diff --git a/samples/tutorial/src/main/java/bigbank/BankService.java b/samples/tutorial/src/main/java/bigbank/BankService.java
index e9bbce0fc2..8fa0d6ac92 100644
--- a/samples/tutorial/src/main/java/bigbank/BankService.java
+++ b/samples/tutorial/src/main/java/bigbank/BankService.java
@@ -10,7 +10,7 @@ public interface BankService {
     public Account[] findAccounts();
 
     @PreAuthorize(
-            "hasRole('ROLE_SUPERVISOR') or " +
-            "hasRole('ROLE_TELLER') and (#account.balance + #amount >= -#account.overdraft)" )
+            "hasRole('supervisor') or " +
+            "hasRole('teller') and (#account.balance + #amount >= -#account.overdraft)" )
     public Account post(Account account, double amount);
 }
diff --git a/samples/tutorial/src/main/java/bigbank/BankServiceImpl.java b/samples/tutorial/src/main/java/bigbank/BankServiceImpl.java
index d5b77a3c46..a6309564c8 100644
--- a/samples/tutorial/src/main/java/bigbank/BankServiceImpl.java
+++ b/samples/tutorial/src/main/java/bigbank/BankServiceImpl.java
@@ -17,9 +17,9 @@ public class BankServiceImpl implements BankService {
     public Account post(Account account, double amount) {
         Assert.notNull(account);
 
-        // We read account bank from DAO so it reflects the latest balance
+        // We read account back from DAO so it reflects the latest balance
         Account a = bankDao.readAccount(account.getId());
-        if (account == null) {
+        if (a == null) {
             throw new IllegalArgumentException("Couldn't find requested account");
         }
 
diff --git a/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml b/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml
index 3c307b2071..1ba55d9ecd 100644
--- a/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml
+++ b/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml
@@ -18,7 +18,7 @@
     <http pattern="/loggedout.jsp" security="none"/>
 
     <http use-expressions="true">
-        <intercept-url pattern="/secure/extreme/**" access="hasRole('ROLE_SUPERVISOR')"/>
+        <intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')"/>
         <intercept-url pattern="/secure/**" access="isAuthenticated()" />
         <!--
              Allow all other requests. In a real application you should
@@ -46,14 +46,16 @@
         scott/wombat
         peter/opal
     -->
+    <beans:bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>
+
     <authentication-manager>
         <authentication-provider>
-            <password-encoder hash="md5"/>
+            <password-encoder ref="encoder"/>
             <user-service>
-                <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
-                <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
-                <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
-                <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
+                <user name="rod" password="4efe081594ce25ee4efd9f7067f7f678a347bccf2de201f3adf2a3eb544850b465b4e51cdc3fcdde" authorities="supervisor, user, teller" />
+                <user name="dianne" password="957ea522524a41cbfb649a3e293d56268f840fd5b661b499b07858bc020d6d223f912e3ab303b00f" authorities="user,teller" />
+                <user name="scott" password="fb1f9e48058d30dc21c35ab4cf895e2a80f2f03fac549b51be637196dfb6b2b7276a89c65e38b7a1" authorities="user" />
+                <user name="peter" password="e175750688deee19d7179d444bfaf92129f4eea8b4503d83eb8f92a7dd9cda5fbae73638c913e420" authorities="user" />
             </user-service>
         </authentication-provider>
     </authentication-manager>
diff --git a/samples/tutorial/src/main/webapp/WEB-INF/web.xml b/samples/tutorial/src/main/webapp/WEB-INF/web.xml
index 325805a212..37b9078afa 100644
--- a/samples/tutorial/src/main/webapp/WEB-INF/web.xml
+++ b/samples/tutorial/src/main/webapp/WEB-INF/web.xml
@@ -39,8 +39,6 @@
 
     <!--
       - Loads the root application context of this web app at startup.
-      - The application context is then available via
-      - WebApplicationContextUtils.getWebApplicationContext(servletContext).
     -->
     <listener>
         <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
@@ -55,7 +53,7 @@
     </listener>
 
   <!--
-    - Provides core MVC application controller. See contacts-servlet.xml.
+    - Provides core MVC application controller. See bank-servlet.xml.
     -->
     <servlet>
         <servlet-name>bank</servlet-name>
diff --git a/samples/tutorial/src/main/webapp/secure/index.jsp b/samples/tutorial/src/main/webapp/secure/index.jsp
index e6063c64da..165f8e90dc 100644
--- a/samples/tutorial/src/main/webapp/secure/index.jsp
+++ b/samples/tutorial/src/main/webapp/secure/index.jsp
@@ -28,6 +28,7 @@ or if you've authenticated this session.
 <tr>
 <td>&lt;sec:authentication property='name' /&gt;</td><td><sec:authentication property="name"/></td>
 </tr>
+<sec:authorize access="isAuthenticated()">
 <tr>
 <td>&lt;sec:authentication property='principal.username' /&gt;</td><td><sec:authentication property="principal.username"/></td>
 </tr>
@@ -37,6 +38,7 @@ or if you've authenticated this session.
 <tr>
 <td>&lt;sec:authentication property='principal.accountNonLocked' /&gt;</td><td><sec:authentication property="principal.accountNonLocked"/></td>
 </tr>
+</sec:authorize>
 </table>