
SEC-1529: More user-friendly expressions on method annotations in EL chapter.

Luke Taylor 15 years ago
parent
commit
e2ba500c3c
2 changed files with 11 additions and 10 deletions
  1. 8 7
      docs/manual/src/docbook/el-access.xml
  2. 3 3
      docs/manual/src/docbook/introduction.xml

+ 8 - 7
docs/manual/src/docbook/el-access.xml

@@ -157,14 +157,15 @@
                     if you wanted a particular method to only allow access to a user whose username
                     if you wanted a particular method to only allow access to a user whose username
                     matched that of the contact, you could write</para>
                     matched that of the contact, you could write</para>
                 <programlisting>
                 <programlisting>
- @PreAuthorize("#contact.name == principal.name)")
+ @PreAuthorize("#contact.name == authentication.name")
  public void doSomething(Contact contact);</programlisting>
  public void doSomething(Contact contact);</programlisting>
-                <para>Here we are accessing another built–in expression, which is the
-                    <literal>principal</literal> of the current Spring Security
-                    <interfacename>Authentication</interfacename> object obtained from the security
-                    context. You can also access the <interfacename>Authentication</interfacename>
-                    object itself directly using the expression name
-                    <literal>authentication</literal>.</para>
+                <para>Here we are accessing another built–in expression, <literal>authentication</literal>,
+                    which is the <interfacename>Authentication</interfacename> stored in the
+                    security context. You can also access its <quote>principal</quote> property
+                    directly, using the expression <literal>principal</literal>. The value will
+                    often be a <interfacename>UserDetails</interfacename> instance, so you might use an
+                    expression like <literal>principal.username</literal> or
+                    <literal>principal.enabled</literal>.</para>
                 <para>Less commonly, you may wish to perform an access-control check after the
                 <para>Less commonly, you may wish to perform an access-control check after the
                     method has been invoked. This can be achieved using the
                     method has been invoked. This can be achieved using the
                     <literal>@PostAuthorize</literal> annotation. To access the return value from a
                     <literal>@PostAuthorize</literal> annotation. To access the return value from a
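Review bot: The rewritten paragraph says the principal "will often be a UserDetails instance" but does not say what happens to `principal.username` or `principal.enabled` when it is not one, nor why the example now compares against `authentication.name`. Consider adding a sentence that these property expressions only resolve when the principal really is a UserDetails, and that `authentication.name` is used in the example because it does not depend on the principal's type. As a style point, the same sentence marks up the property as <quote>principal</quote> and the expression as <literal>principal</literal>; using <literal> for both would be consistent. The removal of the stray ")" inside the old @PreAuthorize string is a real fix to the listing and is worth naming in the commit message.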

+ 3 - 3
docs/manual/src/docbook/introduction.xml

@@ -260,10 +260,10 @@
             </section>
             </section>
             <section xml:id="spring-security-config">
             <section xml:id="spring-security-config">
                 <title>Config - <literal>spring-security-config.jar</literal></title>
                 <title>Config - <literal>spring-security-config.jar</literal></title>
-                <para>Contains the security namespace parsing code (and hence nothing that you are
-                    likely yo use directly in your application). You need it if you are using the
+                <para>Contains the security namespace parsing code. You need it if you are using the
                     Spring Security XML namespace for configuration. The main package is
                     Spring Security XML namespace for configuration. The main package is
-                    <literal>org.springframework.security.config</literal>.</para>
+                    <literal>org.springframework.security.config</literal>. None of the
+                    classes are intended for direct use in an application.</para>
             </section>
             </section>
             <section xml:id="spring-security-ldap">
             <section xml:id="spring-security-ldap">
                 <title>LDAP - <literal>spring-security-ldap.jar</literal></title>
                 <title>LDAP - <literal>spring-security-ldap.jar</literal></title>
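Review bot: The commit message only mentions method annotation expressions in the EL chapter, so the rewording of the spring-security-config.jar description in introduction.xml is an unrelated change; split it into its own commit or name it in the message, since it also silently drops the "yo use" typo. In the added sentence, "None of the classes are intended for direct use in an application" follows the package name directly and can be read as applying only to `org.springframework.security.config`; if it is meant to cover the whole jar, "None of the classes in this module" would say so.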