Separate Namespace Servlet Docs

Issue gh-10367

config/src/test/java/org/springframework/security/config/doc/XsdDocumentedTests.java

@@ -16,9 +16,10 @@
 
 package org.springframework.security.config.doc;
 
+import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
-import java.nio.file.Paths;
+import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -60,7 +61,7 @@ public class XsdDocumentedTests {
 			"nsa-frame-options-from-parameter");
 	// @formatter:on
 
-	String referenceLocation = "../docs/modules/ROOT/pages/servlet/appendix/namespace.adoc";
+	String referenceLocation = "../docs/modules/ROOT/pages/servlet/appendix/namespace";
 
 	String schema31xDocumentLocation = "org/springframework/security/config/spring-security-3.1.xsd";
 
@@ -163,7 +164,7 @@ public class XsdDocumentedTests {
 	public void countReferencesWhenReviewingDocumentationThenEntireSchemaIsIncluded() throws IOException {
 		Map<String, Element> elementsByElementName = this.xml.elementsByElementName(this.schemaDocumentLocation);
 		// @formatter:off
-		List<String> documentIds = Files.lines(Paths.get(this.referenceLocation))
+		List<String> documentIds = namespaceLines()
 				.filter((line) -> line.matches("\\[\\[(nsa-.*)\\]\\]"))
 				.map((line) -> line.substring(2, line.length() - 2))
 				.collect(Collectors.toList());
@@ -189,7 +190,7 @@ public class XsdDocumentedTests {
 		Map<String, List<String>> docAttrNameToParents = new TreeMap<>();
 		String docAttrName = null;
 		Map<String, List<String>> currentDocAttrNameToElmt = null;
-		List<String> lines = Files.readAllLines(Paths.get(this.referenceLocation));
+		List<String> lines = namespaceLines().collect(Collectors.toList());
 		for (String line : lines) {
 			if (line.matches("^\\[\\[.*\\]\\]$")) {
 				String id = line.substring(2, line.length() - 2);
@@ -212,6 +213,13 @@ public class XsdDocumentedTests {
 					String elmtId = line.replaceAll(expression, "$1");
 					currentDocAttrNameToElmt.computeIfAbsent(docAttrName, (key) -> new ArrayList<>()).add(elmtId);
 				}
+				else {
+					expression = ".*xref:.*#(nsa-.*)\\[.*\\]";
+					if (line.matches(expression)) {
+						String elmtId = line.replaceAll(expression, "$1");
+						currentDocAttrNameToElmt.computeIfAbsent(docAttrName, (key) -> new ArrayList<>()).add(elmtId);
+					}
+				}
 			}
 		}
 		Map<String, Element> elementNameToElement = this.xml.elementsByElementName(this.schemaDocumentLocation);
@@ -295,4 +303,17 @@ public class XsdDocumentedTests {
 		assertThat(notDocAttrIds).isEmpty();
 	}
 
+	private Stream<String> namespaceLines() {
+		return Stream.of(new File(this.referenceLocation).listFiles()).map(File::toPath).flatMap(this::fileLines);
+	}
+
+	private Stream<String> fileLines(Path path) {
+		try {
+			return Files.lines(path);
+		}
+		catch (Exception ex) {
+			throw new RuntimeException(ex);
+		}
+	}
+
 }

docs/modules/ROOT/nav.adoc

@@ -100,7 +100,12 @@
 *** xref:servlet/test/mockmvc/result-handlers.adoc[Security ResultHandlers]
 ** xref:servlet/appendix/index.adoc[Appendix]
 *** xref:servlet/appendix/database-schema.adoc[Database Schemas]
-*** xref:servlet/appendix/namespace.adoc[XML Namespace]
+*** xref:servlet/appendix/namespace/index.adoc[XML Namespace]
+**** xref:servlet/appendix/namespace/authentication-manager.adoc[Authentication Services]
+**** xref:servlet/appendix/namespace/http.adoc[Web Security]
+**** xref:servlet/appendix/namespace/method-security.adoc[Method Security]
+**** xref:servlet/appendix/namespace/ldap.adoc[LDAP Security]
+**** xref:servlet/appendix/namespace/websocket.adoc[WebSocket Security]
 *** xref:servlet/appendix/faq.adoc[FAQ]
 * xref:reactive/index.adoc[Reactive Applications]
 ** xref:reactive/getting-started.adoc[Getting Started]

docs/modules/ROOT/pages/features/integrations/concurrency.adoc

@@ -44,7 +44,7 @@ fun run() {
 
 While very simple, it makes it seamless to transfer the SecurityContext from one Thread to another.
 This is important since, in most cases, the SecurityContextHolder acts on a per Thread basis.
-For example, you might have used Spring Security's xref:servlet/appendix/namespace.adoc#nsa-global-method-security[<global-method-security>] support to secure one of your services.
+For example, you might have used Spring Security's xref:servlet/appendix/namespace/method-security.adoc#nsa-global-method-security[<global-method-security>] support to secure one of your services.
 You can now easily transfer the `SecurityContext` of the current `Thread` to the `Thread` that invokes the secured service.
 An example of how you might do this can be found below:
 

docs/modules/ROOT/pages/servlet/appendix/index.adoc

@@ -4,5 +4,5 @@ This is an appendix for Servlet based Spring Security.
 It has the following sections:
 
 * xref:servlet/appendix/database-schema.adoc[Database Schemas]
-* xref:servlet/appendix/namespace.adoc[XML Namespace]
+* xref:servlet/appendix/namespace/index.adoc[XML Namespace]
 * xref:servlet/appendix/faq.adoc[FAQ]

docs/modules/ROOT/pages/servlet/appendix/namespace/authentication-manager.adoc

@@ -0,0 +1,292 @@
+[[nsa-authentication]]
+= Authentication Services
+Before Spring Security 3.0, an `AuthenticationManager` was automatically registered internally.
+Now you must register one explicitly using the `<authentication-manager>` element.
+This creates an instance of Spring Security's `ProviderManager` class, which needs to be configured with a list of one or more `AuthenticationProvider` instances.
+These can either be created using syntax elements provided by the namespace, or they can be standard bean definitions, marked for addition to the list using the `authentication-provider` element.
+
+
+[[nsa-authentication-manager]]
+== <authentication-manager>
+Every Spring Security application which uses the namespace must have include this element somewhere.
+It is responsible for registering the `AuthenticationManager` which provides authentication services to the application.
+All elements which create `AuthenticationProvider` instances should be children of this element.
+
+
+[[nsa-authentication-manager-attributes]]
+=== <authentication-manager> Attributes
+
+
+[[nsa-authentication-manager-alias]]
+* **alias**
+This attribute allows you to define an alias name for the internal instance for use in your own configuration.
+
+
+[[nsa-authentication-manager-erase-credentials]]
+* **erase-credentials**
+If set to true, the AuthenticationManager will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated.
+Literally it maps to the `eraseCredentialsAfterAuthentication` property of the xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager[`ProviderManager`].
+
+
+[[nsa-authentication-manager-id]]
+* **id**
+This attribute allows you to define an id for the internal instance for use in your own configuration.
+It is the same as the alias element, but provides a more consistent experience with elements that use the id attribute.
+
+
+[[nsa-authentication-manager-children]]
+=== Child Elements of <authentication-manager>
+
+
+* <<nsa-authentication-provider,authentication-provider>>
+* xref:servlet/appendix/namespace/ldap.adoc#nsa-ldap-authentication-provider[ldap-authentication-provider]
+
+
+
+[[nsa-authentication-provider]]
+== <authentication-provider>
+Unless used with a `ref` attribute, this element is shorthand for configuring a `DaoAuthenticationProvider`.
+`DaoAuthenticationProvider` loads user information from a `UserDetailsService` and compares the username/password combination with the values supplied at login.
+The `UserDetailsService` instance can be defined either by using an available namespace element (`jdbc-user-service` or by using the `user-service-ref` attribute to point to a bean defined elsewhere in the application context).
+
+
+
+[[nsa-authentication-provider-parents]]
+=== Parent Elements of <authentication-provider>
+
+
+* <<nsa-authentication-manager,authentication-manager>>
+
+
+
+[[nsa-authentication-provider-attributes]]
+=== <authentication-provider> Attributes
+
+
+[[nsa-authentication-provider-ref]]
+* **ref**
+Defines a reference to a Spring bean that implements `AuthenticationProvider`.
+
+If you have written your own `AuthenticationProvider` implementation (or want to configure one of Spring Security's own implementations as a traditional bean for some reason, then you can use the following syntax to add it to the internal list of `ProviderManager`:
+
+[source,xml]
+----
+
+<security:authentication-manager>
+  <security:authentication-provider ref="myAuthenticationProvider" />
+</security:authentication-manager>
+<bean id="myAuthenticationProvider" class="com.something.MyAuthenticationProvider"/>
+
+----
+
+
+
+
+[[nsa-authentication-provider-user-service-ref]]
+* **user-service-ref**
+A reference to a bean that implements UserDetailsService that may be created using the standard bean element or the custom user-service element.
+
+
+[[nsa-authentication-provider-children]]
+=== Child Elements of <authentication-provider>
+
+
+* <<nsa-jdbc-user-service,jdbc-user-service>>
+* xref:servlet/appendix/namespace/ldap.adoc#nsa-ldap-user-service[ldap-user-service]
+* <<nsa-password-encoder,password-encoder>>
+* <<nsa-user-service,user-service>>
+
+
+
+[[nsa-jdbc-user-service]]
+== <jdbc-user-service>
+Causes creation of a JDBC-based UserDetailsService.
+
+
+[[nsa-jdbc-user-service-attributes]]
+=== <jdbc-user-service> Attributes
+
+
+[[nsa-jdbc-user-service-authorities-by-username-query]]
+* **authorities-by-username-query**
+An SQL statement to query for a user's granted authorities given a username.
+
+The default is
+
+[source]
+----
+select username, authority from authorities where username = ?
+----
+
+
+
+
+[[nsa-jdbc-user-service-cache-ref]]
+* **cache-ref**
+Defines a reference to a cache for use with a UserDetailsService.
+
+
+[[nsa-jdbc-user-service-data-source-ref]]
+* **data-source-ref**
+The bean ID of the DataSource which provides the required tables.
+
+
+[[nsa-jdbc-user-service-group-authorities-by-username-query]]
+* **group-authorities-by-username-query**
+An SQL statement to query user's group authorities given a username.
+The default is
+
++
+
+[source]
+----
+select
+g.id, g.group_name, ga.authority
+from
+groups g, group_members gm, group_authorities ga
+where
+gm.username = ? and g.id = ga.group_id and g.id = gm.group_id
+----
+
+
+
+
+[[nsa-jdbc-user-service-id]]
+* **id**
+A bean identifier, used for referring to the bean elsewhere in the context.
+
+
+[[nsa-jdbc-user-service-role-prefix]]
+* **role-prefix**
+A non-empty string prefix that will be added to role strings loaded from persistent storage (default is "ROLE_").
+Use the value "none" for no prefix in cases where the default is non-empty.
+
+
+[[nsa-jdbc-user-service-users-by-username-query]]
+* **users-by-username-query**
+An SQL statement to query a username, password, and enabled status given a username.
+The default is
+
++
+
+[source]
+----
+select username, password, enabled from users where username = ?
+----
+
+
+
+
+[[nsa-password-encoder]]
+== <password-encoder>
+Authentication providers can optionally be configured to use a password encoder as described in the xref:features/authentication/password-storage.adoc#authentication-password-storage[Password Storage].
+This will result in the bean being injected with the appropriate `PasswordEncoder` instance.
+
+
+[[nsa-password-encoder-parents]]
+=== Parent Elements of <password-encoder>
+
+
+* <<nsa-authentication-provider,authentication-provider>>
+* xref:servlet/appendix/namespace/authentication-manager.adoc#nsa-password-compare[password-compare]
+
+
+
+[[nsa-password-encoder-attributes]]
+=== <password-encoder> Attributes
+
+
+[[nsa-password-encoder-hash]]
+* **hash**
+Defines the hashing algorithm used on user passwords.
+We recommend strongly against using MD4, as it is a very weak hashing algorithm.
+
+
+[[nsa-password-encoder-ref]]
+* **ref**
+Defines a reference to a Spring bean that implements `PasswordEncoder`.
+
+
+[[nsa-user-service]]
+== <user-service>
+Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements.
+Usernames are converted to lower-case internally to allow for case-insensitive lookups, so this should not be used if case-sensitivity is required.
+
+
+[[nsa-user-service-attributes]]
+=== <user-service> Attributes
+
+
+[[nsa-user-service-id]]
+* **id**
+A bean identifier, used for referring to the bean elsewhere in the context.
+
+
+[[nsa-user-service-properties]]
+* **properties**
+The location of a Properties file where each line is in the format of
+
++
+
+[source]
+----
+username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
+----
+
+
+
+
+[[nsa-user-service-children]]
+=== Child Elements of <user-service>
+
+
+* <<nsa-user,user>>
+
+
+
+[[nsa-user]]
+== <user>
+Represents a user in the application.
+
+
+[[nsa-user-parents]]
+=== Parent Elements of <user>
+
+
+* <<nsa-user-service,user-service>>
+
+
+
+[[nsa-user-attributes]]
+=== <user> Attributes
+
+
+[[nsa-user-authorities]]
+* **authorities**
+One of more authorities granted to the user.
+Separate authorities with a comma (but no space).
+For example, "ROLE_USER,ROLE_ADMINISTRATOR"
+
+
+[[nsa-user-disabled]]
+* **disabled**
+Can be set to "true" to mark an account as disabled and unusable.
+
+
+[[nsa-user-locked]]
+* **locked**
+Can be set to "true" to mark an account as locked and unusable.
+
+
+[[nsa-user-name]]
+* **name**
+The username assigned to the user.
+
+
+[[nsa-user-password]]
+* **password**
+The password assigned to the user.
+This may be hashed if the corresponding authentication provider supports hashing (remember to set the "hash" attribute of the "user-service" element).
+This attribute be omitted in the case where the data will not be used for authentication, but only for accessing authorities.
+If omitted, the namespace will generate a random value, preventing its accidental use for authentication.
+Cannot be empty.

docs/modules/ROOT/pages/servlet/appendix/namespace/index.adoc

@@ -0,0 +1,9 @@
+[[appendix-namespace]]
+= The Security Namespace
+:page-section-summary-toc: 1
+
+This appendix provides a reference to the elements available in the security namespace and information on the underlying beans they create (a knowledge of the individual classes and how they work together is assumed - you can find more information in the project Javadoc and elsewhere in this document).
+If you haven't used the namespace before, please read the xref:servlet/configuration/xml-namespace.adoc#ns-config[introductory chapter] on namespace configuration, as this is intended as a supplement to the information there.
+Using a good quality XML editor while editing a configuration based on the schema is recommended as this will provide contextual information on which elements and attributes are available as well as comments explaining their purpose.
+The namespace is written in https://relaxng.org/[RELAX NG] Compact format and later converted into an XSD schema.
+If you are familiar with this format, you may wish to examine the https://raw.githubusercontent.com/spring-projects/spring-security/main/config/src/main/resources/org/springframework/security/config/spring-security-5.6.rnc[schema file] directly.

docs/modules/ROOT/pages/servlet/appendix/namespace/ldap.adoc

@@ -0,0 +1,291 @@
+[[nsa-ldap]]
+= LDAP Namespace Options
+LDAP is covered in some details in xref:servlet/authentication/passwords/ldap.adoc#servlet-authentication-ldap[its own chapter].
+We will expand on that here with some explanation of how the namespace options map to Spring beans.
+The LDAP implementation uses Spring LDAP extensively, so some familiarity with that project's API may be useful.
+
+
+[[nsa-ldap-server]]
+== Defining the LDAP Server using the
+`<ldap-server>` Element
+This element sets up a Spring LDAP `ContextSource` for use by the other LDAP beans, defining the location of the LDAP server and other information (such as a username and password, if it doesn't allow anonymous access) for connecting to it.
+It can also be used to create an embedded server for testing.
+Details of the syntax for both options are covered in the xref:servlet/authentication/passwords/ldap.adoc#servlet-authentication-ldap[LDAP chapter].
+The actual `ContextSource` implementation is `DefaultSpringSecurityContextSource` which extends Spring LDAP's `LdapContextSource` class.
+The `manager-dn` and `manager-password` attributes map to the latter's `userDn` and `password` properties respectively.
+
+If you only have one server defined in your application context, the other LDAP namespace-defined beans will use it automatically.
+Otherwise, you can give the element an "id" attribute and refer to it from other namespace beans using the `server-ref` attribute.
+This is actually the bean `id` of the `ContextSource` instance, if you want to use it in other traditional Spring beans.
+
+
+[[nsa-ldap-server-attributes]]
+=== <ldap-server> Attributes
+
+[[nsa-ldap-server-mode]]
+* **mode**
+Explicitly specifies which embedded ldap server should use. Values are `apacheds` and `unboundid`. By default, it will depends if the library is available in the classpath.
+
+[[nsa-ldap-server-id]]
+* **id**
+A bean identifier, used for referring to the bean elsewhere in the context.
+
+
+[[nsa-ldap-server-ldif]]
+* **ldif**
+Explicitly specifies an ldif file resource to load into an embedded LDAP server.
+The ldif should be a Spring resource pattern (i.e. classpath:init.ldif).
+The default is classpath*:*.ldif
+
+
+[[nsa-ldap-server-manager-dn]]
+* **manager-dn**
+Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server.
+If omitted, anonymous access will be used.
+
+
+[[nsa-ldap-server-manager-password]]
+* **manager-password**
+The password for the manager DN.
+This is required if the manager-dn is specified.
+
+
+[[nsa-ldap-server-port]]
+* **port**
+Specifies an IP port number.
+Used to configure an embedded LDAP server, for example.
+The default value is 33389.
+
+
+[[nsa-ldap-server-root]]
+* **root**
+Optional root suffix for the embedded LDAP server.
+Default is "dc=springframework,dc=org"
+
+
+[[nsa-ldap-server-url]]
+* **url**
+Specifies the ldap server URL when not using the embedded LDAP server.
+
+
+[[nsa-ldap-authentication-provider]]
+== <ldap-authentication-provider>
+This element is shorthand for the creation of an `LdapAuthenticationProvider` instance.
+By default this will be configured with a `BindAuthenticator` instance and a `DefaultAuthoritiesPopulator`.
+As with all namespace authentication providers, it must be included as a child of the `authentication-provider` element.
+
+
+[[nsa-ldap-authentication-provider-parents]]
+=== Parent Elements of <ldap-authentication-provider>
+
+
+* xref:servlet/appendix/namespace/authentication-manager.adoc#nsa-authentication-manager[authentication-manager]
+
+
+
+[[nsa-ldap-authentication-provider-attributes]]
+=== <ldap-authentication-provider> Attributes
+
+
+[[nsa-ldap-authentication-provider-group-role-attribute]]
+* **group-role-attribute**
+The LDAP attribute name which contains the role name which will be used within Spring Security.
+Maps to the ``DefaultLdapAuthoritiesPopulator``'s `groupRoleAttribute` property.
+Defaults to "cn".
+
+
+[[nsa-ldap-authentication-provider-group-search-base]]
+* **group-search-base**
+Search base for group membership searches.
+Maps to the ``DefaultLdapAuthoritiesPopulator``'s `groupSearchBase` constructor argument.
+Defaults to "" (searching from the root).
+
+
+[[nsa-ldap-authentication-provider-group-search-filter]]
+* **group-search-filter**
+Group search filter.
+Maps to the ``DefaultLdapAuthoritiesPopulator``'s `groupSearchFilter` property.
+Defaults to `+(uniqueMember={0})+`.
+The substituted parameter is the DN of the user.
+
+
+[[nsa-ldap-authentication-provider-role-prefix]]
+* **role-prefix**
+A non-empty string prefix that will be added to role strings loaded from persistent.
+Maps to the ``DefaultLdapAuthoritiesPopulator``'s `rolePrefix` property.
+Defaults to "ROLE_".
+Use the value "none" for no prefix in cases where the default is non-empty.
+
+
+[[nsa-ldap-authentication-provider-server-ref]]
+* **server-ref**
+The optional server to use.
+If omitted, and a default LDAP server is registered (using <ldap-server> with no Id), that server will be used.
+
+
+[[nsa-ldap-authentication-provider-user-context-mapper-ref]]
+* **user-context-mapper-ref**
+Allows explicit customization of the loaded user object by specifying a UserDetailsContextMapper bean which will be called with the context information from the user's directory entry
+
+
+[[nsa-ldap-authentication-provider-user-details-class]]
+* **user-details-class**
+Allows the objectClass of the user entry to be specified.
+If set, the framework will attempt to load standard attributes for the defined class into the returned UserDetails object
+
+
+[[nsa-ldap-authentication-provider-user-dn-pattern]]
+* **user-dn-pattern**
+If your users are at a fixed location in the directory (i.e. you can work out the DN directly from the username without doing a directory search), you can use this attribute to map directly to the DN.
+It maps directly to the `userDnPatterns` property of `AbstractLdapAuthenticator`.
+The value is a specific pattern used to build the user's DN, for example `+uid={0},ou=people+`.
+The key `+{0}+` must be present and will be substituted with the username.
+
+
+[[nsa-ldap-authentication-provider-user-search-base]]
+* **user-search-base**
+Search base for user searches.
+Defaults to "".
+Only used with a 'user-search-filter'.
+
++
+
+If you need to perform a search to locate the user in the directory, then you can set these attributes to control the search.
+The `BindAuthenticator` will be configured with a `FilterBasedLdapUserSearch` and the attribute values map directly to the first two arguments of that bean's constructor.
+If these attributes aren't set and no `user-dn-pattern` has been supplied as an alternative, then the default search values of `+user-search-filter="(uid={0})"+` and `user-search-base=""` will be used.
+
+
+[[nsa-ldap-authentication-provider-user-search-filter]]
+* **user-search-filter**
+The LDAP filter used to search for users (optional).
+For example `+(uid={0})+`.
+The substituted parameter is the user's login name.
+
++
+
+If you need to perform a search to locate the user in the directory, then you can set these attributes to control the search.
+The `BindAuthenticator` will be configured with a `FilterBasedLdapUserSearch` and the attribute values map directly to the first two arguments of that bean's constructor.
+If these attributes aren't set and no `user-dn-pattern` has been supplied as an alternative, then the default search values of `+user-search-filter="(uid={0})"+` and `user-search-base=""` will be used.
+
+
+[[nsa-ldap-authentication-provider-children]]
+=== Child Elements of <ldap-authentication-provider>
+
+
+* <<nsa-password-compare,password-compare>>
+
+
+
+[[nsa-password-compare]]
+== <password-compare>
+This is used as child element to `<ldap-provider>` and switches the authentication strategy from `BindAuthenticator` to `PasswordComparisonAuthenticator`.
+
+
+[[nsa-password-compare-parents]]
+=== Parent Elements of <password-compare>
+
+
+* <<nsa-ldap-authentication-provider,ldap-authentication-provider>>
+
+
+
+[[nsa-password-compare-attributes]]
+=== <password-compare> Attributes
+
+
+[[nsa-password-compare-hash]]
+* **hash**
+Defines the hashing algorithm used on user passwords.
+We recommend strongly against using MD4, as it is a very weak hashing algorithm.
+
+
+[[nsa-password-compare-password-attribute]]
+* **password-attribute**
+The attribute in the directory which contains the user password.
+Defaults to "userPassword".
+
+
+[[nsa-password-compare-children]]
+=== Child Elements of <password-compare>
+
+
+* xref:servlet/appendix/namespace/authentication-manager.adoc#nsa-password-encoder[password-encoder]
+
+
+
+[[nsa-ldap-user-service]]
+== <ldap-user-service>
+This element configures an LDAP `UserDetailsService`.
+The class used is `LdapUserDetailsService` which is a combination of a `FilterBasedLdapUserSearch` and a `DefaultLdapAuthoritiesPopulator`.
+The attributes it supports have the same usage as in `<ldap-provider>`.
+
+
+[[nsa-ldap-user-service-attributes]]
+=== <ldap-user-service> Attributes
+
+
+[[nsa-ldap-user-service-cache-ref]]
+* **cache-ref**
+Defines a reference to a cache for use with a UserDetailsService.
+
+
+[[nsa-ldap-user-service-group-role-attribute]]
+* **group-role-attribute**
+The LDAP attribute name which contains the role name which will be used within Spring Security.
+Defaults to "cn".
+
+
+[[nsa-ldap-user-service-group-search-base]]
+* **group-search-base**
+Search base for group membership searches.
+Defaults to "" (searching from the root).
+
+
+[[nsa-ldap-user-service-group-search-filter]]
+* **group-search-filter**
+Group search filter.
+Defaults to `+(uniqueMember={0})+`.
+The substituted parameter is the DN of the user.
+
+
+[[nsa-ldap-user-service-id]]
+* **id**
+A bean identifier, used for referring to the bean elsewhere in the context.
+
+
+[[nsa-ldap-user-service-role-prefix]]
+* **role-prefix**
+A non-empty string prefix that will be added to role strings loaded from persistent storage (e.g.
+"ROLE_").
+Use the value "none" for no prefix in cases where the default is non-empty.
+
+
+[[nsa-ldap-user-service-server-ref]]
+* **server-ref**
+The optional server to use.
+If omitted, and a default LDAP server is registered (using <ldap-server> with no Id), that server will be used.
+
+
+[[nsa-ldap-user-service-user-context-mapper-ref]]
+* **user-context-mapper-ref**
+Allows explicit customization of the loaded user object by specifying a UserDetailsContextMapper bean which will be called with the context information from the user's directory entry
+
+
+[[nsa-ldap-user-service-user-details-class]]
+* **user-details-class**
+Allows the objectClass of the user entry to be specified.
+If set, the framework will attempt to load standard attributes for the defined class into the returned UserDetails object
+
+
+[[nsa-ldap-user-service-user-search-base]]
+* **user-search-base**
+Search base for user searches.
+Defaults to "".
+Only used with a 'user-search-filter'.
+
+
+[[nsa-ldap-user-service-user-search-filter]]
+* **user-search-filter**
+The LDAP filter used to search for users (optional).
+For example `+(uid={0})+`.
+The substituted parameter is the user's login name.

docs/modules/ROOT/pages/servlet/appendix/namespace/method-security.adoc

@@ -0,0 +1,340 @@
+= Method Security
+
+[[nsa-method-security]]
+== <method-security>
+This element is the primary means of adding support for securing methods on Spring Security beans.
+Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts.
+
+[[nsa-method-security-attributes]]
+=== <method-security> attributes
+
+[[nsa-method-security-pre-post-enabled]]
+* **pre-post-enabled**
+Enables Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) for this application context.
+Defaults to "true".
+
+[[nsa-method-security-secured-enabled]]
+* **secured-enabled**
+Enables Spring Security's @Secured annotation for this application context.
+Defaults to "false".
+
+[[nsa-method-security-jsr250-enabled]]
+* **jsr250-enabled**
+Enables JSR-250 authorization annotations (@RolesAllowed, @PermitAll, @DenyAll) for this application context.
+Defaults to "false".
+
+[[nsa-method-security-proxy-target-class]]
+* **proxy-target-class**
+If true, class based proxying will be used instead of interface based proxying.
+Defaults to "false".
+
+[[nsa-method-security-children]]
+=== Child Elements of <method-security>
+
+* xref:servlet/appendix/namespace/http.adoc#nsa-expression-handler[expression-handler]
+
+[[nsa-global-method-security]]
+== <global-method-security>
+This element is the primary means of adding support for securing methods on Spring Security beans.
+Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts as child elements, using AspectJ syntax.
+
+
+[[nsa-global-method-security-attributes]]
+=== <global-method-security> Attributes
+
+
+[[nsa-global-method-security-access-decision-manager-ref]]
+* **access-decision-manager-ref**
+Method security uses the same `AccessDecisionManager` configuration as web security, but this can be overridden using this attribute.
+By default an AffirmativeBased implementation is used for with a RoleVoter and an AuthenticatedVoter.
+
+
+[[nsa-global-method-security-authentication-manager-ref]]
+* **authentication-manager-ref**
+A reference to an `AuthenticationManager` that should be used for method security.
+
+
+[[nsa-global-method-security-jsr250-annotations]]
+* **jsr250-annotations**
+Specifies whether JSR-250 style attributes are to be used (for example "RolesAllowed").
+This will require the javax.annotation.security classes on the classpath.
+Setting this to true also adds a `Jsr250Voter` to the `AccessDecisionManager`, so you need to make sure you do this if you are using a custom implementation and want to use these annotations.
+
+
+[[nsa-global-method-security-metadata-source-ref]]
+* **metadata-source-ref**
+An external `MethodSecurityMetadataSource` instance can be supplied which will take priority over other sources (such as the default annotations).
+
+
+[[nsa-global-method-security-mode]]
+* **mode**
+This attribute can be set to "aspectj" to specify that AspectJ should be used instead of the default Spring AOP.
+Secured methods must be woven with the `AnnotationSecurityAspect` from the `spring-security-aspects` module.
+
+It is important to note that AspectJ follows Java's rule that annotations on interfaces are not inherited.
+This means that methods that define the Security annotations on the interface will not be secured.
+Instead, you must place the Security annotation on the class when using AspectJ.
+
+
+[[nsa-global-method-security-order]]
+* **order**
+Allows the advice "order" to be set for the method security interceptor.
+
+
+[[nsa-global-method-security-pre-post-annotations]]
+* **pre-post-annotations**
+Specifies whether the use of Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for this application context.
+Defaults to "disabled".
+
+
+[[nsa-global-method-security-proxy-target-class]]
+* **proxy-target-class**
+If true, class based proxying will be used instead of interface based proxying.
+
+
+[[nsa-global-method-security-run-as-manager-ref]]
+* **run-as-manager-ref**
+A reference to an optional `RunAsManager` implementation which will be used by the configured `MethodSecurityInterceptor`
+
+
+[[nsa-global-method-security-secured-annotations]]
+* **secured-annotations**
+Specifies whether the use of Spring Security's @Secured annotations should be enabled for this application context.
+Defaults to "disabled".
+
+
+[[nsa-global-method-security-children]]
+=== Child Elements of <global-method-security>
+
+
+* <<nsa-after-invocation-provider,after-invocation-provider>>
+* xref:servlet/appendix/namespace/http.adoc#nsa-expression-handler[expression-handler]
+* <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>>
+* <<nsa-protect-pointcut,protect-pointcut>>
+
+
+
+[[nsa-after-invocation-provider]]
+== <after-invocation-provider>
+This element can be used to decorate an `AfterInvocationProvider` for use by the security interceptor maintained by the `<global-method-security>` namespace.
+You can define zero or more of these within the `global-method-security` element, each with a `ref` attribute pointing to an `AfterInvocationProvider` bean instance within your application context.
+
+
+[[nsa-after-invocation-provider-parents]]
+=== Parent Elements of <after-invocation-provider>
+
+
+* <<nsa-global-method-security,global-method-security>>
+
+
+
+[[nsa-after-invocation-provider-attributes]]
+=== <after-invocation-provider> Attributes
+
+
+[[nsa-after-invocation-provider-ref]]
+* **ref**
+Defines a reference to a Spring bean that implements `AfterInvocationProvider`.
+
+
+[[nsa-pre-post-annotation-handling]]
+== <pre-post-annotation-handling>
+Allows the default expression-based mechanism for handling Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) to be replaced entirely.
+Only applies if these annotations are enabled.
+
+
+[[nsa-pre-post-annotation-handling-parents]]
+=== Parent Elements of <pre-post-annotation-handling>
+
+
+* <<nsa-global-method-security,global-method-security>>
+
+
+
+[[nsa-pre-post-annotation-handling-children]]
+=== Child Elements of <pre-post-annotation-handling>
+
+
+* <<nsa-invocation-attribute-factory,invocation-attribute-factory>>
+* <<nsa-post-invocation-advice,post-invocation-advice>>
+* <<nsa-pre-invocation-advice,pre-invocation-advice>>
+
+
+
+[[nsa-invocation-attribute-factory]]
+== <invocation-attribute-factory>
+Defines the PrePostInvocationAttributeFactory instance which is used to generate pre and post invocation metadata from the annotated methods.
+
+
+[[nsa-invocation-attribute-factory-parents]]
+=== Parent Elements of <invocation-attribute-factory>
+
+
+* <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>>
+
+
+
+[[nsa-invocation-attribute-factory-attributes]]
+=== <invocation-attribute-factory> Attributes
+
+
+[[nsa-invocation-attribute-factory-ref]]
+* **ref**
+Defines a reference to a Spring bean Id.
+
+
+[[nsa-post-invocation-advice]]
+== <post-invocation-advice>
+Customizes the `PostInvocationAdviceProvider` with the ref as the `PostInvocationAuthorizationAdvice` for the <pre-post-annotation-handling> element.
+
+
+[[nsa-post-invocation-advice-parents]]
+=== Parent Elements of <post-invocation-advice>
+
+
+* <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>>
+
+
+
+[[nsa-post-invocation-advice-attributes]]
+=== <post-invocation-advice> Attributes
+
+
+[[nsa-post-invocation-advice-ref]]
+* **ref**
+Defines a reference to a Spring bean Id.
+
+
+[[nsa-pre-invocation-advice]]
+== <pre-invocation-advice>
+Customizes the `PreInvocationAuthorizationAdviceVoter` with the ref as the `PreInvocationAuthorizationAdviceVoter` for the <pre-post-annotation-handling> element.
+
+
+[[nsa-pre-invocation-advice-parents]]
+=== Parent Elements of <pre-invocation-advice>
+
+
+* <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>>
+
+
+
+[[nsa-pre-invocation-advice-attributes]]
+=== <pre-invocation-advice> Attributes
+
+
+[[nsa-pre-invocation-advice-ref]]
+* **ref**
+Defines a reference to a Spring bean Id.
+
+
+[[nsa-protect-pointcut]]
+== Securing Methods using
+`<protect-pointcut>`
+Rather than defining security attributes on an individual method or class basis using the `@Secured` annotation, you can define cross-cutting security constraints across whole sets of methods and interfaces in your service layer using the `<protect-pointcut>` element.
+You can find an example in the xref:servlet/authorization/method-security.adoc#ns-protect-pointcut[namespace introduction].
+
+
+[[nsa-protect-pointcut-parents]]
+=== Parent Elements of <protect-pointcut>
+
+
+* <<nsa-global-method-security,global-method-security>>
+
+
+
+[[nsa-protect-pointcut-attributes]]
+=== <protect-pointcut> Attributes
+
+
+[[nsa-protect-pointcut-access]]
+* **access**
+Access configuration attributes list that applies to all methods matching the pointcut, e.g.
+"ROLE_A,ROLE_B"
+
+
+[[nsa-protect-pointcut-expression]]
+* **expression**
+An AspectJ expression, including the `execution` keyword.
+For example, `execution(int com.foo.TargetObject.countLength(String))`.
+
+
+[[nsa-intercept-methods]]
+== <intercept-methods>
+Can be used inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean's methods
+
+
+[[nsa-intercept-methods-attributes]]
+=== <intercept-methods> Attributes
+
+
+[[nsa-intercept-methods-access-decision-manager-ref]]
+* **access-decision-manager-ref**
+Optional AccessDecisionManager bean ID to be used by the created method security interceptor.
+
+
+[[nsa-intercept-methods-children]]
+=== Child Elements of <intercept-methods>
+
+
+* <<nsa-protect,protect>>
+
+
+
+[[nsa-method-security-metadata-source]]
+== <method-security-metadata-source>
+Creates a MethodSecurityMetadataSource instance
+
+
+[[nsa-method-security-metadata-source-attributes]]
+=== <method-security-metadata-source> Attributes
+
+
+[[nsa-method-security-metadata-source-id]]
+* **id**
+A bean identifier, used for referring to the bean elsewhere in the context.
+
+
+[[nsa-method-security-metadata-source-use-expressions]]
+* **use-expressions**
+Enables the use of expressions in the 'access' attributes in <intercept-url> elements rather than the traditional list of configuration attributes.
+Defaults to 'false'.
+If enabled, each attribute should contain a single Boolean expression.
+If the expression evaluates to 'true', access will be granted.
+
+
+[[nsa-method-security-metadata-source-children]]
+=== Child Elements of <method-security-metadata-source>
+
+
+* <<nsa-protect,protect>>
+
+
+
+[[nsa-protect]]
+== <protect>
+Defines a protected method and the access control configuration attributes that apply to it.
+We strongly advise you NOT to mix "protect" declarations with any services provided "global-method-security".
+
+
+[[nsa-protect-parents]]
+=== Parent Elements of <protect>
+
+
+* <<nsa-intercept-methods,intercept-methods>>
+* <<nsa-method-security-metadata-source,method-security-metadata-source>>
+
+
+
+[[nsa-protect-attributes]]
+=== <protect> Attributes
+
+
+[[nsa-protect-access]]
+* **access**
+Access configuration attributes list that applies to the method, e.g.
+"ROLE_A,ROLE_B".
+
+
+[[nsa-protect-method]]
+* **method**
+A method name

docs/modules/ROOT/pages/servlet/appendix/namespace/websocket.adoc

@@ -0,0 +1,74 @@
+[[nsa-websocket-security]]
+= WebSocket Security
+
+Spring Security 4.0+ provides support for authorizing messages.
+One concrete example of where this is useful is to provide authorization in WebSocket based applications.
+
+[[nsa-websocket-message-broker]]
+== <websocket-message-broker>
+
+The websocket-message-broker element has two different modes.
+If the <<nsa-websocket-message-broker-id,websocket-message-broker@id>> is not specified, then it will do the following things:
+
+* Ensure that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver.
+This allows the use of `@AuthenticationPrincipal` to resolve the principal of the current `Authentication`
+* Ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel.
+This populates the SecurityContextHolder with the user that is found in the Message
+* Ensures that a ChannelSecurityInterceptor is registered with the clientInboundChannel.
+This allows authorization rules to be specified for a message.
+* Ensures that a CsrfChannelInterceptor is registered with the clientInboundChannel.
+This ensures that only requests from the original domain are enabled.
+* Ensures that a CsrfTokenHandshakeInterceptor is registered with WebSocketHttpRequestHandler, TransportHandlingSockJsService, or DefaultSockJsService.
+This ensures that the expected CsrfToken from the HttpServletRequest is copied into the WebSocket Session attributes.
+
+If additional control is necessary, the id can be specified and a ChannelSecurityInterceptor will be assigned to the specified id.
+All the wiring with Spring's messaging infrastructure can then be done manually.
+This is more cumbersome, but provides greater control over the configuration.
+
+
+[[nsa-websocket-message-broker-attributes]]
+=== <websocket-message-broker> Attributes
+
+[[nsa-websocket-message-broker-id]]
+* **id** A bean identifier, used for referring to the ChannelSecurityInterceptor bean elsewhere in the context.
+If specified, Spring Security requires explicit configuration within Spring Messaging.
+If not specified, Spring Security will automatically integrate with the messaging infrastructure as described in <<nsa-websocket-message-broker>>
+
+[[nsa-websocket-message-broker-same-origin-disabled]]
+* **same-origin-disabled** Disables the requirement for CSRF token to be present in the Stomp headers (default false).
+Changing the default is useful if it is necessary to allow other origins to make SockJS connections.
+
+[[nsa-websocket-message-broker-children]]
+=== Child Elements of <websocket-message-broker>
+
+
+* xref:servlet/appendix/namespace/http.adoc#nsa-expression-handler[expression-handler]
+* <<nsa-intercept-message,intercept-message>>
+
+[[nsa-intercept-message]]
+== <intercept-message>
+
+Defines an authorization rule for a message.
+
+
+[[nsa-intercept-message-parents]]
+=== Parent Elements of <intercept-message>
+
+
+* <<nsa-websocket-message-broker,websocket-message-broker>>
+
+
+[[nsa-intercept-message-attributes]]
+=== <intercept-message> Attributes
+
+[[nsa-intercept-message-pattern]]
+* **pattern** An ant based pattern that matches on the Message destination.
+For example, "/**" matches any Message with a destination; "/admin/**" matches any Message that has a destination that starts with "/admin/**".
+
+[[nsa-intercept-message-type]]
+* **type** The type of message to match on.
+Valid values are defined in SimpMessageType (i.e. CONNECT, CONNECT_ACK, HEARTBEAT, MESSAGE, SUBSCRIBE, UNSUBSCRIBE, DISCONNECT, DISCONNECT_ACK, OTHER).
+
+[[nsa-intercept-message-access]]
+* **access** The expression used to secure the Message.
+For example, "denyAll" will deny access to all of the matching Messages; "permitAll" will grant access to all of the matching Messages; "hasRole('ADMIN') requires the current user to have the role 'ROLE_ADMIN' for the matching Messages.

docs/modules/ROOT/pages/servlet/authentication/cas.adoc

@@ -139,7 +139,7 @@ The following beans should be configured to commence the CAS authentication proc
 ----
 
 For CAS to operate, the `ExceptionTranslationFilter` must have its `authenticationEntryPoint` property set to the `CasAuthenticationEntryPoint` bean.
-This can easily be done using xref:servlet/appendix/namespace.adoc#nsa-http-entry-point-ref[entry-point-ref] as is done in the example above.
+This can easily be done using xref:servlet/appendix/namespace/http.adoc#nsa-http-entry-point-ref[entry-point-ref] as is done in the example above.
 The `CasAuthenticationEntryPoint` must refer to the `ServiceProperties` bean (discussed above), which provides the URL to the enterprise's CAS login server.
 This is where the user's browser will be redirected.
 

docs/modules/ROOT/pages/servlet/authentication/jaas.adoc

@@ -166,5 +166,5 @@ This means that the `Subject` can be accessed using:
 Subject subject = Subject.getSubject(AccessController.getContext());
 ----
 
-This integration can easily be configured using the xref:servlet/appendix/namespace.adoc#nsa-http-jaas-api-provision[jaas-api-provision] attribute.
+This integration can easily be configured using the xref:servlet/appendix/namespace/http.adoc#nsa-http-jaas-api-provision[jaas-api-provision] attribute.
 This feature is useful when integrating with legacy or external API's that rely on the JAAS Subject being populated.

docs/modules/ROOT/pages/servlet/authentication/logout.adoc

@@ -74,7 +74,7 @@ This is a shortcut for adding a `CookieClearingLogoutHandler` explicitly.
 [NOTE]
 ====
 Logouts can of course also be configured using the XML Namespace notation.
-Please see the documentation for the xref:servlet/appendix/namespace.adoc#nsa-logout[ logout element] in the Spring Security XML Namespace section for further details.
+Please see the documentation for the xref:servlet/appendix/namespace/http.adoc#nsa-logout[ logout element] in the Spring Security XML Namespace section for further details.
 ====
 
 Generally, in order to customize logout functionality, you can add
@@ -145,4 +145,4 @@ If not configured a status code 200 will be returned by default.
 - xref:servlet/authentication/rememberme.adoc#remember-me-impls[Remember-Me Interfaces and Implementations]
 - xref:servlet/exploits/csrf.adoc#servlet-considerations-csrf-logout[ Logging Out] in section CSRF Caveats
 - Section xref:servlet/authentication/cas.adoc#cas-singlelogout[ Single Logout] (CAS protocol)
-- Documentation for the xref:servlet/appendix/namespace.adoc#nsa-logout[ logout element] in the Spring Security XML Namespace section
+- Documentation for the xref:servlet/appendix/namespace/http.adoc#nsa-logout[ logout element] in the Spring Security XML Namespace section

docs/modules/ROOT/pages/servlet/configuration/xml-namespace.adoc

@@ -192,7 +192,7 @@ Common problems like incorrect filter ordering are no longer an issue as the fil
 
 The `<authentication-provider>` element creates a `DaoAuthenticationProvider` bean and the `<user-service>` element creates an `InMemoryDaoImpl`.
 All `authentication-provider` elements must be children of the `<authentication-manager>` element, which creates a `ProviderManager` and registers the authentication providers with it.
-You can find more detailed information on the beans that are created in the xref:servlet/appendix/namespace.adoc#appendix-namespace[namespace appendix].
+You can find more detailed information on the beans that are created in the xref:servlet/appendix/namespace/index.adoc#appendix-namespace[namespace appendix].
 It's worth cross-checking this if you want to start understanding what the important classes in the framework are and how they are used, particularly if you want to customise things later.
 ****
 

docs/modules/ROOT/pages/servlet/exploits/csrf.adoc

@@ -375,7 +375,7 @@ For details, refer to the <<servlet-csrf-configure-custom-repository>> section.
 
 If a token does expire, you might want to customize how it is handled by specifying a custom `AccessDeniedHandler`.
 The custom `AccessDeniedHandler` can process the `InvalidCsrfTokenException` any way you like.
-For an example of how to customize the `AccessDeniedHandler` refer to the provided links for both xref:servlet/appendix/namespace.adoc#nsa-access-denied-handler[xml] and {gh-url}/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java#L64[Java configuration].
+For an example of how to customize the `AccessDeniedHandler` refer to the provided links for both xref:servlet/appendix/namespace/http.adoc#nsa-access-denied-handler[xml] and {gh-url}/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java#L64[Java configuration].
 // FIXME: We should add a custom AccessDeniedHandler section in the reference and update the links above
 
 

docs/modules/ROOT/pages/servlet/integrations/websocket.adoc

@@ -51,7 +51,7 @@ This will ensure that:
 <2> The SecurityContextHolder is populated with the user within the simpUser header attribute for any inbound request.
 <3> Our messages require the proper authorization. Specifically, any inbound message that starts with "/user/" will require ROLE_USER. Additional details on authorization can be found in <<websocket-authorization>>
 
-Spring Security also provides xref:servlet/appendix/namespace.adoc#nsa-websocket-security[XML Namespace] support for securing WebSockets.
+Spring Security also provides xref:servlet/appendix/namespace/websocket.adoc#nsa-websocket-security[XML Namespace] support for securing WebSockets.
 A comparable XML based configuration looks like the following:
 
 [source,xml]
@@ -132,7 +132,7 @@ This will ensure that:
 <5> Any other message of type MESSAGE or SUBSCRIBE is rejected. Due to 6 we do not need this step, but it illustrates how one can match on specific message types.
 <6> Any other Message is rejected. This is a good idea to ensure that you do not miss any messages.
 
-Spring Security also provides xref:servlet/appendix/namespace.adoc#nsa-websocket-security[XML Namespace] support for securing WebSockets.
+Spring Security also provides xref:servlet/appendix/namespace/websocket.adoc#nsa-websocket-security[XML Namespace] support for securing WebSockets.
 A comparable XML based configuration looks like the following:
 
 [source,xml]
@@ -360,7 +360,7 @@ SockJS may use an https://github.com/sockjs/sockjs-client/tree/v0.3.4[transport
 By default Spring Security will xref:features/exploits/headers.adoc#headers-frame-options[deny] the site from being framed to prevent Clickjacking attacks.
 To allow SockJS frame based transports to work, we need to configure Spring Security to allow the same origin to frame the content.
 
-You can customize X-Frame-Options with the xref:servlet/appendix/namespace.adoc#nsa-frame-options[frame-options] element.
+You can customize X-Frame-Options with the xref:servlet/appendix/namespace/http.adoc#nsa-frame-options[frame-options] element.
 For example, the following will instruct Spring Security to use "X-Frame-Options: SAMEORIGIN" which allows iframes within the same domain:
 
 [source,xml]
@@ -486,7 +486,7 @@ open class WebSecurityConfig : WebSecurityConfigurerAdapter() {
 ----
 ====
 
-If we are using XML based configuration, we can use the xref:servlet/appendix/namespace.adoc#nsa-csrf-request-matcher-ref[csrf@request-matcher-ref].
+If we are using XML based configuration, we can use the xref:servlet/appendix/namespace/http.adoc#nsa-csrf-request-matcher-ref[csrf@request-matcher-ref].
 For example:
 
 [source,xml]

docs/modules/ROOT/pages/servlet/oauth2/oauth2-client.adoc

@@ -74,7 +74,7 @@ class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() {
 
 In addition to the `HttpSecurity.oauth2Client()` DSL, XML configuration is also supported.
 
-The following code shows the complete configuration options available in the xref:servlet/appendix/namespace.adoc#nsa-oauth2-client[ security namespace]:
+The following code shows the complete configuration options available in the xref:servlet/appendix/namespace/http.adoc#nsa-oauth2-client[ security namespace]:
 
 .OAuth2 Client XML Configuration Options
 ====

docs/modules/ROOT/pages/servlet/oauth2/oauth2-login.adoc

@@ -737,7 +737,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
 
 In addition to the `oauth2Login()` DSL, XML configuration is also supported.
 
-The following code shows the complete configuration options available in the xref:servlet/appendix/namespace.adoc#nsa-oauth2-login[ security namespace]:
+The following code shows the complete configuration options available in the xref:servlet/appendix/namespace/http.adoc#nsa-oauth2-login[ security namespace]:
 
 .OAuth2 Login XML Configuration Options
 ====