SEC-2291: Fix internal links within reference

Instead of using xlink:href="# use linkend="

config/src/test/groovy/org/springframework/security/config/doc/XsdDocumentedTests.groovy

@@ -53,9 +53,9 @@ class XsdDocumentedTests extends Specification {
             def id = delegate.@id.text().replace('-parents', '').replace('-children', '')
             result.put(id,[])
             delegate.children().breadthFirst().each { sectionChild ->
-                def href = sectionChild.@href.text()
+                def href = sectionChild.@linkend.text()
                 if(href) {
-                    result.get(id).add(href[1..-1])
+                    result.get(id).add(href)
                 }
             }
         }

docs/faq/src/docbook/faq.xml

@@ -286,7 +286,7 @@
                     <answer>
                         <para>
                             Note that the permissions for an LDAP directory often do not allow you to read the password
-                            for a user. Hence it is often not possible to use the <link xlink:href="#faq-what-is-userdetailservice"><interfacename>UserDetailsService</interfacename>
+                            for a user. Hence it is often not possible to use the <link linkend="faq-what-is-userdetailservice"><interfacename>UserDetailsService</interfacename>
                             approach</link> where Spring Security compares the stored password with the one submitted by the user.
                             The most common approach is to use LDAP <quote>bind</quote>, which is one of the operations
                             supported by <link xlink:href="http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol">the LDAP protocol</link>.
@@ -656,7 +656,7 @@
                             a <interfacename>UserDetailsService</interfacename> to allow it to load
                             the password (and other data) for a user in order to compare it with the
                             submitted value. Note that if you are using LDAP,
-                            <link xlink:href="#faq-ldap-authentication">this approach may not work</link>.</para>
+                            <link linkend="faq-ldap-authentication">this approach may not work</link>.</para>
                         <para> If you want to customize the authentication process then you should
                             implement <interfacename>AuthenticationProvider</interfacename>
                             yourself. See this <link
@@ -766,7 +766,7 @@
                     </question>
                     <answer>
                         <para>You can't (and shouldn't). You are probably misunderstanding its purpose.
-                            See <quote><link xlink:href="#faq-what-is-userdetailservice">What is a UserDetailsService?</link></quote>
+                            See <quote><link linkend="faq-what-is-userdetailservice">What is a UserDetailsService?</link></quote>
                             above.
                         </para>
                     </answer>
@@ -909,7 +909,7 @@
                             >Spring Reference Manual</link>. In order to do this, you need to know a
                             bit about which beans are created, so you should also read the blog
                             article in the above question on <link
-                            xlink:href="#faq-namespace-to-bean-mapping">how the namespace maps to
+                            linkend="faq-namespace-to-bean-mapping">how the namespace maps to
                             Spring beans</link>. </para>
                         <para> Normally, you would add the functionality you require to the
                             <methodname>postProcessBeforeInitialization</methodname> method of

docs/manual/src/docbook/anon-auth-provider.xml

@@ -126,7 +126,7 @@
             interceptor configuration replaced with <literal>IS_AUTHENTICATED_ANONYMOUSLY</literal>,
             which is effectively the same thing when defining access controls. This is an example of
             the use of the <classname>AuthenticatedVoter</classname> which we will see in the <link
-            xlink:href="#authz-authenticated-voter">authorization chapter</link>. It uses an
+            linkend="authz-authenticated-voter">authorization chapter</link>. It uses an
             <interfacename>AuthenticationTrustResolver</interfacename> to process this particular
             configuration attribute and grant access to anonymous users. The
             <classname>AuthenticatedVoter</classname> approach is more powerful, since it allows you

docs/manual/src/docbook/appendix-db-schema.xml

@@ -58,7 +58,7 @@ create table group_members (
     <section>
         <title>Persistent Login (Remember-Me) Schema</title>
         <para> This table is used to store data used by the more secure <link
-            xlink:href="#remember-me-persistent-token">persistent token</link> remember-me
+            linkend="remember-me-persistent-token">persistent token</link> remember-me
             implementation. If you are using <classname>JdbcTokenRepositoryImpl</classname> either
             directly or through the namespace, then you will need this table.
             <programlisting xml:id="db-schema-remeber-me">
@@ -71,7 +71,7 @@ create table persistent_logins (
     </section>
     <section xml:id="dbschema-acl">
         <title>ACL Schema</title>
-        <para>There are four tables used by the Spring Security <link xlink:href="#domain-acls"
+        <para>There are four tables used by the Spring Security <link linkend="domain-acls"
             >ACL</link> implementation. <orderedlist>
             <listitem>
                 <para><literal>acl_sid</literal> stores the security identities recognised by the

docs/manual/src/docbook/appendix-namespace.xml

@@ -8,7 +8,7 @@
         and information on the underlying beans they create (a knowledge of the individual classes
         and how they work together is assumed - you can find more information in the project Javadoc
         and elsewhere in this document). If you haven't used the namespace before, please read the
-        <link xlink:href="#ns-config">introductory chapter</link> on namespace configuration, as
+        <link linkend="ns-config">introductory chapter</link> on namespace configuration, as
         this is intended as a supplement to the information there. Using a good quality XML editor
         while editing a configuration based on the schema is recommended as this will provide
         contextual information on which elements and attributes are available as well as comments
@@ -33,11 +33,11 @@
                 created and the configuration within the element is used to build a filter chain within
                 <classname>FilterChainProxy</classname>. As of Spring Security 3.1, additional
                 <literal>http</literal> elements can be used to add extra filter chains <footnote>
-                <para>See the <link xlink:href="#ns-web-xml">introductory chapter</link> for how to set
+                <para>See the <link linkend="ns-web-xml">introductory chapter</link> for how to set
                     up the mapping from your <literal>web.xml</literal></para>
                 </footnote>. Some core filters are always created in a filter chain and others will be
                 added to the stack depending on the attributes and child elements which are present. The
-                positions of the standard filters are fixed (see <link xlink:href="#filter-stack">the
+                positions of the standard filters are fixed (see <link linkend="filter-stack">the
                 filter order table</link> in the namespace introduction), removing a common source of
                 errors with previous versions of the framework when users had to configure the filter
                 chain explicitly in the <classname>FilterChainProxy</classname> bean. You can, of course,
@@ -45,7 +45,7 @@
             <para> All filters which require a reference to the
                 <interfacename>AuthenticationManager</interfacename> will be automatically injected with
                 the internal instance created by the namespace configuration (see the <link
-                xlink:href="#ns-auth-manager">introductory chapter</link> for more on the
+                linkend="ns-auth-manager">introductory chapter</link> for more on the
                 <interfacename>AuthenticationManager</interfacename>). </para>
             <para> Each <literal>&lt;http&gt;</literal> namespace block always creates an
                 <classname>SecurityContextPersistenceFilter</classname>, an
@@ -67,7 +67,7 @@
                 </section>
                 <section xml:id="nsa-http-access-denied-page">
                     <title><literal>access-denied-page</literal></title>
-                    <para> Deprecated in favour of the <link xlink:href="#nsa-access-denied-handler">access-denied-handler</link>
+                    <para> Deprecated in favour of the <link linkend="nsa-access-denied-handler">access-denied-handler</link>
                         child element.</para>
                 </section>
                 <section xml:id="nsa-http-authentication-manager-ref">
@@ -139,15 +139,15 @@
                 </section>
                 <section xml:id="nsa-http-path-type">
                     <title><literal>path-type</literal></title>
-                    <para>Deprecated in favor of <link xlink:href="#nsa-http-request-matcher">request-matcher</link>.
+                    <para>Deprecated in favor of <link linkend="nsa-http-request-matcher">request-matcher</link>.
                         </para>
                 </section>
                 <section xml:id="nsa-http-pattern">
                     <title><literal>pattern</literal></title>
-                    <para>Defining a pattern for the <link xlink:href="#nsa-http">http</link> element controls the
+                    <para>Defining a pattern for the <link linkend="nsa-http">http</link> element controls the
                         requests which will be filtered through the list of filters which it defines.
                         The interpretation is dependent on the configured <link
-                        xlink:href="#nsa-http-request-matcher">request-matcher</link>. If no pattern is defined,
+                        linkend="nsa-http-request-matcher">request-matcher</link>. If no pattern is defined,
                         all requests will be matched, so the most specific patterns should be declared
                         first.</para>
                 </section>
@@ -165,9 +165,9 @@
                         currently <literal>ant</literal>, <literal>regex</literal> and
                         <literal>ciRegex</literal>, for ant, regular-expression and case-insensitive
                         regular-expression repsectively. A separate instance is created for each
-                        <link xlink:href="#nsa-intercept-url">intercept-url</link> element using its
-                        <link xlink:href="#nsa-intercept-url-pattern">pattern</link> and
-                        <link xlink:href="#nsa-intercept-url-method">method</link> attributes. Ant paths
+                        <link linkend="nsa-intercept-url">intercept-url</link> element using its
+                        <link linkend="nsa-intercept-url-pattern">pattern</link> and
+                        <link linkend="nsa-intercept-url-method">method</link> attributes. Ant paths
                         are matched using an <classname>AntPathRequestMatcher</classname> and regular expressions
                         are matched using a <classname>RegexRequestMatcher</classname>. See the Javadoc
                         for these classes for more details on exactly how the matching is preformed. Ant
@@ -177,7 +177,7 @@
                     <title><literal>request-matcher-ref</literal></title>
                     <para>A referenece to a bean that implements <interfacename>RequestMatcher</interfacename> that
                         will determine if this <classname>FilterChain</classname> should be used. This is a more
-                        powerful alternative to <link xlink:href="#nsa-http-pattern">pattern</link>.</para>
+                        powerful alternative to <link linkend="nsa-http-pattern">pattern</link>.</para>
                 </section>
                 <section xml:id="nsa-http-security">
                     <title><literal>security</literal></title>
@@ -202,30 +202,30 @@
                 <section xml:id="nsa-http-use-expressions">
                     <title><literal>use-expressions</literal></title>
                     <para>Enables EL-expressions in the <literal>access</literal> attribute, as
-                        described in the chapter on <link xlink:href="#el-access-web">expression-based
+                        described in the chapter on <link linkend="el-access-web">expression-based
                         access-control</link>.</para>
                 </section>
             </section>
             <section xml:id="nsa-http-children">
                 <title>Child Elements of &lt;http&gt;</title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-access-denied-handler">access-denied-handler</link></listitem>
-                    <listitem><link xlink:href="#nsa-anonymous">anonymous</link></listitem>
-                    <listitem><link xlink:href="#nsa-csrf">csrf</link></listitem>
-                    <listitem><link xlink:href="#nsa-custom-filter">custom-filter</link></listitem>
-                    <listitem><link xlink:href="#nsa-expression-handler">expression-handler</link></listitem>
-                    <listitem><link xlink:href="#nsa-form-login">form-login</link></listitem>
-                    <listitem><link xlink:href="#nsa-headers">headers</link></listitem>
-                    <listitem><link xlink:href="#nsa-http-basic">http-basic</link></listitem>
-                    <listitem><link xlink:href="#nsa-intercept-url">intercept-url</link></listitem>
-                    <listitem><link xlink:href="#nsa-jee">jee</link></listitem>
-                    <listitem><link xlink:href="#nsa-logout">logout</link></listitem>
-                    <listitem><link xlink:href="#nsa-openid-login">openid-login</link></listitem>
-                    <listitem><link xlink:href="#nsa-port-mappings">port-mappings</link></listitem>
-                    <listitem><link xlink:href="#nsa-remember-me">remember-me</link></listitem>
-                    <listitem><link xlink:href="#nsa-request-cache">request-cache</link></listitem>
-                    <listitem><link xlink:href="#nsa-session-management">session-management</link></listitem>
-                    <listitem><link xlink:href="#nsa-x509">x509</link></listitem>
+                    <listitem><link linkend="nsa-access-denied-handler">access-denied-handler</link></listitem>
+                    <listitem><link linkend="nsa-anonymous">anonymous</link></listitem>
+                    <listitem><link linkend="nsa-csrf">csrf</link></listitem>
+                    <listitem><link linkend="nsa-custom-filter">custom-filter</link></listitem>
+                    <listitem><link linkend="nsa-expression-handler">expression-handler</link></listitem>
+                    <listitem><link linkend="nsa-form-login">form-login</link></listitem>
+                    <listitem><link linkend="nsa-headers">headers</link></listitem>
+                    <listitem><link linkend="nsa-http-basic">http-basic</link></listitem>
+                    <listitem><link linkend="nsa-intercept-url">intercept-url</link></listitem>
+                    <listitem><link linkend="nsa-jee">jee</link></listitem>
+                    <listitem><link linkend="nsa-logout">logout</link></listitem>
+                    <listitem><link linkend="nsa-openid-login">openid-login</link></listitem>
+                    <listitem><link linkend="nsa-port-mappings">port-mappings</link></listitem>
+                    <listitem><link linkend="nsa-remember-me">remember-me</link></listitem>
+                    <listitem><link linkend="nsa-request-cache">request-cache</link></listitem>
+                    <listitem><link linkend="nsa-session-management">session-management</link></listitem>
+                    <listitem><link linkend="nsa-x509">x509</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -234,15 +234,15 @@
             <para>This element allows you to set the <literal>errorPage</literal> property for the
                 default <interfacename>AccessDeniedHandler</interfacename> used by the
                 <classname>ExceptionTranslationFilter</classname>, using the
-                <link xlink:href="#nsa-access-denied-handler-error-page">error-page</link> attribute, or
+                <link linkend="nsa-access-denied-handler-error-page">error-page</link> attribute, or
                 to supply your own implementation using the
-                <link xlink:href="#nsa-access-denied-handler-ref">ref</link> attribute. This is discussed
-                in more detail in the section on the <link xlink:href="#access-denied-handler">
+                <link linkend="nsa-access-denied-handler-ref">ref</link> attribute. This is discussed
+                in more detail in the section on the <link linkend="access-denied-handler">
                 <classname>ExceptionTranslationFilter</classname></link>.</para>
             <section xml:id="nsa-access-denied-handler-parents">
                 <title>Parent Elements of <literal>&lt;access-denied-handler&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-access-denied-handler-attributes">
@@ -263,24 +263,24 @@
             <title><literal>&lt;headers&gt;</literal></title>
             <para>This element allows for configuring additional (security) headers to be send with the response.
                 It enables easy configuration for several headers and also allows for setting custom headers through
-                the <link xlink:href="#nsa-header">header</link> element.
+                the <link linkend="nsa-header">header</link> element.
                 <itemizedlist>
                     <listitem><literal>Cache-Control</literal> and <literal>Pragma</literal> - Can be set using the
-                        <link xlink:href="#nsa-cache-control">cache-control</link> element. This ensures that the
+                        <link linkend="nsa-cache-control">cache-control</link> element. This ensures that the
                         browser does not cache your secured pages.</listitem>
                     <listitem><literal>Strict-Transport-Security</literal> - Can be set using the
-                        <link xlink:href="#nsa-hsts">hsts</link> element. This ensures that the
+                        <link linkend="nsa-hsts">hsts</link> element. This ensures that the
                         browser automatically requests HTTPS for future requests.</listitem>
                     <listitem><literal>X-Frame-Options</literal> - Can be set using the
-                        <link xlink:href="#nsa-frame-options">frame-options</link> element. The
+                        <link linkend="nsa-frame-options">frame-options</link> element. The
                         <link xlink:href="http://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options">X-Frame-Options
                         </link> header can be used to prevent clickjacking attacks.</listitem>
                     <listitem><literal>X-XSS-Protection</literal> - Can be set using the
-                        <link xlink:href="#nsa-xss-protection">xss-protection</link> element.
+                        <link linkend="nsa-xss-protection">xss-protection</link> element.
                         The <link xlink:href="http://en.wikipedia.org/wiki/Cross-site_scripting">X-XSS-Protection
                         </link> header can be used by browser to do basic control.</listitem>
                     <listitem><literal>X-Content-Type-Options</literal> - Can be set using the
-                        <link xlink:href="#nsa-content-type-options">content-type-options</link> element. The
+                        <link linkend="nsa-content-type-options">content-type-options</link> element. The
                         <link xlink:href="http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx">X-Content-Type-Options</link>
                         header prevents Internet Explorer from MIME-sniffing a response away from the declared
                         content-type. This also applies to Google Chrome, when downloading extensions. </listitem>
@@ -289,18 +289,18 @@
             <section xml:id="nsa-headers-parents">
                 <title>Parent Elements of <literal>&lt;headers&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-headers-children">
                 <title>Child Elements of <literal>&lt;headers&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-cache-control">cache-control</link></listitem>
-                    <listitem><link xlink:href="#nsa-content-type-options">content-type-options</link></listitem>
-                    <listitem><link xlink:href="#nsa-frame-options">frame-options</link></listitem>
-                    <listitem><link xlink:href="#nsa-header">header</link></listitem>
-                    <listitem><link xlink:href="#nsa-hsts">hsts</link></listitem>
-                    <listitem><link xlink:href="#nsa-xss-protection">xss-protection</link></listitem>
+                    <listitem><link linkend="nsa-cache-control">cache-control</link></listitem>
+                    <listitem><link linkend="nsa-content-type-options">content-type-options</link></listitem>
+                    <listitem><link linkend="nsa-frame-options">frame-options</link></listitem>
+                    <listitem><link linkend="nsa-header">header</link></listitem>
+                    <listitem><link linkend="nsa-hsts">hsts</link></listitem>
+                    <listitem><link linkend="nsa-xss-protection">xss-protection</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -311,7 +311,7 @@
             <section xml:id="nsa-cache-control-parents">
                 <title>Parent Elements of <literal>&lt;cache-control&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-headers">headers</link></listitem>
+                    <listitem><link linkend="nsa-headers">headers</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -343,7 +343,7 @@
              <section xml:id="nsa-hsts-parents">
                 <title>Parent Elements of <literal>&lt;hsts&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-headers">headers</link></listitem>
+                    <listitem><link linkend="nsa-headers">headers</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -361,7 +361,7 @@
                                 the site attempting to do so. This is the default when frame-options-policy is specified.</listitem>
                             <listitem><literal>SAMEORIGIN</literal> The page can only be displayed in a frame on the
                                 same origin as the page itself</listitem>
-                            <listitem><literal>ALLOW-FROM <link xlink:href="#nsa-frame-options-origin">origin</link></literal>
+                            <listitem><literal>ALLOW-FROM <link linkend="nsa-frame-options-origin">origin</link></literal>
                                 The page can only be displayed in a frame on the specified origin.
                             </listitem>
                         </itemizedlist>
@@ -377,17 +377,17 @@
                         Select the <classname>AllowFromStrategy</classname> to use when using the ALLOW-FROM policy.
                         <itemizedlist>
                             <listitem><literal>static</literal> Use a single static ALLOW-FROM value. The value can be set
-                            through the <link xlink:href="#nsa-frame-options-value">value</link> attribute.
+                            through the <link linkend="nsa-frame-options-value">value</link> attribute.
                             </listitem>
                             <listitem><literal>regexp</literal> Use a regelur expression to validate incoming requests and
-                            if they are allowed. The regular expression can be set through the <link xlink:href="#nsa-frame-options-value">value</link>
+                            if they are allowed. The regular expression can be set through the <link linkend="nsa-frame-options-value">value</link>
                             attribute. The request parameter used to retrieve the value to validate can be specified
-                            using the <link xlink:href="#nsa-frame-options-from-parameter">from-parameter</link>.
+                            using the <link linkend="nsa-frame-options-from-parameter">from-parameter</link>.
                             </listitem>
                             <listitem><literal>whitelist</literal>A comma-seperated list containing the allowed domains.
-                                The comma-seperated list can be set through the <link xlink:href="#nsa-frame-options-value">value</link>
+                                The comma-seperated list can be set through the <link linkend="nsa-frame-options-value">value</link>
                                 attribute. The request parameter used to retrieve the value to validate can be specified
-                                using the <link xlink:href="#nsa-frame-options-from-parameter">from-parameter</link>.
+                                using the <link linkend="nsa-frame-options-from-parameter">from-parameter</link>.
                             </listitem>
                         </itemizedlist>
                     </para>
@@ -401,7 +401,7 @@
                 </section>
                 <section xml:id="nsa-frame-options-value">
                     <title><literal>frame-options-value</literal></title>
-                    <para>The value to use when ALLOW-FROM is used a <link xlink:href="#nsa-frame-options-strategy">strategy</link>.</para>
+                    <para>The value to use when ALLOW-FROM is used a <link linkend="nsa-frame-options-strategy">strategy</link>.</para>
                 </section>
                 <section xml:id="nsa-frame-options-from-parameter">
                     <title><literal>frame-options-from-parameter</literal></title>
@@ -414,7 +414,7 @@
              <section xml:id="nsa-frame-options-parents">
                 <title>Parent Elements of <literal>&lt;frame-options&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-headers">headers</link></listitem>
+                    <listitem><link linkend="nsa-headers">headers</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -439,7 +439,7 @@
             <section xml:id="nsa-xss-protection-parents">
                 <title>Parent Elements of <literal>&lt;xss-protection&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-headers">headers</link></listitem>
+                    <listitem><link linkend="nsa-headers">headers</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -451,7 +451,7 @@
             <section xml:id="nsa-content-type-options-parents">
                 <title>Parent Elements of <literal>&lt;content-type-options&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-headers">headers</link></listitem>
+                    <listitem><link linkend="nsa-headers">headers</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -476,7 +476,7 @@
             <section xml:id="nsa-header-parents">
                 <title>Parent Elements of <literal>&lt;header&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-headers">headers</link></listitem>
+                    <listitem><link linkend="nsa-headers">headers</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -488,7 +488,7 @@
             <section xml:id="nsa-anonymous-parents">
                 <title>Parent Elements of <literal>&lt;anonymous&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-anonymous-attributes">
@@ -527,7 +527,7 @@
             <section xml:id="nsa-csrf-parents">
                 <title>Parent Elements of <literal>&lt;csrf&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-csrf-attributes">
@@ -550,12 +550,12 @@
                 additional beans but is used to select a bean of type
                 <interfacename>javax.servlet.Filter</interfacename> which is already defined in the
                 application context and add that at a particular position in the filter chain
-                maintained by Spring Security. Full details can be found in the <link xlink:href="#ns-custom-filters">
+                maintained by Spring Security. Full details can be found in the <link linkend="ns-custom-filters">
                 namespace chapter</link>.</para>
             <section xml:id="nsa-custom-filter-parents">
                 <title>Parent Elements of <literal>&lt;custom-filter&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-custom-filter-attributes">
@@ -590,8 +590,8 @@
             <section xml:id="nsa-expression-handler-parents">
                 <title>Parent Elements of <literal>&lt;expression-handler&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-global-method-security">global-method-security</link></listitem>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-global-method-security">global-method-security</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-expression-handler-attributes">
@@ -615,12 +615,12 @@
                     <classname>DefaultLoginPageGeneratingFilter</classname> is responsible for
                     rendering the login page and will provide login forms for both normal form login
                     and/or OpenID if required.</para>
-                </footnote> The behaviour can be customized using the <link xlink:href="#nsa-form-login-attributes">
+                </footnote> The behaviour can be customized using the <link linkend="nsa-form-login-attributes">
                     <literal>&lt;form-login&gt;</literal> Attributes</link>.</para>
             <section xml:id="nsa-form-login-parents">
                 <title>Parent Elements of <literal>&lt;form-login&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-form-login-attributes">
@@ -628,7 +628,7 @@
                 <section xml:id="nsa-form-login-always-use-default-target">
                     <title><literal>always-use-default-target</literal></title>
                     <para>If set to <literal>true</literal>, the user will always start at the value given by
-                        <link xlink:href="#nsa-form-login-default-target-url">default-target-url</link>, regardless
+                        <link linkend="nsa-form-login-default-target-url">default-target-url</link>, regardless
                         of how they arrived at the login page. Maps to the <literal>alwaysUseDefaultTargetUrl</literal>
                         property of <classname>UsernamePasswordAuthenticationFilter</classname>. Default value is
                         <literal>false</literal>.</para>
@@ -641,7 +641,7 @@
                 <section xml:id="nsa-form-login-authentication-failure-handler-ref">
                     <title><literal>authentication-failure-handler-ref</literal></title>
                     <para>Can be used as an alternative to
-                        <link xlink:href="#nsa-form-login-authentication-failure-url">authentication-failure-url</link>,
+                        <link linkend="nsa-form-login-authentication-failure-url">authentication-failure-url</link>,
                         giving you full control over the navigation flow after an authentication failure. The value
                         should be he name of an <interfacename>AuthenticationFailureHandler</interfacename> bean in the
                         application context.</para>
@@ -657,13 +657,13 @@
                 <section xml:id="nsa-form-login-authentication-success-handler-ref">
                     <title><literal>authentication-success-handler-ref</literal></title>
                     <para>This can be used as an alternative to
-                        <link xlink:href="#nsa-form-login-default-target-url">default-target-url</link>
-                        and <link xlink:href="#nsa-form-login-always-use-default-target">always-use-default-target</link>,
+                        <link linkend="nsa-form-login-default-target-url">default-target-url</link>
+                        and <link linkend="nsa-form-login-always-use-default-target">always-use-default-target</link>,
                         giving you full control over the navigation flow after a successful authentication. The value
                         should be the name of an <interfacename>AuthenticationSuccessHandler</interfacename> bean in
                         the application context. By default, an implementation of
                         <classname>SavedRequestAwareAuthenticationSuccessHandler</classname> is used and
-                        injected with the <link xlink:href="#nsa-form-login-default-target-url">default-target-url
+                        injected with the <link linkend="nsa-form-login-default-target-url">default-target-url
                         </link>.</para>
                 </section>
                 <section xml:id="nsa-form-login-default-target-url">
@@ -707,7 +707,7 @@
             <section xml:id="nsa-http-basic-parents">
                 <title>Parent Elements of <literal>&lt;http-basic&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-http-basic-attributes">
@@ -752,9 +752,9 @@
             <section xml:id="nsa-intercept-url-parents">
                 <title>Parent Elements of <literal>&lt;intercept-url&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-filter-invocation-definition-source">filter-invocation-definition-source</link></listitem>
-                    <listitem><link xlink:href="#nsa-filter-security-metadata-source">filter-security-metadata-source</link></listitem>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-filter-invocation-definition-source">filter-invocation-definition-source</link></listitem>
+                    <listitem><link linkend="nsa-filter-security-metadata-source">filter-security-metadata-source</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-intercept-url-attributes">
@@ -797,7 +797,7 @@
                         <classname>ChannelProcessingFilter</classname> will be added to the filter
                         stack and its additional dependencies added to the application
                         context.<!--See the chapter on <link
-                xlink:href="#channel-security-config">channel security</link> for an example
+                linkend="channel-security-config">channel security</link> for an example
               configuration using traditional beans. --></para>
                     <para>If a <literal>&lt;port-mappings&gt;</literal> configuration is added, this
                         will be used to by the <classname>SecureChannelProcessor</classname> and
@@ -813,7 +813,7 @@
             <section xml:id="nsa-jee-parents">
                 <title>Parent Elements of <literal>&lt;jee&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-jee-attributes">
@@ -835,7 +835,7 @@
             <section xml:id="nsa-logout-parents">
                 <title>Parent Elements of <literal>&lt;logout&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-logout-attributes">
@@ -886,7 +886,7 @@
             <section xml:id="nsa-openid-login-parents">
                 <title>Parent Elements of <literal>&lt;openid-login&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-openid-login-attributes">
@@ -915,8 +915,8 @@
                     <title><literal>authentication-success-handler-ref</literal></title>
                     <para>Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful
                         authentication request. Should not be used in combination with
-                        <link xlink:href="#nsa-openid-login-default-target-url">default-target-url</link> (or
-                        <link xlink:href="#nsa-openid-login-always-use-default-target">
+                        <link linkend="nsa-openid-login-default-target-url">default-target-url</link> (or
+                        <link linkend="nsa-openid-login-always-use-default-target">
                         always-use-default-target</link>) as the implementation should always deal with navigation
                         to the subsequent destination</para>
                 </section>
@@ -952,7 +952,7 @@
             <section xml:id="nsa-openid-login-children">
                 <title>Child Elements of &lt;openid-login&gt;</title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-attribute-exchange">attribute-exchange</link></listitem>
+                    <listitem><link linkend="nsa-attribute-exchange">attribute-exchange</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -960,7 +960,7 @@
             <title><literal>&lt;attribute-exchange&gt;</literal></title>
             <para>The <literal>attribute-exchange</literal> element defines the list of
                 attributes which should be requested from the identity provider. An example can be found
-                in the <link xlink:href="#ns-openid">OpenID Support</link> section of the namespace configuration
+                in the <link linkend="ns-openid">OpenID Support</link> section of the namespace configuration
                 chapter. More than one can be used, in which case each must have an <literal>identifier-match</literal>
                 attribute, containing a regular expression which is matched against the supplied
                 OpenID identifier. This allows different attribute lists to be fetched from
@@ -968,7 +968,7 @@
             <section xml:id="nsa-attribute-exchange-parents">
                 <title>Parent Elements of <literal>&lt;attribute-exchange&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-openid-login">openid-login</link></listitem>
+                    <listitem><link linkend="nsa-openid-login">openid-login</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-attribute-exchange-attributes">
@@ -982,7 +982,7 @@
             <section xml:id="nsa-attribute-exchange-children">
                 <title>Child Elements of <literal>&lt;attribute-exchange&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-openid-attribute">openid-attribute</link></listitem>
+                    <listitem><link linkend="nsa-openid-attribute">openid-attribute</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -994,7 +994,7 @@
             <section xml:id="nsa-openid-attribute-parents">
                 <title>Parent Elements of <literal>&lt;openid-attribute&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-attribute-exchange">attribute-exchange</link></listitem>
+                    <listitem><link linkend="nsa-attribute-exchange">attribute-exchange</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-openid-attribute-attributes">
@@ -1027,18 +1027,18 @@
                 can optionally be used to override the default mappings which that class defines.
                 Each child <literal>&lt;port-mapping&gt;</literal> element defines a pair of
                 HTTP:HTTPS ports. The default mappings are 80:443 and 8080:8443. An example of
-                overriding these can be found in the <link xlink:href="#ns-requires-channel"
+                overriding these can be found in the <link linkend="ns-requires-channel"
                 >namespace introduction</link>. </para>
             <section xml:id="nsa-port-mappings-parents">
                 <title>Parent Elements of <literal>&lt;port-mappings&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-port-mappings-children">
                 <title>Child Elements of <literal>&lt;port-mappings&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-port-mapping">port-mapping</link></listitem>
+                    <listitem><link linkend="nsa-port-mapping">port-mapping</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -1048,7 +1048,7 @@
             <section xml:id="nsa-port-mapping-parents">
                 <title>Parent Elements of <literal>&lt;port-mapping&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-port-mappings">port-mappings</link></listitem>
+                    <listitem><link linkend="nsa-port-mappings">port-mappings</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-port-mapping-attributes">
@@ -1074,7 +1074,7 @@
             <section xml:id="nsa-remember-me-parents">
                 <title>Parent Elements of <literal>&lt;remember-me&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-remember-me-attributes">
@@ -1166,7 +1166,7 @@
             <section xml:id="nsa-request-cache-parents">
                 <title>Parent Elements of <literal>&lt;request-cache&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-request-cache-attributes">
@@ -1184,7 +1184,7 @@
             <section xml:id="nsa-session-management-parents">
                 <title>Parent Elements of <literal>&lt;session-management&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-session-management-attributes">
@@ -1228,7 +1228,7 @@
             <section xml:id="nsa-session-management-children">
                 <title>Child elements of <literal>&lt;session-management&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-concurrency-control">concurrency-control</link></listitem>
+                    <listitem><link linkend="nsa-concurrency-control">concurrency-control</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -1247,7 +1247,7 @@
             <section xml:id="nsa-concurrency-control-parents">
                 <title>Parent Elements of <literal>&lt;concurrency-control&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-session-management">session-management</link></listitem>
+                    <listitem><link linkend="nsa-session-management">session-management</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-concurrency-control-attributes">
@@ -1301,7 +1301,7 @@
             <section xml:id="nsa-x509-parents">
                 <title>Parent Elements of <literal>&lt;x509&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-http">http</link></listitem>
+                    <listitem><link linkend="nsa-http">http</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-x509-attributes">
@@ -1333,7 +1333,7 @@
                 <section xml:id="nsa-filter-chain-map-path-type">
                     <title><literal>path-type</literal></title>
                     <para>Superseded by the
-                        <link xlink:href="#nsa-filter-chain-map-request-matcher">request-matcher</link> attribute</para>
+                        <link linkend="nsa-filter-chain-map-request-matcher">request-matcher</link> attribute</para>
                 </section>
                 <section xml:id="nsa-filter-chain-map-request-matcher">
                     <title><literal>request-matcher</literal></title>
@@ -1345,7 +1345,7 @@
             <section xml:id="nsa-filter-chain-map-children">
                 <title>Child Elements of <literal>&lt;filter-chain-map&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-filter-chain">filter-chain</link></listitem>
+                    <listitem><link linkend="nsa-filter-chain">filter-chain</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -1357,7 +1357,7 @@
             <section xml:id="nsa-filter-chain-parents">
                 <title>Parent Elements of <literal>&lt;filter-chain&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-filter-chain-map">filter-chain-map</link></listitem>
+                    <listitem><link linkend="nsa-filter-chain-map">filter-chain-map</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-filter-chain-attributes">
@@ -1372,7 +1372,7 @@
                 <section xml:id="nsa-filter-chain-pattern">
                     <title><literal>pattern</literal></title>
                     <para>A-pattern that creates RequestMatcher in combination with the
-                        <link xlink:href="#nsa-filter-chain-map-request-matcher">request-matcher</link></para>
+                        <link linkend="nsa-filter-chain-map-request-matcher">request-matcher</link></para>
                 </section>
                 <section xml:id="nsa-filter-chain-request-matcher-ref">
                     <title><literal>request-matcher-ref</literal></title>
@@ -1397,7 +1397,7 @@
                 <section xml:id="nsa-filter-invocation-definition-source-path-type">
                     <title><literal>path-type</literal></title>
                     <para>Superseded by
-                        <link xlink:href="#nsa-filter-invocation-definition-source-request-matcher">request-matcher</link></para>
+                        <link linkend="nsa-filter-invocation-definition-source-request-matcher">request-matcher</link></para>
                 </section>
                 <section xml:id="nsa-filter-invocation-definition-source-request-matcher">
                     <title><literal>request-matcher</literal></title>
@@ -1416,7 +1416,7 @@
             <section xml:id="nsa-filter-invocation-definition-source-children">
                 <title>Child Elements of <literal>&lt;filter-invocation-definition-source&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-intercept-url">intercept-url</link></listitem>
+                    <listitem><link linkend="nsa-intercept-url">intercept-url</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -1439,7 +1439,7 @@
                 <section xml:id="nsa-filter-security-metadata-source-path-type">
                     <title><literal>path-type</literal></title>
                     <para>Superseded by
-                        <link xlink:href="#nsa-filter-security-metadata-source-request-matcher">request-matcher</link>
+                        <link linkend="nsa-filter-security-metadata-source-request-matcher">request-matcher</link>
                         </para>
                 </section>
                 <section xml:id="nsa-filter-security-metadata-source-request-matcher">
@@ -1459,7 +1459,7 @@
             <section xml:id="nsa-filter-security-metadata-source-children">
                 <title>Child Elements of <literal>&lt;filter-security-metadata-source&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-intercept-url">intercept-url</link></listitem>
+                    <listitem><link linkend="nsa-intercept-url">intercept-url</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -1489,7 +1489,7 @@
                     <title><literal>alias</literal></title>
                     <para>This attribute allows you to define an alias name for the
                         internal instance for use in your own configuration. Its use is described in the
-                        <link xlink:href="#ns-auth-manager">namespace introduction</link>.</para>
+                        <link linkend="ns-auth-manager">namespace introduction</link>.</para>
                 </section>
                 <section xml:id="nsa-authentication-manager-erase-credentials">
                     <title><literal>erase-credentials</literal></title>
@@ -1497,7 +1497,7 @@
                         returned Authentication object, once the user has been authenticated. Literally it maps to
                         the <literal>eraseCredentialsAfterAuthentication</literal> property of the
                         <classname>ProviderManager</classname>. This is discussed in the <link
-                        xlink:href="#core-services-erasing-credentials">Core Services</link> chapter.</para>
+                        linkend="core-services-erasing-credentials">Core Services</link> chapter.</para>
                 </section>
                 <section xml:id="nsa-authentication-manager-id">
                     <title><literal>id</literal></title>
@@ -1509,15 +1509,15 @@
             <section xml:id="nsa-authentication-manager-children">
                 <title>Child Elements of <literal>&lt;authentication-manager&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-authentication-provider">authentication-provider</link></listitem>
-                    <listitem><link xlink:href="#nsa-ldap-authentication-provider">ldap-authentication-provider</link></listitem>
+                    <listitem><link linkend="nsa-authentication-provider">authentication-provider</link></listitem>
+                    <listitem><link linkend="nsa-ldap-authentication-provider">ldap-authentication-provider</link></listitem>
                 </itemizedlist>
             </section>
         </section>
         <section xml:id="nsa-authentication-provider">
             <title><literal>&lt;authentication-provider&gt;</literal></title>
             <para> Unless used with a <literal>ref</literal> attribute, this element is
-                shorthand for configuring a <link xlink:href="#core-services-dao-provider"
+                shorthand for configuring a <link linkend="core-services-dao-provider"
                 ><classname>DaoAuthenticationProvider</classname></link>.
                 <classname>DaoAuthenticationProvider</classname> loads user information from a
                 <interfacename>UserDetailsService</interfacename> and compares the
@@ -1526,12 +1526,12 @@
                 by using an available namespace element (<literal>jdbc-user-service</literal> or
                 by using the <literal>user-service-ref</literal> attribute to point to a bean
                 defined elsewhere in the application context). You can find examples of these
-                variations in the <link xlink:href="#ns-auth-providers">namespace
+                variations in the <link linkend="ns-auth-providers">namespace
                 introduction</link>. </para>
             <section xml:id="nsa-authentication-provider-parents">
                 <title>Parent Elements of <literal>&lt;authentication-provider&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-authentication-manager">authentication-manager</link></listitem>
+                    <listitem><link linkend="nsa-authentication-manager">authentication-manager</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-authentication-provider-attributes">
@@ -1560,10 +1560,10 @@
             <section xml:id="nsa-authentication-provider-children">
                 <title>Child Elements of <literal>&lt;authentication-provider&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-jdbc-user-service">jdbc-user-service</link></listitem>
-                    <listitem><link xlink:href="#nsa-ldap-user-service">ldap-user-service</link></listitem>
-                    <listitem><link xlink:href="#nsa-password-encoder">password-encoder</link></listitem>
-                    <listitem><link xlink:href="#nsa-user-service">user-service</link></listitem>
+                    <listitem><link linkend="nsa-jdbc-user-service">jdbc-user-service</link></listitem>
+                    <listitem><link linkend="nsa-ldap-user-service">ldap-user-service</link></listitem>
+                    <listitem><link linkend="nsa-password-encoder">password-encoder</link></listitem>
+                    <listitem><link linkend="nsa-user-service">user-service</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -1617,7 +1617,7 @@ where
         <section xml:id="nsa-password-encoder">
             <title><literal>&lt;password-encoder&gt;</literal></title>
             <para>Authentication providers can optionally be configured to use a password
-                encoder as described in the <link xlink:href="#ns-password-encoder"
+                encoder as described in the <link linkend="ns-password-encoder"
                 >namespace introduction</link>. This will result in the bean being injected
                 with the appropriate <interfacename>PasswordEncoder</interfacename>
                 instance, potentially with an accompanying
@@ -1626,8 +1626,8 @@ where
             <section xml:id="nsa-password-encoder-parents">
                 <title>Parent Elements of <literal>&lt;password-encoder&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-authentication-provider">authentication-provider</link></listitem>
-                    <listitem><link xlink:href="#nsa-password-compare">password-compare</link></listitem>
+                    <listitem><link linkend="nsa-authentication-provider">authentication-provider</link></listitem>
+                    <listitem><link linkend="nsa-password-compare">password-compare</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-password-encoder-attributes">
@@ -1650,7 +1650,7 @@ where
             <section xml:id="nsa-password-encoder-children">
                 <title>Child Elements of <literal>&lt;password-encoder&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-salt-source">salt-source</link></listitem>
+                    <listitem><link linkend="nsa-salt-source">salt-source</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -1661,7 +1661,7 @@ where
             <section xml:id="nsa-salt-source-parents">
                 <title>Parent Elements of <literal>&lt;salt-source&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-password-encoder">password-encoder</link></listitem>
+                    <listitem><link linkend="nsa-password-encoder">password-encoder</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-salt-source-attributes">
@@ -1701,7 +1701,7 @@ where
             <section xml:id="nsa-user-service-children">
                 <title>Child Elements of <literal>&lt;user-service&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-user">user</link></listitem>
+                    <listitem><link linkend="nsa-user">user</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -1711,7 +1711,7 @@ where
             <section xml:id="nsa-user-parents">
                 <title>Parent Elements of <literal>&lt;user&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-user-service">user-service</link></listitem>
+                    <listitem><link linkend="nsa-user-service">user-service</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-user-attributes">
@@ -1820,10 +1820,10 @@ where
             <section xml:id="nsa-global-method-security-children">
                 <title>Child Elements of <literal>&lt;global-method-security&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-after-invocation-provider">after-invocation-provider</link></listitem>
-                    <listitem><link xlink:href="#nsa-expression-handler">expression-handler</link></listitem>
-                    <listitem><link xlink:href="#nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
-                    <listitem><link xlink:href="#nsa-protect-pointcut">protect-pointcut</link></listitem>
+                    <listitem><link linkend="nsa-after-invocation-provider">after-invocation-provider</link></listitem>
+                    <listitem><link linkend="nsa-expression-handler">expression-handler</link></listitem>
+                    <listitem><link linkend="nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
+                    <listitem><link linkend="nsa-protect-pointcut">protect-pointcut</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -1840,7 +1840,7 @@ where
                 <section xml:id="nsa-after-invocation-provider-parents">
                     <title>Parent Elements of <literal>&lt;after-invocation-provider&gt;</literal></title>
                     <itemizedlist>
-                        <listitem><link xlink:href="#nsa-global-method-security">global-method-security</link></listitem>
+                        <listitem><link linkend="nsa-global-method-security">global-method-security</link></listitem>
                     </itemizedlist>
                 </section>
                 <section xml:id="nsa-after-invocation-provider-attributes">
@@ -1860,15 +1860,15 @@ where
             <section xml:id="nsa-pre-post-annotation-handling-parents">
                 <title>Parent Elements of <literal>&lt;pre-post-annotation-handling&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-global-method-security">global-method-security</link></listitem>
+                    <listitem><link linkend="nsa-global-method-security">global-method-security</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-pre-post-annotation-handling-children">
                 <title>Child Elements of <literal>&lt;pre-post-annotation-handling&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-invocation-attribute-factory">invocation-attribute-factory</link></listitem>
-                    <listitem><link xlink:href="#nsa-post-invocation-advice">post-invocation-advice</link></listitem>
-                    <listitem><link xlink:href="#nsa-pre-invocation-advice">pre-invocation-advice</link></listitem>
+                    <listitem><link linkend="nsa-invocation-attribute-factory">invocation-attribute-factory</link></listitem>
+                    <listitem><link linkend="nsa-post-invocation-advice">post-invocation-advice</link></listitem>
+                    <listitem><link linkend="nsa-pre-invocation-advice">pre-invocation-advice</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -1879,7 +1879,7 @@ where
             <section xml:id="nsa-invocation-attribute-factory-parents">
                 <title>Parent Elements of <literal>&lt;invocation-attribute-factory&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
+                    <listitem><link linkend="nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-invocation-attribute-factory-attributes">
@@ -1898,7 +1898,7 @@ where
             <section xml:id="nsa-post-invocation-advice-parents">
                 <title>Parent Elements of <literal>&lt;post-invocation-advice&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
+                    <listitem><link linkend="nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-post-invocation-advice-attributes">
@@ -1917,7 +1917,7 @@ where
             <section xml:id="nsa-pre-invocation-advice-parents">
                 <title>Parent Elements of <literal>&lt;pre-invocation-advice&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
+                    <listitem><link linkend="nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-pre-invocation-advice-attributes">
@@ -1935,11 +1935,11 @@ where
                 cross-cutting security constraints across whole sets of methods and interfaces
                 in your service layer using the <literal>&lt;protect-pointcut&gt;</literal>
                 element. You can find an example in the <link
-                xlink:href="#ns-protect-pointcut">namespace introduction</link>.</para>
+                linkend="ns-protect-pointcut">namespace introduction</link>.</para>
             <section xml:id="nsa-protect-pointcut-parents">
                 <title>Parent Elements of <literal>&lt;protect-pointcut&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-global-method-security">global-method-security</link></listitem>
+                    <listitem><link linkend="nsa-global-method-security">global-method-security</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-protect-pointcut-attributes">
@@ -1970,7 +1970,7 @@ where
             <section xml:id="nsa-intercept-methods-children">
                 <title>Child Elements of <literal>&lt;intercept-methods&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-protect">protect</link></listitem>
+                    <listitem><link linkend="nsa-protect">protect</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -1994,7 +1994,7 @@ where
             <section xml:id="nsa-method-security-metadata-source-children">
                 <title>Child Elements of <literal>&lt;method-security-metadata-source&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-protect">protect</link></listitem>
+                    <listitem><link linkend="nsa-protect">protect</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -2005,8 +2005,8 @@ where
             <section xml:id="nsa-protect-parents">
                 <title>Parent Elements of <literal>&lt;protect&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-intercept-methods">intercept-methods</link></listitem>
-                    <listitem><link xlink:href="#nsa-method-security-metadata-source">method-security-metadata-source</link></listitem>
+                    <listitem><link linkend="nsa-intercept-methods">intercept-methods</link></listitem>
+                    <listitem><link linkend="nsa-method-security-metadata-source">method-security-metadata-source</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-protect-attributes">
@@ -2024,7 +2024,7 @@ where
     </section>
     <section xml:id="nsa-ldap">
         <title>LDAP Namespace Options</title>
-        <para> LDAP is covered in some details in <link xlink:href="#ldap">its own
+        <para> LDAP is covered in some details in <link linkend="ldap">its own
             chapter</link>. We will expand on that here with some explanation of how the
             namespace options map to Spring beans. The LDAP implementation uses Spring LDAP
             extensively, so some familiarity with that project's API may be useful. </para>
@@ -2036,7 +2036,7 @@ where
                 defining the location of the LDAP server and other information (such as a
                 username and password, if it doesn't allow anonymous access) for connecting to
                 it. It can also be used to create an embedded server for testing. Details of the
-                syntax for both options are covered in the <link xlink:href="#ldap-server">LDAP
+                syntax for both options are covered in the <link linkend="ldap-server">LDAP
                 chapter</link>. The actual <interfacename>ContextSource</interfacename>
                 implementation is <classname>DefaultSpringSecurityContextSource</classname>
                 which extends Spring LDAP's <classname>LdapContextSource</classname> class. The
@@ -2097,7 +2097,7 @@ where
             <section xml:id="nsa-ldap-authentication-provider-parents">
                 <title>Parent Elements of <literal>&lt;ldap-authentication-provider&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-authentication-manager">authentication-manager</link></listitem>
+                    <listitem><link linkend="nsa-authentication-manager">authentication-manager</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-ldap-authentication-provider-attributes">
@@ -2185,7 +2185,7 @@ where
             <section xml:id="nsa-ldap-authentication-provider-children">
                 <title>Child Elements of <literal>&lt;ldap-authentication-provider&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-password-compare">password-compare</link></listitem>
+                    <listitem><link linkend="nsa-password-compare">password-compare</link></listitem>
                 </itemizedlist>
             </section>
         </section>
@@ -2198,7 +2198,7 @@ where
             <section xml:id="nsa-password-compare-parents">
                 <title>Parent Elements of <literal>&lt;password-compare&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-ldap-authentication-provider">ldap-authentication-provider</link></listitem>
+                    <listitem><link linkend="nsa-ldap-authentication-provider">ldap-authentication-provider</link></listitem>
                 </itemizedlist>
             </section>
             <section xml:id="nsa-password-compare-attributes">
@@ -2217,7 +2217,7 @@ where
             <section xml:id="nsa-password-compare-children">
                 <title>Child Elements of <literal>&lt;password-compare&gt;</literal></title>
                 <itemizedlist>
-                    <listitem><link xlink:href="#nsa-password-encoder">password-encoder</link></listitem>
+                    <listitem><link linkend="nsa-password-encoder">password-encoder</link></listitem>
                 </itemizedlist>
             </section>
         </section>

docs/manual/src/docbook/authorization-common.xml

@@ -7,7 +7,7 @@
         <info>
             <title>Authorities</title>
         </info>
-        <para>As we saw in the <link xlink:href="#tech-granted-authority">technical overview</link>,
+        <para>As we saw in the <link linkend="tech-granted-authority">technical overview</link>,
             all <interfacename>Authentication</interfacename> implementations store a list of
             <interfacename>GrantedAuthority</interfacename> objects. These represent the authorities
             that have been granted to the principal. The
@@ -51,7 +51,7 @@
         <info>
             <title>Pre-Invocation Handling</title>
         </info>
-        <para> As we've also seen in the <link xlink:href="#secure-objects">Technical
+        <para> As we've also seen in the <link linkend="secure-objects">Technical
             Overview</link> chapter, Spring Security provides interceptors which control access to
             secure objects such as method invocations or web requests. A pre-invocation decision on
             whether the invocation is allowed to proceed is made by the
@@ -307,7 +307,7 @@ boolean supports(Class clazz);
         </para>
         <para>
             The use of a role-hierarchy allows you to configure which roles (or authorities) should include others.
-            An extended version of Spring Security's <link xlink:href="#authz-role-voter"><classname>RoleVoter</classname></link>,
+            An extended version of Spring Security's <link linkend="authz-role-voter"><classname>RoleVoter</classname></link>,
             <classname>RoleHierarchyVoter</classname>, is configured with a <interfacename>RoleHierarchy</interfacename>,
             from which it obtains all the <quote>reachable authorities</quote> which the user is assigned.
             A typical configuration might look like this:

docs/manual/src/docbook/cas-auth-provider.xml

@@ -196,7 +196,7 @@
       <listitem>
         <para>The user's browser is redirected to the original page that
         caused the <classname>AuthenticationException</classname> (or a
-          <link xlink:href="#form-login-flow-handling">custom destination</link> depending on
+          <link linkend="form-login-flow-handling">custom destination</link> depending on
           the configuration).</para>
       </listitem>
     </orderedlist>
@@ -213,7 +213,7 @@
             already know the basics of using Spring Security, so these are not covered again below.
             We'll assume a namespace based configuration is being used and add in the CAS beans as
             required. Each section builds upon the previous section. A full
-            <link xlink:href="#cas-sample">CAS sample application</link> can be found in the Spring
+            <link linkend="cas-sample">CAS sample application</link> can be found in the Spring
             Security Samples.</para>
         <section xml:id="cas-st">
             <info>
@@ -259,7 +259,7 @@
         <para>For CAS to operate, the <classname>ExceptionTranslationFilter</classname> must have
             its <literal>authenticationEntryPoint</literal> property set to the
             <classname>CasAuthenticationEntryPoint</classname> bean. This can easily be done using
-            <link xlink:href="#ns-entry-point-ref"><literal>entry-point-ref</literal></link> as is
+            <link linkend="ns-entry-point-ref"><literal>entry-point-ref</literal></link> as is
             done in the example above. The <classname>CasAuthenticationEntryPoint</classname> must refer to the
             <classname>ServiceProperties</classname> bean (discussed above), which provides the URL
             to the enterprise's CAS login server. This is where the user's browser will be
@@ -300,7 +300,7 @@
             here. Note that the <classname>CasAuthenticationProvider</classname> does not actually use
             the password for authentication, but it does use the authorities.</para>
          <para>The beans are all reasonably self-explanatory if you refer back to the
-              <link xlink:href="#cas-how-it-works">How CAS Works</link> section.</para>
+              <link linkend="cas-how-it-works">How CAS Works</link> section.</para>
          <para>This completes the most basic configuration for CAS. If you haven't made any
             mistakes, your web application should happily work within the
             framework of CAS single sign on. No other parts of Spring Security
@@ -448,7 +448,7 @@
                         <title>Calling a Stateless Service Using a Proxy Ticket</title>
                     </info>
                     <para>Now that Spring Security obtains PGTs, you can use them to create proxy tickets which can be used to authenticate
-                        to a stateless service. The <link xlink:href="#cas-sample">CAS sample application</link> contains a working example in
+                        to a stateless service. The <link linkend="cas-sample">CAS sample application</link> contains a working example in
                         the <classname>ProxyTicketSampleServlet</classname>. Example code can be found below:
 <programlisting language="xml"><![CDATA[
   protected void doGet(HttpServletRequest request, HttpServletResponse response)

docs/manual/src/docbook/channel-security.xml

@@ -32,7 +32,7 @@
         <info>
             <title>Configuration</title>
         </info>
-        <para>Channel security is supported by the <link xlink:href="#ns-requires-channel">security
+        <para>Channel security is supported by the <link linkend="ns-requires-channel">security
             namespace</link> by means of the <literal>requires-channel</literal> attribute on the
             <literal>&lt;intercept-url&gt;</literal> element and this is the simplest (and
             recommended approach).</para>

docs/manual/src/docbook/core-filters.xml

@@ -8,7 +8,7 @@
     <section xml:id="filter-security-interceptor">
         <title><classname>FilterSecurityInterceptor</classname></title>
         <para>We've already seen <classname>FilterSecurityInterceptor</classname> briefly when
-            discussing <link xlink:href="#tech-intro-access-control">access-control in
+            discussing <link linkend="tech-intro-access-control">access-control in
             general</link>, and we've already used it with the namespace where the
             <literal>&lt;intercept-url></literal> elements are combined to configure it internally.
             Now we'll see how to explicitly configure it for use with a
@@ -31,7 +31,7 @@
             <interfacename>AuthenticationManager</interfacename> and an
             <interfacename>AccessDecisionManager</interfacename>. It is also supplied with
             configuration attributes that apply to different HTTP URL requests. Refer back to <link
-            xlink:href="#tech-intro-config-attributes">the original discussion on these</link> in
+            linkend="tech-intro-config-attributes">the original discussion on these</link> in
             the technical introduction.</para>
         <para>The <classname>FilterSecurityInterceptor</classname> can be configured with
             configuration attributes in two ways. The first, which is shown above, is using the
@@ -165,7 +165,7 @@
                 can implement the interface yourself and use your own implementation. </para>
             <para>It's also possible to supply a custom
                 <interfacename>AccessDeniedHandler</interfacename> when you're using the namespace
-                to configure your application. See <link xlink:href="#nsa-access-denied-handler">the
+                to configure your application. See <link linkend="nsa-access-denied-handler">the
                 namespace appendix</link> for more details.</para>
         </section>
         <section xml:id="request-caching">
@@ -173,10 +173,10 @@
             <para>Another of <classname>ExceptionTranslationFilter</classname>'s responsibilities is
                 to save the current request before invoking the <interfacename>AuthenticationEntryPoint</interfacename>.
                 This allows the request to be restored after the use has authenticated (see previous overview
-                of <link xlink:href="#tech-intro-web-authentication">web authentication</link>).
+                of <link linkend="tech-intro-web-authentication">web authentication</link>).
                 A typical example would be where the user logs in with a form, and is then redirected to the
                 original URL by the default <classname>SavedRequestAwareAuthenticationSuccessHandler</classname>
-                (see <link xlink:href="#form-login-flow-handling">below</link>).
+                (see <link linkend="form-login-flow-handling">below</link>).
             </para>
             <para>The <interfacename>RequestCache</interfacename> encapsulates the functionality required for storing
                 and retrieving <interfacename>HttpServletRequest</interfacename> instances. By default
@@ -196,7 +196,7 @@
     <section xml:id="security-context-persistence-filter">
         <title><classname>SecurityContextPersistenceFilter</classname></title>
         <para> We covered the purpose of this all-important filter in the <link
-            xlink:href="#tech-intro-sec-context-persistence">Technical Overview</link> chapter so
+            linkend="tech-intro-sec-context-persistence">Technical Overview</link> chapter so
             you might want to re-read that section at this point. Let's first take a look at how you
             would configure it for use with a <classname>FilterChainProxy</classname>. A basic
             configuration only requires the bean itself <programlisting language="xml"><![CDATA[

docs/manual/src/docbook/core-services.xml

@@ -34,7 +34,7 @@
             successful authentication and stored in the <classname>SecurityContext</classname>. </para>
         <para> If you are using the namespace, an instance of <classname>ProviderManager</classname>
             is created and maintained internally, and you add providers to it by using the namespace
-            authentication provider elements (see <link xlink:href="#ns-auth-manager">the namespace
+            authentication provider elements (see <link linkend="ns-auth-manager">the namespace
             chapter</link>). In this case, you should not declare a
             <classname>ProviderManager</classname> bean in your application context. However, if you
             are not using the namespace then you would declare it like so: <programlisting language="xml"><![CDATA[
@@ -111,7 +111,7 @@
                 <interfacename>PasswordEncoder</interfacename> provides encoding and decoding of
                 passwords presented in the <interfacename>UserDetails</interfacename> object that is
                 returned from the configured <interfacename>UserDetailsService</interfacename>. This
-                will be discussed in more detail <link xlink:href="#core-services-password-encoding"
+                will be discussed in more detail <link linkend="core-services-password-encoding"
                 >below</link>. </para>
         </section>
     </section>
@@ -149,7 +149,7 @@
                 Security, when you don't really want to spend time configuring databases or writing
                 <interfacename>UserDetailsService</interfacename> implementations. For this sort of
                 situation, a simple option is to use the <literal>user-service</literal> element
-                from the security <link xlink:href="#ns-minimal">namespace</link>: <programlisting language="xml"><![CDATA[
+                from the security <link linkend="ns-minimal">namespace</link>: <programlisting language="xml"><![CDATA[
   <user-service id="userDetailsService">
     <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
     <user name="bob" password="bobspassword" authorities="ROLE_USER" />
@@ -196,7 +196,7 @@
                 <title>Authority Groups</title>
                 <para>By default, <classname>JdbcDaoImpl</classname> loads the authorities for a
                     single user with the assumption that the authorities are mapped directly to
-                    users (see the <link xlink:href="#appendix-schema">database schema
+                    users (see the <link linkend="appendix-schema">database schema
                     appendix</link>). An alternative approach is to partition the authorities into
                     groups and assign groups to the user. Some people prefer this approach as a
                     means of administering user rights. See the <classname>JdbcDaoImpl</classname>
@@ -217,7 +217,7 @@
     </section>
     <section xml:id="core-services-password-encoding">
         <title>Password Encoding</title>
-        <para xlink:href="#spring-security-crypto-passwordencoders">Spring Security's
+        <para linkend="spring-security-crypto-passwordencoders">Spring Security's
             <interfacename>PasswordEncoder</interfacename> interface is used to support the use of
             passwords which are encoded in some way in persistent storage. You should never store
             passwords in plain text. Always use a one-way password hashing algorithm such as bcrypt

docs/manual/src/docbook/csrf.xml

@@ -71,13 +71,13 @@ amount=100.00&routingNumber=1234&account=9876&_csrf=<secure-random>
             Security's CSRF protection are outlined below:</para>
             <orderedlist inheritnum="ignore" continuation="restarts">
               <listitem>
-                <para><link xlink:href="#csrf-use-proper-verbs">Use proper HTTP verbs</link></para>
+                <para><link linkend="csrf-use-proper-verbs">Use proper HTTP verbs</link></para>
               </listitem>
               <listitem>
-                <para><link xlink:href="#csrf-configure">Configure CSRF Protection</link></para>
+                <para><link linkend="csrf-configure">Configure CSRF Protection</link></para>
               </listitem>
               <listitem>
-                <para><link xlink:href="#csrf-include-csrf-token">Include the CSRF Token</link></para>
+                <para><link linkend="csrf-include-csrf-token">Include the CSRF Token</link></para>
               </listitem>
             </orderedlist>
             <section xml:id="csrf-use-proper-verbs">
@@ -89,7 +89,7 @@ amount=100.00&routingNumber=1234&account=9876&_csrf=<secure-random>
             <section xml:id="csrf-configure">
                 <title>Configure CSRF Protection</title>
                 <para>The next step is to include Spring Security's CSRF protection within your application. If you are using the XML configuration, this can be done
-                    using the <link xlink:href="#nsa-csrf">&lt;csrf /&gt;</link> element:</para>
+                    using the <link linkend="nsa-csrf">&lt;csrf /&gt;</link> element:</para>
                 <programlisting language="xml"><![CDATA[<http ...>
     ...
     <csrf />
@@ -196,7 +196,7 @@ public class WebSecurityConfig extends
         <para>Spring Security's goal is to provide defaults that protect your users from exploits. This does not mean that you are forced to accept all of its defaults.</para>
         <para>For example, you can provide a custom CsrfTokenRepository to override the way in which the <interfacename>CsrfToken</interfacename> is stored.</para>
         <para>You can also specify a custom RequestMatcher to determine which requests are protected by CSRF (i.e. perhaps you don't care if log out is exploited). In short, if
-            Spring Security's CSRF protection doesn't behave exactly as you want it, you are able to customize the behavior. Refer to the <link xlink:href="#nsa-csrf">&lt;csrf /&gt;</link>
+            Spring Security's CSRF protection doesn't behave exactly as you want it, you are able to customize the behavior. Refer to the <link linkend="nsa-csrf">&lt;csrf /&gt;</link>
             documentation for details on how to make these customizations with XML and the <classname>CsrfConfigurer</classname> javadoc for details on how to make these
             customizations when using Java configuration.</para>
     </section>

docs/manual/src/docbook/el-access.xml

@@ -150,7 +150,7 @@
                     whether the current user has the <quote>admin</quote>permission for the given
                     contact. The built-in <literal>hasPermission()</literal> expression is linked
                     into the Spring Security ACL module through the application context, as we'll
-                    <link xlink:href="#el-permission-evaluator">see below</link>. You can access any
+                    <link linkend="el-permission-evaluator">see below</link>. You can access any
                     of the method arguments by name as expression variables, provided your code has
                     debug information compiled in. Any Spring-EL functionality is available within
                     the expression, so you can also access properties on the arguments. For example,

docs/manual/src/docbook/index.xml

@@ -70,8 +70,8 @@
                 ten list of web application vulnerabilities as well as a lot of useful reference
                 information. </para>
             <para>We hope that you find this reference guide useful, and we welcome your feedback and
-                    <link xlink:href="#jira">suggestions</link>. </para>
-            <para>Finally, welcome to the Spring Security <link xlink:href="#community"
+                    <link linkend="jira">suggestions</link>. </para>
+            <para>Finally, welcome to the Spring Security <link linkend="community"
                 >community</link>. </para>
         </partintro>
     </preface>

docs/manual/src/docbook/jaas-auth-provider.xml

@@ -225,7 +225,7 @@ JAASTest {
             Subject subject = Subject.getSubject(AccessController.getContext());
 ]]></programlisting>
             This integration can easily be configured using the
-            <link xlink:href="#nsa-http-jaas-api-provision">jaas-api-provision</link> attribute. This
+            <link linkend="nsa-http-jaas-api-provision">jaas-api-provision</link> attribute. This
             feature is useful when integrating with legacy or external API's that rely on the
             JAAS Subject being populated.</para>
     </section>

docs/manual/src/docbook/namespace-config.xml

@@ -23,7 +23,7 @@
             attributes on the <literal>ldap-server</literal> element and the user is isolated from
             worrying about which beans they need to create and what the bean property names are. <footnote>
             <para>You can find out more about the use of the <literal>ldap-server</literal> element
-                in the chapter on <link xlink:href="#ldap">LDAP</link>.</para>
+                in the chapter on <link linkend="ldap">LDAP</link>.</para>
             </footnote>. Use of a good XML editor while editing the application context file should
             provide information on the attributes and elements that are available. We would
             recommend that you try out the <link
@@ -147,7 +147,7 @@
                 functionality. The <literal>&lt;intercept-url></literal> element defines a
                 <literal>pattern</literal> which is matched against the URLs of incoming requests
                 using an ant path style syntax<footnote>
-                <para>See the section on <link xlink:href="#request-matching">Request
+                <para>See the section on <link linkend="request-matching">Request
                     Matching</link> in the Web Application Infrastructure chapter for more details
                     on how matches are actually performed.</para>
                 </footnote>. You can also use regular-expression matching as an alternative (see the
@@ -162,9 +162,9 @@
                 attributes). We'll see later how the interpretation can vary<footnote>
                 <para>The interpretation of the comma-separated values in the
                     <literal>access</literal> attribute depends on the implementation of the <link
-                    xlink:href="#ns-access-manager">AccessDecisionManager</link> which is used. In
+                    linkend="ns-access-manager">AccessDecisionManager</link> which is used. In
                     Spring Security 3.0, the attribute can also be populated with an <link
-                    xlink:href="#el-access">EL expression</link>.</para>
+                    linkend="el-access">EL expression</link>.</para>
                 </footnote>.</para>
             <note>
                 <para>You can use multiple <literal>&lt;intercept-url&gt;</literal> elements to
@@ -202,7 +202,7 @@
                     <literal>&lt;authentication-manager></literal> element, which creates a
                     <classname>ProviderManager</classname> and registers the authentication
                     providers with it. You can find more detailed information on the beans that are
-                    created in the <link xlink:href="#appendix-namespace">namespace appendix</link>.
+                    created in the <link linkend="appendix-namespace">namespace appendix</link>.
                     It's worth cross-checking this if you want to start understanding what the
                     important classes in the framework are and how they are used, particularly if
                     you want to customise things later.</para>
@@ -211,7 +211,7 @@
                 the application (which will be used for access control). It is also possible to load
                 user information from a standard properties file using the
                 <literal>properties</literal> attribute on <literal>user-service</literal>. See the
-                section on <link xlink:href="#core-services-in-memory-service">in-memory
+                section on <link linkend="core-services-in-memory-service">in-memory
                 authentication</link> for more details on the file format. Using the
                 <literal>&lt;authentication-provider&gt;</literal> element means that the user
                 information will be used by the authentication manager to process authentication
@@ -241,8 +241,8 @@
     </programlisting> Also note
                 that we've added an extra <literal>intercept-url</literal> element to say that any
                 requests for the login page should be available to anonymous users <footnote>
-                <para>See the chapter on <link xlink:href="#anonymous">anonymous
-                    authentication</link> and also the <link xlink:href="#authz-authenticated-voter"
+                <para>See the chapter on <link linkend="anonymous">anonymous
+                    authentication</link> and also the <link linkend="authz-authenticated-voter"
                     >AuthenticatedVoter</link> class for more details on how the value
                     <literal>IS_AUTHENTICATED_ANONYMOUSLY</literal> is processed.</para>
                 </footnote>. Otherwise the request would be matched by the pattern
@@ -273,7 +273,7 @@
                     <literal>intercept-url</literal> element is incompatible with this change and is
                     no longer supported in 3.1.</para>
                 </footnote>. We'll look at this new syntax in more detail in the chapter on the
-                <link xlink:href="#filter-chains-with-ns">Security Filter Chain</link>. </para>
+                <link linkend="filter-chains-with-ns">Security Filter Chain</link>. </para>
             <para> It's important to realise that these unsecured requests will be completely
                 oblivious to any Spring Security web-related configuration or additional attributes
                 such as <literal>requires-channel</literal>, so you will not be able to access
@@ -313,7 +313,7 @@
                     <literal>authentication-success-handler-ref</literal> attribute as an
                     alternative to <literal>default-target-url</literal>. The referenced bean should
                     be an instance of <interfacename>AuthenticationSuccessHandler</interfacename>.
-                    You'll find more on this in the <link xlink:href="#form-login-flow-handling"
+                    You'll find more on this in the <link linkend="form-login-flow-handling"
                     >Core Filters</link> chapter and also in the namespace appendix, as well as
                     information on how to customize the flow when authentication fails. </para>
             </section>
@@ -331,7 +331,7 @@
             <para> In practice you will need a more scalable source of user information than a few
                 names added to the application context file. Most likely you will want to store your
                 user information in something like a database or an LDAP server. LDAP namespace
-                configuration is dealt with in the <link xlink:href="#ldap">LDAP chapter</link>, so
+                configuration is dealt with in the <link linkend="ldap">LDAP chapter</link>, so
                 we won't cover it here. If you have a custom implementation of Spring Security's
                 <classname>UserDetailsService</classname>, called "myUserDetailsService" in your
                 application context, then you can authenticate against this using <programlisting language="xml"><![CDATA[
@@ -349,7 +349,7 @@
         </programlisting> Where <quote>securityDataSource</quote> is the name of a
                 <classname>DataSource</classname> bean in the application context, pointing at a
                 database containing the standard Spring Security <link
-                xlink:href="#db_schema_users_authorities">user data tables</link>. Alternatively,
+                linkend="db_schema_users_authorities">user data tables</link>. Alternatively,
                 you could configure a Spring Security <classname>JdbcDaoImpl</classname> bean and
                 point at that using the <literal>user-service-ref</literal> attribute: <programlisting language="xml"><![CDATA[
   <authentication-manager>
@@ -408,7 +408,7 @@
         <title>Advanced Web Features</title>
         <section xml:id="ns-remember-me">
             <title>Remember-Me Authentication</title>
-            <para>See the separate <link xlink:href="#remember-me">Remember-Me chapter</link> for
+            <para>See the separate <link linkend="remember-me">Remember-Me chapter</link> for
                 information on remember-me namespace configuration.</para>
         </section>
         <section xml:id="ns-requires-channel">
@@ -515,7 +515,7 @@
                     <literal>session-management</literal> element. </para>
                 <para>If you are using a customized authentication filter for form-based login, then
                     you have to configure concurrent session control support explicitly. More
-                    details can be found in the <link xlink:href="#session-mgmt">Session Management
+                    details can be found in the <link linkend="session-mgmt">Session Management
                     chapter</link>. </para>
             </section>
             <section xml:id="ns-session-fixation">
@@ -559,7 +559,7 @@
                     will <emphasis>also</emphasis> result in any
                     <classname>javax.servlet.http.HttpSessionIdListener</classname>s being notified, so
                     use caution if your code listens for both events. See the
-                    <link xlink:href="#session-mgmt">Session Management</link> chapter for additional
+                    <link linkend="session-mgmt">Session Management</link> chapter for additional
                     information.
                 </para>
             </section>
@@ -580,7 +580,7 @@
                 authenticate. It is also possible to select a specific
                 <interfacename>UserDetailsService</interfacename> bean for use OpenID by setting the
                 <literal>user-service-ref</literal> attribute on the <literal>openid-login</literal>
-                element. See the previous section on <link xlink:href="#ns-auth-providers"
+                element. See the previous section on <link linkend="ns-auth-providers"
                 >authentication providers</link> for more information. Note that we have omitted the
                 password attribute from the above user configuration, since this set of user data is
                 only being used to load the authorities for the user. A random password will be
@@ -613,7 +613,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
                     retrieved value (or values in the case of multi-valued attributes). We'll see
                     more about how the <classname>SecurityContextHolder</classname> class is used
                     when we look at core Spring Security components in the <link
-                    xlink:href="#core-components">technical overview</link> chapter. Multiple
+                    linkend="core-components">technical overview</link> chapter. Multiple
                     attribute exchange configurations are also be supported, if you wish to use
                     multiple identity providers. You can supply multiple
                     <literal>attribute-exchange</literal> elements, using an
@@ -659,7 +659,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
 </http>]]>
                 </programlisting>
             </para>
-            <para>For additional information on how to customize the headers element refer to the <link xlink:href="#nsa-headers">headers</link>
+            <para>For additional information on how to customize the headers element refer to the <link linkend="nsa-headers">headers</link>
                 section of the Security Namespace appendix.</para>
         </section>
         <section xml:id="ns-custom-filters">
@@ -826,7 +826,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
                     <classname>FilterSecurityInterceptor</classname>. Some other filters are added
                     by default, but you can disable them. An <classname>AnonymousAuthenticationFilter</classname>
                     is added by default and unless you have
-                    <link xlink:href="#ns-session-fixation">session-fixation protection</link>
+                    <link linkend="ns-session-fixation">session-fixation protection</link>
                     disabled, a <classname>SessionManagementFilter</classname> will also be added
                     to the filter chain.
                 </para>
@@ -847,7 +847,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
                 <para> The CAS sample application is a good example of the use of custom beans with
                     the namespace, including this syntax. If you aren't familiar with authentication
                     entry points, they are discussed in the <link
-                    xlink:href="#tech-intro-auth-entry-point">technical overview</link> chapter.
+                    linkend="tech-intro-auth-entry-point">technical overview</link> chapter.
                 </para>
             </section>
         </section>
@@ -857,7 +857,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
         <para>From version 2.0 onwards Spring Security has improved support substantially for adding
             security to your service layer methods. It provides support for JSR-250 annotation
             security as well as the framework's original <literal>@Secured</literal> annotation.
-            From 3.0 you can also make use of new <link xlink:href="#el-access">expression-based
+            From 3.0 you can also make use of new <link linkend="el-access">expression-based
             annotations</link>. You can apply security to a single bean, using the
             <literal>intercept-methods</literal> element to decorate the bean declaration, or you
             can secure multiple beans across the entire service layer using the AspectJ style
@@ -963,7 +963,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
         <para> The default strategy is to use an <classname>AffirmativeBased</classname>
             <interfacename>AccessDecisionManager</interfacename> with a
             <classname>RoleVoter</classname> and an <classname>AuthenticatedVoter</classname>. You
-            can find out more about these in the chapter on <link xlink:href="#authz-arch"
+            can find out more about these in the chapter on <link linkend="authz-arch"
             >authorization</link>.</para>
         <section xml:id="ns-custom-access-mgr">
             <title>Customizing the AccessDecisionManager</title>
@@ -992,7 +992,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
             <interfacename>AuthenticationManager</interfacename>. This is usually an instance of
             Spring Security's <classname>ProviderManager</classname> class, which you may already be
             familiar with if you've used the framework before. If not, it will be covered later, in
-            the <link xlink:href="#tech-intro-authentication">technical overview chapter</link>. The
+            the <link linkend="tech-intro-authentication">technical overview chapter</link>. The
             bean instance is registered using the <literal>authentication-manager</literal>
             namespace element. You can't use a custom <classname>AuthenticationManager</classname>
             if you are using either HTTP or method security through the namespace, but this should

docs/manual/src/docbook/new-3-1.xml

@@ -32,36 +32,36 @@
         <title>Spring Security 3.1 namespace updates</title>
         <para>Below you can find a summary of updates to the Spring Security 3.1 namespace.</para>
         <itemizedlist>
-            <listitem>Added support for multiple <link xlink:href="#nsa-http">&lt;http&gt;</link> elements and support for determining which one to use with
-                <link xlink:href="#nsa-http-pattern">http@pattern</link>, <link xlink:href="#nsa-http-request-matcher">http@request-matcher</link>, and
-                <link xlink:href="#nsa-http-security">http@security</link>.
-                Further information can be found in <link xlink:href="#ns-config">Namespace Configuration</link> section of the reference.</listitem>
-            <listitem>Added stateless option for <link xlink:href="#nsa-http-create-session">http@create-session</link></listitem>
-            <listitem>Added support for <link xlink:href="#nsa-http-authentication-manager-ref">http@authentication-manager-ref</link>
-                and <link xlink:href="#nsa-global-method-security-authentication-manager-ref">global-method-security@authentication-manager-ref</link>.</listitem>
-            <listitem>Added <link xlink:href="#nsa-http-name">http@name</link></listitem>
-            <listitem>Added <link xlink:href="#nsa-http-request-matcher-ref">http@request-matcher-ref</link> and
-                <link xlink:href="#nsa-filter-chain-request-matcher-ref">filter-chain@request-matcher-ref</link></listitem>
-            <listitem>Added <link xlink:href="#nsa-debug">&lt;debug&gt;</link></listitem>
+            <listitem>Added support for multiple <link linkend="nsa-http">&lt;http&gt;</link> elements and support for determining which one to use with
+                <link linkend="nsa-http-pattern">http@pattern</link>, <link linkend="nsa-http-request-matcher">http@request-matcher</link>, and
+                <link linkend="nsa-http-security">http@security</link>.
+                Further information can be found in <link linkend="ns-config">Namespace Configuration</link> section of the reference.</listitem>
+            <listitem>Added stateless option for <link linkend="nsa-http-create-session">http@create-session</link></listitem>
+            <listitem>Added support for <link linkend="nsa-http-authentication-manager-ref">http@authentication-manager-ref</link>
+                and <link linkend="nsa-global-method-security-authentication-manager-ref">global-method-security@authentication-manager-ref</link>.</listitem>
+            <listitem>Added <link linkend="nsa-http-name">http@name</link></listitem>
+            <listitem>Added <link linkend="nsa-http-request-matcher-ref">http@request-matcher-ref</link> and
+                <link linkend="nsa-filter-chain-request-matcher-ref">filter-chain@request-matcher-ref</link></listitem>
+            <listitem>Added <link linkend="nsa-debug">&lt;debug&gt;</link></listitem>
             <listitem>Added Support for setting the AuthenticationDetailsSource using the namespace. See
-                <link xlink:href="#nsa-form-login-authentication-details-source-ref">form-login@authentication-details-source-ref</link>,
-                <link xlink:href="#nsa-openid-login-authentication-details-source-ref">openid-login@authentication-details-source-ref</link>,
-                <link xlink:href="#nsa-http-basic-authentication-details-source-ref">http-basic@authentication-details-source-ref</link>, and
-                <link xlink:href="#nsa-x509-authentication-details-source-ref">x509@authentication-details-source-ref</link>.</listitem>
+                <link linkend="nsa-form-login-authentication-details-source-ref">form-login@authentication-details-source-ref</link>,
+                <link linkend="nsa-openid-login-authentication-details-source-ref">openid-login@authentication-details-source-ref</link>,
+                <link linkend="nsa-http-basic-authentication-details-source-ref">http-basic@authentication-details-source-ref</link>, and
+                <link linkend="nsa-x509-authentication-details-source-ref">x509@authentication-details-source-ref</link>.</listitem>
             <listitem>Added support for http/expression-handler. This allows
-                <link xlink:href="#nsa-expression-handler">&lt;expression-handler&gt;</link> to be used for web access expressions.</listitem>
-            <listitem>Added <link xlink:href="#nsa-authentication-manager-erase-credentials">authentication-manager@erase-credentials</link></listitem>
-            <listitem>Added <link xlink:href="#nsa-http-basic-entry-point-ref">http-basic@entry-point-ref</link></listitem>
-            <listitem>Added <link xlink:href="#nsa-logout-delete-cookies">logout@delete-cookies</link></listitem>
-            <listitem>Added <link xlink:href="#nsa-remember-me-authentication-success-handler-ref">remember-me@authentication-success-handler-ref</link></listitem>
-            <listitem>Added <link xlink:href="#nsa-method-security-metadata-source">&lt;metadata-source-ref&gt;</link></listitem>
-            <listitem>Added <link xlink:href="#nsa-global-method-security-metadata-source-ref">global-method-security@metadata-source-ref</link></listitem>
-            <listitem>Added <link xlink:href="#nsa-global-method-security-mode">global-method-security@mode</link></listitem>
-            <listitem>Added <link xlink:href="#nsa-attribute-exchange">&lt;attribute-exchange&gt;</link></listitem>
-            <listitem>Added <link xlink:href="#nsa-remember-me-use-secure-cookie">remember-me@use-secure-cookie</link></listitem>
-            <listitem>Added <link xlink:href="#nsa-http-jaas-api-provision">http@jaas-api-provision</link></listitem>
-            <listitem>Added <link xlink:href="#nsa-form-login-username-parameter">form-login@username-parameter</link> and
-                <link xlink:href="#nsa-form-login-password-parameter">form-login@password-parameter</link></listitem>
+                <link linkend="nsa-expression-handler">&lt;expression-handler&gt;</link> to be used for web access expressions.</listitem>
+            <listitem>Added <link linkend="nsa-authentication-manager-erase-credentials">authentication-manager@erase-credentials</link></listitem>
+            <listitem>Added <link linkend="nsa-http-basic-entry-point-ref">http-basic@entry-point-ref</link></listitem>
+            <listitem>Added <link linkend="nsa-logout-delete-cookies">logout@delete-cookies</link></listitem>
+            <listitem>Added <link linkend="nsa-remember-me-authentication-success-handler-ref">remember-me@authentication-success-handler-ref</link></listitem>
+            <listitem>Added <link linkend="nsa-method-security-metadata-source">&lt;metadata-source-ref&gt;</link></listitem>
+            <listitem>Added <link linkend="nsa-global-method-security-metadata-source-ref">global-method-security@metadata-source-ref</link></listitem>
+            <listitem>Added <link linkend="nsa-global-method-security-mode">global-method-security@mode</link></listitem>
+            <listitem>Added <link linkend="nsa-attribute-exchange">&lt;attribute-exchange&gt;</link></listitem>
+            <listitem>Added <link linkend="nsa-remember-me-use-secure-cookie">remember-me@use-secure-cookie</link></listitem>
+            <listitem>Added <link linkend="nsa-http-jaas-api-provision">http@jaas-api-provision</link></listitem>
+            <listitem>Added <link linkend="nsa-form-login-username-parameter">form-login@username-parameter</link> and
+                <link linkend="nsa-form-login-password-parameter">form-login@password-parameter</link></listitem>
         </itemizedlist>
     </section>
 </chapter>

docs/manual/src/docbook/preauth.xml

@@ -29,7 +29,7 @@
             pre-authenticated authentication providers. This removes duplication and allows new
             implementations to be added in a structured fashion, without having to write everything
             from scratch. You don't need to know about these classes if you want to use something
-            like <link xlink:href="#x509">X.509 authentication</link>, as it already has a namespace
+            like <link linkend="x509">X.509 authentication</link>, as it already has a namespace
             configuration option which is simpler to use and get started with. If you need to use
             explicit bean configuration or are planning on writing your own implementation then an
             understanding of how the provided implementations work will be useful. You will find
@@ -107,7 +107,7 @@
         <section>
             <title>Http403ForbiddenEntryPoint</title>
             <para> The <interfacename>AuthenticationEntryPoint</interfacename> was discussed in the
-                <link xlink:href="#tech-intro-auth-entry-point">technical overview</link> chapter.
+                <link linkend="tech-intro-auth-entry-point">technical overview</link> chapter.
                 Normally it is responsible for kick-starting the authentication process for an
                 unauthenticated user (when they try to access a protected resource), but in the
                 pre-authenticated case this doesn't apply. You would only configure the
@@ -121,7 +121,7 @@
     </section>
     <section>
         <title>Concrete Implementations</title>
-        <para> X.509 authentication is covered in its <link xlink:href="#x509">own chapter</link>.
+        <para> X.509 authentication is covered in its <link linkend="x509">own chapter</link>.
             Here we'll look at some classes which provide support for other pre-authenticated
             scenarios. </para>
         <section>
@@ -169,7 +169,7 @@ class="org.springframework.security.web.authentication.preauth.PreAuthenticatedA
       <security:authentication-provider ref="preauthAuthProvider" />
     </security:authentication-manager>
 ]]>
-</programlisting> We've assumed here that the <link xlink:href="#ns-config">security namespace</link>
+</programlisting> We've assumed here that the <link linkend="ns-config">security namespace</link>
                     is being used for configuration. It's also assumed that you have added a
                     <interfacename>UserDetailsService</interfacename> (called
                     <quote>userDetailsService</quote>) to your configuration to load the user's

docs/manual/src/docbook/remember-me-authentication.xml

@@ -45,7 +45,7 @@
             more significant security is needed you should use the approach described in the next
             section. Alternatively remember-me services should simply not be used at all.</para>
         <para>If you are familiar with the topics discussed in the chapter on <link
-            xlink:href="#ns-config">namespace configuration</link>, you can enable remember-me
+            linkend="ns-config">namespace configuration</link>, you can enable remember-me
             authentication just by adding the <literal>&lt;remember-me&gt;</literal> element: <programlisting language="xml"><![CDATA[
   <http>
     ...

docs/manual/src/docbook/samples.xml

@@ -6,7 +6,7 @@
     <para> There are several sample web applications that are available with the project. To avoid
         an overly large download, only the "tutorial" and "contacts" samples are included in the
         distribution zip file. The others can be built directly from the source which you can obtain
-        as described in <link xlink:href="#get-source">the introduction</link>. It's easy to build
+        as described in <link linkend="get-source">the introduction</link>. It's easy to build
         the project yourself and there's more information on the project web site at <link
             xlink:href="http://www.springsource.org/security/">
             http://www.springsource.org/security/ </link>. All paths referred to in this chapter are
@@ -17,8 +17,8 @@
             namespace configuration throughout. The compiled application is included in the
             distribution zip file, ready to be deployed into your web container
             (<filename>spring-security-samples-tutorial-3.1.x.war</filename>). The <link
-            xlink:href="#ns-form-and-basic">form-based</link> authentication mechanism is used in
-            combination with the commonly-used <link xlink:href="#remember-me">remember-me</link>
+            linkend="ns-form-and-basic">form-based</link> authentication mechanism is used in
+            combination with the commonly-used <link linkend="remember-me">remember-me</link>
             authentication provider to automatically remember the login using cookies.</para>
         <para>We recommend you start with the tutorial sample, as the XML is minimal and easy to
             follow. Most importantly, you can easily add this one XML file (and its corresponding
@@ -122,7 +122,7 @@ Success! Your web filters appear to be properly configured!
         <title>CAS Sample</title>
         <para> The CAS sample requires that you run both a CAS server and CAS client. It isn't
             included in the distribution so you should check out the project code as described in
-            <link xlink:href="#get-source">the introduction</link>. You'll find the relevant files
+            <link linkend="get-source">the introduction</link>. You'll find the relevant files
             under the <filename>sample/cas</filename> directory. There's also a
             <filename>Readme.txt</filename> file in there which explains how to run both the server
             and the client directly from the source tree, complete with SSL support.</para>
@@ -132,12 +132,12 @@ Success! Your web filters appear to be properly configured!
         <para>The JAAS sample is very simple example of how to use a JAAS LoginModule with Spring Security. The provided LoginModule will
             successfully authenticate a user if the username equals the password otherwise a LoginException is thrown. The AuthorityGranter
             used in this example always grants the role ROLE_USER. The sample application also demonstrates how to run as the JAAS Subject
-            returned by the LoginModule by setting <link xlink:href="#nsa-http-jaas-api-provision">jaas-api-provision</link> equal to "true".</para>
+            returned by the LoginModule by setting <link linkend="nsa-http-jaas-api-provision">jaas-api-provision</link> equal to "true".</para>
     </section>
     <section xml:id="preauth-sample">
         <title>Pre-Authentication Sample</title>
         <para> This sample application demonstrates how to wire up beans from the <link
-            xlink:href="#preauth">pre-authentication</link> framework to make use of login
+            linkend="preauth">pre-authentication</link> framework to make use of login
             information from a J2EE container. The user name and roles are those setup by the
             container. </para>
         <para> The code is in <filename>samples/preauth</filename>. </para>

docs/manual/src/docbook/secured-objects.xml

@@ -9,7 +9,7 @@
         </info>
         <para> Prior to Spring Security 2.0, securing <classname>MethodInvocation</classname>s
             needed quite a lot of boiler plate configuration. Now the recommended approach for
-            method security is to use <link xlink:href="#ns-method-security">namespace
+            method security is to use <link linkend="ns-method-security">namespace
             configuration</link>. This way the method security infrastructure beans are configured
             automatically for you so you don't really need to know about the implementation classes.
             We'll just provide a quick overview of the classes that are involved here. </para>

docs/manual/src/docbook/security-filter-chain.xml

@@ -12,7 +12,7 @@
     <para> Spring Security maintains a filter chain internally where each of the filters has a
         particular responsibility and filters are added or removed from the configuration depending
         on which services are required. The ordering of the filters is important as there are
-        dependencies between them. If you have been using <link xlink:href="#ns-config">namespace
+        dependencies between them. If you have been using <link linkend="ns-config">namespace
         configuration</link>, then the filters are automatically configured for you and you don't
         have to define any Spring beans explicitly but here may be times when you want full control
         over the security filter chain, either because you are using features which aren't supported
@@ -111,7 +111,7 @@
             lifecycle methods on the filters it is configured with. We recommend you use
             Spring's application context lifecycle interfaces as an alternative, just as you
             would for any other Spring bean.</para>
-        <para> When we looked at how to set up web security using <link xlink:href="#ns-web-xml"
+        <para> When we looked at how to set up web security using <link linkend="ns-web-xml"
             >namespace configuration</link>, we used a <literal>DelegatingFilterProxy</literal> with
             the name <quote>springSecurityFilterChain</quote>. You should now be able to see that
             this is the name of the <classname>FilterChainProxy</classname> which is created by the

docs/manual/src/docbook/session-mgmt.xml

@@ -33,7 +33,7 @@
             is just to redirect to a fixed URL and this is encapsulated in the standard implementation
             <classname>SimpleRedirectInvalidSessionStrategy</classname>. The latter is also used
             when configuring an invalid session URL through the namespace,
-            <link xlink:href="#ns-session-mgmt">as described earlier</link>.</para>
+            <link linkend="ns-session-mgmt">as described earlier</link>.</para>
     </section>
     <section>
         <title><interfacename>SessionAuthenticationStrategy</interfacename></title>

docs/manual/src/docbook/taglibs.xml

@@ -16,7 +16,7 @@
             Spring Security 3.0, it can be used in two ways <footnote>
             <para>The legacy options from Spring Security 2.0 are also supported, but
                 discouraged.</para>
-            </footnote>. The first approach uses a <link xlink:href="#el-access-web">web-security
+            </footnote>. The first approach uses a <link linkend="el-access-web">web-security
             expression</link>, specified in the <literal>access</literal> attribute of the tag. The
             expression evaluation will be delegated to the
             <interfacename>SecurityExpressionHandler&lt;FilterInvocation&gt;</interfacename> defined in the application

docs/manual/src/docbook/technical-overview.xml

@@ -115,7 +115,7 @@ if (principal instanceof UserDetails) {
             <para> On successful authentication, <interfacename>UserDetails</interfacename> is used
                 to build the <interfacename>Authentication</interfacename> object that is stored in
                 the <classname>SecurityContextHolder</classname> (more on this <link
-                xlink:href="#tech-intro-authentication">below</link>). The good news is that we
+                linkend="tech-intro-authentication">below</link>). The good news is that we
                 provide a number of <interfacename>UserDetailsService</interfacename>
                 implementations, including one that uses an in-memory map
                 (<classname>InMemoryDaoImpl</classname>) and another that uses JDBC
@@ -132,7 +132,7 @@ if (principal instanceof UserDetails) {
                     to other components within the framework. In particular, it <emphasis>does not</emphasis>
                     authenticate the user, which is done by the <interfacename>AuthenticationManager</interfacename>.
                     In many cases it makes more sense to
-                    <link xlink:href="#core-services-authentication-manager">implement <interfacename>AuthenticationProvider</interfacename></link>
+                    <link linkend="core-services-authentication-manager">implement <interfacename>AuthenticationProvider</interfacename></link>
                     directly if you require a custom authentication process.
                 </para>
             </note>
@@ -355,7 +355,7 @@ Successfully authenticated. Security context contains: \
             </para>
             <para> If you're wondering how the <interfacename>AuthenticationManager</interfacename>
                  is implemented in a real world example, we'll look at that in the <link
-                xlink:href="#core-services-authentication-manager">core services
+                linkend="core-services-authentication-manager">core services
                 chapter</link>.</para>
         </section>
     </section>
@@ -600,7 +600,7 @@ Successfully authenticated. Security context contains: \
                     <classname>RoleVoter</classname>. This is only relevant when a voter-based
                     <interfacename>AccessDecisionManager</interfacename> is in use. We'll see how
                     the <interfacename>AccessDecisionManager</interfacename> is implemented in the
-                    <link xlink:href="#authz-arch">authorization chapter</link>.</para>
+                    <link linkend="authz-arch">authorization chapter</link>.</para>
             </section>
             <section>
                 <title>RunAsManager</title>