
SEC-624: Improved general consistency of ref docs. Tidied up program listings. Added namespace info on channel security.

Luke Taylor 17 years ago
parent
commit
a7ab048f3b

+ 11 - 11
src/docbkx/anon-auth-provider.xml

@@ -40,17 +40,17 @@
         filter and authentication provider appears as follows:</para>
     
     <para><programlisting>
-        &lt;bean id="anonymousProcessingFilter"
-        class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter"&gt;
-        &lt;property name="key"&gt;&lt;value&gt;foobar&lt;/value&gt;&lt;/property&gt;
-        &lt;property name="userAttribute"&gt;&lt;value&gt;anonymousUser,ROLE_ANONYMOUS&lt;/value&gt;&lt;/property&gt;
-        &lt;/bean&gt;
-        
-        &lt;bean id="anonymousAuthenticationProvider"
-        class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider"&gt;
-        &lt;property name="key"&gt;&lt;value&gt;foobar&lt;/value&gt;&lt;/property&gt;
-        &lt;/bean&gt;
-        
+<![CDATA[
+<bean id="anonymousProcessingFilter"
+    class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
+  <property name="key" value="foobar"/>
+  <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
+</bean>
+
+<bean id="anonymousAuthenticationProvider"
+    class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
+  <property name="key" value="foobar"/>
+</bean>]]>
     </programlisting></para>
     
     <para>The <literal>key</literal> is shared between the filter and
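Review bot: the `key` value "foobar" is a documentation placeholder that now appears in both the `anonymousProcessingFilter` and `anonymousAuthenticationProvider` beans; since the paragraph that follows explains that the two keys must match, it would help readers to say that each deployment should pick its own value rather than copy the one from the listing. Also, `<![CDATA[` sits on its own line after `<programlisting>`, so the rendered listing begins with a blank line; other listings in this patch use `<programlisting><![CDATA[` on one line.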

+ 120 - 120
src/docbkx/authorization-common.xml

@@ -2,7 +2,6 @@
   
 
   <section xml:id="authorities"><info><title>Authorities</title></info>
-    
 
     <para>As briefly mentioned in the Authentication section, all
     <literal>Authentication</literal> implementations are required to
@@ -15,11 +14,11 @@
     decisions.</para>
 
     <para><literal>GrantedAuthority</literal> is an interface with only
-    one method:</para>
-
-    <para><programlisting>public String getAuthority();</programlisting></para>
-
-    <para>This method allows <literal>AccessDecisionManager</literal>s to
+    one method:
+      <programlisting>
+  String getAuthority();
+    </programlisting>
+    This method allows <literal>AccessDecisionManager</literal>s to
     obtain a precise <literal>String</literal> representation of the
     <literal>GrantedAuthority</literal>. By returning a representation as
     a <literal>String</literal>, a <literal>GrantedAuthority</literal> can
@@ -58,13 +57,13 @@
     <literal>AbstractSecurityInterceptor</literal> and is responsible for
     making final access control decisions. The
     <literal>AccessDecisionManager</literal> interface contains three
-    methods:</para>
-
-    <para><programlisting>public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) throws AccessDeniedException;
-public boolean supports(ConfigAttribute attribute);
-public boolean supports(Class clazz);</programlisting></para>
-
-    <para>As can be seen from the first method, the
+    methods:
+      <programlisting>
+ void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) throws AccessDeniedException;
+ boolean supports(ConfigAttribute attribute);
+ boolean supports(Class clazz);
+      </programlisting>
+    As can be seen from the first method, the
     <literal>AccessDecisionManager</literal> is passed via method
     parameters all information that is likely to be of value in assessing
     an authorization decision. In particular, passing the secure
@@ -115,13 +114,13 @@ public boolean supports(Class clazz);</programlisting></para>
     assessment of the votes.</para>
 
     <para>The <literal>AccessDecisionVoter</literal> interface has three
-    methods:</para>
-
-    <para><programlisting>public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
-public boolean supports(ConfigAttribute attribute);
-public boolean supports(Class clazz);</programlisting></para>
-
-    <para>Concrete implementations return an <literal>int</literal>, with
+    methods:
+<programlisting>
+int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
+boolean supports(ConfigAttribute attribute);
+boolean supports(Class clazz);
+</programlisting>
+    Concrete implementations return an <literal>int</literal>, with
     possible values being reflected in the
     <literal>AccessDecisionVoter</literal> static fields
     <literal>ACCESS_ABSTAIN</literal>, <literal>ACCESS_DENIED</literal>
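Review bot: the leading indentation of the three interface listings in this file is inconsistent after this change: `  String getAuthority();` has two spaces, ` void decide(...)` one, and `int vote(...)` none. Since the commit is about consistency of the listings, pick one indentation for all three.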
@@ -176,34 +175,36 @@ public boolean supports(Class clazz);</programlisting></para>
     voter included with Spring Security. It integrates with Spring
     Security's <literal>AclManager</literal> (discussed later). This voter
     is designed to have multiple instances in the same application
-    context, such as:</para>
-
-    <para><programlisting>&lt;bean id="aclContactReadVoter"
-        class="org.springframework.security.vote.BasicAclEntryVoter"&gt;
-&lt;property name="processConfigAttribute"&gt;&lt;value&gt;ACL_CONTACT_READ&lt;/value&gt;&lt;/property&gt;
-&lt;property name="processDomainObjectClass"&gt;&lt;value&gt;sample.contact.Contact&lt;/value&gt;&lt;/property&gt;
-&lt;property name="aclManager"&gt;&lt;ref local="aclManager"/&gt;&lt;/property&gt;
-&lt;property name="requirePermission"&gt;
-&lt;list&gt;
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/&gt;
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/&gt;
-&lt;/list&gt;
-&lt;/property&gt;
-&lt;/bean&gt;
-
-&lt;bean id="aclContactDeleteVoter" class="org.springframework.security.vote.BasicAclEntryVoter"&gt;
-&lt;property name="processConfigAttribute"&gt;&lt;value&gt;ACL_CONTACT_DELETE&lt;/value&gt;&lt;/property&gt;
-&lt;property name="processDomainObjectClass"&gt;&lt;value&gt;sample.contact.Contact&lt;/value&gt;&lt;/property&gt;
-&lt;property name="aclManager"&gt;&lt;ref local="aclManager"/&gt;&lt;/property&gt;
-&lt;property name="requirePermission"&gt;
-&lt;list&gt;
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/&gt;
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.DELETE"/&gt;
-&lt;/list&gt;
-&lt;/property&gt;
-&lt;/bean&gt;        </programlisting></para>
-
-    <para>In the above example, you'd define
+    context, such as:
+<programlisting>
+<![CDATA[
+<bean id="aclContactReadVoter"
+    class="org.springframework.security.vote.BasicAclEntryVoter">
+  <property name="processConfigAttribute" value="ACL_CONTACT_READ"/>
+  <property name="processDomainObjectClass" value="sample.contact.Contact"/>
+  <property name="aclManager" ref="aclManager"/>
+  <property name="requirePermission">
+    <list>
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
+    </list>
+  </property>
+</bean>
+
+<bean id="aclContactDeleteVoter" 
+    class="org.springframework.security.vote.BasicAclEntryVoter">
+  <property name="processConfigAttribute" value="ACL_CONTACT_DELETE"/>
+  <property name="processDomainObjectClass" value="sample.contact.Contact"/>
+  <property name="aclManager" ref="aclManager"/>
+  <property name="requirePermission">
+    <list>
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.DELETE"/>
+    </list>
+  </property>
+</bean>
+]]></programlisting>
+      In the above example, you'd define
     <literal>ACL_CONTACT_READ</literal> or
     <literal>ACL_CONTACT_DELETE</literal> against some methods on a
     <literal>MethodSecurityInterceptor</literal> or
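Review bot: `<![CDATA[` is on its own line after `<programlisting>`, so this listing renders with a leading blank line, unlike the `<programlisting><![CDATA[` form used in the after-invocation listings further down. There is also trailing whitespace after `<bean id="aclContactDeleteVoter" ` on the second bean.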
@@ -251,9 +252,8 @@ public boolean supports(Class clazz);</programlisting></para>
     to the chapter describing the new ACL implementation.</para>
   </section>
 
-  <section xml:id="after-invocation"><info><title>After Invocation Handling</title></info>
-    
-
+  <section xml:id="after-invocation">
+    <info><title>After Invocation Handling</title></info>
     <para>Whilst the <literal>AccessDecisionManager</literal> is called by
     the <literal>AbstractSecurityInterceptor</literal> before proceeding
     with the secure object invocation, some applications need a way of
@@ -274,7 +274,6 @@ public boolean supports(Class clazz);</programlisting></para>
         <imageobject>
           <imagedata role="html" align="center" fileref="images/AfterInvocation.gif" format="GIF"/>
         </imageobject>
-
         <caption>
           <para>Figure 5: After Invocation Implementation</para>
         </caption>
@@ -341,22 +340,20 @@ public boolean supports(Class clazz);</programlisting></para>
       <literal>Contact</literal> is all that is available before the
       secure object is invoked. The
       <literal>AclAfterInvocationProvider</literal> delivers a solution,
-      and is configured as follows:</para>
-
-      <para><programlisting>&lt;bean id="afterAclRead"
-          class="org.springframework.security.afterinvocation.AclEntryAfterInvocationProvider"&gt;
-&lt;constructor-arg&gt;
-&lt;ref bean="aclService"/&gt;
-&lt;/constructor-arg&gt;
-&lt;constructor-arg&gt;
-&lt;list&gt;
-  &lt;ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/&gt;
-  &lt;ref local="org.springframework.security.acls.domain.BasePermission.READ"/&gt;
-&lt;/list&gt;
-&lt;/constructor-arg&gt;
-&lt;/bean&gt;      </programlisting></para>
-
-      <para>In the above example, the <literal>Contact</literal> will be
+      and is configured as follows:
+<programlisting><![CDATA[
+<bean id="afterAclRead"
+   class="org.springframework.security.afterinvocation.AclEntryAfterInvocationProvider">
+  <constructor-arg ref="aclService"/>
+  <constructor-arg>
+    <list>
+      <ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
+      <ref local="org.springframework.security.acls.domain.BasePermission.READ"/>
+    </list>
+  </constructor-arg>
+</bean>
+]]></programlisting>
+        In the above example, the <literal>Contact</literal> will be
       retrieved and passed to the
       <literal>AclEntryAfterInvocationProvider</literal>. The provider
       will thrown an <literal>AccessDeniedException</literal> if one of
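Review bot: the trailing context line "will thrown an <literal>AccessDeniedException</literal>" should read "will throw an"; worth fixing while this paragraph is being touched. In the listing, `class="..."` on the second line is indented three spaces whereas the other bean listings in this patch use four.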
@@ -373,22 +370,20 @@ public boolean supports(Class clazz);</programlisting></para>
       elements for which a principal does not have access. It never thrown
       an <literal>AccessDeniedException</literal> - simply silently
       removes the offending elements. The provider is configured as
-      follows:</para>
-
-      <para><programlisting>&lt;bean id="afterAclCollectionRead"
-          class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider"&gt;
-&lt;constructor-arg&gt;
-&lt;ref bean="aclService"/&gt;
-&lt;/constructor-arg&gt;
-&lt;constructor-arg&gt;
-&lt;list&gt;
-  &lt;ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/&gt;
-  &lt;ref local="org.springframework.security.acls.domain.BasePermission.READ"/&gt;
-&lt;/list&gt;
-&lt;/constructor-arg&gt;
-&lt;/bean&gt;    </programlisting></para>
-
-      <para>As you can imagine, the returned <literal>Object</literal>
+      follows:
+<programlisting><![CDATA[
+<bean id="afterAclCollectionRead"
+    class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider">
+  <constructor-arg ref="aclService"/>
+  <constructor-arg>
+    <list>
+      <ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
+      <ref local="org.springframework.security.acls.domain.BasePermission.READ"/>
+    </list>
+  </constructor-arg>
+</bean>
+]]>    </programlisting>
+        As you can imagine, the returned <literal>Object</literal>
       must be a <literal>Collection</literal> or array for this provider
       to operate. It will remove any element if the
       <literal>AclManager</literal> indicates the
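Review bot: `]]>    </programlisting>` leaves four spaces inside the listing, which will render as a stray whitespace line at the end of the example; the other listings close with `]]></programlisting>`. The leading context line "It never thrown an" should also read "It never throws an".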
@@ -427,16 +422,18 @@ public boolean supports(Class clazz);</programlisting></para>
       <literal>BasicAclAfterInvocationProvider</literal> delivers a
       solution, and is configured as follows:</para>
 
-      <para><programlisting>&lt;bean id="afterAclRead"
-          class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationProvider"&gt;
-&lt;property name="aclManager"&gt;&lt;ref local="aclManager"/&gt;&lt;/property&gt;
-&lt;property name="requirePermission"&gt;
-&lt;list&gt;
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/&gt;
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/&gt;
-&lt;/list&gt;
-&lt;/property&gt;
-&lt;/bean&gt;       </programlisting></para>
+      <para><programlisting><![CDATA[
+<bean id="afterAclRead"
+    class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationProvider">
+  <property name="aclManager"><ref local="aclManager"/></property>
+  <property name="requirePermission">
+    <list>
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
+    </list>
+  </property>
+</bean> 
+]]>      </programlisting></para>
 
       <para>In the above example, the <literal>Contact</literal> will be
       retrieved and passed to the
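Review bot: `<property name="aclManager"><ref local="aclManager"/></property>` is kept in the nested form here, while the `BasicAclEntryVoter` listing earlier in this file was converted to the `ref="aclManager"` shorthand; use one style throughout. There is also a trailing space after `</bean> ` and whitespace between `]]>` and `</programlisting>`, both of which end up inside the rendered listing.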
@@ -455,20 +452,20 @@ public boolean supports(Class clazz);</programlisting></para>
       elements for which a principal does not have access. It never thrown
       an <literal>AccessDeniedException</literal> - simply silently
       removes the offending elements. The provider is configured as
-      follows:</para>
-
-      <para><programlisting>&lt;bean id="afterAclCollectionRead"
-          class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider"&gt;
-&lt;property name="aclManager"&gt;&lt;ref local="aclManager"/&gt;&lt;/property&gt;
-&lt;property name="requirePermission"&gt;
-&lt;list&gt;
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/&gt;
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/&gt;
-&lt;/list&gt;
-&lt;/property&gt;
-&lt;/bean&gt;       </programlisting></para>
-
-      <para>As you can imagine, the returned <literal>Object</literal>
+      follows:
+<programlisting><![CDATA[
+<bean id="afterAclCollectionRead"
+    class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider">
+  <property name="aclManager"><ref local="aclManager"/></property>
+  <property name="requirePermission">
+    <list>
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
+    </list>
+  </property>
+</bean> 
+]]></programlisting>
+        As you can imagine, the returned <literal>Object</literal>
       must be a <literal>Collection</literal> or array for this provider
       to operate. It will remove any element if the
       <literal>AclManager</literal> indicates the
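Review bot: same inconsistency as the `afterAclRead` listing above: `<property name="aclManager"><ref local="aclManager"/></property>` rather than the `ref="aclManager"` shorthand used elsewhere in this patch, and a trailing space after `</bean> `. The leading context line "It never thrown an" should read "It never throws an".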
@@ -490,11 +487,14 @@ public boolean supports(Class clazz);</programlisting></para>
     <para>The following JSP fragment illustrates how to use the
     <literal>AuthorizeTag</literal>:</para>
 
-    <para><programlisting>&lt;security:authorize ifAllGranted="ROLE_SUPERVISOR"&gt;
-&lt;td&gt;
-&lt;A HREF="del.htm?id=&lt;c:out value="${contact.id}"/&gt;"&gt;Del&lt;/A&gt;
-&lt;/td&gt;
-&lt;/security:authorize&gt;          </programlisting></para>
+    <para><programlisting>
+<![CDATA[
+<security:authorize ifAllGranted="ROLE_SUPERVISOR">
+<td>
+<a href="del.htm?id=<c:out value="${contact.id}"/>">Del</a>
+</td>
+</security:authorize>
+]]></programlisting></para>
 
     <para>This tag would cause the tag's body to be output if the
     principal has been granted ROLE_SUPERVISOR.</para>
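Review bot: `<![CDATA[` on its own line after `<programlisting>` gives the rendered listing a leading blank line; `<programlisting><![CDATA[` would match the other listings in this file. The `<td>` and `<a>` lines could also be indented under `<security:authorize>` so the tag body is visually distinct, as was done for the bean listings.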
@@ -551,13 +551,13 @@ public boolean supports(Class clazz);</programlisting></para>
     object.</para>
 
     <para>The following JSP fragment illustrates how to use the
-    <literal>AccessControlListTag</literal>:</para>
-
-    <para><programlisting>&lt;security:accesscontrollist domainObject="${contact}" hasPermission="8,16"&gt;
-&lt;td&gt;&lt;A HREF="&lt;c:url value="del.htm"&gt;&lt;c:param name="contactId" value="${contact.id}"/&gt;&lt;/c:url&gt;"&gt;Del&lt;/A&gt;&lt;/td&gt;
-&lt;/security:accesscontrollist&gt;</programlisting></para>
-
-    <para>This tag would cause the tag's body to be output if the
+    <literal>AccessControlListTag</literal>:
+<programlisting><![CDATA[
+<security:accesscontrollist domainObject="${contact}" hasPermission="8,16">
+<td><a href="<c:url value="del.htm"><c:param name="contactId" value="${contact.id}"/></c:url>">Del</a></td>
+</security:accesscontrollist>
+]]></programlisting>
+    This tag would cause the tag's body to be output if the
     principal holds either permission 16 or permission 1 for the "contact"
     domain object. The numbers are actually integers that are used with
     <literal>BasePermission</literal> bit masking. Please refer to the ACL
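Review bot: the listing says `hasPermission="8,16"` but the sentence that follows says the body is output if the principal holds "either permission 16 or permission 1"; one of the two should change so the example and its explanation agree.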

+ 14 - 62
src/docbkx/cas-auth-provider.xml

@@ -3,7 +3,6 @@
 
   <section xml:id="cas-overview">
       <info><title>Overview</title></info>
-    
 
     <para>JA-SIG produces an enterprise-wide single sign on system known
     as CAS. Unlike other initiatives, JA-SIG's Central Authentication
@@ -15,22 +14,17 @@
     server.</para>
 
     <para>You can learn more about CAS at
-    <literal>http://www.ja-sig.org/products/cas/</literal>. You will need
-    to visit this URL to download the CAS Server files. Whilst Spring
-    Security includes two CAS libraries in the "-with-dependencies" ZIP
-    file, you will still need the CAS Java Server Pages and
-    <literal>web.xml</literal> to customise and deploy your CAS
-    server.</para>
+    <literal>http://www.ja-sig.org/products/cas/</literal>. You will also need
+    to visit this site to download the CAS Server files.</para>
   </section>
 
-  <section xml:id="cas-how-it-works"><info><title>How CAS Works</title></info>
-    
+  <section xml:id="cas-how-it-works">
+    <info><title>How CAS Works</title></info>
 
-    <para>Whilst the CAS web site above contains two documents that detail
+    <para>Whilst the CAS web site contains documents that detail
     the architecture of CAS, we present the general overview again here
-    within the context of Spring Security. The following refers to both
-    CAS 2.0 (produced by Yale) and CAS 3.0 (produced by JA-SIG), being the
-    versions of CAS that Spring Security supports.</para>
+    within the context of Spring Security. Spring Security 2.0 supports
+    CAS 3. At the time of writing, the CAS server was at version 3.2.</para>
 
     <para>Somewhere in your enterprise you will need to setup a CAS
     server. The CAS server is simply a standard WAR file, so there isn't
@@ -38,69 +32,27 @@
     you will customise the login and other single sign on pages displayed
     to users.</para>
 
-    <para>If you are deploying CAS 2.0, you will also need to specify in
-    the web.xml a <literal>PasswordHandler</literal>. The
-    <literal>PasswordHandler</literal> has a simple method that returns a
-    boolean as to whether a given username and password is valid. Your
-    <literal>PasswordHandler</literal> implementation will need to link
-    into some type of backend authentication repository, such as an LDAP
-    server or database.</para>
-
-    <para>If you are already running an existing CAS 2.0 server instance,
-    you will have already established a
-    <literal>PasswordHandler</literal>. If you do not already have a
-    <literal>PasswordHandler</literal>, you might prefer to use Spring
-    Security's <literal>CasPasswordHandler</literal> class. This class
-    delegates through to the standard Spring Security
-    <literal>AuthenticationManager</literal>, enabling you to use a
-    security configuration you might already have in place. You do not
-    need to use the <literal>CasPasswordHandler</literal> class on your
-    CAS server if you do not wish. Spring Security will function as a CAS
-    client successfully irrespective of the
-    <literal>PasswordHandler</literal> you've chosen for your CAS
-    server.</para>
-
-    <para>If you are deploying CAS 3.0, you will also need to specify an
+    <para>When deploying a CAS 3.2 server, you will also need to specify an
     <literal>AuthenticationHandler</literal> in the
-    deployerConfigContext.xml included with CAS. The
+    <filename>deployerConfigContext.xml</filename> included with CAS. The
     <literal>AuthenticationHandler</literal> has a simple method that
     returns a boolean as to whether a given set of Credentials is valid.
     Your <literal>AuthenticationHandler</literal> implementation will need
     to link into some type of backend authentication repository, such as
     an LDAP server or database. CAS itself includes numerous
     <literal>AuthenticationHandler</literal>s out of the box to assist
-    with this.</para>
-
-    <para>If you are already running an existing CAS 3.0 server instance,
-    you will have already established an
-    <literal>AuthenticationHandler</literal>. If you do not already have
-    an <literal>AuthenticationHandler</literal>, you might prefer to use
-    Spring Security <literal>CasAuthenticationHandler</literal> class.
-    This class delegates through to the standard Spring Security
-    <literal>AuthenticationManager</literal>, enabling you to use a
-    security configuration you might already have in place. You do not
-    need to use the <literal>CasAuthenticationHandler</literal> class on
-    your CAS server if you do not wish. Spring Security will function as a
-    CAS client successfully irrespective of the
-    <literal>AuthenticationHandler</literal> you've chosen for your CAS
-    server.</para>
+    with this. When you download and deploy the server war file, it is set up
+    to successfully authenticate users who enter a password matching their
+    username, which is sueful for testing.</para>
 
-    <para>Apart from the CAS server itself, the other key player is of
+    <para>Apart from the CAS server itself, the other key players are of
     course the secure web applications deployed throughout your
     enterprise. These web applications are known as "services". There are
     two types of services: standard services and proxy services. A proxy
     service is able to request resources from other services on behalf of
     the user. This will be explained more fully later.</para>
 
-    <para>Services can be developed in a large variety of languages, due
-    to CAS 2.0's very light XML-based protocol. The JA-SIG CAS home page
-    contains a clients archive which demonstrates CAS clients in Java,
-    Active Server Pages, Perl, Python and others. Naturally, Java support
-    is very strong given the CAS server is written in Java. You do not
-    need to use any of CAS' client classes in applications secured by
-    Spring Security. This is handled transparently for you.</para>
-
-    <para>The basic interaction between a web browser, CAS server and n
+    <para>The basic interaction between a web browser, CAS server and a
     Spring Security-secured service is as follows:</para>
 
     <orderedlist inheritnum="ignore" continuation="restarts">
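Review bot: typo in the added text: "sueful" should be "useful". Since the same sentence says the downloaded server accepts any password that matches the username, it is worth adding that this default `AuthenticationHandler` must be replaced before the CAS server is used for anything other than local testing.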

+ 33 - 33
src/docbkx/channel-security.xml

@@ -1,11 +1,10 @@
-<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="channel-security">
+<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="channel-security" xmlns:xlink="http://www.w3.org/1999/xlink">
 
 <info><title>Channel Security</title></info>
 
 <section xml:id="channel-security-overview">
     <info><title>Overview</title></info>
     
-    
     <para>In addition to coordinating the authentication and authorization
         requirements of your application, Spring Security is also able to
         ensure unauthenticated web requests have certain properties. These
@@ -35,37 +34,38 @@
         Security provides a solution to assist with the latter.</para>
 </section>
 
-<section xml:id="channel-security-config"><info><title>Configuration</title></info>
-    
-        
-    <para>To use chanel security, you should define the following the filter in your application
+<section xml:id="channel-security-config">
+    <info><title>Configuration</title></info>
+    <para>Channel security is supported by the <link xlink:href="#namespace-auto-config">security namespace</link>
+        by means of the <literal>requires-channel</literal> attribute on the <literal>&lt;intercept-url&gt;</literal>
+        element and this is the simplest (and recommended approach)</para>
+    <para>To confiure channel security explicitly, you would define the following the filter in your application
         context:</para>
     
     <para><programlisting> 
-    &lt;bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter"&gt;
-        &lt;property name="channelDecisionManager" ref="channelDecisionManager"/&gt;
-        &lt;property name="filterInvocationDefinitionSource"&gt;
-            &lt;security:filter-invocation-definition-source path-type="regex"&gt;
-                &lt;security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/&gt;
-                &lt;security:intercept-url pattern="\A/acegilogin.jsp.*\" access="REQUIRES_SECURE_CHANNEL"/&gt;
-                &lt;security:intercept-url pattern="\A/j_spring_security_check.*\Z" access="REQUIRES_SECURE_CHANNEL"/&gt;
-                &lt;security:intercept-url pattern="\A/.*\Z" access="REQUIRES_INSECURE_CHANNEL"/&gt;
-            &lt;/security:filter-invocation-definition-source&gt;                
-        &lt;/property&gt;
-    &lt;/bean&gt;
-        
-    &lt;bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl"&gt;
-        &lt;property name="channelProcessors"&gt;
-            &lt;list&gt;
-            &lt;ref bean="secureChannelProcessor"/&gt;
-            &lt;ref bean="insecureChannelProcessor"/&gt;
-            &lt;/list&gt;
-        &lt;/property&gt;
-    &lt;/bean&gt;
-        
-    &lt;bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/&gt;
-    &lt;bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/&gt;
-         
+&lt;bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter"&gt;
+  &lt;property name="channelDecisionManager" ref="channelDecisionManager"/&gt;
+  &lt;property name="filterInvocationDefinitionSource"&gt;
+    &lt;security:filter-invocation-definition-source path-type="regex"&gt;
+      &lt;security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/&gt;
+      &lt;security:intercept-url pattern="\A/acegilogin.jsp.*\" access="REQUIRES_SECURE_CHANNEL"/&gt;
+      &lt;security:intercept-url pattern="\A/j_spring_security_check.*\Z" access="REQUIRES_SECURE_CHANNEL"/&gt;
+      &lt;security:intercept-url pattern="\A/.*\Z" access="REQUIRES_INSECURE_CHANNEL"/&gt;
+    &lt;/security:filter-invocation-definition-source&gt;                
+  &lt;/property&gt;
+  &lt;/bean&gt;
+    
+&lt;bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl"&gt;
+  &lt;property name="channelProcessors"&gt;
+    &lt;list&gt;
+    &lt;ref bean="secureChannelProcessor"/&gt;
+    &lt;ref bean="insecureChannelProcessor"/&gt;
+    &lt;/list&gt;
+  &lt;/property&gt;
+&lt;/bean&gt;
+    
+&lt;bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/&gt;
+&lt;bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/&gt;         
     </programlisting></para>
     
     <para>Like <literal>FilterSecurityInterceptor</literal>, Apache Ant
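Review bot: the re-indented listing keeps `pattern="\A/acegilogin.jsp.*\"`, which ends with a lone backslash and lacks the `\Z` anchor that the sibling patterns have; as a Java regex a trailing backslash is a syntax error, so this context would fail to load. It should read `pattern="\A/acegilogin.jsp.*\Z"`. Note too that the login page is `/acegilogin.jsp` here but `/login.jsp` in the `common-auth-services.xml` hunk of this same commit. In the prose: "confiure" should be "configure", "the following the filter" should be "the following filter", and "(and recommended approach)" should be "(and recommended) approach". The closing `</bean>` of `channelProcessingFilter` is indented two spaces while its opening tag is at column 0. Finally, since the catch-all `\A/.*\Z` entry with `REQUIRES_INSECURE_CHANNEL` only works because it is listed last, the text could say that pattern order matters.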
@@ -124,9 +124,9 @@
         property is <literal>true</literal>.</para>
 </section>
 
-<section xml:id="channel-security-conclusion"><info><title>Conclusion</title></info>
-    
-    
+<section xml:id="channel-security-conclusion">
+    <info><title>Conclusion</title></info>
+
     <para>Once configured, using the channel security filter is very easy.
         Simply request pages without regard to the protocol (ie HTTP or HTTPS)
         or port (eg 80, 8080, 443, 8443 etc). Obviously you'll still need a

+ 94 - 107
src/docbkx/common-auth-services.xml

@@ -1,9 +1,10 @@
-<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="authentication-common-auth-services">
+<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="authentication-common-auth-services" xmlns:xlink="http://www.w3.org/1999/xlink">
   <info><title>Common Authentication Services</title></info>
 
   <section xml:id="mechanisms-providers-entry-points">
-    <info><title>Mechanisms, Providers and Entry Points</title></info>
-    
+    <info>
+      <title>Mechanisms, Providers and Entry Points</title>
+    </info>
 
     <para>If you're using Spring Security-provided authentication
     approaches, you'll usually need to configure a web filter, together
@@ -20,15 +21,15 @@
     this:</para>
 
     <para><programlisting><![CDATA[
-    <filter>
-        <filter-name>filterChainProxy</filter-name>
-        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-    </filter>
-
-    <filter-mapping>
-      <filter-name>filterChainProxy</filter-name>
-      <url-pattern>/*</url-pattern>
-    </filter-mapping>]]>
+<filter>
+    <filter-name>filterChainProxy</filter-name>
+    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+</filter>
+
+<filter-mapping>
+  <filter-name>filterChainProxy</filter-name>
+  <url-pattern>/*</url-pattern>
+</filter-mapping>]]>
 </programlisting></para>
 
     <para>The above declarations will cause every web request to be passed
@@ -184,21 +185,22 @@
     header or HTTP redirect in order to start authentication. Continuing
     on with our earlier example:</para>
 
-    <para><programlisting>&lt;bean id="exceptionTranslationFilter"
-        class="org.springframework.security.ui.ExceptionTranslationFilter"&gt;
-&lt;property name="authenticationEntryPoint"&gt;&lt;ref local="authenticationProcessingFilterEntryPoint"/&gt;&lt;/property&gt;
-&lt;property name="accessDeniedHandler"&gt;
-&lt;bean class="org.springframework.security.ui.AccessDeniedHandlerImpl"&gt;
-  &lt;property name="errorPage" value="/accessDenied.jsp"/&gt;
-&lt;/bean&gt;
-&lt;/property&gt;
-&lt;/bean&gt;
-
-&lt;bean id="authenticationProcessingFilterEntryPoint"
-        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint"&gt;
-&lt;property name="loginFormUrl"&gt;&lt;value&gt;/acegilogin.jsp&lt;/value&gt;&lt;/property&gt;
-&lt;property name="forceHttps"&gt;&lt;value&gt;false&lt;/value&gt;&lt;/property&gt;
-&lt;/bean&gt;</programlisting></para>
+    <para><programlisting><![CDATA[
+<bean id="exceptionTranslationFilter"
+        class="org.springframework.security.ui.ExceptionTranslationFilter">
+  <property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint"/>
+  <property name="accessDeniedHandler">
+    <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
+      <property name="errorPage" value="/accessDenied.jsp"/>
+    </bean>
+  </property>
+</bean>
+
+<bean id="authenticationProcessingFilterEntryPoint"
+        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
+  <property name="loginFormUrl" value="/login.jsp"/>
+  <property name="forceHttps">< value="false"/>
+</bean>]]></programlisting></para>
 
     <para>Notice that the <literal>ExceptionTranslationFilter</literal>
     requires two collaborators. The first,
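Review bot: the `forceHttps` line in the rewritten `authenticationProcessingFilterEntryPoint` bean is not well-formed XML: `<property name="forceHttps">< value="false"/>` has a dangling `<` and no closing `</property>`, so the listing breaks for anyone who pastes it. It should read `<property name="forceHttps" value="false"/>`, in the same attribute form as the `loginFormUrl` line directly above it.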
@@ -270,9 +272,8 @@
     that, Spring Security does include a couple of useful base
     implementations, which we'll look at below.</para>
 
-    <section xml:id="in-memory-service"><info><title>In-Memory Authentication</title></info>
-      
-
+    <section xml:id="in-memory-service">
+      <info><title>In-Memory Authentication</title></info>
       <para>Whilst it is easy to use create a custom
       <literal>UserDetailsService</literal> implementation that extracts
       information from a persistence engine of choice, many applications
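Review bot: the unchanged context line "Whilst it is easy to use create a custom" has a leftover word; since this hunk already touches the section header it would be cheap to make it "Whilst it is easy to create a custom".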
@@ -281,52 +282,34 @@
       Security, when you don't really want to spend time configuring
       databases or writing <literal>UserDetailsService</literal>
       implementations. For this sort of situation, a simple option is to
-      configure the <literal>InMemoryDaoImpl</literal>
-      implementation:</para>
-
-      <para><programlisting>&lt;bean id="inMemoryDaoImpl"
-          class="org.springframework.security.userdetails.memory.InMemoryDaoImpl"&gt;
-&lt;property name="userMap"&gt;
-&lt;value&gt;
-  rod=koala,ROLE_TELLER,ROLE_SUPERVISOR
-  dianne=emu,ROLE_TELLER
-  scott=wombat,ROLE_TELLER
-  peter=opal,disabled,ROLE_TELLER
-&lt;/value&gt;
-&lt;/property&gt;
-&lt;/bean&gt;        </programlisting></para>
-
-      <para>In the above example, the <literal>userMap</literal> property
-      contains each of the usernames, passwords, a list of granted
-      authorities and an optional enabled/disabled keyword. Commas are
-      used to delimit each token. The username must appear to the left of
-      the equals sign, and the password must be the first token to the
-      right of the equals sign. The <literal>enabled</literal> and
-      <literal>disabled</literal> keywords (case insensitive) may appear
-      in the second or any subsequent token. Any remaining tokens are
-      treated as granted authorities, which are created as
-      <literal>GrantedAuthorityImpl</literal> objects (this is just for
-      your reference - most applications don't need custom
-      <literal>GrantedAuthority</literal> implementations, so using the
-      default implementation in this manner is just fine). Note that if a
-      user has no password and/or no granted authorities, the user will
-      not be created in the in-memory authentication repository.</para>
-
-      <para><literal>InMemoryDaoImpl</literal> also offers a
-      <literal>setUserProperties(Properties)</literal> method, which
-      allows you to externalise the
-      <literal>java.util.Properties</literal> in another Spring configured
-      bean or an external properties file. You might like to use Spring's
-      <literal>PropertiesFactoryBean</literal>, which is useful for
-      loading such external properties files. This setter might prove
-      useful for simple applications that have a larger number of users,
-      or deployment-time configuration changes, but do not wish to use a
-      full database for handling authentication details.</para>
+      use the <literal>user-service</literal> element from the security 
+        <link xlink:href="#namespace-minimal" >namespace</link>:
+<programlisting><![CDATA[
+    <user-service id="userDetailsService">
+      <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
+      <user name="bob" password="bobspassword" authorities="ROLE_USER" />
+    </user-service>
+  ]]>
+</programlisting>
+        This also suppots the use of an external properties file:
+        <programlisting><![CDATA[
+    <user-service id="userDetailsService" properties="users.properties"/>
+  ]]>
+        </programlisting>
+        The properties file should contain entries in the form
+<programlisting>
+  username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
+</programlisting>
+        For example
+<programlisting>
+  jimi=jimispassword,ROLE_USER,ROLE_ADMIN,enabled
+  bob=bobspassword,ROLE_USER,enabled  
+</programlisting>
+      </para>
     </section>
 
-    <section xml:id="jdbc-service"><info><title>JDBC Authentication</title></info>
-      
-
+    <section xml:id="jdbc-service">
+      <info><title>JDBC Authentication</title></info>
       <para>Spring Security also includes a
       <literal>UserDetailsService</literal> that can obtain authentication
       information from a JDBC data source. Internally Spring JDBC is used,
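Review bot: "This also suppots the use of an external properties file" should be "supports". Two documentation points on the replacement text: the removed `InMemoryDaoImpl` paragraph told readers that `enabled`/`disabled` may appear in any token after the password and that a user with no password or no authorities is silently not created, whereas the new format line `username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]` pins the keyword to the last position; either restore those two sentences or confirm the narrower format is what the new code accepts. Also, both `user-service` examples show cleartext passwords, and since this commit's namespace chapter documents `<password-encoder>`, a one-line pointer there would help readers who copy the example.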
@@ -338,16 +321,18 @@
       <literal>JdbcDaoImpl</literal>, an example configuration is shown
       below:</para>
 
-      <para><programlisting>&lt;bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"&gt;
-&lt;property name="driverClassName"&gt;&lt;value&gt;org.hsqldb.jdbcDriver&lt;/value&gt;&lt;/property&gt;
-&lt;property name="url"&gt;&lt;value&gt;jdbc:hsqldb:hsql://localhost:9001&lt;/value&gt;&lt;/property&gt;
-&lt;property name="username"&gt;&lt;value&gt;sa&lt;/value&gt;&lt;/property&gt;
-&lt;property name="password"&gt;&lt;value&gt;&lt;/value&gt;&lt;/property&gt;
-&lt;/bean&gt;
+      <para><programlisting>
+<![CDATA[
+<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
+  <property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
+  <property name="url" value="jdbc:hsqldb:hsql://localhost:9001"/>
+  <property name="username" value="sa"/>
+  <property name="password" value=""/>
+</bean>
 
-&lt;bean id="jdbcDaoImpl" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl"&gt;
-&lt;property name="dataSource"&gt;&lt;ref bean="dataSource"/&gt;&lt;/property&gt;
-&lt;/bean&gt;        </programlisting></para>
+<bean id="jdbcDaoImpl" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
+  <property name="dataSource" ref="dataSource"/>
+</bean> ]]>       </programlisting></para>
 
       <para>You can use different relational database management systems
       by modifying the <literal>DriverManagerDataSource</literal> shown
@@ -372,8 +357,8 @@
     </section>
   </section>
 
-  <section xml:id="concurrent-sessions"><info><title>Concurrent Session Handling</title></info>
-    
+  <section xml:id="concurrent-sessions">
+    <info><title>Concurrent Session Handling</title></info>
 
     <para>Spring Security is able to prevent a principal from concurrently
     authenticating to the same application more than a specified number of
@@ -411,40 +396,42 @@
     <literal>ConcurrentSessionControllerImpl</literal> and refer to it
     from your <literal>ProviderManager</literal> bean:</para>
 
-    <para><programlisting>&lt;bean id="authenticationManager"
-        class="org.springframework.security.providers.ProviderManager"&gt;
-&lt;property name="providers"&gt;
-&lt;!-- your providers go here --&gt;
-&lt;/property&gt;
-&lt;property name="sessionController"&gt;&lt;ref bean="concurrentSessionController"/&gt;&lt;/property&gt;
-&lt;/bean&gt;
-
-&lt;bean id="concurrentSessionController"
-        class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl"&gt;
-&lt;property name="maximumSessions"&gt;&lt;value&gt;1&lt;/value&gt;&lt;/property&gt;
-&lt;property name="sessionRegistry"&gt;&lt;ref local="sessionRegistry"/&gt;&lt;/property&gt;
-&lt;/bean&gt;
-
-&lt;bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl"/&gt;</programlisting></para>
+    <para>
+      <programlisting><![CDATA[
+<bean id="authenticationManager"
+    class="org.springframework.security.providers.ProviderManager">
+  <property name="providers">
+    <!-- your providers go here -->
+  </property>
+  <property name="sessionController" ref="concurrentSessionController"/>
+</bean>
+
+<bean id="concurrentSessionController"
+    class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
+  <property name="maximumSessions" value="1"/>
+  <property name="sessionRegistry">
+    <bean class="org.springframework.security.concurrent.SessionRegistryImpl"/>
+  <property>
+</bean>
+]]></programlisting></para>
   </section>
 
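Review bot: the inner `SessionRegistryImpl` bean in the rewritten `concurrentSessionController` definition is not closed: the line after the inner bean reads `<property>` where it should be `</property>`, so the listing is not well-formed XML. Separately, the removed version declared the registry as a top-level bean with `id="sessionRegistry"`; folding it into an anonymous inner bean means no other bean in the context can reference the registry, which readers of a concurrent-session chapter will typically need, so consider keeping the named bean and referencing it with `ref="sessionRegistry"`.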
-  <section xml:id="authentication-taglibs"><info><title>Authentication Tag Libraries</title></info>
+  <section xml:id="authentication-taglibs">
+    <info><title>Authentication Tag Libraries</title></info>
     
-
     <para><literal>AuthenticationTag</literal> is used to simply output a
-    property of the current principal's
-    <literal>Authentication.getPrincipal()</literal> object to the web
+    property of the current <literal>Authentication</literal> object to the web
     page.</para>
 
     <para>The following JSP fragment illustrates how to use the
     <literal>AuthenticationTag</literal>:</para>
 
-    <para><programlisting>&lt;security:authentication operation="username"/&gt;</programlisting></para>
+    <para><programlisting>&lt;security:authentication property="principal.username"/&gt;</programlisting></para>
 
     <para>This tag would cause the principal's name to be output. Here we
     are assuming the <literal>Authentication.getPrincipal()</literal> is a
     <literal>UserDetails</literal> object, which is generally the case
-    when using the typical
-    <literal>DaoAuthenticationProvider</literal>.</para>
+    when using one of Spring Security's stadard <literal>AuthenticationProvider</literal>
+      implementations.</para>
   </section>
 </chapter>
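Review bot: "stadard" in the rewritten closing sentence should be "standard". The tag example now uses `property="principal.username"` while the opening sentence was changed to say the tag outputs a property of the `Authentication` object; that is consistent, but it would help to say explicitly that the `principal.` prefix is what reaches into `Authentication.getPrincipal()`, since the following paragraph still assumes that object is a `UserDetails`.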

+ 35 - 36
src/docbkx/dao-auth-provider.xml

@@ -1,9 +1,10 @@
-<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dao-provider"><info><title>DAO Authentication Provider</title></info>
+<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dao-provider">
 
+<info><title>DAO Authentication Provider</title></info>
+
+<section xml:id="dao-provider-overview">
+    <info><title>Overview</title></info>
 
-<section xml:id="dao-provider-overview"><info><title>Overview</title></info>
-    
-    
     <para>Spring Security includes a production-quality
         <literal>AuthenticationProvider</literal> implementation called
         <literal>DaoAuthenticationProvider</literal>. This authentication
@@ -20,8 +21,8 @@
         object.</para>
 </section>
 
-<section xml:id="dao-provider-config"><info><title>Configuration</title></info>
-    
+<section xml:id="dao-provider-config">
+    <info><title>Configuration</title></info>
     
     <para>Aside from adding DaoAuthenticationProvider to your
         ProviderManager list (as discussed at the start of this part of the
@@ -29,12 +30,15 @@
         configured to present a UsernamePasswordAuthenticationToken, the
         configuration of the provider itself is rather simple:</para>
     
-    <para><programlisting>&lt;bean id="daoAuthenticationProvider"
-        class="org.springframework.security.providers.dao.DaoAuthenticationProvider"&gt;
-        &lt;property name="userDetailsService"&gt;&lt;ref bean="inMemoryDaoImpl"/&gt;&lt;/property&gt;
-        &lt;property name="saltSource"&gt;&lt;ref bean="saltSource"/&gt;&lt;/property&gt;
-        &lt;property name="passwordEncoder"&gt;&lt;ref bean="passwordEncoder"/&gt;&lt;/property&gt;
-        &lt;/bean&gt;        </programlisting></para>
+    <para><programlisting>
+        <![CDATA[
+<bean id="daoAuthenticationProvider"
+    class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
+  <property name="userDetailsService" ref="inMemoryDaoImpl"/>
+  <property name="saltSource" ref bean="saltSource"/>
+  <property name="passwordEncoder" ref="passwordEncoder"/>
+</bean>  ]]>      
+    </programlisting></para>
     
     <para>The <literal>PasswordEncoder</literal> and
         <literal>SaltSource</literal> are optional. A
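Review bot: `<property name="saltSource" ref bean="saltSource"/>` in the added listing mixes the attribute form with the nested-element form and is not well-formed (a bare `ref` attribute with no value). It should be `<property name="saltSource" ref="saltSource"/>`, matching the `userDetailsService` and `passwordEncoder` lines around it.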
@@ -65,31 +69,26 @@
         A usable caching implementation is also provided,
         <literal>EhCacheBasedUserCache</literal>, which is configured as
         follows:</para>
-    
-    <para><programlisting>&lt;bean id="daoAuthenticationProvider"
-        class="org.springframework.security.providers.dao.DaoAuthenticationProvider"&gt;
-        &lt;property name="userDetailsService"&gt;&lt;ref bean="userDetailsService"/&gt;&lt;/property&gt;
-        &lt;property name="userCache"&gt;&lt;ref bean="userCache"/&gt;&lt;/property&gt;
-        &lt;/bean&gt;
+    <para><programlisting><![CDATA[
+<bean id="daoAuthenticationProvider"
+    class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
+  <property name="userDetailsService"><ref bean="userDetailsService"/></property>
+  <property name="userCache"><ref bean="userCache"/></property>
+</bean>
         
-        &lt;bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"&gt;
-        &lt;property name="configLocation"&gt;
-        &lt;value&gt;classpath:/ehcache-failsafe.xml&lt;/value&gt;
-        &lt;/property&gt;
-        &lt;/bean&gt;
-        
-        &lt;bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"&gt;
-        &lt;property name="cacheManager"&gt;
-        &lt;ref local="cacheManager"/&gt;
-        &lt;/property&gt;
-        &lt;property name="cacheName"&gt;
-        &lt;value&gt;userCache&lt;/value&gt;
-        &lt;/property&gt;
-        &lt;/bean&gt;
-        
-        &lt;bean id="userCache" class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache"&gt;
-        &lt;property name="cache"&gt;&lt;ref local="userCacheBackend"/&gt;&lt;/property&gt;
-        &lt;/bean&gt;        </programlisting></para>
+<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
+  <property name="configLocation" value="classpath:/ehcache-failsafe.xml"/>
+</bean>
+    
+<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
+  <property name="cacheManager" ref="cacheManager"/>
+  <property name="cacheName" value="userCache"/>
+</bean>
+
+<bean id="userCache" class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache">
+  <property name="cache" ref="userCacheBackend"/>
+</bean>]]>        
+    </programlisting></para>
     
     <para>All Spring Security EH-CACHE implementations (including
         <literal>EhCacheBasedUserCache</literal>) require an EH-CACHE
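Review bot: the two `<property>` lines on the rewritten `daoAuthenticationProvider` bean still use the nested `<ref bean="..."/>` form while every other listing in this commit was converted to the `ref="..."` attribute; for consistency use `<property name="userDetailsService" ref="userDetailsService"/>` and `<property name="userCache" ref="userCache"/>`. The trailing spaces after `]]>` also end up inside the rendered `programlisting`.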

+ 18 - 15
src/docbkx/digest-authentication.xml

@@ -33,10 +33,11 @@
             This is a value the server generates. Spring Security's nonce adopts
             the following format:</para>
         
-        <para><programlisting>base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
+        <para><programlisting>
+    base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
             
-            expirationTime:   The date and time when the nonce expires, expressed in milliseconds
-            key:              A private key to prevent modification of the nonce token
+    expirationTime:   The date and time when the nonce expires, expressed in milliseconds
+    key:              A private key to prevent modification of the nonce token
         </programlisting></para>
         
         <para>The <literal>DigestProcessingFilterEntryPoint</literal> has a
@@ -89,18 +90,20 @@
             collaborators:</para>
         
         <para><programlisting>
-            &lt;bean id="digestProcessingFilter" class="org.springframework.security.ui.digestauth.DigestProcessingFilter"&gt;
-            &lt;property name="userDetailsService"&gt;&lt;ref local="jdbcDaoImpl"/&gt;&lt;/property&gt;
-            &lt;property name="authenticationEntryPoint"&gt;&lt;ref local="digestProcessingFilterEntryPoint"/&gt;&lt;/property&gt;
-            &lt;property name="userCache"&gt;&lt;ref local="userCache"/&gt;&lt;/property&gt;
-            &lt;/bean&gt;
-            
-            &lt;bean id="digestProcessingFilterEntryPoint"
-            class="org.springframework.security.ui.digestauth.DigestProcessingFilterEntryPoint"&gt;
-            &lt;property name="realmName"&gt;&lt;value&gt;Contacts Realm via Digest Authentication&lt;/value&gt;&lt;/property&gt;
-            &lt;property name="key"&gt;&lt;value&gt;acegi&lt;/value&gt;&lt;/property&gt;
-            &lt;property name="nonceValiditySeconds"&gt;&lt;value&gt;10&lt;/value&gt;&lt;/property&gt;
-            &lt;/bean&gt;
+<![CDATA[
+<bean id="digestProcessingFilter" 
+    class="org.springframework.security.ui.digestauth.DigestProcessingFilter">
+  <property name="userDetailsService" ref="jdbcDaoImpl"/>
+  <property name="authenticationEntryPoint" ref="digestProcessingFilterEntryPoint"/>
+  <property name="userCache" ref="userCache"/>
+</bean>
+
+<bean id="digestProcessingFilterEntryPoint"
+    class="org.springframework.security.ui.digestauth.DigestProcessingFilterEntryPoint">
+  <property name="realmName" value="Contacts Realm via Digest Authentication"/>
+  <property name="key" value="acegi"/>
+  <property name="nonceValiditySeconds" value="10"/>
+</bean>]]>
             
         </programlisting></para>
         

+ 8 - 8
src/docbkx/form-authentication.xml

@@ -20,14 +20,14 @@
             monitored by the filter (by default
             <literal>j_spring_security_check</literal>). You should add an 
             <literal>AuthenticationProcessingFilter</literal> to you application context:
-            <programlisting>             
-    &lt;bean id="authenticationProcessingFilter"
-            class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter"&gt;
-        &lt;property name="authenticationManager" ref="authenticationManager"/&gt;
-        &lt;property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/&gt;
-        &lt;property name="defaultTargetUrl" value="/"/&gt;
-        &lt;property name="filterProcessesUrl" value="/j_spring_security_check"/&gt;
-    &lt;/bean&gt;         
+            <programlisting><![CDATA[    
+<bean id="authenticationProcessingFilter"
+    class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
+  <property name="authenticationManager" ref="authenticationManager"/>
+  <property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
+  <property name="defaultTargetUrl" value="/"/>
+  <property name="filterProcessesUrl" value="/j_spring_security_check"/>
+</bean> ]]>        
             </programlisting></para>
         
         <para>The configured <literal>AuthenticationManager</literal>
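Review bot: the failure URL changes from `/acegilogin.jsp?login_error=1` to `/login.jsp?login_error=1`, which matches the `loginFormUrl` change in authentication-common.xml; the commit message should mention the rename, since readers following the old examples will have a page by the old name. While here, the unchanged context line above reads "to you application context" and should be "to your application context", and the whitespace after `]]>` is rendered inside the listing.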

+ 8 - 13
src/docbkx/jaas-auth-provider.xml

@@ -21,19 +21,16 @@
         
         <para>Let’s assume we have a JAAS login configuration file,
             <literal>/WEB-INF/login.conf</literal>, with the following
-            contents:</para>
-        
-        <para><programlisting>JAASTest {
-            sample.SampleLoginModule required;
-            };</programlisting></para>
-        
+            contents:
+<programlisting>
+JAASTest {
+    sample.SampleLoginModule required;
+};</programlisting></para>      
         <para>Like all Spring Security beans, the
             <literal>JaasAuthenticationProvider</literal> is configured via the
             application context. The following definitions would correspond to the
-            above JAAS login configuration file:</para>
-        
-        <para><programlisting>
-             <![CDATA[
+            above JAAS login configuration file:
+<programlisting><![CDATA[
 <bean id="jaasAuthenticationProvider"
             class="org.springframework.security.providers.jaas.JaasAuthenticationProvider">
   <property name="loginConfig" value="/WEB-INF/login.conf"/>
@@ -50,8 +47,7 @@
     </list>
   </property>
 </bean> 
-]]>
-        </programlisting></para>
+]]></programlisting></para>
         
         <para>The <literal>CallbackHandler</literal>s and
             <literal>AuthorityGranter</literal>s are discussed below.</para>
@@ -99,7 +95,6 @@
         <section xml:id="jaas-authoritygranter">
             <info><title xml:id="jaas-authority-granter">JAAS AuthorityGranter</title></info>
             
-            
             <para>JAAS works with principals. Even "roles" are represented as
                 principals in JAAS. Spring Security, on the other hand, works with
                 <literal>Authentication</literal> objects. Each

+ 29 - 30
src/docbkx/ldap-auth-provider.xml

@@ -69,7 +69,7 @@
             <literal>url</literal>
             attribute:
             <programlisting><![CDATA[
-                <ldap-server url="ldap://springframework.org:389/dc=springframework,dc=org" />
+    <ldap-server url="ldap://springframework.org:389/dc=springframework,dc=org" />
                 ]]> 
             </programlisting>
         </para>
@@ -85,7 +85,7 @@
                 <literal>url</literal>
                 attribute:
                 <programlisting><![CDATA[
-        <ldap-server root="dc=springframework,dc=org"/>
+    <ldap-server root="dc=springframework,dc=org"/>
         ]]> 
     </programlisting>
                 Here we've specified that the root DIT of the directory should be
@@ -96,7 +96,7 @@
                 <literal>ldif</literal>
                 attribute, which defines an LDIF resource to be loaded:
                 <programlisting><![CDATA[
-        <ldap-server ldif="classpath:users.ldif" />
+    <ldap-server ldif="classpath:users.ldif" />
         ]]></programlisting>
                 This makes it a lot easier to get up and running with LDAP, since it can be
                 inconvenient to work all the time with an external server. It also insulates the
@@ -112,8 +112,8 @@
             </info>
             <para>
                 This is the most common LDAP authentication scenario.
-                <programlisting>
-        <![CDATA[<ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
+                <programlisting><![CDATA[
+    <ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
                      ]]></programlisting>
                 This simple example would obtain the DN for the user by substituting the user login
                 name in the supplied pattern and attempting to bind as that user with the login
@@ -121,7 +121,7 @@
                 directory. If instead you wished to configure an LDAP search filter to locate the
                 user, you could use the following:
                 <programlisting><![CDATA[
-                    <ldap-authentication-provider user-search-filter="(uid={0})" user-search-base="ou=people"/>
+    <ldap-authentication-provider user-search-filter="(uid={0})" user-search-base="ou=people"/>
                     ]]></programlisting>
                 If used with the server definition above, this would perform a search under the DN
                 <literal>ou=people,dc=springframework,dc=org</literal>
@@ -329,30 +329,31 @@
             </info>
             <para>A typical configuration, using some of the beans we've discussed here, might look
                 like this:
-                <programlisting>   
-<![CDATA[
+                <programlisting><![CDATA[
 <bean id="contextSource"
         class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
-    <constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
-    <property name="userDn" value="cn=manager,dc=springframework,dc=org"/>
-    <property name="password" value="password"/>
+  <constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
+  <property name="userDn" value="cn=manager,dc=springframework,dc=org"/>
+  <property name="password" value="password"/>
 </bean>
 
 <bean id="ldapAuthProvider"
         class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
-    <constructor-arg>
-        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
-            <constructor-arg ref="contextSource"/>
-            <property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property>
-        </bean>
-    </constructor-arg>
-    <constructor-arg>
-        <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
-            <constructor-arg ref="contextSource"/>
-            <constructor-arg value="ou=groups"/>
-            <property name="groupRoleAttribute" value="ou"/>
-        </bean>
-    </constructor-arg>
+  <constructor-arg>
+    <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
+      <constructor-arg ref="contextSource"/>
+      <property name="userDnPatterns">
+        <list><value>uid={0},ou=people</value></list>
+      </property>
+    </bean>
+  </constructor-arg>
+  <constructor-arg>
+    <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
+      <constructor-arg ref="contextSource"/>
+      <constructor-arg value="ou=groups"/>
+      <property name="groupRoleAttribute" value="ou"/>
+    </bean>
+  </constructor-arg>
 </bean>]]>
                 </programlisting>
                 This would set up the provider to access an LDAP server with URL
@@ -370,14 +371,12 @@
                 <literal>(uid=&lt;user-login-name&gt;)</literal>
                 for use instead of the DN-pattern (or in addition to it), you would configure the
                 following bean
-                <programlisting>
-<![CDATA[
+                <programlisting><![CDATA[
 <bean id="userSearch"
     class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
-    <constructor-arg index="0" value=""/>
-    <constructor-arg index="1" value="(uid={0})"/>
-    <constructor-arg index="2" ref="contextSource" />
-    <property name="searchSubtree" value="true"/>
+  <constructor-arg index="0" value=""/>
+  <constructor-arg index="1" value="(uid={0})"/>
+  <constructor-arg index="2" ref="contextSource" />
 </bean> ]]>                    
                 </programlisting>
                 and use it by setting the authenticator's
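Review bot: the rewritten `userSearch` bean drops `<property name="searchSubtree" value="true"/>`, which the old listing set explicitly. If `FilterBasedLdapUserSearch` defaults to a one-level search (the JNDI `SearchControls` default scope), the example now only finds users directly under the search base rather than anywhere beneath it, and the surrounding prose does not say so; either restore the property or state that the search is one-level.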

+ 44 - 14
src/docbkx/namespace-config.xml

@@ -141,15 +141,15 @@
   <url-pattern>/*</url-pattern>
 </filter-mapping>]]>   
       </programlisting>
-      This provides a hook into the Spring Security web infrastructure. You can find more details
+      This provides a hook into the Spring Security web infrastructure. <!-- You can find more details
       of how this works in
-      <link xlink:href="#todo">TODO</link>. You're then ready to start editing your application
+      <link xlink:href="#todo">TODO</link>-->. You're then ready to start editing your application
       context file. Web security services are configured using the <literal>&lt;http&gt;</literal>
       element. 
       </para>
     </section>
     
-    <section>
+    <section xml:id="namespace-minimal">
       <info>
         <title>A Minimal <literal>&lt;http&gt;</literal>Configuration</title>
       </info>
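Review bot: commenting out the TODO link leaves a stray full stop. The text now reads `web infrastructure. <!-- You can find more details ... TODO</link>-->. You're then ready`, so the rendered page shows "web infrastructure. . You're then ready". Move the period inside the comment (`TODO</link>.-->`) or drop the one outside it.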
@@ -206,7 +206,7 @@
         login page, but the namespace offers plenty of options to allow you to customize this
         kind of thing.
       </para>
-      <section>
+      <section xml:id="namespace-auto-config">
         <title>What does <literal>auto-config</literal> Include?</title>
         <para>
           The <literal>auto-config</literal> attribute, as we have used it above, is just a 
@@ -281,13 +281,13 @@
           Often your password data will be encoded using a hashing algorithm. This is supported by the <literal>&lt;password-encoder&gt;</literal>
           element. With SHA encoded passwords, the original authentication provider configuration would look like this: 
           <programlisting><![CDATA[
-  <authentication-provider>
-    <password-encoder hash="sha"/>
-    <user-service>
-      <user name="jimi" password="d7e6351eaa13189a5a3641bab846c8e8c69ba39f" authorities="ROLE_USER, ROLE_ADMIN" />
-      <user name="bob" password="4e7421b1b8765d8f9406d87e7cc6aa784c4ab97f" authorities="ROLE_USER" />
-    </user-service>
-  </authentication-provider>
+<authentication-provider>
+  <password-encoder hash="sha"/>
+  <user-service>
+    <user name="jimi" password="d7e6351eaa13189a5a3641bab846c8e8c69ba39f" authorities="ROLE_USER, ROLE_ADMIN" />
+    <user name="bob" password="4e7421b1b8765d8f9406d87e7cc6aa784c4ab97f" authorities="ROLE_USER" />
+  </user-service>
+</authentication-provider>
   ]]>
           </programlisting> 
         </para>
@@ -296,9 +296,9 @@
           Ideally you would want to use a randomly generated salt value for each user, but you can use any property of the <classname>UserDetails</classname>
           object which is loaded by your <classname>UserDetailsService</classname>. For example, to use the <literal>username</literal> property, you would use
           <programlisting><![CDATA[
-    <password-encoder hash="sha">
-      <salt-source user-property="username"/>
-    </password-encoder>
+<password-encoder hash="sha">
+  <salt-source user-property="username"/>
+</password-encoder>
     ]]></programlisting>
           You can use a custom password encoder bean by using the <literal>ref</literal> attribute of <literal>password-encoder</literal>. This should
           contain the name of a bean in the application context which is an instance of Spring Security's <interfacename>PasswordEncoder</interfacename>
@@ -306,5 +306,35 @@
         </para>
       </section>
     </section>
+    <section xml:id="namespace-requires-channel">
+      <title>Adding HTTP/HTTPS Channel Security</title>
+      <para>If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is
+        directly supported using the <literal>requires-channel</literal> attribute on <literal>&lt;intercept-url&gt;</literal>:
+<programlisting><![CDATA[
+<http>
+  <intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
+  <intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>  
+  ...
+</http>]]>
+</programlisting>
+        With this configuration in place, if a user attempts to access anything matching the "/secure/**"
+        pattern using HTTP, they will first be redirected to an HTTPS URL.        
+        The available options are "http", "https" or "any". Using the value "any" means that either HTTP or HTTPS
+        can be used.
+      </para>
+      <para>
+        If your application uses non-standard ports for HTTP and/or HTTPS, you can specify a list of port mappings as follows:
+<programlisting>        
+<![CDATA[     
+<http>
+  ...
+  <port-mappings>
+    <port-mapping http="9080" https="9443"/>
+  </port-mappings>
+</http>]]>
+</programlisting>
+        You can find a more in-depth discussion of channel security in <xref xlink:href="#channel-security"/>.
+      </para>
+    </section>
   </section>
 </chapter>
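Review bot: the new channel-security section should state that `<intercept-url>` patterns are matched in declaration order, because the example only works because `/secure/**` is listed before the catch-all `/**`; listed the other way round, `/**` with `requires-channel="any"` would match first and the HTTPS requirement would never be applied. Two smaller points: the rest of this file cross-references with `<link xlink:href="#...">`, whereas the closing sentence uses `<xref xlink:href="#channel-security"/>` (check that a `channel-security` id exists and that the build resolves `xref` via `xlink:href`), and the whitespace after `<programlisting>` and `<![CDATA[` in the port-mappings listing will be rendered as blank lines.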

+ 28 - 26
src/docbkx/remember-me-authentication.xml

@@ -25,13 +25,13 @@
         via hooks in the <literal>AbstractProcessingFilter</literal>
         superclass. The hooks will invoke a concrete
         <literal>RememberMeServices</literal> at the appropriate times. The
-        interface looks like this:</para>
-    
-    <para><programlisting>public Authentication autoLogin(HttpServletRequest request, HttpServletResponse response);
-        public void loginFail(HttpServletRequest request, HttpServletResponse response);
-        public void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication);</programlisting></para>
-    
-    <para>Please refer to JavaDocs for a fuller discussion on what the
+        interface looks like this:
+    <programlisting>
+  Authentication autoLogin(HttpServletRequest request, HttpServletResponse response);
+  void loginFail(HttpServletRequest request, HttpServletResponse response);
+  void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication);
+    </programlisting>
+        Please refer to JavaDocs for a fuller discussion on what the
         methods do, although note at this stage
         <literal>AbstractProcessingFilter</literal> only calls the
         <literal>loginFail()</literal> and <literal>loginSuccess()</literal>
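Review bot: The `loginSuccess` line in the new `RememberMeServices` listing is over 110 characters and will be clipped in PDF/print output; wrap the parameter list, e.g. `void loginSuccess(HttpServletRequest request, HttpServletResponse response,` / `    Authentication successfulAuthentication);`. Dropping the redundant `public` modifiers is fine for an interface, but the sentence that follows still reads as one paragraph with the listing, so keep the blank line before "Please refer to JavaDocs" for readability in the source.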
@@ -53,12 +53,13 @@
         the browser upon successful interactive authentication, with that
         cookie being composed as follows:</para>
     
-    <para><programlisting>base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" password + ":" + key))
-        
-        username:         As identifiable to TokenBasedRememberMeServices.getUserDetailsService()
-        password:         That matches the relevant UserDetails retrieved from TokenBasedRememberMeServices.getUserDetailsService()
-        expirationTime:   The date and time when the remember-me token expires, expressed in milliseconds
-        key:              A private key to prevent modification of the remember-me token
+    <para><programlisting>
+base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" password + ":" + key))
+
+username:         As identifiable to TokenBasedRememberMeServices.getUserDetailsService()
+password:         That matches the relevant UserDetails retrieved from TokenBasedRememberMeServices.getUserDetailsService()
+expirationTime:   The date and time when the remember-me token expires, expressed in milliseconds
+key:              A private key to prevent modification of the remember-me token
     </programlisting></para>
     
     <para>As such the remember-me token is valid only for the period
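Review bot: The cookie formula carried over into the new listing is missing a concatenation operator: `":" password` should be `":" + password` inside the `md5Hex(...)` call. Since this hunk already rewrites the listing, it is the place to fix it, as readers reimplementing the token layout will copy the expression as written. The description lines that follow are fine; consider adding that `key` must be kept secret, since the table only says it prevents modification without saying why that depends on secrecy.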
@@ -90,21 +91,22 @@
         remember-me services are as follows:</para>
     
     <para><programlisting>
-        &lt;bean id="rememberMeProcessingFilter"
-        class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter"&gt;
-        &lt;property name="rememberMeServices"&gt;&lt;ref local="rememberMeServices"/&gt;&lt;/property&gt;
-        &lt;/bean&gt;
-        
-        &lt;bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices"&gt;
-        &lt;property name="userDetailsService"&gt;&lt;ref local="jdbcDaoImpl"/&gt;&lt;/property&gt;
-        &lt;property name="key"&gt;&lt;value&gt;springRocks&lt;/value&gt;&lt;/property&gt;
-        &lt;/bean&gt;
+<![CDATA[        
+<bean id="rememberMeProcessingFilter"
+    class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
+  <property name="rememberMeServices" ref="rememberMeServices"/>
+</bean>
         
-        &lt;bean id="rememberMeAuthenticationProvider"
-        class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider"&gt;
-        &lt;property name="key"&gt;&lt;value&gt;springRocks&lt;/value&gt;&lt;/property&gt;
-        &lt;/bean&gt;
+<bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
+  <property name="userDetailsService" ref="jdbcDaoImpl"/>
+  <property name="key" value="springRocks"/>
+</bean>
         
+<bean id="rememberMeAuthenticationProvider"
+    class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
+  <property name="key" value="springRocks"/>
+</bean>
+]]>        
     </programlisting>Don't forget to add your
         <literal>RememberMeServices</literal> implementation to your
         <literal>AuthenticationProcessingFilter.setRememberMeServices()</literal>
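Review bot: The `<![CDATA[` and `]]>` lines in the remember-me bean listing have trailing whitespace, and the two unchanged separator lines inside the CDATA block are now whitespace-only lines of eight spaces, all of which will show up verbatim in the rendered listing; make them empty. The prose "Don't forget to add your ..." is glued to `</programlisting>` on the same line, which is valid DocBook but inconsistent with the other listings in this patch. Since the same `key` value (`springRocks`) has to appear in both `rememberMeServices` and `rememberMeAuthenticationProvider`, a sentence noting that this is a sample value and that a deployment should use its own unpredictable key would fit here, as the earlier hunk describes the key as what prevents token modification.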

+ 22 - 25
src/docbkx/runas-auth-provider.xml

@@ -1,8 +1,8 @@
 <chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="runas"><info><title>Run-As Authentication Replacement</title></info>
     
     
-    <section xml:id="runas-overview"><info><title>Overview</title></info>
-        
+    <section xml:id="runas-overview">
+        <info><title>Overview</title></info>
         
         <para>The <literal>AbstractSecurityInterceptor</literal> is able to
             temporarily replace the <literal>Authentication</literal> object in
@@ -28,15 +28,15 @@
             are particularly useful when calling remote web services</para>
     </section>
     
-    <section xml:id="runas-config"><info><title>Configuration</title></info>
-        
-        
-        <para>A <literal>RunAsManager</literal> interface is provided by Acegi
-            Security:</para>
-        
-        <para><programlisting>public Authentication buildRunAs(Authentication authentication, Object object, ConfigAttributeDefinition config);
-            public boolean supports(ConfigAttribute attribute);
-            public boolean supports(Class clazz);</programlisting></para>
+    <section xml:id="runas-config">
+        <info><title>Configuration</title></info>
+        <para>A <literal>RunAsManager</literal> interface is provided by Spring Security:
+            <programlisting>
+  Authentication buildRunAs(Authentication authentication, Object object, ConfigAttributeDefinition config);
+  boolean supports(ConfigAttribute attribute);
+  boolean supports(Class clazz);
+            </programlisting>
+        </para>
         
         <para>The first method returns the <literal>Authentication</literal>
             object that should replace the existing
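Review bot: The closing `</programlisting>` in the `RunAsManager` listing is indented by twelve spaces, so the listing ends with a line of trailing whitespace in the output; put the closing tag at column zero as the other listings in this patch do. The Acegi to Spring Security rename in the sentence is correct. The unchanged context line "are particularly useful when calling remote web services" just above this hunk is missing its full stop; worth fixing while the section is being touched.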
@@ -84,20 +84,17 @@
             the hash of a key is stored in all generated tokens. The
             <literal>RunAsManagerImpl</literal> and
             <literal>RunAsImplAuthenticationProvider</literal> is created in the
-            bean context with the same key:</para>
-        
-        <para><programlisting>
-            &lt;bean id="runAsManager" class="org.springframework.security.runas.RunAsManagerImpl"&gt;
-            &lt;property name="key"&gt;&lt;value&gt;my_run_as_password&lt;/value&gt;&lt;/property&gt;
-            &lt;/bean&gt;
-            
-            &lt;bean id="runAsAuthenticationProvider"
-            class="org.springframework.security.runas.RunAsImplAuthenticationProvider"&gt;
-            &lt;property name="key"&gt;&lt;value&gt;my_run_as_password&lt;/value&gt;&lt;/property&gt;
-            &lt;/bean&gt;
-            
-        </programlisting></para>
-        
+            bean context with the same key:
+            <programlisting>
+<![CDATA[
+<bean id="runAsManager" class="org.springframework.security.runas.RunAsManagerImpl">
+  <property name="key" value="my_run_as_password"/>
+</bean>
+
+<bean id="runAsAuthenticationProvider"
+    class="org.springframework.security.runas.RunAsImplAuthenticationProvider">
+  <property name="key" value="my_run_as_password"/>
+</bean>]]></programlisting></para>
         <para>By using the same key, each <literal>RunAsUserToken</literal>
             can be validated it was created by an approved
             <literal>RunAsManagerImpl</literal>. The
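Review bot: The sentence completed by the `+            bean context with the same key:` line has a number agreement error: "The `RunAsManagerImpl` and `RunAsImplAuthenticationProvider` is created" should read "are created". The CDATA conversion of the two beans looks right and the shared `my_run_as_password` value matches in both definitions; since the paragraph says a hash of the key is stored in every generated token, a short note that the key should be treated as a secret (not the literal sample value) would make the security model explicit.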

+ 2 - 4
src/docbkx/springsecurity.xml

@@ -117,8 +117,7 @@
     <xi:include href="supporting-infrastructure.xml" />
     
     <xi:include href="channel-security.xml" />
-    
-    <xi:include href="taglibs.xml" />
+
   </part>
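Review bot: Removing the `<xi:include href="taglibs.xml" />` orphans `taglibs.xml`, yet this same patch still edits that file (see the `src/docbkx/taglibs.xml` hunks below) and copies its `taglib-config` and `taglib-usage` sections, with the same `xml:id` values, into `supporting-infrastructure.xml`. Either delete `taglibs.xml` in this commit or drop the edits to it; keeping both copies will produce duplicate `xml:id` errors the moment the file is included again.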
 
   <part xml:id="authentication">
@@ -193,8 +192,7 @@
 
     <partintro>
       <para>In addition to this reference guide, a number of other resources
-      exist to help you learn how to use Spring Security. These resources are
-      discussed in this section.</para>
+      exist to help you learn how to use Spring Security.</para>
     </partintro>
 
     <xi:include href="samples.xml"/>

+ 67 - 19
src/docbkx/supporting-infrastructure.xml

@@ -1,4 +1,6 @@
-<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="supporting-infrastructure"><info><title>Supporting Infrastructure</title></info>
+<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="supporting-infrastructure" xmlns:xlink="http://www.w3.org/1999/xlink">
+  
+  <info><title>Supporting Infrastructure</title></info>
   
 
   <para>This chapter introduces some of the supplementary and supporting
@@ -6,9 +8,8 @@
   related to security, yet included in the Spring Security project, we
   will discuss it in this chapter.</para>
 
-  <section xml:id="localization"><info><title>Localization</title></info>
-    
-
+  <section xml:id="localization">
+    <title>Localization</title>
     <para>Spring Security supports localization of exception messages that
     end users are likely to see. If your application is designed for
     English users, you don't need to do anything as by default all
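Review bot: The Localization section is changed to a bare `<title>Localization</title>`, while every other section touched by this patch (Filters, Tag Libraries, Shared Components, the Run-As sections) uses `<info><title>...</title></info>`. Both forms are valid DocBook 5, but since the commit is about consistency, use the `<info>` wrapper here too.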
@@ -36,9 +37,11 @@
     inside your application context to refer to the messages. An example
     is shown below:</para>
 
-    <para><programlisting>&lt;bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"&gt;
-&lt;property name="basename"&gt;&lt;value&gt;org/acegisecurity/messages&lt;/value&gt;&lt;/property&gt;
-&lt;/bean&gt;        </programlisting></para>
+    <para><programlisting><![CDATA[
+<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
+  <property name="basename" value="org/acegisecurity/messages"/>
+</bean>
+]]></programlisting></para>
 
     <para>The <literal>messages.properties</literal> is named in
     accordance with standard resource bundles and represents the default
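Review bot: The `messageSource` basename still points at `org/acegisecurity/messages`, whereas every class referenced elsewhere in this patch lives under `org.springframework.security` and the Run-As hunk replaces "Acegi Security" with "Spring Security". Please verify where `messages.properties` actually ships in the jar; if the bundle has moved with the package rename, this path will silently fall back to the default messages, and the listing should be updated to match.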
@@ -73,20 +76,22 @@
     <literal>SessionLocaleResolver</literal> etc)</para>
   </section>
 
-  <section xml:id="filters"><info><title>Filters</title></info>
-    
+  <section xml:id="filters">
+    <info><title>Filters</title></info>
 
     <para>Spring Security uses many filters, as referred to throughout the
-    remainder of this reference guide. You have a choice in how these
-    filters are added to your web application, in that you can use either
-        Spring's <literal>DelegatingFilterProxy</literal> or
+      remainder of this reference guide. If you are using <link xlink:href="#namespace-config">namespace configuration</link>,
+      then the you don't usually have to declare the filter beans explicitly. There may be times when you want full control
+      over the security filter chain, either because you are using features which aren't supported in the namespace, or you
+      are using your own customized versions of classes.</para>
+    <para>In this case, you have a choice in how these filters are added to your web application, in that you can use either
+        Spring's <literal>DelegatingFilterProxy</literal> or 
     <literal>FilterChainProxy</literal>. We'll look at both below.</para>
       
     <para>When using <literal>DelegatingFilterProxy</literal>, you will see
       something like this in the web.xml file:
       
         <programlisting>
-            
     &lt;filter&gt;
         &lt;filter-name&gt;myFilter&lt;/filter-name&gt;
         &lt;filter-class&gt;org.springframework.web.filter.DelegatingFilterProxy&lt;/filter-class&gt;
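Review bot: Typo in the new paragraph: "then the you don't usually have to declare" should be "then you don't usually have to declare". The second added line in the same paragraph also has trailing whitespace after "or". The explanation of when explicit filter beans are still needed (unsupported features, customized classes) is a useful addition.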
@@ -96,7 +101,6 @@
       &lt;filter-name&gt;myFilter&lt;/filter-name&gt;
       &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
     &lt;/filter-mapping&gt;
-             
         </programlisting>     
        
         Notice that the filter  is actually a <literal>DelegatingFilterProxy</literal>, 
@@ -147,10 +151,12 @@
 
     <para><programlisting><![CDATA[
 <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
-    <sec:filter-chain-map path-type="ant">
-        <sec:filter-chain pattern="/webServices/**" filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
-        <sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
-    </sec:filter-chain-map>
+  <sec:filter-chain-map path-type="ant">
+     <sec:filter-chain pattern="/webServices/**" 
+         filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
+     <sec:filter-chain pattern="/**" 
+         filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
+  </sec:filter-chain-map>
 </bean>
 ]]>         
     </programlisting></para>
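Review bot: Indentation in the reflowed `filter-chain-map` listing is inconsistent: `<sec:filter-chain-map>` is at two spaces, the `<sec:filter-chain>` elements at five, and the wrapped `filters=` attributes at nine; use a uniform two-space step. The `]]>` line also has trailing whitespace. On content, the listing depends on the `/webServices/**` chain being declared before the `/**` catch-all; if the surrounding text does not already say that the first matching pattern wins, a sentence to that effect belongs next to this listing, because reversing the order would route web-service requests through the form-login chain without any error.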
@@ -209,7 +215,9 @@
     any servlet container lifecycle invocations are not delegated through
     to <literal>DelegatingFilterProxy</literal>.</para>
 
-    <para>You can also omit a URI pattern from the filter chain by using
+    <para>In the same way that you can use the attribute <literal>filters = "none"</literal>
+      when using <link xlink:href="#namespace-auto-config">namespace configuration</link>,
+      you can omit a URI pattern from the filter chain by using
     the token <literal>#NONE#</literal> on the right-hand side of the
     <literal>&lt;URI Pattern&gt; = &lt;Filter Chain&gt;</literal>
     expression. For example, using the example above, if you wanted to
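Review bot: `<literal>filters = "none"</literal>` shows the attribute with spaces around the equals sign; write it as it appears in a namespace configuration, `<literal>filters="none"</literal>`, so readers don't copy an unusual form. Also confirm that the `#namespace-auto-config` target used in the new `<link>` exists, since this patch does not add or rename that `xml:id`.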
@@ -311,4 +319,44 @@
     <literal>SecurityContextHolder</literal> to be populated in time for
     use by SiteMesh decorators</para>
   </section>
+  
+  <section xml:id="taglib">
+    <info><title>Tag Libraries</title></info> 
+
+    <para>Spring Security comes bundled with several JSP tag libraries which provide a range of different
+      services.</para>
+    
+    <section xml:id="taglib-config">
+      <info><title>Configuration</title></info>
+      <para>All taglib classes are included in the core
+        <literal>spring-security-xx.jar</literal> file, with the
+        <literal>security.tld</literal> located in the JAR's
+        <literal>META-INF</literal> directory. This means for JSP 1.2+ web
+        containers you can simply include the JAR in the WAR's
+        <literal>WEB-INF/lib</literal> directory and it will be available. If
+        you're using a JSP 1.1 container, you'll need to declare the JSP
+        taglib in your <literal>web.xml file</literal>, and include
+        <literal>security.tld</literal> in the <literal>WEB-INF/lib</literal>
+        directory. The following fragment is added to
+        <literal>web.xml</literal>:
+<programlisting><![CDATA[
+<taglib>
+  <taglib-uri>http://www.springframework.org/security/tags</taglib-uri> 
+  <taglib-location>/WEB-INF/security.tld</taglib-location>
+</taglib>
+]]></programlisting></para>
+    </section>
+    
+    <section xml:id="taglib-usage">
+      <info><title>Usage</title></info>
+      <para>Now that you've configured the tag libraries, refer to the
+        individual reference guide sections for details on how to use them.
+        Note that when using the tags, you should include the taglib reference
+        in your JSP: 
+<programlisting>
+  &lt;%@ taglib prefix='security' uri='http://www.springframework.org/security/tags' %&gt;
+          
+        </programlisting></para>
+    </section>
+  </section>
 </chapter>
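Review bot: In the new Tag Libraries section, `<literal>web.xml file</literal>` puts the word "file" inside the literal; it should be `<literal>web.xml</literal> file`. The usage listing ends with two whitespace-only lines before `</programlisting>`, which will render as blank lines in the output, and the `</info>` line and the `<taglib-uri>` line carry trailing spaces. The JSP taglib directive is also the only listing in this patch left as entity-escaped markup rather than CDATA, which is inconsistent with the `<taglib>` fragment immediately above it. As noted on the `springsecurity.xml` hunk, the `taglib-config` and `taglib-usage` ids duplicate those in `taglibs.xml`.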

+ 12 - 13
src/docbkx/taglibs.xml

@@ -2,17 +2,15 @@
     <info><title>Tag Libraries</title></info>    
     
     
-    <section xml:id="taglib-overview"><info><title>Overview</title></info>
-        
-        
+    <section xml:id="taglib-overview">
+        <info><title>Overview</title></info>
         <para>Spring Security comes bundled with several JSP tag libraries
             that eases JSP writing. The tag libraries provide a range of different
             services.</para>
     </section>
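Review bot: The unchanged context sentence in this hunk, "several JSP tag libraries that eases JSP writing", should read "that ease JSP writing". More importantly, this file is no longer included after the `springsecurity.xml` change in this patch, so these edits have no effect on the built guide; decide whether `taglibs.xml` stays or goes rather than maintaining two copies of the same sections.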
     
-    <section xml:id="taglib-config"><info><title>Configuration</title></info>
-        
-        
+    <section xml:id="taglib-config">
+        <info><title>Configuration</title></info>
         <para>All taglib classes are included in the core
             <literal>spring-security-xx.jar</literal> file, with the
             <literal>security.tld</literal> located in the JAR's
@@ -25,15 +23,16 @@
             directory. The following fragment is added to
             <literal>web.xml</literal>:</para>
         
-        <para><programlisting>&lt;taglib&gt;
-            &lt;taglib-uri&gt;http://www.springframework.org/security/tags&lt;/taglib-uri&gt;
-            &lt;taglib-location&gt;/WEB-INF/security.tld&lt;/taglib-location&gt;
-            &lt;/taglib&gt;       </programlisting></para>
+        <para><programlisting>
+&lt;taglib&gt;
+  &lt;taglib-uri&gt;http://www.springframework.org/security/tags&lt;/taglib-uri&gt;
+  &lt;taglib-location&gt;/WEB-INF/security.tld&lt;/taglib-location&gt;
+&lt;/taglib&gt;
+        </programlisting></para>
     </section>
     
-    <section xml:id="taglib-usage"><info><title>Usage</title></info>
-        
-        
+    <section xml:id="taglib-usage">
+        <info><title>Usage</title></info>
         <para>Now that you've configured the tag libraries, refer to the
             individual reference guide sections for details on how to use them.
             Note that when using the tags, you should include the taglib reference
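Review bot: This `<taglib>` listing is reindented but kept as `&lt;`/`&gt;` entities, while the identical fragment added to `supporting-infrastructure.xml` in this same patch uses a `<![CDATA[` block; if the file is retained, convert it the same way so the two copies do not diverge in style.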

+ 2 - 2
src/docbkx/technical-overview.xml

@@ -23,8 +23,8 @@
     from one system to another and it will immediately work.</para>
   </section>
 
-  <section xml:id="shared-components"><info><title>Shared Components</title></info>
-    
+  <section xml:id="shared-components">
+    <info><title>Shared Components</title></info>
 
     <para>Let's explore some of the most important shared components in
     Spring Security. Components are considered "shared" if they are

+ 12 - 12
src/docbkx/x509-auth-provider.xml

@@ -25,11 +25,11 @@
     <section><info><title>Adding X.509 Authentication to Your Web Application</title></info>
         
         <para> Enabling X.509 client authentication is very straightforward. Just add the <literal>&lt;x509/&gt;</literal> element to your http security namespace configuration. <programlisting>
-    &lt;http&gt;
-     ...
-        &lt;x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/&gt;
-     ...
-    &lt;/http&gt;
+&lt;http&gt;
+ ...
+    &lt;x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/&gt;
+ ...
+&lt;/http&gt;
             </programlisting> The element has two optional attributes: <itemizedlist>
                 <listitem>
                     <para><literal>subject-principal-regex</literal>. The regular expression used to
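Review bot: The reindented `<http>` listing places the `...` ellipses at one space and the `<x509>` element at four, so the structure reads oddly; indent both child lines by the same amount (two spaces, matching the other namespace listings in this patch). The `<programlisting>` is embedded mid-sentence inside the `<para>`, which is valid but makes the source harder to follow; the other hunks put the colon-terminated sentence before the listing, and doing the same here would be consistent.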
@@ -69,13 +69,13 @@
             tomcat <filename>conf</filename> directory and add the following connector to the
             <filename>server.xml</filename> file 
                 <programlisting> 
-    &lt;Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
-                clientAuth="true" sslProtocol="TLS" 
-                keystoreFile="${catalina.home}/conf/server.jks"
-                keystoreType="JKS" keystorePass="password"
-                truststoreFile="${catalina.home}/conf/server.jks"
-                truststoreType="JKS" truststorePass="password"
-     /&gt; 
+&lt;Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
+            clientAuth="true" sslProtocol="TLS" 
+            keystoreFile="${catalina.home}/conf/server.jks"
+            keystoreType="JKS" keystorePass="password"
+            truststoreFile="${catalina.home}/conf/server.jks"
+            truststoreType="JKS" truststorePass="password"
+/&gt; 
                 </programlisting>
             <parameter>clientAuth</parameter> can also be set to <parameter>want</parameter> if you still
             want SSL connections to succeed even if the client doesn't provide a certificate.
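Review bot: The Tomcat connector sample uses the same `server.jks` as both `keystoreFile` and `truststoreFile`, with `password` for both. Since this is the configuration readers will copy to enable `clientAuth="true"`, the text should say that it is an example only: in a real deployment the truststore should contain only the CA certificate(s) that issue client certificates and be a separate file from the store holding the server's private key, otherwise every issuer present in the server keystore is accepted for client authentication. The closing `/>` line also has trailing whitespace.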