From 918f7ca0084bb0d8c998e6c1d4496620a7ae2ece Mon Sep 17 00:00:00 2001 From: Vishal Puri Date: Fri, 6 Jul 2007 13:37:18 +0000 Subject: [PATCH] SEC-271: added method authoriztion BeanDefinition parser --- sandbox/spring-security-config/.classpath | 89 +++---- sandbox/spring-security-config/pom.xml | 17 ++ ...thorizationMethodBeanDefinitionParser.java | 217 ++++++++++++++++++ .../AutoConfigBeanDefinitionParser.java | 48 ++-- ...curityInterceptorBeanDefinitionParser.java | 24 +- ...incipalRepositoryBeanDefinitionParser.java | 14 ++ .../config/SecurityNamespaceHandler.java | 1 + .../util/BeanDefinitionParserUtils.java | 40 +++- .../config/inmemory-users.properties | 4 + .../config/spring-security-2.0.xsd | 89 ++++++- .../PrincipalRepositoryNamespaceTests.java | 6 +- .../config/authorization-http-config.xml | 7 +- .../authorization-method-annotations.xml | 42 ++++ .../config/authorization-method-aspectj.xml | 42 ++++ .../authorization-method-attributes.xml | 42 ++++ .../config/authorization-method.xml | 56 +++++ 16 files changed, 638 insertions(+), 100 deletions(-) create mode 100644 sandbox/spring-security-config/src/main/java/org/acegisecurity/config/AuthorizationMethodBeanDefinitionParser.java create mode 100644 sandbox/spring-security-config/src/main/resources/org/acegisecurity/config/inmemory-users.properties create mode 100644 sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method-annotations.xml create mode 100644 sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method-aspectj.xml create mode 100644 sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method-attributes.xml create mode 100644 sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method.xml diff --git a/sandbox/spring-security-config/.classpath b/sandbox/spring-security-config/.classpath index 1f235edf8c..921f13b43f 100644 
--- a/sandbox/spring-security-config/.classpath +++ b/sandbox/spring-security-config/.classpath @@ -1,44 +1,47 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/sandbox/spring-security-config/pom.xml b/sandbox/spring-security-config/pom.xml index 23e01f05e3..0e1785201d 100644 --- a/sandbox/spring-security-config/pom.xml +++ b/sandbox/spring-security-config/pom.xml @@ -72,6 +72,23 @@ commons-collections 3.1 + + commons-attributes + commons-attributes-compiler + 2.1 + + + commons-attributes + commons-attributes-api + 2.1 + + + commons-attributes + commons-attributes-plugin + 2.1 + plugin + + aspectj aspectjrt diff --git a/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/AuthorizationMethodBeanDefinitionParser.java b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/AuthorizationMethodBeanDefinitionParser.java new file mode 100644 index 0000000000..9d4cbdb26f --- /dev/null +++ b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/AuthorizationMethodBeanDefinitionParser.java 
@@ -0,0 +1,217 @@
+package org.acegisecurity.config;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+
+import org.acegisecurity.annotation.SecurityAnnotationAttributes;
+import org.acegisecurity.intercept.method.MethodDefinitionAttributes;
+import org.acegisecurity.intercept.method.MethodDefinitionMap;
+import org.acegisecurity.intercept.method.MethodDefinitionSource;
+import org.acegisecurity.intercept.method.MethodDefinitionSourceMapping;
+import org.acegisecurity.intercept.method.aopalliance.MethodDefinitionSourceAdvisor;
+import org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor;
+import org.acegisecurity.intercept.method.aspectj.AspectJSecurityInterceptor;
+import org.acegisecurity.runas.RunAsManagerImpl;
+import org.acegisecurity.util.BeanDefinitionParserUtils;
+import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
+import org.springframework.beans.factory.BeanDefinitionStoreException;
+import org.springframework.beans.factory.config.RuntimeBeanReference;
+import org.springframework.beans.factory.support.AbstractBeanDefinition;
+import org.springframework.beans.factory.support.RootBeanDefinition;
+import org.springframework.beans.factory.xml.AbstractBeanDefinitionParser;
+import org.springframework.beans.factory.xml.BeanDefinitionParser;
+import org.springframework.beans.factory.xml.ParserContext;
+import org.springframework.metadata.commons.CommonsAttributes;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+import org.springframework.util.xml.DomUtils;
+import org.w3c.dom.Element;
+
+/**
+ *
+ * @author Vishal Puri
+ *
+ */
+
+public class AuthorizationMethodBeanDefinitionParser extends AbstractBeanDefinitionParser implements
+ BeanDefinitionParser {
+ // ~ static initializers
+ // ================================================================================================
+
+ public static final String ASPECTJ_ATTRIBUTE = "aspectj";
+
+ public static final String SPRING_AOP_ATTRIBUTE = "springAop";
+
+ public static final String SOURCE_ATTRIBUTE = "source";
+
+ public static final String SOURCE_BEAN_REF = "sourceBeanId";
+
+ public static final String ATTRIBUTE = "attribute";
+
+ private static final String CONFIGURATION_ATTRIBUTE = "configuration-attribute";
+
+ private static final String TYPE_ATTRIBUTE = "type";
+
+ // ~ Method
+ // ================================================================================================
+
+ protected AbstractBeanDefinition parseInternal(Element element, ParserContext parserContext) {
+ //
+ // one attribute allowed, aspectj or springAop
+ Assert.isTrue(!(element.hasAttribute(SPRING_AOP_ATTRIBUTE) && element.hasAttribute(ASPECTJ_ATTRIBUTE)),
+ "only one attribute (springAop or aspectj) is allowed");
+
+ Element urlMappingEle = DomUtils.getChildElementByTagName(element, "url-mapping");
+
+ String sourceBeanId = urlMappingEle.getAttribute(SOURCE_BEAN_REF);
+ boolean isSourceBeanIdDefined = StringUtils.hasLength(sourceBeanId);
+
+ if (!isValidConfiguration(urlMappingEle, isSourceBeanIdDefined)) {
+ throw new IllegalArgumentException(
+ " 'custom' value provided by 'source' attribute need to be selected when referring to a bean by 'sourceBeanId' attribute ");
+ }
+
+ if ((element.hasAttribute(ASPECTJ_ATTRIBUTE)) && element.getAttribute(ASPECTJ_ATTRIBUTE).equals("true")) {
+ // create AspectJSecurityInterceptor
+ if (isSourceBeanIdDefined)
+ return createMethodSecurityInterceptor(AspectJSecurityInterceptor.class, new RuntimeBeanReference(
+ sourceBeanId));
+
+ return createMethodSecurityInterceptor(AspectJSecurityInterceptor.class, createObjectDefinitionSource(
+ parserContext, urlMappingEle));
+ }
+ else if ((element.hasAttribute(SPRING_AOP_ATTRIBUTE))
+ && element.getAttribute(SPRING_AOP_ATTRIBUTE).equals("true")) {
+ // create MethodSecurityInterceptor and
+ // MethodDefinitionSourceAdvisor
+ if (isSourceBeanIdDefined)
+ return createMethodSecurityInterceptor(MethodSecurityInterceptor.class, new RuntimeBeanReference(
+ sourceBeanId));
+
+ return createMethodSecurityInterceptor(MethodSecurityInterceptor.class, createObjectDefinitionSource(
+ parserContext, urlMappingEle));
+ }
+ return null;
+ }
+
+ /**
+ * @param parserContext
+ * @param firstChild
+ * @param sourceValue
+ * @throws BeanDefinitionStoreException
+ */
+ private MethodDefinitionSource createObjectDefinitionSource(ParserContext parserContext, Element element)
+ throws BeanDefinitionStoreException {
+ String sourceValue = element.getAttribute(SOURCE_ATTRIBUTE);
+ if (sourceValue.equals("xml")) {
+ // create MethodDefinitionSourceEditor
+ Element methodPattern = DomUtils.getChildElementByTagName(element, "method-pattern");
+ String methodToProtect = methodPattern.getAttribute(TYPE_ATTRIBUTE);
+
+ MethodDefinitionSourceMapping mapping = new MethodDefinitionSourceMapping();
+ MethodDefinitionMap source = new MethodDefinitionMap();
+ List mappings = new ArrayList();
+
+ mapping.setMethodName(methodToProtect);
+
+ List configAttributes = DomUtils.getChildElementsByTagName(methodPattern, CONFIGURATION_ATTRIBUTE);
+
+ for (Iterator iter = configAttributes.iterator(); iter.hasNext();) {
+ Element configAttribute = (Element) iter.next();
+ String configAttributeValue = configAttribute.getAttribute(ATTRIBUTE);
+ mapping.addConfigAttribute(configAttributeValue);
+ }
+ mappings.add(mapping);
+ source.setMappings(mappings);
+ return source;
+ }
+ else if (sourceValue.equals("annotations")) {
+ BeanDefinitionParserUtils.registerBeanDefinition(parserContext, new RootBeanDefinition(
+ DefaultAdvisorAutoProxyCreator.class));
+
+ MethodDefinitionAttributes source = new MethodDefinitionAttributes();
+ SecurityAnnotationAttributes attributes = new SecurityAnnotationAttributes();
+ source.setAttributes(attributes);
+ return source;
+ }
+ else if (sourceValue.equals("attributes")) {
+ // create CommonsAttributes
+ CommonsAttributes attributes = new CommonsAttributes();
+ // objectDefinitionSource and inject attributes
+ MethodDefinitionAttributes source = new MethodDefinitionAttributes();
+ source.setAttributes(attributes);
+
+ // register DefaultAdvisorAutoProxyCreator with parseContext
+ BeanDefinitionParserUtils.registerBeanDefinition(parserContext, new RootBeanDefinition(
+ DefaultAdvisorAutoProxyCreator.class));
+
+ // register MethodDefinitionSourceAdvisor autowire="constructor"
+ registerMethodDefinitionSourceAdvisor(parserContext);
+ return source;
+ }
+ return null;
+ }
+
+ /**
+ * @param parserContext
+ * @throws BeanDefinitionStoreException
+ */
+ private void registerMethodDefinitionSourceAdvisor(ParserContext parserContext) throws BeanDefinitionStoreException {
+ RootBeanDefinition methodSecurityAdvisor = new RootBeanDefinition(MethodDefinitionSourceAdvisor.class);
+ methodSecurityAdvisor.setAutowireMode(AbstractBeanDefinition.AUTOWIRE_CONSTRUCTOR);
+ BeanDefinitionParserUtils.registerBeanDefinition(parserContext, methodSecurityAdvisor);
+ }
+
+ /**
+ * Creates BeanDefinition for MethodSecurityInterceptor
+ * MethodSecurityInterceptor autodetects 'authenticationManager' and
+ * 'accessDecisionManager'
+ * @param name
+ *
+ * @return
+ */
+ private RootBeanDefinition createMethodSecurityInterceptor(Class interceptorType, Object object) {
+ Assert.notNull(object, "objectDefinitionSource required");
+ RootBeanDefinition securityInterceptor = new RootBeanDefinition(interceptorType);
+ if (RuntimeBeanReference.class.isAssignableFrom(object.getClass())) {
+ RuntimeBeanReference source = (RuntimeBeanReference) object;
+ securityInterceptor.getPropertyValues().addPropertyValue("objectDefinitionSource", source);
+ }
+ else if (MethodDefinitionSource.class.isAssignableFrom(object.getClass())) {
+ MethodDefinitionSource source = (MethodDefinitionSource) object;
+ securityInterceptor.getPropertyValues().addPropertyValue("objectDefinitionSource", source);
+ }
+ securityInterceptor.getPropertyValues().addPropertyValue("validateConfigAttributes", Boolean.FALSE);
+ RootBeanDefinition runAsManager = createRunAsManager();
+ securityInterceptor.getPropertyValues().addPropertyValue("runAsManager", runAsManager);
+ return securityInterceptor;
+ }
+
+ private RootBeanDefinition createRunAsManager() {
+ RootBeanDefinition runAsManager = new RootBeanDefinition(RunAsManagerImpl.class);
+ runAsManager.getPropertyValues().addPropertyValue("key", "my_run_as_password");
+ return runAsManager;
+ }
+
+ /**
+ * Checks if 'custom' option is picked for 'source' attribute when
+ * 'sourceBeanId' attribute is provided.
+ *

+ * The valid configuration example:
<security:url-mapping + * source="custom" sourceBeanId="referenceToObjectDefinitionSource"/> + *

+ * @param urlMappingElement + * @return boolean Returns 'true' if configuration is accepted otherwise + * returns 'false' + */ + private boolean isValidConfiguration(Element urlMappingElement, boolean isRefDefined) { + Assert.notNull(urlMappingElement, "invalid tag - expected 'url-mapping' "); + Assert.isTrue(urlMappingElement.getLocalName().equals("url-mapping"), "invalid tag - expected 'url-mapping' "); + if (isRefDefined && (urlMappingElement.getAttribute(SOURCE_ATTRIBUTE).compareTo("custom") != 0)) { + return false; + } + return true; + } +} diff --git a/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/AutoConfigBeanDefinitionParser.java b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/AutoConfigBeanDefinitionParser.java index 6b6f430c0e..0b6a21c22a 100644 --- a/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/AutoConfigBeanDefinitionParser.java +++ b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/AutoConfigBeanDefinitionParser.java @@ -4,9 +4,10 @@ package org.acegisecurity.config; import java.util.ArrayList; +import java.util.HashMap; import java.util.List; +import java.util.Map; -import org.acegisecurity.AuthenticationManager; import org.acegisecurity.annotation.SecurityAnnotationAttributes; import org.acegisecurity.intercept.method.MethodDefinitionAttributes; import org.acegisecurity.intercept.method.aopalliance.MethodDefinitionSourceAdvisor; 
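Review bot: `createRunAsManager()` sets the RunAsManagerImpl `key` to the literal `"my_run_as_password"`, so every application configured through this element shares one published key; as far as I know that key is what a run-as authentication provider uses to recognise tokens issued by this manager, so it should come from configuration (or be generated per context) rather than from source. In `createMethodSecurityInterceptor` the interceptor is also built with `validateConfigAttributes` set to `Boolean.FALSE`, which switches off the start-up check for unsupported config attributes without a comment saying why. `parseInternal` returns `null` when neither `aspectj` nor `springAop` equals "true", and it dereferences `urlMappingEle` before `isValidConfiguration` asserts it is non-null, so a missing or mistyped element ends in either no interceptor at all or a bare NullPointerException. I would fail closed with `throw new IllegalArgumentException("either springAop or aspectj must be \"true\"");` in place of the final `return null;` and move the null assertion above the first `getAttribute` call.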
@@ -16,6 +17,8 @@ import org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceMapping; import org.acegisecurity.intercept.web.FilterSecurityInterceptor; import org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap; import org.acegisecurity.runas.RunAsManagerImpl; +import org.acegisecurity.userdetails.memory.InMemoryDaoImpl; +import org.acegisecurity.util.BeanDefinitionParserUtils; import org.acegisecurity.vote.AffirmativeBased; import org.acegisecurity.vote.AuthenticatedVoter; import org.acegisecurity.vote.RoleVoter; @@ -27,6 +30,7 @@ import org.springframework.beans.factory.support.ManagedList; import org.springframework.beans.factory.support.RootBeanDefinition; import org.springframework.beans.factory.xml.BeanDefinitionParser; import org.springframework.beans.factory.xml.ParserContext; +import org.springframework.util.xml.DomUtils; import org.w3c.dom.Element; /** @@ -73,12 +77,14 @@ public class AutoConfigBeanDefinitionParser implements BeanDefinitionParser { // filter security interceptor createAndRegisterBeanDefinitionForFilterSecurityInterceptor(parserContext, authenticationManager); + + // create userDetailsService return null; } private void createAndRegisterBeanDefintionForSecurityContextHolderAwareRequestFilter(ParserContext parserContext) { RootBeanDefinition beanDefinition = new RootBeanDefinition(SecurityContextHolderAwareRequestFilter.class); - registerBeanDefinition(parserContext, beanDefinition); + BeanDefinitionParserUtils.registerBeanDefinition(parserContext, beanDefinition); } /** 
@@ -120,7 +126,7 @@ public class AutoConfigBeanDefinitionParser implements BeanDefinitionParser { source.setMappings(mappings); filterInvocationInterceptor.getPropertyValues().addPropertyValue("objectDefinitionSource", source.getDecorated()); - registerBeanDefinition(parserContext, filterInvocationInterceptor); + BeanDefinitionParserUtils.registerBeanDefinition(parserContext, filterInvocationInterceptor); } private RootBeanDefinition createAccessDecisionManagerAffirmativeBased() { @@ -133,7 +139,8 @@ public class AutoConfigBeanDefinitionParser implements BeanDefinitionParser { } private void createAndRegisterDefaultAdvisorAutoProxyCreator(ParserContext parserContext) { - registerBeanDefinition(parserContext, new RootBeanDefinition(DefaultAdvisorAutoProxyCreator.class)); + BeanDefinitionParserUtils.registerBeanDefinition(parserContext, new RootBeanDefinition( + DefaultAdvisorAutoProxyCreator.class)); } private void createAndRegisterBeanDefinitinoForMethodDefinitionSourceAdvisor(ParserContext parserContext, 
@@ -142,23 +149,18 @@ public class AutoConfigBeanDefinitionParser implements BeanDefinitionParser { RootBeanDefinition securityInterceptor = createMethodSecurityInterceptor(authenticationManager); methodSecurityAdvisor.getConstructorArgumentValues().addIndexedArgumentValue(0, securityInterceptor); - registerBeanDefinition(parserContext, methodSecurityAdvisor); + BeanDefinitionParserUtils.registerBeanDefinition(parserContext, methodSecurityAdvisor); } private RootBeanDefinition createAccessDecisionManagerUnanimousBased() { RootBeanDefinition accessDecisionManager = new RootBeanDefinition(UnanimousBased.class); accessDecisionManager.getPropertyValues().addPropertyValue("allowIfAllAbstainDecisions", Boolean.FALSE); - RootBeanDefinition roleVoter = createRoleVoter(); - decisionVoters.add(roleVoter); + decisionVoters.add(new RootBeanDefinition(RoleVoter.class)); accessDecisionManager.getPropertyValues().addPropertyValue("decisionVoters", decisionVoters); return accessDecisionManager; } - private RootBeanDefinition createRoleVoter() { - return new RootBeanDefinition(RoleVoter.class); - } - private RootBeanDefinition createMethodSecurityInterceptor(RootBeanDefinition authenticationManager) { RootBeanDefinition securityInterceptor = new RootBeanDefinition(MethodSecurityInterceptor.class); securityInterceptor.getPropertyValues().addPropertyValue("authenticationManager", authenticationManager); 
@@ -190,45 +192,36 @@ public class AutoConfigBeanDefinitionParser implements BeanDefinitionParser { } private void createAndRegisterBeanDefinitionForExceptionTranslationFilter(ParserContext parserContext) { - registerBeanDefinition(parserContext, ExceptionTranslationFilterBeanDefinitionParser + BeanDefinitionParserUtils.registerBeanDefinition(parserContext, ExceptionTranslationFilterBeanDefinitionParser .createBeanDefinitionWithDefaults()); } private void createAndRegisterBeanDefinitionForRememberMeProcessingFilter(ParserContext parserContext, RootBeanDefinition authenticationManager) { - registerBeanDefinition(parserContext, RememberMeFilterBeanDefinitionParser.createBeanDefinitionWithDefaults( - parserContext, authenticationManager)); + BeanDefinitionParserUtils.registerBeanDefinition(parserContext, RememberMeFilterBeanDefinitionParser + .createBeanDefinitionWithDefaults(parserContext, authenticationManager)); } private void createAndRegisterBeanDefinitionForAuthenticationProcessingFilter(ParserContext parserContext, RootBeanDefinition authenticationManager, RootBeanDefinition rememberMeServices) { RootBeanDefinition defintion = AuthenticationProcessingFilterBeanDefinitionParser .createBeandefinitionWithDefaults(parserContext, authenticationManager, rememberMeServices); - registerBeanDefinition(parserContext, defintion); + BeanDefinitionParserUtils.registerBeanDefinition(parserContext, defintion); } private void createAndRegisterBeanDefinitionForLogoutFilter(ParserContext parserContext, RootBeanDefinition rememberMeServices) { RootBeanDefinition defintion = LogoutFilterBeanDefinitionParser .createBeanDefinitionWithDefaults(rememberMeServices); - registerBeanDefinition(parserContext, defintion); + BeanDefinitionParserUtils.registerBeanDefinition(parserContext, defintion); } private void createAndRegisterBeanDefinitionForHttpSessionContextIntegrationFilter(ParserContext parserContext) { RootBeanDefinition defintion = 
ContextIntegrationBeanDefinitionParser.createBeanDefinitionWithDefaults(); - registerBeanDefinition(parserContext, defintion); + BeanDefinitionParserUtils.registerBeanDefinition(parserContext, defintion); // retrieveBeanDefinition(parserContext, o) } - /** - * @param parserContext - * @param defintion - */ - private void registerBeanDefinition(ParserContext parserContext, RootBeanDefinition defintion) { - parserContext.getRegistry().registerBeanDefinition( - parserContext.getReaderContext().generateBeanName(defintion), defintion); - } - /** * Returns a BeanDefinition of the specified type. * @@ -247,7 +240,4 @@ public class AutoConfigBeanDefinitionParser implements BeanDefinitionParser { return null; } - private Class ss(Object o) { - return o.getClass(); - } } diff --git a/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/FilterSecurityInterceptorBeanDefinitionParser.java b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/FilterSecurityInterceptorBeanDefinitionParser.java index 4e6bc5041b..9f7ba89279 100644 --- a/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/FilterSecurityInterceptorBeanDefinitionParser.java +++ b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/FilterSecurityInterceptorBeanDefinitionParser.java @@ -26,6 +26,8 @@ import org.w3c.dom.Node; * */ public class FilterSecurityInterceptorBeanDefinitionParser extends AbstractBeanDefinitionParser { + // ~ static initializers + // ================================================================================================ private static final String OBJECT_DEFINITION_SOURCE_PROPERTY = "objectDefinitionSource"; 
@@ -37,6 +39,9 @@ public class FilterSecurityInterceptorBeanDefinitionParser extends AbstractBeanD private static final String CONFIGURATION_ATTRIB_ATTRIBUTE = "attribute"; + // ~ Methods + // ================================================================================================ + protected AbstractBeanDefinition parseInternal(Element element, ParserContext parserContext) { return createBeanDefinitionForFilterSecurityInterceptor(element, parserContext); } @@ -45,7 +50,8 @@ public class FilterSecurityInterceptorBeanDefinitionParser extends AbstractBeanD ParserContext parserContext) { RootBeanDefinition filterInvocationInterceptor = new RootBeanDefinition(FilterSecurityInterceptor.class); - RootBeanDefinition accessDecisionManager = AuthorizationManagerBeanDefinitionParser.createAccessDecisionManagerAffirmativeBased(); + RootBeanDefinition accessDecisionManager = AuthorizationManagerBeanDefinitionParser + .createAccessDecisionManagerAffirmativeBased(); filterInvocationInterceptor.getPropertyValues() .addPropertyValue("accessDecisionManager", accessDecisionManager); @@ -56,8 +62,12 @@ public class FilterSecurityInterceptorBeanDefinitionParser extends AbstractBeanD Element firstChild = DomUtils.getChildElementByTagName(element, "url-mapping"); // if 'url-mapping' element is defined if (firstChild != null) { - BeanDefinitionParserUtils.setPropertyIfAvailable(firstChild, OBJECT_DEFINITION_SOURCE_REF_ATTRIBUTE, - OBJECT_DEFINITION_SOURCE_PROPERTY, true/* RuntimeBeanReference */, filterInvocationInterceptor); + + if (BeanDefinitionParserUtils.setPropertyIfAvailable(firstChild, OBJECT_DEFINITION_SOURCE_REF_ATTRIBUTE, + OBJECT_DEFINITION_SOURCE_PROPERTY, true/* RuntimeBeanReference */, filterInvocationInterceptor)) { + return filterInvocationInterceptor; + } + // get 'uri-pattern' or 'path' attribute. not both can be specified // together List uriPatternElements = DomUtils.getChildElementsByTagName(firstChild, "uri-pattern"); 
@@ -118,8 +128,8 @@ public class FilterSecurityInterceptorBeanDefinitionParser extends AbstractBeanD mapping.setUrl(url); // get child elements 'configuration-attribute' List configAttributes = DomUtils.getChildElementsByTagName(uriPattern, "configuration-attribute"); - - for (Iterator iter = configAttributes.iterator(); iter.hasNext();) { + + for (Iterator iter = configAttributes.iterator(); iter.hasNext();) { Element configAttribute = (Element) iter.next(); String configAttributeValue = configAttribute.getAttribute(CONFIGURATION_ATTRIB_ATTRIBUTE); mapping.addConfigAttribute(configAttributeValue); @@ -145,11 +155,9 @@ public class FilterSecurityInterceptorBeanDefinitionParser extends AbstractBeanD mappings.add(mapping); source.setMappings(mappings); - filterInvocationInterceptor.getPropertyValues().addPropertyValue("objectDefinitionSource", + filterInvocationInterceptor.getPropertyValues().addPropertyValue(OBJECT_DEFINITION_SOURCE_PROPERTY, source.getDecorated()); return filterInvocationInterceptor; } - - } diff --git a/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/PrincipalRepositoryBeanDefinitionParser.java b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/PrincipalRepositoryBeanDefinitionParser.java index 1076a6aa07..1796f3ba07 100644 --- a/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/PrincipalRepositoryBeanDefinitionParser.java +++ b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/PrincipalRepositoryBeanDefinitionParser.java @@ -3,8 +3,13 @@ */ package org.acegisecurity.config; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; import java.util.Properties; +import org.acegisecurity.GrantedAuthority; import org.acegisecurity.GrantedAuthorityImpl; import org.acegisecurity.userdetails.User; import org.acegisecurity.userdetails.UserDetails; 
@@ -142,6 +147,15 @@ public class PrincipalRepositoryBeanDefinitionParser extends AbstractBeanDefinit defintion.setSource(parserContext.extractSource(ele)); return parserContext.getReaderContext().registerWithGeneratedName(defintion); } + + protected static RootBeanDefinition createSampleUsersUsingProperties() { + // properties element + RootBeanDefinition defintion = new RootBeanDefinition(PropertiesFactoryBean.class); + String location = "classpath:org/acegisecurity/config/user.properties"; + defintion.getPropertyValues().addPropertyValue("location", location); + return defintion; + } + /** * diff --git a/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/SecurityNamespaceHandler.java b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/SecurityNamespaceHandler.java index d56ea98b29..c694e59f4f 100644 --- a/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/SecurityNamespaceHandler.java +++ b/sandbox/spring-security-config/src/main/java/org/acegisecurity/config/SecurityNamespaceHandler.java @@ -30,6 +30,7 @@ public class SecurityNamespaceHandler extends NamespaceHandlerSupport { registerBeanDefinitionParser("authentication-form", new AuthenticationProcessingFilterBeanDefinitionParser()); registerBeanDefinitionParser("authorization-manager", new AuthorizationManagerBeanDefinitionParser()); registerBeanDefinitionParser("authorization-http-url", new FilterSecurityInterceptorBeanDefinitionParser()); + registerBeanDefinitionParser("authorization-joinpoint", new AuthorizationMethodBeanDefinitionParser()); registerBeanDefinitionParser("autoconfig", new AutoConfigBeanDefinitionParser()); } diff --git a/sandbox/spring-security-config/src/main/java/org/acegisecurity/util/BeanDefinitionParserUtils.java b/sandbox/spring-security-config/src/main/java/org/acegisecurity/util/BeanDefinitionParserUtils.java index aae7f7141e..cf3141a3d6 100644 
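Review bot: `createSampleUsersUsingProperties()` points the PropertiesFactoryBean at `classpath:org/acegisecurity/config/user.properties`, while the only properties file this commit adds to that package is `inmemory-users.properties`; unless a `user.properties` already exists outside this patch, the location will not resolve. If the new file is the intended one, the line should read `String location = "classpath:org/acegisecurity/config/inmemory-users.properties";`. The method also needs a Javadoc line stating that these are sample accounts with fixed passwords, so that it is not wired into a default configuration unnoticed.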
--- a/sandbox/spring-security-config/src/main/java/org/acegisecurity/util/BeanDefinitionParserUtils.java +++ b/sandbox/spring-security-config/src/main/java/org/acegisecurity/util/BeanDefinitionParserUtils.java @@ -4,12 +4,15 @@ package org.acegisecurity.util; import org.springframework.beans.factory.config.RuntimeBeanNameReference; -import org.springframework.beans.factory.support.BeanDefinitionReaderUtils; +import org.springframework.beans.factory.config.RuntimeBeanReference; import org.springframework.beans.factory.support.RootBeanDefinition; +import org.springframework.beans.factory.xml.ParserContext; import org.springframework.util.StringUtils; import org.w3c.dom.Element; /** + * The convenience methods for the parsing of bean definition xml file. + * * @author Vishal Puri * */ @@ -40,17 +43,46 @@ public class BeanDefinitionParserUtils { } } - public static void setPropertyIfAvailable(Element element, String attribute, String property, + /** + *

+ * Configure a BeanDefinitionwith the property value + * retrieved from xml attribute. If the attribute is like a standard spring + * 'ref' attribute as indicated by 'isRunTimeBeanReference', the property + * will be resolved as a reference to the spring bean. + *

+ * + * @param element The parent element. + * @param attribute The child attribute. + * @param property The configuration property for the BeanDefinition + * @param isRunTimeBeanReference Indicates if the property is like a + * standard spring 'ref' attribute. + * @param definition The BeanDefinition to configure with the property + * provided. + * @return boolean To indicate if BeanDefinition was configured with a + * property. + */ + public static boolean setPropertyIfAvailable(Element element, String attribute, String property, boolean isRunTimeBeanReference, RootBeanDefinition definition) { String propertyValue = element.getAttribute(attribute); if (StringUtils.hasText(propertyValue)) { if (!isRunTimeBeanReference) { definition.getPropertyValues().addPropertyValue(property, propertyValue); + return true; } else { - definition.getPropertyValues().addPropertyValue(property, new RuntimeBeanNameReference(propertyValue)); + definition.getPropertyValues().addPropertyValue(property, new RuntimeBeanReference(propertyValue)); + return true; } - } + return false; + } + + /** + * @param parserContext + * @param defintion + */ + public static void registerBeanDefinition(ParserContext parserContext, RootBeanDefinition defintion) { + parserContext.getRegistry().registerBeanDefinition( + parserContext.getReaderContext().generateBeanName(defintion), defintion); } } diff --git a/sandbox/spring-security-config/src/main/resources/org/acegisecurity/config/inmemory-users.properties b/sandbox/spring-security-config/src/main/resources/org/acegisecurity/config/inmemory-users.properties new file mode 100644 index 0000000000..66b97be29f --- /dev/null +++ b/sandbox/spring-security-config/src/main/resources/org/acegisecurity/config/inmemory-users.properties @@ -0,0 +1,4 @@ +angelina=black,ROLE_ADMIN +brad=grey,ROLE_TELLER,ROLE_PERMISSION_LIST +paris=pink,ROLE_TELLER +bono=sunny,ROLE_PERMISSION_LIST 
diff --git a/sandbox/spring-security-config/src/main/resources/org/acegisecurity/config/spring-security-2.0.xsd b/sandbox/spring-security-config/src/main/resources/org/acegisecurity/config/spring-security-2.0.xsd index 1dd2273768..76b8eb45cd 100644 --- a/sandbox/spring-security-config/src/main/resources/org/acegisecurity/config/spring-security-2.0.xsd +++ b/sandbox/spring-security-config/src/main/resources/org/acegisecurity/config/spring-security-2.0.xsd @@ -553,20 +553,24 @@ - - + + - - - + + + - - + + @@ -577,9 +581,67 @@ - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -588,6 +650,15 @@ + + + + + + + + + diff --git a/sandbox/spring-security-config/src/test/java/org/acegisecurity/config/PrincipalRepositoryNamespaceTests.java b/sandbox/spring-security-config/src/test/java/org/acegisecurity/config/PrincipalRepositoryNamespaceTests.java index d7b089aa09..0716479ca6 100644 --- a/sandbox/spring-security-config/src/test/java/org/acegisecurity/config/PrincipalRepositoryNamespaceTests.java +++ b/sandbox/spring-security-config/src/test/java/org/acegisecurity/config/PrincipalRepositoryNamespaceTests.java @@ -1,4 +1,4 @@ - package org.acegisecurity.config; +package org.acegisecurity.config; import junit.framework.TestCase; @@ -9,13 +9,14 @@ import org.acegisecurity.userdetails.UserDetailsService; import org.acegisecurity.userdetails.memory.InMemoryDaoImpl; import org.acegisecurity.userdetails.memory.UserMap; import org.springframework.beans.PropertyValue; +import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.beans.factory.config.ConfigurableListableBeanFactory; import org.springframework.beans.factory.support.RootBeanDefinition; import org.springframework.context.ApplicationContext; import org.springframework.context.support.ClassPathXmlApplicationContext; /** - * @author vpuri + * @author Vishal Puri * */ public class PrincipalRepositoryNamespaceTests extends TestCase { 
@@ -60,4 +61,5 @@ public class PrincipalRepositoryNamespaceTests extends TestCase { assertEquals(new GrantedAuthorityImpl("ROLE_YO"), users.getUser("vishal").getAuthorities()[0]); assertEquals(new GrantedAuthorityImpl("ROLE_YOYO"), users.getUser("vishal").getAuthorities()[1]); } + } diff --git a/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-http-config.xml b/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-http-config.xml index 07ac8a9c58..38efe1b606 100644 --- a/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-http-config.xml +++ b/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-http-config.xml @@ -12,9 +12,7 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc - + @@ -22,8 +20,7 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc - + diff --git a/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method-annotations.xml b/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method-annotations.xml new file mode 100644 index 0000000000..deeef05543 --- /dev/null +++ b/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method-annotations.xml @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method-aspectj.xml b/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method-aspectj.xml new file mode 100644 index 0000000000..0f1233dd78 --- /dev/null +++ b/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method-aspectj.xml @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method-attributes.xml b/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method-attributes.xml new file mode 100644 index 0000000000..ff13e48ec8 --- /dev/null +++ b/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method-attributes.xml @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method.xml b/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method.xml new file mode 100644 index 0000000000..88d418e26f --- /dev/null +++ b/sandbox/spring-security-config/src/test/resources/org/acegisecurity/config/authorization-method.xml @@ -0,0 +1,56 @@ + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file