SEC-1132: Moved remaining preauth code from core to web

config/src/main/java/org/springframework/security/config/UserDetailsServiceInjectionBeanPostProcessor.java

@@ -12,9 +12,9 @@ import org.springframework.beans.factory.config.BeanPostProcessor;
 import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
 import org.springframework.beans.factory.support.RootBeanDefinition;
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationProvider;
 import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
 import org.springframework.util.Assert;
 

config/src/main/java/org/springframework/security/config/X509BeanDefinitionParser.java

@@ -1,9 +1,9 @@
 package org.springframework.security.config;
 
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedProcessingFilterEntryPoint;
 import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
 import org.springframework.security.web.authentication.preauth.x509.X509PreAuthenticatedProcessingFilter;
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationProvider;
 import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;

core/src/test/java/org/springframework/security/authentication/preauth/UserDetailsByNameServiceWrapperTests.java → core/src/test/java/org/springframework/security/core/userdetails/UserDetailsByNameServiceWrapperTests.java

@@ -1,9 +1,9 @@
-package org.springframework.security.authentication.preauth;
+package org.springframework.security.core.userdetails;
 
 import junit.framework.TestCase;
 
 import org.springframework.dao.DataAccessException;
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -42,9 +42,9 @@ public class UserDetailsByNameServiceWrapperTests extends TestCase {
             }
         });
         svc.afterPropertiesSet();
-        UserDetails result1 = svc.loadUserDetails(new PreAuthenticatedAuthenticationToken("dummy", "dummy"));
+        UserDetails result1 = svc.loadUserDetails(new TestingAuthenticationToken("dummy", "dummy"));
         assertEquals("Result doesn't match original user", user, result1);
-        UserDetails result2 = svc.loadUserDetails(new PreAuthenticatedAuthenticationToken("dummy2", "dummy"));
+        UserDetails result2 = svc.loadUserDetails(new TestingAuthenticationToken("dummy2", "dummy"));
         assertNull("Result should have been null", result2);
     }
 

itest/context/src/test/resources/filter-chain-performance-app-context.xml

@@ -71,7 +71,7 @@
     </bean>
 
 
-    <bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationProvider">
+    <bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
         <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
     </bean>
 

portlet/src/main/java/org/springframework/security/portlet/PortletProcessingInterceptor.java

@@ -40,12 +40,12 @@ import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationDetailsSourceImpl;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.AbstractProcessingFilter;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.util.Assert;
 import org.springframework.web.portlet.HandlerInterceptor;
 import org.springframework.web.portlet.ModelAndView;

portlet/src/test/java/org/springframework/security/portlet/PortletProcessingInterceptorTests.java

@@ -32,11 +32,11 @@ import org.springframework.mock.web.portlet.MockActionResponse;
 import org.springframework.mock.web.portlet.MockRenderRequest;
 import org.springframework.mock.web.portlet.MockRenderResponse;
 import org.springframework.security.web.authentication.AbstractProcessingFilter;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;

portlet/src/test/java/org/springframework/security/portlet/PortletSessionContextIntegrationInterceptorTests.java

@@ -24,12 +24,12 @@ import org.springframework.mock.web.portlet.MockActionRequest;
 import org.springframework.mock.web.portlet.MockActionResponse;
 import org.springframework.mock.web.portlet.MockRenderRequest;
 import org.springframework.mock.web.portlet.MockRenderResponse;
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.core.userdetails.User;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 
 /**
  * Tests {@link PortletSessionContextIntegrationInterceptor}.

portlet/src/test/java/org/springframework/security/portlet/PortletTestUtils.java

@@ -24,10 +24,10 @@ import org.springframework.mock.web.portlet.MockPortletRequest;
 import org.springframework.mock.web.portlet.MockRenderRequest;
 import org.springframework.mock.web.portlet.MockRenderResponse;
 import org.springframework.security.authentication.TestingAuthenticationToken;
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 
 /**
  * Utilities for testing Portlet (JSR 168) based security.

samples/portlet/src/main/resources/portlet/securityContextPortlet.xml

@@ -60,16 +60,16 @@
     
     <sec:authentication-manager alias="authenticationManager"/>
    
-    <bean id="portletAuthProvider" class="org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationProvider">
+    <bean id="portletAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
         <sec:custom-authentication-provider/>
         <property name="preAuthenticatedUserDetailsService">
-            <bean class="org.springframework.security.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>
+            <bean class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>
         </property>
         <property name="throwExceptionWhenTokenRejected" value="true"/>
     </bean>
 
 <!--    
-    <bean id="portletAuthProvider" class="org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationProvider">
+    <bean id="portletAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
         <sec:custom-authentication-provider/>
         <property name="preAuthenticatedUserDetailsService">
             <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">

samples/preauth/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -22,13 +22,13 @@
 
     <sec:authentication-manager alias="authenticationManager" />
 
-    <bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationProvider">
+    <bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
         <sec:custom-authentication-provider />
         <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
     </bean>
 
     <bean id="preAuthenticatedUserDetailsService"
-            class="org.springframework.security.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>
+            class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>
 
     <bean id="j2eePreAuthFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
         <property name="authenticationManager" ref="authenticationManager"/>

src/docbkx/anon-auth-provider.xml

@@ -44,13 +44,13 @@
     <para><programlisting>
 <![CDATA[
 <bean id="anonymousProcessingFilter"
-    class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
+    class="org.springframework.security.web.authentication.AnonymousProcessingFilter">
   <property name="key" value="foobar"/>
   <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
 </bean>
 
 <bean id="anonymousAuthenticationProvider"
-    class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
+    class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
   <property name="key" value="foobar"/>
 </bean>]]>
     </programlisting></para>
@@ -71,7 +71,7 @@
     <para><programlisting>
 <![CDATA[
 <bean id="filterInvocationInterceptor"
-    class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
+    class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
   <property name="authenticationManager" ref="authenticationManager"/>
   <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
   <property name="objectDefinitionSource">

src/docbkx/authorization-common.xml

@@ -184,71 +184,6 @@ boolean supports(Class clazz);
       as the <literal>ROLE_</literal> prefix.</para>
     </section>
 
-<!--
-
-    <para><literal>BasicAclEntryVoter</literal> is the other concrete
-    voter included with Spring Security. It integrates with Spring
-    Security's <literal>AclManager</literal> (discussed later). This voter
-    is designed to have multiple instances in the same application
-    context, such as:
-<programlisting>
-<![CDATA[
-<bean id="aclContactReadVoter"
-    class="org.springframework.security.vote.BasicAclEntryVoter">
-  <property name="processConfigAttribute" value="ACL_CONTACT_READ"/>
-  <property name="processDomainObjectClass" value="sample.contact.Contact"/>
-  <property name="aclManager" ref="aclManager"/>
-  <property name="requirePermission">
-    <list>
-      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
-      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
-    </list>
-  </property>
-</bean>
-
-<bean id="aclContactDeleteVoter"
-    class="org.springframework.security.vote.BasicAclEntryVoter">
-  <property name="processConfigAttribute" value="ACL_CONTACT_DELETE"/>
-  <property name="processDomainObjectClass" value="sample.contact.Contact"/>
-  <property name="aclManager" ref="aclManager"/>
-  <property name="requirePermission">
-    <list>
-      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
-      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.DELETE"/>
-    </list>
-  </property>
-</bean>
-]]></programlisting>
-      In the above example, you'd define
-    <literal>ACL_CONTACT_READ</literal> or
-    <literal>ACL_CONTACT_DELETE</literal> against some methods on a
-    <classname>MethodSecurityInterceptor</classname> or
-    <literal>AspectJSecurityInterceptor</literal>. When those methods are
-    invoked, the above applicable voter defined above would vote to grant
-    or deny access. The voter would look at the method invocation to
-    locate the first argument of type
-    <literal>sample.contact.Contact</literal>, and then pass that
-    <literal>Contact</literal> to the <literal>AclManager</literal>. The
-    <literal>AclManager</literal> will then return an access control list
-    (ACL) that applies to the current <interfacename>Authentication</interfacename>.
-    Assuming that ACL contains one of the listed
-    <literal>requirePermission</literal>s, the voter will vote to grant
-    access. If the ACL does not contain one of the permissions defined
-    against the voter, the voter will vote to deny access.
-    <literal>BasicAclEntryVoter</literal> is an important class as it
-    allows you to build truly complex applications with domain object
-    security entirely defined in the application context. If you're
-    interested in learning more about Spring Security's ACL capabilities
-    and how best to apply them, please see the ACL and "After Invocation"
-    sections of this reference guide, and the Contacts sample
-    application.</para>
--->
-      <!--
-        <para>TODO: Remove references to the old ACL package when it's
-        deprecated, and have all references to the replacement package limited
-        to the chapter describing the new ACL implementation.</para>
-      -->
-
       <section>
         <title>Custom Voters</title>
     <para>It is also possible to implement a custom
@@ -337,19 +272,7 @@ boolean supports(Class clazz);
     <literal>ROLE_AUTHENTICATED</literal> configuration attribute</para>
 
     <section xml:id="after-invocation-acl-aware"><info><title>ACL-Aware AfterInvocationProviders</title></info>
-
-      <para>PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new
-      ACL module. The new ACL module is a significant rewrite of the
-      existing ACL module. The new module can be found under the
-      <literal>org.springframework.security.acls</literal> package, with
-      the old ACL module under
-      <literal>org.springframework.security.acl</literal>. We encourage
-      users to consider testing with the new ACL module and build
-      applications with it. The old ACL module should be considered
-      deprecated and may be removed from a future release. The following
-      information relates to the new ACL package, and is thus
-      recommended.</para>
-
+<!-- TODO: Move to ACL section and add reference here -->
       <para>A common services layer method we've all written at one stage
       or another looks like this:</para>
 
@@ -362,11 +285,11 @@ boolean supports(Class clazz);
       not suffice. This is because the identity of the
       <literal>Contact</literal> is all that is available before the
       secure object is invoked. The
-      <literal>AclAfterInvocationProvider</literal> delivers a solution,
+        <classname>AclEntryAfterInvocationProvider</classname> delivers a solution,
       and is configured as follows:
 <programlisting><![CDATA[
 <bean id="afterAclRead"
-   class="org.springframework.security.afterinvocation.AclEntryAfterInvocationProvider">
+   class="org.springframework.security.acls.afterinvocation.AclEntryAfterInvocationProvider">
   <constructor-arg ref="aclService"/>
   <constructor-arg>
     <list>
@@ -378,25 +301,25 @@ boolean supports(Class clazz);
 ]]></programlisting>
         In the above example, the <literal>Contact</literal> will be
       retrieved and passed to the
-      <literal>AclEntryAfterInvocationProvider</literal>. The provider
-      will thrown an <literal>AccessDeniedException</literal> if one of
+      <classname>AclEntryAfterInvocationProvider</classname>. The provider
+      will thrown an <classname>AccessDeniedException</classname> if one of
       the listed <literal>requirePermission</literal>s is not held by the
       <interfacename>Authentication</interfacename>. The
-      <literal>AclEntryAfterInvocationProvider</literal> queries the
-      <literal>Acl</literal>Service to determine the ACL that applies for
+      <classname>AclEntryAfterInvocationProvider</classname> queries the
+      acl service to determine the ACL that applies for
       this domain object to this <interfacename>Authentication</interfacename>.</para>
 
       <para>Similar to the
-      <literal>AclEntryAfterInvocationProvider</literal> is
-      <literal>AclEntryAfterInvocationCollectionFilteringProvider</literal>.
+      <classname>AclEntryAfterInvocationProvider</classname> is
+      <classname>AclEntryAfterInvocationCollectionFilteringProvider</classname>.
       It is designed to remove <literal>Collection</literal> or array
       elements for which a principal does not have access. It never thrown
-      an <literal>AccessDeniedException</literal> - simply silently
+      an <classname>AccessDeniedException</classname> - simply silently
       removes the offending elements. The provider is configured as
       follows:
 <programlisting><![CDATA[
 <bean id="afterAclCollectionRead"
-    class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider">
+    class="org.springframework.security.acls.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider">
   <constructor-arg ref="aclService"/>
   <constructor-arg>
     <list>
@@ -416,92 +339,10 @@ boolean supports(Class clazz);
       <para>The Contacts sample application demonstrates these two
       <literal>AfterInvocationProvider</literal>s.</para>
     </section>
-
-    <section xml:id="after-invocation-acl-aware-old">
-      <info><title>ACL-Aware AfterInvocationProviders (old ACL module)</title></info>
-
-      <para>PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new
-      ACL module. The new ACL module is a significant rewrite of the
-      existing ACL module. The new module can be found under the
-      <literal>org.springframework.security.acls</literal> package, with
-      the old ACL module under
-      <literal>org.springframework.security.acl</literal>. We encourage
-      users to consider testing with the new ACL module and build
-      applications with it. The old ACL module should be considered
-      deprecated and may be removed from a future release.</para>
-
-      <para>A common services layer method we've all written at one stage
-      or another looks like this:</para>
-
-      <para><programlisting>public Contact getById(Integer id);</programlisting></para>
-
-      <para>Quite often, only principals with permission to read the
-      <literal>Contact</literal> should be allowed to obtain it. In this
-      situation the <interfacename>AccessDecisionManager</interfacename> approach
-      provided by the <classname>AbstractSecurityInterceptor</classname> will
-      not suffice. This is because the identity of the
-      <literal>Contact</literal> is all that is available before the
-      secure object is invoked. The
-      <literal>BasicAclAfterInvocationProvider</literal> delivers a
-      solution, and is configured as follows:</para>
-
-      <para><programlisting><![CDATA[
-<bean id="afterAclRead"
-    class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationProvider">
-  <property name="aclManager" ref="aclManager"/>
-  <property name="requirePermission">
-    <list>
-      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
-      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
-    </list>
-  </property>
-</bean>
-]]>      </programlisting></para>
-
-      <para>In the above example, the <literal>Contact</literal> will be
-      retrieved and passed to the
-      <literal>BasicAclEntryAfterInvocationProvider</literal>. The
-      provider will thrown an <literal>AccessDeniedException</literal> if
-      one of the listed <literal>requirePermission</literal>s is not held
-      by the <interfacename>Authentication</interfacename>. The
-      <literal>BasicAclEntryAfterInvocationProvider</literal> queries the
-      <literal>AclManager</literal> to determine the ACL that applies for
-      this domain object to this <interfacename>Authentication</interfacename>.</para>
-
-      <para>Similar to the
-      <literal>BasicAclEntryAfterInvocationProvider</literal> is
-      <literal>BasicAclEntryAfterInvocationCollectionFilteringProvider</literal>.
-      It is designed to remove <literal>Collection</literal> or array
-      elements for which a principal does not have access. It never thrown
-      an <literal>AccessDeniedException</literal> - simply silently
-      removes the offending elements. The provider is configured as
-      follows:
-<programlisting><![CDATA[
-<bean id="afterAclCollectionRead"
-    class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider">
-  <property name="aclManager" ref="aclManager"/>
-  <property name="requirePermission">
-    <list>
-      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
-      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
-    </list>
-  </property>
-</bean>
-]]></programlisting>
-        As you can imagine, the returned <literal>Object</literal>
-      must be a <literal>Collection</literal> or array for this provider
-      to operate. It will remove any element if the
-      <literal>AclManager</literal> indicates the
-      <interfacename>Authentication</interfacename> does not hold one of the listed
-      <literal>requirePermission</literal>s.</para>
-
-      <para>The Contacts sample application demonstrates these two
-      <literal>AfterInvocationProvider</literal>s.</para>
-    </section>
   </section>
 
-  <section xml:id="authorization-taglibs"><info><title>Authorization Tag Libraries</title></info>
-
+  <section xml:id="authorization-taglibs">
+    <info><title>Authorization Tag Libraries</title></info>
 
     <para><literal>AuthorizeTag</literal> is used to include content if
     the current principal holds certain

src/docbkx/basic-authentication.xml

@@ -28,13 +28,13 @@
         collaborator:</para>
     
     <para><programlisting>
-        &lt;bean id="basicProcessingFilter" class="org.springframework.security.ui.basicauth.BasicProcessingFilter"&gt;
+        &lt;bean id="basicProcessingFilter" class="org.springframework.security.web.authentication.www.BasicProcessingFilter"&gt;
         &lt;property name="authenticationManager"&gt;&lt;ref bean="authenticationManager"/&gt;&lt;/property&gt;
         &lt;property name="authenticationEntryPoint"&gt;&lt;ref bean="authenticationEntryPoint"/&gt;&lt;/property&gt;
         &lt;/bean&gt;
         
         &lt;bean id="authenticationEntryPoint"
-        class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint"&gt;
+        class="org.springframework.security.web.authentication.www.BasicProcessingFilterEntryPoint"&gt;
         &lt;property name="realmName"&gt;&lt;value&gt;Name Of Your Realm&lt;/value&gt;&lt;/property&gt;
         &lt;/bean&gt;
         

src/docbkx/cas-auth-provider.xml

@@ -274,7 +274,7 @@
     to your application context. This represents your service:</para>
 
     <para><programlisting><![CDATA[
-  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
+  <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
     <property name="service" value="https://localhost:8443/cas-sample/j_spring_cas_security_check"/>
     <property name="sendRenew" value="false"/>
   </bean>]]>
@@ -294,7 +294,7 @@
     <para><programlisting><![CDATA[
 <security:authentication-manager alias="authenticationManager"/>      
       
-<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
+<bean id="casProcessingFilter" class="org.springframework.security.cas.web.CasProcessingFilter">
   <security:custom-filter after="CAS_PROCESSING_FILTER"/>
   <property name="authenticationManager" ref="authenticationManager"/>
   <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
@@ -302,7 +302,7 @@
 </bean>
 
 <bean id="casProcessingFilterEntryPoint" 
-    class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
+    class="org.springframework.security.cas.web.CasProcessingFilterEntryPoint">
   <property name="loginUrl" value="https://localhost:9443/cas/login"/>
   <property name="serviceProperties" ref="serviceProperties"/>
 </bean>
@@ -335,7 +335,7 @@
     <para>Next you need to add a <literal>CasAuthenticationProvider</literal> and its
     collaborators:
       <programlisting><![CDATA[
-  <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
+  <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
     <security:custom-authentication-provider />
     <property name="userDetailsService" ref="userService"/>
     <property name="serviceProperties" ref="serviceProperties" />

src/docbkx/channel-security.xml

@@ -42,7 +42,7 @@
     <para>To confiure channel security explicitly, you would define the following the filter in your application
         context:
 <programlisting><![CDATA[
-<bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter">
+<bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
   <property name="channelDecisionManager" ref="channelDecisionManager"/>
   <property name="filterInvocationDefinitionSource">
     <security:filter-invocation-definition-source path-type="regex">
@@ -54,7 +54,7 @@
   </property>
 </bean>
     
-<bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl">
+<bean id="channelDecisionManager" class="org.springframework.security.access.channel.ChannelDecisionManagerImpl">
   <property name="channelProcessors">
     <list>
     <ref bean="secureChannelProcessor"/>
@@ -63,8 +63,8 @@
   </property>
 </bean>
     
-<bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/>
-<bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/>]]>      
+<bean id="secureChannelProcessor" class="org.springframework.security.access.channel.SecureChannelProcessor"/>
+<bean id="insecureChannelProcessor" class="org.springframework.security.access.channel.InsecureChannelProcessor"/>]]>      
 </programlisting>
         Like <classname>FilterSecurityInterceptor</classname>, Apache Ant
         style paths are also supported by the

src/docbkx/common-auth-services.xml

@@ -46,7 +46,7 @@
 
     <para><programlisting><![CDATA[
 <bean id="filterChainProxy"
-        class="org.springframework.security.util.FilterChainProxy">
+        class="org.springframework.security.web.FilterChainProxy">
   <security:filter-chain-map path-type="ant">
     <security:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,switchUserProcessingFilter"/>
   </security:filter-chain-map>
@@ -124,7 +124,7 @@
     the example we're using in this chapter:</para>
 
     <para><programlisting>&lt;bean id="authenticationManager"
-        class="org.springframework.security.providers.ProviderManager"&gt;
+        class="org.springframework.security.authentication.ProviderManager"&gt;
 &lt;property name="providers"&gt;
 &lt;list&gt;
   &lt;ref local="daoAuthenticationProvider"/&gt;
@@ -187,17 +187,17 @@
 
     <para><programlisting><![CDATA[
 <bean id="exceptionTranslationFilter"
-        class="org.springframework.security.ui.ExceptionTranslationFilter">
+        class="org.springframework.security.web.access.ExceptionTranslationFilter">
   <property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint"/>
   <property name="accessDeniedHandler">
-    <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
+    <bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
       <property name="errorPage" value="/accessDenied.jsp"/>
     </bean>
   </property>
 </bean>
 
 <bean id="authenticationProcessingFilterEntryPoint"
-        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
+        class="org.springframework.security.web.authentication.AuthenticationProcessingFilterEntryPoint">
   <property name="loginFormUrl" value="/login.jsp"/>
   <property name="forceHttps">< value="false"/>
 </bean>]]></programlisting></para>
@@ -335,7 +335,7 @@
   <property name="password" value=""/>
 </bean>
 
-<bean id="userDetailsService" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
+<bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
   <property name="dataSource" ref="dataSource"/>
 </bean> ]]>       </programlisting></para>
 
@@ -396,13 +396,13 @@
     following to <literal>web.xml</literal>:
       <programlisting>
 &lt;listener&gt;
-    &lt;listener-class&gt;org.springframework.security.ui.session.HttpSessionEventPublisher&lt;/listener-class&gt;
+    &lt;listener-class&gt;org.springframework.security.web.session.HttpSessionEventPublisher&lt;/listener-class&gt;
 &lt;/listener&gt;        
       </programlisting>
     </para>
 
     <para>In addition, you will need to add the
-    <literal>org.springframework.security.concurrent.ConcurrentSessionFilter</literal>
+    <literal>org.springframework.security.web.authentication.concurrent.ConcurrentSessionFilter</literal>
     to your <classname>FilterChainProxy</classname>. The
     <classname>ConcurrentSessionFilter</classname> requires two
     properties, <literal>sessionRegistry</literal>, which generally points
@@ -425,7 +425,7 @@
     <para>
       <programlisting><![CDATA[
 <bean id="authenticationManager"
-    class="org.springframework.security.providers.ProviderManager">
+    class="org.springframework.security.authentication.ProviderManager">
   <property name="providers">
     <!-- your providers go here -->
   </property>
@@ -433,10 +433,10 @@
 </bean>
 
 <bean id="concurrentSessionController"
-    class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
+    class="org.springframework.security.authentication.concurrent.ConcurrentSessionControllerImpl">
   <property name="maximumSessions" value="1"/>
   <property name="sessionRegistry">
-    <bean class="org.springframework.security.concurrent.SessionRegistryImpl"/>
+    <bean class="org.springframework.security.authentication.concurrent.SessionRegistryImpl"/>
   <property>
 </bean>
 ]]></programlisting></para>

src/docbkx/dao-auth-provider.xml

@@ -33,7 +33,7 @@
     <para><programlisting>
         <![CDATA[
 <bean id="daoAuthenticationProvider"
-    class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
+    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
   <property name="userDetailsService" ref="inMemoryDaoImpl"/>
   <property name="saltSource" ref bean="saltSource"/>
   <property name="passwordEncoder" ref="passwordEncoder"/>
@@ -71,7 +71,7 @@
         follows:</para>
     <para><programlisting><![CDATA[
 <bean id="daoAuthenticationProvider"
-    class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
+    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
   <property name="userDetailsService" ref="userDetailsService"/>
   <property name="userCache" ref="userCache"/>
 </bean>
@@ -85,7 +85,7 @@
   <property name="cacheName" value="userCache"/>
 </bean>
 
-<bean id="userCache" class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache">
+<bean id="userCache" class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
   <property name="cache" ref="userCacheBackend"/>
 </bean>]]>        
     </programlisting></para>

src/docbkx/digest-authentication.xml

@@ -92,14 +92,14 @@
         <para><programlisting>
 <![CDATA[
 <bean id="digestProcessingFilter" 
-    class="org.springframework.security.ui.digestauth.DigestProcessingFilter">
+    class="org.springframework.security.web.authentication.www.DigestProcessingFilter">
   <property name="userDetailsService" ref="jdbcDaoImpl"/>
   <property name="authenticationEntryPoint" ref="digestProcessingFilterEntryPoint"/>
   <property name="userCache" ref="userCache"/>
 </bean>
 
 <bean id="digestProcessingFilterEntryPoint"
-    class="org.springframework.security.ui.digestauth.DigestProcessingFilterEntryPoint">
+    class="org.springframework.security.web.authentication.www.DigestProcessingFilterEntryPoint">
   <property name="realmName" value="Contacts Realm via Digest Authentication"/>
   <property name="key" value="acegi"/>
   <property name="nonceValiditySeconds" value="10"/>

src/docbkx/domain-acls.xml

@@ -6,13 +6,6 @@
         <info>
             <title>Overview</title>
         </info>
-        <para>PLEASE NOTE: Before release 2.0.0, Spring Security was known as Acegi Security. An ACL
-            module was provided with the old Acegi Security releases under the
-                <literal>org.[acegisecurity/springsecurity].acl</literal> package. This old package
-            is now deprecated and will be removed in a future release of Spring Security. This
-            chapter covers the new ACL module, which is officially recommended from Spring Security
-            2.0.0 and above, and can be found under the
-            <literal>org.springframework.security.acls</literal> package.</para>
         <para>Complex applications often will find the need to define access permissions not simply
             at a web request or method invocation level. Instead, security decisions need to
             comprise both who (<interfacename>Authentication</interfacename>), where

src/docbkx/form-authentication.xml

@@ -22,7 +22,7 @@
             <literal>AuthenticationProcessingFilter</literal> to your application context:
             <programlisting><![CDATA[    
 <bean id="authenticationProcessingFilter"
-    class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
+    class="org.springframework.security.web.authentication.AuthenticationProcessingFilter">
   <property name="authenticationManager" ref="authenticationManager"/>
   <property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
   <property name="defaultTargetUrl" value="/"/>

src/docbkx/jaas-auth-provider.xml

@@ -32,18 +32,18 @@ JAASTest {
             above JAAS login configuration file:
 <programlisting><![CDATA[
 <bean id="jaasAuthenticationProvider"
-            class="org.springframework.security.providers.jaas.JaasAuthenticationProvider">
+            class="org.springframework.security.authentication.jaas.JaasAuthenticationProvider">
   <property name="loginConfig" value="/WEB-INF/login.conf"/>
   <property name="loginContextName" value="JAASTest"/>
   <property name="callbackHandlers">
     <list>
-      <bean class="org.springframework.security.providers.jaas.JaasNameCallbackHandler"/>
-      <bean class="org.springframework.security.providers.jaas.JaasPasswordCallbackHandler"/>
+      <bean class="org.springframework.security.authentication.jaas.JaasNameCallbackHandler"/>
+      <bean class="org.springframework.security.authentication.jaas.JaasPasswordCallbackHandler"/>
     </list>
   </property>
   <property name="authorityGranters">
     <list>
-      <bean class="org.springframework.security.providers.jaas.TestAuthorityGranter"/>
+      <bean class="org.springframework.security.authentication.jaas.TestAuthorityGranter"/>
     </list>
   </property>
 </bean> 

src/docbkx/ldap-auth-provider.xml

@@ -196,7 +196,7 @@
         </para>
         <para>
             The main LDAP provider class is
-            <classname>org.springframework.security.providers.ldap.LdapAuthenticationProvider</classname>.
+            <classname>org.springframework.security.ldap.authentication.LdapAuthenticationProvider</classname>.
             This bean doesn't actually do much itself but delegates the work to two other beans, an
             <interfacename>LdapAuthenticator</interfacename>
             and an
@@ -261,7 +261,7 @@
                     <title>BindAuthenticator</title>
                 </info>
                 <para>The class
-                    <classname>org.springframework.security.providers.ldap.authenticator.BindAuthenticator</classname>
+                    <classname>org.springframework.security.ldap.authentication.BindAuthenticator</classname>
                     implements the bind authentication strategy. It simply attempts to bind as the
                     user.</para>
             </section>
@@ -270,7 +270,7 @@
                     <title>PasswordComparisonAuthenticator</title>
                 </info>
                 <para>The class
-                    <classname>org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticator</classname>
+                    <classname>org.springframework.security.ldap.authentication.PasswordComparisonAuthenticator</classname>
                     implements the password comparison authentication strategy.</para>
             </section>
             <section xml:id="ldap-ldap-authenticators-active-directory">
@@ -350,9 +350,9 @@
 </bean>
 
 <bean id="ldapAuthProvider"
-        class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
+        class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
   <constructor-arg>
-    <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
+    <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
       <constructor-arg ref="contextSource"/>
       <property name="userDnPatterns">
         <list><value>uid={0},ou=people</value></list>
@@ -360,7 +360,7 @@
     </bean>
   </constructor-arg>
   <constructor-arg>
-    <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
+    <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
       <constructor-arg ref="contextSource"/>
       <constructor-arg value="ou=groups"/>
       <property name="groupRoleAttribute" value="ou"/>

web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java

@@ -13,7 +13,6 @@ import org.springframework.security.web.authentication.WebAuthenticationDetailsS
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;

core/src/main/java/org/springframework/security/authentication/preauth/PreAuthenticatedAuthenticationProvider.java → web/src/main/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationProvider.java

@@ -1,4 +1,4 @@
-package org.springframework.security.authentication.preauth;
+package org.springframework.security.web.authentication.preauth;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -17,7 +17,7 @@ import org.springframework.util.Assert;
 /**
  * <p>
  * Processes a pre-authenticated authentication request. The request will
- * typically originate from a {@link org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter}
+ * typically originate from a {@link org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter}
  * subclass.
  *
  * <p>

core/src/main/java/org/springframework/security/authentication/preauth/PreAuthenticatedAuthenticationToken.java → web/src/main/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationToken.java

@@ -1,4 +1,4 @@
-package org.springframework.security.authentication.preauth;
+package org.springframework.security.web.authentication.preauth;
 
 import java.util.Arrays;
 import java.util.List;

core/src/main/java/org/springframework/security/authentication/preauth/PreAuthenticatedGrantedAuthoritiesUserDetailsService.java → web/src/main/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedGrantedAuthoritiesUserDetailsService.java

@@ -1,4 +1,4 @@
-package org.springframework.security.authentication.preauth;
+package org.springframework.security.web.authentication.preauth;
 
 import java.util.List;
 

web/src/main/java/org/springframework/security/web/authentication/preauth/websphere/WebSphere2SpringSecurityPropagationInterceptor.java

@@ -6,9 +6,9 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.util.Assert;
 
 /**

core/src/test/java/org/springframework/security/authentication/preauth/PreAuthenticatedAuthenticationProviderTests.java → web/src/test/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationProviderTests.java

@@ -1,4 +1,4 @@
-package org.springframework.security.authentication.preauth;
+package org.springframework.security.web.authentication.preauth;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -8,14 +8,14 @@ import static org.junit.Assert.assertTrue;
 
 import org.junit.Test;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationProvider;
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 
 /**
  *

core/src/test/java/org/springframework/security/authentication/preauth/PreAuthenticatedAuthenticationTokenTests.java → web/src/test/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationTokenTests.java

@@ -1,12 +1,12 @@
-package org.springframework.security.authentication.preauth;
+package org.springframework.security.web.authentication.preauth;
 
 import java.util.List;
 
 import junit.framework.TestCase;
 
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 
 /**
  *

core/src/test/java/org/springframework/security/authentication/preauth/PreAuthenticatedGrantedAuthoritiesUserDetailsServiceTests.java → web/src/test/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedGrantedAuthoritiesUserDetailsServiceTests.java

@@ -1,16 +1,16 @@
-package org.springframework.security.authentication.preauth;
+package org.springframework.security.web.authentication.preauth;
 
 import static org.junit.Assert.*;
 
 import java.util.List;
 
 import org.junit.Test;
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationToken;
-import org.springframework.security.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.authority.GrantedAuthoritiesContainer;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService;
 
 /**
  *

web/src/test/java/org/springframework/security/web/authentication/preauth/websphere/WebSphere2SpringSecurityPropagationInterceptorTests.java

@@ -8,7 +8,6 @@ import org.junit.After;
 import org.junit.Test;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContext;
@@ -17,6 +16,7 @@ import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsChecker;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
 
 /**
  *