Added 'heavyduty' sample to sandbox for testing

sandbox/heavyduty/certificates/Readme.txt

@@ -0,0 +1,10 @@
+This directory contains certificates and keys for use with SSL in the sample applications. Certificates are issued by
+our "Spring Security Test CA" certificate authority.
+
+ca.pem     - the certificate authority's certificate.
+server.jks - Java keystore containing the server certificate and privatekey. It Also contains the certificate authority
+             file and this is used as both keystore and truststore for they jetty server when running the samples with
+             the maven jetty plugin ("mvn jetty:run").
+
+rod.p12, dianne.p12, scott.p12 are all certificate/key combinations for client authentication and can be installed in
+your browser if you want to try out support for X.509 authentication.

sandbox/heavyduty/certificates/ca.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDojCCAoqgAwIBAgIEMKX1dzANBgkqhkiG9w0BAQUFADCBiTELMAkGA1UEBhMC
+R0IxETAPBgNVBAgTCFNjb3RsYW5kMRAwDgYDVQQHEwdHbGFzZ293MRkwFwYDVQQK
+ExBTcHJpbmcgRnJhbWV3b3JrMRgwFgYDVQQLEw9TcHJpbmcgU2VjdXJpdHkxIDAe
+BgNVBAMTF1NwcmluZyBTZWN1cml0eSBUZXN0IENBMB4XDTA4MDEyNTExMTIyMVoX
+DTE4MDIyNTAwMDAwMFowgYkxCzAJBgNVBAYTAkdCMREwDwYDVQQIEwhTY290bGFu
+ZDEQMA4GA1UEBxMHR2xhc2dvdzEZMBcGA1UEChMQU3ByaW5nIEZyYW1ld29yazEY
+MBYGA1UECxMPU3ByaW5nIFNlY3VyaXR5MSAwHgYDVQQDExdTcHJpbmcgU2VjdXJp
+dHkgVGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALzl/wEe
+snYrwqaGZuB8hmwACtptazh1+eXCfd66FkioxlLF7yTnjCC7DT+vmMgSuThIEIsN
+xlxLpEgyU3bU8GIuR8wyYIyvuSMcptdFJLV7NKYuRycxpDuqimTM7Br0nfNgKVEv
+1QwguGWr6YN3aZ68/xe/D5xyPhakKu++7VFXIXw9f0+nqojdrFTqQ6l9GAVRgfX6
+h4JOaV1VFx83y2pnFj0iFneVxRcvXyWnyXlcOvJDIyVuyS/hYxb+E5rtBvp5XQ0o
+5CP4OMwCZGx/jEqlL8oO7BwEgu9aEBxKvoIKJmHDTHgWIxgawTrKabmong4utnMI
+yNrhsI77bmh2U7UCAwEAAaMQMA4wDAYDVR0PBAUDAwcGADANBgkqhkiG9w0BAQUF
+AAOCAQEAuD8W9Ukkfyi0y65mwguFVAqBC3RSTMRXcjbLQV4rMDM/Q9kjA6acY4Ta
+WgxGTwNCydqaqwDVsmn+6Je8Lp2xm9KLDLypVdNopGs+Mlfo55dhwqymXkQw1oJI
+CPhR3nBmGEnSWW0UY9bPlpxRF2D5GDVwpuxDtXvWa4baPwRRI9MxwPWHA3ITl+fc
+s9QVKy+pRAnuP9MSIp755cJ1CODOn2ElNCqnxxsZmcWcmI3LkHAwTmegl3PVvhrk
+MKMEA/neshh/M/hWGNTFt77Hoa7pU9dv5RCWFvZPqsUgPrwGrmUvcmSDir3lSWQm
+SuSED2LKVo+BFqwWS+jp49AR9b8B/Q==
+-----END CERTIFICATE-----

sandbox/heavyduty/pom.xml

@@ -0,0 +1,166 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>org.springframework.security</groupId>
+    <artifactId>spring-security-heavyduty</artifactId>
+    <name>Spring Security - Heavy Duty Sample</name>
+    <packaging>war</packaging>
+    <version>2.0.0</version>
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-core</artifactId>
+            <version>${spring.security.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-core-tiger</artifactId>
+            <version>${spring.security.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-taglibs</artifactId>
+            <version>${spring.security.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-core</artifactId>
+            <version>${spring.version}</version>
+        </dependency>                
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-context</artifactId>
+            <version>${spring.version}</version>
+        </dependency>        
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-web</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-webmvc</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-jdbc</artifactId>
+            <scope>runtime</scope>
+            <version>${spring.version}</version>    
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-orm</artifactId>
+            <version>${spring.version}</version>
+        </dependency>        
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-aop</artifactId>
+            <scope>runtime</scope>
+            <version>${spring.version}</version>
+        </dependency>
+	    <dependency>
+	      <groupId>hsqldb</groupId>
+	      <artifactId>hsqldb</artifactId>
+	      <version>1.8.0.7</version>
+	      <scope>compile</scope>
+	    </dependency>
+	    <dependency>
+	      <groupId>org.hibernate</groupId>
+	      <artifactId>hibernate-entitymanager</artifactId>
+	      <version>3.3.2.GA</version>
+	      <scope>compile</scope>
+	    </dependency>
+	    <dependency>
+	      <groupId>net.sf.ehcache</groupId>
+	      <artifactId>ehcache</artifactId>
+	      <version>1.3.0</version>
+	      <scope>compile</scope>
+	    </dependency>
+	    <dependency>
+	        <groupId>org.aspectj</groupId>
+    		<artifactId>aspectjweaver</artifactId>
+	    	<optional>true</optional>
+		    <version>1.5.4</version>
+	    </dependency>	    
+	    <dependency>
+	        <groupId>org.aspectj</groupId>
+	    	<artifactId>aspectjrt</artifactId>
+		    <version>1.5.4</version>
+	    </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+            <scope>provided</scope>
+            <version>2.4</version>
+        </dependency>        
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>jstl</artifactId>
+            <scope>runtime</scope>
+            <version>1.1.2</version>
+        </dependency>
+        <dependency>
+            <groupId>taglibs</groupId>
+            <artifactId>standard</artifactId>
+            <scope>runtime</scope>
+            <version>1.1.2</version>            
+        </dependency>
+        <dependency>
+            <groupId>log4j</groupId>
+            <artifactId>log4j</artifactId>
+            <scope>runtime</scope>
+            <version>1.2.14</version>
+        </dependency>        
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>1.5</source>
+                    <target>1.5</target>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-eclipse-plugin</artifactId>
+                <version>2.5.1</version>
+                <configuration>
+                    <downloadSources>true</downloadSources>
+                    <wtpversion>2.0</wtpversion>
+                </configuration>
+            </plugin>            
+            <plugin>
+                <groupId>org.mortbay.jetty</groupId>
+                <artifactId>maven-jetty-plugin</artifactId>
+                <version>6.1.7</version>
+                <configuration>
+                    <contextPath>/tutorial</contextPath>
+                    <connectors>
+                        <connector implementation="org.mortbay.jetty.nio.SelectChannelConnector">
+                            <port>8080</port>
+                            <confidentialPort>8443</confidentialPort>
+                        </connector>
+                        <connector implementation="org.mortbay.jetty.security.SslSocketConnector">
+                            <port>8443</port>
+                            <keystore>certificates/server.jks</keystore>
+                            <password>password</password>
+                            <keyPassword>password</keyPassword>
+                            <truststore>certificates/server.jks</truststore>
+                            <trustPassword>password</trustPassword>
+                            <wantClientAuth>true</wantClientAuth>
+                            <needClientAuth>false</needClientAuth>
+                        </connector>
+                    </connectors>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+    <properties>        
+        <spring.version>2.5.3</spring.version>
+        <spring.security.version>2.0.1-SNAPSHOT</spring.security.version>
+    </properties>
+
+</project>

sandbox/heavyduty/src/main/java/bigbank/Account.java

@@ -0,0 +1,51 @@
+package bigbank;
+
+/**
+ * Note this class does not represent best practice, as we are failing to
+ * encapsulate business logic (methods) and state in the domain object.
+ * Nevertheless, this demo is intended to reflect what people usually do,
+ * as opposed to what they ideally would be doing.
+ * 
+ * @author Ben Alex
+ * @version $Id$
+ */
+public class Account {
+	private long id = -1;
+	private String holder;
+	private double balance;
+	
+	public Account(String holder) {
+		super();
+		this.holder = holder;
+	}
+
+	public long getId() {
+		return id;
+	}
+
+	public void setId(long id) {
+		this.id = id;
+	}
+
+	public String getHolder() {
+		return holder;
+	}
+
+	public void setHolder(String holder) {
+		this.holder = holder;
+	}
+
+	public double getBalance() {
+		return balance;
+	}
+
+	public void setBalance(double balance) {
+		this.balance = balance;
+	}
+
+	public String toString() {
+		return "Account[id=" + id + ",balance=" + balance +",holder=" + holder + "]";
+	}
+
+	
+}

sandbox/heavyduty/src/main/java/bigbank/BankDao.java

@@ -0,0 +1,7 @@
+package bigbank;
+
+public interface BankDao {
+	public Account readAccount(Long id);
+	public void createOrUpdateAccount(Account account);
+	public Account[] findAccounts();
+}

sandbox/heavyduty/src/main/java/bigbank/BankDaoStub.java

@@ -0,0 +1,32 @@
+package bigbank;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class BankDaoStub implements BankDao {
+	private long id = 0;
+	private Map accounts = new HashMap();
+	
+	public void createOrUpdateAccount(Account account) {
+		if (account.getId() == -1) {
+			id++;
+			account.setId(id);
+		}
+		accounts.put(new Long(account.getId()), account);
+		System.out.println("SAVE: " + account);
+	}
+
+	public Account[] findAccounts() {
+		Account[] a = (Account[]) accounts.values().toArray(new Account[] {});
+		System.out.println("Returning " + a.length + " account(s):");
+		for (int i = 0; i < a.length; i++) {
+			System.out.println(" > " + a[i]);
+		}
+		return a;
+	}
+
+	public Account readAccount(Long id) {
+		return (Account) accounts.get(id);
+	}
+
+}

sandbox/heavyduty/src/main/java/bigbank/BankService.java

@@ -0,0 +1,15 @@
+package bigbank;
+
+import org.springframework.security.annotation.Secured;
+
+public interface BankService {
+	
+	@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
+	public Account readAccount(Long id);
+		
+	@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
+	public Account[] findAccounts();
+	
+	@Secured("ROLE_TELLER")
+	public Account post(Account account, double amount);
+}

sandbox/heavyduty/src/main/java/bigbank/BankServiceImpl.java

@@ -0,0 +1,40 @@
+package bigbank;
+
+import org.aspectj.lang.annotation.Pointcut;
+import org.springframework.util.Assert;
+
+public class BankServiceImpl implements BankService {
+	private BankDao bankDao;
+
+	// Not used unless you declare a <protect-pointcut>
+	@Pointcut("execution(* bigbank.BankServiceImpl.*(..))")
+	public void myPointcut() {}
+
+	public BankServiceImpl(BankDao bankDao) {
+		Assert.notNull(bankDao);
+		this.bankDao = bankDao;
+	}
+
+	public Account[] findAccounts() {
+		return this.bankDao.findAccounts();
+	}
+
+	public Account post(Account account, double amount) {
+		Assert.notNull(account);
+		Assert.notNull(account.getId());
+		
+		// We read account bank from DAO so it reflects the latest balance
+		Account a = bankDao.readAccount(account.getId());
+		if (account == null) {
+			throw new IllegalArgumentException("Couldn't find requested account");
+		}
+		
+		a.setBalance(a.getBalance() + amount);
+		bankDao.createOrUpdateAccount(a);
+		return a;
+	}
+
+	public Account readAccount(Long id) {
+		return bankDao.readAccount(id);
+	}
+}

sandbox/heavyduty/src/main/java/bigbank/SeedData.java

@@ -0,0 +1,21 @@
+package bigbank;
+
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.util.Assert;
+
+public class SeedData implements InitializingBean{
+	private BankDao bankDao;
+
+	public void afterPropertiesSet() throws Exception {
+		Assert.notNull(bankDao);
+		bankDao.createOrUpdateAccount(new Account("rod"));
+		bankDao.createOrUpdateAccount(new Account("dianne"));
+		bankDao.createOrUpdateAccount(new Account("scott"));
+		bankDao.createOrUpdateAccount(new Account("peter"));
+	}
+	
+	public void setBankDao(BankDao bankDao) {
+		this.bankDao = bankDao;
+	}
+	
+}

sandbox/heavyduty/src/main/java/bigbank/web/ListAccounts.java

@@ -0,0 +1,34 @@
+package bigbank.web;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.AuthenticationCredentialsNotFoundException;
+import org.springframework.util.Assert;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.mvc.Controller;
+
+import bigbank.BankService;
+
+public class ListAccounts implements Controller {
+
+	private BankService bankService;
+	
+	public ListAccounts(BankService bankService) {
+		Assert.notNull(bankService);
+		this.bankService = bankService;
+	}
+
+	public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
+		// Security check (this is unnecessary if Spring Security is performing the authorization)
+//		if (request.getUserPrincipal() == null) {
+//			throw new AuthenticationCredentialsNotFoundException("You must login to view the account list (Spring Security message)"); // only for Spring Security managed authentication
+//		}
+		
+		// Actual business logic
+		ModelAndView mav = new ModelAndView("listAccounts");
+		mav.addObject("accounts", bankService.findAccounts());
+		return mav;
+	}
+
+}

sandbox/heavyduty/src/main/java/bigbank/web/PostAccounts.java

@@ -0,0 +1,39 @@
+package bigbank.web;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.AccessDeniedException;
+import org.springframework.util.Assert;
+import org.springframework.web.bind.ServletRequestUtils;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.mvc.Controller;
+
+import bigbank.Account;
+import bigbank.BankService;
+
+public class PostAccounts implements Controller {
+
+	private BankService bankService;
+	
+	public PostAccounts(BankService bankService) {
+		Assert.notNull(bankService);
+		this.bankService = bankService;
+	}
+
+	public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
+		// Security check (this is unnecessary if Spring Security is performing the authorization)
+//		if (!request.isUserInRole("ROLE_TELLER")) {
+//			throw new AccessDeniedException("You must be a teller to post transactions (Spring Security message)"); // only for Spring Security managed authentication
+//		}
+		
+		// Actual business logic
+		Long id = ServletRequestUtils.getRequiredLongParameter(request, "id");
+		Double amount = ServletRequestUtils.getRequiredDoubleParameter(request, "amount");
+		Account a = bankService.readAccount(id);
+		bankService.post(a, amount);
+		
+		return new ModelAndView("redirect:listAccounts.html");
+	}
+
+}

sandbox/heavyduty/src/main/java/heavyduty/security/ui/HeavyDutyAuthenticationProcessingFilter.java

@@ -0,0 +1,11 @@
+package heavyduty.security.ui;
+
+import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;
+
+public class HeavyDutyAuthenticationProcessingFilter extends AuthenticationProcessingFilter {
+	
+	
+
+	
+	
+}

sandbox/heavyduty/src/main/java/heavyduty/security/ui/HeavyDutyEntryPoint.java

@@ -0,0 +1,9 @@
+package heavyduty.security.ui;
+
+import org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint;
+
+public class HeavyDutyEntryPoint extends AuthenticationProcessingFilterEntryPoint {
+
+	
+	
+}

sandbox/heavyduty/src/main/java/sample/dao/GenericDAO.java

@@ -0,0 +1,46 @@
+package sample.dao;
+
+import java.io.Serializable;
+
+
+/**
+ * The Interface GenericDAO.
+ */
+public interface GenericDAO<T extends Serializable, PK extends Serializable> 
+{
+   	/**
+   	 * persist
+   	 * @param transientInstance objet to persist
+   	 */
+	void persist(T transientInstance);
+
+	
+	/**
+   	 * refresh
+   	 * @param instance objet to refresh
+   	 */
+	void refresh(T instance);
+
+	
+	/**
+   	 * delete
+   	 * @param persistentInstance objet to delete
+   	 */
+	void delete(T persistentInstance);
+
+	
+	/**
+   	 * merge
+   	 * @param detachedInstance objet to merge
+   	 * @return merged object
+   	 */
+	T merge(T detachedInstance);
+	
+	
+	/**
+   	 * read
+   	 * @param id of object to read
+   	 * @return read object
+   	 */
+	T read(PK id);
+}

sandbox/heavyduty/src/main/java/sample/dao/UserDAO.java

@@ -0,0 +1,13 @@
+
+package sample.dao;
+
+import sample.domain.User;
+
+
+/**
+ * The Interface PatientDAO.
+ */
+public interface UserDAO extends GenericDAO<User,Long> {
+	
+	public User findByUsername(String username);
+}

sandbox/heavyduty/src/main/java/sample/dao/impl/GenericDAOImpl.java

@@ -0,0 +1,126 @@
+package sample.dao.impl;
+
+import java.io.Serializable;
+
+import javax.persistence.EntityManager;
+import javax.persistence.PersistenceContext;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import sample.dao.GenericDAO;
+
+
+public class GenericDAOImpl<T extends Serializable, PK extends Serializable>
+		implements GenericDAO<T, PK> {
+	/** type */
+	private Class<T> type;
+
+	/** the logger */
+	private static final Log LOG = LogFactory.getLog(GenericDAOImpl.class);
+
+	@PersistenceContext
+	private EntityManager entityManager;
+
+	/**
+	 * Minimal constructor
+	 * 
+	 * @param t
+	 *            type POJO hibernate
+	 */
+	public GenericDAOImpl(Class<T> t) {
+		this.type = t;
+	}
+
+	/**
+	 * read data
+	 * 
+	 * @param id
+	 *            data id
+	 * @return data
+	 */
+	@SuppressWarnings("unchecked")
+	public T read(PK id) {
+		if (id == null) {
+			throw new IllegalArgumentException("Id cannot be null or empty");
+		}
+
+		// find() au lieu de getReference() pour forcer l'initialisation de
+		// l'objet, sinon on ne recupère
+		// qu'un proxy non-initialisé !
+		return entityManager.find(type, id);
+
+	}
+
+	/**
+	 * persist data
+	 * 
+	 * @param transientInstance
+	 *            data to persist
+	 * @see sido.common.dao.GenericDAO#persist(T)
+	 */
+	public void persist(T transientInstance) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Persisting instance of "
+					+ transientInstance.getClass().getSimpleName());
+		}
+		entityManager.persist(transientInstance);
+	}
+
+	/**
+	 * 
+	 * attach clean
+	 * 
+	 * @param instance
+	 *            data to attach
+	 * @see sido.common.dao.GenericDAO#refresh(T)
+	 */
+	public void refresh(T instance) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("refreshing instance of "
+					+ instance.getClass().getSimpleName());
+		}
+		entityManager.refresh(instance);
+	}
+
+	/**
+	 * delete
+	 * 
+	 * @param persistentInstance
+	 *            data to delete
+	 * @see sido.common.dao.GenericDAO#delete(T)
+	 */
+	public void delete(T persistentInstance) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("deleting instance of "
+					+ persistentInstance.getClass().getSimpleName());
+		}
+		entityManager.remove(persistentInstance);
+	}
+
+	/**
+	 * merge
+	 * 
+	 * @param detachedInstance
+	 *            data to merge
+	 * @return the merged data
+	 * @see sido.common.dao.GenericDAO#merge(T)
+	 */
+	@SuppressWarnings("unchecked")
+	public T merge(T detachedInstance) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("merging instance of "
+					+ detachedInstance.getClass().getSimpleName());
+		}
+		return entityManager.merge(detachedInstance);
+	}
+
+	/**
+	 * @return the entityManager
+	 */
+	public EntityManager getEntityManager() {
+		return entityManager;
+	}
+
+
+}

sandbox/heavyduty/src/main/java/sample/dao/impl/UserDAOImpl.java

@@ -0,0 +1,27 @@
+package sample.dao.impl;
+
+import org.springframework.stereotype.Repository;
+
+import sample.domain.User;
+
+/**
+ * UserDAOImpl
+ */
+@Repository
+public class UserDAOImpl extends GenericDAOImpl<User, Long> implements
+		sample.dao.UserDAO {
+
+	/**
+	 * Required constructor
+	 */
+	public UserDAOImpl() {
+		super(User.class);
+	}
+
+	public User findByUsername(String username) {
+		return (User) getEntityManager().createNamedQuery("User.findByUsername")
+				.setParameter("username", username).getSingleResult();
+	}
+	
+
+}

sandbox/heavyduty/src/main/java/sample/domain/User.java

@@ -0,0 +1,106 @@
+
+
+package sample.domain;
+
+import java.io.Serializable;
+import java.util.Date;
+
+import javax.persistence.Basic;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.NamedQuery;
+
+/**
+ * The Class Patient.
+ */
+@Entity
+@NamedQuery(name = "User.findByUsername", query = "from User where username= :username")
+public class User implements Serializable {
+
+	/** serialVersionUID */
+	private static final long serialVersionUID = 7073017148588882593L;
+
+	/** The id. */
+	@Id
+	@GeneratedValue(strategy=GenerationType.IDENTITY)
+	private Long id;
+
+	/** The username. */
+	@Basic(optional = false)
+	private String username;
+
+	/** The username. */
+	@Basic(optional = false)
+	private String password;
+
+	/**
+	 * Default constructor
+	 */
+	public User() {
+		super();
+	}
+
+	/**
+	 * @param username
+	 * @param password
+	 */
+	public User(String username, String password) {
+		super();
+		this.username = username;
+		this.password = password;
+	}
+
+	/**
+	 * @return the id
+	 */
+	public Long getId() {
+		return id;
+	}
+
+	/**
+	 * @param id the id to set
+	 */
+	public void setId(Long id) {
+		this.id = id;
+	}
+
+	/**
+	 * @return the username
+	 */
+	public String getUsername() {
+		return username;
+	}
+
+	/**
+	 * @param username the username to set
+	 */
+	public void setUsername(String username) {
+		this.username = username;
+	}
+
+	/**
+	 * Full constructor
+	 * @param username
+	 */
+	public User(String username, String password, Date derniereConnexion,
+			String key) {
+		super();
+		this.username = username;
+	}
+
+	/**
+	 * @return the password
+	 */
+	public String getPassword() {
+		return password;
+	}
+
+	/**
+	 * @param password the password to set
+	 */
+	public void setPassword(String password) {
+		this.password = password;
+	}
+}

sandbox/heavyduty/src/main/java/sample/service/UserService.java

@@ -0,0 +1,16 @@
+package sample.service;
+
+import org.springframework.security.userdetails.UserDetails;
+import org.springframework.security.userdetails.UserDetailsService;
+
+public interface UserService extends UserDetailsService {
+	
+	/**
+	 * Register a new User in database
+	 * @param username
+	 */
+	public UserDetails register(String username, String password);
+	
+	
+	
+}

sandbox/heavyduty/src/main/java/sample/service/impl/UserServiceImpl.java

@@ -0,0 +1,68 @@
+/**
+ * 
+ */
+package sample.service.impl;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.AuthenticationException;
+import org.springframework.security.GrantedAuthority;
+import org.springframework.security.GrantedAuthorityImpl;
+import org.springframework.security.userdetails.UserDetails;
+import org.springframework.security.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Component;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import sample.dao.UserDAO;
+import sample.domain.User;
+import sample.service.UserService;
+
+/**
+ * @author A207119
+ * 
+ */
+@Component
+@Transactional
+public class UserServiceImpl implements UserService {
+
+	/** The logger */
+	private static final Log LOG = LogFactory.getLog(UserServiceImpl.class);
+
+	/** The User DAO */
+	@Autowired
+	private UserDAO userDAO = null;
+
+	public UserDetails loadUserByUsername(String username)
+			throws AuthenticationException {
+		try {
+			User user = userDAO.findByUsername(username);
+
+			return new org.springframework.security.userdetails.User(user
+					.getUsername(), user.getPassword(), true, true, true, true,
+					new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") });
+		} catch (Exception e) {
+			LOG.error(e.getMessage(), e);
+			throw new UsernameNotFoundException("No matching account", e);
+		}
+	}
+
+	public UserDetails register(String username, String password) {
+		User user = new User(username, password);
+		userDAO.persist(user);
+		return new org.springframework.security.userdetails.User(user
+				.getUsername(), user.getPassword(), true, true, true, true,
+				new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") });
+
+	}
+
+	/**
+	 * @param userDAO
+	 *            the userDAO to set
+	 */
+	public void setUserDAO(UserDAO userDAO) {
+		this.userDAO = userDAO;
+	}
+
+}

sandbox/heavyduty/src/main/resources/applicationContext-business.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
+
+	<bean id="bankDao" class="bigbank.BankDaoStub"/>
+
+	<bean id="seedData" class="bigbank.SeedData">
+		<property name="bankDao" ref="bankDao"/>
+	</bean>
+
+	<bean id="bankService" class="bigbank.BankServiceImpl">
+		<constructor-arg ref="bankDao"/>
+        <!-- This will add a security interceptor to the bean
+        <security:intercept-methods>
+            <security:protect method="bigbank.BankService.*" access="IS_AUTHENTICATED_REMEMBERED" />
+            <security:protect method="bigbank.BankService.post" access="ROLE_TELLER" />
+        </security:intercept-methods>  -->
+	</bean>
+
+</beans>

sandbox/heavyduty/src/main/webapp/META-INF/MANIFEST.MF

@@ -0,0 +1,2 @@
+Manifest-Version: 1.0
+

sandbox/heavyduty/src/main/webapp/WEB-INF/appContext-misc.xml

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+  |
+  |  Miscellaneous beans added just to test configuration options
+  |
+  |  $Id$ 
+  -->
+
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:sec="http://www.springframework.org/schema/security"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
+
+    <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
+        <property name="decisionVoters">
+            <list>
+                <bean class="org.springframework.security.vote.RoleVoter"/>
+                <bean class="org.springframework.security.vote.AuthenticatedVoter"/>
+            </list>
+        </property>
+    </bean>
+
+
+    <bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
+        <property name="authenticationManager" ref="authenticationManager"/>
+        <property name="accessDecisionManager" ref="accessDecisionManager"/>
+        <property name="objectDefinitionSource">
+            <value><![CDATA[
+                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
+                PATTERN_TYPE_APACHE_ANT
+                /secure/extreme/**=ROLE_SUPERVISOR
+                /secure/**=IS_AUTHENTICATED_REMEMBERED
+                /**=IS_AUTHENTICATED_ANONYMOUSLY
+            ]]></value>
+        </property>
+    </bean>
+    
+    <bean id="basicProcessingFilter" class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
+        <property name="authenticationManager" ref="authenticationManager"/>
+        <property name="authenticationEntryPoint" ref="basicProcessingFilterEntryPoint"/>
+    </bean>
+
+    <bean id="basicProcessingFilterEntryPoint" class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
+        <property name="realmName"><value>My Realm</value></property>
+    </bean>
+
+</beans>
+                        
+                        

sandbox/heavyduty/src/main/webapp/WEB-INF/appContext-persistence.xml

@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xmlns:aop="http://www.springframework.org/schema/aop"
+  xmlns:config="http://www.springframework.org/schema/config"
+  xmlns:tx="http://www.springframework.org/schema/tx"
+  xmlns:context="http://www.springframework.org/schema/context"
+  xmlns:security="http://www.springframework.org/schema/security"
+  xsi:schemaLocation="
+    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
+    http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.5.xsd
+    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd
+    http://www.springframework.org/schema/config http://www.springframework.org/schema/config/spring-config-2.5.xsd
+    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd
+    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd">
+  
+  <bean id="AllPropertiesConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
+    <property name="location">
+      <value>classpath:jdbc.properties</value>
+    </property>
+  </bean>
+
+  <tx:annotation-driven transaction-manager="transactionManager" />
+
+  <bean id="userDAO" class="sample.dao.impl.UserDAOImpl"/>
+  
+  <bean id="daoUserService" class="sample.service.impl.UserServiceImpl">
+    <property name="userDAO" ref="userDAO"/>
+  </bean>
+
+  <bean class="org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor">
+    <!--  property name="order" value="0"/ -->
+  </bean>
+  
+  <bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
+    <property name="entityManagerFactory" ref="entityManagerFactory" />
+    <property name="dataSource" ref="dataSource" />
+  </bean>
+
+  <bean id="entityManagerFactory"
+    class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
+    <property name="dataSource" ref="dataSource" />
+    <property name="jpaVendorAdapter">
+      <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
+        <property name="generateDdl" value="${jpa.generateDdl}" />
+        <property name="showSql" value="${jpa.showSql}" />
+        <property name="databasePlatform" value="${jpa.dialect}" />
+      </bean>
+    </property>
+  </bean>
+
+  <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
+    <property name="driverClassName" value="${jdbc.driver}" />
+    <property name="url" value="${jdbc.url}" />
+    <property name="username" value="${jdbc.username}" />
+    <property name="password" value="${jdbc.password}" />
+  </bean>
+
+</beans>

sandbox/heavyduty/src/main/webapp/WEB-INF/appContext-security.xml

@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+  - Sample namespace-based configuration
+  -
+  - $Id: applicationContext-security-ns.xml 2923 2008-04-12 17:17:46Z luke_t $
+  -->
+
+<b:beans xmlns="http://www.springframework.org/schema/security"
+    xmlns:b="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
+
+    <b:import resource="appContext-misc.xml"/>
+    
+	<global-method-security secured-annotations="enabled"/>		
+
+    <http entry-point-ref='customEntryPoint'>
+        <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
+        <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
+		<!-- Disable web URI authorization, as we're using <global-method-security> and have @Secured the services layer instead
+        <intercept-url pattern="/listAccounts.html" access="IS_AUTHENTICATED_REMEMBERED" />
+        <intercept-url pattern="/post.html" access="ROLE_TELLER" />
+        -->
+        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
+<!--
+    Uncomment to enable X509 client authentication support -->
+        <x509 user-service-ref="daoUserService"/> 
+
+
+        <!-- All of this is unnecessary if auto-config="true" -->
+        <form-login />
+        <anonymous />
+        <!-- http-basic / -->
+        <logout />
+<!--          <remember-me user-service-ref="daoUserService"/> -->
+
+        <!-- Uncomment to limit the number of sessions a user can have -->
+        <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
+    </http>
+    
+    <authentication-manager alias="authenticationManager"/> 
+    
+    <b:bean id="customAuthFilter" class="heavyduty.security.ui.HeavyDutyAuthenticationProcessingFilter">
+        <custom-filter after="AUTHENTICATION_PROCESSING_FILTER"/>
+        <b:property name="defaultTargetUrl" value="/"/>
+        <b:property name="authenticationManager" ref="authenticationManager"/>
+    </b:bean>
+    
+    <b:bean id="customEntryPoint" class="heavyduty.security.ui.HeavyDutyEntryPoint">
+        <b:property name="loginFormUrl" value="/login.jsp"/>
+    </b:bean>
+<!--     
+    <b:bean id="loginPageGenerator" class="org.springframework.security.ui.webapp.DefaultLoginPageGeneratingFilter">
+        <custom-filter after="AUTHENTICATION_PROCESSING_FILTER"/>
+        <b:constructor-arg ref="customAuthFilter"/>
+    </b:bean>
+ -->
+    <!--
+    Usernames/Passwords are
+        rod/koala
+        dianne/emu
+        scott/wombat
+        peter/opal
+    -->
+    
+	<authentication-provider user-service-ref="daoUserService">
+	    <password-encoder hash="md5" />
+	</authentication-provider>
+
+    <authentication-provider>
+        <password-encoder hash="md5"/>
+        <user-service>
+            <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
+	        <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
+            <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
+            <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
+	    </user-service>
+	</authentication-provider>
+
+</b:beans>

sandbox/heavyduty/src/main/webapp/WEB-INF/applicationContext-acegi-security.xml

@@ -0,0 +1,161 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
+
+<!--
+  - A simple "base bones" Acegi Security configuration.
+  -
+  - The sample includes the "popular" features that people tend to use.
+  - Specifically, form authentication, remember-me, and anonymous processing.
+  - Other features aren't setup, as these can be added later by inserting
+  - the relevant XML fragments as specified in the Reference Guide.
+  -
+  - To assist new users, the filters specified in the FilterChainProxy are
+  - declared in the application context in the same order. Collaborators
+  - required by those filters are placed at the end of the file.
+  -
+  - $Id: applicationContext-acegi-security.xml 2366 2007-12-11 19:18:44Z benalex $
+  -->
+
+<beans>
+
+	<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
+		<property name="filterInvocationDefinitionSource">
+			<value><![CDATA[
+				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
+				PATTERN_TYPE_APACHE_ANT
+				/**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
+			]]></value>
+		</property>
+	</bean>
+
+	<bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter"/>
+
+	<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
+		<constructor-arg value="/index.jsp"/> <!-- URL redirected to after logout -->
+		<constructor-arg>
+			<list>
+				<ref bean="rememberMeServices"/>
+				<bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
+			</list>
+		</constructor-arg>
+	</bean>
+
+	<bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
+		<property name="authenticationManager" ref="authenticationManager"/>
+		<property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/>
+		<property name="defaultTargetUrl" value="/"/>
+		<property name="filterProcessesUrl" value="/j_spring_security_check"/>
+		<property name="rememberMeServices" ref="rememberMeServices"/>
+	</bean>
+
+    <bean id="basicProcessingFilter" class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
+        <property name="authenticationManager"><ref local="authenticationManager"/></property>
+        <property name="authenticationEntryPoint"><ref local="basicProcessingFilterEntryPoint"/></property>
+    </bean>
+
+    <bean id="basicProcessingFilterEntryPoint" class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
+        <property name="realmName"><value>My Realm</value></property>
+    </bean>
+
+	<bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter"/>
+
+	<bean id="rememberMeProcessingFilter" class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
+		<property name="authenticationManager" ref="authenticationManager"/>
+		<property name="rememberMeServices" ref="rememberMeServices"/>
+	</bean>
+
+	<bean id="anonymousProcessingFilter" class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
+		<property name="key" value="changeThis"/>
+		<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
+	</bean>
+
+	<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
+		<property name="authenticationEntryPoint">
+			<bean class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
+				<property name="loginFormUrl" value="/acegilogin.jsp"/>
+				<property name="forceHttps" value="false"/>
+			</bean>
+		</property>
+		<property name="accessDeniedHandler">
+			<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
+				<property name="errorPage" value="/accessDenied.jsp"/>
+			</bean>
+		</property>
+	</bean>
+
+	<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
+		<property name="allowIfAllAbstainDecisions" value="false"/>
+		<property name="decisionVoters">
+			<list>
+				<bean class="org.springframework.security.vote.RoleVoter"/>
+				<bean class="org.springframework.security.vote.AuthenticatedVoter"/>
+			</list>
+		</property>
+	</bean>
+
+	<bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
+		<property name="authenticationManager" ref="authenticationManager"/>
+		<property name="accessDecisionManager" ref="accessDecisionManager"/>
+		<property name="objectDefinitionSource">
+			<value><![CDATA[
+				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
+				PATTERN_TYPE_APACHE_ANT
+				/secure/extreme/**=ROLE_SUPERVISOR
+				/secure/**=IS_AUTHENTICATED_REMEMBERED
+				/**=IS_AUTHENTICATED_ANONYMOUSLY
+			]]></value>
+		</property>
+	</bean>
+
+	<bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
+		<property name="userDetailsService" ref="userDetailsService"/>
+		<property name="key" value="changeThis"/>
+	</bean>
+
+	<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
+		<property name="providers">
+			<list>
+				<ref local="daoAuthenticationProvider"/>
+				<bean class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
+					<property name="key" value="changeThis"/>
+				</bean>
+				<bean class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
+					<property name="key" value="changeThis"/>
+				</bean>
+			</list>
+		</property>
+	</bean>
+
+	<bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
+		<property name="userDetailsService" ref="userDetailsService"/>
+	</bean>
+
+	<!-- UserDetailsService is the most commonly frequently Acegi Security interface implemented by end users -->
+	<bean id="userDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
+		<property name="userProperties">
+			<bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+				<property name="location" value="/WEB-INF/users.properties"/>
+			</bean>
+		</property>
+	</bean>
+
+	<!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
+	<bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
+
+	<bean id="daacc" class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>
+
+	<bean id="attributes" class="org.springframework.security.annotation.SecurityAnnotationAttributes"/>
+
+	<bean id="objectDefinitionSource" class="org.springframework.security.intercept.method.MethodDefinitionAttributes">
+		<property name="attributes"><ref local="attributes"/></property>
+	</bean>
+
+	<bean id="securityInterceptor" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
+		<property name="authenticationManager"><ref local="authenticationManager"/></property>
+		<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
+		<property name="objectDefinitionSource">
+			<ref local="objectDefinitionSource"/>
+		</property>
+	</bean>
+
+</beans>

sandbox/heavyduty/src/main/webapp/WEB-INF/bank-servlet.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
+
+	<bean name="/listAccounts.html" class="bigbank.web.ListAccounts">
+		<constructor-arg ref="bankService"/>
+	</bean>
+	
+	<bean name="/post.html" class="bigbank.web.PostAccounts">
+		<constructor-arg ref="bankService"/>
+	</bean>
+	
+	<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
+		<property name="prefix" value="/WEB-INF/jsp/"/>
+		<property name="suffix" value=".jsp"/>
+	</bean>
+
+</beans>

sandbox/heavyduty/src/main/webapp/WEB-INF/classes/META-INF/persistence.xml

@@ -0,0 +1,24 @@
+<persistence xmlns="http://java.sun.com/xml/ns/persistence"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://java.sun.com/xml/ns/persistence
+http://java.sun.com/xml/ns/persistence/persistence_1_0.xsd"
+  version="1.0">
+
+  <persistence-unit name="SAMPLE" transaction-type="RESOURCE_LOCAL">
+    <provider>org.hibernate.ejb.HibernatePersistence</provider>
+    <class>sample.domain.User</class>
+    <properties>
+      <property name="hibernate.archive.autodetection" value="class" />
+      <property name="hibernate.format_sql" value="true" />
+      <property name="hibernate.dialect" value="org.hibernate.dialect.HSQLDialect" />
+      <!-- property name="hibernate.cache.provider_class"
+        value="org.hibernate.cache.EHCacheProvider" />
+      <property name="hibernate.cache.use_second_level_cache" value="true" />
+      <property name="hibernate.cache.use_query_cache" value="true" / -->
+      <property name="hibernate.max_fetch_depth" value="3" />
+      <property name="hibernate.default_batch_fetch_size" value="8" />
+      <property name="hibernate.generate_statistics" value="true" />
+    </properties>
+  </persistence-unit>
+
+</persistence>

sandbox/heavyduty/src/main/webapp/WEB-INF/classes/jdbc.properties

@@ -0,0 +1,8 @@
+jpa.dialect=org.hibernate.dialect.HSQLDialect
+jpa.generateDdl=true
+jpa.showSql=true
+
+jdbc.driver=org.hsqldb.jdbcDriver
+jdbc.url=jdbc:hsqldb:mem:.
+jdbc.username=sa
+jdbc.password=

sandbox/heavyduty/src/main/webapp/WEB-INF/classes/log4j.properties

@@ -0,0 +1,18 @@
+# Global logging configuration
+log4j.rootLogger=DEBUG, stdout
+
+log4j.logger.org.springframework.security=DEBUG, stdout
+
+# Console output...
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.conversionPattern=[%p,%c{1},%L] - %m%n
+
+# Rolling log file output...
+#log4j.appender.fileout=org.apache.log4j.RollingFileAppender
+#log4j.appender.fileout.File=spring-security-tutorial.log
+#log4j.appender.fileout.File=${webapp.root}/WEB-INF/log4j.log
+#log4j.appender.fileout.MaxFileSize=1024KB
+#log4j.appender.fileout.MaxBackupIndex=1
+#log4j.appender.fileout.layout=org.apache.log4j.PatternLayout
+#log4j.appender.fileout.layout.conversionPattern=%d{ABSOLUTE} %5p %c{1},%t:%L - %m%n

sandbox/heavyduty/src/main/webapp/WEB-INF/classes/users.ldif

@@ -0,0 +1,60 @@
+dn: ou=groups,dc=springframework,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: groups
+
+dn: ou=people,dc=springframework,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: people
+
+dn: uid=rod,ou=people,dc=springframework,dc=org
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Rod Johnson
+sn: Johnson
+uid: rod
+userPassword: koala
+
+dn: uid=dianne,ou=people,dc=springframework,dc=org
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Dianne Emu
+sn: Emu
+uid: dianne
+userPassword: emu
+
+dn: uid=scott,ou=people,dc=springframework,dc=org
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Scott
+sn: Wombat
+uid: scott
+userPassword: wombat
+
+dn: cn=user,ou=groups,dc=springframework,dc=org
+objectclass: top
+objectclass: groupOfNames
+cn: user
+member: uid=rod,ou=people,dc=springframework,dc=org
+member: uid=dianne,ou=people,dc=springframework,dc=org
+member: uid=scott,ou=people,dc=springframework,dc=org
+
+dn: cn=teller,ou=groups,dc=springframework,dc=org
+objectclass: top
+objectclass: groupOfNames
+cn: teller
+member: uid=rod,ou=people,dc=springframework,dc=org
+member: dianne=rod,ou=people,dc=springframework,dc=org
+
+dn: cn=supervisor,ou=groups,dc=springframework,dc=org
+objectclass: top
+objectclass: groupOfNames
+cn: supervisor
+member: uid=rod,ou=people,dc=springframework,dc=org

sandbox/heavyduty/src/main/webapp/WEB-INF/jsp/listAccounts.jsp

@@ -0,0 +1,27 @@
+<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt"%>
+
+<h1>Accounts</h1>
+
+<a href="index.jsp">Home3</a><br><br>
+
+<table>
+<c:forEach var="account" items="${accounts}">
+  <tr>
+  <td>
+      <c:out value="${account.id}"/>
+  </td>
+  <td>
+      <c:out value="${account.holder}"/>
+  </td>
+  <td>
+      <c:out value="${account.balance}"/>
+  </td>
+  <td>
+      <a href="post.html?id=<c:out value="${account.id}"/>&amount=-20.00">-$20</a>
+      <a href="post.html?id=<c:out value="${account.id}"/>&amount=-5.00">-$5</a>
+      <a href="post.html?id=<c:out value="${account.id}"/>&amount=5.00">+$5</a>
+      <a href="post.html?id=<c:out value="${account.id}"/>&amount=20.00">+$20</a>
+  </td>
+  </tr>
+</c:forEach>
+</table>

sandbox/heavyduty/src/main/webapp/WEB-INF/web.xml

@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  - Tutorial web application
+  -
+  - $Id: web.xml 2809 2008-03-26 15:27:09Z luke_t $
+  -->
+
+<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
+
+    <display-name>Spring Security Tutorial Application</display-name>
+    
+    <!--
+	  - Location of the XML file that defines the root application context
+	  - Applied by ContextLoaderListener.
+	  -->
+	<context-param>
+		<param-name>contextConfigLocation</param-name>
+		<param-value>
+			classpath:applicationContext-business.xml
+			/WEB-INF/appContext-persistence.xml
+			/WEB-INF/appContext-security.xml
+		</param-value>
+	</context-param>
+	
+    <context-param>
+        <param-name>log4jConfigLocation</param-name>
+        <param-value>/WEB-INF/classes/log4j.properties</param-value>
+    </context-param>	
+
+    <filter>
+        <filter-name>springSecurityFilterChain</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+    </filter>
+
+    <filter-mapping>
+      <filter-name>springSecurityFilterChain</filter-name>
+      <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <listener>
+        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
+    </listener>
+
+	<!--
+	  - Loads the root application context of this web app at startup.
+	  - The application context is then available via
+	  - WebApplicationContextUtils.getWebApplicationContext(servletContext).
+    -->
+	<listener>
+		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+	</listener>
+
+	<!--
+	  - Publishes events for session creation and destruction through the application
+	  - context. Optional unless concurrent session control is being used.
+      -->
+    <listener>
+        <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
+    </listener>
+
+  <!--
+	- Provides core MVC application controller.
+    -->
+	<servlet>
+		<servlet-name>bank</servlet-name>
+		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
+		<load-on-startup>1</load-on-startup>
+	</servlet>
+
+	<servlet-mapping>
+    	<servlet-name>bank</servlet-name>
+    	<url-pattern>*.html</url-pattern>
+ 	</servlet-mapping>
+
+     <welcome-file-list>
+		<welcome-file>index.jsp</welcome-file>
+	</welcome-file-list>
+
+</web-app>

sandbox/heavyduty/src/main/webapp/index.jsp

@@ -0,0 +1,18 @@
+<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
+<html>
+<body>
+<h1>Home Page</h1>
+<p>
+Anyone can view this page.
+</p>
+<p>
+If you're logged in, you can <a href="listAccounts.html">list accounts</a>.
+</p>
+<p>
+Your principal object is....: <%= request.getUserPrincipal() %>
+</p>
+
+<p><a href="secure/index.jsp">Secure page</a></p>
+<p><a href="secure/extreme/index.jsp">Extremely secure page</a></p>
+</body>
+</html>

sandbox/heavyduty/src/main/webapp/login.jsp

@@ -0,0 +1,47 @@
+<%@ taglib prefix='c' uri='http://java.sun.com/jstl/core_rt' %>
+<%@ page import="org.springframework.security.ui.AbstractProcessingFilter" %>
+<%@ page import="org.springframework.security.ui.webapp.AuthenticationProcessingFilter" %>
+<%@ page import="org.springframework.security.AuthenticationException" %>
+
+<!-- Not used unless you declare a <form-login login-page="/login.jsp"/> element -->
+
+<html>
+  <head>
+    <title>CUSTOM SPRING SECURITY LOGIN</title>
+  </head>
+
+  <body onload="document.f.j_username.focus();">
+    <h1>CUSTOM SPRING SECURITY LOGIN</h1>
+
+	<P>Valid users:
+	<P>
+	<P>username <b>rod</b>, password <b>koala</b>
+	<br>username <b>dianne</b>, password <b>emu</b>
+	<br>username <b>scott</b>, password <b>wombat</b>
+	<br>username <b>peter</b>, password <b>opal</b>
+	<p>
+
+    <%-- this form-login-page form is also used as the
+         form-error-page to ask for a login again.
+         --%>
+	<% if (session.getAttribute(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY) != null) { %>
+      <font color="red">
+        Your login attempt was not successful, try again.<BR><BR>
+        Reason: <%= ((AuthenticationException) session.getAttribute(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY)).getMessage() %>
+      </font>
+    <% } %>
+
+    <form name="f" action="<c:url value='j_spring_security_check'/>" method="POST">
+      <table>
+        <tr><td>User:</td><td><input type='text' name='j_username' <% if (session.getAttribute(AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY) != null) { %>value='<%= session.getAttribute(AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY) %>'<% } %>></td></tr>
+        <tr><td>Password:</td><td><input type='password' name='j_password'></td></tr>
+        <tr><td><input type="checkbox" name="_spring_security_remember_me"></td><td>Don't ask for my password for two weeks</td></tr>
+
+        <tr><td colspan='2'><input name="submit" type="submit"></td></tr>
+        <tr><td colspan='2'><input name="reset" type="reset"></td></tr>
+      </table>
+
+    </form>
+
+  </body>
+</html>

sandbox/heavyduty/src/main/webapp/secure/extreme/index.jsp

@@ -0,0 +1,15 @@
+<%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
+
+<html>
+<body>
+<h1>VERY Secure Page</h1>
+This is a protected page. You can only see me if you are a supervisor.
+
+<authz:authorize ifAllGranted="ROLE_SUPERVISOR">
+   You have "ROLE_SUPERVISOR" (this text is surrounded by &lt;authz:authorize&gt; tags).
+</authz:authorize>
+
+<p><a href="../../">Home</a>
+<p><a href="../../j_spring_security_logout">Logout</a>
+</body>
+</html>

sandbox/heavyduty/src/main/webapp/secure/index.jsp

@@ -0,0 +1,36 @@
+<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
+
+<html>
+<body>
+<h1>Secure Page</h1>
+<p>
+This is a protected page. You can get to me if you've been remembered,
+or if you've authenticated this session.
+</p>
+
+<sec:authorize ifAllGranted="ROLE_SUPERVISOR">
+	You are a supervisor! You can therefore see the <a href="extreme/index.jsp">extremely secure page</a>.<br/><br/>
+</sec:authorize>
+
+<h3>Properties obtained using &lt;sec:authentication /&gt; tag</h3>
+<table border="1">
+<tr><th>Tag</th><th>Value</th></tr>
+<tr>
+<td>&lt;sec:authentication property='name' /&gt;</td><td><sec:authentication property="name"/></td>
+</tr>
+<tr>
+<td>&lt;sec:authentication property='principal.username' /&gt;</td><td><sec:authentication property="principal.username"/></td>
+</tr>
+<tr>
+<td>&lt;sec:authentication property='principal.enabled' /&gt;</td><td><sec:authentication property="principal.enabled"/></td>
+</tr>
+<tr>
+<td>&lt;sec:authentication property='principal.accountNonLocked' /&gt;</td><td><sec:authentication property="principal.accountNonLocked"/></td>
+</tr>
+</table>
+
+
+<p><a href="../">Home</a>
+<p><a href="../j_spring_security_logout">Logout</a>
+</body>
+</html>