diff --git a/Dockerfile b/Dockerfile
index fdc0f4ff2..5d530644c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,6 +27,8 @@ ENTRYPOINT [ "java", \
    "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
    "--add-opens", "java.base/java.io=ALL-UNNAMED", \
    "--add-opens", "java.base/java.util=ALL-UNNAMED", \
+   "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
+   "--add-opens", "java.base/java.io=ALL-UNNAMED", \
    "-Drunning.in.docker=true", \
    "-Dwebgoat.host=0.0.0.0", \
    "-Dwebwolf.host=0.0.0.0", \
diff --git a/FAQ.md b/FAQ.md
new file mode 100644
index 000000000..3e2968344
--- /dev/null
+++ b/FAQ.md
@@ -0,0 +1,8 @@
+# FAQ for development
+
+## Introduction
+
+### Integration tests fail
+
+Try to run the command in the console `java -jar ...` and remove `-Dlogging.pattern.console=` from the command line.
+
diff --git a/pom.xml b/pom.xml
index 299853095..10e64c12a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,13 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>2.7.1</version>
+    <version>3.0.5</version>
   </parent>
+
   <groupId>org.owasp.webgoat</groupId>
   <artifactId>webgoat</artifactId>
   <version>2023.5-SNAPSHOT</version>
@@ -27,6 +27,7 @@
       <url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
     </license>
   </licenses>
+
   <developers>
     <developer>
       <id>mayhew64</id>
@@ -94,7 +95,6 @@
       <archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive>
     </mailingList>
   </mailingLists>
-
   <scm>
     <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
     <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
@@ -110,7 +110,8 @@
   <properties>
     <!-- Shared properties with plugins and version numbers across submodules-->
     <asciidoctorj.version>2.5.3</asciidoctorj.version>
-    <bootstrap.version>5.2.3</bootstrap.version>
+    <!-- Upgrading needs UI work in WebWolf -->
+    <bootstrap.version>3.3.7</bootstrap.version>
     <cglib.version>3.3.0</cglib.version>
     <!-- do not update necessary for lesson -->
     <checkstyle.version>3.2.1</checkstyle.version>
@@ -121,6 +122,7 @@
     <guava.version>31.1-jre</guava.version>
     <jacoco.version>0.8.10</jacoco.version>
     <java.version>17</java.version>
+    <jaxb.version>2.3.1</jaxb.version>
     <jjwt.version>0.9.1</jjwt.version>
     <jose4j.version>0.9.3</jose4j.version>
     <jquery.version>3.5.1</jquery.version>
@@ -137,7 +139,7 @@
     <!-- Use UTF-8 Encoding -->
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
+    <thymeleaf.version>3.1.1.RELEASE</thymeleaf.version>
     <webdriver.version>5.3.2</webdriver.version>
     <webgoat.port>8080</webgoat.port>
     <webwolf.port>9090</webwolf.port>
@@ -250,7 +252,6 @@
       </dependency>
     </dependencies>
   </dependencyManagement>
-
   <dependencies>
     <dependency>
       <groupId>org.apache.commons</groupId>
@@ -269,6 +270,7 @@
     <dependency>
       <groupId>javax.xml.bind</groupId>
       <artifactId>jaxb-api</artifactId>
+      <version>${jaxb.version}</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
@@ -310,7 +312,11 @@
     </dependency>
     <dependency>
       <groupId>org.thymeleaf.extras</groupId>
-      <artifactId>thymeleaf-extras-springsecurity5</artifactId>
+      <artifactId>thymeleaf-extras-springsecurity6</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>jakarta.servlet</groupId>
+      <artifactId>jakarta.servlet-api</artifactId>
     </dependency>
     <dependency>
       <groupId>org.hsqldb</groupId>
@@ -369,8 +375,13 @@
       <artifactId>jquery</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.glassfish.jaxb</groupId>
-      <artifactId>jaxb-runtime</artifactId>
+      <groupId>jakarta.xml.bind</groupId>
+      <artifactId>jakarta.xml.bind-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.sun.xml.bind</groupId>
+      <artifactId>jaxb-impl</artifactId>
+      <scope>runtime</scope>
     </dependency>
 
     <dependency>
@@ -386,6 +397,7 @@
     <dependency>
       <groupId>com.github.tomakehurst</groupId>
       <artifactId>wiremock</artifactId>
+      <version>3.0.0-beta-2</version>
       <scope>test</scope>
     </dependency>
     <dependency>
@@ -393,6 +405,11 @@
       <artifactId>rest-assured</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-properties-migrator</artifactId>
+      <scope>runtime</scope>
+    </dependency>
   </dependencies>
 
   <repositories>
@@ -490,7 +507,8 @@
           <argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
           --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
           --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
-          --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED</argLine>
+          --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
+          --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED</argLine>
           <excludes>
             <exclude>**/*IntegrationTest.java</exclude>
             <exclude>src/it/java</exclude>
@@ -678,6 +696,10 @@
                     <argument>java.base/java.io=ALL-UNNAMED</argument>
                     <argument>--add-opens</argument>
                     <argument>java.base/java.util=ALL-UNNAMED</argument>
+                    <argument>--add-opens</argument>
+                    <argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
+                    <argument>--add-opens</argument>
+                    <argument>java.base/java.io=ALL-UNNAMED</argument>
                     <argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
                   </arguments>
                   <waitForInterrupt>false</waitForInterrupt>
diff --git a/src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java b/src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java
index e791634ea..c53be61f8 100644
--- a/src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java
@@ -5,7 +5,6 @@ import static org.junit.jupiter.api.DynamicTest.dynamicTest;
 import io.restassured.RestAssured;
 import java.util.Arrays;
 import java.util.Map;
-import lombok.SneakyThrows;
 import org.apache.commons.lang3.StringUtils;
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.AfterEach;
@@ -16,7 +15,6 @@ import org.junit.jupiter.api.TestFactory;
 public class PasswordResetLessonIntegrationTest extends IntegrationTest {
 
   @BeforeEach
-  @SneakyThrows
   public void init() {
     startLesson("/PasswordReset");
   }
diff --git a/src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java b/src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java
index 016f6b35d..1228f913c 100644
--- a/src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java
@@ -29,9 +29,9 @@ public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
               .relaxedHTTPSValidation()
               .cookie("JSESSIONID", getWebGoatCookie())
               .formParams(Map.of("flag", "test"))
-              .post(url("/challenge/flag/"));
+              .post(url("/challenge/flag"));
         };
-    ExecutorService executorService = Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS);
+    ExecutorService executorService = Executors.newFixedThreadPool(NUMBER_OF_PARALLEL_THREADS);
     List<? extends Callable<Response>> flagCalls =
         IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList());
     var responses = executorService.invokeAll(flagCalls);
diff --git a/src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java b/src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
index 1ed96e146..98a3eab0f 100644
--- a/src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
+++ b/src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
@@ -27,10 +27,10 @@
  */
 package org.owasp.webgoat.container;
 
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 
diff --git a/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java b/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
index 723e8cb7c..a496a0acb 100644
--- a/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
+++ b/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
@@ -33,6 +33,7 @@ package org.owasp.webgoat.container;
 import static org.asciidoctor.Asciidoctor.Factory.create;
 
 import io.undertow.util.Headers;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -41,7 +42,6 @@ import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
-import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
@@ -60,7 +60,7 @@ import org.thymeleaf.templateresource.StringTemplateResource;
  * Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file:
  *
  * <p><code>
- * <div th:replace="doc:AccessControlMatrix_plan.adoc"></div>
+ * <div th:replace="~{doc:AccessControlMatrix_plan.adoc}"></div>
  * </code>
  */
 @Slf4j
diff --git a/src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java b/src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
index ef54ff007..65d0b144e 100644
--- a/src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
@@ -50,12 +50,13 @@ public class DatabaseConfiguration {
   }
 
   @Bean
-  public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
+  public Function<String, Flyway> flywayLessons() {
     return schema ->
         Flyway.configure()
             .configuration(Map.of("driver", properties.getDriverClassName()))
             .schemas(schema)
-            .dataSource(lessonDataSource)
+            .cleanDisabled(false)
+            .dataSource(dataSource())
             .locations("lessons")
             .load();
   }
diff --git a/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java b/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
index 114157a90..94353be2f 100644
--- a/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
@@ -56,10 +56,10 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
 import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 import org.thymeleaf.IEngineConfiguration;
-import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
-import org.thymeleaf.spring5.SpringTemplateEngine;
-import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
-import org.thymeleaf.spring5.view.ThymeleafViewResolver;
+import org.thymeleaf.extras.springsecurity6.dialect.SpringSecurityDialect;
+import org.thymeleaf.spring6.SpringTemplateEngine;
+import org.thymeleaf.spring6.templateresolver.SpringResourceTemplateResolver;
+import org.thymeleaf.spring6.view.ThymeleafViewResolver;
 import org.thymeleaf.templatemode.TemplateMode;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
 import org.thymeleaf.templateresolver.ITemplateResolver;
diff --git a/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java b/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
index 59084aa2f..3621ce707 100644
--- a/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
@@ -37,50 +37,49 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
 
 /** Security configuration for WebGoat. */
 @Configuration
 @AllArgsConstructor
 @EnableWebSecurity
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
 
   private final UserService userDetailsService;
 
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
-    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
-        http.authorizeRequests()
-            .antMatchers(
-                "/css/**",
-                "/images/**",
-                "/js/**",
-                "fonts/**",
-                "/plugins/**",
-                "/registration",
-                "/register.mvc",
-                "/actuator/**")
-            .permitAll()
-            .anyRequest()
-            .authenticated();
-    security
-        .and()
-        .formLogin()
+  @Bean
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests(
+        auth ->
+            auth.requestMatchers(
+                    "/css/**",
+                    "/images/**",
+                    "/js/**",
+                    "fonts/**",
+                    "/plugins/**",
+                    "/registration",
+                    "/register.mvc",
+                    "/actuator/**")
+                .permitAll()
+                .anyRequest()
+                .authenticated());
+    http.formLogin()
         .loginPage("/login")
         .defaultSuccessUrl("/welcome.mvc", true)
         .usernameParameter("username")
         .passwordParameter("password")
         .permitAll();
-    security.and().logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
-    security.and().csrf().disable();
+    http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
+    http.csrf().disable();
 
     http.headers().cacheControl().disable();
     http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
+    return http.build();
   }
 
   @Autowired
@@ -89,15 +88,14 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
   }
 
   @Bean
-  @Override
-  public UserDetailsService userDetailsServiceBean() throws Exception {
+  public UserDetailsService userDetailsServiceBean() {
     return userDetailsService;
   }
 
-  @Override
   @Bean
-  protected AuthenticationManager authenticationManager() throws Exception {
-    return super.authenticationManager();
+  public AuthenticationManager authenticationManager(
+      AuthenticationConfiguration authenticationConfiguration) throws Exception {
+    return authenticationConfiguration.getAuthenticationManager();
   }
 
   @SuppressWarnings("deprecation")
diff --git a/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java b/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
index 9ab0fac86..8456d6dbe 100644
--- a/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
@@ -1,8 +1,8 @@
 package org.owasp.webgoat.container.asciidoc;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
 import org.springframework.web.context.request.RequestContextHolder;
diff --git a/src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java b/src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
index 4e76af9d6..aa3cd40ce 100644
--- a/src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
@@ -75,7 +75,8 @@ public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
     } else {
       userTracker.assignmentFailed(webSession.getCurrentLesson());
     }
-    userTrackerRepository.saveAndFlush(userTracker);
+    userTrackerRepository.save(userTracker);
+
     return attackResult;
   }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/controller/StartLesson.java b/src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
index 7d94f6044..3cdd5e8d6 100644
--- a/src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
+++ b/src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
@@ -31,7 +31,7 @@
  */
 package org.owasp.webgoat.container.controller;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.session.Course;
 import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.stereotype.Controller;
diff --git a/src/main/java/org/owasp/webgoat/container/controller/Welcome.java b/src/main/java/org/owasp/webgoat/container/controller/Welcome.java
index fddc5f640..0bebc9e70 100644
--- a/src/main/java/org/owasp/webgoat/container/controller/Welcome.java
+++ b/src/main/java/org/owasp/webgoat/container/controller/Welcome.java
@@ -29,8 +29,8 @@
  */
 package org.owasp.webgoat.container.controller;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.servlet.ModelAndView;
@@ -49,7 +49,7 @@ public class Welcome {
   /**
    * welcome.
    *
-   * @param request a {@link javax.servlet.http.HttpServletRequest} object.
+   * @param request a {@link jakarta.servlet.http.HttpServletRequest} object.
    * @return a {@link org.springframework.web.servlet.ModelAndView} object.
    */
   @GetMapping(path = {"welcome.mvc"})
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/Assignment.java b/src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
index 92e8d0e9e..3c3c89d6d 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
@@ -1,9 +1,14 @@
 package org.owasp.webgoat.container.lessons;
 
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.Transient;
 import java.util.ArrayList;
 import java.util.List;
-import javax.persistence.*;
-import lombok.*;
+import lombok.EqualsAndHashCode;
+import lombok.Getter;
 
 /**
  * ************************************************************************************************
@@ -41,7 +46,7 @@ import lombok.*;
 public class Assignment {
 
   @Id
-  @GeneratedValue(strategy = GenerationType.AUTO)
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
   private Long id;
 
   private String name;
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java b/src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
index 3b90c963d..a8f586d56 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
@@ -4,15 +4,13 @@ import java.lang.reflect.InvocationHandler;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.sql.Connection;
-import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 /**
  * Handler which sets the correct schema for the currently bounded user. This way users are not
- * seeing each other data and we can reset data for just one particular user.
+ * seeing each other data, and we can reset data for just one particular user.
  */
-@Slf4j
 public class LessonConnectionInvocationHandler implements InvocationHandler {
 
   private final Connection targetConnection;
diff --git a/src/main/java/org/owasp/webgoat/container/users/LessonTracker.java b/src/main/java/org/owasp/webgoat/container/users/LessonTracker.java
index 2cc0c58af..fd9af4dcf 100644
--- a/src/main/java/org/owasp/webgoat/container/users/LessonTracker.java
+++ b/src/main/java/org/owasp/webgoat/container/users/LessonTracker.java
@@ -1,8 +1,20 @@
 package org.owasp.webgoat.container.users;
 
-import java.util.*;
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.OneToMany;
+import jakarta.persistence.Version;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
 import java.util.stream.Collectors;
-import javax.persistence.*;
+import lombok.EqualsAndHashCode;
 import lombok.Getter;
 import org.owasp.webgoat.container.lessons.Assignment;
 import org.owasp.webgoat.container.lessons.Lesson;
@@ -39,10 +51,11 @@ import org.owasp.webgoat.container.lessons.Lesson;
  * @since October 29, 2003
  */
 @Entity
+@EqualsAndHashCode
 public class LessonTracker {
 
   @Id
-  @GeneratedValue(strategy = GenerationType.AUTO)
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
   private Long id;
 
   @Getter private String lessonName;
diff --git a/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java b/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
index 4dc628f86..1678385de 100644
--- a/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
+++ b/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
@@ -1,11 +1,10 @@
 package org.owasp.webgoat.container.users;
 
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.validation.Valid;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.validation.Valid;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -23,7 +22,6 @@ public class RegistrationController {
 
   private UserValidator userValidator;
   private UserService userService;
-  private AuthenticationManager authenticationManager;
 
   @GetMapping("/registration")
   public String showForm(UserForm userForm) {
diff --git a/src/main/java/org/owasp/webgoat/container/users/UserForm.java b/src/main/java/org/owasp/webgoat/container/users/UserForm.java
index 416bba094..d0fad3626 100644
--- a/src/main/java/org/owasp/webgoat/container/users/UserForm.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserForm.java
@@ -1,8 +1,8 @@
 package org.owasp.webgoat.container.users;
 
-import javax.validation.constraints.NotNull;
-import javax.validation.constraints.Pattern;
-import javax.validation.constraints.Size;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Pattern;
+import jakarta.validation.constraints.Size;
 import lombok.Getter;
 import lombok.Setter;
 
diff --git a/src/main/java/org/owasp/webgoat/container/users/UserTracker.java b/src/main/java/org/owasp/webgoat/container/users/UserTracker.java
index 86bdf4c14..72450f69e 100644
--- a/src/main/java/org/owasp/webgoat/container/users/UserTracker.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserTracker.java
@@ -1,11 +1,19 @@
 package org.owasp.webgoat.container.users;
 
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.OneToMany;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
-import javax.persistence.*;
+import lombok.EqualsAndHashCode;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.lessons.Assignment;
 import org.owasp.webgoat.container.lessons.Lesson;
@@ -43,10 +51,11 @@ import org.owasp.webgoat.container.lessons.Lesson;
  */
 @Slf4j
 @Entity
+@EqualsAndHashCode
 public class UserTracker {
 
   @Id
-  @GeneratedValue(strategy = GenerationType.AUTO)
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
   private Long id;
 
   @Column(name = "username")
diff --git a/src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java b/src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java
index 517e50a60..bbeec3b98 100644
--- a/src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java
+++ b/src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java
@@ -1,10 +1,10 @@
 package org.owasp.webgoat.container.users;
 
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.Transient;
 import java.util.Collection;
 import java.util.Collections;
-import javax.persistence.Entity;
-import javax.persistence.Id;
-import javax.persistence.Transient;
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
diff --git a/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java b/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
index ed7988b13..761d40aa0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
+++ b/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
@@ -22,13 +22,13 @@
 
 package org.owasp.webgoat.lessons.authbypass;
 
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java b/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java
index 1b2c497bd..5e423cecd 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java
@@ -26,8 +26,6 @@ import lombok.AllArgsConstructor;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.WebSession;
-import org.owasp.webgoat.container.users.UserTracker;
-import org.owasp.webgoat.container.users.UserTrackerRepository;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -38,25 +36,17 @@ import org.springframework.web.bind.annotation.RestController;
 @AllArgsConstructor
 public class FlagController extends AssignmentEndpoint {
 
-  private final UserTrackerRepository userTrackerRepository;
   private final WebSession webSession;
   private final Flags flags;
 
   @PostMapping(path = "/challenge/flag", produces = MediaType.APPLICATION_JSON_VALUE)
   @ResponseBody
   public AttackResult postFlag(@RequestParam String flag) {
-    UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
     Flag expectedFlag = flags.getFlag(webSession.getCurrentLesson());
-    final AttackResult attackResult;
     if (expectedFlag.isCorrect(flag)) {
-      userTracker.assignmentSolved(
-          webSession.getCurrentLesson(), "Assignment" + expectedFlag.number());
-      attackResult = success(this).feedback("challenge.flag.correct").build();
+      return success(this).feedback("challenge.flag.correct").build();
     } else {
-      userTracker.assignmentFailed(webSession.getCurrentLesson());
-      attackResult = failed(this).feedback("challenge.flag.incorrect").build();
+      return failed(this).feedback("challenge.flag.incorrect").build();
     }
-    userTrackerRepository.save(userTracker);
-    return attackResult;
   }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
index 31260e8e1..a641bff28 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
@@ -1,9 +1,9 @@
 package org.owasp.webgoat.lessons.challenges.challenge7;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.time.LocalDateTime;
-import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
index 507b7b4bd..6623ea1a0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
@@ -1,9 +1,9 @@
 package org.owasp.webgoat.lessons.challenges.challenge8;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.stream.Collectors;
-import javax.servlet.http.HttpServletRequest;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java
index bd4de62fc..9f5b42b32 100644
--- a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.clientsidefiltering;
 
+import jakarta.annotation.PostConstruct;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -31,7 +32,6 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import javax.annotation.PostConstruct;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
index 65c115c41..437e89959 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.Base64;
 import java.util.Random;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.MediaType;
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
index b83f931a8..266c53ffa 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
@@ -22,10 +22,10 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Random;
-import javax.servlet.http.HttpServletRequest;
 import javax.xml.bind.DatatypeConverter;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
index 382ee3b16..ffcb739a5 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
@@ -22,11 +22,11 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyPair;
 import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.RSAPublicKey;
-import javax.servlet.http.HttpServletRequest;
 import javax.xml.bind.DatatypeConverter;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
index a5387efd0..4f4beb91a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
@@ -24,11 +24,11 @@ package org.owasp.webgoat.lessons.csrf;
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.util.Map;
 import java.util.UUID;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
index e2cbc90c7..2a929817b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
@@ -22,10 +22,10 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Random;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.i18n.PluginMessages;
 import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
index 08d226245..e41409457 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
@@ -22,7 +22,7 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java b/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
index c11d43c5e..e82a46cc7 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
@@ -25,6 +25,7 @@ package org.owasp.webgoat.lessons.csrf;
 import static org.springframework.http.MediaType.ALL_VALUE;
 
 import com.google.common.collect.Lists;
+import jakarta.servlet.http.HttpServletRequest;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.ArrayList;
@@ -32,7 +33,6 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
index 00416b964..8fae4e89d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.lessons.hijacksession;
 
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
index b3ad85e95..7330c747b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
@@ -22,7 +22,7 @@
 
 package org.owasp.webgoat.lessons.httpproxies;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.HttpMethod;
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
index f216cb580..b4e8a3cbd 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.idor;
 
+import jakarta.servlet.http.HttpServletResponse;
 import java.util.HashMap;
 import java.util.Map;
-import javax.servlet.http.HttpServletResponse;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
index 02a935498..e1ac1a0d2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
@@ -31,14 +31,14 @@ import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.impl.TextCodec;
+import jakarta.annotation.PostConstruct;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletResponse;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
-import javax.annotation.PostConstruct;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java b/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
index 710f22f1a..a338407bf 100644
--- a/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
@@ -22,10 +22,10 @@
 
 package org.owasp.webgoat.lessons.logging;
 
+import jakarta.annotation.PostConstruct;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.UUID;
-import javax.annotation.PostConstruct;
 import org.apache.logging.log4j.util.Strings;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
index 34b8ee856..c53931418 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.lessons.passwordreset;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.UUID;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Value;
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java
index 604c51fd3..4601cc78a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java
@@ -1,7 +1,7 @@
 package org.owasp.webgoat.lessons.passwordreset.resetlink;
 
-import javax.validation.constraints.NotNull;
-import javax.validation.constraints.Size;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Size;
 import lombok.Getter;
 import lombok.Setter;
 
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
index f52bed34a..402945f12 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
@@ -1,5 +1,7 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
+import jakarta.annotation.PostConstruct;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -8,8 +10,6 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.util.Base64;
-import javax.annotation.PostConstruct;
-import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
index 2efc739f6..a943cc7b5 100644
--- a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.spoofcookie;
 
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletResponse;
 import java.util.Map;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
index 32db401fa..9678a2f9d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
@@ -22,11 +22,11 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
+import jakarta.annotation.PostConstruct;
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-import javax.annotation.PostConstruct;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
index 20225384f..d8cecf291 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.sql.*;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
index c6e9e0493..63764adea 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.webwolfintroduction;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.net.URI;
 import java.net.URISyntaxException;
-import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
index 11da6ea19..e7df0a4ed 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.lessons.xss;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.security.SecureRandom;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.UserSessionData;
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java b/src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java
index 90d06fdd1..12b7516b5 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java
@@ -22,7 +22,8 @@
 
 package org.owasp.webgoat.lessons.xxe;
 
-import javax.xml.bind.annotation.XmlRootElement;
+import jakarta.xml.bind.annotation.XmlRootElement;
+import jakarta.xml.bind.annotation.XmlType;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
@@ -37,7 +38,8 @@ import lombok.ToString;
 @Setter
 @AllArgsConstructor
 @NoArgsConstructor
-@XmlRootElement
+@XmlRootElement(name = "comment")
+@XmlType
 @ToString
 public class Comment {
   private String user;
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
index b949f0abe..e8abf3bd3 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
@@ -26,6 +26,8 @@ import static java.util.Optional.empty;
 import static java.util.Optional.of;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.xml.bind.JAXBContext;
+import jakarta.xml.bind.JAXBException;
 import java.io.IOException;
 import java.io.StringReader;
 import java.time.LocalDateTime;
@@ -36,8 +38,6 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 import javax.xml.XMLConstants;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.JAXBException;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
 import org.owasp.webgoat.container.session.WebSession;
@@ -93,7 +93,7 @@ public class CommentsCache {
    * progress etc). In real life the XmlMapper bean defined above will be used automatically and the
    * Comment class can be directly used in the controller method (instead of a String)
    */
-  protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
+  protected Comment parseXml(String xml) throws XMLStreamException, JAXBException {
     var jc = JAXBContext.newInstance(Comment.class);
     var xif = XMLInputFactory.newInstance();
 
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java b/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
index 2e54dc1d8..4555fcd72 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
@@ -24,7 +24,7 @@ package org.owasp.webgoat.lessons.xxe;
 
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -60,8 +60,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
   public AttackResult createNewUser(
       HttpServletRequest request,
       @RequestBody String commentStr,
-      @RequestHeader("Content-Type") String contentType)
-      throws Exception {
+      @RequestHeader("Content-Type") String contentType) {
     AttackResult attackResult = failed(this).build();
 
     if (APPLICATION_JSON_VALUE.equals(contentType)) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java b/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
index d51712cd4..53638e0d8 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
@@ -25,7 +25,7 @@ package org.owasp.webgoat.lessons.xxe;
 import static org.springframework.http.MediaType.ALL_VALUE;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/webwolf/FileServer.java b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
index a23af4ce7..5eda1ca2b 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
@@ -24,10 +24,10 @@ package org.owasp.webgoat.webwolf;
 
 import static org.springframework.http.MediaType.ALL_VALUE;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
-import javax.servlet.http.HttpServletRequest;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
diff --git a/src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java b/src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java
index f5fec0777..3c267bd32 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java
@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.webwolf;
 
+import jakarta.annotation.PostConstruct;
 import java.io.File;
-import javax.annotation.PostConstruct;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
diff --git a/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java b/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
index 740a34856..64f6758c7 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
@@ -29,54 +29,49 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
 
-/** Security configuration for WebGoat. */
+/** Security configuration for WebWolf. */
 @Configuration
 @AllArgsConstructor
 @EnableWebSecurity
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
 
   private final UserService userDetailsService;
 
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
-    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
-        http.authorizeRequests()
-            .antMatchers(HttpMethod.POST, "/fileupload")
-            .authenticated()
-            .antMatchers(HttpMethod.GET, "/files", "/mail", "/requests")
-            .authenticated()
-            .and()
-            .authorizeRequests()
-            .anyRequest()
-            .permitAll();
-
-    security.and().csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
-    security.and().formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
-    security.and().logout().permitAll();
+  @Bean
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests(
+        auth -> auth.requestMatchers(HttpMethod.POST, "/fileupload").authenticated());
+    http.authorizeHttpRequests(
+        auth ->
+            auth.requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests").authenticated());
+    http.authorizeHttpRequests().anyRequest().permitAll();
+    http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
+    http.formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
+    http.logout().permitAll();
+    return http.build();
   }
 
   @Autowired
   public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
-    auth.userDetailsService(userDetailsService); // .passwordEncoder(bCryptPasswordEncoder());
+    auth.userDetailsService(userDetailsService);
   }
 
   @Bean
-  @Override
-  public UserDetailsService userDetailsServiceBean() throws Exception {
+  public UserDetailsService userDetailsServiceBean() {
     return userDetailsService;
   }
 
-  @Override
   @Bean
-  protected AuthenticationManager authenticationManager() throws Exception {
-    return super.authenticationManager();
+  public AuthenticationManager authenticationManager(
+      AuthenticationConfiguration authenticationConfiguration) throws Exception {
+    return authenticationConfiguration.getAuthenticationManager();
   }
 
   @Bean
diff --git a/src/main/java/org/owasp/webgoat/webwolf/WebWolf.java b/src/main/java/org/owasp/webgoat/webwolf/WebWolf.java
index fa5d488a3..395f69d36 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/WebWolf.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/WebWolf.java
@@ -23,7 +23,7 @@
 package org.owasp.webgoat.webwolf;
 
 import org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository;
-import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
+import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
@@ -37,7 +37,7 @@ import org.springframework.context.annotation.PropertySource;
 public class WebWolf {
 
   @Bean
-  public HttpTraceRepository traceRepository() {
+  public HttpExchangeRepository traceRepository() {
     return new WebWolfTraceRepository();
   }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java b/src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java
index 4cca7856b..dac61e427 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java
@@ -23,10 +23,14 @@
 package org.owasp.webgoat.webwolf.mailbox;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
 import java.io.Serializable;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
-import javax.persistence.*;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;
diff --git a/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java b/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
index e7a42214f..fb1bde0e5 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
@@ -24,7 +24,6 @@ package org.owasp.webgoat.webwolf.mailbox;
 
 import java.util.List;
 import lombok.RequiredArgsConstructor;
-import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -38,7 +37,6 @@ import org.springframework.web.servlet.ModelAndView;
 
 @RestController
 @RequiredArgsConstructor
-@Slf4j
 public class MailboxController {
 
   private final MailboxRepository mailboxRepository;
diff --git a/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java b/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
index 6d46c014f..7bdcc1006 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.webwolf.requests;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.concurrent.Callable;
-import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
diff --git a/src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java b/src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java
index f510ed7e9..5effa524e 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java
@@ -32,8 +32,7 @@ import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
-import org.springframework.boot.actuate.trace.http.HttpTrace;
-import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
+import org.springframework.boot.actuate.web.exchanges.HttpExchange;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Controller;
@@ -78,8 +77,8 @@ public class Requests {
     return model;
   }
 
-  private boolean allowedTrace(HttpTrace t, UserDetails user) {
-    Request req = t.getRequest();
+  private boolean allowedTrace(HttpExchange t, UserDetails user) {
+    HttpExchange.Request req = t.getRequest();
     boolean allowed = true;
     /* do not show certain traces to other users in a classroom setup */
     if (req.getUri().getPath().contains("/files")
@@ -95,11 +94,11 @@ public class Requests {
     return allowed;
   }
 
-  private String path(HttpTrace t) {
+  private String path(HttpExchange t) {
     return (String) t.getRequest().getUri().getPath();
   }
 
-  private String toJsonString(HttpTrace t) {
+  private String toJsonString(HttpExchange t) {
     try {
       return objectMapper.writeValueAsString(t);
     } catch (JsonProcessingException e) {
diff --git a/src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java b/src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java
index bba73a890..ceff13923 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java
@@ -26,8 +26,8 @@ import com.google.common.collect.EvictingQueue;
 import java.util.ArrayList;
 import java.util.List;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.boot.actuate.trace.http.HttpTrace;
-import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
+import org.springframework.boot.actuate.web.exchanges.HttpExchange;
+import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
 
 /**
  * Keep track of all the incoming requests, we are only keeping track of request originating from
@@ -37,9 +37,9 @@ import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
  * @since 8/13/17.
  */
 @Slf4j
-public class WebWolfTraceRepository implements HttpTraceRepository {
+public class WebWolfTraceRepository implements HttpExchangeRepository {
 
-  private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
+  private final EvictingQueue<HttpExchange> traces = EvictingQueue.create(10000);
   private final List<String> exclusionList =
       List.of(
           "/tmpdir",
@@ -54,11 +54,11 @@ public class WebWolfTraceRepository implements HttpTraceRepository {
           "/mail");
 
   @Override
-  public List<HttpTrace> findAll() {
+  public List<HttpExchange> findAll() {
     return List.of();
   }
 
-  public List<HttpTrace> findAllTraces() {
+  public List<HttpExchange> findAllTraces() {
     return new ArrayList<>(traces);
   }
 
@@ -67,7 +67,7 @@ public class WebWolfTraceRepository implements HttpTraceRepository {
   }
 
   @Override
-  public void add(HttpTrace httpTrace) {
+  public void add(HttpExchange httpTrace) {
     var path = httpTrace.getRequest().getUri().getPath();
     if (!isInExclusionList(path)) {
       traces.add(httpTrace);
diff --git a/src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java b/src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java
index d432ff925..35f7dd92f 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java
@@ -22,11 +22,11 @@
 
 package org.owasp.webgoat.webwolf.user;
 
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.Transient;
 import java.util.Collection;
 import java.util.Collections;
-import javax.persistence.Entity;
-import javax.persistence.Id;
-import javax.persistence.Transient;
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.User;
diff --git a/src/main/resources/application-webgoat.properties b/src/main/resources/application-webgoat.properties
index cd217395c..186c62690 100644
--- a/src/main/resources/application-webgoat.properties
+++ b/src/main/resources/application-webgoat.properties
@@ -13,11 +13,12 @@ server.ssl.key-store-password=${WEBGOAT_KEYSTORE_PASSWORD:password}
 server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat}
 server.ssl.enabled=${WEBGOAT_SSLENABLED:false}
 
-spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
-spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
-spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
-spring.jpa.properties.hibernate.default_schema=CONTAINER
 spring.banner.location=classpath:banner.txt
+spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
+spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
+spring.jpa.open-in-view=false
+spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
+spring.jpa.properties.hibernate.default_schema=CONTAINER
 
 logging.level.org.thymeleaf=INFO
 logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO
@@ -28,6 +29,7 @@ logging.level.org.springframework=INFO
 logging.level.org.springframework.boot.devtools=INFO
 logging.level.org.owasp=DEBUG
 logging.level.org.owasp.webgoat=DEBUG
+logging.level.org.hidbernate.SQL=DEBUG
 
 webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
@@ -51,11 +53,11 @@ spring.jackson.serialization.write-dates-as-timestamps=false
 #For static file refresh ... and faster dev :D
 spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css
 
-exclude.categories=${EXCLUDE_CATEGORIES:none,none}
 #exclude based on the enum of the Category
+exclude.categories=${EXCLUDE_CATEGORIES:none,none}
 
-exclude.lessons=${EXCLUDE_LESSONS:none,none}
 #exclude based on the class name of a lesson e.g.: LessonTemplate
+exclude.lessons=${EXCLUDE_LESSONS:none,none}
 
 management.health.db.enabled=true
 management.endpoint.health.show-details=always
diff --git a/src/main/resources/application-webwolf.properties b/src/main/resources/application-webwolf.properties
index eedc0599b..7d7bef3d1 100644
--- a/src/main/resources/application-webwolf.properties
+++ b/src/main/resources/application-webwolf.properties
@@ -18,6 +18,7 @@ spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
 spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
 spring.jpa.properties.hibernate.default_schema=CONTAINER
+spring.jpa.open-in-view=false
 spring.messages.basename=i18n/messages
 spring.jmx.enabled=false
 
@@ -26,7 +27,7 @@ logging.level.org.springframework.boot.devtools=WARN
 logging.level.org.owasp=DEBUG
 logging.level.org.owasp.webwolf=TRACE
 
-management.trace.http.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
+management.httpexchanges.recording.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
 management.endpoint.httptrace.enabled=true
 
 spring.thymeleaf.cache=false
diff --git a/src/main/resources/db/container/V3__id.sql b/src/main/resources/db/container/V3__id.sql
new file mode 100644
index 000000000..2787eed56
--- /dev/null
+++ b/src/main/resources/db/container/V3__id.sql
@@ -0,0 +1,4 @@
+ALTER TABLE CONTAINER.ASSIGNMENT ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
+ALTER TABLE CONTAINER.LESSON_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
+ALTER TABLE CONTAINER.USER_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
+
diff --git a/src/main/resources/lessons/authbypass/html/AuthBypass.html b/src/main/resources/lessons/authbypass/html/AuthBypass.html
index 914bd2064..1630a5981 100644
--- a/src/main/resources/lessons/authbypass/html/AuthBypass.html
+++ b/src/main/resources/lessons/authbypass/html/AuthBypass.html
@@ -4,14 +4,14 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/bypass-intro.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/bypass-intro.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/2fa-bypass.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/2fa-bypass.adoc}"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -72,9 +72,9 @@
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-video.adoc"></div>-->
+        <!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-video.adoc}"></div>-->
         <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
-        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-attack.adoc"></div>-->
+        <!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-attack.adoc}"></div>-->
 
         <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
 
diff --git a/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html b/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
index 4c506a09f..de38da671 100755
--- a/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
+++ b/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
@@ -6,12 +6,12 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <!-- stripped down without extra comments -->
-    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc}"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -59,7 +59,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 
diff --git a/src/main/resources/lessons/challenges/html/Challenge.html b/src/main/resources/lessons/challenges/html/Challenge.html
index 713d902f3..5a03f3da8 100644
--- a/src/main/resources/lessons/challenges/html/Challenge.html
+++ b/src/main/resources/lessons/challenges/html/Challenge.html
@@ -3,7 +3,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div>
 </div>
 
 </html>
diff --git a/src/main/resources/lessons/challenges/html/Challenge1.html b/src/main/resources/lessons/challenges/html/Challenge1.html
index f69942f38..2d9e95114 100644
--- a/src/main/resources/lessons/challenges/html/Challenge1.html
+++ b/src/main/resources/lessons/challenges/html/Challenge1.html
@@ -3,7 +3,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
     <div class="attack-container">
diff --git a/src/main/resources/lessons/challenges/html/Challenge5.html b/src/main/resources/lessons/challenges/html/Challenge5.html
index 9a6f42348..25ace8fc6 100644
--- a/src/main/resources/lessons/challenges/html/Challenge5.html
+++ b/src/main/resources/lessons/challenges/html/Challenge5.html
@@ -4,7 +4,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_5.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_5.adoc}"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
diff --git a/src/main/resources/lessons/challenges/html/Challenge6.html b/src/main/resources/lessons/challenges/html/Challenge6.html
index 1a906c0a6..018857871 100644
--- a/src/main/resources/lessons/challenges/html/Challenge6.html
+++ b/src/main/resources/lessons/challenges/html/Challenge6.html
@@ -4,7 +4,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_6.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_6.adoc}"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
     <script th:src="@{/lesson_js/challenge6.js}" language="JavaScript"></script>
     <div class="attack-container">
diff --git a/src/main/resources/lessons/challenges/html/Challenge7.html b/src/main/resources/lessons/challenges/html/Challenge7.html
index dec4331b1..618db5817 100644
--- a/src/main/resources/lessons/challenges/html/Challenge7.html
+++ b/src/main/resources/lessons/challenges/html/Challenge7.html
@@ -12,7 +12,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_7.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_7.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="container-fluid">
diff --git a/src/main/resources/lessons/challenges/html/Challenge8.html b/src/main/resources/lessons/challenges/html/Challenge8.html
index 989977d2d..c79bcc833 100644
--- a/src/main/resources/lessons/challenges/html/Challenge8.html
+++ b/src/main/resources/lessons/challenges/html/Challenge8.html
@@ -3,7 +3,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_8.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_8.adoc}"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge8.css}"/>
     <script th:src="@{/lesson_js/challenge8.js}" language="JavaScript"></script>
 
diff --git a/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html b/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
index c83603964..1ce04f190 100644
--- a/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
+++ b/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
@@ -4,22 +4,22 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc}"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc}"></div>
 </div>
 
 <!-- 3 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc}"></div>
 </div>
 
 <!-- 4 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -35,12 +35,12 @@
 
 <!-- 5 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc}"></div>
 </div>
 
 <!-- 6 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
diff --git a/src/main/resources/lessons/cia/html/CIA.html b/src/main/resources/lessons/cia/html/CIA.html
index 219ce0e08..23c3d7330 100644
--- a/src/main/resources/lessons/cia/html/CIA.html
+++ b/src/main/resources/lessons/cia/html/CIA.html
@@ -3,19 +3,19 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_intro.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_confidentiality.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_confidentiality.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_integrity.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_integrity.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_availability.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_availability.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
@@ -23,7 +23,7 @@
     <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
     <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
     <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_quiz.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_quiz.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="container-fluid">
diff --git a/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html b/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
index 18d965c66..a863a0edc 100644
--- a/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
+++ b/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
@@ -2,10 +2,10 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc}"></div>
 
     <br/>
 
@@ -74,7 +74,7 @@
     </div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc}"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/>
     <script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script>
     <div class="attack-container">
diff --git a/src/main/resources/lessons/cryptography/html/Cryptography.html b/src/main/resources/lessons/cryptography/html/Cryptography.html
index 6e6f32767..19438ef6c 100644
--- a/src/main/resources/lessons/cryptography/html/Cryptography.html
+++ b/src/main/resources/lessons/cryptography/html/Cryptography.html
@@ -18,11 +18,11 @@ $(document).ready(initialise);
 <body>
 	<!-- 1. overview -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/Crypto_plan.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/Crypto_plan.adoc}"></div>
 	</div>
 	<!-- 2. encoding -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan.adoc}"></div>
 		<!-- 2. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -41,7 +41,7 @@ $(document).ready(initialise);
 	</div>
 	<!-- 3. encoding xor -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan2.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan2.adoc}"></div>
 		<!-- 3. assignment xor -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -58,7 +58,7 @@ $(document).ready(initialise);
 
 	<!-- 4. hashing -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/hashing_plan.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/hashing_plan.adoc}"></div>
 		<!-- 4. weak hashing exercise -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -76,12 +76,12 @@ $(document).ready(initialise);
 	
 	<!-- 5. encryption -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encryption.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encryption.adoc}"></div>
 	</div>
 
 	<!-- 6. signing -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/signing.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/signing.adoc}"></div>
 		<!-- 6. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -101,12 +101,12 @@ $(document).ready(initialise);
 	
 	<!-- 7. keystores -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/keystores.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/keystores.adoc}"></div>
 	</div>
 	
 	<!-- 8. security defaults -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/defaults.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/defaults.adoc}"></div>
 		<!-- 8. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -123,7 +123,7 @@ $(document).ready(initialise);
 	</div>
 	<!-- 9. postquantum -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/postquantum.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/postquantum.adoc}"></div>
 	</div>
 </body>
 </html>
diff --git a/src/main/resources/lessons/csrf/html/CSRF.html b/src/main/resources/lessons/csrf/html/CSRF.html
index 01fdb696c..61a6029b3 100644
--- a/src/main/resources/lessons/csrf/html/CSRF.html
+++ b/src/main/resources/lessons/csrf/html/CSRF.html
@@ -3,15 +3,15 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_intro.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_GET.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_GET.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Get_Flag.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Get_Flag.adoc}"></div>
 
     <form accept-charset="UNKNOWN" id="basic-csrf-get"
           method="POST" name="form1"
@@ -23,7 +23,7 @@
 
     </form>
 
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Basic_Get-1.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Basic_Get-1.adoc}"></div>
 
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
@@ -54,7 +54,7 @@
 
 <div class="lesson-page-wrapper">
 
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Reviews.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Reviews.adoc}"></div>
 
     <!-- comment area -->
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
@@ -121,15 +121,15 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Frameworks.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Frameworks.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_JSON.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_JSON.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_ContentType.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_ContentType.adoc}"></div>
 
     <script th:src="@{/lesson_js/feedback.js}" language="JavaScript"></script>
     <div style="container-fluid; background-color: #f1f1f1; border: 2px solid #a66;
@@ -227,7 +227,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Login.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Login.adoc}"></div>
 
     <div class="attack-container">
         <div class="assignment-success">
@@ -251,7 +251,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Impact_Defense.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Impact_Defense.adoc}"></div>
 </div>
 
 
diff --git a/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html b/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
index 1b64172f4..43b58e9dd 100755
--- a/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
+++ b/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
@@ -3,24 +3,24 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- stripped down without extra comments -->
-        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Task.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_Task.adoc}"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN" name="task"
diff --git a/src/main/resources/lessons/hijacksession/html/HijackSession.html b/src/main/resources/lessons/hijacksession/html/HijackSession.html
index a341ff809..13ac2a8dc 100644
--- a/src/main/resources/lessons/hijacksession/html/HijackSession.html
+++ b/src/main/resources/lessons/hijacksession/html/HijackSession.html
@@ -7,12 +7,12 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_plan.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/hijacksession/documentation/HijackSession_plan.adoc}"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_content0.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/hijacksession/documentation/HijackSession_content0.adoc}"></div>
 	<div class="attack-container">
 		<div class="assignment-success">
 			<i class="fa fa-2 fa-check hidden" aria-hidden="true"></i>
diff --git a/src/main/resources/lessons/hijacksession/lessonSolutions/html/HijackSession.html b/src/main/resources/lessons/hijacksession/lessonSolutions/html/HijackSession.html
index ac8ab94d5..4d5022d0a 100644
--- a/src/main/resources/lessons/hijacksession/lessonSolutions/html/HijackSession.html
+++ b/src/main/resources/lessons/hijacksession/lessonSolutions/html/HijackSession.html
@@ -7,7 +7,7 @@
 	<div class="lesson-page-wrapper">
 		<!-- reuse this block for each 'page' of content -->
 		<!-- include content here ... will be first page/tab  multiple -->
-		<div class="adoc-content" th:replace="doc:HijackSession_solution.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:HijackSession_solution.adoc}"></div>
 	</div>
 
 
diff --git a/src/main/resources/lessons/htmltampering/html/HtmlTampering.html b/src/main/resources/lessons/htmltampering/html/HtmlTampering.html
index c40fdd68c..859de642c 100755
--- a/src/main/resources/lessons/htmltampering/html/HtmlTampering.html
+++ b/src/main/resources/lessons/htmltampering/html/HtmlTampering.html
@@ -3,12 +3,12 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/htmltampering/documentation/HtmlTampering_Intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/htmltampering/documentation/HtmlTampering_Intro.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <!-- stripped down without extra comments -->
-    <div class="adoc-content" th:replace="doc:lessons/htmltampering/documentation/HtmlTampering_Task.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/htmltampering/documentation/HtmlTampering_Task.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" id="task" name="task"
@@ -143,6 +143,6 @@
     </div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/htmltampering/documentation/HtmlTampering_Mitigation.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/htmltampering/documentation/HtmlTampering_Mitigation.adoc}"></div>
 </div>
 </html>
diff --git a/src/main/resources/lessons/httpbasics/html/HttpBasics.html b/src/main/resources/lessons/httpbasics/html/HttpBasics.html
index e3dcc79c0..2171590e4 100644
--- a/src/main/resources/lessons/httpbasics/html/HttpBasics.html
+++ b/src/main/resources/lessons/httpbasics/html/HttpBasics.html
@@ -6,13 +6,13 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
 		which you put in src/main/resources/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:lessons/httpbasics/documentation/HttpBasics_plan.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/httpbasics/documentation/HttpBasics_plan.adoc}"></div>
 	</div>
 
 	<div class="lesson-page-wrapper">
 		<!-- reuse this block for each 'page' of content -->
         <!-- sample ascii doc content for second page -->
-		<div class="adoc-content" th:replace="doc:lessons/httpbasics/documentation/HttpBasics_content1.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/httpbasics/documentation/HttpBasics_content1.adoc}"></div>
         <!-- if including attack, reuse this section, leave classes in place -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -42,7 +42,7 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:lessons/httpbasics/documentation/HttpBasics_content2.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/httpbasics/documentation/HttpBasics_content2.adoc}"></div>
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
diff --git a/src/main/resources/lessons/httpproxies/html/HttpProxies.html b/src/main/resources/lessons/httpproxies/html/HttpProxies.html
index 3b96be434..25ba2cc70 100644
--- a/src/main/resources/lessons/httpproxies/html/HttpProxies.html
+++ b/src/main/resources/lessons/httpproxies/html/HttpProxies.html
@@ -3,23 +3,23 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/0overview.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/0overview.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/1proxysetupsteps.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/1proxysetupsteps.adoc}"></div>
 	</div>
 
     <div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/3browsersetup.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/3browsersetup.adoc}"></div>
 	</div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/5configurefilterandbreakpoints.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/5configurefilterandbreakpoints.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/6assignment.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/6assignment.adoc}"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
@@ -36,15 +36,15 @@
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/7resend.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/7resend.adoc}"></div>
     </div>
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/8httpsproxy.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/8httpsproxy.adoc}"></div>
     </div>
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/9manual.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/9manual.adoc}"></div>
     </div>
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/10burp.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/httpproxies/documentation/10burp.adoc}"></div>
     </div>
 </html>
diff --git a/src/main/resources/lessons/idor/html/IDOR.html b/src/main/resources/lessons/idor/html/IDOR.html
index b4b7f530f..9547fb00f 100644
--- a/src/main/resources/lessons/idor/html/IDOR.html
+++ b/src/main/resources/lessons/idor/html/IDOR.html
@@ -4,14 +4,14 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_intro.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_login.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_login.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -46,7 +46,7 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_viewDiffs.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_viewDiffs.adoc}"></div>
     <div class="nonattack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -76,7 +76,7 @@
         <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
         <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
         <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-        <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_whatDiffs.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_whatDiffs.adoc}"></div>
         <!-- modify the action to point to the intended endpoint -->
         <form class="attack-form"
               method="POST" name="diff-form"
@@ -96,7 +96,7 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_viewOwnAltPath.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_viewOwnAltPath.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -108,7 +108,7 @@
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
               action="/WebGoat/IDOR/profile/alt-path">
-            <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_inputAltPath.adoc"></div>
+            <div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_inputAltPath.adoc}"></div>
             <input name="url" value="WebGoat/" type="text"/>
             <input name="submit" value="Submit" type="SUBMIT"/>
         </form>
@@ -123,7 +123,7 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_viewOtherProfile.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_viewOtherProfile.adoc}"></div>
     <div class="nonattack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -147,7 +147,7 @@
         <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
     </div>
 
-    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_editOtherProfile.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_editOtherProfile.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -176,7 +176,7 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_mitigation.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_mitigation.adoc}"></div>
 </div>
 
 </html>
diff --git a/src/main/resources/lessons/insecurelogin/html/InsecureLogin.html b/src/main/resources/lessons/insecurelogin/html/InsecureLogin.html
index a150a2f1c..30e04e4c7 100755
--- a/src/main/resources/lessons/insecurelogin/html/InsecureLogin.html
+++ b/src/main/resources/lessons/insecurelogin/html/InsecureLogin.html
@@ -6,12 +6,12 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/insecurelogin/documentation/InsecureLogin_Intro.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/insecurelogin/documentation/InsecureLogin_Intro.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- stripped down without extra comments -->
-        <div class="adoc-content" th:replace="doc:lessons/insecurelogin/documentation/InsecureLogin_Task.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/insecurelogin/documentation/InsecureLogin_Task.adoc}"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <script th:src="@{/lesson_js/credentials.js}"></script>
diff --git a/src/main/resources/lessons/jwt/html/JWT.html b/src/main/resources/lessons/jwt/html/JWT.html
index fdf7a5fa6..c210971a2 100644
--- a/src/main/resources/lessons/jwt/html/JWT.html
+++ b/src/main/resources/lessons/jwt/html/JWT.html
@@ -3,14 +3,14 @@
 <html xmlns:th="http://www.thymeleaf.org">
 <body>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_plan.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_plan.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_structure.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_structure.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_decode.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_decode.adoc}"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <form id="decode" class="attack-form" method="POST" name="form" action="/WebGoat/JWT/decode">
@@ -35,10 +35,10 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_login_to_token.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_login_to_token.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_signing.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_signing.adoc}"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
     <script th:src="@{/lesson_js/jwt-voting.js}" language="JavaScript"></script>
@@ -102,7 +102,7 @@
 
 <div class="lesson-page-wrapper">
     <div class="lesson-page-solution">
-        <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_signing_solution.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_signing_solution.adoc}"></div>
     </div>
 </div>
 
@@ -112,7 +112,7 @@
     <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
     <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
     <link rel="import" type="application/json" th:href="@{/lesson_js/questions_jwt.json}"/>
-    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_libraries_assignment.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_libraries_assignment.adoc}"></div>
     <div class="attack-container">
         <div class="attack-feedback"></div>
         <div class="attack-output"></div>
@@ -134,18 +134,18 @@
 
 <div class="lesson-page-wrapper">
     <div class="lesson-page-solution">
-        <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_libraries_assignment2.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_libraries_assignment2.adoc}"></div>
     </div>
 </div>
 
 <div class="lesson-page-wrapper">
     <div class="lesson-page-solution">
-        <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_libraries_solution.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_libraries_solution.adoc}"></div>
     </div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_weak_keys"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_weak_keys}"></div>
     <script th:src="@{/lesson_js/jwt-weak-keys.js}" language="JavaScript"></script>
     <pre id="secrettoken"></pre>
 
@@ -173,11 +173,11 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_refresh.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_refresh.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_refresh_assignment.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_refresh_assignment.adoc}"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
     <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@@ -299,7 +299,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_final.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_final.adoc}"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
     <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@@ -359,7 +359,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_mitigation.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_mitigation.adoc}"></div>
 </div>
 </body>
 
diff --git a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc
index 2be501c4f..8342ffd9f 100644
--- a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc
+++ b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc
@@ -82,7 +82,7 @@ green when the user solves the assignment. To make this work we need to add to t
 [source]
 ----
 <div class="lesson-page-wrapper">
-  <div class="adoc-content" th:replace="doc:lesson-template-attack.adoc"></div>
+  <div class="adoc-content" th:replace="~{doc:lesson-template-attack.adoc}"></div>
   <div class="attack-container">
     <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
     <form class="attack-form" accept-charset="UNKNOWN"
diff --git a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-glue.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-glue.adoc
index 7fbddf68c..d77dc2602 100644
--- a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-glue.adoc
+++ b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-glue.adoc
@@ -9,16 +9,16 @@ green when the user solves the assignment. To make this work we need to add:
 <html xmlns:th="http://www.thymeleaf.org">
 
   <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/
-lesson-template-intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/
+lesson-template-intro.adoc}"></div>
   </div>
   <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/
-lesson-template-content.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/
+lesson-template-content.adoc}"></div>
   </div>
   <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/
-lesson-template-lesson-class.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/
+lesson-template-lesson-class.adoc}"></div>
   </div>
 </html>
 ----
diff --git a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-video-more.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-video-more.adoc
index eb6502f36..b3c1fa7a5 100644
--- a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-video-more.adoc
+++ b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-video-more.adoc
@@ -5,7 +5,7 @@ You can include multiple adoc files in one page, by including them in the same `
 [source]
 ----
 <div class="lesson-page-wrapper">
-  <div class="adoc-content" th:replace="doc:lesson-template-video.adoc"></div>
-  <div class="adoc-content" th:replace="doc:lesson-template-video-more.adoc"></div>
+  <div class="adoc-content" th:replace="~{doc:lesson-template-video.adoc}"></div>
+  <div class="adoc-content" th:replace="~{doc:lesson-template-video-more.adoc}"></div>
 </div>
-----
\ No newline at end of file
+----
diff --git a/src/main/resources/lessons/lessontemplate/html/LessonTemplate.html b/src/main/resources/lessons/lessontemplate/html/LessonTemplate.html
index 9b1c7557a..c6f49d651 100644
--- a/src/main/resources/lessons/lessontemplate/html/LessonTemplate.html
+++ b/src/main/resources/lessons/lessontemplate/html/LessonTemplate.html
@@ -4,38 +4,38 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-intro.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-intro.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-content.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-content.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-video.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-video.adoc}"></div>
         <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
-        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-video-more.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-video-more.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-lesson-class.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-lesson-class.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-glue.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-glue.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-attack.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-attack.adoc}"></div>
 
         <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
         <div class="attack-container">
@@ -71,7 +71,7 @@
         see other lessons for other more complex examples -->
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-database.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/lessontemplate/documentation/lesson-template-database.adoc}"></div>
     </div>
 
 </html>
diff --git a/src/main/resources/lessons/logging/html/LogSpoofing.html b/src/main/resources/lessons/logging/html/LogSpoofing.html
index 68e49a064..13071ada3 100755
--- a/src/main/resources/lessons/logging/html/LogSpoofing.html
+++ b/src/main/resources/lessons/logging/html/LogSpoofing.html
@@ -6,12 +6,12 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:lessons/logging/documentation/logging_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/logging/documentation/logging_intro.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <!-- stripped down without extra comments -->
-    <div class="adoc-content" th:replace="doc:lessons/logging/documentation/logSpoofing_Task.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/logging/documentation/logSpoofing_Task.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" name="task"
@@ -30,10 +30,10 @@
     </div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/logging/documentation/sensitive_logging_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/logging/documentation/sensitive_logging_intro.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/logging/documentation/logReading_Task.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/logging/documentation/logReading_Task.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" name="task"
@@ -50,6 +50,6 @@
     </div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/logging/documentation/more_logging.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/logging/documentation/more_logging.adoc}"></div>
 </div>
 </html>
diff --git a/src/main/resources/lessons/missingac/html/MissingFunctionAC.html b/src/main/resources/lessons/missingac/html/MissingFunctionAC.html
index bb0d1d248..8fdd8bbf8 100644
--- a/src/main/resources/lessons/missingac/html/MissingFunctionAC.html
+++ b/src/main/resources/lessons/missingac/html/MissingFunctionAC.html
@@ -1,12 +1,12 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-01-intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/missingac/documentation/missing-function-ac-01-intro.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/ac.css}"/>
-    <div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-02-client-controls.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/missingac/documentation/missing-function-ac-02-client-controls.adoc}"></div>
 
     <div class="attack-container">
         <nav class="navbar navbar-default">
@@ -70,7 +70,7 @@
 
 <div class="lesson-page-wrapper">
 
-    <div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-03-users.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/missingac/documentation/missing-function-ac-03-users.adoc}"></div>
 
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -92,7 +92,7 @@
 
 <div class="lesson-page-wrapper">
 
-    <div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-04-users-fixed.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/missingac/documentation/missing-function-ac-04-users-fixed.adoc}"></div>
 
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
diff --git a/src/main/resources/lessons/passwordreset/html/PasswordReset.html b/src/main/resources/lessons/passwordreset/html/PasswordReset.html
index 2acb24098..aede6282c 100644
--- a/src/main/resources/lessons/passwordreset/html/PasswordReset.html
+++ b/src/main/resources/lessons/passwordreset/html/PasswordReset.html
@@ -3,10 +3,10 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_plan.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_plan.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_simple.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_simple.adoc}"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/password.css}"/>
     <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@@ -90,11 +90,11 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_wrong_message.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_wrong_message.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_known_questions.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_known_questions.adoc}"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/password.css}"/>
     <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@@ -138,7 +138,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_SecurityQuestions.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_SecurityQuestions.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -168,7 +168,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_host_header.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_host_header.adoc}"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -260,6 +260,6 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_mitigation.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/passwordreset/documentation/PasswordReset_mitigation.adoc}"></div>
 </div>
 </html>
diff --git a/src/main/resources/lessons/pathtraversal/html/PathTraversal.html b/src/main/resources/lessons/pathtraversal/html/PathTraversal.html
index 5f716f71a..dcd050bb9 100644
--- a/src/main/resources/lessons/pathtraversal/html/PathTraversal.html
+++ b/src/main/resources/lessons/pathtraversal/html/PathTraversal.html
@@ -5,11 +5,11 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_intro.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_upload.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_upload.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="upload-container">
@@ -63,7 +63,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_upload_fix.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_upload_fix.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="upload-container">
@@ -118,7 +118,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_upload_remove_user_input.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_upload_remove_user_input.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="upload-container">
@@ -174,7 +174,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_retrieval.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_retrieval.adoc}"></div>
     <div class="attack-container">
 
         <div class="container-fluid">
@@ -212,11 +212,11 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip_assignment.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip_assignment.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="upload-container">
@@ -271,7 +271,7 @@
 
 <div class="lesson-page-wrapper">
     <div class="lesson-page-solution">
-        <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip_solution.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip_solution.adoc}"></div>
     </div>
 </div>
 
diff --git a/src/main/resources/lessons/securepasswords/html/SecurePasswords.html b/src/main/resources/lessons/securepasswords/html/SecurePasswords.html
index a57a21c95..fe8914202 100644
--- a/src/main/resources/lessons/securepasswords/html/SecurePasswords.html
+++ b/src/main/resources/lessons/securepasswords/html/SecurePasswords.html
@@ -3,19 +3,19 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/securepasswords/documentation/SecurePasswords_intro.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_1.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/securepasswords/documentation/SecurePasswords_1.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_2.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/securepasswords/documentation/SecurePasswords_2.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_assignment_introduction.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/securepasswords/documentation/SecurePasswords_assignment_introduction.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -39,11 +39,11 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_3.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/securepasswords/documentation/SecurePasswords_3.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_4.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/securepasswords/documentation/SecurePasswords_4.adoc}"></div>
 </div>
 
 <script>
diff --git a/src/main/resources/lessons/spoofcookie/html/SpoofCookie.html b/src/main/resources/lessons/spoofcookie/html/SpoofCookie.html
index 9077554bf..bd6130a1a 100644
--- a/src/main/resources/lessons/spoofcookie/html/SpoofCookie.html
+++ b/src/main/resources/lessons/spoofcookie/html/SpoofCookie.html
@@ -9,12 +9,12 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/spoofcookie/documentation/SpoofCookie_plan.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/spoofcookie/documentation/SpoofCookie_plan.adoc}"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/spoofcookie/documentation/SpoofCookie_content0.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/spoofcookie/documentation/SpoofCookie_content0.adoc}"></div>
 	<div class="attack-container">
 		<div class="assignment-success">
 			<i class="fa fa-2 fa-check hidden" aria-hidden="true"></i>
diff --git a/src/main/resources/lessons/spoofcookie/lessonSolutions/html/SpoofCookie.html b/src/main/resources/lessons/spoofcookie/lessonSolutions/html/SpoofCookie.html
index c2dafc5aa..86b4a3dc2 100644
--- a/src/main/resources/lessons/spoofcookie/lessonSolutions/html/SpoofCookie.html
+++ b/src/main/resources/lessons/spoofcookie/lessonSolutions/html/SpoofCookie.html
@@ -7,8 +7,8 @@
 	<div class="lesson-page-wrapper">
 		<!-- reuse this block for each 'page' of content -->
 		<!-- include content here ... will be first page/tab  multiple -->
-		<div class="adoc-content" th:replace="doc:SpoofCookie_solution.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:SpoofCookie_solution.adoc}"></div>
 	</div>
 
 
-</html>
\ No newline at end of file
+</html>
diff --git a/src/main/resources/lessons/sqlinjection/html/SqlInjection.html b/src/main/resources/lessons/sqlinjection/html/SqlInjection.html
index 529b54b56..c5eb4ba0a 100644
--- a/src/main/resources/lessons/sqlinjection/html/SqlInjection.html
+++ b/src/main/resources/lessons/sqlinjection/html/SqlInjection.html
@@ -5,12 +5,12 @@
 
 <!--Page 1-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_plan.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_plan.adoc}"></div>
 </div>
 
 <!--Page 2-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content1.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content1.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -34,7 +34,7 @@
 
 <!--Page 3-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content2.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content2.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -58,7 +58,7 @@
 
 <!--Page 4-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content3.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content3.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -82,7 +82,7 @@
 
 <!--Page 5-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content4.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content4.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -106,7 +106,7 @@
 
 <!--Page 6-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content5_before.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content5_before.adoc}"></div>
     <div>
         <label for="username-preview">Username:</label>
         <input id="preview-input" type="text" name="username" val=""/>
@@ -123,22 +123,22 @@
             });
         </script>
     </div>
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content5_after.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content5_after.adoc}"></div>
 </div>
 
 <!--Page 7-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content6.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content6.adoc}"></div>
 </div>
 
 <!--Page 8-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content7.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content7.adoc}"></div>
 </div>
 
 <!--Page 9-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content11.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content11.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -183,7 +183,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content12.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content12.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -211,7 +211,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content8.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content8.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -239,7 +239,7 @@
 
 <!--Page 10-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content9.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content9.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -267,7 +267,7 @@
 
 <!--Page 11-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc}"></div>
 
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
diff --git a/src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html b/src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html
index 040c824d9..e4bb67e23 100644
--- a/src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html
+++ b/src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html
@@ -5,17 +5,17 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjectionAdvanced_plan.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjectionAdvanced_plan.adoc}"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content6.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content6.adoc}"></div>
 </div>
 
 <!-- 3 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content6a.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content6a.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -51,10 +51,10 @@
 
 <!-- 4 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content6c.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content6c.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_challenge.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_challenge.adoc}"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge.css}"/>
     <script th:src="@{/lesson_js/challenge.js}" language="JavaScript"></script>
     <div class="attack-container">
@@ -162,7 +162,7 @@
     <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
     <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
     <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_quiz.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_quiz.adoc}"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <div class="container-fluid">
diff --git a/src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html b/src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html
index f989a1c05..cee95512b 100644
--- a/src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html
+++ b/src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html
@@ -4,23 +4,23 @@
 <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/assignments.css}"/>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content7.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content7.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content8.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content8.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content9.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content9.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content10.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content10.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_completion.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_completion.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10a">
@@ -40,7 +40,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_newcode.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_newcode.adoc}"></div>
     <div class="attack-container" style="border: none !important; height: 100%; min-height: 300px;">
         <form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10b">
             <div>
@@ -60,14 +60,14 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content11.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content11.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content12.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content12.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content12a.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content12a.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -90,7 +90,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content12b.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content12b.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -114,11 +114,11 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content13.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content13.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_order_by.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_order_by.adoc}"></div>
     <script th:src="@{/lesson_js/assignment13.js}" language="JavaScript"></script>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -191,7 +191,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content14.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_content14.adoc}"></div>
 </div>
 
 </html>
diff --git a/src/main/resources/lessons/ssrf/html/SSRF.html b/src/main/resources/lessons/ssrf/html/SSRF.html
index 39d6927c6..8cab0244e 100755
--- a/src/main/resources/lessons/ssrf/html/SSRF.html
+++ b/src/main/resources/lessons/ssrf/html/SSRF.html
@@ -3,11 +3,11 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Intro.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/ssrf/documentation/SSRF_Intro.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Task1.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/ssrf/documentation/SSRF_Task1.adoc}"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN"
@@ -29,7 +29,7 @@
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Task2.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/ssrf/documentation/SSRF_Task2.adoc}"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN"
@@ -51,6 +51,6 @@
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Prevent.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/ssrf/documentation/SSRF_Prevent.adoc}"></div>
     </div>
 </html>
diff --git a/src/main/resources/lessons/vulnerablecomponents/html/VulnerableComponents.html b/src/main/resources/lessons/vulnerablecomponents/html/VulnerableComponents.html
index a281cb8d0..7f308e85b 100644
--- a/src/main/resources/lessons/vulnerablecomponents/html/VulnerableComponents.html
+++ b/src/main/resources/lessons/vulnerablecomponents/html/VulnerableComponents.html
@@ -4,20 +4,20 @@
 
     <link rel="stylesheet" type="text/css" href="http://code.jquery.com/ui/1.9.1/themes/base/jquery-ui.css" />
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_plan.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_plan.adoc}"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content0.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content0.adoc}"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content1.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content1.adoc}"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content1a.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content1a.adoc}"></div>
 	</div>
 
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content2.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content2.adoc}"></div>
 		<div class="attack-container">
 			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
 			<div id="lessonContent">
@@ -45,7 +45,7 @@
 			</div>
 
 		</div>
-		<div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content2a.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content2a.adoc}"></div>
 		<div class="attack-container">
 			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
 			<div id="lessonContent">
@@ -75,26 +75,26 @@
 		</div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content3.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content3.adoc}"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content4.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content4.adoc}"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content4a.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content4a.adoc}"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content4b.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content4b.adoc}"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content4c.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content4c.adoc}"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content5.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content5.adoc}"></div>
 	</div>
 	
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content5a.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content5a.adoc}"></div>
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			<form class="attack-form" accept-charset="UNKNOWN"
@@ -120,7 +120,7 @@
 		</div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content6.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content6.adoc}"></div>
 	</div>
 	
 </html>
diff --git a/src/main/resources/lessons/webgoatintroduction/html/WebGoatIntroduction.html b/src/main/resources/lessons/webgoatintroduction/html/WebGoatIntroduction.html
index c1863ef98..1530b8788 100644
--- a/src/main/resources/lessons/webgoatintroduction/html/WebGoatIntroduction.html
+++ b/src/main/resources/lessons/webgoatintroduction/html/WebGoatIntroduction.html
@@ -2,7 +2,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/webgoatintroduction/documentation/Introduction.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/webgoatintroduction/documentation/Introduction.adoc}"></div>
 </div>
 
 </html>
diff --git a/src/main/resources/lessons/webwolfintroduction/html/WebWolfIntroduction.html b/src/main/resources/lessons/webwolfintroduction/html/WebWolfIntroduction.html
index 64784bc2c..138439953 100644
--- a/src/main/resources/lessons/webwolfintroduction/html/WebWolfIntroduction.html
+++ b/src/main/resources/lessons/webwolfintroduction/html/WebWolfIntroduction.html
@@ -2,15 +2,15 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/webwolfintroduction/documentation/IntroductionWebWolf.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/webwolfintroduction/documentation/IntroductionWebWolf.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/webwolfintroduction/documentation/Uploading_files.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/webwolfintroduction/documentation/Uploading_files.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/webwolfintroduction/documentation/Receiving_mail.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/webwolfintroduction/documentation/Receiving_mail.adoc}"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -66,7 +66,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/webwolfintroduction/documentation/Landing_page.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/webwolfintroduction/documentation/Landing_page.adoc}"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
diff --git a/src/main/resources/lessons/xss/html/CrossSiteScripting.html b/src/main/resources/lessons/xss/html/CrossSiteScripting.html
index 62c7b0bae..4a25b4e2e 100644
--- a/src/main/resources/lessons/xss/html/CrossSiteScripting.html
+++ b/src/main/resources/lessons/xss/html/CrossSiteScripting.html
@@ -3,11 +3,11 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_plan.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_plan.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content1.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content1.adoc}"></div>
 	<div class="attack-container">
 		<div id="lessonContent">
 			<form class="attack-form" accept-charset="UNKNOWN"
@@ -28,20 +28,20 @@
 	</div>
 </div>
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content2.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content2.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content3.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content3.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content4.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content4.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content5.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content5.adoc}"></div>
 	<img align="middle" th:src="@{/images/Reflected-XSS.png}" />
 </div>
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content5a.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content5a.adoc}"></div>
 	<div class="attack-container">
 		<div id="lessonContent">
 			<form class="attack-form" accept-charset="UNKNOWN"
@@ -119,16 +119,16 @@
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content5b.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content5b.adoc}"></div>
 
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content6.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content6.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content6a.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content6a.adoc}"></div>
 	<div class="attack-container">
 		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 		<form class="attack-form" accept-charset="UNKNOWN"
@@ -143,7 +143,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content6b.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content6b.adoc}"></div>
 	<div class="attack-container">
 		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 		<form class="attack-form" accept-charset="UNKNOWN"
@@ -162,7 +162,7 @@
 	<link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
 	<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
 	<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_quiz.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_quiz.adoc}"></div>
 	<div class="attack-container">
 		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 		<div class="container-fluid">
diff --git a/src/main/resources/lessons/xss/html/CrossSiteScriptingMitigation.html b/src/main/resources/lessons/xss/html/CrossSiteScriptingMitigation.html
index 6d75d6541..97fbbb2a6 100644
--- a/src/main/resources/lessons/xss/html/CrossSiteScriptingMitigation.html
+++ b/src/main/resources/lessons/xss/html/CrossSiteScriptingMitigation.html
@@ -3,23 +3,23 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScriptingMitigation_plan.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScriptingMitigation_plan.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content8.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content8.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content8a.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content8a.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content9.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content9.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content8b.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content8b.adoc}"></div>
 	<div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
 		<form id="codesubmit" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack3">
 			<div>
@@ -39,7 +39,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content8c.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content8c.adoc}"></div>
 	<div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
 		<form id="codesubmit2" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack4">
 			<div>
diff --git a/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html b/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
index 4228ba985..439dd73dc 100644
--- a/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
+++ b/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
@@ -3,16 +3,16 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScriptingStored_plan.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScriptingStored_plan.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content7.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content7.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
 
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content7b.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content7b.adoc}"></div>
 
 	<!-- comment area -->
 	<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/stored-xss.css}"/>
@@ -59,7 +59,7 @@
 	</div>
 	<!-- end comments -->
 
-	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content7c.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content7c.adoc}"></div>
 
 	<div class="attack-container">
 		<!-- this will be where they can store the additional comment -->
diff --git a/src/main/resources/lessons/xxe/html/XXE.html b/src/main/resources/lessons/xxe/html/XXE.html
index 1360874a8..ac8cc47ec 100644
--- a/src/main/resources/lessons/xxe/html/XXE.html
+++ b/src/main/resources/lessons/xxe/html/XXE.html
@@ -5,19 +5,19 @@
 <body>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_plan.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_plan.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_intro.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_simple_introduction.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_simple_introduction.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_simple.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_simple.adoc}"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/xxe.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -77,16 +77,16 @@
 
 <div class="lesson-page-wrapper">
     <div class="lesson-page-solution">
-        <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_simple_solution.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_simple_solution.adoc}"></div>
     </div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_code.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_code.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_changing_content_type.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_changing_content_type.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -144,20 +144,20 @@
 
 <div class="lesson-page-wrapper">
     <div class="lesson-page-solution">
-        <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_changing_content_type_solution.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_changing_content_type_solution.adoc}"></div>
     </div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_overflow.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_overflow.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_blind.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_blind.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_blind_assignment.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_blind_assignment.adoc}"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -215,11 +215,11 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_mitigation.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_mitigation.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_static_code_analysis.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/xxe/documentation/XXE_static_code_analysis.adoc}"></div>
     <br/>
     <a id="submitlink" class="btn btn-primary" href="" onclick="javascript:$('#patchbutton').load('/WebGoat/service/enable-security.mvc');return false;"><span id="patchbutton">Apply XXE security patch</span></a>
 </div>
diff --git a/src/main/resources/webgoat/templates/lesson_content.html b/src/main/resources/webgoat/templates/lesson_content.html
index cecb98d27..504bfcbef 100644
--- a/src/main/resources/webgoat/templates/lesson_content.html
+++ b/src/main/resources/webgoat/templates/lesson_content.html
@@ -8,6 +8,6 @@
 <div id="message" class="info" th:utext="${message}"></div>
 <br/>
 
-<div th:replace="lesson:__'lessons/' + ${lesson.package} + '/html/' + ${lesson.id} + '.html'__"></div>
+<div th:replace="~{lesson:__'lessons/' + ${lesson.package} + '/html/' + ${lesson.id} + '.html'__}"></div>
 
 </html>
diff --git a/src/main/resources/webgoat/templates/main_new.html b/src/main/resources/webgoat/templates/main_new.html
index 7a0f1d3b9..53d4fec00 100644
--- a/src/main/resources/webgoat/templates/main_new.html
+++ b/src/main/resources/webgoat/templates/main_new.html
@@ -229,7 +229,7 @@
 <!-- About WebGoat Modal -->
 <div class="modal" id="about-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
     <div class="modal-dialog modal-lg">
-        <div class="modal-content" th:replace="about :: about"></div>
+        <div class="modal-content" th:replace="~{about :: about}"></div>
     </div>
 </div>
 </body>
diff --git a/src/main/resources/webwolf/templates/error.html b/src/main/resources/webwolf/templates/error.html
index 8cd79f5f5..851f53158 100644
--- a/src/main/resources/webwolf/templates/error.html
+++ b/src/main/resources/webwolf/templates/error.html
@@ -3,12 +3,12 @@
       xmlns:th="http://www.thymeleaf.org">
 <head>
     <title>WebWolf</title>
-    <div th:replace="fragments/header :: header-css"/>
+    <div th:replace="~{fragments/header :: header-css}"/>
 </head>
 <body>
 
 
-<div th:replace="fragments/header :: header"/>
+<div th:replace="~{fragments/header :: header}"/>
 
 <div class="container">
 
@@ -36,7 +36,7 @@
 	</div>
 <!-- /.container -->
 
-<div th:replace="fragments/footer :: footer"/>
+<div th:replace="~{fragments/footer :: footer}"/>
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/main/resources/webwolf/templates/files.html b/src/main/resources/webwolf/templates/files.html
index 5ba247373..a34f6808a 100644
--- a/src/main/resources/webwolf/templates/files.html
+++ b/src/main/resources/webwolf/templates/files.html
@@ -1,11 +1,11 @@
 <!DOCTYPE HTML>
 <html xmlns:th="http://www.thymeleaf.org">
 <head>
-    <div th:replace="fragments/header :: header-css"/>
+    <div th:replace="~{fragments/header :: header-css}"/>
 </head>
 <body>
 
-<div th:replace="fragments/header :: header"/>
+<div th:replace="~{fragments/header :: header}"/>
 
 <script type="text/javascript" th:src="@{/js/fileUpload.js}"></script>
 
diff --git a/src/main/resources/webwolf/templates/fragments/footer.html b/src/main/resources/webwolf/templates/fragments/footer.html
index 44523a297..34a3d18fa 100644
--- a/src/main/resources/webwolf/templates/fragments/footer.html
+++ b/src/main/resources/webwolf/templates/fragments/footer.html
@@ -3,11 +3,11 @@
 <head>
 </head>
 <body>
-<div th:fragment="footer">
+<div th:fragment="~{footer}">
 
     <div class="container">
         <footer>
-            © 2022 WebGoat - Use WebWolf at your own risk
+            © 2017 - 2023 WebGoat - Use WebWolf at your own risk
         </footer>
     </div>
 
diff --git a/src/main/resources/webwolf/templates/home.html b/src/main/resources/webwolf/templates/home.html
index 2d7007564..0d8d9d867 100644
--- a/src/main/resources/webwolf/templates/home.html
+++ b/src/main/resources/webwolf/templates/home.html
@@ -1,11 +1,11 @@
 <!DOCTYPE HTML>
 <html xmlns:th="http://www.thymeleaf.org">
 <head>
-    <div th:replace="fragments/header :: header-css"/>
+    <div th:replace="~{fragments/header :: header-css}"/>
 </head>
 <body>
 
-<div th:replace="fragments/header :: header"/>
+<div th:replace="~{fragments/header :: header}"/>
 
 <div class="container">
 
@@ -31,7 +31,7 @@
 </div>
 <!-- /.container -->
 
-<div th:replace="fragments/footer :: footer"/>
+<div th:replace="~{fragments/footer :: footer}"/>
 
 </body>
 </html>
diff --git a/src/main/resources/webwolf/templates/jwt.html b/src/main/resources/webwolf/templates/jwt.html
index a9b19c4d7..9812b14d8 100644
--- a/src/main/resources/webwolf/templates/jwt.html
+++ b/src/main/resources/webwolf/templates/jwt.html
@@ -1,11 +1,11 @@
 <!DOCTYPE HTML>
 <html xmlns:th="http://www.thymeleaf.org">
 <head>
-    <div th:replace="fragments/header :: header-css"/>
+    <div th:replace="~{fragments/header :: header-css}"/>
 </head>
 <body>
 
-<div th:replace="fragments/header :: header"/>
+<div th:replace="~{fragments/header :: header}"/>
 
 <script type="text/javascript" th:src="@{/js/jwt.js}"></script>
 
@@ -67,4 +67,4 @@
 
 </div>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/main/resources/webwolf/templates/mailbox.html b/src/main/resources/webwolf/templates/mailbox.html
index 8a78d9697..e10452124 100644
--- a/src/main/resources/webwolf/templates/mailbox.html
+++ b/src/main/resources/webwolf/templates/mailbox.html
@@ -2,11 +2,11 @@
 <html xmlns:th="http://www.thymeleaf.org">
 <head>
     <title>WebWolf</title>
-    <div th:replace="fragments/header :: header-css"/>
+    <div th:replace="~{fragments/header :: header-css}"/>
 </head>
 <body>
 
-<div th:replace="fragments/header :: header"/>
+<div th:replace="~{fragments/header :: header}"/>
 
 <script type="text/javascript" th:src="@{/js/mail.js}"></script>
 
@@ -147,4 +147,4 @@
 
 </div>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/main/resources/webwolf/templates/registration.html b/src/main/resources/webwolf/templates/registration.html
index 2c4d06a2a..5bbb44563 100644
--- a/src/main/resources/webwolf/templates/registration.html
+++ b/src/main/resources/webwolf/templates/registration.html
@@ -1,11 +1,11 @@
 <!DOCTYPE HTML>
 <html xmlns:th="http://www.thymeleaf.org">
 <head>
-    <div th:replace="fragments/header :: header-css"/>
+    <div th:replace="~{fragments/header :: header-css}"/>
 </head>
 <body>
 
-<div th:replace="fragments/header :: header"/>
+<div th:replace="~{fragments/header :: header}"/>
 
 <div class="container">
 
@@ -86,4 +86,4 @@
 
 </div>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/main/resources/webwolf/templates/requests.html b/src/main/resources/webwolf/templates/requests.html
index 2b982f88b..333f1faf3 100644
--- a/src/main/resources/webwolf/templates/requests.html
+++ b/src/main/resources/webwolf/templates/requests.html
@@ -1,11 +1,11 @@
 <!DOCTYPE HTML>
 <html xmlns:th="http://www.thymeleaf.org">
 <head>
-    <div th:replace="fragments/header :: header-css"/>
+    <div th:replace="~{fragments/header :: header-css}"/>
 </head>
 <body>
 
-<div th:replace="fragments/header :: header"/>
+<div th:replace="~{fragments/header :: header}"/>
 
 <script type="text/javascript" th:src="@{js/fileUpload.js}"></script>
 
@@ -53,4 +53,4 @@
 
 </div>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/main/resources/webwolf/templates/webwolf-login.html b/src/main/resources/webwolf/templates/webwolf-login.html
index e41189a16..b586027c6 100644
--- a/src/main/resources/webwolf/templates/webwolf-login.html
+++ b/src/main/resources/webwolf/templates/webwolf-login.html
@@ -4,11 +4,11 @@
 <head>
     <title>WebWolf</title>
     <link rel="icon" href="/css/img/favicon.ico"/>
-    <div th:replace="fragments/header :: header-css"/>
+    <div th:replace="~{fragments/header :: header-css}"/>
 </head>
 <body>
 
-<div th:replace="fragments/header :: header"/>
+<div th:replace="~{fragments/header :: header}"/>
 
 <div class="container">
 
@@ -45,7 +45,6 @@
                         <div class="col-xs-6 col-sm-6 col-md-6">
                         </div>
                     </div>
-                    <!--<div><b><a th:href="@{/registration}" th:text="#{register.new}"></a></b></div>-->
                 </fieldset>
             </form>
         </div>
@@ -53,7 +52,7 @@
 
 </div>
 
-<div th:replace="fragments/footer :: footer"/>
+<div th:replace="~{fragments/footer :: footer}"/>
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java b/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java
index 6d7ec5ed2..6466f83ed 100644
--- a/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java
+++ b/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java
@@ -2,10 +2,10 @@ package org.owasp.webgoat.container.plugins;
 
 import static org.mockito.Mockito.when;
 
+import jakarta.annotation.PostConstruct;
 import java.util.List;
 import java.util.Locale;
 import java.util.function.Function;
-import javax.annotation.PostConstruct;
 import org.flywaydb.core.Flyway;
 import org.junit.jupiter.api.BeforeEach;
 import org.owasp.webgoat.container.WebGoat;
diff --git a/src/test/java/org/owasp/webgoat/lessons/csrf/CSRFFeedbackTest.java b/src/test/java/org/owasp/webgoat/lessons/csrf/CSRFFeedbackTest.java
index fdc1d5cb3..43b54eae4 100644
--- a/src/test/java/org/owasp/webgoat/lessons/csrf/CSRFFeedbackTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/csrf/CSRFFeedbackTest.java
@@ -28,7 +28,7 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilder
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-import javax.servlet.http.Cookie;
+import jakarta.servlet.http.Cookie;
 import org.hamcrest.core.StringContains;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java
index c005b411b..c5f05d4d5 100644
--- a/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java
@@ -30,7 +30,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
-import javax.servlet.http.Cookie;
+import jakarta.servlet.http.Cookie;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java
index 2d7b4c8d5..8d82261f2 100644
--- a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java
@@ -34,8 +34,8 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 import com.fasterxml.jackson.databind.ObjectMapper;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwts;
+import jakarta.servlet.http.Cookie;
 import java.util.Map;
-import javax.servlet.http.Cookie;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -250,7 +250,7 @@ public class JWTVotesEndpointTest extends LessonTest {
 
     mockMvc
         .perform(
-            MockMvcRequestBuilders.get("/JWT/votings/").cookie(new Cookie("access_token", token)))
+            MockMvcRequestBuilders.get("/JWT/votings").cookie(new Cookie("access_token", token)))
         .andExpect(status().isOk())
         .andExpect(jsonPath("$[0].numberOfVotes").doesNotExist())
         .andExpect(jsonPath("$[0].votingAllowed").doesNotExist())
diff --git a/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
index 80cad9d0e..9d5e7055e 100644
--- a/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
@@ -30,8 +30,8 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
+import jakarta.servlet.http.Cookie;
 import java.util.stream.Stream;
-import javax.servlet.http.Cookie;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
diff --git a/src/test/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignmentTest.java
index 698755855..9a9319e24 100644
--- a/src/test/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignmentTest.java
@@ -78,13 +78,7 @@ class BlindSendFileAssignmentTest extends LessonTest {
         .andExpect(
             jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
         .andExpect(
-            jsonPath(
-                "$.output",
-                CoreMatchers.startsWith(
-                    "javax.xml.bind.UnmarshalException\\n"
-                        + " - with linked exception:\\n"
-                        + "[javax.xml.stream.XMLStreamException: ParseError at [row,col]:[1,22]\\n"
-                        + "Message:")));
+            jsonPath("$.output", CoreMatchers.startsWith("jakarta.xml.bind.UnmarshalException")));
   }
 
   @Test
diff --git a/src/test/java/org/owasp/webgoat/lessons/xxe/SimpleXXETest.java b/src/test/java/org/owasp/webgoat/lessons/xxe/SimpleXXETest.java
index 1900d16bd..f9454cf4f 100644
--- a/src/test/java/org/owasp/webgoat/lessons/xxe/SimpleXXETest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xxe/SimpleXXETest.java
@@ -87,15 +87,12 @@ public class SimpleXXETest extends LessonTest {
   }
 
   @Test
-  public void postingPlainTextShouldShwoException() throws Exception {
+  public void postingPlainTextShouldThrowException() throws Exception {
     mockMvc
         .perform(MockMvcRequestBuilders.post("/xxe/simple").content("test"))
         .andExpect(status().isOk())
         .andExpect(
-            jsonPath(
-                "$.output",
-                CoreMatchers.startsWith(
-                    "javax.xml.bind.UnmarshalException\\n - with linked exception")))
+            jsonPath("$.output", CoreMatchers.startsWith("jakarta.xml.bind.UnmarshalException")))
         .andExpect(
             jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
   }
diff --git a/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxControllerTest.java b/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxControllerTest.java
index aa0c3c5de..d83f620d2 100644
--- a/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxControllerTest.java
+++ b/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxControllerTest.java
@@ -24,6 +24,7 @@ package org.owasp.webgoat.webwolf.mailbox;
 
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.not;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
@@ -38,15 +39,18 @@ import java.time.format.DateTimeFormatter;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
+import org.owasp.webgoat.webwolf.WebSecurityConfig;
 import org.owasp.webgoat.webwolf.user.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.context.annotation.Import;
 import org.springframework.http.MediaType;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.web.servlet.MockMvc;
 
 @WebMvcTest(MailboxController.class)
+@Import(WebSecurityConfig.class)
 public class MailboxControllerTest {
 
   @Autowired private MockMvc mvc;
@@ -63,7 +67,6 @@ public class MailboxControllerTest {
   }
 
   @Test
-  @WithMockUser
   public void sendingMailShouldStoreIt() throws Exception {
     Email email =
         Email.builder()
@@ -76,6 +79,7 @@ public class MailboxControllerTest {
     this.mvc
         .perform(
             post("/mail")
+                .with(csrf())
                 .contentType(MediaType.APPLICATION_JSON)
                 .content(objectMapper.writeValueAsBytes(email)))
         .andExpect(status().isCreated());