diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
index fcf1c76d4..aaeb72f2a 100644
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -1,5 +1,14 @@
 <!--
-For Security Vulnerabilities, please use https://pivotal.io/security#reporting
+******************
+Deprecation Notice
+******************
+The Spring Security OAuth project is deprecated. 
+The latest OAuth 2.0 support is provided by Spring Security. 
+See the OAuth 2.0 Migration Guide https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide
+-->
+
+<!--
+For Security Vulnerabilities, please use https://spring.io/security-policy
 -->
 
 ### Summary
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 70c6c946d..570bf5e02 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,5 +1,14 @@
 <!--
-For Security Vulnerabilities, please use https://pivotal.io/security#reporting
+******************
+Deprecation Notice
+******************
+The Spring Security OAuth project is deprecated. 
+The latest OAuth 2.0 support is provided by Spring Security. 
+See the OAuth 2.0 Migration Guide https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide
+-->
+
+<!--
+For Security Vulnerabilities, please use https://spring.io/security-policy
 -->
 
 <!--
diff --git a/.travis.yml b/.travis.yml
index e5186bde2..2eeabb479 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,9 @@
 language: java
 
+dist: trusty
+
 jdk:
-  - oraclejdk8
+  - openjdk8
   - openjdk7
 
 services:
@@ -12,5 +14,6 @@ install: ./mvnw -U install --quiet -DskipTests=true -P bootstrap
 script:
   - jdk_switcher use openjdk7
   - ./mvnw clean test -P bootstrap
-  - jdk_switcher use oraclejdk8
-  - ./mvnw -f spring-security-oauth2 -U clean test -P spring5
\ No newline at end of file
+  - jdk_switcher use openjdk8
+  - ./mvnw -U clean checkstyle:check -P spring5
+  - ./mvnw -f spring-security-oauth2 -U clean test -P spring5
diff --git a/CODE_OF_CONDUCT.adoc b/CODE_OF_CONDUCT.adoc
index f013d6f36..17783c7c0 100644
--- a/CODE_OF_CONDUCT.adoc
+++ b/CODE_OF_CONDUCT.adoc
@@ -40,5 +40,5 @@ appropriate to the circumstances. Maintainers are obligated to maintain confiden
 with regard to the reporter of an incident.
 
 This Code of Conduct is adapted from the
-http://contributor-covenant.org[Contributor Covenant], version 1.3.0, available at
-http://contributor-covenant.org/version/1/3/0/[contributor-covenant.org/version/1/3/0/]
+https://contributor-covenant.org[Contributor Covenant], version 1.3.0, available at
+https://contributor-covenant.org/version/1/3/0/[contributor-covenant.org/version/1/3/0/]
diff --git a/README.md b/README.md
index 4e27d28f9..64beaafd3 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,8 @@
-[![Build Status](https://travis-ci.org/spring-projects/spring-security-oauth.svg?branch=master)](https://travis-ci.org/spring-projects/spring-security-oauth) 
+# spring-security-oauth is no longer actively maintained by VMware, Inc.
+
+## This project has been replaced by the OAuth2 support provided by [Spring Security](https://spring.io/projects/spring-security) (client and resource server) and [Spring Authorization Server](https://spring.io/projects/spring-authorization-server).
+
+# About
 
 This project provides support for using Spring Security with OAuth
 (1a) and OAuth2.  It provides features for implementing both consumers
@@ -58,22 +62,22 @@ Lists of issues addressed per release can be found in [github](https://github.co
 
 ## Additional Resources
 
-* [Spring Security OAuth User Guide](http://projects.spring.io/spring-security-oauth/docs/Home.html)
-* [Spring Security OAuth Source](http://github.com/spring-projects/spring-security-oauth)
-* [Stackoverflow](http://stackoverflow.com/questions/tagged/spring-security+spring+oauth)
+* [Spring Security OAuth User Guide](https://projects.spring.io/spring-security-oauth/docs/Home.html)
+* [Spring Security OAuth Source](https://github.com/spring-projects/spring-security-oauth)
+* [Stackoverflow](https://stackoverflow.com/questions/tagged/spring-security+spring+oauth)
 
 # Contributing to Spring Security OAuth
 
 Here are some ways for you to get involved in the community:
 
 * Get involved with the Spring community on the Spring Community Forums.  Please help out on the
-  [forum](http://forum.springsource.org/forumdisplay.php?f=79) by responding to questions and joining the debate.
+  [forum](https://forum.spring.io/forumdisplay.php?f=79) by responding to questions and joining the debate.
 * Create [github issues](https://github.com/spring-projects/spring-security-oauth/issues) for bugs and new features and comment and
   vote on the ones that you are interested in.
 * Github is for social coding: if you want to write code, we encourage contributions through pull requests from
-  [forks of this repository](http://help.github.com/forking/).  If you want to contribute code this way, please
+  [forks of this repository](https://help.github.com/forking/).  If you want to contribute code this way, please
   reference a github issue as well covering the specific issue you are addressing.
-* Watch for upcoming articles on Spring by [subscribing](http://www.springsource.org/node/feed) to springframework.org
+* Watch for upcoming articles on Spring by [subscribing](https://www.springsource.org/node/feed) to springframework.org
 
 Before we accept a non-trivial patch or pull request we will need you to sign the
 [contributor's agreement](https://support.springsource.com/spring_committer_signup).
@@ -95,4 +99,4 @@ request but before a merge.
 * Add yourself as an @author to the .java files that you modify substantially (more than cosmetic changes).
 * Add some Javadocs and, if you change the namespace, some XSD doc elements.
 * A few unit tests would help a lot as well - someone has to do it.
-* If no-one else is using your branch, please rebase it against the current master (or other target branch in the main project).
+* If no-one else is using your branch, please rebase it against the current main (or other target branch in the main project).
diff --git a/docs/Home.md b/docs/Home.md
deleted file mode 100644
index f5402ca0c..000000000
--- a/docs/Home.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Docs
-layout: default
-home: ../
----
-
-
-# Welcome
-
-OAuth for Spring Security provides an [OAuth](http://oauth.net)
-implementation for
-[Spring Security](http://projects.spring.io/spring-security/).
-Support is provided for the implementation of OAuth providers and
-OAuth consumers. There is support for [Oauth 1(a)](oauth1.html) (including
-[two-legged OAuth](twolegged.html), a.k.a. "Signed Fetch") and for
-[OAuth 2.0](oauth2.md).
-
-Applying security to an application is not for the faint of heart, and OAuth is no exception. Before you get started,
-you're going to want to make sure you understand OAuth and the problem it's designed to address. There is good
-documentation at [the OAuth site](http://oauth.net). You will also want to make sure you understand how 
-[Spring](http://springframework.org/) and [Spring Security](http://projects.spring.io/spring-security/) work.
-
-You're going to want to be quite familiar with both [OAuth](http://oauth.net) (and/or [OAuth2](http://tools.ietf.org/html/draft-ietf-oauth-v2))
-and [Spring Security](http://projects.spring.io/spring-security/), to maximize the effectiveness of this developers guide. OAuth for
-Spring Security is tightly tied to both technologies, so the more familiar you are with them, the more likely you'll be to recognize the terminology
-and patterns that are used.
-
-With that, you're ready to get started.  Here are some useful links:
-
-* For access to the binaries, use Maven ([instructions here](downloads.html))
-
-* Source code is in github
-  [at spring-projects/spring-security-oauth](https://github.com/spring-projects/spring-security-oauth).
-
-* You'll want to see OAuth for Spring Security in action, so here is a
-[tutorial](tutorial.html)
-
-* Read a more detailed explanation in the [developer's guide](devguide.html).
-
-* For more help and support, checkout the [support links](support.html).
-
diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md
deleted file mode 100644
index 981184225..000000000
--- a/docs/_Sidebar.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: Docs
-layout: default
-home: ../
----
-
-
-* [Home](Home.html)
-* [Tuturial](tutorial.html)
-* [OAuth 1.0](oauth1.html)
-* [OAuth 2.0](oauth2.html)
-* [Downloads](downloads.html)
-* [Support](support.html)
diff --git a/docs/devguide.md b/docs/devguide.md
deleted file mode 100644
index 2c20a4938..000000000
--- a/docs/devguide.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: Docs
-layout: default
-home: ../
----
-
-
-# Developers Guide
-
-## Preparation
-
-You're going to want to be quite familiar with
-[OAuth2](http://tools.ietf.org/html/draft-ietf-oauth-v2) (and/or
-[OAuth](http://oauth.net) ) and
-[Spring Security](http://projects.spring.io/spring-security/),
-to maximize the effectiveness of this developers guide. OAuth for
-Spring Security is tightly tied to both technologies, so the more
-familiar you are with them, the more likely you'll be to recognize the
-terminology and patterns that are used.
-
-## Options
-
-Your first decision is whether you need to leverage support for OAuth 1.0, OAuth 2.0, or both.
-
-So pick your poison:
-
-* [OAuth 1.0](oauth1.html)
-* [OAuth 2](oauth2.html)
diff --git a/docs/downloads.md b/docs/downloads.md
deleted file mode 100644
index b9cfb6829..000000000
--- a/docs/downloads.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: Docs
-layout: default
-home: ../
----
-
-
-# Downloads
-
-You can download source code bundles from [Github], or clone the repository using git.  OAuth for Spring Security is a Maven-based project.
-
-* groupId: `org.springframework.security.oauth`
-* artifactId: `spring-security-oauth` for OAuth 1.0a and `spring-security-oauth2` for OAuth 2.0
-
-To download the jars, just look in the [Maven repository][mavenrepo].
-
-Full releases go in Maven [central], and in the SpringSource repository but milestones and snapshots go only in the SpringSource respository.  For milestones:
-
-    <repository>
-        <id>spring-milestone</id>
-        <name>Spring Maven MILESTONE Repository</name>
-        <url>http://maven.springframework.org/milestone</url>
-    </repository>
-
-and for snapshots:
-
-    <repository>
-        <id>spring-snnapshot</id>
-        <name>Spring Maven SNAPSHOT Repository</name>
-        <url>http://maven.springframework.org/snapshot</url>
-    </repository>
-
-[mavenrepo]: http://shrub.appspot.com/maven.springframework.org/release/org/springframework/security/oauth/spring-security-oauth/
-[central]: http://repo1.maven.org/maven2/org/springframework/security/oauth/spring-security-oauth/
-[Github]: https://github.com/spring-projects/spring-security-oauth
diff --git a/docs/oauth1.md b/docs/oauth1.md
deleted file mode 100644
index 8d36e833c..000000000
--- a/docs/oauth1.md
+++ /dev/null
@@ -1,299 +0,0 @@
----
-title: Docs
-layout: default
-home: ../
----
-
-
-# OAuth 1 Developers Guide
-
-## Introduction
-
-This is the developers guide for the support for OAuth 1.0. For OAuth 2.0, everything is different, so [see it's developers guide](oauth2.html).
-
-This user guide is divided into two parts, the first for the OAuth 1.0 provider, the second for the OAuth 1.0 consumer.  Here's a
-TOC for quick navigation:
-
-## OAuth 1.0 Provider
-
-The OAuth 1.0 provider is responsible for managing the OAuth 1.0 consumers that can access its protected resources on behalf of
-a user. The provider does this by managing and verifying the OAuth 1.0 tokens that can be used to access the protected
-resources. Of course, the provider must also supply an interface for the user to confirm that a consumer can be granted
-access to the protected resources (i.e. a confirmation page).
-
-### Managing Consumers
-
-The entry point into your database of consumers is defined by the [`ConsumerDetailsService`][ConsumerDetailsService].
-You must define your own [`ConsumerDetailsService`][ConsumerDetailsService] that will load [`ConsumerDetails`][ConsumerDetails]
-by the _consumer key_.  Note the existence of an [in-memory implementation][InMemoryConsumerDetailsService] of 
-[`ConsumerDetailsService`][ConsumerDetailsService].
-
-When implementing your [`ConsumerDetailsService`][ConsumerDetailsService] consider returning instances of 
-[BaseConsumerDetails][BaseConsumerDetails] which contains additional information about the consumer that may be useful when 
-displaying a confirmation screen to the user.
-
-### Managing Tokens
-
-The [`OAuthProviderTokenServices`][OAuthProviderTokenServices] interface defines the operations that are necessary to manage 
-OAuth 1.0 tokens. Note the following:
-
-* When a request token is created, care must be taken to ensure that it is not an access token.
-* When a request token is authorized, the authentication must be stored so that the subsequent access token can reference it.
-* When an access token is created, it must reference the authentication that was used to authorized the request token that is used 
-  to create the access token.
-
-When creating your [`OAuthProviderTokenServices`][OAuthProviderTokenServices] implementation, you may want to consider extending
-the [`RandomValueProviderTokenServices`][RandomValueProviderTokenServices] which creates tokens via random value and handles 
-everything except for the persistence of the tokens.  There is also an [in-memory implementation][InMemoryProviderTokenServices]
-of the [`OAuthProviderTokenServices`][OAuthProviderTokenServices] that may be suitable, but note that when using the in-memory implementation
-a separate thread is spawned to take care of the cleanup of expired tokens.
-
-### OAuth 1.0 Provider Request Filters
-
-The requests for the tokens and for access to protected resources are handled by standard Spring Security request filters. The following filters
-are required in the Spring Security filter chain in order to implement OAuth 1.0:
-
-* The [`UnauthenticatedRequestTokenProcessingFilter`][UnauthenticatedRequestTokenProcessingFilter] is used to service the request for
-  an unauthenticated request token. Default URL: `/oauth_request_token`.
-* The [`UserAuthorizationProcessingFilter`][UserAuthorizationProcessingFilter] is used authorize a request token. The user must be
-  authenticated and it is assumed that the user has been presented with the appropriate confirmation page.
-* The [`AccessTokenProcessingFilter`][AccessTokenProcessingFilter] is used to service the request for an OAuth 1.0 access token.
-  Default URL: `/oauth_access_token`.
-* The [`ProtectedResourceProcessingFilter`][ProtectedResourceProcessingFilter] is used to load the Authentication for the request given
-  an authenticated access token.
-
-### Managing Nonces
-
-The OAuth 1.0 spec also recommends that the nonce that is supplied on every OAuth 1.0 request be checked to ensure it isn't used twice for the
-same timestamp. In order to do this, nonces must be stored and verified on every OAuth 1.0 request.  The interface that is used
-to validate nonces is [`OAuthNonceServices`][OAuthNonceServices]. The default implementation, [`ExpiringTimestampNonceServices`][ExpiringTimestampNonceServices],
-does not adhere to this recommendation, but only validates that the timestamp isn't too old. If further assurance is required, you will need
-to supply your own implementation of `OAuthNonceServices`. Note the existence of an [in-memory implementation][InMemoryNonceServices].
-
-### Managing Callbacks
-
-With the 1.0a revision of the OAuth 1.0 specification, the callback URL is provided at the time the request is made for a request token and will be used when
-redirecting the user back to the OAuth 1.0 consumer. Therefore, a means must be provided to persist the callback between requests. The interface that is used
-to persist callbacks is [`OAuthCallbackServices`][OAuthCallbackServices]. The default implementation, [`InMemoryCallbackServices`][InMemoryCallbackServices]
-persists the callbacks in-memory. You must supply your own implementation of `OAuthCallbackServices` if this is inadequate.
-
-### Managing Verifiers
-
-With the 1.0a revision of the OAuth 1.0 specification, the a verifier is provided to the consumer via the user that must be passed back
-to the provider when requesting the access token. Therefore, a means must be provided to create and persist the verifier. The interface
-that is used to this end is [`OAuthVerifierServices`][OAuthVerifierServices]. The default implementation,
-[`RandomValueInMemoryVerifierServices`][RandomValueInMemoryVerifierServices], creates a small, user-friendly (6 readable ASCII characters
-by default) verifier and persists the verifier in memory. You must supply your own implementation of `OAuthVerifierServices` if this is inadequate.
-
-### Authorization By Consumer
-
-It is sometimes required to limit access to a resource to a specific consumer or to a consumer that has specific roles. The classes in the
-[`org.springframework.security.oauth.provider.attributes`][attributes-package] package can be used to do this. Methods can be protected using the
-annotations in that package, and the [`ConsumerSecurityConfig`][ConsumerSecurityConfig] can be supplied to the standard Spring Security filter
-interceptor in order to enable the annotations. Finally, the [`ConsumerSecurityVoter`][ConsumerSecurityVoter] would need to be supplied to the
-Spring Security authentication manager.
-
-### Provider Configuration
-
-For the OAuth 1.0 provider, configuration is simplified using the custom spring configuration elements. The schema for these elements rests at
-[http://www.springframework.org/schema/security/spring-security-oauth.xsd][oauth1.xsd]. The namespace is `http://www.springframework.org/schema/security/oauth`.
-
-The following configuration elements are used to supply provider configuration:
-
-#### The "provider" element
-
-The `provider` element is used to configure the OAuth 1.0 provider mechanism. The following attributes can be applied to the `provider` element:
-
-* `consumer-details-service-ref`: The reference to the bean that defines the consumer details service. This is required if not autowired.
-* `token-services-ref`: The reference to the bean that defines the token services.
-* `request-token-url`: The URL at which a request for an unauthenticated request token will be serviced. Default value: "/oauth_request_token"
-* `authenticate-token-url`: The URL at which a request to authenticate a request token will be serviced. Default value: "/oauth_authenticate_token"
-* `access-token-url`: The URL at which a request for an access token (using an authenticated request token) will be serviced. Default value: "/oauth_access_token"
-* `access-granted-url`: The URL to which the user will be redirected upon authenticating a request token, but only if there was no callback URL supplied from the oauth consumer. Default value: "/"
-* `user-approval-url`: The URL to which the user will be redirected if for some reason authentication of a request token failed. Default behavior is to just issue a "401: unauthorized" response.
-* `nonce-services-ref`: The reference to the bean that defines the nonce services. Default is to supply an instance of `org.springframework.security.oauth.provider.nonce.ExpiringTimestampNonceServices`
-* `callback-services-ref`: The reference to the bean that defines the callback services. Default is to supply an instance of `org.springframework.security.oauth.provider.callback.InMemoryCallbackServices`
-* `verifier-services-ref`: The reference to the bean that defines the verifier services. Default is to supply an instance of `org.springframework.security.oauth.provider.verifier.RandomValueInMemoryVerifierServices`
-* `auth-handler-ref`: The reference to the bean that defines the authentication handler. Default is to supply an instance of `org.springframework.security.oauth.provider.DefaultAuthenticationHandler`
-* `support-ref`: The reference to the bean that defines the provider support logic. Default is to supply an instance of `org.springframework.security.oauth.provider.CoreOAuthProviderSupport`
-* `token-id-param`: The name of the request parameter that specifies to the 'authenticate-token-url' the id of the token that is to be authenticated. Default value: "requestToken".
-* `callback-url-param`: The name of the request parameter that specifies to the 'authenticate-token-url' the callback URL to which the user is to be redirected upon successful authentication. Default value: "callbackURL".
-
-#### The "consumer-details-service" element
-
-The `consumer-details-service` element is used to define an in-memory implementation of the consumer details service.  It takes an `id` attribute and an
-arbitrary number of `consumer` child elements that define the following attributes for each consumer:
-
-* `key`: (required) The consumer key.
-* `secret`: (required) The consumer secret.
-* `name`: The (display) name of the consumer.
-* `authorities`: Comma-separated list of authorities (e.g. roles) that are granted to the consumer.
-* `resourceName`: The name of the resource.
-* `resourceDescription`: The description of the resource.
-* `requiredToObtainAuthenticatedToken`: Whether this consumer is required to obtain an authenticated oauth token. If _true_, it means that the OAuth 1.0 consumer won't be granted access to the protected resource unless the user is directed to the token authorization page. If _false_, it means that the provider has an additional level of trust with the consumer. Not requiring an authenticated access token is also known as "2-legged" OAuth or "signed fetch". For more information, see [two-legged OAuth](./twolegged.html).
-
-#### The "token-services" element
-
-The `token-services` element is a simple element that can be used to provide an in-memory implementation of the provider token services.
-It supports an _id_ attribute (bean id) and a _cleanupInterval_ attribute that specifies how often the cleanup thread should wake up (in seconds).
-
-#### The "verifier-services" element
-
-The `verifier-services` element is a simple element that can be used to provide an in-memory implementation of the provider verifier services.
-It supports an `id` attribute (bean id) and a `verifierLengthBytes` attribute that specifies the length of the verifier.
-
-### Configuring An OAuth-Aware Expression Handler
-
-You may want to take advantage of Spring Security's [expression-based access control](http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html).
-You can register a oauth-aware expression handler with the `expression-handler` element. Use the id of the oauth expression handler to add oauth-aware
-expressions to the built-in expressions.
-
-The expressions include _oauthConsumerHasRole_, _oauthConsumerHasAnyRole_, and _denyOAuthConsumer_ which can be used to provide access based on the role of the
-oauth consumer.
-
-## OAuth 1.0 Consumer
-
-The OAuth 1.0 consumer logic is responsible for (1) obtaining an OAuth 1 access token and (2) signing requests for OAuth 1
-protected resources. OAuth for Spring Security provides a request filter for acquiring the access token, a request filter
-for ensuring that access to certain URLs is locked down to a set of acquired access token, and utilities for making a request
-for a protected resource. A consumer must be responsible for maintaing a list of protected resources that can be accessed and,
-like the provider, a consumer must be responsible for managing the OAuth 1.0 tokens.
-
-If you were discouraged by the complexity of implementing an OAuth 1.0 provider, take heart.  Implementation of an OAuth 1.0
-consumer is easier, partially because OAuth 1.0 for Spring Security provides suitable defaults for most cases.
-
-### Managing Protected Resources
-
-A database of protected resources that are accessible by a consumer must be provided through the [`ProtectedResourceDetailsService`][ProtectedResourceDetailsService].
-Each protected resource must provide all information related to obtaining access to it. This includes the URL to obtain a request token, the URL to which to
-redirect the user for authorization, the URL at which to obtain an access token, etc.  It also contains various properties that describe the provider of the
-protected resource. Consider the existence of the [`InMemoryProtectedResourceDetailsService`][InMemoryProtectedResourceDetailsService]
-and the [`BaseProtectedResourceDetails`][BaseProtectedResourceDetails] for help in creating the database of protected resources.
-
-### Managing Provider Tokens
-
-Like the provider, the consumer must be responsible for managing the OAuth tokens. The necessary interface for managing the consumer tokens is
-[`OAuthConsumerTokenServices`][OAuthConsumerTokenServices]. Assuming that the consumer can leverage an active HTTP session, the default
-[`HttpSessionBasedTokenServices`][HttpSessionBasedTokenServices] might be adequate, but if you'd like to persist access tokens longer than a user
-session, you'll have to implement your own persistent implementation of the token services.
-
-### OAuth 1.0 Consumer Request Filters
-
-There are two request filters that are applicable to the OAuth consumer logic. The first filter, [`OAuthConsumerContextFilter`][OAuthConsumerContextFilter],
-is responsible for establishing an OAuth-specific security context, very similar to Spring Security's `SecurityContext`. The security
-context simply contains a set of access tokens that have been obtained for the current user. This security context is leveraged when making requests
-for protected resources.
-
-There is another request filter, [`OAuthConsumerProcessingFilter`][OAuthConsumerProcessingFilter], that can be applied to specific URLs or
-URL patterns that require access to a remote protected resource. Putting this filter in Spring Security's filter chain
-will ensure that any access tokens needed for the specified URL patters will be obtained before allowing access to the resources.
-
-### Requesting Protected Resources
-
-The [`OAuthRestTemplate`][OAuthRestTemplate] can be used to make REST-like requests to resources protected by OAuth. It's used just like a standard
-RestTemplate (new in Spring 3), but is supplied with a specific `ProtectedResourcDetails` so it can sign its requests.
-
-### Consumer Configuration
-
-For the OAuth 1.0 consumer, configuration is simplified using the custom spring configuration elements. The schema for these elements rests at
-[http://www.springframework.org/schema/security/spring-security-oauth.xsd][oauth1.xsd].
-The namespace is `http://www.springframework.org/schema/security/oauth`.
-
-Two custom configuration elements are used to supply provider configuration:
-
-#### The "consumer" element
-
-The `consumer` element configures the OAuth 1.0 consumer mechanism. This element is used to set up the security filter(s) that will handle
-the OAuth consumer logic. The OAuth context filter establishes a context for the OAuth consumer logic. The OAuth access filter is used to
-apply OAuth constraints on specified URLs (request paths) in your application. The access filter is applied by specified one or more `url`
-child elements to the `consumer` element.
-
-The `url` element supports the following attributes:
-
-* `pattern`: (required) The URL pattern.
-* `resources`: (required) Comma-separated list of the ids of the protected resources that the URL requires access to.
-* `httpMethod`: The HTTP method that requires access. Default is all methods.
-
-The `consumer` element also supports the following attributes:
-
-* `resource-details-service-ref`: The reference to the resource details service.  This is required if not autowired.
-* `oauth-failure-page`: The page to which to redirect the user if a problem happens during OAuth 1.0 authentication.
-* `entry-point-ref`: Reference to the entry point to use if a problem happens during OAuth 1.0 authentication (overrides _oauth-failure-page_).
-* `path-type`: URL path type.  Default value: "ant".
-* `lowercase-comparisons`: Whether to use lowercase comparisons.
-* `support-ref`: Reference to the OAuth 1.0 consumer support logic.
-* `token-services-factory-ref`: Reference to the token services factory.
-
-#### The "resource-details-service" element
-
-The `resource-details-service` element configures an in-memory implementation of the resource details. It supports an "id" attribute
-and an arbitrary number of `resource` child elements which are used to define the protected resources and support the following attributes:
-
-* `id`: (required) The resource id.
-* `key`: (required) The consumer key.
-* `secret`: (required) The shared secret.
-* `request-token-url`: (required) The URL to use to get the OAuth 1.0 request token.
-* `user-authorization-url`: (required) The URL to which to redirect the user to authorize the request token.
-* `access-token-url`: (required) The URL to use to get an OAuth 1.0 access token.
-* `signature-method`: The signature method to use (e.g. "HMAC-SHA1", "PLAINTEXT", etc.). Default "HMAC-SHA1".
-* `user-authorization-token-param`: Name of the request parameter to use to pass the value of the request token when redirecting the user to the authorization page. Default value: "requestToken"
-* `user-authorization-callback-param`: Name of the request parameter to use to pass the value of the callback URL when redirecting the user to the authorization page. Default value: "callbackURL"
-* `accepts-authorization-header`: Whether the provider accepts the HTTP authorization header. Default: "true"
-* `authorization-header-realm`: The "realm" for the HTTP authorization header.
-* `use10a`: Whether the resource is protected using OAuth 1.0a. Default: "true"
-
-## Customizations Not Explicitly Supported by Namespace
- 
-The XML DSL has extension points for some of the most common use
-cases, generally specified through strategies injected through
-attributes (e.g. the `token-services-ref` in the `<provider/>`), but
-occasionally you may need to add customizations not supported in this
-way.  Other cases can be handled locally without losing the benefit of
-the namespace because the bean definitions created are all designed to
-be easy to override.  The namespace parsers create bean definitions
-with fixed bean definition names (hopefully easy to guess, but it is
-not hard to verify them by reading the source code of the parsers),
-and all you need to do to override one part of the namespace support
-is create a bean definition with the same name.  For instance, the
-`<provider/>` element creates an `OAuthProviderProcessingFilter` which
-itself has a default `ProtectedResourceProcessingFilter`, but if you
-wanted to replace it you could override the bean definition:
- 
-     <oauth:provider .../>
-     
-     <bean  id="oauthProtectedResourceFilter" class="org.springframework.security.oauth.provider.filter.ProtectedResourceProcessingFilter">
-        ...
-     </bean>
-     
-In this example, the explicit bean definition overrides the one created by the `<provider/>` because of the ordering in the application context declaration (this is a standard Spring bean factory feature). Bean definitions created by the namespace parsers follow the convention that they start with "oauth" and generally they are the class name of the default implementation provided by the framework.
-
-[ConsumerDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ConsumerDetailsService.html
-[ConsumerDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ConsumerDetails.html
-[InMemoryConsumerDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/InMemoryConsumerDetailsService.html
-[BaseConsumerDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/BaseConsumerDetails.html
-[OAuthProviderTokenServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/token/OAuthProviderTokenServices.html
-[RandomValueProviderTokenServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/token/RandomValueProviderTokenServices.html
-[InMemoryProviderTokenServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/token/InMemoryProviderTokenServices.html
-[UnauthenticatedRequestTokenProcessingFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/UnauthenticatedRequestTokenProcessingFilter.html
-[UserAuthorizationProcessingFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/UserAuthorizationProcessingFilter.html
-[AccessTokenProcessingFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/AccessTokenProcessingFilter.html
-[ProtectedResourceProcessingFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ProtectedResourceProcessingFilter.html
-[OAuthNonceServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/nonce/OAuthNonceServices.html
-[ExpiringTimestampNonceServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/nonce/ExpiringTimestampNonceServices.html
-[InMemoryNonceServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/nonce/InMemoryNonceServices.html
-[OAuthCallbackServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/callback/OAuthCallbackServices.html
-[InMemoryCallbackServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/callback/InMemoryCallbackServices.html
-[OAuthVerifierServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/verifier/OAuthVerifierServices.html
-[RandomValueInMemoryVerifierServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/verifier/RandomValueInMemoryVerifierServices.html
-[attributes-package]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/attributes/package-summary.html
-[ConsumerSecurityConfig]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/attributes/ConsumerSecurityConfig.html
-[ConsumerSecurityVoter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/attributes/ConsumerSecurityVoter.html
-[ProtectedResourceDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/ProtectedResourceDetailsService.html
-[InMemoryProtectedResourceDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/InMemoryProtectedResourceDetailsService.html
-[BaseProtectedResourceDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/BaseProtectedResourceDetails.html
-[OAuthConsumerTokenServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/token/OAuthConsumerTokenServices.html
-[HttpSessionBasedTokenServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/token/HttpSessionBasedTokenServices.html
-[OAuthConsumerContextFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/OAuthConsumerContextFilter.html
-[OAuthConsumerProcessingFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/OAuthConsumerProcessingFilter.html
-[OAuthRestTemplate]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/OAuthRestTemplate.html
-[oauth1.xsd]: http://www.springframework.org/schema/security/spring-security-oauth.xsd "oauth1.xsd"
diff --git a/docs/oauth2.md b/docs/oauth2.md
deleted file mode 100644
index 7e38f2932..000000000
--- a/docs/oauth2.md
+++ /dev/null
@@ -1,292 +0,0 @@
----
-title: Docs
-layout: default
-home: ../
----
-
-
-# OAuth 2 Developers Guide
-
-## Introduction
-
-This is the user guide for the support for [`OAuth 2.0`](http://tools.ietf.org/html/draft-ietf-oauth-v2). For OAuth 1.0, everything is different, so [see its user guide](oauth1.html).
-
-This user guide is divided into two parts, the first for the OAuth 2.0 provider, the second for the OAuth 2.0 client. For both the provider and the client, the best source of sample code is the [integration tests](https://github.com/spring-projects/spring-security-oauth/tree/master/tests) and [sample apps](https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2).
-
-## OAuth 2.0 Provider
-
-The OAuth 2.0 provider mechanism is responsible for exposing OAuth 2.0 protected resources. The configuration involves establishing the OAuth 2.0 clients that can access its protected resources independently or on behalf of a user. The provider does this by managing and verifying the OAuth 2.0 tokens used to access the protected resources. Where applicable, the provider must also supply an interface for the user to confirm that a client can be granted access to the protected resources (i.e. a confirmation page).
-
-## OAuth 2.0 Provider Implementation
-
-The provider role in OAuth 2.0 is actually split between Authorization Service and Resource Service, and while these sometimes reside in the same application, with Spring Security OAuth you have the option to split them across two applications, and also to have multiple Resource Services that share an Authorization Service. The requests for the tokens are handled by Spring MVC controller endpoints, and access to protected resources is handled by standard Spring Security request filters. The following endpoints are required in the Spring Security filter chain in order to implement OAuth 2.0 Authorization Server:
-
-* [`AuthorizationEndpoint`][AuthorizationEndpoint] is used to service requests for authorization. Default URL: `/oauth/authorize`.
-* [`TokenEndpoint`][TokenEndpoint] is used to service requests for access tokens. Default URL: `/oauth/token`.
-
-The following filter is required to implement an OAuth 2.0 Resource Server:
-
-* The [`OAuth2AuthenticationProcessingFilter`][OAuth2AuthenticationProcessingFilter] is used to load the Authentication for the request given an authenticated access token.
-
-For all the OAuth 2.0 provider features, configuration is simplified using special Spring OAuth `@Configuration` adapters.  There is also an XML namespace for OAuth configuration, and the schema resides at [http://www.springframework.org/schema/security/spring-security-oauth2.xsd][oauth2.xsd]. The namespace is `http://www.springframework.org/schema/security/oauth2`.
-
-## Authorization Server Configuration
-
-As you configure the Authorization Server, you have to consider the grant type that the client is to use to obtain an access token from the end-user (e.g. authorization code, user credentials, refresh token). The configuration of the server is used to provide implementations of the client details service and token services and to enable or disable certain aspects of the mechanism globally. Note, however, that each client can be configured specifically with permissions to be able to use certain authorization mechanisms and access grants. I.e. just because your provider is configured to support the "client credentials" grant type, doesn't mean that a specific client is authorized to use that grant type.
-
-The `@EnableAuthorizationServer` annotation is used to configure the OAuth 2.0 Authorization Server mechanism, together with any `@Beans` that implement `AuthorizationServerConfigurer` (there is a handy adapter implementation with empty methods). The following features are delegated to separate configurers that are created by Spring and passed into the `AuthorizationServerConfigurer`:
-
-* `ClientDetailsServiceConfigurer`: a configurer that defines the client details service. Client details can be initialized, or you can just refer to an existing store.
-* `AuthorizationServerSecurityConfigurer`: defines the security constraints on the token endpoint.
-* `AuthorizationServerEndpointsConfigurer`: defines the authorization and token endpoints and the token services.
-
-An important aspect of the provider configuration is the way that an authorization code is supplied to an OAuth client (in the authorization code grant). An authorization code is obtained by the OAuth client by directing the end-user to an authorization page where the user can enter her credentials, resulting in a redirection from the provider authorization server back to the OAuth client with the authorization code. Examples of this are elaborated in the OAuth 2 specification.
-
-In XML there is an `<authorization-server/>` element that is used in a similar way to configure the OAuth 2.0 Authorization Server.
-
-### Configuring Client Details
-
-The `ClientDetailsServiceConfigurer` (a callback from your `AuthorizationServerConfigurer`) can be used to define an in-memory or JDBC implementation of the client details service. Important attributes of a client are
-
-* `clientId`: (required) the client id.
-* `secret`: (required for trusted clients) the client secret, if any.
-* `scope`: The scope to which the client is limited. If scope is undefined or empty (the default) the client is not limited by scope.
-* `authorizedGrantTypes`: Grant types that are authorized for the client to use. Default value is empty.
-* `authorities`: Authorities that are granted to the client (regular Spring Security authorities).
-
-Client details can be updated in a running application by access the underlying store directly (e.g. database tables in the case of `JdbcClientDetailsService`) or through the `ClientDetailsManager` interface (which both implementations of `ClientDetailsService` also implement).
-
-> NOTE: the schema for the JDBC service is not packaged with the library (because there are too many variations you might like to use in practice), but there is an example you can start from in the [test code in github](https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/test/resources/schema.sql).
-
-### Managing Tokens
-
-The [`AuthorizationServerTokenServices`][AuthorizationServerTokenServices] interface defines the operations that are necessary to manage OAuth 2.0 tokens. Note the following:
-
-* When an access token is created, the authentication must be stored so that resources accepting the access token can reference it later.
-* The access token is used to load the authentication that was used to authorize its creation.
-
-When creating your `AuthorizationServerTokenServices` implementation, you may want to consider using the [`DefaultTokenServices`][DefaultTokenServices] which has many strategies that can be plugged in to change the format and storage of access tokens. By default it creates tokens via random value and handles everything except for the persistence of the tokens which it delegates to a `TokenStore`. The default store is an [in-memory implementation][InMemoryTokenStore], but there are some other implementations available. Here's a description with some discussion of each of them
-
-* The default `InMemoryTokenStore` is perfectly fine for a single server (i.e. low traffic and no hot swap to a backup server in the case of failure). Most projects can start here, and maybe operate this way in development mode, to make it easy to start a server with no dependencies.
-
-* The `JdbcTokenStore` is the [JDBC version](JdbcTokenStore) of the same thing, which stores token data in a relational database. Use the JDBC version if you can share a database between servers, either scaled up instances of the same server if there is only one, or the Authorization and Resources Servers if there are multiple components. To use the `JdbcTokenStore` you need "spring-jdbc" on the classpath.
-
-* The [JSON Web Token (JWT) version](`JwtTokenStore`) of the store encodes all the data about the grant into the token itself (so no back end store at all which is a significant advantage).  One disadvantage is that you can't easily revoke an access token, so they normally are granted with short expiry and the revocation is handled at the refresh token. Another disadvantage is that the tokens can get quite large if you are storing a lot of user credential information in them. The `JwtTokenStore` is not really a "store" in the sense that it doesn't persist any data, but it plays the same role of translating betweeen token values and authentication information in the `DefaultTokenServices`.
-
-> NOTE: the schema for the JDBC service is not packaged with the library (because there are too many variations you might like to use in practice), but there is an example you can start from in the [test code in github](https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/test/resources/schema.sql). Be sure to `@EnableTransactionManagement` to prevent clashes between client apps competing for the same rows when tokens are created. Note also that the sample schema has explicit `PRIMARY KEY` declarations - these are also necessary in a concurrent environment.
-
-### JWT Tokens
-
-To use JWT tokens you need a `JwtTokenStore` in your Authorization Server. The Resource Server also needs to be able to decode the tokens so the `JwtTokenStore` has a dependency on a `JwtAccessTokenConverter`, and the same implementation is needed by both the Authorization Server and the Resource Server. The tokens are signed by default, and the Resource Server also has to be able to verify the signature, so it either needs the same symmetric (signing) key as the Authorization Server (shared secret, or symmetric key), or it needs the public key (verifier key) that matches the private key (signing key) in the Authorization Server (public-private or asymmetric key). The public key (if available) is exposed by the Authorization Server on the `/oauth/token_key` endpoint, which is secure by default with access rule "denyAll()". You can open it up by injecting a standard SpEL expression into the `AuthorizationServerSecurityConfigurer` (e.g. "permitAll()" is probably adequate since it is a public key).
-
-To use the `JwtTokenStore` you need "spring-security-jwt" on your classpath (you can find it in the same github repository as Spring OAuth but with a different release cycle).
-
-### Grant Types
-
-The grant types supported by the `AuthorizationEndpoint` can be
-configured via the `AuthorizationServerEndpointsConfigurer`. By default
-all grant types are supported except password (see below for details of how to switch it on). The
-following properties affect grant types:
-
-* `authenticationManager`: password grants are switched on by injecting an `AuthenticationManager`.
-* `userDetailsService`: if you inject a `UserDetailsService` or if one is configured globally anyway (e.g. in a `GlobalAuthenticationManagerConfigurer`) then a refresh token grant will contain a check on the user details, to ensure that the account is still active
-* `authorizationCodeServices`: defines the authorization code services (instance of `AuthorizationCodeServices`) for the auth code grant.
-* `implicitGrantService`: manages state during the imlpicit grant.
-* `tokenGranter`: the `TokenGranter` (taking full control of the granting and ignoring the other properties above)
-
-In XML grant types are included as child elements of the `authorization-server`.
-
-### Configuring the Endpoint URLs
-
-The `AuthorizationServerEndpointsConfigurer` has a `pathMapping()` method. It takes two arguments:
-
-* The default (framework implementation) URL path for the endpoint
-* The custom path required (starting with a "/")
-
-The URL paths provided by the framework are `/oauth/authorize` (the authorization endpoint), `/oauth/token` (the token endpoint), `/oauth/confirm_access` (user posts approval for grants here), `/oauth/error` (used to render errors in the authorization server), `/oauth/check_token` (used by Resource Servers to decode access tokens), and `/oauth/token_key` (exposes public key for token verification if using JWT tokens).
-
-N.B. the Authorization endpoint `/oauth/authorize` (or its mapped alternative) should be protected using Spring Security so that it is only accessible to authenticated users. For instance using a standard Spring Security `WebSecurityConfigurer`:
-
-```
-@Override
-protected void configure(HttpSecurity http) throws Exception {
-	http
-            .authorizeRequests().antMatchers("/login").permitAll().and()
-        // default protection for all resources (including /oauth/authorize)
-            .authorizeRequests()
-            .anyRequest().hasRole("USER")
-        // ... more configuration, e.g. for form login
-}
-```
-
-> Note: if your Authorization Server is also a Resource Server then there is another security filter chain with lower priority controlling the API resources. For those requests to be protected by access tokens you need their paths *not* to be matched by the ones in the main user-facing filter chain, so be sure to include a request matcher that picks out only non-API resources in the `WebSecurityConfigurer` above.
-
-The token endpoint is protected for you by default by Spring OAuth in the `@Configuration` support using HTTP Basic authentication of the client secret. This is not the case in XML (so it should be protected explicitly).
-
-In XML the `<authorization-server/>` element has some attributes that can be used to change the default endpoint URLs in a similar way. The `/check_token` endpoint has to be explicitly enabled (with the `check-token-enabled` attribute).
-
-## Customizing the UI
-
-Most of the Authorization Server endpoints are used primarily by machines, but there are a couple of resource that need a UI and those are the GET for `/oauth/confirm_access` and the HTML response from `/oauth/error`. They  are provided using whitelabel implementations in the framework, so most real-world instances of the Authorization Server will want to provide their own so they can control the styling and content. All you need to do is provide a Spring MVC controller with `@RequestMappings` for those endpoints, and the framework defaults will take a lower priority in the dispatcher. In the `/oauth/confirm_access` endpoint you can expect an `AuthorizationRequest` bound to the session carrying all the data needed to seek approval from the user (the default implementation is `WhitelabelApprovalEndpoint` so look there for a starting point to copy). You can grab all the data from that request and render it however you like, and then all the user needs to do is POST back to `/oauth/authorize` with information about approving or denying the grant. The request parameters are passed directly to a `UserApprovalHandler` in the `AuthorizationEndpoint` so you can interpret the data more or less as you please. The default `UserApprovalHandler` depends on whether or not you have supplied an `ApprovalStore` in your `AuthorizationServerEndpointsConfigurer` (in which case it is an `ApprovalStoreUserApprovalHandler`) or not (in which case it is a `TokenStoreUserApprovalHandler`). The standard approval handlers accept the following:
-
-* `TokenStoreUserApprovalHandler`: a simple yes/no decision via `user_oauth_approval` equals to "true" or "false".
-
-* `ApprovalStoreUserApprovalHandler`: a set of `scope.*` parameter keys with "*" equal to the scopes being requested. The value of the parameter can be "true" or "approved" (if the user approved the grant) else the user is deemed to have rejected that scope. A grant is successful if at least one scope is approved.
-
-> NOTE: don't forget to include CSRF protection in your form that you render for the user. Spring Security is expecting a request parameter called "_csrf" by default (and it provides the value in a request attribute). See the Spring Security user guide for more information on that, or look at the whitelabel implementation for guidance.
-
-### Enforcing SSL
-
-Plain HTTP is fine for testing but an Authorization Server should only be used over SSL in production. You can run the app in a secure container or behind a proxy and it should work fine if you set the proxy and the container up correctly (which is nothing to do with OAuth2). You might also want to secure the endpoints using Spring Security `requiresChannel()` constraints. For the `/authorize` endpoint is up to you to do that as part of your normal application security. For the `/token` endpoint there is a flag in the `AuthorizationServerSecurityConfigurer` that you can set using the `sslOnly()` method. In both cases the secure channel setting is optional but will cause Spring Security to redirect to what it thinks is a secure channel if it detects a request on an insecure channel.
-
-## Customizing the Error Handling
-
-Error handling in an Authorization Server uses standard Spring MVC features, namely `@ExceptionHandler` methods in the endpoints themselves. Users can also provide a `WebResponseExceptionTranslator` to the endpoints themselves which is the best way to change the content of the responses as opposed to the way they are rendered. The rendering of exceptions delegates to `HttpMesssageConverters` (which can be added to the MVC configuration) in the case of token endpoint and to the OAuth error view (`/oauth/error`) in the case of the authorization endpoint. The whitelabel error endpoint is provided for HTML responses, but users probably need to provide a custom implementation (e.g. just add a `@Controller` with `@RequestMapping("/oauth/error")`).
-
-## Mapping User Roles to Scopes
-
-It is sometimes useful to limit the scope of tokens not only by the scopes assigned to the client, but also according to the user's own permissions. If you use a `DefaultOAuth2RequestFactory` in your `AuthorizationEndpoint` you can set a flag `checkUserScopes=true` to restrict permitted scopes to only those that match the user's roles. You can also inject an `OAuth2RequestFactory` into the `TokenEndpoint` but that only works (i.e. with password grants) if you also install a `TokenEndpointAuthenticationFilter` - you just need to add that filter after the HTTP `BasicAuthenticationFilter`. Of course, you can also implement your own rules for mapping scopes to roles and install your own version of the `OAuth2RequestFactory`. The `AuthorizationServerEndpointsConfigurer` allows you to inject a custom `OAuth2RequestFactory` so you can use that feature to set up a factory if you use `@EnableAuthorizationServer`.
-
-## Resource Server Configuration
-
-A Resource Server (can be the same as the Authorization Server or a separate application) serves resources that are protected by the OAuth2 token. Spring OAuth provides a Spring Security authentication filter that implements this protection. You can switch it on with `@EnableResourceServer` on an `@Configuration` class, and configure it (as necessary) using a `ResourceServerConfigurer`. The following features can be configured:
-
-* `tokenServices`: the bean that defines the token services (instance of `ResourceServerTokenServices`).
-* `resourceId`: the id for the resource (optional, but recommended and will be validated by the auth server if present).
-* other extension points for the resources server (e.g. `tokenExtractor` for extracting the tokens from incoming requests)
-* request matchers for protected resources (defaults to all)
-* access rules for protected resources (defaults to plain "authenticated")
-* other customizations for the protected resources permitted by the `HttpSecurity` configurer in Spring Security
-
-The `@EnableResourceServer` annotation adds a filter of type `OAuth2AuthenticationProcessingFilter` automatically to the Spring Security filter chain.
-
-In XML there is a `<resource-server/>` element with an `id` attribute - this is the bean id for a servlet `Filter` that can then be added manually to the standard Spring Security chain.
-
-Your `ResourceServerTokenServices` is the other half of a contract with the Authorization Server. If the Resource Server and Authorization Server are in the same application and you use `DefaultTokenServices` then you don't have to think too hard about this because it implements all the necessary interfaces so it is automatically consistent. If your Resource Server is a separate application then you have to make sure you match the capabilities of the Authorization Server and provide a `ResourceServerTokenServices` that knows how to decode the tokens correctly. As with the Authorization Server, you can often use the `DefaultTokenServices` and the choices are mostly expressed through the `TokenStore` (backend storage or local encoding). An alternative is the `RemoteTokenServices` which is a Spring OAuth features (not part of the spec) allowing Resource Servers to decode tokens through an HTTP resource on the Authorization Server (`/oauth/check_token`). `RemoteTokenServices` are convenient if there is not a huge volume of traffic in the Resource Servers (every request has to be verified with the Authorization Server), or if you can afford to cache the results. To use the `/oauth/check_token` endpoint you need to expose it by changing its access rule (default is "denyAll()") in the `AuthorizationServerSecurityConfigurer`, e.g.
-
-```
-@Override
-public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
-	oauthServer.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')")
-	.checkTokenAccess("hasAuthority('ROLE_TRUSTED_CLIENT')");
-}
-
-```
-
-In this example we are configuring both the `/oauth/check_token` endpoint and the `/oauth/token_key` endpoint (so trusted resources can obtain the public key for JWT verification). These two endpoints are protected by HTTP Basic authentication using client credentials.
-
-### Configuring An OAuth-Aware Expression Handler
-
-You may want to take advantage of Spring Security's [expression-based access control][expressions]. An expression handler will be registered by default in the `@EnableResourceServer` setup. The expressions include _#oauth2.clientHasRole_, _#oauth2.clientHasAnyRole_, and _#oath2.denyClient_ which can be used to provide access based on the role of the oauth client (see `OAuth2SecurityExpressionMethods` for a comprehensive list). In XML you can register a oauth-aware expression handler with the `expression-handler` element of the regular `<http/>` security configuration.
-
-## OAuth 2.0 Client
-
-The OAuth 2.0 client mechanism is responsible for access the OAuth 2.0 protected resources of other servers. The configuration involves establishing the relevant protected resources to which users might have access. The client may also need to be supplied with mechanisms for storing authorization codes and access tokens for users.
-
-### Protected Resource Configuration
-
-Protected resources (or "remote resources") can be defined using bean definitions of type [`OAuth2ProtectedResourceDetails`][OAuth2ProtectedResourceDetails]. A protected resource has the following properties:
-
-* `id`: The id of the resource. The id is only used by the client to lookup the resource; it's never used in the OAuth protocol. It's also used as the id of the bean.
-* `clientId`: The OAuth client id. This is the id by which the OAuth provider identifies your client.
-* `clientSecret`: The secret associated with the resource. By default, no secret is empty.
-* `accessTokenUri`: The URI of the provider OAuth endpoint that provides the access token.
-* `scope`: Comma-separted list of strings specifying the scope of the access to the resource. By default, no scope will be specified.
-* `clientAuthenticationScheme`: The scheme used by your client to authenticate to the access token endpoint. Suggested values: "http\_basic" and "form". Default: "http\_basic". See section 2.1 of the OAuth 2 spec.
-
-Different grant types have different concrete implementations  of `OAuth2ProtectedResourceDetails` (e.g. `ClientCredentialsResource` for "client_credentials" grant type).  For grant types that require user authorization there is a further property:
-
-* `userAuthorizationUri`: The uri to which the user will be redirected if the user is ever needed to authorize access to the resource. Note that this is not always required, depending on which OAuth 2 profiles are supported.
-
-In XML there is a `<resource/>` element that can be used to create a bean of type `OAuth2ProtectedResourceDetails`. It has attributes matching all the properties above.
-
-
-### Client Configuration
-
-For the OAuth 2.0 client, configuration is simplified using `@EnableOAuth2Client`. This does 2 things:
-
-* Creates a filter bean (with ID `oauth2ClientContextFilter`) to store the current
-request and context. In the case of needing to authenticate during a
-request it manages the redirection to and from the OAuth
-authentication uri.
-
-* Creates a bean of type `AccessTokenRequest` in request scope. This
-can be used by authorization code (or implicit) grant clients to keep
-state related to individual users from colliding.
-
-The filter has to be wired into the application (e.g. using a Servlet
-initializer or `web.xml` configuration for a `DelegatingFilterProxy`
-with the same name).
-
-The `AccessTokenRequest` can be used in an
-`OAuth2RestTemplate` like this:
-
-```
-@Autowired
-private OAuth2ClientContext oauth2Context;
-
-@Bean
-public OAuth2RestTemplate sparklrRestTemplate() {
-	return new OAuth2RestTemplate(sparklr(), oauth2Context);
-}
-```
-
-The OAuth2ClientContext is placed (for you) in session scope to keep
-the state for different users separate. Without that you would have to
-manage the equivalent data structure yourself on the server, mapping
-incoming requests to users, and associating each user with a separate
-instance of the `OAuth2ClientContext`.
-
-In XML there is a `<client/>` element with an `id` attribute - this is the bean id for a servlet `Filter` that must be mapped as in the `@Configuration` case to a `DelegatingFilterProxy` (with the same name).
-
-
-### Accessing Protected Resources
-
-Once you've supplied all the configuration for the resources, you can now access those resources. The suggested method for accessing those resources is by using [the `RestTemplate` introduced in Spring 3][restTemplate]. OAuth for Spring Security has provided [an extension of RestTemplate][OAuth2RestTemplate] that only needs to be supplied an instance of [`OAuth2ProtectedResourceDetails`][OAuth2ProtectedResourceDetails].  To use it with user-tokens (authorization code grants) you should consider using the `@EnableOAuth2Client` configuration (or the XML equivalent `<oauth:rest-template/>`) which creates some request and session scoped context objects so that requests for different users do not collide at runtime.
-
-As a general rule, a web application should not use password grants, so avoid using `ResourceOwnerPasswordResourceDetails` if you can in favour of `AuthorizationCodeResourceDetails`. If you desparately need password grants to work from a Java client, then use the same mechanism to configure your `OAuth2RestTemplate` and add the credentials to the `AccessTokenRequest` (which is a `Map` and is ephemeral) not the `ResourceOwnerPasswordResourceDetails` (which is shared between all access tokens).
-
-### Persisting Tokens in a Client
-
-A client does not *need* to persist tokens, but it can be nice for users to not be required to approve a new token grant every time the client app is restarted. The [`ClientTokenServices`](/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientTokenServices.java) interface defines the operations that are necessary to persist OAuth 2.0 tokens for specific users. There is a JDBC implementation provided, but you can if you prefer implement your own service for storing the access tokens and associated authentication instances in a persistent database.
-If you want to use this feature you need provide a specially configured `AccessTokenProvider` to the `OAuth2RestTemplate` e.g.
-
-```java
-@Bean
-@Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)
-public OAuth2RestOperations restTemplate() {
-	OAuth2RestTemplate template = new OAuth2RestTemplate(resource(), new DefaultOAuth2ClientContext(accessTokenRequest));
-	AccessTokenProviderChain provider = new AccessTokenProviderChain(Arrays.asList(new AuthorizationCodeAccessTokenProvider()));
-	provider.setClientTokenServices(clientTokenServices());
-	template.setAccessTokenProvider(provider);
-	return template;
-}
-```
-
-## Customizations for Clients of External OAuth2 Providers
-
-Some external OAuth2 providers (e.g. [Facebook][Facebook]) do not quite implement the specification correctly, or else they are just stuck on an older version of the spec than Spring Security OAuth. To use those providers in your client application you might need to adapt various parts of the client-side infrastructure.
-
-To use Facebook as an example, there is a Facebook feature in the `tonr2` application (you need to change the configuration to add your own, valid, client id and secret - they are easy to generate on the Facebook website).
-
-Facebook token responses also contain a non-compliant JSON entry for the expiry time of the token (they use `expires` instead of `expires_in`), so if you want to use the expiry time in your application you will have to decode it manually using a custom `OAuth2SerializationService`.
-
-  [AuthorizationEndpoint]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.html "AuthorizationEndpoint"
-  [TokenEndpoint]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/endpoint/TokenEndpoint.html "TokenEndpoint"
-  [DefaultTokenServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/token/DefaultTokenServices.html "DefaultTokenServices"
-  [InMemoryTokenStore]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/token/store/InMemoryTokenStore.html "InMemoryTokenStore"
-  [JdbcTokenStore]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/token/store/JdbcTokenStore.html "JdbcTokenStore"
-  [ClientDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/ClientDetailsService.html "ClientDetailsService"
-  [ClientDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/ClientDetails.html "ClientDetails"
-  [InMemoryClientDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/InMemoryClientDetailsService.html "InMemoryClientDetailsService"
-  [BaseClientDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/BaseClientDetails.html "BaseClientDetails"
-  [AuthorizationServerTokenServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/token/AuthorizationServerTokenServices.html "AuthorizationServerTokenServices"
-  [OAuth2AuthenticationProcessingFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilter.html "OAuth2AuthenticationProcessingFilter"
-  [oauth2.xsd]: http://www.springframework.org/schema/security/spring-security-oauth2.xsd "oauth2.xsd"
-  [expressions]: http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/#el-access "Expression Access Control"
-
-  [AccessTokenProviderChain]: /spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChain.java
-  [OAuth2RestTemplate]: /spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestTemplate.java
-  [OAuth2ProtectedResourceDetails]: /spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2ProtectedResourceDetails.java
-  [restTemplate]: http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html "RestTemplate"
-  [Facebook]: http://developers.facebook.com/docs/authentication "Facebook"
diff --git a/docs/support.md b/docs/support.md
deleted file mode 100644
index 36817adbf..000000000
--- a/docs/support.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-title: Docs
-layout: default
-home: ../
----
-
-
-# Support
-
-Questions about OAuth for Spring Security can be posed on
-[Stackoverflow](http://stackoverflow.com/questions/tagged/spring-security+spring+oauth)
-using tags 'spring', 'spring-security' and 'oauth'. (There is also a
-[Spring Forum](http://forum.springsource.org/forumdisplay.php?f=79)
-that might be useful, but most people prefer the interface at
-Stackoverflow).  To report bugs, submit enchancement requests or add
-something to the wish list, use
-[Github](https://github.com/spring-projects/spring-security-oauth/issues).
-
-Commercial support is available from [Pivotal](http://gopivotal.com)
-or through [Web Cohesion](http://www.webcohesion.com).
diff --git a/docs/tutorial.md b/docs/tutorial.md
deleted file mode 100644
index bad04c0b2..000000000
--- a/docs/tutorial.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Docs
-layout: default
-home: ../
----
-
-
-# Tutorial
-
-## Introduction
-
-There's a good [getting started guide](http://www.hueniverse.com/hueniverse/2007/10/beginners-gui-1.html) that illustrates OAuth
-1.0 by describing two different (but related) services.  One is a photo-sharing application.  The other is a photo-printing
-application.  In OAuth terms, the photo sharing application is the OAuth _provider_ and the photo printing application
-is the OAuth _consumer_ or _client_.
-
-For this tutorial, we will see OAuth for Spring Security in action by deploying a photo-sharing application and a
-photo-printing application on our local machine.  We'll name the photo-sharing application "Sparklr" and the
-photo-printing application "Tonr".  A user named "Marissa" (who has an account at both Sparkr and Tonr) will use Tonr
-to access her photos on Sparklr without ever giving Tonr her credentials to Sparklr.
-
-There is a Sparklr application for both OAuth 1.0 and for OAuth 2.0,
-likewise Tonr. The best way to run them is to clone or download the
-[repo on github](https://github.com/spring-projects/spring-security-oauth)
-and run from source code See the
-[samples/README.md](https://github.com/spring-projects/spring-security-oauth/tree/master/samples)
-for detailed instructions. 
-
-OAuth 1.0|OAuth 2.0
----------|---------
-Sparklr 1 | Sparklr 2
-Tonr 1 | Tonr 2
-
-Each application is a standard [Maven](http://maven.apache.org/) project, so you will need Maven installed. Each
-application is also a Spring MVC application with Spring Security integrated. If you are familiar with Spring and Spring
-Security, the configuration files will look familiar to you (the OAuth2 samples use a single application context whereas
-many MVC applications use a root context and a child for the DispatcherServlet).
-
-## Setup
-
-Checkout the Sparklr and Tonr applications, and take a look around. Note especially the Spring configuration files in `src/main/webapp/WEB-INF`.
-  
-For Sparklr, you'll notice the definition of the OAuth provider mechanism and the consumer/client details along with the
-[standard spring security configuration](http://docs.spring.io/spring-security/site/docs/4.0.x/reference/html/ns-config.html) elements.  For Tonr,
-you'll notice the definition of the OAuth consumer/client mechanism and the resource details.  For more information about the necessary
-components of an OAuth provider and consumer, see the [developers guide](devguide.html).
-
-You'll also notice the Spring Security filter chain in `applicationContext.xml` and how it's configured for OAuth support.
-
-### Deploy Sparklr
-
-{% highlight text %}
-    mvn install
-    cd samples/oauth(2)/sparklr
-    mvn tomcat7:run
-{% endhighlight %}
-
-Sparklr should be started on port 8080.  Go ahead and browse to [http://localhost:8080/sparklr](http://localhost:8080/sparklr). Note the basic
-login page and the page that can be used to browse Marissa's photos. Logout to ensure Marissa's session is no longer valid.  (Of course,
-the logout isn't mandatory; an active Sparklr session will simply bypass the step that prompts for Marissa's credentials before
-confirming authorization for Marissa's protected resources.)
-
-### Start Tonr.
-
-Shutdown sparklr (it will be launched in the same container when tonr runs), then
-
-{% highlight text %}
-    mvn install
-    cd samples/oauth(2)/tonr
-    mvn tomcat7:run
-{% endhighlight %}
-
-Tonr should be started on port 8080.  Browse to [http://localhost:8080/tonr(2)](http://localhost:8080/tonr). Note Tonr's home page has a '2' on the end if it is the oauth2 version.
-
-### Observe...
-
-Now that you've got both applications deployed, you're ready to observe OAuth in action.
-
-1. Login to Tonr.
-
-   Marissa's credentials are already hardcoded into the login form.
-
-2. Click to view Marissa's Sparklr photos.
-
-   You will be redirected to the Sparklr site where you will be prompted for Marissa's credentials.
-
-3. Login to Sparklr.
-
-   Upon successful login, you will be prompted with a confirmation screen to authorize access to Tonr
-   for Marissa's pictures.
-    
-4. Click "authorize".
-  
-   Upon authorization, you should be redirected back to Tonr where Marissa's Sparklr photos are displayed
-   (presumably to be printed).
-
diff --git a/docs/twolegged.md b/docs/twolegged.md
deleted file mode 100644
index 1ca6356c0..000000000
--- a/docs/twolegged.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Docs
-layout: default
-home: ../
----
-
-
-# 2-Legged OAuth
-
-Two-legged OAuth (also known as "signed fetch") is basically OAuth without the user. It's a way for a consumer (i.e. client) to make a signed request
-to a provider (i.e. server) by leveraging the OAuth signature algorithm. This means that the provider has an extra level of trust with the consumer and will
-therefore provide data to the consumer without making an end-user authorize a token.
-
-This has particular applicability to gadget frameworks. For example, [OpenSocial](http://www.opensocial.org/) platforms often use 2-legged OAuth so gadget
-developers can have the gadget (the OAuth consumer) make Web service requests to their remote server (the OAuth provider). Since the gadget developer and
-the server developer are often the same entity, the server can trust the gadget without the need for the gadget to obtain special permission from the user to
-access the user's data.
-
-To implement 2-legged OAuth using _OAuth for Spring Security_, all that is needed is for the provider to indicate that a specific consumer has an extra
-level of trust. To do this, make sure your implementation of [`ConsumerDetailsService`][ConsumerDetailsService] returns instances of 
-[`ConsumerDetails`][ConsumerDetails] that implement [`ExtraTrustConsumerDetails`][ExtraTrustConsumerDetails]. Then, for each consumer
-that doesn't need to obtain a user-authorized token, make sure [`ExtraTrustConsumerDetails.isRequiredToObtainAuthenticatedToken()`][isRequiredToObtainAuthenticatedToken]
-returns `false`.
-
-In many instances, providers may want to manage the authentication that is set up in the security context. By default for 2-legged OAuth, only the consumer's
-authentication will be set up in the context. However, if a user authentication is needed in the context, provide an alternate implementation of
-`org.springframework.security.oauth.provider.OAuthAuthenticationHandler` that loads the user authentication, and provide a reference to the alternate
-implementation using the "auth-handler-ref" attribute of the "provider" configuration element.
-
-[ConsumerDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ConsumerDetailsService.html
-[ConsumerDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ConsumerDetails.html
-[ExtraTrustConsumerDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ExtraTrustConsumerDetails.html
-[isRequiredToObtainAuthenticatedToken]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ExtraTrustConsumerDetails.html#isRequiredToObtainAuthenticatedToken()
diff --git a/etc/nohttp/checkstyle.xml b/etc/nohttp/checkstyle.xml
new file mode 100644
index 000000000..4b2ef2e48
--- /dev/null
+++ b/etc/nohttp/checkstyle.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0"?>
+<!--
+  ~ Copyright 2002-2019 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<!DOCTYPE module PUBLIC "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
+		"https://www.puppycrawl.com/dtds/configuration_1_3.dtd">
+<module name="Checker">
+	<property name="charset" value="UTF-8"/>
+	<property name="fileExtensions" value=""/>
+	<module name="io.spring.nohttp.checkstyle.check.NoHttpCheck">
+		<property name="whitelistFileName" value="etc/nohttp/whitelist.lines"/>
+	</module>
+</module>
\ No newline at end of file
diff --git a/etc/nohttp/whitelist.lines b/etc/nohttp/whitelist.lines
new file mode 100644
index 000000000..55860ea4f
--- /dev/null
+++ b/etc/nohttp/whitelist.lines
@@ -0,0 +1 @@
+http://junit.sourceforge.net/javadoc/
\ No newline at end of file
diff --git a/license.txt b/license.txt
index 261eeb9e9..20e4bd856 100755
--- a/license.txt
+++ b/license.txt
@@ -1,6 +1,6 @@
                                  Apache License
                            Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+                        https://www.apache.org/licenses/
 
    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
@@ -192,7 +192,7 @@
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
 
-       http://www.apache.org/licenses/LICENSE-2.0
+       https://www.apache.org/licenses/LICENSE-2.0
 
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/mvnw b/mvnw
index 53c0d7219..02f96acef 100755
--- a/mvnw
+++ b/mvnw
@@ -8,7 +8,7 @@
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
-#    http://www.apache.org/licenses/LICENSE-2.0
+#    https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
diff --git a/mvnw.cmd b/mvnw.cmd
index fc8302432..eb9a292a7 100644
--- a/mvnw.cmd
+++ b/mvnw.cmd
@@ -7,7 +7,7 @@
 @REM "License"); you may not use this file except in compliance
 @REM with the License.  You may obtain a copy of the License at
 @REM
-@REM    http://www.apache.org/licenses/LICENSE-2.0
+@REM    https://www.apache.org/licenses/LICENSE-2.0
 @REM
 @REM Unless required by applicable law or agreed to in writing,
 @REM software distributed under the License is distributed on an
diff --git a/notice.txt b/notice.txt
index 77391586a..9007f5823 100755
--- a/notice.txt
+++ b/notice.txt
@@ -5,16 +5,16 @@
 ======================================================================
 
 This product includes software developed by
-the Apache Software Foundation (http://www.apache.org).
+the Apache Software Foundation (https://www.apache.org).
 
 This product includes software developed by the Spring Framework
-Project (http://www.springframework.org).
+Project (https://www.springframework.org).
 
 The end-user documentation included with a redistribution, if any,
 must include the following acknowledgement:
 
   "This product includes software developed by Web Cohesion
-   (http://www.webcohesion.com)."
+   (https://www.webcohesion.com)."
 
 Alternately, this acknowledgement may appear in the software itself,
 if and wherever such third-party acknowledgements normally appear.
diff --git a/pom.xml b/pom.xml
index 32474a878..c1837e581 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,12 +1,12 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.springframework.security.oauth</groupId>
   <artifactId>spring-security-oauth-parent</artifactId>
   <name>OAuth for Spring Security</name>
   <description>Parent Project for OAuth Support for Spring Security</description>
   <packaging>pom</packaging>
-  <version>2.3.6.BUILD-SNAPSHOT</version>
-  <url>http://static.springframework.org/spring-security/oauth</url>
+  <version>2.5.3.BUILD-SNAPSHOT</version>
+  <url>https://docs.spring.io/spring-security/oauth</url>
 
   <modules>
     <module>spring-security-oauth</module>
@@ -18,29 +18,31 @@
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <commons-codec.version>1.9</commons-codec.version>
-    <spring.version>4.0.9.RELEASE</spring.version>
-    <spring.security.version>3.2.10.RELEASE</spring.security.version>
-    <spring.data.redis.version>1.5.0.RELEASE</spring.data.redis.version>
+    <commons-codec.version>1.14</commons-codec.version>
+    <spring.version>4.3.30.RELEASE</spring.version>
+    <spring.security.version>4.2.20.RELEASE</spring.security.version>
+    <spring.data.redis.version>1.5.2.RELEASE</spring.data.redis.version>
     <redis.clients.version>2.6.3</redis.clients.version>
+    <junit.version>4.12</junit.version>
+    <mockito.version>1.10.19</mockito.version>
     <java.version>1.6</java.version>
   </properties>
 
   <scm>
-    <url>http://github.com/SpringSource/spring-security-oauth</url>
+    <url>https://github.com/SpringSource/spring-security-oauth</url>
     <connection>scm:git:git://github.com/SpringSource/spring-security-oauth.git</connection>
     <developerConnection>scm:git:ssh://git@github.com/SpringSource/spring-security-oauth.git</developerConnection>
     <tag>HEAD</tag>
   </scm>
   <issueManagement>
     <system>JIRA</system>
-    <url>http://opensource.atlassian.com/projects/spring/browse/SECOAUTH</url>
+    <url>https://opensource.atlassian.com/projects/spring/browse/SECOAUTH</url>
   </issueManagement>
   <mailingLists>
     <mailingList>
       <name>Spring Security OAuth Forum</name>
-      <post>http://forum.springframework.org/forumdisplay.php?f=79</post>
-      <archive>http://forum.springframework.org/forumdisplay.php?f=79</archive>
+      <post>https://forum.springframework.org/forumdisplay.php?f=79</post>
+      <archive>https://forum.springframework.org/forumdisplay.php?f=79</archive>
     </mailingList>
   </mailingLists>
   <ciManagement>
@@ -50,7 +52,7 @@
   <licenses>
     <license>
       <name>Apache 2.0</name>
-      <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
     </license>
   </licenses>
 
@@ -94,22 +96,22 @@
         <repository>
           <id>repo.spring.io-milestone</id>
           <name>Spring Framework Milestone Repository</name>
-          <url>http://repo.spring.io/libs-milestone-local</url>
+          <url>https://repo.spring.io/libs-milestone-local</url>
         </repository>
         <repository>
           <id>repo.spring.io-release</id>
           <name>Spring Framework Release Repository</name>
-          <url>http://repo.spring.io/libs-release-local</url>
+          <url>https://repo.spring.io/libs-release-local</url>
         </repository>
         <repository>
           <id>repo.spring.io-snapshot</id>
           <name>Spring Framework Maven Snapshot Repository</name>
-          <url>http://repo.spring.io/libs-snapshot-local</url>
+          <url>https://repo.spring.io/libs-snapshot-local</url>
           <snapshots><enabled>true</enabled></snapshots>
         </repository>
         <repository>
           <id>oauth.googlecode.net</id>
-          <url>http://oauth.googlecode.com/svn/code/maven/</url>
+          <url>https://oauth.googlecode.com/svn/code/maven/</url>
         </repository>
       </repositories>
     </profile>
@@ -119,7 +121,7 @@
             <repository>
               <id>repo.spring.io</id>
               <name>Spring Milestone Repository</name>
-              <url>http://repo.spring.io/libs-milestone-local</url>
+              <url>https://repo.spring.io/libs-milestone-local</url>
             </repository>
       </distributionManagement>
     </profile>
@@ -167,7 +169,7 @@
     <profile>
       <id>spring5</id>
         <properties>
-            <spring.version>5.0.4.RELEASE</spring.version>
+            <spring.version>5.0.16.RELEASE</spring.version>
             <spring.security.version>5.0.3.RELEASE</spring.security.version>
             <spring.data.redis.version>2.0.5.RELEASE</spring.data.redis.version>
             <redis.clients.version>2.9.0</redis.clients.version>
@@ -176,15 +178,50 @@
             <repository>
                 <id>repo.spring.io-milestone</id>
                 <name>Spring Framework Milestone Repository</name>
-                <url>http://repo.spring.io/libs-milestone-local</url>
+                <url>https://repo.spring.io/libs-milestone-local</url>
             </repository>
             <repository>
                 <id>repo.spring.io-snapshot</id>
                 <name>Spring Framework Maven Snapshot Repository</name>
-                <url>http://repo.spring.io/libs-snapshot-local</url>
+                <url>https://repo.spring.io/libs-snapshot-local</url>
                 <snapshots><enabled>true</enabled></snapshots>
             </repository>
         </repositories>
+        <build>
+			<plugins>
+				<plugin>
+					<groupId>org.apache.maven.plugins</groupId>
+					<artifactId>maven-checkstyle-plugin</artifactId>
+					<version>3.1.1</version>
+					<dependencies>
+						<dependency>
+							<groupId>com.puppycrawl.tools</groupId>
+							<artifactId>checkstyle</artifactId>
+							<version>8.31</version>
+						</dependency>
+						<dependency>
+							<groupId>io.spring.nohttp</groupId>
+							<artifactId>nohttp-checkstyle</artifactId>
+							<version>0.0.3.RELEASE</version>
+						</dependency>
+					</dependencies>
+					<configuration>
+						<configLocation>${maven.multiModuleProjectDirectory}/etc/nohttp/checkstyle.xml</configLocation>
+						<includes>src/**/*,*</includes>
+						<sourceDirectories>
+							<sourceDirectory>./</sourceDirectory>
+						</sourceDirectories>
+					</configuration>
+					<executions>
+						<execution>
+							<goals>
+								<goal>check</goal>
+							</goals>
+						</execution>
+					</executions>
+				</plugin>
+			</plugins>
+        </build>
     </profile>
     <profile>
         <id>default</id>
@@ -224,6 +261,27 @@
             </plugins>
         </build>
     </profile>
+    <profile>
+      <id>tests-exclude-redis</id>
+      <build>
+          <plugins>
+              <plugin>
+                  <groupId>org.apache.maven.plugins</groupId>
+                  <artifactId>maven-surefire-plugin</artifactId>
+                  <configuration>
+                      <skip>${skipTests}</skip>
+                      <includes>
+                          <include>**/*Tests.java</include>
+                      </includes>
+                      <excludes>
+                          <exclude>**/RedisTokenStorePrefixTests.java</exclude>
+                          <exclude>**/RedisTokenStoreTests.java</exclude>
+                      </excludes>
+                  </configuration>
+              </plugin>
+          </plugins>
+      </build>
+    </profile>
   </profiles>
 
   <dependencyManagement>
@@ -409,7 +467,7 @@
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-site-plugin</artifactId>
-          <version>3.1</version>
+          <version>3.3</version>
           <dependencies>
             <dependency><!-- add support for ssh/scp -->
               <groupId>org.apache.maven.wagon</groupId>
@@ -421,11 +479,15 @@
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-surefire-plugin</artifactId>
+          <version>2.20</version>
           <configuration>
             <skip>${skipTests}</skip>
             <includes>
               <include>**/*Tests.java</include>
             </includes>
+            <forkCount>3</forkCount>
+            <reuseForks>true</reuseForks>
+            <argLine>-Xmx1024m -XX:MaxPermSize=256m</argLine>
           </configuration>
         </plugin>
 	  </plugins>
@@ -470,19 +532,19 @@
           <aggregate>true</aggregate>
           <breakiterator>true</breakiterator>
           <links>
-            <link>http://java.sun.com/j2ee/1.4/docs/api</link>
-            <link>http://java.sun.com/j2se/1.5.0/docs/api</link>
-            <link>http://jakarta.apache.org/commons/collections/apidocs-COLLECTIONS_3_0/</link>
-            <link>http://jakarta.apache.org/commons/dbcp/apidocs/</link>
-            <link>http://jakarta.apache.org/commons/fileupload/apidocs/</link>
-            <link>http://jakarta.apache.org/commons/httpclient/apidocs/</link>
-            <link>http://jakarta.apache.org/commons/pool/apidocs/</link>
-            <link>http://jakarta.apache.org/commons/logging/apidocs/</link>
+            <link>https://java.sun.com/j2ee/1.4/docs/api</link>
+            <link>https://java.sun.com/j2se/1.5.0/docs/api</link>
+            <link>https://jakarta.apache.org/commons/collections/apidocs-COLLECTIONS_3_0/</link>
+            <link>https://jakarta.apache.org/commons/dbcp/apidocs/</link>
+            <link>https://jakarta.apache.org/commons/fileupload/apidocs/</link>
+            <link>https://jakarta.apache.org/commons/httpclient/apidocs/</link>
+            <link>https://jakarta.apache.org/commons/pool/apidocs/</link>
+            <link>https://jakarta.apache.org/commons/logging/apidocs/</link>
             <link>http://junit.sourceforge.net/javadoc/</link>
-            <link>http://logging.apache.org/log4j/docs/api/</link>
-            <link>http://jakarta.apache.org/regexp/apidocs/</link>
-            <link>http://jakarta.apache.org/velocity/api/</link>
-            <link>http://static.springframework.org/spring/docs/2.5.x/api/</link>
+            <link>https://logging.apache.org/log4j/docs/api/</link>
+            <link>https://jakarta.apache.org/regexp/apidocs/</link>
+            <link>https://jakarta.apache.org/velocity/api/</link>
+            <link>https://docs.spring.io/spring/docs/2.5.x/api/</link>
           </links>
           <excludePackageNames>example</excludePackageNames>
         </configuration>
@@ -490,6 +552,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-jxr-plugin</artifactId>
+        <version>2.4</version>
       </plugin>
     </plugins>
   </reporting>
@@ -497,20 +560,20 @@
   <distributionManagement>
 
     <site>
-      <id>static.springframework.org</id>
-      <url>scp://static.springframework.org/var/www/domains/springframework.org/static/htdocs/spring-security/oauth</url>
+      <id>static.spring.io</id>
+      <url>scp://docs-ip.spring.io/var/www/domains/spring.io/docs/htdocs/spring-security/oauth/site/docs/${project.version}</url>
     </site>
 
     <repository>
       <id>repo.spring.io</id>
       <name>Spring Release Repository</name>
-      <url>http://repo.spring.io/libs-release-local</url>
+      <url>https://repo.spring.io/libs-release-local</url>
     </repository>
 
     <snapshotRepository>
       <id>repo.spring.io</id>
       <name>Spring Snapshot Repository</name>
-      <url>http://repo.spring.io/libs-snapshot-local</url>
+      <url>https://repo.spring.io/libs-snapshot-local</url>
     </snapshotRepository>
 
   </distributionManagement>
diff --git a/samples/README.md b/samples/README.md
index 2ba26c4b4..9140c388e 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -1,3 +1,9 @@
+### Deprecation Notice
+
+The Spring Security OAuth project is deprecated. The latest OAuth 2.0 support is provided by Spring Security. See the [OAuth 2.0 Migration Guide](https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide) for further details.
+
+---
+
 These are the Spring Security OAuth sample apps and integration tests.
 They are split into OAuth (1a) and OAuth2 samples.  Look in the
 subdirectory `oauth` and `oauth2` respectively for components of the
@@ -59,7 +65,7 @@ To deploy the apps in Eclipse you will need the Maven plugin (`m2e`)
 and the Web Tools Project (WTP) plugins.  If you have SpringSource
 Toolsuite (STS) you should already have those, aso you can deploy the
 apps very simply.  (Update the WTP plugin to at least version 0.12 at
-http://download.eclipse.org/technology/m2e/releases if you have an older
+https://download.eclipse.org/technology/m2e/releases if you have an older
 one, or the context roots for the apps will be wrong.)
 
 * Ensure the Spring Security OAuth dependencies are available locally
diff --git a/samples/oauth/sparklr/pom.xml b/samples/oauth/sparklr/pom.xml
index bd44cf661..7d4bca68c 100644
--- a/samples/oauth/sparklr/pom.xml
+++ b/samples/oauth/sparklr/pom.xml
@@ -1,11 +1,11 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/maven-v4_0_0.xsd">
 
 	<modelVersion>4.0.0</modelVersion>
 
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 		<relativePath>../../..</relativePath>
 	</parent>
 
@@ -47,7 +47,7 @@
 		<repository>
 			<id>spring</id>
 			<name>Spring Framework Repository</name>
-			<url>http://repo.spring.io/libs-snapshot</url>
+			<url>https://repo.spring.io/libs-snapshot</url>
 		</repository>
 	</repositories>
 
diff --git a/samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/impl/PhotoServiceImpl.java b/samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/impl/PhotoServiceImpl.java
index f803497ed..6b96f61e3 100644
--- a/samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/impl/PhotoServiceImpl.java
+++ b/samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/impl/PhotoServiceImpl.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml b/samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml
index c23317603..f33670c75 100644
--- a/samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml
@@ -4,9 +4,9 @@
   xmlns:beans="http://www.springframework.org/schema/beans"
   xmlns:oauth="http://www.springframework.org/schema/security/oauth"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd-%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security%20http://www.springframework.org/schema/security/spring-security.xsd-%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security/oauth%20http://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd">
+  xsi:schemaLocation="http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd+%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security%20https://www.springframework.org/schema/security/spring-security.xsd+%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security/oauth%20https://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd">
 
   <http auto-config='true' access-denied-page="/login.jsp">
     <intercept-url pattern="/xml/photos" access="ROLE_USER" />
diff --git a/samples/oauth/sparklr/src/main/webapp/WEB-INF/jsp/access_confirmation.jsp b/samples/oauth/sparklr/src/main/webapp/WEB-INF/jsp/access_confirmation.jsp
index f88681b83..0937858eb 100644
--- a/samples/oauth/sparklr/src/main/webapp/WEB-INF/jsp/access_confirmation.jsp
+++ b/samples/oauth/sparklr/src/main/webapp/WEB-INF/jsp/access_confirmation.jsp
@@ -1,8 +1,8 @@
 <%@ page import="org.springframework.security.core.AuthenticationException" %>
-<%@ page import="org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter" %>
+<%@ page import="org.springframework.security.web.WebAttributes" %>
 <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
@@ -20,12 +20,12 @@
       <div class="error">
         <h2>Woops!</h2>
 
-        <p>Access could not be granted. (<%= ((AuthenticationException) session.getAttribute(AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY)).getMessage() %>)</p>
+        <p>Access could not be granted. (<%= ((AuthenticationException) session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION)).getMessage() %>)</p>
       </div>
     </c:if>
     <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION"/>
 
-    <authz:authorize ifAllGranted="ROLE_USER">
+    <authz:authorize access="hasRole('ROLE_USER')">
       <h2>Please Confirm</h2>
 
       <p>You hereby authorize "<c:out value="${consumer.consumerName}"/>" to access the following resource:</p>
@@ -44,7 +44,7 @@
     </authz:authorize>
   </div>
 
-  <div id="footer">Design by <a href="http://www.pyserwebdesigns.com/" target="_blank">Pyser Web Designs</a></div>
+  <div id="footer">Design by <a href="https://www.pyserwebdesigns.com/" target="_blank">Pyser Web Designs</a></div>
 
 
 </body>
diff --git a/samples/oauth/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml b/samples/oauth/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml
index 65bcd5a97..b364e2142 100644
--- a/samples/oauth/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml
+++ b/samples/oauth/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml
@@ -2,8 +2,8 @@
 
 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:mvc="http://www.springframework.org/schema/mvc"
-	xsi:schemaLocation="http://www.springframework.org/schema/mvc%20http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/mvc%20https://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 
 	<mvc:annotation-driven />
 
diff --git a/samples/oauth/sparklr/src/main/webapp/WEB-INF/web.xml b/samples/oauth/sparklr/src/main/webapp/WEB-INF/web.xml
index 8492917b3..31390bf58 100644
--- a/samples/oauth/sparklr/src/main/webapp/WEB-INF/web.xml
+++ b/samples/oauth/sparklr/src/main/webapp/WEB-INF/web.xml
@@ -2,7 +2,7 @@
 
 <!DOCTYPE web-app PUBLIC
   "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
-  "http://java.sun.com/dtd/web-app_2_3.dtd">
+  "https://java.sun.com/dtd/web-app_2_3.dtd">
 
 <web-app>
 
diff --git a/samples/oauth/sparklr/src/main/webapp/index.jsp b/samples/oauth/sparklr/src/main/webapp/index.jsp
index 62ee6dff6..1e945d215 100644
--- a/samples/oauth/sparklr/src/main/webapp/index.jsp
+++ b/samples/oauth/sparklr/src/main/webapp/index.jsp
@@ -1,13 +1,13 @@
 <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
   <title>Sparklr</title>
   <link type="text/css" rel="stylesheet" href="https://github.com/%3Cc:url%20value="/style.css"/>"/>
 
-  <authz:authorize ifAllGranted="ROLE_USER">
+  <authz:authorize access="hasRole('ROLE_USER')">
     <script type='text/javascript'>
       function pictureDisplay(json) {
         for (var i = 0; i < json.photos.length; i++) {
@@ -28,7 +28,7 @@
     <p>This is a great site to store and view your photos. Unfortunately, we don't have any services
     for printing your photos.  For that, you'll have to go to <a href="http://localhost:8888/tonr/">Tonr.com</a>.</p>
 
-    <authz:authorize ifNotGranted="ROLE_USER">
+    <authz:authorize access="!hasRole('ROLE_USER')">
       <h2>Login</h2>
       <form action="https://github.com/%3Cc:url%20value="/login.do"/>" method="post">
         <p><label>Username: <input type='text' name='j_username' value="marissa"></label></p>
@@ -37,7 +37,7 @@
         <p><input name="login" value="Login" type="submit"></p>
       </form>
     </authz:authorize>
-    <authz:authorize ifAllGranted="ROLE_USER">
+    <authz:authorize access="hasRole('ROLE_USER')">
       <div style="text-align: center"><form action="https://github.com/%3Cc:url%20value="/logout.do"/>"><input type="submit" value="Logout"></form></div>
       
       <h2>Your Photos</h2>
@@ -48,7 +48,7 @@
     </authz:authorize>
   </div>
 
-  <div id="footer">Design by <a href="http://www.pyserwebdesigns.com/" target="_blank">Pyser Web Designs</a></div>
+  <div id="footer">Design by <a href="https://www.pyserwebdesigns.com/" target="_blank">Pyser Web Designs</a></div>
 
 
 </body>
diff --git a/samples/oauth/sparklr/src/main/webapp/login.jsp b/samples/oauth/sparklr/src/main/webapp/login.jsp
index 5e3b0421e..02d5c9e07 100644
--- a/samples/oauth/sparklr/src/main/webapp/login.jsp
+++ b/samples/oauth/sparklr/src/main/webapp/login.jsp
@@ -1,12 +1,12 @@
 <%@ page import="org.springframework.security.core.AuthenticationException" %>
-<%@ page import="org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter" %>
+<%@ page import="org.springframework.security.web.WebAttributes" %>
 <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
-<authz:authorize ifAllGranted="ROLE_USER">
+<authz:authorize access="hasRole('ROLE_USER')">
   <c:redirect url="index.jsp"/>
 </authz:authorize>
 
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
@@ -23,12 +23,12 @@
       <div class="error">
 		<h2>Woops!</h2>
 
-      	<p>Your login attempt was not successful. (<%= ((AuthenticationException) session.getAttribute(AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY)).getMessage() %>)</p>
+      	<p>Your login attempt was not successful. (<%= ((AuthenticationException) session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION)).getMessage() %>)</p>
       </div>
     </c:if>
     <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION"/>
 
-    <authz:authorize ifNotGranted="ROLE_USER">
+    <authz:authorize access="!hasRole('ROLE_USER')">
       <h2>Login</h2>
 
       <p>We've got a grand total of 2 users: marissa and paul. Go ahead and log in. Marissa's password is "koala" and Paul's password is "emu".</p>
@@ -41,7 +41,7 @@
     </authz:authorize>
   </div>
 
-  <div id="footer">Design by <a href="http://www.pyserwebdesigns.com/" target="_blank">Pyser Web Designs</a></div>
+  <div id="footer">Design by <a href="https://www.pyserwebdesigns.com/" target="_blank">Pyser Web Designs</a></div>
 
 
 </body>
diff --git a/samples/oauth/sparklr/src/main/webapp/request_token_authorized.jsp b/samples/oauth/sparklr/src/main/webapp/request_token_authorized.jsp
index 8469790cd..2a456eb56 100644
--- a/samples/oauth/sparklr/src/main/webapp/request_token_authorized.jsp
+++ b/samples/oauth/sparklr/src/main/webapp/request_token_authorized.jsp
@@ -1,6 +1,6 @@
 <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
@@ -18,7 +18,7 @@
     <p>You have successfully authorized the request for a protected resource.</p>
   </div>
 
-  <div id="footer">Design by <a href="http://www.pyserwebdesigns.com/" target="_blank">Pyser Web Designs</a></div>
+  <div id="footer">Design by <a href="https://www.pyserwebdesigns.com/" target="_blank">Pyser Web Designs</a></div>
 
 
 </body>
diff --git a/samples/oauth/sparklr/src/main/webapp/sparklr_gadget.xml b/samples/oauth/sparklr/src/main/webapp/sparklr_gadget.xml
index 3f914b85a..e6f0b94ab 100644
--- a/samples/oauth/sparklr/src/main/webapp/sparklr_gadget.xml
+++ b/samples/oauth/sparklr/src/main/webapp/sparklr_gadget.xml
@@ -7,7 +7,7 @@
       <Service name="google">
         <Access url="${gae.application.url}/oauth/access_token" method="GET" />
         <Request url="${gae.application.url}/oauth/request_token" method="GET" />
-        <Authorization url="${gae.application.url}/oauth/confirm_access?callbackURL=http://oauth.gmodules.com/gadgets/oauthcallback" />
+        <Authorization url="${gae.application.url}/oauth/confirm_access?callbackURL=https://oauth.gmodules.com/gadgets/oauthcallback" />
       </Service>
     </OAuth>
   </ModulePrefs>
@@ -15,7 +15,7 @@
   <![CDATA[
 
   <!-- shindig oauth popup handling code -->
-  <script src="http://gadget-doc-examples.googlecode.com/svn/trunk/opensocial-gadgets/popup.js"></script>
+  <script src="https://gadget-doc-examples.googlecode.com/svn/trunk/opensocial-gadgets/popup.js"></script>
 
   <style>
   #main {
@@ -29,7 +29,7 @@
   </div>
 
   <div id="approval" style="display: none">
-    <img src="http://gadget-doc-examples.googlecode.com/svn/trunk/images/new.gif">
+    <img src="https://gadget-doc-examples.googlecode.com/svn/trunk/images/new.gif">
     <a href="#" id="personalize">Personalize this gadget</a>
   </div>
 
diff --git a/samples/oauth/tonr/pom.xml b/samples/oauth/tonr/pom.xml
index be01d9e76..69181c8a7 100644
--- a/samples/oauth/tonr/pom.xml
+++ b/samples/oauth/tonr/pom.xml
@@ -1,11 +1,11 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/maven-v4_0_0.xsd">
 
 	<modelVersion>4.0.0</modelVersion>
 
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 		<relativePath>../../..</relativePath>
 	</parent>
 
@@ -51,7 +51,7 @@
 		<repository>
 			<id>spring</id>
 			<name>Spring Framework Repository</name>
-			<url>http://repo.spring.io/libs-snapshot</url>
+			<url>https://repo.spring.io/libs-snapshot</url>
 		</repository>
 	</repositories>
 
diff --git a/samples/oauth/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/impl/GoogleServiceImpl.java b/samples/oauth/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/impl/GoogleServiceImpl.java
index cabd09160..799b13734 100644
--- a/samples/oauth/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/impl/GoogleServiceImpl.java
+++ b/samples/oauth/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/impl/GoogleServiceImpl.java
@@ -38,7 +38,7 @@ public List<String> getLastTenPicasaPictureURLs() {
       parser.parse(photosXML, new DefaultHandler() {
         @Override
         public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
-          if ("http://search.yahoo.com/mrss/".equals(uri)
+          if ("https://search.yahoo.com/mrss/".equals(uri)
             && "thumbnail".equalsIgnoreCase(localName)) {
             int width = 0;
             try {
diff --git a/samples/oauth/tonr/src/main/resources/example_picasa_feed.xml b/samples/oauth/tonr/src/main/resources/example_picasa_feed.xml
index b287d6ea5..2ce860a8e 100644
--- a/samples/oauth/tonr/src/main/resources/example_picasa_feed.xml
+++ b/samples/oauth/tonr/src/main/resources/example_picasa_feed.xml
@@ -1,25 +1,25 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<feed xmlns='http://www.w3.org/2005/Atom' xmlns:exif='http://schemas.google.com/photos/exif/2007' xmlns:gphoto='http://schemas.google.com/photos/2007'
-      xmlns:media='http://search.yahoo.com/mrss/' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'>
+<feed xmlns='http://www.w3.org/2005/Atom' xmlns:exif='https://schemas.google.com/photos/exif/2007' xmlns:gphoto='https://schemas.google.com/photos/2007'
+      xmlns:media='https://search.yahoo.com/mrss/' xmlns:openSearch='https://a9.com/-/spec/opensearchrss/1.0/'>
   <id>https://picasaweb.google.com/data/feed/api/user/default</id>
   <updated>2010-10-15T22:27:04.288Z</updated>
-  <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/photos/2007#user'/>
+  <category scheme='https://schemas.google.com/g/2005#kind' term='https://schemas.google.com/photos/2007#user'/>
   <title type='text'>stoicflame</title>
   <subtitle type='text'/>
   <icon>https://lh4.googleusercontent.com/_z9SKGlPDBkg/AAAAhIbG2ns/AAAAAAAAAAA/qimDEQavf4c/s64-c/stoicflame.jpg</icon>
-  <link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='https://picasaweb.google.com/data/feed/api/user/stoicflame'/>
-  <link rel='alternate' type='text/html' href='http://picasaweb.google.com/stoicflame'/>
-  <link rel='http://schemas.google.com/photos/2007#slideshow' type='application/x-shockwave-flash'
-        href='http://picasaweb.google.com/s/c/bin/slideshow.swf?host=picasaweb.google.com&amp;RGB=0x000000&amp;feed=https%3A%2F%2Fpicasaweb.google.com%2Fdata%2Ffeed%2Fapi%2Fuser%2Fstoicflame%3Falt%3Drss'/>
+  <link rel='https://schemas.google.com/g/2005#feed' type='application/atom+xml' href='https://picasaweb.google.com/data/feed/api/user/stoicflame'/>
+  <link rel='alternate' type='text/html' href='https://github.com/109190140453754943808?gsessionid=clr7rfNSarvEV15l85q1khMqSj8oDwqx'/>
+  <link rel='https://schemas.google.com/photos/2007#slideshow' type='application/x-shockwave-flash'
+        href='https://picasaweb.google.com/s/c/bin/slideshow.swf?host=picasaweb.google.com&amp;RGB=0x000000&amp;feed=https%3A%2F%2Fpicasaweb.google.com%2Fdata%2Ffeed%2Fapi%2Fuser%2Fstoicflame%3Falt%3Drss'/>
   <link rel='self' type='application/atom+xml'
         href='https://picasaweb.google.com/data/feed/api/user/stoicflame?q=&amp;start-index=1&amp;max-results=10&amp;kind=photo'/>
   <link rel='next' type='application/atom+xml'
         href='https://picasaweb.google.com/data/feed/api/user/stoicflame?q=&amp;start-index=11&amp;max-results=10&amp;kind=photo'/>
   <author>
     <name>Ryan</name>
-    <uri>http://picasaweb.google.com/stoicflame</uri>
+    <uri>/109190140453754943808?gsessionid=clr7rfNSarvEV15l85q1khMqSj8oDwqx</uri>
   </author>
-  <generator version='1.00' uri='http://picasaweb.google.com/'>Picasaweb</generator>
+  <generator version='1.00' uri='https://picasaweb.google.com/'>Picasaweb</generator>
   <openSearch:totalResults>394</openSearch:totalResults>
   <openSearch:startIndex>1</openSearch:startIndex>
   <openSearch:itemsPerPage>10</openSearch:itemsPerPage>
@@ -33,14 +33,14 @@
     <id>https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5381874767712259297/photoid/5416573875289209458</id>
     <published>2009-12-18T13:53:01.000Z</published>
     <updated>2009-12-18T13:53:01.731Z</updated>
-    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/photos/2007#photo'/>
+    <category scheme='https://schemas.google.com/g/2005#kind' term='https://schemas.google.com/photos/2007#photo'/>
     <title type='text'>CIMG1845.JPG</title>
     <summary type='text'/>
     <content type='image/jpeg' src='https://lh3.googleusercontent.com/_z9SKGlPDBkg/SyuJPchGOnI/AAAAAAAABvY/Q0dYomVmPfw/CIMG1845.JPG'/>
-    <link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml'
+    <link rel='https://schemas.google.com/g/2005#feed' type='application/atom+xml'
           href='https://picasaweb.google.com/data/feed/api/user/stoicflame/albumid/5381874767712259297/photoid/5416573875289209458?authkey=aEgk9ZZkNoY'/>
-    <link rel='alternate' type='text/html' href='http://picasaweb.google.com/stoicflame/TheHeatonHome?authkey=aEgk9ZZkNoY#5416573875289209458'/>
-    <link rel='http://schemas.google.com/photos/2007#canonical' type='text/html' href='http://picasaweb.google.com/lh/photo/Ioko4Z0cbBD1Dh1B7YubrA'/>
+    <link rel='alternate' type='text/html' href='https://github.com/109190140453754943808/TheHeatonHome?authkey=aEgk9ZZkNoY&gsessionid=1ct-z3jGjEC8oXohyjDG7FXpwPazlGXo#5416573875289209458'/>
+    <link rel='https://schemas.google.com/photos/2007#canonical' type='text/html' href='https://picasaweb.google.com/lh/photo/Ioko4Z0cbBD1Dh1B7YubrA'/>
     <link rel='self' type='application/atom+xml'
           href='https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5381874767712259297/photoid/5416573875289209458?authkey=aEgk9ZZkNoY'/>
     <link rel='edit' type='application/atom+xml'
@@ -49,8 +49,8 @@
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5381874767712259297/photoid/5416573875289209458/1?authkey=aEgk9ZZkNoY'/>
     <link rel='media-edit' type='image/jpeg'
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5381874767712259297/photoid/5416573875289209458/1?authkey=aEgk9ZZkNoY'/>
-    <link rel='http://schemas.google.com/photos/2007#report' type='text/html'
-          href='http://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5381874767712259297&amp;iid=5416573875289209458'/>
+    <link rel='https://schemas.google.com/photos/2007#report' type='text/html'
+          href='https://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5381874767712259297&amp;iid=5416573875289209458'/>
     <gphoto:id>5416573875289209458</gphoto:id>
     <gphoto:version>1</gphoto:version>
     <gphoto:albumid>5381874767712259297</gphoto:albumid>
@@ -87,14 +87,14 @@
     <id>https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5381874767712259297/photoid/5398207118777306258</id>
     <published>2009-10-30T02:00:38.000Z</published>
     <updated>2009-10-30T02:00:38.489Z</updated>
-    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/photos/2007#photo'/>
+    <category scheme='https://schemas.google.com/g/2005#kind' term='https://schemas.google.com/photos/2007#photo'/>
     <title type='text'>CIMG1632.JPG</title>
     <summary type='text'/>
     <content type='image/jpeg' src='https://lh5.googleusercontent.com/_z9SKGlPDBkg/SupIxgq0zJI/AAAAAAAABuQ/cpb0QfIxwRM/CIMG1632.JPG'/>
-    <link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml'
+    <link rel='https://schemas.google.com/g/2005#feed' type='application/atom+xml'
           href='https://picasaweb.google.com/data/feed/api/user/stoicflame/albumid/5381874767712259297/photoid/5398207118777306258?authkey=aEgk9ZZkNoY'/>
-    <link rel='alternate' type='text/html' href='http://picasaweb.google.com/stoicflame/TheHeatonHome?authkey=aEgk9ZZkNoY#5398207118777306258'/>
-    <link rel='http://schemas.google.com/photos/2007#canonical' type='text/html' href='http://picasaweb.google.com/lh/photo/EpbAByEAotaQekZSdVgZQg'/>
+    <link rel='alternate' type='text/html' href='https://github.com/109190140453754943808/TheHeatonHome?authkey=aEgk9ZZkNoY&gsessionid=1ct-z3jGjEC8oXohyjDG7FXpwPazlGXo#5398207118777306258'/>
+    <link rel='https://schemas.google.com/photos/2007#canonical' type='text/html' href='https://picasaweb.google.com/lh/photo/EpbAByEAotaQekZSdVgZQg'/>
     <link rel='self' type='application/atom+xml'
           href='https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5381874767712259297/photoid/5398207118777306258?authkey=aEgk9ZZkNoY'/>
     <link rel='edit' type='application/atom+xml'
@@ -103,8 +103,8 @@
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5381874767712259297/photoid/5398207118777306258/1?authkey=aEgk9ZZkNoY'/>
     <link rel='media-edit' type='image/jpeg'
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5381874767712259297/photoid/5398207118777306258/1?authkey=aEgk9ZZkNoY'/>
-    <link rel='http://schemas.google.com/photos/2007#report' type='text/html'
-          href='http://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5381874767712259297&amp;iid=5398207118777306258'/>
+    <link rel='https://schemas.google.com/photos/2007#report' type='text/html'
+          href='https://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5381874767712259297&amp;iid=5398207118777306258'/>
     <gphoto:id>5398207118777306258</gphoto:id>
     <gphoto:version>1</gphoto:version>
     <gphoto:albumid>5381874767712259297</gphoto:albumid>
@@ -132,14 +132,14 @@
     <id>https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186870191943938</id>
     <published>2008-01-14T04:37:56.000Z</published>
     <updated>2009-06-27T00:25:09.327Z</updated>
-    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/photos/2007#photo'/>
+    <category scheme='https://schemas.google.com/g/2005#kind' term='https://schemas.google.com/photos/2007#photo'/>
     <title type='text'>IMG_7581.jpg</title>
     <summary type='text'/>
     <content type='image/jpeg' src='https://lh4.googleusercontent.com/_z9SKGlPDBkg/R4rnJSSMcQI/AAAAAAAABBg/1OQJ3PtIgdM/IMG_7581.jpg'/>
-    <link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml'
+    <link rel='https://schemas.google.com/g/2005#feed' type='application/atom+xml'
           href='https://picasaweb.google.com/data/feed/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186870191943938'/>
-    <link rel='alternate' type='text/html' href='http://picasaweb.google.com/stoicflame/HawaiiBeach#5155186870191943938'/>
-    <link rel='http://schemas.google.com/photos/2007#canonical' type='text/html' href='http://picasaweb.google.com/lh/photo/_rJ23c0-ev-GEsuqajvYWg'/>
+    <link rel='alternate' type='text/html' href='https://github.com/109190140453754943808/HawaiiBeach?gsessionid=SApB7ihRtbUnXPMYlCx4O2myoa0iD-E9#5155186870191943938'/>
+    <link rel='https://schemas.google.com/photos/2007#canonical' type='text/html' href='https://picasaweb.google.com/lh/photo/_rJ23c0-ev-GEsuqajvYWg'/>
     <link rel='self' type='application/atom+xml'
           href='https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186870191943938'/>
     <link rel='edit' type='application/atom+xml'
@@ -148,8 +148,8 @@
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186870191943938/3'/>
     <link rel='media-edit' type='image/jpeg'
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186870191943938/3'/>
-    <link rel='http://schemas.google.com/photos/2007#report' type='text/html'
-          href='http://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155186870191943938'/>
+    <link rel='https://schemas.google.com/photos/2007#report' type='text/html'
+          href='https://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155186870191943938'/>
     <gphoto:id>5155186870191943938</gphoto:id>
     <gphoto:version>3</gphoto:version>
     <gphoto:position>1.9896023E9</gphoto:position>
@@ -190,14 +190,14 @@
     <id>https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186560954298610</id>
     <published>2008-01-14T04:36:44.000Z</published>
     <updated>2009-06-27T01:38:45.028Z</updated>
-    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/photos/2007#photo'/>
+    <category scheme='https://schemas.google.com/g/2005#kind' term='https://schemas.google.com/photos/2007#photo'/>
     <title type='text'>IMG_7578.jpg</title>
     <summary type='text'/>
     <content type='image/jpeg' src='https://lh4.googleusercontent.com/_z9SKGlPDBkg/R4rm3SSMcPI/AAAAAAAABBY/e-5B4T6K1WI/IMG_7578.jpg'/>
-    <link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml'
+    <link rel='https://schemas.google.com/g/2005#feed' type='application/atom+xml'
           href='https://picasaweb.google.com/data/feed/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186560954298610'/>
-    <link rel='alternate' type='text/html' href='http://picasaweb.google.com/stoicflame/HawaiiBeach#5155186560954298610'/>
-    <link rel='http://schemas.google.com/photos/2007#canonical' type='text/html' href='http://picasaweb.google.com/lh/photo/b02iZRlngmObhiG-xVwmng'/>
+    <link rel='alternate' type='text/html' href='https://github.com/109190140453754943808/HawaiiBeach?gsessionid=SApB7ihRtbUnXPMYlCx4O2myoa0iD-E9#5155186560954298610'/>
+    <link rel='https://schemas.google.com/photos/2007#canonical' type='text/html' href='https://picasaweb.google.com/lh/photo/b02iZRlngmObhiG-xVwmng'/>
     <link rel='self' type='application/atom+xml'
           href='https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186560954298610'/>
     <link rel='edit' type='application/atom+xml'
@@ -206,8 +206,8 @@
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186560954298610/3'/>
     <link rel='media-edit' type='image/jpeg'
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186560954298610/3'/>
-    <link rel='http://schemas.google.com/photos/2007#report' type='text/html'
-          href='http://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155186560954298610'/>
+    <link rel='https://schemas.google.com/photos/2007#report' type='text/html'
+          href='https://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155186560954298610'/>
     <gphoto:id>5155186560954298610</gphoto:id>
     <gphoto:version>3</gphoto:version>
     <gphoto:position>1.98953088E9</gphoto:position>
@@ -248,14 +248,14 @@
     <id>https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186290371358946</id>
     <published>2008-01-14T04:35:41.000Z</published>
     <updated>2009-06-26T23:31:32.814Z</updated>
-    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/photos/2007#photo'/>
+    <category scheme='https://schemas.google.com/g/2005#kind' term='https://schemas.google.com/photos/2007#photo'/>
     <title type='text'>IMG_7575.jpg</title>
     <summary type='text'/>
     <content type='image/jpeg' src='https://lh5.googleusercontent.com/_z9SKGlPDBkg/R4rmniSMcOI/AAAAAAAABBQ/POJU3icUoNg/IMG_7575.jpg'/>
-    <link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml'
+    <link rel='https://schemas.google.com/g/2005#feed' type='application/atom+xml'
           href='https://picasaweb.google.com/data/feed/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186290371358946'/>
-    <link rel='alternate' type='text/html' href='http://picasaweb.google.com/stoicflame/HawaiiBeach#5155186290371358946'/>
-    <link rel='http://schemas.google.com/photos/2007#canonical' type='text/html' href='http://picasaweb.google.com/lh/photo/1_pPyhAE3IXRe5cb4AagZQ'/>
+    <link rel='alternate' type='text/html' href='https://github.com/109190140453754943808/HawaiiBeach?gsessionid=SApB7ihRtbUnXPMYlCx4O2myoa0iD-E9#5155186290371358946'/>
+    <link rel='https://schemas.google.com/photos/2007#canonical' type='text/html' href='https://picasaweb.google.com/lh/photo/1_pPyhAE3IXRe5cb4AagZQ'/>
     <link rel='self' type='application/atom+xml'
           href='https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186290371358946'/>
     <link rel='edit' type='application/atom+xml'
@@ -264,8 +264,8 @@
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186290371358946/4'/>
     <link rel='media-edit' type='image/jpeg'
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186290371358946/4'/>
-    <link rel='http://schemas.google.com/photos/2007#report' type='text/html'
-          href='http://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155186290371358946'/>
+    <link rel='https://schemas.google.com/photos/2007#report' type='text/html'
+          href='https://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155186290371358946'/>
     <gphoto:id>5155186290371358946</gphoto:id>
     <gphoto:version>4</gphoto:version>
     <gphoto:position>1.98946752E9</gphoto:position>
@@ -306,14 +306,14 @@
     <id>https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186024083386578</id>
     <published>2008-01-14T04:34:40.000Z</published>
     <updated>2009-06-26T23:31:35.806Z</updated>
-    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/photos/2007#photo'/>
+    <category scheme='https://schemas.google.com/g/2005#kind' term='https://schemas.google.com/photos/2007#photo'/>
     <title type='text'>IMG_7573.jpg</title>
     <summary type='text'/>
     <content type='image/jpeg' src='https://lh3.googleusercontent.com/_z9SKGlPDBkg/R4rmYCSMcNI/AAAAAAAABBE/P1LeVs3nwTE/IMG_7573.jpg'/>
-    <link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml'
+    <link rel='https://schemas.google.com/g/2005#feed' type='application/atom+xml'
           href='https://picasaweb.google.com/data/feed/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186024083386578'/>
-    <link rel='alternate' type='text/html' href='http://picasaweb.google.com/stoicflame/HawaiiBeach#5155186024083386578'/>
-    <link rel='http://schemas.google.com/photos/2007#canonical' type='text/html' href='http://picasaweb.google.com/lh/photo/emw168uzsXbckWn6o1NOGw'/>
+    <link rel='alternate' type='text/html' href='https://github.com/109190140453754943808/HawaiiBeach?gsessionid=SApB7ihRtbUnXPMYlCx4O2myoa0iD-E9#5155186024083386578'/>
+    <link rel='https://schemas.google.com/photos/2007#canonical' type='text/html' href='https://picasaweb.google.com/lh/photo/emw168uzsXbckWn6o1NOGw'/>
     <link rel='self' type='application/atom+xml'
           href='https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186024083386578'/>
     <link rel='edit' type='application/atom+xml'
@@ -322,8 +322,8 @@
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186024083386578/4'/>
     <link rel='media-edit' type='image/jpeg'
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155186024083386578/4'/>
-    <link rel='http://schemas.google.com/photos/2007#report' type='text/html'
-          href='http://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155186024083386578'/>
+    <link rel='https://schemas.google.com/photos/2007#report' type='text/html'
+          href='https://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155186024083386578'/>
     <gphoto:id>5155186024083386578</gphoto:id>
     <gphoto:version>4</gphoto:version>
     <gphoto:position>1.98940582E9</gphoto:position>
@@ -364,14 +364,14 @@
     <id>https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155185633241362626</id>
     <published>2008-01-14T04:33:08.000Z</published>
     <updated>2009-06-26T23:30:51.138Z</updated>
-    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/photos/2007#photo'/>
+    <category scheme='https://schemas.google.com/g/2005#kind' term='https://schemas.google.com/photos/2007#photo'/>
     <title type='text'>IMG_7563.jpg</title>
     <summary type='text'/>
     <content type='image/jpeg' src='https://lh4.googleusercontent.com/_z9SKGlPDBkg/R4rmBSSMcMI/AAAAAAAABA8/NFu6-vNFweM/IMG_7563.jpg'/>
-    <link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml'
+    <link rel='https://schemas.google.com/g/2005#feed' type='application/atom+xml'
           href='https://picasaweb.google.com/data/feed/api/user/stoicflame/albumid/5155181789245632497/photoid/5155185633241362626'/>
-    <link rel='alternate' type='text/html' href='http://picasaweb.google.com/stoicflame/HawaiiBeach#5155185633241362626'/>
-    <link rel='http://schemas.google.com/photos/2007#canonical' type='text/html' href='http://picasaweb.google.com/lh/photo/U7NcEx5i97pGfjxIhqlYow'/>
+    <link rel='alternate' type='text/html' href='https://github.com/109190140453754943808/HawaiiBeach?gsessionid=SApB7ihRtbUnXPMYlCx4O2myoa0iD-E9#5155185633241362626'/>
+    <link rel='https://schemas.google.com/photos/2007#canonical' type='text/html' href='https://picasaweb.google.com/lh/photo/U7NcEx5i97pGfjxIhqlYow'/>
     <link rel='self' type='application/atom+xml'
           href='https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155185633241362626'/>
     <link rel='edit' type='application/atom+xml'
@@ -380,8 +380,8 @@
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155185633241362626/3'/>
     <link rel='media-edit' type='image/jpeg'
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155185633241362626/3'/>
-    <link rel='http://schemas.google.com/photos/2007#report' type='text/html'
-          href='http://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155185633241362626'/>
+    <link rel='https://schemas.google.com/photos/2007#report' type='text/html'
+          href='https://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155185633241362626'/>
     <gphoto:id>5155185633241362626</gphoto:id>
     <gphoto:version>3</gphoto:version>
     <gphoto:position>1.98931494E9</gphoto:position>
@@ -422,14 +422,14 @@
     <id>https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155185272464109746</id>
     <published>2008-01-14T04:31:44.000Z</published>
     <updated>2009-06-27T02:30:50.430Z</updated>
-    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/photos/2007#photo'/>
+    <category scheme='https://schemas.google.com/g/2005#kind' term='https://schemas.google.com/photos/2007#photo'/>
     <title type='text'>IMG_7555.jpg</title>
     <summary type='text'/>
     <content type='image/jpeg' src='https://lh4.googleusercontent.com/_z9SKGlPDBkg/R4rlsSSMcLI/AAAAAAAABA0/-1uFP0rGegs/IMG_7555.jpg'/>
-    <link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml'
+    <link rel='https://schemas.google.com/g/2005#feed' type='application/atom+xml'
           href='https://picasaweb.google.com/data/feed/api/user/stoicflame/albumid/5155181789245632497/photoid/5155185272464109746'/>
-    <link rel='alternate' type='text/html' href='http://picasaweb.google.com/stoicflame/HawaiiBeach#5155185272464109746'/>
-    <link rel='http://schemas.google.com/photos/2007#canonical' type='text/html' href='http://picasaweb.google.com/lh/photo/zU1hicDzC1JGgsnl6CMtQw'/>
+    <link rel='alternate' type='text/html' href='https://github.com/109190140453754943808/HawaiiBeach?gsessionid=SApB7ihRtbUnXPMYlCx4O2myoa0iD-E9#5155185272464109746'/>
+    <link rel='https://schemas.google.com/photos/2007#canonical' type='text/html' href='https://picasaweb.google.com/lh/photo/zU1hicDzC1JGgsnl6CMtQw'/>
     <link rel='self' type='application/atom+xml'
           href='https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155185272464109746'/>
     <link rel='edit' type='application/atom+xml'
@@ -438,8 +438,8 @@
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155185272464109746/3'/>
     <link rel='media-edit' type='image/jpeg'
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155185272464109746/3'/>
-    <link rel='http://schemas.google.com/photos/2007#report' type='text/html'
-          href='http://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155185272464109746'/>
+    <link rel='https://schemas.google.com/photos/2007#report' type='text/html'
+          href='https://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155185272464109746'/>
     <gphoto:id>5155185272464109746</gphoto:id>
     <gphoto:version>3</gphoto:version>
     <gphoto:position>1.98923008E9</gphoto:position>
@@ -480,14 +480,14 @@
     <id>https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155184993291235490</id>
     <published>2008-01-14T04:30:40.000Z</published>
     <updated>2009-06-24T16:28:07.161Z</updated>
-    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/photos/2007#photo'/>
+    <category scheme='https://schemas.google.com/g/2005#kind' term='https://schemas.google.com/photos/2007#photo'/>
     <title type='text'>IMG_7554.jpg</title>
     <summary type='text'/>
     <content type='image/jpeg' src='https://lh3.googleusercontent.com/_z9SKGlPDBkg/R4rlcCSMcKI/AAAAAAAABEg/zsrJTxG1wbw/IMG_7554.jpg'/>
-    <link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml'
+    <link rel='https://schemas.google.com/g/2005#feed' type='application/atom+xml'
           href='https://picasaweb.google.com/data/feed/api/user/stoicflame/albumid/5155181789245632497/photoid/5155184993291235490'/>
-    <link rel='alternate' type='text/html' href='http://picasaweb.google.com/stoicflame/HawaiiBeach#5155184993291235490'/>
-    <link rel='http://schemas.google.com/photos/2007#canonical' type='text/html' href='http://picasaweb.google.com/lh/photo/cyqNMsCJd4KMl9d8thlF9A'/>
+    <link rel='alternate' type='text/html' href='https://github.com/109190140453754943808/HawaiiBeach?gsessionid=SApB7ihRtbUnXPMYlCx4O2myoa0iD-E9#5155184993291235490'/>
+    <link rel='https://schemas.google.com/photos/2007#canonical' type='text/html' href='https://picasaweb.google.com/lh/photo/cyqNMsCJd4KMl9d8thlF9A'/>
     <link rel='self' type='application/atom+xml'
           href='https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155184993291235490'/>
     <link rel='edit' type='application/atom+xml'
@@ -496,8 +496,8 @@
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155184993291235490/3'/>
     <link rel='media-edit' type='image/jpeg'
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155184993291235490/3'/>
-    <link rel='http://schemas.google.com/photos/2007#report' type='text/html'
-          href='http://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155184993291235490'/>
+    <link rel='https://schemas.google.com/photos/2007#report' type='text/html'
+          href='https://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155184993291235490'/>
     <gphoto:id>5155184993291235490</gphoto:id>
     <gphoto:version>3</gphoto:version>
     <gphoto:position>1.98916557E9</gphoto:position>
@@ -538,14 +538,14 @@
     <id>https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155184692643524754</id>
     <published>2008-01-14T04:29:29.000Z</published>
     <updated>2009-06-26T23:30:39.164Z</updated>
-    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/photos/2007#photo'/>
+    <category scheme='https://schemas.google.com/g/2005#kind' term='https://schemas.google.com/photos/2007#photo'/>
     <title type='text'>IMG_7546.jpg</title>
     <summary type='text'/>
     <content type='image/jpeg' src='https://lh5.googleusercontent.com/_z9SKGlPDBkg/R4rlKiSMcJI/AAAAAAAABAg/rChQTFtBKX8/IMG_7546.jpg'/>
-    <link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml'
+    <link rel='https://schemas.google.com/g/2005#feed' type='application/atom+xml'
           href='https://picasaweb.google.com/data/feed/api/user/stoicflame/albumid/5155181789245632497/photoid/5155184692643524754'/>
-    <link rel='alternate' type='text/html' href='http://picasaweb.google.com/stoicflame/HawaiiBeach#5155184692643524754'/>
-    <link rel='http://schemas.google.com/photos/2007#canonical' type='text/html' href='http://picasaweb.google.com/lh/photo/XpvsZB33FPqLHa527Nc2hQ'/>
+    <link rel='alternate' type='text/html' href='https://github.com/109190140453754943808/HawaiiBeach?gsessionid=SApB7ihRtbUnXPMYlCx4O2myoa0iD-E9#5155184692643524754'/>
+    <link rel='https://schemas.google.com/photos/2007#canonical' type='text/html' href='https://picasaweb.google.com/lh/photo/XpvsZB33FPqLHa527Nc2hQ'/>
     <link rel='self' type='application/atom+xml'
           href='https://picasaweb.google.com/data/entry/api/user/stoicflame/albumid/5155181789245632497/photoid/5155184692643524754'/>
     <link rel='edit' type='application/atom+xml'
@@ -554,8 +554,8 @@
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155184692643524754/3'/>
     <link rel='media-edit' type='image/jpeg'
           href='https://picasaweb.google.com/data/media/api/user/stoicflame/albumid/5155181789245632497/photoid/5155184692643524754/3'/>
-    <link rel='http://schemas.google.com/photos/2007#report' type='text/html'
-          href='http://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155184692643524754'/>
+    <link rel='https://schemas.google.com/photos/2007#report' type='text/html'
+          href='https://picasaweb.google.com/lh/reportAbuse?uname=stoicflame&amp;aid=5155181789245632497&amp;iid=5155184692643524754'/>
     <gphoto:id>5155184692643524754</gphoto:id>
     <gphoto:version>3</gphoto:version>
     <gphoto:position>1.98909517E9</gphoto:position>
diff --git a/samples/oauth/tonr/src/main/webapp/WEB-INF/applicationContext.xml b/samples/oauth/tonr/src/main/webapp/WEB-INF/applicationContext.xml
index 0e1d3fc12..c5f696e72 100644
--- a/samples/oauth/tonr/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/samples/oauth/tonr/src/main/webapp/WEB-INF/applicationContext.xml
@@ -4,9 +4,9 @@
   xmlns:beans="http://www.springframework.org/schema/beans"
   xmlns:oauth="http://www.springframework.org/schema/security/oauth"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd-%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security%20http://www.springframework.org/schema/security/spring-security.xsd-%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security/oauth%20http://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd">
+  xsi:schemaLocation="http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd+%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security%20https://www.springframework.org/schema/security/spring-security.xsd+%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security/oauth%20https://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd">
 
   <beans:bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
     <beans:property name="location" value="/WEB-INF/sparklr.properties"/>
@@ -43,7 +43,7 @@
                     request-token-url="http://localhost:8080/sparklr/oauth/request_token"
                     user-authorization-url="http://localhost:8080/sparklr/oauth/confirm_access"
                     access-token-url="http://localhost:8080/sparklr/oauth/access_token"/>
-    <!--see http://code.google.com/apis/accounts/docs/OAuth_ref.html-->
+    <!--see https://code.google.com/apis/accounts/docs/OAuth_ref.html-->
     <oauth:resource id="google" key="anonymous" secret="anonymous"
                     request-token-url="https://www.google.com/accounts/OAuthGetRequestToken"
                     user-authorization-url="https://www.google.com/accounts/OAuthAuthorizeToken"
diff --git a/samples/oauth/tonr/src/main/webapp/WEB-INF/jsp/picasa.jsp b/samples/oauth/tonr/src/main/webapp/WEB-INF/jsp/picasa.jsp
index f832134e1..8dbcf4845 100644
--- a/samples/oauth/tonr/src/main/webapp/WEB-INF/jsp/picasa.jsp
+++ b/samples/oauth/tonr/src/main/webapp/WEB-INF/jsp/picasa.jsp
@@ -1,6 +1,6 @@
 <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
   <link href="https://github.com/%3Cc:url%20value="/main.css"/>" rel="stylesheet" type="text/css"/>
@@ -11,7 +11,7 @@
 
     <ul id="mainlinks">
       <li><a href="https://github.com/%3Cc:url%20value="/index.jsp"/>">home</a></li>
-      <authz:authorize ifNotGranted="ROLE_USER">
+      <authz:authorize access="!hasRole('ROLE_USER')">
         <li><a href="https://github.com/%3Cc:url%20value="/login.jsp"/>">login</a></li>
       </authz:authorize>
       <li><a href="https://github.com/%3Cc:url%20value="/sparklr/photos"/>">sparklr pics</a></li>
diff --git a/samples/oauth/tonr/src/main/webapp/WEB-INF/jsp/sparklr.jsp b/samples/oauth/tonr/src/main/webapp/WEB-INF/jsp/sparklr.jsp
index 2b58812a7..81c406d34 100644
--- a/samples/oauth/tonr/src/main/webapp/WEB-INF/jsp/sparklr.jsp
+++ b/samples/oauth/tonr/src/main/webapp/WEB-INF/jsp/sparklr.jsp
@@ -1,6 +1,6 @@
 <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
   <link href="https://github.com/%3Cc:url%20value="/main.css"/>" rel="stylesheet" type="text/css"/>
@@ -11,7 +11,7 @@
 
     <ul id="mainlinks">
       <li><a href="https://github.com/%3Cc:url%20value="/index.jsp"/>">home</a></li>
-      <authz:authorize ifNotGranted="ROLE_USER">
+      <authz:authorize access="!hasRole('ROLE_USER')">
         <li><a href="https://github.com/%3Cc:url%20value="/login.jsp"/>">login</a></li>
       </authz:authorize>
       <li><a href="https://github.com/%3Cc:url%20value="/sparklr/photos"/>" class="selected">sparklr pics</a></li>
diff --git a/samples/oauth/tonr/src/main/webapp/WEB-INF/spring-servlet.xml b/samples/oauth/tonr/src/main/webapp/WEB-INF/spring-servlet.xml
index 22b4cc5d7..16ca8e4f8 100644
--- a/samples/oauth/tonr/src/main/webapp/WEB-INF/spring-servlet.xml
+++ b/samples/oauth/tonr/src/main/webapp/WEB-INF/spring-servlet.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:mvc="http://www.springframework.org/schema/mvc"
-	xsi:schemaLocation="http://www.springframework.org/schema/mvc%20http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/mvc%20https://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
 
 	<mvc:default-servlet-handler />
 	
diff --git a/samples/oauth/tonr/src/main/webapp/WEB-INF/web.xml b/samples/oauth/tonr/src/main/webapp/WEB-INF/web.xml
index 8492917b3..31390bf58 100644
--- a/samples/oauth/tonr/src/main/webapp/WEB-INF/web.xml
+++ b/samples/oauth/tonr/src/main/webapp/WEB-INF/web.xml
@@ -2,7 +2,7 @@
 
 <!DOCTYPE web-app PUBLIC
   "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
-  "http://java.sun.com/dtd/web-app_2_3.dtd">
+  "https://java.sun.com/dtd/web-app_2_3.dtd">
 
 <web-app>
 
diff --git a/samples/oauth/tonr/src/main/webapp/index.jsp b/samples/oauth/tonr/src/main/webapp/index.jsp
index 3bc86601d..498faaf09 100644
--- a/samples/oauth/tonr/src/main/webapp/index.jsp
+++ b/samples/oauth/tonr/src/main/webapp/index.jsp
@@ -1,6 +1,6 @@
 <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
   <link href="https://github.com/%3Cc:url%20value="/main.css"/>" rel="stylesheet" type="text/css"/>
@@ -11,7 +11,7 @@
 
     <ul id="mainlinks">
       <li><a href="https://github.com/%3Cc:url%20value="/index.jsp"/>" class="selected">home</a></li>
-      <authz:authorize ifNotGranted="ROLE_USER">
+      <authz:authorize access="!hasRole('ROLE_USER')">
         <li><a href="https://github.com/%3Cc:url%20value="/login.jsp"/>">login</a></li>
       </authz:authorize>
       <li><a href="https://github.com/%3Cc:url%20value="/sparklr/photos"/>">sparklr pics</a></li>
@@ -22,19 +22,19 @@
     <h1>Welcome to Tonr.com!</h1>
     
     <p>This is a website that will allow you to print your photos that you've uploaded to <a href="http://localhost:8080/sparklr/">sparklr.com</a>!
-      And since this site uses <a href="http://oauth.net/">OAuth</a> to access your photos, we will never ask you
+      And since this site uses <a href="https://oauth.net/">OAuth</a> to access your photos, we will never ask you
       for your Sparklr credentials.</p>
 
     <p>Tonr.com has only two users: "marissa" and "sam".  The password for "marissa" is password is "wombat" and for "sam" is password is "kangaroo".</p>
 
-    <authz:authorize ifNotGranted="ROLE_USER">
+    <authz:authorize access="!hasRole('ROLE_USER')">
       <p><a href="https://github.com/%3Cc:url%20value="login.jsp"/>">Login to Tonr</a></p>
     </authz:authorize>
-    <authz:authorize ifAllGranted="ROLE_USER">
+    <authz:authorize access="hasRole('ROLE_USER')">
       <p><a href="https://github.com/%3Cc:url%20value="/sparklr/photos"/>">View my Sparklr photos</a></p>
     </authz:authorize>
 
-    <p class="footer">Courtesy <a href="http://www.openwebdesign.org/">Open Web Design</a> Thanks to <a href="http://www.dubaiapartments.biz/">Dubai Hotels</a></p>
+    <p class="footer">Courtesy <a href="https://www.openwebdesign.org/">Open Web Design</a> Thanks to <a href="https://www.dubaiapartments.biz/">Dubai Hotels</a></p>
   </div>
 </div>
 </body>
diff --git a/samples/oauth/tonr/src/main/webapp/login.jsp b/samples/oauth/tonr/src/main/webapp/login.jsp
index e373a4f41..daa278fa9 100644
--- a/samples/oauth/tonr/src/main/webapp/login.jsp
+++ b/samples/oauth/tonr/src/main/webapp/login.jsp
@@ -1,11 +1,11 @@
-<%@ page import="org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter" %>
+<%@ page import="org.springframework.security.web.WebAttributes" %>
 <%@ page import="org.springframework.security.core.AuthenticationException" %>
 <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
-<authz:authorize ifAllGranted="ROLE_USER">
+<authz:authorize access="hasRole('ROLE_USER')">
   <c:redirect url="index.jsp"/>
 </authz:authorize>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
   <link href="https://github.com/%3Cc:url%20value="/main.css"/>" rel="stylesheet" type="text/css"/>
@@ -25,11 +25,11 @@
     <c:if test="${!empty sessionScope.SPRING_SECURITY_LAST_EXCEPTION}">
       <h1>Woops!</h1>
 
-      <p class="error">Your login attempt was not successful. (<%= ((AuthenticationException) session.getAttribute(AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY)).getMessage() %>)</p>
+      <p class="error">Your login attempt was not successful. (<%= ((AuthenticationException) session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION)).getMessage() %>)</p>
     </c:if>
     <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION"/>
 
-    <authz:authorize ifNotGranted="ROLE_USER">
+    <authz:authorize access="!hasRole('ROLE_USER')">
       <h1>Login</h1>
 
       <p>Tonr.com has only two users: "marissa" and "sam".  The password for "marissa" is password is "wombat" and for "sam" is password is "kangaroo".</p>
@@ -42,7 +42,7 @@
       </form>
     </authz:authorize>
 
-    <p class="footer">Courtesy <a href="http://www.openwebdesign.org/">Open Web Design</a> Thanks to <a href="http://www.dubaiapartments.biz/">Dubai Hotels</a></p>
+    <p class="footer">Courtesy <a href="https://www.openwebdesign.org/">Open Web Design</a> Thanks to <a href="https://www.dubaiapartments.biz/">Dubai Hotels</a></p>
   </div>
 </div>
 </body>
diff --git a/samples/oauth/tonr/src/main/webapp/oauth_error.jsp b/samples/oauth/tonr/src/main/webapp/oauth_error.jsp
index 70690a120..18d741d19 100644
--- a/samples/oauth/tonr/src/main/webapp/oauth_error.jsp
+++ b/samples/oauth/tonr/src/main/webapp/oauth_error.jsp
@@ -3,7 +3,7 @@
 <%@ page import="org.springframework.security.oauth.consumer.filter.OAuthConsumerContextFilter" %>
 <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
     <link href="https://github.com/%3Cc:url%20value="/main.css"/>" rel="stylesheet" type="text/css"/>
@@ -14,7 +14,7 @@
 
     <ul id="mainlinks">
         <li><a href="https://github.com/%3Cc:url%20value="/index.jsp"/>">home</a></li>
-        <authz:authorize ifNotGranted="ROLE_USER">
+        <authz:authorize access="!hasRole('ROLE_USER')">
             <li><a href="https://github.com/%3Cc:url%20value="/login.jsp"/>">login</a></li>
         </authz:authorize>
         <li><a href="https://github.com/%3Cc:url%20value="/sparklr/photos"/>">sparklr pics</a></li>
@@ -42,8 +42,8 @@
         </c:if>
         <c:remove scope="session" var="OAUTH_FAILURE_KEY"/>
 
-        <p class="footer">Courtesy <a href="http://www.openwebdesign.org/">Open Web Design</a> Thanks to <a
-                href="http://www.dubaiapartments.biz/">Dubai Hotels</a></p>
+        <p class="footer">Courtesy <a href="https://www.openwebdesign.org/">Open Web Design</a> Thanks to <a
+                href="https://www.dubaiapartments.biz/">Dubai Hotels</a></p>
     </div>
 </div>
 </body>
diff --git a/samples/oauth/tonr/src/main/webapp/template.html b/samples/oauth/tonr/src/main/webapp/template.html
index 895b8efaf..e4d433732 100644
--- a/samples/oauth/tonr/src/main/webapp/template.html
+++ b/samples/oauth/tonr/src/main/webapp/template.html
@@ -1,4 +1,4 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
   <link href="https://github.com/main.css" rel="stylesheet" type="text/css"/>
@@ -11,8 +11,8 @@
       <li><a href="#">home</a></li>
       <li><a href="#">about</a></li>
       <li><a href="#" class="selected">gallery pics</a></li>
-      <li><a href="http://www.naturaldesigngroup.co.uk/">ndg</a></li>
-      <li><a href="http://www.planetphotoshop.com/">planetphotoshop</a></li>
+      <li><a href="https://www.naturaldesigngroup.co.uk/">ndg</a></li>
+      <li><a href="https://www.planetphotoshop.com/">planetphotoshop</a></li>
     </ul>
 
   <div id="content">
@@ -25,9 +25,9 @@
       <li>a garden/jungle thing<a href="#"><img src="https://github.com/images/jungle.jpg" alt="a garden/jungle thing"/></a></li>
       <li>an oryx antelope in the desert<a href="#"><img src="https://github.com/images/antelope.jpg" alt="an oryx antelope in the desert"/></a></li>
       <li>mesas in the desert<a href="#"><img src="https://github.com/images/desert.jpg" alt="mesas in the desert"/><span class="main"><!--This theme is free for distriubtion,  so long as  link to openwebdesing.org and dubaiapartments.biz  stay on the theme--> Courtesy <a
-        href="http://www.openwebdesign.org/" target="_blank">Open
-        Web Design</a><a href="http://www.dubaiapartments.biz/" target="_blank"><img src="https://github.com/spacer.gif" width="5" height="5" border="0"/></a>Thanks
-to <a href="http://www.dubaiapartments.biz/" target="_blank">Dubai Hotels</a></span></a></li>
+        href="https://www.openwebdesign.org/" target="_blank">Open
+        Web Design</a><a href="https://www.dubaiapartments.biz/" target="_blank"><img src="https://github.com/spacer.gif" width="5" height="5" border="0"/></a>Thanks
+to <a href="https://www.dubaiapartments.biz/" target="_blank">Dubai Hotels</a></span></a></li>
     </ul>
   </div>
 </div>
diff --git a/samples/oauth2/sparklr/pom.xml b/samples/oauth2/sparklr/pom.xml
index 70a1d868b..66dc607e4 100644
--- a/samples/oauth2/sparklr/pom.xml
+++ b/samples/oauth2/sparklr/pom.xml
@@ -1,11 +1,11 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/maven-v4_0_0.xsd">
 
 	<modelVersion>4.0.0</modelVersion>
 
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 		<relativePath>../../..</relativePath>
 	</parent>
 
@@ -15,18 +15,16 @@
 
 	<properties>
 		<m2eclipse.wtp.contextRoot>/sparklr2</m2eclipse.wtp.contextRoot>
-		<jackson2.version>2.3.1</jackson2.version>
+		<jackson2.version>2.10.5.1</jackson2.version>
 		<servlet-api.version>3.0.1</servlet-api.version>
-		<junit.version>4.11</junit.version>
 	</properties>
 
 	<profiles>
 		<profile>
 			<id>spring5</id>
 			<properties>
-				<jackson2.version>2.9.0.pr3</jackson2.version>
+				<jackson2.version>2.10.5.1</jackson2.version>
 				<servlet-api.version>3.1.0</servlet-api.version>
-				<junit.version>4.12</junit.version>
 			</properties>
 		</profile>
 		<profile>
@@ -110,7 +108,7 @@
 		<repository>
 			<id>spring</id>
 			<name>Spring Framework Repository</name>
-			<url>http://repo.spring.io/libs-snapshot</url>
+			<url>https://repo.spring.io/libs-snapshot</url>
 		</repository>
 	</repositories>
 
@@ -188,7 +186,7 @@
 		<dependency>
 			<groupId>org.apache.httpcomponents</groupId>
 			<artifactId>httpclient</artifactId>
-			<version>4.3.3</version>
+			<version>4.5.13</version>
 			<scope>test</scope>
 		</dependency>
 
diff --git a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/MethodSecurityConfig.java b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/MethodSecurityConfig.java
index bb396e9cc..fe085e267 100644
--- a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/MethodSecurityConfig.java
+++ b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/MethodSecurityConfig.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/OAuth2ServerConfig.java b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/OAuth2ServerConfig.java
index 15744c4ef..a054cf85c 100644
--- a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/OAuth2ServerConfig.java
+++ b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/OAuth2ServerConfig.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -131,7 +131,7 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 	 			        .authorizedGrantTypes("authorization_code", "client_credentials")
 	 			        .authorities("ROLE_CLIENT")
 	 			        .scopes("read", "trust")
-	 			        .redirectUris("http://anywhere/?key=value")
+	 			        .redirectUris("http://localhost:8080/tonr2/sparklr/photos")
 		 		    .and()
 	 		        .withClient("my-trusted-client")
  			            .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
diff --git a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/ServletInitializer.java b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/ServletInitializer.java
index ca0a61a91..1712f799c 100644
--- a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/ServletInitializer.java
+++ b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/ServletInitializer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/mvc/AdminController.java b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/mvc/AdminController.java
index 215b29653..20a37ac4c 100644
--- a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/mvc/AdminController.java
+++ b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/mvc/AdminController.java
@@ -97,8 +97,7 @@ private void checkResourceOwner(String user, Principal principal) {
 		if (principal instanceof OAuth2Authentication) {
 			OAuth2Authentication authentication = (OAuth2Authentication) principal;
 			if (!authentication.isClientOnly() && !user.equals(principal.getName())) {
-				throw new AccessDeniedException(String.format("User '%s' cannot obtain tokens for user '%s'",
-						principal.getName(), user));
+				throw new AccessDeniedException("User cannot obtain tokens for user");
 			}
 		}
 	}
diff --git a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/oauth/SparklrUserApprovalHandler.java b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/oauth/SparklrUserApprovalHandler.java
index 6ce4802b6..f9a79e655 100644
--- a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/oauth/SparklrUserApprovalHandler.java
+++ b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/oauth/SparklrUserApprovalHandler.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/samples/oauth2/sparklr/src/main/webapp/WEB-INF/jsp/access_confirmation.jsp b/samples/oauth2/sparklr/src/main/webapp/WEB-INF/jsp/access_confirmation.jsp
index dc68b3123..c8edf17a1 100644
--- a/samples/oauth2/sparklr/src/main/webapp/WEB-INF/jsp/access_confirmation.jsp
+++ b/samples/oauth2/sparklr/src/main/webapp/WEB-INF/jsp/access_confirmation.jsp
@@ -1,7 +1,7 @@
 <%@ page
 	import="org.springframework.security.core.AuthenticationException"%>
 <%@ page
-	import="org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter"%>
+    import="org.springframework.security.web.WebAttributes" %>
 <%@ page
 	import="org.springframework.security.oauth2.common.exceptions.UnapprovedClientAuthenticationException"%>
 <%@ taglib prefix="authz"
@@ -27,16 +27,16 @@
 		<h1>Sparklr</h1>
 
 		<%
-			if (session.getAttribute(AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY) != null
+			if (session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) != null
 					&& !(session
-							.getAttribute(AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY) instanceof UnapprovedClientAuthenticationException)) {
+							.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) instanceof UnapprovedClientAuthenticationException)) {
 		%>
 		<div class="error">
 			<h2>Woops!</h2>
 
 			<p>
 				Access could not be granted. (<%=((AuthenticationException) session
-						.getAttribute(AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY))
+						.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION))
 						.getMessage()%>)
 			</p>
 		</div>
@@ -45,7 +45,7 @@
 		%>
 		<c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" />
 
-		<authz:authorize ifAllGranted="ROLE_USER">
+		<authz:authorize access="hasRole('ROLE_USER')">
 			<h2>Please Confirm</h2>
 
 			<p>
@@ -83,7 +83,7 @@
 
 		<div class="footer">
 			Sample application for <a
-				href="http://github.com/spring-projects/spring-security-oauth"
+				href="https://github.com/spring-projects/spring-security-oauth"
 				target="_blank">Spring Security OAuth</a>
 		</div>
 
diff --git a/samples/oauth2/sparklr/src/main/webapp/WEB-INF/jsp/oauth_error.jsp b/samples/oauth2/sparklr/src/main/webapp/WEB-INF/jsp/oauth_error.jsp
index e5f23f0f1..2f246a3dc 100644
--- a/samples/oauth2/sparklr/src/main/webapp/WEB-INF/jsp/oauth_error.jsp
+++ b/samples/oauth2/sparklr/src/main/webapp/WEB-INF/jsp/oauth_error.jsp
@@ -29,7 +29,7 @@
 
 		<div class="footer">
 			Sample application for <a
-				href="http://github.com/spring-projects/spring-security-oauth"
+				href="https://github.com/spring-projects/spring-security-oauth"
 				target="_blank">Spring Security OAuth</a>
 		</div>
 
diff --git a/samples/oauth2/sparklr/src/main/webapp/index.jsp b/samples/oauth2/sparklr/src/main/webapp/index.jsp
index 3ba0caa50..877f98870 100644
--- a/samples/oauth2/sparklr/src/main/webapp/index.jsp
+++ b/samples/oauth2/sparklr/src/main/webapp/index.jsp
@@ -26,7 +26,7 @@
 			Unfortunately, we don't have any services for printing your photos.
 			For that, you'll have to go to Tonr.</p>
 
-		<authz:authorize ifAllGranted="ROLE_USER">
+		<authz:authorize access="hasRole('ROLE_USER')">
 			<div class="form-horizontal">
 				<form action="https://github.com/%3Cc:url%20value="/logout"/>" role="form" method="post">
 					<input type="hidden" name="${_csrf.parameterName}"
@@ -58,7 +58,7 @@
 
 		<div class="footer">
 			Sample application for <a
-				href="http://github.com/spring-projects/spring-security-oauth"
+				href="https://github.com/spring-projects/spring-security-oauth"
 				target="_blank">Spring Security OAuth</a>
 		</div>
 
diff --git a/samples/oauth2/sparklr/src/main/webapp/login.jsp b/samples/oauth2/sparklr/src/main/webapp/login.jsp
index e1bc1091e..5e9ceffce 100644
--- a/samples/oauth2/sparklr/src/main/webapp/login.jsp
+++ b/samples/oauth2/sparklr/src/main/webapp/login.jsp
@@ -57,7 +57,7 @@
 
 		<div class="footer">
 			Sample application for <a
-				href="http://github.com/spring-projects/spring-security-oauth"
+				href="https://github.com/spring-projects/spring-security-oauth"
 				target="_blank">Spring Security OAuth</a>
 		</div>
 
diff --git a/samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/AuthorizationCodeProviderTests.java b/samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/AuthorizationCodeProviderTests.java
index 12c54f673..21bed14de 100755
--- a/samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/AuthorizationCodeProviderTests.java
+++ b/samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -129,7 +129,7 @@ public void testResourceIsProtected() throws Exception {
 	public void testUnauthenticatedAuthorizationRequestRedirectsToLogin() throws Exception {
 
 		AccessTokenRequest request = context.getAccessTokenRequest();
-		request.setCurrentUri("http://anywhere/");
+		request.setCurrentUri("https://anywhere/");
 		request.add(OAuth2Utils.USER_OAUTH_APPROVAL, "true");
 
 		String location = null;
@@ -153,7 +153,7 @@ public void testUnauthenticatedAuthorizationRequestRedirectsToLogin() throws Exc
 	public void testSuccessfulAuthorizationCodeFlow() throws Exception {
 
 		// Once the request is ready and approved, we can continue with the access token
-		approveAccessTokenGrant("http://anywhere/", true);
+		approveAccessTokenGrant("https://anywhere/", true);
 
 		// Finally everything is in place for the grant to happen...
 		assertNotNull(context.getAccessToken());
@@ -167,10 +167,10 @@ public void testSuccessfulAuthorizationCodeFlow() throws Exception {
 	@Test
 	@OAuth2ContextConfiguration(resource = MyLessTrustedClient.class, initialize = false)
 	public void testWrongRedirectUri() throws Exception {
-		approveAccessTokenGrant("http://anywhere/", true);
+		approveAccessTokenGrant("https://anywhere/", true);
 		AccessTokenRequest request = context.getAccessTokenRequest();
 		// The redirect is stored in the preserved state...
-		context.getOAuth2ClientContext().setPreservedState(request.getStateKey(), "http://nowhere/");
+		context.getOAuth2ClientContext().setPreservedState(request.getStateKey(), "https://nowhere/");
 		// Finally everything is in place for the grant to happen...
 		try {
 			assertNotNull(context.getAccessToken());
@@ -185,7 +185,7 @@ public void testWrongRedirectUri() throws Exception {
 	@Test
 	@OAuth2ContextConfiguration(resource = MyLessTrustedClient.class, initialize = false)
 	public void testUserDeniesConfirmation() throws Exception {
-		approveAccessTokenGrant("http://anywhere/", false);
+		approveAccessTokenGrant("https://anywhere/", false);
 		String location = null;
 		try {
 			assertNotNull(context.getAccessToken());
@@ -195,7 +195,7 @@ public void testUserDeniesConfirmation() throws Exception {
 			location = e.getRedirectUri();
 		}
 		assertTrue("Wrong location: " + location, location.contains("state="));
-		assertTrue(location.startsWith("http://anywhere/"));
+		assertTrue(location.startsWith("https://anywhere/"));
 		assertTrue(location.substring(location.indexOf('?')).contains("error=access_denied"));
 		// It was a redirect that triggered our client redirect exception:
 		assertEquals(HttpStatus.FOUND, tokenEndpointResponse.getStatusCode());
@@ -203,7 +203,7 @@ public void testUserDeniesConfirmation() throws Exception {
 
 	@Test
 	public void testNoClientIdProvided() throws Exception {
-		ResponseEntity<String> response = attemptToGetConfirmationPage(null, "http://anywhere/");
+		ResponseEntity<String> response = attemptToGetConfirmationPage(null, "https://anywhere/");
 		// With no client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 		assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 		String body = response.getBody();
@@ -229,7 +229,7 @@ public void testIllegalAttemptToApproveWithoutUsingAuthorizationRequest() throws
 		headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));
 		headers.set("Cookie", cookie);
 
-		String authorizeUrl = getAuthorizeUrl("my-less-trusted-client", "http://anywhere.com/", "read");
+		String authorizeUrl = getAuthorizeUrl("my-less-trusted-client", "https://anywhere.com/", "read");
 		authorizeUrl = authorizeUrl + "&user_oauth_approval=true";
 		ResponseEntity<Void> response = serverRunning.postForStatus(authorizeUrl, headers,
 				new LinkedMultiValueMap<String, String>());
@@ -262,7 +262,7 @@ public void testInvalidScopeInAuthorizationRequest() throws Exception {
 		headers.set("Cookie", cookie);
 
 		String scope = "bogus";
-		String redirectUri = "http://anywhere/?key=value";
+		String redirectUri = "https://anywhere/?key=value";
 		String clientId = "my-client-with-registered-redirect";
 
 		UriBuilder uri = serverRunning.buildUri("/sparklr2/oauth/authorize").queryParam("response_type", "code")
@@ -276,7 +276,7 @@ public void testInvalidScopeInAuthorizationRequest() throws Exception {
 		ResponseEntity<String> response = serverRunning.getForString(uri.pattern(), headers, uri.params());
 		assertEquals(HttpStatus.FOUND, response.getStatusCode());
 		String location = response.getHeaders().getLocation().toString();
-		assertTrue(location.startsWith("http://anywhere/"));
+		assertTrue(location.startsWith("https://anywhere/"));
 		assertTrue(location.contains("error=invalid_scope"));
 		assertFalse(location.contains("redirect_uri="));
 	}
@@ -286,7 +286,7 @@ public void testInvalidScopeInAuthorizationRequest() throws Exception {
 	public void testInsufficientScopeInResourceRequest() throws Exception {
 		AuthorizationCodeResourceDetails resource = (AuthorizationCodeResourceDetails) context.getResource();
 		resource.setScope(Arrays.asList("trust"));
-		approveAccessTokenGrant("http://anywhere/?key=value", true);
+		approveAccessTokenGrant("https://anywhere/?key=value", true);
 		assertNotNull(context.getAccessToken());
 		try {
 			serverRunning.getForString("/sparklr2/photos?format=json");
@@ -318,7 +318,7 @@ public void testInvalidAccessToken() throws Exception {
 	@OAuth2ContextConfiguration(resource = MyClientWithRegisteredRedirect.class, initialize = false)
 	public void testRegisteredRedirectWithWrongRequestedRedirect() throws Exception {
 		try {
-			approveAccessTokenGrant("http://nowhere/", true);
+			approveAccessTokenGrant("https://nowhere/", true);
 			fail("Expected RedirectMismatchException");
 		}
 		catch (RedirectMismatchException e) {
@@ -329,9 +329,9 @@ public void testRegisteredRedirectWithWrongRequestedRedirect() throws Exception
 	@Test
 	@OAuth2ContextConfiguration(resource = MyClientWithRegisteredRedirect.class, initialize = false)
 	public void testRegisteredRedirectWithWrongOneInTokenEndpoint() throws Exception {
-		approveAccessTokenGrant("http://anywhere/?key=value", true);
+		approveAccessTokenGrant("https://anywhere/?key=value", true);
 		// Setting the redirect uri directly in the request shoiuld override the saved value
-		context.getAccessTokenRequest().set("redirect_uri", "http://nowhere.com/");
+		context.getAccessTokenRequest().set("redirect_uri", "https://nowhere.com/");
 		try {
 			assertNotNull(context.getAccessToken());
 			fail("Expected RedirectMismatchException");
@@ -452,7 +452,7 @@ static class MyClientWithRegisteredRedirect extends MyLessTrustedClient {
 		public MyClientWithRegisteredRedirect(Object target) {
 			super(target);
 			setClientId("my-client-with-registered-redirect");
-			setPreEstablishedRedirectUri("http://anywhere/?key=value");
+			setPreEstablishedRedirectUri("https://anywhere/?key=value");
 		}
 	}
 }
diff --git a/samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/ImplicitProviderTests.java b/samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/ImplicitProviderTests.java
index 8eb037af1..37478f706 100644
--- a/samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/ImplicitProviderTests.java
+++ b/samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/ImplicitProviderTests.java
@@ -113,7 +113,7 @@ public AutoApproveImplicit(Object target) {
 			super();
 			setClientId("my-less-trusted-autoapprove-client");
 			setId(getClientId());
-			setPreEstablishedRedirectUri("http://anywhere/");
+			setPreEstablishedRedirectUri("https://anywhere/");
 			ImplicitProviderTests test = (ImplicitProviderTests) target;
 			setAccessTokenUri(test.serverRunning.getUrl("/sparklr2/oauth/authorize"));
 			setUserAuthorizationUri(test.serverRunning.getUrl("/sparklr2/oauth/authorize"));
diff --git a/samples/oauth2/sparklr/src/test/java/org/springframework/security/samples/config/ApplicationConfigurationTests.java b/samples/oauth2/sparklr/src/test/java/org/springframework/security/samples/config/ApplicationConfigurationTests.java
index c0ebc612e..fe6d2ee91 100644
--- a/samples/oauth2/sparklr/src/test/java/org/springframework/security/samples/config/ApplicationConfigurationTests.java
+++ b/samples/oauth2/sparklr/src/test/java/org/springframework/security/samples/config/ApplicationConfigurationTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/samples/oauth2/tonr/pom.xml b/samples/oauth2/tonr/pom.xml
index af8c148b2..43bdf16e4 100644
--- a/samples/oauth2/tonr/pom.xml
+++ b/samples/oauth2/tonr/pom.xml
@@ -1,12 +1,12 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/maven-v4_0_0.xsd">
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/maven-v4_0_0.xsd">
 
 	<modelVersion>4.0.0</modelVersion>
 
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 		<relativePath>../../..</relativePath>
 	</parent>
 
@@ -16,18 +16,16 @@
 
 	<properties>
 		<m2eclipse.wtp.contextRoot>/tonr2</m2eclipse.wtp.contextRoot>
-		<jackson2.version>2.3.2</jackson2.version>
+		<jackson2.version>2.10.5.1</jackson2.version>
 		<servlet-api.version>3.0.1</servlet-api.version>
-		<junit.version>4.11</junit.version>
 	</properties>
 
 	<profiles>
 		<profile>
 			<id>spring5</id>
 			<properties>
-				<jackson2.version>2.9.0.pr3</jackson2.version>
+				<jackson2.version>2.10.5.1</jackson2.version>
 				<servlet-api.version>3.1.0</servlet-api.version>
-				<junit.version>4.12</junit.version>
 			</properties>
 		</profile>
 		<profile>
@@ -121,7 +119,7 @@
 		<repository>
 			<id>spring</id>
 			<name>Spring Framework Repository</name>
-			<url>http://repo.spring.io/libs-snapshot</url>
+			<url>https://repo.spring.io/libs-snapshot</url>
 		</repository>
 	</repositories>
 
@@ -131,12 +129,6 @@
 			<groupId>${project.groupId}</groupId>
 			<artifactId>spring-security-oauth2</artifactId>
 			<version>${project.version}</version>
-			<exclusions>
-				<exclusion>
-					<groupId>org.codehaus.jackson</groupId>
-					<artifactId>jackson-mapper-asl</artifactId>
-				</exclusion>
-			</exclusions>
 		</dependency>
 
 		<dependency>
diff --git a/samples/oauth2/tonr/src/main/java/org/springframework/security/oauth/examples/config/ServletInitializer.java b/samples/oauth2/tonr/src/main/java/org/springframework/security/oauth/examples/config/ServletInitializer.java
index 9dfd544eb..73b2be0ba 100644
--- a/samples/oauth2/tonr/src/main/java/org/springframework/security/oauth/examples/config/ServletInitializer.java
+++ b/samples/oauth2/tonr/src/main/java/org/springframework/security/oauth/examples/config/ServletInitializer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/samples/oauth2/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/converter/AccessTokenRequestConverter.java b/samples/oauth2/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/converter/AccessTokenRequestConverter.java
index 4dd475bde..56056fbb9 100644
--- a/samples/oauth2/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/converter/AccessTokenRequestConverter.java
+++ b/samples/oauth2/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/converter/AccessTokenRequestConverter.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/samples/oauth2/tonr/src/main/webapp/WEB-INF/jsp/facebook.jsp b/samples/oauth2/tonr/src/main/webapp/WEB-INF/jsp/facebook.jsp
index 3bd3c9c5e..a520e4677 100644
--- a/samples/oauth2/tonr/src/main/webapp/WEB-INF/jsp/facebook.jsp
+++ b/samples/oauth2/tonr/src/main/webapp/WEB-INF/jsp/facebook.jsp
@@ -1,7 +1,7 @@
 <%@ taglib prefix="authz"
 	uri="http://www.springframework.org/security/tags"%>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta name="viewport" content="width=device-width, initial-scale=1.0" />
@@ -30,7 +30,7 @@
 		<div class="navbar-collapse collapse">
 			<ul class="nav navbar-nav">
 				<li><a href="https://github.com/$%7Bbase%7Dindex.jsp">home</a></li>
-				<authz:authorize ifNotGranted="ROLE_USER">
+				<authz:authorize access="!hasRole('ROLE_USER')">
 					<li><a href="https://github.com/$%7Bbase%7Dlogin.jsp">login</a></li>
 				</authz:authorize>
 				<li><a href="https://github.com/$%7Bbase%7Dsparklr/photos">sparklr pics</a></li>
diff --git a/samples/oauth2/tonr/src/main/webapp/WEB-INF/jsp/sparklr.jsp b/samples/oauth2/tonr/src/main/webapp/WEB-INF/jsp/sparklr.jsp
index 884c02dfc..4d26a524f 100644
--- a/samples/oauth2/tonr/src/main/webapp/WEB-INF/jsp/sparklr.jsp
+++ b/samples/oauth2/tonr/src/main/webapp/WEB-INF/jsp/sparklr.jsp
@@ -1,7 +1,7 @@
 <%@ taglib prefix="authz"
 	uri="http://www.springframework.org/security/tags"%>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta name="viewport" content="width=device-width, initial-scale=1.0" />
@@ -30,7 +30,7 @@
 		<div class="navbar-collapse collapse">
 			<ul class="nav navbar-nav">
 				<li><a href="https://github.com/$%7Bbase%7Dindex.jsp">home</a></li>
-				<authz:authorize ifNotGranted="ROLE_USER">
+				<authz:authorize access="!hasRole('ROLE_USER')">
 					<li><a href="https://github.com/$%7Bbase%7Dlogin.jsp">login</a></li>
 				</authz:authorize>
 				<li><a href="https://github.com/$%7Bbase%7Dsparklr/photos" class="selected">sparklr
diff --git a/samples/oauth2/tonr/src/main/webapp/demo.html b/samples/oauth2/tonr/src/main/webapp/demo.html
index d3d99bbb1..9ede9ed42 100644
--- a/samples/oauth2/tonr/src/main/webapp/demo.html
+++ b/samples/oauth2/tonr/src/main/webapp/demo.html
@@ -1,4 +1,4 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <title>Tonr JS Client Demo</title>
diff --git a/samples/oauth2/tonr/src/main/webapp/index.jsp b/samples/oauth2/tonr/src/main/webapp/index.jsp
index c683d8a29..0c8b14831 100644
--- a/samples/oauth2/tonr/src/main/webapp/index.jsp
+++ b/samples/oauth2/tonr/src/main/webapp/index.jsp
@@ -30,7 +30,7 @@
 		<div class="navbar-collapse collapse">
 			<ul class="nav navbar-nav">
 				<li><a href="https://github.com/$%7Bbase%7Dindex.jsp" class="selected">home</a></li>
-				<authz:authorize ifNotGranted="ROLE_USER">
+				<authz:authorize access="!hasRole('ROLE_USER')">
 					<li><a href="https://github.com/$%7Bbase%7Dlogin.jsp">login</a></li>
 				</authz:authorize>
 				<li><a href="https://github.com/$%7Bbase%7Dsparklr/photos">sparklr pics</a></li>
@@ -46,7 +46,7 @@
 		<p>
 			This is a website that will allow you to print your photos that
 			you've uploaded to <a href="http://localhost:8080/sparklr2/">Sparklr</a>!
-			And since this site uses <a href="http://oauth.net/">OAuth</a> to
+			And since this site uses <a href="https://oauth.net/">OAuth</a> to
 			access your photos, we will never ask you for your Sparklr
 			credentials.
 		</p>
@@ -55,12 +55,12 @@
 			for "marissa" is password is "wombat" and for "sam" is password is
 			"kangaroo".</p>
 
-		<authz:authorize ifNotGranted="ROLE_USER">
+		<authz:authorize access="!hasRole('ROLE_USER')">
 			<p>
 				<a href="https://github.com/%3Cc:url%20value="login.jsp"/>">Login to Tonr</a>
 			</p>
 		</authz:authorize>
-		<authz:authorize ifAllGranted="ROLE_USER">
+		<authz:authorize access="hasRole('ROLE_USER')">
 			<p>
 				<a href="https://github.com/%3Cc:url%20value="/sparklr/photos"/>">View my Sparklr
 					photos</a>
diff --git a/samples/oauth2/tonr/src/test/java/org/springframework/security/oauth/examples/tonr/AuthorizationCodeGrantTests.java b/samples/oauth2/tonr/src/test/java/org/springframework/security/oauth/examples/tonr/AuthorizationCodeGrantTests.java
index b8b5fbb18..4d8c9c5cc 100755
--- a/samples/oauth2/tonr/src/test/java/org/springframework/security/oauth/examples/tonr/AuthorizationCodeGrantTests.java
+++ b/samples/oauth2/tonr/src/test/java/org/springframework/security/oauth/examples/tonr/AuthorizationCodeGrantTests.java
@@ -50,7 +50,7 @@ public class AuthorizationCodeGrantTests {
 	public void testCannotConnectWithoutToken() throws Exception {
 
 		OAuth2RestTemplate template = new OAuth2RestTemplate(resource);
-		resource.setPreEstablishedRedirectUri("http://anywhere.com/");
+		resource.setPreEstablishedRedirectUri("https://anywhere.com/");
 		try {
 			template.getForObject(serverRunning.getUrl("/tonr2/photos"),
 					String.class);
diff --git a/samples/oauth2/tonr/src/test/java/org/springframework/security/samples/config/AdHocTests.java b/samples/oauth2/tonr/src/test/java/org/springframework/security/samples/config/AdHocTests.java
index f9fd93b8b..8133a76db 100644
--- a/samples/oauth2/tonr/src/test/java/org/springframework/security/samples/config/AdHocTests.java
+++ b/samples/oauth2/tonr/src/test/java/org/springframework/security/samples/config/AdHocTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/samples/oauth2/tonr/src/test/java/org/springframework/security/samples/config/SecurityConfigTests.java b/samples/oauth2/tonr/src/test/java/org/springframework/security/samples/config/SecurityConfigTests.java
index 3b68447f1..b08ee85a3 100644
--- a/samples/oauth2/tonr/src/test/java/org/springframework/security/samples/config/SecurityConfigTests.java
+++ b/samples/oauth2/tonr/src/test/java/org/springframework/security/samples/config/SecurityConfigTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/samples/pom.xml b/samples/pom.xml
index 6be997346..4f4e8cf28 100755
--- a/samples/pom.xml
+++ b/samples/pom.xml
@@ -1,10 +1,10 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <parent>
     <groupId>org.springframework.security.oauth</groupId>
     <artifactId>spring-security-oauth-parent</artifactId>
-    <version>2.3.6.BUILD-SNAPSHOT</version>
+    <version>2.5.3.BUILD-SNAPSHOT</version>
   </parent>
 
   <artifactId>spring-security-oauth-samples</artifactId>
@@ -19,7 +19,7 @@
     <module>oauth2/tonr</module>
   </modules>
 
-  <url>http://static.springframework.org/spring-security/oauth/samples</url>
+  <url>https://docs.spring.io/spring-security/oauth/samples</url>
 
   <build>
 	<plugins>
@@ -37,8 +37,8 @@
   <distributionManagement>
 
     <site>
-      <id>static.springframework.org</id>
-      <url>scp://static.springframework.org/var/www/domains/springframework.org/static/htdocs/spring-security/oauth/samples</url>
+        <id>static.spring.io</id>
+        <url>scp://docs-ip.spring.io/var/www/domains/spring.io/docs/htdocs/spring-security/oauth/site/docs/${project.version}</url>
     </site>
 
   </distributionManagement>
diff --git a/spring-security-jwt/mvnw b/spring-security-jwt/mvnw
index 53c0d7219..02f96acef 100755
--- a/spring-security-jwt/mvnw
+++ b/spring-security-jwt/mvnw
@@ -8,7 +8,7 @@
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
-#    http://www.apache.org/licenses/LICENSE-2.0
+#    https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
diff --git a/spring-security-jwt/mvnw.cmd b/spring-security-jwt/mvnw.cmd
index fc8302432..eb9a292a7 100644
--- a/spring-security-jwt/mvnw.cmd
+++ b/spring-security-jwt/mvnw.cmd
@@ -7,7 +7,7 @@
 @REM "License"); you may not use this file except in compliance
 @REM with the License.  You may obtain a copy of the License at
 @REM
-@REM    http://www.apache.org/licenses/LICENSE-2.0
+@REM    https://www.apache.org/licenses/LICENSE-2.0
 @REM
 @REM Unless required by applicable law or agreed to in writing,
 @REM software distributed under the License is distributed on an
diff --git a/spring-security-jwt/pom.xml b/spring-security-jwt/pom.xml
index c005d8de7..87b274878 100755
--- a/spring-security-jwt/pom.xml
+++ b/spring-security-jwt/pom.xml
@@ -1,11 +1,11 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/maven-v4_0_0.xsd">
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/maven-v4_0_0.xsd">
 
 	<modelVersion>4.0.0</modelVersion>
 
 	<groupId>org.springframework.security</groupId>
 	<artifactId>spring-security-jwt</artifactId>
-	<version>1.0.11.BUILD-SNAPSHOT</version>
+	<version>1.1.2.BUILD-SNAPSHOT</version>
 	<packaging>jar</packaging>
 	<name>Spring Security JWT Library</name>
 
@@ -13,15 +13,15 @@
 	It belongs to the family of Spring Security crypto libraries that handle encoding and decoding text as
 	a general, useful thing to be able to do.</description>
 
-	<url>http://github.com/spring-projects/spring-security-oauth</url>
+	<url>https://github.com/spring-projects/spring-security-oauth</url>
 	<organization>
 		<name>SpringSource</name>
-		<url>http://www.springsource.com</url>
+		<url>https://www.springsource.com</url>
 	</organization>
 	<licenses>
 		<license>
 			<name>Apache 2.0</name>
-			<url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+			<url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
 		</license>
 	</licenses>
 
@@ -29,7 +29,7 @@
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
 			<artifactId>bcpkix-jdk15on</artifactId>
-			<version>1.60</version>
+			<version>1.69</version>
 		</dependency>
 
 		<dependency>
@@ -124,8 +124,8 @@
 	<distributionManagement>
 
 		<site>
-			<id>static.springframework.org</id>
-			<url>scp://static.springframework.org/var/www/domains/springframework.org/static/htdocs/spring-security/oauth</url>
+			<id>static.spring.io</id>
+			<url>scp://docs-ip.spring.io/var/www/domains/spring.io/docs/htdocs/spring-security/oauth/site/docs/${project.version}</url>
 		</site>
 
 		<repository>
@@ -178,7 +178,7 @@
 	</profiles>
 
 	<scm>
-		<url>http://github.com/spring-projects/spring-security-oauth</url>
+		<url>https://github.com/spring-projects/spring-security-oauth</url>
 		<connection>scm:git:git://github.com/spring-projects/spring-security-oauth.git</connection>
 		<developerConnection>scm:git:ssh://git@github.com/spring-projects/spring-security-oauth.git</developerConnection>
 	</scm>
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/AlgorithmMetadata.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/AlgorithmMetadata.java
index d4d72867d..da7775c2c 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/AlgorithmMetadata.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/AlgorithmMetadata.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -13,8 +13,12 @@
 package org.springframework.security.jwt;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  */
+@Deprecated
 public interface AlgorithmMetadata {
 	/**
 	 * @return the JCA/JCE algorithm name.
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/BinaryFormat.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/BinaryFormat.java
index aaded18a0..c570c6599 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/BinaryFormat.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/BinaryFormat.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -13,8 +13,12 @@
 package org.springframework.security.jwt;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  */
+@Deprecated
 public interface BinaryFormat {
 	byte[] bytes();
 }
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/Jwt.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/Jwt.java
index be3b253ef..1e1542a03 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/Jwt.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/Jwt.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -15,8 +15,12 @@
 import org.springframework.security.jwt.crypto.sign.SignatureVerifier;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  */
+@Deprecated
 public interface Jwt extends BinaryFormat {
 	String getClaims();
 
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtAlgorithms.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtAlgorithms.java
index 6d837c6e7..4ea77b416 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtAlgorithms.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtAlgorithms.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -18,8 +18,12 @@
 import org.springframework.security.jwt.crypto.cipher.CipherMetadata;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  */
+@Deprecated
 public class JwtAlgorithms {
 	private static final Map<String,String> sigAlgs = new HashMap<String,String>();
 	private static final Map<String,String> javaToSigAlgs = new HashMap<String,String>();
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtHelper.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtHelper.java
index b239a68e8..04e743efb 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtHelper.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtHelper.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -29,9 +29,13 @@
 import org.springframework.security.jwt.crypto.sign.Signer;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  * @author Dave Syer
  */
+@Deprecated
 public class JwtHelper {
 	static byte[] PERIOD = utf8Encode(".");
 
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/codec/Base64Codec.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/codec/Base64Codec.java
index cc49155d3..9083bbcbb 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/codec/Base64Codec.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/codec/Base64Codec.java
@@ -2,7 +2,7 @@
 
 /**
  * Base64 encoder which is a reduced version of Robert Harder's public domain implementation (version 2.3.7).
- * See <a href="http://iharder.net/base64">http://iharder.net/base64</a> for more information.
+ * See <a href="https://iharder.sourceforge.net/current/java/base64/">https://iharder.sourceforge.net/current/java/base64/</a> for more information.
  *
  * @author Luke Taylor
  */
@@ -24,7 +24,7 @@ final class Base64Codec {
     /**
      * Encode using Base64-like encoding that is URL- and Filename-safe as described
      * in Section 4 of RFC3548:
-     * <a href="http://www.faqs.org/rfcs/rfc3548.html">http://www.faqs.org/rfcs/rfc3548.html</a>.
+     * <a href="https://www.faqs.org/rfcs/rfc3548.html">https://www.faqs.org/rfcs/rfc3548.html</a>.
      * It is important to note that data encoded this way is <em>not</em> officially valid Base64,
      * or at the very least should not be called Base64 without also specifying that is
      * was encoded using the URL- and Filename-safe dialect.
@@ -34,7 +34,7 @@ final class Base64Codec {
 
     /**
      * Encode using the special "ordered" dialect of Base64 described here:
-     * <a href="http://www.faqs.org/qa/rfcc-1940.html">http://www.faqs.org/qa/rfcc-1940.html</a>.
+     * <a href="https://www.faqs.org/qa/rfcc-1940.html">https://www.faqs.org/qa/rfcc-1940.html</a>.
      */
     public final static int ORDERED = 32;
 
@@ -115,7 +115,7 @@ final class Base64Codec {
 
     /**
      * Used in the URL- and Filename-safe dialect described in Section 4 of RFC3548:
-     * <a href="http://www.faqs.org/rfcs/rfc3548.html">http://www.faqs.org/rfcs/rfc3548.html</a>.
+     * <a href="https://www.faqs.org/rfcs/rfc3548.html">https://www.faqs.org/rfcs/rfc3548.html</a>.
      * Notice that the last two bytes become "hyphen" and "underscore" instead of "plus" and "slash."
      */
     private final static byte[] _URL_SAFE_ALPHABET = {
@@ -179,7 +179,7 @@ final class Base64Codec {
     /**
      * I don't get the point of this technique, but someone requested it,
      * and it is described here:
-     * <a href="http://www.faqs.org/qa/rfcc-1940.html">http://www.faqs.org/qa/rfcc-1940.html</a>.
+     * <a href="https://www.faqs.org/qa/rfcc-1940.html">https://www.faqs.org/qa/rfcc-1940.html</a>.
      */
     private final static byte[] _ORDERED_ALPHABET = {
       (byte)'-',
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/codec/Codecs.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/codec/Codecs.java
index a654e52a5..28f31c527 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/codec/Codecs.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/codec/Codecs.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -20,8 +20,12 @@
 /**
  * Functions for Hex, Base64 and Utf8 encoding/decoding
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  */
+@Deprecated
 public class Codecs {
 	private static Charset UTF8 = Charset.forName("UTF-8");
 
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/cipher/CipherMetadata.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/cipher/CipherMetadata.java
index c8edfce77..d65e6c2eb 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/cipher/CipherMetadata.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/cipher/CipherMetadata.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -15,8 +15,12 @@
 import org.springframework.security.jwt.AlgorithmMetadata;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  */
+@Deprecated
 public interface CipherMetadata extends AlgorithmMetadata {
 	/**
 	 * @return Size of the key in bits.
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveKeyHelper.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveKeyHelper.java
index f9b88f411..485d06a95 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveKeyHelper.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveKeyHelper.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveSignatureHelper.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveSignatureHelper.java
index d1ee99dde..8d6b911ed 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveSignatureHelper.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveSignatureHelper.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveVerifier.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveVerifier.java
index 00e525829..505d6dafb 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveVerifier.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveVerifier.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -23,9 +23,13 @@
 /**
  * Verifies signatures using an Elliptic Curve public key.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Michael Duergner
  * @since 2.3
  */
+@Deprecated
 public class EllipticCurveVerifier implements SignatureVerifier {
 	private final ECPublicKey key;
 	private final String algorithm;
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/InvalidSignatureException.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/InvalidSignatureException.java
index 15095325c..6c7ef3e3c 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/InvalidSignatureException.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/InvalidSignatureException.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -13,8 +13,12 @@
 package org.springframework.security.jwt.crypto.sign;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  */
+@Deprecated
 public class InvalidSignatureException extends RuntimeException {
     public InvalidSignatureException(String message) {
         super(message);
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/MacSigner.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/MacSigner.java
index 71f75bbef..1aabb2f42 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/MacSigner.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/MacSigner.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -18,8 +18,12 @@
 import javax.crypto.spec.SecretKeySpec;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  */
+@Deprecated
 public class MacSigner implements SignerVerifier {
 	private static final String DEFAULT_ALGORITHM = "HMACSHA256";
 
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaKeyHelper.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaKeyHelper.java
index 41f36e47e..69a87874c 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaKeyHelper.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaKeyHelper.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -12,20 +12,23 @@
  */
 package org.springframework.security.jwt.crypto.sign;
 
-import static org.springframework.security.jwt.codec.Codecs.b64Decode;
-import static org.springframework.security.jwt.codec.Codecs.utf8Encode;
+import org.bouncycastle.asn1.ASN1Sequence;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.math.BigInteger;
 import java.security.*;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
 import java.security.interfaces.RSAPublicKey;
 import java.security.spec.*;
 import java.util.Arrays;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import org.bouncycastle.asn1.ASN1Sequence;
+import static org.springframework.security.jwt.codec.Codecs.b64Decode;
+import static org.springframework.security.jwt.codec.Codecs.utf8Encode;
 
 /**
  * Reads RSA key pairs using BC provider classes but without the
@@ -72,6 +75,10 @@ static KeyPair parseKeyPair(String pemData) {
 				org.bouncycastle.asn1.pkcs.RSAPublicKey key = org.bouncycastle.asn1.pkcs.RSAPublicKey.getInstance(seq);
 				RSAPublicKeySpec pubSpec = new RSAPublicKeySpec(key.getModulus(), key.getPublicExponent());
 				publicKey = fact.generatePublic(pubSpec);
+			} else if (type.equals("CERTIFICATE")) {
+				CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
+				Certificate certificate = certificateFactory.generateCertificate(new ByteArrayInputStream(content));
+				publicKey = certificate.getPublicKey();
 			} else {
 				throw new IllegalArgumentException(type + " is not a supported format");
 			}
@@ -81,12 +88,15 @@ static KeyPair parseKeyPair(String pemData) {
 		catch (InvalidKeySpecException e) {
 			throw new RuntimeException(e);
 		}
+		catch (CertificateException e) {
+			throw new RuntimeException(e);
+		}
 		catch (NoSuchAlgorithmException e) {
 			throw new IllegalStateException(e);
 		}
 	}
 
-	private static final Pattern SSH_PUB_KEY = Pattern.compile("ssh-(rsa|dsa) ([A-Za-z0-9/+]+=*) (.*)");
+	private static final Pattern SSH_PUB_KEY = Pattern.compile("ssh-(rsa|dsa) ([A-Za-z0-9/+]+=*) ?(.*)");
 
 	static RSAPublicKey parsePublicKey(String key) {
 		Matcher m = SSH_PUB_KEY.matcher(key);
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaSigner.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaSigner.java
index bbd6b240a..6439fed67 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaSigner.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaSigner.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -23,8 +23,12 @@
  * The key can be supplied directly, or as an SSH private key string (in
  * the standard format produced by <tt>ssh-keygen</tt>)
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  */
+@Deprecated
 public class RsaSigner implements Signer {
 	static final String DEFAULT_ALGORITHM = "SHA256withRSA";
 
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaVerifier.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaVerifier.java
index faa562e1c..0e7cede4c 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaVerifier.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaVerifier.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -22,8 +22,12 @@
  * The key can be supplied directly, or as an SSH public or private key string (in
  * the standard format produced by <tt>ssh-keygen</tt>).
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  */
+@Deprecated
 public class RsaVerifier implements SignatureVerifier {
 	private final RSAPublicKey key;
 	private final String algorithm;
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignatureVerifier.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignatureVerifier.java
index 4a3371676..41253fbae 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignatureVerifier.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignatureVerifier.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -15,8 +15,12 @@
 import org.springframework.security.jwt.AlgorithmMetadata;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  */
+@Deprecated
 public interface SignatureVerifier extends AlgorithmMetadata {
 	void verify(byte[] content, byte[] signature);
 }
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/Signer.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/Signer.java
index 2c5d98bda..ca675671f 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/Signer.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/Signer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -15,8 +15,12 @@
 import org.springframework.security.jwt.AlgorithmMetadata;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  */
+@Deprecated
 public interface Signer extends AlgorithmMetadata {
 	byte[] sign(byte[] bytes);
 }
diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignerVerifier.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignerVerifier.java
index 00c52b713..d75dd5f7e 100644
--- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignerVerifier.java
+++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignerVerifier.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -13,7 +13,11 @@
 package org.springframework.security.jwt.crypto.sign;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  */
+@Deprecated
 public interface SignerVerifier extends Signer, SignatureVerifier {
 }
diff --git a/spring-security-jwt/src/test/java/org/springframework/security/jwt/JwtSpecData.java b/spring-security-jwt/src/test/java/org/springframework/security/jwt/JwtSpecData.java
index a5fc71707..99139ee12 100644
--- a/spring-security-jwt/src/test/java/org/springframework/security/jwt/JwtSpecData.java
+++ b/spring-security-jwt/src/test/java/org/springframework/security/jwt/JwtSpecData.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-jwt/src/test/java/org/springframework/security/jwt/JwtTests.java b/spring-security-jwt/src/test/java/org/springframework/security/jwt/JwtTests.java
index 1cdc5793e..b3638bc11 100644
--- a/spring-security-jwt/src/test/java/org/springframework/security/jwt/JwtTests.java
+++ b/spring-security-jwt/src/test/java/org/springframework/security/jwt/JwtTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -35,7 +35,7 @@ public class JwtTests {
 	 * Sample from the JWT spec.
 	 */
 	static final String JOE_CLAIM_SEGMENT = "{\"iss\":\"joe\",\r\n" + " \"exp\":1300819380,\r\n"
-			+ " \"http://example.com/is_root/":true}";
+			+ " \"https://example.com/is_root/":true}";
 	static final String JOE_HEADER_HMAC = "{\"typ\":\"JWT\",\r\n" + " \"alg\":\"HS256\"}";
 	static final String JOE_HMAC_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
 			+ "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ."
@@ -49,7 +49,6 @@ public class JwtTests {
 			+ "9uJdbF9CUAr7t1dnZcAcQjbKBYNX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K0GarZR"
 			+ "mB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs9"
 			+ "8rqVt5AXLIhWkWywlVmtVrBp0igcN_IoypGlUPQGe77Rw";
-	static final String JOE_HEADER_RSA = "{\"alg\":\"RS256\"}";
 	static final MacSigner hmac = new MacSigner(JwtSpecData.HMAC_KEY);
 
 	@Test
@@ -102,7 +101,8 @@ public void tokenBytesCreateSameToken() throws Exception {
 
 	@Test
 	public void expectedClaimsValueIsReturned() {
-		assertEquals(JOE_CLAIM_SEGMENT, JwtHelper.decode(JOE_HMAC_TOKEN).getClaims());
+		Jwt token = JwtHelper.encode(JOE_CLAIM_SEGMENT, hmac);
+		assertEquals(JOE_CLAIM_SEGMENT, JwtHelper.decode(token.getEncoded()).getClaims());
 	}
 
 	@Test
@@ -129,8 +129,8 @@ public void hmacVerificationIsInverseOfSigning() {
 
 	@Test
 	public void rsaSignedTokenParsesAndVerifies() {
-		Jwt jwt = JwtHelper.decode(JOE_RSA_TOKEN);
-		jwt.verifySignature(new RsaVerifier(N, E));
+		Jwt jwt = JwtHelper.encode(JOE_CLAIM_SEGMENT, new RsaSigner(N, E));
+		jwt.verifySignature(new RsaVerifier(N, D));
 		assertEquals(JOE_CLAIM_SEGMENT, jwt.getClaims());
 	}
 
diff --git a/spring-security-jwt/src/test/java/org/springframework/security/jwt/RubyJwtIntegrationTests.java b/spring-security-jwt/src/test/java/org/springframework/security/jwt/RubyJwtIntegrationTests.java
index dd2f3bd74..6aa3b406a 100644
--- a/spring-security-jwt/src/test/java/org/springframework/security/jwt/RubyJwtIntegrationTests.java
+++ b/spring-security-jwt/src/test/java/org/springframework/security/jwt/RubyJwtIntegrationTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/cipher/RsaTestKeyData.java b/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/cipher/RsaTestKeyData.java
index b37d29504..5efbfe88d 100644
--- a/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/cipher/RsaTestKeyData.java
+++ b/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/cipher/RsaTestKeyData.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -97,6 +97,12 @@ public class RsaTestKeyData {
 			+ "eJQ4nUR0pkfEaeRWOmzWE/3wC9DHoSmYoTF7B3gwyPvuBFgB5KjSk+G6AuubLkMs+jFJQZJkQcI+UJ859MC3024ThjBukLAN8OZBv7"
 			+ "2d6rtDQ/Ca0/qMWtXhVneKvZxZg5MXoVwvtkidwbdoK9fGnylRDs0+KZh3vR0Q+67V blah@blah.local";
 
+	public static final String SSH_PUBLIC_KEY_STRING_WITHOUT_COMMENT = "ssh-rsa "
+			+ "AAAAB3NzaC1yc2EAAAADAQABAAABAQDABE3hLtnRqxISPrX5Ii+1RS4eil399+d7UJtodc3GP9wjitjSTkQtnZIYIVWCbH1cAMkmFi"
+			+ "hAiY768zEUCptbHI7jkHWtlHWrQKEQVYsY+Y0H59jxOsUciMlvzvezR3YVNgM7Cy3od0o+NeQt2AYc7grV8uc7VxAcoaCUEq9zhlJW"
+			+ "eJQ4nUR0pkfEaeRWOmzWE/3wC9DHoSmYoTF7B3gwyPvuBFgB5KjSk+G6AuubLkMs+jFJQZJkQcI+UJ859MC3024ThjBukLAN8OZBv7"
+			+ "2d6rtDQ/Ca0/qMWtXhVneKvZxZg5MXoVwvtkidwbdoK9fGnylRDs0+KZh3vR0Q+67V";
+
 
 	public static final String SSH_PUBLIC_KEY_OPENSSL_PEM_STRING = "-----BEGIN PUBLIC KEY-----\n" +
 			"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwARN4S7Z0asSEj61+SIv\n" +
@@ -117,4 +123,24 @@ public class RsaTestKeyData {
 			"L7ZIncG3aCvXxp8pUQ7NPimYd70dEPuu1QIDAQAB\n" +
 			"-----END RSA PUBLIC KEY-----";
 
+	public static final String SSH_X509_CERTIFICATE_PEM_STRING = "-----BEGIN CERTIFICATE-----\n" +
+			"MIIDHDCCAgSgAwIBAgIJAK+wnYpjtdVFMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNV\n" +
+			"BAMMGHNwcmluZy1zZWN1cml0eS1qd3QtdGVzdDAeFw0xODA0MTcwOTQ4MzVaFw0x\n" +
+			"ODA1MTcwOTQ4MzVaMCMxITAfBgNVBAMMGHNwcmluZy1zZWN1cml0eS1qd3QtdGVz\n" +
+			"dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMAETeEu2dGrEhI+tfki\n" +
+			"L7VFLh6KXf3353tQm2h1zcY/3COK2NJORC2dkhghVYJsfVwAySYWKECJjvrzMRQK\n" +
+			"m1scjuOQda2UdatAoRBVixj5jQfn2PE6xRyIyW/O97NHdhU2AzsLLeh3Sj415C3Y\n" +
+			"BhzuCtXy5ztXEByhoJQSr3OGUlZ4lDidRHSmR8Rp5FY6bNYT/fAL0MehKZihMXsH\n" +
+			"eDDI++4EWAHkqNKT4boC65suQyz6MUlBkmRBwj5Qnzn0wLfTbhOGMG6QsA3w5kG/\n" +
+			"vZ3qu0ND8JrT+oxa1eFWd4q9nFmDkxehXC+2SJ3Bt2gr18afKVEOzT4pmHe9HRD7\n" +
+			"rtUCAwEAAaNTMFEwHQYDVR0OBBYEFPM7mHoBTz7Bgyblen9oSqd6gCVTMB8GA1Ud\n" +
+			"IwQYMBaAFPM7mHoBTz7Bgyblen9oSqd6gCVTMA8GA1UdEwEB/wQFMAMBAf8wDQYJ\n" +
+			"KoZIhvcNAQELBQADggEBAGfx6+D8YpYVHYbB9mdUDVmFKEq3rFBKaHXL8fDceHUi\n" +
+			"GOAG0dLqP+lxx/pPsgfW8dnu1h/I5+cvOsj/YmwLMlodhrGN0XpaWmATz7+ikif3\n" +
+			"VGGNXIWl/km+r30M4diFnSnycjYaOJdBqhLIkQd/w/JFFJ5J+C5b2281jYGw6Y1F\n" +
+			"Kq3pqLlQVCnQhcnDroCtwLK78hG7yZasYVBnjKilSkMB1k14Kfq8WUR3NsODRiXg\n" +
+			"EP+KsWrwS5l/cyUzkWDKgOvmlWeqSWp95WGhewuVAs34W0hzdT3JDd4TIX3NWMuw\n" +
+			"i9txCbagsrq/2+rKgsasCPlcQwFw6Umzd73HuqiHmoM=\n" +
+			"-----END CERTIFICATE-----\n";
+
 }
diff --git a/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/sign/EllipticCurveVerifierTests.java b/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/sign/EllipticCurveVerifierTests.java
index f4e581757..718c9016d 100644
--- a/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/sign/EllipticCurveVerifierTests.java
+++ b/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/sign/EllipticCurveVerifierTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/sign/RsaSigningTests.java b/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/sign/RsaSigningTests.java
index 363dee8ef..da83c9bc3 100644
--- a/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/sign/RsaSigningTests.java
+++ b/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/sign/RsaSigningTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -12,12 +12,12 @@
  */
 package org.springframework.security.jwt.crypto.sign;
 
-import static org.junit.Assert.assertNotNull;
-
 import org.junit.Test;
 import org.springframework.security.jwt.codec.Codecs;
 import org.springframework.security.jwt.crypto.cipher.RsaTestKeyData;
 
+import static org.junit.Assert.assertNotNull;
+
 /**
  * @author Luke Taylor
  */
@@ -35,6 +35,12 @@ public void rsaSignerValidKeyWithWhitespace() throws Exception {
 		assertNotNull(signer);
 	}
 
+	@Test
+	public void rsaVerifierValidKeyWithoutComment() throws Exception {
+		RsaVerifier verifier = new RsaVerifier(RsaTestKeyData.SSH_PUBLIC_KEY_STRING_WITHOUT_COMMENT);
+		assertNotNull(verifier);
+	}
+
 	@Test
 	public void keysFromPrivateAndPublicKeyStringDataAreCorrect() throws Exception {
 		// Do a test sign and verify
@@ -56,5 +62,8 @@ public void keysFromPrivateAndPublicKeyStringDataAreCorrect() throws Exception {
 
 		verifier = new RsaVerifier(RsaTestKeyData.SSH_PUBLIC_KEY_OPENSSL_PEM_STRING);
 		verifier.verify(content, signed);
+
+		verifier = new RsaVerifier(RsaTestKeyData.SSH_X509_CERTIFICATE_PEM_STRING);
+		verifier.verify(content, signed);
 	}
 }
diff --git a/spring-security-oauth/pom.xml b/spring-security-oauth/pom.xml
index e7d99a71b..7ea72e61d 100644
--- a/spring-security-oauth/pom.xml
+++ b/spring-security-oauth/pom.xml
@@ -1,10 +1,10 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/maven-v4_0_0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<artifactId>spring-security-oauth</artifactId>
@@ -13,7 +13,6 @@
 
 	<properties>
 		<servlet-api.version>3.0.1</servlet-api.version>
-		<junit.version>4.11</junit.version>
 	</properties>
 
 	<profiles>
@@ -21,7 +20,6 @@
 			<id>spring5</id>
 			<properties>
 				<servlet-api.version>3.1.0</servlet-api.version>
-				<junit.version>4.12</junit.version>
 			</properties>
 		</profile>
 	</profiles>
@@ -143,7 +141,7 @@
 		<dependency>
 			<groupId>org.mockito</groupId>
 			<artifactId>mockito-core</artifactId>
-			<version>1.9.5</version>
+			<version>${mockito.version}</version>
 			<scope>test</scope>
 		</dependency>
 
@@ -171,7 +169,7 @@
 		<dependency>
 			<groupId>org.apache.httpcomponents</groupId>
 			<artifactId>httpclient</artifactId>
-			<version>4.3.3</version>
+			<version>4.5.13</version>
 		</dependency>
 
 		<dependency>
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthCodec.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthCodec.java
index 44ee7fc3b..393f6c3e2 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthCodec.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthCodec.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -25,8 +25,12 @@
 /**
  * Utility for parameter encoding according to the OAuth spec.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class OAuthCodec extends URLCodec {
 
   protected static final BitSet SAFE_CHARACTERS = (BitSet) URLCodec.WWW_FORM_URL.clone();
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthConsumerParameter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthConsumerParameter.java
index c485601d5..66e6bc1f5 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthConsumerParameter.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthConsumerParameter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,8 +19,12 @@
 /**
  * Enumeration for consumer parameters.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public enum OAuthConsumerParameter {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthException.java
index 7fc06de64..9c8b44a6a 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthException.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,10 +20,14 @@
 
 /**
  * Base exception for OAuth processing.
- * 
+ *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class OAuthException extends AuthenticationException {
 
   public OAuthException(String message) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthProviderParameter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthProviderParameter.java
index 30ce020ab..af5c8be4d 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthProviderParameter.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthProviderParameter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,8 +19,12 @@
 /**
  * Parameters that can be used by the provider.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public enum OAuthProviderParameter {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/StringSplitUtils.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/StringSplitUtils.java
index 87ed8e914..e2a2045c9 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/StringSplitUtils.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/StringSplitUtils.java
@@ -10,7 +10,12 @@
 
 /**
  * Provides several <code>String</code> manipulation methods. Copied from deleted org.springframework.security.util.StringSplitUtils
+ *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  */
+@Deprecated
 public class StringSplitUtils {
 
   private static final String[] EMPTY_STRING_ARRAY = new String[0];
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/CoreOAuthSignatureMethodFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/CoreOAuthSignatureMethodFactory.java
index 07f4e0758..b8abb0940 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/CoreOAuthSignatureMethodFactory.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/CoreOAuthSignatureMethodFactory.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -30,8 +30,12 @@
 /**
  * Implements the signatures defined in OAuth Core 1.0. By default, PLAINTEXT signatures are not supported
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class CoreOAuthSignatureMethodFactory implements OAuthSignatureMethodFactory {
 
   private boolean supportPlainText = false;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/HMAC_SHA1SignatureMethod.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/HMAC_SHA1SignatureMethod.java
index 88e78edab..baf4c0b52 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/HMAC_SHA1SignatureMethod.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/HMAC_SHA1SignatureMethod.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -29,8 +29,12 @@
 /**
  * HMAC-SHA1 signature method.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class HMAC_SHA1SignatureMethod implements OAuthSignatureMethod {
 
   private static final Log LOG = LogFactory.getLog(HMAC_SHA1SignatureMethod.class);
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/InvalidSignatureException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/InvalidSignatureException.java
index de5196961..0ff6d2cb5 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/InvalidSignatureException.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/InvalidSignatureException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,9 +21,13 @@
 /**
  * Thrown when a signature is invalid.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class InvalidSignatureException extends OAuthException {
 
   public InvalidSignatureException(String msg) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethod.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethod.java
index 01c85c3e2..883439681 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethod.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethod.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -17,8 +17,12 @@
 package org.springframework.security.oauth.common.signature;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthSignatureMethod {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethodFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethodFactory.java
index a26a88a80..7aed490ca 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethodFactory.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethodFactory.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,8 +19,12 @@
 /**
  * Factory for signature methods.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthSignatureMethodFactory {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/PlainTextSignatureMethod.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/PlainTextSignatureMethod.java
index 4b9be8946..673b24f60 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/PlainTextSignatureMethod.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/PlainTextSignatureMethod.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,8 +21,12 @@
 /**
  * Plain text signature method.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class PlainTextSignatureMethod implements OAuthSignatureMethod {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSAKeySecret.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSAKeySecret.java
index 0f0da404f..e4c1d8a68 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSAKeySecret.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSAKeySecret.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -32,9 +32,13 @@
 /**
  * Signature secret for RSA.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class RSAKeySecret implements SignatureSecret {
 
   private final PrivateKey privateKey;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSA_SHA1SignatureMethod.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSA_SHA1SignatureMethod.java
index 27a63419f..f027f84df 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSA_SHA1SignatureMethod.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSA_SHA1SignatureMethod.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -25,8 +25,12 @@
  * RSA-SHA1 signature method. The RSA-SHA1 signature method uses the RSASSA-PKCS1-v1_5 signature algorithm as defined in RFC3447
  * section 8.2 (more simply known as PKCS#1), using SHA-1 as the hash function for EMSA-PKCS1-v1_5.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class RSA_SHA1SignatureMethod implements OAuthSignatureMethod {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SaltedConsumerSecret.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SaltedConsumerSecret.java
index 7b5250506..ad433b5f5 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SaltedConsumerSecret.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SaltedConsumerSecret.java
@@ -3,8 +3,12 @@
 /**
  * Marker interface for indicating that a consumer secret has some salt.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface SaltedConsumerSecret {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecret.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecret.java
index 62423232e..ef627ccf3 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecret.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecret.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,9 +19,13 @@
 /**
  * A signature secret that consists of a consumer secret and a token secret.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
- * @author <a href="http://autayeu.com/">Aliaksandr Autayeu</a>
+ * @author <a href="https://autayeu.com/">Aliaksandr Autayeu</a>
  */
+@Deprecated
 public interface SharedConsumerSecret extends SignatureSecret {
 
 	/**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecretImpl.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecretImpl.java
index dbde015ee..6eb66901f 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecretImpl.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecretImpl.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,9 +19,13 @@
 /**
  * Default implementation of a signature secret.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class SharedConsumerSecretImpl implements SharedConsumerSecret {
 
   private final String consumerSecret;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecret.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecret.java
index b695d5e9c..44cde648b 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecret.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecret.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,9 +20,13 @@
 
 /**
  * Marker interface for OAuth signature secrets.
- * 
+ *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public interface SignatureSecret extends Serializable {
 }
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecretEditor.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecretEditor.java
index 64695177b..874e3624b 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecretEditor.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecretEditor.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,9 +20,13 @@
 
 /**
  * A signature secret that consists of a consumer secret and a tokent secret.
- * 
+ *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class SignatureSecretEditor extends PropertyEditorSupport {
 
 	public void setAsText(String text) throws IllegalArgumentException {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/UnsupportedSignatureMethodException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/UnsupportedSignatureMethodException.java
index 422955590..be7852485 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/UnsupportedSignatureMethodException.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/UnsupportedSignatureMethodException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -17,9 +17,13 @@
 package org.springframework.security.oauth.common.signature;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class UnsupportedSignatureMethodException extends RuntimeException {
 
   public UnsupportedSignatureMethodException(String msg) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConfigUtils.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConfigUtils.java
index 7d5e17c96..2922fad7e 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConfigUtils.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConfigUtils.java
@@ -23,8 +23,12 @@
 /**
  * Common place for OAuth namespace configuration utils.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class ConfigUtils {
   private static final Method createMatcherMethod3x = ReflectionUtils.findMethod(
           MatcherType.class, "createMatcher", String.class, String.class);
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerDetailsFactoryBean.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerDetailsFactoryBean.java
index 433904ccc..ad3c1e247 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerDetailsFactoryBean.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerDetailsFactoryBean.java
@@ -1,10 +1,10 @@
 /*
- * Copyright 2006-2011 the original author or authors.
+ * Copyright 2006-2019 the original author or authors.
  * 
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -13,10 +13,13 @@
 package org.springframework.security.oauth.config;
 
 import java.io.IOException;
+import java.io.InputStream;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.FactoryBean;
 import org.springframework.context.ResourceLoaderAware;
@@ -29,11 +32,16 @@
 import org.springframework.security.oauth.provider.ConsumerDetails;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class ConsumerDetailsFactoryBean implements FactoryBean<ConsumerDetails>, ResourceLoaderAware {
-
+	
+	private static final Log logger = LogFactory.getLog(ConsumerDetailsFactoryBean.class);
 	private Object typeOfSecret;
 	private BaseConsumerDetails consumer = new BaseConsumerDetails();
 	private String secret;
@@ -81,19 +89,31 @@ public void setTypeOfSecret(Object typeOfSecret) {
 
 	public ConsumerDetails getObject() throws Exception {
 		if ("rsa-cert".equals(typeOfSecret)) {
+			InputStream inputStream = null;
 			try {
-				Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(resourceLoader.getResource(secret).getInputStream());
+				inputStream = resourceLoader.getResource(secret).getInputStream();
+				Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(inputStream);
 				consumer.setSignatureSecret(new RSAKeySecret(cert.getPublicKey()));
 			}
 			catch (IOException e) {
-				throw new BeanCreationException("RSA certificate not found at " + secret + ".",
+				throw new BeanCreationException("RSA certificate not found",
 						e);
 			}
 			catch (CertificateException e) {
-				throw new BeanCreationException("Invalid RSA certificate at " + secret + ".", e);
+				throw new BeanCreationException("Invalid RSA certificate", e);
 			}
 			catch (NullPointerException e) {
-				throw new BeanCreationException("Could not load RSA certificate at " + secret + ".", e);
+				throw new BeanCreationException("Could not load RSA certificate", e);
+			}
+			finally {
+				try {
+					if (inputStream != null) {
+						inputStream.close();
+					}
+				} 
+				catch (IOException e) {
+					logger.warn("Cannot close open stream: ", e);
+				}
 			}
 		}
 		else {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerServiceBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerServiceBeanDefinitionParser.java
index de91a6097..3f03de13c 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerServiceBeanDefinitionParser.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerServiceBeanDefinitionParser.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -29,10 +29,14 @@
 import org.w3c.dom.Element;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  * @author Dave Syer
  */
+@Deprecated
 public class ConsumerServiceBeanDefinitionParser extends AbstractSingleBeanDefinitionParser {
 
 	@Override
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ExpressionHandlerBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ExpressionHandlerBeanDefinitionParser.java
index 333fa1607..0bc457f54 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ExpressionHandlerBeanDefinitionParser.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ExpressionHandlerBeanDefinitionParser.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,9 +21,13 @@
 import org.w3c.dom.Element;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class ExpressionHandlerBeanDefinitionParser extends AbstractSingleBeanDefinitionParser {
 
   @Override
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthConsumerBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthConsumerBeanDefinitionParser.java
index 025c3eeb0..c984e495a 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthConsumerBeanDefinitionParser.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthConsumerBeanDefinitionParser.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -34,10 +34,14 @@
 /**
  * Parser for the OAuth "consumer" element.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  * @author Luke Taylor
  */
+@Deprecated
 public class OAuthConsumerBeanDefinitionParser implements BeanDefinitionParser {
 
   public BeanDefinition parse(Element element, ParserContext parserContext) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthProviderBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthProviderBeanDefinitionParser.java
index dcb201c3e..6b1721050 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthProviderBeanDefinitionParser.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthProviderBeanDefinitionParser.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -39,9 +39,13 @@
 /**
  * Parser for the OAuth "provider" element.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  */
+@Deprecated
 public class OAuthProviderBeanDefinitionParser implements BeanDefinitionParser {
 
   public BeanDefinition parse(Element element, ParserContext parserContext) {
@@ -203,7 +207,7 @@ private int insertIndex(List<BeanMetadataElement> filterChain) {
       BeanMetadataElement filter = filterChain.get(i);
       if (filter instanceof BeanDefinition) {
         String beanName = ((BeanDefinition) filter).getBeanClassName();
-        if (beanName.equals(ExceptionTranslationFilter.class.getName())) {
+        if (ExceptionTranslationFilter.class.getName().equals(beanName)) {
            return i + 1;
         }
       }
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthSecurityNamespaceHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthSecurityNamespaceHandler.java
index e92a268ea..f45565316 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthSecurityNamespaceHandler.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthSecurityNamespaceHandler.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,8 +19,12 @@
 import org.springframework.beans.factory.xml.NamespaceHandlerSupport;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class OAuthSecurityNamespaceHandler extends NamespaceHandlerSupport {
 
   public void init() {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsBeanDefinitionParser.java
index c12d19820..4e77bbc56 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsBeanDefinitionParser.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsBeanDefinitionParser.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -31,8 +31,12 @@
 import java.util.Map;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class ProtectedResourceDetailsBeanDefinitionParser extends AbstractSingleBeanDefinitionParser {
 
   @Override
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsServiceFactoryBean.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsServiceFactoryBean.java
index 81fe4856f..e10b20015 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsServiceFactoryBean.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsServiceFactoryBean.java
@@ -12,8 +12,12 @@
 /**
  * Factory bean for the resource details service.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class ProtectedResourceDetailsServiceFactoryBean extends AbstractFactoryBean<ProtectedResourceDetailsService>  {
 
   @Override
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/TokenServiceBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/TokenServiceBeanDefinitionParser.java
index 84c9095f9..a63e08ade 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/TokenServiceBeanDefinitionParser.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/TokenServiceBeanDefinitionParser.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -24,8 +24,12 @@
 import org.w3c.dom.Element;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class TokenServiceBeanDefinitionParser extends AbstractSingleBeanDefinitionParser {
 
   @Override
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/VerifierServiceBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/VerifierServiceBeanDefinitionParser.java
index b22bec73d..d280e5c3d 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/VerifierServiceBeanDefinitionParser.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/VerifierServiceBeanDefinitionParser.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -24,8 +24,12 @@
 import org.w3c.dom.Element;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class VerifierServiceBeanDefinitionParser extends AbstractSingleBeanDefinitionParser {
 
   @Override
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/AccessTokenRequiredException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/AccessTokenRequiredException.java
index c93385391..715973b2d 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/AccessTokenRequiredException.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/AccessTokenRequiredException.java
@@ -3,9 +3,13 @@
 import org.springframework.security.authentication.InsufficientAuthenticationException;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class AccessTokenRequiredException extends InsufficientAuthenticationException {
 
   private final ProtectedResourceDetails resource;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/BaseProtectedResourceDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/BaseProtectedResourceDetails.java
index 8687c8de3..53059dda2 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/BaseProtectedResourceDetails.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/BaseProtectedResourceDetails.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -24,8 +24,12 @@
 /**
  * Basic implementation of protected resource details.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class BaseProtectedResourceDetails implements ProtectedResourceDetails {
 
   private String id;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InMemoryProtectedResourceDetailsService.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InMemoryProtectedResourceDetailsService.java
index 7b0ca51fe..a0c188114 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InMemoryProtectedResourceDetailsService.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InMemoryProtectedResourceDetailsService.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -22,8 +22,12 @@
 /**
  * Basic, in-memory implementation of a protected resource details service.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class InMemoryProtectedResourceDetailsService implements ProtectedResourceDetailsService {
 
   private Map<String, ? extends ProtectedResourceDetails> resourceDetailsStore = new HashMap<String, ProtectedResourceDetails>();
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InvalidOAuthRealmException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InvalidOAuthRealmException.java
index ffc5536c7..8da4d544d 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InvalidOAuthRealmException.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InvalidOAuthRealmException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -18,10 +18,14 @@
 
 /**
  * Thrown when a different realm appears to be the cause of the authorization failure.
- * 
+ *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class InvalidOAuthRealmException extends OAuthRequestFailedException {
 
   private final String requiredRealm;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerSupport.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerSupport.java
index 38c3dd851..4ae98786f 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerSupport.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerSupport.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -24,8 +24,12 @@
 /**
  * Consumer-side support for OAuth.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthConsumerSupport {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerToken.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerToken.java
index 4ab2ecaaf..1e93577b5 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerToken.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerToken.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,9 +21,13 @@
 
 /**
  * Interface for a consumer-side OAuth token.
- * 
+ *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class OAuthConsumerToken implements Serializable {
 
   private static final long serialVersionUID = -4057986970456346647L;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthRequestFailedException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthRequestFailedException.java
index ed92ba098..60c735d05 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthRequestFailedException.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthRequestFailedException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,9 +21,13 @@
 /**
  * Thrown when an OAuth request fails.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class OAuthRequestFailedException extends AccessDeniedException {
 
   public OAuthRequestFailedException(String msg) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContext.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContext.java
index 3a5ce0789..7e2a5e34e 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContext.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContext.java
@@ -6,8 +6,12 @@
 /**
  * The OAuth 2 security context (for a specific user).
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthSecurityContext {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextHolder.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextHolder.java
index 6ed43ad66..f61b05497 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextHolder.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextHolder.java
@@ -3,8 +3,12 @@
 /**
  * Holder for the current OAuth security context.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class OAuthSecurityContextHolder {
 
   private static final ThreadLocal<OAuthSecurityContext> CURRENT_CONTEXT = new ThreadLocal<OAuthSecurityContext>();
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextImpl.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextImpl.java
index 176240897..9a05d76b3 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextImpl.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextImpl.java
@@ -4,8 +4,12 @@
 import java.util.Map;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class OAuthSecurityContextImpl implements OAuthSecurityContext {
 
   private Map<String, OAuthConsumerToken> accessTokens;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetails.java
index f52181a6a..901137d4a 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetails.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetails.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -23,9 +23,13 @@
 /**
  * Details about a protected resource.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  */
+@Deprecated
 public interface ProtectedResourceDetails {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetailsService.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetailsService.java
index edd28ae21..a6c6037aa 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetailsService.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetailsService.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,8 +19,12 @@
 /**
  * Service for loading protected resource details.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface ProtectedResourceDetailsService {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/UnverifiedRequestTokenException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/UnverifiedRequestTokenException.java
index cf0a54262..68cd47791 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/UnverifiedRequestTokenException.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/UnverifiedRequestTokenException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,9 +19,13 @@
 /**
  * Thrown when an attempt is made to use an unverified request token.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class UnverifiedRequestTokenException extends OAuthRequestFailedException {
 
   public UnverifiedRequestTokenException(String msg) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/CoreOAuthConsumerSupport.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/CoreOAuthConsumerSupport.java
index 36ab3b822..cfec33cc0 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/CoreOAuthConsumerSupport.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/CoreOAuthConsumerSupport.java
@@ -1,11 +1,11 @@
 /*
- * Copyright 2008-2009 Web Cohesion
+ * Copyright 2008-2019 Web Cohesion
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -17,6 +17,8 @@
 package org.springframework.security.oauth.consumer.client;
 
 import org.apache.commons.codec.DecoderException;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth.common.OAuthCodec;
@@ -50,11 +52,16 @@
  * OAuth provider.  A proxy will be selected, but it is assumed that the {@link javax.net.ssl.TrustManager}s
  * and other connection-related environment variables are already set up.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  */
+@Deprecated
 public class CoreOAuthConsumerSupport implements OAuthConsumerSupport, InitializingBean {
 
+  private static final Log logger = LogFactory.getLog(CoreOAuthConsumerSupport.class);
   private OAuthURLStreamHandlerFactory streamHandlerFactory;
   private OAuthSignatureMethodFactory signatureFactory = new CoreOAuthSignatureMethodFactory();
   private NonceFactory nonceFactory = new UUIDNonceFactory();
@@ -131,7 +138,7 @@ public OAuthConsumerToken getAccessToken(ProtectedResourceDetails details, OAuth
     Map<String, String> additionalParameters = new TreeMap<String, String>();
     if (details.isUse10a()) {
       if (verifier == null) {
-        throw new UnverifiedRequestTokenException("Unverified request token: " + requestToken);
+        throw new UnverifiedRequestTokenException("Unverified request token");
       }
       additionalParameters.put(OAuthConsumerParameter.oauth_verifier.toString(), verifier);
     }
@@ -196,15 +203,15 @@ protected InputStream readResource(ProtectedResourceDetails details, URL url, St
 
     int responseCode;
     String responseMessage;
+    OutputStream out = null;
     try {
       connection.setDoOutput(sendOAuthParamsInRequestBody);
       connection.connect();
       if (sendOAuthParamsInRequestBody) {
         String queryString = getOAuthQueryString(details, token, url, httpMethod, additionalParameters);
-        OutputStream out = connection.getOutputStream();
+        out = connection.getOutputStream();
         out.write(queryString.getBytes("UTF-8"));
         out.flush();
-        out.close();
       }
       responseCode = connection.getResponseCode();
       responseMessage = connection.getResponseMessage();
@@ -215,6 +222,16 @@ protected InputStream readResource(ProtectedResourceDetails details, URL url, St
     catch (IOException e) {
       throw new OAuthRequestFailedException("OAuth connection failed.", e);
     }
+    finally {
+      try {
+        if (out != null) {
+          out.close();
+        }
+      }
+      catch (IOException e) {
+        logger.warn("Cannot close open stream: ", e);
+      }
+    }
 
     if (responseCode >= 200 && responseCode < 300) {
       try {
@@ -431,6 +448,16 @@ protected OAuthConsumerToken getTokenFromProvider(ProtectedResourceDetails detai
     catch (IOException e) {
       throw new OAuthRequestFailedException("Unable to read the token.", e);
     }
+    finally {
+      try {
+        if (inputStream != null) {
+          inputStream.close();
+        }
+      } 
+      catch (IOException e) {
+        logger.warn("Cannot close open stream: ", e);
+      }
+    }
 
     StringTokenizer tokenProperties = new StringTokenizer(tokenInfo, "&");
     Map<String, String> tokenPropertyValues = new TreeMap<String, String>();
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthClientHttpRequestFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthClientHttpRequestFactory.java
index 1f00bf42d..d7015365c 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthClientHttpRequestFactory.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthClientHttpRequestFactory.java
@@ -20,8 +20,12 @@
 /**
  * Request factory that extends all http requests with the OAuth credentials for a specific protected resource.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class OAuthClientHttpRequestFactory implements ClientHttpRequestFactory {
 
   private final ClientHttpRequestFactory delegate;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthRestTemplate.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthRestTemplate.java
index 0d2e6b1fe..59d323394 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthRestTemplate.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthRestTemplate.java
@@ -9,8 +9,12 @@
 /**
  * Rest template that is able to make OAuth-authenticated REST requests with the credentials of the provided resource.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class OAuthRestTemplate extends RestTemplate {
 
   private final ProtectedResourceDetails resource;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerContextFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerContextFilter.java
index 8fb413a1a..5d8612fa0 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerContextFilter.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerContextFilter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -65,8 +65,12 @@
 /**
  * OAuth filter that establishes an OAuth security context.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class OAuthConsumerContextFilter implements Filter, InitializingBean, MessageSourceAware {
 
 	public static final String ACCESS_TOKENS_DEFAULT_ATTRIBUTE = "OAUTH_ACCESS_TOKENS";
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerProcessingFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerProcessingFilter.java
index d8aa8d900..29674ce68 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerProcessingFilter.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerProcessingFilter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -53,9 +53,13 @@
  * When servicing a request that requires protected resources, this filter sets a request attribute (default "OAUTH_ACCESS_TOKENS") that contains
  * the list of {@link org.springframework.security.oauth.consumer.OAuthConsumerToken}s.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  */
+@Deprecated
 public class OAuthConsumerProcessingFilter implements Filter, InitializingBean, MessageSourceAware {
 
   private static final Log LOG = LogFactory.getLog(OAuthConsumerProcessingFilter.class);
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/DefaultOAuthURLStreamHandlerFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/DefaultOAuthURLStreamHandlerFactory.java
index eb415be7b..db424e879 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/DefaultOAuthURLStreamHandlerFactory.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/DefaultOAuthURLStreamHandlerFactory.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -26,8 +26,12 @@
 /**
  * Default implementation.  Assumes we're running on Sun's JVM.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class DefaultOAuthURLStreamHandlerFactory implements OAuthURLStreamHandlerFactory {
 
   public URLStreamHandler getHttpStreamHandler(ProtectedResourceDetails resourceDetails, OAuthConsumerToken accessToken, OAuthConsumerSupport support, String httpMethod, Map<String, String> additionalParameters) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpURLStreamHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpURLStreamHandler.java
index 5ce53d96b..055981f69 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpURLStreamHandler.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpURLStreamHandler.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -30,9 +30,13 @@
 /**
  * Stream handler to handle the request stream to a protected resource over HTTP.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("restriction")
+@Deprecated
 public class OAuthOverHttpURLStreamHandler extends sun.net.www.protocol.http.Handler {
 
   private final ProtectedResourceDetails resourceDetails;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpsURLStreamHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpsURLStreamHandler.java
index de6bbbbd1..7646b0f5b 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpsURLStreamHandler.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpsURLStreamHandler.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -30,9 +30,13 @@
 /**
  * Stream handler to handle the request stream to a protected resource over HTTP.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("restriction")
+@Deprecated
 public class OAuthOverHttpsURLStreamHandler extends sun.net.www.protocol.https.Handler {
 
   private final ProtectedResourceDetails resourceDetails;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthURLStreamHandlerFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthURLStreamHandlerFactory.java
index 507088b1a..b34172184 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthURLStreamHandlerFactory.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthURLStreamHandlerFactory.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -26,8 +26,12 @@
 /**
  * Factory for a OAuth URL stream handlers.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthURLStreamHandlerFactory {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/NonceFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/NonceFactory.java
index 82ff87a52..208190451 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/NonceFactory.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/NonceFactory.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,8 +19,12 @@
 /**
  * A nonce factory.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface NonceFactory {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/UUIDNonceFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/UUIDNonceFactory.java
index 028a47319..af5906ad3 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/UUIDNonceFactory.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/UUIDNonceFactory.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,8 +21,12 @@
 /**
  * Nonce factory that uses a UUID to generate the nonce.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class UUIDNonceFactory implements NonceFactory {
 
   public String generateNonce() {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServices.java
index bc218993d..b7b8a5fc1 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServices.java
@@ -12,10 +12,14 @@
 /**
  * Default implementation of the OAuth2 rememberme services. Just stores everything in the session by default. Storing
  * access token can be suppressed to reduce long-term expose of these tokens in the underlying HTTP session.
- * 
+ *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Alex Rau
  */
+@Deprecated
 public class HttpSessionOAuthRememberMeServices implements OAuthRememberMeServices {
 
 	public static final String REMEMBERED_TOKENS_KEY = HttpSessionOAuthRememberMeServices.class.getName()
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/NoOpOAuthRememberMeServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/NoOpOAuthRememberMeServices.java
index 0d08b2513..4eb6e8e9a 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/NoOpOAuthRememberMeServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/NoOpOAuthRememberMeServices.java
@@ -10,9 +10,13 @@
  * Basic, no-op implementation of the remember-me services. Not very useful in a 3-legged OAuth flow, but for a 2-legged
  * system where there are no request tokens to store in between requests it keeps the consumer stateless at the price of
  * obtaining a new access token for every request.
- * 
+ *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class NoOpOAuthRememberMeServices implements OAuthRememberMeServices {
 
 	public Map<String, OAuthConsumerToken> loadRememberedTokens(HttpServletRequest request, HttpServletResponse response) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/OAuthRememberMeServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/OAuthRememberMeServices.java
index 905367c14..f68e45448 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/OAuthRememberMeServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/OAuthRememberMeServices.java
@@ -9,8 +9,12 @@
 /**
  * Services for "remembering" the access tokens that have been obtained.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthRememberMeServices {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/HttpSessionBasedTokenServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/HttpSessionBasedTokenServices.java
index abfa1ce74..847a212c3 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/HttpSessionBasedTokenServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/HttpSessionBasedTokenServices.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -27,8 +27,12 @@
 /**
  * Stores the tokens in an HTTP session.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class HttpSessionBasedTokenServices implements OAuthConsumerTokenServices {
 
   public static final String KEY_PREFIX = "OAUTH_TOKEN";
@@ -53,7 +57,7 @@ public void storeToken(String resourceId, OAuthConsumerToken token) {
     HttpSession session = getSession();
     session.setAttribute(KEY_PREFIX + "#" + resourceId, token);
 
-    //adding support for oauth session extension (http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html)
+    //adding support for oauth session extension (https://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html)
     Long expiration = null;
     String expiresInValue = token.getAdditionalParameters() != null ? token.getAdditionalParameters().get("oauth_expires_in") : null;
     if (expiresInValue != null) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/OAuthConsumerTokenServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/OAuthConsumerTokenServices.java
index 854c205e7..40422998f 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/OAuthConsumerTokenServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/OAuthConsumerTokenServices.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,9 +21,13 @@
 
 /**
  * Token services for an OAuth consumer.
- * 
+ *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthConsumerTokenServices {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/BaseConsumerDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/BaseConsumerDetails.java
index 250172ff9..003bfb096 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/BaseConsumerDetails.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/BaseConsumerDetails.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -25,10 +25,14 @@
 /**
  * Base implementation for consumer details.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class BaseConsumerDetails implements ResourceSpecificConsumerDetails, ExtraTrustConsumerDetails {
 
   private String consumerKey;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerAuthentication.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerAuthentication.java
index 6d5e37fce..42597b46a 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerAuthentication.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerAuthentication.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -22,10 +22,14 @@
 
 /**
  * Authentication for an OAuth consumer.
- * 
+ *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class ConsumerAuthentication extends AbstractAuthenticationToken {
 
   private final ConsumerDetails consumerDetails;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerCredentials.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerCredentials.java
index 5afe5324d..8c09f2926 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerCredentials.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerCredentials.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,9 +21,13 @@
 /**
  * The credentials for an OAuth consumer request.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class ConsumerCredentials implements Serializable {
 
   private final String consumerKey;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetails.java
index c90a1baf6..a72b18fb5 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetails.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetails.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -25,8 +25,12 @@
 /**
  * Provides core OAuth consumer information.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface ConsumerDetails extends Serializable {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetailsService.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetailsService.java
index a67415592..76031a77f 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetailsService.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetailsService.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,8 +21,12 @@
 /**
  * A service that provides the details about an oauth consumer.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface ConsumerDetailsService {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/DefaultAuthenticationHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/DefaultAuthenticationHandler.java
index d1ad40eda..dfda4d254 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/DefaultAuthenticationHandler.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/DefaultAuthenticationHandler.java
@@ -9,8 +9,12 @@
 /**
  * The default authentication handler.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class DefaultAuthenticationHandler implements OAuthAuthenticationHandler {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ExtraTrustConsumerDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ExtraTrustConsumerDetails.java
index 8c82ae5d3..7ec33d13b 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ExtraTrustConsumerDetails.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ExtraTrustConsumerDetails.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,8 +19,12 @@
 /**
  * Consumer details for a specific resource.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface ExtraTrustConsumerDetails extends ConsumerDetails {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InMemoryConsumerDetailsService.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InMemoryConsumerDetailsService.java
index 4a153a0a9..32be99d0c 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InMemoryConsumerDetailsService.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InMemoryConsumerDetailsService.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -24,8 +24,12 @@
 /**
  * Basic, in-memory implementation of the consumer details service.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class InMemoryConsumerDetailsService implements ConsumerDetailsService {
 
   private Map<String, ? extends ConsumerDetails> consumerDetailsStore = new HashMap<String, ConsumerDetails>();
@@ -33,7 +37,7 @@ public class InMemoryConsumerDetailsService implements ConsumerDetailsService {
   public ConsumerDetails loadConsumerByConsumerKey(String consumerKey) throws OAuthException {
     ConsumerDetails details = consumerDetailsStore.get(consumerKey);
     if (details == null) {
-      throw new InvalidOAuthParametersException("Consumer not found: " + consumerKey);
+      throw new InvalidOAuthParametersException("Consumer not found");
     }
     return details;
   }
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InvalidOAuthParametersException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InvalidOAuthParametersException.java
index 8c8a93f05..c26d3e776 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InvalidOAuthParametersException.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InvalidOAuthParametersException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,9 +19,13 @@
 import org.springframework.security.oauth.common.OAuthException;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class InvalidOAuthParametersException extends OAuthException {
 
   public InvalidOAuthParametersException(String msg) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationDetails.java
index 66843bcaa..c7a9d4de0 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationDetails.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationDetails.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -22,10 +22,14 @@
 
 /**
  * Authentication details and includes the details of the OAuth consumer.
- * 
+ *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class OAuthAuthenticationDetails extends WebAuthenticationDetails {
 
   private final ConsumerDetails consumerDetails;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationHandler.java
index d0c277bb6..408a4b9c9 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationHandler.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationHandler.java
@@ -8,8 +8,12 @@
 /**
  * Callback interface for handing authentication details that are used when an authenticated request for a protected resource is received.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthAuthenticationHandler {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProcessingFilterEntryPoint.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProcessingFilterEntryPoint.java
index 3de65b479..9ce9becc1 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProcessingFilterEntryPoint.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProcessingFilterEntryPoint.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -28,8 +28,12 @@
 /**
  * Entry point for OAuth authentication requests.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class OAuthProcessingFilterEntryPoint implements AuthenticationEntryPoint {
 
   private String realmName;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProviderSupport.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProviderSupport.java
index f5b2af59e..6817bea5c 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProviderSupport.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProviderSupport.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,9 +21,13 @@
 
 /**
  * Support logic for OAuth providers.
- * 
+ *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthProviderSupport {
   
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthVersionUnsupportedException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthVersionUnsupportedException.java
index d715ac562..aabf1722b 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthVersionUnsupportedException.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthVersionUnsupportedException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -17,9 +17,13 @@
 package org.springframework.security.oauth.provider;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class OAuthVersionUnsupportedException extends InvalidOAuthParametersException {
 
   public OAuthVersionUnsupportedException(String msg) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ResourceSpecificConsumerDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ResourceSpecificConsumerDetails.java
index 0cffc2c05..474a5126a 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ResourceSpecificConsumerDetails.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ResourceSpecificConsumerDetails.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,8 +19,12 @@
 /**
  * Consumer details for a specific resource.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface ResourceSpecificConsumerDetails extends ConsumerDetails {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerKeysAllowed.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerKeysAllowed.java
index 8a95c59f6..5f70c138e 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerKeysAllowed.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerKeysAllowed.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -24,10 +24,14 @@
 /**
  * The consumer keys that are allowed to access the specified method.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @Target ( { ElementType.TYPE, ElementType.METHOD } )
 @Retention ( RetentionPolicy.RUNTIME )
+@Deprecated
 public @interface ConsumerKeysAllowed {
 
   String[] value();
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerRolesAllowed.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerRolesAllowed.java
index 8ed5bb49e..9e727afc3 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerRolesAllowed.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerRolesAllowed.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -24,10 +24,14 @@
 /**
  * The consumer roles that are allowed to access the specified method.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @Target ( { ElementType.TYPE, ElementType.METHOD } )
 @Retention ( RetentionPolicy.RUNTIME )
+@Deprecated
 public @interface ConsumerRolesAllowed {
 
   String[] value();
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityConfig.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityConfig.java
index 0fcd5869a..8d56db062 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityConfig.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityConfig.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,10 +20,14 @@
 
 /**
  * Security config for consumer authorization of a method.
- * 
+ *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class ConsumerSecurityConfig extends SecurityConfig {
 
   public static final ConsumerSecurityConfig DENY_ALL_ATTRIBUTE = new ConsumerSecurityConfig(DenyAllConsumers.class.getName(), null);
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityMetadataSource.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityMetadataSource.java
index 2744a95da..16d3d5e13 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityMetadataSource.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityMetadataSource.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -27,9 +27,13 @@
 import java.lang.annotation.Annotation;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  */
+@Deprecated
 public class ConsumerSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource {
 
   protected List<ConfigAttribute> findAttributes(Class<?> clazz) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityVoter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityVoter.java
index ffc53105b..94ee09b8e 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityVoter.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityVoter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -26,9 +26,13 @@
 import java.util.Collection;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  */
+@Deprecated
 public class ConsumerSecurityVoter implements AccessDecisionVoter<Object> {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/DenyAllConsumers.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/DenyAllConsumers.java
index 7b9709c82..9387c3c4b 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/DenyAllConsumers.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/DenyAllConsumers.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -24,9 +24,13 @@
 /**
  * Annotation used to specify that a method is to be denied to all OAuth consumers.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @Target ( { ElementType.TYPE, ElementType.METHOD } )
 @Retention ( RetentionPolicy.RUNTIME )
+@Deprecated
 public @interface DenyAllConsumers {
 }
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/PermitAllConsumers.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/PermitAllConsumers.java
index 99f8acc4f..11e705dba 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/PermitAllConsumers.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/PermitAllConsumers.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -25,9 +25,13 @@
  * Annotation used to specify that a method is to be permitted to all OAuth consumers. Note that just because
  * a consumer is permitted, that doesn't mean that the user that the consumer is representing is permitted.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @Target ( { ElementType.TYPE, ElementType.METHOD } )
 @Retention ( RetentionPolicy.RUNTIME )
+@Deprecated
 public @interface PermitAllConsumers {
 }
\ No newline at end of file
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/expression/OAuthMethodSecurityExpressionHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/expression/OAuthMethodSecurityExpressionHandler.java
index 44d20e173..0f6c2e14f 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/expression/OAuthMethodSecurityExpressionHandler.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/expression/OAuthMethodSecurityExpressionHandler.java
@@ -19,9 +19,13 @@
 import org.springframework.security.oauth.provider.OAuthAuthenticationDetails;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class OAuthMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
 
 	@Override
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/AccessTokenProcessingFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/AccessTokenProcessingFilter.java
index 0a9bf8c42..52bc18003 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/AccessTokenProcessingFilter.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/AccessTokenProcessingFilter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -35,9 +35,13 @@
 /**
  * Processing filter for handling a request for an OAuth access token.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  */
+@Deprecated
 public class AccessTokenProcessingFilter extends OAuthProviderProcessingFilter {
 
   // The OAuth spec doesn't specify a content-type of the response.  However, it's NOT
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/CoreOAuthProviderSupport.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/CoreOAuthProviderSupport.java
index b46b989aa..90ca0488b 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/CoreOAuthProviderSupport.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/CoreOAuthProviderSupport.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -31,8 +31,12 @@
 /**
  * Utility for common logic for supporting an OAuth provider.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class CoreOAuthProviderSupport implements OAuthProviderSupport {
 
   private final Set<String> supportedOAuthParameters;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/OAuthProviderProcessingFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/OAuthProviderProcessingFilter.java
index 8b6055584..aac199e34 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/OAuthProviderProcessingFilter.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/OAuthProviderProcessingFilter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -57,8 +57,12 @@
 /**
  * OAuth processing filter. This filter should be applied to requests for OAuth protected resources (see OAuth Core 1.0).
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public abstract class OAuthProviderProcessingFilter implements Filter, InitializingBean, MessageSourceAware {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/ProtectedResourceProcessingFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/ProtectedResourceProcessingFilter.java
index cf7e5b5e0..6d6252192 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/ProtectedResourceProcessingFilter.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/ProtectedResourceProcessingFilter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -41,9 +41,13 @@
  * load a different authentication request into the security context). If the protected resource is available
  * ONLY via OAuth access token, set <code>ignoreMissingCredentials</code> to <code>false</code>. 
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  */
+@Deprecated
 public class ProtectedResourceProcessingFilter extends OAuthProviderProcessingFilter {
 
   private boolean allowAllMethods = true;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UnauthenticatedRequestTokenProcessingFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UnauthenticatedRequestTokenProcessingFilter.java
index 3ac546d0d..9128a4cb8 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UnauthenticatedRequestTokenProcessingFilter.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UnauthenticatedRequestTokenProcessingFilter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -36,9 +36,13 @@
  * Processing filter for handling a request for an OAuth token. The default implementation assumes a request for a new
  * unauthenticated request token. The default {@link #setFilterProcessesUrl(String) processes URL} is "/oauth_request_token".
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  */
+@Deprecated
 public class UnauthenticatedRequestTokenProcessingFilter extends OAuthProviderProcessingFilter {
 
   // The OAuth spec doesn't specify a content-type of the response.  However, it's NOT
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationProcessingFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationProcessingFilter.java
index 3e8b81e48..317a2ff13 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationProcessingFilter.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationProcessingFilter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -39,9 +39,13 @@
  * This filter looks for one request parameter for the token id that is being authorized. The
  * default name of the paramaters is "requestToken", but this can be configured.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  */
+@Deprecated
 public class UserAuthorizationProcessingFilter extends AbstractAuthenticationProcessingFilter {
 
   protected static final String CALLBACK_ATTRIBUTE = UserAuthorizationProcessingFilter.class.getName() + "#CALLBACK";
@@ -76,12 +80,12 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 
     OAuthProviderToken token = getTokenServices().getToken(requestToken);
     if (token == null) {
-      throw new InvalidOAuthTokenException("No callback value has been provided for request token " + requestToken + ".");
+      throw new InvalidOAuthTokenException("No callback value has been provided for request token");
     }
 
     String callbackURL = token.getCallbackUrl();
     if (isRequire10a() && callbackURL == null) {
-      throw new InvalidOAuthTokenException("No callback value has been provided for request token " + requestToken + ".");
+      throw new InvalidOAuthTokenException("No callback value has been provided for request token");
     }
 
     if (callbackURL != null) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationSuccessfulAuthenticationHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationSuccessfulAuthenticationHandler.java
index 0135a396a..0b228ad7b 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationSuccessfulAuthenticationHandler.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationSuccessfulAuthenticationHandler.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -37,8 +37,12 @@
  * success URL. Otherwise, the oauth_verifier and oauth_token parmeters are appended to the callback URL and the user
  * is redirected.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Andrew McCall
  */
+@Deprecated
 public class UserAuthorizationSuccessfulAuthenticationHandler extends SimpleUrlAuthenticationSuccessHandler {
 
   private static Log LOG = LogFactory.getLog(UserAuthorizationSuccessfulAuthenticationHandler.class);
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/ExpiringTimestampNonceServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/ExpiringTimestampNonceServices.java
index bfaf53972..ed53dfd64 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/ExpiringTimestampNonceServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/ExpiringTimestampNonceServices.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -28,8 +28,12 @@
  * is older than the configured validity window, the nonce is not valid. The default validity window is
  * 12 hours.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class ExpiringTimestampNonceServices implements OAuthNonceServices {
 
   private long validityWindowSeconds = 60 * 60 * 12; //we'll default to a 12-hour validity window.
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/InMemoryNonceServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/InMemoryNonceServices.java
index dce75709e..1548017b8 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/InMemoryNonceServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/InMemoryNonceServices.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -37,9 +37,13 @@
  * this class has a per request memory overhead. Keeping the validity window short helps prevent wasting a lot of
  * memory. 10 minutes that allows for minor variations in time between servers.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  * @author Jilles van Gurp
  */
+@Deprecated
 public class InMemoryNonceServices implements OAuthNonceServices {
 
 	/**
@@ -61,7 +65,7 @@ public void validateNonce(ConsumerDetails consumerDetails, long timestamp, Strin
 
 		synchronized (NONCES) {
 			if (NONCES.contains(entry)) {
-				throw new NonceAlreadyUsedException("Nonce already used: " + nonce);
+				throw new NonceAlreadyUsedException("Nonce already used");
 			}
 			else {
 				NONCES.add(entry);
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NonceAlreadyUsedException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NonceAlreadyUsedException.java
index a3d180bf3..d728bbfe7 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NonceAlreadyUsedException.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NonceAlreadyUsedException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,9 +19,13 @@
 import org.springframework.security.oauth.common.OAuthException;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class NonceAlreadyUsedException extends OAuthException {
   public NonceAlreadyUsedException(String msg) {
     super(msg);
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NullNonceServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NullNonceServices.java
index 0b2719f07..6e8d86a03 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NullNonceServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NullNonceServices.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -23,8 +23,12 @@
  * No-op nonce services. Assumes all nonces are valid. This leaves the provider exposed to the dangers
  * of an unlimited timestamp validity window and OAuth request replay attacks.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class NullNonceServices implements OAuthNonceServices {
 
   public void validateNonce(ConsumerDetails consumerDetails, long timestamp, String nonce) throws AuthenticationException {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/OAuthNonceServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/OAuthNonceServices.java
index 91611fc62..62de9e723 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/OAuthNonceServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/OAuthNonceServices.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,8 +20,12 @@
 import org.springframework.security.oauth.provider.ConsumerDetails;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthNonceServices {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/ExpiredOAuthTokenException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/ExpiredOAuthTokenException.java
index 37222ba5c..0eaa0a9c7 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/ExpiredOAuthTokenException.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/ExpiredOAuthTokenException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,9 +19,13 @@
 import org.springframework.security.oauth.common.OAuthException;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class ExpiredOAuthTokenException extends OAuthException {
 
   public ExpiredOAuthTokenException(String msg) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemoryProviderTokenServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemoryProviderTokenServices.java
index f68b2e420..d73132a5d 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemoryProviderTokenServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemoryProviderTokenServices.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,8 +21,12 @@
 /**
  * Implementation of TokenServices that stores tokens in memory.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class InMemoryProviderTokenServices extends RandomValueProviderTokenServices {
 
   protected final ConcurrentHashMap<String, OAuthProviderTokenImpl> tokenStore = new ConcurrentHashMap<String, OAuthProviderTokenImpl>();
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemorySelfCleaningProviderTokenServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemorySelfCleaningProviderTokenServices.java
index 3142eaf9b..45e9c3baf 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemorySelfCleaningProviderTokenServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemorySelfCleaningProviderTokenServices.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -27,8 +27,12 @@
 /**
  * Implementation of TokenServices that stores tokens in memory. The token services will schedule a thread to do cleaning up of expired tokens.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class InMemorySelfCleaningProviderTokenServices extends InMemoryProviderTokenServices implements DisposableBean {
 
   private ScheduledExecutorService scheduler;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InvalidOAuthTokenException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InvalidOAuthTokenException.java
index 113ea14f3..7874c8b14 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InvalidOAuthTokenException.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InvalidOAuthTokenException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,9 +19,13 @@
 import org.springframework.security.oauth.common.OAuthException;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class InvalidOAuthTokenException extends OAuthException {
 
   public InvalidOAuthTokenException(String msg) {
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthAccessProviderToken.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthAccessProviderToken.java
index 858ae43e6..b8cbc9858 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthAccessProviderToken.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthAccessProviderToken.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,8 +19,12 @@
 import org.springframework.security.core.Authentication;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthAccessProviderToken extends OAuthProviderToken {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderToken.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderToken.java
index 15b0f3922..375761ad5 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderToken.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderToken.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,8 +19,12 @@
 import java.io.Serializable;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthProviderToken extends Serializable {
   /**
    * The value of the token.
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenImpl.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenImpl.java
index 8a5c24a86..3a9916897 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenImpl.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenImpl.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,8 +21,12 @@
 /**
  * Basic implementation for an OAuth token.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class OAuthProviderTokenImpl implements OAuthAccessProviderToken {
 
   private static final long serialVersionUID = -1794426591002744140L;
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenServices.java
index b345a9bbd..db8f42a6b 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenServices.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,8 +20,12 @@
 import org.springframework.security.core.AuthenticationException;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthProviderTokenServices {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleListener.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleListener.java
index a09738624..375ba701c 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleListener.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleListener.java
@@ -3,8 +3,12 @@
 /**
  * Interface for listening to the lifecycle of a token.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthTokenLifecycleListener {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleRegistry.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleRegistry.java
index 16a46a7bb..f5906a084 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleRegistry.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleRegistry.java
@@ -7,8 +7,12 @@
 /**
  * Interface for a registry of token lifecycle listeners.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthTokenLifecycleRegistry {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/RandomValueProviderTokenServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/RandomValueProviderTokenServices.java
index 8ae12b88f..67218cd99 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/RandomValueProviderTokenServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/RandomValueProviderTokenServices.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -32,8 +32,12 @@
  * This base implementation creates tokens that have an expiration.  For request tokens, the default validity is
  * 10 minutes.  For access tokens, the default validity is 12 hours.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public abstract class RandomValueProviderTokenServices implements OAuthProviderTokenServices, InitializingBean, OAuthTokenLifecycleRegistry {
 
   private Random random;
@@ -80,7 +84,7 @@ public OAuthProviderToken getToken(String token) throws AuthenticationException
     OAuthProviderTokenImpl tokenImpl = readToken(token);
 
     if (tokenImpl == null) {
-      throw new InvalidOAuthTokenException("Invalid token: " + token);
+      throw new InvalidOAuthTokenException("Invalid token");
     }
     else if (isExpired(tokenImpl)) {
       removeToken(token);
@@ -134,7 +138,7 @@ public void authorizeRequestToken(String requestToken, String verifier, Authenti
     OAuthProviderTokenImpl tokenImpl = readToken(requestToken);
 
     if (tokenImpl == null) {
-      throw new InvalidOAuthTokenException("Invalid token: " + requestToken);
+      throw new InvalidOAuthTokenException("Invalid token");
     }
     else if (isExpired(tokenImpl)) {
       removeToken(requestToken);
@@ -155,7 +159,7 @@ public OAuthAccessProviderToken createAccessToken(String requestToken) throws Au
     OAuthProviderTokenImpl tokenImpl = readToken(requestToken);
 
     if (tokenImpl == null) {
-      throw new InvalidOAuthTokenException("Invalid token: " + requestToken);
+      throw new InvalidOAuthTokenException("Invalid token");
     }
     else if (isExpired(tokenImpl)) {
       removeToken(requestToken);
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/OAuthVerifierServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/OAuthVerifierServices.java
index a775b9449..020ba3a5d 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/OAuthVerifierServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/OAuthVerifierServices.java
@@ -3,8 +3,12 @@
 /**
  * Service for generating a verifier.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface OAuthVerifierServices {
 
   /**
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/RandomValueVerifierServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/RandomValueVerifierServices.java
index db3f26040..a163cec47 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/RandomValueVerifierServices.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/RandomValueVerifierServices.java
@@ -8,8 +8,12 @@
 /**
  * Basic implementation of the verifier services that creates a random-value verifier and stores it in an in-memory map.
  *
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class RandomValueVerifierServices implements OAuthVerifierServices, InitializingBean {
 
   private static final char[] DEFAULT_CODEC = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".toCharArray();
diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/VerificationFailedException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/VerificationFailedException.java
index 90d78788e..986218f40 100644
--- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/VerificationFailedException.java
+++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/VerificationFailedException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,9 +19,13 @@
 import org.springframework.security.oauth.common.OAuthException;
 
 /**
+ * <p>
+ * @deprecated The OAuth 1.0 Protocol <a href="https://tools.ietf.org/html/rfc5849">RFC 5849</a> is obsoleted by the OAuth 2.0 Authorization Framework <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class VerificationFailedException extends OAuthException {
   public VerificationFailedException(String msg) {
     super(msg);
diff --git a/spring-security-oauth/src/main/resources/META-INF/spring.schemas b/spring-security-oauth/src/main/resources/META-INF/spring.schemas
index 32f6b1546..0a3b46ad4 100644
--- a/spring-security-oauth/src/main/resources/META-INF/spring.schemas
+++ b/spring-security-oauth/src/main/resources/META-INF/spring.schemas
@@ -1,2 +1,2 @@
-http\://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd=org/springframework/security/oauth/spring-security-oauth-1.0.xsd
-http\://www.springframework.org/schema/security/spring-security-oauth.xsd=org/springframework/security/oauth/spring-security-oauth-1.0.xsd
+https\://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd=org/springframework/security/oauth/spring-security-oauth-1.0.xsd
+https\://www.springframework.org/schema/security/spring-security-oauth.xsd=org/springframework/security/oauth/spring-security-oauth-1.0.xsd
diff --git a/spring-security-oauth/src/main/resources/org/springframework/security/oauth/spring-security-oauth-1.0.xsd b/spring-security-oauth/src/main/resources/org/springframework/security/oauth/spring-security-oauth-1.0.xsd
index 97ae17460..e71aedc22 100644
--- a/spring-security-oauth/src/main/resources/org/springframework/security/oauth/spring-security-oauth-1.0.xsd
+++ b/spring-security-oauth/src/main/resources/org/springframework/security/oauth/spring-security-oauth-1.0.xsd
@@ -257,7 +257,7 @@
   <xs:element name="expression-handler">
     <xs:annotation>
       <xs:documentation>
-        Element for declaring and configuring an expression handler for oauth security expressions. See http://docs.spring.io/spring-security/site/docs/4.0.x/reference/html/el-access.html
+        Element for declaring and configuring an expression handler for oauth security expressions. See https://docs.spring.io/spring-security/site/docs/4.0.x/reference/html/el-access.html
       </xs:documentation>
     </xs:annotation>
     <xs:complexType>
diff --git a/spring-security-oauth/src/test/java/net/oauth/signature/GoogleCodeCompatibilityTests.java b/spring-security-oauth/src/test/java/net/oauth/signature/GoogleCodeCompatibilityTests.java
index e8c8b3a3e..3db9d5333 100644
--- a/spring-security-oauth/src/test/java/net/oauth/signature/GoogleCodeCompatibilityTests.java
+++ b/spring-security-oauth/src/test/java/net/oauth/signature/GoogleCodeCompatibilityTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -87,13 +87,13 @@ protected String getBaseUrl(HttpServletRequest request) {
 			when(request.getParameterValues(param.getKey())).thenReturn(param.getValue());
 		}
 
-		String header = "OAuth realm=\"http://sp.example.com//","
+		String header = "OAuth realm=\"https://sp.example.com//","
 				+ "                oauth_consumer_key=\"0685bd9184jfhq22\","
 				+ "                oauth_token=\"ad180jjd733klru7\","
 				+ "                oauth_signature_method=\"HMAC-SHA1\","
 				+ "                oauth_signature=\"wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D\","
 				+ "                oauth_timestamp=\"137131200\"," + "                oauth_callback=\""
-				+ OAuthCodec.oauthEncode("http://myhost.com/callback") + "\","
+				+ OAuthCodec.oauthEncode("https://myhost.com/callback") + "\","
 				+ "                oauth_nonce=\"4572616e48616d6d65724c61686176\","
 				+ "                oauth_version=\"1.0\"";
 		when(request.getHeaders("Authorization")).thenReturn(Collections.enumeration(Arrays.asList(header)));
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/OAuthCodecTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/OAuthCodecTests.java
index 06c870332..cc55abddf 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/OAuthCodecTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/OAuthCodecTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/CoreOAuthSignatureMethodFactoryTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/CoreOAuthSignatureMethodFactoryTests.java
index 90c0b9be0..107277d77 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/CoreOAuthSignatureMethodFactoryTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/CoreOAuthSignatureMethodFactoryTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/HMAC_SHA1SignatureMethodTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/HMAC_SHA1SignatureMethodTests.java
index 293cad1d6..0ebf3994b 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/HMAC_SHA1SignatureMethodTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/HMAC_SHA1SignatureMethodTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/PlainTextSignatureMethodTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/PlainTextSignatureMethodTests.java
index 08927a001..fdcc840f5 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/PlainTextSignatureMethodTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/PlainTextSignatureMethodTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/RSA_SHA1SignatureMethodTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/RSA_SHA1SignatureMethodTests.java
index 8b8c77570..e68dd10ad 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/RSA_SHA1SignatureMethodTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/common/signature/RSA_SHA1SignatureMethodTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/config/AuthorizationServerBeanDefinitionParserTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/config/AuthorizationServerBeanDefinitionParserTests.java
index d2000dd4d..322a0bad2 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/config/AuthorizationServerBeanDefinitionParserTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/config/AuthorizationServerBeanDefinitionParserTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/GoogleOAuthTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/GoogleOAuthTests.java
index 0dca1e5c2..39ff26db4 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/GoogleOAuthTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/GoogleOAuthTests.java
@@ -32,14 +32,14 @@ public void testGetRequestToken() throws Exception {
 		googleDetails.setSignatureMethod(HMAC_SHA1SignatureMethod.SIGNATURE_NAME);
 		googleDetails.setRequestTokenHttpMethod("GET");
 		HashMap<String, String> additional = new HashMap<String, String>();
-		additional.put("scope", "http://picasaweb.google.com/data");
+		additional.put("scope", "https://picasaweb.google.com/data");
 		googleDetails.setAdditionalParameters(additional);
 		detailsStore.put(googleDetails.getId(), googleDetails);
 		service.setResourceDetailsStore(detailsStore);
 		support.setProtectedResourceDetailsService(service);
 		// uncomment to see a request to google.
-		// see http://code.google.com/apis/accounts/docs/OAuth_ref.html
-		// and http://jira.codehaus.org/browse/OAUTHSS-37
+		// see https://code.google.com/apis/accounts/docs/OAuth_ref.html
+		// and https://jira.codehaus.org/browse/OAUTHSS-37
 		// OAuthConsumerToken token = support.getUnauthorizedRequestToken("google", "urn:mycallback");
 		// System.out.println(token.getValue());
 		// System.out.println(token.getSecret());
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/client/CoreOAuthConsumerSupportTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/client/CoreOAuthConsumerSupportTests.java
index 08673d126..bf4d76d51 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/client/CoreOAuthConsumerSupportTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/client/CoreOAuthConsumerSupportTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -93,7 +93,7 @@ public void testAfterPropertiesSet() throws Exception {
 	public void testReadResouce() throws Exception {
 
 		OAuthConsumerToken token = new OAuthConsumerToken();
-		URL url = new URL("http://myhost.com/resource?with=some&query=params&too");
+		URL url = new URL("https://myhost.com/resource?with=some&query=params&too");
 		final ConnectionProps connectionProps = new ConnectionProps();
 		final ByteArrayInputStream inputStream = new ByteArrayInputStream(new byte[0]);
 
@@ -446,10 +446,10 @@ public void testGetSignatureBaseString() throws Exception {
 
 		CoreOAuthConsumerSupport support = new CoreOAuthConsumerSupport();
 
-		String baseString = support.getSignatureBaseString(oauthParams, new URL("http://photos.example.net/photos"),
+		String baseString = support.getSignatureBaseString(oauthParams, new URL("https://photos.example.net/photos"),
 				"geT");
 		assertEquals(
-				"GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal",
+				"GET&https%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal",
 				baseString);
 	}
 
@@ -461,9 +461,9 @@ public void testGetSignatureBaseStringSimple() throws Exception {
 
 		CoreOAuthConsumerSupport support = new CoreOAuthConsumerSupport();
 
-		String baseString = support.getSignatureBaseString(oauthParams, new URL("http://photos.example.net/photos"),
+		String baseString = support.getSignatureBaseString(oauthParams, new URL("https://photos.example.net/photos"),
 				"get");
-		assertEquals("GET&http%3A%2F%2Fphotos.example.net%2Fphotos&bar%3D120%26bar%3D24%26foo%3Dbar", baseString);
+		assertEquals("GET&https%3A%2F%2Fphotos.example.net%2Fphotos&bar%3D120%26bar%3D24%26foo%3Dbar", baseString);
 	}
 
 	// See SECOAUTH-383
@@ -475,9 +475,9 @@ public void testGetSignatureBaseStringMultivaluedLast() throws Exception {
 
 		CoreOAuthConsumerSupport support = new CoreOAuthConsumerSupport();
 
-		String baseString = support.getSignatureBaseString(oauthParams, new URL("http://photos.example.net/photos"),
+		String baseString = support.getSignatureBaseString(oauthParams, new URL("https://photos.example.net/photos"),
 				"get");
-		assertEquals("GET&http%3A%2F%2Fphotos.example.net%2Fphotos&foo%3Dbar%26pin%3D1%26pin%3D2", baseString);
+		assertEquals("GET&https%3A%2F%2Fphotos.example.net%2Fphotos&foo%3Dbar%26pin%3D1%26pin%3D2", baseString);
 	}
 
 	static class StreamHandlerForTestingPurposes extends Handler {
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/client/OAuthRestTemplateTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/client/OAuthRestTemplateTests.java
index 76899c9dc..2605a37b3 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/client/OAuthRestTemplateTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/client/OAuthRestTemplateTests.java
@@ -29,7 +29,7 @@ public class OAuthRestTemplateTests {
 
     @Test
     public void testOAuthRestTemplateNoAdditionalParameters() {
-        String url = "http://myhost.com/resource?with=some&query=params&too";
+        String url = "https://myhost.com/resource?with=some&query=params&too";
 
         when(details.getSignatureMethod()).thenReturn("HMAC-SHA1");
         when(details.getConsumerKey()).thenReturn("consumerKey");
@@ -57,7 +57,7 @@ public void testOAuthRestTemplateNoAdditionalParameters() {
 
     @Test
     public void testOAuthRestTemplateWithAdditionalParameters() {
-        String url = "http://myhost.com/resource?with=some&query=params&too";
+        String url = "https://myhost.com/resource?with=some&query=params&too";
 
         when(details.getSignatureMethod()).thenReturn("HMAC-SHA1");
         when(details.getConsumerKey()).thenReturn("consumerKey");
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerContextFilterTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerContextFilterTests.java
index a853a36ac..c531574f2 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerContextFilterTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerContextFilterTests.java
@@ -60,15 +60,15 @@ public void testGetUserAuthorizationRedirectURL() throws Exception {
 		OAuthConsumerToken token = new OAuthConsumerToken();
 		token.setResourceId("resourceId");
 		token.setValue("mytoken");
-		when(details.getUserAuthorizationURL()).thenReturn("http://user-auth/context?with=some&queryParams");
+		when(details.getUserAuthorizationURL()).thenReturn("https://user-auth/context?with=some&queryParams");
 		when(details.isUse10a()).thenReturn(false);
 		assertEquals(
-				"http://user-auth/context?with=some&queryParams&oauth_token=mytoken&oauth_callback=urn%3A%2F%2Fcallback%3Fwith%3Dsome%26query%3Dparams",
+				"https://user-auth/context?with=some&queryParams&oauth_token=mytoken&oauth_callback=urn%3A%2F%2Fcallback%3Fwith%3Dsome%26query%3Dparams",
 				filter.getUserAuthorizationRedirectURL(details, token, "urn://callback?with=some&query=params"));
 
-		when(details.getUserAuthorizationURL()).thenReturn("http://user-auth/context?with=some&queryParams");
+		when(details.getUserAuthorizationURL()).thenReturn("https://user-auth/context?with=some&queryParams");
 		when(details.isUse10a()).thenReturn(true);
-		assertEquals("http://user-auth/context?with=some&queryParams&oauth_token=mytoken",
+		assertEquals("https://user-auth/context?with=some&queryParams&oauth_token=mytoken",
 				filter.getUserAuthorizationRedirectURL(details, token, "urn://callback?with=some&query=params"));
 	}
 
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServicesTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServicesTests.java
index 9beba686b..b20fa8e57 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServicesTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServicesTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/CoreOAuthProviderSupportTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/CoreOAuthProviderSupportTests.java
index 451e42aaf..f64270759 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/CoreOAuthProviderSupportTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/CoreOAuthProviderSupportTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -48,7 +48,7 @@ public class CoreOAuthProviderSupportTests {
 	public void testParseParameters() throws Exception {
 		CoreOAuthProviderSupport support = new CoreOAuthProviderSupport();
 		when(request.getHeaders("Authorization")).thenReturn(
-				Collections.enumeration(Arrays.asList("OAuth realm=\"http://sp.example.com//",\n"
+				Collections.enumeration(Arrays.asList("OAuth realm=\"https://sp.example.com//",\n"
 						+ "                oauth_consumer_key=\"0685bd9184jfhq22\",\n"
 						+ "                oauth_token=\"ad180jjd733klru7\",\n"
 						+ "                oauth_signature_method=\"HMAC-SHA1\",\n"
@@ -57,7 +57,7 @@ public void testParseParameters() throws Exception {
 						+ "                oauth_nonce=\"4572616e48616d6d65724c61686176\",\n"
 						+ "                oauth_version=\"1.0\"")));
 		Map<String, String> params = support.parseParameters(request);
-		assertEquals("http://sp.example.com/", params.get("realm"));
+		assertEquals("https://sp.example.com/", params.get("realm"));
 		assertEquals("0685bd9184jfhq22", params.get(OAuthConsumerParameter.oauth_consumer_key.toString()));
 		assertEquals("ad180jjd733klru7", params.get(OAuthConsumerParameter.oauth_token.toString()));
 		assertEquals("HMAC-SHA1", params.get(OAuthConsumerParameter.oauth_signature_method.toString()));
@@ -82,7 +82,7 @@ public void testGetSignatureBaseString() throws Exception {
 		}
 
 		when(request.getHeaders("Authorization")).thenReturn(
-				Collections.enumeration(Arrays.asList("OAuth realm=\"http://sp.example.com//",\n"
+				Collections.enumeration(Arrays.asList("OAuth realm=\"https://sp.example.com//",\n"
 						+ "                oauth_consumer_key=\"dpf43f3p2l4k3l03\",\n"
 						+ "                oauth_token=\"nnch734d00sl2jdk\",\n"
 						+ "                oauth_signature_method=\"HMAC-SHA1\",\n"
@@ -93,12 +93,12 @@ public void testGetSignatureBaseString() throws Exception {
 
 		when(request.getMethod()).thenReturn("gEt");
 		CoreOAuthProviderSupport support = new CoreOAuthProviderSupport();
-		support.setBaseUrl("http://photos.example.net/");
+		support.setBaseUrl("https://photos.example.net/");
 		when(request.getRequestURI()).thenReturn("photos");
 
 		String baseString = support.getSignatureBaseString(request);
 		assertEquals(
-				"GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal",
+				"GET&https%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal",
 				baseString);
 	}
 
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/AccessTokenProcessingFilterTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/AccessTokenProcessingFilterTests.java
index 0360eecfb..5199c30fe 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/AccessTokenProcessingFilterTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/AccessTokenProcessingFilterTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/OAuthProcessingFilterTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/OAuthProcessingFilterTests.java
index ab0a9ac90..b164b14bb 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/OAuthProcessingFilterTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/OAuthProcessingFilterTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/OAuthUserAuthorizationProcessingFilterTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/OAuthUserAuthorizationProcessingFilterTests.java
index 76d57d0e0..ff967daed 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/OAuthUserAuthorizationProcessingFilterTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/OAuthUserAuthorizationProcessingFilterTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/ProtectedResourceProcessingFilterTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/ProtectedResourceProcessingFilterTests.java
index 4f8f4cc30..8fc88f830 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/ProtectedResourceProcessingFilterTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/ProtectedResourceProcessingFilterTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/UnauthenticatedRequestTokenProcessingFilterTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/UnauthenticatedRequestTokenProcessingFilterTests.java
index c6d27c93d..fb3fc1ac3 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/UnauthenticatedRequestTokenProcessingFilterTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/UnauthenticatedRequestTokenProcessingFilterTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/UserAuthorizationSuccessfulAuthenticationHandlerTests.java b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/UserAuthorizationSuccessfulAuthenticationHandlerTests.java
index 6924e6b4d..adc112008 100644
--- a/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/UserAuthorizationSuccessfulAuthenticationHandlerTests.java
+++ b/spring-security-oauth/src/test/java/org/springframework/security/oauth/provider/filter/UserAuthorizationSuccessfulAuthenticationHandlerTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -45,7 +45,7 @@ public void testAuthenticationSuccess() throws Exception {
 		handler.setRedirectStrategy(redirectStrategy);
 
 		when(request.getAttribute(UserAuthorizationProcessingFilter.CALLBACK_ATTRIBUTE)).thenReturn(
-				"http://my.host.com/my/context");
+				"https://my.host.com/my/context");
 		when(request.getAttribute(UserAuthorizationProcessingFilter.VERIFIER_ATTRIBUTE)).thenReturn("myver");
 		when(request.getParameter("requestToken")).thenReturn("mytok");
 
@@ -53,19 +53,19 @@ public void testAuthenticationSuccess() throws Exception {
 		handler.onAuthenticationSuccess(request, response, null);
 
 		verify(redirectStrategy).sendRedirect(request, response,
-				"http://my.host.com/my/context?oauth_token=mytok&oauth_verifier=myver");
+				"https://my.host.com/my/context?oauth_token=mytok&oauth_verifier=myver");
 
 		handler = new UserAuthorizationSuccessfulAuthenticationHandler();
 		handler.setRedirectStrategy(redirectStrategy);
 
 		when(request.getAttribute(UserAuthorizationProcessingFilter.CALLBACK_ATTRIBUTE)).thenReturn(
-				"http://my.hosting.com/my/context?with=some&query=parameter");
+				"https://my.hosting.com/my/context?with=some&query=parameter");
 		when(request.getAttribute(UserAuthorizationProcessingFilter.VERIFIER_ATTRIBUTE)).thenReturn("myvera");
 		when(request.getParameter("requestToken")).thenReturn("mytoka");
 
 		handler.onAuthenticationSuccess(request, response, null);
 
 		verify(redirectStrategy).sendRedirect(request, response,
-				"http://my.hosting.com/my/context?with=some&query=parameter&oauth_token=mytoka&oauth_verifier=myvera");
+				"https://my.hosting.com/my/context?with=some&query=parameter&oauth_token=mytoka&oauth_verifier=myvera");
 	}
 }
diff --git a/spring-security-oauth/src/test/resources/org/springframework/security/oauth/config/AuthorizationServerBeanDefinitionParserTests-context.xml b/spring-security-oauth/src/test/resources/org/springframework/security/oauth/config/AuthorizationServerBeanDefinitionParserTests-context.xml
index 74ae58447..29aaff567 100644
--- a/spring-security-oauth/src/test/resources/org/springframework/security/oauth/config/AuthorizationServerBeanDefinitionParserTests-context.xml
+++ b/spring-security-oauth/src/test/resources/org/springframework/security/oauth/config/AuthorizationServerBeanDefinitionParserTests-context.xml
@@ -2,9 +2,9 @@
 
 <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans"
              xmlns:oauth="http://www.springframework.org/schema/security/oauth" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-             xsi:schemaLocation="http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd-%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security%20http://www.springframework.org/schema/security/spring-security.xsd-%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security/oauth%20http://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd">
+             xsi:schemaLocation="http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd+%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security%20https://www.springframework.org/schema/security/spring-security.xsd+%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security/oauth%20https://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd">
 
   <http auto-config='true' servlet-api-provision="false">
     <intercept-url pattern="/xml/photos" access="ROLE_USER" />
diff --git a/spring-security-oauth/src/test/resources/org/springframework/security/oauth/config/ConsumerServiceBeanDefinitionParserTests-context.xml b/spring-security-oauth/src/test/resources/org/springframework/security/oauth/config/ConsumerServiceBeanDefinitionParserTests-context.xml
index a80ba48ba..4e1bf82d7 100644
--- a/spring-security-oauth/src/test/resources/org/springframework/security/oauth/config/ConsumerServiceBeanDefinitionParserTests-context.xml
+++ b/spring-security-oauth/src/test/resources/org/springframework/security/oauth/config/ConsumerServiceBeanDefinitionParserTests-context.xml
@@ -2,9 +2,9 @@
 
 <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd-%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security%20http://www.springframework.org/schema/security/spring-security.xsd-%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security/oauth%20http://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd+%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security%20https://www.springframework.org/schema/security/spring-security.xsd+%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security/oauth%20https://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd">
 
 	<http auto-config='true' servlet-api-provision="false">
 		<intercept-url pattern="/xml/photos" access="ROLE_USER" />
diff --git a/spring-security-oauth/src/test/resources/org/springframework/security/oauth/config/FilterChainInitializationTests-context.xml b/spring-security-oauth/src/test/resources/org/springframework/security/oauth/config/FilterChainInitializationTests-context.xml
index 4ee38a579..cfb0a9f00 100644
--- a/spring-security-oauth/src/test/resources/org/springframework/security/oauth/config/FilterChainInitializationTests-context.xml
+++ b/spring-security-oauth/src/test/resources/org/springframework/security/oauth/config/FilterChainInitializationTests-context.xml
@@ -2,11 +2,11 @@
 <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xsi:schemaLocation="http://www.springframework.org/schema/beans-%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/beans/spring-beans.xsd+%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20https://www.springframework.org/schema/beans/spring-beans.xsd%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security-%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security/spring-security.xsd+%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20https://www.springframework.org/schema/security/spring-security.xsd%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security/oauth-%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd">
+                                 https://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd">
 
 	<authentication-manager alias="authenticationManager" />
 
diff --git a/spring-security-oauth2/pom.xml b/spring-security-oauth2/pom.xml
index a0af01cf6..c3bc56706 100644
--- a/spring-security-oauth2/pom.xml
+++ b/spring-security-oauth2/pom.xml
@@ -1,11 +1,11 @@
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/maven-v4_0_0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<artifactId>spring-security-oauth2</artifactId>
@@ -13,21 +13,18 @@
 	<description>Module for providing OAuth2 support to Spring Security</description>
 
 	<properties>
-		<jackson1.version>1.9.13</jackson1.version>
-		<jackson2.version>2.3.2</jackson2.version>
+		<jackson2.version>2.10.5.1</jackson2.version>
 		<servlet-api.version>3.0.1</servlet-api.version>
-		<spring.security.jwt.version>1.0.9.RELEASE</spring.security.jwt.version>
-		<junit.version>4.11</junit.version>
-		<powermock.version>1.5.4</powermock.version>
+		<spring.security.jwt.version>1.1.1.RELEASE</spring.security.jwt.version>
+		<powermock.version>1.7.4</powermock.version>
 	</properties>
 
 	<profiles>
 		<profile>
 			<id>spring5</id>
 			<properties>
-				<jackson2.version>2.9.0.pr3</jackson2.version>
+				<jackson2.version>2.10.5.1</jackson2.version>
 				<servlet-api.version>3.1.0</servlet-api.version>
-				<junit.version>4.12</junit.version>
 				<powermock.version>1.6.1</powermock.version>
 			</properties>
 		</profile>
@@ -152,12 +149,6 @@
 			<artifactId>commons-codec</artifactId>
 		</dependency>
 
-		<dependency>
-			<groupId>org.codehaus.jackson</groupId>
-			<artifactId>jackson-mapper-asl</artifactId>
-			<version>${jackson1.version}</version>
-		</dependency>
-
 		<dependency>
         	<groupId>org.springframework.data</groupId>
 			<artifactId>spring-data-redis</artifactId>
@@ -175,7 +166,7 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-annotations</artifactId>
-            <version>${jackson2.version}</version>
+            <version>2.10.5</version>
             <optional>true</optional>
         </dependency>
 
@@ -189,7 +180,7 @@
 		<dependency>
 			<groupId>org.apache.httpcomponents</groupId>
 			<artifactId>httpclient</artifactId>
-			<version>4.3.3</version>
+			<version>4.5.13</version>
             <optional>true</optional>
 		</dependency>
 
@@ -225,7 +216,7 @@
 		<dependency>
 			<groupId>org.mockito</groupId>
 			<artifactId>mockito-core</artifactId>
-			<version>1.9.5</version>
+			<version>${mockito.version}</version>
 			<scope>test</scope>
 		</dependency>
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContext.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContext.java
index dc4657c2e..18b737279 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContext.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContext.java
@@ -1,8 +1,8 @@
 package org.springframework.security.oauth2.client;
 
 import java.io.Serializable;
-import java.util.HashMap;
 import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
 
 import org.springframework.security.oauth2.client.token.AccessTokenRequest;
 import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
@@ -10,9 +10,13 @@
 
 /**
  * The OAuth 2 security context (for a specific user or client or combination thereof).
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
+@Deprecated
 public class DefaultOAuth2ClientContext implements OAuth2ClientContext, Serializable {
 
 	private static final long serialVersionUID = 914967629530462926L;
@@ -21,7 +25,7 @@ public class DefaultOAuth2ClientContext implements OAuth2ClientContext, Serializ
 
 	private AccessTokenRequest accessTokenRequest;
 
-	private Map<String, Object> state = new HashMap<String, Object>();
+	private Map<String, Object> state = new ConcurrentHashMap<String, Object>();
 
 	public DefaultOAuth2ClientContext() {
 		this(new DefaultAccessTokenRequest());
@@ -50,6 +54,7 @@ public AccessTokenRequest getAccessTokenRequest() {
 	}
 
 	public void setPreservedState(String stateKey, Object preservedState) {
+		state.clear();
 		state.put(stateKey, preservedState);
 	}
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2RequestAuthenticator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2RequestAuthenticator.java
index 92d5125f2..c6b8d5a26 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2RequestAuthenticator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2RequestAuthenticator.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -20,9 +20,13 @@
 import org.springframework.util.StringUtils;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public class DefaultOAuth2RequestAuthenticator implements OAuth2RequestAuthenticator {
 
 	@Override
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2ClientContext.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2ClientContext.java
index de2b27876..dc02aaf3a 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2ClientContext.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2ClientContext.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -16,9 +16,13 @@
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface OAuth2ClientContext {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RequestAuthenticator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RequestAuthenticator.java
index 222e85836..4cbed416d 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RequestAuthenticator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RequestAuthenticator.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -17,9 +17,13 @@
 import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public interface OAuth2RequestAuthenticator {
 
 	void authenticate(OAuth2ProtectedResourceDetails resource, OAuth2ClientContext clientContext, ClientHttpRequest request);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestOperations.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestOperations.java
index 1abea6d81..839f5fd77 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestOperations.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestOperations.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -22,9 +22,13 @@
 import org.springframework.web.client.RestOperations;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface OAuth2RestOperations extends RestOperations {
 
 	OAuth2AccessToken getAccessToken() throws UserRedirectRequiredException;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestTemplate.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestTemplate.java
index e44efd15b..3f8c18452 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestTemplate.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestTemplate.java
@@ -2,10 +2,12 @@
 
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.lang.reflect.Field;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URLEncoder;
 import java.util.Arrays;
+import java.util.Calendar;
 
 import org.springframework.http.HttpMethod;
 import org.springframework.http.client.ClientHttpRequest;
@@ -24,6 +26,8 @@
 import org.springframework.security.oauth2.common.AuthenticationScheme;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
+import org.springframework.util.Assert;
+import org.springframework.util.ReflectionUtils;
 import org.springframework.web.client.RequestCallback;
 import org.springframework.web.client.ResponseErrorHandler;
 import org.springframework.web.client.ResponseExtractor;
@@ -32,10 +36,14 @@
 
 /**
  * Rest template that is able to make OAuth2-authenticated REST requests with the credentials of the provided resource.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class OAuth2RestTemplate extends RestTemplate implements OAuth2RestOperations {
 
 	private final OAuth2ProtectedResourceDetails resource;
@@ -50,6 +58,8 @@ public class OAuth2RestTemplate extends RestTemplate implements OAuth2RestOperat
 
 	private OAuth2RequestAuthenticator authenticator = new DefaultOAuth2RequestAuthenticator();
 
+	private int clockSkew = 30;
+
 	public OAuth2RestTemplate(OAuth2ProtectedResourceDetails resource) {
 		this(resource, new DefaultOAuth2ClientContext());
 	}
@@ -168,7 +178,7 @@ public OAuth2AccessToken getAccessToken() throws UserRedirectRequiredException {
 
 		OAuth2AccessToken accessToken = context.getAccessToken();
 
-		if (accessToken == null || accessToken.isExpired()) {
+		if (accessToken == null || hasTokenExpired(accessToken)) {
 			try {
 				accessToken = acquireAccessToken(context);
 			}
@@ -189,6 +199,16 @@ public OAuth2AccessToken getAccessToken() throws UserRedirectRequiredException {
 		return accessToken;
 	}
 
+	private boolean hasTokenExpired(OAuth2AccessToken accessToken) {
+		Calendar now = Calendar.getInstance();
+		Calendar expiresAt = (Calendar) now.clone();
+		if (accessToken.getExpiration() != null) {
+			expiresAt.setTime(accessToken.getExpiration());
+			expiresAt.add(Calendar.SECOND, -this.clockSkew);
+		}
+		return now.after(expiresAt);
+	}
+
 	/**
 	 * @return the context for this template
 	 */
@@ -269,6 +289,42 @@ protected URI appendQueryParameter(URI uri, OAuth2AccessToken accessToken) {
 
 	public void setAccessTokenProvider(AccessTokenProvider accessTokenProvider) {
 		this.accessTokenProvider = accessTokenProvider;
+		propagateClockSkewToAccessTokenProvider(this.clockSkew, accessTokenProvider);
+	}
+
+	/**
+	 * Sets the maximum acceptable clock skew, which is used when checking the
+	 * {@link OAuth2AccessToken access token} expiry. The default is 30 seconds.
+	 *
+	 * @param clockSkew the maximum acceptable clock skew
+	 */
+	public void setClockSkew(int clockSkew) {
+		Assert.isTrue(clockSkew >= 0, "clockSkew must be >= 0");
+		this.clockSkew = clockSkew;
+		propagateClockSkewToAccessTokenProvider(clockSkew, this.accessTokenProvider);
 	}
 
-}
+	/**
+	 * Propagates the maximum acceptable clock skew, which is used when checking the
+	 * {@link OAuth2AccessToken access token} expiry into the given {@link AccessTokenProvider} if it is an instance of
+	 * {@link AccessTokenProviderChain}.
+	 * <p>
+	 * <b>Note:</b> The clock skew value is injected via reflection as version 2.5.0 was the final minor release before EOL of
+	 * this project and the public API must not be changed in patch releases.
+	 *
+	 * @param clockSkew the maximum acceptable clock skew
+	 * @param accessTokenProvider the access token provider
+	 */
+	private static void propagateClockSkewToAccessTokenProvider(int clockSkew, AccessTokenProvider accessTokenProvider) {
+		if (!(accessTokenProvider instanceof AccessTokenProviderChain)) {
+			return;
+		}
+
+		Field field = ReflectionUtils.findField(accessTokenProvider.getClass(), "clockSkew");
+		if (field == null) {
+			return;
+		}
+		field.setAccessible(true);
+		ReflectionUtils.setField(field, accessTokenProvider, clockSkew);
+	}
+}
\ No newline at end of file
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderConfiguration.java
index 7cde6f8c9..43caf5989 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderConfiguration.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderConfiguration.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,11 +21,15 @@
 /**
  * Configuration information for an <i>OAuth 2.0 Provider</i>.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Joe Grandja
  * @since 2.2
  * @see ProviderDiscoveryClient
- * @see <a target="_blank" href="http://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect Discovery 1.0</a>
+ * @see <a target="_blank" href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect Discovery 1.0</a>
  */
+@Deprecated
 public class ProviderConfiguration {
 	private URL issuer;
 	private URL authorizationEndpoint;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderDiscoveryClient.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderDiscoveryClient.java
index fc2ecbe22..d33fa7c97 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderDiscoveryClient.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderDiscoveryClient.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -31,11 +31,15 @@
  * <b>NOTE:</b> This is a partial implementation that only discovers a small subset
  * of the available provider configuration information.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Joe Grandja
  * @since 2.2
  * @see ProviderConfiguration
- * @see <a target="_blank" href="http://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect Discovery 1.0</a>
+ * @see <a target="_blank" href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect Discovery 1.0</a>
  */
+@Deprecated
 public class ProviderDiscoveryClient {
 	private static final String PROVIDER_END_PATH = "/.well-known/openid-configuration";
 	private static final String ISSUER_ATTR_NAME = "issuer";
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2AuthenticationFailureEvent.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2AuthenticationFailureEvent.java
index 9d3c4f0ed..a32ccd1cc 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2AuthenticationFailureEvent.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2AuthenticationFailureEvent.java
@@ -4,7 +4,13 @@
 import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
 import org.springframework.security.core.AuthenticationException;
 
+/**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ */
 @SuppressWarnings("serial")
+@Deprecated
 public class OAuth2AuthenticationFailureEvent extends AbstractAuthenticationFailureEvent {
 
 	public OAuth2AuthenticationFailureEvent(AuthenticationException exception) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientAuthenticationProcessingFilter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientAuthenticationProcessingFilter.java
index b616712ce..39e693bb0 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientAuthenticationProcessingFilter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientAuthenticationProcessingFilter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -46,10 +46,14 @@
 /**
  * An OAuth2 client filter that can be used to acquire an OAuth2 access token from an authorization server, and load an
  * authentication object into the SecurityContext
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Vidya Valmikinathan
  * 
  */
+@Deprecated
 public class OAuth2ClientAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter {
 
 	public OAuth2RestOperations restTemplate;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientContextFilter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientContextFilter.java
index 2aa69c30c..42ce00370 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientContextFilter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientContextFilter.java
@@ -27,10 +27,14 @@
 
 /**
  * Security filter for an OAuth2 client.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class OAuth2ClientContextFilter implements Filter, InitializingBean {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/DefaultStateKeyGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/DefaultStateKeyGenerator.java
index 569007200..7bf3bb131 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/DefaultStateKeyGenerator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/DefaultStateKeyGenerator.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -16,9 +16,13 @@
 import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public class DefaultStateKeyGenerator implements StateKeyGenerator {
 
 	private RandomValueStringGenerator generator = new RandomValueStringGenerator();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/StateKeyGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/StateKeyGenerator.java
index 58fc0638c..bb904f7e0 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/StateKeyGenerator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/StateKeyGenerator.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -17,10 +17,14 @@
 /**
  * Stategy for generating random keys for state. The state key is important protection for client apps against
  * cross-site request forgery.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface StateKeyGenerator {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/AccessTokenRequiredException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/AccessTokenRequiredException.java
index fc4d42f72..e8509a6f9 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/AccessTokenRequiredException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/AccessTokenRequiredException.java
@@ -4,9 +4,13 @@
 import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class AccessTokenRequiredException extends InsufficientAuthenticationException {
 
   private final OAuth2ProtectedResourceDetails resource;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/OAuth2ErrorHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/OAuth2ErrorHandler.java
index af510e2ae..cfb495cfd 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/OAuth2ErrorHandler.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/OAuth2ErrorHandler.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -37,8 +37,13 @@
 
 /**
  * Error handler specifically for an oauth 2 response.
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class OAuth2ErrorHandler implements ResponseErrorHandler {
 
 	private final ResponseErrorHandler errorHandler;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/StringSplitUtils.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/StringSplitUtils.java
index 6eab12a45..e2c592e73 100755
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/StringSplitUtils.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/StringSplitUtils.java
@@ -10,7 +10,12 @@
 
 /**
  * Provides several <code>String</code> manipulation methods. Copied from deleted org.springframework.security.util.StringSplitUtils
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  */
+@Deprecated
 public class StringSplitUtils {
 
   private static final String[] EMPTY_STRING_ARRAY = new String[0];
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/BaseOAuth2ProtectedResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/BaseOAuth2ProtectedResourceDetails.java
index 3608eb1f4..788b0b45e 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/BaseOAuth2ProtectedResourceDetails.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/BaseOAuth2ProtectedResourceDetails.java
@@ -7,9 +7,13 @@
 import org.springframework.util.StringUtils;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class BaseOAuth2ProtectedResourceDetails implements OAuth2ProtectedResourceDetails {
 
 	private String id;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2AccessDeniedException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2AccessDeniedException.java
index 46a489895..0037c7d40 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2AccessDeniedException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2AccessDeniedException.java
@@ -3,13 +3,17 @@
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 
 /**
- * When access is denied we usually want a 403, but we want the same treatment as all teh other OAuth2Exception types,
+ * When access is denied we usually want a 403, but we want the same treatment as all the other OAuth2Exception types,
  * so this is not a Spring Security AccessDeniedException.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class OAuth2AccessDeniedException extends OAuth2Exception {
 
 	private OAuth2ProtectedResourceDetails resource;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2ProtectedResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2ProtectedResourceDetails.java
index a539f758d..145ae383d 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2ProtectedResourceDetails.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2ProtectedResourceDetails.java
@@ -6,10 +6,14 @@
 
 /**
  * Details for an OAuth2-protected resource.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public interface OAuth2ProtectedResourceDetails {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserApprovalRequiredException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserApprovalRequiredException.java
index 144f9f399..d7505f946 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserApprovalRequiredException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserApprovalRequiredException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,11 +20,15 @@
 
 /**
  * Exception indicating that user approval is required, with some indication of how to signal the approval.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class UserApprovalRequiredException extends RuntimeException {
 
 	private final String approvalUri;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserRedirectRequiredException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserRedirectRequiredException.java
index 3146d9199..6b8a60b9b 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserRedirectRequiredException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserRedirectRequiredException.java
@@ -4,10 +4,14 @@
 
 /**
  * Special exception thrown when a user redirect is required in order to obtain an OAuth2 access token.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class UserRedirectRequiredException extends RuntimeException {
 
 	private final String redirectUri;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/BeforeOAuth2Context.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/BeforeOAuth2Context.java
index f190be6ea..a289eb6ee 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/BeforeOAuth2Context.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/BeforeOAuth2Context.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -21,11 +21,15 @@
  * Marker annotation for methods to be run before the OAuth2Context is setup by the {@link OAuth2ContextSetup} rule, and
  * consequently before the regular JUnit <code>&#64;Before</code> methods, which are executed only <em>after</em> the
  * OAuth2Context is setup.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
 @Retention(RetentionPolicy.RUNTIME)
 @Target(ElementType.METHOD)
+@Deprecated
 public @interface BeforeOAuth2Context {
 }
\ No newline at end of file
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextConfiguration.java
index f09930fa3..06a68b5db 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextConfiguration.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextConfiguration.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -30,12 +30,16 @@
  * Annotation to signal that an OAuth2 authentication should be created and and provided to the enclosing scope (method
  * or class). Used at the class level it will apply to all test methods (and {@link BeforeOAuth2Context} initializers).
  * Used at the method level it will apply only to the method, overriding any value found on the enclosing class.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
 @Retention(RetentionPolicy.RUNTIME)
 @Target({ ElementType.TYPE, ElementType.METHOD })
+@Deprecated
 public @interface OAuth2ContextConfiguration {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextSetup.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextSetup.java
index 83529d7e6..9633ef9cf 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextSetup.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextSetup.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -76,7 +76,7 @@
  * 	public void testSomethingWithClientCredentials() {
  * 		// This call will be authenticated with the client credentials in
  * 		// MyClientDetailsResource
- * 		getRestTemplate().getForObject(&quot;http://myserver/resource&quot;, String.class);
+ * 		getRestTemplate().getForObject(&quot;https://myserver/resource&quot;, String.class);
  * 	}
  * 
  * 	// This class is used to initialize the OAuth2 context for the test methods.
@@ -92,11 +92,15 @@
  * 
  * @see OAuth2ContextConfiguration
  * @see BeforeOAuth2Context
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
 @SuppressWarnings("deprecation")
+@Deprecated
 public class OAuth2ContextSetup extends TestWatchman {
 
 	private static Log logger = LogFactory.getLog(OAuth2ContextSetup.class);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/RestTemplateHolder.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/RestTemplateHolder.java
index aa5a863cd..db8f9b513 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/RestTemplateHolder.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/RestTemplateHolder.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -16,10 +16,14 @@
 
 /**
  * Marker interface for an object that has a getter and setter for a {@link RestOperations}.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface RestTemplateHolder {
 
 	void setRestTemplate(RestOperations restTemplate);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/TestAccounts.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/TestAccounts.java
index e7ca361d0..8d9706e53 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/TestAccounts.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/TestAccounts.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -17,9 +17,13 @@
 import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface TestAccounts {
 
 	String getUserName();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProvider.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProvider.java
index 025e36f55..a803c3df6 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProvider.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProvider.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -24,10 +24,14 @@
 
 /**
  * A strategy which knows how to obtain an access token for a specific resource.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public interface AccessTokenProvider {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChain.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChain.java
index 5564db383..51cc6c9f3 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChain.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChain.java
@@ -1,11 +1,11 @@
 /*
- * Copyright 2002-2011 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -15,6 +15,7 @@
  */
 package org.springframework.security.oauth2.client.token;
 
+import java.util.Calendar;
 import java.util.Collections;
 import java.util.List;
 
@@ -36,9 +37,13 @@
  * chain to find the first provider that supports the resource and use it to obtain the
  * access token. Note that the order of the chain is relevant.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class AccessTokenProviderChain extends OAuth2AccessTokenSupport
 		implements AccessTokenProvider {
 
@@ -46,6 +51,8 @@ public class AccessTokenProviderChain extends OAuth2AccessTokenSupport
 
 	private ClientTokenServices clientTokenServices;
 
+	private int clockSkew = 30;
+
 	public AccessTokenProviderChain(List<? extends AccessTokenProvider> chain) {
 		this.chain = chain == null ? Collections.<AccessTokenProvider> emptyList()
 				: Collections.unmodifiableList(chain);
@@ -100,7 +107,7 @@ public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails resour
 			}
 
 			if (existingToken != null) {
-				if (existingToken.isExpired()) {
+				if (hasTokenExpired(existingToken)) {
 					if (clientTokenServices != null) {
 						clientTokenServices.removeAccessToken(resource, auth);
 					}
@@ -184,4 +191,20 @@ public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails resou
 				resource);
 	}
 
+	/**
+	 * Checks if the given {@link OAuth2AccessToken access token} should be considered to have expired based on the
+	 * token's expiration time and the clock skew.
+	 *
+	 * @param token        the token to be checked
+	 * @return <code>true</code> if the token should be considered expired, <code>false</code> otherwise
+	 */
+	private boolean hasTokenExpired(OAuth2AccessToken token) {
+		Calendar now = Calendar.getInstance();
+		Calendar expiresAt = (Calendar) now.clone();
+		if (token.getExpiration() != null) {
+			expiresAt.setTime(token.getExpiration());
+			expiresAt.add(Calendar.SECOND, -this.clockSkew);
+		}
+		return now.after(expiresAt);
+	}
 }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenRequest.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenRequest.java
index cd7ead483..02c23baf8 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenRequest.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenRequest.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,6 +21,12 @@
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.util.MultiValueMap;
 
+/**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ */
+@Deprecated
 public interface AccessTokenRequest extends MultiValueMap<String, String> {
 
 	OAuth2AccessToken getExistingToken();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientKeyGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientKeyGenerator.java
index 9d8eb0fd0..cdc58adf2 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientKeyGenerator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientKeyGenerator.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -18,9 +18,13 @@
 import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public interface ClientKeyGenerator {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientTokenServices.java
index 95811454b..2f3937b58 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientTokenServices.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientTokenServices.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -19,9 +19,13 @@
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface ClientTokenServices {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultAccessTokenRequest.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultAccessTokenRequest.java
index 90c445af1..3136fd6b4 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultAccessTokenRequest.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultAccessTokenRequest.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -25,10 +25,14 @@
 /**
  * Local context for an access token request encapsulating the parameters that are sent by the client requesting the
  * token, as opposed to the more static variables representing the client itself and the resource being targeted.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class DefaultAccessTokenRequest implements AccessTokenRequest, Serializable {
 
 	private static final long serialVersionUID = 914967629530462926L;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultClientKeyGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultClientKeyGenerator.java
index 5d5264983..a083ceacf 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultClientKeyGenerator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultClientKeyGenerator.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -25,10 +25,14 @@
 
 /**
  * Basic key generator taking into account the client id, scope and username (principal name) if they exist.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class DefaultClientKeyGenerator implements ClientKeyGenerator {
 
 	private static final String CLIENT_ID = "client_id";
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultRequestEnhancer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultRequestEnhancer.java
index f2356ae01..322d58ec7 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultRequestEnhancer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultRequestEnhancer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -21,6 +21,12 @@
 import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
 import org.springframework.util.MultiValueMap;
 
+/**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ */
+@Deprecated
 public class DefaultRequestEnhancer implements RequestEnhancer {
 
 	private Set<String> parameterIncludes = Collections.emptySet();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServices.java
index fbc8c9d45..4f4474541 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServices.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServices.java
@@ -20,9 +20,13 @@
 
 /**
  * Implementation of token services that stores tokens in a database for retrieval by client applications.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
+@Deprecated
 public class JdbcClientTokenServices implements ClientTokenServices {
 
 	private static final Log LOG = LogFactory.getLog(JdbcClientTokenServices.class);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupport.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupport.java
index 0cf556a34..c31822633 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupport.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupport.java
@@ -39,17 +39,21 @@
 
 /**
  * Base support logic for obtaining access tokens.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public abstract class OAuth2AccessTokenSupport {
 
 	protected final Log logger = LogFactory.getLog(getClass());
 
 	private static final FormHttpMessageConverter FORM_MESSAGE_CONVERTER = new FormHttpMessageConverter();
 
-	private RestOperations restTemplate;
+	private volatile RestOperations restTemplate;
 
 	private List<HttpMessageConverter<?>> messageConverters;
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/RequestEnhancer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/RequestEnhancer.java
index bb1a153b8..c49d1a841 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/RequestEnhancer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/RequestEnhancer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -16,6 +16,12 @@
 import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
 import org.springframework.util.MultiValueMap;
 
+/**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ */
+@Deprecated
 public interface RequestEnhancer {
 	
 	void enhance(AccessTokenRequest request, OAuth2ProtectedResourceDetails resource, MultiValueMap<String, String> form,
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/ClientAuthenticationHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/ClientAuthenticationHandler.java
index 800130dca..91b625653 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/ClientAuthenticationHandler.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/ClientAuthenticationHandler.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -18,10 +18,14 @@
 
 /**
  * Logic for handling client authentication.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public interface ClientAuthenticationHandler {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/DefaultClientAuthenticationHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/DefaultClientAuthenticationHandler.java
index 88a0a6fa0..331c26f4c 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/DefaultClientAuthenticationHandler.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/DefaultClientAuthenticationHandler.java
@@ -11,10 +11,14 @@
 
 /**
  * Default implementation of the client authentication handler.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class DefaultClientAuthenticationHandler implements ClientAuthenticationHandler {
 
 	public void authenticateTokenRequest(OAuth2ProtectedResourceDetails resource, MultiValueMap<String, String> form,
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsAccessTokenProvider.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsAccessTokenProvider.java
index b7adaecb5..4d7c664c7 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsAccessTokenProvider.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsAccessTokenProvider.java
@@ -13,14 +13,19 @@
 import org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport;
 import org.springframework.security.oauth2.common.OAuth2RefreshToken;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.util.OAuth2Utils;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 
 /**
  * Provider for obtaining an oauth2 access token by using client credentials.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
+@Deprecated
 public class ClientCredentialsAccessTokenProvider extends OAuth2AccessTokenSupport implements AccessTokenProvider {
 
 	public boolean supportsResource(OAuth2ProtectedResourceDetails resource) {
@@ -48,7 +53,7 @@ public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails detail
 	private MultiValueMap<String, String> getParametersForTokenRequest(ClientCredentialsResourceDetails resource) {
 
 		MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
-		form.set("grant_type", "client_credentials");
+		form.set(OAuth2Utils.GRANT_TYPE, "client_credentials");
 
 		if (resource.isScoped()) {
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsResourceDetails.java
index 9ddc01b8d..fe2e1a001 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsResourceDetails.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsResourceDetails.java
@@ -3,8 +3,12 @@
 import org.springframework.security.oauth2.client.resource.BaseOAuth2ProtectedResourceDetails;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
+@Deprecated
 public class ClientCredentialsResourceDetails extends BaseOAuth2ProtectedResourceDetails {
 	
 	public ClientCredentialsResourceDetails() {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProvider.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProvider.java
index 37743c624..4e48c9685 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProvider.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProvider.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,7 +20,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -65,10 +65,14 @@
 
 /**
  * Provider for obtaining an oauth2 access token by using an authorization code.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class AuthorizationCodeAccessTokenProvider extends OAuth2AccessTokenSupport implements AccessTokenProvider {
 
 	private StateKeyGenerator stateKeyGenerator = new DefaultStateKeyGenerator();
@@ -215,7 +219,7 @@ public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails resou
 			OAuth2RefreshToken refreshToken, AccessTokenRequest request) throws UserRedirectRequiredException,
 			OAuth2AccessDeniedException {
 		MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
-		form.add("grant_type", "refresh_token");
+		form.add(OAuth2Utils.GRANT_TYPE, "refresh_token");
 		form.add("refresh_token", refreshToken.getValue());
 		try {
 			return retrieveToken(request, resource, form, getHeadersForTokenRequest(request));
@@ -244,7 +248,7 @@ private MultiValueMap<String, String> getParametersForTokenRequest(Authorization
 			AccessTokenRequest request) {
 
 		MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
-		form.set("grant_type", "authorization_code");
+		form.set(OAuth2Utils.GRANT_TYPE, "authorization_code");
 		form.set("code", request.getAuthorizationCode());
 
 		Object preservedState = request.getPreservedState();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeResourceDetails.java
index 1e445c178..790b6b966 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeResourceDetails.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeResourceDetails.java
@@ -3,9 +3,13 @@
 import org.springframework.security.oauth2.client.token.grant.redirect.AbstractRedirectResourceDetails;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class AuthorizationCodeResourceDetails extends AbstractRedirectResourceDetails {
 
 	public AuthorizationCodeResourceDetails() {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitAccessTokenProvider.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitAccessTokenProvider.java
index 664de42d4..35b451ebe 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitAccessTokenProvider.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitAccessTokenProvider.java
@@ -34,9 +34,13 @@
  * parameters, together with any other information available (e.g. from a cookie), and decide if a user can be
  * authenticated and if the user has approved the grant of the access token. Only if those two conditions are met should
  * an access token be available through this provider.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
+@Deprecated
 public class ImplicitAccessTokenProvider extends OAuth2AccessTokenSupport implements AccessTokenProvider {
 
 	public boolean supportsResource(OAuth2ProtectedResourceDetails resource) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitResourceDetails.java
index 6acb5ba47..9593b63a7 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitResourceDetails.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitResourceDetails.java
@@ -3,8 +3,12 @@
 import org.springframework.security.oauth2.client.token.grant.redirect.AbstractRedirectResourceDetails;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
+@Deprecated
 public class ImplicitResourceDetails extends AbstractRedirectResourceDetails {
 
 	public ImplicitResourceDetails() {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordAccessTokenProvider.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordAccessTokenProvider.java
index 3fa397bcb..fb53594a7 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordAccessTokenProvider.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordAccessTokenProvider.java
@@ -13,14 +13,19 @@
 import org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport;
 import org.springframework.security.oauth2.common.OAuth2RefreshToken;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.util.OAuth2Utils;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 
 /**
  * Provider for obtaining an oauth2 access token by using resource owner password.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
+@Deprecated
 public class ResourceOwnerPasswordAccessTokenProvider extends OAuth2AccessTokenSupport implements AccessTokenProvider {
 
 	public boolean supportsResource(OAuth2ProtectedResourceDetails resource) {
@@ -35,7 +40,7 @@ public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails resou
 			OAuth2RefreshToken refreshToken, AccessTokenRequest request) throws UserRedirectRequiredException,
 			OAuth2AccessDeniedException {
 		MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
-		form.add("grant_type", "refresh_token");
+		form.add(OAuth2Utils.GRANT_TYPE, "refresh_token");
 		form.add("refresh_token", refreshToken.getValue());
 		return retrieveToken(request, resource, form, new HttpHeaders());
 	}
@@ -51,7 +56,7 @@ public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails detail
 	private MultiValueMap<String, String> getParametersForTokenRequest(ResourceOwnerPasswordResourceDetails resource, AccessTokenRequest request) {
 
 		MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
-		form.set("grant_type", "password");
+		form.set(OAuth2Utils.GRANT_TYPE, "password");
 
 		form.set("username", resource.getUsername());
 		form.set("password", resource.getPassword());
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordResourceDetails.java
index b20155e8b..21ac5338f 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordResourceDetails.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordResourceDetails.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -18,8 +18,12 @@
 import org.springframework.security.oauth2.client.resource.BaseOAuth2ProtectedResourceDetails;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
+@Deprecated
 public class ResourceOwnerPasswordResourceDetails extends BaseOAuth2ProtectedResourceDetails {
 	
 	private String username;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/redirect/AbstractRedirectResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/redirect/AbstractRedirectResourceDetails.java
index 8b43a2cd4..15805dbf5 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/redirect/AbstractRedirectResourceDetails.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/redirect/AbstractRedirectResourceDetails.java
@@ -5,8 +5,12 @@
 import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
+@Deprecated
 public abstract class AbstractRedirectResourceDetails extends BaseOAuth2ProtectedResourceDetails {
 
 	private String preEstablishedRedirectUri;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/AuthenticationScheme.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/AuthenticationScheme.java
index f4d75d22b..0ed5d6b67 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/AuthenticationScheme.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/AuthenticationScheme.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -14,7 +14,11 @@
 
 /**
  * Enumeration of possible methods for transmitting authentication credentials.
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
  */
+@Deprecated
 public enum AuthenticationScheme {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultExpiringOAuth2RefreshToken.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultExpiringOAuth2RefreshToken.java
index 841480d52..4806e2a4c 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultExpiringOAuth2RefreshToken.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultExpiringOAuth2RefreshToken.java
@@ -3,8 +3,12 @@
 import java.util.Date;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class DefaultExpiringOAuth2RefreshToken extends DefaultOAuth2RefreshToken implements ExpiringOAuth2RefreshToken {
 
 	private static final long serialVersionUID = 3449554332764129719L;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2AccessToken.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2AccessToken.java
index 4ecf4a186..eeb5b6527 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2AccessToken.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2AccessToken.java
@@ -11,11 +11,15 @@
 
 /**
  * Basic access token for OAuth 2.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  * @author Rob Winch
  */
+@Deprecated
 public class DefaultOAuth2AccessToken implements Serializable, OAuth2AccessToken {
 
 	private static final long serialVersionUID = 914967629530462926L;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2RefreshToken.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2RefreshToken.java
index c8df418d1..c78bb5410 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2RefreshToken.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2RefreshToken.java
@@ -2,15 +2,19 @@
 
 import java.io.Serializable;
 
-import org.codehaus.jackson.annotate.JsonCreator;
-import org.codehaus.jackson.annotate.JsonValue;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonValue;
 
 /**
  * An OAuth 2 refresh token.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class DefaultOAuth2RefreshToken implements Serializable, OAuth2RefreshToken {
 
 	private static final long serialVersionUID = 8349970621900575838L;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultThrowableAnalyzer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultThrowableAnalyzer.java
index 72ba20a09..2f341c2f2 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultThrowableAnalyzer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultThrowableAnalyzer.java
@@ -8,7 +8,11 @@
 /**
  * Default implementation of <code>ThrowableAnalyzer</code> which is capable of also unwrapping
  * <code>ServletException</code>s.
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
  */
+@Deprecated
 public final class DefaultThrowableAnalyzer extends ThrowableAnalyzer {
   /**
    * @see org.springframework.security.web.util.ThrowableAnalyzer#initExtractorMap()
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/ExpiringOAuth2RefreshToken.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/ExpiringOAuth2RefreshToken.java
index abeb44b90..eb5fd46fe 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/ExpiringOAuth2RefreshToken.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/ExpiringOAuth2RefreshToken.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -15,9 +15,13 @@
 import java.util.Date;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public interface ExpiringOAuth2RefreshToken extends OAuth2RefreshToken {
 
 	Date getExpiration();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessToken.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessToken.java
index 0d2ea97ca..de4b0ada0 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessToken.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessToken.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -17,14 +17,15 @@
 import java.util.Set;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
-@org.codehaus.jackson.map.annotate.JsonSerialize(using = OAuth2AccessTokenJackson1Serializer.class)
-@org.codehaus.jackson.map.annotate.JsonDeserialize(using = OAuth2AccessTokenJackson1Deserializer.class)
 @com.fasterxml.jackson.databind.annotation.JsonSerialize(using = OAuth2AccessTokenJackson2Serializer.class)
 @com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = OAuth2AccessTokenJackson2Deserializer.class)
-
+@Deprecated
 public interface OAuth2AccessToken {
 
 	public static String BEARER_TYPE = "Bearer";
@@ -38,7 +39,7 @@ public interface OAuth2AccessToken {
 
 	/**
 	 * The type of the token issued as described in <a
-	 * href="http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-7.1">Section 7.1</a>. Value is case insensitive.
+	 * href="https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-7.1">Section 7.1</a>. Value is case insensitive.
 	 * This value is REQUIRED.
 	 */
 	public static String TOKEN_TYPE = "token_type";
@@ -51,13 +52,13 @@ public interface OAuth2AccessToken {
 
 	/**
 	 * The refresh token which can be used to obtain new access tokens using the same authorization grant as described
-	 * in <a href="http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-6">Section 6</a>. This value is OPTIONAL.
+	 * in <a href="https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-6">Section 6</a>. This value is OPTIONAL.
 	 */
 	public static String REFRESH_TOKEN = "refresh_token";
 
 	/**
 	 * The scope of the access token as described by <a
-	 * href="http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.3">Section 3.3</a>
+	 * href="https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.3">Section 3.3</a>
 	 */
 	public static String SCOPE = "scope";
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1Deserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1Deserializer.java
deleted file mode 100644
index 68bbf55e9..000000000
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1Deserializer.java
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * Copyright 2006-2010 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
- * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-package org.springframework.security.oauth2.common;
-
-import java.io.IOException;
-import java.util.Date;
-import java.util.LinkedHashMap;
-import java.util.Map;
-import java.util.Set;
-
-import org.codehaus.jackson.JsonParseException;
-import org.codehaus.jackson.JsonParser;
-import org.codehaus.jackson.JsonProcessingException;
-import org.codehaus.jackson.JsonToken;
-import org.codehaus.jackson.map.DeserializationContext;
-import org.codehaus.jackson.map.JsonDeserializer;
-import org.codehaus.jackson.map.deser.StdDeserializer;
-import org.springframework.security.oauth2.common.util.OAuth2Utils;
-
-/**
- * <p>
- * Provides the ability to deserialize JSON response into an {@link OAuth2AccessToken} with jackson by implementing
- * {@link JsonDeserializer}.
- * </p>
- * <p>
- * The expected format of the access token is defined by <a
- * href="http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-5.1">Successful Response</a>.
- * </p>
- *
- * @author Rob Winch
- * @see OAuth2AccessTokenJackson1Serializer
- */
-@SuppressWarnings("deprecation")
-public final class OAuth2AccessTokenJackson1Deserializer extends StdDeserializer<OAuth2AccessToken> {
-
-	public OAuth2AccessTokenJackson1Deserializer() {
-		super(OAuth2AccessToken.class);
-	}
-
-	@Override
-	public OAuth2AccessToken deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException,
-			JsonProcessingException {
-
-		String tokenValue = null;
-		String tokenType = null;
-		String refreshToken = null;
-		Long expiresIn = null;
-		Set<String> scope = null;
-		Map<String, Object> additionalInformation = new LinkedHashMap<String, Object>();
-
-		// TODO What should occur if a parameter exists twice
-		while (jp.nextToken() != JsonToken.END_OBJECT) {
-			String name = jp.getCurrentName();
-			jp.nextToken();
-			if (OAuth2AccessToken.ACCESS_TOKEN.equals(name)) {
-				tokenValue = jp.getText();
-			}
-			else if (OAuth2AccessToken.TOKEN_TYPE.equals(name)) {
-				tokenType = jp.getText();
-			}
-			else if (OAuth2AccessToken.REFRESH_TOKEN.equals(name)) {
-				refreshToken = jp.getText();
-			}
-			else if (OAuth2AccessToken.EXPIRES_IN.equals(name)) {
-				try {
-					expiresIn = jp.getLongValue();
-				} catch (JsonParseException e) {
-					expiresIn = Long.valueOf(jp.getText());
-				}
-			}
-			else if (OAuth2AccessToken.SCOPE.equals(name)) {
-				String text = jp.getText();
-				scope = OAuth2Utils.parseParameterList(text);
-			} else {
-				additionalInformation.put(name, jp.readValueAs(Object.class));
-			}
-		}
-
-		// TODO What should occur if a required parameter (tokenValue or tokenType) is missing?
-
-		DefaultOAuth2AccessToken accessToken = new DefaultOAuth2AccessToken(tokenValue);
-		accessToken.setTokenType(tokenType);
-		if (expiresIn != null) {
-			accessToken.setExpiration(new Date(System.currentTimeMillis() + (expiresIn * 1000)));
-		}
-		if (refreshToken != null) {
-			accessToken.setRefreshToken(new DefaultOAuth2RefreshToken(refreshToken));
-		}
-		accessToken.setScope(scope);
-		accessToken.setAdditionalInformation(additionalInformation);
-
-		return accessToken;
-	}
-}
\ No newline at end of file
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1Serializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1Serializer.java
deleted file mode 100644
index 2f2768a32..000000000
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1Serializer.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright 2006-2010 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
- * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-package org.springframework.security.oauth2.common;
-
-import java.io.IOException;
-import java.util.Date;
-import java.util.Map;
-import java.util.Set;
-
-import org.codehaus.jackson.JsonGenerationException;
-import org.codehaus.jackson.JsonGenerator;
-import org.codehaus.jackson.map.JsonSerializer;
-import org.codehaus.jackson.map.SerializerProvider;
-import org.codehaus.jackson.map.ser.SerializerBase;
-import org.springframework.util.Assert;
-
-/**
- * Provides the ability to serialize an {@link OAuth2AccessToken} with jackson by implementing {@link JsonSerializer}.
- * Refer to {@link OAuth2AccessTokenJackson1Deserializer} to learn more about the JSON format that is used.
- * 
- * @author Rob Winch
- * @see OAuth2AccessTokenJackson1Deserializer
- */
-@SuppressWarnings("deprecation")
-public final class OAuth2AccessTokenJackson1Serializer extends SerializerBase<OAuth2AccessToken> {
-
-	public OAuth2AccessTokenJackson1Serializer() {
-		super(OAuth2AccessToken.class);
-	}
-
-	@Override
-	public void serialize(OAuth2AccessToken token, JsonGenerator jgen, SerializerProvider provider) throws IOException,
-			JsonGenerationException {
-		jgen.writeStartObject();
-		jgen.writeStringField(OAuth2AccessToken.ACCESS_TOKEN, token.getValue());
-		jgen.writeStringField(OAuth2AccessToken.TOKEN_TYPE, token.getTokenType());
-		OAuth2RefreshToken refreshToken = token.getRefreshToken();
-		if (refreshToken != null) {
-			jgen.writeStringField(OAuth2AccessToken.REFRESH_TOKEN, refreshToken.getValue());
-		}
-		Date expiration = token.getExpiration();
-		if (expiration != null) {
-			long now = System.currentTimeMillis();
-			jgen.writeNumberField(OAuth2AccessToken.EXPIRES_IN, (expiration.getTime() - now) / 1000);
-		}
-		Set<String> scope = token.getScope();
-		if (scope != null && !scope.isEmpty()) {
-			StringBuffer scopes = new StringBuffer();
-			for (String s : scope) {
-				Assert.hasLength(s, "Scopes cannot be null or empty. Got " + scope + "");
-				scopes.append(s);
-				scopes.append(" ");
-			}
-			jgen.writeStringField(OAuth2AccessToken.SCOPE, scopes.substring(0, scopes.length() - 1));
-		}
-		Map<String, Object> additionalInformation = token.getAdditionalInformation();
-		for (String key : additionalInformation.keySet()) {
-			jgen.writeObjectField(key, additionalInformation.get(key));
-		}
-		jgen.writeEndObject();
-	}
-}
\ No newline at end of file
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Deserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Deserializer.java
index 608422d1f..ff0084019 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Deserializer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Deserializer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -36,14 +36,18 @@
  * </p>
  * <p>
  * The expected format of the access token is defined by <a
- * href="http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-5.1">Successful Response</a>.
+ * href="https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-5.1">Successful Response</a>.
  * </p>
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Rob Winch
  * @author Brian Clozel
  * @see org.springframework.security.oauth2.common.OAuth2AccessTokenJackson2Serializer
  */
 @SuppressWarnings("serial")
+@Deprecated
 public final class OAuth2AccessTokenJackson2Deserializer extends StdDeserializer<OAuth2AccessToken> {
 
 	public OAuth2AccessTokenJackson2Deserializer() {
@@ -92,7 +96,7 @@ else if (OAuth2AccessToken.SCOPE.equals(name)) {
 
 		DefaultOAuth2AccessToken accessToken = new DefaultOAuth2AccessToken(tokenValue);
 		accessToken.setTokenType(tokenType);
-		if (expiresIn != null) {
+		if (expiresIn != null && expiresIn != 0) {
 			accessToken.setExpiration(new Date(System.currentTimeMillis() + (expiresIn * 1000)));
 		}
 		if (refreshToken != null) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Serializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Serializer.java
index f006e3998..01fcb0921 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Serializer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Serializer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -26,12 +26,17 @@
 
 /**
  * Provides the ability to serialize an {@link org.springframework.security.oauth2.common.OAuth2AccessToken} with jackson2 by implementing {@link com.fasterxml.jackson.databind.JsonDeserializer}.
- * Refer to {@link org.springframework.security.oauth2.common.OAuth2AccessTokenJackson1Deserializer} to learn more about the JSON format that is used.
+ *
+ * The expected format of the access token is defined by <a href="https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-5.1">Successful Response</a>.
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
  *
  * @author Rob Winch
  * @author Brian Clozel
  * @see org.springframework.security.oauth2.common.OAuth2AccessTokenJackson2Deserializer
  */
+@Deprecated
 public final class OAuth2AccessTokenJackson2Serializer extends StdSerializer<OAuth2AccessToken> {
 
 	public OAuth2AccessTokenJackson2Serializer() {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2RefreshToken.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2RefreshToken.java
index 9283b5e9a..495fda30d 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2RefreshToken.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2RefreshToken.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -12,12 +12,16 @@
  */
 package org.springframework.security.oauth2.common;
 
-import org.codehaus.jackson.annotate.JsonValue;
+import com.fasterxml.jackson.annotation.JsonValue;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public interface OAuth2RefreshToken {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/BadClientCredentialsException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/BadClientCredentialsException.java
index e928185f5..522af2175 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/BadClientCredentialsException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/BadClientCredentialsException.java
@@ -3,10 +3,14 @@
 /**
  * Exception thrown when a client was unable to authenticate.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class BadClientCredentialsException extends ClientAuthenticationException {
 
 	public BadClientCredentialsException() {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/ClientAuthenticationException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/ClientAuthenticationException.java
index 5c0eb31d6..42d8dfe24 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/ClientAuthenticationException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/ClientAuthenticationException.java
@@ -2,11 +2,15 @@
 
 /**
  * Base exception
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
 @SuppressWarnings("serial")
+@Deprecated
 public abstract class ClientAuthenticationException extends OAuth2Exception {
 
 	public ClientAuthenticationException(String msg, Throwable t) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InsufficientScopeException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InsufficientScopeException.java
index c512f60aa..ff80461a2 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InsufficientScopeException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InsufficientScopeException.java
@@ -8,10 +8,14 @@
 /**
  * Exception representing insufficient scope in a token when a request is handled by a Resource Server. It is akin to an
  * {@link AccessDeniedException} and should result in a 403 (FORBIDDEN) HTTP status.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class InsufficientScopeException extends OAuth2Exception {
 
 	public InsufficientScopeException(String msg, Set<String> validScope) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidClientException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidClientException.java
index fd10e7b26..6aefe7d37 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidClientException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidClientException.java
@@ -3,10 +3,14 @@
 /**
  * Exception thrown when a client was unable to authenticate.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class InvalidClientException extends ClientAuthenticationException {
 
 	public InvalidClientException(String msg) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidGrantException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidGrantException.java
index b492d9452..2294cdffa 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidGrantException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidGrantException.java
@@ -1,10 +1,14 @@
 package org.springframework.security.oauth2.common.exceptions;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class InvalidGrantException extends ClientAuthenticationException {
 
 	public InvalidGrantException(String msg, Throwable t) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidRequestException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidRequestException.java
index 32b14681e..7b18897f4 100755
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidRequestException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidRequestException.java
@@ -1,9 +1,13 @@
 package org.springframework.security.oauth2.common.exceptions;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class InvalidRequestException extends ClientAuthenticationException {
 
 	public InvalidRequestException(String msg, Throwable t) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidScopeException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidScopeException.java
index f5989edd1..4a8f4b3b1 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidScopeException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidScopeException.java
@@ -8,11 +8,15 @@
  * Exception representing an invalid scope in a token or authorization request (i.e. from an Authorization Server). Note
  * that this is not the same as an access denied exception if the scope presented to a Resource Server is insufficient.
  * The spec in this case mandates a 400 status code.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class InvalidScopeException extends OAuth2Exception {
 
 	public InvalidScopeException(String msg, Set<String> validScope) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidTokenException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidTokenException.java
index 527fdced8..e8cb37507 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidTokenException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidTokenException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -16,10 +16,14 @@
 package org.springframework.security.oauth2.common.exceptions;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class InvalidTokenException extends ClientAuthenticationException {
 
 	public InvalidTokenException(String msg, Throwable t) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2Exception.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2Exception.java
index b1a59a8fd..4b4e9a802 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2Exception.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2Exception.java
@@ -6,16 +6,18 @@
 
 /**
  * Base exception for OAuth 2 exceptions.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Rob Winch
  * @author Dave Syer
  */
 @SuppressWarnings("serial")
-@org.codehaus.jackson.map.annotate.JsonSerialize(using = OAuth2ExceptionJackson1Serializer.class)
-@org.codehaus.jackson.map.annotate.JsonDeserialize(using = OAuth2ExceptionJackson1Deserializer.class)
 @com.fasterxml.jackson.databind.annotation.JsonSerialize(using = OAuth2ExceptionJackson2Serializer.class)
 @com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = OAuth2ExceptionJackson2Deserializer.class)
+@Deprecated
 public class OAuth2Exception extends RuntimeException {
 
 	public static final String ERROR = "error";
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson1Deserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson1Deserializer.java
deleted file mode 100644
index c9f4b68ab..000000000
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson1Deserializer.java
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * Copyright 2006-2011 the original author or authors.
- * 
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * 
- * http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
- * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-package org.springframework.security.oauth2.common.exceptions;
-
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.codehaus.jackson.JsonParser;
-import org.codehaus.jackson.JsonProcessingException;
-import org.codehaus.jackson.JsonToken;
-import org.codehaus.jackson.map.DeserializationContext;
-import org.codehaus.jackson.map.JsonDeserializer;
-import org.springframework.security.oauth2.common.util.OAuth2Utils;
-
-/**
- * @author Dave Syer
- * 
- */
-public class OAuth2ExceptionJackson1Deserializer extends JsonDeserializer<OAuth2Exception> {
-
-	@Override
-	public OAuth2Exception deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException,
-			JsonProcessingException {
-
-		JsonToken t = jp.getCurrentToken();
-		if (t == JsonToken.START_OBJECT) {
-			t = jp.nextToken();
-		}
-		Map<String, Object> errorParams = new HashMap<String, Object>();
-		for (; t == JsonToken.FIELD_NAME; t = jp.nextToken()) {
-			// Must point to field name
-			String fieldName = jp.getCurrentName();
-			// And then the value...
-			t = jp.nextToken();
-			// Note: must handle null explicitly here; value deserializers won't
-			Object value;
-			if (t == JsonToken.VALUE_NULL) {
-				value = null;
-			}
-			// Some servers might send back complex content
-			else if (t == JsonToken.START_ARRAY) {
-				value = jp.readValueAs(List.class);
-			}
-			else if (t == JsonToken.START_OBJECT) {
-				value = jp.readValueAs(Map.class);
-			}
-			else {
-				value = jp.getText();
-			}
-			errorParams.put(fieldName, value);
-		}
-
-		Object errorCode = errorParams.get("error");
-		String errorMessage = errorParams.containsKey("error_description") ? errorParams.get("error_description")
-				.toString() : null;
-		if (errorMessage == null) {
-			errorMessage = errorCode == null ? "OAuth Error" : errorCode.toString();
-		}
-
-		OAuth2Exception ex;
-		if ("invalid_client".equals(errorCode)) {
-			ex = new InvalidClientException(errorMessage);
-		}
-		else if ("unauthorized_client".equals(errorCode)) {
-			ex = new UnauthorizedClientException(errorMessage);
-		}
-		else if ("invalid_grant".equals(errorCode)) {
-			if (errorMessage.toLowerCase().contains("redirect") && errorMessage.toLowerCase().contains("match")) {
-				ex = new RedirectMismatchException(errorMessage);
-			}
-			else {
-				ex = new InvalidGrantException(errorMessage);
-			}
-		}
-		else if ("invalid_scope".equals(errorCode)) {
-			ex = new InvalidScopeException(errorMessage);
-		}
-		else if ("invalid_token".equals(errorCode)) {
-			ex = new InvalidTokenException(errorMessage);
-		}
-		else if ("invalid_request".equals(errorCode)) {
-			ex = new InvalidRequestException(errorMessage);
-		}
-		else if ("redirect_uri_mismatch".equals(errorCode)) {
-			ex = new RedirectMismatchException(errorMessage);
-		}
-		else if ("unsupported_grant_type".equals(errorCode)) {
-			ex = new UnsupportedGrantTypeException(errorMessage);
-		}
-		else if ("unsupported_response_type".equals(errorCode)) {
-			ex = new UnsupportedResponseTypeException(errorMessage);
-		}
-		else if ("access_denied".equals(errorCode)) {
-			ex = new UserDeniedAuthorizationException(errorMessage);
-		}
-		else if ("insufficient_scope".equals(errorCode)) {
-			ex = new InsufficientScopeException(errorMessage, OAuth2Utils.parseParameterList((String) errorParams
-					.get("scope")));
-		}
-		else {
-			ex = new OAuth2Exception(errorMessage);
-		}
-
-		Set<Map.Entry<String, Object>> entries = errorParams.entrySet();
-		for (Map.Entry<String, Object> entry : entries) {
-			String key = entry.getKey();
-			if (!"error".equals(key) && !"error_description".equals(key)) {
-				Object value = entry.getValue();
-				ex.addAdditionalInformation(key, value == null ? null : value.toString());
-			}
-		}
-
-		return ex;
-
-	}
-
-}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson1Serializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson1Serializer.java
deleted file mode 100644
index 091068177..000000000
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson1Serializer.java
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright 2006-2011 the original author or authors.
- * 
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * 
- * http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
- * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-package org.springframework.security.oauth2.common.exceptions;
-
-import java.io.IOException;
-import java.util.Map.Entry;
-
-import org.codehaus.jackson.JsonGenerator;
-import org.codehaus.jackson.JsonProcessingException;
-import org.codehaus.jackson.map.JsonSerializer;
-import org.codehaus.jackson.map.SerializerProvider;
-import org.springframework.web.util.HtmlUtils;
-
-/**
- * @author Dave Syer
- *
- */
-public class OAuth2ExceptionJackson1Serializer extends JsonSerializer<OAuth2Exception> {
-
-	@Override
-	public void serialize(OAuth2Exception value, JsonGenerator jgen, SerializerProvider provider) throws IOException,
-			JsonProcessingException {
-        jgen.writeStartObject();
-		jgen.writeStringField("error", value.getOAuth2ErrorCode());
-		String errorMessage = value.getMessage();
-		if (errorMessage != null) {
-			errorMessage = HtmlUtils.htmlEscape(errorMessage);
-		}
-		jgen.writeStringField("error_description", errorMessage);
-		if (value.getAdditionalInformation()!=null) {
-			for (Entry<String, String> entry : value.getAdditionalInformation().entrySet()) {
-				String key = entry.getKey();
-				String add = entry.getValue();
-				jgen.writeStringField(key, add);				
-			}
-		}
-        jgen.writeEndObject();
-	}
-
-}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Deserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Deserializer.java
index 92a32aba6..0cd8dbba1 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Deserializer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Deserializer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -27,10 +27,14 @@
 import org.springframework.security.oauth2.common.util.OAuth2Utils;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Brian Clozel
  * 
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class OAuth2ExceptionJackson2Deserializer extends StdDeserializer<OAuth2Exception> {
 
 	public OAuth2ExceptionJackson2Deserializer() {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Serializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Serializer.java
index cacc95408..0ed45881d 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Serializer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Serializer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -19,12 +19,15 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.SerializerProvider;
 import com.fasterxml.jackson.databind.ser.std.StdSerializer;
-import org.springframework.web.util.HtmlUtils;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Brian Clozel
  *
  */
+@Deprecated
 public class OAuth2ExceptionJackson2Serializer extends StdSerializer<OAuth2Exception> {
 
     public OAuth2ExceptionJackson2Serializer() {
@@ -36,11 +39,7 @@ public void serialize(OAuth2Exception value, JsonGenerator jgen, SerializerProvi
 			JsonProcessingException {
         jgen.writeStartObject();
 		jgen.writeStringField("error", value.getOAuth2ErrorCode());
-		String errorMessage = value.getMessage();
-		if (errorMessage != null) {
-			errorMessage = HtmlUtils.htmlEscape(errorMessage);
-		}
-		jgen.writeStringField("error_description", errorMessage);
+		jgen.writeStringField("error_description", value.getMessage());
 		if (value.getAdditionalInformation()!=null) {
 			for (Entry<String, String> entry : value.getAdditionalInformation().entrySet()) {
 				String key = entry.getKey();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/RedirectMismatchException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/RedirectMismatchException.java
index 4e66b52f2..989980291 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/RedirectMismatchException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/RedirectMismatchException.java
@@ -1,9 +1,13 @@
 package org.springframework.security.oauth2.common.exceptions;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class RedirectMismatchException extends ClientAuthenticationException {
 
   public RedirectMismatchException(String msg, Throwable t) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/SerializationException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/SerializationException.java
index 2b46c26eb..14d41a53f 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/SerializationException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/SerializationException.java
@@ -3,9 +3,13 @@
 /**
  * Thrown during a problem serialization/deserialization.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class SerializationException extends RuntimeException {
 
   public SerializationException() {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnapprovedClientAuthenticationException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnapprovedClientAuthenticationException.java
index f288bc679..1a787bffd 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnapprovedClientAuthenticationException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnapprovedClientAuthenticationException.java
@@ -3,9 +3,13 @@
 import org.springframework.security.authentication.InsufficientAuthenticationException;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class UnapprovedClientAuthenticationException extends InsufficientAuthenticationException {
 
   public UnapprovedClientAuthenticationException(String msg) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedClientException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedClientException.java
index cb25b01d5..595fe52eb 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedClientException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedClientException.java
@@ -2,10 +2,14 @@
 
 /**
  * Exception thrown when a client was unable to authenticate.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class UnauthorizedClientException extends ClientAuthenticationException {
 
 	public UnauthorizedClientException(String msg, Throwable t) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedUserException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedUserException.java
index 795fe2d1a..ba0ebf466 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedUserException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedUserException.java
@@ -2,10 +2,14 @@
 
 /**
  * Exception thrown when a user was unable to authenticate.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class UnauthorizedUserException extends OAuth2Exception {
 
 	public UnauthorizedUserException(String msg, Throwable t) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedGrantTypeException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedGrantTypeException.java
index 113c7fefb..4fba4ff0a 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedGrantTypeException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedGrantTypeException.java
@@ -1,9 +1,13 @@
 package org.springframework.security.oauth2.common.exceptions;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class UnsupportedGrantTypeException extends OAuth2Exception {
 
   public UnsupportedGrantTypeException(String msg, Throwable t) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedResponseTypeException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedResponseTypeException.java
index 8129964ac..588600f88 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedResponseTypeException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedResponseTypeException.java
@@ -1,9 +1,13 @@
 package org.springframework.security.oauth2.common.exceptions;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class UnsupportedResponseTypeException extends OAuth2Exception {
 
   public UnsupportedResponseTypeException(String msg, Throwable t) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UserDeniedAuthorizationException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UserDeniedAuthorizationException.java
index 0ec3cc75c..94715b6e7 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UserDeniedAuthorizationException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UserDeniedAuthorizationException.java
@@ -1,9 +1,13 @@
 package org.springframework.security.oauth2.common.exceptions;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class UserDeniedAuthorizationException extends OAuth2Exception {
 
   public UserDeniedAuthorizationException(String msg, Throwable t) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultJdbcListFactory.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultJdbcListFactory.java
index e05362f77..61a397fbc 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultJdbcListFactory.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultJdbcListFactory.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -23,9 +23,13 @@
 import org.springframework.jdbc.core.namedparam.NamedParameterJdbcOperations;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public class DefaultJdbcListFactory implements JdbcListFactory {
 
 	private final NamedParameterJdbcOperations jdbcTemplate;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultSerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultSerializationStrategy.java
new file mode 100644
index 000000000..f8ade4824
--- /dev/null
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultSerializationStrategy.java
@@ -0,0 +1,92 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.common.util;
+
+import org.springframework.core.ConfigurableObjectInputStream;
+
+import java.io.*;
+
+/**
+ * The default {@link SerializationStrategy} which uses the built-in Java serialization mechanism.
+ * <p>
+ * Note that this class should not be used if data for deserialization comes from an untrusted source.
+ * Instead, please use {@link WhitelistedSerializationStrategy} with a list of allowed classes for deserialization.
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ * @author Artem Smotrakov
+ * @since 2.4
+ */
+@Deprecated
+public class DefaultSerializationStrategy implements SerializationStrategy {
+
+    public byte[] serialize(Object state) {
+        ObjectOutputStream oos = null;
+        try {
+            ByteArrayOutputStream bos = new ByteArrayOutputStream(512);
+            oos = new ObjectOutputStream(bos);
+            oos.writeObject(state);
+            oos.flush();
+            return bos.toByteArray();
+        } catch (IOException e) {
+            throw new IllegalArgumentException(e);
+        } finally {
+            if (oos != null) {
+                try {
+                    oos.close();
+                } catch (IOException e) {
+                    // eat it
+                }
+            }
+        }
+    }
+
+    public <T> T deserialize(byte[] byteArray) {
+        ObjectInputStream oip = null;
+        try {
+            oip = createObjectInputStream(byteArray);
+            @SuppressWarnings("unchecked")
+            T result = (T) oip.readObject();
+            return result;
+        } catch (IOException e) {
+            throw new IllegalArgumentException(e);
+        } catch (ClassNotFoundException e) {
+            throw new IllegalArgumentException(e);
+        } finally {
+            if (oip != null) {
+                try {
+                    oip.close();
+                } catch (IOException e) {
+                    // eat it
+                }
+            }
+        }
+    }
+
+    /**
+     * Creates an {@link ObjectInputStream} for deserialization.
+     *
+     * @param byteArray Data to be deserialized.
+     * @return An instance of {@link ObjectInputStream} which should be used for deserialization.
+     * @throws IOException If something went wrong.
+     */
+    protected ObjectInputStream createObjectInputStream(byte[] byteArray) throws IOException {
+        return new ConfigurableObjectInputStream(new ByteArrayInputStream(byteArray),
+                Thread.currentThread().getContextClassLoader());
+    }
+}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/Jackson2JsonParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/Jackson2JsonParser.java
index e755a9bdf..6537d0304 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/Jackson2JsonParser.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/Jackson2JsonParser.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -20,9 +20,13 @@
 
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public class Jackson2JsonParser implements JsonParser {
 	
 	private ObjectMapper mapper = new ObjectMapper();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JacksonJsonParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JacksonJsonParser.java
deleted file mode 100644
index de8605c17..000000000
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JacksonJsonParser.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright 2013-2014 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
- * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package org.springframework.security.oauth2.common.util;
-
-import java.util.Map;
-
-import org.codehaus.jackson.map.ObjectMapper;
-
-/**
- * @author Dave Syer
- *
- */
-public class JacksonJsonParser implements JsonParser {
-	
-	private ObjectMapper mapper = new ObjectMapper();
-
-	@SuppressWarnings("unchecked")
-	@Override
-	public Map<String, Object> parseMap(String json) {
-		try {
-			return mapper.readValue(json, Map.class);
-		}
-		catch (Exception e) {
-			throw new IllegalArgumentException("Cannot parse json", e);
-		}
-	}
-
-	@Override
-	public String formatMap(Map<String, ?> map) {
-		try {
-			return mapper.writeValueAsString(map);
-		}
-		catch (Exception e) {
-			throw new IllegalArgumentException("Cannot format json", e);
-		}
-	}
-
-}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JdbcListFactory.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JdbcListFactory.java
index 1a58e4ef9..9c5b11cfe 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JdbcListFactory.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JdbcListFactory.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -22,9 +22,13 @@
 import org.springframework.jdbc.core.RowMapper;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface JdbcListFactory {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateDeserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateDeserializer.java
index c17125c7d..a2b1a9705 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateDeserializer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateDeserializer.java
@@ -1,40 +1,47 @@
 /*
- * Cloud Foundry 2012.02.03 Beta
- * Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+ * Copyright 2002-2019 the original author or authors.
  *
- * This product is licensed to you under the Apache License, Version 2.0 (the "License").
- * You may not use this product except in compliance with the License.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * This product includes a number of subcomponents with
- * separate copyright notices and license terms. Your use of these
- * subcomponents is subject to the terms and conditions of the
- * subcomponent's license, as noted in the LICENSE file.
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
-package org.springframework.security.oauth2.common.util;
 
-import org.codehaus.jackson.JsonParseException;
-import org.codehaus.jackson.JsonParser;
-import org.codehaus.jackson.JsonProcessingException;
-import org.codehaus.jackson.map.DeserializationContext;
-import org.codehaus.jackson.map.JsonDeserializer;
+package org.springframework.security.oauth2.common.util;
 
 import java.io.IOException;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 
+import com.fasterxml.jackson.core.JsonParseException;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+
 /**
  * JSON deserializer for Jackson to handle regular date instances as timestamps in ISO format.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public class JsonDateDeserializer extends JsonDeserializer<Date> {
 	 
     private static final SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
  
 	@Override
-	public Date deserialize(JsonParser parser, DeserializationContext context) throws IOException, JsonProcessingException {
+	public Date deserialize(com.fasterxml.jackson.core.JsonParser parser, DeserializationContext context) throws IOException, JsonProcessingException {
 		try {
 			synchronized (dateFormat) {				
 				return dateFormat.parse(parser.getText());
@@ -44,5 +51,4 @@ public Date deserialize(JsonParser parser, DeserializationContext context) throw
 			throw new JsonParseException("Could not parse date", parser.getCurrentLocation(), e);
 		}
 	}
- 
 }
\ No newline at end of file
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateSerializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateSerializer.java
index d4df5c793..11fea8daf 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateSerializer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateSerializer.java
@@ -1,32 +1,40 @@
 /*
- * Cloud Foundry 2012.02.03 Beta
- * Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+ * Copyright 2002-2019 the original author or authors.
  *
- * This product is licensed to you under the Apache License, Version 2.0 (the "License").
- * You may not use this product except in compliance with the License.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * This product includes a number of subcomponents with
- * separate copyright notices and license terms. Your use of these
- * subcomponents is subject to the terms and conditions of the
- * subcomponent's license, as noted in the LICENSE file.
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
-package org.springframework.security.oauth2.common.util;
 
-import org.codehaus.jackson.JsonGenerator;
-import org.codehaus.jackson.JsonProcessingException;
-import org.codehaus.jackson.map.JsonSerializer;
-import org.codehaus.jackson.map.SerializerProvider;
+package org.springframework.security.oauth2.common.util;
 
 import java.io.IOException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.SerializerProvider;
+
 /**
  * JSON serializer for Jackson to handle regular date instances as timestamps in ISO format.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class JsonDateSerializer extends JsonSerializer<Date> {
 
 	private static final SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParser.java
index 386cefd72..be1e0cc58 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParser.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParser.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -16,9 +16,13 @@
 import java.util.Map;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public interface JsonParser {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParserFactory.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParserFactory.java
index 775a84379..aeadcbd7d 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParserFactory.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParserFactory.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -16,19 +16,20 @@
 import org.springframework.util.ClassUtils;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public class JsonParserFactory {
 
 	public static JsonParser create() {
 		if (ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", null)) {
 			return new Jackson2JsonParser();
 		}
-		if (ClassUtils.isPresent("org.codehaus.jackson.map.ObjectMapper", null)) {
-			return new JacksonJsonParser();
-		}
-		throw new IllegalStateException("No Jackson parser found. Please add Jackson to your classpath.");
+		throw new IllegalStateException("No Jackson 2 parser found. Please add Jackson 2 to your classpath.");
 	}
 
 }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/OAuth2Utils.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/OAuth2Utils.java
index 181333022..ba9988362 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/OAuth2Utils.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/OAuth2Utils.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -27,9 +27,13 @@
 import org.springframework.util.StringUtils;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public abstract class OAuth2Utils {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/ProxyCreator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/ProxyCreator.java
index d99622c15..c3562bf52 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/ProxyCreator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/ProxyCreator.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -21,9 +21,13 @@
 import org.springframework.beans.factory.ObjectFactory;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public class ProxyCreator {
 
 	@SuppressWarnings("unchecked")
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/RandomValueStringGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/RandomValueStringGenerator.java
index 6dd551d42..33a3791ae 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/RandomValueStringGenerator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/RandomValueStringGenerator.java
@@ -1,3 +1,18 @@
+/*
+ * Copyright 2012-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.springframework.security.oauth2.common.util;
 
 import java.security.SecureRandom;
@@ -5,13 +20,17 @@
 
 /**
  * Utility that generates a random-value ASCII string.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class RandomValueStringGenerator {
 
-	private static final char[] DEFAULT_CODEC = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+	private static final char[] DEFAULT_CODEC = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_"
 			.toCharArray();
 
 	private Random random = new SecureRandom();
@@ -43,7 +62,7 @@ public String generate() {
 	/**
 	 * Convert these random bytes to a verifier string. The length of the byte array can be
 	 * {@link #setLength(int) configured}. The default implementation mods the bytes to fit into the
-	 * ASCII letters 1-9, A-Z, a-z .
+	 * ASCII letters 1-9, A-Z, a-z, -_ .
 	 * 
 	 * @param verifierBytes The bytes.
 	 * @return The string.
@@ -66,11 +85,14 @@ public void setRandom(Random random) {
 	}
 	
 	/**
-	 * The length of string to generate.
+	 * The length of string to generate.  A length less than or equal to 0 will result in an {@code IllegalArgumentException}.
 	 * 
 	 * @param length the length to set
 	 */
 	public void setLength(int length) {
+		if (length <= 0) {
+			throw new IllegalArgumentException("length must be greater than 0");
+		}
 		this.length = length;
 	}
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationStrategy.java
new file mode 100644
index 000000000..72f9f6060
--- /dev/null
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationStrategy.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.common.util;
+
+/**
+ * Defines how objects are serialized and deserialized.
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ * @author Artem Smotrakov
+ * @since 2.4
+ */
+@Deprecated
+public interface SerializationStrategy {
+
+    /**
+     * Serializes an object.
+     *
+     * @param object The object to be serialized.
+     * @return A byte array.
+     */
+    byte[] serialize(Object object);
+
+    /**
+     * Deserializes an object from a byte array.
+     *
+     * @param byteArray The byte array.
+     * @param <T>       The type of the object.
+     * @return The deserialized object.
+     */
+    <T> T deserialize(byte[] byteArray);
+
+}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationUtils.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationUtils.java
index e622c6797..fe554e88e 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationUtils.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationUtils.java
@@ -1,64 +1,80 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package org.springframework.security.oauth2.common.util;
 
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
+import org.springframework.core.io.support.SpringFactoriesLoader;
+import org.springframework.util.Assert;
 
-import org.springframework.core.ConfigurableObjectInputStream;
+import java.util.List;
 
+/**
+ * This is a helper class for serializing and deserializing objects with a {@link SerializationStrategy}.
+ * The class looks for the strategy in {@code META-INF/spring.factories},
+ * or the strategy can also be set by calling {@link #setSerializationStrategy(SerializationStrategy)}.
+ * If no strategy is specified, the default is {@link DefaultSerializationStrategy}.
+ * <p>
+ * Note that the default strategy allows deserializing arbitrary classes which may result in security problems
+ * if data comes from an untrusted source. To prevent possible issues, use {@link WhitelistedSerializationStrategy}
+ * with a list of allowed classes for deserialization.
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ */
+@Deprecated
 public class SerializationUtils {
 
-	public static byte[] serialize(Object state) {
-		ObjectOutputStream oos = null;
-		try {
-			ByteArrayOutputStream bos = new ByteArrayOutputStream(512);
-			oos = new ObjectOutputStream(bos);
-			oos.writeObject(state);
-			oos.flush();
-			return bos.toByteArray();
-		}
-		catch (IOException e) {
-			throw new IllegalArgumentException(e);
-		}
-		finally {
-			if (oos != null) {
-				try {
-					oos.close();
-				}
-				catch (IOException e) {
-					// eat it
-				}
-			}
-		}
-	}
+    private static SerializationStrategy strategy = new DefaultSerializationStrategy();
+
+    static {
+        List<SerializationStrategy> strategies = SpringFactoriesLoader.loadFactories(
+                SerializationStrategy.class, SerializationUtils.class.getClassLoader());
+        if (strategies.size() > 1) {
+            throw new IllegalArgumentException(
+                    "Too many serialization strategies in META-INF/spring.factories");
+        }
+        if (strategies.size() == 1) {
+            strategy = strategies.get(0);
+        }
+    }
+
+    /**
+     * @return The current serialization strategy.
+     */
+    public static SerializationStrategy getSerializationStrategy() {
+        return strategy;
+    }
+
+    /**
+     * Sets a new serialization strategy.
+     *
+     * @param serializationStrategy The serialization strategy.
+     */
+    public static void setSerializationStrategy(SerializationStrategy serializationStrategy) {
+        Assert.notNull(serializationStrategy, "serializationStrategy cannot be null");
+        strategy = serializationStrategy;
+    }
+
+    public static byte[] serialize(Object object) {
+        return strategy.serialize(object);
+    }
 
-	public static <T> T deserialize(byte[] byteArray) {
-		ObjectInputStream oip = null;
-		try {
-			oip = new ConfigurableObjectInputStream(new ByteArrayInputStream(byteArray),
-					Thread.currentThread().getContextClassLoader());
-			@SuppressWarnings("unchecked")
-			T result = (T) oip.readObject();
-			return result;
-		}
-		catch (IOException e) {
-			throw new IllegalArgumentException(e);
-		}
-		catch (ClassNotFoundException e) {
-			throw new IllegalArgumentException(e);
-		}
-		finally {
-			if (oip != null) {
-				try {
-					oip.close();
-				}
-				catch (IOException e) {
-					// eat it
-				}
-			}
-		}
-	}
+    public static <T> T deserialize(byte[] byteArray) {
+        return strategy.deserialize(byteArray);
+    }
 
-}
+}
\ No newline at end of file
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/WhitelistedSerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/WhitelistedSerializationStrategy.java
new file mode 100644
index 000000000..f4a32ba3b
--- /dev/null
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/WhitelistedSerializationStrategy.java
@@ -0,0 +1,147 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.common.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.NotSerializableException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.springframework.util.ClassUtils;
+
+/**
+ * A {@link SerializationStrategy} which uses a whitelist of allowed classes for deserialization.
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ * @author Artem Smotrakov
+ * @since 2.4
+ */
+@Deprecated
+public class WhitelistedSerializationStrategy extends DefaultSerializationStrategy {
+
+    /**
+     * A list of classes which are allowed to deserialize by default.
+     */
+    private static final List<String> DEFAULT_ALLOWED_CLASSES;
+
+    static {
+        List<String> classes = new ArrayList<String>();
+        classes.add("java.lang.");
+        classes.add("java.util.");
+        classes.add("org.springframework.security.");
+        DEFAULT_ALLOWED_CLASSES = Collections.unmodifiableList(classes);
+    }
+
+    /**
+     * A list of classes which are allowed to deserialize.
+     */
+    private final List<String> allowedClasses;
+
+    /**
+     * Initializes {@link WhitelistedSerializationStrategy} with the list of classes
+     * which are allowed to deserialize by default.
+     */
+    public WhitelistedSerializationStrategy() {
+        this(DEFAULT_ALLOWED_CLASSES);
+    }
+
+    /**
+     * Initializes {@link WhitelistedSerializationStrategy} with specified allowed classes.
+     *
+     * @param allowedClasses The allowed classes for deserialization.
+     */
+    public WhitelistedSerializationStrategy(List<String> allowedClasses) {
+        this.allowedClasses = Collections.unmodifiableList(allowedClasses);
+    }
+
+    protected ObjectInputStream createObjectInputStream(byte[] byteArray) throws IOException {
+        return new WhitelistedObjectInputStream(new ByteArrayInputStream(byteArray),
+                Thread.currentThread().getContextClassLoader(), allowedClasses);
+    }
+
+    /**
+     * Special ObjectInputStream subclass that checks if classes are allowed to deserialize. The class
+     * should be configured with a whitelist of only allowed (safe) classes to deserialize.
+     */
+    private static class WhitelistedObjectInputStream extends ObjectInputStream {
+
+        /**
+         * The list of classes which are allowed for deserialization.
+         */
+        private final List<String> allowedClasses;
+
+        /**
+         * The class loader to use for loading local classes.
+         */
+        private final ClassLoader classLoader;
+
+        /**
+         * Create a new WhitelistedObjectInputStream for the given InputStream, class loader and
+         * allowed class names.
+         *
+         * @param in             The InputStream to read from.
+         * @param classLoader    The ClassLoader to use for loading local classes.
+         * @param allowedClasses The list of allowed classes for deserialization.
+         * @throws IOException If something went wrong.
+         */
+        private WhitelistedObjectInputStream(InputStream in, ClassLoader classLoader, List<String> allowedClasses)
+                throws IOException {
+            super(in);
+            this.classLoader = classLoader;
+            this.allowedClasses = Collections.unmodifiableList(allowedClasses);
+        }
+
+        /**
+         * Resolve the class only if it's allowed to deserialize.
+         *
+         * @see ObjectInputStream#resolveClass(ObjectStreamClass)
+         */
+        @Override
+        protected Class<?> resolveClass(ObjectStreamClass classDesc)
+                throws IOException, ClassNotFoundException {
+            if (isProhibited(classDesc.getName())) {
+                throw new NotSerializableException("Not allowed to deserialize " + classDesc.getName());
+            }
+            if (this.classLoader != null) {
+                return ClassUtils.forName(classDesc.getName(), this.classLoader);
+            }
+            return super.resolveClass(classDesc);
+        }
+
+        /**
+         * Check if the class is allowed to be deserialized.
+         *
+         * @param className The class to check.
+         * @return True if the class is not allowed to be deserialized, false otherwise.
+         */
+        private boolean isProhibited(String className) {
+            for (String allowedClass : this.allowedClasses) {
+                if (className.startsWith(allowedClass)) {
+                    return false;
+                }
+            }
+            return true;
+        }
+    }
+}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/ClientDetailsServiceBuilder.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/ClientDetailsServiceBuilder.java
index 6e5d72985..5296f1a55 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/ClientDetailsServiceBuilder.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/ClientDetailsServiceBuilder.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -34,10 +34,14 @@
 /**
  * Builder for OAuth2 client details service. Can be used to construct either an in-memory or a JDBC implementation of
  * the {@link ClientDetailsService} and populate it with data.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class ClientDetailsServiceBuilder<B extends ClientDetailsServiceBuilder<B>> extends
 		SecurityConfigurerAdapter<ClientDetailsService, B> implements SecurityBuilder<ClientDetailsService> {
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/InMemoryClientDetailsServiceBuilder.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/InMemoryClientDetailsServiceBuilder.java
index da19dde33..f5ff55989 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/InMemoryClientDetailsServiceBuilder.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/InMemoryClientDetailsServiceBuilder.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -23,9 +23,13 @@
 import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class InMemoryClientDetailsServiceBuilder extends
 		ClientDetailsServiceBuilder<InMemoryClientDetailsServiceBuilder> {
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/JdbcClientDetailsServiceBuilder.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/JdbcClientDetailsServiceBuilder.java
index a0e90f0fd..af9d2cc8a 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/JdbcClientDetailsServiceBuilder.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/JdbcClientDetailsServiceBuilder.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -27,9 +27,13 @@
 import org.springframework.util.Assert;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class JdbcClientDetailsServiceBuilder extends ClientDetailsServiceBuilder<JdbcClientDetailsServiceBuilder> {
 
 	private Set<ClientDetails> clientDetails = new HashSet<ClientDetails>();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configuration/ClientDetailsServiceConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configuration/ClientDetailsServiceConfiguration.java
index a7319d4d6..da4f0a251 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configuration/ClientDetailsServiceConfiguration.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configuration/ClientDetailsServiceConfiguration.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -25,10 +25,14 @@
 import org.springframework.security.oauth2.provider.ClientDetailsService;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Rob Winch
  * 
  */
 @Configuration
+@Deprecated
 public class ClientDetailsServiceConfiguration {
 
 	@SuppressWarnings("rawtypes")
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configurers/ClientDetailsServiceConfigurer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configurers/ClientDetailsServiceConfigurer.java
index 398666a4d..84a080b08 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configurers/ClientDetailsServiceConfigurer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configurers/ClientDetailsServiceConfigurer.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -24,9 +24,13 @@
 import org.springframework.security.oauth2.provider.ClientDetailsService;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Rob Winch
  * 
  */
+@Deprecated
 public class ClientDetailsServiceConfigurer extends
 		SecurityConfigurerAdapter<ClientDetailsService, ClientDetailsServiceBuilder<?>> {
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurer.java
index 56d9d2876..3e01c32ce 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -22,10 +22,14 @@
 /**
  * Convenient strategy for configuring an OAUth2 Authorization Server. Beans of this type are applied to the Spring
  * context automatically if you {@link EnableAuthorizationServer @EnableAuthorizationServer}.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface AuthorizationServerConfigurer {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurerAdapter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurerAdapter.java
index 147573b3e..9e5e3d537 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurerAdapter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurerAdapter.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -18,9 +18,13 @@
 import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public class AuthorizationServerConfigurerAdapter implements AuthorizationServerConfigurer {
 
 	@Override
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerEndpointsConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerEndpointsConfiguration.java
index b2bc71674..ccc18971d 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerEndpointsConfiguration.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerEndpointsConfiguration.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -57,11 +57,15 @@
 import org.springframework.stereotype.Component;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
 @Configuration
 @Import(TokenKeyEndpointRegistrar.class)
+@Deprecated
 public class AuthorizationServerEndpointsConfiguration {
 
 	private AuthorizationServerEndpointsConfigurer endpoints = new AuthorizationServerEndpointsConfigurer();
@@ -78,7 +82,7 @@ public void init() {
 			try {
 				configurer.configure(endpoints);
 			} catch (Exception e) {
-				throw new IllegalStateException("Cannot configure enpdoints", e);
+				throw new IllegalStateException("Cannot configure endpoints", e);
 			}
 		}
 		endpoints.setClientDetailsService(clientDetailsService);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerSecurityConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerSecurityConfiguration.java
index 231e1ec8b..a95b4bcf3 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerSecurityConfiguration.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerSecurityConfiguration.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -34,6 +34,9 @@
 import java.util.List;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Rob Winch
  * @author Dave Syer
  * 
@@ -41,6 +44,7 @@
 @Configuration
 @Order(0)
 @Import({ ClientDetailsServiceConfiguration.class, AuthorizationServerEndpointsConfiguration.class })
+@Deprecated
 public class AuthorizationServerSecurityConfiguration extends WebSecurityConfigurerAdapter {
 
 	@Autowired
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableAuthorizationServer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableAuthorizationServer.java
index bed46e8a3..68ce85496 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableAuthorizationServer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableAuthorizationServer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -35,7 +35,10 @@
  * &#064;EnableWebSecurity} etc.), but the Token Endpoint (/oauth/token) will be automatically secured using HTTP Basic
  * authentication on the client's credentials. Clients <em>must</em> be registered by providing a
  * {@link ClientDetailsService} through one or more AuthorizationServerConfigurers.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
@@ -43,6 +46,7 @@
 @Retention(RetentionPolicy.RUNTIME)
 @Documented
 @Import({AuthorizationServerEndpointsConfiguration.class, AuthorizationServerSecurityConfiguration.class})
+@Deprecated
 public @interface EnableAuthorizationServer {
 
 }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableOAuth2Client.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableOAuth2Client.java
index b19b31858..2b6a2c933 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableOAuth2Client.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableOAuth2Client.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -49,7 +49,10 @@
  * token when necessary. Apps that use password grants need to set the authentication properties in the
  * OAuth2ProtectedResourceDetails before using the RestOperations, and this means the resource details themselves also
  * have to be per session (assuming there are multiple users in the system).
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
@@ -57,6 +60,7 @@
 @Retention(RetentionPolicy.RUNTIME)
 @Documented
 @Import(OAuth2ClientConfiguration.class)
+@Deprecated
 public @interface EnableOAuth2Client {
 
 }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableResourceServer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableResourceServer.java
index efaa1ce48..7ceef0307 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableResourceServer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableResourceServer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -36,7 +36,10 @@
  * The annotation creates a {@link WebSecurityConfigurerAdapter} with a hard-coded {@link Order} (of 3). It's not
  * possible to change the order right now owing to technical limitations in Spring, so you must avoid using order=3 in
  * other WebSecurityConfigurerAdapters in your application (Spring Security will let you know if you forget).
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
@@ -44,6 +47,7 @@
 @Retention(RetentionPolicy.RUNTIME)
 @Documented
 @Import(ResourceServerConfiguration.class)
+@Deprecated
 public @interface EnableResourceServer {
 
 }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/OAuth2ClientConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/OAuth2ClientConfiguration.java
index a5815fd19..a618d95ba 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/OAuth2ClientConfiguration.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/OAuth2ClientConfiguration.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -30,10 +30,14 @@
 import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
 @Configuration
+@Deprecated
 public class OAuth2ClientConfiguration {
 
 	@Bean
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfiguration.java
index da4779d1f..9e1224846 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfiguration.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfiguration.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -40,10 +40,14 @@
 import org.springframework.util.ReflectionUtils;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
 @Configuration
+@Deprecated
 public class ResourceServerConfiguration extends WebSecurityConfigurerAdapter implements Ordered {
 
 	private int order = 3;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurer.java
index b8f8d4d8f..490e01562 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -23,10 +23,14 @@
  * rules and paths that are protected by OAuth2 security. Applications may provide multiple instances of this interface,
  * and in general (like with other Security configurers), if more than one configures the same property, then the last
  * one wins. The configurers are sorted by {@link Order} before being applied.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface ResourceServerConfigurer {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurerAdapter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurerAdapter.java
index 1ab229281..cea39d37b 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurerAdapter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurerAdapter.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -16,9 +16,13 @@
 import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public class ResourceServerConfigurerAdapter implements ResourceServerConfigurer {
 
 	@Override
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerEndpointsConfigurer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerEndpointsConfigurer.java
index 64ee6d76e..6785fb430 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerEndpointsConfigurer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerEndpointsConfigurer.java
@@ -5,7 +5,7 @@
  * use this file except in compliance with the License. You may obtain a copy of
  * the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
@@ -81,11 +81,15 @@
 
 /**
  * Configure the properties and enhanced functionality of the Authorization Server endpoints.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Rob Winch
  * @author Dave Syer
  * @since 2.0
  */
+@Deprecated
 public final class AuthorizationServerEndpointsConfigurer {
 
 	private AuthorizationServerTokenServices tokenServices;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerSecurityConfigurer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerSecurityConfigurer.java
index 7c34c2e3d..c0962ac73 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerSecurityConfigurer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerSecurityConfigurer.java
@@ -5,7 +5,7 @@
  * use this file except in compliance with the License. You may obtain a copy of
  * the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
@@ -22,7 +22,10 @@
 import javax.servlet.Filter;
 
 import org.springframework.http.MediaType;
+import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -47,11 +50,15 @@
 import org.springframework.web.accept.HeaderContentNegotiationStrategy;
 
 /**
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Rob Winch
  * @author Dave Syer
  * @since 2.0
  */
+@Deprecated
 public final class AuthorizationServerSecurityConfigurer extends
 		SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
 
@@ -76,7 +83,11 @@ public final class AuthorizationServerSecurityConfigurer extends
 	 * BasicAuthenticationFilter.
 	 */
 	private List<Filter> tokenEndpointAuthenticationFilters = new ArrayList<Filter>();
-
+	
+	private List<AuthenticationProvider> authenticationProviders = new ArrayList<AuthenticationProvider>();
+	
+	private AuthenticationEventPublisher authenticationEventPublisher;
+	
 	public AuthorizationServerSecurityConfigurer sslOnly() {
 		this.sslOnly = true;
 		return this;
@@ -108,6 +119,29 @@ public AuthorizationServerSecurityConfigurer accessDeniedHandler(AccessDeniedHan
 		return this;
 	}
 
+	/**
+	 * Authentication provider(s) to use with the {@link AuthenticationManager}.
+	 * Adding an authentication provider here will replace the default {@link DaoAuthenticationProvider}.
+	 * 
+	 * @param authenticationProvider the authentication provider to add
+	 */	
+	public AuthorizationServerSecurityConfigurer addAuthenticationProvider(AuthenticationProvider authenticationProvider) {
+		Assert.notNull(authenticationProvider, "authenticationProvider must not be null");
+		this.authenticationProviders.add(authenticationProvider);
+		return this;
+	}
+	
+    /**
+     * {@link AuthenticationEventPublisher} to use with the {@link AuthenticationManager}.
+     * 
+     * @param authenticationEventPublisher the {@link AuthenticationEventPublisher} to use
+     */ 
+    public AuthorizationServerSecurityConfigurer authenticationEventPublisher(AuthenticationEventPublisher authenticationEventPublisher) {
+        Assert.notNull(authenticationEventPublisher, "authenticationEventPublisher must not be null");
+        this.authenticationEventPublisher = authenticationEventPublisher;
+        return this;
+    }	
+
 	public AuthorizationServerSecurityConfigurer tokenKeyAccess(String tokenKeyAccess) {
 		this.tokenKeyAccess = tokenKeyAccess;
 		return this;
@@ -128,17 +162,22 @@ public String getCheckTokenAccess() {
 
 	@Override
 	public void init(HttpSecurity http) throws Exception {
-
 		registerDefaultAuthenticationEntryPoint(http);
-		if (passwordEncoder != null) {
-			ClientDetailsUserDetailsService clientDetailsUserDetailsService = new ClientDetailsUserDetailsService(clientDetailsService());
-			clientDetailsUserDetailsService.setPasswordEncoder(passwordEncoder());
-			http.getSharedObject(AuthenticationManagerBuilder.class)
-					.userDetailsService(clientDetailsUserDetailsService)
-					.passwordEncoder(passwordEncoder());
+		AuthenticationManagerBuilder builder = http.getSharedObject(AuthenticationManagerBuilder.class);
+		if (authenticationEventPublisher != null) {
+		    builder.authenticationEventPublisher(authenticationEventPublisher);
 		}
-		else {
-			http.userDetailsService(new ClientDetailsUserDetailsService(clientDetailsService()));
+		if (authenticationProviders.isEmpty()) {
+			if (passwordEncoder != null) {
+				builder.userDetailsService(new ClientDetailsUserDetailsService(clientDetailsService()))
+					.passwordEncoder(passwordEncoder());
+			} else {
+				builder.userDetailsService(new ClientDetailsUserDetailsService(clientDetailsService()));
+			}
+		} else { 
+			for (AuthenticationProvider provider: authenticationProviders) {
+				builder.authenticationProvider(provider);
+			}
 		}
 		http.securityContext().securityContextRepository(new NullSecurityContextRepository()).and().csrf().disable()
 				.httpBasic().authenticationEntryPoint(this.authenticationEntryPoint).realmName(realm);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/ResourceServerSecurityConfigurer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/ResourceServerSecurityConfigurer.java
index 4f26247b6..e6b6d36b6 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/ResourceServerSecurityConfigurer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/ResourceServerSecurityConfigurer.java
@@ -5,7 +5,7 @@
  * use this file except in compliance with the License. You may obtain a copy of
  * the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
@@ -50,12 +50,15 @@
 import javax.servlet.http.HttpServletRequest;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
  *
  * @author Rob Winch
  * @author Dave Syer
  * 
  * @since 2.0.0
  */
+@Deprecated
 public final class ResourceServerSecurityConfigurer extends
 		SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParser.java
index 391d74a8c..78b15f304 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParser.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParser.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -41,10 +41,14 @@
 
 /**
  * Parser for the OAuth "provider" element.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class AuthorizationServerBeanDefinitionParser
 		extends ProviderBeanDefinitionParser {
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientBeanDefinitionParser.java
index 347fe7099..a8796ec2f 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientBeanDefinitionParser.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientBeanDefinitionParser.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -24,10 +24,14 @@
 
 /**
  * Parser for the OAuth "client" element supporting client apps using {@link OAuth2RestTemplate}.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class ClientBeanDefinitionParser extends AbstractBeanDefinitionParser {
 
 	@Override
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParser.java
index 5d9ec4af8..e67945547 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParser.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParser.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -30,9 +30,13 @@
 import org.w3c.dom.Element;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Andrew McCall
  */
+@Deprecated
 public class ClientDetailsServiceBeanDefinitionParser extends AbstractSingleBeanDefinitionParser {
 
 	@Override
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ConfigUtils.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ConfigUtils.java
index 77fde32c3..fc11e3d9e 100755
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ConfigUtils.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ConfigUtils.java
@@ -22,8 +22,12 @@
 /**
  * Common place for OAuth namespace configuration utils.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class ConfigUtils {
   private static final Method createMatcherMethod3x = ReflectionUtils.findMethod(
           MatcherType.class, "createMatcher", String.class, String.class);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ExpressionHandlerBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ExpressionHandlerBeanDefinitionParser.java
index 6edfbedda..fc7880107 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ExpressionHandlerBeanDefinitionParser.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ExpressionHandlerBeanDefinitionParser.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,9 +21,13 @@
 import org.w3c.dom.Element;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class ExpressionHandlerBeanDefinitionParser extends AbstractSingleBeanDefinitionParser {
 
 	@Override
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2ClientContextFactoryBean.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2ClientContextFactoryBean.java
index 3663b8c05..dc865ffc0 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2ClientContextFactoryBean.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2ClientContextFactoryBean.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -23,10 +23,14 @@
  * Convenience factory for OAuth2ClientContext that is aware of the need for a different context if the resource is for a
  * client credentials grant. Client credentials grants will always have the same credentials for all requests, so
  * there's no point protecting the context with session and request scopes.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class OAuth2ClientContextFactoryBean implements FactoryBean<OAuth2ClientContext> {
 
 	private OAuth2ProtectedResourceDetails resource;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2SecurityNamespaceHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2SecurityNamespaceHandler.java
index f7632dcdb..b92184402 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2SecurityNamespaceHandler.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2SecurityNamespaceHandler.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -16,9 +16,13 @@
 import org.springframework.beans.factory.xml.NamespaceHandlerSupport;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class OAuth2SecurityNamespaceHandler extends NamespaceHandlerSupport {
 
 	public void init() {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ProviderBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ProviderBeanDefinitionParser.java
index 1550d3845..93b16525e 100755
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ProviderBeanDefinitionParser.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ProviderBeanDefinitionParser.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -25,9 +25,13 @@
 /**
  * Parser for the OAuth "provider" element.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public abstract class ProviderBeanDefinitionParser extends AbstractBeanDefinitionParser {
 
 	@Override
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParser.java
index d992c8aac..23c76ee29 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParser.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParser.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -36,8 +36,12 @@
 import org.w3c.dom.Element;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class ResourceBeanDefinitionParser extends AbstractSingleBeanDefinitionParser {
 
 	@Override
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParser.java
index 8301b596a..d6d8d7403 100755
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParser.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParser.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -24,10 +24,14 @@
 /**
  * Parser for the OAuth "resource-server" element. Creates a filter that can be added to the standard Spring Security
  * filter chain.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class ResourceServerBeanDefinitionParser extends ProviderBeanDefinitionParser {
 
 	@Override
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/RestTemplateBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/RestTemplateBeanDefinitionParser.java
index 41bb2a291..7054d99df 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/RestTemplateBeanDefinitionParser.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/RestTemplateBeanDefinitionParser.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -25,9 +25,13 @@
 import org.w3c.dom.Element;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class RestTemplateBeanDefinitionParser extends AbstractSingleBeanDefinitionParser {
 
 	@Override
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/WebExpressionHandlerBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/WebExpressionHandlerBeanDefinitionParser.java
index 17b364f56..def339b0d 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/WebExpressionHandlerBeanDefinitionParser.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/WebExpressionHandlerBeanDefinitionParser.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,9 +21,13 @@
 import org.w3c.dom.Element;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class WebExpressionHandlerBeanDefinitionParser extends AbstractSingleBeanDefinitionParser {
 
 	@Override
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2AccessTokenMessageConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2AccessTokenMessageConverter.java
index 6d27ee68c..6bdf83f2f 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2AccessTokenMessageConverter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2AccessTokenMessageConverter.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -28,11 +28,15 @@
 /**
  * Converter that can handle inbound form data and convert it to an access token. Needed to support external servers,
  * like Facebook that might not send JSON token data.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Rob Winch
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class FormOAuth2AccessTokenMessageConverter extends AbstractHttpMessageConverter<OAuth2AccessToken> {
 
 	private final FormHttpMessageConverter delegateMessageConverter;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2ExceptionHttpMessageConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2ExceptionHttpMessageConverter.java
index d66a13880..264a528d5 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2ExceptionHttpMessageConverter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2ExceptionHttpMessageConverter.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -31,11 +31,15 @@
 /**
  * Converter that can handle inbound form data and convert it to an OAuth2 exception. Needed to support external servers,
  * like Facebook that might not send JSON data.
- * 
-@author Rob Winch
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ * @author Rob Winch
  * @author Dave Syer
  *
  */
+@Deprecated
 public final class FormOAuth2ExceptionHttpMessageConverter implements HttpMessageConverter<OAuth2Exception> {
 
 	private static final List<MediaType> SUPPORTED_MEDIA = Collections.singletonList(MediaType.APPLICATION_FORM_URLENCODED);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/AbstractJaxbMessageConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/AbstractJaxbMessageConverter.java
index fb2666dac..6b9e8c418 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/AbstractJaxbMessageConverter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/AbstractJaxbMessageConverter.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -84,7 +84,7 @@ protected final void writeToResult(E accessToken, HttpHeaders headers, Result re
 			createMarshaller().marshal(convertedAccessToken, result);
 		}
 		catch (MarshalException ex) {
-			throw new HttpMessageNotWritableException("Could not marshal [" + accessToken + "]: " + ex.getMessage(), ex);
+			throw new HttpMessageNotWritableException("Could not marshal accessToken: " + ex.getMessage(), ex);
 		}
 		catch (JAXBException ex) {
 			throw new HttpMessageConversionException("Could not instantiate JAXBContext: " + ex.getMessage(), ex);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessToken.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessToken.java
index 1cbabd251..1df8ab8a0 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessToken.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessToken.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessTokenMessageConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessTokenMessageConverter.java
index 07d898077..ac4e45724 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessTokenMessageConverter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessTokenMessageConverter.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -19,6 +19,12 @@
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
 
+/**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ */
+@Deprecated
 public final class JaxbOAuth2AccessTokenMessageConverter extends AbstractJaxbMessageConverter<JaxbOAuth2AccessToken,OAuth2AccessToken> {
 
 	public JaxbOAuth2AccessTokenMessageConverter() {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2Exception.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2Exception.java
index ca4f3fdd2..75dfa02bf 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2Exception.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2Exception.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2ExceptionMessageConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2ExceptionMessageConverter.java
index f78313852..3b2f1146b 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2ExceptionMessageConverter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2ExceptionMessageConverter.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -14,6 +14,12 @@
 
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 
+/**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ */
+@Deprecated
 public final class JaxbOAuth2ExceptionMessageConverter extends
 		AbstractJaxbMessageConverter<JaxbOAuth2Exception, OAuth2Exception> {
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/AuthorizationRequest.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/AuthorizationRequest.java
index ddb90e808..520f66960 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/AuthorizationRequest.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/AuthorizationRequest.java
@@ -30,12 +30,16 @@
  * authorization request as a {@link SessionAttributes} member while the end
  * user through the authorization process (which may span several page
  * requests).
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  * @author Amanda Anganes
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class AuthorizationRequest extends BaseRequest implements Serializable {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/BaseRequest.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/BaseRequest.java
index 7fd7f28d5..47e869cca 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/BaseRequest.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/BaseRequest.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientAlreadyExistsException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientAlreadyExistsException.java
index eae256046..2459ccd2d 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientAlreadyExistsException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientAlreadyExistsException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -17,11 +17,15 @@
 
 /**
  * Exception indicating that a client registration already exists (e.g. if someone tries to create a duplicate).
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class ClientAlreadyExistsException extends ClientRegistrationException {
 
 	public ClientAlreadyExistsException(String msg) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetails.java
index f9e8d1c2f..5aacd8917 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetails.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetails.java
@@ -9,9 +9,13 @@
 
 /**
  * Client details for OAuth 2
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface ClientDetails extends Serializable {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetailsService.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetailsService.java
index e08aa3540..2137fe459 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetailsService.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetailsService.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,8 +20,12 @@
 /**
  * A service that provides the details about an OAuth2 client.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface ClientDetailsService {
 
   /**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationException.java
index aa32bf437..29d1b6975 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -16,10 +16,14 @@
 package org.springframework.security.oauth2.provider;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class ClientRegistrationException extends RuntimeException {
 	
 	public ClientRegistrationException(String msg) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationService.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationService.java
index 4515539cf..d032db2c4 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationService.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationService.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,10 +20,14 @@
 /**
  * Interface for client registration, handling add, update and remove of {@link ClientDetails} from an Authorization
  * Server.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface ClientRegistrationService {
 
 	void addClientDetails(ClientDetails clientDetails) throws ClientAlreadyExistsException;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/CompositeTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/CompositeTokenGranter.java
index 0148e580c..a880d581d 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/CompositeTokenGranter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/CompositeTokenGranter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -22,9 +22,13 @@
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class CompositeTokenGranter implements TokenGranter {
 
 	private final List<TokenGranter> tokenGranters;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/DefaultSecurityContextAccessor.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/DefaultSecurityContextAccessor.java
index 0bab78276..deb892923 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/DefaultSecurityContextAccessor.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/DefaultSecurityContextAccessor.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -23,10 +23,14 @@
 
 /**
  * Strategy for accessing useful information about the current security context.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class DefaultSecurityContextAccessor implements SecurityContextAccessor {
 
 	@Override
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/NoSuchClientException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/NoSuchClientException.java
index ba68dee61..3712afaeb 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/NoSuchClientException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/NoSuchClientException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -16,10 +16,14 @@
 package org.springframework.security.oauth2.provider;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class NoSuchClientException extends ClientRegistrationException {
 
 	public NoSuchClientException(String msg) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Authentication.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Authentication.java
index d2f3cf045..d4543c853 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Authentication.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Authentication.java
@@ -7,9 +7,13 @@
 /**
  * An OAuth 2 authentication token can contain two authentications: one for the client and one for the user. Since some
  * OAuth authorization grants don't require user authentication, the user authentication may be null.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class OAuth2Authentication extends AbstractAuthenticationToken {
 
 	private static final long serialVersionUID = -4809832298438307309L;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Request.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Request.java
index 61dcd5660..a3d2fbae3 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Request.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Request.java
@@ -14,11 +14,15 @@
  * Represents a stored authorization or token request. Used as part of the OAuth2Authentication object to store a
  * request's authentication information. Does not expose public setters so that clients can not mutate state if they
  * respect the declared type of the request.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Amanda Anganes
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class OAuth2Request extends BaseRequest implements Serializable {
 
 	private static final long serialVersionUID = 1L;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestFactory.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestFactory.java
index d98418ab2..22762e649 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestFactory.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestFactory.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -17,11 +17,15 @@
 
 /**
  * Strategy for managing OAuth2 requests: {@link AuthorizationRequest}, {@link TokenRequest}, {@link OAuth2Request}.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * @author Amanda Anganes
  * 
  */
+@Deprecated
 public interface OAuth2RequestFactory {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestValidator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestValidator.java
index b88a765bf..548ab4a6d 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestValidator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestValidator.java
@@ -6,10 +6,14 @@
 
 /**
  * Validation interface for OAuth2 requests to the {@link AuthorizationEndpoint} and {@link TokenEndpoint}.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Amanda Anganes
  *
  */
+@Deprecated
 public interface OAuth2RequestValidator {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/SecurityContextAccessor.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/SecurityContextAccessor.java
index 26862cc64..c051179f4 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/SecurityContextAccessor.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/SecurityContextAccessor.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -19,10 +19,14 @@
 
 /**
  * Strategy for accessing useful information about the current security context.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public interface SecurityContextAccessor {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenGranter.java
index 51b34f3f4..7c31f571c 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenGranter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenGranter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -21,10 +21,14 @@
 /**
  * Interface for granters of access tokens. Various grant types are defined in the specification, and each of those has
  * an implementation, leaving room for extensions to the specification as needed.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface TokenGranter {
 
 	OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenRequest.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenRequest.java
index ebc13a56d..b04919afe 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenRequest.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenRequest.java
@@ -15,12 +15,16 @@
  * In the implicit flow, a token is requested through the {@link AuthorizationEndpoint} directly, and in that case the
  * {@link AuthorizationRequest} is converted into a {@link TokenRequest} for processing through the token granting
  * chain.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Amanda Anganes
  * @author Dave Syer
  * 
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class TokenRequest extends BaseRequest {
 
 	private String grantType;
@@ -90,7 +94,7 @@ public OAuth2Request createOAuth2Request(ClientDetails client) {
 		modifiable.remove("password");
 		modifiable.remove("client_secret");
 		// Add grant type so it can be retrieved from OAuth2Request
-		modifiable.put("grant_type", grantType);
+		modifiable.put(OAuth2Utils.GRANT_TYPE, grantType);
 		return new OAuth2Request(modifiable, client.getClientId(), client.getAuthorities(), true, this.getScope(),
 				client.getResourceIds(), null, null, null);
 	}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/Approval.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/Approval.java
index ffb7bd13a..c9a2503f9 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/Approval.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/Approval.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,18 +19,23 @@
 import java.util.Calendar;
 import java.util.Date;
 
-import org.codehaus.jackson.annotate.JsonIgnore;
-import org.codehaus.jackson.map.annotate.JsonDeserialize;
-import org.codehaus.jackson.map.annotate.JsonSerialize;
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+
 import org.springframework.security.oauth2.common.util.JsonDateDeserializer;
 import org.springframework.security.oauth2.common.util.JsonDateSerializer;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * @author Vidya Val
  *
  */
 @JsonSerialize(include = JsonSerialize.Inclusion.NON_NULL)
+@Deprecated
 public class Approval {
 
 	private String userId;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStore.java
index 2f6063310..85a67f4d3 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStore.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStore.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,10 +19,14 @@
 
 /**
  * Interface for saving, retrieving and revoking user approvals (per client, per scope). 
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public interface ApprovalStore {
 
 	public boolean addApprovals(Collection<Approval> approvals);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStoreUserApprovalHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStoreUserApprovalHandler.java
index a250c3283..2bda1ae40 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStoreUserApprovalHandler.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStoreUserApprovalHandler.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -40,10 +40,14 @@
 
 /**
  * A user approval handler that remembers approval decisions by consulting existing approvals.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class ApprovalStoreUserApprovalHandler implements UserApprovalHandler, InitializingBean {
 
 	private static Log logger = LogFactory.getLog(ApprovalStoreUserApprovalHandler.class);
@@ -131,7 +135,7 @@ public AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizati
 				}
 			}
 			catch (ClientRegistrationException e) {
-				logger.warn("Client registration problem prevent autoapproval check for client=" + clientId);
+				logger.warn("Client registration problem prevent autoapproval check for client");
 			}
 		}
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/DefaultUserApprovalHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/DefaultUserApprovalHandler.java
index 4233b6796..5aa3813b1 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/DefaultUserApprovalHandler.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/DefaultUserApprovalHandler.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -25,10 +25,14 @@
 
 /**
  * A default user approval handler that doesn't remember any decisions.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class DefaultUserApprovalHandler implements UserApprovalHandler {
 
 	private String approvalParameter = OAuth2Utils.USER_OAUTH_APPROVAL;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/InMemoryApprovalStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/InMemoryApprovalStore.java
index ef7e69009..51b765905 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/InMemoryApprovalStore.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/InMemoryApprovalStore.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -23,9 +23,13 @@
 import java.util.concurrent.ConcurrentMap;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class InMemoryApprovalStore implements ApprovalStore {
 
 	private ConcurrentMap<Key, Collection<Approval>> map = new ConcurrentHashMap<Key, Collection<Approval>>();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/JdbcApprovalStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/JdbcApprovalStore.java
index bc3325afe..11e5bfb7f 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/JdbcApprovalStore.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/JdbcApprovalStore.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -37,9 +37,13 @@
 import org.springframework.util.Assert;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class JdbcApprovalStore implements ApprovalStore {
 
 	private final JdbcTemplate jdbcTemplate;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenApprovalStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenApprovalStore.java
index cf1cc2e5f..2a45946f6 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenApprovalStore.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenApprovalStore.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -32,10 +32,14 @@
  * approvals even if they are not really represented in such a way internally. For full fine-grained control of user
  * approvals don't use a TokenStore at all, and don't use this ApprovalStore with Approval-based
  * {@link AuthorizationServerTokenServices} implementations.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class TokenApprovalStore implements ApprovalStore {
 
 	private TokenStore store;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenStoreUserApprovalHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenStoreUserApprovalHandler.java
index 4f995a4d1..8c60bea7f 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenStoreUserApprovalHandler.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenStoreUserApprovalHandler.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -38,10 +38,14 @@
 
 /**
  * A user approval handler that remembers approval decisions by consulting existing tokens.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class TokenStoreUserApprovalHandler implements UserApprovalHandler, InitializingBean {
 
 	private static Log logger = LogFactory.getLog(TokenStoreUserApprovalHandler.class);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/UserApprovalHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/UserApprovalHandler.java
index ab741bb2e..e57ebba3d 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/UserApprovalHandler.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/UserApprovalHandler.java
@@ -8,11 +8,15 @@
 /**
  * Basic interface for determining whether a given client authentication request has been
  * approved by the current user.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  * @author Amanda Anganes
  */
+@Deprecated
 public interface UserApprovalHandler {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/BearerTokenExtractor.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/BearerTokenExtractor.java
index bc2b76c29..a11c6fae9 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/BearerTokenExtractor.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/BearerTokenExtractor.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -27,10 +27,14 @@
  * {@link TokenExtractor} that strips the authenticator from a bearer token request (with an Authorization header in the
  * form "Bearer <code>&lt;TOKEN&gt;</code>", or as a request parameter if that fails). The access token is the principal in
  * the authentication token that is extracted.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class BearerTokenExtractor implements TokenExtractor {
 
 	private final static Log logger = LogFactory.getLog(BearerTokenExtractor.class);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetails.java
index e2adb379b..820ef1556 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetails.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetails.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -21,10 +21,14 @@
 
 /**
  * A holder of selected HTTP details related to an OAuth2 authentication request.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class OAuth2AuthenticationDetails implements Serializable {
 	
 	private static final long serialVersionUID = -4809832298438307309L;
@@ -63,19 +67,22 @@ public OAuth2AuthenticationDetails(HttpServletRequest request) {
 		if (remoteAddress!=null) {
 			builder.append("remoteAddress=").append(remoteAddress);
 		}
-		if (builder.length()>1) {
-			builder.append(", ");
-		}
 		if (sessionId!=null) {
-			builder.append("sessionId=<SESSION>");
-			if (builder.length()>1) {
+			if (builder.length() > 1) {
 				builder.append(", ");
 			}
+			builder.append("sessionId=<SESSION>");
 		}
 		if (tokenType!=null) {
+			if (builder.length() > 1) {
+				builder.append(", ");
+			}
 			builder.append("tokenType=").append(this.tokenType);
 		}
 		if (tokenValue!=null) {
+			if (builder.length() > 1) {
+				builder.append(", ");
+			}
 			builder.append("tokenValue=<TOKEN>");
 		}
 		this.display = builder.toString();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetailsSource.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetailsSource.java
index 4dad52034..8358c77f3 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetailsSource.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetailsSource.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -20,10 +20,14 @@
 
 /**
  * A source for authentication details in an OAuth2 protected Resource.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class OAuth2AuthenticationDetailsSource implements
 		AuthenticationDetailsSource<HttpServletRequest, OAuth2AuthenticationDetails> {
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationManager.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationManager.java
index b02b6375b..4d94f0598 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationManager.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationManager.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -31,10 +31,14 @@
 
 /**
  * An {@link AuthenticationManager} for OAuth2 protected resources.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class OAuth2AuthenticationManager implements AuthenticationManager, InitializingBean {
 
 	private ResourceServerTokenServices tokenServices;
@@ -82,7 +86,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		String token = (String) authentication.getPrincipal();
 		OAuth2Authentication auth = tokenServices.loadAuthentication(token);
 		if (auth == null) {
-			throw new InvalidTokenException("Invalid token: " + token);
+			throw new InvalidTokenException("Invalid token");
 		}
 
 		Collection<String> resourceIds = auth.getOAuth2Request().getResourceIds();
@@ -119,7 +123,7 @@ private void checkClientDetails(OAuth2Authentication auth) {
 			for (String scope : auth.getOAuth2Request().getScope()) {
 				if (!allowed.contains(scope)) {
 					throw new OAuth2AccessDeniedException(
-							"Invalid token contains disallowed scope (" + scope + ") for this client");
+							"Invalid token contains disallowed scope for this client");
 				}
 			}
 		}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilter.java
index 65278c005..7152691cb 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilter.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -47,10 +47,14 @@
  * A pre-authentication filter for OAuth2 protected resources. Extracts an OAuth2 token from the incoming request and
  * uses it to populate the Spring Security context with an {@link OAuth2Authentication} (if used in conjunction with an
  * {@link OAuth2AuthenticationManager}).
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class OAuth2AuthenticationProcessingFilter implements Filter, InitializingBean {
 
 	private final static Log logger = LogFactory.getLog(OAuth2AuthenticationProcessingFilter.class);
@@ -70,7 +74,9 @@ public class OAuth2AuthenticationProcessingFilter implements Filter, Initializin
 	/**
 	 * Flag to say that this filter guards stateless resources (default true). Set this to true if the only way the
 	 * resource can be accessed is with a token. If false then an incoming cookie can populate the security context and
-	 * allow access to a caller that isn't an OAuth2 client.
+	 * allow access to a caller that isn't an OAuth2 client. When false, remember to also allow sessions to be created
+	 * by configuring session management with a session creation policy that allows sessions to be set.
+	 * See {@link org.springframework.security.config.http.SessionCreationPolicy} for your choices.
 	 * 
 	 * @param stateless the flag to set (default true)
 	 */
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/TokenExtractor.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/TokenExtractor.java
index 8d8506a67..2537b1eb2 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/TokenExtractor.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/TokenExtractor.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -18,9 +18,13 @@
 import org.springframework.security.core.Authentication;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public interface TokenExtractor {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/BaseClientDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/BaseClientDetails.java
index 0dccf8230..e1a82439e 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/BaseClientDetails.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/BaseClientDetails.java
@@ -19,64 +19,52 @@
 /**
  * Base implementation of
  * {@link org.springframework.security.oauth2.provider.ClientDetails}.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
 @SuppressWarnings("serial")
-@org.codehaus.jackson.map.annotate.JsonSerialize(include = org.codehaus.jackson.map.annotate.JsonSerialize.Inclusion.NON_DEFAULT)
-@org.codehaus.jackson.annotate.JsonIgnoreProperties(ignoreUnknown = true)
 @com.fasterxml.jackson.annotation.JsonInclude(com.fasterxml.jackson.annotation.JsonInclude.Include.NON_DEFAULT)
 @com.fasterxml.jackson.annotation.JsonIgnoreProperties(ignoreUnknown = true)
+@Deprecated
 public class BaseClientDetails implements ClientDetails {
 
-	@org.codehaus.jackson.annotate.JsonProperty("client_id")
 	@com.fasterxml.jackson.annotation.JsonProperty("client_id")
 	private String clientId;
 
-	@org.codehaus.jackson.annotate.JsonProperty("client_secret")
 	@com.fasterxml.jackson.annotation.JsonProperty("client_secret")
 	private String clientSecret;
 
-	@org.codehaus.jackson.map.annotate.JsonDeserialize(using = JacksonArrayOrStringDeserializer.class)
 	@com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = Jackson2ArrayOrStringDeserializer.class)
 	private Set<String> scope = Collections.emptySet();
 
-	@org.codehaus.jackson.annotate.JsonProperty("resource_ids")
-	@org.codehaus.jackson.map.annotate.JsonDeserialize(using = JacksonArrayOrStringDeserializer.class)
 	@com.fasterxml.jackson.annotation.JsonProperty("resource_ids")
 	@com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = Jackson2ArrayOrStringDeserializer.class)
 	private Set<String> resourceIds = Collections.emptySet();
 
-	@org.codehaus.jackson.annotate.JsonProperty("authorized_grant_types")
-	@org.codehaus.jackson.map.annotate.JsonDeserialize(using = JacksonArrayOrStringDeserializer.class)
 	@com.fasterxml.jackson.annotation.JsonProperty("authorized_grant_types")
 	@com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = Jackson2ArrayOrStringDeserializer.class)
 	private Set<String> authorizedGrantTypes = Collections.emptySet();
 
-	@org.codehaus.jackson.annotate.JsonProperty("redirect_uri")
-	@org.codehaus.jackson.map.annotate.JsonDeserialize(using = JacksonArrayOrStringDeserializer.class)
 	@com.fasterxml.jackson.annotation.JsonProperty("redirect_uri")
 	@com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = Jackson2ArrayOrStringDeserializer.class)
 	private Set<String> registeredRedirectUris;
 
-	@org.codehaus.jackson.annotate.JsonProperty("autoapprove")
-	@org.codehaus.jackson.map.annotate.JsonDeserialize(using = JacksonArrayOrStringDeserializer.class)
 	@com.fasterxml.jackson.annotation.JsonProperty("autoapprove")
 	@com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = Jackson2ArrayOrStringDeserializer.class)
 	private Set<String> autoApproveScopes;
 
 	private List<GrantedAuthority> authorities = Collections.emptyList();
 
-	@org.codehaus.jackson.annotate.JsonProperty("access_token_validity")
 	@com.fasterxml.jackson.annotation.JsonProperty("access_token_validity")
 	private Integer accessTokenValiditySeconds;
 
-	@org.codehaus.jackson.annotate.JsonProperty("refresh_token_validity")
 	@com.fasterxml.jackson.annotation.JsonProperty("refresh_token_validity")
 	private Integer refreshTokenValiditySeconds;
 
-	@org.codehaus.jackson.annotate.JsonIgnore
 	@com.fasterxml.jackson.annotation.JsonIgnore
 	private Map<String, Object> additionalInformation = new LinkedHashMap<String, Object>();
 
@@ -142,7 +130,6 @@ public BaseClientDetails(String clientId, String resourceIds,
 		}
 	}
 
-	@org.codehaus.jackson.annotate.JsonIgnore
 	@com.fasterxml.jackson.annotation.JsonIgnore
 	public String getClientId() {
 		return clientId;
@@ -169,19 +156,16 @@ public boolean isAutoApprove(String scope) {
 		return false;
 	}
 
-	@org.codehaus.jackson.annotate.JsonIgnore
 	@com.fasterxml.jackson.annotation.JsonIgnore
 	public Set<String> getAutoApproveScopes() {
 		return autoApproveScopes;
 	}
 
-	@org.codehaus.jackson.annotate.JsonIgnore
 	@com.fasterxml.jackson.annotation.JsonIgnore
 	public boolean isSecretRequired() {
 		return this.clientSecret != null;
 	}
 
-	@org.codehaus.jackson.annotate.JsonIgnore
 	@com.fasterxml.jackson.annotation.JsonIgnore
 	public String getClientSecret() {
 		return clientSecret;
@@ -191,7 +175,6 @@ public void setClientSecret(String clientSecret) {
 		this.clientSecret = clientSecret;
 	}
 
-	@org.codehaus.jackson.annotate.JsonIgnore
 	@com.fasterxml.jackson.annotation.JsonIgnore
 	public boolean isScoped() {
 		return this.scope != null && !this.scope.isEmpty();
@@ -206,7 +189,6 @@ public void setScope(Collection<String> scope) {
 				: new LinkedHashSet<String>(scope);
 	}
 
-	@org.codehaus.jackson.annotate.JsonIgnore
 	@com.fasterxml.jackson.annotation.JsonIgnore
 	public Set<String> getResourceIds() {
 		return resourceIds;
@@ -217,7 +199,6 @@ public void setResourceIds(Collection<String> resourceIds) {
 				.<String> emptySet() : new LinkedHashSet<String>(resourceIds);
 	}
 
-	@org.codehaus.jackson.annotate.JsonIgnore
 	@com.fasterxml.jackson.annotation.JsonIgnore
 	public Set<String> getAuthorizedGrantTypes() {
 		return authorizedGrantTypes;
@@ -228,7 +209,6 @@ public void setAuthorizedGrantTypes(Collection<String> authorizedGrantTypes) {
 				authorizedGrantTypes);
 	}
 
-	@org.codehaus.jackson.annotate.JsonIgnore
 	@com.fasterxml.jackson.annotation.JsonIgnore
 	public Set<String> getRegisteredRedirectUri() {
 		return registeredRedirectUris;
@@ -239,15 +219,12 @@ public void setRegisteredRedirectUri(Set<String> registeredRedirectUris) {
 				: new LinkedHashSet<String>(registeredRedirectUris);
 	}
 
-	@org.codehaus.jackson.annotate.JsonProperty("authorities")
 	@com.fasterxml.jackson.annotation.JsonProperty("authorities")
 	private List<String> getAuthoritiesAsStrings() {
 		return new ArrayList<String>(
 				AuthorityUtils.authorityListToSet(authorities));
 	}
 
-	@org.codehaus.jackson.annotate.JsonProperty("authorities")
-	@org.codehaus.jackson.map.annotate.JsonDeserialize(using = JacksonArrayOrStringDeserializer.class)
 	@com.fasterxml.jackson.annotation.JsonProperty("authorities")
 	@com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = Jackson2ArrayOrStringDeserializer.class)
 	private void setAuthoritiesAsStrings(Set<String> values) {
@@ -255,20 +232,17 @@ private void setAuthoritiesAsStrings(Set<String> values) {
 				.toArray(new String[values.size()])));
 	}
 
-	@org.codehaus.jackson.annotate.JsonIgnore
 	@com.fasterxml.jackson.annotation.JsonIgnore
 	public Collection<GrantedAuthority> getAuthorities() {
 		return authorities;
 	}
 
-	@org.codehaus.jackson.annotate.JsonIgnore
 	@com.fasterxml.jackson.annotation.JsonIgnore
 	public void setAuthorities(
 			Collection<? extends GrantedAuthority> authorities) {
 		this.authorities = new ArrayList<GrantedAuthority>(authorities);
 	}
 
-	@org.codehaus.jackson.annotate.JsonIgnore
 	@com.fasterxml.jackson.annotation.JsonIgnore
 	public Integer getAccessTokenValiditySeconds() {
 		return accessTokenValiditySeconds;
@@ -278,7 +252,6 @@ public void setAccessTokenValiditySeconds(Integer accessTokenValiditySeconds) {
 		this.accessTokenValiditySeconds = accessTokenValiditySeconds;
 	}
 
-	@org.codehaus.jackson.annotate.JsonIgnore
 	@com.fasterxml.jackson.annotation.JsonIgnore
 	public Integer getRefreshTokenValiditySeconds() {
 		return refreshTokenValiditySeconds;
@@ -294,13 +267,11 @@ public void setAdditionalInformation(Map<String, ?> additionalInformation) {
 				additionalInformation);
 	}
 
-	@org.codehaus.jackson.annotate.JsonAnyGetter
 	@com.fasterxml.jackson.annotation.JsonAnyGetter
 	public Map<String, Object> getAdditionalInformation() {
 		return Collections.unmodifiableMap(this.additionalInformation);
 	}
 
-	@org.codehaus.jackson.annotate.JsonAnySetter
 	@com.fasterxml.jackson.annotation.JsonAnySetter
 	public void addAdditionalInformation(String key, Object value) {
 		this.additionalInformation.put(key, value);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilter.java
index f032642eb..f4fb58f33 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilter.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -38,10 +38,14 @@
  * parameters if included as a security filter, as permitted by the specification (but not recommended). It is
  * recommended by the specification that you permit HTTP basic authentication for clients, and not use this filter at
  * all.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class ClientCredentialsTokenEndpointFilter extends AbstractAuthenticationProcessingFilter {
 
 	private AuthenticationEntryPoint authenticationEntryPoint = new OAuth2AuthenticationEntryPoint();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenGranter.java
index 6583e255d..e56d1593a 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenGranter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenGranter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -25,9 +25,13 @@
 import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class ClientCredentialsTokenGranter extends AbstractTokenGranter {
 
 	private static final String GRANT_TYPE = "client_credentials";
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientDetailsUserDetailsService.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientDetailsUserDetailsService.java
index d088c4f64..bcc6c9967 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientDetailsUserDetailsService.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientDetailsUserDetailsService.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -22,9 +22,13 @@
 import org.springframework.security.oauth2.provider.NoSuchClientException;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class ClientDetailsUserDetailsService implements UserDetailsService {
 
 	private final ClientDetailsService clientDetailsService;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/InMemoryClientDetailsService.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/InMemoryClientDetailsService.java
index 763d9a0bb..1ce56e397 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/InMemoryClientDetailsService.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/InMemoryClientDetailsService.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -27,8 +27,12 @@
 /**
  * Basic, in-memory implementation of the client details service.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public class InMemoryClientDetailsService implements ClientDetailsService {
 
   private Map<String, ClientDetails> clientDetailsStore = new HashMap<String, ClientDetails>();
@@ -36,7 +40,7 @@ public class InMemoryClientDetailsService implements ClientDetailsService {
   public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
     ClientDetails details = clientDetailsStore.get(clientId);
     if (details == null) {
-      throw new NoSuchClientException("No client with requested id: " + clientId);
+      throw new NoSuchClientException("No client with requested id");
     }
     return details;
   }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/Jackson2ArrayOrStringDeserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/Jackson2ArrayOrStringDeserializer.java
index 20698f491..4e6285c9b 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/Jackson2ArrayOrStringDeserializer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/Jackson2ArrayOrStringDeserializer.java
@@ -16,7 +16,13 @@
 import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
 import com.fasterxml.jackson.databind.type.SimpleType;
 
+/**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ */
 @SuppressWarnings("serial")
+@Deprecated
 public class Jackson2ArrayOrStringDeserializer extends StdDeserializer<Set<String>> {
 
 	public Jackson2ArrayOrStringDeserializer() {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JacksonArrayOrStringDeserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JacksonArrayOrStringDeserializer.java
deleted file mode 100644
index 18677562a..000000000
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JacksonArrayOrStringDeserializer.java
+++ /dev/null
@@ -1,41 +0,0 @@
-package org.springframework.security.oauth2.provider.client;
-
-import java.io.IOException;
-import java.util.Arrays;
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import org.codehaus.jackson.JsonParser;
-import org.codehaus.jackson.JsonProcessingException;
-import org.codehaus.jackson.JsonToken;
-import org.codehaus.jackson.map.DeserializationContext;
-import org.codehaus.jackson.map.deser.std.StdDeserializer;
-import org.codehaus.jackson.map.type.SimpleType;
-import org.codehaus.jackson.type.JavaType;
-import org.codehaus.jackson.type.TypeReference;
-import org.springframework.util.StringUtils;
-
-public class JacksonArrayOrStringDeserializer extends StdDeserializer<Set<String>> {
-
-	public JacksonArrayOrStringDeserializer() {
-		super(Set.class);
-	}
-
-	@Override
-	public JavaType getValueType() {
-		return SimpleType.construct(String.class);
-	}
-
-	@Override
-	public Set<String> deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException,
-			JsonProcessingException {
-		JsonToken token = jp.getCurrentToken();
-		if (token.isScalarValue()) {
-			String list = jp.getText();
-			list = list.replaceAll("\\s+", ",");
-			return new LinkedHashSet<String>(Arrays.asList(StringUtils.commaDelimitedListToStringArray(list)));
-		}
-		return jp.readValueAs(new TypeReference<Set<String>>() {
-		});
-	}
-}
\ No newline at end of file
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JdbcClientDetailsService.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JdbcClientDetailsService.java
index f503b9d2d..1c9439abb 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JdbcClientDetailsService.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JdbcClientDetailsService.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -23,11 +23,12 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-
 import javax.sql.DataSource;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+
 import org.springframework.dao.DuplicateKeyException;
 import org.springframework.dao.EmptyResultDataAccessException;
 import org.springframework.jdbc.core.JdbcTemplate;
@@ -49,7 +50,12 @@
 
 /**
  * Basic, JDBC implementation of the client details service.
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  */
+@Deprecated
 public class JdbcClientDetailsService implements ClientDetailsService, ClientRegistrationService {
 
 	private static final Log logger = LogFactory.getLog(JdbcClientDetailsService.class);
@@ -119,7 +125,7 @@ public ClientDetails loadClientByClientId(String clientId) throws InvalidClientE
 			details = jdbcTemplate.queryForObject(selectClientDetailsSql, new ClientDetailsRowMapper(), clientId);
 		}
 		catch (EmptyResultDataAccessException e) {
-			throw new NoSuchClientException("No client with requested id: " + clientId);
+			throw new NoSuchClientException("No client with requested id");
 		}
 
 		return details;
@@ -130,28 +136,28 @@ public void addClientDetails(ClientDetails clientDetails) throws ClientAlreadyEx
 			jdbcTemplate.update(insertClientDetailsSql, getFields(clientDetails));
 		}
 		catch (DuplicateKeyException e) {
-			throw new ClientAlreadyExistsException("Client already exists: " + clientDetails.getClientId(), e);
+			throw new ClientAlreadyExistsException("Client already exists", e);
 		}
 	}
 
 	public void updateClientDetails(ClientDetails clientDetails) throws NoSuchClientException {
 		int count = jdbcTemplate.update(updateClientDetailsSql, getFieldsForUpdate(clientDetails));
 		if (count != 1) {
-			throw new NoSuchClientException("No client found with id = " + clientDetails.getClientId());
+			throw new NoSuchClientException("No client found with requested id");
 		}
 	}
 
 	public void updateClientSecret(String clientId, String secret) throws NoSuchClientException {
 		int count = jdbcTemplate.update(updateClientSecretSql, passwordEncoder.encode(secret), clientId);
 		if (count != 1) {
-			throw new NoSuchClientException("No client found with id = " + clientId);
+			throw new NoSuchClientException("No client found with requested id");
 		}
 	}
 
 	public void removeClientDetails(String clientId) throws NoSuchClientException {
 		int count = jdbcTemplate.update(deleteClientDetailsSql, clientId);
 		if (count != 1) {
-			throw new NoSuchClientException("No client found with id = " + clientId);
+			throw new NoSuchClientException("No client found with requested id");
 		}
 	}
 
@@ -287,29 +293,12 @@ interface JsonMapper {
 	}
 
 	private static JsonMapper createJsonMapper() {
-		if (ClassUtils.isPresent("org.codehaus.jackson.map.ObjectMapper", null)) {
-			return new JacksonMapper();
-		}
-		else if (ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", null)) {
+		if (ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", null)) {
 			return new Jackson2Mapper();
 		}
 		return new NotSupportedJsonMapper();
 	}
 
-	private static class JacksonMapper implements JsonMapper {
-		private org.codehaus.jackson.map.ObjectMapper mapper = new org.codehaus.jackson.map.ObjectMapper();
-
-		@Override
-		public String write(Object input) throws Exception {
-			return mapper.writeValueAsString(input);
-		}
-
-		@Override
-		public <T> T read(String input, Class<T> type) throws Exception {
-			return mapper.readValue(input, type);
-		}
-	}
-
 	private static class Jackson2Mapper implements JsonMapper {
 		private com.fasterxml.jackson.databind.ObjectMapper mapper = new com.fasterxml.jackson.databind.ObjectMapper();
 
@@ -328,13 +317,13 @@ private static class NotSupportedJsonMapper implements JsonMapper {
 		@Override
 		public String write(Object input) throws Exception {
 			throw new UnsupportedOperationException(
-					"Neither Jackson 1 nor 2 is available so JSON conversion cannot be done");
+					"Jackson 2 is not available so JSON conversion cannot be done");
 		}
 
 		@Override
 		public <T> T read(String input, Class<T> type) throws Exception {
 			throw new UnsupportedOperationException(
-					"Neither Jackson 1 nor 2 is available so JSON conversion cannot be done");
+					"Jackson 2 is not available so JSON conversion cannot be done");
 		}
 	}
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeServices.java
index 3c6ee338a..809823649 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeServices.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeServices.java
@@ -5,9 +5,13 @@
 
 /**
  * Services for issuing and storing authorization codes.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface AuthorizationCodeServices {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeTokenGranter.java
index c76ed6d5d..968e677c8 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeTokenGranter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeTokenGranter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -36,10 +36,14 @@
 
 /**
  * Token granter for the authorization code grant type.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class AuthorizationCodeTokenGranter extends AbstractTokenGranter {
 
 	private static final String GRANT_TYPE = "authorization_code";
@@ -70,7 +74,7 @@ protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, Tok
 
 		OAuth2Authentication storedAuth = authorizationCodeServices.consumeAuthorizationCode(authorizationCode);
 		if (storedAuth == null) {
-			throw new InvalidGrantException("Invalid authorization code: " + authorizationCode);
+			throw new InvalidGrantException("Invalid authorization code");
 		}
 
 		OAuth2Request pendingOAuth2Request = storedAuth.getOAuth2Request();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/InMemoryAuthorizationCodeServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/InMemoryAuthorizationCodeServices.java
index d75dfa108..47e0d03be 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/InMemoryAuthorizationCodeServices.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/InMemoryAuthorizationCodeServices.java
@@ -6,10 +6,14 @@
 
 /**
  * Implementation of authorization code services that stores the codes and authentication in memory.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class InMemoryAuthorizationCodeServices extends RandomValueAuthorizationCodeServices {
 
 	protected final ConcurrentHashMap<String, OAuth2Authentication> authorizationCodeStore = new ConcurrentHashMap<String, OAuth2Authentication>();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServices.java
index a02fef029..e7c90d42e 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServices.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServices.java
@@ -16,10 +16,14 @@
 
 /**
  * Implementation of authorization code services that stores the codes and authentication in a database.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ken Dombeck
  * @author Dave Syer
  */
+@Deprecated
 public class JdbcAuthorizationCodeServices extends RandomValueAuthorizationCodeServices {
 
 	private static final String DEFAULT_SELECT_STATEMENT = "select code, authentication from oauth_code where code = ?";
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RandomValueAuthorizationCodeServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RandomValueAuthorizationCodeServices.java
index be091bab0..154d12987 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RandomValueAuthorizationCodeServices.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RandomValueAuthorizationCodeServices.java
@@ -6,10 +6,14 @@
 
 /**
  * Base implementation for authorization code services that generates a random-value authorization code.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public abstract class RandomValueAuthorizationCodeServices implements AuthorizationCodeServices {
 
 	private RandomValueStringGenerator generator = new RandomValueStringGenerator();
@@ -28,7 +32,7 @@ public OAuth2Authentication consumeAuthorizationCode(String code)
 			throws InvalidGrantException {
 		OAuth2Authentication auth = this.remove(code);
 		if (auth == null) {
-			throw new InvalidGrantException("Invalid authorization code: " + code);
+			throw new InvalidGrantException("Invalid authorization code");
 		}
 		return auth;
 	}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RedisAuthorizationCodeServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RedisAuthorizationCodeServices.java
new file mode 100644
index 000000000..083bc72ca
--- /dev/null
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RedisAuthorizationCodeServices.java
@@ -0,0 +1,143 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.provider.code;
+
+import java.lang.reflect.Method;
+import java.util.List;
+
+import org.springframework.data.redis.connection.RedisConnection;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.token.store.redis.JdkSerializationStrategy;
+import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStoreSerializationStrategy;
+import org.springframework.util.ClassUtils;
+import org.springframework.util.ReflectionUtils;
+
+/**
+ * Implementation of authorization code services that stores the codes and authentication in Redis.
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ * @author Stefan Rempfer
+ */
+@Deprecated
+public class RedisAuthorizationCodeServices extends RandomValueAuthorizationCodeServices {
+
+	private static final boolean springDataRedis_2_0 = ClassUtils.isPresent(
+			"org.springframework.data.redis.connection.RedisStandaloneConfiguration",
+			RedisAuthorizationCodeServices.class.getClassLoader());
+
+	private static final String AUTH_CODE = "auth_code:";
+
+	private final RedisConnectionFactory connectionFactory;
+
+	private String prefix = "";
+
+	private RedisTokenStoreSerializationStrategy serializationStrategy = new JdkSerializationStrategy();
+
+	private Method redisConnectionSet_2_0;
+
+	/**
+	 * Default constructor.
+	 *
+	 * @param connectionFactory the connection factory which should be used to obtain a connection to Redis
+	 */
+	public RedisAuthorizationCodeServices(RedisConnectionFactory connectionFactory) {
+		this.connectionFactory = connectionFactory;
+		if (springDataRedis_2_0) {
+			this.loadRedisConnectionMethods_2_0();
+		}
+	}
+
+	@Override
+	protected void store(String code, OAuth2Authentication authentication) {
+		byte[] key = serializeKey(AUTH_CODE + code);
+		byte[] auth = serialize(authentication);
+
+		RedisConnection conn = getConnection();
+		try {
+			if (springDataRedis_2_0) {
+				try {
+					this.redisConnectionSet_2_0.invoke(conn, key, auth);
+				} catch (Exception ex) {
+					throw new RuntimeException(ex);
+				}
+			} else {
+				conn.set(key, auth);
+			}
+		}
+		finally {
+			conn.close();
+		}
+	}
+
+	@Override
+	protected OAuth2Authentication remove(String code) {
+		byte[] key = serializeKey(AUTH_CODE + code);
+
+		List<Object> results = null;
+		RedisConnection conn = getConnection();
+		try {
+			conn.openPipeline();
+			conn.get(key);
+			conn.del(key);
+			results = conn.closePipeline();
+		}
+		finally {
+			conn.close();
+		}
+
+		if (results == null) {
+			return null;
+		}
+		byte[] bytes = (byte[]) results.get(0);
+		return deserializeAuthentication(bytes);
+	}
+
+	private void loadRedisConnectionMethods_2_0() {
+		this.redisConnectionSet_2_0 = ReflectionUtils.findMethod(
+				RedisConnection.class, "set", byte[].class, byte[].class);
+	}
+
+	private byte[] serializeKey(String object) {
+		return serialize(prefix + object);
+	}
+
+	private byte[] serialize(Object object) {
+		return serializationStrategy.serialize(object);
+	}
+
+	private byte[] serialize(String string) {
+		return serializationStrategy.serialize(string);
+	}
+
+	private RedisConnection getConnection() {
+		return connectionFactory.getConnection();
+	}
+
+	private OAuth2Authentication deserializeAuthentication(byte[] bytes) {
+		return serializationStrategy.deserialize(bytes, OAuth2Authentication.class);
+	}
+
+	public void setSerializationStrategy(RedisTokenStoreSerializationStrategy serializationStrategy) {
+		this.serializationStrategy = serializationStrategy;
+	}
+
+	public void setPrefix(String prefix) {
+		this.prefix = prefix;
+	}
+}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AbstractEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AbstractEndpoint.java
index 3d7587f68..db2b85a5c 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AbstractEndpoint.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AbstractEndpoint.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -29,9 +29,13 @@
 import org.springframework.util.Assert;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class AbstractEndpoint implements InitializingBean {
 
 	protected final Log logger = LogFactory.getLog(getClass());
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.java
index 43b5fc9ca..2cc3bbcc1 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.java
@@ -1,10 +1,10 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  * 
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -12,6 +12,8 @@
  */
 package org.springframework.security.oauth2.provider.endpoint;
 
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.authentication.InsufficientAuthenticationException;
@@ -53,6 +55,8 @@
 import org.springframework.web.bind.support.DefaultSessionAttributeStore;
 import org.springframework.web.bind.support.SessionAttributeStore;
 import org.springframework.web.bind.support.SessionStatus;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 import org.springframework.web.context.request.ServletWebRequest;
 import org.springframework.web.servlet.ModelAndView;
 import org.springframework.web.servlet.View;
@@ -60,6 +64,7 @@
 import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
 
+import javax.servlet.http.HttpServletResponse;
 import java.net.URI;
 import java.security.Principal;
 import java.util.Collections;
@@ -82,13 +87,17 @@
  * This endpoint should be secured so that it is only accessible to fully authenticated users (as a minimum requirement)
  * since it represents a request from a valid user to act on his or her behalf.
  * </p>
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * @author Vladimir Kryachko
  * 
  */
 @FrameworkEndpoint
 @SessionAttributes({AuthorizationEndpoint.AUTHORIZATION_REQUEST_ATTR_NAME, AuthorizationEndpoint.ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME})
+@Deprecated
 public class AuthorizationEndpoint extends AbstractEndpoint {
 	static final String AUTHORIZATION_REQUEST_ATTR_NAME = "authorizationRequest";
 
@@ -130,7 +139,7 @@ public ModelAndView authorize(Map<String, Object> model, @RequestParam Map<Strin
 		Set<String> responseTypes = authorizationRequest.getResponseTypes();
 
 		if (!responseTypes.contains("token") && !responseTypes.contains("code")) {
-			throw new UnsupportedResponseTypeException("Unsupported response types: " + responseTypes);
+			throw new UnsupportedResponseTypeException("Unsupported response types");
 		}
 
 		if (authorizationRequest.getClientId() == null) {
@@ -260,9 +269,11 @@ public View approveOrDeny(@RequestParam Map<String, String> approvalParameters,
 			}
 
 			if (!authorizationRequest.isApproved()) {
-				return new RedirectView(getUnsuccessfulRedirect(authorizationRequest,
+				RedirectView redirectView = new RedirectView(getUnsuccessfulRedirect(authorizationRequest,
 						new UserDeniedAuthorizationException("User denied access"), responseTypes.contains("token")),
 						false, true, false);
+				redirectView.setStatusCode(HttpStatus.SEE_OTHER);
+				return redirectView;
 			}
 
 			if (responseTypes.contains("token")) {
@@ -342,12 +353,17 @@ private ModelAndView getImplicitGrantResponse(AuthorizationRequest authorization
 			if (accessToken == null) {
 				throw new UnsupportedResponseTypeException("Unsupported response type: token");
 			}
-			return new ModelAndView(new RedirectView(appendAccessToken(authorizationRequest, accessToken), false, true,
-					false));
+			setCacheControlHeaders();
+			RedirectView redirectView = new RedirectView(appendAccessToken(authorizationRequest, accessToken), false, true,
+				false);
+			redirectView.setStatusCode(HttpStatus.SEE_OTHER);
+			return new ModelAndView(redirectView);
 		}
 		catch (OAuth2Exception e) {
-			return new ModelAndView(new RedirectView(getUnsuccessfulRedirect(authorizationRequest, e, true), false,
-					true, false));
+				RedirectView redirectView = new RedirectView(getUnsuccessfulRedirect(authorizationRequest, e, true), false,
+					true, false);
+				redirectView.setStatusCode(HttpStatus.SEE_OTHER);
+				return new ModelAndView(redirectView);
 		}
 	}
 
@@ -365,11 +381,15 @@ private OAuth2AccessToken getAccessTokenForImplicitGrant(TokenRequest tokenReque
 
 	private View getAuthorizationCodeResponse(AuthorizationRequest authorizationRequest, Authentication authUser) {
 		try {
-			return new RedirectView(getSuccessfulRedirect(authorizationRequest,
+				RedirectView redirectView = new RedirectView(getSuccessfulRedirect(authorizationRequest,
 					generateCode(authorizationRequest, authUser)), false, true, false);
+				redirectView.setStatusCode(HttpStatus.SEE_OTHER);
+				return redirectView;
 		}
 		catch (OAuth2Exception e) {
-			return new RedirectView(getUnsuccessfulRedirect(authorizationRequest, e, false), false, true, false);
+				RedirectView redirectView = new RedirectView(getUnsuccessfulRedirect(authorizationRequest, e, false), false, true, false);
+				redirectView.setStatusCode(HttpStatus.SEE_OTHER);
+				return redirectView;
 		}
 	}
 
@@ -396,7 +416,7 @@ private String appendAccessToken(AuthorizationRequest authorizationRequest, OAut
 		}
 		String originalScope = authorizationRequest.getRequestParameters().get(OAuth2Utils.SCOPE);
 		if (originalScope == null || !OAuth2Utils.parseParameterList(originalScope).equals(accessToken.getScope())) {
-			vars.put("scope", OAuth2Utils.formatParameterList(accessToken.getScope()));
+			vars.put(OAuth2Utils.SCOPE, OAuth2Utils.formatParameterList(accessToken.getScope()));
 		}
 		Map<String, Object> additionalInformation = accessToken.getAdditionalInformation();
 		for (String key : additionalInformation.keySet()) {
@@ -601,7 +621,9 @@ private ModelAndView handleException(Exception e, ServletWebRequest webRequest)
 			authorizationRequest.setRedirectUri(requestedRedirect);
 			String redirect = getUnsuccessfulRedirect(authorizationRequest, translate.getBody(), authorizationRequest
 					.getResponseTypes().contains("token"));
-			return new ModelAndView(new RedirectView(redirect, false, true, false));
+			RedirectView redirectView = new RedirectView(redirect, false, true, false);
+			redirectView.setStatusCode(HttpStatus.SEE_OTHER);
+			return new ModelAndView(redirectView);
 		}
 		catch (OAuth2Exception ex) {
 			// If an AuthorizationRequest cannot be created from the incoming parameters it must be
@@ -638,4 +660,13 @@ private AuthorizationRequest getAuthorizationRequestForError(ServletWebRequest w
 		}
 
 	}
+	
+	private void setCacheControlHeaders() {
+		ServletRequestAttributes servletRequestAttributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
+		if (servletRequestAttributes != null) {
+			HttpServletResponse servletResponse = servletRequestAttributes.getResponse();
+			servletResponse.setHeader(HttpHeaders.CACHE_CONTROL, "no-store");
+			servletResponse.setHeader(HttpHeaders.PRAGMA, "no-cache");
+		}
+	}
 }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/CheckTokenEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/CheckTokenEndpoint.java
index 75c978731..218520c06 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/CheckTokenEndpoint.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/CheckTokenEndpoint.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -29,6 +29,7 @@
 import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
@@ -36,16 +37,20 @@
 
 /**
  * Controller which decodes access tokens for clients who are not able to do so (or where opaque token values are used).
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Luke Taylor
  * @author Joel D'sa
  */
 @FrameworkEndpoint
+@Deprecated
 public class CheckTokenEndpoint {
 
 	private ResourceServerTokenServices resourceServerTokenServices;
 
-	private AccessTokenConverter accessTokenConverter = new CheckTokenAccessTokenConverter();
+	private AccessTokenConverter accessTokenConverter = new DefaultAccessTokenConverter();
 
 	protected final Log logger = LogFactory.getLog(getClass());
 
@@ -69,7 +74,7 @@ public void setAccessTokenConverter(AccessTokenConverter accessTokenConverter) {
 		this.accessTokenConverter = accessTokenConverter;
 	}
 
-	@RequestMapping(value = "/oauth/check_token")
+	@RequestMapping(value = "/oauth/check_token", method = RequestMethod.POST)
 	@ResponseBody
 	public Map<String, ?> checkToken(@RequestParam("token") String value) {
 
@@ -84,7 +89,12 @@ public void setAccessTokenConverter(AccessTokenConverter accessTokenConverter) {
 
 		OAuth2Authentication authentication = resourceServerTokenServices.loadAuthentication(token.getValue());
 
-		return accessTokenConverter.convertAccessToken(token, authentication);
+		Map<String, Object> response = (Map<String, Object>)accessTokenConverter.convertAccessToken(token, authentication);
+
+		// gh-1070
+		response.put("active", true);	// Always true if token exists and not expired
+
+		return response;
 	}
 
 	@ExceptionHandler(InvalidTokenException.class)
@@ -104,35 +114,4 @@ public int getHttpErrorCode() {
 		return exceptionTranslator.translate(e400);
 	}
 
-	static class CheckTokenAccessTokenConverter implements AccessTokenConverter {
-		private final AccessTokenConverter accessTokenConverter;
-
-		CheckTokenAccessTokenConverter() {
-			this(new DefaultAccessTokenConverter());
-		}
-
-		CheckTokenAccessTokenConverter(AccessTokenConverter accessTokenConverter) {
-			this.accessTokenConverter = accessTokenConverter;
-		}
-
-		@Override
-		public Map<String, ?> convertAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
-			Map<String, Object> claims = (Map<String, Object>) this.accessTokenConverter.convertAccessToken(token, authentication);
-
-			// gh-1070
-			claims.put("active", true);		// Always true if token exists and not expired
-
-			return claims;
-		}
-
-		@Override
-		public OAuth2AccessToken extractAccessToken(String value, Map<String, ?> map) {
-			return this.accessTokenConverter.extractAccessToken(value, map);
-		}
-
-		@Override
-		public OAuth2Authentication extractAuthentication(Map<String, ?> map) {
-			return this.accessTokenConverter.extractAuthentication(map);
-		}
-	}
 }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java
index 9f12b27f1..8cf102925 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -35,15 +35,19 @@
 
 /**
  * Default implementation for a redirect resolver.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class DefaultRedirectResolver implements RedirectResolver {
 
 	private Collection<String> redirectGrantTypes = Arrays.asList("implicit", "authorization_code");
 
-	private boolean matchSubdomains = true;
+	private boolean matchSubdomains = false;
 
 	private boolean matchPorts = true;
 
@@ -171,27 +175,25 @@ private boolean matchQueryParams(MultiValueMap<String, String> registeredRedirec
 	 * @return true if strings are equal, false otherwise
 	 */
 	private boolean isEqual(String str1, String str2) {
-		if (StringUtils.isEmpty(str1) && StringUtils.isEmpty(str2)) {
-			return true;
-		} else if (!StringUtils.isEmpty(str1)) {
-			return str1.equals(str2);
+		if (StringUtils.isEmpty(str1)) {
+			return StringUtils.isEmpty(str2);
 		} else {
-			return false;
+			return str1.equals(str2);
 		}
 	}
 
 	/**
 	 * Check if host matches the registered value.
 	 * 
-	 * @param registered the registered host
-	 * @param requested the requested host
+	 * @param registered the registered host. Can be null.
+	 * @param requested the requested host. Can be null.
 	 * @return true if they match
 	 */
 	protected boolean hostMatches(String registered, String requested) {
 		if (matchSubdomains) {
-			return registered.equals(requested) || requested.endsWith("." + registered);
+			return isEqual(registered, requested) || (requested != null && requested.endsWith("." + registered));
 		}
-		return registered.equals(requested);
+		return isEqual(registered, requested);
 	}
 
 	/**
@@ -228,7 +230,6 @@ private String obtainMatchingRedirect(Set<String> redirectUris, String requested
 			}
 		}
 
-		throw new RedirectMismatchException("Invalid redirect: " + requestedRedirect
-				+ " does not match one of the registered values.");
+		throw new RedirectMismatchException("Invalid redirect uri does not match one of the registered values.");
 	}
 }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/ExactMatchRedirectResolver.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/ExactMatchRedirectResolver.java
index 65592dafc..a77dced83 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/ExactMatchRedirectResolver.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/ExactMatchRedirectResolver.java
@@ -6,9 +6,13 @@
  * Strict implementation for a redirect resolver which requires
  * an exact match between the registered and requested redirect_uri.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public class ExactMatchRedirectResolver extends DefaultRedirectResolver {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpoint.java
index ea5759aa1..328813117 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpoint.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpoint.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -30,13 +30,17 @@
  * Users of the Spring Security OAuth2 XSD namespace need not use this feature explicitly as the relevant handlers will
  * be registered by the parsers.
  * </p>
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
 @Component
 @Retention(RetentionPolicy.RUNTIME)
 @Target(ElementType.TYPE)
+@Deprecated
 public @interface FrameworkEndpoint {
 
 }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpointHandlerMapping.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpointHandlerMapping.java
index ed12a5b78..ea82fe2e6 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpointHandlerMapping.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpointHandlerMapping.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -32,10 +32,14 @@
 
 /**
  * A handler mapping for framework endpoints (those annotated with &#64;FrameworkEndpoint).
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class FrameworkEndpointHandlerMapping extends RequestMappingHandlerMapping {
 
 	private static final String REDIRECT = UrlBasedViewResolver.REDIRECT_URL_PREFIX;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/RedirectResolver.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/RedirectResolver.java
index b4869f960..c80c4a321 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/RedirectResolver.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/RedirectResolver.java
@@ -5,9 +5,13 @@
 
 /**
  * Basic interface for determining the redirect URI for a user agent.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  */
+@Deprecated
 public interface RedirectResolver {
 
   /**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpoint.java
index 2fb806176..6c6cb7793 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpoint.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpoint.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -63,11 +63,15 @@
  * id is extracted from the authentication token. The best way to arrange this (as per the OAuth2 spec) is to use HTTP
  * basic authentication for this endpoint with standard Spring Security support.
  * </p>
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
 @FrameworkEndpoint
+@Deprecated
 public class TokenEndpoint extends AbstractEndpoint {
 
 	private OAuth2RequestValidator oAuth2RequestValidator = new DefaultOAuth2RequestValidator();
@@ -75,8 +79,10 @@ public class TokenEndpoint extends AbstractEndpoint {
 	private Set<HttpMethod> allowedRequestMethods = new HashSet<HttpMethod>(Arrays.asList(HttpMethod.POST));
 
 	@RequestMapping(value = "/oauth/token", method=RequestMethod.GET)
-	public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal, @RequestParam
-	Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
+	public ResponseEntity<OAuth2AccessToken> getAccessToken(
+			Principal principal, @RequestParam Map<String, String> parameters)
+			throws HttpRequestMethodNotSupportedException {
+
 		if (!allowedRequestMethods.contains(HttpMethod.GET)) {
 			throw new HttpRequestMethodNotSupportedException("GET");
 		}
@@ -84,8 +90,9 @@ public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal, @Re
 	}
 	
 	@RequestMapping(value = "/oauth/token", method=RequestMethod.POST)
-	public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam
-	Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
+	public ResponseEntity<OAuth2AccessToken> postAccessToken(
+			Principal principal, @RequestParam Map<String, String> parameters)
+			throws HttpRequestMethodNotSupportedException {
 
 		if (!(principal instanceof Authentication)) {
 			throw new InsufficientAuthenticationException(
@@ -97,45 +104,42 @@ public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @R
 
 		TokenRequest tokenRequest = getOAuth2RequestFactory().createTokenRequest(parameters, authenticatedClient);
 
-		if (clientId != null && !clientId.equals("")) {
-			// Only validate the client details if a client authenticated during this
-			// request.
-			if (!clientId.equals(tokenRequest.getClientId())) {
-				// double check to make sure that the client ID in the token request is the same as that in the
-				// authenticated client
-				throw new InvalidClientException("Given client ID does not match authenticated client");
-			}
+		// Only validate client details if a client is authenticated during this request.
+		// Double check to make sure that the client ID is the same in the token request and authenticated client.
+		if (StringUtils.hasText(clientId) && !clientId.equals(tokenRequest.getClientId())) {
+			throw new InvalidClientException("Given client ID does not match authenticated client");
 		}
+
 		if (authenticatedClient != null) {
 			oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient);
 		}
+
 		if (!StringUtils.hasText(tokenRequest.getGrantType())) {
 			throw new InvalidRequestException("Missing grant type");
 		}
+
 		if (tokenRequest.getGrantType().equals("implicit")) {
 			throw new InvalidGrantException("Implicit grant type not supported from token endpoint");
 		}
 
-		if (isAuthCodeRequest(parameters)) {
+		if (isAuthCodeRequest(parameters) && !tokenRequest.getScope().isEmpty()) {
 			// The scope was requested or determined during the authorization step
-			if (!tokenRequest.getScope().isEmpty()) {
-				logger.debug("Clearing scope of incoming token request");
-				tokenRequest.setScope(Collections.<String> emptySet());
+			logger.debug("Clearing scope of incoming token request");
+			tokenRequest.setScope(Collections.<String>emptySet());
+		} else if (isRefreshTokenRequest(parameters)) {
+			if (StringUtils.isEmpty(parameters.get("refresh_token"))) {
+				throw new InvalidRequestException("refresh_token parameter not provided");
 			}
-		}
-
-		if (isRefreshTokenRequest(parameters)) {
 			// A refresh token has its own default scopes, so we should ignore any added by the factory here.
 			tokenRequest.setScope(OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.SCOPE)));
 		}
 
 		OAuth2AccessToken token = getTokenGranter().grant(tokenRequest.getGrantType(), tokenRequest);
 		if (token == null) {
-			throw new UnsupportedGrantTypeException("Unsupported grant type: " + tokenRequest.getGrantType());
+			throw new UnsupportedGrantTypeException("Unsupported grant type");
 		}
 
 		return getResponse(token);
-
 	}
 
 	/**
@@ -196,11 +200,11 @@ private ResponseEntity<OAuth2AccessToken> getResponse(OAuth2AccessToken accessTo
 	}
 
 	private boolean isRefreshTokenRequest(Map<String, String> parameters) {
-		return "refresh_token".equals(parameters.get("grant_type")) && parameters.get("refresh_token") != null;
+		return "refresh_token".equals(parameters.get("grant_type"));
 	}
 
 	private boolean isAuthCodeRequest(Map<String, String> parameters) {
-		return "authorization_code".equals(parameters.get("grant_type")) && parameters.get("code") != null;
+		return "authorization_code".equals(parameters.get(OAuth2Utils.GRANT_TYPE)) && parameters.get("code") != null;
 	}
 
 	public void setOAuth2RequestValidator(OAuth2RequestValidator oAuth2RequestValidator) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java
index f01295986..0b86a1961 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -66,10 +66,14 @@
  * client authentication, and the authenticated user token extracted from the request and validated using the
  * authentication manager.
  * </p>
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class TokenEndpointAuthenticationFilter implements Filter {
 
 	private static final Log logger = LogFactory.getLog(TokenEndpointAuthenticationFilter.class);
@@ -124,7 +128,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
 			if (credentials != null) {
 
 				if (debug) {
-					logger.debug("Authentication credentials found for '" + credentials.getName() + "'");
+					logger.debug("Authentication credentials found");
 				}
 
 				Authentication authResult = authenticationManager.authenticate(credentials);
@@ -203,7 +207,7 @@ protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServ
 	 * @return an authentication for validation (or null if there is no further authentication)
 	 */
 	protected Authentication extractCredentials(HttpServletRequest request) {
-		String grantType = request.getParameter("grant_type");
+		String grantType = request.getParameter(OAuth2Utils.GRANT_TYPE);
 		if (grantType != null && grantType.equals("password")) {
 			UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
 					request.getParameter("username"), request.getParameter("password"));
@@ -214,7 +218,7 @@ protected Authentication extractCredentials(HttpServletRequest request) {
 	}
 
 	private Set<String> getScope(HttpServletRequest request) {
-		return OAuth2Utils.parseParameterList(request.getParameter("scope"));
+		return OAuth2Utils.parseParameterList(request.getParameter(OAuth2Utils.SCOPE));
 	}
 	
 	public void init(FilterConfig filterConfig) throws ServletException {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenKeyEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenKeyEndpoint.java
index ecd231cfd..f3dd2f500 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenKeyEndpoint.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenKeyEndpoint.java
@@ -26,12 +26,16 @@
 
 /**
  * OAuth2 token services that produces JWT encoded token values.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * @author Luke Taylor
  * @author Joel D'sa
  */
 @FrameworkEndpoint
+@Deprecated
 public class TokenKeyEndpoint {
 
     protected final Log logger = LogFactory.getLog(getClass());
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelApprovalEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelApprovalEndpoint.java
index 836b66b16..f05a9b464 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelApprovalEndpoint.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelApprovalEndpoint.java
@@ -15,11 +15,15 @@
 
 /**
  * Controller for displaying the approval page for the authorization server.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
 @FrameworkEndpoint
 @SessionAttributes("authorizationRequest")
+@Deprecated
 public class WhitelabelApprovalEndpoint {
 
 	@RequestMapping("/oauth/confirm_access")
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelErrorEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelErrorEndpoint.java
index 83f626cd4..cdf911b87 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelErrorEndpoint.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelErrorEndpoint.java
@@ -14,9 +14,13 @@
 /**
  * Controller for displaying the error page for the authorization server.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  */
 @FrameworkEndpoint
+@Deprecated
 public class WhitelabelErrorEndpoint {
 
 	private static final String ERROR = "<html><body><h1>OAuth Error</h1><p>%errorSummary%</p></body></html>";
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/AbstractOAuth2SecurityExceptionHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/AbstractOAuth2SecurityExceptionHandler.java
index 8d1c71b14..26df70549 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/AbstractOAuth2SecurityExceptionHandler.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/AbstractOAuth2SecurityExceptionHandler.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -28,10 +28,14 @@
 /**
  * Convenient base class containing utility methods and dependency setters for security error handling concerns specific
  * to OAuth2 resources.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public abstract class AbstractOAuth2SecurityExceptionHandler {
 
 	/** Logger available to subclasses */
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultOAuth2ExceptionRenderer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultOAuth2ExceptionRenderer.java
index 917ea5675..8c1826a89 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultOAuth2ExceptionRenderer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultOAuth2ExceptionRenderer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -42,10 +42,14 @@
  * Default implementation of {@link OAuth2ExceptionRenderer} that can render the exceptions using message converters
  * (just like regular Spring MVC endpoints). If the caller sends an appropriate Accept header he should get the right
  * result as long as an appropriate message converter is provided.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class DefaultOAuth2ExceptionRenderer implements OAuth2ExceptionRenderer {
 
 	private final Log logger = LogFactory.getLog(DefaultOAuth2ExceptionRenderer.class);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultWebResponseExceptionTranslator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultWebResponseExceptionTranslator.java
index ee866ccae..af725fa8b 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultWebResponseExceptionTranslator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultWebResponseExceptionTranslator.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -32,10 +32,14 @@
 /**
  * Default translator that converts exceptions into {@link OAuth2Exception}s. The output matches the OAuth 2.0
  * specification in terms of error response format and HTTP status code.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class DefaultWebResponseExceptionTranslator implements WebResponseExceptionTranslator<OAuth2Exception> {
 
 	private ThrowableAnalyzer throwableAnalyzer = new DefaultThrowableAnalyzer();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AccessDeniedHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AccessDeniedHandler.java
index 404c0b957..0d1682f4d 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AccessDeniedHandler.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AccessDeniedHandler.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -25,10 +25,14 @@
  * If authorization fails and the caller has asked for a specific content type response, this entry point can send one,
  * along with a standard 403 status. Add to the Spring Security configuration as an {@link AccessDeniedHandler} in
  * the usual way.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class OAuth2AccessDeniedHandler extends AbstractOAuth2SecurityExceptionHandler implements AccessDeniedHandler {
 
 	public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException authException)
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AuthenticationEntryPoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AuthenticationEntryPoint.java
index 02f1071be..63c760974 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AuthenticationEntryPoint.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AuthenticationEntryPoint.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -29,10 +29,14 @@
  * If authentication fails and the caller has asked for a specific content type response, this entry point can send one,
  * along with a standard 401 status. Add to the Spring Security configuration as an {@link AuthenticationEntryPoint} in
  * the usual way.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class OAuth2AuthenticationEntryPoint extends AbstractOAuth2SecurityExceptionHandler implements
 		AuthenticationEntryPoint {
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2ExceptionRenderer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2ExceptionRenderer.java
index db17479a4..7f1a967e1 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2ExceptionRenderer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2ExceptionRenderer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -19,10 +19,14 @@
 /**
  * Strategy for rendering a {@link OAuth2Exception} in cases where they cannot be rendered by the Spring dispatcher
  * servlet (i.e. usually in a filter chain).
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface OAuth2ExceptionRenderer {
 	void handleHttpEntityResponse(HttpEntity<?> responseEntity, ServletWebRequest webRequest) throws Exception;
 }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/WebResponseExceptionTranslator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/WebResponseExceptionTranslator.java
index 1a52e89b3..05030335f 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/WebResponseExceptionTranslator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/WebResponseExceptionTranslator.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -19,9 +19,14 @@
 
 /**
  * Translates exceptions into HTTP Responses.
- * 
+ *
  * @param <T> The error model that will be used as the HTTP Response body.
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  */
+@Deprecated
 public interface WebResponseExceptionTranslator<T> {
 	
 	ResponseEntity<T> translate(Exception e) throws Exception;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionParser.java
index 861411969..f554c7785 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionParser.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionParser.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -31,10 +31,14 @@
  * Note: The implication is that all expressions that are parsed must return a boolean result. This expectation is
  * already true since Spring Security expects the result to be a boolean.
  * </p>
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Rob Winch
  * 
  */
+@Deprecated
 public class OAuth2ExpressionParser implements ExpressionParser {
 
 	private final ExpressionParser delegate;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionUtils.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionUtils.java
index 600847150..c893053a2 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionUtils.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionUtils.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -22,10 +22,14 @@
 import org.springframework.security.oauth2.provider.OAuth2Request;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * @author Radek Ostrowski
  * 
  */
+@Deprecated
 public abstract class OAuth2ExpressionUtils {
 
 	public static boolean clientHasAnyRole(Authentication authentication, String... roles) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2MethodSecurityExpressionHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2MethodSecurityExpressionHandler.java
index cf9da9385..29035fa89 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2MethodSecurityExpressionHandler.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2MethodSecurityExpressionHandler.java
@@ -16,11 +16,15 @@
  * By default the {@link OAuth2ExpressionParser} is used. If this is undesirable one can inject their own
  * {@link ExpressionParser} using {@link #setExpressionParser(ExpressionParser)}.
  * </p>
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * @author Rob Winch
  * @see OAuth2ExpressionParser
  */
+@Deprecated
 public class OAuth2MethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
 
 	public OAuth2MethodSecurityExpressionHandler() {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2SecurityExpressionMethods.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2SecurityExpressionMethods.java
index 3a56698cd..4ec9e28ff 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2SecurityExpressionMethods.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2SecurityExpressionMethods.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -24,12 +24,16 @@
 /**
  * A convenience object for security expressions in OAuth2 protected resources, providing public methods that act on the
  * current authentication.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * @author Rob Winch
  * @author Radek Ostrowski
  * 
  */
+@Deprecated
 public class OAuth2SecurityExpressionMethods {
 
 	private final Authentication authentication;
@@ -76,7 +80,7 @@ public boolean throwOnError(boolean decision) {
 
 	/**
 	 * Check if the OAuth2 client (not the user) has the role specified. To check the user's roles see
-	 * {@link #clientHasRole(String)}.
+	 * {@link #clientHasAnyRole(String...)}.
 	 * 
 	 * @param role the role to check
 	 * @return true if the OAuth2 client has this role
@@ -87,7 +91,7 @@ public boolean clientHasRole(String role) {
 
 	/**
 	 * Check if the OAuth2 client (not the user) has one of the roles specified. To check the user's roles see
-	 * {@link #clientHasAnyRole(String...)}.
+	 * {@link OAuth2ExpressionUtils#clientHasAnyRole(Authentication, String...)}.
 	 * 
 	 * @param roles the roles to check
 	 * @return true if the OAuth2 client has one of these roles
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2WebSecurityExpressionHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2WebSecurityExpressionHandler.java
index f4e458373..40881dfcc 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2WebSecurityExpressionHandler.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2WebSecurityExpressionHandler.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -28,12 +28,16 @@
  * By default the {@link OAuth2ExpressionParser} is used. If this is undesirable one can inject their own
  * {@link ExpressionParser} using {@link #setExpressionParser(ExpressionParser)}.
  * </p>
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * @author Rob Winch
  * 
  * @see OAuth2ExpressionParser
  */
+@Deprecated
 public class OAuth2WebSecurityExpressionHandler extends DefaultWebSecurityExpressionHandler {
 	public OAuth2WebSecurityExpressionHandler() {
 		setExpressionParser(new OAuth2ExpressionParser(getExpressionParser()));
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenGranter.java
index 209bfc2a6..975ed02b8 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenGranter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenGranter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -31,9 +31,13 @@
 import org.springframework.util.Assert;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class ImplicitTokenGranter extends AbstractTokenGranter {
 
 	private static final String GRANT_TYPE = "implicit";
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenRequest.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenRequest.java
index b7e967f74..2da7b57fc 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenRequest.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenRequest.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -17,12 +17,16 @@
 import org.springframework.security.oauth2.provider.TokenRequest;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  * @since 2.0.2
  *
  */
 @SuppressWarnings("serial")
+@Deprecated
 public class ImplicitTokenRequest extends TokenRequest {
 
 	private OAuth2Request oauth2Request;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/InMemoryImplicitGrantService.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/InMemoryImplicitGrantService.java
index 6156fac1a..d374d144a 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/InMemoryImplicitGrantService.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/InMemoryImplicitGrantService.java
@@ -7,11 +7,15 @@
 
 /**
  * In-memory implementation of the ImplicitGrantService.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Amanda Anganes
  *
  */
 @SuppressWarnings("deprecation")
+@Deprecated
 public class InMemoryImplicitGrantService implements ImplicitGrantService {
 
 	protected final ConcurrentHashMap<TokenRequest, OAuth2Request> requestStore = new ConcurrentHashMap<TokenRequest, OAuth2Request>();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranter.java
index c996f1d30..d4b2cfedc 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -25,6 +25,7 @@
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
 import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
@@ -36,9 +37,13 @@
 import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class ResourceOwnerPasswordTokenGranter extends AbstractTokenGranter {
 
 	private static final String GRANT_TYPE = "password";
@@ -78,8 +83,12 @@ protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, Tok
 			// If the username/password are wrong the spec says we should send 400/invalid grant
 			throw new InvalidGrantException(e.getMessage());
 		}
+		catch (UsernameNotFoundException e) {
+			// If the user is not found, report a generic error message
+			throw new InvalidGrantException("username not found");
+		}
 		if (userAuth == null || !userAuth.isAuthenticated()) {
-			throw new InvalidGrantException("Could not authenticate user: " + username);
+			throw new InvalidGrantException("Could not authenticate user");
 		}
 		
 		OAuth2Request storedOAuth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest);		
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranter.java
index 55327ed86..242b09c32 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -16,7 +16,10 @@
 
 package org.springframework.security.oauth2.provider.refresh;
 
+import org.springframework.security.authentication.AccountStatusException;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
 import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
@@ -25,9 +28,13 @@
 import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class RefreshTokenGranter extends AbstractTokenGranter {
 
 	private static final String GRANT_TYPE = "refresh_token";
@@ -44,7 +51,15 @@ protected RefreshTokenGranter(AuthorizationServerTokenServices tokenServices, Cl
 	@Override
 	protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest tokenRequest) {
 		String refreshToken = tokenRequest.getRequestParameters().get("refresh_token");
-		return getTokenServices().refreshAccessToken(refreshToken, tokenRequest);
+		try {
+			return getTokenServices().refreshAccessToken(refreshToken, tokenRequest);
+		}
+		catch (AccountStatusException ase) {
+			//covers expired, locked, disabled cases (mentioned in section 5.2, draft 31)
+			throw new InvalidGrantException(ase.getMessage());
+		} catch (UsernameNotFoundException e) {
+			// If the user is not found, report a generic error message
+			throw new InvalidGrantException("user not found");
+		}
 	}
-	
 }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestFactory.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestFactory.java
index 17e9afcd3..c039aadc0 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestFactory.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestFactory.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -32,11 +32,15 @@
 /**
  * Default implementation of {@link OAuth2RequestFactory} which initializes fields from the parameters map, validates
  * grant types and scopes, and fills in scopes with the default values from the client if they are missing.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * @author Amanda Anganes
  * 
  */
+@Deprecated
 public class DefaultOAuth2RequestFactory implements OAuth2RequestFactory {
 
 	private final ClientDetailsService clientDetailsService;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestValidator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestValidator.java
index ea297e336..ce24ca862 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestValidator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestValidator.java
@@ -10,10 +10,14 @@
 
 /**
  * Default implementation of {@link OAuth2RequestValidator}. 
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Amanda Anganes
  *
  */
+@Deprecated
 public class DefaultOAuth2RequestValidator implements OAuth2RequestValidator {
 
 	public void validateScope(AuthorizationRequest authorizationRequest, ClientDetails client) throws InvalidScopeException {
@@ -29,7 +33,7 @@ private void validateScope(Set<String> requestScopes, Set<String> clientScopes)
 		if (clientScopes != null && !clientScopes.isEmpty()) {
 			for (String scope : requestScopes) {
 				if (!clientScopes.contains(scope)) {
-					throw new InvalidScopeException("Invalid scope: " + scope, clientScopes);
+					throw new InvalidScopeException("Invalid scope", clientScopes);
 				}
 			}
 		}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AbstractTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AbstractTokenGranter.java
index 5c13db131..94a931c18 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AbstractTokenGranter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AbstractTokenGranter.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -27,9 +27,13 @@
 import org.springframework.security.oauth2.provider.TokenRequest;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public abstract class AbstractTokenGranter implements TokenGranter {
 	
 	protected final Log logger = LogFactory.getLog(getClass());
@@ -61,7 +65,7 @@ public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
 		validateGrantType(grantType, client);
 
 		if (logger.isDebugEnabled()) {
-			logger.debug("Getting access token for: " + clientId);
+			logger.debug("Getting access token for clientId");
 		}
 
 		return getAccessToken(client, tokenRequest);
@@ -81,7 +85,7 @@ protected void validateGrantType(String grantType, ClientDetails clientDetails)
 		Collection<String> authorizedGrantTypes = clientDetails.getAuthorizedGrantTypes();
 		if (authorizedGrantTypes != null && !authorizedGrantTypes.isEmpty()
 				&& !authorizedGrantTypes.contains(grantType)) {
-			throw new InvalidClientException("Unauthorized grant type: " + grantType);
+			throw new InvalidClientException("Unauthorized grant type");
 		}
 	}
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AccessTokenConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AccessTokenConverter.java
index e981b6d1d..e3fc2a430 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AccessTokenConverter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AccessTokenConverter.java
@@ -19,10 +19,14 @@
 
 /**
  * Converter interface for token service implementations that store authentication data inside the token.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface AccessTokenConverter {
 
 	final String AUD = "aud";
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthenticationKeyGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthenticationKeyGenerator.java
index 8e90b4c51..4b9f515e2 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthenticationKeyGenerator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthenticationKeyGenerator.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -16,10 +16,14 @@
 
 /**
  * Strategy interface for extracting a unique key from an {@link OAuth2Authentication}.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface AuthenticationKeyGenerator {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthorizationServerTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthorizationServerTokenServices.java
index 13549ea70..7fd9bc359 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthorizationServerTokenServices.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthorizationServerTokenServices.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *   http://www.apache.org/licenses/LICENSE-2.0
+ *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -22,9 +22,13 @@
 import org.springframework.security.oauth2.provider.TokenRequest;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Dave Syer
  */
+@Deprecated
 public interface AuthorizationServerTokenServices {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ConsumerTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ConsumerTokenServices.java
index 68dbb019a..f9ad8d15c 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ConsumerTokenServices.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ConsumerTokenServices.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -14,9 +14,13 @@
 
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public interface ConsumerTokenServices {
 	
 	boolean revokeToken(String tokenValue);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAccessTokenConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAccessTokenConverter.java
index e7f5aa62d..dc97af8af 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAccessTokenConverter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAccessTokenConverter.java
@@ -31,10 +31,14 @@
 
 /**
  * Default implementation of {@link AccessTokenConverter}.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * @author Vedran Pavic
  */
+@Deprecated
 public class DefaultAccessTokenConverter implements AccessTokenConverter {
 
 	private UserAuthenticationConverter userTokenConverter = new DefaultUserAuthenticationConverter();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGenerator.java
index ebc766846..ae79cf2cf 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGenerator.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGenerator.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -28,9 +28,13 @@
  * Basic key generator taking into account the client id, scope, resource ids and username (principal name) if they
  * exist.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public class DefaultAuthenticationKeyGenerator implements AuthenticationKeyGenerator {
 
 	private static final String CLIENT_ID = "client_id";
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java
index fe3cb09a2..0132c8882 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -13,14 +13,18 @@
 
 package org.springframework.security.oauth2.provider.token;
 
+import java.nio.charset.Charset;
 import java.util.Date;
 import java.util.Set;
-import java.util.UUID;
+
+import org.apache.commons.codec.binary.Base64;
 
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.crypto.keygen.BytesKeyGenerator;
+import org.springframework.security.crypto.keygen.KeyGenerators;
 import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
 import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
 import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
@@ -41,20 +45,28 @@
 import org.springframework.util.Assert;
 
 /**
- * Base implementation for token services using random UUID values for the access token and refresh token values. The
+ * Base implementation for token services using {@code SecureRandom} values for the access token and refresh token values. The
  * main extension point for customizations is the {@link TokenEnhancer} which will be called after the access and
  * refresh tokens have been generated but before they are stored.
  * <p>
  * Persistence is delegated to a {@code TokenStore} implementation and customization of the access token to a
  * {@link TokenEnhancer}.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Luke Taylor
  * @author Dave Syer
  */
+@Deprecated
 public class DefaultTokenServices implements AuthorizationServerTokenServices, ResourceServerTokenServices,
 		ConsumerTokenServices, InitializingBean {
 
+	private static final BytesKeyGenerator DEFAULT_TOKEN_GENERATOR = KeyGenerators.secureRandom(20);
+
+	private static final Charset US_ASCII = Charset.forName("US-ASCII");
+
 	private int refreshTokenValiditySeconds = 60 * 60 * 24 * 30; // default 30 days.
 
 	private int accessTokenValiditySeconds = 60 * 60 * 12; // default 12 hours.
@@ -134,27 +146,35 @@ public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenReque
 			throws AuthenticationException {
 
 		if (!supportRefreshToken) {
-			throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
+			throw new InvalidGrantException("Invalid refresh token");
 		}
 
 		OAuth2RefreshToken refreshToken = tokenStore.readRefreshToken(refreshTokenValue);
 		if (refreshToken == null) {
-			throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
+			throw new InvalidGrantException("Invalid refresh token");
 		}
 
 		OAuth2Authentication authentication = tokenStore.readAuthenticationForRefreshToken(refreshToken);
 		if (this.authenticationManager != null && !authentication.isClientOnly()) {
 			// The client has already been authenticated, but the user authentication might be old now, so give it a
 			// chance to re-authenticate.
-			Authentication user = new PreAuthenticatedAuthenticationToken(authentication.getUserAuthentication(), "", authentication.getAuthorities());
-			user = authenticationManager.authenticate(user);
+			Authentication userAuthentication = authentication.getUserAuthentication();
+			PreAuthenticatedAuthenticationToken preAuthenticatedToken = new PreAuthenticatedAuthenticationToken(
+					userAuthentication,
+					"",
+					authentication.getAuthorities()
+			);
+			if (userAuthentication.getDetails() != null) {
+				preAuthenticatedToken.setDetails(userAuthentication.getDetails());
+			}
+			Authentication user = authenticationManager.authenticate(preAuthenticatedToken);
 			Object details = authentication.getDetails();
 			authentication = new OAuth2Authentication(authentication.getOAuth2Request(), user);
 			authentication.setDetails(details);
 		}
 		String clientId = authentication.getOAuth2Request().getClientId();
 		if (clientId == null || !clientId.equals(tokenRequest.getClientId())) {
-			throw new InvalidGrantException("Wrong client for this refresh token: " + refreshTokenValue);
+			throw new InvalidGrantException("Wrong client for this refresh token");
 		}
 
 		// clear out any access tokens already associated with the refresh
@@ -163,7 +183,7 @@ public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenReque
 
 		if (isExpired(refreshToken)) {
 			tokenStore.removeRefreshToken(refreshToken);
-			throw new InvalidTokenException("Invalid refresh token (expired): " + refreshToken);
+			throw new InvalidTokenException("Invalid refresh token (expired)");
 		}
 
 		authentication = createRefreshedAuthentication(authentication, tokenRequest);
@@ -200,8 +220,7 @@ private OAuth2Authentication createRefreshedAuthentication(OAuth2Authentication
 		if (scope != null && !scope.isEmpty()) {
 			Set<String> originalScope = clientAuth.getScope();
 			if (originalScope == null || !originalScope.containsAll(scope)) {
-				throw new InvalidScopeException("Unable to narrow the scope of the client authentication to " + scope
-						+ ".", originalScope);
+				throw new InvalidScopeException("Unable to narrow the scope of the client authentication", originalScope);
 			}
 			else {
 				clientAuth = clientAuth.narrowScope(scope);
@@ -228,17 +247,17 @@ public OAuth2Authentication loadAuthentication(String accessTokenValue) throws A
 			InvalidTokenException {
 		OAuth2AccessToken accessToken = tokenStore.readAccessToken(accessTokenValue);
 		if (accessToken == null) {
-			throw new InvalidTokenException("Invalid access token: " + accessTokenValue);
+			throw new InvalidTokenException("Invalid access token");
 		}
 		else if (accessToken.isExpired()) {
 			tokenStore.removeAccessToken(accessToken);
-			throw new InvalidTokenException("Access token expired: " + accessTokenValue);
+			throw new InvalidTokenException("Access token expired");
 		}
 
 		OAuth2Authentication result = tokenStore.readAuthentication(accessToken);
 		if (result == null) {
 			// in case of race condition
-			throw new InvalidTokenException("Invalid access token: " + accessTokenValue);
+			throw new InvalidTokenException("Invalid access token");
 		}
 		if (clientDetailsService != null) {
 			String clientId = result.getOAuth2Request().getClientId();
@@ -246,7 +265,7 @@ else if (accessToken.isExpired()) {
 				clientDetailsService.loadClientByClientId(clientId);
 			}
 			catch (ClientRegistrationException e) {
-				throw new InvalidTokenException("Client not valid: " + clientId, e);
+				throw new InvalidTokenException("Client not valid", e);
 			}
 		}
 		return result;
@@ -255,11 +274,11 @@ else if (accessToken.isExpired()) {
 	public String getClientId(String tokenValue) {
 		OAuth2Authentication authentication = tokenStore.readAuthentication(tokenValue);
 		if (authentication == null) {
-			throw new InvalidTokenException("Invalid access token: " + tokenValue);
+			throw new InvalidTokenException("Invalid access token");
 		}
 		OAuth2Request clientAuth = authentication.getOAuth2Request();
 		if (clientAuth == null) {
-			throw new InvalidTokenException("Invalid access token (no client id): " + tokenValue);
+			throw new InvalidTokenException("Invalid access token (no client id)");
 		}
 		return clientAuth.getClientId();
 	}
@@ -281,16 +300,17 @@ private OAuth2RefreshToken createRefreshToken(OAuth2Authentication authenticatio
 			return null;
 		}
 		int validitySeconds = getRefreshTokenValiditySeconds(authentication.getOAuth2Request());
-		String value = UUID.randomUUID().toString();
+		String tokenValue = new String(Base64.encodeBase64URLSafe(DEFAULT_TOKEN_GENERATOR.generateKey()), US_ASCII);
 		if (validitySeconds > 0) {
-			return new DefaultExpiringOAuth2RefreshToken(value, new Date(System.currentTimeMillis()
+			return new DefaultExpiringOAuth2RefreshToken(tokenValue, new Date(System.currentTimeMillis()
 					+ (validitySeconds * 1000L)));
 		}
-		return new DefaultOAuth2RefreshToken(value);
+		return new DefaultOAuth2RefreshToken(tokenValue);
 	}
 
 	private OAuth2AccessToken createAccessToken(OAuth2Authentication authentication, OAuth2RefreshToken refreshToken) {
-		DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(UUID.randomUUID().toString());
+		String tokenValue = new String(Base64.encodeBase64URLSafe(DEFAULT_TOKEN_GENERATOR.generateKey()),  US_ASCII);
+		DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(tokenValue);
 		int validitySeconds = getAccessTokenValiditySeconds(authentication.getOAuth2Request());
 		if (validitySeconds > 0) {
 			token.setExpiration(new Date(System.currentTimeMillis() + (validitySeconds * 1000L)));
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverter.java
index c8891c48c..331114567 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverter.java
@@ -28,16 +28,22 @@
 /**
  * Default implementation of {@link UserAuthenticationConverter}. Converts to and from an Authentication using only its
  * name and authorities.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class DefaultUserAuthenticationConverter implements UserAuthenticationConverter {
 
 	private Collection<? extends GrantedAuthority> defaultAuthorities;
 
 	private UserDetailsService userDetailsService;
 
+	private String userClaimName = USERNAME;
+
 	/**
 	 * Optional {@link UserDetailsService} to use when extracting an {@link Authentication} from the incoming map.
 	 * 
@@ -47,6 +53,15 @@ public void setUserDetailsService(UserDetailsService userDetailsService) {
 		this.userDetailsService = userDetailsService;
 	}
 
+	/**
+	 * Set the name of the user claim to use when extracting an {@link Authentication} from the incoming map
+	 * or when converting an {@link Authentication} to a map.
+	 * @param claimName the claim name to use (default {@link UserAuthenticationConverter#USERNAME})
+	 */
+	public void setUserClaimName(String claimName) {
+		this.userClaimName = claimName;
+	}
+
 	/**
 	 * Default value for authorities if an Authentication is being created and the input has no data for authorities.
 	 * Note that unless this property is set, the default Authentication created by {@link #extractAuthentication(Map)}
@@ -61,7 +76,7 @@ public void setDefaultAuthorities(String[] defaultAuthorities) {
 
 	public Map<String, ?> convertUserAuthentication(Authentication authentication) {
 		Map<String, Object> response = new LinkedHashMap<String, Object>();
-		response.put(USERNAME, authentication.getName());
+		response.put(userClaimName, authentication.getName());
 		if (authentication.getAuthorities() != null && !authentication.getAuthorities().isEmpty()) {
 			response.put(AUTHORITIES, AuthorityUtils.authorityListToSet(authentication.getAuthorities()));
 		}
@@ -69,11 +84,11 @@ public void setDefaultAuthorities(String[] defaultAuthorities) {
 	}
 
 	public Authentication extractAuthentication(Map<String, ?> map) {
-		if (map.containsKey(USERNAME)) {
-			Object principal = map.get(USERNAME);
+		if (map.containsKey(userClaimName)) {
+			Object principal = map.get(userClaimName);
 			Collection<? extends GrantedAuthority> authorities = getAuthorities(map);
 			if (userDetailsService != null) {
-				UserDetails user = userDetailsService.loadUserByUsername((String) map.get(USERNAME));
+				UserDetails user = userDetailsService.loadUserByUsername((String) map.get(userClaimName));
 				authorities = user.getAuthorities();
 				principal = user;
 			}
@@ -82,7 +97,7 @@ public Authentication extractAuthentication(Map<String, ?> map) {
 		return null;
 	}
 
-	private Collection<? extends GrantedAuthority> getAuthorities(Map<String, ?> map) {
+	protected Collection<? extends GrantedAuthority> getAuthorities(Map<String, ?> map) {
 		if (!map.containsKey(AUTHORITIES)) {
 			return defaultAuthorities;
 		}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/RemoteTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/RemoteTokenServices.java
index 7ba183ad1..db5095892 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/RemoteTokenServices.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/RemoteTokenServices.java
@@ -24,6 +24,7 @@
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.client.DefaultResponseErrorHandler;
@@ -39,10 +40,15 @@
  *
  * If the endpoint returns a 400 response, this indicates that the token is invalid.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * @author Luke Taylor
+ * @author Mathieu Ouellet
  *
  */
+@Deprecated
 public class RemoteTokenServices implements ResourceServerTokenServices {
 
 	protected final Log logger = LogFactory.getLog(getClass());
@@ -57,6 +63,8 @@ public class RemoteTokenServices implements ResourceServerTokenServices {
 
     private String tokenName = "token";
 
+	private Map<String, String> additionalParameters;
+
 	private AccessTokenConverter tokenConverter = new DefaultAccessTokenConverter();
 
 	public RemoteTokenServices() {
@@ -96,15 +104,30 @@ public void setTokenName(String tokenName) {
         this.tokenName = tokenName;
     }
 
-    @Override
-	public OAuth2Authentication loadAuthentication(String accessToken) throws AuthenticationException, InvalidTokenException {
+	public void setAdditionalParameters(Map<String, String> additionalParameters) {
+		this.additionalParameters = additionalParameters;
+	}
+
+	@Override
+	public OAuth2Authentication loadAuthentication(String accessToken)
+			throws AuthenticationException, InvalidTokenException {
 
 		MultiValueMap<String, String> formData = new LinkedMultiValueMap<String, String>();
+		if (additionalParameters != null) {
+			formData.setAll(additionalParameters);
+		}
 		formData.add(tokenName, accessToken);
 		HttpHeaders headers = new HttpHeaders();
 		headers.set("Authorization", getAuthorizationHeader(clientId, clientSecret));
 		Map<String, Object> map = postForMap(checkTokenEndpointUrl, formData, headers);
 
+		if (CollectionUtils.isEmpty(map)) {
+			if (logger.isDebugEnabled()) {
+				logger.debug("check_token returned empty");
+			}
+			throw new InvalidTokenException(accessToken);
+		}
+
 		if (map.containsKey("error")) {
 			if (logger.isDebugEnabled()) {
 				logger.debug("check_token returned error: " + map.get("error"));
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ResourceServerTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ResourceServerTokenServices.java
index 23795bc43..6af3f7f21 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ResourceServerTokenServices.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ResourceServerTokenServices.java
@@ -5,6 +5,12 @@
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 
+/**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
+ */
+@Deprecated
 public interface ResourceServerTokenServices {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancer.java
index 6da146dfa..e33122fd6 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancer.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancer.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -18,10 +18,14 @@
 /**
  * Strategy for enhancing an access token before it is stored by an {@link AuthorizationServerTokenServices}
  * implementation.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface TokenEnhancer {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancerChain.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancerChain.java
index d5dc50c4f..e9fe8b5e1 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancerChain.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancerChain.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -20,10 +20,14 @@
 
 /**
  * A composite token enhancer that loops over its delegate enhancers.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class TokenEnhancerChain implements TokenEnhancer {
 
 	private List<TokenEnhancer> delegates = Collections.emptyList();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenStore.java
index 47e5d7c50..8cf2072a8 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenStore.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenStore.java
@@ -8,7 +8,12 @@
 
 /**
  * Persistence interface for OAuth2 tokens.
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  */
+@Deprecated
 public interface TokenStore {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/UserAuthenticationConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/UserAuthenticationConverter.java
index 737bfa500..1403d5bf7 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/UserAuthenticationConverter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/UserAuthenticationConverter.java
@@ -19,10 +19,14 @@
 
 /**
  * Utility interface for converting a user authentication to and from a Map.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public interface UserAuthenticationConverter {
 
 	final String AUTHORITIES = AccessTokenConverter.AUTHORITIES;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/DelegatingJwtClaimsSetVerifier.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/DelegatingJwtClaimsSetVerifier.java
index 7182fc70f..9d60b24de 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/DelegatingJwtClaimsSetVerifier.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/DelegatingJwtClaimsSetVerifier.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -27,10 +27,14 @@
  * A {@link JwtClaimsSetVerifier} that delegates claims verification
  * to it's internal <code>List</code> of {@link JwtClaimsSetVerifier}'s.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Joe Grandja
  * @since 2.2
  * @see JwtClaimsSetVerifier
  */
+@Deprecated
 public class DelegatingJwtClaimsSetVerifier implements JwtClaimsSetVerifier {
 	private final List<JwtClaimsSetVerifier> jwtClaimsSetVerifiers;
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/InMemoryTokenStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/InMemoryTokenStore.java
index b5ab22ee4..7f30f4d36 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/InMemoryTokenStore.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/InMemoryTokenStore.java
@@ -20,11 +20,15 @@
 
 /**
  * Implementation of token services that stores tokens in memory.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ryan Heaton
  * @author Luke Taylor
  * @author Dave Syer
  */
+@Deprecated
 public class InMemoryTokenStore implements TokenStore {
 
 	private static final int DEFAULT_FLUSH_INTERVAL = 1000;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/IssuerClaimVerifier.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/IssuerClaimVerifier.java
index 6f5936c8d..4a206382e 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/IssuerClaimVerifier.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/IssuerClaimVerifier.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -26,10 +26,14 @@
  * A {@link JwtClaimsSetVerifier} that verifies the Issuer (iss) claim contained in the
  * JWT Claims Set against the <code>issuer</code> supplied to the constructor.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Joe Grandja
  * @since 2.2
  * @see JwtClaimsSetVerifier
  */
+@Deprecated
 public class IssuerClaimVerifier implements JwtClaimsSetVerifier {
 	private static final String ISS_CLAIM = "iss";
 	private final URL issuer;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStore.java
index 4c67843d0..46305c2ad 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStore.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStore.java
@@ -31,10 +31,14 @@
 /**
  * Implementation of token services that stores tokens in a database.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Ken Dombeck
  * @author Luke Taylor
  * @author Dave Syer
  */
+@Deprecated
 public class JdbcTokenStore implements TokenStore {
 
 	private static final Log LOG = LogFactory.getLog(JdbcTokenStore.class);
@@ -125,12 +129,14 @@ public OAuth2AccessToken mapRow(ResultSet rs, int rowNum) throws SQLException {
 			LOG.error("Could not extract access token for authentication " + authentication, e);
 		}
 
-		if (accessToken != null
-				&& !key.equals(authenticationKeyGenerator.extractKey(readAuthentication(accessToken.getValue())))) {
-			removeAccessToken(accessToken.getValue());
-			// Keep the store consistent (maybe the same user is represented by this authentication but the details have
-			// changed)
-			storeAccessToken(accessToken, authentication);
+		if (accessToken != null) {
+			OAuth2Authentication oldAuthentication = readAuthentication(accessToken.getValue());
+			if (oldAuthentication == null || !key.equals(authenticationKeyGenerator.extractKey(oldAuthentication))) {
+				removeAccessToken(accessToken.getValue());
+				// Keep the store consistent (maybe the same user is represented by this authentication but the details have
+				// changed)
+				storeAccessToken(accessToken, authentication);
+			}
 		}
 		return accessToken;
 	}
@@ -165,11 +171,11 @@ public OAuth2AccessToken mapRow(ResultSet rs, int rowNum) throws SQLException {
 		}
 		catch (EmptyResultDataAccessException e) {
 			if (LOG.isInfoEnabled()) {
-				LOG.info("Failed to find access token for token " + tokenValue);
+				LOG.info("Failed to find access token");
 			}
 		}
 		catch (IllegalArgumentException e) {
-			LOG.warn("Failed to deserialize access token for " + tokenValue, e);
+			LOG.warn("Failed to deserialize access token", e);
 			removeAccessToken(tokenValue);
 		}
 
@@ -201,11 +207,11 @@ public OAuth2Authentication mapRow(ResultSet rs, int rowNum) throws SQLException
 		}
 		catch (EmptyResultDataAccessException e) {
 			if (LOG.isInfoEnabled()) {
-				LOG.info("Failed to find access token for token " + token);
+				LOG.info("Failed to find access token");
 			}
 		}
 		catch (IllegalArgumentException e) {
-			LOG.warn("Failed to deserialize authentication for " + token, e);
+			LOG.warn("Failed to deserialize authentication", e);
 			removeAccessToken(token);
 		}
 
@@ -231,11 +237,11 @@ public OAuth2RefreshToken mapRow(ResultSet rs, int rowNum) throws SQLException {
 		}
 		catch (EmptyResultDataAccessException e) {
 			if (LOG.isInfoEnabled()) {
-				LOG.info("Failed to find refresh token for token " + token);
+				LOG.info("Failed to find refresh token");
 			}
 		}
 		catch (IllegalArgumentException e) {
-			LOG.warn("Failed to deserialize refresh token for token " + token, e);
+			LOG.warn("Failed to deserialize refresh token", e);
 			removeRefreshToken(token);
 		}
 
@@ -267,11 +273,11 @@ public OAuth2Authentication mapRow(ResultSet rs, int rowNum) throws SQLException
 		}
 		catch (EmptyResultDataAccessException e) {
 			if (LOG.isInfoEnabled()) {
-				LOG.info("Failed to find access token for token " + value);
+				LOG.info("Failed to find access token");
 			}
 		}
 		catch (IllegalArgumentException e) {
-			LOG.warn("Failed to deserialize access token for " + value, e);
+			LOG.warn("Failed to deserialize access token", e);
 			removeRefreshToken(value);
 		}
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtAccessTokenConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtAccessTokenConverter.java
index 4a77932c3..6ffc4acf8 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtAccessTokenConverter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtAccessTokenConverter.java
@@ -43,12 +43,16 @@
  * information (in both directions). Also acts as a {@link TokenEnhancer} when tokens are
  * granted.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @see TokenEnhancer
  * @see AccessTokenConverter
  *
  * @author Dave Syer
  * @author Luke Taylor
  */
+@Deprecated
 public class JwtAccessTokenConverter implements TokenEnhancer, AccessTokenConverter, InitializingBean {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtClaimsSetVerifier.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtClaimsSetVerifier.java
index 20fe97d42..61d030ba9 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtClaimsSetVerifier.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtClaimsSetVerifier.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -24,10 +24,14 @@
  * contained in a JWT Claims Set, for example, expiration time (exp),
  * not before (nbf), issuer (iss), audience (aud), subject (sub), etc.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Joe Grandja
  * @since 2.2
  * @see JwtAccessTokenConverter
  */
+@Deprecated
 public interface JwtClaimsSetVerifier {
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtTokenStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtTokenStore.java
index 489df3f24..9e9c4b93e 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtTokenStore.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtTokenStore.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -33,10 +33,14 @@
  * nevertheless a useful tool since it translates access tokens to and from authentications. Use this wherever a
  * {@link TokenStore} is needed, but remember to use the same {@link JwtAccessTokenConverter} instance (or one with the same
  * verifier) as was used when the tokens were minted.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public class JwtTokenStore implements TokenStore {
 
 	private JwtAccessTokenConverter jwtTokenEnhancer;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/KeyStoreKeyFactory.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/KeyStoreKeyFactory.java
index 8eda6ef2a..2ca4aa271 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/KeyStoreKeyFactory.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/KeyStoreKeyFactory.java
@@ -1,10 +1,10 @@
 /*
- * Copyright 20013-2014 the original author or authors.
+ * Copyright 2013-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -13,6 +13,8 @@
 
 package org.springframework.security.oauth2.provider.token.store;
 
+import java.io.IOException;
+import java.io.InputStream;
 import java.security.KeyFactory;
 import java.security.KeyPair;
 import java.security.KeyStore;
@@ -20,16 +22,24 @@
 import java.security.interfaces.RSAPrivateCrtKey;
 import java.security.spec.RSAPublicKeySpec;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.core.io.Resource;
 
 /**
  * Factory for RSA key pairs from a JKS keystore file. User provides a {@link Resource} location of a keystore file and
  * the password to unlock it, and the factory grabs the keypairs from the store by name (and optionally password).
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  *
  */
+@Deprecated
 public class KeyStoreKeyFactory {
+	
+	private static final Log logger = LogFactory.getLog(KeyStoreKeyFactory.class);
 
 	private Resource resource;
 
@@ -49,12 +59,14 @@ public KeyPair getKeyPair(String alias) {
 	}
 
 	public KeyPair getKeyPair(String alias, char[] password) {
+		InputStream inputStream = null;
 		try {
 			synchronized (lock) {
 				if (store == null) {
 					synchronized (lock) {
 						store = KeyStore.getInstance("jks");
-						store.load(resource.getInputStream(), this.password);
+						inputStream = resource.getInputStream();
+						store.load(inputStream, this.password);
 					}
 				}
 			}
@@ -66,6 +78,15 @@ public KeyPair getKeyPair(String alias, char[] password) {
 		catch (Exception e) {
 			throw new IllegalStateException("Cannot load keys from store: " + resource, e);
 		}
+		finally {
+			try {
+				if (inputStream != null) {
+					inputStream.close();
+				}
+			} 
+			catch (IOException e) {
+				logger.warn("Cannot close open stream: ", e);
+			}
+		}
 	}
-
 }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/EllipticCurveJwkDefinition.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/EllipticCurveJwkDefinition.java
index 241d0526f..360099d17 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/EllipticCurveJwkDefinition.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/EllipticCurveJwkDefinition.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -32,6 +32,7 @@ final class EllipticCurveJwkDefinition extends JwkDefinition {
 	 * Creates an instance of an Elliptic Curve JSON Web Key (JWK).
 	 *
 	 * @param keyId        the Key ID
+	 * @param x5t          the X.509 Certificate SHA-1 Thumbprint (&quot;x5t&quot;)
 	 * @param publicKeyUse the intended use of the Public Key
 	 * @param algorithm    the algorithm intended to be used
 	 * @param x            the x value to be used
@@ -39,12 +40,13 @@ final class EllipticCurveJwkDefinition extends JwkDefinition {
 	 * @param curve        the curve to be used
 	 */
 	EllipticCurveJwkDefinition(String keyId,
+							   String x5t,
 							   PublicKeyUse publicKeyUse,
 							   CryptoAlgorithm algorithm,
 							   String x,
 							   String y,
 							   String curve) {
-		super(keyId, KeyType.EC, publicKeyUse, algorithm);
+		super(keyId, x5t, KeyType.EC, publicKeyUse, algorithm);
 		this.x = x;
 		this.y = y;
 		this.curve = curve;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkAttributes.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkAttributes.java
index b5a2b3338..15c3f1c2c 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkAttributes.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkAttributes.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -28,6 +28,11 @@ final class JwkAttributes {
 	 */
 	static final String KEY_ID = "kid";
 
+	/**
+	 * The &quot;x5t&quot; (X.509 Certificate SHA-1 Thumbprint) parameter used in a JWT header and in a JWK.
+	 */
+	static final String X5T = "x5t";
+
 	/**
 	 * The &quot;kty&quot; (key type) parameter identifies the cryptographic algorithm family
 	 * used by a JWK, for example, &quot;RSA&quot; or &quot;EC&quot;.
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinition.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinition.java
index 95e37a217..f8392fa10 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinition.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinition.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -25,6 +25,7 @@
  */
 abstract class JwkDefinition {
 	private final String keyId;
+	private final String x5t;
 	private final KeyType keyType;
 	private final PublicKeyUse publicKeyUse;
 	private final CryptoAlgorithm algorithm;
@@ -33,15 +34,18 @@ abstract class JwkDefinition {
 	 * Creates an instance with the common attributes of a JWK.
 	 *
 	 * @param keyId the Key ID
+	 * @param x5t the X.509 Certificate SHA-1 Thumbprint (&quot;x5t&quot;)
 	 * @param keyType the Key Type
 	 * @param publicKeyUse the intended use of the Public Key
 	 * @param algorithm the algorithm intended to be used
 	 */
 	protected JwkDefinition(String keyId,
+							String x5t,
 							KeyType keyType,
 							PublicKeyUse publicKeyUse,
 							CryptoAlgorithm algorithm) {
 		this.keyId = keyId;
+		this.x5t = x5t;
 		this.keyType = keyType;
 		this.publicKeyUse = publicKeyUse;
 		this.algorithm = algorithm;
@@ -54,6 +58,13 @@ String getKeyId() {
 		return this.keyId;
 	}
 
+	/**
+	 * @return the  X.509 Certificate SHA-1 Thumbprint (&quot;x5t&quot;)
+	 */
+	String getX5t() {
+		return this.x5t;
+	}
+
 	/**
 	 * @return the Key Type (&quot;kty&quot;)
 	 */
@@ -89,6 +100,12 @@ public boolean equals(Object obj) {
 		if (!this.getKeyId().equals(that.getKeyId())) {
 			return false;
 		}
+		if (this.getX5t() == null) {
+			if (that.getX5t() != null)
+				return false;
+		}
+		else if (!this.getX5t().equals(that.getX5t()))
+			return false;
 
 		return this.getKeyType().equals(that.getKeyType());
 	}
@@ -97,6 +114,7 @@ public boolean equals(Object obj) {
 	public int hashCode() {
 		int result = this.getKeyId().hashCode();
 		result = 31 * result + this.getKeyType().hashCode();
+		result = 31 * result + ((this.getX5t() == null) ? 0 : this.getX5t().hashCode());
 		return result;
 	}
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSource.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSource.java
index c60d29866..8340106e3 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSource.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSource.java
@@ -1,11 +1,11 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -30,6 +30,7 @@
 import java.security.spec.RSAPublicKeySpec;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Iterator;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
@@ -47,6 +48,7 @@
  *
  * @author Joe Grandja
  * @author Michael Duergner
+ * @author Bjoern Eickvonder
  */
 class JwkDefinitionSource {
 	private final List<URL> jwkSetUrls;
@@ -79,39 +81,55 @@ class JwkDefinitionSource {
 	}
 
 	/**
-	 * Returns the JWK definition matching the provided keyId (&quot;kid&quot;).
+	 * Returns the JWK definition matching the provided keyId (&quot;kid&quot;) or provided thumbprint (&quot;x5t&quot;).
 	 * If the JWK definition is not available in the internal cache then {@link #loadJwkDefinitions(URL)}
 	 * will be called (to re-load the cache) and then followed-up with a second attempt to locate the JWK definition.
 	 *
-	 * @param keyId the Key ID (&quot;kid&quot;)
+	 * @param keyId the Key ID (&quot;kid&quot;), if not given x5t will be checked
+	 * @param x5t the X.509 Certificate SHA-1 Thumbprint (&quot;x5t&quot;), will only be checked if keyId is not given
 	 * @return the matching {@link JwkDefinition} or null if not found
 	 */
-	JwkDefinitionHolder getDefinitionLoadIfNecessary(String keyId) {
-		JwkDefinitionHolder result = this.getDefinition(keyId);
+	JwkDefinitionHolder getDefinitionLoadIfNecessary(String keyId, String x5t) {
+		JwkDefinitionHolder result = this.getDefinition(keyId, x5t);
 		if (result != null) {
 			return result;
 		}
 		synchronized (this.jwkDefinitions) {
-			result = this.getDefinition(keyId);
+			result = this.getDefinition(keyId, x5t);
 			if (result != null) {
 				return result;
 			}
-			this.jwkDefinitions.clear();
+			Map<String, JwkDefinitionHolder> newJwkDefinitions = new LinkedHashMap<String, JwkDefinitionHolder>();
 			for (URL jwkSetUrl : jwkSetUrls) {
-				this.jwkDefinitions.putAll(loadJwkDefinitions(jwkSetUrl));
+				newJwkDefinitions.putAll(loadJwkDefinitions(jwkSetUrl));
 			}
-			return this.getDefinition(keyId);
+			this.jwkDefinitions.clear();
+			this.jwkDefinitions.putAll(newJwkDefinitions);
+			return this.getDefinition(keyId, x5t);
 		}
 	}
 
 	/**
 	 * Returns the JWK definition matching the provided keyId (&quot;kid&quot;).
 	 *
-	 * @param keyId the Key ID (&quot;kid&quot;)
+	 * @param keyId the Key ID (&quot;kid&quot;), if not given x5t will be checked
+	 * @param x5t the X.509 Certificate SHA-1 Thumbprint (&quot;x5t&quot;), will only be checked if keyId is not given
 	 * @return the matching {@link JwkDefinition} or null if not found
 	 */
-	private JwkDefinitionHolder getDefinition(String keyId) {
-		return this.jwkDefinitions.get(keyId);
+	private JwkDefinitionHolder getDefinition(String keyId, String x5t) {
+		JwkDefinitionHolder result = null;
+		if (keyId != null) {
+			result = this.jwkDefinitions.get(keyId);
+		} else if (x5t != null) {
+			Iterator<JwkDefinitionHolder> iter = this.jwkDefinitions.values().iterator();
+			while (result == null && iter.hasNext()) {
+				JwkDefinitionHolder entry = iter.next();
+				if (x5t.equals(entry.getJwkDefinition().getX5t())) {
+					result = entry;
+				}
+			}
+		}
+		return result;
 	}
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkException.java
index 1d3211dfb..36d56615c 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkException.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkException.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,8 +20,12 @@
 /**
  * General exception for JSON Web Key (JWK) related errors.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Joe Grandja
  */
+@Deprecated
 public class JwkException extends OAuth2Exception {
 	private static final String SERVER_ERROR_ERROR_CODE = "server_error";
 	private String errorCode = SERVER_ERROR_ERROR_CODE;
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverter.java
index 2962e977a..930884c12 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -95,13 +95,13 @@ public Set<JwkDefinition> convert(InputStream jwkSetSource) {
 					}
 				}
 
-				// gh-1470 - skip unsupported public key use (enc) without discarding the entire set
+				// gh-1871 - only accept public key use (sig)
 				JwkDefinition.PublicKeyUse publicKeyUse =
 						JwkDefinition.PublicKeyUse.fromValue(attributes.get(PUBLIC_KEY_USE));
-				if (JwkDefinition.PublicKeyUse.ENC.equals(publicKeyUse)) {
+				if (!JwkDefinition.PublicKeyUse.SIG.equals(publicKeyUse)) {
 					continue;
 				}
-			
+
 				JwkDefinition jwkDefinition = null;
 				JwkDefinition.KeyType keyType =
 						JwkDefinition.KeyType.fromValue(attributes.get(KEY_TYPE));
@@ -142,13 +142,13 @@ private JwkDefinition createRsaJwkDefinition(Map<String, String> attributes) {
 		if (!StringUtils.hasText(keyId)) {
 			throw new JwkException(KEY_ID + " is a required attribute for a JWK.");
 		}
+		String x5t = attributes.get(X5T);
 
 		// use
 		JwkDefinition.PublicKeyUse publicKeyUse =
 				JwkDefinition.PublicKeyUse.fromValue(attributes.get(PUBLIC_KEY_USE));
 		if (!JwkDefinition.PublicKeyUse.SIG.equals(publicKeyUse)) {
-			throw new JwkException((publicKeyUse != null ? publicKeyUse.value() : "unknown") +
-					" (" + PUBLIC_KEY_USE + ") is currently not supported.");
+			return null;
 		}
 
 		// alg
@@ -174,7 +174,7 @@ private JwkDefinition createRsaJwkDefinition(Map<String, String> attributes) {
 		}
 
 		RsaJwkDefinition jwkDefinition = new RsaJwkDefinition(
-				keyId, publicKeyUse, algorithm, modulus, exponent);
+				keyId, x5t, publicKeyUse, algorithm, modulus, exponent);
 
 		return jwkDefinition;
 	}
@@ -192,13 +192,13 @@ private JwkDefinition createEllipticCurveJwkDefinition(Map<String, String> attri
 		if (!StringUtils.hasText(keyId)) {
 			throw new JwkException(KEY_ID + " is a required attribute for an EC JWK.");
 		}
+		String x5t = attributes.get(X5T);
 
 		// use
 		JwkDefinition.PublicKeyUse publicKeyUse =
 				JwkDefinition.PublicKeyUse.fromValue(attributes.get(PUBLIC_KEY_USE));
 		if (!JwkDefinition.PublicKeyUse.SIG.equals(publicKeyUse)) {
-			throw new JwkException((publicKeyUse != null ? publicKeyUse.value() : "unknown") +
-					" (" + PUBLIC_KEY_USE + ") is currently not supported.");
+			return null;
 		}
 
 		// alg
@@ -230,7 +230,7 @@ private JwkDefinition createEllipticCurveJwkDefinition(Map<String, String> attri
 		}
 
 		EllipticCurveJwkDefinition jwkDefinition = new EllipticCurveJwkDefinition(
-				keyId, publicKeyUse, algorithm, x, y, curve);
+				keyId, x5t, publicKeyUse, algorithm, x, y, curve);
 
 		return jwkDefinition;
 	}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStore.java
index 05c2285e9..fab93d130 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStore.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStore.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -86,8 +86,12 @@
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7519">JSON Web Token (JWT)</a>
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7515">JSON Web Signature (JWS)</a>
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Joe Grandja
  */
+@Deprecated
 public final class JwkTokenStore implements TokenStore {
 	private final TokenStore delegate;
 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverter.java
index 717876de9..58f166cfc 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -29,6 +29,7 @@
 
 import static org.springframework.security.oauth2.provider.token.store.jwk.JwkAttributes.ALGORITHM;
 import static org.springframework.security.oauth2.provider.token.store.jwk.JwkAttributes.KEY_ID;
+import static org.springframework.security.oauth2.provider.token.store.jwk.JwkAttributes.X5T;
 
 /**
  * A specialized extension of {@link JwtAccessTokenConverter} that is responsible for verifying
@@ -42,8 +43,8 @@
  * <br>
  * <br>
  * <ol>
- *     <li>Extract the <b>&quot;kid&quot;</b> parameter from the JWT header.</li>
- *     <li>Find the matching {@link JwkDefinition} from the {@link JwkDefinitionSource} with the corresponding <b>&quot;kid&quot;</b> attribute.</li>
+ *     <li>Extract the <b>&quot;kid&quot;</b> and <b>&quot;x5t&quot;</b> parameters from the JWT header.</li>
+ *     <li>Find the matching {@link JwkDefinition} from the {@link JwkDefinitionSource} with the corresponding <b>&quot;kid&quot;</b> or <b>&quot;x5t&quot;</b> attribute.</li>
  *     <li>Obtain the {@link SignatureVerifier} associated with the {@link JwkDefinition} via the {@link JwkDefinitionSource} and verify the signature.</li>
  * </ol>
  * <br>
@@ -67,6 +68,7 @@
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7515">JSON Web Signature (JWS)</a>
  *
  * @author Joe Grandja
+ * @author bjoern Eickvonder
  */
 class JwkVerifyingJwtAccessTokenConverter extends JwtAccessTokenConverter {
 	private final JwkDefinitionSource jwkDefinitionSource;
@@ -95,14 +97,15 @@ class JwkVerifyingJwtAccessTokenConverter extends JwtAccessTokenConverter {
 	protected Map<String, Object> decode(String token) {
 		Map<String, String> headers = this.jwtHeaderConverter.convert(token);
 
-		// Validate "kid" header
+		// Validate "kid" or "x5t" header
 		String keyIdHeader = headers.get(KEY_ID);
-		if (keyIdHeader == null) {
-			throw new InvalidTokenException("Invalid JWT/JWS: " + KEY_ID + " is a required JOSE Header");
+		String x5tHeader = headers.get(X5T);
+		if (keyIdHeader == null && x5tHeader == null) {
+			throw new InvalidTokenException("Invalid JWT/JWS: " + KEY_ID + " or " + X5T + " is a required JOSE Header");
 		}
-		JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = this.jwkDefinitionSource.getDefinitionLoadIfNecessary(keyIdHeader);
+		JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = this.jwkDefinitionSource.getDefinitionLoadIfNecessary(keyIdHeader, x5tHeader);
 		if (jwkDefinitionHolder == null) {
-			throw new InvalidTokenException("Invalid JOSE Header " + KEY_ID + " (" + keyIdHeader + ")");
+			throw new InvalidTokenException("Invalid JOSE Header " + KEY_ID + " (" + keyIdHeader + "), " + X5T + " (" + x5tHeader + ")");
 		}
 
 		JwkDefinition jwkDefinition = jwkDefinitionHolder.getJwkDefinition();
@@ -113,13 +116,18 @@ protected Map<String, Object> decode(String token) {
 		}
 		if (jwkDefinition.getAlgorithm() != null && !algorithmHeader.equals(jwkDefinition.getAlgorithm().headerParamValue())) {
 			throw new InvalidTokenException("Invalid JOSE Header " + ALGORITHM + " (" + algorithmHeader + ")" +
-					" does not match algorithm associated to JWK with " + KEY_ID + " (" + keyIdHeader + ")");
+					" does not match algorithm associated to JWK with " + KEY_ID + " (" + keyIdHeader + "), " + X5T + " (" + x5tHeader + ")");
 		}
 
 		// Verify signature
 		SignatureVerifier verifier = jwkDefinitionHolder.getSignatureVerifier();
-		Jwt jwt = JwtHelper.decode(token);
-		jwt.verifySignature(verifier);
+		Jwt jwt;
+		try {
+			jwt = JwtHelper.decode(token);
+			jwt.verifySignature(verifier);
+		} catch (Exception ex) {
+			throw new InvalidTokenException("Failed to decode/verify JWT/JWS", ex);
+		}
 
 		Map<String, Object> claims = this.jsonParser.parseMap(jwt.getClaims());
 		if (claims.containsKey(EXP) && claims.get(EXP) instanceof Integer) {
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverter.java
index 3083c3b92..cc435012d 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinition.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinition.java
index 41655c7af..5eada32c4 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinition.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinition.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -31,18 +31,19 @@ final class RsaJwkDefinition extends JwkDefinition {
 	 * Creates an instance of a RSA JSON Web Key (JWK).
 	 *
 	 * @param keyId the Key ID
+	 * @param x5t the X.509 Certificate SHA-1 Thumbprint (&quot;x5t&quot;)
 	 * @param publicKeyUse the intended use of the Public Key
 	 * @param algorithm the algorithm intended to be used
 	 * @param modulus the modulus value for the Public Key
 	 * @param exponent the exponent value for the Public Key
 	 */
 	RsaJwkDefinition(String keyId,
+					 String x5t,
 					 PublicKeyUse publicKeyUse,
 					 CryptoAlgorithm algorithm,
 					 String modulus,
 					 String exponent) {
-
-		super(keyId, KeyType.RSA, publicKeyUse, algorithm);
+		super(keyId, x5t, KeyType.RSA, publicKeyUse, algorithm);
 		this.modulus = modulus;
 		this.exponent = exponent;
 	}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/BaseRedisTokenStoreSerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/BaseRedisTokenStoreSerializationStrategy.java
index 4a37506f7..4a1075d8b 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/BaseRedisTokenStoreSerializationStrategy.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/BaseRedisTokenStoreSerializationStrategy.java
@@ -3,8 +3,12 @@
 /**
  * Handles null/empty byte arrays on deserialize and null objects on serialize.
  *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author efenderbosch
  */
+@Deprecated
 public abstract class BaseRedisTokenStoreSerializationStrategy implements RedisTokenStoreSerializationStrategy {
 
 	private static final byte[] EMPTY_ARRAY = new byte[0];
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/JdkSerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/JdkSerializationStrategy.java
index aae1d7b5e..373eb652e 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/JdkSerializationStrategy.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/JdkSerializationStrategy.java
@@ -1,26 +1,70 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package org.springframework.security.oauth2.provider.token.store.redis;
 
-import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer;
+import org.springframework.core.serializer.support.SerializationFailedException;
+
+import java.io.Serializable;
+
+import org.springframework.security.oauth2.common.util.SerializationUtils;
 
 /**
- * Serializes objects using {@link JdkSerializationRedisSerializer}
+ * Serializes and deserializes allowed objects using {@link SerializationUtils}.
  *
- * @author efenderbosch
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
  *
+ * @author efenderbosch
+ * @author Artem Smotrakov
  */
+@Deprecated
 public class JdkSerializationStrategy extends StandardStringSerializationStrategy {
 
-	private static final JdkSerializationRedisSerializer OBJECT_SERIALIZER = new JdkSerializationRedisSerializer();
+    private static final byte[] EMPTY_ARRAY = new byte[0];
+
+    @Override
+    @SuppressWarnings("unchecked")
+    protected <T> T deserializeInternal(byte[] bytes, Class<T> clazz) {
+        if (bytes == null || bytes.length == 0) {
+            return null;
+        }
+        try {
+            return (T) SerializationUtils.deserialize(bytes);
+        } catch (Exception e) {
+            throw new SerializationFailedException("Failed to deserialize payload", e);
+        }
+    }
 
-	@Override
-	@SuppressWarnings("unchecked")
-	protected <T> T deserializeInternal(byte[] bytes, Class<T> clazz) {
-		return (T) OBJECT_SERIALIZER.deserialize(bytes);
-	}
+    @Override
+    protected byte[] serializeInternal(Object object) {
+        if (object == null) {
+            return EMPTY_ARRAY;
+        }
+        if (!(object instanceof Serializable)) {
+            throw new IllegalArgumentException(this.getClass().getSimpleName()
+                + " requires a Serializable payload but received an object of type ["
+                + object.getClass().getName() + "]");
+        }
 
-	@Override
-	protected byte[] serializeInternal(Object object) {
-		return OBJECT_SERIALIZER.serialize(object);
-	}
+        try {
+            return SerializationUtils.serialize(object);
+        } catch (Exception e) {
+            throw new SerializationFailedException("Failed to serialize object", e);
+        }
+    }
 
 }
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java
index 9241570f7..519ffbea5 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java
@@ -22,8 +22,12 @@
 import java.util.List;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author efenderbosch
  */
+@Deprecated
 public class RedisTokenStore implements TokenStore {
 
 	private static final String ACCESS = "access:";
@@ -203,19 +207,19 @@ public void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authe
 			}
 			OAuth2RefreshToken refreshToken = token.getRefreshToken();
 			if (refreshToken != null && refreshToken.getValue() != null) {
-				byte[] refresh = serialize(token.getRefreshToken().getValue());
-				byte[] auth = serialize(token.getValue());
-				byte[] refreshToAccessKey = serializeKey(REFRESH_TO_ACCESS + token.getRefreshToken().getValue());
+				byte[] refresh = serialize(refreshToken.getValue());
+				byte[] access = serialize(token.getValue());
+				byte[] refreshToAccessKey = serializeKey(REFRESH_TO_ACCESS + refreshToken.getValue());
 				byte[] accessToRefreshKey = serializeKey(ACCESS_TO_REFRESH + token.getValue());
 				if (springDataRedis_2_0) {
 					try {
-						this.redisConnectionSet_2_0.invoke(conn, refreshToAccessKey, auth);
+						this.redisConnectionSet_2_0.invoke(conn, refreshToAccessKey, access);
 						this.redisConnectionSet_2_0.invoke(conn, accessToRefreshKey, refresh);
 					} catch (Exception ex) {
 						throw new RuntimeException(ex);
 					}
 				} else {
-					conn.set(refreshToAccessKey, auth);
+					conn.set(refreshToAccessKey, access);
 					conn.set(accessToRefreshKey, refresh);
 				}
 				if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
@@ -357,15 +361,22 @@ public void removeRefreshToken(String tokenValue) {
 		byte[] refreshKey = serializeKey(REFRESH + tokenValue);
 		byte[] refreshAuthKey = serializeKey(REFRESH_AUTH + tokenValue);
 		byte[] refresh2AccessKey = serializeKey(REFRESH_TO_ACCESS + tokenValue);
-		byte[] access2RefreshKey = serializeKey(ACCESS_TO_REFRESH + tokenValue);
 		RedisConnection conn = getConnection();
 		try {
 			conn.openPipeline();
 			conn.del(refreshKey);
 			conn.del(refreshAuthKey);
+			conn.get(refresh2AccessKey);
 			conn.del(refresh2AccessKey);
-			conn.del(access2RefreshKey);
-			conn.closePipeline();
+			List<Object> results = conn.closePipeline();
+
+			byte[] accessTokenBytes = (byte[]) results.get(2);
+			if(accessTokenBytes != null) {
+				String accessTokenValue = deserializeString(accessTokenBytes);
+				byte[] access2RefreshKey = serializeKey(ACCESS_TO_REFRESH + accessTokenValue);
+				conn.del(access2RefreshKey);
+			}
+
 		} finally {
 			conn.close();
 		}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreSerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreSerializationStrategy.java
index 3d48f56f6..cf48c2373 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreSerializationStrategy.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreSerializationStrategy.java
@@ -1,8 +1,12 @@
 package org.springframework.security.oauth2.provider.token.store.redis;
 
 /**
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author efenderbosch
  */
+@Deprecated
 public interface RedisTokenStoreSerializationStrategy {
 
 	<T> T deserialize(byte[] bytes, Class<T> clazz);
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/StandardStringSerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/StandardStringSerializationStrategy.java
index 72b8faf18..a50545963 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/StandardStringSerializationStrategy.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/StandardStringSerializationStrategy.java
@@ -4,10 +4,14 @@
 
 /**
  * Serializes Strings using {@link StringRedisSerializer}
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author efenderbosch
  *
  */
+@Deprecated
 public abstract class StandardStringSerializationStrategy extends BaseRedisTokenStoreSerializationStrategy {
 
 	private static final StringRedisSerializer STRING_SERIALIZER = new StringRedisSerializer();
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ClientScopeVoter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ClientScopeVoter.java
index b843161ca..88f6ccd8f 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ClientScopeVoter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ClientScopeVoter.java
@@ -18,10 +18,14 @@
  * This voter checks scope in request is consistent with that held by the client. If there is no user in the request
  * (client_credentials grant) it checks against authorities of client instead of scopes by default. Activate by adding
  * <code>CLIENT_HAS_SCOPE</code> to security attributes.
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class ClientScopeVoter implements AccessDecisionVoter<Object> {
 
 	private String clientHasScope = "CLIENT_HAS_SCOPE";
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ScopeVoter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ScopeVoter.java
index 6198ecce3..f98ccf436 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ScopeVoter.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ScopeVoter.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -49,13 +49,17 @@
  * <p>
  * All comparisons and prefixes are case insensitive so you can use (e.g.) <code>SCOPE_READ</code> for simple
  * Facebook-like scope names that might be lower case in the resource definition, or
- * <code>scope=http://my.company.com/scopes/read/</code> (<code>scopePrefix="scope="</code>) for Google-like URI scope
+ * <code>scope=https://my.company.com/scopes/read/</code> (<code>scopePrefix="scope="</code>) for Google-like URI scope
  * names.
  * </p>
- * 
+ *
+ * <p>
+ * @deprecated See the <a href="https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide">OAuth 2.0 Migration Guide</a> for Spring Security 5.
+ *
  * @author Dave Syer
  * 
  */
+@Deprecated
 public class ScopeVoter implements AccessDecisionVoter<Object> {
 
 	private String scopePrefix = "SCOPE_";
diff --git a/spring-security-oauth2/src/main/resources/META-INF/spring.schemas b/spring-security-oauth2/src/main/resources/META-INF/spring.schemas
index eead4cac7..365a2dc24 100644
--- a/spring-security-oauth2/src/main/resources/META-INF/spring.schemas
+++ b/spring-security-oauth2/src/main/resources/META-INF/spring.schemas
@@ -1,3 +1,3 @@
-http\://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd=org/springframework/security/oauth2/spring-security-oauth2-1.0.xsd
-http\://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd=org/springframework/security/oauth2/spring-security-oauth2-2.0.xsd
-http\://www.springframework.org/schema/security/spring-security-oauth2.xsd=org/springframework/security/oauth2/spring-security-oauth2-2.0.xsd
\ No newline at end of file
+https\://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd=org/springframework/security/oauth2/spring-security-oauth2-1.0.xsd
+https\://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd=org/springframework/security/oauth2/spring-security-oauth2-2.0.xsd
+https\://www.springframework.org/schema/security/spring-security-oauth2.xsd=org/springframework/security/oauth2/spring-security-oauth2-2.0.xsd
\ No newline at end of file
diff --git a/spring-security-oauth2/src/main/resources/org/springframework/security/oauth2/spring-security-oauth2-1.0.xsd b/spring-security-oauth2/src/main/resources/org/springframework/security/oauth2/spring-security-oauth2-1.0.xsd
index 71007dd0b..fe9ae6d56 100644
--- a/spring-security-oauth2/src/main/resources/org/springframework/security/oauth2/spring-security-oauth2-1.0.xsd
+++ b/spring-security-oauth2/src/main/resources/org/springframework/security/oauth2/spring-security-oauth2-1.0.xsd
@@ -3,7 +3,7 @@
 	xmlns:beans="http://www.springframework.org/schema/beans" targetNamespace="http://www.springframework.org/schema/security/oauth2"
 	elementFormDefault="qualified" attributeFormDefault="unqualified">
 
-	<xs:import namespace="http://www.springframework.org/schema/beans" schemaLocation="http://www.springframework.org/schema/beans/spring-beans-3.1.xsd" />
+	<xs:import namespace="http://www.springframework.org/schema/beans" schemaLocation="https://www.springframework.org/schema/beans/spring-beans-3.1.xsd" />
 
 	<xs:element name="rest-template">
 		<xs:annotation>
@@ -528,7 +528,7 @@
 				Element for declaring and configuring an expression
 				handler for oauth
 				security expressions. See
-				http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html
+				https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
 			</xs:documentation>
 		</xs:annotation>
 		<xs:complexType>
@@ -545,7 +545,7 @@
 				handler for oauth
 				security expressions in http
 				intercept urls. See
-				http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html
+				https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
 			</xs:documentation>
 		</xs:annotation>
 		<xs:complexType>
diff --git a/spring-security-oauth2/src/main/resources/org/springframework/security/oauth2/spring-security-oauth2-2.0.xsd b/spring-security-oauth2/src/main/resources/org/springframework/security/oauth2/spring-security-oauth2-2.0.xsd
index 6612efbb4..015710c04 100644
--- a/spring-security-oauth2/src/main/resources/org/springframework/security/oauth2/spring-security-oauth2-2.0.xsd
+++ b/spring-security-oauth2/src/main/resources/org/springframework/security/oauth2/spring-security-oauth2-2.0.xsd
@@ -3,7 +3,7 @@
 	xmlns:beans="http://www.springframework.org/schema/beans" targetNamespace="http://www.springframework.org/schema/security/oauth2"
 	elementFormDefault="qualified" attributeFormDefault="unqualified">
 
-	<xs:import namespace="http://www.springframework.org/schema/beans" schemaLocation="http://www.springframework.org/schema/beans/spring-beans-3.1.xsd" />
+	<xs:import namespace="http://www.springframework.org/schema/beans" schemaLocation="https://www.springframework.org/schema/beans/spring-beans-3.1.xsd" />
 
 	<xs:element name="rest-template">
 		<xs:annotation>
@@ -593,7 +593,7 @@
 				Element for declaring and configuring an expression
 				handler for oauth
 				security expressions. See
-				http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html
+				https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
 			</xs:documentation>
 		</xs:annotation>
 		<xs:complexType>
@@ -610,7 +610,7 @@
 				handler for oauth
 				security expressions in http
 				intercept urls. See
-				http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html
+				https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
 			</xs:documentation>
 		</xs:annotation>
 		<xs:complexType>
diff --git a/spring-security-oauth2/src/test/java/org/company/oauth2/CustomAuthentication.java b/spring-security-oauth2/src/test/java/org/company/oauth2/CustomAuthentication.java
new file mode 100644
index 000000000..d974c5a8f
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/company/oauth2/CustomAuthentication.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.company.oauth2;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+
+public class CustomAuthentication extends AbstractAuthenticationToken  {
+
+    private static final long serialVersionUID = 1L;
+
+    private String principal;
+
+    public CustomAuthentication(String name, boolean authenticated) {
+        super(null);
+        setAuthenticated(authenticated);
+        this.principal = name;
+    }
+
+    public Object getCredentials() {
+        return null;
+    }
+
+    public Object getPrincipal() {
+        return this.principal;
+    }
+}
diff --git a/spring-security-oauth2/src/test/java/org/company/oauth2/CustomOAuth2AccessToken.java b/spring-security-oauth2/src/test/java/org/company/oauth2/CustomOAuth2AccessToken.java
new file mode 100644
index 000000000..06e6f678f
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/company/oauth2/CustomOAuth2AccessToken.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.company.oauth2;
+
+import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
+
+public class CustomOAuth2AccessToken extends DefaultOAuth2AccessToken {
+
+    public CustomOAuth2AccessToken(String value) {
+        super(value);
+    }
+}
diff --git a/spring-security-oauth2/src/test/java/org/company/oauth2/CustomOAuth2Authentication.java b/spring-security-oauth2/src/test/java/org/company/oauth2/CustomOAuth2Authentication.java
new file mode 100644
index 000000000..95f6cb897
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/company/oauth2/CustomOAuth2Authentication.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.company.oauth2;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.OAuth2Request;
+
+public class CustomOAuth2Authentication extends OAuth2Authentication {
+
+    public CustomOAuth2Authentication(
+            OAuth2Request storedRequest,
+            Authentication userAuthentication) {
+        super(storedRequest, userAuthentication);
+    }
+}
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/AdhocTestSuite.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/AdhocTestSuite.java
index 4838bace2..91b80aa64 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/AdhocTestSuite.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/AdhocTestSuite.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContextTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContextTests.java
new file mode 100644
index 000000000..9cfbfc2c6
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContextTests.java
@@ -0,0 +1,21 @@
+package org.springframework.security.oauth2.client;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+
+public class DefaultOAuth2ClientContextTests {
+
+    @Test
+    public void resetsState() {
+        DefaultOAuth2ClientContext clientContext = new DefaultOAuth2ClientContext();
+        clientContext.setPreservedState("state1", "some-state-1");
+        clientContext.setPreservedState("state2", "some-state-2");
+        clientContext.setPreservedState("state3", "some-state-3");
+        assertNull(clientContext.removePreservedState("state1"));
+        assertNull(clientContext.removePreservedState("state2"));
+        assertEquals("some-state-3", clientContext.removePreservedState("state3"));
+    }
+
+}
\ No newline at end of file
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2RequestAuthenticatorTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2RequestAuthenticatorTests.java
index eb0311ec1..6ca39d0ec 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2RequestAuthenticatorTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2RequestAuthenticatorTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/OAuth2RestTemplateTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/OAuth2RestTemplateTests.java
index 361f7b56f..1c419fde9 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/OAuth2RestTemplateTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/OAuth2RestTemplateTests.java
@@ -7,6 +7,7 @@
 import static org.junit.Assert.fail;
 
 import java.io.IOException;
+import java.lang.reflect.Field;
 import java.net.URI;
 import java.util.Collections;
 import java.util.Date;
@@ -27,10 +28,12 @@
 import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
 import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException;
 import org.springframework.security.oauth2.client.token.AccessTokenProvider;
+import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
 import org.springframework.security.oauth2.client.token.AccessTokenRequest;
 import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.OAuth2RefreshToken;
+import org.springframework.util.ReflectionUtils;
 import org.springframework.web.client.RequestCallback;
 import org.springframework.web.client.ResponseExtractor;
 import org.springframework.web.util.UriTemplate;
@@ -166,7 +169,7 @@ public ClientHttpRequest createRequest(URI uri, HttpMethod httpMethod) throws IO
 				throw new AccessTokenRequiredException(resource);
 			}
 		});
-		restTemplate.doExecute(new URI("http://foo/"), HttpMethod.GET, new NullRequestCallback(),
+		restTemplate.doExecute(new URI("https://foo/"), HttpMethod.GET, new NullRequestCallback(),
 				new SimpleResponseExtractor());
 	}
 
@@ -184,7 +187,7 @@ public ClientHttpRequest createRequest(URI uri, HttpMethod httpMethod) throws IO
 				return request;
 			}
 		});
-		Boolean result = restTemplate.doExecute(new URI("http://foo/"), HttpMethod.GET, new NullRequestCallback(),
+		Boolean result = restTemplate.doExecute(new URI("https://foo/"), HttpMethod.GET, new NullRequestCallback(),
 				new SimpleResponseExtractor());
 		assertTrue(result);
 	}
@@ -200,6 +203,86 @@ public void testNewTokenAcquiredIfExpired() throws Exception {
 		assertTrue(!token.equals(newToken));
 	}
 
+	// gh-1478
+	@Test
+	public void testNewTokenAcquiredWithDefaultClockSkew() {
+		DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken("TEST");
+		token.setExpiration(new Date(System.currentTimeMillis() + 29000));	// Default clock skew is 30 secs
+		restTemplate.getOAuth2ClientContext().setAccessToken(token);
+		restTemplate.setAccessTokenProvider(new StubAccessTokenProvider());
+		OAuth2AccessToken newToken = restTemplate.getAccessToken();
+		assertNotNull(newToken);
+		assertTrue(!token.equals(newToken));
+	}
+
+	// gh-1478
+	@Test
+	public void testNewTokenAcquiredIfLessThanConfiguredClockSkew() {
+		DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken("TEST");
+		token.setExpiration(new Date(System.currentTimeMillis() + 5000));
+		restTemplate.setClockSkew(6);
+		restTemplate.getOAuth2ClientContext().setAccessToken(token);
+		restTemplate.setAccessTokenProvider(new StubAccessTokenProvider());
+		OAuth2AccessToken newToken = restTemplate.getAccessToken();
+		assertNotNull(newToken);
+		assertTrue(!token.equals(newToken));
+	}
+
+	// gh-1478
+	@Test
+	public void testNewTokenNotAcquiredIfGreaterThanConfiguredClockSkew() {
+		DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken("TEST");
+		token.setExpiration(new Date(System.currentTimeMillis() + 5000));
+		restTemplate.setClockSkew(4);
+		restTemplate.getOAuth2ClientContext().setAccessToken(token);
+		restTemplate.setAccessTokenProvider(new StubAccessTokenProvider());
+		OAuth2AccessToken newToken = restTemplate.getAccessToken();
+		assertNotNull(newToken);
+		assertTrue(token.equals(newToken));
+	}
+
+	// gh-1478
+	@Test(expected = IllegalArgumentException.class)
+	public void testNegativeClockSkew() {
+		restTemplate.setClockSkew(-1);
+	}
+
+	// gh-1909
+	@Test
+	public void testClockSkewPropagationIntoAccessTokenProviderChain() {
+		AccessTokenProvider accessTokenProvider = new AccessTokenProviderChain(Collections.<AccessTokenProvider>emptyList());
+		restTemplate.setAccessTokenProvider(accessTokenProvider);
+		restTemplate.setClockSkew(5);
+		
+		Field field = ReflectionUtils.findField(accessTokenProvider.getClass(), "clockSkew");
+		field.setAccessible(true);
+
+		assertEquals(5, ReflectionUtils.getField(field, accessTokenProvider));
+	}
+
+	// gh-1909
+	@Test
+	public void testApplyClockSkewOnProvidedAccessTokenProviderChain() {
+		AccessTokenProvider accessTokenProvider = new AccessTokenProviderChain(Collections.<AccessTokenProvider>emptyList());
+		restTemplate.setClockSkew(5);
+		restTemplate.setAccessTokenProvider(accessTokenProvider);
+		
+		Field field = ReflectionUtils.findField(accessTokenProvider.getClass(), "clockSkew");
+		field.setAccessible(true);
+
+		assertEquals(5, ReflectionUtils.getField(field, accessTokenProvider));
+	}
+
+	// gh-1909
+	@Test
+	public void testClockSkewPropagationSkippedForNonAccessTokenProviderChainInstances() {
+		restTemplate.setClockSkew(5);
+		restTemplate.setAccessTokenProvider(null);
+		restTemplate.setClockSkew(5);
+		restTemplate.setAccessTokenProvider(new StubAccessTokenProvider());
+		restTemplate.setClockSkew(5);
+	}
+
 	@Test
 	public void testTokenIsResetIfInvalid() throws Exception {
 		DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken("TEST");
@@ -209,7 +292,7 @@ public void testTokenIsResetIfInvalid() throws Exception {
 			@Override
 			public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails details,
 					AccessTokenRequest parameters) throws UserRedirectRequiredException, AccessDeniedException {
-				throw new UserRedirectRequiredException("http://foo.com/", Collections.<String, String> emptyMap());
+				throw new UserRedirectRequiredException("https://www.foo.com/", Collections.<String, String> emptyMap());
 			}
 		});
 		try {
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/discovery/ProviderDiscoveryClientTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/discovery/ProviderDiscoveryClientTest.java
index c3c8603ab..4a8b89e54 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/discovery/ProviderDiscoveryClientTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/discovery/ProviderDiscoveryClientTest.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/filter/OAuth2ClientAuthenticationProcessingFilterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/filter/OAuth2ClientAuthenticationProcessingFilterTests.java
index 1b84f709d..b37e46f43 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/filter/OAuth2ClientAuthenticationProcessingFilterTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/filter/OAuth2ClientAuthenticationProcessingFilterTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/filter/OAuth2ClientContextFilterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/filter/OAuth2ClientContextFilterTests.java
index d0938781a..111fa66aa 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/filter/OAuth2ClientContextFilterTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/filter/OAuth2ClientContextFilterTests.java
@@ -21,7 +21,7 @@ public class OAuth2ClientContextFilterTests {
 
 	@Test
 	public void testVanillaRedirectUri() throws Exception {
-		String redirect = "http://example.com/authorize";
+		String redirect = "https://example.com/authorize";
 		Map<String, String> params = new LinkedHashMap<String, String>();
 		params.put("foo", "bar");
 		params.put("scope", "spam");
@@ -30,7 +30,7 @@ public void testVanillaRedirectUri() throws Exception {
 
 	@Test
 	public void testTwoScopesRedirectUri() throws Exception {
-		String redirect = "http://example.com/authorize";
+		String redirect = "https://example.com/authorize";
 		Map<String, String> params = new LinkedHashMap<String, String>();
 		params.put("foo", "bar");
 		params.put("scope", "spam scope2");
@@ -39,15 +39,15 @@ public void testTwoScopesRedirectUri() throws Exception {
 
 	@Test
 	public void testRedirectUriWithUrlInParams() throws Exception {
-		String redirect = "http://example.com/authorize";
+		String redirect = "https://example.com/authorize";
 		Map<String, String> params = Collections.singletonMap("redirect",
-				"http://foo/bar");
-		testRedirectUri(redirect, params, redirect + "?redirect=http://foo/bar");
+				"https://foo/bar");
+		testRedirectUri(redirect, params, redirect + "?redirect=https://foo/bar");
 	}
 
 	@Test
 	public void testRedirectUriWithQuery() throws Exception {
-		String redirect = "http://example.com/authorize?foo=bar";
+		String redirect = "https://example.com/authorize?foo=bar";
 		Map<String, String> params = Collections.singletonMap("spam",
 				"bucket");
 		testRedirectUri(redirect, params, redirect + "&spam=bucket");
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/http/OAuth2ErrorHandlerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/http/OAuth2ErrorHandlerTests.java
index 4cd63d393..4f42c5dbf 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/http/OAuth2ErrorHandlerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/http/OAuth2ErrorHandlerTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChainTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChainTests.java
index 9c5847b96..8848ecf0b 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChainTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChainTests.java
@@ -1,10 +1,10 @@
 /*
- * Copyright 2006-2011 the original author or authors.
+ * Copyright 2006-2021 the original author or authors.
  * 
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -145,7 +145,7 @@ public void testSunnyDayWithExpiredTokenAndTokenServices() throws Exception {
 	}
 
 	@Test
-	public void testSunnyDayWIthExpiredTokenAndValidRefreshToken() throws Exception {
+	public void testSunnyDayWithExpiredTokenAndValidRefreshToken() throws Exception {
 		AccessTokenProviderChain chain = new AccessTokenProviderChain(Arrays.asList(new StubAccessTokenProvider()));
 		accessToken.setExpiration(new Date(System.currentTimeMillis() - 1000));
 		accessToken.setRefreshToken(new DefaultOAuth2RefreshToken("EXP"));
@@ -154,10 +154,37 @@ public void testSunnyDayWIthExpiredTokenAndValidRefreshToken() throws Exception
 		SecurityContextHolder.getContext().setAuthentication(user);
 		OAuth2AccessToken token = chain.obtainAccessToken(resource, request);
 		assertNotNull(token);
+		assertEquals(refreshedToken, token);
+	}
+
+	@Test
+	public void testSunnyDayWithTokenWithinClockSkewWindowAndValidRefreshToken() throws Exception {
+		AccessTokenProviderChain chain = new AccessTokenProviderChain(Arrays.asList(new StubAccessTokenProvider()));
+		accessToken.setExpiration(new Date(System.currentTimeMillis() + 1000));
+		accessToken.setRefreshToken(new DefaultOAuth2RefreshToken("EXP"));
+		AccessTokenRequest request = new DefaultAccessTokenRequest();
+		request.setExistingToken(accessToken);
+		SecurityContextHolder.getContext().setAuthentication(user);
+		OAuth2AccessToken token = chain.obtainAccessToken(resource, request);
+		assertNotNull(token);
+		assertEquals(refreshedToken, token);
+	}
+
+	@Test
+	public void testSunnyDayWithTokenOutsideClockSkewWindowAndValidRefreshToken() throws Exception {
+		AccessTokenProviderChain chain = new AccessTokenProviderChain(Arrays.asList(new StubAccessTokenProvider()));
+		accessToken.setExpiration(new Date(System.currentTimeMillis() + 31000));
+		accessToken.setRefreshToken(new DefaultOAuth2RefreshToken("EXP"));
+		AccessTokenRequest request = new DefaultAccessTokenRequest();
+		request.setExistingToken(accessToken);
+		SecurityContextHolder.getContext().setAuthentication(user);
+		OAuth2AccessToken token = chain.obtainAccessToken(resource, request);
+		assertNotNull(token);
+		assertEquals(accessToken, token);
 	}
 
 	@Test(expected = InvalidTokenException.class)
-	public void testSunnyDayWIthExpiredTokenAndExpiredRefreshToken() throws Exception {
+	public void testSunnyDayWithExpiredTokenAndExpiredRefreshToken() throws Exception {
 		AccessTokenProviderChain chain = new AccessTokenProviderChain(Arrays.asList(new StubAccessTokenProvider()));
 		accessToken.setExpiration(new Date(System.currentTimeMillis() - 1000));
 		DefaultOAuth2RefreshToken refreshToken = new DefaultExpiringOAuth2RefreshToken("EXP",
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServicesTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServicesTests.java
index b3548aee5..2195f326a 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServicesTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServicesTests.java
@@ -1,10 +1,10 @@
 package org.springframework.security.oauth2.client.token;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 
+import org.company.oauth2.CustomOAuth2AccessToken;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -15,10 +15,15 @@
 import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
 import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.util.SerializationStrategy;
+import org.springframework.security.oauth2.common.util.SerializationUtils;
+import org.springframework.security.oauth2.common.util.WhitelistedSerializationStrategy;
+
+import static org.junit.Assert.*;
 
 /**
  * @author Dave Syer
- * 
+ * @author Artem Smotrakov
  */
 public class JdbcClientTokenServicesTests {
 
@@ -79,4 +84,58 @@ public void testSaveAndRemoveToken() throws Exception {
 		assertNull(result);
 	}
 
+	@Test
+	public void testSaveAndRetrieveCustomToken() {
+		OAuth2AccessToken accessToken = new CustomOAuth2AccessToken("FOO");
+		Authentication authentication = new UsernamePasswordAuthenticationToken("marissa", "koala");
+		AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails();
+		resource.setClientId("client");
+		resource.setScope(Arrays.asList("foo", "bar"));
+		tokenStore.saveAccessToken(resource, authentication, accessToken);
+		OAuth2AccessToken result = tokenStore.getAccessToken(resource, authentication);
+		assertNotNull(result);
+		assertEquals(accessToken, result);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void testSaveAndRetrieveNotAllowedCustomToken() {
+		OAuth2AccessToken accessToken = new CustomOAuth2AccessToken("FOO");
+		Authentication authentication = new UsernamePasswordAuthenticationToken("marissa", "koala");
+		AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails();
+		resource.setClientId("client");
+		resource.setScope(Arrays.asList("foo", "bar"));
+		WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy();
+		SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy();
+		try {
+			SerializationUtils.setSerializationStrategy(newStrategy);
+			tokenStore.saveAccessToken(resource, authentication, accessToken);
+			tokenStore.getAccessToken(resource, authentication);
+		} finally {
+			SerializationUtils.setSerializationStrategy(oldStrategy);
+		}
+	}
+
+	@Test
+	public void testSaveAndRetrieveCustomTokenWithCustomSerializationStrategy() {
+		List<String> allowedClasses = new ArrayList<String>();
+		allowedClasses.add("java.util.");
+		allowedClasses.add("org.springframework.security.");
+		allowedClasses.add("org.company.oauth2.CustomOAuth2AccessToken");
+		WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy(allowedClasses);
+		SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy();
+		try {
+			SerializationUtils.setSerializationStrategy(newStrategy);
+			OAuth2AccessToken accessToken = new CustomOAuth2AccessToken("FOO");
+			Authentication authentication = new UsernamePasswordAuthenticationToken("marissa", "koala");
+			AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails();
+			resource.setClientId("client");
+			resource.setScope(Arrays.asList("foo", "bar"));
+			tokenStore.saveAccessToken(resource, authentication, accessToken);
+			OAuth2AccessToken result = tokenStore.getAccessToken(resource, authentication);
+			assertNotNull(result);
+			assertEquals(accessToken, result);
+		} finally {
+			SerializationUtils.setSerializationStrategy(oldStrategy);
+		}
+	}
 }
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupportTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupportTests.java
index 783df39e0..c5a0c66af 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupportTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupportTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -16,8 +16,6 @@
 
 package org.springframework.security.oauth2.client.token;
 
-import static org.junit.Assert.assertEquals;
-
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -26,9 +24,10 @@
 import java.net.URI;
 import java.util.Arrays;
 
-import org.codehaus.jackson.map.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.Before;
 import org.junit.Test;
+
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
@@ -45,6 +44,8 @@
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 
+import static org.junit.Assert.assertEquals;
+
 /**
  * @author Dave Syer
  * 
@@ -73,7 +74,7 @@ public class OAuth2AccessTokenSupportTests {
 	public void init() throws Exception {
 		resource.setClientId("client");
 		resource.setClientSecret("secret");
-		resource.setAccessTokenUri("http://nowhere/token");
+		resource.setAccessTokenUri("https://nowhere/token");
 		response = new StubHttpClientResponse();
 		support.setRequestFactory(new ClientHttpRequestFactory() {
 			public ClientHttpRequest createRequest(URI uri, HttpMethod httpMethod) throws IOException {
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProviderTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProviderTests.java
index deeacc458..26ac35ae3 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProviderTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -99,12 +99,12 @@ public void testGetAccessTokenRequest() throws Exception {
 		request.setStateKey("bar");
 		request.setPreservedState(new Object());
 		resource.setAccessTokenUri("http://localhost/oauth/token");
-		resource.setPreEstablishedRedirectUri("http://anywhere.com/");
+		resource.setPreEstablishedRedirectUri("https://anywhere.com/");
 		assertEquals("FOO", provider.obtainAccessToken(resource, request).getValue());
 		// System.err.println(params);
 		assertEquals("authorization_code", params.getFirst("grant_type"));
 		assertEquals("foo", params.getFirst("code"));
-		assertEquals("http://anywhere.com/", params.getFirst("redirect_uri"));
+		assertEquals("https://anywhere.com/", params.getFirst("redirect_uri"));
 		// State is not set in token request
 		assertEquals(null, params.getFirst("state"));
 	}
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProviderWithConversionTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProviderWithConversionTests.java
index bf09ee61e..61a645551 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProviderWithConversionTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProviderWithConversionTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -12,9 +12,6 @@
  */
 package org.springframework.security.oauth2.client.token.grant.code;
 
-import static org.hamcrest.CoreMatchers.instanceOf;
-import static org.junit.Assert.assertEquals;
-
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -23,13 +20,14 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 
-import org.codehaus.jackson.map.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.hamcrest.Description;
 import org.hamcrest.Matcher;
 import org.hamcrest.TypeSafeMatcher;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
+
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
@@ -44,6 +42,9 @@
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 
+import static org.hamcrest.CoreMatchers.instanceOf;
+import static org.junit.Assert.assertEquals;
+
 /**
  * @author Dave Syer
  * 
@@ -92,7 +93,7 @@ public HttpHeaders getHeaders() {
 
 		public URI getURI() {
 			try {
-				return new URI("http://foo.com/");
+				return new URI("https://www.foo.com/");
 			}
 			catch (URISyntaxException e) {
 				throw new IllegalStateException(e);
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeResourceDetailsTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeResourceDetailsTests.java
index 6bde16be9..cc17ff426 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeResourceDetailsTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeResourceDetailsTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -29,19 +29,19 @@ public class AuthorizationCodeResourceDetailsTests {
 
 	@Test
 	public void testGetDefaultRedirectUri() {
-		details.setPreEstablishedRedirectUri("http://anywhere.com/");
+		details.setPreEstablishedRedirectUri("https://anywhere.com/");
 		DefaultAccessTokenRequest request = new DefaultAccessTokenRequest();
-		request.setCurrentUri("http://nowhere.com/");
-		assertEquals("http://nowhere.com/", details.getRedirectUri(request));
+		request.setCurrentUri("https://nowhere.com/");
+		assertEquals("https://nowhere.com/", details.getRedirectUri(request));
 	}
 
 	@Test
 	public void testGetOverrideRedirectUri() {
-		details.setPreEstablishedRedirectUri("http://anywhere.com/");
+		details.setPreEstablishedRedirectUri("https://anywhere.com/");
 		details.setUseCurrentUri(false);
 		DefaultAccessTokenRequest request = new DefaultAccessTokenRequest();
-		request.setCurrentUri("http://nowhere.com/");
-		assertEquals("http://anywhere.com/", details.getRedirectUri(request));
+		request.setCurrentUri("https://nowhere.com/");
+		assertEquals("https://anywhere.com/", details.getRedirectUri(request));
 	}
 
 }
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitAccessTokenProviderTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitAccessTokenProviderTests.java
index a23b32aae..b6d3c7dfd 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitAccessTokenProviderTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitAccessTokenProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -59,11 +59,11 @@ public void testGetAccessTokenRequest() throws Exception {
 		AccessTokenRequest request = new DefaultAccessTokenRequest();
 		resource.setClientId("foo");
 		resource.setAccessTokenUri("http://localhost/oauth/authorize");
-		resource.setPreEstablishedRedirectUri("http://anywhere.com/");
+		resource.setPreEstablishedRedirectUri("https://anywhere.com/");
 		assertEquals("FOO", provider.obtainAccessToken(resource, request).getValue());
 		assertEquals("foo", params.getFirst("client_id"));
 		assertEquals("token", params.getFirst("response_type"));
-		assertEquals("http://anywhere.com/", params.getFirst("redirect_uri"));
+		assertEquals("https://anywhere.com/", params.getFirst("redirect_uri"));
 	}
 
 }
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordAccessTokenProviderTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordAccessTokenProviderTests.java
index e6499ef6e..72df46099 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordAccessTokenProviderTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordAccessTokenProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/BaseOAuth2AccessTokenJacksonTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/BaseOAuth2AccessTokenJacksonTest.java
index 752a250fb..175d1150d 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/BaseOAuth2AccessTokenJacksonTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/BaseOAuth2AccessTokenJacksonTest.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -55,6 +55,8 @@ abstract class BaseOAuth2AccessTokenJacksonTest {
 
 	protected static final String ACCESS_TOKEN_ADDITIONAL_INFO = "{\"access_token\":\"token-value\",\"token_type\":\"bearer\",\"one\":\"two\",\"three\":4,\"five\":{\"six\":7}}";
 
+	protected static final String ACCESS_TOKEN_ZERO_EXPIRES = "{\"access_token\":\"token-value\",\"token_type\":\"bearer\",\"expires_in\":0}";
+
 	@Rule
 	public ExpectedException thrown = ExpectedException.none();
 
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/DefaultOAuth2SerializationServiceTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/DefaultOAuth2SerializationServiceTests.java
index da50f0930..9ab676c68 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/DefaultOAuth2SerializationServiceTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/DefaultOAuth2SerializationServiceTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/JsonSerializationTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/JsonSerializationTests.java
index 9c50fc5ce..c51fcc367 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/JsonSerializationTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/JsonSerializationTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -16,16 +16,17 @@
 
 package org.springframework.security.oauth2.common;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
 import java.util.Date;
 
-import org.codehaus.jackson.map.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.Test;
+
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
 /**
  * @author Dave Syer
  * 
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1DeserializerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1DeserializerTests.java
deleted file mode 100644
index 7d5ca3fc4..000000000
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1DeserializerTests.java
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * Copyright 2011 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
- * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-package org.springframework.security.oauth2.common;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-
-import java.io.IOException;
-import java.util.Date;
-import java.util.HashSet;
-
-import org.codehaus.jackson.JsonGenerationException;
-import org.codehaus.jackson.map.JsonMappingException;
-import org.codehaus.jackson.map.ObjectMapper;
-import org.junit.Before;
-import org.junit.Test;
-import org.powermock.core.classloader.annotations.PrepareForTest;
-
-/**
- * Tests deserialization of an {@link OAuth2AccessToken} using jackson.
- *
- * @author Rob Winch
- */
-@PrepareForTest(OAuth2AccessTokenJackson1Deserializer.class)
-public class OAuth2AccessTokenJackson1DeserializerTests extends BaseOAuth2AccessTokenJacksonTest {
-
-    protected ObjectMapper mapper;
-
-    @Before
-    public void createObjectMapper() {
-        mapper = new ObjectMapper();
-    }
-
-	@Test
-	public void readValueNoRefresh() throws JsonGenerationException, JsonMappingException, IOException {
-		accessToken.setRefreshToken(null);
-		accessToken.setScope(null);
-		OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_NOREFRESH, OAuth2AccessToken.class);
-		assertTokenEquals(accessToken,actual);
-	}
-
-	@Test
-	public void readValueWithRefresh() throws JsonGenerationException, JsonMappingException, IOException {
-		accessToken.setScope(null);
-		OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_NOSCOPE, OAuth2AccessToken.class);
-		assertTokenEquals(accessToken,actual);
-	}
-
-	@Test
-	public void readValueWithSingleScopes() throws JsonGenerationException, JsonMappingException, IOException {
-		accessToken.getScope().remove(accessToken.getScope().iterator().next());
-		OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_SINGLESCOPE, OAuth2AccessToken.class);
-		assertTokenEquals(accessToken,actual);
-	}
-
-	@Test
-	public void readValueWithEmptyStringScope() throws JsonGenerationException, JsonMappingException, IOException {
-		accessToken.setScope(new HashSet<String>());
-		OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_EMPTYSCOPE, OAuth2AccessToken.class);
-		assertTokenEquals(accessToken, actual);
-	}
-
-	@Test
-	public void readValueWithBrokenExpiresIn() throws JsonGenerationException, JsonMappingException, IOException {
-		accessToken.setScope(new HashSet<String>());
-		OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_BROKENEXPIRES, OAuth2AccessToken.class);
-		assertTokenEquals(accessToken, actual);
-	}
-
-	@Test
-	public void readValueWithMultiScopes() throws Exception {
-		OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_MULTISCOPE, OAuth2AccessToken.class);
-		assertTokenEquals(accessToken,actual);
-	}
-
-	@Test
-	public void readValueWithMac() throws Exception {
-		accessToken.setTokenType("mac");
-		String encodedToken = ACCESS_TOKEN_MULTISCOPE.replace("bearer", accessToken.getTokenType());
-		OAuth2AccessToken actual = mapper.readValue(encodedToken, OAuth2AccessToken.class);
-		assertTokenEquals(accessToken,actual);
-	}
-
-	@Test
-	public void readValueWithAdditionalInformation() throws Exception {
-		OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_ADDITIONAL_INFO, OAuth2AccessToken.class);
-		accessToken.setAdditionalInformation(additionalInformation);
-		accessToken.setRefreshToken(null);
-		accessToken.setScope(null);
-		accessToken.setExpiration(null);
-		assertTokenEquals(accessToken,actual);
-	}
-
-	private static void assertTokenEquals(OAuth2AccessToken expected, OAuth2AccessToken actual) {
-		assertEquals(expected.getTokenType(), actual.getTokenType());
-		assertEquals(expected.getValue(), actual.getValue());
-
-		OAuth2RefreshToken expectedRefreshToken = expected.getRefreshToken();
-		if (expectedRefreshToken == null) {
-			assertNull(actual.getRefreshToken());
-		}
-		else {
-			assertEquals(expectedRefreshToken.getValue(), actual.getRefreshToken().getValue());
-		}
-		assertEquals(expected.getScope(), actual.getScope());
-		Date expectedExpiration = expected.getExpiration();
-		if (expectedExpiration == null) {
-			assertNull(actual.getExpiration());
-		}
-		else {
-			assertEquals(expectedExpiration.getTime(), actual.getExpiration().getTime());
-		}
-		assertEquals(expected.getAdditionalInformation(), actual.getAdditionalInformation());
-	}
-}
\ No newline at end of file
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1SerializerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1SerializerTests.java
deleted file mode 100644
index 609c2fa3c..000000000
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1SerializerTests.java
+++ /dev/null
@@ -1,118 +0,0 @@
-package org.springframework.security.oauth2.common;
-
-import static org.junit.Assert.assertEquals;
-
-import java.io.IOException;
-
-import org.codehaus.jackson.JsonGenerationException;
-import org.codehaus.jackson.map.JsonMappingException;
-import org.codehaus.jackson.map.ObjectMapper;
-import org.junit.Before;
-import org.junit.Test;
-import org.powermock.core.classloader.annotations.PrepareForTest;
-
-/**
- * Tests serialization of an {@link OAuth2AccessToken} using jackson.
- * 
- * @author Rob Winch
- */
-@PrepareForTest(OAuth2AccessTokenJackson1Serializer.class)
-public class OAuth2AccessTokenJackson1SerializerTests extends BaseOAuth2AccessTokenJacksonTest {
-
-    protected ObjectMapper mapper;
-
-    @Before
-    public void createObjectMapper() {
-        mapper = new ObjectMapper();
-    }
-
-	@Test
-	public void writeValueAsStringNoRefresh() throws JsonGenerationException, JsonMappingException, IOException {
-		accessToken.setRefreshToken(null);
-		accessToken.setScope(null);
-		String encodedAccessToken = mapper.writeValueAsString(accessToken);
-		assertEquals(BaseOAuth2AccessTokenJacksonTest.ACCESS_TOKEN_NOREFRESH, encodedAccessToken);
-	}
-
-	@Test
-	public void writeValueAsStringWithRefresh() throws JsonGenerationException, JsonMappingException, IOException {
-		accessToken.setScope(null);
-		String encodedAccessToken = mapper.writeValueAsString(accessToken);
-		assertEquals(BaseOAuth2AccessTokenJacksonTest.ACCESS_TOKEN_NOSCOPE, encodedAccessToken);
-	}
-
-	@Test
-	public void writeValueAsStringWithEmptyScope() throws JsonGenerationException, JsonMappingException, IOException {
-		accessToken.getScope().clear();
-		String encodedAccessToken = mapper.writeValueAsString(accessToken);
-		assertEquals(BaseOAuth2AccessTokenJacksonTest.ACCESS_TOKEN_NOSCOPE, encodedAccessToken);
-	}
-
-	@Test
-	public void writeValueAsStringWithSingleScopes() throws JsonGenerationException, JsonMappingException, IOException {
-		accessToken.getScope().remove(accessToken.getScope().iterator().next());
-		String encodedAccessToken = mapper.writeValueAsString(accessToken);
-		assertEquals(BaseOAuth2AccessTokenJacksonTest.ACCESS_TOKEN_SINGLESCOPE, encodedAccessToken);
-	}
-
-	@Test
-	public void writeValueAsStringWithNullScope() throws JsonGenerationException, JsonMappingException, IOException {
-		thrown.expect(JsonMappingException.class);
-		thrown.expectMessage("Scopes cannot be null or empty. Got [null]");
-
-		accessToken.getScope().clear();
-		try {
-			accessToken.getScope().add(null);
-		}
-		catch (NullPointerException e) {
-			// short circuit NPE from Java 7 (which is correct but only relevant for this test)
-			throw new JsonMappingException("Scopes cannot be null or empty. Got [null]");
-		}
-		mapper.writeValueAsString(accessToken);
-	}
-
-	@Test
-	public void writeValueAsStringWithEmptyStringScope() throws JsonGenerationException, JsonMappingException,
-			IOException {
-		thrown.expect(JsonMappingException.class);
-		thrown.expectMessage("Scopes cannot be null or empty. Got []");
-
-		accessToken.getScope().clear();
-		accessToken.getScope().add("");
-		mapper.writeValueAsString(accessToken);
-	}
-
-	@Test
-	public void writeValueAsStringWithQuoteInScope() throws JsonGenerationException, JsonMappingException, IOException {
-		accessToken.getScope().add("\"");
-		String encodedAccessToken = mapper.writeValueAsString(accessToken);
-		assertEquals(
-				"{\"access_token\":\"token-value\",\"token_type\":\"bearer\",\"refresh_token\":\"refresh-value\",\"expires_in\":10,\"scope\":\"\\\" read write\"}",
-				encodedAccessToken);
-	}
-
-	@Test
-	public void writeValueAsStringWithMultiScopes() throws JsonGenerationException, JsonMappingException, IOException {
-		String encodedAccessToken = mapper.writeValueAsString(accessToken);
-		assertEquals(ACCESS_TOKEN_MULTISCOPE, encodedAccessToken);
-	}
-
-	@Test
-	public void writeValueAsStringWithMac() throws Exception {
-		accessToken.setTokenType("mac");
-		String expectedEncodedAccessToken = ACCESS_TOKEN_MULTISCOPE.replace("bearer", accessToken.getTokenType());
-		String encodedAccessToken = mapper.writeValueAsString(accessToken);
-		assertEquals(expectedEncodedAccessToken, encodedAccessToken);
-	}
-
-	@Test
-	public void writeValueWithAdditionalInformation() throws JsonGenerationException, JsonMappingException, IOException {
-		accessToken.setRefreshToken(null);
-		accessToken.setScope(null);
-		accessToken.setExpiration(null);
-		accessToken.setAdditionalInformation(additionalInformation);
-		String encodedAccessToken = mapper.writeValueAsString(accessToken);
-		assertEquals(BaseOAuth2AccessTokenJacksonTest.ACCESS_TOKEN_ADDITIONAL_INFO, encodedAccessToken);
-	}
-
-}
\ No newline at end of file
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2DeserializerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2DeserializerTests.java
index 937d895b3..b91503d47 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2DeserializerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2DeserializerTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -25,6 +25,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertFalse;
 
 /**
  * Tests deserialization of an {@link org.springframework.security.oauth2.common.OAuth2AccessToken} using jackson.
@@ -107,6 +108,12 @@ public void readValueWithAdditionalInformation() throws Exception {
 		assertTokenEquals(accessToken,actual);
 	}
 
+    @Test
+    public void readValueWithZeroExpiresAsNotExpired() throws Exception {
+        OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_ZERO_EXPIRES, OAuth2AccessToken.class);
+        assertFalse("Token with expires_in:0 must be treated as not expired.", actual.isExpired());
+    }
+
 	private static void assertTokenEquals(OAuth2AccessToken expected, OAuth2AccessToken actual) {
 		assertEquals(expected.getTokenType(), actual.getTokenType());
 		assertEquals(expected.getValue(), actual.getValue());
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionDeserializerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionDeserializerTests.java
index 9e4f4c242..5fe77127e 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionDeserializerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionDeserializerTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -12,12 +12,23 @@
  */
 package org.springframework.security.oauth2.common.exception;
 
-import static org.junit.Assert.assertEquals;
-
-import org.codehaus.jackson.map.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.BeforeClass;
 import org.junit.Test;
-import org.springframework.security.oauth2.common.exceptions.*;
+
+import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
+import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
+import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
+import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
+import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
+import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
+import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
+import org.springframework.security.oauth2.common.exceptions.UnauthorizedClientException;
+import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException;
+import org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException;
+
+import static org.junit.Assert.assertEquals;
 
 /**
  *
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionJackson2DeserializerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionJackson2DeserializerTests.java
index bb872494e..3e14b01fa 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionJackson2DeserializerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionJackson2DeserializerTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionSerializerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionSerializerTests.java
index bae47cba3..59ed4f755 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionSerializerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionSerializerTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -12,13 +12,23 @@
  */
 package org.springframework.security.oauth2.common.exception;
 
-import static org.junit.Assert.assertEquals;
-
-import org.codehaus.jackson.map.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.After;
 import org.junit.BeforeClass;
 import org.junit.Test;
-import org.springframework.security.oauth2.common.exceptions.*;
+
+import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
+import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
+import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
+import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
+import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
+import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
+import org.springframework.security.oauth2.common.exceptions.UnauthorizedClientException;
+import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException;
+import org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException;
+
+import static org.junit.Assert.assertEquals;
 
 /**
  *
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/CustomSerializationStrategyTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/CustomSerializationStrategyTests.java
new file mode 100644
index 000000000..cbe70acc6
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/CustomSerializationStrategyTests.java
@@ -0,0 +1,103 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.common.util;
+
+
+import org.company.oauth2.CustomAuthentication;
+import org.company.oauth2.CustomOAuth2AccessToken;
+import org.company.oauth2.CustomOAuth2Authentication;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.powermock.core.classloader.annotations.PrepareForTest;
+import org.powermock.modules.junit4.PowerMockRunner;
+import org.springframework.core.io.support.SpringFactoriesLoader;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
+import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.RequestTokenFactory;
+
+import java.io.Serializable;
+import java.util.*;
+
+import static org.junit.Assert.*;
+import static org.powermock.api.mockito.PowerMockito.spy;
+import static org.powermock.api.mockito.PowerMockito.when;
+
+@RunWith(PowerMockRunner.class)
+@PrepareForTest({ SpringFactoriesLoader.class })
+public class CustomSerializationStrategyTests {
+
+    @Test
+    public void loadCustomSerializationStrategy() {
+        spy(SpringFactoriesLoader.class);
+        when(SpringFactoriesLoader
+                .loadFactories(SerializationStrategy.class, SerializationUtils.class.getClassLoader()))
+                .thenReturn(Arrays.<SerializationStrategy>asList(new CustomSerializationStrategy()));
+
+        deserialize(new DefaultOAuth2AccessToken("access-token-" + UUID.randomUUID()));
+
+        deserialize(new OAuth2Authentication(
+                new OAuth2Request(Collections.<String, String>emptyMap(), "clientId", Collections.<GrantedAuthority>emptyList(),
+                        false, Collections.<String>emptySet(),
+                        new HashSet<String>(Arrays.asList("resourceId-1", "resourceId-2")), "redirectUri",
+                        Collections.<String>emptySet(), Collections.<String, Serializable>emptyMap()),
+                new UsernamePasswordAuthenticationToken("test", "N/A")));
+
+        deserialize(new DefaultExpiringOAuth2RefreshToken(
+                "access-token-" + UUID.randomUUID(), new Date()));
+
+        deserialize("xyz");
+        deserialize(new HashMap<String, String>());
+
+        deserialize(new CustomOAuth2AccessToken("xyz"));
+
+        deserialize(
+                new CustomOAuth2Authentication(
+                        RequestTokenFactory.createOAuth2Request("id", false),
+                        new CustomAuthentication("test", false)));
+    }
+
+    private void deserialize(Object object) {
+        byte[] bytes = SerializationUtils.serialize(object);
+        assertNotNull(bytes);
+        assertTrue(bytes.length > 0);
+
+        Object clone = SerializationUtils.deserialize(bytes);
+        assertNotNull(clone);
+        assertEquals(object, clone);
+    }
+
+    private static class CustomSerializationStrategy extends WhitelistedSerializationStrategy {
+
+        private static final List<String> ALLOWED_CLASSES = new ArrayList<String>();
+        static {
+            ALLOWED_CLASSES.add("java.lang.");
+            ALLOWED_CLASSES.add("java.util.");
+            ALLOWED_CLASSES.add("org.springframework.security.");
+            ALLOWED_CLASSES.add("org.company.oauth2.");
+        }
+
+        CustomSerializationStrategy() {
+            super(ALLOWED_CLASSES);
+        }
+
+    }
+
+}
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/RandomValueStringGeneratorTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/RandomValueStringGeneratorTests.java
new file mode 100644
index 000000000..7f4d8bab5
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/RandomValueStringGeneratorTests.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2012-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.common.util;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import java.security.SecureRandom;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+/**
+ * Tests for {@link RandomValueStringGenerator}
+ *
+ * @author Josh Kerr
+ */
+public class RandomValueStringGeneratorTests {
+
+    private RandomValueStringGenerator generator;
+
+    @Before
+    public void setup() {
+        generator = new RandomValueStringGenerator();
+    }
+
+    @Test
+    public void generate() {
+        String value = generator.generate();
+        assertNotNull(value);
+        assertEquals("Authorization code is not correct size", 6, value.length());
+    }
+
+    @Test
+    public void generate_LargeLengthOnConstructor() {
+        generator = new RandomValueStringGenerator(1024);
+        String value = generator.generate();
+        assertNotNull(value);
+        assertEquals("Authorization code is not correct size", 1024, value.length());
+    }
+
+    @Test
+    public void getAuthorizationCodeString() {
+        byte[] bytes = new byte[10];
+        new SecureRandom().nextBytes(bytes);
+        String value = generator.getAuthorizationCodeString(bytes);
+        assertNotNull(value);
+        assertEquals("Authorization code is not correct size", 10, value.length());
+    }
+
+    @Test
+    public void setLength() {
+        generator.setLength(12);
+        String value = generator.generate();
+        assertEquals("Authorization code is not correct size", 12, value.length());
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void setLength_NonPositiveNumber() {
+        generator.setLength(-1);
+        generator.generate();
+    }
+}
\ No newline at end of file
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/SerializationUtilsTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/SerializationUtilsTests.java
new file mode 100644
index 000000000..fd73714f4
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/SerializationUtilsTests.java
@@ -0,0 +1,96 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.common.util;
+
+import org.company.oauth2.CustomOAuth2AccessToken;
+import org.junit.Test;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
+import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.OAuth2Request;
+
+import java.io.Serializable;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.UUID;
+
+import static org.junit.Assert.*;
+
+/**
+ * @author Artem Smotrakov
+ */
+public class SerializationUtilsTests {
+
+    @Test
+    public void deserializeAllowedClasses() {
+        deserializeAllowedClasses(new DefaultOAuth2AccessToken("access-token-" + UUID.randomUUID()));
+
+        deserializeAllowedClasses(new OAuth2Authentication(
+                new OAuth2Request(Collections.<String, String>emptyMap(), "clientId", Collections.<GrantedAuthority>emptyList(),
+                        false, Collections.<String>emptySet(),
+                        new HashSet<String>(Arrays.asList("resourceId-1", "resourceId-2")), "redirectUri",
+                        Collections.<String>emptySet(), Collections.<String, Serializable>emptyMap()),
+                new UsernamePasswordAuthenticationToken("test", "N/A")));
+
+        deserializeAllowedClasses(new DefaultExpiringOAuth2RefreshToken(
+                "access-token-" + UUID.randomUUID(), new Date()));
+
+        deserializeAllowedClasses("xyz");
+        deserializeAllowedClasses(new HashMap<String, String>());
+    }
+
+    private void deserializeAllowedClasses(Object object) {
+        byte[] bytes = SerializationUtils.serialize(object);
+        assertNotNull(bytes);
+        assertTrue(bytes.length > 0);
+
+        Object clone = SerializationUtils.deserialize(bytes);
+        assertNotNull(clone);
+        assertEquals(object, clone);
+    }
+
+    @Test
+    public void deserializeCustomClasses() {
+        OAuth2AccessToken accessToken = new CustomOAuth2AccessToken("FOO");
+        byte[] bytes = SerializationUtils.serialize(accessToken);
+        OAuth2AccessToken clone = SerializationUtils.deserialize(bytes);
+        assertNotNull(clone);
+        assertEquals(accessToken, clone);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void deserializeNotAllowedCustomClasses() {
+        OAuth2AccessToken accessToken = new CustomOAuth2AccessToken("FOO");
+        WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy();
+        SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy();
+        try {
+            SerializationUtils.setSerializationStrategy(newStrategy);
+            byte[] bytes = SerializationUtils.serialize(accessToken);
+            OAuth2AccessToken clone = SerializationUtils.deserialize(bytes);
+            assertNotNull(clone);
+            assertEquals(accessToken, clone);
+        } finally {
+            SerializationUtils.setSerializationStrategy(oldStrategy);
+        }
+    }
+}
\ No newline at end of file
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/AuthorizationServerConfigurationTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/AuthorizationServerConfigurationTests.java
index 75bc1a0d3..a5544dce6 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/AuthorizationServerConfigurationTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/AuthorizationServerConfigurationTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -27,9 +27,18 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.mock.web.MockServletContext;
+import org.springframework.security.authentication.AnonymousAuthenticationProvider;
+import org.springframework.security.authentication.AuthenticationEventPublisher;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
+import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.authentication.TestingAuthenticationProvider;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
+import org.springframework.security.config.authentication.AuthenticationManagerBeanDefinitionParser;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -64,10 +73,13 @@
 import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
 import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
 import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 
+import javax.servlet.Filter;
 import javax.sql.DataSource;
 import java.util.Arrays;
 import java.util.List;
@@ -112,7 +124,10 @@ public static List<Object[]> parameters() {
 				new Object[] { null, new Class<?>[] { AuthorizationServerCustomGranter.class } },
 				new Object[] { null, new Class<?>[] { AuthorizationServerSslEnabled.class } },
 				new Object[] { null, new Class<?>[] { AuthorizationServerCustomRedirectResolver.class } },
-				new Object[] { null, new Class<?>[] { AuthorizationServerDefaultRedirectResolver.class } }
+				new Object[] { null, new Class<?>[] { AuthorizationServerDefaultRedirectResolver.class } },
+				new Object[] { null, new Class<?>[] { AuthorizationServerCustomAuthenticationProvidersOnTokenEndpoint.class } },
+				new Object[] { null, new Class<?>[] { AuthorizationServerDefaultAuthenticationProviderOnTokenEndpoint.class } },
+				new Object[] { null, new Class<?>[] { AuthorizationServerCustomAuthenticationEventPublisher.class } }
 		// @formatter:on
 		);
 	}
@@ -736,4 +751,129 @@ public void configure(AuthorizationServerSecurityConfigurer security) throws Exc
 			security.sslOnly();
 		}
 	}
+
+	@Configuration
+	@EnableWebMvcSecurity
+	@EnableAuthorizationServer
+	protected static class AuthorizationServerCustomAuthenticationProvidersOnTokenEndpoint extends
+			AuthorizationServerConfigurerAdapter implements Runnable {
+
+		@Autowired
+		private ApplicationContext context; 
+
+		@Override
+		public void configure(AuthorizationServerSecurityConfigurer security)
+				throws Exception {
+			security.addAuthenticationProvider(new AuthenticationManagerBeanDefinitionParser.NullAuthenticationProvider());
+			security.addAuthenticationProvider(new TestingAuthenticationProvider());
+		}
+
+		@Override
+		public void run() { 
+			FilterChainProxy springSecurityFilterChain = context.getBean(FilterChainProxy.class);
+			List<Filter> filters = springSecurityFilterChain.getFilters("/oauth/token");
+			BasicAuthenticationFilter basicAuthenticationFilter = null;
+			for (Filter filter : filters) {
+				if (filter instanceof BasicAuthenticationFilter) {
+					basicAuthenticationFilter = (BasicAuthenticationFilter) filter;
+					break;
+				}
+			}
+
+			ProviderManager authenticationManager = (ProviderManager) ReflectionTestUtils.getField(basicAuthenticationFilter, "authenticationManager");
+			boolean nullAuthenticationProviderFound = false;
+			boolean testingAuthenticationProviderFound = false;
+			boolean anonymousAuthenticationProviderFound = false;
+			for (AuthenticationProvider provider : authenticationManager.getProviders()) {
+				if (provider instanceof AuthenticationManagerBeanDefinitionParser.NullAuthenticationProvider) {
+					nullAuthenticationProviderFound = true;
+				} else if (provider instanceof TestingAuthenticationProvider) {
+					testingAuthenticationProviderFound = true;
+				} else if (provider instanceof AnonymousAuthenticationProvider) {
+					anonymousAuthenticationProviderFound = true;
+				}
+			}
+
+			assertEquals(3, authenticationManager.getProviders().size());
+			assertTrue(testingAuthenticationProviderFound);
+			assertTrue(anonymousAuthenticationProviderFound);
+			assertTrue(nullAuthenticationProviderFound);
+		}
+	}	
+
+	@Configuration
+	@EnableWebMvcSecurity
+	@EnableAuthorizationServer
+	protected static class AuthorizationServerDefaultAuthenticationProviderOnTokenEndpoint extends
+			AuthorizationServerConfigurerAdapter implements Runnable {
+
+		@Autowired
+		private ApplicationContext context; 
+
+		@Override
+		public void run() { 
+			FilterChainProxy springSecurityFilterChain = context.getBean(FilterChainProxy.class);
+			List<Filter> filters = springSecurityFilterChain.getFilters("/oauth/token");
+			BasicAuthenticationFilter basicAuthenticationFilter = null;
+			for (Filter filter : filters) {
+				if (filter instanceof BasicAuthenticationFilter) {
+					basicAuthenticationFilter = (BasicAuthenticationFilter) filter;
+					break;
+				}
+			}
+
+			ProviderManager authenticationManager = (ProviderManager) ReflectionTestUtils.getField(basicAuthenticationFilter, "authenticationManager");
+			boolean anonymousAuthenticationProviderFound = false;
+			boolean daoAuthenticationProviderFound = false;
+
+			for (AuthenticationProvider provider : authenticationManager.getProviders()) {
+				if (provider instanceof DaoAuthenticationProvider) {
+					daoAuthenticationProviderFound = true;
+				} else if (provider instanceof AnonymousAuthenticationProvider) {
+					anonymousAuthenticationProviderFound = true;
+				}
+			}
+
+			assertEquals(2, authenticationManager.getProviders().size());
+			assertTrue(anonymousAuthenticationProviderFound);
+			assertTrue(daoAuthenticationProviderFound);
+		}
+	}
+
+	@Configuration
+	@EnableWebMvcSecurity
+	@EnableAuthorizationServer
+	protected static class AuthorizationServerCustomAuthenticationEventPublisher extends
+			AuthorizationServerConfigurerAdapter implements Runnable {
+
+		@Autowired
+		private ApplicationContext context;
+		private AuthenticationEventPublisher defaultAuthenticationEventPublisher = new DefaultAuthenticationEventPublisher();
+
+		@Override
+		public void configure(AuthorizationServerSecurityConfigurer security)
+				throws Exception {
+			security.authenticationEventPublisher(defaultAuthenticationEventPublisher);
+		}
+
+		@Override
+		public void run() {
+			FilterChainProxy springSecurityFilterChain = context.getBean(FilterChainProxy.class);
+			List<Filter> filters = springSecurityFilterChain.getFilters("/oauth/token");
+			BasicAuthenticationFilter basicAuthenticationFilter = null;
+			for (Filter filter : filters) {
+				if (filter instanceof BasicAuthenticationFilter) {
+					basicAuthenticationFilter = (BasicAuthenticationFilter) filter;
+					break;
+				}
+			}
+			
+			AuthenticationManager authenticationManager = (AuthenticationManager) ReflectionTestUtils.
+					getField(basicAuthenticationFilter, "authenticationManager");
+			AuthenticationEventPublisher authenticationEventPublisher = (AuthenticationEventPublisher) ReflectionTestUtils.
+					getField(authenticationManager, "eventPublisher");
+			
+			assertTrue(authenticationEventPublisher == defaultAuthenticationEventPublisher);
+		}
+	}
 }
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/ClientConfigurationTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/ClientConfigurationTests.java
index 3419b272e..8714a4e79 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/ClientConfigurationTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/ClientConfigurationTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -58,7 +58,7 @@ public void testAuthCodeRedirect() throws Exception {
 				.andExpect(MockMvcResultMatchers.status().isFound())
 				.andExpect(
 						MockMvcResultMatchers.header().string("Location",
-								CoreMatchers.startsWith("http://example.com/authorize")));
+								CoreMatchers.startsWith("https://example.com/authorize")));
 		context.close();
 	}
 
@@ -75,7 +75,7 @@ protected static class ClientContext {
 		@RequestMapping("/photos")
 		@ResponseBody
 		public String photos() {
-			return restTemplate().getForObject("http://example.com/photos", String.class);
+			return restTemplate().getForObject("https://example.com/photos", String.class);
 		}
 
 		@Bean
@@ -84,8 +84,8 @@ public String photos() {
 		public OAuth2RestOperations restTemplate() {
 			AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails();
 			resource.setClientId("client");
-			resource.setAccessTokenUri("http://example.com/token");
-			resource.setUserAuthorizationUri("http://example.com/authorize");
+			resource.setAccessTokenUri("https://example.com/token");
+			resource.setUserAuthorizationUri("https://example.com/authorize");
 			return new OAuth2RestTemplate(resource, new DefaultOAuth2ClientContext(accessTokenRequest));
 		}
 
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/Gh501EnableAuthorizationServerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/Gh501EnableAuthorizationServerTests.java
index a4da13677..e3aa6a4ed 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/Gh501EnableAuthorizationServerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/Gh501EnableAuthorizationServerTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/Gh808EnableAuthorizationServerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/Gh808EnableAuthorizationServerTests.java
index 7f0f6e239..f0a9feacb 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/Gh808EnableAuthorizationServerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/Gh808EnableAuthorizationServerTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -83,7 +83,7 @@ public class Gh808EnableAuthorizationServerTests {
 	MockMvc mockMvc;
 
 	static {
-		client = new BaseClientDetails(CLIENT_ID, null, "read,write", "password,client_credentials", "ROLE_ADMIN", "http://example.com/oauth2callback");
+		client = new BaseClientDetails(CLIENT_ID, null, "read,write", "password,client_credentials", "ROLE_ADMIN", "https://example.com/oauth2callback");
 		client.setClientSecret(CLIENT_SECRET);
 		user = new User(USER_ID, USER_SECRET, Arrays.asList(new SimpleGrantedAuthority("ROLE_USER")));
 	}
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/ResourceServerConfigurationTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/ResourceServerConfigurationTests.java
index fb826eec1..0136979c4 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/ResourceServerConfigurationTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/ResourceServerConfigurationTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -27,6 +27,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockServletContext;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
@@ -118,7 +119,7 @@ public void testWithAuthServer() throws Exception {
 				.andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", containsString("Bearer")));
 		mvc.perform(MockMvcRequestBuilders.post("/oauth/token"))
 				.andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", containsString("Basic")));
-		mvc.perform(MockMvcRequestBuilders.get("/oauth/authorize"))
+		mvc.perform(MockMvcRequestBuilders.get("/oauth/authorize").accept(MediaType.TEXT_HTML))
 				.andExpect(MockMvcResultMatchers.redirectedUrl("http://localhost/login"));
 		mvc.perform(MockMvcRequestBuilders.post("/oauth/token").header("Authorization",
 				"Basic " + new String(Base64.encode("client:secret".getBytes()))))
@@ -137,7 +138,7 @@ public void testWithAuthServerCustomPath() throws Exception {
 				.andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", containsString("Bearer")));
 		mvc.perform(MockMvcRequestBuilders.post("/token"))
 				.andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", containsString("Basic")));
-		mvc.perform(MockMvcRequestBuilders.get("/authorize"))
+		mvc.perform(MockMvcRequestBuilders.get("/authorize").accept(MediaType.TEXT_HTML))
 				.andExpect(MockMvcResultMatchers.redirectedUrl("http://localhost/login"));
 		mvc.perform(MockMvcRequestBuilders.post("/token").header("Authorization",
 				"Basic " + new String(Base64.encode("client:secret".getBytes()))))
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/TokenServicesMultipleBeansTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/TokenServicesMultipleBeansTests.java
index d38593d54..83b798f89 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/TokenServicesMultipleBeansTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/TokenServicesMultipleBeansTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParserTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParserTests.java
index 25431ad8d..452458cec 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParserTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParserTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerClientCredentialsPasswordInvalidXmlTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerClientCredentialsPasswordInvalidXmlTests.java
index 2dd1a329e..cd9fc3b44 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerClientCredentialsPasswordInvalidXmlTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerClientCredentialsPasswordInvalidXmlTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerClientCredentialsPasswordValidXmlTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerClientCredentialsPasswordValidXmlTests.java
index fba5fa40c..f8acdc140 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerClientCredentialsPasswordValidXmlTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerClientCredentialsPasswordValidXmlTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -43,7 +43,6 @@
 @WebAppConfiguration
 public class AuthorizationServerClientCredentialsPasswordValidXmlTests {
 	private static final String CLIENT_ID = "acme";
-	private static final String CLIENT_SECRET = "secret";
 	private static final String USER_ID = "acme";
 	private static final String USER_SECRET = "password";
 
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParserTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParserTests.java
index 8e44fb9ab..8bd436f7e 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParserTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParserTests.java
@@ -84,7 +84,7 @@ public void testClientDetailsDefaultFlow() {
 		assertNotNull(clientDetailsService);
 		assertEquals("my-client-id-default-flow", clientDetails.getClientId());
 		assertEquals(1, clientDetails.getRegisteredRedirectUri().size());
-		assertEquals("http://mycompany.com/", clientDetails.getRegisteredRedirectUri().iterator().next());
+		assertEquals("https://secure.mycompany.com/", clientDetails.getRegisteredRedirectUri().iterator().next());
 
 		Set<String> grantTypes = clientDetails.getAuthorizedGrantTypes();
 		assertNotNull(grantTypes);
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/InvalidResourceBeanDefinitionParserTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/InvalidResourceBeanDefinitionParserTests.java
index 460925c8f..4f1d1cd5e 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/InvalidResourceBeanDefinitionParserTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/InvalidResourceBeanDefinitionParserTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -61,21 +61,21 @@ public void testMissingAuthorizationUriForImplicit() {
 	public void testMissingAuthorizationUriForAuthorizationCode() {
 		expected.expect(BeanDefinitionParsingException.class);
 		expected.expectMessage("authorization URI must be supplied");
-		loadContext("type='authorization_code' access-token-uri='http://somewhere.com/'");
+		loadContext("type='authorization_code' access-token-uri='https://somewhere.com/'");
 	}
 
 	@Test
 	public void testMissingUsernameForPassword() {
 		expected.expect(BeanDefinitionParsingException.class);
 		expected.expectMessage("A username must be supplied on a resource element of type password");
-		loadContext("type='password' access-token-uri='http://somewhere.com/'");
+		loadContext("type='password' access-token-uri='https://somewhere.com/'");
 	}
 
 	@Test
 	public void testMissingPasswordForPassword() {
 		expected.expect(BeanDefinitionParsingException.class);
 		expected.expectMessage("A password must be supplied on a resource element of type password");
-		loadContext("type='password' username='admin' access-token-uri='http://somewhere.com/'");
+		loadContext("type='password' username='admin' access-token-uri='https://somewhere.com/'");
 	}
 
 	private void loadContext(String attributes) {
@@ -83,7 +83,7 @@ private void loadContext(String attributes) {
 		context = new GenericXmlApplicationContext(new ByteArrayResource(config .getBytes()));
 	}
 
-	private static String HEADER = "<?xml version='1.0' encoding='UTF-8'?><beans xmlns='http://www.springframework.org/schema/beans' xmlns:oauth='http://www.springframework.org/schema/security/oauth2' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'	xsi:schemaLocation='http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsdhttp://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.0.xsd'>";
+	private static String HEADER = "<?xml version='1.0' encoding='UTF-8'?><beans xmlns='http://www.springframework.org/schema/beans' xmlns:oauth='http://www.springframework.org/schema/security/oauth2' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'	xsi:schemaLocation='http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsdhttp://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd'>";
 	private static String FOOTER = "</beans>";
 	private static String TEMPLATE = "<oauth:resource id='resource' client-id='client' %s/>";
 }
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParserTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParserTests.java
index 5e49eb870..9eed8eec9 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParserTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParserTests.java
@@ -59,7 +59,7 @@ public class ResourceBeanDefinitionParserTests {
 	public void testResourceFromNonPropertyFile() {
 		assertEquals("my-client-id-non-property-file", one.getClientId());
 		assertEquals("my-client-secret-non-property-file", one.getClientSecret());
-		assertEquals("http://somewhere.com/", one.getAccessTokenUri());
+		assertEquals("https://somewhere.com/", one.getAccessTokenUri());
 		assertEquals(2, one.getScope().size());
 		assertEquals("[none, some]", one.getScope().toString());
 	}
@@ -68,7 +68,7 @@ public void testResourceFromNonPropertyFile() {
 	public void testResourceFromPropertyFile() {
 		assertEquals("my-client-id-property-file", two.getClientId());
 		assertEquals("my-client-secret-property-file", two.getClientSecret());
-		assertEquals("http://myhost.com/", two.getAccessTokenUri());
+		assertEquals("https://myhost.com/", two.getAccessTokenUri());
 		assertEquals(2, two.getScope().size());
 		assertEquals("[none, all]", two.getScope().toString());
 	}
@@ -77,8 +77,8 @@ public void testResourceFromPropertyFile() {
 	public void testResourceWithRedirectUri() {
 		assertEquals("my-client-id", three.getClientId());
 		assertNull(three.getClientSecret());
-		assertEquals("http://somewhere.com/", three.getAccessTokenUri());
-		assertEquals("http://anywhere.com/", three.getPreEstablishedRedirectUri());
+		assertEquals("https://somewhere.com/", three.getAccessTokenUri());
+		assertEquals("https://anywhere.com/", three.getPreEstablishedRedirectUri());
 		assertFalse(three.isUseCurrentUri());
 	}
 
@@ -86,14 +86,14 @@ public void testResourceWithRedirectUri() {
 	public void testResourceWithImplicitGrant() {
 		assertEquals("my-client-id", four.getClientId());
 		assertNull(four.getClientSecret());
-		assertEquals("http://somewhere.com/", four.getUserAuthorizationUri());
+		assertEquals("https://somewhere.com/", four.getUserAuthorizationUri());
 	}
 
 	@Test
 	public void testResourceWithClientCredentialsGrant() {
 		assertEquals("my-secret-id", five.getClientId());
 		assertEquals("secret", five.getClientSecret());
-		assertEquals("http://somewhere.com/", five.getAccessTokenUri());
+		assertEquals("https://somewhere.com/", five.getAccessTokenUri());
 		assertNotNull(template.getOAuth2ClientContext().getAccessTokenRequest());
 	}
 
@@ -108,7 +108,7 @@ public void testResourceWithCurrentUriHint() {
 	public void testResourceWithPasswordGrant() {
 		assertEquals("my-client-id", seven.getClientId());
 		assertEquals("secret", seven.getClientSecret());
-		assertEquals("http://somewhere.com/", seven.getAccessTokenUri());
+		assertEquals("https://somewhere.com/", seven.getAccessTokenUri());
 		assertEquals("admin", seven.getUsername());
 		assertEquals("long-and-strong", seven.getPassword());
 	}
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParserTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParserTests.java
index e70a1030a..cfae87560 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParserTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParserTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/http/converter/jaxb/BaseJaxbMessageConverterTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/http/converter/jaxb/BaseJaxbMessageConverterTest.java
index cf52a5bae..9342b5564 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/http/converter/jaxb/BaseJaxbMessageConverterTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/http/converter/jaxb/BaseJaxbMessageConverterTest.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessTokenMessageConverterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessTokenMessageConverterTests.java
index 9e7b71e21..f2a8e17e2 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessTokenMessageConverterTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessTokenMessageConverterTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2ExceptionMessageConverterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2ExceptionMessageConverterTests.java
index 243cd92d9..bc146c02a 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2ExceptionMessageConverterTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2ExceptionMessageConverterTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/AuthorizationRequestTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/AuthorizationRequestTests.java
index dd1363216..5f9ea7a82 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/AuthorizationRequestTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/AuthorizationRequestTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -30,7 +30,7 @@
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.security.oauth2.common.util.OAuth2Utils;
-import org.springframework.util.SerializationUtils;
+import org.springframework.security.oauth2.common.util.SerializationUtils;
 import org.springframework.util.StringUtils;
 
 /**
@@ -47,7 +47,7 @@ public void prepare() {
 		parameters = new HashMap<String, String>();
 		parameters.put("client_id", "theClient");
 		parameters.put("state", "XYZ123");
-		parameters.put("redirect_uri", "http://www.callistaenterprise.se/");
+		parameters.put("redirect_uri", "https://callistaenterprise.se/");
 	}
 	
 	@Test
@@ -153,16 +153,16 @@ public void testRedirectUriDefaultsToMap() {
 
 		assertEquals("XYZ123", authorizationRequest.getState());
 		assertEquals("theClient", authorizationRequest.getClientId());
-		assertEquals("http://www.callistaenterprise.se/", authorizationRequest.getRedirectUri());
-		assertEquals("http://www.callistaenterprise.se/", authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI));
+		assertEquals("https://callistaenterprise.se/", authorizationRequest.getRedirectUri());
+		assertEquals("https://callistaenterprise.se/", authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI));
 		assertEquals("[one, two]", authorizationRequest.getScope().toString());
 	}
 
 	@Test
 	public void testSerialization() {
 		AuthorizationRequest authorizationRequest = createFromParameters(parameters);
-		AuthorizationRequest other = (AuthorizationRequest) SerializationUtils.deserialize(SerializationUtils
-				.serialize(authorizationRequest));
+		AuthorizationRequest other = SerializationUtils.deserialize(
+				SerializationUtils.serialize(authorizationRequest));
 		assertEquals(authorizationRequest, other);
 	}
 
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/OAuth2AuthenticationTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/OAuth2AuthenticationTests.java
index 068d68ac3..e2c0aadbd 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/OAuth2AuthenticationTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/OAuth2AuthenticationTests.java
@@ -1,14 +1,11 @@
 package org.springframework.security.oauth2.provider;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-
 import java.util.Arrays;
 import java.util.Collections;
 
-import org.codehaus.jackson.map.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.Test;
+
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -16,6 +13,10 @@
 import org.springframework.test.annotation.Rollback;
 import org.springframework.util.SerializationUtils;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
 public class OAuth2AuthenticationTests {
 
 	private OAuth2Request request = RequestTokenFactory.createOAuth2Request(null, "id", null, false,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/OAuth2RequestTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/OAuth2RequestTests.java
index 63b09d34e..1462e82af 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/OAuth2RequestTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/OAuth2RequestTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/AbstractTestApprovalStore.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/AbstractTestApprovalStore.java
index 68124cb0f..034b25563 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/AbstractTestApprovalStore.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/AbstractTestApprovalStore.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/DefaultUserApprovalHandlerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/DefaultUserApprovalHandlerTests.java
index 90bfbdf14..f1cb3c2bd 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/DefaultUserApprovalHandlerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/DefaultUserApprovalHandlerTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/InMemoryApprovalStoreTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/InMemoryApprovalStoreTests.java
index af74be060..730dc47fd 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/InMemoryApprovalStoreTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/InMemoryApprovalStoreTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/JdbcApprovalStoreTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/JdbcApprovalStoreTests.java
index a0b6eabeb..f202d9be1 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/JdbcApprovalStoreTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/JdbcApprovalStoreTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/TokenApprovalStoreTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/TokenApprovalStoreTests.java
index d136b380d..81dce821a 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/TokenApprovalStoreTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/TokenApprovalStoreTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/TokenStoreUserApprovalHandlerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/TokenStoreUserApprovalHandlerTests.java
index 70552058c..c52b0d9f6 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/TokenStoreUserApprovalHandlerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/approval/TokenStoreUserApprovalHandlerTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetailsTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetailsTests.java
index 658c958ee..3674c6e45 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetailsTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetailsTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationManagerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationManagerTests.java
index 4dc6bcdfc..9ba7107cc 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationManagerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationManagerTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilterTests.java
index d3b34b51f..e77bceea7 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilterTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilterTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/BaseClientDetailsTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/BaseClientDetailsTests.java
index d80e9b773..9ab738793 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/BaseClientDetailsTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/BaseClientDetailsTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -16,18 +16,18 @@
 
 package org.springframework.security.oauth2.provider.client;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
 import java.util.Collections;
 import java.util.TreeSet;
 
-import org.codehaus.jackson.map.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.Test;
-import org.springframework.security.oauth2.provider.client.BaseClientDetails;
+
 import org.springframework.util.StringUtils;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
 /**
  * @author Dave Syer
  * 
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilterTests.java
index 36fe64ed8..cc3054244 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilterTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilterTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/ClientDetailsUserDetailsServiceTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/ClientDetailsUserDetailsServiceTests.java
index ede103a46..aa4878bce 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/ClientDetailsUserDetailsServiceTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/ClientDetailsUserDetailsServiceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeTokenGranterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeTokenGranterTests.java
index 429cefa0a..4d9a0eece 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeTokenGranterTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeTokenGranterTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServicesTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServicesTests.java
index b58b58d96..76a5e34c8 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServicesTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServicesTests.java
@@ -1,9 +1,24 @@
 package org.springframework.security.oauth2.provider.code;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.company.oauth2.CustomAuthentication;
+import org.company.oauth2.CustomOAuth2Authentication;
 import org.junit.After;
 import org.junit.Before;
+import org.junit.Test;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
+import org.springframework.security.oauth2.common.util.SerializationStrategy;
+import org.springframework.security.oauth2.common.util.SerializationUtils;
+import org.springframework.security.oauth2.common.util.WhitelistedSerializationStrategy;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.RequestTokenFactory;
 
 public class JdbcAuthorizationCodeServicesTests extends AuthorizationCodeServicesBaseTests {
 	private JdbcAuthorizationCodeServices authorizationCodeServices;
@@ -26,4 +41,59 @@ public void tearDown() throws Exception {
 	AuthorizationCodeServices getAuthorizationCodeServices() {
 		return authorizationCodeServices;
 	}
+
+	@Test
+	public void testCustomImplementation() {
+		OAuth2Request storedOAuth2Request = RequestTokenFactory.createOAuth2Request("id", false);
+		OAuth2Authentication expectedAuthentication = new CustomOAuth2Authentication(storedOAuth2Request,
+				new CustomAuthentication("test2", false));
+		String code = getAuthorizationCodeServices().createAuthorizationCode(expectedAuthentication);
+		assertNotNull(code);
+		OAuth2Authentication actualAuthentication = getAuthorizationCodeServices().consumeAuthorizationCode(code);
+		assertEquals(expectedAuthentication, actualAuthentication);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void testNotAllowedCustomImplementation() {
+		OAuth2Request storedOAuth2Request = RequestTokenFactory.createOAuth2Request("id", false);
+		OAuth2Authentication expectedAuthentication = new CustomOAuth2Authentication(storedOAuth2Request,
+				new CustomAuthentication("test2", false));
+		WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy();
+		SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy();
+		try {
+			SerializationUtils.setSerializationStrategy(newStrategy);
+			String code = getAuthorizationCodeServices().createAuthorizationCode(expectedAuthentication);
+			assertNotNull(code);
+			getAuthorizationCodeServices().consumeAuthorizationCode(code);
+		} finally {
+			SerializationUtils.setSerializationStrategy(oldStrategy);
+		}
+	}
+
+	@Test
+	public void testCustomImplementationWithCustomStrategy() {
+		OAuth2Request storedOAuth2Request = RequestTokenFactory.createOAuth2Request("id", false);
+		OAuth2Authentication expectedAuthentication = new CustomOAuth2Authentication(storedOAuth2Request,
+				new CustomAuthentication("test3", false));
+
+		AuthorizationCodeServices jdbcAuthorizationCodeServices = getAuthorizationCodeServices();
+		List<String> allowedClasses = new ArrayList<String>();
+		allowedClasses.add("java.util.");
+		allowedClasses.add("org.springframework.security.");
+		allowedClasses.add("org.company.oauth2.CustomOAuth2AccessToken");
+		allowedClasses.add("org.company.oauth2.CustomOAuth2Authentication");
+		allowedClasses.add("org.company.oauth2.CustomAuthentication");
+		WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy(allowedClasses);
+		SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy();
+		try {
+			SerializationUtils.setSerializationStrategy(newStrategy);
+			String code = jdbcAuthorizationCodeServices.createAuthorizationCode(expectedAuthentication);
+			assertNotNull(code);
+
+			OAuth2Authentication actualAuthentication = getAuthorizationCodeServices().consumeAuthorizationCode(code);
+			assertEquals(expectedAuthentication, actualAuthentication);
+		} finally {
+			SerializationUtils.setSerializationStrategy(oldStrategy);
+		}
+	}
 }
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/RedisAuthorizationCodeServicesTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/RedisAuthorizationCodeServicesTests.java
new file mode 100644
index 000000000..815fc260f
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/RedisAuthorizationCodeServicesTests.java
@@ -0,0 +1,106 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.provider.code;
+
+import static org.hamcrest.CoreMatchers.allOf;
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNotSame;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.RequestTokenFactory;
+
+import org.springframework.util.ClassUtils;
+import redis.clients.jedis.JedisShardInfo;
+
+/**
+ * @author Stefan Rempfer
+ */
+public class RedisAuthorizationCodeServicesTests {
+
+	private RedisAuthorizationCodeServices authorizationCodeServices;
+
+	private OAuth2Authentication authentication;
+
+	/**
+	 * Initialize test data and Class-Under-Test.
+	 */
+	@Before
+	public void setup() {
+		boolean springDataRedis_2_0 = ClassUtils.isPresent(
+				"org.springframework.data.redis.connection.RedisStandaloneConfiguration",
+				this.getClass().getClassLoader());
+
+		JedisConnectionFactory connectionFactory;
+		if (springDataRedis_2_0) {
+			connectionFactory = new JedisConnectionFactory();
+		} else {
+			JedisShardInfo shardInfo = new JedisShardInfo("localhost");
+			connectionFactory = new JedisConnectionFactory(shardInfo);
+		}
+
+		authorizationCodeServices = new RedisAuthorizationCodeServices(connectionFactory);
+
+		authentication = new OAuth2Authentication(RequestTokenFactory.createOAuth2Request("myClientId", false),
+				new TestingAuthenticationToken("myUser4Test", false));
+	}
+
+	/**
+	 * Verifies that a authorization code could be generated and stored.
+	 */
+	@Test
+	public void verifyCreateAuthorizationCode() {
+		String authorizationCode1 = authorizationCodeServices.createAuthorizationCode(authentication);
+		assertNotNull("Authorization code must not be null!", authorizationCode1);
+
+		String authorizationCode2 = authorizationCodeServices.createAuthorizationCode(authentication);
+		assertNotNull("Authorization code must not be null!", authorizationCode2);
+
+		assertNotEquals("Authorization code must be different!", authorizationCode1, authorizationCode2);
+	}
+
+	/**
+	 * Verifies that a authorization code could be retrieved and removed.
+	 */
+	@Test
+	public void verifyCreateAndConsumeAuthorizationCode() {
+
+		String authorizationCode = authorizationCodeServices.createAuthorizationCode(authentication);
+		assertNotNull("Authorization code must not be null!", authorizationCode);
+
+		OAuth2Authentication authentication = authorizationCodeServices.consumeAuthorizationCode(authorizationCode);
+		assertNotSame("Authentication object must not be the same!", this.authentication, authentication);
+		assertEquals("Authentication object must equals to original one!", this.authentication, authentication);
+
+		try {
+			authorizationCodeServices.consumeAuthorizationCode(authorizationCode);
+			fail("There must be an exception that the authorization code is invalid!");
+		}
+		catch (InvalidGrantException e) {
+			assertThat("Wrong error message!", e.getMessage(),
+					allOf(containsString("Invalid authorization code")));
+		}
+	}
+}
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/SubdomainRedirectResolverTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/SubdomainRedirectResolverTests.java
index 0f2f37196..901c03dc4 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/SubdomainRedirectResolverTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/SubdomainRedirectResolverTests.java
@@ -7,6 +7,7 @@
 import java.util.HashSet;
 import java.util.Set;
 
+import org.junit.Before;
 import org.junit.Test;
 import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
 import org.springframework.security.oauth2.provider.client.BaseClientDetails;
@@ -14,29 +15,34 @@
 
 public class SubdomainRedirectResolverTests
 {
-	private final DefaultRedirectResolver resolver = new DefaultRedirectResolver();
+	private DefaultRedirectResolver resolver;
 	private final BaseClientDetails client = new BaseClientDetails();
 
 	{
 		client.setAuthorizedGrantTypes(Collections.singleton("authorization_code"));
 	}
 
+	@Before
+	public void setup() {
+		resolver = new DefaultRedirectResolver();
+	}
 
 	@Test
 	public void testRedirectMatch() throws Exception
 	{
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://watchdox.com/"));
+		resolver.setMatchSubdomains(true);
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://watchdox.com/"));
 		client.setRegisteredRedirectUri(redirectUris);
-		String requestedRedirect = "http://anywhere.watchdox.com/";
+		String requestedRedirect = "https://anywhere.watchdox.com/";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
 
 	@Test(expected=RedirectMismatchException.class)
 	public void testRedirectNoMatch() throws Exception
 	{
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://watchdox.com/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://watchdox.com/"));
 		client.setRegisteredRedirectUri(redirectUris);
-		String requestedRedirect = "http://anywhere.google.com/";
+		String requestedRedirect = "https://anywhere.google.com/";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
 
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpointTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpointTests.java
index e42a8c838..383f025b5 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpointTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpointTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -101,7 +101,7 @@ private AuthorizationRequest getAuthorizationRequest(String clientId, String red
 	@Before
 	public void init() throws Exception {
 		client = new BaseClientDetails();
-		client.setRegisteredRedirectUri(Collections.singleton("http://anywhere.com/"));
+		client.setRegisteredRedirectUri(Collections.singleton("https://anywhere.com/"));
 		client.setAuthorizedGrantTypes(Arrays.asList("authorization_code", "implicit"));
 		endpoint.setClientDetailsService(new ClientDetailsService() {
 			public ClientDetails loadClientByClientId(String clientId) throws OAuth2Exception {
@@ -155,59 +155,59 @@ public void testStartAuthorizationCodeFlowForClientCredentialsFails() throws Exc
 	@Test
 	public void testAuthorizationCodeWithFragment() throws Exception {
 		endpoint.setAuthorizationCodeServices(new StubAuthorizationCodeServices());
-		AuthorizationRequest request = getAuthorizationRequest("foo", "http://anywhere.com/#bar", null, null, Collections.singleton("code"));
+		AuthorizationRequest request = getAuthorizationRequest("foo", "https://anywhere.com/#bar", null, null, Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, request);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(request));
 		View result = endpoint.approveOrDeny(Collections.singletonMap(OAuth2Utils.USER_OAUTH_APPROVAL, "true"), model,
 				sessionStatus, principal);
-		assertEquals("http://anywhere.com/?code=thecode#bar", ((RedirectView) result).getUrl());
+		assertEquals("https://anywhere.com/?code=thecode#bar", ((RedirectView) result).getUrl());
 	}
 
 	@Test
 	public void testAuthorizationCodeWithQueryParams() throws Exception {
 		endpoint.setAuthorizationCodeServices(new StubAuthorizationCodeServices());
-		AuthorizationRequest request = getAuthorizationRequest("foo", "http://anywhere.com/?foo=bar", null, null, Collections.singleton("code"));
+		AuthorizationRequest request = getAuthorizationRequest("foo", "https://anywhere.com/?foo=bar", null, null, Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, request);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(request));
 		View result = endpoint.approveOrDeny(Collections.singletonMap(OAuth2Utils.USER_OAUTH_APPROVAL, "true"), model,
 				sessionStatus, principal);
-		assertEquals("http://anywhere.com/?foo=bar&code=thecode", ((RedirectView) result).getUrl());
+		assertEquals("https://anywhere.com/?foo=bar&code=thecode", ((RedirectView) result).getUrl());
 	}
 
 	@Test
 	public void testAuthorizationCodeWithTrickyState() throws Exception {
 		endpoint.setAuthorizationCodeServices(new StubAuthorizationCodeServices());
-		AuthorizationRequest request = getAuthorizationRequest("foo", "http://anywhere.com/", " =?s", null, Collections.singleton("code"));
+		AuthorizationRequest request = getAuthorizationRequest("foo", "https://anywhere.com/", " =?s", null, Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, request);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(request));
 		View result = endpoint.approveOrDeny(Collections.singletonMap(OAuth2Utils.USER_OAUTH_APPROVAL, "true"), model,
 				sessionStatus, principal);
-		assertEquals("http://anywhere.com/?code=thecode&state=%20%3D?s", ((RedirectView) result).getUrl());
+		assertEquals("https://anywhere.com/?code=thecode&state=%20%3D?s", ((RedirectView) result).getUrl());
 	}
 
 	@Test
 	public void testAuthorizationCodeWithMultipleQueryParams() throws Exception {
 		endpoint.setAuthorizationCodeServices(new StubAuthorizationCodeServices());
-		AuthorizationRequest request = getAuthorizationRequest("foo", "http://anywhere.com/?foo=bar&bar=foo", null, null,
+		AuthorizationRequest request = getAuthorizationRequest("foo", "https://anywhere.com/?foo=bar&bar=foo", null, null,
 				Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, request);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(request));
 		View result = endpoint.approveOrDeny(Collections.singletonMap(OAuth2Utils.USER_OAUTH_APPROVAL, "true"), model,
 				sessionStatus, principal);
-		assertEquals("http://anywhere.com/?foo=bar&bar=foo&code=thecode", ((RedirectView) result).getUrl());
+		assertEquals("https://anywhere.com/?foo=bar&bar=foo&code=thecode", ((RedirectView) result).getUrl());
 	}
 
 	@Test
 	public void testAuthorizationCodeWithTrickyQueryParams() throws Exception {
 		endpoint.setAuthorizationCodeServices(new StubAuthorizationCodeServices());
-		AuthorizationRequest request = getAuthorizationRequest("foo", "http://anywhere.com/?foo=b%20=&bar=f%20$", null, null,
+		AuthorizationRequest request = getAuthorizationRequest("foo", "https://anywhere.com/?foo=b%20=&bar=f%20$", null, null,
 				Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, request);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(request));
 		View result = endpoint.approveOrDeny(Collections.singletonMap(OAuth2Utils.USER_OAUTH_APPROVAL, "true"), model,
 				sessionStatus, principal);
 		String url = ((RedirectView) result).getUrl();
-		assertEquals("http://anywhere.com/?foo=b%20=&bar=f%20http://anywhere.com?foo=b%20=&bar=f%20$&code=thecodecode=thecode", url);
+		assertEquals("https://anywhere.com/?foo=b%20=&bar=f%20https://anywhere.com?foo=b%20=&bar=f%20$&code=thecodecode=thecode", url);
 		MultiValueMap<String, String> params = UriComponentsBuilder.fromHttpUrl(url).build().getQueryParams();
 		assertEquals("[b%20=]", params.get("foo").toString());
 		assertEquals("[f%20$]", params.get("bar").toString());
@@ -217,24 +217,24 @@ public void testAuthorizationCodeWithTrickyQueryParams() throws Exception {
 	public void testAuthorizationCodeWithTrickyEncodedQueryParams() throws Exception {
 		endpoint.setAuthorizationCodeServices(new StubAuthorizationCodeServices());
 		AuthorizationRequest request = getAuthorizationRequest(
-				"foo", "http://anywhere.com/path?foo=b%20%3D&bar=f%20$", null, null, Collections.singleton("code"));
+				"foo", "https://anywhere.com/path?foo=b%20%3D&bar=f%20$", null, null, Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, request);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(request));
 		View result = endpoint.approveOrDeny(Collections.singletonMap(OAuth2Utils.USER_OAUTH_APPROVAL, "true"), model,
 				sessionStatus, principal);
-		assertEquals("http://anywhere.com/path?foo=b%20%3D&bar=f%20http://anywhere.com/path?foo=b%20%3D&bar=f%20$&code=thecodecode=thecode", ((RedirectView) result).getUrl());
+		assertEquals("https://anywhere.com/path?foo=b%20%3D&bar=f%20https://anywhere.com/path?foo=b%20%3D&bar=f%20$&code=thecodecode=thecode", ((RedirectView) result).getUrl());
 	}
 
 	@Test
 	public void testAuthorizationCodeWithMoreTrickyEncodedQueryParams() throws Exception {
 		endpoint.setAuthorizationCodeServices(new StubAuthorizationCodeServices());
 		AuthorizationRequest request = getAuthorizationRequest(
-				"foo", "http://anywhere/?t=a%3Db%26ep%3Dtest%2540test.me", null, null, Collections.singleton("code"));
+				"foo", "https://anywhere/?t=a%3Db%26ep%3Dtest%2540test.me", null, null, Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, request);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(request));
 		View result = endpoint.approveOrDeny(Collections.singletonMap(OAuth2Utils.USER_OAUTH_APPROVAL, "true"), model,
 				sessionStatus, principal);
-		assertEquals("http://anywhere/?t=a%3Db%26ep%3Dtest%2540test.me&code=thecode", ((RedirectView) result).getUrl());
+		assertEquals("https://anywhere/?t=a%3Db%26ep%3Dtest%2540test.me&code=thecode", ((RedirectView) result).getUrl());
 	}
 
 	@Test
@@ -262,10 +262,10 @@ public String createAuthorizationCode(OAuth2Authentication authentication) {
 		});
 		ModelAndView result = endpoint.authorize(
 				model,
-				getAuthorizationRequest("foo", "http://anywhere.com/", "mystate", "myscope",
+				getAuthorizationRequest("foo", "https://anywhere.com/", "mystate", "myscope",
 						Collections.singleton("code")).getRequestParameters(), sessionStatus, principal);
 		String url = ((RedirectView) result.getView()).getUrl();
-		assertTrue("Wrong view: " + result, url.startsWith("http://anywhere.com/"));
+		assertTrue("Wrong view: " + result, url.startsWith("https://anywhere.com/"));
 		assertTrue("No error: " + result, url.contains("?error="));
 		assertTrue("Wrong state: " + result, url.contains("&state=mystate"));
 
@@ -308,12 +308,12 @@ public boolean isApproved(AuthorizationRequest authorizationRequest, Authenticat
 				return true;
 			}
 		});
-		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "http://anywhere.com/", "mystate",
+		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "https://anywhere.com/", "mystate",
 				"myscope", Collections.singleton("token"));
 		ModelAndView result = endpoint.authorize(model, authorizationRequest.getRequestParameters(), sessionStatus,
 				principal);
 		String url = ((RedirectView) result.getView()).getUrl();
-		assertTrue("Wrong view: " + result, url.startsWith("http://anywhere.com/"));
+		assertTrue("Wrong view: " + result, url.startsWith("https://anywhere.com/"));
 		assertTrue("Wrong state: " + result, url.contains("&state=mystate"));
 		assertTrue("Wrong token: " + result, url.contains("access_token="));
 		assertTrue("Wrong token: " + result, url.contains("foo=bar"));
@@ -343,7 +343,7 @@ public boolean isApproved(AuthorizationRequest authorizationRequest, Authenticat
 				return true;
 			}
 		});
-		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "http://anywhere.com/", "mystate",
+		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "https://anywhere.com/", "mystate",
 				"myscope", Collections.singleton("token"));
 		ModelAndView result = endpoint.authorize(model, authorizationRequest.getRequestParameters(), sessionStatus,
 				principal);
@@ -364,7 +364,7 @@ public boolean isApproved(AuthorizationRequest authorizationRequest, Authenticat
 				return true;
 			}
 		});
-		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "http://anywhere.com/?foo=bar",
+		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "https://anywhere.com/?foo=bar",
 				"mystate", "myscope", Collections.singleton("token"));
 		ModelAndView result = endpoint.authorize(model, authorizationRequest.getRequestParameters(), sessionStatus,
 				principal);
@@ -386,7 +386,7 @@ public boolean isApproved(AuthorizationRequest authorizationRequest, Authenticat
 				return true;
 			}
 		});
-		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "http://anywhere.com/", "mystate",
+		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "https://anywhere.com/", "mystate",
 				"myscope", Collections.singleton("token"));
 		ModelAndView result = endpoint.authorize(model, authorizationRequest.getRequestParameters(), sessionStatus,
 				principal);
@@ -419,7 +419,7 @@ public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizati
 			}
 		});
 		client.setScope(Collections.singleton("read"));
-		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "http://anywhere.com/", "mystate",
+		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "https://anywhere.com/", "mystate",
 				null, Collections.singleton("token"));
 		ModelAndView result = endpoint.authorize(model, authorizationRequest.getRequestParameters(), sessionStatus,
 				principal);
@@ -450,12 +450,12 @@ public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizati
 			}
 		});
 		client.setScope(Collections.singleton("smallscope"));
-		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "http://anywhere.com/", "mystate",
+		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "https://anywhere.com/", "mystate",
 				"bigscope", Collections.singleton("token"));
 		ModelAndView result = endpoint.authorize(model, authorizationRequest.getRequestParameters(), sessionStatus,
 				principal);
 		String url = ((RedirectView) result.getView()).getUrl();
-		assertTrue("Wrong view: " + result, url.startsWith("http://anywhere.com/"));
+		assertTrue("Wrong view: " + result, url.startsWith("https://anywhere.com/"));
 	}
 
 	@Test
@@ -465,7 +465,7 @@ public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
 				return null;
 			}
 		});
-		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "http://anywhere.com/", "mystate",
+		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "https://anywhere.com/", "mystate",
 				"myscope", Collections.singleton("token"));
 		ModelAndView result = endpoint.authorize(model, authorizationRequest.getRequestParameters(), sessionStatus,
 				principal);
@@ -494,13 +494,13 @@ public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
 				return null;
 			}
 		});
-		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "http://anywhere.com/", "mystate",
+		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "https://anywhere.com/", "mystate",
 				"myscope", Collections.singleton("token"));
 		ModelAndView result = endpoint.authorize(model, authorizationRequest.getRequestParameters(), sessionStatus,
 				principal);
 
 		String url = ((RedirectView) result.getView()).getUrl();
-		assertTrue("Wrong view: " + result, url.startsWith("http://anywhere.com/"));
+		assertTrue("Wrong view: " + result, url.startsWith("https://anywhere.com/"));
 		assertTrue("No error: " + result, url.contains("#error="));
 		assertTrue("Wrong state: " + result, url.contains("&state=mystate"));
 
@@ -508,7 +508,7 @@ public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
 
 	@Test
 	public void testApproveOrDeny() throws Exception {
-		AuthorizationRequest request = getAuthorizationRequest("foo", "http://anywhere.com/", null, null,
+		AuthorizationRequest request = getAuthorizationRequest("foo", "https://anywhere.com/", null, null,
 				Collections.singleton("code"));
 		request.setApproved(true);
 		Map<String, String> approvalParameters = new HashMap<String, String>();
@@ -516,26 +516,26 @@ public void testApproveOrDeny() throws Exception {
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, request);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(request));
 		View result = endpoint.approveOrDeny(approvalParameters, model, sessionStatus, principal);
-		assertTrue("Wrong view: " + result, ((RedirectView) result).getUrl().startsWith("http://anywhere.com/"));
+		assertTrue("Wrong view: " + result, ((RedirectView) result).getUrl().startsWith("https://anywhere.com/"));
 	}
 
 	@Test
 	public void testApprovalDenied() throws Exception {
-		AuthorizationRequest request = getAuthorizationRequest("foo", "http://anywhere.com/", null, null, Collections.singleton("code"));
+		AuthorizationRequest request = getAuthorizationRequest("foo", "https://anywhere.com/", null, null, Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, request);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(request));
 		Map<String, String> approvalParameters = new HashMap<String, String>();
 		approvalParameters.put("user_oauth_approval", "false");
 		View result = endpoint.approveOrDeny(approvalParameters, model, sessionStatus, principal);
 		String url = ((RedirectView) result).getUrl();
-		assertTrue("Wrong view: " + result, url.startsWith("http://anywhere.com/"));
+		assertTrue("Wrong view: " + result, url.startsWith("https://anywhere.com/"));
 		assertTrue("Wrong view: " + result, url.contains("error=access_denied"));
 	}
 
 	@Test
 	public void testDirectApproval() throws Exception {
 		ModelAndView result = endpoint.authorize(model,
-				getAuthorizationRequest("foo", "http://anywhere.com/", null, "read", Collections.singleton("code"))
+				getAuthorizationRequest("foo", "https://anywhere.com/", null, "read", Collections.singleton("code"))
 						.getRequestParameters(), sessionStatus, principal);
 		// Should go to approval page (SECOAUTH-191)
 		assertFalse(result.getView() instanceof RedirectView);
@@ -550,7 +550,7 @@ public void testRedirectUriOptionalForAuthorization() throws Exception {
 		AuthorizationRequest authorizationRequest = (AuthorizationRequest) result.getModelMap().get(
 				AUTHORIZATION_REQUEST_ATTR_NAME);
 		assertNull(authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI));
-		assertEquals("http://anywhere.com/", authorizationRequest.getRedirectUri());
+		assertEquals("https://anywhere.com/", authorizationRequest.getRedirectUri());
 	}
 
 	/**
@@ -572,7 +572,7 @@ public void testApproveOrDenyWithOAuth2RequestWithoutRedirectUri() throws Except
 	@Test(expected = InvalidRequestException.class)
 	public void testApproveWithModifiedClientId() throws Exception {
 		AuthorizationRequest authorizationRequest = getAuthorizationRequest(
-				"foo", "http://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
+				"foo", "https://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, authorizationRequest);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(authorizationRequest));
 		authorizationRequest.setClientId("bar");		// Modify authorization request
@@ -584,7 +584,7 @@ public void testApproveWithModifiedClientId() throws Exception {
 	@Test(expected = InvalidRequestException.class)
 	public void testApproveWithModifiedState() throws Exception {
 		AuthorizationRequest authorizationRequest = getAuthorizationRequest(
-				"foo", "http://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
+				"foo", "https://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, authorizationRequest);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(authorizationRequest));
 		authorizationRequest.setState("state-5678");		// Modify authorization request
@@ -596,10 +596,10 @@ public void testApproveWithModifiedState() throws Exception {
 	@Test(expected = InvalidRequestException.class)
 	public void testApproveWithModifiedRedirectUri() throws Exception {
 		AuthorizationRequest authorizationRequest = getAuthorizationRequest(
-				"foo", "http://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
+				"foo", "https://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, authorizationRequest);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(authorizationRequest));
-		authorizationRequest.setRedirectUri("http://somewhere.com/");		// Modify authorization request
+		authorizationRequest.setRedirectUri("https://somewhere.com/");		// Modify authorization request
 		Map<String, String> approvalParameters = new HashMap<String, String>();
 		approvalParameters.put("user_oauth_approval", "true");
 		endpoint.approveOrDeny(approvalParameters, model, sessionStatus, principal);
@@ -608,7 +608,7 @@ public void testApproveWithModifiedRedirectUri() throws Exception {
 	@Test(expected = InvalidRequestException.class)
 	public void testApproveWithModifiedResponseTypes() throws Exception {
 		AuthorizationRequest authorizationRequest = getAuthorizationRequest(
-				"foo", "http://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
+				"foo", "https://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, authorizationRequest);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(authorizationRequest));
 		authorizationRequest.setResponseTypes(Collections.singleton("implicit"));		// Modify authorization request
@@ -620,7 +620,7 @@ public void testApproveWithModifiedResponseTypes() throws Exception {
 	@Test(expected = InvalidRequestException.class)
 	public void testApproveWithModifiedScope() throws Exception {
 		AuthorizationRequest authorizationRequest = getAuthorizationRequest(
-				"foo", "http://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
+				"foo", "https://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, authorizationRequest);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(authorizationRequest));
 		authorizationRequest.setScope(Arrays.asList("read", "write"));		// Modify authorization request
@@ -632,7 +632,7 @@ public void testApproveWithModifiedScope() throws Exception {
 	@Test(expected = InvalidRequestException.class)
 	public void testApproveWithModifiedApproved() throws Exception {
 		AuthorizationRequest authorizationRequest = getAuthorizationRequest(
-				"foo", "http://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
+				"foo", "https://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
 		authorizationRequest.setApproved(false);
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, authorizationRequest);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(authorizationRequest));
@@ -645,7 +645,7 @@ public void testApproveWithModifiedApproved() throws Exception {
 	@Test(expected = InvalidRequestException.class)
 	public void testApproveWithModifiedResourceIds() throws Exception {
 		AuthorizationRequest authorizationRequest = getAuthorizationRequest(
-				"foo", "http://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
+				"foo", "https://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, authorizationRequest);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(authorizationRequest));
 		authorizationRequest.setResourceIds(Collections.singleton("resource-other"));		// Modify authorization request
@@ -657,7 +657,7 @@ public void testApproveWithModifiedResourceIds() throws Exception {
 	@Test(expected = InvalidRequestException.class)
 	public void testApproveWithModifiedAuthorities() throws Exception {
 		AuthorizationRequest authorizationRequest = getAuthorizationRequest(
-				"foo", "http://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
+				"foo", "https://anywhere.com/", "state-1234", "read", Collections.singleton("code"));
 		model.put(AUTHORIZATION_REQUEST_ATTR_NAME, authorizationRequest);
 		model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, endpoint.unmodifiableMap(authorizationRequest));
 		authorizationRequest.setAuthorities(AuthorityUtils.commaSeparatedStringToAuthorityList("authority-other"));		// Modify authorization request
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/CheckTokenEndpointTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/CheckTokenEndpointTest.java
index 5c7dfd093..125afb4b1 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/CheckTokenEndpointTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/CheckTokenEndpointTest.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -25,8 +25,8 @@
 import java.util.HashMap;
 import java.util.Map;
 
-import static org.junit.Assert.*;
-import static org.mockito.Matchers.any;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
 import static org.mockito.Matchers.anyString;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -36,36 +36,29 @@
  */
 public class CheckTokenEndpointTest {
 	private CheckTokenEndpoint checkTokenEndpoint;
-	private AccessTokenConverter accessTokenConverter;
 
 	@Before
 	public void setUp() {
-		OAuth2AccessToken accessToken = mock(OAuth2AccessToken.class);
-		when(accessToken.isExpired()).thenReturn(false);
 		ResourceServerTokenServices resourceServerTokenServices = mock(ResourceServerTokenServices.class);
+		OAuth2AccessToken accessToken = mock(OAuth2AccessToken.class);
+		OAuth2Authentication authentication = mock(OAuth2Authentication.class);
 		when(resourceServerTokenServices.readAccessToken(anyString())).thenReturn(accessToken);
+		when(accessToken.isExpired()).thenReturn(false);
+		when(accessToken.getValue()).thenReturn("access-token-1234");
+		when(resourceServerTokenServices.loadAuthentication(accessToken.getValue())).thenReturn(authentication);
 		this.checkTokenEndpoint = new CheckTokenEndpoint(resourceServerTokenServices);
-		this.accessTokenConverter = mock(AccessTokenConverter.class);
-		when(this.accessTokenConverter.convertAccessToken(any(OAuth2AccessToken.class), any(OAuth2Authentication.class))).thenReturn(new HashMap());
-		this.checkTokenEndpoint.setAccessTokenConverter(new CheckTokenEndpoint.CheckTokenAccessTokenConverter(this.accessTokenConverter));
+
+		AccessTokenConverter accessTokenConverter = mock(AccessTokenConverter.class);
+		when(accessTokenConverter.convertAccessToken(accessToken, authentication)).thenReturn(new HashMap());
+		this.checkTokenEndpoint.setAccessTokenConverter(accessTokenConverter);
 	}
 
 	// gh-1070
 	@Test
-	public void checkTokenWhenDefaultAccessTokenConverterThenActiveAttributeReturned() throws Exception {
+	public void checkTokenWhenTokenValidThenReturnActiveAttribute() throws Exception {
 		Map<String, ?> response = this.checkTokenEndpoint.checkToken("access-token-1234");
 		Object active = response.get("active");
 		assertNotNull("active is null", active);
 		assertEquals("active not true", Boolean.TRUE, active);
 	}
-
-	// gh-1591
-	@Test
-	public void checkTokenWhenCustomAccessTokenConverterThenActiveAttributeNotReturned() throws Exception {
-		this.accessTokenConverter = mock(AccessTokenConverter.class);
-		when(this.accessTokenConverter.convertAccessToken(any(OAuth2AccessToken.class), any(OAuth2Authentication.class))).thenReturn(new HashMap());
-		this.checkTokenEndpoint.setAccessTokenConverter(this.accessTokenConverter);
-		Map<String, ?> response = this.checkTokenEndpoint.checkToken("access-token-1234");
-		assertNull("active is not null", response.get("active"));
-	}
-}
\ No newline at end of file
+}
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java
index b65967280..026301b80 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -15,20 +15,20 @@
  */
 package org.springframework.security.oauth2.provider.endpoint;
 
-import org.junit.Before;
-import org.junit.Test;
-import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
-import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
-import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
-import org.springframework.security.oauth2.provider.client.BaseClientDetails;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
 
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.fail;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
+import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
+import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
+import org.springframework.security.oauth2.provider.client.BaseClientDetails;
 
 /**
  * @author Dave Syer
@@ -48,22 +48,22 @@ public void setup() {
 
 	@Test
 	public void testRedirectMatchesRegisteredValue() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/"));
 		client.setRegisteredRedirectUri(redirectUris);
-		String requestedRedirect = "http://anywhere.com/";
+		String requestedRedirect = "https://anywhere.com/";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
 
 	@Test(expected = InvalidRequestException.class)
 	public void testRedirectWithNoRegisteredValue() throws Exception {
-		String requestedRedirect = "http://anywhere.com/myendpoint";
+		String requestedRedirect = "https://anywhere.com/myendpoint";
 		resolver.resolveRedirect(requestedRedirect, client);
 	}
 
 	// If only one redirect has been registered, then we should use it
 	@Test
 	public void testRedirectWithNoRequestedValue() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/"));
 		client.setRegisteredRedirectUri(redirectUris);
 		resolver.resolveRedirect(null, client);
 	}
@@ -71,14 +71,14 @@ public void testRedirectWithNoRequestedValue() throws Exception {
 	// If multiple redirects registered, then we should get an exception
 	@Test(expected = RedirectMismatchException.class)
 	public void testRedirectWithNoRequestedValueAndMultipleRegistered() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/", "http://nowhere.com/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/", "https://nowhere.com/"));
 		client.setRegisteredRedirectUri(redirectUris);
 		resolver.resolveRedirect(null, client);
 	}
 
 	@Test(expected = InvalidGrantException.class)
 	public void testNoGrantType() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/", "http://nowhere.com/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/", "https://nowhere.com/"));
 		client.setRegisteredRedirectUri(redirectUris);
 		client.setAuthorizedGrantTypes(Collections.<String>emptyList());
 		resolver.resolveRedirect(null, client);
@@ -86,7 +86,7 @@ public void testNoGrantType() throws Exception {
 
 	@Test(expected = InvalidGrantException.class)
 	public void testWrongGrantType() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/", "http://nowhere.com/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/", "https://nowhere.com/"));
 		client.setRegisteredRedirectUri(redirectUris);
 		client.setAuthorizedGrantTypes(Collections.singleton("client_credentials"));
 		resolver.resolveRedirect(null, client);
@@ -95,23 +95,23 @@ public void testWrongGrantType() throws Exception {
 	@Test(expected = InvalidGrantException.class)
 	public void testWrongCustomGrantType() throws Exception {
 		resolver.setRedirectGrantTypes(Collections.singleton("foo"));
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/", "http://nowhere.com/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/", "https://nowhere.com/"));
 		client.setRegisteredRedirectUri(redirectUris);
 		resolver.resolveRedirect(null, client);
 	}
 
 	@Test(expected = RedirectMismatchException.class)
 	public void testRedirectNotMatching() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://nowhere.com/"));
-		String requestedRedirect = "http://anywhere.com/myendpoint";
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://nowhere.com/"));
+		String requestedRedirect = "https://anywhere.com/myendpoint";
 		client.setRegisteredRedirectUri(redirectUris);
 		assertEquals(redirectUris.iterator().next(), resolver.resolveRedirect(requestedRedirect, client));
 	}
 
 	@Test(expected = RedirectMismatchException.class)
 	public void testRedirectNotMatchingWithTraversal() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/foo"));
-		String requestedRedirect = "http://anywhere.com/bar";
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/foo"));
+		String requestedRedirect = "https://anywhere.com/bar";
 		client.setRegisteredRedirectUri(redirectUris);
 		assertEquals(redirectUris.iterator().next(), resolver.resolveRedirect(requestedRedirect, client));
 	}
@@ -119,52 +119,61 @@ public void testRedirectNotMatchingWithTraversal() throws Exception {
 	// gh-1331
 	@Test(expected = RedirectMismatchException.class)
 	public void testRedirectNotMatchingWithHexEncodedTraversal() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/foo"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/foo"));
 		client.setRegisteredRedirectUri(redirectUris);
-		String requestedRedirect = "http://anywhere.com/";	// hexadecimal encoding of '..' represents '%2E%2E'
+		String requestedRedirect = "https://anywhere.com/";	// hexadecimal encoding of '..' represents '%2E%2E'
 		resolver.resolveRedirect(requestedRedirect, client);
 	}
 
 	// gh-747
 	@Test(expected = RedirectMismatchException.class)
 	public void testRedirectNotMatchingSubdomain() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/foo"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/foo"));
 		client.setRegisteredRedirectUri(redirectUris);
-		resolver.resolveRedirect("http://2anywhere.com/foo", client);
+		resolver.resolveRedirect("https://2anywhere.com/foo", client);
 	}
 
+	// gh-747
 	// gh-747
 	@Test
 	public void testRedirectMatchingSubdomain() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/foo"));
-		String requestedRedirect = "http://2.anywhere.com/foo";
+		resolver.setMatchSubdomains(true);
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/foo"));
+		String requestedRedirect = "https://2.anywhere.com/foo";
 		client.setRegisteredRedirectUri(redirectUris);
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
 
+	@Test(expected = RedirectMismatchException.class)
+	public void testRedirectMatchSubdomainsDefaultsFalse() {
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/"));
+		client.setRegisteredRedirectUri(redirectUris);
+		resolver.resolveRedirect("https://2.anywhere.com/", client);
+	}
+
 	// gh-746
 	@Test(expected = RedirectMismatchException.class)
 	public void testRedirectNotMatchingPort() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com:90/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com:90/"));
 		client.setRegisteredRedirectUri(redirectUris);
-		resolver.resolveRedirect("http://anywhere.com:91/foo", client);
+		resolver.resolveRedirect("https://anywhere.com:91/foo", client);
 	}
 
 	// gh-746
 	@Test
 	public void testRedirectMatchingPort() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com:90/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com:90/"));
 		client.setRegisteredRedirectUri(redirectUris);
-		String requestedRedirect = "http://anywhere.com:90/";
+		String requestedRedirect = "https://anywhere.com:90/";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
 
 	// gh-746
 	@Test(expected = RedirectMismatchException.class)
 	public void testRedirectRegisteredPortSetRequestedPortNotSet() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com:90/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com:90/"));
 		client.setRegisteredRedirectUri(redirectUris);
-		resolver.resolveRedirect("http://anywhere.com/foo", client);
+		resolver.resolveRedirect("https://anywhere.com/foo", client);
 	}
 
 	// gh-746
@@ -179,126 +188,135 @@ public void testRedirectRegisteredPortNotSetRequestedPortSet() throws Exception
 	@Test
 	public void testRedirectMatchPortsFalse() throws Exception {
 		resolver.setMatchPorts(false);
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com:90/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com:90/"));
 		client.setRegisteredRedirectUri(redirectUris);
-		String requestedRedirect = "http://anywhere.com:91/";
+		String requestedRedirect = "https://anywhere.com:91/";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
 
 	// gh-1386
 	@Test
 	public void testRedirectNotMatchingReturnsGenericErrorMessage() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://nowhere.com/"));
-		String requestedRedirect = "http://anywhere.com/myendpoint";
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://nowhere.com/"));
+		String requestedRedirect = "https://anywhere.com/myendpoint";
 		client.setRegisteredRedirectUri(redirectUris);
 		try {
 			resolver.resolveRedirect(requestedRedirect, client);
 			fail();
 		} catch (RedirectMismatchException ex) {
-			assertEquals("Invalid redirect: http://anywhere.com/myendpoint does not match one of the registered values.", ex.getMessage());
+			assertEquals("Invalid redirect uri does not match one of the registered values.", ex.getMessage());
 		}
 	}
 
 	// gh-1566
 	@Test(expected = RedirectMismatchException.class)
 	public void testRedirectRegisteredUserInfoNotMatching() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://userinfo@anywhere.com/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://userinfo@anywhere.com/"));
 		client.setRegisteredRedirectUri(redirectUris);
-		resolver.resolveRedirect("http://otheruserinfo@anywhere.com/", client);
+		resolver.resolveRedirect("https://otheruserinfo@anywhere.com/", client);
 	}
 
 	// gh-1566
 	@Test(expected = RedirectMismatchException.class)
 	public void testRedirectRegisteredNoUserInfoNotMatching() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://userinfo@anywhere.com/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://userinfo@anywhere.com/"));
 		client.setRegisteredRedirectUri(redirectUris);
-		resolver.resolveRedirect("http://anywhere.com/", client);
+		resolver.resolveRedirect("https://anywhere.com/", client);
 	}
 
 	// gh-1566
 	@Test()
 	public void testRedirectRegisteredUserInfoMatching() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://userinfo@anywhere.com/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://userinfo@anywhere.com/"));
 		client.setRegisteredRedirectUri(redirectUris);
-		String requestedRedirect = "http://userinfo@anywhere.com/";
+		String requestedRedirect = "https://userinfo@anywhere.com/";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
 
 	// gh-1566
 	@Test()
 	public void testRedirectRegisteredFragmentIgnoredAndStripped() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://userinfo@anywhere.com/foo/bar#baz"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://userinfo@anywhere.com/foo/bar#baz"));
 		client.setRegisteredRedirectUri(redirectUris);
-		String requestedRedirect = "http://userinfo@anywhere.com/foo/bar";
+		String requestedRedirect = "https://userinfo@anywhere.com/foo/bar";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect + "#bar", client));
 	}
 
 	// gh-1566
 	@Test()
 	public void testRedirectRegisteredQueryParamsMatching() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/?p1=v1&p2=v2"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/?p1=v1&p2=v2"));
 		client.setRegisteredRedirectUri(redirectUris);
-		String requestedRedirect = "http://anywhere.com/?p1=v1&p2=v2";
+		String requestedRedirect = "https://anywhere.com/?p1=v1&p2=v2";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
 
 	// gh-1566
 	@Test()
 	public void testRedirectRegisteredQueryParamsMatchingIgnoringAdditionalParams() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/?p1=v1&p2=v2"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/?p1=v1&p2=v2"));
 		client.setRegisteredRedirectUri(redirectUris);
-		String requestedRedirect = "http://anywhere.com/?p1=v1&p2=v2&p3=v3";
+		String requestedRedirect = "https://anywhere.com/?p1=v1&p2=v2&p3=v3";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
 
 	// gh-1566
 	@Test()
 	public void testRedirectRegisteredQueryParamsMatchingDifferentOrder() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/?p1=v1&p2=v2"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/?p1=v1&p2=v2"));
 		client.setRegisteredRedirectUri(redirectUris);
-		String requestedRedirect = "http://anywhere.com/?p2=v2&p1=v1";
+		String requestedRedirect = "https://anywhere.com/?p2=v2&p1=v1";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
 
 	// gh-1566
 	@Test(expected = RedirectMismatchException.class)
 	public void testRedirectRegisteredQueryParamsWithDifferentValues() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/?p1=v1&p2=v2"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/?p1=v1&p2=v2"));
 		client.setRegisteredRedirectUri(redirectUris);
-		resolver.resolveRedirect("http://anywhere.com/?p1=v1&p2=v3", client);
+		resolver.resolveRedirect("https://anywhere.com/?p1=v1&p2=v3", client);
 	}
 
 	// gh-1566
 	@Test(expected = RedirectMismatchException.class)
 	public void testRedirectRegisteredQueryParamsNotMatching() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/?p1=v1"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/?p1=v1"));
 		client.setRegisteredRedirectUri(redirectUris);
-		resolver.resolveRedirect("http://anywhere.com/?p2=v2", client);
+		resolver.resolveRedirect("https://anywhere.com/?p2=v2", client);
 	}
 
 	// gh-1566
 	@Test(expected = RedirectMismatchException.class)
 	public void testRedirectRegisteredQueryParamsPartiallyMatching() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/?p1=v1&p2=v2"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/?p1=v1&p2=v2"));
 		client.setRegisteredRedirectUri(redirectUris);
-		resolver.resolveRedirect("http://anywhere.com/?p2=v2&p3=v3", client);
+		resolver.resolveRedirect("https://anywhere.com/?p2=v2&p3=v3", client);
 	}
 
 	// gh-1566
 	@Test
 	public void testRedirectRegisteredQueryParamsMatchingWithMultipleValuesInRegistered() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/?p1=v11&p1=v12"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/?p1=v11&p1=v12"));
 		client.setRegisteredRedirectUri(redirectUris);
-		String requestedRedirect = "http://anywhere.com/?p1=v11&p1=v12";
+		String requestedRedirect = "https://anywhere.com/?p1=v11&p1=v12";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
 
 	// gh-1566
 	@Test
 	public void testRedirectRegisteredQueryParamsMatchingWithParamWithNoValue() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/?p1&p2=v2"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/?p1&p2=v2"));
+		client.setRegisteredRedirectUri(redirectUris);
+		String requestedRedirect = "https://anywhere.com/?p1&p2=v2";
+		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
+	}
+
+	// gh-1618
+	@Test
+	public void testRedirectNoHost() {
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("scheme:/path"));
 		client.setRegisteredRedirectUri(redirectUris);
-		String requestedRedirect = "http://anywhere.com/?p1&p2=v2";
+		String requestedRedirect = "scheme:/path";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
 }
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/ExactMatchRedirectResolverTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/ExactMatchRedirectResolverTests.java
index 1e387efa3..fc2d48ace 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/ExactMatchRedirectResolverTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/ExactMatchRedirectResolverTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -40,15 +40,15 @@ public class ExactMatchRedirectResolverTests {
 
 	@Test ( expected = RedirectMismatchException.class )
 	public void testRedirectNotMatching() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/"));
-		String requestedRedirect = "http://anywhere.com/myendpoint";
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/"));
+		String requestedRedirect = "https://anywhere.com/myendpoint";
 		client.setRegisteredRedirectUri(redirectUris);
 		assertEquals(redirectUris.iterator().next(), resolver.resolveRedirect(requestedRedirect, client));
 	}
 
 	@Test(expected = InvalidRequestException.class)
 	public void testRedirectWithNoRegisteredValue() throws Exception {
-		String requestedRedirect = "http://anywhere.com/myendpoint";
+		String requestedRedirect = "https://anywhere.com/myendpoint";
 		resolver.resolveRedirect(requestedRedirect, client);
 	}
 
@@ -56,7 +56,7 @@ public void testRedirectWithNoRegisteredValue() throws Exception {
 	// If not we should expect a Oauth2Exception.
 	@Test ( expected = OAuth2Exception.class )
 	public void testRedirectWithNoRequestedValue() throws Exception {
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://anywhere.com/", "http://nowhere.com/"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("https://anywhere.com/", "https://nowhere.com/"));
 		client.setRegisteredRedirectUri(redirectUris);
 		resolver.resolveRedirect(null, client);
 	}
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpointHandlerMappingTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpointHandlerMappingTests.java
index e3b89090c..8f83ebc19 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpointHandlerMappingTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpointHandlerMappingTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilterTests.java
index 954b1b5d9..154dbb5b8 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilterTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilterTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointTests.java
index ed98ad138..5b5099b63 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -45,6 +45,7 @@
 import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
+import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
 import org.springframework.security.oauth2.common.util.OAuth2Utils;
 import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
@@ -217,4 +218,41 @@ public void testGetAccessTokenReturnsHeaderContentTypeJson() throws Exception {
 		assertEquals(HttpStatus.OK, response.getStatusCode());
 		assertEquals("application/json;charset=UTF-8", response.getHeaders().get("Content-Type").iterator().next());
 	}
+
+	@Test(expected = InvalidRequestException.class)
+	public void testRefreshTokenGrantTypeWithoutRefreshTokenParameter() throws Exception {
+		when(clientDetailsService.loadClientByClientId(clientId)).thenReturn(clientDetails);
+
+		HashMap<String, String> parameters = new HashMap<String, String>();
+		parameters.put("client_id", clientId);
+		parameters.put("scope", "read");
+		parameters.put("grant_type", "refresh_token");
+
+		when(authorizationRequestFactory.createTokenRequest(any(Map.class), eq(clientDetails))).thenReturn(
+				createFromParameters(parameters));
+
+		endpoint.postAccessToken(clientAuthentication, parameters);
+	}
+
+	@Test
+	public void testGetAccessTokenWithRefreshToken() throws Exception {
+		when(clientDetailsService.loadClientByClientId(clientId)).thenReturn(clientDetails);
+
+		HashMap<String, String> parameters = new HashMap<String, String>();
+		parameters.put("client_id", clientId);
+		parameters.put("scope", "read");
+		parameters.put("grant_type", "refresh_token");
+		parameters.put("refresh_token", "kJAHDFG");
+
+		OAuth2AccessToken expectedToken = new DefaultOAuth2AccessToken("FOO");
+
+		when(tokenGranter.grant(eq("refresh_token"), any(TokenRequest.class))).thenReturn(expectedToken);
+
+		when(authorizationRequestFactory.createTokenRequest(any(Map.class), eq(clientDetails))).thenReturn(
+				createFromParameters(parameters));
+
+		ResponseEntity<OAuth2AccessToken> response = endpoint.postAccessToken(clientAuthentication, parameters);
+
+		assertEquals(expectedToken, response.getBody());
+	}
 }
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelApprovalEndpointTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelApprovalEndpointTests.java
index b37b75306..f4c408dc7 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelApprovalEndpointTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelApprovalEndpointTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelErrorEndpointTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelErrorEndpointTests.java
index 722ec5e0c..f97741a20 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelErrorEndpointTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelErrorEndpointTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/error/DefaultWebResponseExceptionTranslatorTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/error/DefaultWebResponseExceptionTranslatorTests.java
index a761308fc..89ed1bc08 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/error/DefaultWebResponseExceptionTranslatorTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/error/DefaultWebResponseExceptionTranslatorTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/error/OAuth2AccessDeniedHandlerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/error/OAuth2AccessDeniedHandlerTests.java
index b03239049..021e534b8 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/error/OAuth2AccessDeniedHandlerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/error/OAuth2AccessDeniedHandlerTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/error/OAuth2AuthenticationEntryPointTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/error/OAuth2AuthenticationEntryPointTests.java
index cba776763..71d708188 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/error/OAuth2AuthenticationEntryPointTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/error/OAuth2AuthenticationEntryPointTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/expression/OAuth2MethodSecurityExpressionHandlerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/expression/OAuth2MethodSecurityExpressionHandlerTests.java
index a5f6eddc2..5caf36640 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/expression/OAuth2MethodSecurityExpressionHandlerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/expression/OAuth2MethodSecurityExpressionHandlerTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/expression/OAuth2SecurityExpressionMethodsTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/expression/OAuth2SecurityExpressionMethodsTests.java
index 87e400d6f..3a34da46b 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/expression/OAuth2SecurityExpressionMethodsTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/expression/OAuth2SecurityExpressionMethodsTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/expression/OAuth2WebSecurityExpressionHandlerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/expression/OAuth2WebSecurityExpressionHandlerTests.java
index d866755e3..55acf56e7 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/expression/OAuth2WebSecurityExpressionHandlerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/expression/OAuth2WebSecurityExpressionHandlerTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/implicit/InMemoryImplicitGrantServiceTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/implicit/InMemoryImplicitGrantServiceTests.java
index 15852a7aa..74490bcc8 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/implicit/InMemoryImplicitGrantServiceTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/implicit/InMemoryImplicitGrantServiceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranterTests.java
index 160669744..123801f15 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranterTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranterTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -30,6 +30,7 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
@@ -167,4 +168,14 @@ public void testUnauthenticated() {
 		granter.grant("password", tokenRequest);
 	}
 
+	@Test(expected = InvalidGrantException.class)
+	public void testUsernameNotFound() {
+		ResourceOwnerPasswordTokenGranter granter = new ResourceOwnerPasswordTokenGranter(new AuthenticationManager() {
+			@Override
+			public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
+				throw new UsernameNotFoundException("test");
+			}
+		}, providerTokenServices, clientDetailsService, requestFactory);
+		granter.grant("password", tokenRequest);
+	}
 }
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranterTests.java
new file mode 100644
index 000000000..77433140c
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranterTests.java
@@ -0,0 +1,124 @@
+package org.springframework.security.oauth2.provider.refresh;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.LockedException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
+import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
+import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.provider.ClientDetails;
+import org.springframework.security.oauth2.provider.ClientDetailsService;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
+import org.springframework.security.oauth2.provider.TokenRequest;
+import org.springframework.security.oauth2.provider.client.BaseClientDetails;
+import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
+import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
+import org.springframework.security.oauth2.provider.token.TokenStore;
+import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.junit.Assert.assertTrue;
+
+public class RefreshTokenGranterTests {
+
+	private Authentication validUser = new UsernamePasswordAuthenticationToken("foo", "bar",
+			Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
+
+	private AuthenticationManager authenticationManager = new AuthenticationManager() {
+		public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+			return validUser;
+		}
+	};
+
+	private BaseClientDetails client = new BaseClientDetails("foo", "resource", "scope", "refresh_token", "ROLE_USER");
+
+	private TokenStore tokenStore = new InMemoryTokenStore();
+	private DefaultTokenServices providerTokenServices = new DefaultTokenServices();
+
+	private ClientDetailsService clientDetailsService = new ClientDetailsService() {
+		public ClientDetails loadClientByClientId(String clientId) throws OAuth2Exception {
+			return client;
+		}
+	};
+
+	private OAuth2RequestFactory requestFactory = new DefaultOAuth2RequestFactory(clientDetailsService);
+
+	private OAuth2AccessToken accessToken;
+
+	private TokenRequest validRefreshTokenRequest;
+
+	@Before
+	public void setUp() {
+		String clientId = "client";
+		BaseClientDetails clientDetails = new BaseClientDetails();
+		clientDetails.setClientId(clientId);
+
+		providerTokenServices.setTokenStore(tokenStore);
+		providerTokenServices.setSupportRefreshToken(true);
+		providerTokenServices.setAuthenticationManager(authenticationManager);
+		// Create access token to refresh
+		accessToken = providerTokenServices.createAccessToken(new OAuth2Authentication(requestFactory.createOAuth2Request(client, requestFactory.createTokenRequest(Collections.<String, String>emptyMap(), clientDetails)), validUser));
+		validRefreshTokenRequest = createRefreshTokenRequest(accessToken.getRefreshToken().getValue());
+	}
+
+	private TokenRequest createRefreshTokenRequest(String refreshToken) {
+		Map<String, String> parameters = new HashMap<String, String>();
+		parameters.put("grant_type", "refresh_token");
+		parameters.put("refresh_token", refreshToken);
+		return requestFactory.createTokenRequest(parameters, client);
+	}
+
+	@Test
+	public void testSunnyDay() {
+		RefreshTokenGranter granter = new RefreshTokenGranter(providerTokenServices, clientDetailsService, requestFactory);
+		OAuth2AccessToken token = granter.grant("refresh_token", validRefreshTokenRequest);
+		OAuth2Authentication authentication = providerTokenServices.loadAuthentication(token.getValue());
+		assertTrue(authentication.isAuthenticated());
+	}
+
+	@Test(expected = InvalidGrantException.class)
+	public void testBadCredentials() {
+		RefreshTokenGranter granter = new RefreshTokenGranter(providerTokenServices, clientDetailsService, requestFactory);
+		granter.grant("refresh_token", createRefreshTokenRequest(accessToken.getRefreshToken().getValue() + "invalid_token"));
+	}
+
+	@Test(expected = InvalidClientException.class)
+	public void testGrantTypeNotSupported() {
+		RefreshTokenGranter granter = new RefreshTokenGranter(providerTokenServices, clientDetailsService, requestFactory);
+		client.setAuthorizedGrantTypes(Collections.singleton("client_credentials"));
+		granter.grant("refresh_token", validRefreshTokenRequest);
+	}
+
+	@Test(expected = InvalidGrantException.class)
+	public void testAccountLocked() {
+		providerTokenServices.setAuthenticationManager(new AuthenticationManager() {
+			public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+				throw new LockedException("test");
+			}
+		});
+		RefreshTokenGranter granter = new RefreshTokenGranter(providerTokenServices, clientDetailsService, requestFactory);
+		granter.grant("refresh_token", validRefreshTokenRequest);
+	}
+
+	@Test(expected = InvalidGrantException.class)
+	public void testUsernameNotFound() {
+		providerTokenServices.setAuthenticationManager(new AuthenticationManager() {
+			public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+				throw new UsernameNotFoundException("test");
+			}
+		});
+		RefreshTokenGranter granter = new RefreshTokenGranter(providerTokenServices, clientDetailsService, requestFactory);
+		granter.grant("refresh_token", validRefreshTokenRequest);
+	}
+}
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/request/DefaultAuthorizationRequestFactoryTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/request/DefaultAuthorizationRequestFactoryTests.java
index 61daf0520..1909b8b53 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/request/DefaultAuthorizationRequestFactoryTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/request/DefaultAuthorizationRequestFactoryTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestValidatorTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestValidatorTests.java
index f485055d4..482009c07 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestValidatorTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestValidatorTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/test/OAuth2RequestTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/test/OAuth2RequestTests.java
index 886efe82d..edfcd2bd9 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/test/OAuth2RequestTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/test/OAuth2RequestTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/AbstractDefaultTokenServicesTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/AbstractDefaultTokenServicesTests.java
index f5c071437..61b356122 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/AbstractDefaultTokenServicesTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/AbstractDefaultTokenServicesTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultAccessTokenConverterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultAccessTokenConverterTests.java
index 75758d1c9..059a28e66 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultAccessTokenConverterTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultAccessTokenConverterTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGeneratorTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGeneratorTest.java
index 09ffcfbbc..d66cd1b59 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGeneratorTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGeneratorTest.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesAuthoritiesChangeTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesAuthoritiesChangeTests.java
index 48edeb1c2..e650c5210 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesAuthoritiesChangeTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesAuthoritiesChangeTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesTests.java
index 7eda9601b..f371f4cd7 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesTests.java
@@ -1,11 +1,32 @@
 package org.springframework.security.oauth2.provider.token;
 
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
+import org.mockito.ArgumentCaptor;
 import org.mockito.Mockito;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
+import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
+import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.OAuth2RefreshToken;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.TokenRequest;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+
+import java.util.Arrays;
 
 public class DefaultTokenServicesTests {
 
@@ -29,5 +50,94 @@ public void testAccidentalNullAuthentication() {
 				.thenReturn(null);
 		services.loadAuthentication("FOO");
 	}
+	
+	@Test
+	public void testRefreshAccessTokenWithReauthentication() {
+		UserDetails user = createMockUser("joeuser", "PROCESSOR");
+		UserDetailsService userDetailsService = Mockito.mock(UserDetailsService.class);
+
+		Mockito
+				.when(tokenStore.readRefreshToken(Mockito.anyString()))
+				.thenReturn(new DefaultOAuth2RefreshToken("FOO"));
+
+		Mockito
+				.when(tokenStore.readAuthenticationForRefreshToken(Mockito.any(OAuth2RefreshToken.class)))
+				.thenReturn(createMockOAuth2Authentication("myclient", user, "some more details"));
+
+		Mockito
+				.when(userDetailsService.loadUserByUsername(Mockito.anyString()))
+				.thenReturn(user);
+
+		services.setSupportRefreshToken(true);
+		services.setAuthenticationManager(createAuthenticationManager(userDetailsService));
+		
+		OAuth2AccessToken refreshedAccessToken = services.refreshAccessToken("FOO", createMockTokenRequest("myclient"));
+
+		ArgumentCaptor<OAuth2Authentication> refreshedAuthenticationCaptor = ArgumentCaptor.forClass(OAuth2Authentication.class);
+		
+		Mockito.verify(tokenStore).storeAccessToken(Mockito.eq(refreshedAccessToken), refreshedAuthenticationCaptor.capture());
+		
+		OAuth2Authentication refreshedAuthentication = refreshedAuthenticationCaptor.getValue();
+		Authentication authentication = refreshedAuthentication.getUserAuthentication();
+		Assert.assertEquals(user, authentication.getPrincipal());
+		Assert.assertEquals("some more details", authentication.getDetails());
+	}
+
+	@Test
+	public void testRefreshAccessTokenWithoutReauthentication() {
+
+		UserDetails user = createMockUser("joeuser", "PROCESSOR");
+
+		Mockito
+				.when(tokenStore.readRefreshToken(Mockito.anyString()))
+				.thenReturn(new DefaultOAuth2RefreshToken("FOO"));
+
+		Mockito
+				.when(tokenStore.readAuthenticationForRefreshToken(Mockito.any(OAuth2RefreshToken.class)))
+				.thenReturn(createMockOAuth2Authentication("myclient", user, "some more details"));
+
+		services.setSupportRefreshToken(true);
+		services.setAuthenticationManager(null);
+
+		OAuth2AccessToken refreshedAccessToken = services.refreshAccessToken("FOO", createMockTokenRequest("myclient"));
 
+		ArgumentCaptor<OAuth2Authentication> refreshedAuthenticationCaptor = ArgumentCaptor.forClass(OAuth2Authentication.class);
+
+		Mockito.verify(tokenStore).storeAccessToken(Mockito.eq(refreshedAccessToken), refreshedAuthenticationCaptor.capture());
+
+		OAuth2Authentication refreshedAuthentication = refreshedAuthenticationCaptor.getValue();
+		Authentication authentication = refreshedAuthentication.getUserAuthentication();
+		Assert.assertEquals(user, authentication.getPrincipal());
+		Assert.assertEquals("some more details", authentication.getDetails());
+	}
+	
+	private AuthenticationManager createAuthenticationManager(UserDetailsService userDetailsService) {
+		PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
+		provider.setPreAuthenticatedUserDetailsService(
+				new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService)
+		);
+		return new ProviderManager(Arrays.<AuthenticationProvider> asList(provider));
+	}
+
+	private TokenRequest createMockTokenRequest(String clientId) {
+		return new TokenRequest(null, clientId, null, null);
+	}
+
+	private OAuth2Request createMockOAuth2Request(String clientId) {
+		return new OAuth2Request(null, clientId, null, true, null, null, null, null, null);
+	}
+	
+	private OAuth2Authentication createMockOAuth2Authentication(String clientId, UserDetails user, String extraDetails) {
+		return new OAuth2Authentication(createMockOAuth2Request(clientId), createMockUserAuthentication(user, extraDetails));
+	}
+
+	private UsernamePasswordAuthenticationToken createMockUserAuthentication(UserDetails user, Object extraDetails) {
+		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user, "", user.getAuthorities());
+		token.setDetails(extraDetails);
+		return token;
+	}
+	
+	private UserDetails createMockUser(String username, String ... roles) {
+		return new User(username, "", AuthorityUtils.createAuthorityList(roles));
+	}
 }
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesWithJwtTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesWithJwtTests.java
index b7753f9b8..a7d6f31e4 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesWithJwtTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesWithJwtTests.java
@@ -84,4 +84,41 @@ public void testDoubleRefresh() throws Exception {
 				refreshTokenInfo.get(AccessTokenConverter.ATI));
 	}
 
+	// gh-1109
+	@Test
+	public void testReuseRefreshToken() {
+		getTokenServices().setReuseRefreshToken(true);
+
+		OAuth2Authentication authentication = createAuthentication();
+		OAuth2AccessToken accessToken = getTokenServices().createAccessToken(authentication);
+		ExpiringOAuth2RefreshToken refreshToken = (ExpiringOAuth2RefreshToken) accessToken.getRefreshToken();
+
+		TokenRequest tokenRequest = new TokenRequest(
+				Collections.singletonMap("client_id", "id"), "id", null, null);
+		OAuth2AccessToken refreshedAccessToken = getTokenServices().refreshAccessToken(
+				refreshToken.getValue(), tokenRequest);
+
+		JsonParser parser = JsonParserFactory.create();
+		Map<String, ?> accessTokenClaims = parser.parseMap(
+				JwtHelper.decode(refreshedAccessToken.getValue()).getClaims());
+		Map<String, ?> refreshTokenClaims = parser.parseMap(
+				JwtHelper.decode(refreshedAccessToken.getRefreshToken().getValue()).getClaims());
+
+		assertEquals("Access token ID (JTI) does not match refresh token ATI",
+				accessTokenClaims.get(AccessTokenConverter.JTI),
+				refreshTokenClaims.get(AccessTokenConverter.ATI));
+
+		Map<String, ?> previousRefreshTokenClaims = parser.parseMap(
+				JwtHelper.decode(refreshToken.getValue()).getClaims());
+
+		// The ATI claim in the refresh token is a reference to the JTI claim in the access token.
+		// So when an access token is refreshed, the ATI claim in the refresh token needs to be updated
+		// to the JTI claim in the refreshed access token.
+		// Therefore, if DefaultTokenServices.reuseRefreshToken == true,
+		// then all claims in the previous and current refresh token
+		// should be equal minus the ATI claim
+		previousRefreshTokenClaims.remove(AccessTokenConverter.ATI);
+		refreshTokenClaims.remove(AccessTokenConverter.ATI);
+		assertEquals("Refresh token not re-used", previousRefreshTokenClaims, refreshTokenClaims);
+	}
 }
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverterTests.java
index 647324ddc..237d7e563 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverterTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverterTests.java
@@ -8,6 +8,7 @@
 
 import org.junit.Test;
 import org.mockito.Mockito;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.User;
@@ -59,4 +60,50 @@ public void shouldExtractAuthenticationWhenUserDetailsProvided() throws Exceptio
 
 		assertEquals("ROLE_SPAM", authentication.getAuthorities().iterator().next().toString());
 	}
+
+	@Test
+	public void shouldExtractWithDefaultUsernameClaimWhenNotSet() throws Exception {
+		Map<String, Object> map = new HashMap<String, Object>();
+		map.put(UserAuthenticationConverter.USERNAME, "test_user");
+
+		Authentication authentication = converter.extractAuthentication(map);
+
+		assertEquals("test_user", authentication.getPrincipal());
+	}
+
+	@Test
+	public void shouldConvertUserWithDefaultUsernameClaimWhenNotSet() throws Exception {
+		Authentication authentication = new UsernamePasswordAuthenticationToken("test_user", "");
+
+		Map<String, ?> map = converter.convertUserAuthentication(authentication);
+
+		assertEquals("test_user", map.get(UserAuthenticationConverter.USERNAME));
+	}
+
+	@Test
+	public void shouldExtractWithCustomUsernameClaimWhenSet() throws Exception {
+		String customUserClaim = "custom_user_name";
+		DefaultUserAuthenticationConverter converter = new DefaultUserAuthenticationConverter();
+		converter.setUserClaimName(customUserClaim);
+
+		Map<String, Object> map = new HashMap<String, Object>();
+		map.put(customUserClaim, "test_user");
+
+		Authentication authentication = converter.extractAuthentication(map);
+
+		assertEquals("test_user", authentication.getPrincipal());
+	}
+
+	@Test
+	public void shouldConvertUserWithCustomUsernameClaimWhenSet() throws Exception {
+		String customUserClaim = "custom_user_name";
+		DefaultUserAuthenticationConverter converter = new DefaultUserAuthenticationConverter();
+		converter.setUserClaimName(customUserClaim);
+
+		Authentication authentication = new UsernamePasswordAuthenticationToken("test_user", "");
+
+		Map<String, ?> map = converter.convertUserAuthentication(authentication);
+
+		assertEquals("test_user", map.get(customUserClaim));
+	}
 }
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/RemoteTokenServicesTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/RemoteTokenServicesTest.java
index 5d156fbeb..4eaaecb8c 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/RemoteTokenServicesTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/RemoteTokenServicesTest.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -17,6 +17,7 @@
 
 import org.junit.Before;
 import org.junit.Test;
+import org.mockito.ArgumentCaptor;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
@@ -26,8 +27,10 @@
 import org.springframework.web.client.RestTemplate;
 
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anyString;
@@ -51,6 +54,27 @@ public void setUp() {
 		this.remoteTokenServices.setCheckTokenEndpointUrl(DEFAULT_CHECK_TOKEN_ENDPOINT_URI);
 	}
 
+	// gh-974
+	@Test
+	public void loadAuthenticationWhenAdditionalQueryParametersProvidedThenReturnAuthentication() {
+		Map additionalParameters = new HashMap();
+		additionalParameters.put("apiKey", "some-api-key");
+		this.remoteTokenServices.setAdditionalParameters(additionalParameters);
+
+		Map responseAttrs = new HashMap();
+		responseAttrs.put("active", true);		// "active" is the only required attribute as per RFC 7662 (https://tools.ietf.org/search/rfc7662#section-2.2)
+		ResponseEntity<Map> response = new ResponseEntity<Map>(responseAttrs, HttpStatus.OK);
+		RestTemplate restTemplate = mock(RestTemplate.class);
+		ArgumentCaptor<HttpEntity> requestEntityCaptor = ArgumentCaptor.forClass(HttpEntity.class);
+		when(restTemplate.exchange(anyString(), any(HttpMethod.class), requestEntityCaptor.capture(), any(Class.class))).thenReturn(response);
+		this.remoteTokenServices.setRestTemplate(restTemplate);
+
+		OAuth2Authentication authentication = this.remoteTokenServices.loadAuthentication("access-token-1234");
+		assertNotNull(authentication);
+		Map formParameters = (Map) requestEntityCaptor.getValue().getBody();
+		assertEquals("some-api-key", ((List) formParameters.get("apiKey")).get(0));
+	}
+
 	// gh-838
 	@Test
 	public void loadAuthenticationWhenIntrospectionResponseContainsActiveTrueBooleanThenReturnAuthentication() throws Exception {
@@ -78,6 +102,16 @@ public void loadAuthenticationWhenIntrospectionResponseContainsActiveTrueStringT
 		assertNotNull(authentication);
 	}
 
+	@Test(expected = InvalidTokenException.class)
+	public void loadAuthenticationWhenIntrospectionResponseNullThenThrowInvalidTokenException() throws Exception {
+		ResponseEntity<Map> response = new ResponseEntity<Map>(HttpStatus.REQUEST_TIMEOUT);
+		RestTemplate restTemplate = mock(RestTemplate.class);
+		when(restTemplate.exchange(anyString(), any(HttpMethod.class), any(HttpEntity.class), any(Class.class))).thenReturn(response);
+		this.remoteTokenServices.setRestTemplate(restTemplate);
+
+		this.remoteTokenServices.loadAuthentication("access-token-1234");
+	}
+
 	// gh-838
 	@Test(expected = InvalidTokenException.class)
 	public void loadAuthenticationWhenIntrospectionResponseContainsActiveFalseThenThrowInvalidTokenException() throws Exception {
@@ -95,6 +129,7 @@ public void loadAuthenticationWhenIntrospectionResponseContainsActiveFalseThenTh
 	@Test
 	public void loadAuthenticationWhenIntrospectionResponseMissingActiveAttributeThenReturnAuthentication() throws Exception {
 		Map responseAttrs = new HashMap();
+		responseAttrs.put("attr1", "value1");
 		ResponseEntity<Map> response = new ResponseEntity<Map>(responseAttrs, HttpStatus.OK);
 		RestTemplate restTemplate = mock(RestTemplate.class);
 		when(restTemplate.exchange(anyString(), any(HttpMethod.class), any(HttpEntity.class), any(Class.class))).thenReturn(response);
@@ -103,4 +138,4 @@ public void loadAuthenticationWhenIntrospectionResponseMissingActiveAttributeThe
 		OAuth2Authentication authentication = this.remoteTokenServices.loadAuthentication("access-token-1234");
 		assertNotNull(authentication);
 	}
-}
\ No newline at end of file
+}
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/TokenServicesWithTokenEnhancerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/TokenServicesWithTokenEnhancerTests.java
index 680653077..999bd3dea 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/TokenServicesWithTokenEnhancerTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/TokenServicesWithTokenEnhancerTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/IssuerClaimVerifierTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/IssuerClaimVerifierTest.java
index 7e340be62..aef5706b8 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/IssuerClaimVerifierTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/IssuerClaimVerifierTest.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStoreTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStoreTests.java
index ffd13fb83..f02c50687 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStoreTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStoreTests.java
@@ -1,9 +1,13 @@
 package org.springframework.security.oauth2.provider.token.store;
 
-import static org.junit.Assert.assertEquals;
-
+import java.util.ArrayList;
 import java.util.Collection;
 
+import java.util.List;
+
+import org.company.oauth2.CustomAuthentication;
+import org.company.oauth2.CustomOAuth2AccessToken;
+import org.company.oauth2.CustomOAuth2Authentication;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -11,12 +15,18 @@
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
 import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.util.DefaultSerializationStrategy;
+import org.springframework.security.oauth2.common.util.SerializationStrategy;
+import org.springframework.security.oauth2.common.util.SerializationUtils;
+import org.springframework.security.oauth2.common.util.WhitelistedSerializationStrategy;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.RequestTokenFactory;
 
+import static org.junit.Assert.*;
+
 /**
  * @author Dave Syer
- *
+ * @author Artem Smotrakov
  */
 public class JdbcTokenStoreTests extends TokenStoreBaseTests {
 
@@ -46,6 +56,106 @@ public void testFindAccessTokensByUserName() {
 		assertEquals(1, actualOAuth2AccessTokens.size());
 	}
 
+	@Test
+	public void testCustomToken() {
+		OAuth2Authentication expectedAuthentication = new CustomOAuth2Authentication(
+				RequestTokenFactory.createOAuth2Request("id", false),
+				new TestAuthentication("test2", false));
+		OAuth2AccessToken expectedOAuth2AccessToken = new CustomOAuth2AccessToken("customToken");
+		getTokenStore().storeAccessToken(expectedOAuth2AccessToken, expectedAuthentication);
+
+		Collection<OAuth2AccessToken> actualOAuth2AccessTokens = getTokenStore().findTokensByUserName("test2");
+		assertFalse(actualOAuth2AccessTokens.isEmpty());
+		for (OAuth2AccessToken token : actualOAuth2AccessTokens) {
+			if (expectedOAuth2AccessToken.equals(token)) {
+				return;
+			}
+		}
+		fail("No token found!");
+	}
+
+	@Test
+	public void testAllowedCustomTokenWithCustomStrategy() {
+		OAuth2Authentication expectedAuthentication = new CustomOAuth2Authentication(
+				RequestTokenFactory.createOAuth2Request("id", false),
+				new TestAuthentication("test3", false));
+		OAuth2AccessToken expectedOAuth2AccessToken = new CustomOAuth2AccessToken("customToken");
+		JdbcTokenStore tokenStore = getTokenStore();
+		List<String> allowedClasses = new ArrayList<String>();
+		allowedClasses.add("java.util.");
+		allowedClasses.add("org.springframework.security.");
+		allowedClasses.add("org.company.oauth2.CustomOAuth2AccessToken");
+		allowedClasses.add("org.company.oauth2.CustomOAuth2Authentication");
+		WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy(allowedClasses);
+		SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy();
+		try {
+			SerializationUtils.setSerializationStrategy(newStrategy);
+			tokenStore.storeAccessToken(expectedOAuth2AccessToken, expectedAuthentication);
+
+			Collection<OAuth2AccessToken> actualOAuth2AccessTokens = getTokenStore().findTokensByUserName("test3");
+			assertEquals(1, actualOAuth2AccessTokens.size());
+
+			OAuth2AccessToken actualToken = actualOAuth2AccessTokens.iterator().next();
+			assertEquals(expectedOAuth2AccessToken, actualToken);
+		} finally {
+			SerializationUtils.setSerializationStrategy(oldStrategy);
+		}
+	}
+
+	@Test
+	public void testNotAllowedCustomTokenWithCustomStrategy() {
+		OAuth2Authentication authentication = new CustomOAuth2Authentication(
+				RequestTokenFactory.createOAuth2Request("id", false),
+				new CustomAuthentication("test4", false));
+		OAuth2AccessToken accessToken = new CustomOAuth2AccessToken("customToken");
+		JdbcTokenStore tokenStore = getTokenStore();
+		WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy();
+		SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy();
+		try {
+			SerializationUtils.setSerializationStrategy(newStrategy);
+			tokenStore.storeAccessToken(accessToken, authentication);
+			Collection<OAuth2AccessToken> tokens = tokenStore.findTokensByUserName("test4");
+			assertTrue(tokens.isEmpty());
+		} finally {
+			SerializationUtils.setSerializationStrategy(oldStrategy);
+		}
+	}
+
+	// gh-1907
+	@Test
+	public void testGetAccessTokenWithInvalidStoredAuthentication() {
+		OAuth2Authentication expectedAuthentication = new OAuth2Authentication(RequestTokenFactory.createOAuth2Request("id", false), new TestAuthentication("test2", false));
+		OAuth2AccessToken expectedOAuth2AccessToken = new DefaultOAuth2AccessToken("testToken");
+
+		// We will set a custom serialization strategy, that will write an invalid OAuth2Authentication object to the database.
+		// This way we can verify that JdbcTokenStore.getAccessToken() correctly handles this case and still returns a valid
+		// authentication if the serialized representation of Authentication objects has changed.
+		DefaultSerializationStrategy newStrategy = new DefaultSerializationStrategy(){
+			@Override
+			public byte[] serialize(Object state) {
+				if (state instanceof OAuth2Authentication) {
+					return new byte[0];
+				} else {
+					return super.serialize(state);
+				}
+			}
+		};
+		SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy();
+
+		try {
+			SerializationUtils.setSerializationStrategy(newStrategy);
+			getTokenStore().storeAccessToken(expectedOAuth2AccessToken, expectedAuthentication);
+		} finally {
+			SerializationUtils.setSerializationStrategy(oldStrategy);
+		}
+
+		OAuth2AccessToken actualOAuth2AccessToken = getTokenStore().getAccessToken(expectedAuthentication);
+		OAuth2Authentication actualAuthentication = getTokenStore().readAuthentication(expectedOAuth2AccessToken);
+
+		assertEquals(expectedOAuth2AccessToken, actualOAuth2AccessToken);
+		assertEquals(expectedAuthentication, actualAuthentication);
+	}
+
 	@After
 	public void tearDown() throws Exception {
 		db.shutdown();
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/TokenStoreBaseTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/TokenStoreBaseTests.java
index 4872da3e7..15a21e0d0 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/TokenStoreBaseTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/TokenStoreBaseTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceITest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceITests.java
similarity index 70%
rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceITest.java
rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceITests.java
index fa4daca28..43a9c70b3 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceITest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceITests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -25,11 +25,12 @@
 import java.util.Arrays;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertSame;
 
 /**
  * @author Rob Winch
  */
-public class JwkDefinitionSourceITest {
+public class JwkDefinitionSourceITests {
 
 	private MockWebServer server;
 
@@ -80,9 +81,9 @@ public void getDefinitionLoadIfNecessaryWhenMultipleUrlsThenBothUrlsAreLoaded()
 		String keyId1 = "key-id-1";
 		String keyId2 = "key-id-2";
 		String keyId3 = "key-id-3";
-		JwkDefinition jwkDef1 = this.source.getDefinitionLoadIfNecessary(keyId1).getJwkDefinition();
-		JwkDefinition jwkDef2 = this.source.getDefinitionLoadIfNecessary(keyId2).getJwkDefinition();
-		JwkDefinition jwkDef3 = this.source.getDefinitionLoadIfNecessary(keyId3).getJwkDefinition();
+		JwkDefinition jwkDef1 = this.source.getDefinitionLoadIfNecessary(keyId1, null).getJwkDefinition();
+		JwkDefinition jwkDef2 = this.source.getDefinitionLoadIfNecessary(keyId2, null).getJwkDefinition();
+		JwkDefinition jwkDef3 = this.source.getDefinitionLoadIfNecessary(keyId3, null).getJwkDefinition();
 
 		assertEquals(jwkDef1.getKeyId(), keyId1);
 		assertEquals(jwkDef1.getAlgorithm(), JwkDefinition.CryptoAlgorithm.RS256);
@@ -100,6 +101,36 @@ public void getDefinitionLoadIfNecessaryWhenMultipleUrlsThenBothUrlsAreLoaded()
 		assertEquals(jwkDef3.getKeyType(), JwkDefinition.KeyType.EC);
 	}
 
+	@Test
+	public void getDefinitionLoadIfNecessaryWithX5T() {
+		this.server.enqueue(new MockResponse().setHeader(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE).setBody("{\n" +
+				"    \"keys\": [\n" +
+				"        {\n" +
+				"            \"kid\": \"key-id-1\",\n" +
+				"            \"x5t\": \"x5t-1\",\n" +
+				"            \"kty\": \"RSA\",\n" +
+				"            \"alg\": \"RS256\",\n" +
+				"            \"use\": \"sig\",\n" +
+				"            \"n\": \"rne3dowbQHcFCzg2ejWb6az5QNxWFiv6kRpd34VDzYNMhWeewfeEL5Pf5clE8Xh1KlllrDYSxtnzUQm-t9p92yEBASfV96ydTYG-ITfxfJzKtJUN-iIS5K9WGYXnDNS4eYZ_ygW-zBU_9NwFMXdwSTzRqHeJmLJrfbmmjoIuuWyfh2Ko52KzyidceR5SJxGeW0ckeyWka1lDf4cr7fv-s093Y_sd2wrNvg0-9IAkXotbxWWXcfMgXFyw0qHFT_5LrKmiwkY3HCaiV5NgEFJmC6fBIG2EOZG4rqjBoYV6LZwrfTMHknaeel9MOZesW6SR2bswtuuWN3DGq2zg0KamLw\",\n" +
+				"            \"e\": \"AQAB\"\n" +
+				"        }\n" +
+				"    ]\n" +
+				"}\n"));
+		this.source = new JwkDefinitionSource(Arrays.asList(serverUrl("/jwk1")));
+
+		String keyId1 = "key-id-1";
+		String x5t1 = "x5t-1";
+		JwkDefinition jwkDef1 = this.source.getDefinitionLoadIfNecessary(keyId1, x5t1).getJwkDefinition();
+		assertEquals(keyId1, jwkDef1.getKeyId());
+		assertEquals(x5t1, jwkDef1.getX5t());
+		assertEquals(JwkDefinition.CryptoAlgorithm.RS256, jwkDef1.getAlgorithm());
+		assertEquals(JwkDefinition.PublicKeyUse.SIG, jwkDef1.getPublicKeyUse());
+		assertEquals(JwkDefinition.KeyType.RSA, jwkDef1.getKeyType());
+
+		assertSame(jwkDef1, this.source.getDefinitionLoadIfNecessary(keyId1, null).getJwkDefinition());
+		assertSame(jwkDef1, this.source.getDefinitionLoadIfNecessary(null, x5t1).getJwkDefinition());
+	}
+
 	private String serverUrl(String path) {
 		return this.server.url(https://github.com/path).toString();
 	}
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceTests.java
similarity index 90%
rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceTest.java
rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceTests.java
index ae3f2d36c..409a0ed0c 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -39,7 +39,7 @@
  */
 @RunWith(PowerMockRunner.class)
 @PrepareForTest(JwkDefinitionSource.class)
-public class JwkDefinitionSourceTest {
+public class JwkDefinitionSourceTests {
 	private static final String DEFAULT_JWK_SET_URL = "https://identity.server1.io/token_keys";
 
 	@Test(expected = IllegalArgumentException.class)
@@ -57,16 +57,16 @@ public void getDefinitionLoadIfNecessaryWhenKeyIdNotFoundThenLoadJwkDefinitions(
 		JwkDefinitionSource jwkDefinitionSource = spy(new JwkDefinitionSource(DEFAULT_JWK_SET_URL));
 		mockStatic(JwkDefinitionSource.class);
 		when(JwkDefinitionSource.loadJwkDefinitions(any(URL.class))).thenReturn(Collections.<String, JwkDefinitionSource.JwkDefinitionHolder>emptyMap());
-		jwkDefinitionSource.getDefinitionLoadIfNecessary("invalid-key-id");
+		jwkDefinitionSource.getDefinitionLoadIfNecessary("invalid-key-id", null);
 		verifyStatic();
 	}
 
 	// gh-1010
 	@Test
 	public void getVerifierWhenModulusMostSignificantBitIs1ThenVerifierStillVerifyContentSignature() throws Exception {
-		String jwkSetUrl = JwkDefinitionSourceTest.class.getResource("jwk-set.json").toString();
+		String jwkSetUrl = JwkDefinitionSourceTests.class.getResource("jwk-set.json").toString();
 		JwkDefinitionSource jwkDefinitionSource = new JwkDefinitionSource(jwkSetUrl);
-		SignatureVerifier verifier = jwkDefinitionSource.getDefinitionLoadIfNecessary("_Ci3-VfV_N0YAG22NQOgOUpFBDDcDe_rJxpu5JK702o").getSignatureVerifier();
+		SignatureVerifier verifier = jwkDefinitionSource.getDefinitionLoadIfNecessary("_Ci3-VfV_N0YAG22NQOgOUpFBDDcDe_rJxpu5JK702o", null).getSignatureVerifier();
 		String token = this.readToken("token.jwt");
 		int secondPeriodIndex = token.indexOf('.', token.indexOf('.') + 1);
 		String contentString = token.substring(0, secondPeriodIndex);
@@ -80,7 +80,7 @@ private String readToken(String resource) throws IOException {
 		StringBuilder sb = new StringBuilder();
 		InputStream in = null;
 		try {
-			in = JwkDefinitionSourceTest.class.getResourceAsStream(resource);
+			in = JwkDefinitionSourceTests.class.getResourceAsStream(resource);
 			int ch;
 			while ((ch = in.read()) != -1) {
 				sb.append((char) ch);
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionTests.java
similarity index 88%
rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionTest.java
rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionTests.java
index a6ad3d2b2..b571f4ab5 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -22,18 +22,20 @@
 /**
  * @author Joe Grandja
  */
-public class JwkDefinitionTest {
+public class JwkDefinitionTests {
 
 	@Test
 	public void constructorWhenArgumentsPassedThenAttributesAreCorrectlySet() throws Exception {
 		String keyId = "key-id-1";
+		String x5t = "x5t-1";
 		JwkDefinition.KeyType keyType = JwkDefinition.KeyType.RSA;
 		JwkDefinition.PublicKeyUse publicKeyUse = JwkDefinition.PublicKeyUse.SIG;
 		JwkDefinition.CryptoAlgorithm algorithm = JwkDefinition.CryptoAlgorithm.RS512;
 
-		JwkDefinition jwkDefinition = new JwkDefinition(keyId, keyType, publicKeyUse, algorithm) { };
+		JwkDefinition jwkDefinition = new JwkDefinition(keyId, x5t, keyType, publicKeyUse, algorithm) { };
 
 		assertEquals(keyId, jwkDefinition.getKeyId());
+		assertEquals(x5t, jwkDefinition.getX5t());
 		assertEquals(keyType, jwkDefinition.getKeyType());
 		assertEquals(publicKeyUse, jwkDefinition.getPublicKeyUse());
 		assertEquals(algorithm, jwkDefinition.getAlgorithm());
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTests.java
similarity index 95%
rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTest.java
rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTests.java
index df1620318..61c9df70f 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -36,7 +36,7 @@
  * @author Joe Grandja
  * @author Vedran Pavic
  */
-public class JwkSetConverterTest {
+public class JwkSetConverterTests {
 	private final JwkSetConverter converter = new JwkSetConverter();
 	private final ObjectMapper objectMapper = new ObjectMapper();
 
@@ -122,25 +122,25 @@ public void convertWhenJwkSetStreamHasRSAJwkElementWithMissingKeyIdAttributeThen
 		this.thrown.expect(JwkException.class);
 		this.thrown.expectMessage("kid is a required attribute for a JWK.");
 		Map<String, Object> jwkSetObject = new HashMap<String, Object>();
-		Map<String, Object> jwkObject = this.createJwkObject(JwkDefinition.KeyType.RSA, null);
+		Map<String, Object> jwkObject = this.createJwkObject(JwkDefinition.KeyType.RSA, null, JwkDefinition.PublicKeyUse.SIG);
 		jwkSetObject.put(JwkAttributes.KEYS, new Map[] {jwkObject});
 		this.converter.convert(this.asInputStream(jwkSetObject));
 	}
 
 	@Test
-	public void convertWhenJwkSetStreamHasRSAJwkElementWithMissingPublicKeyUseAttributeThenThrowJwkException() throws Exception {
-		this.thrown.expect(JwkException.class);
-		this.thrown.expectMessage("unknown (use) is currently not supported.");
+	public void convertWhenJwkSetStreamHasRSAJwkElementWithENCPublicKeyUseAttributeThenReturnEmptyJwkSet() throws Exception {
 		Map<String, Object> jwkSetObject = new HashMap<String, Object>();
-		Map<String, Object> jwkObject = this.createJwkObject(JwkDefinition.KeyType.RSA, "key-id-1");
+		Map<String, Object> jwkObject = this.createJwkObject(JwkDefinition.KeyType.RSA, "key-id-1", JwkDefinition.PublicKeyUse.ENC);
 		jwkSetObject.put(JwkAttributes.KEYS, new Map[] {jwkObject});
-		this.converter.convert(this.asInputStream(jwkSetObject));
+		Set<JwkDefinition> jwkSet = this.converter.convert(this.asInputStream(jwkSetObject));
+		assertTrue("JWK Set NOT empty", jwkSet.isEmpty());
 	}
 
+	// gh-1871
 	@Test
-	public void convertWhenJwkSetStreamHasRSAJwkElementWithENCPublicKeyUseAttributeThenReturnEmptyJwkSet() throws Exception {
+	public void convertWhenJwkSetStreamHasRSAJwkElementWithoutPublicKeyUseAttributeThenReturnEmptyJwkSet() throws Exception {
 		Map<String, Object> jwkSetObject = new HashMap<String, Object>();
-		Map<String, Object> jwkObject = this.createJwkObject(JwkDefinition.KeyType.RSA, "key-id-1", JwkDefinition.PublicKeyUse.ENC);
+		Map<String, Object> jwkObject = this.createJwkObject(JwkDefinition.KeyType.RSA, "key-id-1");
 		jwkSetObject.put(JwkAttributes.KEYS, new Map[] {jwkObject});
 		Set<JwkDefinition> jwkSet = this.converter.convert(this.asInputStream(jwkSetObject));
 		assertTrue("JWK Set NOT empty", jwkSet.isEmpty());
@@ -173,25 +173,25 @@ public void convertWhenJwkSetStreamHasECJwkElementWithMissingKeyIdAttributeThenT
 		this.thrown.expect(JwkException.class);
 		this.thrown.expectMessage("kid is a required attribute for an EC JWK.");
 		Map<String, Object> jwkSetObject = new HashMap<String, Object>();
-		Map<String, Object> jwkObject = this.createEllipticCurveJwkObject(null, null, null);
+		Map<String, Object> jwkObject = this.createEllipticCurveJwkObject(null, JwkDefinition.PublicKeyUse.SIG, null);
 		jwkSetObject.put(JwkAttributes.KEYS, new Map[] {jwkObject});
 		this.converter.convert(this.asInputStream(jwkSetObject));
 	}
 
 	@Test
-	public void convertWhenJwkSetStreamHasECJwkElementWithMissingPublicKeyUseAttributeThenThrowJwkException() throws Exception {
-		this.thrown.expect(JwkException.class);
-		this.thrown.expectMessage("unknown (use) is currently not supported.");
+	public void convertWhenJwkSetStreamHasECJwkElementWithENCPublicKeyUseAttributeThenReturnEmptyJwkSet() throws Exception {
 		Map<String, Object> jwkSetObject = new HashMap<String, Object>();
-		Map<String, Object> jwkObject = this.createEllipticCurveJwkObject("key-id-1", null, null);
+		Map<String, Object> jwkObject = this.createEllipticCurveJwkObject("key-id-1", JwkDefinition.PublicKeyUse.ENC, null);
 		jwkSetObject.put(JwkAttributes.KEYS, new Map[] {jwkObject});
-		this.converter.convert(this.asInputStream(jwkSetObject));
+		Set<JwkDefinition> jwkSet = this.converter.convert(this.asInputStream(jwkSetObject));
+		assertTrue("JWK Set NOT empty", jwkSet.isEmpty());
 	}
 
+	// gh-1871
 	@Test
-	public void convertWhenJwkSetStreamHasECJwkElementWithENCPublicKeyUseAttributeThenReturnEmptyJwkSet() throws Exception {
+	public void convertWhenJwkSetStreamHasECJwkElementWithoutPublicKeyUseAttributeThenReturnEmptyJwkSet() throws Exception {
 		Map<String, Object> jwkSetObject = new HashMap<String, Object>();
-		Map<String, Object> jwkObject = this.createEllipticCurveJwkObject("key-id-1", JwkDefinition.PublicKeyUse.ENC, null);
+		Map<String, Object> jwkObject = this.createEllipticCurveJwkObject("key-id-1", null, null);
 		jwkSetObject.put(JwkAttributes.KEYS, new Map[] {jwkObject});
 		Set<JwkDefinition> jwkSet = this.converter.convert(this.asInputStream(jwkSetObject));
 		assertTrue("JWK Set NOT empty", jwkSet.isEmpty());
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreITest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreITests.java
similarity index 98%
rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreITest.java
rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreITests.java
index 082edecaf..4e4dffa8d 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreITest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreITests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -38,7 +38,7 @@
 /**
  * @author Joe Grandja
  */
-public class JwkTokenStoreITest {
+public class JwkTokenStoreITests {
 	private MockWebServer server;
 
 	@Before
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreTests.java
similarity index 98%
rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreTest.java
rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreTests.java
index e1b2cdbf8..f835e110f 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -48,7 +48,7 @@
  */
 @RunWith(PowerMockRunner.class)
 @PrepareForTest(JwkTokenStore.class)
-public class JwkTokenStoreTest {
+public class JwkTokenStoreTests {
 	private JwkTokenStore jwkTokenStore = new JwkTokenStore("https://identity.server1.io/token_keys");
 
 	@Rule
@@ -129,7 +129,7 @@ public void readAccessTokenWhenJwtClaimsSetVerifierIsSetThenVerifyIsCalled() thr
 		when(jwkDefinitionHolder.getSignatureVerifier()).thenReturn(mock(SignatureVerifier.class));
 
 		JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class);
-		when(jwkDefinitionSource.getDefinitionLoadIfNecessary(anyString())).thenReturn(jwkDefinitionHolder);
+		when(jwkDefinitionSource.getDefinitionLoadIfNecessary(anyString(), anyString())).thenReturn(jwkDefinitionHolder);
 
 		JwkVerifyingJwtAccessTokenConverter jwtVerifyingAccessTokenConverter =
 				new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource);
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverterTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverterTests.java
similarity index 62%
rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverterTest.java
rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverterTests.java
index 8cf44e8e4..c534216fe 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverterTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverterTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -24,6 +24,8 @@
 import java.util.Map;
 
 import static org.junit.Assert.assertNotNull;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import static org.springframework.security.jwt.codec.Codecs.b64UrlEncode;
@@ -34,7 +36,7 @@
 /**
  * @author Joe Grandja
  */
-public class JwkVerifyingJwtAccessTokenConverterTest {
+public class JwkVerifyingJwtAccessTokenConverterTests {
 
 	@Rule
 	public ExpectedException thrown = ExpectedException.none();
@@ -51,41 +53,41 @@ public void encodeWhenCalledThenThrowJwkException() throws Exception {
 	@Test
 	public void decodeWhenKeyIdHeaderMissingThenThrowJwkException() throws Exception {
 		this.thrown.expect(InvalidTokenException.class);
-		this.thrown.expectMessage("Invalid JWT/JWS: kid is a required JOSE Header");
+		this.thrown.expectMessage("Invalid JWT/JWS: kid or x5t is a required JOSE Header");
 		JwkVerifyingJwtAccessTokenConverter accessTokenConverter =
 				new JwkVerifyingJwtAccessTokenConverter(mock(JwkDefinitionSource.class));
-		String jwt = createJwt(createJwtHeader(null, JwkDefinition.CryptoAlgorithm.RS256));
+		String jwt = createJwt(createJwtHeader(null, null, JwkDefinition.CryptoAlgorithm.RS256));
 		accessTokenConverter.decode(jwt);
 	}
 
 	@Test
 	public void decodeWhenKeyIdHeaderInvalidThenThrowJwkException() throws Exception {
 		this.thrown.expect(InvalidTokenException.class);
-		this.thrown.expectMessage("Invalid JOSE Header kid (invalid-key-id)");
-		JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", JwkDefinition.CryptoAlgorithm.RS256);
+		this.thrown.expectMessage("Invalid JOSE Header kid (invalid-key-id), x5t (null)");
+		JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS256);
 		JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class);
 		JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = mock(JwkDefinitionSource.JwkDefinitionHolder.class);
 		when(jwkDefinitionHolder.getJwkDefinition()).thenReturn(jwkDefinition);
-		when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1")).thenReturn(jwkDefinitionHolder);
+		when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1", null)).thenReturn(jwkDefinitionHolder);
 		JwkVerifyingJwtAccessTokenConverter accessTokenConverter =
 				new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource);
-		String jwt = createJwt(createJwtHeader("invalid-key-id", JwkDefinition.CryptoAlgorithm.RS256));
+		String jwt = createJwt(createJwtHeader("invalid-key-id", null, JwkDefinition.CryptoAlgorithm.RS256));
 		accessTokenConverter.decode(jwt);
 	}
 
 	// gh-1129
 	@Test
 	public void decodeWhenJwkAlgorithmNullAndJwtAlgorithmPresentThenDecodeStillSucceeds() throws Exception {
-		JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", null);
+		JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", null, null);
 		JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class);
 		JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = mock(JwkDefinitionSource.JwkDefinitionHolder.class);
 		SignatureVerifier signatureVerifier = mock(SignatureVerifier.class);
 		when(jwkDefinitionHolder.getJwkDefinition()).thenReturn(jwkDefinition);
-		when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1")).thenReturn(jwkDefinitionHolder);
+		when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1", null)).thenReturn(jwkDefinitionHolder);
 		when(jwkDefinitionHolder.getSignatureVerifier()).thenReturn(signatureVerifier);
 		JwkVerifyingJwtAccessTokenConverter accessTokenConverter =
 				new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource);
-		String jwt = createJwt(createJwtHeader("key-id-1", JwkDefinition.CryptoAlgorithm.RS256));
+		String jwt = createJwt(createJwtHeader("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS256));
 		String jws = jwt + "." + utf8Decode(b64UrlEncode("junkSignature".getBytes()));
 		Map<String, Object> decodedJwt = accessTokenConverter.decode(jws);
 		assertNotNull(decodedJwt);
@@ -95,14 +97,14 @@ public void decodeWhenJwkAlgorithmNullAndJwtAlgorithmPresentThenDecodeStillSucce
 	public void decodeWhenAlgorithmHeaderMissingThenThrowJwkException() throws Exception {
 		this.thrown.expect(InvalidTokenException.class);
 		this.thrown.expectMessage("Invalid JWT/JWS: alg is a required JOSE Header");
-		JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", JwkDefinition.CryptoAlgorithm.RS256);
+		JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS256);
 		JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class);
 		JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = mock(JwkDefinitionSource.JwkDefinitionHolder.class);
 		when(jwkDefinitionHolder.getJwkDefinition()).thenReturn(jwkDefinition);
-		when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1")).thenReturn(jwkDefinitionHolder);
+		when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1", null)).thenReturn(jwkDefinitionHolder);
 		JwkVerifyingJwtAccessTokenConverter accessTokenConverter =
 				new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource);
-		String jwt = createJwt(createJwtHeader("key-id-1", null));
+		String jwt = createJwt(createJwtHeader("key-id-1", null, null));
 		accessTokenConverter.decode(jwt);
 	}
 
@@ -111,29 +113,67 @@ public void decodeWhenAlgorithmHeaderDoesNotMatchJwkAlgorithmThenThrowJwkExcepti
 		this.thrown.expect(InvalidTokenException.class);
 		this.thrown.expectMessage("Invalid JOSE Header alg (RS512) " +
 				"does not match algorithm associated to JWK with kid (key-id-1)");
-		JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", JwkDefinition.CryptoAlgorithm.RS256);
+		JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS256);
 		JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class);
 		JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = mock(JwkDefinitionSource.JwkDefinitionHolder.class);
 		when(jwkDefinitionHolder.getJwkDefinition()).thenReturn(jwkDefinition);
-		when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1")).thenReturn(jwkDefinitionHolder);
+		when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1", null)).thenReturn(jwkDefinitionHolder);
 		JwkVerifyingJwtAccessTokenConverter accessTokenConverter =
 				new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource);
-		String jwt = createJwt(createJwtHeader("key-id-1", JwkDefinition.CryptoAlgorithm.RS512));
+		String jwt = createJwt(createJwtHeader("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS512));
 		accessTokenConverter.decode(jwt);
 	}
 
-	private JwkDefinition createRSAJwkDefinition(String keyId, JwkDefinition.CryptoAlgorithm algorithm) {
-		return createRSAJwkDefinition(JwkDefinition.KeyType.RSA, keyId,
+	@Test
+	public void decodeWhenKidHeaderMissingButX5tHeaderPresentThenDecodeStillSucceeds() throws Exception {
+		JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", "x5t-1", null);
+		JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class);
+		JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = mock(JwkDefinitionSource.JwkDefinitionHolder.class);
+		SignatureVerifier signatureVerifier = mock(SignatureVerifier.class);
+		when(jwkDefinitionHolder.getJwkDefinition()).thenReturn(jwkDefinition);
+		when(jwkDefinitionSource.getDefinitionLoadIfNecessary(null, "x5t-1")).thenReturn(jwkDefinitionHolder);
+		when(jwkDefinitionHolder.getSignatureVerifier()).thenReturn(signatureVerifier);
+		JwkVerifyingJwtAccessTokenConverter accessTokenConverter =
+				new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource);
+		String jwt = createJwt(createJwtHeader(null, "x5t-1", JwkDefinition.CryptoAlgorithm.RS256));
+		String jws = jwt + "." + utf8Decode(b64UrlEncode("junkSignature".getBytes()));
+		Map<String, Object> decodedJwt = accessTokenConverter.decode(jws);
+		assertNotNull(decodedJwt);
+	}
+
+	// gh-1522, gh-1852
+	@Test
+	public void decodeWhenVerifySignatureFailsThenThrowInvalidTokenException() throws Exception {
+		this.thrown.expect(InvalidTokenException.class);
+		this.thrown.expectMessage("Failed to decode/verify JWT/JWS");
+		JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", null, null);
+		JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class);
+		JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = mock(JwkDefinitionSource.JwkDefinitionHolder.class);
+		SignatureVerifier signatureVerifier = mock(SignatureVerifier.class);
+		when(jwkDefinitionHolder.getJwkDefinition()).thenReturn(jwkDefinition);
+		when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1", null)).thenReturn(jwkDefinitionHolder);
+		when(jwkDefinitionHolder.getSignatureVerifier()).thenReturn(signatureVerifier);
+		doThrow(RuntimeException.class).when(signatureVerifier).verify(any(byte[].class), any(byte[].class));
+		JwkVerifyingJwtAccessTokenConverter accessTokenConverter =
+				new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource);
+		String jwt = createJwt(createJwtHeader("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS256));
+		String jws = jwt + "." + utf8Decode(b64UrlEncode("junkSignature".getBytes()));
+		accessTokenConverter.decode(jws);
+	}
+
+	private JwkDefinition createRSAJwkDefinition(String keyId, String x5t, JwkDefinition.CryptoAlgorithm algorithm) {
+		return createRSAJwkDefinition(JwkDefinition.KeyType.RSA, keyId, x5t,
 				JwkDefinition.PublicKeyUse.SIG, algorithm, "AMh-pGAj9vX2gwFDyrXot1f2YfHgh8h0Qx6w9IqLL", "AQAB");
 	}
 
 	private JwkDefinition createRSAJwkDefinition(JwkDefinition.KeyType keyType,
 												String keyId,
+												String x5t,
 												JwkDefinition.PublicKeyUse publicKeyUse,
 												JwkDefinition.CryptoAlgorithm algorithm,
 												String modulus,
 												String exponent) {
 
-		return new RsaJwkDefinition(keyId, publicKeyUse, algorithm, modulus, exponent);
+		return new RsaJwkDefinition(keyId, x5t, publicKeyUse, algorithm, modulus, exponent);
 	}
 }
\ No newline at end of file
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverterTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverterTests.java
similarity index 96%
rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverterTest.java
rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverterTests.java
index 890729a87..5d44d2cc9 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverterTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverterTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -32,7 +32,7 @@
  * @author Joe Grandja
  * @author Vedran Pavic
  */
-public class JwtHeaderConverterTest {
+public class JwtHeaderConverterTests {
 	private final JwtHeaderConverter converter = new JwtHeaderConverter();
 
 	@Rule
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtTestUtil.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtTestUtil.java
index 5aab5d5e9..b8c30e1de 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtTestUtil.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtTestUtil.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -44,14 +44,17 @@ static String createJwt(byte[] jwtHeader, byte[] jwtPayload) throws Exception {
 	}
 
 	static byte[] createDefaultJwtHeader() throws Exception {
-		return createJwtHeader("key-id-1", JwkDefinition.CryptoAlgorithm.RS256);
+		return createJwtHeader("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS256);
 	}
 
-	static byte[] createJwtHeader(String keyId, JwkDefinition.CryptoAlgorithm algorithm) throws Exception {
+	static byte[] createJwtHeader(String keyId, String x5t, JwkDefinition.CryptoAlgorithm algorithm) throws Exception {
 		Map<String, Object> jwtHeader = new HashMap<String, Object>();
 		if (keyId != null) {
 			jwtHeader.put(JwkAttributes.KEY_ID, keyId);
 		}
+		if (x5t != null) {
+			jwtHeader.put(JwkAttributes.X5T, x5t);
+		}
 		if (algorithm != null) {
 			jwtHeader.put(JwkAttributes.ALGORITHM, algorithm.headerParamValue());
 		}
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinitionTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinitionTests.java
similarity index 87%
rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinitionTest.java
rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinitionTests.java
index 72ca34d3c..b62eb5658 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinitionTest.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinitionTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -22,20 +22,22 @@
 /**
  * @author Joe Grandja
  */
-public class RsaJwkDefinitionTest {
+public class RsaJwkDefinitionTests {
 
 	@Test
 	public void constructorWhenArgumentsPassedThenAttributesAreCorrectlySet() throws Exception {
 		String keyId = "key-id-1";
+		String x5t = "x5t-1";
 		JwkDefinition.PublicKeyUse publicKeyUse = JwkDefinition.PublicKeyUse.ENC;
 		JwkDefinition.CryptoAlgorithm algorithm = JwkDefinition.CryptoAlgorithm.RS384;
 		String modulus = "AMh-pGAj9vX2gwFDyrXot1f2YfHgh8h0Qx6w9IqLL";
 		String exponent = "AQAB";
 
 		RsaJwkDefinition rsaJwkDefinition = new RsaJwkDefinition(
-				keyId, publicKeyUse, algorithm, modulus, exponent);
+				keyId, x5t, publicKeyUse, algorithm, modulus, exponent);
 
 		assertEquals(keyId, rsaJwkDefinition.getKeyId());
+		assertEquals(x5t, rsaJwkDefinition.getX5t());
 		assertEquals(JwkDefinition.KeyType.RSA, rsaJwkDefinition.getKeyType());
 		assertEquals(publicKeyUse, rsaJwkDefinition.getPublicKeyUse());
 		assertEquals(algorithm, rsaJwkDefinition.getAlgorithm());
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreCustomTokenTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreCustomTokenTests.java
new file mode 100644
index 000000000..946955c26
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreCustomTokenTests.java
@@ -0,0 +1,141 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.provider.token.store.redis;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.UUID;
+
+import org.company.oauth2.CustomOAuth2AccessToken;
+import org.company.oauth2.CustomOAuth2Authentication;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.core.serializer.support.SerializationFailedException;
+import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.util.SerializationStrategy;
+import org.springframework.security.oauth2.common.util.SerializationUtils;
+import org.springframework.security.oauth2.common.util.WhitelistedSerializationStrategy;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.RequestTokenFactory;
+import org.springframework.util.ClassUtils;
+import redis.clients.jedis.JedisShardInfo;
+
+import static org.junit.Assert.*;
+
+/**
+ * @author Artem Smotrakov
+ */
+public class RedisTokenStoreCustomTokenTests {
+
+    private static final String CLIENT_ID = "customClient";
+
+    private static final List<String> ALLOWED_CLASSES = new ArrayList<String>();
+
+    static {
+        ALLOWED_CLASSES.add("java.util.");
+        ALLOWED_CLASSES.add("org.springframework.security.");
+        ALLOWED_CLASSES.add("org.company.oauth2.CustomOAuth2AccessToken");
+        ALLOWED_CLASSES.add("org.company.oauth2.CustomOAuth2Authentication");
+    }
+
+    private RedisTokenStore tokenStore;
+
+    @Before
+    public void setup() {
+        boolean springDataRedis_2_0 = ClassUtils.isPresent(
+                "org.springframework.data.redis.connection.RedisStandaloneConfiguration",
+                this.getClass().getClassLoader());
+
+        JedisConnectionFactory connectionFactory;
+        if (springDataRedis_2_0) {
+            connectionFactory = new JedisConnectionFactory();
+        } else {
+            JedisShardInfo shardInfo = new JedisShardInfo("localhost");
+            connectionFactory = new JedisConnectionFactory(shardInfo);
+        }
+
+        tokenStore = new RedisTokenStore(connectionFactory);
+    }
+
+    @Test
+    public void testCustomToken() {
+        OAuth2Request request = RequestTokenFactory.createOAuth2Request(CLIENT_ID, false);
+        TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "password");
+
+        String token = "access-token-" + UUID.randomUUID();
+        OAuth2AccessToken oauth2AccessToken = new CustomOAuth2AccessToken(token);
+        OAuth2Authentication oauth2Authentication = new OAuth2Authentication(request, authentication);
+
+        tokenStore.storeAccessToken(oauth2AccessToken, oauth2Authentication);
+        Collection<OAuth2AccessToken> tokens = tokenStore.findTokensByClientId(request.getClientId());
+        assertNotNull(tokens);
+        assertFalse(tokens.isEmpty());
+        for (OAuth2AccessToken oAuth2AccessToken : tokens) {
+            if (token.equals(oAuth2AccessToken.getValue())) {
+                return;
+            }
+        }
+        fail("No token found!");
+    }
+
+    @Test(expected = SerializationFailedException.class)
+    public void testNotAllowedCustomToken() {
+        OAuth2Request request = RequestTokenFactory.createOAuth2Request(CLIENT_ID, false);
+        TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "password");
+
+        String token = "access-token-" + UUID.randomUUID();
+        OAuth2AccessToken oauth2AccessToken = new CustomOAuth2AccessToken(token);
+        OAuth2Authentication oauth2Authentication = new OAuth2Authentication(request, authentication);
+
+        WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy();
+        SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy();
+        try {
+            SerializationUtils.setSerializationStrategy(newStrategy);
+            tokenStore.storeAccessToken(oauth2AccessToken, oauth2Authentication);
+            tokenStore.findTokensByClientId(request.getClientId());
+        } finally {
+            SerializationUtils.setSerializationStrategy(oldStrategy);
+        }
+    }
+
+    @Test
+    public void testCustomTokenWithCustomSerializationStrategy() {
+        OAuth2Request request = RequestTokenFactory.createOAuth2Request(CLIENT_ID, false);
+        TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "password");
+
+        OAuth2AccessToken oauth2AccessToken = new CustomOAuth2AccessToken("access-token-" + UUID.randomUUID());
+        OAuth2Authentication oauth2Authentication = new CustomOAuth2Authentication(request, authentication);
+
+        WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy(ALLOWED_CLASSES);
+        SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy();
+        try {
+            SerializationUtils.setSerializationStrategy(newStrategy);
+            tokenStore.storeAccessToken(oauth2AccessToken, oauth2Authentication);
+
+            OAuth2AccessToken token = tokenStore.getAccessToken(oauth2Authentication);
+            assertNotNull(token);
+            assertEquals(oauth2AccessToken, token);
+        } finally {
+            SerializationUtils.setSerializationStrategy(oldStrategy);
+        }
+    }
+
+}
\ No newline at end of file
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreMockTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreMockTests.java
index 149643aa0..4baa81884 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreMockTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreMockTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -67,6 +67,13 @@ public void storeRefreshTokenRemoveRefreshTokenVerifyKeysRemoved() {
 		ArgumentCaptor<byte[]> keyArgs = ArgumentCaptor.forClass(byte[].class);
 		verify(connection, times(2)).set(keyArgs.capture(), any(byte[].class));
 
+		List<Object> result = new ArrayList<Object>();
+		result.add(Long.valueOf(1));
+		result.add(Long.valueOf(1));
+		result.add(new byte[] {42});
+		result.add(Long.valueOf(1));
+		when(connection.closePipeline()).thenReturn(result);
+
 		tokenStore.removeRefreshToken(oauth2RefreshToken);
 
 		for (byte[] key : keyArgs.getAllValues()) {
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreTests.java
index 996e15c21..ded1f1529 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreTests.java
@@ -2,6 +2,8 @@
 
 import org.junit.Before;
 import org.junit.Test;
+
+import org.springframework.data.redis.connection.RedisConnection;
 import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
@@ -28,6 +30,8 @@
  */
 public class RedisTokenStoreTests extends TokenStoreBaseTests {
 
+	private JedisConnectionFactory connectionFactory;
+	private RedisTokenStoreSerializationStrategy serializationStrategy = new JdkSerializationStrategy();
 	private RedisTokenStore tokenStore;
 
 	@Override
@@ -41,7 +45,6 @@ public void setup() throws Exception {
 				"org.springframework.data.redis.connection.RedisStandaloneConfiguration",
 				this.getClass().getClassLoader());
 
-		JedisConnectionFactory connectionFactory;
 		if (springDataRedis_2_0) {
 			connectionFactory = new JedisConnectionFactory();
 		} else {
@@ -49,7 +52,9 @@ public void setup() throws Exception {
 			connectionFactory = new JedisConnectionFactory(shardInfo);
 		}
 
+		serializationStrategy = new JdkSerializationStrategy();
 		tokenStore = new RedisTokenStore(connectionFactory);
+		tokenStore.setSerializationStrategy(serializationStrategy);
 	}
 
 	@Test
@@ -109,4 +114,46 @@ public void storeAccessTokenWithoutRefreshTokenRemoveAccessTokenVerifyTokenRemov
 		assertTrue(oauth2AccessTokens.isEmpty());
 	}
 
+	// gh-1836
+	@Test
+	public void storeAccessTokenWithRefreshTokenRemoveRefreshTokenAndAccessTokenVerifyTokenRemoved() {
+		OAuth2Request request = RequestTokenFactory.createOAuth2Request("clientId", false);
+		TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "password");
+
+		DefaultOAuth2AccessToken oauth2AccessToken = new DefaultOAuth2AccessToken(
+				"access-token-" + UUID.randomUUID());
+		DefaultOAuth2RefreshToken oauth2RefreshToken = new DefaultOAuth2RefreshToken(
+				"refresh-token-" + UUID.randomUUID());
+		oauth2AccessToken.setRefreshToken(oauth2RefreshToken);
+
+		OAuth2Authentication oauth2Authentication = new OAuth2Authentication(request, authentication);
+
+		tokenStore.storeAccessToken(oauth2AccessToken, oauth2Authentication);
+		String accessTokenValue = getValue("refresh_to_access:" + oauth2RefreshToken.getValue());
+		assertEquals(accessTokenValue, oauth2AccessToken.getValue());
+		String refreshTokenValue = getValue("access_to_refresh:" + oauth2AccessToken.getValue());
+		assertEquals(refreshTokenValue, oauth2RefreshToken.getValue());
+
+		tokenStore.removeRefreshToken(oauth2RefreshToken);
+		accessTokenValue = getValue("refresh_to_access:" + oauth2RefreshToken.getValue());
+		assertNull("Key refresh_to_access was not deleted!", accessTokenValue);
+		refreshTokenValue = getValue("access_to_refresh:" + oauth2AccessToken.getValue());
+		assertNull("Key access_to_refresh was not deleted!", refreshTokenValue);
+
+		tokenStore.removeAccessToken(oauth2AccessToken);
+
+		Collection<OAuth2AccessToken> oauth2AccessTokens = tokenStore.findTokensByClientId(request.getClientId());
+		assertTrue(oauth2AccessTokens.isEmpty());
+	}
+
+	private String getValue(String key) {
+		RedisConnection conn = connectionFactory.getConnection();
+		try {
+			byte[] value = conn.get(key.getBytes());
+			return serializationStrategy.deserializeString(value);
+		}
+		finally {
+			conn.close();
+		}
+	}
 }
\ No newline at end of file
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/vote/ScopeVoterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/vote/ScopeVoterTests.java
index e54397109..a1b522122 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/vote/ScopeVoterTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/vote/ScopeVoterTests.java
@@ -5,7 +5,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *      http://www.apache.org/licenses/LICENSE-2.0
+ *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParserTests-context.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParserTests-context.xml
index b142b6fa6..c4b3db37f 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParserTests-context.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParserTests-context.xml
@@ -3,8 +3,8 @@
 <beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 
 	<beans:bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
 		<beans:property name="properties">
@@ -26,7 +26,7 @@
 		<oauth:client client-id="${my.client.id.property.file}" resource-ids="foo" secret="${my.client.secret.property.file}"
 			authorized-grant-types="${my.client.flows.property.file}" scope="${my.client.scope.property.file}" authorities="${my.client.authorities.property.file}" />
 
-		<oauth:client client-id="my-client-id-default-flow" redirect-uri="http://mycompany.com/"/>
+		<oauth:client client-id="my-client-id-default-flow" redirect-uri="https://secure.mycompany.com/"/>
 
 	</oauth:client-details-service>
 
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParserTests-context.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParserTests-context.xml
index b9c65aebc..ca15e15c6 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParserTests-context.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParserTests-context.xml
@@ -2,42 +2,42 @@
 
 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 
 	<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
 		<property name="properties">
 			<value>
 				my.client.id=my-client-id-property-file
 				my.client.secret=my-client-secret-property-file
-				access.token.uri=http://myhost.com
+				access.token.uri=https://myhost.com
 				my.client.scopes=none,all
 			</value>
 		</property>
 	</bean>
 
 	<oauth:resource id="one" client-id="my-client-id-non-property-file" client-secret="my-client-secret-non-property-file"
-		access-token-uri="http://somewhere.com/" scope="none,some" />
+		access-token-uri="https://somewhere.com/" scope="none,some" />
 
 	<oauth:resource id="two" client-id="${my.client.id}" client-secret="${my.client.secret}"
 		access-token-uri="${access.token.uri}" scope="${my.client.scopes}" />
 
-	<oauth:resource id="three" client-id="my-client-id" pre-established-redirect-uri="http://anywhere.com/"
-		access-token-uri="http://somewhere.com/" user-authorization-uri="http://somewhere.com/" scope="none,some" type="authorization_code"
+	<oauth:resource id="three" client-id="my-client-id" pre-established-redirect-uri="https://anywhere.com/"
+		access-token-uri="https://somewhere.com/" user-authorization-uri="https://somewhere.com/" scope="none,some" type="authorization_code"
 		use-current-uri="false" />
 
-	<oauth:resource id="four" client-id="my-client-id" pre-established-redirect-uri="http://anywhere.com/"
-		user-authorization-uri="http://somewhere.com/" scope="none,some" type="implicit" />
+	<oauth:resource id="four" client-id="my-client-id" pre-established-redirect-uri="https://anywhere.com/"
+		user-authorization-uri="https://somewhere.com/" scope="none,some" type="implicit" />
 
-	<oauth:resource id="five" client-id="my-secret-id" client-secret="secret" access-token-uri="http://somewhere.com/"
+	<oauth:resource id="five" client-id="my-secret-id" client-secret="secret" access-token-uri="https://somewhere.com/"
 		scope="none,some" type="client_credentials" />
 
 	<oauth:resource id="six" client-id="my-client-id" client-secret="my-client-secret-non-property-file"
-		type="authorization_code" access-token-uri="http://somewhere.com/" user-authorization-uri="http://somewhere.com/" scope="none,some"
+		type="authorization_code" access-token-uri="https://somewhere.com/" user-authorization-uri="https://somewhere.com/" scope="none,some"
 		token-name="token" client-authentication-scheme="form" use-current-uri="false" />
 
 	<oauth:resource id="seven" client-id="my-client-id" client-secret="secret" type="password"
-		access-token-uri="http://somewhere.com/" scope="none,some" username="admin" password="long-and-strong" />
+		access-token-uri="https://somewhere.com/" scope="none,some" username="admin" password="long-and-strong" />
 
 	<oauth:rest-template id="template" resource="five">
 		<property name="messageConverters">
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-check-token-custom-endpoint.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-check-token-custom-endpoint.xml
index 7b1eb7af4..45b465603 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-check-token-custom-endpoint.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-check-token-custom-endpoint.xml
@@ -2,8 +2,8 @@
 
 <beans:beans xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 
 	<oauth:authorization-server client-details-service-ref="clientDetails" check-token-enabled="true" check-token-endpoint-url="/custom_check_token">
 		<oauth:authorization-code/>
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-check-token.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-check-token.xml
index b9ee7595c..d182ae44b 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-check-token.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-check-token.xml
@@ -2,8 +2,8 @@
 
 <beans:beans xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 
 	<oauth:authorization-server client-details-service-ref="clientDetails" check-token-enabled="true" check-token-endpoint-url="/token_info">
 		<oauth:authorization-code/>
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-client-credentials-password-invalid.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-client-credentials-password-invalid.xml
index e5c7a91fd..0f727320c 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-client-credentials-password-invalid.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-client-credentials-password-invalid.xml
@@ -4,10 +4,10 @@
 		 xmlns:b="http://www.springframework.org/schema/beans"
 		 xmlns:mvc="http://www.springframework.org/schema/mvc"
 		 xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
-		 xsi:schemaLocation="http://www.springframework.org/schema/security%20http://www.springframework.org/schema/security/spring-security.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd-http://www.springframework.org/schema/mvc%20http://www.springframework.org/schema/mvc/spring-mvc.xsd-http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd">
+		 xsi:schemaLocation="http://www.springframework.org/schema/security%20https://www.springframework.org/schema/security/spring-security.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd+http://www.springframework.org/schema/mvc%20https://www.springframework.org/schema/mvc/spring-mvc.xsd+http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd">
 
 	<!--
 		NOTE:
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-client-credentials-password-valid.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-client-credentials-password-valid.xml
index 6d2f5ce67..b499a2faa 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-client-credentials-password-valid.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-client-credentials-password-valid.xml
@@ -4,10 +4,10 @@
 		 xmlns:b="http://www.springframework.org/schema/beans"
 		 xmlns:mvc="http://www.springframework.org/schema/mvc"
 		 xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
-		 xsi:schemaLocation="http://www.springframework.org/schema/security%20http://www.springframework.org/schema/security/spring-security.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd-http://www.springframework.org/schema/mvc%20http://www.springframework.org/schema/mvc/spring-mvc.xsd-http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd">
+		 xsi:schemaLocation="http://www.springframework.org/schema/security%20https://www.springframework.org/schema/security/spring-security.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd+http://www.springframework.org/schema/mvc%20https://www.springframework.org/schema/mvc/spring-mvc.xsd+http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd">
 
 	<http auto-config="true" use-expressions="true" authentication-manager-ref="clientsAuthenticationManager">
 		<intercept-url pattern="/" access="authenticated"/>
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-custom-grant.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-custom-grant.xml
index 540143a91..a53a9f936 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-custom-grant.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-custom-grant.xml
@@ -2,8 +2,8 @@
 <beans xmlns="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd">
 
     <bean id="tokenGranter" class="org.springframework.security.oauth2.config.xml.AuthorizationServerCustomGrantParserTests.CustomTestTokenGranter" />
 
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-disable.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-disable.xml
index 0fda58d74..17fea1038 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-disable.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-disable.xml
@@ -4,9 +4,9 @@
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xmlns:security="http://www.springframework.org/schema/security"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/security%20http://www.springframework.org/schema/security/spring-security.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/security%20https://www.springframework.org/schema/security/spring-security.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 
 	<oauth:authorization-server client-details-service-ref="clientDetails" >
 		<oauth:implicit/>
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-extras.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-extras.xml
index 03b4b9d19..0d720f6d3 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-extras.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-extras.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 
 	<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokens"
 		authorization-endpoint-url="/authorize" token-endpoint-url="/token" approval-parameter-name="approve" error-page="/error"
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-invalid.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-invalid.xml
index da8b5318e..a9cff5438 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-invalid.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-invalid.xml
@@ -2,8 +2,8 @@
 
 <beans:beans xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 
 	<oauth:authorization-server>
 		<oauth:authorization-code/>
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-types.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-types.xml
index c56398ff5..52d2e0a35 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-types.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-types.xml
@@ -4,9 +4,9 @@
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xmlns:security="http://www.springframework.org/schema/security"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/security%20http://www.springframework.org/schema/security/spring-security.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/security%20https://www.springframework.org/schema/security/spring-security.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 
 	<oauth:authorization-server client-details-service-ref="clientDetails" >
 		<oauth:authorization-code authorization-code-services-ref="codes"/>
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-vanilla.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-vanilla.xml
index a6fd3f9f2..ecb24e6b3 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-vanilla.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/authorization-server-vanilla.xml
@@ -2,8 +2,8 @@
 
 <beans:beans xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 
 	<oauth:authorization-server client-details-service-ref="clientDetails" >
 		<oauth:authorization-code/>
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/resource-server-authmanager-context.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/resource-server-authmanager-context.xml
index b6b804f7e..2b5219ead 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/resource-server-authmanager-context.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/resource-server-authmanager-context.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 
 	<oauth:resource-server id="oauth2ProviderFilter" authentication-manager-ref="authenticationManager" token-extractor-ref="tokenExtractor"/>
 	
diff --git a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/resource-server-context.xml b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/resource-server-context.xml
index 52366eaa5..da0ec2296 100644
--- a/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/resource-server-context.xml
+++ b/spring-security-oauth2/src/test/resources/org/springframework/security/oauth2/config/xml/resource-server-context.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 
 	<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
 		<property name="properties">
diff --git a/src/site/site.xml b/src/site/site.xml
index 272056c42..087a3a950 100644
--- a/src/site/site.xml
+++ b/src/site/site.xml
@@ -28,10 +28,10 @@
     </menu>
 
     <menu name="Other Links">
-      <item name="OAuth 1.0" href="http://oauth.net/"/>
-      <item name="OAuth 2.0" href="http://tools.ietf.org/html/draft-ietf-oauth-v2"/>
-      <item name="Spring Security" href="http://static.springframework.org/spring-security/site/"/>
-      <item name="Spring" href="http://springframework.org/"/>
+      <item name="OAuth 1.0" href="https://oauth.net/"/>
+      <item name="OAuth 2.0" href="https://tools.ietf.org/html/draft-ietf-oauth-v2"/>
+      <item name="Spring Security" href="https://docs.spring.io/spring-security/site/"/>
+      <item name="Spring" href="https://springframework.org/"/>
     </menu>
 
 		<menu ref="reports" inheritAsRef="true"/>
diff --git a/tests/annotation/approval/pom.xml b/tests/annotation/approval/pom.xml
index d3859e818..fc2fd2aeb 100644
--- a/tests/annotation/approval/pom.xml
+++ b/tests/annotation/approval/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-approval</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/annotation/approval/src/main/java/demo/Application.java b/tests/annotation/approval/src/main/java/demo/Application.java
index 27d31526f..1505335a0 100644
--- a/tests/annotation/approval/src/main/java/demo/Application.java
+++ b/tests/annotation/approval/src/main/java/demo/Application.java
@@ -66,14 +66,14 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 		            .scopes("read", "write", "trust")
 		            .resourceIds("oauth2-resource")
 		            .accessTokenValiditySeconds(60)
-		            .redirectUris("http://anywhere/")
+		            .redirectUris("https://anywhere/")
  		    .and()
 		        .withClient("my-client-with-registered-redirect")
 		            .authorizedGrantTypes("authorization_code")
 		            .authorities("ROLE_CLIENT")
 		            .scopes("read", "trust")
 		            .resourceIds("oauth2-resource")
-		            .redirectUris("http://anywhere/?key=value")
+		            .redirectUris("https://anywhere/?key=value")
  		    .and()
 		        .withClient("my-client-with-secret")
 		            .authorizedGrantTypes("client_credentials", "password")
diff --git a/tests/annotation/approval/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/annotation/approval/src/test/java/demo/AuthorizationCodeProviderTests.java
index 2f3ddf7e7..2ecdcf333 100755
--- a/tests/annotation/approval/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/annotation/approval/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/approval/src/test/java/demo/ProtectedResourceTests.java b/tests/annotation/approval/src/test/java/demo/ProtectedResourceTests.java
index 302b30f96..be5dc3b8b 100644
--- a/tests/annotation/approval/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/annotation/approval/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/client/pom.xml b/tests/annotation/client/pom.xml
index de7f6f4e5..442e2943d 100644
--- a/tests/annotation/client/pom.xml
+++ b/tests/annotation/client/pom.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-client</artifactId>
@@ -11,7 +11,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<properties>
diff --git a/tests/annotation/client/src/test/java/client/CombinedApplication.java b/tests/annotation/client/src/test/java/client/CombinedApplication.java
index 107fd1a5b..1a6887f42 100644
--- a/tests/annotation/client/src/test/java/client/CombinedApplication.java
+++ b/tests/annotation/client/src/test/java/client/CombinedApplication.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/common/pom.xml b/tests/annotation/common/pom.xml
index 069432372..dbd87fe58 100644
--- a/tests/annotation/common/pom.xml
+++ b/tests/annotation/common/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-common</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
@@ -57,7 +57,7 @@
 		<repository>
 			<id>spring-snapshots</id>
 			<name>Spring Snapshots</name>
-			<url>http://repo.spring.io/snapshot</url>
+			<url>https://repo.spring.io/snapshot</url>
 			<snapshots>
 				<enabled>true</enabled>
 			</snapshots>
@@ -65,7 +65,7 @@
 		<repository>
 			<id>spring-milestones</id>
 			<name>Spring Milestones</name>
-			<url>http://repo.spring.io/milestone</url>
+			<url>https://repo.spring.io/milestone</url>
 			<snapshots>
 				<enabled>false</enabled>
 			</snapshots>
@@ -75,7 +75,7 @@
 		<pluginRepository>
 			<id>spring-snapshots</id>
 			<name>Spring Snapshots</name>
-			<url>http://repo.spring.io/snapshot</url>
+			<url>https://repo.spring.io/snapshot</url>
 			<snapshots>
 				<enabled>true</enabled>
 			</snapshots>
diff --git a/tests/annotation/common/src/main/java/sparklr/common/AbstractAuthorizationCodeProviderTests.java b/tests/annotation/common/src/main/java/sparklr/common/AbstractAuthorizationCodeProviderTests.java
index 8420fc311..927064325 100755
--- a/tests/annotation/common/src/main/java/sparklr/common/AbstractAuthorizationCodeProviderTests.java
+++ b/tests/annotation/common/src/main/java/sparklr/common/AbstractAuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -48,7 +48,7 @@ public abstract class AbstractAuthorizationCodeProviderTests extends AbstractEmp
 	public void testUnauthenticatedAuthorizationRespondsUnauthorized() throws Exception {
 
 		AccessTokenRequest request = context.getAccessTokenRequest();
-		request.setCurrentUri("http://anywhere/");
+		request.setCurrentUri("https://anywhere/");
 		request.add(OAuth2Utils.USER_OAUTH_APPROVAL, "true");
 
 		try {
@@ -67,7 +67,7 @@ public void testUnauthenticatedAuthorizationRespondsUnauthorized() throws Except
 	public void testSuccessfulAuthorizationCodeFlow() throws Exception {
 
 		// Once the request is ready and approved, we can continue with the access token
-		approveAccessTokenGrant("http://anywhere/", true);
+		approveAccessTokenGrant("https://anywhere/", true);
 
 		// Finally everything is in place for the grant to happen...
 		assertNotNull(context.getAccessToken());
@@ -81,10 +81,10 @@ public void testSuccessfulAuthorizationCodeFlow() throws Exception {
 	@Test
 	@OAuth2ContextConfiguration(resource = MyTrustedClient.class, initialize = false)
 	public void testWrongRedirectUri() throws Exception {
-		approveAccessTokenGrant("http://anywhere/", true);
+		approveAccessTokenGrant("https://anywhere/", true);
 		AccessTokenRequest request = context.getAccessTokenRequest();
 		// The redirect is stored in the preserved state...
-		context.getOAuth2ClientContext().setPreservedState(request.getStateKey(), "http://nowhere/");
+		context.getOAuth2ClientContext().setPreservedState(request.getStateKey(), "https://nowhere/");
 		// Finally everything is in place for the grant to happen...
 		try {
 			assertNotNull(context.getAccessToken());
@@ -99,7 +99,7 @@ public void testWrongRedirectUri() throws Exception {
 	@Test
 	@OAuth2ContextConfiguration(resource = MyTrustedClient.class, initialize = false)
 	public void testUserDeniesConfirmation() throws Exception {
-		approveAccessTokenGrant("http://anywhere/", false);
+		approveAccessTokenGrant("https://anywhere/", false);
 		String location = null;
 		try {
 			assertNotNull(context.getAccessToken());
@@ -109,15 +109,15 @@ public void testUserDeniesConfirmation() throws Exception {
 			location = e.getRedirectUri();
 		}
 		assertTrue("Wrong location: " + location, location.contains("state="));
-		assertTrue(location.startsWith("http://anywhere/"));
+		assertTrue(location.startsWith("https://anywhere/"));
 		assertTrue(location.substring(location.indexOf('?')).contains("error=access_denied"));
 		// It was a redirect that triggered our client redirect exception:
-		assertEquals(HttpStatus.FOUND, getTokenEndpointResponse().getStatusCode());
+		assertEquals(HttpStatus.SEE_OTHER, getTokenEndpointResponse().getStatusCode());
 	}
 
 	@Test
 	public void testNoClientIdProvided() throws Exception {
-		ResponseEntity<String> response = attemptToGetConfirmationPage(null, "http://anywhere/");
+		ResponseEntity<String> response = attemptToGetConfirmationPage(null, "https://anywhere/");
 		// With no client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 		assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 		String body = response.getBody();
@@ -130,7 +130,7 @@ public void testIllegalAttemptToApproveWithoutUsingAuthorizationRequest() throws
 
 		HttpHeaders headers = getAuthenticatedHeaders();
 
-		String authorizeUrl = getAuthorizeUrl("my-trusted-client", "http://anywhere.com/", "read");
+		String authorizeUrl = getAuthorizeUrl("my-trusted-client", "https://anywhere.com/", "read");
 		authorizeUrl = authorizeUrl + "&user_oauth_approval=true";
 		ResponseEntity<String> response = http.postForStatus(authorizeUrl, headers,
 				new LinkedMultiValueMap<String, String>());
@@ -160,7 +160,7 @@ public void testInvalidScopeInAuthorizationRequest() throws Exception {
 		headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));
 
 		String scope = "bogus";
-		String redirectUri = "http://anywhere/?key=value";
+		String redirectUri = "https://anywhere/?key=value";
 		String clientId = "my-client-with-registered-redirect";
 
 		UriBuilder uri = http.buildUri(authorizePath()).queryParam("response_type", "code")
@@ -172,9 +172,9 @@ public void testInvalidScopeInAuthorizationRequest() throws Exception {
 			uri.queryParam("redirect_uri", redirectUri);
 		}
 		ResponseEntity<String> response = http.getForString(uri.pattern(), headers, uri.params());
-		assertEquals(HttpStatus.FOUND, response.getStatusCode());
+		assertEquals(HttpStatus.SEE_OTHER, response.getStatusCode());
 		String location = response.getHeaders().getLocation().toString();
-		assertTrue(location.startsWith("http://anywhere/"));
+		assertTrue(location.startsWith("https://anywhere/"));
 		assertTrue(location.contains("error=invalid_scope"));
 		assertFalse(location.contains("redirect_uri="));
 	}
@@ -200,7 +200,7 @@ public void testInvalidAccessToken() throws Exception {
 	@OAuth2ContextConfiguration(resource = MyClientWithRegisteredRedirect.class, initialize = false)
 	public void testRegisteredRedirectWithWrongRequestedRedirect() throws Exception {
 		try {
-			approveAccessTokenGrant("http://nowhere/", true);
+			approveAccessTokenGrant("https://nowhere/", true);
 			fail("Expected RedirectMismatchException");
 		}
 		catch (HttpClientErrorException e) {
@@ -211,9 +211,9 @@ public void testRegisteredRedirectWithWrongRequestedRedirect() throws Exception
 	@Test
 	@OAuth2ContextConfiguration(resource = MyClientWithRegisteredRedirect.class, initialize = false)
 	public void testRegisteredRedirectWithWrongOneInTokenEndpoint() throws Exception {
-		approveAccessTokenGrant("http://anywhere/?key=value", true);
+		approveAccessTokenGrant("https://anywhere/?key=value", true);
 		// Setting the redirect uri directly in the request should override the saved value
-		context.getAccessTokenRequest().set("redirect_uri", "http://nowhere.com/");
+		context.getAccessTokenRequest().set("redirect_uri", "https://nowhere.com/");
 		try {
 			assertNotNull(context.getAccessToken());
 			fail("Expected RedirectMismatchException");
@@ -227,7 +227,7 @@ public void testRegisteredRedirectWithWrongOneInTokenEndpoint() throws Exception
 	@Test
 	@OAuth2ContextConfiguration(resource = MyTrustedClient.class, initialize = false)
 	public void testWrongClientIdTokenEndpoint() throws Exception {
-		approveAccessTokenGrant("http://anywhere/?key=value", true);
+		approveAccessTokenGrant("https://anywhere/?key=value", true);
 		((BaseOAuth2ProtectedResourceDetails) context.getResource()).setClientId("non-existent");
 		try {
 			assertNotNull(context.getAccessToken());
diff --git a/tests/annotation/common/src/main/java/sparklr/common/AbstractEmptyAuthorizationCodeProviderTests.java b/tests/annotation/common/src/main/java/sparklr/common/AbstractEmptyAuthorizationCodeProviderTests.java
index 1459a9817..e58b00803 100644
--- a/tests/annotation/common/src/main/java/sparklr/common/AbstractEmptyAuthorizationCodeProviderTests.java
+++ b/tests/annotation/common/src/main/java/sparklr/common/AbstractEmptyAuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -249,7 +249,7 @@ protected static class MyClientWithRegisteredRedirect extends MyTrustedClient {
 		public MyClientWithRegisteredRedirect(Object target) {
 			super(target);
 			setClientId("my-client-with-registered-redirect");
-			setPreEstablishedRedirectUri("http://anywhere/?key=value");
+			setPreEstablishedRedirectUri("https://anywhere/?key=value");
 		}
 	}
 }
diff --git a/tests/annotation/common/src/main/java/sparklr/common/AbstractImplicitProviderTests.java b/tests/annotation/common/src/main/java/sparklr/common/AbstractImplicitProviderTests.java
index 3e98cd8cb..b366c5b61 100644
--- a/tests/annotation/common/src/main/java/sparklr/common/AbstractImplicitProviderTests.java
+++ b/tests/annotation/common/src/main/java/sparklr/common/AbstractImplicitProviderTests.java
@@ -41,7 +41,7 @@ public NonAutoApproveImplicit(Object target) {
 			super();
 			setClientId("my-trusted-client");
 			setId(getClientId());
-			setPreEstablishedRedirectUri("http://anywhere/");
+			setPreEstablishedRedirectUri("https://anywhere/");
 		}
 	}
 
diff --git a/tests/annotation/common/src/main/java/sparklr/common/AbstractIntegrationTests.java b/tests/annotation/common/src/main/java/sparklr/common/AbstractIntegrationTests.java
index 023566427..c5129b5c4 100644
--- a/tests/annotation/common/src/main/java/sparklr/common/AbstractIntegrationTests.java
+++ b/tests/annotation/common/src/main/java/sparklr/common/AbstractIntegrationTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/common/src/main/java/sparklr/common/AbstractProtectedResourceTests.java b/tests/annotation/common/src/main/java/sparklr/common/AbstractProtectedResourceTests.java
index 7e37f24d9..dd29cc9e1 100644
--- a/tests/annotation/common/src/main/java/sparklr/common/AbstractProtectedResourceTests.java
+++ b/tests/annotation/common/src/main/java/sparklr/common/AbstractProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/common/src/main/java/sparklr/common/AbstractResourceOwnerPasswordProviderTests.java b/tests/annotation/common/src/main/java/sparklr/common/AbstractResourceOwnerPasswordProviderTests.java
index 15d1f2a94..c0e1e51fd 100644
--- a/tests/annotation/common/src/main/java/sparklr/common/AbstractResourceOwnerPasswordProviderTests.java
+++ b/tests/annotation/common/src/main/java/sparklr/common/AbstractResourceOwnerPasswordProviderTests.java
@@ -196,6 +196,8 @@ public void testTokenEndpointUnauthenticated() throws Exception {
 		assertEquals(HttpStatus.UNAUTHORIZED, result.getStatusCode());
 		assertTrue("Wrong body: " + result.getBody(),
 				result.getBody().toLowerCase().contains("unauthorized"));
+		assertTrue(result.getHeaders().getFirst("Cache-Control").contains("no-store"));
+		assertTrue(result.getHeaders().getFirst("Pragma").contains("no-cache"));
 	}
 
 	@Test
diff --git a/tests/annotation/custom-authentication/pom.xml b/tests/annotation/custom-authentication/pom.xml
index d7b764413..488c5b58f 100644
--- a/tests/annotation/custom-authentication/pom.xml
+++ b/tests/annotation/custom-authentication/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-custom-authentication</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/annotation/custom-authentication/src/main/java/demo/Application.java b/tests/annotation/custom-authentication/src/main/java/demo/Application.java
index b45985dc4..de9ffae97 100644
--- a/tests/annotation/custom-authentication/src/main/java/demo/Application.java
+++ b/tests/annotation/custom-authentication/src/main/java/demo/Application.java
@@ -60,7 +60,7 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 					.resourceIds("oauth2-resource").accessTokenValiditySeconds(600).and()
 					.withClient("my-client-with-registered-redirect").authorizedGrantTypes("authorization_code")
 					.authorities("ROLE_CLIENT").scopes("read", "trust").resourceIds("oauth2-resource")
-					.redirectUris("http://anywhere/?key=value").and().withClient("my-client-with-secret")
+					.redirectUris("https://anywhere/?key=value").and().withClient("my-client-with-secret")
 					.authorizedGrantTypes("client_credentials", "password").authorities("ROLE_CLIENT").scopes("read")
 					.resourceIds("oauth2-resource").secret("secret");
 			// @formatter:on
diff --git a/tests/annotation/custom-grant/pom.xml b/tests/annotation/custom-grant/pom.xml
index 14ba8b794..a6a81a4f5 100644
--- a/tests/annotation/custom-grant/pom.xml
+++ b/tests/annotation/custom-grant/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-custom-grant</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/annotation/custom-grant/src/main/java/demo/Application.java b/tests/annotation/custom-grant/src/main/java/demo/Application.java
index 788a83040..025b5f9db 100644
--- a/tests/annotation/custom-grant/src/main/java/demo/Application.java
+++ b/tests/annotation/custom-grant/src/main/java/demo/Application.java
@@ -73,14 +73,14 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 		            .scopes("read", "write", "trust")
 		            .resourceIds("oauth2-resource")
 		            .accessTokenValiditySeconds(600)
-		            .redirectUris("http://anywhere/")
+		            .redirectUris("https://anywhere/")
  		    .and()
 		        .withClient("my-client-with-registered-redirect")
 		            .authorizedGrantTypes("authorization_code")
 		            .authorities("ROLE_CLIENT")
 		            .scopes("read", "trust")
 		            .resourceIds("oauth2-resource")
-		            .redirectUris("http://anywhere/?key=value")
+		            .redirectUris("https://anywhere/?key=value")
  		    .and()
 		        .withClient("my-client-with-secret")
 		            .authorizedGrantTypes("client_credentials", "password")
diff --git a/tests/annotation/custom-grant/src/main/java/demo/CustomTokenGranter.java b/tests/annotation/custom-grant/src/main/java/demo/CustomTokenGranter.java
index cab7c0417..c61aa898c 100644
--- a/tests/annotation/custom-grant/src/main/java/demo/CustomTokenGranter.java
+++ b/tests/annotation/custom-grant/src/main/java/demo/CustomTokenGranter.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/custom-grant/src/test/java/demo/AdHocTests.java b/tests/annotation/custom-grant/src/test/java/demo/AdHocTests.java
index ee518795d..b82adb62d 100644
--- a/tests/annotation/custom-grant/src/test/java/demo/AdHocTests.java
+++ b/tests/annotation/custom-grant/src/test/java/demo/AdHocTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/custom-grant/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/annotation/custom-grant/src/test/java/demo/AuthorizationCodeProviderTests.java
index 34cdef81b..3441f471b 100755
--- a/tests/annotation/custom-grant/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/annotation/custom-grant/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -32,7 +32,7 @@ public class AuthorizationCodeProviderTests extends AbstractAuthorizationCodePro
 	@Test
 	@OAuth2ContextConfiguration(resource = MyTrustedClient.class, initialize = false)
 	public void testPostToProtectedResource() throws Exception {
-		approveAccessTokenGrant("http://anywhere/", true);
+		approveAccessTokenGrant("https://anywhere/", true);
 		assertNotNull(context.getAccessToken());
 		LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
 		form.set("foo", "bar");
@@ -41,7 +41,7 @@ public void testPostToProtectedResource() throws Exception {
 
 	@Test
 	public void testWrongClientIdProvided() throws Exception {
-		ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/");
+		ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/");
 		// With no client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 		assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 		String body = response.getBody();
@@ -52,7 +52,7 @@ public void testWrongClientIdProvided() throws Exception {
 	@Test
 	public void testWrongClientIdAndOmittedResponseType() throws Exception {
 	    // Test wrong client id together with an omitted response_type
-	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/", null);
+	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/", null);
 	    // With bad client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 	    assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 	    String body = response.getBody();
@@ -63,7 +63,7 @@ public void testWrongClientIdAndOmittedResponseType() throws Exception {
 	@Test
 	public void testWrongClientIdAndBadResponseTypeProvided() throws Exception {
 	    // Test wrong client id together with an omitted response_type
-	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/", "unsupported");
+	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/", "unsupported");
 	    // With bad client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 	    assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 	    String body = response.getBody();
diff --git a/tests/annotation/custom-grant/src/test/java/demo/CustomProviderTests.java b/tests/annotation/custom-grant/src/test/java/demo/CustomProviderTests.java
index bd6897227..bd9987253 100644
--- a/tests/annotation/custom-grant/src/test/java/demo/CustomProviderTests.java
+++ b/tests/annotation/custom-grant/src/test/java/demo/CustomProviderTests.java
@@ -1,7 +1,7 @@
 package demo;
 
 import static org.junit.Assert.assertEquals;
-
+import static org.junit.Assert.assertTrue;
 import java.util.Map;
 
 import org.junit.Test;
@@ -27,6 +27,8 @@ public void customGrant() throws Exception {
 		@SuppressWarnings("rawtypes")
 		ResponseEntity<Map> response = http.postForMap("/oauth/token", headers, form);
 		assertEquals(HttpStatus.OK, response.getStatusCode());
+		assertTrue(response.getHeaders().getFirst("Cache-Control").contains("no-store"));
+		assertTrue(response.getHeaders().getFirst("Pragma").contains("no-cache"));
 	}
 
 	@Test
@@ -38,6 +40,8 @@ public void invalidGrant() throws Exception {
 		@SuppressWarnings("rawtypes")
 		ResponseEntity<Map> response = http.postForMap("/oauth/token", headers, form);
 		assertEquals(HttpStatus.BAD_REQUEST, response.getStatusCode());
+		assertTrue(response.getHeaders().getFirst("Cache-Control").contains("no-store"));
+		assertTrue(response.getHeaders().getFirst("Pragma").contains("no-cache"));
 	}
 
 }
diff --git a/tests/annotation/custom-grant/src/test/java/demo/ImplicitProviderTests.java b/tests/annotation/custom-grant/src/test/java/demo/ImplicitProviderTests.java
index 7b926c064..a244b89d8 100644
--- a/tests/annotation/custom-grant/src/test/java/demo/ImplicitProviderTests.java
+++ b/tests/annotation/custom-grant/src/test/java/demo/ImplicitProviderTests.java
@@ -48,15 +48,17 @@ public void run() {
 	private void getToken() {
 		Map<String, String> form = new LinkedHashMap<String, String>();
 		form.put("client_id", "my-trusted-client");
-		form.put("redirect_uri", "http://anywhere/");
+		form.put("redirect_uri", "https://anywhere/");
 		form.put("response_type", "token");
 		form.put("scope", "read");
 		ResponseEntity<Void> response = new TestRestTemplate("user", "password")
 				.getForEntity(
 						http.getUrl("/oauth/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type={response_type}&scope={scope}"),
 						Void.class, form);
-		assertEquals(HttpStatus.FOUND, response.getStatusCode());
+		assertEquals(HttpStatus.SEE_OTHER, response.getStatusCode());
 		assertTrue(response.getHeaders().getLocation().toString().contains("access_token"));
+		assertTrue(response.getHeaders().getFirst("Cache-Control").contains("no-store"));
+		assertTrue(response.getHeaders().getFirst("Pragma").contains("no-cache"));
 	}
 
 	protected static class ResourceOwner extends ResourceOwnerPasswordResourceDetails {
diff --git a/tests/annotation/custom-grant/src/test/java/demo/ProtectedResourceTests.java b/tests/annotation/custom-grant/src/test/java/demo/ProtectedResourceTests.java
index 302b30f96..be5dc3b8b 100644
--- a/tests/annotation/custom-grant/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/annotation/custom-grant/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/form/pom.xml b/tests/annotation/form/pom.xml
index 974761a37..8ecfad322 100644
--- a/tests/annotation/form/pom.xml
+++ b/tests/annotation/form/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-form</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/annotation/form/src/main/java/demo/Application.java b/tests/annotation/form/src/main/java/demo/Application.java
index 1ee0669fe..c75637ef1 100644
--- a/tests/annotation/form/src/main/java/demo/Application.java
+++ b/tests/annotation/form/src/main/java/demo/Application.java
@@ -55,14 +55,14 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 		            .scopes("read", "write", "trust")
 		            .resourceIds("oauth2-resource")
 		            .accessTokenValiditySeconds(60)
-		            .redirectUris("http://anywhere/")
+		            .redirectUris("https://anywhere/")
  		    .and()
 		        .withClient("my-client-with-registered-redirect")
 		            .authorizedGrantTypes("authorization_code")
 		            .authorities("ROLE_CLIENT")
 		            .scopes("read", "trust")
 		            .resourceIds("oauth2-resource")
-		            .redirectUris("http://anywhere/?key=value")
+		            .redirectUris("https://anywhere/?key=value")
  		    .and()
 		        .withClient("my-client-with-secret")
 		            .authorizedGrantTypes("client_credentials", "password")
diff --git a/tests/annotation/form/src/test/java/demo/AdHocTests.java b/tests/annotation/form/src/test/java/demo/AdHocTests.java
index e5bfeca13..fa3a8f21c 100644
--- a/tests/annotation/form/src/test/java/demo/AdHocTests.java
+++ b/tests/annotation/form/src/test/java/demo/AdHocTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/form/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/annotation/form/src/test/java/demo/AuthorizationCodeProviderTests.java
index 2ef50fde6..529bacd06 100755
--- a/tests/annotation/form/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/annotation/form/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/form/src/test/java/demo/ProtectedResourceTests.java b/tests/annotation/form/src/test/java/demo/ProtectedResourceTests.java
index 302b30f96..be5dc3b8b 100644
--- a/tests/annotation/form/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/annotation/form/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/jaxb/pom.xml b/tests/annotation/jaxb/pom.xml
index 02077e121..ef1ae880e 100644
--- a/tests/annotation/jaxb/pom.xml
+++ b/tests/annotation/jaxb/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-jaxb</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/annotation/jaxb/src/main/java/demo/Application.java b/tests/annotation/jaxb/src/main/java/demo/Application.java
index 3ff888b30..34b94bf17 100644
--- a/tests/annotation/jaxb/src/main/java/demo/Application.java
+++ b/tests/annotation/jaxb/src/main/java/demo/Application.java
@@ -92,14 +92,14 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 		            .scopes("read", "write", "trust")
 		            .resourceIds("oauth2-resource")
 		            .accessTokenValiditySeconds(60)
-		            .redirectUris("http://anywhere/")
+		            .redirectUris("https://anywhere/")
  		    .and()
 		        .withClient("my-client-with-registered-redirect")
 		            .authorizedGrantTypes("authorization_code")
 		            .authorities("ROLE_CLIENT")
 		            .scopes("read", "trust")
 		            .resourceIds("oauth2-resource")
-		            .redirectUris("http://anywhere/?key=value")
+		            .redirectUris("https://anywhere/?key=value")
  		    .and()
 		        .withClient("my-client-with-secret")
 		            .authorizedGrantTypes("client_credentials", "password")
diff --git a/tests/annotation/jaxb/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/annotation/jaxb/src/test/java/demo/AuthorizationCodeProviderTests.java
index 0333fa789..4a55ddd8c 100755
--- a/tests/annotation/jaxb/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/annotation/jaxb/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -31,7 +31,7 @@ public class AuthorizationCodeProviderTests extends AbstractAuthorizationCodePro
 
 	@Test
 	public void testWrongClientIdProvided() throws Exception {
-		ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/");
+		ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/");
 		// With no client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 		assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 		String body = response.getBody();
@@ -42,7 +42,7 @@ public void testWrongClientIdProvided() throws Exception {
 	@Test
 	public void testWrongClientIdAndOmittedResponseType() throws Exception {
 	    // Test wrong client id together with an omitted response_type
-	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/", null);
+	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/", null);
 	    // With bad client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 	    assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 	    String body = response.getBody();
@@ -53,7 +53,7 @@ public void testWrongClientIdAndOmittedResponseType() throws Exception {
 	@Test
 	public void testWrongClientIdAndBadResponseTypeProvided() throws Exception {
 	    // Test wrong client id together with an omitted response_type
-	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/", "unsupported");
+	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/", "unsupported");
 	    // With bad client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 	    assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 	    String body = response.getBody();
diff --git a/tests/annotation/jaxb/src/test/java/demo/Converters.java b/tests/annotation/jaxb/src/test/java/demo/Converters.java
index e3d61a8f2..2b7542431 100644
--- a/tests/annotation/jaxb/src/test/java/demo/Converters.java
+++ b/tests/annotation/jaxb/src/test/java/demo/Converters.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/jaxb/src/test/java/demo/ImplicitProviderTests.java b/tests/annotation/jaxb/src/test/java/demo/ImplicitProviderTests.java
index 271a6b25e..0e5e62bab 100644
--- a/tests/annotation/jaxb/src/test/java/demo/ImplicitProviderTests.java
+++ b/tests/annotation/jaxb/src/test/java/demo/ImplicitProviderTests.java
@@ -54,15 +54,17 @@ protected Collection<? extends HttpMessageConverter<?>> getAdditionalConverters(
 	private void getToken() {
 		Map<String, String> form = new LinkedHashMap<String, String>();
 		form.put("client_id", "my-trusted-client");
-		form.put("redirect_uri", "http://anywhere/");
+		form.put("redirect_uri", "https://anywhere/");
 		form.put("response_type", "token");
 		form.put("scope", "read");
 		ResponseEntity<Void> response = new TestRestTemplate("user", "password")
 				.getForEntity(
 						http.getUrl("/oauth/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type={response_type}&scope={scope}"),
 						Void.class, form);
-		assertEquals(HttpStatus.FOUND, response.getStatusCode());
+		assertEquals(HttpStatus.SEE_OTHER, response.getStatusCode());
 		assertTrue(response.getHeaders().getLocation().toString().contains("access_token"));
+		assertTrue(response.getHeaders().getFirst("Cache-Control").contains("no-store"));
+		assertTrue(response.getHeaders().getFirst("Pragma").contains("no-cache"));
 	}
 
 	protected static class ResourceOwner extends ResourceOwnerPasswordResourceDetails {
diff --git a/tests/annotation/jaxb/src/test/java/demo/ProtectedResourceTests.java b/tests/annotation/jaxb/src/test/java/demo/ProtectedResourceTests.java
index 0a539c5f4..e23874743 100644
--- a/tests/annotation/jaxb/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/annotation/jaxb/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/jdbc/pom.xml b/tests/annotation/jdbc/pom.xml
index fc2510e72..2ee75f7b7 100644
--- a/tests/annotation/jdbc/pom.xml
+++ b/tests/annotation/jdbc/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-jdbc</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/annotation/jdbc/src/main/java/demo/Application.java b/tests/annotation/jdbc/src/main/java/demo/Application.java
index decef9343..56dfdf870 100644
--- a/tests/annotation/jdbc/src/main/java/demo/Application.java
+++ b/tests/annotation/jdbc/src/main/java/demo/Application.java
@@ -111,12 +111,12 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 					.scopes("read", "write", "trust")
 					.resourceIds("oauth2-resource")
 					.accessTokenValiditySeconds(60)
-					.redirectUris("http://anywhere/").and()
+					.redirectUris("https://anywhere/").and()
 				.withClient("my-client-with-registered-redirect")
 					.authorizedGrantTypes("authorization_code")
 					.authorities("ROLE_CLIENT").scopes("read", "trust")
 					.resourceIds("oauth2-resource")
-					.redirectUris("http://anywhere/?key=value").and()
+					.redirectUris("https://anywhere/?key=value").and()
 				.withClient("my-client-with-secret")
 					.authorizedGrantTypes("client_credentials", "password")
 					.authorities("ROLE_CLIENT").scopes("read")
diff --git a/tests/annotation/jdbc/src/test/java/demo/AdHocTests.java b/tests/annotation/jdbc/src/test/java/demo/AdHocTests.java
index a7d0087ca..7e52aa7b5 100644
--- a/tests/annotation/jdbc/src/test/java/demo/AdHocTests.java
+++ b/tests/annotation/jdbc/src/test/java/demo/AdHocTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/jdbc/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/annotation/jdbc/src/test/java/demo/AuthorizationCodeProviderTests.java
index 27a0a1c4e..19d4492b7 100755
--- a/tests/annotation/jdbc/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/annotation/jdbc/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/jdbc/src/test/java/demo/ProtectedResourceTests.java b/tests/annotation/jdbc/src/test/java/demo/ProtectedResourceTests.java
index 0e2acc8d9..2eb25a2cf 100644
--- a/tests/annotation/jdbc/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/annotation/jdbc/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/jpa/pom.xml b/tests/annotation/jpa/pom.xml
index 5ed4c2b2e..8473dfb66 100644
--- a/tests/annotation/jpa/pom.xml
+++ b/tests/annotation/jpa/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-jpa</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/annotation/jpa/src/main/java/demo/Application.java b/tests/annotation/jpa/src/main/java/demo/Application.java
index c88ed31a0..788f197a8 100644
--- a/tests/annotation/jpa/src/main/java/demo/Application.java
+++ b/tests/annotation/jpa/src/main/java/demo/Application.java
@@ -81,10 +81,10 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 			clients.inMemory().withClient("my-trusted-client")
 					.authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
 					.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT").scopes("read", "write", "trust")
-					.resourceIds("oauth2-resource").accessTokenValiditySeconds(600).redirectUris("http://anywhere/").and()
+					.resourceIds("oauth2-resource").accessTokenValiditySeconds(600).redirectUris("https://anywhere/").and()
 					.withClient("my-client-with-registered-redirect").authorizedGrantTypes("authorization_code")
 					.authorities("ROLE_CLIENT").scopes("read", "trust").resourceIds("oauth2-resource")
-					.redirectUris("http://anywhere/?key=value").and().withClient("my-client-with-secret")
+					.redirectUris("https://anywhere/?key=value").and().withClient("my-client-with-secret")
 					.authorizedGrantTypes("client_credentials", "password").authorities("ROLE_CLIENT").scopes("read")
 					.resourceIds("oauth2-resource").secret("secret");
 			// @formatter:on
diff --git a/tests/annotation/jpa/src/test/java/demo/AdHocTests.java b/tests/annotation/jpa/src/test/java/demo/AdHocTests.java
index f3f947369..7ba4feea0 100644
--- a/tests/annotation/jpa/src/test/java/demo/AdHocTests.java
+++ b/tests/annotation/jpa/src/test/java/demo/AdHocTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/jpa/src/test/java/demo/AuthorizationCodeProviderCookieTests.java b/tests/annotation/jpa/src/test/java/demo/AuthorizationCodeProviderCookieTests.java
index 26d88d46a..e7d8078f9 100644
--- a/tests/annotation/jpa/src/test/java/demo/AuthorizationCodeProviderCookieTests.java
+++ b/tests/annotation/jpa/src/test/java/demo/AuthorizationCodeProviderCookieTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -31,7 +31,7 @@ public class AuthorizationCodeProviderCookieTests extends AbstractEmptyAuthoriza
 	@Test
 	@OAuth2ContextConfiguration(resource = MyClientWithRegisteredRedirect.class, initialize = false)
 	public void testPostToProtectedResource() throws Exception {
-		approveAccessTokenGrant("http://anywhere/?key=value", true);
+		approveAccessTokenGrant("https://anywhere/?key=value", true);
 		assertNotNull(context.getAccessToken());
 		LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
 		form.set("foo", "bar");
diff --git a/tests/annotation/jpa/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/annotation/jpa/src/test/java/demo/AuthorizationCodeProviderTests.java
index 34cdef81b..3441f471b 100755
--- a/tests/annotation/jpa/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/annotation/jpa/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -32,7 +32,7 @@ public class AuthorizationCodeProviderTests extends AbstractAuthorizationCodePro
 	@Test
 	@OAuth2ContextConfiguration(resource = MyTrustedClient.class, initialize = false)
 	public void testPostToProtectedResource() throws Exception {
-		approveAccessTokenGrant("http://anywhere/", true);
+		approveAccessTokenGrant("https://anywhere/", true);
 		assertNotNull(context.getAccessToken());
 		LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
 		form.set("foo", "bar");
@@ -41,7 +41,7 @@ public void testPostToProtectedResource() throws Exception {
 
 	@Test
 	public void testWrongClientIdProvided() throws Exception {
-		ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/");
+		ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/");
 		// With no client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 		assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 		String body = response.getBody();
@@ -52,7 +52,7 @@ public void testWrongClientIdProvided() throws Exception {
 	@Test
 	public void testWrongClientIdAndOmittedResponseType() throws Exception {
 	    // Test wrong client id together with an omitted response_type
-	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/", null);
+	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/", null);
 	    // With bad client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 	    assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 	    String body = response.getBody();
@@ -63,7 +63,7 @@ public void testWrongClientIdAndOmittedResponseType() throws Exception {
 	@Test
 	public void testWrongClientIdAndBadResponseTypeProvided() throws Exception {
 	    // Test wrong client id together with an omitted response_type
-	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/", "unsupported");
+	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/", "unsupported");
 	    // With bad client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 	    assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 	    String body = response.getBody();
diff --git a/tests/annotation/jpa/src/test/java/demo/ImplicitProviderTests.java b/tests/annotation/jpa/src/test/java/demo/ImplicitProviderTests.java
index 8ec5c2a34..e68e21cad 100644
--- a/tests/annotation/jpa/src/test/java/demo/ImplicitProviderTests.java
+++ b/tests/annotation/jpa/src/test/java/demo/ImplicitProviderTests.java
@@ -54,15 +54,17 @@ public void run() {
 	private void getToken() {
 		Map<String, String> form = new LinkedHashMap<String, String>();
 		form.put("client_id", "my-trusted-client");
-		form.put("redirect_uri", "http://anywhere/");
+		form.put("redirect_uri", "https://anywhere/");
 		form.put("response_type", "token");
 		form.put("scope", "read");
 		ResponseEntity<Void> response = new TestRestTemplate("user", "password")
 				.getForEntity(
 						http.getUrl("/oauth/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type={response_type}&scope={scope}"),
 						Void.class, form);
-		assertEquals("Wrong status: " + response.getHeaders(), HttpStatus.FOUND, response.getStatusCode());
+		assertEquals("Wrong status: " + response.getHeaders(), HttpStatus.SEE_OTHER, response.getStatusCode());
 		assertTrue(response.getHeaders().getLocation().toString().contains("access_token"));
+		assertTrue(response.getHeaders().getFirst("Cache-Control").contains("no-store"));
+		assertTrue(response.getHeaders().getFirst("Pragma").contains("no-cache"));
 	}
 
 	protected static class ResourceOwner extends ResourceOwnerPasswordResourceDetails {
diff --git a/tests/annotation/jpa/src/test/java/demo/ProtectedResourceTests.java b/tests/annotation/jpa/src/test/java/demo/ProtectedResourceTests.java
index 302b30f96..be5dc3b8b 100644
--- a/tests/annotation/jpa/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/annotation/jpa/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/jpa/src/test/java/demo/ResourceOwnerPasswordProviderTests.java b/tests/annotation/jpa/src/test/java/demo/ResourceOwnerPasswordProviderTests.java
index 31a0f75b8..47af9cddc 100644
--- a/tests/annotation/jpa/src/test/java/demo/ResourceOwnerPasswordProviderTests.java
+++ b/tests/annotation/jpa/src/test/java/demo/ResourceOwnerPasswordProviderTests.java
@@ -1,15 +1,19 @@
 package demo;
 
-import static org.junit.Assert.assertEquals;
-
 import org.junit.Test;
 import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.oauth2.client.test.OAuth2ContextConfiguration;
-
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
 import sparklr.common.AbstractResourceOwnerPasswordProviderTests;
 
+import static org.junit.Assert.assertEquals;
+
 /**
  * @author Dave Syer
  */
@@ -20,7 +24,25 @@ public class ResourceOwnerPasswordProviderTests extends AbstractResourceOwnerPas
 	public void testCheckToken() throws Exception {
 		TestRestTemplate template = new TestRestTemplate("my-trusted-client", "");
 		ResponseEntity<String> response = template.getForEntity(http.getUrl("/oauth/check_token?token={token}"), String.class, context.getAccessToken().getValue());
-		assertEquals(HttpStatus.OK, response.getStatusCode());
+		assertEquals(HttpStatus.METHOD_NOT_ALLOWED, response.getStatusCode());
 	}
 
+	/**
+	 * Note: This test is to check the POST request call to CheckTokenEndpoint. 
+	 * The main intention is to avoid passing parameters as part of the URL /oauth/check_token. Example: /oauth/check_token?token={token}
+	 * Instead making sure that the URL /oauth/check_token accepts only POST request calls so that parameters can be part of request body.
+	*/	
+	@Test
+	@OAuth2ContextConfiguration(ResourceOwner.class)
+	public void testCheckTokenPostRequestCall() throws Exception {
+		TestRestTemplate template = new TestRestTemplate("my-trusted-client", "");
+		HttpHeaders headers = new HttpHeaders();
+		headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
+		MultiValueMap<String, String> params = new LinkedMultiValueMap<>();
+		params.add("token", context.getAccessToken().getValue());
+		HttpEntity<MultiValueMap<String, String>> request = new HttpEntity<>(params, headers);
+		ResponseEntity<String> response = template.postForEntity(http.getUrl("/oauth/check_token"), request, String.class);
+		assertEquals(HttpStatus.OK, response.getStatusCode());
+	}
+	
 }
diff --git a/tests/annotation/jwt/pom.xml b/tests/annotation/jwt/pom.xml
index 50248ff34..31762c1b3 100644
--- a/tests/annotation/jwt/pom.xml
+++ b/tests/annotation/jwt/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-jwt</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/annotation/jwt/src/main/java/demo/Application.java b/tests/annotation/jwt/src/main/java/demo/Application.java
index 69bd3984a..19f50d8c0 100644
--- a/tests/annotation/jwt/src/main/java/demo/Application.java
+++ b/tests/annotation/jwt/src/main/java/demo/Application.java
@@ -63,13 +63,13 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 		            .scopes("read", "write", "trust")
 		            .accessTokenValiditySeconds(60)
 		            .refreshTokenValiditySeconds(160)
-		            .redirectUris("http://anywhere/")
+		            .redirectUris("https://anywhere/")
  		    .and()
 		        .withClient("my-client-with-registered-redirect")
 		            .authorizedGrantTypes("authorization_code")
 		            .authorities("ROLE_CLIENT")
 		            .scopes("read", "trust")
-		            .redirectUris("http://anywhere/?key=value")
+		            .redirectUris("https://anywhere/?key=value")
  		    .and()
 		        .withClient("my-client-with-secret")
 		            .authorizedGrantTypes("client_credentials", "password")
diff --git a/tests/annotation/jwt/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/annotation/jwt/src/test/java/demo/AuthorizationCodeProviderTests.java
index 2ef50fde6..529bacd06 100755
--- a/tests/annotation/jwt/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/annotation/jwt/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/jwt/src/test/java/demo/ProtectedResourceTests.java b/tests/annotation/jwt/src/test/java/demo/ProtectedResourceTests.java
index 302b30f96..be5dc3b8b 100644
--- a/tests/annotation/jwt/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/annotation/jwt/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/mappings/pom.xml b/tests/annotation/mappings/pom.xml
index db71b5234..3936cae0a 100644
--- a/tests/annotation/mappings/pom.xml
+++ b/tests/annotation/mappings/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-mappings</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/annotation/mappings/src/main/java/demo/Application.java b/tests/annotation/mappings/src/main/java/demo/Application.java
index e6c16b859..3c0feb55c 100644
--- a/tests/annotation/mappings/src/main/java/demo/Application.java
+++ b/tests/annotation/mappings/src/main/java/demo/Application.java
@@ -109,14 +109,14 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 		            .scopes("read", "write", "trust")
 		            .resourceIds("sparklr")
 		            .accessTokenValiditySeconds(60)
-		            .redirectUris("http://anywhere/")
+		            .redirectUris("https://anywhere/")
  		    .and()
 		        .withClient("my-client-with-registered-redirect")
 		            .authorizedGrantTypes("authorization_code")
 		            .authorities("ROLE_CLIENT")
 		            .scopes("read", "trust")
 		            .resourceIds("sparklr")
-		            .redirectUris("http://anywhere/?key=value")
+		            .redirectUris("https://anywhere/?key=value")
  		    .and()
 		        .withClient("my-client-with-secret")
 		            .authorizedGrantTypes("client_credentials", "password")
diff --git a/tests/annotation/mappings/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/annotation/mappings/src/test/java/demo/AuthorizationCodeProviderTests.java
index 5fba9cfe0..769fcb81b 100755
--- a/tests/annotation/mappings/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/annotation/mappings/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -35,7 +35,7 @@ public class AuthorizationCodeProviderTests extends AbstractAuthorizationCodePro
 	public void testInsufficientScopeInResourceRequest() throws Exception {
 		AuthorizationCodeResourceDetails resource = (AuthorizationCodeResourceDetails) context.getResource();
 		resource.setScope(Arrays.asList("trust"));
-		approveAccessTokenGrant("http://anywhere/?key=value", true);
+		approveAccessTokenGrant("https://anywhere/?key=value", true);
 		assertNotNull(context.getAccessToken());
 		try {
 			http.getForString("/admin/beans");
diff --git a/tests/annotation/mappings/src/test/java/demo/ProtectedResourceTests.java b/tests/annotation/mappings/src/test/java/demo/ProtectedResourceTests.java
index 4f5e357cc..f7ef5432c 100644
--- a/tests/annotation/mappings/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/annotation/mappings/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/multi/pom.xml b/tests/annotation/multi/pom.xml
index 7a2035b3a..6d4bae27f 100644
--- a/tests/annotation/multi/pom.xml
+++ b/tests/annotation/multi/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-multi</artifactId>
@@ -9,7 +9,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/annotation/multi/src/main/java/demo/Application.java b/tests/annotation/multi/src/main/java/demo/Application.java
index e1424f3ff..8071991be 100644
--- a/tests/annotation/multi/src/main/java/demo/Application.java
+++ b/tests/annotation/multi/src/main/java/demo/Application.java
@@ -116,14 +116,14 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 		            .scopes("read", "write", "trust")
 		            .resourceIds("oauth2/admin")
 		            .accessTokenValiditySeconds(60)
-		            .redirectUris("http://anywhere/")
+		            .redirectUris("https://anywhere/")
  		    .and()
 		        .withClient("my-client-with-registered-redirect")
 		            .authorizedGrantTypes("authorization_code")
 		            .authorities("ROLE_CLIENT")
 		            .scopes("read", "trust")
 		            .resourceIds("oauth2/admin")
-		            .redirectUris("http://anywhere/?key=value")
+		            .redirectUris("https://anywhere/?key=value")
  		    .and()
 		        .withClient("my-client-with-secret")
 		            .authorizedGrantTypes("client_credentials", "password")
diff --git a/tests/annotation/multi/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/annotation/multi/src/test/java/demo/AuthorizationCodeProviderTests.java
index 2ef50fde6..529bacd06 100755
--- a/tests/annotation/multi/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/annotation/multi/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/multi/src/test/java/demo/ProtectedResourceTests.java b/tests/annotation/multi/src/test/java/demo/ProtectedResourceTests.java
index bf1dfd35f..89190be29 100644
--- a/tests/annotation/multi/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/annotation/multi/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/pom.xml b/tests/annotation/pom.xml
index db787f9e2..e42187e19 100644
--- a/tests/annotation/pom.xml
+++ b/tests/annotation/pom.xml
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<groupId>org.demo</groupId>
 	<artifactId>spring-oauth2-tests-parent</artifactId>
-	<version>2.3.6.BUILD-SNAPSHOT</version>
+	<version>2.5.3.BUILD-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -24,13 +24,19 @@
       <module>custom-authentication</module>
     </modules>
 
+	<properties>
+		<start-class>demo.Application</start-class>
+		<java.version>1.7</java.version>
+		<spring.version>4.3.30.RELEASE</spring.version>
+	</properties>
+
 	<name>spring-oauth2-tests</name>
 	<description>Demo project for OAuth2 and Spring Boot</description>
 
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>1.5.1.RELEASE</version>
+		<version>1.5.22.RELEASE</version>
 		<relativePath/>
 	</parent>
 
@@ -39,18 +45,12 @@
 		<dependency>
 			<groupId>org.springframework.security.oauth</groupId>
 			<artifactId>spring-security-oauth2</artifactId>
-			<version>2.3.6.BUILD-SNAPSHOT</version>
-			<exclusions>
-				<exclusion>
-					<artifactId>jackson-mapper-asl</artifactId>
-					<groupId>org.codehaus.jackson</groupId>
-				</exclusion>
-			</exclusions>
+			<version>2.5.3.BUILD-SNAPSHOT</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-jwt</artifactId>
-			<version>1.0.7.RELEASE</version>
+			<version>1.1.1.RELEASE</version>
 		</dependency>
 	</dependencies>
     </dependencyManagement>
@@ -85,16 +85,11 @@
       </pluginManagement>
     </build>
 
-	<properties>
-		<start-class>demo.Application</start-class>
-        <java.version>1.7</java.version>
-	</properties>
-
 	  <repositories>
 		<repository>
 		  <id>spring-snapshots</id>
 		  <name>Spring Snapshots</name>
-		  <url>http://repo.spring.io/libs-snapshot-local</url>
+		  <url>https://repo.spring.io/libs-snapshot-local</url>
 		  <snapshots>
 			<enabled>true</enabled>
 		  </snapshots>
@@ -102,7 +97,7 @@
 		<repository>
 		  <id>spring-milestones</id>
 		  <name>Spring Milestones</name>
-		  <url>http://repo.spring.io/libs-milestone-local</url>
+		  <url>https://repo.spring.io/libs-milestone-local</url>
 		  <snapshots>
 			<enabled>false</enabled>
 		  </snapshots>
@@ -110,7 +105,7 @@
 		<repository>
 		  <id>spring-releases</id>
 		  <name>Spring Releases</name>
-		  <url>http://repo.spring.io/release</url>
+		  <url>https://repo.spring.io/release</url>
 		  <snapshots>
 			<enabled>false</enabled>
 		  </snapshots>
@@ -120,7 +115,7 @@
 		<pluginRepository>
 		  <id>spring-snapshots</id>
 		  <name>Spring Snapshots</name>
-		  <url>http://repo.spring.io/libs-snapshot-local</url>
+		  <url>https://repo.spring.io/libs-snapshot-local</url>
 		  <snapshots>
 			<enabled>true</enabled>
 		  </snapshots>
@@ -128,11 +123,51 @@
 		<pluginRepository>
 		  <id>spring-milestones</id>
 		  <name>Spring Milestones</name>
-		  <url>http://repo.spring.io/libs-milestone-local</url>
+		  <url>https://repo.spring.io/libs-milestone-local</url>
 		  <snapshots>
 			<enabled>false</enabled>
 		  </snapshots>
 		</pluginRepository>
 	  </pluginRepositories>
 
+	<profiles>
+		<profile>
+			<id>spring5</id>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.apache.maven.plugins</groupId>
+						<artifactId>maven-checkstyle-plugin</artifactId>
+						<version>3.1.1</version>
+						<dependencies>
+							<dependency>
+								<groupId>com.puppycrawl.tools</groupId>
+								<artifactId>checkstyle</artifactId>
+								<version>8.31</version>
+							</dependency>
+							<dependency>
+								<groupId>io.spring.nohttp</groupId>
+								<artifactId>nohttp-checkstyle</artifactId>
+								<version>0.0.3.RELEASE</version>
+							</dependency>
+						</dependencies>
+						<configuration>
+							<configLocation>${maven.multiModuleProjectDirectory}/etc/nohttp/checkstyle.xml</configLocation>
+							<includes>src/**/*,*</includes>
+							<sourceDirectories>
+								<sourceDirectory>./</sourceDirectory>
+							</sourceDirectories>
+						</configuration>
+						<executions>
+							<execution>
+								<goals>
+									<goal>check</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+	</profiles>
 </project>
diff --git a/tests/annotation/resource/pom.xml b/tests/annotation/resource/pom.xml
index c14109ae9..4639eecd4 100644
--- a/tests/annotation/resource/pom.xml
+++ b/tests/annotation/resource/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-resource</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/annotation/resource/src/test/java/demo/ProtectedResourceTests.java b/tests/annotation/resource/src/test/java/demo/ProtectedResourceTests.java
index 302b30f96..be5dc3b8b 100644
--- a/tests/annotation/resource/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/annotation/resource/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/ssl/pom.xml b/tests/annotation/ssl/pom.xml
index 490f72a27..e28d3f2a0 100644
--- a/tests/annotation/ssl/pom.xml
+++ b/tests/annotation/ssl/pom.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-ssl</artifactId>
@@ -11,7 +11,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/annotation/ssl/src/main/java/demo/Application.java b/tests/annotation/ssl/src/main/java/demo/Application.java
index 7a1867e38..75aceb584 100644
--- a/tests/annotation/ssl/src/main/java/demo/Application.java
+++ b/tests/annotation/ssl/src/main/java/demo/Application.java
@@ -66,7 +66,7 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 		            .authorities("ROLE_CLIENT")
 		            .scopes("read", "trust")
 		            .resourceIds("oauth2-resource")
-		            .redirectUris("http://anywhere/?key=value")
+		            .redirectUris("https://anywhere/?key=value")
  		    .and()
 		        .withClient("my-client-with-secret")
 		            .authorizedGrantTypes("client_credentials", "password")
diff --git a/tests/annotation/ssl/src/test/java/demo/AuthorizationCodeProviderCookieTests.java b/tests/annotation/ssl/src/test/java/demo/AuthorizationCodeProviderCookieTests.java
index 7b614e004..89f1eee39 100644
--- a/tests/annotation/ssl/src/test/java/demo/AuthorizationCodeProviderCookieTests.java
+++ b/tests/annotation/ssl/src/test/java/demo/AuthorizationCodeProviderCookieTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -33,7 +33,7 @@ public class AuthorizationCodeProviderCookieTests extends AbstractEmptyAuthoriza
 	@Test
 	@OAuth2ContextConfiguration(resource = MyTrustedClient.class, initialize = false)
 	public void testPostToProtectedResource() throws Exception {
-		approveAccessTokenGrant("http://anywhere/", true);
+		approveAccessTokenGrant("https://anywhere/", true);
 		assertNotNull(context.getAccessToken());
 		LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
 		form.set("foo", "bar");
diff --git a/tests/annotation/ssl/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/annotation/ssl/src/test/java/demo/AuthorizationCodeProviderTests.java
index 49a38d4ab..1519a839b 100755
--- a/tests/annotation/ssl/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/annotation/ssl/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -34,7 +34,7 @@ public class AuthorizationCodeProviderTests extends AbstractAuthorizationCodePro
 	@Test
 	@OAuth2ContextConfiguration(resource = MyTrustedClient.class, initialize = false)
 	public void testPostToProtectedResource() throws Exception {
-		approveAccessTokenGrant("http://anywhere/", true);
+		approveAccessTokenGrant("https://anywhere/", true);
 		assertNotNull(context.getAccessToken());
 		LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
 		form.set("foo", "bar");
@@ -43,7 +43,7 @@ public void testPostToProtectedResource() throws Exception {
 
 	@Test
 	public void testWrongClientIdProvided() throws Exception {
-		ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/");
+		ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/");
 		// With no client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 		assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 		String body = response.getBody();
@@ -54,7 +54,7 @@ public void testWrongClientIdProvided() throws Exception {
 	@Test
 	public void testWrongClientIdAndOmittedResponseType() throws Exception {
 	    // Test wrong client id together with an omitted response_type
-	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/", null);
+	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/", null);
 	    // With bad client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 	    assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 	    String body = response.getBody();
@@ -65,7 +65,7 @@ public void testWrongClientIdAndOmittedResponseType() throws Exception {
 	@Test
 	public void testWrongClientIdAndBadResponseTypeProvided() throws Exception {
 	    // Test wrong client id together with an omitted response_type
-	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/", "unsupported");
+	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/", "unsupported");
 	    // With bad client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 	    assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 	    String body = response.getBody();
diff --git a/tests/annotation/ssl/src/test/java/demo/ImplicitProviderTests.java b/tests/annotation/ssl/src/test/java/demo/ImplicitProviderTests.java
index 06ebe766b..fc362f5d5 100644
--- a/tests/annotation/ssl/src/test/java/demo/ImplicitProviderTests.java
+++ b/tests/annotation/ssl/src/test/java/demo/ImplicitProviderTests.java
@@ -56,7 +56,7 @@ public void run() {
 	private void getToken() {
 		Map<String, String> form = new LinkedHashMap<String, String>();
 		form.put("client_id", "my-trusted-client");
-		form.put("redirect_uri", "http://foo.com/");
+		form.put("redirect_uri", "https://www.foo.com/");
 		form.put("response_type", "token");
 		form.put("scope", "read");
 		ResponseEntity<Void> response = new TestRestTemplate("user", "password")
@@ -65,6 +65,8 @@ private void getToken() {
 						Void.class, form);
 		assertEquals("Wrong status: " + response.getHeaders(), HttpStatus.FOUND, response.getStatusCode());
 		assertTrue(response.getHeaders().getLocation().toString().contains("access_token"));
+		assertTrue(response.getHeaders().getFirst("Cache-Control").contains("no-store"));
+		assertTrue(response.getHeaders().getFirst("Pragma").contains("no-cache"));
 	}
 
 	protected static class ResourceOwner extends ResourceOwnerPasswordResourceDetails {
diff --git a/tests/annotation/ssl/src/test/java/demo/ProtectedResourceTests.java b/tests/annotation/ssl/src/test/java/demo/ProtectedResourceTests.java
index c752cbe12..e43d004e3 100644
--- a/tests/annotation/ssl/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/annotation/ssl/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/vanilla/pom.xml b/tests/annotation/vanilla/pom.xml
index 14b32c5e5..f3ab8d83f 100644
--- a/tests/annotation/vanilla/pom.xml
+++ b/tests/annotation/vanilla/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-vanilla</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/annotation/vanilla/src/main/java/demo/Application.java b/tests/annotation/vanilla/src/main/java/demo/Application.java
index 8ce14658e..912122c7c 100644
--- a/tests/annotation/vanilla/src/main/java/demo/Application.java
+++ b/tests/annotation/vanilla/src/main/java/demo/Application.java
@@ -66,14 +66,14 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
 		            .scopes("read", "write", "trust")
 		            .resourceIds("oauth2-resource")
 		            .accessTokenValiditySeconds(600)
-		            .redirectUris("http://anywhere/")
+		            .redirectUris("https://anywhere/")
  		    .and()
 		        .withClient("my-client-with-registered-redirect")
 		            .authorizedGrantTypes("authorization_code")
 		            .authorities("ROLE_CLIENT")
 		            .scopes("read", "trust")
 		            .resourceIds("oauth2-resource")
-		            .redirectUris("http://anywhere/?key=value")
+		            .redirectUris("https://anywhere/?key=value")
  		    .and()
 		        .withClient("my-client-with-secret")
 		            .authorizedGrantTypes("client_credentials", "password")
diff --git a/tests/annotation/vanilla/src/test/java/demo/AdHocTests.java b/tests/annotation/vanilla/src/test/java/demo/AdHocTests.java
index f3f947369..7ba4feea0 100644
--- a/tests/annotation/vanilla/src/test/java/demo/AdHocTests.java
+++ b/tests/annotation/vanilla/src/test/java/demo/AdHocTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/vanilla/src/test/java/demo/AuthorizationCodeProviderCookieTests.java b/tests/annotation/vanilla/src/test/java/demo/AuthorizationCodeProviderCookieTests.java
index 26d88d46a..e7d8078f9 100644
--- a/tests/annotation/vanilla/src/test/java/demo/AuthorizationCodeProviderCookieTests.java
+++ b/tests/annotation/vanilla/src/test/java/demo/AuthorizationCodeProviderCookieTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -31,7 +31,7 @@ public class AuthorizationCodeProviderCookieTests extends AbstractEmptyAuthoriza
 	@Test
 	@OAuth2ContextConfiguration(resource = MyClientWithRegisteredRedirect.class, initialize = false)
 	public void testPostToProtectedResource() throws Exception {
-		approveAccessTokenGrant("http://anywhere/?key=value", true);
+		approveAccessTokenGrant("https://anywhere/?key=value", true);
 		assertNotNull(context.getAccessToken());
 		LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
 		form.set("foo", "bar");
diff --git a/tests/annotation/vanilla/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/annotation/vanilla/src/test/java/demo/AuthorizationCodeProviderTests.java
index 34cdef81b..3441f471b 100755
--- a/tests/annotation/vanilla/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/annotation/vanilla/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -32,7 +32,7 @@ public class AuthorizationCodeProviderTests extends AbstractAuthorizationCodePro
 	@Test
 	@OAuth2ContextConfiguration(resource = MyTrustedClient.class, initialize = false)
 	public void testPostToProtectedResource() throws Exception {
-		approveAccessTokenGrant("http://anywhere/", true);
+		approveAccessTokenGrant("https://anywhere/", true);
 		assertNotNull(context.getAccessToken());
 		LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
 		form.set("foo", "bar");
@@ -41,7 +41,7 @@ public void testPostToProtectedResource() throws Exception {
 
 	@Test
 	public void testWrongClientIdProvided() throws Exception {
-		ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/");
+		ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/");
 		// With no client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 		assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 		String body = response.getBody();
@@ -52,7 +52,7 @@ public void testWrongClientIdProvided() throws Exception {
 	@Test
 	public void testWrongClientIdAndOmittedResponseType() throws Exception {
 	    // Test wrong client id together with an omitted response_type
-	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/", null);
+	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/", null);
 	    // With bad client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 	    assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 	    String body = response.getBody();
@@ -63,7 +63,7 @@ public void testWrongClientIdAndOmittedResponseType() throws Exception {
 	@Test
 	public void testWrongClientIdAndBadResponseTypeProvided() throws Exception {
 	    // Test wrong client id together with an omitted response_type
-	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "http://anywhere/", "unsupported");
+	    ResponseEntity<String> response = attemptToGetConfirmationPage("no-such-client", "https://anywhere/", "unsupported");
 	    // With bad client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 	    assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 	    String body = response.getBody();
diff --git a/tests/annotation/vanilla/src/test/java/demo/ImplicitProviderTests.java b/tests/annotation/vanilla/src/test/java/demo/ImplicitProviderTests.java
index 8ec5c2a34..e68e21cad 100644
--- a/tests/annotation/vanilla/src/test/java/demo/ImplicitProviderTests.java
+++ b/tests/annotation/vanilla/src/test/java/demo/ImplicitProviderTests.java
@@ -54,15 +54,17 @@ public void run() {
 	private void getToken() {
 		Map<String, String> form = new LinkedHashMap<String, String>();
 		form.put("client_id", "my-trusted-client");
-		form.put("redirect_uri", "http://anywhere/");
+		form.put("redirect_uri", "https://anywhere/");
 		form.put("response_type", "token");
 		form.put("scope", "read");
 		ResponseEntity<Void> response = new TestRestTemplate("user", "password")
 				.getForEntity(
 						http.getUrl("/oauth/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type={response_type}&scope={scope}"),
 						Void.class, form);
-		assertEquals("Wrong status: " + response.getHeaders(), HttpStatus.FOUND, response.getStatusCode());
+		assertEquals("Wrong status: " + response.getHeaders(), HttpStatus.SEE_OTHER, response.getStatusCode());
 		assertTrue(response.getHeaders().getLocation().toString().contains("access_token"));
+		assertTrue(response.getHeaders().getFirst("Cache-Control").contains("no-store"));
+		assertTrue(response.getHeaders().getFirst("Pragma").contains("no-cache"));
 	}
 
 	protected static class ResourceOwner extends ResourceOwnerPasswordResourceDetails {
diff --git a/tests/annotation/vanilla/src/test/java/demo/ProtectedResourceTests.java b/tests/annotation/vanilla/src/test/java/demo/ProtectedResourceTests.java
index 302b30f96..be5dc3b8b 100644
--- a/tests/annotation/vanilla/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/annotation/vanilla/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/annotation/vanilla/src/test/java/demo/ResourceOwnerPasswordProviderTests.java b/tests/annotation/vanilla/src/test/java/demo/ResourceOwnerPasswordProviderTests.java
index 31a0f75b8..6d6c75dd8 100644
--- a/tests/annotation/vanilla/src/test/java/demo/ResourceOwnerPasswordProviderTests.java
+++ b/tests/annotation/vanilla/src/test/java/demo/ResourceOwnerPasswordProviderTests.java
@@ -1,15 +1,19 @@
 package demo;
 
-import static org.junit.Assert.assertEquals;
-
 import org.junit.Test;
 import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.oauth2.client.test.OAuth2ContextConfiguration;
-
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
 import sparklr.common.AbstractResourceOwnerPasswordProviderTests;
 
+import static org.junit.Assert.assertEquals;
+
 /**
  * @author Dave Syer
  */
@@ -20,6 +24,24 @@ public class ResourceOwnerPasswordProviderTests extends AbstractResourceOwnerPas
 	public void testCheckToken() throws Exception {
 		TestRestTemplate template = new TestRestTemplate("my-trusted-client", "");
 		ResponseEntity<String> response = template.getForEntity(http.getUrl("/oauth/check_token?token={token}"), String.class, context.getAccessToken().getValue());
+		assertEquals(HttpStatus.METHOD_NOT_ALLOWED, response.getStatusCode());
+	}
+
+	/**
+	 * Note: This test is to check the POST request call to CheckTokenEndpoint. 
+	 * The main intention is to avoid passing parameters as part of the URL /oauth/check_token. Example: /oauth/check_token?token={token}
+	 * Instead making sure that the URL /oauth/check_token accepts only POST request calls so that parameters can be part of request body.
+	*/	
+	@Test
+	@OAuth2ContextConfiguration(ResourceOwner.class)
+	public void testCheckTokenPostRequestCall() throws Exception {
+		TestRestTemplate template = new TestRestTemplate("my-trusted-client", "");
+		HttpHeaders headers = new HttpHeaders();
+		headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
+		MultiValueMap<String, String> params = new LinkedMultiValueMap<>();
+		params.add("token", context.getAccessToken().getValue());
+		HttpEntity<MultiValueMap<String, String>> request = new HttpEntity<>(params, headers);
+		ResponseEntity<String> response = template.postForEntity(http.getUrl("/oauth/check_token"), request, String.class);
 		assertEquals(HttpStatus.OK, response.getStatusCode());
 	}
 
diff --git a/tests/pom.xml b/tests/pom.xml
index 4e9e1eb5f..8a9a2e705 100644
--- a/tests/pom.xml
+++ b/tests/pom.xml
@@ -1,10 +1,10 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <parent>
     <groupId>org.springframework.security.oauth</groupId>
     <artifactId>spring-security-oauth-parent</artifactId>
-    <version>2.3.6.BUILD-SNAPSHOT</version>
+    <version>2.5.3.BUILD-SNAPSHOT</version>
   </parent>
 
   <artifactId>spring-security-oauth-tests</artifactId>
@@ -35,8 +35,8 @@
   <distributionManagement>
 
     <site>
-      <id>static.springframework.org</id>
-      <url>scp://static.springframework.org/var/www/domains/springframework.org/static/htdocs/spring-security/oauth/tests</url>
+        <id>static.spring.io</id>
+        <url>scp://docs-ip.spring.io/var/www/domains/spring.io/docs/htdocs/spring-security/oauth/site/docs/${project.version}</url>
     </site>
 
   </distributionManagement>
diff --git a/tests/xml/approval/pom.xml b/tests/xml/approval/pom.xml
index d075f7721..cbedf4734 100644
--- a/tests/xml/approval/pom.xml
+++ b/tests/xml/approval/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-xml-approval</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-xml-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/xml/approval/src/main/resources/context.xml b/tests/xml/approval/src/main/resources/context.xml
index a583e5158..164273f59 100644
--- a/tests/xml/approval/src/main/resources/context.xml
+++ b/tests/xml/approval/src/main/resources/context.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd">
 
 	<authorization-server client-details-service-ref="clientDetailsService"
 		xmlns="http://www.springframework.org/schema/security/oauth2" token-services-ref="tokenServices" user-approval-handler-ref="userApprovalHandler">
@@ -21,11 +21,11 @@
 			authorized-grant-types="password,authorization_code,refresh_token,implicit"
 			scope="read,write,trust" resource-ids="oauth2-resource"
 			access-token-validity="60" authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT"
-		    redirect-uri="http://anywhere/" />
+		    redirect-uri="https://anywhere/" />
 		<oauth2:client client-id="my-client-with-registered-redirect"
 			authorized-grant-types="authorization_code" scope="read,trust"
 			resource-ids="oauth2-resource" authorities="ROLE_CLIENT"
-			redirect-uri="http://anywhere/?key=value" />
+			redirect-uri="https://anywhere/?key=value" />
 		<oauth2:client client-id="my-client-with-secret" secret="secret"
 			authorized-grant-types="password,client_credentials" scope="read"
 			resource-ids="oauth2-resource" access-token-validity="60"
diff --git a/tests/xml/approval/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/xml/approval/src/test/java/demo/AuthorizationCodeProviderTests.java
index f336430f4..97f5ae1f5 100755
--- a/tests/xml/approval/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/xml/approval/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/approval/src/test/java/demo/ProtectedResourceTests.java b/tests/xml/approval/src/test/java/demo/ProtectedResourceTests.java
index c752cbe12..e43d004e3 100644
--- a/tests/xml/approval/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/xml/approval/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/client/pom.xml b/tests/xml/client/pom.xml
index 57b33458f..74e023154 100644
--- a/tests/xml/client/pom.xml
+++ b/tests/xml/client/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-xml-client</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-xml-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/xml/client/src/main/resources/context.xml b/tests/xml/client/src/main/resources/context.xml
index f9a6b0e1a..8f38ce7e8 100644
--- a/tests/xml/client/src/main/resources/context.xml
+++ b/tests/xml/client/src/main/resources/context.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd">
 
 	<oauth2:resource id="resource" client-id="my-trusted-client" type="authorization_code"
 		user-authorization-uri="${oauth.authorize:http://localhost:8080/oauth/authorize}"
diff --git a/tests/xml/client/src/test/java/client/CombinedApplication.java b/tests/xml/client/src/test/java/client/CombinedApplication.java
index 9c612f760..294565e1f 100644
--- a/tests/xml/client/src/test/java/client/CombinedApplication.java
+++ b/tests/xml/client/src/test/java/client/CombinedApplication.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/common/pom.xml b/tests/xml/common/pom.xml
index 167261833..286196a8a 100644
--- a/tests/xml/common/pom.xml
+++ b/tests/xml/common/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-xml-common</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-xml-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
@@ -66,7 +66,7 @@
 		<repository>
 			<id>spring-snapshots</id>
 			<name>Spring Snapshots</name>
-			<url>http://repo.spring.io/snapshot</url>
+			<url>https://repo.spring.io/snapshot</url>
 			<snapshots>
 				<enabled>true</enabled>
 			</snapshots>
@@ -74,7 +74,7 @@
 		<repository>
 			<id>spring-milestones</id>
 			<name>Spring Milestones</name>
-			<url>http://repo.spring.io/milestone</url>
+			<url>https://repo.spring.io/milestone</url>
 			<snapshots>
 				<enabled>false</enabled>
 			</snapshots>
@@ -84,7 +84,7 @@
 		<pluginRepository>
 			<id>spring-snapshots</id>
 			<name>Spring Snapshots</name>
-			<url>http://repo.spring.io/snapshot</url>
+			<url>https://repo.spring.io/snapshot</url>
 			<snapshots>
 				<enabled>true</enabled>
 			</snapshots>
diff --git a/tests/xml/common/src/main/java/sparklr/common/AbstractAuthorizationCodeProviderTests.java b/tests/xml/common/src/main/java/sparklr/common/AbstractAuthorizationCodeProviderTests.java
index 548978c72..30ae94d27 100755
--- a/tests/xml/common/src/main/java/sparklr/common/AbstractAuthorizationCodeProviderTests.java
+++ b/tests/xml/common/src/main/java/sparklr/common/AbstractAuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -118,7 +118,7 @@ public ResponseEntity<Void> extractData(ClientHttpResponse response) throws IOEx
 	public void testUnauthenticatedAuthorizationRespondsUnauthorized() throws Exception {
 
 		AccessTokenRequest request = context.getAccessTokenRequest();
-		request.setCurrentUri("http://anywhere/");
+		request.setCurrentUri("https://anywhere/");
 		request.add(OAuth2Utils.USER_OAUTH_APPROVAL, "true");
 
 		try {
@@ -137,7 +137,7 @@ public void testUnauthenticatedAuthorizationRespondsUnauthorized() throws Except
 	public void testSuccessfulAuthorizationCodeFlow() throws Exception {
 
 		// Once the request is ready and approved, we can continue with the access token
-		approveAccessTokenGrant("http://anywhere/", true);
+		approveAccessTokenGrant("https://anywhere/", true);
 
 		// Finally everything is in place for the grant to happen...
 		assertNotNull(context.getAccessToken());
@@ -151,10 +151,10 @@ public void testSuccessfulAuthorizationCodeFlow() throws Exception {
 	@Test
 	@OAuth2ContextConfiguration(resource = MyTrustedClient.class, initialize = false)
 	public void testWrongRedirectUri() throws Exception {
-		approveAccessTokenGrant("http://anywhere/", true);
+		approveAccessTokenGrant("https://anywhere/", true);
 		AccessTokenRequest request = context.getAccessTokenRequest();
 		// The redirect is stored in the preserved state...
-		context.getOAuth2ClientContext().setPreservedState(request.getStateKey(), "http://nowhere/");
+		context.getOAuth2ClientContext().setPreservedState(request.getStateKey(), "https://nowhere/");
 		// Finally everything is in place for the grant to happen...
 		try {
 			assertNotNull(context.getAccessToken());
@@ -169,7 +169,7 @@ public void testWrongRedirectUri() throws Exception {
 	@Test
 	@OAuth2ContextConfiguration(resource = MyTrustedClient.class, initialize = false)
 	public void testUserDeniesConfirmation() throws Exception {
-		approveAccessTokenGrant("http://anywhere/", false);
+		approveAccessTokenGrant("https://anywhere/", false);
 		String location = null;
 		try {
 			assertNotNull(context.getAccessToken());
@@ -179,15 +179,15 @@ public void testUserDeniesConfirmation() throws Exception {
 			location = e.getRedirectUri();
 		}
 		assertTrue("Wrong location: " + location, location.contains("state="));
-		assertTrue(location.startsWith("http://anywhere/"));
+		assertTrue(location.startsWith("https://anywhere/"));
 		assertTrue(location.substring(location.indexOf('?')).contains("error=access_denied"));
 		// It was a redirect that triggered our client redirect exception:
-		assertEquals(HttpStatus.FOUND, tokenEndpointResponse.getStatusCode());
+		assertEquals(HttpStatus.SEE_OTHER, tokenEndpointResponse.getStatusCode());
 	}
 
 	@Test
 	public void testNoClientIdProvided() throws Exception {
-		ResponseEntity<String> response = attemptToGetConfirmationPage(null, "http://anywhere/");
+		ResponseEntity<String> response = attemptToGetConfirmationPage(null, "https://anywhere/");
 		// With no client id you get an InvalidClientException on the server which is forwarded to /oauth/error
 		assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
 		String body = response.getBody();
@@ -200,7 +200,7 @@ public void testIllegalAttemptToApproveWithoutUsingAuthorizationRequest() throws
 
 		HttpHeaders headers = getAuthenticatedHeaders();
 
-		String authorizeUrl = getAuthorizeUrl("my-trusted-client", "http://anywhere.com/", "read");
+		String authorizeUrl = getAuthorizeUrl("my-trusted-client", "https://anywhere.com/", "read");
 		authorizeUrl = authorizeUrl + "&user_oauth_approval=true";
 		ResponseEntity<Void> response = http.postForStatus(authorizeUrl, headers,
 				new LinkedMultiValueMap<String, String>());
@@ -230,7 +230,7 @@ public void testInvalidScopeInAuthorizationRequest() throws Exception {
 		headers.setAccept(Arrays.asList(MediaType.TEXT_HTML));
 
 		String scope = "bogus";
-		String redirectUri = "http://anywhere/?key=value";
+		String redirectUri = "https://anywhere/?key=value";
 		String clientId = "my-client-with-registered-redirect";
 
 		UriBuilder uri = http.buildUri(authorizePath()).queryParam("response_type", "code")
@@ -242,9 +242,9 @@ public void testInvalidScopeInAuthorizationRequest() throws Exception {
 			uri.queryParam("redirect_uri", redirectUri);
 		}
 		ResponseEntity<String> response = http.getForString(uri.pattern(), headers, uri.params());
-		assertEquals(HttpStatus.FOUND, response.getStatusCode());
+		assertEquals(HttpStatus.SEE_OTHER, response.getStatusCode());
 		String location = response.getHeaders().getLocation().toString();
-		assertTrue(location.startsWith("http://anywhere/"));
+		assertTrue(location.startsWith("https://anywhere/"));
 		assertTrue(location.contains("error=invalid_scope"));
 		assertFalse(location.contains("redirect_uri="));
 	}
@@ -270,7 +270,7 @@ public void testInvalidAccessToken() throws Exception {
 	@OAuth2ContextConfiguration(resource = MyClientWithRegisteredRedirect.class, initialize = false)
 	public void testRegisteredRedirectWithWrongRequestedRedirect() throws Exception {
 		try {
-			approveAccessTokenGrant("http://nowhere/", true);
+			approveAccessTokenGrant("https://nowhere/", true);
 			fail("Expected RedirectMismatchException");
 		}
 		catch (HttpClientErrorException e) {
@@ -281,9 +281,9 @@ public void testRegisteredRedirectWithWrongRequestedRedirect() throws Exception
 	@Test
 	@OAuth2ContextConfiguration(resource = MyClientWithRegisteredRedirect.class, initialize = false)
 	public void testRegisteredRedirectWithWrongOneInTokenEndpoint() throws Exception {
-		approveAccessTokenGrant("http://anywhere/?key=value", true);
+		approveAccessTokenGrant("https://anywhere/?key=value", true);
 		// Setting the redirect uri directly in the request should override the saved value
-		context.getAccessTokenRequest().set("redirect_uri", "http://nowhere.com/");
+		context.getAccessTokenRequest().set("redirect_uri", "https://nowhere.com/");
 		try {
 			assertNotNull(context.getAccessToken());
 			fail("Expected RedirectMismatchException");
@@ -404,7 +404,7 @@ protected static class MyClientWithRegisteredRedirect extends MyTrustedClient {
 		public MyClientWithRegisteredRedirect(Object target) {
 			super(target);
 			setClientId("my-client-with-registered-redirect");
-			setPreEstablishedRedirectUri("http://anywhere/?key=value");
+			setPreEstablishedRedirectUri("https://anywhere/?key=value");
 		}
 	}
 }
diff --git a/tests/xml/common/src/main/java/sparklr/common/AbstractImplicitProviderTests.java b/tests/xml/common/src/main/java/sparklr/common/AbstractImplicitProviderTests.java
index 5e1c47d55..eab5c6189 100644
--- a/tests/xml/common/src/main/java/sparklr/common/AbstractImplicitProviderTests.java
+++ b/tests/xml/common/src/main/java/sparklr/common/AbstractImplicitProviderTests.java
@@ -42,7 +42,7 @@ public NonAutoApproveImplicit(Object target) {
 			super();
 			setClientId("my-trusted-client");
 			setId(getClientId());
-			setPreEstablishedRedirectUri("http://anywhere/");
+			setPreEstablishedRedirectUri("https://anywhere/");
 		}
 	}
 
diff --git a/tests/xml/common/src/main/java/sparklr/common/AbstractIntegrationTests.java b/tests/xml/common/src/main/java/sparklr/common/AbstractIntegrationTests.java
index ac2f12db7..b44539912 100644
--- a/tests/xml/common/src/main/java/sparklr/common/AbstractIntegrationTests.java
+++ b/tests/xml/common/src/main/java/sparklr/common/AbstractIntegrationTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/common/src/main/java/sparklr/common/AbstractProtectedResourceTests.java b/tests/xml/common/src/main/java/sparklr/common/AbstractProtectedResourceTests.java
index e267f4430..2e49192df 100644
--- a/tests/xml/common/src/main/java/sparklr/common/AbstractProtectedResourceTests.java
+++ b/tests/xml/common/src/main/java/sparklr/common/AbstractProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/form/pom.xml b/tests/xml/form/pom.xml
index 7ffa953e9..9e636fe8f 100644
--- a/tests/xml/form/pom.xml
+++ b/tests/xml/form/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-xml-form</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-xml-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/xml/form/src/main/resources/context.xml b/tests/xml/form/src/main/resources/context.xml
index 85d971719..575adac14 100644
--- a/tests/xml/form/src/main/resources/context.xml
+++ b/tests/xml/form/src/main/resources/context.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd">
 
 	<authorization-server client-details-service-ref="clientDetailsService"
 		xmlns="http://www.springframework.org/schema/security/oauth2" token-services-ref="tokenServices" >
@@ -21,11 +21,11 @@
 			authorized-grant-types="password,authorization_code,refresh_token,implicit"
 			scope="read,write,trust" resource-ids="oauth2-resource"
 			access-token-validity="60" authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT"
-			redirect-uri="http://anywhere/" />
+			redirect-uri="https://anywhere/" />
 		<oauth2:client client-id="my-client-with-registered-redirect"
 			authorized-grant-types="authorization_code" scope="read,trust"
 			resource-ids="oauth2-resource" authorities="ROLE_CLIENT"
-			redirect-uri="http://anywhere/?key=value" />
+			redirect-uri="https://anywhere/?key=value" />
 		<oauth2:client client-id="my-client-with-secret" secret="secret"
 			authorized-grant-types="password,client_credentials" scope="read"
 			resource-ids="oauth2-resource" access-token-validity="60"
diff --git a/tests/xml/form/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/xml/form/src/test/java/demo/AuthorizationCodeProviderTests.java
index 632098bf1..8ae483f92 100755
--- a/tests/xml/form/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/xml/form/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/form/src/test/java/demo/ProtectedResourceTests.java b/tests/xml/form/src/test/java/demo/ProtectedResourceTests.java
index c752cbe12..e43d004e3 100644
--- a/tests/xml/form/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/xml/form/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/jdbc/pom.xml b/tests/xml/jdbc/pom.xml
index 0a1d67871..3b2b1f8f9 100644
--- a/tests/xml/jdbc/pom.xml
+++ b/tests/xml/jdbc/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-xml-jdbc</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-xml-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/xml/jdbc/src/main/resources/context.xml b/tests/xml/jdbc/src/main/resources/context.xml
index e09a254df..4610b027d 100644
--- a/tests/xml/jdbc/src/main/resources/context.xml
+++ b/tests/xml/jdbc/src/main/resources/context.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd">
 
 	<authorization-server client-details-service-ref="clientDetailsService"
 		xmlns="http://www.springframework.org/schema/security/oauth2" token-services-ref="tokenServices" >
diff --git a/tests/xml/jdbc/src/main/resources/schema.sql b/tests/xml/jdbc/src/main/resources/schema.sql
index 9d8a90926..0f1a4f614 100644
--- a/tests/xml/jdbc/src/main/resources/schema.sql
+++ b/tests/xml/jdbc/src/main/resources/schema.sql
@@ -52,10 +52,10 @@ create table oauth_code (
 );
 
 insert into oauth_client_details (client_id, resource_ids, scope, authorized_grant_types, authorities, access_token_validity, web_server_redirect_uri)
-	values ('my-trusted-client', 'oauth2-resource', 'read,write,trust', 'password,authorization_code,refresh_token,implicit', 'ROLE_CLIENT,ROLE_TRUSTED_CLIENT', 60, 'http://anywhere/');
+	values ('my-trusted-client', 'oauth2-resource', 'read,write,trust', 'password,authorization_code,refresh_token,implicit', 'ROLE_CLIENT,ROLE_TRUSTED_CLIENT', 60, 'https://anywhere/');
 
 insert into oauth_client_details (client_id, resource_ids, scope, authorized_grant_types, authorities, web_server_redirect_uri) 
-	values ('my-client-with-registered-redirect', 'oauth2-resource', 'read,trust', 'authorization_code', 'ROLE_CLIENT', 'http://anywhere/?key=value');
+	values ('my-client-with-registered-redirect', 'oauth2-resource', 'read,trust', 'authorization_code', 'ROLE_CLIENT', 'https://anywhere/?key=value');
 
 insert into oauth_client_details (client_id, client_secret, resource_ids, scope, authorized_grant_types, authorities) 
 	values ('my-client-with-secret', 'secret', 'oauth2-resource', 'read', 'password,client_credentials', 'ROLE_CLIENT');
diff --git a/tests/xml/jdbc/src/test/java/demo/AdHocTests.java b/tests/xml/jdbc/src/test/java/demo/AdHocTests.java
index a7d0087ca..7e52aa7b5 100644
--- a/tests/xml/jdbc/src/test/java/demo/AdHocTests.java
+++ b/tests/xml/jdbc/src/test/java/demo/AdHocTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/jdbc/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/xml/jdbc/src/test/java/demo/AuthorizationCodeProviderTests.java
index 32cb5606d..8f1993b56 100755
--- a/tests/xml/jdbc/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/xml/jdbc/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/jdbc/src/test/java/demo/ProtectedResourceTests.java b/tests/xml/jdbc/src/test/java/demo/ProtectedResourceTests.java
index c752cbe12..e43d004e3 100644
--- a/tests/xml/jdbc/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/xml/jdbc/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/jwt/pom.xml b/tests/xml/jwt/pom.xml
index 5eaaa6a40..8e3ffe1b0 100644
--- a/tests/xml/jwt/pom.xml
+++ b/tests/xml/jwt/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-xml-jwt</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-xml-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/xml/jwt/src/main/resources/context.xml b/tests/xml/jwt/src/main/resources/context.xml
index 85d971719..575adac14 100644
--- a/tests/xml/jwt/src/main/resources/context.xml
+++ b/tests/xml/jwt/src/main/resources/context.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd">
 
 	<authorization-server client-details-service-ref="clientDetailsService"
 		xmlns="http://www.springframework.org/schema/security/oauth2" token-services-ref="tokenServices" >
@@ -21,11 +21,11 @@
 			authorized-grant-types="password,authorization_code,refresh_token,implicit"
 			scope="read,write,trust" resource-ids="oauth2-resource"
 			access-token-validity="60" authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT"
-			redirect-uri="http://anywhere/" />
+			redirect-uri="https://anywhere/" />
 		<oauth2:client client-id="my-client-with-registered-redirect"
 			authorized-grant-types="authorization_code" scope="read,trust"
 			resource-ids="oauth2-resource" authorities="ROLE_CLIENT"
-			redirect-uri="http://anywhere/?key=value" />
+			redirect-uri="https://anywhere/?key=value" />
 		<oauth2:client client-id="my-client-with-secret" secret="secret"
 			authorized-grant-types="password,client_credentials" scope="read"
 			resource-ids="oauth2-resource" access-token-validity="60"
diff --git a/tests/xml/jwt/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/xml/jwt/src/test/java/demo/AuthorizationCodeProviderTests.java
index 632098bf1..8ae483f92 100755
--- a/tests/xml/jwt/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/xml/jwt/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/jwt/src/test/java/demo/ProtectedResourceTests.java b/tests/xml/jwt/src/test/java/demo/ProtectedResourceTests.java
index c752cbe12..e43d004e3 100644
--- a/tests/xml/jwt/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/xml/jwt/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/mappings/pom.xml b/tests/xml/mappings/pom.xml
index 486a44c8b..375fec92a 100644
--- a/tests/xml/mappings/pom.xml
+++ b/tests/xml/mappings/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-xml-mappings</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-xml-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/xml/mappings/src/main/resources/context.xml b/tests/xml/mappings/src/main/resources/context.xml
index fbf741934..a3923cb4b 100644
--- a/tests/xml/mappings/src/main/resources/context.xml
+++ b/tests/xml/mappings/src/main/resources/context.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd">
 
 	<authorization-server client-details-service-ref="clientDetailsService"
 		token-services-ref="tokenServices" authorization-endpoint-url="${oauth.paths.authorize:/oauth/authorize}"
@@ -24,11 +24,11 @@
 			authorized-grant-types="password,authorization_code,refresh_token,implicit"
 			scope="read,write,trust" resource-ids="oauth2-resource"
 			access-token-validity="60" authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT"
-			redirect-uri="http://anywhere/" />
+			redirect-uri="https://anywhere/" />
 		<oauth2:client client-id="my-client-with-registered-redirect"
 			authorized-grant-types="authorization_code" scope="read,trust"
 			resource-ids="oauth2-resource" authorities="ROLE_CLIENT"
-			redirect-uri="http://anywhere/?key=value" />
+			redirect-uri="https://anywhere/?key=value" />
 		<oauth2:client client-id="my-client-with-secret" secret="secret"
 			authorized-grant-types="password,client_credentials" scope="read"
 			resource-ids="oauth2-resource" access-token-validity="60"
diff --git a/tests/xml/mappings/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/xml/mappings/src/test/java/demo/AuthorizationCodeProviderTests.java
index 36e02d25f..3e7127a02 100755
--- a/tests/xml/mappings/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/xml/mappings/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -37,7 +37,7 @@ public class AuthorizationCodeProviderTests extends AbstractAuthorizationCodePro
 	public void testInsufficientScopeInResourceRequest() throws Exception {
 		AuthorizationCodeResourceDetails resource = (AuthorizationCodeResourceDetails) context.getResource();
 		resource.setScope(Arrays.asList("trust"));
-		approveAccessTokenGrant("http://anywhere/?key=value", true);
+		approveAccessTokenGrant("https://anywhere/?key=value", true);
 		assertNotNull(context.getAccessToken());
 		try {
 			http.getForString("/admin/beans");
diff --git a/tests/xml/mappings/src/test/java/demo/ProtectedResourceTests.java b/tests/xml/mappings/src/test/java/demo/ProtectedResourceTests.java
index 743d9158b..fad494589 100644
--- a/tests/xml/mappings/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/xml/mappings/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/pom.xml b/tests/xml/pom.xml
index cc6330292..6d03a2e3c 100644
--- a/tests/xml/pom.xml
+++ b/tests/xml/pom.xml
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<groupId>org.demo</groupId>
 	<artifactId>spring-oauth2-tests-xml-parent</artifactId>
-	<version>2.3.6.BUILD-SNAPSHOT</version>
+	<version>2.5.3.BUILD-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -18,6 +18,12 @@
       <module>client</module>
     </modules>
 
+	<properties>
+		<start-class>demo.Application</start-class>
+		<java.version>1.7</java.version>
+		<spring.version>4.3.30.RELEASE</spring.version>
+	</properties>
+
 	<name>spring-oauth2-tests-xml</name>
 	<description>Demo project for OAuth2 and Spring Boot</description>
 
@@ -33,18 +39,12 @@
 		<dependency>
 			<groupId>org.springframework.security.oauth</groupId>
 			<artifactId>spring-security-oauth2</artifactId>
-			<version>2.3.6.BUILD-SNAPSHOT</version>
-			<exclusions>
-				<exclusion>
-					<artifactId>jackson-mapper-asl</artifactId>
-					<groupId>org.codehaus.jackson</groupId>
-				</exclusion>
-			</exclusions>
+			<version>2.5.3.BUILD-SNAPSHOT</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-jwt</artifactId>
-			<version>1.0.3.RELEASE</version>
+			<version>1.1.1.RELEASE</version>
 		</dependency>
 	</dependencies>
     </dependencyManagement>
@@ -79,9 +79,44 @@
       </pluginManagement>
     </build>
 
-	<properties>
-		<start-class>demo.Application</start-class>
-        <java.version>1.7</java.version>
-	</properties>
-
+	<profiles>
+		<profile>
+			<id>spring5</id>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.apache.maven.plugins</groupId>
+						<artifactId>maven-checkstyle-plugin</artifactId>
+						<version>3.1.1</version>
+						<dependencies>
+							<dependency>
+								<groupId>com.puppycrawl.tools</groupId>
+								<artifactId>checkstyle</artifactId>
+								<version>8.31</version>
+							</dependency>
+							<dependency>
+								<groupId>io.spring.nohttp</groupId>
+								<artifactId>nohttp-checkstyle</artifactId>
+								<version>0.0.3.RELEASE</version>
+							</dependency>
+						</dependencies>
+						<configuration>
+							<configLocation>${maven.multiModuleProjectDirectory}/etc/nohttp/checkstyle.xml</configLocation>
+							<includes>src/**/*,*</includes>
+							<sourceDirectories>
+								<sourceDirectory>./</sourceDirectory>
+							</sourceDirectories>
+						</configuration>
+						<executions>
+							<execution>
+								<goals>
+									<goal>check</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+	</profiles>
 </project>
diff --git a/tests/xml/vanilla/pom.xml b/tests/xml/vanilla/pom.xml
index 1edef3c55..bc6c63fc6 100644
--- a/tests/xml/vanilla/pom.xml
+++ b/tests/xml/vanilla/pom.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0%20https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<artifactId>spring-oauth2-tests-xml-vanilla</artifactId>
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>org.demo</groupId>
 		<artifactId>spring-oauth2-tests-xml-parent</artifactId>
-		<version>2.3.6.BUILD-SNAPSHOT</version>
+		<version>2.5.3.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<dependencies>
diff --git a/tests/xml/vanilla/src/main/resources/context.xml b/tests/xml/vanilla/src/main/resources/context.xml
index 85d971719..575adac14 100644
--- a/tests/xml/vanilla/src/main/resources/context.xml
+++ b/tests/xml/vanilla/src/main/resources/context.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20http://www.springframework.org/schema/security/spring-security-oauth2.xsd-http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2%20https://www.springframework.org/schema/security/spring-security-oauth2.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd">
 
 	<authorization-server client-details-service-ref="clientDetailsService"
 		xmlns="http://www.springframework.org/schema/security/oauth2" token-services-ref="tokenServices" >
@@ -21,11 +21,11 @@
 			authorized-grant-types="password,authorization_code,refresh_token,implicit"
 			scope="read,write,trust" resource-ids="oauth2-resource"
 			access-token-validity="60" authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT"
-			redirect-uri="http://anywhere/" />
+			redirect-uri="https://anywhere/" />
 		<oauth2:client client-id="my-client-with-registered-redirect"
 			authorized-grant-types="authorization_code" scope="read,trust"
 			resource-ids="oauth2-resource" authorities="ROLE_CLIENT"
-			redirect-uri="http://anywhere/?key=value" />
+			redirect-uri="https://anywhere/?key=value" />
 		<oauth2:client client-id="my-client-with-secret" secret="secret"
 			authorized-grant-types="password,client_credentials" scope="read"
 			resource-ids="oauth2-resource" access-token-validity="60"
diff --git a/tests/xml/vanilla/src/test/java/demo/AuthorizationCodeProviderTests.java b/tests/xml/vanilla/src/test/java/demo/AuthorizationCodeProviderTests.java
index 632098bf1..8ae483f92 100755
--- a/tests/xml/vanilla/src/test/java/demo/AuthorizationCodeProviderTests.java
+++ b/tests/xml/vanilla/src/test/java/demo/AuthorizationCodeProviderTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * 
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  * 
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
diff --git a/tests/xml/vanilla/src/test/java/demo/ProtectedResourceTests.java b/tests/xml/vanilla/src/test/java/demo/ProtectedResourceTests.java
index c752cbe12..e43d004e3 100644
--- a/tests/xml/vanilla/src/test/java/demo/ProtectedResourceTests.java
+++ b/tests/xml/vanilla/src/test/java/demo/ProtectedResourceTests.java
@@ -4,7 +4,7 @@
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the