MiscHttpConfigTests groovy->java

Issue: gh-4939

config/src/test/groovy/org/springframework/security/config/http/MiscHttpConfigTests.groovy

@@ -1,804 +0,0 @@
-/*
- * Copyright 2002-2012 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *		http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.config.http
-
-import org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter
-import org.springframework.security.web.csrf.CsrfFilter
-import org.springframework.security.web.header.HeaderWriterFilter
-
-import java.security.Principal
-import javax.servlet.Filter
-import org.springframework.beans.BeansException
-import org.springframework.beans.factory.BeanCreationException
-import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer
-import org.springframework.beans.factory.parsing.BeanDefinitionParsingException
-import org.springframework.mock.web.MockFilterChain
-import org.springframework.mock.web.MockHttpServletRequest
-import org.springframework.mock.web.MockHttpServletResponse
-import org.springframework.security.access.AccessDeniedException
-import org.springframework.security.access.SecurityConfig
-import org.springframework.security.authentication.AnonymousAuthenticationProvider;
-import org.springframework.security.authentication.TestingAuthenticationToken
-import org.springframework.security.config.BeanIds
-import org.springframework.security.config.MockUserServiceBeanPostProcessor
-import org.springframework.security.config.PostProcessedMockUserDetailsService
-import org.springframework.security.config.util.InMemoryXmlApplicationContext
-import org.springframework.security.core.authority.AuthorityUtils
-import org.springframework.security.core.context.SecurityContext
-import org.springframework.security.core.context.SecurityContextHolder
-import org.springframework.security.openid.OpenIDAuthenticationFilter
-import org.springframework.security.util.FieldUtils
-import org.springframework.security.web.FilterChainProxy
-import org.springframework.security.web.PortMapperImpl
-import org.springframework.security.web.access.ExceptionTranslationFilter
-import org.springframework.security.web.access.channel.ChannelProcessingFilter
-import org.springframework.security.web.access.intercept.FilterSecurityInterceptor
-import org.springframework.security.web.authentication.AnonymousAuthenticationFilter
-import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint
-import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
-import org.springframework.security.web.authentication.logout.LogoutFilter
-import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler
-import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter
-import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter
-import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint
-import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
-import org.springframework.security.web.context.HttpSessionSecurityContextRepository
-import org.springframework.security.web.context.SecurityContextPersistenceFilter
-import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
-import org.springframework.security.web.debug.DebugFilter;
-import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter
-import org.springframework.security.web.savedrequest.HttpSessionRequestCache
-import org.springframework.security.web.savedrequest.RequestCacheAwareFilter
-import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
-import org.springframework.security.web.session.SessionManagementFilter
-import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler
-import org.springframework.security.web.firewall.DefaultHttpFirewall
-import org.springframework.security.BeanNameCollectingPostProcessor
-import org.springframework.security.authentication.dao.DaoAuthenticationProvider
-import org.springframework.security.access.vote.RoleVoter
-import org.springframework.security.web.access.expression.WebExpressionVoter
-import org.springframework.security.access.vote.AffirmativeBased
-import org.springframework.security.access.PermissionEvaluator
-import org.springframework.security.core.Authentication
-import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher
-import org.springframework.security.authentication.AuthenticationManager
-
-
-/**
- *
- * @author Luke Taylor
- * @author Rob Winch
- */
-class MiscHttpConfigTests extends AbstractHttpConfigTests {
-
-	def 'Minimal configuration parses'() {
-		setup:
-		xml.http {
-			'http-basic'()
-		}
-		createAppContext()
-	}
-
-	def httpAutoConfigSetsUpCorrectFilterList() {
-		when:
-		xml.http('auto-config': 'true')
-		createAppContext()
-
-		then:
-		filtersMatchExpectedAutoConfigList('/anyurl');
-	}
-
-	void filtersMatchExpectedAutoConfigList(String url) {
-		def filterList = getFilters(url);
-		Iterator<Filter> filters = filterList.iterator();
-
-		assert filters.next() instanceof SecurityContextPersistenceFilter
-		assert filters.next() instanceof WebAsyncManagerIntegrationFilter
-		assert filters.next() instanceof HeaderWriterFilter
-		assert filters.next() instanceof CsrfFilter
-		assert filters.next() instanceof LogoutFilter
-		Object authProcFilter = filters.next();
-		assert authProcFilter instanceof UsernamePasswordAuthenticationFilter
-		assert filters.next() instanceof DefaultLoginPageGeneratingFilter
-		assert filters.next() instanceof DefaultLogoutPageGeneratingFilter
-		assert filters.next() instanceof BasicAuthenticationFilter
-		assert filters.next() instanceof RequestCacheAwareFilter
-		assert filters.next() instanceof SecurityContextHolderAwareRequestFilter
-		assert filters.next() instanceof AnonymousAuthenticationFilter
-		assert filters.next() instanceof SessionManagementFilter
-		assert filters.next() instanceof ExceptionTranslationFilter
-		Object fsiObj = filters.next();
-		assert fsiObj instanceof FilterSecurityInterceptor
-		def fsi = (FilterSecurityInterceptor) fsiObj;
-		assert fsi.isObserveOncePerRequest()
-	}
-
-	def filterListShouldBeEmptyForPatternWithNoFilters() {
-		xml.debug()
-		xml.http(pattern: '/unprotected', security: 'none')
-		httpAutoConfig() {}
-		createAppContext()
-
-		expect:
-		getFilters("/unprotected").size() == 0
-	}
-
-	def debugFilterHandlesMissingAndEmptyFilterChains() {
-		when:
-		xml.debug()
-		xml.http(pattern: '/unprotected', security: 'none')
-		createAppContext()
-		then:
-		Filter debugFilter = appContext.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN);
-		MockHttpServletRequest request = new MockHttpServletRequest("GET", "")
-		request.setServletPath("/unprotected");
-		debugFilter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
-		request.setServletPath("/nomatch");
-		debugFilter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
-	}
-
-	def regexPathsWorkCorrectly() {
-		xml.http(pattern: '\\A\\/[a-z]+', security: 'none', 'request-matcher': 'regex')
-		httpAutoConfig() {}
-		createAppContext()
-
-		expect:
-		getFilters('/imlowercase').size() == 0
-		filtersMatchExpectedAutoConfigList('/MixedCase');
-	}
-
-	def ciRegexPathsWorkCorrectly() {
-		when:
-		xml.http(pattern: '\\A\\/[a-z]+', security: 'none', 'request-matcher': 'ciRegex')
-		httpAutoConfig() {}
-		createAppContext()
-
-		then:
-		getFilters('/imMixedCase').size() == 0
-		filtersMatchExpectedAutoConfigList('/Im_caught_by_the_Universal_Match');
-	}
-
-	def requestMatcherRefWorksCorrectly() {
-		xml.http('request-matcher-ref': 'matcher', security: 'none')
-		bean('matcher', AntPathRequestMatcher.class.name, ['/nofilters'])
-		httpAutoConfig() {}
-		createAppContext()
-
-		expect:
-		getFilters('/nofilters').size() == 0
-		filtersMatchExpectedAutoConfigList('/somethingElse');
-	}
-
-	// SEC-1152
-	def anonymousFilterIsAddedByDefault() {
-		xml.http {
-			'form-login'()
-		}
-		createAppContext()
-
-		expect:
-		getFilters("/anything")[9] instanceof AnonymousAuthenticationFilter
-	}
-
-	def anonymousFilterIsRemovedIfDisabledFlagSet() {
-		xml.http {
-			'form-login'()
-			'anonymous'(enabled: 'false')
-		}
-		createAppContext()
-
-		expect:
-		!(getFilters("/anything").get(9) instanceof AnonymousAuthenticationFilter)
-	}
-
-	def anonymousCustomAttributesAreSetCorrectly() {
-		xml.http {
-			'form-login'()
-			'anonymous'(username: 'joe', 'granted-authority':'anonymity', key: 'customKey')
-		}
-		createAppContext()
-
-		AnonymousAuthenticationFilter filter = getFilter(AnonymousAuthenticationFilter);
-		def providers = appContext.getBeansOfType(AuthenticationManager).values()*.providers.flatten()
-
-		expect:
-		'customKey' == providers.find { it instanceof AnonymousAuthenticationProvider }.key
-		'customKey' == filter.key
-		'joe' == filter.principal
-		'anonymity' == filter.authorities[0].authority
-	}
-
-	def anonymousSupportsMultipleGrantedAuthorities() {
-		xml.http {
-			'form-login'()
-			'anonymous'(username: 'joe', 'granted-authority':'ROLE_INVITADO,ROLE_PROFILE_INVITADO,ROLE_GRUPO_PUBLICO', key: 'customKey')
-		}
-		createAppContext()
-
-		AnonymousAuthenticationFilter filter = getFilter(AnonymousAuthenticationFilter);
-		def providers = appContext.getBeansOfType(AuthenticationManager).values()*.providers.flatten()
-
-		expect:
-		'customKey' == providers.find { it instanceof AnonymousAuthenticationProvider }.key
-		'customKey' == filter.key
-		'joe' == filter.principal
-		['ROLE_INVITADO','ROLE_PROFILE_INVITADO','ROLE_GRUPO_PUBLICO'] == filter.authorities*.authority
-	}
-
-	def httpMethodMatchIsSupported() {
-		httpAutoConfig {
-			interceptUrl '/secure*', 'DELETE', 'ROLE_SUPERVISOR'
-			interceptUrl '/secure*', 'POST', 'ROLE_A,ROLE_B'
-			interceptUrl '/**', 'ROLE_C'
-		}
-		createAppContext()
-
-		def fids = getFilter(FilterSecurityInterceptor).getSecurityMetadataSource();
-		def attrs = fids.getAttributes(createFilterinvocation("/secure", "POST"));
-
-		expect:
-		attrs.size() == 2
-		attrs.contains(new SecurityConfig("ROLE_A"))
-		attrs.contains(new SecurityConfig("ROLE_B"))
-	}
-
-	 def httpMethodMatchIsSupportedForRequiresChannel() {
-		 httpAutoConfig {
-			 'intercept-url'(pattern: '/anyurl')
-			 'intercept-url'(pattern: '/anyurl', 'method':'GET',access: 'ROLE_ADMIN', 'requires-channel': 'https')
-		 }
-		 createAppContext()
-
-		 def fids = getFilter(ChannelProcessingFilter).getSecurityMetadataSource();
-		 def attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET"));
-		 def attrsPost = fids.getAttributes(createFilterinvocation("/anyurl", "POST"));
-
-		 expect:
-		 attrs.size() == 1
-		 attrs.contains(new SecurityConfig("REQUIRES_SECURE_CHANNEL"))
-		 attrsPost == null
-	 }
-
-	 def httpMethodMatchIsSupportedForRequiresChannelAny() {
-		 httpAutoConfig {
-			 'intercept-url'(pattern: '/**')
-			 'intercept-url'(pattern: '/**', 'method':'GET',access: 'ROLE_ADMIN', 'requires-channel': 'https')
-		 }
-		 createAppContext()
-
-		 def fids = getFilter(ChannelProcessingFilter).getSecurityMetadataSource();
-		 def attrs = fids.getAttributes(createFilterinvocation("/anyurl", "GET"));
-		 def attrsPost = fids.getAttributes(createFilterinvocation("/anyurl", "POST"));
-
-		 expect:
-		 attrs.size() == 1
-		 attrs.contains(new SecurityConfig("REQUIRES_SECURE_CHANNEL"))
-		 attrsPost == null
-	 }
-
-	def oncePerRequestAttributeIsSupported() {
-		xml.http('once-per-request': 'false') {
-			'http-basic'()
-		}
-		createAppContext()
-
-		expect:
-		!getFilter(FilterSecurityInterceptor).isObserveOncePerRequest()
-	}
-
-	def httpBasicSupportsSeparateEntryPoint() {
-		xml.http() {
-			'http-basic'('entry-point-ref': 'ep')
-		}
-		bean('ep', BasicAuthenticationEntryPoint.class.name, ['realmName':'whocares'],[:])
-		createAppContext();
-
-		def baf = getFilter(BasicAuthenticationFilter)
-		def etf = getFilter(ExceptionTranslationFilter)
-		def ep = appContext.getBean("ep")
-
-		expect:
-		baf.authenticationEntryPoint == ep
-		// Since no other authentication system is in use, this should also end up on the ETF
-		etf.authenticationEntryPoint == ep
-	}
-
-	def interceptUrlWithRequiresChannelAddsChannelFilterToStack() {
-		httpAutoConfig {
-			'intercept-url'(pattern: '/**', 'requires-channel': 'https')
-		}
-		createAppContext();
-		List filters = getFilters("/someurl");
-
-		expect:
-		filters.size() == AUTO_CONFIG_FILTERS + 1
-		filters[0] instanceof ChannelProcessingFilter
-	}
-
-	def portMappingsAreParsedCorrectly() {
-		httpAutoConfig {
-			'port-mappings'() {
-				'port-mapping'(http: '9080', https: '9443')
-			}
-		}
-		createAppContext();
-
-		def pm = (appContext.getBeansOfType(PortMapperImpl).values() as List)[0];
-
-		expect:
-		pm.getTranslatedPortMappings().size() == 1
-		pm.lookupHttpPort(9443) == 9080
-		pm.lookupHttpsPort(9080) == 9443
-	}
-
-	def externalFiltersAreTreatedCorrectly() {
-		httpAutoConfig {
-			'custom-filter'(position: 'FIRST', ref: '${customFilterRef}')
-			'custom-filter'(after: 'LOGOUT_FILTER', ref: 'userFilter')
-			'custom-filter'(before: 'SECURITY_CONTEXT_FILTER', ref: 'userFilter1')
-		}
-		bean('phc', PropertyPlaceholderConfigurer)
-		bean('userFilter', SecurityContextHolderAwareRequestFilter)
-		bean('userFilter1', SecurityContextPersistenceFilter)
-
-		System.setProperty('customFilterRef', 'userFilter')
-		createAppContext();
-
-		def filters = getFilters("/someurl");
-
-		expect:
-		AUTO_CONFIG_FILTERS + 3 == filters.size();
-		filters[0] instanceof SecurityContextHolderAwareRequestFilter
-		filters[1] instanceof SecurityContextPersistenceFilter
-		filters[7] instanceof SecurityContextHolderAwareRequestFilter
-		filters[1] instanceof SecurityContextPersistenceFilter
-	}
-
-	def twoFiltersWithSameOrderAreRejected() {
-		when:
-		httpAutoConfig {
-			'custom-filter'(position: 'LOGOUT_FILTER', ref: 'userFilter')
-		}
-		bean('userFilter', SecurityContextHolderAwareRequestFilter)
-		createAppContext();
-
-		then:
-		thrown(BeanDefinitionParsingException)
-	}
-
-	def x509SupportAddsFilterAtExpectedPosition() {
-		httpAutoConfig {
-			x509()
-		}
-		createAppContext()
-
-		expect:
-		getFilters("/someurl")[5] instanceof X509AuthenticationFilter
-	}
-
-	def x509SubjectPrincipalRegexCanBeSetUsingPropertyPlaceholder() {
-		httpAutoConfig {
-			x509('subject-principal-regex':'${subject-principal-regex}')
-		}
-		bean('phc', PropertyPlaceholderConfigurer.class.name)
-		System.setProperty("subject-principal-regex", "uid=(.*),");
-		createAppContext()
-		def filter = getFilter(X509AuthenticationFilter)
-
-		expect:
-		filter.principalExtractor.subjectDnPattern.pattern() == "uid=(.*),"
-	}
-
-	def invalidLogoutSuccessUrlIsDetected() {
-		when:
-		xml.http {
-			'form-login'()
-			'logout'('logout-success-url': 'noLeadingSlash')
-		}
-		createAppContext()
-
-		then:
-		BeanCreationException e = thrown()
-	}
-
-	def cookiesToDeleteOnLogoutUrlAddsCorrectLogoutHandler() {
-		xml.http {
-			'logout'('delete-cookies': 'JSESSIONID, mycookie')
-			'form-login'()
-		}
-		createAppContext()
-		def handlers = getFilter(LogoutFilter).handler.logoutHandlers
-
-		expect:
-		handlers[2] instanceof CookieClearingLogoutHandler
-		handlers[2].cookiesToClear[0] == 'JSESSIONID'
-		handlers[2].cookiesToClear[1] == 'mycookie'
-	}
-
-	def logoutSuccessHandlerIsSetCorrectly() {
-		xml.http {
-			'form-login'()
-			'logout'('success-handler-ref': 'logoutHandler')
-		}
-		bean('logoutHandler', SimpleUrlLogoutSuccessHandler)
-		createAppContext()
-
-		LogoutFilter filter = getFilter(LogoutFilter);
-
-		expect:
-		FieldUtils.getFieldValue(filter, "logoutSuccessHandler") == appContext.getBean("logoutHandler")
-	}
-
-	def externalRequestCacheIsConfiguredCorrectly() {
-		httpAutoConfig {
-			'request-cache'(ref: 'cache')
-		}
-		bean('cache', HttpSessionRequestCache.class.name)
-		createAppContext()
-
-		expect:
-		appContext.getBean("cache") == getFilter(ExceptionTranslationFilter.class).requestCache
-	}
-
-	def customEntryPointIsSupported() {
-		xml.http('auto-config': 'true', 'entry-point-ref': 'entryPoint') {}
-		bean('entryPoint', MockEntryPoint.class.name)
-		createAppContext()
-
-		expect:
-		getFilter(ExceptionTranslationFilter).getAuthenticationEntryPoint() instanceof MockEntryPoint
-	}
-
-	/**
-	 * See SEC-750. If the http security post processor causes beans to be instantiated too eagerly, they way miss
-	 * additional processing. In this method we have a UserDetailsService which is referenced from the namespace
-	 * and also has a post processor registered which will modify it.
-	 */
-	def httpElementDoesntInterfereWithBeanPostProcessing() {
-		xml.http('auto-config': 'true', 'entry-point-ref': 'entryPoint') {}
-		xml.'authentication-manager'() {
-			'authentication-provider'('user-service-ref': 'myUserService')
-			'authentication-provider'('ref': 'authProvider')
-		}
-		bean('authProvider', DaoAuthenticationProvider.class.name, [:], [userDetailsService: 'myUserService'])
-		bean('entryPoint', MockEntryPoint.class.name)
-		bean('myUserService', PostProcessedMockUserDetailsService)
-		bean('userServicePostProcessor', MockUserServiceBeanPostProcessor)
-		bean('nameCollectingPostProcessor', BeanNameCollectingPostProcessor)
-		createAppContext("")
-		def beanPP = appContext.getBean("nameCollectingPostProcessor")
-		Set preInitPPBeans = beanPP.beforeInitPostProcessedBeans
-		Set postInitPPBeans = beanPP.afterInitPostProcessedBeans
-		Set expectedBeans = ['authProvider', 'entryPoint', 'myUserService'] as Set
-
-		expect:
-		appContext.getBean("myUserService").getPostProcessorWasHere() == "Hello from the post processor!"
-		preInitPPBeans.containsAll(expectedBeans)
-		postInitPPBeans.containsAll(expectedBeans)
-	}
-
-	/* SEC-934 */
-	def supportsTwoIdenticalInterceptUrls() {
-		httpAutoConfig {
-			interceptUrl ('/someUrl', 'ROLE_A')
-			interceptUrl ('/someUrl', 'ROLE_B')
-		}
-		createAppContext()
-		def fis = getFilter(FilterSecurityInterceptor)
-		def fids = fis.securityMetadataSource
-		Collection attrs = fids.getAttributes(createFilterinvocation("/someUrl", null));
-
-		expect:
-		attrs.size() == 1
-		attrs.contains(new SecurityConfig("ROLE_B"))
-	}
-
-	def supportsExternallyDefinedSecurityContextRepository() {
-		xml.http('create-session': 'always', 'security-context-repository-ref': 'repo') {
-			'http-basic'()
-		}
-		bean('repo', HttpSessionSecurityContextRepository)
-		createAppContext()
-
-		def filter = getFilter(SecurityContextPersistenceFilter)
-
-		expect:
-		filter.repo == appContext.getBean('repo')
-		filter.forceEagerSessionCreation
-	}
-
-	def expressionBasedAccessAllowsAndDeniesAccessAsExpected() {
-		setup:
-		xml.http('auto-config': 'true', 'use-expressions': 'true') {
-			interceptUrl('/secure*', "hasAnyRole('ROLE_A','ROLE_C')")
-			interceptUrl('/**', 'permitAll')
-		}
-		createAppContext()
-
-		def fis = getFilter(FilterSecurityInterceptor)
-		def fids = fis.getSecurityMetadataSource()
-		Collection attrs = fids.getAttributes(createFilterinvocation("/secure", null));
-		assert 1 == attrs.size()
-
-		when: "Unprotected URL"
-		SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("joe", "", "ROLE_A"));
-		fis.invoke(createFilterinvocation("/permitallurl", null));
-		then:
-		notThrown(AccessDeniedException)
-
-		when: "Invoking secure Url as a valid user"
-		fis.invoke(createFilterinvocation("/secure", null));
-		then:
-		notThrown(AccessDeniedException)
-
-		when: "User does not have the required role"
-		SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("joe", "", "ROLE_B"));
-		fis.invoke(createFilterinvocation("/secure", null));
-		then:
-		thrown(AccessDeniedException)
-	}
-
-	def expressionBasedAccessSupportsExternalExpressionHandler() {
-		setup:
-		xml.http('auto-config': 'true', 'use-expressions': 'true') {
-			interceptUrl('/**', "hasPermission('AnyObject','R')")
-			'expression-handler'(ref: 'expressionHandler')
-		}
-		bean('expressionHandler', DefaultWebSecurityExpressionHandler.class.name, [:], [permissionEvaluator: 'pe'])
-		bean('pe', MockPermissionEvaluator)
-		createAppContext()
-
-		def fis = getFilter(FilterSecurityInterceptor)
-
-		when: "Invoking allowed URL protected by hasPermission() expression succeeds"
-		SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("joe", "", "ANY"));
-		fis.invoke(createFilterinvocation("/secure", null));
-		then:
-		notThrown(AccessDeniedException)
-	}
-
-	def protectedLoginPageReportsWarning() {
-		when:
-		xml.http('use-expressions': 'true') {
-			'form-login'('login-page': '/login')
-			interceptUrl('/login*', "hasRole('ROLE_A')")
-		}
-		createAppContext()
-		then:
-		notThrown(BeansException)
-	}
-
-	def disablingUrlRewritingThroughTheNamespaceSetsCorrectPropertyOnContextRepo() {
-		xml.http('auto-config': 'true', 'disable-url-rewriting': 'true')
-		createAppContext()
-
-		expect:
-		getFilter(SecurityContextPersistenceFilter).repo.disableUrlRewriting
-	}
-
-	def userDetailsServiceInParentContextIsLocatedSuccessfully() {
-		when:
-		createAppContext()
-		httpAutoConfig {
-			'remember-me'
-		}
-		appContext = new InMemoryXmlApplicationContext(writer.toString(), appContext)
-
-		then:
-		notThrown(BeansException)
-	}
-
-	def httpConfigWithNoAuthProvidersWorksOk() {
-		when: "Http config has no internal authentication providers"
-		xml.debug()
-		xml.http() {
-			'form-login'()
-			csrf(disabled:true)
-			anonymous(enabled: 'false')
-		}
-		createAppContext()
-		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/login");
-		request.setServletPath("/login");
-		request.addParameter("username", "bob");
-		request.addParameter("password", "bobspassword");
-		then: "App context creation and login request succeed"
-		DebugFilter debugFilter = appContext.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN);
-		debugFilter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
-		appListener.events.size() == 2
-		appListener.authenticationEvents.size() == 2
-	}
-
-	def eraseCredentialsDefaultsToTrue() {
-		xml.http() {
-			'form-login'()
-		}
-		createAppContext()
-		expect:
-		getFilter(UsernamePasswordAuthenticationFilter).authenticationManager.eraseCredentialsAfterAuthentication
-	}
-
-	def eraseCredentialsIsSetFromParentAuthenticationManager() {
-		xml.http() {
-			'form-login'()
-		}
-		createAppContext("<authentication-manager erase-credentials='false' />");
-		expect:
-		!getFilter(UsernamePasswordAuthenticationFilter).authenticationManager.eraseCredentialsAfterAuthentication
-	}
-
-	def 'SEC-2020 authentication-manager@erase-credentials with http@authentication-manager-ref'() {
-		xml.http('authentication-manager-ref':'authMgr') {
-			'form-login'()
-		}
-		createAppContext("<authentication-manager id='authMgr' erase-credentials='false' />");
-		expect:
-		def authManager = getFilter(UsernamePasswordAuthenticationFilter).authenticationManager
-		!authManager.eraseCredentialsAfterAuthentication
-		!authManager.parent.eraseCredentialsAfterAuthentication
-	}
-
-	def 'authentication-manager@erase-credentials with http@authentication-manager-ref not ProviderManager'() {
-		xml.http('authentication-manager-ref':'authMgr') {
-			'form-login'()
-		}
-		xml.'b:bean'(id: 'authMgr', 'class': MockAuthenticationManager.class.name)
-		createAppContext()
-		expect:
-		def authManager = getFilter(UsernamePasswordAuthenticationFilter).authenticationManager
-		!authManager.eraseCredentialsAfterAuthentication
-		authManager.parent instanceof MockAuthenticationManager
-	}
-
-	def jeeFilterExtractsExpectedRoles() {
-		xml.http() {
-			jee('mappable-roles': 'admin,user,a,b,c')
-		}
-		createAppContext()
-		FilterChainProxy fcp = appContext.getBean(BeanIds.FILTER_CHAIN_PROXY)
-		Principal p = Mock(Principal)
-		p.getName() >> 'joe'
-
-		when:
-
-		MockHttpServletRequest request = new MockHttpServletRequest("GET","/something")
-		request.setUserPrincipal(p)
-		request.addUserRole('admin')
-		request.addUserRole('user')
-		request.addUserRole('c')
-		request.addUserRole('notmapped')
-		fcp.doFilter(request, new MockHttpServletResponse(), new MockFilterChain())
-		SecurityContext ctx = request.getSession().getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
-		Set<String> roles = AuthorityUtils.authorityListToSet(ctx.getAuthentication().getAuthorities());
-
-		then:
-		roles.size() == 3
-		roles.contains 'ROLE_admin'
-		roles.contains 'ROLE_user'
-		roles.contains 'ROLE_c'
-	}
-
-	def authenticationDetailsSourceInjectionSucceeds() {
-		xml.http() {
-			'form-login'('authentication-details-source-ref' : 'adsr')
-			'openid-login' ('authentication-details-source-ref' : 'adsr')
-			'http-basic' ('authentication-details-source-ref' : 'adsr')
-			'x509' ('authentication-details-source-ref' : 'adsr')
-		}
-		bean('adsr', 'org.springframework.security.web.authentication.WebAuthenticationDetailsSource')
-		createAppContext()
-		def adsr = appContext.getBean('adsr')
-		expect:
-		getFilter(UsernamePasswordAuthenticationFilter).authenticationDetailsSource == adsr
-		getFilter(OpenIDAuthenticationFilter).authenticationDetailsSource == adsr
-		getFilter(BasicAuthenticationFilter).authenticationDetailsSource == adsr
-		getFilter(X509AuthenticationFilter).authenticationDetailsSource == adsr
-	}
-
-	def includeJaasApiIntegrationFilter() {
-		xml.http(['auto-config':'true','jaas-api-provision':'true'])
-		createAppContext()
-		expect:
-		getFilter(JaasApiIntegrationFilter.class) != null
-	}
-
-	def httpFirewallInjectionIsSupported() {
-		xml.'http-firewall'(ref: 'fw')
-		xml.http() {
-			 'form-login'()
-		}
-		bean('fw', DefaultHttpFirewall)
-		createAppContext()
-		FilterChainProxy fcp = appContext.getBean(BeanIds.FILTER_CHAIN_PROXY)
-		expect:
-		fcp.firewall == appContext.getBean('fw')
-	}
-
-	def customAccessDecisionManagerIsSupported() {
-		xml.http('auto-config': 'true', 'access-decision-manager-ref': 'adm')
-		xml.'b:bean'(id: 'adm', 'class': AffirmativeBased.class.name) {
-			'b:constructor-arg' {
-				'b:list'() {
-					'b:bean'('class': RoleVoter.class.name)
-					'b:bean'('class': RoleVoter.class.name)
-					'b:bean'('class': RoleVoter.class.name)
-					'b:bean'('class': WebExpressionVoter.class.name)
-				}
-			}
-		}
-		createAppContext()
-		expect:
-		getFilter(FilterSecurityInterceptor.class).accessDecisionManager.decisionVoters[3] instanceof WebExpressionVoter
-	}
-
-	def customAuthenticationManagerIsSupported() {
-		xml.http('auto-config': 'true', 'authentication-manager-ref': 'am')
-		xml.'b:bean'(id: 'am', 'class': MockAuthenticationManager.class.name)
-		createAppContext("")
-		expect:
-		getFilter(UsernamePasswordAuthenticationFilter.class).authenticationManager.parent instanceof MockAuthenticationManager
-	}
-
-	// SEC-1893
-	def customPortMappings() {
-		when: 'A custom port-mappings is registered'
-		def expectedHttpsPortMappings = [8443:8080]
-		xml.http('auto-config': 'true') {
-			'intercept-url'('pattern':'/**','requires-channel':'https')
-			'port-mappings' {
-				'port-mapping'(http:'8443',https:'8080')
-			}
-		}
-		createAppContext()
-
-		then: 'All the components created by the namespace use that port mapping'
-		getFilter(RequestCacheAwareFilter.class).requestCache.portResolver.portMapper.httpsPortMappings == expectedHttpsPortMappings
-
-		def channelProcessors = getFilter(ChannelProcessingFilter.class).channelDecisionManager.channelProcessors
-		channelProcessors.size() == 2
-		channelProcessors.each { cp->
-			cp.entryPoint.portMapper.httpsPortMappings == expectedHttpsPortMappings
-			cp.entryPoint.portResolver.portMapper.httpsPortMappings == expectedHttpsPortMappings
-		}
-
-		def authEntryPoint = getFilter(ExceptionTranslationFilter.class).authenticationEntryPoint
-		authEntryPoint.portMapper.httpsPortMappings == expectedHttpsPortMappings
-		authEntryPoint.portResolver.portMapper.httpsPortMappings == expectedHttpsPortMappings
-	}
-}
-
-class MockAuthenticationManager implements AuthenticationManager {
-	Authentication authenticate(Authentication authentication) {
-		return null
-	}
-}
-
-class MockPermissionEvaluator implements PermissionEvaluator {
-	boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
-		return true
-	}
-
-	boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
-		return true
-	}
-
-}
-
-class MockEntryPoint extends LoginUrlAuthenticationEntryPoint {
-	public MockEntryPoint() {
-		super("/notused");
-	}
-}

config/src/test/java/org/springframework/security/BeanNameCollectingPostProcessor.java

@@ -15,11 +15,12 @@
  */
 package org.springframework.security;
 
+import java.util.HashSet;
+import java.util.Set;
+
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.config.BeanPostProcessor;
 
-import java.util.*;
-
 /**
  * @author Luke Taylor
  */
@@ -42,4 +43,12 @@ public class BeanNameCollectingPostProcessor implements BeanPostProcessor {
 		}
 		return bean;
 	}
+
+	public Set<String> getBeforeInitPostProcessedBeans() {
+		return beforeInitPostProcessedBeans;
+	}
+
+	public Set<String> getAfterInitPostProcessedBeans() {
+		return afterInitPostProcessedBeans;
+	}
 }

config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java

@@ -0,0 +1,987 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.http;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.security.AccessController;
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.spi.LoginModule;
+import javax.servlet.Filter;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+import ch.qos.logback.classic.Logger;
+import ch.qos.logback.classic.spi.ILoggingEvent;
+import ch.qos.logback.core.Appender;
+import org.apache.http.HttpStatus;
+import org.assertj.core.api.iterable.Extractor;
+import org.junit.Rule;
+import org.junit.Test;
+import org.mockito.stubbing.Answer;
+import org.slf4j.LoggerFactory;
+
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.BeanCreationException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.parsing.BeanDefinitionParsingException;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.security.BeanNameCollectingPostProcessor;
+import org.springframework.security.access.AccessDecisionManager;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.authentication.jaas.AuthorityGranter;
+import org.springframework.security.config.test.SpringTestRule;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.security.openid.OpenIDAuthenticationFilter;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.access.ExceptionTranslationFilter;
+import org.springframework.security.web.access.channel.ChannelProcessingFilter;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.authentication.logout.LogoutFilter;
+import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
+import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
+import org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.context.HttpRequestResponseHolder;
+import org.springframework.security.web.context.SecurityContextPersistenceFilter;
+import org.springframework.security.web.context.SecurityContextRepository;
+import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
+import org.springframework.security.web.csrf.CsrfFilter;
+import org.springframework.security.web.firewall.FirewalledRequest;
+import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.header.HeaderWriterFilter;
+import org.springframework.security.web.savedrequest.RequestCache;
+import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
+import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
+import org.springframework.security.web.session.SessionManagementFilter;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.context.support.XmlWebApplicationContext;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.atLeastOnce;
+import static org.mockito.Mockito.doAnswer;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.x509;
+import static org.springframework.test.util.ReflectionTestUtils.getField;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+
+/**
+ *
+ * @author Luke Taylor
+ * @author Rob Winch
+ */
+public class MiscHttpConfigTests {
+	private static final String CONFIG_LOCATION_PREFIX =
+			"classpath:org/springframework/security/config/http/MiscHttpConfigTests";
+
+	@Autowired
+	MockMvc mvc;
+
+	@Rule
+	public final SpringTestRule spring = new SpringTestRule();
+
+	@Test
+	public void configureWhenUsingMinimalConfigurationThenParses() {
+		this.spring.configLocations(xml("MinimalConfiguration")).autowire();
+	}
+
+	@Test
+	public void configureWhenUsingAutoConfigThenSetsUpCorrectFilterList() {
+		this.spring.configLocations(xml("AutoConfig")).autowire();
+		assertThatFiltersMatchExpectedAutoConfigList();
+	}
+
+	@Test
+	public void configureWhenUsingSecurityNoneThenNoFiltersAreSetUp() {
+		this.spring.configLocations(xml("NoSecurityForPattern")).autowire();
+		assertThat(getFilters("/unprotected")).isEmpty();
+	}
+
+	@Test
+	public void requestWhenUsingDebugFilterAndPatternIsNotConfigureForSecurityThenRespondsOk()
+			throws Exception {
+
+		this.spring.configLocations(xml("NoSecurityForPattern")).autowire();
+
+		this.mvc.perform(get("/unprotected"))
+			.andExpect(status().isNotFound());
+
+		this.mvc.perform(get("/nomatch"))
+				.andExpect(status().isNotFound());
+	}
+
+	@Test
+	public void requestWhenHttpPatternUsesRegexMatchingThenMatchesAccordingly()
+			throws Exception {
+
+		this.spring.configLocations(xml("RegexSecurityPattern")).autowire();
+
+		this.mvc.perform(get("/protected"))
+				.andExpect(status().isUnauthorized());
+
+		this.mvc.perform(get("/unprotected"))
+				.andExpect(status().isNotFound());
+	}
+
+	@Test
+	public void requestWhenHttpPatternUsesCiRegexMatchingThenMatchesAccordingly()
+			throws Exception {
+
+		this.spring.configLocations(xml("CiRegexSecurityPattern")).autowire();
+
+		this.mvc.perform(get("/ProTectEd"))
+				.andExpect(status().isUnauthorized());
+
+		this.mvc.perform(get("/UnProTectEd"))
+				.andExpect(status().isNotFound());
+	}
+
+	@Test
+	public void requestWhenHttpPatternUsesCustomRequestMatcherThenMatchesAccordingly()
+			throws Exception {
+
+		this.spring.configLocations(xml("CustomRequestMatcher")).autowire();
+
+		this.mvc.perform(get("/protected"))
+				.andExpect(status().isUnauthorized());
+
+		this.mvc.perform(get("/unprotected"))
+				.andExpect(status().isNotFound());
+	}
+
+	/**
+	 * SEC-1152
+	 */
+	@Test
+	public void requestWhenUsingMinimalConfigurationThenHonorsAnonymousEndpoints()
+			throws Exception {
+
+		this.spring.configLocations(xml("AnonymousEndpoints")).autowire();
+
+		this.mvc.perform(get("/protected"))
+				.andExpect(status().isUnauthorized());
+
+		this.mvc.perform(get("/unprotected"))
+				.andExpect(status().isNotFound());
+
+		assertThat(getFilter(AnonymousAuthenticationFilter.class)).isNotNull();
+	}
+
+	@Test
+	public void requestWhenAnonymousIsDisabledThenRejectsAnonymousEndpoints()
+			throws Exception {
+
+		this.spring.configLocations(xml("AnonymousDisabled")).autowire();
+
+		this.mvc.perform(get("/protected"))
+				.andExpect(status().isUnauthorized());
+
+		this.mvc.perform(get("/unprotected"))
+				.andExpect(status().isUnauthorized());
+
+		assertThat(getFilter(AnonymousAuthenticationFilter.class)).isNull();
+	}
+
+	@Test
+	public void requestWhenAnonymousUsesCustomAttributesThenRespondsWithThoseAttributes()
+			throws Exception {
+
+		this.spring.configLocations(xml("AnonymousCustomAttributes")).autowire();
+
+		this.mvc.perform(get("/protected")
+				.with(httpBasic("user", "password")))
+				.andExpect(status().isForbidden());
+
+		this.mvc.perform(get("/protected"))
+				.andExpect(status().isOk())
+				.andExpect(content().string("josh"));
+
+		this.mvc.perform(get("/customKey"))
+				.andExpect(status().isOk())
+				.andExpect(content().string(String.valueOf("myCustomKey".hashCode())));
+	}
+
+	@Test
+	public void requestWhenAnonymousUsesMultipleGrantedAuthoritiesThenRespondsWithThoseAttributes()
+			throws Exception {
+
+		this.spring.configLocations(xml("AnonymousMultipleAuthorities")).autowire();
+
+		this.mvc.perform(get("/protected")
+				.with(httpBasic("user", "password")))
+				.andExpect(status().isForbidden());
+
+		this.mvc.perform(get("/protected"))
+				.andExpect(status().isOk())
+				.andExpect(content().string("josh"));
+
+		this.mvc.perform(get("/customKey"))
+				.andExpect(status().isOk())
+				.andExpect(content().string(String.valueOf("myCustomKey".hashCode())));
+	}
+
+	@Test
+	public void requestWhenInterceptUrlMatchesMethodThenSecuresAccordingly()
+			throws Exception {
+
+		this.spring.configLocations(xml("InterceptUrlMethod")).autowire();
+
+		this.mvc.perform(get("/protected")
+				.with(httpBasic("user", "password")))
+				.andExpect(status().isOk());
+
+		this.mvc.perform(post("/protected")
+				.with(httpBasic("user", "password")))
+				.andExpect(status().isForbidden());
+
+		this.mvc.perform(post("/protected")
+				.with(httpBasic("poster", "password")))
+				.andExpect(status().isOk());
+
+		this.mvc.perform(delete("/protected")
+				.with(httpBasic("poster", "password")))
+				.andExpect(status().isForbidden());
+
+		this.mvc.perform(delete("/protected")
+				.with(httpBasic("admin", "password")))
+				.andExpect(status().isOk());
+	}
+
+	@Test
+	public void requestWhenInterceptUrlMatchesMethodAndRequiresHttpsThenSecuresAccordingly()
+			throws Exception {
+
+		this.spring.configLocations(xml("InterceptUrlMethodRequiresHttps")).autowire();
+
+		this.mvc.perform(post("/protected").with(csrf()))
+				.andExpect(status().isOk());
+
+		this.mvc.perform(get("/protected")
+				.secure(true)
+				.with(httpBasic("user", "password")))
+				.andExpect(status().isForbidden());
+
+		this.mvc.perform(get("/protected")
+				.secure(true)
+				.with(httpBasic("admin", "password")))
+				.andExpect(status().isOk());
+	}
+
+	@Test
+	public void requestWhenInterceptUrlMatchesAnyPatternAndRequiresHttpsThenSecuresAccordingly()
+			throws Exception {
+
+		this.spring.configLocations(xml("InterceptUrlMethodRequiresHttpsAny")).autowire();
+
+		this.mvc.perform(post("/protected").with(csrf()))
+				.andExpect(status().isOk());
+
+		this.mvc.perform(get("/protected")
+				.secure(true)
+				.with(httpBasic("user", "password")))
+				.andExpect(status().isForbidden());
+
+		this.mvc.perform(get("/protected")
+				.secure(true)
+				.with(httpBasic("admin", "password")))
+				.andExpect(status().isOk());
+	}
+
+	@Test
+	public void configureWhenOncePerRequestIsFalseThenFilterSecurityInterceptorExercisedForForwards() {
+		this.spring.configLocations(xml("OncePerRequest")).autowire();
+
+		FilterSecurityInterceptor filterSecurityInterceptor = getFilter(FilterSecurityInterceptor.class);
+		assertThat(filterSecurityInterceptor.isObserveOncePerRequest()).isFalse();
+	}
+
+	@Test
+	public void requestWhenCustomHttpBasicEntryPointRefThenInvokesOnCommence()
+			throws Exception {
+
+		this.spring.configLocations(xml("CustomHttpBasicEntryPointRef")).autowire();
+
+		AuthenticationEntryPoint entryPoint = this.spring.getContext().getBean(AuthenticationEntryPoint.class);
+
+		this.mvc.perform(get("/protected"))
+			.andExpect(status().isOk());
+
+		verify(entryPoint).commence(
+				any(HttpServletRequest.class), any(HttpServletResponse.class), any(AuthenticationException.class));
+	}
+
+	@Test
+	public void configureWhenInterceptUrlWithRequiresChannelThenAddedChannelFilterToChain() {
+		this.spring.configLocations(xml("InterceptUrlMethodRequiresHttpsAny")).autowire();
+		assertThat(getFilter(ChannelProcessingFilter.class)).isNotNull();
+	}
+
+	@Test
+	public void getWhenPortsMappedThenRedirectedAccordingly() throws Exception {
+		this.spring.configLocations(xml("PortsMappedInterceptUrlMethodRequiresAny")).autowire();
+
+		this.mvc.perform(get("http://localhost:9080/protected"))
+				.andExpect(redirectedUrl("https://localhost:9443/protected"));
+	}
+
+	@Test
+	public void configureWhenCustomFiltersThenAddedToChainInCorrectOrder() {
+		System.setProperty("customFilterRef", "userFilter");
+		this.spring.configLocations(xml("CustomFilters")).autowire();
+
+		List<Filter> filters = getFilters("/");
+
+		Class<?> userFilterClass = this.spring.getContext().getBean("userFilter").getClass();
+
+		assertThat(filters)
+				.extracting((Extractor<Filter, Class<?>>) filter -> filter.getClass())
+				.containsSubsequence(
+						userFilterClass, userFilterClass,
+						SecurityContextPersistenceFilter.class, LogoutFilter.class,
+						userFilterClass);
+	}
+
+	@Test
+	public void configureWhenTwoFiltersWithSameOrderThenException() {
+		assertThatCode(() -> this.spring.configLocations(xml("CollidingFilters")).autowire())
+				.isInstanceOf(BeanDefinitionParsingException.class);
+	}
+
+	@Test
+	public void configureWhenUsingX509ThenAddsX509FilterCorrectly() {
+		this.spring.configLocations(xml("X509")).autowire();
+
+		assertThat(getFilters("/"))
+				.extracting((Extractor<Filter, Class<?>>) filter -> filter.getClass())
+				.containsSubsequence(
+						CsrfFilter.class, X509AuthenticationFilter.class, ExceptionTranslationFilter.class);
+	}
+
+
+	@Test
+	public void getWhenUsingX509AndPropertyPlaceholderThenSubjectPrincipalRegexIsConfigured() throws Exception {
+		System.setProperty("subject_principal_regex", "OU=(.*?)(?:,|$)");
+		this.spring.configLocations(xml("X509")).autowire();
+
+		this.mvc.perform(get("/protected")
+				.with(x509("classpath:org/springframework/security/config/http/MiscHttpConfigTests-certificate.pem")))
+				.andExpect(status().isOk());
+	}
+
+	@Test
+	public void configureWhenUsingInvalidLogoutSuccessUrlThenThrowsException() {
+		assertThatCode(() -> this.spring.configLocations(xml("InvalidLogoutSuccessUrl")).autowire())
+				.isInstanceOf(BeanCreationException.class);
+	}
+
+	@Test
+	public void logoutWhenSpecifyingCookiesToDeleteThenSetCookieAdded() throws Exception {
+		this.spring.configLocations(xml("DeleteCookies")).autowire();
+
+		MvcResult result =
+				this.mvc.perform(post("/logout").with(csrf())).andReturn();
+
+		List<String> values = result.getResponse().getHeaders("Set-Cookie");
+		assertThat(values.size()).isEqualTo(2);
+		assertThat(values).extracting(value -> value.split("=")[0]).contains("JSESSIONID", "mycookie");
+	}
+
+	@Test
+	public void logoutWhenSpecifyingSuccessHandlerRefThenResponseHandledAccordingly() throws Exception {
+		this.spring.configLocations(xml("LogoutSuccessHandlerRef")).autowire();
+
+		this.mvc.perform(post("/logout").with(csrf()))
+				.andExpect(redirectedUrl("/logoutSuccessEndpoint"));
+	}
+
+	@Test
+	public void getWhenUnauthenticatedThenUsesConfiguredRequestCache() throws Exception {
+		this.spring.configLocations(xml("RequestCache")).autowire();
+
+		RequestCache requestCache = this.spring.getContext().getBean(RequestCache.class);
+
+		this.mvc.perform(get("/"));
+
+		verify(requestCache).saveRequest(any(HttpServletRequest.class), any(HttpServletResponse.class));
+	}
+
+	@Test
+	public void getWhenUnauthenticatedThenUsesConfiguredAuthenticationEntryPoint() throws Exception {
+		this.spring.configLocations(xml("EntryPoint")).autowire();
+
+		AuthenticationEntryPoint entryPoint = this.spring.getContext().getBean(AuthenticationEntryPoint.class);
+
+		this.mvc.perform(get("/"));
+
+		verify(entryPoint).commence(
+				any(HttpServletRequest.class),
+				any(HttpServletResponse.class),
+				any(AuthenticationException.class));
+	}
+
+	/**
+	 * See SEC-750. If the http security post processor causes beans to be instantiated too eagerly, they way miss
+	 * additional processing. In this method we have a UserDetailsService which is referenced from the namespace
+	 * and also has a post processor registered which will modify it.
+	 */
+	@Test
+	public void configureWhenUsingCustomUserDetailsServiceThenBeanPostProcessorsAreStillApplied() {
+		this.spring.configLocations(xml("Sec750")).autowire();
+
+		BeanNameCollectingPostProcessor postProcessor =
+				this.spring.getContext().getBean(BeanNameCollectingPostProcessor.class);
+
+		assertThat(postProcessor.getBeforeInitPostProcessedBeans())
+				.contains("authenticationProvider", "userService");
+		assertThat(postProcessor.getAfterInitPostProcessedBeans())
+				.contains("authenticationProvider", "userService");
+
+	}
+
+	/* SEC-934 */
+	@Test
+	public void getWhenUsingTwoIdenticalInterceptUrlsThenTheSecondTakesPrecedence() throws Exception {
+		this.spring.configLocations(xml("Sec934")).autowire();
+
+		this.mvc.perform(get("/protected")
+				.with(httpBasic("user", "password")))
+				.andExpect(status().isOk());
+
+		this.mvc.perform(get("/protected")
+				.with(httpBasic("admin", "password")))
+				.andExpect(status().isForbidden());
+	}
+
+	@Test
+	public void getWhenAuthenticatingThenConsultsCustomSecurityContextRepository() throws Exception {
+		this.spring.configLocations(xml("SecurityContextRepository")).autowire();
+
+		SecurityContextRepository repository = this.spring.getContext().getBean(SecurityContextRepository.class);
+		SecurityContext context = new SecurityContextImpl(new TestingAuthenticationToken("user", "password"));
+		when(repository.loadContext(any(HttpRequestResponseHolder.class))).thenReturn(context);
+
+		MvcResult result =
+			this.mvc.perform(get("/protected")
+					.with(httpBasic("user", "password")))
+					.andExpect(status().isOk())
+					.andReturn();
+
+		assertThat(result.getRequest().getSession(false)).isNotNull();
+
+		verify(repository, atLeastOnce()).saveContext(
+				any(SecurityContext.class),
+				any(HttpServletRequest.class),
+				any(HttpServletResponse.class));
+	}
+
+	@Test
+	public void getWhenUsingInterceptUrlExpressionsThenAuthorizesAccordingly() throws Exception {
+		this.spring.configLocations(xml("InterceptUrlExpressions")).autowire();
+
+		this.mvc.perform(get("/protected")
+				.with(httpBasic("admin", "password")))
+				.andExpect(status().isOk());
+
+		this.mvc.perform(get("/protected")
+				.with(httpBasic("user", "password")))
+				.andExpect(status().isForbidden());
+
+		this.mvc.perform(get("/unprotected")
+				.with(httpBasic("user", "password")))
+				.andExpect(status().isOk());
+
+	}
+
+	@Test
+	public void getWhenUsingCustomExpressionHandlerThenAuthorizesAccordingly() throws Exception {
+		this.spring.configLocations(xml("ExpressionHandler")).autowire();
+
+		PermissionEvaluator permissionEvaluator = this.spring.getContext().getBean(PermissionEvaluator.class);
+		when(permissionEvaluator.hasPermission(any(Authentication.class), any(Object.class), any(Object.class)))
+				.thenReturn(false);
+
+		this.mvc.perform(get("/")
+				.with(httpBasic("user", "password")))
+				.andExpect(status().isForbidden());
+
+		verify(permissionEvaluator).hasPermission(any(Authentication.class), any(Object.class), any(Object.class));
+	}
+
+	@Test
+	public void configureWhenProtectingLoginPageThenWarningLogged() {
+		ByteArrayOutputStream baos = new ByteArrayOutputStream();
+		redirectLogsTo(baos, DefaultFilterChainValidator.class);
+
+		this.spring.configLocations(xml("ProtectedLoginPage")).autowire();
+
+		assertThat(baos.toString()).contains("[WARN]");
+	}
+
+	@Test
+	public void configureWhenUsingDisableUrlRewritingThenRedirectIsNotEncodedByResponse()
+			throws IOException, ServletException {
+
+		this.spring.configLocations(xml("DisableUrlRewriting")).autowire();
+
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		FilterChainProxy proxy = this.spring.getContext().getBean(FilterChainProxy.class);
+
+		proxy.doFilter(
+				request,
+				new EncodeUrlDenyingHttpServletResponseWrapper(response),
+				(req, resp) -> {});
+
+		assertThat(response.getStatus()).isEqualTo(HttpStatus.SC_MOVED_TEMPORARILY);
+		assertThat(response.getRedirectedUrl()).isEqualTo("http://localhost/login");
+	}
+
+	@Test
+	public void configureWhenUserDetailsServiceInParentContextThenLocatesSuccessfully() {
+		assertThatCode(() -> this.spring.configLocations(this.xml("MissingUserDetailsService")).autowire())
+				.isInstanceOf(BeansException.class);
+
+		try ( XmlWebApplicationContext parent = new XmlWebApplicationContext() ) {
+			parent.setConfigLocations(this.xml("AutoConfig"));
+			parent.refresh();
+
+			try ( XmlWebApplicationContext child = new XmlWebApplicationContext() ) {
+				child.setParent(parent);
+				child.setConfigLocation(this.xml("MissingUserDetailsService"));
+				child.refresh();
+			}
+		}
+	}
+
+	@Test
+	public void loginWhenConfiguredWithNoInternalAuthenticationProvidersThenSuccessfullyAuthenticates()
+			throws Exception {
+
+		this.spring.configLocations(xml("NoInternalAuthenticationProviders")).autowire();
+
+		this.mvc.perform(post("/login")
+			.param("username", "user")
+			.param("password", "password"))
+				.andExpect(redirectedUrl("/"));
+	}
+
+	@Test
+	public void loginWhenUsingDefaultsThenErasesCredentialsAfterAuthentication() throws Exception {
+		this.spring.configLocations(xml("HttpBasic")).autowire();
+
+		this.mvc.perform(get("/password")
+				.with(httpBasic("user", "password")))
+				.andExpect(content().string(""));
+	}
+
+	@Test
+	public void loginWhenAuthenticationManagerConfiguredToEraseCredentialsThenErasesCredentialsAfterAuthentication()
+		throws Exception {
+
+		this.spring.configLocations(xml("AuthenticationManagerEraseCredentials")).autowire();
+
+		this.mvc.perform(get("/password")
+				.with(httpBasic("user", "password")))
+				.andExpect(content().string(""));
+	}
+
+	/**
+	 * SEC-2020
+	 */
+	@Test
+	public void loginWhenAuthenticationManagerRefConfiguredToKeepCredentialsThenKeepsCredentialsAfterAuthentication()
+		throws Exception {
+
+		this.spring.configLocations(xml("AuthenticationManagerRefKeepCredentials")).autowire();
+
+		this.mvc.perform(get("/password")
+				.with(httpBasic("user", "password")))
+				.andExpect(content().string("password"));
+	}
+
+	@Test
+	public void loginWhenAuthenticationManagerRefIsNotAProviderManagerThenKeepsCredentialsAccordingly()
+		throws Exception {
+
+		this.spring.configLocations(xml("AuthenticationManagerRefNotProviderManager")).autowire();
+
+		this.mvc.perform(get("/password")
+				.with(httpBasic("user", "password")))
+				.andExpect(content().string("password"));
+	}
+
+	@Test
+	public void loginWhenJeeFilterThenExtractsRoles() throws Exception {
+		this.spring.configLocations(xml("JeeFilter")).autowire();
+
+		Principal user = mock(Principal.class);
+		when(user.getName()).thenReturn("joe");
+
+		this.mvc.perform(get("/roles")
+				.principal(user)
+				.with(request -> {
+					request.addUserRole("admin");
+					request.addUserRole("user");
+					request.addUserRole("unmapped");
+					return request;
+				}))
+				.andExpect(content().string("ROLE_admin,ROLE_user"));
+	}
+
+	@Test
+	public void loginWhenUsingCustomAuthenticationDetailsSourceRefThenAuthenticationSourcesDetailsAccordingly()
+		throws Exception {
+
+		this.spring.configLocations(xml("CustomAuthenticationDetailsSourceRef")).autowire();
+
+		Object details = mock(Object.class);
+		AuthenticationDetailsSource source = this.spring.getContext().getBean(AuthenticationDetailsSource.class);
+		when(source.buildDetails(any(Object.class))).thenReturn(details);
+
+		this.mvc.perform(get("/details")
+				.with(httpBasic("user", "password")))
+				.andExpect(content().string(details.getClass().getName()));
+
+		this.mvc.perform(get("/details")
+				.with(x509("classpath:org/springframework/security/config/http/MiscHttpConfigTests-certificate.pem")))
+				.andExpect(content().string(details.getClass().getName()));
+
+		MockHttpSession session = (MockHttpSession)
+				this.mvc.perform(post("/login")
+						.param("username", "user")
+						.param("password", "password")
+						.with(csrf()))
+						.andReturn().getRequest().getSession(false);
+
+		this.mvc.perform(get("/details")
+				.session(session))
+				.andExpect(content().string(details.getClass().getName()));
+
+		assertThat(getField(getFilter(OpenIDAuthenticationFilter.class), "authenticationDetailsSource"))
+				.isEqualTo(source);
+	}
+
+	@Test
+	public void loginWhenUsingJaasApiProvisionThenJaasSubjectContainsUsername() throws Exception {
+		this.spring.configLocations(xml("Jaas")).autowire();
+
+		AuthorityGranter granter = this.spring.getContext().getBean(AuthorityGranter.class);
+		when(granter.grant(any(Principal.class))).thenReturn(new HashSet<>(Arrays.asList("USER")));
+
+		this.mvc.perform(get("/username")
+				.with(httpBasic("user", "password")))
+				.andExpect(content().string("user"));
+	}
+
+	@Test
+	public void getWhenUsingCustomHttpFirewallThenFirewallIsInvoked() throws Exception {
+		this.spring.configLocations(xml("HttpFirewall")).autowire();
+
+		FirewalledRequest request = new FirewalledRequest(new MockHttpServletRequest()) {
+			@Override
+			public void reset() { }
+		};
+		HttpServletResponse response = new MockHttpServletResponse();
+
+		HttpFirewall firewall = this.spring.getContext().getBean(HttpFirewall.class);
+		when(firewall.getFirewalledRequest(any(HttpServletRequest.class))).thenReturn(request);
+		when(firewall.getFirewalledResponse(any(HttpServletResponse.class))).thenReturn(response);
+		this.mvc.perform(get("/unprotected"));
+
+		verify(firewall).getFirewalledRequest(any(HttpServletRequest.class));
+		verify(firewall).getFirewalledResponse(any(HttpServletResponse.class));
+	}
+
+	@Test
+	public void getWhenUsingCustomAccessDecisionManagerThenAuthorizesAccordingly() throws Exception {
+		this.spring.configLocations(xml("CustomAccessDecisionManager")).autowire();
+
+		this.mvc.perform(get("/unprotected")
+				.with(httpBasic("user", "password")))
+				.andExpect(status().isForbidden());
+	}
+
+	/**
+	 * SEC-1893
+	 */
+	@Test
+	public void authenticateWhenUsingPortMapperThenRedirectsAppropriately() throws Exception {
+		this.spring.configLocations(xml("PortsMappedRequiresHttps")).autowire();
+
+		MockHttpSession session = (MockHttpSession)
+			this.mvc.perform(get("https://localhost:9080/protected"))
+				.andExpect(redirectedUrl("https://localhost:9443/login"))
+				.andReturn().getRequest().getSession(false);
+
+		session = (MockHttpSession)
+			this.mvc.perform(post("/login")
+					.param("username", "user")
+					.param("password", "password")
+					.session(session)
+					.with(csrf()))
+					.andExpect(redirectedUrl("https://localhost:9443/protected"))
+					.andReturn().getRequest().getSession(false);
+
+		this.mvc.perform(get("http://localhost:9080/protected")
+				.session(session))
+				.andExpect(redirectedUrl("https://localhost:9443/protected"));
+	}
+
+	@RestController
+	static class BasicController {
+		@RequestMapping("/unprotected")
+		public String unprotected() {
+			return "ok";
+		}
+
+		@RequestMapping("/protected")
+		public String protectedMethod(@AuthenticationPrincipal String name) {
+			return name;
+		}
+	}
+
+	@RestController
+	static class CustomKeyController {
+		@GetMapping("/customKey")
+		public String customKey() {
+			Authentication authentication =
+					SecurityContextHolder.getContext().getAuthentication();
+
+			if ( authentication != null &&
+					authentication instanceof AnonymousAuthenticationToken ) {
+				return String.valueOf(
+								((AnonymousAuthenticationToken) authentication).getKeyHash());
+			}
+
+			return null;
+		}
+	}
+
+	@RestController
+	static class AuthenticationController {
+		@GetMapping("/password")
+		public String password(@AuthenticationPrincipal Authentication authentication) {
+			return (String) authentication.getCredentials();
+		}
+
+		@GetMapping("/roles")
+		public String roles(@AuthenticationPrincipal Authentication authentication) {
+			return authentication.getAuthorities().stream()
+					.map(GrantedAuthority::getAuthority)
+					.collect(Collectors.joining(","));
+		}
+
+		@GetMapping("/details")
+		public String details(@AuthenticationPrincipal Authentication authentication) {
+			return authentication.getDetails().getClass().getName();
+		}
+	}
+
+	@RestController
+	static class JaasController {
+		@GetMapping("/username")
+		public String username() {
+			Subject subject = Subject.getSubject(AccessController.getContext());
+			return subject.getPrincipals().iterator().next().getName();
+		}
+	}
+
+	public static class JaasLoginModule implements LoginModule {
+		private Subject subject;
+
+		@Override
+		public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
+			this.subject = subject;
+		}
+
+		@Override
+		public boolean login() throws LoginException {
+			return this.subject.getPrincipals().add(() -> "user");
+		}
+
+		@Override
+		public boolean commit() throws LoginException {
+			return true;
+		}
+
+		@Override
+		public boolean abort() throws LoginException {
+			return true;
+		}
+
+		@Override
+		public boolean logout() throws LoginException {
+			return true;
+		}
+	}
+
+	static class MockAccessDecisionManager implements AccessDecisionManager {
+
+		@Override
+		public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
+			throw new AccessDeniedException("teapot");
+		}
+
+		@Override
+		public boolean supports(ConfigAttribute attribute) {
+			return true;
+		}
+
+		@Override
+		public boolean supports(Class<?> clazz) {
+			return true;
+		}
+	}
+
+	static class MockAuthenticationManager implements AuthenticationManager {
+		public Authentication authenticate(Authentication authentication) {
+			return new TestingAuthenticationToken(authentication.getPrincipal(),
+					authentication.getCredentials(),
+					AuthorityUtils.createAuthorityList("ROLE_USER"));
+		}
+	}
+
+	static class EncodeUrlDenyingHttpServletResponseWrapper
+			extends HttpServletResponseWrapper {
+
+		public EncodeUrlDenyingHttpServletResponseWrapper(HttpServletResponse response) {
+			super(response);
+		}
+
+		@Override
+		public String encodeURL(String url) {
+			throw new RuntimeException("Unexpected invocation of encodeURL");
+		}
+
+		@Override
+		public String encodeRedirectURL(String url) {
+			throw new RuntimeException("Unexpected invocation of encodeURL");
+		}
+
+		@Override
+		public String encodeUrl(String url) {
+			throw new RuntimeException("Unexpected invocation of encodeURL");
+		}
+
+		@Override
+		public String encodeRedirectUrl(String url) {
+			throw new RuntimeException("Unexpected invocation of encodeURL");
+		}
+	}
+
+	private void redirectLogsTo(OutputStream os, Class<?> clazz) {
+		Logger logger = (Logger) LoggerFactory.getLogger(clazz);
+		Appender<ILoggingEvent> appender = mock(Appender.class);
+		when(appender.isStarted()).thenReturn(true);
+		doAnswer(writeTo(os)).when(appender).doAppend(any(ILoggingEvent.class));
+		logger.addAppender(appender);
+	}
+
+	private Answer<ILoggingEvent> writeTo(OutputStream os) {
+		return invocation -> {
+			os.write(invocation.getArgument(0).toString().getBytes());
+			return null;
+		};
+	}
+
+	private void assertThatFiltersMatchExpectedAutoConfigList() {
+		assertThatFiltersMatchExpectedAutoConfigList("/");
+	}
+
+	private void assertThatFiltersMatchExpectedAutoConfigList(String url) {
+		Iterator<Filter> filters = getFilters(url).iterator();
+
+		assertThat(filters.next()).isInstanceOf(SecurityContextPersistenceFilter.class);
+		assertThat(filters.next()).isInstanceOf(WebAsyncManagerIntegrationFilter.class);
+		assertThat(filters.next()).isInstanceOf(HeaderWriterFilter.class);
+		assertThat(filters.next()).isInstanceOf(CsrfFilter.class);
+		assertThat(filters.next()).isInstanceOf(LogoutFilter.class);
+		assertThat(filters.next()).isInstanceOf(UsernamePasswordAuthenticationFilter.class);
+		assertThat(filters.next()).isInstanceOf(DefaultLoginPageGeneratingFilter.class);
+		assertThat(filters.next()).isInstanceOf(DefaultLogoutPageGeneratingFilter.class);
+		assertThat(filters.next()).isInstanceOf(BasicAuthenticationFilter.class);
+		assertThat(filters.next()).isInstanceOf(RequestCacheAwareFilter.class);
+		assertThat(filters.next()).isInstanceOf(SecurityContextHolderAwareRequestFilter.class);
+		assertThat(filters.next()).isInstanceOf(AnonymousAuthenticationFilter.class);
+		assertThat(filters.next()).isInstanceOf(SessionManagementFilter.class);
+		assertThat(filters.next()).isInstanceOf(ExceptionTranslationFilter.class);
+		assertThat(filters.next()).isInstanceOf(FilterSecurityInterceptor.class)
+				.hasFieldOrPropertyWithValue("observeOncePerRequest", true);
+	}
+
+	private <T extends Filter> T getFilter(Class<T> filterClass) {
+		return (T) getFilters("/").stream().filter(filterClass::isInstance).findFirst().orElse(null);
+	}
+
+	private List<Filter> getFilters(String url) {
+		FilterChainProxy proxy = this.spring.getContext().getBean(FilterChainProxy.class);
+		return proxy.getFilters(url);
+	}
+
+	private static String xml(String configName) {
+		return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml";
+	}
+}

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-AnonymousCustomAttributes.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<anonymous username="josh" granted-authority="ROLE_ANON" key="myCustomKey"/>
+		<http-basic/>
+		<intercept-url pattern="/protected" access="hasRole('ANON')"/>
+		<intercept-url pattern="/customKey" access="anonymous"/>
+	</http>
+
+	<b:bean class="org.springframework.security.config.http.MiscHttpConfigTests.CustomKeyController"/>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-AnonymousDisabled.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<anonymous enabled="false"/>
+		<http-basic/>
+		<intercept-url pattern="/unprotected" access="anonymous"/>
+		<intercept-url pattern="/**" access="authenticated"/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-AnonymousEndpoints.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<http-basic/>
+		<intercept-url pattern="/unprotected" access="anonymous"/>
+		<intercept-url pattern="/**" access="authenticated"/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-AnonymousMultipleAuthorities.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<anonymous username="josh" granted-authority="ROLE_ANON,ROLE_KEY" key="myCustomKey"/>
+		<http-basic/>
+		<intercept-url pattern="/protected" access="hasRole('ANON')"/>
+		<intercept-url pattern="/customKey" access="hasRole('KEY')"/>
+	</http>
+
+	<b:bean class="org.springframework.security.config.http.MiscHttpConfigTests.CustomKeyController"/>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-AuthenticationManagerEraseCredentials.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<http-basic/>
+	</http>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+
+	<authentication-manager erase-credentials="true">
+		<authentication-provider>
+			<user-service id="us">
+				<user name="user" password="{noop}password" authorities="ROLE_USER"/>
+				<user name="admin" password="{noop}password" authorities="ROLE_ADMIN"/>
+			</user-service>
+		</authentication-provider>
+	</authentication-manager>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-AuthenticationManagerRefKeepCredentials.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http authentication-manager-ref="authMgr">
+		<http-basic/>
+	</http>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+
+	<authentication-manager id="authMgr" erase-credentials="false">
+		<authentication-provider>
+			<user-service id="us">
+				<user name="user" password="{noop}password" authorities="ROLE_USER"/>
+				<user name="admin" password="{noop}password" authorities="ROLE_ADMIN"/>
+			</user-service>
+		</authentication-provider>
+	</authentication-manager>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-AuthenticationManagerRefNotProviderManager.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http authentication-manager-ref="authMgr">
+		<http-basic/>
+	</http>
+
+	<b:bean id="authMgr" class="org.springframework.security.config.http.MiscHttpConfigTests.MockAuthenticationManager"/>
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-AutoConfig.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true"/>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-CiRegexSecurityPattern.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<debug/>
+
+	<http pattern="\A\/[a-z]{10,}" security="none" request-matcher="ciRegex"/>
+	<http>
+		<intercept-url pattern="/**" access="authenticated"/>
+		<http-basic/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-CollidingFilters.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true">
+		<custom-filter ref="userFilter" position="LOGOUT_FILTER"/>
+	</http>
+
+	<b:bean name="userFilter" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="javax.servlet.Filter"/>
+	</b:bean>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-CustomAccessDecisionManager.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http access-decision-manager-ref="accessDecisionManager">
+		<http-basic/>
+		<intercept-url pattern="/**" access="permitAll"/>
+	</http>
+
+	<b:bean name="accessDecisionManager"
+			class="org.springframework.security.config.http.MiscHttpConfigTests.MockAccessDecisionManager"/>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-CustomAuthenticationDetailsSourceRef.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<http-basic authentication-details-source-ref="authenticationDetailsSource"/>
+		<form-login authentication-details-source-ref="authenticationDetailsSource"/>
+		<x509 subject-principal-regex="OU=(.*?)(?:,|$)" authentication-details-source-ref="authenticationDetailsSource"/>
+		<openid-login authentication-details-source-ref="authenticationDetailsSource"/>
+	</http>
+
+	<b:bean name="authenticationDetailsSource" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="org.springframework.security.authentication.AuthenticationDetailsSource"/>
+	</b:bean>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-CustomFilters.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true">
+		<custom-filter ref="${customFilterRef}" position="FIRST"/>
+		<custom-filter ref="userFilter" before="SECURITY_CONTEXT_FILTER"/>
+		<custom-filter ref="userFilter" after="LOGOUT_FILTER"/>
+	</http>
+
+	<b:bean name="propertyPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+	<b:bean name="userFilter" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="javax.servlet.Filter"/>
+	</b:bean>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-CustomHttpBasicEntryPointRef.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<http-basic entry-point-ref="entryPoint"/>
+		<intercept-url pattern="/protected" access="authenticated"/>
+	</http>
+
+	<b:bean name="entryPoint" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="org.springframework.security.web.AuthenticationEntryPoint"/>
+	</b:bean>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-CustomRequestMatcher.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<debug/>
+
+	<http request-matcher-ref="matcher" security="none"/>
+	<http>
+		<intercept-url pattern="/**" access="authenticated"/>
+		<http-basic/>
+	</http>
+
+	<b:bean name="matcher" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+		<b:constructor-arg value="/unprotected"/>
+	</b:bean>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-DeleteCookies.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true">
+		<logout delete-cookies="JSESSIONID, mycookie"/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-DisableUrlRewriting.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true" disable-url-rewriting="true">
+		<intercept-url pattern="/**" access="authenticated"/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-EntryPoint.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http entry-point-ref="entryPoint">
+		<intercept-url pattern="/**" access="authenticated"/>
+	</http>
+
+	<b:bean name="entryPoint" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="org.springframework.security.web.AuthenticationEntryPoint"/>
+	</b:bean>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-ExpressionHandler.xml

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true">
+		<intercept-url pattern="/**" access="hasPermission('AnyObject','R')"/>
+		<expression-handler ref="expressionHandler"/>
+	</http>
+
+	<b:bean name="expressionHandler"
+			class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
+		<b:property name="permissionEvaluator" ref="permissionEvaluator"/>
+	</b:bean>
+
+	<b:bean name="permissionEvaluator" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="org.springframework.security.access.PermissionEvaluator"/>
+	</b:bean>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-HttpBasic.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<http-basic/>
+	</http>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-HttpFirewall.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http-firewall ref="firewall"/>
+
+	<http>
+		<http-basic/>
+	</http>
+
+	<b:bean name="firewall" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="org.springframework.security.web.firewall.HttpFirewall"/>
+	</b:bean>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-InterceptUrlExpressions.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true">
+		<intercept-url pattern="/protected" access="hasAnyRole('ROLE_ADMIN', 'ROLE_UNOBTAINIUM')"/>
+		<intercept-url pattern="/**" access="permitAll"/>
+	</http>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-InterceptUrlMethod.xml

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http use-expressions="false">
+		<http-basic/>
+		<intercept-url pattern="/protected*" method="POST" access="ROLE_POST,ROLE_ADMIN"/>
+		<intercept-url pattern="/protected*" method="DELETE" access="ROLE_ADMIN"/>
+		<intercept-url pattern="/**" access="ROLE_USER,ROLE_POST,ROLE_ADMIN"/>
+		<csrf disabled="true"/>
+	</http>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+
+	<user-service>
+		<user name="user" password="{noop}password" authorities="ROLE_USER"/>
+		<user name="admin" password="{noop}password" authorities="ROLE_ADMIN"/>
+		<user name="poster" password="{noop}password" authorities="ROLE_POST"/>
+	</user-service>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-InterceptUrlMethodRequiresHttps.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<http-basic/>
+		<intercept-url pattern="/protected" method="GET" access="hasRole('ADMIN')" requires-channel="https"/>
+		<intercept-url pattern="/protected" access="permitAll"/>
+	</http>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-InterceptUrlMethodRequiresHttpsAny.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<http-basic/>
+		<intercept-url pattern="/**" method="GET" access="hasRole('ADMIN')" requires-channel="https"/>
+		<intercept-url pattern="/**" access="permitAll"/>
+	</http>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-InvalidLogoutSuccessUrl.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true">
+		<logout logout-success-url="noLeadingSlash"/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-Jaas.xml

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true" jaas-api-provision="true">
+	</http>
+
+	<b:bean class="org.springframework.security.config.http.MiscHttpConfigTests.JaasController"/>
+
+	<b:bean id="jaasAuthenticationProvider"
+		  class="org.springframework.security.authentication.jaas.JaasAuthenticationProvider">
+		<b:property name="loginConfig" value="classpath:org/springframework/security/config/http/jaas-login.conf"/>
+		<b:property name="loginContextName" value="JAASTest"/>
+		<b:property name="callbackHandlers">
+			<b:list>
+				<b:bean class="org.springframework.security.authentication.jaas.JaasNameCallbackHandler"/>
+				<b:bean class="org.springframework.security.authentication.jaas.JaasPasswordCallbackHandler"/>
+			</b:list>
+		</b:property>
+		<b:property name="authorityGranters">
+			<b:list>
+				<b:ref bean="jaasAuthorityGranter"/>
+			</b:list>
+		</b:property>
+	</b:bean>
+
+	<b:bean name="jaasAuthorityGranter" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="org.springframework.security.authentication.jaas.AuthorityGranter"/>
+	</b:bean>
+
+	<authentication-manager id="authenticationManager">
+		<authentication-provider ref="jaasAuthenticationProvider"/>
+	</authentication-manager>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-JeeFilter.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<jee mappable-roles="admin,user"/>
+	</http>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-LogoutSuccessHandlerRef.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true">
+		<logout success-handler-ref="logoutSuccessEndpoint"/>
+	</http>
+
+	<b:bean name="logoutSuccessEndpoint" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
+		<b:property name="defaultTargetUrl" value="/logoutSuccessEndpoint"/>
+	</b:bean>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-MinimalConfiguration.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<http-basic/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-MissingUserDetailsService.xml

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-NoAuthProviders.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<form-login/>
+		<csrf disabled="true"/>
+		<anonymous enabled="false"/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-NoInternalAuthenticationProviders.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<form-login/>
+		<csrf disabled="true"/>
+		<anonymous enabled="false"/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-NoSecurityForPattern.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<debug/>
+
+	<http pattern="/unprotected" security="none"/>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-OncePerRequest.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http once-per-request="false">
+		<http-basic/>
+		<intercept-url pattern="/protected" access="authenticated"/>
+		<intercept-url pattern="/unprotected-forwards-to-protected" access="permitAll"/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-PortsMappedInterceptUrlMethodRequiresAny.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<http-basic/>
+		<port-mappings>
+			<port-mapping http="9080" https="9443"/>
+		</port-mappings>
+		<intercept-url pattern="/**" method="GET" access="permitAll" requires-channel="https"/>
+	</http>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-PortsMappedRequiresHttps.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true">
+		<port-mappings>
+			<port-mapping http="9080" https="9443"/>
+		</port-mappings>
+		<intercept-url pattern="/**" method="GET" access="authenticated" requires-channel="https"/>
+	</http>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-ProtectedLoginPage.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<form-login login-page="/login"/>
+		<intercept-url pattern="/login*" access="hasRole('ROLE_A')"/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-RegexSecurityPattern.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<debug/>
+
+	<http pattern="\A\/[a-z]{10,}" security="none" request-matcher="regex"/>
+	<http>
+		<intercept-url pattern="/**" access="authenticated"/>
+		<http-basic/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-RequestCache.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true">
+		<request-cache ref="requestCache"/>
+		<intercept-url pattern="/**" access="authenticated"/>
+	</http>
+
+	<b:bean name="requestCache" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="org.springframework.security.web.savedrequest.RequestCache"/>
+	</b:bean>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-Sec750.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true"/>
+
+	<authentication-manager>
+		<authentication-provider user-service-ref="userService"/>
+		<authentication-provider ref="authenticationProvider"/>
+	</authentication-manager>
+
+	<b:bean name="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
+		<b:property name="userDetailsService" ref="userService"/>
+	</b:bean>
+
+	<b:bean name="userService" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="org.springframework.security.core.userdetails.UserDetailsService"/>
+	</b:bean>
+
+	<b:bean name="beanNameCollectingPostProcessor" class="org.springframework.security.BeanNameCollectingPostProcessor"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-Sec934.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<http-basic/>
+		<intercept-url pattern="/protected" access="hasRole('ROLE_ADMIN')"/>
+		<intercept-url pattern="/protected" access="hasRole('ROLE_USER')"/>
+	</http>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-SecurityContextRepository.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http create-session="always" security-context-repository-ref="repo">
+		<http-basic/>
+		<intercept-url pattern="/**" access="authenticated"/>
+	</http>
+
+	<b:bean name="repo" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="org.springframework.security.web.context.SecurityContextRepository"/>
+	</b:bean>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-X509.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			http://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<x509 subject-principal-regex="${subject_principal_regex:(.*)}"/>
+		<intercept-url pattern="/**" access="authenticated"/>
+	</http>
+
+	<b:bean name="propertyPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+	<b:import resource="MiscHttpConfigTests-controllers.xml"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-certificate.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfTCCAmWgAwIBAgIJAISE1BLq+ZUNMA0GCSqGSIb3DQEBCwUAMFUxCzAJBgNV
+BAYTAlVTMQ0wCwYDVQQIDARVdGFoMRcwFQYDVQQHDA5TYWx0IExha2UgQ2l0eTEP
+MA0GA1UECgwGU3ByaW5nMQ0wCwYDVQQLDAR1c2VyMB4XDTE4MTAwNjAwMjMyMVoX
+DTQ2MDIyMTAwMjMyMVowVTELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxFzAV
+BgNVBAcMDlNhbHQgTGFrZSBDaXR5MQ8wDQYDVQQKDAZTcHJpbmcxDTALBgNVBAsM
+BHVzZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1pXMFNiDXHWkl
+59GMRBW7RsOyqpMzU5PqgLc8josbty4wjvxlM9td00+s94fS/S9a6m/thJi8E4pb
+MwQgckHhaUyiAYW1N3nv3Tj/3+/vhXGKoclTt2NNgTj8eFNx0x20+q0H8nyx0tJu
+7I5rFLWXf3uaOg3DPWGxxLWwN8GNDKMeusjx7/mMpoYnxYRWhcekUHxrLY4gsE6E
+rxJqa0DjmPAeaVMqBsXKBb0JKbyVI4P9t+tIGoNX0hWtudr/R14b+rnAugkfBOUH
+3GgKXS5RjtwIJsRy7RhzoZBISuNQuZsS2N3kJp6lkmveN+trr6HX0COZA5JNs8FH
+26+NVjYpAgMBAAGjUDBOMB0GA1UdDgQWBBSV8HXGF2favXivbmNoqPNDvMiwEDAf
+BgNVHSMEGDAWgBSV8HXGF2favXivbmNoqPNDvMiwEDAMBgNVHRMEBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4IBAQCMq2XZR2q7IcKyt6lRD+OabprBQapiwmVokovf9s23
+lVD2twEpSW27AIa3V2SpZau1lqy7Rk/KepBKfaXa2FJcxhqLtyaPwDxzYichrl4e
+0zbrpE7sHnTxPtAaefpWZog6Q+HQ4KrJcBsCKwAaol+COzrLebWa9oIn6o1MYmRj
+cNWM+uClUDmjoIRuwPCnEWHadxUcoKxnKiAmisOuer49DsN4dsskaT3Bc1MXrtqf
+5+ZzdHjFKAtLMBPikdj6zG4B6r/1Ytdm/dQv56WWbs2L0iz0BRA5ul8bx94ZZeYb
+oT/9kQxvDGRTykKR5MrQDZXW9Hsg/pQnp0f2aNNhMCw9
+-----END CERTIFICATE-----

config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-controllers.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		 xmlns:mvc="http://www.springframework.org/schema/mvc"
+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xmlns="http://www.springframework.org/schema/security"
+		 xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd">
+
+	<mvc:annotation-driven>
+		<mvc:argument-resolvers>
+			<b:bean class="org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver"/>
+		</mvc:argument-resolvers>
+	</mvc:annotation-driven>
+
+	<b:bean class="org.springframework.security.config.http.MiscHttpConfigTests.BasicController"/>
+	<b:bean class="org.springframework.security.config.http.MiscHttpConfigTests.AuthenticationController"/>
+
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/jaas-login.conf

@@ -0,0 +1,3 @@
+JAASTest {
+	org.springframework.security.config.http.MiscHttpConfigTests$JaasLoginModule required;
+};

config/src/test/resources/org/springframework/security/config/http/key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC1pXMFNiDXHWkl
+59GMRBW7RsOyqpMzU5PqgLc8josbty4wjvxlM9td00+s94fS/S9a6m/thJi8E4pb
+MwQgckHhaUyiAYW1N3nv3Tj/3+/vhXGKoclTt2NNgTj8eFNx0x20+q0H8nyx0tJu
+7I5rFLWXf3uaOg3DPWGxxLWwN8GNDKMeusjx7/mMpoYnxYRWhcekUHxrLY4gsE6E
+rxJqa0DjmPAeaVMqBsXKBb0JKbyVI4P9t+tIGoNX0hWtudr/R14b+rnAugkfBOUH
+3GgKXS5RjtwIJsRy7RhzoZBISuNQuZsS2N3kJp6lkmveN+trr6HX0COZA5JNs8FH
+26+NVjYpAgMBAAECggEAdj9RRBg7gq3jsEhb0krUNsjXRqziDGyhAuxt3F8S0aUK
+zZOXXK5IZKjV2kx9P+2P8UhiOqWx4+V4kOwCCLk4h+vLdj81coW9vFcv7uoxwKQH
+CO9PJ09ftqmjlj8iWxvK3/C7yUuivwP19z3JbI3btNbJeNnH8cw4l8ftWtzBA/cW
+3F87sjM3J59KFMjaNwDmgpCx6xVfk1E+R1e2tcgbjGdy5h14BUkS5kMHSgk13bj4
+1Pg9QZBeV7L3oui/PPz/wt7MDY7qerI8+gJ1vR3wqbX30F+o+K1rJ4ZEYM3OaxnF
+cpdvfUGNXApZD3mdSZenDahtGhlVcLUID9IHaKjGTQKBgQDuiwlKLxPBWDpFzXU5
+WaLRInyULq0E9jj4CcMX509vl6fbRf8vsULDzg9nD3bjWF8dakJBl811iSvHsOQv
+7SaIS6aTW4cyhEpSGqWyJrv6C5EnWxrgbtED85OVcFi2HIoPpQgke+ORNur4ceZp
+33BXI2wqYF2FM/4n4MakLnu8JwKBgQDC8HwYnifV/syxhaZXHyq1P61F4C6yYqHP
+19PsE/NAiYHMz9HVKRWQznX1HuSQPdMCNKtGrmzSO9PAIt0VgOiKNUQa5Wx9s/4f
+qs8z/6FKHgw96u7T/6erzCyz/TCqJCIZpqiurJh1yibXWcv3S3KxwXHcMxuIM2UO
+QfHItOfdLwKBgHPIZI/vXcVgz5gF67oUeeTMum8qYKyh3nD2PA2kJnhhwgW6aex6
+O4/SusMpTGl5AWHDq7kut3kvRWK9x2RD1YoePhIUQQESGQjVCkv4ZREvABt8KwV4
+hFdIqP/F8ikinRiO3+7le0WGxHImxtHotBx3gw7miz4WSGyOu5wBO+nNAoGAdA8N
+MvLmMKe0YnR5piDuIl644IMqChZi1AVhLIpsJp43YyLPgKMnLcFdxQQRfDbyq7uD
+xV8PdtMbrKaVDbpjt/UiiQjSYLyKrXvaRNEKy7+79hkq+5iX0NaMPtSc5o8Apljs
+0KH9WxNxsIDLyH1o2Z+cFEdxOtOudKCaPK5H5Q0CgYBsCK4rCO3pXU+bWiwn401E
+i5SaYHGH33eBYgle+CAyzj0dNKogow+5Yfo6AkiXyng/PKY95DRXsSH3z6hGzU65
+NjbuNK2YdfCem2sdY3PRLJdIu7JK6fW3q3nQLZ6G4QUXH+9mmRDsrh9fNCNfOStl
+V6tGbgS0ay+H6oMRfUQfNw==
+-----END PRIVATE KEY-----