Merge 22d8a7395f9c9cca1977ceb377f55b3fdbd76279 into 2c47f885a94b89e7c512b951dfe503c1a8c215be

2022-01-05 22:31:42 +00:00 · 2022-01-05 22:31:42 +00:00 · e2ce544642
commit e2ce544642
parent 2c47f885a9 22d8a7395f
16 changed files with 613 additions and 358 deletions
--- a/docs/modules/guides/pages/basic-auth.adoc
+++ b/docs/modules/guides/pages/basic-auth.adoc
@ -10,6 +10,27 @@ If you are new to Spring Security, this recipe is worth reviewing, to learn the
 [[security-cookbook-the-web-application]]
 == The Application to Secure
 For this guide, we build an application from scratch with Spring Boot
 To do so, navigate to the https://start.spring.io[Spring Initializr] and add the Web and Thymeleaf dependencies.
 Alternatively, you can perform the following steps on the command line:
 ====
 .Gradle
 [source,shell]
 ----
 $ curl -G https://start.spring.io/starter.tgz -d dependencies=web,thymeleaf -d name=basic-auth -d baseDir=basic-auth -d type=gradle-project | tar -xzvf -
 ----
 .Maven
 [source,shell]
 ----
 $ curl -G https://start.spring.io/starter.tgz -d dependencies=web,thymeleaf -d name=basic-auth -d baseDir=basic-auth -d type=maven-project | tar -xzvf -
 ----
 ====
 You can then import that project into your favorite IDE or work directly with the files and `./mvnw` or `./gradlew` on the command line.
 Spring Security secures applications, so we need an application to secure.
 A simple web application suffices as an example that we can then secure in the various recipes.
@ -18,102 +39,7 @@ NOTE: We use the same example that we used in the "`Securing a Web Application`"
 We use Spring Boot with the Spring Web and Thymeleaf dependencies.
 There are lots of ways to make a web application, but we know this one well, since we have documented it elsewhere.
-We start with the build files for both Maven and Gradle (in case you prefer one or the other).
+We need some HTML files.
 The following listing shows the build file for Maven (`pom.xml`):
 ====
 [source,xml]
 ----
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
 		<version>2.2.0.RELEASE</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>com.example</groupId>
 	<artifactId>securing-web</artifactId>
 	<version>0.0.1-SNAPSHOT</version>
 	<name>securing-web</name>
 	<description>Demo project for Spring Boot</description>
 	<properties>
 		<java.version>1.8</java.version>
 	</properties>
 	<dependencies>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>
 			<scope>test</scope>
 			<exclusions>
 				<exclusion>
 					<groupId>org.junit.vintage</groupId>
 					<artifactId>junit-vintage-engine</artifactId>
 				</exclusion>
 			</exclusions>
 		</dependency>
 	</dependencies>
 	<build>
 		<plugins>
 			<plugin>
 				<groupId>org.springframework.boot</groupId>
 				<artifactId>spring-boot-maven-plugin</artifactId>
 			</plugin>
 		</plugins>
 	</build>
 </project>
 ----
 ====
 The following listing shows the build file for Gradle (`build.gradle`):
 ====
 [source,java]
 ----
 plugins {
 	id 'org.springframework.boot' version '2.2.0.RELEASE'
 	id 'io.spring.dependency-management' version '1.0.8.RELEASE'
 	id 'java'
 }
 group = 'com.example'
 version = '0.0.1-SNAPSHOT'
 sourceCompatibility = '1.8'
 repositories {
 	mavenCentral()
 }
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
 	testImplementation('org.springframework.boot:spring-boot-starter-test') {
 		exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
 	}
 }
 test {
 	useJUnitPlatform()
 }
 ----
 ====
 After the build files, we need some HTML files.
 We start where a visitor would start, at `home.html`.
 IMPORTANT: The HTML files go in the `resources/templates` directory.
@ -124,86 +50,28 @@ The following listing shows our `home.html` file:
 ====
 [source,html]
 ----
-<!DOCTYPE html>
+include::../../../../servlet/spring-boot/java/basic-auth/src/main/resources/templates/home.html[]
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org" xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
    <head>
        <title>Spring Security Example</title>
    </head>
    <body>
        <h1>Welcome!</h1>
        <p>Click <a th:href="@{/hello}">here</a> to see a greeting.</p>
    </body>
 </html>
 ----
 ====
 We also need a `hello.html` file, so that visitors to our web site can see the greeting we mention in the `home.html` file.
-The following listing shows the `home.html` file:
+The following listing shows the `hello.html` file:
 ====
 [source,html]
 ====
 ----
-<!DOCTYPE html>
+include::../../../../servlet/spring-boot/java/basic-auth/src/main/resources/templates/hello.html[]
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
      xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
    <head>
        <title>Hello, World!</title>
    </head>
    <body>
        <h1>Hello, world!</h1>
    </body>
 </html>
 ----
 ====
 Once we have HTML pages for our visitors to see, we need to route them to the pages.
-We do that with a class that implements the `WebMvcConfigurer` (from the Spring framework).
+We do that with a class that uses the `@Controller` annotation (from the Spring framework).
-The following listing shows that class, which is called `MvcConfig`:
+The following listing shows that class, which is called `HelloController`:
 ====
 [source,java]
 ----
-package com.example.securingweb;
+include::../../../../servlet/spring-boot/java/basic-auth/src/main/java/example/HelloController.java[tag=sans-header]
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
 public class MvcConfig implements WebMvcConfigurer {
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/home").setViewName("home");
        registry.addViewController("/").setViewName("home");
        registry.addViewController("/hello").setViewName("hello");
    }
 }
 ----
 ====
 Finally, we need an application class to give us an entry point for our program.
 We call it `SecuringWebApplication`, even though it is not yet secure.
 We cover how to secure it in the various recipes.
 The following application shows the `SecuringWebApplication` class:
 ====
 [source,java]
 ----
 package com.example.securingweb;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
 public class SecuringWebApplication {
    public static void main(String[] args) throws Throwable {
        SpringApplication.run(SecuringWebApplication.class, args);
    }
 }
 ----
 ====
@ -224,41 +92,6 @@ implementation 'org.springframework.security:spring-security-test'
 ----
 ====
 The following listing shows the final `build.gradle` file:
 ====
 [source,java]
 ----
 plugins {
 	id 'org.springframework.boot' version '2.2.0.RELEASE'
 	id 'io.spring.dependency-management' version '1.0.8.RELEASE'
 	id 'java'
 }
 group = 'com.example'
 version = '0.0.1-SNAPSHOT'
 sourceCompatibility = '1.8'
 repositories {
 	mavenCentral()
 }
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
 	implementation 'org.springframework.boot:spring-boot-starter-security'
 	implementation 'org.springframework.security:spring-security-test'
 	testImplementation('org.springframework.boot:spring-boot-starter-test') {
 		exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
 	}
 }
 test {
 	useJUnitPlatform()
 }
 ----
 ====
 For Maven, we need to add the following two dependencies to the `dependencies` element in our `pom.xml` file:
 ====
@ -276,199 +109,53 @@ For Maven, we need to add the following two dependencies to the `dependencies` e
 ----
 ====
 The following listing shows the final `pom.xml` file:
 ====
 [source,xml]
 ----
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
 		<version>2.2.0.RELEASE</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>com.example</groupId>
 	<artifactId>securing-web</artifactId>
 	<version>0.0.1-SNAPSHOT</version>
 	<name>securing-web</name>
 	<description>Demo project for Spring Boot</description>
 	<properties>
 		<java.version>1.8</java.version>
 	</properties>
 	<dependencies>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-security</artifactId>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-test</artifactId>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>
 			<scope>test</scope>
 			<exclusions>
 				<exclusion>
 					<groupId>org.junit.vintage</groupId>
 					<artifactId>junit-vintage-engine</artifactId>
 				</exclusion>
 			</exclusions>
 		</dependency>
 	</dependencies>
 	<build>
 		<plugins>
 			<plugin>
 				<groupId>org.springframework.boot</groupId>
 				<artifactId>spring-boot-maven-plugin</artifactId>
 			</plugin>
 		</plugins>
 	</build>
 </project>
 ----
 ====
 We also need a login page. The following HTML file serves that need:
 ====
 [source,html]
 ----
-<!DOCTYPE html>
+include::../../../../servlet/spring-boot/java/basic-auth/src/main/resources/templates/login.html[]
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
      xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
    <head>
        <title>Spring Security Example </title>
    </head>
    <body>
        <div th:if="${param.error}">
            Invalid username and password.
        </div>
        <div th:if="${param.logout}">
            You have been logged out.
        </div>
        <form th:action="@{/login}" method="post">
            <div><label> User Name : <input type="text" name="username"/> </label></div>
            <div><label> Password: <input type="password" name="password"/> </label></div>
            <div><input type="submit" value="Sign In"/></div>
        </form>
    </body>
 </html>
 ----
 ====
-We also need to add a line to our `MvcConfig` class, as the following listing shows:
+We also need to add another class to our application, as the following listing shows:
 ====
 [source,java]
 ----
-package com.example.securingweb;
+include::../../../../servlet/spring-boot/java/basic-auth/src/main/java/example/LoginController.java[tag=sans-header]
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
 public class MvcConfig implements WebMvcConfigurer {
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/home").setViewName("home");
        registry.addViewController("/").setViewName("home");
        registry.addViewController("/hello").setViewName("hello");
        registry.addViewController("/login").setViewName("login"); <1>
    }
 }
 ----
-<1> We need to add this line to make the `/login` path work.
+<1> We need to add this class to make the `/login` path work.
 ====
 We also need a class to configure security for our web application.
-The following listing shows that class (called `WebSecurityConfig`):
+The following listing shows that class (called `SecurityConfiguration`):
 ====
 [source,java]
 ----
-package com.example.securingweb;
+include::../../../../servlet/spring-boot/java/basic-auth/src/main/java/example/SecurityConfiguration.java[tag=sans-header]
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@Configuration
@EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests() <1>
                .antMatchers("/", "/home").permitAll() <2>
                .anyRequest().authenticated() <3>
                .and()
            .formLogin() <4>
                .loginPage("/login") <5>
                .permitAll()
                .and()
            .logout() <6>
                .permitAll();
    }
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        UserDetails user = <7>
             User.withDefaultPasswordEncoder()
                .username("user") <8>
                .password("password") <9>
                .roles("USER") <10>
                .build(); <11>
        return new InMemoryUserDetailsManager(user);
    }
 }
 ----
-<1> Turn on security by authorizing request.
+<1> Turn on security by authorizing the request.
 <2> Let anyone see the default and `home` paths.
 <3> Require that any request be authenticated. (This is where we apply security.)
 <4> Allow a login form.
 <5> Allow that form from the `/login` path.
-<6> Let anyone see the logout page.
+<6> Let anyone see the logout success page.
 <7> Define a user object.
-<8> The user's user name is `user`.
+<8> Encode the password in memory (used only for demonstration purposes -- do NOT do this in production).
-<9> The user's user name is `password`.
+<9> The user's user name is `user`.
-<10> The user's role is `USER`.
+<10> The user's password is `password`.
-<11> Build the user object.
+<11> The user's role is `USER`.
 <12> Build the user object.
 ====
 WARNING: _NEVER_ put user names and passwords in code for a real application.
 It is tolerable for demonstrations and samples, but it is very poor practice for real applications.
-The `WebSecurityConfig` class has two key parts: A `configure` method (which overrides the `configure` method in `WebSecurityConfigurerAdapter`) and a `UserDetailsService` bean.
+The `SecurityConfiguration` class has two key parts: a `configure` method (which overrides the `configure` method in `WebSecurityConfigurerAdapter`) and a `UserDetailsService` bean.
 The `configure` method has a chain of methods that define the security for the paths in our application.
-In essence, the preceding configuration says, "`Let anyone see the login and logout pages. Make everyone authenticate (log in) to see anything else.`"
+In essence, the preceding configuration says, "`Let anyone see the login and logout pages, as well as the home page. Make everyone authenticate (log in) to see anything else.`"
 We also define the one and only user who can view our web application.
-Normally, we would get user details from a database or an LDAP or OAuth server (or from some other source - many options exist).
+Normally, we would get user details from a database or an LDAP or OAuth server (or from some other source -- the other Spring Security guides cover the most common ways to get user details).
 We created this simple arrangement to show the basic outline of what happens.
--- a/servlet/spring-boot/java/basic-auth/build.gradle
+++ b/servlet/spring-boot/java/basic-auth/build.gradle
@ -0,0 +1,25 @@
 plugins {
 	id 'io.spring.dependency-management' version '1.0.10.RELEASE'
 	id 'org.springframework.boot' version '2.5.2'
 	id "nebula.integtest" version "8.2.0"
 	id 'java'
 }
 repositories {
 	jcenter()
 	maven { url "https://repo.spring.io/snapshot" }
 }
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-security'
 	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 	testImplementation 'org.springframework.security:spring-security-test'
 }
 tasks.withType(Test).configureEach {
 	useJUnitPlatform()
 	outputs.upToDateWhen { false }
 }
--- a/servlet/spring-boot/java/basic-auth/gradle.properties
+++ b/servlet/spring-boot/java/basic-auth/gradle.properties
@ -0,0 +1,2 @@
 version=5.7.0-SNAPSHOT
 spring-security.version=5.7.0-SNAPSHOT
--- a/servlet/spring-boot/java/basic-auth/gradle/wrapper/gradle-wrapper.jar
+++ b/servlet/spring-boot/java/basic-auth/gradle/wrapper/gradle-wrapper.jar
--- a/servlet/spring-boot/java/basic-auth/gradle/wrapper/gradle-wrapper.properties
+++ b/servlet/spring-boot/java/basic-auth/gradle/wrapper/gradle-wrapper.properties
@ -0,0 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 distributionUrl=https\://services.gradle.org/distributions/gradle-7.2-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
--- a/servlet/spring-boot/java/basic-auth/gradlew
+++ b/servlet/spring-boot/java/basic-auth/gradlew
@ -0,0 +1,185 @@
 #!/usr/bin/env sh
 #
 # Copyright 2015 the original author or authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 ##############################################################################
 ##
 ##  Gradle start up script for UN*X
 ##
 ##############################################################################
 # Attempt to set APP_HOME
 # Resolve links: $0 may be a link
 PRG="$0"
 # Need this for relative symlinks.
 while [ -h "$PRG" ] ; do
    ls=`ls -ld "$PRG"`
    link=`expr "$ls" : '.*-> \(.*\)$'`
    if expr "$link" : '/.*' > /dev/null; then
        PRG="$link"
    else
        PRG=`dirname "$PRG"`"/$link"
    fi
 done
 SAVED="`pwd`"
 cd "`dirname \"$PRG\"`/" >/dev/null
 APP_HOME="`pwd -P`"
 cd "$SAVED" >/dev/null
 APP_NAME="Gradle"
 APP_BASE_NAME=`basename "$0"`
 # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD="maximum"
 warn () {
    echo "$*"
 }
 die () {
    echo
    echo "$*"
    echo
    exit 1
 }
 # OS specific support (must be 'true' or 'false').
 cygwin=false
 msys=false
 darwin=false
 nonstop=false
 case "`uname`" in
  CYGWIN* )
    cygwin=true
    ;;
  Darwin* )
    darwin=true
    ;;
  MINGW* )
    msys=true
    ;;
  NONSTOP* )
    nonstop=true
    ;;
 esac
 CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
 # Determine the Java command to use to start the JVM.
 if [ -n "$JAVA_HOME" ] ; then
    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
        # IBM's JDK on AIX uses strange locations for the executables
        JAVACMD="$JAVA_HOME/jre/sh/java"
    else
        JAVACMD="$JAVA_HOME/bin/java"
    fi
    if [ ! -x "$JAVACMD" ] ; then
        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
    fi
 else
    JAVACMD="java"
    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
 fi
 # Increase the maximum file descriptors if we can.
 if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
    MAX_FD_LIMIT=`ulimit -H -n`
    if [ $? -eq 0 ] ; then
        if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
            MAX_FD="$MAX_FD_LIMIT"
        fi
        ulimit -n $MAX_FD
        if [ $? -ne 0 ] ; then
            warn "Could not set maximum file descriptor limit: $MAX_FD"
        fi
    else
        warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
    fi
 fi
 # For Darwin, add options to specify how the application appears in the dock
 if $darwin; then
    GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
 fi
 # For Cygwin or MSYS, switch paths to Windows format before running java
 if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
    APP_HOME=`cygpath --path --mixed "$APP_HOME"`
    CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
    JAVACMD=`cygpath --unix "$JAVACMD"`
    # We build the pattern for arguments to be converted via cygpath
    ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
    SEP=""
    for dir in $ROOTDIRSRAW ; do
        ROOTDIRS="$ROOTDIRS$SEP$dir"
        SEP="|"
    done
    OURCYGPATTERN="(^($ROOTDIRS))"
    # Add a user-defined pattern to the cygpath arguments
    if [ "$GRADLE_CYGPATTERN" != "" ] ; then
        OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
    fi
    # Now convert the arguments - kludge to limit ourselves to /bin/sh
    i=0
    for arg in "$@" ; do
        CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
        CHECK2=`echo "$arg"|egrep -c "^-"`                                 ### Determine if an option
        if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then                    ### Added a condition
            eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
        else
            eval `echo args$i`="\"$arg\""
        fi
        i=`expr $i + 1`
    done
    case $i in
        0) set -- ;;
        1) set -- "$args0" ;;
        2) set -- "$args0" "$args1" ;;
        3) set -- "$args0" "$args1" "$args2" ;;
        4) set -- "$args0" "$args1" "$args2" "$args3" ;;
        5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
        6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
        7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
        8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
        9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
    esac
 fi
 # Escape application args
 save () {
    for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
    echo " "
 }
 APP_ARGS=`save "$@"`
 # Collect all arguments for the java command, following the shell quoting and substitution rules
 eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
 exec "$JAVACMD" "$@"
--- a/servlet/spring-boot/java/basic-auth/gradlew.bat
+++ b/servlet/spring-boot/java/basic-auth/gradlew.bat
@ -0,0 +1,104 @@
@rem
@rem Copyright 2015 the original author or authors.
@rem
@rem Licensed under the Apache License, Version 2.0 (the "License");
@rem you may not use this file except in compliance with the License.
@rem You may obtain a copy of the License at
@rem
@rem      https://www.apache.org/licenses/LICENSE-2.0
@rem
@rem Unless required by applicable law or agreed to in writing, software
@rem distributed under the License is distributed on an "AS IS" BASIS,
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem
@if "%DEBUG%" == "" @echo off
@rem ##########################################################################
@rem
@rem  Gradle startup script for Windows
@rem
@rem ##########################################################################
@rem Set local scope for the variables with windows NT shell
 if "%OS%"=="Windows_NT" setlocal
 set DIRNAME=%~dp0
 if "%DIRNAME%" == "" set DIRNAME=.
 set APP_BASE_NAME=%~n0
 set APP_HOME=%DIRNAME%
@rem Resolve any "." and ".." in APP_HOME to make it shorter.
 for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
@rem Find java.exe
 if defined JAVA_HOME goto findJavaFromJavaHome
 set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
 if "%ERRORLEVEL%" == "0" goto init
 echo.
 echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 echo.
 echo Please set the JAVA_HOME variable in your environment to match the
 echo location of your Java installation.
 goto fail
 :findJavaFromJavaHome
 set JAVA_HOME=%JAVA_HOME:"=%
 set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 if exist "%JAVA_EXE%" goto init
 echo.
 echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
 echo.
 echo Please set the JAVA_HOME variable in your environment to match the
 echo location of your Java installation.
 goto fail
 :init
@rem Get command-line arguments, handling Windows variants
 if not "%OS%" == "Windows_NT" goto win9xME_args
 :win9xME_args
@rem Slurp the command line arguments.
 set CMD_LINE_ARGS=
 set _SKIP=2
 :win9xME_args_slurp
 if "x%~1" == "x" goto execute
 set CMD_LINE_ARGS=%*
 :execute
@rem Setup the command line
 set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
@rem Execute Gradle
 "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
 :end
@rem End local scope for the variables with windows NT shell
 if "%ERRORLEVEL%"=="0" goto mainEnd
 :fail
 rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
 rem the _cmd.exe /c_ return code!
 if  not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
 exit /b 1
 :mainEnd
 if "%OS%"=="Windows_NT" endlocal
 :omega
--- a/servlet/spring-boot/java/basic-auth/settings.gradle
+++ b/servlet/spring-boot/java/basic-auth/settings.gradle
@ -0,0 +1 @@
--- a/servlet/spring-boot/java/basic-auth/src/main/java/example/BasicAuthApplication.java
+++ b/servlet/spring-boot/java/basic-auth/src/main/java/example/BasicAuthApplication.java
@ -0,0 +1,33 @@
 /*
 * Copyright 2012-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package example;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 /**
 * Basic Auth application.
 *
 * @author Steve Riesenberg
 */
@SpringBootApplication
 public class BasicAuthApplication {
 	public static void main(String[] args) {
 		SpringApplication.run(BasicAuthApplication.class, args);
 	}
 }
--- a/servlet/spring-boot/java/basic-auth/src/main/java/example/HelloController.java
+++ b/servlet/spring-boot/java/basic-auth/src/main/java/example/HelloController.java
@ -0,0 +1,41 @@
 /*
 * Copyright 2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 // tag::sans-header[]
 package example;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 /**
 * Controller for home and hello resources.
 *
 * @author Steve Riesenberg
 */
@Controller
 public class HelloController {
 	@GetMapping({"/", "/home"})
 	public String home() {
 		return "home";
 	}
 	@GetMapping("/hello")
 	public String hello() {
 		return "hello";
 	}
 }
 // end::sans-header[]
--- a/servlet/spring-boot/java/basic-auth/src/main/java/example/LoginController.java
+++ b/servlet/spring-boot/java/basic-auth/src/main/java/example/LoginController.java
@ -0,0 +1,36 @@
 /*
 * Copyright 2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 // tag::sans-header[]
 package example;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 /**
 * Controller for login page.
 *
 * @author Steve Riesenberg
 */
@Controller
 public class LoginController {  // <1>
 	@GetMapping("/login")
 	public String login() {
 		return "login";
 	}
 }
 //end::sans-header[]
--- a/servlet/spring-boot/java/basic-auth/src/main/java/example/SecurityConfiguration.java
+++ b/servlet/spring-boot/java/basic-auth/src/main/java/example/SecurityConfiguration.java
@ -0,0 +1,70 @@
 /*
 * Copyright 2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 // tag::sans-header[]
 package example;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 /**
 * Spring Security configuration.
 *
 * @author Steve Riesenberg
 */
@EnableWebSecurity
 public class SecurityConfiguration {
 	@Bean
 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
 			.authorizeHttpRequests((authorize) -> authorize     // <1>
 				.mvcMatchers("/", "/home").permitAll()          // <2>
 				.anyRequest().authenticated()                   // <3>
 			)
 			.formLogin((formLogin) -> formLogin                 // <4>
 				.loginPage("/login")                            // <5>
 				.permitAll()
 			)
 			.logout(LogoutConfigurer::permitAll);               // <6>
 		// @formatter:on
 		return http.build();
 	}
 	@Bean
 	public UserDetailsService userDetailsService() {
 		// @formatter:off
 		UserDetails userDetails =                               // <7>
 			User.withDefaultPasswordEncoder()                   // <8>
 				.username("user")                               // <9>
 				.password("password")                           // <10>
 				.roles("USER")                                  // <11>
 				.build();                                       // <12>
 		// @formatter:on
 		return new InMemoryUserDetailsManager(userDetails);
 	}
 }
 // end::sans-header[]
--- a/servlet/spring-boot/java/basic-auth/src/main/resources/templates/hello.html
+++ b/servlet/spring-boot/java/basic-auth/src/main/resources/templates/hello.html
@ -0,0 +1,17 @@
 <!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:th="https://www.thymeleaf.org">
 <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>Hello, World!</title>
    <link href="https://bootswatch.com/4/materia/bootstrap.min.css" rel="stylesheet" crossorigin="anonymous"/>
    <link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
 </head>
 <body>
    <form class="form-signin" method="post" th:action="@{/logout}">
        <h1>Hello, world!</h1>
        <button class="btn btn-lg btn-primary btn-block" type="submit">Log Out</button>
    </form>
 </body>
 </html>
--- a/servlet/spring-boot/java/basic-auth/src/main/resources/templates/home.html
+++ b/servlet/spring-boot/java/basic-auth/src/main/resources/templates/home.html
@ -0,0 +1,17 @@
 <!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:th="https://www.thymeleaf.org">
 <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>Spring Security Example</title>
    <link href="https://bootswatch.com/4/materia/bootstrap.min.css" rel="stylesheet" crossorigin="anonymous"/>
    <link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
 </head>
 <body>
    <div class="form-signin">
        <h1>Welcome!</h1>
        <p>Click <a th:href="@{/hello}">here</a> to see a greeting.</p>
    </div>
 </body>
 </html>
--- a/servlet/spring-boot/java/basic-auth/src/main/resources/templates/login.html
+++ b/servlet/spring-boot/java/basic-auth/src/main/resources/templates/login.html
@ -0,0 +1,31 @@
 <!DOCTYPE html>
 <html lang="en"
      xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
 <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>Spring Security Example</title>
    <link href="https://bootswatch.com/4/materia/bootstrap.min.css" rel="stylesheet" crossorigin="anonymous"/>
    <link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
 </head>
 <body>
    <form class="form-signin" method="post" th:action="@{/login}">
        <div th:if="${param.error}" class="alert alert-danger">
            Invalid username or password.
        </div>
        <div th:if="${param.logout}" class="alert alert-success">
            You have been logged out.
        </div>
        <h2 class="form-signin-heading">Sign In</h2>
        <p>
            <label for="username" class="sr-only">Username</label>
            <input type="text" id="username" name="username" class="form-control" placeholder="Username" required autofocus>
        </p>
        <p>
            <label for="password" class="sr-only">Password</label>
            <input type="password" id="password" name="password" class="form-control" placeholder="Password" required>
        </p>
        <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
    </form>
 </body>
 </html>
--- a/settings.gradle
+++ b/settings.gradle
@ -42,6 +42,7 @@ include ":servlet:java-configuration:max-sessions"
 //include ":servlet:java-configuration:saml2:login"
 include ":servlet:spring-boot:java:authentication:username-password:user-details-service:custom-user"
 include ":servlet:spring-boot:java:authentication:username-password:mfa"
 include ":servlet:spring-boot:java:basic-auth"
 include ":servlet:spring-boot:java:hello"
 include ":servlet:spring-boot:java:hello-security"
 include ":servlet:spring-boot:java:hello-security-explicit"
		`@ -0,0 +1,2 @@`
							`version=5.7.0-SNAPSHOT`
							`spring-security.version=5.7.0-SNAPSHOT`