SEC-625: Remove references to FilterToBeanProxy

core/src/main/java/org/springframework/security/providers/anonymous/AnonymousProcessingFilter.java

@@ -43,8 +43,7 @@ import javax.servlet.http.HttpServletResponse;
 
 /**
  * Detects if there is no <code>Authentication</code> object in the <code>SecurityContextHolder</code>,  and
- * populates it with one if needed.<p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code>
- * to use the {@link org.springframework.security.util.FilterToBeanProxy}.</p>
+ * populates it with one if needed.
  *
  * @author Ben Alex
  * @version $Id$

core/src/main/java/org/springframework/security/securechannel/ChannelProcessingFilter.java

@@ -45,8 +45,6 @@ import java.util.Collection;
  * <p>Delegates the actual channel security decisions and necessary actions to the configured
  * {@link ChannelDecisionManager}. If a response is committed by the <code>ChannelDecisionManager</code>,
  * the filter chain will not proceed.</p>
- *  <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
- * org.springframework.security.util.FilterToBeanProxy}.</p>
  *
  * @author Ben Alex
  * @version $Id$

core/src/main/java/org/springframework/security/ui/ExceptionTranslationFilter.java

@@ -73,10 +73,6 @@ import javax.servlet.http.HttpServletResponse;
  * <li><code>portResolver</code> is used to determine the "real" port that a
  * request was received on.</li>
  * </ul>
- * <p>
- * <b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the
- * {@link org.springframework.security.util.FilterToBeanProxy}.
- * </p>
  *
  * @author Ben Alex
  * @author colin sampaleanu

core/src/main/java/org/springframework/security/ui/digestauth/DigestProcessingFilter.java

@@ -81,8 +81,6 @@ import javax.servlet.http.HttpServletResponse;
  * <p>Note there are limitations to Digest authentication, although it is a more comprehensive and secure solution
  * than Basic authentication. Please see RFC 2617 section 4 for a full discussion on the advantages of Digest
  * authentication over Basic authentication, including commentary on the limitations that it still imposes.</p>
- * <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
- * org.springframework.security.util.FilterToBeanProxy}.</p>
  */
 public class DigestProcessingFilter implements Filter, InitializingBean, MessageSourceAware {
     //~ Static fields/initializers =====================================================================================

core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java

@@ -42,11 +42,7 @@ import org.springframework.util.StringUtils;
  * <p>
  * After logout, the URL specified by {@link #logoutSuccessUrl} will be shown.
  * </p>
- * <p>
- * <b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the
- * {@link org.springframework.security.util.FilterToBeanProxy}.
- * </p>
- *
+ * 
  * @author Ben Alex
  * @version $Id$
  */

core/src/main/java/org/springframework/security/ui/rememberme/RememberMeProcessingFilter.java

@@ -50,8 +50,6 @@ import java.io.IOException;
  * org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent} will be published to the application
  * context. No events will be published if authentication was unsuccessful, because this would generally be recorded
  * via an <code>AuthenticationManager</code>-specific application event.</p>
- *  <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
- * org.springframework.security.util.FilterToBeanProxy}.</p>
  *
  * @author Ben Alex
  * @version $Id$

core/src/main/java/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.java

@@ -35,10 +35,6 @@ import javax.servlet.http.HttpSession;
  * static fields {@link #SPRING_SECURITY_FORM_USERNAME_KEY} and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}.
  * The parameter names can also be changed by setting the <tt>usernameParameter</tt> and <tt>passwordParameter</tt>
  * properties.
- * </p>
- *
- * <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
- * org.springframework.security.util.FilterToBeanProxy}.</p>
  *
  * @author Ben Alex
  * @author Colin Sampaleanu

core/src/main/java/org/springframework/security/ui/webapp/SiteminderAuthenticationProcessingFilter.java

@@ -32,17 +32,18 @@ import javax.servlet.http.HttpServletResponse;
 
 /**
  * Extends Spring Security's AuthenticationProcessingFilter to pick up CA/Netegrity Siteminder headers.
- * <p>Also provides a backup form-based authentication and the ability set source key names.</p>
- * <p><b>Siteminder</b> must present two <b>headers</b> to this filter, a username and password. You must set the
+ * <p>
+ * Also provides a backup form-based authentication and the ability set source key names.
+ * <p>
+ * <b>Siteminder</b> must present two <b>headers</b> to this filter, a username and password. You must set the
  * header keys before this filter is used for authentication, otherwise Siteminder checks will be skipped. If the
  * Siteminder check is unsuccessful (i.e. if the headers are not found), then the form parameters will be checked (see
  * next paragraph). This allows applications to optionally function even when their Siteminder infrastructure is
- * unavailable, as is often the case during development.</p>
- *  <p><b>Login forms</b> must present two <b>parameters</b> to this filter: a username and password. If not
+ * unavailable, as is often the case during development.
+ * <p>
+ * <b>Login forms</b> must present two <b>parameters</b> to this filter: a username and password. If not
  * specified, the parameter names to use are contained in the static fields {@link #SPRING_SECURITY_FORM_USERNAME_KEY}
- * and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}.</p>
- *  <p><b>Do not use this class directly.</b> Instead, configure <code>web.xml</code> to use the {@link
- * org.springframework.security.util.FilterToBeanProxy}.</p>
+ * and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}.
  */
 public class SiteminderAuthenticationProcessingFilter extends AuthenticationProcessingFilter {
     //~ Static fields/initializers =====================================================================================

core/src/main/java/org/springframework/security/ui/x509/X509ProcessingFilter.java

@@ -62,8 +62,6 @@ import javax.servlet.FilterConfig;
  * org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent} will be published to the application
  * context. No events will be published if authentication was unsuccessful, because this would generally be recorded
  * via an <code>AuthenticationManager</code>-specific application event.</p>
- *  <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
- * org.springframework.security.util.FilterToBeanProxy}.</p>
  *
  * @author Luke Taylor
  * @deprecated Use <tt>X509PreAuthenticatedProcessingFilter</tt> from the preauth.x509 package instead 

core/src/test/resources/webxml/NoRoles.web.xml

@@ -11,19 +11,16 @@
 		<param-value>/WEB-INF/classes/log4j.properties</param-value>
 	</context-param>
 
-	<filter>
-		<filter-name>Acegi Filter Chain Proxy</filter-name>
-		<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
-		<init-param>
-			<param-name>targetClass</param-name>
-			<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
-		</init-param>
-	</filter>
-	<filter-mapping>
-		<filter-name>Acegi Filter Chain Proxy</filter-name>
-		<url-pattern>/*</url-pattern>
-	</filter-mapping>
-
+    <filter>
+        <filter-name>springSecurityFilterChain</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+    </filter>
+    
+    <filter-mapping>
+        <filter-name>springSecurityFilterChain</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+    
 	<listener>
 		<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
 	</listener>

core/src/test/resources/webxml/Role1-4.web.xml

@@ -11,19 +11,16 @@
 		<param-value>/WEB-INF/classes/log4j.properties</param-value>
 	</context-param>
 
-	<filter>
-		<filter-name>Acegi Filter Chain Proxy</filter-name>
-		<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
-		<init-param>
-			<param-name>targetClass</param-name>
-			<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
-		</init-param>
-	</filter>
-	<filter-mapping>
-		<filter-name>Acegi Filter Chain Proxy</filter-name>
-		<url-pattern>/*</url-pattern>
-	</filter-mapping>
-
+    <filter>
+        <filter-name>springSecurityFilterChain</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+    </filter>
+    
+    <filter-mapping>
+        <filter-name>springSecurityFilterChain</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+    
 	<listener>
 		<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
 	</listener>

ntlm/web.xml

@@ -16,20 +16,16 @@
 	</context-param>
 
 <!-- 2. Setup the Spring Security Filter Chain Proxy -->
-	<filter>
-		<filter-name>Spring Security Filter Chain Proxy</filter-name>
-		<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
-		<init-param>
-			<param-name>targetClass</param-name>
-			<param-value>org.springframework.security.util.FilterChainProxy</param-value>
-		</init-param>
-	</filter>
-
-	<filter-mapping>
-		<filter-name>Spring Security Filter Chain Proxy</filter-name>
-		<url-pattern>/**</url-pattern>
-	</filter-mapping>
-
+    <filter>
+        <filter-name>filterChainProxy</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+    </filter>
+    
+    <filter-mapping>
+        <filter-name>filterChainProxy</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+    
 <!-- 3. Setup three listeners -->
 <!--    a) Setup a listener to connect spring with the web context -->
 	<listener>

src/docbkx/channel-security.xml

@@ -41,57 +41,35 @@
 
 <sect1 id="channel-security-config">
     <title>Configuration</title>
-    
-    <para>To utilise Spring Security's channel security services, add the
-        following lines to <literal>web.xml</literal>:</para>
-    
-    <para><programlisting>
-        &lt;filter&gt;
-        &lt;filter-name&gt;Spring Security Channel Processing Filter&lt;/filter-name&gt;
-        &lt;filter-class&gt;org.springframework.security.util.FilterToBeanProxy&lt;/filter-class&gt;
-        &lt;init-param&gt;
-        &lt;param-name&gt;targetClass&lt;/param-name&gt;
-        &lt;param-value&gt;org.springframework.security.securechannel.ChannelProcessingFilter&lt;/param-value&gt;
-        &lt;/init-param&gt;
-        &lt;/filter&gt;
-        
-        &lt;filter-mapping&gt;
-        &lt;filter-name&gt;Spring Security Channel Processing Filter&lt;/filter-name&gt;
-        &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
-        &lt;/filter-mapping&gt;
         
-    </programlisting></para>
-    
-    <para>As usual when running <literal>FilterToBeanProxy</literal>, you
-        will also need to configure the filter in your application
+    <para>To use chanel security, you should define the following the filter in your application
         context:</para>
     
-    <para><programlisting>
-        &lt;bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter"&gt;
-        &lt;property name="channelDecisionManager"&gt;&lt;ref bean="channelDecisionManager"/&gt;&lt;/property&gt;
-        &lt;property name="filterInvocationDefinitionSource"&gt;
-        &lt;value&gt;
-        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
-        \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
-        \A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL
-        \A/j_spring_security_check.*\Z=REQUIRES_SECURE_CHANNEL
-        \A.*\Z=REQUIRES_INSECURE_CHANNEL
-        &lt;/value&gt;
-        &lt;/property&gt;
-        &lt;/bean&gt;
-        
-        &lt;bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl"&gt;
-        &lt;property name="channelProcessors"&gt;
-        &lt;list&gt;
-        &lt;ref bean="secureChannelProcessor"/&gt;
-        &lt;ref bean="insecureChannelProcessor"/&gt;
-        &lt;/list&gt;
-        &lt;/property&gt;
-        &lt;/bean&gt;
+    <para><programlisting><![CDATA[ 
+    <bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter">
+        <property name="channelDecisionManager" ref="channelDecisionManager"/>
+        <property name="filterInvocationDefinitionSource">
+            <security:filter-invocation-definition-source path-type="regex">
+                <security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
+                <security:intercept-url pattern="\A/acegilogin.jsp.*\" access="REQUIRES_SECURE_CHANNEL"/>
+                <security:intercept-url pattern="\A/j_spring_security_check.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
+                <security:intercept-url pattern="\A/.*\Z" access="REQUIRES_INSECURE_CHANNEL"/>
+            </security:filter-invocation-definition-source>                
+        </property>
+    </bean>
         
-        &lt;bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/&gt;
-        &lt;bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/&gt;
+    <bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl">
+        <property name="channelProcessors">
+            <list>
+            <ref bean="secureChannelProcessor"/>
+            <ref bean="insecureChannelProcessor"/>
+            </list>
+        </property>
+    </bean>
         
+    <bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/>
+    <bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/>
+     ]]>    
     </programlisting></para>
     
     <para>Like <literal>FilterSecurityInterceptor</literal>, Apache Ant

src/docbkx/common-auth-services.xml

@@ -17,28 +17,29 @@
     user for them to login) plus BASIC authentication (ie so a web service
     or similar can access protected resources).</para>
 
-    <para>In the web.xml, this application will need a single Acegi
+    <para>In the web.xml, this application will need a single Spring
     Security filter in order to use the FilterChainProxy. Nearly every
     Spring Security application will have such an entry, and it looks like
     this:</para>
 
-    <para><programlisting>&lt;filter&gt;
-&lt;filter-name&gt;Spring Security Filter Chain Proxy&lt;/filter-name&gt;
-&lt;filter-class&gt;org.springframework.security.util.FilterToBeanProxy&lt;/filter-class&gt;
-&lt;init-param&gt;
-&lt;param-name&gt;targetClass&lt;/param-name&gt;
-&lt;param-value&gt;org.springframework.security.util.FilterChainProxy&lt;/param-value&gt;
-&lt;/init-param&gt;
-&lt;/filter&gt;
+    <para><programlisting>
+<![CDATA[ 
+    <filter>
+        <filter-name>filterChainProxy</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+    </filter>
 
-&lt;filter-mapping&gt;
-&lt;filter-name&gt;Spring Security Filter Chain Proxy&lt;/filter-name&gt;
-&lt;url-pattern&gt;/*&lt;/url-pattern&gt;
-&lt;/filter-mapping&gt;</programlisting></para>
+    <filter-mapping>
+      <filter-name>filterChainProxy</filter-name>
+      <url-pattern>/*</url-pattern>
+    </filter-mapping>
+]]></programlisting></para>
 
     <para>The above declarations will cause every web request to be passed
-    through to Spring Security's FilterChainProxy. As explained in the
-    filters section of this reference guide, the
+        through to the bean called <literal>filterChainProxy</literal>
+        which will usually be an instance of Spring Security's 
+        <classname>FilterChainProxy</classname>. 
+     As explained in the filters section of this reference guide, the
     <classname>FilterChainProxy</classname> is a generally-useful class
     that enables web requests to be passed to different filters based on
     the URL patterns. Those delegated filters are managed inside the

src/docbkx/form-authentication.xml

@@ -21,35 +21,17 @@
         <para>The login form simply contains <literal>j_username</literal> and
             <literal>j_password</literal> input fields, and posts to a URL that is
             monitored by the filter (by default
-            <literal>j_spring_security_check</literal>). The filter is defined in
-            <literal>web.xml</literal> behind a
-            <literal>FilterToBeanProxy</literal> as follows:</para>
-        
-        <para><programlisting>&lt;filter&gt;
-            &lt;filter-name&gt;Acegi Authentication Processing Filter&lt;/filter-name&gt;
-            &lt;filter-class&gt;org.springframework.security.util.FilterToBeanProxy&lt;/filter-class&gt;
-            &lt;init-param&gt;
-            &lt;param-name&gt;targetClass&lt;/param-name&gt;
-            &lt;param-value&gt;org.springframework.security.ui.webapp.AuthenticationProcessingFilter&lt;/param-value&gt;
-            &lt;/init-param&gt;
-            &lt;/filter&gt;
-            
-            &lt;filter-mapping&gt;
-            &lt;filter-name&gt;Acegi Authentication Processing Filter&lt;/filter-name&gt;
-            &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
-            &lt;/filter-mapping&gt;</programlisting></para>
-        
-        <para>For a discussion of <literal>FilterToBeanProxy</literal>, please
-            refer to the Filters section. The application context will need to
-            define the <literal>AuthenticationProcessingFilter</literal>:</para>
-        
-        <para><programlisting>&lt;bean id="authenticationProcessingFilter"
-            class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter"&gt;
-            &lt;property name="authenticationManager"&gt;&lt;ref bean="authenticationManager"/&gt;&lt;/property&gt;
-            &lt;property name="authenticationFailureUrl"&gt;&lt;value&gt;/acegilogin.jsp?login_error=1&lt;/value&gt;&lt;/property&gt;
-            &lt;property name="defaultTargetUrl"&gt;&lt;value&gt;/&lt;/value&gt;&lt;/property&gt;
-            &lt;property name="filterProcessesUrl"&gt;&lt;value&gt;/j_spring_security_check&lt;/value&gt;&lt;/property&gt;
-            &lt;/bean&gt;        </programlisting></para>
+            <literal>j_spring_security_check</literal>). You should add an 
+            <literal>AuthenticationProcessingFilter</literal> to you application context:
+            <programlisting><![CDATA[             
+    <bean id="authenticationProcessingFilter"
+            class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
+        <property name="authenticationManager" ref="authenticationManager"/>
+        <property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/>
+        <property name="defaultTargetUrl" value="/"/>
+        <property name="filterProcessesUrl" value="/j_spring_security_check"/>
+    </bean> ]]>        
+            </programlisting></para>
         
         <para>The configured <literal>AuthenticationManager</literal>
             processes each authentication request. If authentication fails, the
@@ -57,7 +39,7 @@
             <literal>authenticationFailureUrl</literal>. The
             <literal>AuthenticationException</literal> will be placed into the
             <literal>HttpSession</literal> attribute indicated by
-            <literal>AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY</literal>,
+            <literal>AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY</literal>,
             enabling a reason to be provided to the user on the error page.</para>
         
         <para>If authentication is successful, the resulting
@@ -68,7 +50,7 @@
             updated, the browser will need to be redirected to the target URL. The
             target URL is usually indicated by the <literal>HttpSession</literal>
             attribute specified by
-            <literal>AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY</literal>.
+            <literal>AbstractProcessingFilter.SPRING_SECURITY_TARGET_URL_KEY</literal>.
             This attribute is automatically set by the
             <literal>ExceptionTranslationFilter</literal> when an
             <literal>AuthenticationException</literal> occurs, so that after login

src/docbkx/secured-objects.xml

@@ -343,56 +343,37 @@ if (this.securityInterceptor == null)
   <sect1 id="filter-invocation-authorization">
     <title>FilterInvocation Security Interceptor</title>
 
-    <para>To secure <literal>FilterInvocation</literal>s, developers need
-    to add a filter to their <literal>web.xml</literal> that delegates to
-    the <literal>FilterSecurityInterceptor</literal>. A typical
-    configuration example is provided below:</para>
-
-    <programlisting>&lt;filter&gt;
-&lt;filter-name&gt;Spring Security HTTP Request Security Filter&lt;/filter-name&gt;
-&lt;filter-class&gt;org.springframework.security.util.FilterToBeanProxy&lt;/filter-class&gt;
-&lt;init-param&gt;
-&lt;param-name&gt;targetClass&lt;/param-name&gt;
-&lt;param-value&gt;org.springframework.security.intercept.web.FilterSecurityInterceptor&lt;/param-value&gt;
-&lt;/init-param&gt;
-&lt;/filter&gt;
-
-&lt;filter-mapping&gt;
-&lt;filter-name&gt;Spring Security HTTP Request Security Filter&lt;/filter-name&gt;
-&lt;url-pattern&gt;/*&lt;/url-pattern&gt;
-&lt;/filter-mapping&gt;</programlisting>
-
-    <para>Notice that the filter is actually a
-    <literal>FilterToBeanProxy</literal>. Most of the filters used by
-    Spring Security use this class. Refer to the Filters section to learn
-    more about this bean.</para>
+      <para>To secure <classname>FilterInvocation</classname>s, developers need
+    to add a <literal>FilterSecurityInterceptor</literal> to their filter chain. 
+    A typical configuration example is provided below:</para>
 
     <para>In the application context you will need to configure three
     beans:</para>
 
-    <programlisting>&lt;bean id="exceptionTranslationFilter"
-        class="org.springframework.security.ui.ExceptionTranslationFilter"&gt;
-&lt;property name="authenticationEntryPoint"&gt;&lt;ref local="authenticationEntryPoint"/&gt;&lt;/property&gt;
-&lt;/bean&gt;
-
-&lt;bean id="authenticationEntryPoint"
-        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint"&gt;
-&lt;property name="loginFormUrl"&gt;&lt;value&gt;/acegilogin.jsp&lt;/value&gt;&lt;/property&gt;
-&lt;property name="forceHttps"&gt;&lt;value&gt;false&lt;/value&gt;&lt;/property&gt;
-&lt;/bean&gt;
-
-&lt;bean id="filterSecurityInterceptor"
-        class="org.springframework.security.intercept.web.FilterSecurityInterceptor"&gt;
-&lt;property name="authenticationManager"&gt;&lt;ref bean="authenticationManager"/&gt;&lt;/property&gt;
-&lt;property name="accessDecisionManager"&gt;&lt;ref bean="accessDecisionManager"/&gt;&lt;/property&gt;
-&lt;property name="objectDefinitionSource"&gt;
-&lt;value&gt;
-  CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
-  \A/secure/super/.*\Z=ROLE_WE_DONT_HAVE
-  \A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
-&lt;/value&gt;
-&lt;/property&gt;
-&lt;/bean&gt;        </programlisting>
+    <programlisting><![CDATA[ 
+<bean id="exceptionTranslationFilter"
+        class="org.springframework.security.ui.ExceptionTranslationFilter">
+    <property name="authenticationEntryPoint"><ref local="authenticationEntryPoint"/></property>
+</bean>
+
+<bean id="authenticationEntryPoint"
+        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
+    <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
+    <property name="forceHttps"><value>false</value></property>
+</bean>
+
+<bean id="filterSecurityInterceptor"
+        class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
+    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
+    <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
+    <property name="objectDefinitionSource">
+    <property name="filterInvocationDefinitionSource">
+        <security:filter-invocation-definition-source path-type="regex">
+            <security:intercept-url pattern="\A/secure/super/.*\Z" access="ROLE_WE_DONT_HAVE"/>
+            <security:intercept-url pattern="\A/secure/.*\" access="ROLE_SUPERVISOR,ROLE_TELLER"/>
+        </security:filter-invocation-definition-source>                
+    </property>
+</bean> ]]>        </programlisting>
 
     <para>The <classname>ExceptionTranslationFilter</classname> provides
     the bridge between Java exceptions and HTTP responses. It is solely

src/docbkx/supporting-infrastructure.xml

@@ -83,43 +83,35 @@
     <para>Spring Security uses many filters, as referred to throughout the
     remainder of this reference guide. You have a choice in how these
     filters are added to your web application, in that you can use either
-    <literal>FilterToBeanProxy</literal> or
+        Spring's <literal>DelegatingFilterProxy</literal> or
     <literal>FilterChainProxy</literal>. We'll look at both below.</para>
-
-    <para>Most filters are configured using the
-    <literal>FilterToBeanProxy</literal>. An example configuration from
-    <literal>web.xml</literal> follows:</para>
-
-    <para><programlisting>&lt;filter&gt;
-&lt;filter-name&gt;Spring Security HTTP Request Security Filter&lt;/filter-name&gt;
-&lt;filter-class&gt;org.springframework.security.util.FilterToBeanProxy&lt;/filter-class&gt;
-&lt;init-param&gt;
-&lt;param-name&gt;targetClass&lt;/param-name&gt;
-&lt;param-value&gt;org.springframework.security.ClassThatImplementsFilter&lt;/param-value&gt;
-&lt;/init-param&gt;
-&lt;/filter&gt;</programlisting></para>
-
-    <para>Notice that the filter in <literal>web.xml</literal> is actually
-    a <literal>FilterToBeanProxy</literal>, and not the filter that will
-    actually implement the logic of the filter. What
-    <literal>FilterToBeanProxy</literal> does is delegate the
+      
+    <para>When using <literal>DelegatingFilterProxy</literal>, you will see
+      something like this in the web.xml file:
+      
+        <programlisting>
+            <![CDATA[
+    <filter>
+        <filter-name>myFilter</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+    </filter>
+
+    <filter-mapping>
+      <filter-name>myFilter</filter-name>
+      <url-pattern>/*</url-pattern>
+    </filter-mapping>
+             ]]>
+        </programlisting>     
+       
+        Notice that the filter  is actually a <literal>DelegatingFilterProxy</literal>, 
+        and not the filter that will actually implement the logic of the filter. What
+        <literal>DelegatingFilterProxy</literal> does is delegate the
     <literal>Filter</literal>'s methods through to a bean which is
     obtained from the Spring application context. This enables the bean to
-    benefit from the Spring application context lifecycle support and
+    benefit from the Spring web application context lifecycle support and
     configuration flexibility. The bean must implement
-    <literal>javax.servlet.Filter</literal>.</para>
-
-    <para>The <literal>FilterToBeanProxy</literal> only requires a single
-    initialization parameter, <literal>targetClass</literal> or
-    <literal>targetBean</literal>. The <literal>targetClass</literal>
-    parameter locates the first object in the application context of the
-    specified class, whilst <literal>targetBean</literal> locates the
-    object by bean name. Like standard Spring web applications, the
-    <literal>FilterToBeanProxy</literal> accesses the application context
-    via<literal>
-    WebApplicationContextUtils.getWebApplicationContext(ServletContext)</literal>,
-    so you should configure a <literal>ContextLoaderListener</literal> in
-    <literal>web.xml</literal>.</para>
+    <literal>javax.servlet.Filter</literal> and it must have the same name as that in
+        the <literal>filter-name</literal> element.</para>
 
     <para>There is a lifecycle issue to consider when hosting
     <literal>Filter</literal>s in an IoC container instead of a servlet
@@ -139,39 +131,31 @@
     Spring interfaces (eg the <literal>destroy-method</literal> attribute
     in Spring XML). For this reason we recommend the use of Spring
     lifecycle services instead of servlet container lifecycle services
-    wherever possible. By default <literal>FilterToBeanProxy</literal>
-    will not delegate <literal>init(FilterConfig)</literal> and
-    <literal>destroy()</literal> methods through to the proxied bean. If
-    you do require such invocations to be delegated, set the
-    <literal>lifecycle</literal> initialization parameter to
-    <literal>servlet-container-managed</literal>.</para>
-
-    <para>Rather than using <literal>FilterToBeanProxy</literal>, we
+    wherever possible. Read the Javadoc for <classname>DelegatingFilterProxy</classname>
+    for more information</para>
+
+      <para>Rather than using <literal>DelegatingFilterProxy</literal>, we
     strongly recommend to use <literal>FilterChainProxy</literal> instead.
-    Whilst <literal>FilterToBeanProxy</literal> is a very useful class,
-    the problem is that the lines of code required for
+          Whilst <literal>DelegatingFilterProxy</literal> is a very useful class,
+    the problem is that the number of lines of code required for
     <literal>&lt;filter&gt;</literal> and
     <literal>&lt;filter-mapping&gt;</literal> entries in
     <literal>web.xml</literal> explodes when using more than a few
     filters. To overcome this issue, Spring Security provides a
     <literal>FilterChainProxy</literal> class. It is wired using a
-    <literal>FilterToBeanProxy</literal> (just like in the example above),
+          <literal>DelegatingFilterProxy</literal> (just like in the example above),
     but the target class is
     <literal>org.springframework.security.util.FilterChainProxy</literal>.
     The filter chain is then declared in the application context, using
     code such as this:</para>
 
-    <para><programlisting>&lt;bean id="filterChainProxy"
-        class="org.springframework.security.util.FilterChainProxy"&gt;
-&lt;property name="filterInvocationDefinitionSource"&gt;
-&lt;value&gt;
-  CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
-  PATTERN_TYPE_APACHE_ANT
-  /webServices/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
-  /**=httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
-&lt;/value&gt;
-&lt;/property&gt;
-&lt;/bean&gt;        </programlisting></para>
+    <para><programlisting><![CDATA[ 
+<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
+    <sec:filter-chain-map path-type="ant">
+        <sec:filter-chain pattern="/webServices/**" filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
+        <sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
+    </sec:filter-chain-map>
+</bean> ]]>        </programlisting></para>
 
     <para>You may notice similarities with the way
     <literal>FilterSecurityInterceptor</literal> is declared. Both regular
@@ -221,11 +205,11 @@
     irrespective of how many times it is declared by the
     <literal>FilterInvocationDefinitionSource</literal>. You control the
     overall choice as to whether these methods are called or not via the
-    <literal>lifecycle</literal> initialization parameter of the
-    <literal>FilterToBeanProxy</literal> that proxies
-    <literal>FilterChainProxy</literal>. As discussed above, by default
+        <literal>targetFilterLifecycle</literal> initialization parameter of the
+        <literal>DelegatingFilterProxy</literal> that proxies
+        <literal>DelegatingFilterProxy</literal>. As discussed above, by default
     any servlet container lifecycle invocations are not delegated through
-    to <literal>FilterChainProxy</literal>.</para>
+    to <literal>DelegatingFilterProxy</literal>.</para>
 
     <para>You can also omit a URI pattern from the filter chain by using
     the token <literal>#NONE#</literal> on the right-hand side of the
@@ -317,12 +301,12 @@
     </orderedlist>
 
     <para>All of the above filters use
-    <literal>FilterToBeanProxy</literal> or
+    <literal>DelegatingFilterProxy</literal> or
     <literal>FilterChainProxy</literal>. It is recommended that a single
-    <literal>FilterToBeanProxy</literal> proxy through to a single
+        <literal>DelegatingFilterProxy</literal> proxy through to a single
     <literal>FilterChainProxy</literal> for each application, with that
     <literal>FilterChainProxy</literal> defining all of Spring Security
-    <literal>Filter</literal>s.</para>
+    filters.</para>
 
     <para>If you're using SiteMesh, ensure Spring Security filters execute
     before the SiteMesh filters are called. This enables the

src/site/apt/petclinic-tutorial.apt

@@ -55,19 +55,15 @@ copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WE
 
 +------------------------------------------------------
 
-<filter>
-  <filter-name>Spring Security Filter Chain Proxy</filter-name>
-  <filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
-  <init-param>
-    <param-name>targetClass</param-name>
-    <param-value>org.springframework.security.util.FilterChainProxy</param-value>
-  </init-param>
-</filter>
+    <filter>
+        <filter-name>springSecurityFilterChain</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+    </filter>
 
-<filter-mapping>
-  <filter-name>Spring Security Filter Chain Proxy</filter-name>
-  <url-pattern>/*</url-pattern>
-</filter-mapping>
+    <filter-mapping>
+      <filter-name>springSecurityFilterChain</filter-name>
+      <url-pattern>/*</url-pattern>
+    </filter-mapping>
 
 +------------------------------------------------------
 
@@ -80,7 +76,7 @@ copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WE
   <param-name>contextConfigLocation</param-name>
   <param-value>
       /WEB-INF/applicationContext-jdbc.xml
-      /WEB-INF/applicationContext-acegi-security.xml
+      /WEB-INF/applicationContext-security-ns.xml
   </param-value>
 </context-param>