readme update

Author: KMilej

README.md

@@ -7,19 +7,19 @@ This project provides a server-side example of Approov token verification for a
  - `/token-binding` - requires a valid Approov token which is bound to a header value.
  - `/token-double-binding` - requires a valid Approov token which is bound to two header values.    
 
-In this example, Approov token check is implemented in `ApproovApplication.java`. The `ApproovTokenVerifier` filter is registered in Spring Security by the [SecurityConfig.securityFilterChain](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L188-L217). The responsibilities break down as follows:
+In this example, Approov token check is implemented in `ApproovApplication.java`. The `ApproovTokenVerifier` filter is registered in Spring Security by the [SecurityConfig.securityFilterChain](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L205-L224). The responsibilities break down as follows:
 
-1. **JWT Approov Token validation (signature + expiry)** is handled by [verifyApproovToken](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L291-L298) and [validateExpiration](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L340-L348). It verifies the HMAC (HS256) signature and rejects tokens that are missing or past `exp`.
+1. **JWT Approov Token validation (signature + expiry)** is handled by [verifyApproovToken](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L324-L331) and [validateExpiration](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L477-L484). It parses signed claims with the HMAC key and rejects tokens that are missing or past `exp`.
 
-2. **Token binding (pay + hash)** is implemented by [isBindingValid + hashBase64Url](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L316-L333). It computes `base64(sha256(binding_value))` and compares it to `pay`.
+2. **Token binding (pay + hash)** is implemented by [isBindingValid + hashBase64](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L451-L469). It computes `base64(sha256(binding_value))` using standard Base64 and compares it to `pay`.
 
-3. **Middleware enforcement** is done by [doFilterInternal](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L243-L289). Requests without valid token/binding are rejected with 401.
+3. **Middleware enforcement** is done by [doFilterInternal](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L252-L302). Requests without a valid token or binding are rejected with `401`.
 
-4. **Binding value selection (what gets hashed)** is in [extractBindingValue](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L304-L314). It uses `Authorization` for single binding, or `Authorization` + `SessionId` for double binding.
+4. **Binding value selection (what gets hashed)** is in [bindingHeadersForPath](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L333-L340) and [extractBindingValue](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L436-L449). It uses `Authorization` for single binding, or `Authorization` + `SessionId` for double binding, and concatenates header values in order.
 
-5. **Protected route requirements** are defined by [APPROOV_PROTECTED_PATHS](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L227-L229) and [needsBindingCheck](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L300-L302).
+5. **Protected route requirements** are defined by [APPROOV_PROTECTED_PATHS](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L235-L238) and enforced by [shouldNotFilter](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L245-L248). Binding checks are applied only when `bindingHeadersForPath` returns headers and token binding is enabled in [doFilterInternal](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L276-L286).
 
-6. **Protected routes are registered** in [ApproovController](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L147-L170).
+6. **Protected routes are registered** in [ApproovController](https://github.com/approov/quickstart-java-spring-token-check/blob/refactor/spring-quickstart/src/main/java/io/approov/ApproovApplication.java#L111-L178).
 
 ## Approov Token Verification Flow