsd:ID">
+			<xsd:annotation>
+				<xsd:documentation>
+					<![CDATA[
+	The unique identifier for a bean.
+				]]>
+				</xsd:documentation>
+			</xsd:annotation>
+		</xsd:attribute>
+	</xsd:complexType>
+
+	<xsd:element name="entry-point">
+		<xsd:complexType>
+			<xsd:attribute name="entryPointBeanRef" type="xsd:string" />
+		</xsd:complexType>
+	</xsd:element>
+
+	<xsd:element name="access-denied">
+		<xsd:complexType>
+			<xsd:attribute name="accessDeniedUrl" type="xsd:string"
+				use="optional" />
+			<xsd:attribute name="accessDeniedBeanRef" type="xsd:string"
+				use="optional" />
+		</xsd:complexType>
+	</xsd:element>
+
+	<!-- AuthenticationProcessigFilter -->
+	<xsd:element name="authentication-form"
+		type="AuthenticationProcessingFilter" />
+
+	<xsd:complexType name="AuthenticationProcessingFilter">
+		<xsd:attribute name="id" type="xsd:ID">
+			<xsd:annotation>
+				<xsd:documentation>
+					<![CDATA[
+	The unique identifier for a bean.
+				]]>
+				</xsd:documentation>
+			</xsd:annotation>
+		</xsd:attribute>
+		<xsd:attribute name="authenticationUrl" type="xsd:string"
+			use="required">
+			<xsd:annotation>
+				<xsd:documentation>
+					<![CDATA[
+	The URL destination that this filter intercepts and processes (usually something like
+     /login) 
+				]]>
+				</xsd:documentation>
+			</xsd:annotation>
+		</xsd:attribute>
+		<xsd:attribute name="defaultTargetUrl" type="xsd:string"
+			use="required">
+			<xsd:annotation>
+				<xsd:documentation>
+					<![CDATA[
+	Where to redirect the browser to if authentication is successful but ACEGI_SAVED_REQUEST_KEY is
+     null
+				]]>
+				</xsd:documentation>
+			</xsd:annotation>
+		</xsd:attribute>
+		<xsd:attribute name="errorFormUrl" type="xsd:string"
+			use="required">
+			<xsd:annotation>
+				<xsd:documentation>
+					<![CDATA[
+	Where to redirect the browser to if authentication fails.
+				]]>
+				</xsd:documentation>
+			</xsd:annotation>
+		</xsd:attribute>
+	</xsd:complexType>
+
+
 
 	<xsd:element name="authentication-mechanism"
 		type="AuthenticationManager" />
@@ -158,30 +255,10 @@
 		</xsd:complexType>
 	</xsd:element>
 
-	<xsd:element name="logout-support" type="LogoutFilter" />
 
-	<xsd:complexType name="LogoutFilter">
-		<!-- <xsd:all>
-			<xsd:element name="clear-context" minOccurs="0" maxOccurs="1">
-			<xsd:complexType>
-			<xsd:attribute name="invalidateHttpSession"
-			type="xsd:boolean" default="true" use="optional" />
-			</xsd:complexType>
-			</xsd:element>
-			<xsd:element name="clear-remember-me" minOccurs="0" maxOccurs="1">>
-			<xsd:complexType>
-			<xsd:attribute name="rememberMeServicesBeanRef"
-			type="xsd:string" use="optional" />
-			</xsd:complexType>
-			</xsd:element>
-			</xsd:all> -->
-		<!-- Write other attributes -->
-		<xsd:attribute name="id" type="xsd:ID" />
-		<xsd:attribute name="redirectAfterLogoutUrl" type="xsd:string"
-			default="/" />
-		<xsd:attribute name="logoutUrl" type="xsd:string"
-			default="/logout" />
-	</xsd:complexType>
+
+
+
 
 	<xsd:element name="principal-repository" type="PrincipalRepository" />
 
@@ -339,6 +416,8 @@
 		</xsd:restriction>
 	</xsd:simpleType>
 
+
+
 	<xsd:simpleType name="encoders">
 		<xsd:restriction base="xsd:NMTOKEN">
 			<xsd:enumeration value="md5" />

core/src/test/java/org/acegisecurity/config/LogoutFilterBeanDefinitionParserTests.java

@@ -14,7 +14,7 @@ import junit.framework.TestCase;
  */
 public class LogoutFilterBeanDefinitionParserTests extends TestCase {
 	
-	public void testXX(){
+	public void testLogoutFilter(){
 		ApplicationContext context = new ClassPathXmlApplicationContext("org/acegisecurity/config/logout-filter-with-handlers.xml");
 	}
 

core/src/test/java/org/acegisecurity/config/RememberMeBeanDefinitionParserTest.java

@@ -7,7 +7,7 @@ import org.springframework.context.support.ClassPathXmlApplicationContext;
 
 public class RememberMeBeanDefinitionParserTest extends TestCase {
 	
-	public void testRememberMeDefaults() {
+	public void testParserDefaults() {
 		ApplicationContext context = new ClassPathXmlApplicationContext("org/acegisecurity/config/principal-repository-properties.xml");
 		
 		

core/src/test/resources/org/acegisecurity/config/authentication-dao-defaults.xml

@@ -15,14 +15,8 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
 	<!--  autocreate userDetailsService with dataSource(search in ctx) injected -->
 
 	<security:authentication-repository id="authenticationRepository">
-		<!--<security:salt-source>
-			<security:system-wide systemWideSalt="12345" />
-		</security:salt-source>
-		--><security:password-encoder encoderBeanRef="passwordEncoder"/>
-		<!-- OR <security:password-encoder>
-				<security:encoder method="md5"/>
-		</security:password-encoder>
-	--></security:authentication-repository>
+		<security:password-encoder encoderBeanRef="passwordEncoder" />
+	</security:authentication-repository>
 
 	<bean id="userDetailsService"
 		class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">

core/src/test/resources/org/acegisecurity/config/logout-filter-with-handlers.xml

@@ -14,7 +14,7 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
 	<!-- If LogoutFilter does not have setHandlers populated, introspect app ctx for LogoutHandlers, using Ordered (if present, otherwise assume Integer.MAX_VALUE) -->
 	<!-- The logoutUrl and redirectAfterLogout are both optional and default to that shown -->
 	<security:logout-support id="logoutFilter"
-		redirectAfterLogoutUrl="/" logoutUrl="/logout" />
+		redirectAfterLogoutUrl="/" logoutUrl="/logout"/>
 
 	<security:authentication-remember-me-services
 		id="rememberMeServices" key="someValue" />

core/src/test/resources/org/acegisecurity/config/security-namespaces.xml

@@ -12,12 +12,15 @@
 	<!-- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd" -->
 
 	<!-- introspect all bean definitions for an explicit object of a "required" type, and if not found, add it. You can turn OFF ones you dont want added via attributes -->
-	<security:security-autoconfig exceptionTranslation="disable" sessionContextIntegration="disable" logoutSupport="disable" filterChain="disable"  servletRequestEmulation="disabled" anonyomousRoleGranter="disabled"/>
+	<security:security-autoconfig exceptionTranslation="disable"
+		sessionContextIntegration="disable" logoutSupport="disable"
+		filterChain="disable" servletRequestEmulation="disabled"
+		anonyomousRoleGranter="disabled" />
 
 	<!-- autodetect attribute is the default, and an exception is thrown if false, as the expectation is they will write their own legacy <beans> format
-	FilterChainProxy bean definition is dissatisfied with the auto approach. The auto approach simply creates a bean definition similar to that shown
-	below with the AUTODETECT_ALL_ORDERED_FILTERs. As suggested, this causes a runtime check of app ctx for all javax.servlet.Filter instances, and
-	for each that also implemented Ordered, these are automatically applied to the pattern shown (which is **/* in the case of autodetect=true).*-->
+		FilterChainProxy bean definition is dissatisfied with the auto approach. The auto approach simply creates a bean definition similar to that shown
+		below with the AUTODETECT_ALL_ORDERED_FILTERs. As suggested, this causes a runtime check of app ctx for all javax.servlet.Filter instances, and
+		for each that also implemented Ordered, these are automatically applied to the pattern shown (which is **/* in the case of autodetect=true).*-->
 	<security:filter-chain id="id" />
 	<bean id="dcdc" class="FilterChainProxy">
 		<property name="chainConfig">
@@ -30,118 +33,151 @@
 	<!--  also provide an OrderedFilterAdapter, impls Filter and Ordered, and can be configured declaratively in Spring XML (eg SiteMesh), setOrder, setDelegate(Filter object) -->
 
 	<!-- creates a bean definition for an AccessDecisionManager; strategy defaults to AffirmativeBased; 
-	superclass AbstractAccessDecisionManager requires refactoring so if no setProvider(List) given, it introspects app ctx for all AccessDecisionVoters
-	and uses their Ordered interface to apply them; if one doesn't implement Ordered, assume it is Integer.MAX_VALUE -->
-	<security:authorization-manager id="id" strategy="consensus|unanimous|affirmative"/>
+		superclass AbstractAccessDecisionManager requires refactoring so if no setProvider(List) given, it introspects app ctx for all AccessDecisionVoters
+		and uses their Ordered interface to apply them; if one doesn't implement Ordered, assume it is Integer.MAX_VALUE -->
+	<security:authorization-manager id="id"
+		strategy="consensus|unanimous|affirmative" />
 
 	<!-- ======================== AUTHENTICATION ======================= -->
 
 	<!-- sessionCreation defaults to ifRequired. -->
-	<security:session-context-integration id="httpSessionContextIntegrationFilter" sessionCreation="never|ifRequired|always" />
+	<security:session-context-integration
+		id="httpSessionContextIntegrationFilter"
+		sessionCreation="never|ifRequired|always" />
 
 	<!-- The rules are:
-	     AuthenticationManager interface is implemented by ProviderManager
-	     So if you have any auto-detection, create a ProviderManager definition
-	     If ProviderManager.setProvider(List) is never called, auto-detect all AuthenticationProviders from app ctx, using Ordered to resolve their order
-	     Every authentication mechanism OR provider must start with security:authentication-something
-	     Use appropriate attrs and elements depending on provider or mechanism
-	      -->
-	<security:authentication-repository id="id" repositoryBeanRef="beanIdOfRepositoryIfUnspecifiedAutoDetectTheirUserDetailsInstance">
-		<security:salt-source saltSourceBeanRef="beanRefOfAnExternalEncoder"/> <!--  or allow it to be written inline as an inner bean -->
-		<security:password-encoder encoder="md5|md5Hex|sha|shaHex|custom" encoderBeanRef="beanRefOfAnExternalEncoder"/> <!-- same story here, inner beans allowed -->
+		AuthenticationManager interface is implemented by ProviderManager
+		So if you have any auto-detection, create a ProviderManager definition
+		If ProviderManager.setProvider(List) is never called, auto-detect all AuthenticationProviders from app ctx, using Ordered to resolve their order
+		Every authentication mechanism OR provider must start with security:authentication-something
+		Use appropriate attrs and elements depending on provider or mechanism
+	-->
+	<security:authentication-repository id="id"
+		repositoryBeanRef="beanIdOfRepositoryIfUnspecifiedAutoDetectTheirUserDetailsInstance">
+		<security:salt-source
+			saltSourceBeanRef="beanRefOfAnExternalEncoder" />
+		<!--  or allow it to be written inline as an inner bean -->
+		<security:password-encoder
+			encoder="md5|md5Hex|sha|shaHex|custom"
+			encoderBeanRef="beanRefOfAnExternalEncoder" />
+		<!-- same story here, inner beans allowed -->
 	</security:authentication-repository>
-	
+
 	<security:salt-source>
-			<security:system-wide systemWideSalt="12345"/>
-			<security-reflection userPropertyToUse="sss"/>
+		<security:system-wide systemWideSalt="12345" />
+		<security-reflection userPropertyToUse="sss" />
 	</security:salt-source>
-	
-	
+
+
 	<!--  the URLs are all mandatory and have no defaults (well, except authenticationUrl) -->
-	<security:authentication-form id="id" authenticationUrl="/login" loginFormUrl="/login.html" errorFormUrl="error.html"/>
-	
+	<security:authentication-form id="id" authenticationUrl="/login"
+		loginFormUrl="/login.html" errorFormUrl="error.html" />
+
 	<!-- AuthenticationEntryPoints handled across the system via Ordered interface; every Acegi entry point has an order; the highest order wins and
-	is used as the entry point by ExceptionTranslationFilter; for things like BasicAuthenticationfilter, they're smart enough to know they need a
-	BasicAuthenticationProcessingFilterEntryPoint, so they use that one; here we have an entryPointOrder to say when we make the BasicEntryPoint,
-	we will call setOrder(2) such that this app effectively will use somehing with a higher order as the app-wide default -->
-	<security:authentication-basic id="id" realmName="Spring Security Application" entryPointOrder="2"/>
-	
+		is used as the entry point by ExceptionTranslationFilter; for things like BasicAuthenticationfilter, they're smart enough to know they need a
+		BasicAuthenticationProcessingFilterEntryPoint, so they use that one; here we have an entryPointOrder to say when we make the BasicEntryPoint,
+		we will call setOrder(2) such that this app effectively will use somehing with a higher order as the app-wide default -->
+	<security:authentication-basic id="id"
+		realmName="Spring Security Application" entryPointOrder="2" />
+
 	<!-- This is used if they want an out-of-the-bx UserDetailsService; if they write their own, this goes away and they wire a legacy bean definition and then the various
-	beans depending on a UserDetailsService will auto-detect it at runtime OR provide a way of setUserDetailsService(UserDetailsService) if to specified explicitly.
-	If they fail to provide a repository, the security-autodetect will set one up for them with a few basic in-memory users and pwds -->
+		beans depending on a UserDetailsService will auto-detect it at runtime OR provide a way of setUserDetailsService(UserDetailsService) if to specified explicitly.
+		If they fail to provide a repository, the security-autodetect will set one up for them with a few basic in-memory users and pwds -->
 	<security:principal-repository id="id">
-		<security:ldap x="you can do the attributes and suitable nested elements"/>
-		<security:jdbc x="you can do the attributes and suitable nested elements"/>
-		<security:properties location="resourceStringToPropertiesFile"> <!-- if they specify a resource attrib, that means throw exception if they nest some user-definition data) -->
-			<security:user-definition username="ben" password="nottellingYou" enabled="true" it="more stuff if you want">
-				<security:granted-authority authority="ROLE_ANONYMOUS"/>
-				<ref bean="fooBarAuthority"/>
+		<security:ldap
+			x="you can do the attributes and suitable nested elements" />
+		<security:jdbc
+			x="you can do the attributes and suitable nested elements" />
+		<security:properties
+			location="resourceStringToPropertiesFile">
+<!-- if they specify a resource attrib, that means throw exception if they nest some user-definition data) -->
+			<security:user-definition username="ben"
+				password="nottellingYou" enabled="true"
+				it="more stuff if you want">
+				<security:granted-authority authority="ROLE_ANONYMOUS" />
+				<ref bean="fooBarAuthority" />
 			</security:user-definition>
 		</security:properties>
 	</security:principal-repository>
 
 	<!-- makes the filter, but does little else, as it auto-detects everything -->
-	<security:authentication-remember-me-filter id="id" rememberMeServicesBeanRef="theId" />
+	<security:authentication-remember-me-filter id="id"
+		rememberMeServicesBeanRef="theId" />
 
 	<!-- services should auto-detect UserDetails from app ctx if principalRepository was not specified; key is handled in same way as discussed earlier -->
-	<security:authentication-remember-me-services id="id" key="someValue" principalRepositoryBeanRef="jdbcDaoImpl" />
+	<security:authentication-remember-me-services id="id"
+		key="someValue" principalRepositoryBeanRef="jdbcDaoImpl" />
 
 	<!-- key is optional; if unspecified, in the NamespaceHandler pick a rnd int and use for all unspecified key properties for acegi beans -->
-	<security:anonymous-role-granter " id="id" key="someValue" >
-		<security:granted-authority authority="ROLE_ANONYMOUS"/>
-		<ref bean="fooBarAuthority"/>
-	</security:anonymous-role-granter>	
+	<security:anonymous-role-granter id="id" key="someValue">
+		<security:granted-authority authority="ROLE_ANONYMOUS" />
+		<ref bean="fooBarAuthority" />
+	</security:anonymous-role-granter>
 
-	<security:granted-authority id="fooBarAuthority" authority="ROLE_FOOBAR"/>
+	<security:granted-authority id="fooBarAuthority"
+		authority="ROLE_FOOBAR" />
 
 	<!-- If LogoutFilter does not have setHandlers populated, introspect app ctx for LogoutHandlers, using Ordered (if present, otherwise assume Integer.MAX_VALUE) -->
 	<!-- The logoutUrl and redirectAfterLogout are both optional and default to that shown -->
-	<security:logout-support id="logoutFilter" redirectAfterLogoutUrl="/" logoutUrl="/logout"/>
+	<security:logout-support id="logoutFilter"
+		redirectAfterLogoutUrl="/" logoutUrl="/logout" />
 
 
 	<!-- ===================== HTTP CHANNEL REQUIREMENTS ==================== -->
 
 	<!--  channel security out of scope; they use existing bean definition format; the channel filter will auto-detect and use Ordered interface as discussed above -->
-	
+
 	<!--  any kind of ACL support is out of scope; frankly it is too hard for 1.1.0 -->
 
 	<!-- ensure element name is not overlapping with portlet or spring web flow or tapestry URI patterns, as this filter is incompatible with them -->
 	<security:authorization-http-url>
-		<security:url-mapping source="xml - the default and no other options" sourceBeanId="referenceToTheirObjectDefinitionSource">
+		<security:url-mapping
+			source="xml - the default and no other options"
+			sourceBeanId="referenceToTheirObjectDefinitionSource">
 			<!-- Specify security:uri-patterns in order of processing; each pattern must specify EITHER a regularExpression OR a path, but not both
-				 and ALL patterns in the url-mapping MUST be of the SAME type (ie cannot mix a regular expression and Ant Path) - give exception if tried -->
-			<security:uri-pattern path ="/index.jsp" regularExpression="whatever">
-				<security:configuration-attribute attribute="ROLE_A"/>
-				<ref bean="someExternalConfigurationAttributeThatIsATopLevelBean"/>
+				and ALL patterns in the url-mapping MUST be of the SAME type (ie cannot mix a regular expression and Ant Path) - give exception if tried -->
+			<security:uri-pattern path="/index.jsp"
+				regularExpression="whatever">
+				<security:configuration-attribute attribute="ROLE_A" />
+				<ref
+					bean="someExternalConfigurationAttributeThatIsATopLevelBean" />
 			</security:uri-pattern>
-			<security:uri-pattern path ="/**" regularExperssion="whatever">
-				<security:configuration-attribute attribute="ROLE_A"/>
-				<ref bean="someExternalConfigurationAttributeThatIsATopLevelBean"/>
+			<security:uri-pattern path="/**"
+				regularExperssion="whatever">
+				<security:configuration-attribute attribute="ROLE_A" />
+				<ref
+					bean="someExternalConfigurationAttributeThatIsATopLevelBean" />
 			</security:uri-pattern>
 		</security:url-mapping>
 	</security:authorization-http-url>
 
 	<!-- the source refers to use of the relevant concete ObjectDefinitionSource; user can alternately specify their own instance and refer to it
-	via the sourceBeanId property; in that case they must specify "custom"; if unspecified, it means it's described as nested elements using the
-	security:method-pattern element, and you will therefore create it via the MethodDefinitionSourceEditor (that is what the default source=xml means, too)
-	For aspectj and springAop, that means create a MethodSecurityInterceptor and AspectJSecurityInterceptor bean definition respectively (in the case of
-	springAop, also create a MethodDefinitionSourceAdvisor); defaults to springAop=true, aspectJ=false -->
-	<security:authorization-joinpoint aspectj="false|true" springAop="true|false" >
-		<security:url-mapping source="custom|xml|attributes|annotations" sourceBeanId="referenceToTheirObjectDefinitionSource">
-			<security:method-pattern type="com.foo.Bar.whateverMethodNamePattern">
-				<security:configuration-attribute attribute="ROLE_A"/>
-				<ref bean="someExternalConfigurationAttributeThatIsATopLevelBean"/>
+		via the sourceBeanId property; in that case they must specify "custom"; if unspecified, it means it's described as nested elements using the
+		security:method-pattern element, and you will therefore create it via the MethodDefinitionSourceEditor (that is what the default source=xml means, too)
+		For aspectj and springAop, that means create a MethodSecurityInterceptor and AspectJSecurityInterceptor bean definition respectively (in the case of
+		springAop, also create a MethodDefinitionSourceAdvisor); defaults to springAop=true, aspectJ=false -->
+	<security:authorization-joinpoint aspectj="false|true"
+		springAop="true|false">
+		<security:url-mapping source="custom|xml|attributes|annotations"
+			sourceBeanId="referenceToTheirObjectDefinitionSource">
+			<security:method-pattern
+				type="com.foo.Bar.whateverMethodNamePattern">
+				<security:configuration-attribute attribute="ROLE_A" />
+				<ref
+					bean="someExternalConfigurationAttributeThatIsATopLevelBean" />
 			</security:method-pattern>
 		</security:url-mapping>
 		<!-- if get time, do a new security:pointcut-pattern -->
 	</security:authorization-joinpoint>
 
-	
+
 	<!-- Basically accessDeniedUrl is optional, we if unspecified impl will auto-detect any AccessDeniedHandler in ctx and use it; 
-	alternately if there are > 1 such handlers, we can nominate the one to use via accessDeniedBeanRef; provide nested elements for
-	other props; i do not mind if you move the access denied stuff to a sub-element -->
-	<security:exception-translation id="id" accessDeniedUrl="/accessDenied.jsp" accessDeniedBeanRef="theBeanToUse">
-		<security:entry-point path="/acegilogin.jsp" https="boolean"/>
+		alternately if there are > 1 such handlers, we can nominate the one to use via accessDeniedBeanRef; provide nested elements for
+		other props; i do not mind if you move the access denied stuff to a sub-element -->
+	<security:exception-translation id="id"
+		accessDeniedUrl="/accessDenied.jsp"
+		accessDeniedBeanRef="theBeanToUse">
+		<security:entry-point path="/acegilogin.jsp" https="boolean" />
 	</security:exception-translation>
 
 </beans>