Reduce length of long lines in the reference manual.

Some are too long for the PDF version.

docs/manual/src/docbook/basic-and-digest-auth.xml

@@ -82,10 +82,10 @@
             following format:</para>
         <para>
             <programlisting>
-                base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
+  base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
 
-                expirationTime:   The date and time when the nonce expires, expressed in milliseconds
-                key:              A private key to prevent modification of the nonce token
+  expirationTime:   The date and time when the nonce expires, expressed in milliseconds
+  key:              A private key to prevent modification of the nonce token
             </programlisting>
         </para>
         <para>The <classname>DigestAuthenticatonEntryPoint</classname> has a property specifying the

docs/manual/src/docbook/core-filters.xml

@@ -16,7 +16,7 @@
                 <classname>ExceptionTranslationFilter</classname>. A typical configuration example
             is shown below: <programlisting language="xml"><![CDATA[
 <bean id="filterSecurityInterceptor"
-        class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
+      class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
   <property name="authenticationManager" ref="authenticationManager"/>
   <property name="accessDecisionManager" ref="accessDecisionManager"/>
   <property name="securityMetadataSource">
@@ -70,7 +70,7 @@
             be written as follows:</para>
         <programlisting language="xml"><![CDATA[
 <bean id="filterInvocationInterceptor"
-     class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
+      class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
   <property name="authenticationManager" ref="authenticationManager"/>
   <property name="accessDecisionManager" ref="accessDecisionManager"/>
   <property name="runAsManager" ref="runAsManager"/>
@@ -108,14 +108,14 @@
             doesn't do any actual security enforcement itself, but handles exceptions thrown by the
             security interceptors and provides suitable and HTTP responses. <programlisting language="xml"><![CDATA[
 <bean id="exceptionTranslationFilter"
-     class="org.springframework.security.web.access.ExceptionTranslationFilter">
-  <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
-  <property name="accessDeniedHandler" ref="accessDeniedHandler"/>
+  class="org.springframework.security.web.access.ExceptionTranslationFilter">
+ <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
+ <property name="accessDeniedHandler" ref="accessDeniedHandler"/>
 </bean>
 
 <bean id="authenticationEntryPoint"
-     class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
-  <property name="loginFormUrl" value="/login.jsp"/>
+  class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
+ <property name="loginFormUrl" value="/login.jsp"/>
 </bean>
 
 <bean id="accessDeniedHandler"
@@ -181,7 +181,7 @@
             you would configure it for use with a <classname>FilterChainProxy</classname>. A basic
             configuration only requires the bean itself <programlisting><![CDATA[
 <bean id="securityContextPersistenceFilter"
-class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
+  class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
 ]]></programlisting> As we saw previously, this filter has two main tasks. It is responsible for
             storage of the <classname>SecurityContext</classname> contents between HTTP requests and
             for clearing the <classname>SecurityContextHolder</classname> when a request is

docs/manual/src/docbook/core-services.xml

@@ -35,7 +35,7 @@
                 <classname>SecurityContext</classname>. </para>
         <para> If you are using the namespace, an instance of
                 <classname>ProviderManager</classname> is created and maintained internally, and
-            you add providers to it by using the namespace authentication provider elements 
+            you add providers to it by using the namespace authentication provider elements
             (see <link xlink:href="#ns-auth-manager">the namespace chapter</link>). In this
             case, you should not declare a <classname>ProviderManager</classname> bean in your
             application context. However, if you are not using the namespace then you would declare
@@ -170,7 +170,8 @@
   <property name="password" value=""/>
 </bean>
 
-<bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
+<bean id="userDetailsService"
+      class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
   <property name="dataSource" ref="dataSource"/>
 </bean> ]]>       </programlisting>
             </para>

docs/manual/src/docbook/el-access.xml

@@ -136,14 +136,16 @@
                 <para>The most obviously useful annotation is <literal>@PreAuthorize</literal> which
                     decides whether a method can actually be invoked or not. For example (from the
                         <quote>Contacts</quote> sample
-                    application)<programlisting>  @PreAuthorize("hasRole('ROLE_USER')")
-  public void create(Contact contact);</programlisting>which
+                    application)<programlisting>
+ @PreAuthorize("hasRole('ROLE_USER')")
+ public void create(Contact contact);</programlisting>which
                     means that access will only be allowed for users with the role "ROLE_USER".
                     Obviously the same thing could easily be achieved using a traditional
                     configuration and a simple configuration attribute for the required role. But
                     what
-                    about:<programlisting>  @PreAuthorize("hasPermission(#contact, 'admin')")
-  public void deletePermission(Contact contact, Sid recipient, Permission permission);</programlisting>Here
+                    about:<programlisting>
+ @PreAuthorize("hasPermission(#contact, 'admin')")
+ public void deletePermission(Contact contact, Sid recipient, Permission permission);</programlisting>Here
                     we're actually using a method argument as part of the expression to decide
                     whether the current user has the <quote>admin</quote>permission for the given
                     contact. The built-in <literal>hasPermission()</literal> expression is linked
@@ -154,8 +156,9 @@
                     within the expression, so you can also access properties on the arguments. For
                     example, if you wanted a particular method to only allow access to a user whose
                     username matched that of the contact, you could write</para>
-                <programlisting>  @PreAuthorize("#contact.name == principal.name)")
-  public void doSomething(Contact contact);</programlisting>
+                <programlisting>
+ @PreAuthorize("#contact.name == principal.name)")
+ public void doSomething(Contact contact);</programlisting>
                 <para>Here we are accessing another built–in expression, which is the
                         <literal>principal</literal> of the current Spring Security
                         <interfacename>Authentication</interfacename> object obtained from the
@@ -205,9 +208,13 @@
                     permissions. It has no explicit dependencies on the ACL module, so you could
                     swap that out for an alternative implementation if required. The interface has
                     two methods:
-                    <programlisting language="java">  boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission);
+                    <programlisting language="java">
+ boolean hasPermission(Authentication authentication, Object targetDomainObject,
+                             Object permission);
 
-  boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission);</programlisting>which
+ boolean hasPermission(Authentication authentication, Serializable targetId,
+                              String targetType, Object permission);
+</programlisting>which
                     map directly to the available versions of the expression, with the exception
                     that the first argument (the <interfacename>Authentication</interfacename>
                     object) is not supplied. The first is used in situations where the domain
@@ -220,14 +227,16 @@
                     long as it is consistent with how the permissions are loaded.</para>
                 <para>To use <literal>hasPermission()</literal> expressions, you have to explicitly
                     configure a <interfacename>PermissionEvaluator</interfacename> in your
-                    application context. This would look something like this:<programlisting language="xml"> <![CDATA[ <security:global-method-security pre-post-annotations="enabled">
-    <security:expression-handler ref="expressionHandler"/>
-  </security:global-method-security>
+                    application context. This would look something like this:
+<programlisting language="xml"> <![CDATA[
+<security:global-method-security pre-post-annotations="enabled">
+  <security:expression-handler ref="expressionHandler"/>
+</security:global-method-security>
 
-  <bean id="expressionHandler"
-      class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
-        <property name="permissionEvaluator" ref="myPermissionEvaluator"/>
-  </bean>]]></programlisting>Where <literal>myPermissionEvaluator</literal> is the bean which
+<bean id="expressionHandler" class=
+  "org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
+     <property name="permissionEvaluator" ref="myPermissionEvaluator"/>
+</bean>]]></programlisting>Where <literal>myPermissionEvaluator</literal> is the bean which
                     implements <interfacename>PermissionEvaluator</interfacename>. Usually this will
                     be the implementation from the ACL module which is called
                         <classname>AclPermissionEvaluator</classname>. See the

docs/manual/src/docbook/namespace-config.xml

@@ -499,19 +499,22 @@
             xlink:href="http://openid.net/specs/openid-attribute-exchange-1_0.html">attribute
             exchange</link>. As an example, the following configuration would attempt to retrieve
           the email and full name from the OpenID provider, for use by the application:<programlisting language="xml"><![CDATA[
-  <openid-login>
-    <attribute-exchange>
-      <openid-attribute name="email" type="http://axschema.org/contact/email" required="true" />
-      <openid-attribute name="name" type="http://axschema.org/namePerson" />
-    </attribute-exchange>
-  </openid-login>]]></programlisting>The <quote>type</quote> of each OpenID attribute is a URI,
+ <openid-login>
+  <attribute-exchange>
+    <openid-attribute name="email" type="http://axschema.org/contact/email" required="true"/>
+    <openid-attribute name="name" type="http://axschema.org/namePerson"/>
+  </attribute-exchange>
+ </openid-login>]]></programlisting>The <quote>type</quote> of each OpenID attribute is a URI,
           determined by a particular schema, in this case <link xlink:href="http://axschema.org/"
             >http://axschema.org/</link>. If an attribute must be retrieved for successful
           authentication, the <literal>required</literal> attribute can be set. The exact schema and
           attributes supported will depend on your OpenID provider. The attribute values are
           returned as part of the authentication process and can be accessed afterwards using the
           following
-          code:<programlisting language="java">OpenIDAuthenticationToken token = (OpenIDAuthenticationToken)SecurityContextHolder.getContext().getAuthentication();
+          code:
+<programlisting language="java">
+OpenIDAuthenticationToken token = 
+    (OpenIDAuthenticationToken)SecurityContextHolder.getContext().getAuthentication();
 List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
             <classname>OpenIDAttribute</classname> contains the attribute type and the retrieved
           value (or values in the case of multi-valued attributes). We'll see more about how the

docs/manual/src/docbook/remember-me-authentication.xml

@@ -78,7 +78,10 @@
                 <literal>persistent_logins</literal> table, created using the following SQL (or
             equivalent):
             <programlisting>
-    create table persistent_logins (username varchar(64) not null, series varchar(64) primary key, token varchar(64) not null, last_used timestamp not null)
+    create table persistent_logins (username varchar(64) not null,
+                                    series varchar(64) primary key,
+                                    token varchar(64) not null,
+                                    last_used timestamp not null)
 </programlisting></para>
         <!-- TODO: Add more info on the implementation and behaviour when tokens are stolen etc. Also some info for admins on invalidating tokens using key, or deleting info from db -->
     </section>

docs/manual/src/docbook/secured-objects.xml

@@ -27,8 +27,8 @@
       <title>Explicit MethodSecurityInterceptor Configuration</title>
       <para> You can of course configure a <classname>MethodSecurityIterceptor</classname> directly
         in your application context for use with one of Spring AOP's proxying mechanisms: <programlisting><![CDATA[
-<bean id="bankManagerSecurity"
-    class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
+<bean id="bankManagerSecurity" class=
+    "org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
   <property name="authenticationManager" ref="authenticationManager"/>
   <property name="accessDecisionManager" ref="accessDecisionManager"/>
   <property name="afterInvocationManager" ref="afterInvocationManager"/>
@@ -60,8 +60,8 @@
     <para>Let's first consider how the <literal>AspectJSecurityInterceptor</literal> is configured
       in the Spring application context:</para>
     <programlisting><![CDATA[
-<bean id="bankManagerSecurity"
-     class="org.springframework.security.access.intercept.aspectj.AspectJSecurityInterceptor">
+<bean id="bankManagerSecurity" class=
+    "org.springframework.security.access.intercept.aspectj.AspectJSecurityInterceptor">
   <property name="authenticationManager" ref="authenticationManager"/>
   <property name="accessDecisionManager" ref="accessDecisionManager"/>
   <property name="afterInvocationManager" ref="afterInvocationManager"/>

docs/manual/src/docbook/session-mgmt.xml

@@ -38,22 +38,22 @@
         <classname>AbstractAuthenticationProcessingFilter</classname>, so if you are using a
       customized form-login class, for example, you will need to inject it into both of these. In
       this case, a typical configuration, combining the namespace and custom beans might look like this:<programlisting><![CDATA[
-  <http>
-    <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
-    <session-management session-authentication-strategy-ref="sas"/>
-  </http>
+<http>
+  <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
+  <session-management session-authentication-strategy-ref="sas"/>
+</http>
 
-  <beans:bean id="myAuthFilter"
-      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
+<beans:bean id="myAuthFilter" class=
+  "org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
     <beans:property name="sessionAuthenticationStrategy" ref="sas" />
     ...
-  </beans:bean>
+</beans:bean>
 
-  <beans:bean id="sas"
-      class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
+<beans:bean id="sas" class=
+  "org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
     <beans:property name="sessionRegistry" ref="sessionRegistry" />
     <beans:property name="maximumSessions" value="1" />
-  </beans:bean>
+</beans:bean>
 ]]>
       </programlisting></para>
   </section>
@@ -96,32 +96,33 @@
       points to the page to display when a session has expired. A configuration using the namespace
       to create the <classname>FilterChainProxy</classname> and other default beans might look like
       this: <programlisting><![CDATA[
-  <http>
-    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
-    <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
+<http>
+  <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
+  <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
 
-    <session-management session-authentication-strategy-ref="sas"/>
-  </http>
+  <session-management session-authentication-strategy-ref="sas"/>
+</http>
 
-  <beans:bean id="concurrencyFilter"
-      class="org.springframework.security.web.session.ConcurrentSessionFilter">
-    <beans:property name="sessionRegistry" ref="sessionRegistry" />
-    <beans:property name="expiredUrl" value="/session-expired.htm" />
-  </beans:bean>
+<beans:bean id="concurrencyFilter"
+   class="org.springframework.security.web.session.ConcurrentSessionFilter">
+  <beans:property name="sessionRegistry" ref="sessionRegistry" />
+  <beans:property name="expiredUrl" value="/session-expired.htm" />
+</beans:bean>
 
-  <beans:bean id="myAuthFilter"
-      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
-    <beans:property name="sessionAuthenticationStrategy" ref="sas" />
-    <beans:property name="authenticationManager" ref="authenticationManager" />
-  </beans:bean>
+<beans:bean id="myAuthFilter" class=
+   "org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
+  <beans:property name="sessionAuthenticationStrategy" ref="sas" />
+  <beans:property name="authenticationManager" ref="authenticationManager" />
+</beans:bean>
 
-  <beans:bean id="sas"
-      class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
-    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
-    <beans:property name="maximumSessions" value="1" />
-  </beans:bean>
+<beans:bean id="sas" class=
+ "org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
+  <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
+  <beans:property name="maximumSessions" value="1" />
+</beans:bean>
 
-  <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
+<beans:bean id="sessionRegistry"
+    class="org.springframework.security.core.session.SessionRegistryImpl" />
 ]]>
     </programlisting></para>
     <para>Adding the listener to <filename>web.xml</filename> causes an

docs/manual/src/docbook/technical-overview.xml

@@ -426,8 +426,8 @@ Successfully authenticated. Security context contains: \
           Even though a <classname>ThreadLocal</classname> is being used, it is the same instance
           that is retrieved from the <interfacename>HttpSession</interfacename> for each thread.
           This has implications if you wish to temporarily change the context under which a thread
-          is running. If you just use
-            <code>SecurityContextHolder.getContext().setAuthentication(anAuthentication)</code>,
+          is running. If you just use <code>SecurityContextHolder.getContext()</code>,
+           and call <code>setAuthentication(anAuthentication)</code> on the returned context object,
           then the <interfacename>Authentication</interfacename> object will change in
             <emphasis>all</emphasis> concurrent threads which share the same
             <interfacename>SecurityContext</interfacename> instance. You can customize the behaviour