
SEC-1196: Change use of <authentication-manager> to actually register the global ProviderManager instance. This element now registers the global ProviderManager instance and must contain any authentication-provider elements (or ldap-authentication-provider elements).

Luke Taylor 16 năm trước cách đây
mục cha
commit
5953af0f6b
29 tập tin đã thay đổi với 297 bổ sung243 xóa
  1. 1 0
      config/src/main/java/org/springframework/security/config/Elements.java
  2. 1 1
      config/src/main/java/org/springframework/security/config/authentication/AbstractUserDetailsServiceBeanDefinitionParser.java
  3. 83 15
      config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java
  4. 50 49
      config/src/main/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParser.java
  5. 6 2
      config/src/main/java/org/springframework/security/config/authentication/CustomAuthenticationProviderBeanDefinitionDecorator.java
  6. 6 2
      config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
  7. 1 6
      config/src/main/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParser.java
  8. 0 2
      config/src/main/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParser.java
  9. 0 2
      config/src/main/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecorator.java
  10. 6 8
      config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
  11. 14 12
      config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
  12. 3 1
      config/src/test/java/org/springframework/security/config/ConfigTestUtils.java
  13. 7 20
      config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java
  14. 10 4
      config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java
  15. 4 29
      config/src/test/java/org/springframework/security/config/authentication/CustomAuthenticationProviderBeanDefinitionDecoratorTests.java
  16. 8 4
      config/src/test/java/org/springframework/security/config/authentication/JdbcUserServiceBeanDefinitionParserTests.java
  17. 3 3
      config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
  18. 19 6
      config/src/test/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParserTests.java
  19. 6 2
      config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java
  20. 5 14
      config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java
  21. 3 1
      config/src/test/java/org/springframework/security/intercept/method/aopalliance/MethodSecurityInterceptorWithAopConfigTests.java
  22. 10 8
      config/src/test/resources/org/springframework/security/config/method-security.xml
  23. 0 0
      config/src/test/resources/org/springframework/security/config/users.properties
  24. 6 4
      samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml
  25. 6 4
      samples/contacts/src/test/resources/applicationContext-contacts-test.xml
  26. 19 9
      samples/openid/pom.xml
  27. 3 19
      samples/openid/src/main/webapp/WEB-INF/applicationContext-security.xml
  28. 6 5
      samples/preauth/src/main/webapp/WEB-INF/applicationContext-security.xml
  29. 11 11
      samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml

+ 1 - 0
config/src/main/java/org/springframework/security/config/Elements.java

@@ -41,6 +41,7 @@ public abstract class Elements {
     public static final String PORT_MAPPINGS = "port-mappings";
     public static final String PORT_MAPPING = "port-mapping";
     public static final String CUSTOM_FILTER = "custom-filter";
+    @Deprecated
     public static final String CUSTOM_AUTH_PROVIDER = "custom-authentication-provider";
     public static final String CUSTOM_AFTER_INVOCATION_PROVIDER = "custom-after-invocation-provider";
     public static final String X509 = "x509";

+ 1 - 1
config/src/main/java/org/springframework/security/config/authentication/AbstractUserDetailsServiceBeanDefinitionParser.java

@@ -20,7 +20,7 @@ import org.w3c.dom.Element;
  * @version $Id$
  */
 public abstract class AbstractUserDetailsServiceBeanDefinitionParser implements BeanDefinitionParser {
-    private static final String CACHE_REF = "cache-ref";
+    static final String CACHE_REF = "cache-ref";
     public static final String CACHING_SUFFIX = ".caching";
 
     /**  UserDetailsService bean Id. For use in a stateful context (i.e. in AuthenticationProviderBDP) */

+ 83 - 15
config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java

@@ -1,44 +1,112 @@
 package org.springframework.security.config.authentication;
 
+import java.util.List;
+
+import org.springframework.beans.BeanMetadataElement;
 import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.config.RuntimeBeanReference;
+import org.springframework.beans.factory.parsing.BeanComponentDefinition;
+import org.springframework.beans.factory.parsing.CompositeComponentDefinition;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.springframework.beans.factory.support.ManagedList;
+import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
+import org.springframework.beans.factory.xml.NamespaceHandlerResolver;
 import org.springframework.beans.factory.xml.ParserContext;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.BeanIds;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
 
 /**
- * Registers an alias name for the default ProviderManager used by the namespace
- * configuration, allowing users to reference it in their beans and clearly see where the name is
- * coming from. Also allows the ConcurrentSessionController to be set on the ProviderManager.
+ * Registers the central ProviderManager used by the namespace configuration, and allows the configuration of an
+ * alias, allowing users to reference it in their beans and clearly see where the name is
+ * coming from.
  *
  * @author Luke Taylor
  * @version $Id$
  */
 public class AuthenticationManagerBeanDefinitionParser implements BeanDefinitionParser {
-    private static final String ATT_SESSION_CONTROLLER_REF = "session-controller-ref";
     private static final String ATT_ALIAS = "alias";
+    private static final String ATT_REF = "ref";
+
+    public BeanDefinition parse(Element element, ParserContext pc) {
+        Assert.state(!pc.getRegistry().containsBeanDefinition(BeanIds.AUTHENTICATION_MANAGER),
+                "AuthenticationManager has already been registered!");
+        pc.pushContainingComponent(new CompositeComponentDefinition(element.getTagName(), pc.extractSource(element)));
 
-    public BeanDefinition parse(Element element, ParserContext parserContext) {
-        ConfigUtils.registerProviderManagerIfNecessary(parserContext, element);
+        BeanDefinitionBuilder providerManagerBldr = BeanDefinitionBuilder.rootBeanDefinition(ProviderManager.class);
 
         String alias = element.getAttribute(ATT_ALIAS);
 
-        if (!StringUtils.hasText(alias)) {
-            parserContext.getReaderContext().error(ATT_ALIAS + " is required.", element );
+        checkForDeprecatedSessionControllerRef(element, pc);
+        List<BeanMetadataElement> providers = new ManagedList<BeanMetadataElement>();
+        NamespaceHandlerResolver resolver = pc.getReaderContext().getNamespaceHandlerResolver();
+
+        NodeList children = element.getChildNodes();
+
+        for (int i = 0; i < children.getLength(); i++) {
+            Node node = children.item(i);
+            if (node instanceof Element) {
+                Element providerElt = (Element)node;
+                if (StringUtils.hasText(providerElt.getAttribute(ATT_REF))) {
+                    providers.add(new RuntimeBeanReference(providerElt.getAttribute(ATT_REF)));
+                } else {
+                    BeanDefinition provider = resolver.resolve(providerElt.getNamespaceURI()).parse(providerElt, pc);
+                    Assert.notNull(provider, "Parser for " + providerElt.getNodeName() + " returned a null bean definition");
+                    providers.add(provider);
+                }
+            }
         }
 
-        String sessionControllerRef = element.getAttribute(ATT_SESSION_CONTROLLER_REF);
+        if (providers.isEmpty()) {
+            providers.add(new RootBeanDefinition(NullAuthenticationProvider.class));
+        }
 
-        if (StringUtils.hasText(sessionControllerRef)) {
-            parserContext.getReaderContext().warning(ATT_SESSION_CONTROLLER_REF + " is not supported in Spring Security " +
-                    " 3.0 and will be ignored. Use the attribute on the <concurrent-session-control> element instead.",
-                    parserContext.extractSource(element));
+        providerManagerBldr.addPropertyValue("providers", providers);
+
+        BeanDefinition authManager = providerManagerBldr.getBeanDefinition();
+        pc.getRegistry().registerBeanDefinition(BeanIds.AUTHENTICATION_MANAGER, authManager);
+        pc.registerBeanComponent(new BeanComponentDefinition(authManager, BeanIds.AUTHENTICATION_MANAGER));
+
+        if (StringUtils.hasText(alias)) {
+            pc.getRegistry().registerAlias(BeanIds.AUTHENTICATION_MANAGER, alias);
+            pc.getReaderContext().fireAliasRegistered(BeanIds.AUTHENTICATION_MANAGER, alias, pc.extractSource(element));
         }
 
-        parserContext.getRegistry().registerAlias(BeanIds.AUTHENTICATION_MANAGER, alias);
-        parserContext.getReaderContext().fireAliasRegistered(BeanIds.AUTHENTICATION_MANAGER, alias, parserContext.extractSource(element));
+        pc.popAndRegisterContainingComponent();
 
         return null;
     }
+
+    private void checkForDeprecatedSessionControllerRef(Element element, ParserContext pc) {
+        final String ATT_SESSION_CONTROLLER_REF = "session-controller-ref";
+
+        if (StringUtils.hasText(element.getAttribute(ATT_SESSION_CONTROLLER_REF))) {
+            pc.getReaderContext().warning(ATT_SESSION_CONTROLLER_REF + " is not supported in Spring Security " +
+                    " 3.0 and will be ignored. Use the attribute on the <concurrent-session-control> element instead.",
+                    pc.extractSource(element));
+        }
+    }
+
+    /**
+     * Provider which doesn't provide any service. Only used to prevent a configuration exception if the provider list
+     * is empty (usually because a child ProviderManager from the &lt;http&gt; namespace, such as OpenID, is expected
+     * to handle the request).
+     */
+    public static final class NullAuthenticationProvider implements AuthenticationProvider {
+        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+            return null;
+        }
+
+        public boolean supports(Class<? extends Object> authentication) {
+            return false;
+        }
+    }
 }
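Review bot: In the provider loop of parse(), the result of `resolver.resolve(providerElt.getNamespaceURI())` is dereferenced directly, but NamespaceHandlerResolver.resolve may return null when no handler is mapped for the child's namespace, so a stray child element surfaces as a NullPointerException with no source location. The loop also hands every child element to a parser regardless of its name, and the two Assert calls throw after pushContainingComponent, so the pushed component is never popped and the failure bypasses the reader context's problem reporter. Reporting through pc.getReaderContext().error(...) with the child's extracted source keeps a misconfigured authentication-manager diagnosable. When the list ends up empty, NullAuthenticationProvider makes the manager reject everything (supports() returns false), which fails closed but silently; a warning at that point would make a forgotten provider visible.

```java
// … unchanged: ref attribute branch adding a RuntimeBeanReference …
} else {
    NamespaceHandler handler = resolver.resolve(providerElt.getNamespaceURI());
    if (handler == null) {
        pc.getReaderContext().error("No namespace handler found for element "
                + providerElt.getNodeName(), pc.extractSource(providerElt));
        continue;
    }
    BeanDefinition provider = handler.parse(providerElt, pc);
    if (provider == null) {
        pc.getReaderContext().error("Parser for " + providerElt.getNodeName()
                + " returned a null bean definition", pc.extractSource(providerElt));
        continue;
    }
    providers.add(provider);
}
```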

+ 50 - 49
config/src/main/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParser.java

@@ -1,17 +1,10 @@
 package org.springframework.security.config.authentication;
 
-import org.springframework.beans.BeansException;
-import org.springframework.beans.PropertyValue;
 import org.springframework.beans.factory.config.BeanDefinition;
-import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
-import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
-import org.springframework.beans.factory.parsing.BeanComponentDefinition;
-import org.springframework.beans.factory.support.BeanDefinitionBuilder;
 import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
-import org.springframework.core.Ordered;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.Elements;
 import org.springframework.security.config.ldap.LdapUserServiceBeanDefinitionParser;
@@ -48,11 +41,6 @@ public class AuthenticationProviderBeanDefinitionParser implements BeanDefinitio
         Element jdbcUserServiceElt = DomUtils.getChildElementByTagName(element, Elements.JDBC_USER_SERVICE);
         Element ldapUserServiceElt = DomUtils.getChildElementByTagName(element, Elements.LDAP_USER_SERVICE);
 
-        // We need to register the provider to access it in the post processor to check if it has a cache
-        final String id = parserContext.getReaderContext().generateBeanName(authProvider);
-        parserContext.getRegistry().registerBeanDefinition(id, authProvider);
-        parserContext.registerComponent(new BeanComponentDefinition(authProvider, id));
-
         String ref = element.getAttribute(ATT_USER_DETAILS_REF);
 
         if (StringUtils.hasText(ref)) {
@@ -81,54 +69,67 @@ public class AuthenticationProviderBeanDefinitionParser implements BeanDefinitio
 
             parser.parse(elt, parserContext);
             ref = parser.getId();
+
+            // Pinch the cache-ref from the UserDetailService element, if set.
+            String cacheRef = elt.getAttribute(AbstractUserDetailsServiceBeanDefinitionParser.CACHE_REF);
+
+            if (StringUtils.hasText(cacheRef)) {
+                authProvider.getPropertyValues().addPropertyValue("userCache", new RuntimeBeanReference(cacheRef));
+            }
         }
 
         authProvider.getPropertyValues().addPropertyValue("userDetailsService", new RuntimeBeanReference(ref));
 
-        BeanDefinitionBuilder cacheResolverBldr = BeanDefinitionBuilder.rootBeanDefinition(AuthenticationProviderCacheResolver.class);
-        cacheResolverBldr.addConstructorArgValue(id);
-        cacheResolverBldr.addConstructorArgValue(ref);
-        cacheResolverBldr.setRole(BeanDefinition.ROLE_INFRASTRUCTURE);
-        BeanDefinition cacheResolver = cacheResolverBldr.getBeanDefinition();
+        // We need to register the provider to access it in the post processor to check if it has a cache
+//        final String id = parserContext.getReaderContext().generateBeanName(authProvider);
+//        parserContext.getRegistry().registerBeanDefinition(id, authProvider);
+//        parserContext.registerComponent(new BeanComponentDefinition(authProvider, id));
+
 
-        String name = parserContext.getReaderContext().generateBeanName(cacheResolver);
-        parserContext.getRegistry().registerBeanDefinition(name , cacheResolver);
-        parserContext.registerComponent(new BeanComponentDefinition(cacheResolver, name));
+//        BeanDefinitionBuilder cacheResolverBldr = BeanDefinitionBuilder.rootBeanDefinition(AuthenticationProviderCacheResolver.class);
+//        cacheResolverBldr.addConstructorArgValue(id);
+//        cacheResolverBldr.addConstructorArgValue(ref);
+//        cacheResolverBldr.setRole(BeanDefinition.ROLE_INFRASTRUCTURE);
+//        BeanDefinition cacheResolver = cacheResolverBldr.getBeanDefinition();
+//
+//        String name = parserContext.getReaderContext().generateBeanName(cacheResolver);
+//        parserContext.getRegistry().registerBeanDefinition(name , cacheResolver);
+//        parserContext.registerComponent(new BeanComponentDefinition(cacheResolver, name));
 
-        ConfigUtils.addAuthenticationProvider(parserContext, id, element);
+//        ConfigUtils.addAuthenticationProvider(parserContext, id, element);
 
-        return null;
+        return authProvider;
     }
 
     /**
      * Checks whether the registered user service bean has an associated cache and, if so, sets it on the
      * authentication provider.
      */
-    static class AuthenticationProviderCacheResolver implements BeanFactoryPostProcessor, Ordered {
-        private String providerId;
-        private String userServiceId;
-
-        public AuthenticationProviderCacheResolver(String providerId, String userServiceId) {
-            this.providerId = providerId;
-            this.userServiceId = userServiceId;
-        }
-
-        public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
-            RootBeanDefinition provider = (RootBeanDefinition) beanFactory.getBeanDefinition(providerId);
-
-            String cachingId = userServiceId + AbstractUserDetailsServiceBeanDefinitionParser.CACHING_SUFFIX;
-
-            if (beanFactory.containsBeanDefinition(cachingId)) {
-                RootBeanDefinition cachingUserService = (RootBeanDefinition) beanFactory.getBeanDefinition(cachingId);
-
-                PropertyValue userCacheProperty = cachingUserService.getPropertyValues().getPropertyValue("userCache");
-
-                provider.getPropertyValues().addPropertyValue(userCacheProperty);
-            }
-        }
-
-        public int getOrder() {
-            return HIGHEST_PRECEDENCE;
-        }
-    }
+//    static class AuthenticationProviderCacheResolver implements BeanFactoryPostProcessor, Ordered {
+//        private String providerId;
+//        private String userServiceId;
+//
+//        public AuthenticationProviderCacheResolver(String providerId, String userServiceId) {
+//            this.providerId = providerId;
+//            this.userServiceId = userServiceId;
+//        }
+//
+//        public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
+//            RootBeanDefinition provider = (RootBeanDefinition) beanFactory.getBeanDefinition(providerId);
+//
+//            String cachingId = userServiceId + AbstractUserDetailsServiceBeanDefinitionParser.CACHING_SUFFIX;
+//
+//            if (beanFactory.containsBeanDefinition(cachingId)) {
+//                RootBeanDefinition cachingUserService = (RootBeanDefinition) beanFactory.getBeanDefinition(cachingId);
+//
+//                PropertyValue userCacheProperty = cachingUserService.getPropertyValues().getPropertyValue("userCache");
+//
+//                provider.getPropertyValues().addPropertyValue(userCacheProperty);
+//            }
+//        }
+//
+//        public int getOrder() {
+//            return HIGHEST_PRECEDENCE;
+//        }
+//    }
 }
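Review bot: The new cache-ref handling sits only in the branch that parses a nested user-service element, so a provider configured through user-service-ref no longer receives a userCache, whereas the removed AuthenticationProviderCacheResolver looked up the `.caching` definition by service id for either form (the start of the branch is outside this hunk, so this should be confirmed). If dropping the cache for the ref case is intended, it belongs in the schema documentation for user-service-ref; otherwise that case needs its own lookup. The replaced code is left commented out rather than deleted, including the whole AuthenticationProviderCacheResolver class, which leaves the Javadoc above it describing nothing. Delete the commented blocks together with the now-misleading comment `// We need to register the provider to access it in the post processor to check if it has a cache`.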

+ 6 - 2
config/src/main/java/org/springframework/security/config/authentication/CustomAuthenticationProviderBeanDefinitionDecorator.java

@@ -3,7 +3,7 @@ package org.springframework.security.config.authentication;
 import org.springframework.beans.factory.config.BeanDefinitionHolder;
 import org.springframework.beans.factory.xml.BeanDefinitionDecorator;
 import org.springframework.beans.factory.xml.ParserContext;
-import org.w3c.dom.Element;
+import org.springframework.security.config.Elements;
 import org.w3c.dom.Node;
 
 /**
@@ -14,8 +14,12 @@ import org.w3c.dom.Node;
  * @version $Id$
  */
 public class CustomAuthenticationProviderBeanDefinitionDecorator implements BeanDefinitionDecorator {
+    @SuppressWarnings("deprecation")
     public BeanDefinitionHolder decorate(Node node, BeanDefinitionHolder holder, ParserContext parserContext) {
-        ConfigUtils.addAuthenticationProvider(parserContext, holder.getBeanName(), (Element) node);
+        //ConfigUtils.addAuthenticationProvider(parserContext, holder.getBeanName(), (Element) node);
+        parserContext.getReaderContext().warning(Elements.CUSTOM_AUTH_PROVIDER + " is deprecated in " +
+                "Spring Security 3.0 and has no effect. Authentication providers should be declared within" +
+                " the <authentication-provider> element", parserContext.extractSource(node));
 
         return holder;
     }
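Review bot: The warning text in decorate() sends users to the wrong element: it says providers should be declared within `<authentication-provider>`, while this commit makes `<authentication-manager>` the container and adds a `ref` attribute on authentication-provider for externally defined beans. Because the decorator now does nothing, a provider bean that used to be registered this way is dropped from the ProviderManager with only this warning, so the message has to name the working replacement, for example ending in `" the <authentication-manager> element, using <authentication-provider ref='...'/>"`. The commented-out `ConfigUtils.addAuthenticationProvider` line should be removed rather than kept.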

+ 6 - 2
config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java

@@ -292,9 +292,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
             unorderedFilterChain.add(new OrderDecorator(form.filter, AUTHENTICATION_PROCESSING_FILTER));
         }
 
+        String openIDProviderId = null;
+
         if (openID.filter != null) {
             unorderedFilterChain.add(new OrderDecorator(openID.filter, OPENID_PROCESSING_FILTER));
-            authenticationProviders.add(createOpenIDProvider(element, pc));
+            BeanReference openIDProvider = createOpenIDProvider(element, pc);
+            openIDProviderId = openIDProvider.getBeanName();
+            authenticationProviders.add(openIDProvider);
         }
 
         if (loginPageGenerationFilter != null) {
@@ -350,7 +354,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
         BeanDefinitionBuilder userServiceInjector = BeanDefinitionBuilder.rootBeanDefinition(UserDetailsServiceInjectionBeanPostProcessor.class);
         userServiceInjector.addConstructorArgValue(x509ProviderId);
         userServiceInjector.addConstructorArgValue(rememberMeServicesId);
-        userServiceInjector.addConstructorArgValue(rememberMeServicesId);
+        userServiceInjector.addConstructorArgValue(openIDProviderId);
         userServiceInjector.setRole(BeanDefinition.ROLE_INFRASTRUCTURE);
         pc.getReaderContext().registerWithGeneratedName(userServiceInjector.getBeanDefinition());
 

+ 1 - 6
config/src/main/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParser.java

@@ -7,9 +7,7 @@ import org.springframework.beans.factory.config.RuntimeBeanReference;
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
-import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.Elements;
-import org.springframework.security.config.authentication.ConfigUtils;
 import org.springframework.security.config.authentication.PasswordEncoderParser;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
@@ -102,10 +100,7 @@ public class LdapProviderBeanDefinitionParser implements BeanDefinitionParser {
         ldapProvider.addConstructorArgValue(LdapUserServiceBeanDefinitionParser.parseAuthoritiesPopulator(elt, parserContext));
         ldapProvider.addPropertyValue("userDetailsContextMapper",
                 LdapUserServiceBeanDefinitionParser.parseUserDetailsClassOrUserMapperRef(elt, parserContext));
-        parserContext.getRegistry().registerBeanDefinition(BeanIds.LDAP_AUTHENTICATION_PROVIDER, ldapProvider.getBeanDefinition());
 
-        ConfigUtils.addAuthenticationProvider(parserContext, BeanIds.LDAP_AUTHENTICATION_PROVIDER, elt);
-
-        return null;
+        return ldapProvider.getBeanDefinition();
     }
 }
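Review bot: parse() now only returns the definition and no longer registers it, so an `<ldap-authentication-provider>` still declared at the top level of a context, as in 2.0-style configuration, would presumably yield a bean definition that nothing registers or adds to the ProviderManager; the same applies to the `return authProvider;` change in AuthenticationProviderBeanDefinitionParser. Authentication then fails closed, but without any message pointing at the cause. Consider reporting an error through `parserContext.getReaderContext().error(...)` when `elt.getParentNode()` is not the authentication-manager element. The bean id BeanIds.LDAP_AUTHENTICATION_PROVIDER is also no longer registered, so any remaining reference to it should be checked; the method body starts outside this hunk.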

+ 0 - 2
config/src/main/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParser.java

@@ -39,7 +39,6 @@ import org.springframework.security.access.vote.AffirmativeBased;
 import org.springframework.security.access.vote.AuthenticatedVoter;
 import org.springframework.security.access.vote.RoleVoter;
 import org.springframework.security.config.BeanIds;
-import org.springframework.security.config.authentication.ConfigUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
 import org.w3c.dom.Element;
@@ -74,7 +73,6 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
 
     @SuppressWarnings("unchecked")
     public BeanDefinition parse(Element element, ParserContext pc) {
-        ConfigUtils.registerProviderManagerIfNecessary(pc, element);
         CompositeComponentDefinition compositeDef =
             new CompositeComponentDefinition(element.getTagName(), pc.extractSource(element));
         pc.pushContainingComponent(compositeDef);

+ 0 - 2
config/src/main/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecorator.java

@@ -18,7 +18,6 @@ import org.springframework.security.access.intercept.aopalliance.MethodSecurityI
 import org.springframework.security.access.method.MapBasedMethodSecurityMetadataSource;
 import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.Elements;
-import org.springframework.security.config.authentication.ConfigUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
 import org.w3c.dom.Element;
@@ -34,7 +33,6 @@ public class InterceptMethodsBeanDefinitionDecorator implements BeanDefinitionDe
     private BeanDefinitionDecorator delegate = new InternalInterceptMethodsBeanDefinitionDecorator();
 
     public BeanDefinitionHolder decorate(Node node, BeanDefinitionHolder definition, ParserContext parserContext) {
-        ConfigUtils.registerProviderManagerIfNecessary(parserContext, (Element) node);
         MethodConfigUtils.registerDefaultMethodAccessManagerIfNecessary(parserContext);
 
         return delegate.decorate(node, definition, parserContext);

+ 6 - 8
config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc

@@ -488,24 +488,22 @@ x509.attlist &=
     user-service-ref?
 
 authentication-manager =
-    ## If you are using namespace configuration with Spring Security, an AuthenticationManager will automatically be registered. This element allows you to define an alias to allow you to reference the authentication-manager in your own beans. 
-    element authentication-manager {authman.attlist}
+    ## Registers the AuthenticationManager instance and allows its list of AuthenticationProviders to be defined. should use. Also allows you to define an alias to allow you to reference the AuthenticationManager in your own beans. 
+    element authentication-manager {authman.attlist, authentication-provider*, ldap-authentication-provider*}
 authman.attlist &=
     ## The alias you wish to use for the AuthenticationManager bean
-    attribute alias {xsd:ID}
+    attribute alias {xsd:ID}?
 
 authentication-provider =
     ## Indicates that the contained user-service should be used as an authentication source. 
     element authentication-provider {ap.attlist & any-user-service & password-encoder?}
+ap.attlist &=
+    ## Specifies a reference to a separately configured AuthenticationProvider instance which should be registered within the AuthenticationManager.  
+    ref?    
 ap.attlist &=
     ## Specifies a reference to a separately configured UserDetailsService from which to obtain authentication data.  
     user-service-ref?
 
-custom-authentication-provider =
-    ## Element used to decorate an AuthenticationProvider bean to add it to the internal AuthenticationManager maintained by the namespace.
-    element custom-authentication-provider {cap.attlist}
-cap.attlist &= empty
-
 user-service =
     ## Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements.
     element user-service {id? & (properties-file | (user*))}
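Review bot: The content model `authentication-provider*, ldap-authentication-provider*` is a sequence, so every ldap-authentication-provider must follow all authentication-provider elements, yet the parser adds providers in document order and ProviderManager consults them in list order; a configuration that needs LDAP tried first cannot be expressed. A choice keeps the order free: `element authentication-manager {authman.attlist, (authentication-provider | ldap-authentication-provider)*}`, with the matching change in the generated spring-security-3.0.xsd. The new documentation string also carries a stray fragment, "to be defined. should use. Also allows", which is repeated in the xsd hunk. The added `ref?` is combined with an any-user-service that the element definition still appears to require, while the manager parser ignores the element body when ref is set, so whether a bare `<authentication-provider ref='...'/>` validates should be confirmed.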

+ 14 - 12
config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd

@@ -1411,17 +1411,21 @@
    </xs:attributeGroup>
    <xs:element name="authentication-manager">
       <xs:annotation>
-         <xs:documentation>If you are using namespace configuration with Spring Security, an
-            AuthenticationManager will automatically be registered. This element allows you to
-            define an alias to allow you to reference the authentication-manager in your own beans.
-         </xs:documentation>
+         <xs:documentation>Registers the AuthenticationManager instance and allows its list of
+            AuthenticationProviders to be defined. should use. Also allows you to define an alias to
+            allow you to reference the AuthenticationManager in your own beans. </xs:documentation>
       </xs:annotation>
       <xs:complexType>
+         <xs:sequence>
+            <xs:element minOccurs="0" maxOccurs="unbounded" ref="security:authentication-provider"/>
+            <xs:element minOccurs="0" maxOccurs="unbounded"
+               ref="security:ldap-authentication-provider"/>
+         </xs:sequence>
          <xs:attributeGroup ref="security:authman.attlist"/>
       </xs:complexType>
    </xs:element>
    <xs:attributeGroup name="authman.attlist">
-      <xs:attribute name="alias" use="required" type="xs:ID">
+      <xs:attribute name="alias" type="xs:ID">
          <xs:annotation>
             <xs:documentation>The alias you wish to use for the AuthenticationManager
                bean</xs:documentation>
@@ -1480,6 +1484,11 @@
       </xs:complexType>
    </xs:element>
    <xs:attributeGroup name="ap.attlist">
+      <xs:attribute name="ref" type="xs:token">
+         <xs:annotation>
+            <xs:documentation>Defines a reference to a Spring bean Id.</xs:documentation>
+         </xs:annotation>
+      </xs:attribute>
       <xs:attribute name="user-service-ref" type="xs:token">
          <xs:annotation>
             <xs:documentation>A reference to a user-service (or UserDetailsService bean)
@@ -1487,13 +1496,6 @@
          </xs:annotation>
       </xs:attribute>
    </xs:attributeGroup>
-   <xs:element name="custom-authentication-provider">
-      <xs:annotation>
-         <xs:documentation>Element used to decorate an AuthenticationProvider bean to add it to the
-            internal AuthenticationManager maintained by the namespace.</xs:documentation>
-      </xs:annotation>
-      <xs:complexType/>
-   </xs:element>
    <xs:element name="user-service" substitutionGroup="security:any-user-service">
       <xs:annotation>
          <xs:documentation>Creates an in-memory UserDetailsService from a properties file or a list

+ 3 - 1
config/src/test/java/org/springframework/security/config/ConfigTestUtils.java

@@ -2,6 +2,7 @@ package org.springframework.security.config;
 
 public abstract class ConfigTestUtils {
     public static final String AUTH_PROVIDER_XML =
+        "<authentication-manager alias='authManager'>" +
         "    <authentication-provider>" +
         "        <user-service id='us'>" +
         "            <user name='bob' password='bobspassword' authorities='ROLE_A,ROLE_B' />" +
@@ -9,5 +10,6 @@ public abstract class ConfigTestUtils {
         "            <user name='admin' password='password' authorities='ROLE_ADMIN,ROLE_USER' />" +
         "            <user name='user' password='password' authorities='ROLE_USER' />" +
         "        </user-service>" +
-        "    </authentication-provider>";
+        "    </authentication-provider>" +
+        "</authentication-manager>";
 }

+ 7 - 20
config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java

@@ -1,17 +1,12 @@
 package org.springframework.security.config.authentication;
 
-import static org.junit.Assert.assertFalse;
-
 import org.junit.Test;
 import org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException;
 import org.springframework.context.support.AbstractXmlApplicationContext;
-import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.authentication.concurrent.ConcurrentSessionControllerImpl;
 import org.springframework.security.authentication.concurrent.SessionRegistryImpl;
 import org.springframework.security.config.BeanIds;
-import org.springframework.security.config.ConfigTestUtils;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
-import org.springframework.security.util.FieldUtils;
 
 /**
  *
@@ -28,24 +23,16 @@ public class AuthenticationManagerBeanDefinitionParserTests {
         "  </b:property>" +
         "</b:bean>";
 
-    @Test
-    public void sessionControllerRefAttributeIsSupportedFor204ContextButHasNoEffect() throws Exception {
-        setContext(
-          "<http auto-config='true'/>" +
-          SESSION_CONTROLLER +
-          "<authentication-manager alias='authManager' session-controller-ref='sc'/>" +
-          ConfigTestUtils.AUTH_PROVIDER_XML, "2.0.4");
-        ProviderManager pm = (ProviderManager) appContext.getBean(BeanIds.AUTHENTICATION_MANAGER);
-        assertFalse(FieldUtils.getFieldValue(pm, "sessionController") instanceof ConcurrentSessionControllerImpl);
-    }
-
     @Test(expected=XmlBeanDefinitionStoreException.class)
     public void sessionControllerRefAttributeIsRejectedFor30Context() throws Exception {
         setContext(
-          "<http auto-config='true'/>" +
-          SESSION_CONTROLLER +
-          "<authentication-manager alias='authManager' session-controller-ref='sc'/>" +
-          ConfigTestUtils.AUTH_PROVIDER_XML, "3.0");
+          "<authentication-manager session-controller-ref='sc'>" +
+          "    <authentication-provider>" +
+          "        <user-service>" +
+          "            <user name='bob' password='bobspassword' authorities='ROLE_A,ROLE_B' />" +
+          "        </user-service>" +
+          "    </authentication-provider>" +
+          "</authentication-manager>" + SESSION_CONTROLLER, "3.0");
         appContext.getBean(BeanIds.AUTHENTICATION_MANAGER);
     }
 

+ 10 - 4
config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java

@@ -47,7 +47,10 @@ public class AuthenticationProviderBeanDefinitionParserTests {
 
     @Test
     public void externalUserServiceRefWorks() throws Exception {
-        setContext(" <authentication-provider user-service-ref='myUserService' />" +
+        appContext = new InMemoryXmlApplicationContext(
+                "    <authentication-manager>" +
+                "        <authentication-provider user-service-ref='myUserService' />" +
+                "    </authentication-manager>" +
                 "    <user-service id='myUserService'>" +
                 "       <user name='bob' password='bobspassword' authorities='ROLE_A' />" +
                 "    </user-service>");
@@ -105,11 +108,14 @@ public class AuthenticationProviderBeanDefinitionParserTests {
 
     @Test
     public void externalUserServicePasswordEncoderAndSaltSourceWork() throws Exception {
-        setContext(" <authentication-provider user-service-ref='customUserService'>" +
+        appContext = new InMemoryXmlApplicationContext(
+                "    <authentication-manager>" +
+                "      <authentication-provider user-service-ref='customUserService'>" +
                 "        <password-encoder ref='customPasswordEncoder'>" +
                 "            <salt-source ref='saltSource'/>" +
                 "        </password-encoder>" +
-                "    </authentication-provider>" +
+                "      </authentication-provider>" +
+                "    </authentication-manager>" +
 
                 "    <b:bean id='customPasswordEncoder' " +
                             "class='org.springframework.security.authentication.encoding.Md5PasswordEncoder'/>" +
@@ -132,6 +138,6 @@ public class AuthenticationProviderBeanDefinitionParserTests {
     }
 
     private void setContext(String context) {
-        appContext = new InMemoryXmlApplicationContext(context);
+        appContext = new InMemoryXmlApplicationContext("<authentication-manager>" + context + "</authentication-manager>");
     }
 }
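Review bot: `setContext` now wraps whatever it is given in `<authentication-manager>`, which is not visible at the call sites and is why `externalUserServiceRefWorks` and `externalUserServicePasswordEncoderAndSaltSourceWork` had to switch to constructing `InMemoryXmlApplicationContext` directly. Any test that passes sibling beans through `setContext` would now have them nested inside the manager element. I would add a comment above the helper, `// Wraps the snippet in <authentication-manager>; build the context directly when sibling beans are needed.`, so the two styles are not mixed up later. The callers of `setContext` are outside this hunk.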

+ 4 - 29
config/src/test/java/org/springframework/security/config/authentication/CustomAuthenticationProviderBeanDefinitionDecoratorTests.java

@@ -1,45 +1,20 @@
 package org.springframework.security.config.authentication;
 
-import static org.junit.Assert.*;
-
 import org.junit.Test;
-import org.springframework.security.authentication.ProviderManager;
-import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
 
 
 public class CustomAuthenticationProviderBeanDefinitionDecoratorTests {
 
     @Test
-    public void decoratedProviderParsesSuccessfully() {
-        InMemoryXmlApplicationContext ctx = new InMemoryXmlApplicationContext(
+    public void decoratedProviderParsesSuccessfullyWith20Namespace() {
+        new InMemoryXmlApplicationContext(
                 "<b:bean class='org.springframework.security.authentication.dao.DaoAuthenticationProvider'>" +
                 "  <custom-authentication-provider />" +
                 "  <b:property name='userDetailsService' ref='us'/>" +
-                "</b:bean>" + 
-                "<user-service id='us'>" +
-                " <user name='bob' password='bobspassword' authorities='ROLE_A,ROLE_B' />" +
-                "</user-service>"
-        );
-        ProviderManager authMgr = (ProviderManager) ctx.getBean(BeanIds.AUTHENTICATION_MANAGER);
-        assertEquals(1, authMgr.getProviders().size());        
-    }
-    
-    
-    @Test
-    public void decoratedBeanAndRegisteredProviderAreTheSameObject() {
-        InMemoryXmlApplicationContext ctx = new InMemoryXmlApplicationContext(
-                "<b:bean id='myProvider' class='org.springframework.security.authentication.dao.DaoAuthenticationProvider'>" +
-                "  <custom-authentication-provider />" +
-                "  <b:property name='userDetailsService' ref='us'/>" +
-                "</b:bean>" + 
+                "</b:bean>" +
                 "<user-service id='us'>" +
                 " <user name='bob' password='bobspassword' authorities='ROLE_A,ROLE_B' />" +
-                "</user-service>"
-        );
-
-        ProviderManager authMgr = (ProviderManager) ctx.getBean(BeanIds.AUTHENTICATION_MANAGER);
-        assertEquals(1, authMgr.getProviders().size());
-        assertSame(ctx.getBean("myProvider"), authMgr.getProviders().get(0));
+                "</user-service>", "2.0.4", null);
     }
 }
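Review bot: `decoratedProviderParsesSuccessfullyWith20Namespace` no longer asserts anything: the context is built against the `2.0.4` schema and discarded, and both checks that the decorated bean ends up in the `ProviderManager` are removed together with `decoratedBeanAndRegisteredProviderAreTheSameObject`. Nothing here states what `<custom-authentication-provider>` is meant to do after this change (register the provider, be ignored, or be rejected under 3.0), and the decorator itself is not visible in this section. A provider that silently stops being registered changes how an application authenticates, so I would pin the intended outcome with an assertion on the manager's provider list or an expected exception. At minimum the test deserves a comment such as `// 2.0.4 schema only: checks that parsing succeeds, not that the provider is registered`.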

+ 8 - 4
config/src/test/java/org/springframework/security/config/authentication/JdbcUserServiceBeanDefinitionParserTests.java

@@ -102,9 +102,11 @@ public class JdbcUserServiceBeanDefinitionParserTests {
     @Test
     public void isSupportedByAuthenticationProviderElement() {
         setContext(
-                "<authentication-provider>" +
+                "<authentication-manager>" +
+                "  <authentication-provider>" +
                 "    <jdbc-user-service data-source-ref='dataSource'/>" +
-                "</authentication-provider>" + DATA_SOURCE);
+                "  </authentication-provider>" +
+                "</authentication-manager>" + DATA_SOURCE);
         AuthenticationManager mgr = (AuthenticationManager) appContext.getBean(BeanIds.AUTHENTICATION_MANAGER);
         mgr.authenticate(new UsernamePasswordAuthenticationToken("rod", "koala"));
     }
@@ -112,9 +114,11 @@ public class JdbcUserServiceBeanDefinitionParserTests {
     @Test
     public void cacheIsInjectedIntoAuthenticationProvider() {
         setContext(
-                "<authentication-provider>" +
+                "<authentication-manager>" +
+                "  <authentication-provider>" +
                 "    <jdbc-user-service cache-ref='userCache' data-source-ref='dataSource'/>" +
-                "</authentication-provider>" + DATA_SOURCE + USER_CACHE_XML);
+                "  </authentication-provider>" +
+                "</authentication-manager>" + DATA_SOURCE + USER_CACHE_XML);
         ProviderManager mgr = (ProviderManager) appContext.getBean(BeanIds.AUTHENTICATION_MANAGER);
         DaoAuthenticationProvider provider = (DaoAuthenticationProvider) mgr.getProviders().get(0);
         assertSame(provider.getUserCache(), appContext.getBean("userCache"));

+ 3 - 3
config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java

@@ -605,7 +605,6 @@ public class HttpSecurityBeanDefinitionParserTests {
     @Test(expected=BeanDefinitionParsingException.class)
     public void useOfExternalConcurrentSessionControllerRequiresSessionRegistryToBeSet() throws Exception {
         setContext(
-                "<authentication-manager alias='authManager' />" +
                 "<http auto-config='true'>" +
                 "    <concurrent-session-control session-controller-ref='sc' expired-url='/expired'/>" +
                 "</http>" +
@@ -619,7 +618,6 @@ public class HttpSecurityBeanDefinitionParserTests {
     @Test
     public void useOfExternalSessionControllerAndRegistryIsWiredCorrectly() throws Exception {
         setContext(
-                "<authentication-manager alias='authManager' />" +
                 "<http auto-config='true'>" +
                 "    <concurrent-session-control session-registry-ref='sr' session-controller-ref='sc' expired-url='/expired'/>" +
                 "</http>" +
@@ -756,7 +754,9 @@ public class HttpSecurityBeanDefinitionParserTests {
     public void httpElementDoesntInterfereWithBeanPostProcessing() {
         setContext(
                 "<http auto-config='true'/>" +
-                "<authentication-provider user-service-ref='myUserService'/>" +
+                "<authentication-manager>" +
+                "   <authentication-provider user-service-ref='myUserService'/>" +
+                "</authentication-manager>" +
                 "<b:bean id='myUserService' class='org.springframework.security.config.PostProcessedMockUserDetailsService'/>" +
                 "<b:bean id='beanPostProcessor' class='org.springframework.security.config.MockUserServiceBeanPostProcessor'/>"
         );

+ 19 - 6
config/src/test/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParserTests.java

@@ -43,7 +43,10 @@ public class LdapProviderBeanDefinitionParserTests {
 
     @Test
     public void simpleProviderAuthenticatesCorrectly() {
-        setContext("<ldap-server /> <ldap-authentication-provider group-search-filter='member={0}' />");
+        setContext("<ldap-server />" +
+                "<authentication-manager>" +
+                "   <ldap-authentication-provider group-search-filter='member={0}' />" +
+                "</authentication-manager>");
 
         LdapAuthenticationProvider provider = getProvider();
         Authentication auth = provider.authenticate(new UsernamePasswordAuthenticationToken("ben", "benspassword"));
@@ -61,9 +64,11 @@ public class LdapProviderBeanDefinitionParserTests {
     @Test
     public void supportsPasswordComparisonAuthentication() {
         setContext("<ldap-server /> " +
+                "<authentication-manager>" +
                 "<ldap-authentication-provider user-dn-pattern='uid={0},ou=people'>" +
                 "    <password-compare />" +
-                "</ldap-authentication-provider>");
+                "</ldap-authentication-provider>"+
+                "</authentication-manager>");
         LdapAuthenticationProvider provider = getProvider();
         provider.authenticate(new UsernamePasswordAuthenticationToken("ben", "benspassword"));
     }
@@ -72,9 +77,11 @@ public class LdapProviderBeanDefinitionParserTests {
     @Test
     public void supportsPasswordComparisonAuthenticationWithHashAttribute() {
         setContext("<ldap-server /> " +
+                "<authentication-manager>" +
                 "<ldap-authentication-provider user-dn-pattern='uid={0},ou=people'>" +
                 "    <password-compare password-attribute='uid' hash='plaintext'/>" +
-                "</ldap-authentication-provider>");
+                "</ldap-authentication-provider>" +
+                "</authentication-manager>");
         LdapAuthenticationProvider provider = getProvider();
         provider.authenticate(new UsernamePasswordAuthenticationToken("ben", "ben"));
     }
@@ -82,11 +89,13 @@ public class LdapProviderBeanDefinitionParserTests {
     @Test
     public void supportsPasswordComparisonAuthenticationWithPasswordEncoder() {
         setContext("<ldap-server /> " +
+                "<authentication-manager>" +
                 "<ldap-authentication-provider user-dn-pattern='uid={0},ou=people'>" +
                 "    <password-compare password-attribute='uid'>" +
                 "        <password-encoder hash='plaintext'/>" +
                 "    </password-compare>" +
-                "</ldap-authentication-provider>");
+                "</ldap-authentication-provider>" +
+                "</authentication-manager>");
         LdapAuthenticationProvider provider = getProvider();
         provider.authenticate(new UsernamePasswordAuthenticationToken("ben", "ben"));
     }
@@ -94,14 +103,18 @@ public class LdapProviderBeanDefinitionParserTests {
     @Test
     public void detectsNonStandardServerId() {
         setContext("<ldap-server id='myServer'/> " +
-                "<ldap-authentication-provider />");
+                "<authentication-manager>" +
+                "  <ldap-authentication-provider />" +
+                "</authentication-manager>");
     }
 
     @Test
     public void inetOrgContextMapperIsSupported() throws Exception {
         setContext(
                 "<ldap-server id='someServer' url='ldap://127.0.0.1:343/dc=springframework,dc=org'/>" +
-                "<ldap-authentication-provider user-details-class='inetOrgPerson'/>");
+                "<authentication-manager>" +
+                "    <ldap-authentication-provider user-details-class='inetOrgPerson'/>" +
+                "</authentication-manager>");
         LdapAuthenticationProvider provider = getProvider();
         assertTrue(FieldUtils.getFieldValue(provider, "userDetailsContextMapper") instanceof InetOrgPersonContextMapper);
     }

+ 6 - 2
config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java

@@ -95,7 +95,9 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
         setContext(
                 "<b:bean id='myUserService' class='org.springframework.security.config.PostProcessedMockUserDetailsService'/>" +
                 "<global-method-security />" +
-                "<authentication-provider user-service-ref='myUserService'/>" +
+                "<authentication-manager>" +
+                "   <authentication-provider user-service-ref='myUserService'/>" +
+                "</authentication-manager>" +
                 "<b:bean id='beanPostProcessor' class='org.springframework.security.config.MockUserServiceBeanPostProcessor'/>"
         );
 
@@ -113,7 +115,9 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
                 "</global-method-security>" +
                 "<b:bean id='myUserService' class='org.springframework.security.config.PostProcessedMockUserDetailsService'/>" +
                 "<aop:aspectj-autoproxy />" +
-                "<authentication-provider user-service-ref='myUserService'/>"
+                "<authentication-manager>" +
+                "   <authentication-provider user-service-ref='myUserService'/>" +
+                "</authentication-manager>"
         );
 
         UserDetailsService service = (UserDetailsService) appContext.getBean("myUserService");

+ 5 - 14
config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java

@@ -22,7 +22,6 @@ import org.springframework.security.core.context.SecurityContextHolder;
  */
 public class InterceptMethodsBeanDefinitionDecoratorTests {
     private ClassPathXmlApplicationContext appContext;
-
     private TestBusinessBean target;
 
     @Before
@@ -50,13 +49,9 @@ public class InterceptMethodsBeanDefinitionDecoratorTests {
         target.unprotected();
     }
 
-    @Test
+    @Test(expected=AuthenticationCredentialsNotFoundException.class)
     public void targetShouldPreventProtectedMethodInvocationWithNoContext() {
-        try {
-            target.doSomething();
-            fail("Expected AuthenticationCredentialsNotFoundException");
-        } catch (AuthenticationCredentialsNotFoundException expected) {
-        }
+        target.doSomething();
     }
 
     @Test
@@ -65,20 +60,16 @@ public class InterceptMethodsBeanDefinitionDecoratorTests {
                 AuthorityUtils.createAuthorityList("ROLE_USER"));
         SecurityContextHolder.getContext().setAuthentication(token);
 
-
         target.doSomething();
     }
 
-    @Test
+    @Test(expected=AccessDeniedException.class)
     public void targetShouldPreventProtectedMethodInvocationWithIncorrectRole() {
         UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password",
                 AuthorityUtils.createAuthorityList("ROLE_SOMEOTHERROLE"));
         SecurityContextHolder.getContext().setAuthentication(token);
 
-        try {
-            target.doSomething();
-            fail("Expected AccessDeniedException");
-        } catch (AccessDeniedException expected) {
-        }
+        target.doSomething();
+        fail("Expected AccessDeniedException");
     }
 }
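Review bot: The leftover `fail("Expected AccessDeniedException");` in `targetShouldPreventProtectedMethodInvocationWithIncorrectRole` is redundant now that the test uses `@Test(expected=AccessDeniedException.class)`, and it is inconsistent with `targetShouldPreventProtectedMethodInvocationWithNoContext` in the previous hunk, which dropped its `fail`. If `target.doSomething()` ever returns normally, the `AssertionError` from `fail` is what JUnit sees, so the report becomes an unexpected-exception message rather than the plain missing-exception one. I would delete the `fail(...)` line so the method ends at `target.doSomething();`.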

+ 3 - 1
config/src/test/java/org/springframework/security/intercept/method/aopalliance/MethodSecurityInterceptorWithAopConfigTests.java

@@ -19,12 +19,14 @@ import org.springframework.security.core.context.SecurityContextHolder;
  */
 public class MethodSecurityInterceptorWithAopConfigTests {
     static final String AUTH_PROVIDER_XML =
+        "<authentication-manager>" +
         "    <authentication-provider>" +
         "        <user-service>" +
         "            <user name='bob' password='bobspassword' authorities='ROLE_USER,ROLE_ADMIN' />" +
         "            <user name='bill' password='billspassword' authorities='ROLE_USER' />" +
         "        </user-service>" +
-        "    </authentication-provider>";
+        "    </authentication-provider>" +
+        "</authentication-manager>";
 
     static final String ACCESS_MANAGER_XML =
         "<b:bean id='accessDecisionManager' class='org.springframework.security.access.vote.AffirmativeBased'>" +

+ 10 - 8
core/src/test/resources/org/springframework/security/config/method-security.xml → config/src/test/resources/org/springframework/security/config/method-security.xml

@@ -4,7 +4,7 @@
     xmlns:b="http://www.springframework.org/schema/beans"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
-http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
+http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
 
     <b:bean id="target" class="org.springframework.security.config.TestBusinessBeanImpl">
         <!-- This will add a security interceptor to the bean -->
@@ -15,11 +15,13 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
         </intercept-methods>
     </b:bean>
 
-    <authentication-provider>
-        <user-service>
-            <user name="bob" password="bobspassword" authorities="ROLE_A,ROLE_B" />
-            <user name="bill" password="billspassword" authorities="ROLE_A,ROLE_B,AUTH_OTHER" />
-        </user-service>
-    </authentication-provider>
+    <authentication-manager>
+        <authentication-provider>
+            <user-service>
+                <user name="bob" password="bobspassword" authorities="ROLE_A,ROLE_B" />
+                <user name="bill" password="billspassword" authorities="ROLE_A,ROLE_B,AUTH_OTHER" />
+            </user-service>
+        </authentication-provider>
+    </authentication-manager>
 
-</b:beans>
+</b:beans>

+ 0 - 0
core/src/test/resources/org/springframework/security/config/users.properties → config/src/test/resources/org/springframework/security/config/users.properties


+ 6 - 4
samples/contacts/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -34,10 +34,12 @@
         <custom-filter ref="switchUserProcessingFilter" position="SWITCH_USER_FILTER"/>
     </http>
 
-    <authentication-provider>
-       <password-encoder hash="md5"/>
-       <jdbc-user-service data-source-ref="dataSource"/>
-    </authentication-provider>
+    <authentication-manager>
+        <authentication-provider>
+           <password-encoder hash="md5"/>
+           <jdbc-user-service data-source-ref="dataSource"/>
+        </authentication-provider>
+    </authentication-manager>
 
     <!-- Automatically receives AuthenticationEvent messages -->
     <b:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
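Review bot: The re-wrapped provider still carries `<password-encoder hash="md5"/>` with no salt source, so the sample stores unsalted MD5 password hashes; the same block appears in `applicationContext-contacts-test.xml` and in the tutorial sample's `applicationContext-security.xml`. Sample contexts tend to be copied into real applications, and changing the hash here would also mean regenerating the stored sample credentials, which this commit does not touch. While these lines are being moved I would at least add a comment above the encoder, `<!-- Sample only: unsalted MD5 is not an acceptable way to store real passwords -->`.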

+ 6 - 4
samples/contacts/src/test/resources/applicationContext-contacts-test.xml

@@ -17,10 +17,12 @@
         <expression-handler ref="expressionHandler"/>
     </global-method-security>
 
-    <authentication-provider>
-        <password-encoder hash="md5"/>
-        <jdbc-user-service data-source-ref="dataSource"/>
-    </authentication-provider>
+    <authentication-manager>
+        <authentication-provider>
+            <password-encoder hash="md5"/>
+            <jdbc-user-service data-source-ref="dataSource"/>
+        </authentication-provider>
+    </authentication-manager>
 
     <b:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
         <b:property name="permissionEvaluator">

+ 19 - 9
samples/openid/pom.xml

@@ -15,6 +15,16 @@
             <artifactId>spring-security-core</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-config</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-openid</artifactId>
@@ -40,14 +50,14 @@
             <artifactId>spring-aop</artifactId>
             <scope>runtime</scope>
         </dependency>
-		<dependency>
-			<groupId>javax.servlet</groupId>
-			<artifactId>jstl</artifactId>
-		</dependency>
-		<dependency>
-			<groupId>taglibs</groupId>
-			<artifactId>standard</artifactId>
-		</dependency>        
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>jstl</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>taglibs</groupId>
+            <artifactId>standard</artifactId>
+        </dependency>
     </dependencies>
 
     <build>
@@ -63,4 +73,4 @@
         </plugins>
     </build>
 
-</project>
+</project>

+ 3 - 19
samples/openid/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -10,33 +10,17 @@
     xmlns:b="http://www.springframework.org/schema/beans"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
-                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
 
     <http>
         <intercept-url pattern="/**" access="ROLE_USER"/>
-        <intercept-url pattern="/openidlogin.jsp*" filters="none"/>        
+        <intercept-url pattern="/openidlogin.jsp*" filters="none"/>
         <logout/>
         <openid-login login-page="/openidlogin.jsp" authentication-failure-url="/openidlogin.jsp?login_error=true" />
     </http>
 
-    <authentication-manager alias="authenticationManager"/>    
-<!-- 
-    <b:bean id="openIdFilter" class="org.springframework.security.ui.openid.OpenIDAuthenticationProcessingFilter">
-        <custom-filter />        
-        <b:property name="authenticationManager" ref="authenticationManager"/>
-        <b:property name="defaultTargetUrl" value="/index.jsp"/>
-        <b:property name="authenticationFailureUrl" value="/openidlogin.jsp?login_error=true"/>
-    </b:bean>
+    <authentication-manager alias="authenticationManager"/>
 
-    <b:bean id="openIdAuthenticationProvider" class="org.springframework.security.authentication.openid.OpenIDAuthenticationProvider">
-        <custom-authentication-provider />
-        <b:property name="userDetailsService" ref="userService"/>
-    </b:bean>
-
-    <b:bean id="entryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
-        <b:property name="loginFormUrl" value="/openidlogin.jsp" />
-    </b:bean>
--->
     <user-service id="userService">
         <user name="http://luke.taylor.myopenid.com/" password="notused" authorities="ROLE_SUPERVISOR,ROLE_USER" />
         <user name="http://luke.taylor.openid.cn/" password="notused" authorities="ROLE_SUPERVISOR,ROLE_USER" />
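Review bot: `<authentication-manager alias="authenticationManager"/>` is left empty here, while the commit description says the element must now contain the `authentication-provider` elements, and the commented-out `openIdAuthenticationProvider` bean is deleted in the same hunk. Presumably `<openid-login>` contributes the OpenID provider and picks up `userService` on its own, but nothing in the file says so and it cannot be confirmed from this hunk. Once that is verified I would add a comment above the element, `<!-- No nested providers: the OpenID provider is registered by <openid-login> -->`, or drop the element if the alias is unused.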

+ 6 - 5
samples/preauth/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -20,11 +20,12 @@
 
     <bean id="sif" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
 
-    <sec:authentication-manager alias="authenticationManager" />
-
-    <bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
-        <sec:custom-authentication-provider />
-        <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
+    <sec:authentication-manager alias="authenticationManager">
+        <sec:authentication-provider ref='preAuthenticatedAuthenticationProvider'/>
+    </sec:authentication-manager>
+
+    <bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
+        <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
     </bean>
 
     <bean id="preAuthenticatedUserDetailsService"

+ 11 - 11
samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -38,8 +38,6 @@
 
     </http>
 
-    <authentication-manager alias="authManager"/>
-
     <!--
     Usernames/Passwords are
         rod/koala
@@ -47,14 +45,16 @@
         scott/wombat
         peter/opal
     -->
-    <authentication-provider>
-        <password-encoder hash="md5"/>
-        <user-service>
-            <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
-            <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
-            <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
-            <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
-        </user-service>
-    </authentication-provider>
+    <authentication-manager>
+        <authentication-provider>
+            <password-encoder hash="md5"/>
+            <user-service>
+                <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
+                <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
+                <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
+                <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
+            </user-service>
+        </authentication-provider>
+    </authentication-manager>
 
 </beans:beans>