The first 5 chapters are in reasonable shape (structurally speaking), but I'd like to restructure things beyond that. Something along the lines of:
- Provide overview of Web application features and supported authentication methods, rather than dealing with each authentication mechanism in an individual chapter.
- Scrap current chapters 6 & 7. Move localization part elsewhere (either to tech intro or after everything else). Move filters, tag and channel stuff to web part.
- Cut back general "authentication" part. Web authentication mechanisms can go in the web part. Retain general back-end information. Strip out UserDetails info, schema as already covered elsewhere. Remainder of ch 8 should go in web part. Concurrent session handling should be a separate topic. Rewrite DaoAuthenticationProvider chapter (provide headings on PasswordEncoder for indexing). Scrap "anonymous authentication" chapter and cover it in earlier section. Explain purpose and use of a "deny by default" configuration approach. Mention servlet API compatibility.
- Retain authorization part but restructure substantially. Refer back to intro and recap on main interfaces. Rewrite architecture section (voters and after-invocation) to include expression support. Explicitly configuring a FilterSecurityInterceptor should be covered in the web chapter (along with FilterChainProxy) and related to the namespace syntax. Correct interface and class names related to SecurityMetadataSource.
- Advanced Features Part (new) - CAS, LDAP, pre-authentication setups, use of role hierarchies (or this may go in earlier). Tag libraries (not really advanced but may require prior knowledge of earlier chapters for full coverage).
- Add new changes to namespace appendix.