diff --git a/CODE_OF_CONDUCT.adoc b/CODE_OF_CONDUCT.adoc index f013d6f36b..17783c7c06 100644 --- a/CODE_OF_CONDUCT.adoc +++ b/CODE_OF_CONDUCT.adoc @@ -40,5 +40,5 @@ appropriate to the circumstances. Maintainers are obligated to maintain confiden with regard to the reporter of an incident. This Code of Conduct is adapted from the -http://contributor-covenant.org[Contributor Covenant], version 1.3.0, available at -http://contributor-covenant.org/version/1/3/0/[contributor-covenant.org/version/1/3/0/] +https://contributor-covenant.org[Contributor Covenant], version 1.3.0, available at +https://contributor-covenant.org/version/1/3/0/[contributor-covenant.org/version/1/3/0/] diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 6de8600c9f..273ffb8a98 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -12,7 +12,7 @@ Each Spring module is slightly different than another in terms of team size, num # Importing into IDE -The following provides information on setting up a development environment that can run the sample in [Spring Tool Suite 3.6.0+](http://www.springsource.org/sts). Other IDE's should work using Gradle's IDE support, but have not been tested. +The following provides information on setting up a development environment that can run the sample in [Spring Tool Suite 3.6.0+](https://www.springsource.org/sts). Other IDE's should work using Gradle's IDE support, but have not been tested. * IDE Setup * Install Spring Tool Suite 3.6.0+ 
@@ -25,7 +25,7 @@ The following provides information on setting up a development environment that As of new versions of Spring Tool Suite, you might need to install Groovy Eclipse pointing directly to the updates plugin location. To install Groovy Eclipse on Spring Tool Suite based on Eclipse Oxigen you must do the following steps: Help->Install New Software...->Add the following URL into _Work with_ field: -http://dist.springsource.org/snapshot/GRECLIPSE/e4.7/ +https://dist.springsource.org/snapshot/GRECLIPSE/e4.7/ # Understand the basics Not sure what a pull request is, or how to submit one? Take a look at GitHub's excellent [help documentation first](https://help.github.com/articles/using-pull-requests). @@ -64,8 +64,8 @@ Please carefully follow the whitespace and formatting conventions already presen Whitespace management tips -1. You can use the [AnyEdit Eclipse plugin](http://marketplace.eclipse.org/content/anyedit-tools) to ensure spaces are used and to clean up trailing whitespaces. -1. Use git's pre-commit.sample hook to prevent invalid whitespace from being pushed out. You can enable it by moving ~/spring-security/.git/hooks/pre-commit.sample to ~/spring-security/.git/hooks/pre-commit and ensuring it is executable. For more information on hooks refer to [Pro Git's Pre-Commit Hook's section](http://git-scm.com/book/cs/ch7-3.html) +1. You can use the [AnyEdit Eclipse plugin](https://marketplace.eclipse.org/content/anyedit-tools) to ensure spaces are used and to clean up trailing whitespaces. +1. Use git's pre-commit.sample hook to prevent invalid whitespace from being pushed out. You can enable it by moving ~/spring-security/.git/hooks/pre-commit.sample to ~/spring-security/.git/hooks/pre-commit and ensuring it is executable. For more information on hooks refer to [Pro Git's Pre-Commit Hook's section](https://git-scm.com/book/cs/ch7-3.html) # Add Apache license header to all new classes 
@@ -116,7 +116,7 @@ Search the codebase to find related unit tests and add additional `@Test` method 2. New test methods should not start with test. This is an old JUnit3 convention and is not necessary since the method is annotated with @Test. # Update spring-security-x.y.rnc for schema changes -Update the [RELAX NG](http://www.relaxng.org) schema `spring-security-x.y.rnc` instead of `spring-security-x.y.xsd` if you contribute changes to supported XML configuration. The XML schema file can be generated the following Gradle task: +Update the [RELAX NG](https://relaxng.org/) schema `spring-security-x.y.rnc` instead of `spring-security-x.y.xsd` if you contribute changes to supported XML configuration. The XML schema file can be generated the following Gradle task:
 ./gradlew spring-security-config:rncToXsd
@@ -125,7 +125,7 @@ Update the [RELAX NG](http://www.relaxng.org) schema `spring-security-x.y.rnc` i
 Changes to the XML schema will be overwritten by the Gradle build task.
 
 # Squash commits
-Use git rebase --interactive, git add --patch and other tools to "squash" multiple commits into atomic changes. In addition to the man pages for git, there are many resources online to help you understand how these tools work. Here is one: http://book.git-scm.com/4_interactive_rebasing.html.
+Use git rebase --interactive, git add --patch and other tools to "squash" multiple commits into atomic changes. In addition to the man pages for git, there are many resources online to help you understand how these tools work. Here is one: https://book.git-scm.com/4_interactive_rebasing.html.
 
 # Use real name in git commits
 Please configure git to use your real first and last name for any commits you intend to submit as pull requests. For example, this is not acceptable:
diff --git a/README.adoc b/README.adoc
index 8c9dbd24e4..3f363c6c2e 100644
--- a/README.adoc
+++ b/README.adoc
@@ -4,10 +4,10 @@ image:https://travis-ci.org/spring-projects/spring-security.svg?branch=master["B
 
 = Spring Security
 
-Spring Security provides security services for the http://docs.spring.io[Spring IO Platform]. Spring Security 5.0 requires Spring 5.0 as
+Spring Security provides security services for the https://docs.spring.io[Spring IO Platform]. Spring Security 5.0 requires Spring 5.0 as
 a minimum and also requires Java 8.
 
-For a detailed list of features and access to the latest release, please visit http://spring.io/projects[Spring projects].
+For a detailed list of features and access to the latest release, please visit https://spring.io/projects[Spring projects].
 
 == Code of Conduct
 This project adheres to the Contributor Covenant link:CODE_OF_CONDUCT.adoc[code of conduct].
@@ -17,19 +17,19 @@ By participating, you  are expected to uphold this code. Please report unaccepta
 See https://github.com/spring-projects/spring-framework/wiki/Downloading-Spring-artifacts[downloading Spring artifacts] for Maven repository information.
 
 == Documentation
-Be sure to read the http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/[Spring Security Reference].
-Extensive JavaDoc for the Spring Security code is also available in the http://docs.spring.io/spring-security/site/docs/current/apidocs/[Spring Security API Documentation].
+Be sure to read the https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/[Spring Security Reference].
+Extensive JavaDoc for the Spring Security code is also available in the https://docs.spring.io/spring-security/site/docs/current/apidocs/[Spring Security API Documentation].
 
 == Quick Start
-We recommend you visit http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/[Spring Security Reference] and read the "Getting Started" page.
+We recommend you visit https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/[Spring Security Reference] and read the "Getting Started" page.
 
 == Building from Source
-Spring Security uses a http://gradle.org[Gradle]-based build system.
-In the instructions below, http://vimeo.com/34436402[`./gradlew`] is invoked from the root of the source tree and serves as
+Spring Security uses a https://gradle.org[Gradle]-based build system.
+In the instructions below, https://vimeo.com/34436402[`./gradlew`] is invoked from the root of the source tree and serves as
 a cross-platform, self-contained bootstrap mechanism for the build.
 
 === Prerequisites
-http://help.github.com/set-up-git-redirect[Git] and the http://www.oracle.com/technetwork/java/javase/downloads[JDK8 build].
+https://help.github.com/set-up-git-redirect[Git] and the https://www.oracle.com/technetwork/java/javase/downloads[JDK8 build].
 
 Be sure that your `JAVA_HOME` environment variable points to the `jdk1.8.0` folder extracted from the JDK download.
 
@@ -55,11 +55,11 @@ Discover more commands with `./gradlew tasks`.
 See also the https://github.com/spring-projects/spring-framework/wiki/Gradle-build-and-release-FAQ[Gradle build and release FAQ].
 
 == Getting Support
-Check out the http://stackoverflow.com/questions/tagged/spring-security[Spring Security tags on Stack Overflow].
-http://spring.io/services[Commercial support] is available too.
+Check out the https://stackoverflow.com/questions/tagged/spring-security[Spring Security tags on Stack Overflow].
+https://spring.io/services[Commercial support] is available too.
 
 == Contributing
-http://help.github.com/send-pull-requests[Pull requests] are welcome; see the https://github.com/spring-projects/spring-security/blob/master/CONTRIBUTING.md[contributor guidelines] for details.
+https://help.github.com/send-pull-requests[Pull requests] are welcome; see the https://github.com/spring-projects/spring-security/blob/master/CONTRIBUTING.md[contributor guidelines] for details.
 
 == License
 Spring Security is Open Source software released under the
diff --git a/cas/src/main/java/org/springframework/security/cas/authentication/EhCacheBasedTicketCache.java b/cas/src/main/java/org/springframework/security/cas/authentication/EhCacheBasedTicketCache.java
index a2e2eba360..a530a88e2d 100644
--- a/cas/src/main/java/org/springframework/security/cas/authentication/EhCacheBasedTicketCache.java
+++ b/cas/src/main/java/org/springframework/security/cas/authentication/EhCacheBasedTicketCache.java
@@ -26,7 +26,7 @@ import org.springframework.util.Assert;
 
 /**
  * Caches tickets using a Spring IoC defined EHCACHE.
+ * href="https://www.ehcache.org/">EHCACHE.
  *
  * @author Ben Alex
  */
diff --git a/cas/src/main/java/org/springframework/security/cas/package-info.java b/cas/src/main/java/org/springframework/security/cas/package-info.java
index b621df675c..8ce8a88b5a 100644
--- a/cas/src/main/java/org/springframework/security/cas/package-info.java
+++ b/cas/src/main/java/org/springframework/security/cas/package-info.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 /**
- * Spring Security support for Jasig's Central Authentication Service (CAS).
+ * Spring Security support for Jasig's Central Authentication Service (CAS).
  */
 package org.springframework.security.cas;
 
diff --git a/config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java b/config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java
index 943c663c89..d910db7eb5 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java
@@ -141,8 +141,8 @@ public class AuthenticationManagerBuilder
 	 *
 	 * 

* When using with a persistent data store, it is best to add users external of - * configuration using something like Flyway or Liquibase to create the schema and adding + * configuration using something like Flyway or Liquibase to create the schema and adding * users to ensure these steps are only done once and that the optimal SQL is used. *

* @@ -151,7 +151,7 @@ public class AuthenticationManagerBuilder * {@link #getDefaultUserDetailsService()} method. Note that additional * {@link UserDetailsService}'s may override this {@link UserDetailsService} as the * default. See the User Schema section of the reference for the default schema. *

* diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java index fc6ccf4b21..016a8c35be 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java @@ -202,17 +202,17 @@ public final class HttpSecurity extends * .authenticationUserDetailsService( * new AutoProvisioningUserDetailsService()) * .attributeExchange("https://www.google.com/.*").attribute("email") - * .type("http://axschema.org/contact/email").required(true).and() - * .attribute("firstname").type("http://axschema.org/namePerson/first") + * .type("https://axschema.org/contact/email").required(true).and() + * .attribute("firstname").type("https://axschema.org/namePerson/first") * .required(true).and().attribute("lastname") - * .type("http://axschema.org/namePerson/last").required(true).and().and() + * .type("https://axschema.org/namePerson/last").required(true).and().and() * .attributeExchange(".*yahoo.com.*").attribute("email") - * .type("http://schema.openid.net/contact/email").required(true).and() - * .attribute("fullname").type("http://axschema.org/namePerson") + * .type("https://schema.openid.net/contact/email").required(true).and() + * .attribute("fullname").type("https://axschema.org/namePerson") * .required(true).and().and().attributeExchange(".*myopenid.com.*") - * .attribute("email").type("http://schema.openid.net/contact/email") + * .attribute("email").type("https://schema.openid.net/contact/email") * .required(true).and().attribute("fullname") - * .type("http://schema.openid.net/namePerson").required(true); + * .type("https://schema.openid.net/namePerson").required(true); * } * } * 
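Review bot: The `.type(...)` arguments in this Javadoc example are OpenID Attribute Exchange type identifiers, not hyperlinks, so rewriting them to `https://` changes the value a reader would copy into `attributeExchange(...)`. These identifiers are defined with the `http` scheme and are presumably compared literally by providers, so the sample should keep `.type("http://axschema.org/contact/email")` and the matching `http://axschema.org/namePerson...` and `http://schema.openid.net/...` values. The same substitution appears in the `openid-attribute` type documentation of the spring-security-3.1 through 5.0 `.rnc` and `.xsd` files later in this diff. The enclosing Javadoc block starts and ends outside the hunk.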
@@ -904,7 +904,7 @@ public final class HttpSecurity extends * * The "authentication flow" is implemented using the Authorization Code Grant, as specified in the * OAuth 2.0 Authorization Framework - * and OpenID Connect Core 1.0 + * and OpenID Connect Core 1.0 * specification. *
*
@@ -981,7 +981,7 @@ public final class HttpSecurity extends * @author Joe Grandja * @since 5.0 * @see Section 4.1 Authorization Code Grant - * @see Section 3.1 Authorization Code Flow + * @see Section 3.1 Authorization Code Flow * @see org.springframework.security.oauth2.client.registration.ClientRegistration * @see org.springframework.security.oauth2.client.registration.ClientRegistrationRepository * @return the {@link OAuth2LoginConfigurer} for further customizations @@ -1001,7 +1001,7 @@ public final class HttpSecurity extends * requiring HTTPS for some requests is supported, but not recommended since an * application that allows for HTTP introduces many security vulnerabilities. For one * such example, read about Firesheep. + * href="https://en.wikipedia.org/wiki/Firesheep">Firesheep. * *
 	 * @Configuration
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
index d4e4fdd0ae..9522ef57a0 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
@@ -371,7 +371,7 @@ public final class ExpressionUrlAuthorizationConfigurersubnet.
 		 *
 		 * @param ipaddressExpression the ipaddress (i.e. 192.168.1.79) or local subnet
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
index 393d3fa165..610d9af5ed 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
@@ -104,7 +104,7 @@ public class HeadersConfigurer> extends
 
 	/**
 	 * Configures the {@link XContentTypeOptionsHeaderWriter} which inserts the X-Content-Type-Options:
 	 *
 	 * 
@@ -160,7 +160,7 @@ public class HeadersConfigurer> extends
 	 *
 	 * 

* Allows customizing the {@link XXssProtectionHeaderWriter} which adds the X-XSS-Protection header *

* @@ -306,7 +306,7 @@ public class HeadersConfigurer> extends /** * Allows customizing the {@link HstsHeaderWriter} which provides support for HTTP Strict Transport Security + * href="https://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security * (HSTS). * * @return the {@link HeadersConfigurer} for additional customizations @@ -331,7 +331,7 @@ public class HeadersConfigurer> extends *

* This instructs browsers how long to remember to keep this domain as a known * HSTS Host. See Section 6.1.1 for + * href="https://tools.ietf.org/html/rfc6797#section-6.1.1">Section 6.1.1 for * additional details. *

* @@ -364,7 +364,7 @@ public class HeadersConfigurer> extends *

* *

- * See Section + * See Section * 6.1.2 for additional details. *

* @@ -483,7 +483,7 @@ public class HeadersConfigurer> extends /** * Allows customizing the {@link HpkpHeaderWriter} which provides support for HTTP Public Key Pinning (HPKP). + * href="https://tools.ietf.org/html/rfc7469">HTTP Public Key Pinning (HPKP). * * @return the {@link HeadersConfigurer} for additional customizations * @@ -506,7 +506,7 @@ public class HeadersConfigurer> extends *

* The pin directive specifies a way for web host operators to indicate * a cryptographic identity that should be bound to a given web host. - * See Section 2.1.1 for additional details. + * See Section 2.1.1 for additional details. *

* * @param pins the map of base64-encoded SPKI fingerprint & cryptographic hash algorithm pairs. @@ -525,7 +525,7 @@ public class HeadersConfigurer> extends *

* The pin directive specifies a way for web host operators to indicate * a cryptographic identity that should be bound to a given web host. - * See Section 2.1.1 for additional details. + * See Section 2.1.1 for additional details. *

* * @param pins a list of base64-encoded SPKI fingerprints. @@ -544,7 +544,7 @@ public class HeadersConfigurer> extends * *

* This instructs browsers how long they should regard the host (from whom the message was received) - * as a known pinned host. See Section + * as a known pinned host. See Section * 2.1.2 for additional details. *

* @@ -564,7 +564,7 @@ public class HeadersConfigurer> extends *

* *

- * See Section 2.1.3 + * See Section 2.1.3 * for additional details. *

* @@ -581,7 +581,7 @@ public class HeadersConfigurer> extends *

* *

- * See Section 2.1 + * See Section 2.1 * for additional details. *

* @@ -598,7 +598,7 @@ public class HeadersConfigurer> extends *

* *

- * See Section 2.1.4 + * See Section 2.1.4 * for additional details. *

* @@ -615,7 +615,7 @@ public class HeadersConfigurer> extends *

* *

- * See Section 2.1.4 + * See Section 2.1.4 * for additional details. *

* diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java index 375c165e51..05fde99080 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java @@ -129,7 +129,7 @@ public final class LogoutConfigurer> extends *

* It is considered best practice to use an HTTP POST on any action that changes state * (i.e. log out) to protect against CSRF attacks. If + * href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">CSRF attacks. If * you really want to use an HTTP GET, you can use * logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl, "GET")); *

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java index 3034640297..1f091496c0 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java @@ -566,7 +566,7 @@ public final class OAuth2LoginConfigurer> exten OAuth2LoginAuthenticationToken authorizationCodeAuthentication = (OAuth2LoginAuthenticationToken) authentication; - // Section 3.1.2.1 Authentication Request - http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest + // Section 3.1.2.1 Authentication Request - https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest // scope // REQUIRED. OpenID Connect requests MUST contain the "openid" scope value. if (authorizationCodeAuthentication.getAuthorizationExchange() diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc index 8d1b683e2a..c36eb2b7b1 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc @@ -1,4 +1,4 @@ -namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0" +namespace a = "https://relaxng.org/ns/compatibility/annotations/1.0" datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes" default namespace = "http://www.springframework.org/schema/security" 
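Review bot: `namespace a = "https://relaxng.org/ns/compatibility/annotations/1.0"` at the top of spring-security-3.1.rnc is a namespace name rather than a link, and namespace names are compared character by character, so the new value no longer denotes the RELAX NG compatibility-annotations namespace. The neighbouring `datatypes xsd` and `default namespace` lines in the same hunk were left on `http://`, which suggests this line was caught by the bulk link rewrite. Keep `namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0"`; otherwise any `a:` annotations in the schema (not visible in this hunk) may be ignored when the `.xsd` is generated with `rncToXsd`. The same line is changed in the 3.2, 4.0, 4.1, 4.2 and 5.0 `.rnc` files.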
@@ -444,7 +444,7 @@ openid-attribute.attlist &= ## Specifies the name of the attribute that you wish to get back. For example, email. attribute name {xsd:token} openid-attribute.attlist &= - ## Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types. + ## Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types. attribute type {xsd:token} openid-attribute.attlist &= ## Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute. Default is false. diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd index 05e95ca75c..0cd1701232 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd @@ -1439,7 +1439,7 @@ - Specifies the attribute type. For example, http://axschema.org/contact/email. See your + Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types. diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc index 14d16d92d5..561608643a 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc 
@@ -1,4 +1,4 @@ -namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0" +namespace a = "https://relaxng.org/ns/compatibility/annotations/1.0" datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes" default namespace = "http://www.springframework.org/schema/security" @@ -444,7 +444,7 @@ openid-attribute.attlist &= ## Specifies the name of the attribute that you wish to get back. For example, email. attribute name {xsd:token} openid-attribute.attlist &= - ## Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types. + ## Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types. attribute type {xsd:token} openid-attribute.attlist &= ## Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute. Default is false. diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd index bdd4cdf143..ab98b07d64 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd @@ -1441,7 +1441,7 @@ - Specifies the attribute type. For example, http://axschema.org/contact/email. See your + Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types. diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc index f25f69c42c..4795353a40 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc 
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc @@ -1,4 +1,4 @@ -namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0" +namespace a = "https://relaxng.org/ns/compatibility/annotations/1.0" datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes" default namespace = "http://www.springframework.org/schema/security" @@ -460,7 +460,7 @@ openid-attribute.attlist &= ## Specifies the name of the attribute that you wish to get back. For example, email. attribute name {xsd:token} openid-attribute.attlist &= - ## Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types. + ## Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types. attribute type {xsd:token} openid-attribute.attlist &= ## Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute. Default is false. diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd index cdaf952df7..3780ac26fc 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd @@ -1509,7 +1509,7 @@ - Specifies the attribute type. For example, http://axschema.org/contact/email. See your + Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types. diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.1.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-4.1.rnc index 9f3bbe98a1..33909473fa 100644 
--- a/config/src/main/resources/org/springframework/security/config/spring-security-4.1.rnc +++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.1.rnc @@ -1,4 +1,4 @@ -namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0" +namespace a = "https://relaxng.org/ns/compatibility/annotations/1.0" datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes" default namespace = "http://www.springframework.org/schema/security" @@ -469,7 +469,7 @@ openid-attribute.attlist &= ## Specifies the name of the attribute that you wish to get back. For example, email. attribute name {xsd:token} openid-attribute.attlist &= - ## Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types. + ## Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types. attribute type {xsd:token} openid-attribute.attlist &= ## Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute. Default is false. diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.1.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-4.1.xsd index 4e13923540..9f87deecd8 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-4.1.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.1.xsd @@ -1534,7 +1534,7 @@ - Specifies the attribute type. For example, http://axschema.org/contact/email. See your + Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types. 
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.2.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-4.2.rnc index 330bb68be8..9f65df684a 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-4.2.rnc +++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.2.rnc @@ -1,4 +1,4 @@ -namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0" +namespace a = "https://relaxng.org/ns/compatibility/annotations/1.0" datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes" default namespace = "http://www.springframework.org/schema/security" @@ -468,7 +468,7 @@ openid-attribute.attlist &= ## Specifies the name of the attribute that you wish to get back. For example, email. attribute name {xsd:token} openid-attribute.attlist &= - ## Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types. + ## Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types. attribute type {xsd:token} openid-attribute.attlist &= ## Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute. Default is false. diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd index a7efae9f5d..83d77e1875 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd 
@@ -1539,7 +1539,7 @@ - Specifies the attribute type. For example, http://axschema.org/contact/email. See your + Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types. diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc index 32788775f7..12a8b3331d 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc +++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc @@ -1,4 +1,4 @@ -namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0" +namespace a = "https://relaxng.org/ns/compatibility/annotations/1.0" datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes" default namespace = "http://www.springframework.org/schema/security" @@ -458,7 +458,7 @@ openid-attribute.attlist &= ## Specifies the name of the attribute that you wish to get back. For example, email. attribute name {xsd:token} openid-attribute.attlist &= - ## Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types. + ## Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types. attribute type {xsd:token} openid-attribute.attlist &= ## Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute. Default is false. diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd index d8ffb9beaf..c566ea52f4 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd 
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd @@ -1494,7 +1494,7 @@ - Specifies the attribute type. For example, http://axschema.org/contact/email. See your + Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types. diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.groovy index 504275cb72..7aa9dc884c 100644 --- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.groovy @@ -351,7 +351,7 @@ class HeadersConfigurerTests extends BaseSpringSpec { when: springSecurityFilterChain.doFilter(request,response,chain) then: - responseHeaders == ['Public-Key-Pins-Report-Only' : 'max-age=5184000 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=" ; report-uri="http://example.net/pkp-report"'] + responseHeaders == ['Public-Key-Pins-Report-Only' : 'max-age=5184000 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=" ; report-uri="https://example.net/pkp-report"'] } @EnableWebSecurity @@ -364,7 +364,7 @@ class HeadersConfigurerTests extends BaseSpringSpec { .defaultsDisabled() .httpPublicKeyPinning() .addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=") - .reportUri(new URI("http://example.net/pkp-report")) + .reportUri(new URI("https://example.net/pkp-report")) } } 
@@ -375,7 +375,7 @@ class HeadersConfigurerTests extends BaseSpringSpec { when: springSecurityFilterChain.doFilter(request,response,chain) then: - responseHeaders == ['Public-Key-Pins-Report-Only' : 'max-age=5184000 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=" ; report-uri="http://example.net/pkp-report"'] + responseHeaders == ['Public-Key-Pins-Report-Only' : 'max-age=5184000 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=" ; report-uri="https://example.net/pkp-report"'] } @EnableWebSecurity @@ -388,7 +388,7 @@ class HeadersConfigurerTests extends BaseSpringSpec { .defaultsDisabled() .httpPublicKeyPinning() .addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=") - .reportUri("http://example.net/pkp-report") + .reportUri("https://example.net/pkp-report") } } diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpOpenIDLoginTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpOpenIDLoginTests.groovy index f3d8605671..b791fff57c 100644 --- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpOpenIDLoginTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpOpenIDLoginTests.groovy 
@@ -83,21 +83,21 @@ public class NamespaceHttpOpenIDLoginTests extends BaseSpringSpec { def googleAttrs = consumer.attributesToFetchFactory.createAttributeList("https://www.google.com/1") googleAttrs[0].name == "email" - googleAttrs[0].type == "http://axschema.org/contact/email" + googleAttrs[0].type == "https://axschema.org/contact/email" googleAttrs[0].required googleAttrs[1].name == "firstname" - googleAttrs[1].type == "http://axschema.org/namePerson/first" + googleAttrs[1].type == "https://axschema.org/namePerson/first" googleAttrs[1].required googleAttrs[2].name == "lastname" - googleAttrs[2].type == "http://axschema.org/namePerson/last" + googleAttrs[2].type == "https://axschema.org/namePerson/last" googleAttrs[2].required def yahooAttrs = consumer.attributesToFetchFactory.createAttributeList("https://rwinch.yahoo.com/rwinch/id") yahooAttrs[0].name == "email" - yahooAttrs[0].type == "http://schema.openid.net/contact/email" + yahooAttrs[0].type == "https://schema.openid.net/contact/email" yahooAttrs[0].required yahooAttrs[1].name == "fullname" - yahooAttrs[1].type == "http://axschema.org/namePerson" + yahooAttrs[1].type == "https://axschema.org/namePerson" yahooAttrs[1].required when: springSecurityFilterChain.doFilter(request,response,chain) 
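Review bot: The type strings asserted in this hunk (`https://axschema.org/contact/email`, `https://schema.openid.net/contact/email` and the rest) are OpenID Attribute Exchange type identifiers, which a provider matches as exact strings, and the published identifiers use the `http://` scheme. The assertions only hold because the configuration in the `@@ -122,26` hunk of this file was rewritten the same way, so the fixtures no longer look like values a real provider would recognise. The same rewrite reaches the `openid-attribute` type documentation in the 4.1/4.2/5.0 `.rnc` and `.xsd` files and the attribute-exchange fixtures in HttpOpenIDConfigTests, where it could steer users towards a type their OP does not return. I would keep `"http://axschema.org/contact/email"` and its siblings in both places and add `// AX type URIs are identifiers, not links; the http scheme is part of the value`. The test method begins outside the hunk.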
@@ -122,26 +122,26 @@ public class NamespaceHttpOpenIDLoginTests extends BaseSpringSpec { .openidLogin() .attributeExchange("https://www.google.com/.*") // attribute-exchange@identifier-match .attribute("email") // openid-attribute@name - .type("http://axschema.org/contact/email") // openid-attribute@type + .type("https://axschema.org/contact/email") // openid-attribute@type .required(true) // openid-attribute@required .count(1) // openid-attribute@count .and() .attribute("firstname") - .type("http://axschema.org/namePerson/first") + .type("https://axschema.org/namePerson/first") .required(true) .and() .attribute("lastname") - .type("http://axschema.org/namePerson/last") + .type("https://axschema.org/namePerson/last") .required(true) .and() .and() .attributeExchange(".*yahoo.com.*") .attribute("email") - .type("http://schema.openid.net/contact/email") + .type("https://schema.openid.net/contact/email") .required(true) .and() .attribute("fullname") - .type("http://axschema.org/namePerson") + .type("https://axschema.org/namePerson") .required(true) .and() .and() diff --git a/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy index d093f1a2b4..fa6ad18799 100644 --- a/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy @@ -624,7 +624,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests { setup: httpAutoConfig { 'headers'('defaults-disabled':true) { - 'hpkp'('report-uri':'http://example.net/pkp-report') { + 'hpkp'('report-uri':'https://example.net/pkp-report') { 'pins'() { 'pin'('algorithm':'sha256', 'E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=') } 
@@ -637,7 +637,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests { when: springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure: true), response, new MockFilterChain()) then: - assertHeaders(response, ['Public-Key-Pins-Report-Only': 'max-age=5184000 ; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=" ; report-uri="http://example.net/pkp-report"']) + assertHeaders(response, ['Public-Key-Pins-Report-Only': 'max-age=5184000 ; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=" ; report-uri="https://example.net/pkp-report"']) } // --- disable single default header --- diff --git a/config/src/test/groovy/org/springframework/security/config/http/HttpOpenIDConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/HttpOpenIDConfigTests.groovy index 1f4c03b8ac..919b73999c 100644 --- a/config/src/test/groovy/org/springframework/security/config/http/HttpOpenIDConfigTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/http/HttpOpenIDConfigTests.groovy @@ -118,7 +118,7 @@ class OpenIDConfigTests extends AbstractHttpConfigTests { response.getContentAsString().contains(AbstractRememberMeServices.DEFAULT_PARAMETER) when: "Login is submitted with remember-me selected" request.servletPath = "/login/openid" - request.setParameter(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, "http://hey.openid.com/") + request.setParameter(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, "http://ww1.openid.com") request.setParameter(AbstractRememberMeServices.DEFAULT_PARAMETER, "on") response = new MockHttpServletResponse(); fc.doFilter(request, response, new MockFilterChain()); 
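Review bot: In the `@@ -118,7 +118,7 @@` hunk of HttpOpenIDConfigTests the claimed identity changes from `"http://hey.openid.com/"` to `"http://ww1.openid.com"`, which is a different host, drops the trailing slash and is still plain http, so it is not a scheme upgrade. It looks as if a redirect target was substituted for the fixture value (inferred from the shape of the change), which makes the test depend on whatever that host happens to be. I would restore `request.setParameter(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, "http://hey.openid.com/")` and exclude this line from the automated rewrite. The assertions that follow the submit are outside the hunk, so whether they compare against the identity string could not be checked.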
@@ -133,8 +133,8 @@ class OpenIDConfigTests extends AbstractHttpConfigTests { xml.http() { 'openid-login'() { 'attribute-exchange'() { - 'openid-attribute'(name: 'nickname', type: 'http://schema.openid.net/namePerson/friendly') - 'openid-attribute'(name: 'email', type: 'http://schema.openid.net/contact/email', required: 'true', + 'openid-attribute'(name: 'nickname', type: 'https://schema.openid.net/namePerson/friendly') + 'openid-attribute'(name: 'email', type: 'https://schema.openid.net/contact/email', required: 'true', 'count': '2') } } @@ -146,7 +146,7 @@ class OpenIDConfigTests extends AbstractHttpConfigTests { expect: attributes.size() == 2 attributes[0].name == 'nickname' - attributes[0].type == 'http://schema.openid.net/namePerson/friendly' + attributes[0].type == 'https://schema.openid.net/namePerson/friendly' !attributes[0].required attributes[1].required attributes[1].getCount() == 2 diff --git a/config/src/test/java/org/springframework/security/config/authentication/UserServiceBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/authentication/UserServiceBeanDefinitionParserTests.java index f8f878be6d..b3791d7f1d 100644 --- a/config/src/test/java/org/springframework/security/config/authentication/UserServiceBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/authentication/UserServiceBeanDefinitionParserTests.java 
@@ -89,14 +89,14 @@ public class UserServiceBeanDefinitionParserTests { @Test public void worksWithOpenIDUrlsAsNames() { setContext("" - + " " + + " " + " " + ""); UserDetailsService userService = (UserDetailsService) appContext .getBean("service"); assertThat( - userService.loadUserByUsername("http://joe.myopenid.com/").getUsername()) - .isEqualTo("http://joe.myopenid.com/"); + userService.loadUserByUsername("https://joe.myopenid.com/").getUsername()) + .isEqualTo("https://joe.myopenid.com/"); assertThat( userService.loadUserByUsername( "https://www.google.com/accounts/o8/id?id=MPtOaenBIk5yzW9n7n9") diff --git a/config/src/test/java/org/springframework/security/config/oauth2/client/CommonOAuth2ProviderTests.java b/config/src/test/java/org/springframework/security/config/oauth2/client/CommonOAuth2ProviderTests.java index a2c29e99c5..fabe77aeeb 100644 --- a/config/src/test/java/org/springframework/security/config/oauth2/client/CommonOAuth2ProviderTests.java +++ b/config/src/test/java/org/springframework/security/config/oauth2/client/CommonOAuth2ProviderTests.java 
@@ -106,18 +106,18 @@ public class CommonOAuth2ProviderTests { @Test public void getBuilderWhenOktaShouldHaveOktaSettings() throws Exception { ClientRegistration registration = builder(CommonOAuth2Provider.OKTA) - .authorizationUri("http://example.com/auth") - .tokenUri("http://example.com/token") - .userInfoUri("http://example.com/info") - .jwkSetUri("http://example.com/jwkset").build(); + .authorizationUri("https://example.com/auth") + .tokenUri("https://example.com/token") + .userInfoUri("https://example.com/info") + .jwkSetUri("https://example.com/jwkset").build(); ProviderDetails providerDetails = registration.getProviderDetails(); assertThat(providerDetails.getAuthorizationUri()) - .isEqualTo("http://example.com/auth"); - assertThat(providerDetails.getTokenUri()).isEqualTo("http://example.com/token"); - assertThat(providerDetails.getUserInfoEndpoint().getUri()).isEqualTo("http://example.com/info"); + .isEqualTo("https://example.com/auth"); + assertThat(providerDetails.getTokenUri()).isEqualTo("https://example.com/token"); + assertThat(providerDetails.getUserInfoEndpoint().getUri()).isEqualTo("https://example.com/info"); assertThat(providerDetails.getUserInfoEndpoint().getUserNameAttributeName()) .isEqualTo(IdTokenClaimNames.SUB); - assertThat(providerDetails.getJwkSetUri()).isEqualTo("http://example.com/jwkset"); + assertThat(providerDetails.getJwkSetUri()).isEqualTo("https://example.com/jwkset"); assertThat(registration.getClientAuthenticationMethod()) .isEqualTo(ClientAuthenticationMethod.BASIC); assertThat(registration.getAuthorizationGrantType()) diff --git a/config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java b/config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java index 64d201f3b0..4336af0cc8 100644 --- a/config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java 
+++ b/config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java @@ -32,11 +32,11 @@ public class InMemoryXmlApplicationContext extends AbstractXmlApplicationContext + " xmlns:mvc='http://www.springframework.org/schema/mvc'\n" + " xmlns:websocket='http://www.springframework.org/schema/websocket'\n" + " xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'\n" - + " xsi:schemaLocation='http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd\n" - + "http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.5.xsd\n" - + "http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd\n" - + "http://www.springframework.org/schema/websocket http://www.springframework.org/schema/websocket/spring-websocket.xsd\n" - + "http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd\n" + + " xsi:schemaLocation='http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans-2.5.xsd\n" + + "http://www.springframework.org/schema/aop https://www.springframework.org/schema/aop/spring-aop-2.5.xsd\n" + + "http://www.springframework.org/schema/mvc https://www.springframework.org/schema/mvc/spring-mvc.xsd\n" + + "http://www.springframework.org/schema/websocket https://www.springframework.org/schema/websocket/spring-websocket.xsd\n" + + "http://www.springframework.org/schema/context https://www.springframework.org/schema/context/spring-context-2.5.xsd\n" + "http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-"; static final String BEANS_CLOSE = "\n"; 
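Review bot: The last `xsi:schemaLocation` entry still pairs the security namespace with `http://www.springframework.org/schema/security/spring-security-`, while the five entries above it now use `https://` locations, so the generated header mixes schemes. These values are also lookup keys: Spring resolves them offline by matching the location string against `META-INF/spring.schemas`, and a location with no mapping can fall through to a network fetch of the XSD during parsing. It is worth confirming that the Spring Framework version on the test classpath maps the `https://` forms, and that the security entry is deliberately left as is. A comment above the constant would help, for example `// schemaLocation values are keys into META-INF/spring.schemas, not download URLs; keep them in sync with the mappings on the classpath`. The constant's declaration starts outside the hunk.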
diff --git a/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java index 473b94c087..1b92dceb28 100644 --- a/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java +++ b/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java @@ -58,16 +58,16 @@ import org.springframework.util.ObjectUtils; * *

* This implementation is backed by a - * + * * JAAS configuration that is provided by a subclass's implementation of * {@link #createLoginContext(CallbackHandler)}. * *

* When using JAAS login modules as the authentication source, sometimes the + * "https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html" > * LoginContext will require CallbackHandlers. The * AbstractJaasAuthenticationProvider uses an internal CallbackHandler to wrap the {@link JaasAuthenticationCallbackHandler}s configured * in the ApplicationContext. When the LoginContext calls the internal CallbackHandler, * control is passed to each {@link JaasAuthenticationCallbackHandler} for each Callback diff --git a/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationCallbackHandler.java b/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationCallbackHandler.java index da82a14e41..101bdcef9e 100644 --- a/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationCallbackHandler.java +++ b/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationCallbackHandler.java @@ -41,9 +41,9 @@ import javax.security.auth.callback.UnsupportedCallbackException; * @see JaasNameCallbackHandler * @see JaasPasswordCallbackHandler * @see Callback + * href="https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html">Callback * @see + * href="https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/CallbackHandler.html"> * CallbackHandler */ public interface JaasAuthenticationCallbackHandler { @@ -52,7 +52,7 @@ public interface JaasAuthenticationCallbackHandler { /** * Handle the Callback. The handle method will be called for every callback instance sent * from the LoginContext. Meaning that The handle method may be called multiple times * for a given JaasAuthenticationCallbackHandler. 
diff --git a/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java index 421eb1795b..ef2b6fc5bc 100644 --- a/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java +++ b/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java @@ -48,7 +48,7 @@ import org.springframework.util.Assert; *

*

* This implementation is backed by a - * + * * JAAS configuration. The loginConfig property must be set to a given JAAS * configuration file. This setter accepts a Spring * {@link org.springframework.core.io.Resource} instance. It should point to a JAAS @@ -84,10 +84,10 @@ import org.springframework.util.Assert; * *

* When using JAAS login modules as the authentication source, sometimes the + * "https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html" > * LoginContext will require CallbackHandlers. The JaasAuthenticationProvider * uses an internal CallbackHandler to wrap the {@link JaasAuthenticationCallbackHandler}s configured * in the ApplicationContext. When the LoginContext calls the internal CallbackHandler, * control is passed to each {@link JaasAuthenticationCallbackHandler} for each Callback @@ -163,7 +163,7 @@ public class JaasAuthenticationProvider extends AbstractJaasAuthenticationProvid configureJaas(this.loginConfig); Assert.notNull(Configuration.getConfiguration(), - "As per http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html " + "As per https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html " + "\"If a Configuration object was set via the Configuration.setConfiguration method, then that object is " + "returned. Otherwise, a default Configuration object is returned\". Your JRE returned null to " + "Configuration.getConfiguration()."); @@ -266,7 +266,7 @@ public class JaasAuthenticationProvider extends AbstractJaasAuthenticationProvid * @param loginConfig * * @see JAAS + * "https://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html">JAAS * Reference */ public void setLoginConfig(Resource loginConfig) { diff --git a/core/src/main/java/org/springframework/security/authentication/jaas/JaasNameCallbackHandler.java b/core/src/main/java/org/springframework/security/authentication/jaas/JaasNameCallbackHandler.java index 4ad6cd88ed..fe068805ba 100644 --- a/core/src/main/java/org/springframework/security/authentication/jaas/JaasNameCallbackHandler.java +++ b/core/src/main/java/org/springframework/security/authentication/jaas/JaasNameCallbackHandler.java 
@@ -33,9 +33,9 @@ import javax.security.auth.callback.UnsupportedCallbackException; * @author Ray Krueger * * @see Callback + * href="https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html">Callback * @see NameCallback + * href="https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/NameCallback.html">NameCallback */ public class JaasNameCallbackHandler implements JaasAuthenticationCallbackHandler { // ~ Methods diff --git a/core/src/main/java/org/springframework/security/authentication/jaas/JaasPasswordCallbackHandler.java b/core/src/main/java/org/springframework/security/authentication/jaas/JaasPasswordCallbackHandler.java index 306f909a62..bf5d69b167 100644 --- a/core/src/main/java/org/springframework/security/authentication/jaas/JaasPasswordCallbackHandler.java +++ b/core/src/main/java/org/springframework/security/authentication/jaas/JaasPasswordCallbackHandler.java @@ -32,9 +32,9 @@ import javax.security.auth.callback.UnsupportedCallbackException; * @author Ray Krueger * * @see Callback + * href="https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html">Callback * @see + * href="https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/PasswordCallback.html"> * PasswordCallback */ public class JaasPasswordCallbackHandler implements JaasAuthenticationCallbackHandler { diff --git a/core/src/main/java/org/springframework/security/core/userdetails/cache/EhCacheBasedUserCache.java b/core/src/main/java/org/springframework/security/core/userdetails/cache/EhCacheBasedUserCache.java index a2a69df26b..196136b389 100644 --- a/core/src/main/java/org/springframework/security/core/userdetails/cache/EhCacheBasedUserCache.java +++ b/core/src/main/java/org/springframework/security/core/userdetails/cache/EhCacheBasedUserCache.java 
@@ -28,7 +28,7 @@ import org.springframework.util.Assert; /** * Caches User objects using a Spring IoC defined EHCACHE. + * HREF="https://www.ehcache.org/">EHCACHE. * * @author Ben Alex */ diff --git a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java index 80477c0f56..bca8af3b86 100644 --- a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java +++ b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java @@ -452,7 +452,7 @@ public class BCrypt { /** * Perform the "enhanced key schedule" step described by Provos and Mazieres in - * "A Future-Adaptable Password Scheme" http://www.openbsd.org/papers/bcrypt-paper.ps + * "A Future-Adaptable Password Scheme" https://www.openbsd.org/papers/bcrypt-paper.ps * @param data salt information * @param key password information */ diff --git a/crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java b/crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java index ea203f97db..8e07c87c7b 100644 --- a/crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java +++ b/crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java @@ -18,7 +18,7 @@ package org.springframework.security.crypto.codec; /** * Base64 encoder which is a reduced version of Robert Harder's public domain * implementation (version 2.3.7). See http://iharder.net/base64 for more information. + * href="http://iharder.sourceforge.net/current/java/base64/">http://iharder.sourceforge.net/current/java/base64/ for more information. *

* For internal use only. * @@ -44,7 +44,7 @@ public final class Base64 { /** * Encode using Base64-like encoding that is URL- and Filename-safe as described in * Section 4 of RFC3548: http://www.faqs + * href="http://www.faqs.org/rfcs/rfc3548.html">https://www.faqs * .org/rfcs/rfc3548.html. It is important to note that data encoded this way is * not officially valid Base64, or at the very least should not be called * Base64 without also specifying that is was encoded using the URL- and Filename-safe @@ -194,7 +194,7 @@ public final class Base64 { /** * I don't get the point of this technique, but someone requested it, and it is * described here: http://www.faqs.org/ + * href="http://www.faqs.org/qa/rfcc-1940.html">http://www.faqs.org/faqs/ * qa/rfcc-1940.html. */ private final static byte[] _ORDERED_ALPHABET = { (byte) '-', (byte) '0', (byte) '1', diff --git a/crypto/src/main/java/org/springframework/security/crypto/password/MessageDigestPasswordEncoder.java b/crypto/src/main/java/org/springframework/security/crypto/password/MessageDigestPasswordEncoder.java index 979e1403d9..50fc276a26 100644 --- a/crypto/src/main/java/org/springframework/security/crypto/password/MessageDigestPasswordEncoder.java +++ b/crypto/src/main/java/org/springframework/security/crypto/password/MessageDigestPasswordEncoder.java @@ -90,7 +90,7 @@ public class MessageDigestPasswordEncoder implements PasswordEncoder { /** * The digest algorithm to use Supports the named - * + * * Message Digest Algorithms in the Java environment. * * @param algorithm diff --git a/crypto/src/main/java/org/springframework/security/crypto/password/Pbkdf2PasswordEncoder.java b/crypto/src/main/java/org/springframework/security/crypto/password/Pbkdf2PasswordEncoder.java index 90df3bdb66..b22c480774 100644 --- a/crypto/src/main/java/org/springframework/security/crypto/password/Pbkdf2PasswordEncoder.java +++ b/crypto/src/main/java/org/springframework/security/crypto/password/Pbkdf2PasswordEncoder.java 
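Review bot: In Base64.java the rewritten Javadoc links no longer agree with their own targets. In the `@@ -44,7` hunk the href stays `http://www.faqs.org/rfcs/rfc3548.html` while the visible text becomes `https://www.faqs.org/rfcs/rfc3548.html`. In the `@@ -194,7` hunk the text becomes `http://www.faqs.org/faqs/` followed by `qa/rfcc-1940.html`, a path that differs from the href `http://www.faqs.org/qa/rfcc-1940.html`. I would keep each link's text identical to its href, for example `href="http://www.faqs.org/qa/rfcc-1940.html">http://www.faqs.org/qa/rfcc-1940.html`, or cite RFC 3548 by number instead of by mirror URL. Part of the anchor markup is missing from this rendering of the diff, so the exact old lines should be checked against the file.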
@@ -92,7 +92,7 @@ public class Pbkdf2PasswordEncoder implements PasswordEncoder { /** * Sets the algorithm to use. See - * SecretKeyFactory Algorithms + * SecretKeyFactory Algorithms * @param secretKeyFactoryAlgorithm the algorithm to use (i.e. * {@code SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA1}, * {@code SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA256}, diff --git a/crypto/src/main/java/org/springframework/security/crypto/scrypt/SCryptPasswordEncoder.java b/crypto/src/main/java/org/springframework/security/crypto/scrypt/SCryptPasswordEncoder.java index 41b927c0f3..198f91adf1 100644 --- a/crypto/src/main/java/org/springframework/security/crypto/scrypt/SCryptPasswordEncoder.java +++ b/crypto/src/main/java/org/springframework/security/crypto/scrypt/SCryptPasswordEncoder.java @@ -45,7 +45,7 @@ import org.springframework.security.crypto.password.PasswordEncoder; *

  • Scrypt is based on Salsa20 which performs poorly in Java (on par with * AES) but performs awesome (~4-5x faster) on SIMD capable platforms
  • *
  • While there are some that would disagree, consider reading - - * + * * Why I Don't Recommend Scrypt (for password storage)
  • * * diff --git a/docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-boot.asc b/docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-boot.asc index d6e27d82a3..674917664e 100644 --- a/docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-boot.asc +++ b/docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-boot.asc @@ -32,7 +32,7 @@ In order to use Spring Security you must add the necessary dependencies. For the ---- -<1> We are using http://www.thymeleaf.org/[Thymeleaf] for our view template engine +<1> We are using https://www.thymeleaf.org/[Thymeleaf] for our view template engine and need to add an additional dependency for the https://github.com/thymeleaf/thymeleaf-extras-springsecurity[Thymeleaf - Spring Security integration module]. After you have completed this, you need to ensure that STS knows about the updated dependencies by: 
@@ -101,18 +101,18 @@ The <> will: * Specifies the URL to send users to for form-based login * Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication * Allow the user to logout -* http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention -* http://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection +* https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention +* https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection * Security Header integration -** http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests -** http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration +** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests +** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration ** Cache Control (can be overridden later by your application to allow caching of your static resources) -** http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration -** X-Frame-Options integration to help prevent http://en.wikipedia.org/wiki/Clickjacking[Clickjacking] +** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration +** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking] * Integrate with the following Servlet API methods -** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()] -** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()] -** 
http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)] -** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)] -** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()] +** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()] +** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()] +** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)] +** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)] +** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()] diff --git a/docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-javaconfig.asc b/docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-javaconfig.asc index 67ff008038..7dc183a393 100644 --- a/docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-javaconfig.asc +++ b/docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-javaconfig.asc 
@@ -75,18 +75,18 @@ The <> will:
 * Generate a login form for you
 * Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication
 * Allow the user to logout
-* http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
-* http://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
+* https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
+* https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
 * Security Header integration
-** http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
-** http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
+** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
+** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
 ** Cache Control (can be overridden later by your application to allow caching of your static resources)
-** http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
-** X-Frame-Options integration to help prevent http://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
+** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
+** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
 * Integrate with the following Servlet API methods
-** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
-** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
-** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
-** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
-** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
+** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
+** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
+** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
+** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
+** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
diff --git a/docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-xml.asc b/docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-xml.asc
index 1119a3482d..0d47daf040 100644
--- a/docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-xml.asc
+++ b/docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-xml.asc
@@ -53,8 +53,8 @@ The next step is to create a Spring Security configuration. + xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">
@@ -72,18 +72,18 @@ The <> will:
 * Generate a login form for you
 * Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication
 * Allow the user to logout
-* http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
-* http://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
+* https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
+* https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
 * Security Header integration
-** http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
-** http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
+** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
+** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
 ** Cache Control (can be overridden later by your application to allow caching of your static resources)
-** http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
-** X-Frame-Options integration to help prevent http://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
+** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
+** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
 * Integrate with the following Servlet API methods
-** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
-** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
-** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
-** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
-** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
+** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
+** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
+** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
+** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
+** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
diff --git a/docs/guides/src/docs/asciidoc/form-javaconfig.asc b/docs/guides/src/docs/asciidoc/form-javaconfig.asc
index cbaa43e719..845185f633 100644
--- a/docs/guides/src/docs/asciidoc/form-javaconfig.asc
+++ b/docs/guides/src/docs/asciidoc/form-javaconfig.asc
@@ -162,7 +162,7 @@ Our existing configuration means that all we need to do is create a *login.html* .src/main/resources/views/login.html [source,xml] ---- - + Please Login
diff --git a/docs/guides/src/docs/asciidoc/hellomvc-javaconfig.asc b/docs/guides/src/docs/asciidoc/hellomvc-javaconfig.asc
index 258269866d..c913e2c4ad 100644
--- a/docs/guides/src/docs/asciidoc/hellomvc-javaconfig.asc
+++ b/docs/guides/src/docs/asciidoc/hellomvc-javaconfig.asc
@@ -97,9 +97,9 @@ Now that we have authenticated, let's see how our application is displaying the
 ----
-In our samples we use http://www.thymeleaf.org/[Thymeleaf], but any view technology will work. Any technology can inspect the `HttpServletRequest#getRemoteUser()` to view the current user since Spring Security integrates with the <>.
+In our samples we use https://www.thymeleaf.org/[Thymeleaf], but any view technology will work. Any technology can inspect the `HttpServletRequest#getRemoteUser()` to view the current user since Spring Security integrates with the <>.
-WARNING: The Thymeleaf ensures the username is escaped to avoid http://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
+WARNING: The Thymeleaf ensures the username is escaped to avoid https://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
 ==== Logging out
@@ -113,7 +113,7 @@ We can view the user name, but how are we able to log out? Below you can see how
 ----
-In order to help protect against http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires:
+In order to help protect against https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires:
 * the HTTP method must be a POST
 * the CSRF token must be added to the request. Since we have used `@EnableWebSecurity` and are using Thymeleaf, the CSRF token is automatically added as a hidden input for you (view the source to see it).
diff --git a/docs/guides/src/docs/asciidoc/helloworld-boot.asc b/docs/guides/src/docs/asciidoc/helloworld-boot.asc
index 33619ddb26..2704e7d18f 100644
--- a/docs/guides/src/docs/asciidoc/helloworld-boot.asc
+++ b/docs/guides/src/docs/asciidoc/helloworld-boot.asc @@ -32,7 +32,7 @@ Now that we have authenticated, let's update the application to display the user [source,html] ---- - + Hello Spring Security @@ -57,7 +57,7 @@ Now that we have authenticated, let's update the application to display the user ---- -NOTE: We are using http://www.thymeleaf.org/[Thymeleaf] for our view template engine and +NOTE: We are using https://www.thymeleaf.org/[Thymeleaf] for our view template engine and https://github.com/thymeleaf/thymeleaf-extras-springsecurity[Thymeleaf - Spring Security integration modules] in order to utilize the _sec:authentication_ and _sec:authorize_ attributes. @@ -76,7 +76,7 @@ The last step is to update the _secured_ page to also display the currently auth [source,html] ---- - + Hello Spring Security diff --git a/docs/guides/src/docs/asciidoc/helloworld-javaconfig.asc b/docs/guides/src/docs/asciidoc/helloworld-javaconfig.asc index 5fdee917c2..d418e918a2 100644 --- a/docs/guides/src/docs/asciidoc/helloworld-javaconfig.asc +++ b/docs/guides/src/docs/asciidoc/helloworld-javaconfig.asc @@ -73,7 +73,7 @@ Now that we have authenticated, let's update the application to display the user ---- -WARNING: The `` tag ensures the username is escaped to avoid http://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped. +WARNING: The `` tag ensures the username is escaped to avoid https://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped. Refresh the page at http://localhost:8080/sample/ and you will see the user name displayed. This works because Spring Security integrates with the <> 
@@ -99,7 +99,7 @@ Now that we can view the user name, let's update the application to allow loggin ---- -In order to help protect against http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires: +In order to help protect against https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires: * the HTTP method must be a POST * the CSRF token must be added to the request. You can access it on the ServletRequest using the attribute _csrf as illustrated above. diff --git a/docs/guides/src/docs/asciidoc/helloworld-xml.asc b/docs/guides/src/docs/asciidoc/helloworld-xml.asc index 78f5e69f2d..c04f05a5fe 100644 --- a/docs/guides/src/docs/asciidoc/helloworld-xml.asc +++ b/docs/guides/src/docs/asciidoc/helloworld-xml.asc @@ -37,7 +37,7 @@ We have created the Spring Security configuration, but we still need to register + https://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"> ` block, where you // using XMLHttpRequest directly to send an x-www-form-urlencoded request var ajax = new XMLHttpRequest(); - ajax.open("POST", "http://www.example.org/do/something", true); + ajax.open("POST", "https://www.example.org/do/something", true); ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded data"); ajax.send(csrfParameter + "=" + csrfToken + "&name=John&..."); // using XMLHttpRequest directly to send a non-x-www-form-urlencoded request var ajax = new XMLHttpRequest(); - ajax.open("POST", "http://www.example.org/do/something", true); + ajax.open("POST", "https://www.example.org/do/something", true); ajax.setRequestHeader(csrfHeader, csrfToken); ajax.send("..."); @@ -7351,7 +7351,7 @@ You should place `csrfMetaTags` within an HTML `` block, where you data["name"] = "John"; ... $.ajax({ - url: "http://www.example.org/do/something", + url: "https://www.example.org/do/something", type: "POST", data: data, ... 
@@ -7361,7 +7361,7 @@ You should place `csrfMetaTags` within an HTML `` block, where you var headers = {}; headers[csrfHeader] = csrfToken; $.ajax({ - url: "http://www.example.org/do/something", + url: "https://www.example.org/do/something", type: "POST", headers: headers, ... @@ -7473,7 +7473,7 @@ class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticatio [[jaas-jaasauthenticationprovider]] === JaasAuthenticationProvider -The `JaasAuthenticationProvider` assumes the default `Configuration` is an instance of http://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/login/ConfigFile.html[ ConfigFile]. This assumption is made in order to attempt to update the `Configuration`. The `JaasAuthenticationProvider` then uses the default `Configuration` to create the `LoginContext`. +The `JaasAuthenticationProvider` assumes the default `Configuration` is an instance of https://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/login/ConfigFile.html[ ConfigFile]. This assumption is made in order to attempt to update the `Configuration`. The `JaasAuthenticationProvider` then uses the default `Configuration` to create the `LoginContext`. Let's assume we have a JAAS login configuration file, `/WEB-INF/login.conf`, with the following contents: @@ -7527,7 +7527,7 @@ This integration can easily be configured using the <> to provide transp ==== Automatic Token Inclusion -Spring Security will automatically <> within forms that use the http://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag]. For example, the following JSP: +Spring Security will automatically <> within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag]. For example, the following JSP: [source,xml] ---- 
@@ -8982,7 +8982,7 @@ END; [[appendix-namespace]] == The Security Namespace -This appendix provides a reference to the elements available in the security namespace and information on the underlying beans they create (a knowledge of the individual classes and how they work together is assumed - you can find more information in the project Javadoc and elsewhere in this document). If you haven't used the namespace before, please read the <> on namespace configuration, as this is intended as a supplement to the information there. Using a good quality XML editor while editing a configuration based on the schema is recommended as this will provide contextual information on which elements and attributes are available as well as comments explaining their purpose. The namespace is written in http://www.relaxng.org/[RELAX NG] Compact format and later converted into an XSD schema. If you are familiar with this format, you may wish to examine the https://raw.githubusercontent.com/spring-projects/spring-security/master/config/src/main/resources/org/springframework/security/config/spring-security-4.1.rnc[schema file] directly. +This appendix provides a reference to the elements available in the security namespace and information on the underlying beans they create (a knowledge of the individual classes and how they work together is assumed - you can find more information in the project Javadoc and elsewhere in this document). If you haven't used the namespace before, please read the <> on namespace configuration, as this is intended as a supplement to the information there. Using a good quality XML editor while editing a configuration based on the schema is recommended as this will provide contextual information on which elements and attributes are available as well as comments explaining their purpose. The namespace is written in https://relaxng.org/[RELAX NG] Compact format and later converted into an XSD schema. 
If you are familiar with this format, you may wish to examine the https://raw.githubusercontent.com/spring-projects/spring-security/master/config/src/main/resources/org/springframework/security/config/spring-security-4.1.rnc[schema file] directly. [[nsa-web]] === Web Application Security 
@@ -9173,9 +9173,9 @@ This element allows for configuring additional (security) headers to be send wit ** `Cache-Control`, `Pragma`, and `Expires` - Can be set using the <> element. This ensures that the browser does not cache your secured pages. ** `Strict-Transport-Security` - Can be set using the <> element. This ensures that the browser automatically requests HTTPS for future requests. -** `X-Frame-Options` - Can be set using the <> element. The http://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options[X-Frame-Options] header can be used to prevent clickjacking attacks. -** `X-XSS-Protection` - Can be set using the <> element. The http://en.wikipedia.org/wiki/Cross-site_scripting[X-XSS-Protection ] header can be used by browser to do basic control. -** `X-Content-Type-Options` - Can be set using the <> element. The http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx[X-Content-Type-Options] header prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions. +** `X-Frame-Options` - Can be set using the <> element. The https://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options[X-Frame-Options] header can be used to prevent clickjacking attacks. +** `X-XSS-Protection` - Can be set using the <> element. The https://en.wikipedia.org/wiki/Cross-site_scripting[X-XSS-Protection ] header can be used by browser to do basic control. +** `X-Content-Type-Options` - Can be set using the <> element. The https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx[X-Content-Type-Options] header prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions. ** `Public-Key-Pinning` or `Public-Key-Pinning-Report-Only` - Can be set using the <> element. 
This allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. ** `Content-Security-Policy` or `Content-Security-Policy-Report-Only` - Can be set using the <> element. https://www.w3.org/TR/CSP2/[Content Security Policy (CSP)] is a mechanism that web applications can leverage to mitigate content injection vulnerabilities, such as cross-site scripting (XSS). ** `Referrer-Policy` - Can be set using the <> element, https://www.w3.org/TR/referrer-policy/[Referrer-Policy] is a mechanism that web applications can leverage to manage the referrer field, which contains the last page the user was on. @@ -9240,7 +9240,7 @@ Specifies if Cache Control should be disabled. Default false. [[nsa-hsts]] ==== -When enabled adds the http://tools.ietf.org/html/rfc6797[Strict-Transport-Security] header to the response for any secure request. This allows the server to instruct browsers to automatically use HTTPS for future requests. +When enabled adds the https://tools.ietf.org/html/rfc6797[Strict-Transport-Security] header to the response for any secure request. This allows the server to instruct browsers to automatically use HTTPS for future requests. [[nsa-hsts-attributes]] @@ -9382,7 +9382,7 @@ The policy for the Referrer-Policy header. Default "no-referrer". [[nsa-frame-options]] ==== -When enabled adds the http://tools.ietf.org/html/draft-ietf-websec-x-frame-options[X-Frame-Options header] to the response, this allows newer browsers to do some security checks and prevent http://en.wikipedia.org/wiki/Clickjacking[clickjacking] attacks. +When enabled adds the https://tools.ietf.org/html/draft-ietf-websec-x-frame-options[X-Frame-Options header] to the response, this allows newer browsers to do some security checks and prevent https://en.wikipedia.org/wiki/Clickjacking[clickjacking] attacks. [[nsa-frame-options-attributes]] 
@@ -9437,7 +9437,7 @@ Specify the name of the request parameter to use when using regexp or whitelist [[nsa-xss-protection]] ==== -Adds the http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx[X-XSS-Protection header] to the response to assist in protecting against http://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / Type-1 Cross-Site Scripting (XSS)] attacks. This is in no-way a full protection to XSS attacks! +Adds the https://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx[X-XSS-Protection header] to the response to assist in protecting against https://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / Type-1 Cross-Site Scripting (XSS)] attacks. This is in no-way a full protection to XSS attacks! [[nsa-xss-protection-attributes]] @@ -9446,12 +9446,12 @@ Adds the http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the- [[nsa-xss-protection-disabled]] * **xss-protection-disabled** -Do not include the header for http://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / Type-1 Cross-Site Scripting (XSS)] protection. +Do not include the header for https://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / Type-1 Cross-Site Scripting (XSS)] protection. [[nsa-xss-protection-enabled]] * **xss-protection-enabled** -Explicitly enable or disable http://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / Type-1 Cross-Site Scripting (XSS)] protection. +Explicitly enable or disable https://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / Type-1 Cross-Site Scripting (XSS)] protection. [[nsa-xss-protection-block]] 
@@ -9468,7 +9468,7 @@ When true and xss-protection-enabled is true, adds mode=block to the header. Thi [[nsa-content-type-options]] ==== -Add the X-Content-Type-Options header with the value of nosniff to the response. This http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx[disables MIME-sniffing] for IE8+ and Chrome extensions. +Add the X-Content-Type-Options header with the value of nosniff to the response. This https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx[disables MIME-sniffing] for IE8+ and Chrome extensions. [[nsa-content-type-options-attributes]] @@ -9557,7 +9557,7 @@ The username that should be assigned to the anonymous request. This allows the p [[nsa-csrf]] ==== -This element will add http://en.wikipedia.org/wiki/Cross-site_request_forgery[Cross Site Request Forger (CSRF)] protection to the application. It also updates the default RequestCache to only replay "GET" requests upon successful authentication. Additional information can be found in the <> section of the reference. +This element will add https://en.wikipedia.org/wiki/Cross-site_request_forgery[Cross Site Request Forger (CSRF)] protection to the application. It also updates the default RequestCache to only replay "GET" requests upon successful authentication. Additional information can be found in the <> section of the reference. [[nsa-csrf-parents]] @@ -10016,7 +10016,7 @@ A regular expression which will be compared against the claimed identity, when d [[nsa-openid-attribute]] ==== -Attributes used when making an OpenID AX http://openid.net/specs/openid-attribute-exchange-1_0.html#fetch_request[ Fetch Request] +Attributes used when making an OpenID AX https://openid.net/specs/openid-attribute-exchange-1_0.html#fetch_request[ Fetch Request] [[nsa-openid-attribute-parents]] 
@@ -10048,7 +10048,7 @@ Specifies if this attribute is required to the OP, but does not error out if the [[nsa-openid-attribute-type]] * **type** -Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types. +Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types. [[nsa-port-mappings]] diff --git a/ldap/src/main/java/org/springframework/security/ldap/authentication/LdapAuthenticationProvider.java b/ldap/src/main/java/org/springframework/security/ldap/authentication/LdapAuthenticationProvider.java index 2a2f77c7d9..8381f2efcb 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/authentication/LdapAuthenticationProvider.java +++ b/ldap/src/main/java/org/springframework/security/ldap/authentication/LdapAuthenticationProvider.java @@ -108,7 +108,7 @@ import org.springframework.util.Assert; * this means that if the LDAP directory is configured to allow unauthenticated access, it * might be possible to authenticate as any user just by supplying an empty * password. More information on the misuse of unauthenticated access can be found in - * draft + * draft * -ietf-ldapbis-authmeth-19.txt. * * diff --git a/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.java b/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.java index 44119a846c..f23c304d0c 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.java +++ b/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.java @@ -52,7 +52,7 @@ import java.util.regex.Pattern; * conventions. *

    * It will authenticate using the Active Directory + * href="https://msdn.microsoft.com/en-us/library/ms680857%28VS.85%29.aspx"> * {@code userPrincipalName} or a custom {@link #setSearchFilter(String) searchFilter} * in the form {@code username@domain}. If the username does not already end with the * domain name, the {@code userPrincipalName} will be built by appending the configured diff --git a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java index 95caaefae3..9d45957fa3 100755 --- a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java +++ b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java @@ -23,7 +23,7 @@ import javax.naming.ldap.Control; * A Password Policy request control. *

    * Based on the information in the corresponding internet draft on LDAP password policy * * @author Stefan Zoerner diff --git a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java index f7c9ae2a44..86e3240a18 100755 --- a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java +++ b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java @@ -46,7 +46,7 @@ import org.springframework.dao.DataRetrievalFailureException; * @author Luke Taylor * * @see org.springframework.security.ldap.ppolicy.PasswordPolicyControl - * @see Stefan + * @see Stefan * Zoerner's IBM developerworks article on LDAP controls. */ public class PasswordPolicyResponseControl extends PasswordPolicyControl { diff --git a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/package-info.java b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/package-info.java index 5780575f61..8bbbc99b7a 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/package-info.java +++ b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/package-info.java @@ -15,7 +15,7 @@ */ /** * Implementation of password policy functionality based on the - * + * * Password Policy for LDAP Directories. *

    * This code will not work with servers such as Active Directory, which do not implement this standard.
diff --git a/notice.txt b/notice.txt
index dde652c658..2336a37696 100644
--- a/notice.txt
+++ b/notice.txt
@@ -7,7 +7,7 @@ must include the following acknowledgement: "This product includes software developed by Spring Security
- Project (http://www.springframework.org/security)."
+ Project (https://www.springframework.org/security)."
 Alternately, this acknowledgement may appear in the software itself, if and wherever such third-party acknowledgements normally appear.
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProvider.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProvider.java
index d301b752ad..356d8c844b 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProvider.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProvider.java
@@ -87,7 +87,7 @@ public class OAuth2LoginAuthenticationProvider implements AuthenticationProvider
 OAuth2LoginAuthenticationToken authorizationCodeAuthentication = (OAuth2LoginAuthenticationToken) authentication;
- // Section 3.1.2.1 Authentication Request - http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+ // Section 3.1.2.1 Authentication Request - https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 // scope
 // REQUIRED. OpenID Connect requests MUST contain the "openid" scope value.
 if (authorizationCodeAuthentication.getAuthorizationExchange()
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProvider.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProvider.java
index a80c49c92c..a4b4a14e6b 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProvider.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProvider.java
@@ -71,9 +71,9 @@ import java.util.concurrent.ConcurrentHashMap;
 * @see OAuth2AccessTokenResponseClient
 * @see OidcUserService
 * @see OidcUser
- * @see Section 3.1 Authorization Code Grant Flow
- * @see Section 3.1.3.1 Token Request
- * @see Section 3.1.3.3 Token Response
+ * @see Section 3.1 Authorization Code Grant Flow
+ * @see Section 3.1.3.1 Token Request
+ * @see Section 3.1.3.3 Token Response
 */
 public class OidcAuthorizationCodeAuthenticationProvider implements AuthenticationProvider {
 private static final String INVALID_STATE_PARAMETER_ERROR_CODE = "invalid_state_parameter";
@@ -106,7 +106,7 @@ public class OidcAuthorizationCodeAuthenticationProvider implements Authenticati
 OAuth2LoginAuthenticationToken authorizationCodeAuthentication = (OAuth2LoginAuthenticationToken) authentication;
- // Section 3.1.2.1 Authentication Request - http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+ // Section 3.1.2.1 Authentication Request - https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 // scope
 // REQUIRED. OpenID Connect requests MUST contain the "openid" scope value.
 if (!authorizationCodeAuthentication.getAuthorizationExchange()
@@ -213,7 +213,7 @@ public class OidcAuthorizationCodeAuthenticationProvider implements Authenticati private void validateIdToken(OidcIdToken idToken, ClientRegistration clientRegistration) { // 3.1.3.7 ID Token Validation - // http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation + // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation // Validate REQUIRED Claims URL issuer = idToken.getIssuer(); diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserService.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserService.java index f704f2ecf7..0e1623acfc 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserService.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserService.java @@ -61,7 +61,7 @@ public class OidcUserService implements OAuth2UserService userAttributes = this.userInfoResponseClient.getUserInfoResponse(userRequest, typeReference); userInfo = new OidcUserInfo(userAttributes); - // http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse + // https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse // Due to the possibility of token substitution attacks (see Section 16.11), // the UserInfo Response is not guaranteed to be about the End-User // identified by the sub (subject) element of the ID Token. diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProviderTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProviderTests.java index bcdd4a4613..5f9de83ec5 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProviderTests.java 
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProviderTests.java @@ -87,8 +87,8 @@ public class OAuth2LoginAuthenticationProviderTests { when(this.authorizationRequest.getScopes()).thenReturn(new LinkedHashSet<>(Arrays.asList("scope1", "scope2"))); when(this.authorizationRequest.getState()).thenReturn("12345"); when(this.authorizationResponse.getState()).thenReturn("12345"); - when(this.authorizationRequest.getRedirectUri()).thenReturn("http://example.com"); - when(this.authorizationResponse.getRedirectUri()).thenReturn("http://example.com"); + when(this.authorizationRequest.getRedirectUri()).thenReturn("https://example.com"); + when(this.authorizationResponse.getRedirectUri()).thenReturn("https://example.com"); } @Test @@ -154,8 +154,8 @@ public class OAuth2LoginAuthenticationProviderTests { this.exception.expect(OAuth2AuthenticationException.class); this.exception.expectMessage(containsString("invalid_redirect_uri_parameter")); - when(this.authorizationRequest.getRedirectUri()).thenReturn("http://example.com"); - when(this.authorizationResponse.getRedirectUri()).thenReturn("http://example2.com"); + when(this.authorizationRequest.getRedirectUri()).thenReturn("https://example.com"); + when(this.authorizationResponse.getRedirectUri()).thenReturn("https://example2.com"); this.authenticationProvider.authenticate( new OAuth2LoginAuthenticationToken(this.clientRegistration, this.authorizationExchange)); diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/NimbusAuthorizationCodeTokenResponseClientTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/NimbusAuthorizationCodeTokenResponseClientTests.java index 75e4368693..a8def5ef90 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/NimbusAuthorizationCodeTokenResponseClientTests.java 
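Review bot: The redirect-URI mismatch case in the second hunk now differs only by host (`https://example.com` vs `https://example2.com`), so nothing visible here shows that a scheme-only difference is also rejected. The redirect_uri comparison is what keeps an authorization response from being accepted for a different endpoint. A companion test would document the exact-match expectation: `thenReturn("https://example.com")` on the request and `thenReturn("http://example.com")` on the response, expecting the same `invalid_redirect_uri_parameter` error. The same applies to the matching test in OidcAuthorizationCodeAuthenticationProviderTests. Whether such a case already exists elsewhere in the class is not visible from the hunk.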
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/NimbusAuthorizationCodeTokenResponseClientTests.java @@ -78,7 +78,7 @@ public class NimbusAuthorizationCodeTokenResponseClientTests { when(this.clientRegistration.getClientId()).thenReturn("client-id"); when(this.clientRegistration.getClientSecret()).thenReturn("secret"); when(this.clientRegistration.getClientAuthenticationMethod()).thenReturn(ClientAuthenticationMethod.BASIC); - when(this.authorizationRequest.getRedirectUri()).thenReturn("http://example.com"); + when(this.authorizationRequest.getRedirectUri()).thenReturn("https://example.com"); when(this.authorizationResponse.getCode()).thenReturn("code"); } @@ -178,7 +178,7 @@ public class NimbusAuthorizationCodeTokenResponseClientTests { public void getTokenResponseWhenTokenUriInvalidThenThrowAuthenticationServiceException() throws Exception { this.exception.expect(AuthenticationServiceException.class); - String tokenUri = "http://invalid-provider.com/oauth2/token"; + String tokenUri = "https://invalid-provider.com/oauth2/token"; when(this.providerDetails.getTokenUri()).thenReturn(tokenUri); this.tokenResponseClient.getTokenResponse( diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProviderTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProviderTests.java index c3694c872d..8c2b9a5b55 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProviderTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProviderTests.java 
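Review bot: The token URI in the second hunk (`https://invalid-provider.com/oauth2/token`) still names a registrable domain, so this negative test presumably depends on how that host answers on the network. Moving to https may also change which failure it hits, for example a TLS handshake error instead of an unexpected plain-HTTP response. A reserved name keeps the test independent of third-party infrastructure: `String tokenUri = "https://invalid-provider.invalid/oauth2/token";`. The same applies to the `https://invalid-provider.com/user` values in OidcUserServiceTests, CustomUserTypesOAuth2UserServiceTests and DefaultOAuth2UserServiceTests. The test method continues past the end of the hunk, so how the exception is actually produced is inferred.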
@@ -106,8 +106,8 @@ public class OidcAuthorizationCodeAuthenticationProviderTests { when(this.authorizationRequest.getScopes()).thenReturn(new LinkedHashSet<>(Arrays.asList("openid", "profile", "email"))); when(this.authorizationRequest.getState()).thenReturn("12345"); when(this.authorizationResponse.getState()).thenReturn("12345"); - when(this.authorizationRequest.getRedirectUri()).thenReturn("http://example.com"); - when(this.authorizationResponse.getRedirectUri()).thenReturn("http://example.com"); + when(this.authorizationRequest.getRedirectUri()).thenReturn("https://example.com"); + when(this.authorizationResponse.getRedirectUri()).thenReturn("https://example.com"); when(this.accessTokenResponse.getAccessToken()).thenReturn(this.accessToken); Map additionalParameters = new HashMap<>(); additionalParameters.put(OidcParameterNames.ID_TOKEN, "id-token"); @@ -178,8 +178,8 @@ public class OidcAuthorizationCodeAuthenticationProviderTests { this.exception.expect(OAuth2AuthenticationException.class); this.exception.expectMessage(containsString("invalid_redirect_uri_parameter")); - when(this.authorizationRequest.getRedirectUri()).thenReturn("http://example1.com"); - when(this.authorizationResponse.getRedirectUri()).thenReturn("http://example2.com"); + when(this.authorizationRequest.getRedirectUri()).thenReturn("https://example1.com"); + when(this.authorizationResponse.getRedirectUri()).thenReturn("https://example2.com"); this.authenticationProvider.authenticate( new OAuth2LoginAuthenticationToken(this.clientRegistration, this.authorizationExchange)); diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserServiceTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserServiceTests.java index 81de5fa8f6..7041848eb7 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserServiceTests.java 
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserServiceTests.java @@ -111,7 +111,7 @@ public class OidcUserServiceTests { Set authorizedScopes = new LinkedHashSet<>(Arrays.asList("scope1", "scope2")); when(this.accessToken.getScopes()).thenReturn(authorizedScopes); - when(this.userInfoEndpoint.getUri()).thenReturn("http://provider.com/user"); + when(this.userInfoEndpoint.getUri()).thenReturn("https://provider.com/user"); OidcUser user = this.userService.loadUser( new OidcUserRequest(this.clientRegistration, this.accessToken, this.idToken)); @@ -252,7 +252,7 @@ public class OidcUserServiceTests { public void loadUserWhenUserInfoUriInvalidThenThrowAuthenticationServiceException() throws Exception { this.exception.expect(AuthenticationServiceException.class); - String userInfoUri = "http://invalid-provider.com/user"; + String userInfoUri = "https://invalid-provider.com/user"; when(this.userInfoEndpoint.getUri()).thenReturn(userInfoUri); when(this.accessToken.getTokenValue()).thenReturn("access-token"); diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/userinfo/CustomUserTypesOAuth2UserServiceTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/userinfo/CustomUserTypesOAuth2UserServiceTests.java index 8efe2792d9..624acea4e9 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/userinfo/CustomUserTypesOAuth2UserServiceTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/userinfo/CustomUserTypesOAuth2UserServiceTests.java 
@@ -198,7 +198,7 @@ public class CustomUserTypesOAuth2UserServiceTests { public void loadUserWhenUserInfoUriInvalidThenThrowAuthenticationServiceException() throws Exception { this.exception.expect(AuthenticationServiceException.class); - String userInfoUri = "http://invalid-provider.com/user"; + String userInfoUri = "https://invalid-provider.com/user"; when(this.userInfoEndpoint.getUri()).thenReturn(userInfoUri); when(this.accessToken.getTokenValue()).thenReturn("access-token"); diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/userinfo/DefaultOAuth2UserServiceTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/userinfo/DefaultOAuth2UserServiceTests.java index 006ea17cce..f3c71042af 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/userinfo/DefaultOAuth2UserServiceTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/userinfo/DefaultOAuth2UserServiceTests.java @@ -89,7 +89,7 @@ public class DefaultOAuth2UserServiceTests { this.exception.expect(OAuth2AuthenticationException.class); this.exception.expectMessage(containsString("missing_user_name_attribute")); - when(this.userInfoEndpoint.getUri()).thenReturn("http://provider.com/user"); + when(this.userInfoEndpoint.getUri()).thenReturn("https://provider.com/user"); when(this.userInfoEndpoint.getUserNameAttributeName()).thenReturn(null); this.userService.loadUser(new OAuth2UserRequest(this.clientRegistration, this.accessToken)); } 
@@ -198,7 +198,7 @@ public class DefaultOAuth2UserServiceTests { public void loadUserWhenUserInfoUriInvalidThenThrowAuthenticationServiceException() throws Exception { this.exception.expect(AuthenticationServiceException.class); - String userInfoUri = "http://invalid-provider.com/user"; + String userInfoUri = "https://invalid-provider.com/user"; when(this.userInfoEndpoint.getUri()).thenReturn(userInfoUri); when(this.userInfoEndpoint.getUserNameAttributeName()).thenReturn("user-name"); diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/AddressStandardClaim.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/AddressStandardClaim.java index ec75da2e02..47037a3127 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/AddressStandardClaim.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/AddressStandardClaim.java @@ -21,9 +21,9 @@ package org.springframework.security.oauth2.core.oidc; * * @author Joe Grandja * @since 5.0 - * @see Address Claim - * @see UserInfo Response - * @see ID Token + * @see Address Claim + * @see UserInfo Response + * @see ID Token */ public interface AddressStandardClaim { diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/IdTokenClaimAccessor.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/IdTokenClaimAccessor.java index 61a4e87e75..0170f933ec 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/IdTokenClaimAccessor.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/IdTokenClaimAccessor.java @@ -30,8 +30,8 @@ import java.util.List; * @see StandardClaimNames * @see IdTokenClaimNames * @see OidcIdToken - * @see ID Token - * @see Standard Claims + * @see ID Token + * @see Standard Claims * @author Joe Grandja * @since 5.0 */ 
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/IdTokenClaimNames.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/IdTokenClaimNames.java index 15a351f22c..c73b604f3d 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/IdTokenClaimNames.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/IdTokenClaimNames.java @@ -22,7 +22,7 @@ package org.springframework.security.oauth2.core.oidc; * @author Joe Grandja * @since 5.0 * @see OidcIdToken - * @see ID Token + * @see ID Token */ public interface IdTokenClaimNames { diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcIdToken.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcIdToken.java index 27a6b09b57..6e1297862d 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcIdToken.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcIdToken.java @@ -35,8 +35,8 @@ import java.util.Map; * @see AbstractOAuth2Token * @see IdTokenClaimAccessor * @see StandardClaimAccessor - * @see ID Token - * @see Standard Claims + * @see ID Token + * @see Standard Claims */ public class OidcIdToken extends AbstractOAuth2Token implements IdTokenClaimAccessor { private final Map claims; diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcScopes.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcScopes.java index c546f8ebbf..e8b70c757a 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcScopes.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcScopes.java 
@@ -28,7 +28,7 @@ import org.springframework.security.oauth2.core.OAuth2AccessToken; * @author Joe Grandja * @since 5.0 * @see StandardClaimNames - * @see Requesting Claims using Scope Values + * @see Requesting Claims using Scope Values */ public interface OidcScopes { diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcUserInfo.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcUserInfo.java index 5b2fd36886..0d3ba43183 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcUserInfo.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcUserInfo.java @@ -33,9 +33,9 @@ import java.util.Map; * @author Joe Grandja * @since 5.0 * @see StandardClaimAccessor - * @see UserInfo Response - * @see UserInfo Endpoint - * @see Standard Claims + * @see UserInfo Response + * @see UserInfo Endpoint + * @see Standard Claims */ public class OidcUserInfo implements StandardClaimAccessor, Serializable { private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID; diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/StandardClaimAccessor.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/StandardClaimAccessor.java index 31d0bc1bdd..455e0f8f36 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/StandardClaimAccessor.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/StandardClaimAccessor.java @@ -28,8 +28,8 @@ import java.util.Map; * @see ClaimAccessor * @see StandardClaimNames * @see OidcUserInfo - * @see UserInfo Response - * @see Standard Claims + * @see UserInfo Response + * @see Standard Claims * @author Joe Grandja * @since 5.0 */ 
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/StandardClaimNames.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/StandardClaimNames.java index 3ac3d142e9..e57b4df7a0 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/StandardClaimNames.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/StandardClaimNames.java @@ -21,9 +21,9 @@ package org.springframework.security.oauth2.core.oidc; * * @author Joe Grandja * @since 5.0 - * @see Standard Claims - * @see UserInfo Response - * @see ID Token + * @see Standard Claims + * @see UserInfo Response + * @see ID Token */ public interface StandardClaimNames { diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/endpoint/OidcParameterNames.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/endpoint/OidcParameterNames.java index 8d1e400de8..13c37441c8 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/endpoint/OidcParameterNames.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/endpoint/OidcParameterNames.java @@ -21,7 +21,7 @@ package org.springframework.security.oauth2.core.oidc.endpoint; * * @author Joe Grandja * @since 5.0 - * @see 18.2 OAuth Parameters Registration + * @see 18.2 OAuth Parameters Registration */ public interface OidcParameterNames { diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/user/OidcUser.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/user/OidcUser.java index fe11e95a2a..15b3014061 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/user/OidcUser.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/user/OidcUser.java 
@@ -46,8 +46,8 @@ import java.util.Map; * @see OidcUserInfo * @see IdTokenClaimAccessor * @see StandardClaimAccessor - * @see ID Token - * @see Standard Claims + * @see ID Token + * @see Standard Claims */ public interface OidcUser extends OAuth2User, IdTokenClaimAccessor { diff --git a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequestTests.java b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequestTests.java index 2d6e31325c..2a5a2ac1cc 100644 --- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequestTests.java +++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequestTests.java @@ -41,7 +41,7 @@ import static org.assertj.core.api.Assertions.assertThatCode; public class OAuth2AuthorizationRequestTests { private static final String AUTHORIZATION_URI = "https://provider.com/oauth2/authorize"; private static final String CLIENT_ID = "client-id"; - private static final String REDIRECT_URI = "http://example.com"; + private static final String REDIRECT_URI = "https://example.com"; private static final Set SCOPES = new LinkedHashSet<>(Arrays.asList("scope1", "scope2")); private static final String STATE = "state"; diff --git a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseTests.java b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseTests.java index 8a876675a1..00bd042b70 100644 --- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseTests.java +++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseTests.java 
@@ -27,7 +27,7 @@ import static org.assertj.core.api.Assertions.assertThatCode; */ public class OAuth2AuthorizationResponseTests { private static final String AUTH_CODE = "auth-code"; - private static final String REDIRECT_URI = "http://example.com"; + private static final String REDIRECT_URI = "https://example.com"; private static final String STATE = "state"; private static final String ERROR_CODE = "error-code"; private static final String ERROR_DESCRIPTION = "error-description"; diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java index 652ed3b8e3..de49db5a4a 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java @@ -249,12 +249,12 @@ public class OpenIDAuthenticationFilter extends AbstractAuthenticationProcessing * Maps the return_to url to a realm, for example: * *

    -	 * http://www.example.com/login/openid -> http://www.example.com/realm
    +	 * https://www.example.com/login/openid -> https://www.example.com/realm
     	 * 
    * * If no mapping is provided then the returnToUrl will be parsed to extract the * protocol, hostname and port followed by a trailing slash. This means that - * http://www.example.com/login/openid will automatically become + * https://www.example.com/login/openid will automatically become * http://www.example.com:80/ * * @param realmMapping containing returnToUrl -> realm mappings diff --git a/openid/src/main/java/org/springframework/security/openid/package.html b/openid/src/main/java/org/springframework/security/openid/package.html index c940ab8aee..80e7f0c0f4 100644 --- a/openid/src/main/java/org/springframework/security/openid/package.html +++ b/openid/src/main/java/org/springframework/security/openid/package.html @@ -1,5 +1,5 @@ -Authenticates standard web browser users via OpenID. +Authenticates standard web browser users via OpenID. \ No newline at end of file diff --git a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java index 85be75fa12..1622c3ff59 100644 --- a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java +++ b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java @@ -36,8 +36,8 @@ import org.springframework.security.web.authentication.SavedRequestAwareAuthenti public class OpenIDAuthenticationFilterTests { OpenIDAuthenticationFilter filter; - private static final String REDIRECT_URL = "http://www.example.com/redirect"; - private static final String CLAIMED_IDENTITY_URL = "http://www.example.com/identity"; + private static final String REDIRECT_URL = "https://www.example.com/redirect"; + private static final String CLAIMED_IDENTITY_URL = "https://www.example.com/identity"; private static final String REQUEST_PATH = "/login/openid"; private static final String FILTER_PROCESS_URL = "http://localhost:8080" + REQUEST_PATH; 
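Review bot: The Javadoc example is now inconsistent. The changed line reads `https://www.example.com/login/openid will automatically become`, but the unchanged line after it still gives the result as `http://www.example.com:80/`. A realm built from the protocol, hostname and port of an https return_to URL would not be an http URL on port 80, so the following line should change with it, e.g. `* https://www.example.com:443/`. The Javadoc block and the method it documents start and end outside the hunk, so the exact port rendering should be confirmed against the implementation.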
@@ -95,7 +95,7 @@ public class OpenIDAuthenticationFilterTests { public void encodesUrlParameters() throws Exception { // Arbitrary parameter name and value that will both need to be encoded: String paramName = "foo&bar"; - String paramValue = "http://example.com/path?a=b&c=d"; + String paramValue = "https://example.com/path?a=b&c=d"; MockHttpServletRequest req = new MockHttpServletRequest("GET", REQUEST_PATH); req.addParameter(paramName, paramValue); filter.setReturnToUrlParameters(Collections.singleton(paramName)); diff --git a/remoting/src/main/java/org/springframework/security/remoting/dns/DnsResolver.java b/remoting/src/main/java/org/springframework/security/remoting/dns/DnsResolver.java index 63d88a0379..f5d689cc59 100644 --- a/remoting/src/main/java/org/springframework/security/remoting/dns/DnsResolver.java +++ b/remoting/src/main/java/org/springframework/security/remoting/dns/DnsResolver.java @@ -57,7 +57,7 @@ public interface DnsResolver { * number in the DNS record) and if there are more than one records with the same * priority, it will return the one with the highest weight. You will find more * informatione about DNS service records at Wikipedia. + * href="https://en.wikipedia.org/wiki/SRV_record">Wikipedia. * * @param serviceType The service type you are searching for, e.g. ldap, kerberos, ... * @param domain The domain, in which you are searching for the service diff --git a/remoting/src/test/java/org/springframework/security/remoting/dns/JndiDnsResolverTests.java b/remoting/src/test/java/org/springframework/security/remoting/dns/JndiDnsResolverTests.java index 314d0bfc9c..4f2aee1959 100644 --- a/remoting/src/test/java/org/springframework/security/remoting/dns/JndiDnsResolverTests.java +++ b/remoting/src/test/java/org/springframework/security/remoting/dns/JndiDnsResolverTests.java 
@@ -113,7 +113,7 @@ public class JndiDnsResolverTests { BasicAttribute record = new BasicAttribute("SRV"); // the structure of the service records is: // priority weight port hostname - // for more information: http://en.wikipedia.org/wiki/SRV_record + // for more information: https://en.wikipedia.org/wiki/SRV_record record.add("20 80 389 kdc3.springsource.com."); record.add("10 70 389 kdc.springsource.com."); record.add("20 20 389 kdc4.springsource.com."); diff --git a/samples/boot/helloworld/src/main/resources/templates/index.html b/samples/boot/helloworld/src/main/resources/templates/index.html index cf6b234bb9..06df86fb13 100644 --- a/samples/boot/helloworld/src/main/resources/templates/index.html +++ b/samples/boot/helloworld/src/main/resources/templates/index.html @@ -1,5 +1,5 @@ - + Hello Spring Security diff --git a/samples/boot/helloworld/src/main/resources/templates/login.html b/samples/boot/helloworld/src/main/resources/templates/login.html index d5a8c9520f..cec2b5b0da 100644 --- a/samples/boot/helloworld/src/main/resources/templates/login.html +++ b/samples/boot/helloworld/src/main/resources/templates/login.html @@ -1,5 +1,5 @@ - + Login page diff --git a/samples/boot/helloworld/src/main/resources/templates/user/index.html b/samples/boot/helloworld/src/main/resources/templates/user/index.html index f0329e7bd6..53dd9319a5 100644 --- a/samples/boot/helloworld/src/main/resources/templates/user/index.html +++ b/samples/boot/helloworld/src/main/resources/templates/user/index.html @@ -1,5 +1,5 @@ - + Hello Spring Security diff --git a/samples/boot/insecure/src/main/resources/templates/index.html b/samples/boot/insecure/src/main/resources/templates/index.html index edd7137287..ee9ccec618 100644 --- a/samples/boot/insecure/src/main/resources/templates/index.html +++ b/samples/boot/insecure/src/main/resources/templates/index.html @@ -1,5 +1,5 @@ - + Hello Spring Security 
diff --git a/samples/boot/insecure/src/main/resources/templates/login.html b/samples/boot/insecure/src/main/resources/templates/login.html index d5a8c9520f..cec2b5b0da 100644 --- a/samples/boot/insecure/src/main/resources/templates/login.html +++ b/samples/boot/insecure/src/main/resources/templates/login.html @@ -1,5 +1,5 @@ - + Login page diff --git a/samples/boot/insecure/src/main/resources/templates/user/index.html b/samples/boot/insecure/src/main/resources/templates/user/index.html index f00768aab1..3fd4ccc1a3 100644 --- a/samples/boot/insecure/src/main/resources/templates/user/index.html +++ b/samples/boot/insecure/src/main/resources/templates/user/index.html @@ -1,5 +1,5 @@ - + Hello Spring Security diff --git a/samples/boot/oauth2login/README.adoc b/samples/boot/oauth2login/README.adoc index 914b0b71a9..81d8fd2e90 100644 --- a/samples/boot/oauth2login/README.adoc +++ b/samples/boot/oauth2login/README.adoc @@ -26,7 +26,7 @@ This section shows how to configure the sample application using Google as the A To use Google's OAuth 2.0 authentication system for login, you must set up a project in the Google API Console to obtain OAuth 2.0 credentials. NOTE: https://developers.google.com/identity/protocols/OpenIDConnect[Google's OAuth 2.0 implementation] for authentication conforms to the - http://openid.net/connect/[OpenID Connect 1.0] specification and is http://openid.net/certification/[OpenID Certified]. + https://openid.net/connect/[OpenID Connect 1.0] specification and is https://openid.net/certification/[OpenID Certified]. Follow the instructions on the https://developers.google.com/identity/protocols/OpenIDConnect[OpenID Connect] page, starting in the section, "Setting up OAuth 2.0". 
@@ -83,7 +83,7 @@ The Consent screen asks you to either allow or deny access to the OAuth Client y Click *Allow* to authorize the OAuth Client to access your email address and basic profile information. At this point, the OAuth Client retrieves your email address and basic profile information -from the http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint] and establishes an authenticated session. +from the https://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint] and establishes an authenticated session. [[github-login]] == Login with GitHub @@ -306,4 +306,4 @@ You are then redirected to the default _auto-generated_ login page, which displa Click on the Okta link, and you are then redirected to Okta for authentication. After authenticating with your Okta account credentials, the OAuth Client retrieves your email address and basic profile information -from the http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint] and establishes an authenticated session. +from the https://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint] and establishes an authenticated session. diff --git a/samples/boot/oauth2login/src/main/resources/templates/index.html b/samples/boot/oauth2login/src/main/resources/templates/index.html index c30b73de69..66dc820776 100644 --- a/samples/boot/oauth2login/src/main/resources/templates/index.html +++ b/samples/boot/oauth2login/src/main/resources/templates/index.html @@ -1,5 +1,5 @@ - + Spring Security - OAuth 2.0 Login diff --git a/samples/boot/oauth2login/src/main/resources/templates/userinfo.html b/samples/boot/oauth2login/src/main/resources/templates/userinfo.html index 2f7102469b..f20d5d005b 100644 --- a/samples/boot/oauth2login/src/main/resources/templates/userinfo.html +++ b/samples/boot/oauth2login/src/main/resources/templates/userinfo.html @@ -1,5 +1,5 @@ - + Spring Security - OAuth 2.0 User Info 
diff --git a/samples/javaconfig/form/src/main/resources/views/login.html b/samples/javaconfig/form/src/main/resources/views/login.html index 18ac1b2b9c..c28c5b2add 100644 --- a/samples/javaconfig/form/src/main/resources/views/login.html +++ b/samples/javaconfig/form/src/main/resources/views/login.html @@ -1,4 +1,4 @@ - + Please Login diff --git a/samples/javaconfig/hellojs/src/main/resources/resources/js/bootstrap.js b/samples/javaconfig/hellojs/src/main/resources/resources/js/bootstrap.js index 3c639f57d3..ee5a14587b 100644 --- a/samples/javaconfig/hellojs/src/main/resources/resources/js/bootstrap.js +++ b/samples/javaconfig/hellojs/src/main/resources/resources/js/bootstrap.js @@ -1,6 +1,6 @@ /* =================================================== * bootstrap-transition.js v2.3.2 - * http://twitter.github.com/bootstrap/javascript.html#transitions + * https://twitter.github.com/bootstrap/javascript.html#transitions * =================================================== * Copyright 2012 Twitter, Inc. * @@ -23,7 +23,7 @@ "use strict"; // jshint ;_; - /* CSS TRANSITION SUPPORT (http://www.modernizr.com/) + /* CSS TRANSITION SUPPORT (https://www.modernizr.com/) * ======================================================= */ $(function () { @@ -59,7 +59,7 @@ }(window.jQuery);/* ========================================================== * bootstrap-alert.js v2.3.2 - * http://twitter.github.com/bootstrap/javascript.html#alerts + * https://twitter.github.com/bootstrap/javascript.html#alerts * ========================================================== * Copyright 2012 Twitter, Inc. * @@ -157,7 +157,7 @@ }(window.jQuery);/* ============================================================ * bootstrap-button.js v2.3.2 - * http://twitter.github.com/bootstrap/javascript.html#buttons + * https://twitter.github.com/bootstrap/javascript.html#buttons * ============================================================ * Copyright 2012 Twitter, Inc. * 
@@ -261,7 +261,7 @@ }(window.jQuery);/* ========================================================== * bootstrap-carousel.js v2.3.2 - * http://twitter.github.com/bootstrap/javascript.html#carousel + * https://twitter.github.com/bootstrap/javascript.html#carousel * ========================================================== * Copyright 2012 Twitter, Inc. * @@ -467,7 +467,7 @@ }(window.jQuery);/* ============================================================= * bootstrap-collapse.js v2.3.2 - * http://twitter.github.com/bootstrap/javascript.html#collapse + * https://twitter.github.com/bootstrap/javascript.html#collapse * ============================================================= * Copyright 2012 Twitter, Inc. * @@ -633,7 +633,7 @@ }(window.jQuery);/* ============================================================ * bootstrap-dropdown.js v2.3.2 - * http://twitter.github.com/bootstrap/javascript.html#dropdowns + * https://twitter.github.com/bootstrap/javascript.html#dropdowns * ============================================================ * Copyright 2012 Twitter, Inc. * @@ -802,7 +802,7 @@ }(window.jQuery); /* ========================================================= * bootstrap-modal.js v2.3.2 - * http://twitter.github.com/bootstrap/javascript.html#modals + * https://twitter.github.com/bootstrap/javascript.html#modals * ========================================================= * Copyright 2012 Twitter, Inc. * @@ -1049,7 +1049,7 @@ }(window.jQuery); /* =========================================================== * bootstrap-tooltip.js v2.3.2 - * http://twitter.github.com/bootstrap/javascript.html#tooltips + * https://twitter.github.com/bootstrap/javascript.html#tooltips * Inspired by the original jQuery.tipsy by Jason Frame * =========================================================== * Copyright 2012 Twitter, Inc. 
@@ -1410,7 +1410,7 @@ }(window.jQuery); /* =========================================================== * bootstrap-popover.js v2.3.2 - * http://twitter.github.com/bootstrap/javascript.html#popovers + * https://twitter.github.com/bootstrap/javascript.html#popovers * =========================================================== * Copyright 2012 Twitter, Inc. * @@ -1524,7 +1524,7 @@ }(window.jQuery); /* ============================================================= * bootstrap-scrollspy.js v2.3.2 - * http://twitter.github.com/bootstrap/javascript.html#scrollspy + * https://twitter.github.com/bootstrap/javascript.html#scrollspy * ============================================================= * Copyright 2012 Twitter, Inc. * @@ -1685,7 +1685,7 @@ }(window.jQuery);/* ======================================================== * bootstrap-tab.js v2.3.2 - * http://twitter.github.com/bootstrap/javascript.html#tabs + * https://twitter.github.com/bootstrap/javascript.html#tabs * ======================================================== * Copyright 2012 Twitter, Inc. * @@ -1828,7 +1828,7 @@ }(window.jQuery);/* ============================================================= * bootstrap-typeahead.js v2.3.2 - * http://twitter.github.com/bootstrap/javascript.html#typeahead + * https://twitter.github.com/bootstrap/javascript.html#typeahead * ============================================================= * Copyright 2012 Twitter, Inc. * @@ -2163,7 +2163,7 @@ }(window.jQuery); /* ========================================================== * bootstrap-affix.js v2.3.2 - * http://twitter.github.com/bootstrap/javascript.html#affix + * https://twitter.github.com/bootstrap/javascript.html#affix * ========================================================== * Copyright 2012 Twitter, Inc. * diff --git a/samples/javaconfig/hellojs/src/main/resources/resources/js/jquery-1.8.3.js b/samples/javaconfig/hellojs/src/main/resources/resources/js/jquery-1.8.3.js index e6e07fc6b7..29d7a3efe7 100644 
--- a/samples/javaconfig/hellojs/src/main/resources/resources/js/jquery-1.8.3.js +++ b/samples/javaconfig/hellojs/src/main/resources/resources/js/jquery-1.8.3.js @@ -1,13 +1,13 @@ /*! * jQuery JavaScript Library v1.8.3 - * http://jquery.com/ + * https://jquery.com/ * * Includes Sizzle.js - * http://sizzlejs.com/ + * https://sizzlejs.com/ * * Copyright 2012 jQuery Foundation and other contributors * Released under the MIT license - * http://jquery.org/license + * https://jquery.org/license * * Date: Tue Nov 13 2012 08:20:33 GMT-0500 (Eastern Standard Time) */ @@ -515,7 +515,7 @@ jQuery.extend({ } // Make sure the incoming data is actual JSON - // Logic borrowed from http://json.org/json2.js + // Logic borrowed from https://json.org/json2.js if ( rvalidchars.test( data.replace( rvalidescape, "@" ) .replace( rvalidtokens, "]" ) .replace( rvalidbraces, "")) ) { @@ -554,7 +554,7 @@ jQuery.extend({ // Evaluates a script in a global context // Workarounds based on findings by Jim Driscoll - // http://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context + // https://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context globalEval: function( data ) { if ( data && core_rnotwhite.test( data ) ) { // We use execScript on Internet Explorer @@ -846,7 +846,7 @@ jQuery.ready.promise = function( obj ) { // Catch cases where $(document).ready() is called after the browser event has already occurred. // we once tried to use readyState "interactive" here, but it caused issues like the one - // discovered by ChrisS here: http://bugs.jquery.com/ticket/12282#comment:15 + // discovered by ChrisS here: https://bugs.jquery.com/ticket/12282#comment:15 if ( document.readyState === "complete" ) { // Handle it asynchronously to allow scripts the opportunity to delay ready setTimeout( jQuery.ready, 1 ); 
@@ -1945,7 +1945,7 @@ jQuery.fn.extend({ }); }, // Based off of the plugin by Clint Helfers, with permission. - // http://blindsignals.com/index.php/2009/07/jquery-delay/ + // http://blindsignals.com delay: function( time, type ) { time = jQuery.fx ? jQuery.fx.speeds[ time ] || time : time; type = type || "fx"; @@ -2452,7 +2452,7 @@ jQuery.extend({ tabIndex: { get: function( elem ) { // elem.tabIndex doesn't always return the correct value when it hasn't been explicitly set - // http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/ + // https://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/ var attributeNode = elem.getAttributeNode("tabindex"); return attributeNode && attributeNode.specified ? @@ -3279,7 +3279,7 @@ function returnTrue() { } // jQuery.Event is based on DOM3 Events as specified by the ECMAScript Language Binding -// http://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html +// https://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html jQuery.Event.prototype = { preventDefault: function() { this.isDefaultPrevented = returnTrue; @@ -3664,7 +3664,7 @@ jQuery.each( ("blur focus focusin focusout load resize scroll unload click dblcl * Sizzle CSS Selector Engine * Copyright 2012 jQuery Foundation and other contributors * Released under the MIT license - * http://sizzlejs.com/ + * https://sizzlejs.com/ */ (function( window, undefined ) { 
@@ -3731,17 +3731,17 @@ var cachedruns, // Regex - // Whitespace characters http://www.w3.org/TR/css3-selectors/#whitespace + // Whitespace characters https://www.w3.org/TR/css3-selectors/#whitespace whitespace = "[\\x20\\t\\r\\n\\f]", - // http://www.w3.org/TR/css3-syntax/#characters + // https://www.w3.org/TR/css3-syntax/#characters characterEncoding = "(?:\\\\.|[-\\w]|[^\\x00-\\xa0])+", // Loosely modeled on CSS identifier characters - // An unquoted value should be a CSS identifier (http://www.w3.org/TR/css3-selectors/#attribute-selectors) - // Proper syntax: http://www.w3.org/TR/CSS21/syndata.html#value-def-identifier + // An unquoted value should be a CSS identifier (https://www.w3.org/TR/css3-selectors/#attribute-selectors) + // Proper syntax: https://www.w3.org/TR/CSS21/syndata.html#value-def-identifier identifier = characterEncoding.replace( "w", "w#" ), - // Acceptable operators http://www.w3.org/TR/selectors/#attribute-selectors + // Acceptable operators https://www.w3.org/TR/selectors/#attribute-selectors operators = "([*^$|!~]?=)", attributes = "\\[" + whitespace + "*(" + characterEncoding + ")" + whitespace + "*(?:" + operators + whitespace + "*(?:(['\"])((?:\\\\.|[^\\\\])*?)\\3|(" + identifier + ")|)|)" + whitespace + "*\\]", @@ -4350,7 +4350,7 @@ Expr = Sizzle.selectors = { "PSEUDO": function( pseudo, argument ) { // pseudo-class names are case-insensitive - // http://www.w3.org/TR/selectors/#pseudo-classes + // https://www.w3.org/TR/selectors/#pseudo-classes // Prioritize by case sensitivity in case custom pseudos are added with uppercase letters // Remember that setFilters inherits from pseudos var args, 
@@ -4437,7 +4437,7 @@ Expr = Sizzle.selectors = { "checked": function( elem ) { // In CSS3, :checked should return both checked and selected elements - // http://www.w3.org/TR/2011/REC-css3-selectors-20110929/#checked + // https://www.w3.org/TR/2011/REC-css3-selectors-20110929/#checked var nodeName = elem.nodeName.toLowerCase(); return (nodeName === "input" && !!elem.checked) || (nodeName === "option" && !!elem.selected); }, @@ -4457,7 +4457,7 @@ Expr = Sizzle.selectors = { }, "empty": function( elem ) { - // http://www.w3.org/TR/selectors/#empty-pseudo + // https://www.w3.org/TR/selectors/#empty-pseudo // :empty is only affected by element nodes and content nodes(including text(3), cdata(4)), // not comment, processing instructions, or others // Thanks to Diego Perini for the nodeName shortcut @@ -5202,7 +5202,7 @@ if ( document.querySelectorAll ) { // This is to test IE's treatment of not explictly // setting a boolean content attribute, // since its presence should be enough - // http://bugs.jquery.com/ticket/12359 + // https://bugs.jquery.com/ticket/12359 div.innerHTML = ""; // IE8 - Some boolean attributes are not treated correctly @@ -5211,7 +5211,7 @@ if ( document.querySelectorAll ) { } // Webkit/Opera - :checked should return selected option elements - // http://www.w3.org/TR/2011/REC-css3-selectors-20110929/#checked + // https://www.w3.org/TR/2011/REC-css3-selectors-20110929/#checked // IE8 throws error here (do not put tests after this one) if ( !div.querySelectorAll(":checked").length ) { rbuggyQSA.push(":checked"); @@ -6478,7 +6478,7 @@ jQuery.extend({ var matched, browser; // Use of jQuery.browser is frowned upon. -// More details: http://api.jquery.com/jQuery.browser +// More details: https://api.jquery.com/jQuery.browser // jQuery.uaMatch maintained for back-compat jQuery.uaMatch = function( ua ) { ua = ua.toLowerCase(); 
@@ -6837,7 +6837,7 @@ if ( window.getComputedStyle ) { // A tribute to the "awesome hack by Dean Edwards" // Chrome < 17 and Safari 5.0 uses "computed value" instead of "used value" for margin-right // Safari 5.1.7 (at least) returns percentage for a larger set of values, but width seems to be reliably pixels - // this is against the CSSOM draft spec: http://dev.w3.org/csswg/cssom/#resolved-values + // this is against the CSSOM draft spec: https://dev.w3.org/csswg/cssom/#resolved-values if ( rnumnonpx.test( ret ) && rmargin.test( name ) ) { width = style.width; minWidth = style.minWidth; @@ -8444,7 +8444,7 @@ if ( jQuery.support.ajax ) { // Firefox throws exceptions when accessing properties // of an xhr when a network error occurred - // http://helpful.knobs-dials.com/index.php/Component_returned_failure_code:_0x80040111_(NS_ERROR_NOT_AVAILABLE) + // https://helpful.knobs-dials.com/index.php/Component_returned_failure_code:_0x80040111_(NS_ERROR_NOT_AVAILABLE) try { // Was never called and is aborted or complete diff --git a/samples/javaconfig/hellojs/src/main/resources/resources/js/knockout-2.3.0.js b/samples/javaconfig/hellojs/src/main/resources/resources/js/knockout-2.3.0.js index 73fd0e2d93..752a084f99 100644 --- a/samples/javaconfig/hellojs/src/main/resources/resources/js/knockout-2.3.0.js +++ b/samples/javaconfig/hellojs/src/main/resources/resources/js/knockout-2.3.0.js 
@@ -1,6 +1,6 @@ // Knockout JavaScript library v2.3.0 -// (c) Steven Sanderson - http://knockoutjs.com/ -// License: MIT (http://www.opensource.org/licenses/mit-license.php) +// (c) Steven Sanderson - https://knockoutjs.com/ +// License: MIT (https://www.opensource.org/licenses/mit-license.php) (function() {function F(q){return function(){return q}};(function(q){var w=this||(0,eval)("this"),s=w.document,H=w.navigator,t=w.jQuery,y=w.JSON;(function(q){"function"===typeof require&&"object"===typeof exports&&"object"===typeof module?q(module.exports||exports):"function"===typeof define&&define.amd?define(["exports"],q):q(w.ko={})})(function(C){function G(b,c,d,f){a.d[b]={init:function(b){a.a.f.set(b,I,{});return{controlsDescendantBindings:!0}},update:function(b,e,m,h,k){m=a.a.f.get(b,I);e=a.a.c(e());h=!d!==!e;var l=!m.fb;if(l||c||h!==m.vb)l&&(m.fb= a.a.Oa(a.e.childNodes(b),!0)),h?(l||a.e.P(b,a.a.Oa(m.fb)),a.Ja(f?f(k,e):k,b)):a.e.ba(b),m.vb=h}};a.g.S[b]=!1;a.e.L[b]=!0}function J(b,c,d){d&&c!==a.h.n(b)&&a.h.W(b,c);c!==a.h.n(b)&&a.q.I(a.a.Ga,null,[b,"change"])}var a="undefined"!==typeof C?C:{};a.b=function(b,c){for(var d=b.split("."),f=a,g=0;g=e)try{a.mergeAttributes(s.createElement(""),!1)}catch(c){}},Bb:function(a){9<=e&&(a=1==a.nodeType?a:a.parentNode,a.style&&(a.style.zoom=a.style.zoom))},zb:function(a){if(e){var b=a.style.width;a.style.width=0;a.style.width= b}},Qb:function(b,e){b=a.a.c(b);e=a.a.c(e);for(var c=[],d=b;d<=e;d++)c.push(d);return c},N:function(a){for(var b=[],e=0,c=a.length;e + SecureMail @@ -66,7 +66,7 @@ diff --git a/samples/javaconfig/helloworld/src/main/webapp/index.jsp b/samples/javaconfig/helloworld/src/main/webapp/index.jsp index 4cec889f1f..8b4d7a3983 100644 --- a/samples/javaconfig/helloworld/src/main/webapp/index.jsp +++ b/samples/javaconfig/helloworld/src/main/webapp/index.jsp @@ -17,7 +17,7 @@ 
diff --git a/samples/javaconfig/messages/src/main/resources/views/layout.html b/samples/javaconfig/messages/src/main/resources/views/layout.html index 1d56e76cf1..19ca32e283 100644 --- a/samples/javaconfig/messages/src/main/resources/views/layout.html +++ b/samples/javaconfig/messages/src/main/resources/views/layout.html @@ -1,6 +1,6 @@ - + + xmlns:th="https://www.thymeleaf.org"> SecureMail: <th:block th:include="${title}"></th:block> @@ -68,7 +68,7 @@ @@ -114,7 +114,7 @@ diff --git a/samples/javaconfig/messages/src/main/resources/views/messages/compose.html b/samples/javaconfig/messages/src/main/resources/views/messages/compose.html index 959d381eab..4e098d306f 100644 --- a/samples/javaconfig/messages/src/main/resources/views/messages/compose.html +++ b/samples/javaconfig/messages/src/main/resources/views/messages/compose.html @@ -1,4 +1,4 @@ - + Create diff --git a/samples/javaconfig/messages/src/main/resources/views/messages/inbox.html b/samples/javaconfig/messages/src/main/resources/views/messages/inbox.html index 939c54a0f1..2b759bd90f 100644 --- a/samples/javaconfig/messages/src/main/resources/views/messages/inbox.html +++ b/samples/javaconfig/messages/src/main/resources/views/messages/inbox.html @@ -1,4 +1,4 @@ - + View All diff --git a/samples/javaconfig/messages/src/main/resources/views/messages/show.html b/samples/javaconfig/messages/src/main/resources/views/messages/show.html index 8e8f9774e1..9c04cc7ae9 100644 --- a/samples/javaconfig/messages/src/main/resources/views/messages/show.html +++ b/samples/javaconfig/messages/src/main/resources/views/messages/show.html @@ -1,4 +1,4 @@ - + Create diff --git a/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index 002464c63b..0b21d482e9 100644 --- a/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/SecurityConfig.java 
+++ b/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@@ -36,35 +36,35 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 .authenticationUserDetailsService(new CustomUserDetailsService())
 .attributeExchange("https://www.google.com/.*")
 .attribute("email")
- .type("http://axschema.org/contact/email")
+ .type("https://axschema.org/contact/email")
 .required(true)
 .and()
 .attribute("firstname")
- .type("http://axschema.org/namePerson/first")
+ .type("https://axschema.org/namePerson/first")
 .required(true)
 .and()
 .attribute("lastname")
- .type("http://axschema.org/namePerson/last")
+ .type("https://axschema.org/namePerson/last")
 .required(true)
 .and()
 .and()
 .attributeExchange(".*yahoo.com.*")
 .attribute("email")
- .type("http://axschema.org/contact/email")
+ .type("https://axschema.org/contact/email")
 .required(true)
 .and()
 .attribute("fullname")
- .type("http://axschema.org/namePerson")
+ .type("https://axschema.org/namePerson")
 .required(true)
 .and()
 .and()
 .attributeExchange(".*myopenid.com.*")
 .attribute("email")
- .type("http://schema.openid.net/contact/email")
+ .type("https://schema.openid.net/contact/email")
 .required(true)
 .and()
 .attribute("fullname")
- .type("http://schema.openid.net/namePerson")
+ .type("https://schema.openid.net/namePerson")
 .required(true);
 }
 // @formatter:on
diff --git a/samples/javaconfig/openid/src/main/resources/resources/js/openid-client/jquery.query-2.1.3.js b/samples/javaconfig/openid/src/main/resources/resources/js/openid-client/jquery.query-2.1.3.js
index 07519d134e..29611c080b 100644
--- a/samples/javaconfig/openid/src/main/resources/resources/js/openid-client/jquery.query-2.1.3.js
+++ b/samples/javaconfig/openid/src/main/resources/resources/js/openid-client/jquery.query-2.1.3.js
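Review bot: The seven rewritten `.type(...)` arguments in SecurityConfig.java are OpenID Attribute Exchange type URIs, which are identifiers rather than links that get fetched, so changing the scheme gains no transport security and changes the identifier being requested. The axschema.org and schema.openid.net attribute types are defined with the `http://` scheme, so a provider that matches type URIs literally would probably not recognise the `https://` spellings and would omit the required email and name attributes from the response. I would revert these lines, e.g. `.type("http://axschema.org/contact/email")`, and keep identifier strings out of the bulk http-to-https rewrite, leaving only URLs that are actually dereferenced. The enclosing method starts above the hunk.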
@@ -1,7 +1,7 @@ /** * jQuery.query - Query String Modification and Creation for jQuery * Written by Blair Mitchelmore (blair DOT mitchelmore AT gmail DOT com) - * Licensed under the WTFPL (http://sam.zoy.org/wtfpl/). + * Licensed under the WTFPL (http://www.wtfpl.net/). * Date: 2009/02/08 * * @author Blair Mitchelmore diff --git a/samples/javaconfig/openid/src/main/resources/resources/js/openid-client/openid-client-config.js b/samples/javaconfig/openid/src/main/resources/resources/js/openid-client/openid-client-config.js index f8ffd07027..4cb0920c8e 100644 --- a/samples/javaconfig/openid/src/main/resources/resources/js/openid-client/openid-client-config.js +++ b/samples/javaconfig/openid/src/main/resources/resources/js/openid-client/openid-client-config.js @@ -1,7 +1,7 @@ /* Defines the base of where the OpenID Provider redirects its response to. */ -var server_root = "http://openid-selector.googlecode.com/svn/trunk/" +var server_root = "https://openid-selector.googlecode.com/svn/trunk/" /* On the server-side you'd accept an OpenID URL and perform discovery @@ -16,5 +16,5 @@ var providers_endpoint = { google: 'https://www.google.com/accounts/o8/ud', yahoo: 'https://open.login.yahooapis.com/openid/op/auth', aol: 'https://api.screenname.aol.com/auth/openidServer', - verisign: 'http://pip.verisignlabs.com/server' + verisign: 'https://pip.verisignlabs.com/server' } \ No newline at end of file diff --git a/samples/javaconfig/openid/src/main/resources/resources/js/openid-client/openid-client.js b/samples/javaconfig/openid/src/main/resources/resources/js/openid-client/openid-client.js index 92c1d17c87..63f4f75bf6 100644 --- a/samples/javaconfig/openid/src/main/resources/resources/js/openid-client/openid-client.js +++ b/samples/javaconfig/openid/src/main/resources/resources/js/openid-client/openid-client.js 
@@ -41,14 +41,14 @@ function getBaseOpenIDProviderURL(provider, claimed, immediate) { var providerEndpoint = providers_endpoint[provider]; var providerURL = providerEndpoint; //From previous discovery providerURL += "?"; - providerURL += "openid.ns=" + encodeURIComponent("http://specs.openid.net/auth/2.0"); + providerURL += "openid.ns=" + encodeURIComponent("https://specs.openid.net/auth/2.0"); if(providers[provider].label) { providerURL += "&openid.claimed_id=" + encodeURIComponent(claimed); providerURL += "&openid.identity=" + encodeURIComponent(claimed); } else { - providerURL += "&openid.claimed_id=" + encodeURIComponent("http://specs.openid.net/auth/2.0/identifier_select"); - providerURL += "&openid.identity=" + encodeURIComponent("http://specs.openid.net/auth/2.0/identifier_select"); + providerURL += "&openid.claimed_id=" + encodeURIComponent("https://specs.openid.net/auth/2.0/identifier_select"); + providerURL += "&openid.identity=" + encodeURIComponent("https://specs.openid.net/auth/2.0/identifier_select"); } if(immediate) { providerURL += "&openid.return_to=" + encodeURIComponent(server_root + "openid-client/checkid_immediate_response.html"); diff --git a/samples/javaconfig/openid/src/main/resources/resources/js/openid-jquery.js b/samples/javaconfig/openid/src/main/resources/resources/js/openid-jquery.js index 82a19ec24d..e46d233e33 100644 --- a/samples/javaconfig/openid/src/main/resources/resources/js/openid-jquery.js +++ b/samples/javaconfig/openid/src/main/resources/resources/js/openid-jquery.js @@ -1,6 +1,6 @@ /* Simple OpenID Plugin -http://code.google.com/p/openid-selector/ +https://code.google.com/p/openid-selector/ This code is licenced under the New BSD License. */ @@ -17,7 +17,7 @@ var providers_large = { aol: { name: 'AOL', label: 'Enter your AOL screenname.', - url: 'http://openid.aol.com/{username}' + url: 'https://openid.aol.com/{username}' }, verisign: { name: 'Verisign', 
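Review bot: The `openid.ns` value and the two `identifier_select` values changed in `getBaseOpenIDProviderURL` are protocol constants that OpenID Authentication 2.0 fixes as `http://specs.openid.net/auth/2.0` and `http://specs.openid.net/auth/2.0/identifier_select`; they are compared as strings and never fetched. With the `https://` spelling a conforming provider should not treat the request as a valid OpenID 2.0 message, so the login flow is likely to fail rather than become safer. Keep the three lines as they were, e.g. `providerURL += "openid.ns=" + encodeURIComponent("http://specs.openid.net/auth/2.0");`. The same change is repeated in the samples/xml/openid copy of openid-client.js later in this diff, and the function continues past the hunk.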
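Review bot: The `url` templates in `providers_large` (here `'https://openid.aol.com/{username}'`) build the claimed identifier the user logs in with, and in OpenID 2.0 an `http` and an `https` URL are distinct identifiers even when the host and path match. Rewriting the scheme therefore changes the identity that is asserted, and it is not visible from the diff that each provider serves discovery on the `https` URL at all. I would either leave these templates as `'http://openid.aol.com/{username}'` or switch a provider only after confirming that it issues `https` identifiers. The same applies to the flickr, technorati and claimid entries in `providers_small` and to the samples/xml/openid copy of openid-jquery.js.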
@@ -44,12 +44,12 @@ var providers_small = { flickr: { name: 'Flickr', label: 'Enter your Flickr username.', - url: 'http://flickr.com/{username}/' + url: 'https://flickr.com/{username}/' }, technorati: { name: 'Technorati', label: 'Enter your Technorati username.', - url: 'http://technorati.com/people/technorati/{username}/' + url: 'https://technorati.com/people/technorati/{username}/' }, wordpress: { name: 'Wordpress', @@ -69,7 +69,7 @@ var providers_small = { claimid: { name: 'ClaimID', label: 'Your ClaimID username', - url: 'http://claimid.com/{username}' + url: 'https://claimid.com/{username}' } }; var providers = $.extend({}, providers_large, providers_small); diff --git a/samples/javaconfig/openid/src/main/resources/views/login.html b/samples/javaconfig/openid/src/main/resources/views/login.html index fb3aadb6e5..0d46e3b163 100644 --- a/samples/javaconfig/openid/src/main/resources/views/login.html +++ b/samples/javaconfig/openid/src/main/resources/views/login.html @@ -1,4 +1,4 @@ - + Messages : Login @@ -28,7 +28,7 @@ diff --git a/samples/javaconfig/openid/src/main/resources/views/user/show.html b/samples/javaconfig/openid/src/main/resources/views/user/show.html index 9f2dc81bc5..d2a14f7ad4 100644 --- a/samples/javaconfig/openid/src/main/resources/views/user/show.html +++ b/samples/javaconfig/openid/src/main/resources/views/user/show.html @@ -1,4 +1,4 @@ - + Messages : Login diff --git a/samples/javaconfig/preauth/src/main/resources/views/login.html b/samples/javaconfig/preauth/src/main/resources/views/login.html index 32e355ed04..225e08832b 100644 --- a/samples/javaconfig/preauth/src/main/resources/views/login.html +++ b/samples/javaconfig/preauth/src/main/resources/views/login.html @@ -1,4 +1,4 @@ - + Please Login diff --git a/samples/javaconfig/rememberme/src/main/resources/views/login.html b/samples/javaconfig/rememberme/src/main/resources/views/login.html index f807b051ea..55b40468e3 100644 
--- a/samples/javaconfig/rememberme/src/main/resources/views/login.html +++ b/samples/javaconfig/rememberme/src/main/resources/views/login.html @@ -1,4 +1,4 @@ - + Please Login diff --git a/samples/javaconfig/webflux-form/src/main/resources/templates/login.html b/samples/javaconfig/webflux-form/src/main/resources/templates/login.html index c28b4c97eb..4fa5c65688 100644 --- a/samples/javaconfig/webflux-form/src/main/resources/templates/login.html +++ b/samples/javaconfig/webflux-form/src/main/resources/templates/login.html @@ -7,7 +7,7 @@ Please Log In - +
    diff --git a/samples/javaconfig/x509/src/main/webapp/WEB-INF/decorators/main.jsp b/samples/javaconfig/x509/src/main/webapp/WEB-INF/decorators/main.jsp index 29e25eb9d0..20726cb81e 100644 --- a/samples/javaconfig/x509/src/main/webapp/WEB-INF/decorators/main.jsp +++ b/samples/javaconfig/x509/src/main/webapp/WEB-INF/decorators/main.jsp @@ -2,8 +2,8 @@ diff --git a/samples/javaconfig/x509/src/main/webapp/WEB-INF/web.xml- b/samples/javaconfig/x509/src/main/webapp/WEB-INF/web.xml- index c6fe21d9b3..b87ff75318 100644 --- a/samples/javaconfig/x509/src/main/webapp/WEB-INF/web.xml- +++ b/samples/javaconfig/x509/src/main/webapp/WEB-INF/web.xml- @@ -1,7 +1,7 @@ + xsi:schemaLocation="http://java.sun.com/xml/ns/javaee https://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> FORM diff --git a/samples/xml/contacts/src/main/webapp/WEB-INF/jsp/frames.jsp b/samples/xml/contacts/src/main/webapp/WEB-INF/jsp/frames.jsp index 96e928967d..cf3ad2066a 100644 --- a/samples/xml/contacts/src/main/webapp/WEB-INF/jsp/frames.jsp +++ b/samples/xml/contacts/src/main/webapp/WEB-INF/jsp/frames.jsp @@ -3,8 +3,8 @@ Frames -

    This contains frames, but the frames will not be loaded due to the X-Frame-Options -being specified as denied. This protects against clickjacking attacks

    +

    This contains frames, but the frames will not be loaded due to the X-Frame-Options +being specified as denied. This protects against clickjacking attacks

    \ No newline at end of file diff --git a/samples/xml/contacts/src/main/webapp/WEB-INF/spring.tld b/samples/xml/contacts/src/main/webapp/WEB-INF/spring.tld index 1bc7091f03..9580c330a8 100644 --- a/samples/xml/contacts/src/main/webapp/WEB-INF/spring.tld +++ b/samples/xml/contacts/src/main/webapp/WEB-INF/spring.tld @@ -1,5 +1,5 @@ - + diff --git a/samples/xml/helloworld/src/main/webapp/index.jsp b/samples/xml/helloworld/src/main/webapp/index.jsp index 4cec889f1f..8b4d7a3983 100644 --- a/samples/xml/helloworld/src/main/webapp/index.jsp +++ b/samples/xml/helloworld/src/main/webapp/index.jsp @@ -17,7 +17,7 @@ diff --git a/samples/xml/insecure/src/main/webapp/index.jsp b/samples/xml/insecure/src/main/webapp/index.jsp index f07b5771c5..431136a503 100644 --- a/samples/xml/insecure/src/main/webapp/index.jsp +++ b/samples/xml/insecure/src/main/webapp/index.jsp @@ -17,7 +17,7 @@ diff --git a/samples/xml/openid/src/main/webapp/js/openid-client/jquery.query-2.1.3.js b/samples/xml/openid/src/main/webapp/js/openid-client/jquery.query-2.1.3.js index 07519d134e..29611c080b 100644 --- a/samples/xml/openid/src/main/webapp/js/openid-client/jquery.query-2.1.3.js +++ b/samples/xml/openid/src/main/webapp/js/openid-client/jquery.query-2.1.3.js @@ -1,7 +1,7 @@ /** * jQuery.query - Query String Modification and Creation for jQuery * Written by Blair Mitchelmore (blair DOT mitchelmore AT gmail DOT com) - * Licensed under the WTFPL (http://sam.zoy.org/wtfpl/). + * Licensed under the WTFPL (http://www.wtfpl.net/). * Date: 2009/02/08 * * @author Blair Mitchelmore diff --git a/samples/xml/openid/src/main/webapp/js/openid-client/openid-client-config.js b/samples/xml/openid/src/main/webapp/js/openid-client/openid-client-config.js index f8ffd07027..4cb0920c8e 100644 --- a/samples/xml/openid/src/main/webapp/js/openid-client/openid-client-config.js +++ b/samples/xml/openid/src/main/webapp/js/openid-client/openid-client-config.js 
@@ -1,7 +1,7 @@ /* Defines the base of where the OpenID Provider redirects its response to. */ -var server_root = "http://openid-selector.googlecode.com/svn/trunk/" +var server_root = "https://openid-selector.googlecode.com/svn/trunk/" /* On the server-side you'd accept an OpenID URL and perform discovery @@ -16,5 +16,5 @@ var providers_endpoint = { google: 'https://www.google.com/accounts/o8/ud', yahoo: 'https://open.login.yahooapis.com/openid/op/auth', aol: 'https://api.screenname.aol.com/auth/openidServer', - verisign: 'http://pip.verisignlabs.com/server' + verisign: 'https://pip.verisignlabs.com/server' } \ No newline at end of file diff --git a/samples/xml/openid/src/main/webapp/js/openid-client/openid-client.js b/samples/xml/openid/src/main/webapp/js/openid-client/openid-client.js index 92c1d17c87..63f4f75bf6 100644 --- a/samples/xml/openid/src/main/webapp/js/openid-client/openid-client.js +++ b/samples/xml/openid/src/main/webapp/js/openid-client/openid-client.js 
@@ -41,14 +41,14 @@ function getBaseOpenIDProviderURL(provider, claimed, immediate) { var providerEndpoint = providers_endpoint[provider]; var providerURL = providerEndpoint; //From previous discovery providerURL += "?"; - providerURL += "openid.ns=" + encodeURIComponent("http://specs.openid.net/auth/2.0"); + providerURL += "openid.ns=" + encodeURIComponent("https://specs.openid.net/auth/2.0"); if(providers[provider].label) { providerURL += "&openid.claimed_id=" + encodeURIComponent(claimed); providerURL += "&openid.identity=" + encodeURIComponent(claimed); } else { - providerURL += "&openid.claimed_id=" + encodeURIComponent("http://specs.openid.net/auth/2.0/identifier_select"); - providerURL += "&openid.identity=" + encodeURIComponent("http://specs.openid.net/auth/2.0/identifier_select"); + providerURL += "&openid.claimed_id=" + encodeURIComponent("https://specs.openid.net/auth/2.0/identifier_select"); + providerURL += "&openid.identity=" + encodeURIComponent("https://specs.openid.net/auth/2.0/identifier_select"); } if(immediate) { providerURL += "&openid.return_to=" + encodeURIComponent(server_root + "openid-client/checkid_immediate_response.html"); diff --git a/samples/xml/openid/src/main/webapp/js/openid-jquery.js b/samples/xml/openid/src/main/webapp/js/openid-jquery.js index 3a333daa60..e64a7ea90a 100644 --- a/samples/xml/openid/src/main/webapp/js/openid-jquery.js +++ b/samples/xml/openid/src/main/webapp/js/openid-jquery.js @@ -1,6 +1,6 @@ /* Simple OpenID Plugin -http://code.google.com/p/openid-selector/ +https://code.google.com/p/openid-selector/ This code is licenced under the New BSD License. */ @@ -17,7 +17,7 @@ var providers_large = { aol: { name: 'AOL', label: 'Enter your AOL screenname.', - url: 'http://openid.aol.com/{username}' + url: 'https://openid.aol.com/{username}' }, verisign: { name: 'Verisign', 
@@ -44,12 +44,12 @@ var providers_small = { flickr: { name: 'Flickr', label: 'Enter your Flickr username.', - url: 'http://flickr.com/{username}/' + url: 'https://flickr.com/{username}/' }, technorati: { name: 'Technorati', label: 'Enter your Technorati username.', - url: 'http://technorati.com/people/technorati/{username}/' + url: 'https://technorati.com/people/technorati/{username}/' }, wordpress: { name: 'Wordpress', @@ -69,7 +69,7 @@ var providers_small = { claimid: { name: 'ClaimID', label: 'Your ClaimID username', - url: 'http://claimid.com/{username}' + url: 'https://claimid.com/{username}' } }; var providers = $.extend({}, providers_large, providers_small); diff --git a/samples/xml/openid/src/main/webapp/openidlogin.jsp b/samples/xml/openid/src/main/webapp/openidlogin.jsp index 8abc898910..17fde568ff 100644 --- a/samples/xml/openid/src/main/webapp/openidlogin.jsp +++ b/samples/xml/openid/src/main/webapp/openidlogin.jsp @@ -1,7 +1,7 @@ <%@ taglib prefix='c' uri='http://java.sun.com/jsp/jstl/core' %> <%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %> - + OpenID Login @@ -55,7 +55,7 @@
    diff --git a/taglibs/src/main/resources/META-INF/security.tld b/taglibs/src/main/resources/META-INF/security.tld index a427c710ec..718fcb4679 100644 --- a/taglibs/src/main/resources/META-INF/security.tld +++ b/taglibs/src/main/resources/META-INF/security.tld @@ -16,7 +16,7 @@ --> Spring Security Authorization Tag Library diff --git a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java index 3f8427ff8d..5f7cf4b839 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java @@ -245,7 +245,7 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt * current invocation. *

    * It strips any parameters from the "path" section of the request URL (such as the - * jsessionid parameter in http://host/myapp/index.html;jsessionid=blah) + * jsessionid parameter in https://host/myapp/index.html;jsessionid=blah) * before matching against the filterProcessesUrl property. *

    * Subclasses may override for special requirements, such as Tapestry integration. diff --git a/web/src/main/java/org/springframework/security/web/authentication/RememberMeServices.java b/web/src/main/java/org/springframework/security/web/authentication/RememberMeServices.java index cf7c1fd212..2dd1464e7f 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/RememberMeServices.java +++ b/web/src/main/java/org/springframework/security/web/authentication/RememberMeServices.java @@ -34,8 +34,8 @@ import org.springframework.security.core.Authentication; *

    * Implementations may implement any type of remember-me capability they wish. Rolling * cookies (as per - * http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice) can + * href="https://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice"> + * https://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice) can * be used, as can simple implementations that don't require a persistent store. * Implementations also determine the validity period of a remember-me cookie. This * interface has been designed to accommodate any of these remember-me models. diff --git a/web/src/main/java/org/springframework/security/web/authentication/preauth/RequestAttributeAuthenticationFilter.java b/web/src/main/java/org/springframework/security/web/authentication/preauth/RequestAttributeAuthenticationFilter.java index 05d5b897a2..4769060bc8 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/preauth/RequestAttributeAuthenticationFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/RequestAttributeAuthenticationFilter.java @@ -22,7 +22,7 @@ import org.springframework.util.Assert; /** * A simple pre-authenticated filter which obtains the username from request attributes, * for use with SSO systems such as - * Stanford WebAuth or + * Stanford WebAuth or * Shibboleth. *

    * As with most pre-authenticated scenarios, it is essential that the external diff --git a/web/src/main/java/org/springframework/security/web/authentication/rememberme/package-info.java b/web/src/main/java/org/springframework/security/web/authentication/rememberme/package-info.java index 370fccc067..b45f6feb1c 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/package-info.java +++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/package-info.java @@ -17,7 +17,7 @@ * Support for remembering a user between different web sessions. *

    * Comes with two default implementations. See the - * Remember-Me + * Remember-Me * Authentication chapter of the reference manual. */ package org.springframework.security.web.authentication.rememberme; diff --git a/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java b/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java index 7921e1657a..a108d760ec 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java @@ -57,7 +57,7 @@ import org.springframework.web.filter.GenericFilterBean; * SecurityContextHolder. *

    * For a detailed background on what this filter is designed to process, refer to - * RFC 2617 (which superseded RFC 2069, + * RFC 2617 (which superseded RFC 2069, * although this filter support clients that implement either RFC 2617 or RFC 2069). *

    * This filter can be used to provide Digest authentication services to both remoting diff --git a/web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java b/web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java index deac47bd00..b08ad8c1af 100644 --- a/web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java +++ b/web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java @@ -252,7 +252,7 @@ public abstract class AbstractSecurityWebApplicationInitializer * *

    * Note that {@link SessionTrackingMode#URL} is intentionally omitted to help - * protected against session + * protected against session * fixation attacks. {@link SessionTrackingMode#SSL} is omitted because SSL * configuration is required for this to work. *

    diff --git a/web/src/main/java/org/springframework/security/web/firewall/DefaultHttpFirewall.java b/web/src/main/java/org/springframework/security/web/firewall/DefaultHttpFirewall.java index 5d57500a73..c7efac6b90 100644 --- a/web/src/main/java/org/springframework/security/web/firewall/DefaultHttpFirewall.java +++ b/web/src/main/java/org/springframework/security/web/firewall/DefaultHttpFirewall.java @@ -27,7 +27,7 @@ import javax.servlet.http.HttpServletResponse; * Default implementation which wraps requests in order to provide consistent * values of the {@code servletPath} and {@code pathInfo}, which do not contain * path parameters (as defined in - * RFC 2396). Different + * RFC 2396). Different * servlet containers interpret the servlet spec differently as to how path * parameters are treated and it is possible they might be added in order to * bypass particular security constraints. When using this implementation, they diff --git a/web/src/main/java/org/springframework/security/web/firewall/RequestWrapper.java b/web/src/main/java/org/springframework/security/web/firewall/RequestWrapper.java index 1b6608fe8d..a5a1d76b35 100644 --- a/web/src/main/java/org/springframework/security/web/firewall/RequestWrapper.java +++ b/web/src/main/java/org/springframework/security/web/firewall/RequestWrapper.java @@ -30,7 +30,7 @@ import java.util.*; * and extra consecutive '/' characters. * *

    Path Parameters

    Parameters (as defined in RFC 2396) are stripped from the path + * href="https://www.ietf.org/rfc/rfc2396.txt">RFC 2396) are stripped from the path * segments of the {@code servletPath} and {@code pathInfo} values of the request. *

    * The parameter sequence is demarcated by a semi-colon, so each segment is checked for diff --git a/web/src/main/java/org/springframework/security/web/header/writers/HpkpHeaderWriter.java b/web/src/main/java/org/springframework/security/web/header/writers/HpkpHeaderWriter.java index 0f3d305c64..1d8f7c497b 100644 --- a/web/src/main/java/org/springframework/security/web/header/writers/HpkpHeaderWriter.java +++ b/web/src/main/java/org/springframework/security/web/header/writers/HpkpHeaderWriter.java @@ -29,16 +29,16 @@ import java.util.LinkedHashMap; import java.util.Map; /** - * Provides support for HTTP Public Key Pinning (HPKP). + * Provides support for HTTP Public Key Pinning (HPKP). * *

    - * Since Section 4.1 states + * Since Section 4.1 states * that a value on the order of 60 days (5,184,000 seconds) may be considered a good balance, * we use this value as the default. This can be customized using {@link #setMaxAgeInSeconds(long)}. *

    * *

    - * Because Appendix B recommends + * Because Appendix B recommends * that operators should first deploy public key pinning by using the report-only mode, * we opted to use this mode as default. This can be customized using {@link #setReportOnly(boolean)}. *

    @@ -84,7 +84,7 @@ import java.util.Map; * Public-Key-Pins: max-age=5184000; * pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; * pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; - * report-uri="http://example.com/pkp-report" + * report-uri="https://example.com/pkp-report" * * Public-Key-Pins-Report-Only: max-age=5184000; * pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; @@ -192,7 +192,7 @@ public final class HpkpHeaderWriter implements HeaderWriter { *

    * The pin directive specifies a way for web host operators to indicate * a cryptographic identity that should be bound to a given web host. - * See Section 2.1.1 for additional details. + * See Section 2.1.1 for additional details. *

    * *

    @@ -228,7 +228,7 @@ public final class HpkpHeaderWriter implements HeaderWriter { *

    * The pin directive specifies a way for web host operators to indicate * a cryptographic identity that should be bound to a given web host. - * See Section 2.1.1 for additional details. + * See Section 2.1.1 for additional details. *

    * *

    @@ -262,7 +262,7 @@ public final class HpkpHeaderWriter implements HeaderWriter { * *

    * This instructs browsers how long they should regard the host (from whom the message was received) - * as a known pinned host. See Section + * as a known pinned host. See Section * 2.1.2 for additional details. *

    * @@ -299,7 +299,7 @@ public final class HpkpHeaderWriter implements HeaderWriter { *

    * *

    - * See Section 2.1.3 + * See Section 2.1.3 * for additional details. *

    * @@ -329,7 +329,7 @@ public final class HpkpHeaderWriter implements HeaderWriter { *

    * *

    - * See Section 2.1 + * See Section 2.1 * for additional details. *

    * @@ -355,7 +355,7 @@ public final class HpkpHeaderWriter implements HeaderWriter { *

    * *

    - * See Section 2.1.4 + * See Section 2.1.4 * for additional details. *

    * @@ -386,7 +386,7 @@ public final class HpkpHeaderWriter implements HeaderWriter { *

    * *

    - * See Section 2.1.4 + * See Section 2.1.4 * for additional details. *

    * diff --git a/web/src/main/java/org/springframework/security/web/header/writers/HstsHeaderWriter.java b/web/src/main/java/org/springframework/security/web/header/writers/HstsHeaderWriter.java index b8b422be60..1314b42b39 100644 --- a/web/src/main/java/org/springframework/security/web/header/writers/HstsHeaderWriter.java +++ b/web/src/main/java/org/springframework/security/web/header/writers/HstsHeaderWriter.java @@ -26,7 +26,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; /** - * Provides support for HTTP Strict Transport + * Provides support for HTTP Strict Transport * Security (HSTS). * *

    @@ -36,7 +36,7 @@ import org.springframework.util.Assert; *

    * *

    - * Since section 7.2 states + * Since section 7.2 states * that HSTS Host MUST NOT include the STS header in HTTP responses, the default behavior * is that the "Strict-Transport-Security" will only be added when * {@link HttpServletRequest#isSecure()} returns {@code true} . At times this may need to @@ -153,7 +153,7 @@ public final class HstsHeaderWriter implements HeaderWriter { * *

    * This instructs browsers how long to remember to keep this domain as a known HSTS - * Host. See Section + * Host. See Section * 6.1.1 for additional details. *

    * @@ -176,7 +176,7 @@ public final class HstsHeaderWriter implements HeaderWriter { *

    * *

    - * See Section 6.1.2 + * See Section 6.1.2 * for additional details. *

    * diff --git a/web/src/main/java/org/springframework/security/web/header/writers/XXssProtectionHeaderWriter.java b/web/src/main/java/org/springframework/security/web/header/writers/XXssProtectionHeaderWriter.java index d93015d415..5b4a87527b 100644 --- a/web/src/main/java/org/springframework/security/web/header/writers/XXssProtectionHeaderWriter.java +++ b/web/src/main/java/org/springframework/security/web/header/writers/XXssProtectionHeaderWriter.java @@ -22,7 +22,7 @@ import org.springframework.security.web.header.HeaderWriter; /** * Renders the X-XSS-Protection header. * * @author Rob Winch diff --git a/web/src/main/java/org/springframework/security/web/server/ui/LoginPageGeneratingWebFilter.java b/web/src/main/java/org/springframework/security/web/server/ui/LoginPageGeneratingWebFilter.java index 69a4ba4067..b46d7490c5 100644 --- a/web/src/main/java/org/springframework/security/web/server/ui/LoginPageGeneratingWebFilter.java +++ b/web/src/main/java/org/springframework/security/web/server/ui/LoginPageGeneratingWebFilter.java @@ -84,7 +84,7 @@ public class LoginPageGeneratingWebFilter implements WebFilter { + " \n" + " Please sign in\n" + " \n" - + " \n" + + " \n" + " \n" + " \n" + "
    \n" diff --git a/web/src/main/java/org/springframework/security/web/server/ui/LogoutPageGeneratingWebFilter.java b/web/src/main/java/org/springframework/security/web/server/ui/LogoutPageGeneratingWebFilter.java index 0ebb94990c..53b213ab03 100644 --- a/web/src/main/java/org/springframework/security/web/server/ui/LogoutPageGeneratingWebFilter.java +++ b/web/src/main/java/org/springframework/security/web/server/ui/LogoutPageGeneratingWebFilter.java @@ -80,7 +80,7 @@ public class LogoutPageGeneratingWebFilter implements WebFilter { + " \n" + " Confirm Log Out?\n" + " \n" - + " \n" + + " \n" + " \n" + " \n" + "
    \n" diff --git a/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java b/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java index 11e4e7cc1b..c542b070c9 100644 --- a/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java +++ b/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java @@ -36,7 +36,7 @@ public class DefaultRedirectStrategyTests { request.setContextPath("/context"); MockHttpServletResponse response = new MockHttpServletResponse(); - rds.sendRedirect(request, response, "http://context.blah.com/context/remainder"); + rds.sendRedirect(request, response, "https://context.blah.com/context/remainder"); assertThat(response.getRedirectedUrl()).isEqualTo("remainder"); } @@ -52,7 +52,7 @@ public class DefaultRedirectStrategyTests { MockHttpServletResponse response = new MockHttpServletResponse(); rds.sendRedirect(request, response, - "http://http://context.blah.com/context/remainder"); + "https://http://context.blah.com/context/remainder"); assertThat(response.getRedirectedUrl()).isEqualTo("remainder"); } diff --git a/web/src/test/java/org/springframework/security/web/authentication/SavedRequestAwareAuthenticationSuccessHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/SavedRequestAwareAuthenticationSuccessHandlerTests.java index 1e207c65ed..91ed96eb0b 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/SavedRequestAwareAuthenticationSuccessHandlerTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/SavedRequestAwareAuthenticationSuccessHandlerTests.java 
@@ -33,7 +33,7 @@ public class SavedRequestAwareAuthenticationSuccessHandlerTests { SavedRequestAwareAuthenticationSuccessHandler handler = new SavedRequestAwareAuthenticationSuccessHandler(); handler.setDefaultTargetUrl("/acceptableRelativeUrl"); - handler.setDefaultTargetUrl("http://some.site.org/index.html"); + handler.setDefaultTargetUrl("https://some.site.org/index.html"); handler.setDefaultTargetUrl("https://some.site.org/index.html"); try { diff --git a/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java index 0769e537af..775f4251d3 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java @@ -81,10 +81,10 @@ public class SimpleUrlAuthenticationSuccessHandlerTests { MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletResponse response = new MockHttpServletResponse(); ash.setUseReferer(true); - request.addHeader("Referer", "http://www.springsource.com/"); + request.addHeader("Referer", "https://www.springsource.com/"); ash.onAuthenticationSuccess(request, response, mock(Authentication.class)); - assertThat(response.getRedirectedUrl()).isEqualTo("http://www.springsource.com/"); + assertThat(response.getRedirectedUrl()).isEqualTo("https://www.springsource.com/"); } /** diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java index 0ef851e10a..a90bbe412b 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java 
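Review bot: The rewritten call `handler.setDefaultTargetUrl("https://some.site.org/index.html");` is now identical to the context line that follows it, so this test no longer checks that an absolute `http://` default target URL is accepted. The removed line was the only `http` case among the accepted inputs and should stay as `handler.setDefaultTargetUrl("http://some.site.org/index.html");`. The same loss occurs in the `AbstractRememberMeServicesTests` hunk, where `cookie[0]` now starts as `"https://id.openid.zz"` and the later `// Check https (SEC-1410)` block repeats the same value, leaving the `http` identifier round-trip untested. The test methods begin or end outside these hunks.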
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java @@ -103,13 +103,13 @@ public class AbstractRememberMeServicesTests { @Test public void cookieWithOpenIDidentifierAsNameIsEncodedAndDecoded() throws Exception { - String[] cookie = new String[] { "http://id.openid.zz", "cookie", "tokens", + String[] cookie = new String[] { "https://id.openid.zz", "cookie", "tokens", "blah" }; MockRememberMeServices services = new MockRememberMeServices(uds); String[] decoded = services.decodeCookie(services.encodeCookie(cookie)); assertThat(decoded).hasSize(4); - assertThat(decoded[0]).isEqualTo("http://id.openid.zz"); + assertThat(decoded[0]).isEqualTo("https://id.openid.zz"); // Check https (SEC-1410) cookie[0] = "https://id.openid.zz"; diff --git a/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java b/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java index 1465f304db..785e9cc720 100644 --- a/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java @@ -330,7 +330,7 @@ public class CsrfFilterTests { /** * SEC-2292 Should not allow other cases through since spec states HTTP method is case - * sensitive http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1 + * sensitive https://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1 * @throws Exception if an error occurs * */ diff --git a/web/src/test/java/org/springframework/security/web/header/writers/HpkpHeaderWriterTests.java b/web/src/test/java/org/springframework/security/web/header/writers/HpkpHeaderWriterTests.java index 29020b0798..1246255dc1 100644 --- a/web/src/test/java/org/springframework/security/web/header/writers/HpkpHeaderWriterTests.java +++ b/web/src/test/java/org/springframework/security/web/header/writers/HpkpHeaderWriterTests.java 
@@ -142,25 +142,25 @@ public class HpkpHeaderWriterTests { @Test public void writeHeadersTerminateConnectionWithURI() throws URISyntaxException { writer.setReportOnly(false); - writer.setReportUri(new URI("http://example.com/pkp-report")); + writer.setReportUri(new URI("https://example.com/pkp-report")); writer.writeHeaders(request, response); assertThat(response.getHeaderNames()).hasSize(1); assertThat(response.getHeader("Public-Key-Pins")).isEqualTo( - "max-age=5184000 ; pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\" ; report-uri=\"http://example.com/pkp-report\""); + "max-age=5184000 ; pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\" ; report-uri=\"https://example.com/pkp-report\""); } @Test public void writeHeadersTerminateConnectionWithURIAsString() throws URISyntaxException { writer.setReportOnly(false); - writer.setReportUri("http://example.com/pkp-report"); + writer.setReportUri("https://example.com/pkp-report"); writer.writeHeaders(request, response); assertThat(response.getHeaderNames()).hasSize(1); assertThat(response.getHeader("Public-Key-Pins")).isEqualTo( - "max-age=5184000 ; pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\" ; report-uri=\"http://example.com/pkp-report\""); + "max-age=5184000 ; pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\" ; report-uri=\"https://example.com/pkp-report\""); } @Test diff --git a/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategyTests.java b/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategyTests.java index ae928b7d54..bacc63c825 100644 --- a/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategyTests.java +++ b/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategyTests.java 
@@ -45,13 +45,13 @@ public class RegExpAllowFromStrategyTests { strategy.setAllowFromParameterName("from"); MockHttpServletRequest request = new MockHttpServletRequest(); - request.setParameter("from", "http://abc.test.com"); + request.setParameter("from", "http://www.test.com"); String result1 = strategy.getAllowFromValue(request); - assertThat(result1).isEqualTo("http://abc.test.com"); + assertThat(result1).isEqualTo("http://www.test.com"); - request.setParameter("from", "http://foo.test.com"); + request.setParameter("from", "http://abc.test.com"); String result2 = strategy.getAllowFromValue(request); - assertThat(result2).isEqualTo("http://foo.test.com"); + assertThat(result2).isEqualTo("http://abc.test.com"); request.setParameter("from", "http://test.foobar.com"); String result3 = strategy.getAllowFromValue(request); diff --git a/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategyTests.java b/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategyTests.java index e3e250d07d..7d38c3b36f 100644 --- a/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategyTests.java +++ b/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategyTests.java @@ -33,7 +33,7 @@ public class StaticAllowFromStrategyTests { @Test public void shouldReturnUri() { - String uri = "http://www.test.com"; + String uri = "https://www.test.com"; StaticAllowFromStrategy strategy = new StaticAllowFromStrategy(URI.create(uri)); assertThat(strategy.getAllowFromValue(new MockHttpServletRequest())).isEqualTo(uri); } diff --git a/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategyTests.java b/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategyTests.java index 308207525f..c67a047792 100644 
--- a/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategyTests.java +++ b/web/src/test/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategyTests.java 
@@ -44,38 +44,38 @@ public class WhiteListedAllowFromStrategyTests { @Test public void listWithSingleElementShouldMatch() { List allowed = new ArrayList<>(); - allowed.add("http://www.test.com"); + allowed.add("https://www.test.com"); WhiteListedAllowFromStrategy strategy = new WhiteListedAllowFromStrategy(allowed); strategy.setAllowFromParameterName("from"); MockHttpServletRequest request = new MockHttpServletRequest(); - request.setParameter("from", "http://www.test.com"); + request.setParameter("from", "https://www.test.com"); String result = strategy.getAllowFromValue(request); - assertThat(result).isEqualTo("http://www.test.com"); + assertThat(result).isEqualTo("https://www.test.com"); } @Test public void listWithMultipleElementShouldMatch() { List allowed = new ArrayList<>(); - allowed.add("http://www.test.com"); - allowed.add("http://www.springsource.org"); + allowed.add("https://www.test.com"); + allowed.add("https://www.springsource.org"); WhiteListedAllowFromStrategy strategy = new WhiteListedAllowFromStrategy(allowed); strategy.setAllowFromParameterName("from"); MockHttpServletRequest request = new MockHttpServletRequest(); - request.setParameter("from", "http://www.test.com"); + request.setParameter("from", "https://www.test.com"); String result = strategy.getAllowFromValue(request); - assertThat(result).isEqualTo("http://www.test.com"); + assertThat(result).isEqualTo("https://www.test.com"); } @Test public void listWithSingleElementShouldNotMatch() { List allowed = new ArrayList<>(); - allowed.add("http://www.test.com"); + allowed.add("https://www.test.com"); WhiteListedAllowFromStrategy strategy = new WhiteListedAllowFromStrategy(allowed); strategy.setAllowFromParameterName("from"); MockHttpServletRequest request = new MockHttpServletRequest(); - request.setParameter("from", "http://www.test123.com"); + request.setParameter("from", "https://www.test123.com"); String result = strategy.getAllowFromValue(request); assertThat(result).isEqualTo("DENY"); 
@@ -84,7 +84,7 @@ public class WhiteListedAllowFromStrategyTests {
 @Test
 public void requestWithoutParameterShouldNotMatch() {
 List allowed = new ArrayList<>();
- allowed.add("http://www.test.com");
+ allowed.add("https://www.test.com");
 WhiteListedAllowFromStrategy strategy = new WhiteListedAllowFromStrategy(allowed);
 strategy.setAllowFromParameterName("from");
 MockHttpServletRequest request = new MockHttpServletRequest();