diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..412eeda
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,22 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+# Custom for Visual Studio
+*.cs     diff=csharp
+*.sln    merge=union
+*.csproj merge=union
+*.vbproj merge=union
+*.fsproj merge=union
+*.dbproj merge=union
+
+# Standard to msysgit
+*.doc	 diff=astextplain
+*.DOC	 diff=astextplain
+*.docx diff=astextplain
+*.DOCX diff=astextplain
+*.dot  diff=astextplain
+*.DOT  diff=astextplain
+*.pdf  diff=astextplain
+*.PDF	 diff=astextplain
+*.rtf	 diff=astextplain
+*.RTF	 diff=astextplain
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..dd84ea7
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,38 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. iOS]
+ - Browser [e.g. chrome, safari]
+ - Version [e.g. 22]
+
+**Smartphone (please complete the following information):**
+ - Device: [e.g. iPhone6]
+ - OS: [e.g. iOS8.1]
+ - Browser [e.g. stock browser, safari]
+ - Version [e.g. 22]
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 0000000..bbcbbe7
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.gitignore b/.gitignore
index 1ceb81e..55805d4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,49 @@
-__pycache__
-env
-.vscode
\ No newline at end of file
+## Directory-based project format:
+.idea/
+!.idea/copyright
+!.idea/dataSources.xml
+
+## File-based project format:
+*.ipr
+*.iws
+*.iml
+
+# Output directories
+target/
+/build/
+/dist/
+bin/
+*.class
+
+# Eclipse metadata
+.metadata
+.project
+.recommenders
+.settings
+.classpath
+.loadpath
+
+# NetBeans specific
+nbproject/private/
+build/
+nbbuild/
+dist/
+nbdist/
+nbactions.xml
+nb-configuration.xml
+
+# SonarGraph metadata
+*.sonargraph
+
+# Overlays
+*overlays/
+
+# MacOS files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+_site/
diff --git a/Gemfile b/Gemfile
index 89dbd97..829a2c9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,4 +1,4 @@
 source 'https://rubygems.org' 
 group :jekyll_plugins do
     gem "github-pages"
-end
\ No newline at end of file
+end
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..8dfa293
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2011, Eric Sheridan
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/_config.yml b/_config.yml
index 5dd48ce..eb4d87f 100644
--- a/_config.yml
+++ b/_config.yml
@@ -1,3 +1,3 @@
-remote_theme: "owasp/www--site-theme"
+remote_theme: "owasp/www--site-theme@main"
 plugins:
- - jekyll-include-cache-0.2.0
\ No newline at end of file
+ - jekyll-include-cache-0.2.0
diff --git a/csrfguard-extensions/csrfguard-extension-session/pom.xml b/csrfguard-extensions/csrfguard-extension-session/pom.xml
new file mode 100644
index 0000000..ae8287f
--- /dev/null
+++ b/csrfguard-extensions/csrfguard-extension-session/pom.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ The OWASP CSRFGuard Project, BSD License
+  ~ Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+  ~ All rights reserved.
+  ~
+  ~ Redistribution and use in source and binary forms, with or without
+  ~ modification, are permitted provided that the following conditions are met:
+  ~
+  ~     1. Redistributions of source code must retain the above copyright notice,
+  ~        this list of conditions and the following disclaimer.
+  ~     2. Redistributions in binary form must reproduce the above copyright
+  ~        notice, this list of conditions and the following disclaimer in the
+  ~        documentation and/or other materials provided with the distribution.
+  ~     3. Neither the name of OWASP nor the names of its contributors may be used
+  ~        to endorse or promote products derived from this software without specific
+  ~        prior written permission.
+  ~
+  ~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+  ~ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+  ~ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+  ~ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+  ~ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+  ~ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+  ~ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+  ~ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+  ~ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+  ~ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>csrfguard-extensions</artifactId>
+        <version>4.0.2-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>csrfguard-extension-session</artifactId>
+
+    <dependencies>
+        <dependency>
+            <groupId>${project.groupId}</groupId>
+            <artifactId>csrfguard</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+        </dependency>
+    </dependencies>
+</project>
\ No newline at end of file
diff --git a/csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/CsrfGuardHttpSessionListener.java b/csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/CsrfGuardHttpSessionListener.java
new file mode 100644
index 0000000..b4b1ccd
--- /dev/null
+++ b/csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/CsrfGuardHttpSessionListener.java
@@ -0,0 +1,54 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard;
+
+import org.owasp.csrfguard.session.ContainerSession;
+import org.owasp.csrfguard.session.LogicalSession;
+
+import javax.servlet.http.HttpSession;
+import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionListener;
+
+public class CsrfGuardHttpSessionListener implements HttpSessionListener {
+
+    @Override
+    public void sessionCreated(final HttpSessionEvent event) {
+        final HttpSession session = event.getSession();
+        final LogicalSession logicalSession = new ContainerSession(session);
+        CsrfGuard.getInstance().onSessionCreated(logicalSession);
+    }
+
+    @Override
+    public void sessionDestroyed(final HttpSessionEvent event) {
+        final HttpSession session = event.getSession();
+        final LogicalSession logicalSession = new ContainerSession(session);
+        CsrfGuard.getInstance().onSessionDestroyed(logicalSession);
+    }
+}
diff --git a/csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/action/SessionAttribute.java b/csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/action/SessionAttribute.java
new file mode 100644
index 0000000..505ea60
--- /dev/null
+++ b/csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/action/SessionAttribute.java
@@ -0,0 +1,58 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.action;
+
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.CsrfGuardException;
+import org.owasp.csrfguard.config.properties.ConfigParameters;
+import org.owasp.csrfguard.session.LogicalSession;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Objects;
+
+/**
+ * Saves the thrown CsrfGuardException object after a token validation to the session, bound to the attribute name extracted from the properties file.
+ */
+public final class SessionAttribute extends AbstractAction {
+
+	private static final long serialVersionUID = 1367492926060283228L;
+
+	@Override
+	public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfe, final CsrfGuard csrfGuard) throws CsrfGuardException {
+		final String attributeName = getParameter(ConfigParameters.ACTION_ATTRIBUTE_NAME);
+
+		final LogicalSession logicalSession = CsrfGuard.getInstance().getLogicalSessionExtractor().extract(request);
+
+		if (Objects.nonNull(logicalSession)) {
+			logicalSession.setAttribute(attributeName, csrfe);
+		}
+	}
+}
diff --git a/csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/session/ContainerSession.java b/csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/session/ContainerSession.java
new file mode 100644
index 0000000..9a2c9c1
--- /dev/null
+++ b/csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/session/ContainerSession.java
@@ -0,0 +1,79 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.session;
+
+import javax.servlet.http.HttpSession;
+import java.util.Objects;
+
+public class ContainerSession implements LogicalSession {
+
+    private final HttpSession httpSession;
+    private boolean areTokensGenerated;
+
+    public ContainerSession(final HttpSession httpSession) {
+        this.httpSession = httpSession;
+    }
+
+    @Override
+    public String getKey() {
+        return this.httpSession.getId();
+    }
+
+    @Override
+    public boolean isNew() {
+        return Objects.nonNull(this.httpSession) && this.httpSession.isNew();
+    }
+
+    @Override
+    public void invalidate() {
+        if (Objects.nonNull(this.httpSession)) {
+            this.httpSession.invalidate();
+        }
+    }
+
+    @Override
+    public boolean areTokensGenerated() {
+        return this.areTokensGenerated;
+    }
+
+    @Override
+    public void setTokensGenerated(final boolean areTokensGenerated) {
+        this.areTokensGenerated = areTokensGenerated;
+    }
+
+    @Override
+    public void setAttribute(final String name, final Object value) {
+        this.httpSession.setAttribute(name, value);
+    }
+
+    @Override
+    public Object getAttribute(final String attributeName) {
+        return this.httpSession.getAttribute(attributeName);
+    }
+}
diff --git a/csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/session/SessionTokenKeyExtractor.java b/csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/session/SessionTokenKeyExtractor.java
new file mode 100644
index 0000000..cb0406c
--- /dev/null
+++ b/csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/session/SessionTokenKeyExtractor.java
@@ -0,0 +1,58 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.session;
+
+import org.owasp.csrfguard.token.storage.LogicalSessionExtractor;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import java.util.Objects;
+
+public class SessionTokenKeyExtractor implements LogicalSessionExtractor {
+
+    /**
+     * @param httpServletRequest the current HTTP servlet request
+     * @return a wrapped container session implementation if a session exists, null otherwise
+     */
+    @Override
+    public LogicalSession extract(final HttpServletRequest httpServletRequest) {
+        return extractOrCreate(httpServletRequest, false);
+    }
+
+    @Override
+    public LogicalSession extractOrCreate(final HttpServletRequest httpServletRequest) {
+        return extractOrCreate(httpServletRequest, true);
+    }
+
+    private LogicalSession extractOrCreate(final HttpServletRequest httpServletRequest, final boolean create) {
+        final HttpSession session = httpServletRequest.getSession(create);
+
+        return Objects.isNull(session) ? null : new ContainerSession(session);
+    }
+}
diff --git a/csrfguard-extensions/csrfguard-jsp-tags/pom.xml b/csrfguard-extensions/csrfguard-jsp-tags/pom.xml
new file mode 100644
index 0000000..a008379
--- /dev/null
+++ b/csrfguard-extensions/csrfguard-jsp-tags/pom.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ The OWASP CSRFGuard Project, BSD License
+  ~ Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+  ~ All rights reserved.
+  ~
+  ~ Redistribution and use in source and binary forms, with or without
+  ~ modification, are permitted provided that the following conditions are met:
+  ~
+  ~     1. Redistributions of source code must retain the above copyright notice,
+  ~        this list of conditions and the following disclaimer.
+  ~     2. Redistributions in binary form must reproduce the above copyright
+  ~        notice, this list of conditions and the following disclaimer in the
+  ~        documentation and/or other materials provided with the distribution.
+  ~     3. Neither the name of OWASP nor the names of its contributors may be used
+  ~        to endorse or promote products derived from this software without specific
+  ~        prior written permission.
+  ~
+  ~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+  ~ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+  ~ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+  ~ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+  ~ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+  ~ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+  ~ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+  ~ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+  ~ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+  ~ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>csrfguard-extensions</artifactId>
+        <version>4.0.2-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>csrfguard-jsp-tags</artifactId>
+
+    <build>
+        <resources>
+            <resource>
+                <directory>src/main/resources</directory>
+                <includes>
+                    <include>**/*.tld</include>
+                </includes>
+                <filtering>true</filtering>
+            </resource>
+        </resources>
+    </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>${project.groupId}</groupId>
+            <artifactId>csrfguard</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet.jsp</groupId>
+            <artifactId>jsp-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>jstl</artifactId>
+        </dependency>
+    </dependencies>
+</project>
\ No newline at end of file
diff --git a/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/ATag.java b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/ATag.java
new file mode 100644
index 0000000..5aff662
--- /dev/null
+++ b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/ATag.java
@@ -0,0 +1,115 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.tag;
+
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.session.LogicalSession;
+import org.owasp.csrfguard.util.BrowserEncoder;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.jsp.tagext.DynamicAttributes;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+
+public final class ATag extends AbstractUriTag implements DynamicAttributes {
+
+	private final static long serialVersionUID = 0x00202937;
+
+	private final Map<String, String> attributes = new HashMap<>();
+
+	@Override
+	public int doStartTag() {
+		final CsrfGuard csrfGuard = CsrfGuard.getInstance();
+		final String tokenName = csrfGuard.getTokenName();
+
+		final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract((HttpServletRequest) this.pageContext.getRequest());
+		final String tokenValue = Objects.nonNull(logicalSession) ? csrfGuard.getTokenService().getTokenValue(logicalSession.getKey(), buildUri(this.attributes.get("href"))) : null;
+
+		try {
+			this.pageContext.getOut().write(buildStartHtml(tokenName, tokenValue));
+		} catch (final IOException e) {
+			this.pageContext.getServletContext().log(e.getLocalizedMessage(), e);
+		}
+
+		return EVAL_BODY_INCLUDE;
+	}
+
+	@Override
+	public int doEndTag() {
+		try {
+			this.pageContext.getOut().write("</a>");
+		} catch (final IOException e) {
+			this.pageContext.getServletContext().log(e.getLocalizedMessage(), e);
+		}
+
+		return EVAL_PAGE;
+	}
+
+	@Override
+	public void setDynamicAttribute(final String arg0, final String arg1, final Object arg2) {
+		this.attributes.put(arg1.toLowerCase(), String.valueOf(arg2));
+	}
+
+	private String buildStartHtml(final String tokenName, final String tokenValue) {
+		final StringBuilder sb = new StringBuilder();
+
+		sb.append("<a ");
+
+		for (final String name : this.attributes.keySet()) {
+			final String value = this.attributes.get(name);
+
+			sb.append(BrowserEncoder.encodeForAttribute(name));
+			sb.append('=');
+			sb.append('"');
+			sb.append(BrowserEncoder.encodeForAttribute(value));
+
+			if ("href".equalsIgnoreCase(name)) {
+				if (value.indexOf('?') != -1) {
+					sb.append('&');
+				} else {
+					sb.append('?');
+				}
+
+				sb.append(tokenName);
+				sb.append('=');
+				sb.append(tokenValue);
+			}
+
+			sb.append('"');
+			sb.append(' ');
+		}
+
+		sb.append('>');
+
+		return sb.toString();
+	}
+}
diff --git a/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/AbstractTag.java b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/AbstractTag.java
new file mode 100644
index 0000000..223649f
--- /dev/null
+++ b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/AbstractTag.java
@@ -0,0 +1,61 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.tag;
+
+import org.owasp.csrfguard.CsrfValidator;
+import org.owasp.csrfguard.ProtectionResult;
+
+import javax.servlet.jsp.tagext.TagSupport;
+
+public abstract class AbstractTag extends TagSupport {
+
+	private final static long serialVersionUID = 0xadede854;
+
+	public String buildUri(final String uri) {
+		return calculateExtendedPageDescriptorUri(normalizeUri(uri));
+	}
+
+	/**
+	 * @param normalizedUri the current normalizedUri
+	 * @return if the protected/un-protected page descriptors were defined using wildcards or regexes, this method
+	 * will return the extended page descriptor definition of the normalizedUri, otherwise returns itself
+	 */
+	private String calculateExtendedPageDescriptorUri(final String normalizedUri) {
+		final ProtectionResult protectionResult = new CsrfValidator().isProtectedPage(normalizedUri);
+
+		return protectionResult.isProtected() ? protectionResult.getResourceIdentifier()
+											  : normalizedUri;
+	}
+
+	private String normalizeUri(final String uri) {
+		return uri.startsWith("/") ? uri
+								   : this.pageContext.getServletContext().getContextPath() + '/' + uri;
+	}
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/tag/AbstractUriTag.java b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/AbstractUriTag.java
similarity index 63%
rename from csrfguard/src/main/java/org/owasp/csrfguard/tag/AbstractUriTag.java
rename to csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/AbstractUriTag.java
index 6c9feb2..296e06c 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/tag/AbstractUriTag.java
+++ b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/AbstractUriTag.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,6 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.tag;
 
 public abstract class AbstractUriTag extends AbstractTag {
@@ -35,11 +36,10 @@ public abstract class AbstractUriTag extends AbstractTag {
 	private String uri = null;
 
 	public String getUri() {
-		return uri;
+		return this.uri;
 	}
 
-	public void setUri(String uri) {
+	public void setUri(final String uri) {
 		this.uri = buildUri(uri);
 	}
-	
 }
diff --git a/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/FormTag.java b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/FormTag.java
new file mode 100644
index 0000000..99aa781
--- /dev/null
+++ b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/FormTag.java
@@ -0,0 +1,110 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.tag;
+
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.session.LogicalSession;
+import org.owasp.csrfguard.util.BrowserEncoder;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.jsp.JspException;
+import javax.servlet.jsp.tagext.DynamicAttributes;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+
+public final class FormTag extends AbstractUriTag implements DynamicAttributes {
+
+	private final static long serialVersionUID = 0xbefee742;
+	
+	private final Map<String, String> attributes = new HashMap<>();
+
+	@Override
+	public int doStartTag() {
+		final CsrfGuard csrfGuard = CsrfGuard.getInstance();
+		final String tokenName = csrfGuard.getTokenName();
+
+		final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract((HttpServletRequest) this.pageContext.getRequest());
+		final String tokenValue = Objects.nonNull(logicalSession) ? csrfGuard.getTokenService().getTokenValue(logicalSession.getKey(), buildUri(this.attributes.get("action"))) : null;
+
+		try {
+			this.pageContext.getOut().write(buildStartHtml(tokenName, tokenValue));
+		} catch (final IOException e) {
+			this.pageContext.getServletContext().log(e.getLocalizedMessage(), e);
+		}
+
+		return EVAL_BODY_INCLUDE;
+	}
+
+	@Override
+	public int doEndTag() {
+		try {
+			this.pageContext.getOut().write("</form>");
+		} catch (final IOException e) {
+			this.pageContext.getServletContext().log(e.getLocalizedMessage(), e);
+		}
+
+		return EVAL_PAGE;
+	}
+
+	@Override
+	public void setDynamicAttribute(final String arg0, final String arg1, final Object arg2) throws JspException {
+		this.attributes.put(arg1.toLowerCase(), String.valueOf(arg2));
+	}
+
+	private String buildStartHtml(final String tokenName, final String tokenValue) {
+		final StringBuilder sb = new StringBuilder();
+
+		sb.append("<form ");
+
+		for (final String name : this.attributes.keySet()) {
+			final String value = this.attributes.get(name);
+
+			sb.append(BrowserEncoder.encodeForAttribute(name));
+			sb.append('=');
+			sb.append('"');
+			sb.append(BrowserEncoder.encodeForAttribute(value));
+
+			sb.append('"');
+			sb.append(' ');
+		}
+
+		sb.append('>');
+		sb.append("<input type=\"hidden\" name=\"");
+		sb.append(tokenName);
+		sb.append("\" value=\"");
+		sb.append(tokenValue);
+		sb.append("\"");
+		sb.append("/>");
+
+		return sb.toString();
+	}
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/tag/TokenNameTag.java b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/TokenNameTag.java
similarity index 53%
rename from csrfguard/src/main/java/org/owasp/csrfguard/tag/TokenNameTag.java
rename to csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/TokenNameTag.java
index 2fbae53..53519a8 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/tag/TokenNameTag.java
+++ b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/TokenNameTag.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,12 +26,13 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.tag;
 
-import java.io.*;
-import javax.servlet.jsp.tagext.*;
+import org.owasp.csrfguard.CsrfGuard;
 
-import org.owasp.csrfguard.*;
+import javax.servlet.jsp.tagext.TagSupport;
+import java.io.IOException;
 
 public final class TokenNameTag extends TagSupport {
 
@@ -39,15 +40,16 @@ public final class TokenNameTag extends TagSupport {
 
 	@Override
 	public int doStartTag() {
-		String tokenName = CsrfGuard.getInstance().getTokenName();
+		final CsrfGuard csrfGuard = CsrfGuard.getInstance();
 
-		try {
-			pageContext.getOut().write(tokenName);
-		} catch (IOException e) {
-			pageContext.getServletContext().log(e.getLocalizedMessage(), e);
+		if (csrfGuard.isEnabled()) {
+			try {
+				final String tokenName = csrfGuard.getTokenName();
+				this.pageContext.getOut().write(tokenName);
+			} catch (final IOException e) {
+				this.pageContext.getServletContext().log(e.getLocalizedMessage(), e);
+			}
 		}
-
 		return SKIP_BODY;
 	}
-	
 }
diff --git a/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/TokenTag.java b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/TokenTag.java
new file mode 100644
index 0000000..b74fe0a
--- /dev/null
+++ b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/TokenTag.java
@@ -0,0 +1,65 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.tag;
+
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.session.LogicalSession;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.util.Objects;
+
+public final class TokenTag extends AbstractUriTag {
+
+	private final static long serialVersionUID = 0x12164baa;
+
+	@Override
+	public int doStartTag() {
+		final CsrfGuard csrfGuard = CsrfGuard.getInstance();
+
+		if (csrfGuard.isEnabled()) {
+			if (csrfGuard.isTokenPerPageEnabled() && Objects.isNull(getUri())) {
+				throw new IllegalStateException("Must define 'uri' attribute when token per page is enabled");
+			}
+
+			final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract((HttpServletRequest) this.pageContext.getRequest());
+			final String tokenValue = Objects.nonNull(logicalSession) ? csrfGuard.getTokenService().getTokenValue(logicalSession.getKey(), getUri()) : null;
+			final String tokenName = csrfGuard.getTokenName();
+
+			try {
+				this.pageContext.getOut().write(tokenName + '=' + tokenValue);
+			} catch (final IOException e) {
+				this.pageContext.getServletContext().log(e.getLocalizedMessage(), e);
+			}
+		}
+
+		return SKIP_BODY;
+	}
+}
diff --git a/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/TokenValueTag.java b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/TokenValueTag.java
new file mode 100644
index 0000000..dd1e9bf
--- /dev/null
+++ b/csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/TokenValueTag.java
@@ -0,0 +1,64 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.tag;
+
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.session.LogicalSession;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.util.Objects;
+
+public final class TokenValueTag extends AbstractUriTag {
+
+	private final static long serialVersionUID = 0xaaca46d3;
+
+	@Override
+	public int doStartTag() {
+		final CsrfGuard csrfGuard = CsrfGuard.getInstance();
+
+		if (csrfGuard.isEnabled()) {
+			if (csrfGuard.isTokenPerPageEnabled() && Objects.isNull(getUri())) {
+				throw new IllegalStateException("Must define 'uri' attribute when token per page is enabled");
+			}
+
+			final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract((HttpServletRequest) this.pageContext.getRequest());
+			final String tokenValue = Objects.nonNull(logicalSession) ? csrfGuard.getTokenService().getTokenValue(logicalSession.getKey(), getUri()) : null;
+
+			try {
+				this.pageContext.getOut().write(tokenValue);
+			} catch (final IOException e) {
+				this.pageContext.getServletContext().log(e.getLocalizedMessage(), e);
+			}
+		}
+
+		return SKIP_BODY;
+	}
+}
diff --git a/csrfguard-extensions/csrfguard-jsp-tags/src/main/resources/META-INF/tags/csrfguard.tld b/csrfguard-extensions/csrfguard-jsp-tags/src/main/resources/META-INF/tags/csrfguard.tld
new file mode 100644
index 0000000..42b9420
--- /dev/null
+++ b/csrfguard-extensions/csrfguard-jsp-tags/src/main/resources/META-INF/tags/csrfguard.tld
@@ -0,0 +1,70 @@
+<?xml version="1.0"?>
+<!--
+  ~ The OWASP CSRFGuard Project, BSD License
+  ~ Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+  ~ All rights reserved.
+  ~
+  ~ Redistribution and use in source and binary forms, with or without
+  ~ modification, are permitted provided that the following conditions are met:
+  ~
+  ~     1. Redistributions of source code must retain the above copyright notice,
+  ~        this list of conditions and the following disclaimer.
+  ~     2. Redistributions in binary form must reproduce the above copyright
+  ~        notice, this list of conditions and the following disclaimer in the
+  ~        documentation and/or other materials provided with the distribution.
+  ~     3. Neither the name of OWASP nor the names of its contributors may be used
+  ~        to endorse or promote products derived from this software without specific
+  ~        prior written permission.
+  ~
+  ~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+  ~ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+  ~ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+  ~ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+  ~ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+  ~ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+  ~ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+  ~ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+  ~ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+  ~ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  -->
+<taglib xmlns="http://java.sun.com/xml/ns/j2ee" version="${jsp-api.version}">
+	<tlib-version>${jstl.version}</tlib-version>
+	<jsp-version>${jsp-api.version}</jsp-version>
+	<short-name>Owasp CsrfGuard Tag Library</short-name>
+	<uri>http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld</uri>
+	<tag>
+		<name>token</name>
+		<tag-class>org.owasp.csrfguard.tag.TokenTag</tag-class>
+		<body-content>empty</body-content>
+		<attribute>
+			<name>uri</name>
+			<required>false</required>
+			<rtexprvalue>true</rtexprvalue>
+		</attribute>
+	</tag>
+	<tag>
+		<name>tokenname</name>
+		<tag-class>org.owasp.csrfguard.tag.TokenNameTag</tag-class>
+		<body-content>empty</body-content>
+	</tag>
+	<tag>
+		<name>tokenvalue</name>
+		<tag-class>org.owasp.csrfguard.tag.TokenValueTag</tag-class>
+		<body-content>empty</body-content>
+		<attribute>
+			<name>uri</name>
+			<required>false</required>
+			<rtexprvalue>true</rtexprvalue>
+		</attribute>
+	</tag>
+	<tag>
+		<name>a</name>
+		<tag-class>org.owasp.csrfguard.tag.ATag</tag-class>
+		<dynamic-attributes>true</dynamic-attributes>
+	</tag>
+	<tag>
+		<name>form</name>
+		<tag-class>org.owasp.csrfguard.tag.FormTag</tag-class>
+		<dynamic-attributes>true</dynamic-attributes>
+	</tag>
+</taglib>
diff --git a/csrfguard-extensions/pom.xml b/csrfguard-extensions/pom.xml
new file mode 100644
index 0000000..203c2b7
--- /dev/null
+++ b/csrfguard-extensions/pom.xml
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ The OWASP CSRFGuard Project, BSD License
+  ~ Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+  ~ All rights reserved.
+  ~
+  ~ Redistribution and use in source and binary forms, with or without
+  ~ modification, are permitted provided that the following conditions are met:
+  ~
+  ~     1. Redistributions of source code must retain the above copyright notice,
+  ~        this list of conditions and the following disclaimer.
+  ~     2. Redistributions in binary form must reproduce the above copyright
+  ~        notice, this list of conditions and the following disclaimer in the
+  ~        documentation and/or other materials provided with the distribution.
+  ~     3. Neither the name of OWASP nor the names of its contributors may be used
+  ~        to endorse or promote products derived from this software without specific
+  ~        prior written permission.
+  ~
+  ~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+  ~ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+  ~ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+  ~ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+  ~ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+  ~ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+  ~ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+  ~ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+  ~ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+  ~ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>csrfguard-parent</artifactId>
+        <version>4.0.2-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>csrfguard-extensions</artifactId>
+    <packaging>pom</packaging>
+
+    <modules>
+        <module>csrfguard-extension-session</module>
+        <module>csrfguard-jsp-tags</module>
+    </modules>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>csrfguard</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-source-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+</project>
diff --git a/csrfguard-test/csrfguard-test-jsp/pom.xml b/csrfguard-test/csrfguard-test-jsp/pom.xml
new file mode 100644
index 0000000..1b8b14f
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/pom.xml
@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ The OWASP CSRFGuard Project, BSD License
+  ~ Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+  ~ All rights reserved.
+  ~
+  ~ Redistribution and use in source and binary forms, with or without
+  ~ modification, are permitted provided that the following conditions are met:
+  ~
+  ~     1. Redistributions of source code must retain the above copyright notice,
+  ~        this list of conditions and the following disclaimer.
+  ~     2. Redistributions in binary form must reproduce the above copyright
+  ~        notice, this list of conditions and the following disclaimer in the
+  ~        documentation and/or other materials provided with the distribution.
+  ~     3. Neither the name of OWASP nor the names of its contributors may be used
+  ~        to endorse or promote products derived from this software without specific
+  ~        prior written permission.
+  ~
+  ~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+  ~ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+  ~ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+  ~ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+  ~ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+  ~ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+  ~ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+  ~ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+  ~ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+  ~ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>csrfguard-test</artifactId>
+        <version>4.0.2-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>csrfguard-test-jsp</artifactId>
+    <packaging>war</packaging>
+
+    <name>OWASP CSRFGuard JSP Test WebApp</name>
+
+    <properties>
+        <tomcat7-maven-plugin.version>2.1</tomcat7-maven-plugin.version>
+        <skip.run.webapp>true</skip.run.webapp>
+        <skip.create.executable.jar>true</skip.create.executable.jar>
+    </properties>
+
+    <profiles>
+        <profile>
+            <id>deploy-jsp-webapp</id>
+            <properties>
+                <skip.run.webapp>false</skip.run.webapp>
+            </properties>
+        </profile>
+    </profiles>
+
+    <dependencies>
+        <dependency>
+            <groupId>${project.groupId}</groupId>
+            <artifactId>csrfguard</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>${project.groupId}</groupId>
+            <artifactId>csrfguard-extension-session</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>${project.groupId}</groupId>
+            <artifactId>csrfguard-jsp-tags</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet.jsp</groupId>
+            <artifactId>jsp-api</artifactId>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.tomcat.maven</groupId>
+                <artifactId>tomcat7-maven-plugin</artifactId>
+                <version>${tomcat7-maven-plugin.version}</version>
+                <configuration>
+                    <path>/</path>
+                    <port>8080</port>
+                    <skip>${skip.run.webapp}</skip>
+                </configuration>
+                <executions>
+                    <execution> <!--Create executable JAR with embedded Tomcat-->
+                        <id>create-executable-jar</id>
+                        <goals>
+                            <goal>exec-war-only</goal>
+                        </goals>
+                        <phase>package</phase>
+                        <configuration>
+                            <enableNaming>false</enableNaming>
+                            <finalName>${project.artifactId}-${project.version}-executable.jar</finalName>
+                            <skip>${skip.create.executable.jar}</skip>
+                            <charset>utf-8</charset>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>deploy-jsp-war</id>
+                        <phase>pre-integration-test</phase>
+                        <goals>
+                            <goal>run-war</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>shutdown-tomcat</id>
+                        <phase>post-integration-test</phase>
+                        <goals>
+                            <goal>shutdown</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/tag/TokenValueTag.java b/csrfguard-test/csrfguard-test-jsp/src/main/java/org/owasp/csrfguard/test/CORSFilter.java
similarity index 52%
rename from csrfguard/src/main/java/org/owasp/csrfguard/tag/TokenValueTag.java
rename to csrfguard-test/csrfguard-test-jsp/src/main/java/org/owasp/csrfguard/test/CORSFilter.java
index 89a42d1..fd49c2c 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/tag/TokenValueTag.java
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/java/org/owasp/csrfguard/test/CORSFilter.java
@@ -1,8 +1,8 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
@@ -26,35 +26,43 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-package org.owasp.csrfguard.tag;
-
-import java.io.*;
+package org.owasp.csrfguard.test;
 
-import javax.servlet.http.*;
+import org.owasp.csrfguard.CsrfGuard;
 
-import org.owasp.csrfguard.*;
+import javax.servlet.*;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 
-public final class TokenValueTag extends AbstractUriTag {
+/**
+ * Enables Cross-Origin Resource Sharing
+ * Only for testing purposes.
+ * Disabled by default through the web.xml
+ */
+public class CORSFilter implements Filter {
 
-	private final static long serialVersionUID = 0xaaca46d3;
+    @Override
+    public void init(FilterConfig filterConfig) {}
 
-	@Override
-	public int doStartTag() {
-		CsrfGuard csrfGuard = CsrfGuard.getInstance();
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        {
+            HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
+            httpResponse.addHeader("Access-Control-Allow-Origin", "*");
 
-		if (csrfGuard.isTokenPerPageEnabled() && getUri() == null) {
-			throw new IllegalStateException("must define 'uri' attribute when token per page is enabled");
-		}
+//        httpResponse.addHeader("Access-Control-Allow-Headers", "*");
+            httpResponse.addHeader("Access-Control-Allow-Headers", String.join(",", CsrfGuard.getInstance().getTokenName(),
+                                                                               "X-Requested-With"));
+        }
 
-		String tokenValue = csrfGuard.getTokenValue((HttpServletRequest) pageContext.getRequest(), getUri());
+        { // Access-Control-Allow-Credentials cannot be set to true if the Access-Control-Allow-Origin is "*"
+//        httpResponse.addHeader("Access-Control-Allow-Origin", "http://attacker.local:8080");  // sudo echo "127.0.0.1 attacker.local" >> /etc/hosts
+//        httpResponse.addHeader("Access-Control-Allow-Credentials", Boolean.toString(true));
+        }
 
-		try {
-			pageContext.getOut().write(tokenValue);
-		} catch (IOException e) {
-			pageContext.getServletContext().log(e.getLocalizedMessage(), e);
-		}
+        filterChain.doFilter(servletRequest, servletResponse);
+    }
 
-		return SKIP_BODY;
-	}
-	
+    @Override
+    public void destroy() {}
 }
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/java/org/owasp/csrfguard/test/CounterServlet.java b/csrfguard-test/csrfguard-test-jsp/src/main/java/org/owasp/csrfguard/test/CounterServlet.java
new file mode 100644
index 0000000..ffe14e3
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/java/org/owasp/csrfguard/test/CounterServlet.java
@@ -0,0 +1,98 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *    3. Neither the name of OWASP nor the names of its contributors may be used
+ *       to endorse or promote products derived from this software without specific
+ *       prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.test;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+
+/**
+ * Servlet implementation class HelloServlet
+ */
+public class CounterServlet extends HttpServlet {
+    private static final long serialVersionUID = 1L;
+
+	private static final ConcurrentMap<String, Integer> COUNTER = new ConcurrentHashMap<>();
+
+    private static final String COUNTER_VALUE_MESSAGE = "Counter value: ";
+    public static final String INPUT_PARAMETER_NAME = "value";
+    public static final String NO_SESSION_MESSAGE = "The request did not contain an associated session!";
+
+    /**
+     * Default constructor.
+     */
+    public CounterServlet() {}
+
+    /**
+     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
+     */
+    @Override
+    protected void doGet(final HttpServletRequest request, final HttpServletResponse response) throws IOException {
+        final HttpSession session = request.getSession(false);
+        if (Objects.nonNull(session)) {
+            respond(response, COUNTER.compute(session.getId(), (k, v) -> Optional.ofNullable(v).orElse(0)));
+        } else {
+            System.err.println(NO_SESSION_MESSAGE);
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+        }
+    }
+
+    /**
+     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
+     */
+    @Override
+    protected void doPost(final HttpServletRequest request, final HttpServletResponse response) {
+        final HttpSession session = request.getSession(false);
+        if (Objects.nonNull(session)) {
+            final String inputValue = request.getParameter(INPUT_PARAMETER_NAME);
+
+            try {
+                final int valueToIncreaseBy = Integer.parseInt(inputValue);
+                respond(response, COUNTER.compute(session.getId(), (k, v) -> Objects.isNull(v) ? valueToIncreaseBy : v + valueToIncreaseBy));
+            } catch (Exception ignored) {}
+        } else {
+            System.err.println(NO_SESSION_MESSAGE);
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+        }
+    }
+
+    private void respond(HttpServletResponse response, int value) throws IOException {
+        response.setContentType("text/plain");
+        final PrintWriter writer = new PrintWriter(response.getOutputStream());
+        writer.println(COUNTER_VALUE_MESSAGE + value);
+        writer.close();
+    }
+}
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.overlay.properties b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.overlay.properties
new file mode 100644
index 0000000..65a9439
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.overlay.properties
@@ -0,0 +1,75 @@
+######################################################################################
+# The OWASP CSRFGuard Project, BSD License
+# Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+#   1. Redistributions of source code must retain the above copyright notice,
+#      this list of conditions and the following disclaimer.
+#   2. Redistributions in binary form must reproduce the above copyright
+#      notice, this list of conditions and the following disclaimer in the
+#      documentation and/or other materials provided with the distribution.
+#   3. Neither the name of OWASP nor the names of its contributors may be used
+#      to endorse or promote products derived from this software without specific
+#      prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+######################################################################################
+
+org.owasp.csrfguard.configuration.provider.factory=org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory
+
+org.owasp.csrfguard.JavascriptServlet.refererPattern = http://localhost:80.*
+
+org.owasp.csrfguard.TokenPerPagePrecreate = true
+
+org.owasp.csrfguard.Rotate = true
+org.owasp.csrfguard.Ajax = true
+org.owasp.csrfguard.TokenPerPage = true
+org.owasp.csrfguard.JavascriptServlet.injectIntoDynamicNodes = true
+
+# Note: it is only enabled for the demo application, for testing purposes.
+org.owasp.csrfguard.forceSynchronousAjax = true
+
+################################################################################
+#### Scenario: everything is protected, except the resources enlisted below ####
+################################################################################
+# org.owasp.csrfguard.Protect = false
+
+org.owasp.csrfguard.unprotected.Default=%servletContext%/
+org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
+org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
+org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
+org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
+org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
+org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.html
+org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
+org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
+org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
+org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
+org.owasp.csrfguard.unprotected.Favicon=%servletContext%/favicon.ico
+org.owasp.csrfguard.unprotected.ExtensionTest=*.txt
+org.owasp.csrfguard.unprotected.WildcardTest=%servletContext%/wildcardtest/*
+org.owasp.csrfguard.unprotected.InDepthTxt=^%servletContext%/regextest/.*/.*\\.txt$
+org.owasp.csrfguard.unprotected.Unprotected=^%servletContext%/.*unprotected\\..*$
+
+##################################################################################
+#### Scenario: everything is unprotected, except the resources enlisted below ####
+##################################################################################
+org.owasp.csrfguard.Protect = true
+org.owasp.csrfguard.protected.Protect=^.*/protect\\..*$
+org.owasp.csrfguard.protected.Protected=^.*/protected\\..*$
+org.owasp.csrfguard.protected.WildcardTest=%servletContext%/wildcardtest/*
+org.owasp.csrfguard.protected.CounterServlet=%servletContext%/counter/*
+org.owasp.csrfguard.protected.OwaspLogo=owasp_logo.png
+################################################################################
\ No newline at end of file
diff --git a/csrfguard-test/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.properties b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.properties
similarity index 55%
rename from csrfguard-test/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.properties
rename to csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.properties
index 9cf4957..d5849ec 100644
--- a/csrfguard-test/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.properties
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.properties
@@ -1,18 +1,19 @@
+######################################################################################
 # The OWASP CSRFGuard Project, BSD License
-# Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+# Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
-# 1. Redistributions of source code must retain the above copyright notice,
-#    this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in the
-#    documentation and/or other materials provided with the distribution.
-# 3. Neither the name of OWASP nor the names of its contributors may be used
-#    to endorse or promote products derived from this software without specific
-#    prior written permission.
+#   1. Redistributions of source code must retain the above copyright notice,
+#      this list of conditions and the following disclaimer.
+#   2. Redistributions in binary form must reproduce the above copyright
+#      notice, this list of conditions and the following disclaimer in the
+#      documentation and/or other materials provided with the distribution.
+#   3. Neither the name of OWASP nor the names of its contributors may be used
+#      to endorse or promote products derived from this software without specific
+#      prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -24,17 +25,19 @@
 # ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties
-
-# Common substitutions
-# %servletContext%  is the servlet context (e.g. the configured app prefix or war file name, or blank.
-# e.g. if you deploy a default warfile as someApp.war, then %servletContext% will be /someApp
-# if there isnt a context it will be the empty string.  So to use this in the configuration, use e.g. %servletContext%/something.html
+######################################################################################
+
+##########################
+## Common substitutions ##
+##########################
+# %servletContext% is the servlet context (e.g. the configured app prefix or war file name, or blank.
+# e.g. if you deploy a default war file as someApp.war, then %servletContext% will be /someApp
+# if there isn't a context it will be the empty string. So to use this in the configuration, use e.g. %servletContext%/something.html
 # which will translate to e.g. /someApp/something.html
 
-# Logger
-#
+############
+## Logger ##
+############
 # The logger property (org.owasp.csrfguard.Logger) defines the qualified class name of 
 # the object responsible for processing all log messages produced by CSRFGuard. The default
 # CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class logs all messages
@@ -44,28 +47,28 @@
 # logger's qualified class name. The following configuration snippet instructs OWASP CSRFGuard
 # to capture all log messages to the console:
 #
-# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
-org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
+# org.owasp.csrfguard.Logger = org.owasp.csrfguard.log.ConsoleLogger
+org.owasp.csrfguard.Logger = org.owasp.csrfguard.log.JavaLogger
 
-# Which configuration provider factory you want to use.  The default is org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
+# Which configuration provider factory you want to use. The default is org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
 # Another configuration provider has more features including config overlays: org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory
 # The default configuration provider is: org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
 # which will look for an overlay file, it is there, and the factory inside that file is set it will use it, otherwise will be PropertiesConfigurationProviderFactory
 # it needs to implement org.owasp.csrfguard.config.ConfigurationProviderFactory
 org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
 
-
-# If csrfguard filter is enabled
+# If CSRFGuard filter is enabled
 org.owasp.csrfguard.Enabled = true
 
 # If csrf guard filter should check even if there is no session for the user
 # Note: this changed around 2014/04, the default behavior used to be to 
-# not check if there is no session.  If you want the legacy behavior (if your app
+# not check if there is no session. If you want the legacy behavior (if your app
 # is not susceptible to CSRF if the user has no session), set this to false
 org.owasp.csrfguard.ValidateWhenNoSessionExists = true
 
-# New Token Landing Page
-#
+############################
+## New Token Landing Page ##
+############################
 # The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage) defines where
 # to send a user if the token is being generated for the first time, and the use new token landing
 # page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage) determines if any redirect happens.
@@ -78,11 +81,11 @@ org.owasp.csrfguard.ValidateWhenNoSessionExists = true
 # redirect the user to %servletContext%/index.html when the user visits a protected resource
 # without having a corresponding CSRF token present in the HttpSession object:
 #
-# org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/index.html
-
+# org.owasp.csrfguard.NewTokenLandingPage = %servletContext%/index.html
 
-# Protected Methods
-#
+#######################
+## Protected Methods ##
+#######################
 # The protected methods property (org.owasp.csrfguard.ProtectedMethods) defines a comma
 # separated list of HTTP request methods that should be protected by CSRFGuard. The default
 # list is an empty list which will cause all HTTP methods to be protected, thus preserving
@@ -97,14 +100,15 @@ org.owasp.csrfguard.ValidateWhenNoSessionExists = true
 # The following configuration snippet instructs OWASP CSRFGuard to protect only the POST,
 # PUT, and DELETE HTTP methods.
 #
-# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
-
-# or you can configure all to be protected, and specify which is unprotected.  This is the preferred approach
-
-# org.owasp.csrfguard.UnprotectedMethods=GET
-
-# Unique Per-Page Tokens
+# org.owasp.csrfguard.ProtectedMethods = POST,PUT,DELETE
 #
+# or you can configure all to be protected, and specify which is unprotected. This is the preferred approach
+#
+# org.owasp.csrfguard.UnprotectedMethods = GET
+
+############################
+## Unique Per-Page Tokens ##
+############################
 # The unique token per-page property (org.owasp.csrfguard.TokenPerPage) is a boolean value that
 # determines if CSRFGuard should make use of unique per-page (i.e. URI) prevention tokens as
 # opposed to unique per-session prevention tokens. When a user requests a protected resource,
@@ -116,10 +120,17 @@ org.owasp.csrfguard.ValidateWhenNoSessionExists = true
 # the first time. All subsequent requests must have the per-page token intact or the request will
 # be treated as a CSRF attack. This behavior can be changed with the org.owasp.csrfguard.TokenPerPagePrecreate
 # property. Enabling this property will make CSRFGuard calculate the per page token prior to a first
-# visit. This option only works with JSTL token injection and is useful for preserving the validity of
-# links if the user pushes the back button. There may be a performance impact when enabling this option
-# if the .jsp has a large number of proctected links that need tokens to be calculated.
-# Use of the unique token per page property is currently experimental
+# visit.
+#
+# This option ONLY WORKS WITH JSTL token injection and is useful for preserving the validity of
+# links if the user pushes the BACK button. There may be a performance impact when enabling this option
+# if the JSP has a large number of protected links that need tokens to be calculated.
+#
+# Note: Pre-creating tokens is only available with the session bound token holder implementation,
+# because in case for stateless or custom state implementations, client could would need
+# to signal when it's ok to pre-create the tokens and this would affect the modularity/pluggability of the solution.
+#
+# Use of the unique token per page property is currently EXPERIMENTAL,
 # but provides a significant amount of improved security. Consider the exposure of a CSRF token using
 # the legacy unique per-session model. Exposure of this token facilitates the attacker's ability to
 # carry out a CSRF attack against the victim's active session for any resource exposed by the web
@@ -129,14 +140,12 @@ org.owasp.csrfguard.ValidateWhenNoSessionExists = true
 # unique token per-page property is a strong defense in depth strategy significantly reducing the
 # impact of exposed CSRF prevention tokens. The following configuration snippet instructs OWASP
 # CSRFGuard to utilize the unique token per-page model:
-#
-# org.owasp.csrfguard.TokenPerPage=true
-# org.owasp.csrfguard.TokenPerPagePrecreate=false
-org.owasp.csrfguard.TokenPerPage=true
-org.owasp.csrfguard.TokenPerPagePrecreate=true
+org.owasp.csrfguard.TokenPerPage = true
+org.owasp.csrfguard.TokenPerPagePrecreate = false
 
-# Token Rotation
-#
+####################
+## Token Rotation ##
+####################
 # The rotate token property (org.owasp.csrfguard.Rotate) is a boolean value that determines if
 # CSRFGuard should generate and utilize a new token after verifying the previous token. Rotation
 # helps minimize the window of opportunity an attacker has to leverage the victim's stolen token
@@ -146,13 +155,20 @@ org.owasp.csrfguard.TokenPerPagePrecreate=true
 # an old token causing CSRFGuard to incorrectly believe this request is a CSRF attack in progress
 # (i.e. a 'false positive'). Users can prevent this scenario by preventing the caching of HTML pages
 # containing FORM submissions using the cache-control header. However, this may also introduce
-# performance problems as the browser will have to request HTML on a more frequent basis. The following
-# configuration snippet enables token rotation:
+# performance problems as the browser will have to request HTML on a more frequent basis.
 #
-# org.owasp.csrfguard.Rotate=true
-
-# Ajax and XMLHttpRequest Support
+# Note: Rotation in case of AJAX requests is not supported currently because of possible race conditions.
+# A Single Page Application can fire multiple simultaneous requests. If rotation is enabled for AJAX requests,
+# the first request could trigger a token change before the validation of the same token within the second request,
+# causing false-positive CSRF intrusion exceptions.
+#
+# The following configuration snippet enables token rotation:
 #
+# org.owasp.csrfguard.Rotate = true
+
+#####################################
+## Ajax and XMLHttpRequest Support ##
+#####################################
 # The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that indicates whether or not OWASP
 # CSRFGuard should support the injection and verification of unique per-session prevention tokens for
 # XMLHttpRequests. To leverage Ajax support, the user must not only set this property to true but must
@@ -169,22 +185,27 @@ org.owasp.csrfguard.TokenPerPagePrecreate=true
 # the corresponding X-Requested-With and custom headers are embedded within the request. The following
 # configuration snippet instructs OWASP CSRFGuard to support Ajax requests by verifying the presence and
 # correctness of the X-Requested-With and custom headers:
-#
-# org.owasp.csrfguard.Ajax=true
-org.owasp.csrfguard.Ajax=true
+org.owasp.csrfguard.Ajax = true
 
+#######################
+## Protecting Pages  ##
+#######################
 # The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.
 # If the Protect property is enabled, this behavior is reversed. Pages must be marked as protected to be protected.
 # All other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*),
 # but you only want to protect a few pages.
 #
-# org.owasp.csrfguard.Protect=false
-org.owasp.csrfguard.protected.Protected=/protect.html
-org.owasp.csrfguard.protected.Test=/test.html
-org.owasp.csrfguard.protected.Forward=/forward.jsp
-
-# Unprotected Pages:
+# org.owasp.csrfguard.Protect = true
 #
+# Defining pages to protect explicitly:
+#
+# org.owasp.csrfguard.protected.Protected = /protect.html
+# org.owasp.csrfguard.protected.Test = /test.html
+# org.owasp.csrfguard.protected.Forward = /forward.jsp
+
+#######################
+## Unprotected Pages ##
+#######################
 # The unprotected pages property (org.owasp.csrfguard.unprotected.*) defines a series of pages that
 # should not be protected by CSRFGuard. Such configurations are useful when the CsrfGuardFilter is
 # aggressively mapped (ex: /*). The syntax of the property name is org.owasp.csrfguard.unprotected.[PageName],
@@ -196,8 +217,8 @@ org.owasp.csrfguard.protected.Forward=/forward.jsp
 # Case 1: exact match between request uri and unprotected page
 # Case 2: longest path prefix match, beginning / and ending /*
 # Case 3: extension match, beginning *.
-# Case 4: if the value starts with ^ and ends with $, it will be evaulated as a regex.  Note that before the
-#   regex is compiled, any common variables will be substituted (e.g. %servletContext%)
+# Case 4: if the value starts with ^ and ends with $, it will be evaluated as a regex.
+#   Note that before the regex is compiled, any common variables will be substituted (e.g. %servletContext%)
 # Default: requested resource must be validated by CSRFGuard
 #
 # The following code snippet illustrates the four use cases over four examples. The first two examples
@@ -205,27 +226,29 @@ org.owasp.csrfguard.protected.Forward=/forward.jsp
 # ending in a .html extension. The next example (Public) looks for all resources prefixed with the URI path /MySite/Public/*.
 # The last example looks for resources that end in Public.do
 #
-# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
-# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
-# org.owasp.csrfguard.unprotected.Html=*.html
-# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
-# regex example starts with ^ and ends with $, and the %servletContext% is evaluated before the regex
-# org.owasp.csrfguard.unprotected.PublicServlet=^%servletContext%/.*Public\.do$
-
-#org.owasp.csrfguard.unprotected.Default=%servletContext%/
-#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
-#org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
-#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
-#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
-#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
-#org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.html
-#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
-#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
-#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
-#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
-
-# Actions: Responding to Attacks
-#
+# org.owasp.csrfguard.unprotected.Tag = %servletContext%/tag.jsp
+# org.owasp.csrfguard.unprotected.JavaScriptServlet = %servletContext%/JavaScriptServlet
+# org.owasp.csrfguard.unprotected.Html = *.html
+# org.owasp.csrfguard.unprotected.Public = %servletContext%/Public/*
+#
+# Regex example starts with ^ and ends with $, and the %servletContext% is evaluated before the regex:
+# org.owasp.csrfguard.unprotected.PublicServlet = ^%servletContext%/.*Public\.do$
+
+# org.owasp.csrfguard.unprotected.Default = %servletContext%/
+# org.owasp.csrfguard.unprotected.Upload = %servletContext%/upload.html
+# org.owasp.csrfguard.unprotected.JavaScriptServlet = %servletContext%/JavaScriptServlet
+# org.owasp.csrfguard.unprotected.Ajax = %servletContext%/ajax.html
+# org.owasp.csrfguard.unprotected.Error = %servletContext%/error.html
+# org.owasp.csrfguard.unprotected.Index = %servletContext%/index.html
+# org.owasp.csrfguard.unprotected.JavaScript = %servletContext%/javascript.html
+# org.owasp.csrfguard.unprotected.Tag = %servletContext%/tag.jsp
+# org.owasp.csrfguard.unprotected.Redirect = %servletContext%/redirect.jsp
+# org.owasp.csrfguard.unprotected.Forward = %servletContext%/forward.jsp
+# org.owasp.csrfguard.unprotected.Session = %servletContext%/session.jsp
+
+####################################
+## Actions: Responding to Attacks ##
+####################################
 # The actions directive (org.owasp.csrfguard.action.*) gives the user the ability to specify one or more
 # actions that should be invoked when a CSRF attack is detected. Every action must implement the
 # org.owasp.csrfguard.action.IAction interface either directly or indirectly through the
@@ -238,8 +261,8 @@ org.owasp.csrfguard.protected.Forward=/forward.jsp
 # the CSRFGuard bundle and is available via the class name org.owasp.csrfguard.actions.Redirect. In order to enable
 # this action, we capture the following declaration in the Owasp.CsrfGuard.properties file:
 #
-# syntax: org.owasp.csrfguard.action.[actionName]=[className]
-# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.csrfguard.actions.Redirect
+# syntax: org.owasp.csrfguard.action.[actionName] = [className]
+# example: org.owasp.csrfguard.action.class.Redirect = org.owasp.csrfguard.actions.Redirect
 #
 # The aforementioned directive declares an action called "Redirect" (i.e. [actionName]) referencing the Java class
 # "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a CSRF attack is detected, the Redirect action
@@ -247,95 +270,89 @@ org.owasp.csrfguard.protected.Forward=/forward.jsp
 # action parameters come into play. In order to specify the redirect location, we capture the following declaration
 # in the Owasp.CsrfGuard.properties file:
 #
-# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[parameterValue]
-# example: org.owasp.csrfguard.action.Redirect.ErrorPage=%servletContext%/error.html
+# syntax: org.owasp.csrfguard.action.[actionName].[parameterName] = [parameterValue]
+# example: org.owasp.csrfguard.action.Redirect.ErrorPage = %servletContext%/error.html
 #
 # The aforementioned directive declares an action parameter called "ErrorPage" (i.e. [parameterName]) with the value
 # of "%servletContext%/error.html" (i.e. [parameterValue]) for the action "Redirect" (i.e. [actionName]). The
 # Redirect action expects the "ErrorPage" parameter to be defined and will redirect the user to this location when
 # an attack is detected.
+# org.owasp.csrfguard.action.Empty = org.owasp.csrfguard.action.Empty
 #
-#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
-org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
-org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
-#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
-org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
-org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
-#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute
-#org.owasp.csrfguard.action.RequestAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
-org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
-#org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute
-#org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
-#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
-#org.owasp.csrfguard.action.Error.Code=403
-#org.owasp.csrfguard.action.Error.Message=Security violation.
-
-# Token Name
+# org.owasp.csrfguard.action.Invalidate = org.owasp.csrfguard.action.Invalidate
 #
+# org.owasp.csrfguard.action.RequestAttribute = org.owasp.csrfguard.action.RequestAttribute
+# org.owasp.csrfguard.action.RequestAttribute.AttributeName = Owasp_CsrfGuard_Exception_Key
+#
+# org.owasp.csrfguard.action.Error = org.owasp.csrfguard.action.Error
+# org.owasp.csrfguard.action.Error.Code = 403
+# org.owasp.csrfguard.action.Error.Message = Security violation.
+
+org.owasp.csrfguard.action.Log = org.owasp.csrfguard.action.Log
+org.owasp.csrfguard.action.Log.Message = potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
+
+org.owasp.csrfguard.action.Redirect = org.owasp.csrfguard.action.Redirect
+org.owasp.csrfguard.action.Redirect.Page = %servletContext%/error.html
+
+org.owasp.csrfguard.action.Rotate = org.owasp.csrfguard.action.Rotate
+
+# Extension modules can add their own actions. Please refer to their documentation to see what actions can be added.
+# Extension provided actions should be added through a configuration overlay.
+# org.owasp.csrfguard.action.SessionAttribute = org.owasp.csrfguard.action.SessionAttribute
+# org.owasp.csrfguard.action.SessionAttribute.AttributeName = Owasp_CsrfGuard_Exception_Key
+
+################
+## Token Name ##
+################
 # The token name property (org.owasp.csrfguard.TokenName) defines the name of the HTTP parameter
 # to contain the value of the OWASP CSRFGuard token for each request. The following configuration
 # snippet sets the CSRFGuard token parameter name to the value OWASP-CSRFTOKEN:
-#
-# org.owasp.csrfguard.TokenName=OWASP-CSRFTOKEN
-org.owasp.csrfguard.TokenName=OWASP-CSRFTOKEN
-
-# Session Key
-#
-# The session key property (org.owasp.csrfguard.SessionKey) defines the string literal used to save
-# and lookup the CSRFGuard token from the session. This value is used by the filter and the tag
-# libraries to retrieve and set the token value in the session. Developers can use this key to
-# programmatically lookup the token within their own code. The following configuration snippet sets
-# the session key to the value OWASP_CSRFTOKEN:
-#
-# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
-org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
+org.owasp.csrfguard.TokenName = OWASP-CSRFTOKEN
 
-# Token Length
-#
+##################
+## Token Length ##
+##################
 # The token length property (org.owasp.csrfguard.TokenLength) defines the number of characters that
 # should be found within the CSRFGuard token. Note that characters are delimited by dashes (-) in groups
 # of four. For cosmetic reasons, users are encourage to ensure the token length is divisible by four.
 # The following configuration snippet sets the token length property to 32 characters:
-#
-# org.owasp.csrfguard.TokenLength=32
-org.owasp.csrfguard.TokenLength=32
+org.owasp.csrfguard.TokenLength = 32
 
-# Pseudo-random Number Generator
-#
+####################################
+## Pseudo-random Number Generator ##
+####################################
 # The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used
 # to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong
 # pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number
 # generator to SHA1PRNG:
-#
-# org.owasp.csrfguard.PRNG=SHA1PRNG
-org.owasp.csrfguard.PRNG=SHA1PRNG
-
-# Pseudo-random Number Generator Provider
+org.owasp.csrfguard.PRNG = SHA1PRNG
 
+#############################################
+## Pseudo-random Number Generator Provider ##
+#############################################
 # The pseudo-random number generator provider property (org.owasp.csrfguard.PRNG.Provider) defines which
 # provider's implementation of org.owasp.csrfguard.PRNG we should utilize. The following configuration
 # snippet instructs the JVM to leverage SUN's implementation of the algorithm denoted by the
 # org.owasp.csrfguard.PRNG property:
 
-# org.owasp.csrfguard.PRNG.Provider=SUN
-org.owasp.csrfguard.PRNG.Provider=SUN
+org.owasp.csrfguard.PRNG.Provider = SUN
 
 # If not specifying the print config option in the web.xml, you can specify it here, to print the config
 # on startup
 org.owasp.csrfguard.Config.Print = true
 
-###########################
-## Javascript servlet settings if not set in web.xml
-## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
-###########################
+#################################################################
+## Javascript servlet settings if not set in web.xml           ##
+## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection ##
+#################################################################
 
-# leave this blank and blank in web.xml and it will read from META-INF/csrfguard.js from the jarfile
+# leave this blank and blank in web.xml and it will read from META-INF/csrfguard.js from the jar file
 # Denotes the location of the JavaScript template file that should be consumed and dynamically 
 # augmented by the JavaScriptServlet class. The default value is WEB-INF/Owasp.CsrfGuard.js. 
 # Use of this property and the existence of the specified template file is required.
-org.owasp.csrfguard.JavascriptServlet.sourceFile = /script/csrfguard.js
+org.owasp.csrfguard.JavascriptServlet.sourceFile =
 
-# Boolean value that determines whether or not the dynamic JavaScript code should be strict 
+# Boolean value that determines whether or not the dynamic JavaScript code should be strict
 # with regards to what links it should inject the CSRF prevention token. With a value of true, 
 # the JavaScript code will only place the token in links that point to the same exact domain 
 # from which the HTML originated. With a value of false, the JavaScript code will place the 
@@ -344,11 +361,11 @@ org.owasp.csrfguard.JavascriptServlet.sourceFile = /script/csrfguard.js
 org.owasp.csrfguard.JavascriptServlet.domainStrict = true
 
 # Allows the developer to specify the value of the Cache-Control header in the HTTP response 
-# when serving the dynamic JavaScript file. The default value is private, maxage=28800. 
+# when serving the dynamic JavaScript file. The default value is private, max-age=28800.
 # Caching of the dynamic JavaScript file is intended to minimize traffic and improve performance. 
 # Note that the Cache-Control header is always set to "no-store" when either the "Rotate" 
 # "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
-org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
+org.owasp.csrfguard.JavascriptServlet.cacheControl = private, max-age=28800
 
 # Allows the developer to specify a regular expression describing the required value of the 
 # Referer header. Any attempts to access the servlet with a Referer header that does not 
@@ -359,9 +376,14 @@ org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
 # checking is implemented to achieve defense in depth.
 org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
 
-# Similar to javascript servlet referer pattern, but this will make sure the referer of the 
-# javascript servlet matches the domain of the request.  If there is no referer (proxy strips it?)
-# then it will not fail.  Generally this is a good idea to be true.
+# Used in conjunction with javascript servlet referer Match Domain, but this will make sure the referer of the
+# javascript servlet matches the protocol of the request. If the referer Match Domain property is disabled,
+# this property is not used
+org.owasp.csrfguard.JavascriptServlet.refererMatchProtocol = true
+
+# Similar to javascript servlet referer pattern, but this will make sure the referer of the
+# javascript servlet matches the domain of the request. If there is no referer (proxy strips it?)
+# then it will not fail. Generally this is a good idea to be true.
 org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
 
 # Boolean value that determines whether or not the dynamic JavaScript code should 
@@ -370,16 +392,16 @@ org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
 # as most server-side state changing actions are triggered via a POST request.
 org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
 
-# if the token should be injected in GET forms (which will be on the URL)
-# if the HTTP method GET is unprotected, then this should likely be false
+# If the token should be injected in GET forms (which will be on the URL).
+# If this property is set to true, it will enable tokens injection into forms with GET method,
+# even if the method was previously configured as unprotected.
 org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
 
 # if the token should be injected in the action in forms
 # note, if injectIntoForms is true, then this might not need to be true
 org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
 
-
-# Boolean value that determines whether or not the dynamic JavaScript code should 
+# Boolean value that determines whether or not the dynamic JavaScript code should
 # inject the CSRF prevention token in the query string of src and href attributes. 
 # Injecting the CSRF prevention token in a URL resource increases its general risk 
 # of exposure to unauthorized parties. However, most JavaEE web applications respond 
@@ -391,17 +413,43 @@ org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
 # POST requests (i.e. discarding GET requests) are strongly encouraged to disable this property.
 org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
 
+# Some applications might dynamically create new DOM elements (e.g. forms).
+# This property enables an asynchronous MutationObserver or a DOMNodeInserted event listener if MutationObservers are not supported
+# that is called when new elements are added to the DOM, then injects the CSRF tokens to it.
+# Note: using event listeners can have a significant impact on performance, hence it defaults to false.
+org.owasp.csrfguard.JavascriptServlet.injectIntoDynamicNodes = false
+
+# This property defines the custom event name that will be fired manually by the client when a DOM element
+# that requires CSRF tokens to be injected is modified or (e.g. form action changed) a new one is created.
+# Since the default MutationObserver implementation is asynchronous, there might be corner-case race conditions
+# between dynamically created and submitted forms and the time the MutationObserver is being invoked by the browser.
+# These special cases are intended to be handled with this approach, because JavaScript events are executed synchronously.
+# After a dynamic DOM element creation which requires token injection the integrator client has to manually fire an event
+# with the same name provided below.
+#
+# Example client code, where 'updatedInjectableElement' is the dynamically created element added to the DOM:
+#   const injectableNodeChangedEvent = new CustomEvent('InjectableNodeChanged', {detail: updatedInjectableElement});
+#   window.dispatchEvent(injectableNodeChangedEvent);
+#
+# Note: this property does not default to a pre-defined value and is only considered,
+# if 'org.owasp.csrfguard.JavascriptServlet.injectIntoDynamicNodes' is true.
+# org.owasp.csrfguard.JavascriptServlet.dynamicNodeCreationEventName = InjectableNodeChanged
 
 org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard Project
 
-###########################
-## Config overlay settings if you have the provider above set to ConfigurationOverlayProvider
-## This CSRF config provider uses Internet2 Configuration Overlays (documented on Internet2 wiki)
-## By default the configuration is read from the Owasp.CsrfGuard.properties
-## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties overlays
-## the base settings.  See the Owasp.CsrfGuard.properties for the possible
-## settings that can be applied to the Owasp.CsrfGuard.overlay.properties
-###########################
+# A comma separated list of file extensions can be added here to prevent the token from
+# being appended to them after pageload (which often causes a second copy of those static
+# resources to be downloaded). ex: "js,css,gif,png,ico,jpg"
+# org.owasp.csrfguard.JavascriptServlet.UnprotectedExtensions = js,css,gif,png,ico,jpg
+
+####################################################################################################
+## Config overlay settings if you have the provider above set to ConfigurationOverlayProvider     ##
+## This CSRF config provider uses Internet2 Configuration Overlays (documented on Internet2 wiki) ##
+## By default the configuration is read from the Owasp.CsrfGuard.properties                       ##
+## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties overlays              ##
+## the base settings. See the Owasp.CsrfGuard.properties for the possible                         ##
+## settings that can be applied to the Owasp.CsrfGuard.overlay.properties                         ##
+####################################################################################################
 
 # comma separated config files that override each other (files on the right override the left)
 # each should start with file: or classpath:
@@ -411,6 +459,52 @@ org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properti
 # seconds between checking to see if the config files are updated
 org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
 
-
-###########################
-
+##########################
+## Custom Token storage ##
+##########################
+# This parameter enables custom Token Holder implementations. It can be used when the backend has a stateless architecture.
+# The implementation has to implement the org.owasp.csrfguard.token.storage.TokenHolder interface.
+# The logic uses SPI to discover the implementation, so in the client module there should be a file called 'org.owasp.csrfguard.token.storage.TokenHolder' under the 'META-INF/services' directory that would contain
+# the fully qualified class name of the custom implementation.
+#
+# Depends on the 'org.owasp.csrfguard.token.storage.LogicalSessionExtractor' property. If the dependency is not fulfilled, then this property will be disregarded.
+# Defaults to 'org.owasp.csrfguard.token.storage.impl.InMemoryTokenHolder', which uses a ConcurrentHashMap to store the tokens.
+# TODO review
+# org.owasp.csrfguard.TokenHolder = org.owasp.csrfguard.token.storage.impl.InMemoryTokenHolder
+
+# This parameter enables defining a custom logical session extractor. The logic must implement the 'org.owasp.csrfguard.token.storage.LogicalSessionExtractor' interface.
+# TODO
+# Defaults to 'org.owasp.csrfguard.session.ContainerSession', which uses the container's HttpSession in the background. The extensions module containing this logic has to be added as a Maven dependency to the project.
+# If a custom implementation is required (e.g. stateless sessions with JWTs), the integration code should invoke the 'org.owasp.csrfguard.CsrfGuard.onSessionCreated' and 'org.owasp.csrfguard.CsrfGuard.onSessionDestroyed'
+# The 'org.owasp.csrfguard.token.storage.LogicalSessionExtractor#getKey' method should return a unique identifier for a specific request (e.g. username from JWT token)
+org.owasp.csrfguard.LogicalSessionExtractor = org.owasp.csrfguard.session.SessionTokenKeyExtractor
+
+#################
+## Concurrency ##
+#################
+# Defines for how many milliseconds the application should accept the master token instead of a newly generated page token.
+#
+# This parameter is aimed to solve the race condition when the 'org.owasp.csrfguard.TokenPerPage' option is enabled without 'org.owasp.csrfguard.TokenPerPagePrecreate'
+# when multiple simultaneous AJAX ('org.owasp.csrfguard.Ajax') requests are fired by a Single Page Applications (SPA)
+# before the initialization of the desired endpoint URIs. The first request against a specific endpoint URI is validated using the master token,
+# then a new page token is generated for future calls, but in case of multiple simultaneously requests, the logic might not have time to assign
+# the newly generated page token to the resource on the client side causing false positive intrusion exceptions.
+#
+# Note: This configuration does not (yet) enable the AJAX and Token Rotation combination. See the documentation for 'org.owasp.csrfguard.Rotate'
+#
+# Defaults to 2000 milliseconds (= 2 seconds).
+org.owasp.csrfguard.PageTokenSynchronizationTolerance = 2000
+
+# The current approach of the OWASP CSRFGuard relies on JavaScript logic for injecting CSRF tokens into HTML elements or XHR requests.
+# Forcing synchronous loading of the AJAX requests has been disabled by default, since they were deprecated
+# (see https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/Synchronous_and_Asynchronous_Requests#synchronous_request)
+# due to their negative impact on the user experience. For this reason, protecting resources that would load
+# before or in parallel with the JavaScript logic (e.g. references IFrames or IMG tags) is not possible anymore.
+# In most cases this should not be a problem, because usually GET requests should not facilitate state-changing operations.
+# If case this last condition cannot be fulfilled (e.g. for legacy applications), backwards compatibility can be achieved by enabling the
+# "forceSynchronousAjax" property below, until there is browser support for it.
+#
+# Defaults to False.
+# Note: it is only enabled for the demo application, for testing purposes.
+#
+org.owasp.csrfguard.forceSynchronousAjax = false
diff --git a/csrfguard-test/src/main/webapp/WEB-INF/web.xml b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/web.xml
similarity index 63%
rename from csrfguard-test/src/main/webapp/WEB-INF/web.xml
rename to csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/web.xml
index 0596336..8c40702 100644
--- a/csrfguard-test/src/main/webapp/WEB-INF/web.xml
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/web.xml
@@ -1,5 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
+         http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+		 version="3.1">
 	<display-name>OWASP CSRFGuard Test</display-name>
 	
 	<welcome-file-list>
@@ -17,7 +21,7 @@
 	<listener>
 		<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
 	</listener>
-	
+
 	<filter>
 		<filter-name>CSRFGuard</filter-name>
 		<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
@@ -43,14 +47,22 @@
 	</servlet-mapping>
 
 	<servlet>
-		<description></description>
-		<display-name>HelloServlet</display-name>
-		<servlet-name>HelloServlet</servlet-name>
-		<servlet-class>org.owasp.csrfguard.test.HelloServlet</servlet-class>
+		<display-name>CounterServlet</display-name>
+		<servlet-name>CounterServlet</servlet-name>
+		<servlet-class>org.owasp.csrfguard.test.CounterServlet</servlet-class>
 	</servlet>
 	
 	<servlet-mapping>
-		<servlet-name>HelloServlet</servlet-name>
-		<url-pattern>/HelloServlet</url-pattern>
+		<servlet-name>CounterServlet</servlet-name>
+		<url-pattern>/counter</url-pattern>
 	</servlet-mapping>
+
+	<!--<filter> Intended only for testing
+		<filter-name>CorsFilter</filter-name>
+		<filter-class>org.owasp.csrfguard.test.CORSFilter</filter-class>
+	</filter>
+	<filter-mapping>
+		<filter-name>CorsFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>-->
 </web-app>
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/ajax.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/ajax.html
new file mode 100644
index 0000000..b039adb
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/ajax.html
@@ -0,0 +1,78 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<script src="/JavaScriptServlet" type="text/javascript"></script>
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+    <title>Ajax Header Verification</title>
+    <script type="text/javascript">
+        function ajax(method, uri, body) {
+            const xhr = new XMLHttpRequest();
+
+            xhr.onreadystatechange = function () {
+                if (xhr.readyState === 4) {
+                    if (xhr.status === 200 && xhr.responseURL.endsWith(uri)) {
+                        alert('200: CSRF check passed!');
+                    } else {
+                        alert('CSRF check FAILED!\nStatus code: ' + xhr.status + '\nResponse URL:\n' + xhr.responseURL);
+                    }
+                }
+            }
+
+            xhr.open(method, uri, true);
+            xhr.send(body);
+        }
+
+        function sendForm() {
+            let body = 'text=' + document.getElementById('text').value;
+            body = body + '&submit=' + document.getElementById('submit').value;
+
+            ajax('POST', 'protect.html', body);
+        }
+
+        function domTest() {
+            const div = document.getElementById('ajax');
+
+            const internalAnchor = document.createElement('a');
+            internalAnchor.setAttribute('href', 'protect.html');
+            internalAnchor.appendChild(document.createTextNode('protect.html'));
+
+            div.appendChild(internalAnchor);
+            div.appendChild(document.createElement('br'));
+            div.appendChild(document.createElement('br'));
+
+            const externalAnchor = document.createElement('a');
+            externalAnchor.setAttribute('href', 'https://www.google.com');
+            externalAnchor.appendChild(document.createTextNode('google.com'));
+
+            div.appendChild(externalAnchor);
+            div.appendChild(document.createElement('br'));
+            div.appendChild(document.createElement('br'));
+        }
+    </script>
+</head>
+<body onload="domTest();">
+	<h3>Test Link(s)</h3>
+	<ul>
+		<li><a href="#" onclick="ajax('GET', 'protect.html', '')">protect.html</a></li>
+		<li><a href="#" onclick="ajax('GET', '/protect.html', '')">/protect.html</a></li>
+		<li><a href="#" onclick="ajax('GET', '/test.html', '')">test.html</a></li>
+		<li><a href="#" onclick="ajax('GET', '/regextest/protected.html', '')">/protect.html</a></li>
+		<li><a href="#" onclick="ajax('GET', 'regextest/unprotected.html', '')">regextest/unprotected.html</a></li>
+		<li><a href="#" onclick="ajax('GET', '/regextest/protected.txt', '')">/regextest/protected.txt</a></li>
+		<li><a href="#" onclick="ajax('GET', 'regextest/resources/protected.html', '')">regextest/resources/protected.html</a></li>
+		<li><a href="#" onclick="ajax('GET', '/regextest/resources/unprotected.html', '')">/regextest/resources/unprotected.html</a></li>
+		<li><a href="#" onclick="ajax('GET', '/regextest/resources/protected.txt', '')">/regextest/resources/protected.txt</a></li>
+		<li><a href="#" onclick="ajax('GET', 'wildcardtest/test.html', '')">Wildcard test.html</a></li>
+		<li><a href="#" onclick="ajax('GET', '/wildcardtest/test.txt', '')">Wildcard test.txt</a></li>
+		<li><a href="#">javascript:alert('test')</a></li>
+	</ul>
+	<br/>
+	<h3>Test Form(s)</h3>
+	<form id="form" name="test1" action="#" onsubmit="return false">
+		<input id="text" type="text" name="text" value="text"/>
+		<input id="submit" type="submit" name="submit" value="submit" onclick="sendForm()"/>
+	</form>
+	<h3>Dom Test</h3>
+	<div id="ajax"></div>
+</body>
+</html>
\ No newline at end of file
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/attack1.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/attack1.html
new file mode 100644
index 0000000..7bd7b9f
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/attack1.html
@@ -0,0 +1,28 @@
+<html lang="en">
+<head>
+    <meta name="referrer" content="no-referrer">
+</head>
+<script>
+    window.addEventListener('load', (event) => {
+        document.getElementById('incrementForm').submit()
+    });
+</script>
+<!-- Possible enctype values:
+    * application/x-www-form-urlencoded (default)
+    * multipart/form-data
+    * text/plain
+
+Firefox auto-corrects the Content-Type to application/x-www-form-urlencoded if an invalid enctype is given.
+
+Potential bypass if the target endpoint does not limit the accepted content types (http://pentestmonkey.net/blog/csrf-xml-post-request):
+<form name="buy" ENCTYPE="text/plain" action="http://localhost:8080/xmlrpc/trade.rem" method="POST">
+    <input type="hidden" name='<?xml version'
+        value='"1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>'>
+</form>
+<script>document.buy.submit();</script>
+
+-->
+<form id="incrementForm" method="post" action="http://localhost:8080/counter" enctype="application/x-www-form-urlencoded">
+    <input name="value" value="100" type="hidden">
+</form>
+</html>
\ No newline at end of file
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/attack2.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/attack2.html
new file mode 100644
index 0000000..a18becf
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/attack2.html
@@ -0,0 +1,24 @@
+<html lang="en">
+<head>
+    <meta name="referrer" content="no-referrer"> <!-- Do not send a referer header with the hope that it might bypass referer validation -->
+</head>
+<script>
+    const ENDPOINT='http://localhost:8080/counter'
+
+    fetch(ENDPOINT, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded"
+            // "Content-Type": "application/json" // this triggers a pre-flight check
+        },
+        credentials: "include",
+        body: "value=1000"
+    }).catch(reason => console.error(reason))
+
+    // try the same with an XMLHttpRequest
+    const xhr = new XMLHttpRequest();
+    xhr.open('POST', ENDPOINT, true);
+    xhr.withCredentials = true;
+    xhr.send("value=1000");
+</script>
+</html>
\ No newline at end of file
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/counter.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/counter.html
new file mode 100644
index 0000000..dfc0cc2
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/counter.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+    <script src="/JavaScriptServlet" type="text/javascript"></script>
+    <title>Counter test</title>
+    <script type="text/javascript">
+        onGetCounterValue();
+
+        function ajax(method, value) {
+            const xhr = new XMLHttpRequest();
+
+            xhr.onreadystatechange = function () {
+                if (xhr.readyState === 4) {
+                    if (xhr.status === 200) {
+                        document.getElementById("counter-value").innerText = xhr.responseText
+                    }
+                }
+            }
+
+            xhr.open(method, '/counter', true);
+            if (value == null) {
+                xhr.send()
+            } else {
+                xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")
+                xhr.send("value=" + value);
+            }
+        }
+
+        function onGetCounterValue() {
+            ajax('GET')
+        }
+
+        function onIncrementCounterValue() {
+            ajax('POST', 1)
+        }
+    </script>
+</head>
+<body>
+    <p>Get or increment the counter:</p>
+    <p>If the counter can be externally incremented, it signals that there is a vulnerability in the solution.</p>
+    <button onclick="onGetCounterValue()">AJAX Get</button>
+    <button onclick="onIncrementCounterValue()">AJAX Increment By One</button>
+    <form id="form" action="/counter" onsubmit=onGetCounterValue() method="POST">
+        <label for="text">Increment by</label><input id="text" type="text" name="value" value="100"/>
+        <input id="submit" type="submit" value="Submit Form"/>
+    </form>
+    <br/><br/>
+    <div id="counter-value"></div>
+</body>
+</html>
diff --git a/csrfguard-test/src/main/webapp/error.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/error.html
similarity index 56%
rename from csrfguard-test/src/main/webapp/error.html
rename to csrfguard-test/csrfguard-test-jsp/src/main/webapp/error.html
index 97acd83..94a5f2a 100644
--- a/csrfguard-test/src/main/webapp/error.html
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/error.html
@@ -1,10 +1,10 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
+<html lang="en">
 <head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>CSRF Attack Detected</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+    <title>CSRF Attack Detected</title>
 </head>
 <body>
 CSRF Attack Detected - <a href="index.html">Home</a>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/favicon.ico b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/favicon.ico
new file mode 100644
index 0000000..ab0a666
Binary files /dev/null and b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/favicon.ico differ
diff --git a/csrfguard-test/src/main/webapp/forward.jsp b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/forward.jsp
similarity index 61%
rename from csrfguard-test/src/main/webapp/forward.jsp
rename to csrfguard-test/csrfguard-test-jsp/src/main/webapp/forward.jsp
index 4b656ef..53e63ab 100644
--- a/csrfguard-test/src/main/webapp/forward.jsp
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/forward.jsp
@@ -1,12 +1,11 @@
-<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
-    pageEncoding="ISO-8859-1"%>
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1" %>
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <html>
 <head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Forward Test</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+    <title>Forward Test</title>
 </head>
 <body>
 <jsp:forward page="protect.html"/>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/index.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/index.html
new file mode 100644
index 0000000..58e725a
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/index.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+    <title>CSRFGuard Test Application</title>
+</head>
+<body>
+Welcome to the OWASP CSRFGuard Test Application! Where would you like to go?
+<br/>
+<strong>Tests:</strong>
+<ul>
+    <li><a href="javascript.html">JavaScript Token Injection</a></li>
+    <li><a href="tag.jsp">JSP Tag Token Injection</a></li>
+    <li><a href="redirect.jsp">JSP Redirect Token Injection</a>
+    <li><a href="forward.jsp">JSP Forward Token Injection</a>
+    <li><a href="ajax.html">Ajax Token Injection</a></li>
+    <li><a href="upload.html">Multipart Verification</a>
+    <li><a href="legacySyncAjaxTest.html">Image and IFrame verification with legacy synchronous AJAX</a>
+    <li><a href="counter.html">Test the counter endpoint</a>
+</ul>
+<br/>
+
+<strong>Attempt CSRF attacks against the /counter endpoint:</strong><br/>
+<p>Mimic hosting the exploits on a different domain:</p>
+<ul>
+    <li><i>sudo echo "127.0.0.1 attacker.local" >> /etc/hosts</i></li>
+    <li>Form based attack attempt at <a href="http://attacker.local:8080/attack1.html">http://attacker.local:8080/attack1.html</a></li>
+    <li>AJAX call based attack attempt at <a href="http://attacker.local:8080/attack2.html">http://attacker.local:8080/attack2.html</a></li>
+</ul>
+<br/>
+
+<strong>Utilities:</strong>
+<ul>
+    <li><a href="session.jsp?action=invalidate">Invalidate Session</a>
+</ul>
+</body>
+</html>
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/javascript.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/javascript.html
new file mode 100644
index 0000000..b11f044
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/javascript.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+    <script src="/JavaScriptServlet" type="text/javascript"></script>
+    <title>JavaScript Token Injection</title>
+    <script type="text/javascript">
+        window.addEventListener('DOMContentLoaded', function () {
+            const observer = new MutationObserver(function (mutations) {
+                alert('If the "org.owasp.csrfguard.JavascriptServlet.domainStrict" is set to TRUE, the "Evil" form should not be modified by the CSRFGuard JS logic!');
+                console.debug(mutations);
+            });
+
+            const evilForm = document.getElementById('evilForm');
+
+            if (evilForm !== null) {
+                observer.observe(evilForm, {attributes: true, childList: true, subtree: true});
+            }
+        }, false);
+    </script>
+</head>
+<body>
+    <h3>Test Link(s)</h3>
+    <ul>
+        <li><a href="protect.html" title="test URL with absent forward slash suffix">protect.html</a></li>
+        <li><a href="/protect.html" title="test URL with forward slash prefix">/protect.html</a></li>
+        <li><a href="/regextest/protected.html">/regextest/protect.html</a></li>
+        <li><a href="/regextest/unprotected.html">/regextest/unprotected.html</a></li>
+        <li><a href="/regextest/protected.txt">/regextest/protected.txt</a></li>
+        <li><a href="/regextest/resources/protected.html">/regextest/resources/protected.html</a></li>
+        <li><a href="/regextest/resources/unprotected.html">/regextest/resources/unprotected.html</a></li>
+        <li><a href="/regextest/resources/protected.txt">/regextest/resources/protected.txt</a></li>
+        <li><a href="/wildcardtest/test.html">Wildcard test.html</a></li>
+        <li><a href="/wildcardtest/test.txt">Wildcard test.txt</a></li>
+    </ul>
+    <br/>
+
+    <h3>Test Form(s)</h3>
+    <form name="test1" action="protect.html">
+        <input type="text" name="text" value="text"/>
+        <input type="submit" name="submit" value="submit"/>
+    </form>
+    <br/><br/>
+
+    <h3>"Evil" Form(s)</h3>
+    <p>Tokens should not be injected into links referencing different domains if the domainStrict property is set to true.</p>
+    <form name="test2" id="evilForm" action="https://www.google.com/search?q=csrfguard">
+        <input type="text" name="text" value="text"/>
+        <input type="submit" name="submit" value="submit"/>
+    </form>
+    <br/><br/>
+</body>
+</html>
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/legacySyncAjaxTest.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/legacySyncAjaxTest.html
new file mode 100644
index 0000000..ed41600
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/legacySyncAjaxTest.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Page for testing legacy synchronous AJAX requests</title>
+    <script src="/JavaScriptServlet" type="text/javascript"></script>
+</head>
+<body>
+    <h2>Important note: </h2>
+    <p>
+        The current approach of the OWASP CSRFGuard relies on JavaScript logic for injecting CSRF tokens into HTML elements or XHR requests.
+        Forcing synchronous loading of the AJAX requests has been disabled, since they were
+        <a href="https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/Synchronous_and_Asynchronous_Requests#synchronous_request">deprecated</a>
+        due to their negative impact on the user experience. For this reason, protecting resources that would load
+        before or in parallel with the JavaScript logic (e.g. references IFrames or IMG tags) is not possible.
+        In most cases this should not be a problem, because usually GET requests should not facilitate state-changing operations.
+        If this last condition cannot be fulfilled (e.g. for legacy applications), backwards compatibility can be achieved by enabling the
+        "forceSynchronousAjax" property within the configurations, until there is browser support for it.
+    </p>
+    <h3>IFrame</h3>
+    <p>Aims to test token injection for referenced protected pages that are loaded before user interaction.<p>
+    <iframe src="/protect.html"></iframe>
+    <br/><br/>
+
+    <h3>Image Tag</h3>
+    <p>Aims to test token injection for referenced protected pages that are loaded before user interaction.<p>
+    <img src="owasp_logo.png" alt="OWASP logo"/>
+</body>
+</html>
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/owasp_logo.png b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/owasp_logo.png
new file mode 100644
index 0000000..b0af38b
Binary files /dev/null and b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/owasp_logo.png differ
diff --git a/csrfguard-test/src/main/webapp/protect.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/protect.html
similarity index 60%
rename from csrfguard-test/src/main/webapp/protect.html
rename to csrfguard-test/csrfguard-test-jsp/src/main/webapp/protect.html
index 447606d..6fa151c 100644
--- a/csrfguard-test/src/main/webapp/protect.html
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/protect.html
@@ -1,10 +1,10 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
+<html lang="en">
 <head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Protect</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+    <title>Protect</title>
 </head>
 <body>
 This is a resource that should be protected from CSRF attacks.
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/csrfguard-test/src/main/webapp/redirect.jsp b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/redirect.jsp
similarity index 51%
rename from csrfguard-test/src/main/webapp/redirect.jsp
rename to csrfguard-test/csrfguard-test-jsp/src/main/webapp/redirect.jsp
index 604f1f7..9994054 100644
--- a/csrfguard-test/src/main/webapp/redirect.jsp
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/redirect.jsp
@@ -1,14 +1,13 @@
-<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
-    pageEncoding="ISO-8859-1"%>
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1" %>
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <html>
 <head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Redirect Test</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+    <title>Redirect Test</title>
 </head>
 <body>
 <%
-response.sendRedirect("protect.html");
+    response.sendRedirect("protect.html");
 %>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/protected.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/protected.html
new file mode 100644
index 0000000..3b892d0
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/protected.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>This page is meant to test protected page setup with regular expressions.</title>
+</head>
+<body>
+This page is meant to test protected page setup with regular expressions.
+</body>
+</html>
\ No newline at end of file
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/protected.txt b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/protected.txt
new file mode 100644
index 0000000..39dd5e9
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/protected.txt
@@ -0,0 +1,11 @@
+Everything under /regextest/ that starts with protected should be protected unless it's .txt
+
+see: isProtectEnabled()
+
+protected:
+^/regextest/protected\..*$
+^/regextest/.*/protected\.html$
+
+unprotected:
+^/regextest/.*\.txt$
+^/regextest/.*/.*\.txt$
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/resources/protected.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/resources/protected.html
new file mode 100644
index 0000000..3b892d0
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/resources/protected.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>This page is meant to test protected page setup with regular expressions.</title>
+</head>
+<body>
+This page is meant to test protected page setup with regular expressions.
+</body>
+</html>
\ No newline at end of file
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/resources/protected.txt b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/resources/protected.txt
new file mode 100644
index 0000000..e69de29
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/resources/unprotected.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/resources/unprotected.html
new file mode 100644
index 0000000..4375aa5
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/resources/unprotected.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>This page is meant to test un-protected page setup with regular expressions.</title>
+</head>
+<body>
+This page is meant to test un-protected page setup with regular expressions.
+</body>
+</html>
\ No newline at end of file
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/unprotected.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/unprotected.html
new file mode 100644
index 0000000..4375aa5
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/unprotected.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>This page is meant to test un-protected page setup with regular expressions.</title>
+</head>
+<body>
+This page is meant to test un-protected page setup with regular expressions.
+</body>
+</html>
\ No newline at end of file
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/session.jsp b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/session.jsp
new file mode 100644
index 0000000..2712e30
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/session.jsp
@@ -0,0 +1,19 @@
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1" %>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+    <title>Session Utilities</title>
+</head>
+<body>
+<%
+    final String action = request.getParameter("action");
+
+    if ("invalidate".equals(action)) {
+        session.invalidate();
+        request.getSession(true);
+%><strong>Session Invalidated!</strong><%
+    }
+%>
+</body>
+</html>
diff --git a/csrfguard-test/src/main/webapp/tag.jsp b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/tag.jsp
similarity index 95%
rename from csrfguard-test/src/main/webapp/tag.jsp
rename to csrfguard-test/csrfguard-test-jsp/src/main/webapp/tag.jsp
index cda799a..db66265 100644
--- a/csrfguard-test/src/main/webapp/tag.jsp
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/tag.jsp
@@ -20,6 +20,7 @@
 </ul>
 <br/>
 <h3>Test Form(s)</h3>
+<b>Used token rotation is not supported with JSPs<b>.
 <form id="formTest1" name="formTest1" action="protect.html">
 	<input type="text" name="text" value="text"/>
 	<input type="submit" name="submit" value="submit"/>
@@ -30,4 +31,4 @@
 	<input type="submit" name="submit" value="submit"/>
 </csrf:form>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/upload.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/upload.html
new file mode 100644
index 0000000..843c88d
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/upload.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+    <title>File Upload Example</title>
+</head>
+<body>
+<form enctype="multipart/form-data" action="protect.html" method="POST">
+    <input name="uploadedfile" type="file"/><br/>
+    <input type="submit" value="Upload File"/>
+</form>
+<!-- OWASP CSRFGuard JavaScript Support -->
+<script src="/JavaScriptServlet" type="text/javascript"></script>
+</body>
+</html>
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/wildcardtest/test.html b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/wildcardtest/test.html
new file mode 100644
index 0000000..bcdee64
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/wildcardtest/test.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>This page is meant to test protected page setup using wildcards.</title>
+</head>
+<body>
+This page is meant to test protected page setup using wildcards.
+</body>
+</html>
\ No newline at end of file
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/wildcardtest/test.txt b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/wildcardtest/test.txt
new file mode 100644
index 0000000..ae2d16c
--- /dev/null
+++ b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/wildcardtest/test.txt
@@ -0,0 +1,11 @@
+everything under /regextest/ that starts with protected should be protected unless it's .txt
+
+see: isProtectEnabled()
+
+protected:
+^/regextest/protected\..*$
+^/regextest/.*/protected\.html$
+
+unprotected:
+^/regextest/.*\.txt$
+^/regextest/.*/.*\.txt$
diff --git a/csrfguard-test/misc/eclipse/README.txt b/csrfguard-test/misc/eclipse/README.txt
deleted file mode 100644
index e5384b5..0000000
--- a/csrfguard-test/misc/eclipse/README.txt
+++ /dev/null
@@ -1 +0,0 @@
-These files put in the csrfguard-test dir work for eclipse kepler and m2e maven plugin
\ No newline at end of file
diff --git a/csrfguard-test/pom.xml b/csrfguard-test/pom.xml
index 37a3d55..10c88c4 100644
--- a/csrfguard-test/pom.xml
+++ b/csrfguard-test/pom.xml
@@ -1,148 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ The OWASP CSRFGuard Project, BSD License
+  ~ Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+  ~ All rights reserved.
+  ~
+  ~ Redistribution and use in source and binary forms, with or without
+  ~ modification, are permitted provided that the following conditions are met:
+  ~
+  ~     1. Redistributions of source code must retain the above copyright notice,
+  ~        this list of conditions and the following disclaimer.
+  ~     2. Redistributions in binary form must reproduce the above copyright
+  ~        notice, this list of conditions and the following disclaimer in the
+  ~        documentation and/or other materials provided with the distribution.
+  ~     3. Neither the name of OWASP nor the names of its contributors may be used
+  ~        to endorse or promote products derived from this software without specific
+  ~        prior written permission.
+  ~
+  ~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+  ~ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+  ~ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+  ~ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+  ~ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+  ~ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+  ~ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+  ~ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+  ~ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+  ~ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  -->
+
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-	<modelVersion>4.0.0</modelVersion>
-	<groupId>org.owasp</groupId>
-	<artifactId>csrfguard-test</artifactId>
-	<version>3.1.0-SNAPSHOT</version>
-	<packaging>war</packaging>
-	<name>OWASP CSRFGuard Test Application</name>
-	<description>OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.</description>
-	<url>https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project</url>
-	<organization>
-		<name>OWASP</name>
-		<url>http://www.owasp.org</url>
-	</organization>
-	<licenses>
-		<license>
-			<name>BSD License</name>
-			<url>http://www.opensource.org/licenses/bsd-license.php</url>
-		</license>
-	</licenses>
-	<scm>
-		<url>https://github.com/esheri3/OWASP-CSRFGuard</url>
-		<connection>https://github.com/esheri3/OWASP-CSRFGuard.git</connection>
-	</scm>
-	<developers>
-		<developer>
-			<id>esheri3</id>
-			<name>Eric Sheridan</name>
-			<email>eric@infraredsecurity.com</email>
-		</developer>
-	</developers>
-	<properties>
-		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-	</properties>
-	<dependencies>
-		<dependency>
-			<groupId>javax.servlet</groupId>
-			<artifactId>servlet-api</artifactId>
-			<version>2.5</version>
-			<scope>provided</scope>
-		</dependency>
-		<dependency>
-			<groupId>javax.servlet.jsp</groupId>
-			<artifactId>jsp-api</artifactId>
-			<version>2.1</version>
-			<scope>provided</scope>
-		</dependency>
-		<dependency>
-			<groupId>org.owasp</groupId>
-			<artifactId>csrfguard</artifactId>
-			<version>${project.version}</version>
-		</dependency>
-	</dependencies>
-	<build>
-		<plugins>
-			<plugin>
-				<groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.1</version>
-				<configuration>
-					<fork>true</fork>
-					<optimize>true</optimize>
-					<showDeprecation>true</showDeprecation>
-					<source>1.6</source>
-					<target>1.6</target>
-					<verbose>true</verbose>
-				</configuration>
-			</plugin>
-			<plugin>
-				<groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-jar-plugin</artifactId>
-				<version>2.2</version>
-				<configuration>
-					<archive>
-						<manifest>
-							<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
-							<addDefaultSpecificationEntries>false</addDefaultSpecificationEntries>
-						</manifest>
-						<manifestEntries>
-							<Project-Lead>Eric Sheridan (eric@infraredsecurity.com)</Project-Lead>
-							<Url>${project.url}</Url>
-						</manifestEntries>
-					</archive>
-				</configuration>
-			</plugin>
-			<plugin>
-				<groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-javadoc-plugin</artifactId>
-				<version>2.9</version>
-				<configuration>
-				</configuration>
-				<executions>
-					<execution>
-						<id>javadoc-jar</id>
-						<phase>package</phase>
-						<goals>
-							<goal>jar</goal>
-						</goals>
-					</execution>
-				</executions>
-			</plugin>
-			<plugin>
-				<groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-source-plugin</artifactId>
-				<version>2.2.1</version>
-				<configuration>
-					<encoding>UTF-8</encoding>
-					<charset>UTF-8</charset>
-					<archive>
-						<manifest>
-							<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
-							<addDefaultSpecificationEntries>false</addDefaultSpecificationEntries>
-						</manifest>
-						<manifestEntries>
-							<Project-Lead>Eric Sheridan (eric@infraredsecurity.com)</Project-Lead>
-							<Url>${project.url}</Url>
-						</manifestEntries>
-					</archive>
-				</configuration>
-				<executions>
-					<execution>
-						<id>attach-sources</id>
-						<phase>package</phase>
-						<goals>
-							<goal>jar-no-fork</goal>
-						</goals>
-					</execution>
-				</executions>
-			</plugin>
-			<plugin>
-				<groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-surefire-plugin</artifactId>
-				<version>2.12.4</version>
-				<configuration>
-					<skip>true</skip>
-				</configuration>
-			</plugin>
-			<plugin>
-				<groupId>org.apache.tomcat.maven</groupId>
-				<artifactId>tomcat7-maven-plugin</artifactId>
-				<version>2.1</version>
-				<configuration>
-					<path>/</path>
-					<port>8000</port>
-				</configuration>
-			</plugin>
-		</plugins>
-	</build>
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>csrfguard-parent</artifactId>
+        <version>4.0.2-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>csrfguard-test</artifactId>
+    <name>OWASP CSRFGuard Test Parent POM</name>
+    <packaging>pom</packaging>
+
+    <modules>
+        <module>csrfguard-test-jsp</module>
+    </modules>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>csrfguard</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>csrfguard-extension-session</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
 </project>
diff --git a/csrfguard-test/src/main/java/org/owasp/csrfguard/test/HelloServlet.java b/csrfguard-test/src/main/java/org/owasp/csrfguard/test/HelloServlet.java
deleted file mode 100644
index ac3e9b6..0000000
--- a/csrfguard-test/src/main/java/org/owasp/csrfguard/test/HelloServlet.java
+++ /dev/null
@@ -1,44 +0,0 @@
-package org.owasp.csrfguard.test;
-
-import java.io.IOException;
-import java.io.PrintWriter;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-/**
- * Servlet implementation class HelloServlet
- */
-public class HelloServlet extends HttpServlet {
-	private static final long serialVersionUID = 1L;
-
-    /**
-     * Default constructor. 
-     */
-    public HelloServlet() {
-        // TODO Auto-generated constructor stub
-    }
-
-	/**
-	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
-	 */
-	@Override
-	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		doPost(request, response);
-	}
-
-	/**
-	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
-	 */
-	@Override
-	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		response.setContentType("text/plain");
-		
-		PrintWriter writer = new PrintWriter(response.getOutputStream());
-		writer.println("Hello World!");
-		writer.close();
-	}
-
-}
diff --git a/csrfguard-test/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.overlay.properties b/csrfguard-test/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.overlay.properties
deleted file mode 100644
index 104a423..0000000
--- a/csrfguard-test/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.overlay.properties
+++ /dev/null
@@ -1,17 +0,0 @@
-
-org.owasp.csrfguard.configuration.provider.factory=org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory
-
-org.owasp.csrfguard.JavascriptServlet.refererPattern = http://localhost:80.*
-
-org.owasp.csrfguard.unprotected.Default=%servletContext%/
-org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
-org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
-org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
-org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
-org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
-org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.html
-org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
-org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
-org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
-org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
-org.owasp.csrfguard.unprotected.Favicon=%servletContext%/favicon.ico
diff --git a/csrfguard-test/src/main/webapp/ajax.html b/csrfguard-test/src/main/webapp/ajax.html
deleted file mode 100644
index 867298d..0000000
--- a/csrfguard-test/src/main/webapp/ajax.html
+++ /dev/null
@@ -1,75 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Ajax Header Verification</title>
-<script type="text/javascript">
-function ajax(method, uri, body) {
-	var xhr = new XMLHttpRequest();
-
-	xhr.onreadystatechange = function() {
-		//alert("readyState: " + xhr.readyState + " status: " + xhr.status + " text: " + xhr.statusText);
-		if(xhr.readyState == 4) {
-			if(xhr.status == 200) {
-				alert('200: passed csrf check');
-			} else {
-				alert(xhr.status + ': failed csrf check');
-			}
-		}
-	}
-
-	xhr.open(method, uri, true);
-	xhr.send(body);
-}
-
-function sendForm() {
-	var form = document.getElementById('form');
-
-	var body = 'text=' + document.getElementById('text').value;
-	body = body + '&submit=' + document.getElementById('submit').value;
-
-	ajax('POST', 'protect.html', body);
-}
-
-function domTest() {
-	div = document.getElementById('ajax');
-
-	anchor = document.createElement('a');
-	anchor.setAttribute('href', 'protect.html');
-	anchor.appendChild(document.createTextNode('protect.html'));
-	
-	div.appendChild(anchor);
-	div.appendChild(document.createElement('br'));
-	div.appendChild(document.createElement('br'));
-	
-	anchor = document.createElement('a');
-	anchor.setAttribute('href', 'google.com');
-	anchor.appendChild(document.createTextNode('google.com'));
-	
-	div.appendChild(anchor);
-	div.appendChild(document.createElement('br'));
-	div.appendChild(document.createElement('br'));
-}
-
-</script>
-</head>
-<body onload="javascript:domTest();">
-<h3>Test Link(s)</h3>
-<ul>
-	<li><a href="#" onclick="ajax('GET', 'protect.html', '')">protect.html</a></li>
-	<li><a href="#" onclick="ajax('GET', '/protect.html', '')">/protect.html</a></li>
-	<li><a href="#" onclick="ajax('GET', 'http://localhost/test.html', '')">http://localhost/test.html</a></li>
-	<li><a href="#">javascript:alert('test')</a></li>
-</ul>
-<br/>
-<h3>Test Form(s)</h3>
-<form id="form" name="test1" action="#" onsubmit="return false">
-	<input id="text" type="text" name="text" value="text"/>
-	<input id="submit" type="submit" name="submit" value="submit" onclick="sendForm()"/>
-</form>
-<h3>Dom Test</h3>
-<div id="ajax"></div>
-</body>
-<!-- OWASP CSRFGuard Ajax Support -->
-<script src="/JavaScriptServlet"></script>
-</html>
\ No newline at end of file
diff --git a/csrfguard-test/src/main/webapp/index.html b/csrfguard-test/src/main/webapp/index.html
deleted file mode 100644
index a098fd4..0000000
--- a/csrfguard-test/src/main/webapp/index.html
+++ /dev/null
@@ -1,25 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>CSRFGuard Test Application</title>
-</head>
-<body>
-Welcome to the OWASP CSRFGuard Test Application! Where would you like to go?
-<br/>
-<strong>Tests:</strong>
-<ul>
-	<li><a href="javascript.html">JavaScript Token Injection</a></li>
-	<li><a href="tag.jsp">JSP Tag Token Injection</a></li>
-	<li><a href="redirect.jsp">JSP Redirect Token Injection</a>
-	<li><a href="forward.jsp">JSP Forward Token Injection</a>
-	<li><a href="ajax.html">Ajax Token Injection</a></li>
-	<li><a href="upload.html">Multipart Verification</a>
-</ul>
-<br/>
-<strong>Utilities:</strong>
-<ul>
-	<li><a href="session.jsp?action=invalidate">Invalidate Session</a>
-</ul>
-</body>
-</html>
\ No newline at end of file
diff --git a/csrfguard-test/src/main/webapp/javascript.html b/csrfguard-test/src/main/webapp/javascript.html
deleted file mode 100644
index fc4bdd0..0000000
--- a/csrfguard-test/src/main/webapp/javascript.html
+++ /dev/null
@@ -1,41 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>JavaScript Token Injection</title>
-</head>
-<body>
-<h3>Test Link(s)</h3>
-<ul>
-	<li><a href="protect.html">protect.html</a></li>
-	<li><a href="/protect.html">/protect.html</a></li>
-	<li><a href="http://localhost/test.html">http://localhost/test.html</a></li>
-	<li><a href="javascript:alert('test')">javascript:alert('test')</a></li>
-</ul>
-<br/>
-<h3>Test Form(s)</h3>
-<form name="test1" action="protect.html">
-	<input type="text" name="text" value="text"/>
-	<input type="submit" name="submit" value="submit"/>
-</form>
-</body>
-<br/>
-<br/>
-<h3>Evil Form(s)</h3>
-<form name="test2" action="http://www.evilsite.com/protect.html">
-	<input type="text" name="text" value="text"/>
-	<input type="submit" name="submit" value="submit"/>
-</form>
-<br/>
-<br/>
-<h3>IFrame</h3>
-<iframe src="/protect.html"></iframe>
-<br/>
-<br/>
-<h3>Image Tag</h3>
-<img src="protect.html" />
-<img src="/protect.html" />
-</body>
-<!-- OWASP CSRFGuard JavaScript Support -->
-<script src="/JavaScriptServlet"></script>
-</html>
\ No newline at end of file
diff --git a/csrfguard-test/src/main/webapp/script/csrfguard.js b/csrfguard-test/src/main/webapp/script/csrfguard.js
deleted file mode 100644
index 78c57f5..0000000
--- a/csrfguard-test/src/main/webapp/script/csrfguard.js
+++ /dev/null
@@ -1,450 +0,0 @@
-/**
- * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
- * All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-(function() {
-	/**
-	 * Code to ensure our event always gets triggered when the DOM is updated.
-	 * @param obj
-	 * @param type
-	 * @param fn
-	 * @source http://www.dustindiaz.com/rock-solid-addevent/
-	 */
-	function addEvent( obj, type, fn ) {
-	    if (obj.addEventListener) {
-	        obj.addEventListener( type, fn, false );
-	        EventCache.add(obj, type, fn);
-	    }
-	    else if (obj.attachEvent) {
-	        obj["e"+type+fn] = fn;
-	        obj[type+fn] = function() { obj["e"+type+fn]( window.event ); }
-	        obj.attachEvent( "on"+type, obj[type+fn] );
-	        EventCache.add(obj, type, fn);
-	    }
-	    else {
-	        obj["on"+type] = obj["e"+type+fn];
-	    }
-	}
-	
-	var EventCache = function(){
-	    var listEvents = [];
-	    return {
-	        listEvents : listEvents,
-	        add : function(node, sEventName, fHandler){
-	            listEvents.push(arguments);
-	        },
-	        flush : function(){
-	            var i, item;
-	            for(i = listEvents.length - 1; i >= 0; i = i - 1){
-	                item = listEvents[i];
-	                if(item[0].removeEventListener){
-	                    item[0].removeEventListener(item[1], item[2], item[3]);
-	                };
-	                if(item[1].substring(0, 2) != "on"){
-	                    item[1] = "on" + item[1];
-	                };
-	                if(item[0].detachEvent){
-	                    item[0].detachEvent(item[1], item[2]);
-	                };
-	            };
-	        }
-	    };
-	}();
-	
-	/** string utility functions **/
-	function startsWith(s, prefix) {
-		return s.indexOf(prefix) === 0;
-	}
-
-	function endsWith(s, suffix) {
-		return s.substring(s.length - suffix.length) === suffix;
-	}
-
-	/** hook using standards based prototype **/
-	function hijackStandard() {
-		XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
-		XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
-			this.url = url;
-			
-			this._open.apply(this, arguments);
-		};
-		
-		XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
-		XMLHttpRequest.prototype.send = function(data) {
-			if(this.onsend != null) {
-				this.onsend.apply(this, arguments);
-			}
-			
-			this._send.apply(this, arguments);
-		};
-	}
-
-	/** ie does not properly support prototype - wrap completely **/
-	function hijackExplorer() {
-		var _XMLHttpRequest = window.XMLHttpRequest;
-		
-		function alloc_XMLHttpRequest() {
-			this.base = _XMLHttpRequest ? new _XMLHttpRequest : new window.ActiveXObject("Microsoft.XMLHTTP");
-		}
-		
-		function init_XMLHttpRequest() {
-			return new alloc_XMLHttpRequest;
-		}
-		
-		init_XMLHttpRequest.prototype = alloc_XMLHttpRequest.prototype;
-		
-		/** constants **/
-		init_XMLHttpRequest.UNSENT = 0;
-		init_XMLHttpRequest.OPENED = 1;
-		init_XMLHttpRequest.HEADERS_RECEIVED = 2;
-		init_XMLHttpRequest.LOADING = 3;
-		init_XMLHttpRequest.DONE = 4;
-		
-		/** properties **/
-		init_XMLHttpRequest.prototype.status = 0;
-		init_XMLHttpRequest.prototype.statusText = "";
-		init_XMLHttpRequest.prototype.readyState = init_XMLHttpRequest.UNSENT;
-		init_XMLHttpRequest.prototype.responseText = "";
-		init_XMLHttpRequest.prototype.responseXML = null;
-		init_XMLHttpRequest.prototype.onsend = null;
-		
-		init_XMLHttpRequest.url = null;
-		init_XMLHttpRequest.onreadystatechange = null;
-
-		/** methods **/
-		init_XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
-			var self = this;
-			this.url = url;
-			
-			this.base.onreadystatechange = function() {
-				try { self.status = self.base.status; } catch (e) { }
-				try { self.statusText = self.base.statusText; } catch (e) { }
-				try { self.readyState = self.base.readyState; } catch (e) { }
-				try { self.responseText = self.base.responseText; } catch(e) { }
-				try { self.responseXML = self.base.responseXML; } catch(e) { }
-				
-				if(self.onreadystatechange != null) {
-					self.onreadystatechange.apply(this, arguments);
-				}
-			}
-			
-			this.base.open(method, url, async, user, pass);
-		};
-		
-		init_XMLHttpRequest.prototype.send = function(data) {
-			if(this.onsend != null) {
-				this.onsend.apply(this, arguments);
-			}
-			
-			this.base.send(data);
-		};
-		
-		init_XMLHttpRequest.prototype.abort = function() {
-			this.base.abort();
-		};
-		
-		init_XMLHttpRequest.prototype.getAllResponseHeaders = function() {
-			return this.base.getAllResponseHeaders();
-		};
-		
-		init_XMLHttpRequest.prototype.getResponseHeader = function(name) {
-			return this.base.getResponseHeader(name);
-		};
-		
-		init_XMLHttpRequest.prototype.setRequestHeader = function(name, value) {
-			return this.base.setRequestHeader(name, value);
-		};
-		
-		/** hook **/
-		window.XMLHttpRequest = init_XMLHttpRequest;
-	}
-
-	/** check if valid domain based on domainStrict **/
-	function isValidDomain(current, target) {
-		var result = false;
-		
-		/** check exact or subdomain match **/
-		if(current == target) {
-			result = true;
-		} else if(%DOMAIN_STRICT% == false) {
-			if(target.charAt(0) == '.') {
-				result = endsWith(current, target);
-			} else {
-				result = endsWith(current, '.' + target);
-			}
-		}
-		
-		return result;
-	}
-
-	/** determine if uri/url points to valid domain **/
-	function isValidUrl(src) {
-		var result = false;
-		
-		/** parse out domain to make sure it points to our own **/
-		if(src.substring(0, 7) == "http://" || src.substring(0, 8) == "https://") {
-			var token = "://";
-			var index = src.indexOf(token);
-			var part = src.substring(index + token.length);
-			var domain = "";
-			
-			/** parse up to end, first slash, or anchor **/
-			for(var i=0; i<part.length; i++) {
-				var character = part.charAt(i);
-				
-				if(character == '/' || character == ':' || character == '#') {
-					break;
-				} else {
-					domain += character;
-				}
-			}
-			
-			result = isValidDomain(document.domain, domain);
-			/** explicitly skip anchors **/
-		} else if(src.charAt(0) == '#') {
-			result = false;
-			/** ensure it is a local resource without a protocol **/
-		} else if(!startsWith(src, "//") && (src.charAt(0) == '/' || src.indexOf(':') == -1)) {
-			result = true;
-		}
-		
-		return result;
-	}
-
-	/** parse uri from url **/
-	function parseUri(url) {
-		var uri = "";
-		var token = "://";
-		var index = url.indexOf(token);
-		var part = "";
-		
-		/**
-		 * ensure to skip protocol and prepend context path for non-qualified
-		 * resources (ex: "protect.html" vs
-		 * "/Owasp.CsrfGuard.Test/protect.html").
-		 */
-		if(index > 0) {
-			part = url.substring(index + token.length);
-		} else if(url.charAt(0) != '/') {
-			part = "%CONTEXT_PATH%/" + url;
-		} else {
-			part = url;
-		}
-		
-		/** parse up to end or query string **/
-		var uriContext = (index == -1);
-		
-		for(var i=0; i<part.length; i++) {
-			var character = part.charAt(i);
-			
-			if(character == '/') {
-				uriContext = true;
-			} else if(uriContext == true && (character == '?' || character == '#')) {
-				uriContext = false;
-				break;
-			}
-			
-			if(uriContext == true) {
-				uri += character;
-			}
-		}
-		
-		return uri;
-	}
-
-	/** inject tokens as hidden fields into forms **/
-	function injectTokenForm(form, tokenName, tokenValue, pageTokens,injectGetForms) {
-	  
-		if (!injectGetForms) {
-			var method = form.getAttribute("method");
-	  
-			if ((typeof method != 'undefined') && method != null && method.toLowerCase() == "get") {
-				return;
-			}
-		}
-	  
-		var value = tokenValue;
-		var action = form.getAttribute("action");
-		
-		if(action != null && isValidUrl(action)) {
-			var uri = parseUri(action);
-			value = pageTokens[uri] != null ? pageTokens[uri] : tokenValue;
-		}
-		
-		var hidden = document.createElement("input");
-		
-		hidden.setAttribute("type", "hidden");
-		hidden.setAttribute("name", tokenName);
-		hidden.setAttribute("value", value);
-		
-		form.appendChild(hidden);
-	}
-
-	/** inject tokens as query string parameters into url **/
-	function injectTokenAttribute(element, attr, tokenName, tokenValue, pageTokens) {
-		var location = element.getAttribute(attr);
-		
-		if(location != null && isValidUrl(location)) {
-			var uri = parseUri(location);
-			var value = (pageTokens[uri] != null ? pageTokens[uri] : tokenValue);
-			
-			if(location.indexOf('?') != -1) {
-				location = location + '&' + tokenName + '=' + value;
-			} else {
-				location = location + '?' + tokenName + '=' + value;
-			}
-
-			try {
-				element.setAttribute(attr, location);
-			} catch (e) {
-				// attempted to set/update unsupported attribute
-			}
-		}
-	}
-
-	/** inject csrf prevention tokens throughout dom **/
-	function injectTokens(tokenName, tokenValue) {
-		/** obtain reference to page tokens if enabled **/
-		var pageTokens = {};
-		
-		if(%TOKENS_PER_PAGE% == true) {
-			pageTokens = requestPageTokens();
-		}
-		
-		/** iterate over all elements and injection token **/
-		var all = document.all ? document.all : document.getElementsByTagName('*');
-		var len = all.length;
-
-		//these are read from the csrf guard config file(s)
-		var injectForms = %INJECT_FORMS%;
-		var injectGetForms = %INJECT_GET_FORMS%;
-		var injectFormAttributes = %INJECT_FORM_ATTRIBUTES%;
-		var injectAttributes = %INJECT_ATTRIBUTES%;
-		
-		for(var i=0; i<len; i++) {
-			var element = all[i];
-			
-			/** inject into form **/
-			if(element.tagName.toLowerCase() == "form") {
-				if(injectForms) {
-					injectTokenForm(element, tokenName, tokenValue, pageTokens,injectGetForms);
-
-					/** adjust array length after addition of new element **/
-					len = all.length;
-				}
-				if (injectFormAttributes) {
-					injectTokenAttribute(element, "action", tokenName, tokenValue, pageTokens);
-				}
-				/** inject into attribute **/
-			} else if(injectAttributes) {
-				injectTokenAttribute(element, "src", tokenName, tokenValue, pageTokens);
-				injectTokenAttribute(element, "href", tokenName, tokenValue, pageTokens);
-			}
-		}
-	}
-
-	/** obtain array of page specific tokens **/
-	function requestPageTokens() {
-		var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new window.ActiveXObject("Microsoft.XMLHTTP");
-		var pageTokens = {};
-		
-		xhr.open("POST", "%SERVLET_PATH%", false);
-		xhr.send(null);
-		
-		var text = xhr.responseText;
-		var name = "";
-		var value = "";
-		var nameContext = true;
-		
-		for(var i=0; i<text.length; i++) {
-			var character = text.charAt(i);
-			
-			if(character == ':') {
-				nameContext = false;
-			} else if(character != ',') {
-				if(nameContext == true) {
-					name += character;
-				} else {
-					value += character;
-				}
-			}
-			
-			if(character == ',' || (i + 1) >= text.length) {
-				pageTokens[name] = value;
-				name = "";
-				value = "";
-				nameContext = true;
-			}
-		}
-		
-		return pageTokens;
-	}
-	
-	/**
-	 * Only inject the tokens if the JavaScript was referenced from HTML that
-	 * was served by us. Otherwise, the code was referenced from malicious HTML
-	 * which may be trying to steal tokens using JavaScript hijacking techniques.
-	 * The token is now removed and fetched using another POST request to solve,
-	 * the token hijacking problem.
-	 */
-	if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
-		/** optionally include Ajax support **/
-		if(%INJECT_XHR% == true) {
-			if(navigator.appName == "Microsoft Internet Explorer") {
-				hijackExplorer();
-			} else {
-				hijackStandard();
-			}
-		
-		var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new window.ActiveXObject("Microsoft.XMLHTTP");
-		var csrfToken = {};
-		xhr.open("POST", "%SERVLET_PATH%", false);
-		xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1");
-		xhr.send(null);
-		
-		var token_pair = xhr.responseText;
-		token_pair = token_pair.split(":");
-		var token_name = token_pair[0];
-		var token_value = token_pair[1];
-
-			XMLHttpRequest.prototype.onsend = function(data) {
-				if(isValidUrl(this.url)) {
-					this.setRequestHeader("X-Requested-With", "XMLHttpRequest")
-					this.setRequestHeader(token_name, token_value);
-				}
-			};
-		}
-		
-		/** update nodes in DOM after load **/
-		addEvent(window,'unload',EventCache.flush);
-		addEvent(window,'DOMContentLoaded', function() {
-			injectTokens(token_name, token_value);
-		});
-	} else {
-		alert("OWASP CSRFGuard JavaScript was included from within an unauthorized domain!");
-	}
-})();
diff --git a/csrfguard-test/src/main/webapp/session.jsp b/csrfguard-test/src/main/webapp/session.jsp
deleted file mode 100644
index 249d849..0000000
--- a/csrfguard-test/src/main/webapp/session.jsp
+++ /dev/null
@@ -1,20 +0,0 @@
-<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
-    pageEncoding="ISO-8859-1"%>
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Session Utilities</title>
-</head>
-<body>
-<%
-String action = request.getParameter("action");
-
-if("invalidate".equals(action)) {
-	session.invalidate();
-	request.getSession(true);
-	%><strong>Session Invalidated!</strong><%
-}
-%>
-</body>
-</html>
\ No newline at end of file
diff --git a/csrfguard-test/src/main/webapp/upload.html b/csrfguard-test/src/main/webapp/upload.html
deleted file mode 100644
index 7d7fe21..0000000
--- a/csrfguard-test/src/main/webapp/upload.html
+++ /dev/null
@@ -1,15 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<title>File Upload Example</title>
-</head>
-<body>
-<form enctype="multipart/form-data" action="protect.html" method="POST">
-<input name="uploadedfile" type="file" /><br />
-<input type="submit" value="Upload File" />
-</form>
-<!-- OWASP CSRFGuard JavaScript Support -->
-<script src="/JavaScriptServlet"></script>
-</body>
-</html>
\ No newline at end of file
diff --git a/csrfguard/.gitignore b/csrfguard/.gitignore
new file mode 100644
index 0000000..06ba672
--- /dev/null
+++ b/csrfguard/.gitignore
@@ -0,0 +1,2 @@
+/bin
+/target/
diff --git a/csrfguard/misc/eclipse/README.txt b/csrfguard/misc/eclipse/README.txt
deleted file mode 100644
index dcd0a99..0000000
--- a/csrfguard/misc/eclipse/README.txt
+++ /dev/null
@@ -1 +0,0 @@
-These files put in the csrfguard dir work for eclipse kepler and m2e maven plugin
\ No newline at end of file
diff --git a/csrfguard/pom.xml b/csrfguard/pom.xml
index 679b326..ea26b3f 100644
--- a/csrfguard/pom.xml
+++ b/csrfguard/pom.xml
@@ -1,133 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ The OWASP CSRFGuard Project, BSD License
+  ~ Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+  ~ All rights reserved.
+  ~
+  ~ Redistribution and use in source and binary forms, with or without
+  ~ modification, are permitted provided that the following conditions are met:
+  ~
+  ~     1. Redistributions of source code must retain the above copyright notice,
+  ~        this list of conditions and the following disclaimer.
+  ~     2. Redistributions in binary form must reproduce the above copyright
+  ~        notice, this list of conditions and the following disclaimer in the
+  ~        documentation and/or other materials provided with the distribution.
+  ~     3. Neither the name of OWASP nor the names of its contributors may be used
+  ~        to endorse or promote products derived from this software without specific
+  ~        prior written permission.
+  ~
+  ~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+  ~ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+  ~ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+  ~ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+  ~ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+  ~ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+  ~ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+  ~ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+  ~ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+  ~ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  -->
+
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
-	<groupId>org.owasp</groupId>
+
+	<parent>
+		<groupId>org.owasp</groupId>
+		<artifactId>csrfguard-parent</artifactId>
+		<version>4.0.2-SNAPSHOT</version>
+	</parent>
+
 	<artifactId>csrfguard</artifactId>
-	<version>3.1.0-SNAPSHOT</version>
-	<packaging>jar</packaging>
 	<name>OWASP CSRFGuard</name>
 	<description>OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.</description>
-	<url>https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project</url>
-	<organization>
-		<name>OWASP</name>
-		<url>http://www.owasp.org</url>
-	</organization>
-	<licenses>
-		<license>
-			<name>BSD License</name>
-			<url>http://www.opensource.org/licenses/bsd-license.php</url>
-		</license>
-	</licenses>
-	<scm>
-		<url>https://github.com/esheri3/OWASP-CSRFGuard</url>
-		<connection>https://github.com/esheri3/OWASP-CSRFGuard.git</connection>
-	</scm>
-	<developers>
-		<developer>
-			<id>esheri3</id>
-			<name>Eric Sheridan</name>
-			<email>eric@infraredsecurity.com</email>
-		</developer>
-	</developers>
-	<properties>
-		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-	</properties>
+
 	<dependencies>
 		<dependency>
 			<groupId>javax.servlet</groupId>
 			<artifactId>servlet-api</artifactId>
-			<version>2.5</version>
-			<scope>provided</scope>
 		</dependency>
 		<dependency>
-			<groupId>javax.servlet.jsp</groupId>
-			<artifactId>jsp-api</artifactId>
-			<version>2.1</version>
-			<scope>provided</scope>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-lang3</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>commons-io</groupId>
+			<artifactId>commons-io</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.google.code.gson</groupId>
+			<artifactId>gson</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.junit.jupiter</groupId>
+			<artifactId>junit-jupiter-api</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.junit.jupiter</groupId>
+			<artifactId>junit-jupiter-engine</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.mockito</groupId>
+			<artifactId>mockito-junit-jupiter</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.mockito</groupId>
+			<artifactId>mockito-inline</artifactId>
 		</dependency>
 	</dependencies>
+
 	<build>
 		<plugins>
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-compiler-plugin</artifactId>
-				<version>2.5.1</version>
-				<configuration>
-					<fork>true</fork>
-					<optimize>true</optimize>
-					<showDeprecation>true</showDeprecation>
-					<source>1.6</source>
-					<target>1.6</target>
-					<verbose>true</verbose>
-				</configuration>
-			</plugin>
-			<plugin>
-				<groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-jar-plugin</artifactId>
-				<version>2.2</version>
-				<configuration>
-					<archive>
-						<manifest>
-							<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
-							<addDefaultSpecificationEntries>false</addDefaultSpecificationEntries>
-						</manifest>
-						<manifestEntries>
-							<Project-Lead>Eric Sheridan (eric@infraredsecurity.com)</Project-Lead>
-							<Url>${project.url}</Url>
-						</manifestEntries>
-					</archive>
-				</configuration>
+				<artifactId>maven-source-plugin</artifactId>
 			</plugin>
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-javadoc-plugin</artifactId>
-				<version>2.9</version>
-				<configuration>
-				</configuration>
-				<executions>
-					<execution>
-						<id>javadoc-jar</id>
-						<phase>package</phase>
-						<goals>
-							<goal>jar</goal>
-						</goals>
-					</execution>
-				</executions>
-			</plugin>
-			<plugin>
-				<groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-source-plugin</artifactId>
-				<version>2.2.1</version>
-				<configuration>
-					<encoding>UTF-8</encoding>
-					<charset>UTF-8</charset>
-					<archive>
-						<manifest>
-							<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
-							<addDefaultSpecificationEntries>false</addDefaultSpecificationEntries>
-						</manifest>
-						<manifestEntries>
-							<Project-Lead>Eric Sheridan (eric@infraredsecurity.com)</Project-Lead>
-							<Url>${project.url}</Url>
-						</manifestEntries>
-					</archive>
-				</configuration>
-				<executions>
-					<execution>
-						<id>attach-sources</id>
-						<phase>package</phase>
-						<goals>
-							<goal>jar-no-fork</goal>
-						</goals>
-					</execution>
-				</executions>
 			</plugin>
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-surefire-plugin</artifactId>
-				<version>2.12.4</version>
-				<configuration>
-					<skip>true</skip>
-				</configuration>
 			</plugin>
 		</plugins>
 		<resources>
@@ -135,10 +98,10 @@
 				<directory>src/main/resources</directory>
 				<filtering>true</filtering>
 				<includes>
-          <include>csrfguard.js</include>
+					<include>csrfguard.js</include>
 					<include>csrfguard.tld</include>
 					<include>license.txt</include>
-          <include>csrfguard.properties</include>
+					<include>csrfguard.properties</include>
 				</includes>
 				<targetPath>META-INF</targetPath>
 			</resource>
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuard.java b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuard.java
index d8736a4..5cd8e94 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuard.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuard.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *     this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of OWASP nor the names of its contributors may be used
+ *     to endorse or promote products derived from this software without specific
+ *     prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,24 +26,8 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-package org.owasp.csrfguard;
-
-import java.io.IOException;
-import java.io.OutputStream;
-import java.io.PrintWriter;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.SecureRandom;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-import java.util.regex.Pattern;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
+package org.owasp.csrfguard;
 
 import org.owasp.csrfguard.action.IAction;
 import org.owasp.csrfguard.config.ConfigurationProvider;
@@ -51,765 +35,387 @@
 import org.owasp.csrfguard.config.NullConfigurationProvider;
 import org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory;
 import org.owasp.csrfguard.config.overlay.ExpirableCache;
+import org.owasp.csrfguard.config.properties.ConfigParameters;
 import org.owasp.csrfguard.log.ILogger;
-import org.owasp.csrfguard.log.LogLevel;
-import org.owasp.csrfguard.servlet.JavaScriptServlet;
-import org.owasp.csrfguard.util.*;
-
-public final class CsrfGuard {
-
-	public final static String PAGE_TOKENS_KEY = "Owasp_CsrfGuard_Pages_Tokens_Key";
-
-	private Properties properties = null;
-
-	/**
-	 * cache the configuration for a minute
-	 */
-	private static ExpirableCache<Boolean, ConfigurationProvider> configurationProviderExpirableCache = new ExpirableCache<Boolean, ConfigurationProvider>(1);
-	
-	private ConfigurationProvider config() {
-		if (this.properties == null) {
-			return new NullConfigurationProvider();
-		}
-		
-		ConfigurationProvider configurationProvider = configurationProviderExpirableCache.get(Boolean.TRUE);
-		
-		if (configurationProvider == null) {
-
-			synchronized (CsrfGuard.class) {
-				
-				if (configurationProvider == null) {
-					
-					configurationProvider = retrieveNewConfig();
-				}
-				
-			}
-		} else if ( !configurationProvider.isCacheable()) {
-			//dont synchronize if not cacheable
-			configurationProvider = retrieveNewConfig();
-		}
-		
-		
-		return configurationProvider;
-	}
-
-	void generatePageTokensForSession(final HttpSession session) {
-		final Map<String, String> pageTokens = SessionUtils.extractPageTokensFromSession(session);
-		final Set<String> protectedPages = getProtectedPages();
-
-		for (String protectedResource : protectedPages) {
-			pageTokens.put(protectedResource, TokenUtils.getRandomToken());
-		}
-
-		SessionUtils.updatePageTokensOnSession(session, pageTokens);
-	}
-	
-	/**
-	 * @return new provider
-	 */
-	private ConfigurationProvider retrieveNewConfig() {
-		ConfigurationProvider configurationProvider = null;
-		//lets see what provider we are using
-		String configurationProviderFactoryClassName = this.properties.getProperty(
-				"org.owasp.csrfguard.configuration.provider.factory", PropertiesConfigurationProviderFactory.class.getName());
-
-		Class<ConfigurationProviderFactory> configurationProviderFactoryClass = CsrfGuardUtils.forName(configurationProviderFactoryClassName);
-		
-		ConfigurationProviderFactory configurationProviderFactory = CsrfGuardUtils.newInstance(configurationProviderFactoryClass);
-							
-		configurationProvider = configurationProviderFactory.retrieveConfiguration(this.properties);
-		configurationProviderExpirableCache.put(Boolean.TRUE, configurationProvider);
-		return configurationProvider;
-	}
-	
-	private static class SingletonHolder {
-	  public static final CsrfGuard instance = new CsrfGuard();
-	}
-
-	public static CsrfGuard getInstance() {
-		return SingletonHolder.instance;
-	}
-
-	public static void load(Properties theProperties) throws NoSuchAlgorithmException, InstantiationException, IllegalAccessException, ClassNotFoundException, IOException, NoSuchProviderException {
-
-		getInstance().properties = theProperties;
-		configurationProviderExpirableCache.clear();
-	}
-	
-	public CsrfGuard() {
-	}
-
-	public ILogger getLogger() {
-		return config().getLogger();
-	}
-
-	public String getTokenName() {
-		return config().getTokenName();
-	}
-
-	public int getTokenLength() {
-		return config().getTokenLength();
-	}
-
-	public boolean isRotateEnabled() {
-		return config().isRotateEnabled();
-	}
-
-	public boolean isTokenPerPageEnabled() {
-		return config().isTokenPerPageEnabled();
-	}
-	public boolean isTokenPerPagePrecreate() {
-		return config().isTokenPerPagePrecreateEnabled();
-	}
-
-	/**
-	 * If csrf guard filter should check even if there is no session for the user
-	 * Note: this changed in 2014/04/20, the default behavior used to be to 
-	 * not check if there is no session.  If you want the legacy behavior (if your app
-	 * is not susceptible to CSRF if the user has no session), set this to false
-	 * @return if true
-	 */
-	public boolean isValidateWhenNoSessionExists() {
-		return config().isValidateWhenNoSessionExists();
-	}
-	
-	public SecureRandom getPrng() {
-		return config().getPrng();
-	}
-
-	public String getNewTokenLandingPage() {
-		return config().getNewTokenLandingPage();
-	}
-
-	public boolean isUseNewTokenLandingPage() {
-		return config().isUseNewTokenLandingPage();
-	}
-
-	public boolean isAjaxEnabled() {
-		return config().isAjaxEnabled();
-	}
-
-	public boolean isProtectEnabled() {
-		return config().isProtectEnabled();
-	}
-
-	/**
-	 * @see ConfigurationProvider#isEnabled()
-	 * @return if enabled
-	 */
-	public boolean isEnabled() {
-		return config().isEnabled();
-	}
-	
-	public String getSessionKey() {
-		return config().getSessionKey();
-	}
-
-	public Set<String> getProtectedPages() {
-		return config().getProtectedPages();
-	}
-
-	public Set<String> getUnprotectedPages() {
-		return config().getUnprotectedPages();
-	}
-
-	/**
-	 * cache regex patterns here
-	 */
-	private Map<String, Pattern> regexPatternCache = new HashMap<String, Pattern>();
-	
-	public Set<String> getProtectedMethods () {
-		return config().getProtectedMethods();
-	}
-
-	public List<IAction> getActions() {
-		return config().getActions();
-	}
-
-	public String getJavascriptSourceFile() {
-		return config().getJavascriptSourceFile();
-	}
-
-	/**
-	 * @see ConfigurationProvider#isJavascriptInjectFormAttributes()
-	 * @return if inject
-	 */
-	public boolean isJavascriptInjectFormAttributes() {
-		return config().isJavascriptInjectFormAttributes();
-	}
-
-	/**
-	 * @see ConfigurationProvider#isJavascriptInjectGetForms()
-	 * @return if inject
-	 */
-	public boolean isJavascriptInjectGetForms() {
-		return config().isJavascriptInjectGetForms();
-	}
-	
-	public boolean isJavascriptDomainStrict() {
-		return config().isJavascriptDomainStrict();
-	}
-
-	public boolean isJavascriptRefererMatchProtocol() {
-		return config().isJavascriptRefererMatchProtocol();
-	}
-
-	public boolean isJavascriptRefererMatchDomain() {
-		return config().isJavascriptRefererMatchDomain();
-	}
-
-	public String getJavascriptCacheControl() {
-		return config().getJavascriptCacheControl();
-	}
-
-	public Pattern getJavascriptRefererPattern() {
-		return config().getJavascriptRefererPattern();
-	}
-
-	public boolean isJavascriptInjectIntoForms() {
-		return config().isJavascriptInjectIntoForms();
-	}
-
-	public boolean isJavascriptInjectIntoAttributes() {
-		return config().isJavascriptInjectIntoAttributes();
-	}
-
-	public String getJavascriptXrequestedWith() {
-		return config().getJavascriptXrequestedWith();
-	}
-
-	public String getJavascriptTemplateCode() {
-		return config().getJavascriptTemplateCode();
-	}
-	
-	public String getJavascriptUnprotectedExtensions() {
-		return config().getJavascriptUnprotectedExtensions();
-	}
-	
-	public String getTokenValue(HttpServletRequest request) {
-		return getTokenValue(request, request.getRequestURI());
-	}
-
-	public String getTokenValue(HttpServletRequest request, String uri) {
-		String tokenValue = null;
-		HttpSession session = request.getSession(false);
-
-		if (session != null) {
-			if (isTokenPerPageEnabled()) {
-
-				Map<String, String> pageTokens = SessionUtils.extractPageTokensFromSession(session);
-
-				if (pageTokens != null) {
-					if (isTokenPerPagePrecreate()) {
-						createPageToken(pageTokens,uri);
-					}
-					tokenValue = pageTokens.get(uri);
-					
-				}
-			}
-
-			if (tokenValue == null) {
-				tokenValue = (String) session.getAttribute(getSessionKey());
-			}
-		}
-
-		return tokenValue;
-	}
-
-	public boolean isValidRequest(HttpServletRequest request, HttpServletResponse response) {
-		boolean valid = !isProtectedPageAndMethod(request);
-		HttpSession session = request.getSession(true);
-		String tokenFromSession = (String) session.getAttribute(getSessionKey());
-
-		if (!valid){
-		    /** print log message - page and method are protected **/
-		    getLogger().log(String.format("CsrfGuard analyzing request %s", request.getRequestURI()));
-		}
-		
-		/** sending request to protected resource - verify token **/
-		if (tokenFromSession != null && !valid) {
-			try {
-				if (isAjaxEnabled() && isAjaxRequest(request)) {
-					verifyAjaxToken(request);
-				} else if (isTokenPerPageEnabled()) {
-					verifyPageToken(request);
-				} else {
-					verifySessionToken(request);
-				}
-				valid = true;
-			} catch (CsrfGuardException csrfe) {
-				callActionsOnError(request, response, csrfe);
-			}
-
-			/** rotate session and page tokens **/
-			if (!isAjaxRequest(request) && isRotateEnabled()) {
-				rotateTokens(request);
-			}
-			/** expected token in session - bad state and not valid **/
-		} else if (tokenFromSession == null && !valid) {
-			try {
-				throw new CsrfGuardException("CsrfGuard expects the token to exist in session at this point");
-			} catch (CsrfGuardException csrfe) {
-				callActionsOnError(request, response, csrfe);
-				
-			}
-		} else {
-			/** unprotected page - nothing to do **/
-		}
-
-		return valid;
-	}
-
-	/**
-	 * Invoked when there was a CsrfGuardException such as a token mismatch error.
-	 * Calls the configured actions.
-	 * @param request The HttpServletRequest
-	 * @param response The HttpServletResponse
-	 * @param csrfe The exception that triggered the actions call. Passed to the action.
-	 * @see IAction#execute(HttpServletRequest, HttpServletResponse, CsrfGuardException)
-	 */
-	private void callActionsOnError(HttpServletRequest request,
-			HttpServletResponse response, CsrfGuardException csrfe) {
-		for (IAction action : getActions()) {
-			try {
-				action.execute(request, response, csrfe, this);
-			} catch (CsrfGuardException exception) {
-				getLogger().log(LogLevel.Error, exception);
-			}
-		}
-	}
-
-	public void updateToken(HttpSession session) {
-		String tokenValue = (String) session.getAttribute(getSessionKey());
-
-		/** Generate a new token and store it in the session. **/
-		if (tokenValue == null) {
-			try {
-				tokenValue = RandomGenerator.generateRandomId(getPrng(), getTokenLength());
-			} catch (Exception e) {
-				throw new RuntimeException(String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
-			}
-
-			session.setAttribute(getSessionKey(), tokenValue);
-		}
-	}
-
-	public void updateTokens(HttpServletRequest request) {
-		/** cannot create sessions if response already committed **/
-		HttpSession session = request.getSession(false);
-
-		if (session != null) {
-			/** create master token if it does not exist **/
-			updateToken(session);
-			
-			/** create page specific token **/
-			if (isTokenPerPageEnabled()) {
-
-				Map<String, String> pageTokens = SessionUtils.extractPageTokensFromSession(session);
-
-				/** first time initialization **/
-				if (pageTokens == null) {
-					pageTokens = new HashMap<String, String>();
-					session.setAttribute(CsrfGuard.PAGE_TOKENS_KEY, pageTokens);
-				}
-
-				/** create token if it does not exist **/
-				if (isProtectedPageAndMethod(request)) {
-					createPageToken(pageTokens, request.getRequestURI());
-				}
-			}
-		}
-	}
-
-	/**
-	 * Create page token if it doesn't exist.
-	 * @param pageTokens A map of tokens. If token doesn't exist it will be added.
-	 * @param uri The key for the tokens.
-	 */
-	private void createPageToken(Map<String, String> pageTokens, String uri) {
-		
-		if(pageTokens == null)
-			return;
-		
-		/** create token if it does not exist **/
-		if (pageTokens.containsKey(uri))
-			return;
-		try {
-			pageTokens.put(uri, RandomGenerator.generateRandomId(getPrng(), getTokenLength()));
-		} catch (Exception e) {
-			throw new RuntimeException(String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
-		}
-	}
-
-	public void writeLandingPage(HttpServletRequest request, HttpServletResponse response) throws IOException {
-		String landingPage = getNewTokenLandingPage();
-
-		/** default to current page **/
-		if (landingPage == null) {
-			StringBuilder sb = new StringBuilder();
-			
-			sb.append(request.getContextPath());
-			sb.append(request.getServletPath());
-			
-			landingPage = sb.toString();
-		}
-
-		/** create auto posting form **/
-		StringBuilder sb = new StringBuilder();
-
-		sb.append("<html>\r\n");
-		sb.append("<head>\r\n");
-		sb.append("<title>OWASP CSRFGuard Project - New Token Landing Page</title>\r\n");
-		sb.append("</head>\r\n");
-		sb.append("<body>\r\n");
-		sb.append("<script type=\"text/javascript\">\r\n");
-		sb.append("var form = document.createElement(\"form\");\r\n");
-		sb.append("form.setAttribute(\"method\", \"post\");\r\n");
-		sb.append("form.setAttribute(\"action\", \"");
-		sb.append(landingPage);
-		sb.append("\");\r\n");
-
-		/** only include token if needed **/
-		if (isProtectedPage(landingPage)) {
-			sb.append("var hiddenField = document.createElement(\"input\");\r\n");
-			sb.append("hiddenField.setAttribute(\"type\", \"hidden\");\r\n");
-			sb.append("hiddenField.setAttribute(\"name\", \"");
-			sb.append(getTokenName());
-			sb.append("\");\r\n");
-			sb.append("hiddenField.setAttribute(\"value\", \"");
-			sb.append(getTokenValue(request, landingPage));
-			sb.append("\");\r\n");
-			sb.append("form.appendChild(hiddenField);\r\n");
-		}
-
-		sb.append("document.body.appendChild(form);\r\n");
-		sb.append("form.submit();\r\n");
-		sb.append("</script>\r\n");
-		sb.append("</body>\r\n");
-		sb.append("</html>\r\n");
-
-		String code = sb.toString();
-
-		/** setup headers **/
-		response.setContentType("text/html");
-		response.setContentLength(code.length());
-
-		/** write auto posting form **/
-		response.getWriter().write(code);
-	}
-
-	@Override
-	public String toString() {
-		StringBuilder sb = new StringBuilder();
-
-		sb.append("\r\n*****************************************************\r\n");
-		sb.append("* Owasp.CsrfGuard Properties\r\n");
-		sb.append("*\r\n");
-		sb.append(String.format("* Logger: %s\r\n", getLogger().getClass().getName()));
-		sb.append(String.format("* NewTokenLandingPage: %s\r\n", getNewTokenLandingPage()));
-		sb.append(String.format("* PRNG: %s\r\n", getPrng().getAlgorithm()));
-		sb.append(String.format("* SessionKey: %s\r\n", getSessionKey()));
-		sb.append(String.format("* TokenLength: %s\r\n", getTokenLength()));
-		sb.append(String.format("* TokenName: %s\r\n", getTokenName()));
-		sb.append(String.format("* Ajax: %s\r\n", isAjaxEnabled()));
-		sb.append(String.format("* Rotate: %s\r\n", isRotateEnabled()));
-		sb.append(String.format("* Javascript cache control: %s\r\n", getJavascriptCacheControl()));
-		sb.append(String.format("* Javascript domain strict: %s\r\n", isJavascriptDomainStrict()));
-		sb.append(String.format("* Javascript inject attributes: %s\r\n", isJavascriptInjectIntoAttributes()));
-		sb.append(String.format("* Javascript inject forms: %s\r\n", isJavascriptInjectIntoForms()));
-		sb.append(String.format("* Javascript referer pattern: %s\r\n", getJavascriptRefererPattern()));
-		sb.append(String.format("* Javascript referer match protocol: %s\r\n", isJavascriptRefererMatchProtocol()));
-		sb.append(String.format("* Javascript referer match domain: %s\r\n", isJavascriptRefererMatchDomain()));
-		sb.append(String.format("* Javascript unprotected extensions: %s\r\n", getJavascriptUnprotectedExtensions()));
-		sb.append(String.format("* Javascript source file: %s\r\n", getJavascriptSourceFile()));
-		sb.append(String.format("* Javascript X requested with: %s\r\n", getJavascriptXrequestedWith()));
-		sb.append(String.format("* Protected methods: %s\r\n", CsrfGuardUtils.toStringForLog(getProtectedMethods())));
-		sb.append(String.format("* Protected pages size: %s\r\n", CsrfGuardUtils.length(getProtectedPages())));
-		sb.append(String.format("* Unprotected methods: %s\r\n", CsrfGuardUtils.toStringForLog(getUnprotectedMethods())));
-		sb.append(String.format("* Unprotected pages size: %s\r\n", CsrfGuardUtils.length(getUnprotectedPages())));
-		sb.append(String.format("* TokenPerPage: %s\r\n", isTokenPerPageEnabled()));
-		sb.append(String.format("* Enabled: %s\r\n", isEnabled()));
-		sb.append(String.format("* ValidateWhenNoSessionExists: %s\r\n", isValidateWhenNoSessionExists()));
-		
-		for (IAction action : getActions()) {
-			sb.append(String.format("* Action: %s\r\n", action.getClass().getName()));
-
-			for (String name : action.getParameterMap().keySet()) {
-				String value = action.getParameter(name);
-
-				sb.append(String.format("*\tParameter: %s = %s\r\n", name, value));
-			}
-		}
-		sb.append("*****************************************************\r\n");
-
-		return sb.toString();
-	}
-
-	private boolean isAjaxRequest(final HttpServletRequest request) {
-		final String header = request.getHeader("X-Requested-With");
-		if (header == null) {
-			return false;
-		}
-		final String[] headers = header.split(",");
-		for (final String requestedWithHeader: headers) {
-			if ("XMLHttpRequest".equals(requestedWithHeader.trim())) {
-				return true;
-			}
-		}
-		return false;
-	}
-
-	private void verifyAjaxToken(HttpServletRequest request) throws CsrfGuardException {
-		HttpSession session = request.getSession(true);
-		String tokenFromSession = (String) session.getAttribute(getSessionKey());
-		String tokenFromRequest = request.getHeader(getTokenName());
-
-		if (tokenFromRequest == null) {
-			/** FAIL: token is missing from the request **/
-			throw new CsrfGuardException("required token is missing from the request");
-		} else {
-			//if there are two headers, then the result is comma separated
-			if (!tokenFromSession.equals(tokenFromRequest)) {
-				if (tokenFromRequest.contains(",")) {
-					tokenFromRequest = tokenFromRequest.substring(0, tokenFromRequest.indexOf(',')).trim();
-				}
-				if (!tokenFromSession.equals(tokenFromRequest)) {
-					/** FAIL: the request token does not match the session token **/
-					throw new CsrfGuardException("request token does not match session token");
-				}
-			}
-		}
-	}
-
-	private void verifyPageToken(HttpServletRequest request) throws CsrfGuardException {
-
-		HttpSession session = request.getSession(true);
-		Map<String, String> pageTokens = SessionUtils.extractPageTokensFromSession(session);
-
-		String tokenFromPages = (pageTokens != null ? pageTokens.get(request.getRequestURI()) : null);
-		String tokenFromSession = (String) session.getAttribute(getSessionKey());
-		String tokenFromRequest = request.getParameter(getTokenName());
-
-		if (tokenFromRequest == null) {
-			/** FAIL: token is missing from the request **/
-			throw new CsrfGuardException("required token is missing from the request");
-		} else if (tokenFromPages != null) {
-			if (!tokenFromPages.equals(tokenFromRequest)) {
-				/** FAIL: request does not match page token **/
-				SessionUtils.invalidateTokenForResource(session, tokenFromPages, tokenFromRequest);
-				throw new CsrfGuardException("request token does not match page token");
-			}
-		} else if (!tokenFromSession.equals(tokenFromRequest)) {
-			/** FAIL: the request token does not match the session token **/
-			SessionUtils.invalidateSessionToken(session);
-			throw new CsrfGuardException("request token does not match session token");
-		}
-	}
-
-	private void verifySessionToken(HttpServletRequest request) throws CsrfGuardException {
-		HttpSession session = request.getSession(true);
-		String tokenFromSession = (String) session.getAttribute(getSessionKey());
-		String tokenFromRequest = request.getParameter(getTokenName());
-
-		if (tokenFromRequest == null) {
-			/** FAIL: token is missing from the request **/
-			throw new CsrfGuardException("required token is missing from the request");
-		} else if (!tokenFromSession.equals(tokenFromRequest)) {
-			/** FAIL: the request token does not match the session token **/
-			SessionUtils.invalidateSessionToken(session);
-			throw new CsrfGuardException("request token does not match session token");
-		}
-	}
-
-	private void rotateTokens(HttpServletRequest request) {
-		HttpSession session = request.getSession(true);
-
-		/** rotate master token **/
-		String tokenFromSession = null;
-
-		try {
-			tokenFromSession = RandomGenerator.generateRandomId(getPrng(), getTokenLength());
-		} catch (Exception e) {
-			throw new RuntimeException(String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
-		}
-
-		session.setAttribute(getSessionKey(), tokenFromSession);
-
-		/** rotate page token **/
-		if (isTokenPerPageEnabled()) {
-
-			Map<String, String> pageTokens = SessionUtils.extractPageTokensFromSession(session);
-
-			try {
-				pageTokens.put(request.getRequestURI(), RandomGenerator.generateRandomId(getPrng(), getTokenLength()));
-			} catch (Exception e) {
-				throw new RuntimeException(String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
-			}
-		}
-	}
-
-	public boolean isProtectedPage(String uri) {
-
-		//if this is a javascript page, let it go through
-		if (JavaScriptServlet.getJavascriptUris().contains(uri)) {
-			return false;
-		}
-		
-		boolean retval = !isProtectEnabled();
-
-		for (String protectedPage : getProtectedPages()) {
-			if (isUriExactMatch(protectedPage, uri)) {
-				return true;
-			} else if (isUriMatch(protectedPage, uri)) {
-				retval = true;
-			}
-		}
-
-		for (String unprotectedPage : getUnprotectedPages()) {
-			if (isUriExactMatch(unprotectedPage, uri)) {
-				return false;
-			} else if (isUriMatch(unprotectedPage, uri)) {
-				retval = false;
-			}
-		}
-
-		return retval;
-	}
-
-	/**
-	 * Whether or not the HTTP method is protected, i.e. should be checked for token.
-	 * @param method The method to check for protection status
-	 * @return true when the given method name is in the protected methods set and not in the unprotected methods set
-	 */
-	public boolean isProtectedMethod(String method) {
-		boolean isProtected = true;
-
-		{
-			Set<String> theProtectedMethods = getProtectedMethods();
-			if (!theProtectedMethods.isEmpty() && !theProtectedMethods.contains(method)) {
-					isProtected = false;
-			}
-		}
-		
-		{
-			Set<String> theUnprotectedMethods = getUnprotectedMethods();
-			if (!theUnprotectedMethods.isEmpty() && theUnprotectedMethods.contains(method)) {
-					isProtected = false;
-			}
-		}
-		
-		return isProtected;
-	}
-	
-	public boolean isProtectedPageAndMethod(String page, String method) {
-		return (isProtectedPage(page) && isProtectedMethod(method));
-	}
-	
-	public boolean isProtectedPageAndMethod(HttpServletRequest request) {
-		return isProtectedPageAndMethod(request.getRequestURI(), request.getMethod());
-	}
-	
-	public boolean isPrintConfig() {
-		return config().isPrintConfig();
-	}
-	
-	public String getDomainOrigin() {
-		return config().getDomainOrigin();
-	}
-	
-	/**
-	 * FIXME: taken from Tomcat - ApplicationFilterFactory
-	 * 
-	 * @param testPath the pattern to match.
-	 * @param requestPath the current request path.
-	 * @return {@code true} if {@code requestPath} matches {@code testPath}.
-	 */
-	private boolean isUriMatch(String testPath, String requestPath) {
-
-		//case 4, if it is a regex
-		if (isTestPathRegex(testPath)) {
-			
-			Pattern pattern = this.regexPatternCache.get(testPath);
-			if (pattern == null) {
-				pattern = Pattern.compile(testPath);
-				this.regexPatternCache.put(testPath, pattern);
-			}
-			
-			return pattern.matcher(requestPath).matches();
-		}
-		
-		boolean retval = false;
-
-		/** Case 1: Exact Match
-		 *  MCH 140419: ??? isnt this checks in isUriExactMatch() ???  **/
-		if (testPath.equals(requestPath)) {
-			retval = true;
-		}
-
-		/** Case 2 - Path Match ("/.../*") **/
-		if (testPath.equals("/*")) {
-			retval = true;
-		}
-		if (testPath.endsWith("/*")) {
-			if (testPath
-					.regionMatches(0, requestPath, 0, testPath.length() - 2)) {
-				if (requestPath.length() == (testPath.length() - 2)) {
-					retval = true;
-				} else if ('/' == requestPath.charAt(testPath.length() - 2)) {
-					retval = true;
-				}
-			}
-		}
-
-		/** Case 3 - Extension Match **/
-		if (testPath.startsWith("*.")) {
-			int slash = requestPath.lastIndexOf('/');
-			int period = requestPath.lastIndexOf('.');
-
-			if ((slash >= 0)
-					&& (period > slash)
-					&& (period != requestPath.length() - 1)
-					&& ((requestPath.length() - period) == (testPath.length() - 1))) {
-				retval = testPath.regionMatches(2, requestPath, period + 1,
-						testPath.length() - 2);
-			}
-		}
-
-		return retval;
-	}
-
-	/**
-	 * see if a test path starts with ^ and ends with $ thus making it a regex
-	 * @param testPath The path string to test
-	 * @return true if regex (starts with "^" and ends with "$")
-	 */
-	private static boolean isTestPathRegex(String testPath) {
-		return testPath != null && testPath.startsWith("^") && testPath.endsWith("$");
-	}
-	
-	private boolean isUriExactMatch(String testPath, String requestPath) {
-		
-		//cant be an exact match if this is a regex
-		if (isTestPathRegex(testPath)) {
-			return false;
-		}
-		
-		boolean retval = false;
-
-		/** Case 1: Exact Match **/
-		if (testPath.equals(requestPath)) {
-			retval = true;
-		}
-
-		return retval;
-	}
-
-	/**
-	 * if there are methods specified, then they (e.g. GET) are unprotected, and all others are protected
-	 * @return the unprotected HTTP methods
-	 */
-	public Set<String> getUnprotectedMethods () {
-		return config().getUnprotectedMethods();
-	}
+import org.owasp.csrfguard.session.LogicalSession;
+import org.owasp.csrfguard.token.service.TokenService;
+import org.owasp.csrfguard.token.storage.LogicalSessionExtractor;
+import org.owasp.csrfguard.token.storage.TokenHolder;
+import org.owasp.csrfguard.util.CsrfGuardPropertiesToStringBuilder;
+import org.owasp.csrfguard.util.CsrfGuardUtils;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.security.SecureRandom;
+import java.time.Duration;
+import java.util.*;
+import java.util.regex.Pattern;
 
+public class CsrfGuard {
+
+    /**
+     * cache the configuration for a minute
+     */
+    private static final ExpirableCache<Boolean, ConfigurationProvider> configurationProviderExpirableCache = new ExpirableCache<>(1);
+
+    /**
+     * cache regex patterns here
+     */
+    private final Map<String, Pattern> regexPatternCache = new HashMap<>();
+
+    private Properties properties = null;
+
+    public CsrfGuard() {}
+
+    public static CsrfGuard getInstance() {
+        return SingletonHolder.instance;
+    }
+
+    public static void load(final Properties theProperties) {
+        getInstance().properties = theProperties;
+        configurationProviderExpirableCache.clear();
+    }
+
+    public Map<String, Pattern> getRegexPatternCache() {
+        return this.regexPatternCache;
+    }
+
+    public ILogger getLogger() {
+        return config().getLogger();
+    }
+
+    public String getTokenName() {
+        return config().getTokenName();
+    }
+
+    public int getTokenLength() {
+        return config().getTokenLength();
+    }
+
+    public boolean isRotateEnabled() {
+        return config().isRotateEnabled();
+    }
+
+    public boolean isTokenPerPageEnabled() {
+        return config().isTokenPerPageEnabled();
+    }
+
+    public boolean isTokenPerPagePrecreate() {
+        return config().isTokenPerPagePrecreateEnabled();
+    }
+
+    /**
+     * If csrf guard filter should check even if there is no session for the user
+     * Note: this changed in 2014/04/20, the default behavior used to be to
+     * not check if there is no session.  If you want the legacy behavior (if your app
+     * is not susceptible to CSRF if the user has no session), set this to false
+     *
+     * @return if true
+     */
+    public boolean isValidateWhenNoSessionExists() {
+        return config().isValidateWhenNoSessionExists();
+    }
+
+    public SecureRandom getPrng() {
+        return config().getPrng();
+    }
+
+    public String getNewTokenLandingPage() {
+        return config().getNewTokenLandingPage();
+    }
+
+    public boolean isUseNewTokenLandingPage() {
+        return config().isUseNewTokenLandingPage();
+    }
+
+    public boolean isAjaxEnabled() {
+        return config().isAjaxEnabled();
+    }
+
+    public boolean isForceSynchronousAjax() {
+        return config().isForceSynchronousAjax();
+    }
+
+    /**
+     * @see ConfigurationProvider#isProtectEnabled()
+     */
+    public boolean isProtectEnabled() {
+        return config().isProtectEnabled();
+    }
+
+    /**
+     * @return if enabled
+     * @see ConfigurationProvider#isEnabled()
+     */
+    public boolean isEnabled() {
+        return config().isEnabled();
+    }
+
+    public Set<String> getProtectedPages() {
+        return config().getProtectedPages();
+    }
+
+    public Set<String> getUnprotectedPages() {
+        return config().getUnprotectedPages();
+    }
+
+    public TokenHolder getTokenHolder() {
+        return config().getTokenHolder();
+    }
+
+    public LogicalSessionExtractor getLogicalSessionExtractor() {
+        return config().getLogicalSessionExtractor();
+    }
+
+    public Set<String> getProtectedMethods() {
+        return config().getProtectedMethods();
+    }
+
+    public List<IAction> getActions() {
+        return config().getActions();
+    }
+
+    /**
+     * @return if inject
+     * @see ConfigurationProvider#isJavascriptInjectFormAttributes()
+     */
+    public boolean isJavascriptInjectFormAttributes() {
+        return config().isJavascriptInjectFormAttributes();
+    }
+
+    /**
+     * @return if inject
+     * @see ConfigurationProvider#isJavascriptInjectGetForms()
+     */
+    public boolean isJavascriptInjectGetForms() {
+        return config().isJavascriptInjectGetForms();
+    }
+
+    public boolean isJavascriptDomainStrict() {
+        return config().isJavascriptDomainStrict();
+    }
+
+    public boolean isJavascriptRefererMatchProtocol() {
+        return config().isJavascriptRefererMatchProtocol();
+    }
+
+    public boolean isJavascriptRefererMatchDomain() {
+        return config().isJavascriptRefererMatchDomain();
+    }
+
+    public String getJavascriptCacheControl() {
+        return config().getJavascriptCacheControl();
+    }
+
+    public Pattern getJavascriptRefererPattern() {
+        return config().getJavascriptRefererPattern();
+    }
+
+    public boolean isJavascriptInjectIntoForms() {
+        return config().isJavascriptInjectIntoForms();
+    }
+
+    public boolean isJavascriptInjectIntoAttributes() {
+        return config().isJavascriptInjectIntoAttributes();
+    }
+
+    public boolean isJavascriptInjectIntoDynamicallyCreatedNodes() {
+        return config().isJavascriptInjectIntoDynamicallyCreatedNodes();
+    }
+
+    public String getJavascriptDynamicNodeCreationEventName() {
+        return config().getJavascriptDynamicNodeCreationEventName();
+    }
+
+    public String getJavascriptXrequestedWith() {
+        return config().getJavascriptXrequestedWith();
+    }
+
+    public String getJavascriptTemplateCode() {
+        return config().getJavascriptTemplateCode();
+    }
+
+    public String getJavascriptUnprotectedExtensions() {
+        return config().getJavascriptUnprotectedExtensions();
+    }
+
+    public TokenService getTokenService() {
+        return new TokenService(this);
+    }
+
+    public boolean isPrintConfig() {
+        return config().isPrintConfig();
+    }
+
+    public String getDomainOrigin() {
+        return config().getDomainOrigin();
+    }
+
+    public Duration getPageTokenSynchronizationTolerance() {
+        return config().getPageTokenSynchronizationTolerance();
+    }
+
+    /**
+     * if there are methods specified, then they (e.g. GET) are unprotected, and all others are protected
+     *
+     * @return the unprotected HTTP methods
+     */
+    public Set<String> getUnprotectedMethods() {
+        return config().getUnprotectedMethods();
+    }
+
+    @Override
+    public String toString() {
+        return isEnabled() ? new CsrfGuardPropertiesToStringBuilder(config()).toString()
+                           : "OWASP CSRFGuard is disabled.";
+    }
+
+    /**
+     * Rotation in case of AJAX requests is not supported currently because of possible race conditions.
+     * <p>
+     * A Single Page Application can fire multiple simultaneous requests.
+     * If rotation is enabled for AJAX requests, the first request could trigger a token change before the validation of the second request with the same token, causing
+     * false-positive CSRF intrusion exceptions.
+     *
+     * @param request the current request
+     * @return True if rotation is enabled and possible
+     */
+    public boolean isRotateEnabled(final HttpServletRequest request) {
+        return isRotateEnabled() && !CsrfGuardUtils.isAjaxRequest(request);
+    }
+
+    /**
+     * Method to be called by a logical session implementation when a new session is created. <br>
+     * <p>
+     * Example: {@link javax.servlet.http.HttpSessionListener#sessionCreated(javax.servlet.http.HttpSessionEvent)}
+     *
+     * @param logicalSession a logical session implementation
+     */
+    public void onSessionCreated(final LogicalSession logicalSession) {
+        if (isEnabled()) {
+            final String logicalSessionKey = logicalSession.getKey();
+
+            final TokenService tokenService = getTokenService();
+            tokenService.createMasterTokenIfAbsent(logicalSessionKey);
+
+            if (isTokenPerPageEnabled()
+                && isTokenPerPagePrecreate()
+                && isProtectEnabled()
+                && !logicalSession.areTokensGenerated()) {
+
+                tokenService.generateProtectedPageTokens(logicalSessionKey);
+                logicalSession.setTokensGenerated(true);
+            }
+        }
+    }
+
+    /**
+     * Method to be called by a logical session implementation when a session is destroyed. <br>
+     * <p>
+     * Example: {@link javax.servlet.http.HttpSessionListener#sessionDestroyed(javax.servlet.http.HttpSessionEvent)}
+     *
+     * @param logicalSession a logical session implementation
+     */
+    public void onSessionDestroyed(final LogicalSession logicalSession) {
+        final TokenHolder tokenHolder = getTokenHolder();
+        if (Objects.nonNull(tokenHolder)) {
+            tokenHolder.remove(logicalSession.getKey());
+        }
+    }
+
+    public void writeLandingPage(final HttpServletRequest request, final HttpServletResponse response, final String logicalSessionKey) throws IOException {
+        String landingPage = getNewTokenLandingPage();
+
+        /* default to current page */
+        if (landingPage == null) {
+            landingPage = request.getContextPath() + request.getServletPath();
+        }
+
+        /* create auto posting form */
+        final StringBuilder stringBuilder = new StringBuilder();
+
+        // TODO this HTML template should rather be extracted to a separate file
+        stringBuilder.append("<html>")
+                     .append("<head>")
+                     .append("<title>OWASP CSRFGuard Project - New Token Landing Page</title>")
+                     .append("</head>")
+                     .append("<body>")
+                     .append("<script type=\"text/javascript\">")
+                     .append("var form = document.createElement(\"form\");")
+                     .append("form.setAttribute(\"method\", \"post\");")
+                     .append("form.setAttribute(\"action\", \"")
+                     .append(landingPage)
+                     .append("\");");
+
+        /* only include token if needed */
+        if (new CsrfValidator().isProtectedPage(landingPage).isProtected()) {
+            stringBuilder.append("var hiddenField = document.createElement(\"input\");")
+                         .append("hiddenField.setAttribute(\"type\", \"hidden\");")
+                         .append("hiddenField.setAttribute(\"name\", \"")
+                         .append(getTokenName())
+                         .append("\");")
+                         .append("hiddenField.setAttribute(\"value\", \"")
+                         .append(getTokenService().getTokenValue(logicalSessionKey, landingPage))
+                         .append("\");")
+                         .append("form.appendChild(hiddenField);");
+        }
+
+        stringBuilder.append("document.body.appendChild(form);")
+                     .append("form.submit();")
+                     .append("</script>")
+                     .append("</body>")
+                     .append("</html>");
+
+        final String code = stringBuilder.toString();
+
+        /* setup headers */
+        response.setContentType("text/html");
+        response.setContentLength(code.length());
+
+        /* write auto posting form */
+        response.getWriter().write(code);
+    }
+
+
+    private ConfigurationProvider config() {
+        if (this.properties == null) {
+            return new NullConfigurationProvider();
+        }
+
+        ConfigurationProvider configurationProvider = configurationProviderExpirableCache.get(Boolean.TRUE);
+
+        if (configurationProvider == null) {
+
+            synchronized (CsrfGuard.class) {
+                configurationProvider = retrieveNewConfig();
+            }
+        } else if (!configurationProvider.isCacheable()) {
+            /* don't synchronize if not cacheable */
+            configurationProvider = retrieveNewConfig();
+        }
+
+        return configurationProvider;
+    }
+
+    /**
+     * @return new provider
+     */
+    private ConfigurationProvider retrieveNewConfig() {
+        final ConfigurationProvider configurationProvider;
+        /* let's see what provider we are using */
+        final String configurationProviderFactoryClassName = this.properties.getProperty(ConfigParameters.CONFIG_PROVIDER_FACTORY_PROPERTY_NAME, PropertiesConfigurationProviderFactory.class.getName());
+
+        final Class<ConfigurationProviderFactory> configurationProviderFactoryClass = CsrfGuardUtils.forName(configurationProviderFactoryClassName);
+
+        final ConfigurationProviderFactory configurationProviderFactory = CsrfGuardUtils.newInstance(configurationProviderFactoryClass);
+
+        configurationProvider = configurationProviderFactory.retrieveConfiguration(this.properties);
+        configurationProviderExpirableCache.put(Boolean.TRUE, configurationProvider);
+        return configurationProvider;
+    }
+
+    private static final class SingletonHolder {
+        public static final CsrfGuard instance = new CsrfGuard();
+    }
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardException.java b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardException.java
index 547940b..f0d6990 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardException.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardException.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,22 +26,22 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard;
 
 public class CsrfGuardException extends Exception {
 
 	private static final long serialVersionUID = -4468336915273168914L;
 
-	public CsrfGuardException(String msg) {
+	public CsrfGuardException(final String msg) {
 		super(msg);
 	}
 
-	public CsrfGuardException(Exception e) {
+	public CsrfGuardException(final Exception e) {
 		super(e);
 	}
 
-	public CsrfGuardException(String msg, Exception e) {
+	public CsrfGuardException(final String msg, final Exception e) {
 		super(msg, e);
 	}
-
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardFilter.java b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardFilter.java
index d77264f..decefde 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardFilter.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardFilter.java
@@ -1,20 +1,20 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * <p>
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
- * <p>
- * 1. Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of OWASP nor the names of its contributors may be used
- * to endorse or promote products derived from this software without specific
- * prior written permission.
- * <p>
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -26,83 +26,110 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard;
 
-import java.io.IOException;
-import java.util.Objects;
+import org.owasp.csrfguard.http.InterceptRedirectResponse;
+import org.owasp.csrfguard.log.LogLevel;
+import org.owasp.csrfguard.session.LogicalSession;
+import org.owasp.csrfguard.token.storage.LogicalSessionExtractor;
+import org.owasp.csrfguard.token.transferobject.TokenTO;
+import org.owasp.csrfguard.util.CsrfGuardUtils;
 
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
+import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-
-import org.owasp.csrfguard.http.InterceptRedirectResponse;
-import org.owasp.csrfguard.util.SessionUtils;
+import java.io.IOException;
+import java.util.Collections;
+import java.util.Objects;
 
-public final class CsrfGuardFilter implements Filter {
+public class CsrfGuardFilter implements Filter {
 
     private FilterConfig filterConfig = null;
 
     @Override
-    public void destroy() {
-        filterConfig = null;
+    public void init(final FilterConfig filterConfig) {
+        this.filterConfig = filterConfig;
     }
 
     @Override
-    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain filterChain) throws IOException, ServletException {
+        final CsrfGuard csrfGuard = CsrfGuard.getInstance();
 
-        //maybe the short circuit to disable is set
-        if (!CsrfGuard.getInstance().isEnabled()) {
+        if (csrfGuard.isEnabled()) {
+            if (request instanceof HttpServletRequest && response instanceof HttpServletResponse) {
+                doFilter((HttpServletRequest) request, (HttpServletResponse) response, filterChain, csrfGuard);
+            } else {
+                handleNonHttpServletMessages(request, response, filterChain, csrfGuard);
+            }
+        } else {
             filterChain.doFilter(request, response);
-            return;
         }
+    }
 
-        /** only work with HttpServletRequest objects **/
-        if (request instanceof HttpServletRequest && response instanceof HttpServletResponse) {
-
-            HttpServletRequest httpRequest = (HttpServletRequest) request;
-            HttpSession session = httpRequest.getSession(false);
+    @Override
+    public void destroy() {
+        this.filterConfig = null;
+    }
 
-            //if there is no session and we arent validating when no session exists
-            if (session == null && !CsrfGuard.getInstance().isValidateWhenNoSessionExists()) {
-                // If there is no session, no harm can be done
-                filterChain.doFilter(httpRequest, (HttpServletResponse) response);
-                return;
-            }
+    private void doFilter(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse, final FilterChain filterChain, final CsrfGuard csrfGuard) throws IOException, ServletException {
+        final InterceptRedirectResponse interceptRedirectResponse = new InterceptRedirectResponse(httpServletResponse, httpServletRequest, csrfGuard);
 
-            CsrfGuard csrfGuard = CsrfGuard.getInstance();
-            InterceptRedirectResponse httpResponse = new InterceptRedirectResponse((HttpServletResponse) response, httpRequest, csrfGuard);
+        final LogicalSessionExtractor sessionKeyExtractor = csrfGuard.getLogicalSessionExtractor();
+        final LogicalSession logicalSession = sessionKeyExtractor.extract(httpServletRequest);
 
-//			 if(MultipartHttpServletRequest.isMultipartRequest(httpRequest)) {
-//				 httpRequest = new MultipartHttpServletRequest(httpRequest);
-//			 }
+        if (Objects.isNull(logicalSession)) {
+            handleNoSession(httpServletRequest, httpServletResponse, interceptRedirectResponse, filterChain, csrfGuard);
+        } else {
+            handleSession(httpServletRequest, interceptRedirectResponse, filterChain, logicalSession, csrfGuard);
+        }
+    }
 
-            if ((session != null && session.isNew()) && csrfGuard.isUseNewTokenLandingPage()) {
-                csrfGuard.writeLandingPage(httpRequest, httpResponse);
-            } else if (csrfGuard.isValidRequest(httpRequest, httpResponse)) {
-                filterChain.doFilter(httpRequest, httpResponse);
-            } else {
-                /** invalid request - nothing to do - actions already executed **/
-            }
+    private void handleSession(final HttpServletRequest httpServletRequest, final InterceptRedirectResponse interceptRedirectResponse, final FilterChain filterChain,
+                               final LogicalSession logicalSession, final CsrfGuard csrfGuard) throws IOException, ServletException {
 
-            /** update tokens **/
-            csrfGuard.updateTokens(httpRequest);
+        final String logicalSessionKey = logicalSession.getKey();
 
+        if (logicalSession.isNew() && csrfGuard.isUseNewTokenLandingPage()) {
+            csrfGuard.writeLandingPage(httpServletRequest, interceptRedirectResponse, logicalSessionKey);
+        } else if (new CsrfValidator().isValid(httpServletRequest, interceptRedirectResponse)) {
+            filterChain.doFilter(httpServletRequest, interceptRedirectResponse);
         } else {
-            filterConfig.getServletContext().log(String.format("[WARNING] CsrfGuard does not know how to work with requests of class %s ", request.getClass().getName()));
+            logInvalidRequest(httpServletRequest, csrfGuard);
+        }
 
-            filterChain.doFilter(request, response);
+        // TODO this is not needed in case of un-protected pages
+        final String requestURI = httpServletRequest.getRequestURI();
+        final String generatedToken = csrfGuard.getTokenService().generateTokensIfAbsent(logicalSessionKey, httpServletRequest.getMethod(), requestURI);
+
+        CsrfGuardUtils.addResponseTokenHeader(csrfGuard, httpServletRequest, interceptRedirectResponse, new TokenTO(Collections.singletonMap(requestURI, generatedToken)));
+    }
+
+    private void handleNoSession(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse, final InterceptRedirectResponse interceptRedirectResponse, final FilterChain filterChain,
+                                 final CsrfGuard csrfGuard) throws IOException, ServletException {
+        if (csrfGuard.isValidateWhenNoSessionExists()) {
+            if (new CsrfValidator().isValid(httpServletRequest, interceptRedirectResponse)) {
+                filterChain.doFilter(httpServletRequest, interceptRedirectResponse);
+            } else {
+                logInvalidRequest(httpServletRequest, csrfGuard);
+            }
+        } else {
+            filterChain.doFilter(httpServletRequest, httpServletResponse);
         }
     }
 
-    @Override
-    public void init(@SuppressWarnings("hiding") FilterConfig filterConfig) throws ServletException {
-        this.filterConfig = filterConfig;
+    private void handleNonHttpServletMessages(final ServletRequest request, final ServletResponse response, final FilterChain filterChain, final CsrfGuard csrfGuard) throws IOException, ServletException {
+        final String message = String.format("CSRFGuard does not know how to work with requests of class %s ", request.getClass().getName());
+        csrfGuard.getLogger().log(LogLevel.Warning, message);
+        this.filterConfig.getServletContext().log("[WARNING]" + message);
+
+        filterChain.doFilter(request, response);
     }
 
+    private void logInvalidRequest(final HttpServletRequest httpRequest, final CsrfGuard csrfGuard) {
+        final String requestURI = httpRequest.getRequestURI();
+        final String remoteAddress = httpRequest.getRemoteAddr();
+
+        csrfGuard.getLogger().log(LogLevel.Warning, String.format("Invalid request: URI: '%s' | Remote Address: '%s'", requestURI, remoteAddress));
+    }
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardHttpSessionListener.java b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardHttpSessionListener.java
deleted file mode 100644
index 339624b..0000000
--- a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardHttpSessionListener.java
+++ /dev/null
@@ -1,29 +0,0 @@
-package org.owasp.csrfguard;
-
-import org.owasp.csrfguard.util.SessionUtils;
-
-import javax.servlet.http.HttpSession;
-import javax.servlet.http.HttpSessionEvent;
-import javax.servlet.http.HttpSessionListener;
-
-public class CsrfGuardHttpSessionListener implements HttpSessionListener {
-
-    @Override
-    public void sessionCreated(HttpSessionEvent event) {
-        HttpSession session = event.getSession();
-        CsrfGuard csrfGuard = CsrfGuard.getInstance();
-        csrfGuard.updateToken(session);
-        // Check if should generate tokens for protected resources on current session
-        if (csrfGuard.isTokenPerPageEnabled() && csrfGuard.isTokenPerPagePrecreate()
-                && !SessionUtils.tokensGenerated(session)) {
-            csrfGuard.generatePageTokensForSession(session);
-        }
-
-    }
-
-    @Override
-    public void sessionDestroyed(HttpSessionEvent event) {
-        /** nothing to do **/
-    }
-
-}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardServletContextListener.java b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardServletContextListener.java
index 8301d15..56a9388 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardServletContextListener.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardServletContextListener.java
@@ -1,23 +1,51 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
 package org.owasp.csrfguard;
 
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.csrfguard.config.overlay.ConfigurationOverlayProvider;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.Objects;
 import java.util.Properties;
 
-import javax.servlet.ServletContext;
-import javax.servlet.ServletContextEvent;
-import javax.servlet.ServletContextListener;
-
-import org.owasp.csrfguard.config.overlay.ConfigurationOverlayProvider;
-import org.owasp.csrfguard.util.Streams;
-
 public class CsrfGuardServletContextListener implements ServletContextListener {
 
-	private final static String CONFIG_PARAM = "Owasp.CsrfGuard.Config";
-
-	private final static String CONFIG_PRINT_PARAM = "Owasp.CsrfGuard.Config.Print";
+	private static final String CONFIG_PARAM = "Owasp.CsrfGuard.Config";
+	private static final String CONFIG_PRINT_PARAM = "Owasp.CsrfGuard.Config.Print";
 
 	/**
 	 * servlet context (will be the empty string if it is / )
@@ -46,44 +74,43 @@ public static String getConfigFileName() {
 	}
 	
 	@Override
-	public void contextInitialized(ServletContextEvent event) {
-		ServletContext context = event.getServletContext();
+	public void contextInitialized(final ServletContextEvent event) {
+		final ServletContext context = event.getServletContext();
 		servletContext = context.getContextPath();
-		//since this is just a prefix of a path, then if there is no servlet context, it is the empty string
-		if (servletContext == null || "/".equals(servletContext)) {
+		// since this is just a prefix of a path, then if there is no servlet context, it is the empty string
+		if (StringUtils.equals(servletContext, "/")) {
 			servletContext = "";
 		}
-		
+
 		configFileName = context.getInitParameter(CONFIG_PARAM);
 
 		if (configFileName == null) {
 			configFileName = ConfigurationOverlayProvider.OWASP_CSRF_GUARD_PROPERTIES;
 		}
 
-		InputStream is = null;
-		Properties properties = new Properties();
+		try (final InputStream configFileInputStream = getResourceStream(configFileName, context, false)) {
+			if (Objects.isNull(configFileInputStream)) {
+				try (final InputStream metaInfInputStream = getResourceStream(ConfigurationOverlayProvider.META_INF_CSRFGUARD_PROPERTIES, context, false)) {
+					if (Objects.isNull(metaInfInputStream)) {
+						throw new RuntimeException("Can't find default OWASP CSRFGuard properties file: " + configFileName);
+					}
 
-		try {
-			is = getResourceStream(configFileName, context, false);
-			
-			if (is == null) {
-				is = getResourceStream(ConfigurationOverlayProvider.META_INF_CSRFGUARD_PROPERTIES, context, false);
+					loadProperties(metaInfInputStream);
+				}
 			}
 
-			if (is == null) {
-				throw new RuntimeException("Cant find default owasp csrfguard properties file: " + configFileName);
-			}
-			
-			properties.load(is);
-			CsrfGuard.load(properties);
-		} catch (Exception e) {
+			loadProperties(configFileInputStream);
+		} catch (final Exception e) {
 			throw new RuntimeException(e);
-		} finally {
-			Streams.close(is);
 		}
 
+		printConfigIfConfigured(context, "Printing properties before JavaScript servlet, note, the JavaScript properties might not be initialized yet: ");
+	}
 
-		printConfigIfConfigured(context, "Printing properties before Javascript servlet, note, the javascript properties might not be initialized yet: ");
+	private void loadProperties(final InputStream resourceStream) throws IOException {
+		final Properties properties = new Properties();
+		properties.load(resourceStream);
+		CsrfGuard.load(properties);
 	}
 
 	/**
@@ -93,57 +120,61 @@ public void contextInitialized(ServletContextEvent event) {
 	 * @param prefix  The string used as a prefix when printing the configuration to the log
 	 * @see javax.servlet.ServletContext#log(String)
 	 */
-	public static void printConfigIfConfigured(ServletContext context, String prefix) {
-		String printConfig = context.getInitParameter(CONFIG_PRINT_PARAM);
+	public static void printConfigIfConfigured(final ServletContext context, final String prefix) {
+		final CsrfGuard csrfGuard = CsrfGuard.getInstance();
 
-		if (printConfig == null || "".equals(printConfig.trim())) {
-			printConfig = CsrfGuard.getInstance().isPrintConfig() ? "true" : null;
-		}
-		
-		if (printConfig != null && Boolean.parseBoolean(printConfig)) {
-			context.log(prefix 
-					+ CsrfGuard.getInstance().toString());
+		if (csrfGuard.isEnabled()) {
+			String printConfig = context.getInitParameter(CONFIG_PRINT_PARAM);
+
+			if (StringUtils.isBlank(printConfig)) {
+				printConfig = csrfGuard.isPrintConfig() ? "true" : null;
+			}
+
+			if (Boolean.parseBoolean(printConfig)) {
+				context.log(prefix + csrfGuard);
+			}
+		} else {
+			context.log("OWASP CSRFGuard is disabled.");
 		}
 	}
 
 	@Override
-	public void contextDestroyed(ServletContextEvent event) {
-		/** nothing to do **/
+	public void contextDestroyed(final ServletContextEvent event) {
+		/* nothing to do */
 	}
 
-	private InputStream getResourceStream(String resourceName, ServletContext context, boolean failIfNotFound) throws IOException {
-		InputStream is = null;
+	private InputStream getResourceStream(final String resourceName, final ServletContext context, final boolean failIfNotFound) throws IOException {
+		InputStream inputStream;
 
-		/** try classpath **/
-		is = getClass().getClassLoader().getResourceAsStream(resourceName);
+		/* try classpath */
+		inputStream = getClass().getClassLoader().getResourceAsStream(resourceName);
 
-		/** try web context **/
-		if (is == null) {
-			String fileName = context.getRealPath(resourceName);
+		/* try web context */
+		if (inputStream == null) {
+			final String fileName = context.getRealPath(resourceName);
             if (fileName != null) {
-                File file = new File(fileName);
+                final File file = new File(fileName);
 
                 if (file.exists()) {
-                    is = new FileInputStream(fileName);
+                    inputStream = new FileInputStream(fileName);
                 }
             }
 		}
 
-		/** try current directory **/
-		if (is == null) {
-			File file = new File(resourceName);
+		/* try current directory */
+		if (inputStream == null) {
+			final File file = new File(resourceName);
 
 			if (file.exists()) {
-				is = new FileInputStream(resourceName);
+				inputStream = new FileInputStream(resourceName);
 			}
 		}
 
-		/** fail if still empty **/
-		if (is == null && failIfNotFound) {
+		/* fail if still empty */
+		if (inputStream == null && failIfNotFound) {
 			throw new IOException(String.format("unable to locate resource - %s", resourceName));
 		}
 
-		return is;
+		return inputStream;
 	}
-
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfValidator.java b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfValidator.java
new file mode 100644
index 0000000..f006070
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfValidator.java
@@ -0,0 +1,247 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard;
+
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.csrfguard.action.IAction;
+import org.owasp.csrfguard.log.ILogger;
+import org.owasp.csrfguard.log.LogLevel;
+import org.owasp.csrfguard.servlet.JavaScriptServlet;
+import org.owasp.csrfguard.session.LogicalSession;
+import org.owasp.csrfguard.token.businessobject.TokenBO;
+import org.owasp.csrfguard.token.mapper.TokenMapper;
+import org.owasp.csrfguard.token.service.TokenService;
+import org.owasp.csrfguard.token.transferobject.TokenTO;
+import org.owasp.csrfguard.util.CsrfGuardUtils;
+import org.owasp.csrfguard.util.MessageConstants;
+import org.owasp.csrfguard.util.RegexValidationUtil;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Objects;
+import java.util.Set;
+import java.util.function.UnaryOperator;
+import java.util.regex.Pattern;
+
+public final class CsrfValidator {
+
+    private final CsrfGuard csrfGuard;
+
+    public CsrfValidator() {
+        this.csrfGuard = CsrfGuard.getInstance();
+    }
+
+    public boolean isValid(final HttpServletRequest request, final HttpServletResponse response) {
+        final boolean isValid;
+
+        final ILogger logger = this.csrfGuard.getLogger();
+        final String normalizedResourceURI = CsrfGuardUtils.normalizeResourceURI(request);
+        final ProtectionResult protectionResult = isProtectedPageAndMethod(request);
+        if (protectionResult.isProtected()) {
+            logger.log(LogLevel.Debug, String.format("CSRFGuard analyzing protected resource: '%s'", normalizedResourceURI));
+            isValid = isTokenValidInRequest(request, response, protectionResult.getResourceIdentifier());
+        } else {
+            logger.log(LogLevel.Debug, String.format("Unprotected page: %s", normalizedResourceURI));
+            isValid = true;
+        }
+
+        return isValid;
+    }
+
+    public ProtectionResult isProtectedPageAndMethod(final String page, final String method) {
+        final String normalizedResourceUri = CsrfGuardUtils.normalizeResourceURI(page);
+        final ProtectionResult protectionResult = isProtectedPage(normalizedResourceUri);
+
+        return (protectionResult.isProtected() && isProtectedMethod(method)) ? protectionResult
+                                                                             : new ProtectionResult(false, normalizedResourceUri);
+    }
+
+    public ProtectionResult isProtectedPage(final String normalizedResourceUri) {
+        final ProtectionResult protectionResult;
+
+        if (JavaScriptServlet.getJavascriptUris().contains(normalizedResourceUri)) {
+            /* if this is a javascript page, let it go through */
+            protectionResult = new ProtectionResult(false, normalizedResourceUri);
+        } else if (this.csrfGuard.isProtectEnabled()) {
+            /* all links are unprotected, except the ones that were explicitly specified */
+            protectionResult = isUriMatch(normalizedResourceUri, this.csrfGuard.getProtectedPages(), v -> v, false);
+        } else {
+            /* all links are protected, except the ones were explicitly excluded */
+            protectionResult = isUriMatch(normalizedResourceUri, this.csrfGuard.getUnprotectedPages(), v -> new ProtectionResult(false, v.getResourceIdentifier()), true);
+        }
+        return protectionResult;
+    }
+
+    private static boolean isUriPathMatch(final String configuredPageUri, final String requestUri) {
+        return configuredPageUri.equals("/*") || (configuredPageUri.endsWith("/*") && (configuredPageUri.regionMatches(0, requestUri, 0, configuredPageUri.length() - 2)
+                                                                                   && ((requestUri.length() == (configuredPageUri.length() - 2)) || ('/' == requestUri.charAt(configuredPageUri.length() - 2)))));
+    }
+
+    /**
+     * FIXME: taken from Tomcat - <a href="https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/core/ApplicationFilterFactory.java">ApplicationFilterFactory#matchFiltersURL</a>
+     */
+    private static boolean isExtensionMatch(final String testPath, final String requestPath) {
+        final boolean result;
+        if (StringUtils.startsWith(testPath, "*.")) {
+            final int slash = requestPath.lastIndexOf('/');
+            final int period = requestPath.lastIndexOf('.');
+
+            if ((slash >= 0)
+                && (period > slash)
+                && (period != requestPath.length() - 1)
+                && ((requestPath.length() - period) == (testPath.length() - 1))) {
+                result = testPath.regionMatches(2, requestPath, period + 1, testPath.length() - 2);
+            } else {
+                result = false;
+            }
+        } else {
+            result = false;
+        }
+
+        return result;
+    }
+
+    private ProtectionResult isUriMatch(final String normalizedResourceUri, final Set<String> pages, final UnaryOperator<ProtectionResult> operator, final boolean isProtected) {
+        for (final String page : pages) {
+            final ProtectionResult protectionResult = isUriMatch(page, normalizedResourceUri);
+            if (protectionResult.isProtected()) {
+                return operator.apply(protectionResult);
+            }
+        }
+        return new ProtectionResult(isProtected, normalizedResourceUri);
+    }
+
+    private TokenService getTokenService() {
+        return new TokenService(this.csrfGuard);
+    }
+
+    private ProtectionResult isProtectedPageAndMethod(final HttpServletRequest request) {
+        return isProtectedPageAndMethod(request.getRequestURI(), request.getMethod());
+    }
+
+    /**
+     * Whether or not the HTTP method is protected, i.e. should be checked for token.
+     *
+     * @param method The method to check for protection status
+     * @return true when the given method name is in the protected methods set and not in the unprotected methods set
+     */
+    private boolean isProtectedMethod(final String method) {
+        boolean isProtected = true;
+
+        final Set<String> protectedMethods = this.csrfGuard.getProtectedMethods();
+        if (!protectedMethods.isEmpty() && !protectedMethods.contains(method)) {
+            isProtected = false;
+        }
+
+        final Set<String> unprotectedMethods = this.csrfGuard.getUnprotectedMethods();
+        if (!unprotectedMethods.isEmpty() && unprotectedMethods.contains(method)) {
+            isProtected = false;
+        }
+
+        return isProtected;
+    }
+
+    /**
+     * @param configuredPageUri the pattern to match.
+     * @param requestUri        the current request path.
+     * @return {@code true} if {@code requestUri} matches {@code configuredPageUri}.
+     */
+    private ProtectionResult isUriMatch(final String configuredPageUri, final String requestUri) {
+        if (Objects.nonNull(configuredPageUri)) {
+            if (configuredPageUri.equals(requestUri) || isUriPathMatch(configuredPageUri, requestUri) || isExtensionMatch(configuredPageUri, requestUri)) {
+                return new ProtectionResult(true, requestUri);
+            } else if (isUriRegexMatch(configuredPageUri, requestUri)) {
+                return new ProtectionResult(true, configuredPageUri);
+            } else {
+                return new ProtectionResult(false, requestUri);
+            }
+        } else {
+            return new ProtectionResult(false, requestUri);
+        }
+    }
+
+    private boolean isUriRegexMatch(final String configuredPageUri, final String requestUri) {
+        return RegexValidationUtil.isTestPathRegex(configuredPageUri) && this.csrfGuard.getRegexPatternCache().computeIfAbsent(configuredPageUri, k -> Pattern.compile(configuredPageUri))
+                                                                                       .matcher(requestUri)
+                                                                                       .matches();
+    }
+
+    private boolean isTokenValidInRequest(final HttpServletRequest request, final HttpServletResponse response, final String resourceIdentifier) {
+        boolean isValid = false;
+
+        final CsrfGuard csrfGuard = CsrfGuard.getInstance();
+        final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract(request);
+
+        if (Objects.nonNull(logicalSession)) {
+            final TokenService tokenService = getTokenService();
+            final String logicalSessionKey = logicalSession.getKey();
+            final String masterToken = tokenService.getMasterToken(logicalSessionKey);
+
+            if (Objects.nonNull(masterToken)) {
+                try {
+                    final TokenBO tokenBO = tokenService.verifyToken(request, resourceIdentifier, logicalSessionKey, masterToken);
+
+                    final TokenTO tokenTO = csrfGuard.isRotateEnabled(request) ? tokenService.rotateUsedToken(logicalSessionKey, resourceIdentifier, tokenBO)
+                                                                               : TokenMapper.toTransferObject(tokenBO);
+
+                    CsrfGuardUtils.addResponseTokenHeader(csrfGuard, request, response, tokenTO);
+
+                    isValid = true;
+                } catch (final CsrfGuardException e) {
+                    callActionsOnError(request, response, e);
+                }
+            } else {
+                callActionsOnError(request, response, new CsrfGuardException(MessageConstants.TOKEN_MISSING_FROM_STORAGE_MSG));
+            }
+        } else {
+            callActionsOnError(request, response, new CsrfGuardException(MessageConstants.TOKEN_MISSING_FROM_STORAGE_MSG));
+        }
+
+        return isValid;
+    }
+
+    /**
+     * Invoked when there was a CsrfGuardException such as a token mismatch error.
+     * Calls the configured actions.
+     *
+     * @param request            The HttpServletRequest
+     * @param response           The HttpServletResponse
+     * @param csrfGuardException The exception that triggered the actions call. Passed to the action.
+     * @see IAction#execute(HttpServletRequest, HttpServletResponse, CsrfGuardException, CsrfGuard)
+     */
+    private void callActionsOnError(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfGuardException) {
+        for (final IAction action : this.csrfGuard.getActions()) {
+            try {
+                action.execute(request, response, csrfGuardException, this.csrfGuard);
+            } catch (final CsrfGuardException exception) {
+                this.csrfGuard.getLogger().log(LogLevel.Error, exception);
+            }
+        }
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/ProtectionResult.java b/csrfguard/src/main/java/org/owasp/csrfguard/ProtectionResult.java
new file mode 100644
index 0000000..47ca270
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/ProtectionResult.java
@@ -0,0 +1,48 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard;
+
+public class ProtectionResult {
+
+    private final boolean isProtected;
+    private final String resourceIdentifier;
+
+    public ProtectionResult(final boolean isProtected, final String resourceIdentifier) {
+        this.isProtected = isProtected;
+        this.resourceIdentifier = resourceIdentifier;
+    }
+
+    public boolean isProtected() {
+        return this.isProtected;
+    }
+
+    public String getResourceIdentifier() {
+        return this.resourceIdentifier;
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/action/AbstractAction.java b/csrfguard/src/main/java/org/owasp/csrfguard/action/AbstractAction.java
index 9dc4da4..3e73366 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/action/AbstractAction.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/action/AbstractAction.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,9 +26,11 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.action;
 
-import java.util.*;
+import java.util.HashMap;
+import java.util.Map;
 
 public abstract class AbstractAction implements IAction {
 
@@ -36,26 +38,26 @@ public abstract class AbstractAction implements IAction {
 
 	private String name = null;
 	
-	private Map<String, String> parameters = new HashMap<String, String>();
+	private final Map<String, String> parameters = new HashMap<>();
 
 	@Override
-	public void setName(String name) {
+	public void setName(final String name) {
 		this.name = name;
 	}
 
 	@Override
 	public String getName() {
-		return name;
+		return this.name;
 	}
 
 	@Override
-	public void setParameter(String name, String value) {
-		parameters.put(name, value);
+	public void setParameter(final String name, final String value) {
+		this.parameters.put(name, value);
 	}
 
 	@Override
-	public String getParameter(String parameterName) {
-		String value = parameters.get(parameterName);
+	public String getParameter(final String parameterName) {
+		final String value = this.parameters.get(parameterName);
 
 		if (value == null) {
 			throw new RuntimeException(String.format("unable to locate expected parameter %s", parameterName));
@@ -66,7 +68,6 @@ public String getParameter(String parameterName) {
 
 	@Override
 	public Map<String, String> getParameterMap() {
-		return parameters;
+		return this.parameters;
 	}
-	
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/action/Empty.java b/csrfguard/src/main/java/org/owasp/csrfguard/action/Empty.java
index b733ee5..970f8ec 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/action/Empty.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/action/Empty.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,21 +26,24 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-package org.owasp.csrfguard.action;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+package org.owasp.csrfguard.action;
 
 import org.owasp.csrfguard.CsrfGuard;
 import org.owasp.csrfguard.CsrfGuardException;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * TODO document or why it is needed or remove this Action
+ */
 public final class Empty extends AbstractAction {
 
 	private static final long serialVersionUID = 3530383602177340966L;
 
 	@Override
-	public void execute(HttpServletRequest request, HttpServletResponse response, CsrfGuardException csrfe, CsrfGuard csrfGuard) throws CsrfGuardException {
+	public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfe, final CsrfGuard csrfGuard) throws CsrfGuardException {
 		// nothing to do
 	}
-	
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/action/Error.java b/csrfguard/src/main/java/org/owasp/csrfguard/action/Error.java
index 2785ff1..6079076 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/action/Error.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/action/Error.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,30 +26,29 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.action;
 
-import java.io.IOException;
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.CsrfGuardException;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
-import org.owasp.csrfguard.CsrfGuard;
-import org.owasp.csrfguard.CsrfGuardException;
+import java.io.IOException;
 
 public final class Error extends AbstractAction {
 
 	private static final long serialVersionUID = 5479074081984904252L;
 
 	@Override
-	public void execute(HttpServletRequest request, HttpServletResponse response, CsrfGuardException csrfe, CsrfGuard csrfGuard) throws CsrfGuardException {
-		int code = Integer.parseInt(getParameter("Code"));
-		String message = getParameter("Message");
-
+	public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfe, final CsrfGuard csrfGuard) throws CsrfGuardException {
 		try {
+			final int code = Integer.parseInt(getParameter("Code"));
+			final String message = getParameter("Message");
+
 			response.sendError(code, message);
-		} catch (IOException ioe) {
-			throw new CsrfGuardException(ioe);
+		} catch (final NumberFormatException | IOException e) {
+			throw new CsrfGuardException(e);
 		}
 	}
-
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/action/Forward.java b/csrfguard/src/main/java/org/owasp/csrfguard/action/Forward.java
index 64f3803..e393485 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/action/Forward.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/action/Forward.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,32 +26,29 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.action;
 
-import java.io.IOException;
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.CsrfGuardException;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
-import org.owasp.csrfguard.CsrfGuard;
-import org.owasp.csrfguard.CsrfGuardException;
+import java.io.IOException;
 
 public final class Forward extends AbstractAction {
 
 	private static final long serialVersionUID = -3727752206497452347L;
 
 	@Override
-	public void execute(HttpServletRequest request, HttpServletResponse response, CsrfGuardException csrfe, CsrfGuard csrfGuard) throws CsrfGuardException {
-		String errorPage = getParameter("Page");
+	public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfe, final CsrfGuard csrfGuard) throws CsrfGuardException {
+		final String errorPage = getParameter("Page");
 
 		try {
 			request.getRequestDispatcher(errorPage).forward(request, response);
-		} catch (IOException ioe) {
-			throw new CsrfGuardException(ioe);
-		} catch (ServletException se) {
-			throw new CsrfGuardException(se);
+		} catch (final IOException | ServletException e) {
+			throw new CsrfGuardException(e);
 		}
 	}
-	
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/action/IAction.java b/csrfguard/src/main/java/org/owasp/csrfguard/action/IAction.java
index 479c02b..d2471d6 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/action/IAction.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/action/IAction.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,27 +26,65 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-package org.owasp.csrfguard.action;
 
-import java.io.Serializable;
-import java.util.*;
+package org.owasp.csrfguard.action;
 
-import javax.servlet.http.*;
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.CsrfGuardException;
 
-import org.owasp.csrfguard.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.Serializable;
+import java.util.Map;
 
+/**
+ * TODO document
+ */
 public interface IAction extends Serializable {
 
-	public void setName(String name);
+	/**
+	 * TODO document
+	 *
+	 * @param name
+	 */
+	void setName(String name);
 
-	public String getName();
+	/**
+	 * TODO document
+	 *
+	 * @return
+	 */
+	String getName();
 
-	public void setParameter(String name, String value);
+	/**
+	 * TODO document
+	 *
+	 * @param name
+	 * @param value
+	 */
+	void setParameter(String name, String value);
 
-	public String getParameter(String name);
+	/**
+	 * TODO document
+	 *
+	 * @param name
+	 */
+	String getParameter(String name);
 
-	public Map<String, String> getParameterMap();
+	/**
+	 * TODO document
+	 *
+	 * @return
+	 */
+	Map<String, String> getParameterMap();
 
-	public void execute(HttpServletRequest request, HttpServletResponse response, CsrfGuardException csrfe, CsrfGuard csrfGuard) throws CsrfGuardException;
-	
+	/**
+	 * TODO document
+	 *
+	 * @param request
+	 * @param response
+	 * @param csrfe
+	 * @param csrfGuard
+	 */
+	void execute(HttpServletRequest request, HttpServletResponse response, CsrfGuardException csrfe, CsrfGuard csrfGuard) throws CsrfGuardException;
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/action/Invalidate.java b/csrfguard/src/main/java/org/owasp/csrfguard/action/Invalidate.java
index 9d38af9..9e97f2b 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/action/Invalidate.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/action/Invalidate.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,23 +26,28 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.action;
 
-import javax.servlet.http.*;
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.CsrfGuardException;
+import org.owasp.csrfguard.session.LogicalSession;
 
-import org.owasp.csrfguard.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Objects;
 
 public final class Invalidate extends AbstractAction {
 
 	private static final long serialVersionUID = -3060679616261531773L;
 
 	@Override
-	public void execute(HttpServletRequest request, HttpServletResponse response, CsrfGuardException csrfe, CsrfGuard csrfGuard) throws CsrfGuardException {
-		HttpSession session = request.getSession(false);
+	public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfe, final CsrfGuard csrfGuard) throws CsrfGuardException {
+
+		final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract(request);
 
-		if (session != null) {
-			session.invalidate();
+		if (Objects.nonNull(logicalSession)) {
+			csrfGuard.getTokenService().invalidate(logicalSession);
 		}
 	}
-	
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/action/Log.java b/csrfguard/src/main/java/org/owasp/csrfguard/action/Log.java
index ffb479b..df4509c 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/action/Log.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/action/Log.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,60 +26,69 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-package org.owasp.csrfguard.action;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+package org.owasp.csrfguard.action;
 
+import org.apache.commons.lang3.StringUtils;
 import org.owasp.csrfguard.CsrfGuard;
 import org.owasp.csrfguard.CsrfGuardException;
 import org.owasp.csrfguard.log.LogLevel;
-import org.owasp.csrfguard.util.CsrfGuardUtils;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.security.Principal;
 
 public final class Log extends AbstractAction {
 
-	private static final long serialVersionUID = 8238761463376338707L;
-
-	@Override
-	public void execute(HttpServletRequest request, HttpServletResponse response, CsrfGuardException csrfe, CsrfGuard csrfGuard) throws CsrfGuardException {
-		String logMessage = getParameter("Message");
-
-		/** Exception Information **/
-		logMessage = logMessage.replace("%exception%", String.valueOf(csrfe));
-		logMessage = logMessage.replace("%exception_message%", csrfe.getLocalizedMessage());
-
-		/** Remote Network Information **/
-		logMessage = logMessage.replace("%remote_ip%", CsrfGuardUtils.defaultString(request.getRemoteAddr()));
-		logMessage = logMessage.replace("%remote_host%", CsrfGuardUtils.defaultString(request.getRemoteHost()));
-		logMessage = logMessage.replace("%remote_port%", String.valueOf(request.getRemotePort()));
-
-		/** Local Network Information **/
-		logMessage = logMessage.replace("%local_ip%", CsrfGuardUtils.defaultString(request.getLocalAddr()));
-		logMessage = logMessage.replace("%local_host%", CsrfGuardUtils.defaultString(request.getLocalName()));
-		logMessage = logMessage.replace("%local_port%", String.valueOf(request.getLocalPort()));
-
-		/** Requested Resource Information **/
-		logMessage = logMessage.replace("%request_method%", CsrfGuardUtils.defaultString(request.getMethod()));
-		logMessage = logMessage.replace("%request_uri%", CsrfGuardUtils.defaultString(request.getRequestURI()));
-		logMessage = logMessage.replace("%request_url%", request.getRequestURL().toString());
-
-		// JavaEE Principal Information
-		String user = request.getRemoteUser();
-		if (user == null || "".equals(user.trim())) {
-	        user = (String)request.getAttribute("REMOTE_USER");
-		}
-		if (user == null || "".equals(user.trim())) {
-			if (request.getUserPrincipal() != null) {
-				user = request.getUserPrincipal().getName();
-			}
-		}
-		if (user != null && !"".equals(user.trim())) {
-			logMessage = logMessage.replace("%user%", user);
-		} else {
-			logMessage = logMessage.replace("%user%", "<anonymous>");
-		}
-
-		csrfGuard.getLogger().log(LogLevel.Error, logMessage);
-	}
-	
+    private static final long serialVersionUID = 8238761463376338707L;
+
+    @Override
+    public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfe, final CsrfGuard csrfGuard) throws CsrfGuardException {
+        String logMessage = getParameter("Message");
+
+        /* Exception Information */
+        logMessage = logMessage.replace("%exception%", String.valueOf(csrfe))
+                               .replace("%exception_message%", csrfe.getLocalizedMessage());
+
+        /* Remote Network Information */
+        logMessage = logMessage.replace("%remote_ip%", StringUtils.defaultString(request.getRemoteAddr()))
+                               .replace("%remote_host%", StringUtils.defaultString(request.getRemoteHost()))
+                               .replace("%remote_port%", String.valueOf(request.getRemotePort()));
+
+        /* Local Network Information */
+        logMessage = logMessage.replace("%local_ip%", StringUtils.defaultString(request.getLocalAddr()))
+                               .replace("%local_host%", StringUtils.defaultString(request.getLocalName()))
+                               .replace("%local_port%", String.valueOf(request.getLocalPort()));
+
+        /* Requested Resource Information */
+        logMessage = logMessage.replace("%request_method%", StringUtils.defaultString(request.getMethod()))
+                               .replace("%request_uri%", StringUtils.defaultString(request.getRequestURI()))
+                               .replace("%request_url%", request.getRequestURL().toString());
+
+        logMessage = logMessage.replace("%user%", getUserName(request));
+
+        csrfGuard.getLogger().log(LogLevel.Error, logMessage);
+    }
+
+    private String getUserName(final HttpServletRequest request) {
+        // JavaEE Principal Information
+        String user = request.getRemoteUser();
+
+        if (StringUtils.isBlank(user)) {
+            user = (String) request.getAttribute("REMOTE_USER");
+        }
+
+        if (StringUtils.isBlank(user)) {
+            final Principal userPrincipal = request.getUserPrincipal();
+            if (userPrincipal != null) {
+                user = userPrincipal.getName();
+            }
+        }
+
+        if (StringUtils.isBlank(user)) {
+            user = "<anonymous>";
+        }
+
+        return user;
+    }
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/action/Redirect.java b/csrfguard/src/main/java/org/owasp/csrfguard/action/Redirect.java
index 81fd7ae..737f42a 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/action/Redirect.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/action/Redirect.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,29 +26,28 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.action;
 
-import java.io.IOException;
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.CsrfGuardException;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
-import org.owasp.csrfguard.CsrfGuard;
-import org.owasp.csrfguard.CsrfGuardException;
+import java.io.IOException;
 
 public final class Redirect extends AbstractAction {
 
 	private static final long serialVersionUID = -2265693822259717332L;
 
 	@Override
-	public void execute(HttpServletRequest request, HttpServletResponse response, CsrfGuardException csrfe, CsrfGuard csrfGuard) throws CsrfGuardException {
-		String errorPage = getParameter("Page");
+	public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfe, final CsrfGuard csrfGuard) throws CsrfGuardException {
+		final String errorPage = getParameter("Page");
 
 		try {
 			response.sendRedirect(errorPage);
-		} catch (IOException ioe) {
+		} catch (final IOException ioe) {
 			throw new CsrfGuardException(ioe);
 		}
 	}
-	
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/action/RequestAttribute.java b/csrfguard/src/main/java/org/owasp/csrfguard/action/RequestAttribute.java
index 41c04bf..e5bed1b 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/action/RequestAttribute.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/action/RequestAttribute.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,23 +26,23 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-package org.owasp.csrfguard.action;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+package org.owasp.csrfguard.action;
 
 import org.owasp.csrfguard.CsrfGuard;
 import org.owasp.csrfguard.CsrfGuardException;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
 public final class RequestAttribute extends AbstractAction {
 
 	private static final long serialVersionUID = 6714855990116387348L;
 
 	@Override
-	public void execute(HttpServletRequest request, HttpServletResponse response, CsrfGuardException csrfe, CsrfGuard csrfGuard) throws CsrfGuardException {
-		String attributeName = getParameter("AttributeName");
+	public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfe, final CsrfGuard csrfGuard) throws CsrfGuardException {
+		final String attributeName = getParameter("AttributeName");
 
 		request.setAttribute(attributeName, csrfe);
 	}
-	
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/action/Rotate.java b/csrfguard/src/main/java/org/owasp/csrfguard/action/Rotate.java
index 8962e05..2a6def5 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/action/Rotate.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/action/Rotate.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,70 +26,29 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.action;
 
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.CsrfGuardException;
+import org.owasp.csrfguard.session.LogicalSession;
+import org.owasp.csrfguard.token.storage.LogicalSessionExtractor;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-
-import org.owasp.csrfguard.CsrfGuard;
-import org.owasp.csrfguard.CsrfGuardException;
-import org.owasp.csrfguard.util.RandomGenerator;
+import java.util.Objects;
 
 public class Rotate extends AbstractAction {
 
-	private static final long serialVersionUID = -3164557586544451406L;
-
-	@Override
-	public void execute(HttpServletRequest request, HttpServletResponse response, CsrfGuardException csrfe, CsrfGuard csrfGuard) throws CsrfGuardException {
-		HttpSession session = request.getSession(false);
-
-		if (session != null) {
-			updateSessionToken(session, csrfGuard);
-
-			if (csrfGuard.isTokenPerPageEnabled()) {
-				updatePageTokens(session, csrfGuard);
-			}
-		}
-	}
-
-	private void updateSessionToken(HttpSession session, CsrfGuard csrfGuard) throws CsrfGuardException {
-		String token;
-
-		try {
-			token = RandomGenerator.generateRandomId(csrfGuard.getPrng(),
-					csrfGuard.getTokenLength());
-		} catch (Exception e) {
-			throw new CsrfGuardException(String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
-		}
-
-		session.setAttribute(csrfGuard.getSessionKey(), token);
-	}
-
-	private void updatePageTokens(HttpSession session, CsrfGuard csrfGuard) throws CsrfGuardException {
-		@SuppressWarnings("unchecked")
-		Map<String, String> pageTokens = (Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);
-		List<String> pages = new ArrayList<String>();
-
-		if(pageTokens != null) {
-			pages.addAll(pageTokens.keySet());
-		}
+    private static final long serialVersionUID = -3164557586544451406L;
 
-		for (String page : pages) {
-			String token;
+    @Override
+    public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfe, final CsrfGuard csrfGuard) throws CsrfGuardException {
+        final LogicalSessionExtractor logicalSessionExtractor = csrfGuard.getLogicalSessionExtractor();
+        final LogicalSession logicalSession = logicalSessionExtractor.extract(request);
 
-			try {
-				token = RandomGenerator.generateRandomId(csrfGuard.getPrng(), csrfGuard.getTokenLength());
-			} catch (Exception e) {
-				throw new CsrfGuardException(String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
-			}
-			
-			pageTokens.put(page, token);
-		}
-	}
-	
+        if (Objects.nonNull(logicalSession)) {
+            csrfGuard.getTokenService().rotateAllTokens(logicalSession.getKey());
+        }
+    }
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/action/SessionAttribute.java b/csrfguard/src/main/java/org/owasp/csrfguard/action/SessionAttribute.java
deleted file mode 100644
index 47ed620..0000000
--- a/csrfguard/src/main/java/org/owasp/csrfguard/action/SessionAttribute.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/**
- * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
- * All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-package org.owasp.csrfguard.action;
-
-import javax.servlet.http.*;
-
-import org.owasp.csrfguard.*;
-
-public final class SessionAttribute extends AbstractAction {
-
-	private static final long serialVersionUID = 1367492926060283228L;
-
-	@Override
-	public void execute(HttpServletRequest request, HttpServletResponse response, CsrfGuardException csrfe, CsrfGuard csrfGuard) throws CsrfGuardException {
-		String attributeName = getParameter("AttributeName");
-		HttpSession session = request.getSession(false);
-
-		if (session != null) {
-			session.setAttribute(attributeName, csrfe);
-		}
-	}
-	
-}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/ConfigurationProvider.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/ConfigurationProvider.java
index fff88bc..a51d55a 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/ConfigurationProvider.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/ConfigurationProvider.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,124 +26,306 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.config;
 
+import org.owasp.csrfguard.action.IAction;
+import org.owasp.csrfguard.log.ILogger;
+import org.owasp.csrfguard.token.storage.LogicalSessionExtractor;
+import org.owasp.csrfguard.token.storage.TokenHolder;
+
 import java.security.SecureRandom;
+import java.time.Duration;
 import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
 
-import org.owasp.csrfguard.action.IAction;
-import org.owasp.csrfguard.log.ILogger;
-
+/**
+ * TODO document
+ */
 public interface ConfigurationProvider {
 
-	/** @return true when this configuration provider can be cached for a minute, i.e. it is all setup */
-	boolean isCacheable();
-	
-	boolean isPrintConfig();
-	
-	ILogger getLogger();
-
-	String getTokenName();
-
-	/**
-	 * If csrf guard filter should check even if there is no session for the user
-	 * Note: this changed around 2014/04, the default behavior used to be to 
-	 * not check if there is no session.  If you want the legacy behavior (if your app
-	 * is not susceptible to CSRF if the user has no session), set this to false
-	 * @return true when validation is performed even when no session exists
-	 */
-	public boolean isValidateWhenNoSessionExists();
-	
-	int getTokenLength();
-
-	boolean isRotateEnabled();
-
-	boolean isTokenPerPageEnabled();
-
-	boolean isTokenPerPagePrecreateEnabled();
-
-	SecureRandom getPrng();
-
-	String getNewTokenLandingPage();
-
-	boolean isUseNewTokenLandingPage();
-
-	boolean isAjaxEnabled();
-
-	boolean isProtectEnabled();
-
-	String getSessionKey();
-
-	Set<String> getProtectedPages();
-
-	Set<String> getUnprotectedPages();
-
-	Set<String> getProtectedMethods();
-
-	/**
-	 * if there are methods here, then all other HTTP methods are protected and these (e.g. GET) are unprotected
-	 * @return the unprotected methods
-	 */
-	Set<String> getUnprotectedMethods();
-
-	/**
-	 * if the filter is enabled
-	 * @return is csrf guard filter is enabled
-	 */
-	boolean isEnabled();
-	
-	List<IAction> getActions();
-	
-	String getJavascriptSourceFile();
-
-	boolean isJavascriptDomainStrict();
-	
-	String getDomainOrigin();
-
-	String getJavascriptCacheControl();
-
-	Pattern getJavascriptRefererPattern();
-	 
- 	/**
-	 * if the token should be injected in GET forms (which will be on the URL)
-	 * if the HTTP method GET is unprotected, then this should likely be false
-	 * @return true if the token should be injected in GET forms via Javascript
-	 */
-	boolean isJavascriptInjectGetForms();
- 	
-	/**
-	 * if the token should be injected in the action in forms
-	 * note, if injectIntoForms is true, then this might not need to be true
-	 * @return if inject
-	 */
-	boolean isJavascriptInjectFormAttributes();
-	
-	boolean isJavascriptInjectIntoForms();
-
-	/**
-	 * if the referer to the javascript must match match the protocol of the domain
-	 * @return true if the javascript must match the protocol of the domain
-	 */
-	boolean isJavascriptRefererMatchProtocol();
-
-	/**
-	 * if the referer to the javascript must match domain
-	 * @return true if the javascript must match domain
-	 */
-	boolean isJavascriptRefererMatchDomain();
-
-	boolean isJavascriptInjectIntoAttributes();
-
-	String getJavascriptXrequestedWith();
-
-	String getJavascriptTemplateCode();
-	
-	/**
-	 * example:"js,css,gif,png,ico,jpg"
-	 * @return
-	 */
-	String getJavascriptUnprotectedExtensions();
+    /**
+     * TODO document
+     *
+     * @return true when this configuration provider can be cached for a minute, i.e. it is all setup
+     */
+    boolean isCacheable();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    boolean isPrintConfig();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    ILogger getLogger();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    String getTokenName();
+
+    /**
+     * If csrf guard filter should check even if there is no session for the user
+     * Note: this changed around 2014/04, the default behavior used to be to
+     * not check if there is no session.  If you want the legacy behavior (if your app
+     * is not susceptible to CSRF if the user has no session), set this to false
+     *
+     * @return true when validation is performed even when no session exists
+     */
+    boolean isValidateWhenNoSessionExists();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    int getTokenLength();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    boolean isRotateEnabled();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    boolean isTokenPerPageEnabled();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    boolean isTokenPerPagePrecreateEnabled();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    SecureRandom getPrng();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    String getNewTokenLandingPage();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    boolean isUseNewTokenLandingPage();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    boolean isAjaxEnabled();
+
+    /**
+     * The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.<br>
+     * If the Protect property is enabled, this behavior is reversed. Pages must be marked as protected to be protected.
+     * All other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*),
+     * but you only want to protect a few pages.
+     *
+     * @return false if all pages are protected, true if pages are required to be explicit protected
+     */
+    boolean isProtectEnabled();
+
+    /**
+     * TODO document
+     *
+     * @return whether or not the legacy Synchronous AJAX requests are enabled
+     */
+    boolean isForceSynchronousAjax();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    Set<String> getProtectedPages();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    Set<String> getUnprotectedPages();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    Set<String> getProtectedMethods();
+
+    /**
+     * if there are methods here, then all other HTTP methods are protected and these (e.g. GET) are unprotected
+     *
+     * @return the unprotected methods
+     */
+    Set<String> getUnprotectedMethods();
+
+    /**
+     * if the filter is enabled
+     *
+     * @return is csrf guard filter is enabled
+     */
+    boolean isEnabled();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    List<IAction> getActions();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    String getJavascriptSourceFile();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    boolean isJavascriptDomainStrict();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    String getDomainOrigin();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    String getJavascriptCacheControl();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    Pattern getJavascriptRefererPattern();
+
+    /**
+     * if the token should be injected in GET forms (which will be on the URL)
+     * if the HTTP method GET is unprotected, then this should likely be false
+     *
+     *  @return true if the token should be injected in GET forms via Javascript
+     */
+    boolean isJavascriptInjectGetForms();
+
+    /**
+     * if the token should be injected in the action in forms
+     * note, if injectIntoForms is true, then this might not need to be true
+     *
+     * @return if inject
+     */
+    boolean isJavascriptInjectFormAttributes();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    boolean isJavascriptInjectIntoForms();
+
+    /**
+     * if the referer to the javascript must match the protocol of the domain
+     *
+     * @return true if the javascript must match the protocol of the domain
+     */
+    boolean isJavascriptRefererMatchProtocol();
+
+    /**
+     * if the referer to the javascript must match domain
+     *
+     *  @return true if the javascript must match domain
+     */
+    boolean isJavascriptRefererMatchDomain();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    boolean isJavascriptInjectIntoAttributes();
+
+    /**
+     * TODO
+     * @return
+     */
+    boolean isJavascriptInjectIntoDynamicallyCreatedNodes();
+
+    /**
+     * TODO
+     * @return
+     */
+    String getJavascriptDynamicNodeCreationEventName();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    String getJavascriptXrequestedWith();
+
+    /**
+     * TODO document
+     *
+     * @return
+     */
+    String getJavascriptTemplateCode();
+
+    /**
+     * TODO document
+     * example: "js,css,gif,png,ico,jpg"
+     *
+     * @return
+     */
+    String getJavascriptUnprotectedExtensions();
+
+    /**
+     * TODO document
+     * @return
+     */
+    TokenHolder getTokenHolder();
+
+    /**
+     * TODO document
+     * @return
+     */
+    LogicalSessionExtractor getLogicalSessionExtractor();
 
+    /**
+     * TODO document
+     * @return
+     */
+    Duration getPageTokenSynchronizationTolerance();
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/ConfigurationProviderFactory.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/ConfigurationProviderFactory.java
index 94d35fa..454c230 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/ConfigurationProviderFactory.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/ConfigurationProviderFactory.java
@@ -1,4 +1,33 @@
-/**
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
  * @author mchyzer
  * $Id$
  */
@@ -11,11 +40,11 @@
  */
 public interface ConfigurationProviderFactory {
 
-	/**
-	 * called when retrieving the configuration
-	 * @param properties describing the configuration
-	 * @return the configuration
-	 */
-	public ConfigurationProvider retrieveConfiguration(Properties properties);
-
+    /**
+     * Called when retrieving the configuration
+     *
+     * @param properties describing the configuration
+     * @return the configuration
+     */
+    ConfigurationProvider retrieveConfiguration(Properties properties);
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/NullConfigurationProvider.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/NullConfigurationProvider.java
index 8aed1aa..b68ed35 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/NullConfigurationProvider.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/NullConfigurationProvider.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,257 +26,234 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.config;
 
+import org.owasp.csrfguard.action.IAction;
+import org.owasp.csrfguard.config.properties.ConfigParameters;
+import org.owasp.csrfguard.log.ConsoleLogger;
+import org.owasp.csrfguard.log.ILogger;
+import org.owasp.csrfguard.token.storage.LogicalSessionExtractor;
+import org.owasp.csrfguard.token.storage.TokenHolder;
+
 import java.security.SecureRandom;
+import java.time.Duration;
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
 
-import org.owasp.csrfguard.action.IAction;
-import org.owasp.csrfguard.log.ConsoleLogger;
-import org.owasp.csrfguard.log.ILogger;
-
 /**
- * ConfigurationProvider which returns all null or empty values (except for the logger).
+ * {@link ConfigurationProvider} which returns all null or empty values (except for the logger).
  * Used before initialization has occurred.
  */
 public final class NullConfigurationProvider implements ConfigurationProvider {
 
-	private static final ILogger logger = new ConsoleLogger();
-	
-	public NullConfigurationProvider() {
-	}
-
-	@Override
-	public ILogger getLogger() {
-		return logger;
-	}
-
-	@Override
-	public String getTokenName() {
-		return null;
-	}
-
-	@Override
-	public int getTokenLength() {
-		return 0;
-	}
-
-	@Override
-	public boolean isRotateEnabled() {
-		return false;
-	}
-
-	@Override
-	public boolean isTokenPerPageEnabled() {
-		return false;
-	}
-
-	@Override
-	public boolean isTokenPerPagePrecreateEnabled() {
-		return false;
-	}
-
-	@Override
-	public SecureRandom getPrng() {
-		try {
-			return SecureRandom.getInstance("SHA1PRNG", "SUN");
-		} catch (Exception e) {
-			throw new RuntimeException(e);
-		}
-	}
-
-	@Override
-	public String getNewTokenLandingPage() {
-		return null;
-	}
-
-	@Override
-	public boolean isUseNewTokenLandingPage() {
-		return false;
-	}
-
-	@Override
-	public boolean isAjaxEnabled() {
-		return false;
-	}
-
-	@Override
-	public boolean isProtectEnabled() {
-		return false;
-	}
-
-	@Override
-	public String getSessionKey() {
-		return null;
-	}
-
-	@Override
-	public Set<String> getProtectedPages() {
-		return Collections.emptySet();
-	}
-
-	@Override
-	public Set<String> getUnprotectedPages() {
-		return Collections.emptySet();
-	}
-
-	@Override
-	public Set<String> getProtectedMethods() {
-		return Collections.emptySet();
-	}
-
-	@Override
-	public List<IAction> getActions() {
-		return Collections.emptyList();
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isPrintConfig()
-	 */
-	@Override
-	public boolean isPrintConfig() {
-		return false;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getJavascriptSourceFile()
-	 */
-	@Override
-	public String getJavascriptSourceFile() {
-		return null;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptDomainStrict()
-	 */
-	@Override
-	public boolean isJavascriptDomainStrict() {
-		return false;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getJavascriptCacheControl()
-	 */
-	@Override
-	public String getJavascriptCacheControl() {
-		return null;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getJavascriptRefererPattern()
-	 */
-	@Override
-	public Pattern getJavascriptRefererPattern() {
-		return null;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptInjectIntoForms()
-	 */
-	@Override
-	public boolean isJavascriptInjectIntoForms() {
-		return false;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptInjectIntoAttributes()
-	 */
-	@Override
-	public boolean isJavascriptInjectIntoAttributes() {
-		return false;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getJavascriptXrequestedWith()
-	 */
-	@Override
-	public String getJavascriptXrequestedWith() {
-		return null;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getJavascriptTemplateCode()
-	 */
-	@Override
-	public String getJavascriptTemplateCode() {
-		return null;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isCacheable()
-	 */
-	public boolean isCacheable() {
-		return true;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getUnprotectedMethods()
-	 */
-	public Set<String> getUnprotectedMethods() {
-		return Collections.emptySet();
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptRefererMatchProtocol()
-	 */
-	@Override
-	public boolean isJavascriptRefererMatchProtocol() {
-		return false;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptRefererMatchDomain()
-	 */
-	@Override
-	public boolean isJavascriptRefererMatchDomain() {
-		return false;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isEnabled()
-	 */
-	@Override
-	public boolean isEnabled() {
-		return false;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isValidateWhenNoSessionExists()
-	 */
-	@Override
-	public boolean isValidateWhenNoSessionExists() {
-		return false;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptInjectGetForms()
-	 */
-	public boolean isJavascriptInjectGetForms() {
-		return false;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptInjectFormAttributes()
-	 */
-	public boolean isJavascriptInjectFormAttributes() {
-		return false;
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getDomainOrigin()
-	 */
-	@Override
-	public String getDomainOrigin() {
-		return null;
-	}
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getJavascriptUnprotectedExtensions()
-	 */
-	@Override
-	public String getJavascriptUnprotectedExtensions() {
-		return null;
-	}
+    private static final ILogger LOGGER = new ConsoleLogger();
+
+    public NullConfigurationProvider() {}
+
+    @Override
+    public boolean isCacheable() {
+        return true;
+    }
+
+    @Override
+    public boolean isPrintConfig() {
+        return false;
+    }
+
+    @Override
+    public ILogger getLogger() {
+        return LOGGER;
+    }
+
+    @Override
+    public String getTokenName() {
+        return null;
+    }
+
+    @Override
+    public boolean isValidateWhenNoSessionExists() {
+        return false;
+    }
+
+    @Override
+    public int getTokenLength() {
+        return 0;
+    }
+
+    @Override
+    public boolean isRotateEnabled() {
+        return false;
+    }
+
+    @Override
+    public boolean isTokenPerPageEnabled() {
+        return false;
+    }
+
+    @Override
+    public boolean isTokenPerPagePrecreateEnabled() {
+        return false;
+    }
+
+    @Override
+    public SecureRandom getPrng() {
+        try {
+            return SecureRandom.getInstance(ConfigParameters.DEFAULT_PRNG.getValue(), ConfigParameters.DEFAULT_PRNG.getKey());
+        } catch (final Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Override
+    public String getNewTokenLandingPage() {
+        return null;
+    }
+
+    @Override
+    public boolean isUseNewTokenLandingPage() {
+        return false;
+    }
+
+    @Override
+    public boolean isAjaxEnabled() {
+        return false;
+    }
+
+    @Override
+    public boolean isProtectEnabled() {
+        return false;
+    }
+
+    @Override
+    public boolean isForceSynchronousAjax() {
+        return false;
+    }
+
+    @Override
+    public Set<String> getProtectedPages() {
+        return Collections.emptySet();
+    }
+
+    @Override
+    public Set<String> getUnprotectedPages() {
+        return Collections.emptySet();
+    }
+
+    @Override
+    public Set<String> getProtectedMethods() {
+        return Collections.emptySet();
+    }
+
+    @Override
+    public Set<String> getUnprotectedMethods() {
+        return Collections.emptySet();
+    }
+
+    @Override
+    public boolean isEnabled() {
+        return false;
+    }
+
+    @Override
+    public List<IAction> getActions() {
+        return Collections.emptyList();
+    }
+
+    @Override
+    public String getJavascriptSourceFile() {
+        return null;
+    }
+
+    @Override
+    public boolean isJavascriptDomainStrict() {
+        return false;
+    }
+
+    @Override
+    public String getDomainOrigin() {
+        return null;
+    }
+
+    @Override
+    public String getJavascriptCacheControl() {
+        return null;
+    }
+
+    @Override
+    public Pattern getJavascriptRefererPattern() {
+        return null;
+    }
+
+    @Override
+    public boolean isJavascriptInjectGetForms() {
+        return false;
+    }
+
+    @Override
+    public boolean isJavascriptInjectFormAttributes() {
+        return false;
+    }
+
+    @Override
+    public boolean isJavascriptInjectIntoForms() {
+        return false;
+    }
+
+    @Override
+    public boolean isJavascriptRefererMatchProtocol() {
+        return false;
+    }
+
+    @Override
+    public boolean isJavascriptRefererMatchDomain() {
+        return false;
+    }
+
+    @Override
+    public boolean isJavascriptInjectIntoAttributes() {
+        return false;
+    }
+
+    @Override
+    public boolean isJavascriptInjectIntoDynamicallyCreatedNodes() {
+        return false;
+    }
+
+    @Override
+    public String getJavascriptDynamicNodeCreationEventName() {
+        return null;
+    }
+
+    @Override
+    public String getJavascriptXrequestedWith() {
+        return null;
+    }
+
+    @Override
+    public String getJavascriptTemplateCode() {
+        return null;
+    }
+
+    @Override
+    public String getJavascriptUnprotectedExtensions() {
+        return null;
+    }
+
+    @Override
+    public TokenHolder getTokenHolder() {
+        return null;
+    }
+
+    @Override
+    public LogicalSessionExtractor getLogicalSessionExtractor() {
+        return null;
+    }
+
+    @Override
+    public Duration getPageTokenSynchronizationTolerance() {
+        return null;
+    }
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/NullConfigurationProviderFactory.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/NullConfigurationProviderFactory.java
index 86e8923..7b6179d 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/NullConfigurationProviderFactory.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/NullConfigurationProviderFactory.java
@@ -1,36 +1,53 @@
-/**
- * @author mchyzer
- * $Id$
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.config;
 
 import java.util.Properties;
 
 /**
- *
+ * TODO document
  */
-public class NullConfigurationProviderFactory implements
-		ConfigurationProviderFactory {
+public class NullConfigurationProviderFactory implements ConfigurationProviderFactory {
 
-	/**
-	 * 
-	 */
-	public NullConfigurationProviderFactory() {
-	}
+	public NullConfigurationProviderFactory() {}
 
 	/**
-	 * cache this it doesnt change
+	 * cache this it doesn't change
 	 */
 	private static ConfigurationProvider configurationProvider = null;
 	
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProviderFactory#retrieveConfiguration(java.util.Properties)
-	 */
-	public ConfigurationProvider retrieveConfiguration(Properties properties) {
+	@Override
+	public ConfigurationProvider retrieveConfiguration(final Properties properties) {
 		if (configurationProvider == null) {
 			configurationProvider = new NullConfigurationProvider();
 		}
 		return configurationProvider;
 	}
-
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/PropertiesConfigurationProvider.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/PropertiesConfigurationProvider.java
index 0d6fee8..fe37965 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/PropertiesConfigurationProvider.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/PropertiesConfigurationProvider.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,593 +26,641 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-package org.owasp.csrfguard.config;
-
-import java.io.IOException;
-import java.security.SecureRandom;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-import java.util.regex.Pattern;
 
-import javax.servlet.ServletConfig;
+package org.owasp.csrfguard.config;
 
-import org.owasp.csrfguard.CsrfGuardServletContextListener;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.tuple.Pair;
 import org.owasp.csrfguard.action.IAction;
+import org.owasp.csrfguard.config.properties.ConfigParameters;
+import org.owasp.csrfguard.config.properties.HttpMethod;
+import org.owasp.csrfguard.config.properties.PropertyUtils;
+import org.owasp.csrfguard.config.properties.javascript.JavaScriptConfigParameters;
+import org.owasp.csrfguard.config.properties.javascript.JsConfigParameter;
 import org.owasp.csrfguard.log.ILogger;
+import org.owasp.csrfguard.log.LogLevel;
 import org.owasp.csrfguard.servlet.JavaScriptServlet;
+import org.owasp.csrfguard.token.storage.LogicalSessionExtractor;
+import org.owasp.csrfguard.token.storage.TokenHolder;
 import org.owasp.csrfguard.util.CsrfGuardUtils;
+import org.owasp.csrfguard.util.RegexValidationUtil;
+
+import javax.servlet.ServletConfig;
+import java.io.IOException;
+import java.security.*;
+import java.time.Duration;
+import java.util.*;
+import java.util.function.IntPredicate;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 /**
- * ConfifgurationProvider based on a java.util.Properties object.
- *
+ * {@link ConfigurationProvider} based on a {@link java.util.Properties} object.
  */
 public class PropertiesConfigurationProvider implements ConfigurationProvider {
 
-	private final static String ACTION_PREFIX = "org.owasp.csrfguard.action.";
+	private final ILogger logger;
 
-	private final static String PROTECTED_PAGE_PREFIX = "org.owasp.csrfguard.protected.";
-	
-	private final static String UNPROTECTED_PAGE_PREFIX = "org.owasp.csrfguard.unprotected.";
+	private final Set<String> protectedPages;
 
-	private final ILogger logger;
+	private final Set<String> unprotectedPages;
+
+	private final Set<String> protectedMethods;
 
-	private final String tokenName;
+	private final Set<String> unprotectedMethods;
 
-	private final int tokenLength;
+	private final List<IAction> actions;
 
-	private final boolean rotate;
+	private final Properties propertiesCache;
 
 	private final boolean enabled;
-	
-	private final boolean tokenPerPage;
 
-	private final boolean tokenPerPagePrecreate;
+	private String tokenName;
 
-	private final boolean printConfig;
-	
-	private final SecureRandom prng;
+	private int tokenLength;
 
-	private final String newTokenLandingPage;
+	private boolean rotate;
 
-	private final boolean useNewTokenLandingPage;
+	private boolean tokenPerPage;
 
-	private final boolean ajax;
-	
-	private final boolean protect;
-	
-	private final String sessionKey;
-	
-	private final Set<String> protectedPages;
+	private boolean tokenPerPagePrecreate;
 
-	private final Set<String> unprotectedPages;
+	private boolean printConfig;
 
-	private final Set<String> protectedMethods;
+	private SecureRandom prng;
 
-	private final Set<String> unprotectedMethods;
+	private String newTokenLandingPage;
+
+	private boolean useNewTokenLandingPage;
+
+	private boolean ajax;
+
+	private boolean protect;
+
+	private boolean forceSynchronousAjax;
 
-	private final List<IAction> actions;
-	
-	private Properties propertiesCache;
-	
 	private String domainOrigin;
-	
-	public PropertiesConfigurationProvider(Properties properties) {
+
+	private Duration pageTokenSynchronizationTolerance;
+
+	private boolean validationWhenNoSessionExists;
+
+	private boolean javascriptParamsInitialized = false;
+
+	private String javascriptTemplateCode;
+
+	private String javascriptSourceFile;
+
+	private boolean javascriptDomainStrict;
+
+	private String javascriptCacheControl;
+
+	private Pattern javascriptRefererPattern;
+
+	private boolean javascriptInjectIntoForms;
+
+	private boolean javascriptRefererMatchProtocol;
+
+	private boolean javascriptInjectIntoAttributes;
+
+	private boolean isJavascriptInjectIntoDynamicallyCreatedNodes;
+
+	private String javascriptDynamicNodeCreationEventName;
+
+	private String javascriptXrequestedWith;
+
+	private boolean javascriptInjectGetForms;
+
+	private boolean javascriptRefererMatchDomain;
+
+	private boolean javascriptInjectFormAttributes;
+
+	private String javascriptUnprotectedExtensions;
+
+	private LogicalSessionExtractor logicalSessionExtractor;
+
+	private TokenHolder tokenHolder;
+
+	public PropertiesConfigurationProvider(final Properties properties) {
 		try {
 			this.propertiesCache = properties;
-			actions = new ArrayList<IAction>();
-			protectedPages = new HashSet<String>();
-			unprotectedPages = new HashSet<String>();
-			protectedMethods = new HashSet<String>();
-			unprotectedMethods = new HashSet<String>();
-			/** load simple properties **/
-			logger = (ILogger) Class.forName(propertyString(properties, "org.owasp.csrfguard.Logger", "org.owasp.csrfguard.log.ConsoleLogger")).newInstance();
-			tokenName = propertyString(properties, "org.owasp.csrfguard.TokenName", "OWASP-CSRFGUARD");
-			tokenLength = Integer.parseInt(propertyString(properties, "org.owasp.csrfguard.TokenLength", "32"));
-			rotate = Boolean.valueOf(propertyString(properties, "org.owasp.csrfguard.Rotate", "false"));
-			tokenPerPage = Boolean.valueOf(propertyString(properties, "org.owasp.csrfguard.TokenPerPage", "false"));
-
-			this.validationWhenNoSessionExists = Boolean.valueOf(propertyString(properties, "org.owasp.csrfguard.ValidateWhenNoSessionExists", "true"));
-			this.domainOrigin = propertyString(properties, "org.owasp.csrfguard.domainOrigin", null);
-			tokenPerPagePrecreate = Boolean.valueOf(propertyString(properties, "org.owasp.csrfguard.TokenPerPagePrecreate", "false"));
-			prng = SecureRandom.getInstance(propertyString(properties, "org.owasp.csrfguard.PRNG", "SHA1PRNG"), propertyString(properties, "org.owasp.csrfguard.PRNG.Provider", "SUN"));
-			newTokenLandingPage = propertyString(properties, "org.owasp.csrfguard.NewTokenLandingPage");
-	
-			printConfig = Boolean.valueOf(propertyString(properties, "org.owasp.csrfguard.Config.Print", "false"));
-
-			this.enabled = Boolean.valueOf(propertyString(properties, "org.owasp.csrfguard.Enabled", "true"));
-			
-			//default to false if newTokenLandingPage is not set; default to true if set.
-			if (newTokenLandingPage == null) {
-				useNewTokenLandingPage = Boolean.valueOf(propertyString(properties, "org.owasp.csrfguard.UseNewTokenLandingPage", "false"));
-			} else {
-				useNewTokenLandingPage = Boolean.valueOf(propertyString(properties, "org.owasp.csrfguard.UseNewTokenLandingPage", "true"));
-			}
-			sessionKey = propertyString(properties, "org.owasp.csrfguard.SessionKey", "OWASP_CSRFGUARD_KEY");
-			ajax = Boolean.valueOf(propertyString(properties, "org.owasp.csrfguard.Ajax", "false"));
-			protect = Boolean.valueOf(propertyString(properties, "org.owasp.csrfguard.Protect", "false"));
-	
-			/** first pass: instantiate actions **/
-			Map<String, IAction> actionsMap = new HashMap<String, IAction>();
-	
-			for (Object obj : properties.keySet()) {
-				String key = (String) obj;
-	
-				if (key.startsWith(ACTION_PREFIX)) {
-					String directive = key.substring(ACTION_PREFIX.length());
-					int index = directive.indexOf('.');
-	
-					/** action name/class **/
-					if (index < 0) {
-						String actionClass = propertyString(properties, key);
-						IAction action = (IAction) Class.forName(actionClass).newInstance();
-	
-						action.setName(directive);
-						actionsMap.put(action.getName(), action);
-						actions.add(action);
-					}
-				}
-			}
-	
-			/** second pass: initialize action parameters **/
-			for (Object obj : properties.keySet()) {
-				String key = (String) obj;
-	
-				if (key.startsWith(ACTION_PREFIX)) {
-					String directive = key.substring(ACTION_PREFIX.length());
-					int index = directive.indexOf('.');
-	
-					/** action name/class **/
-					if (index >= 0) {
-						String actionName = directive.substring(0, index);
-						IAction action = actionsMap.get(actionName);
-	
-						if (action == null) {
-							throw new IOException(String.format("action class %s has not yet been specified", actionName));
-						}
-	
-						String parameterName = directive.substring(index + 1);
-						String parameterValue = propertyString(properties, key);
-	
-						action.setParameter(parameterName, parameterValue);
-					}
-				}
-			}
-	
-			/** ensure at least one action was defined **/
-			if (actions.size() <= 0) {
-				throw new IOException("failure to define at least one action");
-			}
-	
-			/** initialize protected, unprotected pages **/
-			for (Object obj : properties.keySet()) {
-				String key = (String) obj;
-				
-				if (key.startsWith(PROTECTED_PAGE_PREFIX)) {
-					String directive = key.substring(PROTECTED_PAGE_PREFIX.length());
-					int index = directive.indexOf('.');
-	
-					/** page name/class **/
-					if (index < 0) {
-						String pageUri = propertyString(properties, key);
-						
-						protectedPages.add(pageUri);
-					}
-				}
-	
-				if (key.startsWith(UNPROTECTED_PAGE_PREFIX)) {
-					String directive = key.substring(UNPROTECTED_PAGE_PREFIX.length());
-					int index = directive.indexOf('.');
-	
-					/** page name/class **/
-					if (index < 0) {
-						String pageUri = propertyString(properties, key);
-						
-						unprotectedPages.add(pageUri);
-					}
-				}
-			}
-	
-			/** initialize protected methods **/
-			String methodList = propertyString(properties, "org.owasp.csrfguard.ProtectedMethods");
-			if (methodList != null && methodList.trim().length() != 0) {
-				for (String method : methodList.split(",")) {
-					protectedMethods.add(method.trim());
-				}
-			}
-			/** initialize unprotected methods **/
-			methodList = propertyString(properties, "org.owasp.csrfguard.UnprotectedMethods");
-			if (methodList != null && methodList.trim().length() != 0) {
-				for (String method : methodList.split(",")) {
-					unprotectedMethods.add(method.trim());
-				}
+			this.actions = new ArrayList<>();
+			this.protectedPages = new HashSet<>();
+			this.unprotectedPages = new HashSet<>();
+			this.protectedMethods = new HashSet<>();
+			this.unprotectedMethods = new HashSet<>();
+
+			this.logger = CsrfGuardUtils.<ILogger>forName(PropertyUtils.getProperty(properties, ConfigParameters.LOGGER)).newInstance();
+
+            this.enabled = PropertyUtils.getProperty(properties, ConfigParameters.CSRFGUARD_ENABLED);
+
+            if (this.enabled) {
+				this.tokenName = PropertyUtils.getProperty(properties, ConfigParameters.TOKEN_NAME);
+				this.tokenLength = getTokenLength(properties);
+				this.rotate = PropertyUtils.getProperty(properties, ConfigParameters.ROTATE);
+				this.tokenPerPage = PropertyUtils.getProperty(properties, ConfigParameters.TOKEN_PER_PAGE);
+
+				this.validationWhenNoSessionExists = PropertyUtils.getProperty(properties, ConfigParameters.VALIDATE_WHEN_NO_SESSION_EXISTS);
+				this.domainOrigin = PropertyUtils.getProperty(properties, ConfigParameters.DOMAIN_ORIGIN);
+				this.tokenPerPagePrecreate = PropertyUtils.getProperty(properties, ConfigParameters.TOKEN_PER_PAGE_PRECREATE);
+
+				this.prng = getSecureRandomInstance(properties);
+
+				this.printConfig = PropertyUtils.getProperty(properties, ConfigParameters.PRINT_ENABLED);
+
+				this.protect = PropertyUtils.getProperty(properties, ConfigParameters.CSRFGUARD_PROTECT);
+				this.forceSynchronousAjax = PropertyUtils.getProperty(properties, ConfigParameters.FORCE_SYNCHRONOUS_AJAX);
+
+				this.newTokenLandingPage = PropertyUtils.getProperty(properties, ConfigParameters.NEW_TOKEN_LANDING_PAGE);
+				this.useNewTokenLandingPage = PropertyUtils.getProperty(properties, ConfigParameters.getUseNewTokenLandingPage(this.newTokenLandingPage));
+
+				this.ajax = PropertyUtils.getProperty(properties, ConfigParameters.AJAX_ENABLED);
+
+				this.pageTokenSynchronizationTolerance = PropertyUtils.getProperty(properties, ConfigParameters.PAGE_TOKEN_SYNCHRONIZATION_TOLERANCE);
+
+				initializeTokenPersistenceConfigurations(properties);
+
+				initializeActionParameters(properties, instantiateActions(properties));
+
+				initializePageProtection(properties);
+
+				initializeMethodProtection(properties);
 			}
-		} catch (Exception e) {
+		} catch (final Exception e) {
 			throw new RuntimeException(e);
 		}
 	}
-	
-	private boolean javascriptParamsInitted = false;
-	
-	private void javascriptInitParamsIfNeeded() {
-		if (!this.javascriptParamsInitted) {
-			ServletConfig servletConfig = JavaScriptServlet.getStaticServletConfig();
-			
-			if (servletConfig != null) {
-				
-				this.javascriptCacheControl = CsrfGuardUtils.getInitParameter(servletConfig, "cache-control",  
-						propertyString(this.propertiesCache, "org.owasp.csrfguard.JavascriptServlet.cacheControl"), "private, maxage=28800");
-				this.javascriptDomainStrict = Boolean.valueOf(CsrfGuardUtils.getInitParameter(servletConfig, "domain-strict",  
-						propertyString(this.propertiesCache, "org.owasp.csrfguard.JavascriptServlet.domainStrict"), "true"));
-				this.javascriptInjectIntoAttributes = Boolean.valueOf(CsrfGuardUtils.getInitParameter(servletConfig, "inject-into-attributes",  
-						propertyString(this.propertiesCache, "org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes"), "true"));
-
-				this.javascriptInjectGetForms = Boolean.valueOf(CsrfGuardUtils.getInitParameter(servletConfig, "inject-get-forms",  
-						propertyString(this.propertiesCache, "org.owasp.csrfguard.JavascriptServlet.injectGetForms"), "true"));
-
-				this.javascriptInjectFormAttributes = Boolean.valueOf(CsrfGuardUtils.getInitParameter(servletConfig, "inject-form-attributes",  
-						propertyString(this.propertiesCache, "org.owasp.csrfguard.JavascriptServlet.injectFormAttributes"), "true"));
-
-				this.javascriptInjectIntoForms = Boolean.valueOf(CsrfGuardUtils.getInitParameter(servletConfig, "inject-into-forms",  
-						propertyString(this.propertiesCache, "org.owasp.csrfguard.JavascriptServlet.injectIntoForms"), "true"));
-				
-				this.javascriptRefererPattern = Pattern.compile(CsrfGuardUtils.getInitParameter(servletConfig, "referer-pattern",  
-						propertyString(this.propertiesCache, "org.owasp.csrfguard.JavascriptServlet.refererPattern"), ".*"));
-
-				this.javascriptRefererMatchProtocol = Boolean.valueOf(CsrfGuardUtils.getInitParameter(servletConfig, "referer-match-protocol",
-						propertyString(this.propertiesCache, "org.owasp.csrfguard.JavascriptServlet.refererMatchProtocol"), "true"));
-
-				this.javascriptRefererMatchDomain = Boolean.valueOf(CsrfGuardUtils.getInitParameter(servletConfig, "referer-match-domain",  
-						propertyString(this.propertiesCache, "org.owasp.csrfguard.JavascriptServlet.refererMatchDomain"), "true"));
-				
-				/* unprotectedExtensions - default to none unless specified */
-				this.javascriptUnprotectedExtensions = CsrfGuardUtils.getInitParameter(servletConfig, "unprotected-extensions",  
-						propertyString(this.propertiesCache, "org.owasp.csrfguard.JavascriptServlet.UnprotectedExtensions"), "");
-
-				this.javascriptSourceFile = CsrfGuardUtils.getInitParameter(servletConfig, "source-file",
-						propertyString(this.propertiesCache, "org.owasp.csrfguard.JavascriptServlet.sourceFile"), null);
-				this.javascriptXrequestedWith = CsrfGuardUtils.getInitParameter(servletConfig, "x-requested-with",  
-						propertyString(this.propertiesCache, "org.owasp.csrfguard.JavascriptServlet.xRequestedWith"), "OWASP CSRFGuard Project");
-	            if(this.javascriptSourceFile == null) {
-	                this.javascriptTemplateCode = CsrfGuardUtils.readResourceFileContent("META-INF/csrfguard.js", true);
-	            } else if (this.javascriptSourceFile.startsWith("META-INF/")) {
-	                this.javascriptTemplateCode = CsrfGuardUtils.readResourceFileContent(this.javascriptSourceFile, true);
-	            } else if (this.javascriptSourceFile.startsWith("classpath:")) {
-	                final String location = this.javascriptSourceFile.substring("classpath:".length()).trim();
-	                this.javascriptTemplateCode = CsrfGuardUtils.readResourceFileContent(location, true);
-	            } else if (this.javascriptSourceFile.startsWith("file:")) {
-	                final String location = this.javascriptSourceFile.substring("file:".length()).trim();
-	                this.javascriptTemplateCode = CsrfGuardUtils.readFileContent(location);
-	            } else if (servletConfig.getServletContext().getRealPath(this.javascriptSourceFile) != null) {
-	            	this.javascriptTemplateCode = CsrfGuardUtils.readFileContent(
-	            			servletConfig.getServletContext().getRealPath(this.javascriptSourceFile));
-	            } else {
-                    throw new IllegalStateException("getRealPath failed for file " + this.javascriptSourceFile);
-                }
-										
-	    		this.javascriptParamsInitted = true;
-			}
-		}
-	}
-
-	/**
-	 * property string and substitutions
-	 * @param properties The properties from which to fetch a value
-	 * @param propertyName The name of the desired property
-	 * @return the value, with common substitutions performed
-	 * @see #commonSubstitutions(String)
-	 */
-	public static String propertyString(Properties properties, String propertyName) {
-		String value = properties.getProperty(propertyName);
-		value = commonSubstitutions(value);
-		return value;
-	}
 
-	/**
-	 * property string and substitutions
-	 * @param properties The properties from which to fetch a value
-	 * @param propertyName The name of the desired property
-	 * @param defaultValue The value to use when the propertyName does not exist
-	 * @return the value, with common substitutions performed
-	 * @see #commonSubstitutions(String)
-	 */
-	public static String propertyString(Properties properties, String propertyName, String defaultValue) {
-		String value = properties.getProperty(propertyName, defaultValue);
-		value = commonSubstitutions(value);
-		return value;
-	}
-	
+	@Override
 	public ILogger getLogger() {
-		return logger;
+		return this.logger;
 	}
 
+	@Override
 	public String getTokenName() {
-		return tokenName;
+		return this.tokenName;
 	}
 
+	@Override
 	public int getTokenLength() {
-		return tokenLength;
+		return this.tokenLength;
 	}
 
+	@Override
 	public boolean isRotateEnabled() {
-		return rotate;
+		return this.rotate;
 	}
 
-	/**
-	 * @see ConfigurationProvider#isValidateWhenNoSessionExists()
-	 */
 	@Override
 	public boolean isValidateWhenNoSessionExists() {
 		return this.validationWhenNoSessionExists;
 	}
 
-	/**
-	 * If csrf guard filter should check even if there is no session for the user
-	 * Note: this changed in 2014/04, the default behavior used to be to 
-	 * not check if there is no session.  If you want the legacy behavior (if your app
-	 * is not susceptible to CSRF if the user has no session), set this to false
-	 */
-	private final boolean validationWhenNoSessionExists;
-	
+	@Override
 	public boolean isTokenPerPageEnabled() {
-		return tokenPerPage;
+		return this.tokenPerPage;
 	}
 
+	@Override
 	public boolean isTokenPerPagePrecreateEnabled() {
-		return tokenPerPagePrecreate;
+		return this.tokenPerPagePrecreate;
 	}
 
+	@Override
 	public SecureRandom getPrng() {
-		return prng;
+		return this.prng;
 	}
 
+	@Override
 	public String getNewTokenLandingPage() {
-		return newTokenLandingPage;
+		return this.newTokenLandingPage;
 	}
 
+	@Override
 	public boolean isUseNewTokenLandingPage() {
-		return useNewTokenLandingPage;
+		return this.useNewTokenLandingPage;
 	}
 
+	@Override
 	public boolean isAjaxEnabled() {
-		return ajax;
+		return this.ajax;
 	}
 
+	@Override
 	public boolean isProtectEnabled() {
-		return protect;
+		return this.protect;
 	}
 
-	public String getSessionKey() {
-		return sessionKey;
+	@Override
+	public boolean isForceSynchronousAjax() {
+		return this.forceSynchronousAjax;
 	}
 
+	@Override
 	public Set<String> getProtectedPages() {
-		return protectedPages;
+		return this.protectedPages;
 	}
 
+	@Override
 	public Set<String> getUnprotectedPages() {
-		return unprotectedPages;
+		return this.unprotectedPages;
 	}
 
+	@Override
 	public Set<String> getProtectedMethods () {
-		return protectedMethods;
+		return this.protectedMethods;
 	}
 
-	/**
-	 * if there are methods here, they are unprotected (e.g. GET), and all others are protected
-	 * @return the unprotected methods
-	 */
 	@Override
 	public Set<String> getUnprotectedMethods () {
 		return this.unprotectedMethods;
 	}
 
+	@Override
 	public List<IAction> getActions() {
-		return actions;
+		return this.actions;
 	}
 
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isPrintConfig()
-	 */
+	@Override
 	public boolean isPrintConfig() {
 		return this.printConfig;
 	}
 
-	private String javascriptTemplateCode;
-
-	private String javascriptSourceFile;
-	
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getJavascriptSourceFile()
-	 */
 	@Override
 	public String getJavascriptSourceFile() {
 		this.javascriptInitParamsIfNeeded();
-		return javascriptSourceFile;
+		return this.javascriptSourceFile;
 	}
 
-	private boolean javascriptDomainStrict;
-	
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptDomainStrict()
-	 */
 	@Override
 	public boolean isJavascriptDomainStrict() {
 		this.javascriptInitParamsIfNeeded();
-		return javascriptDomainStrict;
+		return this.javascriptDomainStrict;
 	}
 
-	private String javascriptCacheControl;
-	
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getJavascriptCacheControl()
-	 */
 	@Override
 	public String getJavascriptCacheControl() {
 		this.javascriptInitParamsIfNeeded();
-		return javascriptCacheControl;
+		return this.javascriptCacheControl;
 	}
 
-	private Pattern javascriptRefererPattern;
-	
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getJavascriptRefererPattern()
-	 */
 	@Override
 	public Pattern getJavascriptRefererPattern() {
 		this.javascriptInitParamsIfNeeded();
-		return javascriptRefererPattern;
+		return this.javascriptRefererPattern;
 	}
 
-	private boolean javascriptInjectIntoForms;
-
-	private boolean javascriptRefererMatchProtocol;
-
-	/**
-	 * if the referer must match domain
-	 */
-	private boolean javascriptRefererMatchDomain;
-
-	/**
-	 * if the referer protocol must match protocol on the domain
-	 * @return the isJavascriptRefererMatchProtocol
-	 */
 	@Override
 	public boolean isJavascriptRefererMatchProtocol() {
 		this.javascriptInitParamsIfNeeded();
 		return this.javascriptRefererMatchProtocol;
 	}
 
-	/**
-	 * if the referer must match domain
-	 * @return the javascriptRefererMatchDomain
-	 */
 	@Override
 	public boolean isJavascriptRefererMatchDomain() {
 		this.javascriptInitParamsIfNeeded();
 		return this.javascriptRefererMatchDomain;
 	}
 
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptInjectIntoForms()
-	 */
 	@Override
 	public boolean isJavascriptInjectIntoForms() {
 		this.javascriptInitParamsIfNeeded();
-		return javascriptInjectIntoForms;
+		return this.javascriptInjectIntoForms;
 	}
 
-	private boolean javascriptInjectIntoAttributes;
-	
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptInjectIntoAttributes()
-	 */
 	@Override
 	public boolean isJavascriptInjectIntoAttributes() {
 		this.javascriptInitParamsIfNeeded();
 		return this.javascriptInjectIntoAttributes;
 	}
 
-	private String javascriptXrequestedWith;
-	
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getJavascriptXrequestedWith()
-	 */
-	@Override
+    @Override
+    public boolean isJavascriptInjectIntoDynamicallyCreatedNodes() {
+		this.javascriptInitParamsIfNeeded();
+		return this.isJavascriptInjectIntoDynamicallyCreatedNodes;
+    }
+
+    @Override
+    public String getJavascriptDynamicNodeCreationEventName() {
+		this.javascriptInitParamsIfNeeded();
+		return this.javascriptDynamicNodeCreationEventName;
+    }
+
+    @Override
 	public String getJavascriptXrequestedWith() {
 		this.javascriptInitParamsIfNeeded();
-		return javascriptXrequestedWith;
+		return this.javascriptXrequestedWith;
 	}
 
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getJavascriptTemplateCode()
-	 */
 	@Override
 	public String getJavascriptTemplateCode() {
 		this.javascriptInitParamsIfNeeded();
 		return this.javascriptTemplateCode;
 	}
 
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isCacheable()
-	 */
 	public boolean isCacheable() {
-		//dont cache this until the javascript params are all set
-		//i.e. the javascript servlet is 
-		return this.javascriptParamsInitted;
-	}
-
-
-	/**
-	 * Replaces percent-bounded expressions such as "%servletContext%."
-	 * common subsitutions in config values
-	 * @param input A string with expressions that should be replaced
-	 * @return new string with "common" expressions replaced by configuration values
-	 */
-	public static String commonSubstitutions(String input) {
-		if (input == null || !input.contains("%")) {
-			return input;
-		}
-		input = input.replace("%servletContext%", CsrfGuardUtils.defaultString(CsrfGuardServletContextListener.getServletContext()));
-		return input;
+		/* don't cache this until the javascript params are all set i.e. the javascript servlet is */
+		return this.javascriptParamsInitialized;
 	}
 
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isEnabled()
-	 */
 	@Override
 	public boolean isEnabled() {
 		return this.enabled;
 	}
-	
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptInjectGetForms()
-	 */
-	private boolean javascriptInjectGetForms;
-	
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptInjectGetForms()
-	 */
+
+	@Override
 	public boolean isJavascriptInjectGetForms() {
 		this.javascriptInitParamsIfNeeded();
 		return this.javascriptInjectGetForms;
 	}
 
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptInjectFormAttributes()
-	 */
-	private boolean javascriptInjectFormAttributes;
-	
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#isJavascriptInjectFormAttributes()
-	 */
+	@Override
 	public boolean isJavascriptInjectFormAttributes() {
 		this.javascriptInitParamsIfNeeded();
 		return this.javascriptInjectFormAttributes;
 	}
 
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getDomainOrigin()
-	 */
 	@Override
 	public String getDomainOrigin() {
-		return domainOrigin;
+		return this.domainOrigin;
 	}
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getDomainOrigin()
-	 */
-	private String javascriptUnprotectedExtensions;
-	
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProvider#getDomainOrigin()
-	 */
+
 	@Override
 	public String getJavascriptUnprotectedExtensions() {
 		this.javascriptInitParamsIfNeeded();
 		return this.javascriptUnprotectedExtensions;
 	}
+
+	@Override
+	public TokenHolder getTokenHolder() {
+		return this.tokenHolder;
+	}
+
+	@Override
+	public LogicalSessionExtractor getLogicalSessionExtractor() {
+		return this.logicalSessionExtractor;
+	}
+
+    @Override
+    public Duration getPageTokenSynchronizationTolerance() {
+        return this.pageTokenSynchronizationTolerance;
+    }
+
+    private Map<String, IAction> instantiateActions(final Properties properties) throws InstantiationException, IllegalAccessException {
+		final Map<String, IAction> actionsMap = new HashMap<>();
+
+		for (final Object obj : properties.keySet()) {
+			final String propertyKey = (String) obj;
+
+			final String actionProperty = getPrimaryPropertyDirective(propertyKey, ConfigParameters.ACTION_PREFIX);
+
+			if (Objects.nonNull(actionProperty)) {
+				final String actionClass = PropertyUtils.getProperty(properties, propertyKey);
+				final IAction action = CsrfGuardUtils.<IAction>forName(actionClass).newInstance();
+
+				action.setName(actionProperty);
+				actionsMap.put(action.getName(), action);
+				this.actions.add(action);
+			}
+		}
+		return actionsMap;
+	}
+
+	private void initializeMethodProtection(final Properties properties) {
+		this.protectedMethods.addAll(initializeMethodProtection(properties, ConfigParameters.PROTECTED_METHODS));
+		this.unprotectedMethods.addAll(initializeMethodProtection(properties, ConfigParameters.UNPROTECTED_METHODS));
+
+		final HashSet<String> intersection = new HashSet<>(this.protectedMethods);
+		intersection.retainAll(this.unprotectedMethods);
+
+		if (!intersection.isEmpty()) {
+			throw new IllegalArgumentException(String.format("The %s HTTP method(s) cannot be both protected and unprotected.", intersection));
+		}
+	}
+
+	private static Set<String> initializeMethodProtection(final Properties properties, final String configParameterName) {
+		final String methodProtectionValue = PropertyUtils.getProperty(properties, configParameterName);
+		if (StringUtils.isNotBlank(methodProtectionValue)) {
+			final Set<String> httpMethods = Arrays.stream(methodProtectionValue.split(",")).map(String::trim).collect(Collectors.toSet());
+			HttpMethod.validate(httpMethods);
+			return httpMethods;
+		}
+		return Collections.emptySet();
+	}
+
+	private void initializePageProtection(final Properties properties) {
+		for (final Object obj : properties.keySet()) {
+			final String propertyKey = (String) obj;
+
+			final String protectedPage = getPageProperty(properties, propertyKey, ConfigParameters.PROTECTED_PAGE_PREFIX);
+
+			if (Objects.nonNull(protectedPage)) {
+				this.protectedPages.add(protectedPage);
+			} else {
+				final String unProtectedPage = getPageProperty(properties, propertyKey, ConfigParameters.UNPROTECTED_PAGE_PREFIX);
+				if (Objects.nonNull(unProtectedPage)) {
+					this.unprotectedPages.add(unProtectedPage);
+				}
+			}
+		}
+	}
+
+	private void initializeActionParameters(final Properties properties, final Map<String, IAction> actionsMap) throws IOException {
+		for (final Object obj : properties.keySet()) {
+			final String propertyKey = (String) obj;
+
+			final Pair<String, Integer> actionParameterProperty = getParameterPropertyDirective(propertyKey, ConfigParameters.ACTION_PREFIX);
+
+			if (Objects.nonNull(actionParameterProperty)) {
+				final String directive = actionParameterProperty.getKey();
+				final int index = actionParameterProperty.getValue();
+
+				final String actionName = directive.substring(0, index);
+				final IAction action = actionsMap.get(actionName);
+
+				final String parameterName = directive.substring(index + 1);
+				final String parameterValue = PropertyUtils.getProperty(properties, propertyKey);
+
+				action.setParameter(parameterName, parameterValue);
+			}
+		}
+
+		/* ensure at least one action was defined */
+		if (this.actions.isEmpty()) {
+			throw new IOException("At least one action that will be called in case of CSRF attacks must be defined!");
+		}
+	}
+
+	private static Pair<String, Integer> getParameterPropertyDirective(final String propertyKey, final String propertyKeyPrefix) {
+		return getPropertyDirective(propertyKey, propertyKeyPrefix, i -> i >= 0);
+	}
+
+	private static String getPrimaryPropertyDirective(final String propertyKey, final String propertyKeyPrefix) {
+		final Pair<String, Integer> propertyDirective = getPropertyDirective(propertyKey, propertyKeyPrefix, i -> i < 0);
+
+		return Objects.isNull(propertyDirective) ? null : propertyDirective.getKey();
+	}
+
+	private static Pair<String, Integer> getPropertyDirective(final String propertyKey, final String propertyKeyPrefix, final IntPredicate directivePredicate) {
+		Pair<String, Integer> result = null;
+		if (propertyKey.startsWith(propertyKeyPrefix)) {
+			final String directive = propertyKey.substring(propertyKeyPrefix.length());
+			final int index = directive.indexOf('.');
+
+			if (directivePredicate.test(index)) {
+				result = Pair.of(directive, index);
+			}
+		}
+
+		return result;
+	}
+
+	private String getPageProperty(final Properties properties, final String propertyKey, final String propertyKeyPrefix) {
+		String result = null;
+		final String pageProperty = getPrimaryPropertyDirective(propertyKey, propertyKeyPrefix);
+
+		if (Objects.nonNull(pageProperty)) {
+			final String pageUri = PropertyUtils.getProperty(properties, propertyKey);
+
+			result = isSpecialUriDescriptor(pageUri) ? pageUri
+													 : CsrfGuardUtils.normalizeResourceURI(pageUri);
+		}
+
+		return result;
+	}
+
+	/**
+	 * Decides whether the given resourceUri is a static descriptor or a matching rule
+	 * Has to be in sync with org.owasp.csrfguard.CsrfValidator.isUriMatch(java.lang.String, java.lang.String) and calculatePageTokenForUri in the JS logic
+	 */
+	private boolean isSpecialUriDescriptor(final String resourceUri) {
+		if (this.tokenPerPage && (resourceUri.endsWith("/*") || resourceUri.startsWith("*."))) {
+			// FIXME implement in the JS logic (calculatePageTokenForUri)
+			this.logger.log(LogLevel.Warning, "'Extension' and 'partial path wildcard' matching for page tokens is not supported properly yet! " +
+											  "Every resource will be assigned a new unique token instead of using the defined resource matcher token. " +
+											  "Although this is not a security issue, in case of a large REST application it can have an impact on performance. " +
+											  "Consider using regular expressions instead.");
+		}
+
+		return RegexValidationUtil.isTestPathRegex(resourceUri) || resourceUri.startsWith("/*") || resourceUri.endsWith("/*") || resourceUri.startsWith("*.");
+	}
+
+	private void javascriptInitParamsIfNeeded() {
+		if (!this.javascriptParamsInitialized) {
+			final ServletConfig servletConfig = JavaScriptServlet.getStaticServletConfig();
+
+			if (servletConfig != null) {
+
+				this.javascriptCacheControl = getProperty(JavaScriptConfigParameters.CACHE_CONTROL, servletConfig);
+				this.javascriptDomainStrict = getProperty(JavaScriptConfigParameters.DOMAIN_STRICT, servletConfig);
+				this.javascriptInjectIntoAttributes = getProperty(JavaScriptConfigParameters.INJECT_INTO_ATTRIBUTES, servletConfig);
+				this.javascriptInjectGetForms = getProperty(JavaScriptConfigParameters.INJECT_GET_FORMS, servletConfig);
+				this.javascriptInjectFormAttributes = getProperty(JavaScriptConfigParameters.INJECT_FORM_ATTRIBUTES, servletConfig);
+				this.javascriptInjectIntoForms = getProperty(JavaScriptConfigParameters.INJECT_INTO_FORMS, servletConfig);
+				this.isJavascriptInjectIntoDynamicallyCreatedNodes = getProperty(JavaScriptConfigParameters.INJECT_INTO_DYNAMICALLY_CREATED_NODES, servletConfig);
+				this.javascriptDynamicNodeCreationEventName = getProperty(JavaScriptConfigParameters.DYNAMIC_NODE_CREATION_EVENT_NAME, servletConfig);
+				this.javascriptRefererPattern = Pattern.compile(getProperty(JavaScriptConfigParameters.REFERER_PATTERN, servletConfig));
+				this.javascriptRefererMatchProtocol = getProperty(JavaScriptConfigParameters.REFERER_MATCH_PROTOCOL, servletConfig);
+				this.javascriptRefererMatchDomain = getProperty(JavaScriptConfigParameters.REFERER_MATCH_DOMAIN, servletConfig);
+				this.javascriptUnprotectedExtensions = getProperty(JavaScriptConfigParameters.UNPROTECTED_EXTENSIONS, servletConfig);
+				this.javascriptSourceFile = getProperty(JavaScriptConfigParameters.SOURCE_FILE, servletConfig);
+				this.javascriptXrequestedWith = getProperty(JavaScriptConfigParameters.X_REQUESTED_WITH, servletConfig);
+
+				if (StringUtils.isBlank(this.javascriptSourceFile)) {
+					this.javascriptTemplateCode = CsrfGuardUtils.readResourceFileContent("META-INF/csrfguard.js");
+				} else if (this.javascriptSourceFile.startsWith("META-INF/")) {
+					this.javascriptTemplateCode = CsrfGuardUtils.readResourceFileContent(this.javascriptSourceFile);
+				} else if (this.javascriptSourceFile.startsWith("classpath:")) {
+					final String location = this.javascriptSourceFile.substring("classpath:".length()).trim();
+					this.javascriptTemplateCode = CsrfGuardUtils.readResourceFileContent(location);
+				} else if (this.javascriptSourceFile.startsWith("file:")) {
+					final String location = this.javascriptSourceFile.substring("file:".length()).trim();
+					this.javascriptTemplateCode = CsrfGuardUtils.readFileContent(location);
+				} else if (servletConfig.getServletContext().getRealPath(this.javascriptSourceFile) != null) {
+					this.javascriptTemplateCode = CsrfGuardUtils.readFileContent(servletConfig.getServletContext().getRealPath(this.javascriptSourceFile));
+				} else {
+					throw new IllegalStateException("getRealPath failed for file " + this.javascriptSourceFile);
+				}
+
+				this.javascriptParamsInitialized = true;
+			}
+		}
+	}
+
+	private <T> T getProperty(final JsConfigParameter<T> jsConfigParameter, final ServletConfig servletConfig) {
+		return jsConfigParameter.getProperty(servletConfig, this.propertiesCache);
+	}
+
+	private void initializeTokenPersistenceConfigurations(final Properties properties) throws InstantiationException, IllegalAccessException {
+		final String logicalSessionExtractorName = PropertyUtils.getProperty(properties, ConfigParameters.LOGICAL_SESSION_EXTRACTOR_NAME);
+		if (StringUtils.isNoneBlank(logicalSessionExtractorName)) {
+			this.logicalSessionExtractor = CsrfGuardUtils.<LogicalSessionExtractor>forName(logicalSessionExtractorName).newInstance();
+
+			final String tokenHolderClassName = StringUtils.defaultIfBlank(PropertyUtils.getProperty(properties, ConfigParameters.TOKEN_HOLDER), ConfigParameters.TOKEN_HOLDER.getValue());
+			this.tokenHolder = CsrfGuardUtils.<TokenHolder>forName(tokenHolderClassName).newInstance();
+		} else {
+			throw new IllegalArgumentException(String.format("Mandatory parameter [%s] is missing from the configuration!", ConfigParameters.LOGICAL_SESSION_EXTRACTOR_NAME));
+		}
+	}
+
+	private int getTokenLength(final Properties properties) {
+		final int tokenLength = PropertyUtils.getProperty(properties, ConfigParameters.TOKEN_LENGTH);
+
+		if (tokenLength < 4) {
+			throw new IllegalArgumentException("The token length cannot be less than 4 characters. The recommended default value is: " + ConfigParameters.TOKEN_LENGTH.getDefaultValue());
+		}
+
+		return tokenLength;
+	}
+
+    private SecureRandom getSecureRandomInstance(final Properties properties) {
+        final String algorithm = PropertyUtils.getProperty(properties, ConfigParameters.PRNG);
+        final String provider = PropertyUtils.getProperty(properties, ConfigParameters.PRNG_PROVIDER);
+
+        return getSecureRandomInstance(algorithm, provider);
+    }
+
+    private SecureRandom getSecureRandomInstance(final String algorithm, final String provider) {
+		SecureRandom secureRandom;
+		try {
+			if (Objects.nonNull(provider)) {
+				secureRandom = Objects.nonNull(algorithm) ? SecureRandom.getInstance(algorithm, provider) : getDefaultSecureRandom();
+			} else {
+				secureRandom = Objects.nonNull(algorithm) ? SecureRandom.getInstance(algorithm) : getDefaultSecureRandom();
+			}
+		} catch (final NoSuchProviderException e) {
+			this.logger.log(LogLevel.Warning, String.format("The configured Secure Random Provider '%s' was not found, trying default providers.", provider));
+			this.logger.log(LogLevel.Info, getAvailableSecureRandomProvidersAndAlgorithms());
+
+			secureRandom = getSecureRandomInstance(algorithm, null);
+			logDefaultPrngProviderAndAlgorithm(secureRandom);
+		} catch (final NoSuchAlgorithmException nse) {
+			this.logger.log(LogLevel.Warning, String.format("The configured Secure Random Algorithm '%s' was not found, reverting to system defaults.", algorithm));
+			this.logger.log(LogLevel.Info, getAvailableSecureRandomProvidersAndAlgorithms());
+
+			secureRandom = getSecureRandomInstance(null, null);
+		}
+		return secureRandom;
+	}
+
+	private SecureRandom getDefaultSecureRandom() {
+		final SecureRandom defaultSecureRandom = new SecureRandom();
+		logDefaultPrngProviderAndAlgorithm(defaultSecureRandom);
+		return defaultSecureRandom;
+	}
+
+	private void logDefaultPrngProviderAndAlgorithm(final SecureRandom defaultSecureRandom) {
+		this.logger.log(LogLevel.Info, String.format("Using default Secure Random Provider '%s' and '%s' Algorithm.", defaultSecureRandom.getProvider().getName(), defaultSecureRandom.getAlgorithm()));
+	}
+
+	private static String getAvailableSecureRandomProvidersAndAlgorithms() {
+		final String prefix = "Available Secure Random providers and algorithms:" + System.lineSeparator();
+		return Stream.of(Security.getProviders())
+					 .map(Provider::getServices)
+					 .flatMap(Collection::stream)
+					 .filter(service -> SecureRandom.class.getSimpleName().equals(service.getType()))
+					 .map(service -> String.format("\tProvider: %s | Algorithm: %s", service.getProvider().getName(), service.getAlgorithm()))
+					 .collect(Collectors.joining(System.lineSeparator(), prefix, StringUtils.EMPTY));
+	}
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/PropertiesConfigurationProviderFactory.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/PropertiesConfigurationProviderFactory.java
index 2fdd5a6..fd16bdb 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/PropertiesConfigurationProviderFactory.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/PropertiesConfigurationProviderFactory.java
@@ -1,40 +1,60 @@
-/**
- * @author mchyzer
- * $Id$
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.config;
 
 import java.util.Properties;
 
 /**
- *
+ * TODO document
  */
-public class PropertiesConfigurationProviderFactory implements
-		ConfigurationProviderFactory {
+public class PropertiesConfigurationProviderFactory implements ConfigurationProviderFactory {
 
 	/**
-	 * 
+	 * TODO document
 	 */
-	public PropertiesConfigurationProviderFactory() {
-	}
+	public PropertiesConfigurationProviderFactory() {}
 
 	/**
-	 * cache this since it doesnt change
+	 * cache this since it doesn't change
 	 */
 	private static ConfigurationProvider configurationProvider = null;
 	
-	/**
-	 * @see org.owasp.csrfguard.config.ConfigurationProviderFactory#retrieveConfiguration(java.util.Properties)
-	 */
-	public ConfigurationProvider retrieveConfiguration(Properties properties) {
+	@Override
+	public ConfigurationProvider retrieveConfiguration(final Properties properties) {
 		if (configurationProvider == null) {
 			try {
 				configurationProvider = new PropertiesConfigurationProvider(properties);
-			} catch (Exception e) {
+			} catch (final Exception e) {
 				throw new RuntimeException(e);
 			}
 		}
 		return configurationProvider;
 	}
-
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeBase.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeBase.java
index 605ff2a..663bedd 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeBase.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeBase.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,45 +26,31 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.config.overlay;
 
+import org.owasp.csrfguard.log.ILogger;
+import org.owasp.csrfguard.log.LogLevel;
+
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.InputStream;
 import java.io.StringReader;
 import java.net.URL;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.LinkedHashMap;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-import java.util.regex.Pattern;
-
-import org.owasp.csrfguard.log.ILogger;
-import org.owasp.csrfguard.log.LogLevel;
-import org.owasp.csrfguard.util.CsrfGuardUtils;
-
+import java.util.*;
 
 /**
  * Base class for a cascaded config.  Extend this class to have a config
  * based on a certain file. 
- * 
+ *
+ * This code is copied from the <a href="https://github.com/Internet2/grouper">Grouper</a> project
+ *
+ * see https://github.com/Internet2/grouper/blob/master/grouper-misc/grouperActivemq/dist/bin/edu/internet2/middleware/grouperActivemq/config/ConfigPropertiesCascadeBase.java
  * @author mchyzer
  *
  */
 public abstract class ConfigPropertiesCascadeBase {
 
-	/**
-	 * help subclasses manipulate properties.  note, this is only for subclasses...
-	 * @return properties
-	 */
-	protected Properties internalProperties() {
-		return this.properties;
-	}
-
 	/** if a key ends with this, then it is an EL property */
 	private static final String EL_CONFIG_SUFFIX = ".elConfig";
 
@@ -97,7 +83,6 @@ protected static <T extends ConfigPropertiesCascadeBase> T retrieveConfig(Class<
 		return (T)configPropertiesCascadeBase.retrieveFromConfigFileOrCache();
 	}
 
-
 	/**
 	 * if it's ok to put the config file in the same directory as a jar,
 	 * then return a class in the jar here
@@ -113,14 +98,8 @@ protected Class<?> getClassInSiblingJar() {
 	 */
 	protected abstract String getSecondsToCheckConfigKey();
 
-	/**
-	 * if there are things that are calculated, clear them out (e.g. if an override is set)
-	 */
-	public abstract void clearCachedCalculatedValues();
-
 	/** override map for properties in thread local to be used in a web server or the like */
-	private static ThreadLocal<Map<Class<? extends ConfigPropertiesCascadeBase>, Map<String, String>>> propertiesThreadLocalOverrideMap 
-	= null;
+	private static ThreadLocal<Map<Class<? extends ConfigPropertiesCascadeBase>, Map<String, String>>> propertiesThreadLocalOverrideMap = null;
 
 	/**
 	 * override map for properties in thread local to be used in a web server or the like, based on property class
@@ -148,20 +127,7 @@ public Map<String, String> propertiesThreadLocalOverrideMap() {
 	/** override map for properties, for testing, put properties in here, based on config class
 	 * this is static since the properties class can get reloaded, but these shouldn't
 	 */
-	private static Map<Class<? extends ConfigPropertiesCascadeBase>, Map<String, String>> propertiesOverrideMap 
-	= null;
-
-	/**
-	 * @return the set of property names
-	 * @see java.util.Hashtable#keySet()
-	 */
-	@SuppressWarnings("unchecked")
-	public Set<String> propertyNames() {    
-
-		Set<String> result = new LinkedHashSet<String>();
-		result.addAll((Set<String>)(Object)this.propertiesHelper(false).keySet());
-		return result;
-	}
+	private static Map<Class<? extends ConfigPropertiesCascadeBase>, Map<String, String>> propertiesOverrideMap = null;
 
 	/**
 	 * override map for properties for testing
@@ -241,205 +207,6 @@ protected Properties propertiesHelper(boolean setValues) {
 	/** properties from the properties file(s) */
 	private Properties properties = new Properties();
 
-	/**
-	 * get the property value as a string
-	 * @param key The property name
-	 * @return the property value, or null if not found
-	 */
-	public String propertyValueStringRequired(String key) {
-		return propertyValueString(key, null, true).getTheValue();
-	}
-
-	/**
-	 * get the property value as a string
-	 * @param key The property name
-	 * @param defaultValue The value used when such property value is found (in place of null)
-	 * @return the property value
-	 */
-	public String propertyValueString(String key, String defaultValue) {
-		return propertyValueString(key, defaultValue, false).getTheValue();
-	}
-
-	/**
-	 * get the property value as a string or null if not there
-	 * @param key The property name
-	 * @return the property value
-	 */
-	public String propertyValueString(String key) {
-		return propertyValueString(key, null, false).getTheValue();
-	}
-
-	/**
-	 * result of a property value
-	 */
-	static class PropertyValueResult {
-
-
-		/**
-		 * 
-		 * @param theValue1 property value
-		 * @param hasKey1 whether or not the key exists
-		 */
-		public PropertyValueResult(String theValue1, boolean hasKey1) {
-			super();
-			this.theValue = theValue1;
-			this.hasKey = hasKey1;
-		}
-
-
-		/** value from lookup */
-		private String theValue;
-
-		/** if there is a key in the properties file */
-		private boolean hasKey;
-
-
-		/**
-		 * value from lookup
-		 * @return the theValue
-		 */
-		public String getTheValue() {
-			return this.theValue;
-		}
-
-
-		/**
-		 * value from lookup
-		 * @param theValue1 the theValue to set
-		 */
-		public void setTheValue(String theValue1) {
-			this.theValue = theValue1;
-		}
-
-
-		/**
-		 * if there is a key in the properties file
-		 * @return the hasKey
-		 */
-		public boolean isHasKey() {
-			return this.hasKey;
-		}
-
-
-		/**
-		 * if there is a key in the properties file
-		 * @param hasKey1 the hasKey to set
-		 */
-		public void setHasKey(boolean hasKey1) {
-			this.hasKey = hasKey1;
-		}
-
-	}
-
-	/**
-	 * get the property value as a string
-	 * @param key property key
-	 * @param defaultValue value to use when key is not found
-	 * @param required When true, throw an exception if the key does not exist
-	 * @return the property value
-	 */
-	protected PropertyValueResult propertyValueString(String key, String defaultValue, boolean required) {
-		if (key.endsWith(EL_CONFIG_SUFFIX)) {
-			throw new RuntimeException("Why does key end in suffix??? " + EL_CONFIG_SUFFIX + ", " + key);
-		}
-		return propertyValueStringHelper(key, defaultValue, required);
-	}
-
-	/**
-	 * get the property value as a string
-	 * @param key property key
-	 * @param defaultValue value to use when key is not found
-	 * @param required When true, throw an exception if the key does not exist
-	 * @return the property value
-	 */
-	protected PropertyValueResult propertyValueStringHelper(String key, String defaultValue, boolean required) {
-
-		//lets look for EL
-		if (!key.endsWith(EL_CONFIG_SUFFIX)) {
-
-			PropertyValueResult elPropertyValueResult = propertyValueStringHelper(key + EL_CONFIG_SUFFIX, null, false);
-
-			if (elPropertyValueResult.isHasKey()) {
-
-				//process the EL
-				String result = ConfigPropertiesCascadeUtils.substituteExpressionLanguage(elPropertyValueResult.getTheValue(), null, true, true, true, false);
-				PropertyValueResult propertyValueResult = new PropertyValueResult(result, true);
-				return propertyValueResult;
-			}
-
-		}
-
-		//first check threadlocal map
-		boolean hasKey = false;
-		Map<String, String> overrideMap = propertiesThreadLocalOverrideMap();
-
-		hasKey = overrideMap == null ? false : overrideMap.containsKey(key);
-		String value = hasKey ? overrideMap.get(key) : null;
-		if (!hasKey) {
-
-			overrideMap = propertiesOverrideMap();
-
-			hasKey = overrideMap == null ? null : overrideMap.containsKey(key);
-			value = hasKey ? overrideMap.get(key) : null;
-		}
-		if (!hasKey) {
-			hasKey = this.properties.containsKey(key);
-			value = hasKey ? this.properties.getProperty(key) : null;
-		}
-		if (!required && !hasKey) {
-			return new PropertyValueResult(defaultValue, false);
-		}
-		if (required && !hasKey) {
-			String error = "Cant find property: " + key + " in properties file: " + this.getMainConfigClasspath() + ", it is required";
-
-			throw new RuntimeException(error);
-		}
-		value = ConfigPropertiesCascadeUtils.trim(value);
-		value = substituteCommonVars(value);
-
-		if (!required && ConfigPropertiesCascadeUtils.isBlank(value)) {
-			return new PropertyValueResult(null, true);
-		}
-
-		//do the validation if this is required
-		if (required && ConfigPropertiesCascadeUtils.isBlank(value)) {
-			String error = "Property " + key + " in properties file: " + this.getMainConfigClasspath() + ", has a blank value, it is required";
-
-			throw new RuntimeException(error);
-		}
-
-		return new PropertyValueResult(value, true);
-	}
-
-	/**
-	 * substitute common vars like $space$ and $newline$
-	 * @param string input string
-	 * @return new string with some dollar-delimited tokens replaced
-	 */
-	protected static String substituteCommonVars(String string) {
-		if (string != null && string.indexOf('$') < 0 ) {
-			//might have $space$
-			string = ConfigPropertiesCascadeUtils.replace(string, "$space$", " ");
-
-			//note, at some point we could be OS specific
-			string = ConfigPropertiesCascadeUtils.replace(string, "$newline$", "\n");
-		}
-		return string;
-	}
-
-	/**
-	 * when this config object was created
-	 */
-	private long createdTime = System.currentTimeMillis();
-
-	/**
-	 * when this config object was created
-	 * @return the createdTime
-	 */
-	long getCreatedTime() {
-		return this.createdTime;
-	}
-
 	/**
 	 * when this config object was created or last checked for changes
 	 */
@@ -572,14 +339,6 @@ protected static class ConfigFile {
 		private String originalConfig;
 
 
-		/**
-		 * keep the original config string for logging purposes, e.g. file:/a/b/c.properties
-		 * @return the originalConfig
-		 */
-		public String getOriginalConfig() {
-			return this.originalConfig;
-		}
-
 		/**
 		 * the contents when the config file was read
 		 */
@@ -613,12 +372,12 @@ public String retrieveContents(ConfigPropertiesCascadeBase configPropertiesCasca
 			} catch (Exception e) {
 				throw new RuntimeException("Problem reading config: '" + this.originalConfig + "'", e);
 			} finally {
-				CsrfGuardUtils.closeQuietly(inputStream);
+				ConfigPropertiesCascadeCommonUtils.closeQuietly(inputStream);
 			}
 		}
 
 		/**
-		 * 
+		 *
 		 * @param configFileFullConfig The config file location reference such as file:/some/path/config.properties
 		 */
 		public ConfigFile(String configFileFullConfig) {
@@ -659,25 +418,6 @@ public ConfigFile(String configFileFullConfig) {
 		private String configFileTypeConfig;
 
 
-		/**
-		 * the type of config file (file path, classpath, etc)
-		 * @return the configFileType
-		 */
-		public ConfigFileType getConfigFileType() {
-			return this.configFileType;
-		}
-
-
-		/**
-		 * the config part which says which file or classpath etc
-		 * @return the configFileTypeConfig
-		 */
-		public String getConfigFileTypeConfig() {
-			return this.configFileTypeConfig;
-		}
-
-
-
 	}
 
 	/**
@@ -717,21 +457,19 @@ protected ConfigPropertiesCascadeBase retrieveFromConfigFiles() {
 				if (ConfigPropertiesCascadeUtils.isBlank(secondsToCheckConfigString)) {
 					secondsToCheckConfigString = mainExampleConfigFile.getProperty(this.getSecondsToCheckConfigKey());
 				}
-
 			}
-
 		}
 
 		//if hasnt found yet, there is a problem
 		if (ConfigPropertiesCascadeUtils.isBlank(overrideFullConfig)) {
-			throw new RuntimeException("Cant find the hierarchy config key: " + this.getHierarchyConfigKey() 
+			throw new RuntimeException("Cant find the hierarchy config key: " + this.getHierarchyConfigKey()
 					+ " in config files: " + this.getMainConfigClasspath()
 					+ " or " + this.getMainExampleConfigClasspath());
 		}
 
 		//if hasnt found yet, there is a problem
 		if (ConfigPropertiesCascadeUtils.isBlank(secondsToCheckConfigString)) {
-			throw new RuntimeException("Cant find the seconds to check config key: " + this.getSecondsToCheckConfigKey() 
+			throw new RuntimeException("Cant find the seconds to check config key: " + this.getSecondsToCheckConfigKey()
 					+ " in config files: " + this.getMainConfigClasspath()
 					+ " or " + this.getMainExampleConfigClasspath());
 		}
@@ -743,7 +481,7 @@ protected ConfigPropertiesCascadeBase retrieveFromConfigFiles() {
 			result.timeToCheckConfigSeconds = ConfigPropertiesCascadeUtils.intValue(secondsToCheckConfigString);
 		} catch (Exception e) {
 			throw new RuntimeException("Invalid integer seconds to check config config value: " + secondsToCheckConfigString
-					+ ", key: " + this.getSecondsToCheckConfigKey() 
+					+ ", key: " + this.getSecondsToCheckConfigKey()
 					+ " in config files: " + this.getMainConfigClasspath()
 					+ " or " + this.getMainExampleConfigClasspath());
 
@@ -948,8 +686,6 @@ protected boolean filesNeedReloadingBasedOnContents() {
 		return false;
 	}
 
-
-
 	/**
 	 * get the main config classpath, e.g. csrf guard properties
 	 * @return the classpath of the main config file
@@ -968,173 +704,21 @@ protected boolean filesNeedReloadingBasedOnContents() {
 	 */
 	protected abstract String getMainExampleConfigClasspath();
 
-	/**
-	 * get a boolean and validate from csrf guard properties
-	 * @param key property key
-	 * @param defaultValue valud to use when key is missing
-	 * @return true when the property value represents an affirmative string such as {true, t, yes, y}
-	 */
-	public boolean propertyValueBoolean(String key, boolean defaultValue) {
-		return propertyValueBoolean(key, defaultValue, false);
-	}
-
-	/**
-	 * if the key is there, whether or not the value is blank
-	 * @param key property key
-	 * @return true or false
-	 */
-	public boolean containsKey(String key) {
-
-		return propertyValueString(key, null, false).isHasKey();
-
-	}
-
-	/**
-	 * get a boolean and validate from csrf guard properties or null if not there
-	 * @param key property key
-	 * @return the boolean or null
-	 */
-	public Boolean propertyValueBoolean(String key) {
-		return propertyValueBoolean(key, null, false);
-	}
-
-
-	/**
-	 * get a boolean pop and validate from the config file
-	 * @param key property key
-	 * @param defaultValue Used when no property value is found for the given key, when the 'required' option is not set
-	 * @param required Whether or not a value is required to be present
-	 * @return true when property value is string is one of {true, t, yes, y} and false when one of {false, f, no, n}
-	 */
-	protected Boolean propertyValueBoolean(String key, Boolean defaultValue, boolean required) {
-		String value = propertyValueString(key, null, false).getTheValue();
-		if (ConfigPropertiesCascadeUtils.isBlank(value) && !required) {
-			return defaultValue;
-		}
-		if (ConfigPropertiesCascadeUtils.isBlank(value) && required) {
-			throw new RuntimeException("Cant find boolean property " + key + " in properties file: " + this.getMainConfigClasspath() + ", it is required, expecting true or false");
-		}
-		if ("true".equalsIgnoreCase(value)) {
-			return true;
-		}
-		if ("false".equalsIgnoreCase(value)) {
-			return false;
-		}
-		if ("t".equalsIgnoreCase(value)) {
-			return true;
-		}
-		if ("f".equalsIgnoreCase(value)) {
-			return false;
-		}
-		if ("yes".equalsIgnoreCase(value)) {
-			return true;
-		}
-		if ("no".equalsIgnoreCase(value)) {
-			return false;
-		}
-		if ("y".equalsIgnoreCase(value)) {
-			return true;
-		}
-		if ("n".equalsIgnoreCase(value)) {
-			return false;
-		}
-		throw new RuntimeException("Invalid boolean value: '" + value + "' for property: " + key 
-				+ " in properties file: " + this.getMainConfigClasspath() + ", expecting true or false");
-
-	}
-
-	/**
-	 * get an int and validate from the config file
-	 * @param key property key
-	 * @param defaultValue Used when no property value is found for the given key, when the 'required' option is not set
-	 * @param required Whether or not a value is required to be present
-	 * @return the property value
-	 */
-	protected Integer propertyValueInt(String key, Integer defaultValue, boolean required) {
-		String value = propertyValueString(key, null, false).getTheValue();
-		if (ConfigPropertiesCascadeUtils.isBlank(value) && !required) {
-			return defaultValue;
-		}
-		if (ConfigPropertiesCascadeUtils.isBlank(value) && required) {
-			throw new RuntimeException("Cant find integer property " + key + " in config file: " + this.getMainConfigClasspath() + ", it is required");
-		}
-		try {
-			return ConfigPropertiesCascadeUtils.intValue(value);
-		} catch (Exception e) {
-
-		}
-		throw new RuntimeException("Invalid integer value: '" + value + "' for property: " 
-				+ key + " in config file: " + this.getMainConfigClasspath() + " in properties file");
-
-	}
-
-	/**
-	 * get a boolean and validate from csrf guard properties
-	 * @param key property key
-	 * @return the boolean property value 
-	 */
-	public boolean propertyValueBooleanRequired(String key) {
-
-		return propertyValueBoolean(key, false, true);
-
-	}
-
-	/**
-	 * get a boolean and validate from csrf guard properties
-	 * @param key property key
-	 * @return the integer property value 
-	 */
-	public int propertyValueIntRequired(String key) {
-
-		return propertyValueInt(key, -1, true);
-
-	}
-
-	/**
-	 * get a boolean and validate from csrf guard properties
-	 * @param key property key
-	 * @param defaultValue Used when key not found
-	 * @return the property value
-	 */
-	public int propertyValueInt(String key, int defaultValue ) {
-
-		return propertyValueInt(key, defaultValue, false);
-
-	}
-
-	/**
-	 * get a boolean and validate from csrf guard properties
-	 * @param key property key
-	 * @return the int or null if there
-	 */
-	public Integer propertyValueInt(String key ) {
-
-		return propertyValueInt(key, null, false);
-
-	}
-
 	/**
 	 * read properties from a resource, don't modify the properties returned since they are cached
 	 * @param resourceName Name of properties resource
 	 * @param exceptionIfNotExist When true, throw an exception if an URL for the resource name cannot be constructued
 	 * @return the properties or null if not exist
 	 */
-	protected static Properties propertiesFromResourceName(String resourceName, 
-			boolean exceptionIfNotExist) {
-
+	protected static Properties propertiesFromResourceName(String resourceName, boolean exceptionIfNotExist) {
 		Properties properties = new Properties();
-
 		URL url = null;
 
 		try {
-
 			url = ConfigPropertiesCascadeUtils.computeUrl(resourceName, true);
-
 		} catch (Exception e) {
-
 			//I guess this ok
 			logInfo("Problem loading config file: " + resourceName, e); 
-
 		}
 
 		if (url == null && exceptionIfNotExist) {
@@ -1159,117 +743,4 @@ protected static Properties propertiesFromResourceName(String resourceName,
 		return properties;
 	}
 
-	/**
-	 * make sure a value exists in properties
-	 * @param key property key
-	 * @return true if property exists with non-blank value, false otherwise
-	 */
-	public boolean assertPropertyValueRequired(String key) {
-		String value = propertyValueString(key);
-		if (!ConfigPropertiesCascadeUtils.isBlank(value)) {
-			return true;
-		}
-		String error = "Cant find property " + key + " in resource: " + this.getMainConfigClasspath() + ", it is required";
-		System.err.println("CSRF guard error: " + error);
-		ILogger iLogger = iLogger();
-		if (iLogger != null) {
-			iLogger.log(LogLevel.Error, error);
-		}
-		return false;
-	}
-
-	/**
-	 * make sure a value is boolean in properties
-	 * @param key property key
-	 * @param required whether or not the key is required to be present
-	 * @return true if ok, false if not
-	 */
-	public boolean assertPropertyValueBoolean(String key, boolean required) {
-
-		if (required && !assertPropertyValueRequired(key)) {
-			return false;
-		}
-
-		String value = propertyValueString(key);
-		//maybe ok not there
-		if (!required && ConfigPropertiesCascadeUtils.isBlank(value)) {
-			return true;
-		}
-		try {
-			ConfigPropertiesCascadeUtils.booleanValue(value);
-			return true;
-		} catch (Exception e) {
-
-		}
-		String error = "Expecting true or false property " + key + " in resource: " + this.getMainConfigClasspath() + ", but is '" + value + "'";
-		System.err.println("csrf guard error: " + error);
-		ILogger iLogger = iLogger();
-		if (iLogger != null) {
-			iLogger.log(LogLevel.Error, error);
-		}
-		return false;
-	}
-
-	/**
-	 * make sure a property is a class of a certain type
-	 * @param key property key
-	 * @param classType Desired class type
-	 * @param required Whether or not key must be present and have non-blank value
-	 * @return true if ok
-	 */
-	public boolean assertPropertyValueClass(
-			String key, Class<?> classType, boolean required) {
-
-		if (required && !assertPropertyValueRequired(key)) {
-			return false;
-		}
-		String value = propertyValueString(key);
-
-		//maybe ok not there
-		if (!required && ConfigPropertiesCascadeUtils.isBlank(value)) {
-			return true;
-		}
-
-		String extraError = "";
-		try {
-
-
-			Class<?> theClass = ConfigPropertiesCascadeUtils.forName(value);
-			if (classType.isAssignableFrom(theClass)) {
-				return true;
-			}
-			extraError = " does not derive from class: " + classType.getSimpleName();
-
-		} catch (Exception e) {
-			extraError = ", " + ConfigPropertiesCascadeUtils.getFullStackTrace(e);
-		}
-		String error = "Cant process property " + key + " in resource: " + this.getMainConfigClasspath() + ", the current" +
-				" value is '" + value + "', which should be of type: " 
-				+ classType.getName() + extraError;
-		System.err.println("csrf guard error: " + error);
-		ILogger iLogger = iLogger();
-		if (iLogger != null) {
-			iLogger.log(LogLevel.Error, error);
-		}
-		return false;
-	}
-
-	/**
-	 * find all keys/values with a certain pattern in a properties file.
-	 * return the keys.  if none, will return the empty set, not null set
-	 * @param pattern expression matched against property names
-	 * @return the matching keys.  if none, will return the empty set, not null set
-	 */
-	public Map<String, String> propertiesMap(Pattern pattern) {
-		Map<String, String> result = new LinkedHashMap<String, String>();
-		for (String key: propertyNames()) {
-			if (pattern.matcher(key).matches()) {
-				result.put(key, propertyValueString(key));
-			}
-		}
-
-		return result;
-	}
-
-
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeCommonUtils.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeCommonUtils.java
index e81fe02..55ebe7d 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeCommonUtils.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeCommonUtils.java
@@ -1,20 +1,19 @@
-
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -27,181 +26,29 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.config.overlay;
 
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
-import java.io.OutputStream;
-import java.io.PrintWriter;
-import java.io.PushbackInputStream;
-import java.io.Reader;
-import java.io.Serializable;
-import java.io.StringWriter;
-import java.io.UnsupportedEncodingException;
-import java.io.Writer;
-import java.lang.annotation.Annotation;
-import java.lang.reflect.Array;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.Field;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
-import java.lang.reflect.Modifier;
-import java.math.BigDecimal;
-import java.net.InetAddress;
+import java.io.*;
+import java.lang.reflect.*;
 import java.net.URL;
 import java.net.URLDecoder;
-import java.net.URLEncoder;
 import java.security.CodeSource;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.sql.Timestamp;
-import java.text.DateFormat;
-import java.text.DecimalFormat;
-import java.text.ParseException;
-import java.text.SimpleDateFormat;
 import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Calendar;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.LinkedHashMap;
-import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-import java.util.concurrent.Callable;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-import java.util.concurrent.ThreadFactory;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-
 
 /**
  * utility methods for grouper.
+ *
+ * This code is copied from the <a href="https://github.com/Internet2/grouper">Grouper</a> project
+ *
  * @author mchyzer
  *
  */
 @SuppressWarnings({ "serial", "unchecked" })
 public class ConfigPropertiesCascadeCommonUtils  {
 
-  /** override map for properties in thread local to be used in a web server or the like */
-  private static ThreadLocal<Map<String, Map<String, String>>> propertiesThreadLocalOverrideMap = new ThreadLocal<Map<String, Map<String, String>>>();
-
-  /**
-   * return the arg after the argBefore, or null if not there, or exception
-   * if argBefore is not found
-   * @param args array of arguments
-   * @param argBefore the argument immediately preceeding the desired value
-   * @return the arg that appears just after argBefore
-   */
-  public static String argAfter(String[] args, String argBefore) {
-    if (length(args) <= 1) {
-      return null;
-    }
-    int argBeforeIndex = -1;
-    for (int i=0;i<args.length;i++) {
-      if (equals(args[i], argBefore)) {
-        argBeforeIndex = i;
-        break;
-      }
-    }
-    if (argBeforeIndex == -1) {
-      throw new RuntimeException("Cant find arg before");
-    }
-    if (argBeforeIndex < args.length - 1) {
-      return args[argBeforeIndex + 1];
-    }
-    return null;
-  }
-  
-  /**
-   * append and maybe put a separator in there
-   * @param result The containier for the modified StringBuilder
-   * @param separatorIfResultNotEmpty the separator string to append when adding to a non-blank result
-   * @param stringToAppend the string to append
-   */
-  public static void append(StringBuilder result, 
-      String separatorIfResultNotEmpty, String stringToAppend) {
-    if (result.length() != 0) {
-      result.append(separatorIfResultNotEmpty);
-    }
-    result.append(stringToAppend);
-  }
-  
-  /**
-   * 
-   */
-  public static final String LOG_ERROR = "Error trying to make parent dirs for logger or logging first statement, check to make " +
-                "sure you have proper file permissions, and that your servlet container is giving " +
-                "your app rights to access the log directory (e.g. for tomcat set TOMCAT5_SECURITY=no), g" +
-                "oogle it for more info";
-
-  /**
-   * The number of bytes in a kilobyte.
-   */
-  public static final long ONE_KB = 1024;
-
-  /**
-   * The number of bytes in a megabyte.
-   */
-  public static final long ONE_MB = ONE_KB * ONE_KB;
-
-  /**
-   * The number of bytes in a gigabyte.
-   */
-  public static final long ONE_GB = ONE_KB * ONE_MB;
-
-  /**
-   * Returns a human-readable version of the file size (original is in
-   * bytes).
-   *
-   * @param size The number of bytes.
-   * @return     A human-readable display value (includes units).
-   */
-
-  //TODO: need for I18N?
-  public static String byteCountToDisplaySize(long size) {
-    String displaySize;
-
-    if (size / ONE_GB > 0) {
-      displaySize = String.valueOf(size / ONE_GB) + " GB";
-    } else if (size / ONE_MB > 0) {
-      displaySize = String.valueOf(size / ONE_MB) + " MB";
-    } else if (size / ONE_KB > 0) {
-      displaySize = String.valueOf(size / ONE_KB) + " KB";
-    } else {
-      displaySize = String.valueOf(size) + " bytes";
-    }
-
-    return displaySize;
-  }
-  /**
-   * see if options have a specific option by int bits
-   * @param options The options integer that holds option flag bits
-   * @param option  The option flag bit to check
-   * @return true if the option flag is set in the options int 
-   */
-  public static boolean hasOption(int options, int option) {
-    return (options & option) > 0;
-  }
-  
   /**
    * get canonical path of file
    * @param file The file from which the canonical path will be extracted
@@ -215,230 +62,7 @@ public static String fileCanonicalPath(File file) {
       throw new RuntimeException(ioe);
     }
   }
-  
-  /**
-   * return the suffix after a char.  If the char doesn't exist, just return the string
-   * @param input string
-   * @param theChar the marker character such as "."
-   * @return Suffix of string after the last index of the specified character
-   */
-  public static String suffixAfterChar(String input, char theChar) {
-    if (input == null) {
-      return null;
-    }
-    //get the real type off the end
-    int lastIndex = input.lastIndexOf(theChar);
-    if (lastIndex > -1) {
-      input = input.substring(lastIndex + 1, input.length());
-    }
-    return input;
-  }
-
-  /**
-   * get the oracle underscore name e.g. javaNameHere &rarr; JAVA_NAME_HERE
-   *
-   * @param javaName
-   *          the java convention name, in camelCase
-   *
-   * @return the oracle underscore name based on the java name
-   */
-  public static String oracleStandardNameFromJava(String javaName) {
-  
-    StringBuilder result = new StringBuilder();
-  
-    if ((javaName == null) || (0 == "".compareTo(javaName))) {
-      return javaName;
-    }
-  
-    //if package is specified, only look at class name
-    javaName = suffixAfterChar(javaName, '.');
-  
-    //don't check the first char
-    result.append(javaName.charAt(0));
-  
-    char currChar;
-  
-    boolean previousCap = false;
-    
-    //loop through the string, looking for uppercase
-    for (int i = 1; i < javaName.length(); i++) {
-      currChar = javaName.charAt(i);
-  
-      //if uppcase append an underscore
-      if (!previousCap && (currChar >= 'A') && (currChar <= 'Z')) {
-        result.append("_");
-      }
-  
-      result.append(currChar);
-      if ((currChar >= 'A') && (currChar <= 'Z')) {
-        previousCap = true;
-      } else {
-        previousCap = false;
-      }
-    }
-  
-    //this is in upper-case
-    return result.toString().toUpperCase();
-  }
-
-  
-  /**
-   * see if two maps are the equivalent (based on number of entries, 
-   * and the equals() method of the keys and values)
-   *
-   * @param <K> key type
-   * @param <V> value type
-   * @param first the first map to compare
-   * @param second the second map to compare
-   * @return true if equal
-   */
-  public static <K,V> boolean mapEquals(Map<K,V> first, Map<K,V> second) {
-    Set<K> keysMismatch = new HashSet<K>();
-    mapDifferences(first, second, keysMismatch, null);
-    //if any keys mismatch, then not equal
-    return keysMismatch.size() == 0;
-    
-  }
-  
-  /**
-   * empty map
-   */
-  private static final Map EMPTY_MAP = Collections.unmodifiableMap(new HashMap());
-  
-  /**
-   * see if two maps are the equivalent (based on number of entries, 
-   * and the equals() method of the keys and values)
-   * @param <K> key type
-   * @param <V> value type
-   * @param first map to check diffs
-   * @param second map to check diffs
-   * @param differences set of keys (with prefix) of the diffs
-   * @param prefix for the entries in the diffs (e.g. "attribute__")
-   */
-  @SuppressWarnings("unchecked")
-  public static <K,V> void mapDifferences(Map<K,V> first, Map<K,V> second, Set<K> differences, String prefix) {
-    if (first == second) {
-      return;
-    }
-    //put the collections in new collections so we can remove and keep track
-    if (first == null) {
-      first = EMPTY_MAP;
-    }
-    if (second == null) {
-      second = EMPTY_MAP;
-    } else {
-      //make linked so the results are ordered
-      second = new LinkedHashMap<K,V>(second);
-    }
-    int firstSize = first == null ? 0 : first.size();
-    int secondSize = second == null ? 0 : second.size();
-    //if both empty then all good
-    if (firstSize == 0 && secondSize == 0) {
-      return;
-    }
-   
-    for (K key : first.keySet()) {
-
-      if (second.containsKey(key)) {
-        V firstValue = first.get(key);
-        V secondValue = second.get(key);
-        //keep track by removing from second
-        second.remove(key);
-        if (equals(firstValue, secondValue)) {
-          continue;
-        }
-      }
-      differences.add(isNotBlank(prefix) ? (K)(prefix + key) : key);
-    }
-    //add the ones left over in the second map which are not in the first map
-    for (K key : second.keySet()) {
-      differences.add(isNotBlank(prefix) ? (K)(prefix + key) : key);
-    }
-  }
-  
-  /**
-   * Sleep for the specified number of milliseconds and throw RuntimeExeption if interrupted.
-   *
-   * @param millis Number of milliseconds to sleep
-   * @see Thread#sleep
-   */
-  public static void sleep(long millis) {
-    try {
-      Thread.sleep(millis);
-    } catch (InterruptedException ie) {
-      throw new RuntimeException(ie);
-    }
-  }
-  
-  /**
-   * If we can, inject this into the exception, else return false
-   * @param t The Throwable to inject
-   * @param message The message to append to the throwable's message
-   * @return true if success, false if not
-   */
-  public static boolean injectInException(Throwable t, String message) {
-    
-    String throwableFieldName = "detailMessage";
-
-    try {
-      String currentValue = t.getMessage();
-      if (!isBlank(currentValue)) {
-        currentValue += ",\n" + message;
-      } else {
-        currentValue = message;
-      }
-      assignField(t, throwableFieldName, currentValue);
-      return true;
-    } catch (Throwable t2) {
-      //dont worry about what the problem is, return false so the caller can log
-      return false;
-    }
-    
-  }
-  
-  /**
-   * get a unique string identifier based on the current time,
-   * this is not globally unique, just unique for as long as this
-   * server is running...
-   * 
-   * @return String
-   */
-  public static String uniqueId() {
-    //this needs to be threadsafe since we are using a static field
-    synchronized (ConfigPropertiesCascadeCommonUtils.class) {
-      lastId = incrementStringInt(lastId);
-    }
-
-    return String.valueOf(lastId);
-  }
-
-  /**
-   * get a file name from a resource name
-   * 
-   * @param resourceName
-   *          is the classpath location
-   * 
-   * @return the file path on the system
-   */
-  public static File fileFromResourceName(String resourceName) {
-    
-    URL url = computeUrl(resourceName, true);
-
-    if (url == null) {
-      return null;
-    }
-
-    try {
-      String fileName = URLDecoder.decode(url.getFile(), "UTF-8");
-  
-      File configFile = new File(fileName);
 
-      return configFile;
-    } catch (UnsupportedEncodingException uee) {
-      throw new RuntimeException(uee);
-    }
-  }
-  
 
   /**
    * compute a url of a resource
@@ -479,19 +103,6 @@ public static ClassLoader classLoader() {
     return ConfigPropertiesCascadeCommonUtils.class.getClassLoader();
   }
 
-  /**
-   * make sure a array is non null.  If null, then return an empty array.
-   * Note: this will probably not work for primitive arrays (e.g. int[])
-   * @param <T> template type
-   * @param array the array to check
-   * @param theClass to make array from
-   * @return the list or empty list if null
-   */
-  @SuppressWarnings("unchecked")
-  public static <T> T[] nonNull(T[] array, Class<?> theClass) {
-    return array == null ? ((T[])Array.newInstance(theClass, 0)) : array;
-  }
-  
   /**
    * get the prefix or suffix of a string based on a separator
    * 
@@ -535,38 +146,6 @@ public static String prefixOrSuffix(String startString, String separator,
     return prefixOrSuffix;
   }
 
-  /**
-   * get the extension from name.  if name is a:b:c, name is c
-   * @param name a name, potentially containing colon separators such as "a:b:c"
-   * @return the extension a.k.a. part of the name after the last colon character
-   */
-  public static String extensionFromName(String name) {
-    if (isBlank(name)) {
-      return name;
-    }
-    int lastColonIndex = name.lastIndexOf(':');
-    if (lastColonIndex == -1) {
-      return name;
-    }
-    String extension = name.substring(lastColonIndex+1);
-    return extension;
-  }
-  
-  /**
-   * Returns the class object for the given name.
-   * @param origClassName fully qualified class name
-   * @return the class
-   */
-  public static Class forName(String origClassName) {
-        
-    try {
-      return Class.forName(origClassName);
-    } catch (Throwable t) {
-      throw new RuntimeException("Problem loading class: " + origClassName, t);
-    }
-    
-  }
-  
   /**
    * Construct a class
    * @param <T> template type
@@ -614,144 +193,8 @@ public static <T> T newInstance(Class<T> theClass, boolean allowPrivateConstruct
       throw new RuntimeException("Problem with class: " + theClass, e);
     }
   }
-  
-  /**
-   * get the parent stem name from name.  if already a root stem
-   * then just return null.  e.g. if the name is a:b:c then
-   * the return value is a:b
-   * @param name a colon-delimited name such as "a:b:c"
-   * @return the parent stem name or null if none
-   */
-  public static String parentStemNameFromName(String name) {
-    int lastColonIndex = name.lastIndexOf(':');
-    if (lastColonIndex == -1) {
-      return null;
-    }
-    String parentStemName = name.substring(0,lastColonIndex);
-    return parentStemName;
-
-  }
-  
-  /**
-   * return the string or the other if the first is blank
-   * @param string The string
-   * @param defaultStringIfBlank The string used when the first parameter is blank
-   * @return the string or the default one if the string was blank
-   */
-  public static String defaultIfBlank(String string, String defaultStringIfBlank) {
-    return isBlank(string) ? defaultStringIfBlank : string;
-  }
-  
-  /**
-   * genericized method to see if first is null, if so then return second, else first.
-   * @param <T> template type
-   * @param theValue first input
-   * @param defaultIfTheValueIsNull second input
-   * @return the first if not null, second if no
-   */
-  public static <T> T defaultIfNull(T theValue, T defaultIfTheValueIsNull) {
-    return theValue != null ? theValue : defaultIfTheValueIsNull;
-  }
-  
-  /**
-   * add each element of listToAdd if it is not already in list
-   * @param <T> template type
-   * @param list to add to
-   * @param listToAdd each element will be added to list, or null if none
-   */
-  public static <T> void addIfNotThere(Collection<T> list, Collection<T> listToAdd) {
-    //maybe nothing to do
-    if (listToAdd == null) {
-      return;
-    }
-    for (T t : listToAdd) {
-      if (!list.contains(t)) {
-        list.add(t);
-      }
-    }
-  }
 
-  
-  /**
-   * print out various types of objects
-   * 
-   * @param object the object to convert into a human-readable string
-   * @param maxChars is where it should stop when figuring out object.  note, result might be longer than max...
-   * need to abbreviate when back
-   * @param result is where to append to
-   */
-  @SuppressWarnings("unchecked")
-  private static void toStringForLogHelper(Object object, int maxChars, StringBuilder result) {
-    
-    try {
-      if (object == null) {
-        result.append("null");
-      } else if (object.getClass().isArray()) {
-        // handle arrays
-        int length = Array.getLength(object);
-        if (length == 0) {
-          result.append("Empty array");
-        } else {
-          result.append("Array size: ").append(length).append(": ");
-          for (int i = 0; i < length; i++) {
-            result.append("[").append(i).append("]: ").append(
-                Array.get(object, i)).append("\n");
-            if (maxChars != -1 && result.length() > maxChars) {
-              return;
-            }
-          }
-        }
-      } else if (object instanceof Collection) {
-        //give size and type if collection
-        Collection<Object> collection = (Collection<Object>) object;
-        int collectionSize = collection.size();
-        if (collectionSize == 0) {
-          result.append("Empty ").append(object.getClass().getSimpleName());
-        } else {
-          result.append(object.getClass().getSimpleName()).append(" size: ").append(collectionSize).append(": ");
-          int i=0;
-          for (Object collectionObject : collection) {
-            result.append("[").append(i).append("]: ").append(
-                collectionObject).append("\n");
-            if (maxChars != -1 && result.length() > maxChars) {
-              return;
-            }
-            i++;
-          }
-        }
-      } else {
-        result.append(object.toString());
-      }
-    } catch (Exception e) {
-      result.append("<<exception>> ").append(object.getClass()).append(":\n")
-        .append(getFullStackTrace(e)).append("\n");
-    }
-  }
 
-  /**
-   * convert a set to a string (comma separate)
-   * @param set the set to convert into a human-readable string
-   * @return the String
-   */
-  public static String setToString(Set set) {
-    if (set == null) {
-      return "null";
-    }
-    if (set.size() == 0) {
-      return "empty";
-    }
-    StringBuilder result = new StringBuilder();
-    boolean first = true;
-    for (Object object : set) {
-      if (!first) {
-        result.append(", ");
-      }
-      first = false;
-      result.append(object);
-    }
-    return result.toString();
-  }
-  
   /**
    * convert a set to a string (comma separate)
    * @param map the map to convert into a human-readable string
@@ -788,156 +231,34 @@ public static String mapToString(Map map) {
   }
 
   /**
-   * print out various types of objects
+   * split a string based on a separator into an array, and trim each entry (see
+   * the Commons Util trim() for more details)
+   * 
+   * @param input
+   *          is the delimited input to split and trim
+   * @param separator
+   *          is what to split on
    * 
-   * @param object the object to convert to a human-readable string
-   * @return the string value
+   * @return the array of items after split and trimmed, or null if input is null.  will be trimmed to empty
    */
-  public static String toStringForLog(Object object) {
-    StringBuilder result = new StringBuilder();
-    toStringForLogHelper(object, -1, result);
-    return result.toString();
+  public static String[] splitTrim(String input, String separator) {
+    return splitTrim(input, separator, true);
   }
 
   /**
-   * print out various types of objects
+   * split a string based on a separator into an array, and trim each entry (see
+   * the Commons Util trim() for more details)
+   * 
+   * @param input
+   *          is the delimited input to split and trim
+   * @param separator
+   *          is what to split on
    * 
-   * @param object the object to convert to a human-readable string
-   * @param maxChars is the max chars that should be returned (abbreviate if longer), or -1 for any amount
-   * @return the string value
+   * @return the list of items after split and trimmed, or null if input is null.  will be trimmed to empty
    */
-  public static String toStringForLog(Object object, int maxChars) {
-    StringBuilder result = new StringBuilder();
-    toStringForLogHelper(object, -1, result);
-    String resultString = result.toString();
-    if (maxChars != -1) {
-      return abbreviate(resultString, maxChars);
-    }
-    return resultString;
-  }
-
-  /**
-   * If batching this is the number of batches
-   * @param count is size of set
-   * @param batchSize the batch size
-   * @return the number of batches
-   */
-  public static int batchNumberOfBatches(int count, int batchSize) {
-    int batches = 1 + ((count - 1) / batchSize);
-    return batches;
-
-  }
-
-  /**
-   * If batching this is the number of batches
-   * @param collection the collection
-   * @param batchSize the batch size
-   * @return the number of batches
-   */
-  public static int batchNumberOfBatches(Collection<?> collection, int batchSize) {
-    int arrraySize = length(collection);
-    return batchNumberOfBatches(arrraySize, batchSize);
-
-  }
-
-  /**
-   * retrieve a batch by 0 index. Will return an array of size batchSize or
-   * the remainder. the array will be full of elements. Note, this requires an
-   * ordered input (so use linkedhashset not hashset if doing sets)
-   * @param <T> template type
-   * @param collection the collection
-   * @param batchSize the batch size
-   * @param batchIndex the batch index
-   * @return the list
-   *         This never returns null, only empty list
-   */
-  @SuppressWarnings("unchecked")
-  public static <T> List<T> batchList(Collection<T> collection, int batchSize,
-      int batchIndex) {
-
-    int numberOfBatches = batchNumberOfBatches(collection, batchSize);
-    int arraySize = length(collection);
-
-    // short circuit
-    if (arraySize == 0) {
-      return new ArrayList<T>();
-    }
-
-    List<T> theBatchObjects = new ArrayList<T>();
-
-    // lets get the type of the first element if possible
-//    Object first = get(arrayOrCollection, 0);
-//
-//    Class theType = first == null ? Object.class : first.getClass();
-
-    // if last batch
-    if (batchIndex == numberOfBatches - 1) {
-
-      // needs to work to 1-n
-      //int thisBatchSize = 1 + ((arraySize - 1) % batchSize);
-
-      int collectionIndex = 0;
-      for (T t : collection) {
-        if (collectionIndex++ < batchIndex * batchSize) {
-          continue;
-        }
-        //just copy the rest
-        //if (collectionIndex >= (batchIndex * batchSize) + arraySize) {
-        //  break;
-        //}
-        //we are in the copy mode
-        theBatchObjects.add(t);
-      }
-
-    } else {
-      // if non-last batch
-      //int newIndex = 0;
-      int collectionIndex = 0;
-      for (T t : collection) {
-        if (collectionIndex < batchIndex * batchSize) {
-          collectionIndex++;
-          continue;
-        }
-        //done with batch
-        if (collectionIndex >= (batchIndex + 1) * batchSize) {
-          break;
-        }
-        theBatchObjects.add(t);
-        collectionIndex++;
-      }
-    }
-    return theBatchObjects;
-  }
-  
-  /**
-   * split a string based on a separator into an array, and trim each entry (see
-   * the Commons Util trim() for more details)
-   * 
-   * @param input
-   *          is the delimited input to split and trim
-   * @param separator
-   *          is what to split on
-   * 
-   * @return the array of items after split and trimmed, or null if input is null.  will be trimmed to empty
-   */
-  public static String[] splitTrim(String input, String separator) {
-    return splitTrim(input, separator, true);
-  }
-
-  /**
-   * split a string based on a separator into an array, and trim each entry (see
-   * the Commons Util trim() for more details)
-   * 
-   * @param input
-   *          is the delimited input to split and trim
-   * @param separator
-   *          is what to split on
-   * 
-   * @return the list of items after split and trimmed, or null if input is null.  will be trimmed to empty
-   */
-  public static List<String> splitTrimToList(String input, String separator) {
-    if (isBlank(input)) {
-      return null;
+  public static List<String> splitTrimToList(String input, String separator) {
+    if (isBlank(input)) {
+      return null;
     }
     String[] array =  splitTrim(input, separator);
     return toList(array);
@@ -972,68 +293,6 @@ public static String[] splitTrim(String input, String separator, boolean treatAd
     return items;
   }
 
-  /**
-   * escape url chars (e.g. a # is %23)
-   * @param string input
-   * @return the encoded string
-   */
-  public static String escapeUrlEncode(String string) {
-    String result = null;
-    try {
-      result = URLEncoder.encode(string, "UTF-8");
-    } catch (UnsupportedEncodingException ex) {
-      throw new RuntimeException("UTF-8 not supported", ex);
-    }
-    return result;
-  }
-  
-  /**
-   * unescape url chars (e.g. a space is %20)
-   * @param string input
-   * @return the encoded string
-   */
-  public static String escapeUrlDecode(String string) {
-    String result = null;
-    try {
-      result = URLDecoder.decode(string, "UTF-8");
-    } catch (UnsupportedEncodingException ex) {
-      throw new RuntimeException("UTF-8 not supported", ex);
-    }
-    return result;
-  }
-
-  /**
-   * make sure a list is non null.  If null, then return an empty list
-   * @param <T> template type
-   * @param list the list, or null
-   * @return the list or empty list if null
-   */
-  public static <T> List<T> nonNull(List<T> list) {
-    return list == null ? new ArrayList<T>() : list;
-  }
-  
-  /**
-   * make sure a list is non null.  If null, then return an empty set
-   * @param <T> template type
-   * @param set the set, or null
-   * @return the set or empty set if null
-   */
-  public static <T> Set<T> nonNull(Set<T> set) {
-    return set == null ? new HashSet<T>() : set;
-  }
-  
-  /**
-   * make sure it is non null, if null, then give new map
-   * 
-   * @param <K> key of map
-   * @param <V> value of map
-   * @param map is map
-   * @return set non null
-   */
-  public static <K,V> Map<K,V> nonNull(Map<K,V> map) {
-    return map == null ? new HashMap<K,V>() : map;
-  }
-
   /**
    * return a list of objects from varargs.  Though if there is one
    * object, and it is a list, return it.
@@ -1059,121 +318,6 @@ public static <T> List<T> toList(T... objects) {
     return result;
   }
 
-  /**
-   * convert classes to a list
-   * @param classes The classes to be returned as a List
-   * @return list of classes
-   */
-  public static List<Class<?>> toListClasses(Class<?>... classes) {
-    return toList(classes);
-  }
-  
-
-  
-  /**
-   * return a set of objects from varargs.
-   * 
-   * @param <T> template type of the objects
-   * @param objects The objects to be returned as a Set
-   * @return the set
-   */
-  public static <T> Set<T> toSet(T... objects) {
-
-    Set<T> result = new LinkedHashSet<T>();
-    for (T object : objects) {
-      result.add(object);
-    }
-    return result;
-  }
-
-  /**
-   * cache separator
-   */
-  private static final String CACHE_SEPARATOR = "__";
-
-  /**
-   * string format of dates
-   */
-  public static final String DATE_FORMAT = "yyyyMMdd";
-
-  /**
-   * format including minutes and seconds: yyyy/MM/dd HH:mm:ss
-   */
-  public static final String DATE_MINUTES_SECONDS_FORMAT = "yyyy/MM/dd HH:mm:ss";
-
-  /**
-   * format including minutes and seconds: yyyyMMdd HH:mm:ss
-   */
-  public static final String DATE_MINUTES_SECONDS_NO_SLASH_FORMAT = "yyyyMMdd HH:mm:ss";
-
-  /**
-   * format on screen of config for milestone: yyyy/MM/dd HH:mm:ss.SSS
-   */
-  public static final String TIMESTAMP_FORMAT = "yyyy/MM/dd HH:mm:ss.SSS";
-
-  /**
-   * format on screen of config for milestone: yyyyMMdd HH:mm:ss.SSS
-   */
-  public static final String TIMESTAMP_NO_SLASH_FORMAT = "yyyyMMdd HH:mm:ss.SSS";
-
-  /**
-   * date format, make sure to synchronize
-   */
-  final static SimpleDateFormat dateFormat = new SimpleDateFormat(DATE_FORMAT);
-
-  /**
-   * synchronize code that uses this standard formatter for dates with minutes and seconds
-   */
-  final static SimpleDateFormat dateMinutesSecondsFormat = new SimpleDateFormat(
-      DATE_MINUTES_SECONDS_FORMAT);
-
-  /**
-   * synchronize code that uses this standard formatter for dates with minutes and seconds
-   */
-  final static SimpleDateFormat dateMinutesSecondsNoSlashFormat = new SimpleDateFormat(
-      DATE_MINUTES_SECONDS_NO_SLASH_FORMAT);
-
-  /**
-   * <pre> format: yyyy/MM/dd HH:mm:ss.SSS synchronize code that uses this standard formatter for timestamps </pre>
-   */
-  final static SimpleDateFormat timestampFormat = new SimpleDateFormat(TIMESTAMP_FORMAT);
-
-  /**
-   * synchronize code that uses this standard formatter for timestamps
-   */
-  final static SimpleDateFormat timestampNoSlashFormat = new SimpleDateFormat(
-      TIMESTAMP_NO_SLASH_FORMAT);
-
-  /**
-   * If false, throw an assertException, and give a reason
-   * 
-   * @param isTrue when false, throw a RuntimeException.  When true, do nothing.
-   * @param reason the message used for the exception
-   */
-  public static void assertion(boolean isTrue, String reason) {
-    if (!isTrue) {
-      throw new RuntimeException(reason);
-    }
-
-  }
-
-  /**
-   * use the field cache, expire every day (just to be sure no leaks)
-   */
-  private static ExpirableCache<String, Set<Field>> fieldSetCache = null;
-  
-  /**
-   * lazy load
-   * @return field set cache
-   */
-  private static ExpirableCache<String, Set<Field>> fieldSetCache() {
-    if (fieldSetCache == null) {
-      fieldSetCache = new ExpirableCache<String, Set<Field>>(60*24);
-    }
-    return fieldSetCache;
-  }
-    
-
   /**
    * make a cache with max size to cache declared methods
    */
@@ -1189,8129 +333,479 @@ private static ExpirableCache<Class, Method[]> declaredMethodsCache() {
     }
     return declaredMethodsCache;
   }
-  
-    
 
-  /**
-   * use the field cache, expire every day (just to be sure no leaks) 
-   */
-  private static ExpirableCache<String, Set<Method>> getterSetCache = null;
-    
 
   /**
-   * lazy load
-   * @return getter cache
+   * null safe classname method, gets the unenhanced name
+   * 
+   * @param object The object whose class name is desired
+   * @return the classname, or null if the object was null
    */
-  private static ExpirableCache<String, Set<Method>> getterSetCache() {
-    if (getterSetCache == null) {
-      getterSetCache = new ExpirableCache<String, Set<Method>>(60*24);
-    }
-    return getterSetCache;
+  public static String className(Object object) {
+    return object == null ? null : object.getClass().getName();
   }
-  
-    
-
-  /**
-   * use the field cache, expire every day (just to be sure no leaks) 
-   */
-  private static ExpirableCache<String, Set<Method>> setterSetCache = null;
-    
 
   /**
-   * lazy load
-   * @return setter cache
+   * get the decalred methods for a class, perhaps from cache
+   * 
+   * @param theClass the class
+   * @return the declared methods
    */
-  private static ExpirableCache<String, Set<Method>> setterSetCache() {
-    if (setterSetCache == null) {
-      setterSetCache = new ExpirableCache<String, Set<Method>>(60*24);
+  @SuppressWarnings("unused")
+  private static Method[] retrieveDeclaredMethods(Class theClass) {
+    Method[] methods = declaredMethodsCache().get(theClass);
+    // get from cache if we can
+    if (methods == null) {
+      methods = theClass.getDeclaredMethods();
+      declaredMethodsCache().put(theClass, methods);
     }
-    return setterSetCache;
+    return methods;
   }
-  
-  
-  /**
-   * Field lastId.
-   */
-  private static char[] lastId = convertLongToStringSmall(new Date().getTime())
-      .toCharArray();
 
-  /**
-   * cache the properties read from resource 
-   */
-  private static Map<String, Properties> resourcePropertiesCache = new HashMap<String, Properties>();
 
   /**
-   * assign data to a field
-   * 
-   * @param theClass
-   *            the class which has the method
-   * @param invokeOn
-   *            to call on or null for static
-   * @param fieldName
-   *            method name to call
-   * @param dataToAssign
-   *            data
-   * @param callOnSupers
-   *            if static and method not exists, try on supers
-   * @param overrideSecurity
-   *            true to call on protected or private etc methods
-   * @param typeCast
-   *            true if we should typecast
-   * @param annotationWithValueOverride
-   *            annotation with value of override
+   * convert an object to a int
+   * @param input the object (String or Number) to parse or convert to an int
+   * @return the number
    */
-  public static void assignField(Class theClass, Object invokeOn,
-      String fieldName, Object dataToAssign, boolean callOnSupers,
-      boolean overrideSecurity, boolean typeCast,
-      Class<? extends Annotation> annotationWithValueOverride) {
-    if (theClass == null && invokeOn != null) {
-      theClass = invokeOn.getClass();
+  public static int intValue(Object input) {
+    if (input instanceof String) {
+      String string = (String)input;
+      return Integer.parseInt(string);
+    }
+    if (input instanceof Number) {
+      return ((Number)input).intValue();
+    }
+    if (false) {
+      if (input == null) {
+        return 0;
+      }
+      if (input instanceof String || isBlank((String)input)) {
+        return 0;
+      }
     }
-    Field field = field(theClass, fieldName, callOnSupers, true);
-    assignField(field, invokeOn, dataToAssign, overrideSecurity, typeCast,
-        annotationWithValueOverride);
+    
+    throw new RuntimeException("Cannot convert to int: " + className(input));
   }
 
   /**
-   * assign data to a field. Will find the field in superclasses, will
-   * typecast, and will override security (private, protected, etc)
-   * 
-   * @param theClass
-   *            the class which has the method
-   * @param invokeOn
-   *            to call on or null for static
-   * @param fieldName
-   *            method name to call
-   * @param dataToAssign
-   *            data
-   * @param annotationWithValueOverride
-   *            annotation with value of override
+   * The name says it all.
    */
-  public static void assignField(Class theClass, Object invokeOn,
-      String fieldName, Object dataToAssign,
-      Class<? extends Annotation> annotationWithValueOverride) {
-    assignField(theClass, invokeOn, fieldName, dataToAssign, true, true,
-        true, annotationWithValueOverride);
-  }
+  public static final int DEFAULT_BUFFER_SIZE = 1024 * 4;
 
   /**
-   * assign data to a field
-   * 
-   * @param field
-   *            is the field to assign to
-   * @param invokeOn
-   *            to call on or null for static
-   * @param dataToAssign
-   *            data
-   * @param overrideSecurity
-   *            true to call on protected or private etc methods
-   * @param typeCast
-   *            true if we should typecast
+   * Unconditionally close an <code>InputStream</code>.
+   * Equivalent to {@link InputStream#close()}, except any exceptions will be ignored.
+   * @param input A (possibly null) InputStream
    */
-  @SuppressWarnings("unchecked")
-  public static void assignField(Field field, Object invokeOn,
-      Object dataToAssign, boolean overrideSecurity, boolean typeCast) {
-
+  public static void closeQuietly(InputStream input) {
+    if (input == null) {
+      return;
+    }
+  
     try {
-      Class fieldType = field.getType();
-      // typecast
-      if (typeCast) {
-        dataToAssign = 
-                 typeCast(dataToAssign, fieldType,
-                 true, true);
-      }
-      if (overrideSecurity) {
-        field.setAccessible(true);
-      }
-      field.set(invokeOn, dataToAssign);
-    } catch (Exception e) {
-      throw new RuntimeException("Cant assign reflection field: "
-          + (field == null ? null : field.getName()) + ", on: "
-          + className(invokeOn) + ", with args: "
-          + classNameCollection(dataToAssign), e);
+      input.close();
+    } catch (IOException ioe) {
     }
   }
 
   /**
-   * null safe iterator getter if the type if collection
-   * 
-   * @param collection the collection
-   * @return the iterator
+   * Get the contents of an <code>InputStream</code> as a String.
+   * @param input the <code>InputStream</code> to read from
+   * @param encoding The name of a supported character encoding. See the
+   *   <a href="http://www.iana.org/assignments/character-sets">IANA
+   *   Charset Registry</a> for a list of valid encoding types.
+   * @return the requested <code>String</code>
+   * @throws IOException In case of an I/O problem
    */
-  public static Iterator iterator(Object collection) {
-    if (collection == null) {
-      return null;
-    }
-    // array list doesnt need an iterator
-    if (collection instanceof Collection
-        && !(collection instanceof ArrayList)) {
-      return ((Collection) collection).iterator();
-    }
-    return null;
+  public static String toString(InputStream input, String encoding) throws IOException {
+    StringWriter sw = new StringWriter();
+    copy(input, sw, encoding);
+    return sw.toString();
   }
 
   /**
-   * Null safe array length or map
-   * 
-   * @param arrayOrCollection  The array, Collection, or Map for which to find the length or size.
-   * @return the length of the array (0 for null)
+   * Copy and convert bytes from an <code>InputStream</code> to chars on a
+   * <code>Writer</code>, using the specified encoding.
+   * @param input the <code>InputStream</code> to read from
+   * @param output the <code>Writer</code> to write to
+   * @param encoding The name of a supported character encoding. See the
+   * <a href="http://www.iana.org/assignments/character-sets">IANA
+   * Charset Registry</a> for a list of valid encoding types.
+   * @throws IOException In case of an I/O problem
    */
-  public static int length(Object arrayOrCollection) {
-    if (arrayOrCollection == null) {
-      return 0;
-    }
-    if (arrayOrCollection.getClass().isArray()) {
-      return Array.getLength(arrayOrCollection);
-    }
-    if (arrayOrCollection instanceof Collection) {
-      return ((Collection) arrayOrCollection).size();
-    }
-    if (arrayOrCollection instanceof Map) {
-      return ((Map) arrayOrCollection).size();
-    }
-    // simple non array non collection object
-    return 1;
+  public static void copy(InputStream input, Writer output, String encoding)
+      throws IOException {
+    InputStreamReader in = new InputStreamReader(input, encoding);
+    copy(in, output);
   }
 
   /**
-   * If array, get the element based on index, if Collection, get it based on
-   * iterator.
-   * 
-   * @param arrayOrCollection The array, ArrayList, or Collection from which to get the specified element
-   * @param iterator          for Collections, this iterator is used to find the next object
-   * @param index             The object at this specified index, or when 0, the arrayOrCollection itself
-   * @return the object
+   * Copy chars from a <code>Reader</code> to a <code>Writer</code>.
+   * @param input the <code>Reader</code> to read from
+   * @param output the <code>Writer</code> to write to
+   * @return the number of characters copied
+   * @throws IOException In case of an I/O problem
    */
-  public static Object next(Object arrayOrCollection, Iterator iterator,
-      int index) {
-    if (arrayOrCollection.getClass().isArray()) {
-      return Array.get(arrayOrCollection, index);
-    }
-    if (arrayOrCollection instanceof ArrayList) {
-      return ((ArrayList) arrayOrCollection).get(index);
-    }
-    if (arrayOrCollection instanceof Collection) {
-      return iterator.next();
-    }
-    // simple object
-    if (0 == index) {
-      return arrayOrCollection;
+  public static int copy(Reader input, Writer output) throws IOException {
+    char[] buffer = new char[DEFAULT_BUFFER_SIZE];
+    int count = 0;
+    int n = 0;
+    while (-1 != (n = input.read(buffer))) {
+      output.write(buffer, 0, n);
+      count += n;
     }
-    throw new RuntimeException("Invalid class type: "
-        + arrayOrCollection.getClass().getName());
+    return count;
   }
 
   /**
-   * Remove the iterator or index
-   * 
-   * @param arrayOrCollection The Array, List, or Collection from which to remove the object referenced by the iterator or index number
-   * @param index             Index of the item that should be removed. 
-   * @return the object list or new array
-   */
-  public static Object remove(Object arrayOrCollection, 
-      int index) {
-    return remove(arrayOrCollection, null, index);
-  }
-  
-  /**
-   * Remove the iterator or index
+   * do a case-insensitive matching
+   * @param theEnumClass class of the enum
+   * @param <E> generic type
    * 
-   * @param arrayOrCollection The Array, List, or Collection from which to remove the object referenced by the iterator or index number
-   * @param iterator          Iterator for the collection used to remove the object. Takes precedence over index parameter when non-null.
-   * @param index             Index of the item that should be removed. 
-   * @return the object list or new array
+   * @param string The name of an enum constant
+   * @param exceptionOnNotFound true if exception should be thrown on not found
+   * @return the enum or null or exception if not found
+   * @throws RuntimeException if there is a problem
    */
-  public static Object remove(Object arrayOrCollection, Iterator iterator,
-      int index) {
+  public static <E extends Enum<?>> E enumValueOfIgnoreCase(Class<E> theEnumClass, String string, 
+      boolean exceptionOnNotFound) throws RuntimeException {
     
-    //if there's an iterator, just use that
-    if (iterator != null) {
-      iterator.remove();
-      return arrayOrCollection;
+    if (!exceptionOnNotFound && isBlank(string)) {
+      return null;
     }
-    if (arrayOrCollection.getClass().isArray()) {
-      int newLength = Array.getLength(arrayOrCollection) - 1;
-      Object newArray = Array.newInstance(arrayOrCollection.getClass().getComponentType(), newLength);
-      if (newLength == 0) {
-        return newArray;
-      }
-      if (index > 0) {
-        System.arraycopy(arrayOrCollection, 0, newArray, 0, index);
-      }
-      if (index < newLength) {
-        System.arraycopy(arrayOrCollection, index+1, newArray, index, newLength - index);
+    for (E e : theEnumClass.getEnumConstants()) {
+      if (equalsIgnoreCase(string, e.name())) {
+        return e;
       }
-      return newArray;
     }
-    if (arrayOrCollection instanceof List) {
-      ((List)arrayOrCollection).remove(index);
-      return arrayOrCollection;
-    } else if (arrayOrCollection instanceof Collection) {
-      //this should work unless there are duplicates or something weird
-      ((Collection)arrayOrCollection).remove(get(arrayOrCollection, index));
-      return arrayOrCollection;
-    }
-    throw new RuntimeException("Invalid class type: "
-        + arrayOrCollection.getClass().getName());
-  }
-
-  /**
-   * print the simple names of a list of classes
-   * @param object  An array of objects
-   * @return the simple names for the objects in the array
-   * @see Class#getSimpleName()
-   */
-  public static String classesString(Object object) {
-    StringBuilder result = new StringBuilder();
-    if (object.getClass().isArray()) {
-      int length = Array.getLength(object);
-      for (int i=0;i<length;i++) {
-        result.append(((Class)object).getSimpleName());
-        if (i < length-1) {
-          result.append(", ");
-        }
-      }
-      return result.toString();
+    StringBuilder error = new StringBuilder(
+        "Cant find " + theEnumClass.getSimpleName() + " from string: '").append(string);
+    error.append("', expecting one of: ");
+    for (E e : theEnumClass.getEnumConstants()) {
+      error.append(e.name()).append(", ");
     }
-    
-    throw new RuntimeException("Not implemented: " + className(object));
-  }
+    throw new RuntimeException(error.toString());
   
-  /**
-   * null safe classname method, max out at 20
-   * 
-   * @param object  The object over which to iterate, producing a comma separated list of class names
-   * @return the classname
-   */
-  public static String classNameCollection(Object object) {
-    if (object == null) {
-      return null;
-    }
-    StringBuffer result = new StringBuffer();
-    
-    Iterator iterator = iterator(object);
-    int length = length(object);
-    for (int i = 0; i < length && i < 20; i++) {
-      result.append(className(next(object, iterator, i)));
-      if (i != length - 1) {
-        result.append(", ");
-      }
-    }
-    return result.toString();
   }
 
-  /**
-   * null safe classname method, gets the unenhanced name
-   * 
-   * @param object The object whose class name is desired
-   * @return the classname, or null if the object was null
-   */
-  public static String className(Object object) {
-    return object == null ? null : object.getClass().getName();
-  }
 
   /**
-   * assign data to a field
-   * 
-   * @param field
-   *            is the field to assign to
-   * @param invokeOn
-   *            to call on or null for static
-   * @param dataToAssign
-   *            data
-   * @param overrideSecurity
-   *            true to call on protected or private etc methods
-   * @param typeCast
-   *            true if we should typecast
-   * @param annotationWithValueOverride
-   *            annotation with value of override, or null if none
+   * null safe string compare
+   * @param first first string, or null
+   * @param second second string, or null
+   * @return true if equal
    */
-  @SuppressWarnings("unchecked")
-  public static void assignField(Field field, Object invokeOn,
-      Object dataToAssign, boolean overrideSecurity, boolean typeCast,
-      Class<? extends Annotation> annotationWithValueOverride) {
-
-    if (annotationWithValueOverride != null) {
-      // see if in annotation
-      Annotation annotation = field
-          .getAnnotation(annotationWithValueOverride);
-      if (annotation != null) {
-        
-         // type of the value, or String if not specific Class
-          // typeOfAnnotationValue = typeCast ? field.getType() :
-          // String.class; dataToAssign =
-          // AnnotationUtils.retrieveAnnotationValue(
-          // typeOfAnnotationValue, annotation, "value");
-        
-        throw new RuntimeException("Not supported");
-      }
+  public static boolean equals(String first, String second) {
+    if (first == second) {
+      return true;
     }
-    assignField(field, invokeOn, dataToAssign, overrideSecurity, typeCast);
-  }
-
-  /**
-   * assign data to a field. Will find the field in superclasses, will
-   * typecast, and will override security (private, protected, etc)
-   * 
-   * @param invokeOn
-   *            to call on or null for static
-   * @param fieldName
-   *            method name to call
-   * @param dataToAssign
-   *            data
-   */
-  public static void assignField(Object invokeOn, String fieldName,
-      Object dataToAssign) {
-    assignField(null, invokeOn, fieldName, dataToAssign, true, true, true,
-        null);
+    if (first == null || second == null) {
+      return false;
+    }
+    return first.equals(second);
   }
 
   /**
-   * get a field object for a class, potentially in superclasses
-   * 
-   * @param theClass
-   *            The class potentially containing the field 
-   * @param fieldName
-   *            The name of the desired class field
-   * @param callOnSupers
-   *            true if superclasses should be looked in for the field
-   * @param throwExceptionIfNotFound
-   *            will throw runtime exception if not found
-   * @return the field object or null if not found (or exception if param is
-   *         set)
-   * @see Class#getDeclaredField(String)
+   * <p>Checks if a String is whitespace, empty ("") or null.</p>
+   *
+   * <pre>
+   * isBlank(null)      = true
+   * isBlank("")        = true
+   * isBlank(" ")       = true
+   * isBlank("bob")     = false
+   * isBlank("  bob  ") = false
+   * </pre>
+   *
+   * @param str  the String to check, may be null
+   * @return <code>true</code> if the String is null, empty or whitespace
+   * @since 2.0
    */
-  public static Field field(Class theClass, String fieldName,
-      boolean callOnSupers, boolean throwExceptionIfNotFound) {
-    try {
-      Field field = theClass.getDeclaredField(fieldName);
-      // found it
-      return field;
-    } catch (NoSuchFieldException e) {
-      // if method not found
-      // if traversing up, and not Object, and not instance method
-      if (callOnSupers && !theClass.equals(Object.class)) {
-        return field(theClass.getSuperclass(), fieldName, callOnSupers,
-            throwExceptionIfNotFound);
-      }
+  public static boolean isBlank(String str) {
+    int strLen;
+    if (str == null || (strLen = str.length()) == 0) {
+      return true;
     }
-    // maybe throw an exception
-    if (throwExceptionIfNotFound) {
-      throw new RuntimeException("Cant find field: " + fieldName
-          + ", in: " + theClass + ", callOnSupers: " + callOnSupers);
+    for (int i = 0; i < strLen; i++) {
+      if ((Character.isWhitespace(str.charAt(i)) == false)) {
+        return false;
+      }
     }
-    return null;
-  }
-
-  /**
-   * return a set of Strings for a class and type. This is not for any
-   * supertypes, only for the type at hand. includes final fields
-   * 
-   * @param theClass the class to look for fields in
-   * @param fieldType
-   *            or null for all
-   * @param includeStaticFields when true, include static fields
-   * @return the set of strings, or the empty Set if none
-   */
-  @SuppressWarnings("unchecked")
-  public static Set<String> fieldNames(Class theClass, Class fieldType,
-      boolean includeStaticFields) {
-    return fieldNamesHelper(theClass, theClass, fieldType, true, true,
-        includeStaticFields, null, true);
+    return true;
   }
 
   /**
-   * get all field names from a class, including superclasses (if specified)
-   * 
-   * @param theClass
-   *            to look for fields in
-   * @param superclassToStopAt
-   *            to go up to or null to go up to Object
-   * @param fieldType
-   *            is the type of the field to get
-   * @param includeSuperclassToStopAt
-   *            if we should include the superclass
-   * @param includeStaticFields
-   *            if include static fields
-   * @param includeFinalFields
-   *            if final fields should be included
-   * @return the set of field names or empty set if none
+   * trim whitespace from string
+   * @param str string to trim
+   * @return trimmed string
    */
-  public static Set<String> fieldNames(Class theClass,
-      Class superclassToStopAt, Class<?> fieldType,
-      boolean includeSuperclassToStopAt, boolean includeStaticFields,
-      boolean includeFinalFields) {
-    return fieldNamesHelper(theClass, superclassToStopAt, fieldType,
-        includeSuperclassToStopAt, includeStaticFields,
-        includeFinalFields, null, true);
-
+  public static String trim(String str) {
+    return str == null ? null : str.trim();
   }
 
   /**
-   * get all field names from a class, including superclasses (if specified).
-   * ignore a certain marker annotation
-   * 
-   * @param theClass
-   *            to look for fields in
-   * @param superclassToStopAt
-   *            to go up to or null to go up to Object
-   * @param fieldType
-   *            is the type of the field to get
-   * @param includeSuperclassToStopAt
-   *            if we should include the superclass
-   * @param includeStaticFields
-   *            if include static fields
-   * @param includeFinalFields
-   *            if final fields should be included
-   * @param markerAnnotationToIngore
-   *            if this is not null, then if the field has this annotation,
-   *            then do not include in list
-   * @return the set of field names
+   * null-safe equalsignorecase
+   * @param str1 first string
+   * @param str2 second string
+   * @return true if the strings are equal ignore case
    */
-  public static Set<String> fieldNames(Class theClass,
-      Class superclassToStopAt, Class<?> fieldType,
-      boolean includeSuperclassToStopAt, boolean includeStaticFields,
-      boolean includeFinalFields,
-      Class<? extends Annotation> markerAnnotationToIngore) {
-    return fieldNamesHelper(theClass, superclassToStopAt, fieldType,
-        includeSuperclassToStopAt, includeStaticFields,
-        includeFinalFields, markerAnnotationToIngore, false);
-
+  public static boolean equalsIgnoreCase(String str1, String str2) {
+    return str1 == null ? str2 == null : str1.equalsIgnoreCase(str2);
   }
 
-  /**
-   * get all field names from a class, including superclasses (if specified)
-   * (up to and including the specified superclass). ignore a certain marker
-   * annotation. Dont get static or final field, and get fields of all types
-   * 
-   * @param theClass
-   *            to look for fields in
-   * @param superclassToStopAt
-   *            to go up to or null to go up to Object
-   * @param markerAnnotationToIngore
-   *            if this is not null, then if the field has this annotation,
-   *            then do not include in list
-   * @return the set of field names or empty set if none
-   */
-  public static Set<String> fieldNames(Class theClass,
-      Class superclassToStopAt,
-      Class<? extends Annotation> markerAnnotationToIngore) {
-    return fieldNamesHelper(theClass, superclassToStopAt, null, true,
-        false, false, markerAnnotationToIngore, false);
-  }
+  // Splitting
+  //-----------------------------------------------------------------------
 
   /**
-   * get all field names from a class, including superclasses (if specified)
-   * 
-   * @param theClass
-   *            to look for fields in
-   * @param superclassToStopAt
-   *            to go up to or null to go up to Object
-   * @param fieldType
-   *            is the type of the field to get
-   * @param includeSuperclassToStopAt
-   *            if we should include the superclass
-   * @param includeStaticFields
-   *            if include static fields
-   * @param includeFinalFields
-   *            true to include finals
-   * @param markerAnnotation
-   *            if this is not null, then if the field has this annotation,
-   *            then do not include in list (if includeAnnotation is false)
-   * @param includeAnnotation
-   *            true if the attribute should be included if annotation is
-   *            present, false if exclude
-   * @return the set of field names or empty set if none
+   * <p>Splits the provided text into an array, separators specified.
+   * This is an alternative to using StringTokenizer.</p>
+   *
+   * <p>The separator is not included in the returned String array.
+   * Adjacent separators are treated as one separator.
+   * For more control over the split use the StrTokenizer class.</p>
+   *
+   * <p>A <code>null</code> input String returns <code>null</code>.
+   * A <code>null</code> separatorChars splits on whitespace.</p>
+   *
+   * <pre>
+   * StringUtils.split(null, *)         = null
+   * StringUtils.split("", *)           = []
+   * StringUtils.split("abc def", null) = ["abc", "def"]
+   * StringUtils.split("abc def", " ")  = ["abc", "def"]
+   * StringUtils.split("abc  def", " ") = ["abc", "def"]
+   * StringUtils.split("ab:cd:ef", ":") = ["ab", "cd", "ef"]
+   * </pre>
+   *
+   * @param str  the String to parse, may be null
+   * @param separatorChars  the characters used as the delimiters,
+   *  <code>null</code> splits on whitespace
+   * @return an array of parsed Strings, <code>null</code> if null String input
    */
-  @SuppressWarnings("unchecked")
-  static Set<String> fieldNamesHelper(Class theClass,
-      Class superclassToStopAt, Class<?> fieldType,
-      boolean includeSuperclassToStopAt, boolean includeStaticFields,
-      boolean includeFinalFields,
-      Class<? extends Annotation> markerAnnotation,
-      boolean includeAnnotation) {
-    Set<Field> fieldSet = fieldsHelper(theClass, superclassToStopAt,
-        fieldType, includeSuperclassToStopAt, includeStaticFields,
-        includeFinalFields, markerAnnotation, includeAnnotation);
-    Set<String> fieldNameSet = new LinkedHashSet<String>();
-    for (Field field : fieldSet) {
-      fieldNameSet.add(field.getName());
-    }
-    return fieldNameSet;
-
+  public static String[] split(String str, String separatorChars) {
+    return splitWorker(str, separatorChars, -1, false);
   }
 
-  /**
-   * get all fields from a class, including superclasses (if specified)
-   * 
-   * @param theClass
-   *            to look for fields in
-   * @param superclassToStopAt
-   *            to go up to or null to go up to Object
-   * @param fieldType
-   *            is the type of the field to get
-   * @param includeSuperclassToStopAt
-   *            if we should include the superclass
-   * @param includeStaticFields
-   *            if include static fields
-   * @param includeFinalFields
-   *            if final fields should be included
-   * @param markerAnnotation
-   *            if this is not null, then if the field has this annotation,
-   *            then do not include in list (if includeAnnotation is false)
-   * @param includeAnnotation
-   *            true if the attribute should be included if annotation is
-   *            present, false if exclude
-   * @return the set of fields (wont return null)
-   */
-  @SuppressWarnings("unchecked")
-  public static Set<Field> fields(Class theClass, Class superclassToStopAt,
-      Class fieldType, boolean includeSuperclassToStopAt,
-      boolean includeStaticFields, boolean includeFinalFields,
-      Class<? extends Annotation> markerAnnotation,
-      boolean includeAnnotation) {
-    return fieldsHelper(theClass, superclassToStopAt, fieldType,
-        includeSuperclassToStopAt, includeStaticFields,
-        includeFinalFields, markerAnnotation, includeAnnotation);
-  }
+  //-----------------------------------------------------------------------
 
   /**
-   * get all fields from a class, including superclasses (if specified) (up to
-   * and including the specified superclass). ignore a certain marker
-   * annotation, or only include it. Dont get static or final field, and get
-   * fields of all types
-   * 
-   * @param theClass
-   *            to look for fields in
-   * @param superclassToStopAt
-   *            to go up to or null to go up to Object
-   * @param markerAnnotation
-   *            if this is not null, then if the field has this annotation,
-   *            then do not include in list (if includeAnnotation is false)
-   * @param includeAnnotation
-   *            true if the attribute should be included if annotation is
-   *            present, false if exclude
-   * @return the set of field names or empty set if none
+   * <p>Splits the provided text into an array, separators specified, 
+   * preserving all tokens, including empty tokens created by adjacent
+   * separators. This is an alternative to using StringTokenizer.</p>
+   *
+   * <p>The separator is not included in the returned String array.
+   * Adjacent separators are treated as separators for empty tokens.
+   * For more control over the split use the StrTokenizer class.</p>
+   *
+   * <p>A <code>null</code> input String returns <code>null</code>.
+   * A <code>null</code> separatorChars splits on whitespace.</p>
+   *
+   * <pre>
+   * StringUtils.splitPreserveAllTokens(null, *)           = null
+   * StringUtils.splitPreserveAllTokens("", *)             = []
+   * StringUtils.splitPreserveAllTokens("abc def", null)   = ["abc", "def"]
+   * StringUtils.splitPreserveAllTokens("abc def", " ")    = ["abc", "def"]
+   * StringUtils.splitPreserveAllTokens("abc  def", " ")   = ["abc", "", def"]
+   * StringUtils.splitPreserveAllTokens("ab:cd:ef", ":")   = ["ab", "cd", "ef"]
+   * StringUtils.splitPreserveAllTokens("ab:cd:ef:", ":")  = ["ab", "cd", "ef", ""]
+   * StringUtils.splitPreserveAllTokens("ab:cd:ef::", ":") = ["ab", "cd", "ef", "", ""]
+   * StringUtils.splitPreserveAllTokens("ab::cd:ef", ":")  = ["ab", "", cd", "ef"]
+   * StringUtils.splitPreserveAllTokens(":cd:ef", ":")     = ["", cd", "ef"]
+   * StringUtils.splitPreserveAllTokens("::cd:ef", ":")    = ["", "", cd", "ef"]
+   * StringUtils.splitPreserveAllTokens(":cd:ef:", ":")    = ["", cd", "ef", ""]
+   * </pre>
+   *
+   * @param str  the String to parse, may be <code>null</code>
+   * @param separatorChars  the characters used as the delimiters,
+   *  <code>null</code> splits on whitespace
+   * @return an array of parsed Strings, <code>null</code> if null String input
+   * @since 2.1
    */
-  @SuppressWarnings("unchecked")
-  public static Set<Field> fields(Class theClass, Class superclassToStopAt,
-      Class<? extends Annotation> markerAnnotation,
-      boolean includeAnnotation) {
-    return fieldsHelper(theClass, superclassToStopAt, null, true, false,
-        false, markerAnnotation, includeAnnotation);
+  public static String[] splitPreserveAllTokens(String str, String separatorChars) {
+    return splitWorker(str, separatorChars, -1, true);
   }
 
   /**
-   * get all fields from a class, including superclasses (if specified)
-   * 
-   * @param theClass
-   *            to look for fields in
-   * @param superclassToStopAt
-   *            to go up to or null to go up to Object
-   * @param fieldType
-   *            is the type of the field to get
-   * @param includeSuperclassToStopAt
-   *            if we should include the superclass
-   * @param includeStaticFields
-   *            if include static fields
-   * @param includeFinalFields
-   *            if final fields should be included
-   * @param markerAnnotation
-   *            if this is not null, then if the field has this annotation,
-   *            then do not include in list (if includeAnnotation is false)
-   * @param includeAnnotation
-   *            true if the attribute should be included if annotation is
-   *            present, false if exclude
-   * @return the set of fields (wont return null)
+   * Performs the logic for the <code>split</code> and 
+   * <code>splitPreserveAllTokens</code> methods that return a maximum array 
+   * length.
+   *
+   * @param str  the String to parse, may be <code>null</code>
+   * @param separatorChars the separate character
+   * @param max  the maximum number of elements to include in the
+   *  array. A zero or negative value implies no limit.
+   * @param preserveAllTokens if <code>true</code>, adjacent separators are
+   * treated as empty token separators; if <code>false</code>, adjacent
+   * separators are treated as one separator.
+   * @return an array of parsed Strings, <code>null</code> if null String input
    */
   @SuppressWarnings("unchecked")
-  static Set<Field> fieldsHelper(Class theClass, Class superclassToStopAt,
-      Class<?> fieldType, boolean includeSuperclassToStopAt,
-      boolean includeStaticFields, boolean includeFinalFields,
-      Class<? extends Annotation> markerAnnotation,
-      boolean includeAnnotation) {
-    // MAKE SURE IF ANY MORE PARAMS ARE ADDED, THE CACHE KEY IS CHANGED!
+  private static String[] splitWorker(String str, String separatorChars, int max,
+      boolean preserveAllTokens) {
+    // Performance tuned for 2.0 (JDK1.4)
+    // Direct code is quicker than StringTokenizer.
+    // Also, StringTokenizer uses isSpace() not isWhitespace()
 
-    Set<Field> fieldNameSet = null;
-    String cacheKey = theClass + CACHE_SEPARATOR + superclassToStopAt
-        + CACHE_SEPARATOR + fieldType + CACHE_SEPARATOR
-        + includeSuperclassToStopAt + CACHE_SEPARATOR
-        + includeStaticFields + CACHE_SEPARATOR + includeFinalFields
-        + CACHE_SEPARATOR + markerAnnotation + CACHE_SEPARATOR
-        + includeAnnotation;
-    fieldNameSet = fieldSetCache().get(cacheKey);
-    if (fieldNameSet != null) {
-      return fieldNameSet;
+    if (str == null) {
+      return null;
     }
-
-    fieldNameSet = new LinkedHashSet<Field>();
-    fieldsHelper(theClass, superclassToStopAt, fieldType,
-        includeSuperclassToStopAt, includeStaticFields,
-        includeFinalFields, markerAnnotation, fieldNameSet,
-        includeAnnotation);
-
-    // add to cache
-    fieldSetCache().put(cacheKey, fieldNameSet);
-
-    return fieldNameSet;
-
-  }
-
-  /**
-   * compare two objects, compare primitives, Strings, maps of string attributes.
-   * if both objects equal each others references, then return empty set.
-   * Otherwise if not, then if either is null, return all fields
-   *
-   * @param first The first object to compare.
-   * @param second The second object to compare.
-   * @param fieldsToCompare The field names on both objects that should be compared
-   * @param mapPrefix is the prefix for maps which are compared (e.g. attribute__)
-   * @return the set of fields which are different.  never returns null
-   */
-  @SuppressWarnings("unchecked")
-  public static Set<String> compareObjectFields(Object first, Object second, 
-      Set<String> fieldsToCompare, String mapPrefix) {
-    
-    Set<String> differentFields = new LinkedHashSet<String>();
-    
-    if (first == second) {
-      return differentFields;
-    }
-    
-    //if either null, then all fields are different
-    if (first == null || second == null) {
-      differentFields.addAll(fieldsToCompare);
+    int len = str.length();
+    if (len == 0) {
+      return EMPTY_STRING_ARRAY;
     }
-
-    for (String fieldName : fieldsToCompare) {
-      try {
-        Object firstValue = fieldValue(first, fieldName);
-        Object secondValue = fieldValue(second, fieldName);
-        
-        if (firstValue == secondValue) {
-          continue;
-        }
-        if (firstValue instanceof Map || secondValue instanceof Map) {
-          mapDifferences((Map)firstValue, (Map)secondValue, differentFields, mapPrefix);
+    List list = new ArrayList();
+    int sizePlus1 = 1;
+    int i = 0, start = 0;
+    boolean match = false;
+    boolean lastMatch = false;
+    if (separatorChars == null) {
+      // Null separator means use whitespace
+      while (i < len) {
+        if (Character.isWhitespace(str.charAt(i))) {
+          if (match || preserveAllTokens) {
+            lastMatch = true;
+            if (sizePlus1++ == max) {
+              i = len;
+              lastMatch = false;
+            }
+            list.add(str.substring(start, i));
+            match = false;
+          }
+          start = ++i;
           continue;
         }
-        //compare things...
-        //for strings, null is equal to empty
-        if (firstValue instanceof String || secondValue instanceof String) {
-          if (!equals(defaultString((String)firstValue),
-              defaultString((String)secondValue))) {
-            differentFields.add(fieldName);
+        lastMatch = false;
+        match = true;
+        i++;
+      }
+    } else if (separatorChars.length() == 1) {
+      // Optimise 1 character case
+      char sep = separatorChars.charAt(0);
+      while (i < len) {
+        if (str.charAt(i) == sep) {
+          if (match || preserveAllTokens) {
+            lastMatch = true;
+            if (sizePlus1++ == max) {
+              i = len;
+              lastMatch = false;
+            }
+            list.add(str.substring(start, i));
+            match = false;
           }
+          start = ++i;
           continue;
         }
-        //if one is null, that is not good
-        if (firstValue == null || secondValue == null) {
-          differentFields.add(fieldName);
+        lastMatch = false;
+        match = true;
+        i++;
+      }
+    } else {
+      // standard case
+      while (i < len) {
+        if (separatorChars.indexOf(str.charAt(i)) >= 0) {
+          if (match || preserveAllTokens) {
+            lastMatch = true;
+            if (sizePlus1++ == max) {
+              i = len;
+              lastMatch = false;
+            }
+            list.add(str.substring(start, i));
+            match = false;
+          }
+          start = ++i;
           continue;
         }
-        //everything (numbers, dates, etc) should work with equals method...
-        if (!firstValue.equals(secondValue)) {
-          differentFields.add(fieldName);
-        }
-        
-      } catch (RuntimeException re) {
-        throw new RuntimeException("Problem comparing field " + fieldName 
-            + " on objects: " + className(first) + ", " + className(second));
+        lastMatch = false;
+        match = true;
+        i++;
       }
-      
-      
-    }
-    return differentFields;
-  }
-  
-  /**
-   * clone an object, assign primitives, Strings, maps of string attributes.  Clone GrouperCloneable fields.
-   * @param <T> the type
-   * @param object  the object to clone
-   * @param fieldsToClone the desired fields from the object
-   * @return the cloned object or null if input is null
-   */
-  @SuppressWarnings("unchecked")
-  public static <T> T clone(T object, Set<String> fieldsToClone) {
-    
-    //make a return object
-    T result = (T)newInstance(object.getClass());
-    
-    cloneFields(object, result, fieldsToClone);
-    
-    return result;
-  }
-  
-  /**
-   * clone an object, assign primitives, Strings, maps of string attributes.  Clone GrouperCloneable fields.
-   * @param <T> the type
-   * @param object  the object to clone
-   * @param result  the resulting object
-   * @param fieldsToClone the desired fields from the object
-   */
-  public static <T> void cloneFields(T object, T result,
-      Set<String> fieldsToClone) {
-    
-    if (object == result) {
-      return;
-    }
-    
-    //if either null, then all fields are different
-    if (object == null || result == null) {
-      throw new RuntimeException("Cant copy from or to null: " + className(object) + ", " + className(result));
     }
-    
-    Class<?> fieldValueClass = null;
-    
-    for (String fieldName : nonNull(fieldsToClone)) {
-      try {
-        
-        Object fieldValue = fieldValue(object, fieldName);
-        fieldValueClass = fieldValue == null ? null : fieldValue.getClass();
-        
-        Object fieldValueToAssign = cloneValue(fieldValue);
-        
-        //assign the field to the clone
-        assignField(result, fieldName, fieldValueToAssign);
-        
-      } catch (RuntimeException re) {
-        throw new RuntimeException("Problem cloning field: " + object.getClass() 
-              + ", " + fieldName + ", " + fieldValueClass, re);
-      }
+    if (match || (preserveAllTokens && lastMatch)) {
+      list.add(str.substring(start, i));
     }
+    return (String[]) list.toArray(new String[list.size()]);
   }
-  
-  /**
-   * helper method to clone the value of a field.  just returns the same
-   * reference for primitives and immutables.  Will subclone GrouperCloneables, 
-   * and will throw exception if not expecting the type.  Will clone sets, lists, maps.
-   * @param <T> template
-   * 
-   * @param value The value to clone
-   * @return the cloned value
-   */
-  @SuppressWarnings("unchecked")
-  public static <T> T cloneValue(T value) {
 
-    Object clonedValue = value;
-    
-    if (value == null || value instanceof String 
-        || value.getClass().isPrimitive() || value instanceof Number
-        || value instanceof Boolean
-        || value instanceof Date) {
-      //clone things
-      //for strings, and immutable classes, just assign
-      //nothing to do, just assign the value
-    } else if (value instanceof Map) {
-      clonedValue = new LinkedHashMap();
-      Map mapValue = (Map)value;
-      Map clonedMapValue = (Map)clonedValue;
-      for (Object key : mapValue.keySet()) {
-        clonedMapValue.put(cloneValue(key), cloneValue(mapValue.get(key)));
-      }
-    } else if (value instanceof Set) {
-        clonedValue = new LinkedHashSet();
-        Set setValue = (Set)value;
-        Set clonedSetValue = (Set)clonedValue;
-        for (Object each : setValue) {
-          clonedSetValue.add(cloneValue(each));
-        }
-    } else if (value instanceof List) {
-      clonedValue = new ArrayList();
-      List listValue = (List)value;
-      List clonedListValue = (List)clonedValue;
-      for (Object each : listValue) {
-        clonedListValue.add(cloneValue(each));
-      }
-    } else if (value.getClass().isArray()) {
-      clonedValue = Array.newInstance(value.getClass().getComponentType(), Array.getLength(value));
-      for (int i=0;i<Array.getLength(value);i++) {
-        Array.set(clonedValue, i, cloneValue(Array.get(value, i)));
-      }
-      
-      
-    } else {
+  // Joining
+  //-----------------------------------------------------------------------
 
-      //this means let's add support for a new type of object
-      throw new RuntimeException("Unexpected class in clone method: " + value.getClass());
-    
-    }
-    return (T)clonedValue;
-  }
-  
   /**
-   * simple method to get method names
-   * @param theClass
-   *          class with methods
-   * @param superclassToStopAt 
-   *          when recursing, stop at this class
-   * @param includeSuperclassToStopAt 
-   *          when true, bound is inclusive of stop class
-   * @param includeStaticMethods 
-   *          when true, include static methods (otherwise static methods are excluded)
-   * @return the set of method names
+   * <p>Returns either the passed in String,
+   * or if the String is <code>null</code>, an empty String ("").</p>
+   *
+   * <pre>
+   * StringUtils.defaultString(null)  = ""
+   * StringUtils.defaultString("")    = ""
+   * StringUtils.defaultString("bat") = "bat"
+   * </pre>
+   *
+   * @see String#valueOf(Object)
+   * @param str  the String to check, may be null
+   * @return the passed in String, or the empty String if it
+   *  was <code>null</code>
    */
-  public static Set<String> methodNames(Class<?> theClass, Class<?> superclassToStopAt, 
-      boolean includeSuperclassToStopAt, boolean includeStaticMethods) {
-
-    Set<Method> methods = new LinkedHashSet<Method>();
-    methodsHelper(theClass, superclassToStopAt, includeSuperclassToStopAt, includeStaticMethods, 
-        null, false, methods);
-    Set<String> methodNames = new HashSet<String>();
-    for (Method method : methods) {
-      methodNames.add(method.getName());
-    }
-    return methodNames;
+  public static String defaultString(String str) {
+    return str == null ? "" : str;
   }
 
   /**
-   * get the set of methods and add them to the provided set
-   * @param theClass
-   *          class with methods
-   * @param superclassToStopAt 
-   *          when recursing, stop at this class
-   * @param includeSuperclassToStopAt 
-   *          when true, bound is inclusive of stop class
-   * @param includeStaticMethods
-   *          when true, include static methods (otherwise static methods are excluded)
-   * @param markerAnnotation 
-   *          a marker annotation
-   * @param includeAnnotation 
-   *          when true, include annotation
-   * @param methodSet
-   *            Holds resulting Methods
-   * @see Class#getDeclaredMethods()
+   * An empty immutable <code>String</code> array.
    */
-  public static void methodsHelper(Class<?> theClass, Class<?> superclassToStopAt, 
-      boolean includeSuperclassToStopAt,
-      boolean includeStaticMethods, Class<? extends Annotation> markerAnnotation, 
-      boolean includeAnnotation, Set<Method> methodSet) {
-    Method[] methods = theClass.getDeclaredMethods();
-    if (length(methods) != 0) {
-      for (Method method : methods) {
-        // if not static, then continue
-        if (!includeStaticMethods
-            && Modifier.isStatic(method.getModifiers())) {
-          continue;
-        }
-        // if checking for annotation
-        if (markerAnnotation != null
-            && (includeAnnotation != method
-                .isAnnotationPresent(markerAnnotation))) {
-          continue;
-        }
-        // go for it
-        methodSet.add(method);
-      }
-    }
-    // see if done recursing (if superclassToStopAt is null, then stop at
-    // Object
-    if (theClass.equals(superclassToStopAt)
-        || theClass.equals(Object.class)) {
-      return;
-    }
-    Class superclass = theClass.getSuperclass();
-    if (!includeSuperclassToStopAt && superclass.equals(superclassToStopAt)) {
-      return;
-    }
-    // recurse
-    methodsHelper(superclass, superclassToStopAt,
-        includeSuperclassToStopAt, includeStaticMethods,
-        markerAnnotation, includeAnnotation, methodSet);
-    
-  }
-  
+  public static final String[] EMPTY_STRING_ARRAY = new String[0];
+
   /**
-   * get the method
-   * @param theClass
-   *          class with methods
-   * @param methodName 
-   *          the method name
-   * @param paramTypesOrArrayOrList
-   *          types of the params
-   * @param superclassToStopAt 
-   *          the super class beyond which no more searching is performed
-   * @param includeSuperclassToStopAt 
-   *          when true, the superclassToStopAt is included in the search
-   * @param isStaticOrInstance true if static
-   * @param markerAnnotation the annotation to look for
-   * @param includeAnnotation when true, include the annotation
-   * @return the method or null if not found
-   *            
+   * get a jar file from a sample class
+   * @param sampleClass the class for which the jar is looked up
+   * @return the jar file
    */
-  public static Method method(Class<?> theClass, 
-      String methodName, Object paramTypesOrArrayOrList,
-      Class<?> superclassToStopAt, 
-      boolean includeSuperclassToStopAt,
-      boolean isStaticOrInstance, Class<? extends Annotation> markerAnnotation, 
-      boolean includeAnnotation) {
-
-    Class[] paramTypesArray = (Class[]) toArray(paramTypesOrArrayOrList);
-
-    Method method = null;
-    
+  public static File jarFile(Class sampleClass) {
     try {
-      method = theClass.getDeclaredMethod(methodName, paramTypesArray);
-    } catch (NoSuchMethodException nsme) {
-      //this is ok
-    } catch (Exception e) {
-      throw new RuntimeException("Problem retrieving method: " + theClass.getSimpleName() + ", " + methodName, e);
-    }
-    
-    if (method != null) {
-      //we found a method, make sure it is valid
-      // if not static, then return null (dont worry about superclass)
-      if (!isStaticOrInstance
-          && Modifier.isStatic(method.getModifiers())) {
-        return null;
+      CodeSource codeSource = sampleClass.getProtectionDomain().getCodeSource();
+      if (codeSource != null && codeSource.getLocation() != null) {
+        String fileName = URLDecoder.decode(codeSource.getLocation().getFile(), "UTF-8");
+        return new File(fileName);
       }
-      // if checking for annotation, if not there, then recurse
-      if (markerAnnotation == null
-          || (includeAnnotation == method
-              .isAnnotationPresent(markerAnnotation))) {
-        return method;
+      String resourcePath = sampleClass.getName();
+      resourcePath = resourcePath.replace('.', '/') + ".class";
+      URL url = computeUrl(resourcePath, true);
+      String urlPath = url.toString();
+      
+      if (urlPath.startsWith("jar:")) {
+        urlPath = urlPath.substring(4);
       }
-    }
-    // see if done recursing (if superclassToStopAt is null, then stop at
-    // Object
-    if (theClass.equals(superclassToStopAt)
-        || theClass.equals(Object.class)) {
-      return null;
-    }
-    Class superclass = theClass.getSuperclass();
-    if (!includeSuperclassToStopAt && superclass.equals(superclassToStopAt)) {
-      return null;
-    }
-    // recurse
-    return method(superclass, methodName, paramTypesArray, superclassToStopAt,
-        includeSuperclassToStopAt, isStaticOrInstance, markerAnnotation, includeAnnotation);
-  }
-  
-  /**
-   * get all field names from a class, including superclasses (if specified)
-   * 
-   * @param theClass
-   *            to look for fields in
-   * @param superclassToStopAt
-   *            to go up to or null to go up to Object
-   * @param fieldType
-   *            is the type of the field to get
-   * @param includeSuperclassToStopAt
-   *            if we should include the superclass
-   * @param includeStaticFields
-   *            if include static fields
-   * @param includeFinalFields
-   *            if final fields should be included
-   * @param markerAnnotation
-   *            if this is not null, then if the field has this annotation,
-   *            then do not include in list
-   * @param fieldSet
-   *            set to add fields to
-   * @param includeAnnotation
-   *            if include or exclude
-   */
-  @SuppressWarnings("unchecked")
-  private static void fieldsHelper(Class theClass, Class superclassToStopAt,
-      Class<?> fieldType, boolean includeSuperclassToStopAt,
-      boolean includeStaticFields, boolean includeFinalFields,
-      Class<? extends Annotation> markerAnnotation, Set<Field> fieldSet,
-      boolean includeAnnotation) {
-    Field[] fields = theClass.getDeclaredFields();
-    if (length(fields) != 0) {
-      for (Field field : fields) {
-        // if checking for type, and not right type, continue
-        if (fieldType != null
-            && !fieldType.isAssignableFrom(field.getType())) {
-          continue;
-        }
-        // if not static, then continue
-        if (!includeStaticFields
-            && Modifier.isStatic(field.getModifiers())) {
-          continue;
-        }
-        // if not final constinue
-        if (!includeFinalFields
-            && Modifier.isFinal(field.getModifiers())) {
-          continue;
-        }
-        // if checking for annotation
-        if (markerAnnotation != null
-            && (includeAnnotation != field
-                .isAnnotationPresent(markerAnnotation))) {
-          continue;
-        }
-        // go for it
-        fieldSet.add(field);
+      if (urlPath.startsWith("file:")) {
+        urlPath = urlPath.substring(5);
       }
-    }
-    // see if done recursing (if superclassToStopAt is null, then stop at
-    // Object
-    if (theClass.equals(superclassToStopAt)
-        || theClass.equals(Object.class)) {
-      return;
-    }
-    Class superclass = theClass.getSuperclass();
-    if (!includeSuperclassToStopAt && superclass.equals(superclassToStopAt)) {
-      return;
-    }
-    // recurse
-    fieldsHelper(superclass, superclassToStopAt, fieldType,
-        includeSuperclassToStopAt, includeStaticFields,
-        includeFinalFields, markerAnnotation, fieldSet,
-        includeAnnotation);
-  }
-
-  /**
-   * find out a field value
-   * 
-   * @param theClass
-   *            the class which has the method
-   * @param invokeOn
-   *            to call on or null for static
-   * @param fieldName
-   *            method name to call
-   * @param callOnSupers
-   *            if static and method not exists, try on supers
-   * @param overrideSecurity
-   *            true to call on protected or private etc methods
-   * @return the current value
-   */
-  public static Object fieldValue(Class theClass, Object invokeOn,
-      String fieldName, boolean callOnSupers, boolean overrideSecurity) {
-    Field field = null;
-
-    // only if the method exists, try to execute
-    try {
-      // ok if null
-      if (theClass == null) {
-        theClass = invokeOn.getClass();
+      urlPath = prefixOrSuffix(urlPath, "!", true); 
+  
+      urlPath = URLDecoder.decode(urlPath, "UTF-8");
+  
+      File file = new File(urlPath);
+      if (urlPath.endsWith(".jar") && file.exists() && file.isFile()) {
+        return file;
       }
-      field = field(theClass, fieldName, callOnSupers, true);
-      return fieldValue(field, invokeOn, overrideSecurity);
     } catch (Exception e) {
-      throw new RuntimeException("Cant execute reflection field: "
-          + fieldName + ", on: " + className(invokeOn), e);
     }
+    return null;
   }
 
   /**
-   * get the value of a field, override security if needbe
+   * strip the last slash (/ or \) from a string if it exists
    * 
-   * @param field the field
-   * @param invokeOn the object on which to invoke the field
-   * @return the value of the field
-   */
-  public static Object fieldValue(Field field, Object invokeOn) {
-    return fieldValue(field, invokeOn, true);
-  }
-
-  /**
-   * get the value of a field
+   * @param input A string potentially ending in '\' or '/'
    * 
-   * @param field the field
-   * @param invokeOn the object on which to invoke the field
-   * @param overrideSecurity when true, set accessible on the field
-   * @return the value of the field
-   * @see java.lang.reflect.Field#get(Object)
+   * @return input without the last / or \
    */
-  public static Object fieldValue(Field field, Object invokeOn,
-      boolean overrideSecurity) {
-    if (overrideSecurity) {
-      field.setAccessible(true);
-    }
-    try {
-      return field.get(invokeOn);
-    } catch (Exception e) {
-      throw new RuntimeException("Cant execute reflection field: "
-          + field.getName() + ", on: " + className(invokeOn), e);
-
+  public static String stripLastSlashIfExists(String input) {
+    if ((input == null) || (input.length() == 0)) {
+      return null;
     }
 
-  }
-
-  /**
-   * find out a field value (invoke on supers, override security)
-   * 
-   * @param invokeOn
-   *            to call on or null for static
-   * @param fieldName
-   *            method name to call
-   * @return the current value
-   */
-  public static Object fieldValue(Object invokeOn, String fieldName) {
-    return fieldValue(null, invokeOn, fieldName, true, true);
-  }
+    char lastChar = input.charAt(input.length() - 1);
 
-  /**
-   * get the decalred methods for a class, perhaps from cache
-   * 
-   * @param theClass the class
-   * @return the declared methods
-   */
-  @SuppressWarnings("unused")
-  private static Method[] retrieveDeclaredMethods(Class theClass) {
-    Method[] methods = declaredMethodsCache().get(theClass);
-    // get from cache if we can
-    if (methods == null) {
-      methods = theClass.getDeclaredMethods();
-      declaredMethodsCache().put(theClass, methods);
+    if ((lastChar == '\\') || (lastChar == '/')) {
+      return input.substring(0, input.length() - 1);
     }
-    return methods;
-  }
 
-  /**
-   * helper method for calling a method with no params (could be in
-   * superclass)
-   * 
-   * @param theClass
-   *            the class which has the method
-   * @param invokeOn
-   *            to call on or null for static
-   * @param methodName
-   *            method name to call
-   * @return the data
-   */
-  public static Object callMethod(Class theClass, Object invokeOn,
-      String methodName) {
-    return callMethod(theClass, invokeOn, methodName, null, null);
-  }
-
-  /**
-   * helper method for calling a method (could be in superclass)
-   * 
-   * @param theClass
-   *            the class which has the method
-   * @param invokeOn
-   *            to call on or null for static
-   * @param methodName
-   *            method name to call
-   * @param paramTypesOrArrayOrList
-   *            types of the params
-   * @param paramsOrListOrArray
-   *            data
-   * @return the data
-   */
-  public static Object callMethod(Class theClass, Object invokeOn,
-      String methodName, Object paramTypesOrArrayOrList,
-      Object paramsOrListOrArray) {
-    return callMethod(theClass, invokeOn, methodName,
-        paramTypesOrArrayOrList, paramsOrListOrArray, true);
-  }
-
-  /**
-   * helper method for calling a method
-   * 
-   * @param theClass
-   *            the class which has the method
-   * @param invokeOn
-   *            to call on or null for static
-   * @param methodName
-   *            method name to call
-   * @param paramTypesOrArrayOrList
-   *            types of the params
-   * @param paramsOrListOrArray
-   *            data
-   * @param callOnSupers
-   *            if static and method not exists, try on supers
-   * @return the data
-   */
-  public static Object callMethod(Class theClass, Object invokeOn,
-      String methodName, Object paramTypesOrArrayOrList,
-      Object paramsOrListOrArray, boolean callOnSupers) {
-    return callMethod(theClass, invokeOn, methodName,
-        paramTypesOrArrayOrList, paramsOrListOrArray, callOnSupers,
-        false);
-  }
-
-  /**
-   * construct an instance by reflection
-   * @param <T> the type 
-   * @param theClass the class
-   * @param types the types array
-   * @param args the arguments array
-   * @return the instance
-   */
-  public static <T> T construct(Class<T> theClass, Class[] types, Object[] args) {
-    try {
-      Constructor<T> constructor = theClass.getConstructor(types);
-      
-      return constructor.newInstance(args);
-      
-    } catch (Exception e) {
-      throw new RuntimeException("Having trouble with constructor for class: " + theClass.getSimpleName()
-          + " and args: " + classesString(types), e);
-     }
-  }
-  
-  /**
-   * helper method for calling a method
-   * 
-   * @param theClass
-   *            the class which has the method
-   * @param invokeOn
-   *            to call on or null for static
-   * @param methodName
-   *            method name to call
-   * @param paramTypesOrArrayOrList
-   *            types of the params
-   * @param paramsOrListOrArray
-   *            data
-   * @param callOnSupers
-   *            if static and method not exists, try on supers
-   * @param overrideSecurity
-   *            true to call on protected or private etc methods
-   * @return the data
-   */
-  public static Object callMethod(Class theClass, Object invokeOn,
-      String methodName, Object paramTypesOrArrayOrList,
-      Object paramsOrListOrArray, boolean callOnSupers,
-      boolean overrideSecurity) {
-    Method method = null;
-
-    Class[] paramTypesArray = (Class[]) toArray(paramTypesOrArrayOrList);
-
-    try {
-      method = theClass.getDeclaredMethod(methodName, paramTypesArray);
-      if (overrideSecurity) {
-        method.setAccessible(true);
-      }
-    } catch (Exception e) {
-      // if method not found
-      if (e instanceof NoSuchMethodException) {
-        // if traversing up, and not Object, and not instance method
-        // CH 070425 not sure why invokeOn needs to be null, removing
-        // this
-        if (callOnSupers /* && invokeOn == null */
-            && !theClass.equals(Object.class)) {
-          return callMethod(theClass.getSuperclass(), invokeOn,
-              methodName, paramTypesOrArrayOrList,
-              paramsOrListOrArray, callOnSupers, overrideSecurity);
-        }
-      }
-      throw new RuntimeException("Problem calling method " + methodName
-          + " on " + theClass.getName(), e);
-    }
-
-    return invokeMethod(method, invokeOn, paramsOrListOrArray);
-
-  }
-  
-  /** pass this in the invokeOn to signify no params */
-  private static final Object NO_PARAMS = new Object();
-  
-  /**
-   * Safely invoke a reflection method that takes no args
-   * 
-   * @param method
-   *            to invoke
-   * @param invokeOn the object on which to invoke the method
-   * if NO_PARAMS then will not pass in params.
-   * @return the result
-   */
-  public static Object invokeMethod(Method method, Object invokeOn) {
-    return invokeMethod(method, invokeOn, NO_PARAMS);
-  }
-
-  /**
-   * Safely invoke a reflection method
-   * 
-   * @param method
-   *            to invoke
-   * @param invokeOn the object on which to invoke the method
-   * @param paramsOrListOrArray must be an arg.  If null, will pass null.
-   * if NO_PARAMS then will not pass in params.
-   * @return the result
-   */
-  public static Object invokeMethod(Method method, Object invokeOn,
-      Object paramsOrListOrArray) {
-
-    Object[] args = paramsOrListOrArray == NO_PARAMS ? null : (Object[]) toArray(paramsOrListOrArray);
-
-    //we want to make sure things are accessible
-    method.setAccessible(true);
-
-    //only if the method exists, try to execute
-    Object result = null;
-    Exception e = null;
-    try {
-      result = method.invoke(invokeOn, args);
-    } catch (IllegalAccessException iae) {
-      e = iae;
-    } catch (IllegalArgumentException iae) {
-      e = iae;
-    } catch (InvocationTargetException ite) {
-      //this means the underlying call caused exception... its ok if runtime
-      if (ite.getCause() instanceof RuntimeException) {
-        throw (RuntimeException)ite.getCause();
-      }
-      //else throw as invocation target...
-      e = ite;
-    }
-    if (e != null) {
-      throw new RuntimeException("Cant execute reflection method: "
-          + method.getName() + ", on: " + className(invokeOn)
-          + ", with args: " + classNameCollection(args), e);
-    }
-    return result;
-  }
-
-  /**
-   * Convert a list to an array with the type of the first element e.g. if it
-   * is a list of Person objects, then the array is Person[]
-   * 
-   * @param objectOrArrayOrCollection
-   *            is a list
-   * @return the array of objects with type of the first element in the list
-   */
-  public static Object toArray(Object objectOrArrayOrCollection) {
-    // do this before length since if array with null in it, we want ti get
-    // it back
-    if (objectOrArrayOrCollection != null
-        && objectOrArrayOrCollection.getClass().isArray()) {
-      return objectOrArrayOrCollection;
-    }
-    int length = length(objectOrArrayOrCollection);
-    if (length == 0) {
-      return null;
-    }
-
-    if (objectOrArrayOrCollection instanceof Collection) {
-      Collection collection = (Collection) objectOrArrayOrCollection;
-      Object first = collection.iterator().next();
-      return toArray(collection, first == null ? Object.class : first
-          .getClass());
-    }
-    // make an array of the type of object passed in, size one
-    Object array = Array.newInstance(objectOrArrayOrCollection.getClass(),
-        1);
-    Array.set(array, 0, objectOrArrayOrCollection);
-    return array;
-  }
-
-  /**
-   * convert a list into an array of type of theClass
-   * @param <T> is the type of the array
-   * @param collection list to convert
-   * @param theClass type of array to return
-   * @return array of type theClass[] filled with the objects from list
-   */
-  @SuppressWarnings("unchecked")
-  public static <T> T[] toArray(Collection collection, Class<T> theClass) {
-    if (collection == null || collection.size() == 0) {
-      return null;
-    }
-
-    return (T[])collection.toArray((Object[]) Array.newInstance(theClass,
-        collection.size()));
-
-  }
-
-  /**
-   * helper method for calling a static method up the stack. method takes no
-   * args (could be in superclass)
-   * 
-   * @param theClass
-   *            the class which has the method
-   * @param methodName
-   *            method name to call
-   * @return the data
-   */
-  public static Object callMethod(Class theClass, String methodName) {
-    return callMethod(theClass, null, methodName, null, null);
-  }
-
-  /**
-   * helper method for calling a static method with no params
-   * 
-   * @param theClass
-   *            the class which has the method
-   * @param methodName
-   *            method name to call
-   * @param callOnSupers
-   *            if we should try the super classes if not exists in this class
-   * @return the data
-   */
-  public static Object callMethod(Class theClass, String methodName,
-      boolean callOnSupers) {
-    return callMethod(theClass, null, methodName, null, null, callOnSupers);
-  }
-
-  /**
-   * helper method for calling a static method up the stack
-   * 
-   * @param theClass
-   *            the class which has the method
-   * @param methodName
-   *            method name to call
-   * @param paramTypesOrArrayOrList
-   *            types of the params
-   * @param paramsOrListOrArray
-   *            data
-   * @return the data
-   */
-  public static Object callMethod(Class theClass, String methodName,
-      Object paramTypesOrArrayOrList, Object paramsOrListOrArray) {
-    return callMethod(theClass, null, methodName, paramTypesOrArrayOrList,
-        paramsOrListOrArray);
-  }
-
-  /**
-   * helper method for calling a method with no params (could be in
-   * superclass), will override security
-   * 
-   * @param invokeOn
-   *            instance to invoke on
-   * @param methodName
-   *            method name to call not exists in this class
-   * @return the data
-   */
-  public static Object callMethod(Object invokeOn, String methodName) {
-    if (invokeOn == null) {
-      throw new NullPointerException("invokeOn is null: " + methodName);
-    }
-    return callMethod(invokeOn.getClass(), invokeOn, methodName, null,
-        null, true, true);
-  }
-
-  /**
-   * replace a string or strings from a string, and put the output in a string
-   * buffer. This does not recurse
-   * 
-   * @param text
-   *            string to look in
-   * @param searchFor
-   *            string array to search for
-   * @param replaceWith
-   *            string array to replace with
-   * @return the string
-   */
-  public static String replace(String text, Object searchFor,
-      Object replaceWith) {
-    return replace(null, null, text, searchFor, replaceWith, false, 0,
-        false);
-  }
-
-  /**
-   * replace a string or strings from a string, and put the output in a string
-   * buffer
-   * 
-   * @param text
-   *            string to look in
-   * @param searchFor
-   *            string array to search for
-   * @param replaceWith
-   *            string array to replace with
-   * @param recurse
-   *            if true then do multiple replaces (on the replacements)
-   * @return the string
-   */
-  public static String replace(String text, Object searchFor,
-      Object replaceWith, boolean recurse) {
-    return replace(null, null, text, searchFor, replaceWith, recurse,
-        recurse ? length(searchFor) : 0, false);
-  }
-
-  /**
-   * replace a string or strings from a string, and put the output in a string
-   * buffer
-   * 
-   * @param text
-   *            string to look in
-   * @param searchFor
-   *            string array to search for
-   * @param replaceWith
-   *            string array to replace with
-   * @param recurse
-   *            if true then do multiple replaces (on the replacements)
-   * @param removeIfFound
-   *            true if removing from searchFor and replaceWith if found
-   * @return the string
-   */
-  public static String replace(String text, Object searchFor,
-      Object replaceWith, boolean recurse, boolean removeIfFound) {
-    return replace(null, null, text, searchFor, replaceWith, recurse,
-        recurse ? length(searchFor) : 0, removeIfFound);
-  }
-
-  /**
-   * <p>
-   * Replaces all occurrences of a String within another String.
-   * </p>
-   * 
-   * <p>
-   * A <code>null</code> reference passed to this method is a no-op.
-   * </p>
-   * 
-   * <pre>
-   * replace(null, *, *)        = null
-   * replace(&quot;&quot;, *, *)          = &quot;&quot;
-   * replace(&quot;any&quot;, null, *)    = &quot;any&quot;
-   * replace(&quot;any&quot;, *, null)    = &quot;any&quot;
-   * replace(&quot;any&quot;, &quot;&quot;, *)      = &quot;any&quot;
-   * replace(&quot;aba&quot;, &quot;a&quot;, null)  = &quot;aba&quot;
-   * replace(&quot;aba&quot;, &quot;a&quot;, &quot;&quot;)    = &quot;b&quot;
-   * replace(&quot;aba&quot;, &quot;a&quot;, &quot;z&quot;)   = &quot;zbz&quot;
-   * </pre>
-   * 
-   * @see #replace(String text, String repl, String with, int max)
-   * @param text
-   *            text to search and replace in, may be null
-   * @param repl
-   *            the String to search for, may be null
-   * @param with
-   *            the String to replace with, may be null
-   * @return the text with any replacements processed, <code>null</code> if
-   *         null String input
-   */
-  public static String replace(String text, String repl, String with) {
-    return replace(text, repl, with, -1);
-  }
-
-  /**
-   * <p>
-   * Replaces a String with another String inside a larger String, for the
-   * first <code>max</code> values of the search String.
-   * </p>
-   * 
-   * <p>
-   * A <code>null</code> reference passed to this method is a no-op.
-   * </p>
-   * 
-   * <pre>
-   * replace(null, *, *, *)         = null
-   * replace(&quot;&quot;, *, *, *)           = &quot;&quot;
-   * replace(&quot;any&quot;, null, *, *)     = &quot;any&quot;
-   * replace(&quot;any&quot;, *, null, *)     = &quot;any&quot;
-   * replace(&quot;any&quot;, &quot;&quot;, *, *)       = &quot;any&quot;
-   * replace(&quot;any&quot;, *, *, 0)        = &quot;any&quot;
-   * replace(&quot;abaa&quot;, &quot;a&quot;, null, -1) = &quot;abaa&quot;
-   * replace(&quot;abaa&quot;, &quot;a&quot;, &quot;&quot;, -1)   = &quot;b&quot;
-   * replace(&quot;abaa&quot;, &quot;a&quot;, &quot;z&quot;, 0)   = &quot;abaa&quot;
-   * replace(&quot;abaa&quot;, &quot;a&quot;, &quot;z&quot;, 1)   = &quot;zbaa&quot;
-   * replace(&quot;abaa&quot;, &quot;a&quot;, &quot;z&quot;, 2)   = &quot;zbza&quot;
-   * replace(&quot;abaa&quot;, &quot;a&quot;, &quot;z&quot;, -1)  = &quot;zbzz&quot;
-   * </pre>
-   * 
-   * @param text
-   *            text to search and replace in, may be null
-   * @param repl
-   *            the String to search for, may be null
-   * @param with
-   *            the String to replace with, may be null
-   * @param max
-   *            maximum number of values to replace, or <code>-1</code> if
-   *            no maximum
-   * @return the text with any replacements processed, <code>null</code> if
-   *         null String input
-   */
-  public static String replace(String text, String repl, String with, int max) {
-    if (text == null || isEmpty(repl) || with == null || max == 0) {
-      return text;
-    }
-
-    StringBuffer buf = new StringBuffer(text.length());
-    int start = 0, end = 0;
-    while ((end = text.indexOf(repl, start)) != -1) {
-      buf.append(text.substring(start, end)).append(with);
-      start = end + repl.length();
-
-      if (--max == 0) {
-        break;
-      }
-    }
-    buf.append(text.substring(start));
-    return buf.toString();
-  }
-
-  /**
-   * <p>
-   * Checks if a String is empty ("") or null.
-   * </p>
-   * 
-   * <pre>
-   * isEmpty(null)      = true
-   * isEmpty(&quot;&quot;)        = true
-   * isEmpty(&quot; &quot;)       = false
-   * isEmpty(&quot;bob&quot;)     = false
-   * isEmpty(&quot;  bob  &quot;) = false
-   * </pre>
-   * 
-   * <p>
-   * NOTE: This method changed in Lang version 2.0. It no longer trims the
-   * String. That functionality is available in isBlank().
-   * </p>
-   * 
-   * @param str
-   *            the String to check, may be null
-   * @return <code>true</code> if the String is empty or null
-   */
-  public static boolean isEmpty(String str) {
-    return str == null || str.length() == 0;
-  }
-
-  /**
-   * replace a string or strings from a string, and put the output in a string
-   * buffer. This does not recurse
-   * 
-   * @param outBuffer
-   *            stringbuffer to write to
-   * @param text
-   *            string to look in
-   * @param searchFor
-   *            string array to search for
-   * @param replaceWith
-   *            string array to replace with
-   */
-  public static void replace(StringBuffer outBuffer, String text,
-      Object searchFor, Object replaceWith) {
-    replace(outBuffer, null, text, searchFor, replaceWith, false, 0, false);
-  }
-
-  /**
-   * replace a string or strings from a string, and put the output in a string
-   * buffer
-   * 
-   * @param outBuffer
-   *            stringbuffer to write to
-   * @param text
-   *            string to look in
-   * @param searchFor
-   *            string array to search for
-   * @param replaceWith
-   *            string array to replace with
-   * @param recurse
-   *            if true then do multiple replaces (on the replacements)
-   */
-  public static void replace(StringBuffer outBuffer, String text,
-      Object searchFor, Object replaceWith, boolean recurse) {
-    replace(outBuffer, null, text, searchFor, replaceWith, recurse,
-        recurse ? length(searchFor) : 0, false);
-  }
-
-  /**
-   * replace a string with other strings, and either write to outWriter, or
-   * StringBuffer, and if StringBuffer potentially return a string. If
-   * outBuffer and outWriter are null, then return the String
-   * 
-   * @param outBuffer
-   *            stringbuffer to write to, or null to not
-   * @param outWriter
-   *            Writer to write to, or null to not.
-   * @param text
-   *            string to look in
-   * @param searchFor
-   *            string array to search for, or string, or list
-   * @param replaceWith
-   *            string array to replace with, or string, or list
-   * @param recurse
-   *            if true then do multiple replaces (on the replacements)
-   * @param timeToLive
-   *            if recursing, prevent endless loops
-   * @param removeIfFound
-   *            true if removing from searchFor and replaceWith if found
-   * @return the String if outBuffer and outWriter are null
-   * @throws IndexOutOfBoundsException
-   *             if the lengths of the arrays are not the same (null is ok,
-   *             and/or size 0)
-   * @throws IllegalArgumentException
-   *             if the search is recursive and there is an endless loop due
-   *             to outputs of one being inputs to another
-   */
-  private static String replace(StringBuffer outBuffer, Writer outWriter,
-      String text, Object searchFor, Object replaceWith, boolean recurse,
-      int timeToLive, boolean removeIfFound) {
-
-    // if recursing, we need to get the string, then print to buffer (since
-    // we need multiple passes)
-    if (!recurse) {
-      return replaceHelper(outBuffer, outWriter, text, searchFor,
-          replaceWith, recurse, timeToLive, removeIfFound);
-    }
-    // get the string
-    String result = replaceHelper(null, null, text, searchFor, replaceWith,
-        recurse, timeToLive, removeIfFound);
-    if (outBuffer != null) {
-      outBuffer.append(result);
-      return null;
-    }
-
-    if (outWriter != null) {
-      try {
-        outWriter.write(result);
-      } catch (IOException ioe) {
-        throw new RuntimeException(ioe);
-      }
-      return null;
-    }
-
-    return result;
-
-  }
-
-  /**
-   * replace a string or strings from a string, and put the output in a string
-   * buffer. This does not recurse
-   * 
-   * @param outWriter
-   *            writer to write to
-   * @param text
-   *            string to look in
-   * @param searchFor
-   *            string array to search for
-   * @param replaceWith
-   *            string array to replace with
-   */
-  public static void replace(Writer outWriter, String text, Object searchFor,
-      Object replaceWith) {
-    replace(null, outWriter, text, searchFor, replaceWith, false, 0, false);
-  }
-
-  /**
-   * replace a string or strings from a string, and put the output in a string
-   * buffer
-   * 
-   * @param outWriter
-   *            writer to write to
-   * @param text
-   *            string to look in
-   * @param searchFor
-   *            string array to search for
-   * @param replaceWith
-   *            string array to replace with
-   * @param recurse
-   *            if true then do multiple replaces (on the replacements)
-   */
-  public static void replace(Writer outWriter, String text, Object searchFor,
-      Object replaceWith, boolean recurse) {
-    replace(null, outWriter, text, searchFor, replaceWith, recurse,
-        recurse ? length(searchFor) : 0, false);
-  }
-
-  /**
-   * replace a string with other strings, and either write to outWriter, or
-   * StringBuffer, and if StringBuffer potentially return a string. If
-   * outBuffer and outWriter are null, then return the String
-   * 
-   * @param outBuffer
-   *            stringbuffer to write to, or null to not
-   * @param outWriter
-   *            Writer to write to, or null to not.
-   * @param text
-   *            string to look in
-   * @param searchFor
-   *            string array to search for, or string, or list
-   * @param replaceWith
-   *            string array to replace with, or string, or list
-   * @param recurse
-   *            if true then do multiple replaces (on the replacements)
-   * @param timeToLive
-   *            if recursing, prevent endless loops
-   * @param removeIfFound
-   *            true if removing from searchFor and replaceWith if found
-   * @return the String if outBuffer and outWriter are null
-   * @throws IllegalArgumentException
-   *             if the search is recursive and there is an endless loop due
-   *             to outputs of one being inputs to another
-   * @throws IndexOutOfBoundsException
-   *             if the lengths of the arrays are not the same (null is ok,
-   *             and/or size 0)
-   */
-  private static String replaceHelper(StringBuffer outBuffer,
-      Writer outWriter, String text, Object searchFor,
-      Object replaceWith, boolean recurse, int timeToLive,
-      boolean removeIfFound) {
-
-    try {
-      // if recursing, this shouldnt be less than 0
-      if (timeToLive < 0) {
-        throw new IllegalArgumentException("TimeToLive under 0: "
-            + timeToLive + ", " + text);
-      }
-
-      int searchForLength = length(searchFor);
-      boolean done = false;
-      // no need to do anything
-      if (isEmpty(text)) {
-        return text;
-      }
-      // need to write the input to output, later
-      if (searchForLength == 0) {
-        done = true;
-      }
-
-      boolean[] noMoreMatchesForReplIndex = null;
-      int inputIndex = -1;
-      int replaceIndex = -1;
-      long resultPacked = -1;
-
-      if (!done) {
-        // make sure lengths are ok, these need to be equal
-        if (searchForLength != length(replaceWith)) {
-          throw new IndexOutOfBoundsException("Lengths dont match: "
-              + searchForLength + ", " + length(replaceWith));
-        }
-
-        // keep track of which still have matches
-        noMoreMatchesForReplIndex = new boolean[searchForLength];
-
-        // index of replace array that will replace the search string
-        // found
-        
-
-        resultPacked = findNextIndexHelper(searchForLength, searchFor,
-            replaceWith, 
-            noMoreMatchesForReplIndex, text, 0);
-
-        inputIndex = unpackInt(resultPacked, true);
-        replaceIndex = unpackInt(resultPacked, false);
-      }
-
-      // get a good guess on the size of the result buffer so it doesnt
-      // have to double if it
-      // goes over a bit
-      boolean writeToWriter = outWriter != null;
-
-      // no search strings found, we are done
-      if (done || inputIndex == -1) {
-        if (writeToWriter) {
-          outWriter.write(text, 0, text.length());
-          return null;
-        }
-        if (outBuffer != null) {
-          appendSubstring(outBuffer, text, 0, text.length());
-          return null;
-        }
-        return text;
-      }
-
-      // no buffer if writing to writer
-      StringBuffer bufferToWriteTo = outBuffer != null ? outBuffer
-          : (writeToWriter ? null : new StringBuffer(text.length()
-              + replaceStringsBufferIncrease(text, searchFor,
-                  replaceWith)));
-
-      String searchString = null;
-      String replaceString = null;
-
-      int start = 0;
-
-      while (inputIndex != -1) {
-
-        searchString = (String) get(searchFor, replaceIndex);
-        replaceString = (String) get(replaceWith, replaceIndex);
-        if (writeToWriter) {
-          outWriter.write(text, start, inputIndex - start);
-          outWriter.write(replaceString);
-        } else {
-          appendSubstring(bufferToWriteTo, text, start, inputIndex)
-              .append(replaceString);
-        }
-
-        if (removeIfFound) {
-          // better be an iterator based find replace
-          searchFor = remove(searchFor, replaceIndex);
-          replaceWith = remove(replaceWith, replaceIndex);
-          noMoreMatchesForReplIndex = (boolean[])remove(noMoreMatchesForReplIndex, replaceIndex);
-          // we now have a lesser size if we removed one
-          searchForLength--;
-        }
-
-        start = inputIndex + searchString.length();
-
-        resultPacked = findNextIndexHelper(searchForLength, searchFor,
-            replaceWith, 
-            noMoreMatchesForReplIndex, text, start);
-        inputIndex = unpackInt(resultPacked, true);
-        replaceIndex = unpackInt(resultPacked, false);
-      }
-      if (writeToWriter) {
-        outWriter.write(text, start, text.length() - start);
-
-      } else {
-        appendSubstring(bufferToWriteTo, text, start, text.length());
-      }
-
-      // no need to convert to string if incoming buffer or writer
-      if (writeToWriter || outBuffer != null) {
-        if (recurse) {
-          throw new IllegalArgumentException(
-              "Cannot recurse and write to existing buffer or writer!");
-        }
-        return null;
-      }
-      String resultString = bufferToWriteTo.toString();
-
-      if (recurse) {
-        return replaceHelper(outBuffer, outWriter, resultString,
-            searchFor, replaceWith, recurse, timeToLive - 1, false);
-      }
-      // this might be null for writer
-      return resultString;
-    } catch (IOException ioe) {
-      throw new RuntimeException(ioe);
-    }
-  }
-
-  /**
-   * give a best guess on buffer increase for String[] replace get a good
-   * guess on the size of the result buffer so it doesnt have to double if it
-   * goes over a bit
-   * 
-   * @param text
-   * @param repl
-   * @param with
-   * @return the increase, with 20% cap
-   */
-  static int replaceStringsBufferIncrease(String text, Object repl,
-      Object with) {
-    // count the greaters
-    int increase = 0;
-    Iterator iteratorReplace = iterator(repl);
-    Iterator iteratorWith = iterator(with);
-    int replLength = length(repl);
-    String currentRepl = null;
-    String currentWith = null;
-    for (int i = 0; i < replLength; i++) {
-      currentRepl = (String) next(repl, iteratorReplace, i);
-      currentWith = (String) next(with, iteratorWith, i);
-      if (currentRepl == null || currentWith == null) {
-        throw new NullPointerException("Replace string is null: "
-            + text + ", " + currentRepl + ", " + currentWith);
-      }
-      int greater = currentWith.length() - currentRepl.length();
-      increase += greater > 0 ? 3 * greater : 0; // assume 3 matches
-    }
-    // have upper-bound at 20% increase, then let Java take over
-    increase = Math.min(increase, text.length() / 5);
-    return increase;
-  }
-
-  /**
-   * Helper method to find the next match in an array of strings replace
-   * 
-   * @param searchForLength
-   * @param searchFor
-   * @param replaceWith
-   * @param noMoreMatchesForReplIndex
-   * @param input
-   * @param start
-   *            is where to start looking
-   * @return result packed into a long, inputIndex first, then replaceIndex
-   */
-  private static long findNextIndexHelper(int searchForLength,
-      Object searchFor, Object replaceWith, boolean[] noMoreMatchesForReplIndex,
-      String input, int start) {
-
-    int inputIndex = -1;
-    int replaceIndex = -1;
-
-    Iterator iteratorSearchFor = iterator(searchFor);
-    Iterator iteratorReplaceWith = iterator(replaceWith);
-
-    String currentSearchFor = null;
-    String currentReplaceWith = null;
-    int tempIndex = -1;
-    for (int i = 0; i < searchForLength; i++) {
-      currentSearchFor = (String) next(searchFor, iteratorSearchFor, i);
-      currentReplaceWith = (String) next(replaceWith,
-          iteratorReplaceWith, i);
-      if (noMoreMatchesForReplIndex[i] || isEmpty(currentSearchFor)
-          || currentReplaceWith == null) {
-        continue;
-      }
-      tempIndex = input.indexOf(currentSearchFor, start);
-
-      // see if we need to keep searching for this
-      noMoreMatchesForReplIndex[i] = tempIndex == -1;
-
-      if (tempIndex != -1 && (inputIndex == -1 || tempIndex < inputIndex)) {
-        inputIndex = tempIndex;
-        replaceIndex = i;
-      }
-
-    }
-    // dont create an array, no more objects
-    long resultPacked = packInts(inputIndex, replaceIndex);
-    return resultPacked;
-  }
-
-  /**
-   * pack two ints into a long. Note: the first is held in the left bits, the
-   * second is held in the right bits
-   * 
-   * @param first
-   *            is first int
-   * @param second
-   *            is second int
-   * @return the long which has two ints in there
-   */
-  public static long packInts(int first, int second) {
-    long result = first;
-    result <<= 32;
-    result |= second;
-    return result;
-  }
-
-  /**
-   * take a long
-   * 
-   * @param theLong
-   *            to unpack
-   * @param isFirst
-   *            true for first, false for second
-   * @return one of the packed ints, first or second
-   */
-  public static int unpackInt(long theLong, boolean isFirst) {
-
-    int result = 0;
-    // put this in the position of the second one
-    if (isFirst) {
-      theLong >>= 32;
-    }
-    // only look at right part
-    result = (int) (theLong & 0xffffffff);
-    return result;
-  }
-
-  /**
-   * append a substring to a stringbuffer. removes dependency on substring
-   * which creates objects
-   * 
-   * @param buf
-   *            stringbuffer
-   * @param string
-   *            source string
-   * @param start
-   *            start index of source string
-   * @param end
-   *            end index of source string
-   * @return the string buffer for chaining
-   */
-  private static StringBuffer appendSubstring(StringBuffer buf,
-      String string, int start, int end) {
-    for (int i = start; i < end; i++) {
-      buf.append(string.charAt(i));
-    }
-    return buf;
-  }
-
-  /**
-   * Get a specific index of an array or collection (note for collections and
-   * iterating, it is more efficient to get an iterator and iterate
-   * 
-   * @param arrayOrCollection the array, List, or Collection
-   * @param index the index of the desired object
-   * @return the object at that index
-   */
-  public static Object get(Object arrayOrCollection, int index) {
-
-    if (arrayOrCollection == null) {
-      if (index == 0) {
-        return null;
-      }
-      throw new RuntimeException("Trying to access index " + index
-          + " of null");
-    }
-
-    // no need to iterator on list (e.g. FastProxyList has no iterator
-    if (arrayOrCollection instanceof List) {
-      return ((List) arrayOrCollection).get(index);
-    }
-    if (arrayOrCollection instanceof Collection) {
-      Iterator iterator = iterator(arrayOrCollection);
-      for (int i = 0; i < index; i++) {
-        next(arrayOrCollection, iterator, i);
-      }
-      return next(arrayOrCollection, iterator, index);
-    }
-
-    if (arrayOrCollection.getClass().isArray()) {
-      return Array.get(arrayOrCollection, index);
-    }
-
-    if (index == 0) {
-      return arrayOrCollection;
-    }
-
-    throw new RuntimeException("Trying to access index " + index
-        + " of and object: " + arrayOrCollection);
-  }
-
-
-  
-  /**
-   * fail safe toString for Exception blocks, and include the stack
-   * if there is a problem with toString()
-   * @param object object to convert to human-readable string.
-   * @return the toStringSafe string
-   */
-  @SuppressWarnings("unchecked")
-  public static String toStringSafe(Object object) {
-    if (object == null) {
-      return null;
-    }
-    
-    try {
-      //give size and type if collection
-      if (object instanceof Collection) {
-        Collection<Object> collection = (Collection<Object>) object;
-        int collectionSize = collection.size();
-        if (collectionSize == 0) {
-          return "Empty " + object.getClass().getSimpleName();
-        }
-        Object first = collection.iterator().next();
-        return object.getClass().getSimpleName() + " of size " 
-          + collectionSize + " with first type: " + 
-          (first == null ? null : first.getClass());
-      }
-    
-      return object.toString();
-    } catch (Exception e) {
-      return "<<exception>> " + object.getClass() + ":\n" + getFullStackTrace(e) + "\n";
-    }
-  }
-
-  /**
-   * get the boolean value for an object, cant be null or blank
-   * 
-   * @param object object to convert to a boolean.  Supports string values of "true", "t", "yes" and "y" as true.
-   * @return the boolean
-   */
-  public static boolean booleanValue(Object object) {
-    // first handle blanks
-    if (nullOrBlank(object)) {
-      throw new RuntimeException(
-          "Expecting something which can be converted to boolean, but is null or blank: '"
-              + object + "'");
-    }
-    // its not blank, just convert
-    if (object instanceof Boolean) {
-      return (Boolean) object;
-    }
-    if (object instanceof String) {
-      String string = (String) object;
-      if (equalsIgnoreCase(string, "true")
-          || equalsIgnoreCase(string, "t")
-          || equalsIgnoreCase(string, "yes")
-          || equalsIgnoreCase(string, "y")) {
-        return true;
-      }
-      if (equalsIgnoreCase(string, "false")
-          || equalsIgnoreCase(string, "f")
-          || equalsIgnoreCase(string, "no")
-          || equalsIgnoreCase(string, "n")) {
-        return false;
-      }
-      throw new RuntimeException(
-          "Invalid string to boolean conversion: '" + string
-              + "' expecting true|false or t|f or yes|no or y|n case insensitive");
-  
-    }
-    throw new RuntimeException("Cant convert object to boolean: "
-        + object.getClass());
-  
-  }
-
-  /**
-   * get the boolean value for an object
-   * 
-   * @param object object to convert to a boolean
-   * @param defaultBoolean
-   *            if object is null or empty
-   * @return the boolean
-   */
-  public static boolean booleanValue(Object object, boolean defaultBoolean) {
-    if (nullOrBlank(object)) {
-      return defaultBoolean;
-    }
-    return booleanValue(object);
-  }
-
-  /**
-   * get the Boolean value for an object
-   * 
-   * @param object object to convert to a boolean
-   * @return the Boolean or null if null or empty
-   */
-  public static Boolean booleanObjectValue(Object object) {
-    if (nullOrBlank(object)) {
-      return null;
-    }
-    return booleanValue(object);
-  }
-
-  /**
-   * is an object null or blank
-   * 
-   * @param object object to test for null or String to test for blank
-   * @return true if null or blank
-   */
-  public static boolean nullOrBlank(Object object) {
-    // first handle blanks and nulls
-    if (object == null) {
-      return true;
-    }
-    if (object instanceof String && isBlank(((String) object))) {
-      return true;
-    }
-    return false;
-  
-  }
-
-  /**
-   * get a getter method object for a class, potentially in superclasses
-   * @param theClass the class
-   * @param fieldName the field name
-   * @param callOnSupers true if superclasses should be looked in for the getter
-   * @param throwExceptionIfNotFound will throw runtime exception if not found
-   * @return the getter object or null if not found (or exception if param is set)
-   */
-  public static Method getter(Class theClass, String fieldName, boolean callOnSupers, 
-      boolean throwExceptionIfNotFound) {
-    String getterName = getterNameFromPropertyName(fieldName);
-    return getterHelper(theClass, fieldName, getterName, callOnSupers, throwExceptionIfNotFound);
-  }
-
-  /**
-   * get a setter method object for a class, potentially in superclasses
-   * @param theClass the class
-   * @param fieldName the field name
-   * @param getterName name of setter
-   * @param callOnSupers true if superclasses should be looked in for the setter
-   * @param throwExceptionIfNotFound will throw runtime exception if not found
-   * @return the setter object or null if not found (or exception if param is set)
-   */
-  public static Method getterHelper(Class theClass, String fieldName, String getterName, 
-      boolean callOnSupers, boolean throwExceptionIfNotFound) {
-    Method[] methods = retrieveDeclaredMethods(theClass);
-    if (methods != null) {
-      for (Method method : methods) {
-        if (equals(getterName, method.getName()) && isGetter(method)) {
-          return method;
-        }
-      }
-    }
-    //if method not found
-    //if traversing up, and not Object, and not instance method
-    if (callOnSupers && !theClass.equals(Object.class)) {
-      return getterHelper(theClass.getSuperclass(), fieldName, getterName, 
-          callOnSupers, throwExceptionIfNotFound);
-    }
-    //maybe throw an exception
-    if (throwExceptionIfNotFound) {
-      throw new RuntimeException("Cant find getter: "
-          + getterName + ", in: " + theClass
-          + ", callOnSupers: " + callOnSupers);
-    }
-    return null;
-  }
-
-  /**
-   * generate getFoo from foo
-   * @param propertyName the property name such as "foo" for which to generate method name "getFoo"
-   * @return the getter method name
-   */
-  public static String getterNameFromPropertyName(String propertyName) {
-    return "get" + capitalize(propertyName);
-  }
-
-  /**
-   * get all getters from a class, including superclasses (if specified) (up to and including the specified superclass).  
-   * ignore a certain marker annotation, or only include it.
-   * Dont get static or final getters, and get getters of all types
-   * @param theClass to look for fields in
-   * @param superclassToStopAt to go up to or null to go up to Object
-   * @param markerAnnotation if this is not null, then if the field has this annotation, then do not
-   * include in list (if includeAnnotation is false)
-   * @param includeAnnotation true if the attribute should be included if annotation is present, false if exclude
-   * @return the set of field names or empty set if none
-   */
-  @SuppressWarnings("unchecked")
-  public static Set<Method> getters(Class theClass, Class superclassToStopAt,
-      Class<? extends Annotation> markerAnnotation, Boolean includeAnnotation) {
-    return gettersHelper(theClass, superclassToStopAt, null, true, 
-        markerAnnotation, includeAnnotation);
-  }
-
-  /**
-   * get all getters from a class, including superclasses (if specified)
-   * @param theClass to look for fields in
-   * @param superclassToStopAt to go up to or null to go up to Object
-   * @param fieldType is the type of the field to get
-   * @param includeSuperclassToStopAt if we should include the superclass
-   * @param markerAnnotation if this is not null, then if the field has this annotation, then do not
-   * include in list (if includeAnnotation is false)
-   * @param includeAnnotation true if the attribute should be included if annotation is present, false if exclude
-   * @return the set of fields (wont return null)
-   */
-  @SuppressWarnings("unchecked")
-  static Set<Method> gettersHelper(Class theClass, Class superclassToStopAt, Class<?> fieldType,
-      boolean includeSuperclassToStopAt, 
-      Class<? extends Annotation> markerAnnotation, Boolean includeAnnotation) {
-    //MAKE SURE IF ANY MORE PARAMS ARE ADDED, THE CACHE KEY IS CHANGED!
-    
-    Set<Method> getterSet = null;
-    String cacheKey = theClass + CACHE_SEPARATOR + superclassToStopAt + CACHE_SEPARATOR + fieldType + CACHE_SEPARATOR
-      + includeSuperclassToStopAt + CACHE_SEPARATOR + markerAnnotation + CACHE_SEPARATOR + includeAnnotation;
-    getterSet = getterSetCache().get(cacheKey);
-    if (getterSet != null) {
-      return getterSet;
-    }
-    
-    getterSet = new LinkedHashSet<Method>();
-    gettersHelper(theClass, superclassToStopAt, fieldType, includeSuperclassToStopAt, 
-        markerAnnotation, getterSet, includeAnnotation);
-  
-    //add to cache
-    getterSetCache().put(cacheKey, getterSet);
-    
-    return getterSet;
-    
-  }
-
-  /**
-   * get all getters from a class, including superclasses (if specified)
-   * @param theClass to look for fields in
-   * @param superclassToStopAt to go up to or null to go up to Object
-   * @param propertyType is the type of the field to get
-   * @param includeSuperclassToStopAt if we should include the superclass
-   * @param markerAnnotation if this is not null, then if the field has this annotation, then do not
-   * include in list
-   * @param getterSet set to add fields to
-   * @param includeAnnotation if include or exclude
-   */
-  @SuppressWarnings("unchecked")
-  private static void gettersHelper(Class theClass, Class superclassToStopAt, Class<?> propertyType,
-      boolean includeSuperclassToStopAt,  
-      Class<? extends Annotation> markerAnnotation, Set<Method> getterSet, Boolean includeAnnotation) {
-
-    Method[] methods = retrieveDeclaredMethods(theClass);
-    if (length(methods) != 0) {
-      for (Method method: methods) {
-        //must be a getter
-        if (!isGetter(method)) {
-          continue;
-        }
-        //if checking for annotation
-        if (markerAnnotation != null
-            && (includeAnnotation != method.isAnnotationPresent(markerAnnotation))) {
-          continue;
-        }
-        //if checking for type, and not right type, continue
-        if (propertyType != null && !propertyType.isAssignableFrom(method.getReturnType())) {
-          continue;
-        }
-        
-        //go for it
-        getterSet.add(method);
-      }
-    }
-    //see if done recursing (if superclassToStopAt is null, then stop at Object
-    if (theClass.equals(superclassToStopAt) || theClass.equals(Object.class)) {
-      return;
-    }
-    Class superclass = theClass.getSuperclass();
-    if (!includeSuperclassToStopAt && superclass.equals(superclassToStopAt)) {
-      return;
-    }
-    //recurse
-    gettersHelper(superclass, superclassToStopAt, propertyType, 
-        includeSuperclassToStopAt, markerAnnotation, getterSet,
-        includeAnnotation);
-  }
-
-  /**
-   * if the method name starts with get, and takes no args, and returns something, 
-   * then getter
-   * @param method the method to check for "getter" semantics, such as starting with "get" or "is"
-   * @return true if method name starts with "get" or "is", is not static, is not void return type, and does not take arguments
-   */
-  public static boolean isGetter(Method method) {
-    
-    //must start with get
-    String methodName = method.getName();
-    if (!methodName.startsWith("get") && !methodName.startsWith("is")) {
-      return false;
-    }
-  
-    //must not be void
-    if (method.getReturnType() == Void.TYPE) {
-      return false;
-    }
-    
-    //must not take args
-    if (length(method.getParameterTypes()) != 0) {
-      return false;
-    }
-    
-    //must not be static
-    if (Modifier.isStatic(method.getModifiers())) {
-      return false;
-    }
-    
-    return true;
-  }
-
-  /**
-   * assign data to a setter.  Will find the field in superclasses, will typecast, 
-   * and will override security (private, protected, etc)
-   * @param invokeOn to call on or null for static
-   * @param fieldName method name to call
-   * @param dataToAssign data  
-   * @param typeCast will typecast if true
-   * @throws RuntimeException if not there
-   */
-  public static void assignSetter(Object invokeOn, 
-      String fieldName, Object dataToAssign, boolean typeCast) {
-    Class invokeOnClass = invokeOn.getClass();
-    try {
-      Method setter = setter(invokeOnClass, fieldName, true, true);
-      setter.setAccessible(true);
-      if (typeCast) {
-        dataToAssign = typeCast(dataToAssign, setter.getParameterTypes()[0]);
-      }
-      setter.invoke(invokeOn, new Object[]{dataToAssign});
-    } catch (Exception e) {
-      throw new RuntimeException("Problem assigning setter: " + fieldName
-          + " on class: " + invokeOnClass + ", type of data is: " + className(dataToAssign), e);
-    }
-  }
-
-  /**
-   * Test for setter method.
-   * @param method the method to test for being a setter
-   * @return true if the method starts with "set", has a void return type,
-   *         is not static, and takes only one argument.
-   */
-  public static boolean isSetter(Method method) {
-    
-    //must start with set
-    if (!method.getName().startsWith("set")) {
-      return false;
-    }
-  
-    //must be void
-    if (method.getReturnType() != Void.TYPE) {
-      return false;
-    }
-    
-    //must take one arg
-    if (length(method.getParameterTypes()) != 1) {
-      return false;
-    }
-    
-    //must not be static
-    if (Modifier.isStatic(method.getModifiers())) {
-      return false;
-    }
-    
-    return true;
-  }
-
-  /**
-   * get a setter method object for a class, potentially in superclasses
-   * @param theClass the class
-   * @param fieldName the field name
-   * @param callOnSupers true if superclasses should be looked in for the setter
-   * @param throwExceptionIfNotFound will throw runtime exception if not found
-   * @return the setter object or null if not found (or exception if param is set)
-   */
-  public static Method setter(Class theClass, String fieldName, boolean callOnSupers, 
-      boolean throwExceptionIfNotFound) {
-    String setterName = setterNameFromPropertyName(fieldName);
-    return setterHelper(theClass, fieldName, setterName, callOnSupers, throwExceptionIfNotFound);
-  }
-
-  /**
-   * get a setter method object for a class, potentially in superclasses
-   * @param theClass the class
-   * @param fieldName the field name 
-   * @param setterName name of setter
-   * @param callOnSupers true if superclasses should be looked in for the setter
-   * @param throwExceptionIfNotFound will throw runtime exception if not found
-   * @return the setter object or null if not found (or exception if param is set)
-   */
-  public static Method setterHelper(Class theClass, String fieldName, String setterName, 
-      boolean callOnSupers, boolean throwExceptionIfNotFound) {
-    Method[] methods = retrieveDeclaredMethods(theClass);
-    if (methods != null) {
-      for (Method method : methods) {
-        if (equals(setterName, method.getName()) && isSetter(method)) {
-          return method;
-        }
-      }
-    }
-    //if method not found
-    //if traversing up, and not Object, and not instance method
-    if (callOnSupers && !theClass.equals(Object.class)) {
-      return setterHelper(theClass.getSuperclass(), fieldName, setterName, 
-          callOnSupers, throwExceptionIfNotFound);
-    }
-    //maybe throw an exception
-    if (throwExceptionIfNotFound) {
-      throw new RuntimeException("Cant find setter: "
-          + setterName + ", in: " + theClass
-          + ", callOnSupers: " + callOnSupers);
-    }
-    return null;
-  }
-
-  /**
-   * generate setFoo from foo
-   * @param propertyName the property such as "foo"
-   * @return the setter method name such as "setFoo" 
-   */
-  public static String setterNameFromPropertyName(String propertyName) {
-    return "set" + capitalize(propertyName);
-  }
-
-  /**
-   * get all setters from a class, including superclasses (if specified)
-   * @param theClass to look for fields in
-   * @param superclassToStopAt to go up to or null to go up to Object
-   * @param fieldType is the type of the field to get
-   * @param includeSuperclassToStopAt if we should include the superclass
-   * @param markerAnnotation if this is not null, then if the field has this annotation, then do not
-   * include in list (if includeAnnotation is false)
-   * @param includeAnnotation true if the attribute should be included if annotation is present, false if exclude
-   * @return the set of fields (wont return null)
-   */
-  @SuppressWarnings("unchecked")
-  public static Set<Method> setters(Class theClass, Class superclassToStopAt, Class<?> fieldType,
-      boolean includeSuperclassToStopAt, 
-      Class<? extends Annotation> markerAnnotation, boolean includeAnnotation) {
-    return settersHelper(theClass, superclassToStopAt, fieldType, 
-        includeSuperclassToStopAt, markerAnnotation, includeAnnotation);
-  }
-
-  /**
-   * get all setters from a class, including superclasses (if specified)
-   * @param theClass to look for fields in
-   * @param superclassToStopAt to go up to or null to go up to Object
-   * @param fieldType is the type of the field to get
-   * @param includeSuperclassToStopAt if we should include the superclass
-   * @param markerAnnotation if this is not null, then if the field has this annotation, then do not
-   * include in list (if includeAnnotation is false)
-   * @param includeAnnotation true if the attribute should be included if annotation is present, false if exclude
-   * @return the set of fields (wont return null)
-   */
-  @SuppressWarnings("unchecked")
-  static Set<Method> settersHelper(Class theClass, Class superclassToStopAt, Class<?> fieldType,
-      boolean includeSuperclassToStopAt, 
-      Class<? extends Annotation> markerAnnotation, boolean includeAnnotation) {
-    //MAKE SURE IF ANY MORE PARAMS ARE ADDED, THE CACHE KEY IS CHANGED!
-    
-    Set<Method> setterSet = null;
-    String cacheKey = theClass + CACHE_SEPARATOR + superclassToStopAt + CACHE_SEPARATOR + fieldType + CACHE_SEPARATOR
-      + includeSuperclassToStopAt + CACHE_SEPARATOR + markerAnnotation + CACHE_SEPARATOR + includeAnnotation;
-    setterSet = setterSetCache().get(cacheKey);
-    if (setterSet != null) {
-      return setterSet;
-    }
-    
-    setterSet = new LinkedHashSet<Method>();
-    settersHelper(theClass, superclassToStopAt, fieldType, includeSuperclassToStopAt, 
-        markerAnnotation, setterSet, includeAnnotation);
-  
-    //add to cache
-    setterSetCache().put(cacheKey, setterSet);
-    
-    return setterSet;
-    
-  }
-
-  /**
-   * get all setters from a class, including superclasses (if specified)
-   * @param theClass to look for fields in
-   * @param superclassToStopAt to go up to or null to go up to Object
-   * @param propertyType is the type of the field to get
-   * @param includeSuperclassToStopAt if we should include the superclass
-   * @param markerAnnotation if this is not null, then if the field has this annotation, then do not
-   * include in list
-   * @param setterSet set to add fields to
-   * @param includeAnnotation if include or exclude (or null if not looking for annotations)
-   */
-  @SuppressWarnings("unchecked")
-  private static void settersHelper(Class theClass, Class superclassToStopAt, Class<?> propertyType,
-      boolean includeSuperclassToStopAt,  
-      Class<? extends Annotation> markerAnnotation, Set<Method> setterSet, Boolean includeAnnotation) {
-
-    Method[] methods = retrieveDeclaredMethods(theClass);
-    if (length(methods) != 0) {
-      for (Method method: methods) {
-        //must be a getter
-        if (!isSetter(method)) {
-          continue;
-        }
-        //if checking for annotation
-        if (markerAnnotation != null
-            && (includeAnnotation != method.isAnnotationPresent(markerAnnotation))) {
-          continue;
-        }
-        //if checking for type, and not right type, continue
-        if (propertyType != null && !propertyType.isAssignableFrom(method.getParameterTypes()[0])) {
-          continue;
-        }
-        
-        //go for it
-        setterSet.add(method);
-      }
-    }
-    //see if done recursing (if superclassToStopAt is null, then stop at Object
-    if (theClass.equals(superclassToStopAt) || theClass.equals(Object.class)) {
-      return;
-    }
-    Class superclass = theClass.getSuperclass();
-    if (!includeSuperclassToStopAt && superclass.equals(superclassToStopAt)) {
-      return;
-    }
-    //recurse
-    settersHelper(superclass, superclassToStopAt, propertyType, 
-        includeSuperclassToStopAt, markerAnnotation, setterSet,
-        includeAnnotation);
-  }
-
-  /**
-   * If this is a getter or setter, then get the property name
-   * @param method a method with name like "getFoo," "setFoo," or "isFoo."
-   * @return the property name inferred from the method name.  For example, "getFoo" returns "foo."
-   */
-  public static String propertyName(Method method) {
-    String methodName = method.getName();
-    boolean isGetter = methodName.startsWith("get");
-    boolean isSetter = methodName.startsWith("set");
-    boolean isIsser = methodName.startsWith("is");
-    int expectedLength = isIsser ? 2 : 3; 
-    int length = methodName.length();
-    if ((!(isGetter || isSetter || isIsser)) || (length <= expectedLength)) {
-      throw new RuntimeException("Not a getter or setter: " + methodName);
-    }
-    char fourthCharLower = Character.toLowerCase(methodName.charAt(expectedLength));
-    //if size 4, then return the string
-    if (length == expectedLength +1) {
-      return Character.toString(fourthCharLower);
-    }
-    //return the lower appended with the rest
-    return fourthCharLower + methodName.substring(expectedLength+1, length);
-  }
-
-  /**
-   * use reflection to get a property type based on getter or setter or field
-   * @param theClass the class
-   * @param propertyName the property name
-   * @return the property type
-   */
-  public static Class propertyType(Class theClass, String propertyName) {
-    Method method = getter(theClass, propertyName, true, false);
-    if (method != null) {
-      return method.getReturnType();
-    }
-    //use setter
-    method = setter(theClass, propertyName, true, false);
-    if (method != null) {
-      return method.getParameterTypes()[0];
-    }
-    //no setter or getter, use field
-    Field field = field(theClass, propertyName, true, true);
-    return field.getType();
-  }
-
-  /**
-   * If necessary, convert an object to another type.  if type is Object.class, just return the input.
-   * Do not convert null to an empty primitive
-   * @param <T> is template type
-   * @param value The object to cast
-   * @param theClass the type of class to cast to
-   * @return the object of that instance converted into something else
-   */
-  public static <T> T typeCast(Object value, Class<T> theClass) {
-    //default behavior is not to convert null to empty primitive
-    return typeCast(value, theClass, false, false);
-  }
-
-  /**
-   * <pre>
-   * make a new file in the name prefix dir.  If parent dir name is c:\temp
-   * and namePrefix is grouperDdl and nameSuffix is sql, then the file will be:
-   * 
-   * c:\temp\grouperDdl_20080721_13_45_43_123.sql
-   *  
-   * If the file exists, it will make a new filename, and create the empty file, and return it
-   * </pre>
-   *  
-   * @param parentDirName can be blank for current dir
-   * @param namePrefix the part before the date part
-   * @param nameSuffix the last part of file name (can contain dot or will be the extension
-   * @param createFile true to create the file
-   * @return the created file
-   */
-  public static File newFileUniqueName(String parentDirName, String namePrefix, String nameSuffix, boolean createFile) {
-    DateFormat fileNameFormat = new SimpleDateFormat("yyyyMMdd_HH_mm_ss_SSS");
-    if (!isBlank(parentDirName)) {
-
-      if (!parentDirName.endsWith("/") && !parentDirName.endsWith("\\")) {
-        parentDirName += File.separator;
-      }
-      
-      //make sure it exists and is a dir
-      File parentDir = new File(parentDirName);
-      if (!parentDir.exists()) {
-        if (!parentDir.mkdirs()) {
-          throw new RuntimeException("Cant make dir: " + parentDir.getAbsolutePath());
-        }
-      } else {
-        if (!parentDir.isDirectory()) {
-          throw new RuntimeException("Parent dir is not a directory: " + parentDir.getAbsolutePath());
-        } 
-      }
-      
-    } else {
-      //make it empty string so it will concatenate well
-      parentDirName = "";
-    }
-    //make sure suffix has a dot in it
-    if (!nameSuffix.contains(".")) {
-      nameSuffix = "." + nameSuffix;
-    }
-    
-    String fileName = parentDirName + namePrefix + "_" + fileNameFormat.format(new Date()) + nameSuffix;
-    int dotLocation = fileName.lastIndexOf('.');
-    String fileNamePre = fileName.substring(0,dotLocation);
-    String fileNamePost = fileName.substring(dotLocation);
-    File theFile = new File(fileName);
-
-    int i;
-    
-    for (i=0;i<1000;i++) {
-      
-      if (!theFile.exists()) {
-        break;
-      }
-      
-      fileName = fileNamePre + "_" + i + fileNamePost;
-      theFile = new File(fileName);
-      
-    }
-    
-    if (i>=1000) {
-      throw new RuntimeException("Cant find filename to create: " + fileName);
-    }
-    
-    if (createFile) {
-      try {
-        if (!theFile.createNewFile()) {
-          throw new RuntimeException("Cant create file, it returned false");
-        }
-      } catch (Exception e) {
-        throw new RuntimeException("Cant create file: " + fileName + ", make sure " +
-            "permissions and such are ok, or change file location in grouper.properties if applicable", e);
-      }
-    }
-    return theFile;
-  }
-  
-  /**
-   * <pre>
-   * Convert an object to a java.util.Date.  allows, dates, null, blank, 
-   * yyyymmdd or yyyymmdd hh24:mm:ss
-   * or yyyy/MM/dd HH:mm:ss.SSS
-   * </pre>
-   * @param inputObject
-   *          is the String or Date to convert
-   * 
-   * @return the Date
-   */
-  public static Date dateValue(Object inputObject) {
-    if (inputObject == null) {
-      return null;
-    } 
-
-    if (inputObject instanceof java.util.Date) {
-      return (Date)inputObject;
-    }
-
-    if (inputObject instanceof String) {
-      String input = (String)inputObject;
-      //trim and handle null and empty
-      if (isBlank(input)) {
-        return null;
-      }
-
-      try {
-        if (input.length() == 8) {
-          
-          return dateFormat().parse(input);
-        }
-        if (!contains(input, '.')) {
-          if (contains(input, '/')) {
-            return dateMinutesSecondsFormat.parse(input);
-          }
-          //else no slash
-          return dateMinutesSecondsNoSlashFormat.parse(input);
-        }
-        if (contains(input, '/')) {
-          //see if the period is 6 back
-          int lastDotIndex = input.lastIndexOf('.');
-          if (lastDotIndex == input.length() - 7) {
-            String nonNanoInput = input.substring(0,input.length()-3);
-            Date date = timestampFormat.parse(nonNanoInput);
-            //get the last 3
-            String lastThree = input.substring(input.length()-3,input.length());
-            int lastThreeInt = Integer.parseInt(lastThree);
-            Timestamp timestamp = new Timestamp(date.getTime());
-            timestamp.setNanos(timestamp.getNanos() + (lastThreeInt * 1000));
-            return timestamp;
-          }
-          return timestampFormat.parse(input);
-        }
-        //else no slash
-        return timestampNoSlashFormat.parse(input);
-      } catch (ParseException pe) {
-        throw new RuntimeException(errorStart + toStringForLog(input));
-      }
-    }
-    
-    throw new RuntimeException("Cannot convert Object to date : " + toStringForLog(inputObject));
-  }
-
-  /**
-   * See if the input is null or if string, if it is empty or blank (whitespace)
-   * @param input object to test for null or String to check for blank
-   * @return true if null or blank string
-   */
-  public static boolean isBlank(Object input) {
-    if (null == input) {
-      return true;
-    }
-    return (input instanceof String && isBlank((String)input));
-  }
-
-  /**
-   * If necessary, convert an object to another type.  if type is Object.class, just return the input
-   * @param <T> is the type to return
-   * @param value The object to cast
-   * @param theClass The desired cast class type
-   * @param convertNullToDefaultPrimitive if the value is null, and theClass is primitive, should we
-   * convert the null to a primitive default value
-   * @param useNewInstanceHooks if theClass is not recognized, then honor the string "null", "newInstance",
-   * or get a constructor with one param, and call it
-   * @return the object of that instance converted into something else
-   */
-  @SuppressWarnings({ "unchecked", "cast" })
-  public static <T> T typeCast(Object value, Class<T> theClass, 
-      boolean convertNullToDefaultPrimitive, boolean useNewInstanceHooks) {
-    
-    if (Object.class.equals(theClass)) {
-      return (T)value;
-    }
-    
-    if (value==null) {
-      if (convertNullToDefaultPrimitive && theClass.isPrimitive()) {
-        if ( theClass == boolean.class ) {
-          return (T)Boolean.FALSE;
-        }
-        if ( theClass == char.class ) {
-          return (T)(Object)0;
-        }
-        //convert 0 to the type
-        return typeCast(0, theClass, false, false);
-      }
-      return null;
-    }
-  
-    if (theClass.isInstance(value)) {
-      return (T)value;
-    }
-    
-    //if array, get the base class
-    if (theClass.isArray() && theClass.getComponentType() != null) {
-      theClass = (Class<T>)theClass.getComponentType();
-    }
-    Object resultValue = null;
-    //loop through and see the primitive types etc
-    if (theClass.equals(Date.class)) {
-      resultValue = dateValue(value);
-    } else if (theClass.equals(String.class)) {
-      resultValue = stringValue(value);
-    } else if (theClass.equals(Timestamp.class)) {
-      resultValue = toTimestamp(value);
-    } else if (theClass.equals(Boolean.class) || theClass.equals(boolean.class)) {
-      resultValue = booleanObjectValue(value);
-    } else if (theClass.equals(Integer.class) || theClass.equals(int.class)) {
-      resultValue = intObjectValue(value, true);
-    } else if (theClass.equals(Double.class) || theClass.equals(double.class)) {
-      resultValue = doubleObjectValue(value, true);
-    } else if (theClass.equals(Float.class) || theClass.equals(float.class)) {
-      resultValue = floatObjectValue(value, true);
-    } else if (theClass.equals(Long.class) || theClass.equals(long.class)) {
-      resultValue = longObjectValue(value, true);
-    } else if (theClass.equals(Byte.class) || theClass.equals(byte.class)) {
-      resultValue = byteObjectValue(value);
-    } else if (theClass.equals(Character.class) || theClass.equals(char.class)) {
-      resultValue = charObjectValue(value);
-    } else if (theClass.equals(Short.class) || theClass.equals(short.class)) {
-      resultValue = shortObjectValue(value);
-    } else if ( theClass.isEnum() && (value instanceof String) ) {
-      resultValue = Enum.valueOf((Class)theClass, (String) value);
-    } else if ( theClass.equals(Class.class) && (value instanceof String) ) {
-      resultValue = forName((String)value);
-    } else if (useNewInstanceHooks && value instanceof String) {
-      String stringValue = (String)value;
-      if ( equals("null", stringValue)) {
-        resultValue = null;
-      } else if (equals("newInstance", stringValue)) {
-        resultValue = newInstance(theClass);
-      } else { // instantiate using string
-        //note, we could typecast this to fit whatever is there... right now this is used for annotation
-        try {
-          Constructor constructor = theClass.getConstructor(new Class[] {String.class} );
-          resultValue = constructor.newInstance(new Object[] {stringValue} );            
-        } catch (Exception e) {
-          throw new RuntimeException("Cant find constructor with string for class: " + theClass);
-        }
-      }
-    } else {
-      throw new RuntimeException("Cannot convert from type: " + value.getClass() + " to type: " + theClass);
-    }
-  
-    return (T)resultValue;
-  }
-  
-  /**
-   * see if a class is a scalar (not bean, not array or list, etc)
-   * @param type the type to check
-   * @return true if scalar
-   */
-  public static boolean isScalar(Class<?> type) {
-    
-    if (type.isArray()) {
-      return false;
-    }
-    
-    //definitely all primitives
-    if (type.isPrimitive()) {
-      return true;
-    }
-    //Integer, Float, etc
-    if (Number.class.isAssignableFrom(type)) {
-      return true;
-    }
-    //Date, Timestamp
-    if (Date.class.isAssignableFrom(type)) {
-      return true;
-    }
-    if (Character.class.equals(type)) {
-      return true;
-    }
-    //handles strings and string builders
-    if (CharSequence.class.equals(type) || CharSequence.class.isAssignableFrom(type)) {
-      return true;
-    }
-    if (Class.class == type || Boolean.class == type || type.isEnum()) {
-      return true;
-    }
-    //appears not to be a scalar
-    return false;
-  }
-  
-  
-  /**
-   * <pre>
-   * Convert a string or object to a timestamp (could be string, date, timestamp, etc)
-   * yyyymmdd
-   * or
-   * yyyy/MM/dd HH:mm:ss
-   * or
-   * yyyy/MM/dd HH:mm:ss.SSS
-   * or
-   * yyyy/MM/dd HH:mm:ss.SSSSSS
-   * 
-   * </pre>
-   * 
-   * @param input a String, java.sql.Timestamp, or java.sql.Date
-   * @return the timestamp 
-   * @throws RuntimeException if invalid format
-   */
-  public static Timestamp toTimestamp(Object input) {
-
-    if (null == input) {
-      return null;
-    } else if (input instanceof java.sql.Timestamp) {
-      return (Timestamp) input;
-    } else if (input instanceof String) {
-      return stringToTimestamp((String) input);
-    } else if (input instanceof Date) {
-      return new Timestamp(((Date)input).getTime());
-    } else if (input instanceof java.sql.Date) {
-      return new Timestamp(((java.sql.Date)input).getTime());
-    } else {
-      throw new RuntimeException("Cannot convert Object to timestamp : " + input);
-    }
-
-  }
-
-  /**
-   * convert an object to a string
-   * 
-   * @param input
-   *          is the object to convert, such as a Timestamp, Date, or Number.
-   * 
-   * @return the String conversion of the object
-   */
-  public static String stringValue(Object input) {
-    //this isnt needed
-    if (input == null) {
-      return (String) input;
-    }
-
-    if (input instanceof Timestamp) {
-      //convert to yyyy/MM/dd HH:mm:ss.SSS
-      return timestampToString((Timestamp) input);
-    }
-
-    if (input instanceof Date) {
-      //convert to yyyymmdd
-      return stringValue((Date) input);
-    }
-
-    if (input instanceof Number) {
-      DecimalFormat decimalFormat = new DecimalFormat(
-          "###################.###############");
-      return decimalFormat.format(((Number) input).doubleValue());
-
-    }
-
-    return input.toString();
-  }
-
-  /**
-   * Convert a timestamp into a string: yyyy/MM/dd HH:mm:ss.SSS
-   * @param timestamp Date object to be formatted as a string
-   * @return the string representation
-   */
-  public synchronized static String timestampToString(Date timestamp) {
-    if (timestamp == null) {
-      return null;
-    }
-    return timestampFormat.format(timestamp);
-  }
-
-  /**
-   * get the timestamp format for this thread
-   * if you call this make sure to synchronize on FastDateUtils.class
-   * @return the timestamp format
-   */
-  synchronized static SimpleDateFormat dateFormat() {
-    return dateFormat;
-  }
-
-  /**
-   * convert a date to the standard string yyyymmdd
-   * @param date the date to format
-   * @return the string value
-   */
-  public static String stringValue(java.util.Date date) {
-    synchronized (ConfigPropertiesCascadeCommonUtils.class) {
-      if (date == null) {
-        return null;
-      }
-  
-      String theString = dateFormat().format(date);
-  
-      return theString;
-    }
-  }
-
-  /**
-   * convert a string to timestamp based on the following formats:
-   * <pre>
-   * yyyyMMdd
-   * yyyy/MM/dd HH:mm:ss
-   * yyyy/MM/dd HH:mm:ss.SSS
-   * yyyy/MM/dd HH:mm:ss.SSSSSS
-   * </pre>
-   * @param input the string to be converted into a Timestamp
-   * @return the timestamp object
-   * @see #stringToTimestampHelper(String)
-   */
-  public static Timestamp stringToTimestamp(String input) {
-    Date date = stringToTimestampHelper(input);
-    if (date == null) {
-      return null;
-    }
-    //maybe already a timestamp
-    if (date instanceof Timestamp) {
-      return (Timestamp)date; 
-    }
-    return new Timestamp(date.getTime());
-  }
-
-  /**
-   * return a date based on input, null safe.  Allow any of the three 
-   * formats:
-   * <pre>
-   * yyyyMMdd
-   * yyyy/MM/dd HH:mm:ss
-   * yyyy/MM/dd HH:mm:ss.SSS
-   * yyyy/MM/dd HH:mm:ss.SSSSSS
-   * </pre>
-   * 
-   * @param input The string to be converted into a Date
-   * @return a Date parsed from the input string
-   */
-  synchronized static Date stringToTimestampHelper(String input) {
-    //trim and handle null and empty
-    if (isBlank(input)) {
-      return null;
-    }
-  
-    try {
-      //convert mainframe
-      if (equals("99999999", input)
-          || equals("999999", input)) {
-        input = "20991231";
-      }
-      if (input.length() == 8) {
-        
-        return dateFormat().parse(input);
-      }
-      if (!contains(input, '.')) {
-        if (contains(input, '/')) {
-          return dateMinutesSecondsFormat.parse(input);
-        }
-        //else no slash
-        return dateMinutesSecondsNoSlashFormat.parse(input);
-      }
-      if (contains(input, '/')) {
-        //see if the period is 6 back
-        int lastDotIndex = input.lastIndexOf('.');
-        if (lastDotIndex == input.length() - 7) {
-          String nonNanoInput = input.substring(0,input.length()-3);
-          Date date = timestampFormat.parse(nonNanoInput);
-          //get the last 3
-          String lastThree = input.substring(input.length()-3,input.length());
-          int lastThreeInt = Integer.parseInt(lastThree);
-          Timestamp timestamp = new Timestamp(date.getTime());
-          timestamp.setNanos(timestamp.getNanos() + (lastThreeInt * 1000));
-          return timestamp;
-        }
-        return timestampFormat.parse(input);
-      }
-      //else no slash
-      return timestampNoSlashFormat.parse(input);
-    } catch (ParseException pe) {
-      throw new RuntimeException(errorStart + input);
-    }
-  }
-
-  /**
-   * start of error parsing messages
-   */
-  private static final String errorStart = "Invalid timestamp, please use any of the formats: "
-    + DATE_FORMAT + ", " + TIMESTAMP_FORMAT 
-    + ", " + DATE_MINUTES_SECONDS_FORMAT + ": ";
-
-  /**
-   * Convert an object to a BigDecimal, allow nulls
-   * @param input the object to cast, or null
-   * @return the BigDecimal value of the input object
-   * @see java.math.BigDecimal#valueOf(double)
-   */
-  public static BigDecimal bigDecimalObjectValue(Object input) {
-    if (input instanceof BigDecimal) {
-      return (BigDecimal)input;
-    }
-    if (isBlank(input)) {
-      return null;
-    }
-    return BigDecimal.valueOf(doubleValue(input));
-  }
-
-  /**
-   * Convert an object to a Byte, allow nulls
-   * @param input the object to cast, or null
-   * @return the Byte object value
-   */
-  public static Byte byteObjectValue(Object input) {
-    if (input instanceof Byte) {
-      return (Byte)input;
-    }
-    if (isBlank(input)) {
-      return null;
-    }
-    return Byte.valueOf(byteValue(input));
-  }
-
-  /**
-   * convert an object to a byte
-   * @param input the object to convert to a byte
-   * @return the byte value of the given number, or the parsed byte of the string
-   */
-  public static byte byteValue(Object input) {
-    if (input instanceof String) {
-      String string = (String)input;
-      return Byte.parseByte(string);
-    }
-    if (input instanceof Number) {
-      return ((Number)input).byteValue();
-    }
-    throw new RuntimeException("Cannot convert to byte: " + className(input));
-  }
-
-  /**
-   * get the Double value of an object
-   * 
-   * @param input
-   *          is a number or String
-   * @param allowNullBlank used to default to false, if true, return null if nul inputted 
-   * 
-   * @return the Double equivalent
-   */
-  public static Double doubleObjectValue(Object input, boolean allowNullBlank) {
-  
-    if (input instanceof Double) {
-      return (Double) input;
-    } 
-    
-    if (allowNullBlank && isBlank(input)) {
-      return null;
-    }
-    
-    return Double.valueOf(doubleValue(input));
-  }
-
-  /**
-   * get the double value of an object
-   * 
-   * @param input
-   *          is a number or String
-   * 
-   * @return the double equivalent
-   */
-  public static double doubleValue(Object input) {
-    if (input instanceof String) {
-      String string = (String)input;
-      return Double.parseDouble(string);
-    }
-    if (input instanceof Number) {
-      return ((Number)input).doubleValue();
-    }
-    throw new RuntimeException("Cannot convert to double: "  + className(input));
-  }
-
-  /**
-   * get the double value of an object, do not throw an 
-   * exception if there is an
-   * error
-   * 
-   * @param input
-   *          is a number or String
-   * 
-   * @return the double equivalent
-   */
-  public static double doubleValueNoError(Object input) {
-    if (input == null || (input instanceof String 
-        && isBlank((String)input))) {
-      return NOT_FOUND;
-    }
-  
-    try {
-      return doubleValue(input);
-    } catch (Exception e) {
-      //no need to log here
-    }
-  
-    return NOT_FOUND;
-  }
-
-  /**
-   * get the Float value of an object
-   * 
-   * @param input
-   *          is a number or String
-   * @param allowNullBlank true if allow null or blank
-   * 
-   * @return the Float equivalent
-   */
-  public static Float floatObjectValue(Object input, boolean allowNullBlank) {
-  
-    if (input instanceof Float) {
-      return (Float) input;
-    } 
-  
-    if (allowNullBlank && isBlank(input)) {
-      return null;
-    }
-    return Float.valueOf(floatValue(input));
-  }
-
-  /**
-   * get the float value of an object
-   * 
-   * @param input
-   *          is a number or String
-   * 
-   * @return the float equivalent
-   */
-  public static float floatValue(Object input) {
-    if (input instanceof String) {
-      String string = (String)input;
-      return Float.parseFloat(string);
-    }
-    if (input instanceof Number) {
-      return ((Number)input).floatValue();
-    }
-    throw new RuntimeException("Cannot convert to float: " + className(input));
-  }
-
-  /**
-   * get the float value of an object, do not throw an exception if there is an
-   * error
-   * 
-   * @param input
-   *          is a number or String
-   * 
-   * @return the float equivalent
-   */
-  public static float floatValueNoError(Object input) {
-    if (input == null || (input instanceof String 
-        && isBlank((String)input))) {
-      return NOT_FOUND;
-    }
-    try {
-      return floatValue(input);
-    } catch (Exception e) {
-      e.printStackTrace();
-    }
-  
-    return NOT_FOUND;
-  }
-
-  /**
-   * get the Integer value of an object
-   * 
-   * @param input
-   *          is a number or String
-   * @param allowNullBlank true if convert null or blank to null
-   * 
-   * @return the Integer equivalent
-   */
-  public static Integer intObjectValue(Object input, boolean allowNullBlank) {
-  
-    if (input instanceof Integer) {
-      return (Integer) input;
-    } 
-  
-    if (allowNullBlank && isBlank(input)) {
-      return null;
-    }
-    
-    return Integer.valueOf(intValue(input));
-  }
-
-  /**
-   * convert an object to a int
-   * @param input the object (String or Number) to parse or convert to an int
-   * @return the number
-   */
-  public static int intValue(Object input) {
-    if (input instanceof String) {
-      String string = (String)input;
-      return Integer.parseInt(string);
-    }
-    if (input instanceof Number) {
-      return ((Number)input).intValue();
-    }
-    if (false) {
-      if (input == null) {
-        return 0;
-      }
-      if (input instanceof String || isBlank((String)input)) {
-        return 0;
-      }
-    }
-    
-    throw new RuntimeException("Cannot convert to int: " + className(input));
-  }
-
-  /**
-   * convert an object to a int
-   * @param input the object to convert to an int
-   * @param valueIfNull is if the input is null or empty, return this value
-   * @return the integer primitive represented by the object
-   */
-  public static int intValue(Object input, int valueIfNull) {
-    if (input == null || "".equals(input)) {
-      return valueIfNull;
-    }
-    return intObjectValue(input, false);
-  }
-
-  /**
-   * get the int value of an object, do not throw an exception if there is an
-   * error
-   * 
-   * @param input
-   *          is a number or String
-   * 
-   * @return the int equivalent
-   */
-  public static int intValueNoError(Object input) {
-    if (input == null || (input instanceof String 
-        && isBlank((String)input))) {
-      return NOT_FOUND;
-    }
-    try {
-      return intValue(input);
-    } catch (Exception e) {
-      //no need to log here
-    }
-  
-    return NOT_FOUND;
-  }
-
-  /** special number when a number is not found */
-  public static final int NOT_FOUND = -999999999;
-
-  /**
-   * The name says it all.
-   */
-  public static final int DEFAULT_BUFFER_SIZE = 1024 * 4;
-
-  /**
-   * get the Long value of an object
-   * 
-   * @param input
-   *          is a number or String
-   * @param allowNullBlank true if null or blank converts to null
-   * 
-   * @return the Long equivalent
-   */
-  public static Long longObjectValue(Object input, boolean allowNullBlank) {
-  
-    if (input instanceof Long) {
-      return (Long) input;
-    } 
-  
-    if (allowNullBlank && isBlank(input)) {
-      return null;
-    } 
-    
-    return Long.valueOf(longValue(input));
-  }
-
-  /**
-   * convert an object to a long
-   * @param input String or Number
-   * @return the number
-   */
-  public static long longValue(Object input) {
-    if (input instanceof String) {
-      String string = (String)input;
-      return Long.parseLong(string);
-    }
-    if (input instanceof Number) {
-      return ((Number)input).longValue();
-    }
-    throw new RuntimeException("Cannot convert to long: " + className(input));
-  }
-
-  /**
-   * convert an object to a long
-   * @param input value to convert
-   * @param valueIfNull is if the input is null or empty, return this value
-   * @return the number
-   */
-  public static long longValue(Object input, long valueIfNull) {
-    if (input == null || "".equals(input)) {
-      return valueIfNull;
-    }
-    return longObjectValue(input, false);
-  }
-
-  /**
-   * get the long value of an object, do not throw an exception if there is an
-   * error
-   * 
-   * @param input
-   *          is a number or String
-   * 
-   * @return the long equivalent
-   */
-  public static long longValueNoError(Object input) {
-    if (input == null || (input instanceof String 
-        && isBlank((String)input))) {
-      return NOT_FOUND;
-    }
-    try {
-      return longValue(input);
-    } catch (Exception e) {
-      //no need to log here
-    }
-  
-    return NOT_FOUND;
-  }
-
-  /**
-   * get the Short value of an object.  converts null or blank to null
-   * 
-   * @param input
-   *          is a number or String
-   * 
-   * @return the Long equivalent
-   */
-  public static Short shortObjectValue(Object input) {
-  
-    if (input instanceof Short) {
-      return (Short) input;
-    }
-  
-    if (isBlank(input)) {
-      return null;
-    } 
-    
-    return Short.valueOf(shortValue(input));
-  }
-
-  /**
-   * convert an object to a short
-   * @param input String or Number value to convert
-   * @return the number
-   */
-  public static short shortValue(Object input) {
-    if (input instanceof String) {
-      String string = (String)input;
-      return Short.parseShort(string);
-    }
-    if (input instanceof Number) {
-      return ((Number)input).shortValue();
-    }
-    throw new RuntimeException("Cannot convert to short: " + className(input));
-  }
-
-  /**
-   * get the Character wrapper value for the input
-   * @param input allow null, return null
-   * @return the Character object wrapper
-   */
-  public static Character charObjectValue(Object input) {
-    if (input instanceof Character) {
-      return (Character) input;
-    }
-    if (isBlank(input)) {
-      return null;
-    }
-    return new Character(charValue(input));
-  }
-
-  /**
-   * convert an object to a char
-   * @param input Character or String
-   * @return the number
-   */
-  public static char charValue(Object input) {
-    if (input instanceof Character) {
-      return ((Character) input).charValue();
-    }
-    //if string length 1, thats ok
-    if (input instanceof String) {
-      String inputString = (String) input;
-      if (inputString.length() == 1) {
-        return inputString.charAt(0);
-      }
-    }
-    throw new RuntimeException("Cannot convert to char: "
-        + (input == null ? null : (input.getClass() + ", " + input)));
-  }
-
-  /**
-   * Create the parent directories for a file if they do not already exist
-   * @param file the File whose parent directories need creating
-   * @see File#mkdirs()
-   */
-  public static void createParentDirectories(File file) {
-    if (!file.getParentFile().exists()) {
-      if (!file.getParentFile().mkdirs()) {
-        throw new RuntimeException("Could not create directory : " + file.getParentFile());
-      }
-    }
-  }
-
-  /**
-   * save a string into a file, file does not have to exist
-   * 
-   * @param file
-   *          is the file to save to
-   * @param contents
-   *          is the contents of the file
-   */
-  public static void saveStringIntoFile(File file, String contents) {
-    try {
-      writeStringToFile(file, contents, "UTF-8");
-    } catch (IOException ioe) {
-      throw new RuntimeException(ioe);
-    }
-  }
-
-  /**
-   * save a string into a file, file does not have to exist
-   * 
-   * @param file
-   *          is the file to save to
-   * @param contents
-   *          is the contents of the file
-   * @param onlyIfDifferentContents true if only saving due to different contents
-   * @param ignoreWhitespace true to ignore whitespace
-   * @return true if contents were saved (thus different if param set)
-   */
-  public static boolean saveStringIntoFile(File file, String contents, 
-      boolean onlyIfDifferentContents, boolean ignoreWhitespace) {
-    if (onlyIfDifferentContents && file.exists()) {
-      String fileContents = readFileIntoString(file);
-      String compressedContents = contents;
-      if (ignoreWhitespace) {
-        compressedContents = replaceWhitespaceWithSpace(compressedContents);
-        fileContents = replaceWhitespaceWithSpace(fileContents);
-      }
-      
-      //they are the same, dont worry about it
-      if (equals(fileContents, compressedContents)) {
-        return false;
-      }
-  
-    }
-    saveStringIntoFile(file, contents);
-    return true;
-  }
-
-  /**
-   * <p>
-   * Writes data to a file. The file will be created if it does not exist.
-   * </p>
-   * <p>
-   * There is no readFileToString method without encoding parameter because
-   * the default encoding can differ between platforms and therefore results
-   * in inconsistent results.
-   * </p>
-   *
-   * @param file the file to write.
-   * @param data The content to write to the file.
-   * @param encoding encoding to use
-   * @throws IOException in case of an I/O error
-   * @throws UnsupportedEncodingException if the encoding is not supported
-   *   by the VM
-   */
-  public static void writeStringToFile(File file, String data, String encoding)
-      throws IOException {
-    OutputStream out = new java.io.FileOutputStream(file);
-    try {
-      out.write(data.getBytes(encoding));
-    } finally {
-      closeQuietly(out);
-    }
-  }
-
-  /**
-   * @param file
-   *          is the file to read into a string
-   * 
-   * @return String
-   */
-  public static String readFileIntoString(File file) {
-  
-    if (file == null) {
-      return null;
-    }
-    try {
-      return readFileToString(file, "UTF-8");
-    } catch (IOException ioe) {
-      throw new RuntimeException(ioe);
-    }
-  }
-
-  /**
-   * @param resourceName is the string resource from classpath to read (e.g. grouper.properties)
-   * @param allowNull is true if its ok if the resource is null or if it is not found or blank or whatever.
-   * 
-   * @return String or null if allowed or RuntimeException if not allowed
-   */
-  public static String readResourceIntoString(String resourceName, boolean allowNull) {
-    if (isBlank(resourceName)) {
-      if (allowNull) {
-        return null;
-      }
-      throw new RuntimeException("Resource name is blank");
-    }
-    URL url = computeUrl(resourceName, allowNull);
-
-    //this is ok
-    if (url == null && allowNull) {
-      return null;
-    }
-    
-    InputStream inputStream = null;
-    StringWriter stringWriter = new StringWriter();
-    try {
-      inputStream = url.openStream();
-      copy(inputStream, stringWriter, "UTF-8");
-    } catch (IOException ioe) {
-      throw new RuntimeException("Error reading resource: '" + resourceName + "'", ioe);
-    } finally {
-      closeQuietly(inputStream);
-      closeQuietly(stringWriter);
-    }
-    return stringWriter.toString();
-  }
-
-  /**
-   * read resource into string
-   * @param resourceName the resource name
-   * @param classInJar if not null, then look for the jar where this file is, and look in the same dir
-   * @return the properties or null if not exist
-   */
-  public static String readResourceIntoString(String resourceName, Class<?> classInJar) {
-
-    try {
-      return readResourceIntoString(resourceName, false);
-    } catch (Exception e) {
-      //try from jar location
-    }
-  
-    //lets look next to jar
-    File jarFile = classInJar == null ? null : jarFile(classInJar);
-    File parentDir = jarFile == null ? null : jarFile.getParentFile();
-    String fileName = parentDir == null ? null 
-        : (stripLastSlashIfExists(fileCanonicalPath(parentDir)) + File.separator + resourceName);
-    File configFile = fileName == null ? null 
-        : new File(fileName);
-
-    return readFileIntoString(configFile);
-  }
-
-  /**
-   * <p>
-   * Reads the contents of a file into a String.
-   * </p>
-   * <p>
-   * There is no readFileToString method without encoding parameter because
-   * the default encoding can differ between platforms and therefore results
-   * in inconsistent results.
-   * </p>
-   *
-   * @param file the file to read.
-   * @param encoding the encoding to use
-   * @return The file contents or null if read failed.
-   * @throws IOException in case of an I/O error
-   */
-  public static String readFileToString(File file, String encoding) throws IOException {
-    InputStream in = new java.io.FileInputStream(file);
-    try {
-      return toString(in, encoding);
-    } finally {
-      closeQuietly(in);
-    }
-  }
-
-  /**
-   * replace all consecutive whitespace with single space character
-   * @param input the input string
-   * @return the string with redundant whitespace collapsed
-   */
-  public static String replaceWhitespaceWithSpace(String input) {
-    if (input == null) {
-      return input;
-    }
-    return input.replaceAll("\\s+", " ");
-  }
-
-  /**
-   * Unconditionally close an <code>InputStream</code>.
-   * Equivalent to {@link InputStream#close()}, except any exceptions will be ignored.
-   * @param input A (possibly null) InputStream
-   */
-  public static void closeQuietly(InputStream input) {
-    if (input == null) {
-      return;
-    }
-  
-    try {
-      input.close();
-    } catch (IOException ioe) {
-    }
-  }
-
-  /**
-   * Unconditionally close an <code>OutputStream</code>.
-   * Equivalent to {@link OutputStream#close()}, except any exceptions will be ignored.
-   * @param output A (possibly null) OutputStream
-   */
-  public static void closeQuietly(OutputStream output) {
-    if (output == null) {
-      return;
-    }
-  
-    try {
-      output.close();
-    } catch (IOException ioe) {
-    }
-  }
-
-  /**
-   * Unconditionally close an <code>Reader</code>.
-   * Equivalent to {@link Reader#close()}, except any exceptions will be ignored.
-   *
-   * @param input A (possibly null) Reader
-   */
-  public static void closeQuietly(Reader input) {
-    if (input == null) {
-      return;
-    }
-  
-    try {
-      input.close();
-    } catch (IOException ioe) {
-    }
-  }
-
-  /**
-   * close a writer quietly, swallowing IOException
-   * @param writer the writer to close
-   */
-  public static void closeQuietly(Writer writer) {
-    if (writer != null) {
-      try {
-        writer.close();
-      } catch (IOException e) {
-        //swallow, its ok
-      }
-    }
-  }
-
-  /**
-   * Get the contents of an <code>InputStream</code> as a String.
-   * @param input the <code>InputStream</code> to read from
-   * @param encoding The name of a supported character encoding. See the
-   *   <a href="http://www.iana.org/assignments/character-sets">IANA
-   *   Charset Registry</a> for a list of valid encoding types.
-   * @return the requested <code>String</code>
-   * @throws IOException In case of an I/O problem
-   */
-  public static String toString(InputStream input, String encoding) throws IOException {
-    StringWriter sw = new StringWriter();
-    copy(input, sw, encoding);
-    return sw.toString();
-  }
-
-  /**
-   * Copy and convert bytes from an <code>InputStream</code> to chars on a
-   * <code>Writer</code>, using the specified encoding.
-   * @param input the <code>InputStream</code> to read from
-   * @param output the <code>Writer</code> to write to
-   * @param encoding The name of a supported character encoding. See the
-   * <a href="http://www.iana.org/assignments/character-sets">IANA
-   * Charset Registry</a> for a list of valid encoding types.
-   * @throws IOException In case of an I/O problem
-   */
-  public static void copy(InputStream input, Writer output, String encoding)
-      throws IOException {
-    InputStreamReader in = new InputStreamReader(input, encoding);
-    copy(in, output);
-  }
-
-  /**
-   * Copy chars from a <code>Reader</code> to a <code>Writer</code>.
-   * @param input the <code>Reader</code> to read from
-   * @param output the <code>Writer</code> to write to
-   * @return the number of characters copied
-   * @throws IOException In case of an I/O problem
-   */
-  public static int copy(Reader input, Writer output) throws IOException {
-    char[] buffer = new char[DEFAULT_BUFFER_SIZE];
-    int count = 0;
-    int n = 0;
-    while (-1 != (n = input.read(buffer))) {
-      output.write(buffer, 0, n);
-      count += n;
-    }
-    return count;
-  }
-
-  /**
-   * this method takes a long (less than 62) and converts it to a 1 character
-   * string (a-z, A-Z, 0-9)
-   * 
-   * @param theLong
-   *          is the long (less than 62) to convert to a 1 character string
-   * 
-   * @return a one character string
-   */
-  public static String convertLongToChar(long theLong) {
-    if ((theLong < 0) || (theLong >= 62)) {
-      throw new RuntimeException("convertLongToChar() "
-          + " invalid input (not >=0 && <62: " + theLong);
-    } else if (theLong < 26) {
-      return "" + (char) ('a' + theLong);
-    } else if (theLong < 52) {
-      return "" + (char) ('A' + (theLong - 26));
-    } else {
-      return "" + (char) ('0' + (theLong - 52));
-    }
-  }
-
-  /**
-   * this method takes a long (less than 36) and converts it to a 1 character
-   * string (A-Z, 0-9)
-   * 
-   * @param theLong
-   *          is the long (less than 36) to convert to a 1 character string
-   * 
-   * @return a one character string
-   */
-  public static String convertLongToCharSmall(long theLong) {
-    if ((theLong < 0) || (theLong >= 36)) {
-      throw new RuntimeException("convertLongToCharSmall() "
-          + " invalid input (not >=0 && <36: " + theLong);
-    } else if (theLong < 26) {
-      return "" + (char) ('A' + theLong);
-    } else {
-      return "" + (char) ('0' + (theLong - 26));
-    }
-  }
-
-  /**
-   * convert a long to a string by converting it to base 62 (26 lower, 26 upper,
-   * 10 digits)
-   * 
-   * @param theLong
-   *          is the long to convert
-   * 
-   * @return the String conversion of this
-   */
-  public static String convertLongToString(long theLong) {
-    long quotient = theLong / 62;
-    long remainder = theLong % 62;
-  
-    if (quotient == 0) {
-      return convertLongToChar(remainder);
-    }
-    StringBuffer result = new StringBuffer();
-    result.append(convertLongToString(quotient));
-    result.append(convertLongToChar(remainder));
-  
-    return result.toString();
-  }
-
-  /**
-   * convert a long to a string by converting it to base 36 (26 upper, 10
-   * digits)
-   * 
-   * @param theLong
-   *          is the long to convert
-   * 
-   * @return the String conversion of this
-   */
-  public static String convertLongToStringSmall(long theLong) {
-    long quotient = theLong / 36;
-    long remainder = theLong % 36;
-  
-    if (quotient == 0) {
-      return convertLongToCharSmall(remainder);
-    }
-    StringBuffer result = new StringBuffer();
-    result.append(convertLongToStringSmall(quotient));
-    result.append(convertLongToCharSmall(remainder));
-  
-    return result.toString();
-  }
-
-  /**
-   * increment a character (A-Z then 0-9)
-   * 
-   * @param theChar The charater to be "incremented"
-   * 
-   * @return the charcter that follows the input character, wrapping from 'Z' to '0' and '9' to 'A' in the set [A-Z0-9]
-   */
-  public static char incrementChar(char theChar) {
-    if (theChar == 'Z') {
-      return '0';
-    }
-  
-    if (theChar == '9') {
-      return 'A';
-    }
-  
-    return ++theChar;
-  }
-
-  /**
-   * Increment a string with A-Z and 0-9 (no lower case so case insensitive apps
-   * like windows IE will still work)
-   * 
-   * @param string  the character array to increment.
-   * 
-   * @return the incremented character array
-   */
-  public static char[] incrementStringInt(char[] string) {
-    if (string == null) {
-      return string;
-    }
-  
-    //loop through the string backwards
-    int i = 0;
-  
-    for (i = string.length - 1; i >= 0; i--) {
-      char inc = string[i];
-      inc = incrementChar(inc);
-      string[i] = inc;
-  
-      if (inc != 'A') {
-        break;
-      }
-    }
-  
-    //if we are at 0, then it means we hit AAAAAAA (or more)
-    if (i < 0) {
-      return ("A" + new String(string)).toCharArray();
-    }
-  
-    return string;
-  }
-
-  /**
-   * read properties from a resource, don't modify the properties returned since they are cached
-   * @param resourceName the resource name
-   * @return the properties
-   */
-  public synchronized static Properties propertiesFromResourceName(String resourceName) {
-    return propertiesFromResourceName(resourceName, true, true, null, null);
-  }
-
-  /**
-   * clear properties cache (e.g. for testing)
-   */
-  public static void propertiesCacheClear() {
-    resourcePropertiesCache.clear();
-  }
-  
-  /**
-   * read properties from file
-   * @param file the properties file
-   * @return properties
-   */
-  public static Properties propertiesFromFile(File file) {
-    Properties properties = new Properties();
-    FileInputStream fileInputStream = null;
-    try {
-      
-      fileInputStream = new FileInputStream(file);
-      properties.load(fileInputStream);
-      
-    } catch (IOException ioe) {
-      throw new RuntimeException("Problem reading file into properties: " + file.getAbsolutePath());
-    } finally {
-      closeQuietly(fileInputStream);
-    }
-    return properties;
-  }
-  
-  /**
-   * read properties from a resource, dont modify the properties returned since they are cached
-   * @param resourceName the resource name (property key)
-   * @param useCache  whether or not to use cache
-   * @param exceptionIfNotExist throw an exception if the resource does not exist
-   * @param classInJar if not null, then look for the jar where this file is, and look in the same dir
-   * @param callingLog container for "Reading resource ... from" log messages
-   * @return the properties or null if not exist
-   */
-  public synchronized static Properties propertiesFromResourceName(String resourceName, boolean useCache, 
-      boolean exceptionIfNotExist, Class<?> classInJar, StringBuilder callingLog) {
-
-    Properties properties = resourcePropertiesCache.get(resourceName);
-    
-    if (!useCache || !resourcePropertiesCache.containsKey(resourceName)) {
-  
-      properties = new Properties();
-
-      boolean success = false;
-      
-      URL url = computeUrl(resourceName, true);
-      InputStream inputStream = null;
-      try {
-        inputStream = url.openStream();
-        properties.load(inputStream);
-        success = true;
-        String theLog = "Reading resource: " + resourceName + ", from: " + url.toURI();
-        if (callingLog != null) {
-          callingLog.append(theLog);
-        }
-      } catch (Exception e) {
-        
-        //clear out just in case
-        properties.clear();
-
-        //lets look next to jar
-        File jarFile = classInJar == null ? null : jarFile(classInJar);
-        File parentDir = jarFile == null ? null : jarFile.getParentFile();
-        String fileName = parentDir == null ? null 
-            : (stripLastSlashIfExists(fileCanonicalPath(parentDir)) + File.separator + resourceName);
-        File configFile = fileName == null ? null 
-            : new File(fileName);
-
-        try {
-          //looks like we have a match
-          if (configFile != null && configFile.exists() && configFile.isFile()) {
-            inputStream = new FileInputStream(configFile);
-            properties.load(inputStream);
-            success = true;
-            String theLog = "Reading resource: " + resourceName + ", from: " + fileCanonicalPath(configFile);
-            if (callingLog != null) {
-              callingLog.append(theLog);
-            }
-          }
-          
-        } catch (Exception e2) {
-        }
-        if (!success) {
-          properties = null;
-          if (exceptionIfNotExist) {
-            throw new RuntimeException("Problem with resource: '" + resourceName + "'", e);
-          }
-        }
-      } finally {
-        closeQuietly(inputStream);
-        
-        if (useCache && properties != null && properties.size() > 0) {
-          resourcePropertiesCache.put(resourceName, properties);
-        }
-      }
-    }
-    
-    return properties;
-  }
-
-  /**
-   * do a case-insensitive matching
-   * @param theEnumClass class of the enum
-   * @param <E> generic type
-   * 
-   * @param string The name of an enum constant
-   * @param exceptionOnNotFound true if exception should be thrown on not found
-   * @return the enum or null or exception if not found
-   * @throws RuntimeException if there is a problem
-   */
-  public static <E extends Enum<?>> E enumValueOfIgnoreCase(Class<E> theEnumClass, String string, 
-      boolean exceptionOnNotFound) throws RuntimeException {
-    
-    if (!exceptionOnNotFound && isBlank(string)) {
-      return null;
-    }
-    for (E e : theEnumClass.getEnumConstants()) {
-      if (equalsIgnoreCase(string, e.name())) {
-        return e;
-      }
-    }
-    StringBuilder error = new StringBuilder(
-        "Cant find " + theEnumClass.getSimpleName() + " from string: '").append(string);
-    error.append("', expecting one of: ");
-    for (E e : theEnumClass.getEnumConstants()) {
-      error.append(e.name()).append(", ");
-    }
-    throw new RuntimeException(error.toString());
-  
-  }
-
-
-  /**
-   * this assumes the property exists, and is a simple property
-   * @param object the object
-   * @param property the property
-   * @return the value
-   */
-  public static Object propertyValue(Object object, String property)  {
-    Method getter = getter(object.getClass(), property, true, true);
-    Object result = invokeMethod(getter, object);
-    return result;
-  }
-
-  /**
-   * get a value (trimmed to e) from a property file
-   * @param properties the properties
-   * @param key the key used to lookup the property value
-   * @return the property value
-   */
-  public static String propertiesValue(Properties properties, String key) {
-    return propertiesValue(properties, null, key);
-  }
-  
-  /**
-   * get a value (trimmed to e) from a property file
-   * @param properties the properties
-   * @param overrideMap for testing, to override some properties values
-   * @param key the key used to lookup the property value
-   * @return the property value
-   */
-  public static String propertiesValue(Properties properties, Map<String, String> overrideMap, String key) {
-    return propertiesValue(properties, overrideMap, null, key);
-  }
-
-  /**
-   * get a value (trimmed to e) from a property file
-   * @param properties the properties
-   * @param overrideMap for testing or threadlocal, to override some properties values
-   * @param overrideMap2 for testing, to provide some properties values
-   * @param key the key used to lookup the property value
-   * @return the property value
-   */
-  public static String propertiesValue(Properties properties, Map<String, String> overrideMap, Map<String, String> overrideMap2, String key) {
-    String value = overrideMap == null ? null : overrideMap.get(key);
-    if (isBlank(value)) {
-      value = overrideMap2 == null ? null : overrideMap2.get(key);
-    }
-    if (isBlank(value)) {
-      value = properties.getProperty(key);
-    }
-    value = trim(value);
-    value = substituteCommonVars(value);
-    return value;
-  }
-  
-  /**
-   * substitute common vars like $space$ and $newline$
-   * @param string The string that potentially contains '$space$' and '$newline$' tokens
-   * @return the string with tokens replaced by their represented characters
-   */
-  public static String substituteCommonVars(String string) {
-    if (string == null) {
-      return string;
-    }
-    //short circuit
-    if (string.indexOf('$') < 0) {
-      return string;
-    }
-    //might have $space$
-    string = replace(string, "$space$", " ");
-    
-    //note, at some point we could be OS specific
-    string = replace(string, "$newline$", "\n"); 
-    return string;
-  }
-  
-  /**
-   * get a boolean property, or the default if can't find
-   * @param properties the properties
-   * @param propertyName the property name key
-   * @param defaultValue the value to use when key lookup is blank
-   * @return the boolean
-   */
-  public static boolean propertiesValueBoolean(Properties properties,
-      String propertyName, boolean defaultValue) {
-    return propertiesValueBoolean(properties, null, propertyName, defaultValue);
-  }
-  
-  /**
-   * get a boolean property, or the default if cant find.  Validate also with a descriptive exception if problem
-   * @param resourceName the resource name
-   * @param properties the properties
-   * @param overrideMap for testing to override properties
-   * @param propertyName the property name key
-   * @param defaultValue the value to use when key lookup is blank
-   * @param required whether or not a value is required
-   * @return the boolean
-   */
-  public static boolean propertiesValueBoolean(String resourceName, Properties properties, 
-      Map<String, String> overrideMap, String propertyName, boolean defaultValue, boolean required) {
-    propertyValidateValueBoolean(resourceName, properties, overrideMap, propertyName, required, true);
-
-    Map<String, String> threadLocalMap = propertiesThreadLocalOverrideMap(resourceName);
-    
-    return propertiesValueBoolean(properties, threadLocalMap, overrideMap, propertyName, defaultValue);
-  }
-  
-  /**
-   * get an int property, or the default if can't find.  Validate also with a descriptive exception if problem
-   * @param resourceName the resource name
-   * @param properties the properties
-   * @param overrideMap for testing to override properties
-   * @param propertyName the property name key
-   * @param defaultValue the value to use when key lookup is blank
-   * @param required whether or not a value is required
-   * @return the int
-   */
-  public static int propertiesValueInt(String resourceName, Properties properties, 
-      Map<String, String> overrideMap, String propertyName, int defaultValue, boolean required) {
-    
-    propertyValidateValueInt(resourceName, properties, overrideMap, propertyName, required, true);
-
-    Map<String, String> threadLocalMap = propertiesThreadLocalOverrideMap(resourceName);
-
-    return propertiesValueInt(properties, threadLocalMap, overrideMap, propertyName, defaultValue);
-  }
-
-  /**
-   * get a property.  Validate also with a descriptive exception if problem
-   * @param resourceName the resource name
-   * @param properties the properties
-   * @param overrideMap for threadlocal or testing to override properties
-   * @param propertyName the property name
-   * @param required whether or not a value is required
-   * @return the string
-   */
-  public static String propertiesValue(String resourceName, Properties properties, 
-      Map<String, String> overrideMap, String propertyName, boolean required) {
-
-    if (required) {
-      propertyValidateValueRequired(resourceName, properties, overrideMap, propertyName, true);
-    }
-    Map<String, String> threadLocalMap = propertiesThreadLocalOverrideMap(resourceName);
-
-    return propertiesValue(properties, threadLocalMap, overrideMap, propertyName);
-  }
-
-  /**
-   * get a int property, or the default if cant find
-   * @param properties the properties
-   * @param overrideMap for testing to override properties
-   * @param propertyName the name of the property
-   * @param defaultValue the value to use when the property value is blank
-   * @return the int
-   */
-  public static int propertiesValueInt(Properties properties, 
-      Map<String, String> overrideMap, String propertyName, int defaultValue) {
-    return propertiesValueInt(properties, overrideMap, null, propertyName, defaultValue);
-  }
-
-
-  /**
-   * get a int property, or the default if can't find
-   * @param properties the properties
-   * @param overrideMap for testing to override properties
-   * @param overrideMap2 for testing to override properties
-   * @param propertyName the name of the property
-   * @param defaultValue the value to use when the property value is blank
-   * @return the int
-   */
-  public static int propertiesValueInt(Properties properties, 
-      Map<String, String> overrideMap, Map<String, String> overrideMap2, String propertyName, int defaultValue) {
-
-    String value = propertiesValue(properties, overrideMap, overrideMap2, propertyName);
-    if (isBlank(value)) {
-      return defaultValue;
-    }
-
-    try {
-      return intValue(value);
-    } catch (Exception e) {}
-    
-    throw new RuntimeException("Invalid int value: '" + value + "' for property: " + propertyName + " in grouper.properties");
-
-  }
-  
-  /**
-   * get a boolean property, or the default if can't find
-   * @param properties the properties being searched
-   * @param overrideMap for testing to override properties
-   * @param propertyName the name of the property
-   * @param defaultValue the value to use when the property value is blank
-   * @return the boolean
-   */
-  public static boolean propertiesValueBoolean(Properties properties, 
-      Map<String, String> overrideMap, String propertyName, boolean defaultValue) {
-    return propertiesValueBoolean(properties, overrideMap, null, propertyName, defaultValue);
-  }
-
-  /**
-   * get a boolean property, or the default if can't find
-   * @param properties the properties being searched
-   * @param overrideMap for testing or threadlocal to override properties
-   * @param overrideMap2 for testing or threadlocal to override properties
-   * @param propertyName the name of the property
-   * @param defaultValue the value to use when the property value is blank
-   * @return the boolean
-   */
-  public static boolean propertiesValueBoolean(Properties properties, 
-      Map<String, String> overrideMap, Map<String, String> overrideMap2, String propertyName, boolean defaultValue) {
-    
-      
-    String value = propertiesValue(properties, overrideMap, overrideMap2, propertyName);
-    if (isBlank(value)) {
-      return defaultValue;
-    }
-    
-    if ("true".equalsIgnoreCase(value)) {
-      return true;
-    }
-    if ("false".equalsIgnoreCase(value)) {
-      return false;
-    }
-    if ("t".equalsIgnoreCase(value)) {
-      return true;
-    }
-    if ("f".equalsIgnoreCase(value)) {
-      return false;
-    }
-    throw new RuntimeException("Invalid boolean value: '" + value + "' for property: " + propertyName + " in properties file");
-
-  }
-  
-  /**
-   * close a connection null safe and don't throw exception
-   * @param connection the connection to close
-   */
-  public static void closeQuietly(Connection connection) {
-    if (connection != null) {
-      try {
-        connection.close();
-      } catch (Exception e) {
-        //ignore
-      }
-    }
-  }
-
-  /**
-   * close a statement null safe and don't throw exception
-   * @param statement the statement to close
-   */
-  public static void closeQuietly(Statement statement) {
-    if (statement != null) {
-      try {
-        statement.close();
-      } catch (Exception e) {
-        //ignore
-      }
-    }
-  }
-
-  /**
-   * close a resultSet null safe and don't throw exception
-   * @param resultSet the ResultSet to close
-   */
-  public static void closeQuietly(ResultSet resultSet) {
-    if (resultSet != null) {
-      try {
-        resultSet.close();
-      } catch (Exception e) {
-        //ignore
-      }
-    }
-  }
-
-  /** cache the hostname, it won't change */
-  private static String hostname = null;
-
-  /**
-   * get the hostname of this machine
-   * @return the hostname
-   */
-  public static String hostname() {
-  
-    if (isBlank(hostname)) {
-  
-      //get the hostname
-      hostname = "unknown";
-      try {
-        InetAddress addr = InetAddress.getLocalHost();
-  
-        // Get hostname
-        hostname = addr.getHostName();
-      } catch (Exception e) {
-        System.err.println("Cant find servers hostname: ");
-        e.printStackTrace();
-      }
-    }
-  
-    return hostname;
-  }
-
-  /**
-   * is ascii char
-   * @param input the charater to test
-   * @return true if ascii (has value below 128)
-   */
-  public static boolean isAscii(char input) {
-    return input < 128;
-  }
-
-  /**
-   * find the length of ascii chars (non ascii are counted as two)
-   * @param input the input string
-   * @return the length of ascii chars
-   */
-  public static int lengthAscii(String input) {
-    if (input == null) {
-      return 0;
-    }
-    //see what real length is
-    int utfLength = input.length();
-    //count how many non asciis
-    int extras = 0;
-    for (int i=0;i<utfLength;i++) {
-      //keep count of non ascii chars
-      if (!isAscii(input.charAt(i))) {
-        extras++;
-      }
-    }
-    return utfLength + extras;
-  }
-
-  /**
-   * rollback a connection quietly
-   * @param connection the connection to roll back
-   */
-  public static void rollbackQuietly(Connection connection) {
-    if (connection != null) {
-      try {
-        connection.rollback();
-      } catch (Exception e) {
-        //ignore
-      }
-    }
-  }
-
-  /**
-   * find the length of ascii chars (non ascii are counted as two)
-   * @param input is the string to operate on
-   * @param requiredLength length we need the string to be
-   * @return the length of ascii chars
-   */
-  public static String truncateAscii(String input, int requiredLength) {
-    if (input == null) {
-      return input;
-    }
-    //see what real length is
-    int utfLength = input.length();
-    
-    //see if not worth checking
-    if (utfLength * 2 < requiredLength) {
-      return input;
-    }
-    
-    //count how many non asciis
-    int asciiLength = 0;
-    for (int i=0;i<utfLength;i++) {
-      
-      asciiLength++;
-      
-      //keep count of non ascii chars
-      if (!isAscii(input.charAt(i))) {
-        asciiLength++;
-      }
-      
-      //see if we are over 
-      if (asciiLength > requiredLength) {
-        //do not include the current char
-        return input.substring(0,i);
-      }
-    }
-    //must have fit
-    return input;
-  }
-  
-  /**
-   * if the input is a file, read string from file.  if not, or if disabled from grouper.properties, return the input
-   * @param in A path to a file
-   * @param disableExternalFileLookup when true, no attempt is made to read the input file reference into a String
-   * @return the contents of the file referred to by the input, or the original input string
-   */
-  public static String readFromFileIfFile(String in, boolean disableExternalFileLookup) {
-    
-    String theIn = in;
-    //convert both slashes to file slashes
-    if (File.separatorChar == '/') {
-      theIn = replace(theIn, "\\", "/");
-    } else {
-      theIn = replace(theIn, "/", "\\");
-    }
-    
-    //see if it is a file reference
-    if (theIn.indexOf(File.separatorChar) != -1 && !disableExternalFileLookup) {
-      //read the contents of the file into a string
-      theIn = readFileIntoString(new File(theIn));
-      return theIn;
-    }
-    return in;
-  
-  }
-
-  /**
-   * Create directories, throw exception if not possible.
-   * This is will be ok if the directory already exists (will not delete it)
-   * @param dir the directory to create
-   */
-  public static void mkdirs(File dir) {
-    if (!dir.exists()) {
-      if (!dir.mkdirs()) {
-        throw new RuntimeException("Could not create directory : " + dir.getParentFile());
-      }
-      return;
-    }
-    if (!dir.isDirectory()) {
-      throw new RuntimeException("Should be a directory but is not: " + dir);
-    }
-  }
-  
-
-  /**
-   * null safe string compare
-   * @param first first string, or null
-   * @param second second string, or null
-   * @return true if equal
-   */
-  public static boolean equals(String first, String second) {
-    if (first == second) {
-      return true;
-    }
-    if (first == null || second == null) {
-      return false;
-    }
-    return first.equals(second);
-  }
-
-  /**
-   * <p>Checks if a String is whitespace, empty ("") or null.</p>
-   *
-   * <pre>
-   * isBlank(null)      = true
-   * isBlank("")        = true
-   * isBlank(" ")       = true
-   * isBlank("bob")     = false
-   * isBlank("  bob  ") = false
-   * </pre>
-   *
-   * @param str  the String to check, may be null
-   * @return <code>true</code> if the String is null, empty or whitespace
-   * @since 2.0
-   */
-  public static boolean isBlank(String str) {
-    int strLen;
-    if (str == null || (strLen = str.length()) == 0) {
-      return true;
-    }
-    for (int i = 0; i < strLen; i++) {
-      if ((Character.isWhitespace(str.charAt(i)) == false)) {
-        return false;
-      }
-    }
-    return true;
-  }
-
-  /**
-   * 
-   * @param str string to check
-   * @return true if not blank
-   */
-  public static boolean isNotBlank(String str) {
-    return !isBlank(str);
-  }
-
-  /**
-   * trim whitespace from string
-   * @param str string to trim
-   * @return trimmed string
-   */
-  public static String trim(String str) {
-    return str == null ? null : str.trim();
-  }
-
-  /**
-   * null-safe equalsignorecase
-   * @param str1 first string
-   * @param str2 second string
-   * @return true if the strings are equal ignore case
-   */
-  public static boolean equalsIgnoreCase(String str1, String str2) {
-    return str1 == null ? str2 == null : str1.equalsIgnoreCase(str2);
-  }
-
-  /**
-   * trim to empty, convert null to empty
-   * @param str a string containing whitespace, or null
-   * @return A trimmed string, potentially of length 0 in the case of all-whitespace or null input
-   */
-  public static String trimToEmpty(String str) {
-    return str == null ? "" : str.trim();
-  }
-
-  /**
-   * <p>Abbreviates a String using ellipses. This will turn
-   * "Now is the time for all good men" into "Now is the time for..."</p>
-   *
-   * <p>Specifically:</p>
-   * <ul>
-   *   <li>If <code>str</code> is less than <code>maxWidth</code> characters
-   *       long, return it.</li>
-   *   <li>Else abbreviate it to <code>(substring(str, 0, max-3) + "...")</code>.</li>
-   *   <li>If <code>maxWidth</code> is less than <code>4</code>, throw an
-   *       <code>IllegalArgumentException</code>.</li>
-   *   <li>In no case will it return a String of length greater than
-   *       <code>maxWidth</code>.</li>
-   * </ul>
-   *
-   * <pre>
-   * StringUtils.abbreviate(null, *)      = null
-   * StringUtils.abbreviate("", 4)        = ""
-   * StringUtils.abbreviate("abcdefg", 6) = "abc..."
-   * StringUtils.abbreviate("abcdefg", 7) = "abcdefg"
-   * StringUtils.abbreviate("abcdefg", 8) = "abcdefg"
-   * StringUtils.abbreviate("abcdefg", 4) = "a..."
-   * StringUtils.abbreviate("abcdefg", 3) = IllegalArgumentException
-   * </pre>
-   *
-   * @param str  the String to check, may be null
-   * @param maxWidth  maximum length of result String, must be at least 4
-   * @return abbreviated String, <code>null</code> if null String input
-   * @throws IllegalArgumentException if the width is too small
-   * @since 2.0
-   */
-  public static String abbreviate(String str, int maxWidth) {
-    return abbreviate(str, 0, maxWidth);
-  }
-
-  /**
-   * <p>Abbreviates a String using ellipses. This will turn
-   * "Now is the time for all good men" into "...is the time for..."</p>
-   *
-   * <p>Works like <code>abbreviate(String, int)</code>, but allows you to specify
-   * a "left edge" offset.  Note that this left edge is not necessarily going to
-   * be the leftmost character in the result, or the first character following the
-   * ellipses, but it will appear somewhere in the result.
-   *
-   * <p>In no case will it return a String of length greater than
-   * <code>maxWidth</code>.</p>
-   *
-   * <pre>
-   * StringUtils.abbreviate(null, *, *)                = null
-   * StringUtils.abbreviate("", 0, 4)                  = ""
-   * StringUtils.abbreviate("abcdefghijklmno", -1, 10) = "abcdefg..."
-   * StringUtils.abbreviate("abcdefghijklmno", 0, 10)  = "abcdefg..."
-   * StringUtils.abbreviate("abcdefghijklmno", 1, 10)  = "abcdefg..."
-   * StringUtils.abbreviate("abcdefghijklmno", 4, 10)  = "abcdefg..."
-   * StringUtils.abbreviate("abcdefghijklmno", 5, 10)  = "...fghi..."
-   * StringUtils.abbreviate("abcdefghijklmno", 6, 10)  = "...ghij..."
-   * StringUtils.abbreviate("abcdefghijklmno", 8, 10)  = "...ijklmno"
-   * StringUtils.abbreviate("abcdefghijklmno", 10, 10) = "...ijklmno"
-   * StringUtils.abbreviate("abcdefghijklmno", 12, 10) = "...ijklmno"
-   * StringUtils.abbreviate("abcdefghij", 0, 3)        = IllegalArgumentException
-   * StringUtils.abbreviate("abcdefghij", 5, 6)        = IllegalArgumentException
-   * </pre>
-   *
-   * @param str  the String to check, may be null
-   * @param offset  left edge of source String
-   * @param maxWidth  maximum length of result String, must be at least 4
-   * @return abbreviated String, <code>null</code> if null String input
-   * @throws IllegalArgumentException if the width is too small
-   * @since 2.0
-   */
-  public static String abbreviate(String str, int offset, int maxWidth) {
-    if (str == null) {
-      return null;
-    }
-    if (maxWidth < 4) {
-      throw new IllegalArgumentException("Minimum abbreviation width is 4");
-    }
-    if (str.length() <= maxWidth) {
-      return str;
-    }
-    if (offset > str.length()) {
-      offset = str.length();
-    }
-    if ((str.length() - offset) < (maxWidth - 3)) {
-      offset = str.length() - (maxWidth - 3);
-    }
-    if (offset <= 4) {
-      return str.substring(0, maxWidth - 3) + "...";
-    }
-    if (maxWidth < 7) {
-      throw new IllegalArgumentException("Minimum abbreviation width with offset is 7");
-    }
-    if ((offset + (maxWidth - 3)) < str.length()) {
-      return "..." + abbreviate(str.substring(offset), maxWidth - 3);
-    }
-    return "..." + str.substring(str.length() - (maxWidth - 3));
-  }
-
-  // Splitting
-  //-----------------------------------------------------------------------
-  /**
-   * <p>Splits the provided text into an array, using whitespace as the
-   * separator.
-   * Whitespace is defined by {@link Character#isWhitespace(char)}.</p>
-   *
-   * <p>The separator is not included in the returned String array.
-   * Adjacent separators are treated as one separator.
-   * For more control over the split use the StrTokenizer class.</p>
-   *
-   * <p>A <code>null</code> input String returns <code>null</code>.</p>
-   *
-   * <pre>
-   * StringUtils.split(null)       = null
-   * StringUtils.split("")         = []
-   * StringUtils.split("abc def")  = ["abc", "def"]
-   * StringUtils.split("abc  def") = ["abc", "def"]
-   * StringUtils.split(" abc ")    = ["abc"]
-   * </pre>
-   *
-   * @param str  the String to parse, may be null
-   * @return an array of parsed Strings, <code>null</code> if null String input
-   */
-  public static String[] split(String str) {
-    return split(str, null, -1);
-  }
-
-  /**
-   * <p>Splits the provided text into an array, separator specified.
-   * This is an alternative to using StringTokenizer.</p>
-   *
-   * <p>The separator is not included in the returned String array.
-   * Adjacent separators are treated as one separator.
-   * For more control over the split use the StrTokenizer class.</p>
-   *
-   * <p>A <code>null</code> input String returns <code>null</code>.</p>
-   *
-   * <pre>
-   * StringUtils.split(null, *)         = null
-   * StringUtils.split("", *)           = []
-   * StringUtils.split("a.b.c", '.')    = ["a", "b", "c"]
-   * StringUtils.split("a..b.c", '.')   = ["a", "b", "c"]
-   * StringUtils.split("a:b:c", '.')    = ["a:b:c"]
-   * StringUtils.split("a\tb\nc", null) = ["a", "b", "c"]
-   * StringUtils.split("a b c", ' ')    = ["a", "b", "c"]
-   * </pre>
-   *
-   * @param str  the String to parse, may be null
-   * @param separatorChar  the character used as the delimiter,
-   *  <code>null</code> splits on whitespace
-   * @return an array of parsed Strings, <code>null</code> if null String input
-   * @since 2.0
-   */
-  public static String[] split(String str, char separatorChar) {
-    return splitWorker(str, separatorChar, false);
-  }
-
-  /**
-   * <p>Splits the provided text into an array, separators specified.
-   * This is an alternative to using StringTokenizer.</p>
-   *
-   * <p>The separator is not included in the returned String array.
-   * Adjacent separators are treated as one separator.
-   * For more control over the split use the StrTokenizer class.</p>
-   *
-   * <p>A <code>null</code> input String returns <code>null</code>.
-   * A <code>null</code> separatorChars splits on whitespace.</p>
-   *
-   * <pre>
-   * StringUtils.split(null, *)         = null
-   * StringUtils.split("", *)           = []
-   * StringUtils.split("abc def", null) = ["abc", "def"]
-   * StringUtils.split("abc def", " ")  = ["abc", "def"]
-   * StringUtils.split("abc  def", " ") = ["abc", "def"]
-   * StringUtils.split("ab:cd:ef", ":") = ["ab", "cd", "ef"]
-   * </pre>
-   *
-   * @param str  the String to parse, may be null
-   * @param separatorChars  the characters used as the delimiters,
-   *  <code>null</code> splits on whitespace
-   * @return an array of parsed Strings, <code>null</code> if null String input
-   */
-  public static String[] split(String str, String separatorChars) {
-    return splitWorker(str, separatorChars, -1, false);
-  }
-
-  /**
-   * <p>Splits the provided text into an array with a maximum length,
-   * separators specified.</p>
-   *
-   * <p>The separator is not included in the returned String array.
-   * Adjacent separators are treated as one separator.</p>
-   *
-   * <p>A <code>null</code> input String returns <code>null</code>.
-   * A <code>null</code> separatorChars splits on whitespace.</p>
-   *
-   * <p>If more than <code>max</code> delimited substrings are found, the last
-   * returned string includes all characters after the first <code>max - 1</code>
-   * returned strings (including separator characters).</p>
-   *
-   * <pre>
-   * StringUtils.split(null, *, *)            = null
-   * StringUtils.split("", *, *)              = []
-   * StringUtils.split("ab de fg", null, 0)   = ["ab", "cd", "ef"]
-   * StringUtils.split("ab   de fg", null, 0) = ["ab", "cd", "ef"]
-   * StringUtils.split("ab:cd:ef", ":", 0)    = ["ab", "cd", "ef"]
-   * StringUtils.split("ab:cd:ef", ":", 2)    = ["ab", "cd:ef"]
-   * </pre>
-   *
-   * @param str  the String to parse, may be null
-   * @param separatorChars  the characters used as the delimiters,
-   *  <code>null</code> splits on whitespace
-   * @param max  the maximum number of elements to include in the
-   *  array. A zero or negative value implies no limit
-   * @return an array of parsed Strings, <code>null</code> if null String input
-   */
-  public static String[] split(String str, String separatorChars, int max) {
-    return splitWorker(str, separatorChars, max, false);
-  }
-
-  /**
-   * <p>Splits the provided text into an array, separator string specified.</p>
-   *
-   * <p>The separator(s) will not be included in the returned String array.
-   * Adjacent separators are treated as one separator.</p>
-   *
-   * <p>A <code>null</code> input String returns <code>null</code>.
-   * A <code>null</code> separator splits on whitespace.</p>
-   *
-   * <pre>
-   * StringUtils.split(null, *)            = null
-   * StringUtils.split("", *)              = []
-   * StringUtils.split("ab de fg", null)   = ["ab", "de", "fg"]
-   * StringUtils.split("ab   de fg", null) = ["ab", "de", "fg"]
-   * StringUtils.split("ab:cd:ef", ":")    = ["ab", "cd", "ef"]
-   * StringUtils.split("abstemiouslyaeiouyabstemiously", "aeiouy")  = ["bst", "m", "sl", "bst", "m", "sl"]
-   * StringUtils.split("abstemiouslyaeiouyabstemiously", "aeiouy")  = ["abstemiously", "abstemiously"]
-   * </pre>
-   *
-   * @param str  the String to parse, may be null
-   * @param separator  String containing the String to be used as a delimiter,
-   *  <code>null</code> splits on whitespace
-   * @return an array of parsed Strings, <code>null</code> if null String was input
-   */
-  public static String[] splitByWholeSeparator(String str, String separator) {
-    return splitByWholeSeparator(str, separator, -1);
-  }
-
-  /**
-   * <p>Splits the provided text into an array, separator string specified.
-   * Returns a maximum of <code>max</code> substrings.</p>
-   *
-   * <p>The separator(s) will not be included in the returned String array.
-   * Adjacent separators are treated as one separator.</p>
-   *
-   * <p>A <code>null</code> input String returns <code>null</code>.
-   * A <code>null</code> separator splits on whitespace.</p>
-   *
-   * <pre>
-   * StringUtils.splitByWholeSeparator(null, *, *)               = null
-   * StringUtils.splitByWholeSeparator("", *, *)                 = []
-   * StringUtils.splitByWholeSeparator("ab de fg", null, 0)      = ["ab", "de", "fg"]
-   * StringUtils.splitByWholeSeparator("ab   de fg", null, 0)    = ["ab", "de", "fg"]
-   * StringUtils.splitByWholeSeparator("ab:cd:ef", ":", 2)       = ["ab", "cd"]
-   * StringUtils.splitByWholeSeparator("abstemiouslyaeiouyabstemiously", "aeiouy", 2) = ["bst", "m"]
-   * StringUtils.splitByWholeSeparator("abstemiouslyaeiouyabstemiously", "aeiouy", 2)  = ["abstemiously", "abstemiously"]
-   * </pre>
-   *
-   * @param str  the String to parse, may be null
-   * @param separator  String containing the String to be used as a delimiter,
-   *  <code>null</code> splits on whitespace
-   * @param max  the maximum number of elements to include in the returned
-   *  array. A zero or negative value implies no limit.
-   * @return an array of parsed Strings, <code>null</code> if null String was input
-   */
-  @SuppressWarnings("unchecked")
-  public static String[] splitByWholeSeparator(String str, String separator, int max) {
-    if (str == null) {
-      return null;
-    }
-
-    int len = str.length();
-
-    if (len == 0) {
-      return EMPTY_STRING_ARRAY;
-    }
-
-    if ((separator == null) || ("".equals(separator))) {
-      // Split on whitespace.
-      return split(str, null, max);
-    }
-
-    int separatorLength = separator.length();
-
-    ArrayList substrings = new ArrayList();
-    int numberOfSubstrings = 0;
-    int beg = 0;
-    int end = 0;
-    while (end < len) {
-      end = str.indexOf(separator, beg);
-
-      if (end > -1) {
-        if (end > beg) {
-          numberOfSubstrings += 1;
-
-          if (numberOfSubstrings == max) {
-            end = len;
-            substrings.add(str.substring(beg));
-          } else {
-            // The following is OK, because String.substring( beg, end ) excludes
-            // the character at the position 'end'.
-            substrings.add(str.substring(beg, end));
-
-            // Set the starting point for the next search.
-            // The following is equivalent to beg = end + (separatorLength - 1) + 1,
-            // which is the right calculation:
-            beg = end + separatorLength;
-          }
-        } else {
-          // We found a consecutive occurrence of the separator, so skip it.
-          beg = end + separatorLength;
-        }
-      } else {
-        // String.substring( beg ) goes from 'beg' to the end of the String.
-        substrings.add(str.substring(beg));
-        end = len;
-      }
-    }
-
-    return (String[]) substrings.toArray(new String[substrings.size()]);
-  }
-
-  //-----------------------------------------------------------------------
-  /**
-   * <p>Splits the provided text into an array, using whitespace as the
-   * separator, preserving all tokens, including empty tokens created by 
-   * adjacent separators. This is an alternative to using StringTokenizer.
-   * Whitespace is defined by {@link Character#isWhitespace(char)}.</p>
-   *
-   * <p>The separator is not included in the returned String array.
-   * Adjacent separators are treated as separators for empty tokens.
-   * For more control over the split use the StrTokenizer class.</p>
-   *
-   * <p>A <code>null</code> input String returns <code>null</code>.</p>
-   *
-   * <pre>
-   * StringUtils.splitPreserveAllTokens(null)       = null
-   * StringUtils.splitPreserveAllTokens("")         = []
-   * StringUtils.splitPreserveAllTokens("abc def")  = ["abc", "def"]
-   * StringUtils.splitPreserveAllTokens("abc  def") = ["abc", "", "def"]
-   * StringUtils.splitPreserveAllTokens(" abc ")    = ["", "abc", ""]
-   * </pre>
-   *
-   * @param str  the String to parse, may be <code>null</code>
-   * @return an array of parsed Strings, <code>null</code> if null String input
-   * @since 2.1
-   */
-  public static String[] splitPreserveAllTokens(String str) {
-    return splitWorker(str, null, -1, true);
-  }
-
-  /**
-   * <p>Splits the provided text into an array, separator specified,
-   * preserving all tokens, including empty tokens created by adjacent
-   * separators. This is an alternative to using StringTokenizer.</p>
-   *
-   * <p>The separator is not included in the returned String array.
-   * Adjacent separators are treated as separators for empty tokens.
-   * For more control over the split use the StrTokenizer class.</p>
-   *
-   * <p>A <code>null</code> input String returns <code>null</code>.</p>
-   *
-   * <pre>
-   * StringUtils.splitPreserveAllTokens(null, *)         = null
-   * StringUtils.splitPreserveAllTokens("", *)           = []
-   * StringUtils.splitPreserveAllTokens("a.b.c", '.')    = ["a", "b", "c"]
-   * StringUtils.splitPreserveAllTokens("a..b.c", '.')   = ["a", "b", "c"]
-   * StringUtils.splitPreserveAllTokens("a:b:c", '.')    = ["a:b:c"]
-   * StringUtils.splitPreserveAllTokens("a\tb\nc", null) = ["a", "b", "c"]
-   * StringUtils.splitPreserveAllTokens("a b c", ' ')    = ["a", "b", "c"]
-   * StringUtils.splitPreserveAllTokens("a b c ", ' ')   = ["a", "b", "c", ""]
-   * StringUtils.splitPreserveAllTokens("a b c ", ' ')   = ["a", "b", "c", "", ""]
-   * StringUtils.splitPreserveAllTokens(" a b c", ' ')   = ["", a", "b", "c"]
-   * StringUtils.splitPreserveAllTokens("  a b c", ' ')  = ["", "", a", "b", "c"]
-   * StringUtils.splitPreserveAllTokens(" a b c ", ' ')  = ["", a", "b", "c", ""]
-   * </pre>
-   *
-   * @param str  the String to parse, may be <code>null</code>
-   * @param separatorChar  the character used as the delimiter,
-   *  <code>null</code> splits on whitespace
-   * @return an array of parsed Strings, <code>null</code> if null String input
-   * @since 2.1
-   */
-  public static String[] splitPreserveAllTokens(String str, char separatorChar) {
-    return splitWorker(str, separatorChar, true);
-  }
-
-  /**
-   * Performs the logic for the <code>split</code> and 
-   * <code>splitPreserveAllTokens</code> methods that do not return a
-   * maximum array length.
-   *
-   * @param str  the String to parse, may be <code>null</code>
-   * @param separatorChar the separate character
-   * @param preserveAllTokens if <code>true</code>, adjacent separators are
-   * treated as empty token separators; if <code>false</code>, adjacent
-   * separators are treated as one separator.
-   * @return an array of parsed Strings, <code>null</code> if null String input
-   */
-  @SuppressWarnings("unchecked")
-  private static String[] splitWorker(String str, char separatorChar,
-      boolean preserveAllTokens) {
-    // Performance tuned for 2.0 (JDK1.4)
-
-    if (str == null) {
-      return null;
-    }
-    int len = str.length();
-    if (len == 0) {
-      return EMPTY_STRING_ARRAY;
-    }
-    List list = new ArrayList();
-    int i = 0, start = 0;
-    boolean match = false;
-    boolean lastMatch = false;
-    while (i < len) {
-      if (str.charAt(i) == separatorChar) {
-        if (match || preserveAllTokens) {
-          list.add(str.substring(start, i));
-          match = false;
-          lastMatch = true;
-        }
-        start = ++i;
-        continue;
-      }
-      lastMatch = false;
-      match = true;
-      i++;
-    }
-    if (match || (preserveAllTokens && lastMatch)) {
-      list.add(str.substring(start, i));
-    }
-    return (String[]) list.toArray(new String[list.size()]);
-  }
-
-  /**
-   * <p>Splits the provided text into an array, separators specified, 
-   * preserving all tokens, including empty tokens created by adjacent
-   * separators. This is an alternative to using StringTokenizer.</p>
-   *
-   * <p>The separator is not included in the returned String array.
-   * Adjacent separators are treated as separators for empty tokens.
-   * For more control over the split use the StrTokenizer class.</p>
-   *
-   * <p>A <code>null</code> input String returns <code>null</code>.
-   * A <code>null</code> separatorChars splits on whitespace.</p>
-   *
-   * <pre>
-   * StringUtils.splitPreserveAllTokens(null, *)           = null
-   * StringUtils.splitPreserveAllTokens("", *)             = []
-   * StringUtils.splitPreserveAllTokens("abc def", null)   = ["abc", "def"]
-   * StringUtils.splitPreserveAllTokens("abc def", " ")    = ["abc", "def"]
-   * StringUtils.splitPreserveAllTokens("abc  def", " ")   = ["abc", "", def"]
-   * StringUtils.splitPreserveAllTokens("ab:cd:ef", ":")   = ["ab", "cd", "ef"]
-   * StringUtils.splitPreserveAllTokens("ab:cd:ef:", ":")  = ["ab", "cd", "ef", ""]
-   * StringUtils.splitPreserveAllTokens("ab:cd:ef::", ":") = ["ab", "cd", "ef", "", ""]
-   * StringUtils.splitPreserveAllTokens("ab::cd:ef", ":")  = ["ab", "", cd", "ef"]
-   * StringUtils.splitPreserveAllTokens(":cd:ef", ":")     = ["", cd", "ef"]
-   * StringUtils.splitPreserveAllTokens("::cd:ef", ":")    = ["", "", cd", "ef"]
-   * StringUtils.splitPreserveAllTokens(":cd:ef:", ":")    = ["", cd", "ef", ""]
-   * </pre>
-   *
-   * @param str  the String to parse, may be <code>null</code>
-   * @param separatorChars  the characters used as the delimiters,
-   *  <code>null</code> splits on whitespace
-   * @return an array of parsed Strings, <code>null</code> if null String input
-   * @since 2.1
-   */
-  public static String[] splitPreserveAllTokens(String str, String separatorChars) {
-    return splitWorker(str, separatorChars, -1, true);
-  }
-
-  /**
-   * <p>Splits the provided text into an array with a maximum length,
-   * separators specified, preserving all tokens, including empty tokens 
-   * created by adjacent separators.</p>
-   *
-   * <p>The separator is not included in the returned String array.
-   * Adjacent separators are treated as separators for empty tokens.
-   * Adjacent separators are treated as one separator.</p>
-   *
-   * <p>A <code>null</code> input String returns <code>null</code>.
-   * A <code>null</code> separatorChars splits on whitespace.</p>
-   *
-   * <p>If more than <code>max</code> delimited substrings are found, the last
-   * returned string includes all characters after the first <code>max - 1</code>
-   * returned strings (including separator characters).</p>
-   *
-   * <pre>
-   * StringUtils.splitPreserveAllTokens(null, *, *)            = null
-   * StringUtils.splitPreserveAllTokens("", *, *)              = []
-   * StringUtils.splitPreserveAllTokens("ab de fg", null, 0)   = ["ab", "cd", "ef"]
-   * StringUtils.splitPreserveAllTokens("ab   de fg", null, 0) = ["ab", "cd", "ef"]
-   * StringUtils.splitPreserveAllTokens("ab:cd:ef", ":", 0)    = ["ab", "cd", "ef"]
-   * StringUtils.splitPreserveAllTokens("ab:cd:ef", ":", 2)    = ["ab", "cd:ef"]
-   * StringUtils.splitPreserveAllTokens("ab   de fg", null, 2) = ["ab", "  de fg"]
-   * StringUtils.splitPreserveAllTokens("ab   de fg", null, 3) = ["ab", "", " de fg"]
-   * StringUtils.splitPreserveAllTokens("ab   de fg", null, 4) = ["ab", "", "", "de fg"]
-   * </pre>
-   *
-   * @param str  the String to parse, may be <code>null</code>
-   * @param separatorChars  the characters used as the delimiters,
-   *  <code>null</code> splits on whitespace
-   * @param max  the maximum number of elements to include in the
-   *  array. A zero or negative value implies no limit
-   * @return an array of parsed Strings, <code>null</code> if null String input
-   * @since 2.1
-   */
-  public static String[] splitPreserveAllTokens(String str, String separatorChars, int max) {
-    return splitWorker(str, separatorChars, max, true);
-  }
-
-  /**
-   * Performs the logic for the <code>split</code> and 
-   * <code>splitPreserveAllTokens</code> methods that return a maximum array 
-   * length.
-   *
-   * @param str  the String to parse, may be <code>null</code>
-   * @param separatorChars the separate character
-   * @param max  the maximum number of elements to include in the
-   *  array. A zero or negative value implies no limit.
-   * @param preserveAllTokens if <code>true</code>, adjacent separators are
-   * treated as empty token separators; if <code>false</code>, adjacent
-   * separators are treated as one separator.
-   * @return an array of parsed Strings, <code>null</code> if null String input
-   */
-  @SuppressWarnings("unchecked")
-  private static String[] splitWorker(String str, String separatorChars, int max,
-      boolean preserveAllTokens) {
-    // Performance tuned for 2.0 (JDK1.4)
-    // Direct code is quicker than StringTokenizer.
-    // Also, StringTokenizer uses isSpace() not isWhitespace()
-
-    if (str == null) {
-      return null;
-    }
-    int len = str.length();
-    if (len == 0) {
-      return EMPTY_STRING_ARRAY;
-    }
-    List list = new ArrayList();
-    int sizePlus1 = 1;
-    int i = 0, start = 0;
-    boolean match = false;
-    boolean lastMatch = false;
-    if (separatorChars == null) {
-      // Null separator means use whitespace
-      while (i < len) {
-        if (Character.isWhitespace(str.charAt(i))) {
-          if (match || preserveAllTokens) {
-            lastMatch = true;
-            if (sizePlus1++ == max) {
-              i = len;
-              lastMatch = false;
-            }
-            list.add(str.substring(start, i));
-            match = false;
-          }
-          start = ++i;
-          continue;
-        }
-        lastMatch = false;
-        match = true;
-        i++;
-      }
-    } else if (separatorChars.length() == 1) {
-      // Optimise 1 character case
-      char sep = separatorChars.charAt(0);
-      while (i < len) {
-        if (str.charAt(i) == sep) {
-          if (match || preserveAllTokens) {
-            lastMatch = true;
-            if (sizePlus1++ == max) {
-              i = len;
-              lastMatch = false;
-            }
-            list.add(str.substring(start, i));
-            match = false;
-          }
-          start = ++i;
-          continue;
-        }
-        lastMatch = false;
-        match = true;
-        i++;
-      }
-    } else {
-      // standard case
-      while (i < len) {
-        if (separatorChars.indexOf(str.charAt(i)) >= 0) {
-          if (match || preserveAllTokens) {
-            lastMatch = true;
-            if (sizePlus1++ == max) {
-              i = len;
-              lastMatch = false;
-            }
-            list.add(str.substring(start, i));
-            match = false;
-          }
-          start = ++i;
-          continue;
-        }
-        lastMatch = false;
-        match = true;
-        i++;
-      }
-    }
-    if (match || (preserveAllTokens && lastMatch)) {
-      list.add(str.substring(start, i));
-    }
-    return (String[]) list.toArray(new String[list.size()]);
-  }
-
-  // Joining
-  //-----------------------------------------------------------------------
-
-  /**
-   * <p>Joins the elements of the provided array into a single String
-   * containing the provided list of elements.</p>
-   *
-   * <p>No separator is added to the joined String.
-   * Null objects or empty strings within the array are represented by
-   * empty strings.</p>
-   *
-   * <pre>
-   * StringUtils.join(null)            = null
-   * StringUtils.join([])              = ""
-   * StringUtils.join([null])          = ""
-   * StringUtils.join(["a", "b", "c"]) = "abc"
-   * StringUtils.join([null, "", "a"]) = "a"
-   * </pre>
-   *
-   * @param array  the array of values to join together, may be null
-   * @return the joined String, <code>null</code> if null array input
-   * @since 2.0
-   */
-  public static String join(Object[] array) {
-    return join(array, null);
-  }
-
-  /**
-   * <p>Joins the elements of the provided array into a single String
-   * containing the provided list of elements.</p>
-   *
-   * <p>No delimiter is added before or after the list.
-   * Null objects or empty strings within the array are represented by
-   * empty strings.</p>
-   *
-   * <pre>
-   * StringUtils.join(null, *)               = null
-   * StringUtils.join([], *)                 = ""
-   * StringUtils.join([null], *)             = ""
-   * StringUtils.join(["a", "b", "c"], ';')  = "a;b;c"
-   * StringUtils.join(["a", "b", "c"], null) = "abc"
-   * StringUtils.join([null, "", "a"], ';')  = ";;a"
-   * </pre>
-   *
-   * @param array  the array of values to join together, may be null
-   * @param separator  the separator character to use
-   * @return the joined String, <code>null</code> if null array input
-   * @since 2.0
-   */
-  public static String join(Object[] array, char separator) {
-    if (array == null) {
-      return null;
-    }
-    int arraySize = array.length;
-    int bufSize = (arraySize == 0 ? 0 : ((array[0] == null ? 16 : array[0].toString()
-        .length()) + 1)
-        * arraySize);
-    StringBuffer buf = new StringBuffer(bufSize);
-
-    for (int i = 0; i < arraySize; i++) {
-      if (i > 0) {
-        buf.append(separator);
-      }
-      if (array[i] != null) {
-        buf.append(array[i]);
-      }
-    }
-    return buf.toString();
-  }
-
-  /**
-   * <p>Joins the elements of the provided array into a single String
-   * containing the provided list of elements.</p>
-   *
-   * <p>No delimiter is added before or after the list.
-   * A <code>null</code> separator is the same as an empty String ("").
-   * Null objects or empty strings within the array are represented by
-   * empty strings.</p>
-   *
-   * <pre>
-   * StringUtils.join(null, *)                = null
-   * StringUtils.join([], *)                  = ""
-   * StringUtils.join([null], *)              = ""
-   * StringUtils.join(["a", "b", "c"], "--")  = "a--b--c"
-   * StringUtils.join(["a", "b", "c"], null)  = "abc"
-   * StringUtils.join(["a", "b", "c"], "")    = "abc"
-   * StringUtils.join([null, "", "a"], ',')   = ",,a"
-   * </pre>
-   *
-   * @param array  the array of values to join together, may be null
-   * @param separator  the separator character to use, null treated as ""
-   * @return the joined String, <code>null</code> if null array input
-   */
-  public static String join(Object[] array, String separator) {
-    if (array == null) {
-      return null;
-    }
-    if (separator == null) {
-      separator = "";
-    }
-    int arraySize = array.length;
-
-    // ArraySize ==  0: Len = 0
-    // ArraySize > 0:   Len = NofStrings *(len(firstString) + len(separator))
-    //           (Assuming that all Strings are roughly equally long)
-    int bufSize = ((arraySize == 0) ? 0 : arraySize
-        * ((array[0] == null ? 16 : array[0].toString().length()) + separator.length()));
-
-    StringBuffer buf = new StringBuffer(bufSize);
-
-    for (int i = 0; i < arraySize; i++) {
-      if (i > 0) {
-        buf.append(separator);
-      }
-      if (array[i] != null) {
-        buf.append(array[i]);
-      }
-    }
-    return buf.toString();
-  }
-
-  /**
-   * <p>Joins the elements of the provided <code>Iterator</code> into
-   * a single String containing the provided elements.</p>
-   *
-   * <p>No delimiter is added before or after the list. Null objects or empty
-   * strings within the iteration are represented by empty strings.</p>
-   *
-   * <p>See the examples here: {@link #join(Object[],char)}. </p>
-   *
-   * @param iterator  the <code>Iterator</code> of values to join together, may be null
-   * @param separator  the separator character to use
-   * @return the joined String, <code>null</code> if null iterator input
-   * @since 2.0
-   */
-  public static String join(Iterator iterator, char separator) {
-    if (iterator == null) {
-      return null;
-    }
-    StringBuffer buf = new StringBuffer(256); // Java default is 16, probably too small
-    while (iterator.hasNext()) {
-      Object obj = iterator.next();
-      if (obj != null) {
-        buf.append(obj);
-      }
-      if (iterator.hasNext()) {
-        buf.append(separator);
-      }
-    }
-    return buf.toString();
-  }
-
-  /**
-   * <p>Joins the elements of the provided <code>Iterator</code> into
-   * a single String containing the provided elements.</p>
-   *
-   * <p>No delimiter is added before or after the list.
-   * A <code>null</code> separator is the same as an empty String ("").</p>
-   *
-   * <p>See the examples here: {@link #join(Object[],String)}. </p>
-   *
-   * @param iterator  the <code>Iterator</code> of values to join together, may be null
-   * @param separator  the separator character to use, null treated as ""
-   * @return the joined String, <code>null</code> if null iterator input
-   */
-  public static String join(Iterator iterator, String separator) {
-    if (iterator == null) {
-      return null;
-    }
-    StringBuffer buf = new StringBuffer(256); // Java default is 16, probably too small
-    while (iterator.hasNext()) {
-      Object obj = iterator.next();
-      if (obj != null) {
-        buf.append(obj);
-      }
-      if ((separator != null) && iterator.hasNext()) {
-        buf.append(separator);
-      }
-    }
-    return buf.toString();
-  }
-
-  /**
-   * <p>Returns either the passed in String,
-   * or if the String is <code>null</code>, an empty String ("").</p>
-   *
-   * <pre>
-   * StringUtils.defaultString(null)  = ""
-   * StringUtils.defaultString("")    = ""
-   * StringUtils.defaultString("bat") = "bat"
-   * </pre>
-   *
-   * @see String#valueOf(Object)
-   * @param str  the String to check, may be null
-   * @return the passed in String, or the empty String if it
-   *  was <code>null</code>
-   */
-  public static String defaultString(String str) {
-    return str == null ? "" : str;
-  }
-
-  /**
-   * <p>Returns either the passed in String, or if the String is
-   * <code>null</code>, the value of <code>defaultStr</code>.</p>
-   *
-   * <pre>
-   * StringUtils.defaultString(null, "NULL")  = "NULL"
-   * StringUtils.defaultString("", "NULL")    = ""
-   * StringUtils.defaultString("bat", "NULL") = "bat"
-   * </pre>
-   *
-   * @see String#valueOf(Object)
-   * @param str  the String to check, may be null
-   * @param defaultStr  the default String to return
-   *  if the input is <code>null</code>, may be null
-   * @return the passed in String, or the default if it was <code>null</code>
-   */
-  public static String defaultString(String str, String defaultStr) {
-    return str == null ? defaultStr : str;
-  }
-
-  /**
-   * <p>Returns either the passed in String, or if the String is
-   * empty or <code>null</code>, the value of <code>defaultStr</code>.</p>
-   *
-   * <pre>
-   * StringUtils.defaultIfEmpty(null, "NULL")  = "NULL"
-   * StringUtils.defaultIfEmpty("", "NULL")    = "NULL"
-   * StringUtils.defaultIfEmpty("bat", "NULL") = "bat"
-   * </pre>
-   *
-   * @param str  the String to check, may be null
-   * @param defaultStr  the default String to return
-   *  if the input is empty ("") or <code>null</code>, may be null
-   * @return the passed in String, or the default
-   */
-  public static String defaultIfEmpty(String str, String defaultStr) {
-    return isEmpty(str) ? defaultStr : str;
-  }
-
-  /**
-   * <p>Capitalizes a String changing the first letter to title case as
-   * per {@link Character#toTitleCase(char)}. No other letters are changed.</p>
-   *
-   * <p>A <code>null</code> input String returns <code>null</code>.</p>
-   *
-   * <pre>
-   * StringUtils.capitalize(null)  = null
-   * StringUtils.capitalize("")    = ""
-   * StringUtils.capitalize("cat") = "Cat"
-   * StringUtils.capitalize("cAt") = "CAt"
-   * </pre>
-   *
-   * @param str  the String to capitalize, may be null
-   * @return the capitalized String, <code>null</code> if null String input
-   * @since 2.0
-   */
-  public static String capitalize(String str) {
-    int strLen;
-    if (str == null || (strLen = str.length()) == 0) {
-      return str;
-    }
-    return new StringBuffer(strLen).append(Character.toTitleCase(str.charAt(0))).append(
-        str.substring(1)).toString();
-  }
-
-  /**
-   * <p>Checks if String contains a search character, handling <code>null</code>.
-   * This method uses {@link String#indexOf(int)}.</p>
-   *
-   * <p>A <code>null</code> or empty ("") String will return <code>false</code>.</p>
-   *
-   * <pre>
-   * StringUtils.contains(null, *)    = false
-   * StringUtils.contains("", *)      = false
-   * StringUtils.contains("abc", 'a') = true
-   * StringUtils.contains("abc", 'z') = false
-   * </pre>
-   *
-   * @param str  the String to check, may be null
-   * @param searchChar  the character to find
-   * @return true if the String contains the search character,
-   *  false if not or <code>null</code> string input
-   * @since 2.0
-   */
-  public static boolean contains(String str, char searchChar) {
-    if (isEmpty(str)) {
-      return false;
-    }
-    return str.indexOf(searchChar) >= 0;
-  }
-
-  /**
-   * <p>Checks if String contains a search String, handling <code>null</code>.
-   * This method uses {@link String#indexOf(int)}.</p>
-   *
-   * <p>A <code>null</code> String will return <code>false</code>.</p>
-   *
-   * <pre>
-   * StringUtils.contains(null, *)     = false
-   * StringUtils.contains(*, null)     = false
-   * StringUtils.contains("", "")      = true
-   * StringUtils.contains("abc", "")   = true
-   * StringUtils.contains("abc", "a")  = true
-   * StringUtils.contains("abc", "z")  = false
-   * </pre>
-   *
-   * @param str  the String to check, may be null
-   * @param searchStr  the String to find, may be null
-   * @return true if the String contains the search String,
-   *  false if not or <code>null</code> string input
-   * @since 2.0
-   */
-  public static boolean contains(String str, String searchStr) {
-    if (str == null || searchStr == null) {
-      return false;
-    }
-    return str.indexOf(searchStr) >= 0;
-  }
-  
-  /**
-   * An empty immutable <code>String</code> array.
-   */
-  public static final String[] EMPTY_STRING_ARRAY = new String[0];
-
-  /**
-   * <p>Compares two objects for equality, where either one or both
-   * objects may be <code>null</code>.</p>
-   *
-   * <pre>
-   * ObjectUtils.equals(null, null)                  = true
-   * ObjectUtils.equals(null, "")                    = false
-   * ObjectUtils.equals("", null)                    = false
-   * ObjectUtils.equals("", "")                      = true
-   * ObjectUtils.equals(Boolean.TRUE, null)          = false
-   * ObjectUtils.equals(Boolean.TRUE, "true")        = false
-   * ObjectUtils.equals(Boolean.TRUE, Boolean.TRUE)  = true
-   * ObjectUtils.equals(Boolean.TRUE, Boolean.FALSE) = false
-   * </pre>
-   *
-   * @param object1  the first object, may be <code>null</code>
-   * @param object2  the second object, may be <code>null</code>
-   * @return <code>true</code> if the values of both objects are the same
-   */
-  public static boolean equals(Object object1, Object object2) {
-      if (object1 == object2) {
-          return true;
-      }
-      if ((object1 == null) || (object2 == null)) {
-          return false;
-      }
-      return object1.equals(object2);
-  }
-
-  /**
-   * <p>A way to get the entire nested stack-trace of an throwable.</p>
-   *
-   * @param throwable  the <code>Throwable</code> to be examined
-   * @return the nested stack trace, with the root cause first
-   * @since 2.0
-   */
-  public static String getFullStackTrace(Throwable throwable) {
-      StringWriter sw = new StringWriter();
-      PrintWriter pw = new PrintWriter(sw, true);
-      Throwable[] ts = getThrowables(throwable);
-      for (int i = 0; i < ts.length; i++) {
-          ts[i].printStackTrace(pw);
-          if (isNestedThrowable(ts[i])) {
-              break;
-          }
-      }
-      return sw.getBuffer().toString();
-  }
-  /**
-   * <p>Returns the list of <code>Throwable</code> objects in the
-   * exception chain.</p>
-   * 
-   * <p>A throwable without cause will return an array containing
-   * one element - the input throwable.
-   * A throwable with one cause will return an array containing
-   * two elements. - the input throwable and the cause throwable.
-   * A <code>null</code> throwable will return an array size zero.</p>
-   *
-   * @param throwable  the throwable to inspect, may be null
-   * @return the array of throwables, never null
-   */
-  @SuppressWarnings("unchecked")
-  public static Throwable[] getThrowables(Throwable throwable) {
-      List list = new ArrayList();
-      while (throwable != null) {
-          list.add(throwable);
-          throwable = getCause(throwable);
-      }
-      return (Throwable[]) list.toArray(new Throwable[list.size()]);
-  }
-  
-  /**
-   * <p>The names of methods commonly used to access a wrapped exception.</p>
-   */
-  private static String[] CAUSE_METHOD_NAMES = {
-      "getCause",
-      "getNextException",
-      "getTargetException",
-      "getException",
-      "getSourceException",
-      "getRootCause",
-      "getCausedByException",
-      "getNested",
-      "getLinkedException",
-      "getNestedException",
-      "getLinkedCause",
-      "getThrowable",
-  };
-
-  /**
-   * <p>Checks whether this <code>Throwable</code> class can store a cause.</p>
-   * 
-   * <p>This method does <b>not</b> check whether it actually does store a cause.<p>
-   *
-   * @param throwable  the <code>Throwable</code> to examine, may be null
-   * @return boolean <code>true</code> if nested otherwise <code>false</code>
-   * @since 2.0
-   */
-  public static boolean isNestedThrowable(Throwable throwable) {
-      if (throwable == null) {
-          return false;
-      }
-
-      if (throwable instanceof SQLException) {
-          return true;
-      } else if (throwable instanceof InvocationTargetException) {
-          return true;
-      } else if (isThrowableNested()) {
-          return true;
-      }
-
-      Class cls = throwable.getClass();
-      for (int i = 0, isize = CAUSE_METHOD_NAMES.length; i < isize; i++) {
-          try {
-              Method method = cls.getMethod(CAUSE_METHOD_NAMES[i], (Class[])null);
-              if (method != null && Throwable.class.isAssignableFrom(method.getReturnType())) {
-                  return true;
-              }
-          } catch (NoSuchMethodException ignored) {
-          } catch (SecurityException ignored) {
-          }
-      }
-
-      try {
-          Field field = cls.getField("detail");
-          if (field != null) {
-              return true;
-          }
-      } catch (NoSuchFieldException ignored) {
-      } catch (SecurityException ignored) {
-      }
-
-      return false;
-  }
-
-  /**
-   * <p>The Method object for JDK1.4 getCause.</p>
-   */
-  private static final Method THROWABLE_CAUSE_METHOD;
-  static {
-      Method getCauseMethod;
-      try {
-          getCauseMethod = Throwable.class.getMethod("getCause", (Class[])null);
-      } catch (Exception e) {
-          getCauseMethod = null;
-      }
-      THROWABLE_CAUSE_METHOD = getCauseMethod;
-  }
-  
-  /**
-   * <p>Checks if the Throwable class has a <code>getCause</code> method.</p>
-   * 
-   * <p>This is true for JDK 1.4 and above.</p>
-   * 
-   * @return true if Throwable is nestable
-   * @since 2.0
-   */
-  public static boolean isThrowableNested() {
-      return THROWABLE_CAUSE_METHOD != null;
-  }
-
-  /**
-   * <p>Introspects the <code>Throwable</code> to obtain the cause.</p>
-   * 
-   * <p>The method searches for methods with specific names that return a 
-   * <code>Throwable</code> object. This will pick up most wrapping exceptions,
-   * including those from JDK 1.4, and</p>
-   *
-   * <p>The default list searched for are:</p>
-   * <ul>
-   *  <li><code>getCause()</code></li>
-   *  <li><code>getNextException()</code></li>
-   *  <li><code>getTargetException()</code></li>
-   *  <li><code>getException()</code></li>
-   *  <li><code>getSourceException()</code></li>
-   *  <li><code>getRootCause()</code></li>
-   *  <li><code>getCausedByException()</code></li>
-   *  <li><code>getNested()</code></li>
-   * </ul>
-   * 
-   * <p>In the absence of any such method, the object is inspected for a
-   * <code>detail</code> field assignable to a <code>Throwable</code>.</p>
-   * 
-   * <p>If none of the above is found, returns <code>null</code>.</p>
-   *
-   * @param throwable  the throwable to introspect for a cause, may be null
-   * @return the cause of the <code>Throwable</code>,
-   *  <code>null</code> if none found or null throwable input
-   * @since 1.0
-   */
-  public static Throwable getCause(Throwable throwable) {
-      return getCause(throwable, CAUSE_METHOD_NAMES);
-  }
-
-  /**
-   * <p>Introspects the <code>Throwable</code> to obtain the cause.</p>
-   * 
-   * <ol>
-   * <li>Try known exception types.</li>
-   * <li>Try the supplied array of method names.</li>
-   * <li>Try the field 'detail'.</li>
-   * </ol>
-   * 
-   * <p>A <code>null</code> set of method names means use the default set.
-   * A <code>null</code> in the set of method names will be ignored.</p>
-   *
-   * @param throwable  the throwable to introspect for a cause, may be null
-   * @param methodNames  the method names, null treated as default set
-   * @return the cause of the <code>Throwable</code>,
-   *  <code>null</code> if none found or null throwable input
-   * @since 1.0
-   */
-  public static Throwable getCause(Throwable throwable, String[] methodNames) {
-      if (throwable == null) {
-          return null;
-      }
-      Throwable cause = getCauseUsingWellKnownTypes(throwable);
-      if (cause == null) {
-          if (methodNames == null) {
-              methodNames = CAUSE_METHOD_NAMES;
-          }
-          for (int i = 0; i < methodNames.length; i++) {
-              String methodName = methodNames[i];
-              if (methodName != null) {
-                  cause = getCauseUsingMethodName(throwable, methodName);
-                  if (cause != null) {
-                      break;
-                  }
-              }
-          }
-
-          if (cause == null) {
-              cause = getCauseUsingFieldName(throwable, "detail");
-          }
-      }
-      return cause;
-  }
-
-  /**
-   * <p>Finds a <code>Throwable</code> by method name.</p>
-   * 
-   * @param throwable  the exception to examine
-   * @param methodName  the name of the method to find and invoke
-   * @return the wrapped exception, or <code>null</code> if not found
-   */
-  private static Throwable getCauseUsingMethodName(Throwable throwable, String methodName) {
-      Method method = null;
-      try {
-          method = throwable.getClass().getMethod(methodName, (Class[])null);
-      } catch (NoSuchMethodException ignored) {
-      } catch (SecurityException ignored) {
-      }
-
-      if (method != null && Throwable.class.isAssignableFrom(method.getReturnType())) {
-          try {
-              return (Throwable) method.invoke(throwable, EMPTY_OBJECT_ARRAY);
-          } catch (IllegalAccessException ignored) {
-          } catch (IllegalArgumentException ignored) {
-          } catch (InvocationTargetException ignored) {
-          }
-      }
-      return null;
-  }
-
-  /**
-   * <p>Finds a <code>Throwable</code> by field name.</p>
-   * 
-   * @param throwable  the exception to examine
-   * @param fieldName  the name of the attribute to examine
-   * @return the wrapped exception, or <code>null</code> if not found
-   */
-  private static Throwable getCauseUsingFieldName(Throwable throwable, String fieldName) {
-      Field field = null;
-      try {
-          field = throwable.getClass().getField(fieldName);
-      } catch (NoSuchFieldException ignored) {
-      } catch (SecurityException ignored) {
-      }
-
-      if (field != null && Throwable.class.isAssignableFrom(field.getType())) {
-          try {
-              return (Throwable) field.get(throwable);
-          } catch (IllegalAccessException ignored) {
-          } catch (IllegalArgumentException ignored) {
-          }
-      }
-      return null;
-  }
-
-  /**
-   * <p>Finds a <code>Throwable</code> for known types.</p>
-   * 
-   * <p>Uses <code>instanceof</code> checks to examine the exception,
-   * looking for well known types which could contain chained or
-   * wrapped exceptions.</p>
-   *
-   * @param throwable  the exception to examine
-   * @return the wrapped exception, or <code>null</code> if not found
-   */
-  private static Throwable getCauseUsingWellKnownTypes(Throwable throwable) {
-      if (throwable instanceof SQLException) {
-          return ((SQLException) throwable).getNextException();
-      } else if (throwable instanceof InvocationTargetException) {
-          return ((InvocationTargetException) throwable).getTargetException();
-      } else {
-          return null;
-      }
-  }
-
-  /**
-   * An empty immutable <code>Object</code> array.
-   */
-  public static final Object[] EMPTY_OBJECT_ARRAY = new Object[0];
-  
-  /** 
-   * from a command line arg, get the key.  e.g. if input is --whatever=something
-   * then key is whatever, value is something 
-   * @param option string such as "--key=value"
-   * @return the key portion of the argument
-   */
-  public static String argKey(String option) {
-    int equalsIndex = option.indexOf("=");
-    if (equalsIndex == -1) {
-      throw new RuntimeException("Invalid option: " + option + ", it should look like: --someOption=someValue");
-    }
-    String key = option.substring(0,equalsIndex);
-    if (!key.startsWith("--")) {
-      throw new RuntimeException("Invalid option: " + option + ", it should look like: --someOption=someValue");
-    }
-    key = key.substring(2);
-    return key;
-  }
-
-  /** 
-   * from a command line arg, get the key.  e.g. if input is --whatever=something
-   * then key is whatever, value is something 
-   * @param option The option string such as "--someOption=value"
-   * @return the value of the option
-   */
-  public static String argValue(String option) {
-    int equalsIndex = option.indexOf("=");
-    if (equalsIndex == -1) {
-      throw new RuntimeException("Invalid option: " + option + ", it should look like: --someOption=someValue");
-    }
-    String value = option.substring(equalsIndex+1, option.length());
-    return value;
-  }
-  
-  /** add an option: --whatever=val   to a map of options where --whatever is key, and val is value 
-   * @param args Arguments array
-   * @return the map
-   */
-  public static Map<String, String> argMap(String[] args) {
-    
-    Map<String, String> result = new LinkedHashMap<String, String>();
-
-    for (String arg : nonNull(args,String.class)) {
-      String key = argKey(arg);
-      String value = argValue(arg);
-      if (result.containsKey(key)) {
-        throw new RuntimeException("Passing key twice: " + key);
-      }
-      result.put(key, value);
-    }
-    
-    return result;
-  }
-  
-  /**
-   * get the value from the argMap, throw exception if not there and required
-   * @param argMap map of argument key/values
-   * @param argMapNotUsed keeps track of unused arguments
-   * @param key the key to lookup
-   * @param required whether or not the key is required to be present
-   * @return the value or null or exception
-   */
-  public static String argMapString(Map<String, String> argMap, Map<String, String> argMapNotUsed, 
-      String key, boolean required) {
-
-    if (argMap.containsKey(key)) {
-      
-      //keep track that this is gone
-      argMapNotUsed.remove(key);
-      
-      return argMap.get(key);
-    }
-    if (required) {
-      throw new RuntimeException("Argument '--" + key + "' is required, but not specified.  e.g. --" + key + "=value");
-    }
-    return null;
-
-  }
-  
-  /**
-   * get the value from the argMap, throw exception if not there and required
-   * @param argMap map of argument key/values
-   * @param argMapNotUsed keeps track of unused arguments
-   * @param key the key to lookup
-   * @param required whether or not the key is required to be present
-   * @param defaultValue the value to use when the key lookup results in blank / null
-   * @return the value or null or exception
-   */
-  public static boolean argMapBoolean(Map<String, String> argMap, Map<String, String> argMapNotUsed, 
-      String key, boolean required, boolean defaultValue) {
-    String argString = argMapString(argMap, argMapNotUsed, key, required);
-
-    if (isBlank(argString) && required) {
-      throw new RuntimeException("Argument '--" + key + "' is required, but not specified.  e.g. --" + key + "=true");
-    }
-    return booleanValue(argString, defaultValue);
-  }
-  
-  /**
-   * get the value from the argMap, throw exception if not there and required
-   * @param argMap map of argument key/values
-   * @param argMapNotUsed keeps track of unused arguments
-   * @param key the key to lookup
-   * @return the value or null or exception
-   */
-  public static Timestamp argMapTimestamp(Map<String, String> argMap, Map<String, String> argMapNotUsed, 
-      String key) {
-    String argString = argMapString(argMap, argMapNotUsed, key, false);
-    if (isBlank(argString)) {
-      return null;
-    }
-    Date date = stringToDate2(argString);
-    return new Timestamp(date.getTime());
-  }
-  
-  /**
-   * get the value from the argMap
-   * @param argMap map of argument key/values
-   * @param argMapNotUsed keeps track of unused arguments
-   * @param key the key to lookup
-   * @return the value or null or exception
-   */
-  public static Boolean argMapBoolean(Map<String, String> argMap, Map<String, String> argMapNotUsed, 
-      String key) {
-    String argString = argMapString(argMap, argMapNotUsed, key, false);
-
-    return booleanObjectValue(argString);
-  }
-  
-  /**
-   * get the set from comma separated from the argMap, throw exception if not there and required
-   * @param argMap map of argument key/values
-   * @param argMapNotUsed keeps track of unused arguments
-   * @param key the key to lookup
-   * @param required whether or not the key is required to be present
-   * @return the value or null or exception
-   */
-  public static Set<String> argMapSet(Map<String, String> argMap, Map<String, String> argMapNotUsed, 
-      String key, boolean required) {
-    List<String> list = argMapList(argMap, argMapNotUsed, key, required);
-    return list == null ? null : new LinkedHashSet(list);
-  }
-  
-  /**
-   * get the list from comma separated from the argMap, throw exception if not there and required
-   * @param argMap map of argument key/values
-   * @param argMapNotUsed keeps track of unused arguments
-   * @param key the key to lookup
-   * @param required whether or not the key is required to be present
-   * @return the value or null or exception
-   */
-  public static List<String> argMapList(Map<String, String> argMap, Map<String, String> argMapNotUsed, 
-      String key, boolean required) {
-    String argString = argMapString(argMap, argMapNotUsed, key, required);
-    if (isBlank(argString)) {
-      return null;
-    }
-    return splitTrimToList(argString, ",");
-  }
-  
-  /**
-   * get the list from comma separated from the argMap, throw exception if not there and required
-   * @param argMap map of argument key/values
-   * @param argMapNotUsed keeps track of unused arguments
-   * @param key the key to lookup
-   * @param required whether or not the key is required to be present
-   * @return the value or null or exception
-   */
-  public static List<String> argMapFileList(Map<String, String> argMap, Map<String, String> argMapNotUsed, 
-      String key, boolean required) {
-    String argString = argMapString(argMap, argMapNotUsed, key, required);
-    if (isBlank(argString)) {
-      return null;
-    }
-    //read from file
-    File file = new File(argString);
-    try {
-      //do this by regex, since we dont know what platform we are on
-      String listString = readFileIntoString(file);
-      String[] array = listString.split("\\s+");
-      List<String> list = new ArrayList<String>();
-      for (String string : array) {
-        //dont know if any here will be blank or whatnot
-        if (!isBlank(string)) {
-          //should already be trimmed, but just in case
-          list.add(trim(string));
-        }
-      }
-      return list;
-    } catch (Exception e) {
-      throw new RuntimeException("Error reading file: '" 
-          + fileCanonicalPath(file) + "' from command line arg: " + key, e );
-    }
-  }
-  
-  /**
-   * Copy bytes from an <code>InputStream</code> to chars on a
-   * <code>Writer</code> using the default character encoding of the platform.
-   * <p>
-   * This method buffers the input internally, so there is no need to use a
-   * <code>BufferedInputStream</code>.
-   * <p>
-   * This method uses {@link InputStreamReader}.
-   *
-   * @param input  the <code>InputStream</code> to read from
-   * @param output  the <code>Writer</code> to write to
-   * @throws NullPointerException if the input or output is null
-   * @throws IOException if an I/O error occurs
-   * @since Commons IO 1.1
-   */
-  public static void copy(InputStream input, Writer output)
-          throws IOException {
-      String charsetName = "UTF-8";
-      InputStreamReader in = new InputStreamReader(input, charsetName);
-      copy(in, output);
-  }
-  
-  /**
-   * Copy bytes from an <code>InputStream</code> to an
-   * <code>OutputStream</code>.
-   * <p>
-   * This method buffers the input internally, so there is no need to use a
-   * <code>BufferedInputStream</code>.
-   * <p>
-   * Large streams (over 2GB) will return a bytes copied value of
-   * <code>-1</code> after the copy has completed since the correct
-   * number of bytes cannot be returned as an int. For large streams
-   * use the <code>copyLarge(InputStream, OutputStream)</code> method.
-   * 
-   * @param input  the <code>InputStream</code> to read from
-   * @param output  the <code>OutputStream</code> to write to
-   * @return the number of bytes copied
-   * @throws NullPointerException if the input or output is null
-   * @throws IOException if an I/O error occurs
-   * @throws ArithmeticException if the byte count is too large
-   * @since Commons IO 1.1
-   */
-  public static int copy(InputStream input, OutputStream output) throws IOException {
-      long count = copyLarge(input, output);
-      if (count > Integer.MAX_VALUE) {
-          return -1;
-      }
-      return (int) count;
-  }
-
-  /**
-   * Copy bytes from a large (over 2GB) <code>InputStream</code> to an
-   * <code>OutputStream</code>.
-   * <p>
-   * This method buffers the input internally, so there is no need to use a
-   * <code>BufferedInputStream</code>.
-   * 
-   * @param input  the <code>InputStream</code> to read from
-   * @param output  the <code>OutputStream</code> to write to
-   * @return the number of bytes copied
-   * @throws NullPointerException if the input or output is null
-   * @throws IOException if an I/O error occurs
-   * @since Commons IO 1.3
-   */
-  public static long copyLarge(InputStream input, OutputStream output)
-          throws IOException {
-      byte[] buffer = new byte[DEFAULT_BUFFER_SIZE];
-      long count = 0;
-      int n = 0;
-      while (-1 != (n = input.read(buffer))) {
-          output.write(buffer, 0, n);
-          count += n;
-      }
-      return count;
-  }
-
-  /**
-   * get a jar file from a sample class
-   * @param sampleClass the class for which the jar is looked up
-   * @return the jar file
-   */
-  public static File jarFile(Class sampleClass) {
-    try {
-      CodeSource codeSource = sampleClass.getProtectionDomain().getCodeSource();
-      if (codeSource != null && codeSource.getLocation() != null) {
-        String fileName = URLDecoder.decode(codeSource.getLocation().getFile(), "UTF-8");
-        return new File(fileName);
-      }
-      String resourcePath = sampleClass.getName();
-      resourcePath = resourcePath.replace('.', '/') + ".class";
-      URL url = computeUrl(resourcePath, true);
-      String urlPath = url.toString();
-      
-      if (urlPath.startsWith("jar:")) {
-        urlPath = urlPath.substring(4);
-      }
-      if (urlPath.startsWith("file:")) {
-        urlPath = urlPath.substring(5);
-      }
-      urlPath = prefixOrSuffix(urlPath, "!", true); 
-  
-      urlPath = URLDecoder.decode(urlPath, "UTF-8");
-  
-      File file = new File(urlPath);
-      if (urlPath.endsWith(".jar") && file.exists() && file.isFile()) {
-        return file;
-      }
-    } catch (Exception e) {
-    }
-    return null;
-  }
-
-  /**
-   * strip the last slash (/ or \) from a string if it exists
-   * 
-   * @param input A string potentially ending in '\' or '/'
-   * 
-   * @return input without the last / or \
-   */
-  public static String stripLastSlashIfExists(String input) {
-    if ((input == null) || (input.length() == 0)) {
-      return null;
-    }
-
-    char lastChar = input.charAt(input.length() - 1);
-
-    if ((lastChar == '\\') || (lastChar == '/')) {
-      return input.substring(0, input.length() - 1);
-    }
-
-    return input;
-  }
-
-  /**
-   * retrieve a password from stdin
-   * @param dontMask when true, the user's typing will appear on the screen
-   * @param prompt to print to user
-   * @return the password
-   */
-  public static String retrievePasswordFromStdin(boolean dontMask, String prompt) {
-    String passwordString = null;
-
-    if (dontMask) {
-
-      System.out.print(prompt);
-      //  open up standard input 
-      BufferedReader br = new BufferedReader(new InputStreamReader(System.in)); 
-
-      //  read the username from the command-line; need to use try/catch with the 
-      //  readLine() method 
-      try { 
-         passwordString = br.readLine(); 
-      } catch (IOException ioe) { 
-         System.out.println("IO error! " + getFullStackTrace(ioe));
-         System.exit(1); 
-      } 
-
-    } else {
-      char password[] = null;
-      try {
-        password = retrievePasswordFromStdin(System.in, prompt);
-      } catch (IOException ioe) {
-        ioe.printStackTrace();
-      }
-      passwordString = String.valueOf(password);
-    } 
-    return passwordString;
-    
-  }
-
-  /**
-   * @param in stream to be used (e.g. System.in)
-   * @param prompt The prompt to display to the user.
-   * @return The password as entered by the user.
-   * @throws IOException when there was a problem with the input stream
-   */
-  public static final char[] retrievePasswordFromStdin(InputStream in, String prompt) throws IOException {
-    MaskingThread maskingthread = new MaskingThread(prompt);
-
-    Thread thread = new Thread(maskingthread);
-    thread.start();
-
-    char[] lineBuffer;
-    char[] buf;
-
-    buf = lineBuffer = new char[128];
-
-    int room = buf.length;
-    int offset = 0;
-    int c;
-
-    loop: while (true) {
-      switch (c = in.read()) {
-        case -1:
-        case '\n':
-          break loop;
-
-        case '\r':
-          int c2 = in.read();
-          if ((c2 != '\n') && (c2 != -1)) {
-            if (!(in instanceof PushbackInputStream)) {
-              in = new PushbackInputStream(in);
-            }
-            ((PushbackInputStream) in).unread(c2);
-          } else {
-            break loop;
-          }
-
-        default:
-          if (--room < 0) {
-            buf = new char[offset + 128];
-            room = buf.length - offset - 1;
-            System.arraycopy(lineBuffer, 0, buf, 0, offset);
-            Arrays.fill(lineBuffer, ' ');
-            lineBuffer = buf;
-          }
-          buf[offset++] = (char) c;
-          break;
-      }
-    }
-    maskingthread.stopMasking();
-    if (offset == 0) {
-      return null;
-    }
-    char[] ret = new char[offset];
-    System.arraycopy(buf, 0, ret, 0, offset);
-    Arrays.fill(buf, ' ');
-    return ret;
-  }
-
-  /**
-   * thread to mask input
-   */
-  static class MaskingThread extends Thread {
-
-    /** stop */
-    private volatile boolean stop;
-
-    /** echo char, this doesnt work correctly, so make a space so people dont notice...  
-     * prints out too many */
-    private char echochar = ' ';
-
-    /**
-     *@param prompt The prompt displayed to the user
-     */
-    public MaskingThread(String prompt) {
-      System.out.print(prompt);
-    }
-
-    /**
-     * Begin masking until asked to stop.
-     */
-    @Override
-    public void run() {
-
-      int priority = Thread.currentThread().getPriority();
-      Thread.currentThread().setPriority(Thread.MAX_PRIORITY);
-
-      try {
-        this.stop = true;
-        while (this.stop) {
-          System.out.print("\010" + this.echochar);
-          try {
-            // attempt masking at this rate
-            Thread.sleep(1);
-          } catch (InterruptedException iex) {
-            Thread.currentThread().interrupt();
-            return;
-          }
-        }
-      } finally { // restore the original priority
-        Thread.currentThread().setPriority(priority);
-      }
-    }
-
-    /**
-     * Instruct the thread to stop masking.
-     */
-    public void stopMasking() {
-      this.stop = false;
-    }
-  }
-
-  /**
-   * make sure a value exists in properties
-   * @param resourceName the resource name
-   * @param properties the properties
-   * @param overrideMap a map overriding some properties, used in testing or debug
-   * @param key the property key
-   * @param exceptionOnError when true, throw an exception if property is not the proper value type 
-   * @return true if ok, false if not
-   */
-  public static boolean propertyValidateValueRequired(String resourceName, Properties properties, 
-      Map<String, String> overrideMap, String key, boolean exceptionOnError) {
-    
-    Map<String, String> threadLocalMap = propertiesThreadLocalOverrideMap(resourceName);
-
-    String value = propertiesValue(properties, threadLocalMap, overrideMap, key);
-
-    if (!isBlank(value)) {
-      return true;
-    }
-    String error = "Cant find property " + key + " in resource: " + resourceName + ", it is required";
-    
-    if (exceptionOnError) {
-      throw new RuntimeException(error);
-    }
-    
-    System.err.println("Grouper error: " + error);
-    return false;
-  }
-
-  /**
-   * make sure a value is boolean in properties
-   * @param resourceName the resource name
-   * @param properties the properties
-   * @param overrideMap a map overriding some properties, used in testing or debug
-   * @param key the property key
-   * @param required whether or not a value is required for the key
-   * @param exceptionOnError when true, throw an exception if property is not the proper value type 
-   * @return true if ok, false if not
-   */
-  public static boolean propertyValidateValueBoolean(String resourceName, Properties properties, 
-      Map<String, String> overrideMap, String key, 
-      boolean required, boolean exceptionOnError) {
-    
-    if (required && !propertyValidateValueRequired(resourceName, properties, 
-        overrideMap, key, exceptionOnError)) {
-      return false;
-    }
-  
-    Map<String, String> threadLocalMap = propertiesThreadLocalOverrideMap(resourceName);
-
-    String value = propertiesValue(properties, threadLocalMap, overrideMap, key);
-    //maybe ok not there
-    if (!required && isBlank(value)) {
-      return true;
-    }
-    try {
-      booleanValue(value);
-      return true;
-    } catch (Exception e) {
-      
-    }
-    String error = "Expecting true or false property " + key + " in resource: " + resourceName + ", but is '" + value + "'";
-    if (exceptionOnError) {
-      throw new RuntimeException(error);
-    }
-    System.err.println("Grouper error: " + error);
-    return false;
-  }
-
-  
-  /**
-   * make sure a value is int in properties
-   * @param resourceName the resource name
-   * @param properties the properties
-   * @param overrideMap a map overriding some properties, used in testing or debug
-   * @param key the property key
-   * @param required whether or not a value is required for the key
-   * @param exceptionOnError when true, throw an exception if property is not the proper value type 
-   * @return true if ok, false if not
-   */
-  public static boolean propertyValidateValueInt(String resourceName, Properties properties, 
-      Map<String, String> overrideMap, String key, 
-      boolean required, boolean exceptionOnError) {
-    
-    if (required && !propertyValidateValueRequired(resourceName, properties, 
-        overrideMap, key, exceptionOnError)) {
-      return false;
-    }
-  
-    Map<String, String> threadLocalMap = propertiesThreadLocalOverrideMap(resourceName);
-    
-    String value = propertiesValue(properties, threadLocalMap, overrideMap, key);
-    //maybe ok not there
-    if (!required && isBlank(value)) {
-      return true;
-    }
-    try {
-      intValue(value);
-      return true;
-    } catch (Exception e) {
-      
-    }
-    String error = "Expecting integer property " + key + " in resource: " + resourceName + ", but is '" + value + "'";
-    if (exceptionOnError) {
-      throw new RuntimeException(error);
-    }
-    System.err.println("Grouper error: " + error);
-    return false;
-  }
-
-  /**
-   * make sure a property is a class of a certain type
-   * @param resourceName the property resource name
-   * @param properties the set of properties 
-   * @param overrideMap for testing, to override some properties values
-   * @param key the lookup key
-   * @param classType the desired class type
-   * @param required whether or not a value is required
-   * @param exceptionOnError throw an exception when there is an error
-   * @return true if ok
-   */
-  public static boolean propertyValidateValueClass(String resourceName, Properties properties, 
-      Map<String, String> overrideMap, String key, Class<?> classType, boolean required, boolean exceptionOnError) {
-  
-    if (required && !propertyValidateValueRequired(resourceName, properties, 
-        overrideMap, key, exceptionOnError)) {
-      return false;
-    }
-    String value = propertiesValue(properties, overrideMap, key);
-  
-    //maybe ok not there
-    if (!required && isBlank(value)) {
-      return true;
-    }
-    
-    String extraError = "";
-    try {
-      
-      
-      Class<?> theClass = forName(value);
-      if (classType.isAssignableFrom(theClass)) {
-        return true;
-      }
-      extraError = " does not derive from class: " + classType.getSimpleName();
-      
-    } catch (Exception e) {
-      extraError = ", " + getFullStackTrace(e);
-    }
-    String error = "Cant process property " + key + " in resource: " + resourceName + ", the current" +
-        " value is '" + value + "', which should be of type: " 
-        + classType.getName() + extraError;
-    if (exceptionOnError) {
-      throw new RuntimeException(error);
-    }
-    System.err.println("Grouper error: " + error);
-    return false;
-
-  }
-
-  /**
-   * <p>Strips any of a set of characters from the start of a String.</p>
-   *
-   * <p>A <code>null</code> input String returns <code>null</code>.
-   * An empty string ("") input returns the empty string.</p>
-   *
-   * <p>If the stripChars String is <code>null</code>, whitespace is
-   * stripped as defined by {@link Character#isWhitespace(char)}.</p>
-   *
-   * <pre>
-   * StringUtils.stripStart(null, *)          = null
-   * StringUtils.stripStart("", *)            = ""
-   * StringUtils.stripStart("abc", "")        = "abc"
-   * StringUtils.stripStart("abc", null)      = "abc"
-   * StringUtils.stripStart("  abc", null)    = "abc"
-   * StringUtils.stripStart("abc  ", null)    = "abc  "
-   * StringUtils.stripStart(" abc ", null)    = "abc "
-   * StringUtils.stripStart("yxabc  ", "xyz") = "abc  "
-   * </pre>
-   *
-   * @param str  the String to remove characters from, may be null
-   * @param stripChars  the characters to remove, null treated as whitespace
-   * @return the stripped String, <code>null</code> if null String input
-   */
-  public static String stripStart(String str, String stripChars) {
-    int strLen;
-    if (str == null || (strLen = str.length()) == 0) {
-      return str;
-    }
-    int start = 0;
-    if (stripChars == null) {
-      while ((start != strLen) && Character.isWhitespace(str.charAt(start))) {
-        start++;
-      }
-    } else if (stripChars.length() == 0) {
-      return str;
-    } else {
-      while ((start != strLen) && (stripChars.indexOf(str.charAt(start)) != -1)) {
-        start++;
-      }
-    }
-    return str.substring(start);
-  }
-
-  /**
-   * <p>Strips any of a set of characters from the end of a String.</p>
-   *
-   * <p>A <code>null</code> input String returns <code>null</code>.
-   * An empty string ("") input returns the empty string.</p>
-   *
-   * <p>If the stripChars String is <code>null</code>, whitespace is
-   * stripped as defined by {@link Character#isWhitespace(char)}.</p>
-   *
-   * <pre>
-   * StringUtils.stripEnd(null, *)          = null
-   * StringUtils.stripEnd("", *)            = ""
-   * StringUtils.stripEnd("abc", "")        = "abc"
-   * StringUtils.stripEnd("abc", null)      = "abc"
-   * StringUtils.stripEnd("  abc", null)    = "  abc"
-   * StringUtils.stripEnd("abc  ", null)    = "abc"
-   * StringUtils.stripEnd(" abc ", null)    = " abc"
-   * StringUtils.stripEnd("  abcyx", "xyz") = "  abc"
-   * </pre>
-   *
-   * @param str  the String to remove characters from, may be null
-   * @param stripChars  the characters to remove, null treated as whitespace
-   * @return the stripped String, <code>null</code> if null String input
-   */
-  public static String stripEnd(String str, String stripChars) {
-    int end;
-    if (str == null || (end = str.length()) == 0) {
-      return str;
-    }
-
-    if (stripChars == null) {
-      while ((end != 0) && Character.isWhitespace(str.charAt(end - 1))) {
-        end--;
-      }
-    } else if (stripChars.length() == 0) {
-      return str;
-    } else {
-      while ((end != 0) && (stripChars.indexOf(str.charAt(end - 1)) != -1)) {
-        end--;
-      }
-    }
-    return str.substring(0, end);
-  }
-
-  /**
-   * The empty String <code>""</code>.
-   * @since 2.0
-   */
-  public static final String EMPTY = "";
-
-  /**
-   * Represents a failed index search.
-   * @since 2.1
-   */
-  public static final int INDEX_NOT_FOUND = -1;
-
-  /**
-   * <p>The maximum size to which the padding constant(s) can expand.</p>
-   */
-  private static final int PAD_LIMIT = 8192;
-
-  /**
-   * <p>An array of <code>String</code>s used for padding.</p>
-   *
-   * <p>Used for efficient space padding. The length of each String expands as needed.</p>
-   */
-  private static final String[] PADDING = new String[Character.MAX_VALUE];
-
-  static {
-    // space padding is most common, start with 64 chars
-    PADDING[32] = "                                                                ";
-  }
-
-  /**
-   * <p>Repeat a String <code>repeat</code> times to form a
-   * new String.</p>
-   *
-   * <pre>
-   * StringUtils.repeat(null, 2) = null
-   * StringUtils.repeat("", 0)   = ""
-   * StringUtils.repeat("", 2)   = ""
-   * StringUtils.repeat("a", 3)  = "aaa"
-   * StringUtils.repeat("ab", 2) = "abab"
-   * StringUtils.repeat("a", -2) = ""
-   * </pre>
-   *
-   * @param str  the String to repeat, may be null
-   * @param repeat  number of times to repeat str, negative treated as zero
-   * @return a new String consisting of the original String repeated,
-   *  <code>null</code> if null String input
-   */
-  public static String repeat(String str, int repeat) {
-    // Performance tuned for 2.0 (JDK1.4)
-
-    if (str == null) {
-      return null;
-    }
-    if (repeat <= 0) {
-      return EMPTY;
-    }
-    int inputLength = str.length();
-    if (repeat == 1 || inputLength == 0) {
-      return str;
-    }
-    if (inputLength == 1 && repeat <= PAD_LIMIT) {
-      return padding(repeat, str.charAt(0));
-    }
-
-    int outputLength = inputLength * repeat;
-    switch (inputLength) {
-      case 1:
-        char ch = str.charAt(0);
-        char[] output1 = new char[outputLength];
-        for (int i = repeat - 1; i >= 0; i--) {
-          output1[i] = ch;
-        }
-        return new String(output1);
-      case 2:
-        char ch0 = str.charAt(0);
-        char ch1 = str.charAt(1);
-        char[] output2 = new char[outputLength];
-        for (int i = repeat * 2 - 2; i >= 0; i--, i--) {
-          output2[i] = ch0;
-          output2[i + 1] = ch1;
-        }
-        return new String(output2);
-      default:
-        StringBuffer buf = new StringBuffer(outputLength);
-        for (int i = 0; i < repeat; i++) {
-          buf.append(str);
-        }
-        return buf.toString();
-    }
-  }
-
-  /**
-   * <p>Returns padding using the specified delimiter repeated
-   * to a given length.</p>
-   *
-   * <pre>
-   * StringUtils.padding(0, 'e')  = ""
-   * StringUtils.padding(3, 'e')  = "eee"
-   * StringUtils.padding(-2, 'e') = IndexOutOfBoundsException
-   * </pre>
-   *
-   * @param repeat  number of times to repeat delim
-   * @param padChar  character to repeat
-   * @return String with repeated character
-   * @throws IndexOutOfBoundsException if <code>repeat &lt; 0</code>
-   */
-  private static String padding(int repeat, char padChar) {
-    // be careful of synchronization in this method
-    // we are assuming that get and set from an array index is atomic
-    String pad = PADDING[padChar];
-    if (pad == null) {
-      pad = String.valueOf(padChar);
-    }
-    while (pad.length() < repeat) {
-      pad = pad.concat(pad);
-    }
-    PADDING[padChar] = pad;
-    return pad.substring(0, repeat);
-  }
-
-  /**
-   * <p>Right pad a String with spaces (' ').</p>
-   *
-   * <p>The String is padded to the size of <code>size</code>.</p>
-   *
-   * <pre>
-   * StringUtils.rightPad(null, *)   = null
-   * StringUtils.rightPad("", 3)     = "   "
-   * StringUtils.rightPad("bat", 3)  = "bat"
-   * StringUtils.rightPad("bat", 5)  = "bat  "
-   * StringUtils.rightPad("bat", 1)  = "bat"
-   * StringUtils.rightPad("bat", -1) = "bat"
-   * </pre>
-   *
-   * @param str  the String to pad out, may be null
-   * @param size  the size to pad to
-   * @return right padded String or original String if no padding is necessary,
-   *  <code>null</code> if null String input
-   */
-  public static String rightPad(String str, int size) {
-    return rightPad(str, size, ' ');
-  }
-
-  /**
-   * <p>Right pad a String with a specified character.</p>
-   *
-   * <p>The String is padded to the size of <code>size</code>.</p>
-   *
-   * <pre>
-   * StringUtils.rightPad(null, *, *)     = null
-   * StringUtils.rightPad("", 3, 'z')     = "zzz"
-   * StringUtils.rightPad("bat", 3, 'z')  = "bat"
-   * StringUtils.rightPad("bat", 5, 'z')  = "batzz"
-   * StringUtils.rightPad("bat", 1, 'z')  = "bat"
-   * StringUtils.rightPad("bat", -1, 'z') = "bat"
-   * </pre>
-   *
-   * @param str  the String to pad out, may be null
-   * @param size  the size to pad to
-   * @param padChar  the character to pad with
-   * @return right padded String or original String if no padding is necessary,
-   *  <code>null</code> if null String input
-   * @since 2.0
-   */
-  public static String rightPad(String str, int size, char padChar) {
-    if (str == null) {
-      return null;
-    }
-    int pads = size - str.length();
-    if (pads <= 0) {
-      return str; // returns original String when possible
-    }
-    if (pads > PAD_LIMIT) {
-      return rightPad(str, size, String.valueOf(padChar));
-    }
-    return str.concat(padding(pads, padChar));
-  }
-
-  /**
-   * <p>Right pad a String with a specified String.</p>
-   *
-   * <p>The String is padded to the size of <code>size</code>.</p>
-   *
-   * <pre>
-   * StringUtils.rightPad(null, *, *)      = null
-   * StringUtils.rightPad("", 3, "z")      = "zzz"
-   * StringUtils.rightPad("bat", 3, "yz")  = "bat"
-   * StringUtils.rightPad("bat", 5, "yz")  = "batyz"
-   * StringUtils.rightPad("bat", 8, "yz")  = "batyzyzy"
-   * StringUtils.rightPad("bat", 1, "yz")  = "bat"
-   * StringUtils.rightPad("bat", -1, "yz") = "bat"
-   * StringUtils.rightPad("bat", 5, null)  = "bat  "
-   * StringUtils.rightPad("bat", 5, "")    = "bat  "
-   * </pre>
-   *
-   * @param str  the String to pad out, may be null
-   * @param size  the size to pad to
-   * @param padStr  the String to pad with, null or empty treated as single space
-   * @return right padded String or original String if no padding is necessary,
-   *  <code>null</code> if null String input
-   */
-  public static String rightPad(String str, int size, String padStr) {
-    if (str == null) {
-      return null;
-    }
-    if (isEmpty(padStr)) {
-      padStr = " ";
-    }
-    int padLen = padStr.length();
-    int strLen = str.length();
-    int pads = size - strLen;
-    if (pads <= 0) {
-      return str; // returns original String when possible
-    }
-    if (padLen == 1 && pads <= PAD_LIMIT) {
-      return rightPad(str, size, padStr.charAt(0));
-    }
-
-    if (pads == padLen) {
-      return str.concat(padStr);
-    } else if (pads < padLen) {
-      return str.concat(padStr.substring(0, pads));
-    } else {
-      char[] padding = new char[pads];
-      char[] padChars = padStr.toCharArray();
-      for (int i = 0; i < pads; i++) {
-        padding[i] = padChars[i % padLen];
-      }
-      return str.concat(new String(padding));
-    }
-  }
-
-  /**
-   * <p>Left pad a String with spaces (' ').</p>
-   *
-   * <p>The String is padded to the size of <code>size</code>.</p>
-   *
-   * <pre>
-   * StringUtils.leftPad(null, *)   = null
-   * StringUtils.leftPad("", 3)     = "   "
-   * StringUtils.leftPad("bat", 3)  = "bat"
-   * StringUtils.leftPad("bat", 5)  = "  bat"
-   * StringUtils.leftPad("bat", 1)  = "bat"
-   * StringUtils.leftPad("bat", -1) = "bat"
-   * </pre>
-   *
-   * @param str  the String to pad out, may be null
-   * @param size  the size to pad to
-   * @return left padded String or original String if no padding is necessary,
-   *  <code>null</code> if null String input
-   */
-  public static String leftPad(String str, int size) {
-    return leftPad(str, size, ' ');
-  }
-
-  /**
-   * <p>Left pad a String with a specified character.</p>
-   *
-   * <p>Pad to a size of <code>size</code>.</p>
-   *
-   * <pre>
-   * StringUtils.leftPad(null, *, *)     = null
-   * StringUtils.leftPad("", 3, 'z')     = "zzz"
-   * StringUtils.leftPad("bat", 3, 'z')  = "bat"
-   * StringUtils.leftPad("bat", 5, 'z')  = "zzbat"
-   * StringUtils.leftPad("bat", 1, 'z')  = "bat"
-   * StringUtils.leftPad("bat", -1, 'z') = "bat"
-   * </pre>
-   *
-   * @param str  the String to pad out, may be null
-   * @param size  the size to pad to
-   * @param padChar  the character to pad with
-   * @return left padded String or original String if no padding is necessary,
-   *  <code>null</code> if null String input
-   * @since 2.0
-   */
-  public static String leftPad(String str, int size, char padChar) {
-    if (str == null) {
-      return null;
-    }
-    int pads = size - str.length();
-    if (pads <= 0) {
-      return str; // returns original String when possible
-    }
-    if (pads > PAD_LIMIT) {
-      return leftPad(str, size, String.valueOf(padChar));
-    }
-    return padding(pads, padChar).concat(str);
-  }
-
-  /**
-   * <p>Left pad a String with a specified String.</p>
-   *
-   * <p>Pad to a size of <code>size</code>.</p>
-   *
-   * <pre>
-   * StringUtils.leftPad(null, *, *)      = null
-   * StringUtils.leftPad("", 3, "z")      = "zzz"
-   * StringUtils.leftPad("bat", 3, "yz")  = "bat"
-   * StringUtils.leftPad("bat", 5, "yz")  = "yzbat"
-   * StringUtils.leftPad("bat", 8, "yz")  = "yzyzybat"
-   * StringUtils.leftPad("bat", 1, "yz")  = "bat"
-   * StringUtils.leftPad("bat", -1, "yz") = "bat"
-   * StringUtils.leftPad("bat", 5, null)  = "  bat"
-   * StringUtils.leftPad("bat", 5, "")    = "  bat"
-   * </pre>
-   *
-   * @param str  the String to pad out, may be null
-   * @param size  the size to pad to
-   * @param padStr  the String to pad with, null or empty treated as single space
-   * @return left padded String or original String if no padding is necessary,
-   *  <code>null</code> if null String input
-   */
-  public static String leftPad(String str, int size, String padStr) {
-    if (str == null) {
-      return null;
-    }
-    if (isEmpty(padStr)) {
-      padStr = " ";
-    }
-    int padLen = padStr.length();
-    int strLen = str.length();
-    int pads = size - strLen;
-    if (pads <= 0) {
-      return str; // returns original String when possible
-    }
-    if (padLen == 1 && pads <= PAD_LIMIT) {
-      return leftPad(str, size, padStr.charAt(0));
-    }
-
-    if (pads == padLen) {
-      return padStr.concat(str);
-    } else if (pads < padLen) {
-      return padStr.substring(0, pads).concat(str);
-    } else {
-      char[] padding = new char[pads];
-      char[] padChars = padStr.toCharArray();
-      for (int i = 0; i < pads; i++) {
-        padding[i] = padChars[i % padLen];
-      }
-      return new String(padding).concat(str);
-    }
-  }
-
-  /**
-   * convert an exception to a runtime exception
-   * @param e the exception to convert
-   */
-  public static void convertToRuntimeException(Exception e) {
-    if (e instanceof RuntimeException) {
-      throw (RuntimeException)e;
-    }
-    throw new RuntimeException(e.getMessage(), e);
-  }
-
-  /**
-   * <p>Gets the substring before the first occurrence of a separator.
-   * The separator is not returned.</p>
-   *
-   * <p>A <code>null</code> string input will return <code>null</code>.
-   * An empty ("") string input will return the empty string.
-   * A <code>null</code> separator will return the input string.</p>
-   *
-   * <pre>
-   * StringUtils.substringBefore(null, *)      = null
-   * StringUtils.substringBefore("", *)        = ""
-   * StringUtils.substringBefore("abc", "a")   = ""
-   * StringUtils.substringBefore("abcba", "b") = "a"
-   * StringUtils.substringBefore("abc", "c")   = "ab"
-   * StringUtils.substringBefore("abc", "d")   = "abc"
-   * StringUtils.substringBefore("abc", "")    = ""
-   * StringUtils.substringBefore("abc", null)  = "abc"
-   * </pre>
-   *
-   * @param str  the String to get a substring from, may be null
-   * @param separator  the String to search for, may be null
-   * @return the substring before the first occurrence of the separator,
-   *  <code>null</code> if null String input
-   * @since 2.0
-   */
-  public static String substringBefore(String str, String separator) {
-    if (isEmpty(str) || separator == null) {
-      return str;
-    }
-    if (separator.length() == 0) {
-      return EMPTY;
-    }
-    int pos = str.indexOf(separator);
-    if (pos == -1) {
-      return str;
-    }
-    return str.substring(0, pos);
-  }
-
-  /**
-   * <p>Gets the substring after the first occurrence of a separator.
-   * The separator is not returned.</p>
-   *
-   * <p>A <code>null</code> string input will return <code>null</code>.
-   * An empty ("") string input will return the empty string.
-   * A <code>null</code> separator will return the empty string if the
-   * input string is not <code>null</code>.</p>
-   *
-   * <pre>
-   * StringUtils.substringAfter(null, *)      = null
-   * StringUtils.substringAfter("", *)        = ""
-   * StringUtils.substringAfter(*, null)      = ""
-   * StringUtils.substringAfter("abc", "a")   = "bc"
-   * StringUtils.substringAfter("abcba", "b") = "cba"
-   * StringUtils.substringAfter("abc", "c")   = ""
-   * StringUtils.substringAfter("abc", "d")   = ""
-   * StringUtils.substringAfter("abc", "")    = "abc"
-   * </pre>
-   *
-   * @param str  the String to get a substring from, may be null
-   * @param separator  the String to search for, may be null
-   * @return the substring after the first occurrence of the separator,
-   *  <code>null</code> if null String input
-   * @since 2.0
-   */
-  public static String substringAfter(String str, String separator) {
-    if (isEmpty(str)) {
-      return str;
-    }
-    if (separator == null) {
-      return EMPTY;
-    }
-    int pos = str.indexOf(separator);
-    if (pos == -1) {
-      return EMPTY;
-    }
-    return str.substring(pos + separator.length());
-  }
-
-  /**
-   * <p>Gets the substring before the last occurrence of a separator.
-   * The separator is not returned.</p>
-   *
-   * <p>A <code>null</code> string input will return <code>null</code>.
-   * An empty ("") string input will return the empty string.
-   * An empty or <code>null</code> separator will return the input string.</p>
-   *
-   * <pre>
-   * StringUtils.substringBeforeLast(null, *)      = null
-   * StringUtils.substringBeforeLast("", *)        = ""
-   * StringUtils.substringBeforeLast("abcba", "b") = "abc"
-   * StringUtils.substringBeforeLast("abc", "c")   = "ab"
-   * StringUtils.substringBeforeLast("a", "a")     = ""
-   * StringUtils.substringBeforeLast("a", "z")     = "a"
-   * StringUtils.substringBeforeLast("a", null)    = "a"
-   * StringUtils.substringBeforeLast("a", "")      = "a"
-   * </pre>
-   *
-   * @param str  the String to get a substring from, may be null
-   * @param separator  the String to search for, may be null
-   * @return the substring before the last occurrence of the separator,
-   *  <code>null</code> if null String input
-   * @since 2.0
-   */
-  public static String substringBeforeLast(String str, String separator) {
-    if (isEmpty(str) || isEmpty(separator)) {
-      return str;
-    }
-    int pos = str.lastIndexOf(separator);
-    if (pos == -1) {
-      return str;
-    }
-    return str.substring(0, pos);
-  }
-
-  /**
-   * <p>Gets the substring after the last occurrence of a separator.
-   * The separator is not returned.</p>
-   *
-   * <p>A <code>null</code> string input will return <code>null</code>.
-   * An empty ("") string input will return the empty string.
-   * An empty or <code>null</code> separator will return the empty string if
-   * the input string is not <code>null</code>.</p>
-   *
-   * <pre>
-   * StringUtils.substringAfterLast(null, *)      = null
-   * StringUtils.substringAfterLast("", *)        = ""
-   * StringUtils.substringAfterLast(*, "")        = ""
-   * StringUtils.substringAfterLast(*, null)      = ""
-   * StringUtils.substringAfterLast("abc", "a")   = "bc"
-   * StringUtils.substringAfterLast("abcba", "b") = "a"
-   * StringUtils.substringAfterLast("abc", "c")   = ""
-   * StringUtils.substringAfterLast("a", "a")     = ""
-   * StringUtils.substringAfterLast("a", "z")     = ""
-   * </pre>
-   *
-   * @param str  the String to get a substring from, may be null
-   * @param separator  the String to search for, may be null
-   * @return the substring after the last occurrence of the separator,
-   *  <code>null</code> if null String input
-   * @since 2.0
-   */
-  public static String substringAfterLast(String str, String separator) {
-    if (isEmpty(str)) {
-      return str;
-    }
-    if (isEmpty(separator)) {
-      return EMPTY;
-    }
-    int pos = str.lastIndexOf(separator);
-    if (pos == -1 || pos == (str.length() - separator.length())) {
-      return EMPTY;
-    }
-    return str.substring(pos + separator.length());
-  }
-
-  /**
-   * get the value from the argMap, throw exception if not there and required
-   * @param argMap the map of arguments
-   * @param argMapNotUsed map that tracks unused arguments
-   * @param key argument key
-   * @param required wheter or not the key is required to be present
-   * @param defaultValue the value to use when the value looked up from key is blank
-   * @return the value or null or exception
-   */
-  public static Integer argMapInteger(Map<String, String> argMap, Map<String, String> argMapNotUsed, 
-      String key, boolean required, Integer defaultValue) {
-    String argString = argMapString(argMap, argMapNotUsed, key, required);
-
-    if (isBlank(argString) && required) {
-      throw new RuntimeException("Argument '--" + key + "' is required, but not specified.  e.g. --" + key + "=5");
-    }
-    if (isBlank(argString)) {
-      if (defaultValue != null) {
-        return defaultValue;
-      }
-      return null;
-    }
-    return intValue(argString);
-  }
-
-  /**
-   * null safe convert from java.util.Date to java.sql.Date
-   * @param date the java Date to be converted
-   * @return the sql date
-   */
-  public static java.sql.Date toSqlDate(Date date) {
-    if (date == null) {
-      return null;
-    }
-    return new java.sql.Date(date.getTime());
-  }
-
-  /**
-   * <p>Find the index of the given object in the array.</p>
-   *
-   * <p>This method returns <code>-1</code> if <code>null</code> array input.</p>
-   * 
-   * @param array  the array to search through for the object, may be <code>null</code>
-   * @param objectToFind  the object to find, may be <code>null</code>
-   * @return the index of the object within the array, 
-   *  <code>-1</code> if not found or <code>null</code> array input
-   */
-  public static int indexOf(Object[] array, Object objectToFind) {
-    return indexOf(array, objectToFind, 0);
-  }
-
-  /**
-   * <p>Checks if the object is in the given array.</p>
-   *
-   * <p>The method returns <code>false</code> if a <code>null</code> array is passed in.</p>
-   * 
-   * @param array  the array to search through
-   * @param objectToFind  the object to find
-   * @return <code>true</code> if the array contains the object
-   */
-  public static boolean contains(Object[] array, Object objectToFind) {
-    return indexOf(array, objectToFind) != -1;
-  }
-
-  /**
-   * <p>Find the index of the given object in the array starting at the given index.</p>
-   *
-   * <p>This method returns <code>-1</code> if <code>null</code> array input.</p>
-   *
-   * <p>A negative startIndex is treated as zero. A startIndex larger than the array
-   * length will return <code>-1</code>.</p>
-   * 
-   * @param array  the array to search through for the object, may be <code>null</code>
-   * @param objectToFind  the object to find, may be <code>null</code>
-   * @param startIndex  the index to start searching at
-   * @return the index of the object within the array starting at the index,
-   *  <code>-1</code> if not found or <code>null</code> array input
-   */
-  public static int indexOf(Object[] array, Object objectToFind, int startIndex) {
-    if (array == null) {
-      return -1;
-    }
-    if (startIndex < 0) {
-      startIndex = 0;
-    }
-    if (objectToFind == null) {
-      for (int i = startIndex; i < array.length; i++) {
-        if (array[i] == null) {
-          return i;
-        }
-      }
-    } else {
-      for (int i = startIndex; i < array.length; i++) {
-        if (objectToFind.equals(array[i])) {
-          return i;
-        }
-      }
-    }
-    return -1;
-  }
-
-  /**
-   * Note, this is web service format string
-   */
-  private static final String WS_DATE_FORMAT = "yyyy/MM/dd HH:mm:ss.SSS";
-
-  /**
-   * Note, this is web service format string
-   */
-  private static final String WS_DATE_FORMAT2 = "yyyy/MM/dd_HH:mm:ss.SSS";
-
-  /**
-   * convert a date to a string using the standard web service pattern
-   * yyyy/MM/dd HH:mm:ss.SSS Note that HH is 0-23
-   * 
-   * @param date the date to convert
-   * @return the string, or null if the date is null
-   */
-  public static String dateToString(Date date) {
-    if (date == null) {
-      return null;
-    }
-    SimpleDateFormat simpleDateFormat = new SimpleDateFormat(WS_DATE_FORMAT);
-    return simpleDateFormat.format(date);
-  }
-
-  /**
-   * convert a string to a date using the standard web service pattern Note
-   * that HH is 0-23
-   * 
-   * @param dateString the string to parse into a date
-   * @return the string, or null if the date was null
-   */
-  public static Date stringToDate(String dateString) {
-    if (isBlank(dateString)) {
-      return null;
-    }
-    SimpleDateFormat simpleDateFormat = new SimpleDateFormat(WS_DATE_FORMAT);
-    try {
-      return simpleDateFormat.parse(dateString);
-    } catch (ParseException e) {
-      SimpleDateFormat simpleDateFormat2 = new SimpleDateFormat(WS_DATE_FORMAT2);
-      try {
-        return simpleDateFormat2.parse(dateString);
-      } catch (ParseException e2) {
-        throw new RuntimeException("Cannot convert '" + dateString
-            + "' to a date based on format: " + WS_DATE_FORMAT, e);
-      }
-    }
-  }
-
-  /**
-   * match regex pattern yyyy-mm-dd or yyyy/mm/dd
-   */
-  private static Pattern datePattern_yyyy_mm_dd = Pattern.compile("^(\\d{4})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,2})$");
-  
-  /**
-   * match regex pattern dd-mon-yyyy or dd/mon/yyyy
-   */
-  private static Pattern datePattern_dd_mon_yyyy = Pattern.compile("^(\\d{1,2})[^\\d]+([a-zA-Z]{3,15})[^\\d]+(\\d{4})$");
-  
-  /**
-   * match regex pattern yyyy-mm-dd hh:mm:ss or yyyy/mm/dd hh:mm:ss
-   */
-  private static Pattern datePattern_yyyy_mm_dd_hhmmss = Pattern.compile("^(\\d{4})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,2})$");
-  
-  /**
-   * match regex pattern dd-mon-yyyy hh:mm:ss or dd/mon/yyyy hh:mm:ss
-   */
-  private static Pattern datePattern_dd_mon_yyyy_hhmmss = Pattern.compile("^(\\d{1,2})[^\\d]+([a-zA-Z]{3,15})[^\\d]+(\\d{4})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,2})$");
-  
-  /**
-   * match regex pattern yyyy-mm-dd hh:mm:ss.SSS or yyyy/mm/dd hh:mm:ss.SSS
-   */
-  private static Pattern datePattern_yyyy_mm_dd_hhmmss_SSS = Pattern.compile("^(\\d{4})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,3})$");
-  
-  /**
-   * match regex pattern dd-mon-yyyy hh:mm:ss.SSS or dd/mon/yyyy hh:mm:ss.SSS
-   */
-  private static Pattern datePattern_dd_mon_yyyy_hhmmss_SSS = Pattern.compile("^(\\d{1,2})[^\\d]+([a-zA-Z]{3,15})[^\\d]+(\\d{4})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,2})[^\\d]+(\\d{1,3})$");
-  
-  /**
-   * take as input:
-   * yyyy/mm/dd
-   * yyyy-mm-dd
-   * dd-mon-yyyy
-   * yyyy/mm/dd hh:mm:ss
-   * dd-mon-yyyy hh:mm:ss
-   * yyyy/mm/dd hh:mm:ss.SSS
-   * dd-mon-yyyy hh:mm:ss.SSS
-   * @param input the string to parse into a date
-   * @return the date
-   */
-  public static Date stringToDate2(String input) {
-    
-    if (isBlank(input)) {
-      return null;
-    }
-    input = input.trim();
-    Matcher matcher = null;
-    
-    int month = 0;
-    int day = 0;
-    int year = 0;
-    int hour = 0;
-    int minute = 0;
-    int second = 0;
-    int milli = 0;
-    
-    boolean foundMatch = false;
-
-    //yyyy/mm/dd
-    if (!foundMatch) {
-      matcher = datePattern_yyyy_mm_dd.matcher(input);
-      if (matcher.matches()) {
-        year = intValue(matcher.group(1));
-        month =  intValue(matcher.group(2));
-        day = intValue(matcher.group(3));
-        foundMatch = true;
-      }
-    }
-    
-    //dd-mon-yyyy
-    if (!foundMatch) {
-      matcher = datePattern_dd_mon_yyyy.matcher(input);
-      if (matcher.matches()) {
-        day = intValue(matcher.group(1));
-        month =  monthInt(matcher.group(2));
-        year = intValue(matcher.group(3));
-        foundMatch = true;
-      }
-    }
-    
-    //yyyy/mm/dd hh:mm:ss
-    if (!foundMatch) {
-      matcher = datePattern_yyyy_mm_dd_hhmmss.matcher(input);
-      if (matcher.matches()) {
-        year = intValue(matcher.group(1));
-        month =  intValue(matcher.group(2));
-        day = intValue(matcher.group(3));
-        hour = intValue(matcher.group(4));
-        minute = intValue(matcher.group(5));
-        second = intValue(matcher.group(6));
-        foundMatch = true;
-      }      
-    }
-    
-    //dd-mon-yyyy hh:mm:ss
-    if (!foundMatch) {
-      matcher = datePattern_dd_mon_yyyy_hhmmss.matcher(input);
-      if (matcher.matches()) {
-        day = intValue(matcher.group(1));
-        month =  monthInt(matcher.group(2));
-        year = intValue(matcher.group(3));
-        hour = intValue(matcher.group(4));
-        minute = intValue(matcher.group(5));
-        second = intValue(matcher.group(6));
-        foundMatch = true;
-      }
-    }
-    
-    //yyyy/mm/dd hh:mm:ss.SSS
-    if (!foundMatch) {
-      matcher = datePattern_yyyy_mm_dd_hhmmss_SSS.matcher(input);
-      if (matcher.matches()) {
-        year = intValue(matcher.group(1));
-        month =  intValue(matcher.group(2));
-        day = intValue(matcher.group(3));
-        hour = intValue(matcher.group(4));
-        minute = intValue(matcher.group(5));
-        second = intValue(matcher.group(6));
-        milli = intValue(matcher.group(7));
-        foundMatch = true;
-      }      
-    }
-    
-    //dd-mon-yyyy hh:mm:ss.SSS
-    if (!foundMatch) {
-      matcher = datePattern_dd_mon_yyyy_hhmmss_SSS.matcher(input);
-      if (matcher.matches()) {
-        day = intValue(matcher.group(1));
-        month =  monthInt(matcher.group(2));
-        year = intValue(matcher.group(3));
-        hour = intValue(matcher.group(4));
-        minute = intValue(matcher.group(5));
-        second = intValue(matcher.group(6));
-        milli = intValue(matcher.group(7));
-        foundMatch = true;
-      }
-    }
-    
-    Calendar calendar = Calendar.getInstance();
-    calendar.set(Calendar.YEAR, year);
-    calendar.set(Calendar.MONTH, month-1);
-    calendar.set(Calendar.DAY_OF_MONTH, day);
-    calendar.set(Calendar.HOUR_OF_DAY, hour);
-    calendar.set(Calendar.MINUTE, minute);
-    calendar.set(Calendar.SECOND, second);
-    calendar.set(Calendar.MILLISECOND, milli);
-    return calendar.getTime();
-  }
-
-  /**
-   * convert a month string to an int (1 indexed).
-   * e.g. if input is feb or Feb or february or February return 2
-   * @param mon English month string such as "jan, feb, march, april, may, jun, june, ..."
-   * @return the month number 1 - 12 for "january" - "december"
-   */
-  public static int monthInt(String mon) {
-    
-    if (!isBlank(mon)) {
-      mon = mon.toLowerCase();
-      
-      if (equals(mon, "jan") || equals(mon, "january")) {
-        return 1;
-      }
-      
-      if (equals(mon, "feb") || equals(mon, "february")) {
-        return 2;
-      }
-      
-      if (equals(mon, "mar") || equals(mon, "march")) {
-        return 3;
-      }
-      
-      if (equals(mon, "apr") || equals(mon, "april")) {
-        return 4;
-      }
-      
-      if (equals(mon, "may")) {
-        return 5;
-      }
-      
-      if (equals(mon, "jun") || equals(mon, "june")) {
-        return 6;
-      }
-      
-      if (equals(mon, "jul") || equals(mon, "july")) {
-        return 7;
-      }
-      
-      if (equals(mon, "aug") || equals(mon, "august")) {
-        return 8;
-      }
-      
-      if (equals(mon, "sep") || equals(mon, "september")) {
-        return 9;
-      }
-      
-      if (equals(mon, "oct") || equals(mon, "october")) {
-        return 10;
-      }
-      
-      if (equals(mon, "nov") || equals(mon, "november")) {
-        return 11;
-      }
-      
-      if (equals(mon, "dec") || equals(mon, "december")) {
-        return 12;
-      }
-      
-    }
-    
-    throw new RuntimeException("Invalid month: " + mon);
-  }
-
-  /**
-   * override map for properties in thread local to be used in a web server or the like, based on property file name
-   * @param propertiesFileName properties file name
-   * @return the override map
-   */
-  public static Map<String, String> propertiesThreadLocalOverrideMap(String propertiesFileName) {
-    Map<String, Map<String, String>> overrideMap = propertiesThreadLocalOverrideMap.get();
-    if (overrideMap == null) {
-      overrideMap = new HashMap<String, Map<String, String>>();
-      propertiesThreadLocalOverrideMap.set(overrideMap);
-    }
-    Map<String, String> propertiesOverrideMap = overrideMap.get(propertiesFileName);
-    if (propertiesOverrideMap == null) {
-      propertiesOverrideMap = new HashMap<String, String>();
-      overrideMap.put(propertiesFileName, propertiesOverrideMap);
-    }
-    return propertiesOverrideMap;
-  }
-
-  
-  /**
-   * This will execute a command, and split spaces for args (might not be what
-   * you want if you are using quotes)
-   * 
-   * @param command The command string to execute
-   */
-  public static void execCommand(String command) {
-    String[] args = splitTrim(command, " ");
-    execCommand(args);
-  }
-
-  /**
-   * Gobble up a stream from a runtime
-   * @author mchyzer
-   * @param <V> the gobbler type
-   */
-  private static class StreamGobbler<V> implements Callable<V> {
-    
-    /** stream to read */
-    InputStream inputStream;
-    
-    /** where to put the result */
-    String resultString;
-
-    /** type of the output for logging purposes */
-    String type;
-    
-    /** command to log */
-    String command;
-    /**
-     * construct
-     * @param is
-     * @param theType 
-     * @param theCommand
-     */
-    StreamGobbler(InputStream is, String theType, String theCommand) {
-      this.inputStream = is;
-      this.type = theType;
-      this.command = theCommand;
-    }
-
-    /**
-     * get the string result
-     * @return the result
-     */
-    public String getResultString() {
-      return this.resultString;
-    }
-
-    // @Override
-    public V call() throws Exception {
-      try {
-        
-        StringWriter stringWriter = new StringWriter();
-        copy(this.inputStream, stringWriter);
-        this.resultString = stringWriter.toString();
-
-      } catch (Exception e) {
-
-        throw new RuntimeException(e);
-
-      }
-      return null;
-    }
-  }
-  
-  /**
-   * <pre>This will execute a command (with args). In this method, 
-   * if the exit code of the command is not zero, an exception will be thrown.
-   * Example call: execCommand(new String[]{"/bin/bash", "-c", "cd /someFolder; runSomeScript.sh"}, true);
-   * </pre>
-   * @param arguments are the commands
-   * @return the output text of the command.
-   */
-  public static CommandResult execCommand(String[] arguments) {
-    return execCommand(arguments, true);
-  }
-  
-  /**
-   * threadpool
-   */
-  private static ExecutorService executorService = Executors.newCachedThreadPool(new DaemonThreadFactory());
-
-
-  /**
-   * 
-   * @return executor service
-   */
-  public static ExecutorService retrieveExecutorService() {
-    return executorService;
-  }
-  
-  /**
-   * <pre>This will execute a command (with args). Under normal operation, 
-   * if the exit code of the command is not zero, an exception will be thrown.
-   * If the parameter exceptionOnExitValueNeZero is set to true, the 
-   * results of the call will be returned regardless of the exit status.
-   * Example call: execCommand(new String[]{"/bin/bash", "-c", "cd /someFolder; runSomeScript.sh"}, true);
-   * </pre>
-   * @param arguments are the commands
-   * @param exceptionOnExitValueNeZero if this is set to false, the 
-   * results of the call will be returned regardless of the exit status
-   * @return the output text of the command, and the error and return code if exceptionOnExitValueNeZero is false.
-   */
-  public static CommandResult execCommand(String[] arguments, boolean exceptionOnExitValueNeZero) {
-    Process process = null;
-
-    StringBuilder commandBuilder = new StringBuilder();
-    for (int i = 0; i < arguments.length; i++) {
-      commandBuilder.append(arguments[i]).append(" ");
-    }
-    String command = commandBuilder.toString();
-    StreamGobbler<Object> outputGobbler = null;
-    StreamGobbler<Object> errorGobbler = null;
-    try {
-      process = Runtime.getRuntime().exec(arguments);
-
-      outputGobbler = new StreamGobbler<Object>(process.getInputStream(), ".out", command);
-      errorGobbler = new StreamGobbler<Object>(process.getErrorStream(), ".err", command);
-
-      Future<Object> futureOutput = retrieveExecutorService().submit(outputGobbler);
-      Future<Object> futureError = retrieveExecutorService().submit(errorGobbler);
-      
-      try {
-        process.waitFor();
-      } finally {
-        
-        //finish running these threads
-        try {
-          futureOutput.get();
-        } finally {
-          //ignore if cant get
-        }
-        try {
-          futureError.get();
-        } finally {
-          //ignore if cant get
-        }
-      }
-    } catch (Exception e) {
-      throw new RuntimeException("Error running command", e);
-    } finally {
-      try {
-        process.destroy();
-      } catch (Exception e) {
-      }
-    }
-    
-    //was not successful???
-    if (process.exitValue() != 0 && exceptionOnExitValueNeZero) {
-      String message = "Process exit status=" + process.exitValue() + ": out: " + 
-        (outputGobbler == null ? null : outputGobbler.getResultString())
-        + ", err: " + (errorGobbler == null ? null : errorGobbler.getResultString());
-      throw new RuntimeException(message);
-    }
-
-    int exitValue = process.exitValue();
-    return new CommandResult(outputGobbler.getResultString(), errorGobbler.getResultString(), exitValue);
-  }
-
-  
-  /**
-   * The results of executing a command.
-   */
-  public static class CommandResult{
-    /**
-     * If any error text was generated by the call, it will be set here.
-     */
-    private String errorText;
-    
-    /**
-     * If any output text was generated by the call, it will be set here.
-     */
-    private String outputText;
-    
-    /**
-     * If any exit code was generated by the call, it will be set here.
-     */
-    private int exitCode;
-    
-    
-    /**
-     * Create a container to hold the results of an execution.
-     * @param _errorText the error text
-     * @param _outputText the output text
-     * @param _exitCode the exit code
-     */
-    public CommandResult(String _errorText, String _outputText, int _exitCode){
-      this.errorText = _errorText;
-      this.outputText = _outputText;
-      this.exitCode = _exitCode;
-    }
-
-
-    
-    /**
-     * If any error text was generated by the call, it will be set here.
-     * @return the errorText
-     */
-    public String getErrorText() {
-      return this.errorText;
-    }
-
-
-    
-    /**
-     * If any output text was generated by the call, it will be set here.
-     * @return the outputText
-     */
-    public String getOutputText() {
-      return this.outputText;
-    }
-
-
-    
-    /**
-     * If any exit code was generated by the call, it will be set here.
-     * @return the exitCode
-     */
-    public int getExitCode() {
-      return this.exitCode;
-    }
-    
-    
-    
-  }
-
-  /**
-   * thread factory with daemon threads so the JVM exits
-   * @author mchyzer
-   *
-   */
-  private static class DaemonThreadFactory implements ThreadFactory {
-    private ThreadFactory threadFactory = Executors.defaultThreadFactory();
-  
-    @Override
-    public Thread newThread(Runnable r) {
-      Thread thread = threadFactory.newThread(r);
-      thread.setDaemon(true);
-      return thread;
-    }
-  
-  }
-
-  /**
-   * serialize an object to a file (create parent dir if necessary)
-   * @param object the serializable object
-   * @param file the destination file
-   */
-  public static void serializeObjectToFile(Serializable object, File file) {
-
-    //delete, make sure parents are there
-    deleteCreateFile(file);
-
-    FileOutputStream fos = null;
-    ObjectOutputStream out = null;
-    try {
-      fos = new FileOutputStream(file);
-      out = new ObjectOutputStream(fos);
-      out.writeObject(object);
-    } catch(IOException ex) {
-      //we had a problem, don't leave the file partway created...
-      closeQuietly(out);
-      out = null;
-      deleteFile(file);
-      throw new RuntimeException("Error writing file: " + absolutePath(file)
-          + ", " + className(object), ex);
-    } finally {
-      closeQuietly(out);
-    }
-    
-  }
-
-  /**
-   * unserialize an object from a file if it exists
-   * @param file the file containing the serialized object
-   * @param nullIfException true if null should be returned instead of exception
-   * @param deleteFileOnException true if file should be deleted on exception
-   * @return the object or null
-   */
-  public static Serializable unserializeObjectFromFile(File file, boolean nullIfException,
-      boolean deleteFileOnException) {
-    
-    if (!file.exists() || file.length() == 0) {
-      return null;
-    }
-    
-    FileInputStream fis = null;
-    ObjectInputStream ois = null;
-    try {
-      fis = new FileInputStream(file);
-      ois = new ObjectInputStream(fis);
-      return (Serializable)ois.readObject();
-    } catch(Exception ex) {
-      String error = "Error writing file: " + absolutePath(file);
-      if (!nullIfException) {
-        throw new RuntimeException(error, ex);
-      }
-      //maybe clear the file if problem
-      if (deleteFileOnException) {
-        //close before deleting
-        closeQuietly(ois);
-        ois = null;
-        deleteFile(file);
-      }
-      return null;
-    } finally {
-      closeQuietly(ois);
-    }
-    
-  }
-  
-  /**
-   * delete and create a new file.  If its a directory, delete, and create a new dir.
-   * 
-   * @param file
-   *          is the file to delete and create
-   */
-  public static void deleteCreateFile(File file) {
-
-    deleteFile(file);
-
-    createParentDirectories(file);
-
-    try {
-      if (!file.createNewFile()) {
-        throw new IOException("createNewFile returned false: ");
-      }
-    } catch (IOException ioe) {
-      throw new RuntimeException("Couldnt create new file: " + file.toString(), ioe);
-    }
-
-  }
-
-  /**
-   * Delete a file, throw exception if cannot
-   * @param file the file or directory to delete
-   */
-  public static void deleteFile(File file) {
-    //delete and create
-    if (file != null && file.exists()) {
-
-      if (file.isDirectory()) {
-        deleteRecursiveDirectory(file.getAbsolutePath());
-      } else if (!file.delete()) {
-        throw new RuntimeException("Couldnt delete file: " + file.toString());
-      }
-    }
-  }
-
-  /**
-   * copy a file to a new file
-   * @param fromFile source file
-   * @param toFile target file
-   */
-  public static void copy(File fromFile, File toFile) {
-    if (toFile.exists()) {
-      deleteFile(toFile);
-    }
-    FileInputStream fromFileStream = null;
-    FileOutputStream toFileStream = null;
-    try {
-      fromFileStream = new FileInputStream(fromFile);
-      toFileStream = new FileOutputStream(toFile);
-      copy(fromFileStream, toFileStream);
-    } catch (Exception e) {
-      throw new RuntimeException("Problem copying file: " + fromFile.getAbsolutePath() 
-          + " to file: " + toFile.getAbsolutePath());
-    }
-    // Adding finally block to ensure streams are closed
-    finally {
-      try{
-        fromFileStream.close();
-        toFileStream.close();
-      }
-      catch (IOException e) {
-        throw new RuntimeException("Problem closing FileStream while copying file: " + fromFile.getAbsolutePath()
-            + " to file: " + toFile.getAbsolutePath());
-      }
-    }
-  }
-
-  /**
-   * rename a file to another file and throw runtime exception if not ok
-   * @param fromFile source file
-   * @param toFile target file
-   */
-  public static void renameTo(File fromFile, File toFile) {
-
-    if (!fromFile.renameTo(toFile)) {
-      throw new RuntimeException("Cannot rename file: '" + fromFile.getAbsolutePath() 
-          + "', to file: '" + toFile.getAbsolutePath() + "'");
-    }
-
-  }
-
-  /**
-   * clear out all files recursively in a directory, including the directory
-   * itself
-   * @param dirName the directory name to delete
-   * 
-   * @throws RuntimeException
-   *           when something goes wrong
-   */
-  public static void deleteRecursiveDirectory(String dirName) {
-    //delete all files in the directory
-    File dir = new File(dirName);
-
-    //if it doesnt exist then we are done
-    if (!dir.exists()) {
-      return;
-    }
-
-    //see if its a directory
-    if (!dir.isDirectory()) {
-      throw new RuntimeException("The directory: " + dirName + " is not a directory");
-    }
-
-    //get the files into a vector
-    File[] allFiles = dir.listFiles();
-
-    //loop through the array
-    for (int i = 0; i < allFiles.length; i++) {
-      if (-1 < allFiles[i].getName().indexOf("..")) {
-        continue; //dont go to the parent directory
-      }
-
-      if (allFiles[i].isFile()) {
-        //delete the file
-        if (!allFiles[i].delete()) {
-          throw new RuntimeException("Could not delete file: " + allFiles[i].getPath());
-        }
-      } else {
-        //its a directory
-        deleteRecursiveDirectory(allFiles[i].getPath());
-      }
-    }
-
-    //delete the directory itself
-    if (!dir.delete()) {
-      throw new RuntimeException("Could not delete directory: " + dir.getPath());
-    }
-  }
-
-  /**
-   * absolute path null safe
-   * @param file the absolute path of the given file, or null
-   * @return absolute path null safe
-   */
-  public static String absolutePath(File file) {
-    return file == null ? null : file.getAbsolutePath();
-  }
-
-
-  /**
-   * pattern to get the file path or resource location for a file
-   */
-  private static Pattern fileLocationPattern = Pattern.compile("^(file|classpath)\\s*:(.*)$");
-  
-  /**
-   * file or classpath location
-   * @param typeAndLocation the string describing the resource. Begins with "file:" or "classpath:".
-   * @param logHint used as prefix for RuntimeException messages
-   * @return the inputstream
-   */
-  public static InputStream fileOrClasspathInputstream(String typeAndLocation, String logHint) {
-    Matcher matcher = fileLocationPattern.matcher(typeAndLocation);
-    if (!matcher.matches()) {
-      throw new RuntimeException(logHint + " must start with file: or classpath:");
-    }
-    String typeString = matcher.group(1);
-    String location = trim(matcher.group(2));
-    
-    if (equals(typeString, "file")) {
-      File file = new File(location);
-      if (!file.exists() || !file.isFile()) {
-        throw new RuntimeException(logHint + " File does not exist: " + file.getAbsolutePath());
-      }
-      try {
-        return new FileInputStream(file);
-      } catch (Exception e) {
-        throw new RuntimeException(logHint + " Problem with file: " + file.getAbsolutePath());
-      }
-    } else if (equals(typeString, "classpath")) {
-      if (!location.startsWith("/")) {
-        location = "/" + location;
-      }
-      try {
-        return ConfigPropertiesCascadeCommonUtils.class.getResourceAsStream(location);
-      } catch (Exception e) {
-        throw new RuntimeException(logHint + " Problem with classpath location: " + location);
-      }
-    } else {
-      throw new RuntimeException(logHint + " Not expecting type string: " + typeString);
-    }
-    
+    return input;
   }
-  
-
-
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeUtils.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeUtils.java
index 230790a..a4680ce 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeUtils.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeUtils.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,9 +26,8 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-package org.owasp.csrfguard.config.overlay;
-
 
+package org.owasp.csrfguard.config.overlay;
 
 import java.util.Map;
 
@@ -44,11 +43,8 @@ public class ConfigPropertiesCascadeUtils extends ConfigPropertiesCascadeCommonU
    * @return the string    The modified strings, with replacements
    */
   public static String substituteExpressionLanguage(String stringToParse, Map<String, Object> variableMap) {
-    
     return substituteExpressionLanguage(stringToParse, variableMap, true, true, true, false);
-    
   }
-  
 
   /**
    * substitute an EL for objects
@@ -67,6 +63,4 @@ public static String substituteExpressionLanguage(String stringToParse,
     //we don't have jexl so don't do this logic
     return stringToParse;
   }
-
-
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigurationAutodetectProviderFactory.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigurationAutodetectProviderFactory.java
index 3d4e22f..180f893 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigurationAutodetectProviderFactory.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigurationAutodetectProviderFactory.java
@@ -1,36 +1,62 @@
-/**
- * @author mchyzer
- * $Id$
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-package org.owasp.csrfguard.config.overlay;
 
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.Properties;
+package org.owasp.csrfguard.config.overlay;
 
+import org.owasp.csrfguard.config.properties.ConfigParameters;
 import org.owasp.csrfguard.config.ConfigurationProvider;
 import org.owasp.csrfguard.config.ConfigurationProviderFactory;
 import org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory;
 import org.owasp.csrfguard.util.CsrfGuardUtils;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Properties;
+
 /**
- * The default configuration provider is: org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
- * which will look for an overlay file, it is there, and the factory inside that file is set it will use it, otherwise will be PropertiesConfigurationProviderFactory
- * it needs to implement org.owasp.csrfguard.config.ConfigurationProviderFactory
+ * The default configuration provider is: {@link org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory}
+ * which will look for an overlay file, it is there, and the factory inside that file is set it will use it, otherwise will be {@link PropertiesConfigurationProviderFactory}
+ * it needs to implement {@link org.owasp.csrfguard.config.ConfigurationProviderFactory}
+ *
+ * @author mchyzer
  */
-public class ConfigurationAutodetectProviderFactory implements
-		ConfigurationProviderFactory {
+public class ConfigurationAutodetectProviderFactory implements ConfigurationProviderFactory {
 
 	/**
-	 * 
+	 * TODO document
 	 */
-	public ConfigurationAutodetectProviderFactory() {
-	}
+	public ConfigurationAutodetectProviderFactory() {}
 
 	/**
 	 * configuration provider cached
 	 */
-	private static ExpirableCache<Boolean, ConfigurationProvider> configurationProviderCache = new ExpirableCache<Boolean, ConfigurationProvider>(2);
+	private static ExpirableCache<Boolean, ConfigurationProvider> configurationProviderCache = new ExpirableCache<Boolean, ConfigurationProvider>(2); // TODO does this really reload the configurations in every 2 minutes?!
 	
 	/**
 	 * @see org.owasp.csrfguard.config.ConfigurationProviderFactory#retrieveConfiguration(java.util.Properties)
@@ -54,9 +80,9 @@ public ConfigurationProvider retrieveConfiguration(Properties defaultProperties)
 						} catch (IOException ioe) {
 							throw new RuntimeException("Error reading config file: " + ConfigurationOverlayProvider.OWASP_CSRF_GUARD_OVERLAY_PROPERTIES, ioe);
 						}
-						CsrfGuardUtils.closeQuietly(inputStream);
+						ConfigPropertiesCascadeCommonUtils.closeQuietly(inputStream);
 						
-						String factoryClassName = theProperties.getProperty("org.owasp.csrfguard.configuration.provider.factory");
+						String factoryClassName = theProperties.getProperty(ConfigParameters.CONFIG_PROVIDER_FACTORY_PROPERTY_NAME);
 						if (factoryClassName != null && !"".equals(factoryClassName)) {
 							if (ConfigurationAutodetectProviderFactory.class.getName().equals(factoryClassName)) {
 								throw new RuntimeException("Cannot specify auto detect factory in override file (recursion), pick the actual factory: " + factoryClassName);
@@ -79,5 +105,4 @@ public ConfigurationProvider retrieveConfiguration(Properties defaultProperties)
 		
 		return configurationProvider;
 	}
-
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigurationOverlayProvider.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigurationOverlayProvider.java
index e21d372..56a5a44 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigurationOverlayProvider.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigurationOverlayProvider.java
@@ -1,14 +1,43 @@
-/**
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
  * @author mchyzer
  * $Id$
  */
 package org.owasp.csrfguard.config.overlay;
 
-import java.io.InputStream;
-
+import org.apache.commons.lang3.StringUtils;
 import org.owasp.csrfguard.CsrfGuardServletContextListener;
-import org.owasp.csrfguard.util.CsrfGuardUtils;
+import org.owasp.csrfguard.config.properties.ConfigParameters;
 
+import java.io.InputStream;
 
 /**
  * Use configuration overlays that use the base properties as a default, and then decorate with an overlay file
@@ -44,35 +73,19 @@ public static ConfigurationOverlayProvider retrieveConfig() {
 	public ConfigurationOverlayProvider() {
 	}
 
-	/**
-	 * @see org.owasp.csrfguard.config.overlay.ConfigPropertiesCascadeBase#getSecondsToCheckConfigKey()
-	 */
 	@Override
 	protected String getSecondsToCheckConfigKey() {
-		return "org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks";
-	}
-
-	/**
-	 * @see org.owasp.csrfguard.config.overlay.ConfigPropertiesCascadeBase#clearCachedCalculatedValues()
-	 */
-	@Override
-	public void clearCachedCalculatedValues() {
+		return ConfigParameters.CONFIG_OVERLAY_UPDATE_CHECK_PROPERTY_NAME;
 	}
 
-	/**
-	 * @see org.owasp.csrfguard.config.overlay.ConfigPropertiesCascadeBase#getMainConfigClasspath()
-	 */
 	@Override
 	protected String getMainConfigClasspath() {
 		return OWASP_CSRF_GUARD_OVERLAY_PROPERTIES;
 	}
 
-	/**
-	 * @see org.owasp.csrfguard.config.overlay.ConfigPropertiesCascadeBase#getHierarchyConfigKey()
-	 */
 	@Override
 	protected String getHierarchyConfigKey() {
-		return "org.owasp.csrfguard.configOverlay.hierarchy";
+		return ConfigParameters.CONFIG_OVERLAY_HIERARCHY_PROPERTY_NAME;
 	}
 
 	/**
@@ -80,9 +93,6 @@ protected String getHierarchyConfigKey() {
 	 */
 	private static String mainExampleConfigClasspath = null;
 	
-	/**
-	 * @see org.owasp.csrfguard.config.overlay.ConfigPropertiesCascadeBase#getMainExampleConfigClasspath()
-	 */
 	@Override
 	protected String getMainExampleConfigClasspath() {
 
@@ -93,23 +103,20 @@ protected String getMainExampleConfigClasspath() {
 			InputStream inputStream = getClass().getClassLoader().getResourceAsStream(OWASP_CSRF_GUARD_PROPERTIES);
 			if (inputStream != null) {
 				mainExampleConfigClasspath = OWASP_CSRF_GUARD_PROPERTIES;
-				CsrfGuardUtils.closeQuietly(inputStream);
+				ConfigPropertiesCascadeCommonUtils.closeQuietly(inputStream);
 			} else {
 				inputStream = getClass().getClassLoader().getResourceAsStream(META_INF_CSRFGUARD_PROPERTIES);
 				if (inputStream != null) {
 					mainExampleConfigClasspath = META_INF_CSRFGUARD_PROPERTIES;
-					CsrfGuardUtils.closeQuietly(inputStream);
+					ConfigPropertiesCascadeCommonUtils.closeQuietly(inputStream);
 				} else {
 					//hmm, its not there, but use it anyways
 					mainExampleConfigClasspath = OWASP_CSRF_GUARD_PROPERTIES;
 				}
 			}
-			
 		}
 		
 		//generally this is Owasp.CsrfGuard.properties
-		return ConfigPropertiesCascadeUtils.defaultIfBlank(CsrfGuardServletContextListener.getConfigFileName(), 
-				mainExampleConfigClasspath);
+		return StringUtils.defaultIfBlank(CsrfGuardServletContextListener.getConfigFileName(), mainExampleConfigClasspath);
 	}
-
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigurationOverlayProviderFactory.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigurationOverlayProviderFactory.java
index be9fdd0..8566108 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigurationOverlayProviderFactory.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigurationOverlayProviderFactory.java
@@ -1,35 +1,61 @@
-/**
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
  * @author mchyzer
  * $Id$
  */
 package org.owasp.csrfguard.config.overlay;
 
-import java.util.Properties;
-
 import org.owasp.csrfguard.config.ConfigurationProvider;
 import org.owasp.csrfguard.config.ConfigurationProviderFactory;
 import org.owasp.csrfguard.config.PropertiesConfigurationProvider;
 
+import java.util.Properties;
+
 /**
- *
+ * TODO document
  */
-public class ConfigurationOverlayProviderFactory implements
-		ConfigurationProviderFactory {
+public class ConfigurationOverlayProviderFactory implements ConfigurationProviderFactory {
 
 	/**
-	 * 
+	 * TODO document
 	 */
-	public ConfigurationOverlayProviderFactory() {
-	}
+	public ConfigurationOverlayProviderFactory() {}
 
 	/**
 	 * @see org.owasp.csrfguard.config.ConfigurationProviderFactory#retrieveConfiguration(java.util.Properties)
 	 */
-	public ConfigurationProvider retrieveConfiguration(Properties originalProperties) {
-		ConfigurationOverlayProvider configurationOverlayProvider = ConfigurationOverlayProvider.retrieveConfig();
-		Properties properties = configurationOverlayProvider.properties();
+	public ConfigurationProvider retrieveConfiguration(final Properties originalProperties) {
+		final ConfigurationOverlayProvider configurationOverlayProvider = ConfigurationOverlayProvider.retrieveConfig();
+		final Properties properties = configurationOverlayProvider.properties();
 		
 		return new PropertiesConfigurationProvider(properties);
     }
-	
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ExpirableCache.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ExpirableCache.java
index 738d34b..2b5ea6f 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ExpirableCache.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ExpirableCache.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,6 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.config.overlay;
 
 import java.io.Serializable;
@@ -232,7 +233,7 @@ synchronized void putHelper(K key, V value, long proposedTimeToLiveInMillis) {
     
     this.checkForEvictions(true);
     long newTimeToLiveInMillis = this.defaultTimeToLiveInMillis;
-    //dont use what was inputted if it is out of range
+    // don't use what was inputted if it is out of range
     if (proposedTimeToLiveInMillis > 0 
         && proposedTimeToLiveInMillis <= ExpirableCache.MAX_TIME_TO_LIVE_MILLIS) {
       newTimeToLiveInMillis = proposedTimeToLiveInMillis;
@@ -308,7 +309,7 @@ private synchronized V getHelper(K key) {
 
     ExpirableValue<V> value = this.cache.get(key);
     if (value == null) {
-      //shouldnt have a key with no value, probably doesnt exist, but just in case
+      // shouldn't have a key with no value, probably doesn't exist, but just in case
       this.cache.remove(key);
       return null;
     }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ExpirableValue.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ExpirableValue.java
index 952a38f..1d29e6c 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ExpirableValue.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ExpirableValue.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,6 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.config.overlay;
 
 import java.io.Serializable;
@@ -57,7 +58,7 @@ public class ExpirableValue<T> implements Serializable {
    */
   ExpirableValue(T theContent, long theTimeToLiveInCacheMillis) {
     super();
-    //cant be longer then the max
+    // can't be longer then the max
     if (theTimeToLiveInCacheMillis > 0 && 
         theTimeToLiveInCacheMillis <= ExpirableCache.MAX_TIME_TO_LIVE_MILLIS) {
       this.timeToLiveInCacheMillis = theTimeToLiveInCacheMillis;
@@ -66,7 +67,7 @@ public class ExpirableValue<T> implements Serializable {
   }
 
   /**
-   * dont call this on expired content!  check first.  get the content
+   * don't call this on expired content!  check first.  get the content
    * @return Returns the content.
    */
   T getContent() {
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/ConfigParameters.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/ConfigParameters.java
new file mode 100644
index 0000000..156d95d
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/ConfigParameters.java
@@ -0,0 +1,82 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.config.properties;
+
+import org.apache.commons.lang3.tuple.Pair;
+
+import java.time.Duration;
+import java.time.temporal.ChronoUnit;
+
+public final class ConfigParameters {
+
+    public static final SimpleBooleanConfigParameter ROTATE = new SimpleBooleanConfigParameter("org.owasp.csrfguard.Rotate", false);
+    public static final SimpleBooleanConfigParameter TOKEN_PER_PAGE = new SimpleBooleanConfigParameter("org.owasp.csrfguard.TokenPerPage", false);
+    public static final SimpleBooleanConfigParameter VALIDATE_WHEN_NO_SESSION_EXISTS = new SimpleBooleanConfigParameter("org.owasp.csrfguard.ValidateWhenNoSessionExists", true);
+    public static final SimpleBooleanConfigParameter TOKEN_PER_PAGE_PRECREATE = new SimpleBooleanConfigParameter("org.owasp.csrfguard.TokenPerPagePrecreate", false);
+    public static final SimpleBooleanConfigParameter PRINT_ENABLED = new SimpleBooleanConfigParameter("org.owasp.csrfguard.Config.Print", false);
+    public static final SimpleBooleanConfigParameter CSRFGUARD_ENABLED = new SimpleBooleanConfigParameter("org.owasp.csrfguard.Enabled", true);
+    public static final SimpleBooleanConfigParameter AJAX_ENABLED = new SimpleBooleanConfigParameter("org.owasp.csrfguard.Ajax", false);
+    public static final SimpleBooleanConfigParameter CSRFGUARD_PROTECT = new SimpleBooleanConfigParameter("org.owasp.csrfguard.Protect", false);
+    public static final SimpleBooleanConfigParameter FORCE_SYNCHRONOUS_AJAX = new SimpleBooleanConfigParameter("org.owasp.csrfguard.forceSynchronousAjax", false);
+
+    public static final SimpleIntConfigParameter TOKEN_LENGTH = new SimpleIntConfigParameter("org.owasp.csrfguard.TokenLength", 32);
+    public static final SimpleDurationParameter PAGE_TOKEN_SYNCHRONIZATION_TOLERANCE = new SimpleDurationParameter("org.owasp.csrfguard.PageTokenSynchronizationTolerance", Duration.of(2, ChronoUnit.SECONDS));
+
+    public static final Pair<String, String> TOKEN_NAME = Pair.of("org.owasp.csrfguard.TokenName", "OWASP-CSRFGUARD");
+    public static final Pair<String, String> LOGGER = Pair.of("org.owasp.csrfguard.Logger", "org.owasp.csrfguard.log.ConsoleLogger");
+    public static final Pair<String, String> DOMAIN_ORIGIN = Pair.of("org.owasp.csrfguard.domainOrigin", null);
+    public static final Pair<String, String> DEFAULT_PRNG = Pair.of("SUN", "SHA1PRNG");
+    public static final Pair<String, String> PRNG = Pair.of("org.owasp.csrfguard.PRNG", DEFAULT_PRNG.getValue());
+    public static final Pair<String, String> PRNG_PROVIDER = Pair.of("org.owasp.csrfguard.PRNG.Provider", DEFAULT_PRNG.getKey());
+    public static final Pair<String, String> TOKEN_HOLDER = Pair.of("org.owasp.csrfguard.TokenHolder", "org.owasp.csrfguard.token.storage.impl.InMemoryTokenHolder");
+
+    public static final String LOGICAL_SESSION_EXTRACTOR_NAME = "org.owasp.csrfguard.LogicalSessionExtractor";
+
+    public static final String NEW_TOKEN_LANDING_PAGE = "org.owasp.csrfguard.NewTokenLandingPage";
+    public static final String UNPROTECTED_METHODS = "org.owasp.csrfguard.UnprotectedMethods";
+    public static final String PROTECTED_METHODS = "org.owasp.csrfguard.ProtectedMethods";
+
+    public static final String CONFIG_OVERLAY_HIERARCHY_PROPERTY_NAME = "org.owasp.csrfguard.configOverlay.hierarchy";
+    public static final String CONFIG_OVERLAY_UPDATE_CHECK_PROPERTY_NAME = "org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks";
+    public static final String CONFIG_PROVIDER_FACTORY_PROPERTY_NAME = "org.owasp.csrfguard.configuration.provider.factory";
+
+    public static final String ACTION_PREFIX = "org.owasp.csrfguard.action.";
+    public static final String ACTION_ATTRIBUTE_NAME = "AttributeName";
+
+    public static final String PROTECTED_PAGE_PREFIX = "org.owasp.csrfguard.protected.";
+    public static final String UNPROTECTED_PAGE_PREFIX = "org.owasp.csrfguard.unprotected.";
+
+    private ConfigParameters() {}
+
+    public static SimpleBooleanConfigParameter getUseNewTokenLandingPage(final String newTokenLandingPage) {
+        final String newTokenLandingPagePropertyName = "org.owasp.csrfguard.UseNewTokenLandingPage";
+        return new SimpleBooleanConfigParameter(newTokenLandingPagePropertyName, newTokenLandingPage != null);
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/HttpMethod.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/HttpMethod.java
new file mode 100644
index 0000000..2e7c329
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/HttpMethod.java
@@ -0,0 +1,48 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.config.properties;
+
+import java.util.Arrays;
+import java.util.Collection;
+
+public enum HttpMethod {
+
+    GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT, PATCH;
+
+    public static void validate(final Collection<String> httpMethods) {
+        httpMethods.forEach(HttpMethod::validate);
+    }
+
+    public static void validate(final String input) {
+        Arrays.stream(values())
+              .filter(value -> input.equalsIgnoreCase(value.toString()))
+              .findAny()
+              .orElseThrow(() -> new IllegalArgumentException(String.format("The provided input '%s' is not a valid HTTP method!", input)));
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/PropertyUtils.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/PropertyUtils.java
new file mode 100644
index 0000000..f3eaa07
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/PropertyUtils.java
@@ -0,0 +1,119 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.config.properties;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.tuple.Pair;
+import org.owasp.csrfguard.CsrfGuardServletContextListener;
+
+import java.time.Duration;
+import java.util.Objects;
+import java.util.Properties;
+import java.util.function.Function;
+
+public final class PropertyUtils {
+
+    private PropertyUtils() {}
+
+    /**
+     * property string and substitutions
+     *
+     * @param properties   The properties from which to fetch a value
+     * @param propertyName The name of the desired property
+     * @return the value, with common substitutions performed
+     * @see #commonSubstitutions(String)
+     */
+    public static String getProperty(final Properties properties, final String propertyName) {
+        return getProperty(properties, propertyName, null);
+    }
+
+    public static String getProperty(final Properties properties, final Pair<String, String> propertyWithDefaultValue) {
+        return getProperty(properties, propertyWithDefaultValue.getKey(), propertyWithDefaultValue.getValue());
+    }
+
+    public static int getProperty(final Properties properties, final SimpleIntConfigParameter configParameter) {
+        return getProperty(properties, configParameter, Integer::parseInt);
+    }
+
+    public static boolean getProperty(final Properties properties, final SimpleBooleanConfigParameter configParameter) {
+        return getProperty(properties, configParameter, Boolean::parseBoolean);
+    }
+
+    public static <T> T getProperty(final Properties properties, final SimpleConfigParameter<String, T> configParameter, final Function<String, T> function) {
+        return getProperty(properties, configParameter.getName(), configParameter.getDefaultValue(), function);
+    }
+
+    public static Duration getProperty(final Properties properties, final SimpleDurationParameter configParameter) {
+        return getProperty(properties, configParameter.getName(), configParameter.getDefaultValue(), millis -> Duration.ofMillis(Long.parseLong(millis)));
+    }
+
+    public static <T> T getProperty(final Properties properties, final String propertyName, final T defaultValue, final Function<String, T> function) {
+        final String property = getProperty(properties, propertyName);
+        return StringUtils.isBlank(property) ? defaultValue : function.apply(property);
+    }
+
+    /**
+     * property string and substitutions
+     *
+     * @param properties   The properties from which to fetch a value
+     * @param propertyName The name of the desired property
+     * @param defaultValue The value to use when the propertyName does not exist
+     * @return the value, with common substitutions performed
+     * @see #commonSubstitutions(String)
+     */
+    public static String getProperty(final Properties properties, final String propertyName, final String defaultValue) {
+        final String value;
+        if (Objects.isNull(defaultValue)) {
+            value = properties.getProperty(propertyName);
+        } else {
+            if (!properties.containsKey(propertyName)) {
+                // TODO use Logger instead when SLF4J is in place
+                System.out.printf("The '%s' property was not defined, using '%s' as default value. %n", propertyName, defaultValue);
+            }
+            value = properties.getProperty(propertyName, defaultValue);
+        }
+
+        return commonSubstitutions(value);
+    }
+
+    /**
+     * Replaces percent-bounded expressions such as "%servletContext%."
+     * common substitutions in config values
+     *
+     * @param input A string with expressions that should be replaced
+     * @return new string with "common" expressions replaced by configuration values
+     */
+    public static String commonSubstitutions(final String input) {
+        if (!StringUtils.contains(input, "%")) {
+            return input;
+        }
+        return input.replace("%servletContext%", StringUtils.defaultString(CsrfGuardServletContextListener.getServletContext()));
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleBooleanConfigParameter.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleBooleanConfigParameter.java
new file mode 100644
index 0000000..dac7de9
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleBooleanConfigParameter.java
@@ -0,0 +1,51 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.config.properties;
+
+public class SimpleBooleanConfigParameter implements SimpleConfigParameter<String, Boolean> {
+
+    private final String propertyName;
+    private final boolean propertyValue;
+
+    public SimpleBooleanConfigParameter(final String propertyName, final boolean propertyValue) {
+        this.propertyName = propertyName;
+        this.propertyValue = propertyValue;
+    }
+
+    @Override
+    public String getName() {
+        return this.propertyName;
+    }
+
+    @Override
+    public Boolean getDefaultValue() {
+        return this.propertyValue;
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/tag/AbstractTag.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleConfigParameter.java
similarity index 50%
rename from csrfguard/src/main/java/org/owasp/csrfguard/tag/AbstractTag.java
rename to csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleConfigParameter.java
index 59ecddc..e2db14a 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/tag/AbstractTag.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleConfigParameter.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,22 +26,24 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-package org.owasp.csrfguard.tag;
-
-import javax.servlet.jsp.tagext.*;
-
-public abstract class AbstractTag extends TagSupport {
+package org.owasp.csrfguard.config.properties;
 
-	private final static long serialVersionUID = 0xadede854;
-
-	public String buildUri(String page) {
-		String uri = page;
+/**
+ * TODO
+ * @param <K>
+ * @param <V>
+ */
+public interface SimpleConfigParameter<K, V> {
 
-		if (!page.startsWith("/")) {
-			uri = pageContext.getServletContext().getContextPath() + "/" + page;
-		}
+    /**
+     * TODO
+     * @return
+     */
+    K getName();
 
-		return uri;
-	}
-	
+    /**
+     * TODO
+     * @return
+     */
+    V getDefaultValue();
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleDurationParameter.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleDurationParameter.java
new file mode 100644
index 0000000..3e56c83
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleDurationParameter.java
@@ -0,0 +1,52 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.config.properties;
+
+import java.time.Duration;
+
+public class SimpleDurationParameter implements SimpleConfigParameter<String, Duration> {
+
+    private final String name;
+    private final Duration defaultDuration;
+
+    public SimpleDurationParameter(final String name, final Duration defaultDuration) {
+        this.name = name;
+        this.defaultDuration = defaultDuration;
+    }
+
+    @Override
+    public String getName() {
+        return this.name;
+    }
+
+    @Override
+    public Duration getDefaultValue() {
+        return this.defaultDuration;
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleIntConfigParameter.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleIntConfigParameter.java
new file mode 100644
index 0000000..d020360
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleIntConfigParameter.java
@@ -0,0 +1,51 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.config.properties;
+
+public class SimpleIntConfigParameter implements SimpleConfigParameter<String, Integer> {
+
+    private final String propertyName;
+    private final int propertyValue;
+
+    public SimpleIntConfigParameter(final String propertyName, final int propertyValue) {
+        this.propertyName = propertyName;
+        this.propertyValue = propertyValue;
+    }
+
+    @Override
+    public String getName() {
+        return this.propertyName;
+    }
+
+    @Override
+    public Integer getDefaultValue() {
+        return this.propertyValue;
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/BooleanJsConfigParameter.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/BooleanJsConfigParameter.java
new file mode 100644
index 0000000..5369942
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/BooleanJsConfigParameter.java
@@ -0,0 +1,54 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.config.properties.javascript;
+
+import org.owasp.csrfguard.config.properties.PropertyUtils;
+
+import javax.servlet.ServletConfig;
+import java.util.Properties;
+
+public class BooleanJsConfigParameter extends JsConfigParameter<Boolean> {
+
+    private final String propertyName;
+    private final String propertyKey;
+    private final boolean defaultValue;
+
+    public BooleanJsConfigParameter(final String propertyName, final String propertyKey, final boolean defaultValue) {
+        this.propertyName = propertyName;
+        this.propertyKey = propertyKey;
+        this.defaultValue = defaultValue;
+    }
+
+    @Override
+    public Boolean getProperty(final ServletConfig servletConfig, final Properties propertyCache) {
+        final String configParamValue = PropertyUtils.getProperty(propertyCache, this.propertyKey);
+        return getInitParameter(servletConfig, this.propertyName, configParamValue, this.defaultValue);
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/JavaScriptConfigParameters.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/JavaScriptConfigParameters.java
new file mode 100644
index 0000000..0516f7f
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/JavaScriptConfigParameters.java
@@ -0,0 +1,57 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.config.properties.javascript;
+
+import org.apache.commons.lang3.StringUtils;
+
+public final class JavaScriptConfigParameters {
+
+    private JavaScriptConfigParameters() {}
+
+    public static final String DEFAULT_REFERER_PATTERN = ".*";
+
+    // TODO document the names of the configurations that can be used for overriding the values from the web.xml in the properties file
+
+    public static final StringJsConfigParameter CACHE_CONTROL = new StringJsConfigParameter("cache-control", "org.owasp.csrfguard.JavascriptServlet.cacheControl", "private, max-age=28800");
+    public static final StringJsConfigParameter REFERER_PATTERN  = new StringJsConfigParameter("referer-pattern", "org.owasp.csrfguard.JavascriptServlet.refererPattern", DEFAULT_REFERER_PATTERN);
+    public static final StringJsConfigParameter UNPROTECTED_EXTENSIONS = new StringJsConfigParameter("unprotected-extensions", "org.owasp.csrfguard.JavascriptServlet.UnprotectedExtensions", StringUtils.EMPTY);
+    public static final StringJsConfigParameter SOURCE_FILE = new StringJsConfigParameter("source-file", "org.owasp.csrfguard.JavascriptServlet.sourceFile", null);
+    public static final StringJsConfigParameter X_REQUESTED_WITH = new StringJsConfigParameter("x-requested-with", "org.owasp.csrfguard.JavascriptServlet.xRequestedWith", "OWASP CSRFGuard Project");
+    public static final StringJsConfigParameter DYNAMIC_NODE_CREATION_EVENT_NAME = new StringJsConfigParameter("dynamic-node-creation-event", "org.owasp.csrfguard.JavascriptServlet.dynamicNodeCreationEventName", null);
+
+    public static final BooleanJsConfigParameter DOMAIN_STRICT = new BooleanJsConfigParameter("domain-strict", "org.owasp.csrfguard.JavascriptServlet.domainStrict", true);
+    public static final BooleanJsConfigParameter INJECT_INTO_ATTRIBUTES = new BooleanJsConfigParameter("inject-into-attributes", "org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes", true);
+    public static final BooleanJsConfigParameter INJECT_GET_FORMS = new BooleanJsConfigParameter("inject-get-forms", "org.owasp.csrfguard.JavascriptServlet.injectGetForms", true);
+    public static final BooleanJsConfigParameter INJECT_FORM_ATTRIBUTES = new BooleanJsConfigParameter("inject-form-attributes", "org.owasp.csrfguard.JavascriptServlet.injectFormAttributes", true);
+    public static final BooleanJsConfigParameter INJECT_INTO_FORMS = new BooleanJsConfigParameter("inject-into-forms", "org.owasp.csrfguard.JavascriptServlet.injectIntoForms", true);
+    public static final BooleanJsConfigParameter INJECT_INTO_DYNAMICALLY_CREATED_NODES = new BooleanJsConfigParameter("inject-into-dynamic", "org.owasp.csrfguard.JavascriptServlet.injectIntoDynamicNodes", false);
+    public static final BooleanJsConfigParameter REFERER_MATCH_PROTOCOL = new BooleanJsConfigParameter("referer-match-protocol", "org.owasp.csrfguard.JavascriptServlet.refererMatchProtocol", true);
+    public static final BooleanJsConfigParameter REFERER_MATCH_DOMAIN = new BooleanJsConfigParameter("referer-match-domain", "org.owasp.csrfguard.JavascriptServlet.refererMatchDomain", true);
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/JsConfigParameter.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/JsConfigParameter.java
new file mode 100644
index 0000000..bfb38ea
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/JsConfigParameter.java
@@ -0,0 +1,64 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.config.properties.javascript;
+
+import org.apache.commons.lang3.StringUtils;
+
+import javax.servlet.ServletConfig;
+import java.util.Properties;
+import java.util.function.Function;
+
+public abstract class JsConfigParameter<T> {
+
+    public abstract T getProperty(final ServletConfig servletConfig, final Properties propertyCache);
+
+    public static String getInitParameter(final ServletConfig servletConfig, final String name, final String configFileDefaultParamValue, final String defaultValue) {
+        return getInitParameter(servletConfig, name, configFileDefaultParamValue, defaultValue, Function.identity());
+    }
+
+    public static boolean getInitParameter(final ServletConfig servletConfig, final String name, final String configFileDefaultParamValue, final boolean defaultValue) {
+        return getInitParameter(servletConfig, name, configFileDefaultParamValue, defaultValue, Boolean::parseBoolean);
+    }
+
+    public static <T> T getInitParameter(final ServletConfig servletConfig, final String name, final String configFileDefaultParamValue, final T defaultValue, final Function<String, T> function) {
+        final T result;
+
+        final String initParameter = servletConfig.getInitParameter(name);
+
+        if (StringUtils.isNotBlank(initParameter)) {
+            result = function.apply(initParameter);
+        } else if (StringUtils.isNotBlank(configFileDefaultParamValue)) {
+            result = function.apply(configFileDefaultParamValue);
+        } else {
+            result = defaultValue;
+        }
+
+        return result;
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/StringJsConfigParameter.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/StringJsConfigParameter.java
new file mode 100644
index 0000000..e41036b
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/StringJsConfigParameter.java
@@ -0,0 +1,54 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.config.properties.javascript;
+
+import org.owasp.csrfguard.config.properties.PropertyUtils;
+
+import javax.servlet.ServletConfig;
+import java.util.Properties;
+
+public class StringJsConfigParameter extends JsConfigParameter<String> {
+
+    private final String propertyName;
+    private final String propertyKey;
+    private final String defaultValue;
+
+    public StringJsConfigParameter(final String propertyName, final String propertyKey, final String defaultValue) {
+        this.propertyName = propertyName;
+        this.propertyKey = propertyKey;
+        this.defaultValue = defaultValue;
+    }
+
+    @Override
+    public String getProperty(final ServletConfig servletConfig, final Properties propertyCache) {
+        final String configParamValue = PropertyUtils.getProperty(propertyCache, this.propertyKey);
+        return getInitParameter(servletConfig, this.propertyName, configParamValue, this.defaultValue);
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/exception/CSRFGuardTokenException.java b/csrfguard/src/main/java/org/owasp/csrfguard/exception/CSRFGuardTokenException.java
new file mode 100644
index 0000000..7d01ec8
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/exception/CSRFGuardTokenException.java
@@ -0,0 +1,51 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.exception;
+
+/**
+ * CSRFGuardTokenException - Runtime Exception handling all token related errors.
+ *
+ * @author - srijas
+ * @since - 11/7/2019.
+ */
+public class CSRFGuardTokenException extends RuntimeException {
+
+    public CSRFGuardTokenException(final String message) {
+        super(message);
+    }
+
+    public CSRFGuardTokenException(final String message, final Throwable cause) {
+        super(message, cause);
+    }
+
+    public CSRFGuardTokenException(final Throwable cause) {
+        super(cause);
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/http/InterceptRedirectResponse.java b/csrfguard/src/main/java/org/owasp/csrfguard/http/InterceptRedirectResponse.java
index 45c285f..ffcc39c 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/http/InterceptRedirectResponse.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/http/InterceptRedirectResponse.java
@@ -1,72 +1,109 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
 package org.owasp.csrfguard.http;
 
-import java.io.IOException;
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.CsrfValidator;
+import org.owasp.csrfguard.ProtectionResult;
+import org.owasp.csrfguard.session.LogicalSession;
+import org.owasp.csrfguard.token.service.TokenService;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpServletResponseWrapper;
-
-import org.owasp.csrfguard.CsrfGuard;
+import java.io.IOException;
+import java.util.Objects;
 
 public class InterceptRedirectResponse extends HttpServletResponseWrapper {
 
-	private HttpServletResponse response = null;
-
-	private CsrfGuard csrfGuard;
-
-	private HttpServletRequest request;
-
-	public InterceptRedirectResponse(HttpServletResponse response, HttpServletRequest request, CsrfGuard csrfGuard) {
-		super(response);
-		this.response = response;
-		this.request = request;
-		this.csrfGuard = csrfGuard;
-	}
-
-	@Override
-	public void sendRedirect(String location) throws IOException {
-		// Remove CR and LF characters to prevent CRLF injection
-		String sanitizedLocation = location.replaceAll("(\\r|\\n|%0D|%0A|%0a|%0d)", "");
-		
-		/** ensure token included in redirects **/
-		if (!sanitizedLocation.contains("://") && csrfGuard.isProtectedPageAndMethod(sanitizedLocation, "GET")) {
-			/** update tokens **/
-			csrfGuard.updateTokens(request);
-			
-			// Separate URL fragment from path, e.g. /myPath#myFragment becomes 
-			//[0]: /myPath [1]: myFragment
-			String[] splitOnFragement = location.split("#", 2);
-			location = splitOnFragement[0];
-
-			StringBuilder sb = new StringBuilder();
-
-			if (!sanitizedLocation.startsWith("/")) {
-				sb.append(request.getContextPath() + "/" + sanitizedLocation);
-			} else {
-				sb.append(sanitizedLocation);
-			}
-			
-			if (sanitizedLocation.contains("?")) {
-				sb.append('&');
-			} else {
-				sb.append('?');
-			}
-
-			// remove any query parameters from the sanitizedLocation
-			String locationUri = sanitizedLocation.split("\\?", 2)[0];
-
-			sb.append(csrfGuard.getTokenName());
-			sb.append('=');
-			sb.append(csrfGuard.getTokenValue(request, locationUri));
-			
-			// Add back fragment, if one exists
-			if(splitOnFragement.length > 1) {
-				sb.append('#').append(splitOnFragement[1]);
-			}
-
-			response.sendRedirect(sb.toString());
-		} else {
-			response.sendRedirect(sanitizedLocation);
-		}
-	}
+    private final HttpServletResponse response;
+
+    private final CsrfGuard csrfGuard;
+
+    private final HttpServletRequest request;
+
+    public InterceptRedirectResponse(final HttpServletResponse response, final HttpServletRequest request, final CsrfGuard csrfGuard) {
+        super(response);
+        this.response = response;
+        this.request = request;
+        this.csrfGuard = csrfGuard;
+    }
+
+    @Override
+    public void sendRedirect(final String location) throws IOException {
+        // Remove CR and LF characters to prevent CRLF injection
+        final String sanitizedLocation = location.replaceAll("(\\r|\\n|%0D|%0A|%0a|%0d)", "");
+
+        /* ensure token included in redirects */
+        final ProtectionResult protectionResult = new CsrfValidator().isProtectedPageAndMethod(sanitizedLocation, "GET");
+        if (!sanitizedLocation.contains("://") && protectionResult.isProtected()) {
+            // Separate URL fragments from path, e.g. /myPath#myFragment becomes [0]: /myPath [1]: myFragment
+            final String[] splitOnFragment = location.split("#", 2);
+
+            final StringBuilder stringBuilder = new StringBuilder();
+
+            if (sanitizedLocation.startsWith("/")) {
+                stringBuilder.append(sanitizedLocation);
+            } else {
+                stringBuilder.append(this.request.getContextPath()).append('/').append(sanitizedLocation);
+            }
+
+            if (sanitizedLocation.contains("?")) {
+                stringBuilder.append('&');
+            } else {
+                stringBuilder.append('?');
+            }
+
+            // remove any query parameters from the sanitizedLocation
+            final String locationUri = sanitizedLocation.split("\\?", 2)[0];
+
+            stringBuilder.append(this.csrfGuard.getTokenName())
+                         .append('=')
+                         .append(computeTokenValue(locationUri));
+
+            // Add back fragment, if one exists
+            if (splitOnFragment.length > 1) {
+                stringBuilder.append('#').append(splitOnFragment[1]);
+            }
+
+            this.response.sendRedirect(stringBuilder.toString());
+        } else {
+            this.response.sendRedirect(sanitizedLocation);
+        }
+    }
+
+    private String computeTokenValue(final String locationUri) {
+        final TokenService tokenService = CsrfGuard.getInstance().getTokenService();
+
+        final LogicalSession logicalSession = this.csrfGuard.getLogicalSessionExtractor().extract(this.request);
+
+        return Objects.nonNull(logicalSession) ? tokenService.generateTokensIfAbsent(logicalSession.getKey(), "GET", locationUri) : null;
+    }
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/log/ConsoleLogger.java b/csrfguard/src/main/java/org/owasp/csrfguard/log/ConsoleLogger.java
index 44cc899..277fa49 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/log/ConsoleLogger.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/log/ConsoleLogger.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,40 +26,41 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.log;
 
-import java.util.*;
+import java.util.Date;
 
 public class ConsoleLogger implements ILogger {
 
-	private static final long serialVersionUID = 3139970112597740777L;
+    private static final long serialVersionUID = 3139970112597740777L;
+
+    @Override
+    public void log(final String msg) {
+        log(LogLevel.Info, sanitizeLogMessage(msg));
+    }
 
-	@Override
-	public void log(String msg) {
-		log(LogLevel.Info, msg);
-	}
+    @Override
+    public void log(final LogLevel level, final String msg) {
+        log(level, new Date(), level, sanitizeLogMessage(msg));
+    }
 
-	@Override
-	public void log(LogLevel level, String msg) {
-		if(LogLevel.Error.equals(level)) {
-			System.err.println(String.format("[%s] [%s] %s", new Date(), String.valueOf(level), msg));
-		} else {
-			System.out.println(String.format("[%s] [%s] %s", new Date(), String.valueOf(level), msg));
-		}
-	}
+    @Override
+    public void log(final Exception exception) {
+        log(LogLevel.Error, exception);
+    }
 
-	@Override
-	public void log(Exception exception) {
-		log(LogLevel.Error, exception);
-	}
+    @Override
+    public void log(final LogLevel level, final Exception exception) {
+        log(level, new Date(), level, exception);
+    }
 
-	@Override
-	public void log(LogLevel level, Exception exception) {
-		if(LogLevel.Error.equals(level)) {
-			System.err.println(String.format("[%s] [%s] %s", new Date(), String.valueOf(level), String.valueOf(exception)));
-		} else {
-			System.out.println(String.format("[%s] [%s] %s", new Date(), String.valueOf(level), String.valueOf(exception)));
-		}
-	}
-	
+    private void log(final LogLevel level, final Object... objects) {
+        final String logPattern = "[%s] [%s] %s%n";
+        if (LogLevel.Error.equals(level)) {
+            System.err.printf(logPattern, objects);
+        } else {
+            System.out.printf(logPattern, objects);
+        }
+    }
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/log/ILogger.java b/csrfguard/src/main/java/org/owasp/csrfguard/log/ILogger.java
index 1ec4fe5..b9b30f8 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/log/ILogger.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/log/ILogger.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,18 +26,48 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.log;
 
 import java.io.Serializable;
 
+/**
+ * TODO use slf4j instead
+ */
 public interface ILogger extends Serializable {
 
-	public void log(String msg);
+	/**
+	 * TODO document
+	 * @param msg
+	 */
+	void log(String msg);
+
+	/**
+	 * TODO document
+	 * @param level
+	 * @param msg
+	 */
+	void log(LogLevel level, String msg);
 
-	public void log(LogLevel level, String msg);
+	/**
+	 * TODO document
+	 * @param exception
+	 */
+	void log(Exception exception);
 
-	public void log(Exception exception);
+	/**
+	 * TODO document
+	 * @param exception
+	 * @param level
+	 */
+	void log(LogLevel level, Exception exception);
 
-	public void log(LogLevel level, Exception exception);
-	
+	/**
+	 * Removes new line characters from the loggable message to prevent forging log entries.
+	 * @param msg The message to be logged
+	 * @return Sanitized version of the input message.
+	 */
+	default String sanitizeLogMessage(String msg) {
+		return msg.replaceAll("(\\r|\\n)", "");
+	}
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/log/JavaLogger.java b/csrfguard/src/main/java/org/owasp/csrfguard/log/JavaLogger.java
index c9deaf1..e26360f 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/log/JavaLogger.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/log/JavaLogger.java
@@ -1,3 +1,32 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
 package org.owasp.csrfguard.log;
 
 import java.util.logging.Level;
@@ -7,18 +36,18 @@ public class JavaLogger implements ILogger {
 
 	private static final long serialVersionUID = -4857601483759096197L;
 	
-	private final static Logger LOGGER = Logger.getLogger("Owasp.CsrfGuard");
+	private static final Logger LOGGER = Logger.getLogger("Owasp.CsrfGuard");
 
 	@Override
-	public void log(String msg) {
-		LOGGER.info(msg.replaceAll("(\\r|\\n)", ""));
+	public void log(final String msg) {
+		LOGGER.info(sanitizeLogMessage(msg));
 	}
 
 	@Override
-	public void log(LogLevel level, String msg) {
+	public void log(final LogLevel level, final String msg) {
 		// Remove CR and LF characters to prevent CRLF injection
-		String sanitizedMsg = msg.replaceAll("(\\r|\\n)", "");
-		
+		final String sanitizedMsg = sanitizeLogMessage(msg);
+
 		switch(level) {
 			case Trace:
 				LOGGER.finest(sanitizedMsg);
@@ -30,8 +59,6 @@ public void log(LogLevel level, String msg) {
 				LOGGER.info(sanitizedMsg);
 				break;
 			case Warning:
-				LOGGER.warning(sanitizedMsg);
-				break;
 			case Error:
 				LOGGER.warning(sanitizedMsg);
 				break;
@@ -44,12 +71,12 @@ public void log(LogLevel level, String msg) {
 	}
 
 	@Override
-	public void log(Exception exception) {
+	public void log(final Exception exception) {
 		LOGGER.log(Level.WARNING, exception.getLocalizedMessage(), exception);
 	}
 
 	@Override
-	public void log(LogLevel level, Exception exception) {
+	public void log(final LogLevel level, final Exception exception) {
 			switch(level) {
 			case Trace:
 				LOGGER.log(Level.FINEST, exception.getLocalizedMessage(), exception);
@@ -61,8 +88,6 @@ public void log(LogLevel level, Exception exception) {
 				LOGGER.log(Level.INFO, exception.getLocalizedMessage(), exception);
 				break;
 			case Warning:
-				LOGGER.log(Level.WARNING, exception.getLocalizedMessage(), exception);
-				break;
 			case Error:
 				LOGGER.log(Level.WARNING, exception.getLocalizedMessage(), exception);
 				break;
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/log/LogLevel.java b/csrfguard/src/main/java/org/owasp/csrfguard/log/LogLevel.java
index aeed93a..f64a84c 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/log/LogLevel.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/log/LogLevel.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,15 +26,14 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.log;
 
 public enum LogLevel {
-	
 	Trace,
 	Debug,
 	Info,
 	Warning,
 	Error,
 	Fatal
-	
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/servlet/JavaScriptServlet.java b/csrfguard/src/main/java/org/owasp/csrfguard/servlet/JavaScriptServlet.java
index fcab7c3..1a84b0d 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/servlet/JavaScriptServlet.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/servlet/JavaScriptServlet.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,235 +26,250 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.servlet;
 
+import org.apache.commons.lang3.ObjectUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.owasp.csrfguard.CsrfGuard;
 import org.owasp.csrfguard.CsrfGuardServletContextListener;
+import org.owasp.csrfguard.CsrfValidator;
+import org.owasp.csrfguard.config.properties.javascript.JavaScriptConfigParameters;
 import org.owasp.csrfguard.log.LogLevel;
+import org.owasp.csrfguard.session.LogicalSession;
+import org.owasp.csrfguard.token.storage.LogicalSessionExtractor;
+import org.owasp.csrfguard.token.transferobject.TokenTO;
 import org.owasp.csrfguard.util.CsrfGuardUtils;
-import org.owasp.csrfguard.util.Strings;
 
 import javax.servlet.ServletConfig;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.nio.charset.Charset;
 import java.util.HashSet;
-import java.util.Iterator;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import java.util.regex.Pattern;
 
 public final class JavaScriptServlet extends HttpServlet {
 
-	private static final long serialVersionUID = -1459584282530150483L;
-	
-	private static final String TOKEN_NAME_IDENTIFIER = "%TOKEN_NAME%";
-	
-	private static final String TOKEN_VALUE_IDENTIFIER = "%TOKEN_VALUE%";
-	
-	private static final String DOMAIN_ORIGIN_IDENTIFIER = "%DOMAIN_ORIGIN%";
-	
-	private static final String DOMAIN_STRICT_IDENTIFIER = "%DOMAIN_STRICT%";
-	
-	private static final String INJECT_INTO_XHR_IDENTIFIER = "%INJECT_XHR%";
-	
-	private static final String INJECT_INTO_FORMS_IDENTIFIER = "%INJECT_FORMS%";
-
-	private static final String INJECT_GET_FORMS_IDENTIFIER = "%INJECT_GET_FORMS%";
-	
-	private static final String INJECT_FORM_ATTRIBUTES_IDENTIFIER = "%INJECT_FORM_ATTRIBUTES%";
-	
-	private static final String INJECT_INTO_ATTRIBUTES_IDENTIFIER = "%INJECT_ATTRIBUTES%";
-	
-	private static final String CONTEXT_PATH_IDENTIFIER = "%CONTEXT_PATH%";
-	
-	private static final String SERVLET_PATH_IDENTIFIER = "%SERVLET_PATH%";
-	
-	private static final String X_REQUESTED_WITH_IDENTIFIER = "%X_REQUESTED_WITH%";
-	
-	private static final String TOKENS_PER_PAGE_IDENTIFIER = "%TOKENS_PER_PAGE%";
-	
-	private static final String UNPROTECTED_EXTENSIONS_IDENTIFIER = "%UNPROTECTED_EXTENSIONS%";
-	
-	private static ServletConfig servletConfig = null;
-
-	public static ServletConfig getStaticServletConfig() {
-		return servletConfig;
-	}
-	
-	@Override
-	public void init(ServletConfig theServletConfig) {
-	  servletConfig = theServletConfig;
-	  //print again since it might change based on servlet config of javascript servlet
-	  CsrfGuardServletContextListener.printConfigIfConfigured(servletConfig.getServletContext(), 
-			  "Printing properties after Javascript servlet, note, the javascript properties have now been initialized: ");
-	}
-
-	@Override
-	public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
-		String refererHeader = request.getHeader("referer");
-		boolean hasError = false;
-		Pattern javascriptRefererPattern = CsrfGuard.getInstance().getJavascriptRefererPattern();
-		if(refererHeader != null && !javascriptRefererPattern.matcher(refererHeader).matches()) {
-			CsrfGuard.getInstance().getLogger().log(LogLevel.Error, "Referer domain " + refererHeader + " does not match regex: " + javascriptRefererPattern.pattern());
-			response.sendError(404);
-			hasError = true;
-		}
-			
-		if (refererHeader != null && CsrfGuard.getInstance().isJavascriptRefererMatchDomain()) {
-			boolean isJavascriptRefererMatchProtocol = CsrfGuard.getInstance().isJavascriptRefererMatchProtocol();
-			//this is something like http://something.com/path or https://something.com/path
-			String url = request.getRequestURL().toString();
-			String requestProtocolAndDomain = CsrfGuardUtils.httpProtocolAndDomain(url, isJavascriptRefererMatchProtocol);
-			String refererProtocolAndDomain = CsrfGuardUtils.httpProtocolAndDomain(refererHeader, isJavascriptRefererMatchProtocol);
-			if (!refererProtocolAndDomain.equals(requestProtocolAndDomain)) {
-				CsrfGuard.getInstance().getLogger().log(LogLevel.Error, "Referer domain " + refererHeader + " does not match request domain: " + url);
-				hasError = true;
-				response.sendError(404);
-			}
-			
-		}
-		if (!hasError) {
-			
-			//save this path so javascript is whitelisted
-			String javascriptPath = request.getContextPath() + request.getServletPath();
-			
-			//dont know why there would be more than one... hmmm
-			if (javascriptUris.size() < 100) {
-				javascriptUris.add(javascriptPath);
-			}
-			
-			writeJavaScript(request, response);
-		}
-	}
-
-	/**
-	 * whitelist the javascript servlet from csrf errors
-	 * @return the javascriptUris
-	 */
-	public static Set<String> getJavascriptUris() {
-		return javascriptUris;
-	}
-
-	/** whitelist the javascript servlet from csrf errors */
-	private static Set<String> javascriptUris = new HashSet<String>();
-	
-
-	@Override
-	public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
-		CsrfGuard csrfGuard = CsrfGuard.getInstance();
-		String isFetchCsrfToken = request.getHeader("FETCH-CSRF-TOKEN");
-		
-		if (csrfGuard != null && isFetchCsrfToken != null){
-			fetchCsrfToken(request, response);
-		} else {
-			if (csrfGuard != null && csrfGuard.isTokenPerPageEnabled()) {
-				writePageTokens(request, response);
-			} else {
-				response.sendError(404);
-			}
-		}
-	}
-
-	private void fetchCsrfToken(HttpServletRequest request, HttpServletResponse response) throws IOException {
-		HttpSession session = request.getSession(true);
-		@SuppressWarnings("unchecked")
-		CsrfGuard csrfGuard = CsrfGuard.getInstance();
-		String token_name = csrfGuard.getTokenName();
-		String token_value = (String) session.getAttribute(csrfGuard.getSessionKey());
-		String token_pair = token_name + ":" + token_value;
-
-		/** setup headers **/
-		response.setContentType("text/plain");
-
-		/** write dynamic javascript **/
-		response.getWriter().write(token_pair);
-	}
-
-
-	private void writePageTokens(HttpServletRequest request, HttpServletResponse response) throws IOException {
-		HttpSession session = request.getSession(true);
-		@SuppressWarnings("unchecked")
-		Map<String, String> pageTokens = (Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);
-		String pageTokensString = (pageTokens != null ? parsePageTokens(pageTokens) : Strings.EMPTY);
-
-		/** setup headers **/
-		response.setContentType("text/plain");
-		response.setContentLength(pageTokensString.length());
-
-		/** write dynamic javascript **/
-		response.getWriter().write(pageTokensString);
-	}
-
-	private void writeJavaScript(HttpServletRequest request, HttpServletResponse response) throws IOException {
-		HttpSession session = request.getSession(true);
-		CsrfGuard csrfGuard = CsrfGuard.getInstance();
-
-		/** cannot cache if rotate or token-per-page is enabled **/
-		if (csrfGuard.isRotateEnabled() || csrfGuard.isTokenPerPageEnabled()) {
-			response.setHeader("Cache-Control", "no-cache, no-store");
-			response.setHeader("Pragma", "no-cache");
-			response.setHeader("Expires", "0");
-		} else {
-			response.setHeader("Cache-Control", CsrfGuard.getInstance().getJavascriptCacheControl());
-		}
-
-		response.setContentType("text/javascript");
-
-		/** build dynamic javascript **/
-		String code = CsrfGuard.getInstance().getJavascriptTemplateCode();
-
-		code = code.replace(TOKEN_NAME_IDENTIFIER, CsrfGuardUtils.defaultString(csrfGuard.getTokenName()));
-		code = code.replace(TOKEN_VALUE_IDENTIFIER, CsrfGuardUtils.defaultString((String) session.getAttribute(csrfGuard.getSessionKey())));
-		code = code.replace(INJECT_INTO_FORMS_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptInjectIntoForms()));
-		code = code.replace(INJECT_GET_FORMS_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptInjectGetForms()));
-		code = code.replace(INJECT_FORM_ATTRIBUTES_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptInjectFormAttributes()));
-		code = code.replace(INJECT_INTO_ATTRIBUTES_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptInjectIntoAttributes()));
-		code = code.replace(INJECT_INTO_XHR_IDENTIFIER, String.valueOf(csrfGuard.isAjaxEnabled()));
-		code = code.replace(TOKENS_PER_PAGE_IDENTIFIER, String.valueOf(csrfGuard.isTokenPerPageEnabled()));
-		code = code.replace(UNPROTECTED_EXTENSIONS_IDENTIFIER, String.valueOf(csrfGuard.getJavascriptUnprotectedExtensions()));
-		code = code.replace(DOMAIN_ORIGIN_IDENTIFIER, csrfGuard.getDomainOrigin() == null ? CsrfGuardUtils.defaultString(parseDomain(request.getRequestURL())) : csrfGuard.getDomainOrigin());
-		code = code.replace(DOMAIN_STRICT_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptDomainStrict()));
-		code = code.replace(CONTEXT_PATH_IDENTIFIER, CsrfGuardUtils.defaultString(request.getContextPath()));
-		code = code.replace(SERVLET_PATH_IDENTIFIER, CsrfGuardUtils.defaultString(request.getContextPath() + request.getServletPath()));
-		code = code.replace(X_REQUESTED_WITH_IDENTIFIER, CsrfGuardUtils.defaultString(csrfGuard.getJavascriptXrequestedWith()));
-
-		/** write dynamic javascript **/
-		response.getWriter().write(code);
-	}
-
-	private String parsePageTokens(Map<String, String> pageTokens) {
-		StringBuilder sb = new StringBuilder();
-		Iterator<String> keys = pageTokens.keySet().iterator();
-
-		while (keys.hasNext()) {
-			String key = keys.next();
-			String value = pageTokens.get(key);
-
-			sb.append(key);
-			sb.append(':');
-			sb.append(value);
-
-			if (keys.hasNext()) {
-				sb.append(',');
-			}
-		}
-
-		return sb.toString();
-	}
-	
-
-	private String parseDomain(StringBuffer url) {
-		try {
-			return new URL(url.toString()).getHost();
-		} catch (MalformedURLException e) {
-			//Should not occur. javax.servlet.http.HttpServletRequest.getRequestURL should only returns valid URLs.
-			return "INVALID_URL: " + url.toString();
-		}
-	}
-	
+    private static final long serialVersionUID = -1459584282530150483L;
+
+    private static final String TOKEN_NAME_IDENTIFIER = "%TOKEN_NAME%";
+
+    private static final String TOKEN_VALUE_IDENTIFIER = "%TOKEN_VALUE%";
+
+    private static final String DOMAIN_ORIGIN_IDENTIFIER = "%DOMAIN_ORIGIN%";
+
+    private static final String CONTEXT_PATH_IDENTIFIER = "%CONTEXT_PATH%";
+
+    private static final String SERVLET_PATH_IDENTIFIER = "%SERVLET_PATH%";
+
+    private static final String X_REQUESTED_WITH_IDENTIFIER = "%X_REQUESTED_WITH%";
+
+    private static final String UNPROTECTED_EXTENSIONS_IDENTIFIER = "%UNPROTECTED_EXTENSIONS%";
+
+    private static final String DYNAMIC_NODE_CREATION_EVENT_NAME_IDENTIFIER = "%DYNAMIC_NODE_CREATION_EVENT_NAME%";
+
+    /**
+     * Non-string configuration placeholder names that has to be replaced together with the single quotes
+     * The single quotes around the attribute names are needed so the template code would be parsable by linters and automated code minifiers.
+     */
+    private static final String DOMAIN_STRICT_IDENTIFIER = "'%DOMAIN_STRICT%'";
+
+    private static final String INJECT_INTO_XHR_IDENTIFIER = "'%INJECT_XHR%'";
+
+    private static final String INJECT_INTO_FORMS_IDENTIFIER = "'%INJECT_FORMS%'";
+
+    private static final String INJECT_GET_FORMS_IDENTIFIER = "'%INJECT_GET_FORMS%'";
+
+    private static final String INJECT_FORM_ATTRIBUTES_IDENTIFIER = "'%INJECT_FORM_ATTRIBUTES%'";
+
+    private static final String INJECT_INTO_ATTRIBUTES_IDENTIFIER = "'%INJECT_ATTRIBUTES%'";
+
+    private static final String INJECT_INTO_DYNAMIC_NODES_IDENTIFIER = "'%INJECT_DYNAMIC_NODES%'";
+
+    private static final String TOKENS_PER_PAGE_IDENTIFIER = "'%TOKENS_PER_PAGE%'";
+
+    private static final String ASYNC_XHR = "'%ASYNC_XHR%'";
+
+    /* MIME Type constants */
+    private static final String JSON_MIME_TYPE = "application/json";
+    private static final String JAVASCRIPT_MIME_TYPE = "text/javascript; charset=utf-8";
+
+    /**
+     * whitelist the javascript servlet from csrf errors
+     */
+    private static final Set<String> javascriptUris = new HashSet<>();
+
+    private static ServletConfig servletConfig = null;
+
+    public static ServletConfig getStaticServletConfig() {
+        return servletConfig;
+    }
+
+    /**
+     * whitelist the javascript servlet from csrf errors
+     *
+     * @return the javascriptUris
+     */
+    public static Set<String> getJavascriptUris() {
+        return javascriptUris;
+    }
+
+    @Override
+    public void init(final ServletConfig theServletConfig) {
+        servletConfig = theServletConfig;
+        // print again since it might change based on servlet config of javascript servlet
+        CsrfGuardServletContextListener.printConfigIfConfigured(servletConfig.getServletContext(),
+                                                                "Printing properties after JavaScript servlet, note, the javascript properties have now been initialized: ");
+    }
+
+    @Override
+    public void doGet(final HttpServletRequest request, final HttpServletResponse response) throws IOException {
+        final CsrfGuard csrfGuard = CsrfGuard.getInstance();
+
+        if (csrfGuard.isEnabled()) {
+            writeJavaScript(csrfGuard, request, response);
+        } else {
+            response.setContentType(JAVASCRIPT_MIME_TYPE);
+            final String javaScriptCode = "console.log('CSRFGuard is disabled');";
+            response.getWriter().write(javaScriptCode);
+        }
+    }
+
+    @Override
+    public void doPost(final HttpServletRequest request, final HttpServletResponse response) throws IOException {
+        final CsrfGuard csrfGuard = CsrfGuard.getInstance();
+
+        if (new CsrfValidator().isValid(request, response)) {
+            if (csrfGuard.isTokenPerPageEnabled()) {
+                // TODO pass the logical session downstream, see whether the null check can be done from here
+                final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract(request);
+                if (Objects.isNull(logicalSession)) {
+                    response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Could not create a logical session from the current request.");
+                } else {
+                    final Map<String, String> pageTokens = csrfGuard.getTokenService().getPageTokens(logicalSession.getKey());
+                    final TokenTO tokenTO = new TokenTO(pageTokens);
+                    writeTokens(response, tokenTO);
+                }
+            } else {
+                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "This endpoint should not be invoked if the Token-Per-Page functionality is disabled!");
+            }
+        } else {
+            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Master token missing from the request.");
+        }
+    }
+
+    private static void writeTokens(final HttpServletResponse response, final TokenTO tokenTO) throws IOException {
+        final String jsonTokenTO = tokenTO.toString();
+
+        response.setContentType(JSON_MIME_TYPE);
+        response.setContentLength(jsonTokenTO.length());
+        response.setCharacterEncoding(Charset.defaultCharset().displayName());
+
+        response.getWriter().write(jsonTokenTO);
+    }
+
+    private static void writeJavaScript(final HttpServletRequest request, final HttpServletResponse response) throws IOException {
+        final CsrfGuard csrfGuard = CsrfGuard.getInstance();
+
+        /* cannot cache if rotate or token-per-page is enabled */
+        if (csrfGuard.isRotateEnabled() || csrfGuard.isTokenPerPageEnabled()) {
+            response.setHeader("Cache-Control", "no-cache, no-store");
+            response.setHeader("Pragma", "no-cache");
+            response.setHeader("Expires", "0");
+        } else {
+            response.setHeader("Cache-Control", csrfGuard.getJavascriptCacheControl());
+        }
+
+        response.setContentType(JAVASCRIPT_MIME_TYPE);
+
+        String code = csrfGuard.getJavascriptTemplateCode();
+
+        code = code.replace(TOKEN_NAME_IDENTIFIER, StringUtils.defaultString(csrfGuard.getTokenName()))
+                   .replace(TOKEN_VALUE_IDENTIFIER, StringUtils.defaultString(getMasterToken(request, csrfGuard)))
+                   .replace(UNPROTECTED_EXTENSIONS_IDENTIFIER, String.valueOf(csrfGuard.getJavascriptUnprotectedExtensions()))
+                   .replace(CONTEXT_PATH_IDENTIFIER, StringUtils.defaultString(request.getContextPath()))
+                   .replace(SERVLET_PATH_IDENTIFIER, StringUtils.defaultString(request.getContextPath() + request.getServletPath()))
+                   .replace(X_REQUESTED_WITH_IDENTIFIER, StringUtils.defaultString(csrfGuard.getJavascriptXrequestedWith()))
+                   .replace(DYNAMIC_NODE_CREATION_EVENT_NAME_IDENTIFIER, StringUtils.defaultString(csrfGuard.getJavascriptDynamicNodeCreationEventName()))
+                   .replace(DOMAIN_ORIGIN_IDENTIFIER, ObjectUtils.defaultIfNull(csrfGuard.getDomainOrigin(), StringUtils.defaultString(parseDomain(request.getRequestURL()))))
+                   .replace(INJECT_INTO_FORMS_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptInjectIntoForms()))
+                   .replace(INJECT_GET_FORMS_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptInjectGetForms()))
+                   .replace(INJECT_FORM_ATTRIBUTES_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptInjectFormAttributes()))
+                   .replace(INJECT_INTO_ATTRIBUTES_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptInjectIntoAttributes()))
+                   .replace(INJECT_INTO_DYNAMIC_NODES_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptInjectIntoDynamicallyCreatedNodes()))
+                   .replace(INJECT_INTO_XHR_IDENTIFIER, Boolean.toString(csrfGuard.isAjaxEnabled()))
+                   .replace(TOKENS_PER_PAGE_IDENTIFIER, Boolean.toString(csrfGuard.isTokenPerPageEnabled()))
+                   .replace(DOMAIN_STRICT_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptDomainStrict()))
+                   .replace(ASYNC_XHR, Boolean.toString(!csrfGuard.isForceSynchronousAjax()));
+
+        response.getWriter().write(code);
+    }
+
+    private static String getMasterToken(final HttpServletRequest request, final CsrfGuard csrfGuard) {
+        final LogicalSessionExtractor sessionKeyExtractor = csrfGuard.getLogicalSessionExtractor();
+        final LogicalSession logicalSession = sessionKeyExtractor.extractOrCreate(request);
+
+        return csrfGuard.getTokenService().getMasterToken(logicalSession.getKey());
+    }
+
+    private static String parseDomain(final StringBuffer url) {
+        try {
+            return new URL(url.toString()).getHost();
+        } catch (final MalformedURLException e) {
+            // Should not occur. javax.servlet.http.HttpServletRequest.getRequestURL should only return valid URLs.
+            return "INVALID_URL: " + url;
+        }
+    }
+
+    private void writeJavaScript(final CsrfGuard csrfGuard, final HttpServletRequest request, final HttpServletResponse response) throws IOException {
+        final String refererHeader = request.getHeader("referer");
+
+        final Pattern javascriptRefererPattern = csrfGuard.getJavascriptRefererPattern();
+        final String javaScriptReferer = javascriptRefererPattern.pattern();
+
+        if (refererHeader != null) {
+            if (!javascriptRefererPattern.matcher(refererHeader).matches()) {
+                csrfGuard.getLogger().log(LogLevel.Error, String.format("Referer domain '%s' does not match regex: '%s'", refererHeader, javaScriptReferer));
+                response.sendError(HttpServletResponse.SC_FORBIDDEN);
+                return;
+            }
+
+            if (csrfGuard.isJavascriptRefererMatchDomain()) {
+                final boolean isJavascriptRefererMatchProtocol = csrfGuard.isJavascriptRefererMatchProtocol();
+                // this is something like http://something.com/path or https://something.com/path
+                final String url = request.getRequestURL().toString();
+                final String requestProtocolAndDomain = CsrfGuardUtils.httpProtocolAndDomain(url, isJavascriptRefererMatchProtocol);
+                final String refererProtocolAndDomain = CsrfGuardUtils.httpProtocolAndDomain(refererHeader, isJavascriptRefererMatchProtocol);
+                if (!refererProtocolAndDomain.equals(requestProtocolAndDomain)) {
+                    csrfGuard.getLogger().log(LogLevel.Error, String.format("Referer domain '%s' does not match request domain: '%s'", refererHeader, url));
+                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
+                    return;
+                }
+            }
+        } else {
+           if (!javaScriptReferer.equals(JavaScriptConfigParameters.DEFAULT_REFERER_PATTERN)) {
+               csrfGuard.getLogger().log(LogLevel.Error, String.format("Missing referer headers are not accepted if a non-default referer pattern '%s' is configured!", javaScriptReferer));
+
+               response.sendError(HttpServletResponse.SC_FORBIDDEN);
+               return;
+           }
+        }
+
+        // save this path so javascript is whitelisted
+        final String javascriptPath = request.getContextPath() + request.getServletPath();
+
+        // don't know why there would be more than one... hmmm
+        if (javascriptUris.size() < 100) {
+            javascriptUris.add(javascriptPath);
+        }
+
+        writeJavaScript(request, response);
+    }
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/session/LogicalSession.java b/csrfguard/src/main/java/org/owasp/csrfguard/session/LogicalSession.java
new file mode 100644
index 0000000..3f0862b
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/session/LogicalSession.java
@@ -0,0 +1,90 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.session;
+
+import javax.servlet.http.HttpSession;
+
+/**
+ * Represents a logical session that enables decoupling from the container's session implementation in case the client application uses a stateless approach (e.g. token based authentication)
+ */
+public interface LogicalSession {
+
+    /**
+     * Returns the logical session key
+     * @return identifier that uniquely identifies the current actor
+     */
+    String getKey();
+
+    /**
+     * Returns <code>true</code> if the client does not yet know about the
+     * session or if the client chooses not to join the session.
+     *
+     * @see javax.servlet.http.HttpSession#isNew()
+     *
+     * @return <code>true</code> if the server has created a session, but the client has not yet joined
+     */
+    boolean isNew();
+
+    /**
+     * Invalidates this session then unbinds any objects bound to it.
+     */
+    void invalidate();
+
+    /**
+     * @return whether the objects were generated or not.
+     */
+    boolean areTokensGenerated();
+
+    /**
+     * Set whether the objects were generated or not.
+     *
+     * @param areTokensGenerated set <code>true</code> if the tokens were generated, <code>false</code> otherwise
+     */
+    void setTokensGenerated(boolean areTokensGenerated);
+
+    /**
+     * Saves an object to the current session
+     *
+     * @see HttpSession#setAttribute(java.lang.String, java.lang.Object)
+     *
+     * @param attribute the name to which the object is bound; cannot be null
+     * @param value the object to be bound
+     */
+    void setAttribute(final String attribute, final Object value);
+
+    /**
+     * Retrieves an object from the session using its name
+     *
+     * @see HttpSession#getAttribute(String)
+     *
+     * @param attributeName - identifies a certain object on the session
+     * @return the object associated to the attribute name
+     */
+    Object getAttribute(String attributeName);
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/tag/ATag.java b/csrfguard/src/main/java/org/owasp/csrfguard/tag/ATag.java
deleted file mode 100644
index 725cef0..0000000
--- a/csrfguard/src/main/java/org/owasp/csrfguard/tag/ATag.java
+++ /dev/null
@@ -1,111 +0,0 @@
-/**
- * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
- * All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-package org.owasp.csrfguard.tag;
-
-import java.io.*;
-import java.util.*;
-
-import javax.servlet.http.*;
-import javax.servlet.jsp.*;
-import javax.servlet.jsp.tagext.*;
-
-import org.owasp.csrfguard.*;
-import org.owasp.csrfguard.util.BrowserEncoder;
-
-public final class ATag extends AbstractUriTag implements DynamicAttributes {
-
-	private final static long serialVersionUID = 0x00202937;
-	
-	private Map<String, String> attributes = new HashMap<String, String>();
-
-	@Override
-	public int doStartTag() {
-		CsrfGuard csrfGuard = CsrfGuard.getInstance();
-		String tokenValue = csrfGuard.getTokenValue((HttpServletRequest) pageContext.getRequest(), buildUri(attributes.get("href")));
-		String tokenName = csrfGuard.getTokenName();
-
-		try {
-			pageContext.getOut().write(buildStartHtml(tokenName, tokenValue));
-		} catch (IOException e) {
-			pageContext.getServletContext().log(e.getLocalizedMessage(), e);
-		}
-
-		return EVAL_BODY_INCLUDE;
-	}
-
-	@Override
-	public int doEndTag() {
-		try {
-			pageContext.getOut().write("</a>");
-		} catch (IOException e) {
-			pageContext.getServletContext().log(e.getLocalizedMessage(), e);
-		}
-
-		return EVAL_PAGE;
-	}
-
-	@Override
-	public void setDynamicAttribute(String arg0, String arg1, Object arg2) throws JspException {
-		attributes.put(arg1.toLowerCase(), String.valueOf(arg2));
-	}
-
-	private String buildStartHtml(String tokenName, String tokenValue) {
-		StringBuilder sb = new StringBuilder();
-
-		sb.append("<a ");
-
-		for (String name : attributes.keySet()) {
-			String value = attributes.get(name);
-
-			sb.append(BrowserEncoder.encodeForAttribute(name));
-			sb.append('=');
-			sb.append('"');
-			sb.append(BrowserEncoder.encodeForAttribute(value));
-
-			if ("href".equalsIgnoreCase(name)) {
-				if (value.indexOf('?') != -1) {
-					sb.append('&');
-				} else {
-					sb.append('?');
-				}
-
-				sb.append(tokenName);
-				sb.append('=');
-				sb.append(tokenValue);
-			}
-
-			sb.append('"');
-			sb.append(' ');
-		}
-
-		sb.append(">");
-
-		return sb.toString();
-	}
-}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/tag/FormTag.java b/csrfguard/src/main/java/org/owasp/csrfguard/tag/FormTag.java
deleted file mode 100644
index 9d23478..0000000
--- a/csrfguard/src/main/java/org/owasp/csrfguard/tag/FormTag.java
+++ /dev/null
@@ -1,106 +0,0 @@
-/**
- * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
- * All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-package org.owasp.csrfguard.tag;
-
-import java.io.*;
-import java.util.*;
-
-import javax.servlet.http.*;
-import javax.servlet.jsp.*;
-import javax.servlet.jsp.tagext.*;
-
-import org.owasp.csrfguard.*;
-import org.owasp.csrfguard.util.BrowserEncoder;
-
-public final class FormTag extends AbstractUriTag implements DynamicAttributes {
-
-	private final static long serialVersionUID = 0xbefee742;
-	
-	private Map<String, String> attributes = new HashMap<String, String>();
-
-	@Override
-	public int doStartTag() {
-		CsrfGuard csrfGuard = CsrfGuard.getInstance();
-		String tokenValue = csrfGuard.getTokenValue((HttpServletRequest) pageContext.getRequest(), buildUri(attributes.get("action")));
-		String tokenName = csrfGuard.getTokenName();
-
-		try {
-			pageContext.getOut().write(buildStartHtml(tokenName, tokenValue));
-		} catch (IOException e) {
-			pageContext.getServletContext().log(e.getLocalizedMessage(), e);
-		}
-
-		return EVAL_BODY_INCLUDE;
-	}
-
-	@Override
-	public int doEndTag() {
-		try {
-			pageContext.getOut().write("</form>");
-		} catch (IOException e) {
-			pageContext.getServletContext().log(e.getLocalizedMessage(), e);
-		}
-
-		return EVAL_PAGE;
-	}
-
-	@Override
-	public void setDynamicAttribute(String arg0, String arg1, Object arg2) throws JspException {
-		attributes.put(arg1.toLowerCase(), String.valueOf(arg2));
-	}
-
-	private String buildStartHtml(String tokenName, String tokenValue) {
-		StringBuilder sb = new StringBuilder();
-
-		sb.append("<form ");
-
-		for (String name : attributes.keySet()) {
-			String value = attributes.get(name);
-
-			sb.append(BrowserEncoder.encodeForAttribute(name));
-			sb.append('=');
-			sb.append('"');
-			sb.append(BrowserEncoder.encodeForAttribute(value));
-
-			sb.append('"');
-			sb.append(' ');
-		}
-
-		sb.append('>');
-		sb.append("<input type=\"hidden\" name=\"");
-		sb.append(tokenName);
-		sb.append("\" value=\"");
-		sb.append(tokenValue);
-		sb.append("\"");
-		sb.append("/>");
-
-		return sb.toString();
-	}
-	
-}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/tag/TokenTag.java b/csrfguard/src/main/java/org/owasp/csrfguard/tag/TokenTag.java
deleted file mode 100644
index 623214b..0000000
--- a/csrfguard/src/main/java/org/owasp/csrfguard/tag/TokenTag.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/**
- * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
- * All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-package org.owasp.csrfguard.tag;
-
-import java.io.*;
-
-import javax.servlet.http.*;
-
-import org.owasp.csrfguard.*;
-
-public final class TokenTag extends AbstractUriTag {
-
-	private final static long serialVersionUID = 0x12164baa;
-
-	@Override
-	public int doStartTag() {
-		CsrfGuard csrfGuard = CsrfGuard.getInstance();
-		String tokenName = csrfGuard.getTokenName();
-
-		if (csrfGuard.isTokenPerPageEnabled() && getUri() == null) {
-			throw new IllegalStateException("must define 'uri' attribute when token per page is enabled");
-		}
-
-		String tokenValue = csrfGuard.getTokenValue((HttpServletRequest) pageContext.getRequest(), getUri());
-
-		try {
-			pageContext.getOut().write(tokenName + "=" + tokenValue);
-		} catch (IOException e) {
-			pageContext.getServletContext().log(e.getLocalizedMessage(), e);
-		}
-
-		return SKIP_BODY;
-	}
-	
-}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/token/TokenUtils.java b/csrfguard/src/main/java/org/owasp/csrfguard/token/TokenUtils.java
new file mode 100644
index 0000000..118b01c
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/token/TokenUtils.java
@@ -0,0 +1,55 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.token;
+
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.exception.CSRFGuardTokenException;
+import org.owasp.csrfguard.util.MessageConstants;
+import org.owasp.csrfguard.util.RandomGenerator;
+
+public final class TokenUtils {
+
+    private TokenUtils() {}
+
+    /**
+     * Create a random token based on the configuration.
+     *
+     * @return a random token
+     */
+    public static String generateRandomToken() {
+        try {
+            final CsrfGuard csrfGuard = CsrfGuard.getInstance();
+            return RandomGenerator.generateRandomId(csrfGuard.getPrng(), csrfGuard.getTokenLength());
+        } catch (final Exception e) {
+            final String errorLiteral = MessageConstants.RANDOM_TOKEN_FAILURE_MSG + " - " + "%s";
+            throw new CSRFGuardTokenException(String.format(errorLiteral, e.getLocalizedMessage()), e);
+        }
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/token/businessobject/TokenBO.java b/csrfguard/src/main/java/org/owasp/csrfguard/token/businessobject/TokenBO.java
new file mode 100644
index 0000000..8658671
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/token/businessobject/TokenBO.java
@@ -0,0 +1,117 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.token.businessobject;
+
+import org.apache.commons.lang3.tuple.Pair;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+
+public class TokenBO {
+
+    private final Map<String, String> updatedPageTokens;
+
+    private String updatedMasterToken;
+
+    private Pair<TokenType, String> usedToken;
+
+    public TokenBO() {
+        this(null, new HashMap<>());
+    }
+
+    public TokenBO(final String updatedMasterToken) {
+        this(updatedMasterToken, null);
+    }
+
+    public TokenBO(final Map<String, String> updatedPageTokens) {
+        this(null, updatedPageTokens);
+    }
+
+    public TokenBO(final String updatedMasterToken, final Map<String, String> updatedPageTokens) {
+        this.updatedMasterToken = updatedMasterToken;
+        this.updatedPageTokens = updatedPageTokens;
+    }
+
+    public TokenBO setUsedPageToken(final String tokenValue) {
+        setUsedToken(TokenType.PAGE, tokenValue);
+        return this;
+    }
+
+    public TokenBO setUpdatedPageToken(final String uri, final String pageTokenValue) {
+        if (this.updatedPageTokens.containsKey(uri)) {
+            throw new IllegalStateException(String.format("Logical Error! A new value for the page token with the URI [%s] has already been prepared for update.", uri));
+        } else {
+            this.updatedPageTokens.put(uri, pageTokenValue);
+        }
+        return this;
+    }
+
+    public String getUpdatedMasterToken() {
+        return this.updatedMasterToken;
+    }
+
+    public TokenBO setUpdatedMasterToken(final String masterToken) {
+        if (Objects.isNull(this.updatedMasterToken)) {
+            this.updatedMasterToken = masterToken;
+            return this;
+        } else {
+            throw new IllegalStateException("Logical Error! A new value for the master token has already been prepared for update.");
+        }
+    }
+
+    public Map<String, String> getUpdatedPageTokens() {
+        return this.updatedPageTokens;
+    }
+
+    public boolean isUsedMasterToken() {
+        if (Objects.isNull(this.usedToken)) {
+            throw new IllegalStateException("Internal error! The token used to validate the request is not set.");
+        } else {
+            return this.usedToken.getKey() == TokenType.MASTER;
+        }
+    }
+
+    public TokenBO setUsedMasterToken(final String tokenValue) {
+        setUsedToken(TokenType.MASTER, tokenValue);
+        return this;
+    }
+
+    private void setUsedToken(final TokenType page, final String tokenValue) {
+        if (Objects.isNull(this.usedToken)) {
+            this.usedToken = Pair.of(page, tokenValue);
+        } else {
+            throw new IllegalStateException("Used token was already set. A request cannot be validated by two different tokens!");
+        }
+    }
+
+    private enum TokenType {
+        MASTER, PAGE
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/token/mapper/TokenMapper.java b/csrfguard/src/main/java/org/owasp/csrfguard/token/mapper/TokenMapper.java
new file mode 100644
index 0000000..78604d9
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/token/mapper/TokenMapper.java
@@ -0,0 +1,41 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.token.mapper;
+
+import org.owasp.csrfguard.token.businessobject.TokenBO;
+import org.owasp.csrfguard.token.transferobject.TokenTO;
+
+public final class TokenMapper {
+
+    private TokenMapper() {}
+
+    public static TokenTO toTransferObject(final TokenBO tokenBO) {
+        return new TokenTO(tokenBO.getUpdatedMasterToken(), tokenBO.getUpdatedPageTokens());
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/token/service/TokenService.java b/csrfguard/src/main/java/org/owasp/csrfguard/token/service/TokenService.java
new file mode 100644
index 0000000..9ee771b
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/token/service/TokenService.java
@@ -0,0 +1,297 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.token.service;
+
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.CsrfGuardException;
+import org.owasp.csrfguard.CsrfValidator;
+import org.owasp.csrfguard.ProtectionResult;
+import org.owasp.csrfguard.session.LogicalSession;
+import org.owasp.csrfguard.token.TokenUtils;
+import org.owasp.csrfguard.token.businessobject.TokenBO;
+import org.owasp.csrfguard.token.mapper.TokenMapper;
+import org.owasp.csrfguard.token.storage.Token;
+import org.owasp.csrfguard.token.storage.TokenHolder;
+import org.owasp.csrfguard.token.storage.impl.PageTokenValue;
+import org.owasp.csrfguard.token.transferobject.TokenTO;
+import org.owasp.csrfguard.util.CsrfGuardUtils;
+import org.owasp.csrfguard.util.MessageConstants;
+
+import javax.servlet.http.HttpServletRequest;
+import java.time.LocalDateTime;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+public class TokenService {
+
+    private final CsrfGuard csrfGuard;
+
+    public TokenService(final CsrfGuard csrfGuard) {
+        this.csrfGuard = csrfGuard;
+    }
+
+    /**
+     * Invalidates the logical session and removes all tokens from the storage
+     *
+     * @param logicalSession a not null logical session implementation
+     */
+    public void invalidate(final LogicalSession logicalSession) {
+        final String logicalSessionKey = logicalSession.getKey();
+
+        final TokenHolder tokenHolder = this.csrfGuard.getTokenHolder();
+
+        tokenHolder.remove(logicalSessionKey);
+
+        logicalSession.invalidate();
+    }
+
+    /**
+     * Returns the master token assigned to the unique identifier extracted from the current request.
+     * This identifier could be for example the sessionId of the current user, or the username extracted from a JWT token
+     * <p>
+     *
+     * @param logicalSessionKey identifies the current logical session uniquely
+     * @return the master token
+     */
+    public String getMasterToken(final String logicalSessionKey) {
+        final TokenHolder tokenHolder = this.csrfGuard.getTokenHolder();
+
+        return getMasterToken(tokenHolder, logicalSessionKey);
+    }
+
+    /**
+     * Return the page tokens if the functionality is enabled and the client has already accessed a protected resource,
+     * or if the token pre-creation is enabled.
+     * <p>
+     * Note: this method returns a copy of the page tokens in order to prevent outside modification.
+     * <p>
+     *
+     * @param logicalSessionKey identifies the current logical session uniquely
+     * @return the page tokens or an empty map
+     */
+    public Map<String, String> getPageTokens(final String logicalSessionKey) {
+        final TokenHolder tokenHolder = this.csrfGuard.getTokenHolder();
+
+        return new HashMap<>(tokenHolder.getPageTokens(logicalSessionKey));
+    }
+
+    /**
+     * Generates master token and page token for the current resource if the token-per-page configuration is enabled
+     * <p>
+     *
+     * @param logicalSessionKey identifies the current logical session uniquely
+     * @param httpMethod        the current HTTP method used to request the resource
+     * @param requestURI        the URI of the desired HTTP resource
+     * @return returns the generated page or master token
+     */
+    public String generateTokensIfAbsent(final String logicalSessionKey, final String httpMethod, final String requestURI) {
+        final TokenHolder tokenHolder = this.csrfGuard.getTokenHolder();
+
+        if (this.csrfGuard.isTokenPerPageEnabled()) {
+            final ProtectionResult protectionResult = new CsrfValidator().isProtectedPageAndMethod(requestURI, httpMethod);
+            if (protectionResult.isProtected()) {
+                return tokenHolder.createPageTokenIfAbsent(logicalSessionKey, protectionResult.getResourceIdentifier(), TokenUtils::generateRandomToken);
+            }
+        }
+
+        return tokenHolder.createMasterTokenIfAbsent(logicalSessionKey, TokenUtils::generateRandomToken);
+    }
+
+    /**
+     * Creates master token if it does not exist already.
+     *
+     * @param logicalSessionKey identifies the current logical session uniquely
+     */
+    public void createMasterTokenIfAbsent(final String logicalSessionKey) {
+        final TokenHolder tokenHolder = this.csrfGuard.getTokenHolder();
+        tokenHolder.createMasterTokenIfAbsent(logicalSessionKey, TokenUtils::generateRandomToken);
+    }
+
+    /**
+     * Generates new random tokens for configured protected pages.
+     * This method creates a new master token if it did not exist previously.
+     * Existing page tokens with the same session key will be overwritten.
+     *
+     * @param logicalSessionKey identifies the current logical session uniquely
+     */
+    public void generateProtectedPageTokens(final String logicalSessionKey) {
+        final HashMap<String, String> generatedPageTokens = this.csrfGuard.getProtectedPages().stream()
+                                                                          .collect(Collectors.toMap(Function.identity(),
+                                                                                                    k -> TokenUtils.generateRandomToken(),
+                                                                                                    (a, b) -> b,
+                                                                                                    HashMap::new));
+        final TokenHolder tokenHolder = this.csrfGuard.getTokenHolder();
+
+        tokenHolder.createMasterTokenIfAbsent(logicalSessionKey, TokenUtils::generateRandomToken);
+        tokenHolder.setPageTokens(logicalSessionKey, generatedPageTokens);
+    }
+
+    /**
+     * Rotates the used master or the currently requested page token if the token-per-page functionality is enabled.
+     *
+     * @param logicalSessionKey identifies the current logical session uniquely
+     * @param requestURI        the URI of the desired HTTP resource
+     * @param usedValidToken    a verified token that has validated the current request
+     * @return a TokenTO transfer object containing the updated token values that will be sent back to the client
+     */
+    public TokenTO rotateUsedToken(final String logicalSessionKey, final String requestURI, final TokenBO usedValidToken) {
+        final TokenHolder tokenHolder = this.csrfGuard.getTokenHolder();
+
+        final String newTokenValue = TokenUtils.generateRandomToken();
+
+        if (usedValidToken.isUsedMasterToken()) {
+            tokenHolder.setMasterToken(logicalSessionKey, newTokenValue);
+            usedValidToken.setUpdatedMasterToken(newTokenValue);
+        } else {
+            tokenHolder.setPageToken(logicalSessionKey, requestURI, newTokenValue);
+            usedValidToken.setUpdatedPageToken(requestURI, newTokenValue);
+        }
+
+        return TokenMapper.toTransferObject(usedValidToken);
+    }
+
+    /**
+     * Rotates (re-generates) the master token and all page tokens if the token-per-page functionality is enabled.
+     *
+     * @param logicalSessionKey identifies the current logical session uniquely
+     */
+    public void rotateAllTokens(final String logicalSessionKey) {
+        final TokenHolder tokenHolder = this.csrfGuard.getTokenHolder();
+
+        tokenHolder.setMasterToken(logicalSessionKey, TokenUtils.generateRandomToken());
+
+        tokenHolder.rotateAllPageTokens(logicalSessionKey, TokenUtils::generateRandomToken);
+    }
+
+    /**
+     * Returns the master or the page token for the associated resource depending on whether the token-per-page
+     * configuration is enabled or not.
+     * <p>
+     * If the token does not currently exists, it creates a new one.
+     * <p>
+     *
+     * @param logicalSessionKey identifies the current logical session uniquely
+     * @param resourceUri       the URI of the desired HTTP resource
+     * @return a valid token for the specified resourceUri
+     */
+    public String getTokenValue(final String logicalSessionKey, final String resourceUri) {
+        final TokenHolder tokenHolder = this.csrfGuard.getTokenHolder();
+
+        return this.csrfGuard.isTokenPerPageEnabled() ? tokenHolder.createPageTokenIfAbsent(logicalSessionKey, resourceUri, TokenUtils::generateRandomToken)
+                                                      : tokenHolder.createMasterTokenIfAbsent(logicalSessionKey, TokenUtils::generateRandomToken);
+
+    }
+
+    /**
+     * Verifies the validity of the current request.
+     * <p>
+     *
+     * @param request           current HTTP Servlet Request
+     * @param resourceIdentifier the requested resource identifier
+     * @param logicalSessionKey identifies the current logical session uniquely
+     * @param masterToken       the master token
+     * @return The TokenBO business object that contains the updated tokens and the token used to validate the current request
+     * @throws CsrfGuardException if the request does not have a valid token associated
+     */
+    public TokenBO verifyToken(final HttpServletRequest request, final String resourceIdentifier, final String logicalSessionKey, final String masterToken) throws CsrfGuardException {
+        final String tokenName = this.csrfGuard.getTokenName();
+
+        final boolean isAjaxRequest = this.csrfGuard.isAjaxEnabled() && CsrfGuardUtils.isAjaxRequest(request);
+        final String tokenFromRequest = isAjaxRequest ? request.getHeader(tokenName) : request.getParameter(tokenName);
+        final TokenBO tokenBO;
+        if (Objects.isNull(tokenFromRequest)) {
+            throw new CsrfGuardException(MessageConstants.REQUEST_MISSING_TOKEN_MSG);
+        } else {
+            tokenBO = this.csrfGuard.isTokenPerPageEnabled() ? verifyPageToken(logicalSessionKey, masterToken, tokenFromRequest, resourceIdentifier, isAjaxRequest)
+                                                             : verifyMasterToken(masterToken, tokenFromRequest);
+        }
+
+        return tokenBO;
+    }
+
+    private String getMasterToken(final TokenHolder tokenHolder, final String tokenKey) {
+        final Token token = tokenHolder.getToken(tokenKey);
+        return Objects.nonNull(token) ? token.getMasterToken() : null;
+    }
+
+    private TokenBO verifyPageToken(final String logicalSessionKey, final String masterToken, final String tokenFromRequest, final String requestURI, final boolean isAjaxRequest) throws CsrfGuardException {
+        final TokenHolder tokenHolder = this.csrfGuard.getTokenHolder();
+
+        final Token token = tokenHolder.getToken(logicalSessionKey);
+        final PageTokenValue timedPageToken = token.getTimedPageToken(requestURI);
+
+        final TokenBO tokenBO;
+        if (timedPageToken == null) {
+            /* if there is no token for the current resource, create it and rely on the master token for validation */
+            final String newPageToken = TokenUtils.generateRandomToken();
+            tokenHolder.setPageToken(logicalSessionKey, requestURI, newPageToken);
+
+            tokenBO = verifyMasterToken(masterToken, tokenFromRequest).setUpdatedPageToken(requestURI, newPageToken);
+        } else {
+            final String pageToken = timedPageToken.getValue();
+            if (pageToken.equals(tokenFromRequest)) {
+                tokenBO = new TokenBO().setUsedPageToken(tokenFromRequest);
+            } else if (initIsWithinTimeTolerance(this.csrfGuard, isAjaxRequest, timedPageToken)) {
+                tokenBO = verifyMasterToken(masterToken, tokenFromRequest).setUpdatedPageToken(requestURI, pageToken);
+            } else {
+                /* TODO Is this necessary? If the Rotate action is registered, the exception handler will call it and re-generate the tokens */
+                if (masterToken.equals(pageToken)) {
+                    tokenHolder.setMasterToken(logicalSessionKey, TokenUtils.generateRandomToken());
+                }
+
+                tokenHolder.regenerateUsedPageToken(logicalSessionKey, tokenFromRequest, TokenUtils::generateRandomToken);
+
+                throw new CsrfGuardException(MessageConstants.MISMATCH_PAGE_TOKEN_MSG);
+            }
+        }
+        return tokenBO;
+    }
+
+    /**
+     * The race condition only happens in case of AJAX requests when the token pre-creation is not enabled.
+     * NOTE: If the combination of the Token Rotation and AJAX support will be implemented, this logic must also be adjusted.
+     * @return true if the page token creation is within the configured time tolerance and the application should also accept the master token for validation
+     */
+    private boolean initIsWithinTimeTolerance(final CsrfGuard csrfGuard, final boolean isAjaxRequest, final PageTokenValue tokenTimedPageToken) {
+        return isAjaxRequest
+               && !csrfGuard.isTokenPerPagePrecreate()
+               && tokenTimedPageToken.getCreationTime().plus(this.csrfGuard.getPageTokenSynchronizationTolerance()).isBefore(LocalDateTime.now());
+    }
+
+    private TokenBO verifyMasterToken(final String storedToken, final String tokenFromRequest) throws CsrfGuardException {
+        if (storedToken.equals(tokenFromRequest)) {
+            return new TokenBO().setUsedMasterToken(tokenFromRequest);
+        } else {
+            throw new CsrfGuardException(MessageConstants.MISMATCH_MASTER_TOKEN_MSG);
+        }
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/LogicalSessionExtractor.java b/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/LogicalSessionExtractor.java
new file mode 100644
index 0000000..1a67d1a
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/LogicalSessionExtractor.java
@@ -0,0 +1,53 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.token.storage;
+
+import org.owasp.csrfguard.session.LogicalSession;
+
+import javax.servlet.http.HttpServletRequest;
+
+public interface LogicalSessionExtractor {
+
+    /**
+     * Returns a logical session implementation based on the information extracted from the current HTTP request or null if that was not possible
+     *
+     * @param httpServletRequest current request
+     *
+     * @return a logical session created based on the current request or null if that was not possible
+     */
+    LogicalSession extract(final HttpServletRequest httpServletRequest);
+
+    /**
+     * Returns a logical session implementation based on the information extracted from the current HTTP request or creates a new one
+     *
+     * @param httpServletRequest current request
+     * @return logical session implementation based on the information extracted from the current HTTP request or creates a new one
+     */
+    LogicalSession extractOrCreate(HttpServletRequest httpServletRequest);
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/Token.java b/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/Token.java
new file mode 100644
index 0000000..9312ca2
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/Token.java
@@ -0,0 +1,105 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.token.storage;
+
+import org.owasp.csrfguard.token.storage.impl.PageTokenValue;
+
+import java.util.Map;
+import java.util.function.Supplier;
+
+/**
+ * TODO
+ */
+public interface Token {
+
+    /**
+     * TODO
+     * @return
+     */
+    String getMasterToken();
+
+    /**
+     * TODO
+     * @param masterToken
+     */
+    void setMasterToken(final String masterToken);
+
+    /**
+     * TODO
+     * @param uri
+     * @return
+     */
+    String getPageToken(final String uri);
+
+    /**
+     * TODO
+     * @param uri
+     * @return
+     */
+    PageTokenValue getTimedPageToken(final String uri);
+
+    /**
+     * TODO
+     * @param uri
+     * @param pageToken
+     */
+    void setPageToken(final String uri, final String pageToken);
+
+    /**
+     * TODO
+     * @param uri
+     * @param valueSupplier
+     * @return
+     */
+    String setPageTokenIfAbsent(final String uri, final Supplier<String> valueSupplier);
+
+    /**
+     * TODO
+     * @return
+     */
+    Map<String, String> getPageTokens();
+
+    /**
+     * TODO
+     * @param pageTokens
+     */
+    void setPageTokens(final Map<String, String> pageTokens);
+
+    /**
+     * TODO
+     * @param tokenValueSupplier
+     */
+    void rotateAllPageTokens(final Supplier<String> tokenValueSupplier);
+
+    /**
+     * TODO is it worth the added performance penalty in case of a large application with a lot of pages? What would be the risk if this would be contextual to the assigned resource?
+     * Disposes the current token from all the stored valid page tokens, disregarding to which resource it was assigned and replaces with a newly generated one.
+     */
+    void regenerateUsedPageToken(final String tokenFromRequest, final Supplier<String> tokenValueSupplier);
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/TokenHolder.java b/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/TokenHolder.java
new file mode 100644
index 0000000..b28db64
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/TokenHolder.java
@@ -0,0 +1,140 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.token.storage;
+
+import org.owasp.csrfguard.token.service.TokenService;
+
+import java.util.Map;
+import java.util.function.Supplier;
+
+/**
+ * Interface used for storing and manipulating tokens across the solution.
+ *
+ * Methods of this class should only be used through the {@link TokenService} and its relevant subclass(es)
+ */
+public interface TokenHolder {
+
+    /**
+     * Sets or overwrites the master token bound to a specific session key.
+     * It does not overwrite the session key associated page tokens.
+     *
+     * @param sessionKey identifies the current logical session uniquely
+     * @param value the value to be used as master token
+     */
+    void setMasterToken(final String sessionKey, final String value);
+
+    /**
+     * Creates and returns a new master token bound to the provided session key if there wasn't any or returns the existing value.
+     *
+     * @param sessionKey    identifies the current logical session uniquely
+     * @param valueSupplier produces a new master token value lazily/on demand
+     * @return the created master token
+     */
+    String createMasterTokenIfAbsent(final String sessionKey, final Supplier<String> valueSupplier);
+
+    /**
+     * Creates and returns a new page token bound to the provided resource URI and mapped to the session key if there wasn't any or returns the existing value.
+     *
+     * If there are no tokens associated to the session key it also creates a new master token.
+     *
+     * @param sessionKey    identifies the current logical session uniquely
+     * @param resourceUri   the URI of the desired HTTP resource
+     * @param valueSupplier produces a new page token value lazily/on demand
+     * @return the existing or newly created page token
+     */
+    String createPageTokenIfAbsent(String sessionKey, String resourceUri, Supplier<String> valueSupplier);
+
+    /**
+     * Returns the master and page tokens associated to a logical session key
+     *
+     * @param sessionKey identifies the current logical session uniquely
+     * @return a token object containing the master and page tokens
+     */
+    Token getToken(final String sessionKey);
+
+    /**
+     * Returns the page token based on the desired HTTP resource URI and logical session key
+     *
+     * @param sessionKey  identifies the current logical session uniquely
+     * @param resourceUri the URI of the desired HTTP resource
+     * @return a page token bound to a resource URI and associated to a logical session key
+     * or NULL if there is no token with identified by the session key
+     */
+    String getPageToken(String sessionKey, String resourceUri);
+
+    /**
+     * Sets the value of a page token based on the desired HTTP resource URI and logical session key
+     *
+     * @param sessionKey  identifies the current logical session uniquely
+     * @param resourceUri the URI of the desired HTTP resource
+     * @param value the value to be used as token for the page
+     */
+    void setPageToken(String sessionKey, String resourceUri, String value);
+
+    /**
+     * Sets/overwrites the page tokens with the provided values
+     *
+     * @param sessionKey identifies the current logical session uniquely
+     * @param pageTokens page tokens mapped to their resource URIs
+     */
+    void setPageTokens(final String sessionKey, final Map<String, String> pageTokens);
+
+    /**
+     * Returns all page tokens associated to the provided logical session key
+     *
+     * @param sessionKey identifies the current logical session uniquely
+     * @return page tokens mapped to their resource URIs
+     */
+    Map<String, String> getPageTokens(String sessionKey);
+
+    /**
+     * Removes all tokens related to a specific logical session key
+     *
+     * @param sessionKey identifies the current logical session uniquely
+     */
+    void remove(String sessionKey);
+
+    /**
+     * Re-generates all existing tokens associated to the provided logical session key
+     *
+     * @param sessionKey identifies the current logical session uniquely
+     * @param tokenValueSupplier produces a new page token value lazily/on demand
+     */
+    void rotateAllPageTokens(final String sessionKey, final Supplier<String> tokenValueSupplier);
+
+    /**
+     * Re-generates the value of a used page token
+     *
+     * @param sessionKey       identifies the current logical session uniquely
+     * @param tokenFromRequest the token extracted from the request
+     * @param tokenValueSupplier produces a new page token value lazily/on demand
+     */
+    void regenerateUsedPageToken(final String sessionKey, final String tokenFromRequest, final Supplier<String> tokenValueSupplier);
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/impl/InMemoryToken.java b/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/impl/InMemoryToken.java
new file mode 100644
index 0000000..cdb9c47
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/impl/InMemoryToken.java
@@ -0,0 +1,122 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.token.storage.impl;
+
+import org.apache.commons.lang3.tuple.Pair;
+import org.owasp.csrfguard.token.storage.Token;
+
+import java.util.Map;
+import java.util.Objects;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.function.Supplier;
+import java.util.stream.Collectors;
+
+public class InMemoryToken implements Token {
+
+    private String masterToken;
+    private Map<String, PageTokenValue> pageTokens;
+
+    public InMemoryToken(final String masterToken) {
+        this(masterToken, new ConcurrentHashMap<>());
+    }
+
+    public InMemoryToken(final String masterToken, final Pair<String, String> pageToken) {
+        this(masterToken, toMap(pageToken));
+    }
+
+    private InMemoryToken(final String masterToken, final Map<String, PageTokenValue> pageTokens) {
+        Objects.requireNonNull(masterToken, "Master token cannot be null");
+        Objects.requireNonNull(pageTokens, "Page tokens cannot be null");
+
+        this.masterToken = masterToken;
+        this.pageTokens = new ConcurrentHashMap<>(pageTokens);
+    }
+
+    @Override
+    public String getMasterToken() {
+        return this.masterToken;
+    }
+
+    @Override
+    public void setMasterToken(final String masterToken) {
+        this.masterToken = masterToken;
+    }
+
+    @Override
+    public String getPageToken(final String uri) {
+        return this.pageTokens.get(uri).getValue();
+    }
+
+    @Override
+    public PageTokenValue getTimedPageToken(final String uri) {
+        return this.pageTokens.get(uri);
+    }
+
+    @Override
+    public void setPageToken(final String uri, final String pageToken) {
+        this.pageTokens.put(uri, PageTokenValue.from(pageToken));
+    }
+
+    @Override
+    public String setPageTokenIfAbsent(final String uri, final Supplier<String> valueSupplier) {
+        return this.pageTokens.computeIfAbsent(uri, k -> PageTokenValue.from(valueSupplier.get())).getValue();
+    }
+
+    @Override
+    public Map<String, String> getPageTokens() {
+        return this.pageTokens.entrySet().stream().collect(Collectors.toMap(Map.Entry::getKey,
+                                                                            e -> e.getValue().getValue()));
+    }
+
+    @Override
+    public void setPageTokens(final Map<String, String> pageTokens) {
+        this.pageTokens = pageTokens.entrySet().stream()
+                                    .collect(Collectors.toMap(Map.Entry::getKey,
+                                                              e -> PageTokenValue.from(e.getValue()),
+                                                              (e1, e2) -> e2,
+                                                              ConcurrentHashMap::new
+                                                             ));
+    }
+
+    @Override
+    public void rotateAllPageTokens(final Supplier<String> tokenValueSupplier) {
+        this.pageTokens.entrySet().forEach(e -> e.setValue(PageTokenValue.from(tokenValueSupplier.get())));
+    }
+
+    @Override
+    public void regenerateUsedPageToken(final String tokenFromRequest, final Supplier<String> tokenValueSupplier) {
+        this.pageTokens.replaceAll((k, v) -> v.getValue().equals(tokenFromRequest) ? PageTokenValue.from(tokenValueSupplier.get()) : v);
+    }
+
+    private static Map<String, PageTokenValue> toMap(final Pair<String, String> pageToken) {
+        final Map<String, PageTokenValue> pageTokens = new ConcurrentHashMap<>();
+        pageTokens.put(pageToken.getKey(), PageTokenValue.from(pageToken.getValue()));
+        return pageTokens;
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/impl/InMemoryTokenHolder.java b/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/impl/InMemoryTokenHolder.java
new file mode 100644
index 0000000..f002636
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/impl/InMemoryTokenHolder.java
@@ -0,0 +1,132 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.token.storage.impl;
+
+import org.apache.commons.lang3.tuple.Pair;
+import org.owasp.csrfguard.token.storage.Token;
+import org.owasp.csrfguard.token.storage.TokenHolder;
+
+import java.util.Map;
+import java.util.Objects;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.function.Supplier;
+
+public class InMemoryTokenHolder implements TokenHolder {
+
+    private static final Map<String, Token> TOKENS = new ConcurrentHashMap<>();
+
+    public InMemoryTokenHolder() {}
+
+    @Override
+    public void setMasterToken(final String sessionKey, final String value) {
+        TOKENS.compute(sessionKey, (k, v) -> {
+            final Token result;
+            if (Objects.isNull(v)) {
+                result = new InMemoryToken(value);
+            } else {
+                v.setMasterToken(value);
+                result = v;
+            }
+            return result;
+        });
+    }
+
+    @Override
+    public String createMasterTokenIfAbsent(final String sessionKey, final Supplier<String> valueSupplier) {
+        final Token token = TOKENS.computeIfAbsent(sessionKey, k -> new InMemoryToken(valueSupplier.get()));
+        return token.getMasterToken();
+    }
+
+    @Override
+    public String createPageTokenIfAbsent(final String sessionKey, final String resourceUri, final Supplier<String> valueSupplier) {
+        final Token token = TOKENS.get(sessionKey);
+        if (Objects.isNull(token)) {
+            final String newPageToken = valueSupplier.get();
+            TOKENS.computeIfAbsent(sessionKey, k -> new InMemoryToken(valueSupplier.get(), Pair.of(resourceUri, newPageToken)));
+            return newPageToken;
+        } else {
+            return token.setPageTokenIfAbsent(resourceUri, valueSupplier);
+        }
+    }
+
+    @Override
+    public Token getToken(final String sessionKey) {
+        return TOKENS.get(sessionKey);
+    }
+
+    @Override
+    public String getPageToken(final String sessionKey, final String resourceUri) {
+        final Token token = TOKENS.get(sessionKey);
+
+        return Objects.nonNull(token) ? token.getPageToken(resourceUri) : null;
+    }
+
+    @Override
+    public void setPageToken(final String sessionKey, final String resourceUri, final String value) {
+        getTokenOrException(sessionKey).setPageToken(resourceUri, value);
+    }
+
+    @Override
+    public void setPageTokens(final String sessionKey, final Map<String, String> pageTokens) {
+        getTokenOrException(sessionKey).setPageTokens(pageTokens);
+    }
+
+    @Override
+    public Map<String, String> getPageTokens(final String sessionKey) {
+        return getTokenOrException(sessionKey).getPageTokens();
+    }
+
+    @Override
+    public void remove(final String sessionKey) {
+        TOKENS.remove(sessionKey);
+    }
+
+    @Override
+    public void rotateAllPageTokens(final String sessionKey, final Supplier<String> tokenValueSupplier) {
+        final Token token = getTokenOrException(sessionKey);
+        token.rotateAllPageTokens(tokenValueSupplier);
+    }
+
+    @Override
+    public void regenerateUsedPageToken(final String sessionKey, final String tokenFromRequest, final Supplier<String> tokenValueSupplier) {
+        final Token token = getTokenOrException(sessionKey);
+        token.regenerateUsedPageToken(tokenFromRequest, tokenValueSupplier);
+    }
+
+    private Token getTokenOrException(final String sessionKey) {
+        final Token token = TOKENS.get(sessionKey);
+
+        if (Objects.isNull(token)) {
+            throw new IllegalStateException("Token with the provided session key does not exist!");
+        } else {
+            return token;
+        }
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/impl/PageTokenValue.java b/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/impl/PageTokenValue.java
new file mode 100644
index 0000000..f958071
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/token/storage/impl/PageTokenValue.java
@@ -0,0 +1,62 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.token.storage.impl;
+
+import java.time.LocalDateTime;
+
+public final class PageTokenValue {
+
+    private final String pageTokenValue;
+    private final LocalDateTime localDateTime;
+
+    private PageTokenValue(final String pageTokenValue) {
+        this(pageTokenValue, LocalDateTime.now());
+    }
+
+    private PageTokenValue(final String pageTokenValue, final LocalDateTime localDateTime) {
+        this.pageTokenValue = pageTokenValue;
+        this.localDateTime = localDateTime;
+    }
+
+    public static PageTokenValue from(final String pageTokenValue) {
+        return new PageTokenValue(pageTokenValue);
+    }
+
+    public static PageTokenValue from(final String pageTokenValue, final LocalDateTime localDateTime) {
+        return new PageTokenValue(pageTokenValue, localDateTime);
+    }
+
+    public String getValue() {
+        return this.pageTokenValue;
+    }
+
+    public LocalDateTime getCreationTime() {
+        return this.localDateTime;
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/token/transferobject/TokenTO.java b/csrfguard/src/main/java/org/owasp/csrfguard/token/transferobject/TokenTO.java
new file mode 100644
index 0000000..ab285b1
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/token/transferobject/TokenTO.java
@@ -0,0 +1,64 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.token.transferobject;
+
+import com.google.gson.Gson;
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.Collections;
+import java.util.Map;
+
+public class TokenTO {
+
+    private final String masterToken;
+
+    private final Map<String, String> pageTokens;
+
+    public TokenTO(final String masterToken) {
+        this(masterToken, Collections.emptyMap());
+    }
+
+    public TokenTO(final Map<String, String> pageTokens) {
+        this(null, pageTokens);
+    }
+
+    public TokenTO(final String masterToken, final Map<String, String> pageTokens) {
+        this.masterToken = masterToken;
+        this.pageTokens = pageTokens;
+    }
+
+    public boolean isEmpty() {
+        return StringUtils.isBlank(this.masterToken) && this.pageTokens.isEmpty();
+    }
+
+    @Override
+    public String toString() {
+        return new Gson().toJson(this);
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/util/BrowserEncoder.java b/csrfguard/src/main/java/org/owasp/csrfguard/util/BrowserEncoder.java
index bbd1e43..ba8e02c 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/util/BrowserEncoder.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/util/BrowserEncoder.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,63 +26,71 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.util;
 
 public final class BrowserEncoder {
 
 	private BrowserEncoder() {
-		/** enforce use of static methods **/
+		/* enforce use of static methods */
 	}
 
 	@Override
 	public Object clone() throws CloneNotSupportedException {
 		throw new CloneNotSupportedException();
 	}
-	
-	public static String encodeForHtml(String s) {
-		StringBuilder sb = new StringBuilder();
-		int len = (s == null ? -1 : s.length());
-		
-		for(int i=0; i<len; i++) {
-			char c = s.charAt(i);
-			
-			if(c == '&') {
-				sb.append("&amp;");
-			} else if(c == '<') {
-				sb.append("&lt;");
-			} else if(c == '>') {
-				sb.append("&gt;");
-			} else if(c == '"') {
-				sb.append("&quot;");
-			} else if(c == '\'') {
-				sb.append("&#x27;");
-			} else if(c == '/') {
-				sb.append("&#x2F;");
-			} else {
-				sb.append(c);
+
+	public static String encodeForHtml(final String s) {
+		final StringBuilder stringBuilder = new StringBuilder();
+		final int length = (s == null ? -1 : s.length());
+
+		for (int i = 0; i < length; i++) {
+			final char c = s.charAt(i);
+
+			switch (c) {
+				case '&':
+					stringBuilder.append("&amp;");
+					break;
+				case '<':
+					stringBuilder.append("&lt;");
+					break;
+				case '>':
+					stringBuilder.append("&gt;");
+					break;
+				case '"':
+					stringBuilder.append("&quot;");
+					break;
+				case '\'':
+					stringBuilder.append("&#x27;");
+					break;
+				case '/':
+					stringBuilder.append("&#x2F;");
+					break;
+				default:
+					stringBuilder.append(c);
+					break;
 			}
 		}
-		
-		return sb.toString();
+
+		return stringBuilder.toString();
 	}
-	
-	public static String encodeForAttribute(String s) {
-		StringBuilder sb = new StringBuilder();
-		int len = (s == null ? -1 : s.length());
-		
-		for(int i=0; i<len; i++) {
-			char c = s.charAt(i);
-			
-			if(c < 256 && !Character.isLetterOrDigit((int)c)) {
+
+	public static String encodeForAttribute(final String s) {
+		final StringBuilder sb = new StringBuilder();
+		final int len = (s == null ? -1 : s.length());
+
+		for (int i = 0; i < len; i++) {
+			final char c = s.charAt(i);
+
+			if (c < 256 && !Character.isLetterOrDigit((int) c)) {
 				sb.append("&#");
-				sb.append((int)c);
+				sb.append((int) c);
 				sb.append(';');
 			} else {
 				sb.append(c);
 			}
 		}
-		
+
 		return sb.toString();
 	}
-	
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/util/CsrfGuardPropertiesToStringBuilder.java b/csrfguard/src/main/java/org/owasp/csrfguard/util/CsrfGuardPropertiesToStringBuilder.java
new file mode 100644
index 0000000..9c0a4ce
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/util/CsrfGuardPropertiesToStringBuilder.java
@@ -0,0 +1,271 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.util;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.builder.RecursiveToStringStyle;
+import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
+import org.apache.commons.lang3.builder.ToStringBuilder;
+import org.owasp.csrfguard.action.IAction;
+
+import java.security.SecureRandom;
+import java.time.Duration;
+import java.util.Collection;
+import java.util.Objects;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+public class CsrfGuardPropertiesToStringBuilder extends ReflectionToStringBuilder {
+
+    private static final String PREFIX_CHARACTER = "*";
+    private static final String PREFIX = PREFIX_CHARACTER + StringUtils.SPACE;
+    private static final int CONFIG_DELIMITER_LENGTH = 60;
+    private static final String NEW_LINE = System.lineSeparator();
+
+    private static final Function<String, String> FIELD_NAME_TRANSFORMER = fieldName -> StringUtils.capitalize(StringUtils.join(StringUtils.splitByCharacterTypeCamelCase(fieldName), StringUtils.SPACE));
+
+    private static final String[] FIELDS_TO_EXCLUDE = {"propertiesCache"};
+
+    public CsrfGuardPropertiesToStringBuilder(final Object object) {
+        super(object, new CustomStyle());
+        setExcludeFieldNames(FIELDS_TO_EXCLUDE);
+    }
+
+    @Override
+    public String toString() {
+        final String marginals = Stream.generate(() -> PREFIX_CHARACTER).limit(CONFIG_DELIMITER_LENGTH).collect(Collectors.joining(StringUtils.EMPTY, NEW_LINE, NEW_LINE));
+
+        return marginals
+               + PREFIX + "OWASP CSRFGuard properties" + NEW_LINE
+               + NEW_LINE
+               + PREFIX + super.toString()
+               + marginals;
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final boolean value) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), value);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final boolean[] array) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final boolean[] array, final boolean fullDetail) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array, fullDetail);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final byte value) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), value);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final byte[] array) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final byte[] array, final boolean fullDetail) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array, fullDetail);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final char value) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), value);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final char[] array) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final char[] array, final boolean fullDetail) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array, fullDetail);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final double value) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), value);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final double[] array) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final double[] array, final boolean fullDetail) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array, fullDetail);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final float value) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), value);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final float[] array) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final float[] array, final boolean fullDetail) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array, fullDetail);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final int value) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), value);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final int[] array) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final int[] array, final boolean fullDetail) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array, fullDetail);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final long value) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), value);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final long[] array) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final long[] array, final boolean fullDetail) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array, fullDetail);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final Object obj) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), obj);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final Object obj, final boolean fullDetail) {
+        final Object value = customToString(obj);
+        return Objects.isNull(value) ? this
+                                     : super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), value, fullDetail);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final Object[] array) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final Object[] array, final boolean fullDetail) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array, fullDetail);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final short value) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), value);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final short[] array) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array);
+    }
+
+    @Override
+    public ToStringBuilder append(final String fieldName, final short[] array, final boolean fullDetail) {
+        return super.append(FIELD_NAME_TRANSFORMER.apply(fieldName), array, fullDetail);
+    }
+
+    private Object customToString(final Object obj) {
+        return customToString(obj, StringUtils.EMPTY);
+    }
+
+    private Object customToString(final Object obj, final String prefixOffset) {
+        final Object result;
+        if (Objects.isNull(obj)) {
+            result = null;
+        } else {
+            final String className = obj.getClass().getName();
+            if (obj instanceof Collection) {
+                result = handleCollections((Collection<?>) obj);
+            } else if (obj instanceof SecureRandom) {
+                final SecureRandom secureRandom = (SecureRandom) obj;
+                result = String.format("%s(algorithm: %s, provider: %s)", secureRandom.getClass().getName(), secureRandom.getAlgorithm(), secureRandom.getProvider());
+            } else if (obj instanceof Duration) {
+                result = ((Duration) obj).toMillis() + " ms";
+            } else if (obj instanceof IAction) {
+                result = handleActions((IAction) obj, prefixOffset);
+            } else if (className.startsWith("org.owasp.csrfguard")) { // TODO extract and reuse
+                result = className;
+            } else {
+                result = obj;
+            }
+        }
+        return result;
+    }
+
+    private Object handleActions(final IAction action, final String prefixOffset) {
+        final String parameters = action.getParameterMap().entrySet().stream()
+                                        .map(e -> String.format("%s\t%sParameter: %s = %s", prefixOffset, PREFIX, e.getKey(), e.getValue()))
+                                        .collect(Collectors.joining(NEW_LINE));
+
+        final String actionString = action.getClass().getName();
+        return StringUtils.isBlank(parameters) ? actionString
+                                               : actionString + NEW_LINE + parameters;
+    }
+
+    private Object handleCollections(final Collection<?> collection) {
+        return collection.isEmpty() ? null
+                                    : collection.stream()
+                                                .map(element -> NEW_LINE + '\t' + PREFIX + customToString(element, "\t"))
+                                                .collect(Collectors.joining());
+    }
+
+    private static class CustomStyle extends RecursiveToStringStyle {
+        public CustomStyle() {
+            super();
+
+            setUseClassName(false);
+            setUseIdentityHashCode(false);
+            setFieldSeparator(NEW_LINE + PREFIX);
+            setFieldNameValueSeparator(':' + StringUtils.SPACE);
+            setContentStart(StringUtils.EMPTY);
+            setContentEnd(StringUtils.EMPTY);
+        }
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/util/CsrfGuardUtils.java b/csrfguard/src/main/java/org/owasp/csrfguard/util/CsrfGuardUtils.java
index 4db32bf..0f702c1 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/util/CsrfGuardUtils.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/util/CsrfGuardUtils.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,1410 +26,134 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.util;
 
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.config.overlay.ConfigPropertiesCascadeCommonUtils;
+import org.owasp.csrfguard.token.transferobject.TokenTO;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.PrintWriter;
-import java.io.Reader;
-import java.io.StringWriter;
-import java.io.Writer;
-import java.lang.annotation.Annotation;
-import java.lang.reflect.Array;
-import java.lang.reflect.Field;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
-import java.lang.reflect.Modifier;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-
-import javax.servlet.ServletConfig;
-import javax.xml.stream.XMLStreamException;
-import javax.xml.stream.XMLStreamWriter;
+import java.nio.charset.Charset;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.Objects;
 
 /**
- *
+ * Various utility methods/helpers.
  */
-public class CsrfGuardUtils {
-
-	private CsrfGuardUtils() {}
-
-	/**
-	 * for a url, get the protocol and domain, e.g. for url https://a.b/path, will return https://a.b
-	 * @param url a string representing a URL
-	 * @param includeProtocol
-	 * @return the path with or without the protocol
-	 */
-	public static String httpProtocolAndDomain(String url, boolean includeProtocol) {
-		if (includeProtocol) {
-			return httpProtocolAndDomain(url);
-		}
-
-		return httpProtocolAndDomain(url.replaceFirst("^(http[s]?)://",""));
-	}
-
-	/**
-	 * for a url, get the protocol and domain, e.g. for url https://a.b/path, will return https://a.b
-	 * @param url a string representing a URL
-	 * @return the protocol and path
-	 */
-	public static String httpProtocolAndDomain(String url) {
-		int firstSlashAfterProtocol = url.indexOf('/', 8);
-		if (firstSlashAfterProtocol < 0) {
-			//must not have a path
-			return url;
-		}
-
-		return url.substring(0, firstSlashAfterProtocol);
-	}
-
-	/**
-	 * helper method for calling a method with no params (could be in
-	 * superclass)
-	 *
-	 * @param theClass
-	 *            the class which has the method
-	 * @param invokeOn
-	 *            to call on or null for static
-	 * @param methodName
-	 *            method name to call
-	 * @return the data
-	 */
-	public static Object callMethod(Class theClass, Object invokeOn,
-			String methodName) {
-		return callMethod(theClass, invokeOn, methodName, null, null);
-	}
-
-	/**
-	 * helper method for calling a method (could be in superclass)
-	 *
-	 * @param theClass
-	 *            the class which has the method
-	 * @param invokeOn
-	 *            to call on or null for static
-	 * @param methodName
-	 *            method name to call
-	 * @param paramTypesOrArrayOrList
-	 *            types of the params
-	 * @param paramsOrListOrArray
-	 *            data
-	 * @return the data
-	 */
-	public static Object callMethod(Class theClass, Object invokeOn,
-			String methodName, Object paramTypesOrArrayOrList,
-			Object paramsOrListOrArray) {
-		return callMethod(theClass, invokeOn, methodName,
-				paramTypesOrArrayOrList, paramsOrListOrArray, true);
-	}
-
-	/**
-	 * helper method for calling a method
-	 *
-	 * @param theClass
-	 *            the class which has the method
-	 * @param invokeOn
-	 *            to call on or null for static
-	 * @param methodName
-	 *            method name to call
-	 * @param paramTypesOrArrayOrList
-	 *            types of the params
-	 * @param paramsOrListOrArray
-	 *            data
-	 * @param callOnSupers
-	 *            if static and method not exists, try on supers
-	 * @return the data
-	 */
-	public static Object callMethod(Class theClass, Object invokeOn,
-			String methodName, Object paramTypesOrArrayOrList,
-			Object paramsOrListOrArray, boolean callOnSupers) {
-		return callMethod(theClass, invokeOn, methodName,
-				paramTypesOrArrayOrList, paramsOrListOrArray, callOnSupers,
-				false);
-	}
-
-	/**
-	 * helper method for calling a method
-	 *
-	 * @param theClass
-	 *            the class which has the method
-	 * @param invokeOn
-	 *            to call on or null for static
-	 * @param methodName
-	 *            method name to call
-	 * @param paramTypesOrArrayOrList
-	 *            types of the params
-	 * @param paramsOrListOrArray
-	 *            data
-	 * @param callOnSupers
-	 *            if static and method not exists, try on supers
-	 * @param overrideSecurity
-	 *            true to call on protected or private etc methods
-	 * @return the data
-	 */
-	public static Object callMethod(Class theClass, Object invokeOn,
-			String methodName, Object paramTypesOrArrayOrList,
-			Object paramsOrListOrArray, boolean callOnSupers,
-			boolean overrideSecurity) {
-		try {
-			Method method = null;
-
-			Class[] paramTypesArray = (Class[]) toArray(paramTypesOrArrayOrList);
-
-			try {
-				method = theClass.getDeclaredMethod(methodName, paramTypesArray);
-				if (overrideSecurity) {
-					method.setAccessible(true);
-				}
-			} catch (Exception e) {
-				// if method not found
-				if (e instanceof NoSuchMethodException) {
-					// if traversing up, and not Object, and not instance method
-					// CH 070425 not sure why invokeOn needs to be null, removing
-					// this
-					if (callOnSupers /* && invokeOn == null */
-							&& !theClass.equals(Object.class)) {
-						return callMethod(theClass.getSuperclass(), invokeOn,
-								methodName, paramTypesOrArrayOrList,
-								paramsOrListOrArray, callOnSupers, overrideSecurity);
-					}
-				}
-				throw new RuntimeException("Problem calling method " + methodName
-						+ " on " + theClass.getName(), e);
-			}
-
-			return invokeMethod(method, invokeOn, paramsOrListOrArray);
-		} catch (RuntimeException re) {
-			String message = "Problem calling method " + methodName
-					+ " on " + (theClass == null ? null : theClass.getName());
-			if (injectInException(re, message)) {
-				throw re;
-			}
-			throw new RuntimeException(message, re);
-		}
-	}
-
-
-	/**
-	 * <pre>Returns the class object.</pre>
-	 * @param origClassName is fully qualified
-	 * @return the class
-	 */
-	public static Class forName(String origClassName) {
-
-		try {
-			return Class.forName(origClassName);
-		} catch (Throwable t) {
-			throw new RuntimeException("Problem loading class: " + origClassName, t);
-		}
-
-	}
-
-	public static String getInitParameter(ServletConfig servletConfig, String name, 
-			String configFileDefaultParamValue, String defaultValue) {
-		String value = servletConfig.getInitParameter(name);
-
-		if (value == null || "".equals(value.trim())) {
-			value = configFileDefaultParamValue;
-		}
-
-		if (value == null || "".equals(value.trim())) {
-			value = defaultValue;
-		}
-
-		return value;
-	}
-
-	public static String readResourceFileContent(String resourceName, boolean errorIfNotFound) {
-		InputStream is = null;
-
-		try {
-			is = CsrfGuardUtils.class.getClassLoader().getResourceAsStream(resourceName);
-			if(is == null) {
-				if (errorIfNotFound) {
-					throw new IllegalStateException("Could not find resource " + resourceName);
-				}
-				//not error if not found?  then null
-				return null;
-			}
-			return readInputStreamContent(is);
-		} finally {
-			Streams.close(is);
-		}
-	}
-	public static String readFileContent(String fileName) {
-		InputStream is = null;
-
-		try {
-			is = new FileInputStream(fileName);
-			return readInputStreamContent(is);
-		} catch (IOException ioe) {
-			throw new RuntimeException(ioe);
-		} finally {	
-			Streams.close(is);
-		}
-	}
-	public static String readInputStreamContent(InputStream is) {
-		StringBuilder sb = new StringBuilder();
-
-		try {
-			int i;
-
-			while ((i = is.read()) > 0) {
-				sb.append((char) i);
-			}
-		} catch (IOException ioe) {
-			throw new RuntimeException(ioe);
-		}
-
-		return sb.toString();
-	}
-
-	/**
-	 * If we can, inject this into the exception, else return false
-	 * @param t the throwable
-	 * @param message the method to inject
-	 * @return true if success, false if not
-	 */
-	public static boolean injectInException(Throwable t, String message) {
-
-		//this is the field for sun java 1.5
-		String throwableFieldName = "detailMessage";
-
-		try {
-			String currentValue = t.getMessage();
-			if (!isBlank(currentValue)) {
-				currentValue += ",\n" + message;
-			} else {
-				currentValue = message;
-			}
-			assignField(t, throwableFieldName, currentValue);
-			return true;
-		} catch (Throwable t2) {
-			//dont worry about what the problem is, return false so the caller can log
-			return false;
-		}
-
-	}
-
-	/**
-	 * See if the input is null or if string, if it is empty or blank (whitespace)
-	 * @param input the object being tested for blank
-	 * @return true if blank
-	 */
-	public static boolean isBlank(Object input) {
-		if (null == input) {
-			return true;
-		}
-		return (input instanceof String && isBlank((String)input));
-	}
-
-	/**
-	 * <p>Checks if a String is whitespace, empty ("") or null.</p>
-	 *
-	 * <pre>
-	 * isBlank(null)      = true
-	 * isBlank("")        = true
-	 * isBlank(" ")       = true
-	 * isBlank("bob")     = false
-	 * isBlank("  bob  ") = false
-	 * </pre>
-	 *
-	 * @param str  the String to check, may be null
-	 * @return <code>true</code> if the String is null, empty or whitespace
-	 * @since 2.0
-	 */
-	public static boolean isBlank(String str) {
-		int strLen;
-		if (str == null || (strLen = str.length()) == 0) {
-			return true;
-		}
-		for (int i = 0; i < strLen; i++) {
-			if ((Character.isWhitespace(str.charAt(i)) == false)) {
-				return false;
-			}
-		}
-		return true;
-	}
-
-	/**
-	 * assign data to a field
-	 *
-	 * @param theClass
-	 *            the class which has the method
-	 * @param invokeOn
-	 *            to call on or null for static
-	 * @param fieldName
-	 *            method name to call
-	 * @param dataToAssign
-	 *            data
-	 * @param callOnSupers
-	 *            if static and method not exists, try on supers
-	 * @param overrideSecurity
-	 *            true to call on protected or private etc methods
-	 * @param typeCast
-	 *            true if we should typecast
-	 * @param annotationWithValueOverride
-	 *            annotation with value of override
-	 */
-	public static void assignField(Class theClass, Object invokeOn,
-			String fieldName, Object dataToAssign, boolean callOnSupers,
-			boolean overrideSecurity, boolean typeCast,
-			Class<? extends Annotation> annotationWithValueOverride) {
-		if (theClass == null && invokeOn != null) {
-			theClass = invokeOn.getClass();
-		}
-		Field field = field(theClass, fieldName, callOnSupers, true);
-		assignField(field, invokeOn, dataToAssign, overrideSecurity, typeCast,
-				annotationWithValueOverride);
-	}
-
-	/**
-	 * Convert a list to an array with the type of the first element e.g. if it
-	 * is a list of Person objects, then the array is Person[]
-	 *
-	 * @param objectOrArrayOrCollection
-	 *            is a list
-	 * @return the array of objects with type of the first element in the list
-	 */
-	public static Object toArray(Object objectOrArrayOrCollection) {
-		// do this before length since if array with null in it, we want ti get
-		// it back
-		if (objectOrArrayOrCollection != null
-				&& objectOrArrayOrCollection.getClass().isArray()) {
-			return objectOrArrayOrCollection;
-		}
-		int length = length(objectOrArrayOrCollection);
-		if (length == 0) {
-			return null;
-		}
-
-		if (objectOrArrayOrCollection instanceof Collection) {
-			Collection collection = (Collection) objectOrArrayOrCollection;
-			Object first = collection.iterator().next();
-			return toArray(collection, first == null ? Object.class : first
-					.getClass());
-		}
-		// make an array of the type of object passed in, size one
-		Object array = Array.newInstance(objectOrArrayOrCollection.getClass(),
-				1);
-		Array.set(array, 0, objectOrArrayOrCollection);
-		return array;
-	}
-
-	/**
-	 * Null safe array length or map
-	 *
-	 * @param arrayOrCollection an arrar, Collection, or Map
-	 * @return the length of the array (0 for null, 1 for non-array non-collection objects)
-	 */
-	public static int length(Object arrayOrCollection) {
-		if (arrayOrCollection == null) {
-			return 0;
-		}
-		if (arrayOrCollection.getClass().isArray()) {
-			return Array.getLength(arrayOrCollection);
-		}
-		if (arrayOrCollection instanceof Collection) {
-			return ((Collection) arrayOrCollection).size();
-		}
-		if (arrayOrCollection instanceof Map) {
-			return ((Map) arrayOrCollection).size();
-		}
-		// simple non array non collection object
-		return 1;
-	}
-
-	/**
-	 * convert a list into an array of type of theClass
-	 * @param <T> is the type of the array
-	 * @param collection list to convert
-	 * @param theClass type of array to return
-	 * @return array of type theClass[] filled with the objects from list
-	 */
-	@SuppressWarnings("unchecked")
-	public static <T> T[] toArray(Collection collection, Class<T> theClass) {
-		if (collection == null || collection.size() == 0) {
-			return null;
-		}
-
-		return (T[])collection.toArray((Object[]) Array.newInstance(theClass,
-				collection.size()));
-
-	}
-
-	/**
-	 * assign data to a field. Will find the field in superclasses, will
-	 * typecast, and will override security (private, protected, etc)
-	 *
-	 * @param invokeOn
-	 *            to call on or null for static
-	 * @param fieldName
-	 *            method name to call
-	 * @param dataToAssign
-	 *            data
-	 */
-	public static void assignField(Object invokeOn, String fieldName,
-			Object dataToAssign) {
-		assignField(null, invokeOn, fieldName, dataToAssign, true, true, true,
-				null);
-	}
-
-	/** pass this in the invokeOn to signify no params */
-	private static final Object NO_PARAMS = new Object();
-
-	/**
-	 * Safely invoke a reflection method that takes no args
-	 *
-	 * @param method
-	 *            to invoke
-	 * @param invokeOn the object on which to invoke the method
-	 * if NO_PARAMS then will not pass in params.
-	 * @return the result
-	 */
-	public static Object invokeMethod(Method method, Object invokeOn) {
-		return invokeMethod(method, invokeOn, NO_PARAMS);
-	}
-
-	/**
-	 * Safely invoke a reflection method
-	 *
-	 * @param method
-	 *            to invoke
-	 * @param invokeOn the object on which to invoke the method
-	 * @param paramsOrListOrArray must be an arg.  If null, will pass null.
-	 * if NO_PARAMS then will not pass in params.
-	 * @return the result
-	 */
-	public static Object invokeMethod(Method method, Object invokeOn,
-			Object paramsOrListOrArray) {
-
-		Object[] args = paramsOrListOrArray == NO_PARAMS ? null : (Object[]) toArray(paramsOrListOrArray);
-
-		//we want to make sure things are accessible
-		method.setAccessible(true);
-
-		//only if the method exists, try to execute
-		Object result = null;
-		Exception e = null;
-		try {
-			result = method.invoke(invokeOn, args);
-		} catch (IllegalAccessException iae) {
-			e = iae;
-		} catch (IllegalArgumentException iae) {
-			e = iae;
-		} catch (InvocationTargetException ite) {
-			//this means the underlying call caused exception... its ok if runtime
-			if (ite.getCause() instanceof RuntimeException) {
-				throw (RuntimeException)ite.getCause();
-			}
-			//else throw as invocation target...
-			e = ite;
-		}
-		if (e != null) {
-			throw new RuntimeException("Cant execute reflection method: "
-					+ method.getName() + ", on: " + className(invokeOn)
-					+ ", with args: " + classNameCollection(args), e);
-		}
-		return result;
-	}
-
-	/**
-	 * null safe classname method, gets the unenhanced name
-	 *
-	 * @param object the object for which to get the class name
-	 * @return the classname
-	 */
-	public static String className(Object object) {
-		return object == null ? null : object.getClass()
-				.getName();
-	}
-
-	/**
-	 * null safe classname method, max out at 20
-	 *
-	 * @param object the collection
-	 * @return the classname
-	 */
-	public static String classNameCollection(Object object) {
-		if (object == null) {
-			return null;
-		}
-		StringBuffer result = new StringBuffer();
-
-		Iterator iterator = iterator(object);
-		int length = length(object);
-		for (int i = 0; i < length && i < 20; i++) {
-			result.append(className(next(object, iterator, i)));
-			if (i != length - 1) {
-				result.append(", ");
-			}
-		}
-		return result.toString();
-	}
-
-	/**
-	 * null safe iterator getter if the type if collection
-	 *
-	 * @param collection the collection for which to return an iterator
-	 * @return the iterator
-	 */
-	public static Iterator iterator(Object collection) {
-		if (collection == null) {
-			return null;
-		}
-		// array list doesn't need an iterator
-		if (collection instanceof Collection
-				&& !(collection instanceof ArrayList)) {
-			return ((Collection) collection).iterator();
-		}
-		return null;
-	}
-
-	/**
-	 * If array, get the element based on index, if Collection, get it based on
-	 * iterator.
-	 *
-	 * @param arrayOrCollection an array, ArraList, or Collection
-	 * @param iterator the iterator for the collection
-	 * @param index the index into the array
-	 * @return the object at the specified index or iterator.next()
-	 */
-	public static Object next(Object arrayOrCollection, Iterator iterator,
-			int index) {
-		if (arrayOrCollection.getClass().isArray()) {
-			return Array.get(arrayOrCollection, index);
-		}
-		if (arrayOrCollection instanceof ArrayList) {
-			return ((ArrayList) arrayOrCollection).get(index);
-		}
-		if (arrayOrCollection instanceof Collection) {
-			return iterator.next();
-		}
-		// simple object
-		if (0 == index) {
-			return arrayOrCollection;
-		}
-		throw new RuntimeException("Invalid class type: "
-				+ arrayOrCollection.getClass().getName());
-	}
-
-	/**
-	 * assign data to a field
-	 *
-	 * @param field
-	 *            is the field to assign to
-	 * @param invokeOn
-	 *            to call on or null for static
-	 * @param dataToAssign
-	 *            data
-	 * @param overrideSecurity
-	 *            true to call on protected or private etc methods
-	 * @param typeCast
-	 *            true if we should typecast
-	 * @param annotationWithValueOverride
-	 *            annotation with value of override, or null if none
-	 */
-	@SuppressWarnings("unchecked")
-	public static void assignField(Field field, Object invokeOn,
-			Object dataToAssign, boolean overrideSecurity, boolean typeCast,
-			Class<? extends Annotation> annotationWithValueOverride) {
-
-		if (annotationWithValueOverride != null) {
-			// see if in annotation
-			Annotation annotation = field
-					.getAnnotation(annotationWithValueOverride);
-			if (annotation != null) {
-
-				// type of the value, or String if not specific Class
-				// typeOfAnnotationValue = typeCast ? field.getType() :
-				// String.class; dataToAssign =
-				// AnnotationUtils.retrieveAnnotationValue(
-				// typeOfAnnotationValue, annotation, "value");
-
-				throw new RuntimeException("Not supported");
-			}
-		}
-		assignField(field, invokeOn, dataToAssign, overrideSecurity, typeCast);
-	}
-
-	/**
-	 * get a field object for a class, potentially in superclasses
-	 *
-	 * @param theClass the class containing the desired field
-	 * @param fieldName the name of the field
-	 * @param callOnSupers
-	 *            true if superclasses should be looked in for the field
-	 * @param throwExceptionIfNotFound
-	 *            will throw runtime exception if not found
-	 * @return the field object or null if not found (or exception if param is
-	 *         set)
-	 */
-	public static Field field(Class theClass, String fieldName,
-			boolean callOnSupers, boolean throwExceptionIfNotFound) {
-		try {
-			Field field = theClass.getDeclaredField(fieldName);
-			// found it
-			return field;
-		} catch (NoSuchFieldException e) {
-			// if method not found
-			// if traversing up, and not Object, and not instance method
-			if (callOnSupers && !theClass.equals(Object.class)) {
-				return field(theClass.getSuperclass(), fieldName, callOnSupers,
-						throwExceptionIfNotFound);
-			}
-		}
-		// maybe throw an exception
-		if (throwExceptionIfNotFound) {
-			throw new RuntimeException("Cant find field: " + fieldName
-					+ ", in: " + theClass + ", callOnSupers: " + callOnSupers);
-		}
-		return null;
-	}
-
-	/**
-	 * assign data to a field
-	 *
-	 * @param field
-	 *            is the field to assign to
-	 * @param invokeOn
-	 *            to call on or null for static
-	 * @param dataToAssign
-	 *            data
-	 * @param overrideSecurity
-	 *            true to call on protected or private etc methods
-	 * @param typeCast
-	 *            true if we should typecast
-	 */
-	public static void assignField(Field field, Object invokeOn,
-			Object dataToAssign, boolean overrideSecurity, boolean typeCast) {
-
-		try {
-			Class fieldType = field.getType();
-			// typecast
-			if (typeCast) {
-				dataToAssign =
-						typeCast(dataToAssign, fieldType,
-								true, true);
-			}
-			if (overrideSecurity) {
-				field.setAccessible(true);
-			}
-			field.set(invokeOn, dataToAssign);
-		} catch (Exception e) {
-			throw new RuntimeException("Cant assign reflection field: "
-					+ (field == null ? null : field.getName()) + ", on: "
-					+ className(invokeOn) + ", with args: "
-					+ classNameCollection(dataToAssign), e);
-		}
-	}
-
-	/**
-	 * If necessary, convert an object to another type.  if type is Object.class, just return the input.
-	 * Do not convert null to an empty primitive
-	 * @param <T> is template type
-	 * @param value the value object
-	 * @param theClass the class type
-	 * @return the object of that instance converted into something else
-	 */
-	public static <T> T typeCast(Object value, Class<T> theClass) {
-		//default behavior is not to convert null to empty primitive
-		return typeCast(value, theClass, false, false);
-	}
-
-	/**
-	 * If necessary, convert an object to another type.  if type is Object.class, just return the input
-	 * @param <T> is the type to return
-	 * @param value the value object
-	 * @param theClass the class type
-	 * @param convertNullToDefaultPrimitive if the value is null, and theClass is primitive, should we
-	 * convert the null to a primitive default value
-	 * @param useNewInstanceHooks if theClass is not recognized, then honor the string "null", "newInstance",
-	 * or get a constructor with one param, and call it
-	 * @return the object of that instance converted into something else
-	 */
-	@SuppressWarnings("unchecked")
-	public static <T> T typeCast(Object value, Class<T> theClass,
-			boolean convertNullToDefaultPrimitive, boolean useNewInstanceHooks) {
-
-		if (Object.class.equals(theClass)) {
-			return (T)value;
-		}
-
-		if (value==null) {
-			if (convertNullToDefaultPrimitive && theClass.isPrimitive()) {
-				if ( theClass == boolean.class ) {
-					return (T)Boolean.FALSE;
-				}
-				if ( theClass == char.class ) {
-					return (T)(Object)0;
-				}
-				//convert 0 to the type
-				return typeCast(0, theClass, false, false);
-			}
-			return null;
-		}
-
-		if (theClass.isInstance(value)) {
-			return (T)value;
-		}
-
-		//if array, get the base class
-		if (theClass.isArray() && theClass.getComponentType() != null) {
-			theClass = (Class<T>)theClass.getComponentType();
-		}
-		Object resultValue = null;
-		if (theClass.equals(String.class)) {
-			resultValue = value == null ? null : value.toString();
-		} else if (theClass.equals(value.getClass())) {
-			resultValue = value;
-		} else {
-			throw new RuntimeException("Cannot convert from type: " + value.getClass() + " to type: " + theClass);
-		}
-
-		return (T)resultValue;
-	}
-
-	/**
-	 * Construct a class
-	 * @param <T> template type
-	 * @param theClass the class on which to invoke newInstance()
-	 * @return the instance
-	 */
-	public static <T> T newInstance(Class<T> theClass) {
-		try {
-			return theClass.newInstance();
-		} catch (Throwable e) {
-			if (theClass != null && Modifier.isAbstract(theClass.getModifiers())) {
-				throw new RuntimeException("Problem with class: " + theClass + ", maybe because it is abstract!", e);
-			}
-			throw new RuntimeException("Problem with class: " + theClass, e);
-		}
-	}
-
-	/**
-	 * close a connection null safe and don't throw exception
-	 * @param connection the connection to close
-	 */
-	public static void closeQuietly(Connection connection) {
-		if (connection != null) {
-			try {
-				connection.close();
-			} catch (Exception e) {
-				//ignore
-			}
-		}
-	}
-
-	/**
-	 * Unconditionally close an <code>InputStream</code>.
-	 * Equivalent to {@link InputStream#close()}, except any exceptions will be ignored.
-	 * @param input A (possibly null) InputStream
-	 */
-	public static void closeQuietly(InputStream input) {
-		if (input == null) {
-			return;
-		}
-
-		try {
-			input.close();
-		} catch (IOException ioe) {
-		}
-	}
-
-	/**
-	 * Unconditionally close an <code>OutputStream</code>.
-	 * Equivalent to {@link OutputStream#close()}, except any exceptions will be ignored.
-	 * @param output A (possibly null) OutputStream
-	 */
-	public static void closeQuietly(OutputStream output) {
-		if (output == null) {
-			return;
-		}
-
-		try {
-			output.close();
-		} catch (IOException ioe) {
-		}
-	}
-
-	/**
-	 * Unconditionally close an <code>Reader</code>.
-	 * Equivalent to {@link Reader#close()}, except any exceptions will be ignored.
-	 *
-	 * @param input A (possibly null) Reader to close
-	 */
-	public static void closeQuietly(Reader input) {
-		if (input == null) {
-			return;
-		}
-
-		try {
-			input.close();
-		} catch (IOException ioe) {
-		}
-	}
-
-	/**
-	 * close a resultSet null safe and dont throw exception
-	 * @param resultSet the result set to close
-	 */
-	public static void closeQuietly(ResultSet resultSet) {
-		if (resultSet != null) {
-			try {
-				resultSet.close();
-			} catch (Exception e) {
-				//ignore
-			}
-		}
-	}
-
-	/**
-	 * close a statement null safe and dont throw exception
-	 * @param statement the statement to close
-	 */
-	public static void closeQuietly(Statement statement) {
-		if (statement != null) {
-			try {
-				statement.close();
-			} catch (Exception e) {
-				//ignore
-			}
-		}
-	}
-
-	/**
-	 * close a writer quietly
-	 * @param writer the writer to close
-	 */
-	public static void closeQuietly(Writer writer) {
-		if (writer != null) {
-			try {
-				writer.close();
-			} catch (IOException e) {
-				//swallow, its ok
-			}
-		}
-	}
-
-	/**
-	 * close a writer quietly
-	 * @param writer the xml stream writer to close
-	 */
-	public static void closeQuietly(XMLStreamWriter writer) {
-		if (writer != null) {
-			try {
-				writer.close();
-			} catch (XMLStreamException e) {
-				//swallow, its ok
-			}
-		}
-	}
-
-	/**
-	 * print out various types of objects
-	 *
-	 * @param object the object for which to generate a string representation
-	 * @return the string value
-	 */
-	public static String toStringForLog(Object object) {
-	  StringBuilder result = new StringBuilder();
-	  toStringForLogHelper(object, -1, result);
-	  return result.toString();
-	}
-
-	/**
-	 * print out various types of objects
-	 *
-	 * @param object the object for which to generate a string representation
-	 * @param maxChars is the max chars that should be returned (abbreviate if longer), or -1 for any amount
-	 * @return the string value
-	 */
-	public static String toStringForLog(Object object, int maxChars) {
-	  StringBuilder result = new StringBuilder();
-	  toStringForLogHelper(object, -1, result);
-	  String resultString = result.toString();
-	  if (maxChars != -1) {
-	    return abbreviate(resultString, maxChars);
-	  }
-	  return resultString;
-	}
-
-	/**
-	 * print out various types of objects
-	 *
-	 * @param object the object for which to generate a string representation
-	 * @param maxChars is where it should stop when figuring out object.  note, result might be longer than max...
-	 * need to abbreviate when back
-	 * @param result is where to append to
-	 */
-	private static void toStringForLogHelper(Object object, int maxChars, StringBuilder result) {
-	
-	  try {
-	    if (object == null) {
-	      result.append("null");
-	    } else if (object.getClass().isArray()) {
-	      // handle arrays
-	      int length = Array.getLength(object);
-	      if (length == 0) {
-	        result.append("Empty array");
-	      } else {
-	        result.append("Array size: ").append(length).append(": ");
-	        for (int i = 0; i < length; i++) {
-	          result.append("[").append(i).append("]: ").append(
-	              toStringForLog(Array.get(object, i), maxChars)).append("\n");
-	          if (maxChars != -1 && result.length() > maxChars) {
-	            return;
-	          }
-	        }
-	      }
-	    } else if (object instanceof Collection) {
-	      //give size and type if collection
-	      Collection<Object> collection = (Collection<Object>) object;
-	      int collectionSize = collection.size();
-	      if (collectionSize == 0) {
-	        result.append("Empty ").append(object.getClass().getSimpleName());
-	      } else {
-	        result.append(object.getClass().getSimpleName()).append(" size: ").append(collectionSize).append(": ");
-	        int i=0;
-	        for (Object collectionObject : collection) {
-	          result.append("[").append(i).append("]: ").append(
-	              toStringForLog(collectionObject, maxChars)).append("\n");
-	          if (maxChars != -1 && result.length() > maxChars) {
-	            return;
-	          }
-	          i++;
-	        }
-	      }
-	    } else {
-	      result.append(object.toString());
-	    }
-	  } catch (Exception e) {
-	    result.append("<<exception>> ").append(object.getClass()).append(":\n")
-	      .append(getFullStackTrace(e)).append("\n");
-	  }
-	}
-
-	/**
-	 * <p>Abbreviates a String using ellipses. This will turn
-	 * "Now is the time for all good men" into "Now is the time for..."</p>
-	 *
-	 * <p>Specifically:</p>
-	 * <ul>
-	 *   <li>If <code>str</code> is less than <code>maxWidth</code> characters
-	 *       long, return it.</li>
-	 *   <li>Else abbreviate it to <code>(substring(str, 0, max-3) + "...")</code>.</li>
-	 *   <li>If <code>maxWidth</code> is less than <code>4</code>, throw an
-	 *       <code>IllegalArgumentException</code>.</li>
-	 *   <li>In no case will it return a String of length greater than
-	 *       <code>maxWidth</code>.</li>
-	 * </ul>
-	 *
-	 * <pre>
-	 * StringUtils.abbreviate(null, *)      = null
-	 * StringUtils.abbreviate("", 4)        = ""
-	 * StringUtils.abbreviate("abcdefg", 6) = "abc..."
-	 * StringUtils.abbreviate("abcdefg", 7) = "abcdefg"
-	 * StringUtils.abbreviate("abcdefg", 8) = "abcdefg"
-	 * StringUtils.abbreviate("abcdefg", 4) = "a..."
-	 * StringUtils.abbreviate("abcdefg", 3) = IllegalArgumentException
-	 * </pre>
-	 *
-	 * @param str  the String to check, may be null
-	 * @param maxWidth  maximum length of result String, must be at least 4
-	 * @return abbreviated String, <code>null</code> if null String input
-	 * @throws IllegalArgumentException if the width is too small
-	 * @since 2.0
-	 */
-	public static String abbreviate(String str, int maxWidth) {
-	  return abbreviate(str, 0, maxWidth);
-	}
-
-	/**
-	 * <p>Abbreviates a String using ellipses. This will turn
-	 * "Now is the time for all good men" into "...is the time for..."</p>
-	 *
-	 * <p>Works like <code>abbreviate(String, int)</code>, but allows you to specify
-	 * a "left edge" offset.  Note that this left edge is not necessarily going to
-	 * be the leftmost character in the result, or the first character following the
-	 * ellipses, but it will appear somewhere in the result.
-	 *
-	 * <p>In no case will it return a String of length greater than
-	 * <code>maxWidth</code>.</p>
-	 *
-	 * <pre>
-	 * StringUtils.abbreviate(null, *, *)                = null
-	 * StringUtils.abbreviate("", 0, 4)                  = ""
-	 * StringUtils.abbreviate("abcdefghijklmno", -1, 10) = "abcdefg..."
-	 * StringUtils.abbreviate("abcdefghijklmno", 0, 10)  = "abcdefg..."
-	 * StringUtils.abbreviate("abcdefghijklmno", 1, 10)  = "abcdefg..."
-	 * StringUtils.abbreviate("abcdefghijklmno", 4, 10)  = "abcdefg..."
-	 * StringUtils.abbreviate("abcdefghijklmno", 5, 10)  = "...fghi..."
-	 * StringUtils.abbreviate("abcdefghijklmno", 6, 10)  = "...ghij..."
-	 * StringUtils.abbreviate("abcdefghijklmno", 8, 10)  = "...ijklmno"
-	 * StringUtils.abbreviate("abcdefghijklmno", 10, 10) = "...ijklmno"
-	 * StringUtils.abbreviate("abcdefghijklmno", 12, 10) = "...ijklmno"
-	 * StringUtils.abbreviate("abcdefghij", 0, 3)        = IllegalArgumentException
-	 * StringUtils.abbreviate("abcdefghij", 5, 6)        = IllegalArgumentException
-	 * </pre>
-	 *
-	 * @param str  the String to check, may be null
-	 * @param offset  left edge of source String
-	 * @param maxWidth  maximum length of result String, must be at least 4
-	 * @return abbreviated String, <code>null</code> if null String input
-	 * @throws IllegalArgumentException if the width is too small
-	 * @since 2.0
-	 */
-	public static String abbreviate(String str, int offset, int maxWidth) {
-	  if (str == null) {
-	    return null;
-	  }
-	  if (maxWidth < 4) {
-	    throw new IllegalArgumentException("Minimum abbreviation width is 4");
-	  }
-	  if (str.length() <= maxWidth) {
-	    return str;
-	  }
-	  if (offset > str.length()) {
-	    offset = str.length();
-	  }
-	  if ((str.length() - offset) < (maxWidth - 3)) {
-	    offset = str.length() - (maxWidth - 3);
-	  }
-	  if (offset <= 4) {
-	    return str.substring(0, maxWidth - 3) + "...";
-	  }
-	  if (maxWidth < 7) {
-	    throw new IllegalArgumentException("Minimum abbreviation width with offset is 7");
-	  }
-	  if ((offset + (maxWidth - 3)) < str.length()) {
-	    return "..." + abbreviate(str.substring(offset), maxWidth - 3);
-	  }
-	  return "..." + str.substring(str.length() - (maxWidth - 3));
-	}
-
-	/**
-	 * <p>A way to get the entire nested stack-trace of an throwable.</p>
-	 *
-	 * @param throwable  the <code>Throwable</code> to be examined
-	 * @return the nested stack trace, with the root cause first
-	 * @since 2.0
-	 */
-	public static String getFullStackTrace(Throwable throwable) {
-	    StringWriter sw = new StringWriter();
-	    PrintWriter pw = new PrintWriter(sw, true);
-	    Throwable[] ts = getThrowables(throwable);
-	    for (int i = 0; i < ts.length; i++) {
-	        ts[i].printStackTrace(pw);
-	        if (isNestedThrowable(ts[i])) {
-	            break;
-	        }
-	    }
-	    return sw.getBuffer().toString();
-	}
-
-	/**
-	 * <p>Returns the list of <code>Throwable</code> objects in the
-	 * exception chain.</p>
-	 *
-	 * <p>A throwable without cause will return an array containing
-	 * one element - the input throwable.
-	 * A throwable with one cause will return an array containing
-	 * two elements. - the input throwable and the cause throwable.
-	 * A <code>null</code> throwable will return an array size zero.</p>
-	 *
-	 * @param throwable  the throwable to inspect, may be null
-	 * @return the array of throwables, never null
-	 */
-	public static Throwable[] getThrowables(Throwable throwable) {
-	    List list = new ArrayList();
-	    while (throwable != null) {
-	        list.add(throwable);
-	        throwable = getCause(throwable);
-	    }
-	    return (Throwable[]) list.toArray(new Throwable[list.size()]);
-	}
-
-	/**
-	 * <p>Checks whether this <code>Throwable</code> class can store a cause.</p>
-	 *
-	 * <p>This method does <b>not</b> check whether it actually does store a cause.<p>
-	 *
-	 * @param throwable  the <code>Throwable</code> to examine, may be null
-	 * @return boolean <code>true</code> if nested otherwise <code>false</code>
-	 * @since 2.0
-	 */
-	public static boolean isNestedThrowable(Throwable throwable) {
-	    if (throwable == null) {
-	        return false;
-	    }
-	
-	    if (throwable instanceof SQLException) {
-	        return true;
-	    } else if (throwable instanceof InvocationTargetException) {
-	        return true;
-	    } else if (isThrowableNested()) {
-	        return true;
-	    }
-	
-	    Class cls = throwable.getClass();
-	    for (int i = 0, isize = CAUSE_METHOD_NAMES.length; i < isize; i++) {
-	        try {
-	            Method method = cls.getMethod(CAUSE_METHOD_NAMES[i], (Class[])null);
-	            if (method != null && Throwable.class.isAssignableFrom(method.getReturnType())) {
-	                return true;
-	            }
-	        } catch (NoSuchMethodException ignored) {
-	        } catch (SecurityException ignored) {
-	        }
-	    }
-	
-	    try {
-	        Field field = cls.getField("detail");
-	        if (field != null) {
-	            return true;
-	        }
-	    } catch (NoSuchFieldException ignored) {
-	    } catch (SecurityException ignored) {
-	    }
-	
-	    return false;
-	}
-
-	/**
-	 * <p>The names of methods commonly used to access a wrapped exception.</p>
-	 */
-	private static String[] CAUSE_METHOD_NAMES = {
-	    "getCause",
-	    "getNextException",
-	    "getTargetException",
-	    "getException",
-	    "getSourceException",
-	    "getRootCause",
-	    "getCausedByException",
-	    "getNested",
-	    "getLinkedException",
-	    "getNestedException",
-	    "getLinkedCause",
-	    "getThrowable",
-	};
+public final class CsrfGuardUtils {
+
+    private CsrfGuardUtils() {}
+
+    /**
+     * for a url, get the protocol and domain, e.g. for url https://a.b/path, will return https://a.b
+     *
+     * @param url             a string representing a URL
+     * @param includeProtocol whether to include the HTTP or HTTPS protocol in the result
+     * @return the path with or without the protocol
+     */
+    public static String httpProtocolAndDomain(final String url, final boolean includeProtocol) {
+        if (includeProtocol) {
+            return httpProtocolAndDomain(url);
+        }
 
-	/**
-	 * <p>Introspects the <code>Throwable</code> to obtain the cause.</p>
-	 *
-	 * <p>The method searches for methods with specific names that return a
-	 * <code>Throwable</code> object. This will pick up most wrapping exceptions,
-	 * including those from JDK 1.4, and Apache Commons Lang&#8482; 
-	 * <a href="https://commons.apache.org/proper/commons-lang/javadocs/api-2.6/org/apache/commons/lang/exception/NestableException.html">
-	 * NestableException</a>.
-	 *
-	 * <p>The default list searched for are:</p>
-	 * <ul>
-	 *  <li><code>getCause()</code></li>
-	 *  <li><code>getNextException()</code></li>
-	 *  <li><code>getTargetException()</code></li>
-	 *  <li><code>getException()</code></li>
-	 *  <li><code>getSourceException()</code></li>
-	 *  <li><code>getRootCause()</code></li>
-	 *  <li><code>getCausedByException()</code></li>
-	 *  <li><code>getNested()</code></li>
-	 * </ul>
-	 *
-	 * <p>In the absence of any such method, the object is inspected for a
-	 * <code>detail</code> field assignable to a <code>Throwable</code>.</p>
-	 *
-	 * <p>If none of the above is found, returns <code>null</code>.</p>
-	 *
-	 * @param throwable  the throwable to introspect for a cause, may be null
-	 * @return the cause of the <code>Throwable</code>,
-	 *  <code>null</code> if none found or null throwable input
-	 * @since 1.0
-	 */
-	public static Throwable getCause(Throwable throwable) {
-	    return getCause(throwable, CAUSE_METHOD_NAMES);
-	}
+        return httpProtocolAndDomain(url.replaceFirst("^(http[s]?)://", StringUtils.EMPTY));
+    }
 
-	/**
-	 * <p>Introspects the <code>Throwable</code> to obtain the cause.</p>
-	 *
-	 * <ol>
-	 * <li>Try known exception types.</li>
-	 * <li>Try the supplied array of method names.</li>
-	 * <li>Try the field 'detail'.</li>
-	 * </ol>
-	 *
-	 * <p>A <code>null</code> set of method names means use the default set.
-	 * A <code>null</code> in the set of method names will be ignored.</p>
-	 *
-	 * @param throwable  the throwable to introspect for a cause, may be null
-	 * @param methodNames  the method names, null treated as default set
-	 * @return the cause of the <code>Throwable</code>,
-	 *  <code>null</code> if none found or null throwable input
-	 * @since 1.0
-	 */
-	public static Throwable getCause(Throwable throwable, String[] methodNames) {
-	    if (throwable == null) {
-	        return null;
-	    }
-	    Throwable cause = getCauseUsingWellKnownTypes(throwable);
-	    if (cause == null) {
-	        if (methodNames == null) {
-	            methodNames = CAUSE_METHOD_NAMES;
-	        }
-	        for (int i = 0; i < methodNames.length; i++) {
-	            String methodName = methodNames[i];
-	            if (methodName != null) {
-	                cause = getCauseUsingMethodName(throwable, methodName);
-	                if (cause != null) {
-	                    break;
-	                }
-	            }
-	        }
-	
-	        if (cause == null) {
-	            cause = getCauseUsingFieldName(throwable, "detail");
-	        }
-	    }
-	    return cause;
-	}
+    /**
+     * <pre>Returns the class object.</pre>
+     *
+     * @param origClassName is fully qualified
+     * @return the class
+     */
+    public static <T> Class<T> forName(final String origClassName) {
+        try {
+            return (Class<T>) Class.forName(origClassName);
+        } catch (final Throwable t) {
+            throw new RuntimeException("Problem loading class: " + origClassName, t);
+        }
+    }
 
-	/**
-	 * <p>Finds a <code>Throwable</code> by field name.</p>
-	 *
-	 * @param throwable  the exception to examine
-	 * @param fieldName  the name of the attribute to examine
-	 * @return the wrapped exception, or <code>null</code> if not found
-	 */
-	private static Throwable getCauseUsingFieldName(Throwable throwable, String fieldName) {
-	    Field field = null;
-	    try {
-	        field = throwable.getClass().getField(fieldName);
-	    } catch (NoSuchFieldException ignored) {
-	    } catch (SecurityException ignored) {
-	    }
-	
-	    if (field != null && Throwable.class.isAssignableFrom(field.getType())) {
-	        try {
-	            return (Throwable) field.get(throwable);
-	        } catch (IllegalAccessException ignored) {
-	        } catch (IllegalArgumentException ignored) {
-	        }
-	    }
-	    return null;
-	}
+    public static String readResourceFileContent(final String resourceName) {
+        try (final InputStream inputStream = CsrfGuardUtils.class.getClassLoader().getResourceAsStream(resourceName)) {
+            if (inputStream == null) {
+                throw new IllegalStateException("Could not find resource " + resourceName);
+            } else {
+                return readInputStreamContent(inputStream);
+            }
+        } catch (final IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
 
-	/**
-	 * <p>Finds a <code>Throwable</code> by method name.</p>
-	 *
-	 * @param throwable  the exception to examine
-	 * @param methodName  the name of the method to find and invoke
-	 * @return the wrapped exception, or <code>null</code> if not found
-	 */
-	private static Throwable getCauseUsingMethodName(Throwable throwable, String methodName) {
-	    Method method = null;
-	    try {
-	        method = throwable.getClass().getMethod(methodName, (Class[])null);
-	    } catch (NoSuchMethodException ignored) {
-	    } catch (SecurityException ignored) {
-	    }
-	
-	    if (method != null && Throwable.class.isAssignableFrom(method.getReturnType())) {
-	        try {
-	            return (Throwable) method.invoke(throwable, EMPTY_OBJECT_ARRAY);
-	        } catch (IllegalAccessException ignored) {
-	        } catch (IllegalArgumentException ignored) {
-	        } catch (InvocationTargetException ignored) {
-	        }
-	    }
-	    return null;
-	}
+    public static String readFileContent(final String fileNameWithAbsolutePath) {
+        try (final InputStream inputStream = new FileInputStream(fileNameWithAbsolutePath)) {
+            return readInputStreamContent(inputStream);
+        } catch (final IOException ioe) {
+            throw new RuntimeException(ioe);
+        }
+    }
 
-	/**
-	 * <p>Finds a <code>Throwable</code> for known types.</p>
-	 *
-	 * <p>Uses <code>instanceof</code> checks to examine the exception,
-	 * looking for well known types which could contain chained or
-	 * wrapped exceptions.</p>
-	 *
-	 * @param throwable  the exception to examine
-	 * @return the wrapped exception, or <code>null</code> if not found
-	 */
-	private static Throwable getCauseUsingWellKnownTypes(Throwable throwable) {
-		if (throwable instanceof SQLException) {
-	        return ((SQLException) throwable).getNextException();
-	    } else if (throwable instanceof InvocationTargetException) {
-	        return ((InvocationTargetException) throwable).getTargetException();
-	    } else {
-	        return null;
-	    }
-	}
+    /**
+     * Construct a class
+     *
+     * @param <T>      template type
+     * @param theClass the class on which to invoke newInstance()
+     * @return the instance
+     */
+    public static <T> T newInstance(final Class<T> theClass) {
+        return ConfigPropertiesCascadeCommonUtils.newInstance(theClass);
+    }
 
-	/**
-	 * <p>The Method object for JDK1.4 getCause.</p>
-	 */
-	private static final Method THROWABLE_CAUSE_METHOD;
-	static {
-	  Method getCauseMethod;
-	  try {
-	      getCauseMethod = Throwable.class.getMethod("getCause", (Class[])null);
-	  } catch (Exception e) {
-	      getCauseMethod = null;
-	  }
-	  THROWABLE_CAUSE_METHOD = getCauseMethod;
-	}
+    public static void addResponseTokenHeader(final CsrfGuard csrfGuard, final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse, final TokenTO tokenTO) {
+        if (csrfGuard.isAjaxEnabled() && CsrfGuardUtils.isAjaxRequest(httpServletRequest)) {
+            if (!tokenTO.isEmpty()) {
+                httpServletResponse.setHeader(csrfGuard.getTokenName(), tokenTO.toString());
+            }
+        }
+    }
 
-	/**
-	 * <p>Checks if the Throwable class has a <code>getCause</code> method.</p>
-	 *
-	 * <p>This is true for JDK 1.4 and above.</p>
-	 *
-	 * @return true if Throwable is nestable
-	 * @since 2.0
-	 */
-	public static boolean isThrowableNested() {
-	    return THROWABLE_CAUSE_METHOD != null;
-	}
+    public static boolean isAjaxRequest(final HttpServletRequest request) {
+        final Enumeration<String> headers = request.getHeaders("X-Requested-With");
+        return Objects.nonNull(headers) && Collections.list(headers).stream()
+                                                      .flatMap(headerValue -> Arrays.stream(headerValue.split(",")))
+                                                      .map(String::trim)
+                                                      .anyMatch("XMLHttpRequest"::equals);
+    }
 
-	/**
-	 * An empty immutable <code>Object</code> array.
-	 */
-	public static final Object[] EMPTY_OBJECT_ARRAY = new Object[0];
+    public static String normalizeResourceURI(final HttpServletRequest httpServletRequest) {
+        return normalizeResourceURI(httpServletRequest.getRequestURI());
+    }
 
-	/**
-	   * <p>Returns either the passed in String,
-	   * or if the String is <code>null</code>, an empty String ("").</p>
-	   *
-	   * <pre>
-	   * StringUtils.defaultString(null)  = ""
-	   * StringUtils.defaultString("")    = ""
-	   * StringUtils.defaultString("bat") = "bat"
-	   * </pre>
-	   *
-	   * @see String#valueOf(Object)
-	   * @param str  the String to check, may be null
-	   * @return the passed in String, or the empty String if it
-	   *  was <code>null</code>
-	   */
-	  public static String defaultString(String str) {
-	    return str == null ? "" : str;
-	  }
+    public static String normalizeResourceURI(final String resourceURI) {
+        return resourceURI.startsWith("/") ? resourceURI : '/' + resourceURI;
+    }
 
-    @SuppressWarnings("unchecked")
-    public static <T, E> T getMapKeyByValue(Map<T, E> map, E value) {
-        for (Map.Entry<T, E> entry : map.entrySet()) {
-            if (entry.getValue().equals(value)) {
-                return entry.getKey();
-            }
+    private static String readInputStreamContent(final InputStream inputStream) {
+        try {
+            return IOUtils.toString(inputStream, Charset.defaultCharset());
+        } catch (final IOException ioe) {
+            throw new RuntimeException(ioe);
         }
-        return null;
     }
 
+    /**
+     * for a url, get the protocol and domain, e.g. for url https://a.b/path, will return https://a.b
+     *
+     * @param url a string representing a URL
+     * @return the protocol and path
+     */
+    private static String httpProtocolAndDomain(final String url) {
+        final int firstSlashAfterProtocol = url.indexOf('/', 8); // FIXME this should be rewritten..
+        return firstSlashAfterProtocol < 0 ? url // must not have a path
+                                           : url.substring(0, firstSlashAfterProtocol);
+    }
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/util/Streams.java b/csrfguard/src/main/java/org/owasp/csrfguard/util/MessageConstants.java
similarity index 70%
rename from csrfguard/src/main/java/org/owasp/csrfguard/util/Streams.java
rename to csrfguard/src/main/java/org/owasp/csrfguard/util/MessageConstants.java
index e03b913..90b7fa5 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/util/Streams.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/util/MessageConstants.java
@@ -1,8 +1,8 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
@@ -28,37 +28,18 @@
  */
 package org.owasp.csrfguard.util;
 
-import java.io.*;
-
-public final class Streams {
-
-	private Streams() {
-		/** enforce use of static methods **/
-	}
-
-	@Override
-	public Object clone() throws CloneNotSupportedException {
-		throw new CloneNotSupportedException();
-	}
+/**
+ * MessageConstants - Maintains all the message constant literals.
+ */
+public final class MessageConstants {
 
-	public static void close(InputStream is) {
-		if (is != null) {
-			try {
-				is.close();
-			} catch (IOException ioe) {
-				throw new RuntimeException(ioe);
-			}
-		}
-	}
+    private MessageConstants() {
+        // Utility Class
+    }
 
-	public static void close(OutputStream os) {
-		if (os != null) {
-			try {
-				os.close();
-			} catch (IOException ioe) {
-				throw new RuntimeException(ioe);
-			}
-		}
-	}
-	
+    public static final String REQUEST_MISSING_TOKEN_MSG = "Required Token is missing from the Request";
+    public static final String MISMATCH_PAGE_TOKEN_MSG = "Request Token does not match Page Token";
+    public static final String MISMATCH_MASTER_TOKEN_MSG = "Request Token does not match the Master Token";
+    public static final String RANDOM_TOKEN_FAILURE_MSG = "Unable to generate the Random Token";
+    public static final String TOKEN_MISSING_FROM_STORAGE_MSG = "The token should exist in the storage at this point";
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/util/RandomGenerator.java b/csrfguard/src/main/java/org/owasp/csrfguard/util/RandomGenerator.java
index b75e31d..2d934f0 100644
--- a/csrfguard/src/main/java/org/owasp/csrfguard/util/RandomGenerator.java
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/util/RandomGenerator.java
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,23 +26,22 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 package org.owasp.csrfguard.util;
 
+import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.SecureRandom;
-import java.security.NoSuchAlgorithmException;
 
 public final class RandomGenerator {
 
-	private final static char[] CHARSET = new char[] { 'A', 'B', 'C', 'D', 'E',
+	private static final char[] CHARSET = new char[] { 'A', 'B', 'C', 'D', 'E',
 			'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R',
 			'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4',
 			'5', '6', '7', '8', '9' };
 
 	private RandomGenerator() {
-		/**
-		 * Intentionally blank to force static usage
-		 */
+		/* Intentionally blank to force static usage */
 	}
 
 	@Override
@@ -50,24 +49,23 @@ public Object clone() throws CloneNotSupportedException {
 		throw new CloneNotSupportedException();
 	}
 
-	public static String generateRandomId(String prng, String provider, int len) throws NoSuchAlgorithmException, NoSuchProviderException {
+	public static String generateRandomId(final String prng, final String provider, final int len) throws NoSuchAlgorithmException, NoSuchProviderException {
 		return generateRandomId(SecureRandom.getInstance(prng, provider), len);
 	}
 
-	public static String generateRandomId(SecureRandom sr, int len) {
-		StringBuilder sb = new StringBuilder();
+	public static String generateRandomId(final SecureRandom secureRandom, final int len) {
+		final StringBuilder sb = new StringBuilder();
 
 		for (int i = 1; i < len + 1; i++) {
-			int index = sr.nextInt(CHARSET.length);
-			char c = CHARSET[index];
+			final int index = secureRandom.nextInt(CHARSET.length);
+			final char c = CHARSET[index];
 			sb.append(c);
 
-			if ((i % 4) == 0 && i != 0 && i < len) {
+			if ((i % 4) == 0 && i < len) {
 				sb.append('-');
 			}
 		}
 
 		return sb.toString();
 	}
-	
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/util/RegexValidationUtil.java b/csrfguard/src/main/java/org/owasp/csrfguard/util/RegexValidationUtil.java
new file mode 100644
index 0000000..54de75d
--- /dev/null
+++ b/csrfguard/src/main/java/org/owasp/csrfguard/util/RegexValidationUtil.java
@@ -0,0 +1,52 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.util;
+
+/**
+ * RegexValidationUtil - All functions related to regex operations.
+ *
+ * @author - srijas
+ * @since - 11/7/2019.
+ */
+public final class RegexValidationUtil {
+
+    private RegexValidationUtil() {
+        // Utility Class
+    }
+
+    /**
+     * see if a test path starts with ^ and ends with $ thus making it a regex
+     * @param testPath The path string to test
+     * @return true if regex (starts with "^" and ends with "$")
+     */
+    public static boolean isTestPathRegex(final String testPath) {
+        return testPath != null && testPath.startsWith("^") && testPath.endsWith("$");
+    }
+}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/util/SessionUtils.java b/csrfguard/src/main/java/org/owasp/csrfguard/util/SessionUtils.java
deleted file mode 100644
index b1c59fd..0000000
--- a/csrfguard/src/main/java/org/owasp/csrfguard/util/SessionUtils.java
+++ /dev/null
@@ -1,96 +0,0 @@
-package org.owasp.csrfguard.util;
-
-import org.owasp.csrfguard.CsrfGuard;
-
-import javax.servlet.http.HttpSession;
-import java.util.HashMap;
-import java.util.Map;
-
-/**
- * This class handles with logic between session and token manipulation.
- */
-public final class SessionUtils {
-
-    private SessionUtils() {
-    }
-
-    private static final String TOKENS_GENERATED = "org.owasp.csrfguard.TokensGenerated";
-
-    public static boolean tokensGenerated(final HttpSession session) {
-        return session.getAttribute(TOKENS_GENERATED) != null
-                && (Boolean) session.getAttribute(TOKENS_GENERATED);
-    }
-
-    public static void setTokensGenerated(final HttpSession session) {
-
-        if (session != null) {
-            session.setAttribute(TOKENS_GENERATED, true);
-        }
-
-    }
-
-    @SuppressWarnings("unchecked")
-    public static Map<String, String> extractPageTokensFromSession(final HttpSession session) {
-
-        final Map<String, String> pageTokens = (Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);
-
-        if (pageTokens != null) {
-            return pageTokens;
-        }
-
-        return new HashMap<String, String>(CsrfGuard.getInstance().getProtectedPages().size());
-    }
-
-    public static void updatePageTokensOnSession(final HttpSession session,
-                                                 final Map<String, String> pageTokens) {
-
-        if (session != null && pageTokens != null) {
-            session.setAttribute(CsrfGuard.PAGE_TOKENS_KEY, pageTokens);
-            setTokensGenerated(session);
-        }
-
-    }
-
-    /**
-     * Invalidates the session token and the token from the resource that
-     * has experienced an access attempt with an invalid token.
-     *
-     * @param session      - current session
-     * @param sessionToken - token from session
-     * @param requestToken - token send on request (can be a invalid token or a token from another valid resource)
-     */
-    public static void invalidateTokenForResource(final HttpSession session,
-                                                  final String sessionToken,
-                                                  final String requestToken) {
-
-        final Map<String, String> pageTokens = extractPageTokensFromSession(session);
-
-        final String actualSessionToken = getSessionToken(session);
-
-        if (actualSessionToken.equals(sessionToken)) {
-            invalidateSessionToken(session);
-        }
-
-        // Invalidate request token if it's from another existing resource
-        final String existentResource = CsrfGuardUtils.getMapKeyByValue(pageTokens, requestToken);
-        if (existentResource != null) {
-            pageTokens.put(existentResource, TokenUtils.getRandomToken());
-        }
-
-        setTokensGenerated(session);
-    }
-
-    /**
-     * Overrides the current session token with a new one.
-     *
-     * @param session - current session
-     */
-    public static void invalidateSessionToken(final HttpSession session) {
-        session.setAttribute(CsrfGuard.getInstance().getSessionKey(), TokenUtils.getRandomToken());
-    }
-
-    public static String getSessionToken(final HttpSession session) {
-        return (String) session.getAttribute(CsrfGuard.getInstance().getSessionKey());
-    }
-
-}
\ No newline at end of file
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/util/Strings.java b/csrfguard/src/main/java/org/owasp/csrfguard/util/Strings.java
deleted file mode 100644
index 2a97c99..0000000
--- a/csrfguard/src/main/java/org/owasp/csrfguard/util/Strings.java
+++ /dev/null
@@ -1,18 +0,0 @@
-package org.owasp.csrfguard.util;
-
-public final class Strings {
-
-	public final static String EMPTY = "";
-	
-	private Strings() {
-		/**
-		 * Intentionally blank to force static usage
-		 */
-	}
-
-	@Override
-	public Object clone() throws CloneNotSupportedException {
-		throw new CloneNotSupportedException();
-	}
-	
-}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/util/TokenUtils.java b/csrfguard/src/main/java/org/owasp/csrfguard/util/TokenUtils.java
deleted file mode 100644
index 48474ce..0000000
--- a/csrfguard/src/main/java/org/owasp/csrfguard/util/TokenUtils.java
+++ /dev/null
@@ -1,20 +0,0 @@
-package org.owasp.csrfguard.util;
-
-import org.owasp.csrfguard.CsrfGuard;
-
-public final class TokenUtils {
-
-    private TokenUtils() {
-    }
-
-    /**
-     * Create a random token according with configuration.
-     *
-     * @return a random token
-     */
-    public static String getRandomToken() {
-        return RandomGenerator.generateRandomId(CsrfGuard.getInstance().getPrng(),
-                CsrfGuard.getInstance().getTokenLength());
-    }
-
-}
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/util/Writers.java b/csrfguard/src/main/java/org/owasp/csrfguard/util/Writers.java
deleted file mode 100644
index de87db7..0000000
--- a/csrfguard/src/main/java/org/owasp/csrfguard/util/Writers.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
- * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
- * All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-package org.owasp.csrfguard.util;
-
-import java.io.*;
-
-public final class Writers {
-
-	private Writers() {
-		/** enforce use of static methods **/
-	}
-
-	@Override
-	public Object clone() throws CloneNotSupportedException {
-		throw new CloneNotSupportedException();
-	}
-
-	public static void close(Writer writer) {
-		if (writer != null) {
-			try {
-				writer.close();
-			} catch (IOException ioe) {
-				throw new RuntimeException(ioe);
-			}
-		}
-	}
-	
-}
diff --git a/csrfguard/src/main/resources/csrfguard.js b/csrfguard/src/main/resources/csrfguard.js
index 77fb171..c7145ca 100644
--- a/csrfguard/src/main/resources/csrfguard.js
+++ b/csrfguard/src/main/resources/csrfguard.js
@@ -1,19 +1,19 @@
-/**
+/*
  * The OWASP CSRFGuard Project, BSD License
- * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *    3. Neither the name of OWASP nor the names of its contributors may be used
- *       to endorse or promote products derived from this software without specific
- *       prior written permission.
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -26,463 +26,716 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-(function() {
-	/**
-	 * Code to ensure our event always gets triggered when the DOM is updated.
-	 * @param obj
-	 * @param type
-	 * @param fn
-	 * @source http://www.dustindiaz.com/rock-solid-addevent/
-	 */
-	function addEvent( obj, type, fn ) {
-	    if (obj.addEventListener) {
-	        obj.addEventListener( type, fn, false );
-	        EventCache.add(obj, type, fn);
-	    }
-	    else if (obj.attachEvent) {
-	        obj["e"+type+fn] = fn;
-	        obj[type+fn] = function() { obj["e"+type+fn]( window.event ); }
-	        obj.attachEvent( "on"+type, obj[type+fn] );
-	        EventCache.add(obj, type, fn);
-	    }
-	    else {
-	        obj["on"+type] = obj["e"+type+fn];
-	    }
-	}
-	
-	var EventCache = function(){
-	    var listEvents = [];
-	    return {
-	        listEvents : listEvents,
-	        add : function(node, sEventName, fHandler){
-	            listEvents.push(arguments);
-	        },
-	        flush : function(){
-	            var i, item;
-	            for(i = listEvents.length - 1; i >= 0; i = i - 1){
-	                item = listEvents[i];
-	                if(item[0].removeEventListener){
-	                    item[0].removeEventListener(item[1], item[2], item[3]);
-	                };
-	                if(item[1].substring(0, 2) != "on"){
-	                    item[1] = "on" + item[1];
-	                };
-	                if(item[0].detachEvent){
-	                    item[0].detachEvent(item[1], item[2]);
-	                };
-	            };
-	        }
-	    };
-	}();
-	
-	/** string utility functions **/
-	function startsWith(s, prefix) {
-		return s.indexOf(prefix) === 0;
-	}
-
-	function endsWith(s, suffix) {
-		return s.substring(s.length - suffix.length) === suffix;
-	}
-
-	/** hook using standards based prototype **/
-	function hijackStandard() {
-		XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
-		XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
-			this.url = url;
-			
-			this._open.apply(this, arguments);
-		};
-		
-		XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
-		XMLHttpRequest.prototype.send = function(data) {
-			if(this.onsend != null) {
-				this.onsend.apply(this, arguments);
-			}
-			
-			this._send.apply(this, arguments);
-		};
-	}
-
-	/** ie does not properly support prototype - wrap completely **/
-	function hijackExplorer() {
-		var _XMLHttpRequest = window.XMLHttpRequest;
-		
-		function alloc_XMLHttpRequest() {
-			this.base = _XMLHttpRequest ? new _XMLHttpRequest : new window.ActiveXObject("Microsoft.XMLHTTP");
-		}
-		
-		function init_XMLHttpRequest() {
-			return new alloc_XMLHttpRequest;
-		}
-		
-		init_XMLHttpRequest.prototype = alloc_XMLHttpRequest.prototype;
-		
-		/** constants **/
-		init_XMLHttpRequest.UNSENT = 0;
-		init_XMLHttpRequest.OPENED = 1;
-		init_XMLHttpRequest.HEADERS_RECEIVED = 2;
-		init_XMLHttpRequest.LOADING = 3;
-		init_XMLHttpRequest.DONE = 4;
-		
-		/** properties **/
-		init_XMLHttpRequest.prototype.status = 0;
-		init_XMLHttpRequest.prototype.statusText = "";
-		init_XMLHttpRequest.prototype.readyState = init_XMLHttpRequest.UNSENT;
-		init_XMLHttpRequest.prototype.responseText = "";
-		init_XMLHttpRequest.prototype.responseXML = null;
-		init_XMLHttpRequest.prototype.onsend = null;
-		
-		init_XMLHttpRequest.url = null;
-		init_XMLHttpRequest.onreadystatechange = null;
-
-		/** methods **/
-		init_XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
-			var self = this;
-			this.url = url;
-			
-			this.base.onreadystatechange = function() {
-				try { self.status = self.base.status; } catch (e) { }
-				try { self.statusText = self.base.statusText; } catch (e) { }
-				try { self.readyState = self.base.readyState; } catch (e) { }
-				try { self.responseText = self.base.responseText; } catch(e) { }
-				try { self.responseXML = self.base.responseXML; } catch(e) { }
-				
-				if(self.onreadystatechange != null) {
-					self.onreadystatechange.apply(this, arguments);
-				}
-			}
-			
-			this.base.open(method, url, async, user, pass);
-		};
-		
-		init_XMLHttpRequest.prototype.send = function(data) {
-			if(this.onsend != null) {
-				this.onsend.apply(this, arguments);
-			}
-			
-			this.base.send(data);
-		};
-		
-		init_XMLHttpRequest.prototype.abort = function() {
-			this.base.abort();
-		};
-		
-		init_XMLHttpRequest.prototype.getAllResponseHeaders = function() {
-			return this.base.getAllResponseHeaders();
-		};
-		
-		init_XMLHttpRequest.prototype.getResponseHeader = function(name) {
-			return this.base.getResponseHeader(name);
-		};
-		
-		init_XMLHttpRequest.prototype.setRequestHeader = function(name, value) {
-			return this.base.setRequestHeader(name, value);
-		};
-		
-		/** hook **/
-		window.XMLHttpRequest = init_XMLHttpRequest;
-	}
-
-	/** check if valid domain based on domainStrict **/
-	function isValidDomain(current, target) {
-		var result = false;
-		
-		/** check exact or subdomain match **/
-		if(current == target) {
-			result = true;
-		} else if(%DOMAIN_STRICT% == false) {
-			if(target.charAt(0) == '.') {
-				result = endsWith(current, target);
-			} else {
-				result = endsWith(current, '.' + target);
-			}
-		}
-		
-		return result;
-	}
-
-	/** determine if uri/url points to valid domain **/
-	function isValidUrl(src) {
-		var result = false;
-		
-		/** parse out domain to make sure it points to our own **/
-		if(src.substring(0, 7) == "http://" || src.substring(0, 8) == "https://") {
-			var token = "://";
-			var index = src.indexOf(token);
-			var part = src.substring(index + token.length);
-			var domain = "";
-			
-			/** parse up to end, first slash, or anchor **/
-			for(var i=0; i<part.length; i++) {
-				var character = part.charAt(i);
-				
-				if(character == '/' || character == ':' || character == '#') {
-					break;
-				} else {
-					domain += character;
-				}
-			}
-			
-			result = isValidDomain(document.domain, domain);
-			/** explicitly skip anchors **/
-		} else if(src.charAt(0) == '#') {
-			result = false;
-			/** ensure it is a local resource without a protocol **/
-		} else if(!startsWith(src, "//") && (src.charAt(0) == '/' || src.indexOf(':') == -1)) {
-			result = true;
-		}
-		
-		return result;
-	}
-
-	/** parse uri from url **/
-	function parseUri(url) {
-		var uri = "";
-		var token = "://";
-		var index = url.indexOf(token);
-		var part = "";
-		
-		/**
-		 * ensure to skip protocol and prepend context path for non-qualified
-		 * resources (ex: "protect.html" vs
-		 * "/Owasp.CsrfGuard.Test/protect.html").
-		 */
-		if(index > 0) {
-			part = url.substring(index + token.length);
-		} else if(url.charAt(0) != '/') {
-			part = "%CONTEXT_PATH%/" + url;
-		} else {
-			part = url;
-		}
-		
-		/** parse up to end or query string **/
-		var uriContext = (index == -1);
-		
-		for(var i=0; i<part.length; i++) {
-			var character = part.charAt(i);
-			
-			if(character == '/') {
-				uriContext = true;
-			} else if(uriContext == true && (character == '?' || character == '#')) {
-				uriContext = false;
-				break;
-			}
-			
-			if(uriContext == true) {
-				uri += character;
-			}
-		}
-		
-		return uri;
-	}
-
-	/** inject tokens as hidden fields into forms **/
-	function injectTokenForm(form, tokenName, tokenValue, pageTokens,injectGetForms) {
-	  
-		if (!injectGetForms) {
-			var method = form.getAttribute("method");
-	  
-			if ((typeof method != 'undefined') && method != null && method.toLowerCase() == "get") {
-				return;
-			}
-		}
-	  
-		var value = tokenValue;
-		var action = form.getAttribute("action");
-		
-		if(action != null && isValidUrl(action)) {
-			var uri = parseUri(action);
-			value = pageTokens[uri] != null ? pageTokens[uri] : tokenValue;
-		}
-		
-		var hidden = document.createElement("input");
-		
-		hidden.setAttribute("type", "hidden");
-		hidden.setAttribute("name", tokenName);
-		hidden.setAttribute("value", value);
-		
-		form.appendChild(hidden);
-	}
-
-	/** inject tokens as query string parameters into url **/
-	function injectTokenAttribute(element, attr, tokenName, tokenValue, pageTokens) {
-		var location = element.getAttribute(attr);
-		
-		if(location != null && isValidUrl(location) && !isUnprotectedExtension(location)) {
-			var uri = parseUri(location);
-			var value = (pageTokens[uri] != null ? pageTokens[uri] : tokenValue);
-			
-			if(location.indexOf('?') != -1) {
-				location = location + '&' + tokenName + '=' + value;
-			} else {
-				location = location + '?' + tokenName + '=' + value;
-			}
-
-			try {
-				element.setAttribute(attr, location);
-			} catch (e) {
-				// attempted to set/update unsupported attribute
-			}
-		}
-	}
-	/**
-	 * Added to support isUnprotectedExtension(src)
-	 * @param filename
-	 * @return extension or EMPTY
-	 */
-	function getFileExtension(filename){
-		var rc = '';
-		/* take the part before the ';' if it exists (often for UrlRewriting - ex: ;JSESSIONID=x) */
-		if(filename.indexOf(';')!==-1){
-			filename = filename.split(';')[0];
-		}
-		if(filename.indexOf('.')!==-1){
-			rc = filename.substring(filename.lastIndexOf('.')+1, filename.length) || filename;
-		}
-		return rc;
-	}
-	/**
-	 * get the file extension and match it against a list of known static file extensions
-	 * @param src
-	 * @return
-	 */
-	function isUnprotectedExtension(src){
-		var rc = false;
-		var exts = "%UNPROTECTED_EXTENSIONS%";/* example(for properties): "js,css,gif,png,ico,jpg" */
-		if(exts!==""){
-			var filename = parseUri(src);
-			var ext = getFileExtension(filename).toLowerCase();
-			var e = exts.split(',');
-			for(var i=0;i < e.length;i++){
-				if(e[i]===ext){
-					rc = true;
-					break;
-				}
-			}
-		}
-		return rc;
-	}
-	/** inject csrf prevention tokens throughout dom **/
-	function injectTokens(tokenName, tokenValue) {
-		/** obtain reference to page tokens if enabled **/
-		var pageTokens = {};
-		
-		if(%TOKENS_PER_PAGE% == true) {
-			pageTokens = requestPageTokens();
-		}
-		
-		/** iterate over all elements and injection token **/
-		var all = document.all ? document.all : document.getElementsByTagName('*');
-		var len = all.length;
-
-		//these are read from the csrf guard config file(s)
-		var injectForms = %INJECT_FORMS%;
-		var injectGetForms = %INJECT_GET_FORMS%;
-		var injectFormAttributes = %INJECT_FORM_ATTRIBUTES%;
-		var injectAttributes = %INJECT_ATTRIBUTES%;
-		
-		for(var i=0; i<len; i++) {
-			var element = all[i];
-			
-			/** inject into form **/
-			if(element.tagName.toLowerCase() == "form") {
-				if(injectForms) {
-					injectTokenForm(element, tokenName, tokenValue, pageTokens,injectGetForms);
-
-					/** adjust array length after addition of new element **/
-					len = all.length;
-				}
-				if (injectFormAttributes) {
-					injectTokenAttribute(element, "action", tokenName, tokenValue, pageTokens);
-				}
-				/** inject into attribute **/
-			} else if(injectAttributes) {
-				injectTokenAttribute(element, "src", tokenName, tokenValue, pageTokens);
-				injectTokenAttribute(element, "href", tokenName, tokenValue, pageTokens);
-			}
-		}
-	}
-
-	/** obtain array of page specific tokens **/
-	function requestPageTokens() {
-		var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new window.ActiveXObject("Microsoft.XMLHTTP");
-		var pageTokens = {};
-		
-		xhr.open("POST", "%SERVLET_PATH%", false);
-		xhr.send(null);
-		
-		var text = xhr.responseText;
-		var name = "";
-		var value = "";
-		var nameContext = true;
-		
-		for(var i=0; i<text.length; i++) {
-			var character = text.charAt(i);
-			
-			if(character == ':') {
-				nameContext = false;
-			} else if(character != ',') {
-				if(nameContext == true) {
-					name += character;
-				} else {
-					value += character;
-				}
-			}
-			
-			if(character == ',' || (i + 1) >= text.length) {
-				pageTokens[name] = value;
-				name = "";
-				value = "";
-				nameContext = true;
-			}
-		}
-		
-		return pageTokens;
-	}
-	
-	/**
-	 * Only inject the tokens if the JavaScript was referenced from HTML that
-	 * was served by us. Otherwise, the code was referenced from malicious HTML
-	 * which may be trying to steal tokens using JavaScript hijacking techniques.
-	 * The token is now removed and fetched using another POST request to solve,
-	 * the token hijacking problem.
-	 */
-	if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
-		var token_name = '%TOKEN_NAME%';
-		var token_value = '%TOKEN_VALUE%';
-		/** optionally include Ajax support **/
-		if(%INJECT_XHR% == true) {
-			if(navigator.appName == "Microsoft Internet Explorer") {
-				hijackExplorer();
-			} else {
-				hijackStandard();
-			}
-		
-		var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new window.ActiveXObject("Microsoft.XMLHTTP");
-		var csrfToken = {};
-		xhr.open("POST", "%SERVLET_PATH%", false);
-		xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1");
-		xhr.send(null);
-		
-		var token_pair = xhr.responseText;
-		token_pair = token_pair.split(":");
-		token_name = token_pair[0];
-		token_value = token_pair[1];
-
-			XMLHttpRequest.prototype.onsend = function(data) {
-				if(isValidUrl(this.url)) {
-					this.setRequestHeader("X-Requested-With", "XMLHttpRequest")
-					this.setRequestHeader(token_name, token_value);
-				}
-			};
-		}
-		
-		/** update nodes in DOM after load **/
-		addEvent(window,'unload',EventCache.flush);
-		addEvent(window,'DOMContentLoaded', function() {
-			injectTokens(token_name, token_value);
-		});
-	} else {
-		alert("OWASP CSRFGuard JavaScript was included from within an unauthorized domain!");
-	}
-})();
+
+/**
+ * Issue 92: boolean check to avoid running the function multiple times.
+ * Happens if the file is included multiple times which results in
+ * Maximum call stack size exceeded
+ */
+var owaspCSRFGuardScriptHasLoaded = owaspCSRFGuardScriptHasLoaded || {};
+if (owaspCSRFGuardScriptHasLoaded !== true) {
+    (function () {
+        owaspCSRFGuardScriptHasLoaded = true;
+
+        /**
+         * Code to ensure our event always gets triggered when the DOM is updated.
+         * @param obj
+         * @param type
+         * @param fn
+         * @source http://www.dustindiaz.com/rock-solid-addevent/
+         */
+        function addEvent(obj, type, fn) {
+            if (obj.addEventListener) {
+                obj.addEventListener(type, fn, false);
+                EventCache.add(obj, type, fn);
+            } else if (obj.attachEvent) {
+                obj['e' + type + fn] = fn;
+                obj[type + fn] = function () {
+                    obj['e' + type + fn](window.event);
+                };
+                obj.attachEvent('on' + type, obj[type + fn]);
+                EventCache.add(obj, type, fn);
+            } else {
+                obj['on' + type] = obj['e' + type + fn];
+            }
+        }
+
+        var EventCache = function () {
+            var listEvents = [];
+            return {
+                listEvents: listEvents,
+                add: function (node, sEventName, fHandler) {
+                    listEvents.push(arguments);
+                },
+                flush: function () {
+                    var i, item;
+                    for (i = listEvents.length - 1; i >= 0; i = i - 1) {
+                        item = listEvents[i];
+                        if (item[0].removeEventListener) {
+                            item[0].removeEventListener(item[1], item[2], item[3]);
+                        }
+
+                        if (item[1].substring(0, 2) !== 'on') {
+                            item[1] = 'on' + item[1];
+                        }
+
+                        if (item[0].detachEvent) {
+                            item[0].detachEvent(item[1], item[2]);
+                        }
+                    }
+                }
+            };
+        }();
+
+        /* string utility functions */
+        function startsWith(s, prefix) {
+            return s.indexOf(prefix) === 0;
+        }
+
+        function endsWith(s, suffix) {
+            return s.substring(s.length - suffix.length) === suffix;
+        }
+
+        /**
+         *  hook using standards based prototype
+         */
+        function hijackStandard() {
+            XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
+            XMLHttpRequest.prototype.open = function (method, url, async, user, pass) {
+                this.url = url;
+
+                this._open.apply(this, arguments);
+            };
+
+            XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
+            XMLHttpRequest.prototype.send = function (data) {
+                if (this.onsend !== null) {
+                    this.onsend.apply(this, arguments);
+                }
+
+                this._send.apply(this, arguments);
+            };
+        }
+
+        /**
+         *  ie does not properly support prototype - wrap completely
+         */
+        function hijackExplorer() {
+            var xmlHttpRequest = window.XMLHttpRequest;
+
+            function allocXMLHttpRequest() {
+                this.base = xmlHttpRequest ? new xmlHttpRequest : new window.ActiveXObject('Microsoft.XMLHTTP');
+            }
+
+            function initXMLHttpRequest() {
+                return new allocXMLHttpRequest;
+            }
+
+            initXMLHttpRequest.prototype = allocXMLHttpRequest.prototype;
+
+            /* constants */
+            initXMLHttpRequest.UNSENT = 0;
+            initXMLHttpRequest.OPENED = 1;
+            initXMLHttpRequest.HEADERS_RECEIVED = 2;
+            initXMLHttpRequest.LOADING = 3;
+            initXMLHttpRequest.DONE = 4;
+
+            /* properties */
+            initXMLHttpRequest.prototype.status = 0;
+            initXMLHttpRequest.prototype.statusText = '';
+            initXMLHttpRequest.prototype.readyState = initXMLHttpRequest.UNSENT;
+            initXMLHttpRequest.prototype.responseText = '';
+            initXMLHttpRequest.prototype.responseXML = null;
+            initXMLHttpRequest.prototype.onsend = null;
+
+            initXMLHttpRequest.url = null;
+            initXMLHttpRequest.onreadystatechange = null;
+
+            /* methods */
+            initXMLHttpRequest.prototype.open = function (method, url, async, user, pass) {
+                var self = this;
+                this.url = url;
+
+                this.base.onreadystatechange = function () {
+                    try {
+                        self.status = self.base.status;
+                    } catch (e) {
+                    }
+                    try {
+                        self.statusText = self.base.statusText;
+                    } catch (e) {
+                    }
+                    try {
+                        self.readyState = self.base.readyState;
+                    } catch (e) {
+                    }
+                    try {
+                        self.responseText = self.base.responseText;
+                    } catch (e) {
+                    }
+                    try {
+                        self.responseXML = self.base.responseXML;
+                    } catch (e) {
+                    }
+
+                    if (self.onreadystatechange !== null) {
+                        self.onreadystatechange.apply(this, arguments);
+                    }
+                };
+
+                this.base.open(method, url, async, user, pass);
+            };
+
+            initXMLHttpRequest.prototype.send = function (data) {
+                if (this.onsend !== null) {
+                    this.onsend.apply(this, arguments);
+                }
+
+                this.base.send(data);
+            };
+
+            initXMLHttpRequest.prototype.abort = function () {
+                this.base.abort();
+            };
+
+            initXMLHttpRequest.prototype.getAllResponseHeaders = function () {
+                return this.base.getAllResponseHeaders();
+            };
+
+            initXMLHttpRequest.prototype.getResponseHeader = function (name) {
+                return this.base.getResponseHeader(name);
+            };
+
+            initXMLHttpRequest.prototype.setRequestHeader = function (name, value) {
+                return this.base.setRequestHeader(name, value);
+            };
+
+            /* hook */
+            window.XMLHttpRequest = initXMLHttpRequest;
+        }
+
+        /**
+         *  check if valid domain based on domainStrict
+         */
+        function isValidDomain(current, target) {
+            var result = false;
+
+            /* check exact or subdomain match */
+            if (current === target) {
+                result = true;
+            } else if ('%DOMAIN_STRICT%' === false) {
+                if (target.charAt(0) === '.') {
+                    result = endsWith(current, target);
+                } else {
+                    result = endsWith(current, '.' + target);
+                }
+            }
+
+            return result;
+        }
+
+        /**
+         *  determine if uri/url points to valid domain
+         */
+        function isValidUrl(src) {
+            var result = false;
+            var urlStartsWithProtocol = /^[a-zA-Z][a-zA-Z0-9.+-]*:/;
+
+            /* parse out domain to make sure it points to our own */
+            if (src.substring(0, 7) === 'http://' || src.substring(0, 8) === 'https://') {
+                var token = '://';
+                var index = src.indexOf(token);
+                var part = src.substring(index + token.length);
+                var domain = '';
+
+                /* parse up to end, first slash, or anchor */
+                for (var i = 0; i < part.length; i++) {
+                    var character = part.charAt(i);
+                    if (character === '/' || character === ':' || character === '#') {
+                        break;
+                    } else {
+                        domain += character;
+                    }
+                }
+
+                result = isValidDomain(document.domain, domain);
+                /* explicitly skip anchors */
+            } else if (src.charAt(0) === '#') {
+                result = false;
+                /* ensure it is a local resource without a protocol */
+            } else if (!startsWith(src, '//') && (src.charAt(0) === '/' || src.search(urlStartsWithProtocol) === -1)) {
+                result = true;
+            }
+
+            return result;
+        }
+
+        /* parse uri from url */
+        function parseUri(url) {
+            var uri = '';
+            var token = '://';
+            var index = url.indexOf(token);
+            var part = '';
+
+            /*
+             * ensure to skip protocol and prepend context path for non-qualified
+                 * resources (ex: 'protect.html' vs
+                 * '/Owasp.CsrfGuard.Test/protect.html').
+             */
+            if (index > 0) {
+                part = url.substring(index + token.length);
+            } else if (url.charAt(0) !== '/') {
+                part = '%CONTEXT_PATH%/' + url;
+            } else {
+                part = url;
+            }
+
+            /* parse up to end or query string */
+            var uriContext = (index === -1);
+
+            for (var i = 0; i < part.length; i++) {
+                var character = part.charAt(i);
+
+                if (character === '/') {
+                    uriContext = true;
+                } else if (uriContext === true && (character === '?' || character === '#')) {
+                    uriContext = false;
+                    break;
+                }
+
+                if (uriContext === true) {
+                    uri += character;
+                }
+            }
+
+            return uri;
+        }
+
+        function calculatePageTokenForUri(pageTokens, uri) {
+            let value = null;
+            Object.keys(pageTokens).forEach(function (pageTokenKey) {
+                var pageToken = pageTokens[pageTokenKey];
+
+                if (uri === pageTokenKey) {
+                    value = pageToken;
+                } else if (pageTokenKey.startsWith('^') && pageTokenKey.endsWith('$')) { // regex matching
+                    if (new RegExp(pageTokenKey).test(uri)) {
+                        value = pageToken;
+                    }
+                } else if (pageTokenKey.startsWith('/*')) { // full path wildcard path matching
+                    value = pageToken;
+                } else if (pageTokenKey.endsWith('/*') || pageTokenKey.startsWith('.*')) { // 'partial path wildcard' and 'extension' matching
+                    // TODO implement
+                    console.warn("'Extension' and 'partial path wildcard' matching for page tokens is not supported properly yet! " +
+                        "Every resource will be assigned a new unique token instead of using the defined resource matcher token. " +
+                        "Although this is not a security issue, in case of a large REST application it can have an impact on performance." +
+                        "Consider using regular expressions instead.");
+                }
+            });
+            return value;
+        }
+
+        /**
+         *  inject tokens as hidden fields into forms
+         */
+        function injectTokenForm(form, tokenName, tokenValue, pageTokens, injectGetForms) {
+
+            if (!injectGetForms) {
+                var method = form.getAttribute('method');
+
+                if ((typeof method !== 'undefined') && method !== null && method.toLowerCase() === 'get') {
+                    return;
+                }
+            }
+
+            var value = tokenValue;
+            var action = form.getAttribute('action');
+
+            if (action !== null && isValidUrl(action)) {
+                var uri = parseUri(action);
+                const calculatedPageToken = calculatePageTokenForUri(pageTokens, uri);
+                value = calculatedPageToken == null ? tokenValue : calculatedPageToken;
+
+                let hiddenTokenFields = Object.keys(form.elements).filter(function (i) {
+                    return form.elements[i].name === tokenName;
+                });
+
+                if (hiddenTokenFields.length === 0) {
+                    var hidden = document.createElement('input');
+
+                    hidden.setAttribute('type', 'hidden');
+                    hidden.setAttribute('name', tokenName);
+                    hidden.setAttribute('value', value);
+
+                    form.appendChild(hidden);
+                    console.debug('Hidden input element [', hidden, '] was added to the form: ', form);
+                } else {
+                    hiddenTokenFields.forEach(function (i) {
+                        return form.elements[i].value = value;
+                    });
+                    console.debug('Hidden token fields [', hiddenTokenFields, '] of form [', form, '] were updated with new token value: ', value);
+                }
+            }
+        }
+
+        /**
+         *  inject tokens as query string parameters into url
+         */
+        function injectTokenAttribute(element, attr, tokenName, tokenValue, pageTokens) {
+
+            const addTokenToLocation = function(location, tokenName, value) {
+                let newLocation;
+                if (location.indexOf('?') === -1) {
+                    newLocation = location + '?' + tokenName + '=' + value;
+                } else {
+                    newLocation = location + '&' + tokenName + '=' + value;
+                }
+                return newLocation;
+            }
+
+            const location = element.getAttribute && element.getAttribute(attr);
+
+            if (location != null && isValidUrl(location) && !isUnprotectedExtension(location)) {
+                const uri = parseUri(location);
+                const calculatedPageToken = calculatePageTokenForUri(pageTokens, uri);
+                const value = calculatedPageToken == null ? tokenValue : calculatedPageToken;
+
+                const tokenValueMatcher = new RegExp('(?:' + tokenName + '=)([^?|#|&]+)', 'gi');
+                const tokenMatches = tokenValueMatcher.exec(location);
+
+                if (tokenMatches === null || tokenMatches.length === 0) {
+                    let newLocation;
+
+                    const anchorIndex = location.indexOf('#');
+                    if (anchorIndex !== -1) {
+                        const baseLocation = location.split('#')[0];
+                        const anchor = location.substring(anchorIndex);
+
+                        newLocation = addTokenToLocation(baseLocation, tokenName, value) + anchor;
+                    } else {
+                        newLocation = addTokenToLocation(location, tokenName, value);
+                    }
+
+                    try {
+                        element.setAttribute(attr, newLocation);
+                        console.debug('Attribute [', attr, '] with value [', newLocation, '] set for element: ', element);
+                    } catch (e) {
+                        // attempted to set/update unsupported attribute
+                    }
+                } else {
+                    let newLocation = location;
+                    tokenMatches.slice(1).forEach(function (match) {
+                        return newLocation = newLocation.replace(match, value);
+                    });
+
+                    element.setAttribute(attr, newLocation);
+                    console.debug('Attribute [', attr, '] with value [', newLocation, '] set for element: ', element);
+                }
+            }
+        }
+
+        /**
+         * Added to support isUnprotectedExtension(src)
+         * @param filename
+         * @return extension or EMPTY
+         */
+        function getFileExtension(filename) {
+            var extension = '';
+            /* take the part before the ';' if it exists (often for UrlRewriting - ex: ;JSESSIONID=x) */
+            if (filename.indexOf(';') !== -1) {
+                filename = filename.split(';')[0];
+            }
+
+            if (filename.indexOf('.') !== -1) {
+                extension = filename.substring(filename.lastIndexOf('.') + 1, filename.length) || filename;
+            }
+            return extension;
+        }
+
+        /**
+         * get the file extension and match it against a list of known static file extensions
+         * @param src
+         * @return
+         */
+        function isUnprotectedExtension(src) {
+            var isSupported = false;
+            var exts = '%UNPROTECTED_EXTENSIONS%';/* example(for properties): 'js,css,gif,png,ico,jpg' */
+            if (exts !== '') {
+                var filename = parseUri(src);
+                var ext = getFileExtension(filename).toLowerCase();
+                var e = exts.split(',');
+                for (var i = 0; i < e.length; i++) {
+                    if (e[i] === ext) {
+                        isSupported = true;
+                        break;
+                    }
+                }
+            }
+            return isSupported;
+        }
+
+        function injectToElements(domElements, tokenName, tokenValue, pageTokens) {
+            var len = domElements.length;
+
+            var injectForms = '%INJECT_FORMS%';
+            var injectGetForms = '%INJECT_GET_FORMS%';
+            var injectFormAttributes = '%INJECT_FORM_ATTRIBUTES%';
+            var injectAttributes = '%INJECT_ATTRIBUTES%';
+
+            for (let i = 0; i < len; i++) {
+                let element = domElements[i];
+
+                if (element.tagName && element.tagName.toLowerCase() === 'form') {
+                    if (injectForms) {
+                        injectTokenForm(element, tokenName, tokenValue, pageTokens, injectGetForms);
+
+                        /* adjust array length after addition of new element */
+                        len = domElements.length; // TODO review
+                    }
+                    if (injectFormAttributes) {
+                        injectTokenAttribute(element, 'action', tokenName, tokenValue, pageTokens);
+                    }
+                    /* inject into attribute */
+                } else if (injectAttributes) {
+                    injectTokenAttribute(element, 'src', tokenName, tokenValue, pageTokens);
+                    injectTokenAttribute(element, 'href', tokenName, tokenValue, pageTokens);
+                }
+            }
+        }
+
+        /**
+         *  inject csrf prevention tokens throughout dom
+         */
+        function injectTokens(tokenName, tokenValue, existingPageTokens) {
+            /* obtain reference to page tokens if enabled */
+            var pageTokens = {};
+
+            if ('%TOKENS_PER_PAGE%') {
+                pageTokens = existingPageTokens;
+            }
+
+            /* iterate over all elements and injection token */
+            var all = document.all ? document.all : document.getElementsByTagName('*');
+
+            injectToElements(all, tokenName, tokenValue, pageTokens);
+        }
+
+        /**
+         *  obtain array of page specific tokens
+         */
+        function requestPageTokens(tokenName, tokenValue, callback) {
+            const xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new window.ActiveXObject('Microsoft.XMLHTTP');
+
+            xhr.open('POST', '%SERVLET_PATH%', '%ASYNC_XHR%');
+
+            /* if AJAX is enabled, the token header will be automatically added, no need to set it again */
+            if ('%INJECT_XHR%' !== true) {
+                if (tokenName !== undefined && tokenValue !== undefined) {
+                    xhr.setRequestHeader(tokenName, tokenValue);
+                }
+            }
+
+            xhr.onreadystatechange = function () {
+                if (xhr.readyState === 4) {
+                    if (xhr.status === 200) {
+                        let pageTokens = JSON.parse(xhr.responseText)['pageTokens'];
+                        console.debug('Received page tokens: ', pageTokens);
+                        callback.call(this, pageTokens);
+                    } else {
+                        alert(xhr.status + ': CSRF check failed');
+                    }
+                }
+            };
+
+            xhr.send(null);
+        }
+
+        function handleDynamicallyCreatedNodes() {
+            const dynamicNodeCreationEventName = '%DYNAMIC_NODE_CREATION_EVENT_NAME%';
+
+            if (dynamicNodeCreationEventName && dynamicNodeCreationEventName.length > 0) {
+                addEvent(window, dynamicNodeCreationEventName, function (event) {
+                    injectToElements([event.detail], tokenName, masterTokenValue, pageTokenWrapper.pageTokens);
+                });
+            }  else {
+                if (MutationObserver) {
+                    const formMutationObserver = new MutationObserver(function (mutations, observer) {
+                        for (let i in mutations) {
+                            const mutation = mutations[i];
+                            const addedNodes = mutation.addedNodes;
+                            if (mutation.type === 'childList' && addedNodes.length && addedNodes.length > 0) {
+                                injectToElements(addedNodes, tokenName, masterTokenValue, pageTokenWrapper.pageTokens);
+                            }
+                        }
+                    });
+
+                    formMutationObserver.observe(document, {attributes: false, childList: true, subtree: true});
+                    addEvent(window, 'unload', formMutationObserver.disconnect);
+                } else {
+                    addEvent(window, 'DOMNodeInserted', function (event) {
+                        const target = event.target || event.srcElement;
+                        if (event.type === 'DOMNodeInserted') {
+                            injectToElements([target], tokenName, masterTokenValue, pageTokenWrapper.pageTokens);
+                        }
+                    });
+                }
+            }
+        }
+
+        /*
+         * Only inject the tokens if the JavaScript was referenced from HTML that
+         * was served by us. Otherwise, the code was referenced from malicious HTML
+         * which may be trying to steal tokens using JavaScript hijacking techniques.
+         * The token is now removed and fetched using another POST request to solve,
+         * the token hijacking problem.
+         */
+        if (isValidDomain(document.domain, '%DOMAIN_ORIGIN%')) {
+            var tokenName = '%TOKEN_NAME%';
+            var masterTokenValue = '%TOKEN_VALUE%';
+            console.debug('Master token [' + tokenName + ']: ', masterTokenValue);
+
+            var isLoadedWrapper = {isDomContentLoaded: false};
+
+            var pageTokenWrapper = {pageTokens: {}};
+
+            addEvent(window, 'unload', EventCache.flush);
+
+            addEvent(window, 'DOMContentLoaded', function () {
+                isLoadedWrapper.isDomContentLoaded = true;
+
+                if (pageTokenWrapper.pageTokensLoaded) {
+                    injectTokens(tokenName, masterTokenValue, pageTokenWrapper.pageTokens);
+                }
+            });
+
+            if ('%INJECT_DYNAMIC_NODES%') { // TODO should it be invoked only after the DOMContentLoaded?
+                handleDynamicallyCreatedNodes();
+            }
+
+            /* optionally include Ajax support */
+            if ('%INJECT_XHR%') {
+                if (navigator.appName === 'Microsoft Internet Explorer') {
+                    hijackExplorer();
+                } else {
+                    hijackStandard();
+                }
+
+                XMLHttpRequest.prototype.onsend = function (data) {
+                    addEvent(this, 'readystatechange', function () {
+                        if (this.readyState === 4) {
+                            let tokenResponseHeader = this.getResponseHeader(tokenName);
+                            if (tokenResponseHeader != undefined) {
+                                try {
+                                    let tokenTO = JSON.parse(tokenResponseHeader)
+
+                                    let newMasterToken = tokenTO['masterToken'];
+                                    if (newMasterToken !== undefined) {
+                                        masterTokenValue = newMasterToken;
+                                        console.debug('New master token value received: ', masterTokenValue);
+                                    }
+
+                                    let newPageTokens = tokenTO['pageTokens'];
+                                    if (newPageTokens !== undefined) {
+                                        Object.keys(newPageTokens).forEach(function (key) {
+                                            return pageTokenWrapper.pageTokens[key] = newPageTokens[key];
+                                        });
+                                        console.debug('New page token value(s) received: ', newPageTokens);
+                                    }
+
+                                    injectTokens(tokenName, masterTokenValue, pageTokenWrapper.pageTokens);
+                                } catch (e) {
+                                    console.error("Error while updating tokens from response header.")
+                                }
+                            }
+                        }
+                    });
+
+                    var computePageToken = function(pageTokens, modifiedUri) {
+                        let result = null;
+
+                        let pathWithoutLeadingSlash = window.location.pathname.substring(1); // e.g. deploymentName/service/endpoint
+                        let pathArray = pathWithoutLeadingSlash.split('/');
+
+                        let builtPath = '';
+                        for (let i = 0; i < pathArray.length - 1; i++) { // the last part of the URI (endpoint) is disregarded because the modifiedUri parameter is used instead
+                            builtPath += '/' + pathArray[i];
+                            let pageTokenValue = calculatePageTokenForUri(pageTokens, builtPath + modifiedUri);
+                            if (pageTokenValue != undefined) {
+                                result = pageTokenValue;
+                                break;
+                            }
+                        }
+
+                        return result;
+                    };
+
+                    /**
+                     * For the library to function correctly, all the URLs must start with a forward slash (/)
+                     * Parameters must be removed from the URL
+                     */
+                    var normalizeUrl = function(url) {
+                        var removeParameters = function(currentUrl, symbol) {
+                            let index = currentUrl.indexOf(symbol);
+                            return index > 0 ? currentUrl.substring(0, index) : currentUrl;
+                        }
+
+                        /*
+                         * TODO should other checks be done here like in the isValidUrl?
+                         * Could the url parameter contain full URLs with protocol domain, port etc?
+                         */
+                        let normalizedUrl = url.startsWith('/') ? url : '/' + url;
+
+                        normalizedUrl = removeParameters(normalizedUrl, '?');
+                        normalizedUrl = removeParameters(normalizedUrl, '#');
+
+                        return normalizedUrl;
+                    }
+
+                    if (isValidUrl(this.url)) {
+                        this.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
+
+                        let normalizedUrl = normalizeUrl(this.url);
+
+                        if (pageTokenWrapper.pageTokens === null) {
+                            this.setRequestHeader(tokenName, masterTokenValue);
+                        } else {
+                            let pageToken = calculatePageTokenForUri(pageTokenWrapper.pageTokens, normalizedUrl);
+                            if (pageToken == undefined) {
+                                let computedPageToken = computePageToken(pageTokenWrapper.pageTokens, normalizedUrl);
+
+                                if (computedPageToken === null) {
+                                    this.setRequestHeader(tokenName, masterTokenValue);
+                                } else {
+                                    this.setRequestHeader(tokenName, computedPageToken);
+                                }
+                            } else {
+                                this.setRequestHeader(tokenName, pageToken);
+                            }
+                        }
+                    }
+                };
+            }
+
+            if ('%TOKENS_PER_PAGE%') {
+                let pageTokenRequestCallback = function (receivedPageTokens) {
+                    pageTokenWrapper.pageTokens = receivedPageTokens;
+
+                    pageTokenWrapper.pageTokensLoaded = true;
+
+                    if (isLoadedWrapper.isDomContentLoaded) {
+                        injectTokens(tokenName, masterTokenValue, receivedPageTokens);
+                    }
+                };
+
+                requestPageTokens(tokenName, masterTokenValue, pageTokenRequestCallback);
+            } else {
+                /* update nodes in DOM after load */
+                addEvent(window, 'DOMContentLoaded', function () {
+                    injectTokens(tokenName, masterTokenValue, {});
+                });
+            }
+        } else {
+            alert('OWASP CSRFGuard JavaScript was included from within an unauthorized domain!');
+        }
+    })();
+}
diff --git a/csrfguard/src/main/resources/csrfguard.properties b/csrfguard/src/main/resources/csrfguard.properties
index 07515a7..24f2061 100644
--- a/csrfguard/src/main/resources/csrfguard.properties
+++ b/csrfguard/src/main/resources/csrfguard.properties
@@ -1,18 +1,19 @@
+######################################################################################
 # The OWASP CSRFGuard Project, BSD License
-# Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+# Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
-# 1. Redistributions of source code must retain the above copyright notice,
-#    this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in the
-#    documentation and/or other materials provided with the distribution.
-# 3. Neither the name of OWASP nor the names of its contributors may be used
-#    to endorse or promote products derived from this software without specific
-#    prior written permission.
+#   1. Redistributions of source code must retain the above copyright notice,
+#      this list of conditions and the following disclaimer.
+#   2. Redistributions in binary form must reproduce the above copyright
+#      notice, this list of conditions and the following disclaimer in the
+#      documentation and/or other materials provided with the distribution.
+#   3. Neither the name of OWASP nor the names of its contributors may be used
+#      to endorse or promote products derived from this software without specific
+#      prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -24,17 +25,19 @@
 # ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties
-
-# Common substitutions
-# %servletContext%  is the servlet context (e.g. the configured app prefix or war file name, or blank.
-# e.g. if you deploy a default warfile as someApp.war, then %servletContext% will be /someApp
-# if there isnt a context it will be the empty string.  So to use this in the configuration, use e.g. %servletContext%/something.html
+######################################################################################
+
+##########################
+## Common substitutions ##
+##########################
+# %servletContext% is the servlet context (e.g. the configured app prefix or war file name, or blank.
+# e.g. if you deploy a default war file as someApp.war, then %servletContext% will be /someApp
+# if there isn't a context it will be the empty string. So to use this in the configuration, use e.g. %servletContext%/something.html
 # which will translate to e.g. /someApp/something.html
 
-# Logger
-#
+############
+## Logger ##
+############
 # The logger property (org.owasp.csrfguard.Logger) defines the qualified class name of 
 # the object responsible for processing all log messages produced by CSRFGuard. The default
 # CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class logs all messages
@@ -44,28 +47,28 @@
 # logger's qualified class name. The following configuration snippet instructs OWASP CSRFGuard
 # to capture all log messages to the console:
 #
-# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
-org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
+# org.owasp.csrfguard.Logger = org.owasp.csrfguard.log.ConsoleLogger
+org.owasp.csrfguard.Logger = org.owasp.csrfguard.log.JavaLogger
 
-# Which configuration provider factory you want to use.  The default is org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
+# Which configuration provider factory you want to use. The default is org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
 # Another configuration provider has more features including config overlays: org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory
 # The default configuration provider is: org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
 # which will look for an overlay file, it is there, and the factory inside that file is set it will use it, otherwise will be PropertiesConfigurationProviderFactory
 # it needs to implement org.owasp.csrfguard.config.ConfigurationProviderFactory
 org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
 
-
-# If csrfguard filter is enabled
+# If CSRFGuard filter is enabled
 org.owasp.csrfguard.Enabled = true
 
 # If csrf guard filter should check even if there is no session for the user
 # Note: this changed around 2014/04, the default behavior used to be to 
-# not check if there is no session.  If you want the legacy behavior (if your app
+# not check if there is no session. If you want the legacy behavior (if your app
 # is not susceptible to CSRF if the user has no session), set this to false
 org.owasp.csrfguard.ValidateWhenNoSessionExists = true
 
-# New Token Landing Page
-#
+############################
+## New Token Landing Page ##
+############################
 # The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage) defines where
 # to send a user if the token is being generated for the first time, and the use new token landing
 # page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage) determines if any redirect happens.
@@ -78,11 +81,11 @@ org.owasp.csrfguard.ValidateWhenNoSessionExists = true
 # redirect the user to %servletContext%/index.html when the user visits a protected resource
 # without having a corresponding CSRF token present in the HttpSession object:
 #
-# org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/index.html
-
+# org.owasp.csrfguard.NewTokenLandingPage = %servletContext%/index.html
 
-# Protected Methods
-#
+#######################
+## Protected Methods ##
+#######################
 # The protected methods property (org.owasp.csrfguard.ProtectedMethods) defines a comma
 # separated list of HTTP request methods that should be protected by CSRFGuard. The default
 # list is an empty list which will cause all HTTP methods to be protected, thus preserving
@@ -97,14 +100,15 @@ org.owasp.csrfguard.ValidateWhenNoSessionExists = true
 # The following configuration snippet instructs OWASP CSRFGuard to protect only the POST,
 # PUT, and DELETE HTTP methods.
 #
-# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
-
-# or you can configure all to be protected, and specify which is unprotected.  This is the preferred approach
-
-# org.owasp.csrfguard.UnprotectedMethods=GET
-
-# Unique Per-Page Tokens
+# org.owasp.csrfguard.ProtectedMethods = POST,PUT,DELETE
+#
+# or you can configure all to be protected, and specify which is unprotected. This is the preferred approach
 #
+# org.owasp.csrfguard.UnprotectedMethods = GET
+
+############################
+## Unique Per-Page Tokens ##
+############################
 # The unique token per-page property (org.owasp.csrfguard.TokenPerPage) is a boolean value that
 # determines if CSRFGuard should make use of unique per-page (i.e. URI) prevention tokens as
 # opposed to unique per-session prevention tokens. When a user requests a protected resource,
@@ -116,10 +120,17 @@ org.owasp.csrfguard.ValidateWhenNoSessionExists = true
 # the first time. All subsequent requests must have the per-page token intact or the request will
 # be treated as a CSRF attack. This behavior can be changed with the org.owasp.csrfguard.TokenPerPagePrecreate
 # property. Enabling this property will make CSRFGuard calculate the per page token prior to a first
-# visit. This option only works with JSTL token injection and is useful for preserving the validity of
-# links if the user pushes the back button. There may be a performance impact when enabling this option
-# if the .jsp has a large number of proctected links that need tokens to be calculated.
-# Use of the unique token per page property is currently experimental
+# visit.
+#
+# This option ONLY WORKS WITH JSTL token injection and is useful for preserving the validity of
+# links if the user pushes the BACK button. There may be a performance impact when enabling this option
+# if the JSP has a large number of protected links that need tokens to be calculated.
+#
+# Note: Pre-creating tokens is only available with the session bound token holder implementation,
+# because in case for stateless or custom state implementations, client could would need
+# to signal when it's ok to pre-create the tokens and this would affect the modularity/pluggability of the solution.
+#
+# Use of the unique token per page property is currently EXPERIMENTAL,
 # but provides a significant amount of improved security. Consider the exposure of a CSRF token using
 # the legacy unique per-session model. Exposure of this token facilitates the attacker's ability to
 # carry out a CSRF attack against the victim's active session for any resource exposed by the web
@@ -129,14 +140,12 @@ org.owasp.csrfguard.ValidateWhenNoSessionExists = true
 # unique token per-page property is a strong defense in depth strategy significantly reducing the
 # impact of exposed CSRF prevention tokens. The following configuration snippet instructs OWASP
 # CSRFGuard to utilize the unique token per-page model:
-#
-# org.owasp.csrfguard.TokenPerPage=true
-# org.owasp.csrfguard.TokenPerPagePrecreate=false
-org.owasp.csrfguard.TokenPerPage=true
-org.owasp.csrfguard.TokenPerPagePrecreate=false
+org.owasp.csrfguard.TokenPerPage = true
+org.owasp.csrfguard.TokenPerPagePrecreate = false
 
-# Token Rotation
-#
+####################
+## Token Rotation ##
+####################
 # The rotate token property (org.owasp.csrfguard.Rotate) is a boolean value that determines if
 # CSRFGuard should generate and utilize a new token after verifying the previous token. Rotation
 # helps minimize the window of opportunity an attacker has to leverage the victim's stolen token
@@ -146,13 +155,20 @@ org.owasp.csrfguard.TokenPerPagePrecreate=false
 # an old token causing CSRFGuard to incorrectly believe this request is a CSRF attack in progress
 # (i.e. a 'false positive'). Users can prevent this scenario by preventing the caching of HTML pages
 # containing FORM submissions using the cache-control header. However, this may also introduce
-# performance problems as the browser will have to request HTML on a more frequent basis. The following
-# configuration snippet enables token rotation:
+# performance problems as the browser will have to request HTML on a more frequent basis.
 #
-# org.owasp.csrfguard.Rotate=true
-
-# Ajax and XMLHttpRequest Support
+# Note: Rotation in case of AJAX requests is not supported currently because of possible race conditions.
+# A Single Page Application can fire multiple simultaneous requests. If rotation is enabled for AJAX requests,
+# the first request could trigger a token change before the validation of the same token within the second request,
+# causing false-positive CSRF intrusion exceptions.
 #
+# The following configuration snippet enables token rotation:
+#
+# org.owasp.csrfguard.Rotate = true
+
+#####################################
+## Ajax and XMLHttpRequest Support ##
+#####################################
 # The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that indicates whether or not OWASP
 # CSRFGuard should support the injection and verification of unique per-session prevention tokens for
 # XMLHttpRequests. To leverage Ajax support, the user must not only set this property to true but must
@@ -169,19 +185,26 @@ org.owasp.csrfguard.TokenPerPagePrecreate=false
 # the corresponding X-Requested-With and custom headers are embedded within the request. The following
 # configuration snippet instructs OWASP CSRFGuard to support Ajax requests by verifying the presence and
 # correctness of the X-Requested-With and custom headers:
-#
-# org.owasp.csrfguard.Ajax=true
-org.owasp.csrfguard.Ajax=true
+org.owasp.csrfguard.Ajax = true
 
+#######################
+## Protecting Pages  ##
+#######################
 # The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.
 # If the Protect property is enabled, this behavior is reversed. Pages must be marked as protected to be protected.
 # All other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*),
 # but you only want to protect a few pages.
+# org.owasp.csrfguard.Protect = true # TODO this should be renamed because it's confusing
 #
-# org.owasp.csrfguard.Protect=true
-
-# Unprotected Pages:
+# Defining pages to protect explicitly:
 #
+# org.owasp.csrfguard.protected.Protected = /protect.html
+# org.owasp.csrfguard.protected.Test = /test.html
+# org.owasp.csrfguard.protected.Forward = /forward.jsp
+
+#######################
+## Unprotected Pages ##
+#######################
 # The unprotected pages property (org.owasp.csrfguard.unprotected.*) defines a series of pages that
 # should not be protected by CSRFGuard. Such configurations are useful when the CsrfGuardFilter is
 # aggressively mapped (ex: /*). The syntax of the property name is org.owasp.csrfguard.unprotected.[PageName],
@@ -193,8 +216,8 @@ org.owasp.csrfguard.Ajax=true
 # Case 1: exact match between request uri and unprotected page
 # Case 2: longest path prefix match, beginning / and ending /*
 # Case 3: extension match, beginning *.
-# Case 4: if the value starts with ^ and ends with $, it will be evaulated as a regex.  Note that before the
-#   regex is compiled, any common variables will be substituted (e.g. %servletContext%)
+# Case 4: if the value starts with ^ and ends with $, it will be evaluated as a regex.
+#   Note that before the regex is compiled, any common variables will be substituted (e.g. %servletContext%)
 # Default: requested resource must be validated by CSRFGuard
 #
 # The following code snippet illustrates the four use cases over four examples. The first two examples
@@ -202,27 +225,29 @@ org.owasp.csrfguard.Ajax=true
 # ending in a .html extension. The next example (Public) looks for all resources prefixed with the URI path /MySite/Public/*.
 # The last example looks for resources that end in Public.do
 #
-# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
-# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
-# org.owasp.csrfguard.unprotected.Html=*.html
-# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
-# regex example starts with ^ and ends with $, and the %servletContext% is evaluated before the regex
-# org.owasp.csrfguard.unprotected.PublicServlet=^%servletContext%/.*Public\.do$
-
-#org.owasp.csrfguard.unprotected.Default=%servletContext%/
-#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
-#org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
-#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
-#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
-#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
-#org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.html
-#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
-#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
-#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
-#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
-
-# Actions: Responding to Attacks
-#
+# org.owasp.csrfguard.unprotected.Tag = %servletContext%/tag.jsp
+# org.owasp.csrfguard.unprotected.JavaScriptServlet = %servletContext%/JavaScriptServlet
+# org.owasp.csrfguard.unprotected.Html = *.html
+# org.owasp.csrfguard.unprotected.Public = %servletContext%/Public/*
+#
+# Regex example starts with ^ and ends with $, and the %servletContext% is evaluated before the regex:
+# org.owasp.csrfguard.unprotected.PublicServlet = ^%servletContext%/.*Public\.do$
+
+# org.owasp.csrfguard.unprotected.Default = %servletContext%/
+# org.owasp.csrfguard.unprotected.Upload = %servletContext%/upload.html
+# org.owasp.csrfguard.unprotected.JavaScriptServlet = %servletContext%/JavaScriptServlet
+# org.owasp.csrfguard.unprotected.Ajax = %servletContext%/ajax.html
+# org.owasp.csrfguard.unprotected.Error = %servletContext%/error.html
+# org.owasp.csrfguard.unprotected.Index = %servletContext%/index.html
+# org.owasp.csrfguard.unprotected.JavaScript = %servletContext%/javascript.html
+# org.owasp.csrfguard.unprotected.Tag = %servletContext%/tag.jsp
+# org.owasp.csrfguard.unprotected.Redirect = %servletContext%/redirect.jsp
+# org.owasp.csrfguard.unprotected.Forward = %servletContext%/forward.jsp
+# org.owasp.csrfguard.unprotected.Session = %servletContext%/session.jsp
+
+####################################
+## Actions: Responding to Attacks ##
+####################################
 # The actions directive (org.owasp.csrfguard.action.*) gives the user the ability to specify one or more
 # actions that should be invoked when a CSRF attack is detected. Every action must implement the
 # org.owasp.csrfguard.action.IAction interface either directly or indirectly through the
@@ -235,8 +260,8 @@ org.owasp.csrfguard.Ajax=true
 # the CSRFGuard bundle and is available via the class name org.owasp.csrfguard.actions.Redirect. In order to enable
 # this action, we capture the following declaration in the Owasp.CsrfGuard.properties file:
 #
-# syntax: org.owasp.csrfguard.action.[actionName]=[className]
-# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.csrfguard.actions.Redirect
+# syntax: org.owasp.csrfguard.action.[actionName] = [className]
+# example: org.owasp.csrfguard.action.class.Redirect = org.owasp.csrfguard.actions.Redirect
 #
 # The aforementioned directive declares an action called "Redirect" (i.e. [actionName]) referencing the Java class
 # "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a CSRF attack is detected, the Redirect action
@@ -244,95 +269,89 @@ org.owasp.csrfguard.Ajax=true
 # action parameters come into play. In order to specify the redirect location, we capture the following declaration
 # in the Owasp.CsrfGuard.properties file:
 #
-# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[parameterValue]
-# example: org.owasp.csrfguard.action.Redirect.ErrorPage=%servletContext%/error.html
+# syntax: org.owasp.csrfguard.action.[actionName].[parameterName] = [parameterValue]
+# example: org.owasp.csrfguard.action.Redirect.ErrorPage = %servletContext%/error.html
 #
 # The aforementioned directive declares an action parameter called "ErrorPage" (i.e. [parameterName]) with the value
 # of "%servletContext%/error.html" (i.e. [parameterValue]) for the action "Redirect" (i.e. [actionName]). The
 # Redirect action expects the "ErrorPage" parameter to be defined and will redirect the user to this location when
 # an attack is detected.
+# org.owasp.csrfguard.action.Empty = org.owasp.csrfguard.action.Empty
+#
+# org.owasp.csrfguard.action.Invalidate = org.owasp.csrfguard.action.Invalidate
 #
-#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
-org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
-org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
-#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
-org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
-org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
-#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute
-#org.owasp.csrfguard.action.RequestAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
-org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
-#org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute
-#org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
-#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
-#org.owasp.csrfguard.action.Error.Code=403
-#org.owasp.csrfguard.action.Error.Message=Security violation.
-
-# Token Name
+# org.owasp.csrfguard.action.RequestAttribute = org.owasp.csrfguard.action.RequestAttribute
+# org.owasp.csrfguard.action.RequestAttribute.AttributeName = Owasp_CsrfGuard_Exception_Key
 #
+# org.owasp.csrfguard.action.Error = org.owasp.csrfguard.action.Error
+# org.owasp.csrfguard.action.Error.Code = 403
+# org.owasp.csrfguard.action.Error.Message = Security violation.
+
+org.owasp.csrfguard.action.Log = org.owasp.csrfguard.action.Log
+org.owasp.csrfguard.action.Log.Message = potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
+
+org.owasp.csrfguard.action.Redirect = org.owasp.csrfguard.action.Redirect
+org.owasp.csrfguard.action.Redirect.Page = %servletContext%/error.html
+
+org.owasp.csrfguard.action.Rotate = org.owasp.csrfguard.action.Rotate
+
+# Extension modules can add their own actions. Please refer to their documentation to see what actions can be added.
+# Extension provided actions should be added through a configuration overlay.
+# org.owasp.csrfguard.action.SessionAttribute = org.owasp.csrfguard.action.SessionAttribute
+# org.owasp.csrfguard.action.SessionAttribute.AttributeName = Owasp_CsrfGuard_Exception_Key
+
+################
+## Token Name ##
+################
 # The token name property (org.owasp.csrfguard.TokenName) defines the name of the HTTP parameter
 # to contain the value of the OWASP CSRFGuard token for each request. The following configuration
 # snippet sets the CSRFGuard token parameter name to the value OWASP-CSRFTOKEN:
-#
-# org.owasp.csrfguard.TokenName=OWASP-CSRFTOKEN
-org.owasp.csrfguard.TokenName=OWASP-CSRFTOKEN
-
-# Session Key
-#
-# The session key property (org.owasp.csrfguard.SessionKey) defines the string literal used to save
-# and lookup the CSRFGuard token from the session. This value is used by the filter and the tag
-# libraries to retrieve and set the token value in the session. Developers can use this key to
-# programmatically lookup the token within their own code. The following configuration snippet sets
-# the session key to the value OWASP_CSRFTOKEN:
-#
-# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
-org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
+org.owasp.csrfguard.TokenName = OWASP-CSRFTOKEN
 
-# Token Length
-#
+##################
+## Token Length ##
+##################
 # The token length property (org.owasp.csrfguard.TokenLength) defines the number of characters that
 # should be found within the CSRFGuard token. Note that characters are delimited by dashes (-) in groups
 # of four. For cosmetic reasons, users are encourage to ensure the token length is divisible by four.
 # The following configuration snippet sets the token length property to 32 characters:
-#
-# org.owasp.csrfguard.TokenLength=32
-org.owasp.csrfguard.TokenLength=32
+org.owasp.csrfguard.TokenLength = 32
 
-# Pseudo-random Number Generator
-#
+####################################
+## Pseudo-random Number Generator ##
+####################################
 # The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used
 # to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong
 # pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number
 # generator to SHA1PRNG:
-#
-# org.owasp.csrfguard.PRNG=SHA1PRNG
-org.owasp.csrfguard.PRNG=SHA1PRNG
-
-# Pseudo-random Number Generator Provider
+org.owasp.csrfguard.PRNG = SHA1PRNG
 
+#############################################
+## Pseudo-random Number Generator Provider ##
+#############################################
 # The pseudo-random number generator provider property (org.owasp.csrfguard.PRNG.Provider) defines which
 # provider's implementation of org.owasp.csrfguard.PRNG we should utilize. The following configuration
 # snippet instructs the JVM to leverage SUN's implementation of the algorithm denoted by the
 # org.owasp.csrfguard.PRNG property:
 
-# org.owasp.csrfguard.PRNG.Provider=SUN
-org.owasp.csrfguard.PRNG.Provider=SUN
+org.owasp.csrfguard.PRNG.Provider = SUN
 
 # If not specifying the print config option in the web.xml, you can specify it here, to print the config
 # on startup
 org.owasp.csrfguard.Config.Print = true
 
-###########################
-## Javascript servlet settings if not set in web.xml
-## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
-###########################
+#################################################################
+## Javascript servlet settings if not set in web.xml           ##
+## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection ##
+#################################################################
 
-# leave this blank and blank in web.xml and it will read from META-INF/csrfguard.js from the jarfile
+# leave this blank and blank in web.xml and it will read from META-INF/csrfguard.js from the jar file
 # Denotes the location of the JavaScript template file that should be consumed and dynamically 
 # augmented by the JavaScriptServlet class. The default value is WEB-INF/Owasp.CsrfGuard.js. 
 # Use of this property and the existence of the specified template file is required.
 org.owasp.csrfguard.JavascriptServlet.sourceFile = 
 
-# Boolean value that determines whether or not the dynamic JavaScript code should be strict 
+# Boolean value that determines whether or not the dynamic JavaScript code should be strict
 # with regards to what links it should inject the CSRF prevention token. With a value of true, 
 # the JavaScript code will only place the token in links that point to the same exact domain 
 # from which the HTML originated. With a value of false, the JavaScript code will place the 
@@ -341,7 +360,7 @@ org.owasp.csrfguard.JavascriptServlet.sourceFile =
 org.owasp.csrfguard.JavascriptServlet.domainStrict = true
 
 # Allows the developer to specify the value of the Cache-Control header in the HTTP response 
-# when serving the dynamic JavaScript file. The default value is private, maxage=28800. 
+# when serving the dynamic JavaScript file. The default value is private, max-age=28800.
 # Caching of the dynamic JavaScript file is intended to minimize traffic and improve performance. 
 # Note that the Cache-Control header is always set to "no-store" when either the "Rotate" 
 # "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
@@ -362,8 +381,8 @@ org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
 org.owasp.csrfguard.JavascriptServlet.refererMatchProtocol = true
 
 # Similar to javascript servlet referer pattern, but this will make sure the referer of the 
-# javascript servlet matches the domain of the request.  If there is no referer (proxy strips it?)
-# then it will not fail.  Generally this is a good idea to be true.
+# javascript servlet matches the domain of the request. If there is no referer (proxy strips it?)
+# then it will not fail. Generally this is a good idea to be true.
 org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
 
 # Boolean value that determines whether or not the dynamic JavaScript code should 
@@ -372,16 +391,16 @@ org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
 # as most server-side state changing actions are triggered via a POST request.
 org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
 
-# if the token should be injected in GET forms (which will be on the URL)
-# if the HTTP method GET is unprotected, then this should likely be false
+# If the token should be injected in GET forms (which will be on the URL).
+# If this property is set to true, it will enable tokens injection into forms with GET method,
+# even if the method was previously configured as unprotected.
 org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
 
 # if the token should be injected in the action in forms
 # note, if injectIntoForms is true, then this might not need to be true
 org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
 
-
-# Boolean value that determines whether or not the dynamic JavaScript code should 
+# Boolean value that determines whether or not the dynamic JavaScript code should
 # inject the CSRF prevention token in the query string of src and href attributes. 
 # Injecting the CSRF prevention token in a URL resource increases its general risk 
 # of exposure to unauthorized parties. However, most JavaEE web applications respond 
@@ -393,22 +412,43 @@ org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
 # POST requests (i.e. discarding GET requests) are strongly encouraged to disable this property.
 org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
 
+# Some applications might dynamically create new DOM elements (e.g. forms).
+# This property enables an asynchronous MutationObserver or a DOMNodeInserted event listener if MutationObservers are not supported
+# that is called when new elements are added to the DOM, then injects the CSRF tokens to it.
+# Note: using event listeners can have a significant impact on performance, hence it defaults to false.
+org.owasp.csrfguard.JavascriptServlet.injectIntoDynamicNodes = false
+
+# This property defines the custom event name that will be fired manually by the client when a DOM element
+# that requires CSRF tokens to be injected is modified or (e.g. form action changed) a new one is created.
+# Since the default MutationObserver implementation is asynchronous, there might be corner-case race conditions
+# between dynamically created and submitted forms and the time the MutationObserver is being invoked by the browser.
+# These special cases are intended to be handled with this approach, because JavaScript events are executed synchronously.
+# After a dynamic DOM element creation which requires token injection the integrator client has to manually fire an event
+# with the same name provided below.
+#
+# Example client code, where 'updatedInjectableElement' is the dynamically created element added to the DOM:
+#   const injectableNodeChangedEvent = new CustomEvent('InjectableNodeChanged', {detail: updatedInjectableElement});
+#   window.dispatchEvent(injectableNodeChangedEvent);
+#
+# Note: this property does not default to a pre-defined value and is only considered,
+# if 'org.owasp.csrfguard.JavascriptServlet.injectIntoDynamicNodes' is true.
+# org.owasp.csrfguard.JavascriptServlet.dynamicNodeCreationEventName = InjectableNodeChanged
 
 org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard Project
 
 # A comma separated list of file extensions can be added here to prevent the token from 
 # being appended to them after pageload (which often causes a second copy of those static
 # resources to be downloaded). ex: "js,css,gif,png,ico,jpg"
-#org.owasp.csrfguard.JavascriptServlet.UnprotectedExtensions = js,css,gif,png,ico,jpg
+# org.owasp.csrfguard.JavascriptServlet.UnprotectedExtensions = js,css,gif,png,ico,jpg
 
-###########################
-## Config overlay settings if you have the provider above set to ConfigurationOverlayProvider
-## This CSRF config provider uses Internet2 Configuration Overlays (documented on Internet2 wiki)
-## By default the configuration is read from the Owasp.CsrfGuard.properties
-## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties overlays
-## the base settings.  See the Owasp.CsrfGuard.properties for the possible
-## settings that can be applied to the Owasp.CsrfGuard.overlay.properties
-###########################
+####################################################################################################
+## Config overlay settings if you have the provider above set to ConfigurationOverlayProvider     ##
+## This CSRF config provider uses Internet2 Configuration Overlays (documented on Internet2 wiki) ##
+## By default the configuration is read from the Owasp.CsrfGuard.properties                       ##
+## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties overlays              ##
+## the base settings. See the Owasp.CsrfGuard.properties for the possible                         ##
+## settings that can be applied to the Owasp.CsrfGuard.overlay.properties                         ##
+####################################################################################################
 
 # comma separated config files that override each other (files on the right override the left)
 # each should start with file: or classpath:
@@ -417,7 +457,51 @@ org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properti
 
 # seconds between checking to see if the config files are updated
 org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
- =
-
-###########################
 
+##########################
+## Custom Token storage ##
+##########################
+# This parameter enables custom Token Holder implementations. It can be used when the backend has a stateless architecture.
+# The implementation has to implement the org.owasp.csrfguard.token.storage.TokenHolder interface.
+# The logic uses SPI to discover the implementation, so in the client module there should be a file called 'org.owasp.csrfguard.token.storage.TokenHolder' under the 'META-INF/services' directory that would contain
+# the fully qualified class name of the custom implementation.
+#
+# Depends on the 'org.owasp.csrfguard.token.storage.LogicalSessionExtractor' property. If the dependency is not fulfilled, then this property will be disregarded.
+# Defaults to 'org.owasp.csrfguard.token.storage.impl.InMemoryTokenHolder', which uses a ConcurrentHashMap to store the tokens.
+# TODO review
+# org.owasp.csrfguard.TokenHolder = org.owasp.csrfguard.token.storage.impl.InMemoryTokenHolder
+
+# This parameter enables defining a custom logical session extractor. The logic must implement the 'org.owasp.csrfguard.token.storage.LogicalSessionExtractor' interface.
+# TODO
+# Defaults to 'org.owasp.csrfguard.session.ContainerSession', which uses the container's HttpSession in the background. The extensions module containing this logic has to be added as a Maven dependency to the project.
+# If a custom implementation is required (e.g. stateless sessions with JWTs), the integration code should invoke the 'org.owasp.csrfguard.CsrfGuard.onSessionCreated' and 'org.owasp.csrfguard.CsrfGuard.onSessionDestroyed'
+# The 'org.owasp.csrfguard.token.storage.LogicalSessionExtractor#getKey' method should return a unique identifier for a specific request (e.g. username from JWT token)
+org.owasp.csrfguard.LogicalSessionExtractor = org.owasp.csrfguard.session.SessionTokenKeyExtractor
+
+#################
+## Concurrency ##
+#################
+# Defines for how many milliseconds the application should accept the master token instead of a newly generated page token.
+#
+# This parameter is aimed to solve the race condition when the 'org.owasp.csrfguard.TokenPerPage' option is enabled without 'org.owasp.csrfguard.TokenPerPagePrecreate'
+# when multiple simultaneous AJAX ('org.owasp.csrfguard.Ajax') requests are fired by a Single Page Applications (SPA)
+# before the initialization of the desired endpoint URIs. The first request against a specific endpoint URI is validated using the master token,
+# then a new page token is generated for future calls, but in case of multiple simultaneously requests, the logic might not have time to assign
+# the newly generated page token to the resource on the client side causing false positive intrusion exceptions.
+#
+# Note: This configuration does not (yet) enable the AJAX and Token Rotation combination. See the documentation for 'org.owasp.csrfguard.Rotate'
+#
+# Defaults to 2000 milliseconds (= 2 seconds).
+org.owasp.csrfguard.PageTokenSynchronizationTolerance = 2000
+
+# The current approach of the OWASP CSRFGuard relies on JavaScript logic for injecting CSRF tokens into HTML elements or XHR requests.
+# Forcing synchronous loading of the AJAX requests has been disabled by default, since they were deprecated
+# (see https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/Synchronous_and_Asynchronous_Requests#synchronous_request)
+# due to their negative impact on the user experience. For this reason, protecting resources that would load
+# before or in parallel with the JavaScript logic (e.g. references IFrames or IMG tags) is not possible anymore.
+# In most cases this should not be a problem, because usually GET requests should not facilitate state-changing operations.
+# If case this last condition cannot be fulfilled (e.g. for legacy applications), backwards compatibility can be achieved by enabling the
+# "forceSynchronousAjax" property below, until there is browser support for it.
+#
+# Defaults to False.
+org.owasp.csrfguard.forceSynchronousAjax = false
diff --git a/csrfguard/src/main/resources/csrfguard.tld b/csrfguard/src/main/resources/csrfguard.tld
deleted file mode 100644
index a49979d..0000000
--- a/csrfguard/src/main/resources/csrfguard.tld
+++ /dev/null
@@ -1,70 +0,0 @@
-<?xml version="1.0"?>
-<!--
-The OWASP CSRFGuard Project, BSD License
-Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice,
-   this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-3. Neither the name of OWASP nor the names of its contributors may be used
-   to endorse or promote products derived from this software without specific
-   prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- -->
-<taglib xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd" version="2.0">
-	<tlib-version>1.2</tlib-version>
-	<jsp-version>2.0</jsp-version>
-	<short-name>Owasp CsrfGuard Tag Library</short-name>
-	<uri>http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld</uri>
-	<tag>
-		<name>token</name>
-		<tag-class>org.owasp.csrfguard.tag.TokenTag</tag-class>
-		<body-content>empty</body-content>
-		<attribute>
-			<name>uri</name>
-			<required>false</required>
-			<rtexprvalue>true</rtexprvalue>
-		</attribute>
-	</tag>
-	<tag>
-		<name>tokenname</name>
-		<tag-class>org.owasp.csrfguard.tag.TokenNameTag</tag-class>
-		<body-content>empty</body-content>
-	</tag>
-	<tag>
-		<name>tokenvalue</name>
-		<tag-class>org.owasp.csrfguard.tag.TokenValueTag</tag-class>
-		<body-content>empty</body-content>
-		<attribute>
-			<name>uri</name>
-			<required>false</required>
-			<rtexprvalue>true</rtexprvalue>
-		</attribute>
-	</tag>
-	<tag>
-		<name>a</name>
-		<tag-class>org.owasp.csrfguard.tag.ATag</tag-class>
-		<dynamic-attributes>true</dynamic-attributes>
-	</tag>
-	<tag>
-		<name>form</name>
-		<tag-class>org.owasp.csrfguard.tag.FormTag</tag-class>
-		<dynamic-attributes>true</dynamic-attributes>
-	</tag>
-</taglib>
diff --git a/csrfguard/src/main/resources/license.txt b/csrfguard/src/main/resources/license.txt
index 7f5c642..e8cae84 100644
--- a/csrfguard/src/main/resources/license.txt
+++ b/csrfguard/src/main/resources/license.txt
@@ -1,18 +1,18 @@
 The OWASP CSRFGuard Project, BSD License
-Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
+Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
 
- 1. Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
-    notice, this list of conditions and the following disclaimer in the
-    documentation and/or other materials provided with the distribution.
- 3. Neither the name of OWASP nor the names of its contributors may be used
-    to endorse or promote products derived from this software without specific
-    prior written permission.
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    3. Neither the name of OWASP nor the names of its contributors may be used
+       to endorse or promote products derived from this software without specific
+       prior written permission.
 
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
diff --git a/csrfguard/src/test/java/org/owasp/csrfguard/CsrfValidatorTest.java b/csrfguard/src/test/java/org/owasp/csrfguard/CsrfValidatorTest.java
new file mode 100644
index 0000000..1e40ff9
--- /dev/null
+++ b/csrfguard/src/test/java/org/owasp/csrfguard/CsrfValidatorTest.java
@@ -0,0 +1,180 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.MockedStatic;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.csrfguard.servlet.JavaScriptServlet;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+import java.util.function.Consumer;
+import java.util.function.Predicate;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import static org.junit.jupiter.api.Assertions.fail;
+import static org.mockito.Mockito.*;
+
+@ExtendWith(MockitoExtension.class)
+class CsrfValidatorTest {
+
+    @Test
+    void testResourceValidationWithNoRules() {
+        final Set<String> matchingRules = Collections.emptySet();
+        final List<String> resourcesToTest = Arrays.asList("test.html", "/test.html");
+
+        testResourceValidation(matchingRules, Collections.emptyList(), resourcesToTest);
+    }
+
+    @Test
+    void testResourceValidationWithPathMatchingRule() {
+        final Set<String> matchingRules = Collections.singleton("/*");
+
+        final List<String> resourceSet = Arrays.asList("protect.html", "/protect.html", "something/protect.txt", "/something/protect.txt");
+
+        testResourceValidation(matchingRules, resourceSet, Collections.emptyList());
+    }
+
+    @Test
+    void testResourceValidationWithStaticRules() {
+        final Set<String> matchingRules = Stream.of("/unprotected.html", "/also_unprotected.jsp").collect(Collectors.toSet());
+
+        final List<String> firstResourceSet = Arrays.asList("unprotected.html", "also_unprotected.jsp", "/unprotected.html", "/also_unprotected.jsp");
+        final List<String> secondResourceSet = Arrays.asList("test.html", "/test.html", "test.jsp", "/test.jsp");
+
+        testResourceValidation(matchingRules, firstResourceSet, secondResourceSet);
+    }
+
+    @Test
+    void testResourceValidationWithRegexRules() {
+        final String matchingRule = "^.*protect\\..*$";
+        final List<String> firstResourceSet = Arrays.asList("protect.html", "/protect.html", "something/protect.txt", "/something/protect.txt");
+        final List<String> secondResourceSet = Arrays.asList("test.html", "/test.html", "/protect");
+
+        testResourceValidation(matchingRule, firstResourceSet, secondResourceSet);
+    }
+
+    @Test
+    void testResourceValidationWithPartialPathMatchingRule() {
+        final String matchingRule = "/protected/*";
+
+        final List<String> firstResourceSet = Arrays.asList("protected/test.html", "/protected/test.html");
+        final List<String> secondResourceSet = Arrays.asList("test.html", "/test.html", "/protect");
+
+        testResourceValidation(matchingRule, firstResourceSet, secondResourceSet);
+    }
+
+    @Test
+    void testResourceValidationWithExtensionMatchingRule() {
+        final String matchingRule = "*.jsp";
+
+        final List<String> firstResourceSet = Arrays.asList("protected/test.jsp", "/protected/test.jsp");
+        final List<String> secondResourceSet = Arrays.asList("something/test.html", "/test.html", "/protect");
+
+        testResourceValidation(matchingRule, firstResourceSet, secondResourceSet);
+    }
+
+    private static void executeInMockedContext(final Consumer<CsrfGuard> csrfGuardConsumer) {
+        final CsrfGuard csrfGuard = mock(CsrfGuard.class);
+
+        try (final MockedStatic<JavaScriptServlet> javaScriptServletMockedStatic = mockStatic(JavaScriptServlet.class)) {
+            javaScriptServletMockedStatic.when(JavaScriptServlet::getJavascriptUris).thenReturn(Collections.singleton("/JavaScriptServlet"));
+
+            try (final MockedStatic<CsrfGuard> csrfGuardMockedStatic = mockStatic(CsrfGuard.class)) {
+                csrfGuardMockedStatic.when(CsrfGuard::getInstance).thenReturn(csrfGuard);
+                csrfGuardConsumer.accept(CsrfGuard.getInstance());
+            }
+        }
+    }
+
+    private void testResourceValidation(final String matchingRule, final List<String> firstResourceSet, final List<String> secondResourceSet) {
+        testResourceValidation(Collections.singleton(matchingRule), firstResourceSet, secondResourceSet);
+    }
+
+    private void testResourceValidation(final Set<String> matchingRule, final List<String> firstResourceSet, final List<String> secondResourceSet) {
+        testResourceValidation(true, matchingRule, firstResourceSet, secondResourceSet);
+        testResourceValidation(false, matchingRule, secondResourceSet, firstResourceSet);
+    }
+
+    private void testResourceValidation(final boolean isProtect, final Set<String> matchingRules, final List<String> protectedResources, final List<String> unProtectedResources) {
+        executeInMockedContext(csrfGuard -> {
+            final CsrfValidator csrfValidator = initializeValidator(csrfGuard, isProtect, matchingRules);
+
+            assertPagesAreProtected(csrfValidator, protectedResources);
+            assertPagesAreNotProtected(csrfValidator, unProtectedResources);
+        });
+    }
+
+    private CsrfValidator initializeValidator(final CsrfGuard csrfGuard, final boolean isProtect, final Set<String> matchingRules) {
+        when(csrfGuard.isProtectEnabled()).thenReturn(isProtect);
+
+        if (isProtect) {
+            when(csrfGuard.getProtectedPages()).thenReturn(matchingRules);
+        } else {
+            when(csrfGuard.getUnprotectedPages()).thenReturn(matchingRules);
+        }
+
+        return new CsrfValidator();
+    }
+
+    private void assertPagesAreProtected(final CsrfValidator csrfValidator, final List<String> resources) {
+        assertPageProtection(csrfValidator, true, resources);
+    }
+
+    private void assertPagesAreNotProtected(final CsrfValidator csrfValidator, final List<String> resources) {
+        assertPageProtection(csrfValidator, false, resources);
+    }
+
+    private void assertPageProtection(final CsrfValidator csrfValidator, final boolean isProtected, final List<String> resources) {
+        resources.forEach(resource -> {
+            final ProtectionResult protectionResult = csrfValidator.isProtectedPageAndMethod(resource, "not relevant");
+
+            testResourceNormalized(resource, protectionResult);
+
+            if (isProtected != protectionResult.isProtected()) {
+                fail(String.format("The '%s' resource should %s protected!", resource, isProtected ? "be" : "not be"));
+            }
+        });
+    }
+
+    private void testResourceNormalized(final String resource, final ProtectionResult protectionResult) {
+        final String normalizedResource = protectionResult.getResourceIdentifier();
+        final Predicate<Character> normalizationTester = startingCharacter -> (normalizedResource.charAt(0) != startingCharacter) && (normalizedResource.charAt(1) != startingCharacter);
+
+        if (normalizationTester.test('/') && normalizationTester.test('^')) {
+            fail(String.format("The '%s' resource should start with a '^' character if a regular expression has matched it, '/' otherwise!", resource));
+        }
+    }
+}
diff --git a/csrfguard/src/test/java/org/owasp/csrfguard/MandatoryProperties.java b/csrfguard/src/test/java/org/owasp/csrfguard/MandatoryProperties.java
new file mode 100644
index 0000000..c9bdbc6
--- /dev/null
+++ b/csrfguard/src/test/java/org/owasp/csrfguard/MandatoryProperties.java
@@ -0,0 +1,60 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard;
+
+import org.owasp.csrfguard.config.dummy.DummyAction;
+import org.owasp.csrfguard.config.dummy.DummyLogicalSessionExtractor;
+import org.owasp.csrfguard.config.properties.ConfigParameters;
+
+import java.util.Map;
+import java.util.Properties;
+
+public class MandatoryProperties {
+
+    public final Properties properties = new Properties();
+
+    public MandatoryProperties() {
+        this.properties.setProperty(ConfigParameters.LOGICAL_SESSION_EXTRACTOR_NAME, DummyLogicalSessionExtractor.class.getName());
+        this.properties.setProperty(ConfigParameters.ACTION_PREFIX + DummyAction.class.getSimpleName(), DummyAction.class.getName());
+    }
+
+    public MandatoryProperties add(final String key, final String value) {
+        this.properties.put(key, value);
+        return this;
+    }
+
+    public MandatoryProperties add(final Map<String, String> additionalProperties) {
+        this.properties.putAll(additionalProperties);
+        return this;
+    }
+
+    public Properties get() {
+        return this.properties;
+    }
+}
diff --git a/csrfguard/src/test/java/org/owasp/csrfguard/config/PropertiesConfigurationProviderTest.java b/csrfguard/src/test/java/org/owasp/csrfguard/config/PropertiesConfigurationProviderTest.java
new file mode 100644
index 0000000..7a0777b
--- /dev/null
+++ b/csrfguard/src/test/java/org/owasp/csrfguard/config/PropertiesConfigurationProviderTest.java
@@ -0,0 +1,112 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.config;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.owasp.csrfguard.MandatoryProperties;
+import org.owasp.csrfguard.config.properties.ConfigParameters;
+
+import java.security.SecureRandom;
+import java.util.Properties;
+
+class PropertiesConfigurationProviderTest {
+
+    @Test
+    void testDefaultPRNG() {
+        final PropertiesConfigurationProvider configurationProvider = new PropertiesConfigurationProvider(new MandatoryProperties().get());
+        final SecureRandom secureRandom = configurationProvider.getPrng();
+        Assertions.assertNotNull(secureRandom);
+    }
+
+    @Test
+    void testInvalidProvider() {
+        final Properties properties = new MandatoryProperties().add(ConfigParameters.PRNG_PROVIDER.getKey(), "InvalidProvider").get();
+
+        final PropertiesConfigurationProvider configurationProvider = new PropertiesConfigurationProvider(properties);
+        final SecureRandom secureRandom = configurationProvider.getPrng();
+        Assertions.assertNotNull(secureRandom);
+    }
+
+    @Test
+    void testInvalidAlgorithm() {
+        final Properties properties = new MandatoryProperties().add(ConfigParameters.PRNG.getKey(), "InvalidAlgorithm").get();
+
+        final PropertiesConfigurationProvider configurationProvider = new PropertiesConfigurationProvider(properties);
+        final SecureRandom secureRandom = configurationProvider.getPrng();
+        Assertions.assertNotNull(secureRandom);
+    }
+
+    @Test
+    void testInvalidPRNG() {
+        final Properties properties = new MandatoryProperties().add(ConfigParameters.PRNG.getKey(), "InvalidAlgorithm")
+                                                               .add(ConfigParameters.PRNG_PROVIDER.getKey(), "InvalidProvider")
+                                                               .get();
+
+        final PropertiesConfigurationProvider configurationProvider = new PropertiesConfigurationProvider(properties);
+        final SecureRandom secureRandom = configurationProvider.getPrng();
+        Assertions.assertNotNull(secureRandom);
+    }
+
+    @Test
+    void testInvalidTokenLength() {
+        final Properties properties = new MandatoryProperties().add(ConfigParameters.TOKEN_LENGTH.getName(), String.valueOf(3)).get();
+        final RuntimeException exception = Assertions.assertThrows(RuntimeException.class, () -> new PropertiesConfigurationProvider(properties));
+
+        Assertions.assertEquals(IllegalArgumentException.class, exception.getCause().getClass());
+        Assertions.assertTrue(exception.getMessage().contains("token length"));
+    }
+
+    @Test
+    void testInvalidHttpMethods() {
+        testHttpMethods(ConfigParameters.PROTECTED_METHODS);
+        testHttpMethods(ConfigParameters.UNPROTECTED_METHODS);
+    }
+
+    @Test
+    void testHttpMethodProtectionDuplication() {
+        final String httpMethods = "POST, GET";
+        final Properties properties = new MandatoryProperties().add(ConfigParameters.PROTECTED_METHODS, httpMethods)
+                                                               .add(ConfigParameters.UNPROTECTED_METHODS, httpMethods)
+                                                               .get();
+
+        final RuntimeException exception = Assertions.assertThrows(RuntimeException.class, () -> new PropertiesConfigurationProvider(properties));
+        Assertions.assertEquals(IllegalArgumentException.class, exception.getCause().getClass());
+        Assertions.assertEquals(exception.getCause().getMessage(), "The [POST, GET] HTTP method(s) cannot be both protected and unprotected.");
+    }
+
+    private void testHttpMethods(final String protectedMethods) {
+        final Properties properties = new MandatoryProperties().add(protectedMethods, "POST, get, OpTiOns, INVALID,PATch ").get();
+        final RuntimeException exception = Assertions.assertThrows(RuntimeException.class, () -> new PropertiesConfigurationProvider(properties));
+
+        Assertions.assertEquals(IllegalArgumentException.class, exception.getCause().getClass());
+        Assertions.assertEquals(exception.getCause().getMessage(), "The provided input 'INVALID' is not a valid HTTP method!");
+    }
+}
\ No newline at end of file
diff --git a/csrfguard/src/test/java/org/owasp/csrfguard/config/dummy/DummyAction.java b/csrfguard/src/test/java/org/owasp/csrfguard/config/dummy/DummyAction.java
new file mode 100644
index 0000000..ac4a5a3
--- /dev/null
+++ b/csrfguard/src/test/java/org/owasp/csrfguard/config/dummy/DummyAction.java
@@ -0,0 +1,65 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.config.dummy;
+
+import org.owasp.csrfguard.CsrfGuard;
+import org.owasp.csrfguard.CsrfGuardException;
+import org.owasp.csrfguard.action.IAction;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Collections;
+import java.util.Map;
+
+public class DummyAction implements IAction {
+
+    @Override
+    public void setName(final String name) {}
+
+    @Override
+    public String getName() {
+        return null;
+    }
+
+    @Override
+    public void setParameter(final String name, final String value) {}
+
+    @Override
+    public String getParameter(final String name) {
+        return null;
+    }
+
+    @Override
+    public Map<String, String> getParameterMap() {
+        return Collections.emptyMap();
+    }
+
+    @Override
+    public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfe, final CsrfGuard csrfGuard) {}
+}
diff --git a/csrfguard/src/test/java/org/owasp/csrfguard/config/dummy/DummyLogicalSessionExtractor.java b/csrfguard/src/test/java/org/owasp/csrfguard/config/dummy/DummyLogicalSessionExtractor.java
new file mode 100644
index 0000000..cf016e0
--- /dev/null
+++ b/csrfguard/src/test/java/org/owasp/csrfguard/config/dummy/DummyLogicalSessionExtractor.java
@@ -0,0 +1,47 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.owasp.csrfguard.config.dummy;
+
+import org.owasp.csrfguard.session.LogicalSession;
+import org.owasp.csrfguard.token.storage.LogicalSessionExtractor;
+
+import javax.servlet.http.HttpServletRequest;
+
+public class DummyLogicalSessionExtractor implements LogicalSessionExtractor {
+
+    @Override
+    public LogicalSession extract(final HttpServletRequest httpServletRequest) {
+        return null;
+    }
+
+    @Override
+    public LogicalSession extractOrCreate(final HttpServletRequest httpServletRequest) {
+        return null;
+    }
+}
diff --git a/csrfguard/src/test/java/org/owasp/csrfguard/token/transferobject/TokenTOTest.java b/csrfguard/src/test/java/org/owasp/csrfguard/token/transferobject/TokenTOTest.java
new file mode 100644
index 0000000..c75555b
--- /dev/null
+++ b/csrfguard/src/test/java/org/owasp/csrfguard/token/transferobject/TokenTOTest.java
@@ -0,0 +1,77 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.token.transferobject;
+
+import org.junit.jupiter.api.Test;
+
+import java.util.HashMap;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class TokenTOTest {
+
+    @Test
+    void testMasterTokenToJson() {
+        final TokenTO tokenTO = new TokenTO("AAAA-BBBB-CCCC-DDDD");
+
+        assertEquals(tokenTO.toString(), "{\"masterToken\":\"AAAA-BBBB-CCCC-DDDD\",\"pageTokens\":{}}");
+    }
+
+    @Test
+    void testEmptyTokenToJson() {
+        final TokenTO tokenTO = new TokenTO(null, null);
+        assertEquals(tokenTO.toString(), "{}");
+    }
+
+    @Test
+    void testPageTokensToJson() {
+        final HashMap<String, String> pageTokens = new HashMap<>();
+
+        pageTokens.put("/start", "start-Page-Token-Value");
+        pageTokens.put("/index.html", "index-Page-Token-Value");
+
+        final TokenTO tokenTO = new TokenTO(pageTokens);
+        assertEquals(tokenTO.toString(), "{\"pageTokens\":{\"/index.html\":\"index-Page-Token-Value\",\"/start\":\"start-Page-Token-Value\"}}");
+    }
+
+    @Test
+    void testMasterTokenPageTokensToJson() {
+        final HashMap<String, String> pageTokens = new HashMap<>();
+
+        pageTokens.put("/start", "start-Page-Token-Value");
+        pageTokens.put("/index.html", "index-Page-Token-Value");
+
+        final TokenTO tokenTO = new TokenTO("AAAA-BBBB-CCCC-DDDD", pageTokens);
+        final String expectedResult = "{\"masterToken\":\"AAAA-BBBB-CCCC-DDDD\"," +
+                                      "\"pageTokens\":{\"/index.html\":\"index-Page-Token-Value\"," +
+                                      "\"/start\":\"start-Page-Token-Value\"}}";
+        assertEquals(tokenTO.toString(), expectedResult);
+    }
+}
\ No newline at end of file
diff --git a/csrfguard/src/test/java/org/owasp/csrfguard/util/RandomGeneratorTest.java b/csrfguard/src/test/java/org/owasp/csrfguard/util/RandomGeneratorTest.java
new file mode 100644
index 0000000..61a4278
--- /dev/null
+++ b/csrfguard/src/test/java/org/owasp/csrfguard/util/RandomGeneratorTest.java
@@ -0,0 +1,63 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     1. Redistributions of source code must retain the above copyright notice,
+ *        this list of conditions and the following disclaimer.
+ *     2. Redistributions in binary form must reproduce the above copyright
+ *        notice, this list of conditions and the following disclaimer in the
+ *        documentation and/or other materials provided with the distribution.
+ *     3. Neither the name of OWASP nor the names of its contributors may be used
+ *        to endorse or promote products derived from this software without specific
+ *        prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.util;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.csrfguard.MandatoryProperties;
+import org.owasp.csrfguard.config.PropertiesConfigurationProvider;
+
+import java.security.SecureRandom;
+import java.util.Properties;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class RandomGeneratorTest {
+
+    private SecureRandom secureRandom;
+
+    @BeforeEach
+    void setUp() {
+        final Properties properties = new MandatoryProperties().get();
+
+        final PropertiesConfigurationProvider configurationProvider = new PropertiesConfigurationProvider(properties);
+
+        this.secureRandom = configurationProvider.getPrng();
+    }
+
+    @Test
+    void testCustomTokenLength() {
+        final String randomToken = RandomGenerator.generateRandomId(this.secureRandom, 5);
+
+        Assertions.assertEquals(randomToken.charAt(4), '-');
+        assertEquals(randomToken.length(), 6);
+    }
+}
\ No newline at end of file
diff --git a/index.md b/index.md
index a77dcbd..f63ab82 100644
--- a/index.md
+++ b/index.md
@@ -1,17 +1,17 @@
 ---
-
 layout: col-sidebar
 title: OWASP CSRFGuard
-site_side: true
-tags: csrfguard
-project: true
+tags: csrfguard defenders breakers vulnerability-management
 level: 4
 type: tool
-
+project: true
+pitch: OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
 ---
+![Tool Project](assets/images/owasp_tool_project.png)
+
 <!-- rebuild 40 -->
 
-The OWASP CSRFGuard is one of the world’s most popular free security tools and is actively maintained by a pool of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.
+The OWASP CSRFGuard is one of the world’s most popular free security tools and is actively maintained by a pool of international volunteers.
 
 Welcome to the home of the OWASP CSRFGuard Project! OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks. 
 
@@ -21,3 +21,5 @@ It is the responsibility of OWASP CSRFGuard to ensure the token is present and i
 
 Any attempt to submit a request to a protected resource without the correct corresponding token is viewed as a CSRF attack in progress and is discarded. Prior to discarding the request, CSRFGuard can be configured to take one or more actions such as logging aspects of the request and redirecting the user to a landing page. 
 The latest release enhances this strategy to support the optional verification of HTTP requests submitted using Ajax as well as the optional verification of referrer headers.
+
+As OWASP project we follow the OWASP Code Of Conduct available here: https://owasp.org/www-policy/operational/code-of-conduct
diff --git a/info.md b/info.md
index 4c49e94..b755df6 100644
--- a/info.md
+++ b/info.md
@@ -7,23 +7,88 @@
 
 ![Tool Project](assets/images/owasp_tool_project.png)
 
-### Downloads CSRFGuard in Maven Central
+## CSRFGuard 4.0 released in April 2021
 
-You can download a binary version from Maven Central here:
+[http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project](http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project)
 
-https://oss.sonatype.org/#nexus-search;gav~~csrfguard~~~
+BSD License, All rights reserved.
 
-Thanks to Trent Schmidt and Joel Orlina (JIRA) for there help.
+## Overview
 
-### Code Repository
+Welcome to the home of the OWASP CSRFGuard Project! OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks. The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. When a user interacts with this HTML, CSRF prevention tokens (i.e. cryptographically random synchronizer tokens) are submitted with the corresponding HTTP request. It is the responsibility of OWASP CSRFGuard to ensure the token is present and is valid for the current HTTP request. Any attempt to submit a request to a protected resource without the correct corresponding token is viewed as a CSRF attack in progress and is discarded. Prior to discarding the request, CSRFGuard can be configured to take one or more actions such as logging aspects of the request and redirecting the user to a landing page. The latest release enhances this strategy to support the optional verification of HTTP requests submitted using Ajax as well as the optional verification of referrer headers.
 
-* [CSFRGuard](https://github.com/aramrami/OWASP-CSRFGuard)
+## Project Leads
 
+The CSRFGuard project is run by [Azzeddine RAMRAMI](mailto:azzeddine.ramrami@owasp.org) and [Istvan ALBERT-TOTH](mailto:istvan.alberttoth@owasp.org).
 
-### Change Log
+## License
+
+OWASP CSRFGuard 4.0.0 is offered under the [BSD license](http://www.opensource.org/licenses/bsd-license.php).
+
+## Using with Maven
+OWASP CSRFGuard 4.0.0 will be available on the Maven Central Repository. Add the following dependency to your Maven POM file to use the library:
+
+```maven
+<dependency>
+    <groupId>org.owasp</groupId>
+    <artifactId>csrfguard</artifactId>
+    <version>4.0.0</version>
+</dependency>
+```
+
+## Building the code
+
+1. Make sure you have [Apache Maven](http://maven.apache.org/) 3.0.4+ and JDK 1.8+ installed
+2. Clone this repository locally
+3. Build the project by running ```mvn clean install``` in the project root directory
+4. Build and run the test JSP web application by running ```mvn pre-integration-test -Pdeploy-jsp-webapp -pl csrfguard-test/csrfguard-test-jsp``` or ```mvn -Pdeploy-jsp-webapp -pl csrfguard-test/csrfguard-test-jsp tomcat7:run```
+5. Optional: you can use ```mvnDebug``` to enable remote debugging, then connect your IDE to it (default port is 8000)
+6. Use a web browser to access ```http://localhost:8080``` to open the home page of the test project
+
+## Uploading to the Maven Central repository
+
+1. Follow the [Sonatype Open-Source Project Maven Repository Usage Guide](https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide) to create a Sonatype user account;
+2. Next, [open a support request](https://issues.sonatype.org/browse/OSSRH) to get your newly created username added to the Maven groupId ```org.owasp```;
+3. Once the support request has been completed, follow the instructions in the Sonatype Maven repository usage guide mentioned above to upload new versions to the Maven Central repository.
+
+### Maven Central repository
+
+You can download pre-compiled versions from:
+
+* [Maven Central repository](https://search.maven.org/search?q=csrfguard)
+* [OSS Sonatype Nexus repository](https://oss.sonatype.org/#nexus-search;gav~~csrfguard~~~)
+
+## Email List
+
+You can sign up for the OWASP CSRFGuard email list [here](https://groups.google.com/a/owasp.org/g/csrfguard-project).
+
+## CSRFGuard 4.0 Release Notes:
+
+* [Support for stateless web applications](https://github.com/aramrami/OWASP-CSRFGuard/issues/122)
+* [Apply "TokenPerPage" approach to AJAX](https://github.com/aramrami/OWASP-CSRFGuard/issues/123)
+* [Reduced code duplication](https://github.com/aramrami/OWASP-CSRFGuard/issues/127)
+* [Proper multi-module maven project structure](https://github.com/aramrami/OWASP-CSRFGuard/issues/128)
+* [The test JSP web application now relies on the latest development JavaScript code](https://github.com/aramrami/OWASP-CSRFGuard/issues/133)
+* [Improved code quality](https://github.com/aramrami/OWASP-CSRFGuard/issues/134)
+* [Addressing synchronous XMLHttpRequest deprecation](https://github.com/aramrami/OWASP-CSRFGuard/issues/137)
+* [Approach changed for master and page token retrieval](https://github.com/aramrami/OWASP-CSRFGuard/issues/139)
+* [Improved test coverage](https://github.com/aramrami/OWASP-CSRFGuard/issues/140)
+* [Better solution for looking up page tokens in the JS](https://github.com/aramrami/OWASP-CSRFGuard/issues/141)
+* [The javascript template is now parsable and minifiable](https://github.com/aramrami/OWASP-CSRFGuard/issues/142)
+* [Short-circuit the solution logic if CSRFGuard is disabled](https://github.com/aramrami/OWASP-CSRFGuard/issues/143)
+* [Do not generate page tokens for pages that are not protected](https://github.com/aramrami/OWASP-CSRFGuard/issues/144)
+* [Page tokens generated on first use are not sent back to the client](https://github.com/aramrami/OWASP-CSRFGuard/issues/145)
+* [Issue with the token-per-page support for REST endpoint containing path parameters](https://github.com/aramrami/OWASP-CSRFGuard/issues/146)
+* [Possible race condition on first access of endpoints when token-per-page and AJAX request options are enabled](https://github.com/aramrami/OWASP-CSRFGuard/issues/147)
+* [Tokens are not injected into dynamically created DOM elements ](https://github.com/aramrami/OWASP-CSRFGuard/issues/148)
+* [Make the configuration more resilient to errors](https://github.com/aramrami/OWASP-CSRFGuard/issues/149)
+* [Tokens should not be injected into external links if the domainStrict property is set to true](https://github.com/aramrami/OWASP-CSRFGuard/issues/150)
+* [Tokens not injected in dynamic content returned from Ajax](https://github.com/aramrami/OWASP-CSRFGuard/issues/151)
+* Heavily refactored, improved and more optimized code-base
+* Documentation update and typo fixes.
+* Copyright update and unification.
+
+The 4.0.0 release candidate can be downloaded from the [releases](https://github.com/OWASP/www-project-csrfguard/releases) section.
 
-* [CSRFGuard](https://github.com/aramrami/OWASP-CSRFGuard/commits)
 
-### Licensing
 
-OWASP CSRFGuard 3.1.0 is offered under the [BSD license](http://www.opensource.org/licenses/bsd-license.php)
diff --git a/pom.xml b/pom.xml
new file mode 100644
index 0000000..ca0f03d
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,360 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ The OWASP CSRFGuard Project, BSD License
+  ~ Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+  ~ All rights reserved.
+  ~
+  ~ Redistribution and use in source and binary forms, with or without
+  ~ modification, are permitted provided that the following conditions are met:
+  ~
+  ~     1. Redistributions of source code must retain the above copyright notice,
+  ~        this list of conditions and the following disclaimer.
+  ~     2. Redistributions in binary form must reproduce the above copyright
+  ~        notice, this list of conditions and the following disclaimer in the
+  ~        documentation and/or other materials provided with the distribution.
+  ~     3. Neither the name of OWASP nor the names of its contributors may be used
+  ~        to endorse or promote products derived from this software without specific
+  ~        prior written permission.
+  ~
+  ~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+  ~ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+  ~ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+  ~ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+  ~ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+  ~ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+  ~ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+  ~ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+  ~ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+  ~ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.owasp</groupId>
+    <artifactId>csrfguard-parent</artifactId>
+    <version>4.0.2-SNAPSHOT</version>
+    <packaging>pom</packaging>
+
+    <name>OWASP CSRFGuard Parent POM</name>
+    <description>OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.</description>
+    <url>https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project</url>
+
+    <organization>
+        <name>OWASP</name>
+        <url>http://www.owasp.org</url>
+    </organization>
+    <licenses>
+        <license>
+            <name>BSD License</name>
+            <url>http://www.opensource.org/licenses/bsd-license.php</url>
+        </license>
+    </licenses>
+    <developers>
+        <developer>
+            <id>esheri3</id>
+            <name>Eric Sheridan</name>
+            <email>eric@infraredsecurity.com</email>
+            <roles>
+                <role>Project Inventor</role>
+            </roles>
+        </developer>
+        <developer>
+            <id>aramrami</id>
+            <name>Azzeddine Ramrami</name>
+            <email>azzeddine.ramrami@owasp.org</email>
+            <roles>
+                <role>Project Co-leader</role>
+            </roles>
+        </developer>
+        <developer>
+            <name>Istvan Albert-Toth</name>
+            <email>istvan.alberttoth@owasp.org</email>
+            <roles>
+                <role>Project Co-leader</role>
+                <role>Creator of major release v4.0</role>
+            </roles>
+        </developer>
+    </developers>
+
+    <modules>
+        <module>csrfguard</module>
+        <module>csrfguard-extensions</module>
+        <module>csrfguard-test</module>
+    </modules>
+
+    <scm>
+        <connection>scm:git:git://github.com/OWASP/www-project-csrfguard.git</connection>
+        <developerConnection>scm:git:git@github.com:OWASP/www-project-csrfguard.git</developerConnection>
+        <url>https://github.com/OWASP/www-project-csrfguard</url>
+      <tag>HEAD</tag>
+  </scm>
+
+    <issueManagement>
+        <system>GitHub Issue Tracking</system>
+        <url>https://github.com/OWASP/www-project-csrfguard/issues</url>
+    </issueManagement>
+
+    <distributionManagement>
+        <snapshotRepository>
+            <id>ossrh</id> <!-- Must match the serverId from the settings.xml -->
+            <url>https://oss.sonatype.org/content/repositories/snapshots</url>
+        </snapshotRepository>
+        <repository>
+            <id>ossrh</id> <!-- Must match the serverId from the settings.xml -->
+            <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
+        </repository>
+    </distributionManagement>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+
+        <java.version>1.8</java.version>
+
+        <maven.compiler.source>${java.version}</maven.compiler.source>
+        <maven.compiler.target>${java.version}</maven.compiler.target>
+
+        <servlet-api.version>2.5</servlet-api.version>
+        <jsp-api.version>2.1</jsp-api.version>
+        <jstl.version>1.2</jstl.version>
+
+        <maven-surefire-plugin.version>2.22.0</maven-surefire-plugin.version>
+        <maven-jar-plugin.version>3.2.0</maven-jar-plugin.version>
+        <maven-war-plugin.version>3.3.1</maven-war-plugin.version>
+        <maven-source-plugin.version>3.2.0</maven-source-plugin.version>
+        <maven-compiler-plugin.version>3.8.1</maven-compiler-plugin.version>
+        <maven-javadoc-plugin.version>3.2.0</maven-javadoc-plugin.version>
+        <maven-scm-plugin.version>1.11.2</maven-scm-plugin.version>
+        <maven-release-plugin.version>3.0.0-M1</maven-release-plugin.version>
+        <maven-deploy-plugin.version>3.0.0-M1</maven-deploy-plugin.version>
+
+        <nexus-staging-maven-plugin.version>1.6.7</nexus-staging-maven-plugin.version>
+        <maven-gpg-plugin.version>1.6</maven-gpg-plugin.version>
+
+        <commons-lang3.version>3.11</commons-lang3.version>
+        <commons-io.version>2.7</commons-io.version>
+        <gson.version>2.8.6</gson.version>
+        <junit.version>5.7.0</junit.version>
+        <mockito.version>3.6.0</mockito.version>
+    </properties>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>javax.servlet</groupId>
+                <artifactId>servlet-api</artifactId>
+                <version>${servlet-api.version}</version>
+                <scope>provided</scope>
+            </dependency>
+            <dependency>
+                <groupId>javax.servlet.jsp</groupId>
+                <artifactId>jsp-api</artifactId>
+                <version>${jsp-api.version}</version>
+                <scope>provided</scope>
+            </dependency>
+            <dependency>
+                <groupId>javax.servlet</groupId>
+                <artifactId>jstl</artifactId>
+                <version>${jstl.version}</version>
+                <scope>provided</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-lang3</artifactId>
+                <version>${commons-lang3.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>commons-io</groupId>
+                <artifactId>commons-io</artifactId>
+                <version>${commons-io.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.google.code.gson</groupId>
+                <artifactId>gson</artifactId>
+                <version>${gson.version}</version>
+            </dependency>
+
+            <dependency>
+                <groupId>org.junit.jupiter</groupId>
+                <artifactId>junit-jupiter-api</artifactId>
+                <version>${junit.version}</version>
+                <scope>test</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.junit.jupiter</groupId>
+                <artifactId>junit-jupiter-engine</artifactId>
+                <version>${junit.version}</version>
+                <scope>test</scope>
+            </dependency>
+
+            <dependency>
+                <groupId>org.mockito</groupId>
+                <artifactId>mockito-junit-jupiter</artifactId>
+                <version>${mockito.version}</version>
+                <scope>test</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.mockito</groupId>
+                <artifactId>mockito-inline</artifactId>
+                <version>${mockito.version}</version>
+                <scope>test</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-compiler-plugin</artifactId>
+                    <version>${maven-compiler-plugin.version}</version>
+                    <configuration>
+                        <fork>true</fork>
+                        <optimize>true</optimize>
+                        <showDeprecation>true</showDeprecation>
+                        <source>${java.version}</source>
+                        <target>${java.version}</target>
+                        <verbose>true</verbose>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-source-plugin</artifactId>
+                    <version>${maven-source-plugin.version}</version>
+                    <configuration>
+                        <encoding>UTF-8</encoding>
+                        <charset>UTF-8</charset>
+                        <attach>true</attach>
+                        <archive>
+                            <manifest>
+                                <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+                                <addDefaultSpecificationEntries>false</addDefaultSpecificationEntries>
+                            </manifest>
+                            <manifestEntries>
+                                <Url>${project.url}</Url>
+                            </manifestEntries>
+                        </archive>
+                    </configuration>
+                    <executions>
+                        <execution>
+                            <id>attach-sources</id>
+                            <phase>package</phase>
+                            <goals>
+                                <goal>jar-no-fork</goal>
+                            </goals>
+                        </execution>
+                    </executions>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-javadoc-plugin</artifactId>
+                    <version>${maven-javadoc-plugin.version}</version>
+                    <executions>
+                        <execution>
+                            <id>javadoc-jar</id>
+                            <phase>package</phase>
+                            <goals>
+                                <goal>jar</goal>
+                            </goals>
+                        </execution>
+                    </executions>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-jar-plugin</artifactId>
+                    <version>${maven-jar-plugin.version}</version>
+                    <configuration>
+                        <archive>
+                            <manifest>
+                                <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+                                <addDefaultSpecificationEntries>false</addDefaultSpecificationEntries>
+                            </manifest>
+                            <manifestEntries>
+                                <Url>${project.url}</Url>
+                            </manifestEntries>
+                        </archive>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-scm-plugin</artifactId>
+                    <version>${maven-scm-plugin.version}</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-release-plugin</artifactId>
+                    <version>${maven-release-plugin.version}</version>
+                    <configuration>
+                        <autoVersionSubmodules>true</autoVersionSubmodules>
+                        <localCheckout>true</localCheckout>
+                        <pushChanges>false</pushChanges>
+                        <mavenExecutorId>forked-path</mavenExecutorId>
+                        <arguments>-Dgpg.passphrase=${gpg.passphrase}</arguments>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.sonatype.plugins</groupId>
+                    <artifactId>nexus-staging-maven-plugin</artifactId>
+                    <version>${nexus-staging-maven-plugin.version}</version>
+                    <extensions>true</extensions>
+                    <executions>
+                        <execution>
+                            <id>default-deploy</id>
+                            <phase>deploy</phase>
+                            <goals>
+                                <goal>deploy</goal>
+                            </goals>
+                        </execution>
+                    </executions>
+                    <configuration>
+                        <serverId>ossrh</serverId> <!-- Must match the serverId from the settings.xml -->
+                        <nexusUrl>https://oss.sonatype.org/</nexusUrl>
+                        <autoReleaseAfterClose>false</autoReleaseAfterClose>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-deploy-plugin</artifactId>
+                    <version>${maven-deploy-plugin.version}</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-surefire-plugin</artifactId>
+                    <version>${maven-surefire-plugin.version}</version>
+                </plugin>
+            </plugins>
+        </pluginManagement>
+    </build>
+
+    <profiles>
+        <!-- GPG Signature on release -->
+        <profile>
+            <id>release-sign-artifacts</id>
+            <activation>
+                <property>
+                    <name>performRelease</name>
+                    <value>true</value>
+                </property>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-gpg-plugin</artifactId>
+                        <version>${maven-gpg-plugin.version}</version>
+                        <executions>
+                            <execution>
+                                <id>sign-artifacts</id>
+                                <phase>verify</phase>
+                                <goals>
+                                    <goal>sign</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
+</project>
diff --git a/readme.md b/readme.md
index dbf89ad..52d9497 100644
--- a/readme.md
+++ b/readme.md
@@ -1,77 +1,178 @@
-# IMPORTANT NOTICE
+<center>
+	<img src="csrfguard-test/csrfguard-test-jsp/src/main/webapp/owasp_logo.png"/>
+</center>
 
-We are working on new version of CSRFGuard including a lot of merge request with goood proposals and also a new code to fix known issues on XSS attacks that bypass CSRFGuard.
+# [OWASP CSRFGuard 4.0.0](https://owasp.org/www-project-csrfguard)
 
-## Target date for the new relase 4.0 : end of Q2 2020
-
-## We need your help. If you want to give few hours of your time to help us please contact me.
-
-# OWASP CSRFGuard 3.1.0 
-
-[http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project](http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project)
-
-BSD License, All rights reserved.
+[![License](https://img.shields.io/badge/license-BSD-4EB1BA.svg)](http://www.opensource.org/licenses/bsd-license.php)
+[![GitHub release](https://img.shields.io/github/release/OWASP/www-project-csrfguard)](https://github.com/OWASP/www-project-csrfguard/releases)
+[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship-brightgreen.svg)](https://owasp.org/projects#div-flagships)
 
 ## Overview
 
-Welcome to the home of the OWASP CSRFGuard Project! OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks. The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. When a user interacts with this HTML, CSRF prevention tokens (i.e. cryptographically random synchronizer tokens) are submitted with the corresponding HTTP request. It is the responsibility of OWASP CSRFGuard to ensure the token is present and is valid for the current HTTP request. Any attempt to submit a request to a protected resource without the correct corresponding token is viewed as a CSRF attack in progress and is discarded. Prior to discarding the request, CSRFGuard can be configured to take one or more actions such as logging aspects of the request and redirecting the user to a landing page. The latest release enhances this strategy to support the optional verification of HTTP requests submitted using Ajax as well as the optional verification of referrer headers.
+Welcome to the home of the OWASP CSRFGuard Project! OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
+The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. When a user interacts
+with this HTML, CSRF prevention tokens (i.e. cryptographically random synchronizer tokens) are submitted with the corresponding HTTP request. It is the responsibility of OWASP CSRFGuard to ensure the token is
+present and is valid for the current HTTP request. Any attempt to submit a request to a protected resource without the correct corresponding token is viewed as a CSRF attack in progress and is discarded. Prior
+to discarding the request, CSRFGuard can be configured to take one or more actions such as logging aspects of the request and redirecting the user to a landing page. The latest release enhances this strategy to
+support the optional verification of HTTP requests submitted using Ajax as well as the optional verification of referrer headers.
 
-## Project Lead
+## Project Leads
 
-The CSRFGuard project is run by Azzeddine RAMRAMI. He can be contacted at azzeddine.ramrami AT owasp.org.
-
-## License
-
-OWASP CSRFGuard 3.1.0 is offered under the [BSD license](http://www.opensource.org/licenses/bsd-license.php)
+The CSRFGuard project is run by [Azzeddine RAMRAMI](mailto:azzeddine.ramrami@owasp.org) and [Istvan ALBERT-TOTH](mailto:istvan.alberttoth@owasp.org).
 
 ## Using with Maven
-OWASP CSRFGuard 3.1.0 will be available on Maven Central.  Add the following dependency to your Maven POM file to use the library:
 
+Add the following dependency to your Maven POM file to use the library:
 
-```
+```xml
 <dependency>
     <groupId>org.owasp</groupId>
     <artifactId>csrfguard</artifactId>
-    <version>3.1.0</version>
+    <version>4.0.0</version>
+</dependency>
+
+<!-- Stateful web application support -->
+<dependency>
+	<groupId>org.owasp</groupId>
+	<artifactId>csrfguard-extension-session</artifactId>
+	<version>4.0.0</version>
+</dependency>
+
+<!-- JSP TAG support -->
+<dependency>
+	<groupId>org.owasp</groupId>
+	<artifactId>csrfguard-jsp-tags</artifactId>
+	<version>4.0.0</version>
 </dependency>
 ```
 
 ## Building the code
 
-1. Make sure that you have [Apache Maven](http://maven.apache.org/) 3.0.4 or higher installed;
-2. Make sure that you have [GPG](http://www.gnupg.org/) installed and a secret key generated with it;
-3. Clone this repository locally;
-4. Build the ```csrfguard``` project first as ```cd csrfguard``` followed by ```mvn clean install```;
-5. Build and run the ```csrfguard-test``` project as ```cd ../csrfguard-test``` followed by ```mvn clean package tomcat7:run```;
-6. Use a web browser to access ```http://localhost:8000``` to open the home page of the test project.
-
-## Uploading to the Maven Central repository
+1. Make sure you have [Apache Maven](http://maven.apache.org/) 3.0.4+ and JDK 1.8+ installed
+2. Clone this repository locally
+3. Build the project by running ```mvn clean install``` in the project root directory
+4. Build and run the test JSP web application by running one of the following commands:
+   ```shell
+   mvn pre-integration-test -Pdeploy-jsp-webapp -pl csrfguard-test/csrfguard-test-jsp
+   ```
+   ```bash
+   mvn -Pdeploy-jsp-webapp -pl csrfguard-test/csrfguard-test-jsp tomcat7:run
+   ```
+6. Optional: you can use ```mvnDebug``` to enable remote debugging, then connect your IDE to it (default port is 8000)
+7. Use a web browser to access ```http://localhost:8080``` to open the home page of the test project
+
+## Uploading to the Maven Central repository (for project leaders)
 
 1. Follow the [Sonatype Open-Source Project Maven Repository Usage Guide](https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide) to create a Sonatype user account;
 2. Next, [open a support request](https://issues.sonatype.org/browse/OSSRH) to get your newly created username added to the Maven groupId ```org.owasp```;
-3. Once the support request has been completed, follow the instructions in the Sonatype Maven repository usage guide mentioned above to upload new versions to the Maven Central repository.
-
-## Email List
-
-You can sign up for the OWASP CSRFGuard email list [here.]( https://lists.owasp.org/mailman/listinfo/owasp-csrfguard)
-
-## Last News
-
-An important security fix has been applied to the CSRFGuard version 3.0.
-
-
-Do a token pre-fetch on every page.
+3. The ticket must be approved by a CSRFGuard project leader or someone who already has permissions to deploy under the group and artifactId.
+4. Once the support request has been completed, follow the instructions in the Sonatype Maven repository usage guide mentioned above to upload new versions to the Maven Central repository.
 
-Instead of hard coding the CSRF token, we send a POST request to fetch the token and populate the JS variable.
+### GPG Key generation and distribution
+See: https://central.sonatype.org/publish/requirements/gpg/
 
-Thanks to Ahamed Nafeez <ahamednafeez@gmail.com> for this fix.
+```shell
+gpg --full-gen-key
+gpg --list-keys
+gpg --keyserver keys.gnupg.net --send-key <your_public_key_here> # you can define other supported key servers as well
+```
 
-## CSRFGuard in Maven Central
+### Example `.m2/settings.xml` snippet required for releasing:
+
+```xml
+<settings xmlns="https://maven.apache.org/SETTINGS/1.0.0"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="https://maven.apache.org/SETTINGS/1.0.0
+                      https://maven.apache.org/xsd/settings-1.0.0.xsd">
+    <servers>
+        <server>
+            <id>ossrh</id> <!-- the id must match with the repository id defined in distributionManagement -->
+            <username><!--your_oss_sonatype_username--></username>
+            <password><!--your_oss_sonatype_password--></password>
+        </server>
+    </servers>
+
+    <profiles>
+        <profile>
+            <id>ossrh</id>
+            <activation>
+                <activeByDefault>true</activeByDefault>
+            </activation>
+            <properties>
+                <gpg.passphrase><!--your_gpg_passphrase--></gpg.passphrase>
+            </properties>
+        </profile>
+    </profiles>
+</settings>
+```
 
-You can download a binary version from Maven Central here:
+### Deploying to OSS Sonatype / Maven Central
 
-https://oss.sonatype.org/#nexus-search;gav~~csrfguard~~~
+#### Deploy a `-SNAPSHOT` version:
+   ```shell
+   mvn clean deploy
+   ```
 
-Thanks to Trent Schmidt and Joel Orlina (JIRA)  for there help.
+#### Prepare a release:
+```shell
+mvn release:clean release:prepare
+```
+1. Set the version number you want to release in <_MAJOR.MINOR.PATCH_> format (e.g. `4.0.0`)
+2. Set the SCM release tag: (e.g. `4.0.0`)
+3. Set the new development version (e.g. `4.0.1`)
 
+#### Perform a release:
+```shell
+mvn release:perform
+```
+Check the created commits and tag to make sure everything looks as expected:
+   ```shell
+   git log
+   git show HEAD
+   git show HEAD^
+   git tag -l # list tags
+   ```
+#### Rollback a release:
+```shell
+mvn release:rollback # or "git reset HEAD^^ --hard"
+git tag -d <tag_name_to_delete>
+```
+#### Push the new release to :
+```shell
+git push origin master
+git push origin <tag_name>
+```
 
+### Maven repositories
+
+You can download pre-compiled versions from:
+
+* [Maven Central repository](https://search.maven.org/search?q=csrfguard)
+* [OSS Sonatype Nexus repository](https://oss.sonatype.org/#nexus-search;gav~~csrfguard~~~)
+
+## CSRFGuard 4.0.0 Release Notes
+
+* [Support for stateless web applications](https://github.com/aramrami/OWASP-CSRFGuard/issues/122)
+* [Apply "TokenPerPage" approach to AJAX](https://github.com/aramrami/OWASP-CSRFGuard/issues/123)
+* [Reduced code duplication](https://github.com/aramrami/OWASP-CSRFGuard/issues/127)
+* [Proper multi-module maven project structure](https://github.com/aramrami/OWASP-CSRFGuard/issues/128)
+* [The test JSP web application now relies on the latest development JavaScript code](https://github.com/aramrami/OWASP-CSRFGuard/issues/133)
+* [Improved code quality](https://github.com/aramrami/OWASP-CSRFGuard/issues/134)
+* [Addressing synchronous XMLHttpRequest deprecation](https://github.com/aramrami/OWASP-CSRFGuard/issues/137)
+* [Approach changed for master and page token retrieval](https://github.com/aramrami/OWASP-CSRFGuard/issues/139)
+* [Improved test coverage](https://github.com/aramrami/OWASP-CSRFGuard/issues/140)
+* [Better solution for looking up page tokens in the JS](https://github.com/aramrami/OWASP-CSRFGuard/issues/141)
+* [The javascript template is now parsable and minifiable](https://github.com/aramrami/OWASP-CSRFGuard/issues/142)
+* [Short-circuit the solution logic if CSRFGuard is disabled](https://github.com/aramrami/OWASP-CSRFGuard/issues/143)
+* [Do not generate page tokens for pages that are not protected](https://github.com/aramrami/OWASP-CSRFGuard/issues/144)
+* [Page tokens generated on first use are not sent back to the client](https://github.com/aramrami/OWASP-CSRFGuard/issues/145)
+* [Issue with the token-per-page support for REST endpoint containing path parameters](https://github.com/aramrami/OWASP-CSRFGuard/issues/146)
+* [Possible race condition on first access of endpoints when token-per-page and AJAX request options are enabled](https://github.com/aramrami/OWASP-CSRFGuard/issues/147)
+* [Tokens are not injected into dynamically created DOM elements ](https://github.com/aramrami/OWASP-CSRFGuard/issues/148)
+* [Make the configuration more resilient to errors](https://github.com/aramrami/OWASP-CSRFGuard/issues/149)
+* [Tokens should not be injected into external links if the domainStrict property is set to true](https://github.com/aramrami/OWASP-CSRFGuard/issues/150)
+* [Tokens not injected in dynamic content returned from Ajax](https://github.com/aramrami/OWASP-CSRFGuard/issues/151)
+* Heavily refactored, improved and more optimized code-base
+* Documentation update and typo fixes.
+* Copyright update and unification.
diff --git a/tab_example.md b/tab_example.md
deleted file mode 100644
index d29bc45..0000000
--- a/tab_example.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: Example
-layout:  null
-tab: true
-order: 1
-tags: example-tag
----
-
-## Example
-
-Put whatever you like here: news, screenshots, features, supporters, or remove this file and don't use tabs at all.
\ No newline at end of file
diff --git a/tab_features.md b/tab_features.md
index 5bd1d3e..b1bdbcc 100644
--- a/tab_features.md
+++ b/tab_features.md
@@ -7,23 +7,26 @@ tab: true
 tags: csrfguard
 
 ---
-# OWASP CSRFGuard 3.1.0
+# OWASP CSRFGuard 4.0.0
 
-![OWASP CSRFGuard 3.1.0](assets/images/csrfguard_3.1.0.png)
+![OWASP CSRFGuard 4.0.0](assets/images/csrfguard_3.1.0.png)
 
 # Some CSRGuard features
 
 ## Tags
-      <img src=“https://bank.com/fn?param=1”>
-      <iframe src=“https://bank.com/fn?param=1”>
-      <script src=“https://bank.com/fn?param=1”>
+```
+<img src=“https://bank.com/fn?param=1”>
+<iframe src=“https://bank.com/fn?param=1”>
+<script src=“https://bank.com/fn?param=1”>
+```
 
 ## Autoposting Forms
-      <body onload="document.forms[0].submit()">
-      <form method="POST" action=“https://bank.com/fn”>
-         <input type="hidden" name="sp" value="8109"/>
-      </form>
-
+```
+<body onload="document.forms[0].submit()">
+<form method="POST" action=“https://bank.com/fn”>
+   <input type="hidden" name="sp" value="8109"/>
+</form>
+```
 ## XmlHttpRequest
 Subject to same origin policy
 
diff --git a/tab_news.md b/tab_news.md
index ec67425..c7f5a7a 100644
--- a/tab_news.md
+++ b/tab_news.md
@@ -8,18 +8,8 @@ tags: csrfguard
 
 # Latest News
 
-We are working on new version of CSRFGuard including a lot of merge request with goood proposals and also a new code to fix known issues on XSS attacks that bypass CSRFGuard. See "CSFRGuard 4.0" tab for more information.
+We are working on a new version of CSRFGuard including a lot of merge request with good proposals and new code to fix known issues on XSS attacks that bypass CSRFGuard.
 
-## Target date for the new relase 4.0 : end of Q4 2021
+## Target date for the new release 4.0 : 2021
 
-We need your help. If you want to give few hours of your time to help us please contact me.
-
-## Important Security Fix
-
-An important security fix has been applied to the CSRFGuard version 3.0.
-
-Do a token pre-fetch on every page.
-
-Instead of hard coding the CSRF token, we send a POST request to fetch the token and populate the JS variable.
-
-Thanks to Ahamed Nafeez ahamednafeez@gmail.com for this fix.
+We need your help. If you want to give few hours of your time please reach out to us.
diff --git a/tab_roadmap.md b/tab_roadmap.md
index 1b257d0..83d9fde 100644
--- a/tab_roadmap.md
+++ b/tab_roadmap.md
@@ -15,7 +15,7 @@ We need first to create a complete set of installation guide for various Java Ap
 
 # CSRFGuard 4.0 features
 
-CSRFGuard 4.0 is under developpement. If you are Java développer and want to help as OWASP voloneteer please contact the project leader.
+CSRFGuard 4.0 is under development. If you are Java developer and want to help as OWASP volunteer please contact the project leaders.
 We will remove all CSRFGuard 3.1.0 limitations and release CSRFGuard 4.0
 
 ### The following roadmap will remove the following CSRFGuard 3.1.0 limitations:
@@ -23,9 +23,9 @@ We will remove all CSRFGuard 3.1.0 limitations and release CSRFGuard 4.0
 - CSRF Guard utilizes the external interface of Tomcat web server; it may not provide adequate protection for other web server applications (e.g. Internet Information Server IIS).
 - CSRF Guard can provide adequate protection against CSRF attacks; however, it can be compromised by server side vulnerabilities such as cross site scripting or client side vulnerabilities (session hijacking or clickjacking) or unintentional leverage token by unauthorized parties.
 - CSRF Guard makes the connection between a token and a session id to check the token validity, Because of this dependency on the session identifiers; it cannot defend against login CSRF attacks.
-- CSRF Guard filters input HTTP request by token pattern; therefore, it cannot check the input validation error, to effectively protect against CSRF attack, the developer needs to
+- CSRF Guard filters input HTTP requests by token pattern; therefore, it cannot check the input validation error, to effectively protect against CSRF attack, the developer needs to
 ensure the web application implements countermeasures to defense against cross scripting attacks.
 - Enhance Token Injection Process 
 - Add protection against Clickjacking
 - Add protection against Session Hijacking bypassing CSRFGuard
-- Add protection against XSS by passing CSFRGuard
+- Add protection against XSS by passing CSRFGuard
diff --git a/tab_supporters.md b/tab_supporters.md
index 8a23981..7515009 100644
--- a/tab_supporters.md
+++ b/tab_supporters.md
@@ -16,13 +16,3 @@ CSRFGuard is developed by a worldwide of volunteers in Morocco, France, India, C
 ## Special Thanks
 
 Thanks to Trent Schmidt and Joel Orlina (JIRA) for there help.
-
-## CSRFGuard integration with a JSF application
-Yi SONG create for CSRFGuard project a simple example to demostrate the CSRFGuard integration with a JSF application.
-
-The original JSF project is taken from https://mkyong.com/jsf2/jsf-2-0-hello-world-example/
-
-After integrating with csrfguard, the project has been tested on netbean 8.2 with glassfish 4.1.1
-
-Yi SONG Bio:
-Yi SONG received my master of engineering in China in 2006. Then I start work for Axalto, then Gemalto and then Thales till now. He has 3 years experience on smartcard development, 10 years experience on cryptography and hardware security module. Since end of 2018, his work is focusing on web application and cloud.