diff --git a/docs/faq/src/docbook/faq.xml b/docs/faq/src/docbook/faq.xml
index 1ca985d076..66608408d4 100644
--- a/docs/faq/src/docbook/faq.xml
+++ b/docs/faq/src/docbook/faq.xml
@@ -260,6 +260,26 @@
Generally we would recommend applying method security at the
service layer rather than on individual web controllers.
+
+
+ Spring Security is creating a session somewhere, even though I've configured it not to,
+ by setting the create-session attribute to never.
+
+
+
+ This usually means that the user's application is creating a session somewhere,
+ but that they aren't aware of it. The most common culprit is a JSP. Many people aren't
+ aware that JSPs create sessions by default. To prevent a JSP from creating a session,
+ add the directive <%@ page session="false" %> to the top of the page.
+
+
+ If you are having trouble working out where a session is being created, you can add some
+ debugging code to track down the location(s). One way to do this would be to add a
+ javax.servlet.http.HttpSessionListener to your application, which
+ calls Thread.dumpStack() in the sessionCreated method.
+
+
+ Spring Security Architecture Questions
@@ -277,11 +297,13 @@
How do the namespace elements map to conventional bean
configurations?There is a general overview of what beans are created by the namespace
- in the namespace appendix of the reference guide. If want to know the full
- details then the code is in the spring-security-config
+ in the namespace appendix of the reference guide. There is also a detailed
+ blog article called Behind the Spring Security Namespace on
+ blog.springsource.com.
+ If want to know the full details then the code is in the spring-security-config
module within the Spring Security 3.0 distribution. You should probably read
the chapters on namespace parsing in the standard Spring Framework reference
- documentation first.
+ documentation first.
What does ROLE_ mean and why do I need it on my role names?
diff --git a/samples/runall.sh b/samples/runall.sh
index 784734b98d..aab851af29 100755
--- a/samples/runall.sh
+++ b/samples/runall.sh
@@ -1,5 +1,10 @@
#! /bin/sh
-# $Id$
+#
+# This script is intended for rapid checking of the sample application configurations
+# to ensure they are working. It is for development use only.
+#
+# To run the web application samples, build them as described on the web site and deploy
+# them to a servlet container, such as Apache Tomcat.
#
# See http://curl.netmirror.org/docs/httpscripting.html
#