From d5f1f6cbff84656e6cb7a64f19a9455279f3f271 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Thu, 2 Jun 2011 21:19:01 -0500
Subject: [PATCH] SEC-1757: Updated tutorial sample to state that listing of
accounts is allowed by anyone and to display accounts for the different types
of access to posting to Accounts
---
.../tutorial/src/main/webapp/WEB-INF/jsp/listAccounts.jsp | 8 ++++++++
samples/tutorial/src/main/webapp/index.jsp | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/samples/tutorial/src/main/webapp/WEB-INF/jsp/listAccounts.jsp b/samples/tutorial/src/main/webapp/WEB-INF/jsp/listAccounts.jsp
index b1deaa337a..4fbedda3a8 100644
--- a/samples/tutorial/src/main/webapp/WEB-INF/jsp/listAccounts.jsp
+++ b/samples/tutorial/src/main/webapp/WEB-INF/jsp/listAccounts.jsp
@@ -1,6 +1,14 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt"%>
Accounts
+
+Anyone can view this page, but posting to an Account requires login and must be authorized. Below are some users to try posting to Accounts with.
+
+
+- rod/koala - can post to any Account
+- dianne/emu - can post to Accounts as long as the balance remains above the overdraft amount
+- scott/wombat - cannot post to any Accounts
+
Home
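Review bot: The added list prints working username/password pairs (`rod/koala`, `dianne/emu`, `scott/wombat`) on a page that the new paragraph itself says anyone can view, so any copy of this sample reachable beyond a local demo advertises valid logins. I would add a JSP comment above the list, for example `<%-- Sample-only credentials; must match the users defined in the sample's security configuration. Do not deploy as-is. --%>`, and call them "sample users" in the visible text. The access rules the paragraph describes (public view, authorization required to post) are defined outside this hunk, presumably in the sample's security configuration, so this wording has to be kept in sync with them by hand.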
diff --git a/samples/tutorial/src/main/webapp/index.jsp b/samples/tutorial/src/main/webapp/index.jsp
index 8c2e005bf9..3228c7fdd8 100644
--- a/samples/tutorial/src/main/webapp/index.jsp
+++ b/samples/tutorial/src/main/webapp/index.jsp
@@ -6,7 +6,7 @@
Anyone can view this page.
-If you're logged in, you can list accounts.
+While anyone can also view the list accounts page, you must be authorized to post to an Account from the list accounts page.
Your principal object is....: <%= request.getUserPrincipal() %>
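Review bot: The unchanged line `<%= request.getUserPrincipal() %>` just below the edited sentence writes the principal's string form into the HTML without escaping, on a page the text says anyone can view. The sample's user names are fixed, but tutorial code is often copied into applications where account names come from user registration, and there the value should be escaped. `<c:out value="${pageContext.request.userPrincipal}"/>` would do that, assuming the JSTL core taglib is declared at the top of index.jsp, which is outside the hunk. What the principal's `toString()` includes is not visible here, so it is worth confirming that it shows nothing beyond what the demo intends.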