diff --git a/doc/src/site/resources/announcements/announcement-0.1.txt b/doc/src/site/resources/announcements/announcement-0.1.txt
new file mode 100644
index 0000000000..3847e81c63
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.1.txt
@@ -0,0 +1,16 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.1 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  New Features:
+
+o Initial public release  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.2.txt b/doc/src/site/resources/announcements/announcement-0.2.txt
new file mode 100644
index 0000000000..07e4456486
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.2.txt
@@ -0,0 +1,34 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.2 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  New Features:
+
+o Added Commons Attributes support and sample (thanks to Cameron Braid) 
+o Added JBoss container adapter 
+o Added Resin container adapter 
+o Added JDBC DAO authentication provider 
+o Added several filter implementations for container adapter integration 
+o Added SecurityInterceptor startup time validation of ConfigAttributes 
+o Added more unit tests 
+
+  Fixed bugs:
+
+o Fixed switch block in voting decision manager implementations 
+
+  Changes:
+
+o Refactored ConfigAttribute to interface and added concrete implementation 
+o Enhanced diagnostics information provided by sample application debug.jsp 
+o Modified sample application for wider container portability (Resin, JBoss) 
+o Removed Spring MVC interceptor for container adapter integration 
+o Documentation improvements  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.3.txt b/doc/src/site/resources/announcements/announcement-0.3.txt
new file mode 100644
index 0000000000..2d45aa0501
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.3.txt
@@ -0,0 +1,28 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.3 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  New Features:
+
+o Added "in container" unit test system for container adapters and sample app 
+o Added library extractor tool to reduce the "with deps" ZIP release sizes 
+o Added unit test to the attributes sample 
+o Added Jalopy source formatting 
+
+  Changes:
+
+o Modified all files to use net.sf.acegisecurity namespace 
+o Renamed springsecurity.xml to acegisecurity.xml for consistency 
+o Reduced length of ZIP and JAR filenames 
+o Clarified licenses and sources for all included libraries 
+o Updated documentation to reflect new file and package names 
+o Setup Sourceforge.net project and added to CVS etc  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.4.txt b/doc/src/site/resources/announcements/announcement-0.4.txt
new file mode 100644
index 0000000000..4005eeebe6
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.4.txt
@@ -0,0 +1,40 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.4 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  New Features:
+
+o Added HTTP session authentication as an alternative to container adapters 
+o Added HTTP request security interceptor (offers considerable flexibility) 
+o Added security taglib 
+o Added Clover test coverage instrumentation (currently 97.2%) 
+o Added support for Catalina (Tomcat) 4.1.30 to in-container integration 
+  tests 
+o Added HTML test and summary reporting to in-container integration tests 
+
+  Fixed bugs:
+
+o Fixed case handling support in data access object authentication provider 
+
+  Changes:
+
+o Updated JARs to Spring Framework release 1.0, with associated AOP changes 
+o Updated to Apache License version 2.0 
+o Updated copyright with permission of past contributors 
+o Refactored unit tests to use mock objects and focus on a single class each 
+o Refactored many classes to enable insertion of mock objects during testing 
+o Refactored core classes to ease support of new secure object types 
+o Changed package layout to better describe the role of contained items 
+o Changed the extractor to extract additional classes from JBoss and Catalina 
+o Changed Jetty container adapter configuration (see reference documentation) 
+o Improved AutoIntegrationFilter handling of deployments without JBoss JARs 
+o Documentation improvements  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.5.1.txt b/doc/src/site/resources/announcements/announcement-0.5.1.txt
new file mode 100644
index 0000000000..fb33c6ce33
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.5.1.txt
@@ -0,0 +1,37 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.5.1 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  New Features:
+
+o Added samples/quick-start 
+o Added NullRunAsManager and made default for AbstractSecurityInterceptor 
+o Added event notification (see net.sf.acegisecurity.providers.dao.event) 
+
+  Fixed bugs:
+
+o Fixed issue with hot deploy of EhCacheBasedTicketCache (used with CAS) 
+o Fixed issue with NullPointerExceptions in taglib 
+
+  Changes:
+
+o Updated JAR to Spring 1.0.2 
+o Updated JAR to Commons Attributes CVS snapshot from Spring 1.0.2 release 
+o Updated GrantedAuthorityImpl to be serializable (JBoss support) 
+o Updated Authentication interface to present extra details for a request 
+o Updated Authentication interface to subclass java.security.Principal 
+o Refactored DaoAuthenticationProvider caching (refer to reference docs) 
+o Improved HttpSessionIntegrationFilter to manage additional attributes 
+o Improved URL encoding during redirects 
+o Removed DaoAuthenticationToken and session-based caching 
+o Documentation improvements 
+o Upgrade Note: DaoAuthenticationProvider no longer has a "key" property  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.5.txt b/doc/src/site/resources/announcements/announcement-0.5.txt
new file mode 100644
index 0000000000..ea221fec8d
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.5.txt
@@ -0,0 +1,42 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.5 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  New Features:
+
+o Added single sign on support via Yale Central Authentication Service (CAS) 
+o Added full support for HTTP Basic Authentication 
+o Added caching for DaoAuthenticationProvider successful authentications 
+o Added Burlap and Hessian remoting to Contacts sample application 
+o Added pluggable password encoders including plaintext, SHA and MD5 
+o Added pluggable salt sources to enhance security of hashed passwords 
+o Added FilterToBeanProxy to obtain filters from Spring application context 
+o Added support for prepending strings to roles created by JdbcDaoImpl 
+o Added support for user definition of SQL statements used by JdbcDaoImpl 
+o Added definable prefixes to avoid expectation of "ROLE_" GrantedAuthoritys 
+o Added pluggable AuthenticationEntryPoints to SecurityEnforcementFilter 
+o Added Apache Ant path syntax support to SecurityEnforcementFilter 
+o Added filter to automate web channel requirements (eg HTTPS redirection) 
+
+  Fixed bugs:
+
+o Fixed FilterInvocation.getRequestUrl() to also include getPathInfo() 
+o Fixed Contacts sample application tags 
+
+  Changes:
+
+o Updated JAR to Spring 1.0.1 
+o Updated several classes to use absolute (not relative) redirection URLs 
+o Refactored filters to use Spring application context lifecycle support 
+o Improved constructor detection of nulls in User and other key objects 
+o Established acegisecurity-developer mailing list 
+o Documentation improvements  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.6.1.txt b/doc/src/site/resources/announcements/announcement-0.6.1.txt
new file mode 100644
index 0000000000..780c9fc191
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.6.1.txt
@@ -0,0 +1,39 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.6.1 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  New Features:
+
+o Added additional DaoAuthenticationProvider event when user not found 
+o Added Authentication.getDetails() to DaoAuthenticationProvider response 
+o Added DaoAuthenticationProvider.hideUserNotFoundExceptions (default=true) 
+o Added PasswordAuthenticationProvider for password-validating DAOs (eg LDAP) 
+o Added FilterToBeanProxy compatibility with ContextLoaderServlet (lazy 
+  inits) 
+o Added convenience methods to ConfigAttributeDefinition 
+
+  Fixed bugs:
+
+o Fixed MethodDefinitionAttributes to implement ObjectDefinitionSource change 
+o Fixed EH-CACHE-based caching implementation behaviour when cache exists 
+o Fixed Ant "release" target not including project.properties 
+o Fixed GrantedAuthorityEffectiveAclsResolver if null ACLs provided to method 
+
+  Changes:
+
+o Resolved to use http://apr.apache.org/versioning.html for future versioning 
+o Improved sample applications' bean reference notation 
+o Clarified contract for ObjectDefinitionSource.getAttributes(Object) 
+o Extracted removeUserFromCache(String) to UserCache interface 
+o Improved ConfigAttributeEditor so it trims preceding and trailing spaces 
+o Refactored UsernamePasswordAuthenticationToken.getDetails() to Object 
+o Documentation improvements  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.6.txt b/doc/src/site/resources/announcements/announcement-0.6.txt
new file mode 100644
index 0000000000..363447ace6
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.6.txt
@@ -0,0 +1,50 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.6 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  New Features:
+
+o Added domain object instance access control list (ACL) packages 
+o Added feature so DaoAuthenticationProvider returns User in Authentication 
+o Added AbstractIntegrationFilter.secureContext property for custom contexts 
+o Added stack trace logging to SecurityEnforcementFilter 
+o Added exception-specific target URLs to AbstractProcessingFilter 
+o Added JdbcDaoImpl hook so subclasses can insert custom granted authorities 
+o Added AuthenticationProvider that wraps JAAS login modules 
+o Added support for EL expressions in the authz tag library 
+o Added failed Authentication object to AuthenticationExceptions 
+o Added signed JARs to all official release builds (see readme.txt) 
+o Added remote client authentication validation package 
+o Added protected sendAccessDeniedError method to SecurityEnforcementFilter 
+
+  Fixed bugs:
+
+o Fixed CasAuthenticationToken if proxy granting ticket callback not 
+  requested 
+o Fixed EH-CACHE handling on web context refresh 
+
+  Changes:
+
+o Updated Authentication to be serializable (Weblogic support) 
+o Updated JAR to Spring 1.1 RC 1 
+o Updated to Clover 1.3 
+o Updated to HSQLDB version 1.7.2 Release Candidate 6D 
+o Refactored User to net.sf.acegisecurity.UserDetails interface 
+o Refactored CAS package to store UserDetails in CasAuthenticationToken 
+o Improved organisation of DaoAuthenticationProvider to facilitate 
+  subclassing 
+o Improved test coverage (now 98.3%) 
+o Improved JDBC-based tests to use in-memory database rather than filesystem 
+o Fixed Linux compatibility issues (directory case sensitivity etc) 
+o Fixed AbstractProcessingFilter to handle servlet spec container differences 
+o Fixed AbstractIntegrationFilter to resolve a Weblogic compatibility issue 
+o Documentation improvements  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.7.0.txt b/doc/src/site/resources/announcements/announcement-0.7.0.txt
new file mode 100644
index 0000000000..e74befdfef
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.7.0.txt
@@ -0,0 +1,68 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.7.0 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  New Features:
+
+o Major CVS repository restructure to support Maven and eliminate libraries 
+o Added AfterInvocationManager to mutate objects return from invocations 
+o Added BasicAclEntryAfterInvocationProvider to ACL evaluate returned Object 
+o Added BasicAclEntryAfterInvocationCollectionFilteringProvider 
+o Added security propagation during RMI invocations (from sandbox) 
+o Added security propagation for Spring's HTTP invoker 
+o Added BasicAclEntryVoter, which votes based on AclManager permissions 
+o Added AspectJ support (especially useful for instance-level security) 
+o Added MethodDefinitionSourceAdvisor for performance and autoproxying 
+o Added MethodDefinitionMap querying of interfaces defined by secure objects 
+o Added AuthenticationProcessingFilter.setDetails for use by subclasses 
+o Added 403-causing exception to HttpSession via SecurityEnforcementFilter 
+o Added net.sf.acegisecurity.intercept.event package 
+o Added BasicAclExtendedDao interface and JdbcExtendedDaoImpl for ACL CRUD 
+o Added additional remoting protocol demonstrations to Contacts sample 
+o Added AbstractProcessingFilter property to always use defaultTargetUrl 
+o Added ContextHolderAwareRequestWrapper to integrate with getRemoteUser() 
+o Added attempted username to view if processed by 
+  AuthenticationProcessingFilter 
+o Added UserDetails account and credentials expiration methods 
+o Added exceptions and events to support new UserDetails methods 
+o Added new exceptions to JBoss container adapter 
+
+  Fixed bugs:
+
+o Fixed ambiguous column references in JdbcDaoImpl default query 
+o Fixed AbstractProcessingFilter to use removeAttribute (JRun compatibility) 
+o Fixed GrantedAuthorityEffectiveAclResolver support of UserDetails 
+  principals 
+o Fixed HttpSessionIntegrationFilter "cannot commit to container" during 
+  logoff 
+
+  Changes:
+
+o Major improvements to Contacts sample application (now demos ACL security) 
+o Improved BasicAclProvider to only respond to specified ACL object requests 
+o Refactored MethodDefinitionSource to work with Method, not MethodInvocation 
+o Refactored AbstractFilterInvocationDefinitionSource to work with URL 
+  Strings alone 
+o Refactored AbstractSecurityInterceptor to better support other AOP 
+  libraries 
+o Improved performance of JBoss container adapter (see reference docs) 
+o Made DaoAuthenticationProvider detect null in Authentication.principal 
+o Improved JaasAuthenticationProvider startup error detection 
+o Refactored EH-CACHE implementations to use Spring IoC defined caches 
+  instead 
+o AbstractProcessingFilter now has various hook methods to assist subclasses 
+o DaoAuthenticationProvider better detects AuthenticationDao interface 
+  violations 
+o The User class has a new constructor (the old constructor is deprecated) 
+o Moved MethodSecurityInterceptor to ...intercept.method.aopalliance package 
+o Documentation improvements 
+o Test coverage improvements  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.7.1.txt b/doc/src/site/resources/announcements/announcement-0.7.1.txt
new file mode 100644
index 0000000000..37c028483c
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.7.1.txt
@@ -0,0 +1,18 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.7.1 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  Fixed bugs:
+
+o AbstractIntegrationFilter elegantly handles IOExceptions and 
+  ServletExceptions within filter chain (see 
+  http://opensource.atlassian.com/projects/spring/browse/SEC-20)  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.8.0.txt b/doc/src/site/resources/announcements/announcement-0.8.0.txt
new file mode 100644
index 0000000000..d66aadb974
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.8.0.txt
@@ -0,0 +1,59 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.8.0 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  New Features:
+
+o Added Digest Authentication support (RFC 2617 and RFC 2069) 
+o Added pluggable remember-me services 
+o Added pluggable mechnism to prevent concurrent login sessions 
+o FilterChainProxy added to significantly simplify web.xml configuration of 
+  Acegi Security 
+o AuthenticationProcessingFilter now provides hook for extra credentials (eg 
+  postcodes) 
+o New WebAuthenticationDetails class now used by processing filters for 
+  Authentication.setDetails() 
+o Additional debug-level logging 
+o Improved Tapestry support in AbstractProcessingFilter 
+
+  Fixed bugs:
+
+o Correct issue with JdbcDaoImpl default SQL query not using consistent case 
+  sensitivity 
+o Improve Linux and non-Sun JDK (specifically IBM JDK) compatibility 
+o Log4j now included in generated WAR artifacts (fixes issue with Log4j 
+  listener) 
+o Correct NullPointerException in FilterInvocationDefinitionSource 
+  implementations 
+
+  Changes:
+
+o Made ConfigAttributeDefinition and ConfigAttribute Serializable 
+o User now accepts blank passwords (null passwords still rejected) 
+o FilterToBeanProxy now searches hierarchical bean factories 
+o User now accepted blank passwords (null passwords still rejected) 
+o ContextHolderAwareRequestWrapper now provides a getUserPrincipal() method 
+o HttpSessionIntegrationFilter no longer creates a HttpSession unnecessarily 
+o FilterSecurityInterceptor now only executes once per request (improves 
+  performance with SiteMesh) 
+o JaasAuthenticatinProvider now uses System.property 
+  "java.security.auth.login.config" 
+o JaasAuthenticationCallbackHandler Authentication is passed to handle method 
+  setAuthentication removed 
+o Added AuthenticationException to the AutenticationEntryPoint.commence 
+  method signature 
+o Added AccessDeniedException to the 
+  SecurityEncorcementFilter.sendAccessDeniedError method signature 
+o FilterToBeanProxy now addresses lifecycle mismatch (IoC container vs 
+  servlet container) issue 
+o Significantly refactor "well-known location model" to authentication 
+  processing mechanism and HttpSessionContextIntegrationFilter model  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.8.1.1.txt b/doc/src/site/resources/announcements/announcement-0.8.1.1.txt
new file mode 100644
index 0000000000..44a55895d9
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.8.1.1.txt
@@ -0,0 +1,18 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.8.1.1 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  Fixed bugs:
+
+o HttpSessionContextIntegrationFilter elegantly handles IOExceptions and 
+  ServletExceptions within filter chain (see 
+  http://opensource.atlassian.com/projects/spring/browse/SEC-20)  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.8.1.txt b/doc/src/site/resources/announcements/announcement-0.8.1.txt
new file mode 100644
index 0000000000..1c6c1dd883
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.8.1.txt
@@ -0,0 +1,43 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.8.1 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  New Features:
+
+o X509 (certificate-based) authentication support 
+
+  Fixed bugs:
+
+o SecurityEnforcementFilter caused NullPointerException when anonymous 
+  authentication used with BasicProcessingFilterEntryPoint 
+o FilterChainProxy now supports replacement of ServletRequest and 
+  ServetResponse by Filter beans 
+o Corrected Authz parsing of whitespace in GrantedAuthoritys 
+o TokenBasedRememberMeServices now respects expired users, expired 
+  credentials and disabled users 
+o HttpSessionContextIntegrationFilter now handles HttpSession invalidation 
+  without redirection 
+o StringSplitUtils.split() ignored delimiter argument 
+o DigestProcessingFilter now provides userCache getter and setter 
+o Contacts Sample made to work with UserDetails-based Principal 
+
+  Changes:
+
+o UserDetails now advises locked accounts, with corresponding 
+  DaoAuthenticationProvider events and enforcement 
+o ContextHolderAwareRequestWrapper methods return null if user is anonymous 
+o AbstractBasicAclEntry improved compatibility with Hibernate 
+o User now provides a more useful toString() method 
+o Update to match Spring 1.1.5 official JAR dependencies (NB: now using 
+  Servlet 2.4 and related JSP/taglib JARs) 
+o Documentation improvements 
+o Test coverage improvements  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.8.2.txt b/doc/src/site/resources/announcements/announcement-0.8.2.txt
new file mode 100644
index 0000000000..97d61975bd
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.8.2.txt
@@ -0,0 +1,33 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.8.2 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  Fixed bugs:
+
+o Correct location of AuthenticationSimpleHttpInvokerRequestExecutor in 
+  clientContext.xml 
+o TokenBasedRememberMeServices changed to use long instead of int for 
+  tokenValiditySeconds (SPR-807) 
+o Handle null Authentication.getAuthorities() in AuthorizeTag 
+o PasswordDaoAuthenticationProvider no longer stores String against 
+  Authentication.setDetails() 
+
+  Changes:
+
+o Update commons-codec dependency to 1.3 
+o AbstractProcessingFilter no longer has setters for failures, it uses the 
+  exceptionMappings property 
+o Update to match Spring 1.2-RC2 official JAR dependencies 
+o AuthenticationProcessingFilter now provides an obtainUsername method 
+o Correct PathBasedFilterInvocationDefinitionMap compatibility with Spring 
+  1.2-RC2 
+o Refactoring to leverage Spring's Assert class and mocks where possible  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.8.3.txt b/doc/src/site/resources/announcements/announcement-0.8.3.txt
new file mode 100644
index 0000000000..34dd613712
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.8.3.txt
@@ -0,0 +1,18 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.8.3 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  Fixed bugs:
+
+o HttpSessionContextIntegrationFilter elegantly handles IOExceptions and 
+  ServletExceptions within filter chain (see 
+  http://opensource.atlassian.com/projects/spring/browse/SEC-20)  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-0.9.0.txt b/doc/src/site/resources/announcements/announcement-0.9.0.txt
new file mode 100644
index 0000000000..41a958d220
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-0.9.0.txt
@@ -0,0 +1,17 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 0.9.0 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  Changes:
+
+o All changes are in JIRA at 
+  http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-1.0.0 Final.txt b/doc/src/site/resources/announcements/announcement-1.0.0 Final.txt
new file mode 100644
index 0000000000..a987b207f0
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-1.0.0 Final.txt	
@@ -0,0 +1,17 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 1.0.0 Final release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  Changes:
+
+o All changes are in JIRA at 
+  http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-1.0.0 RC1.txt b/doc/src/site/resources/announcements/announcement-1.0.0 RC1.txt
new file mode 100644
index 0000000000..38558daab4
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-1.0.0 RC1.txt	
@@ -0,0 +1,17 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 1.0.0 RC1 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  Changes:
+
+o All changes are in JIRA at 
+  http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/src/site/resources/announcements/announcement-1.0.0 RC2.txt b/doc/src/site/resources/announcements/announcement-1.0.0 RC2.txt
new file mode 100644
index 0000000000..b2da0a6d17
--- /dev/null
+++ b/doc/src/site/resources/announcements/announcement-1.0.0 RC2.txt	
@@ -0,0 +1,17 @@
+The acegi-security-doc team is pleased to announce the Acegi Security System 
+for Spring 1.0.0 RC2 release! 
+
+http://acegisecurity.org/
+
+Acegi Security System for Spring 
+
+Changes in this version include:
+
+  Changes:
+
+o All changes are in JIRA at 
+  http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040  
+
+Have fun!
+-The acegi-security-doc team
+      
\ No newline at end of file
diff --git a/doc/xdocs/articles.html b/doc/xdocs/articles.xml
similarity index 76%
rename from doc/xdocs/articles.html
rename to doc/xdocs/articles.xml
index ca6aae4a5f..d8bded020a 100644
--- a/doc/xdocs/articles.html
+++ b/doc/xdocs/articles.xml
@@ -1,175 +1,147 @@
-<!--
- * ========================================================================
- * 
- * Copyright 2004 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * 
- * ========================================================================
--->
-
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-
-<head>
-<title>External Web Articles covering Acegi Security</title>
-<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-</head>
-
-<body>
-  <h1>External Web Articles covering Acegi Security</h1>
-  <p>Here are some of the external pages mentioning Acegi Security. If you've
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>External Web Articles covering Acegi Security</title></properties><body><section name="External Web Articles covering Acegi Security"><p>Here are some of the external pages mentioning Acegi Security. If you've
 	found another, please let us know.
   <ul>
     <li><b><a href="http://forum.springframework.org">Spring Forums</a></b>:
-		The first place to look for Acegi Security support (use the 'search' function).<br><br>
+		The first place to look for Acegi Security support (use the 'search' function).<br></br><br></br>
 	</li>
     <li><b><a href="mail-lists.html">Acegi Security Mailing Lists</a></b>:
-		If you'd like to discuss development of the project.<br><br>
+		If you'd like to discuss development of the project.<br></br><br></br>
 	</li>
     <li><b><a href="powering.html">Numerous frameworks using Acegi Security</a></b>:
-		Look here first for how to integrate with major third-party frameworks...<br><br>
+		Look here first for how to integrate with major third-party frameworks...<br></br><br></br>
 	</li>
     <li><b><a href="http://www.vorburger.ch/blog1/2006/10/propagating-acegis-security-context-in.html">Propagating Acegi Security's Context in a WSS UsernameToken SOAP Header via XFire using WSS4J</a></b>:
-		Thanks to Michael Vorburger.<br><br>
+		Thanks to Michael Vorburger.<br></br><br></br>
 	</li>
     <li><b><a href="http://jroller.com/page/sjivan?entry=ajax_based_login_using_aceci">AJAX-based login via Acegi Security</a></b>:
-		Sanjiv Jivan offers a way of approaching AJAX login.<br><br>
+		Sanjiv Jivan offers a way of approaching AJAX login.<br></br><br></br>
 	</li>
     <li><b><a href="http://weblog.morosystems.cz/spring/Spring-Acegi-JCaptcha-integration">Acegi Security and Captcha Layer</a></b>:
-		How to use Acegi Security with JCaptcha.<br><br>
+		How to use Acegi Security with JCaptcha.<br></br><br></br>
 	</li>
     <li><b><a href="http://java.sys-con.com/read/171482_1.htm">Introduction to Acegi: Mastering the security framework</a></b>:
-		Java Developer's Journal (JDJ) article by David Hardwick.<br><br>
+		Java Developer's Journal (JDJ) article by David Hardwick.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.javalobby.org/articles/acegisecurity/part1.jsp">Securing Your Java Applications - Acegi Security Style</a></b>:
-		Matthew Porter wrote this good introductory article for Javalobby.<br><br>
+		Matthew Porter wrote this good introductory article for Javalobby.<br></br><br></br>
 	</li>
     <li><b><a href="http://home.hccnet.nl/bart.van.riel/">Acegi Spring Tutorial</a></b>:
-		Available in PDF and HTML formats, thanks to Bart van Riel.<br><br>
+		Available in PDF and HTML formats, thanks to Bart van Riel.<br></br><br></br>
 	</li>
     <li><b><a href="http://peter.jteam.nl/wp-trackback.php?p=6">Testing Acegi Security</a></b>:
-		Peter Veentjer discussed how to test Acegi Security-protected objects in isolation.<br><br>
+		Peter Veentjer discussed how to test Acegi Security-protected objects in isolation.<br></br><br></br>
 	</li>
     <li><b><a href="http://iremia.univ-reunion.fr/intranet/wiki/Wiki.jsp?page=DWRandAcegi">Integrating DWR and Acegi Security</a></b>:
-		Explanation on using Acegi Security's MethodSecurityInterceptor with DWR.<br><br>
+		Explanation on using Acegi Security's MethodSecurityInterceptor with DWR.<br></br><br></br>
 	</li>
     <li><b><a href="http://dev.eclipse.org/mhonarc/lists/aspectj-users/msg05355.html">AspectJ with Acegi Security</a></b>:
-		AspectJ with Acegi Security thread on the AspectJ list.<br><br>
+		AspectJ with Acegi Security thread on the AspectJ list.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.acooke.org/cute/SessionLim0.html">Session Limitation with Acegi Security</a></b>:
-		Andrew Cooke discusses using concurrent sessions.<br><br>
+		Andrew Cooke discusses using concurrent sessions.<br></br><br></br>
 	</li>
     <li><b><a href="http://jroller.com/page/paskos?entry=acegi_portable_independent_and_rich">Acegi: Portable, Independent and Rich Webapp Security</a></b>:
-		Pascal Gehl relates his experience in migrating from CMA to Acegi Security.<br><br>
+		Pascal Gehl relates his experience in migrating from CMA to Acegi Security.<br></br><br></br>
 	</li>
     <li><b><a href="http://affy.blogspot.com/2005/10/how-do-i-create-private-bean-using.html">Creating a private bean with Acegi</a></b>:
-		By David Medinets.<br><br>
+		By David Medinets.<br></br><br></br>
 	</li>
     <li><b><a href="http://affy.blogspot.com/2005/10/acegi-tutorial-example-of-method-based.html">Method based access control and JUnit for testing</a></b>:
-		By David Medinets.<br><br>
+		By David Medinets.<br></br><br></br>
 	</li>
     <li><b><a href="http://affy.blogspot.com/2005/10/acegi-example-of-when-to-use.html">Acegi: When to use AffirmativeBased voting</a></b>:
-		By David Medinets.<br><br>
+		By David Medinets.<br></br><br></br>
 	</li>
     <li><b><a href="http://raibledesigns.com/page/rd/20050617#presentations_acegi_security_and_spring">Acegi Security High-Level Overview Presentation</a></b>:
-		Matt Raible has provided a nice <a href="http://www2.java.no/web/files/moter/mai05/AcegiSecurity.pdf">PDF presentation</a> comparing Acegi Security and J2EE CMA.<br><br>
+		Matt Raible has provided a nice <a href="http://www2.java.no/web/files/moter/mai05/AcegiSecurity.pdf">PDF presentation</a> comparing Acegi Security and J2EE CMA.<br></br><br></br>
 	</li>
     <li><b><a href="http://jroller.com/page/raible?entry=how_to_upgrade_to_upgrade">How to upgrade to upgrade from Acegi Security 0.9.0 to 1.0 RC1</a></b>:
-		Matt Raible's upgrade instructions.<br><br>
+		Matt Raible's upgrade instructions.<br></br><br></br>
 	</li>
     <li><b><a href="http://jaredtech.blogspot.com/2005/08/webworkvelocityacegi-config.html">Webwork + Velocity + Acegi Config</a></b>:
-		Jared Odulio offers some configuration tips.<br><br>
+		Jared Odulio offers some configuration tips.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.almaer.com/blog/archives/000640.html">Container Managed Security: If your standard covers a lowest common denominator</a></b>:
-		"For this reason I end up using something like Acegi Security", Dion Almaer comments after listing a series of missing hooks from the Servlet Spec security approach.<br><br>
+		"For this reason I end up using something like Acegi Security", Dion Almaer comments after listing a series of missing hooks from the Servlet Spec security approach.<br></br><br></br>
 	</li>
     <li><b><a href="http://opensource.atlassian.com/seraph/status.html">Seraph Development Status</a></b>:
-		The fine folks at Atlassian have noted, "for more complex needs than Seraph meets, we suggest considering alternative frameworks like ACEGI, which provides more functionality (at the cost of greater complexity)."<br><br>
+		The fine folks at Atlassian have noted, "for more complex needs than Seraph meets, we suggest considering alternative frameworks like ACEGI, which provides more functionality (at the cost of greater complexity)."<br></br><br></br>
 	</li>
     <li><b><a href="http://www.javalobby.org/java/forums/t91426.html">Implementing application-specific UserDetails in Acegi</a></b>: 
-		Andrei Tudose has provided a JavaLobby article on this common customization point.<br><br>
+		Andrei Tudose has provided a JavaLobby article on this common customization point.<br></br><br></br>
 	</li>
     <li><b><a href="http://raibledesigns.com/page/rd/20050104#re_j2ee_app_server_security">J2EE App Server Security</a></b>:
 		"After using Acegi for the last month, I think I'm going to ditch the 'standard' J2EE security stuff", blogged Matt Raible. I should note
-		our CVS tree has become stable and there are <a href="building.html">build instructions</a>.<br><br>
+		our CVS tree has become stable and there are <a href="building.html">build instructions</a>.<br></br><br></br>
 	</li>
     <li><b><a href="http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuseAuthentication">AppFuse Authentication</a></b>:
-		Discusses AppFuse 1.8+'s replacement of Container-Managed Authentication (CMA) with Acegi Security.<br><br>
+		Discusses AppFuse 1.8+'s replacement of Container-Managed Authentication (CMA) with Acegi Security.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.jroller.com/page/fairTrade?entry=integrating_acegi_and_jsf_revisited"> Integrating Acegi and JSF: Revisited</a></b>:
-		Thanks to tony_k.<br><br>
+		Thanks to tony_k.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.jroller.com/page/vtatai/20050505#integrating_acegi_with_jsf">Java Server Faces (JSF) with Acegi Security</a></b>:
-		Covers using these two frameworks - thanks to Victor Tatai.<br><br>
+		Covers using these two frameworks - thanks to Victor Tatai.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.jroller.com/page/cagataycivici?entry=acegi_jsf_components_hit_the">Acegi Security Java Server Faces (JSF) components</a></b>:
-		Cagatay Civici has provided a JSF version of our taglibs.<br><br>
+		Cagatay Civici has provided a JSF version of our taglibs.<br></br><br></br>
 	</li>
     <li><b><a href="http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuseSecurity">Acegi Security use with AppFuse</a></b>:
-		The popular AppFuse project now uses Acegi Security instead of container managed authentication!<br><br>
+		The popular AppFuse project now uses Acegi Security instead of container managed authentication!<br></br><br></br>
 	</li>
     <li><b><a href="http://jroller.com/page/habuma/20041124#simplifying_acegi_configuration">Simplifying Acegi Configuration</a></b>:
 		Craig Walls provides a good approach to reusing your Acegi Security configuration between projects. This has been
-		<a href="http://www.picklematrix.net/archives/000974.html">updated</a> by Seth Ladd for release 0.7.0.<br><br>
+		<a href="http://www.picklematrix.net/archives/000974.html">updated</a> by Seth Ladd for release 0.7.0.<br></br><br></br>
 	</li>
     <li><b><a href="http://confluence.sourcebeat.com/display/SPL/Update+Chapters">Spring Live Update Chapters</a></b>:
-		Matt Raible is including Acegi Security in Chapter 12 of his popular ebook.<br><br>
+		Matt Raible is including Acegi Security in Chapter 12 of his popular ebook.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.china-pub.com/computers/common/info.asp?id=24483">Mastering Spring (Chinese) Book</a></b>:
-		Acegi Security is included in Chapter 17 of this book.<br><br>
+		Acegi Security is included in Chapter 17 of this book.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.manning.com/walls2">Spring In Action</a></b>:
-		Craig Walls has also written another popular Spring book, which includes Acegi Security in Chapter 11.<br><br>
+		Craig Walls has also written another popular Spring book, which includes Acegi Security in Chapter 11.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.ja-sig.org/products/cas/client/faq.html#8">Central Authentication Service FAQ</a></b>:
-		A general overview of how Acegi Security is used with JA-SIG's CAS.<br><br>
+		A general overview of how Acegi Security is used with JA-SIG's CAS.<br></br><br></br>
 	</li>
     <li><b><a href="http://oness.sourceforge.net/JavaHispano%20Acegi%20presentacion.pdf">JavaHispano 2004 Acegi Security Presentation</a></b>:
 		Carlos Sanchez's presentation (in Spanish), delivered 17 December 2004. An
         <a href="http://oness.sourceforge.net/JavaHispano%20Acegi.pdf">article</a> was also published.
-        <br><br>
+        <br></br><br></br>
 	</li>
     <li><b><a href="http://up-u.com/?p=183">Annotations in Acegi Security</a></b>:
-		An implementation of JDK 1.5 annotations with Acegi Security's SecurityConfig.<br><br>
+		An implementation of JDK 1.5 annotations with Acegi Security's SecurityConfig.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.fstxblog.com/completely-geeked/2005/05/java-acegi-security-simple-example-v2.html">Acegi Security - The Simplest Possible Example</a></b>:
-		Reid Carlberg has provided a downloadable WAR containing the simplest possible Acegi Security 0.8.2 configuration.<br><br>
+		Reid Carlberg has provided a downloadable WAR containing the simplest possible Acegi Security 0.8.2 configuration.<br></br><br></br>
 	</li>
     <li><b><a href="http://fishdujour.typepad.com/blog/2005/02/junit_testing_w.html">JUnit Testing with Acegi Security</a></b>:
-		A tip from Gavin Terrill on unit testing with Acegi Security.<br><br>
+		A tip from Gavin Terrill on unit testing with Acegi Security.<br></br><br></br>
 	</li>
     <li><b><a href="http://jroller.com/page/carlossg/20050226#acegi_security_reducing_configuration_in">Acegi Security: reducing configuration in web.xml</a></b>:
-		Carlos Sanchez provides an overview of our new <code>FilterChainProxy</code> class.<br><br>
+		Carlos Sanchez provides an overview of our new <code>FilterChainProxy</code> class.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.manageability.org/blog/stuff/single-sign-on-in-java/view">Open Source Identity Management Solutions Written in Java</a></b>:
-		From <code>manageability.org</code>.<br><br>
+		From <code>manageability.org</code>.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.porterhome.com/blog/matthew/2005/03/13/1110732830996.html">WW Live: Integrating Acegi and WebWork</a></b>:
-		Discussion about enhancing Acegi Security and WebWork integration.<br><br>
+		Discussion about enhancing Acegi Security and WebWork integration.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.orablogs.com/fnimphius/archives/000730.html">J2EE Security: Struts "Shale" proposal does improve web application security</a></b>:
 		Frank Nimphius' blog contains some comments on Acegi Security. See
-		our <a href="faq.html">FAQ</a> for additional JAAS comments.<br><br>
+		our <a href="faq.html">FAQ</a> for additional JAAS comments.<br></br><br></br>
 	</li>
     <li><b><a href="http://jakarta.apache.org/commons/attributes/faq.html">Anyone else using C-A (Commons Attributes)?</a></b>: Acegi Security made the list
 		of projects using Jakarta Commons Attributes. Our
 		<a href="/multiproject/acegi-security-sample-attributes/index.html">Attributes Sample</a>
-		demonstrates C-A integration.<br><br>
+		demonstrates C-A integration.<br></br><br></br>
 	</li>
     <li><b><a href="http://www.arroco.com/cgi-bin/blosxom.cgi/2005/08/22#acegi-javadoc">Documenting the Future At the Expense of the Present</a></b>: 
-		Blog entry on the JavaDocs missing from Acegi release ZIPs. They're actually there. Just check /docs/multiproject/acegi-security/apidocs/.<br><br>
+		Blog entry on the JavaDocs missing from Acegi release ZIPs. They're actually there. Just check /docs/multiproject/acegi-security/apidocs/.<br></br><br></br>
 	</li>
   </ul>
-</body>
-</html>
+
+
+</p></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/building.html b/doc/xdocs/building.xml
similarity index 52%
rename from doc/xdocs/building.html
rename to doc/xdocs/building.xml
index 92806bd404..9d9ffdd359 100644
--- a/doc/xdocs/building.html
+++ b/doc/xdocs/building.xml
@@ -1,86 +1,36 @@
-<!--
- * ========================================================================
- * 
- * Copyright 2004 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * 
- * ========================================================================
--->
-
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-
-<head>
-<title>Building</title>
-<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-</head>
-
-<body>
-  <h1>Building Acegi Security System</h1>
-  <h2>Checking Out from Subversion (SVN)</h2>
-  <p>This project uses <a href="http://maven.apache.org">Maven</a> as project manager
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Building</title></properties><body><section name="Building Acegi Security System"><subsection name="Checking Out from Subversion (SVN)"><p>This project uses <a href="http://maven.apache.org">Maven</a> as project manager
 	and build tool.	We recommend you to install Maven 1.0.2 or greater before trying
-	the following. <b>Note there are workarounds at the bottom of this page.</b></p>
-  <p>To checkout Acegi Security from SVN, see our 
-  <a href="cvs-usage.html">CVS Usage</a> page.</p>
-  
-  <h2>Quick Build</h2>
-  <p>Often people reading this document just want to see if Acegi Security will work 
+	the following. <b>Note there are workarounds at the bottom of this page.</b></p><p>To checkout Acegi Security from SVN, see our 
+  <a href="cvs-usage.html">CVS Usage</a> page.</p></subsection><subsection name="Quick Build"><p>Often people reading this document just want to see if Acegi Security will work 
 	for their projects. They want to deploy a sample application, and that's about it
 	(after all, all the reference documentation can be read online at
 	<a href="http://acegisecurity.org">http://acegisecurity.org</a>).
-	In this case, execute:</p>
-  <ol>
+	In this case, execute:</p><ol>
 	<pre>cd $ACEGI_SECURITY/core (or cd %ACEGI_SECURITY%/core on Windows)</pre>
 	<pre>maven jar:install</pre>
 	<pre>cd $ACEGI_SECURITY/samples/contacts</pre>
 	<pre>maven multiwar:multiwar</pre>
 	<pre>copy $ACEGI_SECURITY/samples/contacts/target/acegi-security-sample-contacts-filter.war $YOUR_CONTAINER/webapps</pre>
-  </ol>
-  <p>Then load up your web container and visit
+  </ol><p>Then load up your web container and visit
 	<a href="http://localhost:8080/acegi-security-sample-contacts-filter/">http://localhost:8080/acegi-security-sample-contacts-filter/</a>
-	(or whatever location is appropriate for your web container).</p>
-
-  <h2>Installing commons-attributes-plugin</h2>
-  <p>To properly integrate Commons Attributes with Maven (as required by
+	(or whatever location is appropriate for your web container).</p></subsection><subsection name="Installing commons-attributes-plugin"><p>To properly integrate Commons Attributes with Maven (as required by
      the <a href="/multiproject/acegi-security-sample-attributes/index.html">Attributes Sample</a>),
-	 you need to install an additional plugin.</b></p>
-  <p>To install the <code>commons-attributes-plugin</code>, execute the following commands:</p>
-  <ol>
+	 you need to install an additional plugin.</p><p>To install the <code>commons-attributes-plugin</code>, execute the following commands:</p><ol>
 	<pre>cd $ACEGI_SECURITY/doc</pre>
     <pre>maven plugin:download
     -DgroupId=commons-attributes
     -DartifactId=commons-attributes-plugin
     -Dversion=2.1</pre>
-  </ol>
-  <p>The second (final) command should be executed on a single line.</p>
-
-  <h2>Building All JARs</h2>
-  <p>Sometimes people are already using Acegi Security, and they just want to build the
+  </ol><p>The second (final) command should be executed on a single line.</p></subsection><subsection name="Building All JARs"><p>Sometimes people are already using Acegi Security, and they just want to build the
 	latest code from CVS. To build all artifacts (JARs) and install them into
 	your local Maven repository, simply perform a CVS checkout and install the
 	<code>commons-attributes-plugin</code> (as detailed above), and then
-	execute:</p>
-  <ol>
+	execute:</p><ol>
 	<pre>cd $ACEGI_SECURITY/doc</pre>
 	<pre>maven multiproject:install</pre>
-  </ol>
-  <p>You can then check your <code>$HOME/.maven/repository/acegisecurity</code>
-	directory and it should contain all of the latest Acegi Security JARs.</p>
-  
-  <h2>Building The Site</h2>
-  <p>By "site" we mean the web site you can browse at 
+  </ol><p>You can then check your <code>$HOME/.maven/repository/acegisecurity</code>
+	directory and it should contain all of the latest Acegi Security JARs.</p></subsection><subsection name="Building The Site"><p>By "site" we mean the web site you can browse at 
 	<a href="http://acegisecurity.sourceforge.net">http://acegisecurity.sourceforge.net</a>,
 	which includes the reference documentation and all of the Maven reports.
 	If you'd like a local copy, simply execute:
@@ -92,29 +42,20 @@
 	-Dmaven.jar.clover-ant=1.3.3_01 
 </pre>
   </ol>
-  <p>As per the
+  </p><p>As per the
 	<a href="http://maven.apache.org/reference/plugins/changelog/">Maven Changelog Plugin Documentation</a>,
 	you must tell the plugin the "anonymous CVS pserver" password is blank. This is
 	why there is the "create-cvspass" command shown above. You should only need to
-	do this once.</p>
-
-  <h2>Memory and Clover Workarounds</h2>
-  <p>If you get an <code>OutOfMemoryError</code>, simply execute the following before
-	calling Maven:</p>
-	<ol>
+	do this once.</p></subsection><subsection name="Memory and Clover Workarounds"><p>If you get an <code>OutOfMemoryError</code>, simply execute the following before
+	calling Maven:</p><ol>
 		<pre>set MAVEN_OPTS=-Xmx1024m -XX:MaxPermSize=512m</pre>
-	</ol>
-  <p>If you get an <code>[ERROR] Invalid license: Invalid license file [E1202]</code>,
+	</ol><p>If you get an <code>[ERROR] Invalid license: Invalid license file [E1202]</code>,
 	this is because the <code>maven-clover-plugin</code> is using an old version of
 	<code>clover-ant-xxx.jar</code>. Whilst Acegi Security's <code>project.properties</code>
 	specifies a newer version, subprojects have an inheritence problem and don't pick
 	this up (as of the time of writing). To workaround this issue, you need to
 	specify those override properties on the command line. For example, to execute the
-	Clover reports for the core subproject, you would do the following:</p>
-  <ol>
+	Clover reports for the core subproject, you would do the following:</p><ol>
 	<pre>cd $ACEGI_SECURITY/core</pre>
 	<pre>maven clover:html-report -Dmaven.jar.override=on -Dmaven.jar.clover-ant=1.3.3_01</pre>
-  </ol>
-
-</body>
-</html>
+  </ol></subsection></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/cvs-usage.html b/doc/xdocs/cvs-usage.html
deleted file mode 100644
index 0c00362432..0000000000
--- a/doc/xdocs/cvs-usage.html
+++ /dev/null
@@ -1,53 +0,0 @@
-<!--
- * ========================================================================
- * 
- * Copyright 2004 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * 
- * ========================================================================
--->
-
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-<title>CVS usage</title>
-<h1>CVS instructions for all modules</h1>
-<p>This instructions are general, check the module documentation if you need concrete instructions. </p>
-<p><em>modulename</em> can be for example:</p>
-<ul>
-  <li>acegisecurity <em>(this will check out all modules) </em></li>
-  <li>acegisecurity/core/</li>
-  <li>acegisecurity/adapters/cas</li>
-</ul>
-<h2>Web Access</h2>
-<p>
-          <a href="http://svn.sourceforge.net/viewcvs.cgi/acegisecurity/">http://svn.sourceforge.net/viewcvs.cgi/acegisecurity/</a>
-</p><h2>Anonymous Access with Maven</h2>
-<p> This project's CVS repository can be checked out through anonymous (pserver) CVS with the following instruction on a single line. </p>
-<pre>maven scm:checkout-project
-    -Dmaven.scm.method=svn
-    -Dmaven.scm.svn.module=modulename
-    -Dmaven.scm.svn.root=scm:svn:https://svn.sourceforge.net/svnroot/acegisecurity/trunk/acegisecurity
-    -Dmaven.scm.checkout.dir=acegisecurity</pre>
-<h2>Anonymous SVN Access</h2>
-<p>
-          This project's SVN repository can be checked out through anonymous
-          SVN with the following instruction set.
-</p><p>
-          svn co https://svn.sourceforge.net/svnroot/acegisecurity/trunk/acegisecurity</p>
-        
-        <h2>Nightly Snapshots</h2>
-        <p>If you'd prefer not to use SVN directly, please see our <a href="downloads.html">downloads page</a> for nightly snapshots.</p>
-
-</html>
\ No newline at end of file
diff --git a/doc/xdocs/cvs-usage.xml b/doc/xdocs/cvs-usage.xml
new file mode 100644
index 0000000000..3fd703d913
--- /dev/null
+++ b/doc/xdocs/cvs-usage.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>CVS usage</title></properties><body><section name="CVS instructions for all modules"><p>This instructions are general, check the module documentation if you need concrete instructions. </p><p><em>modulename</em> can be for example:</p><ul>
+  <li>acegisecurity <em>(this will check out all modules) </em></li>
+  <li>acegisecurity/core/</li>
+  <li>acegisecurity/adapters/cas</li>
+</ul><subsection name="Web Access"><p>
+          <a href="http://svn.sourceforge.net/viewcvs.cgi/acegisecurity/">http://svn.sourceforge.net/viewcvs.cgi/acegisecurity/</a>
+</p></subsection><subsection name="Anonymous Access with Maven"><p> This project's CVS repository can be checked out through anonymous (pserver) CVS with the following instruction on a single line. </p><source>maven scm:checkout-project
+    -Dmaven.scm.method=svn
+    -Dmaven.scm.svn.module=modulename
+    -Dmaven.scm.svn.root=scm:svn:https://svn.sourceforge.net/svnroot/acegisecurity/trunk/acegisecurity
+    -Dmaven.scm.checkout.dir=acegisecurity
+</source></subsection><subsection name="Anonymous SVN Access"><p>
+          This project's SVN repository can be checked out through anonymous
+          SVN with the following instruction set.
+</p><p>
+          svn co https://svn.sourceforge.net/svnroot/acegisecurity/trunk/acegisecurity</p></subsection><subsection name="Nightly Snapshots"><p>If you'd prefer not to use SVN directly, please see our <a href="downloads.html">downloads page</a> for nightly snapshots.</p></subsection></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/downloads.html b/doc/xdocs/downloads.html
deleted file mode 100644
index 9beddf7650..0000000000
--- a/doc/xdocs/downloads.html
+++ /dev/null
@@ -1,71 +0,0 @@
-<!--
- * ========================================================================
- * 
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * 
- * ========================================================================
--->
-
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-
-<head>
-<title>Acegi Security Downloads</title>
-<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-</head>
-
-<body>
-  <h1>Acegi Security Downloads</h1>
-  <p>If you wish to try out this project, you are probably looking for the
-  <strong>acegi-security-xx.zip</strong> file, which contains all of the officially
-  released JARs, a copy of all documentation, and two WAR artifacts. The two WAR artifacts
-  are from the Contacts Sample and the Tutorial Sample application. The Tutorial Sample
-  consists of a "bare bones" configuration that will get you up and running quickly, whereas
-  the Contacts Sample illustrates more advanced features.</p>
-  
-  <p>Please note that in order to reduce download size, we only include in the
-  release ZIP one of the WAR artifacts produced by the Contacts Sample application.
-  The WAR artifact we include is suitable for standalone deployment (specifically, it
-  does not require a CAS server, container adapter, X509 or LDAP setup). The official release ZIP
-  therefore probably contains what you need, especially if you're initially
-  evaluating the project. If you wish to deploy the other WAR artifacts produced by
-  the Contacts Sample application (ie those that target CAS, container adapters, X509 or LDAP usage),
-  you will need to build Acegi Security from source.
-  
-  <p>The acegi-security-xx-src.zip is intended for use with IDEs. It does not contain the
-  files needed to compile Acegi Security. It also does not contain the sources to the
-  sample applications. If you need any of these files, please download from SVN.</p>
-  
-  <h2>Official Releases</h2>
-  <p>The official release ZIP files are available from the
-  <a href="http://sourceforge.net/project/showfiles.php?group_id=104215">Sourceforge File Release System</a>.</p>
-  <h2>Maven Dependencies</h2>
-  <p>The Acegi Security JARs are also available via the
-  <a href="http://www.ibiblio.org/maven2/org/acegisecurity">iBiblio Maven Repository</a>.</p>
-  <h2>Building From Source</h2>
-  <p>Detailed instructions on downloading from CVS and building from source
-  are provided on the <a href="building.html">Building with Maven</a>
-  page.</p>
-  <h2>SVN Snapshots and Daily Builds</h2>
-  <p>
-  If you don't wish to access SVN directly, we provide
-  <a href="http://acegisecurity.sourceforge.net/nightly/">nightly SVN exports</a> for your convenience.
-  There is also an automated build which uploads bundle of Acegi Security jar files to the same location.
-  Both binary and source archives have the date of the build and the SVN revision number appended to the filename,
-  so you can match them up easily.
-  </p>
-
-</body>
-</html>
diff --git a/doc/xdocs/downloads.xml b/doc/xdocs/downloads.xml
new file mode 100644
index 0000000000..f70cd45ea2
--- /dev/null
+++ b/doc/xdocs/downloads.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Acegi Security Downloads</title></properties><body><section name="Acegi Security Downloads"><p>If you wish to try out this project, you are probably looking for the
+  <strong>acegi-security-xx.zip</strong> file, which contains all of the officially
+  released JARs, a copy of all documentation, and two WAR artifacts. The two WAR artifacts
+  are from the Contacts Sample and the Tutorial Sample application. The Tutorial Sample
+  consists of a "bare bones" configuration that will get you up and running quickly, whereas
+  the Contacts Sample illustrates more advanced features.</p><p>Please note that in order to reduce download size, we only include in the
+  release ZIP one of the WAR artifacts produced by the Contacts Sample application.
+  The WAR artifact we include is suitable for standalone deployment (specifically, it
+  does not require a CAS server, container adapter, X509 or LDAP setup). The official release ZIP
+  therefore probably contains what you need, especially if you're initially
+  evaluating the project. If you wish to deploy the other WAR artifacts produced by
+  the Contacts Sample application (ie those that target CAS, container adapters, X509 or LDAP usage),
+  you will need to build Acegi Security from source.
+  
+  </p><p>The acegi-security-xx-src.zip is intended for use with IDEs. It does not contain the
+  files needed to compile Acegi Security. It also does not contain the sources to the
+  sample applications. If you need any of these files, please download from SVN.</p><subsection name="Official Releases"><p>The official release ZIP files are available from the
+  <a href="http://sourceforge.net/project/showfiles.php?group_id=104215">Sourceforge File Release System</a>.</p></subsection><subsection name="Maven Dependencies"><p>The Acegi Security JARs are also available via the
+  <a href="http://www.ibiblio.org/maven2/org/acegisecurity">iBiblio Maven Repository</a>.</p></subsection><subsection name="Building From Source"><p>Detailed instructions on downloading from CVS and building from source
+  are provided on the <a href="building.html">Building with Maven</a>
+  page.</p></subsection><subsection name="SVN Snapshots and Daily Builds"><p>
+  If you don't wish to access SVN directly, we provide
+  <a href="http://acegisecurity.sourceforge.net/nightly/">nightly SVN exports</a> for your convenience.
+  There is also an automated build which uploads bundle of Acegi Security jar files to the same location.
+  Both binary and source archives have the date of the build and the SVN revision number appended to the filename,
+  so you can match them up easily.
+  </p></subsection></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/faq.html b/doc/xdocs/faq.xml
similarity index 71%
rename from doc/xdocs/faq.html
rename to doc/xdocs/faq.xml
index 0c24019a8e..0133af08a6 100644
--- a/doc/xdocs/faq.html
+++ b/doc/xdocs/faq.xml
@@ -1,36 +1,5 @@
-<!--
- * ========================================================================
- * 
- * Copyright 2004 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * 
- * ========================================================================
--->
-
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-
-<head>
-<title>Frequently Asked Questions (FAQ) on Acegi Security</title>
-<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-</head>
-
-<body>
-  <h1>Frequently Asked Questions</h1>
-  
-  <h2>What is Acegi Security?</h2>
-  <p>Acegi Security is an open source project that provides comprehensive authentication
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Frequently Asked Questions (FAQ) on Acegi Security</title></properties><body><section name="Frequently Asked Questions"><subsection name="What is Acegi Security?"><p>Acegi Security is an open source project that provides comprehensive authentication
 	and authorisation services for enterprise applications based on
 	<a href="http://www.springframework.org">The Spring Framework</a>.
 	Acegi Security can authenticate using a variety of pluggable providers, and
@@ -43,10 +12,7 @@
 	servlet Filters and Java AOP frameworks. In terms of AOP framework support, Acegi
 	Security currently supports AOP Alliance (which is what the
 	Spring IoC container uses internally) and AspectJ, although additional frameworks
-	can be easily supported.</p>
-
-  <h2>Why not just use web.xml security?</h2>
-  <p>Let's assume you're developing an enterprise application based on Spring.
+	can be easily supported.</p></subsection><subsection name="Why not just use web.xml security?"><p>Let's assume you're developing an enterprise application based on Spring.
 	There are four security concerns you typically need to address: authentication,
 	web request security, service layer security (ie your methods that implement
 	business logic), and domain object instance security (ie different domain objects
@@ -63,7 +29,7 @@
 			authentication providers and mechanisms, meaning you can switch your 
 			authentication approaches at deployment time. This is particularly
 			valuable for software vendors writing products that need to work in
-			an unknown target environment.<br><br></li>
+			an unknown target environment.<br></br><br></br></li>
 		<li><b>Web request security:</b> The servlet specification provides an
 			approach to secure your request URIs. However, these URIs can only be
 			expressed in the servlet specification's own limited URI path format.
@@ -72,13 +38,13 @@
 			URI other than simply the requested page (eg you can consider HTTP GET
 			parameters), and you can implement your own runtime source of configuration
 			data. This means your web request security can be dynamically changed during
-			the actual execution of your webapp.<br><br></li>
+			the actual execution of your webapp.<br></br><br></br></li>
 		<li><b>Service layer and domain object security:</b> The absence of support 
 			in the servlet specification for services layer security or domain object 
 			instance security represent serious limitations for multi-tiered 
 			applications. Typically developers either ignore these requirements, or
 			implement security logic within their MVC controller code (or even worse,
-			inside the views). There are serious disadvantages with this approach:<br><br>
+			inside the views). There are serious disadvantages with this approach:<br></br><br></br>
 				<ol>
 					<li><i>Separation of concerns:</i> Authorization is a 
 						crosscutting concern and should be implemented as such. 
@@ -114,7 +80,7 @@
 						would offer, and in-house authorization code will typically 
 						lack the improvements that emerge from widespread deployment, 
 						peer review and new versions.
-				</ol>
+				</li></ol>
 				</li>
 	</ol>
 	For simple applications, servlet specification security may just be enough.
@@ -122,69 +88,50 @@
 	configuration requirements, limited web request security flexibility, and 
 	non-existent services layer and domain object instance security, it becomes 
 	clear why developers often look to alternative solutions.
-	</p>
-
-  <h2>How do you pronounce "Acegi"?</h2>
-  <p><i>Ah-see-gee</i>. Said quickly, without emphasis on any part.
+	</p></subsection><subsection name="How do you pronounce &quot;Acegi&quot;?"><p><i>Ah-see-gee</i>. Said quickly, without emphasis on any part.
 	Acegi isn't an acronym, name of a Greek God or anything similarly
-	impressive - it's just letters #1, #3, #5, #7 and #9 of the alphabet.</p>
-
-  <h2>Is it called "Acegi" or "Acegi Security"?</h2>
-  <p>It's official name is <i>Acegi Security System for Spring</i>,
+	impressive - it's just letters #1, #3, #5, #7 and #9 of the alphabet.</p></subsection><subsection name="Is it called &quot;Acegi&quot; or &quot;Acegi Security&quot;?"><p>It's official name is <i>Acegi Security System for Spring</i>,
 	although we're happy for it to be abbreviated to
 	<i>Acegi Security</i>. Please don't just call it <i>Acegi</i>, though,
 	as that gets confused with the name of the company that maintains Acegi
-	Security.</p>
-
-  <h2>What catches 80% of users reporting problems?</h2>
-  <p>80% of support questions are because people have not defined
+	Security.</p></subsection><subsection name="What catches 80% of users reporting problems?"><p>80% of support questions are because people have not defined
 	the necessary filters in <code>web.xml</code>, or the filters are being
 	mapped in the incorrect order. Check the 
 	<a href="reference.html">Reference Guide</a>, which
-	has a specific section on filter ordering.</p>
-  
-  <h2>I'm sure my filters are ordered correctly. What else could be wrong?</h2>
-  <p>The next most common source of problems stem from custom
+	has a specific section on filter ordering.</p></subsection><subsection name="I&apos;m sure my filters are ordered correctly. What else could be wrong?"><p>The next most common source of problems stem from custom
 	<code>AuthenticationDao</code> implementations that simply don't properly
 	implement the interface contract. For example, they return <code>null</code> instead
 	of the user not found exception, or fail to add in the
 	<code>GrantedAuthority[]</code>s. Whilst <code>DaoAuthenticationProvider</code>
 	does its best to check the <code>AuthenticationDao</code> returns a valid 
 	<code>UserDetails</code>, we suggest you write the
-	<code>UserDetails</code> object to the log and check it looks correct.</p>
-
-  <h2>Common Problem #1: My application goes into an "endless loop" when I try to login, what's going on?</h2>
-  <p>A common user problem with infinite loop and redirecting to the login page
+	<code>UserDetails</code> object to the log and check it looks correct.</p></subsection><subsection name="Common Problem #1: My application goes into an &quot;endless loop&quot; when I try to login, what&apos;s going on?"><p>A common user problem with infinite loop and redirecting to the login page
      is caused by accidently configuring the login page as a "secured" resource.
      Generally make sure you mark your login page as requiring ROLE_ANONYMOUS.
-     </p>
-
-  <h2>Common Problem #2: My application pages don't seem to be protected.</h2>
-  <p>If you are securing web resources and they dont seem to be matched in the URL patterns,
+     </p></subsection><subsection name="Common Problem #2: My application pages don&apos;t seem to be protected."><p>If you are securing web resources and they dont seem to be matched in the URL patterns,
      check the objectDefinitionSource in the FilterSecurityInterceptor.
      If you are using the <tt>CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON</tt> setting,
      then the URL patterns configured MUST be in lowercase.
-  <p>
+  </p><p>
      For example, making a request ending in <tt>/someAction.do</tt> will need 
      to be configured as: <tt>/someaction.do</tt> (Note the case).
 <pre>
-&lt;property name="objectDefinitionSource">
-  &lt;value>
+&lt;property name="objectDefinitionSource"&gt;
+  &lt;value&gt;
     CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
     PATTERN_TYPE_APACHE_ANT
     /index.jsp=ROLE_ANONYMOUS,ROLE_USER
     /someaction.do=ROLE_USER     			    
-  &lt;value>
-&lt;/property>     
+  &lt;value&gt;
+&lt;/property&gt;     
 </pre>
 
-  <h2>Common Problem #3: How do I disable a user after a number of failed logins?</h2>
-  <p>A common user requirement is to disable / lock an account after a number of failed login attempts.
+  </p></subsection><subsection name="Common Problem #3: How do I disable a user after a number of failed logins?"><p>A common user requirement is to disable / lock an account after a number of failed login attempts.
      Acegi itself does not provide anything "out of the box", however in your application you can implement 
      and register an <tt>org.springframework.context.ApplicationListener</tt>. Inside your application
      event listener you can then check for an instanceof the particular <tt>AuthenticationFailureEvent</tt>
      and then call your application user management interface to update the user details.
-     <p>
+     </p><p>
      For example:
      <pre>
      public void onApplicationEvent(ApplicationEvent event) {
@@ -197,91 +144,64 @@
      }
      </pre>
 
-  <h2>Common Problem #4: I am changing my password using a web controller and DAO, why is my password still not being refreshed?</h2>
-  <p>There are three things you must do to make a user password change take affect:
+  </p></subsection><subsection name="Common Problem #4: I am changing my password using a web controller and DAO, why is my password still not being refreshed?"><p>There are three things you must do to make a user password change take affect:
   <ul>
   <li> Change the password using your authentication DAO</li>
   <li> Remove the user from the User Cache (i.e. if you have a cache configured) </li>
   <li> Update the <tt>SecurityContextHolder</tt> to include the new <tt>Authentication</tt> object and password</li>
   </ul>
 
-  <h2>I need some help. What files should I post?</h2>
-  <p>The most important things to post with any support requests on the
+  </p></subsection><subsection name="I need some help. What files should I post?"><p>The most important things to post with any support requests on the
 	<a href="http://forum.springframework.org">Spring Forums</a> are your
 	<code>web.xml</code>, <code>applicationContext.xml</code> (or whichever
 	XML loads the security-related beans) as well as any custom
 	<code>AuthenticationDao</code> you might be using. For really odd problems,
-	also switch on debug-level logging and include the resulting log.</p>
-
-  <h2>How do I switch on debug-level logging?</h2>
-  <p>Acegi Security uses Commons Logging, just as Spring does. So you use the
+	also switch on debug-level logging and include the resulting log.</p></subsection><subsection name="How do I switch on debug-level logging?"><p>Acegi Security uses Commons Logging, just as Spring does. So you use the
 	same approach as you'd use for Spring. Most people output to Log4J, so
-	the following <code>log4j.properties</code> would work:</p>
-	
-	<pre>
+	the following <code>log4j.properties</code> would work:</p><source>
 		log4j.rootCategory=WARN, stdout
 		
 		log4j.appender.stdout=org.apache.log4j.ConsoleAppender
 		log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
 		log4j.appender.stdout.layout.ConversionPattern=%d %p %c - %m%n
 		
-		log4j.category.net.sf.acegisecurity=DEBUG</pre>
+		log4j.category.net.sf.acegisecurity=DEBUG
 
-  <h2>How do I store custom properties, like a user's email address?</h2>
-  <p>In most cases write an <code>AuthenticationDao</code> which returns
+  </source></subsection><subsection name="How do I store custom properties, like a user&apos;s email address?"><p>In most cases write an <code>AuthenticationDao</code> which returns
 	a subclass of <code>User</code>. Alternatively, write your own
-	<code>UserDetails</code> implementation from scratch and return that.</p>
-
-  <h2>Why doesn't Acegi Security use JAAS?</h2>
-  <p>Acegi Security targets <i>enterprise applications</i>, which are typically
+	<code>UserDetails</code> implementation from scratch and return that.</p></subsection><subsection name="Why doesn&apos;t Acegi Security use JAAS?"><p>Acegi Security targets <i>enterprise applications</i>, which are typically
 	multi-user, data-oriented applications that are important to
 	the core business. Acegi Security was designed to provide a portable and effective
 	security framework for this target application type. It was not designed for securing
-	limited privilege runtime environments, such as web browser applets.</p>
-	
-	<p>We did consider JAAS when designing Acegi Security, but it simply
+	limited privilege runtime environments, such as web browser applets.</p><p>We did consider JAAS when designing Acegi Security, but it simply
 	wasn't suitable for our purpose. We needed to avoid complex JRE configurations,
 	we needed container portability, and we wanted maximum leveraging of the Spring IoC
 	container. Particularly as limited privilege runtime environments were not
 	an actual requirement, this lead to the natural design of Acegi Security as
-	it exists today.</p>
-	
-	<p>Acegi Security already provides some JAAS integration. It can today authenticate
+	it exists today.</p><p>Acegi Security already provides some JAAS integration. It can today authenticate
 	via delegation to a JAAS login module. This means it offers the same level of JAAS
 	integration as many web containers. Indeed the container adapter model supported by
 	Acegi Security allows Acegi Security and container-managed security to happily
 	co-exist and benefit from each other. Any debate about Acegi Security and JAAS
 	should therefore centre on the authorisation issue. An evaluation of major
 	containers and security frameworks would reveal that Acegi Security is by no
-	means unusual in not using JAAS for authorisation.</p>
-	
-	<p>There are many examples of open source applications being preferred to
+	means unusual in not using JAAS for authorisation.</p><p>There are many examples of open source applications being preferred to
 	official standards. A few that come to mind in the Java community include
 	using Spring managed POJOs (rather than EJBs), Hibernate (instead of entity beans),
 	Log4J (instead of JDK logging), Tapestry (instead of JSF), and Velocity/FreeMarker
 	(instead of JSP). It's important to recognise that many open source projects do
 	develop into de facto standards, and in doing so play a legitimate and beneficial
-	role in professional software development.</p>
-
-  <h2>Do you welcome contributions?</h2>
-  <p>Yes. If you've written something and it works well, please feel free to share it.
+	role in professional software development.</p></subsection><subsection name="Do you welcome contributions?"><p>Yes. If you've written something and it works well, please feel free to share it.
 	Simply email the contribution to the 
 	<a href="mail-lists.html">acegisecurity-developers</a> list. If you haven't yet
 	written the contribution, we encourage you to send your thoughts to the same 
-	list so that you can receive some initial design feedback.</p>
-	
-	<p>For a contribution to be used, it must have appropriate unit test coverage and
+	list so that you can receive some initial design feedback.</p><p>For a contribution to be used, it must have appropriate unit test coverage and
 	detailed JavaDocs. It will ideally have some comments for the Reference Guide
 	as well (this can be sent in word processor or HTML format if desired). This
 	helps ensure the contribution maintains the same quality as the remainder of
-	the project.</p>
-	
-	<p>We also welcome documentation improvements, unit tests, illustrations,
+	the project.</p><p>We also welcome documentation improvements, unit tests, illustrations,
 	people supporting the user community (especially on the forums), design ideas,
 	articles, blog entries, presentations and alike. If you're looking for something
 	to do, you can always email the
 	<a href="mail-lists.html">acegisecurity-developers</a> list and we'll be
-	pleased to suggest something. :-)</p>
-
-</body>
-</html>
+	pleased to suggest something. :-)</p></subsection></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/index.html b/doc/xdocs/index.xml
similarity index 55%
rename from doc/xdocs/index.html
rename to doc/xdocs/index.xml
index 9d94bf14e2..866ac97a20 100644
--- a/doc/xdocs/index.html
+++ b/doc/xdocs/index.xml
@@ -1,83 +1,69 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
-<HTML><HEAD><TITLE>Acegi Security System for Spring</TITLE>
-<META http-equiv=Content-Type content="text/html; charset=windows-1252">
-<META content="MSHTML 6.00.2900.2180" name=GENERATOR></HEAD>
-<BODY>
-      <HR>
-      <B><CENTER>What is Acegi Security?</CENTER></B>
-      <HR>
-	  <BR>
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Acegi Security System for Spring</title></properties><body><section name=""><b></b><center><b>What is Acegi Security?</b></center></section><section name=""><br></br><p>
 	  Acegi Security is a powerful, flexible security solution for enterprise software,
 	  with a particular emphasis on applications that use 
-	  <A href="http://www.springframework.org/">Spring</A>. Using Acegi Security provides your
+	  <a href="http://www.springframework.org/">Spring</a>. Using Acegi Security provides your
 	  applications with comprehensive authentication, authorization, instance-based access control,
 	  channel security and human user detection capabilities.
-      <BR>
-      
-      <HR>
-      <B><CENTER>Key Features</CENTER></B>
-      <HR>
-      <BR>
-      <UL>
-        <LI><B>Stable and mature.</B> Acegi Security 1.0.0 was released in May 2006 after
+      </p><br></br></section><section name=""><b></b><center><b>Key Features</b></center></section><section name=""><br></br><ul>
+        <li><b>Stable and mature.</b> Acegi Security 1.0.0 was released in May 2006 after
         more than two and a half years of use in large production software projects, 70,000+ downloads
         and hundreds of community contributions.
-        In terms of release numbering, we also use the <A 
-        href="http://apr.apache.org/versioning.html">Apache APR Project 
-        Versioning Guidelines</A> so that you can easily identify release
-        compatibility.<BR><BR>
-        <LI><B>Well documented:</B> All APIs are fully documented using 
+        In terms of release numbering, we also use the <a href="http://apr.apache.org/versioning.html">Apache APR Project 
+        Versioning Guidelines</a> so that you can easily identify release
+        compatibility.<br></br><br></br>
+        </li><li><b>Well documented:</b> All APIs are fully documented using 
         <a href="http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/index.html">JavaDoc</a>,
         with almost 100 pages of
 		<a href="reference.html">Reference Guide</a> documentation providing an easy-to-follow
         introduction. Even more documentation is provided on this web site, as
-		shown in the left hand navigation sidebar.<BR><BR>
-        <LI><B>Fast results:</B> View our <a href="suggested.html">suggested steps</a>
-        for the fastest way to develop complex, security-compliant applications.<BR><BR>
-        <LI><B>Enterprise-wide single sign on:</B> Using JA-SIG's open 
-        source <A href="http://www.ja-sig.org/products/cas/">Central Authentication 
-        Service</A> (CAS), the Acegi Security can participate 
+		shown in the left hand navigation sidebar.<br></br><br></br>
+        </li><li><b>Fast results:</b> View our <a href="suggested.html">suggested steps</a>
+        for the fastest way to develop complex, security-compliant applications.<br></br><br></br>
+        </li><li><b>Enterprise-wide single sign on:</b> Using JA-SIG's open 
+        source <a href="http://www.ja-sig.org/products/cas/">Central Authentication 
+        Service</a> (CAS), the Acegi Security can participate 
         in an enterprise-wide single sign on environment. You no longer need 
         every web application to have its own authentication database. Nor are 
         you restricted to single sign on across a single web container. Advanced 
         single sign on features like proxy support and forced refresh of logins 
-        are supported by both CAS and Acegi Security.<BR><BR>
-        <LI><B>Reuses your Spring expertise:</B> We use Spring application 
+        are supported by both CAS and Acegi Security.<br></br><br></br>
+        </li><li><b>Reuses your Spring expertise:</b> We use Spring application 
         contexts for all configuration, which should help Spring developers get 
-        up-to-speed nice and quickly.<BR><BR>
-        <LI><B>Domain object instance security:</B> In many applications it's 
+        up-to-speed nice and quickly.<br></br><br></br>
+        </li><li><b>Domain object instance security:</b> In many applications it's 
         desirable to define Access Control Lists (ACLs) for individual domain 
         object instances. We provide a comprehensive ACL package with features 
         including integer bit masking, permission inheritence (including 
         blocking), a JDBC-backed ACL repository, caching and a pluggable, 
-        interface-driven design.<BR><BR>
-        <LI><B>Non-intrusive setup:</B> The entire security system can operate 
+        interface-driven design.<br></br><br></br>
+        </li><li><b>Non-intrusive setup:</b> The entire security system can operate 
         within a single web application using the provided filters. There is no 
         need to make special changes or deploy libraries to your Servlet or EJB 
-        container.<BR><BR>
-        <LI><B>Full (but optional) container integration:</B> The credential 
+        container.<br></br><br></br>
+        </li><li><b>Full (but optional) container integration:</b> The credential 
         collection and authorization capabilities of your Servlet or EJB 
         container can be fully utilised via included "container adapters". We 
         currently support Catalina (Tomcat), Jetty, JBoss and Resin, with 
-        additional containers easily added.<BR><BR>
-        <LI><B>Keeps your objects free of security code:</B> Many applications 
+        additional containers easily added.<br></br><br></br>
+        </li><li><b>Keeps your objects free of security code:</b> Many applications 
         need to secure data at the bean level based on any combination of 
         parameters (user, time of day, authorities held, method being invoked, 
         parameter on method being invoked....). This package gives you this 
         flexibility without adding security code to your Spring business 
-        objects.<BR><BR>
-        <LI><B>After invocation security:</B> Acegi Security can not only protect
+        objects.<br></br><br></br>
+        </li><li><b>After invocation security:</b> Acegi Security can not only protect
 		methods from being invoked in the first place, but it can also
 		deal with the objects returned from the methods. Included implementations 
 		of after invocation security can throw an exception or mutate the returned
-		object based on ACLs.<BR><BR>
-        <LI><B>Secures your HTTP requests as well:</B> In addition to securing 
+		object based on ACLs.<br></br><br></br>
+        </li><li><b>Secures your HTTP requests as well:</b> In addition to securing 
         your beans, the project also secures your HTTP requests. No longer is it 
         necessary to rely on web.xml security constraints. Best of all, your 
         HTTP requests can now be secured by your choice of regular expressions 
         or Apache Ant paths, along with pluggable authentication, authorization 
-        and run-as replacement managers.<BR><BR>
-        <LI><B>Channel security:</B> Acegi Security can 
+        and run-as replacement managers.<br></br><br></br>
+        </li><li><b>Channel security:</b> Acegi Security can 
         automatically redirect requests across an appropriate transport channel. 
         Whilst flexible enough to support any of your "channel" requirements (eg 
         the remote user is a human, not a robot), a common channel security 
@@ -85,111 +71,106 @@
         HTTPS, and your public pages only over HTTP. Acegi Security also 
         supports unusual port combinations (including if accessed via an
         intermediate server like Apache) and pluggable transport decision 
-        managers.<BR><BR>
-        <LI><B>Supports HTTP BASIC authentication:</B> Perfect for remoting 
+        managers.<br></br><br></br>
+        </li><li><b>Supports HTTP BASIC authentication:</b> Perfect for remoting 
         protocols or those web applications that prefer a simple browser pop-up 
         (rather than a form login), Acegi Security can directly process HTTP 
-        BASIC authentication requests as per RFC 1945.<BR><BR>
-        <LI><B>Supports HTTP Digest authentication:</B> For greater security than
+        BASIC authentication requests as per RFC 1945.<br></br><br></br>
+        </li><li><b>Supports HTTP Digest authentication:</b> For greater security than
         offered by BASIC authentcation, Acegi Security also supports Digest Authentication
         (which never sends the user's password across the wire). Digest Authentication
         is widely supported by modern browsers. Acegi Security's implementation complies
-        with both RFC 2617 and RFC 2069.<BR><BR>
-        <LI><B>Computer Associates Siteminder support:</B> Authentication can be
+        with both RFC 2617 and RFC 2069.<br></br><br></br>
+        </li><li><b>Computer Associates Siteminder support:</b> Authentication can be
         delegated through to CA's Siteminder solution, which is common in large
-        corporate environments.<BR><BR>
-        <LI><B>X509 (Certificate) support:</B> Acegi Security can easily read
-        client-side X509 certificates for authenticating users.<BR><BR>
-        <LI><B>LDAP Support:</B> Do you have an LDAP directory? Acegi Security can
-        happily authenticate against it.<BR><BR>
-        <LI><B>Tag library support:</B> Your JSP files can use our taglib 
+        corporate environments.<br></br><br></br>
+        </li><li><b>X509 (Certificate) support:</b> Acegi Security can easily read
+        client-side X509 certificates for authenticating users.<br></br><br></br>
+        </li><li><b>LDAP Support:</b> Do you have an LDAP directory? Acegi Security can
+        happily authenticate against it.<br></br><br></br>
+        </li><li><b>Tag library support:</b> Your JSP files can use our taglib 
         to ensure that protected content like links and messages are only 
         displayed to users holding the appropriate granted authorities. The taglib
 		also fully integrates with Acegi Security's ACL services, and
-		obtaining extra information about the logged-in principal.<BR><BR>
-        <LI><B>Configuration via IoC XML, Commons Attributes, or JDK 5 Annotations:</B> You 
+		obtaining extra information about the logged-in principal.<br></br><br></br>
+        </li><li><b>Configuration via IoC XML, Commons Attributes, or JDK 5 Annotations:</b> You 
         select the method used to configure your security environment. The 
         project supports configuration via Spring application contexts, as well 
         as Jakarta Commons Attributes and Java 5's annotations feature. Some users
         (such as those building content management systems) pull configuration data
         from a database, which exemplifies Acegi Security's flexible configuration
-        metadata system.<BR><BR>
-        <LI><B>Various authentication backends:</B> We include the ability to 
+        metadata system.<br></br><br></br>
+        </li><li><b>Various authentication backends:</b> We include the ability to 
         retrieve your user and granted authority definitions from an XML 
         file, JDBC datasource or Properties file. Alternatively, you can implement the 
         single-method UserDetailsService interface and obtain authentication details from 
-        anywhere you like.<BR><BR>
-        <LI><B>Event support:</B> Building upon Spring's 
-        <CODE>ApplicationEvent</CODE> services, you can write your own listeners 
+        anywhere you like.<br></br><br></br>
+        </li><li><b>Event support:</b> Building upon Spring's 
+        <code>ApplicationEvent</code> services, you can write your own listeners 
         for authentication-related events, along with authorisation-related events.
 		This enables you to implement account lockout and audit log systems, with
-		complete decoupling from Acegi Security code.<BR><BR>
-        <LI><B>Easy integration with existing databases:</B> Our implementations 
+		complete decoupling from Acegi Security code.<br></br><br></br>
+        </li><li><b>Easy integration with existing databases:</b> Our implementations 
         have been designed to make it very easy to use your existing 
         authentication schema and data (without modification). Of course,
-		you can also provide your own Data Access Object if you wish.<BR><BR>
-        <LI><B>Caching:</B> Acegi Security integrates with Spring's <A 
-        href="http://ehcache.sourceforge.net/">EHCACHE</A> factory. 
+		you can also provide your own Data Access Object if you wish.<br></br><br></br>
+        </li><li><b>Caching:</b> Acegi Security integrates with Spring's <a href="http://ehcache.sourceforge.net/">EHCACHE</a> factory. 
         This flexibility means your database (or other authentication 
         repository) is not repeatedly queried for authentication 
-        information.<BR><BR>
-        <LI><B>Pluggable architecture:</B> Every critical aspect of the package 
+        information.<br></br><br></br>
+        </li><li><b>Pluggable architecture:</b> Every critical aspect of the package 
         has been modelled using high cohesion, loose coupling, interface-driven 
         design principles. You can easily replace, customise or extend parts of 
-        the package.<BR><BR>
-        <LI><B>Startup-time validation:</B> Every critical object dependency and 
+        the package.<br></br><br></br>
+        </li><li><b>Startup-time validation:</b> Every critical object dependency and 
         configuration parameter is validated at application context startup 
         time. Security configuration errors are therefore detected early and 
-        corrected quickly.<BR><BR>
-        <LI><B>Remoting support:</B> Does your project use a rich client? Not a 
+        corrected quickly.<br></br><br></br>
+        </li><li><b>Remoting support:</b> Does your project use a rich client? Not a 
         problem. Acegi Security integrates with standard Spring remoting 
         protocols, because it automatically processes the HTTP BASIC 
         authentication headers they present. Add our BASIC authentication filter 
         to your web.xml and you're done. You can also easily use RMI or Digest
-        authentication for your rich clients with a simple configuration statement.<BR><BR>
-        <LI><B>Advanced password encoding:</B> Of course, passwords in your 
+        authentication for your rich clients with a simple configuration statement.<br></br><br></br>
+        </li><li><b>Advanced password encoding:</b> Of course, passwords in your 
         authentication repository need not be in plain text. We support both SHA 
         and MD5 encoding, and also pluggable "salt" providers to maximise 
         password security. Acegi Security doesn't even need to see the password
         if your backend can use a bind-based strategy for authentication (such as
-        an LDAP directory, or a database login).<BR><BR>
-        <LI><B>Run-as replacement:</B> The system fully supports 
+        an LDAP directory, or a database login).<br></br><br></br>
+        </li><li><b>Run-as replacement:</b> The system fully supports 
         temporarily replacing the authenticated principal for the duration of the web 
         request or bean invocation. This enables you to build public-facing 
         object tiers with different security configurations than your backend 
-        objects.<BR><BR>
-        <LI><B>Transparent security propagation:</B> Acegi Security can automatically
+        objects.<br></br><br></br>
+        </li><li><b>Transparent security propagation:</b> Acegi Security can automatically
 		transfer its core authentication information from one machine to another,
-		using a variety of protocols including RMI and Spring's HttpInvoker.<BR><BR>
-        <LI><B>Compatible with HttpServletRequest's security methods:</B> Even though
+		using a variety of protocols including RMI and Spring's HttpInvoker.<br></br><br></br>
+        </li><li><b>Compatible with HttpServletRequest's security methods:</b> Even though
 		Acegi Security can deliver authentication using a range of pluggable mechanisms
 		(most of which require no web container configuration), we allow you to access
 		the resulting Authentication object via the getRemoteUser() and other
-		security methods on HttpServletRequest.<BR><BR>
-        <LI><B>Unit tests:</B> A must-have of any quality security project, unit 
+		security methods on HttpServletRequest.<br></br><br></br>
+        </li><li><b>Unit tests:</b> A must-have of any quality security project, unit 
         tests are included. Our unit test coverage is very high, as shown in the
-		<a href="multiproject/acegi-security/clover/index.html">coverage report</a>.<BR><BR>
-        <LI><B>Built by Maven:</B> This assists you in effectively reusing the Acegi
-		Security artifacts in your own Maven-based projects.<BR><BR>
-        <LI><B>Supports your own unit tests:</B> We provide a number of classes 
+		<a href="multiproject/acegi-security/clover/index.html">coverage report</a>.<br></br><br></br>
+        </li><li><b>Built by Maven:</b> This assists you in effectively reusing the Acegi
+		Security artifacts in your own Maven-based projects.<br></br><br></br>
+        </li><li><b>Supports your own unit tests:</b> We provide a number of classes 
         that assist with your own unit testing of secured business objects. For 
         example, you can change the authentication identity and its associated 
-        granted authorities directly within your test methods.<BR><BR>
-        <LI><B>Peer reviewed:</B> Whilst nothing is ever completely secure, 
+        granted authorities directly within your test methods.<br></br><br></br>
+        </li><li><b>Peer reviewed:</b> Whilst nothing is ever completely secure, 
         using an open source security package leverages the continuous design 
-        and code quality improvements that emerge from peer review.<BR><BR>
-        <LI><B>Community:</B> Well-known for its supportive community, Acegi Security
+        and code quality improvements that emerge from peer review.<br></br><br></br>
+        </li><li><b>Community:</b> Well-known for its supportive community, Acegi Security
         has an active group of developers and users. Visit our project resources (below)
-        to access these services.<BR><BR>
-        <LI><B>Apache license.</B> You can confidently use Acegi Security in your project.<BR><BR></LI></UL><BR><B>
-      <HR>
+        to access these services.<br></br><br></br>
+        </li><li><b>Apache license.</b> You can confidently use Acegi Security in your project.<br></br><br></br></li></ul><br></br><b>
+      <hr></hr>
 
-      <CENTER>Project Resources</CENTER></B>
-      <HR>
-      <BR>
-      <CENTER>
-      <A href="http://forum.springframework.org/"><B>Support Forums</B></A><BR><BR>
-      <A href="mail-lists.html"><B>Developer Mailing List</B></A><BR><BR>
-      <A href="downloads.html"><B>Downloads</B></A>
-      </CENTER></FONT>
-</BODY></HTML>
+      </b><center><b>Project Resources</b></center></section><section name=""><br></br><center>
+      <a href="http://forum.springframework.org/"><b>Support Forums</b></a><br></br><br></br>
+      <a href="mail-lists.html"><b>Developer Mailing List</b></a><br></br><br></br>
+      <a href="downloads.html"><b>Downloads</b></a>
+      </center></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/petclinic-tutorial.html b/doc/xdocs/petclinic-tutorial.xml
similarity index 85%
rename from doc/xdocs/petclinic-tutorial.html
rename to doc/xdocs/petclinic-tutorial.xml
index ab5c0bb49c..5b6a83bc42 100644
--- a/doc/xdocs/petclinic-tutorial.html
+++ b/doc/xdocs/petclinic-tutorial.xml
@@ -1,222 +1,168 @@
-<html>
-<head>
-<title>Tutorial: Adding Security to Spring Petclinic</title>
-</head>
-
-<body>
-<h1>Tutorial: Adding Security to Spring Petclinic</h1>
-
-<h2>Preparation</h2>
-
-<p>To complete this tutorial, you will require a servlet container (such as Tomcat)
-and a general understanding of using Spring without Acegi Security. The Petclinic
-sample itself is part of Spring and should help you learn Spring. We suggest you
-only try to learn one thing at a time, and start with Spring/Petclinic before
-Acegi Security.
-</p>
-
-<p>
-You will also need to download:
-<ul>
-<li>Spring 2.0 with dependencies ZIP file</li>
-<li>Acegi Security 1.0.2</li>
-</ul>
-</p>
-
-<p>
-Unzip both files. After unzipping Acegi Security, you'll need to unzip the
-acegi-security-sample-tutorial.war file, because we need some files that are
-included within it. In the code below, we'll refer to the respective unzipped
-locations as %spring% and %acegi% (with the latter variable referring to the
-unzipped WAR, not the original ZIP). There is no need to setup any environment
-variables to complete the tutorial.
-</p>
-
-<h2>Add required Acegi Security files to Petclinic</h2>
-
-<p>
-We now need to put some extra files into Petclinic. The following commands should work:
-<pre>
-mkdir %spring%\samples\petclinic\war\WEB-INF\lib
-copy %acegi%\acegilogin.jsp %spring%\samples\petclinic\war
-copy %acegi%\accessDenied.jsp %spring%\samples\petclinic\war
-copy %acegi%\WEB-INF\users.properties %spring%\samples\petclinic\war\WEB-INF
-copy %acegi%\WEB-INF\applicationContext-acegi-security.xml %spring%\samples\petclinic\war\WEB-INF
-copy %acegi%\WEB-INF\lib\acegi-security-1.0.0.jar %spring%\samples\petclinic\war\WEB-INF\lib
-copy %acegi%\WEB-INF\lib\oro-2.0.8.jar %spring%\samples\petclinic\war\WEB-INF\lib
-copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WEB-INF\lib
-</pre>
-</p>
-
-<h2>Configure Petclinic's files</h2>
-
-<p>Edit %spring%\samples\petclinic\war\WEB-INF\web.xml and insert the following block of code.
-<pre>
-&lt;filter&gt;
-  &lt;filter-name&gt;Acegi Filter Chain Proxy&lt;/filter-name&gt;
-  &lt;filter-class&gt;org.acegisecurity.util.FilterToBeanProxy&lt;/filter-class&gt;
-  &lt;init-param&gt;
-    &lt;param-name&gt;targetClass&lt;/param-name&gt;
-    &lt;param-value&gt;org.acegisecurity.util.FilterChainProxy&lt;/param-value&gt;
-  &lt;/init-param&gt;
-&lt;/filter&gt;
-
-&lt;filter-mapping&gt;
-  &lt;filter-name&gt;Acegi Filter Chain Proxy&lt;/filter-name&gt;
-  &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
-&lt;/filter-mapping&gt;
-</pre>
-Next, locate the "contextConfigLocation" parameter, and add a new line into the existing param-value.
-The resulting block will look like this:
-<pre>
-&lt;context-param&gt;
-  &lt;param-name&gt;contextConfigLocation&lt;/param-name&gt;
-  &lt;param-value&gt;
-    /WEB-INF/applicationContext-jdbc.xml
-    /WEB-INF/applicationContext-acegi-security.xml
-  &lt;/param-value&gt;
-&lt;/context-param&gt;
-</pre>
-</p>
-
-<p>
-To make it easier to experiment with the application, now edit
-%spring%\samples\petclinic\war\WEB-INF\jsp\footer.jsp. Add a new "logout" link, as shown:
-<pre>
-&lt;table style="width:100%"&gt;&lt;tr&gt;
-  &lt;td&gt;&lt;A href="&lt;c:url value="/welcome.htm"/&gt;"&gt;Home&lt;/A&gt;&lt;/td&gt;
-  &lt;td&gt;&lt;A href="&lt;c:url value="/j_acegi_logout"/&gt;"&gt;Logout&lt;/A&gt;&lt;/td&gt;
-  &lt;td style="text-align:right;color:silver"&gt;PetClinic :: a Spring Framework demonstration&lt;/td&gt;
-&lt;/tr&gt;&lt;/table&gt;
-</pre>
-</p>
-
-<p>
-Our last step is to specify which URLs require authorization and which do not. Let's
-edit %spring%\samples\petclinic\war\WEB-INF\applicationContext-acegi-security.xml.
-Locate the bean definition for FilterSecurityInterceptor. Edit its objectDefinitionSource
-property so that it reflects the following:
-<pre>
-&lt;property name="objectDefinitionSource"&gt;
-  &lt;value&gt;
-    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
-    PATTERN_TYPE_APACHE_ANT
-    /acegilogin.jsp=IS_AUTHENTICATED_ANONYMOUSLY
-    /**=IS_AUTHENTICATED_REMEMBERED
-  &lt;/value&gt;
-&lt;/property&gt;
-</pre>
-</p>
-
-<h2>Start Petclinic's database</h2>
-
-<p>Start the Hypersonic server (this is just normal Petclinic configuration):
-<pre>
-cd %spring%\samples\petclinic\db\hsqldb
-server
-</pre>
-</p>
-
-<p>
-Insert some data (again, normal Petclinic configuration):
-<pre>
-cd %spring%\samples\petclinic
-build setupDB
-</pre>
-</p>
-
-
-<h2>Build and deploy the Petclinic WAR file</h2>
-
-<p>
-Use Petclinic's Ant build script and deploy to your servlet container:
-<pre>
-cd %spring%\samples\petclinic
-build warfile
-copy dist\petclinic.war %TOMCAT_HOME%\webapps
-</pre>
-</p>
-
-<p>Finally, start your container and try to visit the home page.
-Your request should be intercepted and you will be forced to login.</p>
-
-<h2>Optional Bonus: Securing the Middle Tier</h2>
-<p>
-Whilst you've now secured your web requests, you might want to stop users
-from being able to add clinic visits unless authorized. We'll make it so
-you need to hold ROLE_SUPERVISOR to add a clinic visit.
-</p>
-
-<p>
-In %spring%\samples\petclinic\war\WEB-INF\applicationContext-jdbc.xml, locate
-the TransactionProxyFactoryBean definition. Add an additional property after
-the existing "preInterceptors" property:
-<pre>
-&lt;property name="postInterceptors" ref="methodSecurityInterceptor"/&gt;
-</pre>
-</p>
-
-<p>
-Finally, we need to add in the referred-to "methodSecurityInterceptor" bean definition.
-So pop an extra bean definition in, as shown below:
-<pre>
-&lt;bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"&gt;
-  &lt;property name="authenticationManager"&gt;&lt;ref bean="authenticationManager"/&gt;&lt;/property&gt;
-  &lt;property name="accessDecisionManager"&gt;
-    &lt;bean class="org.acegisecurity.vote.AffirmativeBased"&gt;
-      &lt;property name="allowIfAllAbstainDecisions" value="false"/&gt;
-      &lt;property name="decisionVoters"&gt;
-        &lt;list&gt;
-          &lt;bean class="org.acegisecurity.vote.RoleVoter"/&gt;
-          &lt;bean class="org.acegisecurity.vote.AuthenticatedVoter"/&gt;
-        &lt;/list&gt;
-      &lt;/property&gt;
-    &lt;/bean&gt;
-  &lt;/property&gt;
-  &lt;property name="objectDefinitionSource"&gt;
-    &lt;value&gt;
-      org.springframework.samples.petclinic.Clinic.*=IS_AUTHENTICATED_REMEMBERED
-      org.springframework.samples.petclinic.Clinic.storeVisit=ROLE_SUPERVISOR
-    &lt;/value&gt;
-  &lt;/property&gt;
-&lt;/bean&gt;
-</pre>
-</p>
-
-<p>
-Redeploy your web application. Use the earlier process to do that. Be careful to
-ensure that the old Petclinic WAR is replaced by the new Petclinic WAR in your
-servlet container. Login as "marissa", who has ROLE_SUPERVISOR. You will be able to
-then view a customer and add a visit. Logout, then login as anyone other than Marissa.
-You will receive an access denied error when you attempt to add a visit.
-</p>
-
-<p>
-To clean things up a bit, you might want to wrap up by hiding the "add visit" link
-unless you are authorized to use it. Acegi Security provides a tag library to help
-you do that. Edit %spring%\samples\petclinic\war\WEB-INF\jsp\owner.jsp. Add
-the following line to the top of the file:
-<pre>
-&lt;%@ taglib prefix="authz" uri="http://acegisecurity.org/authz" %&gt;
-</pre>
-Next, scroll down and find the link to "add visit". Modify it as follows:
-<pre>
-&lt;authz:authorize ifAllGranted="ROLE_SUPERVISOR"&gt;
-  &lt;FORM method=GET action="&lt;c:url value="/addVisit.htm"/&gt;" name="formVisitPet&lt;c:out value="${pet.id}"/&gt;"&gt;
-  &lt;INPUT type="hidden" name="petId" value="&lt;c:out value="${pet.id}"/&gt;"/&gt;
-  &lt;INPUT type="submit" value="Add Visit"/&gt;
-  &lt;/FORM&gt;
-&lt;/authz:authorize&gt;          
-</pre>
-</p>
-
-<h2>What now?</h2>
-<p>
-These steps can be applied to your own application. Although we do suggest
-that you visit <a href="http://acegisecurity.org">http://acegisecurity.org</a>
-and in particular review the "Suggested Steps" for getting started with Acegi
-Security. The suggested steps are optimized for learning Acegi Security quickly
-and applying it to your own projects. It also includes realistic time estimates
-for each step so you can plan your integration activities.</p>
-</body>
-</html>
\ No newline at end of file
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Tutorial: Adding Security to Spring Petclinic</title></properties><body><section name="Tutorial: Adding Security to Spring Petclinic"><subsection name="Preparation"><p>To complete this tutorial, you will require a servlet container (such as Tomcat)
+and a general understanding of using Spring without Acegi Security. The Petclinic
+sample itself is part of Spring and should help you learn Spring. We suggest you
+only try to learn one thing at a time, and start with Spring/Petclinic before
+Acegi Security.
+</p><p>
+You will also need to download:
+<ul>
+<li>Spring 2.0 with dependencies ZIP file</li>
+<li>Acegi Security 1.0.2</li>
+</ul>
+</p><p>
+Unzip both files. After unzipping Acegi Security, you'll need to unzip the
+acegi-security-sample-tutorial.war file, because we need some files that are
+included within it. In the code below, we'll refer to the respective unzipped
+locations as %spring% and %acegi% (with the latter variable referring to the
+unzipped WAR, not the original ZIP). There is no need to setup any environment
+variables to complete the tutorial.
+</p></subsection><subsection name="Add required Acegi Security files to Petclinic"><p>
+We now need to put some extra files into Petclinic. The following commands should work:
+<pre>
+mkdir %spring%\samples\petclinic\war\WEB-INF\lib
+copy %acegi%\acegilogin.jsp %spring%\samples\petclinic\war
+copy %acegi%\accessDenied.jsp %spring%\samples\petclinic\war
+copy %acegi%\WEB-INF\users.properties %spring%\samples\petclinic\war\WEB-INF
+copy %acegi%\WEB-INF\applicationContext-acegi-security.xml %spring%\samples\petclinic\war\WEB-INF
+copy %acegi%\WEB-INF\lib\acegi-security-1.0.0.jar %spring%\samples\petclinic\war\WEB-INF\lib
+copy %acegi%\WEB-INF\lib\oro-2.0.8.jar %spring%\samples\petclinic\war\WEB-INF\lib
+copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WEB-INF\lib
+</pre>
+</p></subsection><subsection name="Configure Petclinic&apos;s files"><p>Edit %spring%\samples\petclinic\war\WEB-INF\web.xml and insert the following block of code.
+<pre>
+&lt;filter&gt;
+  &lt;filter-name&gt;Acegi Filter Chain Proxy&lt;/filter-name&gt;
+  &lt;filter-class&gt;org.acegisecurity.util.FilterToBeanProxy&lt;/filter-class&gt;
+  &lt;init-param&gt;
+    &lt;param-name&gt;targetClass&lt;/param-name&gt;
+    &lt;param-value&gt;org.acegisecurity.util.FilterChainProxy&lt;/param-value&gt;
+  &lt;/init-param&gt;
+&lt;/filter&gt;
+
+&lt;filter-mapping&gt;
+  &lt;filter-name&gt;Acegi Filter Chain Proxy&lt;/filter-name&gt;
+  &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
+&lt;/filter-mapping&gt;
+</pre>
+Next, locate the "contextConfigLocation" parameter, and add a new line into the existing param-value.
+The resulting block will look like this:
+<pre>
+&lt;context-param&gt;
+  &lt;param-name&gt;contextConfigLocation&lt;/param-name&gt;
+  &lt;param-value&gt;
+    /WEB-INF/applicationContext-jdbc.xml
+    /WEB-INF/applicationContext-acegi-security.xml
+  &lt;/param-value&gt;
+&lt;/context-param&gt;
+</pre>
+</p><p>
+To make it easier to experiment with the application, now edit
+%spring%\samples\petclinic\war\WEB-INF\jsp\footer.jsp. Add a new "logout" link, as shown:
+<pre>
+&lt;table style="width:100%"&gt;&lt;tr&gt;
+  &lt;td&gt;&lt;A href="&lt;c:url value="/welcome.htm"/&gt;"&gt;Home&lt;/A&gt;&lt;/td&gt;
+  &lt;td&gt;&lt;A href="&lt;c:url value="/j_acegi_logout"/&gt;"&gt;Logout&lt;/A&gt;&lt;/td&gt;
+  &lt;td style="text-align:right;color:silver"&gt;PetClinic :: a Spring Framework demonstration&lt;/td&gt;
+&lt;/tr&gt;&lt;/table&gt;
+</pre>
+</p><p>
+Our last step is to specify which URLs require authorization and which do not. Let's
+edit %spring%\samples\petclinic\war\WEB-INF\applicationContext-acegi-security.xml.
+Locate the bean definition for FilterSecurityInterceptor. Edit its objectDefinitionSource
+property so that it reflects the following:
+<pre>
+&lt;property name="objectDefinitionSource"&gt;
+  &lt;value&gt;
+    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
+    PATTERN_TYPE_APACHE_ANT
+    /acegilogin.jsp=IS_AUTHENTICATED_ANONYMOUSLY
+    /**=IS_AUTHENTICATED_REMEMBERED
+  &lt;/value&gt;
+&lt;/property&gt;
+</pre>
+</p></subsection><subsection name="Start Petclinic&apos;s database"><p>Start the Hypersonic server (this is just normal Petclinic configuration):
+<pre>
+cd %spring%\samples\petclinic\db\hsqldb
+server
+</pre>
+</p><p>
+Insert some data (again, normal Petclinic configuration):
+<pre>
+cd %spring%\samples\petclinic
+build setupDB
+</pre>
+</p></subsection><subsection name="Build and deploy the Petclinic WAR file"><p>
+Use Petclinic's Ant build script and deploy to your servlet container:
+<pre>
+cd %spring%\samples\petclinic
+build warfile
+copy dist\petclinic.war %TOMCAT_HOME%\webapps
+</pre>
+</p><p>Finally, start your container and try to visit the home page.
+Your request should be intercepted and you will be forced to login.</p></subsection><subsection name="Optional Bonus: Securing the Middle Tier"><p>
+Whilst you've now secured your web requests, you might want to stop users
+from being able to add clinic visits unless authorized. We'll make it so
+you need to hold ROLE_SUPERVISOR to add a clinic visit.
+</p><p>
+In %spring%\samples\petclinic\war\WEB-INF\applicationContext-jdbc.xml, locate
+the TransactionProxyFactoryBean definition. Add an additional property after
+the existing "preInterceptors" property:
+<pre>
+&lt;property name="postInterceptors" ref="methodSecurityInterceptor"/&gt;
+</pre>
+</p><p>
+Finally, we need to add in the referred-to "methodSecurityInterceptor" bean definition.
+So pop an extra bean definition in, as shown below:
+<pre>
+&lt;bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"&gt;
+  &lt;property name="authenticationManager"&gt;&lt;ref bean="authenticationManager"/&gt;&lt;/property&gt;
+  &lt;property name="accessDecisionManager"&gt;
+    &lt;bean class="org.acegisecurity.vote.AffirmativeBased"&gt;
+      &lt;property name="allowIfAllAbstainDecisions" value="false"/&gt;
+      &lt;property name="decisionVoters"&gt;
+        &lt;list&gt;
+          &lt;bean class="org.acegisecurity.vote.RoleVoter"/&gt;
+          &lt;bean class="org.acegisecurity.vote.AuthenticatedVoter"/&gt;
+        &lt;/list&gt;
+      &lt;/property&gt;
+    &lt;/bean&gt;
+  &lt;/property&gt;
+  &lt;property name="objectDefinitionSource"&gt;
+    &lt;value&gt;
+      org.springframework.samples.petclinic.Clinic.*=IS_AUTHENTICATED_REMEMBERED
+      org.springframework.samples.petclinic.Clinic.storeVisit=ROLE_SUPERVISOR
+    &lt;/value&gt;
+  &lt;/property&gt;
+&lt;/bean&gt;
+</pre>
+</p><p>
+Redeploy your web application. Use the earlier process to do that. Be careful to
+ensure that the old Petclinic WAR is replaced by the new Petclinic WAR in your
+servlet container. Login as "marissa", who has ROLE_SUPERVISOR. You will be able to
+then view a customer and add a visit. Logout, then login as anyone other than Marissa.
+You will receive an access denied error when you attempt to add a visit.
+</p><p>
+To clean things up a bit, you might want to wrap up by hiding the "add visit" link
+unless you are authorized to use it. Acegi Security provides a tag library to help
+you do that. Edit %spring%\samples\petclinic\war\WEB-INF\jsp\owner.jsp. Add
+the following line to the top of the file:
+<pre>
+&lt;%@ taglib prefix="authz" uri="http://acegisecurity.org/authz" %&gt;
+</pre>
+Next, scroll down and find the link to "add visit". Modify it as follows:
+<pre>
+&lt;authz:authorize ifAllGranted="ROLE_SUPERVISOR"&gt;
+  &lt;FORM method=GET action="&lt;c:url value="/addVisit.htm"/&gt;" name="formVisitPet&lt;c:out value="${pet.id}"/&gt;"&gt;
+  &lt;INPUT type="hidden" name="petId" value="&lt;c:out value="${pet.id}"/&gt;"/&gt;
+  &lt;INPUT type="submit" value="Add Visit"/&gt;
+  &lt;/FORM&gt;
+&lt;/authz:authorize&gt;          
+</pre>
+</p></subsection><subsection name="What now?"><p>
+These steps can be applied to your own application. Although we do suggest
+that you visit <a href="http://acegisecurity.org">http://acegisecurity.org</a>
+and in particular review the "Suggested Steps" for getting started with Acegi
+Security. The suggested steps are optimized for learning Acegi Security quickly
+and applying it to your own projects. It also includes realistic time estimates
+for each step so you can plan your integration activities.</p></subsection></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/policies.html b/doc/xdocs/policies.xml
similarity index 79%
rename from doc/xdocs/policies.html
rename to doc/xdocs/policies.xml
index 252d009aad..69f9b4f82b 100644
--- a/doc/xdocs/policies.html
+++ b/doc/xdocs/policies.xml
@@ -1,38 +1,9 @@
-<!--
- * ========================================================================
- * 
- * Copyright 2005 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * 
- * ========================================================================
--->
-
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-
-<head>
-<title>Project Policies and Procedures</title>
-<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-</head>
-
-<body>
-  <h1>Project Policies and Procedures Version 1.0</h1>
-  <p>The following policies and procedures are intended to ensure that Acegi Security will
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Project Policies and Procedures</title></properties><body><section name="Project Policies and Procedures Version 1.0"><p>The following policies and procedures are intended to ensure that Acegi Security will
   continue to achieve its project objectives and support the community in the context of an
   expanding development team.
   
-  <p>
+  </p><p>
   The following was unanimously supported by the community supporting following
   <a href="http://www.mail-archive.com/acegisecurity-developer%40lists.sourceforge.net/msg01174.html">discussion</a>
   on acegisecurity-developer. The policies and procedures below represent version 1.0
@@ -40,92 +11,93 @@
   <ul type="1">
   
     <li>
-    This project uses <a href="http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040">JIRA</a>. Please log a task in JIRA for any changes you make to SVN, with the exception of very minor changes that users are unlikely to ever be interested in searching for and/or the change affects code that has never been in an officially released version of the project (eg ongoing changes to a new feature in SVN HEAD that hasn't been released previously).<br><br>
+    This project uses <a href="http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040">JIRA</a>. Please log a task in JIRA for any changes you make to SVN, with the exception of very minor changes that users are unlikely to ever be interested in searching for and/or the change affects code that has never been in an officially released version of the project (eg ongoing changes to a new feature in SVN HEAD that hasn't been released previously).<br></br><br></br>
 	</li>
 	
 	<li>
-	Any users running from SVN HEAD are warmly encouraged to <a href="http://lists.sourceforge.net/mailman/listinfo/acegisecurity-cvs">join acegisecurity-cvs</a> so that they can keep an eye on commit comments. Developers are encouraged to join acegisecurity-cvs and read the commit comments. If anyone has a concern with any commit, please raise it on <a href="http://lists.sourceforge.net/mailman/listinfo/acegisecurity-developer">acegisecurity-developer</a> so that the broader community can participate (not acegisecurity-cvs). Alternatively, contact the author of the change directly if you think that would be more appropriate or diplomatic.<br><br>
+	Any users running from SVN HEAD are warmly encouraged to <a href="http://lists.sourceforge.net/mailman/listinfo/acegisecurity-cvs">join acegisecurity-cvs</a> so that they can keep an eye on commit comments. Developers are encouraged to join acegisecurity-cvs and read the commit comments. If anyone has a concern with any commit, please raise it on <a href="http://lists.sourceforge.net/mailman/listinfo/acegisecurity-developer">acegisecurity-developer</a> so that the broader community can participate (not acegisecurity-cvs). Alternatively, contact the author of the change directly if you think that would be more appropriate or diplomatic.<br></br><br></br>
 	</li>
 	
 	<li>
-	Please make your commit comments informative, yet not too detailed. Detailed comments are ideally placed in the JIRA task. In the case of a contribution by a non-developer, please use the SVN commits to reflect who provided the contribution and add that person's name to /project.xml in the contributors section. If the contributors section does not list the name of someone who has contributed accepted code, please add them or let me know so that I can do so.<br><br>
+	Please make your commit comments informative, yet not too detailed. Detailed comments are ideally placed in the JIRA task. In the case of a contribution by a non-developer, please use the SVN commits to reflect who provided the contribution and add that person's name to /project.xml in the contributors section. If the contributors section does not list the name of someone who has contributed accepted code, please add them or let me know so that I can do so.<br></br><br></br>
 	</li>
 	
 	<li>
-	If you add a major new feature, please announce it on acegisecurity-developer. That way people using the project have an idea of what is coming up in the next release, and any implementation-specific comments can be received prior to the first release when users will start expecting some degree of consistency and stability. It also encourages people to try out your new feature.<br><br>
+	If you add a major new feature, please announce it on acegisecurity-developer. That way people using the project have an idea of what is coming up in the next release, and any implementation-specific comments can be received prior to the first release when users will start expecting some degree of consistency and stability. It also encourages people to try out your new feature.<br></br><br></br>
 	</li>
 	
 	<li>
-	Please make sure /docs/xdocs/changes.xml has a reference to JIRA for the upcoming release version.  You don't need to add the name of contributors to /doc/xdocs/changes.xml, as acknowledgement is already provided via /project.xml, source code @author tags, the SVN commit message, and typically a JIRA task.<br><br>
+	Please make sure /docs/xdocs/changes.xml has a reference to JIRA for the upcoming release version.  You don't need to add the name of contributors to /doc/xdocs/changes.xml, as acknowledgement is already provided via /project.xml, source code @author tags, the SVN commit message, and typically a JIRA task.<br></br><br></br>
 	</li>
 	
 	<li>
-	Please edit /docs/xdocs/upgrade/upgrade-xx-yy.html if you make a change that is significant and you think users who are upgrading should be aware of it. Equally, users are encouraged to consult the upgrade-xx-yy.html file before they deploy subsequent official release JARs.<br><br>
+	Please edit /docs/xdocs/upgrade/upgrade-xx-yy.html if you make a change that is significant and you think users who are upgrading should be aware of it. Equally, users are encouraged to consult the upgrade-xx-yy.html file before they deploy subsequent official release JARs.<br></br><br></br>
 	</li>
 	
 	<li>
-	Please use Jalopy with the /jalopy.xml file to format your Java code before checkin. This keeps our code consistent and ensures the license message is correct. There are plugins for all major IDEs.<br><br>
+	Please use Jalopy with the /jalopy.xml file to format your Java code before checkin. This keeps our code consistent and ensures the license message is correct. There are plugins for all major IDEs.<br></br><br></br>
 	</li>
 	
 	<li>
-	The /sandbox can be used to obtain feedback from fellow developers and the community about your code, general approach or new ideas. If you have SVN rights, please use /sandbox instead of emailing ZIP files to other developers for feedback. The community should understand that code in the sandbox is unsupported, subject to refactoring, may not have any unit tests, and may be removed at any time. The /sandbox will never be included in official release ZIPs. It's a "scratching pad" only.<br><br>
+	The /sandbox can be used to obtain feedback from fellow developers and the community about your code, general approach or new ideas. If you have SVN rights, please use /sandbox instead of emailing ZIP files to other developers for feedback. The community should understand that code in the sandbox is unsupported, subject to refactoring, may not have any unit tests, and may be removed at any time. The /sandbox will never be included in official release ZIPs. It's a "scratching pad" only.<br></br><br></br>
 	</li>
 	
 	<li>
-	Unit tests are important to any security project, and we have a good history of high coverage. You can view the <a href="http://acegisecurity.sourceforge.net/multiproject/acegi-security/clover/index.html">latest coverage report</a> online (rebuilt every 24 hours). Please keep an eye on coverage and don't hesitate to add more unit tests. Please do not check code into /core unless it has at least an exercising unit test - use the /sandbox instead.<br><br>
+	Unit tests are important to any security project, and we have a good history of high coverage. You can view the <a href="http://acegisecurity.sourceforge.net/multiproject/acegi-security/clover/index.html">latest coverage report</a> online (rebuilt every 24 hours). Please keep an eye on coverage and don't hesitate to add more unit tests. Please do not check code into /core unless it has at least an exercising unit test - use the /sandbox instead.<br></br><br></br>
 	</li>
 	
 	<li>
-	Never check in code if the unit tests fail. This means, at minimum, successfully running "maven test:test" from /core. Always name your unit test classes so they end in "*Tests" - this ensures that Maven picks them up. If there is code in SVN which you didn't write and it is breaking the unit tests, please correct it yourself - don't leave SVN "broken" whilst waiting for the responsible developer to address it (the delay causes confusing and long-running threads on the list and forum). You can always rollback to the previous working version if in doubt of how the class works (just remember to comment the commit appropriately and let the author know).<br><br>
+	Never check in code if the unit tests fail. This means, at minimum, successfully running "maven test:test" from /core. Always name your unit test classes so they end in "*Tests" - this ensures that Maven picks them up. If there is code in SVN which you didn't write and it is breaking the unit tests, please correct it yourself - don't leave SVN "broken" whilst waiting for the responsible developer to address it (the delay causes confusing and long-running threads on the list and forum). You can always rollback to the previous working version if in doubt of how the class works (just remember to comment the commit appropriately and let the author know).<br></br><br></br>
 	</li>
 	
 	<li>
-	Please update the reference guide and JavaDocs for any new major features. The JavaDocs should always be correct. The reference guide may be kept updated with less rigor, although please briefly discuss any major new features. <a href="http://www.xmlmind.com/xmleditor/">XMLmind</a> can be used if you don't have a DocBook editor.<br><br>
+	Please update the reference guide and JavaDocs for any new major features. The JavaDocs should always be correct. The reference guide may be kept updated with less rigor, although please briefly discuss any major new features. <a href="http://www.xmlmind.com/xmleditor/">XMLmind</a> can be used if you don't have a DocBook editor.<br></br><br></br>
 	</li>
 	
 	<li>
-	Developers please keep an eye on the <a href="http://forum.springframework.org">Acegi Security forum</a>. It's a very active forum, and it takes a lot of work if not shared around. Please don't hesitate to reply to users - I try to read every thread and correct/confirm the situation if someone mentions they're unsure. I also will generally send developers an email if there's a question I can't answer as I didn't write the code.<br><br>
+	Developers please keep an eye on the <a href="http://forum.springframework.org">Acegi Security forum</a>. It's a very active forum, and it takes a lot of work if not shared around. Please don't hesitate to reply to users - I try to read every thread and correct/confirm the situation if someone mentions they're unsure. I also will generally send developers an email if there's a question I can't answer as I didn't write the code.<br></br><br></br>
 	</li>
 	
 	<li>
-	In the future, I will put to vote any proposed new developers. New developers will be firstly encouraged to attach patches to JIRA tasks to illustrate their understanding of the project, or, if they're long-time users, they might be given access without this JIRA stage if they're undertaking a major new feature.<br><br>
+	In the future, I will put to vote any proposed new developers. New developers will be firstly encouraged to attach patches to JIRA tasks to illustrate their understanding of the project, or, if they're long-time users, they might be given access without this JIRA stage if they're undertaking a major new feature.<br></br><br></br>
 	</li>
 	
 	<li>
-	Developers should be subscribed to acegisecurity-developer. Obviously it would take significant time to read every thread, but reading the high priority messages (as indicated by the subject line) is needed to ensure we all have a way of communicating.<br><br>
+	Developers should be subscribed to acegisecurity-developer. Obviously it would take significant time to read every thread, but reading the high priority messages (as indicated by the subject line) is needed to ensure we all have a way of communicating.<br></br><br></br>
 	</li>
 	
 	<li>
-	Please do not hesitate to assign yourself any JIRA task that is unassigned, or assigned to me and not in the "In Progress" status. Also feel free to approach fellow developers to volunteer to work on tasks they might be assigned but haven't started.<br><br>
+	Please do not hesitate to assign yourself any JIRA task that is unassigned, or assigned to me and not in the "In Progress" status. Also feel free to approach fellow developers to volunteer to work on tasks they might be assigned but haven't started.<br></br><br></br>
 	</li>
 	
 	<li>
-	 No code in SVN is "sacred". If you have a good idea or refactoring for an area of code that someone else wrote, raise it on acegisecurity-developer or contact the author directly. Please don't commit changes to such code unless it is a unit test failure correction, or you've firstly raised it on the acegisecurity-developer list or directly with the author.<br><br>
+	 No code in SVN is "sacred". If you have a good idea or refactoring for an area of code that someone else wrote, raise it on acegisecurity-developer or contact the author directly. Please don't commit changes to such code unless it is a unit test failure correction, or you've firstly raised it on the acegisecurity-developer list or directly with the author.<br></br><br></br>
 	</li>
 	
 	<li>
-	People's priorities are ever-changing, and we're all short on time. For this reason it's perfectly understandable that over time developers will move on to other things. This is not a negative reflection in any way - just part of any long-term project. If a developer no longer has the time or inclination to participate in the project , please send an email to acegisecurity-developer or myself. I will remove the SVN rights and reassign any JIRA tasks. Importantly, this helps find a new maintainer of the former developer's code (or, in very extreme cases, their code might be relocated to the sandbox or removed).<br><br>
+	People's priorities are ever-changing, and we're all short on time. For this reason it's perfectly understandable that over time developers will move on to other things. This is not a negative reflection in any way - just part of any long-term project. If a developer no longer has the time or inclination to participate in the project , please send an email to acegisecurity-developer or myself. I will remove the SVN rights and reassign any JIRA tasks. Importantly, this helps find a new maintainer of the former developer's code (or, in very extreme cases, their code might be relocated to the sandbox or removed).<br></br><br></br>
 	</li>
 	
 	<li>
-	Use CDATA inside XML files for multi-line properties. There is no tab/space policy for XML files, although try to maintain whatever the file is already using. The tab/space policy for Java files is managed by Jalopy.<br><br>
+	Use CDATA inside XML files for multi-line properties. There is no tab/space policy for XML files, although try to maintain whatever the file is already using. The tab/space policy for Java files is managed by Jalopy.<br></br><br></br>
 	</li>
 
 	<li>
-	Keep the warm community spirit. The Spring community is a nice place to be - especially compared with some of the other open source communities out there where people are abused, ignored, insulted or excluded. No policy or procedure (including those above) should ever compromise operating in a considerate and diplomatic manner that respects the dignity of each individual member of the community. If in doubt, please contact me directly first. If I am ever guilty of this, please let me know and I will correct myself.<br><br>
+	Keep the warm community spirit. The Spring community is a nice place to be - especially compared with some of the other open source communities out there where people are abused, ignored, insulted or excluded. No policy or procedure (including those above) should ever compromise operating in a considerate and diplomatic manner that respects the dignity of each individual member of the community. If in doubt, please contact me directly first. If I am ever guilty of this, please let me know and I will correct myself.<br></br><br></br>
 	</li>
 	
   </ul>
   
-  <p>Thanks for your help in connection with the above. If you have any suggestions for improving these
+  </p><p>Thanks for your help in connection with the above. If you have any suggestions for improving these
   policies and procedures, please use the acegisecurity-developer list to raise them.
   
-  <p>
-  Ben Alex<br>
+  </p><p>
+  Ben Alex<br></br>
   Project Admin
   
-  <p>
+  </p><p>
   $Id$
   
-</body>
-</html>
+
+
+</p></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/powering.html b/doc/xdocs/powering.xml
similarity index 54%
rename from doc/xdocs/powering.html
rename to doc/xdocs/powering.xml
index de2b4dbcdd..3d07aeaefd 100644
--- a/doc/xdocs/powering.html
+++ b/doc/xdocs/powering.xml
@@ -1,77 +1,38 @@
-<!--
- * ========================================================================
- * 
- * Copyright 2005 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * 
- * ========================================================================
--->
-
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-
-<head>
-<title>Products Using Acegi Security</title>
-<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-</head>
-
-<body>
-  <h1>Products Using Acegi Security</h1>
-  <p>Many open source and commercial products either use Acegi Security or at least
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Products Using Acegi Security</title></properties><body><section name="Products Using Acegi Security"><p>Many open source and commercial products either use Acegi Security or at least
 	  support it. Following is a partial list of such products. If you've integrated Acegi 
 	  Security with some other product, please let us know (preferably with a URL
 	  to some page explaining the integration/use)...
 	  
-  <h2>Out-Of-the-Box Supported by Acegi Security</h2>
-  <ul>
-    <li><b><a href="http://springframework.org/">Spring Framework</a></b>: J2EE abstraction framework.<br><br></li>
-    <li><b><a href="http://eclipse.org/aspectj/">AspectJ</a></b>: AOP framework.<br><br></li>
-    <li><b><a href="http://jcaptcha.sourceforge.net/">JCaptcha</a></b>: Detects human users.<br><br></li>
-    <li><b><a href="http://www.ja-sig.org/products/cas/">JA-SIG CAS</a></b>: Single Sign On system.<br><br></li>
-    <li><b><a href="http://www3.ca.com/Solutions/Product.asp?ID=5262">SiteMinder</a></b>: Single Sign On system.<br><br></li>
-  </ul>
-
-  <h2>Open Source Projects</h2>
-  <ul>
-    <li><b><a href="http://appfuse.org/">AppFuse</a></b>: Helps jump-start application development. <a href="http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuseSecurity">Integration details</a>.<br><br></li>
-    <li><b><a href="http://www.andromda.org">AndroMDA</a></b>: Code generation framework that uses model driven architecture (MDA). <a href="http://team.andromda.org/docs/andromda-spring-cartridge/howto8.html">Integration details</a>.<br><br></li>
-    <li><b><a href="http://mule.codehaus.org/">Mule</a></b>: Enterprise service bus (ESB) messaging framework. <a href="http://mule.codehaus.org/Acegi+Security">Integration details</a>.<br><br></li>
-    <li><b><a href="http://rollerweblogger.org">Roller</a></b>: Blog server. <a href="http://rollerweblogger.org/wiki/Wiki.jsp?page=Proposal_AcegiSecurity">Integration details</a>.<br><br></li>
-    <li><b><a href="http://getahead.ltd.uk/dwr/">DWR</a></b>: AJAX tool. <a href="http://getahead.ltd.uk/dwr/security">Integration details</a>.<br><br></li>
-    <li><b><a href="http://sourceforge.net/projects/oaj">OAJ (OpenAccountingJ)</a></b>: Replaces OpenAccounting PHP.<br><br></li>
-    <li><b><a href="http://oness.sourceforge.net/">ONESS</a></b>: Sample web application.<br><br></li>
-    <li><b><a href="http://sourceforge.net/projects/hispacta">HISPACTA</a></b>: Sample web application.<br><br></li>
-    <li><b><a href="https://atleap.dev.java.net/">Blandware AtLeap</a></b>: Multilingal free Java CMS.<br><br></li>
-    <li><b><a href="http://photostructure.com/">PhotoStructure</a></b>: A photo management solution.<br><br></li>
-    <li><b><a href="http://app.ess.ch/tudu/welcome.action">Tudu Lists</a></b>: AJAX and RSS powered to-do list manager.<br><br></li>
-    <li><b><a href="http://trails.dev.java.net/">Trails</a></b>: Native Java Ruby-On-Rails-like framework. <a href="http://os.inspiring.nl/confluence/display/trails/Using+Security">Integration details</a>.<br><br></li>
-    <li><b><a href="http://grails.codehaus.org/">Grails</a></b>: Native Java and Groovy Ruby-On-Rails-like framework. <a href="http://bbweblog.kevinhooke.com/BBWeblog/viewPost.do?entryID=803&instanceID=1&categoryID=111&action=detail">Integration details</a>.<br><br></li>
-    <li><b><a href="http://tapestry.apache.org/">Tapestry</a></b>: The original Java event-driven web framework. <a href="http://www.carmanconsulting.com/tapestry-acegi">Integration details</a>.<br><br></li>
-    <li><b><a href="http://jtrac.info/">JTrac</a></b>: A Java-based issue management system. <a href="http://jtrac.info/doc/html/faq.html">Integration details</a>.<br><br></li>
-    <li><b><a href="http://plazma.sourceforge.net/">Plazma</a></b>: Swing-based ERP and CRM system for SMEs.<br><br></li>
-    <li><b><a href="http://www.jasypt.org/">Jasypt</a></b>: Java encryption project. <a href="http://www.jasypt.org/faq.html#i-am-already-using-spring-security-for-encrypting-passwords">Integration details</a>.<br><br></li>
-  </ul>
-
-  <h2>Commercial Deployments</h2>
-  <ul>
-    <li>A global financial institution uses Acegi Security's SiteMinder integration in a physical security management application.<br><br></li>
-    <li>A central bank that uses Acegi Security for many of its internal applications with the CAS integration.<br><br></li>
-    <li>Several Australian Government departments use Acegi Security for securing SOAP-based web services and web applications.<br><br></li>
-    <li>Enterprise Systems and Services at Rutgers University uses Acegi Security in conjunction with JA-SIG Central Authentication Service to provide authentication and authorization capabilities to its applications including those used by staff and students as well as those utilized by web services.<br><br></li>
-	<li><a href="http://www.elasticpath.com/ecommerce/architecture/soa.jsp">Elastic Path</a> uses Acegi Security for security.<br><br></li>
-	<li>Plus many more... ;-)<br><br></li>
-  </ul>
-
-</body>
-</html>
+  </p><subsection name="Out-Of-the-Box Supported by Acegi Security"><ul>
+    <li><b><a href="http://springframework.org/">Spring Framework</a></b>: J2EE abstraction framework.<br></br><br></br></li>
+    <li><b><a href="http://eclipse.org/aspectj/">AspectJ</a></b>: AOP framework.<br></br><br></br></li>
+    <li><b><a href="http://jcaptcha.sourceforge.net/">JCaptcha</a></b>: Detects human users.<br></br><br></br></li>
+    <li><b><a href="http://www.ja-sig.org/products/cas/">JA-SIG CAS</a></b>: Single Sign On system.<br></br><br></br></li>
+    <li><b><a href="http://www3.ca.com/Solutions/Product.asp?ID=5262">SiteMinder</a></b>: Single Sign On system.<br></br><br></br></li>
+  </ul></subsection><subsection name="Open Source Projects"><ul>
+    <li><b><a href="http://appfuse.org/">AppFuse</a></b>: Helps jump-start application development. <a href="http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuseSecurity">Integration details</a>.<br></br><br></br></li>
+    <li><b><a href="http://www.andromda.org">AndroMDA</a></b>: Code generation framework that uses model driven architecture (MDA). <a href="http://team.andromda.org/docs/andromda-spring-cartridge/howto8.html">Integration details</a>.<br></br><br></br></li>
+    <li><b><a href="http://mule.codehaus.org/">Mule</a></b>: Enterprise service bus (ESB) messaging framework. <a href="http://mule.codehaus.org/Acegi+Security">Integration details</a>.<br></br><br></br></li>
+    <li><b><a href="http://rollerweblogger.org">Roller</a></b>: Blog server. <a href="http://rollerweblogger.org/wiki/Wiki.jsp?page=Proposal_AcegiSecurity">Integration details</a>.<br></br><br></br></li>
+    <li><b><a href="http://getahead.ltd.uk/dwr/">DWR</a></b>: AJAX tool. <a href="http://getahead.ltd.uk/dwr/security">Integration details</a>.<br></br><br></br></li>
+    <li><b><a href="http://sourceforge.net/projects/oaj">OAJ (OpenAccountingJ)</a></b>: Replaces OpenAccounting PHP.<br></br><br></br></li>
+    <li><b><a href="http://oness.sourceforge.net/">ONESS</a></b>: Sample web application.<br></br><br></br></li>
+    <li><b><a href="http://sourceforge.net/projects/hispacta">HISPACTA</a></b>: Sample web application.<br></br><br></br></li>
+    <li><b><a href="https://atleap.dev.java.net/">Blandware AtLeap</a></b>: Multilingal free Java CMS.<br></br><br></br></li>
+    <li><b><a href="http://photostructure.com/">PhotoStructure</a></b>: A photo management solution.<br></br><br></br></li>
+    <li><b><a href="http://app.ess.ch/tudu/welcome.action">Tudu Lists</a></b>: AJAX and RSS powered to-do list manager.<br></br><br></br></li>
+    <li><b><a href="http://trails.dev.java.net/">Trails</a></b>: Native Java Ruby-On-Rails-like framework. <a href="http://os.inspiring.nl/confluence/display/trails/Using+Security">Integration details</a>.<br></br><br></br></li>
+    <li><b><a href="http://grails.codehaus.org/">Grails</a></b>: Native Java and Groovy Ruby-On-Rails-like framework. <a href="http://bbweblog.kevinhooke.com/BBWeblog/viewPost.do?entryID=803&amp;instanceID=1&amp;categoryID=111&amp;action=detail">Integration details</a>.<br></br><br></br></li>
+    <li><b><a href="http://tapestry.apache.org/">Tapestry</a></b>: The original Java event-driven web framework. <a href="http://www.carmanconsulting.com/tapestry-acegi">Integration details</a>.<br></br><br></br></li>
+    <li><b><a href="http://jtrac.info/">JTrac</a></b>: A Java-based issue management system. <a href="http://jtrac.info/doc/html/faq.html">Integration details</a>.<br></br><br></br></li>
+    <li><b><a href="http://plazma.sourceforge.net/">Plazma</a></b>: Swing-based ERP and CRM system for SMEs.<br></br><br></br></li>
+    <li><b><a href="http://www.jasypt.org/">Jasypt</a></b>: Java encryption project. <a href="http://www.jasypt.org/faq.html#i-am-already-using-spring-security-for-encrypting-passwords">Integration details</a>.<br></br><br></br></li>
+  </ul></subsection><subsection name="Commercial Deployments"><ul>
+    <li>A global financial institution uses Acegi Security's SiteMinder integration in a physical security management application.<br></br><br></br></li>
+    <li>A central bank that uses Acegi Security for many of its internal applications with the CAS integration.<br></br><br></br></li>
+    <li>Several Australian Government departments use Acegi Security for securing SOAP-based web services and web applications.<br></br><br></br></li>
+    <li>Enterprise Systems and Services at Rutgers University uses Acegi Security in conjunction with JA-SIG Central Authentication Service to provide authentication and authorization capabilities to its applications including those used by staff and students as well as those utilized by web services.<br></br><br></br></li>
+	<li><a href="http://www.elasticpath.com/ecommerce/architecture/soa.jsp">Elastic Path</a> uses Acegi Security for security.<br></br><br></br></li>
+	<li>Plus many more... ;-)<br></br><br></br></li>
+  </ul></subsection></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/standalone.html b/doc/xdocs/standalone.xml
similarity index 61%
rename from doc/xdocs/standalone.html
rename to doc/xdocs/standalone.xml
index 831dcbfb99..9e8a3e293c 100644
--- a/doc/xdocs/standalone.html
+++ b/doc/xdocs/standalone.xml
@@ -1,58 +1,18 @@
-<!--
- * ========================================================================
- * 
- * Copyright 2005 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * 
- * ========================================================================
--->
-
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-
-<head>
-<title>Acegi Security Use Without Spring</title>
-<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-</head>
-
-<body>
-  <h1>Acegi Security Use Without Spring</h1>
-  
-  <h2>Introduction</h2>
-  <p>Sometimes we get asked can Acegi Security be used without Spring.
-  This page provides a detailed answer.</p>
-  
-  <h2>History</h2>
-  <p>Acegi Security started out as a method interceptor for Spring IoC container
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Acegi Security Use Without Spring</title></properties><body><section name="Acegi Security Use Without Spring"><subsection name="Introduction"><p>Sometimes we get asked can Acegi Security be used without Spring.
+  This page provides a detailed answer.</p></subsection><subsection name="History"><p>Acegi Security started out as a method interceptor for Spring IoC container
   managed beans. Typically such beans provide services layer functions.
   Over time Acegi Security grew to offer authentication services, <code>ThreadLocal</code> management,
   web request filtering, extra AOP support,
   ACL features, additional authentication mechanisms and so on (for those interested,
-  see our <a href="changes-report.html">change log</a>).</p>
-
-  <h2>Why Use Spring</h2>
-  <p>There's plenty written about why the
+  see our <a href="changes-report.html">change log</a>).</p></subsection><subsection name="Why Use Spring"><p>There's plenty written about why the
   <a href="http://www.springframework.org">Spring Framework</a> 
   is a good fit for modern applications. If you're not familiar with the benefits
   Spring offers, please take a few minutes to learn more about it. In numerous
   situations Spring will save you many months (or even years) of development time.
   Not to mention your solutions will be better architected
   (designed), better coded (implemented), and better supported (maintained) in the future.
-  </p>
-  
-  <h2>Acegi Security Dependencies on Spring</h2>
-  <p>Acegi Security relies on the Spring IoC container to wire its classes, and execute lifecycle
+  </p></subsection><subsection name="Acegi Security Dependencies on Spring"><p>Acegi Security relies on the Spring IoC container to wire its classes, and execute lifecycle
   methods such as <code>afterPropertiesSet()</code>. Some Acegi Security classes also 
   publish events to the <code>ApplicationContext</code>, although you could provide a mock
   implementation of <code>ApplicationContext</code> easily enough which no-ops the method.
@@ -60,9 +20,7 @@
   avoid its use by writing equivalent getter, setter and lifecycle invocation processes
   in standard Java code. This is a natural consequence of the Spring way of development,
   which emphasises framework independence (it is <i>not</i> because we think there are good
-  reasons people would <i>not</i> use Spring).</p>
-  
-  <p>If it sounds too hard (it's not) or counter-productive (it is) to replace Spring's IoC
+  reasons people would <i>not</i> use Spring).</p><p>If it sounds too hard (it's not) or counter-productive (it is) to replace Spring's IoC
   services, don't forget you can always deploy Acegi Security and the Spring
   IoC container solely for configuring Acegi Security. Spring does not mandate its
   use in every part of your application. It will work quite successfully doing nothing more than
@@ -70,9 +28,7 @@
   it's really no different than the traditional approach of every framework having its very
   own XML or other proprietary configuration system. The main difference is that Spring is an
   actual de facto standard, and you can gradually introduce it to other parts of your application
-  over time (if desired).</p>
-  
-  <p>Acegi Security does <i>not</i> use any other Spring capabilities. Most notably, the
+  over time (if desired).</p><p>Acegi Security does <i>not</i> use any other Spring capabilities. Most notably, the
   entire architecture is based around <code>Filter</code>s, not Spring's MVC framework.
   This allows it to be used with any MVC framework, or even with just straight JSPs.
   Acegi Security uses the AOP Alliance and AspectJ interfaces for method interception -
@@ -83,13 +39,12 @@
   even native Spring-powered applications for these to be re-implemented using the application's
   persistence framework of choice (eg Hibernate).
   
-  <h1>Conclusion</h1>
-  
-  <p>In summary, we recommend you take a look at Spring and consider using it in your
+  </p></subsection></section><section name="Conclusion"><p>In summary, we recommend you take a look at Spring and consider using it in your
   applications. Irrespective of whether you do so or not, we strongly recommend you use it
   for configuration and lifecycle management of Acegi Security. If that is also not desired,
   Acegi Security can easily be executed without Spring at all, providing you implement
   similar IoC services. Acegi Security has very minimal dependencies directly on Spring,
   with it being useful in many non-Spring applications and with non-Spring frameworks.
-</body>
-</html>
+
+
+</p></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/suggested.html b/doc/xdocs/suggested.xml
similarity index 74%
rename from doc/xdocs/suggested.html
rename to doc/xdocs/suggested.xml
index 4fd9f2aa9d..462ac943df 100644
--- a/doc/xdocs/suggested.html
+++ b/doc/xdocs/suggested.xml
@@ -1,51 +1,22 @@
-<!--
- * ========================================================================
- * 
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * 
- * ========================================================================
--->
-
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-
-<head>
-<title>Acegi Security Suggested Steps</title>
-<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-</head>
-
-<body>
-  <h1>Suggested Steps</h1>
-  <p>Presented below are the steps we encourage you to take in order to gain the most
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Acegi Security Suggested Steps</title></properties><body><section name="Suggested Steps"><p>Presented below are the steps we encourage you to take in order to gain the most
   out of Acegi Security in a realistic timeframe.
   <ol>
     <li>
     First of all, deploy the "Tutorial Sample", which is included in the main distribution
     ZIP file. The sample doesn't do a great deal, but it does give you a template that can
-    be quickly and easily used to integrate into your own project.<br><br>
+    be quickly and easily used to integrate into your own project.<br></br><br></br>
 
-	Estimated time: 30 minutes.<br><br>
+	Estimated time: 30 minutes.<br></br><br></br>
 	</li>
 	
     <li>
     Next, follow the <a href="petclinic-tutorial.html">Petclinic tutorial</a>, which
     covers how to add Acegi Security to the commonly-used Petclinic sample application
     that ships with Spring. This will give you a hands-on approach to integrating
-    Acegi Security into your own application.<br><br>
+    Acegi Security into your own application.<br></br><br></br>
 
-	Estimated time: 1 hour.<br><br>
+	Estimated time: 1 hour.<br></br><br></br>
 	</li>
 	
 	<li>
@@ -54,9 +25,9 @@
 	defined in the "Tutorial Sample" and understand their main purpose within the overall
 	framework. Once you understand this, you'll have no difficulty moving on to more
 	complex examples. You can also experiment in the Petclinic tutorial that you
-	implemented in the last step.<br><br>
+	implemented in the last step.<br></br><br></br>
 
-	Estimated time: 1 day.<br><br>
+	Estimated time: 1 day.<br></br><br></br>
 	</li>
 	
 	<li>
@@ -65,11 +36,11 @@
 	as your basis (now that you understand how it works). Those with more complicated
 	requirements should review the "Contacts Sample" application.
 	This will probably involve deploying <code>acegi-security-sample-contacts-filter.war</code>,
-	which is also included in the release ZIP file.<br><br>
+	which is also included in the release ZIP file.<br></br><br></br>
 	
 	The purpose of understanding the "Contacts Sample" is to get a better feel for how method
 	security is implemented, particularly with domain object access control lists. This will
-	really round-out the rest of the framework for you.<br><br>
+	really round-out the rest of the framework for you.<br></br><br></br>
 	
 	The actual <a target="_blank" class="newWindow" href="multiproject/acegi-security-sample-contacts/xref/index.html">java code</a>
 	is a completely standard Spring application, except <code>ContactManagerBackend</code>
@@ -84,24 +55,24 @@
 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/filter/WEB-INF/web.xml?view=auto">web.xml</a> (from the filter webapp).
 	The XML definitions are comprehensively discussed in the
 	<a href="reference.html">Reference Guide</a>.
-	<br><br>
+	<br></br><br></br>
 		
 	Please note the release ZIP files do not include the sample application Java source code. You
-	will need to download from SVN if you would like to access the Java sources.<br><br>
+	will need to download from SVN if you would like to access the Java sources.<br></br><br></br>
 	
-	Estimated time: 1-2 days.<br><br>
+	Estimated time: 1-2 days.<br></br><br></br>
 	</li>
 	
 	<li>By now you will have a good grasp on how Acegi Security works, and all that is left to
 	do is design your own application's implementation.
-	<br><br>
+	<br></br><br></br>
 		
 	We strongly recommend that you start your actual integration with the "Tutorial Sample".
 	Don't start by integrating with the "Contacts Sample", even if you have complex needs.
 	Most people reporting problems on the forums do so because of a configuration problem,
 	as they're trying to make far too many changes at once without really knowing what
 	they're doing. Instead, make changes one at a time, starting from the bare bones configuration
-	provided by the "Tutorial Sample".<br><br>
+	provided by the "Tutorial Sample".<br></br><br></br>
 	
 	If you've followed the steps above, and refer back to the 
 	<a href="reference.html">Reference Guide</a>, 
@@ -110,24 +81,25 @@
 	for help, you'll find it pretty easy to implement Acegi Security in your application.
 	Most importantly, you'll be using a security framework that offers you complete container
 	portability, flexibility, and community support - without needing to write and maintain your
-	own code.<br><br>
+	own code.<br></br><br></br>
+	
+	Estimated time: 1-5 days.<br></br><br></br>
 	
-	Estimated time: 1-5 days.<br><br>
-	</br>
 	</li>
 	
   </ol>
   
-  <p>Please note the time estimates are just that: estimates. They will vary considerably depending
+  </p><p>Please note the time estimates are just that: estimates. They will vary considerably depending
   on how much experience you have, particularly with Java and Spring. They will also vary depending
   on how complex your intended security-enabled application will be. Some people need to push the domain
   object instance access control list capabilities to the maximum, whilst others don't even need anything
   beyond web request security. The good thing is Acegi Security will either directly support your future
   needs, or provide a clearly-defined extension point for addressing them.
   
-  <p>
+  </p><p>
   We welcome your feedback about how long it has actually taken you to complete each step, so we
   can update this page and help new users better assess their project timetables in the future.
   Any other tips on what you found helpful in learning Acegi Security are also very welcome.
-</body>
-</html>
+
+
+</p></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/upgrade/upgrade-03-04.html b/doc/xdocs/upgrade/upgrade-03-04.xml
similarity index 80%
rename from doc/xdocs/upgrade/upgrade-03-04.html
rename to doc/xdocs/upgrade/upgrade-03-04.xml
index ceb66fe29d..71007bc590 100644
--- a/doc/xdocs/upgrade/upgrade-03-04.html
+++ b/doc/xdocs/upgrade/upgrade-03-04.xml
@@ -1,16 +1,10 @@
-<html>
-<head>
-<title>Acegi Security - Upgrading from version 0.3 to 0.4</title>
-</head>
-<body>
-<h1>Upgrading from 0.3 to 0.4</h1>
-
-<p>Several changes were made between version 0.3 and 0.4 of the project.
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Acegi Security - Upgrading from version 0.3 to 0.4</title></properties><body><section name="Upgrading from 0.3 to 0.4"><p>Several changes were made between version 0.3 and 0.4 of the project.
 These changes increased the modularity of the code, enhanced unit testing,
 made package roles clearer, and added compelling alternatives to container
 adapters and using web.xml security constraints to protect HTTP resources.
 
-<p>Unfortunately, changes to the API and package locations were required. The
+</p><p>Unfortunately, changes to the API and package locations were required. The
 following should help most casual users of the project update their
 applications:
 
@@ -34,20 +28,21 @@ applications:
   net.sf.acegisecurity.intercept.web package. This will give you considerably
   more flexibility, and reuse the same concepts as you'd be familiar with
   via the method security interception system. Refer to the reference
-  documentation or Contacts sample application.</li>
+  documentation or Contacts sample application.</security-constraint></li>
 
 <li>The Contacts sample application now builds two distributions: contacts.war
   can be instantly deployed without configuring any container adapters,
   whilst contacts-container-adapter.war still uses container adapters. The
   contacts.war uses the net.sf.acegisecurity.intercept.web package to
-  protect HTTP URLs, rather than web.xml <security-constraint>s.</li>
+  protect HTTP URLs, rather than web.xml <security-constraint>s.</security-constraint></li>
 
 <li>If you're using the Jetty container adapter, please check the jetty.xml
   requirements in the reference documentation. There has been a minor change.</li>
 </ul>
 
-<p>
+</p><p>
 We hope you find the new features useful in your projects.
 
-</body>
-</html>
+
+
+</p></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/upgrade/upgrade-04-05.html b/doc/xdocs/upgrade/upgrade-04-05.xml
similarity index 88%
rename from doc/xdocs/upgrade/upgrade-04-05.html
rename to doc/xdocs/upgrade/upgrade-04-05.xml
index 38c698d8d1..255a9c5bb6 100644
--- a/doc/xdocs/upgrade/upgrade-04-05.html
+++ b/doc/xdocs/upgrade/upgrade-04-05.xml
@@ -1,11 +1,5 @@
-<html>
-<head>
-<title>Acegi Security - Upgrading from version 0.4 to 0.5</title>
-</head>
-<body>
-<h1>Upgrading from 0.4 to 0.5</h1>
-
-<p>The following should help most casual users of the project update their
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Acegi Security - Upgrading from version 0.4 to 0.5</title></properties><body><section name="Upgrading from 0.4 to 0.5"><p>The following should help most casual users of the project update their
 applications:
 <ul>
 
@@ -48,12 +42,13 @@ applications:
   Please continue using the Spring Users mailing list for general support.</li>
 </ul>
 
-<p>
+</p><p>
 There are also lots of new features you might wish to consider for your
 projects. These include CAS integration, pluggable password encoders
 (such as MD5 and SHA), along with pluggable salt sources. We hope you find
 the new features useful in your projects.
 
 
-</body>
-</html>
+
+
+</p></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/upgrade/upgrade-05-06.html b/doc/xdocs/upgrade/upgrade-05-06.xml
similarity index 67%
rename from doc/xdocs/upgrade/upgrade-05-06.html
rename to doc/xdocs/upgrade/upgrade-05-06.xml
index d372ef4331..8348c29701 100644
--- a/doc/xdocs/upgrade/upgrade-05-06.html
+++ b/doc/xdocs/upgrade/upgrade-05-06.xml
@@ -1,11 +1,5 @@
-<html>
-<head>
-<title>Acegi Security - Upgrading from version 0.3 to 0.4</title>
-</head>
-<body>
-<h1>Upgrading from 0.5 to 0.6</h1>
-
-<p>
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Acegi Security - Upgrading from version 0.3 to 0.4</title></properties><body><section name="Upgrading from 0.5 to 0.6"><p>
 The following should help most casual users of the project update their
 applications:
 <ul>
@@ -21,31 +15,31 @@ Locate and remove all property references to
   By default DaoAuthenticationProvider returns an Authentication object
   containing the relevant User, which allows access to additional properties.
   Where possible, we recommend you change your code to something like this,
-  so that you can leave forcePrincipalAsString to the false default:<br><br>
+  so that you can leave forcePrincipalAsString to the false default:<br></br><br></br>
     <code>
-    String username = authentication.getPrincipal();<br>
-    if (authentication.getPrincipal() instanceof User) {<br>
-      username = ((User) authentication.getPrincipal()).getUsername();<br>
-    }</br>
-	</code><br>
+    String username = authentication.getPrincipal();<br></br>
+    if (authentication.getPrincipal() instanceof User) {<br></br>
+      username = ((User) authentication.getPrincipal()).getUsername();<br></br>
+    }
+	</code><br></br>
 </li>
 
 <li>The signature of AuthenticationDaos have changed. In concrete
-  implementations, modify the User to UserDetails, as shown below:<br><br>
+  implementations, modify the User to UserDetails, as shown below:<br></br><br></br>
     <code>
-    public User loadUserByUsername(String username)<br>
-        throws UsernameNotFoundException, DataAccessException {<br><br>
+    public User loadUserByUsername(String username)<br></br>
+        throws UsernameNotFoundException, DataAccessException {<br></br><br></br>
 
-    to:<br><br>
+    to:<br></br><br></br>
   
-    public UserDetails loadUserByUsername(String username)<br>
-        throws UsernameNotFoundException, DataAccessException {<br><br>
+    public UserDetails loadUserByUsername(String username)<br></br>
+        throws UsernameNotFoundException, DataAccessException {<br></br><br></br>
 	</code>
 
   Existing concrete implementations would be returning User, which implements
   UserDetails, so no further code changes should be required.
 </li>
-<li>Similar signature changes (User -> UserDetails) are also required to any
+<li>Similar signature changes (User -&gt; UserDetails) are also required to any
   custom implementations of UserCache and SaltSource.</li>
 
 <li>Any custom event listeners relying on AuthenticationEvent should note a
@@ -59,23 +53,24 @@ Locate and remove all property references to
   Previously this class was loaded directly by web.xml as a filter. It is
   now recommended to load it via FilterToBeanProxy and define it as a
   bean in your application context. This usually involves making the entry
-  in web.xml match the following:<br><br>
+  in web.xml match the following:<br></br><br></br>
   <code>
-    &lt;filter&gt;<br>
-        &lt;filter-name&gt;Acegi Security System for Spring Auto Integration Filter&lt;/filter-name&gt;<br>
-        &lt;filter-class&gt;net.sf.acegisecurity.util.FilterToBeanProxy&lt;/filter-class&gt;<br>
-        &lt;init-param&gt;<br>
-            &lt;param-name&gt;targetClass&lt;/param-name&gt;<br>
-            &lt;param-value&gt;net.sf.acegisecurity.ui.AutoIntegrationFilter&lt;/param-value&gt;<br>
-        &lt;/init-param&gt;<br>
-    &lt;/filter&gt;<br>
+    &lt;filter&gt;<br></br>
+        &lt;filter-name&gt;Acegi Security System for Spring Auto Integration Filter&lt;/filter-name&gt;<br></br>
+        &lt;filter-class&gt;net.sf.acegisecurity.util.FilterToBeanProxy&lt;/filter-class&gt;<br></br>
+        &lt;init-param&gt;<br></br>
+            &lt;param-name&gt;targetClass&lt;/param-name&gt;<br></br>
+            &lt;param-value&gt;net.sf.acegisecurity.ui.AutoIntegrationFilter&lt;/param-value&gt;<br></br>
+        &lt;/init-param&gt;<br></br>
+    &lt;/filter&gt;<br></br>
   </code>
-  <br><br>
-  Then add the following to applicationContext.xml:  <br><br>
+  <br></br><br></br>
+  Then add the following to applicationContext.xml:  <br></br><br></br>
   <code>
-  	&lt;bean id="autoIntegrationFilter" class="net.sf.acegisecurity.ui.AutoIntegrationFilter"/&gt;<br>
+  	&lt;bean id="autoIntegrationFilter" class="net.sf.acegisecurity.ui.AutoIntegrationFilter"/&gt;<br></br>
   </code>
 </li>
 </ul>
-</body>
-</html>
+
+
+</p></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/upgrade/upgrade-06-070.html b/doc/xdocs/upgrade/upgrade-06-070.xml
similarity index 93%
rename from doc/xdocs/upgrade/upgrade-06-070.html
rename to doc/xdocs/upgrade/upgrade-06-070.xml
index 717e338339..73bf74289b 100644
--- a/doc/xdocs/upgrade/upgrade-06-070.html
+++ b/doc/xdocs/upgrade/upgrade-06-070.xml
@@ -1,11 +1,5 @@
-<html>
-<head>
-<title>Acegi Security - Upgrading from version 0.6 to 0.7</title>
-</head>
-<body>
-<h1>Upgrading from 0.6 to 0.7.0</h1>
-
-<p>
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Acegi Security - Upgrading from version 0.6 to 0.7</title></properties><body><section name="Upgrading from 0.6 to 0.7.0"><p>
 The following should help most casual users of the project update their
 applications:
 <ul>
@@ -56,5 +50,6 @@ be correct.
 	Note the "cache" property is now required, and the old internally-managed
 	cache properties have been removed.</li>
 </ul>
-</body>
-</html>
+
+
+</p></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/upgrade/upgrade-070-080.html b/doc/xdocs/upgrade/upgrade-070-080.xml
similarity index 68%
rename from doc/xdocs/upgrade/upgrade-070-080.html
rename to doc/xdocs/upgrade/upgrade-070-080.xml
index cdf3c41b0a..2ce1289095 100644
--- a/doc/xdocs/upgrade/upgrade-070-080.html
+++ b/doc/xdocs/upgrade/upgrade-070-080.xml
@@ -1,11 +1,5 @@
-<html>
-<head>
-<title>Acegi Security - Upgrading from version 0.7.0 to 0.8.0</title>
-</head>
-<body>
-<h1>Upgrading from 0.7.0 to 0.8.0</h1>
-
-<p>
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Acegi Security - Upgrading from version 0.7.0 to 0.8.0</title></properties><body><section name="Upgrading from 0.7.0 to 0.8.0"><p>
 The following should help most casual users of the project update their
 applications:
 
@@ -13,34 +7,35 @@ applications:
 
     <li>HttpSessionIntegrationFilter has been removed. Use net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter instead. 
     Note you will need to set the mandatory "context" property to something like "net.sf.acegisecurity.context.security.SecureContextImpl".
-    It's not the default because we want no dependencies between the context package and the rest of Acegi Security.<br><br></li>
+    It's not the default because we want no dependencies between the context package and the rest of Acegi Security.<br></br><br></br></li>
     
 	<li>Filter ordering has changed. See the reference guide for confirmation of the correct ordering. Basically you should have
-	HttpSessionContextIntegrationFilter appear before any of your authentication mechanisms.<br><br></li>
+	HttpSessionContextIntegrationFilter appear before any of your authentication mechanisms.<br></br><br></br></li>
     
 	<li>IoC container hosted filter chains can now be used instead of lengthy web.xml declarations. See the reference guide or the
-	Contacts Sample for further information.<br><br></li>
+	Contacts Sample for further information.<br></br><br></br></li>
 
 	<li>Certain classes have been moved to new packages: ContextHolderAwareRequestWrapper (and its filter),
 	AuthenticationSimpleHttpInvokerRequestExecutor, ContextPropagatingRemoteInvocation,
 	SecureContext (and its implementation). These classes were moved as part of refactorings aimed at
-	improving the simplicity of the project's design.<br><br></li>
+	improving the simplicity of the project's design.<br></br><br></br></li>
 
 	<li>If you wish to use the new ConcurrentSessionController you must declare the HttpSessionEventPublisher context listener in your
-	web.xml<br><br></li>
+	web.xml<br></br><br></br></li>
 
     <li>The JaasAuthenticationCallbackHandler interface has had it's setAuthentication method removed.
-    The handle method now takes both the Callback and Authentication objects as arguments.<br><br></li>
+    The handle method now takes both the Callback and Authentication objects as arguments.<br></br><br></br></li>
     
-    <li>Added AuthenticationException to the AutenticationEntryPoint.commence method signature.<br><br></li>
+    <li>Added AuthenticationException to the AutenticationEntryPoint.commence method signature.<br></br><br></br></li>
     
-    <li>Added AccessDeniedException to the SecurityEncorcementFilter.sendAccessDeniedError method signature.<br><br></li>
+    <li>Added AccessDeniedException to the SecurityEncorcementFilter.sendAccessDeniedError method signature.<br></br><br></br></li>
 
     <li>The Authentication.getDetails() no longer returns simply the IP address used for authentication.
     It now returns a WebAuthenticationDetails instance, which contains the IP address, session information,
-    and can be extended to store further details.<br><br></li>
+    and can be extended to store further details.<br></br><br></br></li>
 
     </ul>
 
-</body>
-</html>
+
+
+</p></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/upgrade/upgrade-080-090.html b/doc/xdocs/upgrade/upgrade-080-090.xml
similarity index 67%
rename from doc/xdocs/upgrade/upgrade-080-090.html
rename to doc/xdocs/upgrade/upgrade-080-090.xml
index c8cd60efde..fc3271ecd1 100644
--- a/doc/xdocs/upgrade/upgrade-080-090.html
+++ b/doc/xdocs/upgrade/upgrade-080-090.xml
@@ -1,11 +1,5 @@
-<html>
-<head>
-<title>Acegi Security - Upgrading from version 0.8.0 to 0.9.0</title>
-</head>
-<body>
-<h1>Upgrading from 0.8.0 to 0.9.0</h1>
-
-<p>
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Acegi Security - Upgrading from version 0.8.0 to 0.9.0</title></properties><body><section name="Upgrading from 0.8.0 to 0.9.0"><p>
 The following should help most casual users of the project update their
 applications:
 
@@ -22,79 +16,80 @@ applications:
     SecurityContextHolder</a> and provides a single getter/setter for a
     <a href="../multiproject/acegi-security/xref/net/sf/acegisecurity/context/SecurityContextHolder.html">SecurityContext</a>.
     <code>SecurityContextHolder</code> guarantees to never return a <code>null</code> <code>SecurityContext</code>.
-    <code>SecurityContext</code> provides single getter/setter for <code>Authentication</code>.<BR><BR>
+    <code>SecurityContext</code> provides single getter/setter for <code>Authentication</code>.<br></br><br></br>
     
     To migrate, simply modify all your code that previously worked with <code>ContextHolder</code>,
     <code>SecureContext</code> and <code>Context</code> to directly call <code>SecurityContextHolder</code>
     and work with the <code>SecurityContext</code> (instead of the now removed <code>Context</code>
-    and <code>SecureContext</code> interfaces).<br><br>
+    and <code>SecureContext</code> interfaces).<br></br><br></br>
     
-    For example, change:<br>
+    For example, change:<br></br>
     <code>
-	SecureContext ctx = SecureContextUtils.getSecureContext();<br> 
+	SecureContext ctx = SecureContextUtils.getSecureContext();<br></br> 
 	</code>
-	to:<br>
+	to:<br></br>
     <code>
-	SecurityContext ctx = SecurityContextHolder.getContext();<br> 
+	SecurityContext ctx = SecurityContextHolder.getContext();<br></br> 
 	</code>
-	<br>
-    and change:<br>
+	<br></br>
+    and change:<br></br>
     <code>
-	&lt;bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter"><br> 
-        &lt;property name="context">&lt;value>net.sf.acegisecurity.context.security.SecureContextImpl&lt;/value>&lt;/property><br> 
-	&lt;/bean><br>
+	&lt;bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter"&gt;<br></br> 
+        &lt;property name="context"&gt;&lt;value&gt;net.sf.acegisecurity.context.security.SecureContextImpl&lt;/value&gt;&lt;/property&gt;<br></br> 
+	&lt;/bean&gt;<br></br>
 	</code>
-	to:<br>
+	to:<br></br>
     <code>
-	&lt;bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter"><br>
-        &lt;property name="context">&lt;value>net.sf.acegisecurity.context.SecurityContextImpl&lt;/value>&lt;/property><br>
-	&lt;/bean><br>
+	&lt;bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter"&gt;<br></br>
+        &lt;property name="context"&gt;&lt;value&gt;net.sf.acegisecurity.context.SecurityContextImpl&lt;/value&gt;&lt;/property&gt;<br></br>
+	&lt;/bean&gt;<br></br>
 	</code>
-	<br>
+	<br></br>
     
     We apologise for the inconvenience, but on a more positive note this means you receive strict
     type checking, you no longer need to mess around with casting to and from <code>Context</code>
     implementations, your applications no longer need to perform checking of <code>null</code> and
-    unexpected <code>Context</code> implementation types.<br><br></li>
+    unexpected <code>Context</code> implementation types.<br></br><br></br></li>
 
     <li><code>AbstractProcessingFilter</code> has changed its getter/setter approach used for customised
     authentication exception directions. See the <a href="../multiproject/acegi-security/xref/net/sf/acegisecurity/ui/AbstractProcessingFilter.html">
-    <code>AbstractProcessingFilter</code> JavaDocs</a> to learn more.<br><br></li>
+    <code>AbstractProcessingFilter</code> JavaDocs</a> to learn more.<br></br><br></br></li>
     
     <li><code>AnonymousProcessingFilter</code> now has a <code>removeAfterRequest</code> property, which defaults to <code>true</code>. This
     will cause the anonymous authentication token to be set to null at the end of each request, thus
     avoiding the expense of creating a <code>HttpSession</code> in <code>HttpSessionContextIntegrationFilter</code>. You may
     set this property to false if you would like the anoymous authentication token to be preserved,
-    which would be an unusual requirement.<br><br></li>
+    which would be an unusual requirement.<br></br><br></br></li>
     
 	<li>Event publishing has been refactored. New event classes have been added, and the location of
-	<code>LoggerListener</code> has changed. See the <code>net.sf.acegisecurity.event package</code>.<BR>
-	<br>
-    For example, change:<br>
+	<code>LoggerListener</code> has changed. See the <code>net.sf.acegisecurity.event package</code>.<br></br>
+	<br></br>
+    For example, change:<br></br>
     <code>
-	&lt;bean id="loggerListener" class="net.sf.acegisecurity.providers.dao.event.LoggerListener"/><br>
+	&lt;bean id="loggerListener" class="net.sf.acegisecurity.providers.dao.event.LoggerListener"/&gt;<br></br>
 	</code>
-	to:<br>
+	to:<br></br>
     <code>
-	&lt;bean id="loggerListener" class="net.sf.acegisecurity.event.authentication.LoggerListener"/> 
-	</code><br><br>	
+	&lt;bean id="loggerListener" class="net.sf.acegisecurity.event.authentication.LoggerListener"/&gt; 
+	</code><br></br><br></br>	
 	</li>
 		
-	<li>Users of the <code>&lt;authz:authentication></code> JSP tag will generally need to set the <code>operation</code>
-	property equal to "username", as reflection is now used to retrieve the property displayed.<br><br></li>
+	<li>Users of the <code>&lt;authz:authentication&gt;</code> JSP tag will generally need to set the <code>operation</code>
+	property equal to "username", as reflection is now used to retrieve the property displayed.<br></br><br></br></li>
 		
 	<li>
 	Users of <code>net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter</code> should note that it has been
-	renamed to <code>net.sf.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter</code>.<br><br>
+	renamed to <code>net.sf.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter</code>.<br></br><br></br>
 	</li>
 		
 	<li>
 	The concurrent session support handling has changed. Please refer to the Reference Guide to
-	review the new configuration requirements.<br><br>
+	review the new configuration requirements.<br></br><br></br>
 	</li>
 				
 		
     </ul>
 
-</body>
-</html>
+
+
+</p></section></body></document>
\ No newline at end of file
diff --git a/doc/xdocs/upgrade/upgrade-090-100.html b/doc/xdocs/upgrade/upgrade-090-100.xml
similarity index 90%
rename from doc/xdocs/upgrade/upgrade-090-100.html
rename to doc/xdocs/upgrade/upgrade-090-100.xml
index 93f82cf7ea..7b2d897653 100644
--- a/doc/xdocs/upgrade/upgrade-090-100.html
+++ b/doc/xdocs/upgrade/upgrade-090-100.xml
@@ -1,22 +1,8 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
-<html xmlns="http://www.w3.org/1999/xhtml">
-
-<head>
-<title>Acegi Security - Upgrading from version 0.8.0 to 1.0.0</title>
-</head>
-<body>
-<h1>Upgrading from 0.9.0 to 1.0.0</h1>
-
-<p>
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document><properties><title>Acegi Security - Upgrading from version 0.8.0 to 1.0.0</title></properties><body><section name="Upgrading from 0.9.0 to 1.0.0"><p>
 The following should help most casual users of the project update their
 applications:
-</p>
-
-<h1>Changes 0.9.0 to RC1</h1>
-
-<ul>
+</p></section><section name="Changes 0.9.0 to RC1"><ul>
 
 <li>The top level package name has changed. Simply find "net.sf.acegisecurity" and replace with
 "org.acegisecurity".</li>
@@ -46,13 +32,7 @@ you localise this file to another language, please consider attaching it to a
 <a href="http://opensource2.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040">new JIRA task</a>
 so that we can include it in future Acegi Security releases.</li>
 
-</ul>
-
-
-<h1>Changes RC1 to RC2</h1>
-
-
-<ul>
+</ul></section><section name="Changes RC1 to RC2"><ul>
 
 <li>
 org.acegisecurity.ui.rememberme.RememberMeProcessingFilter now requires an authenticationManager property. This will generally
@@ -86,13 +66,7 @@ method internally stores null, which helps avoids redeployment issue caused by t
 approaches (see SEC-159 for further details).
 </li>
 
-</ul>
-
-
-<h1>Changes RC2 to Final</h1>
-
-
-<ul>
+</ul></section><section name="Changes RC2 to Final"><ul>
 
 <li>
 AbstractProcessingFilter.onUnsuccessfulAuthentication(HttpServletRequest, HttpServletResponse)
@@ -115,7 +89,4 @@ instance. The LdapAuthoritiesPopulator interface and its default implementation
 LdapUserDetails. Any customized versions should be updated to use the new method signatures.
 </li>
 
-</ul>
-
-</body>
-</html>
+</ul></section></body></document>
\ No newline at end of file