Sample app build adjustments to remove unwanted deps such as jsp-api, tidy up use of JSTL, make sure all are using servlet 2.5 etc.

config/config.gradle

@@ -6,7 +6,7 @@ compileTestJava.dependsOn(':spring-security-core:compileTestJava')
 
 configurations {
     // GRADLE-1124
-    compile.extendsFrom = [provided]
+    compile.extendsFrom = []
     testCompile.extendsFrom groovy
 }
 

gradle/javaprojects.gradle

@@ -16,9 +16,9 @@ configurations {
     // Configuration which is ONLY used for compileJava and will not be inherited by any others
     // Revisit post Gradle 1.0
     compileOnly
-    // Used to identify deps whcih should be marked as "provided" in maven poms
+    // Used to identify deps which should be marked as "provided" in maven poms
     provided
-    compile.extendsFrom provided
+    testCompile.extendsFrom provided
     compile.transitive = false
     testCompile.transitive = false
 }
@@ -42,6 +42,7 @@ dependencies {
 [configurations.runtime, configurations.default]*.exclude(module: 'commons-logging')
 
 sourceSets.main.compileClasspath += configurations.compileOnly
+sourceSets.main.compileClasspath += configurations.provided
 
 [compileJava, compileTestJava]*.options*.encoding = 'UTF-8'
 

gradle/maven-deployment.gradle

@@ -60,19 +60,28 @@ uploadArchives {
 
 installer = install.repositories.mavenInstaller
 
-def optionalDeps = ['commons-logging', 'ehcache', 'log4j', 'apacheds-core', 'jsp-api', 'jsr250-api', 'ldapsdk']
+def optionalDeps = ['ehcache', 'log4j', 'apacheds-core', 'jsp-api', 'jsr250-api', 'ldapsdk']
+def clogging = new org.apache.maven.model.Dependency()
+clogging.artifactId = clogging.groupId = "commons-logging"
+clogging.scope = 'compile'
+clogging.optional = true
+clogging.version = '1.1.1'
 
 [installer, deployer]*.pom.collect { pom ->
     pom.scopeMappings.addMapping(10, configurations.provided, 'provided')
 }
 
 [installer, deployer]*.pom*.whenConfigured { pom ->
+    // Remove test scope dependencies from published poms
+    pom.dependencies = pom.dependencies.findAll {it.scope != 'test'}
     pom.dependencies.findAll { dep ->
         optionalDeps.contains(dep.artifactId) ||
         dep.groupId.startsWith('org.apache.directory') ||
         dep.groupId.startsWith('org.slf4j')
     }*.optional = true
 
+    pom.dependencies.add(clogging)
+
     if (pom.artifactId == 'spring-security-config') {
         pom.dependencies.find { dep -> dep.artifactId == 'spring-security-web'}.optional = true
         pom.dependencies.find { dep -> dep.artifactId == 'spring-web'}.optional = true

samples/cas/src/main/webapp/WEB-INF/web.xml

@@ -4,10 +4,9 @@
   -
   -->
 
-<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
-
+<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
     <display-name>Spring Security CAS Demo Application</display-name>
 
     <!--

samples/contacts/contacts.gradle

@@ -21,6 +21,7 @@ dependencies {
             project(':spring-security-config'),
             project(':spring-security-taglibs'),
             "org.springframework:spring-context-support:$springVersion",
+            "javax.servlet:jstl:$jstlVersion",
             "net.sf.ehcache:ehcache:$ehcacheVersion",
             "hsqldb:hsqldb:$hsqlVersion",
             "org.slf4j:jcl-over-slf4j:$slf4jVersion",

samples/contacts/src/main/webapp/WEB-INF/jsp/include.jsp

@@ -1,6 +1,6 @@
 <%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
 <%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
 
-<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt" %>
-<%@ taglib prefix="fmt" uri="http://java.sun.com/jstl/fmt_rt" %>
+<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
 <%@ page pageEncoding="UTF-8" %>

samples/contacts/src/main/webapp/WEB-INF/web.xml

@@ -5,10 +5,9 @@
   -
   -->
 
-<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
-
+<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
     <display-name>Contacts Sample Application</display-name>
 
     <!--

samples/contacts/src/main/webapp/exitUser.jsp

@@ -1,4 +1,4 @@
-<%@ taglib prefix='c' uri='http://java.sun.com/jstl/core' %>
+<%@ taglib prefix='c' uri='http://java.sun.com/jsp/jstl/core' %>
 
 <%@ page import="org.springframework.security.core.Authentication" %>
 <%@ page import="org.springframework.security.core.context.SecurityContextHolder" %>

samples/contacts/src/main/webapp/login.jsp

@@ -1,4 +1,4 @@
-<%@ taglib prefix='c' uri='http://java.sun.com/jstl/core_rt' %>
+<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 <%@ page pageEncoding="UTF-8" %>
 
 <html>

samples/ldap/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -2,7 +2,7 @@
     xmlns:s="http://www.springframework.org/schema/security"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
+    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
 
     <s:http>
         <s:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>

samples/ldap/src/main/webapp/WEB-INF/web.xml

@@ -1,12 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!--
-  - Tutorial web application
-  -
-  -->
-
-<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
+
+<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
 
     <display-name>Spring Security LDAP Demo Application</display-name>
 

samples/openid/openid.gradle

@@ -12,6 +12,7 @@ dependencies {
     runtime project(':spring-security-web'),
             project(':spring-security-config'),
             project(':spring-security-taglibs'),
+            "javax.servlet:jstl:$jstlVersion",
             "org.slf4j:jcl-over-slf4j:$slf4jVersion",
             "ch.qos.logback:logback-classic:$logbackVersion"
 }

samples/openid/src/main/webapp/WEB-INF/web.xml

@@ -1,12 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!--
-  - Tutorial web application
-  -
-  -->
-
-<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
+
+<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
 
     <display-name>Spring Security OpenID Demo Application</display-name>
 

samples/openid/src/main/webapp/index.jsp

@@ -1,4 +1,4 @@
-<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
 <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
 
 <html>

samples/openid/src/main/webapp/openidlogin.jsp

@@ -1,4 +1,4 @@
-<%@ taglib prefix='c' uri='http://java.sun.com/jstl/core_rt' %>
+<%@ taglib prefix='c' uri='http://java.sun.com/jsp/jstl/core' %>
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
@@ -53,7 +53,7 @@
                 <input id="openid_submit" type="submit" value="Sign-In"/>
             </div>
             <noscript>
-            <p>OpenID is a service that allows you to log-on to many different websites using a single indentity.
+            <p>OpenID is a service that allows you to log-on to many different websites using a single identity.
             Find out <a href="http://openid.net/what/">more about OpenID</a> and <a href="http://openid.net/get/">how to get an OpenID enabled account</a>.</p>
             </noscript>
     </fieldset>

samples/preauth/src/main/webapp/WEB-INF/web.xml

@@ -1,12 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!--
-  - Tutorial web application
-  -
-  -->
 
-<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
+<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
 
     <display-name>Spring Security Preauthentication Demo Application</display-name>
 

samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -19,16 +19,18 @@
         -->
     </global-method-security>
 
+    <http pattern="/loggedout.jsp" security="none"/>
+
     <http use-expressions="true">
         <intercept-url pattern="/secure/extreme/**" access="hasRole('ROLE_SUPERVISOR')"/>
         <intercept-url pattern="/secure/**" access="isAuthenticated()" />
-        <!-- Disable web URI authorization, as we're using <global-method-security> and have @Secured the services layer instead
-        <intercept-url pattern="/listAccounts.html" access="isRememberMe()" />
-        <intercept-url pattern="/post.html" access="hasRole('ROLE_TELLER')" />
-        -->
+        <!--
+             Allow all other requests. In a real application you should
+             adopt a whitelisting approach where access is not allowed by default
+          -->
         <intercept-url pattern="/**" access="permitAll" />
         <form-login />
-        <logout />
+        <logout logout-success-url="/loggedout.jsp"/>
         <remember-me />
 <!--
     Uncomment to enable X509 client authentication support

samples/tutorial/src/main/webapp/WEB-INF/jsp/listAccounts.jsp

@@ -1,4 +1,4 @@
-<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt"%>
+<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 
 <h1>Accounts</h1>
 
@@ -14,23 +14,15 @@
 </tr>
 <c:forEach var="account" items="${accounts}">
   <tr>
+  <td>${account.id}</td>
+  <td>${account.holder}</td>
+  <td>${account.balance}</td>
+  <td>${account.overdraft}</td>
   <td>
-      <c:out value="${account.id}"/>
-  </td>
-  <td>
-      <c:out value="${account.holder}"/>
-  </td>
-  <td>
-      <c:out value="${account.balance}"/>
-  </td>
-  <td>
-      <c:out value="${account.overdraft}"/>
-  </td>
-  <td>
-      <a href="post.html?id=<c:out value="${account.id}"/>&amount=-20.00">-$20</a>
-      <a href="post.html?id=<c:out value="${account.id}"/>&amount=-5.00">-$5</a>
-      <a href="post.html?id=<c:out value="${account.id}"/>&amount=5.00">+$5</a>
-      <a href="post.html?id=<c:out value="${account.id}"/>&amount=20.00">+$20</a>
+      <a href="post.html?id=${account.id}&amp;amount=-20.00">-$20</a>
+      <a href="post.html?id=${account.id}&amp;amount=-5.00">-$5</a>
+      <a href="post.html?id=${account.id}&amp;amount=5.00">+$5</a>
+      <a href="post.html?id=${account.id}&amp;amount=20.00">+$20</a>
   </td>
   </tr>
 </c:forEach>

samples/tutorial/src/main/webapp/WEB-INF/web.xml

@@ -4,9 +4,9 @@
   -
   -->
 
-<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
+<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
 
     <display-name>Spring Security Tutorial Application</display-name>
 

samples/tutorial/src/main/webapp/loggedout.jsp

@@ -0,0 +1,22 @@
+<%@page session="false" %>
+<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+
+
+<%
+    Cookie cookie = new Cookie("JSESSIONID", null);
+    cookie.setPath(request.getContextPath());
+    cookie.setMaxAge(0);
+    response.addCookie(cookie);
+%>
+
+<html>
+<head>
+<title>Logged Out</title>
+</head>
+<body>
+<h2>Logged Out</h2>
+<p>
+You have been logged out. <a href="<c:url value='/'/>">Start again</a>.
+</p>
+</body>
+</html>

samples/tutorial/src/main/webapp/timeout.jsp

@@ -1,8 +1,10 @@
 <%@page session="false" %>
-<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt"%>
+<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 
 <html>
+<head>
 <title>Session Timeout</title>
+</head>
 <body>
 <h2>Invalid Session</h2>
 

samples/tutorial/tutorial.gradle

@@ -16,6 +16,7 @@ dependencies {
     runtime project(':spring-security-web'),
             project(':spring-security-config'),
             project(':spring-security-taglibs'),
+            "javax.servlet:jstl:$jstlVersion",
             "org.slf4j:jcl-over-slf4j:$slf4jVersion",
             "ch.qos.logback:logback-core:$logbackVersion",
             "ch.qos.logback:logback-classic:$logbackVersion"

web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java

@@ -135,8 +135,7 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
                 sb.append("    <tr><td><input type='checkbox' name='").append(rememberMeParameter).append("'/></td><td>Remember me on this computer.</td></tr>\n");
             }
 
-            sb.append("    <tr><td colspan='2'><input name=\"submit\" type=\"submit\"/></td></tr>\n");
-            sb.append("    <tr><td colspan='2'><input name=\"reset\" type=\"reset\"/></td></tr>\n");
+            sb.append("    <tr><td colspan='2'><input name=\"submit\" type=\"submit\" value=\"Login\"/></td></tr>\n");
             sb.append("  </table>\n");
             sb.append("</form>");
         }
@@ -152,8 +151,7 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
                 sb.append("    <tr><td><input type='checkbox' name='").append(openIDrememberMeParameter).append("'></td><td>Remember me on this computer.</td></tr>\n");
             }
 
-            sb.append("    <tr><td colspan='2'><input name=\"submit\" type=\"submit\"/></td></tr>\n");
-            sb.append("    <tr><td colspan='2'><input name=\"reset\" type=\"reset\"/></td></tr>\n");
+            sb.append("    <tr><td colspan='2'><input name=\"submit\" type=\"submit\" value=\"Login\"/></td></tr>\n");
             sb.append("  </table>\n");
             sb.append("</form>");
         }