From 4bbe225141fac63ca98c65b6f1233571c2f83378 Mon Sep 17 00:00:00 2001 
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Mon, 21 Jul 2025 16:18:42 -0600 Subject: [PATCH 01/21] Add X.509 + Form Login MFA Sample --- .../mfa/x509+formLogin/README.adoc | 71 ++++++ .../mfa/x509+formLogin/build.gradle | 31 +++ .../mfa/x509+formLogin/etc/add-to-keystore | 44 ++++ .../mfa/x509+formLogin/etc/add-to-truststore | 38 +++ .../mfa/x509+formLogin/etc/api-keystore.p12 | Bin 0 -> 4338 bytes .../mfa/x509+formLogin/etc/api-truststore.p12 | Bin 0 -> 3062 bytes .../mfa/x509+formLogin/etc/ca.crt | 30 +++ .../mfa/x509+formLogin/etc/ca.key | 52 ++++ .../mfa/x509+formLogin/etc/ca.pem | 30 +++ .../mfa/x509+formLogin/etc/ca.srl | 1 + .../mfa/x509+formLogin/etc/generate-ca | 21 ++ .../mfa/x509+formLogin/etc/generate-cert | 52 ++++ .../mfa/x509+formLogin/etc/generate-stores | 56 ++++ .../mfa/x509+formLogin/etc/josh-keystore.p12 | Bin 0 -> 4340 bytes .../x509+formLogin/etc/josh-truststore.p12 | Bin 0 -> 3062 bytes .../mfa/x509+formLogin/gradle.properties | 4 + .../x509+formLogin/gradle/libs.versions.toml | 1 + .../gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 60756 bytes .../gradle/wrapper/gradle-wrapper.properties | 5 + .../authentication/mfa/x509+formLogin/gradlew | 240 ++++++++++++++++++ .../mfa/x509+formLogin/gradlew.bat | 91 +++++++ .../mfa/x509+formLogin/settings.gradle | 8 + .../src/main/java/example/MfaApplication.java | 41 +++ .../src/main/java/example/SecurityConfig.java | 58 +++++ .../src/main/resources/api-keystore.p12 | 1 + .../src/main/resources/api-truststore.p12 | 1 + .../src/main/resources/application.properties | 12 + .../main/resources/static/css/default-ui.css | 172 +++++++++++++ .../src/main/resources/templates/index.html | 9 + .../src/main/resources/templates/login.html | 29 +++ .../java/example/MfaApplicationTests.java | 190 ++++++++++++++ settings.gradle | 1 + 32 files changed, 1289 insertions(+) create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/README.adoc create mode 100644 
servlet/spring-boot/java/authentication/mfa/x509+formLogin/build.gradle create mode 100755 servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/add-to-keystore create mode 100755 servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/add-to-truststore create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/api-keystore.p12 create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/api-truststore.p12 create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/ca.crt create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/ca.key create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/ca.pem create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/ca.srl create mode 100755 servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/generate-ca create mode 100755 servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/generate-cert create mode 100755 servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/generate-stores create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/josh-keystore.p12 create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/josh-truststore.p12 create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle.properties create mode 120000 servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle/libs.versions.toml create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle/wrapper/gradle-wrapper.jar create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle/wrapper/gradle-wrapper.properties create mode 100755 servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradlew create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradlew.bat create mode 100644 
servlet/spring-boot/java/authentication/mfa/x509+formLogin/settings.gradle create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/MfaApplication.java create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java create mode 120000 servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/api-keystore.p12 create mode 120000 servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/api-truststore.p12 create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/application.properties create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/static/css/default-ui.css create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/templates/index.html create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/templates/login.html create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/test/java/example/MfaApplicationTests.java diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/README.adoc b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/README.adoc new file mode 100644 index 000000000..5e5ca4d81 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/README.adoc 
@@ -0,0 +1,71 @@
+= X.509 + Form Login MFA Sample
+
+This sample demonstrates configuring Spring Security to require both an X.509 Certificate and a Username/Password Login in order to enter the site with full permissions.
+
+== Preparing to Use X.509
+
+This sample is intended to be used in a browser.
+As such, you should:
+
+1. Configure your browser to trust the `ca.crt` that accompanies this project
+2. Configure your browser with the `josh-keystore.p12` client certificate
+
+Both `api-keystore.p12` and `josh-keystore.p12` use keys signed by `ca.crt`.
+This means that after the above steps are performed, you can also use this application without getting a security warning in your browser.
+
+== Using the Sample
+
+To run, please use:
+
+.Java
+[source,java,role="primary"]
+----
+./gradlew :bootRun
+----
+
+This will start an application on 8443, meaning you will need to reach it using HTTPS.
+
+You can reach the website at https://api.127.0.0.1.nip.io:8443.
+If that isn't working for you, please try https://localhost:8443.
+
+With the client certificate (`josh-keystore.p12`) correctly installed in the browser, it will ask you which client certificate you want to you.
+Select `josh`.
+
+You will then be redirected to the login page where you can use `josh/password` as the username and password.
+
+== Exploring the Sample
+
+The key configuration is found in the `HttpSecurity` DSL:
+
+.Java
+[source,java,role="primary"]
+----
+http
+ .x509((x509) -> x509.grants("form:read"))
+ .formLogin((form) -> form.needs("form:read").authenticates())
+----
+
+This reads, "X.509 grants the authority to go to the login page, Form Login grants the authority to fully log in".
+
+There is no inherent meaning in the authority names.
+So, you can also do:
+
+.Java
+[source,java,role="primary"]
+----
+http
+ .x509((x509) -> x509.grants("form:authenticate"))
+ .formLogin((form) -> form.needs("from:authenticate").authenticates())
+----
+
+You can instead try another arrangement like the following:
+
+.Java
+[source,java,role="primary"]
+----
+http
+ .x509((x509) -> x509.grants("ott:read"))
+ .oneTimeTokenLogin((ott) -> ott.needs("ott:read").authenticates())
+----
+
+Once `oneTimeTokenLogin` is correctly configured and once a client certificate is accepted, the application will generate a token and send it to the configured destination to continue with the login process.
\ No newline at end of file
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/build.gradle b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/build.gradle
new file mode 100644
index 000000000..5352be8d5
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/build.gradle
@@ -0,0 +1,31 @@
+plugins {
+ alias(libs.plugins.io.spring.dependency.management)
+ alias(libs.plugins.org.springframework.boot)
+ id "nebula.integtest" version "8.2.0"
+ id 'java'
+}
+
+repositories {
+ mavenLocal()
+ mavenCentral()
+ maven { url "https://repo.spring.io/milestone" }
+ maven { url "https://repo.spring.io/snapshot" }
+}
+
+
+dependencies {
+ implementation 'org.springframework.boot:spring-boot-starter-security'
+ implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
+ implementation 'org.springframework.boot:spring-boot-starter-web'
+ implementation 'org.springframework.security:spring-security-crypto'
+
+ implementation 'com.j256.two-factor-auth:two-factor-auth:1.3'
+
+ testImplementation 'org.springframework.boot:spring-boot-starter-test'
+ testImplementation 'org.springframework.security:spring-security-test'
+}
+
+tasks.withType(Test).configureEach {
+ useJUnitPlatform()
+
+}
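Review bot: The repositories block lists `mavenLocal()` ahead of `mavenCentral()` and adds the Spring snapshot repository, while the `gradle.properties` in this same patch pins `spring-security.version=7.0.0-SNAPSHOT`; together that means a locally published artifact or a moving snapshot silently wins over a released coordinate, so the sample's dependency set is neither reproducible nor auditable from the build file alone. If the snapshot is only needed until 7.0 is released, a comment such as `// TODO: drop the snapshot repository and pin a released spring-security.version once 7.0.0 ships` would record that intent. `implementation 'com.j256.two-factor-auth:two-factor-auth:1.3'` is also not referenced by anything visible in this patch (the README describes X.509 plus form login only); if the Java sources do not use it, remove it so the sample does not put an unneeded third-party library on the classpath.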
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/add-to-keystore b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/add-to-keystore
new file mode 100755
index 000000000..cb133de05
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/add-to-keystore
@@ -0,0 +1,44 @@
+#!/bin/bash
+set -euo pipefail
+
+KEYSTORE="${1:-}"
+if [[ -z "$KEYSTORE" ]]; then
+ echo "Usage: $0 " >&2
+ exit 1
+fi
+
+PASSWORD="password"
+
+# Set up temp workspace
+WORKDIR=$(mktemp -d)
+trap "rm -rf $WORKDIR" EXIT
+
+# Read input tar archive from stdin
+tar -C "$WORKDIR" -xf -
+
+ALIAS=$(cat "$WORKDIR/alias")
+CERT="$WORKDIR/cert.pem"
+KEY="$WORKDIR/key.pem"
+CHAIN="$WORKDIR/chain.pem"
+
+# Convert to PKCS#12 bundle
+PKCS12="$WORKDIR/temp.p12"
+openssl pkcs12 -export \
+ -inkey "$KEY" \
+ -in "$CERT" \
+ -certfile "$CHAIN" \
+ -name "$ALIAS" \
+ -out "$PKCS12" \
+ -passout pass:$PASSWORD
+
+# If alias exists, delete it
+if [[ -f "$KEYSTORE" ]]; then
+ keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" \
+ -storepass "$PASSWORD" -storetype PKCS12 || true
+fi
+
+# Import new entry
+keytool -importkeystore \
+ -destkeystore "$KEYSTORE" -deststoretype PKCS12 -deststorepass "$PASSWORD" \
+ -srckeystore "$PKCS12" -srcstoretype PKCS12 -srcstorepass "$PASSWORD" \
+ -alias "$ALIAS"
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/add-to-truststore b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/add-to-truststore
new file mode 100755
index 000000000..0f7393074
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/add-to-truststore
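Review bot: The files extracted from the stdin tarball are used without checking that they exist, so a bundle missing `alias`, `cert.pem`, `key.pem` or `chain.pem` fails under `set -e` with an unhelpful `cat` or `openssl` error instead of a clear message; the same applies to `alias` and `ca.pem` in add-to-truststore. A guard right after the `tar` line, e.g. `for f in alias cert.pem key.pem chain.pem; do [[ -f "$WORKDIR/$f" ]] || { echo "bundle is missing $f" >&2; exit 1; }; done`, makes the failure explicit. The `keytool -delete … || true` also masks every keytool failure, including a wrong store password, not just a missing alias; that is tolerable only because the following `-importkeystore` fails on the same condition, and a comment saying so would help the next reader. Note as well that `-passout pass:$PASSWORD` puts the store password in the process argument list; with the fixed sample value `password` this is harmless, but it matters if the script is reused with a real store password.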
@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+
+TRUSTSTORE="${1:-}"
+if [[ -z "$TRUSTSTORE" ]]; then
+ echo "Usage: $0 " >&2
+ exit 1
+fi
+
+PASSWORD="password"
+
+# Temp workspace
+WORKDIR=$(mktemp -d)
+trap "rm -rf $WORKDIR" EXIT
+
+# Extract from tar input
+tar -C "$WORKDIR" -xf -
+
+ALIAS=$(cat "$WORKDIR/alias")
+CA_CERT="$WORKDIR/ca.pem"
+DER_CERT="$WORKDIR/ca.der"
+
+# Convert to DER format for keytool
+openssl x509 -in "$CA_CERT" -outform DER -out "$DER_CERT"
+
+# If alias exists, delete
+if [[ -f "$TRUSTSTORE" ]]; then
+ keytool -delete -alias "$ALIAS" -keystore "$TRUSTSTORE" \
+ -storepass "$PASSWORD" -storetype PKCS12 || true
+fi
+
+# Import into truststore
+keytool -importcert -noprompt \
+ -alias "$ALIAS" \
+ -file "$DER_CERT" \
+ -keystore "$TRUSTSTORE" \
+ -storetype PKCS12 \
+ -storepass "$PASSWORD"
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/api-keystore.p12 b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/api-keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..b36b72752d6f329c6028eff8862a02ad781913ec GIT binary patch literal 4338 zcma)=WmFW5v&PwFsijLmdWn@@aw$O?mj;Gl4@4Glq%(TN1%|KvWk( z8*b8>Yi6J0vL7ALQl&q2GPVQ)p=3Y+3ycUC|Gzf^32?ArjJO1rF{%JtY!HAOM0U~K zGis2~q5e);=&a);d>(`XjVOJHaaAVCiU}S#uKVgYLj*c0k*gmETMkH%UnU|k{z_wj zS5oOPSZgX{SQUfe!a-I?>Du9>(vJc+zkX0k_I9ZeM+_ z9qoAP#N>l!K5cuLHzsYzfaYxg1wULG+X0%+mMW1Dt)RE?(}D zG#Lu^;jd*6oR7=5^BtPCIM$3FwJDV*ED#NnUL$b#OteSZIOkxtbKU6LtdOY~^xLU4 z?DHkR{w8!c(adx-*HkV8&27h&R)r$%rV$}(g(U;W4PU_8OlF#%`ZWI-x+%I$JQXISOZST zUzmeilYY(`t=rxC-hjMKaTOH5;u)6qhTprU0-b}4;-4x|A))PoxF^WG&um1Lp{{h{ z>sHIGuGw@XxLhH<^rQKclOg=G+>eRPt1~FMpd&_uR@Svi9VEV1({%WTek}BZl4Z3E ziFILl(*6t+#}3CQhX-sd4_*=)Kxz)JfMw^^HfwWovj%6|GqrZ4e#?8>tKOaQ!p^#h zF!P+7!`A}=4gql&gpt9nOKjUoI1cN{tTmFreJ3Ra{QY12lS2hXl9}nrXDJj17Sm-B zA>x{+I1Q0OsG_MhB}8DComuq5mcCn6k>Xf(u^u!(r|Qn8xOr{Cuukj#P|v9U6}6Sw z$#U~Rg11&86&8dHF;lKc>=%QU*cg=w5CV*Ey~NMTeg=BVDy^Lk_Z#4(c^eUQD&=Fw z7s0m1l|H|zO8e)4HeLvC92+F5VLqv%_1*3=-qc5HeZif5UQY!=V9dEWpqe4Wlxm2G zZQBsk>Ph06MTD5N3l+i7exYFr854K{ig2FY)9 z6atolUx;uN_z8;Q4F7sfqX(IjiS-!aOR|rSZYhK(d?V;9+lob;P`^e7udPncKg1p# zxg13>$Tr4i7O5OZs}^GH3kcl1Z0AfAIwW6CZatbv(lV}qSr4n|)ur&Y2k@_}Cc3oa zD1}cPH&BGIA29n>{#i+xH~ZLT2itwKvEYMF4&qc8d#^dG^BvA-!G;Bmpu%OziIVL$ zDiUeIRVr?A;C+!WRxLod{sd&J}6MZAj z2aVDF**lI|7rHTrXk7cjGt_^@HCu^T^_#>M^A_$LrVAD4|&d4AgrO% z?XONl%na*&1{9zJmTz5rx4jV*P7HnR zGzGzcnX-y6JXYdRRK~P)diY{Hm{+9u{oYz=q)z=pUy89CO6?{%#R$aSUXr-zeyxH` zClhEWWauF3)`-93vWUr~`|i^4&04G$@-B;$_x%eYo>?^YMkdV^Kl|7$&?P9+7uiFe zXvl`C1+zCE7F2oXKzY)`R@w!wf34M2fcY%&wLBQfnf>ATx_OZz<}M}F$e_?dfl%8| z`7Iu6lz4h6LY!}G$Qm}jwDL@GK>Yg_^gR#g#x$0DfklFF%hLLdgl6Ubhv$?%Q^uk0 zQn8N5Gs19Q#fd}4x>GaK88Jhdm z#bCTG!vzhmPfhj;#nP36fE>=+35)8l^ztFHGtsH^!@ytu(cUC>w2oI~4-5(LDMH*w z3NkI7Mf-@_V9<_ommJb@tW$A`y97fYOD^oF=GPd;4sIqki52`9F^v+nCy8gDSpWj` 
zg}51KDU{Us6|C=mN;zoZ#gm;A&xS>1PRtj$A9`oHFQw*B9ICs%F-*^3jB)`YkyDeL zP;$-mQ|WU{zpYOh;UrnuCL!V=+xmykZY*fkNW~ZzdsAt^w>>4>zn@~TAT}B*x*CtW zXp?>Tx|C8Uf~mY9i@*}!)NOVlF}GMY4(qS9?fl4&S)66?_^4hGO12q?Fy;$%V&EOt z^sDfLo?E+`wi`!N3Dtge0}@eF+UNYTmHp28w4E&@lgM`y-HkQ8yN};vo6&pVHEwxU zJ;W5$%M~7sSvQyoyXJn+1wS4{Iv9#ctj^V2pZ8Vf`KYowDGCSl04%_VRF#aPrMy*( zcv?sB`4XpB&OQ7MLSE$oqicPw4=zND$eN9M#6`f1mqrXY1jbh+d*`3y(Jper{G6vUbFw^x>7} zI|$s(?&YrfONTH0aM4zhm~_<__FM4nCJCcpPGwO6Xbx|YpqyH>AxWxH;U^+pr+oRr zQ?Y`FTg6XZwf^+X*k>JY-D&0baIZU^my!wy2I@4=lu@@_hS?L*oW=`l3au^GynCcsaD5gwEegF1!j_2`e774jrf| z71|aUnEQg#ZL0JDJ}`Wsv}xn#4I*-u`O0+je5-PSet$Jl{K+lyCv&fF6^|pF zfx4UEoT;jN!f7B9z=kGmt;5yln>^C%3|2N9f9c9RwQ3Ml&uV#wXXE2=Da<10se#T} z4>d+_lwL*iF>I$u_#HiRBO2eiypzDO38zrS8TCRt54E)|uJ_0QoM$x;-TB7f?BP)x z2_Gncd^Uu_eDU0HV3ZFUs9~fNR{34Q;S0&J*%`dCg5jIdeDsLDjxV6b!l)Hi&O-)T z#x%0EpXYS?WaI;ZVi<}a0`&`mn(jo4=C3^)YoCe^75ez3^4Y&_cUnE^Ys2EeDP{tC zSJG)O49VhAd(^e`J$N)CswA)q|IH!M`^8mz4v;!%b^Qi&6Kh_{=Rd!+mErj|;rA5j zTJhmDi?$TB@cp;Uw-M4~NnF#q;*Uy8-e#73>F4d{HF~ zODG}>OPu_DL{k^y_F?s^s%|fG-dr(iy10)f+vf9RZn@ZzWDmMH$ErW2<-rvehia8& zmk!aW2Xy632J7wha6+uHANwR%ce$9ZV2jj8^f6(@BvQI{O!#BU9-<`%U{kPryR`|G05?WvRa>i=%sy||2ANEYO7ueP<bzun8Pr-aiwT)H6qTaaQ%*PaQU6b+Xtq> zn7IlNhH~y-c4bY#Nj_O8Xe>y@$DHTbYkE@asYFR(W?amBjxN)Pz@g zFe(^4a|T(I9H3dgM@)Y7JU#ir^ms&^yWReIVEgL5g77oEm2{bBCMjeBQX4`J(O&(D z1tYACfi(2>bu(1YOH3Z`L-{xLk2GF(tf9m1mddFpu_Jz3H8k41vI%Z^Jaq4pRR`I5 zFK+i}vBHt#0=QkXnj!nUeWK<B$Aez%b%xhR!XE_EQebUNBVy}Y)wD(rXtsN5WNYZQBm*%X z|2Xfr&yKQ`mf++iw3=lzECsQ1#9h{*ZCgE5tt}r)LhKtYxmtIsyeP9p%Re{|T{O_} zo27VA<{pWiPiC*6mQy^h>A~!2>S@M|$mfaHK78&k{syK26NC}}^9KL|aIiouKVH`a zm%n}$!NBgFoFwi0s#Opf(vH`2`Yw2hW8Bt2LUi<1_>&LNQU+thDZTr0|Wso1Q2!HpXM+S^ftF;|$m0p5mp!budO; zWIiQqZ%zgc+=m4ToXjxrVx!*`Kb;;02D%n@;so#ojsqVf)>?a!(-wn7I`>T&uF8a* zE(dXy)BC4wgMlGQCJt@HR<9dMWQf5N0z&&X@Wr4u5B$6WI9USiM<5vhwNmZ#`5UV3>1eaP+Rxh~|FC#0aUM@kgPs_%-0J=VGoJ^E|`l#&f`w41|ruyi34n84@Xexq! 
z-rv>0QwXuI!aGl|{DpL=foJ89`?jjKQ&_L&g4X}4bDqi*%YJ6?USUY6oa?In2H#t) zOeb`Ft`8S5V)cr?CoV9UVN#jJ{a!iKocvZ4OfS#u!aF4E%E_e{QE$Lkuq}1Ju?c)A zNob+RAQ;Ar%6jiDlzFJF{YP79_>JRNY`dbPuV880mwgNi*EC;Q8hc({@c8`Ak42yU+y z>dL|TPqH|)L7vMY`?!t)k^~Y*riuIW?R`>%5l+iWmKjRm5QbaP=-u8u4E7rqold%g zi0D;iNvvEyOL@DFG)al{OK>D`Dv8ZFlP zLf!8G?C+Rcz@urIaAr?om9&TRR$PS`$Gl*@4!5V8@kSGX*xS6pl>r$Zmbd zQvMKubA|}TtQAl|4PkWHypo$7J?9(yw%(!jc!(I7>@8k`A1<0R6qI$X9!^6wxPYKj z)GAu!0HQ$;^4m3eq+8ey1Ap1P-lshS9cqIx^#V4qIxDzhCA?2GbDs|$l}Cn+V9PgI zm1mJoG96zmwdX7jpgf7+9dP;2LK2Vzwa8SG(^S%|4;7Px@`L{!8Q6o{RtEP`fM9I4 zWCUBWU0Gc?HWJWbnvhM5cdp;z-fs8?t^e}o0_X2@76A(}bOlBZNc(yYvGmSz!G<2Y z-1aA;jW%`D&+-+$AyFn?uDqGJa@u}hWs}MTT>#up*HT9 zjFUOy%d^sndFb(9t6AhGyu4+hwMM7v6lzzlcj9wv>`1V{i9gkH9X*-w|fq z++s&y@&(A*F%l9K8_5ZfvKv-D_UU31M^!q@0o94NSJSQ_rrCqVAO*bP6AOFlnLrJF$HiA#N1vA-i!En1X$T(o4}tJzuRU z*<`u#+U1(>76{;kyiR1)4lc5_B5hK4z z6s8f>1S{q0<@V~f|9-qhvRjRzp#Wx$*`ZM{XhxZTLXROEx-J^B%!= zxau&d>qN&~Z2f=ykpapUZpf#|uyxOI>sH-Ar0B;R-*punYL-RkMGQ2bi+1kigEo5q zcVjE)zi=B_C-A>oVYf+|nxbmQ_`tYt0a2f4CRr6ADkF-+ZmF@qb(a|!#b5nL%f)&s zyQff4>|6hd@)KD7?*-2QD| zLMmmor!MW*T4CLNjkkXExl8Y*4DMY6v)8#qnK-Ub+di~xB(Ne)nebyA+>u=Ssn7jw zv5uAQChSb~23EezZHw!As_Zy45;kR~0G$JEr4)>8B@~fPm$iWevR)skW5C*?7SB=H zJK@ai_^0G%2zxp1k3+<2;venz=41m3VY{PM_pd8v4a=s4^0s#D3z!qiL^!)UB z7C*DgXD&;BDw>BoCJhAWe2i3t4+zPOBd<(@Pvq_LC)D`%yvAw&{pqu-p>1ijbd#}{ zPE21!(8`8w*eOLhVb=2-gZvMdqQOY`X`;HoXVti|T;#Au6TR%&60hKr^TLZp4Sbe- z)>yr1Rll5N$&!3A-y7_L{z7H}1wvP>PbgxL_WCm@Ly;i833|Q#b&-h# zTBIae$%~1u?0z_75JY0$pALiikpx%tF&(>I%R`#o8IYD>4^=hU6%2Cxb0u{5_vsX` zc}VF>$lO63xws?`%KrPc*aYU~yNusciM6U7GAQ15RFV^82hF?k7t+Y*kgzu;0^ko>ps`@i%!PK3exBfv8^tHf`qiwyGGjo{=Kn~S zyQHk9ePSUECTTVxGB;C;yywN8H}o?b$&|DH$B)9=4H?gnFWU`7INeV3#fPn{+OdEQ zjp3Q*8VNR8@>p$V=MAf^iJB=_el{IZEMg?1X3+wMKya9AlTDYOAtlX@-p85xv}mPH zPb;_R(-%0T?cSe&%ccWWcH_^_7pS{2@?jo#fx=|L`<+9WIVue|!yjNI+MmTARP#j8 z&)4mI->;r#T;R0G1e5XETncsMz@Re{eic~CIs?axuFj9!-1EZFsXS+mk)69^7aZM7 ztd^3f?p(}1MY<6BP^Y?HWRy56)RxzY_OydgmDcyK_*-5k?ayEh=%eG7Qw$lAnXmyxe>|7$s-Uws!PMM 
z@MZ+jHl@9oO(DakVjW%1IvmvQ;l~lyS7^-6+@T;1Qba`2!WyAi5gQh;u(Zl|QZB*% z%*SY!#h2(Y7n!d^XlESVI%V1E4o8xo@205>h`m5Dnt!{`I(K�=O&K#Y|kO*WyFB znJ@A0bnWUA0LQ}{AJ|i6*$Z|D`d7W)YY!JrZS)z2|I2QKe^roCi&%z;LHkR8YS+$}F`lw<;m1^@D*m@zp zTDtEpy@PW!ri!y$mZHSMS>@b!M~BcUiqE#A#XxQqV-;$few^ju<<=;cwE|wtHRZa2 z&M&$Tc9R_E8N7$vgDVJ@aa)wf0a$I(3=z@Wd}=@W-vAVu!}M|;H_)F@ZzQmgI$qi9 zM`>`sX!-<4uQaVdsS(LI2js8>1!i&odXi z|C64-OZDNm5qvfBZ!YsAOtv4a^i-PD39K+pFflL<1_@w>NC9O71OfpC00bav+g$Jb z5(?+&PYv!;_NZ|Sc{;`?>BA-Pa9+&0rLZUj6fG3>oT?k;(mj!sZXXOg{VEyO4gvxv E5R " >&2 + exit 1 +fi + +# Set up working temp dir +WORKDIR=$(mktemp -d) +trap "rm -rf $WORKDIR" EXIT + +CA_KEY="ca.key" +CA_CERT="ca.pem" + +# === Ensure CA exists === +if [[ ! -f $CA_KEY || ! -f $CA_CERT ]]; then + echo "🔧 Generating CA..." + openssl genrsa -out $CA_KEY 4096 + openssl req -x509 -new -nodes -key $CA_KEY -sha256 -days 3650 -out $CA_CERT \ + -subj "/CN=Local Dev CA" +fi + +# === Generate key and CSR === +openssl genrsa -out "$WORKDIR/key.pem" 2048 +openssl req -new -key "$WORKDIR/key.pem" -out "$WORKDIR/cert.csr" \ + -subj "/CN=$CN" + +cat > "$WORKDIR/cert.ext" < "$WORKDIR/chain.pem" +cp "$CA_CERT" "$WORKDIR/ca.pem" +echo "$CN" > "$WORKDIR/alias" + +# === Emit tarball to stdout === +tar -C "$WORKDIR" -cf - cert.pem key.pem chain.pem ca.pem alias diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/generate-stores b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/generate-stores new file mode 100755 index 000000000..95bbcb59c --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/generate-stores 
@@ -0,0 +1,56 @@
+#!/bin/bash
+set -euo pipefail
+
+# Ensure CA exists
+generate-ca
+
+# Shared configuration
+PASSWORD="password"
+HOST="localhost"
+
+# App definitions: CN, keystore name, truststore name
+declare -A APPS=(
+ [api]="api"
+ [client]="josh"
+)
+
+# Ensure required scripts are on PATH
+for cmd in generate-cert add-to-keystore add-to-truststore; do
+ if ! command -v $cmd >/dev/null 2>&1; then
+ echo "❌ Required script '$cmd' not found in PATH" >&2
+ exit 1
+ fi
+done
+
+# Generate certs and populate keystores and truststores
+for APP in "${!APPS[@]}"; do
+ CN="${APPS[$APP]}"
+ KEYSTORE="${CN}-keystore.p12"
+
+ echo "🔐 Generating and installing cert for $APP ($CN)..."
+
+ # Generate cert and install in own keystore
+ generate-cert "$CN" "$APP.127.0.0.1.nip.io" | tee >(add-to-keystore "$KEYSTORE") > "${CN}-bundle.tar"
+
+done
+
+# Second pass: truststores — each app must trust all
+for RECEIVER in "${!APPS[@]}"; do
+ RECEIVER_CN="${APPS[$RECEIVER]}"
+ TRUSTSTORE="${RECEIVER_CN}-truststore.p12"
+
+ echo "🤝 Updating truststore for $RECEIVER..."
+
+ for ISSUER in "${!APPS[@]}"; do
+ ISSUER_CN="${APPS[$ISSUER]}"
+ BUNDLE="${ISSUER_CN}-bundle.tar"
+
+ echo " ↪ Trusting $ISSUER ($ISSUER_CN)"
+ cat "$BUNDLE" | add-to-truststore "$TRUSTSTORE"
+ done
+done
+
+# Cleanup bundles
+rm -f ./*-bundle.tar
+
+echo "✅ All keystores and truststores generated successfully."
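Review bot: The `generate-ca` call at the top reuses a CA whose private key, `etc/ca.key`, is committed in this same patch (it appears in the diffstat), and the README tells readers to install the matching `ca.crt` as trusted in their browser; because that key ships with the repository, any certificate chained to it will be accepted by such a browser, so the committed CA has to be treated as disposable sample material. A comment at the call such as `# The CA under etc/ is sample material and its key is public; regenerate it locally rather than trusting the committed ca.crt outside a throwaway browser profile` would make that explicit, and the README would benefit from the same sentence. Separately, the `*-bundle.tar` files written in the first loop hold the private keys in cleartext and are only removed by the final `rm -f` line, so any failure in the truststore loop under `set -e` leaves them on disk; registering `trap 'rm -f ./*-bundle.tar' EXIT` before the first loop closes that gap. `HOST="localhost"` is assigned but never used, and the comment above `APPS` promises three fields where the array holds one value per app.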
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/josh-keystore.p12 b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/etc/josh-keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..38843269954c7884fdd928c8bfc85774561f7298 GIT binary patch literal 4340 zcma)=WmFW5v&I)#7F28oN zky!HYJ@=mXJ@?bSALh)N-!n5GpEGA*D6%7596T6`ECqBA8YCZdPJ%;#^BF~k0iwu) z|6()@gYq$3P15Lj{6%?Afo@7A_n8&en#Po|Ant$7XM7(lfd*~LjRV;u%|%E zoZr&VKORvCv!2%!$JkypOofU$;Nr5A;o>mCh(Uz^y%F~wJ^=Ozbk8_Q9>*LHhyw+Z zc~t9OpyhKGOpU>Y{xSPhKosz2Q?*3v=^m{radVNy&crSa59{>+V!u-&D@4uMDYVKA zrhNR;PV?*n(3QX4>XkDaoXcTZ@sK*E+r!)~vS-Uvm@@Jck$r%ga7NhT{RrKkfY(BG zf^*ZXsh)S`ug6vQG)Y?iDbGxAoTiuXzpybExU!-vD|RQ zo=A4=gM{0*yH-~=E^A;1tbDg&kv~o3i2#{|y`9zV^wKZM9C1^Yy(gioxtJSti`!XM z%cZ;DZ>zebduhr8@qo_>T_~Dzm4(&l`Z7!7pM9$b-Y=3qYTw>LBg)l_kE!f##$CD^ zRGv!Z4c2$l$>8fzXz0TXG=|nMO&*CKUUM30T&YRXa9&+lkxdF#Q*|0B$oAHalbDdT z&(~!~{BSqniP_{P&G^}~Po~A?zv;GpnJ*>vrsS7T8HGY`zaN4gCrlE11i@Nr3O&i+G#UvzXS7mg>eJaKaN zZFGWd1XgL9XN-2`Y|-k{J5AC;DX}R|{Zf(Nv-p>G|45puj*ATMc%9(_QAwr?xCmdv zaPf5lp&(<(1>>`UER8NMsM{>6HRhW_j@wQ*cXnM19_slEeyTIaZDQhiY53ucgJ{>A z)6I#)rTpBluoE}gjLvkYA^(v1q6P2bJiaX3hMmT;QbRa8m$M_P3aKDSbmx3a`vFdJ z(BOyw$Tw>`4+&Yb_hO7?)(N;oJD#RpIkbfIpoK;}ENXqNJ@SPo8K~!fB!{0I*3UjL zh#l~FaJ?1;!%IN4G?TGkzgBxabtQ=&&S~l#x0&2B99I2$dKCHXr1lI`Yw#@4TS}G} zLTz`$6*@h8;xOV(`3oXk^qdOF_Hu7lryf7wx^gtx!8ts1#o6VmF!(f6+r`Q!MZBw) zFImcc=_qq#WoC=`Ceq-u;Cn-I$_KY>VABd+X^Q&-GB|T%u6$M+HNXvQtFyH2^`LMH zd9X!bwt)Z#laL~obWhRTaoG;Qy)K&U+NK!enr}un90Y&Wr5i%k*qQv6=)2ns$`$rg z{=xoV$A7}SuDg?ZDwN9FZJW(Wq7^EzYo#PI^>H^cd zKb97D7L1q8?qw(}XjWi3u|exeaHJoTSf|nnCj7L|RW=hG$z?PIRbY=BW$^z++!PI~F6 zBc956X)4d_gliO zf}y}8|1=SRKBK_xe^E0o4&ZO9`&YsFzbtxcM>9I)SI7)~-nCvv2EJFrJEgS$k44LM zlw)8!yi4k=pr=K#a1lQgSUeG3@<)ZdM9E$)hwTlq7bvOx2MYe9cmF(LNV)sd&-H`! 
z?adL3P}YO7aRX5#=q-SySoPXkrwyoi-@CH_>ltkl9qs=LRJ=&F9oBHHt2 z8=<)`j6*ehI?t;l8Srd_|7#T;EwfIvOQ>ALY+HLUsFD_)E!?NqXqSVLdG;{Isx#Zw z%y>9_Cuyr-D(gd-vb2o03;FaD!sI3KWEiyHgQpm;{oT*0w;hp+c_@l{i+4-EilbJN z3D%1bA*_+XcOgOQ5_M}7qYGaeYUUz!KAsL-3z-VY2Vw9>vK7oe1ZF1*ek`Nb+z?~}UcSeudf913{R`Id^w zX$zjT=1_;F9 z-#Zm9A_1Se=gnB4Gph^F39>#gkqOJNnzK8(IIS{Y%BKzY1r-oJ6K$PZ(MHfBHkg{Z zqYydO<0p)S=VpZu*>*F!4T{K6#LKh@I%7jA!7Sp7nU1sgcG_&}%mb}2&6*&ed==78 z$9IZ%J3rZ0NCg+MaHf6j{dhBR$ZkboWWpIA4@0PSm>=+JH$2l|tb}^(kH{hem8uXH zrp44l#iiBMqZk)ICf(J!SrWb{^ihg6|2%}ke;ST$LfOA<=3AGqnqq1B>QGl36`b{+ zZ!yj#XvHr@eJ$zbiQ~#3Eq{_<6_$& zTW@|tj+t^GJJz0@`U8bfl6KQ4J*9hZ0N*03^XX?R@rUp?-@RV3)xHW+sn}%3{Fa-R z7PU8Z7F;=yb6BU}l++@-somN`j!M>{%lXF#i48Lquf&&j3-t->@6M)NCUOu^kf${T zWjbXcVd>AePF~A8exA9d1Mkew?phTq(UmVPy=QS<`6$C>Qr18?>|13LeX`>yLSb!{T!FnXYxRr0 z2WM#){?hq|J2H8@w9tG^IEj-N0{zx=%M~VhQsL~F^7wONDUqXV6@d3!+f+?eLNP^0 zcD7L)qOm8|nw@%G^vtyqZ7<*jyR+`USPSPK2++wyvv`;k5r?#iR$ZO6mwSli)gSD( z)h>+!kL;obYwJZ&+Pcos9p{qoh99eaFT2jSr@PK!3MCL!uP*u>E#5}t8OPF;uDJ|) zRL~amsWPTvm>Uc2Z59kV(}YB@3C)~_g$zkGm)dtoDypY~o1jPS7ebpy$VbZJyaSGKWGk`m+SLf6SdtaLO*B56J1W)redpGv7ytG=nqjZ9vzk5qc@Kz z3b@lcyC^;DU2S7_3w+|7Ly)q+@I(h~oHx!t`?W9KMOWbdgG@lIN?a{QBCTAD21+ga z02Wkg@{YoHUV&5F#8H<(CSK`q{~_}n+^C245C+P(1$bIY1xoLRA$|BSoM}{dQ=L>( zi_~OE5lALR&IyqzSa}v^a=~1wlz@2*B>bBVZq!Wfm;s^gJuB0sc$Pw}b?4tNu$OB0 zhxr7_xk3B>{{4!vAV6V+hlL!|jDO7|CZ)b7Tv--e?x1{mMkMQT#D)!2`@_uIa`gMR zFX!_}>D*m2@o+PmGQhPJm#?4;j5G_nvV?U|qY-9AzqQ9KE%X4((VCZTZ8r%w4xxc90 zm9K2e-dTt|Q*c=w`eG)sQFbEXhWkdI<1xjGM7WIe=^C2V+;T41-a4X$vq4PkFqQ2Q z*rDIj>9M+Zi^JJX*mBu3$7+rHy$Xl*@oRi5ICvK`E?_*X?j8MLGlEH;KYPsgEo508 zq)eZSr6V(82*8~1cdtjR9EU7DBAVmceoa-)E&(T4t@@`%1LPr1^H0S5x6Vx+eUqjp z79izHMg*W2s0d*e% zQ`q@C*zJOzU?2BSof{MR(A81R3$mQe|=KYE&@IrgZ>&zVLlM$0mFN=-wp6CPalHCP!bF(e)0 z2cboAg1+Z|iFS!Ro%3djVVOt@5N8_j(JYknGy@5fzB|DLrFqn`mQaa)odf05@I*HIunK23O7 z*)r(f7UjKb43bkMDC-NCsxjc4=8nny{!UXIysa+{?q>`;IQhlE`$m-GXA8IPX8NUn zZTd)q<+{RjLtZ}rx)cO5baa^!T0!-Yji72L^~ER+Nri3$@9LUor2b^yFadAN=DI(8 
zNt3W%Hw&_q=JheH_#(}Kv~uYzkgZeKlqzwVMFPmjzIX4CayEEv1&dup4`I!(2VwD+ zLf(?&D{h|seiVC^Ecwd%IO%#)XDd+(R5y z4+s3$r*q;04q(gZ;9xu@+7DJM2q6p=quM<=$tZ!JbKZ5YC4Kp0Q6V44foZ3mn zvls{%Jx%h{a>2nMOa%sqk^J)sz{SA_ z0GYTtNxC+?YxFoFwi0s#Opf(vH`2`Yw2hW8Bt2LUi<1_>&LNQUHnyUG4$`ClCSwATSID2r7n1hW8Bu2?YQ! z9R>+thDZTr0|Wso1Q4ek8Vkl@#Mhc1^`8E?mWzOb3h;fZrIL2^=#2&(Wjtb(%%0d> z{EML0x-Bh?uJ9biT#>p6=i&K8PIfPD6xZ>j5Z;lT9Yi>QXVUQC6_1B2TmC(5T*t*s zt-{C~#?}yDz*7z8L%SqH$nfCN+0S&Jz`_sn4-bE)q~H}qJ(D&z!#KrgPbLH5RtHY8cXQD7wyoQ z(&}PY8PAF0sL@Y!PrW$S?8wA99R+Z6n@EShu<6da5KHSJ@zMsGO?YW$4iRzlF+`wW>pSTLq}?LIDHHU)?$U&@-Us znMth8Cg~>*F_dLK5L|HZI@*aIV`IJ8f2XPc=1_Eyf8zPN$Iu3DwyCGVP*m{idX+Y)bteqr7Jk0j@x z8hWkowzngq)=*$q-IXO^#MT$kAe~}KIAhwNJ#JV3Vdd+dP@qa+!`vO#>VAkz+>^Th z@D&fk;^j&^0-{BcC|so#_H)_xmNdr{8`e`^bp9(eAs>i;*JI}zkvMucp%=xZ_)#62 z?FS?kRJkpS%legyJWJXjc6`Ce;~=x2hfznG+n%z?a5AYMlYed6?AYnd1yD%v{#5ZE zu_XF#0O~tONUax{bfgfg*{2Oz&i@0_o-=z+3$~hO(!>t}Z!!6{RB=_w7Cu7? z)&XqCs9b^2gQ%q63MmCiV~)HN9#cg&QKO#N)Ij%^BeGteT}-=FnHx~H6!+W@9uVcL zI(Rew3Z+Hs88BQ%;rpS$ss`ji=6qVTfo#MP$$5_62`#QTwZwsulx!^yIO%kT0?G1S z@!lU@#kXyo9G3Ln!Bk#~0FKGJ3fbqlWq9q7F6(?Qae0sDSEBuUq7i2VaNr_6QP}5N z@4*f{P7by>Kb-$lnI9=jOSYK~RWf(gE)*J1RVsh(#KMx$0tgcx=`#(un3i28tbvB^ zWT)(lYm$R4mHYh)wlHVa6D01^& z@VBlFih0s%4&jqwQ%*ZUO}2c)i6h3ERcF$i#=0RvnyC^j(XynyKMqu6IfXFtr*j2u z`9IFbqOEbB`#zc2AELe6<}IT8^;{r$prHa0yIkMTGRtzv%lD=|wP?T(Jd!iXB2XZg zgi@q}+nZ%%h>H3Y{P`BQksWjgdQSC4VhqvqO|{$})$P!A718f1Rs51$c=-%_CE8Zf?h8>8apz2$a7fnbm0OdZr8Q>7;({pIhTEww$Ko6YU=X+bPV~m z50Zq`=AAg$`f>FUYQ>Sf>NUV^uI6hlY~xJ0a57U%&iOlXYZpSKJQ?*J=)~8AjQ0_qBsUsl7zZKMb8xkNz=9H6+cTDZ z-&)I-$9SPA98>v_U35KuLCx0tPX_JnEkYjZU2$rfr(@XdJu!wbj(@%nkn;WdN)FT+ z?x%PSkOWvvaBo{?R0Z-y5OE(*!SyVac+u2(1!$SDgmI4{_CU^TD%Na|GEpjqbuW6{ z`Dm|ff_4JtSSO`W%y0I`uFYuKQ0%KZN!Sutkg%LQzNL^UmXXXAhJ^>(#xdJeWE5p_ zYVzNng#?vOCpN@4k%g76yG%T&1F2~smJXKm;2m2aKZ-sA@pam*>km;Gbn z0s`{&X*Ko{PI>ln1?=}sG}eK_n7uIAUqnRL)XqBvSZn&Eicr^M#(eTwvTyau%&Z`s zhhfMH_iAiO1|yE&tAIQZyGbW?d3XIy)|kpiAWyu zVCu#m>8K5MA+k+8eHQ({&*C}YLuvMx4?x#(Y))p`Txp#y 
zTPgnUjn%)kr_7LXltPBuHyuNrvM&dadIyJ}zf5*SE4bGQ{-361>FiHsD06l6)1&w= zAWJi~h{PvM#IF*H?4Vo#9m;_{09*ajzuaTlvFfv9mncxYDd+P}T+qntHBPBhKOy!f? zT`%gl@ZL@%VnNIin_xukrAEIs(TU&6tvmCGVvLkBiW=op^SP%(F4zv0<15bEL{T~~ ztsyNwsy4U!CQ3ubtFAetmH9*@i5QUjEKDV9|98|?`lB8BMm@W;+iO2uUW`UGhW88e zt8r}vPjJ}h>+Hoy=VGp0$t(L+lI016Wl+WPSQGQ*qVV1wFyD@ok4G26JABTN*Eo)i=^HjktZPdR;D%cphP zD_$aZ?*fJ=NOBH7qN}3HLc0_k#KnUEZ4klB#bW-5w2s2`W3BJG_}d}`eA7&^6$}y& zx3RE{7oLG<=;sSy!S3yinK7S-*HqI;G+jYTo6z$0T(kWN$6{dakQ6-ncI4L)LcV;Zl?r1r)cOKj3O@>urv z@VNN}sg;h1y#QQ{9y2+Q2Fsb;V6+4LA7!OB?5kM6wUWw`houf=Mt#J&?D8Wf1$}Bg zq)Kp!)C*73;Liut3RTIf)qm06dgWObu$NG^MsJwF;~jC|=Cxpil=$cdWS#+##<4_hYO zJM?ms`22k%Env7D&}!(WOm#{VtN5kr$QR{3ju|KZ+#6{iNu|ky!rd|p{zYY0m>I(L zAww4L+K}sGQcj8Y8|s>6Mk%Q457#$F(g5TMb=6y`O5uu)jN=hsKyX~A|17Vp_WEDz z8lF}}cboE>eyksq>Ae%K>akbGfX6P{kQO8*;uTx2pW71Ce4K|76tIFJY=~~v{NaV? z-)Mmr%f;(kNvBkB2UdS`EUbr=W7)A@T*&&$>!!j`EoA!NNF09?$dqxnNIl0UkQd8M zc18rP{$>*Kt_)4Q+gCRy;YSxZryGbE?Dzh=P$afBXK0HYvk0?kR$dUiP{{lz1|2UF ziY#K;NzWBly_DXsM31Hx4}FGBV1AEhWF47HM6SX4xE}0<7FpdRfydq=6_D*HhHVi= zU#4M(IQQKg2gxs~R4V__MI|1|5J#)Q8O0z}@0-Y6;K;+0mb(timz7#pNu(F|UJuj~ zghDk5R9L`!ENC9O71OfpC00bad$1Gtf z0t;22@uJF%VwVEQt$A!dKLh;EM1*hhcrnie6h9-GImrsXe`+~gTufk(Z>}$xzXAd$ E5JY3tg8%>k literal 0 HcmV?d00001 diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle.properties b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle.properties new file mode 100644 index 000000000..a5a6444df --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle.properties @@ -0,0 +1,4 @@ +version=6.1.1 +spring-security.version=7.0.0-SNAPSHOT +org.gradle.jvmargs=-Xmx6g -XX:+HeapDumpOnOutOfMemoryError +org.gradle.caching=true diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle/libs.versions.toml b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle/libs.versions.toml new file mode 120000 index 000000000..ebb52ed22 --- /dev/null 
+++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle/libs.versions.toml @@ -0,0 +1 @@ +../../../../../../../gradle/libs.versions.toml \ No newline at end of file 
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle/wrapper/gradle-wrapper.jar b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000000000000000000000000000000000000..249e5832f090a2944b7473328c07c9755baa3196 GIT binary patch literal 60756 zcmb5WV{~QRw(p$^Dz@00IL3?^hro$gg*4VI_WAaTyVM5Foj~O|-84 z$;06hMwt*rV;^8iB z1~&0XWpYJmG?Ts^K9PC62H*`G}xom%S%yq|xvG~FIfP=9*f zZoDRJBm*Y0aId=qJ?7dyb)6)JGWGwe)MHeNSzhi)Ko6J<-m@v=a%NsP537lHe0R* z`If4$aaBA#S=w!2z&m>{lpTy^Lm^mg*3?M&7HFv}7K6x*cukLIGX;bQG|QWdn{%_6 zHnwBKr84#B7Z+AnBXa16a?or^R?+>$4`}{*a_>IhbjvyTtWkHw)|ay)ahWUd-qq$~ zMbh6roVsj;_qnC-R{G+Cy6bApVOinSU-;(DxUEl!i2)1EeQ9`hrfqj(nKI7?Z>Xur zoJz-a`PxkYit1HEbv|jy%~DO^13J-ut986EEG=66S}D3!L}Efp;Bez~7tNq{QsUMm zh9~(HYg1pA*=37C0}n4g&bFbQ+?-h-W}onYeE{q;cIy%eZK9wZjSwGvT+&Cgv z?~{9p(;bY_1+k|wkt_|N!@J~aoY@|U_RGoWX<;p{Nu*D*&_phw`8jYkMNpRTWx1H* z>J-Mi_!`M468#5Aix$$u1M@rJEIOc?k^QBc?T(#=n&*5eS#u*Y)?L8Ha$9wRWdH^3D4|Ps)Y?m0q~SiKiSfEkJ!=^`lJ(%W3o|CZ zSrZL-Xxc{OrmsQD&s~zPfNJOpSZUl%V8tdG%ei}lQkM+z@-4etFPR>GOH9+Y_F<3=~SXln9Kb-o~f>2a6Xz@AS3cn^;c_>lUwlK(n>z?A>NbC z`Ud8^aQy>wy=$)w;JZzA)_*Y$Z5hU=KAG&htLw1Uh00yE!|Nu{EZkch zY9O6x7Y??>!7pUNME*d!=R#s)ghr|R#41l!c?~=3CS8&zr6*aA7n9*)*PWBV2w+&I zpW1-9fr3j{VTcls1>ua}F*bbju_Xq%^v;-W~paSqlf zolj*dt`BBjHI)H9{zrkBo=B%>8}4jeBO~kWqO!~Thi!I1H(in=n^fS%nuL=X2+s!p}HfTU#NBGiwEBF^^tKU zbhhv+0dE-sbK$>J#t-J!B$TMgN@Wh5wTtK2BG}4BGfsZOoRUS#G8Cxv|6EI*n&Xxq zt{&OxCC+BNqz$9b0WM7_PyBJEVObHFh%%`~!@MNZlo*oXDCwDcFwT~Rls!aApL<)^ zbBftGKKBRhB!{?fX@l2_y~%ygNFfF(XJzHh#?`WlSL{1lKT*gJM zs>bd^H9NCxqxn(IOky5k-wALFowQr(gw%|`0991u#9jXQh?4l|l>pd6a&rx|v=fPJ z1mutj{YzpJ_gsClbWFk(G}bSlFi-6@mwoQh-XeD*j@~huW4(8ub%^I|azA)h2t#yG z7e_V_<4jlM3D(I+qX}yEtqj)cpzN*oCdYHa!nm%0t^wHm)EmFP*|FMw!tb@&`G-u~ zK)=Sf6z+BiTAI}}i{*_Ac$ffr*Wrv$F7_0gJkjx;@)XjYSh`RjAgrCck`x!zP>Ifu z&%he4P|S)H*(9oB4uvH67^0}I-_ye_!w)u3v2+EY>eD3#8QR24<;7?*hj8k~rS)~7 zSXs5ww)T(0eHSp$hEIBnW|Iun<_i`}VE0Nc$|-R}wlSIs5pV{g_Dar(Zz<4X3`W?K 
z6&CAIl4U(Qk-tTcK{|zYF6QG5ArrEB!;5s?tW7 zrE3hcFY&k)+)e{+YOJ0X2uDE_hd2{|m_dC}kgEKqiE9Q^A-+>2UonB+L@v3$9?AYw zVQv?X*pK;X4Ovc6Ev5Gbg{{Eu*7{N3#0@9oMI~}KnObQE#Y{&3mM4`w%wN+xrKYgD zB-ay0Q}m{QI;iY`s1Z^NqIkjrTlf`B)B#MajZ#9u41oRBC1oM1vq0i|F59> z#StM@bHt|#`2)cpl_rWB($DNJ3Lap}QM-+A$3pe}NyP(@+i1>o^fe-oxX#Bt`mcQc zb?pD4W%#ep|3%CHAYnr*^M6Czg>~L4?l16H1OozM{P*en298b+`i4$|w$|4AHbzqB zHpYUsHZET$Z0ztC;U+0*+amF!@PI%^oUIZy{`L{%O^i{Xk}X0&nl)n~tVEpcAJSJ} zverw15zP1P-O8h9nd!&hj$zuwjg?DoxYIw{jWM zW5_pj+wFy8Tsa9g<7Qa21WaV&;ejoYflRKcz?#fSH_)@*QVlN2l4(QNk| z4aPnv&mrS&0|6NHq05XQw$J^RR9T{3SOcMKCXIR1iSf+xJ0E_Wv?jEc*I#ZPzyJN2 zUG0UOXHl+PikM*&g$U@g+KbG-RY>uaIl&DEtw_Q=FYq?etc!;hEC_}UX{eyh%dw2V zTTSlap&5>PY{6I#(6`j-9`D&I#|YPP8a;(sOzgeKDWsLa!i-$frD>zr-oid!Hf&yS z!i^cr&7tN}OOGmX2)`8k?Tn!!4=tz~3hCTq_9CdiV!NIblUDxHh(FJ$zs)B2(t5@u z-`^RA1ShrLCkg0)OhfoM;4Z{&oZmAec$qV@ zGQ(7(!CBk<5;Ar%DLJ0p0!ResC#U<+3i<|vib1?{5gCebG7$F7URKZXuX-2WgF>YJ^i zMhHDBsh9PDU8dlZ$yJKtc6JA#y!y$57%sE>4Nt+wF1lfNIWyA`=hF=9Gj%sRwi@vd z%2eVV3y&dvAgyuJ=eNJR+*080dbO_t@BFJO<@&#yqTK&+xc|FRR;p;KVk@J3$S{p` zGaMj6isho#%m)?pOG^G0mzOAw0z?!AEMsv=0T>WWcE>??WS=fII$t$(^PDPMU(P>o z_*0s^W#|x)%tx8jIgZY~A2yG;US0m2ZOQt6yJqW@XNY_>_R7(Nxb8Ged6BdYW6{prd!|zuX$@Q2o6Ona8zzYC1u!+2!Y$Jc9a;wy+pXt}o6~Bu1oF1c zp7Y|SBTNi@=I(K%A60PMjM#sfH$y*c{xUgeSpi#HB`?|`!Tb&-qJ3;vxS!TIzuTZs-&%#bAkAyw9m4PJgvey zM5?up*b}eDEY+#@tKec)-c(#QF0P?MRlD1+7%Yk*jW;)`f;0a-ZJ6CQA?E%>i2Dt7T9?s|9ZF|KP4;CNWvaVKZ+Qeut;Jith_y{v*Ny6Co6!8MZx;Wgo z=qAi%&S;8J{iyD&>3CLCQdTX*$+Rx1AwA*D_J^0>suTgBMBb=*hefV+Ars#mmr+YsI3#!F@Xc1t4F-gB@6aoyT+5O(qMz*zG<9Qq*f0w^V!03rpr*-WLH}; zfM{xSPJeu6D(%8HU%0GEa%waFHE$G?FH^kMS-&I3)ycx|iv{T6Wx}9$$D&6{%1N_8 z_CLw)_9+O4&u94##vI9b-HHm_95m)fa??q07`DniVjAy`t7;)4NpeyAY(aAk(+T_O z1om+b5K2g_B&b2DCTK<>SE$Ode1DopAi)xaJjU>**AJK3hZrnhEQ9E`2=|HHe<^tv z63e(bn#fMWuz>4erc47}!J>U58%<&N<6AOAewyzNTqi7hJc|X{782&cM zHZYclNbBwU6673=!ClmxMfkC$(CykGR@10F!zN1Se83LR&a~$Ht&>~43OX22mt7tcZUpa;9@q}KDX3O&Ugp6< zLZLfIMO5;pTee1vNyVC$FGxzK2f>0Z-6hM82zKg44nWo|n}$Zk6&;5ry3`(JFEX$q 
zK&KivAe${e^5ZGc3a9hOt|!UOE&OocpVryE$Y4sPcs4rJ>>Kbi2_subQ9($2VN(3o zb~tEzMsHaBmBtaHAyES+d3A(qURgiskSSwUc9CfJ@99&MKp2sooSYZu+-0t0+L*!I zYagjOlPgx|lep9tiU%ts&McF6b0VE57%E0Ho%2oi?=Ks+5%aj#au^OBwNwhec zta6QAeQI^V!dF1C)>RHAmB`HnxyqWx?td@4sd15zPd*Fc9hpDXP23kbBenBxGeD$k z;%0VBQEJ-C)&dTAw_yW@k0u?IUk*NrkJ)(XEeI z9Y>6Vel>#s_v@=@0<{4A{pl=9cQ&Iah0iD0H`q)7NeCIRz8zx;! z^OO;1+IqoQNak&pV`qKW+K0^Hqp!~gSohcyS)?^P`JNZXw@gc6{A3OLZ?@1Uc^I2v z+X!^R*HCm3{7JPq{8*Tn>5;B|X7n4QQ0Bs79uTU%nbqOJh`nX(BVj!#f;#J+WZxx4 z_yM&1Y`2XzhfqkIMO7tB3raJKQS+H5F%o83bM+hxbQ zeeJm=Dvix$2j|b4?mDacb67v-1^lTp${z=jc1=j~QD>7c*@+1?py>%Kj%Ejp7Y-!? z8iYRUlGVrQPandAaxFfks53@2EC#0)%mrnmGRn&>=$H$S8q|kE_iWko4`^vCS2aWg z#!`RHUGyOt*k?bBYu3*j3u0gB#v(3tsije zgIuNNWNtrOkx@Pzs;A9un+2LX!zw+p3_NX^Sh09HZAf>m8l@O*rXy_82aWT$Q>iyy zqO7Of)D=wcSn!0+467&!Hl))eff=$aneB?R!YykdKW@k^_uR!+Q1tR)+IJb`-6=jj zymzA>Sv4>Z&g&WWu#|~GcP7qP&m*w-S$)7Xr;(duqCTe7p8H3k5>Y-n8438+%^9~K z3r^LIT_K{i7DgEJjIocw_6d0!<;wKT`X;&vv+&msmhAAnIe!OTdybPctzcEzBy88_ zWO{6i4YT%e4^WQZB)KHCvA(0tS zHu_Bg+6Ko%a9~$EjRB90`P(2~6uI@SFibxct{H#o&y40MdiXblu@VFXbhz>Nko;7R z70Ntmm-FePqhb%9gL+7U8@(ch|JfH5Fm)5${8|`Lef>LttM_iww6LW2X61ldBmG0z zax3y)njFe>j*T{i0s8D4=L>X^j0)({R5lMGVS#7(2C9@AxL&C-lZQx~czI7Iv+{%1 z2hEG>RzX4S8x3v#9sgGAnPzptM)g&LB}@%E>fy0vGSa(&q0ch|=ncKjNrK z`jA~jObJhrJ^ri|-)J^HUyeZXz~XkBp$VhcTEcTdc#a2EUOGVX?@mYx#Vy*!qO$Jv zQ4rgOJ~M*o-_Wptam=~krnmG*p^j!JAqoQ%+YsDFW7Cc9M%YPiBOrVcD^RY>m9Pd< zu}#9M?K{+;UIO!D9qOpq9yxUquQRmQNMo0pT`@$pVt=rMvyX)ph(-CCJLvUJy71DI zBk7oc7)-%ngdj~s@76Yse3L^gV0 z2==qfp&Q~L(+%RHP0n}+xH#k(hPRx(!AdBM$JCfJ5*C=K3ts>P?@@SZ_+{U2qFZb>4kZ{Go37{# zSQc+-dq*a-Vy4?taS&{Ht|MLRiS)Sn14JOONyXqPNnpq&2y~)6wEG0oNy>qvod$FF z`9o&?&6uZjhZ4_*5qWVrEfu(>_n2Xi2{@Gz9MZ8!YmjYvIMasE9yVQL10NBrTCczq zcTY1q^PF2l!Eraguf{+PtHV3=2A?Cu&NN&a8V(y;q(^_mFc6)%Yfn&X&~Pq zU1?qCj^LF(EQB1F`8NxNjyV%fde}dEa(Hx=r7$~ts2dzDwyi6ByBAIx$NllB4%K=O z$AHz1<2bTUb>(MCVPpK(E9wlLElo(aSd(Os)^Raum`d(g9Vd_+Bf&V;l=@mM=cC>) z)9b0enb)u_7V!!E_bl>u5nf&Rl|2r=2F3rHMdb7y9E}}F82^$Rf+P8%dKnOeKh1vs 
zhH^P*4Ydr^$)$h@4KVzxrHyy#cKmWEa9P5DJ|- zG;!Qi35Tp7XNj60=$!S6U#!(${6hyh7d4q=pF{`0t|N^|L^d8pD{O9@tF~W;#Je*P z&ah%W!KOIN;SyAEhAeTafJ4uEL`(RtnovM+cb(O#>xQnk?dzAjG^~4$dFn^<@-Na3 z395;wBnS{t*H;Jef2eE!2}u5Ns{AHj>WYZDgQJt8v%x?9{MXqJsGP|l%OiZqQ1aB! z%E=*Ig`(!tHh>}4_z5IMpg{49UvD*Pp9!pxt_gdAW%sIf3k6CTycOT1McPl=_#0?8 zVjz8Hj*Vy9c5-krd-{BQ{6Xy|P$6LJvMuX$* zA+@I_66_ET5l2&gk9n4$1M3LN8(yEViRx&mtd#LD}AqEs?RW=xKC(OCWH;~>(X6h!uDxXIPH06xh z*`F4cVlbDP`A)-fzf>MuScYsmq&1LUMGaQ3bRm6i7OsJ|%uhTDT zlvZA1M}nz*SalJWNT|`dBm1$xlaA>CCiQ zK`xD-RuEn>-`Z?M{1%@wewf#8?F|(@1e0+T4>nmlSRrNK5f)BJ2H*$q(H>zGD0>eL zQ!tl_Wk)k*e6v^m*{~A;@6+JGeWU-q9>?+L_#UNT%G?4&BnOgvm9@o7l?ov~XL+et zbGT)|G7)KAeqb=wHSPk+J1bdg7N3$vp(ekjI1D9V$G5Cj!=R2w=3*4!z*J-r-cyeb zd(i2KmX!|Lhey!snRw z?#$Gu%S^SQEKt&kep)up#j&9}e+3=JJBS(s>MH+|=R(`8xK{mmndWo_r`-w1#SeRD&YtAJ#GiVI*TkQZ}&aq<+bU2+coU3!jCI6E+Ad_xFW*ghnZ$q zAoF*i&3n1j#?B8x;kjSJD${1jdRB;)R*)Ao!9bd|C7{;iqDo|T&>KSh6*hCD!rwv= zyK#F@2+cv3=|S1Kef(E6Niv8kyLVLX&e=U;{0x{$tDfShqkjUME>f8d(5nzSkY6@! z^-0>DM)wa&%m#UF1F?zR`8Y3X#tA!*7Q$P3lZJ%*KNlrk_uaPkxw~ zxZ1qlE;Zo;nb@!SMazSjM>;34ROOoygo%SF);LL>rRonWwR>bmSd1XD^~sGSu$Gg# zFZ`|yKU0%!v07dz^v(tY%;So(e`o{ZYTX`hm;@b0%8|H>VW`*cr8R%3n|ehw2`(9B+V72`>SY}9^8oh$En80mZK9T4abVG*to;E z1_S6bgDOW?!Oy1LwYy=w3q~KKdbNtyH#d24PFjX)KYMY93{3-mPP-H>@M-_>N~DDu zENh~reh?JBAK=TFN-SfDfT^=+{w4ea2KNWXq2Y<;?(gf(FgVp8Zp-oEjKzB%2Iqj;48GmY3h=bcdYJ}~&4tS`Q1sb=^emaW$IC$|R+r-8V- zf0$gGE(CS_n4s>oicVk)MfvVg#I>iDvf~Ov8bk}sSxluG!6#^Z_zhB&U^`eIi1@j( z^CK$z^stBHtaDDHxn+R;3u+>Lil^}fj?7eaGB z&5nl^STqcaBxI@v>%zG|j))G(rVa4aY=B@^2{TFkW~YP!8!9TG#(-nOf^^X-%m9{Z zCC?iC`G-^RcBSCuk=Z`(FaUUe?hf3{0C>>$?Vs z`2Uud9M+T&KB6o4o9kvdi^Q=Bw!asPdxbe#W-Oaa#_NP(qpyF@bVxv5D5))srkU#m zj_KA+#7sqDn*Ipf!F5Byco4HOSd!Ui$l94|IbW%Ny(s1>f4|Mv^#NfB31N~kya9!k zWCGL-$0ZQztBate^fd>R!hXY_N9ZjYp3V~4_V z#eB)Kjr8yW=+oG)BuNdZG?jaZlw+l_ma8aET(s+-x+=F-t#Qoiuu1i`^x8Sj>b^U} zs^z<()YMFP7CmjUC@M=&lA5W7t&cxTlzJAts*%PBDAPuqcV5o7HEnqjif_7xGt)F% zGx2b4w{@!tE)$p=l3&?Bf#`+!-RLOleeRk3 
z7#pF|w@6_sBmn1nECqdunmG^}pr5(ZJQVvAt$6p3H(16~;vO>?sTE`Y+mq5YP&PBo zvq!7#W$Gewy`;%6o^!Dtjz~x)T}Bdk*BS#=EY=ODD&B=V6TD2z^hj1m5^d6s)D*wk zu$z~D7QuZ2b?5`p)E8e2_L38v3WE{V`bVk;6fl#o2`) z99JsWhh?$oVRn@$S#)uK&8DL8>An0&S<%V8hnGD7Z^;Y(%6;^9!7kDQ5bjR_V+~wp zfx4m3z6CWmmZ<8gDGUyg3>t8wgJ5NkkiEm^(sedCicP^&3D%}6LtIUq>mXCAt{9eF zNXL$kGcoUTf_Lhm`t;hD-SE)m=iBnxRU(NyL}f6~1uH)`K!hmYZjLI%H}AmEF5RZt z06$wn63GHnApHXZZJ}s^s)j9(BM6e*7IBK6Bq(!)d~zR#rbxK9NVIlgquoMq z=eGZ9NR!SEqP6=9UQg#@!rtbbSBUM#ynF);zKX+|!Zm}*{H z+j=d?aZ2!?@EL7C~%B?6ouCKLnO$uWn;Y6Xz zX8dSwj732u(o*U3F$F=7xwxm>E-B+SVZH;O-4XPuPkLSt_?S0)lb7EEg)Mglk0#eS z9@jl(OnH4juMxY+*r03VDfPx_IM!Lmc(5hOI;`?d37f>jPP$?9jQQIQU@i4vuG6MagEoJrQ=RD7xt@8E;c zeGV*+Pt+t$@pt!|McETOE$9k=_C!70uhwRS9X#b%ZK z%q(TIUXSS^F0`4Cx?Rk07C6wI4!UVPeI~-fxY6`YH$kABdOuiRtl73MqG|~AzZ@iL&^s?24iS;RK_pdlWkhcF z@Wv-Om(Aealfg)D^adlXh9Nvf~Uf@y;g3Y)i(YP zEXDnb1V}1pJT5ZWyw=1i+0fni9yINurD=EqH^ciOwLUGi)C%Da)tyt=zq2P7pV5-G zR7!oq28-Fgn5pW|nlu^b!S1Z#r7!Wtr{5J5PQ>pd+2P7RSD?>(U7-|Y z7ZQ5lhYIl_IF<9?T9^IPK<(Hp;l5bl5tF9>X-zG14_7PfsA>6<$~A338iYRT{a@r_ zuXBaT=`T5x3=s&3=RYx6NgG>No4?5KFBVjE(swfcivcIpPQFx5l+O;fiGsOrl5teR z_Cm+;PW}O0Dwe_(4Z@XZ)O0W-v2X><&L*<~*q3dg;bQW3g7)a#3KiQP>+qj|qo*Hk z?57>f2?f@`=Fj^nkDKeRkN2d$Z@2eNKpHo}ksj-$`QKb6n?*$^*%Fb3_Kbf1(*W9K>{L$mud2WHJ=j0^=g30Xhg8$#g^?36`p1fm;;1@0Lrx+8t`?vN0ZorM zSW?rhjCE8$C|@p^sXdx z|NOHHg+fL;HIlqyLp~SSdIF`TnSHehNCU9t89yr@)FY<~hu+X`tjg(aSVae$wDG*C zq$nY(Y494R)hD!i1|IIyP*&PD_c2FPgeY)&mX1qujB1VHPG9`yFQpLFVQ0>EKS@Bp zAfP5`C(sWGLI?AC{XEjLKR4FVNw(4+9b?kba95ukgR1H?w<8F7)G+6&(zUhIE5Ef% z=fFkL3QKA~M@h{nzjRq!Y_t!%U66#L8!(2-GgFxkD1=JRRqk=n%G(yHKn%^&$dW>; zSjAcjETMz1%205se$iH_)ZCpfg_LwvnsZQAUCS#^FExp8O4CrJb6>JquNV@qPq~3A zZ<6dOU#6|8+fcgiA#~MDmcpIEaUO02L5#T$HV0$EMD94HT_eXLZ2Zi&(! 
z&5E>%&|FZ`)CN10tM%tLSPD*~r#--K(H-CZqIOb99_;m|D5wdgJ<1iOJz@h2Zkq?} z%8_KXb&hf=2Wza(Wgc;3v3TN*;HTU*q2?#z&tLn_U0Nt!y>Oo>+2T)He6%XuP;fgn z-G!#h$Y2`9>Jtf}hbVrm6D70|ERzLAU>3zoWhJmjWfgM^))T+2u$~5>HF9jQDkrXR z=IzX36)V75PrFjkQ%TO+iqKGCQ-DDXbaE;C#}!-CoWQx&v*vHfyI>$HNRbpvm<`O( zlx9NBWD6_e&J%Ous4yp~s6)Ghni!I6)0W;9(9$y1wWu`$gs<$9Mcf$L*piP zPR0Av*2%ul`W;?-1_-5Zy0~}?`e@Y5A&0H!^ApyVTT}BiOm4GeFo$_oPlDEyeGBbh z1h3q&Dx~GmUS|3@4V36&$2uO8!Yp&^pD7J5&TN{?xphf*-js1fP?B|`>p_K>lh{ij zP(?H%e}AIP?_i^f&Li=FDSQ`2_NWxL+BB=nQr=$ zHojMlXNGauvvwPU>ZLq!`bX-5F4jBJ&So{kE5+ms9UEYD{66!|k~3vsP+mE}x!>%P za98bAU0!h0&ka4EoiDvBM#CP#dRNdXJcb*(%=<(g+M@<)DZ!@v1V>;54En?igcHR2 zhubQMq}VSOK)onqHfczM7YA@s=9*ow;k;8)&?J3@0JiGcP! zP#00KZ1t)GyZeRJ=f0^gc+58lc4Qh*S7RqPIC6GugG1gXe$LIQMRCo8cHf^qXgAa2 z`}t>u2Cq1CbSEpLr~E=c7~=Qkc9-vLE%(v9N*&HF`(d~(0`iukl5aQ9u4rUvc8%m) zr2GwZN4!s;{SB87lJB;veebPmqE}tSpT>+`t?<457Q9iV$th%i__Z1kOMAswFldD6 ztbOvO337S5o#ZZgN2G99_AVqPv!?Gmt3pzgD+Hp3QPQ`9qJ(g=kjvD+fUSS3upJn! zqoG7acIKEFRX~S}3|{EWT$kdz#zrDlJU(rPkxjws_iyLKU8+v|*oS_W*-guAb&Pj1 z35Z`3z<&Jb@2Mwz=KXucNYdY#SNO$tcVFr9KdKm|%^e-TXzs6M`PBper%ajkrIyUe zp$vVxVs9*>Vp4_1NC~Zg)WOCPmOxI1V34QlG4!aSFOH{QqSVq1^1)- z0P!Z?tT&E-ll(pwf0?=F=yOzik=@nh1Clxr9}Vij89z)ePDSCYAqw?lVI?v?+&*zH z)p$CScFI8rrwId~`}9YWPFu0cW1Sf@vRELs&cbntRU6QfPK-SO*mqu|u~}8AJ!Q$z znzu}50O=YbjwKCuSVBs6&CZR#0FTu)3{}qJJYX(>QPr4$RqWiwX3NT~;>cLn*_&1H zaKpIW)JVJ>b{uo2oq>oQt3y=zJjb%fU@wLqM{SyaC6x2snMx-}ivfU<1- znu1Lh;i$3Tf$Kh5Uk))G!D1UhE8pvx&nO~w^fG)BC&L!_hQk%^p`Kp@F{cz>80W&T ziOK=Sq3fdRu*V0=S53rcIfWFazI}Twj63CG(jOB;$*b`*#B9uEnBM`hDk*EwSRdwP8?5T?xGUKs=5N83XsR*)a4|ijz|c{4tIU+4j^A5C<#5 z*$c_d=5ml~%pGxw#?*q9N7aRwPux5EyqHVkdJO=5J>84!X6P>DS8PTTz>7C#FO?k#edkntG+fJk8ZMn?pmJSO@`x-QHq;7^h6GEXLXo1TCNhH z8ZDH{*NLAjo3WM`xeb=X{((uv3H(8&r8fJJg_uSs_%hOH%JDD?hu*2NvWGYD+j)&` zz#_1%O1wF^o5ryt?O0n;`lHbzp0wQ?rcbW(F1+h7_EZZ9{>rePvLAPVZ_R|n@;b$;UchU=0j<6k8G9QuQf@76oiE*4 zXOLQ&n3$NR#p4<5NJMVC*S);5x2)eRbaAM%VxWu9ohlT;pGEk7;002enCbQ>2r-us z3#bpXP9g|mE`65VrN`+3mC)M(eMj~~eOf)do<@l+fMiTR)XO}422*1SL{wyY(%oMpBgJagtiDf 
zz>O6(m;};>Hi=t8o{DVC@YigqS(Qh+ix3Rwa9aliH}a}IlOCW1@?%h_bRbq-W{KHF z%Vo?-j@{Xi@=~Lz5uZP27==UGE15|g^0gzD|3x)SCEXrx`*MP^FDLl%pOi~~Il;dc z^hrwp9sYeT7iZ)-ajKy@{a`kr0-5*_!XfBpXwEcFGJ;%kV$0Nx;apKrur zJN2J~CAv{Zjj%FolyurtW8RaFmpn&zKJWL>(0;;+q(%(Hx!GMW4AcfP0YJ*Vz!F4g z!ZhMyj$BdXL@MlF%KeInmPCt~9&A!;cRw)W!Hi@0DY(GD_f?jeV{=s=cJ6e}JktJw zQORnxxj3mBxfrH=x{`_^Z1ddDh}L#V7i}$njUFRVwOX?qOTKjfPMBO4y(WiU<)epb zvB9L=%jW#*SL|Nd_G?E*_h1^M-$PG6Pc_&QqF0O-FIOpa4)PAEPsyvB)GKasmBoEt z?_Q2~QCYGH+hW31x-B=@5_AN870vY#KB~3a*&{I=f);3Kv7q4Q7s)0)gVYx2#Iz9g(F2;=+Iy4 z6KI^8GJ6D@%tpS^8boU}zpi=+(5GfIR)35PzrbuXeL1Y1N%JK7PG|^2k3qIqHfX;G zQ}~JZ-UWx|60P5?d1e;AHx!_;#PG%d=^X(AR%i`l0jSpYOpXoKFW~7ip7|xvN;2^? zsYC9fanpO7rO=V7+KXqVc;Q5z%Bj})xHVrgoR04sA2 zl~DAwv=!(()DvH*=lyhIlU^hBkA0$e*7&fJpB0|oB7)rqGK#5##2T`@_I^|O2x4GO z;xh6ROcV<9>?e0)MI(y++$-ksV;G;Xe`lh76T#Htuia+(UrIXrf9?

L(tZ$0BqX1>24?V$S+&kLZ`AodQ4_)P#Q3*4xg8}lMV-FLwC*cN$< zt65Rf%7z41u^i=P*qO8>JqXPrinQFapR7qHAtp~&RZ85$>ob|Js;GS^y;S{XnGiBc zGa4IGvDl?x%gY`vNhv8wgZnP#UYI-w*^4YCZnxkF85@ldepk$&$#3EAhrJY0U)lR{F6sM3SONV^+$;Zx8BD&Eku3K zKNLZyBni3)pGzU0;n(X@1fX8wYGKYMpLmCu{N5-}epPDxClPFK#A@02WM3!myN%bkF z|GJ4GZ}3sL{3{qXemy+#Uk{4>Kf8v11;f8I&c76+B&AQ8udd<8gU7+BeWC`akUU~U zgXoxie>MS@rBoyY8O8Tc&8id!w+_ooxcr!1?#rc$-|SBBtH6S?)1e#P#S?jFZ8u-Bs&k`yLqW|{j+%c#A4AQ>+tj$Y z^CZajspu$F%73E68Lw5q7IVREED9r1Ijsg#@DzH>wKseye>hjsk^{n0g?3+gs@7`i zHx+-!sjLx^fS;fY!ERBU+Q zVJ!e0hJH%P)z!y%1^ZyG0>PN@5W~SV%f>}c?$H8r;Sy-ui>aruVTY=bHe}$e zi&Q4&XK!qT7-XjCrDaufT@>ieQ&4G(SShUob0Q>Gznep9fR783jGuUynAqc6$pYX; z7*O@@JW>O6lKIk0G00xsm|=*UVTQBB`u1f=6wGAj%nHK_;Aqmfa!eAykDmi-@u%6~ z;*c!pS1@V8r@IX9j&rW&d*}wpNs96O2Ute>%yt{yv>k!6zfT6pru{F1M3P z2WN1JDYqoTB#(`kE{H676QOoX`cnqHl1Yaru)>8Ky~VU{)r#{&s86Vz5X)v15ULHA zAZDb{99+s~qI6;-dQ5DBjHJP@GYTwn;Dv&9kE<0R!d z8tf1oq$kO`_sV(NHOSbMwr=To4r^X$`sBW4$gWUov|WY?xccQJN}1DOL|GEaD_!@& z15p?Pj+>7d`@LvNIu9*^hPN)pwcv|akvYYq)ks%`G>!+!pW{-iXPZsRp8 z35LR;DhseQKWYSD`%gO&k$Dj6_6q#vjWA}rZcWtQr=Xn*)kJ9kacA=esi*I<)1>w^ zO_+E>QvjP)qiSZg9M|GNeLtO2D7xT6vsj`88sd!94j^AqxFLi}@w9!Y*?nwWARE0P znuI_7A-saQ+%?MFA$gttMV-NAR^#tjl_e{R$N8t2NbOlX373>e7Ox=l=;y#;M7asp zRCz*CLnrm$esvSb5{T<$6CjY zmZ(i{Rs_<#pWW>(HPaaYj`%YqBra=Ey3R21O7vUbzOkJJO?V`4-D*u4$Me0Bx$K(lYo`JO}gnC zx`V}a7m-hLU9Xvb@K2ymioF)vj12<*^oAqRuG_4u%(ah?+go%$kOpfb`T96P+L$4> zQ#S+sA%VbH&mD1k5Ak7^^dZoC>`1L%i>ZXmooA!%GI)b+$D&ziKrb)a=-ds9xk#~& z7)3iem6I|r5+ZrTRe_W861x8JpD`DDIYZNm{$baw+$)X^Jtjnl0xlBgdnNY}x%5za zkQ8E6T<^$sKBPtL4(1zi_Rd(tVth*3Xs!ulflX+70?gb&jRTnI8l+*Aj9{|d%qLZ+ z>~V9Z;)`8-lds*Zgs~z1?Fg?Po7|FDl(Ce<*c^2=lFQ~ahwh6rqSjtM5+$GT>3WZW zj;u~w9xwAhOc<kF}~`CJ68 z?(S5vNJa;kriPlim33{N5`C{9?NWhzsna_~^|K2k4xz1`xcui*LXL-1#Y}Hi9`Oo!zQ>x-kgAX4LrPz63uZ+?uG*84@PKq-KgQlMNRwz=6Yes) zY}>YN+qP}nwr$(CZQFjUOI=-6J$2^XGvC~EZ+vrqWaOXB$k?%Suf5k=4>AveC1aJ! 
ziaW4IS%F$_Babi)kA8Y&u4F7E%99OPtm=vzw$$ zEz#9rvn`Iot_z-r3MtV>k)YvErZ<^Oa${`2>MYYODSr6?QZu+be-~MBjwPGdMvGd!b!elsdi4% z`37W*8+OGulab8YM?`KjJ8e+jM(tqLKSS@=jimq3)Ea2EB%88L8CaM+aG7;27b?5` z4zuUWBr)f)k2o&xg{iZ$IQkJ+SK>lpq4GEacu~eOW4yNFLU!Kgc{w4&D$4ecm0f}~ zTTzquRW@`f0}|IILl`!1P+;69g^upiPA6F{)U8)muWHzexRenBU$E^9X-uIY2%&1w z_=#5*(nmxJ9zF%styBwivi)?#KMG96-H@hD-H_&EZiRNsfk7mjBq{L%!E;Sqn!mVX*}kXhwH6eh;b42eD!*~upVG@ z#smUqz$ICm!Y8wY53gJeS|Iuard0=;k5i5Z_hSIs6tr)R4n*r*rE`>38Pw&lkv{_r!jNN=;#?WbMj|l>cU(9trCq; z%nN~r^y7!kH^GPOf3R}?dDhO=v^3BeP5hF|%4GNQYBSwz;x({21i4OQY->1G=KFyu z&6d`f2tT9Yl_Z8YACZaJ#v#-(gcyeqXMhYGXb=t>)M@fFa8tHp2x;ODX=Ap@a5I=U z0G80^$N0G4=U(>W%mrrThl0DjyQ-_I>+1Tdd_AuB3qpYAqY54upwa3}owa|x5iQ^1 zEf|iTZxKNGRpI>34EwkIQ2zHDEZ=(J@lRaOH>F|2Z%V_t56Km$PUYu^xA5#5Uj4I4RGqHD56xT%H{+P8Ag>e_3pN$4m8n>i%OyJFPNWaEnJ4McUZPa1QmOh?t8~n& z&RulPCors8wUaqMHECG=IhB(-tU2XvHP6#NrLVyKG%Ee*mQ5Ps%wW?mcnriTVRc4J`2YVM>$ixSF2Xi+Wn(RUZnV?mJ?GRdw%lhZ+t&3s7g!~g{%m&i<6 z5{ib-<==DYG93I(yhyv4jp*y3#*WNuDUf6`vTM%c&hiayf(%=x@4$kJ!W4MtYcE#1 zHM?3xw63;L%x3drtd?jot!8u3qeqctceX3m;tWetK+>~q7Be$h>n6riK(5@ujLgRS zvOym)k+VAtyV^mF)$29Y`nw&ijdg~jYpkx%*^ z8dz`C*g=I?;clyi5|!27e2AuSa$&%UyR(J3W!A=ZgHF9OuKA34I-1U~pyD!KuRkjA zbkN!?MfQOeN>DUPBxoy5IX}@vw`EEB->q!)8fRl_mqUVuRu|C@KD-;yl=yKc=ZT0% zB$fMwcC|HE*0f8+PVlWHi>M`zfsA(NQFET?LrM^pPcw`cK+Mo0%8*x8@65=CS_^$cG{GZQ#xv($7J z??R$P)nPLodI;P!IC3eEYEHh7TV@opr#*)6A-;EU2XuogHvC;;k1aI8asq7ovoP!* z?x%UoPrZjj<&&aWpsbr>J$Er-7!E(BmOyEv!-mbGQGeJm-U2J>74>o5x`1l;)+P&~ z>}f^=Rx(ZQ2bm+YE0u=ZYrAV@apyt=v1wb?R@`i_g64YyAwcOUl=C!i>=Lzb$`tjv zOO-P#A+)t-JbbotGMT}arNhJmmGl-lyUpMn=2UacVZxmiG!s!6H39@~&uVokS zG=5qWhfW-WOI9g4!R$n7!|ViL!|v3G?GN6HR0Pt_L5*>D#FEj5wM1DScz4Jv@Sxnl zB@MPPmdI{(2D?;*wd>3#tjAirmUnQoZrVv`xM3hARuJksF(Q)wd4P$88fGYOT1p6U z`AHSN!`St}}UMBT9o7i|G`r$ zrB=s$qV3d6$W9@?L!pl0lf%)xs%1ko^=QY$ty-57=55PvP(^6E7cc zGJ*>m2=;fOj?F~yBf@K@9qwX0hA803Xw+b0m}+#a(>RyR8}*Y<4b+kpp|OS+!whP( zH`v{%s>jsQI9rd$*vm)EkwOm#W_-rLTHcZRek)>AtF+~<(did)*oR1|&~1|e36d-d 
zgtm5cv1O0oqgWC%Et@P4Vhm}Ndl(Y#C^MD03g#PH-TFy+7!Osv1z^UWS9@%JhswEq~6kSr2DITo59+; ze=ZC}i2Q?CJ~Iyu?vn|=9iKV>4j8KbxhE4&!@SQ^dVa-gK@YfS9xT(0kpW*EDjYUkoj! zE49{7H&E}k%5(>sM4uGY)Q*&3>{aitqdNnRJkbOmD5Mp5rv-hxzOn80QsG=HJ_atI-EaP69cacR)Uvh{G5dTpYG7d zbtmRMq@Sexey)||UpnZ?;g_KMZq4IDCy5}@u!5&B^-=6yyY{}e4Hh3ee!ZWtL*s?G zxG(A!<9o!CL+q?u_utltPMk+hn?N2@?}xU0KlYg?Jco{Yf@|mSGC<(Zj^yHCvhmyx z?OxOYoxbptDK()tsJ42VzXdINAMWL$0Gcw?G(g8TMB)Khw_|v9`_ql#pRd2i*?CZl z7k1b!jQB=9-V@h%;Cnl7EKi;Y^&NhU0mWEcj8B|3L30Ku#-9389Q+(Yet0r$F=+3p z6AKOMAIi|OHyzlHZtOm73}|ntKtFaXF2Fy|M!gOh^L4^62kGUoWS1i{9gsds_GWBc zLw|TaLP64z3z9?=R2|T6Xh2W4_F*$cq>MtXMOy&=IPIJ`;!Tw?PqvI2b*U1)25^<2 zU_ZPoxg_V0tngA0J+mm?3;OYw{i2Zb4x}NedZug!>EoN3DC{1i)Z{Z4m*(y{ov2%- zk(w>+scOO}MN!exSc`TN)!B=NUX`zThWO~M*ohqq;J2hx9h9}|s#?@eR!=F{QTrq~ zTcY|>azkCe$|Q0XFUdpFT=lTcyW##i;-e{}ORB4D?t@SfqGo_cS z->?^rh$<&n9DL!CF+h?LMZRi)qju!meugvxX*&jfD!^1XB3?E?HnwHP8$;uX{Rvp# zh|)hM>XDv$ZGg=$1{+_bA~u-vXqlw6NH=nkpyWE0u}LQjF-3NhATL@9rRxMnpO%f7 z)EhZf{PF|mKIMFxnC?*78(}{Y)}iztV12}_OXffJ;ta!fcFIVjdchyHxH=t%ci`Xd zX2AUB?%?poD6Zv*&BA!6c5S#|xn~DK01#XvjT!w!;&`lDXSJT4_j$}!qSPrb37vc{ z9^NfC%QvPu@vlxaZ;mIbn-VHA6miwi8qJ~V;pTZkKqqOii<1Cs}0i?uUIss;hM4dKq^1O35y?Yp=l4i zf{M!@QHH~rJ&X~8uATV><23zZUbs-J^3}$IvV_ANLS08>k`Td7aU_S1sLsfi*C-m1 z-e#S%UGs4E!;CeBT@9}aaI)qR-6NU@kvS#0r`g&UWg?fC7|b^_HyCE!8}nyh^~o@< zpm7PDFs9yxp+byMS(JWm$NeL?DNrMCNE!I^ko-*csB+dsf4GAq{=6sfyf4wb>?v1v zmb`F*bN1KUx-`ra1+TJ37bXNP%`-Fd`vVQFTwWpX@;s(%nDQa#oWhgk#mYlY*!d>( zE&!|ySF!mIyfING+#%RDY3IBH_fW$}6~1%!G`suHub1kP@&DoAd5~7J55;5_noPI6eLf{t;@9Kf<{aO0`1WNKd?<)C-|?C?)3s z>wEq@8=I$Wc~Mt$o;g++5qR+(6wt9GI~pyrDJ%c?gPZe)owvy^J2S=+M^ z&WhIE`g;;J^xQLVeCtf7b%Dg#Z2gq9hp_%g)-%_`y*zb; zn9`f`mUPN-Ts&fFo(aNTsXPA|J!TJ{0hZp0^;MYHLOcD=r_~~^ymS8KLCSeU3;^QzJNqS z5{5rEAv#l(X?bvwxpU;2%pQftF`YFgrD1jt2^~Mt^~G>T*}A$yZc@(k9orlCGv&|1 zWWvVgiJsCAtamuAYT~nzs?TQFt<1LSEx!@e0~@yd6$b5!Zm(FpBl;(Cn>2vF?k zOm#TTjFwd2D-CyA!mqR^?#Uwm{NBemP>(pHmM}9;;8`c&+_o3#E5m)JzfwN?(f-a4 zyd%xZc^oQx3XT?vcCqCX&Qrk~nu;fxs@JUoyVoi5fqpi&bUhQ2y!Ok2pzsFR(M(|U 
zw3E+kH_zmTRQ9dUMZWRE%Zakiwc+lgv7Z%|YO9YxAy`y28`Aw;WU6HXBgU7fl@dnt z-fFBV)}H-gqP!1;V@Je$WcbYre|dRdp{xt!7sL3Eoa%IA`5CAA%;Wq8PktwPdULo! z8!sB}Qt8#jH9Sh}QiUtEPZ6H0b*7qEKGJ%ITZ|vH)5Q^2m<7o3#Z>AKc%z7_u`rXA zqrCy{-{8;9>dfllLu$^M5L z-hXs))h*qz%~ActwkIA(qOVBZl2v4lwbM>9l70Y`+T*elINFqt#>OaVWoja8RMsep z6Or3f=oBnA3vDbn*+HNZP?8LsH2MY)x%c13@(XfuGR}R?Nu<|07{$+Lc3$Uv^I!MQ z>6qWgd-=aG2Y^24g4{Bw9ueOR)(9h`scImD=86dD+MnSN4$6 z^U*o_mE-6Rk~Dp!ANp#5RE9n*LG(Vg`1)g6!(XtDzsov$Dvz|Gv1WU68J$CkshQhS zCrc|cdkW~UK}5NeaWj^F4MSgFM+@fJd{|LLM)}_O<{rj z+?*Lm?owq?IzC%U%9EBga~h-cJbIu=#C}XuWN>OLrc%M@Gu~kFEYUi4EC6l#PR2JS zQUkGKrrS#6H7}2l0F@S11DP`@pih0WRkRJl#F;u{c&ZC{^$Z+_*lB)r)-bPgRFE;* zl)@hK4`tEP=P=il02x7-C7p%l=B`vkYjw?YhdJU9!P!jcmY$OtC^12w?vy3<<=tlY zUwHJ_0lgWN9vf>1%WACBD{UT)1qHQSE2%z|JHvP{#INr13jM}oYv_5#xsnv9`)UAO zuwgyV4YZ;O)eSc3(mka6=aRohi!HH@I#xq7kng?Acdg7S4vDJb6cI5fw?2z%3yR+| zU5v@Hm}vy;${cBp&@D=HQ9j7NcFaOYL zj-wV=eYF{|XTkFNM2uz&T8uH~;)^Zo!=KP)EVyH6s9l1~4m}N%XzPpduPg|h-&lL` zAXspR0YMOKd2yO)eMFFJ4?sQ&!`dF&!|niH*!^*Ml##o0M(0*uK9&yzekFi$+mP9s z>W9d%Jb)PtVi&-Ha!o~Iyh@KRuKpQ@)I~L*d`{O8!kRObjO7=n+Gp36fe!66neh+7 zW*l^0tTKjLLzr`x4`_8&on?mjW-PzheTNox8Hg7Nt@*SbE-%kP2hWYmHu#Fn@Q^J(SsPUz*|EgOoZ6byg3ew88UGdZ>9B2Tq=jF72ZaR=4u%1A6Vm{O#?@dD!(#tmR;eP(Fu z{$0O%=Vmua7=Gjr8nY%>ul?w=FJ76O2js&17W_iq2*tb!i{pt#`qZB#im9Rl>?t?0c zicIC}et_4d+CpVPx)i4~$u6N-QX3H77ez z?ZdvXifFk|*F8~L(W$OWM~r`pSk5}#F?j_5u$Obu9lDWIknO^AGu+Blk7!9Sb;NjS zncZA?qtASdNtzQ>z7N871IsPAk^CC?iIL}+{K|F@BuG2>qQ;_RUYV#>hHO(HUPpk@ z(bn~4|F_jiZi}Sad;_7`#4}EmD<1EiIxa48QjUuR?rC}^HRocq`OQPM@aHVKP9E#q zy%6bmHygCpIddPjE}q_DPC`VH_2m;Eey&ZH)E6xGeStOK7H)#+9y!%-Hm|QF6w#A( zIC0Yw%9j$s-#odxG~C*^MZ?M<+&WJ+@?B_QPUyTg9DJGtQN#NIC&-XddRsf3n^AL6 zT@P|H;PvN;ZpL0iv$bRb7|J{0o!Hq+S>_NrH4@coZtBJu#g8#CbR7|#?6uxi8d+$g z87apN>EciJZ`%Zv2**_uiET9Vk{pny&My;+WfGDw4EVL#B!Wiw&M|A8f1A@ z(yFQS6jfbH{b8Z-S7D2?Ixl`j0{+ZnpT=;KzVMLW{B$`N?Gw^Fl0H6lT61%T2AU**!sX0u?|I(yoy&Xveg7XBL&+>n6jd1##6d>TxE*Vj=8lWiG$4=u{1UbAa5QD>5_ z;Te^42v7K6Mmu4IWT6Rnm>oxrl~b<~^e3vbj-GCdHLIB_>59}Ya+~OF68NiH=?}2o 
zP(X7EN=quQn&)fK>M&kqF|<_*H`}c zk=+x)GU>{Af#vx&s?`UKUsz})g^Pc&?Ka@t5$n$bqf6{r1>#mWx6Ep>9|A}VmWRnowVo`OyCr^fHsf# zQjQ3Ttp7y#iQY8l`zEUW)(@gGQdt(~rkxlkefskT(t%@i8=|p1Y9Dc5bc+z#n$s13 zGJk|V0+&Ekh(F};PJzQKKo+FG@KV8a<$gmNSD;7rd_nRdc%?9)p!|B-@P~kxQG}~B zi|{0}@}zKC(rlFUYp*dO1RuvPC^DQOkX4<+EwvBAC{IZQdYxoq1Za!MW7%p7gGr=j zzWnAq%)^O2$eItftC#TTSArUyL$U54-O7e|)4_7%Q^2tZ^0-d&3J1}qCzR4dWX!)4 zzIEKjgnYgMus^>6uw4Jm8ga6>GBtMjpNRJ6CP~W=37~||gMo_p@GA@#-3)+cVYnU> zE5=Y4kzl+EbEh%dhQokB{gqNDqx%5*qBusWV%!iprn$S!;oN_6E3?0+umADVs4ako z?P+t?m?};gev9JXQ#Q&KBpzkHPde_CGu-y z<{}RRAx=xlv#mVi+Ibrgx~ujW$h{?zPfhz)Kp7kmYS&_|97b&H&1;J-mzrBWAvY} zh8-I8hl_RK2+nnf&}!W0P+>5?#?7>npshe<1~&l_xqKd0_>dl_^RMRq@-Myz&|TKZBj1=Q()) zF{dBjv5)h=&Z)Aevx}+i|7=R9rG^Di!sa)sZCl&ctX4&LScQ-kMncgO(9o6W6)yd< z@Rk!vkja*X_N3H=BavGoR0@u0<}m-7|2v!0+2h~S2Q&a=lTH91OJsvms2MT~ zY=c@LO5i`mLpBd(vh|)I&^A3TQLtr>w=zoyzTd=^f@TPu&+*2MtqE$Avf>l>}V|3-8Fp2hzo3y<)hr_|NO(&oSD z!vEjTWBxbKTiShVl-U{n*B3#)3a8$`{~Pk}J@elZ=>Pqp|MQ}jrGv7KrNcjW%TN_< zZz8kG{#}XoeWf7qY?D)L)8?Q-b@Na&>i=)(@uNo zr;cH98T3$Iau8Hn*@vXi{A@YehxDE2zX~o+RY`)6-X{8~hMpc#C`|8y> zU8Mnv5A0dNCf{Ims*|l-^ z(MRp{qoGohB34|ggDI*p!Aw|MFyJ|v+<+E3brfrI)|+l3W~CQLPbnF@G0)P~Ly!1TJLp}xh8uW`Q+RB-v`MRYZ9Gam3cM%{ zb4Cb*f)0deR~wtNb*8w-LlIF>kc7DAv>T0D(a3@l`k4TFnrO+g9XH7;nYOHxjc4lq zMmaW6qpgAgy)MckYMhl?>sq;-1E)-1llUneeA!ya9KM$)DaNGu57Z5aE>=VST$#vb zFo=uRHr$0M{-ha>h(D_boS4zId;3B|Tpqo|?B?Z@I?G(?&Iei+-{9L_A9=h=Qfn-U z1wIUnQe9!z%_j$F_{rf&`ZFSott09gY~qrf@g3O=Y>vzAnXCyL!@(BqWa)Zqt!#_k zfZHuwS52|&&)aK;CHq9V-t9qt0au{$#6c*R#e5n3rje0hic7c7m{kW$p(_`wB=Gw7 z4k`1Hi;Mc@yA7dp@r~?@rfw)TkjAW++|pkfOG}0N|2guek}j8Zen(!+@7?qt_7ndX zB=BG6WJ31#F3#Vk3=aQr8T)3`{=p9nBHlKzE0I@v`{vJ}h8pd6vby&VgFhzH|q;=aonunAXL6G2y(X^CtAhWr*jI zGjpY@raZDQkg*aMq}Ni6cRF z{oWv}5`nhSAv>usX}m^GHt`f(t8@zHc?K|y5Zi=4G*UG1Sza{$Dpj%X8 zzEXaKT5N6F5j4J|w#qlZP!zS7BT)9b+!ZSJdToqJts1c!)fwih4d31vfb{}W)EgcA zH2pZ^8_k$9+WD2n`6q5XbOy8>3pcYH9 z07eUB+p}YD@AH!}p!iKv><2QF-Y^&xx^PAc1F13A{nUeCDg&{hnix#FiO!fe(^&%Qcux!h znu*S!s$&nnkeotYsDthh1dq(iQrE|#f_=xVgfiiL&-5eAcC-> 
z5L0l|DVEM$#ulf{bj+Y~7iD)j<~O8CYM8GW)dQGq)!mck)FqoL^X zwNdZb3->hFrbHFm?hLvut-*uK?zXn3q1z|UX{RZ;-WiLoOjnle!xs+W0-8D)kjU#R z+S|A^HkRg$Ij%N4v~k`jyHffKaC~=wg=9)V5h=|kLQ@;^W!o2^K+xG&2n`XCd>OY5Ydi= zgHH=lgy++erK8&+YeTl7VNyVm9-GfONlSlVb3)V9NW5tT!cJ8d7X)!b-$fb!s76{t z@d=Vg-5K_sqHA@Zx-L_}wVnc@L@GL9_K~Zl(h5@AR#FAiKad8~KeWCo@mgXIQ#~u{ zgYFwNz}2b6Vu@CP0XoqJ+dm8px(5W5-Jpis97F`+KM)TuP*X8H@zwiVKDKGVp59pI zifNHZr|B+PG|7|Y<*tqap0CvG7tbR1R>jn70t1X`XJixiMVcHf%Ez*=xm1(CrTSDt z0cle!+{8*Ja&EOZ4@$qhBuKQ$U95Q%rc7tg$VRhk?3=pE&n+T3upZg^ZJc9~c2es% zh7>+|mrmA-p&v}|OtxqmHIBgUxL~^0+cpfkSK2mhh+4b=^F1Xgd2)}U*Yp+H?ls#z zrLxWg_hm}AfK2XYWr!rzW4g;+^^&bW%LmbtRai9f3PjU${r@n`JThy-cphbcwn)rq9{A$Ht`lmYKxOacy z6v2R(?gHhD5@&kB-Eg?4!hAoD7~(h>(R!s1c1Hx#s9vGPePUR|of32bS`J5U5w{F) z>0<^ktO2UHg<0{oxkdOQ;}coZDQph8p6ruj*_?uqURCMTac;>T#v+l1Tc~%^k-Vd@ zkc5y35jVNc49vZpZx;gG$h{%yslDI%Lqga1&&;mN{Ush1c7p>7e-(zp}6E7f-XmJb4nhk zb8zS+{IVbL$QVF8pf8}~kQ|dHJAEATmmnrb_wLG}-yHe>W|A&Y|;muy-d^t^<&)g5SJfaTH@P1%euONny=mxo+C z4N&w#biWY41r8k~468tvuYVh&XN&d#%QtIf9;iVXfWY)#j=l`&B~lqDT@28+Y!0E+MkfC}}H*#(WKKdJJq=O$vNYCb(ZG@p{fJgu;h z21oHQ(14?LeT>n5)s;uD@5&ohU!@wX8w*lB6i@GEH0pM>YTG+RAIWZD;4#F1&F%Jp zXZUml2sH0!lYJT?&sA!qwez6cXzJEd(1ZC~kT5kZSp7(@=H2$Azb_*W&6aA|9iwCL zdX7Q=42;@dspHDwYE?miGX#L^3xD&%BI&fN9^;`v4OjQXPBaBmOF1;#C)8XA(WFlH zycro;DS2?(G&6wkr6rqC>rqDv3nfGw3hmN_9Al>TgvmGsL8_hXx09};l9Ow@)F5@y z#VH5WigLDwZE4nh^7&@g{1FV^UZ%_LJ-s<{HN*2R$OPg@R~Z`c-ET*2}XB@9xvAjrK&hS=f|R8Gr9 zr|0TGOsI7RD+4+2{ZiwdVD@2zmg~g@^D--YL;6UYGSM8i$NbQr4!c7T9rg!8;TM0E zT#@?&S=t>GQm)*ua|?TLT2ktj#`|R<_*FAkOu2Pz$wEc%-=Y9V*$&dg+wIei3b*O8 z2|m$!jJG!J!ZGbbIa!(Af~oSyZV+~M1qGvelMzPNE_%5?c2>;MeeG2^N?JDKjFYCy z7SbPWH-$cWF9~fX%9~v99L!G(wi!PFp>rB!9xj7=Cv|F+7CsGNwY0Q_J%FID%C^CBZQfJ9K(HK%k31j~e#&?hQ zNuD6gRkVckU)v+53-fc} z7ZCzYN-5RG4H7;>>Hg?LU9&5_aua?A0)0dpew1#MMlu)LHe(M;OHjHIUl7|%%)YPo z0cBk;AOY00%Fe6heoN*$(b<)Cd#^8Iu;-2v@>cE-OB$icUF9EEoaC&q8z9}jMTT2I z8`9;jT%z0;dy4!8U;GW{i`)3!c6&oWY`J3669C!tM<5nQFFrFRglU8f)5Op$GtR-3 
zn!+SPCw|04sv?%YZ(a7#L?vsdr7ss@WKAw&A*}-1S|9~cL%uA+E~>N6QklFE>8W|% zyX-qAUGTY1hQ-+um`2|&ji0cY*(qN!zp{YpDO-r>jPk*yuVSay<)cUt`t@&FPF_&$ zcHwu1(SQ`I-l8~vYyUxm@D1UEdFJ$f5Sw^HPH7b!9 zzYT3gKMF((N(v0#4f_jPfVZ=ApN^jQJe-X$`A?X+vWjLn_%31KXE*}5_}d8 zw_B1+a#6T1?>M{ronLbHIlEsMf93muJ7AH5h%;i99<~JX^;EAgEB1uHralD*!aJ@F zV2ruuFe9i2Q1C?^^kmVy921eb=tLDD43@-AgL^rQ3IO9%+vi_&R2^dpr}x{bCVPej z7G0-0o64uyWNtr*loIvslyo0%)KSDDKjfThe0hcqs)(C-MH1>bNGBDRTW~scy_{w} zp^aq8Qb!h9Lwielq%C1b8=?Z=&U)ST&PHbS)8Xzjh2DF?d{iAv)Eh)wsUnf>UtXN( zL7=$%YrZ#|^c{MYmhn!zV#t*(jdmYdCpwqpZ{v&L8KIuKn`@IIZfp!uo}c;7J57N` zAxyZ-uA4=Gzl~Ovycz%MW9ZL7N+nRo&1cfNn9(1H5eM;V_4Z_qVann7F>5f>%{rf= zPBZFaV@_Sobl?Fy&KXyzFDV*FIdhS5`Uc~S^Gjo)aiTHgn#<0C=9o-a-}@}xDor;D zZyZ|fvf;+=3MZd>SR1F^F`RJEZo+|MdyJYQAEauKu%WDol~ayrGU3zzbHKsnHKZ*z zFiwUkL@DZ>!*x05ql&EBq@_Vqv83&?@~q5?lVmffQZ+V-=qL+!u4Xs2Z2zdCQ3U7B&QR9_Iggy} z(om{Y9eU;IPe`+p1ifLx-XWh?wI)xU9ik+m#g&pGdB5Bi<`PR*?92lE0+TkRuXI)z z5LP!N2+tTc%cB6B1F-!fj#}>S!vnpgVU~3!*U1ej^)vjUH4s-bd^%B=ItQqDCGbrEzNQi(dJ`J}-U=2{7-d zK8k^Rlq2N#0G?9&1?HSle2vlkj^KWSBYTwx`2?9TU_DX#J+f+qLiZCqY1TXHFxXZqYMuD@RU$TgcnCC{_(vwZ-*uX)~go#%PK z@}2Km_5aQ~(<3cXeJN6|F8X_1@L%@xTzs}$_*E|a^_URF_qcF;Pfhoe?FTFwvjm1o z8onf@OY@jC2tVcMaZS;|T!Ks(wOgPpRzRnFS-^RZ4E!9dsnj9sFt609a|jJbb1Dt@ z<=Gal2jDEupxUSwWu6zp<<&RnAA;d&4gKVG0iu6g(DsST(4)z6R)zDpfaQ}v{5ARt zyhwvMtF%b-YazR5XLz+oh=mn;y-Mf2a8>7?2v8qX;19y?b>Z5laGHvzH;Nu9S`B8} zI)qN$GbXIQ1VL3lnof^6TS~rvPVg4V?Dl2Bb*K2z4E{5vy<(@@K_cN@U>R!>aUIRnb zL*)=787*cs#zb31zBC49x$`=fkQbMAef)L2$dR{)6BAz!t5U_B#1zZG`^neKSS22oJ#5B=gl%U=WeqL9REF2g zZnfCb0?quf?Ztj$VXvDSWoK`0L=Zxem2q}!XWLoT-kYMOx)!7fcgT35uC~0pySEme z`{wGWTkGr7>+Kb^n;W?BZH6ZP(9tQX%-7zF>vc2}LuWDI(9kh1G#7B99r4x6;_-V+k&c{nPUrR zAXJGRiMe~aup{0qzmLNjS_BC4cB#sXjckx{%_c&^xy{M61xEb>KW_AG5VFXUOjAG4 z^>Qlm9A#1N{4snY=(AmWzatb!ngqiqPbBZ7>Uhb3)dTkSGcL#&SH>iMO-IJBPua`u zo)LWZ>=NZLr758j{%(|uQuZ)pXq_4c!!>s|aDM9#`~1bzK3J1^^D#<2bNCccH7~-X}Ggi!pIIF>uFx%aPARGQsnC8ZQc8lrQ5o~smqOg>Ti^GNme94*w z)JZy{_{#$jxGQ&`M 
z!OMvZMHR>8*^>eS%o*6hJwn!l8VOOjZQJvh)@tnHVW&*GYPuxqXw}%M!(f-SQf`=L z5;=5w2;%82VMH6Xi&-K3W)o&K^+vJCepWZ-rW%+Dc6X3(){z$@4zjYxQ|}8UIojeC zYZpQ1dU{fy=oTr<4VX?$q)LP}IUmpiez^O&N3E_qPpchGTi5ZM6-2ScWlQq%V&R2Euz zO|Q0Hx>lY1Q1cW5xHv5!0OGU~PVEqSuy#fD72d#O`N!C;o=m+YioGu-wH2k6!t<~K zSr`E=W9)!g==~x9VV~-8{4ZN9{~-A9zJpRe%NGg$+MDuI-dH|b@BD)~>pPCGUNNzY zMDg||0@XGQgw`YCt5C&A{_+J}mvV9Wg{6V%2n#YSRN{AP#PY?1FF1#|vO_%e+#`|2*~wGAJaeRX6=IzFNeWhz6gJc8+(03Ph4y6ELAm=AkN7TOgMUEw*N{= z_)EIDQx5q22oUR+_b*tazu9+pX|n1c*IB-}{DqIj z-?E|ks{o3AGRNb;+iKcHkZvYJvFsW&83RAPs1Oh@IWy%l#5x2oUP6ZCtv+b|q>jsf zZ_9XO;V!>n`UxH1LvH8)L4?8raIvasEhkpQoJ`%!5rBs!0Tu(s_D{`4opB;57)pkX z4$A^8CsD3U5*!|bHIEqsn~{q+Ddj$ME@Gq4JXtgVz&7l{Ok!@?EA{B3P~NAqb9)4? zkQo30A^EbHfQ@87G5&EQTd`frrwL)&Yw?%-W@uy^Gn23%j?Y!Iea2xw<-f;esq zf%w5WN@E1}zyXtYv}}`U^B>W`>XPmdLj%4{P298|SisrE;7HvXX;A}Ffi8B#3Lr;1 zHt6zVb`8{#+e$*k?w8|O{Uh|&AG}|DG1PFo1i?Y*cQm$ZwtGcVgMwtBUDa{~L1KT-{jET4w60>{KZ27vXrHJ;fW{6| z=|Y4!&UX020wU1>1iRgB@Q#m~1^Z^9CG1LqDhYBrnx%IEdIty z!46iOoKlKs)c}newDG)rWUikD%j`)p z_w9Ph&e40=(2eBy;T!}*1p1f1SAUDP9iWy^u^Ubdj21Kn{46;GR+hwLO=4D11@c~V zI8x&(D({K~Df2E)Nx_yQvYfh4;MbMJ@Z}=Dt3_>iim~QZ*hZIlEs0mEb z_54+&*?wMD`2#vsQRN3KvoT>hWofI_Vf(^C1ff-Ike@h@saEf7g}<9T`W;HAne-Nd z>RR+&SP35w)xKn8^U$7))PsM!jKwYZ*RzEcG-OlTrX3}9a{q%#Un5E5W{{hp>w~;` zGky+3(vJvQyGwBo`tCpmo0mo((?nM8vf9aXrrY1Ve}~TuVkB(zeds^jEfI}xGBCM2 zL1|#tycSaWCurP+0MiActG3LCas@_@tao@(R1ANlwB$4K53egNE_;!&(%@Qo$>h`^1S_!hN6 z)vZtG$8fN!|BXBJ=SI>e(LAU(y(i*PHvgQ2llulxS8>qsimv7yL}0q_E5WiAz7)(f zC(ahFvG8&HN9+6^jGyLHM~$)7auppeWh_^zKk&C_MQ~8;N??OlyH~azgz5fe^>~7F zl3HnPN3z-kN)I$4@`CLCMQx3sG~V8hPS^}XDXZrQA>}mQPw%7&!sd(Pp^P=tgp-s^ zjl}1-KRPNWXgV_K^HkP__SR`S-|OF0bR-N5>I%ODj&1JUeAQ3$9i;B~$S6}*^tK?= z**%aCiH7y?xdY?{LgVP}S0HOh%0%LI$wRx;$T|~Y8R)Vdwa}kGWv8?SJVm^>r6+%I z#lj1aR94{@MP;t-scEYQWc#xFA30^}?|BeX*W#9OL;Q9#WqaaM546j5j29((^_8Nu z4uq}ESLr~r*O7E7$D{!k9W>`!SLoyA53i9QwRB{!pHe8um|aDE`Cg0O*{jmor)^t)3`>V>SWN-2VJcFmj^1?~tT=JrP`fVh*t zXHarp=8HEcR#vFe+1a%XXuK+)oFs`GDD}#Z+TJ}Ri`FvKO@ek2ayn}yaOi%(8p%2$ 
zpEu)v0Jym@f}U|-;}CbR=9{#<^z28PzkkTNvyKvJDZe+^VS2bES3N@Jq!-*}{oQlz z@8bgC_KnDnT4}d#&Cpr!%Yb?E!brx0!eVOw~;lLwUoz#Np%d$o%9scc3&zPm`%G((Le|6o1 zM(VhOw)!f84zG^)tZ1?Egv)d8cdNi+T${=5kV+j;Wf%2{3g@FHp^Gf*qO0q!u$=m9 zCaY`4mRqJ;FTH5`a$affE5dJrk~k`HTP_7nGTY@B9o9vvnbytaID;^b=Tzp7Q#DmD zC(XEN)Ktn39z5|G!wsVNnHi) z%^q94!lL|hF`IijA^9NR0F$@h7k5R^ljOW(;Td9grRN0Mb)l_l7##{2nPQ@?;VjXv zaLZG}yuf$r$<79rVPpXg?6iiieX|r#&`p#Con2i%S8*8F}(E) zI5E6c3tG*<;m~6>!&H!GJ6zEuhH7mkAzovdhLy;)q z{H2*8I^Pb}xC4s^6Y}6bJvMu=8>g&I)7!N!5QG$xseeU#CC?ZM-TbjsHwHgDGrsD= z{%f;@Sod+Ch66Ko2WF~;Ty)v>&x^aovCbCbD7>qF*!?BXmOV3(s|nxsb*Lx_2lpB7 zokUnzrk;P=T-&kUHO}td+Zdj!3n&NR?K~cRU zAXU!DCp?51{J4w^`cV#ye}(`SQhGQkkMu}O3M*BWt4UsC^jCFUy;wTINYmhD$AT;4 z?Xd{HaJjP`raZ39qAm;%beDbrLpbRf(mkKbANan7XsL>_pE2oo^$TgdidjRP!5-`% zv0d!|iKN$c0(T|L0C~XD0aS8t{*&#LnhE;1Kb<9&=c2B+9JeLvJr*AyyRh%@jHej=AetOMSlz^=!kxX>>B{2B1uIrQyfd8KjJ+DBy!h)~*(!|&L4^Q_07SQ~E zcemVP`{9CwFvPFu7pyVGCLhH?LhEVb2{7U+Z_>o25#+3<|8%1T^5dh}*4(kfJGry} zm%r#hU+__Z;;*4fMrX=Bkc@7|v^*B;HAl0((IBPPii%X9+u3DDF6%bI&6?Eu$8&aWVqHIM7mK6?Uvq$1|(-T|)IV<>e?!(rY zqkmO1MRaLeTR=)io(0GVtQT@s6rN%C6;nS3@eu;P#ry4q;^O@1ZKCJyp_Jo)Ty^QW z+vweTx_DLm{P-XSBj~Sl<%_b^$=}odJ!S2wAcxenmzFGX1t&Qp8Vxz2VT`uQsQYtdn&_0xVivIcxZ_hnrRtwq4cZSj1c-SG9 z7vHBCA=fd0O1<4*=lu$6pn~_pVKyL@ztw1swbZi0B?spLo56ZKu5;7ZeUml1Ws1?u zqMf1p{5myAzeX$lAi{jIUqo1g4!zWLMm9cfWcnw`k6*BR^?$2(&yW?>w;G$EmTA@a z6?y#K$C~ZT8+v{87n5Dm&H6Pb_EQ@V0IWmG9cG=O;(;5aMWWrIPzz4Q`mhK;qQp~a z+BbQrEQ+w{SeiuG-~Po5f=^EvlouB@_|4xQXH@A~KgpFHrwu%dwuCR)=B&C(y6J4J zvoGk9;lLs9%iA-IJGU#RgnZZR+@{5lYl8(e1h6&>Vc_mvg0d@);X zji4T|n#lB!>pfL|8tQYkw?U2bD`W{na&;*|znjmalA&f;*U++_aBYerq;&C8Kw7mI z7tsG*?7*5j&dU)Lje;^{D_h`%(dK|pB*A*1(Jj)w^mZ9HB|vGLkF1GEFhu&rH=r=8 zMxO42e{Si6$m+Zj`_mXb&w5Q(i|Yxyg?juUrY}78uo@~3v84|8dfgbPd0iQJRdMj< zncCNGdMEcsxu#o#B5+XD{tsg*;j-eF8`mp~K8O1J!Z0+>0=7O=4M}E?)H)ENE;P*F z$Ox?ril_^p0g7xhDUf(q652l|562VFlC8^r8?lQv;TMvn+*8I}&+hIQYh2 z1}uQQaag&!-+DZ@|C+C$bN6W;S-Z@)d1|en+XGvjbOxCa-qAF*LA=6s(Jg+g;82f$ 
z(Vb)8I)AH@cdjGFAR5Rqd0wiNCu!xtqWbcTx&5kslzTb^7A78~Xzw1($UV6S^VWiP zFd{Rimd-0CZC_Bu(WxBFW7+k{cOW7DxBBkJdJ;VsJ4Z@lERQr%3eVv&$%)b%<~ zCl^Y4NgO}js@u{|o~KTgH}>!* z_iDNqX2(As7T0xivMH|3SC1ivm8Q}6Ffcd7owUKN5lHAtzMM4<0v+ykUT!QiowO;`@%JGv+K$bBx@*S7C8GJVqQ_K>12}M`f_Ys=S zKFh}HM9#6Izb$Y{wYzItTy+l5U2oL%boCJn?R3?jP@n$zSIwlmyGq30Cw4QBO|14` zW5c);AN*J3&eMFAk$SR~2k|&+&Bc$e>s%c{`?d~85S-UWjA>DS5+;UKZ}5oVa5O(N zqqc@>)nee)+4MUjH?FGv%hm2{IlIF-QX}ym-7ok4Z9{V+ZHVZQl$A*x!(q%<2~iVv znUa+BX35&lCb#9VE-~Y^W_f;Xhl%vgjwdjzMy$FsSIj&ok}L+X`4>J=9BkN&nu^E*gbhj3(+D>C4E z@Fwq_=N)^bKFSHTzZk?-gNU$@l}r}dwGyh_fNi=9b|n}J>&;G!lzilbWF4B}BBq4f zYIOl?b)PSh#XTPp4IS5ZR_2C!E)Z`zH0OW%4;&~z7UAyA-X|sh9@~>cQW^COA9hV4 zXcA6qUo9P{bW1_2`eo6%hgbN%(G-F1xTvq!sc?4wN6Q4`e9Hku zFwvlAcRY?6h^Fj$R8zCNEDq8`=uZB8D-xn)tA<^bFFy}4$vA}Xq0jAsv1&5!h!yRA zU()KLJya5MQ`q&LKdH#fwq&(bNFS{sKlEh_{N%{XCGO+po#(+WCLmKW6&5iOHny>g z3*VFN?mx!16V5{zyuMWDVP8U*|BGT$(%IO|)?EF|OI*sq&RovH!N%=>i_c?K*A>>k zyg1+~++zY4Q)J;VWN0axhoIKx;l&G$gvj(#go^pZskEVj8^}is3Jw26LzYYVos0HX zRPvmK$dVxM8(Tc?pHFe0Z3uq){{#OK3i-ra#@+;*=ui8)y6hsRv z4Fxx1c1+fr!VI{L3DFMwXKrfl#Q8hfP@ajgEau&QMCxd{g#!T^;ATXW)nUg&$-n25 zruy3V!!;{?OTobo|0GAxe`Acn3GV@W=&n;~&9 zQM>NWW~R@OYORkJAo+eq1!4vzmf9K%plR4(tB@TR&FSbDoRgJ8qVcH#;7lQub*nq&?Z>7WM=oeEVjkaG zT#f)=o!M2DO5hLR+op>t0CixJCIeXH*+z{-XS|%jx)y(j&}Wo|3!l7{o)HU3m7LYyhv*xF&tq z%IN7N;D4raue&&hm0xM=`qv`+TK@;_xAcGKuK(2|75~ar2Yw)geNLSmVxV@x89bQu zpViVKKnlkwjS&&c|-X6`~xdnh}Ps)Hs z4VbUL^{XNLf7_|Oi>tA%?SG5zax}esF*FH3d(JH^Gvr7Rp*n=t7frH!U;!y1gJB^i zY_M$KL_}mW&XKaDEi9K-wZR|q*L32&m+2n_8lq$xRznJ7p8}V>w+d@?uB!eS3#u<} zIaqi!b!w}a2;_BfUUhGMy#4dPx>)_>yZ`ai?Rk`}d0>~ce-PfY-b?Csd(28yX22L% zI7XI>OjIHYTk_@Xk;Gu^F52^Gn6E1&+?4MxDS2G_#PQ&yXPXP^<-p|2nLTb@AAQEY zI*UQ9Pmm{Kat}wuazpjSyXCdnrD&|C1c5DIb1TnzF}f4KIV6D)CJ!?&l&{T)e4U%3HTSYqsQ zo@zWB1o}ceQSV)<4G<)jM|@@YpL+XHuWsr5AYh^Q{K=wSV99D~4RRU52FufmMBMmd z_H}L#qe(}|I9ZyPRD6kT>Ivj&2Y?qVZq<4bG_co_DP`sE*_Xw8D;+7QR$Uq(rr+u> z8bHUWbV19i#)@@G4bCco@Xb<8u~wVDz9S`#k@ciJtlu@uP1U0X?yov8v9U3VOig2t zL9?n$P3=1U_Emi$#slR>N5wH-=J&T=EdUHA}_Z 
zZIl3nvMP*AZS9{cDqFanrA~S5BqxtNm9tlu;^`)3X&V4tMAkJ4gEIPl= zoV!Gyx0N{3DpD@)pv^iS*dl2FwANu;1;%EDl}JQ7MbxLMAp>)UwNwe{=V}O-5C*>F zu?Ny+F64jZn<+fKjF01}8h5H_3pey|;%bI;SFg$w8;IC<8l|3#Lz2;mNNik6sVTG3 z+Su^rIE#40C4a-587$U~%KedEEw1%r6wdvoMwpmlXH$xPnNQN#f%Z7|p)nC>WsuO= z4zyqapLS<8(UJ~Qi9d|dQijb_xhA2)v>la)<1md5s^R1N&PiuA$^k|A<+2C?OiHbj z>Bn$~t)>Y(Zb`8hW7q9xQ=s>Rv81V+UiuZJc<23HplI88isqRCId89fb`Kt|CxVIg znWcwprwXnotO>3s&Oypkte^9yJjlUVVxSe%_xlzmje|mYOVPH^vjA=?6xd0vaj0Oz zwJ4OJNiFdnHJX3rw&inskjryukl`*fRQ#SMod5J|KroJRsVXa5_$q7whSQ{gOi*s0 z1LeCy|JBWRsDPn7jCb4s(p|JZiZ8+*ExC@Vj)MF|*Vp{B(ziccSn`G1Br9bV(v!C2 z6#?eqpJBc9o@lJ#^p-`-=`4i&wFe>2)nlPK1p9yPFzJCzBQbpkcR>={YtamIw)3nt z(QEF;+)4`>8^_LU)_Q3 zC5_7lgi_6y>U%m)m@}Ku4C}=l^J=<<7c;99ec3p{aR+v=diuJR7uZi%aQv$oP?dn?@6Yu_+*^>T0ptf(oobdL;6)N-I!TO`zg^Xbv3#L0I~sn@WGk-^SmPh5>W+LB<+1PU}AKa?FCWF|qMNELOgdxR{ zbqE7@jVe+FklzdcD$!(A$&}}H*HQFTJ+AOrJYnhh}Yvta(B zQ_bW4Rr;R~&6PAKwgLWXS{Bnln(vUI+~g#kl{r+_zbngT`Y3`^Qf=!PxN4IYX#iW4 zucW7@LLJA9Zh3(rj~&SyN_pjO8H&)|(v%!BnMWySBJV=eSkB3YSTCyIeJ{i;(oc%_hk{$_l;v>nWSB)oVeg+blh=HB5JSlG_r7@P z3q;aFoZjD_qS@zygYqCn=;Zxjo!?NK!%J$ z52lOP`8G3feEj+HTp@Tnn9X~nG=;tS+z}u{mQX_J0kxtr)O30YD%oo)L@wy`jpQYM z@M>Me=95k1p*FW~rHiV1CIfVc{K8r|#Kt(ApkXKsDG$_>76UGNhHExFCw#Ky9*B-z zNq2ga*xax!HMf_|Vp-86r{;~YgQKqu7%szk8$hpvi_2I`OVbG1doP(`gn}=W<8%Gn z%81#&WjkH4GV;4u43EtSW>K_Ta3Zj!XF?;SO3V#q=<=>Tc^@?A`i;&`-cYj|;^ zEo#Jl5zSr~_V-4}y8pnufXLa80vZY4z2ko7fj>DR)#z=wWuS1$$W!L?(y}YC+yQ|G z@L&`2upy3f>~*IquAjkVNU>}c10(fq#HdbK$~Q3l6|=@-eBbo>B9(6xV`*)sae58*f zym~RRVx;xoCG3`JV`xo z!lFw)=t2Hy)e!IFs?0~7osWk(d%^wxq&>_XD4+U#y&-VF%4z?XH^i4w`TxpF{`XhZ z%G}iEzf!T(l>g;W9<~K+)$g!{UvhW{E0Lis(S^%I8OF&%kr!gJ&fMOpM=&=Aj@wuL zBX?*6i51Qb$uhkwkFYkaD_UDE+)rh1c;(&Y=B$3)J&iJfQSx!1NGgPtK!$c9OtJuu zX(pV$bfuJpRR|K(dp@^j}i&HeJOh@|7lWo8^$*o~Xqo z5Sb+!EtJ&e@6F+h&+_1ETbg7LfP5GZjvIUIN3ibCOldAv z)>YdO|NH$x7AC8dr=<2ekiY1%fN*r~e5h6Yaw<{XIErujKV~tiyrvV_DV0AzEknC- zR^xKM3i<1UkvqBj3C{wDvytOd+YtDSGu!gEMg+!&|8BQrT*|p)(dwQLEy+ zMtMzij3zo40)CA!BKZF~yWg?#lWhqD3@qR)gh~D{uZaJO;{OWV8XZ_)J@r3=)T|kt 
zUS1pXr6-`!Z}w2QR7nP%d?ecf90;K_7C3d!UZ`N(TZoWNN^Q~RjVhQG{Y<%E1PpV^4 z-m-K+$A~-+VDABs^Q@U*)YvhY4Znn2^w>732H?NRK(5QSS$V@D7yz2BVX4)f5A04~$WbxGOam22>t&uD)JB8-~yiQW6ik;FGblY_I>SvB_z2?PS z*Qm&qbKI{H1V@YGWzpx`!v)WeLT02};JJo*#f$a*FH?IIad-^(;9XC#YTWN6;Z6+S zm4O1KH=#V@FJw7Pha0!9Vb%ZIM$)a`VRMoiN&C|$YA3~ZC*8ayZRY^fyuP6$n%2IU z$#XceYZeqLTXw(m$_z|33I$B4k~NZO>pP6)H_}R{E$i%USGy{l{-jOE;%CloYPEU+ zRFxOn4;7lIOh!7abb23YKD+_-?O z0FP9otcAh+oSj;=f#$&*ExUHpd&e#bSF%#8*&ItcL2H$Sa)?pt0Xtf+t)z$_u^wZi z44oE}r4kIZGy3!Mc8q$B&6JqtnHZ>Znn!Zh@6rgIu|yU+zG8q`q9%B18|T|oN3zMq z`l&D;U!OL~%>vo&q0>Y==~zLiCZk4v%s_7!9DxQ~id1LLE93gf*gg&2$|hB#j8;?3 z5v4S;oM6rT{Y;I+#FdmNw z){d%tNM<<#GN%n9ox7B=3#;u7unZ~tLB_vRZ52a&2=IM)2VkXm=L+Iqq~uk#Dug|x z>S84e+A7EiOY5lj*!q?6HDkNh~0g;0Jy(al!ZHHDtur9T$y-~)94HelX1NHjXWIM7UAe}$?jiz z9?P4`I0JM=G5K{3_%2jPLC^_Mlw?-kYYgb7`qGa3@dn|^1fRMwiyM@Ch z;CB&o7&&?c5e>h`IM;Wnha0QKnEp=$hA8TJgR-07N~U5(>9vJzeoFsSRBkDq=x(YgEMpb=l4TDD`2 zwVJpWGTA_u7}?ecW7s6%rUs&NXD3+n;jB86`X?8(l3MBo6)PdakI6V6a}22{)8ilT zM~T*mU}__xSy|6XSrJ^%lDAR3Lft%+yxC|ZUvSO_nqMX!_ul3;R#*{~4DA=h$bP)%8Yv9X zyp><|e8=_ttI}ZAwOd#dlnSjck#6%273{E$kJuCGu=I@O)&6ID{nWF5@gLb16sj|&Sb~+du4e4O_%_o`Ix4NRrAsyr1_}MuP94s>de8cH-OUkVPk3+K z&jW)It9QiU-ti~AuJkL`XMca8Oh4$SyJ=`-5WU<{cIh+XVH#e4d&zive_UHC!pN>W z3TB;Mn5i)9Qn)#6@lo4QpI3jFYc0~+jS)4AFz8fVC;lD^+idw^S~Qhq>Tg(!3$yLD zzktzoFrU@6s4wwCMz}edpF5i5Q1IMmEJQHzp(LAt)pgN3&O!&d?3W@6U4)I^2V{;- z6A(?zd93hS*uQmnh4T)nHnE{wVhh(=MMD(h(P4+^p83Om6t<*cUW>l(qJzr%5vp@K zN27ka(L{JX=1~e2^)F^i=TYj&;<7jyUUR2Bek^A8+3Up*&Xwc{)1nRR5CT8vG>ExV zHnF3UqXJOAno_?bnhCX-&kwI~Ti8t4`n0%Up>!U`ZvK^w2+0Cs-b9%w%4`$+To|k= zKtgc&l}P`*8IS>8DOe?EB84^kx4BQp3<7P{Pq}&p%xF_81pg!l2|u=&I{AuUgmF5n zJQCTLv}%}xbFGYtKfbba{CBo)lWW%Z>i(_NvLhoQZ*5-@2l&x>e+I~0Nld3UI9tdL zRzu8}i;X!h8LHVvN?C+|M81e>Jr38%&*9LYQec9Ax>?NN+9(_>XSRv&6hlCYB`>Qm z1&ygi{Y()OU4@D_jd_-7vDILR{>o|7-k)Sjdxkjgvi{@S>6GqiF|o`*Otr;P)kLHN zZkpts;0zw_6;?f(@4S1FN=m!4^mv~W+lJA`&7RH%2$)49z0A+8@0BCHtj|yH--AEL z0tW6G%X-+J+5a{5*WKaM0QDznf;V?L5&uQw+yegDNDP`hA;0XPYc6e0;Xv6|i|^F2WB)Z$LR|HR4 
zTQsRAby9(^Z@yATyOgcfQw7cKyr^3Tz7lc7+JEwwzA7)|2x+PtEb>nD(tpxJQm)Kn zW9K_*r!L%~N*vS8<5T=iv|o!zTe9k_2jC_j*7ik^M_ zaf%k{WX{-;0*`t`G!&`eW;gChVXnJ-Rn)To8vW-?>>a%QU1v`ZC=U)f8iA@%JG0mZ zDqH;~mgBnrCP~1II<=V9;EBL)J+xzCoiRBaeH&J6rL!{4zIY8tZka?_FBeQeNO3q6 zyG_alW54Ba&wQf{&F1v-r1R6ID)PTsqjIBc+5MHkcW5Fnvi~{-FjKe)t1bl}Y;z@< z=!%zvpRua>>t_x}^}z0<7MI!H2v6|XAyR9!t50q-A)xk0nflgF4*OQlCGK==4S|wc zRMsSscNhRzHMBU8TdcHN!q^I}x0iXJ%uehac|Zs_B$p@CnF)HeXPpB_Za}F{<@6-4 zl%kml@}kHQ(ypD8FsPJ2=14xXJE|b20RUIgs!2|R3>LUMGF6X*B_I|$`Qg=;zm7C z{mEDy9dTmPbued7mlO@phdmAmJ7p@GR1bjCkMw6*G7#4+`k>fk1czdJUB!e@Q(~6# zwo%@p@V5RL0ABU2LH7Asq^quDUho@H>eTZH9f*no9fY0T zD_-9px3e}A!>>kv5wk91%C9R1J_Nh!*&Kk$J3KNxC}c_@zlgpJZ+5L)Nw|^p=2ue}CJtm;uj*Iqr)K})kA$xtNUEvX;4!Px*^&9T_`IN{D z{6~QY=Nau6EzpvufB^hflc#XIsSq0Y9(nf$d~6ZwK}fal92)fr%T3=q{0mP-EyP_G z)UR5h@IX}3Qll2b0oCAcBF>b*@Etu*aTLPU<%C>KoOrk=x?pN!#f_Og-w+;xbFgjQ zXp`et%lDBBh~OcFnMKMUoox0YwBNy`N0q~bSPh@+enQ=4RUw1) zpovN`QoV>vZ#5LvC;cl|6jPr}O5tu!Ipoyib8iXqy}TeJ;4+_7r<1kV0v5?Kv>fYp zg>9L`;XwXa&W7-jf|9~uP2iyF5`5AJ`Q~p4eBU$MCC00`rcSF>`&0fbd^_eqR+}mK z4n*PMMa&FOcc)vTUR zlDUAn-mh`ahi_`f`=39JYTNVjsTa_Y3b1GOIi)6dY)D}xeshB0T8Eov5%UhWd1)u}kjEQ|LDo{tqKKrYIfVz~@dp!! 
zMOnah@vp)%_-jDTUG09l+;{CkDCH|Q{NqX*uHa1YxFShy*1+;J`gywKaz|2Q{lG8x zP?KBur`}r`!WLKXY_K;C8$EWG>jY3UIh{+BLv0=2)KH%P}6xE2kg)%(-uA6lC?u8}{K(#P*c zE9C8t*u%j2r_{;Rpe1A{9nNXU;b_N0vNgyK!EZVut~}+R2rcbsHilqsOviYh-pYX= zHw@53nlmwYI5W5KP>&`dBZe0Jn?nAdC^HY1wlR6$u^PbpB#AS&5L6zqrXN&7*N2Q` z+Rae1EwS)H=aVSIkr8Ek^1jy2iS2o7mqm~Mr&g5=jjt7VxwglQ^`h#Mx+x2v|9ZAwE$i_9918MjJxTMr?n!bZ6n$}y11u8I9COTU`Z$Fi z!AeAQLMw^gp_{+0QTEJrhL424pVDp%wpku~XRlD3iv{vQ!lAf!_jyqd_h}+Tr1XG| z`*FT*NbPqvHCUsYAkFnM`@l4u_QH&bszpUK#M~XLJt{%?00GXY?u_{gj3Hvs!=N(I z(=AuWPijyoU!r?aFTsa8pLB&cx}$*%;K$e*XqF{~*rA-qn)h^!(-;e}O#B$|S~c+U zN4vyOK0vmtx$5K!?g*+J@G1NmlEI=pyZXZ69tAv=@`t%ag_Hk{LP~OH9iE)I= zaJ69b4kuCkV0V zo(M0#>phpQ_)@j;h%m{-a*LGi(72TP)ws2w*@4|C-3+;=5DmC4s7Lp95%n%@Ko zfdr3-a7m*dys9iIci$A=4NPJ`HfJ;hujLgU)ZRuJI`n;Pw|yksu!#LQnJ#dJysgNb z@@qwR^wrk(jbq4H?d!lNyy72~Dnn87KxsgQ!)|*m(DRM+eC$wh7KnS-mho3|KE)7h zK3k;qZ;K1Lj6uEXLYUYi)1FN}F@-xJ z@@3Hb84sl|j{4$3J}aTY@cbX@pzB_qM~APljrjju6P0tY{C@ zpUCOz_NFmALMv1*blCcwUD3?U6tYs+N%cmJ98D%3)%)Xu^uvzF zS5O!sc#X6?EwsYkvPo6A%O8&y8sCCQH<%f2togVwW&{M;PR!a(ZT_A+jVAbf{@5kL zB@Z(hb$3U{T_}SKA_CoQVU-;j>2J=L#lZ~aQCFg-d<9rzs$_gO&d5N6eFSc z1ml8)P*FSi+k@!^M9nDWR5e@ATD8oxtDu=36Iv2!;dZzidIS(PCtEuXAtlBb1;H%Z zwnC^Ek*D)EX4#Q>R$$WA2sxC_t(!!6Tr?C#@{3}n{<^o;9id1RA&-Pig1e-2B1XpG zliNjgmd3c&%A}s>qf{_j#!Z`fu0xIwm4L0)OF=u(OEmp;bLCIaZX$&J_^Z%4Sq4GZ zPn6sV_#+6pJmDN_lx@1;Zw6Md_p0w9h6mHtzpuIEwNn>OnuRSC2=>fP^Hqgc)xu^4 z<3!s`cORHJh#?!nKI`Et7{3C27+EuH)Gw1f)aoP|B3y?fuVfvpYYmmukx0ya-)TQX zR{ggy5cNf4X|g)nl#jC9p>7|09_S7>1D2GTRBUTW zAkQ=JMRogZqG#v;^=11O6@rPPwvJkr{bW-Qg8`q8GoD#K`&Y+S#%&B>SGRL>;ZunM@49!}Uy zN|bBCJ%sO;@3wl0>0gbl3L@1^O60ONObz8ZI7nder>(udj-jt`;yj^nTQ$L9`OU9W zX4alF#$|GiR47%x@s&LV>2Sz2R6?;2R~5k6V>)nz!o_*1Y!$p>BC5&?hJg_MiE6UBy>RkVZj`9UWbRkN-Hk!S`=BS3t3uyX6)7SF#)71*}`~Ogz z1rap5H6~dhBJ83;q-Y<5V35C2&F^JI-it(=5D#v!fAi9p#UwV~2tZQI+W(Dv?1t9? 
zfh*xpxxO{-(VGB>!Q&0%^YW_F!@aZS#ucP|YaD#>wd1Fv&Z*SR&mc;asi}1G) z_H>`!akh-Zxq9#io(7%;a$)w+{QH)Y$?UK1Dt^4)up!Szcxnu}kn$0afcfJL#IL+S z5gF_Y30j;{lNrG6m~$Ay?)*V9fZuU@3=kd40=LhazjFrau>(Y>SJNtOz>8x_X-BlA zIpl{i>OarVGj1v(4?^1`R}aQB&WCRQzS~;7R{tDZG=HhgrW@B`W|#cdyj%YBky)P= zpxuOZkW>S6%q7U{VsB#G(^FMsH5QuGXhb(sY+!-R8Bmv6Sx3WzSW<1MPPN1!&PurYky(@`bP9tz z52}LH9Q?+FF5jR6-;|+GVdRA!qtd;}*-h&iIw3Tq3qF9sDIb1FFxGbo&fbG5n8$3F zyY&PWL{ys^dTO}oZ#@sIX^BKW*bon=;te9j5k+T%wJ zNJtoN1~YVj4~YRrlZl)b&kJqp+Z`DqT!la$x&&IxgOQw#yZd-nBP3!7FijBXD|IsU8Zl^ zc6?MKpJQ+7ka|tZQLfchD$PD|;K(9FiLE|eUZX#EZxhG!S-63C$jWX1Yd!6-Yxi-u zjULIr|0-Q%D9jz}IF~S%>0(jOqZ(Ln<$9PxiySr&2Oic7vb<8q=46)Ln%Z|<*z5&> z3f~Zw@m;vR(bESB<=Jqkxn(=#hQw42l(7)h`vMQQTttz9XW6^|^8EK7qhju4r_c*b zJIi`)MB$w@9epwdIfnEBR+?~);yd6C(LeMC& zn&&N*?-g&BBJcV;8&UoZi4Lmxcj16ojlxR~zMrf=O_^i1wGb9X-0@6_rpjPYemIin zmJb+;lHe;Yp=8G)Q(L1bzH*}I>}uAqhj4;g)PlvD9_e_ScR{Ipq|$8NvAvLD8MYr}xl=bU~)f%B3E>r3Bu9_t|ThF3C5~BdOve zEbk^r&r#PT&?^V1cb{72yEWH}TXEE}w>t!cY~rA+hNOTK8FAtIEoszp!qqptS&;r$ zaYV-NX96-h$6aR@1xz6_E0^N49mU)-v#bwtGJm)ibygzJ8!7|WIrcb`$XH~^!a#s& z{Db-0IOTFq#9!^j!n_F}#Z_nX{YzBK8XLPVmc&X`fT7!@$U-@2KM9soGbmOSAmqV z{nr$L^MBo_u^Joyf0E^=eo{Rt0{{e$IFA(#*kP@SQd6lWT2-#>` zP1)7_@IO!9lk>Zt?#CU?cuhiLF&)+XEM9B)cS(gvQT!X3`wL*{fArTS;Ak`J<84du zALKPz4}3nlG8Fo^MH0L|oK2-4xIY!~Oux~1sw!+It)&D3p;+N8AgqKI`ld6v71wy8I!eP0o~=RVcFQR2Gr(eP_JbSytoQ$Yt}l*4r@A8Me94y z8cTDWhqlq^qoAhbOzGBXv^Wa4vUz$(7B!mX`T=x_ueKRRDfg&Uc-e1+z4x$jyW_Pm zp?U;-R#xt^Z8Ev~`m`iL4*c#65Nn)q#=Y0l1AuD&+{|8-Gsij3LUZXpM0Bx0u7WWm zH|%yE@-#XEph2}-$-thl+S;__ciBxSSzHveP%~v}5I%u!z_l_KoW{KRx2=eB33umE zIYFtu^5=wGU`Jab8#}cnYry@9p5UE#U|VVvx_4l49JQ;jQdp(uw=$^A$EA$LM%vmE zvdEOaIcp5qX8wX{mYf0;#51~imYYPn4=k&#DsKTxo{_Mg*;S495?OBY?#gv=edYC* z^O@-sd-qa+U24xvcbL0@C7_6o!$`)sVr-jSJE4XQUQ$?L7}2(}Eixqv;L8AdJAVqc zq}RPgpnDb@E_;?6K58r3h4-!4rT4Ab#rLHLX?eMOfluJk=3i1@Gt1i#iA=O`M0@x! 
z(HtJP9BMHXEzuD93m|B&woj0g6T?f#^)>J>|I4C5?Gam>n9!8CT%~aT;=oco5d6U8 zMXl(=W;$ND_8+DD*?|5bJ!;8ebESXMUKBAf7YBwNVJibGaJ*(2G`F%wx)grqVPjudiaq^Kl&g$8A2 zWMxMr@_$c}d+;_B`#kUX-t|4VKH&_f^^EP0&=DPLW)H)UzBG%%Tra*5 z%$kyZe3I&S#gfie^z5)!twG={3Cuh)FdeA!Kj<-9** zvT*5%Tb`|QbE!iW-XcOuy39>D3oe6x{>&<#E$o8Ac|j)wq#kQzz|ATd=Z0K!p2$QE zPu?jL8Lb^y3_CQE{*}sTDe!2!dtlFjq&YLY@2#4>XS`}v#PLrpvc4*@q^O{mmnr5D zmyJq~t?8>FWU5vZdE(%4cuZuao0GNjp3~Dt*SLaxI#g_u>hu@k&9Ho*#CZP~lFJHj z(e!SYlLigyc?&5-YxlE{uuk$9b&l6d`uIlpg_z15dPo*iU&|Khx2*A5Fp;8iK_bdP z?T6|^7@lcx2j0T@x>X7|kuuBSB7<^zeY~R~4McconTxA2flHC0_jFxmSTv-~?zVT| zG_|yDqa9lkF*B6_{j=T>=M8r<0s;@z#h)3BQ4NLl@`Xr__o7;~M&dL3J8fP&zLfDfy z);ckcTev{@OUlZ`bCo(-3? z1u1xD`PKgSg?RqeVVsF<1SLF;XYA@Bsa&cY!I48ZJn1V<3d!?s=St?TLo zC0cNr`qD*M#s6f~X>SCNVkva^9A2ZP>CoJ9bvgXe_c}WdX-)pHM5m7O zrHt#g$F0AO+nGA;7dSJ?)|Mo~cf{z2L)Rz!`fpi73Zv)H=a5K)*$5sf_IZypi($P5 zsPwUc4~P-J1@^3C6-r9{V-u0Z&Sl7vNfmuMY4yy*cL>_)BmQF!8Om9Dej%cHxbIzA zhtV0d{=%cr?;bpBPjt@4w=#<>k5ee=TiWAXM2~tUGfm z$s&!Dm0R^V$}fOR*B^kGaipi~rx~A2cS0;t&khV1a4u38*XRUP~f za!rZMtay8bsLt6yFYl@>-y^31(*P!L^^s@mslZy(SMsv9bVoX`O#yBgEcjCmGpyc* zeH$Dw6vB5P*;jor+JOX@;6K#+xc)Z9B8M=x2a@Wx-{snPGpRmOC$zpsqW*JCh@M2Y z#K+M(>=#d^>Of9C`))h<=Bsy)6zaMJ&x-t%&+UcpLjV`jo4R2025 zXaG8EA!0lQa)|dx-@{O)qP6`$rhCkoQqZ`^SW8g-kOwrwsK8 z3ms*AIcyj}-1x&A&vSq{r=QMyp3CHdWH35!sad#!Sm>^|-|afB+Q;|Iq@LFgqIp#Z zD1%H+3I?6RGnk&IFo|u+E0dCxXz4yI^1i!QTu7uvIEH>i3rR{srcST`LIRwdV1P;W z+%AN1NIf@xxvVLiSX`8ILA8MzNqE&7>%jMzGt9wm78bo9<;h*W84i29^w!>V>{N+S zd`5Zmz^G;f=icvoOZfK5#1ctx*~UwD=ab4DGQXehQ!XYnak*dee%YN$_ZPL%KZuz$ zD;$PpT;HM^$KwtQm@7uvT`i6>Hae1CoRVM2)NL<2-k2PiX=eAx+-6j#JI?M}(tuBW zkF%jjLR)O`gI2fcPBxF^HeI|DWwQWHVR!;;{BXXHskxh8F@BMDn`oEi-NHt;CLymW z=KSv5)3dyzec0T5B*`g-MQ<;gz=nIWKUi9ko<|4I(-E0k$QncH>E4l z**1w&#={&zv4Tvhgz#c29`m|;lU-jmaXFMC11 z*dlXDMEOG>VoLMc>!rApwOu2prKSi*!w%`yzGmS+k(zm*CsLK*wv{S_0WX^8A-rKy zbk^Gf_92^7iB_uUF)EE+ET4d|X|>d&mdN?x@vxKAQk`O+r4Qdu>XGy(a(19g;=jU} zFX{O*_NG>!$@jh!U369Lnc+D~qch3uT+_Amyi}*k#LAAwh}k8IPK5a-WZ81ufD>l> 
z$4cF}GSz>ce`3FAic}6W4Z7m9KGO?(eWqi@L|5Hq0@L|&2flN1PVl}XgQ2q*_n2s3 zt5KtowNkTYB5b;SVuoXA@i5irXO)A&%7?V`1@HGCB&)Wgk+l|^XXChq;u(nyPB}b3 zY>m5jkxpZgi)zfbgv&ec4Zqdvm+D<?Im*mXweS9H+V>)zF#Zp3)bhl$PbISY{5=_z!8&*Jv~NYtI-g!>fDs zmvL5O^U%!^VaKA9gvKw|5?-jk>~%CVGvctKmP$kpnpfN{D8@X*Aazi$txfa%vd-|E z>kYmV66W!lNekJPom29LdZ%(I+ZLZYTXzTg*to~m?7vp%{V<~>H+2}PQ?PPAq`36R z<%wR8v6UkS>Wt#hzGk#44W<%9S=nBfB);6clKwnxY}T*w21Qc3_?IJ@4gYzC7s;WP zVQNI(M=S=JT#xsZy7G`cR(BP9*je0bfeN8JN5~zY(DDs0t{LpHOIbN);?T-69Pf3R zSNe*&p2%AwXHL>__g+xd4Hlc_vu<25H?(`nafS%)3UPP7_4;gk-9ckt8SJRTv5v0M z_Hww`qPudL?ajIR&X*;$y-`<)6dxx1U~5eGS13CB!lX;3w7n&lDDiArbAhSycd}+b zya_3p@A`$kQy;|NJZ~s44Hqo7Hwt}X86NK=(ey>lgWTtGL6k@Gy;PbO!M%1~Wcn2k zUFP|*5d>t-X*RU8g%>|(wwj*~#l4z^Aatf^DWd1Wj#Q*AY0D^V@sC`M zjJc6qXu0I7Y*2;;gGu!plAFzG=J;1%eIOdn zQA>J&e05UN*7I5@yRhK|lbBSfJ+5Uq;!&HV@xfPZrgD}kE*1DSq^=%{o%|LChhl#0 zlMb<^a6ixzpd{kNZr|3jTGeEzuo}-eLT-)Q$#b{!vKx8Tg}swCni>{#%vDY$Ww$84 zew3c9BBovqb}_&BRo#^!G(1Eg((BScRZ}C)Oz?y`T5wOrv);)b^4XR8 zhJo7+<^7)qB>I;46!GySzdneZ>n_E1oWZY;kf94#)s)kWjuJN1c+wbVoNQcmnv}{> zN0pF+Sl3E}UQ$}slSZeLJrwT>Sr}#V(dVaezCQl2|4LN`7L7v&siYR|r7M(*JYfR$ zst3=YaDw$FSc{g}KHO&QiKxuhEzF{f%RJLKe3p*7=oo`WNP)M(9X1zIQPP0XHhY3c znrP{$4#Ol$A0s|4S7Gx2L23dv*Gv2o;h((XVn+9+$qvm}s%zi6nI-_s6?mG! 
zj{DV;qesJb&owKeEK?=J>UcAlYckA7Sl+I&IN=yasrZOkejir*kE@SN`fk<8Fgx*$ zy&fE6?}G)d_N`){P~U@1jRVA|2*69)KSe_}!~?+`Yb{Y=O~_+@!j<&oVQQMnhoIRU zA0CyF1OFfkK44n*JD~!2!SCPM;PRSk%1XL=0&rz00wxPs&-_eapJy#$h!eqY%nS0{ z!aGg58JIJPF3_ci%n)QSVpa2H`vIe$RD43;#IRfDV&Ibit z+?>HW4{2wOfC6Fw)}4x}i1maDxcE1qi@BS*qcxD2gE@h3#4cgU*D-&3z7D|tVZWt= z-Cy2+*Cm@P4GN_TPUtaVyVesbVDazF@)j8VJ4>XZv!f%}&eO1SvIgr}4`A*3#vat< z_MoByL(qW6L7SFZ#|Gc1fFN)L2PxY+{B8tJp+pxRyz*87)vXR}*=&ahXjBlQKguuf zX6x<<6fQulE^C*KH8~W%ptpaC0l?b=_{~*U4?5Vt;dgM4t_{&UZ1C2j?b>b+5}{IF_CUyvz-@QZPMlJ)r_tS$9kH%RPv#2_nMb zRLj5;chJ72*U`Z@Dqt4$@_+k$%|8m(HqLG!qT4P^DdfvGf&){gKnGCX#H0!;W=AGP zbA&Z`-__a)VTS}kKFjWGk z%|>yE?t*EJ!qeQ%dPk$;xIQ+P0;()PCBDgjJm6Buj{f^awNoVx+9<|lg3%-$G(*f) zll6oOkN|yamn1uyl2*N-lnqRI1cvs_JxLTeahEK=THV$Sz*gQhKNb*p0fNoda#-&F zB-qJgW^g}!TtM|0bS2QZekW7_tKu%GcJ!4?lObt0z_$mZ4rbQ0o=^curCs3bJK6sq z9fu-aW-l#>z~ca(B;4yv;2RZ?tGYAU)^)Kz{L|4oPj zdOf_?de|#yS)p2v8-N||+XL=O*%3+y)oI(HbM)Ds?q8~HPzIP(vs*G`iddbWq}! z(2!VjP&{Z1w+%eUq^ '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit + +APP_NAME="Gradle" +APP_BASE_NAME=${0##*/} + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + +# Collect all arguments for the java command; +# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of +# shell script including quotes and variable substitutions, so put them in +# double quotes to make sure that they get re-expanded; and +# * put everything else in single quotes, so that it's not re-expanded. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradlew.bat b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradlew.bat new file mode 100644 index 000000000..53a6b238d --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradlew.bat 
@@ -0,0 +1,91 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. 
+echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/settings.gradle b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/settings.gradle new file mode 100644 index 000000000..733fda690 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/settings.gradle @@ -0,0 +1,8 @@ +pluginManagement { + repositories { + mavenCentral() + gradlePluginPortal() + maven { url 'https://repo.spring.io/milestone' } + maven { url "https://repo.spring.io/snapshot" } + } +} diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/MfaApplication.java b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/MfaApplication.java new file mode 100644 index 000000000..09cbe28a4 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/MfaApplication.java 
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+/**
+ * Hello Security application.
+ *
+ * @author Josh Cummings
+ */
+@SpringBootApplication
+public class MfaApplication {
+
+ public static void main(String[] args) {
+ SpringApplication.run(MfaApplication.class, args);
+ }
+
+ @Controller
+ static class LoginController {
+ @GetMapping("/login")
+ String login() { return "login"; }
+ }
+}
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java
new file mode 100644
index 000000000..d7ba54d90
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java
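Review bot: The nested `LoginController` carries no documentation, and the class Javadoc still says "Hello Security application", which does not tell a reader what this sample demonstrates. A one-line Javadoc on the nested class would explain why a controller lives inside the application class: `/** Serves the custom login page that {@code SecurityConfig} points form login at via {@code loginPage("/login")}. */`. The class summary could likewise read `X.509 + form login multi-factor sample application.` so that it matches the class name.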
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import org.springframework.boot.security.autoconfigure.servlet.PathRequest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+public class SecurityConfig {
+
+ @Bean
+ SecurityFilterChain web(HttpSecurity http) throws Exception {
+ // @formatter:off
+ http
+ .authorizeHttpRequests((authorize) -> authorize
+ .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
+ .anyRequest().authenticated())
+ .x509((x509) -> x509.grants("form:read"))
+ .formLogin((form) -> form
+ .loginPage("/login")
+ .needs("form:read")
+ .authenticates()
+ );
+ // @formatter:on
+ return http.build();
+ }
+
+ @Bean
+ public UserDetailsService userDetailsService() {
+ return new InMemoryUserDetailsManager(
+ User.withDefaultPasswordEncoder()
+ .username("josh")
+ .password("password")
+ .authorities("app")
+ .build()
+ );
+ }
+}
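Review bot: The `x509(...grants("form:read"))` / `formLogin(...needs("form:read").authenticates())` pairing is the whole point of this sample, yet the `web` bean has no comment saying how the two factors chain; as I read it, the client certificate grants the `form:read` authority that gates the form-login step, so an unauthenticated form login cannot succeed without a certificate first, and a comment above `http` stating that intent would save the next reader from reconstructing it, e.g. `// Factor 1: the TLS client certificate grants "form:read"; Factor 2: form login requires it before it will authenticate.` The `userDetailsService` bean uses `User.withDefaultPasswordEncoder()` with a literal `"password"`, which that API documents as unsafe outside demos, so a `// sample-only credentials; never use withDefaultPasswordEncoder() in production` comment belongs on it. As a point of style, `userDetailsService()` is `public` while `web(...)` is package-private; the two bean methods should use the same visibility.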
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/api-keystore.p12 b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/api-keystore.p12
new file mode 120000
index 000000000..07aa33fc9
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/api-keystore.p12
@@ -0,0 +1 @@
+../../../etc/api-keystore.p12
\ No newline at end of file
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/api-truststore.p12 b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/api-truststore.p12
new file mode 120000
index 000000000..9d60902a6
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/api-truststore.p12
@@ -0,0 +1 @@
+../../../etc/api-truststore.p12
\ No newline at end of file
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/application.properties b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/application.properties
new file mode 100644
index 000000000..c8b145c1b
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/application.properties
@@ -0,0 +1,12 @@
+logging.level.org.springframework.security=TRACE
+
+server.port=8443
+server.ssl.enabled=true
+server.ssl.key-store-type=PKCS12
+server.ssl.key-store=classpath:api-keystore.p12
+server.ssl.key-store-password=password
+server.ssl.key-alias=api
+server.ssl.trust-store-type=PKCS12
+server.ssl.trust-store=classpath:api-truststore.p12
+server.ssl.trust-store-password=password
+server.ssl.client-auth=need
\ No newline at end of file
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/static/css/default-ui.css b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/static/css/default-ui.css
new file mode 100644
index 000000000..ec3d42bda
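Review bot: `server.ssl.client-auth=need` is undocumented here although it changes what the Spring Security rules in `SecurityConfig` can actually do: with `need`, the TLS handshake itself rejects any connection that presents no client certificate, so the `permitAll()` on common static-resource locations is only ever reached by clients that already have a certificate. A comment on that line, `# 'need' rejects the TLS handshake when no client certificate is presented; 'want' would let the login page and static resources load without one`, records that choice for readers who copy the sample. `logging.level.org.springframework.security=TRACE` and the literal `password` store passwords are sample conveniences and should be marked as such, e.g. `# sample-only: TRACE logs authentication details and the store passwords are checked in`.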
--- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/static/css/default-ui.css 
@@ -0,0 +1,172 @@ +/* + * Copyright 2002-2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* General layout */ +body { + font-family: system-ui, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif; + background-color: #eee; + padding: 40px 0; + margin: 0; + line-height: 1.5; +} + +h2 { + margin-top: 0; + margin-bottom: 0.5rem; + font-size: 2rem; + font-weight: 500; + line-height: 2rem; +} + +.content { + margin-right: auto; + margin-left: auto; + padding-right: 15px; + padding-left: 15px; + width: 100%; + box-sizing: border-box; +} + +@media (min-width: 800px) { + .content { + max-width: 760px; + } +} + +.v-middle { + vertical-align: middle; +} + +.center { + text-align: center; +} + +.no-margin { + margin: 0; +} + +/* Components */ +a, +a:visited { + text-decoration: none; + color: #06f; +} + +a:hover { + text-decoration: underline; + color: #003c97; +} + +input[type="text"], +input[type="password"] { + height: auto; + width: 100%; + font-size: 1rem; + padding: 0.5rem; + box-sizing: border-box; +} + +button { + padding: 0.5rem 1rem; + font-size: 1.25rem; + line-height: 1.5; + border: none; + border-radius: 0.1rem; + width: 100%; + cursor: pointer; +} + +button.primary { + color: #fff; + background-color: #06f; +} + +button.small { + padding: .25rem .5rem; + font-size: .875rem; + line-height: 1.5; +} + +.alert { + padding: 0.75rem 1rem; + margin-bottom: 1rem; + line-height: 1.5; + border-radius: 0.1rem; + 
width: 100%; + box-sizing: border-box; + border-width: 1px; + border-style: solid; +} + +.alert.alert-danger { + color: #6b1922; + background-color: #f7d5d7; + border-color: #eab6bb; +} + +.alert.alert-success { + color: #145222; + background-color: #d1f0d9; + border-color: #c2ebcb; +} + +.screenreader { + position: absolute; + clip: rect(0 0 0 0); + height: 1px; + width: 1px; + padding: 0; + border: 0; + overflow: hidden; +} + +table { + width: 100%; + max-width: 100%; + margin-bottom: 2rem; + border-collapse: collapse; +} + +.table-striped th { + padding: .75rem; +} + +.table-striped tr:nth-of-type(2n + 1) { + background-color: #e1e1e1; +} + +.table-striped > thead > tr:first-child { + background-color: inherit; +} + +td { + padding: 0.75rem; + vertical-align: top; +} + +tr.v-middle > td { + vertical-align: middle; +} + +/* Login / logout layouts */ +.login-form, +.logout-form, +.default-form { + max-width: 340px; + padding: 0 15px 15px 15px; + margin: 0 auto 2rem auto; + box-sizing: border-box; +} diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/templates/index.html b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/templates/index.html new file mode 100644 index 000000000..4e71378a5 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/templates/index.html @@ -0,0 +1,9 @@ + + + Hello Security! + + +

Hello Security

+ Log Out + + \ No newline at end of file diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/templates/login.html b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/templates/login.html new file mode 100644 index 000000000..9d4aa10d6 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/templates/login.html @@ -0,0 +1,29 @@ + + + + + + + + Please sign in + + + +
+ +
+ + \ No newline at end of file diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/test/java/example/MfaApplicationTests.java b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/test/java/example/MfaApplicationTests.java new file mode 100644 index 000000000..78f31ed0f --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/test/java/example/MfaApplicationTests.java 
@@ -0,0 +1,190 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import com.j256.twofactorauth.TimeBasedOneTimePasswordUtil;
+import jakarta.servlet.http.HttpSession;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
+
+/**
+ * @author Rob Winch
+ */
+@SpringBootTest
+@AutoConfigureMockMvc
+@Disabled
+public class MfaApplicationTests {
+
+ private static final String hexKey = "80ed266dd80bcd32564f0f4aaa8d9b149a2b1eaa";
+
+ @Autowired
+ private MockMvc mockMvc;
+
+ @Test
+ void mfaWhenAllFactorsSucceedMatchesThenWorks() throws Exception {
+ // @formatter:off
+ MvcResult result = this.mockMvc.perform(formLogin()
+ .user("user@example.com")
+ .password("password"))
+ .andExpect(redirectedUrl("/second-factor"))
+ .andReturn();
+
+ HttpSession session = result.getRequest().getSession();
+
+ Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey);
+ this.mockMvc.perform(post("/second-factor")
+ .session((MockHttpSession) session)
+ .param("code", String.valueOf(code))
+ .with(csrf()))
+ .andExpect(redirectedUrl("/third-factor"));
+
+ this.mockMvc.perform(post("/third-factor")
+ .session((MockHttpSession) session)
+ .param("answer", "smith")
+ .with(csrf()))
+ .andExpect(redirectedUrl("/"));
+ // @formatter:on
+ }
+
+ @Test
+ void mfaWhenBadCredsThenStillRequestsRemainingFactorsAndRedirects() throws Exception {
+ // @formatter:off
+ MvcResult result = this.mockMvc.perform(formLogin()
+ .user("user@example.com")
+ .password("wrongpassword"))
+ .andExpect(redirectedUrl("/second-factor"))
+ .andReturn();
+
+ HttpSession session = result.getRequest().getSession();
+
+ Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey);
+ this.mockMvc.perform(post("/second-factor")
+ .session((MockHttpSession) session)
+ .param("code", String.valueOf(code))
+ .with(csrf()))
+ .andExpect(redirectedUrl("/third-factor"));
+
+ this.mockMvc.perform(post("/third-factor")
+ .session((MockHttpSession) session)
+ .param("answer", "smith")
+ .with(csrf()))
+ .andExpect(redirectedUrl("/login?error"));
+ // @formatter:on
+ }
+
+ @Test
+ void mfaWhenWrongCodeThenRedirects() throws Exception {
+ // @formatter:off
+ MvcResult result = this.mockMvc.perform(formLogin()
+ .user("user@example.com")
+ .password("password"))
+ .andExpect(redirectedUrl("/second-factor"))
+ .andReturn();
+
+ HttpSession session = result.getRequest().getSession();
+
+ Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey) - 1;
+ this.mockMvc.perform(post("/second-factor")
+ .session((MockHttpSession) session)
+ .param("code", String.valueOf(code))
+ .with(csrf()))
+ .andExpect(redirectedUrl("/third-factor"));
+
+ this.mockMvc.perform(post("/third-factor")
+ .session((MockHttpSession) session)
+ .param("answer", "smith")
+ .with(csrf()))
+ .andExpect(redirectedUrl("/login?error"));
+ // @formatter:on
+ }
+
+ @Test
+ void mfaWhenWrongSecurityAnswerThenRedirects() throws Exception {
+ // @formatter:off
+ MvcResult result = this.mockMvc.perform(formLogin()
+ .user("user@example.com")
+ .password("password"))
+ .andExpect(redirectedUrl("/second-factor"))
+ .andReturn();
+
+ HttpSession session = result.getRequest().getSession();
+
+ Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey);
+ this.mockMvc.perform(post("/second-factor")
+ .session((MockHttpSession) session)
+ .param("code", String.valueOf(code))
+ .with(csrf()))
+ .andExpect(redirectedUrl("/third-factor"));
+
+ this.mockMvc.perform(post("/third-factor")
+ .session((MockHttpSession) session)
+ .param("answer", "wilson")
+ .with(csrf()))
+ .andExpect(redirectedUrl("/login?error"));
+ // @formatter:on
+ }
+
+ @Test
+ void mfaWhenInProcessThenCantViewOtherPages() throws Exception {
+ // @formatter:off
+ MvcResult result = this.mockMvc.perform(formLogin()
+ .user("user@example.com")
+ .password("password"))
+ .andExpect(redirectedUrl("/second-factor"))
+ .andReturn();
+
+ HttpSession session = result.getRequest().getSession();
+
+ this.mockMvc.perform(get("/")
+ .session((MockHttpSession) session))
+ .andExpect(redirectedUrl("http://localhost/login"));
+
+ result = this.mockMvc.perform(formLogin()
+ .user("user@example.com")
+ .password("password"))
+ .andExpect(redirectedUrl("/second-factor"))
+ .andReturn();
+
+ session = result.getRequest().getSession();
+
+ Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey);
+ this.mockMvc.perform(post("/second-factor")
+ .session((MockHttpSession) session)
+ .param("code", String.valueOf(code))
+ .with(csrf()))
+ .andExpect(redirectedUrl("/third-factor"));
+
+ this.mockMvc.perform(get("/")
+ .session((MockHttpSession) session))
+ .andExpect(redirectedUrl("http://localhost/login"));
+ // @formatter:on
+ }
+
+}
diff --git a/settings.gradle b/settings.gradle
index 71191ba5d..a5db7a077 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -52,6 +52,7 @@ include ":servlet:spring-boot:java:acl"
 include ":servlet:spring-boot:java:aot:data"
 include ":servlet:spring-boot:java:authentication:username-password:user-details-service:custom-user"
 include ":servlet:spring-boot:java:authentication:username-password:mfa"
+include ":servlet:spring-boot:java:authentication:mfa:x509+formLogin"
 include ":servlet:spring-boot:java:authentication:username-password:compromised-password-checker"
 include ":servlet:spring-boot:java:authentication:one-time-token:magic-link"
 include ":servlet:spring-boot:java:data"
From 421f79482e3ac20a4529ce7992f4e548641a6123 Mon Sep 17 00:00:00 2001
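Review bot: The whole class is `@Disabled` with no reason given, so this sample's build runs zero tests and the MFA flow it is meant to demonstrate is never exercised; at minimum state the reason, `@Disabled("TODO: adapt to the X.509 + form-login flow")`, and preferably re-enable it. The test bodies drive a TOTP code through `/second-factor` and a security answer through `/third-factor`, which does not look like the X.509 + form-login factors this commit adds (SecurityConfig.java is outside this chunk, so the endpoints cannot be confirmed here); a form-login step followed by a request carrying the client certificate via `SecurityMockMvcRequestPostProcessors.x509(...)` would match the sample, and the negative case should assert that a request with the form-login session but no certificate is still refused. The `@author Rob Winch` tag and `Copyright 2021` header also appear to be carried over from the username-password MFA sample rather than written for this one.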
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Mon, 21 Jul 2025 18:52:30 -0600 Subject: [PATCH 02/21] Add Form Login + OTT MFA Sample --- .../mfa/formLogin+ott/.gitignore | 37 +++ .../mfa/formLogin+ott/README.md | 3 + .../mfa/formLogin+ott/build.gradle | 35 +++ .../mfa/formLogin+ott/compose.yml | 6 + .../mfa/formLogin+ott/gradle.properties | 4 + .../formLogin+ott/gradle/libs.versions.toml | 1 + .../gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 43453 bytes .../gradle/wrapper/gradle-wrapper.properties | 7 + .../authentication/mfa/formLogin+ott/gradlew | 249 ++++++++++++++++++ .../mfa/formLogin+ott/gradlew.bat | 92 +++++++ .../mfa/formLogin+ott/settings.gradle | 8 + .../magiclink/MagicLinkApplication.java | 29 ++ ...kOneTimeTokenGenerationSuccessHandler.java | 50 ++++ .../org/example/magiclink/MailSender.java | 41 +++ .../org/example/magiclink/SecurityConfig.java | 63 +++++ .../src/main/resources/application.yml | 13 + .../main/resources/static/css/default-ui.css | 172 ++++++++++++ .../src/main/resources/templates/index.html | 20 ++ .../src/main/resources/templates/login.html | 29 ++ .../magiclink/MagicLinkApplicationTests.java | 80 ++++++ .../src/test/resources/application.yml | 6 + settings.gradle | 1 + 22 files changed, 946 insertions(+) create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/.gitignore create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.md create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/compose.yml create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle.properties create mode 120000 servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/libs.versions.toml create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/wrapper/gradle-wrapper.jar create mode 100644 
servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/wrapper/gradle-wrapper.properties create mode 100755 servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradlew create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradlew.bat create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/settings.gradle create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MailSender.java create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/static/css/default-ui.css create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/index.html create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/org/example/magiclink/MagicLinkApplicationTests.java create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/resources/application.yml diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/.gitignore b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/.gitignore new file mode 100644 index 000000000..c2065bc26 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/.gitignore 
@@ -0,0 +1,37 @@
+HELP.md
+.gradle
+build/
+!gradle/wrapper/gradle-wrapper.jar
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+bin/
+!**/src/main/**/bin/
+!**/src/test/**/bin/
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+out/
+!**/src/main/**/out/
+!**/src/test/**/out/
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+
+### VS Code ###
+.vscode/
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.md b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.md
new file mode 100644
index 000000000..fdf74d537
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.md
@@ -0,0 +1,3 @@
+This application uses Spring Boot Docker Compose to start a [Maildev](https://github.com/maildev/maildev) container.
+
+After requesting a token on `http://localhost:8080/login`, access `http://localhost:1080` to verify the email containing the magic link.
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle
new file mode 100644
index 000000000..9a8a64fbd
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle
@@ -0,0 +1,35 @@
+plugins {
+ id 'java'
+ alias(libs.plugins.io.spring.dependency.management)
+ alias(libs.plugins.org.springframework.boot)
+}
+
+java {
+ toolchain {
+ languageVersion = JavaLanguageVersion.of(17)
+ }
+}
+
+repositories {
+ mavenLocal()
+ mavenCentral()
+ maven { url "https://repo.spring.io/milestone" }
+ maven { url "https://repo.spring.io/snapshot" }
+}
+
+dependencies {
+ implementation 'org.springframework.boot:spring-boot-starter-security'
+ implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
+ implementation 'org.springframework.boot:spring-boot-starter-web'
+ implementation 'org.springframework.boot:spring-boot-starter-mail'
+ implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6'
+ testImplementation 'org.springframework.boot:spring-boot-starter-test'
+ testImplementation 'org.springframework.security:spring-security-test'
+ testImplementation 'com.icegreen:greenmail-junit5:2.0.1'
+ testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
+ runtimeOnly 'org.springframework.boot:spring-boot-docker-compose'
+}
+
+tasks.named('test') {
+ useJUnitPlatform()
+}
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/compose.yml b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/compose.yml
new file mode 100644
index 000000000..85a825b5b
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/compose.yml
@@ -0,0 +1,6 @@
+services:
+ maildev:
+ image: maildev/maildev:2.1.0
+ ports:
+ - "1080:1080"
+ - "1025:1025"
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle.properties b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle.properties
new file mode 100644
index 000000000..a5a6444df
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle.properties
@@ -0,0 +1,4 @@
+version=6.1.1
+spring-security.version=7.0.0-SNAPSHOT
+org.gradle.jvmargs=-Xmx6g -XX:+HeapDumpOnOutOfMemoryError
+org.gradle.caching=true
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/libs.versions.toml b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/libs.versions.toml
new file mode 120000
index 000000000..ebb52ed22
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/libs.versions.toml
@@ -0,0 +1 @@
+../../../../../../../gradle/libs.versions.toml
\ No newline at end of file
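Review bot: The `repositories` block adds `https://repo.spring.io/snapshot`, and the gradle.properties hunk that follows pins `spring-security.version=7.0.0-SNAPSHOT`, so the sample resolves a moving artifact and two builds on different days are not guaranteed to produce the same result. If tracking the unreleased 7.0 line is intentional for this sample, record that next to the repository line, `// snapshot repository needed until Spring Security 7.0 GA; remove once released`, so the pin is revisited rather than left behind. Otherwise prefer a published milestone from the `milestone` repository already listed.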
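Review bot: The `ports:` entries publish the Maildev web UI (1080) and SMTP listener (1025) on every host interface, and that inbox is where the sample's one-time magic-link tokens land, so anyone on the same network could read live login tokens while the sample runs. For a local development aid bind both to loopback, `- "127.0.0.1:1080:1080"` and `- "127.0.0.1:1025:1025"`; the README's `http://localhost:1080` instruction keeps working unchanged.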
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/wrapper/gradle-wrapper.jar b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000000000000000000000000000000000000..e6441136f3d4ba8a0da8d277868979cfbc8ad796 GIT binary patch literal 43453 zcma&N1CXTcmMvW9vTb(Rwr$&4wr$(C?dmSu>@vG-+vuvg^_??!{yS%8zW-#zn-LkA z5&1^$^{lnmUON?}LBF8_K|(?T0Ra(xUH{($5eN!MR#ZihR#HxkUPe+_R8Cn`RRs(P z_^*#_XlXmGv7!4;*Y%p4nw?{bNp@UZHv1?Um8r6)Fei3p@ClJn0ECfg1hkeuUU@Or zDaPa;U3fE=3L}DooL;8f;P0ipPt0Z~9P0)lbStMS)ag54=uL9ia-Lm3nh|@(Y?B`; zx_#arJIpXH!U{fbCbI^17}6Ri*H<>OLR%c|^mh8+)*h~K8Z!9)DPf zR2h?lbDZQ`p9P;&DQ4F0sur@TMa!Y}S8irn(%d-gi0*WxxCSk*A?3lGh=gcYN?FGl z7D=Js!i~0=u3rox^eO3i@$0=n{K1lPNU zwmfjRVmLOCRfe=seV&P*1Iq=^i`502keY8Uy-WNPwVNNtJFx?IwAyRPZo2Wo1+S(xF37LJZ~%i)kpFQ3Fw=mXfd@>%+)RpYQLnr}B~~zoof(JVm^^&f zxKV^+3D3$A1G;qh4gPVjhrC8e(VYUHv#dy^)(RoUFM?o%W-EHxufuWf(l*@-l+7vt z=l`qmR56K~F|v<^Pd*p~1_y^P0P^aPC##d8+HqX4IR1gu+7w#~TBFphJxF)T$2WEa zxa?H&6=Qe7d(#tha?_1uQys2KtHQ{)Qco)qwGjrdNL7thd^G5i8Os)CHqc>iOidS} z%nFEDdm=GXBw=yXe1W-ShHHFb?Cc70+$W~z_+}nAoHFYI1MV1wZegw*0y^tC*s%3h zhD3tN8b=Gv&rj}!SUM6|ajSPp*58KR7MPpI{oAJCtY~JECm)*m_x>AZEu>DFgUcby z1Qaw8lU4jZpQ_$;*7RME+gq1KySGG#Wql>aL~k9tLrSO()LWn*q&YxHEuzmwd1?aAtI zBJ>P=&$=l1efe1CDU;`Fd+_;&wI07?V0aAIgc(!{a z0Jg6Y=inXc3^n!U0Atk`iCFIQooHqcWhO(qrieUOW8X(x?(RD}iYDLMjSwffH2~tB z)oDgNBLB^AJBM1M^c5HdRx6fBfka`(LD-qrlh5jqH~);#nw|iyp)()xVYak3;Ybik z0j`(+69aK*B>)e_p%=wu8XC&9e{AO4c~O1U`5X9}?0mrd*m$_EUek{R?DNSh(=br# z#Q61gBzEpmy`$pA*6!87 zSDD+=@fTY7<4A?GLqpA?Pb2z$pbCc4B4zL{BeZ?F-8`s$?>*lXXtn*NC61>|*w7J* z$?!iB{6R-0=KFmyp1nnEmLsA-H0a6l+1uaH^g%c(p{iT&YFrbQ$&PRb8Up#X3@Zsk zD^^&LK~111%cqlP%!_gFNa^dTYT?rhkGl}5=fL{a`UViaXWI$k-UcHJwmaH1s=S$4 z%4)PdWJX;hh5UoK?6aWoyLxX&NhNRqKam7tcOkLh{%j3K^4Mgx1@i|Pi&}<^5>hs5 zm8?uOS>%)NzT(%PjVPGa?X%`N2TQCKbeH2l;cTnHiHppPSJ<7y-yEIiC!P*ikl&!B z%+?>VttCOQM@ShFguHVjxX^?mHX^hSaO_;pnyh^v9EumqSZTi+#f&_Vaija0Q-e*| 
z7ulQj6Fs*bbmsWp{`auM04gGwsYYdNNZcg|ph0OgD>7O}Asn7^Z=eI>`$2*v78;sj-}oMoEj&@)9+ycEOo92xSyY344^ z11Hb8^kdOvbf^GNAK++bYioknrpdN>+u8R?JxG=!2Kd9r=YWCOJYXYuM0cOq^FhEd zBg2puKy__7VT3-r*dG4c62Wgxi52EMCQ`bKgf*#*ou(D4-ZN$+mg&7$u!! z-^+Z%;-3IDwqZ|K=ah85OLwkO zKxNBh+4QHh)u9D?MFtpbl)us}9+V!D%w9jfAMYEb>%$A;u)rrI zuBudh;5PN}_6J_}l55P3l_)&RMlH{m!)ai-i$g)&*M`eN$XQMw{v^r@-125^RRCF0 z^2>|DxhQw(mtNEI2Kj(;KblC7x=JlK$@78`O~>V!`|1Lm-^JR$-5pUANAnb(5}B}JGjBsliK4& zk6y(;$e&h)lh2)L=bvZKbvh@>vLlreBdH8No2>$#%_Wp1U0N7Ank!6$dFSi#xzh|( zRi{Uw%-4W!{IXZ)fWx@XX6;&(m_F%c6~X8hx=BN1&q}*( zoaNjWabE{oUPb!Bt$eyd#$5j9rItB-h*5JiNi(v^e|XKAj*8(k<5-2$&ZBR5fF|JA z9&m4fbzNQnAU}r8ab>fFV%J0z5awe#UZ|bz?Ur)U9bCIKWEzi2%A+5CLqh?}K4JHi z4vtM;+uPsVz{Lfr;78W78gC;z*yTch~4YkLr&m-7%-xc ztw6Mh2d>_iO*$Rd8(-Cr1_V8EO1f*^@wRoSozS) zy1UoC@pruAaC8Z_7~_w4Q6n*&B0AjOmMWa;sIav&gu z|J5&|{=a@vR!~k-OjKEgPFCzcJ>#A1uL&7xTDn;{XBdeM}V=l3B8fE1--DHjSaxoSjNKEM9|U9#m2<3>n{Iuo`r3UZp;>GkT2YBNAh|b z^jTq-hJp(ebZh#Lk8hVBP%qXwv-@vbvoREX$TqRGTgEi$%_F9tZES@z8Bx}$#5eeG zk^UsLBH{bc2VBW)*EdS({yw=?qmevwi?BL6*=12k9zM5gJv1>y#ML4!)iiPzVaH9% zgSImetD@dam~e>{LvVh!phhzpW+iFvWpGT#CVE5TQ40n%F|p(sP5mXxna+Ev7PDwA zamaV4m*^~*xV+&p;W749xhb_X=$|LD;FHuB&JL5?*Y2-oIT(wYY2;73<^#46S~Gx| z^cez%V7x$81}UWqS13Gz80379Rj;6~WdiXWOSsdmzY39L;Hg3MH43o*y8ibNBBH`(av4|u;YPq%{R;IuYow<+GEsf@R?=@tT@!}?#>zIIn0CoyV!hq3mw zHj>OOjfJM3F{RG#6ujzo?y32m^tgSXf@v=J$ELdJ+=5j|=F-~hP$G&}tDZsZE?5rX ztGj`!S>)CFmdkccxM9eGIcGnS2AfK#gXwj%esuIBNJQP1WV~b~+D7PJTmWGTSDrR` zEAu4B8l>NPuhsk5a`rReSya2nfV1EK01+G!x8aBdTs3Io$u5!6n6KX%uv@DxAp3F@{4UYg4SWJtQ-W~0MDb|j-$lwVn znAm*Pl!?Ps&3wO=R115RWKb*JKoexo*)uhhHBncEDMSVa_PyA>k{Zm2(wMQ(5NM3# z)jkza|GoWEQo4^s*wE(gHz?Xsg4`}HUAcs42cM1-qq_=+=!Gk^y710j=66(cSWqUe zklbm8+zB_syQv5A2rj!Vbw8;|$@C!vfNmNV!yJIWDQ>{+2x zKjuFX`~~HKG~^6h5FntRpnnHt=D&rq0>IJ9#F0eM)Y-)GpRjiN7gkA8wvnG#K=q{q z9dBn8_~wm4J<3J_vl|9H{7q6u2A!cW{bp#r*-f{gOV^e=8S{nc1DxMHFwuM$;aVI^ zz6A*}m8N-&x8;aunp1w7_vtB*pa+OYBw=TMc6QK=mbA-|Cf* zvyh8D4LRJImooUaSb7t*fVfih<97Gf@VE0|z>NcBwBQze);Rh!k3K_sfunToZY;f2 
z^HmC4KjHRVg+eKYj;PRN^|E0>Gj_zagfRbrki68I^#~6-HaHg3BUW%+clM1xQEdPYt_g<2K+z!$>*$9nQ>; zf9Bei{?zY^-e{q_*|W#2rJG`2fy@{%6u0i_VEWTq$*(ZN37|8lFFFt)nCG({r!q#9 z5VK_kkSJ3?zOH)OezMT{!YkCuSSn!K#-Rhl$uUM(bq*jY? zi1xbMVthJ`E>d>(f3)~fozjg^@eheMF6<)I`oeJYx4*+M&%c9VArn(OM-wp%M<-`x z7sLP1&3^%Nld9Dhm@$3f2}87!quhI@nwd@3~fZl_3LYW-B?Ia>ui`ELg z&Qfe!7m6ze=mZ`Ia9$z|ARSw|IdMpooY4YiPN8K z4B(ts3p%2i(Td=tgEHX z0UQ_>URBtG+-?0E;E7Ld^dyZ;jjw0}XZ(}-QzC6+NN=40oDb2^v!L1g9xRvE#@IBR zO!b-2N7wVfLV;mhEaXQ9XAU+>=XVA6f&T4Z-@AX!leJ8obP^P^wP0aICND?~w&NykJ#54x3_@r7IDMdRNy4Hh;h*!u(Ol(#0bJdwEo$5437-UBjQ+j=Ic>Q2z` zJNDf0yO6@mr6y1#n3)s(W|$iE_i8r@Gd@!DWDqZ7J&~gAm1#~maIGJ1sls^gxL9LLG_NhU!pTGty!TbhzQnu)I*S^54U6Yu%ZeCg`R>Q zhBv$n5j0v%O_j{QYWG!R9W?5_b&67KB$t}&e2LdMvd(PxN6Ir!H4>PNlerpBL>Zvyy!yw z-SOo8caEpDt(}|gKPBd$qND5#a5nju^O>V&;f890?yEOfkSG^HQVmEbM3Ugzu+UtH zC(INPDdraBN?P%kE;*Ae%Wto&sgw(crfZ#Qy(<4nk;S|hD3j{IQRI6Yq|f^basLY; z-HB&Je%Gg}Jt@={_C{L$!RM;$$|iD6vu#3w?v?*;&()uB|I-XqEKqZPS!reW9JkLewLb!70T7n`i!gNtb1%vN- zySZj{8-1>6E%H&=V}LM#xmt`J3XQoaD|@XygXjdZ1+P77-=;=eYpoEQ01B@L*a(uW zrZeZz?HJsw_4g0vhUgkg@VF8<-X$B8pOqCuWAl28uB|@r`19DTUQQsb^pfqB6QtiT z*`_UZ`fT}vtUY#%sq2{rchyfu*pCg;uec2$-$N_xgjZcoumE5vSI{+s@iLWoz^Mf; zuI8kDP{!XY6OP~q5}%1&L}CtfH^N<3o4L@J@zg1-mt{9L`s^z$Vgb|mr{@WiwAqKg zp#t-lhrU>F8o0s1q_9y`gQNf~Vb!F%70f}$>i7o4ho$`uciNf=xgJ>&!gSt0g;M>*x4-`U)ysFW&Vs^Vk6m%?iuWU+o&m(2Jm26Y(3%TL; zA7T)BP{WS!&xmxNw%J=$MPfn(9*^*TV;$JwRy8Zl*yUZi8jWYF>==j~&S|Xinsb%c z2?B+kpet*muEW7@AzjBA^wAJBY8i|#C{WtO_or&Nj2{=6JTTX05}|H>N2B|Wf!*3_ z7hW*j6p3TvpghEc6-wufFiY!%-GvOx*bZrhZu+7?iSrZL5q9}igiF^*R3%DE4aCHZ zqu>xS8LkW+Auv%z-<1Xs92u23R$nk@Pk}MU5!gT|c7vGlEA%G^2th&Q*zfg%-D^=f z&J_}jskj|Q;73NP4<4k*Y%pXPU2Thoqr+5uH1yEYM|VtBPW6lXaetokD0u z9qVek6Q&wk)tFbQ8(^HGf3Wp16gKmr>G;#G(HRBx?F`9AIRboK+;OfHaLJ(P>IP0w zyTbTkx_THEOs%Q&aPrxbZrJlio+hCC_HK<4%f3ZoSAyG7Dn`=X=&h@m*|UYO-4Hq0 z-Bq&+Ie!S##4A6OGoC~>ZW`Y5J)*ouaFl_e9GA*VSL!O_@xGiBw!AF}1{tB)z(w%c zS1Hmrb9OC8>0a_$BzeiN?rkPLc9%&;1CZW*4}CDDNr2gcl_3z+WC15&H1Zc2{o~i) 
z)LLW=WQ{?ricmC`G1GfJ0Yp4Dy~Ba;j6ZV4r{8xRs`13{dD!xXmr^Aga|C=iSmor% z8hi|pTXH)5Yf&v~exp3o+sY4B^^b*eYkkCYl*T{*=-0HniSA_1F53eCb{x~1k3*`W zr~};p1A`k{1DV9=UPnLDgz{aJH=-LQo<5%+Em!DNN252xwIf*wF_zS^!(XSm(9eoj z=*dXG&n0>)_)N5oc6v!>-bd(2ragD8O=M|wGW z!xJQS<)u70m&6OmrF0WSsr@I%T*c#Qo#Ha4d3COcX+9}hM5!7JIGF>7<~C(Ear^Sn zm^ZFkV6~Ula6+8S?oOROOA6$C&q&dp`>oR-2Ym3(HT@O7Sd5c~+kjrmM)YmgPH*tL zX+znN>`tv;5eOfX?h{AuX^LK~V#gPCu=)Tigtq9&?7Xh$qN|%A$?V*v=&-2F$zTUv z`C#WyIrChS5|Kgm_GeudCFf;)!WH7FI60j^0o#65o6`w*S7R@)88n$1nrgU(oU0M9 zx+EuMkC>(4j1;m6NoGqEkpJYJ?vc|B zOlwT3t&UgL!pX_P*6g36`ZXQ; z9~Cv}ANFnJGp(;ZhS(@FT;3e)0)Kp;h^x;$*xZn*k0U6-&FwI=uOGaODdrsp-!K$Ac32^c{+FhI-HkYd5v=`PGsg%6I`4d9Jy)uW0y%) zm&j^9WBAp*P8#kGJUhB!L?a%h$hJgQrx!6KCB_TRo%9{t0J7KW8!o1B!NC)VGLM5! zpZy5Jc{`r{1e(jd%jsG7k%I+m#CGS*BPA65ZVW~fLYw0dA-H_}O zrkGFL&P1PG9p2(%QiEWm6x;U-U&I#;Em$nx-_I^wtgw3xUPVVu zqSuKnx&dIT-XT+T10p;yjo1Y)z(x1fb8Dzfn8e yu?e%!_ptzGB|8GrCfu%p?(_ zQccdaaVK$5bz;*rnyK{_SQYM>;aES6Qs^lj9lEs6_J+%nIiuQC*fN;z8md>r_~Mfl zU%p5Dt_YT>gQqfr@`cR!$NWr~+`CZb%dn;WtzrAOI>P_JtsB76PYe*<%H(y>qx-`Kq!X_; z<{RpAqYhE=L1r*M)gNF3B8r(<%8mo*SR2hu zccLRZwGARt)Hlo1euqTyM>^!HK*!Q2P;4UYrysje@;(<|$&%vQekbn|0Ruu_Io(w4#%p6ld2Yp7tlA`Y$cciThP zKzNGIMPXX%&Ud0uQh!uQZz|FB`4KGD?3!ND?wQt6!n*f4EmCoJUh&b?;B{|lxs#F- z31~HQ`SF4x$&v00@(P+j1pAaj5!s`)b2RDBp*PB=2IB>oBF!*6vwr7Dp%zpAx*dPr zb@Zjq^XjN?O4QcZ*O+8>)|HlrR>oD*?WQl5ri3R#2?*W6iJ>>kH%KnnME&TT@ZzrHS$Q%LC?n|e>V+D+8D zYc4)QddFz7I8#}y#Wj6>4P%34dZH~OUDb?uP%-E zwjXM(?Sg~1!|wI(RVuxbu)-rH+O=igSho_pDCw(c6b=P zKk4ATlB?bj9+HHlh<_!&z0rx13K3ZrAR8W)!@Y}o`?a*JJsD+twZIv`W)@Y?Amu_u zz``@-e2X}27$i(2=9rvIu5uTUOVhzwu%mNazS|lZb&PT;XE2|B&W1>=B58#*!~D&) zfVmJGg8UdP*fx(>Cj^?yS^zH#o-$Q-*$SnK(ZVFkw+er=>N^7!)FtP3y~Xxnu^nzY zikgB>Nj0%;WOltWIob|}%lo?_C7<``a5hEkx&1ku$|)i>Rh6@3h*`slY=9U}(Ql_< zaNG*J8vb&@zpdhAvv`?{=zDedJ23TD&Zg__snRAH4eh~^oawdYi6A3w8<Ozh@Kw)#bdktM^GVb zrG08?0bG?|NG+w^&JvD*7LAbjED{_Zkc`3H!My>0u5Q}m!+6VokMLXxl`Mkd=g&Xx z-a>m*#G3SLlhbKB!)tnzfWOBV;u;ftU}S!NdD5+YtOjLg?X}dl>7m^gOpihrf1;PY zvll&>dIuUGs{Qnd- 
zwIR3oIrct8Va^Tm0t#(bJD7c$Z7DO9*7NnRZorrSm`b`cxz>OIC;jSE3DO8`hX955ui`s%||YQtt2 z5DNA&pG-V+4oI2s*x^>-$6J?p=I>C|9wZF8z;VjR??Icg?1w2v5Me+FgAeGGa8(3S z4vg*$>zC-WIVZtJ7}o9{D-7d>zCe|z#<9>CFve-OPAYsneTb^JH!Enaza#j}^mXy1 z+ULn^10+rWLF6j2>Ya@@Kq?26>AqK{A_| zQKb*~F1>sE*=d?A?W7N2j?L09_7n+HGi{VY;MoTGr_)G9)ot$p!-UY5zZ2Xtbm=t z@dpPSGwgH=QtIcEulQNI>S-#ifbnO5EWkI;$A|pxJd885oM+ zGZ0_0gDvG8q2xebj+fbCHYfAXuZStH2j~|d^sBAzo46(K8n59+T6rzBwK)^rfPT+B zyIFw)9YC-V^rhtK`!3jrhmW-sTmM+tPH+;nwjL#-SjQPUZ53L@A>y*rt(#M(qsiB2 zx6B)dI}6Wlsw%bJ8h|(lhkJVogQZA&n{?Vgs6gNSXzuZpEyu*xySy8ro07QZ7Vk1!3tJphN_5V7qOiyK8p z#@jcDD8nmtYi1^l8ml;AF<#IPK?!pqf9D4moYk>d99Im}Jtwj6c#+A;f)CQ*f-hZ< z=p_T86jog%!p)D&5g9taSwYi&eP z#JuEK%+NULWus;0w32-SYFku#i}d~+{Pkho&^{;RxzP&0!RCm3-9K6`>KZpnzS6?L z^H^V*s!8<>x8bomvD%rh>Zp3>Db%kyin;qtl+jAv8Oo~1g~mqGAC&Qi_wy|xEt2iz zWAJEfTV%cl2Cs<1L&DLRVVH05EDq`pH7Oh7sR`NNkL%wi}8n>IXcO40hp+J+sC!W?!krJf!GJNE8uj zg-y~Ns-<~D?yqbzVRB}G>0A^f0!^N7l=$m0OdZuqAOQqLc zX?AEGr1Ht+inZ-Qiwnl@Z0qukd__a!C*CKuGdy5#nD7VUBM^6OCpxCa2A(X;e0&V4 zM&WR8+wErQ7UIc6LY~Q9x%Sn*Tn>>P`^t&idaOEnOd(Ufw#>NoR^1QdhJ8s`h^|R_ zXX`c5*O~Xdvh%q;7L!_!ohf$NfEBmCde|#uVZvEo>OfEq%+Ns7&_f$OR9xsihRpBb z+cjk8LyDm@U{YN>+r46?nn{7Gh(;WhFw6GAxtcKD+YWV?uge>;+q#Xx4!GpRkVZYu zzsF}1)7$?%s9g9CH=Zs+B%M_)+~*j3L0&Q9u7!|+T`^O{xE6qvAP?XWv9_MrZKdo& z%IyU)$Q95AB4!#hT!_dA>4e@zjOBD*Y=XjtMm)V|+IXzjuM;(l+8aA5#Kaz_$rR6! 
zj>#&^DidYD$nUY(D$mH`9eb|dtV0b{S>H6FBfq>t5`;OxA4Nn{J(+XihF(stSche7$es&~N$epi&PDM_N`As;*9D^L==2Q7Z2zD+CiU(|+-kL*VG+&9!Yb3LgPy?A zm7Z&^qRG_JIxK7-FBzZI3Q<;{`DIxtc48k> zc|0dmX;Z=W$+)qE)~`yn6MdoJ4co;%!`ddy+FV538Y)j(vg}5*k(WK)KWZ3WaOG!8 z!syGn=s{H$odtpqFrT#JGM*utN7B((abXnpDM6w56nhw}OY}0TiTG1#f*VFZr+^-g zbP10`$LPq_;PvrA1XXlyx2uM^mrjTzX}w{yuLo-cOClE8MMk47T25G8M!9Z5ypOSV zAJUBGEg5L2fY)ZGJb^E34R2zJ?}Vf>{~gB!8=5Z) z9y$>5c)=;o0HeHHSuE4U)#vG&KF|I%-cF6f$~pdYJWk_dD}iOA>iA$O$+4%@>JU08 zS`ep)$XLPJ+n0_i@PkF#ri6T8?ZeAot$6JIYHm&P6EB=BiaNY|aA$W0I+nz*zkz_z zkEru!tj!QUffq%)8y0y`T&`fuus-1p>=^hnBiBqD^hXrPs`PY9tU3m0np~rISY09> z`P3s=-kt_cYcxWd{de@}TwSqg*xVhp;E9zCsnXo6z z?f&Sv^U7n4`xr=mXle94HzOdN!2kB~4=%)u&N!+2;z6UYKUDqi-s6AZ!haB;@&B`? z_TRX0%@suz^TRdCb?!vNJYPY8L_}&07uySH9%W^Tc&1pia6y1q#?*Drf}GjGbPjBS zbOPcUY#*$3sL2x4v_i*Y=N7E$mR}J%|GUI(>WEr+28+V z%v5{#e!UF*6~G&%;l*q*$V?&r$Pp^sE^i-0$+RH3ERUUdQ0>rAq2(2QAbG}$y{de( z>{qD~GGuOk559Y@%$?N^1ApVL_a704>8OD%8Y%8B;FCt%AoPu8*D1 zLB5X>b}Syz81pn;xnB}%0FnwazlWfUV)Z-~rZg6~b z6!9J$EcE&sEbzcy?CI~=boWA&eeIa%z(7SE^qgVLz??1Vbc1*aRvc%Mri)AJaAG!p z$X!_9Ds;Zz)f+;%s&dRcJt2==P{^j3bf0M=nJd&xwUGlUFn?H=2W(*2I2Gdu zv!gYCwM10aeus)`RIZSrCK=&oKaO_Ry~D1B5!y0R=%!i2*KfXGYX&gNv_u+n9wiR5 z*e$Zjju&ODRW3phN925%S(jL+bCHv6rZtc?!*`1TyYXT6%Ju=|X;6D@lq$8T zW{Y|e39ioPez(pBH%k)HzFITXHvnD6hw^lIoUMA;qAJ^CU?top1fo@s7xT13Fvn1H z6JWa-6+FJF#x>~+A;D~;VDs26>^oH0EI`IYT2iagy23?nyJ==i{g4%HrAf1-*v zK1)~@&(KkwR7TL}L(A@C_S0G;-GMDy=MJn2$FP5s<%wC)4jC5PXoxrQBFZ_k0P{{s@sz+gX`-!=T8rcB(=7vW}^K6oLWMmp(rwDh}b zwaGGd>yEy6fHv%jM$yJXo5oMAQ>c9j`**}F?MCry;T@47@r?&sKHgVe$MCqk#Z_3S z1GZI~nOEN*P~+UaFGnj{{Jo@16`(qVNtbU>O0Hf57-P>x8Jikp=`s8xWs^dAJ9lCQ z)GFm+=OV%AMVqVATtN@|vp61VVAHRn87}%PC^RAzJ%JngmZTasWBAWsoAqBU+8L8u z4A&Pe?fmTm0?mK-BL9t+{y7o(7jm+RpOhL9KnY#E&qu^}B6=K_dB}*VlSEiC9fn)+V=J;OnN)Ta5v66ic1rG+dGAJ1 z1%Zb_+!$=tQ~lxQrzv3x#CPb?CekEkA}0MYSgx$Jdd}q8+R=ma$|&1a#)TQ=l$1tQ z=tL9&_^vJ)Pk}EDO-va`UCT1m#Uty1{v^A3P~83_#v^ozH}6*9mIjIr;t3Uv%@VeW zGL6(CwCUp)Jq%G0bIG%?{_*Y#5IHf*5M@wPo6A{$Um++Co$wLC=J1aoG93&T7Ho}P 
z=mGEPP7GbvoG!uD$k(H3A$Z))+i{Hy?QHdk>3xSBXR0j!11O^mEe9RHmw!pvzv?Ua~2_l2Yh~_!s1qS`|0~0)YsbHSz8!mG)WiJE| z2f($6TQtt6L_f~ApQYQKSb=`053LgrQq7G@98#igV>y#i==-nEjQ!XNu9 z~;mE+gtj4IDDNQJ~JVk5Ux6&LCSFL!y=>79kE9=V}J7tD==Ga+IW zX)r7>VZ9dY=V&}DR))xUoV!u(Z|%3ciQi_2jl}3=$Agc(`RPb z8kEBpvY>1FGQ9W$n>Cq=DIpski};nE)`p3IUw1Oz0|wxll^)4dq3;CCY@RyJgFgc# zKouFh!`?Xuo{IMz^xi-h=StCis_M7yq$u) z?XHvw*HP0VgR+KR6wI)jEMX|ssqYvSf*_3W8zVTQzD?3>H!#>InzpSO)@SC8q*ii- z%%h}_#0{4JG;Jm`4zg};BPTGkYamx$Xo#O~lBirRY)q=5M45n{GCfV7h9qwyu1NxOMoP4)jjZMxmT|IQQh0U7C$EbnMN<3)Kk?fFHYq$d|ICu>KbY_hO zTZM+uKHe(cIZfEqyzyYSUBZa8;Fcut-GN!HSA9ius`ltNebF46ZX_BbZNU}}ZOm{M2&nANL9@0qvih15(|`S~z}m&h!u4x~(%MAO$jHRWNfuxWF#B)E&g3ghSQ9|> z(MFaLQj)NE0lowyjvg8z0#m6FIuKE9lDO~Glg}nSb7`~^&#(Lw{}GVOS>U)m8bF}x zVjbXljBm34Cs-yM6TVusr+3kYFjr28STT3g056y3cH5Tmge~ASxBj z%|yb>$eF;WgrcOZf569sDZOVwoo%8>XO>XQOX1OyN9I-SQgrm;U;+#3OI(zrWyow3 zk==|{lt2xrQ%FIXOTejR>;wv(Pb8u8}BUpx?yd(Abh6? zsoO3VYWkeLnF43&@*#MQ9-i-d0t*xN-UEyNKeyNMHw|A(k(_6QKO=nKMCxD(W(Yop zsRQ)QeL4X3Lxp^L%wzi2-WVSsf61dqliPUM7srDB?Wm6Lzn0&{*}|IsKQW;02(Y&| zaTKv|`U(pSzuvR6Rduu$wzK_W-Y-7>7s?G$)U}&uK;<>vU}^^ns@Z!p+9?St1s)dG zK%y6xkPyyS1$~&6v{kl?Md6gwM|>mt6Upm>oa8RLD^8T{0?HC!Z>;(Bob7el(DV6x zi`I)$&E&ngwFS@bi4^xFLAn`=fzTC;aimE^!cMI2n@Vo%Ae-ne`RF((&5y6xsjjAZ zVguVoQ?Z9uk$2ON;ersE%PU*xGO@T*;j1BO5#TuZKEf(mB7|g7pcEA=nYJ{s3vlbg zd4-DUlD{*6o%Gc^N!Nptgay>j6E5;3psI+C3Q!1ZIbeCubW%w4pq9)MSDyB{HLm|k zxv-{$$A*pS@csolri$Ge<4VZ}e~78JOL-EVyrbxKra^d{?|NnPp86!q>t<&IP07?Z z^>~IK^k#OEKgRH+LjllZXk7iA>2cfH6+(e&9ku5poo~6y{GC5>(bRK7hwjiurqAiZ zg*DmtgY}v83IjE&AbiWgMyFbaRUPZ{lYiz$U^&Zt2YjG<%m((&_JUbZcfJ22(>bi5 z!J?<7AySj0JZ&<-qXX;mcV!f~>G=sB0KnjWca4}vrtunD^1TrpfeS^4dvFr!65knK zZh`d;*VOkPs4*-9kL>$GP0`(M!j~B;#x?Ba~&s6CopvO86oM?-? 
zOw#dIRc;6A6T?B`Qp%^<U5 z19x(ywSH$_N+Io!6;e?`tWaM$`=Db!gzx|lQ${DG!zb1Zl&|{kX0y6xvO1o z220r<-oaS^^R2pEyY;=Qllqpmue|5yI~D|iI!IGt@iod{Opz@*ml^w2bNs)p`M(Io z|E;;m*Xpjd9l)4G#KaWfV(t8YUn@A;nK^#xgv=LtnArX|vWQVuw3}B${h+frU2>9^ z!l6)!Uo4`5k`<<;E(ido7M6lKTgWezNLq>U*=uz&s=cc$1%>VrAeOoUtA|T6gO4>UNqsdK=NF*8|~*sl&wI=x9-EGiq*aqV!(VVXA57 zw9*o6Ir8Lj1npUXvlevtn(_+^X5rzdR>#(}4YcB9O50q97%rW2me5_L=%ffYPUSRc z!vv?Kv>dH994Qi>U(a<0KF6NH5b16enCp+mw^Hb3Xs1^tThFpz!3QuN#}KBbww`(h z7GO)1olDqy6?T$()R7y%NYx*B0k_2IBiZ14&8|JPFxeMF{vSTxF-Vi3+ZOI=Thq2} zyQgjYY1_7^ZQHh{?P))4+qUiQJLi1&{yE>h?~jU%tjdV0h|FENbM3X(KnJdPKc?~k zh=^Ixv*+smUll!DTWH!jrV*wSh*(mx0o6}1@JExzF(#9FXgmTXVoU+>kDe68N)dkQ zH#_98Zv$}lQwjKL@yBd;U(UD0UCl322=pav<=6g>03{O_3oKTq;9bLFX1ia*lw;#K zOiYDcBJf)82->83N_Y(J7Kr_3lE)hAu;)Q(nUVydv+l+nQ$?|%MWTy`t>{havFSQloHwiIkGK9YZ79^9?AZo0ZyQlVR#}lF%dn5n%xYksXf8gnBm=wO7g_^! zauQ-bH1Dc@3ItZ-9D_*pH}p!IG7j8A_o94#~>$LR|TFq zZ-b00*nuw|-5C2lJDCw&8p5N~Z1J&TrcyErds&!l3$eSz%`(*izc;-?HAFD9AHb-| z>)id`QCrzRws^9(#&=pIx9OEf2rmlob8sK&xPCWS+nD~qzU|qG6KwA{zbikcfQrdH z+ zQg>O<`K4L8rN7`GJB0*3<3`z({lWe#K!4AZLsI{%z#ja^OpfjU{!{)x0ZH~RB0W5X zTwN^w=|nA!4PEU2=LR05x~}|B&ZP?#pNgDMwD*ajI6oJqv!L81gu=KpqH22avXf0w zX3HjbCI!n9>l046)5rr5&v5ja!xkKK42zmqHzPx$9Nn_MZk`gLeSLgC=LFf;H1O#B zn=8|^1iRrujHfbgA+8i<9jaXc;CQBAmQvMGQPhFec2H1knCK2x!T`e6soyrqCamX% zTQ4dX_E*8so)E*TB$*io{$c6X)~{aWfaqdTh=xEeGvOAN9H&-t5tEE-qso<+C!2>+ zskX51H-H}#X{A75wqFe-J{?o8Bx|>fTBtl&tcbdR|132Ztqu5X0i-pisB-z8n71%q%>EF}yy5?z=Ve`}hVh{Drv1YWL zW=%ug_&chF11gDv3D6B)Tz5g54H0mDHNjuKZ+)CKFk4Z|$RD zfRuKLW`1B>B?*RUfVd0+u8h3r-{@fZ{k)c!93t1b0+Q9vOaRnEn1*IL>5Z4E4dZ!7 ztp4GP-^1d>8~LMeb}bW!(aAnB1tM_*la=Xx)q(I0Y@__Zd$!KYb8T2VBRw%e$iSdZ zkwdMwd}eV9q*;YvrBFTv1>1+}{H!JK2M*C|TNe$ZSA>UHKk);wz$(F$rXVc|sI^lD zV^?_J!3cLM;GJuBMbftbaRUs$;F}HDEDtIeHQ)^EJJ1F9FKJTGH<(Jj`phE6OuvE) zqK^K`;3S{Y#1M@8yRQwH`?kHMq4tHX#rJ>5lY3DM#o@or4&^_xtBC(|JpGTfrbGkA z2Tu+AyT^pHannww!4^!$5?@5v`LYy~T`qs7SYt$JgrY(w%C+IWA;ZkwEF)u5sDvOK zGk;G>Mh&elvXDcV69J_h02l&O;!{$({fng9Rlc3ID#tmB^FIG^w{HLUpF+iB`|
NnX)EH+Nua)3Y(c z&{(nX_ht=QbJ%DzAya}!&uNu!4V0xI)QE$SY__m)SAKcN0P(&JcoK*Lxr@P zY&P=}&B3*UWNlc|&$Oh{BEqwK2+N2U$4WB7Fd|aIal`FGANUa9E-O)!gV`((ZGCc$ zBJA|FFrlg~9OBp#f7aHodCe{6= zay$6vN~zj1ddMZ9gQ4p32(7wD?(dE>KA2;SOzXRmPBiBc6g`eOsy+pVcHu=;Yd8@{ zSGgXf@%sKKQz~;!J;|2fC@emm#^_rnO0esEn^QxXgJYd`#FPWOUU5b;9eMAF zZhfiZb|gk8aJIw*YLp4!*(=3l8Cp{(%p?ho22*vN9+5NLV0TTazNY$B5L6UKUrd$n zjbX%#m7&F#U?QNOBXkiiWB*_tk+H?N3`vg;1F-I+83{M2!8<^nydGr5XX}tC!10&e z7D36bLaB56WrjL&HiiMVtpff|K%|*{t*ltt^5ood{FOG0<>k&1h95qPio)2`eL${YAGIx(b4VN*~nKn6E~SIQUuRH zQ+5zP6jfnP$S0iJ@~t!Ai3o`X7biohli;E zT#yXyl{bojG@-TGZzpdVDXhbmF%F9+-^YSIv|MT1l3j zrxOFq>gd2%U}?6}8mIj?M zc077Zc9fq(-)4+gXv?Az26IO6eV`RAJz8e3)SC7~>%rlzDwySVx*q$ygTR5kW2ds- z!HBgcq0KON9*8Ff$X0wOq$`T7ml(@TF)VeoF}x1OttjuVHn3~sHrMB++}f7f9H%@f z=|kP_?#+fve@{0MlbkC9tyvQ_R?lRdRJ@$qcB(8*jyMyeME5ns6ypVI1Xm*Zr{DuS zZ!1)rQfa89c~;l~VkCiHI|PCBd`S*2RLNQM8!g9L6?n`^evQNEwfO@&JJRme+uopQX0%Jo zgd5G&#&{nX{o?TQwQvF1<^Cg3?2co;_06=~Hcb6~4XWpNFL!WU{+CK;>gH%|BLOh7@!hsa(>pNDAmpcuVO-?;Bic17R}^|6@8DahH)G z!EmhsfunLL|3b=M0MeK2vqZ|OqUqS8npxwge$w-4pFVXFq$_EKrZY?BuP@Az@(k`L z`ViQBSk`y+YwRT;&W| z2e3UfkCo^uTA4}Qmmtqs+nk#gNr2W4 zTH%hhErhB)pkXR{B!q5P3-OM+M;qu~f>}IjtF%>w{~K-0*jPVLl?Chz&zIdxp}bjx zStp&Iufr58FTQ36AHU)0+CmvaOpKF;W@sMTFpJ`j;3d)J_$tNQI^c<^1o<49Z(~K> z;EZTBaVT%14(bFw2ob@?JLQ2@(1pCdg3S%E4*dJ}dA*v}_a4_P(a`cHnBFJxNobAv zf&Zl-Yt*lhn-wjZsq<9v-IsXxAxMZ58C@e0!rzhJ+D@9^3~?~yllY^s$?&oNwyH!#~6x4gUrfxplCvK#!f z$viuszW>MFEcFL?>ux*((!L$;R?xc*myjRIjgnQX79@UPD$6Dz0jutM@7h_pq z0Zr)#O<^y_K6jfY^X%A-ip>P%3saX{!v;fxT-*0C_j4=UMH+Xth(XVkVGiiKE#f)q z%Jp=JT)uy{&}Iq2E*xr4YsJ5>w^=#-mRZ4vPXpI6q~1aFwi+lQcimO45V-JXP;>(Q zo={U`{=_JF`EQj87Wf}{Qy35s8r1*9Mxg({CvOt}?Vh9d&(}iI-quvs-rm~P;eRA@ zG5?1HO}puruc@S{YNAF3vmUc2B4!k*yi))<5BQmvd3tr}cIs#9)*AX>t`=~{f#Uz0 z0&Nk!7sSZwJe}=)-R^$0{yeS!V`Dh7w{w5rZ9ir!Z7Cd7dwZcK;BT#V0bzTt>;@Cl z#|#A!-IL6CZ@eHH!CG>OO8!%G8&8t4)Ro@}USB*k>oEUo0LsljsJ-%5Mo^MJF2I8- z#v7a5VdJ-Cd%(a+y6QwTmi+?f8Nxtm{g-+WGL>t;s#epv7ug>inqimZCVm!uT5Pf6 
ziEgQt7^%xJf#!aPWbuC_3Nxfb&CFbQy!(8ANpkWLI4oSnH?Q3f?0k1t$3d+lkQs{~(>06l&v|MpcFsyAv zin6N!-;pggosR*vV=DO(#+}4ps|5$`udE%Kdmp?G7B#y%H`R|i8skKOd9Xzx8xgR$>Zo2R2Ytktq^w#ul4uicxW#{ zFjG_RNlBroV_n;a7U(KIpcp*{M~e~@>Q#Av90Jc5v%0c>egEdY4v3%|K1XvB{O_8G zkTWLC>OZKf;XguMH2-Pw{BKbFzaY;4v2seZV0>^7Q~d4O=AwaPhP3h|!hw5aqOtT@ z!SNz}$of**Bl3TK209@F=Tn1+mgZa8yh(Png%Zd6Mt}^NSjy)etQrF zme*llAW=N_8R*O~d2!apJnF%(JcN??=`$qs3Y+~xs>L9x`0^NIn!8mMRFA_tg`etw z3k{9JAjnl@ygIiJcNHTy02GMAvBVqEss&t2<2mnw!; zU`J)0>lWiqVqo|ex7!+@0i>B~BSU1A_0w#Ee+2pJx0BFiZ7RDHEvE*ptc9md(B{&+ zKE>TM)+Pd>HEmdJao7U@S>nL(qq*A)#eLOuIfAS@j`_sK0UEY6OAJJ-kOrHG zjHx`g!9j*_jRcJ%>CE9K2MVf?BUZKFHY?EpV6ai7sET-tqk=nDFh-(65rhjtlKEY% z@G&cQ<5BKatfdA1FKuB=i>CCC5(|9TMW%K~GbA4}80I5%B}(gck#Wlq@$nO3%@QP_ z8nvPkJFa|znk>V92cA!K1rKtr)skHEJD;k8P|R8RkCq1Rh^&}Evwa4BUJz2f!2=MH zo4j8Y$YL2313}H~F7@J7mh>u%556Hw0VUOz-Un@ZASCL)y8}4XXS`t1AC*^>PLwIc zUQok5PFS=*#)Z!3JZN&eZ6ZDP^-c@StY*t20JhCnbMxXf=LK#;`4KHEqMZ-Ly9KsS zI2VUJGY&PmdbM+iT)zek)#Qc#_i4uH43 z@T5SZBrhNCiK~~esjsO9!qBpaWK<`>!-`b71Y5ReXQ4AJU~T2Njri1CEp5oKw;Lnm)-Y@Z3sEY}XIgSy%xo=uek(kAAH5MsV$V3uTUsoTzxp_rF=tx zV07vlJNKtJhCu`b}*#m&5LV4TAE&%KtHViDAdv#c^x`J7bg z&N;#I2GkF@SIGht6p-V}`!F_~lCXjl1BdTLIjD2hH$J^YFN`7f{Q?OHPFEM$65^!u zNwkelo*5+$ZT|oQ%o%;rBX$+?xhvjb)SHgNHE_yP%wYkkvXHS{Bf$OiKJ5d1gI0j< zF6N}Aq=(WDo(J{e-uOecxPD>XZ@|u-tgTR<972`q8;&ZD!cep^@B5CaqFz|oU!iFj zU0;6fQX&~15E53EW&w1s9gQQ~Zk16X%6 zjG`j0yq}4deX2?Tr(03kg>C(!7a|b9qFI?jcE^Y>-VhudI@&LI6Qa}WQ>4H_!UVyF z((cm&!3gmq@;BD#5P~0;_2qgZhtJS|>WdtjY=q zLnHH~Fm!cxw|Z?Vw8*~?I$g#9j&uvgm7vPr#&iZgPP~v~BI4jOv;*OQ?jYJtzO<^y z7-#C={r7CO810!^s(MT!@@Vz_SVU)7VBi(e1%1rvS!?PTa}Uv`J!EP3s6Y!xUgM^8 z4f!fq<3Wer_#;u!5ECZ|^c1{|q_lh3m^9|nsMR1#Qm|?4Yp5~|er2?W^7~cl;_r4WSme_o68J9p03~Hc%X#VcX!xAu%1`R!dfGJCp zV*&m47>s^%Ib0~-2f$6oSgn3jg8m%UA;ArcdcRyM5;}|r;)?a^D*lel5C`V5G=c~k zy*w_&BfySOxE!(~PI$*dwG><+-%KT5p?whOUMA*k<9*gi#T{h3DAxzAPxN&Xws8o9Cp*`PA5>d9*Z-ynV# z9yY*1WR^D8|C%I@vo+d8r^pjJ$>eo|j>XiLWvTWLl(^;JHCsoPgem6PvegHb-OTf| 
zvTgsHSa;BkbG=(NgPO|CZu9gUCGr$8*EoH2_Z#^BnxF0yM~t`|9ws_xZ8X8iZYqh! zAh;HXJ)3P&)Q0(&F>!LN0g#bdbis-cQxyGn9Qgh`q+~49Fqd2epikEUw9caM%V6WgP)532RMRW}8gNS%V%Hx7apSz}tn@bQy!<=lbhmAH=FsMD?leawbnP5BWM0 z5{)@EEIYMu5;u)!+HQWhQ;D3_Cm_NADNeb-f56}<{41aYq8p4=93d=-=q0Yx#knGYfXVt z+kMxlus}t2T5FEyCN~!}90O_X@@PQpuy;kuGz@bWft%diBTx?d)_xWd_-(!LmVrh**oKg!1CNF&LX4{*j|) zIvjCR0I2UUuuEXh<9}oT_zT#jOrJAHNLFT~Ilh9hGJPI1<5`C-WA{tUYlyMeoy!+U zhA#=p!u1R7DNg9u4|QfED-2TuKI}>p#2P9--z;Bbf4Op*;Q9LCbO&aL2i<0O$ByoI z!9;Ght733FC>Pz>$_mw(F`zU?`m@>gE`9_p*=7o=7av`-&ifU(^)UU`Kg3Kw`h9-1 z6`e6+im=|m2v`pN(2dE%%n8YyQz;#3Q-|x`91z?gj68cMrHl}C25|6(_dIGk*8cA3 zRHB|Nwv{@sP4W+YZM)VKI>RlB`n=Oj~Rzx~M+Khz$N$45rLn6k1nvvD^&HtsMA4`s=MmuOJID@$s8Ph4E zAmSV^+s-z8cfv~Yd(40Sh4JG#F~aB>WFoX7ykaOr3JaJ&Lb49=B8Vk-SQT9%7TYhv z?-Pprt{|=Y5ZQ1?od|A<_IJU93|l4oAfBm?3-wk{O<8ea+`}u%(kub(LFo2zFtd?4 zwpN|2mBNywv+d^y_8#<$r>*5+$wRTCygFLcrwT(qc^n&@9r+}Kd_u@Ithz(6Qb4}A zWo_HdBj#V$VE#l6pD0a=NfB0l^6W^g`vm^sta>Tly?$E&{F?TTX~DsKF~poFfmN%2 z4x`Dc{u{Lkqz&y!33;X}weD}&;7p>xiI&ZUb1H9iD25a(gI|`|;G^NwJPv=1S5e)j z;U;`?n}jnY6rA{V^ zxTd{bK)Gi^odL3l989DQlN+Zs39Xe&otGeY(b5>rlIqfc7Ap4}EC?j<{M=hlH{1+d zw|c}}yx88_xQr`{98Z!d^FNH77=u(p-L{W6RvIn40f-BldeF-YD>p6#)(Qzf)lfZj z?3wAMtPPp>vMehkT`3gToPd%|D8~4`5WK{`#+}{L{jRUMt zrFz+O$C7y8$M&E4@+p+oV5c%uYzbqd2Y%SSgYy#xh4G3hQv>V*BnuKQhBa#=oZB~w{azUB+q%bRe_R^ z>fHBilnRTUfaJ201czL8^~Ix#+qOHSO)A|xWLqOxB$dT2W~)e-r9;bm=;p;RjYahB z*1hegN(VKK+ztr~h1}YP@6cfj{e#|sS`;3tJhIJK=tVJ-*h-5y9n*&cYCSdg#EHE# zSIx=r#qOaLJoVVf6v;(okg6?*L_55atl^W(gm^yjR?$GplNP>BZsBYEf_>wM0Lc;T zhf&gpzOWNxS>m+mN92N0{;4uw`P+9^*|-1~$uXpggj4- z^SFc4`uzj2OwdEVT@}Q`(^EcQ_5(ZtXTql*yGzdS&vrS_w>~~ra|Nb5abwf}Y!uq6R5f&6g2ge~2p(%c< z@O)cz%%rr4*cRJ5f`n@lvHNk@lE1a*96Kw6lJ~B-XfJW%?&-y?;E&?1AacU@`N`!O z6}V>8^%RZ7SQnZ-z$(jsX`amu*5Fj8g!3RTRwK^`2_QHe;_2y_n|6gSaGyPmI#kA0sYV<_qOZc#-2BO%hX)f$s-Z3xlI!ub z^;3ru11DA`4heAu%}HIXo&ctujzE2!6DIGE{?Zs>2}J+p&C$rc7gJC35gxhflorvsb%sGOxpuWhF)dL_&7&Z99=5M0b~Qa;Mo!j&Ti_kXW!86N%n= zSC@6Lw>UQ__F&+&Rzv?gscwAz8IP!n63>SP)^62(HK98nGjLY2*e^OwOq`3O|C92? 
z;TVhZ2SK%9AGW4ZavTB9?)mUbOoF`V7S=XM;#3EUpR+^oHtdV!GK^nXzCu>tpR|89 zdD{fnvCaN^^LL%amZ^}-E+214g&^56rpdc@yv0b<3}Ys?)f|fXN4oHf$six)-@<;W&&_kj z-B}M5U*1sb4)77aR=@%I?|Wkn-QJVuA96an25;~!gq(g1@O-5VGo7y&E_srxL6ZfS z*R%$gR}dyONgju*D&?geiSj7SZ@ftyA|}(*Y4KbvU!YLsi1EDQQCnb+-cM=K1io78o!v*);o<XwjaQH%)uIP&Zm?)Nfbfn;jIr z)d#!$gOe3QHp}2NBak@yYv3m(CPKkwI|{;d=gi552u?xj9ObCU^DJFQp4t4e1tPzM zvsRIGZ6VF+{6PvqsplMZWhz10YwS={?`~O0Ec$`-!klNUYtzWA^f9m7tkEzCy<_nS z=&<(awFeZvt51>@o_~>PLs05CY)$;}Oo$VDO)?l-{CS1Co=nxjqben*O1BR>#9`0^ zkwk^k-wcLCLGh|XLjdWv0_Hg54B&OzCE^3NCP}~OajK-LuRW53CkV~Su0U>zN%yQP zH8UH#W5P3-!ToO-2k&)}nFe`t+mdqCxxAHgcifup^gKpMObbox9LFK;LP3}0dP-UW z?Zo*^nrQ6*$FtZ(>kLCc2LY*|{!dUn$^RW~m9leoF|@Jy|M5p-G~j%+P0_#orRKf8 zvuu5<*XO!B?1E}-*SY~MOa$6c%2cM+xa8}_8x*aVn~57v&W(0mqN1W`5a7*VN{SUH zXz98DDyCnX2EPl-`Lesf`=AQT%YSDb`$%;(jUTrNen$NPJrlpPDP}prI>Ml!r6bCT;mjsg@X^#&<}CGf0JtR{Ecwd&)2zuhr#nqdgHj+g2n}GK9CHuwO zk>oZxy{vcOL)$8-}L^iVfJHAGfwN$prHjYV0ju}8%jWquw>}_W6j~m<}Jf!G?~r5&Rx)!9JNX!ts#SGe2HzobV5); zpj@&`cNcO&q+%*<%D7za|?m5qlmFK$=MJ_iv{aRs+BGVrs)98BlN^nMr{V_fcl_;jkzRju+c-y?gqBC_@J0dFLq-D9@VN&-`R9U;nv$Hg?>$oe4N&Ht$V_(JR3TG^! 
zzJsbQbi zFE6-{#9{G{+Z}ww!ycl*7rRdmU#_&|DqPfX3CR1I{Kk;bHwF6jh0opI`UV2W{*|nn zf_Y@%wW6APb&9RrbEN=PQRBEpM(N1w`81s=(xQj6 z-eO0k9=Al|>Ej|Mw&G`%q8e$2xVz1v4DXAi8G};R$y)ww638Y=9y$ZYFDM$}vzusg zUf+~BPX>(SjA|tgaFZr_e0{)+z9i6G#lgt=F_n$d=beAt0Sa0a7>z-?vcjl3e+W}+ z1&9=|vC=$co}-Zh*%3588G?v&U7%N1Qf-wNWJ)(v`iO5KHSkC5&g7CrKu8V}uQGcfcz zmBz#Lbqwqy#Z~UzHgOQ;Q-rPxrRNvl(&u6ts4~0=KkeS;zqURz%!-ERppmd%0v>iRlEf+H$yl{_8TMJzo0 z>n)`On|7=WQdsqhXI?#V{>+~}qt-cQbokEbgwV3QvSP7&hK4R{Z{aGHVS3;+h{|Hz z6$Js}_AJr383c_+6sNR|$qu6dqHXQTc6?(XWPCVZv=)D#6_;D_8P-=zOGEN5&?~8S zl5jQ?NL$c%O)*bOohdNwGIKM#jSAC?BVY={@A#c9GmX0=T(0G}xs`-%f3r=m6-cpK z!%waekyAvm9C3%>sixdZj+I(wQlbB4wv9xKI*T13DYG^T%}zZYJ|0$Oj^YtY+d$V$ zAVudSc-)FMl|54n=N{BnZTM|!>=bhaja?o7s+v1*U$!v!qQ%`T-6fBvmdPbVmro&d zk07TOp*KuxRUSTLRrBj{mjsnF8`d}rMViY8j`jo~Hp$fkv9F_g(jUo#Arp;Xw0M$~ zRIN!B22~$kx;QYmOkos@%|5k)!QypDMVe}1M9tZfkpXKGOxvKXB!=lo`p?|R1l=tA zp(1}c6T3Fwj_CPJwVsYtgeRKg?9?}%oRq0F+r+kdB=bFUdVDRPa;E~~>2$w}>O>v=?|e>#(-Lyx?nbg=ckJ#5U6;RT zNvHhXk$P}m9wSvFyU3}=7!y?Y z=fg$PbV8d7g25&-jOcs{%}wTDKm>!Vk);&rr;O1nvO0VrU&Q?TtYVU=ir`te8SLlS zKSNmV=+vF|ATGg`4$N1uS|n??f}C_4Sz!f|4Ly8#yTW-FBfvS48Tef|-46C(wEO_%pPhUC5$-~Y?!0vFZ^Gu`x=m7X99_?C-`|h zfmMM&Y@zdfitA@KPw4Mc(YHcY1)3*1xvW9V-r4n-9ZuBpFcf{yz+SR{ zo$ZSU_|fgwF~aakGr(9Be`~A|3)B=9`$M-TWKipq-NqRDRQc}ABo*s_5kV%doIX7LRLRau_gd@Rd_aLFXGSU+U?uAqh z8qusWWcvgQ&wu{|sRXmv?sl=xc<$6AR$+cl& zFNh5q1~kffG{3lDUdvEZu5c(aAG~+64FxdlfwY^*;JSS|m~CJusvi-!$XR`6@XtY2 znDHSz7}_Bx7zGq-^5{stTRy|I@N=>*y$zz>m^}^{d&~h;0kYiq8<^Wq7Dz0w31ShO^~LUfW6rfitR0(=3;Uue`Y%y@ex#eKPOW zO~V?)M#AeHB2kovn1v=n^D?2{2jhIQd9t|_Q+c|ZFaWt+r&#yrOu-!4pXAJuxM+Cx z*H&>eZ0v8Y`t}8{TV6smOj=__gFC=eah)mZt9gwz>>W$!>b3O;Rm^Ig*POZP8Rl0f zT~o=Nu1J|lO>}xX&#P58%Yl z83`HRs5#32Qm9mdCrMlV|NKNC+Z~ z9OB8xk5HJ>gBLi+m@(pvpw)1(OaVJKs*$Ou#@Knd#bk+V@y;YXT?)4eP9E5{J%KGtYinNYJUH9PU3A}66c>Xn zZ{Bn0<;8$WCOAL$^NqTjwM?5d=RHgw3!72WRo0c;+houoUA@HWLZM;^U$&sycWrFd zE7ekt9;kb0`lps{>R(}YnXlyGY}5pPd9zBpgXeJTY_jwaJGSJQC#-KJqmh-;ad&F- z-Y)E>!&`Rz!HtCz>%yOJ|v(u7P*I$jqEY3}(Z-orn4 
zlI?CYKNl`6I){#2P1h)y(6?i;^z`N3bxTV%wNvQW+eu|x=kbj~s8rhCR*0H=iGkSj zk23lr9kr|p7#qKL=UjgO`@UnvzU)`&fI>1Qs7ubq{@+lK{hH* zvl6eSb9%yngRn^T<;jG1SVa)eA>T^XX=yUS@NCKpk?ovCW1D@!=@kn;l_BrG;hOTC z6K&H{<8K#dI(A+zw-MWxS+~{g$tI7|SfP$EYKxA}LlVO^sT#Oby^grkdZ^^lA}uEF zBSj$weBJG{+Bh@Yffzsw=HyChS(dtLE3i*}Zj@~!_T-Ay7z=B)+*~3|?w`Zd)Co2t zC&4DyB!o&YgSw+fJn6`sn$e)29`kUwAc+1MND7YjV%lO;H2}fNy>hD#=gT ze+-aFNpyKIoXY~Vq-}OWPBe?Rfu^{ps8>Xy%42r@RV#*QV~P83jdlFNgkPN=T|Kt7 zV*M`Rh*30&AWlb$;ae130e@}Tqi3zx2^JQHpM>j$6x`#{mu%tZlwx9Gj@Hc92IuY* zarmT|*d0E~vt6<+r?W^UW0&#U&)8B6+1+;k^2|FWBRP9?C4Rk)HAh&=AS8FS|NQaZ z2j!iZ)nbEyg4ZTp-zHwVlfLC~tXIrv(xrP8PAtR{*c;T24ycA-;auWsya-!kF~CWZ zw_uZ|%urXgUbc@x=L=_g@QJ@m#5beS@6W195Hn7>_}z@Xt{DIEA`A&V82bc^#!q8$ zFh?z_Vn|ozJ;NPd^5uu(9tspo8t%&-U9Ckay-s@DnM*R5rtu|4)~e)`z0P-sy?)kc zs_k&J@0&0!q4~%cKL)2l;N*T&0;mqX5T{Qy60%JtKTQZ-xb%KOcgqwJmb%MOOKk7N zgq})R_6**{8A|6H?fO+2`#QU)p$Ei2&nbj6TpLSIT^D$|`TcSeh+)}VMb}LmvZ{O| ze*1IdCt3+yhdYVxcM)Q_V0bIXLgr6~%JS<<&dxIgfL=Vnx4YHuU@I34JXA|+$_S3~ zy~X#gO_X!cSs^XM{yzDGNM>?v(+sF#<0;AH^YrE8smx<36bUsHbN#y57K8WEu(`qHvQ6cAZPo=J5C(lSmUCZ57Rj6cx!e^rfaI5%w}unz}4 zoX=nt)FVNV%QDJH`o!u9olLD4O5fl)xp+#RloZlaA92o3x4->?rB4`gS$;WO{R;Z3>cG3IgFX2EA?PK^M}@%1%A;?f6}s&CV$cIyEr#q5;yHdNZ9h{| z-=dX+a5elJoDo?Eq&Og!nN6A)5yYpnGEp}?=!C-V)(*~z-+?kY1Q7qs#Rsy%hu_60rdbB+QQNr?S1 z?;xtjUv|*E3}HmuNyB9aFL5H~3Ho0UsmuMZELp1a#CA1g`P{-mT?BchuLEtK}!QZ=3AWakRu~?f9V~3F;TV`5%9Pcs_$gq&CcU}r8gOO zC2&SWPsSG{&o-LIGTBqp6SLQZPvYKp$$7L4WRRZ0BR$Kf0I0SCFkqveCp@f)o8W)! 
z$%7D1R`&j7W9Q9CGus_)b%+B#J2G;l*FLz#s$hw{BHS~WNLODV#(!u_2Pe&tMsq={ zdm7>_WecWF#D=?eMjLj=-_z`aHMZ=3_-&E8;ibPmM}61i6J3is*=dKf%HC>=xbj4$ zS|Q-hWQ8T5mWde6h@;mS+?k=89?1FU<%qH9B(l&O>k|u_aD|DY*@~(`_pb|B#rJ&g zR0(~(68fpUPz6TdS@4JT5MOPrqDh5_H(eX1$P2SQrkvN8sTxwV>l0)Qq z0pzTuvtEAKRDkKGhhv^jk%|HQ1DdF%5oKq5BS>szk-CIke{%js?~%@$uaN3^Uz6Wf z_iyx{bZ(;9y4X&>LPV=L=d+A}7I4GkK0c1Xts{rrW1Q7apHf-))`BgC^0^F(>At1* za@e7{lq%yAkn*NH8Q1{@{lKhRg*^TfGvv!Sn*ed*x@6>M%aaqySxR|oNadYt1mpUZ z6H(rupHYf&Z z29$5g#|0MX#aR6TZ$@eGxxABRKakDYtD%5BmKp;HbG_ZbT+=81E&=XRk6m_3t9PvD zr5Cqy(v?gHcYvYvXkNH@S#Po~q(_7MOuCAB8G$a9BC##gw^5mW16cML=T=ERL7wsk zzNEayTG?mtB=x*wc@ifBCJ|irFVMOvH)AFRW8WE~U()QT=HBCe@s$dA9O!@`zAAT) zaOZ7l6vyR+Nk_OOF!ZlZmjoImKh)dxFbbR~z(cMhfeX1l7S_`;h|v3gI}n9$sSQ>+3@AFAy9=B_y$)q;Wdl|C-X|VV3w8 z2S#>|5dGA8^9%Bu&fhmVRrTX>Z7{~3V&0UpJNEl0=N32euvDGCJ>#6dUSi&PxFW*s zS`}TB>?}H(T2lxBJ!V#2taV;q%zd6fOr=SGHpoSG*4PDaiG0pdb5`jelVipkEk%FV zThLc@Hc_AL1#D&T4D=w@UezYNJ%0=f3iVRuVL5H?eeZM}4W*bomebEU@e2d`M<~uW zf#Bugwf`VezG|^Qbt6R_=U0}|=k;mIIakz99*>FrsQR{0aQRP6ko?5<7bkDN8evZ& zB@_KqQG?ErKL=1*ZM9_5?Pq%lcS4uLSzN(Mr5=t6xHLS~Ym`UgM@D&VNu8e?_=nSFtF$u@hpPSmI4Vo_t&v?>$~K4y(O~Rb*(MFy_igM7 z*~yYUyR6yQgzWnWMUgDov!!g=lInM+=lOmOk4L`O?{i&qxy&D*_qorRbDwj6?)!ef z#JLd7F6Z2I$S0iYI={rZNk*<{HtIl^mx=h>Cim*04K4+Z4IJtd*-)%6XV2(MCscPiw_a+y*?BKbTS@BZ3AUao^%Zi#PhoY9Vib4N>SE%4>=Jco0v zH_Miey{E;FkdlZSq)e<{`+S3W=*ttvD#hB8w=|2aV*D=yOV}(&p%0LbEWH$&@$X3x~CiF-?ejQ*N+-M zc8zT@3iwkdRT2t(XS`d7`tJQAjRmKAhiw{WOqpuvFp`i@Q@!KMhwKgsA}%@sw8Xo5Y=F zhRJZg)O4uqNWj?V&&vth*H#je6T}}p_<>!Dr#89q@uSjWv~JuW(>FqoJ5^ho0%K?E z9?x_Q;kmcsQ@5=}z@tdljMSt9-Z3xn$k)kEjK|qXS>EfuDmu(Z8|(W?gY6-l z@R_#M8=vxKMAoi&PwnaIYw2COJM@atcgfr=zK1bvjW?9B`-+Voe$Q+H$j!1$Tjn+* z&LY<%)L@;zhnJlB^Og6I&BOR-m?{IW;tyYC%FZ!&Z>kGjHJ6cqM-F z&19n+e1=9AH1VrVeHrIzqlC`w9=*zfmrerF?JMzO&|Mmv;!4DKc(sp+jy^Dx?(8>1 zH&yS_4yL7m&GWX~mdfgH*AB4{CKo;+egw=PrvkTaoBU+P-4u?E|&!c z)DKc;>$$B6u*Zr1SjUh2)FeuWLWHl5TH(UHWkf zLs>7px!c5n;rbe^lO@qlYLzlDVp(z?6rPZel=YB)Uv&n!2{+Mb$-vQl=xKw( 
zve&>xYx+jW_NJh!FV||r?;hdP*jOXYcLCp>DOtJ?2S^)DkM{{Eb zS$!L$e_o0(^}n3tA1R3-$SNvgBq;DOEo}fNc|tB%%#g4RA3{|euq)p+xd3I8^4E&m zFrD%}nvG^HUAIKe9_{tXB;tl|G<%>yk6R;8L2)KUJw4yHJXUOPM>(-+jxq4R;z8H#>rnJy*)8N+$wA$^F zN+H*3t)eFEgxLw+Nw3};4WV$qj&_D`%ADV2%r zJCPCo%{=z7;`F98(us5JnT(G@sKTZ^;2FVitXyLe-S5(hV&Ium+1pIUB(CZ#h|g)u zSLJJ<@HgrDiA-}V_6B^x1>c9B6%~847JkQ!^KLZ2skm;q*edo;UA)~?SghG8;QbHh z_6M;ouo_1rq9=x$<`Y@EA{C%6-pEV}B(1#sDoe_e1s3^Y>n#1Sw;N|}8D|s|VPd+g z-_$QhCz`vLxxrVMx3ape1xu3*wjx=yKSlM~nFgkNWb4?DDr*!?U)L_VeffF<+!j|b zZ$Wn2$TDv3C3V@BHpSgv3JUif8%hk%OsGZ=OxH@8&4`bbf$`aAMchl^qN>Eyu3JH} z9-S!x8-s4fE=lad%Pkp8hAs~u?|uRnL48O|;*DEU! zuS0{cpk%1E0nc__2%;apFsTm0bKtd&A0~S3Cj^?72-*Owk3V!ZG*PswDfS~}2<8le z5+W^`Y(&R)yVF*tU_s!XMcJS`;(Tr`J0%>p=Z&InR%D3@KEzzI+-2)HK zuoNZ&o=wUC&+*?ofPb0a(E6(<2Amd6%uSu_^-<1?hsxs~0K5^f(LsGqgEF^+0_H=uNk9S0bb!|O8d?m5gQjUKevPaO+*VfSn^2892K~%crWM8+6 z25@V?Y@J<9w%@NXh-2!}SK_(X)O4AM1-WTg>sj1{lj5@=q&dxE^9xng1_z9w9DK>| z6Iybcd0e zyi;Ew!KBRIfGPGytQ6}z}MeXCfLY0?9%RiyagSp_D1?N&c{ zyo>VbJ4Gy`@Fv+5cKgUgs~na$>BV{*em7PU3%lloy_aEovR+J7TfQKh8BJXyL6|P8un-Jnq(ghd!_HEOh$zlv2$~y3krgeH;9zC}V3f`uDtW(%mT#944DQa~^8ZI+zAUu4U(j0YcDfKR$bK#gvn_{JZ>|gZ5+)u?T$w7Q%F^;!Wk?G z(le7r!ufT*cxS}PR6hIVtXa)i`d$-_1KkyBU>qmgz-=T};uxx&sKgv48akIWQ89F{ z0XiY?WM^~;|T8zBOr zs#zuOONzH?svv*jokd5SK8wG>+yMC)LYL|vLqm^PMHcT=`}V$=nIRHe2?h)8WQa6O zPAU}d`1y(>kZiP~Gr=mtJLMu`i<2CspL|q2DqAgAD^7*$xzM`PU4^ga`ilE134XBQ z99P(LhHU@7qvl9Yzg$M`+dlS=x^(m-_3t|h>S}E0bcFMn=C|KamQ)=w2^e)35p`zY zRV8X?d;s^>Cof2SPR&nP3E+-LCkS0J$H!eh8~k0qo$}00b=7!H_I2O+Ro@3O$nPdm ztmbOO^B+IHzQ5w>@@@J4cKw5&^_w6s!s=H%&byAbUtczPQ7}wfTqxxtQNfn*u73Qw zGuWsrky_ajPx-5`R<)6xHf>C(oqGf_Fw|-U*GfS?xLML$kv;h_pZ@Kk$y0X(S+K80 z6^|z)*`5VUkawg}=z`S;VhZhxyDfrE0$(PMurAxl~<>lfZa>JZ288ULK7D` zl9|#L^JL}Y$j*j`0-K6kH#?bRmg#5L3iB4Z)%iF@SqT+Lp|{i`m%R-|ZE94Np7Pa5 zCqC^V3}B(FR340pmF*qaa}M}+h6}mqE~7Sh!9bDv9YRT|>vBNAqv09zXHMlcuhKD| zcjjA(b*XCIwJ33?CB!+;{)vX@9xns_b-VO{i0y?}{!sdXj1GM8+$#v>W7nw;+O_9B z_{4L;C6ol?(?W0<6taGEn1^uG=?Q3i29sE`RfYCaV$3DKc_;?HsL?D_fSYg}SuO5U 
zOB_f4^vZ_x%o`5|C@9C5+o=mFy@au{s)sKw!UgC&L35aH(sgDxRE2De%(%OT=VUdN ziVLEmdOvJ&5*tCMKRyXctCwQu_RH%;m*$YK&m;jtbdH#Ak~13T1^f89tn`A%QEHWs~jnY~E}p_Z$XC z=?YXLCkzVSK+Id`xZYTegb@W8_baLt-Fq`Tv|=)JPbFsKRm)4UW;yT+J`<)%#ue9DPOkje)YF2fsCilK9MIIK>p*`fkoD5nGfmLwt)!KOT+> zOFq*VZktDDyM3P5UOg`~XL#cbzC}eL%qMB=Q5$d89MKuN#$6|4gx_Jt0Gfn8w&q}%lq4QU%6#jT*MRT% zrLz~C8FYKHawn-EQWN1B75O&quS+Z81(zN)G>~vN8VwC+e+y(`>HcxC{MrJ;H1Z4k zZWuv$w_F0-Ub%MVcpIc){4PGL^I7M{>;hS?;eH!;gmcOE66z3;Z1Phqo(t zVP(Hg6q#0gIKgsg7L7WE!{Y#1nI(45tx2{$34dDd#!Z0NIyrm)HOn5W#7;f4pQci# zDW!FI(g4e668kI9{2+mLwB+=#9bfqgX%!B34V-$wwSN(_cm*^{y0jQtv*4}eO^sOV z*9xoNvX)c9isB}Tgx&ZRjp3kwhTVK?r9;n!x>^XYT z@Q^7zp{rkIs{2mUSE^2!Gf6$6;j~&4=-0cSJJDizZp6LTe8b45;{AKM%v99}{{FfC zz709%u0mC=1KXTo(=TqmZQ;c?$M3z(!xah>aywrj40sc2y3rKFw4jCq+Y+u=CH@_V zxz|qeTwa>+<|H%8Dz5u>ZI5MmjTFwXS-Fv!TDd*`>3{krWoNVx$<133`(ftS?ZPyY z&4@ah^3^i`vL$BZa>O|Nt?ucewzsF)0zX3qmM^|waXr=T0pfIb0*$AwU=?Ipl|1Y; z*Pk6{C-p4MY;j@IJ|DW>QHZQJcp;Z~?8(Q+Kk3^0qJ}SCk^*n4W zu9ZFwLHUx-$6xvaQ)SUQcYd6fF8&x)V`1bIuX@>{mE$b|Yd(qomn3;bPwnDUc0F=; zh*6_((%bqAYQWQ~odER?h>1mkL4kpb3s7`0m@rDKGU*oyF)$j~Ffd4fXV$?`f~rHf zB%Y)@5SXZvfwm10RY5X?TEo)PK_`L6qgBp=#>fO49$D zDq8Ozj0q6213tV5Qq=;fZ0$|KroY{Dz=l@lU^J)?Ko@ti20TRplXzphBi>XGx4bou zEWrkNjz0t5j!_ke{g5I#PUlEU$Km8g8TE|XK=MkU@PT4T><2OVamoK;wJ}3X0L$vX zgd7gNa359*nc)R-0!`2X@FOTB`+oETOPc=ubp5R)VQgY+5BTZZJ2?9QwnO=dnulIUF3gFn;BODC2)65)HeVd%t86sL7Rv^Y+nbn+&l z6BAJY(ETvwI)Ts$aiE8rht4KD*qNyE{8{x6R|%akbTBzw;2+6Echkt+W+`u^XX z_z&x%n '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. 
+MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. + +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. 
+ +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradlew.bat b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradlew.bat new file mode 100644 index 000000000..25da30dbd --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/settings.gradle b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/settings.gradle new file mode 100644 index 000000000..733fda690 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/settings.gradle @@ -0,0 +1,8 @@ +pluginManagement { + repositories { + mavenCentral() + gradlePluginPortal() + maven { url 'https://repo.spring.io/milestone' } + maven { url "https://repo.spring.io/snapshot" } + } +} diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java new file mode 100644 index 000000000..a3b4cf818 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java 
@@ -0,0 +1,29 @@
+/*
+ * Copyright 2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.example.magiclink;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class MagicLinkApplication {
+
+ public static void main(String[] args) {
+ SpringApplication.run(MagicLinkApplication.class, args);
+ }
+
+}
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java
new file mode 100644
index 000000000..08c318ac0
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.example.magiclink;
+
+import java.io.IOException;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.security.authentication.ott.OneTimeToken;
+import org.springframework.security.web.DefaultRedirectStrategy;
+import org.springframework.security.web.RedirectStrategy;
+import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;
+import org.springframework.stereotype.Component;
+
+@Component
+public class MagicLinkOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
+
+ private final MailSender mailSender;
+
+ private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
+
+ public MagicLinkOneTimeTokenGenerationSuccessHandler(MailSender mailSender) {
+ this.mailSender = mailSender;
+ }
+
+ @Override
+ public void handle(HttpServletRequest request, HttpServletResponse response, OneTimeToken oneTimeToken)
+ throws IOException, ServletException {
+ this.mailSender.send("johndoe@example.com", "Your token",
+ "Please enter this token " + oneTimeToken.getTokenValue());
+ this.redirectStrategy.sendRedirect(request, response, "/login/ott");
+ }
+
+}
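Review bot: `handle` e-mails every generated token to the hard-coded `johndoe@example.com`, so the second factor is delivered to a fixed mailbox rather than to the account that just completed form login; for anyone other than that address the MFA step cannot be finished, and for that address it can be finished by anyone who reads the mailbox. The recipient should be derived from the token's subject, `oneTimeToken.getUsername()`, by looking up the registered address in the user store, with a comment making the demo shortcut explicit, e.g. `// Demo only: resolve the recipient from oneTimeToken.getUsername() in real use`. The redirect target `"/login/ott"` is also worth a one-line comment saying it is the page where the emailed token is entered, since nothing in this class ties the two together.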
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MailSender.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MailSender.java
new file mode 100644
index 000000000..24e51f0da
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MailSender.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.example.magiclink;
+
+import org.springframework.mail.SimpleMailMessage;
+import org.springframework.mail.javamail.JavaMailSender;
+import org.springframework.stereotype.Service;
+
+@Service("myMailSender")
+public class MailSender {
+
+ private final JavaMailSender mailSender;
+
+ public MailSender(JavaMailSender mailSender) {
+ this.mailSender = mailSender;
+ }
+
+ public void send(String to, String subject, String text) {
+ SimpleMailMessage message = new SimpleMailMessage();
+ message.setFrom("noreply@example.com");
+ message.setTo(to);
+ message.setSubject(subject);
+ message.setText(text);
+ this.mailSender.send(message);
+ }
+
+}
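Review bot: The class is named `MailSender` while wrapping Spring's `JavaMailSender`, so it shadows the `org.springframework.mail.MailSender` interface a reader will expect under that name; a sample-specific name such as `MagicLinkMailer` would avoid the collision. The explicit bean name in `@Service("myMailSender")` is presumably there to stay clear of Boot's auto-configured `mailSender` bean, and that deserves a comment, e.g. `// Named to avoid clashing with Boot's auto-configured "mailSender" JavaMailSender bean`. `send` should carry a one-line Javadoc stating that it sends a plain-text message from the fixed `noreply@example.com` address, which is the other hard-coded value a user of the sample will need to change.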
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java
new file mode 100644
index 000000000..28fabb95c
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java
@@ -0,0 +1,63 @@ +/* + * Copyright 2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.example.magiclink; + +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.GetMapping; + +@Configuration(proxyBeanMethods = false) +@EnableWebSecurity +public class SecurityConfig { + + @Controller + static class FormLoginController { + @GetMapping("/login") + String login() { + return "login"; + } + } + + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + // @formatter:off + http + .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated()) + .formLogin((form) -> form.grants("ott:read")) + .oneTimeTokenLogin((ott) -> ott.needs("ott:read").authenticates()); + // @formatter:on + return http.build(); + } + + @Bean + InMemoryUserDetailsManager userDetailsService() { + UserDetails 
user = User.withDefaultPasswordEncoder() + .username("user") + .password("password") + .roles("USER") + .build(); + return new InMemoryUserDetailsManager(user); + } + +} diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml new file mode 100644 index 000000000..cd1f80e4c --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml @@ -0,0 +1,13 @@ +spring: + application: + name: magiclink + mail: + port: 1025 + host: localhost + docker: + compose: + readiness: + wait: never # for some reason it does not detect whether maildev is ready + file: ./compose.yml + +logging.level.org.springframework.security: TRACE diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/static/css/default-ui.css b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/static/css/default-ui.css new file mode 100644 index 000000000..ec3d42bda --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/static/css/default-ui.css 
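Review bot: `userDetailsService` builds the only account with `User.withDefaultPasswordEncoder()` and a literal `"password"`, which Spring Security documents as a demo-only API because the credential sits in source; a comment on that line such as `// Demo only: withDefaultPasswordEncoder() keeps the sample password in source` would stop it being copied into real configurations. The `form.grants("ott:read")` / `ott.needs("ott:read").authenticates()` pairing is the whole point of the sample, yet `securityFilterChain` says nothing about it — a short comment stating that, as the names suggest, form login grants the authority the one-time-token step requires and the token step completes authentication would make the flow legible. As a point of style, the `FormLoginController` nested inside the configuration class mixes view routing with filter-chain setup; a top-level controller class would read more clearly.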
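Review bot: `logging.level.org.springframework.security: TRACE` enables the most verbose security logging with nothing marking it as a sample setting; trace output may carry request and principal details, so a trailing comment like `# sample only: TRACE shows every filter decision; do not ship this level` would make the intent explicit. The `wait: never` line is explained only by "for some reason it does not detect whether maildev is ready", which leaves a reader unable to tell whether the workaround is still needed; stating what was observed (for example, which readiness check failed) would let it be revisited.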
@@ -0,0 +1,172 @@ +/* + * Copyright 2002-2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* General layout */ +body { + font-family: system-ui, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif; + background-color: #eee; + padding: 40px 0; + margin: 0; + line-height: 1.5; +} + +h2 { + margin-top: 0; + margin-bottom: 0.5rem; + font-size: 2rem; + font-weight: 500; + line-height: 2rem; +} + +.content { + margin-right: auto; + margin-left: auto; + padding-right: 15px; + padding-left: 15px; + width: 100%; + box-sizing: border-box; +} + +@media (min-width: 800px) { + .content { + max-width: 760px; + } +} + +.v-middle { + vertical-align: middle; +} + +.center { + text-align: center; +} + +.no-margin { + margin: 0; +} + +/* Components */ +a, +a:visited { + text-decoration: none; + color: #06f; +} + +a:hover { + text-decoration: underline; + color: #003c97; +} + +input[type="text"], +input[type="password"] { + height: auto; + width: 100%; + font-size: 1rem; + padding: 0.5rem; + box-sizing: border-box; +} + +button { + padding: 0.5rem 1rem; + font-size: 1.25rem; + line-height: 1.5; + border: none; + border-radius: 0.1rem; + width: 100%; + cursor: pointer; +} + +button.primary { + color: #fff; + background-color: #06f; +} + +button.small { + padding: .25rem .5rem; + font-size: .875rem; + line-height: 1.5; +} + +.alert { + padding: 0.75rem 1rem; + margin-bottom: 1rem; + line-height: 1.5; + border-radius: 0.1rem; + 
width: 100%; + box-sizing: border-box; + border-width: 1px; + border-style: solid; +} + +.alert.alert-danger { + color: #6b1922; + background-color: #f7d5d7; + border-color: #eab6bb; +} + +.alert.alert-success { + color: #145222; + background-color: #d1f0d9; + border-color: #c2ebcb; +} + +.screenreader { + position: absolute; + clip: rect(0 0 0 0); + height: 1px; + width: 1px; + padding: 0; + border: 0; + overflow: hidden; +} + +table { + width: 100%; + max-width: 100%; + margin-bottom: 2rem; + border-collapse: collapse; +} + +.table-striped th { + padding: .75rem; +} + +.table-striped tr:nth-of-type(2n + 1) { + background-color: #e1e1e1; +} + +.table-striped > thead > tr:first-child { + background-color: inherit; +} + +td { + padding: 0.75rem; + vertical-align: top; +} + +tr.v-middle > td { + vertical-align: middle; +} + +/* Login / logout layouts */ +.login-form, +.logout-form, +.default-form { + max-width: 340px; + padding: 0 15px 15px 15px; + margin: 0 auto 2rem auto; + box-sizing: border-box; +} diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/index.html b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/index.html new file mode 100644 index 000000000..8457ea1d1 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/index.html @@ -0,0 +1,20 @@ + + + + Hello Spring Security + + + +
+ Logged in user: | + Roles: +
+
+ +
+
+
+

Hello Spring Security

+

This is a secured page

+ + diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html new file mode 100644 index 000000000..9d4aa10d6 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html @@ -0,0 +1,29 @@ + + + + + + + + Please sign in + + + +
+ +
+ + \ No newline at end of file diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/org/example/magiclink/MagicLinkApplicationTests.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/org/example/magiclink/MagicLinkApplicationTests.java new file mode 100644 index 000000000..fbde7025f --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/org/example/magiclink/MagicLinkApplicationTests.java 
@@ -0,0 +1,80 @@
+/*
+ * Copyright 2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.example.magiclink;
+
+import com.icegreen.greenmail.junit5.GreenMailExtension;
+import com.icegreen.greenmail.util.GreenMailUtil;
+import com.icegreen.greenmail.util.ServerSetupTest;
+import jakarta.mail.internet.MimeMessage;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.util.UriComponents;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
+import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
+import static 
org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@AutoConfigureMockMvc
+class MagicLinkApplicationTests {
+
+ @RegisterExtension
+ static GreenMailExtension greenMail = new GreenMailExtension(ServerSetupTest.SMTP);
+
+ @Autowired
+ MockMvc mockMvc;
+
+ @Test
+ void ottLoginWhenUserExistsThenSendEmailAndAuthenticate() throws Exception {
+ this.mockMvc.perform(post("/ott/generate").param("username", "user").with(csrf()))
+ .andExpectAll(status().isFound(), redirectedUrl("/ott/sent"));
+
+ greenMail.waitForIncomingEmail(1);
+ MimeMessage receivedMessage = greenMail.getReceivedMessages()[0];
+ String content = GreenMailUtil.getBody(receivedMessage);
+ String url = content.split(": ")[1];
+ UriComponents uriComponents = UriComponentsBuilder.fromUriString(url).build();
+ String token = uriComponents.getQueryParams().get("token").get(0);
+
+ assertThat(token).isNotEmpty();
+
+ this.mockMvc.perform(post("/login/ott").param("token", token).with(csrf()))
+ .andExpectAll(status().isFound(), redirectedUrl("/"), authenticated());
+ }
+
+ @Test
+ void ottLoginWhenInvalidTokenThenFails() throws Exception {
+ this.mockMvc.perform(post("/ott/generate").param("username", "user").with(csrf()))
+ .andExpectAll(status().isFound(), redirectedUrl("/ott/sent"));
+
+ String token = "1234;";
+
+ this.mockMvc.perform(post("/login/ott").param("token", token).with(csrf()))
+ .andExpectAll(status().isFound(), redirectedUrl("/login?error"), unauthenticated());
+ }
+
+}
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/resources/application.yml b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/resources/application.yml
new file mode 100644
index 000000000..20f8e0227
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/resources/application.yml
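Review bot: `greenMail.waitForIncomingEmail(1)` returns a boolean that is false on timeout and the test discards it, so a slow or missing mail surfaces as an `ArrayIndexOutOfBoundsException` on the `getReceivedMessages()[0]` line instead of a readable failure; `assertThat(greenMail.waitForIncomingEmail(1)).isTrue();` names the problem. The same fragility applies to `content.split(": ")[1]`, which assumes the mail body has the form `<text>: <url>` with a `token` query parameter; the handler text visible later in this series, `"Please enter this token " + oneTimeToken.getTokenValue()`, contains neither `: ` nor a URL, so if that is already the body at this commit the first test cannot pass as written, which is worth confirming. Whether a lone POST to `/login/ott` should end `authenticated()` under the form-then-token ordering configured in `SecurityConfig` is not something the hunk shows, so the expected redirect to `/` may also need revisiting once the ordering is enforced.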
@@ -0,0 +1,6 @@
+spring:
+ config:
+ import: classpath:application.yml
+ mail:
+ port: 3025
+ host: localhost
diff --git a/settings.gradle b/settings.gradle
index a5db7a077..ce164110e 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -53,6 +53,7 @@ include ":servlet:spring-boot:java:aot:data"
 include ":servlet:spring-boot:java:authentication:username-password:user-details-service:custom-user"
 include ":servlet:spring-boot:java:authentication:username-password:mfa"
 include ":servlet:spring-boot:java:authentication:mfa:x509+formLogin"
+include ":servlet:spring-boot:java:authentication:mfa:formLogin+ott"
 include ":servlet:spring-boot:java:authentication:username-password:compromised-password-checker"
 include ":servlet:spring-boot:java:authentication:one-time-token:magic-link"
 include ":servlet:spring-boot:java:data"
From 8422288e84d800c5085e1c7248e5db207ac38525 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Tue, 29 Jul 2025 16:34:14 -0600
Subject: [PATCH 03/21] Update to Latest
---
 .../org/example/magiclink/SecurityConfig.java | 14 +-
 .../src/main/java/example/MfaApplication.java | 7 -
 .../src/main/java/example/SecurityConfig.java | 13 +-
 .../main/resources/static/css/default-ui.css | 172 ------------------
 .../src/main/resources/templates/login.html | 29 ---
 5 files changed, 5 insertions(+), 230 deletions(-)
 delete mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/static/css/default-ui.css
 delete mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/templates/login.html
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java
index 28fabb95c..0c8bb4260 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java
@@ -24,28 +24,18 @@
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.GetMapping;
 @Configuration(proxyBeanMethods = false)
 @EnableWebSecurity
 public class SecurityConfig {
- @Controller
- static class FormLoginController {
- @GetMapping("/login")
- String login() {
- return "login";
- }
- }
-
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 // @formatter:off
 http
 .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
- .formLogin((form) -> form.grants("ott:read"))
- .oneTimeTokenLogin((ott) -> ott.needs("ott:read").authenticates());
+ .formLogin((form) -> form.order(1))
+ .oneTimeTokenLogin((ott) -> ott.order(2));
 // @formatter:on
 return http.build();
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/MfaApplication.java b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/MfaApplication.java
index 09cbe28a4..37b0fc765 100644
--- a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/MfaApplication.java
+++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/MfaApplication.java
@@ -18,8 +18,6 @@
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.GetMapping;
 /**
 * Hello Security application.
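Review bot: Removing `FormLoginController` leaves the formLogin+ott `login.html` template with nothing that renders it: this commit's diffstat deletes only the x509+formLogin copies of `login.html` and `default-ui.css`, and the chain here configures no `loginPage()`, so the template is unused until a later commit in the series maps `/login/form` to it. Deleting it here together with the controller, or saying in the commit message that it is kept for the upcoming custom-pages sample, keeps this intermediate commit coherent. The parallel removals in this commit (the x509 sample's `LoginController` and its `PathRequest` matcher) are consistent with the templates and stylesheet they drop.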
@@ -33,9 +31,4 @@ public static void main(String[] args) {
 SpringApplication.run(MfaApplication.class, args);
 }
- @Controller
- static class LoginController {
- @GetMapping("/login")
- String login() { return "login"; }
- }
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java
index d7ba54d90..6217cbf44 100644
--- a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java
@@ -16,7 +16,6 @@
 package example;
-import org.springframework.boot.security.autoconfigure.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -32,15 +31,9 @@ public class SecurityConfig {
 SecurityFilterChain web(HttpSecurity http) throws Exception {
 // @formatter:off
 http
- .authorizeHttpRequests((authorize) -> authorize
- .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
- .anyRequest().authenticated())
- .x509((x509) -> x509.grants("form:read"))
- .formLogin((form) -> form
- .loginPage("/login")
- .needs("form:read")
- .authenticates()
- );
+ .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
+ .x509((x509) -> x509.order(1))
+ .formLogin((form) -> form.order(2));
 // @formatter:on
 return http.build();
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/static/css/default-ui.css b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/static/css/default-ui.css
deleted file mode 100644
index ec3d42bda..000000000
--- a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/static/css/default-ui.css +++ /dev/null 
@@ -1,172 +0,0 @@ -/* - * Copyright 2002-2024 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/* General layout */ -body { - font-family: system-ui, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif; - background-color: #eee; - padding: 40px 0; - margin: 0; - line-height: 1.5; -} - -h2 { - margin-top: 0; - margin-bottom: 0.5rem; - font-size: 2rem; - font-weight: 500; - line-height: 2rem; -} - -.content { - margin-right: auto; - margin-left: auto; - padding-right: 15px; - padding-left: 15px; - width: 100%; - box-sizing: border-box; -} - -@media (min-width: 800px) { - .content { - max-width: 760px; - } -} - -.v-middle { - vertical-align: middle; -} - -.center { - text-align: center; -} - -.no-margin { - margin: 0; -} - -/* Components */ -a, -a:visited { - text-decoration: none; - color: #06f; -} - -a:hover { - text-decoration: underline; - color: #003c97; -} - -input[type="text"], -input[type="password"] { - height: auto; - width: 100%; - font-size: 1rem; - padding: 0.5rem; - box-sizing: border-box; -} - -button { - padding: 0.5rem 1rem; - font-size: 1.25rem; - line-height: 1.5; - border: none; - border-radius: 0.1rem; - width: 100%; - cursor: pointer; -} - -button.primary { - color: #fff; - background-color: #06f; -} - -button.small { - padding: .25rem .5rem; - font-size: .875rem; - line-height: 1.5; -} - -.alert { - padding: 0.75rem 1rem; - margin-bottom: 1rem; - line-height: 1.5; - border-radius: 0.1rem; - 
width: 100%; - box-sizing: border-box; - border-width: 1px; - border-style: solid; -} - -.alert.alert-danger { - color: #6b1922; - background-color: #f7d5d7; - border-color: #eab6bb; -} - -.alert.alert-success { - color: #145222; - background-color: #d1f0d9; - border-color: #c2ebcb; -} - -.screenreader { - position: absolute; - clip: rect(0 0 0 0); - height: 1px; - width: 1px; - padding: 0; - border: 0; - overflow: hidden; -} - -table { - width: 100%; - max-width: 100%; - margin-bottom: 2rem; - border-collapse: collapse; -} - -.table-striped th { - padding: .75rem; -} - -.table-striped tr:nth-of-type(2n + 1) { - background-color: #e1e1e1; -} - -.table-striped > thead > tr:first-child { - background-color: inherit; -} - -td { - padding: 0.75rem; - vertical-align: top; -} - -tr.v-middle > td { - vertical-align: middle; -} - -/* Login / logout layouts */ -.login-form, -.logout-form, -.default-form { - max-width: 340px; - padding: 0 15px 15px 15px; - margin: 0 auto 2rem auto; - box-sizing: border-box; -} diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/templates/login.html b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/templates/login.html deleted file mode 100644 index 9d4aa10d6..000000000 --- a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/resources/templates/login.html +++ /dev/null @@ -1,29 +0,0 @@ - - - - - - - - Please sign in - - - -
- -
- -
\ No newline at end of file
From d9241a0e4d218c811fee37d80cc4dceb977b8f1f Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Tue, 5 Aug 2025 09:15:58 -0600
Subject: [PATCH 04/21] Update to Latest DSL changes
---
 .../src/main/java/org/example/magiclink/SecurityConfig.java | 4 ++--
 .../x509+formLogin/src/main/java/example/SecurityConfig.java | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java
index 0c8bb4260..46c9ad7f1 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java
@@ -34,8 +34,8 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 // @formatter:off
 http
 .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
- .formLogin((form) -> form.order(1))
- .oneTimeTokenLogin((ott) -> ott.order(2));
+ .formLogin((form) -> form.factor(1))
+ .oneTimeTokenLogin((ott) -> ott.factor(2));
 // @formatter:on
 return http.build();
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java
index 6217cbf44..a3e62bbc2 100644
--- a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java
@@ -32,8 +32,8 @@ SecurityFilterChain web(HttpSecurity http) throws Exception {
 // @formatter:off
 http
 .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
- .x509((x509) -> x509.order(1))
- .formLogin((form) -> form.order(2));
+ .x509((x509) -> x509.factor(1))
+ .formLogin((form) -> form.factor(2));
 // @formatter:on
 return http.build();
 }
From a9482fa6fbe567cc4e6f6c458788d3e9b65ed064 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Mon, 11 Aug 2025 15:58:45 -0600
Subject: [PATCH 05/21] Simplify TokenGenerationSuccssHandler
- Removing boilerplate to add focus
---
 ...kOneTimeTokenGenerationSuccessHandler.java | 23 ++++++-----
 .../org/example/magiclink/MailSender.java | 41 -------------------
 2 files changed, 12 insertions(+), 52 deletions(-)
 delete mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MailSender.java
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java
index 08c318ac0..24fd7dfe3 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java
@@ -18,33 +18,34 @@
 import java.io.IOException;
-import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.mail.SimpleMailMessage;
+import org.springframework.mail.javamail.JavaMailSender;
 import org.springframework.security.authentication.ott.OneTimeToken;
-import org.springframework.security.web.DefaultRedirectStrategy;
-import org.springframework.security.web.RedirectStrategy;
 import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;
 import org.springframework.stereotype.Component;
 @Component
 public class MagicLinkOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
- private final MailSender mailSender;
+ private final JavaMailSender mailSender;
- private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
-
- public MagicLinkOneTimeTokenGenerationSuccessHandler(MailSender mailSender) {
+ public MagicLinkOneTimeTokenGenerationSuccessHandler(JavaMailSender mailSender) {
 this.mailSender = mailSender;
 }
 @Override
 public void handle(HttpServletRequest request, HttpServletResponse response, OneTimeToken oneTimeToken)
- throws IOException, ServletException {
- this.mailSender.send("johndoe@example.com", "Your token",
- "Please enter this token " + oneTimeToken.getTokenValue());
- this.redirectStrategy.sendRedirect(request, response, "/login/ott");
+ throws IOException {
+ SimpleMailMessage message = new SimpleMailMessage();
+ message.setFrom("noreply@example.com");
+ message.setTo("johndoe@example.com");
+ message.setSubject("Your token");
+ message.setText("Please enter this token " + oneTimeToken.getTokenValue());
+ this.mailSender.send(message);
+ response.sendRedirect("/login/ott");
 }
 }
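Review bot: `response.sendRedirect("/login/ott")` drops the context-path handling that the removed `DefaultRedirectStrategy` call provided, so when the app is deployed under a non-root context path the redirect lands on the server root instead of the app; `response.sendRedirect(request.getContextPath() + "/login/ott");` keeps the previous behaviour with one line. The recipient is also fixed to `johndoe@example.com` regardless of which user requested the token, which is acceptable in a sample but should be stated, e.g. `// sample only: a real handler resolves the address for oneTimeToken.getUsername()`. Since the token value is mailed in plain text, the comment could also note that the sample relies on the local mail host configured in application.yml.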
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MailSender.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MailSender.java deleted file mode 100644 index 24e51f0da..000000000 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MailSender.java +++ /dev/null @@ -1,41 +0,0 @@ -/* - * Copyright 2024 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.example.magiclink; - -import org.springframework.mail.SimpleMailMessage; -import org.springframework.mail.javamail.JavaMailSender; -import org.springframework.stereotype.Service; - -@Service("myMailSender") -public class MailSender { - - private final JavaMailSender mailSender; - - public MailSender(JavaMailSender mailSender) { - this.mailSender = mailSender; - } - - public void send(String to, String subject, String text) { - SimpleMailMessage message = new SimpleMailMessage(); - message.setFrom("noreply@example.com"); - message.setTo(to); - message.setSubject(subject); - message.setText(text); - this.mailSender.send(message); - } - -} From 4b51da877bf31467cf45e9d220009556448098b9 Mon Sep 17 00:00:00 2001 
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Mon, 11 Aug 2025 15:58:56 -0600
Subject: [PATCH 06/21] Update to Latest
---
 .../src/main/java/org/example/magiclink/SecurityConfig.java | 5 +++--
 .../x509+formLogin/src/main/java/example/SecurityConfig.java | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java
index 46c9ad7f1..185c6626d 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java
@@ -18,6 +18,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
@@ -34,8 +35,8 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 // @formatter:off
 http
 .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
- .formLogin((form) -> form.factor(1))
- .oneTimeTokenLogin((ott) -> ott.factor(2));
+ .formLogin((form) -> form.factor(Customizer.withDefaults()))
+ .oneTimeTokenLogin((ott) -> ott.factor(Customizer.withDefaults()));
 // @formatter:on
 return http.build();
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java
index a3e62bbc2..5d6a44172 100644
--- a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java
@@ -18,6 +18,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -32,8 +33,8 @@ SecurityFilterChain web(HttpSecurity http) throws Exception {
 // @formatter:off
 http
 .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
- .x509((x509) -> x509.factor(1))
- .formLogin((form) -> form.factor(2));
+ .x509((x509) -> x509.factor(Customizer.withDefaults()))
+ .formLogin((form) -> form.factor(Customizer.withDefaults()));
 // @formatter:on
 return http.build();
 }
From cb1b716ff06ec5dde9422dc06de37e8e578fe885 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Wed, 13 Aug 2025 15:43:11 -0600
Subject: [PATCH 07/21] Moved to Use Profiles
---
 ...Config.java => DefaultSecurityConfig.java} | 18 +++------------
 .../magiclink/MagicLinkApplication.java | 23 +++++++++++++++++++
 2 files changed, 26 insertions(+), 15 deletions(-)
 rename servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/{SecurityConfig.java => DefaultSecurityConfig.java} (70%)
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java
similarity index 70%
rename from servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java
rename to servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java
index 185c6626d..533559cb6 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/SecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java
@@ -18,17 +18,14 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
+@Profile("default")
 @Configuration(proxyBeanMethods = false)
-@EnableWebSecurity
-public class SecurityConfig {
+class DefaultSecurityConfig {
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
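Review bot: `DefaultSecurityConfig` carries no class comment now that it is one of several profile-selected configurations in this package, so a reader opening it cannot tell when it applies without checking the other classes. A one-line Javadoc above `@Profile("default")` such as `/** Security configuration for the {@code default} profile: form login as the first factor and a one-time token as the second, with no custom login pages configured. */` would cover it. The method body continues in the next hunk, so the filter-chain lines themselves are outside this one.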
@@ -41,14 +38,5 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 return http.build();
 }
- @Bean
- InMemoryUserDetailsManager userDetailsService() {
- UserDetails user = User.withDefaultPasswordEncoder()
- .username("user")
- .password("password")
- .roles("USER")
- .build();
- return new InMemoryUserDetailsManager(user);
- }
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java
index a3b4cf818..3664b1244 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java
@@ -18,6 +18,12 @@
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
 @SpringBootApplication
 public class MagicLinkApplication {
@@ -26,4 +32,21 @@ public static void main(String[] args) {
 SpringApplication.run(MagicLinkApplication.class, args);
 }
+ @Controller
+ static class AppController {
+ @GetMapping("/profile")
+ String profile() {
+ return "profile";
+ }
+ }
+
+ @Bean
+ InMemoryUserDetailsManager userDetailsService() {
+ UserDetails user = User.withDefaultPasswordEncoder()
+ .username("user")
+ .password("password")
+ .roles("USER")
+ .build();
+ return new InMemoryUserDetailsManager(user);
+ }
 }
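Review bot: `AppController.profile()` returns the view name `profile`, but this commit's diffstat adds no `profile.html`; the template first appears in the later "Add Step-Up Privilege Sample" commit, so at this commit `GET /profile` resolves to a missing template unless one already exists outside the series. Moving the controller into the commit that adds the template keeps each commit runnable on its own. `userDetailsService()` uses `User.withDefaultPasswordEncoder()`, whose deprecation is there to flag that the credential lives in source; a comment such as `// demo only: credential is in source, not for production configuration` tells readers of the sample why the warning is accepted.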
From 4c5ff612a8dab51490bbe019f816a39e9565034c Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Wed, 13 Aug 2025 15:43:35 -0600
Subject: [PATCH 08/21] Add Custom Pages Sample
---
 .../magiclink/CustomPagesSecurityConfig.java | 46 +++++++++++++++++++
 .../src/main/resources/templates/login.html | 4 +-
 .../src/main/resources/templates/ott.html | 25 ++++++++++
 3 files changed, 73 insertions(+), 2 deletions(-)
 create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java
 create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/ott.html
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java
new file mode 100644
index 000000000..79d2726d7
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java
@@ -0,0 +1,46 @@
+package org.example.magiclink;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Profile("custom-pages")
+@Configuration(proxyBeanMethods = false)
+public class CustomPagesSecurityConfig {
+
+ @Controller
+ @Profile("custom-pages")
+ static class LoginController {
+ @GetMapping("/login/form")
+ public String login() {
+ return "login";
+ }
+
+ @GetMapping("/login/ott")
+ public String ott() {
+ return "ott";
+ }
+ }
+
+ @Bean
+ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+ // @formatter:off
+ http
+ .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
+ .formLogin((form) -> form
+ .loginPage("/login/form").permitAll()
+ .factor(Customizer.withDefaults())
+ )
+ .oneTimeTokenLogin((ott) -> ott
+ .loginPage("/login/ott").permitAll()
+ .factor(Customizer.withDefaults())
+ );
+ // @formatter:on
+ return http.build();
+ }
+}
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html
index 9d4aa10d6..7ce9bfe3e 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html
@@ -6,11 +6,11 @@ Please sign in - +
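Review bot: `CustomPagesSecurityConfig` carries no class-level or method-level comment, so nothing explains what the `custom-pages` profile demonstrates or why the nested `LoginController` repeats `@Profile("custom-pages")` when the enclosing `@Configuration` is already gated by that profile. A Javadoc on the class such as `/** Active under the "custom-pages" profile: both factors are required and each is served by its own Thymeleaf page (/login/form, /login/ott). */` would do, and a comment on the controller along the lines of `// Repeated so the controller is only registered under this profile` — hedged, since whether component scanning would otherwise pick up the nested static class on its own is not shown here. The two `.loginPage(...).permitAll()` calls are the only unauthenticated routes this chain opens, which is worth stating explicitly for anyone copying the configuration into an application with more endpoints.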
- + + \ No newline at end of file From 5e60e27a5eeb41ab21f72ca65cbe4f96803322da Mon Sep 17 00:00:00 2001 From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Wed, 13 Aug 2025 15:43:54 -0600 Subject: [PATCH 09/21] Add Step-Up Privilege Sample --- .../ElevatedSecurityPageSecurityConfig.java | 63 +++++++++++++++++++ .../src/main/resources/templates/profile.html | 16 +++++ 2 files changed, 79 insertions(+) create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/profile.html diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java new file mode 100644 index 000000000..4cf69f4ba --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java 
@@ -0,0 +1,63 @@ +package org.example.magiclink; + +import java.time.Duration; + +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; +import org.springframework.http.HttpMethod; +import org.springframework.security.config.Customizer; +import org.springframework.security.config.annotation.SecurityConfigurerAdapter; +import org.springframework.security.config.annotation.web.HttpSecurityBuilder; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configurers.MfaConfigurer; +import org.springframework.security.web.DefaultSecurityFilterChain; +import org.springframework.security.web.SecurityFilterChain; +import org.springframework.security.web.authentication.AuthenticationFilter; +import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; +import org.springframework.security.web.context.HttpSessionSecurityContextRepository; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.GetMapping; + +import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern; + +@Profile("elevated-security") +@Configuration(proxyBeanMethods = false) +public class ElevatedSecurityPageSecurityConfig { + + @Controller + @Profile("elevated-security") + static class LoginController { + @GetMapping("/login/form") + public String login() { + return "login"; + } + + @GetMapping("/login/ott") + public String ott() { + return "ott"; + } + } + + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + // @formatter:off + http + .authorizeHttpRequests((authz) -> authz + .requestMatchers("/profile").hasAuthority("profile:read") + .anyRequest().authenticated() + ) + .formLogin((form) -> form + .loginPage("/login/form").permitAll() + .factor((f) -> 
f.grants(Duration.ofMinutes(1), "profile:read")) + ) + .oneTimeTokenLogin((ott) -> ott + .loginPage("/login/ott").permitAll() + .factor(Customizer.withDefaults()) + ); + + // @formatter:on + return http.build(); + } + +} diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/profile.html b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/profile.html new file mode 100644 index 000000000..e60f88f84 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/profile.html @@ -0,0 +1,16 @@ + + + + + + + + Please sign in + + + +
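Review bot: Most of the imports in `ElevatedSecurityPageSecurityConfig` are unused: `HttpMethod`, `SecurityConfigurerAdapter`, `HttpSecurityBuilder`, `MfaConfigurer`, `DefaultSecurityFilterChain`, `AuthenticationFilter`, `LoginUrlAuthenticationEntryPoint`, `HttpSessionSecurityContextRepository` and the static `pathPattern` import are never referenced in the 63 added lines and read like leftovers from an earlier draft; drop them. The step-up rule itself is undocumented where it is expressed: `.factor((f) -> f.grants(Duration.ofMinutes(1), "profile:read"))` needs a comment such as `// A fresh password login grants profile:read for one minute; afterwards /profile requires logging in again`, because that window is the whole point of the `elevated-security` profile and is otherwise invisible. Since `hasAuthority("profile:read")` on `/profile` does not mention which factor produces it, it is also worth noting that the OTT factor alone never unlocks the page under this configuration.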
+

This is a page that requires elevated security

+
+ + \ No newline at end of file From 2f9b54508a3bbd2fa638165fa10af9f1d518b66f Mon Sep 17 00:00:00 2001 
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Wed, 13 Aug 2025 16:41:30 -0600 Subject: [PATCH 10/21] Add X.509 + WebAuthn Sample --- .../mfa/x509+webauthn/README.adoc | 64 +++++ .../mfa/x509+webauthn/build.gradle | 32 +++ .../mfa/x509+webauthn/etc/add-to-keystore | 44 ++++ .../mfa/x509+webauthn/etc/add-to-truststore | 38 +++ .../mfa/x509+webauthn/etc/api-keystore.p12 | Bin 0 -> 4338 bytes .../mfa/x509+webauthn/etc/api-truststore.p12 | Bin 0 -> 3062 bytes .../mfa/x509+webauthn/etc/ca.crt | 30 +++ .../mfa/x509+webauthn/etc/ca.key | 52 ++++ .../mfa/x509+webauthn/etc/ca.pem | 30 +++ .../mfa/x509+webauthn/etc/ca.srl | 1 + .../mfa/x509+webauthn/etc/generate-ca | 21 ++ .../mfa/x509+webauthn/etc/generate-cert | 52 ++++ .../mfa/x509+webauthn/etc/generate-stores | 56 ++++ .../mfa/x509+webauthn/etc/josh-keystore.p12 | Bin 0 -> 4340 bytes .../mfa/x509+webauthn/etc/josh-truststore.p12 | Bin 0 -> 3062 bytes .../mfa/x509+webauthn/gradle.properties | 4 + .../x509+webauthn/gradle/libs.versions.toml | 1 + .../gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 60756 bytes .../gradle/wrapper/gradle-wrapper.properties | 5 + .../authentication/mfa/x509+webauthn/gradlew | 240 ++++++++++++++++++ .../mfa/x509+webauthn/gradlew.bat | 91 +++++++ .../mfa/x509+webauthn/settings.gradle | 8 + .../src/main/java/example/SecurityConfig.java | 71 ++++++ .../example/X509WebAuthnMfaApplication.java | 34 +++ .../src/main/resources/api-keystore.p12 | 1 + .../src/main/resources/api-truststore.p12 | 1 + .../src/main/resources/application.properties | 12 + .../src/main/resources/templates/index.html | 9 + .../main/resources/templates/webauthn.html | 32 +++ .../X509WebAuthnMfaApplicationTests.java | 190 ++++++++++++++ settings.gradle | 1 + 31 files changed, 1120 insertions(+) create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/README.adoc create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/build.gradle create mode 100755 
servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/add-to-keystore create mode 100755 servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/add-to-truststore create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/api-keystore.p12 create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/api-truststore.p12 create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/ca.crt create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/ca.key create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/ca.pem create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/ca.srl create mode 100755 servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/generate-ca create mode 100755 servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/generate-cert create mode 100755 servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/generate-stores create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/josh-keystore.p12 create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/josh-truststore.p12 create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle.properties create mode 120000 servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/libs.versions.toml create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/wrapper/gradle-wrapper.jar create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/wrapper/gradle-wrapper.properties create mode 100755 servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradlew create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradlew.bat create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/settings.gradle create mode 100644 
servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/X509WebAuthnMfaApplication.java create mode 120000 servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/api-keystore.p12 create mode 120000 servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/api-truststore.p12 create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/application.properties create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/templates/index.html create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/templates/webauthn.html create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/test/java/example/X509WebAuthnMfaApplicationTests.java diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/README.adoc b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/README.adoc new file mode 100644 index 000000000..48ea9fafb --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/README.adoc 
@@ -0,0 +1,64 @@ += X.509 + Form Login MFA Sample + +This sample demonstrates configuring Spring Security to require both an X.509 Certificate and a Username/Password Login in order to enter the site with full permissions. + +== Preparing to Use X.509 + +This sample is intended to be used in a browser. +As such, you should: + +1. Configure your browser to trust the `ca.crt` that accompanies this project +2. Configure your browser with the `josh-keystore.p12` client certificate + +Both `api-keystore.p12` and `josh-keystore.p12` use keys signed by `ca.crt`. +This means that after the above steps are performed, you can also use this application without getting a security warning in your browser. + +== Using the Sample + +To run, please use: + +.Java +[source,java,role="primary"] +---- +./gradlew :bootRun +---- + +This will start an application on 8443, meaning you will need to reach it using HTTPS. + +You can register a passkey at https://api.127.0.0.1.nip.io:8443/webauthn/register. + +With the client certificate (`josh-keystore.p12`) correctly installed in the browser, it will ask you which client certificate you want to you. +Select `josh`. + +You will then be redirected to the PassKeys registration page where you can install a passkey. + +After that, navigate to https://api.127.0.0.1.nip.io:8443 and you will be redirected to page where you can provide a passkey. + +== Exploring the Sample + +The key configuration is found in the `HttpSecurity` DSL: + +.Java +[source,java,role="primary"] +---- +http + .x509(Customizer.withDefaults()) + .webAuthn((webauthn) -> webauthn + // ... + .factor((f) -> f.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/webauthn"))) + ); +---- + +This reads, "This app requires both X.509 and WebAuthn to fully authorize; redirect to /webauthn to get the WebAuthn authority". 
+ +You can instead try another arrangement like the following: + +.Java +[source,java,role="primary"] +---- +http + .x509(Customizer.withDefaults()) + .oneTimeTokenLogin(Customizer.withDefaults()) +---- + +Once `oneTimeTokenLogin` is correctly configured and once a client certificate is accepted, the application will generate a token and send it to the configured destination to continue with the login process. \ No newline at end of file diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/build.gradle b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/build.gradle new file mode 100644 index 000000000..ced211cef --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/build.gradle @@ -0,0 +1,32 @@ +plugins { + alias(libs.plugins.io.spring.dependency.management) + alias(libs.plugins.org.springframework.boot) + id "nebula.integtest" version "8.2.0" + id 'java' +} + +repositories { + mavenLocal() + mavenCentral() + maven { url "https://repo.spring.io/milestone" } + maven { url "https://repo.spring.io/snapshot" } +} + + +dependencies { + implementation 'org.springframework.boot:spring-boot-starter-security' + implementation 'org.springframework.boot:spring-boot-starter-thymeleaf' + implementation 'org.springframework.boot:spring-boot-starter-web' + implementation 'org.springframework.security:spring-security-webauthn' + + + implementation "com.webauthn4j:webauthn4j-core:0.29.4.RELEASE" + + testImplementation 'org.springframework.boot:spring-boot-starter-test' + testImplementation 'org.springframework.security:spring-security-test' +} + +tasks.withType(Test).configureEach { + useJUnitPlatform() + +} diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/add-to-keystore b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/add-to-keystore new file mode 100755 index 000000000..cb133de05 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/add-to-keystore 
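Review bot: The `repositories` block lists `mavenLocal()` first and adds `repo.spring.io/milestone` and `repo.spring.io/snapshot` with no content filter, so every dependency of this build, not only Spring's, may be resolved from a local cache or a snapshot repository ahead of Maven Central — a dependency-confusion and reproducibility risk even in a sample. Scope them, e.g. `maven { url "https://repo.spring.io/snapshot"; mavenContent { snapshotsOnly() }; content { includeGroupByRegex "org\\.springframework.*" } }`, and apply the same `content` filter to the milestone repository. The explicit `com.webauthn4j:webauthn4j-core:0.29.4.RELEASE` pin sits next to `spring-security-webauthn`, which presumably manages that artifact through the Spring BOM; if the pin is deliberate, a comment saying why should accompany it, otherwise remove it so the managed version applies.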
@@ -0,0 +1,44 @@
+#!/bin/bash
+set -euo pipefail
+
+KEYSTORE="${1:-}"
+if [[ -z "$KEYSTORE" ]]; then
+ echo "Usage: $0 " >&2
+ exit 1
+fi
+
+PASSWORD="password"
+
+# Set up temp workspace
+WORKDIR=$(mktemp -d)
+trap "rm -rf $WORKDIR" EXIT
+
+# Read input tar archive from stdin
+tar -C "$WORKDIR" -xf -
+
+ALIAS=$(cat "$WORKDIR/alias")
+CERT="$WORKDIR/cert.pem"
+KEY="$WORKDIR/key.pem"
+CHAIN="$WORKDIR/chain.pem"
+
+# Convert to PKCS#12 bundle
+PKCS12="$WORKDIR/temp.p12"
+openssl pkcs12 -export \
+ -inkey "$KEY" \
+ -in "$CERT" \
+ -certfile "$CHAIN" \
+ -name "$ALIAS" \
+ -out "$PKCS12" \
+ -passout pass:$PASSWORD
+
+# If alias exists, delete it
+if [[ -f "$KEYSTORE" ]]; then
+ keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" \
+ -storepass "$PASSWORD" -storetype PKCS12 || true
+fi
+
+# Import new entry
+keytool -importkeystore \
+ -destkeystore "$KEYSTORE" -deststoretype PKCS12 -deststorepass "$PASSWORD" \
+ -srckeystore "$PKCS12" -srcstoretype PKCS12 -srcstorepass "$PASSWORD" \
+ -alias "$ALIAS"
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/add-to-truststore b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/add-to-truststore
new file mode 100755
index 000000000..0f7393074
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/add-to-truststore
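Review bot: Every secret in `add-to-keystore` travels on the command line — `-passout pass:$PASSWORD`, `-storepass "$PASSWORD"`, `-deststorepass`/`-srcstorepass` — which exposes it to any other user on the host through the process list, and `PASSWORD="password"` is hard-coded with no note that it is a throwaway development value. OpenSSL accepts `-passout env:PASSWORD` and keytool accepts `-storepass:env PASSWORD` (with `:file` variants for both), so exporting the variable and using those forms keeps the value out of `ps` at no cost; at minimum add `# Dev-only keystore password; the generated .p12 files are not meant to protect anything` above the assignment. The `trap "rm -rf $WORKDIR" EXIT` expands `$WORKDIR` unquoted at definition time; `trap 'rm -rf "$WORKDIR"' EXIT` is the safer spelling should the temp path ever contain whitespace.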
@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+
+TRUSTSTORE="${1:-}"
+if [[ -z "$TRUSTSTORE" ]]; then
+ echo "Usage: $0 " >&2
+ exit 1
+fi
+
+PASSWORD="password"
+
+# Temp workspace
+WORKDIR=$(mktemp -d)
+trap "rm -rf $WORKDIR" EXIT
+
+# Extract from tar input
+tar -C "$WORKDIR" -xf -
+
+ALIAS=$(cat "$WORKDIR/alias")
+CA_CERT="$WORKDIR/ca.pem"
+DER_CERT="$WORKDIR/ca.der"
+
+# Convert to DER format for keytool
+openssl x509 -in "$CA_CERT" -outform DER -out "$DER_CERT"
+
+# If alias exists, delete
+if [[ -f "$TRUSTSTORE" ]]; then
+ keytool -delete -alias "$ALIAS" -keystore "$TRUSTSTORE" \
+ -storepass "$PASSWORD" -storetype PKCS12 || true
+fi
+
+# Import into truststore
+keytool -importcert -noprompt \
+ -alias "$ALIAS" \
+ -file "$DER_CERT" \
+ -keystore "$TRUSTSTORE" \
+ -storetype PKCS12 \
+ -storepass "$PASSWORD"
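Review bot: `add-to-truststore` imports `ca.pem` under `$ALIAS`, but the alias in the bundle is the leaf certificate's CN (`generate-cert`, later in this patch, writes `echo "$CN" > "$WORKDIR/alias"`), so the truststore ends up with entries named `api` and `josh` that both hold the CA certificate rather than those parties' certificates, and `generate-stores` feeds the same CA in once per app under each name. With `-noprompt` the duplicate is, as far as I can tell, accepted without keytool's usual "already exists under alias" confirmation, so the mislabeling goes unnoticed. A fixed alias for the issuer, e.g. `ALIAS="local-dev-ca"`, or an alias read from a separate `ca-alias` file in the bundle, would make the truststore contents match their labels; either way a comment such as `# Imports the issuing CA, not the leaf: the truststore then accepts every certificate generate-cert signs` should state what is actually being trusted.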
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/api-keystore.p12 b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/api-keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..b36b72752d6f329c6028eff8862a02ad781913ec GIT binary patch literal 4338 zcma)=WmFW5v&PwFsijLmdWn@@aw$O?mj;Gl4@4Glq%(TN1%|KvWk( z8*b8>Yi6J0vL7ALQl&q2GPVQ)p=3Y+3ycUC|Gzf^32?ArjJO1rF{%JtY!HAOM0U~K zGis2~q5e);=&a);d>(`XjVOJHaaAVCiU}S#uKVgYLj*c0k*gmETMkH%UnU|k{z_wj zS5oOPSZgX{SQUfe!a-I?>Du9>(vJc+zkX0k_I9ZeM+_ z9qoAP#N>l!K5cuLHzsYzfaYxg1wULG+X0%+mMW1Dt)RE?(}D zG#Lu^;jd*6oR7=5^BtPCIM$3FwJDV*ED#NnUL$b#OteSZIOkxtbKU6LtdOY~^xLU4 z?DHkR{w8!c(adx-*HkV8&27h&R)r$%rV$}(g(U;W4PU_8OlF#%`ZWI-x+%I$JQXISOZST zUzmeilYY(`t=rxC-hjMKaTOH5;u)6qhTprU0-b}4;-4x|A))PoxF^WG&um1Lp{{h{ z>sHIGuGw@XxLhH<^rQKclOg=G+>eRPt1~FMpd&_uR@Svi9VEV1({%WTek}BZl4Z3E ziFILl(*6t+#}3CQhX-sd4_*=)Kxz)JfMw^^HfwWovj%6|GqrZ4e#?8>tKOaQ!p^#h zF!P+7!`A}=4gql&gpt9nOKjUoI1cN{tTmFreJ3Ra{QY12lS2hXl9}nrXDJj17Sm-B zA>x{+I1Q0OsG_MhB}8DComuq5mcCn6k>Xf(u^u!(r|Qn8xOr{Cuukj#P|v9U6}6Sw z$#U~Rg11&86&8dHF;lKc>=%QU*cg=w5CV*Ey~NMTeg=BVDy^Lk_Z#4(c^eUQD&=Fw z7s0m1l|H|zO8e)4HeLvC92+F5VLqv%_1*3=-qc5HeZif5UQY!=V9dEWpqe4Wlxm2G zZQBsk>Ph06MTD5N3l+i7exYFr854K{ig2FY)9 z6atolUx;uN_z8;Q4F7sfqX(IjiS-!aOR|rSZYhK(d?V;9+lob;P`^e7udPncKg1p# zxg13>$Tr4i7O5OZs}^GH3kcl1Z0AfAIwW6CZatbv(lV}qSr4n|)ur&Y2k@_}Cc3oa zD1}cPH&BGIA29n>{#i+xH~ZLT2itwKvEYMF4&qc8d#^dG^BvA-!G;Bmpu%OziIVL$ zDiUeIRVr?A;C+!WRxLod{sd&J}6MZAj z2aVDF**lI|7rHTrXk7cjGt_^@HCu^T^_#>M^A_$LrVAD4|&d4AgrO% z?XONl%na*&1{9zJmTz5rx4jV*P7HnR zGzGzcnX-y6JXYdRRK~P)diY{Hm{+9u{oYz=q)z=pUy89CO6?{%#R$aSUXr-zeyxH` zClhEWWauF3)`-93vWUr~`|i^4&04G$@-B;$_x%eYo>?^YMkdV^Kl|7$&?P9+7uiFe zXvl`C1+zCE7F2oXKzY)`R@w!wf34M2fcY%&wLBQfnf>ATx_OZz<}M}F$e_?dfl%8| z`7Iu6lz4h6LY!}G$Qm}jwDL@GK>Yg_^gR#g#x$0DfklFF%hLLdgl6Ubhv$?%Q^uk0 zQn8N5Gs19Q#fd}4x>GaK88Jhdm z#bCTG!vzhmPfhj;#nP36fE>=+35)8l^ztFHGtsH^!@ytu(cUC>w2oI~4-5(LDMH*w z3NkI7Mf-@_V9<_ommJb@tW$A`y97fYOD^oF=GPd;4sIqki52`9F^v+nCy8gDSpWj` 
zg}51KDU{Us6|C=mN;zoZ#gm;A&xS>1PRtj$A9`oHFQw*B9ICs%F-*^3jB)`YkyDeL zP;$-mQ|WU{zpYOh;UrnuCL!V=+xmykZY*fkNW~ZzdsAt^w>>4>zn@~TAT}B*x*CtW zXp?>Tx|C8Uf~mY9i@*}!)NOVlF}GMY4(qS9?fl4&S)66?_^4hGO12q?Fy;$%V&EOt z^sDfLo?E+`wi`!N3Dtge0}@eF+UNYTmHp28w4E&@lgM`y-HkQ8yN};vo6&pVHEwxU zJ;W5$%M~7sSvQyoyXJn+1wS4{Iv9#ctj^V2pZ8Vf`KYowDGCSl04%_VRF#aPrMy*( zcv?sB`4XpB&OQ7MLSE$oqicPw4=zND$eN9M#6`f1mqrXY1jbh+d*`3y(Jper{G6vUbFw^x>7} zI|$s(?&YrfONTH0aM4zhm~_<__FM4nCJCcpPGwO6Xbx|YpqyH>AxWxH;U^+pr+oRr zQ?Y`FTg6XZwf^+X*k>JY-D&0baIZU^my!wy2I@4=lu@@_hS?L*oW=`l3au^GynCcsaD5gwEegF1!j_2`e774jrf| z71|aUnEQg#ZL0JDJ}`Wsv}xn#4I*-u`O0+je5-PSet$Jl{K+lyCv&fF6^|pF zfx4UEoT;jN!f7B9z=kGmt;5yln>^C%3|2N9f9c9RwQ3Ml&uV#wXXE2=Da<10se#T} z4>d+_lwL*iF>I$u_#HiRBO2eiypzDO38zrS8TCRt54E)|uJ_0QoM$x;-TB7f?BP)x z2_Gncd^Uu_eDU0HV3ZFUs9~fNR{34Q;S0&J*%`dCg5jIdeDsLDjxV6b!l)Hi&O-)T z#x%0EpXYS?WaI;ZVi<}a0`&`mn(jo4=C3^)YoCe^75ez3^4Y&_cUnE^Ys2EeDP{tC zSJG)O49VhAd(^e`J$N)CswA)q|IH!M`^8mz4v;!%b^Qi&6Kh_{=Rd!+mErj|;rA5j zTJhmDi?$TB@cp;Uw-M4~NnF#q;*Uy8-e#73>F4d{HF~ zODG}>OPu_DL{k^y_F?s^s%|fG-dr(iy10)f+vf9RZn@ZzWDmMH$ErW2<-rvehia8& zmk!aW2Xy632J7wha6+uHANwR%ce$9ZV2jj8^f6(@BvQI{O!#BU9-<`%U{kPryR`|G05?WvRa>i=%sy||2ANEYO7ueP<bzun8Pr-aiwT)H6qTaaQ%*PaQU6b+Xtq> zn7IlNhH~y-c4bY#Nj_O8Xe>y@$DHTbYkE@asYFR(W?amBjxN)Pz@g zFe(^4a|T(I9H3dgM@)Y7JU#ir^ms&^yWReIVEgL5g77oEm2{bBCMjeBQX4`J(O&(D z1tYACfi(2>bu(1YOH3Z`L-{xLk2GF(tf9m1mddFpu_Jz3H8k41vI%Z^Jaq4pRR`I5 zFK+i}vBHt#0=QkXnj!nUeWK<B$Aez%b%xhR!XE_EQebUNBVy}Y)wD(rXtsN5WNYZQBm*%X z|2Xfr&yKQ`mf++iw3=lzECsQ1#9h{*ZCgE5tt}r)LhKtYxmtIsyeP9p%Re{|T{O_} zo27VA<{pWiPiC*6mQy^h>A~!2>S@M|$mfaHK78&k{syK26NC}}^9KL|aIiouKVH`a zm%n}$!NBgFoFwi0s#Opf(vH`2`Yw2hW8Bt2LUi<1_>&LNQU+thDZTr0|Wso1Q2!HpXM+S^ftF;|$m0p5mp!budO; zWIiQqZ%zgc+=m4ToXjxrVx!*`Kb;;02D%n@;so#ojsqVf)>?a!(-wn7I`>T&uF8a* zE(dXy)BC4wgMlGQCJt@HR<9dMWQf5N0z&&X@Wr4u5B$6WI9USiM<5vhwNmZ#`5UV3>1eaP+Rxh~|FC#0aUM@kgPs_%-0J=VGoJ^E|`l#&f`w41|ruyi34n84@Xexq! 
z-rv>0QwXuI!aGl|{DpL=foJ89`?jjKQ&_L&g4X}4bDqi*%YJ6?USUY6oa?In2H#t) zOeb`Ft`8S5V)cr?CoV9UVN#jJ{a!iKocvZ4OfS#u!aF4E%E_e{QE$Lkuq}1Ju?c)A zNob+RAQ;Ar%6jiDlzFJF{YP79_>JRNY`dbPuV880mwgNi*EC;Q8hc({@c8`Ak42yU+y z>dL|TPqH|)L7vMY`?!t)k^~Y*riuIW?R`>%5l+iWmKjRm5QbaP=-u8u4E7rqold%g zi0D;iNvvEyOL@DFG)al{OK>D`Dv8ZFlP zLf!8G?C+Rcz@urIaAr?om9&TRR$PS`$Gl*@4!5V8@kSGX*xS6pl>r$Zmbd zQvMKubA|}TtQAl|4PkWHypo$7J?9(yw%(!jc!(I7>@8k`A1<0R6qI$X9!^6wxPYKj z)GAu!0HQ$;^4m3eq+8ey1Ap1P-lshS9cqIx^#V4qIxDzhCA?2GbDs|$l}Cn+V9PgI zm1mJoG96zmwdX7jpgf7+9dP;2LK2Vzwa8SG(^S%|4;7Px@`L{!8Q6o{RtEP`fM9I4 zWCUBWU0Gc?HWJWbnvhM5cdp;z-fs8?t^e}o0_X2@76A(}bOlBZNc(yYvGmSz!G<2Y z-1aA;jW%`D&+-+$AyFn?uDqGJa@u}hWs}MTT>#up*HT9 zjFUOy%d^sndFb(9t6AhGyu4+hwMM7v6lzzlcj9wv>`1V{i9gkH9X*-w|fq z++s&y@&(A*F%l9K8_5ZfvKv-D_UU31M^!q@0o94NSJSQ_rrCqVAO*bP6AOFlnLrJF$HiA#N1vA-i!En1X$T(o4}tJzuRU z*<`u#+U1(>76{;kyiR1)4lc5_B5hK4z z6s8f>1S{q0<@V~f|9-qhvRjRzp#Wx$*`ZM{XhxZTLXROEx-J^B%!= zxau&d>qN&~Z2f=ykpapUZpf#|uyxOI>sH-Ar0B;R-*punYL-RkMGQ2bi+1kigEo5q zcVjE)zi=B_C-A>oVYf+|nxbmQ_`tYt0a2f4CRr6ADkF-+ZmF@qb(a|!#b5nL%f)&s zyQff4>|6hd@)KD7?*-2QD| zLMmmor!MW*T4CLNjkkXExl8Y*4DMY6v)8#qnK-Ub+di~xB(Ne)nebyA+>u=Ssn7jw zv5uAQChSb~23EezZHw!As_Zy45;kR~0G$JEr4)>8B@~fPm$iWevR)skW5C*?7SB=H zJK@ai_^0G%2zxp1k3+<2;venz=41m3VY{PM_pd8v4a=s4^0s#D3z!qiL^!)UB z7C*DgXD&;BDw>BoCJhAWe2i3t4+zPOBd<(@Pvq_LC)D`%yvAw&{pqu-p>1ijbd#}{ zPE21!(8`8w*eOLhVb=2-gZvMdqQOY`X`;HoXVti|T;#Au6TR%&60hKr^TLZp4Sbe- z)>yr1Rll5N$&!3A-y7_L{z7H}1wvP>PbgxL_WCm@Ly;i833|Q#b&-h# zTBIae$%~1u?0z_75JY0$pALiikpx%tF&(>I%R`#o8IYD>4^=hU6%2Cxb0u{5_vsX` zc}VF>$lO63xws?`%KrPc*aYU~yNusciM6U7GAQ15RFV^82hF?k7t+Y*kgzu;0^ko>ps`@i%!PK3exBfv8^tHf`qiwyGGjo{=Kn~S zyQHk9ePSUECTTVxGB;C;yywN8H}o?b$&|DH$B)9=4H?gnFWU`7INeV3#fPn{+OdEQ zjp3Q*8VNR8@>p$V=MAf^iJB=_el{IZEMg?1X3+wMKya9AlTDYOAtlX@-p85xv}mPH zPb;_R(-%0T?cSe&%ccWWcH_^_7pS{2@?jo#fx=|L`<+9WIVue|!yjNI+MmTARP#j8 z&)4mI->;r#T;R0G1e5XETncsMz@Re{eic~CIs?axuFj9!-1EZFsXS+mk)69^7aZM7 ztd^3f?p(}1MY<6BP^Y?HWRy56)RxzY_OydgmDcyK_*-5k?ayEh=%eG7Qw$lAnXmyxe>|7$s-Uws!PMM 
z@MZ+jHl@9oO(DakVjW%1IvmvQ;l~lyS7^-6+@T;1Qba`2!WyAi5gQh;u(Zl|QZB*% z%*SY!#h2(Y7n!d^XlESVI%V1E4o8xo@205>h`m5Dnt!{`I(K�=O&K#Y|kO*WyFB znJ@A0bnWUA0LQ}{AJ|i6*$Z|D`d7W)YY!JrZS)z2|I2QKe^roCi&%z;LHkR8YS+$}F`lw<;m1^@D*m@zp zTDtEpy@PW!ri!y$mZHSMS>@b!M~BcUiqE#A#XxQqV-;$few^ju<<=;cwE|wtHRZa2 z&M&$Tc9R_E8N7$vgDVJ@aa)wf0a$I(3=z@Wd}=@W-vAVu!}M|;H_)F@ZzQmgI$qi9 zM`>`sX!-<4uQaVdsS(LI2js8>1!i&odXi z|C64-OZDNm5qvfBZ!YsAOtv4a^i-PD39K+pFflL<1_@w>NC9O71OfpC00bav+g$Jb z5(?+&PYv!;_NZ|Sc{;`?>BA-Pa9+&0rLZUj6fG3>oT?k;(mj!sZXXOg{VEyO4gvxv E5R " >&2 + exit 1 +fi + +# Set up working temp dir +WORKDIR=$(mktemp -d) +trap "rm -rf $WORKDIR" EXIT + +CA_KEY="ca.key" +CA_CERT="ca.pem" + +# === Ensure CA exists === +if [[ ! -f $CA_KEY || ! -f $CA_CERT ]]; then + echo "🔧 Generating CA..." + openssl genrsa -out $CA_KEY 4096 + openssl req -x509 -new -nodes -key $CA_KEY -sha256 -days 3650 -out $CA_CERT \ + -subj "/CN=Local Dev CA" +fi + +# === Generate key and CSR === +openssl genrsa -out "$WORKDIR/key.pem" 2048 +openssl req -new -key "$WORKDIR/key.pem" -out "$WORKDIR/cert.csr" \ + -subj "/CN=$CN" + +cat > "$WORKDIR/cert.ext" < "$WORKDIR/chain.pem" +cp "$CA_CERT" "$WORKDIR/ca.pem" +echo "$CN" > "$WORKDIR/alias" + +# === Emit tarball to stdout === +tar -C "$WORKDIR" -cf - cert.pem key.pem chain.pem ca.pem alias diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/generate-stores b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/generate-stores new file mode 100755 index 000000000..95bbcb59c --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/generate-stores 
@@ -0,0 +1,56 @@
+#!/bin/bash
+set -euo pipefail
+
+# Ensure CA exists
+generate-ca
+
+# Shared configuration
+PASSWORD="password"
+HOST="localhost"
+
+# App definitions: CN, keystore name, truststore name
+declare -A APPS=(
+ [api]="api"
+ [client]="josh"
+)
+
+# Ensure required scripts are on PATH
+for cmd in generate-cert add-to-keystore add-to-truststore; do
+ if ! command -v $cmd >/dev/null 2>&1; then
+ echo "❌ Required script '$cmd' not found in PATH" >&2
+ exit 1
+ fi
+done
+
+# Generate certs and populate keystores and truststores
+for APP in "${!APPS[@]}"; do
+ CN="${APPS[$APP]}"
+ KEYSTORE="${CN}-keystore.p12"
+
+ echo "🔐 Generating and installing cert for $APP ($CN)..."
+
+ # Generate cert and install in own keystore
+ generate-cert "$CN" "$APP.127.0.0.1.nip.io" | tee >(add-to-keystore "$KEYSTORE") > "${CN}-bundle.tar"
+
+done
+
+# Second pass: truststores — each app must trust all
+for RECEIVER in "${!APPS[@]}"; do
+ RECEIVER_CN="${APPS[$RECEIVER]}"
+ TRUSTSTORE="${RECEIVER_CN}-truststore.p12"
+
+ echo "🤝 Updating truststore for $RECEIVER..."
+
+ for ISSUER in "${!APPS[@]}"; do
+ ISSUER_CN="${APPS[$ISSUER]}"
+ BUNDLE="${ISSUER_CN}-bundle.tar"
+
+ echo " ↪ Trusting $ISSUER ($ISSUER_CN)"
+ cat "$BUNDLE" | add-to-truststore "$TRUSTSTORE"
+ done
+done
+
+# Cleanup bundles
+rm -f ./*-bundle.tar
+
+echo "✅ All keystores and truststores generated successfully."
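Review bot: `generate-stores` leaves the CA private key beside the keystores it builds, and this patch commits that key (`etc/ca.key` appears in the file list) while the README tells users to install `ca.crt` as a trusted authority in their browser; anyone holding the repository can therefore mint a certificate for any hostname that such a browser will accept, which reaches well beyond this sample. Add `etc/ca.key` (and ideally the generated `.p12` files) to `.gitignore`, have the README say to run `generate-stores` locally instead of shipping the outputs, and open this script with a warning such as `# Generates a throwaway CA: never commit ca.key, and trust ca.crt only in a disposable browser profile`. Separately, `PASSWORD="password"` and `HOST="localhost"` are assigned but never used in this script, and `cat "$BUNDLE" | add-to-truststore "$TRUSTSTORE"` can simply be `add-to-truststore "$TRUSTSTORE" < "$BUNDLE"`.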
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/josh-keystore.p12 b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/etc/josh-keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..38843269954c7884fdd928c8bfc85774561f7298 GIT binary patch literal 4340 zcma)=WmFW5v&I)#7F28oN zky!HYJ@=mXJ@?bSALh)N-!n5GpEGA*D6%7596T6`ECqBA8YCZdPJ%;#^BF~k0iwu) z|6()@gYq$3P15Lj{6%?Afo@7A_n8&en#Po|Ant$7XM7(lfd*~LjRV;u%|%E zoZr&VKORvCv!2%!$JkypOofU$;Nr5A;o>mCh(Uz^y%F~wJ^=Ozbk8_Q9>*LHhyw+Z zc~t9OpyhKGOpU>Y{xSPhKosz2Q?*3v=^m{radVNy&crSa59{>+V!u-&D@4uMDYVKA zrhNR;PV?*n(3QX4>XkDaoXcTZ@sK*E+r!)~vS-Uvm@@Jck$r%ga7NhT{RrKkfY(BG zf^*ZXsh)S`ug6vQG)Y?iDbGxAoTiuXzpybExU!-vD|RQ zo=A4=gM{0*yH-~=E^A;1tbDg&kv~o3i2#{|y`9zV^wKZM9C1^Yy(gioxtJSti`!XM z%cZ;DZ>zebduhr8@qo_>T_~Dzm4(&l`Z7!7pM9$b-Y=3qYTw>LBg)l_kE!f##$CD^ zRGv!Z4c2$l$>8fzXz0TXG=|nMO&*CKUUM30T&YRXa9&+lkxdF#Q*|0B$oAHalbDdT z&(~!~{BSqniP_{P&G^}~Po~A?zv;GpnJ*>vrsS7T8HGY`zaN4gCrlE11i@Nr3O&i+G#UvzXS7mg>eJaKaN zZFGWd1XgL9XN-2`Y|-k{J5AC;DX}R|{Zf(Nv-p>G|45puj*ATMc%9(_QAwr?xCmdv zaPf5lp&(<(1>>`UER8NMsM{>6HRhW_j@wQ*cXnM19_slEeyTIaZDQhiY53ucgJ{>A z)6I#)rTpBluoE}gjLvkYA^(v1q6P2bJiaX3hMmT;QbRa8m$M_P3aKDSbmx3a`vFdJ z(BOyw$Tw>`4+&Yb_hO7?)(N;oJD#RpIkbfIpoK;}ENXqNJ@SPo8K~!fB!{0I*3UjL zh#l~FaJ?1;!%IN4G?TGkzgBxabtQ=&&S~l#x0&2B99I2$dKCHXr1lI`Yw#@4TS}G} zLTz`$6*@h8;xOV(`3oXk^qdOF_Hu7lryf7wx^gtx!8ts1#o6VmF!(f6+r`Q!MZBw) zFImcc=_qq#WoC=`Ceq-u;Cn-I$_KY>VABd+X^Q&-GB|T%u6$M+HNXvQtFyH2^`LMH zd9X!bwt)Z#laL~obWhRTaoG;Qy)K&U+NK!enr}un90Y&Wr5i%k*qQv6=)2ns$`$rg z{=xoV$A7}SuDg?ZDwN9FZJW(Wq7^EzYo#PI^>H^cd zKb97D7L1q8?qw(}XjWi3u|exeaHJoTSf|nnCj7L|RW=hG$z?PIRbY=BW$^z++!PI~F6 zBc956X)4d_gliO zf}y}8|1=SRKBK_xe^E0o4&ZO9`&YsFzbtxcM>9I)SI7)~-nCvv2EJFrJEgS$k44LM zlw)8!yi4k=pr=K#a1lQgSUeG3@<)ZdM9E$)hwTlq7bvOx2MYe9cmF(LNV)sd&-H`! 
z?adL3P}YO7aRX5#=q-SySoPXkrwyoi-@CH_>ltkl9qs=LRJ=&F9oBHHt2 z8=<)`j6*ehI?t;l8Srd_|7#T;EwfIvOQ>ALY+HLUsFD_)E!?NqXqSVLdG;{Isx#Zw z%y>9_Cuyr-D(gd-vb2o03;FaD!sI3KWEiyHgQpm;{oT*0w;hp+c_@l{i+4-EilbJN z3D%1bA*_+XcOgOQ5_M}7qYGaeYUUz!KAsL-3z-VY2Vw9>vK7oe1ZF1*ek`Nb+z?~}UcSeudf913{R`Id^w zX$zjT=1_;F9 z-#Zm9A_1Se=gnB4Gph^F39>#gkqOJNnzK8(IIS{Y%BKzY1r-oJ6K$PZ(MHfBHkg{Z zqYydO<0p)S=VpZu*>*F!4T{K6#LKh@I%7jA!7Sp7nU1sgcG_&}%mb}2&6*&ed==78 z$9IZ%J3rZ0NCg+MaHf6j{dhBR$ZkboWWpIA4@0PSm>=+JH$2l|tb}^(kH{hem8uXH zrp44l#iiBMqZk)ICf(J!SrWb{^ihg6|2%}ke;ST$LfOA<=3AGqnqq1B>QGl36`b{+ zZ!yj#XvHr@eJ$zbiQ~#3Eq{_<6_$& zTW@|tj+t^GJJz0@`U8bfl6KQ4J*9hZ0N*03^XX?R@rUp?-@RV3)xHW+sn}%3{Fa-R z7PU8Z7F;=yb6BU}l++@-somN`j!M>{%lXF#i48Lquf&&j3-t->@6M)NCUOu^kf${T zWjbXcVd>AePF~A8exA9d1Mkew?phTq(UmVPy=QS<`6$C>Qr18?>|13LeX`>yLSb!{T!FnXYxRr0 z2WM#){?hq|J2H8@w9tG^IEj-N0{zx=%M~VhQsL~F^7wONDUqXV6@d3!+f+?eLNP^0 zcD7L)qOm8|nw@%G^vtyqZ7<*jyR+`USPSPK2++wyvv`;k5r?#iR$ZO6mwSli)gSD( z)h>+!kL;obYwJZ&+Pcos9p{qoh99eaFT2jSr@PK!3MCL!uP*u>E#5}t8OPF;uDJ|) zRL~amsWPTvm>Uc2Z59kV(}YB@3C)~_g$zkGm)dtoDypY~o1jPS7ebpy$VbZJyaSGKWGk`m+SLf6SdtaLO*B56J1W)redpGv7ytG=nqjZ9vzk5qc@Kz z3b@lcyC^;DU2S7_3w+|7Ly)q+@I(h~oHx!t`?W9KMOWbdgG@lIN?a{QBCTAD21+ga z02Wkg@{YoHUV&5F#8H<(CSK`q{~_}n+^C245C+P(1$bIY1xoLRA$|BSoM}{dQ=L>( zi_~OE5lALR&IyqzSa}v^a=~1wlz@2*B>bBVZq!Wfm;s^gJuB0sc$Pw}b?4tNu$OB0 zhxr7_xk3B>{{4!vAV6V+hlL!|jDO7|CZ)b7Tv--e?x1{mMkMQT#D)!2`@_uIa`gMR zFX!_}>D*m2@o+PmGQhPJm#?4;j5G_nvV?U|qY-9AzqQ9KE%X4((VCZTZ8r%w4xxc90 zm9K2e-dTt|Q*c=w`eG)sQFbEXhWkdI<1xjGM7WIe=^C2V+;T41-a4X$vq4PkFqQ2Q z*rDIj>9M+Zi^JJX*mBu3$7+rHy$Xl*@oRi5ICvK`E?_*X?j8MLGlEH;KYPsgEo508 zq)eZSr6V(82*8~1cdtjR9EU7DBAVmceoa-)E&(T4t@@`%1LPr1^H0S5x6Vx+eUqjp z79izHMg*W2s0d*e% zQ`q@C*zJOzU?2BSof{MR(A81R3$mQe|=KYE&@IrgZ>&zVLlM$0mFN=-wp6CPalHCP!bF(e)0 z2cboAg1+Z|iFS!Ro%3djVVOt@5N8_j(JYknGy@5fzB|DLrFqn`mQaa)odf05@I*HIunK23O7 z*)r(f7UjKb43bkMDC-NCsxjc4=8nny{!UXIysa+{?q>`;IQhlE`$m-GXA8IPX8NUn zZTd)q<+{RjLtZ}rx)cO5baa^!T0!-Yji72L^~ER+Nri3$@9LUor2b^yFadAN=DI(8 
zNt3W%Hw&_q=JheH_#(}Kv~uYzkgZeKlqzwVMFPmjzIX4CayEEv1&dup4`I!(2VwD+ zLf(?&D{h|seiVC^Ecwd%IO%#)XDd+(R5y z4+s3$r*q;04q(gZ;9xu@+7DJM2q6p=quM<=$tZ!JbKZ5YC4Kp0Q6V44foZ3mn zvls{%Jx%h{a>2nMOa%sqk^J)sz{SA_ z0GYTtNxC+?YxFoFwi0s#Opf(vH`2`Yw2hW8Bt2LUi<1_>&LNQUHnyUG4$`ClCSwATSID2r7n1hW8Bu2?YQ! z9R>+thDZTr0|Wso1Q4ek8Vkl@#Mhc1^`8E?mWzOb3h;fZrIL2^=#2&(Wjtb(%%0d> z{EML0x-Bh?uJ9biT#>p6=i&K8PIfPD6xZ>j5Z;lT9Yi>QXVUQC6_1B2TmC(5T*t*s zt-{C~#?}yDz*7z8L%SqH$nfCN+0S&Jz`_sn4-bE)q~H}qJ(D&z!#KrgPbLH5RtHY8cXQD7wyoQ z(&}PY8PAF0sL@Y!PrW$S?8wA99R+Z6n@EShu<6da5KHSJ@zMsGO?YW$4iRzlF+`wW>pSTLq}?LIDHHU)?$U&@-Us znMth8Cg~>*F_dLK5L|HZI@*aIV`IJ8f2XPc=1_Eyf8zPN$Iu3DwyCGVP*m{idX+Y)bteqr7Jk0j@x z8hWkowzngq)=*$q-IXO^#MT$kAe~}KIAhwNJ#JV3Vdd+dP@qa+!`vO#>VAkz+>^Th z@D&fk;^j&^0-{BcC|so#_H)_xmNdr{8`e`^bp9(eAs>i;*JI}zkvMucp%=xZ_)#62 z?FS?kRJkpS%legyJWJXjc6`Ce;~=x2hfznG+n%z?a5AYMlYed6?AYnd1yD%v{#5ZE zu_XF#0O~tONUax{bfgfg*{2Oz&i@0_o-=z+3$~hO(!>t}Z!!6{RB=_w7Cu7? z)&XqCs9b^2gQ%q63MmCiV~)HN9#cg&QKO#N)Ij%^BeGteT}-=FnHx~H6!+W@9uVcL zI(Rew3Z+Hs88BQ%;rpS$ss`ji=6qVTfo#MP$$5_62`#QTwZwsulx!^yIO%kT0?G1S z@!lU@#kXyo9G3Ln!Bk#~0FKGJ3fbqlWq9q7F6(?Qae0sDSEBuUq7i2VaNr_6QP}5N z@4*f{P7by>Kb-$lnI9=jOSYK~RWf(gE)*J1RVsh(#KMx$0tgcx=`#(un3i28tbvB^ zWT)(lYm$R4mHYh)wlHVa6D01^& z@VBlFih0s%4&jqwQ%*ZUO}2c)i6h3ERcF$i#=0RvnyC^j(XynyKMqu6IfXFtr*j2u z`9IFbqOEbB`#zc2AELe6<}IT8^;{r$prHa0yIkMTGRtzv%lD=|wP?T(Jd!iXB2XZg zgi@q}+nZ%%h>H3Y{P`BQksWjgdQSC4VhqvqO|{$})$P!A718f1Rs51$c=-%_CE8Zf?h8>8apz2$a7fnbm0OdZr8Q>7;({pIhTEww$Ko6YU=X+bPV~m z50Zq`=AAg$`f>FUYQ>Sf>NUV^uI6hlY~xJ0a57U%&iOlXYZpSKJQ?*J=)~8AjQ0_qBsUsl7zZKMb8xkNz=9H6+cTDZ z-&)I-$9SPA98>v_U35KuLCx0tPX_JnEkYjZU2$rfr(@XdJu!wbj(@%nkn;WdN)FT+ z?x%PSkOWvvaBo{?R0Z-y5OE(*!SyVac+u2(1!$SDgmI4{_CU^TD%Na|GEpjqbuW6{ z`Dm|ff_4JtSSO`W%y0I`uFYuKQ0%KZN!Sutkg%LQzNL^UmXXXAhJ^>(#xdJeWE5p_ zYVzNng#?vOCpN@4k%g76yG%T&1F2~smJXKm;2m2aKZ-sA@pam*>km;Gbn z0s`{&X*Ko{PI>ln1?=}sG}eK_n7uIAUqnRL)XqBvSZn&Eicr^M#(eTwvTyau%&Z`s zhhfMH_iAiO1|yE&tAIQZyGbW?d3XIy)|kpiAWyu zVCu#m>8K5MA+k+8eHQ({&*C}YLuvMx4?x#(Y))p`Txp#y 
zTPgnUjn%)kr_7LXltPBuHyuNrvM&dadIyJ}zf5*SE4bGQ{-361>FiHsD06l6)1&w= zAWJi~h{PvM#IF*H?4Vo#9m;_{09*ajzuaTlvFfv9mncxYDd+P}T+qntHBPBhKOy!f? zT`%gl@ZL@%VnNIin_xukrAEIs(TU&6tvmCGVvLkBiW=op^SP%(F4zv0<15bEL{T~~ ztsyNwsy4U!CQ3ubtFAetmH9*@i5QUjEKDV9|98|?`lB8BMm@W;+iO2uUW`UGhW88e zt8r}vPjJ}h>+Hoy=VGp0$t(L+lI016Wl+WPSQGQ*qVV1wFyD@ok4G26JABTN*Eo)i=^HjktZPdR;D%cphP zD_$aZ?*fJ=NOBH7qN}3HLc0_k#KnUEZ4klB#bW-5w2s2`W3BJG_}d}`eA7&^6$}y& zx3RE{7oLG<=;sSy!S3yinK7S-*HqI;G+jYTo6z$0T(kWN$6{dakQ6-ncI4L)LcV;Zl?r1r)cOKj3O@>urv z@VNN}sg;h1y#QQ{9y2+Q2Fsb;V6+4LA7!OB?5kM6wUWw`houf=Mt#J&?D8Wf1$}Bg zq)Kp!)C*73;Liut3RTIf)qm06dgWObu$NG^MsJwF;~jC|=Cxpil=$cdWS#+##<4_hYO zJM?ms`22k%Env7D&}!(WOm#{VtN5kr$QR{3ju|KZ+#6{iNu|ky!rd|p{zYY0m>I(L zAww4L+K}sGQcj8Y8|s>6Mk%Q457#$F(g5TMb=6y`O5uu)jN=hsKyX~A|17Vp_WEDz z8lF}}cboE>eyksq>Ae%K>akbGfX6P{kQO8*;uTx2pW71Ce4K|76tIFJY=~~v{NaV? z-)Mmr%f;(kNvBkB2UdS`EUbr=W7)A@T*&&$>!!j`EoA!NNF09?$dqxnNIl0UkQd8M zc18rP{$>*Kt_)4Q+gCRy;YSxZryGbE?Dzh=P$afBXK0HYvk0?kR$dUiP{{lz1|2UF ziY#K;NzWBly_DXsM31Hx4}FGBV1AEhWF47HM6SX4xE}0<7FpdRfydq=6_D*HhHVi= zU#4M(IQQKg2gxs~R4V__MI|1|5J#)Q8O0z}@0-Y6;K;+0mb(timz7#pNu(F|UJuj~ zghDk5R9L`!ENC9O71OfpC00bad$1Gtf z0t;22@uJF%VwVEQt$A!dKLh;EM1*hhcrnie6h9-GImrsXe`+~gTufk(Z>}$xzXAd$ E5JY3tg8%>k literal 0 HcmV?d00001 diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle.properties b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle.properties new file mode 100644 index 000000000..a5a6444df --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle.properties @@ -0,0 +1,4 @@ +version=6.1.1 +spring-security.version=7.0.0-SNAPSHOT +org.gradle.jvmargs=-Xmx6g -XX:+HeapDumpOnOutOfMemoryError +org.gradle.caching=true diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/libs.versions.toml b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/libs.versions.toml new file mode 120000 index 000000000..ebb52ed22 --- /dev/null 
+++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/libs.versions.toml
@@ -0,0 +1 @@
+../../../../../../../gradle/libs.versions.toml
\ No newline at end of file
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/wrapper/gradle-wrapper.jar b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000000000000000000000000000000000000..249e5832f090a2944b7473328c07c9755baa3196 GIT binary patch literal 60756 zcmb5WV{~QRw(p$^Dz@00IL3?^hro$gg*4VI_WAaTyVM5Foj~O|-84 z$;06hMwt*rV;^8iB z1~&0XWpYJmG?Ts^K9PC62H*`G}xom%S%yq|xvG~FIfP=9*f zZoDRJBm*Y0aId=qJ?7dyb)6)JGWGwe)MHeNSzhi)Ko6J<-m@v=a%NsP537lHe0R* z`If4$aaBA#S=w!2z&m>{lpTy^Lm^mg*3?M&7HFv}7K6x*cukLIGX;bQG|QWdn{%_6 zHnwBKr84#B7Z+AnBXa16a?or^R?+>$4`}{*a_>IhbjvyTtWkHw)|ay)ahWUd-qq$~ zMbh6roVsj;_qnC-R{G+Cy6bApVOinSU-;(DxUEl!i2)1EeQ9`hrfqj(nKI7?Z>Xur zoJz-a`PxkYit1HEbv|jy%~DO^13J-ut986EEG=66S}D3!L}Efp;Bez~7tNq{QsUMm zh9~(HYg1pA*=37C0}n4g&bFbQ+?-h-W}onYeE{q;cIy%eZK9wZjSwGvT+&Cgv z?~{9p(;bY_1+k|wkt_|N!@J~aoY@|U_RGoWX<;p{Nu*D*&_phw`8jYkMNpRTWx1H* z>J-Mi_!`M468#5Aix$$u1M@rJEIOc?k^QBc?T(#=n&*5eS#u*Y)?L8Ha$9wRWdH^3D4|Ps)Y?m0q~SiKiSfEkJ!=^`lJ(%W3o|CZ zSrZL-Xxc{OrmsQD&s~zPfNJOpSZUl%V8tdG%ei}lQkM+z@-4etFPR>GOH9+Y_F<3=~SXln9Kb-o~f>2a6Xz@AS3cn^;c_>lUwlK(n>z?A>NbC z`Ud8^aQy>wy=$)w;JZzA)_*Y$Z5hU=KAG&htLw1Uh00yE!|Nu{EZkch zY9O6x7Y??>!7pUNME*d!=R#s)ghr|R#41l!c?~=3CS8&zr6*aA7n9*)*PWBV2w+&I zpW1-9fr3j{VTcls1>ua}F*bbju_Xq%^v;-W~paSqlf zolj*dt`BBjHI)H9{zrkBo=B%>8}4jeBO~kWqO!~Thi!I1H(in=n^fS%nuL=X2+s!p}HfTU#NBGiwEBF^^tKU zbhhv+0dE-sbK$>J#t-J!B$TMgN@Wh5wTtK2BG}4BGfsZOoRUS#G8Cxv|6EI*n&Xxq zt{&OxCC+BNqz$9b0WM7_PyBJEVObHFh%%`~!@MNZlo*oXDCwDcFwT~Rls!aApL<)^ zbBftGKKBRhB!{?fX@l2_y~%ygNFfF(XJzHh#?`WlSL{1lKT*gJM zs>bd^H9NCxqxn(IOky5k-wALFowQr(gw%|`0991u#9jXQh?4l|l>pd6a&rx|v=fPJ z1mutj{YzpJ_gsClbWFk(G}bSlFi-6@mwoQh-XeD*j@~huW4(8ub%^I|azA)h2t#yG z7e_V_<4jlM3D(I+qX}yEtqj)cpzN*oCdYHa!nm%0t^wHm)EmFP*|FMw!tb@&`G-u~ zK)=Sf6z+BiTAI}}i{*_Ac$ffr*Wrv$F7_0gJkjx;@)XjYSh`RjAgrCck`x!zP>Ifu z&%he4P|S)H*(9oB4uvH67^0}I-_ye_!w)u3v2+EY>eD3#8QR24<;7?*hj8k~rS)~7 zSXs5ww)T(0eHSp$hEIBnW|Iun<_i`}VE0Nc$|-R}wlSIs5pV{g_Dar(Zz<4X3`W?K 
z6&CAIl4U(Qk-tTcK{|zYF6QG5ArrEB!;5s?tW7 zrE3hcFY&k)+)e{+YOJ0X2uDE_hd2{|m_dC}kgEKqiE9Q^A-+>2UonB+L@v3$9?AYw zVQv?X*pK;X4Ovc6Ev5Gbg{{Eu*7{N3#0@9oMI~}KnObQE#Y{&3mM4`w%wN+xrKYgD zB-ay0Q}m{QI;iY`s1Z^NqIkjrTlf`B)B#MajZ#9u41oRBC1oM1vq0i|F59> z#StM@bHt|#`2)cpl_rWB($DNJ3Lap}QM-+A$3pe}NyP(@+i1>o^fe-oxX#Bt`mcQc zb?pD4W%#ep|3%CHAYnr*^M6Czg>~L4?l16H1OozM{P*en298b+`i4$|w$|4AHbzqB zHpYUsHZET$Z0ztC;U+0*+amF!@PI%^oUIZy{`L{%O^i{Xk}X0&nl)n~tVEpcAJSJ} zverw15zP1P-O8h9nd!&hj$zuwjg?DoxYIw{jWM zW5_pj+wFy8Tsa9g<7Qa21WaV&;ejoYflRKcz?#fSH_)@*QVlN2l4(QNk| z4aPnv&mrS&0|6NHq05XQw$J^RR9T{3SOcMKCXIR1iSf+xJ0E_Wv?jEc*I#ZPzyJN2 zUG0UOXHl+PikM*&g$U@g+KbG-RY>uaIl&DEtw_Q=FYq?etc!;hEC_}UX{eyh%dw2V zTTSlap&5>PY{6I#(6`j-9`D&I#|YPP8a;(sOzgeKDWsLa!i-$frD>zr-oid!Hf&yS z!i^cr&7tN}OOGmX2)`8k?Tn!!4=tz~3hCTq_9CdiV!NIblUDxHh(FJ$zs)B2(t5@u z-`^RA1ShrLCkg0)OhfoM;4Z{&oZmAec$qV@ zGQ(7(!CBk<5;Ar%DLJ0p0!ResC#U<+3i<|vib1?{5gCebG7$F7URKZXuX-2WgF>YJ^i zMhHDBsh9PDU8dlZ$yJKtc6JA#y!y$57%sE>4Nt+wF1lfNIWyA`=hF=9Gj%sRwi@vd z%2eVV3y&dvAgyuJ=eNJR+*080dbO_t@BFJO<@&#yqTK&+xc|FRR;p;KVk@J3$S{p` zGaMj6isho#%m)?pOG^G0mzOAw0z?!AEMsv=0T>WWcE>??WS=fII$t$(^PDPMU(P>o z_*0s^W#|x)%tx8jIgZY~A2yG;US0m2ZOQt6yJqW@XNY_>_R7(Nxb8Ged6BdYW6{prd!|zuX$@Q2o6Ona8zzYC1u!+2!Y$Jc9a;wy+pXt}o6~Bu1oF1c zp7Y|SBTNi@=I(K%A60PMjM#sfH$y*c{xUgeSpi#HB`?|`!Tb&-qJ3;vxS!TIzuTZs-&%#bAkAyw9m4PJgvey zM5?up*b}eDEY+#@tKec)-c(#QF0P?MRlD1+7%Yk*jW;)`f;0a-ZJ6CQA?E%>i2Dt7T9?s|9ZF|KP4;CNWvaVKZ+Qeut;Jith_y{v*Ny6Co6!8MZx;Wgo z=qAi%&S;8J{iyD&>3CLCQdTX*$+Rx1AwA*D_J^0>suTgBMBb=*hefV+Ars#mmr+YsI3#!F@Xc1t4F-gB@6aoyT+5O(qMz*zG<9Qq*f0w^V!03rpr*-WLH}; zfM{xSPJeu6D(%8HU%0GEa%waFHE$G?FH^kMS-&I3)ycx|iv{T6Wx}9$$D&6{%1N_8 z_CLw)_9+O4&u94##vI9b-HHm_95m)fa??q07`DniVjAy`t7;)4NpeyAY(aAk(+T_O z1om+b5K2g_B&b2DCTK<>SE$Ode1DopAi)xaJjU>**AJK3hZrnhEQ9E`2=|HHe<^tv z63e(bn#fMWuz>4erc47}!J>U58%<&N<6AOAewyzNTqi7hJc|X{782&cM zHZYclNbBwU6673=!ClmxMfkC$(CykGR@10F!zN1Se83LR&a~$Ht&>~43OX22mt7tcZUpa;9@q}KDX3O&Ugp6< zLZLfIMO5;pTee1vNyVC$FGxzK2f>0Z-6hM82zKg44nWo|n}$Zk6&;5ry3`(JFEX$q 
zK&KivAe${e^5ZGc3a9hOt|!UOE&OocpVryE$Y4sPcs4rJ>>Kbi2_subQ9($2VN(3o zb~tEzMsHaBmBtaHAyES+d3A(qURgiskSSwUc9CfJ@99&MKp2sooSYZu+-0t0+L*!I zYagjOlPgx|lep9tiU%ts&McF6b0VE57%E0Ho%2oi?=Ks+5%aj#au^OBwNwhec zta6QAeQI^V!dF1C)>RHAmB`HnxyqWx?td@4sd15zPd*Fc9hpDXP23kbBenBxGeD$k z;%0VBQEJ-C)&dTAw_yW@k0u?IUk*NrkJ)(XEeI z9Y>6Vel>#s_v@=@0<{4A{pl=9cQ&Iah0iD0H`q)7NeCIRz8zx;! z^OO;1+IqoQNak&pV`qKW+K0^Hqp!~gSohcyS)?^P`JNZXw@gc6{A3OLZ?@1Uc^I2v z+X!^R*HCm3{7JPq{8*Tn>5;B|X7n4QQ0Bs79uTU%nbqOJh`nX(BVj!#f;#J+WZxx4 z_yM&1Y`2XzhfqkIMO7tB3raJKQS+H5F%o83bM+hxbQ zeeJm=Dvix$2j|b4?mDacb67v-1^lTp${z=jc1=j~QD>7c*@+1?py>%Kj%Ejp7Y-!? z8iYRUlGVrQPandAaxFfks53@2EC#0)%mrnmGRn&>=$H$S8q|kE_iWko4`^vCS2aWg z#!`RHUGyOt*k?bBYu3*j3u0gB#v(3tsije zgIuNNWNtrOkx@Pzs;A9un+2LX!zw+p3_NX^Sh09HZAf>m8l@O*rXy_82aWT$Q>iyy zqO7Of)D=wcSn!0+467&!Hl))eff=$aneB?R!YykdKW@k^_uR!+Q1tR)+IJb`-6=jj zymzA>Sv4>Z&g&WWu#|~GcP7qP&m*w-S$)7Xr;(duqCTe7p8H3k5>Y-n8438+%^9~K z3r^LIT_K{i7DgEJjIocw_6d0!<;wKT`X;&vv+&msmhAAnIe!OTdybPctzcEzBy88_ zWO{6i4YT%e4^WQZB)KHCvA(0tS zHu_Bg+6Ko%a9~$EjRB90`P(2~6uI@SFibxct{H#o&y40MdiXblu@VFXbhz>Nko;7R z70Ntmm-FePqhb%9gL+7U8@(ch|JfH5Fm)5${8|`Lef>LttM_iww6LW2X61ldBmG0z zax3y)njFe>j*T{i0s8D4=L>X^j0)({R5lMGVS#7(2C9@AxL&C-lZQx~czI7Iv+{%1 z2hEG>RzX4S8x3v#9sgGAnPzptM)g&LB}@%E>fy0vGSa(&q0ch|=ncKjNrK z`jA~jObJhrJ^ri|-)J^HUyeZXz~XkBp$VhcTEcTdc#a2EUOGVX?@mYx#Vy*!qO$Jv zQ4rgOJ~M*o-_Wptam=~krnmG*p^j!JAqoQ%+YsDFW7Cc9M%YPiBOrVcD^RY>m9Pd< zu}#9M?K{+;UIO!D9qOpq9yxUquQRmQNMo0pT`@$pVt=rMvyX)ph(-CCJLvUJy71DI zBk7oc7)-%ngdj~s@76Yse3L^gV0 z2==qfp&Q~L(+%RHP0n}+xH#k(hPRx(!AdBM$JCfJ5*C=K3ts>P?@@SZ_+{U2qFZb>4kZ{Go37{# zSQc+-dq*a-Vy4?taS&{Ht|MLRiS)Sn14JOONyXqPNnpq&2y~)6wEG0oNy>qvod$FF z`9o&?&6uZjhZ4_*5qWVrEfu(>_n2Xi2{@Gz9MZ8!YmjYvIMasE9yVQL10NBrTCczq zcTY1q^PF2l!Eraguf{+PtHV3=2A?Cu&NN&a8V(y;q(^_mFc6)%Yfn&X&~Pq zU1?qCj^LF(EQB1F`8NxNjyV%fde}dEa(Hx=r7$~ts2dzDwyi6ByBAIx$NllB4%K=O z$AHz1<2bTUb>(MCVPpK(E9wlLElo(aSd(Os)^Raum`d(g9Vd_+Bf&V;l=@mM=cC>) z)9b0enb)u_7V!!E_bl>u5nf&Rl|2r=2F3rHMdb7y9E}}F82^$Rf+P8%dKnOeKh1vs 
zhH^P*4Ydr^$)$h@4KVzxrHyy#cKmWEa9P5DJ|- zG;!Qi35Tp7XNj60=$!S6U#!(${6hyh7d4q=pF{`0t|N^|L^d8pD{O9@tF~W;#Je*P z&ah%W!KOIN;SyAEhAeTafJ4uEL`(RtnovM+cb(O#>xQnk?dzAjG^~4$dFn^<@-Na3 z395;wBnS{t*H;Jef2eE!2}u5Ns{AHj>WYZDgQJt8v%x?9{MXqJsGP|l%OiZqQ1aB! z%E=*Ig`(!tHh>}4_z5IMpg{49UvD*Pp9!pxt_gdAW%sIf3k6CTycOT1McPl=_#0?8 zVjz8Hj*Vy9c5-krd-{BQ{6Xy|P$6LJvMuX$* zA+@I_66_ET5l2&gk9n4$1M3LN8(yEViRx&mtd#LD}AqEs?RW=xKC(OCWH;~>(X6h!uDxXIPH06xh z*`F4cVlbDP`A)-fzf>MuScYsmq&1LUMGaQ3bRm6i7OsJ|%uhTDT zlvZA1M}nz*SalJWNT|`dBm1$xlaA>CCiQ zK`xD-RuEn>-`Z?M{1%@wewf#8?F|(@1e0+T4>nmlSRrNK5f)BJ2H*$q(H>zGD0>eL zQ!tl_Wk)k*e6v^m*{~A;@6+JGeWU-q9>?+L_#UNT%G?4&BnOgvm9@o7l?ov~XL+et zbGT)|G7)KAeqb=wHSPk+J1bdg7N3$vp(ekjI1D9V$G5Cj!=R2w=3*4!z*J-r-cyeb zd(i2KmX!|Lhey!snRw z?#$Gu%S^SQEKt&kep)up#j&9}e+3=JJBS(s>MH+|=R(`8xK{mmndWo_r`-w1#SeRD&YtAJ#GiVI*TkQZ}&aq<+bU2+coU3!jCI6E+Ad_xFW*ghnZ$q zAoF*i&3n1j#?B8x;kjSJD${1jdRB;)R*)Ao!9bd|C7{;iqDo|T&>KSh6*hCD!rwv= zyK#F@2+cv3=|S1Kef(E6Niv8kyLVLX&e=U;{0x{$tDfShqkjUME>f8d(5nzSkY6@! z^-0>DM)wa&%m#UF1F?zR`8Y3X#tA!*7Q$P3lZJ%*KNlrk_uaPkxw~ zxZ1qlE;Zo;nb@!SMazSjM>;34ROOoygo%SF);LL>rRonWwR>bmSd1XD^~sGSu$Gg# zFZ`|yKU0%!v07dz^v(tY%;So(e`o{ZYTX`hm;@b0%8|H>VW`*cr8R%3n|ehw2`(9B+V72`>SY}9^8oh$En80mZK9T4abVG*to;E z1_S6bgDOW?!Oy1LwYy=w3q~KKdbNtyH#d24PFjX)KYMY93{3-mPP-H>@M-_>N~DDu zENh~reh?JBAK=TFN-SfDfT^=+{w4ea2KNWXq2Y<;?(gf(FgVp8Zp-oEjKzB%2Iqj;48GmY3h=bcdYJ}~&4tS`Q1sb=^emaW$IC$|R+r-8V- zf0$gGE(CS_n4s>oicVk)MfvVg#I>iDvf~Ov8bk}sSxluG!6#^Z_zhB&U^`eIi1@j( z^CK$z^stBHtaDDHxn+R;3u+>Lil^}fj?7eaGB z&5nl^STqcaBxI@v>%zG|j))G(rVa4aY=B@^2{TFkW~YP!8!9TG#(-nOf^^X-%m9{Z zCC?iC`G-^RcBSCuk=Z`(FaUUe?hf3{0C>>$?Vs z`2Uud9M+T&KB6o4o9kvdi^Q=Bw!asPdxbe#W-Oaa#_NP(qpyF@bVxv5D5))srkU#m zj_KA+#7sqDn*Ipf!F5Byco4HOSd!Ui$l94|IbW%Ny(s1>f4|Mv^#NfB31N~kya9!k zWCGL-$0ZQztBate^fd>R!hXY_N9ZjYp3V~4_V z#eB)Kjr8yW=+oG)BuNdZG?jaZlw+l_ma8aET(s+-x+=F-t#Qoiuu1i`^x8Sj>b^U} zs^z<()YMFP7CmjUC@M=&lA5W7t&cxTlzJAts*%PBDAPuqcV5o7HEnqjif_7xGt)F% zGx2b4w{@!tE)$p=l3&?Bf#`+!-RLOleeRk3 
z7#pF|w@6_sBmn1nECqdunmG^}pr5(ZJQVvAt$6p3H(16~;vO>?sTE`Y+mq5YP&PBo zvq!7#W$Gewy`;%6o^!Dtjz~x)T}Bdk*BS#=EY=ODD&B=V6TD2z^hj1m5^d6s)D*wk zu$z~D7QuZ2b?5`p)E8e2_L38v3WE{V`bVk;6fl#o2`) z99JsWhh?$oVRn@$S#)uK&8DL8>An0&S<%V8hnGD7Z^;Y(%6;^9!7kDQ5bjR_V+~wp zfx4m3z6CWmmZ<8gDGUyg3>t8wgJ5NkkiEm^(sedCicP^&3D%}6LtIUq>mXCAt{9eF zNXL$kGcoUTf_Lhm`t;hD-SE)m=iBnxRU(NyL}f6~1uH)`K!hmYZjLI%H}AmEF5RZt z06$wn63GHnApHXZZJ}s^s)j9(BM6e*7IBK6Bq(!)d~zR#rbxK9NVIlgquoMq z=eGZ9NR!SEqP6=9UQg#@!rtbbSBUM#ynF);zKX+|!Zm}*{H z+j=d?aZ2!?@EL7C~%B?6ouCKLnO$uWn;Y6Xz zX8dSwj732u(o*U3F$F=7xwxm>E-B+SVZH;O-4XPuPkLSt_?S0)lb7EEg)Mglk0#eS z9@jl(OnH4juMxY+*r03VDfPx_IM!Lmc(5hOI;`?d37f>jPP$?9jQQIQU@i4vuG6MagEoJrQ=RD7xt@8E;c zeGV*+Pt+t$@pt!|McETOE$9k=_C!70uhwRS9X#b%ZK z%q(TIUXSS^F0`4Cx?Rk07C6wI4!UVPeI~-fxY6`YH$kABdOuiRtl73MqG|~AzZ@iL&^s?24iS;RK_pdlWkhcF z@Wv-Om(Aealfg)D^adlXh9Nvf~Uf@y;g3Y)i(YP zEXDnb1V}1pJT5ZWyw=1i+0fni9yINurD=EqH^ciOwLUGi)C%Da)tyt=zq2P7pV5-G zR7!oq28-Fgn5pW|nlu^b!S1Z#r7!Wtr{5J5PQ>pd+2P7RSD?>(U7-|Y z7ZQ5lhYIl_IF<9?T9^IPK<(Hp;l5bl5tF9>X-zG14_7PfsA>6<$~A338iYRT{a@r_ zuXBaT=`T5x3=s&3=RYx6NgG>No4?5KFBVjE(swfcivcIpPQFx5l+O;fiGsOrl5teR z_Cm+;PW}O0Dwe_(4Z@XZ)O0W-v2X><&L*<~*q3dg;bQW3g7)a#3KiQP>+qj|qo*Hk z?57>f2?f@`=Fj^nkDKeRkN2d$Z@2eNKpHo}ksj-$`QKb6n?*$^*%Fb3_Kbf1(*W9K>{L$mud2WHJ=j0^=g30Xhg8$#g^?36`p1fm;;1@0Lrx+8t`?vN0ZorM zSW?rhjCE8$C|@p^sXdx z|NOHHg+fL;HIlqyLp~SSdIF`TnSHehNCU9t89yr@)FY<~hu+X`tjg(aSVae$wDG*C zq$nY(Y494R)hD!i1|IIyP*&PD_c2FPgeY)&mX1qujB1VHPG9`yFQpLFVQ0>EKS@Bp zAfP5`C(sWGLI?AC{XEjLKR4FVNw(4+9b?kba95ukgR1H?w<8F7)G+6&(zUhIE5Ef% z=fFkL3QKA~M@h{nzjRq!Y_t!%U66#L8!(2-GgFxkD1=JRRqk=n%G(yHKn%^&$dW>; zSjAcjETMz1%205se$iH_)ZCpfg_LwvnsZQAUCS#^FExp8O4CrJb6>JquNV@qPq~3A zZ<6dOU#6|8+fcgiA#~MDmcpIEaUO02L5#T$HV0$EMD94HT_eXLZ2Zi&(! 
z&5E>%&|FZ`)CN10tM%tLSPD*~r#--K(H-CZqIOb99_;m|D5wdgJ<1iOJz@h2Zkq?} z%8_KXb&hf=2Wza(Wgc;3v3TN*;HTU*q2?#z&tLn_U0Nt!y>Oo>+2T)He6%XuP;fgn z-G!#h$Y2`9>Jtf}hbVrm6D70|ERzLAU>3zoWhJmjWfgM^))T+2u$~5>HF9jQDkrXR z=IzX36)V75PrFjkQ%TO+iqKGCQ-DDXbaE;C#}!-CoWQx&v*vHfyI>$HNRbpvm<`O( zlx9NBWD6_e&J%Ous4yp~s6)Ghni!I6)0W;9(9$y1wWu`$gs<$9Mcf$L*piP zPR0Av*2%ul`W;?-1_-5Zy0~}?`e@Y5A&0H!^ApyVTT}BiOm4GeFo$_oPlDEyeGBbh z1h3q&Dx~GmUS|3@4V36&$2uO8!Yp&^pD7J5&TN{?xphf*-js1fP?B|`>p_K>lh{ij zP(?H%e}AIP?_i^f&Li=FDSQ`2_NWxL+BB=nQr=$ zHojMlXNGauvvwPU>ZLq!`bX-5F4jBJ&So{kE5+ms9UEYD{66!|k~3vsP+mE}x!>%P za98bAU0!h0&ka4EoiDvBM#CP#dRNdXJcb*(%=<(g+M@<)DZ!@v1V>;54En?igcHR2 zhubQMq}VSOK)onqHfczM7YA@s=9*ow;k;8)&?J3@0JiGcP! zP#00KZ1t)GyZeRJ=f0^gc+58lc4Qh*S7RqPIC6GugG1gXe$LIQMRCo8cHf^qXgAa2 z`}t>u2Cq1CbSEpLr~E=c7~=Qkc9-vLE%(v9N*&HF`(d~(0`iukl5aQ9u4rUvc8%m) zr2GwZN4!s;{SB87lJB;veebPmqE}tSpT>+`t?<457Q9iV$th%i__Z1kOMAswFldD6 ztbOvO337S5o#ZZgN2G99_AVqPv!?Gmt3pzgD+Hp3QPQ`9qJ(g=kjvD+fUSS3upJn! zqoG7acIKEFRX~S}3|{EWT$kdz#zrDlJU(rPkxjws_iyLKU8+v|*oS_W*-guAb&Pj1 z35Z`3z<&Jb@2Mwz=KXucNYdY#SNO$tcVFr9KdKm|%^e-TXzs6M`PBper%ajkrIyUe zp$vVxVs9*>Vp4_1NC~Zg)WOCPmOxI1V34QlG4!aSFOH{QqSVq1^1)- z0P!Z?tT&E-ll(pwf0?=F=yOzik=@nh1Clxr9}Vij89z)ePDSCYAqw?lVI?v?+&*zH z)p$CScFI8rrwId~`}9YWPFu0cW1Sf@vRELs&cbntRU6QfPK-SO*mqu|u~}8AJ!Q$z znzu}50O=YbjwKCuSVBs6&CZR#0FTu)3{}qJJYX(>QPr4$RqWiwX3NT~;>cLn*_&1H zaKpIW)JVJ>b{uo2oq>oQt3y=zJjb%fU@wLqM{SyaC6x2snMx-}ivfU<1- znu1Lh;i$3Tf$Kh5Uk))G!D1UhE8pvx&nO~w^fG)BC&L!_hQk%^p`Kp@F{cz>80W&T ziOK=Sq3fdRu*V0=S53rcIfWFazI}Twj63CG(jOB;$*b`*#B9uEnBM`hDk*EwSRdwP8?5T?xGUKs=5N83XsR*)a4|ijz|c{4tIU+4j^A5C<#5 z*$c_d=5ml~%pGxw#?*q9N7aRwPux5EyqHVkdJO=5J>84!X6P>DS8PTTz>7C#FO?k#edkntG+fJk8ZMn?pmJSO@`x-QHq;7^h6GEXLXo1TCNhH z8ZDH{*NLAjo3WM`xeb=X{((uv3H(8&r8fJJg_uSs_%hOH%JDD?hu*2NvWGYD+j)&` zz#_1%O1wF^o5ryt?O0n;`lHbzp0wQ?rcbW(F1+h7_EZZ9{>rePvLAPVZ_R|n@;b$;UchU=0j<6k8G9QuQf@76oiE*4 zXOLQ&n3$NR#p4<5NJMVC*S);5x2)eRbaAM%VxWu9ohlT;pGEk7;002enCbQ>2r-us z3#bpXP9g|mE`65VrN`+3mC)M(eMj~~eOf)do<@l+fMiTR)XO}422*1SL{wyY(%oMpBgJagtiDf 
zz>O6(m;};>Hi=t8o{DVC@YigqS(Qh+ix3Rwa9aliH}a}IlOCW1@?%h_bRbq-W{KHF z%Vo?-j@{Xi@=~Lz5uZP27==UGE15|g^0gzD|3x)SCEXrx`*MP^FDLl%pOi~~Il;dc z^hrwp9sYeT7iZ)-ajKy@{a`kr0-5*_!XfBpXwEcFGJ;%kV$0Nx;apKrur zJN2J~CAv{Zjj%FolyurtW8RaFmpn&zKJWL>(0;;+q(%(Hx!GMW4AcfP0YJ*Vz!F4g z!ZhMyj$BdXL@MlF%KeInmPCt~9&A!;cRw)W!Hi@0DY(GD_f?jeV{=s=cJ6e}JktJw zQORnxxj3mBxfrH=x{`_^Z1ddDh}L#V7i}$njUFRVwOX?qOTKjfPMBO4y(WiU<)epb zvB9L=%jW#*SL|Nd_G?E*_h1^M-$PG6Pc_&QqF0O-FIOpa4)PAEPsyvB)GKasmBoEt z?_Q2~QCYGH+hW31x-B=@5_AN870vY#KB~3a*&{I=f);3Kv7q4Q7s)0)gVYx2#Iz9g(F2;=+Iy4 z6KI^8GJ6D@%tpS^8boU}zpi=+(5GfIR)35PzrbuXeL1Y1N%JK7PG|^2k3qIqHfX;G zQ}~JZ-UWx|60P5?d1e;AHx!_;#PG%d=^X(AR%i`l0jSpYOpXoKFW~7ip7|xvN;2^? zsYC9fanpO7rO=V7+KXqVc;Q5z%Bj})xHVrgoR04sA2 zl~DAwv=!(()DvH*=lyhIlU^hBkA0$e*7&fJpB0|oB7)rqGK#5##2T`@_I^|O2x4GO z;xh6ROcV<9>?e0)MI(y++$-ksV;G;Xe`lh76T#Htuia+(UrIXrf9?

L(tZ$0BqX1>24?V$S+&kLZ`AodQ4_)P#Q3*4xg8}lMV-FLwC*cN$< zt65Rf%7z41u^i=P*qO8>JqXPrinQFapR7qHAtp~&RZ85$>ob|Js;GS^y;S{XnGiBc zGa4IGvDl?x%gY`vNhv8wgZnP#UYI-w*^4YCZnxkF85@ldepk$&$#3EAhrJY0U)lR{F6sM3SONV^+$;Zx8BD&Eku3K zKNLZyBni3)pGzU0;n(X@1fX8wYGKYMpLmCu{N5-}epPDxClPFK#A@02WM3!myN%bkF z|GJ4GZ}3sL{3{qXemy+#Uk{4>Kf8v11;f8I&c76+B&AQ8udd<8gU7+BeWC`akUU~U zgXoxie>MS@rBoyY8O8Tc&8id!w+_ooxcr!1?#rc$-|SBBtH6S?)1e#P#S?jFZ8u-Bs&k`yLqW|{j+%c#A4AQ>+tj$Y z^CZajspu$F%73E68Lw5q7IVREED9r1Ijsg#@DzH>wKseye>hjsk^{n0g?3+gs@7`i zHx+-!sjLx^fS;fY!ERBU+Q zVJ!e0hJH%P)z!y%1^ZyG0>PN@5W~SV%f>}c?$H8r;Sy-ui>aruVTY=bHe}$e zi&Q4&XK!qT7-XjCrDaufT@>ieQ&4G(SShUob0Q>Gznep9fR783jGuUynAqc6$pYX; z7*O@@JW>O6lKIk0G00xsm|=*UVTQBB`u1f=6wGAj%nHK_;Aqmfa!eAykDmi-@u%6~ z;*c!pS1@V8r@IX9j&rW&d*}wpNs96O2Ute>%yt{yv>k!6zfT6pru{F1M3P z2WN1JDYqoTB#(`kE{H676QOoX`cnqHl1Yaru)>8Ky~VU{)r#{&s86Vz5X)v15ULHA zAZDb{99+s~qI6;-dQ5DBjHJP@GYTwn;Dv&9kE<0R!d z8tf1oq$kO`_sV(NHOSbMwr=To4r^X$`sBW4$gWUov|WY?xccQJN}1DOL|GEaD_!@& z15p?Pj+>7d`@LvNIu9*^hPN)pwcv|akvYYq)ks%`G>!+!pW{-iXPZsRp8 z35LR;DhseQKWYSD`%gO&k$Dj6_6q#vjWA}rZcWtQr=Xn*)kJ9kacA=esi*I<)1>w^ zO_+E>QvjP)qiSZg9M|GNeLtO2D7xT6vsj`88sd!94j^AqxFLi}@w9!Y*?nwWARE0P znuI_7A-saQ+%?MFA$gttMV-NAR^#tjl_e{R$N8t2NbOlX373>e7Ox=l=;y#;M7asp zRCz*CLnrm$esvSb5{T<$6CjY zmZ(i{Rs_<#pWW>(HPaaYj`%YqBra=Ey3R21O7vUbzOkJJO?V`4-D*u4$Me0Bx$K(lYo`JO}gnC zx`V}a7m-hLU9Xvb@K2ymioF)vj12<*^oAqRuG_4u%(ah?+go%$kOpfb`T96P+L$4> zQ#S+sA%VbH&mD1k5Ak7^^dZoC>`1L%i>ZXmooA!%GI)b+$D&ziKrb)a=-ds9xk#~& z7)3iem6I|r5+ZrTRe_W861x8JpD`DDIYZNm{$baw+$)X^Jtjnl0xlBgdnNY}x%5za zkQ8E6T<^$sKBPtL4(1zi_Rd(tVth*3Xs!ulflX+70?gb&jRTnI8l+*Aj9{|d%qLZ+ z>~V9Z;)`8-lds*Zgs~z1?Fg?Po7|FDl(Ce<*c^2=lFQ~ahwh6rqSjtM5+$GT>3WZW zj;u~w9xwAhOc<kF}~`CJ68 z?(S5vNJa;kriPlim33{N5`C{9?NWhzsna_~^|K2k4xz1`xcui*LXL-1#Y}Hi9`Oo!zQ>x-kgAX4LrPz63uZ+?uG*84@PKq-KgQlMNRwz=6Yes) zY}>YN+qP}nwr$(CZQFjUOI=-6J$2^XGvC~EZ+vrqWaOXB$k?%Suf5k=4>AveC1aJ! 
ziaW4IS%F$_Babi)kA8Y&u4F7E%99OPtm=vzw$$ zEz#9rvn`Iot_z-r3MtV>k)YvErZ<^Oa${`2>MYYODSr6?QZu+be-~MBjwPGdMvGd!b!elsdi4% z`37W*8+OGulab8YM?`KjJ8e+jM(tqLKSS@=jimq3)Ea2EB%88L8CaM+aG7;27b?5` z4zuUWBr)f)k2o&xg{iZ$IQkJ+SK>lpq4GEacu~eOW4yNFLU!Kgc{w4&D$4ecm0f}~ zTTzquRW@`f0}|IILl`!1P+;69g^upiPA6F{)U8)muWHzexRenBU$E^9X-uIY2%&1w z_=#5*(nmxJ9zF%styBwivi)?#KMG96-H@hD-H_&EZiRNsfk7mjBq{L%!E;Sqn!mVX*}kXhwH6eh;b42eD!*~upVG@ z#smUqz$ICm!Y8wY53gJeS|Iuard0=;k5i5Z_hSIs6tr)R4n*r*rE`>38Pw&lkv{_r!jNN=;#?WbMj|l>cU(9trCq; z%nN~r^y7!kH^GPOf3R}?dDhO=v^3BeP5hF|%4GNQYBSwz;x({21i4OQY->1G=KFyu z&6d`f2tT9Yl_Z8YACZaJ#v#-(gcyeqXMhYGXb=t>)M@fFa8tHp2x;ODX=Ap@a5I=U z0G80^$N0G4=U(>W%mrrThl0DjyQ-_I>+1Tdd_AuB3qpYAqY54upwa3}owa|x5iQ^1 zEf|iTZxKNGRpI>34EwkIQ2zHDEZ=(J@lRaOH>F|2Z%V_t56Km$PUYu^xA5#5Uj4I4RGqHD56xT%H{+P8Ag>e_3pN$4m8n>i%OyJFPNWaEnJ4McUZPa1QmOh?t8~n& z&RulPCors8wUaqMHECG=IhB(-tU2XvHP6#NrLVyKG%Ee*mQ5Ps%wW?mcnriTVRc4J`2YVM>$ixSF2Xi+Wn(RUZnV?mJ?GRdw%lhZ+t&3s7g!~g{%m&i<6 z5{ib-<==DYG93I(yhyv4jp*y3#*WNuDUf6`vTM%c&hiayf(%=x@4$kJ!W4MtYcE#1 zHM?3xw63;L%x3drtd?jot!8u3qeqctceX3m;tWetK+>~q7Be$h>n6riK(5@ujLgRS zvOym)k+VAtyV^mF)$29Y`nw&ijdg~jYpkx%*^ z8dz`C*g=I?;clyi5|!27e2AuSa$&%UyR(J3W!A=ZgHF9OuKA34I-1U~pyD!KuRkjA zbkN!?MfQOeN>DUPBxoy5IX}@vw`EEB->q!)8fRl_mqUVuRu|C@KD-;yl=yKc=ZT0% zB$fMwcC|HE*0f8+PVlWHi>M`zfsA(NQFET?LrM^pPcw`cK+Mo0%8*x8@65=CS_^$cG{GZQ#xv($7J z??R$P)nPLodI;P!IC3eEYEHh7TV@opr#*)6A-;EU2XuogHvC;;k1aI8asq7ovoP!* z?x%UoPrZjj<&&aWpsbr>J$Er-7!E(BmOyEv!-mbGQGeJm-U2J>74>o5x`1l;)+P&~ z>}f^=Rx(ZQ2bm+YE0u=ZYrAV@apyt=v1wb?R@`i_g64YyAwcOUl=C!i>=Lzb$`tjv zOO-P#A+)t-JbbotGMT}arNhJmmGl-lyUpMn=2UacVZxmiG!s!6H39@~&uVokS zG=5qWhfW-WOI9g4!R$n7!|ViL!|v3G?GN6HR0Pt_L5*>D#FEj5wM1DScz4Jv@Sxnl zB@MPPmdI{(2D?;*wd>3#tjAirmUnQoZrVv`xM3hARuJksF(Q)wd4P$88fGYOT1p6U z`AHSN!`St}}UMBT9o7i|G`r$ zrB=s$qV3d6$W9@?L!pl0lf%)xs%1ko^=QY$ty-57=55PvP(^6E7cc zGJ*>m2=;fOj?F~yBf@K@9qwX0hA803Xw+b0m}+#a(>RyR8}*Y<4b+kpp|OS+!whP( zH`v{%s>jsQI9rd$*vm)EkwOm#W_-rLTHcZRek)>AtF+~<(did)*oR1|&~1|e36d-d 
zgtm5cv1O0oqgWC%Et@P4Vhm}Ndl(Y#C^MD03g#PH-TFy+7!Osv1z^UWS9@%JhswEq~6kSr2DITo59+; ze=ZC}i2Q?CJ~Iyu?vn|=9iKV>4j8KbxhE4&!@SQ^dVa-gK@YfS9xT(0kpW*EDjYUkoj! zE49{7H&E}k%5(>sM4uGY)Q*&3>{aitqdNnRJkbOmD5Mp5rv-hxzOn80QsG=HJ_atI-EaP69cacR)Uvh{G5dTpYG7d zbtmRMq@Sexey)||UpnZ?;g_KMZq4IDCy5}@u!5&B^-=6yyY{}e4Hh3ee!ZWtL*s?G zxG(A!<9o!CL+q?u_utltPMk+hn?N2@?}xU0KlYg?Jco{Yf@|mSGC<(Zj^yHCvhmyx z?OxOYoxbptDK()tsJ42VzXdINAMWL$0Gcw?G(g8TMB)Khw_|v9`_ql#pRd2i*?CZl z7k1b!jQB=9-V@h%;Cnl7EKi;Y^&NhU0mWEcj8B|3L30Ku#-9389Q+(Yet0r$F=+3p z6AKOMAIi|OHyzlHZtOm73}|ntKtFaXF2Fy|M!gOh^L4^62kGUoWS1i{9gsds_GWBc zLw|TaLP64z3z9?=R2|T6Xh2W4_F*$cq>MtXMOy&=IPIJ`;!Tw?PqvI2b*U1)25^<2 zU_ZPoxg_V0tngA0J+mm?3;OYw{i2Zb4x}NedZug!>EoN3DC{1i)Z{Z4m*(y{ov2%- zk(w>+scOO}MN!exSc`TN)!B=NUX`zThWO~M*ohqq;J2hx9h9}|s#?@eR!=F{QTrq~ zTcY|>azkCe$|Q0XFUdpFT=lTcyW##i;-e{}ORB4D?t@SfqGo_cS z->?^rh$<&n9DL!CF+h?LMZRi)qju!meugvxX*&jfD!^1XB3?E?HnwHP8$;uX{Rvp# zh|)hM>XDv$ZGg=$1{+_bA~u-vXqlw6NH=nkpyWE0u}LQjF-3NhATL@9rRxMnpO%f7 z)EhZf{PF|mKIMFxnC?*78(}{Y)}iztV12}_OXffJ;ta!fcFIVjdchyHxH=t%ci`Xd zX2AUB?%?poD6Zv*&BA!6c5S#|xn~DK01#XvjT!w!;&`lDXSJT4_j$}!qSPrb37vc{ z9^NfC%QvPu@vlxaZ;mIbn-VHA6miwi8qJ~V;pTZkKqqOii<1Cs}0i?uUIss;hM4dKq^1O35y?Yp=l4i zf{M!@QHH~rJ&X~8uATV><23zZUbs-J^3}$IvV_ANLS08>k`Td7aU_S1sLsfi*C-m1 z-e#S%UGs4E!;CeBT@9}aaI)qR-6NU@kvS#0r`g&UWg?fC7|b^_HyCE!8}nyh^~o@< zpm7PDFs9yxp+byMS(JWm$NeL?DNrMCNE!I^ko-*csB+dsf4GAq{=6sfyf4wb>?v1v zmb`F*bN1KUx-`ra1+TJ37bXNP%`-Fd`vVQFTwWpX@;s(%nDQa#oWhgk#mYlY*!d>( zE&!|ySF!mIyfING+#%RDY3IBH_fW$}6~1%!G`suHub1kP@&DoAd5~7J55;5_noPI6eLf{t;@9Kf<{aO0`1WNKd?<)C-|?C?)3s z>wEq@8=I$Wc~Mt$o;g++5qR+(6wt9GI~pyrDJ%c?gPZe)owvy^J2S=+M^ z&WhIE`g;;J^xQLVeCtf7b%Dg#Z2gq9hp_%g)-%_`y*zb; zn9`f`mUPN-Ts&fFo(aNTsXPA|J!TJ{0hZp0^;MYHLOcD=r_~~^ymS8KLCSeU3;^QzJNqS z5{5rEAv#l(X?bvwxpU;2%pQftF`YFgrD1jt2^~Mt^~G>T*}A$yZc@(k9orlCGv&|1 zWWvVgiJsCAtamuAYT~nzs?TQFt<1LSEx!@e0~@yd6$b5!Zm(FpBl;(Cn>2vF?k zOm#TTjFwd2D-CyA!mqR^?#Uwm{NBemP>(pHmM}9;;8`c&+_o3#E5m)JzfwN?(f-a4 zyd%xZc^oQx3XT?vcCqCX&Qrk~nu;fxs@JUoyVoi5fqpi&bUhQ2y!Ok2pzsFR(M(|U 
zw3E+kH_zmTRQ9dUMZWRE%Zakiwc+lgv7Z%|YO9YxAy`y28`Aw;WU6HXBgU7fl@dnt z-fFBV)}H-gqP!1;V@Je$WcbYre|dRdp{xt!7sL3Eoa%IA`5CAA%;Wq8PktwPdULo! z8!sB}Qt8#jH9Sh}QiUtEPZ6H0b*7qEKGJ%ITZ|vH)5Q^2m<7o3#Z>AKc%z7_u`rXA zqrCy{-{8;9>dfllLu$^M5L z-hXs))h*qz%~ActwkIA(qOVBZl2v4lwbM>9l70Y`+T*elINFqt#>OaVWoja8RMsep z6Or3f=oBnA3vDbn*+HNZP?8LsH2MY)x%c13@(XfuGR}R?Nu<|07{$+Lc3$Uv^I!MQ z>6qWgd-=aG2Y^24g4{Bw9ueOR)(9h`scImD=86dD+MnSN4$6 z^U*o_mE-6Rk~Dp!ANp#5RE9n*LG(Vg`1)g6!(XtDzsov$Dvz|Gv1WU68J$CkshQhS zCrc|cdkW~UK}5NeaWj^F4MSgFM+@fJd{|LLM)}_O<{rj z+?*Lm?owq?IzC%U%9EBga~h-cJbIu=#C}XuWN>OLrc%M@Gu~kFEYUi4EC6l#PR2JS zQUkGKrrS#6H7}2l0F@S11DP`@pih0WRkRJl#F;u{c&ZC{^$Z+_*lB)r)-bPgRFE;* zl)@hK4`tEP=P=il02x7-C7p%l=B`vkYjw?YhdJU9!P!jcmY$OtC^12w?vy3<<=tlY zUwHJ_0lgWN9vf>1%WACBD{UT)1qHQSE2%z|JHvP{#INr13jM}oYv_5#xsnv9`)UAO zuwgyV4YZ;O)eSc3(mka6=aRohi!HH@I#xq7kng?Acdg7S4vDJb6cI5fw?2z%3yR+| zU5v@Hm}vy;${cBp&@D=HQ9j7NcFaOYL zj-wV=eYF{|XTkFNM2uz&T8uH~;)^Zo!=KP)EVyH6s9l1~4m}N%XzPpduPg|h-&lL` zAXspR0YMOKd2yO)eMFFJ4?sQ&!`dF&!|niH*!^*Ml##o0M(0*uK9&yzekFi$+mP9s z>W9d%Jb)PtVi&-Ha!o~Iyh@KRuKpQ@)I~L*d`{O8!kRObjO7=n+Gp36fe!66neh+7 zW*l^0tTKjLLzr`x4`_8&on?mjW-PzheTNox8Hg7Nt@*SbE-%kP2hWYmHu#Fn@Q^J(SsPUz*|EgOoZ6byg3ew88UGdZ>9B2Tq=jF72ZaR=4u%1A6Vm{O#?@dD!(#tmR;eP(Fu z{$0O%=Vmua7=Gjr8nY%>ul?w=FJ76O2js&17W_iq2*tb!i{pt#`qZB#im9Rl>?t?0c zicIC}et_4d+CpVPx)i4~$u6N-QX3H77ez z?ZdvXifFk|*F8~L(W$OWM~r`pSk5}#F?j_5u$Obu9lDWIknO^AGu+Blk7!9Sb;NjS zncZA?qtASdNtzQ>z7N871IsPAk^CC?iIL}+{K|F@BuG2>qQ;_RUYV#>hHO(HUPpk@ z(bn~4|F_jiZi}Sad;_7`#4}EmD<1EiIxa48QjUuR?rC}^HRocq`OQPM@aHVKP9E#q zy%6bmHygCpIddPjE}q_DPC`VH_2m;Eey&ZH)E6xGeStOK7H)#+9y!%-Hm|QF6w#A( zIC0Yw%9j$s-#odxG~C*^MZ?M<+&WJ+@?B_QPUyTg9DJGtQN#NIC&-XddRsf3n^AL6 zT@P|H;PvN;ZpL0iv$bRb7|J{0o!Hq+S>_NrH4@coZtBJu#g8#CbR7|#?6uxi8d+$g z87apN>EciJZ`%Zv2**_uiET9Vk{pny&My;+WfGDw4EVL#B!Wiw&M|A8f1A@ z(yFQS6jfbH{b8Z-S7D2?Ixl`j0{+ZnpT=;KzVMLW{B$`N?Gw^Fl0H6lT61%T2AU**!sX0u?|I(yoy&Xveg7XBL&+>n6jd1##6d>TxE*Vj=8lWiG$4=u{1UbAa5QD>5_ z;Te^42v7K6Mmu4IWT6Rnm>oxrl~b<~^e3vbj-GCdHLIB_>59}Ya+~OF68NiH=?}2o 
zP(X7EN=quQn&)fK>M&kqF|<_*H`}c zk=+x)GU>{Af#vx&s?`UKUsz})g^Pc&?Ka@t5$n$bqf6{r1>#mWx6Ep>9|A}VmWRnowVo`OyCr^fHsf# zQjQ3Ttp7y#iQY8l`zEUW)(@gGQdt(~rkxlkefskT(t%@i8=|p1Y9Dc5bc+z#n$s13 zGJk|V0+&Ekh(F};PJzQKKo+FG@KV8a<$gmNSD;7rd_nRdc%?9)p!|B-@P~kxQG}~B zi|{0}@}zKC(rlFUYp*dO1RuvPC^DQOkX4<+EwvBAC{IZQdYxoq1Za!MW7%p7gGr=j zzWnAq%)^O2$eItftC#TTSArUyL$U54-O7e|)4_7%Q^2tZ^0-d&3J1}qCzR4dWX!)4 zzIEKjgnYgMus^>6uw4Jm8ga6>GBtMjpNRJ6CP~W=37~||gMo_p@GA@#-3)+cVYnU> zE5=Y4kzl+EbEh%dhQokB{gqNDqx%5*qBusWV%!iprn$S!;oN_6E3?0+umADVs4ako z?P+t?m?};gev9JXQ#Q&KBpzkHPde_CGu-y z<{}RRAx=xlv#mVi+Ibrgx~ujW$h{?zPfhz)Kp7kmYS&_|97b&H&1;J-mzrBWAvY} zh8-I8hl_RK2+nnf&}!W0P+>5?#?7>npshe<1~&l_xqKd0_>dl_^RMRq@-Myz&|TKZBj1=Q()) zF{dBjv5)h=&Z)Aevx}+i|7=R9rG^Di!sa)sZCl&ctX4&LScQ-kMncgO(9o6W6)yd< z@Rk!vkja*X_N3H=BavGoR0@u0<}m-7|2v!0+2h~S2Q&a=lTH91OJsvms2MT~ zY=c@LO5i`mLpBd(vh|)I&^A3TQLtr>w=zoyzTd=^f@TPu&+*2MtqE$Avf>l>}V|3-8Fp2hzo3y<)hr_|NO(&oSD z!vEjTWBxbKTiShVl-U{n*B3#)3a8$`{~Pk}J@elZ=>Pqp|MQ}jrGv7KrNcjW%TN_< zZz8kG{#}XoeWf7qY?D)L)8?Q-b@Na&>i=)(@uNo zr;cH98T3$Iau8Hn*@vXi{A@YehxDE2zX~o+RY`)6-X{8~hMpc#C`|8y> zU8Mnv5A0dNCf{Ims*|l-^ z(MRp{qoGohB34|ggDI*p!Aw|MFyJ|v+<+E3brfrI)|+l3W~CQLPbnF@G0)P~Ly!1TJLp}xh8uW`Q+RB-v`MRYZ9Gam3cM%{ zb4Cb*f)0deR~wtNb*8w-LlIF>kc7DAv>T0D(a3@l`k4TFnrO+g9XH7;nYOHxjc4lq zMmaW6qpgAgy)MckYMhl?>sq;-1E)-1llUneeA!ya9KM$)DaNGu57Z5aE>=VST$#vb zFo=uRHr$0M{-ha>h(D_boS4zId;3B|Tpqo|?B?Z@I?G(?&Iei+-{9L_A9=h=Qfn-U z1wIUnQe9!z%_j$F_{rf&`ZFSott09gY~qrf@g3O=Y>vzAnXCyL!@(BqWa)Zqt!#_k zfZHuwS52|&&)aK;CHq9V-t9qt0au{$#6c*R#e5n3rje0hic7c7m{kW$p(_`wB=Gw7 z4k`1Hi;Mc@yA7dp@r~?@rfw)TkjAW++|pkfOG}0N|2guek}j8Zen(!+@7?qt_7ndX zB=BG6WJ31#F3#Vk3=aQr8T)3`{=p9nBHlKzE0I@v`{vJ}h8pd6vby&VgFhzH|q;=aonunAXL6G2y(X^CtAhWr*jI zGjpY@raZDQkg*aMq}Ni6cRF z{oWv}5`nhSAv>usX}m^GHt`f(t8@zHc?K|y5Zi=4G*UG1Sza{$Dpj%X8 zzEXaKT5N6F5j4J|w#qlZP!zS7BT)9b+!ZSJdToqJts1c!)fwih4d31vfb{}W)EgcA zH2pZ^8_k$9+WD2n`6q5XbOy8>3pcYH9 z07eUB+p}YD@AH!}p!iKv><2QF-Y^&xx^PAc1F13A{nUeCDg&{hnix#FiO!fe(^&%Qcux!h znu*S!s$&nnkeotYsDthh1dq(iQrE|#f_=xVgfiiL&-5eAcC-> 
z5L0l|DVEM$#ulf{bj+Y~7iD)j<~O8CYM8GW)dQGq)!mck)FqoL^X zwNdZb3->hFrbHFm?hLvut-*uK?zXn3q1z|UX{RZ;-WiLoOjnle!xs+W0-8D)kjU#R z+S|A^HkRg$Ij%N4v~k`jyHffKaC~=wg=9)V5h=|kLQ@;^W!o2^K+xG&2n`XCd>OY5Ydi= zgHH=lgy++erK8&+YeTl7VNyVm9-GfONlSlVb3)V9NW5tT!cJ8d7X)!b-$fb!s76{t z@d=Vg-5K_sqHA@Zx-L_}wVnc@L@GL9_K~Zl(h5@AR#FAiKad8~KeWCo@mgXIQ#~u{ zgYFwNz}2b6Vu@CP0XoqJ+dm8px(5W5-Jpis97F`+KM)TuP*X8H@zwiVKDKGVp59pI zifNHZr|B+PG|7|Y<*tqap0CvG7tbR1R>jn70t1X`XJixiMVcHf%Ez*=xm1(CrTSDt z0cle!+{8*Ja&EOZ4@$qhBuKQ$U95Q%rc7tg$VRhk?3=pE&n+T3upZg^ZJc9~c2es% zh7>+|mrmA-p&v}|OtxqmHIBgUxL~^0+cpfkSK2mhh+4b=^F1Xgd2)}U*Yp+H?ls#z zrLxWg_hm}AfK2XYWr!rzW4g;+^^&bW%LmbtRai9f3PjU${r@n`JThy-cphbcwn)rq9{A$Ht`lmYKxOacy z6v2R(?gHhD5@&kB-Eg?4!hAoD7~(h>(R!s1c1Hx#s9vGPePUR|of32bS`J5U5w{F) z>0<^ktO2UHg<0{oxkdOQ;}coZDQph8p6ruj*_?uqURCMTac;>T#v+l1Tc~%^k-Vd@ zkc5y35jVNc49vZpZx;gG$h{%yslDI%Lqga1&&;mN{Ush1c7p>7e-(zp}6E7f-XmJb4nhk zb8zS+{IVbL$QVF8pf8}~kQ|dHJAEATmmnrb_wLG}-yHe>W|A&Y|;muy-d^t^<&)g5SJfaTH@P1%euONny=mxo+C z4N&w#biWY41r8k~468tvuYVh&XN&d#%QtIf9;iVXfWY)#j=l`&B~lqDT@28+Y!0E+MkfC}}H*#(WKKdJJq=O$vNYCb(ZG@p{fJgu;h z21oHQ(14?LeT>n5)s;uD@5&ohU!@wX8w*lB6i@GEH0pM>YTG+RAIWZD;4#F1&F%Jp zXZUml2sH0!lYJT?&sA!qwez6cXzJEd(1ZC~kT5kZSp7(@=H2$Azb_*W&6aA|9iwCL zdX7Q=42;@dspHDwYE?miGX#L^3xD&%BI&fN9^;`v4OjQXPBaBmOF1;#C)8XA(WFlH zycro;DS2?(G&6wkr6rqC>rqDv3nfGw3hmN_9Al>TgvmGsL8_hXx09};l9Ow@)F5@y z#VH5WigLDwZE4nh^7&@g{1FV^UZ%_LJ-s<{HN*2R$OPg@R~Z`c-ET*2}XB@9xvAjrK&hS=f|R8Gr9 zr|0TGOsI7RD+4+2{ZiwdVD@2zmg~g@^D--YL;6UYGSM8i$NbQr4!c7T9rg!8;TM0E zT#@?&S=t>GQm)*ua|?TLT2ktj#`|R<_*FAkOu2Pz$wEc%-=Y9V*$&dg+wIei3b*O8 z2|m$!jJG!J!ZGbbIa!(Af~oSyZV+~M1qGvelMzPNE_%5?c2>;MeeG2^N?JDKjFYCy z7SbPWH-$cWF9~fX%9~v99L!G(wi!PFp>rB!9xj7=Cv|F+7CsGNwY0Q_J%FID%C^CBZQfJ9K(HK%k31j~e#&?hQ zNuD6gRkVckU)v+53-fc} z7ZCzYN-5RG4H7;>>Hg?LU9&5_aua?A0)0dpew1#MMlu)LHe(M;OHjHIUl7|%%)YPo z0cBk;AOY00%Fe6heoN*$(b<)Cd#^8Iu;-2v@>cE-OB$icUF9EEoaC&q8z9}jMTT2I z8`9;jT%z0;dy4!8U;GW{i`)3!c6&oWY`J3669C!tM<5nQFFrFRglU8f)5Op$GtR-3 
zn!+SPCw|04sv?%YZ(a7#L?vsdr7ss@WKAw&A*}-1S|9~cL%uA+E~>N6QklFE>8W|% zyX-qAUGTY1hQ-+um`2|&ji0cY*(qN!zp{YpDO-r>jPk*yuVSay<)cUt`t@&FPF_&$ zcHwu1(SQ`I-l8~vYyUxm@D1UEdFJ$f5Sw^HPH7b!9 zzYT3gKMF((N(v0#4f_jPfVZ=ApN^jQJe-X$`A?X+vWjLn_%31KXE*}5_}d8 zw_B1+a#6T1?>M{ronLbHIlEsMf93muJ7AH5h%;i99<~JX^;EAgEB1uHralD*!aJ@F zV2ruuFe9i2Q1C?^^kmVy921eb=tLDD43@-AgL^rQ3IO9%+vi_&R2^dpr}x{bCVPej z7G0-0o64uyWNtr*loIvslyo0%)KSDDKjfThe0hcqs)(C-MH1>bNGBDRTW~scy_{w} zp^aq8Qb!h9Lwielq%C1b8=?Z=&U)ST&PHbS)8Xzjh2DF?d{iAv)Eh)wsUnf>UtXN( zL7=$%YrZ#|^c{MYmhn!zV#t*(jdmYdCpwqpZ{v&L8KIuKn`@IIZfp!uo}c;7J57N` zAxyZ-uA4=Gzl~Ovycz%MW9ZL7N+nRo&1cfNn9(1H5eM;V_4Z_qVann7F>5f>%{rf= zPBZFaV@_Sobl?Fy&KXyzFDV*FIdhS5`Uc~S^Gjo)aiTHgn#<0C=9o-a-}@}xDor;D zZyZ|fvf;+=3MZd>SR1F^F`RJEZo+|MdyJYQAEauKu%WDol~ayrGU3zzbHKsnHKZ*z zFiwUkL@DZ>!*x05ql&EBq@_Vqv83&?@~q5?lVmffQZ+V-=qL+!u4Xs2Z2zdCQ3U7B&QR9_Iggy} z(om{Y9eU;IPe`+p1ifLx-XWh?wI)xU9ik+m#g&pGdB5Bi<`PR*?92lE0+TkRuXI)z z5LP!N2+tTc%cB6B1F-!fj#}>S!vnpgVU~3!*U1ej^)vjUH4s-bd^%B=ItQqDCGbrEzNQi(dJ`J}-U=2{7-d zK8k^Rlq2N#0G?9&1?HSle2vlkj^KWSBYTwx`2?9TU_DX#J+f+qLiZCqY1TXHFxXZqYMuD@RU$TgcnCC{_(vwZ-*uX)~go#%PK z@}2Km_5aQ~(<3cXeJN6|F8X_1@L%@xTzs}$_*E|a^_URF_qcF;Pfhoe?FTFwvjm1o z8onf@OY@jC2tVcMaZS;|T!Ks(wOgPpRzRnFS-^RZ4E!9dsnj9sFt609a|jJbb1Dt@ z<=Gal2jDEupxUSwWu6zp<<&RnAA;d&4gKVG0iu6g(DsST(4)z6R)zDpfaQ}v{5ARt zyhwvMtF%b-YazR5XLz+oh=mn;y-Mf2a8>7?2v8qX;19y?b>Z5laGHvzH;Nu9S`B8} zI)qN$GbXIQ1VL3lnof^6TS~rvPVg4V?Dl2Bb*K2z4E{5vy<(@@K_cN@U>R!>aUIRnb zL*)=787*cs#zb31zBC49x$`=fkQbMAef)L2$dR{)6BAz!t5U_B#1zZG`^neKSS22oJ#5B=gl%U=WeqL9REF2g zZnfCb0?quf?Ztj$VXvDSWoK`0L=Zxem2q}!XWLoT-kYMOx)!7fcgT35uC~0pySEme z`{wGWTkGr7>+Kb^n;W?BZH6ZP(9tQX%-7zF>vc2}LuWDI(9kh1G#7B99r4x6;_-V+k&c{nPUrR zAXJGRiMe~aup{0qzmLNjS_BC4cB#sXjckx{%_c&^xy{M61xEb>KW_AG5VFXUOjAG4 z^>Qlm9A#1N{4snY=(AmWzatb!ngqiqPbBZ7>Uhb3)dTkSGcL#&SH>iMO-IJBPua`u zo)LWZ>=NZLr758j{%(|uQuZ)pXq_4c!!>s|aDM9#`~1bzK3J1^^D#<2bNCccH7~-X}Ggi!pIIF>uFx%aPARGQsnC8ZQc8lrQ5o~smqOg>Ti^GNme94*w z)JZy{_{#$jxGQ&`M 
z!OMvZMHR>8*^>eS%o*6hJwn!l8VOOjZQJvh)@tnHVW&*GYPuxqXw}%M!(f-SQf`=L z5;=5w2;%82VMH6Xi&-K3W)o&K^+vJCepWZ-rW%+Dc6X3(){z$@4zjYxQ|}8UIojeC zYZpQ1dU{fy=oTr<4VX?$q)LP}IUmpiez^O&N3E_qPpchGTi5ZM6-2ScWlQq%V&R2Euz zO|Q0Hx>lY1Q1cW5xHv5!0OGU~PVEqSuy#fD72d#O`N!C;o=m+YioGu-wH2k6!t<~K zSr`E=W9)!g==~x9VV~-8{4ZN9{~-A9zJpRe%NGg$+MDuI-dH|b@BD)~>pPCGUNNzY zMDg||0@XGQgw`YCt5C&A{_+J}mvV9Wg{6V%2n#YSRN{AP#PY?1FF1#|vO_%e+#`|2*~wGAJaeRX6=IzFNeWhz6gJc8+(03Ph4y6ELAm=AkN7TOgMUEw*N{= z_)EIDQx5q22oUR+_b*tazu9+pX|n1c*IB-}{DqIj z-?E|ks{o3AGRNb;+iKcHkZvYJvFsW&83RAPs1Oh@IWy%l#5x2oUP6ZCtv+b|q>jsf zZ_9XO;V!>n`UxH1LvH8)L4?8raIvasEhkpQoJ`%!5rBs!0Tu(s_D{`4opB;57)pkX z4$A^8CsD3U5*!|bHIEqsn~{q+Ddj$ME@Gq4JXtgVz&7l{Ok!@?EA{B3P~NAqb9)4? zkQo30A^EbHfQ@87G5&EQTd`frrwL)&Yw?%-W@uy^Gn23%j?Y!Iea2xw<-f;esq zf%w5WN@E1}zyXtYv}}`U^B>W`>XPmdLj%4{P298|SisrE;7HvXX;A}Ffi8B#3Lr;1 zHt6zVb`8{#+e$*k?w8|O{Uh|&AG}|DG1PFo1i?Y*cQm$ZwtGcVgMwtBUDa{~L1KT-{jET4w60>{KZ27vXrHJ;fW{6| z=|Y4!&UX020wU1>1iRgB@Q#m~1^Z^9CG1LqDhYBrnx%IEdIty z!46iOoKlKs)c}newDG)rWUikD%j`)p z_w9Ph&e40=(2eBy;T!}*1p1f1SAUDP9iWy^u^Ubdj21Kn{46;GR+hwLO=4D11@c~V zI8x&(D({K~Df2E)Nx_yQvYfh4;MbMJ@Z}=Dt3_>iim~QZ*hZIlEs0mEb z_54+&*?wMD`2#vsQRN3KvoT>hWofI_Vf(^C1ff-Ike@h@saEf7g}<9T`W;HAne-Nd z>RR+&SP35w)xKn8^U$7))PsM!jKwYZ*RzEcG-OlTrX3}9a{q%#Un5E5W{{hp>w~;` zGky+3(vJvQyGwBo`tCpmo0mo((?nM8vf9aXrrY1Ve}~TuVkB(zeds^jEfI}xGBCM2 zL1|#tycSaWCurP+0MiActG3LCas@_@tao@(R1ANlwB$4K53egNE_;!&(%@Qo$>h`^1S_!hN6 z)vZtG$8fN!|BXBJ=SI>e(LAU(y(i*PHvgQ2llulxS8>qsimv7yL}0q_E5WiAz7)(f zC(ahFvG8&HN9+6^jGyLHM~$)7auppeWh_^zKk&C_MQ~8;N??OlyH~azgz5fe^>~7F zl3HnPN3z-kN)I$4@`CLCMQx3sG~V8hPS^}XDXZrQA>}mQPw%7&!sd(Pp^P=tgp-s^ zjl}1-KRPNWXgV_K^HkP__SR`S-|OF0bR-N5>I%ODj&1JUeAQ3$9i;B~$S6}*^tK?= z**%aCiH7y?xdY?{LgVP}S0HOh%0%LI$wRx;$T|~Y8R)Vdwa}kGWv8?SJVm^>r6+%I z#lj1aR94{@MP;t-scEYQWc#xFA30^}?|BeX*W#9OL;Q9#WqaaM546j5j29((^_8Nu z4uq}ESLr~r*O7E7$D{!k9W>`!SLoyA53i9QwRB{!pHe8um|aDE`Cg0O*{jmor)^t)3`>V>SWN-2VJcFmj^1?~tT=JrP`fVh*t zXHarp=8HEcR#vFe+1a%XXuK+)oFs`GDD}#Z+TJ}Ri`FvKO@ek2ayn}yaOi%(8p%2$ 
zpEu)v0Jym@f}U|-;}CbR=9{#<^z28PzkkTNvyKvJDZe+^VS2bES3N@Jq!-*}{oQlz z@8bgC_KnDnT4}d#&Cpr!%Yb?E!brx0!eVOw~;lLwUoz#Np%d$o%9scc3&zPm`%G((Le|6o1 zM(VhOw)!f84zG^)tZ1?Egv)d8cdNi+T${=5kV+j;Wf%2{3g@FHp^Gf*qO0q!u$=m9 zCaY`4mRqJ;FTH5`a$affE5dJrk~k`HTP_7nGTY@B9o9vvnbytaID;^b=Tzp7Q#DmD zC(XEN)Ktn39z5|G!wsVNnHi) z%^q94!lL|hF`IijA^9NR0F$@h7k5R^ljOW(;Td9grRN0Mb)l_l7##{2nPQ@?;VjXv zaLZG}yuf$r$<79rVPpXg?6iiieX|r#&`p#Con2i%S8*8F}(E) zI5E6c3tG*<;m~6>!&H!GJ6zEuhH7mkAzovdhLy;)q z{H2*8I^Pb}xC4s^6Y}6bJvMu=8>g&I)7!N!5QG$xseeU#CC?ZM-TbjsHwHgDGrsD= z{%f;@Sod+Ch66Ko2WF~;Ty)v>&x^aovCbCbD7>qF*!?BXmOV3(s|nxsb*Lx_2lpB7 zokUnzrk;P=T-&kUHO}td+Zdj!3n&NR?K~cRU zAXU!DCp?51{J4w^`cV#ye}(`SQhGQkkMu}O3M*BWt4UsC^jCFUy;wTINYmhD$AT;4 z?Xd{HaJjP`raZ39qAm;%beDbrLpbRf(mkKbANan7XsL>_pE2oo^$TgdidjRP!5-`% zv0d!|iKN$c0(T|L0C~XD0aS8t{*&#LnhE;1Kb<9&=c2B+9JeLvJr*AyyRh%@jHej=AetOMSlz^=!kxX>>B{2B1uIrQyfd8KjJ+DBy!h)~*(!|&L4^Q_07SQ~E zcemVP`{9CwFvPFu7pyVGCLhH?LhEVb2{7U+Z_>o25#+3<|8%1T^5dh}*4(kfJGry} zm%r#hU+__Z;;*4fMrX=Bkc@7|v^*B;HAl0((IBPPii%X9+u3DDF6%bI&6?Eu$8&aWVqHIM7mK6?Uvq$1|(-T|)IV<>e?!(rY zqkmO1MRaLeTR=)io(0GVtQT@s6rN%C6;nS3@eu;P#ry4q;^O@1ZKCJyp_Jo)Ty^QW z+vweTx_DLm{P-XSBj~Sl<%_b^$=}odJ!S2wAcxenmzFGX1t&Qp8Vxz2VT`uQsQYtdn&_0xVivIcxZ_hnrRtwq4cZSj1c-SG9 z7vHBCA=fd0O1<4*=lu$6pn~_pVKyL@ztw1swbZi0B?spLo56ZKu5;7ZeUml1Ws1?u zqMf1p{5myAzeX$lAi{jIUqo1g4!zWLMm9cfWcnw`k6*BR^?$2(&yW?>w;G$EmTA@a z6?y#K$C~ZT8+v{87n5Dm&H6Pb_EQ@V0IWmG9cG=O;(;5aMWWrIPzz4Q`mhK;qQp~a z+BbQrEQ+w{SeiuG-~Po5f=^EvlouB@_|4xQXH@A~KgpFHrwu%dwuCR)=B&C(y6J4J zvoGk9;lLs9%iA-IJGU#RgnZZR+@{5lYl8(e1h6&>Vc_mvg0d@);X zji4T|n#lB!>pfL|8tQYkw?U2bD`W{na&;*|znjmalA&f;*U++_aBYerq;&C8Kw7mI z7tsG*?7*5j&dU)Lje;^{D_h`%(dK|pB*A*1(Jj)w^mZ9HB|vGLkF1GEFhu&rH=r=8 zMxO42e{Si6$m+Zj`_mXb&w5Q(i|Yxyg?juUrY}78uo@~3v84|8dfgbPd0iQJRdMj< zncCNGdMEcsxu#o#B5+XD{tsg*;j-eF8`mp~K8O1J!Z0+>0=7O=4M}E?)H)ENE;P*F z$Ox?ril_^p0g7xhDUf(q652l|562VFlC8^r8?lQv;TMvn+*8I}&+hIQYh2 z1}uQQaag&!-+DZ@|C+C$bN6W;S-Z@)d1|en+XGvjbOxCa-qAF*LA=6s(Jg+g;82f$ 
z(Vb)8I)AH@cdjGFAR5Rqd0wiNCu!xtqWbcTx&5kslzTb^7A78~Xzw1($UV6S^VWiP zFd{Rimd-0CZC_Bu(WxBFW7+k{cOW7DxBBkJdJ;VsJ4Z@lERQr%3eVv&$%)b%<~ zCl^Y4NgO}js@u{|o~KTgH}>!* z_iDNqX2(As7T0xivMH|3SC1ivm8Q}6Ffcd7owUKN5lHAtzMM4<0v+ykUT!QiowO;`@%JGv+K$bBx@*S7C8GJVqQ_K>12}M`f_Ys=S zKFh}HM9#6Izb$Y{wYzItTy+l5U2oL%boCJn?R3?jP@n$zSIwlmyGq30Cw4QBO|14` zW5c);AN*J3&eMFAk$SR~2k|&+&Bc$e>s%c{`?d~85S-UWjA>DS5+;UKZ}5oVa5O(N zqqc@>)nee)+4MUjH?FGv%hm2{IlIF-QX}ym-7ok4Z9{V+ZHVZQl$A*x!(q%<2~iVv znUa+BX35&lCb#9VE-~Y^W_f;Xhl%vgjwdjzMy$FsSIj&ok}L+X`4>J=9BkN&nu^E*gbhj3(+D>C4E z@Fwq_=N)^bKFSHTzZk?-gNU$@l}r}dwGyh_fNi=9b|n}J>&;G!lzilbWF4B}BBq4f zYIOl?b)PSh#XTPp4IS5ZR_2C!E)Z`zH0OW%4;&~z7UAyA-X|sh9@~>cQW^COA9hV4 zXcA6qUo9P{bW1_2`eo6%hgbN%(G-F1xTvq!sc?4wN6Q4`e9Hku zFwvlAcRY?6h^Fj$R8zCNEDq8`=uZB8D-xn)tA<^bFFy}4$vA}Xq0jAsv1&5!h!yRA zU()KLJya5MQ`q&LKdH#fwq&(bNFS{sKlEh_{N%{XCGO+po#(+WCLmKW6&5iOHny>g z3*VFN?mx!16V5{zyuMWDVP8U*|BGT$(%IO|)?EF|OI*sq&RovH!N%=>i_c?K*A>>k zyg1+~++zY4Q)J;VWN0axhoIKx;l&G$gvj(#go^pZskEVj8^}is3Jw26LzYYVos0HX zRPvmK$dVxM8(Tc?pHFe0Z3uq){{#OK3i-ra#@+;*=ui8)y6hsRv z4Fxx1c1+fr!VI{L3DFMwXKrfl#Q8hfP@ajgEau&QMCxd{g#!T^;ATXW)nUg&$-n25 zruy3V!!;{?OTobo|0GAxe`Acn3GV@W=&n;~&9 zQM>NWW~R@OYORkJAo+eq1!4vzmf9K%plR4(tB@TR&FSbDoRgJ8qVcH#;7lQub*nq&?Z>7WM=oeEVjkaG zT#f)=o!M2DO5hLR+op>t0CixJCIeXH*+z{-XS|%jx)y(j&}Wo|3!l7{o)HU3m7LYyhv*xF&tq z%IN7N;D4raue&&hm0xM=`qv`+TK@;_xAcGKuK(2|75~ar2Yw)geNLSmVxV@x89bQu zpViVKKnlkwjS&&c|-X6`~xdnh}Ps)Hs z4VbUL^{XNLf7_|Oi>tA%?SG5zax}esF*FH3d(JH^Gvr7Rp*n=t7frH!U;!y1gJB^i zY_M$KL_}mW&XKaDEi9K-wZR|q*L32&m+2n_8lq$xRznJ7p8}V>w+d@?uB!eS3#u<} zIaqi!b!w}a2;_BfUUhGMy#4dPx>)_>yZ`ai?Rk`}d0>~ce-PfY-b?Csd(28yX22L% zI7XI>OjIHYTk_@Xk;Gu^F52^Gn6E1&+?4MxDS2G_#PQ&yXPXP^<-p|2nLTb@AAQEY zI*UQ9Pmm{Kat}wuazpjSyXCdnrD&|C1c5DIb1TnzF}f4KIV6D)CJ!?&l&{T)e4U%3HTSYqsQ zo@zWB1o}ceQSV)<4G<)jM|@@YpL+XHuWsr5AYh^Q{K=wSV99D~4RRU52FufmMBMmd z_H}L#qe(}|I9ZyPRD6kT>Ivj&2Y?qVZq<4bG_co_DP`sE*_Xw8D;+7QR$Uq(rr+u> z8bHUWbV19i#)@@G4bCco@Xb<8u~wVDz9S`#k@ciJtlu@uP1U0X?yov8v9U3VOig2t zL9?n$P3=1U_Emi$#slR>N5wH-=J&T=EdUHA}_Z 
zZIl3nvMP*AZS9{cDqFanrA~S5BqxtNm9tlu;^`)3X&V4tMAkJ4gEIPl= zoV!Gyx0N{3DpD@)pv^iS*dl2FwANu;1;%EDl}JQ7MbxLMAp>)UwNwe{=V}O-5C*>F zu?Ny+F64jZn<+fKjF01}8h5H_3pey|;%bI;SFg$w8;IC<8l|3#Lz2;mNNik6sVTG3 z+Su^rIE#40C4a-587$U~%KedEEw1%r6wdvoMwpmlXH$xPnNQN#f%Z7|p)nC>WsuO= z4zyqapLS<8(UJ~Qi9d|dQijb_xhA2)v>la)<1md5s^R1N&PiuA$^k|A<+2C?OiHbj z>Bn$~t)>Y(Zb`8hW7q9xQ=s>Rv81V+UiuZJc<23HplI88isqRCId89fb`Kt|CxVIg znWcwprwXnotO>3s&Oypkte^9yJjlUVVxSe%_xlzmje|mYOVPH^vjA=?6xd0vaj0Oz zwJ4OJNiFdnHJX3rw&inskjryukl`*fRQ#SMod5J|KroJRsVXa5_$q7whSQ{gOi*s0 z1LeCy|JBWRsDPn7jCb4s(p|JZiZ8+*ExC@Vj)MF|*Vp{B(ziccSn`G1Br9bV(v!C2 z6#?eqpJBc9o@lJ#^p-`-=`4i&wFe>2)nlPK1p9yPFzJCzBQbpkcR>={YtamIw)3nt z(QEF;+)4`>8^_LU)_Q3 zC5_7lgi_6y>U%m)m@}Ku4C}=l^J=<<7c;99ec3p{aR+v=diuJR7uZi%aQv$oP?dn?@6Yu_+*^>T0ptf(oobdL;6)N-I!TO`zg^Xbv3#L0I~sn@WGk-^SmPh5>W+LB<+1PU}AKa?FCWF|qMNELOgdxR{ zbqE7@jVe+FklzdcD$!(A$&}}H*HQFTJ+AOrJYnhh}Yvta(B zQ_bW4Rr;R~&6PAKwgLWXS{Bnln(vUI+~g#kl{r+_zbngT`Y3`^Qf=!PxN4IYX#iW4 zucW7@LLJA9Zh3(rj~&SyN_pjO8H&)|(v%!BnMWySBJV=eSkB3YSTCyIeJ{i;(oc%_hk{$_l;v>nWSB)oVeg+blh=HB5JSlG_r7@P z3q;aFoZjD_qS@zygYqCn=;Zxjo!?NK!%J$ z52lOP`8G3feEj+HTp@Tnn9X~nG=;tS+z}u{mQX_J0kxtr)O30YD%oo)L@wy`jpQYM z@M>Me=95k1p*FW~rHiV1CIfVc{K8r|#Kt(ApkXKsDG$_>76UGNhHExFCw#Ky9*B-z zNq2ga*xax!HMf_|Vp-86r{;~YgQKqu7%szk8$hpvi_2I`OVbG1doP(`gn}=W<8%Gn z%81#&WjkH4GV;4u43EtSW>K_Ta3Zj!XF?;SO3V#q=<=>Tc^@?A`i;&`-cYj|;^ zEo#Jl5zSr~_V-4}y8pnufXLa80vZY4z2ko7fj>DR)#z=wWuS1$$W!L?(y}YC+yQ|G z@L&`2upy3f>~*IquAjkVNU>}c10(fq#HdbK$~Q3l6|=@-eBbo>B9(6xV`*)sae58*f zym~RRVx;xoCG3`JV`xo z!lFw)=t2Hy)e!IFs?0~7osWk(d%^wxq&>_XD4+U#y&-VF%4z?XH^i4w`TxpF{`XhZ z%G}iEzf!T(l>g;W9<~K+)$g!{UvhW{E0Lis(S^%I8OF&%kr!gJ&fMOpM=&=Aj@wuL zBX?*6i51Qb$uhkwkFYkaD_UDE+)rh1c;(&Y=B$3)J&iJfQSx!1NGgPtK!$c9OtJuu zX(pV$bfuJpRR|K(dp@^j}i&HeJOh@|7lWo8^$*o~Xqo z5Sb+!EtJ&e@6F+h&+_1ETbg7LfP5GZjvIUIN3ibCOldAv z)>YdO|NH$x7AC8dr=<2ekiY1%fN*r~e5h6Yaw<{XIErujKV~tiyrvV_DV0AzEknC- zR^xKM3i<1UkvqBj3C{wDvytOd+YtDSGu!gEMg+!&|8BQrT*|p)(dwQLEy+ zMtMzij3zo40)CA!BKZF~yWg?#lWhqD3@qR)gh~D{uZaJO;{OWV8XZ_)J@r3=)T|kt 
zUS1pXr6-`!Z}w2QR7nP%d?ecf90;K_7C3d!UZ`N(TZoWNN^Q~RjVhQG{Y<%E1PpV^4 z-m-K+$A~-+VDABs^Q@U*)YvhY4Znn2^w>732H?NRK(5QSS$V@D7yz2BVX4)f5A04~$WbxGOam22>t&uD)JB8-~yiQW6ik;FGblY_I>SvB_z2?PS z*Qm&qbKI{H1V@YGWzpx`!v)WeLT02};JJo*#f$a*FH?IIad-^(;9XC#YTWN6;Z6+S zm4O1KH=#V@FJw7Pha0!9Vb%ZIM$)a`VRMoiN&C|$YA3~ZC*8ayZRY^fyuP6$n%2IU z$#XceYZeqLTXw(m$_z|33I$B4k~NZO>pP6)H_}R{E$i%USGy{l{-jOE;%CloYPEU+ zRFxOn4;7lIOh!7abb23YKD+_-?O z0FP9otcAh+oSj;=f#$&*ExUHpd&e#bSF%#8*&ItcL2H$Sa)?pt0Xtf+t)z$_u^wZi z44oE}r4kIZGy3!Mc8q$B&6JqtnHZ>Znn!Zh@6rgIu|yU+zG8q`q9%B18|T|oN3zMq z`l&D;U!OL~%>vo&q0>Y==~zLiCZk4v%s_7!9DxQ~id1LLE93gf*gg&2$|hB#j8;?3 z5v4S;oM6rT{Y;I+#FdmNw z){d%tNM<<#GN%n9ox7B=3#;u7unZ~tLB_vRZ52a&2=IM)2VkXm=L+Iqq~uk#Dug|x z>S84e+A7EiOY5lj*!q?6HDkNh~0g;0Jy(al!ZHHDtur9T$y-~)94HelX1NHjXWIM7UAe}$?jiz z9?P4`I0JM=G5K{3_%2jPLC^_Mlw?-kYYgb7`qGa3@dn|^1fRMwiyM@Ch z;CB&o7&&?c5e>h`IM;Wnha0QKnEp=$hA8TJgR-07N~U5(>9vJzeoFsSRBkDq=x(YgEMpb=l4TDD`2 zwVJpWGTA_u7}?ecW7s6%rUs&NXD3+n;jB86`X?8(l3MBo6)PdakI6V6a}22{)8ilT zM~T*mU}__xSy|6XSrJ^%lDAR3Lft%+yxC|ZUvSO_nqMX!_ul3;R#*{~4DA=h$bP)%8Yv9X zyp><|e8=_ttI}ZAwOd#dlnSjck#6%273{E$kJuCGu=I@O)&6ID{nWF5@gLb16sj|&Sb~+du4e4O_%_o`Ix4NRrAsyr1_}MuP94s>de8cH-OUkVPk3+K z&jW)It9QiU-ti~AuJkL`XMca8Oh4$SyJ=`-5WU<{cIh+XVH#e4d&zive_UHC!pN>W z3TB;Mn5i)9Qn)#6@lo4QpI3jFYc0~+jS)4AFz8fVC;lD^+idw^S~Qhq>Tg(!3$yLD zzktzoFrU@6s4wwCMz}edpF5i5Q1IMmEJQHzp(LAt)pgN3&O!&d?3W@6U4)I^2V{;- z6A(?zd93hS*uQmnh4T)nHnE{wVhh(=MMD(h(P4+^p83Om6t<*cUW>l(qJzr%5vp@K zN27ka(L{JX=1~e2^)F^i=TYj&;<7jyUUR2Bek^A8+3Up*&Xwc{)1nRR5CT8vG>ExV zHnF3UqXJOAno_?bnhCX-&kwI~Ti8t4`n0%Up>!U`ZvK^w2+0Cs-b9%w%4`$+To|k= zKtgc&l}P`*8IS>8DOe?EB84^kx4BQp3<7P{Pq}&p%xF_81pg!l2|u=&I{AuUgmF5n zJQCTLv}%}xbFGYtKfbba{CBo)lWW%Z>i(_NvLhoQZ*5-@2l&x>e+I~0Nld3UI9tdL zRzu8}i;X!h8LHVvN?C+|M81e>Jr38%&*9LYQec9Ax>?NN+9(_>XSRv&6hlCYB`>Qm z1&ygi{Y()OU4@D_jd_-7vDILR{>o|7-k)Sjdxkjgvi{@S>6GqiF|o`*Otr;P)kLHN zZkpts;0zw_6;?f(@4S1FN=m!4^mv~W+lJA`&7RH%2$)49z0A+8@0BCHtj|yH--AEL z0tW6G%X-+J+5a{5*WKaM0QDznf;V?L5&uQw+yegDNDP`hA;0XPYc6e0;Xv6|i|^F2WB)Z$LR|HR4 
zTQsRAby9(^Z@yATyOgcfQw7cKyr^3Tz7lc7+JEwwzA7)|2x+PtEb>nD(tpxJQm)Kn zW9K_*r!L%~N*vS8<5T=iv|o!zTe9k_2jC_j*7ik^M_ zaf%k{WX{-;0*`t`G!&`eW;gChVXnJ-Rn)To8vW-?>>a%QU1v`ZC=U)f8iA@%JG0mZ zDqH;~mgBnrCP~1II<=V9;EBL)J+xzCoiRBaeH&J6rL!{4zIY8tZka?_FBeQeNO3q6 zyG_alW54Ba&wQf{&F1v-r1R6ID)PTsqjIBc+5MHkcW5Fnvi~{-FjKe)t1bl}Y;z@< z=!%zvpRua>>t_x}^}z0<7MI!H2v6|XAyR9!t50q-A)xk0nflgF4*OQlCGK==4S|wc zRMsSscNhRzHMBU8TdcHN!q^I}x0iXJ%uehac|Zs_B$p@CnF)HeXPpB_Za}F{<@6-4 zl%kml@}kHQ(ypD8FsPJ2=14xXJE|b20RUIgs!2|R3>LUMGF6X*B_I|$`Qg=;zm7C z{mEDy9dTmPbued7mlO@phdmAmJ7p@GR1bjCkMw6*G7#4+`k>fk1czdJUB!e@Q(~6# zwo%@p@V5RL0ABU2LH7Asq^quDUho@H>eTZH9f*no9fY0T zD_-9px3e}A!>>kv5wk91%C9R1J_Nh!*&Kk$J3KNxC}c_@zlgpJZ+5L)Nw|^p=2ue}CJtm;uj*Iqr)K})kA$xtNUEvX;4!Px*^&9T_`IN{D z{6~QY=Nau6EzpvufB^hflc#XIsSq0Y9(nf$d~6ZwK}fal92)fr%T3=q{0mP-EyP_G z)UR5h@IX}3Qll2b0oCAcBF>b*@Etu*aTLPU<%C>KoOrk=x?pN!#f_Og-w+;xbFgjQ zXp`et%lDBBh~OcFnMKMUoox0YwBNy`N0q~bSPh@+enQ=4RUw1) zpovN`QoV>vZ#5LvC;cl|6jPr}O5tu!Ipoyib8iXqy}TeJ;4+_7r<1kV0v5?Kv>fYp zg>9L`;XwXa&W7-jf|9~uP2iyF5`5AJ`Q~p4eBU$MCC00`rcSF>`&0fbd^_eqR+}mK z4n*PMMa&FOcc)vTUR zlDUAn-mh`ahi_`f`=39JYTNVjsTa_Y3b1GOIi)6dY)D}xeshB0T8Eov5%UhWd1)u}kjEQ|LDo{tqKKrYIfVz~@dp!! 
zMOnah@vp)%_-jDTUG09l+;{CkDCH|Q{NqX*uHa1YxFShy*1+;J`gywKaz|2Q{lG8x zP?KBur`}r`!WLKXY_K;C8$EWG>jY3UIh{+BLv0=2)KH%P}6xE2kg)%(-uA6lC?u8}{K(#P*c zE9C8t*u%j2r_{;Rpe1A{9nNXU;b_N0vNgyK!EZVut~}+R2rcbsHilqsOviYh-pYX= zHw@53nlmwYI5W5KP>&`dBZe0Jn?nAdC^HY1wlR6$u^PbpB#AS&5L6zqrXN&7*N2Q` z+Rae1EwS)H=aVSIkr8Ek^1jy2iS2o7mqm~Mr&g5=jjt7VxwglQ^`h#Mx+x2v|9ZAwE$i_9918MjJxTMr?n!bZ6n$}y11u8I9COTU`Z$Fi z!AeAQLMw^gp_{+0QTEJrhL424pVDp%wpku~XRlD3iv{vQ!lAf!_jyqd_h}+Tr1XG| z`*FT*NbPqvHCUsYAkFnM`@l4u_QH&bszpUK#M~XLJt{%?00GXY?u_{gj3Hvs!=N(I z(=AuWPijyoU!r?aFTsa8pLB&cx}$*%;K$e*XqF{~*rA-qn)h^!(-;e}O#B$|S~c+U zN4vyOK0vmtx$5K!?g*+J@G1NmlEI=pyZXZ69tAv=@`t%ag_Hk{LP~OH9iE)I= zaJ69b4kuCkV0V zo(M0#>phpQ_)@j;h%m{-a*LGi(72TP)ws2w*@4|C-3+;=5DmC4s7Lp95%n%@Ko zfdr3-a7m*dys9iIci$A=4NPJ`HfJ;hujLgU)ZRuJI`n;Pw|yksu!#LQnJ#dJysgNb z@@qwR^wrk(jbq4H?d!lNyy72~Dnn87KxsgQ!)|*m(DRM+eC$wh7KnS-mho3|KE)7h zK3k;qZ;K1Lj6uEXLYUYi)1FN}F@-xJ z@@3Hb84sl|j{4$3J}aTY@cbX@pzB_qM~APljrjju6P0tY{C@ zpUCOz_NFmALMv1*blCcwUD3?U6tYs+N%cmJ98D%3)%)Xu^uvzF zS5O!sc#X6?EwsYkvPo6A%O8&y8sCCQH<%f2togVwW&{M;PR!a(ZT_A+jVAbf{@5kL zB@Z(hb$3U{T_}SKA_CoQVU-;j>2J=L#lZ~aQCFg-d<9rzs$_gO&d5N6eFSc z1ml8)P*FSi+k@!^M9nDWR5e@ATD8oxtDu=36Iv2!;dZzidIS(PCtEuXAtlBb1;H%Z zwnC^Ek*D)EX4#Q>R$$WA2sxC_t(!!6Tr?C#@{3}n{<^o;9id1RA&-Pig1e-2B1XpG zliNjgmd3c&%A}s>qf{_j#!Z`fu0xIwm4L0)OF=u(OEmp;bLCIaZX$&J_^Z%4Sq4GZ zPn6sV_#+6pJmDN_lx@1;Zw6Md_p0w9h6mHtzpuIEwNn>OnuRSC2=>fP^Hqgc)xu^4 z<3!s`cORHJh#?!nKI`Et7{3C27+EuH)Gw1f)aoP|B3y?fuVfvpYYmmukx0ya-)TQX zR{ggy5cNf4X|g)nl#jC9p>7|09_S7>1D2GTRBUTW zAkQ=JMRogZqG#v;^=11O6@rPPwvJkr{bW-Qg8`q8GoD#K`&Y+S#%&B>SGRL>;ZunM@49!}Uy zN|bBCJ%sO;@3wl0>0gbl3L@1^O60ONObz8ZI7nder>(udj-jt`;yj^nTQ$L9`OU9W zX4alF#$|GiR47%x@s&LV>2Sz2R6?;2R~5k6V>)nz!o_*1Y!$p>BC5&?hJg_MiE6UBy>RkVZj`9UWbRkN-Hk!S`=BS3t3uyX6)7SF#)71*}`~Ogz z1rap5H6~dhBJ83;q-Y<5V35C2&F^JI-it(=5D#v!fAi9p#UwV~2tZQI+W(Dv?1t9? 
zfh*xpxxO{-(VGB>!Q&0%^YW_F!@aZS#ucP|YaD#>wd1Fv&Z*SR&mc;asi}1G) z_H>`!akh-Zxq9#io(7%;a$)w+{QH)Y$?UK1Dt^4)up!Szcxnu}kn$0afcfJL#IL+S z5gF_Y30j;{lNrG6m~$Ay?)*V9fZuU@3=kd40=LhazjFrau>(Y>SJNtOz>8x_X-BlA zIpl{i>OarVGj1v(4?^1`R}aQB&WCRQzS~;7R{tDZG=HhgrW@B`W|#cdyj%YBky)P= zpxuOZkW>S6%q7U{VsB#G(^FMsH5QuGXhb(sY+!-R8Bmv6Sx3WzSW<1MPPN1!&PurYky(@`bP9tz z52}LH9Q?+FF5jR6-;|+GVdRA!qtd;}*-h&iIw3Tq3qF9sDIb1FFxGbo&fbG5n8$3F zyY&PWL{ys^dTO}oZ#@sIX^BKW*bon=;te9j5k+T%wJ zNJtoN1~YVj4~YRrlZl)b&kJqp+Z`DqT!la$x&&IxgOQw#yZd-nBP3!7FijBXD|IsU8Zl^ zc6?MKpJQ+7ka|tZQLfchD$PD|;K(9FiLE|eUZX#EZxhG!S-63C$jWX1Yd!6-Yxi-u zjULIr|0-Q%D9jz}IF~S%>0(jOqZ(Ln<$9PxiySr&2Oic7vb<8q=46)Ln%Z|<*z5&> z3f~Zw@m;vR(bESB<=Jqkxn(=#hQw42l(7)h`vMQQTttz9XW6^|^8EK7qhju4r_c*b zJIi`)MB$w@9epwdIfnEBR+?~);yd6C(LeMC& zn&&N*?-g&BBJcV;8&UoZi4Lmxcj16ojlxR~zMrf=O_^i1wGb9X-0@6_rpjPYemIin zmJb+;lHe;Yp=8G)Q(L1bzH*}I>}uAqhj4;g)PlvD9_e_ScR{Ipq|$8NvAvLD8MYr}xl=bU~)f%B3E>r3Bu9_t|ThF3C5~BdOve zEbk^r&r#PT&?^V1cb{72yEWH}TXEE}w>t!cY~rA+hNOTK8FAtIEoszp!qqptS&;r$ zaYV-NX96-h$6aR@1xz6_E0^N49mU)-v#bwtGJm)ibygzJ8!7|WIrcb`$XH~^!a#s& z{Db-0IOTFq#9!^j!n_F}#Z_nX{YzBK8XLPVmc&X`fT7!@$U-@2KM9soGbmOSAmqV z{nr$L^MBo_u^Joyf0E^=eo{Rt0{{e$IFA(#*kP@SQd6lWT2-#>` zP1)7_@IO!9lk>Zt?#CU?cuhiLF&)+XEM9B)cS(gvQT!X3`wL*{fArTS;Ak`J<84du zALKPz4}3nlG8Fo^MH0L|oK2-4xIY!~Oux~1sw!+It)&D3p;+N8AgqKI`ld6v71wy8I!eP0o~=RVcFQR2Gr(eP_JbSytoQ$Yt}l*4r@A8Me94y z8cTDWhqlq^qoAhbOzGBXv^Wa4vUz$(7B!mX`T=x_ueKRRDfg&Uc-e1+z4x$jyW_Pm zp?U;-R#xt^Z8Ev~`m`iL4*c#65Nn)q#=Y0l1AuD&+{|8-Gsij3LUZXpM0Bx0u7WWm zH|%yE@-#XEph2}-$-thl+S;__ciBxSSzHveP%~v}5I%u!z_l_KoW{KRx2=eB33umE zIYFtu^5=wGU`Jab8#}cnYry@9p5UE#U|VVvx_4l49JQ;jQdp(uw=$^A$EA$LM%vmE zvdEOaIcp5qX8wX{mYf0;#51~imYYPn4=k&#DsKTxo{_Mg*;S495?OBY?#gv=edYC* z^O@-sd-qa+U24xvcbL0@C7_6o!$`)sVr-jSJE4XQUQ$?L7}2(}Eixqv;L8AdJAVqc zq}RPgpnDb@E_;?6K58r3h4-!4rT4Ab#rLHLX?eMOfluJk=3i1@Gt1i#iA=O`M0@x! 
z(HtJP9BMHXEzuD93m|B&woj0g6T?f#^)>J>|I4C5?Gam>n9!8CT%~aT;=oco5d6U8 zMXl(=W;$ND_8+DD*?|5bJ!;8ebESXMUKBAf7YBwNVJibGaJ*(2G`F%wx)grqVPjudiaq^Kl&g$8A2 zWMxMr@_$c}d+;_B`#kUX-t|4VKH&_f^^EP0&=DPLW)H)UzBG%%Tra*5 z%$kyZe3I&S#gfie^z5)!twG={3Cuh)FdeA!Kj<-9** zvT*5%Tb`|QbE!iW-XcOuy39>D3oe6x{>&<#E$o8Ac|j)wq#kQzz|ATd=Z0K!p2$QE zPu?jL8Lb^y3_CQE{*}sTDe!2!dtlFjq&YLY@2#4>XS`}v#PLrpvc4*@q^O{mmnr5D zmyJq~t?8>FWU5vZdE(%4cuZuao0GNjp3~Dt*SLaxI#g_u>hu@k&9Ho*#CZP~lFJHj z(e!SYlLigyc?&5-YxlE{uuk$9b&l6d`uIlpg_z15dPo*iU&|Khx2*A5Fp;8iK_bdP z?T6|^7@lcx2j0T@x>X7|kuuBSB7<^zeY~R~4McconTxA2flHC0_jFxmSTv-~?zVT| zG_|yDqa9lkF*B6_{j=T>=M8r<0s;@z#h)3BQ4NLl@`Xr__o7;~M&dL3J8fP&zLfDfy z);ckcTev{@OUlZ`bCo(-3? z1u1xD`PKgSg?RqeVVsF<1SLF;XYA@Bsa&cY!I48ZJn1V<3d!?s=St?TLo zC0cNr`qD*M#s6f~X>SCNVkva^9A2ZP>CoJ9bvgXe_c}WdX-)pHM5m7O zrHt#g$F0AO+nGA;7dSJ?)|Mo~cf{z2L)Rz!`fpi73Zv)H=a5K)*$5sf_IZypi($P5 zsPwUc4~P-J1@^3C6-r9{V-u0Z&Sl7vNfmuMY4yy*cL>_)BmQF!8Om9Dej%cHxbIzA zhtV0d{=%cr?;bpBPjt@4w=#<>k5ee=TiWAXM2~tUGfm z$s&!Dm0R^V$}fOR*B^kGaipi~rx~A2cS0;t&khV1a4u38*XRUP~f za!rZMtay8bsLt6yFYl@>-y^31(*P!L^^s@mslZy(SMsv9bVoX`O#yBgEcjCmGpyc* zeH$Dw6vB5P*;jor+JOX@;6K#+xc)Z9B8M=x2a@Wx-{snPGpRmOC$zpsqW*JCh@M2Y z#K+M(>=#d^>Of9C`))h<=Bsy)6zaMJ&x-t%&+UcpLjV`jo4R2025 zXaG8EA!0lQa)|dx-@{O)qP6`$rhCkoQqZ`^SW8g-kOwrwsK8 z3ms*AIcyj}-1x&A&vSq{r=QMyp3CHdWH35!sad#!Sm>^|-|afB+Q;|Iq@LFgqIp#Z zD1%H+3I?6RGnk&IFo|u+E0dCxXz4yI^1i!QTu7uvIEH>i3rR{srcST`LIRwdV1P;W z+%AN1NIf@xxvVLiSX`8ILA8MzNqE&7>%jMzGt9wm78bo9<;h*W84i29^w!>V>{N+S zd`5Zmz^G;f=icvoOZfK5#1ctx*~UwD=ab4DGQXehQ!XYnak*dee%YN$_ZPL%KZuz$ zD;$PpT;HM^$KwtQm@7uvT`i6>Hae1CoRVM2)NL<2-k2PiX=eAx+-6j#JI?M}(tuBW zkF%jjLR)O`gI2fcPBxF^HeI|DWwQWHVR!;;{BXXHskxh8F@BMDn`oEi-NHt;CLymW z=KSv5)3dyzec0T5B*`g-MQ<;gz=nIWKUi9ko<|4I(-E0k$QncH>E4l z**1w&#={&zv4Tvhgz#c29`m|;lU-jmaXFMC11 z*dlXDMEOG>VoLMc>!rApwOu2prKSi*!w%`yzGmS+k(zm*CsLK*wv{S_0WX^8A-rKy zbk^Gf_92^7iB_uUF)EE+ET4d|X|>d&mdN?x@vxKAQk`O+r4Qdu>XGy(a(19g;=jU} zFX{O*_NG>!$@jh!U369Lnc+D~qch3uT+_Amyi}*k#LAAwh}k8IPK5a-WZ81ufD>l> 
z$4cF}GSz>ce`3FAic}6W4Z7m9KGO?(eWqi@L|5Hq0@L|&2flN1PVl}XgQ2q*_n2s3 zt5KtowNkTYB5b;SVuoXA@i5irXO)A&%7?V`1@HGCB&)Wgk+l|^XXChq;u(nyPB}b3 zY>m5jkxpZgi)zfbgv&ec4Zqdvm+D<?Im*mXweS9H+V>)zF#Zp3)bhl$PbISY{5=_z!8&*Jv~NYtI-g!>fDs zmvL5O^U%!^VaKA9gvKw|5?-jk>~%CVGvctKmP$kpnpfN{D8@X*Aazi$txfa%vd-|E z>kYmV66W!lNekJPom29LdZ%(I+ZLZYTXzTg*to~m?7vp%{V<~>H+2}PQ?PPAq`36R z<%wR8v6UkS>Wt#hzGk#44W<%9S=nBfB);6clKwnxY}T*w21Qc3_?IJ@4gYzC7s;WP zVQNI(M=S=JT#xsZy7G`cR(BP9*je0bfeN8JN5~zY(DDs0t{LpHOIbN);?T-69Pf3R zSNe*&p2%AwXHL>__g+xd4Hlc_vu<25H?(`nafS%)3UPP7_4;gk-9ckt8SJRTv5v0M z_Hww`qPudL?ajIR&X*;$y-`<)6dxx1U~5eGS13CB!lX;3w7n&lDDiArbAhSycd}+b zya_3p@A`$kQy;|NJZ~s44Hqo7Hwt}X86NK=(ey>lgWTtGL6k@Gy;PbO!M%1~Wcn2k zUFP|*5d>t-X*RU8g%>|(wwj*~#l4z^Aatf^DWd1Wj#Q*AY0D^V@sC`M zjJc6qXu0I7Y*2;;gGu!plAFzG=J;1%eIOdn zQA>J&e05UN*7I5@yRhK|lbBSfJ+5Uq;!&HV@xfPZrgD}kE*1DSq^=%{o%|LChhl#0 zlMb<^a6ixzpd{kNZr|3jTGeEzuo}-eLT-)Q$#b{!vKx8Tg}swCni>{#%vDY$Ww$84 zew3c9BBovqb}_&BRo#^!G(1Eg((BScRZ}C)Oz?y`T5wOrv);)b^4XR8 zhJo7+<^7)qB>I;46!GySzdneZ>n_E1oWZY;kf94#)s)kWjuJN1c+wbVoNQcmnv}{> zN0pF+Sl3E}UQ$}slSZeLJrwT>Sr}#V(dVaezCQl2|4LN`7L7v&siYR|r7M(*JYfR$ zst3=YaDw$FSc{g}KHO&QiKxuhEzF{f%RJLKe3p*7=oo`WNP)M(9X1zIQPP0XHhY3c znrP{$4#Ol$A0s|4S7Gx2L23dv*Gv2o;h((XVn+9+$qvm}s%zi6nI-_s6?mG! 
zj{DV;qesJb&owKeEK?=J>UcAlYckA7Sl+I&IN=yasrZOkejir*kE@SN`fk<8Fgx*$ zy&fE6?}G)d_N`){P~U@1jRVA|2*69)KSe_}!~?+`Yb{Y=O~_+@!j<&oVQQMnhoIRU zA0CyF1OFfkK44n*JD~!2!SCPM;PRSk%1XL=0&rz00wxPs&-_eapJy#$h!eqY%nS0{ z!aGg58JIJPF3_ci%n)QSVpa2H`vIe$RD43;#IRfDV&Ibit z+?>HW4{2wOfC6Fw)}4x}i1maDxcE1qi@BS*qcxD2gE@h3#4cgU*D-&3z7D|tVZWt= z-Cy2+*Cm@P4GN_TPUtaVyVesbVDazF@)j8VJ4>XZv!f%}&eO1SvIgr}4`A*3#vat< z_MoByL(qW6L7SFZ#|Gc1fFN)L2PxY+{B8tJp+pxRyz*87)vXR}*=&ahXjBlQKguuf zX6x<<6fQulE^C*KH8~W%ptpaC0l?b=_{~*U4?5Vt;dgM4t_{&UZ1C2j?b>b+5}{IF_CUyvz-@QZPMlJ)r_tS$9kH%RPv#2_nMb zRLj5;chJ72*U`Z@Dqt4$@_+k$%|8m(HqLG!qT4P^DdfvGf&){gKnGCX#H0!;W=AGP zbA&Z`-__a)VTS}kKFjWGk z%|>yE?t*EJ!qeQ%dPk$;xIQ+P0;()PCBDgjJm6Buj{f^awNoVx+9<|lg3%-$G(*f) zll6oOkN|yamn1uyl2*N-lnqRI1cvs_JxLTeahEK=THV$Sz*gQhKNb*p0fNoda#-&F zB-qJgW^g}!TtM|0bS2QZekW7_tKu%GcJ!4?lObt0z_$mZ4rbQ0o=^curCs3bJK6sq z9fu-aW-l#>z~ca(B;4yv;2RZ?tGYAU)^)Kz{L|4oPj zdOf_?de|#yS)p2v8-N||+XL=O*%3+y)oI(HbM)Ds?q8~HPzIP(vs*G`iddbWq}! z(2!VjP&{Z1w+%eUq^ '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit + +APP_NAME="Gradle" +APP_BASE_NAME=${0##*/} + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + +# Collect all arguments for the java command; +# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of +# shell script including quotes and variable substitutions, so put them in +# double quotes to make sure that they get re-expanded; and +# * put everything else in single quotes, so that it's not re-expanded. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradlew.bat b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradlew.bat new file mode 100644 index 000000000..53a6b238d --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradlew.bat 
@@ -0,0 +1,91 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. 
+echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/settings.gradle b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/settings.gradle new file mode 100644 index 000000000..733fda690 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/settings.gradle @@ -0,0 +1,8 @@ +pluginManagement { + repositories { + mavenCentral() + gradlePluginPortal() + maven { url 'https://repo.spring.io/milestone' } + maven { url "https://repo.spring.io/snapshot" } + } +} diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java new file mode 100644 index 000000000..0dda07bf7 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java 
@@ -0,0 +1,71 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Configuration
+public class SecurityConfig {
+
+ @Controller
+ static class LoginController {
+ @GetMapping("/webauthn")
+ String webauthn() {
+ return "webauthn";
+ }
+ }
+
+ @Bean
+ SecurityFilterChain web(HttpSecurity http) throws Exception {
+ // @formatter:off
+ http
+ .authorizeHttpRequests((authorize) -> authorize
+ .requestMatchers("/webauthn/**").permitAll()
+ .anyRequest().authenticated())
+ .x509((x509) -> x509.factor(Customizer.withDefaults()))
+ .formLogin(Customizer.withDefaults())
+ .webAuthn((webauthn) -> webauthn
+ .rpId("api.127.0.0.1.nip.io")
+ .rpName("X.509+WebAuthn MFA Sample")
+ .allowedOrigins("https://api.127.0.0.1.nip.io:8443")
+ .factor((f) -> f.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/webauthn")))
+ );
+ // @formatter:on
+ return http.build();
+ }
+
+ @Bean
+ public UserDetailsService userDetailsService() {
+ return new InMemoryUserDetailsManager(
+ User.withDefaultPasswordEncoder()
+ .username("josh")
+ .password("password")
+ .authorities("app")
+ .build()
+ );
+ }
+}
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/X509WebAuthnMfaApplication.java b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/X509WebAuthnMfaApplication.java
new file mode 100644
index 000000000..6c9c62ac8
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/X509WebAuthnMfaApplication.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * Hello Security application.
+ *
+ * @author Josh Cummings
+ */
+@SpringBootApplication
+public class X509WebAuthnMfaApplication {
+
+ public static void main(String[] args) {
+ SpringApplication.run(X509WebAuthnMfaApplication.class, args);
+ }
+
+}
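Review bot: `userDetailsService()` builds its only user with `User.withDefaultPasswordEncoder()` and the literal password `"password"`, and nothing in the file says this is a demo-only fixture; `withDefaultPasswordEncoder()` is deprecated in Spring Security precisely because it is meant for samples, so the intent should be written down where the user is created. A short comment on the `return new InMemoryUserDetailsManager(` line such as `// Demo-only user: withDefaultPasswordEncoder() is deprecated and the literal credential exists so the X.509 + WebAuthn flow can be walked through locally` would keep readers from copying this into a real application. The two beans also differ in visibility — `web(...)` is package-private while `userDetailsService()` is `public` — and one style should be chosen for both. Neither `SecurityConfig` nor the nested `LoginController` carries a class comment; a one-liner on the class explaining that `/webauthn/**` is left open so the second-factor page is reachable after the X.509 factor would make the `permitAll()` line self-explanatory.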
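Review bot: The class Javadoc reads `Hello Security application.`, which looks copied from another sample and says nothing about what this entry point starts. Replace it with `* Entry point for the X.509 + WebAuthn MFA sample.` so the Javadoc matches the class name `X509WebAuthnMfaApplication` and the sample's purpose.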
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/api-keystore.p12 b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/api-keystore.p12
new file mode 120000
index 000000000..07aa33fc9
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/api-keystore.p12
@@ -0,0 +1 @@
+../../../etc/api-keystore.p12
\ No newline at end of file
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/api-truststore.p12 b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/api-truststore.p12
new file mode 120000
index 000000000..9d60902a6
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/api-truststore.p12
@@ -0,0 +1 @@
+../../../etc/api-truststore.p12
\ No newline at end of file
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/application.properties b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/application.properties
new file mode 100644
index 000000000..c8b145c1b
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/application.properties
@@ -0,0 +1,12 @@
+logging.level.org.springframework.security=TRACE
+
+server.port=8443
+server.ssl.enabled=true
+server.ssl.key-store-type=PKCS12
+server.ssl.key-store=classpath:api-keystore.p12
+server.ssl.key-store-password=password
+server.ssl.key-alias=api
+server.ssl.trust-store-type=PKCS12
+server.ssl.trust-store=classpath:api-truststore.p12
+server.ssl.trust-store-password=password
+server.ssl.client-auth=need
\ No newline at end of file
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/templates/index.html b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/templates/index.html
new file mode 100644
index 000000000..4e71378a5
--- /dev/null
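Review bot: `server.ssl.key-store-password` and `server.ssl.trust-store-password` are both the literal `password` for stores that are checked in (the two symlinks above point at `../../../etc/`), and the file gives no hint that these are throwaway sample artifacts rather than a configuration to reuse. A header comment such as `# Sample-only keystore/truststore and passwords; the stores are generated by the scripts under etc/ and are not meant for any real deployment` would make that explicit — I am inferring the generation scripts from the symlink targets, so adjust the path if they live elsewhere. `logging.level.org.springframework.security=TRACE` likewise deserves a one-line comment saying it is there to show the X.509-then-WebAuthn factor sequence in the log, since TRACE on that package is far more verbose than a default configuration would use. `server.ssl.client-auth=need` is what makes the first factor mandatory at the TLS layer, and a short comment tying it to the `.x509(...)` factor in `SecurityConfig` would help readers see why the two settings belong together.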
+++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/templates/index.html @@ -0,0 +1,9 @@ + + + Hello Security! + + +

Hello Security

+ Log Out + + \ No newline at end of file diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/templates/webauthn.html b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/templates/webauthn.html new file mode 100644 index 000000000..be032ec96 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/resources/templates/webauthn.html @@ -0,0 +1,32 @@ + + + + + + + + Please sign in + + + + + +
+ +
+ + \ No newline at end of file diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/test/java/example/X509WebAuthnMfaApplicationTests.java b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/test/java/example/X509WebAuthnMfaApplicationTests.java new file mode 100644 index 000000000..213b0d608 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/test/java/example/X509WebAuthnMfaApplicationTests.java 
@@ -0,0 +1,190 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import com.j256.twofactorauth.TimeBasedOneTimePasswordUtil;
+import jakarta.servlet.http.HttpSession;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
+
+/**
+ * @author Rob Winch
+ */
+@SpringBootTest
+@AutoConfigureMockMvc
+@Disabled
+public class X509WebAuthnMfaApplicationTests {
+
+ private static final String hexKey = "80ed266dd80bcd32564f0f4aaa8d9b149a2b1eaa";
+
+ @Autowired
+ private MockMvc mockMvc;
+
+ @Test
+ void mfaWhenAllFactorsSucceedMatchesThenWorks() throws Exception {
+ // @formatter:off
+ MvcResult result = this.mockMvc.perform(formLogin()
+ .user("user@example.com")
+ .password("password"))
+ .andExpect(redirectedUrl("/second-factor"))
+ .andReturn();
+
+ HttpSession session = result.getRequest().getSession();
+
+ Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey);
+ this.mockMvc.perform(post("/second-factor")
+ .session((MockHttpSession) session)
+ .param("code", String.valueOf(code))
+ .with(csrf()))
+ .andExpect(redirectedUrl("/third-factor"));
+
+ this.mockMvc.perform(post("/third-factor")
+ .session((MockHttpSession) session)
+ .param("answer", "smith")
+ .with(csrf()))
+ .andExpect(redirectedUrl("/"));
+ // @formatter:on
+ }
+
+ @Test
+ void mfaWhenBadCredsThenStillRequestsRemainingFactorsAndRedirects() throws Exception {
+ // @formatter:off
+ MvcResult result = this.mockMvc.perform(formLogin()
+ .user("user@example.com")
+ .password("wrongpassword"))
+ .andExpect(redirectedUrl("/second-factor"))
+ .andReturn();
+
+ HttpSession session = result.getRequest().getSession();
+
+ Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey);
+ this.mockMvc.perform(post("/second-factor")
+ .session((MockHttpSession) session)
+ .param("code", String.valueOf(code))
+ .with(csrf()))
+ .andExpect(redirectedUrl("/third-factor"));
+
+ this.mockMvc.perform(post("/third-factor")
+ .session((MockHttpSession) session)
+ .param("answer", "smith")
+ .with(csrf()))
+ .andExpect(redirectedUrl("/login?error"));
+ // @formatter:on
+ }
+
+ @Test
+ void mfaWhenWrongCodeThenRedirects() throws Exception {
+ // @formatter:off
+ MvcResult result = this.mockMvc.perform(formLogin()
+ .user("user@example.com")
+ .password("password"))
+ .andExpect(redirectedUrl("/second-factor"))
+ .andReturn();
+
+ HttpSession session = result.getRequest().getSession();
+
+ Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey) - 1;
+ this.mockMvc.perform(post("/second-factor")
+ .session((MockHttpSession) session)
+ .param("code", String.valueOf(code))
+ .with(csrf()))
+ .andExpect(redirectedUrl("/third-factor"));
+
+ this.mockMvc.perform(post("/third-factor")
+ .session((MockHttpSession) session)
+ .param("answer", "smith")
+ .with(csrf()))
+ .andExpect(redirectedUrl("/login?error"));
+ // @formatter:on
+ }
+
+ @Test
+ void mfaWhenWrongSecurityAnswerThenRedirects() throws Exception {
+ // @formatter:off
+ MvcResult result = this.mockMvc.perform(formLogin()
+ .user("user@example.com")
+ .password("password"))
+ .andExpect(redirectedUrl("/second-factor"))
+ .andReturn();
+
+ HttpSession session = result.getRequest().getSession();
+
+ Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey);
+ this.mockMvc.perform(post("/second-factor")
+ .session((MockHttpSession) session)
+ .param("code", String.valueOf(code))
+ .with(csrf()))
+ .andExpect(redirectedUrl("/third-factor"));
+
+ this.mockMvc.perform(post("/third-factor")
+ .session((MockHttpSession) session)
+ .param("answer", "wilson")
+ .with(csrf()))
+ .andExpect(redirectedUrl("/login?error"));
+ // @formatter:on
+ }
+
+ @Test
+ void mfaWhenInProcessThenCantViewOtherPages() throws Exception {
+ // @formatter:off
+ MvcResult result = this.mockMvc.perform(formLogin()
+ .user("user@example.com")
+ .password("password"))
+ .andExpect(redirectedUrl("/second-factor"))
+ .andReturn();
+
+ HttpSession session = result.getRequest().getSession();
+
+ this.mockMvc.perform(get("/")
+ .session((MockHttpSession) session))
+ .andExpect(redirectedUrl("http://localhost/login"));
+
+ result = this.mockMvc.perform(formLogin()
+ .user("user@example.com")
+ .password("password"))
+ .andExpect(redirectedUrl("/second-factor"))
+ .andReturn();
+
+ session = result.getRequest().getSession();
+
+ Integer code = TimeBasedOneTimePasswordUtil.generateCurrentNumberHex(hexKey);
+ this.mockMvc.perform(post("/second-factor")
+ .session((MockHttpSession) session)
+ .param("code", String.valueOf(code))
+ .with(csrf()))
+ .andExpect(redirectedUrl("/third-factor"));
+
+ this.mockMvc.perform(get("/")
+ .session((MockHttpSession) session))
+ .andExpect(redirectedUrl("http://localhost/login"));
+ // @formatter:on
+ }
+
+}
diff --git a/settings.gradle b/settings.gradle
index ce164110e..15338b858 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -53,6 +53,7 @@ include ":servlet:spring-boot:java:aot:data"
 include ":servlet:spring-boot:java:authentication:username-password:user-details-service:custom-user"
 include ":servlet:spring-boot:java:authentication:username-password:mfa"
 include ":servlet:spring-boot:java:authentication:mfa:x509+formLogin"
+include ":servlet:spring-boot:java:authentication:mfa:x509+webauthn"
 include ":servlet:spring-boot:java:authentication:mfa:formLogin+ott"
 include ":servlet:spring-boot:java:authentication:username-password:compromised-password-checker"
 include ":servlet:spring-boot:java:authentication:one-time-token:magic-link"
From 5f2233370db633bb708d47b530259b17fcb714a7 Mon Sep 17 00:00:00 2001
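Review bot: The test class is `@Disabled` with no reason given, and every test body drives `formLogin()`, a TOTP code from `TimeBasedOneTimePasswordUtil`, and a `/third-factor` security-question answer, none of which is X.509 or WebAuthn; it reads as carried over from the username-password MFA sample rather than written for `X509WebAuthnMfaApplicationTests`. The stale `Copyright 2021` header and `@author Rob Winch` Javadoc on a newly added file support that reading. At minimum give the annotation a reason so the gap shows up in reports, `@Disabled("carried over from the username-password MFA sample; does not yet cover X.509 + WebAuthn")`. Until the bodies are rewritten, the sample's `client-auth=need` mTLS requirement and its WebAuthn step have no automated coverage.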
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Wed, 13 Aug 2025 18:12:18 -0600 Subject: [PATCH 11/21] Add OAuth2 Step-Up Sample This sample illustrates how we can request additional scopes in a granular way should the user initially refuse. --- .../java/authentication/mfa/oauth2/.gitignore | 37 +++ .../java/authentication/mfa/oauth2/README.md | 3 + .../authentication/mfa/oauth2/build.gradle | 34 +++ .../mfa/oauth2/gradle.properties | 4 + .../mfa/oauth2/gradle/libs.versions.toml | 1 + .../oauth2/gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 43453 bytes .../gradle/wrapper/gradle-wrapper.properties | 7 + .../java/authentication/mfa/oauth2/gradlew | 249 ++++++++++++++++++ .../authentication/mfa/oauth2/gradlew.bat | 92 +++++++ .../authentication/mfa/oauth2/settings.gradle | 8 + .../magiclink/FormLoginOAuth2Application.java | 52 ++++ .../org/example/magiclink/SecurityConfig.java | 111 ++++++++ .../oauth2/src/main/resources/application.yml | 5 + .../main/resources/static/css/default-ui.css | 172 ++++++++++++ .../src/main/resources/templates/index.html | 20 ++ .../src/main/resources/templates/login.html | 29 ++ .../src/main/resources/templates/profile.html | 16 ++ .../FormLoginOAuth2ApplicationTests.java | 80 ++++++ .../oauth2/src/test/resources/application.yml | 6 + settings.gradle | 1 + 20 files changed, 927 insertions(+) create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/.gitignore create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/README.md create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/build.gradle create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/gradle.properties create mode 120000 servlet/spring-boot/java/authentication/mfa/oauth2/gradle/libs.versions.toml create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/gradle/wrapper/gradle-wrapper.jar create mode 100644 
servlet/spring-boot/java/authentication/mfa/oauth2/gradle/wrapper/gradle-wrapper.properties create mode 100755 servlet/spring-boot/java/authentication/mfa/oauth2/gradlew create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/gradlew.bat create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/settings.gradle create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/FormLoginOAuth2Application.java create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/application.yml create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/static/css/default-ui.css create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/templates/index.html create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/templates/login.html create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/templates/profile.html create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/src/test/java/org/example/magiclink/FormLoginOAuth2ApplicationTests.java create mode 100644 servlet/spring-boot/java/authentication/mfa/oauth2/src/test/resources/application.yml diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/.gitignore b/servlet/spring-boot/java/authentication/mfa/oauth2/.gitignore new file mode 100644 index 000000000..c2065bc26 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/.gitignore 
@@ -0,0 +1,37 @@
+HELP.md
+.gradle
+build/
+!gradle/wrapper/gradle-wrapper.jar
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+bin/
+!**/src/main/**/bin/
+!**/src/test/**/bin/
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+out/
+!**/src/main/**/out/
+!**/src/test/**/out/
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+
+### VS Code ###
+.vscode/
diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/README.md b/servlet/spring-boot/java/authentication/mfa/oauth2/README.md
new file mode 100644
index 000000000..fdf74d537
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/oauth2/README.md
@@ -0,0 +1,3 @@
+This application uses Spring Boot Docker Compose to start a [Maildev](https://github.com/maildev/maildev) container.
+
+After requesting a token on `http://localhost:8080/login`, access `http://localhost:1080` to verify the email containing the magic link.
diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/build.gradle b/servlet/spring-boot/java/authentication/mfa/oauth2/build.gradle
new file mode 100644
index 000000000..d19f311a2
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/oauth2/build.gradle
@@ -0,0 +1,34 @@
+plugins {
+ id 'java'
+ alias(libs.plugins.io.spring.dependency.management)
+ alias(libs.plugins.org.springframework.boot)
+}
+
+java {
+ toolchain {
+ languageVersion = JavaLanguageVersion.of(17)
+ }
+}
+
+repositories {
+ mavenLocal()
+ mavenCentral()
+ maven { url "https://repo.spring.io/milestone" }
+ maven { url "https://repo.spring.io/snapshot" }
+}
+
+dependencies {
+ implementation 'org.springframework.boot:spring-boot-starter-security'
+ implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
+ implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
+ implementation 'org.springframework.boot:spring-boot-starter-web'
+ implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6'
+ testImplementation 'org.springframework.boot:spring-boot-starter-test'
+ testImplementation 'org.springframework.security:spring-security-test'
+ testImplementation 'com.icegreen:greenmail-junit5:2.0.1'
+ testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
+}
+
+tasks.named('test') {
+ useJUnitPlatform()
+}
diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/gradle.properties b/servlet/spring-boot/java/authentication/mfa/oauth2/gradle.properties
new file mode 100644
index 000000000..a5a6444df
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/oauth2/gradle.properties
@@ -0,0 +1,4 @@
+version=6.1.1
+spring-security.version=7.0.0-SNAPSHOT
+org.gradle.jvmargs=-Xmx6g -XX:+HeapDumpOnOutOfMemoryError
+org.gradle.caching=true
diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/gradle/libs.versions.toml b/servlet/spring-boot/java/authentication/mfa/oauth2/gradle/libs.versions.toml
new file mode 120000
index 000000000..ebb52ed22
--- /dev/null
+++ b/servlet/spring-boot/java/authentication/mfa/oauth2/gradle/libs.versions.toml
@@ -0,0 +1 @@
+../../../../../../../gradle/libs.versions.toml
\ No newline at end of file
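Review bot: `testImplementation 'com.icegreen:greenmail-junit5:2.0.1'` appears to be a leftover from the magic-link sample (the `org.example.magiclink` package in the diffstat and the Maildev README in the preceding hunk point the same way); an OAuth2 step-up sample has no mail flow for it to exercise, so it is an extra third-party test dependency that buys no coverage. Separately, `mavenLocal()` is listed ahead of `mavenCentral()` and the Spring snapshot repository while `gradle.properties` pins `spring-security.version=7.0.0-SNAPSHOT`, so what a build resolves depends on the builder's local cache and the snapshot of the day rather than a fixed artifact. Suggest dropping the greenmail line and ordering the repositories `mavenCentral()` before `mavenLocal()`, with a comment noting the snapshot pin is sample-only if it is intentional.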
diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/gradle/wrapper/gradle-wrapper.jar b/servlet/spring-boot/java/authentication/mfa/oauth2/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000000000000000000000000000000000000..e6441136f3d4ba8a0da8d277868979cfbc8ad796 GIT binary patch literal 43453 zcma&N1CXTcmMvW9vTb(Rwr$&4wr$(C?dmSu>@vG-+vuvg^_??!{yS%8zW-#zn-LkA z5&1^$^{lnmUON?}LBF8_K|(?T0Ra(xUH{($5eN!MR#ZihR#HxkUPe+_R8Cn`RRs(P z_^*#_XlXmGv7!4;*Y%p4nw?{bNp@UZHv1?Um8r6)Fei3p@ClJn0ECfg1hkeuUU@Or zDaPa;U3fE=3L}DooL;8f;P0ipPt0Z~9P0)lbStMS)ag54=uL9ia-Lm3nh|@(Y?B`; zx_#arJIpXH!U{fbCbI^17}6Ri*H<>OLR%c|^mh8+)*h~K8Z!9)DPf zR2h?lbDZQ`p9P;&DQ4F0sur@TMa!Y}S8irn(%d-gi0*WxxCSk*A?3lGh=gcYN?FGl z7D=Js!i~0=u3rox^eO3i@$0=n{K1lPNU zwmfjRVmLOCRfe=seV&P*1Iq=^i`502keY8Uy-WNPwVNNtJFx?IwAyRPZo2Wo1+S(xF37LJZ~%i)kpFQ3Fw=mXfd@>%+)RpYQLnr}B~~zoof(JVm^^&f zxKV^+3D3$A1G;qh4gPVjhrC8e(VYUHv#dy^)(RoUFM?o%W-EHxufuWf(l*@-l+7vt z=l`qmR56K~F|v<^Pd*p~1_y^P0P^aPC##d8+HqX4IR1gu+7w#~TBFphJxF)T$2WEa zxa?H&6=Qe7d(#tha?_1uQys2KtHQ{)Qco)qwGjrdNL7thd^G5i8Os)CHqc>iOidS} z%nFEDdm=GXBw=yXe1W-ShHHFb?Cc70+$W~z_+}nAoHFYI1MV1wZegw*0y^tC*s%3h zhD3tN8b=Gv&rj}!SUM6|ajSPp*58KR7MPpI{oAJCtY~JECm)*m_x>AZEu>DFgUcby z1Qaw8lU4jZpQ_$;*7RME+gq1KySGG#Wql>aL~k9tLrSO()LWn*q&YxHEuzmwd1?aAtI zBJ>P=&$=l1efe1CDU;`Fd+_;&wI07?V0aAIgc(!{a z0Jg6Y=inXc3^n!U0Atk`iCFIQooHqcWhO(qrieUOW8X(x?(RD}iYDLMjSwffH2~tB z)oDgNBLB^AJBM1M^c5HdRx6fBfka`(LD-qrlh5jqH~);#nw|iyp)()xVYak3;Ybik z0j`(+69aK*B>)e_p%=wu8XC&9e{AO4c~O1U`5X9}?0mrd*m$_EUek{R?DNSh(=br# z#Q61gBzEpmy`$pA*6!87 zSDD+=@fTY7<4A?GLqpA?Pb2z$pbCc4B4zL{BeZ?F-8`s$?>*lXXtn*NC61>|*w7J* z$?!iB{6R-0=KFmyp1nnEmLsA-H0a6l+1uaH^g%c(p{iT&YFrbQ$&PRb8Up#X3@Zsk zD^^&LK~111%cqlP%!_gFNa^dTYT?rhkGl}5=fL{a`UViaXWI$k-UcHJwmaH1s=S$4 z%4)PdWJX;hh5UoK?6aWoyLxX&NhNRqKam7tcOkLh{%j3K^4Mgx1@i|Pi&}<^5>hs5 zm8?uOS>%)NzT(%PjVPGa?X%`N2TQCKbeH2l;cTnHiHppPSJ<7y-yEIiC!P*ikl&!B z%+?>VttCOQM@ShFguHVjxX^?mHX^hSaO_;pnyh^v9EumqSZTi+#f&_Vaija0Q-e*| 
z7ulQj6Fs*bbmsWp{`auM04gGwsYYdNNZcg|ph0OgD>7O}Asn7^Z=eI>`$2*v78;sj-}oMoEj&@)9+ycEOo92xSyY344^ z11Hb8^kdOvbf^GNAK++bYioknrpdN>+u8R?JxG=!2Kd9r=YWCOJYXYuM0cOq^FhEd zBg2puKy__7VT3-r*dG4c62Wgxi52EMCQ`bKgf*#*ou(D4-ZN$+mg&7$u!! z-^+Z%;-3IDwqZ|K=ah85OLwkO zKxNBh+4QHh)u9D?MFtpbl)us}9+V!D%w9jfAMYEb>%$A;u)rrI zuBudh;5PN}_6J_}l55P3l_)&RMlH{m!)ai-i$g)&*M`eN$XQMw{v^r@-125^RRCF0 z^2>|DxhQw(mtNEI2Kj(;KblC7x=JlK$@78`O~>V!`|1Lm-^JR$-5pUANAnb(5}B}JGjBsliK4& zk6y(;$e&h)lh2)L=bvZKbvh@>vLlreBdH8No2>$#%_Wp1U0N7Ank!6$dFSi#xzh|( zRi{Uw%-4W!{IXZ)fWx@XX6;&(m_F%c6~X8hx=BN1&q}*( zoaNjWabE{oUPb!Bt$eyd#$5j9rItB-h*5JiNi(v^e|XKAj*8(k<5-2$&ZBR5fF|JA z9&m4fbzNQnAU}r8ab>fFV%J0z5awe#UZ|bz?Ur)U9bCIKWEzi2%A+5CLqh?}K4JHi z4vtM;+uPsVz{Lfr;78W78gC;z*yTch~4YkLr&m-7%-xc ztw6Mh2d>_iO*$Rd8(-Cr1_V8EO1f*^@wRoSozS) zy1UoC@pruAaC8Z_7~_w4Q6n*&B0AjOmMWa;sIav&gu z|J5&|{=a@vR!~k-OjKEgPFCzcJ>#A1uL&7xTDn;{XBdeM}V=l3B8fE1--DHjSaxoSjNKEM9|U9#m2<3>n{Iuo`r3UZp;>GkT2YBNAh|b z^jTq-hJp(ebZh#Lk8hVBP%qXwv-@vbvoREX$TqRGTgEi$%_F9tZES@z8Bx}$#5eeG zk^UsLBH{bc2VBW)*EdS({yw=?qmevwi?BL6*=12k9zM5gJv1>y#ML4!)iiPzVaH9% zgSImetD@dam~e>{LvVh!phhzpW+iFvWpGT#CVE5TQ40n%F|p(sP5mXxna+Ev7PDwA zamaV4m*^~*xV+&p;W749xhb_X=$|LD;FHuB&JL5?*Y2-oIT(wYY2;73<^#46S~Gx| z^cez%V7x$81}UWqS13Gz80379Rj;6~WdiXWOSsdmzY39L;Hg3MH43o*y8ibNBBH`(av4|u;YPq%{R;IuYow<+GEsf@R?=@tT@!}?#>zIIn0CoyV!hq3mw zHj>OOjfJM3F{RG#6ujzo?y32m^tgSXf@v=J$ELdJ+=5j|=F-~hP$G&}tDZsZE?5rX ztGj`!S>)CFmdkccxM9eGIcGnS2AfK#gXwj%esuIBNJQP1WV~b~+D7PJTmWGTSDrR` zEAu4B8l>NPuhsk5a`rReSya2nfV1EK01+G!x8aBdTs3Io$u5!6n6KX%uv@DxAp3F@{4UYg4SWJtQ-W~0MDb|j-$lwVn znAm*Pl!?Ps&3wO=R115RWKb*JKoexo*)uhhHBncEDMSVa_PyA>k{Zm2(wMQ(5NM3# z)jkza|GoWEQo4^s*wE(gHz?Xsg4`}HUAcs42cM1-qq_=+=!Gk^y710j=66(cSWqUe zklbm8+zB_syQv5A2rj!Vbw8;|$@C!vfNmNV!yJIWDQ>{+2x zKjuFX`~~HKG~^6h5FntRpnnHt=D&rq0>IJ9#F0eM)Y-)GpRjiN7gkA8wvnG#K=q{q z9dBn8_~wm4J<3J_vl|9H{7q6u2A!cW{bp#r*-f{gOV^e=8S{nc1DxMHFwuM$;aVI^ zz6A*}m8N-&x8;aunp1w7_vtB*pa+OYBw=TMc6QK=mbA-|Cf* zvyh8D4LRJImooUaSb7t*fVfih<97Gf@VE0|z>NcBwBQze);Rh!k3K_sfunToZY;f2 
z^HmC4KjHRVg+eKYj;PRN^|E0>Gj_zagfRbrki68I^#~6-HaHg3BUW%+clM1xQEdPYt_g<2K+z!$>*$9nQ>; zf9Bei{?zY^-e{q_*|W#2rJG`2fy@{%6u0i_VEWTq$*(ZN37|8lFFFt)nCG({r!q#9 z5VK_kkSJ3?zOH)OezMT{!YkCuSSn!K#-Rhl$uUM(bq*jY? zi1xbMVthJ`E>d>(f3)~fozjg^@eheMF6<)I`oeJYx4*+M&%c9VArn(OM-wp%M<-`x z7sLP1&3^%Nld9Dhm@$3f2}87!quhI@nwd@3~fZl_3LYW-B?Ia>ui`ELg z&Qfe!7m6ze=mZ`Ia9$z|ARSw|IdMpooY4YiPN8K z4B(ts3p%2i(Td=tgEHX z0UQ_>URBtG+-?0E;E7Ld^dyZ;jjw0}XZ(}-QzC6+NN=40oDb2^v!L1g9xRvE#@IBR zO!b-2N7wVfLV;mhEaXQ9XAU+>=XVA6f&T4Z-@AX!leJ8obP^P^wP0aICND?~w&NykJ#54x3_@r7IDMdRNy4Hh;h*!u(Ol(#0bJdwEo$5437-UBjQ+j=Ic>Q2z` zJNDf0yO6@mr6y1#n3)s(W|$iE_i8r@Gd@!DWDqZ7J&~gAm1#~maIGJ1sls^gxL9LLG_NhU!pTGty!TbhzQnu)I*S^54U6Yu%ZeCg`R>Q zhBv$n5j0v%O_j{QYWG!R9W?5_b&67KB$t}&e2LdMvd(PxN6Ir!H4>PNlerpBL>Zvyy!yw z-SOo8caEpDt(}|gKPBd$qND5#a5nju^O>V&;f890?yEOfkSG^HQVmEbM3Ugzu+UtH zC(INPDdraBN?P%kE;*Ae%Wto&sgw(crfZ#Qy(<4nk;S|hD3j{IQRI6Yq|f^basLY; z-HB&Je%Gg}Jt@={_C{L$!RM;$$|iD6vu#3w?v?*;&()uB|I-XqEKqZPS!reW9JkLewLb!70T7n`i!gNtb1%vN- zySZj{8-1>6E%H&=V}LM#xmt`J3XQoaD|@XygXjdZ1+P77-=;=eYpoEQ01B@L*a(uW zrZeZz?HJsw_4g0vhUgkg@VF8<-X$B8pOqCuWAl28uB|@r`19DTUQQsb^pfqB6QtiT z*`_UZ`fT}vtUY#%sq2{rchyfu*pCg;uec2$-$N_xgjZcoumE5vSI{+s@iLWoz^Mf; zuI8kDP{!XY6OP~q5}%1&L}CtfH^N<3o4L@J@zg1-mt{9L`s^z$Vgb|mr{@WiwAqKg zp#t-lhrU>F8o0s1q_9y`gQNf~Vb!F%70f}$>i7o4ho$`uciNf=xgJ>&!gSt0g;M>*x4-`U)ysFW&Vs^Vk6m%?iuWU+o&m(2Jm26Y(3%TL; zA7T)BP{WS!&xmxNw%J=$MPfn(9*^*TV;$JwRy8Zl*yUZi8jWYF>==j~&S|Xinsb%c z2?B+kpet*muEW7@AzjBA^wAJBY8i|#C{WtO_or&Nj2{=6JTTX05}|H>N2B|Wf!*3_ z7hW*j6p3TvpghEc6-wufFiY!%-GvOx*bZrhZu+7?iSrZL5q9}igiF^*R3%DE4aCHZ zqu>xS8LkW+Auv%z-<1Xs92u23R$nk@Pk}MU5!gT|c7vGlEA%G^2th&Q*zfg%-D^=f z&J_}jskj|Q;73NP4<4k*Y%pXPU2Thoqr+5uH1yEYM|VtBPW6lXaetokD0u z9qVek6Q&wk)tFbQ8(^HGf3Wp16gKmr>G;#G(HRBx?F`9AIRboK+;OfHaLJ(P>IP0w zyTbTkx_THEOs%Q&aPrxbZrJlio+hCC_HK<4%f3ZoSAyG7Dn`=X=&h@m*|UYO-4Hq0 z-Bq&+Ie!S##4A6OGoC~>ZW`Y5J)*ouaFl_e9GA*VSL!O_@xGiBw!AF}1{tB)z(w%c zS1Hmrb9OC8>0a_$BzeiN?rkPLc9%&;1CZW*4}CDDNr2gcl_3z+WC15&H1Zc2{o~i) 
z)LLW=WQ{?ricmC`G1GfJ0Yp4Dy~Ba;j6ZV4r{8xRs`13{dD!xXmr^Aga|C=iSmor% z8hi|pTXH)5Yf&v~exp3o+sY4B^^b*eYkkCYl*T{*=-0HniSA_1F53eCb{x~1k3*`W zr~};p1A`k{1DV9=UPnLDgz{aJH=-LQo<5%+Em!DNN252xwIf*wF_zS^!(XSm(9eoj z=*dXG&n0>)_)N5oc6v!>-bd(2ragD8O=M|wGW z!xJQS<)u70m&6OmrF0WSsr@I%T*c#Qo#Ha4d3COcX+9}hM5!7JIGF>7<~C(Ear^Sn zm^ZFkV6~Ula6+8S?oOROOA6$C&q&dp`>oR-2Ym3(HT@O7Sd5c~+kjrmM)YmgPH*tL zX+znN>`tv;5eOfX?h{AuX^LK~V#gPCu=)Tigtq9&?7Xh$qN|%A$?V*v=&-2F$zTUv z`C#WyIrChS5|Kgm_GeudCFf;)!WH7FI60j^0o#65o6`w*S7R@)88n$1nrgU(oU0M9 zx+EuMkC>(4j1;m6NoGqEkpJYJ?vc|B zOlwT3t&UgL!pX_P*6g36`ZXQ; z9~Cv}ANFnJGp(;ZhS(@FT;3e)0)Kp;h^x;$*xZn*k0U6-&FwI=uOGaODdrsp-!K$Ac32^c{+FhI-HkYd5v=`PGsg%6I`4d9Jy)uW0y%) zm&j^9WBAp*P8#kGJUhB!L?a%h$hJgQrx!6KCB_TRo%9{t0J7KW8!o1B!NC)VGLM5! zpZy5Jc{`r{1e(jd%jsG7k%I+m#CGS*BPA65ZVW~fLYw0dA-H_}O zrkGFL&P1PG9p2(%QiEWm6x;U-U&I#;Em$nx-_I^wtgw3xUPVVu zqSuKnx&dIT-XT+T10p;yjo1Y)z(x1fb8Dzfn8e yu?e%!_ptzGB|8GrCfu%p?(_ zQccdaaVK$5bz;*rnyK{_SQYM>;aES6Qs^lj9lEs6_J+%nIiuQC*fN;z8md>r_~Mfl zU%p5Dt_YT>gQqfr@`cR!$NWr~+`CZb%dn;WtzrAOI>P_JtsB76PYe*<%H(y>qx-`Kq!X_; z<{RpAqYhE=L1r*M)gNF3B8r(<%8mo*SR2hu zccLRZwGARt)Hlo1euqTyM>^!HK*!Q2P;4UYrysje@;(<|$&%vQekbn|0Ruu_Io(w4#%p6ld2Yp7tlA`Y$cciThP zKzNGIMPXX%&Ud0uQh!uQZz|FB`4KGD?3!ND?wQt6!n*f4EmCoJUh&b?;B{|lxs#F- z31~HQ`SF4x$&v00@(P+j1pAaj5!s`)b2RDBp*PB=2IB>oBF!*6vwr7Dp%zpAx*dPr zb@Zjq^XjN?O4QcZ*O+8>)|HlrR>oD*?WQl5ri3R#2?*W6iJ>>kH%KnnME&TT@ZzrHS$Q%LC?n|e>V+D+8D zYc4)QddFz7I8#}y#Wj6>4P%34dZH~OUDb?uP%-E zwjXM(?Sg~1!|wI(RVuxbu)-rH+O=igSho_pDCw(c6b=P zKk4ATlB?bj9+HHlh<_!&z0rx13K3ZrAR8W)!@Y}o`?a*JJsD+twZIv`W)@Y?Amu_u zz``@-e2X}27$i(2=9rvIu5uTUOVhzwu%mNazS|lZb&PT;XE2|B&W1>=B58#*!~D&) zfVmJGg8UdP*fx(>Cj^?yS^zH#o-$Q-*$SnK(ZVFkw+er=>N^7!)FtP3y~Xxnu^nzY zikgB>Nj0%;WOltWIob|}%lo?_C7<``a5hEkx&1ku$|)i>Rh6@3h*`slY=9U}(Ql_< zaNG*J8vb&@zpdhAvv`?{=zDedJ23TD&Zg__snRAH4eh~^oawdYi6A3w8<Ozh@Kw)#bdktM^GVb zrG08?0bG?|NG+w^&JvD*7LAbjED{_Zkc`3H!My>0u5Q}m!+6VokMLXxl`Mkd=g&Xx z-a>m*#G3SLlhbKB!)tnzfWOBV;u;ftU}S!NdD5+YtOjLg?X}dl>7m^gOpihrf1;PY zvll&>dIuUGs{Qnd- 
zwIR3oIrct8Va^Tm0t#(bJD7c$Z7DO9*7NnRZorrSm`b`cxz>OIC;jSE3DO8`hX955ui`s%||YQtt2 z5DNA&pG-V+4oI2s*x^>-$6J?p=I>C|9wZF8z;VjR??Icg?1w2v5Me+FgAeGGa8(3S z4vg*$>zC-WIVZtJ7}o9{D-7d>zCe|z#<9>CFve-OPAYsneTb^JH!Enaza#j}^mXy1 z+ULn^10+rWLF6j2>Ya@@Kq?26>AqK{A_| zQKb*~F1>sE*=d?A?W7N2j?L09_7n+HGi{VY;MoTGr_)G9)ot$p!-UY5zZ2Xtbm=t z@dpPSGwgH=QtIcEulQNI>S-#ifbnO5EWkI;$A|pxJd885oM+ zGZ0_0gDvG8q2xebj+fbCHYfAXuZStH2j~|d^sBAzo46(K8n59+T6rzBwK)^rfPT+B zyIFw)9YC-V^rhtK`!3jrhmW-sTmM+tPH+;nwjL#-SjQPUZ53L@A>y*rt(#M(qsiB2 zx6B)dI}6Wlsw%bJ8h|(lhkJVogQZA&n{?Vgs6gNSXzuZpEyu*xySy8ro07QZ7Vk1!3tJphN_5V7qOiyK8p z#@jcDD8nmtYi1^l8ml;AF<#IPK?!pqf9D4moYk>d99Im}Jtwj6c#+A;f)CQ*f-hZ< z=p_T86jog%!p)D&5g9taSwYi&eP z#JuEK%+NULWus;0w32-SYFku#i}d~+{Pkho&^{;RxzP&0!RCm3-9K6`>KZpnzS6?L z^H^V*s!8<>x8bomvD%rh>Zp3>Db%kyin;qtl+jAv8Oo~1g~mqGAC&Qi_wy|xEt2iz zWAJEfTV%cl2Cs<1L&DLRVVH05EDq`pH7Oh7sR`NNkL%wi}8n>IXcO40hp+J+sC!W?!krJf!GJNE8uj zg-y~Ns-<~D?yqbzVRB}G>0A^f0!^N7l=$m0OdZuqAOQqLc zX?AEGr1Ht+inZ-Qiwnl@Z0qukd__a!C*CKuGdy5#nD7VUBM^6OCpxCa2A(X;e0&V4 zM&WR8+wErQ7UIc6LY~Q9x%Sn*Tn>>P`^t&idaOEnOd(Ufw#>NoR^1QdhJ8s`h^|R_ zXX`c5*O~Xdvh%q;7L!_!ohf$NfEBmCde|#uVZvEo>OfEq%+Ns7&_f$OR9xsihRpBb z+cjk8LyDm@U{YN>+r46?nn{7Gh(;WhFw6GAxtcKD+YWV?uge>;+q#Xx4!GpRkVZYu zzsF}1)7$?%s9g9CH=Zs+B%M_)+~*j3L0&Q9u7!|+T`^O{xE6qvAP?XWv9_MrZKdo& z%IyU)$Q95AB4!#hT!_dA>4e@zjOBD*Y=XjtMm)V|+IXzjuM;(l+8aA5#Kaz_$rR6! 
zj>#&^DidYD$nUY(D$mH`9eb|dtV0b{S>H6FBfq>t5`;OxA4Nn{J(+XihF(stSche7$es&~N$epi&PDM_N`As;*9D^L==2Q7Z2zD+CiU(|+-kL*VG+&9!Yb3LgPy?A zm7Z&^qRG_JIxK7-FBzZI3Q<;{`DIxtc48k> zc|0dmX;Z=W$+)qE)~`yn6MdoJ4co;%!`ddy+FV538Y)j(vg}5*k(WK)KWZ3WaOG!8 z!syGn=s{H$odtpqFrT#JGM*utN7B((abXnpDM6w56nhw}OY}0TiTG1#f*VFZr+^-g zbP10`$LPq_;PvrA1XXlyx2uM^mrjTzX}w{yuLo-cOClE8MMk47T25G8M!9Z5ypOSV zAJUBGEg5L2fY)ZGJb^E34R2zJ?}Vf>{~gB!8=5Z) z9y$>5c)=;o0HeHHSuE4U)#vG&KF|I%-cF6f$~pdYJWk_dD}iOA>iA$O$+4%@>JU08 zS`ep)$XLPJ+n0_i@PkF#ri6T8?ZeAot$6JIYHm&P6EB=BiaNY|aA$W0I+nz*zkz_z zkEru!tj!QUffq%)8y0y`T&`fuus-1p>=^hnBiBqD^hXrPs`PY9tU3m0np~rISY09> z`P3s=-kt_cYcxWd{de@}TwSqg*xVhp;E9zCsnXo6z z?f&Sv^U7n4`xr=mXle94HzOdN!2kB~4=%)u&N!+2;z6UYKUDqi-s6AZ!haB;@&B`? z_TRX0%@suz^TRdCb?!vNJYPY8L_}&07uySH9%W^Tc&1pia6y1q#?*Drf}GjGbPjBS zbOPcUY#*$3sL2x4v_i*Y=N7E$mR}J%|GUI(>WEr+28+V z%v5{#e!UF*6~G&%;l*q*$V?&r$Pp^sE^i-0$+RH3ERUUdQ0>rAq2(2QAbG}$y{de( z>{qD~GGuOk559Y@%$?N^1ApVL_a704>8OD%8Y%8B;FCt%AoPu8*D1 zLB5X>b}Syz81pn;xnB}%0FnwazlWfUV)Z-~rZg6~b z6!9J$EcE&sEbzcy?CI~=boWA&eeIa%z(7SE^qgVLz??1Vbc1*aRvc%Mri)AJaAG!p z$X!_9Ds;Zz)f+;%s&dRcJt2==P{^j3bf0M=nJd&xwUGlUFn?H=2W(*2I2Gdu zv!gYCwM10aeus)`RIZSrCK=&oKaO_Ry~D1B5!y0R=%!i2*KfXGYX&gNv_u+n9wiR5 z*e$Zjju&ODRW3phN925%S(jL+bCHv6rZtc?!*`1TyYXT6%Ju=|X;6D@lq$8T zW{Y|e39ioPez(pBH%k)HzFITXHvnD6hw^lIoUMA;qAJ^CU?top1fo@s7xT13Fvn1H z6JWa-6+FJF#x>~+A;D~;VDs26>^oH0EI`IYT2iagy23?nyJ==i{g4%HrAf1-*v zK1)~@&(KkwR7TL}L(A@C_S0G;-GMDy=MJn2$FP5s<%wC)4jC5PXoxrQBFZ_k0P{{s@sz+gX`-!=T8rcB(=7vW}^K6oLWMmp(rwDh}b zwaGGd>yEy6fHv%jM$yJXo5oMAQ>c9j`**}F?MCry;T@47@r?&sKHgVe$MCqk#Z_3S z1GZI~nOEN*P~+UaFGnj{{Jo@16`(qVNtbU>O0Hf57-P>x8Jikp=`s8xWs^dAJ9lCQ z)GFm+=OV%AMVqVATtN@|vp61VVAHRn87}%PC^RAzJ%JngmZTasWBAWsoAqBU+8L8u z4A&Pe?fmTm0?mK-BL9t+{y7o(7jm+RpOhL9KnY#E&qu^}B6=K_dB}*VlSEiC9fn)+V=J;OnN)Ta5v66ic1rG+dGAJ1 z1%Zb_+!$=tQ~lxQrzv3x#CPb?CekEkA}0MYSgx$Jdd}q8+R=ma$|&1a#)TQ=l$1tQ z=tL9&_^vJ)Pk}EDO-va`UCT1m#Uty1{v^A3P~83_#v^ozH}6*9mIjIr;t3Uv%@VeW zGL6(CwCUp)Jq%G0bIG%?{_*Y#5IHf*5M@wPo6A{$Um++Co$wLC=J1aoG93&T7Ho}P 
z=mGEPP7GbvoG!uD$k(H3A$Z))+i{Hy?QHdk>3xSBXR0j!11O^mEe9RHmw!pvzv?Ua~2_l2Yh~_!s1qS`|0~0)YsbHSz8!mG)WiJE| z2f($6TQtt6L_f~ApQYQKSb=`053LgrQq7G@98#igV>y#i==-nEjQ!XNu9 z~;mE+gtj4IDDNQJ~JVk5Ux6&LCSFL!y=>79kE9=V}J7tD==Ga+IW zX)r7>VZ9dY=V&}DR))xUoV!u(Z|%3ciQi_2jl}3=$Agc(`RPb z8kEBpvY>1FGQ9W$n>Cq=DIpski};nE)`p3IUw1Oz0|wxll^)4dq3;CCY@RyJgFgc# zKouFh!`?Xuo{IMz^xi-h=StCis_M7yq$u) z?XHvw*HP0VgR+KR6wI)jEMX|ssqYvSf*_3W8zVTQzD?3>H!#>InzpSO)@SC8q*ii- z%%h}_#0{4JG;Jm`4zg};BPTGkYamx$Xo#O~lBirRY)q=5M45n{GCfV7h9qwyu1NxOMoP4)jjZMxmT|IQQh0U7C$EbnMN<3)Kk?fFHYq$d|ICu>KbY_hO zTZM+uKHe(cIZfEqyzyYSUBZa8;Fcut-GN!HSA9ius`ltNebF46ZX_BbZNU}}ZOm{M2&nANL9@0qvih15(|`S~z}m&h!u4x~(%MAO$jHRWNfuxWF#B)E&g3ghSQ9|> z(MFaLQj)NE0lowyjvg8z0#m6FIuKE9lDO~Glg}nSb7`~^&#(Lw{}GVOS>U)m8bF}x zVjbXljBm34Cs-yM6TVusr+3kYFjr28STT3g056y3cH5Tmge~ASxBj z%|yb>$eF;WgrcOZf569sDZOVwoo%8>XO>XQOX1OyN9I-SQgrm;U;+#3OI(zrWyow3 zk==|{lt2xrQ%FIXOTejR>;wv(Pb8u8}BUpx?yd(Abh6? zsoO3VYWkeLnF43&@*#MQ9-i-d0t*xN-UEyNKeyNMHw|A(k(_6QKO=nKMCxD(W(Yop zsRQ)QeL4X3Lxp^L%wzi2-WVSsf61dqliPUM7srDB?Wm6Lzn0&{*}|IsKQW;02(Y&| zaTKv|`U(pSzuvR6Rduu$wzK_W-Y-7>7s?G$)U}&uK;<>vU}^^ns@Z!p+9?St1s)dG zK%y6xkPyyS1$~&6v{kl?Md6gwM|>mt6Upm>oa8RLD^8T{0?HC!Z>;(Bob7el(DV6x zi`I)$&E&ngwFS@bi4^xFLAn`=fzTC;aimE^!cMI2n@Vo%Ae-ne`RF((&5y6xsjjAZ zVguVoQ?Z9uk$2ON;ersE%PU*xGO@T*;j1BO5#TuZKEf(mB7|g7pcEA=nYJ{s3vlbg zd4-DUlD{*6o%Gc^N!Nptgay>j6E5;3psI+C3Q!1ZIbeCubW%w4pq9)MSDyB{HLm|k zxv-{$$A*pS@csolri$Ge<4VZ}e~78JOL-EVyrbxKra^d{?|NnPp86!q>t<&IP07?Z z^>~IK^k#OEKgRH+LjllZXk7iA>2cfH6+(e&9ku5poo~6y{GC5>(bRK7hwjiurqAiZ zg*DmtgY}v83IjE&AbiWgMyFbaRUPZ{lYiz$U^&Zt2YjG<%m((&_JUbZcfJ22(>bi5 z!J?<7AySj0JZ&<-qXX;mcV!f~>G=sB0KnjWca4}vrtunD^1TrpfeS^4dvFr!65knK zZh`d;*VOkPs4*-9kL>$GP0`(M!j~B;#x?Ba~&s6CopvO86oM?-? 
zOw#dIRc;6A6T?B`Qp%^<U5 z19x(ywSH$_N+Io!6;e?`tWaM$`=Db!gzx|lQ${DG!zb1Zl&|{kX0y6xvO1o z220r<-oaS^^R2pEyY;=Qllqpmue|5yI~D|iI!IGt@iod{Opz@*ml^w2bNs)p`M(Io z|E;;m*Xpjd9l)4G#KaWfV(t8YUn@A;nK^#xgv=LtnArX|vWQVuw3}B${h+frU2>9^ z!l6)!Uo4`5k`<<;E(ido7M6lKTgWezNLq>U*=uz&s=cc$1%>VrAeOoUtA|T6gO4>UNqsdK=NF*8|~*sl&wI=x9-EGiq*aqV!(VVXA57 zw9*o6Ir8Lj1npUXvlevtn(_+^X5rzdR>#(}4YcB9O50q97%rW2me5_L=%ffYPUSRc z!vv?Kv>dH994Qi>U(a<0KF6NH5b16enCp+mw^Hb3Xs1^tThFpz!3QuN#}KBbww`(h z7GO)1olDqy6?T$()R7y%NYx*B0k_2IBiZ14&8|JPFxeMF{vSTxF-Vi3+ZOI=Thq2} zyQgjYY1_7^ZQHh{?P))4+qUiQJLi1&{yE>h?~jU%tjdV0h|FENbM3X(KnJdPKc?~k zh=^Ixv*+smUll!DTWH!jrV*wSh*(mx0o6}1@JExzF(#9FXgmTXVoU+>kDe68N)dkQ zH#_98Zv$}lQwjKL@yBd;U(UD0UCl322=pav<=6g>03{O_3oKTq;9bLFX1ia*lw;#K zOiYDcBJf)82->83N_Y(J7Kr_3lE)hAu;)Q(nUVydv+l+nQ$?|%MWTy`t>{havFSQloHwiIkGK9YZ79^9?AZo0ZyQlVR#}lF%dn5n%xYksXf8gnBm=wO7g_^! zauQ-bH1Dc@3ItZ-9D_*pH}p!IG7j8A_o94#~>$LR|TFq zZ-b00*nuw|-5C2lJDCw&8p5N~Z1J&TrcyErds&!l3$eSz%`(*izc;-?HAFD9AHb-| z>)id`QCrzRws^9(#&=pIx9OEf2rmlob8sK&xPCWS+nD~qzU|qG6KwA{zbikcfQrdH z+ zQg>O<`K4L8rN7`GJB0*3<3`z({lWe#K!4AZLsI{%z#ja^OpfjU{!{)x0ZH~RB0W5X zTwN^w=|nA!4PEU2=LR05x~}|B&ZP?#pNgDMwD*ajI6oJqv!L81gu=KpqH22avXf0w zX3HjbCI!n9>l046)5rr5&v5ja!xkKK42zmqHzPx$9Nn_MZk`gLeSLgC=LFf;H1O#B zn=8|^1iRrujHfbgA+8i<9jaXc;CQBAmQvMGQPhFec2H1knCK2x!T`e6soyrqCamX% zTQ4dX_E*8so)E*TB$*io{$c6X)~{aWfaqdTh=xEeGvOAN9H&-t5tEE-qso<+C!2>+ zskX51H-H}#X{A75wqFe-J{?o8Bx|>fTBtl&tcbdR|132Ztqu5X0i-pisB-z8n71%q%>EF}yy5?z=Ve`}hVh{Drv1YWL zW=%ug_&chF11gDv3D6B)Tz5g54H0mDHNjuKZ+)CKFk4Z|$RD zfRuKLW`1B>B?*RUfVd0+u8h3r-{@fZ{k)c!93t1b0+Q9vOaRnEn1*IL>5Z4E4dZ!7 ztp4GP-^1d>8~LMeb}bW!(aAnB1tM_*la=Xx)q(I0Y@__Zd$!KYb8T2VBRw%e$iSdZ zkwdMwd}eV9q*;YvrBFTv1>1+}{H!JK2M*C|TNe$ZSA>UHKk);wz$(F$rXVc|sI^lD zV^?_J!3cLM;GJuBMbftbaRUs$;F}HDEDtIeHQ)^EJJ1F9FKJTGH<(Jj`phE6OuvE) zqK^K`;3S{Y#1M@8yRQwH`?kHMq4tHX#rJ>5lY3DM#o@or4&^_xtBC(|JpGTfrbGkA z2Tu+AyT^pHannww!4^!$5?@5v`LYy~T`qs7SYt$JgrY(w%C+IWA;ZkwEF)u5sDvOK zGk;G>Mh&elvXDcV69J_h02l&O;!{$({fng9Rlc3ID#tmB^FIG^w{HLUpF+iB`|
NnX)EH+Nua)3Y(c z&{(nX_ht=QbJ%DzAya}!&uNu!4V0xI)QE$SY__m)SAKcN0P(&JcoK*Lxr@P zY&P=}&B3*UWNlc|&$Oh{BEqwK2+N2U$4WB7Fd|aIal`FGANUa9E-O)!gV`((ZGCc$ zBJA|FFrlg~9OBp#f7aHodCe{6= zay$6vN~zj1ddMZ9gQ4p32(7wD?(dE>KA2;SOzXRmPBiBc6g`eOsy+pVcHu=;Yd8@{ zSGgXf@%sKKQz~;!J;|2fC@emm#^_rnO0esEn^QxXgJYd`#FPWOUU5b;9eMAF zZhfiZb|gk8aJIw*YLp4!*(=3l8Cp{(%p?ho22*vN9+5NLV0TTazNY$B5L6UKUrd$n zjbX%#m7&F#U?QNOBXkiiWB*_tk+H?N3`vg;1F-I+83{M2!8<^nydGr5XX}tC!10&e z7D36bLaB56WrjL&HiiMVtpff|K%|*{t*ltt^5ood{FOG0<>k&1h95qPio)2`eL${YAGIx(b4VN*~nKn6E~SIQUuRH zQ+5zP6jfnP$S0iJ@~t!Ai3o`X7biohli;E zT#yXyl{bojG@-TGZzpdVDXhbmF%F9+-^YSIv|MT1l3j zrxOFq>gd2%U}?6}8mIj?M zc077Zc9fq(-)4+gXv?Az26IO6eV`RAJz8e3)SC7~>%rlzDwySVx*q$ygTR5kW2ds- z!HBgcq0KON9*8Ff$X0wOq$`T7ml(@TF)VeoF}x1OttjuVHn3~sHrMB++}f7f9H%@f z=|kP_?#+fve@{0MlbkC9tyvQ_R?lRdRJ@$qcB(8*jyMyeME5ns6ypVI1Xm*Zr{DuS zZ!1)rQfa89c~;l~VkCiHI|PCBd`S*2RLNQM8!g9L6?n`^evQNEwfO@&JJRme+uopQX0%Jo zgd5G&#&{nX{o?TQwQvF1<^Cg3?2co;_06=~Hcb6~4XWpNFL!WU{+CK;>gH%|BLOh7@!hsa(>pNDAmpcuVO-?;Bic17R}^|6@8DahH)G z!EmhsfunLL|3b=M0MeK2vqZ|OqUqS8npxwge$w-4pFVXFq$_EKrZY?BuP@Az@(k`L z`ViQBSk`y+YwRT;&W| z2e3UfkCo^uTA4}Qmmtqs+nk#gNr2W4 zTH%hhErhB)pkXR{B!q5P3-OM+M;qu~f>}IjtF%>w{~K-0*jPVLl?Chz&zIdxp}bjx zStp&Iufr58FTQ36AHU)0+CmvaOpKF;W@sMTFpJ`j;3d)J_$tNQI^c<^1o<49Z(~K> z;EZTBaVT%14(bFw2ob@?JLQ2@(1pCdg3S%E4*dJ}dA*v}_a4_P(a`cHnBFJxNobAv zf&Zl-Yt*lhn-wjZsq<9v-IsXxAxMZ58C@e0!rzhJ+D@9^3~?~yllY^s$?&oNwyH!#~6x4gUrfxplCvK#!f z$viuszW>MFEcFL?>ux*((!L$;R?xc*myjRIjgnQX79@UPD$6Dz0jutM@7h_pq z0Zr)#O<^y_K6jfY^X%A-ip>P%3saX{!v;fxT-*0C_j4=UMH+Xth(XVkVGiiKE#f)q z%Jp=JT)uy{&}Iq2E*xr4YsJ5>w^=#-mRZ4vPXpI6q~1aFwi+lQcimO45V-JXP;>(Q zo={U`{=_JF`EQj87Wf}{Qy35s8r1*9Mxg({CvOt}?Vh9d&(}iI-quvs-rm~P;eRA@ zG5?1HO}puruc@S{YNAF3vmUc2B4!k*yi))<5BQmvd3tr}cIs#9)*AX>t`=~{f#Uz0 z0&Nk!7sSZwJe}=)-R^$0{yeS!V`Dh7w{w5rZ9ir!Z7Cd7dwZcK;BT#V0bzTt>;@Cl z#|#A!-IL6CZ@eHH!CG>OO8!%G8&8t4)Ro@}USB*k>oEUo0LsljsJ-%5Mo^MJF2I8- z#v7a5VdJ-Cd%(a+y6QwTmi+?f8Nxtm{g-+WGL>t;s#epv7ug>inqimZCVm!uT5Pf6 
ziEgQt7^%xJf#!aPWbuC_3Nxfb&CFbQy!(8ANpkWLI4oSnH?Q3f?0k1t$3d+lkQs{~(>06l&v|MpcFsyAv zin6N!-;pggosR*vV=DO(#+}4ps|5$`udE%Kdmp?G7B#y%H`R|i8skKOd9Xzx8xgR$>Zo2R2Ytktq^w#ul4uicxW#{ zFjG_RNlBroV_n;a7U(KIpcp*{M~e~@>Q#Av90Jc5v%0c>egEdY4v3%|K1XvB{O_8G zkTWLC>OZKf;XguMH2-Pw{BKbFzaY;4v2seZV0>^7Q~d4O=AwaPhP3h|!hw5aqOtT@ z!SNz}$of**Bl3TK209@F=Tn1+mgZa8yh(Png%Zd6Mt}^NSjy)etQrF zme*llAW=N_8R*O~d2!apJnF%(JcN??=`$qs3Y+~xs>L9x`0^NIn!8mMRFA_tg`etw z3k{9JAjnl@ygIiJcNHTy02GMAvBVqEss&t2<2mnw!; zU`J)0>lWiqVqo|ex7!+@0i>B~BSU1A_0w#Ee+2pJx0BFiZ7RDHEvE*ptc9md(B{&+ zKE>TM)+Pd>HEmdJao7U@S>nL(qq*A)#eLOuIfAS@j`_sK0UEY6OAJJ-kOrHG zjHx`g!9j*_jRcJ%>CE9K2MVf?BUZKFHY?EpV6ai7sET-tqk=nDFh-(65rhjtlKEY% z@G&cQ<5BKatfdA1FKuB=i>CCC5(|9TMW%K~GbA4}80I5%B}(gck#Wlq@$nO3%@QP_ z8nvPkJFa|znk>V92cA!K1rKtr)skHEJD;k8P|R8RkCq1Rh^&}Evwa4BUJz2f!2=MH zo4j8Y$YL2313}H~F7@J7mh>u%556Hw0VUOz-Un@ZASCL)y8}4XXS`t1AC*^>PLwIc zUQok5PFS=*#)Z!3JZN&eZ6ZDP^-c@StY*t20JhCnbMxXf=LK#;`4KHEqMZ-Ly9KsS zI2VUJGY&PmdbM+iT)zek)#Qc#_i4uH43 z@T5SZBrhNCiK~~esjsO9!qBpaWK<`>!-`b71Y5ReXQ4AJU~T2Njri1CEp5oKw;Lnm)-Y@Z3sEY}XIgSy%xo=uek(kAAH5MsV$V3uTUsoTzxp_rF=tx zV07vlJNKtJhCu`b}*#m&5LV4TAE&%KtHViDAdv#c^x`J7bg z&N;#I2GkF@SIGht6p-V}`!F_~lCXjl1BdTLIjD2hH$J^YFN`7f{Q?OHPFEM$65^!u zNwkelo*5+$ZT|oQ%o%;rBX$+?xhvjb)SHgNHE_yP%wYkkvXHS{Bf$OiKJ5d1gI0j< zF6N}Aq=(WDo(J{e-uOecxPD>XZ@|u-tgTR<972`q8;&ZD!cep^@B5CaqFz|oU!iFj zU0;6fQX&~15E53EW&w1s9gQQ~Zk16X%6 zjG`j0yq}4deX2?Tr(03kg>C(!7a|b9qFI?jcE^Y>-VhudI@&LI6Qa}WQ>4H_!UVyF z((cm&!3gmq@;BD#5P~0;_2qgZhtJS|>WdtjY=q zLnHH~Fm!cxw|Z?Vw8*~?I$g#9j&uvgm7vPr#&iZgPP~v~BI4jOv;*OQ?jYJtzO<^y z7-#C={r7CO810!^s(MT!@@Vz_SVU)7VBi(e1%1rvS!?PTa}Uv`J!EP3s6Y!xUgM^8 z4f!fq<3Wer_#;u!5ECZ|^c1{|q_lh3m^9|nsMR1#Qm|?4Yp5~|er2?W^7~cl;_r4WSme_o68J9p03~Hc%X#VcX!xAu%1`R!dfGJCp zV*&m47>s^%Ib0~-2f$6oSgn3jg8m%UA;ArcdcRyM5;}|r;)?a^D*lel5C`V5G=c~k zy*w_&BfySOxE!(~PI$*dwG><+-%KT5p?whOUMA*k<9*gi#T{h3DAxzAPxN&Xws8o9Cp*`PA5>d9*Z-ynV# z9yY*1WR^D8|C%I@vo+d8r^pjJ$>eo|j>XiLWvTWLl(^;JHCsoPgem6PvegHb-OTf| 
zvTgsHSa;BkbG=(NgPO|CZu9gUCGr$8*EoH2_Z#^BnxF0yM~t`|9ws_xZ8X8iZYqh! zAh;HXJ)3P&)Q0(&F>!LN0g#bdbis-cQxyGn9Qgh`q+~49Fqd2epikEUw9caM%V6WgP)532RMRW}8gNS%V%Hx7apSz}tn@bQy!<=lbhmAH=FsMD?leawbnP5BWM0 z5{)@EEIYMu5;u)!+HQWhQ;D3_Cm_NADNeb-f56}<{41aYq8p4=93d=-=q0Yx#knGYfXVt z+kMxlus}t2T5FEyCN~!}90O_X@@PQpuy;kuGz@bWft%diBTx?d)_xWd_-(!LmVrh**oKg!1CNF&LX4{*j|) zIvjCR0I2UUuuEXh<9}oT_zT#jOrJAHNLFT~Ilh9hGJPI1<5`C-WA{tUYlyMeoy!+U zhA#=p!u1R7DNg9u4|QfED-2TuKI}>p#2P9--z;Bbf4Op*;Q9LCbO&aL2i<0O$ByoI z!9;Ght733FC>Pz>$_mw(F`zU?`m@>gE`9_p*=7o=7av`-&ifU(^)UU`Kg3Kw`h9-1 z6`e6+im=|m2v`pN(2dE%%n8YyQz;#3Q-|x`91z?gj68cMrHl}C25|6(_dIGk*8cA3 zRHB|Nwv{@sP4W+YZM)VKI>RlB`n=Oj~Rzx~M+Khz$N$45rLn6k1nvvD^&HtsMA4`s=MmuOJID@$s8Ph4E zAmSV^+s-z8cfv~Yd(40Sh4JG#F~aB>WFoX7ykaOr3JaJ&Lb49=B8Vk-SQT9%7TYhv z?-Pprt{|=Y5ZQ1?od|A<_IJU93|l4oAfBm?3-wk{O<8ea+`}u%(kub(LFo2zFtd?4 zwpN|2mBNywv+d^y_8#<$r>*5+$wRTCygFLcrwT(qc^n&@9r+}Kd_u@Ithz(6Qb4}A zWo_HdBj#V$VE#l6pD0a=NfB0l^6W^g`vm^sta>Tly?$E&{F?TTX~DsKF~poFfmN%2 z4x`Dc{u{Lkqz&y!33;X}weD}&;7p>xiI&ZUb1H9iD25a(gI|`|;G^NwJPv=1S5e)j z;U;`?n}jnY6rA{V^ zxTd{bK)Gi^odL3l989DQlN+Zs39Xe&otGeY(b5>rlIqfc7Ap4}EC?j<{M=hlH{1+d zw|c}}yx88_xQr`{98Z!d^FNH77=u(p-L{W6RvIn40f-BldeF-YD>p6#)(Qzf)lfZj z?3wAMtPPp>vMehkT`3gToPd%|D8~4`5WK{`#+}{L{jRUMt zrFz+O$C7y8$M&E4@+p+oV5c%uYzbqd2Y%SSgYy#xh4G3hQv>V*BnuKQhBa#=oZB~w{azUB+q%bRe_R^ z>fHBilnRTUfaJ201czL8^~Ix#+qOHSO)A|xWLqOxB$dT2W~)e-r9;bm=;p;RjYahB z*1hegN(VKK+ztr~h1}YP@6cfj{e#|sS`;3tJhIJK=tVJ-*h-5y9n*&cYCSdg#EHE# zSIx=r#qOaLJoVVf6v;(okg6?*L_55atl^W(gm^yjR?$GplNP>BZsBYEf_>wM0Lc;T zhf&gpzOWNxS>m+mN92N0{;4uw`P+9^*|-1~$uXpggj4- z^SFc4`uzj2OwdEVT@}Q`(^EcQ_5(ZtXTql*yGzdS&vrS_w>~~ra|Nb5abwf}Y!uq6R5f&6g2ge~2p(%c< z@O)cz%%rr4*cRJ5f`n@lvHNk@lE1a*96Kw6lJ~B-XfJW%?&-y?;E&?1AacU@`N`!O z6}V>8^%RZ7SQnZ-z$(jsX`amu*5Fj8g!3RTRwK^`2_QHe;_2y_n|6gSaGyPmI#kA0sYV<_qOZc#-2BO%hX)f$s-Z3xlI!ub z^;3ru11DA`4heAu%}HIXo&ctujzE2!6DIGE{?Zs>2}J+p&C$rc7gJC35gxhflorvsb%sGOxpuWhF)dL_&7&Z99=5M0b~Qa;Mo!j&Ti_kXW!86N%n= zSC@6Lw>UQ__F&+&Rzv?gscwAz8IP!n63>SP)^62(HK98nGjLY2*e^OwOq`3O|C92? 
z;TVhZ2SK%9AGW4ZavTB9?)mUbOoF`V7S=XM;#3EUpR+^oHtdV!GK^nXzCu>tpR|89 zdD{fnvCaN^^LL%amZ^}-E+214g&^56rpdc@yv0b<3}Ys?)f|fXN4oHf$six)-@<;W&&_kj z-B}M5U*1sb4)77aR=@%I?|Wkn-QJVuA96an25;~!gq(g1@O-5VGo7y&E_srxL6ZfS z*R%$gR}dyONgju*D&?geiSj7SZ@ftyA|}(*Y4KbvU!YLsi1EDQQCnb+-cM=K1io78o!v*);o<XwjaQH%)uIP&Zm?)Nfbfn;jIr z)d#!$gOe3QHp}2NBak@yYv3m(CPKkwI|{;d=gi552u?xj9ObCU^DJFQp4t4e1tPzM zvsRIGZ6VF+{6PvqsplMZWhz10YwS={?`~O0Ec$`-!klNUYtzWA^f9m7tkEzCy<_nS z=&<(awFeZvt51>@o_~>PLs05CY)$;}Oo$VDO)?l-{CS1Co=nxjqben*O1BR>#9`0^ zkwk^k-wcLCLGh|XLjdWv0_Hg54B&OzCE^3NCP}~OajK-LuRW53CkV~Su0U>zN%yQP zH8UH#W5P3-!ToO-2k&)}nFe`t+mdqCxxAHgcifup^gKpMObbox9LFK;LP3}0dP-UW z?Zo*^nrQ6*$FtZ(>kLCc2LY*|{!dUn$^RW~m9leoF|@Jy|M5p-G~j%+P0_#orRKf8 zvuu5<*XO!B?1E}-*SY~MOa$6c%2cM+xa8}_8x*aVn~57v&W(0mqN1W`5a7*VN{SUH zXz98DDyCnX2EPl-`Lesf`=AQT%YSDb`$%;(jUTrNen$NPJrlpPDP}prI>Ml!r6bCT;mjsg@X^#&<}CGf0JtR{Ecwd&)2zuhr#nqdgHj+g2n}GK9CHuwO zk>oZxy{vcOL)$8-}L^iVfJHAGfwN$prHjYV0ju}8%jWquw>}_W6j~m<}Jf!G?~r5&Rx)!9JNX!ts#SGe2HzobV5); zpj@&`cNcO&q+%*<%D7za|?m5qlmFK$=MJ_iv{aRs+BGVrs)98BlN^nMr{V_fcl_;jkzRju+c-y?gqBC_@J0dFLq-D9@VN&-`R9U;nv$Hg?>$oe4N&Ht$V_(JR3TG^! 
zzJsbQbi zFE6-{#9{G{+Z}ww!ycl*7rRdmU#_&|DqPfX3CR1I{Kk;bHwF6jh0opI`UV2W{*|nn zf_Y@%wW6APb&9RrbEN=PQRBEpM(N1w`81s=(xQj6 z-eO0k9=Al|>Ej|Mw&G`%q8e$2xVz1v4DXAi8G};R$y)ww638Y=9y$ZYFDM$}vzusg zUf+~BPX>(SjA|tgaFZr_e0{)+z9i6G#lgt=F_n$d=beAt0Sa0a7>z-?vcjl3e+W}+ z1&9=|vC=$co}-Zh*%3588G?v&U7%N1Qf-wNWJ)(v`iO5KHSkC5&g7CrKu8V}uQGcfcz zmBz#Lbqwqy#Z~UzHgOQ;Q-rPxrRNvl(&u6ts4~0=KkeS;zqURz%!-ERppmd%0v>iRlEf+H$yl{_8TMJzo0 z>n)`On|7=WQdsqhXI?#V{>+~}qt-cQbokEbgwV3QvSP7&hK4R{Z{aGHVS3;+h{|Hz z6$Js}_AJr383c_+6sNR|$qu6dqHXQTc6?(XWPCVZv=)D#6_;D_8P-=zOGEN5&?~8S zl5jQ?NL$c%O)*bOohdNwGIKM#jSAC?BVY={@A#c9GmX0=T(0G}xs`-%f3r=m6-cpK z!%waekyAvm9C3%>sixdZj+I(wQlbB4wv9xKI*T13DYG^T%}zZYJ|0$Oj^YtY+d$V$ zAVudSc-)FMl|54n=N{BnZTM|!>=bhaja?o7s+v1*U$!v!qQ%`T-6fBvmdPbVmro&d zk07TOp*KuxRUSTLRrBj{mjsnF8`d}rMViY8j`jo~Hp$fkv9F_g(jUo#Arp;Xw0M$~ zRIN!B22~$kx;QYmOkos@%|5k)!QypDMVe}1M9tZfkpXKGOxvKXB!=lo`p?|R1l=tA zp(1}c6T3Fwj_CPJwVsYtgeRKg?9?}%oRq0F+r+kdB=bFUdVDRPa;E~~>2$w}>O>v=?|e>#(-Lyx?nbg=ckJ#5U6;RT zNvHhXk$P}m9wSvFyU3}=7!y?Y z=fg$PbV8d7g25&-jOcs{%}wTDKm>!Vk);&rr;O1nvO0VrU&Q?TtYVU=ir`te8SLlS zKSNmV=+vF|ATGg`4$N1uS|n??f}C_4Sz!f|4Ly8#yTW-FBfvS48Tef|-46C(wEO_%pPhUC5$-~Y?!0vFZ^Gu`x=m7X99_?C-`|h zfmMM&Y@zdfitA@KPw4Mc(YHcY1)3*1xvW9V-r4n-9ZuBpFcf{yz+SR{ zo$ZSU_|fgwF~aakGr(9Be`~A|3)B=9`$M-TWKipq-NqRDRQc}ABo*s_5kV%doIX7LRLRau_gd@Rd_aLFXGSU+U?uAqh z8qusWWcvgQ&wu{|sRXmv?sl=xc<$6AR$+cl& zFNh5q1~kffG{3lDUdvEZu5c(aAG~+64FxdlfwY^*;JSS|m~CJusvi-!$XR`6@XtY2 znDHSz7}_Bx7zGq-^5{stTRy|I@N=>*y$zz>m^}^{d&~h;0kYiq8<^Wq7Dz0w31ShO^~LUfW6rfitR0(=3;Uue`Y%y@ex#eKPOW zO~V?)M#AeHB2kovn1v=n^D?2{2jhIQd9t|_Q+c|ZFaWt+r&#yrOu-!4pXAJuxM+Cx z*H&>eZ0v8Y`t}8{TV6smOj=__gFC=eah)mZt9gwz>>W$!>b3O;Rm^Ig*POZP8Rl0f zT~o=Nu1J|lO>}xX&#P58%Yl z83`HRs5#32Qm9mdCrMlV|NKNC+Z~ z9OB8xk5HJ>gBLi+m@(pvpw)1(OaVJKs*$Ou#@Knd#bk+V@y;YXT?)4eP9E5{J%KGtYinNYJUH9PU3A}66c>Xn zZ{Bn0<;8$WCOAL$^NqTjwM?5d=RHgw3!72WRo0c;+houoUA@HWLZM;^U$&sycWrFd zE7ekt9;kb0`lps{>R(}YnXlyGY}5pPd9zBpgXeJTY_jwaJGSJQC#-KJqmh-;ad&F- z-Y)E>!&`Rz!HtCz>%yOJ|v(u7P*I$jqEY3}(Z-orn4 
zlI?CYKNl`6I){#2P1h)y(6?i;^z`N3bxTV%wNvQW+eu|x=kbj~s8rhCR*0H=iGkSj zk23lr9kr|p7#qKL=UjgO`@UnvzU)`&fI>1Qs7ubq{@+lK{hH* zvl6eSb9%yngRn^T<;jG1SVa)eA>T^XX=yUS@NCKpk?ovCW1D@!=@kn;l_BrG;hOTC z6K&H{<8K#dI(A+zw-MWxS+~{g$tI7|SfP$EYKxA}LlVO^sT#Oby^grkdZ^^lA}uEF zBSj$weBJG{+Bh@Yffzsw=HyChS(dtLE3i*}Zj@~!_T-Ay7z=B)+*~3|?w`Zd)Co2t zC&4DyB!o&YgSw+fJn6`sn$e)29`kUwAc+1MND7YjV%lO;H2}fNy>hD#=gT ze+-aFNpyKIoXY~Vq-}OWPBe?Rfu^{ps8>Xy%42r@RV#*QV~P83jdlFNgkPN=T|Kt7 zV*M`Rh*30&AWlb$;ae130e@}Tqi3zx2^JQHpM>j$6x`#{mu%tZlwx9Gj@Hc92IuY* zarmT|*d0E~vt6<+r?W^UW0&#U&)8B6+1+;k^2|FWBRP9?C4Rk)HAh&=AS8FS|NQaZ z2j!iZ)nbEyg4ZTp-zHwVlfLC~tXIrv(xrP8PAtR{*c;T24ycA-;auWsya-!kF~CWZ zw_uZ|%urXgUbc@x=L=_g@QJ@m#5beS@6W195Hn7>_}z@Xt{DIEA`A&V82bc^#!q8$ zFh?z_Vn|ozJ;NPd^5uu(9tspo8t%&-U9Ckay-s@DnM*R5rtu|4)~e)`z0P-sy?)kc zs_k&J@0&0!q4~%cKL)2l;N*T&0;mqX5T{Qy60%JtKTQZ-xb%KOcgqwJmb%MOOKk7N zgq})R_6**{8A|6H?fO+2`#QU)p$Ei2&nbj6TpLSIT^D$|`TcSeh+)}VMb}LmvZ{O| ze*1IdCt3+yhdYVxcM)Q_V0bIXLgr6~%JS<<&dxIgfL=Vnx4YHuU@I34JXA|+$_S3~ zy~X#gO_X!cSs^XM{yzDGNM>?v(+sF#<0;AH^YrE8smx<36bUsHbN#y57K8WEu(`qHvQ6cAZPo=J5C(lSmUCZ57Rj6cx!e^rfaI5%w}unz}4 zoX=nt)FVNV%QDJH`o!u9olLD4O5fl)xp+#RloZlaA92o3x4->?rB4`gS$;WO{R;Z3>cG3IgFX2EA?PK^M}@%1%A;?f6}s&CV$cIyEr#q5;yHdNZ9h{| z-=dX+a5elJoDo?Eq&Og!nN6A)5yYpnGEp}?=!C-V)(*~z-+?kY1Q7qs#Rsy%hu_60rdbB+QQNr?S1 z?;xtjUv|*E3}HmuNyB9aFL5H~3Ho0UsmuMZELp1a#CA1g`P{-mT?BchuLEtK}!QZ=3AWakRu~?f9V~3F;TV`5%9Pcs_$gq&CcU}r8gOO zC2&SWPsSG{&o-LIGTBqp6SLQZPvYKp$$7L4WRRZ0BR$Kf0I0SCFkqveCp@f)o8W)! 
z$%7D1R`&j7W9Q9CGus_)b%+B#J2G;l*FLz#s$hw{BHS~WNLODV#(!u_2Pe&tMsq={ zdm7>_WecWF#D=?eMjLj=-_z`aHMZ=3_-&E8;ibPmM}61i6J3is*=dKf%HC>=xbj4$ zS|Q-hWQ8T5mWde6h@;mS+?k=89?1FU<%qH9B(l&O>k|u_aD|DY*@~(`_pb|B#rJ&g zR0(~(68fpUPz6TdS@4JT5MOPrqDh5_H(eX1$P2SQrkvN8sTxwV>l0)Qq z0pzTuvtEAKRDkKGhhv^jk%|HQ1DdF%5oKq5BS>szk-CIke{%js?~%@$uaN3^Uz6Wf z_iyx{bZ(;9y4X&>LPV=L=d+A}7I4GkK0c1Xts{rrW1Q7apHf-))`BgC^0^F(>At1* za@e7{lq%yAkn*NH8Q1{@{lKhRg*^TfGvv!Sn*ed*x@6>M%aaqySxR|oNadYt1mpUZ z6H(rupHYf&Z z29$5g#|0MX#aR6TZ$@eGxxABRKakDYtD%5BmKp;HbG_ZbT+=81E&=XRk6m_3t9PvD zr5Cqy(v?gHcYvYvXkNH@S#Po~q(_7MOuCAB8G$a9BC##gw^5mW16cML=T=ERL7wsk zzNEayTG?mtB=x*wc@ifBCJ|irFVMOvH)AFRW8WE~U()QT=HBCe@s$dA9O!@`zAAT) zaOZ7l6vyR+Nk_OOF!ZlZmjoImKh)dxFbbR~z(cMhfeX1l7S_`;h|v3gI}n9$sSQ>+3@AFAy9=B_y$)q;Wdl|C-X|VV3w8 z2S#>|5dGA8^9%Bu&fhmVRrTX>Z7{~3V&0UpJNEl0=N32euvDGCJ>#6dUSi&PxFW*s zS`}TB>?}H(T2lxBJ!V#2taV;q%zd6fOr=SGHpoSG*4PDaiG0pdb5`jelVipkEk%FV zThLc@Hc_AL1#D&T4D=w@UezYNJ%0=f3iVRuVL5H?eeZM}4W*bomebEU@e2d`M<~uW zf#Bugwf`VezG|^Qbt6R_=U0}|=k;mIIakz99*>FrsQR{0aQRP6ko?5<7bkDN8evZ& zB@_KqQG?ErKL=1*ZM9_5?Pq%lcS4uLSzN(Mr5=t6xHLS~Ym`UgM@D&VNu8e?_=nSFtF$u@hpPSmI4Vo_t&v?>$~K4y(O~Rb*(MFy_igM7 z*~yYUyR6yQgzWnWMUgDov!!g=lInM+=lOmOk4L`O?{i&qxy&D*_qorRbDwj6?)!ef z#JLd7F6Z2I$S0iYI={rZNk*<{HtIl^mx=h>Cim*04K4+Z4IJtd*-)%6XV2(MCscPiw_a+y*?BKbTS@BZ3AUao^%Zi#PhoY9Vib4N>SE%4>=Jco0v zH_Miey{E;FkdlZSq)e<{`+S3W=*ttvD#hB8w=|2aV*D=yOV}(&p%0LbEWH$&@$X3x~CiF-?ejQ*N+-M zc8zT@3iwkdRT2t(XS`d7`tJQAjRmKAhiw{WOqpuvFp`i@Q@!KMhwKgsA}%@sw8Xo5Y=F zhRJZg)O4uqNWj?V&&vth*H#je6T}}p_<>!Dr#89q@uSjWv~JuW(>FqoJ5^ho0%K?E z9?x_Q;kmcsQ@5=}z@tdljMSt9-Z3xn$k)kEjK|qXS>EfuDmu(Z8|(W?gY6-l z@R_#M8=vxKMAoi&PwnaIYw2COJM@atcgfr=zK1bvjW?9B`-+Voe$Q+H$j!1$Tjn+* z&LY<%)L@;zhnJlB^Og6I&BOR-m?{IW;tyYC%FZ!&Z>kGjHJ6cqM-F z&19n+e1=9AH1VrVeHrIzqlC`w9=*zfmrerF?JMzO&|Mmv;!4DKc(sp+jy^Dx?(8>1 zH&yS_4yL7m&GWX~mdfgH*AB4{CKo;+egw=PrvkTaoBU+P-4u?E|&!c z)DKc;>$$B6u*Zr1SjUh2)FeuWLWHl5TH(UHWkf zLs>7px!c5n;rbe^lO@qlYLzlDVp(z?6rPZel=YB)Uv&n!2{+Mb$-vQl=xKw( 
zve&>xYx+jW_NJh!FV||r?;hdP*jOXYcLCp>DOtJ?2S^)DkM{{Eb zS$!L$e_o0(^}n3tA1R3-$SNvgBq;DOEo}fNc|tB%%#g4RA3{|euq)p+xd3I8^4E&m zFrD%}nvG^HUAIKe9_{tXB;tl|G<%>yk6R;8L2)KUJw4yHJXUOPM>(-+jxq4R;z8H#>rnJy*)8N+$wA$^F zN+H*3t)eFEgxLw+Nw3};4WV$qj&_D`%ADV2%r zJCPCo%{=z7;`F98(us5JnT(G@sKTZ^;2FVitXyLe-S5(hV&Ium+1pIUB(CZ#h|g)u zSLJJ<@HgrDiA-}V_6B^x1>c9B6%~847JkQ!^KLZ2skm;q*edo;UA)~?SghG8;QbHh z_6M;ouo_1rq9=x$<`Y@EA{C%6-pEV}B(1#sDoe_e1s3^Y>n#1Sw;N|}8D|s|VPd+g z-_$QhCz`vLxxrVMx3ape1xu3*wjx=yKSlM~nFgkNWb4?DDr*!?U)L_VeffF<+!j|b zZ$Wn2$TDv3C3V@BHpSgv3JUif8%hk%OsGZ=OxH@8&4`bbf$`aAMchl^qN>Eyu3JH} z9-S!x8-s4fE=lad%Pkp8hAs~u?|uRnL48O|;*DEU! zuS0{cpk%1E0nc__2%;apFsTm0bKtd&A0~S3Cj^?72-*Owk3V!ZG*PswDfS~}2<8le z5+W^`Y(&R)yVF*tU_s!XMcJS`;(Tr`J0%>p=Z&InR%D3@KEzzI+-2)HK zuoNZ&o=wUC&+*?ofPb0a(E6(<2Amd6%uSu_^-<1?hsxs~0K5^f(LsGqgEF^+0_H=uNk9S0bb!|O8d?m5gQjUKevPaO+*VfSn^2892K~%crWM8+6 z25@V?Y@J<9w%@NXh-2!}SK_(X)O4AM1-WTg>sj1{lj5@=q&dxE^9xng1_z9w9DK>| z6Iybcd0e zyi;Ew!KBRIfGPGytQ6}z}MeXCfLY0?9%RiyagSp_D1?N&c{ zyo>VbJ4Gy`@Fv+5cKgUgs~na$>BV{*em7PU3%lloy_aEovR+J7TfQKh8BJXyL6|P8un-Jnq(ghd!_HEOh$zlv2$~y3krgeH;9zC}V3f`uDtW(%mT#944DQa~^8ZI+zAUu4U(j0YcDfKR$bK#gvn_{JZ>|gZ5+)u?T$w7Q%F^;!Wk?G z(le7r!ufT*cxS}PR6hIVtXa)i`d$-_1KkyBU>qmgz-=T};uxx&sKgv48akIWQ89F{ z0XiY?WM^~;|T8zBOr zs#zuOONzH?svv*jokd5SK8wG>+yMC)LYL|vLqm^PMHcT=`}V$=nIRHe2?h)8WQa6O zPAU}d`1y(>kZiP~Gr=mtJLMu`i<2CspL|q2DqAgAD^7*$xzM`PU4^ga`ilE134XBQ z99P(LhHU@7qvl9Yzg$M`+dlS=x^(m-_3t|h>S}E0bcFMn=C|KamQ)=w2^e)35p`zY zRV8X?d;s^>Cof2SPR&nP3E+-LCkS0J$H!eh8~k0qo$}00b=7!H_I2O+Ro@3O$nPdm ztmbOO^B+IHzQ5w>@@@J4cKw5&^_w6s!s=H%&byAbUtczPQ7}wfTqxxtQNfn*u73Qw zGuWsrky_ajPx-5`R<)6xHf>C(oqGf_Fw|-U*GfS?xLML$kv;h_pZ@Kk$y0X(S+K80 z6^|z)*`5VUkawg}=z`S;VhZhxyDfrE0$(PMurAxl~<>lfZa>JZ288ULK7D` zl9|#L^JL}Y$j*j`0-K6kH#?bRmg#5L3iB4Z)%iF@SqT+Lp|{i`m%R-|ZE94Np7Pa5 zCqC^V3}B(FR340pmF*qaa}M}+h6}mqE~7Sh!9bDv9YRT|>vBNAqv09zXHMlcuhKD| zcjjA(b*XCIwJ33?CB!+;{)vX@9xns_b-VO{i0y?}{!sdXj1GM8+$#v>W7nw;+O_9B z_{4L;C6ol?(?W0<6taGEn1^uG=?Q3i29sE`RfYCaV$3DKc_;?HsL?D_fSYg}SuO5U 
zOB_f4^vZ_x%o`5|C@9C5+o=mFy@au{s)sKw!UgC&L35aH(sgDxRE2De%(%OT=VUdN ziVLEmdOvJ&5*tCMKRyXctCwQu_RH%;m*$YK&m;jtbdH#Ak~13T1^f89tn`A%QEHWs~jnY~E}p_Z$XC z=?YXLCkzVSK+Id`xZYTegb@W8_baLt-Fq`Tv|=)JPbFsKRm)4UW;yT+J`<)%#ue9DPOkje)YF2fsCilK9MIIK>p*`fkoD5nGfmLwt)!KOT+> zOFq*VZktDDyM3P5UOg`~XL#cbzC}eL%qMB=Q5$d89MKuN#$6|4gx_Jt0Gfn8w&q}%lq4QU%6#jT*MRT% zrLz~C8FYKHawn-EQWN1B75O&quS+Z81(zN)G>~vN8VwC+e+y(`>HcxC{MrJ;H1Z4k zZWuv$w_F0-Ub%MVcpIc){4PGL^I7M{>;hS?;eH!;gmcOE66z3;Z1Phqo(t zVP(Hg6q#0gIKgsg7L7WE!{Y#1nI(45tx2{$34dDd#!Z0NIyrm)HOn5W#7;f4pQci# zDW!FI(g4e668kI9{2+mLwB+=#9bfqgX%!B34V-$wwSN(_cm*^{y0jQtv*4}eO^sOV z*9xoNvX)c9isB}Tgx&ZRjp3kwhTVK?r9;n!x>^XYT z@Q^7zp{rkIs{2mUSE^2!Gf6$6;j~&4=-0cSJJDizZp6LTe8b45;{AKM%v99}{{FfC zz709%u0mC=1KXTo(=TqmZQ;c?$M3z(!xah>aywrj40sc2y3rKFw4jCq+Y+u=CH@_V zxz|qeTwa>+<|H%8Dz5u>ZI5MmjTFwXS-Fv!TDd*`>3{krWoNVx$<133`(ftS?ZPyY z&4@ah^3^i`vL$BZa>O|Nt?ucewzsF)0zX3qmM^|waXr=T0pfIb0*$AwU=?Ipl|1Y; z*Pk6{C-p4MY;j@IJ|DW>QHZQJcp;Z~?8(Q+Kk3^0qJ}SCk^*n4W zu9ZFwLHUx-$6xvaQ)SUQcYd6fF8&x)V`1bIuX@>{mE$b|Yd(qomn3;bPwnDUc0F=; zh*6_((%bqAYQWQ~odER?h>1mkL4kpb3s7`0m@rDKGU*oyF)$j~Ffd4fXV$?`f~rHf zB%Y)@5SXZvfwm10RY5X?TEo)PK_`L6qgBp=#>fO49$D zDq8Ozj0q6213tV5Qq=;fZ0$|KroY{Dz=l@lU^J)?Ko@ti20TRplXzphBi>XGx4bou zEWrkNjz0t5j!_ke{g5I#PUlEU$Km8g8TE|XK=MkU@PT4T><2OVamoK;wJ}3X0L$vX zgd7gNa359*nc)R-0!`2X@FOTB`+oETOPc=ubp5R)VQgY+5BTZZJ2?9QwnO=dnulIUF3gFn;BODC2)65)HeVd%t86sL7Rv^Y+nbn+&l z6BAJY(ETvwI)Ts$aiE8rht4KD*qNyE{8{x6R|%akbTBzw;2+6Echkt+W+`u^XX z_z&x%n '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. 
+MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. + +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. 
+ +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/gradlew.bat b/servlet/spring-boot/java/authentication/mfa/oauth2/gradlew.bat new file mode 100644 index 000000000..25da30dbd --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/settings.gradle b/servlet/spring-boot/java/authentication/mfa/oauth2/settings.gradle new file mode 100644 index 000000000..733fda690 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/settings.gradle @@ -0,0 +1,8 @@ +pluginManagement { + repositories { + mavenCentral() + gradlePluginPortal() + maven { url 'https://repo.spring.io/milestone' } + maven { url "https://repo.spring.io/snapshot" } + } +} diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/FormLoginOAuth2Application.java b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/FormLoginOAuth2Application.java new file mode 100644 index 000000000..a92db69ba --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/FormLoginOAuth2Application.java 
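Review bot: The `pluginManagement` repository list ends with `https://repo.spring.io/milestone` and `https://repo.spring.io/snapshot`, and without content filtering any plugin id that is missing from the first two repositories is resolved from those mutable endpoints, which widens the supply-chain surface of this sample. Consider restricting each of them with a `content { includeGroupByRegex 'org\\.springframework.*' }` block inside the `maven {}` entry so only Spring artifacts are ever fetched from the milestone and snapshot repositories. The sample may genuinely need snapshots for the new MFA API, so this is a scoping change, not a removal.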
@@ -0,0 +1,52 @@ +/* + * Copyright 2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.example.magiclink; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.context.annotation.Bean; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.GetMapping; + +@SpringBootApplication +public class FormLoginOAuth2Application { + + public static void main(String[] args) { + SpringApplication.run(FormLoginOAuth2Application.class, args); + } + + @Controller + static class AppController { + @GetMapping("/profile") + String profile() { + return "profile"; + } + } + + @Bean + InMemoryUserDetailsManager userDetailsService() { + UserDetails user = User.withDefaultPasswordEncoder() + .username("user") + .password("password") + .roles("USER") + .build(); + return new InMemoryUserDetailsManager(user); + } +} diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java new file mode 100644 index 000000000..5179040f0 
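Review bot: The `userDetailsService` bean defines a `user`/`password` account with `User.withDefaultPasswordEncoder()`, which Spring Security documents as unsafe outside demos because the plaintext password sits in source; a comment such as `// Demo-only credentials: withDefaultPasswordEncoder() is not for production use` would stop the pattern from being copied. The sibling `SecurityConfig` in this commit only enables `oauth2Login`, so unless form login is configured outside this diff the in-memory user is never consulted and this bean is dead configuration. The package is `org.example.magiclink` although the sample is `formLogin+oauth2`, which looks like a leftover from another sample and is worth renaming before merge.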
--- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java 
@@ -0,0 +1,111 @@ +/* + * Copyright 2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.example.magiclink; + +import java.io.IOException; +import java.util.HashSet; +import java.util.Set; + +import jakarta.servlet.ServletException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; + +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.authorization.AuthorizationRequest; +import org.springframework.security.config.Customizer; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.oauth2.client.CommonOAuth2Provider; +import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken; +import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken; +import org.springframework.security.oauth2.client.registration.ClientRegistration; +import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; +import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository; +import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository; +import 
org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver; +import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository; +import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver; +import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; +import org.springframework.security.web.AuthorizationEntryPoint; +import org.springframework.security.web.SecurityFilterChain; +import org.springframework.stereotype.Component; + +import static org.springframework.security.oauth2.core.authorization.OAuth2AuthorizationManagers.hasScope; + +@Configuration(proxyBeanMethods = false) +class SecurityConfig { + + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http, OAuth2ScopeAuthorizationEntryPoint oauth2) throws Exception { + // @formatter:off + http + .authorizeHttpRequests((authz) -> authz + .requestMatchers("/profile").access(hasScope("https://www.googleapis.com/auth/gmail.readonly")) + .anyRequest().authenticated() + ) + .oauth2Login(Customizer.withDefaults()) + .exceptionHandling((exceptions) -> exceptions.authorizationEntryPoint((a) -> a.add(oauth2))); + // @formatter:on + return http.build(); + } + + @Bean + ClientRegistrationRepository clients() { + ClientRegistration google = CommonOAuth2Provider.GOOGLE.getBuilder("google") + .clientId(System.getenv("GOOGLE_CLIENT_ID")) + .clientSecret(System.getenv("GOOGLE_CLIENT_SECRET")) + .scope("openid", "profile", "email", "https://www.googleapis.com/auth/gmail.readonly") + .build(); + return new InMemoryClientRegistrationRepository(google); + } + + @Component + static class OAuth2ScopeAuthorizationEntryPoint implements AuthorizationEntryPoint { + + private final ClientRegistration google; + + private final OAuth2AuthorizationRequestResolver authorizationRequestResolver; + + private final AuthorizationRequestRepository authorizationRequestRepository = + new 
HttpSessionOAuth2AuthorizationRequestRepository(); + + public OAuth2ScopeAuthorizationEntryPoint(ClientRegistrationRepository clients) { + this.google = clients.findByRegistrationId("google"); + this.authorizationRequestResolver = new DefaultOAuth2AuthorizationRequestResolver(clients); + } + + @Override + public boolean commence(HttpServletRequest request, HttpServletResponse response, AuthorizationRequest authorizationRequest) throws IOException, ServletException { + Set needed = AuthorityUtils.authorityListToSet(authorizationRequest.getAuthorities()); + Set scopes = new HashSet<>(); + for (String scope : needed) { + if (scope.startsWith("SCOPE_")) { + scopes.add(scope.substring("SCOPE_".length())); + } + } + if (scopes.isEmpty()) { + return false; + } + OAuth2AuthorizationRequest oauth2 = this.authorizationRequestResolver.resolve(request, this.google.getRegistrationId()); + oauth2 = OAuth2AuthorizationRequest.from(oauth2).scopes(scopes).build(); + this.authorizationRequestRepository.saveAuthorizationRequest(oauth2, request, response); + response.sendRedirect(oauth2.getAuthorizationRequestUri()); + return true; + } + } +} diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/application.yml b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/application.yml new file mode 100644 index 000000000..d7d92ebab --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/application.yml @@ -0,0 +1,5 @@ +spring: + application: + name: formLogin+oauth2 + +logging.level.org.springframework.security: TRACE diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/static/css/default-ui.css b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/static/css/default-ui.css new file mode 100644 index 000000000..ec3d42bda --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/static/css/default-ui.css 
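Review bot: In `commence`, `OAuth2AuthorizationRequest.from(oauth2).scopes(scopes).build()` replaces the resolved request's scope set with only the `SCOPE_`-derived values, so the step-up redirect asks Google for `gmail.readonly` alone and drops `openid`, `profile` and `email`; unless the provider merges previously granted scopes, the callback may no longer produce an OIDC login and the new token can lose the earlier grants. Consider merging rather than replacing, e.g. `scopes.addAll(this.google.getScopes());` before the `from(...)` line, or at least retaining `openid`, so the second authentication is the first plus the extra scope. `clients.findByRegistrationId("google")` can return null and the result of `resolve(...)` is used without a null check before `getAuthorizationRequestUri()`; an `Objects.requireNonNull` at both points would fail fast with a clear message instead of an NPE mid-redirect. The single-argument `DefaultOAuth2AuthorizationRequestResolver` constructor, `AuthorizationEntryPoint` and `AuthorizationRequest` appear to come from the snapshot builds declared in settings.gradle, so I could not confirm them against a released API.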
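Review bot: `logging.level.org.springframework.security: TRACE` turns on the most verbose security logging, which writes authentication objects, request details and in some filters header or token material to the log; that is acceptable for a local sample but risky if this file is copied into a deployed service. Add a comment above it such as `# TRACE is for local debugging only; it can expose session, header and token details in logs`, or lower it to `DEBUG` for the committed default.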
@@ -0,0 +1,172 @@ +/* + * Copyright 2002-2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* General layout */ +body { + font-family: system-ui, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif; + background-color: #eee; + padding: 40px 0; + margin: 0; + line-height: 1.5; +} + +h2 { + margin-top: 0; + margin-bottom: 0.5rem; + font-size: 2rem; + font-weight: 500; + line-height: 2rem; +} + +.content { + margin-right: auto; + margin-left: auto; + padding-right: 15px; + padding-left: 15px; + width: 100%; + box-sizing: border-box; +} + +@media (min-width: 800px) { + .content { + max-width: 760px; + } +} + +.v-middle { + vertical-align: middle; +} + +.center { + text-align: center; +} + +.no-margin { + margin: 0; +} + +/* Components */ +a, +a:visited { + text-decoration: none; + color: #06f; +} + +a:hover { + text-decoration: underline; + color: #003c97; +} + +input[type="text"], +input[type="password"] { + height: auto; + width: 100%; + font-size: 1rem; + padding: 0.5rem; + box-sizing: border-box; +} + +button { + padding: 0.5rem 1rem; + font-size: 1.25rem; + line-height: 1.5; + border: none; + border-radius: 0.1rem; + width: 100%; + cursor: pointer; +} + +button.primary { + color: #fff; + background-color: #06f; +} + +button.small { + padding: .25rem .5rem; + font-size: .875rem; + line-height: 1.5; +} + +.alert { + padding: 0.75rem 1rem; + margin-bottom: 1rem; + line-height: 1.5; + border-radius: 0.1rem; + 
width: 100%; + box-sizing: border-box; + border-width: 1px; + border-style: solid; +} + +.alert.alert-danger { + color: #6b1922; + background-color: #f7d5d7; + border-color: #eab6bb; +} + +.alert.alert-success { + color: #145222; + background-color: #d1f0d9; + border-color: #c2ebcb; +} + +.screenreader { + position: absolute; + clip: rect(0 0 0 0); + height: 1px; + width: 1px; + padding: 0; + border: 0; + overflow: hidden; +} + +table { + width: 100%; + max-width: 100%; + margin-bottom: 2rem; + border-collapse: collapse; +} + +.table-striped th { + padding: .75rem; +} + +.table-striped tr:nth-of-type(2n + 1) { + background-color: #e1e1e1; +} + +.table-striped > thead > tr:first-child { + background-color: inherit; +} + +td { + padding: 0.75rem; + vertical-align: top; +} + +tr.v-middle > td { + vertical-align: middle; +} + +/* Login / logout layouts */ +.login-form, +.logout-form, +.default-form { + max-width: 340px; + padding: 0 15px 15px 15px; + margin: 0 auto 2rem auto; + box-sizing: border-box; +} diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/templates/index.html b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/templates/index.html new file mode 100644 index 000000000..8457ea1d1 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/templates/index.html @@ -0,0 +1,20 @@ + + + + Hello Spring Security + + + +
+ Logged in user: | + Roles: +
+
+ +
+
+
+

Hello Spring Security

+

This is a secured page

+ + diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/templates/login.html b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/templates/login.html new file mode 100644 index 000000000..7ce9bfe3e --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/templates/login.html @@ -0,0 +1,29 @@ + + + + + + + + Please sign in + + + +
+ +
+ + \ No newline at end of file diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/templates/profile.html b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/templates/profile.html new file mode 100644 index 000000000..e60f88f84 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/resources/templates/profile.html @@ -0,0 +1,16 @@ + + + + + + + + Please sign in + + + +
+

This is a page that requires elevated security

+
+ + \ No newline at end of file diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/src/test/java/org/example/magiclink/FormLoginOAuth2ApplicationTests.java b/servlet/spring-boot/java/authentication/mfa/oauth2/src/test/java/org/example/magiclink/FormLoginOAuth2ApplicationTests.java new file mode 100644 index 000000000..beb09e0cf --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/src/test/java/org/example/magiclink/FormLoginOAuth2ApplicationTests.java 
@@ -0,0 +1,80 @@ +/* + * Copyright 2024 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.example.magiclink; + +import com.icegreen.greenmail.junit5.GreenMailExtension; +import com.icegreen.greenmail.util.GreenMailUtil; +import com.icegreen.greenmail.util.ServerSetupTest; +import jakarta.mail.internet.MimeMessage; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.RegisterExtension; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.web.util.UriComponents; +import org.springframework.web.util.UriComponentsBuilder; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf; +import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated; +import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl; +import static 
org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + +@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) +@AutoConfigureMockMvc +class FormLoginOAuth2ApplicationTests { + + @RegisterExtension + static GreenMailExtension greenMail = new GreenMailExtension(ServerSetupTest.SMTP); + + @Autowired + MockMvc mockMvc; + + @Test + void ottLoginWhenUserExistsThenSendEmailAndAuthenticate() throws Exception { + this.mockMvc.perform(post("/ott/generate").param("username", "user").with(csrf())) + .andExpectAll(status().isFound(), redirectedUrl("/ott/sent")); + + greenMail.waitForIncomingEmail(1); + MimeMessage receivedMessage = greenMail.getReceivedMessages()[0]; + String content = GreenMailUtil.getBody(receivedMessage); + String url = content.split(": ")[1]; + UriComponents uriComponents = UriComponentsBuilder.fromUriString(url).build(); + String token = uriComponents.getQueryParams().get("token").get(0); + + assertThat(token).isNotEmpty(); + + this.mockMvc.perform(post("/login/ott").param("token", token).with(csrf())) + .andExpectAll(status().isFound(), redirectedUrl("/"), authenticated()); + } + + @Test + void ottLoginWhenInvalidTokenThenFails() throws Exception { + this.mockMvc.perform(post("/ott/generate").param("username", "user").with(csrf())) + .andExpectAll(status().isFound(), redirectedUrl("/ott/sent")); + + String token = "1234;"; + + this.mockMvc.perform(post("/login/ott").param("token", token).with(csrf())) + .andExpectAll(status().isFound(), redirectedUrl("/login?error"), unauthenticated()); + } + +} diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/src/test/resources/application.yml b/servlet/spring-boot/java/authentication/mfa/oauth2/src/test/resources/application.yml new file mode 100644 index 000000000..20f8e0227 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/src/test/resources/application.yml 
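Review bot: `FormLoginOAuth2ApplicationTests` posts to `/ott/generate` and `/login/ott` and waits on a GreenMail SMTP server, yet the oauth2 sample's `SecurityConfig` in this patch configures only `oauth2Login` with no one-time-token login and no mail sender, so these tests appear copied from the formLogin+ott sample's `MagicLinkApplicationTests` (a later patch in this series deletes that file) and do not cover the scope step-up this sample exists to show. The `clients()` bean also builds the registration from `System.getenv("GOOGLE_CLIENT_ID")` and `GOOGLE_CLIENT_SECRET`; if the `ClientRegistration` builder rejects a null client id, as I believe it does, the test context will not start on a machine without those variables, so the test profile should supply placeholder values. A minimal replacement would assert that an unauthenticated GET of `/` is redirected to the authorization endpoint, and that an authenticated user lacking the `SCOPE_https://www.googleapis.com/auth/gmail.readonly` authority is sent by `OAuth2ScopeAuthorizationEntryPoint` to an authorization request carrying that scope.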
@@ -0,0 +1,6 @@ +spring: + config: + import: classpath:application.yml + mail: + port: 3025 + host: localhost diff --git a/settings.gradle b/settings.gradle index 15338b858..1785cb8ba 100644 --- a/settings.gradle +++ b/settings.gradle @@ -55,6 +55,7 @@ include ":servlet:spring-boot:java:authentication:username-password:mfa" include ":servlet:spring-boot:java:authentication:mfa:x509+formLogin" include ":servlet:spring-boot:java:authentication:mfa:x509+webauthn" include ":servlet:spring-boot:java:authentication:mfa:formLogin+ott" +include ":servlet:spring-boot:java:authentication:mfa:oauth2" include ":servlet:spring-boot:java:authentication:username-password:compromised-password-checker" include ":servlet:spring-boot:java:authentication:one-time-token:magic-link" include ":servlet:spring-boot:java:data" From b977133741db9085c5e9841b46fe4b81438d9e1f Mon Sep 17 00:00:00 2001 
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Thu, 4 Sep 2025 16:20:19 -0600 Subject: [PATCH 12/21] Update formLogin+ott To Latest --- .../mfa/formLogin+ott/build.gradle | 3 - .../mfa/formLogin+ott/compose.yml | 6 -- .../gradle/wrapper/gradle-wrapper.properties | 2 +- .../AuthorizationManagerFactory.java | 64 +++++++++++++++ .../magiclink/CustomPagesSecurityConfig.java | 20 +++-- .../magiclink/DefaultSecurityConfig.java | 16 +++- .../ElevatedSecurityPageSecurityConfig.java | 34 +++----- .../magiclink/MagicLinkApplication.java | 7 +- ...kOneTimeTokenGenerationSuccessHandler.java | 17 +--- .../magiclink/MagicLinkApplicationTests.java | 80 ------------------- .../src/test/resources/application.yml | 7 +- 11 files changed, 106 insertions(+), 150 deletions(-) delete mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/compose.yml create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/AuthorizationManagerFactory.java delete mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/org/example/magiclink/MagicLinkApplicationTests.java diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle index 9a8a64fbd..92fbcdd83 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle 
@@ -21,13 +21,10 @@ dependencies { implementation 'org.springframework.boot:spring-boot-starter-security' implementation 'org.springframework.boot:spring-boot-starter-thymeleaf' implementation 'org.springframework.boot:spring-boot-starter-web' - implementation 'org.springframework.boot:spring-boot-starter-mail' implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6' testImplementation 'org.springframework.boot:spring-boot-starter-test' testImplementation 'org.springframework.security:spring-security-test' - testImplementation 'com.icegreen:greenmail-junit5:2.0.1' testRuntimeOnly 'org.junit.platform:junit-platform-launcher' - runtimeOnly 'org.springframework.boot:spring-boot-docker-compose' } tasks.named('test') { diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/compose.yml b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/compose.yml deleted file mode 100644 index 85a825b5b..000000000 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/compose.yml +++ /dev/null @@ -1,6 +0,0 @@ -services: - maildev: - image: maildev/maildev:2.1.0 - ports: - - "1080:1080" - - "1025:1025" diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/wrapper/gradle-wrapper.properties b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/wrapper/gradle-wrapper.properties index a4413138c..d4081da47 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/wrapper/gradle-wrapper.properties +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-8.8-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME 
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/AuthorizationManagerFactory.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/AuthorizationManagerFactory.java new file mode 100644 index 000000000..cb0035047 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/AuthorizationManagerFactory.java 
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.example.magiclink;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.function.Supplier;
+
+import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
+import org.springframework.security.authorization.AuthorityAuthorizationDecision;
+import org.springframework.security.authorization.AuthorityAuthorizationManager;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationManagers;
+import org.springframework.security.authorization.AuthorizationResult;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+
+public final class AuthorizationManagerFactory {
+
+ private final Collection authorities;
+
+ public AuthorizationManagerFactory(String... authorities) {
+ this.authorities = List.of(authorities);
+ }
+
+ public AuthorizationManager authenticated() {
+ AuthenticatedAuthorizationManager authenticated = AuthenticatedAuthorizationManager.authenticated();
+ return AuthorizationManagers.allOf(new AuthorizationDecision(false), this::factors, authenticated);
+ }
+
+ public AuthorizationManager hasAuthority(String authority) {
+ AuthorityAuthorizationManager authorized = AuthorityAuthorizationManager.hasAuthority(authority);
+ return AuthorizationManagers.allOf(new AuthorizationDecision(false), this::factors, authorized);
+ }
+
+ private AuthorizationResult factors(Supplier authentication, Object context) {
+ List authorities = authentication.get()
+ .getAuthorities()
+ .stream()
+ .map(GrantedAuthority::getAuthority)
+ .toList();
+ List needed = new ArrayList<>(this.authorities);
+ needed.removeIf(authorities::contains);
+ return new AuthorityAuthorizationDecision(needed.isEmpty(), AuthorityUtils.createAuthorityList(needed));
+ }
+
+}
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java
index 79d2726d7..5834224c5 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java
@@ -3,7 +3,6 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
-import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.stereotype.Controller;
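Review bot: `AuthorizationManagerFactory` carries no documentation, and its key behaviour is not obvious from the code: because `this::factors` precedes the `authenticated`/`hasAuthority` manager in `allOf`, a principal missing any configured `FACTOR_*` authority is denied with an `AuthorityAuthorizationDecision` that names the missing factors rather than a plain denial, which is presumably what drives the step-up prompt. A class-level Javadoc should say so, e.g. `/** Builds AuthorizationManagers that require every configured factor authority in addition to the usual check; a missing factor yields an AuthorityAuthorizationDecision listing what is still needed. */`, and `factors` deserves a one-line comment that `needed` is the set difference of required over held authorities. `factors` also dereferences `authentication.get()` without a null check; the `authorizeHttpRequests` supplier normally yields an anonymous token rather than null, but this class is also reached from `@PreAuthorize` in `MagicLinkApplication`, where I would confirm the same holds. The type arguments (`Collection<String>`, `Supplier<Authentication>`, `AuthorizationManager<Object>`) look stripped in this rendering; if the committed file really uses raw types, restore them.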
@@ -28,19 +27,18 @@ public String ott() {
 }
 @Bean
- public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+ public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthorizationManagerFactory authz) throws Exception {
 // @formatter:off
 http
- .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
- .formLogin((form) -> form
- .loginPage("/login/form").permitAll()
- .factor(Customizer.withDefaults())
- )
- .oneTimeTokenLogin((ott) -> ott
- .loginPage("/login/ott").permitAll()
- .factor(Customizer.withDefaults())
- );
+ .authorizeHttpRequests((authorize) -> authorize.anyRequest().access(authz.authenticated()))
+ .formLogin((form) -> form.loginPage("/login/form").permitAll())
+ .oneTimeTokenLogin((ott) -> ott.loginPage("/login/ott").permitAll());
 // @formatter:on
 return http.build();
 }
+
+ @Bean
+ AuthorizationManagerFactory authz() {
+ return new AuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
+ }
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java
index 533559cb6..7a83cf658 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java
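Review bot: The `authz()` bean added here is duplicated verbatim in `DefaultSecurityConfig` and `ElevatedSecurityPageSecurityConfig` (the next two file sections), each under its own profile, and the `@authz` SpEL reference in `MagicLinkApplication` depends on exactly one bean of that name; should two of these profiles ever be active together, Boot's default refusal of bean-definition overriding would fail startup. Define it once in an unprofiled class (e.g. `MagicLinkApplication`) and drop the three copies, or at least hoist the factor names into one shared constant such as `static final String[] REQUIRED_FACTORS = {"FACTOR_PASSWORD", "FACTOR_OTT"};`. The `@Profile` annotations on this class and on `DefaultSecurityConfig` are outside the hunk, so their mutual exclusivity is inferred.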
@@ -28,15 +28,23 @@ class DefaultSecurityConfig {
 @Bean
- public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+ public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthorizationManagerFactory authz) throws Exception {
 // @formatter:off
 http
- .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
- .formLogin((form) -> form.factor(Customizer.withDefaults()))
- .oneTimeTokenLogin((ott) -> ott.factor(Customizer.withDefaults()));
+ .authorizeHttpRequests((authorize) -> authorize
+ .anyRequest().access(authz.authenticated())
+ )
+ .formLogin(Customizer.withDefaults())
+ .oneTimeTokenLogin(Customizer.withDefaults());
 // @formatter:on
 return http.build();
 }
+ @Bean
+ AuthorizationManagerFactory authz() {
+ return new AuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
+ }
+
+
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java
index 4cf69f4ba..bb0f8653b 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java
@@ -1,26 +1,13 @@
 package org.example.magiclink;
-import java.time.Duration;
-
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
-import org.springframework.http.HttpMethod;
-import org.springframework.security.config.Customizer;
-import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
-import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configurers.MfaConfigurer;
-import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.authentication.AuthenticationFilter;
-import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
-import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
-import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
-
 @Profile("elevated-security")
 @Configuration(proxyBeanMethods = false)
 public class ElevatedSecurityPageSecurityConfig {
@@ -40,24 +27,21 @@ public String ott() {
 }
 @Bean
- public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+ public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthorizationManagerFactory authz) throws Exception {
 // @formatter:off
 http
- .authorizeHttpRequests((authz) -> authz
- .requestMatchers("/profile").hasAuthority("profile:read")
- .anyRequest().authenticated()
- )
- .formLogin((form) -> form
- .loginPage("/login/form").permitAll()
- .factor((f) -> f.grants(Duration.ofMinutes(1), "profile:read"))
+ .authorizeHttpRequests((authorize) -> authorize
+ .anyRequest().access(authz.authenticated())
 )
- .oneTimeTokenLogin((ott) -> ott
- .loginPage("/login/ott").permitAll()
- .factor(Customizer.withDefaults())
- );
+ .formLogin((form) -> form.loginPage("/login/form").permitAll())
+ .oneTimeTokenLogin((ott) -> ott.loginPage("/login/ott").permitAll());
 // @formatter:on
 return http.build();
 }
+ @Bean
+ AuthorizationManagerFactory authz() {
+ return new AuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
+ }
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java
index 3664b1244..900cd1ff1 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java
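Review bot: After this hunk the `elevated-security` filter chain is identical to the one in `CustomPagesSecurityConfig`: the `/profile` matcher with `hasAuthority("profile:read")` and the `grants(Duration.ofMinutes(1), "profile:read")` freshness window are removed, and `/profile` is now guarded only by the `@PreAuthorize` in `MagicLinkApplication` against an authority the user holds permanently. If that is an interim state, say so where a reader of this profile will look: `// /profile is guarded by @PreAuthorize on AppController.profile(); the time-bounded elevation is pending (see FIXME there)`. Otherwise this profile no longer demonstrates anything the default one does not.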
@@ -19,6 +19,8 @@
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -26,6 +28,7 @@
 import org.springframework.web.bind.annotation.GetMapping;
 @SpringBootApplication
+@EnableMethodSecurity
 public class MagicLinkApplication {
 public static void main(String[] args) {
@@ -35,6 +38,8 @@ public static void main(String[] args) {
 @Controller
 static class AppController {
 @GetMapping("/profile")
+ @PreAuthorize("@authz.hasAuthority('profile:read')") // FIXME add hasAuthorityWithin once
+ // GrantedAuthority is timestamped
 String profile() {
 return "profile";
 }
@@ -45,7 +50,7 @@ InMemoryUserDetailsManager userDetailsService() {
 UserDetails user = User.withDefaultPasswordEncoder()
 .username("user")
 .password("password")
- .roles("USER")
+ .authorities("ROLE_USER", "profile:read")
 .build();
 return new InMemoryUserDetailsManager(user);
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java
index 24fd7dfe3..1334ab0ae 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java
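Review bot: `@PreAuthorize("@authz.hasAuthority('profile:read')")` calls a method that returns an `AuthorizationManager`, while a `@PreAuthorize` expression has to evaluate to a boolean; unless method security in this Spring Security version knows how to evaluate an `AuthorizationManager` result (which I cannot confirm from the diff), invoking `profile()` will fail at expression evaluation rather than authorize. Granting `profile:read` permanently through `.authorities("ROLE_USER", "profile:read")` also means the user satisfies the check from first login onward, so the freshness requirement the FIXME alludes to is no longer enforced anywhere; the comment should name what was removed, e.g. `// FIXME previously granted for 1 minute via formLogin().factor(...); restore once GrantedAuthority carries a timestamp`. `AppController` and `userDetailsService()` both begin and end outside these hunks.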
@@ -20,9 +20,9 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
-import org.springframework.mail.SimpleMailMessage;
-import org.springframework.mail.javamail.JavaMailSender;
 import org.springframework.security.authentication.ott.OneTimeToken;
 import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;
 import org.springframework.stereotype.Component;
@@ -30,21 +30,12 @@
 @Component
 public class MagicLinkOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler {
- private final JavaMailSender mailSender;
-
- public MagicLinkOneTimeTokenGenerationSuccessHandler(JavaMailSender mailSender) {
- this.mailSender = mailSender;
- }
+ private final Log logger = LogFactory.getLog(this.getClass());
 @Override
 public void handle(HttpServletRequest request, HttpServletResponse response, OneTimeToken oneTimeToken) throws IOException {
- SimpleMailMessage message = new SimpleMailMessage();
- message.setFrom("noreply@example.com");
- message.setTo("johndoe@example.com");
- message.setSubject("Your token");
- message.setText("Please enter this token " + oneTimeToken.getTokenValue());
- this.mailSender.send(message);
+ this.logger.info("Use this one-time token: " + oneTimeToken.getTokenValue());
 response.sendRedirect("/login/ott");
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/org/example/magiclink/MagicLinkApplicationTests.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/org/example/magiclink/MagicLinkApplicationTests.java
deleted file mode 100644
index fbde7025f..000000000
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/org/example/magiclink/MagicLinkApplicationTests.java
+++ /dev/null
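Review bot: `this.logger.info("Use this one-time token: " + oneTimeToken.getTokenValue())` writes a live login credential to the application log at INFO, where it persists in log files and any aggregation pipeline; the mail delivery it replaces at least kept the token value out of the logs. For a sample this is a deliberate convenience, so mark it as such at the call site: `// Sample only: the token is logged in place of delivery; never log one-time token values in a real application`. The class header is at the top of the second hunk, but the class's closing brace lies outside it.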
@@ -1,80 +0,0 @@ -/* - * Copyright 2024 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.example.magiclink; - -import com.icegreen.greenmail.junit5.GreenMailExtension; -import com.icegreen.greenmail.util.GreenMailUtil; -import com.icegreen.greenmail.util.ServerSetupTest; -import jakarta.mail.internet.MimeMessage; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.extension.RegisterExtension; - -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; -import org.springframework.boot.test.context.SpringBootTest; -import org.springframework.test.web.servlet.MockMvc; -import org.springframework.web.util.UriComponents; -import org.springframework.web.util.UriComponentsBuilder; - -import static org.assertj.core.api.Assertions.assertThat; -import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf; -import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated; -import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated; -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl; -import static 
org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; - -@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) -@AutoConfigureMockMvc -class MagicLinkApplicationTests { - - @RegisterExtension - static GreenMailExtension greenMail = new GreenMailExtension(ServerSetupTest.SMTP); - - @Autowired - MockMvc mockMvc; - - @Test - void ottLoginWhenUserExistsThenSendEmailAndAuthenticate() throws Exception { - this.mockMvc.perform(post("/ott/generate").param("username", "user").with(csrf())) - .andExpectAll(status().isFound(), redirectedUrl("/ott/sent")); - - greenMail.waitForIncomingEmail(1); - MimeMessage receivedMessage = greenMail.getReceivedMessages()[0]; - String content = GreenMailUtil.getBody(receivedMessage); - String url = content.split(": ")[1]; - UriComponents uriComponents = UriComponentsBuilder.fromUriString(url).build(); - String token = uriComponents.getQueryParams().get("token").get(0); - - assertThat(token).isNotEmpty(); - - this.mockMvc.perform(post("/login/ott").param("token", token).with(csrf())) - .andExpectAll(status().isFound(), redirectedUrl("/"), authenticated()); - } - - @Test - void ottLoginWhenInvalidTokenThenFails() throws Exception { - this.mockMvc.perform(post("/ott/generate").param("username", "user").with(csrf())) - .andExpectAll(status().isFound(), redirectedUrl("/ott/sent")); - - String token = "1234;"; - - this.mockMvc.perform(post("/login/ott").param("token", token).with(csrf())) - .andExpectAll(status().isFound(), redirectedUrl("/login?error"), unauthenticated()); - } - -} diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/resources/application.yml b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/resources/application.yml index 20f8e0227..8b1378917 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/resources/application.yml 
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/resources/application.yml @@ -1,6 +1 @@ -spring: - config: - import: classpath:application.yml - mail: - port: 3025 - host: localhost + From 844184fdee844d42d3191efffbf72b45fa2c560b Mon Sep 17 00:00:00 2001 From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Tue, 9 Sep 2025 17:39:23 -0600 Subject: [PATCH 13/21] Update formLogin+ott to the Latest --- .../AuthorizationManagerFactory.java | 64 --------- .../magiclink/CustomPagesSecurityConfig.java | 8 +- .../magiclink/DefaultSecurityConfig.java | 10 +- .../ElevatedSecurityPageSecurityConfig.java | 10 +- .../FactorAuthorizationManagerFactory.java | 121 ++++++++++++++++++ 5 files changed, 133 insertions(+), 80 deletions(-) delete mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/AuthorizationManagerFactory.java create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/FactorAuthorizationManagerFactory.java diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/AuthorizationManagerFactory.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/AuthorizationManagerFactory.java deleted file mode 100644 index cb0035047..000000000 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/AuthorizationManagerFactory.java +++ /dev/null 
@@ -1,64 +0,0 @@ -/* - * Copyright 2025 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.example.magiclink; - -import java.util.ArrayList; -import java.util.Collection; -import java.util.List; -import java.util.function.Supplier; - -import org.springframework.security.authorization.AuthenticatedAuthorizationManager; -import org.springframework.security.authorization.AuthorityAuthorizationDecision; -import org.springframework.security.authorization.AuthorityAuthorizationManager; -import org.springframework.security.authorization.AuthorizationDecision; -import org.springframework.security.authorization.AuthorizationManager; -import org.springframework.security.authorization.AuthorizationManagers; -import org.springframework.security.authorization.AuthorizationResult; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.GrantedAuthority; -import org.springframework.security.core.authority.AuthorityUtils; - -public final class AuthorizationManagerFactory { - - private final Collection authorities; - - public AuthorizationManagerFactory(String... 
authorities) { - this.authorities = List.of(authorities); - } - - public AuthorizationManager authenticated() { - AuthenticatedAuthorizationManager authenticated = AuthenticatedAuthorizationManager.authenticated(); - return AuthorizationManagers.allOf(new AuthorizationDecision(false), this::factors, authenticated); - } - - public AuthorizationManager hasAuthority(String authority) { - AuthorityAuthorizationManager authorized = AuthorityAuthorizationManager.hasAuthority(authority); - return AuthorizationManagers.allOf(new AuthorizationDecision(false), this::factors, authorized); - } - - private AuthorizationResult factors(Supplier authentication, Object context) { - List authorities = authentication.get() - .getAuthorities() - .stream() - .map(GrantedAuthority::getAuthority) - .toList(); - List needed = new ArrayList<>(this.authorities); - needed.removeIf(authorities::contains); - return new AuthorityAuthorizationDecision(needed.isEmpty(), AuthorityUtils.createAuthorityList(needed)); - } - -} diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java index 5834224c5..344a43f38 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java 
@@ -27,10 +27,10 @@ public String ott() { } @Bean - public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthorizationManagerFactory authz) throws Exception { + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeHttpRequests((authorize) -> authorize.anyRequest().access(authz.authenticated())) + .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated()) .formLogin((form) -> form.loginPage("/login/form").permitAll()) .oneTimeTokenLogin((ott) -> ott.loginPage("/login/ott").permitAll()); // @formatter:on @@ -38,7 +38,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthorizationM } @Bean - AuthorizationManagerFactory authz() { - return new AuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT"); + FactorAuthorizationManagerFactory authz() { + return new FactorAuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT"); } } diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java index 7a83cf658..520171dc0 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java 
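Review bot: The `anyRequest().authenticated()` rule in the first hunk no longer says that two factors are required; that now depends on `authorizeHttpRequests` resolving its `authenticated()` manager from the `FactorAuthorizationManagerFactory` bean in the second hunk, which is inferred from the bean's type rather than shown here, so if that resolution ever stops (the bean is removed, or another `AuthorizationManagerFactory` bean takes precedence) the chain degrades to single-factor with no compile-time signal. A comment on the rule keeps the intent reviewable: `// authenticated() also requires FACTOR_PASSWORD and FACTOR_OTT through the FactorAuthorizationManagerFactory bean below`. A test asserting that a password-only session is still denied would pin the property this refactor is most likely to lose.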
@@ -28,12 +28,10 @@ class DefaultSecurityConfig { @Bean - public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthorizationManagerFactory authz) throws Exception { + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeHttpRequests((authorize) -> authorize - .anyRequest().access(authz.authenticated()) - ) + .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated()) .formLogin(Customizer.withDefaults()) .oneTimeTokenLogin(Customizer.withDefaults()); // @formatter:on @@ -41,8 +39,8 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthorizationM } @Bean - AuthorizationManagerFactory authz() { - return new AuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT"); + FactorAuthorizationManagerFactory authz() { + return new FactorAuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT"); } diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java index bb0f8653b..e64dd30e1 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java 
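Review bot: Nothing in this file now states that both factors are required or in which order they are collected; the rule reads as plain `authenticated()`, both `formLogin` and `oneTimeTokenLogin` are default-configured, and the only hint is the `FactorAuthorizationManagerFactory` bean in the second hunk, whose effect on `authorizeHttpRequests` is presumably by bean type and is not visible here. Put the intent on the bean: `// Every authenticated()/hasRole()/hasAuthority() rule in this chain additionally requires FACTOR_PASSWORD and FACTOR_OTT`. If the order (password first, then one-time token) matters for the user journey, say so as well, because the factory's `HasAll` only checks that both authorities are present.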
@@ -27,12 +27,10 @@ public String ott() { } @Bean - public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthorizationManagerFactory authz) throws Exception { + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { // @formatter:off http - .authorizeHttpRequests((authorize) -> authorize - .anyRequest().access(authz.authenticated()) - ) + .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated()) .formLogin((form) -> form.loginPage("/login/form").permitAll()) .oneTimeTokenLogin((ott) -> ott.loginPage("/login/ott").permitAll()); @@ -41,7 +39,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthorizationM } @Bean - AuthorizationManagerFactory authz() { - return new AuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT"); + FactorAuthorizationManagerFactory authz() { + return new FactorAuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT"); } } diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/FactorAuthorizationManagerFactory.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/FactorAuthorizationManagerFactory.java new file mode 100644 index 000000000..4c1648f84 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/FactorAuthorizationManagerFactory.java 
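Review bot: The `.permitAll()` on `/login/form` and `/login/ott` is doing more work than it looks: `FactorAuthorizationManagerFactory.permitAll()` delegates straight to the default manager with no factor check, so those two pages are the only way a user holding one factor can reach the second step, and tightening either to `authenticated()` would lock every user out after the first login. A comment on those two lines would protect that, e.g. `// must stay permitAll(): a password-only session has to reach the OTT step`. The class name suggests a page with elevated requirements, but after this change its rules are identical to the other two configs; whatever distinguishes it presumably lives outside the hunk and deserves a class-level comment.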
@@ -0,0 +1,121 @@ +/* + * Copyright 2025 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.example.magiclink; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import java.util.function.Supplier; + +import org.jspecify.annotations.NullMarked; +import org.jspecify.annotations.Nullable; + +import org.springframework.security.authorization.AuthorityAuthorizationDecision; +import org.springframework.security.authorization.AuthorizationDecision; +import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationManagerFactory; +import org.springframework.security.authorization.AuthorizationManagers; +import org.springframework.security.authorization.AuthorizationResult; +import org.springframework.security.authorization.DefaultAuthorizationManagerFactory; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.AuthorityUtils; + +@NullMarked +public final class FactorAuthorizationManagerFactory implements AuthorizationManagerFactory { + + private static final AuthorizationDecision allAbstain = new AuthorizationDecision(false); + + private final AuthorizationManager factors; + + private final AuthorizationManagerFactory defaults = new DefaultAuthorizationManagerFactory<>(); + + public 
FactorAuthorizationManagerFactory(String... authorities) { + this.factors = new HasAll(authorities); + } + + @Override + public AuthorizationManager permitAll() { + return this.defaults.permitAll(); + } + + @Override + public AuthorizationManager denyAll() { + return this.defaults.denyAll(); + } + + @Override + public AuthorizationManager hasRole(String role) { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasRole(role)); + } + + @Override + public AuthorizationManager hasAnyRole(String... roles) { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasAnyRole(roles)); + } + + @Override + public AuthorizationManager hasAuthority(String authority) { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasAuthority(authority)); + } + + @Override + public AuthorizationManager hasAnyAuthority(String... authorities) { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasAnyAuthority(authorities)); + } + + @Override + public AuthorizationManager authenticated() { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.authenticated()); + } + + @Override + public AuthorizationManager fullyAuthenticated() { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.fullyAuthenticated()); + } + + @Override + public AuthorizationManager rememberMe() { + return this.defaults.rememberMe(); + } + + @Override + public AuthorizationManager anonymous() { + return this.defaults.anonymous(); + } + + private static final class HasAll implements AuthorizationManager { + private final Collection authorities; + + private HasAll(String... 
authorities) { + this.authorities = List.of(authorities); + } + + @Override + public AuthorizationResult authorize(Supplier supplier, @Nullable Object object) { + Authentication authentication = supplier.get(); + List authorities = List.of(); + if (authentication != null) { + authorities = authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList(); + } + List needed = new ArrayList<>(this.authorities); + needed.removeIf(authorities::contains); + return new AuthorityAuthorizationDecision(needed.isEmpty(), AuthorityUtils.createAuthorityList(needed)); + } + } + +} From 11943a23c11f9efbbeeccb0c9046225902dde8d0 Mon Sep 17 00:00:00 2001 From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Tue, 9 Sep 2025 17:47:22 -0600 Subject: [PATCH 14/21] Update x509+formLogin to the Latest --- .../gradle/wrapper/gradle-wrapper.properties | 2 +- .../FactorAuthorizationManagerFactory.java | 121 ++++++++++++++++++ .../src/main/java/example/SecurityConfig.java | 9 +- 3 files changed, 129 insertions(+), 3 deletions(-) create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/FactorAuthorizationManagerFactory.java diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle/wrapper/gradle-wrapper.properties b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle/wrapper/gradle-wrapper.properties index 1e2fbf0d4..3ae1e2f12 100644 --- a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle/wrapper/gradle-wrapper.properties +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,5 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists 
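Review bot: `rememberMe()` and `anonymous()` at the bottom of the new class delegate to the default factory with no factor check, so a rule written as `.rememberMe()` would admit a remember-me session holding neither configured factor while `authenticated()` on the same chain demands both; if that is an intended lower-assurance tier, say so in a method comment, otherwise wrap it the way `authenticated()` is. The constructor also accepts an empty varargs: with no authorities, `HasAll` computes an empty `needed` list and grants everything, silently turning MFA off, so guard it with `if (authorities.length == 0) throw new IllegalArgumentException("at least one factor authority is required");`. The class has no Javadoc; it should state that every role/authority/authenticated rule additionally requires all listed factor authorities, and that a denial is an `AuthorityAuthorizationDecision` listing the missing ones, which later patches in this series appear to key their entry points on.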
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/FactorAuthorizationManagerFactory.java b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/FactorAuthorizationManagerFactory.java new file mode 100644 index 000000000..7e9f19185 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/FactorAuthorizationManagerFactory.java 
@@ -0,0 +1,121 @@ +/* + * Copyright 2025 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package example; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import java.util.function.Supplier; + +import org.jspecify.annotations.NullMarked; +import org.jspecify.annotations.Nullable; + +import org.springframework.security.authorization.AuthorityAuthorizationDecision; +import org.springframework.security.authorization.AuthorizationDecision; +import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationManagerFactory; +import org.springframework.security.authorization.AuthorizationManagers; +import org.springframework.security.authorization.AuthorizationResult; +import org.springframework.security.authorization.DefaultAuthorizationManagerFactory; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.AuthorityUtils; + +@NullMarked +public final class FactorAuthorizationManagerFactory implements AuthorizationManagerFactory { + + private static final AuthorizationDecision allAbstain = new AuthorizationDecision(false); + + private final AuthorizationManager factors; + + private final AuthorizationManagerFactory defaults = new DefaultAuthorizationManagerFactory<>(); + + public 
FactorAuthorizationManagerFactory(String... authorities) { + this.factors = new HasAll(authorities); + } + + @Override + public AuthorizationManager permitAll() { + return this.defaults.permitAll(); + } + + @Override + public AuthorizationManager denyAll() { + return this.defaults.denyAll(); + } + + @Override + public AuthorizationManager hasRole(String role) { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasRole(role)); + } + + @Override + public AuthorizationManager hasAnyRole(String... roles) { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasAnyRole(roles)); + } + + @Override + public AuthorizationManager hasAuthority(String authority) { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasAuthority(authority)); + } + + @Override + public AuthorizationManager hasAnyAuthority(String... authorities) { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasAnyAuthority(authorities)); + } + + @Override + public AuthorizationManager authenticated() { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.authenticated()); + } + + @Override + public AuthorizationManager fullyAuthenticated() { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.fullyAuthenticated()); + } + + @Override + public AuthorizationManager rememberMe() { + return this.defaults.rememberMe(); + } + + @Override + public AuthorizationManager anonymous() { + return this.defaults.anonymous(); + } + + private static final class HasAll implements AuthorizationManager { + private final Collection authorities; + + private HasAll(String... 
authorities) { + this.authorities = List.of(authorities); + } + + @Override + public AuthorizationResult authorize(Supplier supplier, @Nullable Object object) { + Authentication authentication = supplier.get(); + List authorities = List.of(); + if (authentication != null) { + authorities = authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList(); + } + List needed = new ArrayList<>(this.authorities); + needed.removeIf(authorities::contains); + return new AuthorityAuthorizationDecision(needed.isEmpty(), AuthorityUtils.createAuthorityList(needed)); + } + } + +} diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java index 5d6a44172..b606f0036 100644 --- a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/SecurityConfig.java @@ -33,8 +33,8 @@ SecurityFilterChain web(HttpSecurity http) throws Exception { // @formatter:off http .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated()) - .x509((x509) -> x509.factor(Customizer.withDefaults())) - .formLogin((form) -> form.factor(Customizer.withDefaults())); + .x509(Customizer.withDefaults()) + .formLogin(Customizer.withDefaults()); // @formatter:on return http.build(); } @@ -49,4 +49,9 @@ public UserDetailsService userDetailsService() { .build() ); } + + @Bean + FactorAuthorizationManagerFactory authorizationManagerFactory() { + return new FactorAuthorizationManagerFactory("FACTOR_X509", "FACTOR_PASSWORD"); + } } From b14b3e0fd72449e06676fd37a432b6ba665d4292 Mon Sep 17 00:00:00 2001 
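Review bot: `HasAll.authorize` in this copy of the class decides by set membership (`needed.removeIf(authorities::contains)`) and treats a null `Authentication` as holding no factors, neither of which is documented; a reader of the constructor's varargs will assume the order is a sequence. A short Javadoc on `HasAll` would settle it: "Grants only when every configured factor authority is present on the Authentication; order is irrelevant, and a null Authentication is treated as holding none." Since this file is byte-identical to the one added to formLogin+ott in the previous patch, the same note applies there.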
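Review bot: In the first SecurityConfig hunk nothing maps a missing `FACTOR_X509` to an entry point, unlike the x509+webauthn sample in the next patch which routes a missing `FACTOR_WEBAUTHN` to a login URL; a password-only session on a connection that presented no client certificate will therefore be denied by whatever entry point the framework falls back to, which this hunk does not show. Since a certificate cannot be prompted for mid-session, that is probably the intended outcome, but it should be explicit, e.g. `.exceptionHandling((exceptions) -> exceptions.defaultAuthenticationEntryPointFor(new Http403ForbiddenEntryPoint(), "FACTOR_X509"))`, with a comment saying the certificate must be presented at connection time. The second hunk's bean is named `authorizationManagerFactory` where the other samples use `authz`; harmless if pickup is by type, but worth aligning.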
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Tue, 9 Sep 2025 17:52:11 -0600 Subject: [PATCH 15/21] Update x509+webauthn to the Latest --- .../gradle/wrapper/gradle-wrapper.properties | 2 +- .../FactorAuthorizationManagerFactory.java | 121 ++++++++++++++++++ .../src/main/java/example/SecurityConfig.java | 11 +- 3 files changed, 131 insertions(+), 3 deletions(-) create mode 100644 servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/FactorAuthorizationManagerFactory.java diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/wrapper/gradle-wrapper.properties b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/wrapper/gradle-wrapper.properties index 1e2fbf0d4..3ae1e2f12 100644 --- a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/wrapper/gradle-wrapper.properties +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,5 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/FactorAuthorizationManagerFactory.java b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/FactorAuthorizationManagerFactory.java new file mode 100644 index 000000000..7e9f19185 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/FactorAuthorizationManagerFactory.java 
@@ -0,0 +1,121 @@ +/* + * Copyright 2025 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package example; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import java.util.function.Supplier; + +import org.jspecify.annotations.NullMarked; +import org.jspecify.annotations.Nullable; + +import org.springframework.security.authorization.AuthorityAuthorizationDecision; +import org.springframework.security.authorization.AuthorizationDecision; +import org.springframework.security.authorization.AuthorizationManager; +import org.springframework.security.authorization.AuthorizationManagerFactory; +import org.springframework.security.authorization.AuthorizationManagers; +import org.springframework.security.authorization.AuthorizationResult; +import org.springframework.security.authorization.DefaultAuthorizationManagerFactory; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.AuthorityUtils; + +@NullMarked +public final class FactorAuthorizationManagerFactory implements AuthorizationManagerFactory { + + private static final AuthorizationDecision allAbstain = new AuthorizationDecision(false); + + private final AuthorizationManager factors; + + private final AuthorizationManagerFactory defaults = new DefaultAuthorizationManagerFactory<>(); + + public 
FactorAuthorizationManagerFactory(String... authorities) { + this.factors = new HasAll(authorities); + } + + @Override + public AuthorizationManager permitAll() { + return this.defaults.permitAll(); + } + + @Override + public AuthorizationManager denyAll() { + return this.defaults.denyAll(); + } + + @Override + public AuthorizationManager hasRole(String role) { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasRole(role)); + } + + @Override + public AuthorizationManager hasAnyRole(String... roles) { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasAnyRole(roles)); + } + + @Override + public AuthorizationManager hasAuthority(String authority) { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasAuthority(authority)); + } + + @Override + public AuthorizationManager hasAnyAuthority(String... authorities) { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasAnyAuthority(authorities)); + } + + @Override + public AuthorizationManager authenticated() { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.authenticated()); + } + + @Override + public AuthorizationManager fullyAuthenticated() { + return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.fullyAuthenticated()); + } + + @Override + public AuthorizationManager rememberMe() { + return this.defaults.rememberMe(); + } + + @Override + public AuthorizationManager anonymous() { + return this.defaults.anonymous(); + } + + private static final class HasAll implements AuthorizationManager { + private final Collection authorities; + + private HasAll(String... 
authorities) { + this.authorities = List.of(authorities); + } + + @Override + public AuthorizationResult authorize(Supplier supplier, @Nullable Object object) { + Authentication authentication = supplier.get(); + List authorities = List.of(); + if (authentication != null) { + authorities = authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList(); + } + List needed = new ArrayList<>(this.authorities); + needed.removeIf(authorities::contains); + return new AuthorityAuthorizationDecision(needed.isEmpty(), AuthorityUtils.createAuthorityList(needed)); + } + } + +} diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java index 0dda07bf7..786153ae1 100644 --- a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java @@ -46,13 +46,15 @@ SecurityFilterChain web(HttpSecurity http) throws Exception { .authorizeHttpRequests((authorize) -> authorize .requestMatchers("/webauthn/**").permitAll() .anyRequest().authenticated()) - .x509((x509) -> x509.factor(Customizer.withDefaults())) + .x509(Customizer.withDefaults()) .formLogin(Customizer.withDefaults()) .webAuthn((webauthn) -> webauthn .rpId("api.127.0.0.1.nip.io") .rpName("X.509+WebAuthn MFA Sample") .allowedOrigins("https://api.127.0.0.1.nip.io:8443") - .factor((f) -> f.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/webauthn"))) + ) + .exceptionHandling((exceptions) -> exceptions + .defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint("/webauthn"), "FACTOR_WEBAUTHN") ); // @formatter:on return http.build(); 
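Review bot: `.requestMatchers("/webauthn/**").permitAll()` in this hunk is exempt from the factor check, because `FactorAuthorizationManagerFactory.permitAll()` delegates to the default manager without consulting the factors, so as far as this chain is concerned the passkey registration and assertion endpoints are reachable without the X.509 factor having been satisfied; whether the WebAuthn filters themselves insist on an authenticated user is not shown here. That exemption is presumably what lets a certificate-only user enrol a first passkey, so state it: `// permitAll is required for first-passkey enrolment; the WebAuthn filters, not this rule, decide who may register`. The new `defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint("/webauthn"), "FACTOR_WEBAUTHN")` only covers a missing passkey factor; a missing `FACTOR_X509` falls through to whatever default applies, which deserves a one-line comment too.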
@@ -68,4 +70,9 @@ public UserDetailsService userDetailsService() { .build() ); } + + @Bean + FactorAuthorizationManagerFactory authorizationManagerFactory() { + return new FactorAuthorizationManagerFactory("FACTOR_X509", "FACTOR_WEBAUTHN"); + } } From 1faafd4c7ebaa18a24b131f4d27321a76a7b90c2 Mon Sep 17 00:00:00 2001 From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Tue, 9 Sep 2025 18:04:44 -0600 Subject: [PATCH 16/21] Update oauth2 to the Latest --- .../gradle/wrapper/gradle-wrapper.properties | 2 +- .../org/example/magiclink/SecurityConfig.java | 48 +++++++++++++------ 2 files changed, 34 insertions(+), 16 deletions(-) diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/gradle/wrapper/gradle-wrapper.properties b/servlet/spring-boot/java/authentication/mfa/oauth2/gradle/wrapper/gradle-wrapper.properties index a4413138c..d4081da47 100644 --- a/servlet/spring-boot/java/authentication/mfa/oauth2/gradle/wrapper/gradle-wrapper.properties +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-8.8-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java index 5179040f0..986b94e05 100644 --- a/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java 
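Review bot: The new bean lists `"FACTOR_X509", "FACTOR_WEBAUTHN"` in an order that reads as a sequence, but `HasAll` in this same patch only tests presence (`needed.removeIf(authorities::contains)`), so the order carries no meaning at runtime. A comment prevents readers from inferring one: `// both factors are required; the order listed here is not enforced`. The bean is package-private and presumably picked up by type; naming that dependency in the same comment would help anyone who later adds a second factory bean.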
@@ -17,6 +17,7 @@ package org.example.magiclink; import java.io.IOException; +import java.nio.file.AccessDeniedException; import java.util.HashSet; import java.util.Set; @@ -26,13 +27,13 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.authorization.AuthorizationRequest; +import org.springframework.security.authorization.AuthorityAuthorizationDecision; +import org.springframework.security.authorization.AuthorizationDeniedException; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.oauth2.client.CommonOAuth2Provider; +import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.authority.AuthorityUtils; -import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken; -import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken; import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository; 
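Review bot: The added `import java.nio.file.AccessDeniedException;` is the NIO filesystem exception, not Spring Security's `org.springframework.security.access.AccessDeniedException`, which is the type `AuthorizationDeniedException` (imported in the next hunk) extends; nothing in the visible part of this file references it, so it is either dead or, if a `catch` further down relies on it, will never match a Spring Security denial. Drop the import, or replace it with `import org.springframework.security.access.AccessDeniedException;` if the type is actually needed.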
@@ -41,25 +42,27 @@ import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository; import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; -import org.springframework.security.web.AuthorizationEntryPoint; +import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.SecurityFilterChain; +import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint; +import org.springframework.security.web.util.ThrowableAnalyzer; import org.springframework.stereotype.Component; -import static org.springframework.security.oauth2.core.authorization.OAuth2AuthorizationManagers.hasScope; - @Configuration(proxyBeanMethods = false) class SecurityConfig { @Bean - public SecurityFilterChain securityFilterChain(HttpSecurity http, OAuth2ScopeAuthorizationEntryPoint oauth2) throws Exception { + public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthenticationEntryPoint oauth2) throws Exception { // @formatter:off http .authorizeHttpRequests((authz) -> authz - .requestMatchers("/profile").access(hasScope("https://www.googleapis.com/auth/gmail.readonly")) + .requestMatchers("/profile").hasAuthority("SCOPE_https://www.googleapis.com/auth/gmail.readonly") .anyRequest().authenticated() ) .oauth2Login(Customizer.withDefaults()) - .exceptionHandling((exceptions) -> exceptions.authorizationEntryPoint((a) -> a.add(oauth2))); + .exceptionHandling((exceptions) -> exceptions + .defaultAuthenticationEntryPointFor(oauth2, "SCOPE_https://www.googleapis.com/auth/gmail.readonly") + ); // @formatter:on return http.build(); } 
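Review bot: The scope string `"SCOPE_https://www.googleapis.com/auth/gmail.readonly"` now appears twice in `securityFilterChain`, once in `hasAuthority` and once in `defaultAuthenticationEntryPointFor`, and the consent redirect presumably fires only when the denied authority matches the entry point's key exactly; a typo in either copy would leave `/profile` returning a bare denial with nothing to say why. Hoist it: `private static final String GMAIL_READONLY = "SCOPE_https://www.googleapis.com/auth/gmail.readonly";` and use `.hasAuthority(GMAIL_READONLY)` and `.defaultAuthenticationEntryPointFor(oauth2, GMAIL_READONLY)`. The method now injects a plain `AuthenticationEntryPoint`; if any other bean of that type is ever registered the injection becomes ambiguous, so `OAuth2ScopeAuthenticationEntryPoint oauth2` would be the safer parameter type.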
@@ -75,23 +78,38 @@ ClientRegistrationRepository clients() {
 }
 @Component
- static class OAuth2ScopeAuthorizationEntryPoint implements AuthorizationEntryPoint {
+ static class OAuth2ScopeAuthenticationEntryPoint implements AuthenticationEntryPoint {
 private final ClientRegistration google;
 private final OAuth2AuthorizationRequestResolver authorizationRequestResolver;
+ private final ThrowableAnalyzer throwableAnalyzer = new ThrowableAnalyzer();
+
 private final AuthorizationRequestRepository authorizationRequestRepository = new HttpSessionOAuth2AuthorizationRequestRepository();
- public OAuth2ScopeAuthorizationEntryPoint(ClientRegistrationRepository clients) {
+ private final AuthenticationEntryPoint entryPoint = new Http403ForbiddenEntryPoint();
+
+ OAuth2ScopeAuthenticationEntryPoint(ClientRegistrationRepository clients) {
 this.google = clients.findByRegistrationId("google");
 this.authorizationRequestResolver = new DefaultOAuth2AuthorizationRequestResolver(clients);
 }
 @Override
- public boolean commence(HttpServletRequest request, HttpServletResponse response, AuthorizationRequest authorizationRequest) throws IOException, ServletException {
- Set needed = AuthorityUtils.authorityListToSet(authorizationRequest.getAuthorities());
+ public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException ex) throws IOException, ServletException {
+ Throwable[] chain = this.throwableAnalyzer.determineCauseChain(ex);
+ AuthorizationDeniedException denied = (AuthorizationDeniedException) this.throwableAnalyzer
+ .getFirstThrowableOfType(AuthorizationDeniedException.class, chain);
+ if (denied == null) {
+ this.entryPoint.commence(request, response, ex);
+ return;
+ }
+ if (!(denied.getAuthorizationResult() instanceof AuthorityAuthorizationDecision decision)) {
+ this.entryPoint.commence(request, response, ex);
+ return;
+ }
+ Set needed = AuthorityUtils.authorityListToSet(decision.getAuthorities());
 Set scopes = new HashSet<>();
 for (String 
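Review bot: The constructor stores `clients.findByRegistrationId("google")` without checking the result, and `commence` later dereferences it via `this.google.getRegistrationId()`, so a missing `google` registration only surfaces as a NullPointerException on the first scope-denied request instead of failing at startup. Add `Assert.notNull(this.google, "a client registration named 'google' is required");` (Spring's `org.springframework.util.Assert`) right after the lookup so the misconfiguration is reported when the bean is created. The `commence` body continues into the next hunk.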
scope : needed) {
 if (scope.startsWith("SCOPE_")) {
@@ -99,13 +117,13 @@ public boolean commence(HttpServletRequest request, HttpServletResponse response
 }
 }
 if (scopes.isEmpty()) {
- return false;
+ this.entryPoint.commence(request, response, ex);
+ return;
 }
 OAuth2AuthorizationRequest oauth2 = this.authorizationRequestResolver.resolve(request, this.google.getRegistrationId());
 oauth2 = OAuth2AuthorizationRequest.from(oauth2).scopes(scopes).build();
 this.authorizationRequestRepository.saveAuthorizationRequest(oauth2, request, response);
 response.sendRedirect(oauth2.getAuthorizationRequestUri());
- return true;
 }
 }
 }
From 3712b83aa3d55bd13137da615d8e6f58cd5e1c49 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Tue, 16 Sep 2025 14:47:29 -0600
Subject: [PATCH 17/21] Update Samples to Latest
---
 .../example/magiclink/CustomPagesSecurityConfig.java | 12 +++++++++---
 .../org/example/magiclink/DefaultSecurityConfig.java | 3 ++-
 .../ElevatedSecurityPageSecurityConfig.java | 12 +++++++++---
 ...agicLinkOneTimeTokenGenerationSuccessHandler.java | 7 ++++++-
 .../src/main/resources/templates/login.html | 2 +-
 .../src/main/resources/templates/ott.html | 10 +++++-----
 .../java/org/example/magiclink/SecurityConfig.java | 5 ++++-
 .../src/main/java/example/SecurityConfig.java | 5 ++++-
 8 files changed, 40 insertions(+), 16 deletions(-)
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java
index 344a43f38..bcaa05c0e 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java
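Review bot: With this hunk `commence` now reaches the 403 fallback from three identical `this.entryPoint.commence(request, response, ex); return;` blocks (the other two are in the previous hunk), which makes it easy for a later edit to change one branch and not the others. Moving the cause-chain inspection into a helper that returns the missing authorities, or an empty set when there is no `AuthorityAuthorizationDecision` to inspect, leaves a single fallback and a single redirect path; the rewritten method and helper are sketched below. The scope-filtering loop body between the two hunks is not visible here and is left as is.
```java
	@Override
	public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException ex) throws IOException, ServletException {
		Set<String> scopes = new HashSet<>();
		for (String scope : neededAuthorities(ex)) {
			// … unchanged: SCOPE_ filtering that fills scopes …
		}
		if (scopes.isEmpty()) {
			this.entryPoint.commence(request, response, ex);
			return;
		}
		// … unchanged: authorization request resolution, save and redirect …
	}

	// Authorities an AuthorityAuthorizationDecision reported as missing, or an empty set when the
	// cause chain carries no such decision; an empty result is what sends the caller to the 403 entry point.
	private Set<String> neededAuthorities(AuthenticationException ex) {
		Throwable[] chain = this.throwableAnalyzer.determineCauseChain(ex);
		AuthorizationDeniedException denied = (AuthorizationDeniedException) this.throwableAnalyzer
				.getFirstThrowableOfType(AuthorizationDeniedException.class, chain);
		if (denied == null || !(denied.getAuthorizationResult() instanceof AuthorityAuthorizationDecision decision)) {
			return Set.of();
		}
		return AuthorityUtils.authorityListToSet(decision.getAuthorities());
	}
```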
@@ -1,9 +1,12 @@
 package org.example.magiclink;
+import jakarta.servlet.http.HttpServletRequest;
+
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -20,8 +23,11 @@ public String login() {
 return "login";
 }
- @GetMapping("/login/ott")
- public String ott() {
+ @GetMapping("/commence/ott")
+ public String ott(HttpServletRequest request, Authentication authentication) {
+ if (authentication != null) {
+ request.setAttribute("username", authentication.getName());
+ }
 return "ott";
 }
 }
@@ -32,7 +38,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 http
 .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
 .formLogin((form) -> form.loginPage("/login/form").permitAll())
- .oneTimeTokenLogin((ott) -> ott.loginPage("/login/ott").permitAll());
+ .oneTimeTokenLogin((ott) -> ott.loginPage("/commence/ott").permitAll());
 // @formatter:on
 return http.build();
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java
index 520171dc0..917c72cc1 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java
@@ -19,6 +19,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
+import org.springframework.security.authorization.AuthorizationManagerFactory;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
@@ -39,7 +40,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 }
 @Bean
- FactorAuthorizationManagerFactory authz() {
+ AuthorizationManagerFactory authz() {
 return new FactorAuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java
index e64dd30e1..59debe033 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java
@@ -1,9 +1,12 @@
 package org.example.magiclink;
+import jakarta.servlet.http.HttpServletRequest;
+
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -20,8 +23,11 @@ public String login() {
 return "login";
 }
- @GetMapping("/login/ott")
- public String ott() {
+ @GetMapping("/commence/ott")
+ public String ott(HttpServletRequest request, Authentication authentication) {
+ if (authentication != null) {
+ request.setAttribute("username", authentication.getName());
+ }
 return "ott";
 }
 }
@@ -32,7 +38,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 http
 .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
 .formLogin((form) -> form.loginPage("/login/form").permitAll())
- .oneTimeTokenLogin((ott) -> ott.loginPage("/login/ott").permitAll());
+ .oneTimeTokenLogin((ott) -> ott.loginPage("/commence/ott").permitAll());
 // @formatter:on
 return http.build();
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java
index 1334ab0ae..a8ec5bc93 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkOneTimeTokenGenerationSuccessHandler.java
@@ -35,7 +35,12 @@ public class MagicLinkOneTimeTokenGenerationSuccessHandler implements OneTimeTok
 @Override
 public void handle(HttpServletRequest request, HttpServletResponse response, OneTimeToken oneTimeToken) throws IOException {
- this.logger.info("Use this one-time token: " + oneTimeToken.getTokenValue());
+ this.logger.info(String.format("""
+ ********************************************************
+
+ Use this one-time token: %s
+
+ ********************************************************""", oneTimeToken.getTokenValue()));
 response.sendRedirect("/login/ott");
 }
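Review bot: `response.sendRedirect("/login/ott")` on the context line still targets `/login/ott` while the earlier hunks of this commit move the custom one-time-token page to `/commence/ott` in both profile configs. If `/login/ott` is deliberately the token-submission page rather than the page that was renamed, a comment such as `// the token is submitted on the default /login/ott page; /commence/ott only requests one` would stop this from reading as a missed rename; otherwise the redirect should follow the rename. The same method also logs the token value at INFO, which the README in a later commit presents as the sample's delivery channel, so a one-line comment saying that the log stands in for e-mail delivery would make that intent explicit to anyone adapting the handler.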
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html index 7ce9bfe3e..271c74ed0 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html @@ -15,7 +15,7 @@

Please sign in

- +

diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/ott.html b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/ott.html index cde487a52..64932f088 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/ott.html +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/ott.html @@ -10,15 +10,15 @@

-
diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java
index 986b94e05..451ce4fb7 100644
--- a/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java
@@ -61,7 +61,10 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http, Authentication
 )
 .oauth2Login(Customizer.withDefaults())
 .exceptionHandling((exceptions) -> exceptions
- .defaultAuthenticationEntryPointFor(oauth2, "SCOPE_https://www.googleapis.com/auth/gmail.readonly")
+ .missingAuthoritiesHandler((handler) -> handler
+ .authorities("SCOPE_https://www.googleapis.com/auth/gmail.readonly")
+ .commence(oauth2)
+ )
 );
 // @formatter:on
 return http.build();
diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java
index 786153ae1..ce0a07462 100644
--- a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java
@@ -54,7 +54,10 @@ SecurityFilterChain web(HttpSecurity http) throws Exception {
 .allowedOrigins("https://api.127.0.0.1.nip.io:8443")
 )
 .exceptionHandling((exceptions) -> exceptions
- .defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint("/webauthn"), "FACTOR_WEBAUTHN")
+ .missingAuthoritiesHandler((handler) -> handler
+ .authorities("FACTOR_WEBAUTHN")
+ .commence(new LoginUrlAuthenticationEntryPoint("/webauthn"))
+ )
 );
 // @formatter:on
 return http.build();
From bc448fda4348bbf6983c8a7a48e24845d469bc21 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Thu, 18 Sep 2025 09:53:59 -0600 Subject: [PATCH 18/21] Updates to formLogin+ott --- .../org/example/magiclink/DefaultSecurityConfig.java | 3 +-- .../formLogin+ott/src/main/resources/application.yml | 12 ------------ 2 files changed, 1 insertion(+), 14 deletions(-) diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java index 917c72cc1..520171dc0 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java @@ -19,7 +19,6 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Profile; -import org.springframework.security.authorization.AuthorizationManagerFactory; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; @@ -40,7 +39,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti } @Bean - AuthorizationManagerFactory authz() { + FactorAuthorizationManagerFactory authz() { return new FactorAuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT"); } diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml index cd1f80e4c..e5c98a44b 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml 
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml @@ -1,13 +1 @@ -spring: - application: - name: magiclink - mail: - port: 1025 - host: localhost - docker: - compose: - readiness: - wait: never # for some reason it does not detect whether maildev is ready - file: ./compose.yml - logging.level.org.springframework.security: TRACE From 7593a533cce095ad2193df769a2c191b61cb1500 Mon Sep 17 00:00:00 2001 From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Thu, 18 Sep 2025 12:35:26 -0600 Subject: [PATCH 19/21] Remove TRACE Logging --- .../mfa/formLogin+ott/src/main/resources/application.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml index e5c98a44b..e69de29bb 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml @@ -1 +0,0 @@ -logging.level.org.springframework.security: TRACE From c2d2cc89a84f5407ff52d326c0e8b45164ccf80a Mon Sep 17 00:00:00 2001 From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Thu, 18 Sep 2025 15:20:02 -0600 Subject: [PATCH 20/21] Update to Latest --- .../FactorAuthorizationManagerFactory.java | 34 ++----------------- .../org/example/magiclink/SecurityConfig.java | 5 +-- .../FactorAuthorizationManagerFactory.java | 34 ++----------------- .../FactorAuthorizationManagerFactory.java | 34 ++----------------- .../src/main/java/example/SecurityConfig.java | 5 +-- 5 files changed, 8 insertions(+), 104 deletions(-) 
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/FactorAuthorizationManagerFactory.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/FactorAuthorizationManagerFactory.java index 4c1648f84..17007f801 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/FactorAuthorizationManagerFactory.java +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/FactorAuthorizationManagerFactory.java @@ -16,24 +16,14 @@ package org.example.magiclink; -import java.util.ArrayList; -import java.util.Collection; -import java.util.List; -import java.util.function.Supplier; - import org.jspecify.annotations.NullMarked; -import org.jspecify.annotations.Nullable; -import org.springframework.security.authorization.AuthorityAuthorizationDecision; +import org.springframework.security.authorization.AllAuthoritiesAuthorizationManager; import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.AuthorizationManagerFactory; import org.springframework.security.authorization.AuthorizationManagers; -import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.authorization.DefaultAuthorizationManagerFactory; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.GrantedAuthority; -import org.springframework.security.core.authority.AuthorityUtils; @NullMarked public final class FactorAuthorizationManagerFactory implements AuthorizationManagerFactory { 
@@ -45,7 +35,7 @@ public final class FactorAuthorizationManagerFactory implements AuthorizationMan private final AuthorizationManagerFactory defaults = new DefaultAuthorizationManagerFactory<>(); public FactorAuthorizationManagerFactory(String... authorities) { - this.factors = new HasAll(authorities); + this.factors = AllAuthoritiesAuthorizationManager.hasAllAuthorities(authorities); } @Override @@ -98,24 +88,4 @@ public AuthorizationManager anonymous() { return this.defaults.anonymous(); } - private static final class HasAll implements AuthorizationManager { - private final Collection authorities; - - private HasAll(String... authorities) { - this.authorities = List.of(authorities); - } - - @Override - public AuthorizationResult authorize(Supplier supplier, @Nullable Object object) { - Authentication authentication = supplier.get(); - List authorities = List.of(); - if (authentication != null) { - authorities = authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList(); - } - List needed = new ArrayList<>(this.authorities); - needed.removeIf(authorities::contains); - return new AuthorityAuthorizationDecision(needed.isEmpty(), AuthorityUtils.createAuthorityList(needed)); - } - } - } diff --git a/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java index 451ce4fb7..986b94e05 100644 --- a/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java +++ b/servlet/spring-boot/java/authentication/mfa/oauth2/src/main/java/org/example/magiclink/SecurityConfig.java 
@@ -61,10 +61,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http, Authentication ) .oauth2Login(Customizer.withDefaults()) .exceptionHandling((exceptions) -> exceptions - .missingAuthoritiesHandler((handler) -> handler - .authorities("SCOPE_https://www.googleapis.com/auth/gmail.readonly") - .commence(oauth2) - ) + .defaultAuthenticationEntryPointFor(oauth2, "SCOPE_https://www.googleapis.com/auth/gmail.readonly") ); // @formatter:on return http.build(); diff --git a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/FactorAuthorizationManagerFactory.java b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/FactorAuthorizationManagerFactory.java index 7e9f19185..b869d0e77 100644 --- a/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/FactorAuthorizationManagerFactory.java +++ b/servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/main/java/example/FactorAuthorizationManagerFactory.java 
@@ -16,24 +16,14 @@ package example; -import java.util.ArrayList; -import java.util.Collection; -import java.util.List; -import java.util.function.Supplier; - import org.jspecify.annotations.NullMarked; -import org.jspecify.annotations.Nullable; -import org.springframework.security.authorization.AuthorityAuthorizationDecision; +import org.springframework.security.authorization.AllAuthoritiesAuthorizationManager; import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.AuthorizationManagerFactory; import org.springframework.security.authorization.AuthorizationManagers; -import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.authorization.DefaultAuthorizationManagerFactory; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.GrantedAuthority; -import org.springframework.security.core.authority.AuthorityUtils; @NullMarked public final class FactorAuthorizationManagerFactory implements AuthorizationManagerFactory { @@ -45,7 +35,7 @@ public final class FactorAuthorizationManagerFactory implements AuthorizationMan private final AuthorizationManagerFactory defaults = new DefaultAuthorizationManagerFactory<>(); public FactorAuthorizationManagerFactory(String... authorities) { - this.factors = new HasAll(authorities); + this.factors = AllAuthoritiesAuthorizationManager.hasAllAuthorities(authorities); } @Override 
@@ -98,24 +88,4 @@ public AuthorizationManager anonymous() { return this.defaults.anonymous(); } - private static final class HasAll implements AuthorizationManager { - private final Collection authorities; - - private HasAll(String... authorities) { - this.authorities = List.of(authorities); - } - - @Override - public AuthorizationResult authorize(Supplier supplier, @Nullable Object object) { - Authentication authentication = supplier.get(); - List authorities = List.of(); - if (authentication != null) { - authorities = authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList(); - } - List needed = new ArrayList<>(this.authorities); - needed.removeIf(authorities::contains); - return new AuthorityAuthorizationDecision(needed.isEmpty(), AuthorityUtils.createAuthorityList(needed)); - } - } - } diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/FactorAuthorizationManagerFactory.java b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/FactorAuthorizationManagerFactory.java index 7e9f19185..b869d0e77 100644 --- a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/FactorAuthorizationManagerFactory.java +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/FactorAuthorizationManagerFactory.java 
@@ -16,24 +16,14 @@ package example; -import java.util.ArrayList; -import java.util.Collection; -import java.util.List; -import java.util.function.Supplier; - import org.jspecify.annotations.NullMarked; -import org.jspecify.annotations.Nullable; -import org.springframework.security.authorization.AuthorityAuthorizationDecision; +import org.springframework.security.authorization.AllAuthoritiesAuthorizationManager; import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.AuthorizationManagerFactory; import org.springframework.security.authorization.AuthorizationManagers; -import org.springframework.security.authorization.AuthorizationResult; import org.springframework.security.authorization.DefaultAuthorizationManagerFactory; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.GrantedAuthority; -import org.springframework.security.core.authority.AuthorityUtils; @NullMarked public final class FactorAuthorizationManagerFactory implements AuthorizationManagerFactory { @@ -45,7 +35,7 @@ public final class FactorAuthorizationManagerFactory implements AuthorizationMan private final AuthorizationManagerFactory defaults = new DefaultAuthorizationManagerFactory<>(); public FactorAuthorizationManagerFactory(String... authorities) { - this.factors = new HasAll(authorities); + this.factors = AllAuthoritiesAuthorizationManager.hasAllAuthorities(authorities); } @Override 
@@ -98,24 +88,4 @@ public AuthorizationManager anonymous() { return this.defaults.anonymous(); } - private static final class HasAll implements AuthorizationManager { - private final Collection authorities; - - private HasAll(String... authorities) { - this.authorities = List.of(authorities); - } - - @Override - public AuthorizationResult authorize(Supplier supplier, @Nullable Object object) { - Authentication authentication = supplier.get(); - List authorities = List.of(); - if (authentication != null) { - authorities = authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList(); - } - List needed = new ArrayList<>(this.authorities); - needed.removeIf(authorities::contains); - return new AuthorityAuthorizationDecision(needed.isEmpty(), AuthorityUtils.createAuthorityList(needed)); - } - } - } diff --git a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java index ce0a07462..786153ae1 100644 --- a/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java +++ b/servlet/spring-boot/java/authentication/mfa/x509+webauthn/src/main/java/example/SecurityConfig.java @@ -54,10 +54,7 @@ SecurityFilterChain web(HttpSecurity http) throws Exception { .allowedOrigins("https://api.127.0.0.1.nip.io:8443") ) .exceptionHandling((exceptions) -> exceptions - .missingAuthoritiesHandler((handler) -> handler - .authorities("FACTOR_WEBAUTHN") - .commence(new LoginUrlAuthenticationEntryPoint("/webauthn")) - ) + .defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint("/webauthn"), "FACTOR_WEBAUTHN") ); // @formatter:on return http.build(); From 8fad0a61a7eacd0d52a212a2a505e71426407ee0 Mon Sep 17 00:00:00 2001 
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Wed, 24 Sep 2025 15:52:35 -0600 Subject: [PATCH 21/21] Update FormLogin+OTT to the Latest --- .../mfa/formLogin+ott/README.adoc | 61 +++++++++++++ .../mfa/formLogin+ott/README.md | 3 - .../mfa/formLogin+ott/build.gradle | 1 - .../magiclink/CustomPagesSecurityConfig.java | 34 +++---- .../magiclink/DefaultSecurityConfig.java | 7 +- .../ElevatedSecurityPageSecurityConfig.java | 29 +++--- .../FactorAuthorizationManagerFactory.java | 91 ------------------- .../magiclink/MagicLinkApplication.java | 2 - .../src/main/resources/application.yml | 1 + .../src/main/resources/templates/index.html | 1 + .../src/main/resources/templates/ott.html | 2 +- .../templates/{login.html => password.html} | 2 +- 12 files changed, 96 insertions(+), 138 deletions(-) create mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.adoc delete mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.md delete mode 100644 servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/FactorAuthorizationManagerFactory.java rename servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/{login.html => password.html} (92%) diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.adoc b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.adoc new file mode 100644 index 000000000..32f5a18a5 --- /dev/null +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.adoc 
@@ -0,0 +1,61 @@ += Form Login + One-Time-Token Login MFA Sample + +This sample demonstrates Spring Security's support for multifactor authentication, specifically when using username/password and one-time-token as the two factors. + +[[usage]] +== Usage + +To use the application, please run: + +[source,bash] +---- +./gradlew :bootRun +---- + +You can then navigate to http://localhost:8080 where you will be presented with the default page, showing both the login and ott forms. + +You can start with either; once authenticated, you'll be asked to give the other as well. + +=== Username/Password Login + +The username/password is `user/password`. + +=== One-Time-Token Login + +The username is `user`. + +After clicking the submission button, you will be redirected to a page where you can enter the code given. +You can find the code in the logs like so: + +[source,bash] +---- +******************************************************** + +Use this one-time token: 1319c31d-c5e0-4123-9b1f-3ffc34aba673 + +******************************************************** +---- + +== Configuring + +There are three profiles in this sample; `default`, `custom-pages`, and `elevated-security`. + +`default` is the arrangement described in <>. + +`custom-pages` shows the same, but with a custom page for login and a custom page for one-time-token. + +This can be launched with: + +[source,bash] +---- +./gradlew :bootRun --args='spring.profiles.active=custom-pages' +---- + +`elevated-security` allows login with either, and will ask for one-time-token login for only the `/profile` page. + +This can be launched with: + +[source,bash] +---- +./gradlew :bootRun --args='spring.profiles.active=elevated-security' +---- \ No newline at end of file diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.md b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.md deleted file mode 100644 index fdf74d537..000000000 
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/README.md +++ /dev/null @@ -1,3 +0,0 @@ -This application uses Spring Boot Docker Compose to start a [Maildev](https://github.com/maildev/maildev) container. - -After requesting a token on `http://localhost:8080/login`, access `http://localhost:1080` to verify the email containing the magic link. diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle index 92fbcdd83..2b4d726cb 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/build.gradle @@ -11,7 +11,6 @@ java { } repositories { - mavenLocal() mavenCentral() maven { url "https://repo.spring.io/milestone" } maven { url "https://repo.spring.io/snapshot" } diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java index bcaa05c0e..7084168a1 100644 --- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java +++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/CustomPagesSecurityConfig.java 
@@ -1,15 +1,15 @@
 package org.example.magiclink;
-import jakarta.servlet.http.HttpServletRequest;
-
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
+import org.springframework.security.authorization.AuthorizationManagerFactory;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.core.Authentication;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
 @Profile("custom-pages")
 @Configuration(proxyBeanMethods = false)
@@ -18,17 +18,9 @@ public class CustomPagesSecurityConfig {
 @Controller
 @Profile("custom-pages")
 static class LoginController {
- @GetMapping("/login/form")
- public String login() {
- return "login";
- }
-
- @GetMapping("/commence/ott")
- public String ott(HttpServletRequest request, Authentication authentication) {
- if (authentication != null) {
- request.setAttribute("username", authentication.getName());
- }
- return "ott";
+ @GetMapping("/auth/{path}")
+ public String auth(@PathVariable("path") String path) {
+ return path;
 }
 }
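Review bot: `auth(@PathVariable("path") String path)` hands the caller-supplied path segment straight to the view resolver as the view name, so the mapping accepts any value under the anonymously reachable `/auth/` prefix, not only the two templates this profile ships (`password` and `ott`). A user-controlled view name is a well-known injection surface in Spring MVC view resolution, and a fixed mapping removes the question: `@GetMapping("/auth/{path:password|ott}")` constrains the variable to those two names so any other value never reaches this handler. ElevatedSecurityPageSecurityConfig introduces the same controller and should get the same constraint.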
@@ -36,15 +28,19 @@ public String ott(HttpServletRequest request, Authentication authentication) {
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 // @formatter:off
 http
- .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
- .formLogin((form) -> form.loginPage("/login/form").permitAll())
- .oneTimeTokenLogin((ott) -> ott.loginPage("/commence/ott").permitAll());
+ .authorizeHttpRequests((authorize) -> authorize
+ .requestMatchers("/auth/**").permitAll()
+ .anyRequest().authenticated()
+ )
+ .formLogin((form) -> form.loginPage("/auth/password"))
+ .oneTimeTokenLogin((ott) -> ott.loginPage("/auth/ott"));
 // @formatter:on
 return http.build();
 }
 @Bean
- FactorAuthorizationManagerFactory authz() {
- return new FactorAuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
+ AuthorizationManagerFactory factors() {
+ return DefaultAuthorizationManagerFactory.builder()
+ .requireAdditionalAuthorities("FACTOR_PASSWORD", "FACTOR_OTT").build();
 }
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java
index 520171dc0..83d1f51d3 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/DefaultSecurityConfig.java
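Review bot: `.requestMatchers("/auth/**").permitAll()` opens the whole `/auth/` prefix to unauthenticated callers when this chain only needs the two login pages configured right below it; `.requestMatchers("/auth/password", "/auth/ott").permitAll()` states the intent exactly and keeps the anonymous surface tied to the pages `LoginController` serves. The `.permitAll()` dropped from the `formLogin`/`oneTimeTokenLogin` customizers presumably also covered the default failure URL, which would be `/auth/password?error` and still matches the narrower pattern — worth confirming against the test class, which is not in this chunk. ElevatedSecurityPageSecurityConfig uses the same matcher. `"FACTOR_PASSWORD"`/`"FACTOR_OTT"` are now repeated here and in DefaultSecurityConfig's `factors()` bean; a shared constant would keep the two profiles from drifting.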
@@ -19,6 +19,8 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
+import org.springframework.security.authorization.AuthorizationManagerFactory;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
@@ -39,8 +41,9 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 }
 @Bean
- FactorAuthorizationManagerFactory authz() {
- return new FactorAuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
+ AuthorizationManagerFactory factors() {
+ return DefaultAuthorizationManagerFactory.builder()
+ .requireAdditionalAuthorities("FACTOR_PASSWORD", "FACTOR_OTT").build();
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java
index 59debe033..2357d8b55 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/ElevatedSecurityPageSecurityConfig.java
@@ -10,6 +10,7 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
 @Profile("elevated-security")
 @Configuration(proxyBeanMethods = false)
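Review bot: The `@@ -10,6 +10,7 @@` hunk of ElevatedSecurityPageSecurityConfig only adds `PathVariable`, while the next hunk deletes `ott(HttpServletRequest, Authentication)`, the one method that used `HttpServletRequest` and `Authentication`. In the sibling CustomPagesSecurityConfig those two imports sit at lines 3 and 9, just above where this hunk starts, and that file's patch removes them; if this file is laid out the same way, the two imports are now unused and should be dropped in the same hunk. The hunk begins after those lines, so this cannot be confirmed from the diff alone.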
@@ -18,17 +19,9 @@ public class ElevatedSecurityPageSecurityConfig {
 @Controller
 @Profile("elevated-security")
 static class LoginController {
- @GetMapping("/login/form")
- public String login() {
- return "login";
- }
-
- @GetMapping("/commence/ott")
- public String ott(HttpServletRequest request, Authentication authentication) {
- if (authentication != null) {
- request.setAttribute("username", authentication.getName());
- }
- return "ott";
+ @GetMapping("/auth/{path}")
+ public String auth(@PathVariable("path") String path) {
+ return path;
 }
 }
@@ -36,16 +29,16 @@ public String ott(HttpServletRequest request, Authentication authentication) {
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 // @formatter:off
 http
- .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
- .formLogin((form) -> form.loginPage("/login/form").permitAll())
- .oneTimeTokenLogin((ott) -> ott.loginPage("/commence/ott").permitAll());
+ .authorizeHttpRequests((authorize) -> authorize
+ .requestMatchers("/auth/**").permitAll()
+ .requestMatchers("/profile").hasAuthority("FACTOR_OTT")
+ .anyRequest().authenticated()
+ )
+ .formLogin((form) -> form.loginPage("/auth/password"))
+ .oneTimeTokenLogin((ott) -> ott.loginPage("/auth/ott"));
 // @formatter:on
 return http.build();
 }
- @Bean
- FactorAuthorizationManagerFactory authz() {
- return new FactorAuthorizationManagerFactory("FACTOR_PASSWORD", "FACTOR_OTT");
- }
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/FactorAuthorizationManagerFactory.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/FactorAuthorizationManagerFactory.java
deleted file mode 100644
index 17007f801..000000000
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/FactorAuthorizationManagerFactory.java
+++ /dev/null
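Review bot: `.requestMatchers("/profile").hasAuthority("FACTOR_OTT")` is what the README describes as asking for one-time-token login only on `/profile`, but whether a password-only session requesting `/profile` is redirected to `/auth/ott` or simply receives a 403 depends on how the denied authority is translated, which this hunk does not show; with the `factors()` bean dropped from this profile (`@@ -36,16 +29,16 @@`) the default factory is in play. A test that logs in with the password only, requests `/profile`, and asserts the redirect to `/auth/ott` would pin that behaviour; the test class is outside this chunk. A comment such as `// FACTOR_OTT is required only here; any single factor suffices for the rest of this profile` would document the intent in the chain itself.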
@@ -1,91 +0,0 @@
-/*
- * Copyright 2025 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.example.magiclink;
-
-import org.jspecify.annotations.NullMarked;
-
-import org.springframework.security.authorization.AllAuthoritiesAuthorizationManager;
-import org.springframework.security.authorization.AuthorizationDecision;
-import org.springframework.security.authorization.AuthorizationManager;
-import org.springframework.security.authorization.AuthorizationManagerFactory;
-import org.springframework.security.authorization.AuthorizationManagers;
-import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
-
-@NullMarked
-public final class FactorAuthorizationManagerFactory implements AuthorizationManagerFactory {
-
- private static final AuthorizationDecision allAbstain = new AuthorizationDecision(false);
-
- private final AuthorizationManager factors;
-
- private final AuthorizationManagerFactory defaults = new DefaultAuthorizationManagerFactory<>();
-
- public FactorAuthorizationManagerFactory(String...
authorities) {
- this.factors = AllAuthoritiesAuthorizationManager.hasAllAuthorities(authorities);
- }
-
- @Override
- public AuthorizationManager permitAll() {
- return this.defaults.permitAll();
- }
-
- @Override
- public AuthorizationManager denyAll() {
- return this.defaults.denyAll();
- }
-
- @Override
- public AuthorizationManager hasRole(String role) {
- return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasRole(role));
- }
-
- @Override
- public AuthorizationManager hasAnyRole(String... roles) {
- return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasAnyRole(roles));
- }
-
- @Override
- public AuthorizationManager hasAuthority(String authority) {
- return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasAuthority(authority));
- }
-
- @Override
- public AuthorizationManager hasAnyAuthority(String... authorities) {
- return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.hasAnyAuthority(authorities));
- }
-
- @Override
- public AuthorizationManager authenticated() {
- return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.authenticated());
- }
-
- @Override
- public AuthorizationManager fullyAuthenticated() {
- return AuthorizationManagers.allOf(allAbstain, this.factors, this.defaults.fullyAuthenticated());
- }
-
- @Override
- public AuthorizationManager rememberMe() {
- return this.defaults.rememberMe();
- }
-
- @Override
- public AuthorizationManager anonymous() {
- return this.defaults.anonymous();
- }
-
-}
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java
index 900cd1ff1..39642cb03 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/java/org/example/magiclink/MagicLinkApplication.java
@@ -38,8 +38,6 @@ public static void main(String[] args) {
 @Controller
 static class AppController {
 @GetMapping("/profile")
- @PreAuthorize("@authz.hasAuthority('profile:read')") // FIXME add hasAuthorityWithin once
- // GrantedAuthority is timestamped
 String profile() {
 return "profile";
 }
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml
index e69de29bb..e743c14e5 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/application.yml
@@ -0,0 +1 @@
+logging.level.org.springframework.security: TRACE
\ No newline at end of file
diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/index.html b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/index.html
index 8457ea1d1..2eea74138 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/index.html
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/index.html
@@ -16,5 +16,6 @@
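Review bot: `logging.level.org.springframework.security: TRACE` sits in the base `application.yml`, so every profile of this sample emits the framework's full per-request filter-chain tracing. That is handy while developing the sample but noisy, and at this level the logs may carry more request and principal detail than a committed default should; scoping it to a dedicated profile or starting at `DEBUG` would be the safer default.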

Hello Spring Security

This is a secured page

+

Visit the profile page

diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/ott.html b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/ott.html
index 64932f088..c75037eea 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/ott.html
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/ott.html
@@ -15,7 +15,7 @@

Please click below to send a one-time token

- +

diff --git a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/password.html
similarity index 92%
rename from servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html
rename to servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/password.html
index 271c74ed0..326c1b16e 100644
--- a/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/login.html
+++ b/servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/main/resources/templates/password.html
@@ -10,7 +10,7 @@
-