SEC-624: Improved general consistency of ref docs. Tidied up program listings. Added namespace info on channel security.

2008-04-10 14:38:41 +00:00 · 2008-04-10 14:38:41 +00:00 · a7ab048f3b
parent a3de51ea51
commit a7ab048f3b
18 changed files with 555 additions and 546 deletions
--- a/src/docbkx/anon-auth-provider.xml
+++ b/src/docbkx/anon-auth-provider.xml
@ -40,17 +40,17 @@
        filter and authentication provider appears as follows:</para>
    <para><programlisting>
-        &lt;bean id="anonymousProcessingFilter"
+<![CDATA[
-        class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter"&gt;
+<bean id="anonymousProcessingFilter"
-        &lt;property name="key"&gt;&lt;value&gt;foobar&lt;/value&gt;&lt;/property&gt;
+    class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
-        &lt;property name="userAttribute"&gt;&lt;value&gt;anonymousUser,ROLE_ANONYMOUS&lt;/value&gt;&lt;/property&gt;
+  <property name="key" value="foobar"/>
-        &lt;/bean&gt;
+  <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
-        
+</bean>
        &lt;bean id="anonymousAuthenticationProvider"
        class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider"&gt;
        &lt;property name="key"&gt;&lt;value&gt;foobar&lt;/value&gt;&lt;/property&gt;
        &lt;/bean&gt;
 <bean id="anonymousAuthenticationProvider"
    class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
  <property name="key" value="foobar"/>
 </bean>]]>
    </programlisting></para>
    <para>The <literal>key</literal> is shared between the filter and
--- a/src/docbkx/authorization-common.xml
+++ b/src/docbkx/authorization-common.xml
@ -3,7 +3,6 @@
  <section xml:id="authorities"><info><title>Authorities</title></info>
    <para>As briefly mentioned in the Authentication section, all
    <literal>Authentication</literal> implementations are required to
    store an array of <literal>GrantedAuthority</literal> objects. These
@ -15,11 +14,11 @@
    decisions.</para>
    <para><literal>GrantedAuthority</literal> is an interface with only
-    one method:</para>
+    one method:
-
+      <programlisting>
-    <para><programlisting>public String getAuthority();</programlisting></para>
+  String getAuthority();
-
+    </programlisting>
-    <para>This method allows <literal>AccessDecisionManager</literal>s to
+    This method allows <literal>AccessDecisionManager</literal>s to
    obtain a precise <literal>String</literal> representation of the
    <literal>GrantedAuthority</literal>. By returning a representation as
    a <literal>String</literal>, a <literal>GrantedAuthority</literal> can
@ -58,13 +57,13 @@
    <literal>AbstractSecurityInterceptor</literal> and is responsible for
    making final access control decisions. The
    <literal>AccessDecisionManager</literal> interface contains three
-    methods:</para>
+    methods:
-
+      <programlisting>
-    <para><programlisting>public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) throws AccessDeniedException;
+ void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) throws AccessDeniedException;
-public boolean supports(ConfigAttribute attribute);
+ boolean supports(ConfigAttribute attribute);
-public boolean supports(Class clazz);</programlisting></para>
+ boolean supports(Class clazz);
-
+      </programlisting>
-    <para>As can be seen from the first method, the
+    As can be seen from the first method, the
    <literal>AccessDecisionManager</literal> is passed via method
    parameters all information that is likely to be of value in assessing
    an authorization decision. In particular, passing the secure
@ -115,13 +114,13 @@ public boolean supports(Class clazz);</programlisting></para>
    assessment of the votes.</para>
    <para>The <literal>AccessDecisionVoter</literal> interface has three
-    methods:</para>
+    methods:
-
+<programlisting>
-    <para><programlisting>public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
+int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
-public boolean supports(ConfigAttribute attribute);
+boolean supports(ConfigAttribute attribute);
-public boolean supports(Class clazz);</programlisting></para>
+boolean supports(Class clazz);
-
+</programlisting>
-    <para>Concrete implementations return an <literal>int</literal>, with
+    Concrete implementations return an <literal>int</literal>, with
    possible values being reflected in the
    <literal>AccessDecisionVoter</literal> static fields
    <literal>ACCESS_ABSTAIN</literal>, <literal>ACCESS_DENIED</literal>
@ -176,34 +175,36 @@ public boolean supports(Class clazz);</programlisting></para>
    voter included with Spring Security. It integrates with Spring
    Security's <literal>AclManager</literal> (discussed later). This voter
    is designed to have multiple instances in the same application
-    context, such as:</para>
+    context, such as:
 <programlisting>
 <![CDATA[
 <bean id="aclContactReadVoter"
    class="org.springframework.security.vote.BasicAclEntryVoter">
  <property name="processConfigAttribute" value="ACL_CONTACT_READ"/>
  <property name="processDomainObjectClass" value="sample.contact.Contact"/>
  <property name="aclManager" ref="aclManager"/>
  <property name="requirePermission">
    <list>
      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
    </list>
  </property>
 </bean>
-    <para><programlisting>&lt;bean id="aclContactReadVoter"
+<bean id="aclContactDeleteVoter" 
-        class="org.springframework.security.vote.BasicAclEntryVoter"&gt;
+    class="org.springframework.security.vote.BasicAclEntryVoter">
-&lt;property name="processConfigAttribute"&gt;&lt;value&gt;ACL_CONTACT_READ&lt;/value&gt;&lt;/property&gt;
+  <property name="processConfigAttribute" value="ACL_CONTACT_DELETE"/>
-&lt;property name="processDomainObjectClass"&gt;&lt;value&gt;sample.contact.Contact&lt;/value&gt;&lt;/property&gt;
+  <property name="processDomainObjectClass" value="sample.contact.Contact"/>
-&lt;property name="aclManager"&gt;&lt;ref local="aclManager"/&gt;&lt;/property&gt;
+  <property name="aclManager" ref="aclManager"/>
-&lt;property name="requirePermission"&gt;
+  <property name="requirePermission">
-&lt;list&gt;
+    <list>
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/&gt;
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/&gt;
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.DELETE"/>
-&lt;/list&gt;
+    </list>
-&lt;/property&gt;
+  </property>
-&lt;/bean&gt;
+</bean>
-
+]]></programlisting>
-&lt;bean id="aclContactDeleteVoter" class="org.springframework.security.vote.BasicAclEntryVoter"&gt;
+      In the above example, you'd define
 &lt;property name="processConfigAttribute"&gt;&lt;value&gt;ACL_CONTACT_DELETE&lt;/value&gt;&lt;/property&gt;
 &lt;property name="processDomainObjectClass"&gt;&lt;value&gt;sample.contact.Contact&lt;/value&gt;&lt;/property&gt;
 &lt;property name="aclManager"&gt;&lt;ref local="aclManager"/&gt;&lt;/property&gt;
 &lt;property name="requirePermission"&gt;
 &lt;list&gt;
  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/&gt;
  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.DELETE"/&gt;
 &lt;/list&gt;
 &lt;/property&gt;
 &lt;/bean&gt;        </programlisting></para>
    <para>In the above example, you'd define
    <literal>ACL_CONTACT_READ</literal> or
    <literal>ACL_CONTACT_DELETE</literal> against some methods on a
    <literal>MethodSecurityInterceptor</literal> or
@ -251,9 +252,8 @@ public boolean supports(Class clazz);</programlisting></para>
    to the chapter describing the new ACL implementation.</para>
  </section>
-  <section xml:id="after-invocation"><info><title>After Invocation Handling</title></info>
+  <section xml:id="after-invocation">
-    
+    <info><title>After Invocation Handling</title></info>
    <para>Whilst the <literal>AccessDecisionManager</literal> is called by
    the <literal>AbstractSecurityInterceptor</literal> before proceeding
    with the secure object invocation, some applications need a way of
@ -274,7 +274,6 @@ public boolean supports(Class clazz);</programlisting></para>
        <imageobject>
          <imagedata role="html" align="center" fileref="images/AfterInvocation.gif" format="GIF"/>
        </imageobject>
        <caption>
          <para>Figure 5: After Invocation Implementation</para>
        </caption>
@ -341,22 +340,20 @@ public boolean supports(Class clazz);</programlisting></para>
      <literal>Contact</literal> is all that is available before the
      secure object is invoked. The
      <literal>AclAfterInvocationProvider</literal> delivers a solution,
-      and is configured as follows:</para>
+      and is configured as follows:
-
+<programlisting><![CDATA[
-      <para><programlisting>&lt;bean id="afterAclRead"
+<bean id="afterAclRead"
-          class="org.springframework.security.afterinvocation.AclEntryAfterInvocationProvider"&gt;
+   class="org.springframework.security.afterinvocation.AclEntryAfterInvocationProvider">
-&lt;constructor-arg&gt;
+  <constructor-arg ref="aclService"/>
-&lt;ref bean="aclService"/&gt;
+  <constructor-arg>
-&lt;/constructor-arg&gt;
+    <list>
-&lt;constructor-arg&gt;
+      <ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
-&lt;list&gt;
+      <ref local="org.springframework.security.acls.domain.BasePermission.READ"/>
-  &lt;ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/&gt;
+    </list>
-  &lt;ref local="org.springframework.security.acls.domain.BasePermission.READ"/&gt;
+  </constructor-arg>
-&lt;/list&gt;
+</bean>
-&lt;/constructor-arg&gt;
+]]></programlisting>
-&lt;/bean&gt;      </programlisting></para>
+        In the above example, the <literal>Contact</literal> will be
      <para>In the above example, the <literal>Contact</literal> will be
      retrieved and passed to the
      <literal>AclEntryAfterInvocationProvider</literal>. The provider
      will thrown an <literal>AccessDeniedException</literal> if one of
@ -373,22 +370,20 @@ public boolean supports(Class clazz);</programlisting></para>
      elements for which a principal does not have access. It never thrown
      an <literal>AccessDeniedException</literal> - simply silently
      removes the offending elements. The provider is configured as
-      follows:</para>
+      follows:
-
+<programlisting><![CDATA[
-      <para><programlisting>&lt;bean id="afterAclCollectionRead"
+<bean id="afterAclCollectionRead"
-          class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider"&gt;
+    class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider">
-&lt;constructor-arg&gt;
+  <constructor-arg ref="aclService"/>
-&lt;ref bean="aclService"/&gt;
+  <constructor-arg>
-&lt;/constructor-arg&gt;
+    <list>
-&lt;constructor-arg&gt;
+      <ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
-&lt;list&gt;
+      <ref local="org.springframework.security.acls.domain.BasePermission.READ"/>
-  &lt;ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/&gt;
+    </list>
-  &lt;ref local="org.springframework.security.acls.domain.BasePermission.READ"/&gt;
+  </constructor-arg>
-&lt;/list&gt;
+</bean>
-&lt;/constructor-arg&gt;
+]]>    </programlisting>
-&lt;/bean&gt;    </programlisting></para>
+        As you can imagine, the returned <literal>Object</literal>
      <para>As you can imagine, the returned <literal>Object</literal>
      must be a <literal>Collection</literal> or array for this provider
      to operate. It will remove any element if the
      <literal>AclManager</literal> indicates the
@ -427,16 +422,18 @@ public boolean supports(Class clazz);</programlisting></para>
      <literal>BasicAclAfterInvocationProvider</literal> delivers a
      solution, and is configured as follows:</para>
-      <para><programlisting>&lt;bean id="afterAclRead"
+      <para><programlisting><![CDATA[
-          class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationProvider"&gt;
+<bean id="afterAclRead"
-&lt;property name="aclManager"&gt;&lt;ref local="aclManager"/&gt;&lt;/property&gt;
+    class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationProvider">
-&lt;property name="requirePermission"&gt;
+  <property name="aclManager"><ref local="aclManager"/></property>
-&lt;list&gt;
+  <property name="requirePermission">
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/&gt;
+    <list>
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/&gt;
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
-&lt;/list&gt;
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
-&lt;/property&gt;
+    </list>
-&lt;/bean&gt;       </programlisting></para>
+  </property>
 </bean> 
 ]]>      </programlisting></para>
      <para>In the above example, the <literal>Contact</literal> will be
      retrieved and passed to the
@ -455,20 +452,20 @@ public boolean supports(Class clazz);</programlisting></para>
      elements for which a principal does not have access. It never thrown
      an <literal>AccessDeniedException</literal> - simply silently
      removes the offending elements. The provider is configured as
-      follows:</para>
+      follows:
-
+<programlisting><![CDATA[
-      <para><programlisting>&lt;bean id="afterAclCollectionRead"
+<bean id="afterAclCollectionRead"
-          class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider"&gt;
+    class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider">
-&lt;property name="aclManager"&gt;&lt;ref local="aclManager"/&gt;&lt;/property&gt;
+  <property name="aclManager"><ref local="aclManager"/></property>
-&lt;property name="requirePermission"&gt;
+  <property name="requirePermission">
-&lt;list&gt;
+    <list>
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/&gt;
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
-  &lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/&gt;
+      <ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
-&lt;/list&gt;
+    </list>
-&lt;/property&gt;
+  </property>
-&lt;/bean&gt;       </programlisting></para>
+</bean> 
-
+]]></programlisting>
-      <para>As you can imagine, the returned <literal>Object</literal>
+        As you can imagine, the returned <literal>Object</literal>
      must be a <literal>Collection</literal> or array for this provider
      to operate. It will remove any element if the
      <literal>AclManager</literal> indicates the
@ -490,11 +487,14 @@ public boolean supports(Class clazz);</programlisting></para>
    <para>The following JSP fragment illustrates how to use the
    <literal>AuthorizeTag</literal>:</para>
-    <para><programlisting>&lt;security:authorize ifAllGranted="ROLE_SUPERVISOR"&gt;
+    <para><programlisting>
-&lt;td&gt;
+<![CDATA[
-&lt;A HREF="del.htm?id=&lt;c:out value="${contact.id}"/&gt;"&gt;Del&lt;/A&gt;
+<security:authorize ifAllGranted="ROLE_SUPERVISOR">
-&lt;/td&gt;
+<td>
-&lt;/security:authorize&gt;          </programlisting></para>
+<a href="del.htm?id=<c:out value="${contact.id}"/>">Del</a>
 </td>
 </security:authorize>
 ]]></programlisting></para>
    <para>This tag would cause the tag's body to be output if the
    principal has been granted ROLE_SUPERVISOR.</para>
@ -551,13 +551,13 @@ public boolean supports(Class clazz);</programlisting></para>
    object.</para>
    <para>The following JSP fragment illustrates how to use the
-    <literal>AccessControlListTag</literal>:</para>
+    <literal>AccessControlListTag</literal>:
-
+<programlisting><![CDATA[
-    <para><programlisting>&lt;security:accesscontrollist domainObject="${contact}" hasPermission="8,16"&gt;
+<security:accesscontrollist domainObject="${contact}" hasPermission="8,16">
-&lt;td&gt;&lt;A HREF="&lt;c:url value="del.htm"&gt;&lt;c:param name="contactId" value="${contact.id}"/&gt;&lt;/c:url&gt;"&gt;Del&lt;/A&gt;&lt;/td&gt;
+<td><a href="<c:url value="del.htm"><c:param name="contactId" value="${contact.id}"/></c:url>">Del</a></td>
-&lt;/security:accesscontrollist&gt;</programlisting></para>
+</security:accesscontrollist>
-
+]]></programlisting>
-    <para>This tag would cause the tag's body to be output if the
+    This tag would cause the tag's body to be output if the
    principal holds either permission 16 or permission 1 for the "contact"
    domain object. The numbers are actually integers that are used with
    <literal>BasePermission</literal> bit masking. Please refer to the ACL
--- a/src/docbkx/cas-auth-provider.xml
+++ b/src/docbkx/cas-auth-provider.xml
@ -4,7 +4,6 @@
  <section xml:id="cas-overview">
      <info><title>Overview</title></info>
    <para>JA-SIG produces an enterprise-wide single sign on system known
    as CAS. Unlike other initiatives, JA-SIG's Central Authentication
    Service is open source, widely used, simple to understand, platform
@ -15,22 +14,17 @@
    server.</para>
    <para>You can learn more about CAS at
-    <literal>http://www.ja-sig.org/products/cas/</literal>. You will need
+    <literal>http://www.ja-sig.org/products/cas/</literal>. You will also need
-    to visit this URL to download the CAS Server files. Whilst Spring
+    to visit this site to download the CAS Server files.</para>
    Security includes two CAS libraries in the "-with-dependencies" ZIP
    file, you will still need the CAS Java Server Pages and
    <literal>web.xml</literal> to customise and deploy your CAS
    server.</para>
  </section>
-  <section xml:id="cas-how-it-works"><info><title>How CAS Works</title></info>
+  <section xml:id="cas-how-it-works">
    <info><title>How CAS Works</title></info>
-
+    <para>Whilst the CAS web site contains documents that detail
    <para>Whilst the CAS web site above contains two documents that detail
    the architecture of CAS, we present the general overview again here
-    within the context of Spring Security. The following refers to both
+    within the context of Spring Security. Spring Security 2.0 supports
-    CAS 2.0 (produced by Yale) and CAS 3.0 (produced by JA-SIG), being the
+    CAS 3. At the time of writing, the CAS server was at version 3.2.</para>
    versions of CAS that Spring Security supports.</para>
    <para>Somewhere in your enterprise you will need to setup a CAS
    server. The CAS server is simply a standard WAR file, so there isn't
@ -38,69 +32,27 @@
    you will customise the login and other single sign on pages displayed
    to users.</para>
-    <para>If you are deploying CAS 2.0, you will also need to specify in
+    <para>When deploying a CAS 3.2 server, you will also need to specify an
    the web.xml a <literal>PasswordHandler</literal>. The
    <literal>PasswordHandler</literal> has a simple method that returns a
    boolean as to whether a given username and password is valid. Your
    <literal>PasswordHandler</literal> implementation will need to link
    into some type of backend authentication repository, such as an LDAP
    server or database.</para>
    <para>If you are already running an existing CAS 2.0 server instance,
    you will have already established a
    <literal>PasswordHandler</literal>. If you do not already have a
    <literal>PasswordHandler</literal>, you might prefer to use Spring
    Security's <literal>CasPasswordHandler</literal> class. This class
    delegates through to the standard Spring Security
    <literal>AuthenticationManager</literal>, enabling you to use a
    security configuration you might already have in place. You do not
    need to use the <literal>CasPasswordHandler</literal> class on your
    CAS server if you do not wish. Spring Security will function as a CAS
    client successfully irrespective of the
    <literal>PasswordHandler</literal> you've chosen for your CAS
    server.</para>
    <para>If you are deploying CAS 3.0, you will also need to specify an
    <literal>AuthenticationHandler</literal> in the
-    deployerConfigContext.xml included with CAS. The
+    <filename>deployerConfigContext.xml</filename> included with CAS. The
    <literal>AuthenticationHandler</literal> has a simple method that
    returns a boolean as to whether a given set of Credentials is valid.
    Your <literal>AuthenticationHandler</literal> implementation will need
    to link into some type of backend authentication repository, such as
    an LDAP server or database. CAS itself includes numerous
    <literal>AuthenticationHandler</literal>s out of the box to assist
-    with this.</para>
+    with this. When you download and deploy the server war file, it is set up
    to successfully authenticate users who enter a password matching their
    username, which is sueful for testing.</para>
-    <para>If you are already running an existing CAS 3.0 server instance,
+    <para>Apart from the CAS server itself, the other key players are of
    you will have already established an
    <literal>AuthenticationHandler</literal>. If you do not already have
    an <literal>AuthenticationHandler</literal>, you might prefer to use
    Spring Security <literal>CasAuthenticationHandler</literal> class.
    This class delegates through to the standard Spring Security
    <literal>AuthenticationManager</literal>, enabling you to use a
    security configuration you might already have in place. You do not
    need to use the <literal>CasAuthenticationHandler</literal> class on
    your CAS server if you do not wish. Spring Security will function as a
    CAS client successfully irrespective of the
    <literal>AuthenticationHandler</literal> you've chosen for your CAS
    server.</para>
    <para>Apart from the CAS server itself, the other key player is of
    course the secure web applications deployed throughout your
    enterprise. These web applications are known as "services". There are
    two types of services: standard services and proxy services. A proxy
    service is able to request resources from other services on behalf of
    the user. This will be explained more fully later.</para>
-    <para>Services can be developed in a large variety of languages, due
+    <para>The basic interaction between a web browser, CAS server and a
    to CAS 2.0's very light XML-based protocol. The JA-SIG CAS home page
    contains a clients archive which demonstrates CAS clients in Java,
    Active Server Pages, Perl, Python and others. Naturally, Java support
    is very strong given the CAS server is written in Java. You do not
    need to use any of CAS' client classes in applications secured by
    Spring Security. This is handled transparently for you.</para>
    <para>The basic interaction between a web browser, CAS server and n
    Spring Security-secured service is as follows:</para>
    <orderedlist inheritnum="ignore" continuation="restarts">
--- a/src/docbkx/channel-security.xml
+++ b/src/docbkx/channel-security.xml
@ -1,11 +1,10 @@
-<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="channel-security">
+<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="channel-security" xmlns:xlink="http://www.w3.org/1999/xlink">
 <info><title>Channel Security</title></info>
 <section xml:id="channel-security-overview">
    <info><title>Overview</title></info>
    <para>In addition to coordinating the authentication and authorization
        requirements of your application, Spring Security is also able to
        ensure unauthenticated web requests have certain properties. These
@ -35,14 +34,16 @@
        Security provides a solution to assist with the latter.</para>
 </section>
-<section xml:id="channel-security-config"><info><title>Configuration</title></info>
+<section xml:id="channel-security-config">
-    
+    <info><title>Configuration</title></info>
-        
+    <para>Channel security is supported by the <link xlink:href="#namespace-auto-config">security namespace</link>
-    <para>To use chanel security, you should define the following the filter in your application
+        by means of the <literal>requires-channel</literal> attribute on the <literal>&lt;intercept-url&gt;</literal>
        element and this is the simplest (and recommended approach)</para>
    <para>To confiure channel security explicitly, you would define the following the filter in your application
        context:</para>
    <para><programlisting> 
-    &lt;bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter"&gt;
+&lt;bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter"&gt;
  &lt;property name="channelDecisionManager" ref="channelDecisionManager"/&gt;
  &lt;property name="filterInvocationDefinitionSource"&gt;
    &lt;security:filter-invocation-definition-source path-type="regex"&gt;
@ -54,18 +55,17 @@
  &lt;/property&gt;
  &lt;/bean&gt;
-    &lt;bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl"&gt;
+&lt;bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl"&gt;
  &lt;property name="channelProcessors"&gt;
    &lt;list&gt;
    &lt;ref bean="secureChannelProcessor"/&gt;
    &lt;ref bean="insecureChannelProcessor"/&gt;
    &lt;/list&gt;
  &lt;/property&gt;
-    &lt;/bean&gt;
+&lt;/bean&gt;
    &lt;bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/&gt;
    &lt;bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/&gt;
 &lt;bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/&gt;
 &lt;bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/&gt;         
    </programlisting></para>
    <para>Like <literal>FilterSecurityInterceptor</literal>, Apache Ant
@ -124,8 +124,8 @@
        property is <literal>true</literal>.</para>
 </section>
-<section xml:id="channel-security-conclusion"><info><title>Conclusion</title></info>
+<section xml:id="channel-security-conclusion">
-    
+    <info><title>Conclusion</title></info>
    <para>Once configured, using the channel security filter is very easy.
        Simply request pages without regard to the protocol (ie HTTP or HTTPS)
--- a/src/docbkx/common-auth-services.xml
+++ b/src/docbkx/common-auth-services.xml
@ -1,9 +1,10 @@
-<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="authentication-common-auth-services">
+<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="authentication-common-auth-services" xmlns:xlink="http://www.w3.org/1999/xlink">
  <info><title>Common Authentication Services</title></info>
  <section xml:id="mechanisms-providers-entry-points">
-    <info><title>Mechanisms, Providers and Entry Points</title></info>
+    <info>
-    
+      <title>Mechanisms, Providers and Entry Points</title>
    </info>
    <para>If you're using Spring Security-provided authentication
    approaches, you'll usually need to configure a web filter, together
@ -20,15 +21,15 @@
    this:</para>
    <para><programlisting><![CDATA[
-    <filter>
+<filter>
    <filter-name>filterChainProxy</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-    </filter>
+</filter>
-    <filter-mapping>
+<filter-mapping>
  <filter-name>filterChainProxy</filter-name>
  <url-pattern>/*</url-pattern>
-    </filter-mapping>]]>
+</filter-mapping>]]>
 </programlisting></para>
    <para>The above declarations will cause every web request to be passed
@ -184,21 +185,22 @@
    header or HTTP redirect in order to start authentication. Continuing
    on with our earlier example:</para>
-    <para><programlisting>&lt;bean id="exceptionTranslationFilter"
+    <para><programlisting><![CDATA[
-        class="org.springframework.security.ui.ExceptionTranslationFilter"&gt;
+<bean id="exceptionTranslationFilter"
-&lt;property name="authenticationEntryPoint"&gt;&lt;ref local="authenticationProcessingFilterEntryPoint"/&gt;&lt;/property&gt;
+        class="org.springframework.security.ui.ExceptionTranslationFilter">
-&lt;property name="accessDeniedHandler"&gt;
+  <property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint"/>
-&lt;bean class="org.springframework.security.ui.AccessDeniedHandlerImpl"&gt;
+  <property name="accessDeniedHandler">
-  &lt;property name="errorPage" value="/accessDenied.jsp"/&gt;
+    <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
-&lt;/bean&gt;
+      <property name="errorPage" value="/accessDenied.jsp"/>
-&lt;/property&gt;
+    </bean>
-&lt;/bean&gt;
+  </property>
 </bean>
-&lt;bean id="authenticationProcessingFilterEntryPoint"
+<bean id="authenticationProcessingFilterEntryPoint"
-        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint"&gt;
+        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
-&lt;property name="loginFormUrl"&gt;&lt;value&gt;/acegilogin.jsp&lt;/value&gt;&lt;/property&gt;
+  <property name="loginFormUrl" value="/login.jsp"/>
-&lt;property name="forceHttps"&gt;&lt;value&gt;false&lt;/value&gt;&lt;/property&gt;
+  <property name="forceHttps">< value="false"/>
-&lt;/bean&gt;</programlisting></para>
+</bean>]]></programlisting></para>
    <para>Notice that the <literal>ExceptionTranslationFilter</literal>
    requires two collaborators. The first,
@ -270,9 +272,8 @@
    that, Spring Security does include a couple of useful base
    implementations, which we'll look at below.</para>
-    <section xml:id="in-memory-service"><info><title>In-Memory Authentication</title></info>
+    <section xml:id="in-memory-service">
-      
+      <info><title>In-Memory Authentication</title></info>
      <para>Whilst it is easy to use create a custom
      <literal>UserDetailsService</literal> implementation that extracts
      information from a persistence engine of choice, many applications
@ -281,52 +282,34 @@
      Security, when you don't really want to spend time configuring
      databases or writing <literal>UserDetailsService</literal>
      implementations. For this sort of situation, a simple option is to
-      configure the <literal>InMemoryDaoImpl</literal>
+      use the <literal>user-service</literal> element from the security 
-      implementation:</para>
+        <link xlink:href="#namespace-minimal" >namespace</link>:
-
+<programlisting><![CDATA[
-      <para><programlisting>&lt;bean id="inMemoryDaoImpl"
+    <user-service id="userDetailsService">
-          class="org.springframework.security.userdetails.memory.InMemoryDaoImpl"&gt;
+      <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
-&lt;property name="userMap"&gt;
+      <user name="bob" password="bobspassword" authorities="ROLE_USER" />
-&lt;value&gt;
+    </user-service>
-  rod=koala,ROLE_TELLER,ROLE_SUPERVISOR
+  ]]>
-  dianne=emu,ROLE_TELLER
+</programlisting>
-  scott=wombat,ROLE_TELLER
+        This also suppots the use of an external properties file:
-  peter=opal,disabled,ROLE_TELLER
+        <programlisting><![CDATA[
-&lt;/value&gt;
+    <user-service id="userDetailsService" properties="users.properties"/>
-&lt;/property&gt;
+  ]]>
-&lt;/bean&gt;        </programlisting></para>
+        </programlisting>
-
+        The properties file should contain entries in the form
-      <para>In the above example, the <literal>userMap</literal> property
+<programlisting>
-      contains each of the usernames, passwords, a list of granted
+  username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
-      authorities and an optional enabled/disabled keyword. Commas are
+</programlisting>
-      used to delimit each token. The username must appear to the left of
+        For example
-      the equals sign, and the password must be the first token to the
+<programlisting>
-      right of the equals sign. The <literal>enabled</literal> and
+  jimi=jimispassword,ROLE_USER,ROLE_ADMIN,enabled
-      <literal>disabled</literal> keywords (case insensitive) may appear
+  bob=bobspassword,ROLE_USER,enabled  
-      in the second or any subsequent token. Any remaining tokens are
+</programlisting>
-      treated as granted authorities, which are created as
+      </para>
      <literal>GrantedAuthorityImpl</literal> objects (this is just for
      your reference - most applications don't need custom
      <literal>GrantedAuthority</literal> implementations, so using the
      default implementation in this manner is just fine). Note that if a
      user has no password and/or no granted authorities, the user will
      not be created in the in-memory authentication repository.</para>
      <para><literal>InMemoryDaoImpl</literal> also offers a
      <literal>setUserProperties(Properties)</literal> method, which
      allows you to externalise the
      <literal>java.util.Properties</literal> in another Spring configured
      bean or an external properties file. You might like to use Spring's
      <literal>PropertiesFactoryBean</literal>, which is useful for
      loading such external properties files. This setter might prove
      useful for simple applications that have a larger number of users,
      or deployment-time configuration changes, but do not wish to use a
      full database for handling authentication details.</para>
    </section>
-    <section xml:id="jdbc-service"><info><title>JDBC Authentication</title></info>
+    <section xml:id="jdbc-service">
-      
+      <info><title>JDBC Authentication</title></info>
      <para>Spring Security also includes a
      <literal>UserDetailsService</literal> that can obtain authentication
      information from a JDBC data source. Internally Spring JDBC is used,
@ -338,16 +321,18 @@
      <literal>JdbcDaoImpl</literal>, an example configuration is shown
      below:</para>
-      <para><programlisting>&lt;bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"&gt;
+      <para><programlisting>
-&lt;property name="driverClassName"&gt;&lt;value&gt;org.hsqldb.jdbcDriver&lt;/value&gt;&lt;/property&gt;
+<![CDATA[
-&lt;property name="url"&gt;&lt;value&gt;jdbc:hsqldb:hsql://localhost:9001&lt;/value&gt;&lt;/property&gt;
+<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
-&lt;property name="username"&gt;&lt;value&gt;sa&lt;/value&gt;&lt;/property&gt;
+  <property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
-&lt;property name="password"&gt;&lt;value&gt;&lt;/value&gt;&lt;/property&gt;
+  <property name="url" value="jdbc:hsqldb:hsql://localhost:9001"/>
-&lt;/bean&gt;
+  <property name="username" value="sa"/>
  <property name="password" value=""/>
 </bean>
-&lt;bean id="jdbcDaoImpl" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl"&gt;
+<bean id="jdbcDaoImpl" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
-&lt;property name="dataSource"&gt;&lt;ref bean="dataSource"/&gt;&lt;/property&gt;
+  <property name="dataSource" ref="dataSource"/>
-&lt;/bean&gt;        </programlisting></para>
+</bean> ]]>       </programlisting></para>
      <para>You can use different relational database management systems
      by modifying the <literal>DriverManagerDataSource</literal> shown
@ -372,8 +357,8 @@
    </section>
  </section>
-  <section xml:id="concurrent-sessions"><info><title>Concurrent Session Handling</title></info>
+  <section xml:id="concurrent-sessions">
-    
+    <info><title>Concurrent Session Handling</title></info>
    <para>Spring Security is able to prevent a principal from concurrently
    authenticating to the same application more than a specified number of
@ -411,40 +396,42 @@
    <literal>ConcurrentSessionControllerImpl</literal> and refer to it
    from your <literal>ProviderManager</literal> bean:</para>
-    <para><programlisting>&lt;bean id="authenticationManager"
+    <para>
-        class="org.springframework.security.providers.ProviderManager"&gt;
+      <programlisting><![CDATA[
-&lt;property name="providers"&gt;
+<bean id="authenticationManager"
-&lt;!-- your providers go here --&gt;
+    class="org.springframework.security.providers.ProviderManager">
-&lt;/property&gt;
+  <property name="providers">
-&lt;property name="sessionController"&gt;&lt;ref bean="concurrentSessionController"/&gt;&lt;/property&gt;
+    <!-- your providers go here -->
-&lt;/bean&gt;
+  </property>
  <property name="sessionController" ref="concurrentSessionController"/>
 </bean>
-&lt;bean id="concurrentSessionController"
+<bean id="concurrentSessionController"
-        class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl"&gt;
+    class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
-&lt;property name="maximumSessions"&gt;&lt;value&gt;1&lt;/value&gt;&lt;/property&gt;
+  <property name="maximumSessions" value="1"/>
-&lt;property name="sessionRegistry"&gt;&lt;ref local="sessionRegistry"/&gt;&lt;/property&gt;
+  <property name="sessionRegistry">
-&lt;/bean&gt;
+    <bean class="org.springframework.security.concurrent.SessionRegistryImpl"/>
-
+  <property>
-&lt;bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl"/&gt;</programlisting></para>
+</bean>
 ]]></programlisting></para>
  </section>
-  <section xml:id="authentication-taglibs"><info><title>Authentication Tag Libraries</title></info>
+  <section xml:id="authentication-taglibs">
-    
+    <info><title>Authentication Tag Libraries</title></info>
    <para><literal>AuthenticationTag</literal> is used to simply output a
-    property of the current principal's
+    property of the current <literal>Authentication</literal> object to the web
    <literal>Authentication.getPrincipal()</literal> object to the web
    page.</para>
    <para>The following JSP fragment illustrates how to use the
    <literal>AuthenticationTag</literal>:</para>
-    <para><programlisting>&lt;security:authentication operation="username"/&gt;</programlisting></para>
+    <para><programlisting>&lt;security:authentication property="principal.username"/&gt;</programlisting></para>
    <para>This tag would cause the principal's name to be output. Here we
    are assuming the <literal>Authentication.getPrincipal()</literal> is a
    <literal>UserDetails</literal> object, which is generally the case
-    when using the typical
+    when using one of Spring Security's stadard <literal>AuthenticationProvider</literal>
-    <literal>DaoAuthenticationProvider</literal>.</para>
+      implementations.</para>
  </section>
 </chapter>
--- a/src/docbkx/dao-auth-provider.xml
+++ b/src/docbkx/dao-auth-provider.xml
@ -1,8 +1,9 @@
-<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dao-provider"><info><title>DAO Authentication Provider</title></info>
+<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dao-provider">
 <info><title>DAO Authentication Provider</title></info>
-<section xml:id="dao-provider-overview"><info><title>Overview</title></info>
+<section xml:id="dao-provider-overview">
-    
+    <info><title>Overview</title></info>
    <para>Spring Security includes a production-quality
        <literal>AuthenticationProvider</literal> implementation called
@ -20,8 +21,8 @@
        object.</para>
 </section>
-<section xml:id="dao-provider-config"><info><title>Configuration</title></info>
+<section xml:id="dao-provider-config">
-    
+    <info><title>Configuration</title></info>
    <para>Aside from adding DaoAuthenticationProvider to your
        ProviderManager list (as discussed at the start of this part of the
@ -29,12 +30,15 @@
        configured to present a UsernamePasswordAuthenticationToken, the
        configuration of the provider itself is rather simple:</para>
-    <para><programlisting>&lt;bean id="daoAuthenticationProvider"
+    <para><programlisting>
-        class="org.springframework.security.providers.dao.DaoAuthenticationProvider"&gt;
+        <![CDATA[
-        &lt;property name="userDetailsService"&gt;&lt;ref bean="inMemoryDaoImpl"/&gt;&lt;/property&gt;
+<bean id="daoAuthenticationProvider"
-        &lt;property name="saltSource"&gt;&lt;ref bean="saltSource"/&gt;&lt;/property&gt;
+    class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
-        &lt;property name="passwordEncoder"&gt;&lt;ref bean="passwordEncoder"/&gt;&lt;/property&gt;
+  <property name="userDetailsService" ref="inMemoryDaoImpl"/>
-        &lt;/bean&gt;        </programlisting></para>
+  <property name="saltSource" ref bean="saltSource"/>
  <property name="passwordEncoder" ref="passwordEncoder"/>
 </bean>  ]]>      
    </programlisting></para>
    <para>The <literal>PasswordEncoder</literal> and
        <literal>SaltSource</literal> are optional. A
@ -65,31 +69,26 @@
        A usable caching implementation is also provided,
        <literal>EhCacheBasedUserCache</literal>, which is configured as
        follows:</para>
    <para><programlisting><![CDATA[
 <bean id="daoAuthenticationProvider"
    class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService"><ref bean="userDetailsService"/></property>
  <property name="userCache"><ref bean="userCache"/></property>
 </bean>
-    <para><programlisting>&lt;bean id="daoAuthenticationProvider"
+<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
-        class="org.springframework.security.providers.dao.DaoAuthenticationProvider"&gt;
+  <property name="configLocation" value="classpath:/ehcache-failsafe.xml"/>
-        &lt;property name="userDetailsService"&gt;&lt;ref bean="userDetailsService"/&gt;&lt;/property&gt;
+</bean>
        &lt;property name="userCache"&gt;&lt;ref bean="userCache"/&gt;&lt;/property&gt;
        &lt;/bean&gt;
-        &lt;bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"&gt;
+<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
-        &lt;property name="configLocation"&gt;
+  <property name="cacheManager" ref="cacheManager"/>
-        &lt;value&gt;classpath:/ehcache-failsafe.xml&lt;/value&gt;
+  <property name="cacheName" value="userCache"/>
-        &lt;/property&gt;
+</bean>
        &lt;/bean&gt;
-        &lt;bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"&gt;
+<bean id="userCache" class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache">
-        &lt;property name="cacheManager"&gt;
+  <property name="cache" ref="userCacheBackend"/>
-        &lt;ref local="cacheManager"/&gt;
+</bean>]]>        
-        &lt;/property&gt;
+    </programlisting></para>
        &lt;property name="cacheName"&gt;
        &lt;value&gt;userCache&lt;/value&gt;
        &lt;/property&gt;
        &lt;/bean&gt;
        &lt;bean id="userCache" class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache"&gt;
        &lt;property name="cache"&gt;&lt;ref local="userCacheBackend"/&gt;&lt;/property&gt;
        &lt;/bean&gt;        </programlisting></para>
    <para>All Spring Security EH-CACHE implementations (including
        <literal>EhCacheBasedUserCache</literal>) require an EH-CACHE
--- a/src/docbkx/digest-authentication.xml
+++ b/src/docbkx/digest-authentication.xml
@ -33,7 +33,8 @@
            This is a value the server generates. Spring Security's nonce adopts
            the following format:</para>
-        <para><programlisting>base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
+        <para><programlisting>
    base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
    expirationTime:   The date and time when the nonce expires, expressed in milliseconds
    key:              A private key to prevent modification of the nonce token
@ -89,18 +90,20 @@
            collaborators:</para>
        <para><programlisting>
-            &lt;bean id="digestProcessingFilter" class="org.springframework.security.ui.digestauth.DigestProcessingFilter"&gt;
+<![CDATA[
-            &lt;property name="userDetailsService"&gt;&lt;ref local="jdbcDaoImpl"/&gt;&lt;/property&gt;
+<bean id="digestProcessingFilter" 
-            &lt;property name="authenticationEntryPoint"&gt;&lt;ref local="digestProcessingFilterEntryPoint"/&gt;&lt;/property&gt;
+    class="org.springframework.security.ui.digestauth.DigestProcessingFilter">
-            &lt;property name="userCache"&gt;&lt;ref local="userCache"/&gt;&lt;/property&gt;
+  <property name="userDetailsService" ref="jdbcDaoImpl"/>
-            &lt;/bean&gt;
+  <property name="authenticationEntryPoint" ref="digestProcessingFilterEntryPoint"/>
  <property name="userCache" ref="userCache"/>
 </bean>
-            &lt;bean id="digestProcessingFilterEntryPoint"
+<bean id="digestProcessingFilterEntryPoint"
-            class="org.springframework.security.ui.digestauth.DigestProcessingFilterEntryPoint"&gt;
+    class="org.springframework.security.ui.digestauth.DigestProcessingFilterEntryPoint">
-            &lt;property name="realmName"&gt;&lt;value&gt;Contacts Realm via Digest Authentication&lt;/value&gt;&lt;/property&gt;
+  <property name="realmName" value="Contacts Realm via Digest Authentication"/>
-            &lt;property name="key"&gt;&lt;value&gt;acegi&lt;/value&gt;&lt;/property&gt;
+  <property name="key" value="acegi"/>
-            &lt;property name="nonceValiditySeconds"&gt;&lt;value&gt;10&lt;/value&gt;&lt;/property&gt;
+  <property name="nonceValiditySeconds" value="10"/>
-            &lt;/bean&gt;
+</bean>]]>
        </programlisting></para>
--- a/src/docbkx/form-authentication.xml
+++ b/src/docbkx/form-authentication.xml
@ -20,14 +20,14 @@
            monitored by the filter (by default
            <literal>j_spring_security_check</literal>). You should add an 
            <literal>AuthenticationProcessingFilter</literal> to you application context:
-            <programlisting>             
+            <programlisting><![CDATA[    
-    &lt;bean id="authenticationProcessingFilter"
+<bean id="authenticationProcessingFilter"
-            class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter"&gt;
+    class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
-        &lt;property name="authenticationManager" ref="authenticationManager"/&gt;
+  <property name="authenticationManager" ref="authenticationManager"/>
-        &lt;property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/&gt;
+  <property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
-        &lt;property name="defaultTargetUrl" value="/"/&gt;
+  <property name="defaultTargetUrl" value="/"/>
-        &lt;property name="filterProcessesUrl" value="/j_spring_security_check"/&gt;
+  <property name="filterProcessesUrl" value="/j_spring_security_check"/>
-    &lt;/bean&gt;         
+</bean> ]]>        
            </programlisting></para>
        <para>The configured <literal>AuthenticationManager</literal>
--- a/src/docbkx/jaas-auth-provider.xml
+++ b/src/docbkx/jaas-auth-provider.xml
@ -21,19 +21,16 @@
        <para>Let’s assume we have a JAAS login configuration file,
            <literal>/WEB-INF/login.conf</literal>, with the following
-            contents:</para>
+            contents:
-        
+<programlisting>
-        <para><programlisting>JAASTest {
+JAASTest {
    sample.SampleLoginModule required;
-            };</programlisting></para>
+};</programlisting></para>      
        <para>Like all Spring Security beans, the
            <literal>JaasAuthenticationProvider</literal> is configured via the
            application context. The following definitions would correspond to the
-            above JAAS login configuration file:</para>
+            above JAAS login configuration file:
-        
+<programlisting><![CDATA[
        <para><programlisting>
             <![CDATA[
 <bean id="jaasAuthenticationProvider"
            class="org.springframework.security.providers.jaas.JaasAuthenticationProvider">
  <property name="loginConfig" value="/WEB-INF/login.conf"/>
@ -50,8 +47,7 @@
    </list>
  </property>
 </bean> 
-]]>
+]]></programlisting></para>
        </programlisting></para>
        <para>The <literal>CallbackHandler</literal>s and
            <literal>AuthorityGranter</literal>s are discussed below.</para>
@ -99,7 +95,6 @@
        <section xml:id="jaas-authoritygranter">
            <info><title xml:id="jaas-authority-granter">JAAS AuthorityGranter</title></info>
            <para>JAAS works with principals. Even "roles" are represented as
                principals in JAAS. Spring Security, on the other hand, works with
                <literal>Authentication</literal> objects. Each
--- a/src/docbkx/ldap-auth-provider.xml
+++ b/src/docbkx/ldap-auth-provider.xml
@ -112,8 +112,8 @@
            </info>
            <para>
                This is the most common LDAP authentication scenario.
-                <programlisting>
+                <programlisting><![CDATA[
-        <![CDATA[<ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
+    <ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
                     ]]></programlisting>
                This simple example would obtain the DN for the user by substituting the user login
                name in the supplied pattern and attempting to bind as that user with the login
@ -329,8 +329,7 @@
            </info>
            <para>A typical configuration, using some of the beans we've discussed here, might look
                like this:
-                <programlisting>   
+                <programlisting><![CDATA[
 <![CDATA[
 <bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
@ -343,7 +342,9 @@
  <constructor-arg>
    <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg ref="contextSource"/>
-            <property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property>
+      <property name="userDnPatterns">
        <list><value>uid={0},ou=people</value></list>
      </property>
    </bean>
  </constructor-arg>
  <constructor-arg>
@ -370,14 +371,12 @@
                <literal>(uid=&lt;user-login-name&gt;)</literal>
                for use instead of the DN-pattern (or in addition to it), you would configure the
                following bean
-                <programlisting>
+                <programlisting><![CDATA[
 <![CDATA[
 <bean id="userSearch"
    class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <constructor-arg index="0" value=""/>
  <constructor-arg index="1" value="(uid={0})"/>
  <constructor-arg index="2" ref="contextSource" />
    <property name="searchSubtree" value="true"/>
 </bean> ]]>                    
                </programlisting>
                and use it by setting the authenticator's
--- a/src/docbkx/namespace-config.xml
+++ b/src/docbkx/namespace-config.xml
@ -141,15 +141,15 @@
  <url-pattern>/*</url-pattern>
 </filter-mapping>]]>   
      </programlisting>
-      This provides a hook into the Spring Security web infrastructure. You can find more details
+      This provides a hook into the Spring Security web infrastructure. <!-- You can find more details
      of how this works in
-      <link xlink:href="#todo">TODO</link>. You're then ready to start editing your application
+      <link xlink:href="#todo">TODO</link>-->. You're then ready to start editing your application
      context file. Web security services are configured using the <literal>&lt;http&gt;</literal>
      element. 
      </para>
    </section>
-    <section>
+    <section xml:id="namespace-minimal">
      <info>
        <title>A Minimal <literal>&lt;http&gt;</literal>Configuration</title>
      </info>
@ -206,7 +206,7 @@
        login page, but the namespace offers plenty of options to allow you to customize this
        kind of thing.
      </para>
-      <section>
+      <section xml:id="namespace-auto-config">
        <title>What does <literal>auto-config</literal> Include?</title>
        <para>
          The <literal>auto-config</literal> attribute, as we have used it above, is just a 
@ -281,13 +281,13 @@
          Often your password data will be encoded using a hashing algorithm. This is supported by the <literal>&lt;password-encoder&gt;</literal>
          element. With SHA encoded passwords, the original authentication provider configuration would look like this: 
          <programlisting><![CDATA[
-  <authentication-provider>
+<authentication-provider>
  <password-encoder hash="sha"/>
  <user-service>
    <user name="jimi" password="d7e6351eaa13189a5a3641bab846c8e8c69ba39f" authorities="ROLE_USER, ROLE_ADMIN" />
    <user name="bob" password="4e7421b1b8765d8f9406d87e7cc6aa784c4ab97f" authorities="ROLE_USER" />
  </user-service>
-  </authentication-provider>
+</authentication-provider>
  ]]>
          </programlisting> 
        </para>
@ -296,9 +296,9 @@
          Ideally you would want to use a randomly generated salt value for each user, but you can use any property of the <classname>UserDetails</classname>
          object which is loaded by your <classname>UserDetailsService</classname>. For example, to use the <literal>username</literal> property, you would use
          <programlisting><![CDATA[
-    <password-encoder hash="sha">
+<password-encoder hash="sha">
  <salt-source user-property="username"/>
-    </password-encoder>
+</password-encoder>
    ]]></programlisting>
          You can use a custom password encoder bean by using the <literal>ref</literal> attribute of <literal>password-encoder</literal>. This should
          contain the name of a bean in the application context which is an instance of Spring Security's <interfacename>PasswordEncoder</interfacename>
@ -306,5 +306,35 @@
        </para>
      </section>
    </section>
    <section xml:id="namespace-requires-channel">
      <title>Adding HTTP/HTTPS Channel Security</title>
      <para>If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is
        directly supported using the <literal>requires-channel</literal> attribute on <literal>&lt;intercept-url&gt;</literal>:
 <programlisting><![CDATA[
 <http>
  <intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
  <intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>  
  ...
 </http>]]>
 </programlisting>
        With this configuration in place, if a user attempts to access anything matching the "/secure/**"
        pattern using HTTP, they will first be redirected to an HTTPS URL.        
        The available options are "http", "https" or "any". Using the value "any" means that either HTTP or HTTPS
        can be used.
      </para>
      <para>
        If your application uses non-standard ports for HTTP and/or HTTPS, you can specify a list of port mappings as follows:
 <programlisting>        
 <![CDATA[     
 <http>
  ...
  <port-mappings>
    <port-mapping http="9080" https="9443"/>
  </port-mappings>
 </http>]]>
 </programlisting>
        You can find a more in-depth discussion of channel security in <xref xlink:href="#channel-security"/>.
      </para>
    </section>
  </section>
 </chapter>
--- a/src/docbkx/remember-me-authentication.xml
+++ b/src/docbkx/remember-me-authentication.xml
@ -25,13 +25,13 @@
        via hooks in the <literal>AbstractProcessingFilter</literal>
        superclass. The hooks will invoke a concrete
        <literal>RememberMeServices</literal> at the appropriate times. The
-        interface looks like this:</para>
+        interface looks like this:
-    
+    <programlisting>
-    <para><programlisting>public Authentication autoLogin(HttpServletRequest request, HttpServletResponse response);
+  Authentication autoLogin(HttpServletRequest request, HttpServletResponse response);
-        public void loginFail(HttpServletRequest request, HttpServletResponse response);
+  void loginFail(HttpServletRequest request, HttpServletResponse response);
-        public void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication);</programlisting></para>
+  void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication);
-    
+    </programlisting>
-    <para>Please refer to JavaDocs for a fuller discussion on what the
+        Please refer to JavaDocs for a fuller discussion on what the
        methods do, although note at this stage
        <literal>AbstractProcessingFilter</literal> only calls the
        <literal>loginFail()</literal> and <literal>loginSuccess()</literal>
@ -53,12 +53,13 @@
        the browser upon successful interactive authentication, with that
        cookie being composed as follows:</para>
-    <para><programlisting>base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" password + ":" + key))
+    <para><programlisting>
 base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" password + ":" + key))
-        username:         As identifiable to TokenBasedRememberMeServices.getUserDetailsService()
+username:         As identifiable to TokenBasedRememberMeServices.getUserDetailsService()
-        password:         That matches the relevant UserDetails retrieved from TokenBasedRememberMeServices.getUserDetailsService()
+password:         That matches the relevant UserDetails retrieved from TokenBasedRememberMeServices.getUserDetailsService()
-        expirationTime:   The date and time when the remember-me token expires, expressed in milliseconds
+expirationTime:   The date and time when the remember-me token expires, expressed in milliseconds
-        key:              A private key to prevent modification of the remember-me token
+key:              A private key to prevent modification of the remember-me token
    </programlisting></para>
    <para>As such the remember-me token is valid only for the period
@ -90,21 +91,22 @@
        remember-me services are as follows:</para>
    <para><programlisting>
-        &lt;bean id="rememberMeProcessingFilter"
+<![CDATA[        
-        class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter"&gt;
+<bean id="rememberMeProcessingFilter"
-        &lt;property name="rememberMeServices"&gt;&lt;ref local="rememberMeServices"/&gt;&lt;/property&gt;
+    class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
-        &lt;/bean&gt;
+  <property name="rememberMeServices" ref="rememberMeServices"/>
 </bean>
-        &lt;bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices"&gt;
+<bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
-        &lt;property name="userDetailsService"&gt;&lt;ref local="jdbcDaoImpl"/&gt;&lt;/property&gt;
+  <property name="userDetailsService" ref="jdbcDaoImpl"/>
-        &lt;property name="key"&gt;&lt;value&gt;springRocks&lt;/value&gt;&lt;/property&gt;
+  <property name="key" value="springRocks"/>
-        &lt;/bean&gt;
+</bean>
        &lt;bean id="rememberMeAuthenticationProvider"
        class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider"&gt;
        &lt;property name="key"&gt;&lt;value&gt;springRocks&lt;/value&gt;&lt;/property&gt;
        &lt;/bean&gt;
 <bean id="rememberMeAuthenticationProvider"
    class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
  <property name="key" value="springRocks"/>
 </bean>
 ]]>        
    </programlisting>Don't forget to add your
        <literal>RememberMeServices</literal> implementation to your
        <literal>AuthenticationProcessingFilter.setRememberMeServices()</literal>
--- a/src/docbkx/runas-auth-provider.xml
+++ b/src/docbkx/runas-auth-provider.xml
@ -1,8 +1,8 @@
 <chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="runas"><info><title>Run-As Authentication Replacement</title></info>
-    <section xml:id="runas-overview"><info><title>Overview</title></info>
+    <section xml:id="runas-overview">
-        
+        <info><title>Overview</title></info>
        <para>The <literal>AbstractSecurityInterceptor</literal> is able to
            temporarily replace the <literal>Authentication</literal> object in
@ -28,15 +28,15 @@
            are particularly useful when calling remote web services</para>
    </section>
-    <section xml:id="runas-config"><info><title>Configuration</title></info>
+    <section xml:id="runas-config">
-        
+        <info><title>Configuration</title></info>
-        
+        <para>A <literal>RunAsManager</literal> interface is provided by Spring Security:
-        <para>A <literal>RunAsManager</literal> interface is provided by Acegi
+            <programlisting>
-            Security:</para>
+  Authentication buildRunAs(Authentication authentication, Object object, ConfigAttributeDefinition config);
-        
+  boolean supports(ConfigAttribute attribute);
-        <para><programlisting>public Authentication buildRunAs(Authentication authentication, Object object, ConfigAttributeDefinition config);
+  boolean supports(Class clazz);
-            public boolean supports(ConfigAttribute attribute);
+            </programlisting>
-            public boolean supports(Class clazz);</programlisting></para>
+        </para>
        <para>The first method returns the <literal>Authentication</literal>
            object that should replace the existing
@ -84,20 +84,17 @@
            the hash of a key is stored in all generated tokens. The
            <literal>RunAsManagerImpl</literal> and
            <literal>RunAsImplAuthenticationProvider</literal> is created in the
-            bean context with the same key:</para>
+            bean context with the same key:
-        
+            <programlisting>
-        <para><programlisting>
+<![CDATA[
-            &lt;bean id="runAsManager" class="org.springframework.security.runas.RunAsManagerImpl"&gt;
+<bean id="runAsManager" class="org.springframework.security.runas.RunAsManagerImpl">
-            &lt;property name="key"&gt;&lt;value&gt;my_run_as_password&lt;/value&gt;&lt;/property&gt;
+  <property name="key" value="my_run_as_password"/>
-            &lt;/bean&gt;
+</bean>
            &lt;bean id="runAsAuthenticationProvider"
            class="org.springframework.security.runas.RunAsImplAuthenticationProvider"&gt;
            &lt;property name="key"&gt;&lt;value&gt;my_run_as_password&lt;/value&gt;&lt;/property&gt;
            &lt;/bean&gt;
        </programlisting></para>
 <bean id="runAsAuthenticationProvider"
    class="org.springframework.security.runas.RunAsImplAuthenticationProvider">
  <property name="key" value="my_run_as_password"/>
 </bean>]]></programlisting></para>
        <para>By using the same key, each <literal>RunAsUserToken</literal>
            can be validated it was created by an approved
            <literal>RunAsManagerImpl</literal>. The
--- a/src/docbkx/springsecurity.xml
+++ b/src/docbkx/springsecurity.xml
@ -118,7 +118,6 @@
    <xi:include href="channel-security.xml" />
    <xi:include href="taglibs.xml" />
  </part>
  <part xml:id="authentication">
@ -193,8 +192,7 @@
    <partintro>
      <para>In addition to this reference guide, a number of other resources
-      exist to help you learn how to use Spring Security. These resources are
+      exist to help you learn how to use Spring Security.</para>
      discussed in this section.</para>
    </partintro>
    <xi:include href="samples.xml"/>
--- a/src/docbkx/supporting-infrastructure.xml
+++ b/src/docbkx/supporting-infrastructure.xml
@ -1,4 +1,6 @@
-<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="supporting-infrastructure"><info><title>Supporting Infrastructure</title></info>
+<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="supporting-infrastructure" xmlns:xlink="http://www.w3.org/1999/xlink">
  <info><title>Supporting Infrastructure</title></info>
  <para>This chapter introduces some of the supplementary and supporting
@ -6,9 +8,8 @@
  related to security, yet included in the Spring Security project, we
  will discuss it in this chapter.</para>
-  <section xml:id="localization"><info><title>Localization</title></info>
+  <section xml:id="localization">
-    
+    <title>Localization</title>
    <para>Spring Security supports localization of exception messages that
    end users are likely to see. If your application is designed for
    English users, you don't need to do anything as by default all
@ -36,9 +37,11 @@
    inside your application context to refer to the messages. An example
    is shown below:</para>
-    <para><programlisting>&lt;bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"&gt;
+    <para><programlisting><![CDATA[
-&lt;property name="basename"&gt;&lt;value&gt;org/acegisecurity/messages&lt;/value&gt;&lt;/property&gt;
+<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
-&lt;/bean&gt;        </programlisting></para>
+  <property name="basename" value="org/acegisecurity/messages"/>
 </bean>
 ]]></programlisting></para>
    <para>The <literal>messages.properties</literal> is named in
    accordance with standard resource bundles and represents the default
@ -73,12 +76,15 @@
    <literal>SessionLocaleResolver</literal> etc)</para>
  </section>
-  <section xml:id="filters"><info><title>Filters</title></info>
+  <section xml:id="filters">
-    
+    <info><title>Filters</title></info>
    <para>Spring Security uses many filters, as referred to throughout the
-    remainder of this reference guide. You have a choice in how these
+      remainder of this reference guide. If you are using <link xlink:href="#namespace-config">namespace configuration</link>,
-    filters are added to your web application, in that you can use either
+      then the you don't usually have to declare the filter beans explicitly. There may be times when you want full control
      over the security filter chain, either because you are using features which aren't supported in the namespace, or you
      are using your own customized versions of classes.</para>
    <para>In this case, you have a choice in how these filters are added to your web application, in that you can use either
        Spring's <literal>DelegatingFilterProxy</literal> or 
    <literal>FilterChainProxy</literal>. We'll look at both below.</para>
@ -86,7 +92,6 @@
      something like this in the web.xml file:
        <programlisting>
    &lt;filter&gt;
        &lt;filter-name&gt;myFilter&lt;/filter-name&gt;
        &lt;filter-class&gt;org.springframework.web.filter.DelegatingFilterProxy&lt;/filter-class&gt;
@ -96,7 +101,6 @@
      &lt;filter-name&gt;myFilter&lt;/filter-name&gt;
      &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
    &lt;/filter-mapping&gt;
        </programlisting>     
        Notice that the filter  is actually a <literal>DelegatingFilterProxy</literal>, 
@ -148,8 +152,10 @@
    <para><programlisting><![CDATA[
 <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
  <sec:filter-chain-map path-type="ant">
-        <sec:filter-chain pattern="/webServices/**" filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
+     <sec:filter-chain pattern="/webServices/**" 
-        <sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
+         filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
     <sec:filter-chain pattern="/**" 
         filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
  </sec:filter-chain-map>
 </bean>
 ]]>         
@ -209,7 +215,9 @@
    any servlet container lifecycle invocations are not delegated through
    to <literal>DelegatingFilterProxy</literal>.</para>
-    <para>You can also omit a URI pattern from the filter chain by using
+    <para>In the same way that you can use the attribute <literal>filters = "none"</literal>
      when using <link xlink:href="#namespace-auto-config">namespace configuration</link>,
      you can omit a URI pattern from the filter chain by using
    the token <literal>#NONE#</literal> on the right-hand side of the
    <literal>&lt;URI Pattern&gt; = &lt;Filter Chain&gt;</literal>
    expression. For example, using the example above, if you wanted to
@ -311,4 +319,44 @@
    <literal>SecurityContextHolder</literal> to be populated in time for
    use by SiteMesh decorators</para>
  </section>
  <section xml:id="taglib">
    <info><title>Tag Libraries</title></info> 
    <para>Spring Security comes bundled with several JSP tag libraries which provide a range of different
      services.</para>
    <section xml:id="taglib-config">
      <info><title>Configuration</title></info>
      <para>All taglib classes are included in the core
        <literal>spring-security-xx.jar</literal> file, with the
        <literal>security.tld</literal> located in the JAR's
        <literal>META-INF</literal> directory. This means for JSP 1.2+ web
        containers you can simply include the JAR in the WAR's
        <literal>WEB-INF/lib</literal> directory and it will be available. If
        you're using a JSP 1.1 container, you'll need to declare the JSP
        taglib in your <literal>web.xml file</literal>, and include
        <literal>security.tld</literal> in the <literal>WEB-INF/lib</literal>
        directory. The following fragment is added to
        <literal>web.xml</literal>:
 <programlisting><![CDATA[
 <taglib>
  <taglib-uri>http://www.springframework.org/security/tags</taglib-uri> 
  <taglib-location>/WEB-INF/security.tld</taglib-location>
 </taglib>
 ]]></programlisting></para>
    </section>
    <section xml:id="taglib-usage">
      <info><title>Usage</title></info>
      <para>Now that you've configured the tag libraries, refer to the
        individual reference guide sections for details on how to use them.
        Note that when using the tags, you should include the taglib reference
        in your JSP: 
 <programlisting>
  &lt;%@ taglib prefix='security' uri='http://www.springframework.org/security/tags' %&gt;
        </programlisting></para>
    </section>
  </section>
 </chapter>
--- a/src/docbkx/taglibs.xml
+++ b/src/docbkx/taglibs.xml
@ -2,17 +2,15 @@
    <info><title>Tag Libraries</title></info>    
-    <section xml:id="taglib-overview"><info><title>Overview</title></info>
+    <section xml:id="taglib-overview">
-        
+        <info><title>Overview</title></info>
        <para>Spring Security comes bundled with several JSP tag libraries
            that eases JSP writing. The tag libraries provide a range of different
            services.</para>
    </section>
-    <section xml:id="taglib-config"><info><title>Configuration</title></info>
+    <section xml:id="taglib-config">
-        
+        <info><title>Configuration</title></info>
        <para>All taglib classes are included in the core
            <literal>spring-security-xx.jar</literal> file, with the
            <literal>security.tld</literal> located in the JAR's
@ -25,15 +23,16 @@
            directory. The following fragment is added to
            <literal>web.xml</literal>:</para>
-        <para><programlisting>&lt;taglib&gt;
+        <para><programlisting>
 &lt;taglib&gt;
  &lt;taglib-uri&gt;http://www.springframework.org/security/tags&lt;/taglib-uri&gt;
  &lt;taglib-location&gt;/WEB-INF/security.tld&lt;/taglib-location&gt;
-            &lt;/taglib&gt;       </programlisting></para>
+&lt;/taglib&gt;
        </programlisting></para>
    </section>
-    <section xml:id="taglib-usage"><info><title>Usage</title></info>
+    <section xml:id="taglib-usage">
-        
+        <info><title>Usage</title></info>
        <para>Now that you've configured the tag libraries, refer to the
            individual reference guide sections for details on how to use them.
            Note that when using the tags, you should include the taglib reference
--- a/src/docbkx/technical-overview.xml
+++ b/src/docbkx/technical-overview.xml
@ -23,8 +23,8 @@
    from one system to another and it will immediately work.</para>
  </section>
-  <section xml:id="shared-components"><info><title>Shared Components</title></info>
+  <section xml:id="shared-components">
-    
+    <info><title>Shared Components</title></info>
    <para>Let's explore some of the most important shared components in
    Spring Security. Components are considered "shared" if they are
--- a/src/docbkx/x509-auth-provider.xml
+++ b/src/docbkx/x509-auth-provider.xml
@ -25,11 +25,11 @@
    <section><info><title>Adding X.509 Authentication to Your Web Application</title></info>
        <para> Enabling X.509 client authentication is very straightforward. Just add the <literal>&lt;x509/&gt;</literal> element to your http security namespace configuration. <programlisting>
-    &lt;http&gt;
+&lt;http&gt;
 ...
    &lt;x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/&gt;
 ...
-    &lt;/http&gt;
+&lt;/http&gt;
            </programlisting> The element has two optional attributes: <itemizedlist>
                <listitem>
                    <para><literal>subject-principal-regex</literal>. The regular expression used to
@ -69,13 +69,13 @@
            tomcat <filename>conf</filename> directory and add the following connector to the
            <filename>server.xml</filename> file 
                <programlisting> 
-    &lt;Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
+&lt;Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
            clientAuth="true" sslProtocol="TLS" 
            keystoreFile="${catalina.home}/conf/server.jks"
            keystoreType="JKS" keystorePass="password"
            truststoreFile="${catalina.home}/conf/server.jks"
            truststoreType="JKS" truststorePass="password"
-     /&gt; 
+/&gt; 
                </programlisting>
            <parameter>clientAuth</parameter> can also be set to <parameter>want</parameter> if you still
            want SSL connections to succeed even if the client doesn't provide a certificate.