diff --git a/itest/web/itest-web.gradle b/itest/web/itest-web.gradle index 5747579623..d9e19962b6 100644 --- a/itest/web/itest-web.gradle +++ b/itest/web/itest-web.gradle @@ -7,31 +7,18 @@ dependencies { testCompile project(':spring-security-core'), project(':spring-security-web'), - project(':spring-security-taglibs'), + project(':spring-security-test'), "org.springframework:spring-beans:$springVersion", "org.springframework:spring-webmvc:$springVersion", - "org.mortbay.jetty:jetty-util:$jettyVersion", - "org.testng:testng:6.8.21" - testCompile ("org.mortbay.jetty:jetty:$jettyVersion") { - } - testCompile ('net.sourceforge.jwebunit:jwebunit-core:2.2') { - exclude group: 'javax.servlet', module: 'servlet-api' - exclude group: 'regexp', module: 'regexp' - } + "org.springframework:spring-test:$springVersion" testRuntime project(':spring-security-config'), - project(':spring-security-ldap'), - "org.mortbay.jetty:jsp-2.1-jetty:$jettyVersion", - testRuntime ('net.sourceforge.jwebunit:jwebunit-htmlunit-plugin:2.2') { - exclude group: 'javax.servlet', module: 'servlet-api' - } + project(':spring-security-ldap') } integrationTest { - useTestNG(); options { jvmArgs = ["-ea", '-Xms128m', '-Xmx500m'] - systemProperties = ['webapp.dir': "$projectDir/src/main/webapp"] } maxParallelForks = 1 } diff --git a/itest/web/src/integration-test/java/org/springframework/security/integration/AbstractWebServerIntegrationTests.java b/itest/web/src/integration-test/java/org/springframework/security/integration/AbstractWebServerIntegrationTests.java index 3421452aca..f022b97876 100644 --- a/itest/web/src/integration-test/java/org/springframework/security/integration/AbstractWebServerIntegrationTests.java +++ b/itest/web/src/integration-test/java/org/springframework/security/integration/AbstractWebServerIntegrationTests.java 
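Review bot: Removing `project(':spring-security-taglibs')` and the jwebunit/Jetty entries from `testCompile` coincides with the deletion of JspTaglibTests and InMemoryProviderWebAppTests further down, and no MockMvc replacement for them is visible in this diff. The module therefore stops checking HTML-escaped output of the authentication tag, the failed-login message, remember-me login and the SEC-1255 redirect. It is worth confirming these are covered elsewhere and recording it here, e.g. `// taglib escaping, remember-me and SEC-1255 flows are no longer covered by this module`. Separately, `useTestNG()` and `org.testng:testng` are removed while no JUnit dependency is added in the visible lines; presumably it comes from a shared build script, which a short comment could state.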
@@ -15,26 +15,14 @@ */ package org.springframework.security.integration; -import java.util.List; +import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity; -import javax.servlet.ServletContext; -import javax.servlet.http.Cookie; - -import net.sourceforge.jwebunit.junit.WebTester; - -import org.mortbay.jetty.Server; -import org.mortbay.jetty.servlet.ServletHolder; -import org.mortbay.jetty.webapp.WebAppContext; -import org.springframework.security.web.session.HttpSessionEventPublisher; -import org.springframework.util.StringUtils; -import org.springframework.web.context.ContextLoaderListener; -import org.springframework.web.context.WebApplicationContext; -import org.springframework.web.context.support.WebApplicationContextUtils; -import org.springframework.web.servlet.DispatcherServlet; -import org.testng.annotations.AfterClass; -import org.testng.annotations.AfterMethod; -import org.testng.annotations.BeforeClass; -import org.testng.annotations.BeforeMethod; +import org.junit.After; +import org.springframework.context.ConfigurableApplicationContext; +import org.springframework.mock.web.MockServletContext; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import org.springframework.web.context.support.XmlWebApplicationContext; /** * Base class which allows the application to be started with a particular Spring 
@@ -45,131 +33,29 @@ import org.testng.annotations.BeforeMethod; * @author Luke Taylor */ public abstract class AbstractWebServerIntegrationTests { - private Server server; - private final Object SERVER_LOCK = new Object(); - protected final WebTester tester = new WebTester(); + protected ConfigurableApplicationContext context; - /** - * Override to set the application context files that should be loaded or return null - * to use web.xml. - */ - protected abstract String getContextConfigLocations(); - - protected String getContextPath() { - return "/testapp"; - } - - @BeforeClass - public void startServer() throws Exception { - synchronized (SERVER_LOCK) { - if (server == null) { - // System.setProperty("DEBUG", "true"); - // System.setProperty("VERBOSE", "true"); - // System.setProperty("IGNORED", "true"); - server = new Server(0); - server.addHandler(createWebContext()); - server.start(); - } + @After + public void close() { + if(context != null) { + context.close(); } } - @SuppressWarnings("unchecked") - private WebAppContext createWebContext() { - String webappDir = System.getProperty("webapp.dir"); - - WebAppContext webCtx = new WebAppContext(webappDir == null ? "src/main/webapp" - : webappDir, getContextPath()); - - if (StringUtils.hasText(getContextConfigLocations())) { - webCtx.addEventListener(new ContextLoaderListener()); - webCtx.addEventListener(new HttpSessionEventPublisher()); - webCtx.getInitParams().put("contextConfigLocation", - getContextConfigLocations()); + protected final MockMvc createMockMvc(String... 
configLocations) throws Exception { + if(this.context != null) { + throw new IllegalStateException("context is already loaded"); } - ServletHolder servlet = new ServletHolder(); - servlet.setName("testapp"); - servlet.setClassName(DispatcherServlet.class.getName()); - webCtx.addServlet(servlet, "*.htm"); + XmlWebApplicationContext context = new XmlWebApplicationContext(); + context.setConfigLocations(configLocations); + context.setServletContext(new MockServletContext()); + context.refresh(); + this.context = context; - return webCtx; - } - - @AfterClass - public void stopServer() throws Exception { - synchronized (SERVER_LOCK) { - if (server != null) { - server.stop(); - } - server = null; - } - } - - @BeforeMethod - public void initializeTester() { - tester.getTestContext().setBaseUrl(getBaseUrl()); - } - - @AfterMethod - public void resetWebConversation() { - tester.closeBrowser(); - tester.setTestContext(null); - } - - protected final String getBaseUrl() { - int port = server.getConnectors()[0].getLocalPort(); - return "http://localhost:" + port + getContextPath() + "/"; - } - - protected final Object getBean(String beanName) { - return getAppContext().getBean(beanName); - } - - protected final WebApplicationContext getAppContext() { - ServletContext servletCtx = ((WebAppContext) server.getHandler()) - .getServletContext(); - WebApplicationContext appCtx = WebApplicationContextUtils - .getRequiredWebApplicationContext(servletCtx); - return appCtx; - } - - @SuppressWarnings("unchecked") - protected Cookie getRememberMeCookie() { - List cookies = (List) tester.getTestingEngine().getCookies(); - for (Cookie c : cookies) { - if (c.getName().equals("remember-me")) { - return c; - } - } - return null; - } - - protected final void submit() { - tester.submit(); - } - - protected final void beginAt(String url) { - tester.beginAt(url); - } - - protected final void setTextField(String name, String value) { - tester.setTextField(name, value); - } - - protected final void 
assertFormPresent() { - tester.assertFormPresent(); - } - - protected final void assertTextPresent(String text) { - tester.assertTextPresent(text); - } - - // Security-specific utility methods - - protected void login(String username, String password) { - assertFormPresent(); - setTextField("username", username); - setTextField("password", password); - submit(); + return MockMvcBuilders + .webAppContextSetup(context) + .apply(springSecurity()) + .build(); } } diff --git a/itest/web/src/integration-test/java/org/springframework/security/integration/BasicAuthenticationTests.java b/itest/web/src/integration-test/java/org/springframework/security/integration/BasicAuthenticationTests.java index 7da704dee7..81f5719f8c 100644 --- a/itest/web/src/integration-test/java/org/springframework/security/integration/BasicAuthenticationTests.java +++ b/itest/web/src/integration-test/java/org/springframework/security/integration/BasicAuthenticationTests.java 
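Review bot: `createMockMvc` has no Javadoc, and its contract is not obvious from the call sites. It can be called only once per test instance (a second call throws `IllegalStateException`), and the returned `MockMvc` applies `springSecurity()` on top of a `MockServletContext` rather than a servlet container. I would add a Javadoc stating both, and noting that container-level behaviour is not exercised by subclasses, including the `HttpSessionEventPublisher` listener that the removed `createWebContext()` registered. The local `XmlWebApplicationContext context` also shadows the `context` field right after `this.context` is tested; renaming it, e.g. `XmlWebApplicationContext webContext = new XmlWebApplicationContext();`, makes the final `this.context = webContext;` unambiguous. The class Javadoc begins outside this hunk and still describes starting the application, so it needs the same update.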
@@ -15,25 +15,29 @@ */ package org.springframework.security.integration; -import org.testng.annotations.Test; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import org.junit.Test; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder; public class BasicAuthenticationTests extends AbstractWebServerIntegrationTests { - @Override - protected String getContextConfigLocations() { - return "/WEB-INF/http-security-basic.xml /WEB-INF/in-memory-provider.xml"; + @Test + public void httpBasicWhenAuthenticationRequiredAndNotAuthenticatedThen401() throws Exception { + MockMvc mockMvc = createMockMvc("classpath:/spring/http-security-basic.xml", "classpath:/spring/in-memory-provider.xml", "classpath:/spring/testapp-servlet.xml"); + mockMvc.perform(get("secure/index")) + .andExpect(status().isUnauthorized()); } @Test - public void basicAuthenticationIsSuccessful() throws Exception { - tester.setIgnoreFailingStatusCodes(true); - beginAt("secure/index.html"); - // Ignore the 401 - tester.setIgnoreFailingStatusCodes(false); - tester.assertHeaderEquals("WWW-Authenticate", - "Basic realm=\"Spring Security Application\""); - tester.getTestContext().setAuthorization("johnc", "johncspassword"); - beginAt("secure/index.html"); + public void httpBasicWhenProvidedThen200() throws Exception { + MockMvc mockMvc = createMockMvc("classpath:/spring/http-security-basic.xml", "classpath:/spring/in-memory-provider.xml", "classpath:/spring/testapp-servlet.xml"); + MockHttpServletRequestBuilder request = get("/secure/index") + .with(httpBasic("johnc", "johncspassword")); + mockMvc.perform(request) + .andExpect(status().isOk()); } - } 
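Review bot: The unauthenticated case requests `get("secure/index")` without a leading slash while the authenticated case uses `get("/secure/index")`, so the 401 may be asserted for a different request path than the one the 200 test proves reachable; use `mockMvc.perform(get("/secure/index"))` in both. The same slash-less `get("secure/index")` is the first request in ConcurrentSessionManagementTests. The removed test also verified the challenge header, which the new one no longer does; `.andExpect(header().string("WWW-Authenticate", "Basic realm=\"Spring Security Application\""))` (with the matching static import) would keep that check. A third case sending `httpBasic("johnc", "wrong")` and expecting `status().isUnauthorized()` would pin the rejection path, which neither test covers.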
diff --git a/itest/web/src/integration-test/java/org/springframework/security/integration/ConcurrentSessionManagementTests.java b/itest/web/src/integration-test/java/org/springframework/security/integration/ConcurrentSessionManagementTests.java index 034017d7fb..2888be09ae 100644 --- a/itest/web/src/integration-test/java/org/springframework/security/integration/ConcurrentSessionManagementTests.java +++ b/itest/web/src/integration-test/java/org/springframework/security/integration/ConcurrentSessionManagementTests.java 
@@ -15,44 +15,93 @@ */ package org.springframework.security.integration; -import net.sourceforge.jwebunit.junit.WebTester; -import org.testng.annotations.Test; +import static org.assertj.core.api.Assertions.assertThat; +import static org.hamcrest.CoreMatchers.containsString; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf; +import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +import java.util.Collections; +import java.util.List; + +import org.junit.Test; +import org.springframework.mock.web.MockHttpSession; +import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.session.SessionDestroyedEvent; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.test.web.servlet.MvcResult; +import org.springframework.test.web.servlet.ResultHandler; +import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder; /** * @author Luke Taylor */ public class ConcurrentSessionManagementTests extends AbstractWebServerIntegrationTests { - protected String getContextConfigLocations() { - return "/WEB-INF/http-security-concurrency.xml /WEB-INF/in-memory-provider.xml"; - } - @Test public void maxConcurrentLoginsValueIsRespected() throws Exception { - System.out.println("Client: ******* First login ******* "); - beginAt("secure/index.html"); - login("jimi", "jimispassword"); - // Login again - System.out.println("Client: 
******* Second login ******* "); - WebTester tester2 = new WebTester(); - tester2.getTestContext().setBaseUrl(getBaseUrl()); - tester2.beginAt("secure/index.html"); - // seems to be a bug in checking for form here (it fails) - // tester2.assertFormPresent(); - tester2.setTextField("username", "jimi"); - tester2.setTextField("password", "jimispassword"); - // tester2.submit() also fails to detect the form - tester2.getTestingEngine().submit(); - tester2.assertTextPresent("Maximum sessions of 1 for this principal exceeded"); + final MockHttpSession session1 = new MockHttpSession(); + final MockHttpSession session2 = new MockHttpSession(); + + MockMvc mockMvc = createMockMvc("classpath:/spring/http-security-concurrency.xml","classpath:/spring/in-memory-provider.xml", "classpath:/spring/testapp-servlet.xml"); + + mockMvc.perform(get("secure/index").session(session1)) + .andExpect(status().is3xxRedirection()); + + MockHttpServletRequestBuilder login1 = login() + .session(session1); + mockMvc. 
+ perform(login1) + .andExpect(authenticated().withUsername("jimi")); + + + MockHttpServletRequestBuilder login2 = login() + .session(session2); + mockMvc.perform(login2) + .andExpect(redirectedUrl("/login.jsp?login_error=true")); + Exception exception = (Exception) session2.getAttribute("SPRING_SECURITY_LAST_EXCEPTION"); + assertThat(exception).isNotNull(); + assertThat(exception.getMessage()).contains("Maximum sessions of 1 for this principal exceeded"); // Now logout to kill first session - tester.gotoPage("/logout"); + mockMvc.perform(post("/logout").with(csrf())) + .andExpect(status().is3xxRedirection()) + .andDo(new ResultHandler() { + @SuppressWarnings("serial") + @Override + public void handle(MvcResult result) throws Exception { + context.publishEvent(new SessionDestroyedEvent(session1) { + @Override + public List getSecurityContexts() { + return Collections.emptyList(); + } + + @Override + public String getId() { + return session1.getId(); + } + }); + } + }); // Try second session again - tester2.setTextField("username", "jimi"); - tester2.setTextField("password", "jimispassword"); - // tester2.submit() also fails to detect the form - tester2.getTestingEngine().submit(); - tester2.assertTextPresent("A Secure Page"); + login2 = login() + .session(session2); + mockMvc.perform(login2) + .andExpect(authenticated().withUsername("jimi")); + + mockMvc.perform(get("/secure/index").session(session2)) + .andExpect(content().string(containsString("A Secure Page"))); + } + + private MockHttpServletRequestBuilder login() { + return post("/login") + .param("username", "jimi") + .param("password", "jimispassword") + .with(csrf()); } } diff --git a/itest/web/src/integration-test/java/org/springframework/security/integration/CustomConcurrentSessionManagementTests.java b/itest/web/src/integration-test/java/org/springframework/security/integration/CustomConcurrentSessionManagementTests.java deleted file mode 100644 index b088dc7418..0000000000 
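Review bot: The logout request `post("/logout").with(csrf())` is not bound to `session1`, so it runs on a fresh session and the slot is freed only by the hand-built `SessionDestroyedEvent` published in the `ResultHandler`. As written, the second login for `session2` would still succeed if logout did nothing to the first session, which is the behaviour the test is meant to guard. I would send `post("/logout").session(session1).with(csrf())` and, assuming the configured logout invalidates the session, assert `session1.isInvalid()` before publishing the event. A comment such as `// no HttpSessionEventPublisher is registered in this MockMvc setup, so publish the destroy event by hand` would explain why the anonymous `SessionDestroyedEvent` is there at all.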
--- a/itest/web/src/integration-test/java/org/springframework/security/integration/CustomConcurrentSessionManagementTests.java
+++ /dev/null
@@ -1,71 +0,0 @@ -/* - * Copyright 2002-2016 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.springframework.security.integration; - -import net.sourceforge.jwebunit.junit.WebTester; - -import static org.assertj.core.api.Assertions.*; - -import org.springframework.security.core.session.SessionRegistry; -import org.testng.annotations.Test; - -/** - * @author Luke Taylor - */ -public class CustomConcurrentSessionManagementTests extends - AbstractWebServerIntegrationTests { - - protected String getContextConfigLocations() { - return "/WEB-INF/http-security-custom-concurrency.xml /WEB-INF/in-memory-provider.xml"; - } - - @Test - public void maxConcurrentLoginsValueIsRespected() throws Exception { - beginAt("secure/index.html"); - login("jimi", "jimispassword"); - // Login again - System.out.println("Client: ******* Second login ******* "); - WebTester tester2 = new WebTester(); - tester2.getTestContext().setBaseUrl(getBaseUrl()); - tester2.beginAt("secure/index.html"); - tester2.setTextField("username", "jimi"); - tester2.setTextField("password", "jimispassword"); - tester2.setIgnoreFailingStatusCodes(true); - tester2.submit(); - assertThat(tester2.getServerResponse()).contains( - "Maximum sessions of 1 for this principal exceeded"); - } - - @Test - public void logoutClearsSessionRegistryAndAllowsSecondLogin() throws Exception { - beginAt("secure/index.html"); - login("bessie", "bessiespassword"); - 
SessionRegistry reg = getAppContext().getBean(SessionRegistry.class); - - tester.gotoPage("/logout"); - - // Login again - System.out.println("Client: ******* Second login ******* "); - WebTester tester2 = new WebTester(); - tester2.getTestContext().setBaseUrl(getBaseUrl()); - tester2.beginAt("secure/index.html"); - tester2.setTextField("username", "bessie"); - tester2.setTextField("password", "bessiespassword"); - tester2.setIgnoreFailingStatusCodes(true); - tester2.submit(); - assertThat(tester2.getServerResponse()).contains("A secure page"); - } -} diff --git a/itest/web/src/integration-test/java/org/springframework/security/integration/InMemoryProviderWebAppTests.java b/itest/web/src/integration-test/java/org/springframework/security/integration/InMemoryProviderWebAppTests.java deleted file mode 100644 index b92dee4082..0000000000 --- a/itest/web/src/integration-test/java/org/springframework/security/integration/InMemoryProviderWebAppTests.java +++ /dev/null 
@@ -1,89 +0,0 @@ -/* - * Copyright 2002-2016 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.springframework.security.integration; - - -import static org.assertj.core.api.Assertions.*; - -import javax.servlet.http.Cookie; - -import org.testng.annotations.Test; - -/** - * @author Luke Taylor - */ -public class InMemoryProviderWebAppTests extends AbstractWebServerIntegrationTests { - - protected String getContextConfigLocations() { - return "/WEB-INF/http-security.xml /WEB-INF/in-memory-provider.xml"; - } - - @Test - public void loginFailsWithinvalidPassword() { - beginAt("secure/index.html"); - login("jimi", "wrongPassword"); - assertTextPresent("Your login attempt was not successful"); - } - - @Test - public void loginSucceedsWithCorrectPassword() { - beginAt("secure/index.html"); - login("jimi", "jimispassword"); - assertTextPresent("A Secure Page"); - tester.gotoPage("/logout"); - } - - @Test - public void basicAuthenticationIsSuccessful() throws Exception { - tester.getTestContext().setAuthorization("johnc", "johncspassword"); - beginAt("secure/index.html"); - beginAt("secure/index.html"); - } - - /* - * Checks use of with parameters in the secured page. 
- */ - @Test - public void savedRequestWithJspIncludeSeesCorrectParams() { - beginAt("secure/secure1.jsp?x=0"); - login("jimi", "jimispassword"); - // Included JSP has params ?x=1&y=2 - assertTextPresent("Params: x=1, y=2"); - assertTextPresent("xcount=2"); - } - - // SEC-1255 - @Test - public void redirectToUrlWithSpecialCharsInFilenameWorksOk() throws Exception { - beginAt("secure/file%3Fwith%3Fspecial%3Fchars.htm?someArg=1"); - login("jimi", "jimispassword"); - assertTextPresent("I'm file?with?special?chars.htm"); - } - - @Test - public void persistentLoginIsSuccesful() throws Exception { - beginAt("secure/index.html"); - tester.checkCheckbox("remember-me"); - login("jimi", "jimispassword"); - Cookie rememberMe = getRememberMeCookie(); - assertThat(rememberMe).isNotNull(); - tester.closeBrowser(); - - tester.getTestContext().addCookie(rememberMe); - beginAt("secure/index.html"); - assertTextPresent("A Secure Page"); - } -} diff --git a/itest/web/src/integration-test/java/org/springframework/security/integration/JspTaglibTests.java b/itest/web/src/integration-test/java/org/springframework/security/integration/JspTaglibTests.java deleted file mode 100644 index d550e80fa5..0000000000 --- a/itest/web/src/integration-test/java/org/springframework/security/integration/JspTaglibTests.java +++ /dev/null 
@@ -1,60 +0,0 @@ -/* - * Copyright 2002-2016 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.springframework.security.integration; - - -import static org.assertj.core.api.Assertions.*; - -import org.testng.annotations.Test; - -/** - * - * @author Luke Taylor - */ -public final class JspTaglibTests extends AbstractWebServerIntegrationTests { - - @Override - protected String getContextConfigLocations() { - return "/WEB-INF/http-security.xml /WEB-INF/in-memory-provider.xml"; - } - - @Test - public void authenticationTagEscapingWorksCorrectly() { - beginAt("secure/authenticationTagTestPage.jsp"); - login("theescapist<>&.", "theescapistspassword"); - String response = tester.getServerResponse(); - assertThat(response) - .contains("This is the unescaped authentication name: theescapist<>&."); - assertThat(response) - .contains("This is the unescaped principal.username: theescapist<>&."); - assertThat(response) - .contains("This is the authentication name: theescapist<>&."); - assertThat(response) - .contains("This is the principal.username: theescapist<>&."); - } - - @Test - public void authorizationTagEvaluatesExpressionCorrectlyAndWritesValueToVariable() { - beginAt("secure/authorizationTagTestPage.jsp"); - login("bessie", "bessiespassword"); - String response = tester.getServerResponse(); - assertThat(response) - .contains("Users can see this and 'allowed' variable is true."); - 
assertThat(response).doesNotContain("Role X users (nobody) can see this."); - assertThat(response).contains("Role X expression evaluates to false"); - } - -} diff --git a/itest/web/src/integration-test/java/org/springframework/security/integration/LdapWebAppTests.java b/itest/web/src/integration-test/java/org/springframework/security/integration/LdapWebAppTests.java deleted file mode 100644 index 2e66704bf1..0000000000 --- a/itest/web/src/integration-test/java/org/springframework/security/integration/LdapWebAppTests.java +++ /dev/null @@ -1,34 +0,0 @@ -/* - * Copyright 2002-2016 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.springframework.security.integration; - -import org.testng.annotations.*; - -/** - * @author Luke Taylor - */ -public class LdapWebAppTests extends AbstractWebServerIntegrationTests { - - protected String getContextConfigLocations() { - return "/WEB-INF/http-security.xml /WEB-INF/ldap-provider.xml"; - } - - @Test - public void doSomething() { - - } - -} diff --git a/itest/web/src/main/webapp/WEB-INF/http-security-basic.xml b/itest/web/src/integration-test/resources/spring/http-security-basic.xml similarity index 100% rename from itest/web/src/main/webapp/WEB-INF/http-security-basic.xml rename to itest/web/src/integration-test/resources/spring/http-security-basic.xml 
diff --git a/itest/web/src/main/webapp/WEB-INF/http-security-concurrency.xml b/itest/web/src/integration-test/resources/spring/http-security-concurrency.xml similarity index 100% rename from itest/web/src/main/webapp/WEB-INF/http-security-concurrency.xml rename to itest/web/src/integration-test/resources/spring/http-security-concurrency.xml diff --git a/itest/web/src/main/webapp/WEB-INF/http-security.xml b/itest/web/src/integration-test/resources/spring/http-security.xml similarity index 98% rename from itest/web/src/main/webapp/WEB-INF/http-security.xml rename to itest/web/src/integration-test/resources/spring/http-security.xml index 9d31e84f4a..94789db78c 100644 --- a/itest/web/src/main/webapp/WEB-INF/http-security.xml +++ b/itest/web/src/integration-test/resources/spring/http-security.xml @@ -27,8 +27,6 @@ - - diff --git a/itest/web/src/main/webapp/WEB-INF/in-memory-provider.xml b/itest/web/src/integration-test/resources/spring/in-memory-provider.xml similarity index 100% rename from itest/web/src/main/webapp/WEB-INF/in-memory-provider.xml rename to itest/web/src/integration-test/resources/spring/in-memory-provider.xml diff --git a/itest/web/src/main/webapp/WEB-INF/testapp-servlet.xml b/itest/web/src/integration-test/resources/spring/testapp-servlet.xml similarity index 100% rename from itest/web/src/main/webapp/WEB-INF/testapp-servlet.xml rename to itest/web/src/integration-test/resources/spring/testapp-servlet.xml diff --git a/itest/web/src/main/java/org/springframework/security/itest/web/TestController.java b/itest/web/src/main/java/org/springframework/security/itest/web/TestController.java index d7f111f9c1..6b0e8823db 100644 --- a/itest/web/src/main/java/org/springframework/security/itest/web/TestController.java +++ b/itest/web/src/main/java/org/springframework/security/itest/web/TestController.java 
@@ -17,18 +17,27 @@ package org.springframework.security.itest.web; import java.io.IOException; -import javax.servlet.http.HttpServletResponse; - -import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; -@Controller +@RestController public class TestController { @RequestMapping(value = "/secure/file?with?special?chars.htm", method = RequestMethod.GET) - public void sec1255TestUrl(HttpServletResponse response) throws IOException { - response.getWriter().append("I'm file?with?special?chars.htm"); + public String sec1255TestUrl() throws IOException { + return "I'm file?with?special?chars.htm"; } + @RequestMapping("/") + public String home() { + return "home"; + } + + @RequestMapping("/secure/index") + @ResponseBody + public String secure() { + return "A Secure Page"; + } } diff --git a/itest/web/src/main/webapp/META-INF/MANIFEST.MF b/itest/web/src/main/webapp/META-INF/MANIFEST.MF deleted file mode 100644 index 5e9495128c..0000000000 --- a/itest/web/src/main/webapp/META-INF/MANIFEST.MF +++ /dev/null @@ -1,3 +0,0 @@ -Manifest-Version: 1.0 -Class-Path: - diff --git a/itest/web/src/main/webapp/WEB-INF/http-security-custom-concurrency.xml b/itest/web/src/main/webapp/WEB-INF/http-security-custom-concurrency.xml deleted file mode 100644 index caf9f7b5d5..0000000000 --- a/itest/web/src/main/webapp/WEB-INF/http-security-custom-concurrency.xml +++ /dev/null @@ -1,56 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/itest/web/src/main/webapp/WEB-INF/ldap-provider.xml b/itest/web/src/main/webapp/WEB-INF/ldap-provider.xml deleted file mode 100644 index 5cfbcb4a1d..0000000000 --- a/itest/web/src/main/webapp/WEB-INF/ldap-provider.xml +++ /dev/null 
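Review bot: `sec1255TestUrl` is kept, but the only test visible in this diff that requested it, `redirectToUrlWithSpecialCharsInFilenameWorksOk` in InMemoryProviderWebAppTests, is deleted, so the SEC-1255 regression check for a saved request containing encoded `?` characters appears to have no caller left. Either port that test to MockMvc or remove the handler so it does not look covered. The method also still declares `throws IOException` although it now only returns a string; it can become `public String sec1255TestUrl() {`, and the `java.io.IOException` import can go with it. `@ResponseBody` on `secure()` is redundant under `@RestController` and inconsistent with the other two handlers.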
@@ -1,22 +0,0 @@ - - - - - - - - - - - - - - - diff --git a/itest/web/src/main/webapp/WEB-INF/security.tld b/itest/web/src/main/webapp/WEB-INF/security.tld deleted file mode 100644 index 01961e8968..0000000000 --- a/itest/web/src/main/webapp/WEB-INF/security.tld +++ /dev/null 
@@ -1,150 +0,0 @@ - - - - Spring Security Authorization Tag Library - - 3.1 - security - http://www.springframework.org/security/tags - - - - A tag which outputs the body of the tag if the configured access expression - evaluates to true for the currently authenticated principal. - - authorize - org.springframework.security.taglibs.authz.JspAuthorizeTag - JSP - - - - A Spring-EL expression which is supported by the WebSecurityExpressionHandler - in the application context. The latter will be used to evaluate the expression. - - access - false - true - - - - - A URL within the application. If the user has access to this URL (as determined by - the AccessDecisionManager), the tag body will be evaluated. If not, it will - be skipped. - - url - false - true - - - - - Can optionally be used to narrow down the HTTP method (typically GET or POST) to which the URL - applies to. Only has any meaning when used in combination with the "url" attribute. - - method - false - false - - - - - A page scoped variable into which the boolean result of the tag evaluation will be written, allowing the - same condition to be reused subsequently in the page without re-evaluation. - - var - false - false - - - - - - - Allows access to the current Authentication object. - - authentication - org.springframework.security.taglibs.authz.AuthenticationTag - empty - - - - Property of the Authentication object which should be output. Supports nested - properties. For example if the principal object is an instance of UserDetails, - the property "principal.username" will return the username. Alternatively, using - "name" will call getName method on the Authentication object directly. - - property - true - true - - - - Name of the exported scoped variable which will contain the - evaluated property of the Authentication object. - - var - false - false - - - - Set HTML escaping for this tag, as a boolean value. - - htmlEscape - false - true - - - - Scope for var. 
- - scope - false - false - - - - - - Allows inclusion of a tag body if the current Authentication - has one of the specified permissions to the presented - domain object instance. - - accesscontrollist - org.springframework.security.taglibs.authz.AccessControlListTag - JSP - - - - A comma separated list of permissions, which will be converted to - Permission instances by the configured PermissionFactory. - - hasPermission - true - true - - - - The actual domain object instance for which permissions - are being evaluated. - - domainObject - true - true - - - - A page scoped variable into which the boolean result of the tag evaluation will be written, allowing the - same condition to be reused subsequently in the page without re-evaluation. - - var - false - false - - - - diff --git a/itest/web/src/main/webapp/WEB-INF/web.xml b/itest/web/src/main/webapp/WEB-INF/web.xml deleted file mode 100644 index cb136efed5..0000000000 --- a/itest/web/src/main/webapp/WEB-INF/web.xml +++ /dev/null @@ -1,21 +0,0 @@ - - - - - - Integration Tests Webapp - - - springSecurityFilterChain - org.springframework.web.filter.DelegatingFilterProxy - - - - springSecurityFilterChain - /* - - - - - diff --git a/itest/web/src/main/webapp/login.jsp b/itest/web/src/main/webapp/login.jsp deleted file mode 100644 index a14630fa6b..0000000000 --- a/itest/web/src/main/webapp/login.jsp +++ /dev/null @@ -1,31 +0,0 @@ - - - - - Custom Spring Security Login - - - -

Custom Spring Security Login

- -<% - if (request.getParameter("login_error") != null) { -%> -Your login attempt was not successful, try again. ${SPRING_SECURITY_LAST_EXCEPTION.message}

-<% - } -%> - -
- - - - - - -
User:
Password:
Don't ask for my password for two weeks
-
- - - - diff --git a/itest/web/src/main/webapp/secure/authenticationTagTestPage.jsp b/itest/web/src/main/webapp/secure/authenticationTagTestPage.jsp deleted file mode 100644 index 9137061d27..0000000000 --- a/itest/web/src/main/webapp/secure/authenticationTagTestPage.jsp +++ /dev/null @@ -1,17 +0,0 @@ -<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> - - -

Authentication Tag Test Page

- -
    -
  • This is the authentication name:
  • -
  • This is the principal.username:
  • -
  • This is the unescaped authentication name:
  • -
  • This is the unescaped principal.username:
  • - -
- - - - - diff --git a/itest/web/src/main/webapp/secure/authorizationTagTestPage.jsp b/itest/web/src/main/webapp/secure/authorizationTagTestPage.jsp deleted file mode 100644 index b2beb7667c..0000000000 --- a/itest/web/src/main/webapp/secure/authorizationTagTestPage.jsp +++ /dev/null @@ -1,21 +0,0 @@ -<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> - - -

Authorization Tag Test Page

- - -Users can see this and 'allowed' variable is ${allowed}. - - - -Role X users (nobody) can see this. - - -Role X expression evaluates to ${allowed}. - - - - - - - diff --git a/itest/web/src/main/webapp/secure/index.html b/itest/web/src/main/webapp/secure/index.html deleted file mode 100644 index a74431b097..0000000000 --- a/itest/web/src/main/webapp/secure/index.html +++ /dev/null @@ -1,12 +0,0 @@ - - - - - A secure page - - - A Secure Page. - - \ No newline at end of file diff --git a/itest/web/src/main/webapp/secure/secure1.jsp b/itest/web/src/main/webapp/secure/secure1.jsp deleted file mode 100644 index 250567a1d0..0000000000 --- a/itest/web/src/main/webapp/secure/secure1.jsp +++ /dev/null @@ -1,15 +0,0 @@ - - - - - A secure page - - - - - - - - \ No newline at end of file diff --git a/itest/web/src/main/webapp/secure/secure1body.jsp b/itest/web/src/main/webapp/secure/secure1body.jsp deleted file mode 100644 index 1c68bc82f4..0000000000 --- a/itest/web/src/main/webapp/secure/secure1body.jsp +++ /dev/null @@ -1,2 +0,0 @@ -Params: x=<%= request.getParameter("x") %>, y=<%= request.getParameter("y") %> -xcount=<%= request.getParameterValues("x").length %>