Manual URL Cleanup

config/src/test/groovy/org/springframework/security/config/http/HttpOpenIDConfigTests.groovy

@@ -88,7 +88,7 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
 		openIDFilter.setConsumer(new OpenIDConsumer() {
 			public String beginConsumption(HttpServletRequest req, String claimedIdentity, String returnToUrl, String realm)
 					throws OpenIDConsumerException {
-				return "http://testopenid.com?openid.return_to=" + returnToUrl;
+				return "https://testopenid.com?openid.return_to=" + returnToUrl;
 			}
 
 			public OpenIDAuthenticationToken endConsumption(HttpServletRequest req) throws OpenIDConsumerException {
@@ -118,7 +118,7 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
 		response.getContentAsString().contains(AbstractRememberMeServices.DEFAULT_PARAMETER)
 		when: "Login is submitted with remember-me selected"
 		request.servletPath = "/login/openid"
-		request.setParameter(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, "http://ww1.openid.com")
+		request.setParameter(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, "https://ww1.openid.com")
 		request.setParameter(AbstractRememberMeServices.DEFAULT_PARAMETER, "on")
 		response = new MockHttpServletResponse();
 		fc.doFilter(request, response, new MockFilterChain());
@@ -126,7 +126,7 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
 										.append(AbstractRememberMeServices.DEFAULT_PARAMETER)
 										.append("=").append("on").toString();
 		then: "return_to URL contains remember-me choice"
-		response.getRedirectedUrl() == "http://testopenid.com?openid.return_to=" + expectedReturnTo
+		response.getRedirectedUrl() == "https://testopenid.com?openid.return_to=" + expectedReturnTo
 	}
 
 	def openIDWithAttributeExchangeConfigurationIsParsedCorrectly() {
@@ -141,7 +141,7 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
 		}
 		createAppContext()
 
-		List attributes = getFilter(OpenIDAuthenticationFilter).consumer.attributesToFetchFactory.createAttributeList('http://someid')
+		List attributes = getFilter(OpenIDAuthenticationFilter).consumer.attributesToFetchFactory.createAttributeList('https://someid')
 
 		expect:
 		attributes.size() == 2

crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java

@@ -44,8 +44,8 @@ public final class Base64 {
 	/**
 	 * Encode using Base64-like encoding that is URL- and Filename-safe as described in
 	 * Section 4 of RFC3548: <a
-	 * href="http://www.faqs.org/rfcs/rfc3548.html">https://www.faqs
+	 * href="https://tools.ietf.org/html/rfc3548">https://tools.ietf.org/html/rfc3548</a>.
-	 * .org/rfcs/rfc3548.html</a>. It is important to note that data encoded this way is
+	 * It is important to note that data encoded this way is
 	 * <em>not</em> officially valid Base64, or at the very least should not be called
 	 * Base64 without also specifying that is was encoded using the URL- and Filename-safe
 	 * dialect.
@@ -53,9 +53,7 @@ public final class Base64 {
 	public final static int URL_SAFE = 16;
 
 	/**
-	 * Encode using the special "ordered" dialect of Base64 described here: <a
+	 * Encode using the special "ordered" dialect of Base64.
-	 * href="http://www.faqs.org/qa/rfcc-1940.html"
-	 * >http://www.faqs.org/qa/rfcc-1940.html</a>.
 	 */
 	public final static int ORDERED = 32;
 
@@ -131,7 +129,7 @@ public final class Base64 {
 	/**
 	 * Used in the URL- and Filename-safe dialect described in Section 4 of RFC3548: <a
 	 * href
-	 * ="http://www.faqs.org/rfcs/rfc3548.html">http://www.faqs.org/rfcs/rfc3548.html</a>.
+	 * ="https://tools.ietf.org/html/rfc3548">https://tools.ietf.org/html/rfc3548</a>.
 	 * Notice that the last two bytes become "hyphen" and "underscore" instead of "plus"
 	 * and "slash."
 	 */
@@ -191,12 +189,6 @@ public final class Base64 {
 
 	/* ******** O R D E R E D B A S E 6 4 A L P H A B E T ******** */
 
-	/**
-	 * I don't get the point of this technique, but someone requested it, and it is
-	 * described here: <a
-	 * href="http://www.faqs.org/qa/rfcc-1940.html">http://www.faqs.org/faqs/
-	 * qa/rfcc-1940.html</a>.
-	 */
 	private final static byte[] _ORDERED_ALPHABET = { (byte) '-', (byte) '0', (byte) '1',
 			(byte) '2', (byte) '3', (byte) '4', (byte) '5', (byte) '6', (byte) '7',
 			(byte) '8', (byte) '9', (byte) 'A', (byte) 'B', (byte) 'C', (byte) 'D',

docs/manual/src/docs/asciidoc/index.adoc

@@ -4242,7 +4242,7 @@ $(document).ajaxSend(function(e, xhr, options) {
 });
 ----
 
-As an alternative to jQuery, we recommend using http://cujojs.com/[cujoJS's] rest.js. The https://github.com/cujojs/rest[rest.js] module provides advanced support for working with HTTP requests and responses in RESTful ways. A core capability is the ability to contextualize the HTTP client adding behavior as needed by chaining interceptors on to the client.
+As an alternative to jQuery, we recommend using https://github.com/cujojs[cujoJS's] rest.js. The https://github.com/cujojs/rest[rest.js] module provides advanced support for working with HTTP requests and responses in RESTful ways. A core capability is the ability to contextualize the HTTP client adding behavior as needed by chaining interceptors on to the client.
 
 [source,javascript]
 ----

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java

@@ -276,7 +276,7 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
 			"/" + this.registration1.getRegistrationId();
 		MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
 		request.setScheme("http");
-		request.setServerName("example.com");
+		request.setServerName("localhost");
 		request.setServerPort(80);
 		request.setServletPath(requestUri);
 		MockHttpServletResponse response = new MockHttpServletResponse();
@@ -286,7 +286,7 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
 
 		verifyZeroInteractions(filterChain);
 
-		assertThat(response.getRedirectedUrl()).matches("https://provider.com/oauth2/authorize\\?response_type=code&client_id=client-1&scope=user&state=.{15,}&redirect_uri=http://example.com/login/oauth2/code/registration-1");
+		assertThat(response.getRedirectedUrl()).matches("https://provider.com/oauth2/authorize\\?response_type=code&client_id=client-1&scope=user&state=.{15,}&redirect_uri=http://localhost/login/oauth2/code/registration-1");
 	}
 
 	@Test

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilterTests.java

@@ -331,7 +331,7 @@ public class OAuth2LoginAuthenticationFilterTests {
 		String requestUri = "/login/oauth2/code/" + this.registration2.getRegistrationId();
 		MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
 		request.setScheme("http");
-		request.setServerName("example.com");
+		request.setServerName("localhost");
 		request.setServerPort(80);
 		request.setServletPath(requestUri);
 		request.addParameter(OAuth2ParameterNames.CODE, "code");
@@ -352,7 +352,7 @@ public class OAuth2LoginAuthenticationFilterTests {
 		OAuth2AuthorizationRequest authorizationRequest = authentication.getAuthorizationExchange().getAuthorizationRequest();
 		OAuth2AuthorizationResponse authorizationResponse = authentication.getAuthorizationExchange().getAuthorizationResponse();
 
-		String expectedRedirectUri = "http://example.com/login/oauth2/code/registration-2";
+		String expectedRedirectUri = "http://localhost/login/oauth2/code/registration-2";
 		assertThat(authorizationRequest.getRedirectUri()).isEqualTo(expectedRedirectUri);
 		assertThat(authorizationResponse.getRedirectUri()).isEqualTo(expectedRedirectUri);
 	}

openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java

@@ -254,8 +254,8 @@ public class OpenIDAuthenticationFilter extends AbstractAuthenticationProcessing
 	 *
 	 * If no mapping is provided then the returnToUrl will be parsed to extract the
 	 * protocol, hostname and port followed by a trailing slash. This means that
-	 * <tt>https://www.example.com/login/openid</tt> will automatically become
+	 * <tt>https://foo.example.com/login/openid</tt> will automatically become
-	 * <tt>http://www.example.com:80/</tt>
+	 * <tt>http://foo.example.com:80/</tt>
 	 *
 	 * @param realmMapping containing returnToUrl -&gt; realm mappings
 	 */

remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java

@@ -57,11 +57,11 @@ public class AuthenticationSimpleHttpInvokerRequestExecutorTests {
 		// Create a connection and ensure our executor sets its
 		// properties correctly
 		AuthenticationSimpleHttpInvokerRequestExecutor executor = new AuthenticationSimpleHttpInvokerRequestExecutor();
-		HttpURLConnection conn = new MockHttpURLConnection(new URL("http://localhost/"));
+		HttpURLConnection conn = new MockHttpURLConnection(new URL("https://localhost/"));
 		executor.prepareConnection(conn, 10);
 
 		// Check connection properties
-		// See http://www.faqs.org/rfcs/rfc1945.html section 11.1 for example
+		// See https://tools.ietf.org/html/rfc1945 section 11.1 for example
 		// we are comparing against
 		assertThat(conn.getRequestProperty("Authorization")).isEqualTo(
 				"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==");
@@ -74,7 +74,7 @@ public class AuthenticationSimpleHttpInvokerRequestExecutorTests {
 		// Create a connection and ensure our executor sets its
 		// properties correctly
 		AuthenticationSimpleHttpInvokerRequestExecutor executor = new AuthenticationSimpleHttpInvokerRequestExecutor();
-		HttpURLConnection conn = new MockHttpURLConnection(new URL("http://localhost/"));
+		HttpURLConnection conn = new MockHttpURLConnection(new URL("https://localhost/"));
 		executor.prepareConnection(conn, 10);
 
 		// Check connection properties (shouldn't be an Authorization header)
@@ -91,7 +91,7 @@ public class AuthenticationSimpleHttpInvokerRequestExecutorTests {
 		// Create a connection and ensure our executor sets its
 		// properties correctly
 		AuthenticationSimpleHttpInvokerRequestExecutor executor = new AuthenticationSimpleHttpInvokerRequestExecutor();
-		HttpURLConnection conn = new MockHttpURLConnection(new URL("http://localhost/"));
+		HttpURLConnection conn = new MockHttpURLConnection(new URL("https://localhost/"));
 		executor.prepareConnection(conn, 10);
 
 		// Check connection properties (shouldn't be an Authorization header)

samples/javaconfig/hellojs/src/main/resources/resources/js/jquery-1.8.3.js

@@ -881,7 +881,7 @@ jQuery.ready.promise = function( obj ) {
 
 						try {
 							// Use the trick by Diego Perini
-							// http://javascript.nwbox.com/IEContentLoaded/
+							// https://javascript.nwbox.com/IEContentLoaded/
 							top.doScroll("left");
 						} catch(e) {
 							return setTimeout( doScrollCheck, 50 );
@@ -1390,7 +1390,7 @@ jQuery.support = (function() {
 	fragment.appendChild( div );
 
 	// Technique from Juriy Zaytsev
-	// http://perfectionkills.com/detecting-event-support-without-browser-sniffing/
+	// https://perfectionkills.com/detecting-event-support-without-browser-sniffing/
 	// We only care about the case where non-standard event systems
 	// are used, namely in IE. Short-circuiting here helps us to
 	// avoid an eval call (in setAttribute) which can cause CSP
@@ -1945,7 +1945,7 @@ jQuery.fn.extend({
 		});
 	},
 	// Based off of the plugin by Clint Helfers, with permission.
-	// http://blindsignals.com
+	// https://blindsignals.com
 	delay: function( time, type ) {
 		time = jQuery.fx ? jQuery.fx.speeds[ time ] || time : time;
 		type = type || "fx";
@@ -6867,7 +6867,7 @@ if ( window.getComputedStyle ) {
 		}
 
 		// From the awesome hack by Dean Edwards
-		// http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291
+		// https://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291
 
 		// If we're not dealing with a regular pixel number
 		// but a number that has a weird ending, we need to convert it to pixels

samples/javaconfig/openid/src/main/resources/resources/js/openid-client/jquery.query-2.1.3.js

@@ -1,7 +1,7 @@
 /**
  * jQuery.query - Query String Modification and Creation for jQuery
  * Written by Blair Mitchelmore (blair DOT mitchelmore AT gmail DOT com)
- * Licensed under the WTFPL (http://www.wtfpl.net/).
+ * Licensed under the WTFPL (https://www.wtfpl.net/).
  * Date: 2009/02/08
  *
  * @author Blair Mitchelmore

samples/xml/openid/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -54,7 +54,7 @@
 <!--
 	<user-service id="userService">
 		<user name="https://luke.taylor.myopenid.com/" authorities="ROLE_SUPERVISOR,ROLE_USER" />
-		<user name="http://luke.taylor.openid.cn/" authorities="ROLE_SUPERVISOR,ROLE_USER" />
+		<user name="https://luke.taylor.openid.cn/" authorities="ROLE_SUPERVISOR,ROLE_USER" />
 		<user name="https://raykrueger.blogspot.com/" authorities="ROLE_SUPERVISOR,ROLE_USER" />
 		<user name="https://spring.security.test.myopenid.com/" authorities="ROLE_SUPERVISOR,ROLE_USER" />
 	</user-service>

samples/xml/openid/src/main/webapp/js/openid-client/jquery.query-2.1.3.js

@@ -1,7 +1,7 @@
 /**
  * jQuery.query - Query String Modification and Creation for jQuery
  * Written by Blair Mitchelmore (blair DOT mitchelmore AT gmail DOT com)
- * Licensed under the WTFPL (http://www.wtfpl.net/).
+ * Licensed under the WTFPL (https://www.wtfpl.net/).
  * Date: 2009/02/08
  *
  * @author Blair Mitchelmore

web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java

@@ -45,7 +45,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
  *
  * <p>
  * For a detailed background on what this filter is designed to process, refer to
- * <a href="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section 11.1</a>. Any realm
+ * <a href="https://tools.ietf.org/html/rfc1945">RFC 1945, Section 11.1</a>. Any realm
  * name presented in the HTTP request is ignored.
  *
  * <p>

web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java

@@ -52,7 +52,7 @@ public class DefaultRedirectStrategyTests {
 		MockHttpServletResponse response = new MockHttpServletResponse();
 
 		rds.sendRedirect(request, response,
-				"https://http://context.blah.com/context/remainder");
+				"https://context.blah.com/context/remainder");
 
 		assertThat(response.getRedirectedUrl()).isEqualTo("remainder");
 	}

web/src/test/java/org/springframework/security/web/access/channel/RetryWithHttpEntryPointTests.java

@@ -85,7 +85,7 @@ public class RetryWithHttpEntryPointTests {
 				"/bigWebApp/hello/pathInfo.html");
 		request.setQueryString("open=true");
 		request.setScheme("https");
-		request.setServerName("www.example.com");
+		request.setServerName("localhost");
 		request.setServerPort(443);
 
 		MockHttpServletResponse response = new MockHttpServletResponse();
@@ -96,7 +96,7 @@ public class RetryWithHttpEntryPointTests {
 
 		ep.commence(request, response);
 		assertThat(response.getRedirectedUrl()).isEqualTo(
-				"http://www.example.com/bigWebApp/hello/pathInfo.html?open=true");
+				"http://localhost/bigWebApp/hello/pathInfo.html?open=true");
 	}
 
 	@Test

web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java

@@ -385,7 +385,7 @@ public class AbstractAuthenticationProcessingFilterTests {
 		MockHttpServletResponse response = new MockHttpServletResponse();
 
 		MockAuthenticationFilter filter = new MockAuthenticationFilter(false);
-		successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/");
+		successHandler.setDefaultTargetUrl("https://monkeymachine.co.uk/");
 		filter.setAuthenticationSuccessHandler(successHandler);
 
 		filter.doFilter(request, response, chain);
@@ -409,7 +409,7 @@ public class AbstractAuthenticationProcessingFilterTests {
 		ReflectionTestUtils.setField(filter, "logger", logger);
 		filter.exceptionToThrow = new InternalAuthenticationServiceException(
 				"Mock requested to do so");
-		successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/");
+		successHandler.setDefaultTargetUrl("https://monkeymachine.co.uk/");
 		filter.setAuthenticationSuccessHandler(successHandler);
 
 		filter.doFilter(request, response, chain);

web/src/test/java/org/springframework/security/web/authentication/LoginUrlAuthenticationEntryPointTests.java

@@ -249,7 +249,7 @@ public class LoginUrlAuthenticationEntryPointTests {
 	// SEC-1498
 	@Test
 	public void absoluteLoginFormUrlIsSupported() throws Exception {
-		final String loginFormUrl = "http://somesite.com/login";
+		final String loginFormUrl = "https://somesite.com/login";
 		LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint(
 				loginFormUrl);
 		ep.afterPropertiesSet();
@@ -260,9 +260,9 @@ public class LoginUrlAuthenticationEntryPointTests {
 
 	@Test(expected = IllegalArgumentException.class)
 	public void absoluteLoginFormUrlCantBeUsedWithForwarding() throws Exception {
-		final String loginFormUrl = "http://somesite.com/login";
+		final String loginFormUrl = "https://somesite.com/login";
 		LoginUrlAuthenticationEntryPoint ep = new LoginUrlAuthenticationEntryPoint(
-				"http://somesite.com/login");
+				"https://somesite.com/login");
 		ep.setUseForward(true);
 		ep.afterPropertiesSet();
 	}

web/src/test/java/org/springframework/security/web/authentication/logout/SimpleUrlLogoutSuccessHandlerTests.java

@@ -45,11 +45,11 @@ public class SimpleUrlLogoutSuccessHandlerTests {
 	@Test
 	public void absoluteUrlIsSupported() throws Exception {
 		SimpleUrlLogoutSuccessHandler lsh = new SimpleUrlLogoutSuccessHandler();
-		lsh.setDefaultTargetUrl("http://someurl.com/");
+		lsh.setDefaultTargetUrl("https://someurl.com/");
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		lsh.onLogoutSuccess(request, response, mock(Authentication.class));
-		assertThat(response.getRedirectedUrl()).isEqualTo("http://someurl.com/");
+		assertThat(response.getRedirectedUrl()).isEqualTo("https://someurl.com/");
 	}
 
 }

web/src/test/java/org/springframework/security/web/server/header/StrictTransportSecurityServerHttpHeadersWriterTests.java

@@ -86,7 +86,7 @@ public class StrictTransportSecurityServerHttpHeadersWriterTests {
 
 	@Test
 	public void writeHttpHeadersWhenHttpThenNoHeaders() {
-		exchange = exchange(MockServerHttpRequest.get("http://example.com/"));
+		exchange = exchange(MockServerHttpRequest.get("http://localhost/"));
 
 		hsts.writeHttpHeaders(exchange);