Manual URL Cleanup

cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java

@@ -66,7 +66,7 @@ public class CasAuthenticationProviderTests {
 	private ServiceProperties makeServiceProperties() {
 		final ServiceProperties serviceProperties = new ServiceProperties();
 		serviceProperties.setSendRenew(false);
-		serviceProperties.setService("http://test.com");
+		serviceProperties.setService("https://localhost");
 
 		return serviceProperties;
 	}

config/src/test/groovy/org/springframework/security/config/http/HttpOpenIDConfigTests.groovy

@@ -88,7 +88,7 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
 		openIDFilter.setConsumer(new OpenIDConsumer() {
 			public String beginConsumption(HttpServletRequest req, String claimedIdentity, String returnToUrl, String realm)
 					throws OpenIDConsumerException {
-				return "http://testopenid.com?openid.return_to=" + returnToUrl;
+				return "https://testopenid.com?openid.return_to=" + returnToUrl;
 			}
 
 			public OpenIDAuthenticationToken endConsumption(HttpServletRequest req) throws OpenIDConsumerException {
@@ -118,7 +118,7 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
 		response.getContentAsString().contains(AbstractRememberMeServices.DEFAULT_PARAMETER)
 		when: "Login is submitted with remember-me selected"
 		request.servletPath = "/login/openid"
-		request.setParameter(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, "http://ww1.openid.com")
+		request.setParameter(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, "https://ww1.openid.com")
 		request.setParameter(AbstractRememberMeServices.DEFAULT_PARAMETER, "on")
 		response = new MockHttpServletResponse();
 		fc.doFilter(request, response, new MockFilterChain());
@@ -126,7 +126,7 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
 										.append(AbstractRememberMeServices.DEFAULT_PARAMETER)
 										.append("=").append("on").toString();
 		then: "return_to URL contains remember-me choice"
-		response.getRedirectedUrl() == "http://testopenid.com?openid.return_to=" + expectedReturnTo
+		response.getRedirectedUrl() == "https://testopenid.com?openid.return_to=" + expectedReturnTo
 	}
 
 	def openIDWithAttributeExchangeConfigurationIsParsedCorrectly() {
@@ -141,7 +141,7 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
 		}
 		createAppContext()
 
-		List attributes = getFilter(OpenIDAuthenticationFilter).consumer.attributesToFetchFactory.createAttributeList('http://someid')
+		List attributes = getFilter(OpenIDAuthenticationFilter).consumer.attributesToFetchFactory.createAttributeList('https://someid')
 
 		expect:
 		attributes.size() == 2

crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java

@@ -41,9 +41,8 @@ public final class Base64 {
 
 	/**
 	 * Encode using Base64-like encoding that is URL- and Filename-safe as described in
-	 * Section 4 of RFC3548: <a
-	 * href="http://www.faqs.org/rfcs/rfc3548.html">https://www.faqs
-	 * .org/rfcs/rfc3548.html</a>. It is important to note that data encoded this way is
+	 * Section 4 of RFC3548: <a href="https://tools.ietf.org/html/rfc3548">https://tools.ietf.org/html/rfc3548</a>.
+	 * It is important to note that data encoded this way is
 	 * <em>not</em> officially valid Base64, or at the very least should not be called
 	 * Base64 without also specifying that is was encoded using the URL- and Filename-safe
 	 * dialect.
@@ -51,9 +50,7 @@ public final class Base64 {
 	public final static int URL_SAFE = 16;
 
 	/**
-	 * Encode using the special "ordered" dialect of Base64 described here: <a
-	 * href="http://www.faqs.org/qa/rfcc-1940.html"
-	 * >http://www.faqs.org/qa/rfcc-1940.html</a>.
+	 * Encode using the special "ordered" dialect of Base64.
 	 */
 	public final static int ORDERED = 32;
 
@@ -127,9 +124,8 @@ public final class Base64 {
 	/* ******** U R L S A F E B A S E 6 4 A L P H A B E T ******** */
 
 	/**
-	 * Used in the URL- and Filename-safe dialect described in Section 4 of RFC3548: <a
-	 * href
-	 * ="http://www.faqs.org/rfcs/rfc3548.html">http://www.faqs.org/rfcs/rfc3548.html</a>.
+	 * Used in the URL- and Filename-safe dialect described in Section 4 of RFC3548:
+	 * <a href="https://tools.ietf.org/html/rfc3548">https://tools.ietf.org/html/rfc3548</a>.
 	 * Notice that the last two bytes become "hyphen" and "underscore" instead of "plus"
 	 * and "slash."
 	 */
@@ -189,12 +185,6 @@ public final class Base64 {
 
 	/* ******** O R D E R E D B A S E 6 4 A L P H A B E T ******** */
 
-	/**
-	 * I don't get the point of this technique, but someone requested it, and it is
-	 * described here: <a
-	 * href="http://www.faqs.org/qa/rfcc-1940.html">http://www.faqs.org/faqs/
-	 * qa/rfcc-1940.html</a>.
-	 */
 	private final static byte[] _ORDERED_ALPHABET = { (byte) '-', (byte) '0', (byte) '1',
 			(byte) '2', (byte) '3', (byte) '4', (byte) '5', (byte) '6', (byte) '7',
 			(byte) '8', (byte) '9', (byte) 'A', (byte) 'B', (byte) 'C', (byte) 'D',

docs/manual/src/docs/asciidoc/_includes/faq.adoc

@@ -18,7 +18,7 @@
 [[appendix-faq-other-concerns]]
 ==== Will Spring Security take care of all my application security requirements?
 
-Spring Security provides you with a very flexible framework for your authentication and authorization requirements, but there are many other considerations for building a secure application that are outside its scope. Web applications are vulnerable to all kinds of attacks which you should be familiar with, preferably before you start development so you can design and code with them in mind from the beginning. Check out thehttp://www.owasp.org/[OWASP web site] for information on the major issues facing web application developers and the countermeasures you can use against them.
+Spring Security provides you with a very flexible framework for your authentication and authorization requirements, but there are many other considerations for building a secure application that are outside its scope. Web applications are vulnerable to all kinds of attacks which you should be familiar with, preferably before you start development so you can design and code with them in mind from the beginning. Check out the https://www.owasp.org/[OWASP web site] for information on the major issues facing web application developers and the countermeasures you can use against them.
 
 
 [[appendix-faq-web-xml]]
@@ -280,7 +280,7 @@ The prefix can be changed by setting the `rolePrefix` property of `RoleVoter`. I
 
 It will depend on what features you are using and what type of application you are developing. With Spring Security 3.0, the project jars are divided into clearly distinct areas of functionality, so it is straightforward to work out which Spring Security jars you need from your application requirements. All applications will need the `spring-security-core` jar. If you're developing a web application, you need the `spring-security-web` jar. If you're using security namespace configuration you need the `spring-security-config` jar, for LDAP support you need the `spring-security-ldap` jar and so on.
 
-For third-party jars the situation isn't always quite so obvious. A good starting point is to copy those from one of the pre-built sample applications WEB-INF/lib directories. For a basic application, you can start with the tutorial sample. If you want to use LDAP, with an embedded test server, then use the LDAP sample as a starting point. The reference manual also includeshttp://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#appendix-dependencies[an appendix] listing the first-level dependencies for each Spring Security module with some information on whether they are optional and what they are required for.
+For third-party jars the situation isn't always quite so obvious. A good starting point is to copy those from one of the pre-built sample applications WEB-INF/lib directories. For a basic application, you can start with the tutorial sample. If you want to use LDAP, with an embedded test server, then use the LDAP sample as a starting point. The reference manual also includes https://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#appendix-dependencies[an appendix] listing the first-level dependencies for each Spring Security module with some information on whether they are optional and what they are required for.
 
 If you are building your project with maven, then adding the appropriate Spring Security modules as dependencies to your pom.xml will automatically pull in the core jars that the framework requires. Any which are marked as "optional" in the Spring Security POM files will have to be added to your own pom.xml file if you need them.
 

docs/manual/src/docs/asciidoc/index.adoc

@@ -3534,7 +3534,7 @@ $(document).ajaxSend(function(e, xhr, options) {
 });
 ----
 
-As an alternative to jQuery, we recommend using http://cujojs.com/[cujoJS's] rest.js. The https://github.com/cujojs/rest[rest.js] module provides advanced support for working with HTTP requests and responses in RESTful ways. A core capability is the ability to contextualize the HTTP client adding behavior as needed by chaining interceptors on to the client.
+As an alternative to jQuery, we recommend using https://github.com/cujojs[cujoJS's] rest.js. The https://github.com/cujojs/rest[rest.js] module provides advanced support for working with HTTP requests and responses in RESTful ways. A core capability is the ability to contextualize the HTTP client adding behavior as needed by chaining interceptors on to the client.
 
 [source,javascript]
 ----

openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java

@@ -254,8 +254,8 @@ public class OpenIDAuthenticationFilter extends AbstractAuthenticationProcessing
 	 *
 	 * If no mapping is provided then the returnToUrl will be parsed to extract the
 	 * protocol, hostname and port followed by a trailing slash. This means that
-	 * <tt>https://www.example.com/login/openid</tt> will automatically become
-	 * <tt>http://www.example.com:80/</tt>
+	 * <tt>https://localhost/login/openid</tt> will automatically become
+	 * <tt>http://localhost:80/</tt>
 	 *
 	 * @param realmMapping containing returnToUrl -&gt; realm mappings
 	 */

remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java

@@ -61,7 +61,7 @@ public class AuthenticationSimpleHttpInvokerRequestExecutorTests {
 		executor.prepareConnection(conn, 10);
 
 		// Check connection properties
-		// See http://www.faqs.org/rfcs/rfc1945.html section 11.1 for example
+		// See https://tools.ietf.org/html/rfc1945 section 11.1 for example
 		// we are comparing against
 		assertThat(conn.getRequestProperty("Authorization")).isEqualTo(
 				"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==");

samples/javaconfig/hellojs/src/main/resources/resources/js/jquery-1.8.3.js

@@ -881,7 +881,7 @@ jQuery.ready.promise = function( obj ) {
 
 						try {
 							// Use the trick by Diego Perini
-							// http://javascript.nwbox.com/IEContentLoaded/
+							// https://javascript.nwbox.com/IEContentLoaded/
 							top.doScroll("left");
 						} catch(e) {
 							return setTimeout( doScrollCheck, 50 );
@@ -1390,7 +1390,7 @@ jQuery.support = (function() {
 	fragment.appendChild( div );
 
 	// Technique from Juriy Zaytsev
-	// http://perfectionkills.com/detecting-event-support-without-browser-sniffing/
+	// https://perfectionkills.com/detecting-event-support-without-browser-sniffing/
 	// We only care about the case where non-standard event systems
 	// are used, namely in IE. Short-circuiting here helps us to
 	// avoid an eval call (in setAttribute) which can cause CSP
@@ -1945,7 +1945,7 @@ jQuery.fn.extend({
 		});
 	},
 	// Based off of the plugin by Clint Helfers, with permission.
-	// http://blindsignals.com
+	// https://blindsignals.com
 	delay: function( time, type ) {
 		time = jQuery.fx ? jQuery.fx.speeds[ time ] || time : time;
 		type = type || "fx";
@@ -6867,7 +6867,7 @@ if ( window.getComputedStyle ) {
 		}
 
 		// From the awesome hack by Dean Edwards
-		// http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291
+		// https://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291
 
 		// If we're not dealing with a regular pixel number
 		// but a number that has a weird ending, we need to convert it to pixels

samples/javaconfig/openid/src/main/resources/resources/js/openid-client/jquery.query-2.1.3.js

@@ -1,7 +1,7 @@
 /**
  * jQuery.query - Query String Modification and Creation for jQuery
  * Written by Blair Mitchelmore (blair DOT mitchelmore AT gmail DOT com)
- * Licensed under the WTFPL (http://www.wtfpl.net/).
+ * Licensed under the WTFPL (https://www.wtfpl.net/).
  * Date: 2009/02/08
  *
  * @author Blair Mitchelmore

samples/javaconfig/openid/src/main/resources/views/login.html

@@ -23,7 +23,7 @@
                 </div>
 
                 <div id="openid_input_area">
-                    <input id="openid_identifier" name="openid_identifier" type="text" value="http://" />
+                    <input id="openid_identifier" name="openid_identifier" type="text" value="https://" />
                     <input id="openid_submit" type="submit" value="Sign-In"/>
                 </div>
                 <noscript>

samples/xml/openid/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -54,7 +54,7 @@
 <!--
 	<user-service id="userService">
 		<user name="https://luke.taylor.myopenid.com/" authorities="ROLE_SUPERVISOR,ROLE_USER" />
-		<user name="http://luke.taylor.openid.cn/" authorities="ROLE_SUPERVISOR,ROLE_USER" />
+		<user name="https://luke.taylor.openid.cn/" authorities="ROLE_SUPERVISOR,ROLE_USER" />
 		<user name="https://raykrueger.blogspot.com/" authorities="ROLE_SUPERVISOR,ROLE_USER" />
 		<user name="https://spring.security.test.myopenid.com/" authorities="ROLE_SUPERVISOR,ROLE_USER" />
 	</user-service>

samples/xml/openid/src/main/webapp/js/openid-client/jquery.query-2.1.3.js

@@ -1,7 +1,7 @@
 /**
  * jQuery.query - Query String Modification and Creation for jQuery
  * Written by Blair Mitchelmore (blair DOT mitchelmore AT gmail DOT com)
- * Licensed under the WTFPL (http://www.wtfpl.net/).
+ * Licensed under the WTFPL (https://www.wtfpl.net/).
  * Date: 2009/02/08
  *
  * @author Blair Mitchelmore

samples/xml/openid/src/main/webapp/js/openid-jquery.js

@@ -220,7 +220,7 @@ var openid = {
 		}
 		if (provider['name'] == 'OpenID') {
 			id = this.input_id;
-			value = 'http://';
+			value = 'https://';
 			style = 'background:#FFF url('+this.img_path+'openid-inputicon.gif) no-repeat scroll 0 50%; padding-left:18px;';
 		}
 		html += '<input id="'+id+'" type="text" style="'+style+'" name="'+id+'" value="'+value+'" />' + 

samples/xml/openid/src/main/webapp/openidlogin.jsp

@@ -50,7 +50,7 @@
             </div>
 
             <div id="openid_input_area">
-                <input id="openid_identifier" name="openid_identifier" type="text" value="http://" />
+                <input id="openid_identifier" name="openid_identifier" type="text" value="https://" />
                 <input id="openid_submit" type="submit" value="Sign-In"/>
             </div>
             <noscript>

web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java

@@ -45,7 +45,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
  *
  * <p>
  * For a detailed background on what this filter is designed to process, refer to
- * <a href="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section 11.1</a>. Any realm
+ * <a href="https://tools.ietf.org/html/rfc1945">RFC 1945, Section 11.1</a>. Any realm
  * name presented in the HTTP request is ignored.
  *
  * <p>

web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java

@@ -52,7 +52,7 @@ public class DefaultRedirectStrategyTests {
 		MockHttpServletResponse response = new MockHttpServletResponse();
 
 		rds.sendRedirect(request, response,
-				"https://http://context.blah.com/context/remainder");
+				"https://context.blah.com/context/remainder");
 
 		assertThat(response.getRedirectedUrl()).isEqualTo("remainder");
 	}

web/src/test/java/org/springframework/security/web/FilterInvocationTests.java

@@ -45,7 +45,7 @@ public class FilterInvocationTests {
 		MockHttpServletRequest request = new MockHttpServletRequest(null, null);
 		request.setServletPath("/HelloWorld");
 		request.setPathInfo("/some/more/segments.html");
-		request.setServerName("www.example.com");
+		request.setServerName("localhost");
 		request.setScheme("http");
 		request.setServerPort(80);
 		request.setContextPath("/mycontext");
@@ -61,7 +61,7 @@ public class FilterInvocationTests {
 		assertThat(fi.getChain()).isEqualTo(chain);
 		assertThat(fi.getRequestUrl()).isEqualTo("/HelloWorld/some/more/segments.html");
 		assertThat(fi.toString()).isEqualTo("FilterInvocation: URL: /HelloWorld/some/more/segments.html");
-		assertThat(fi.getFullRequestUrl()).isEqualTo("http://www.example.com/mycontext/HelloWorld/some/more/segments.html");
+		assertThat(fi.getFullRequestUrl()).isEqualTo("http://localhost/mycontext/HelloWorld/some/more/segments.html");
 	}
 
 	@Test(expected = IllegalArgumentException.class)
@@ -91,7 +91,7 @@ public class FilterInvocationTests {
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		request.setQueryString("foo=bar");
 		request.setServletPath("/HelloWorld");
-		request.setServerName("www.example.com");
+		request.setServerName("localhost");
 		request.setScheme("http");
 		request.setServerPort(80);
 		request.setContextPath("/mycontext");
@@ -102,14 +102,14 @@ public class FilterInvocationTests {
 				mock(FilterChain.class));
 		assertThat(fi.getRequestUrl()).isEqualTo("/HelloWorld?foo=bar");
 		assertThat(fi.toString()).isEqualTo("FilterInvocation: URL: /HelloWorld?foo=bar");
-		assertThat(fi.getFullRequestUrl()).isEqualTo("http://www.example.com/mycontext/HelloWorld?foo=bar");
+		assertThat(fi.getFullRequestUrl()).isEqualTo("http://localhost/mycontext/HelloWorld?foo=bar");
 	}
 
 	@Test
 	public void testStringMethodsWithoutAnyQueryString() {
 		MockHttpServletRequest request = new MockHttpServletRequest(null, null);
 		request.setServletPath("/HelloWorld");
-		request.setServerName("www.example.com");
+		request.setServerName("localhost");
 		request.setScheme("http");
 		request.setServerPort(80);
 		request.setContextPath("/mycontext");
@@ -120,7 +120,7 @@ public class FilterInvocationTests {
 				mock(FilterChain.class));
 		assertThat(fi.getRequestUrl()).isEqualTo("/HelloWorld");
 		assertThat(fi.toString()).isEqualTo("FilterInvocation: URL: /HelloWorld");
-		assertThat(fi.getFullRequestUrl()).isEqualTo("http://www.example.com/mycontext/HelloWorld");
+		assertThat(fi.getFullRequestUrl()).isEqualTo("http://localhost/mycontext/HelloWorld");
 	}
 
 	@Test(expected = UnsupportedOperationException.class)

web/src/test/java/org/springframework/security/web/access/ExceptionTranslationFilterTests.java

@@ -81,7 +81,7 @@ public class ExceptionTranslationFilterTests {
 		request.setServletPath("/secure/page.html");
 		request.setServerPort(80);
 		request.setScheme("http");
-		request.setServerName("www.example.com");
+		request.setServerName("localhost");
 		request.setContextPath("/mycontext");
 		request.setRequestURI("/mycontext/secure/page.html");
 
@@ -104,7 +104,7 @@ public class ExceptionTranslationFilterTests {
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		filter.doFilter(request, response, fc);
 		assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/login.jsp");
-		assertThat(getSavedRequestUrl(request)).isEqualTo("http://www.example.com/mycontext/secure/page.html");
+		assertThat(getSavedRequestUrl(request)).isEqualTo("http://localhost/mycontext/secure/page.html");
 	}
 
 	@Test
@@ -114,7 +114,7 @@ public class ExceptionTranslationFilterTests {
 		request.setServletPath("/secure/page.html");
 		request.setServerPort(80);
 		request.setScheme("http");
-		request.setServerName("www.example.com");
+		request.setServerName("localhost");
 		request.setContextPath("/mycontext");
 		request.setRequestURI("/mycontext/secure/page.html");
 
@@ -134,7 +134,7 @@ public class ExceptionTranslationFilterTests {
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		filter.doFilter(request, response, fc);
 		assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/login.jsp");
-		assertThat(getSavedRequestUrl(request)).isEqualTo("http://www.example.com/mycontext/secure/page.html");
+		assertThat(getSavedRequestUrl(request)).isEqualTo("http://localhost/mycontext/secure/page.html");
 	}
 
 
@@ -175,7 +175,7 @@ public class ExceptionTranslationFilterTests {
 		request.setServletPath("/secure/page.html");
 		request.setServerPort(80);
 		request.setScheme("http");
-		request.setServerName("www.example.com");
+		request.setServerName("localhost");
 		request.setContextPath("/mycontext");
 		request.setRequestURI("/mycontext/secure/page.html");
 
@@ -190,7 +190,7 @@ public class ExceptionTranslationFilterTests {
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		filter.doFilter(request, response, fc);
 		assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/login.jsp");
-		assertThat(getSavedRequestUrl(request)).isEqualTo("http://www.example.com/mycontext/secure/page.html");
+		assertThat(getSavedRequestUrl(request)).isEqualTo("http://localhost/mycontext/secure/page.html");
 	}
 
 	@Test
@@ -201,7 +201,7 @@ public class ExceptionTranslationFilterTests {
 		request.setServletPath("/secure/page.html");
 		request.setServerPort(8080);
 		request.setScheme("http");
-		request.setServerName("www.example.com");
+		request.setServerName("localhost");
 		request.setContextPath("/mycontext");
 		request.setRequestURI("/mycontext/secure/page.html");
 
@@ -219,7 +219,7 @@ public class ExceptionTranslationFilterTests {
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		filter.doFilter(request, response, fc);
 		assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/login.jsp");
-		assertThat(getSavedRequestUrl(request)).isEqualTo("http://www.example.com:8080/mycontext/secure/page.html");
+		assertThat(getSavedRequestUrl(request)).isEqualTo("http://localhost:8080/mycontext/secure/page.html");
 	}
 
 	@Test(expected = IllegalArgumentException.class)

web/src/test/java/org/springframework/security/web/access/channel/RetryWithHttpEntryPointTests.java

@@ -85,7 +85,7 @@ public class RetryWithHttpEntryPointTests {
 				"/bigWebApp/hello/pathInfo.html");
 		request.setQueryString("open=true");
 		request.setScheme("https");
-		request.setServerName("www.example.com");
+		request.setServerName("localhost");
 		request.setServerPort(443);
 
 		MockHttpServletResponse response = new MockHttpServletResponse();
@@ -96,7 +96,7 @@ public class RetryWithHttpEntryPointTests {
 
 		ep.commence(request, response);
 		assertThat(response.getRedirectedUrl()).isEqualTo(
-				"http://www.example.com/bigWebApp/hello/pathInfo.html?open=true");
+				"http://localhost/bigWebApp/hello/pathInfo.html?open=true");
 	}
 
 	@Test
@@ -104,7 +104,7 @@ public class RetryWithHttpEntryPointTests {
 		MockHttpServletRequest request = new MockHttpServletRequest("GET",
 				"/bigWebApp/hello");
 		request.setScheme("https");
-		request.setServerName("www.example.com");
+		request.setServerName("localhost");
 		request.setServerPort(443);
 
 		MockHttpServletResponse response = new MockHttpServletResponse();
@@ -115,7 +115,7 @@ public class RetryWithHttpEntryPointTests {
 
 		ep.commence(request, response);
 		assertThat(response.getRedirectedUrl())
-				.isEqualTo("http://www.example.com/bigWebApp/hello");
+				.isEqualTo("http://localhost/bigWebApp/hello");
 	}
 
 	@Test
@@ -142,7 +142,7 @@ public class RetryWithHttpEntryPointTests {
 				"/bigWebApp/hello/pathInfo.html");
 		request.setQueryString("open=true");
 		request.setScheme("https");
-		request.setServerName("www.example.com");
+		request.setServerName("localhost");
 		request.setServerPort(9999);
 
 		MockHttpServletResponse response = new MockHttpServletResponse();
@@ -158,6 +158,6 @@ public class RetryWithHttpEntryPointTests {
 
 		ep.commence(request, response);
 		assertThat(response.getRedirectedUrl()).isEqualTo(
-				"http://www.example.com:8888/bigWebApp/hello/pathInfo.html?open=true");
+				"http://localhost:8888/bigWebApp/hello/pathInfo.html?open=true");
 	}
 }

web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java

@@ -385,7 +385,7 @@ public class AbstractAuthenticationProcessingFilterTests {
 		MockHttpServletResponse response = new MockHttpServletResponse();
 
 		MockAuthenticationFilter filter = new MockAuthenticationFilter(false);
-		successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/");
+		successHandler.setDefaultTargetUrl("https://monkeymachine.co.uk/");
 		filter.setAuthenticationSuccessHandler(successHandler);
 
 		filter.doFilter(request, response, chain);
@@ -409,7 +409,7 @@ public class AbstractAuthenticationProcessingFilterTests {
 		ReflectionTestUtils.setField(filter, "logger", logger);
 		filter.exceptionToThrow = new InternalAuthenticationServiceException(
 				"Mock requested to do so");
-		successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/");
+		successHandler.setDefaultTargetUrl("https://monkeymachine.co.uk/");
 		filter.setAuthenticationSuccessHandler(successHandler);
 
 		filter.doFilter(request, response, chain);

web/src/test/java/org/springframework/security/web/authentication/LoginUrlAuthenticationEntryPointTests.java

@@ -166,14 +166,14 @@ public class LoginUrlAuthenticationEntryPointTests {
 		request.setRequestURI("/some_path");
 		request.setContextPath("/bigWebApp");
 		request.setScheme("http");
-		request.setServerName("www.example.com");
+		request.setServerName("localhost");
 		request.setContextPath("/bigWebApp");
 		request.setServerPort(80);
 
 		MockHttpServletResponse response = new MockHttpServletResponse();
 
 		ep.commence(request, response, null);
-		assertThat(response.getRedirectedUrl()).isEqualTo("http://www.example.com/bigWebApp/hello");
+		assertThat(response.getRedirectedUrl()).isEqualTo("http://localhost/bigWebApp/hello");
 	}
 
 	@Test
@@ -188,7 +188,7 @@ public class LoginUrlAuthenticationEntryPointTests {
 		request.setRequestURI("/some_path");
 		request.setContextPath("/bigWebApp");
 		request.setScheme("http");
-		request.setServerName("www.example.com");
+		request.setServerName("localhost");
 		request.setContextPath("/bigWebApp");
 		request.setServerPort(8888); // NB: Port we can't resolve
 
@@ -198,7 +198,7 @@ public class LoginUrlAuthenticationEntryPointTests {
 
 		// Response doesn't switch to HTTPS, as we didn't know HTTP port 8888 to HTTP port
 		// mapping
-		assertThat(response.getRedirectedUrl()).isEqualTo("http://www.example.com:8888/bigWebApp/hello");
+		assertThat(response.getRedirectedUrl()).isEqualTo("http://localhost:8888/bigWebApp/hello");
 	}
 
 	@Test
@@ -249,7 +249,7 @@ public class LoginUrlAuthenticationEntryPointTests {
 	// SEC-1498
 	@Test
 	public void absoluteLoginFormUrlIsSupported() throws Exception {
-		final String loginFormUrl = "http://somesite.com/login";
+		final String loginFormUrl = "https://somesite.com/login";
 		LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint(
 				loginFormUrl);
 		ep.afterPropertiesSet();
@@ -260,9 +260,9 @@ public class LoginUrlAuthenticationEntryPointTests {
 
 	@Test(expected = IllegalArgumentException.class)
 	public void absoluteLoginFormUrlCantBeUsedWithForwarding() throws Exception {
-		final String loginFormUrl = "http://somesite.com/login";
+		final String loginFormUrl = "https://somesite.com/login";
 		LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint(
-				"http://somesite.com/login");
+				"https://somesite.com/login");
 		ep.setUseForward(true);
 		ep.afterPropertiesSet();
 	}

web/src/test/java/org/springframework/security/web/authentication/logout/SimpleUrlLogoutSuccessHandlerTests.java

@@ -45,11 +45,11 @@ public class SimpleUrlLogoutSuccessHandlerTests {
 	@Test
 	public void absoluteUrlIsSupported() throws Exception {
 		SimpleUrlLogoutSuccessHandler lsh = new SimpleUrlLogoutSuccessHandler();
-		lsh.setDefaultTargetUrl("http://someurl.com/");
+		lsh.setDefaultTargetUrl("https://someurl.com/");
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		lsh.onLogoutSuccess(request, response, mock(Authentication.class));
-		assertThat(response.getRedirectedUrl()).isEqualTo("http://someurl.com/");
+		assertThat(response.getRedirectedUrl()).isEqualTo("https://someurl.com/");
 	}
 
 }

web/src/test/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategyTests.java

@@ -41,19 +41,19 @@ public class RegExpAllowFromStrategyTests {
 	@Test
 	public void subdomainMatchingRegularExpression() {
 		RegExpAllowFromStrategy strategy = new RegExpAllowFromStrategy(
-				"^http://([a-z0-9]*?\\.)test\\.com");
+				"^http://([a-z0-9]*?\\.)example\\.com");
 		strategy.setAllowFromParameterName("from");
 		MockHttpServletRequest request = new MockHttpServletRequest();
 
-		request.setParameter("from", "http://www.test.com");
+		request.setParameter("from", "http://www.example.com");
 		String result1 = strategy.getAllowFromValue(request);
-		assertThat(result1).isEqualTo("http://www.test.com");
+		assertThat(result1).isEqualTo("http://www.example.com");
 
-		request.setParameter("from", "http://abc.test.com");
+		request.setParameter("from", "http://foo.example.com");
 		String result2 = strategy.getAllowFromValue(request);
-		assertThat(result2).isEqualTo("http://abc.test.com");
+		assertThat(result2).isEqualTo("http://foo.example.com");
 
-		request.setParameter("from", "http://test.foobar.com");
+		request.setParameter("from", "http://www.example2.com");
 		String result3 = strategy.getAllowFromValue(request);
 		assertThat(result3).isEqualTo("DENY");
 	}
@@ -61,7 +61,7 @@ public class RegExpAllowFromStrategyTests {
 	@Test
 	public void noParameterShouldDeny() {
 		RegExpAllowFromStrategy strategy = new RegExpAllowFromStrategy(
-				"^http://([a-z0-9]*?\\.)test\\.com");
+				"^https://([a-z0-9]*?\\.)test\\.com");
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		String result1 = strategy.getAllowFromValue(request);
 		assertThat(result1).isEqualTo("DENY");