From cc4add710d8615c6df6de41afc35de5f1ac71e3d Mon Sep 17 00:00:00 2001 
From: Dominik Frantisek Bucik Date: Thu, 27 Jan 2022 10:27:13 +0100 Subject: [PATCH 1/4] =?UTF-8?q?refactor:=20=F0=9F=92=A1=20Refactor=20sessi?= =?UTF-8?q?on=20invalidating?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/main/resources/logback.xml | 2 +- .../webapp/WEB-INF/application-context.xml | 308 +-------- .../src/main/webapp/WEB-INF/authz-config.xml | 60 -- .../main/webapp/WEB-INF/endpoint-config.xml | 46 -- .../src/main/webapp/WEB-INF/local-config.xml | 36 - .../src/main/webapp/WEB-INF/task-config.xml | 25 - .../src/main/webapp/WEB-INF/user-context.xml | 289 -------- .../src/main/webapp/WEB-INF/views/approve.jsp | 2 +- .../webapp/WEB-INF/views/themedApprove.jsp | 2 +- .../src/main/webapp/WEB-INF/web-context.xml | 632 ++++++++++++++++++ .../ics/discovery/web/DiscoveryEndpoint.java | 14 +- .../ics/oauth2/token/DeviceTokenGranter.java | 2 +- .../ics/oauth2/web/{ => api}/ScopeAPI.java | 6 +- .../ics/oauth2/web/{ => api}/TokenAPI.java | 6 +- .../OAuthConfirmationController.java | 2 +- .../web/{ => endpoint}/DeviceEndpoint.java | 2 +- .../{ => endpoint}/IntrospectionEndpoint.java | 3 +- .../{ => endpoint}/RevocationEndpoint.java | 2 +- .../oauth2/web/{ => filter}/CorsFilter.java | 2 +- .../saml/SamlInvalidateSessionFilter.java | 28 +- .../ics/oidc/server/filters/FiltersUtils.java | 2 +- .../server/filters/PerunFilterConstants.java | 2 +- .../Ga4ghPassportAndVisaClaimSource.java | 2 +- .../oidc/web/controllers/ControllerUtils.java | 5 +- .../filter/AuthorizationRequestFilter.java | 2 +- .../web/{ => api}/ApprovedSiteAPI.java | 5 +- .../connect/web/{ => api}/BlacklistAPI.java | 5 +- .../connect/web/{ => api}/ClientAPI.java | 5 +- .../connect/web/{ => api}/WhitelistAPI.java | 5 +- .../GuiController.java} | 4 +- .../web/endpoint/AuthorizationEndpoint.java | 23 + .../DynamicClientRegistrationEndpoint.java | 2 +- .../{ => endpoint}/EndSessionEndpoint.java | 2 +- .../JWKSetPublishingEndpoint.java | 2 +- 
...ProtectedResourceRegistrationEndpoint.java | 2 +- .../web/{ => endpoint}/UserInfoEndpoint.java | 3 +- .../ServerConfigInterceptor.java | 2 +- .../UserInfoInterceptor.java | 2 +- 38 files changed, 730 insertions(+), 814 deletions(-) delete mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/authz-config.xml delete mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml delete mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/local-config.xml delete mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/task-config.xml create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml rename perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/{ => api}/ScopeAPI.java (97%) rename perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/{ => api}/TokenAPI.java (98%) rename perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/{ => controller}/OAuthConfirmationController.java (99%) rename perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/{ => endpoint}/DeviceEndpoint.java (99%) rename perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/{ => endpoint}/IntrospectionEndpoint.java (98%) rename perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/{ => endpoint}/RevocationEndpoint.java (99%) rename perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/{ => filter}/CorsFilter.java (98%) rename perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/{ => api}/ApprovedSiteAPI.java (96%) rename perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/{ => api}/BlacklistAPI.java (97%) rename perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/{ => api}/ClientAPI.java (99%) rename perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/{ => api}/WhitelistAPI.java (97%) rename perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/{RootController.java => controller/GuiController.java} (95%) create mode 100644 
perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java rename perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/{ => endpoint}/DynamicClientRegistrationEndpoint.java (99%) rename perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/{ => endpoint}/EndSessionEndpoint.java (99%) rename perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/{ => endpoint}/JWKSetPublishingEndpoint.java (97%) rename perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/{ => endpoint}/ProtectedResourceRegistrationEndpoint.java (99%) rename perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/{ => endpoint}/UserInfoEndpoint.java (98%) rename perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/{ => interceptor}/ServerConfigInterceptor.java (97%) rename perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/{ => interceptor}/UserInfoInterceptor.java (98%) diff --git a/perun-oidc-server-webapp/src/main/resources/logback.xml b/perun-oidc-server-webapp/src/main/resources/logback.xml index fa230a84a..37d6367df 100644 --- a/perun-oidc-server-webapp/src/main/resources/logback.xml +++ b/perun-oidc-server-webapp/src/main/resources/logback.xml @@ -55,7 +55,7 @@ - + diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/application-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/application-context.xml index d5ef99ee5..a6a41b25c 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/application-context.xml +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/application-context.xml @@ -17,104 +17,16 @@ limitations under the License. --> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + 
@@ -122,186 +34,6 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - /introspect - /revoke - /token - - - - - - - - - - - - - - - - - - - - - - - - - @@ -311,49 +43,15 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/authz-config.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/authz-config.xml deleted file mode 100644 index 4ca0109b9..000000000 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/authz-config.xml +++ /dev/null @@ -1,60 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml deleted file mode 100644 index 44390d5de..000000000 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml +++ /dev/null @@ -1,46 +0,0 @@ - - - - - - - - - - - - - - - - diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/local-config.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/local-config.xml deleted file mode 100644 index 3e5fef8e8..000000000 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/local-config.xml +++ /dev/null @@ -1,36 +0,0 @@ - - - - - - - - diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/task-config.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/task-config.xml deleted file mode 100644 index 4719b08e3..000000000 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/task-config.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml index 0ef67be68..e369125cc 100644 
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml @@ -474,295 +474,6 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp index 32e2a3dba..9c6a74347 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp @@ -37,7 +37,7 @@
+ action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/authorize" method="post">
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApprove.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApprove.jsp index 8aead87e5..1ba620d71 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApprove.jsp +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApprove.jsp @@ -30,7 +30,7 @@
+ pageContext.request.contextPath : pageContext.request.contextPath.concat('/')}auth/authorize">

${" "} diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml new file mode 100644 index 000000000..ea927b36c --- /dev/null +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml @@ -0,0 +1,632 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /introspect + /revoke + /token + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/discovery/web/DiscoveryEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/discovery/web/DiscoveryEndpoint.java index fd7bca2e7..8b3e417d1 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/discovery/web/DiscoveryEndpoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/discovery/web/DiscoveryEndpoint.java 
@@ -28,18 +28,18 @@ import cz.muni.ics.jwt.encryption.service.JWTEncryptionAndDecryptionService; import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService; import cz.muni.ics.oauth2.model.PKCEAlgorithm; import cz.muni.ics.oauth2.service.SystemScopeService; -import cz.muni.ics.oauth2.web.DeviceEndpoint; -import cz.muni.ics.oauth2.web.IntrospectionEndpoint; -import cz.muni.ics.oauth2.web.RevocationEndpoint; +import cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint; +import cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint; +import cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint; import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean; import cz.muni.ics.openid.connect.model.UserInfo; import cz.muni.ics.openid.connect.service.UserInfoService; import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.JsonEntityView; -import cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint; -import cz.muni.ics.openid.connect.web.EndSessionEndpoint; -import cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint; -import cz.muni.ics.openid.connect.web.UserInfoEndpoint; +import cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint; +import cz.muni.ics.openid.connect.web.endpoint.EndSessionEndpoint; +import cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint; +import cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint; import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/DeviceTokenGranter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/DeviceTokenGranter.java index c2175afe7..660c1371d 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/DeviceTokenGranter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/DeviceTokenGranter.java 
@@ -20,7 +20,7 @@ import cz.muni.ics.oauth2.exception.AuthorizationPendingException; import cz.muni.ics.oauth2.exception.DeviceCodeExpiredException; import cz.muni.ics.oauth2.model.DeviceCode; import cz.muni.ics.oauth2.service.DeviceCodeService; -import cz.muni.ics.oauth2.web.DeviceEndpoint; +import cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint; import java.util.Date; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/ScopeAPI.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/api/ScopeAPI.java similarity index 97% rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/ScopeAPI.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/api/ScopeAPI.java index 8feb60797..700469ade 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/ScopeAPI.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/api/ScopeAPI.java @@ -18,7 +18,7 @@ /** * */ -package cz.muni.ics.oauth2.web; +package cz.muni.ics.oauth2.web.api; import com.google.gson.Gson; import cz.muni.ics.oauth2.model.SystemScope; @@ -26,7 +26,7 @@ import cz.muni.ics.oauth2.service.SystemScopeService; import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonErrorView; -import cz.muni.ics.openid.connect.web.RootController; +import cz.muni.ics.openid.connect.web.controller.GuiController; import java.util.Set; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; @@ -50,7 +50,7 @@ import org.springframework.web.bind.annotation.RequestMethod; @Slf4j public class ScopeAPI { - public static final String URL = RootController.API_URL + "/scopes"; + public static final String URL = GuiController.API_URL + "/scopes"; @Autowired private SystemScopeService scopeService; 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/TokenAPI.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/api/TokenAPI.java similarity index 98% rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/TokenAPI.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/api/TokenAPI.java index 4bd657a6a..e9dae6a0a 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/TokenAPI.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/api/TokenAPI.java @@ -15,7 +15,7 @@ * See the License for the specific language governing permissions and * limitations under the License. *******************************************************************************/ -package cz.muni.ics.oauth2.web; +package cz.muni.ics.oauth2.web.api; import cz.muni.ics.oauth2.model.ClientDetailsEntity; import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity; @@ -27,7 +27,7 @@ import cz.muni.ics.openid.connect.service.OIDCTokenService; import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonErrorView; -import cz.muni.ics.openid.connect.web.RootController; +import cz.muni.ics.openid.connect.web.controller.GuiController; import java.security.Principal; import java.util.List; import java.util.Set; @@ -53,7 +53,7 @@ import org.springframework.web.bind.annotation.RequestMethod; @Slf4j public class TokenAPI { - public static final String URL = RootController.API_URL + "/tokens"; + public static final String URL = GuiController.API_URL + "/tokens"; @Autowired private OAuth2TokenEntityService tokenService; 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/OAuthConfirmationController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/controller/OAuthConfirmationController.java similarity index 99% rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/OAuthConfirmationController.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/controller/OAuthConfirmationController.java index 2ebfb4b63..68243c78b 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/OAuthConfirmationController.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/controller/OAuthConfirmationController.java @@ -18,7 +18,7 @@ /** * */ -package cz.muni.ics.oauth2.web; +package cz.muni.ics.oauth2.web.controller; import com.google.common.base.Joiner; import com.google.common.base.Splitter; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/DeviceEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java similarity index 99% rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/DeviceEndpoint.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java index 76655760b..019505f54 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/DeviceEndpoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java @@ -14,7 +14,7 @@ * limitations under the License. *******************************************************************************/ -package cz.muni.ics.oauth2.web; +package cz.muni.ics.oauth2.web.endpoint; import cz.muni.ics.oauth2.exception.DeviceCodeCreationException; import cz.muni.ics.oauth2.model.ClientDetailsEntity; 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/IntrospectionEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/IntrospectionEndpoint.java similarity index 98% rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/IntrospectionEndpoint.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/IntrospectionEndpoint.java index 45ec000ae..9de0221ad 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/IntrospectionEndpoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/IntrospectionEndpoint.java @@ -15,7 +15,7 @@ * See the License for the specific language governing permissions and * limitations under the License. *******************************************************************************/ -package cz.muni.ics.oauth2.web; +package cz.muni.ics.oauth2.web.endpoint; import com.google.common.base.Strings; import com.google.common.collect.ImmutableMap; @@ -26,6 +26,7 @@ import cz.muni.ics.oauth2.service.ClientDetailsEntityService; import cz.muni.ics.oauth2.service.IntrospectionResultAssembler; import cz.muni.ics.oauth2.service.OAuth2TokenEntityService; import cz.muni.ics.oauth2.service.SystemScopeService; +import cz.muni.ics.oauth2.web.AuthenticationUtilities; import cz.muni.ics.openid.connect.model.UserInfo; import cz.muni.ics.openid.connect.service.UserInfoService; import cz.muni.ics.openid.connect.view.HttpCodeView; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/RevocationEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/RevocationEndpoint.java similarity index 99% rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/RevocationEndpoint.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/RevocationEndpoint.java index 58584a35d..cd2a366a1 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/RevocationEndpoint.java 
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/RevocationEndpoint.java @@ -15,7 +15,7 @@ * See the License for the specific language governing permissions and * limitations under the License. *******************************************************************************/ -package cz.muni.ics.oauth2.web; +package cz.muni.ics.oauth2.web.endpoint; import static cz.muni.ics.oauth2.web.AuthenticationUtilities.ensureOAuthScope; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/CorsFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/filter/CorsFilter.java similarity index 98% rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/CorsFilter.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/filter/CorsFilter.java index 041ec9c74..5f93ee1e5 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/CorsFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/filter/CorsFilter.java @@ -18,7 +18,7 @@ /** * */ -package cz.muni.ics.oauth2.web; +package cz.muni.ics.oauth2.web.filter; import java.io.IOException; import javax.servlet.FilterChain; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java index 584e67bc4..df523801b 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java 
@@ -33,9 +33,15 @@ public class SamlInvalidateSessionFilter extends GenericFilterBean { private static final RequestMatcher MATCHER = new OrRequestMatcher( Arrays.asList(AUTHORIZE_MATCHER, AUTHORIZE_ALL_MATCHER, DEVICE_CODE_MATCHER, DEVICE_CODE_ALL_MATCHER)); + public static final RequestMatcher MATCH = new AntPathRequestMatcher("/authorize"); + private final SecurityContextLogoutHandler contextLogoutHandler; private final List internalReferrers = new ArrayList<>(); + public SamlInvalidateSessionFilter(SecurityContextLogoutHandler contextLogoutHandler) { + this.contextLogoutHandler = contextLogoutHandler; + } + public SamlInvalidateSessionFilter(String idpEntityId, String oidcIssuer, String proxySpEntityId, @@ -67,14 +73,24 @@ public class SamlInvalidateSessionFilter extends GenericFilterBean { { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse res = (HttpServletResponse) response; - if (MATCHER.matches(req)) { - String referer = req.getHeader(REFERER); - if (!isInternalReferer(referer)) { - log.debug("Got external referer, clear session to reauthenticate"); - contextLogoutHandler.logout(req, res, null); - } + if (MATCH.matches(req)) { + log.debug("INV_SESS - invalidate"); + contextLogoutHandler.logout(req, res, null); + } else { + log.debug("INV_SESS - skipping"); } chain.doFilter(req, res); + +// HttpServletRequest req = (HttpServletRequest) request; +// HttpServletResponse res = (HttpServletResponse) response; +// if (MATCHER.matches(req)) { +// String referer = req.getHeader(REFERER); +// if (!isInternalReferer(referer)) { +// log.debug("Got external referer, clear session to reauthenticate"); +// contextLogoutHandler.logout(req, res, null); +// } +// } +// chain.doFilter(req, res); } private boolean isInternalReferer(String referer) { 
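Review bot: The new `MATCH` matcher is built with `"/authorize"`, while this same commit moves the authorization path to `/auth/authorize` in `PerunFilterConstants.AUTHORIZE_REQ_PATTERN` and in `AuthorizationRequestFilter`'s `AntPathRequestMatcher`; unless the filter is registered under a servlet mapping that strips the `auth` prefix, `MATCH` will never match the endpoint and the session will silently stop being invalidated before authorization, which is the forced re-authentication this filter exists to provide. Referencing the shared constant keeps the three in step: `public static final RequestMatcher MATCH = new AntPathRequestMatcher(PerunFilterConstants.AUTHORIZE_REQ_PATTERN);` (whether `cz.muni.ics.oidc.server.filters.PerunFilterConstants` is already imported here is outside the hunk). The new single-argument constructor leaves `internalReferrers` empty and `MATCHER` unused, so a short comment on it should state which code path it is meant for. The JSP form actions changed to `auth/authorize` in approve.jsp and themedApprove.jsp are the same path and should be checked against whichever value is kept.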
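Review bot: The replaced referer check is left behind as a ten-line commented-out copy of the old `doFilter` body at the end of the method; it should be deleted rather than kept under `//`, since the history is in version control and `isInternalReferer` together with `MATCHER` is now unreachable anyway. The new branch logs `INV_SESS - invalidate` / `INV_SESS - skipping` on every request that passes the filter; these read like temporary tracing strings, and a message that names the event, e.g. `log.debug("Invalidating session before authorization request {}", req.getRequestURI());`, is more useful when reconstructing a login sequence from the logs. Note also that the logout now runs for every request matching `MATCH` regardless of referer, so an internal redirect back to the authorization endpoint is logged out as well; if that is intended, a one-line comment above the `if` should say so. `doFilter`'s signature and the tail of `isInternalReferer` lie outside the hunk.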
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java index 43964205d..ddbf8245f 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java @@ -1,6 +1,6 @@ package cz.muni.ics.oidc.server.filters; -import static cz.muni.ics.oauth2.web.DeviceEndpoint.DEVICE_CODE_SESSION_ATTRIBUTE; +import static cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint.DEVICE_CODE_SESSION_ATTRIBUTE; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_FORCE_AUTHN; import cz.muni.ics.oauth2.model.ClientDetailsEntity; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java index 23a1f7426..64e494956 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java @@ -11,7 +11,7 @@ import java.util.Map; */ public class PerunFilterConstants { - public static final String AUTHORIZE_REQ_PATTERN = "/authorize"; + public static final String AUTHORIZE_REQ_PATTERN = "/auth/authorize"; public static final String DEVICE_APPROVE_REQ_PATTERN = "/device/code"; public static final String DEVICE_CHECK_CODE_REQ_PATTERN = "/device/checkcode"; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/ga4gh/Ga4ghPassportAndVisaClaimSource.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/ga4gh/Ga4ghPassportAndVisaClaimSource.java index 13307dc79..839aa3a1a 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/ga4gh/Ga4ghPassportAndVisaClaimSource.java 
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/ga4gh/Ga4ghPassportAndVisaClaimSource.java @@ -16,7 +16,7 @@ import cz.muni.ics.oidc.server.claims.ClaimSource; import cz.muni.ics.oidc.server.claims.ClaimSourceInitContext; import cz.muni.ics.oidc.server.claims.ClaimSourceProduceContext; import cz.muni.ics.oidc.server.connectors.Affiliation; -import cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint; +import cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint; import java.io.IOException; import java.net.URI; import java.net.URISyntaxException; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/ControllerUtils.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/ControllerUtils.java index b288789c9..91982cec2 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/ControllerUtils.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/ControllerUtils.java @@ -1,7 +1,7 @@ package cz.muni.ics.oidc.web.controllers; -import static cz.muni.ics.oauth2.web.OAuthConfirmationController.CLAIMS; -import static cz.muni.ics.oauth2.web.OAuthConfirmationController.SCOPES; +import static cz.muni.ics.oauth2.web.controller.OAuthConfirmationController.CLAIMS; +import static cz.muni.ics.oauth2.web.controller.OAuthConfirmationController.SCOPES; import com.google.common.base.Strings; import com.google.common.collect.Sets; @@ -29,7 +29,6 @@ import java.util.Set; import java.util.stream.Collectors; import javax.servlet.http.HttpServletRequest; -import cz.muni.ics.openid.connect.service.ScopeClaimTranslationService; import lombok.extern.slf4j.Slf4j; import org.apache.http.NameValuePair; import org.apache.http.client.utils.URIBuilder; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/filter/AuthorizationRequestFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/filter/AuthorizationRequestFilter.java index 844f6648d..e7b969ade 100644 
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/filter/AuthorizationRequestFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/filter/AuthorizationRequestFilter.java @@ -78,7 +78,7 @@ public class AuthorizationRequestFilter extends GenericFilterBean { @Autowired(required = false) private LoginHintExtracter loginHintExtracter = new RemoveLoginHintsWithHTTP(); - private RequestMatcher requestMatcher = new AntPathRequestMatcher("/authorize"); + private RequestMatcher requestMatcher = new AntPathRequestMatcher("/auth/authorize"); /** * diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ApprovedSiteAPI.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/ApprovedSiteAPI.java similarity index 96% rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ApprovedSiteAPI.java rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/ApprovedSiteAPI.java index c95d49bee..2b61b1b97 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ApprovedSiteAPI.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/ApprovedSiteAPI.java @@ -18,7 +18,7 @@ /** * */ -package cz.muni.ics.openid.connect.web; +package cz.muni.ics.openid.connect.web.api; import cz.muni.ics.openid.connect.model.ApprovedSite; import cz.muni.ics.openid.connect.service.ApprovedSiteService; @@ -26,6 +26,7 @@ import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.JsonApprovedSiteView; import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonErrorView; +import cz.muni.ics.openid.connect.web.controller.GuiController; import java.security.Principal; import java.util.Collection; import lombok.extern.slf4j.Slf4j; 
@@ -49,7 +50,7 @@ import org.springframework.web.bind.annotation.RequestMethod; @Slf4j public class ApprovedSiteAPI { - public static final String URL = RootController.API_URL + "/approved"; + public static final String URL = GuiController.API_URL + "/approved"; @Autowired private ApprovedSiteService approvedSiteService; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/BlacklistAPI.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/BlacklistAPI.java similarity index 97% rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/BlacklistAPI.java rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/BlacklistAPI.java index d443b1adc..716d8d56e 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/BlacklistAPI.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/BlacklistAPI.java @@ -18,7 +18,7 @@ /** * */ -package cz.muni.ics.openid.connect.web; +package cz.muni.ics.openid.connect.web.api; import com.google.gson.Gson; import com.google.gson.JsonObject; @@ -29,6 +29,7 @@ import cz.muni.ics.openid.connect.service.BlacklistedSiteService; import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonErrorView; +import cz.muni.ics.openid.connect.web.controller.GuiController; import java.security.Principal; import java.util.Collection; import lombok.extern.slf4j.Slf4j; @@ -53,7 +54,7 @@ import org.springframework.web.bind.annotation.RequestMethod; @Slf4j public class BlacklistAPI { - public static final String URL = RootController.API_URL + "/blacklist"; + public static final String URL = GuiController.API_URL + "/blacklist"; @Autowired private BlacklistedSiteService blacklistService; 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ClientAPI.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/ClientAPI.java similarity index 99% rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ClientAPI.java rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/ClientAPI.java index fe402b3b8..262e32abe 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ClientAPI.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/ClientAPI.java @@ -15,7 +15,7 @@ * See the License for the specific language governing permissions and * limitations under the License. *******************************************************************************/ -package cz.muni.ics.openid.connect.web; +package cz.muni.ics.openid.connect.web.api; import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE; import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS; @@ -88,6 +88,7 @@ import cz.muni.ics.openid.connect.view.ClientEntityViewForUsers; import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonErrorView; +import cz.muni.ics.openid.connect.web.controller.GuiController; import java.lang.reflect.Type; import java.sql.SQLIntegrityConstraintViolationException; import java.text.ParseException; @@ -120,7 +121,7 @@ import org.springframework.web.servlet.ModelAndView; @Slf4j public class ClientAPI { - public static final String URL = RootController.API_URL + "/clients"; + public static final String URL = GuiController.API_URL + "/clients"; @Autowired private ClientDetailsEntityService clientService; 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/WhitelistAPI.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/WhitelistAPI.java similarity index 97% rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/WhitelistAPI.java rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/WhitelistAPI.java index 7d4e6bf15..a548525fc 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/WhitelistAPI.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/WhitelistAPI.java @@ -18,7 +18,7 @@ /** * */ -package cz.muni.ics.openid.connect.web; +package cz.muni.ics.openid.connect.web.api; import com.google.gson.Gson; import com.google.gson.JsonObject; @@ -29,6 +29,7 @@ import cz.muni.ics.openid.connect.service.WhitelistedSiteService; import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonErrorView; +import cz.muni.ics.openid.connect.web.controller.GuiController; import java.security.Principal; import java.util.Collection; import lombok.extern.slf4j.Slf4j; @@ -53,7 +54,7 @@ import org.springframework.web.bind.annotation.RequestMethod; @Slf4j public class WhitelistAPI { - public static final String URL = RootController.API_URL + "/whitelist"; + public static final String URL = GuiController.API_URL + "/whitelist"; @Autowired private WhitelistedSiteService whitelistService; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/RootController.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/controller/GuiController.java similarity index 95% rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/RootController.java rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/controller/GuiController.java index 0d5475c22..1670e62f0 100644 
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/RootController.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/controller/GuiController.java @@ -15,7 +15,7 @@ * See the License for the specific language governing permissions and * limitations under the License. *******************************************************************************/ -package cz.muni.ics.openid.connect.web; +package cz.muni.ics.openid.connect.web.controller; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.stereotype.Controller; @@ -27,7 +27,7 @@ import org.springframework.web.bind.annotation.RequestMapping; */ @Controller -public class RootController { +public class GuiController { public static final String API_URL = "api"; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java new file mode 100644 index 000000000..4191449c6 --- /dev/null +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java @@ -0,0 +1,23 @@ +package cz.muni.ics.openid.connect.web.endpoint; + +import javax.servlet.http.HttpServletRequest; +import lombok.extern.slf4j.Slf4j; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.servlet.view.RedirectView; + +@Controller +@Slf4j +public class AuthorizationEndpoint { + + @RequestMapping(value = "/authorize") + public RedirectView authorize(HttpServletRequest req) { + log.debug("Handling authorize in endpoint"); + RedirectView view = new RedirectView("/auth/authorize?" + req.getQueryString()); + view.setContextRelative(true); + view.setAttributesMap(req.getParameterMap()); + log.debug("AUTH_ENDPOINT: Redirecting to: {}", view); + return view; + } + +} 
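Review bot: `authorize()` in the new AuthorizationEndpoint builds the target as `"/auth/authorize?" + req.getQueryString()` and then also calls `view.setAttributesMap(req.getParameterMap())`; RedirectView appends its model attributes to the URL as query parameters, so every request parameter is presumably sent twice (OAuth 2.0 forbids repeated parameters), and when the request has no query string the URL literally becomes `/auth/authorize?null`. Use one source only, e.g. `RedirectView view = new RedirectView("/auth/authorize");` followed by the existing `setAttributesMap` call, or keep the query string and drop the attribute map, with a null guard for `getQueryString()` in the latter case. The `log.debug("AUTH_ENDPOINT: Redirecting to: {}", view)` line prints the full URL including the authorization request parameters, which can contain values such as login_hint or id_token_hint; logging only that a redirect happened would be safer in debug output. The diffstat of the following patch lists this file as changed again, so part of this may already be addressed there.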
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/DynamicClientRegistrationEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/DynamicClientRegistrationEndpoint.java similarity index 99% rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/DynamicClientRegistrationEndpoint.java rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/DynamicClientRegistrationEndpoint.java index dfc335213..2d0579479 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/DynamicClientRegistrationEndpoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/DynamicClientRegistrationEndpoint.java @@ -15,7 +15,7 @@ * See the License for the specific language governing permissions and * limitations under the License. *******************************************************************************/ -package cz.muni.ics.openid.connect.web; +package cz.muni.ics.openid.connect.web.endpoint; import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE; import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/EndSessionEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java similarity index 99% rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/EndSessionEndpoint.java rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java index 569f73c08..7432e11b0 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/EndSessionEndpoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java 
@@ -14,7 +14,7 @@ * limitations under the License. *******************************************************************************/ -package cz.muni.ics.openid.connect.web; +package cz.muni.ics.openid.connect.web.endpoint; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_POST_LOGOUT_REDIRECT_URI; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_STATE; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/JWKSetPublishingEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/JWKSetPublishingEndpoint.java similarity index 97% rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/JWKSetPublishingEndpoint.java rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/JWKSetPublishingEndpoint.java index fdf3c9bfa..455bcf66d 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/JWKSetPublishingEndpoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/JWKSetPublishingEndpoint.java @@ -15,7 +15,7 @@ * See the License for the specific language governing permissions and * limitations under the License. *******************************************************************************/ -package cz.muni.ics.openid.connect.web; +package cz.muni.ics.openid.connect.web.endpoint; import com.nimbusds.jose.jwk.JWK; import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService; 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ProtectedResourceRegistrationEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/ProtectedResourceRegistrationEndpoint.java similarity index 99% rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ProtectedResourceRegistrationEndpoint.java rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/ProtectedResourceRegistrationEndpoint.java index 9b10f06b9..1194d00ff 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ProtectedResourceRegistrationEndpoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/ProtectedResourceRegistrationEndpoint.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. *******************************************************************************/ -package cz.muni.ics.openid.connect.web; +package cz.muni.ics.openid.connect.web.endpoint; import com.google.common.base.Strings; import com.google.gson.JsonSyntaxException; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/UserInfoEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/UserInfoEndpoint.java similarity index 98% rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/UserInfoEndpoint.java rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/UserInfoEndpoint.java index ccdfaa7f2..b00079233 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/UserInfoEndpoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/UserInfoEndpoint.java 
@@ -15,11 +15,10 @@ * See the License for the specific language governing permissions and * limitations under the License. *******************************************************************************/ -package cz.muni.ics.openid.connect.web; +package cz.muni.ics.openid.connect.web.endpoint; import com.google.common.base.Strings; import cz.muni.ics.oauth2.model.ClientDetailsEntity; -import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity; import cz.muni.ics.oauth2.model.SavedUserAuthentication; import cz.muni.ics.oauth2.service.ClientDetailsEntityService; import cz.muni.ics.oauth2.service.SystemScopeService; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ServerConfigInterceptor.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/interceptor/ServerConfigInterceptor.java similarity index 97% rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ServerConfigInterceptor.java rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/interceptor/ServerConfigInterceptor.java index eb5dd49f9..b19e3e9e8 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ServerConfigInterceptor.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/interceptor/ServerConfigInterceptor.java @@ -18,7 +18,7 @@ /** * */ -package cz.muni.ics.openid.connect.web; +package cz.muni.ics.openid.connect.web.interceptor; import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean; import cz.muni.ics.openid.connect.config.UIConfiguration; 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/UserInfoInterceptor.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/interceptor/UserInfoInterceptor.java similarity index 98% rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/UserInfoInterceptor.java rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/interceptor/UserInfoInterceptor.java index 9a83505bd..9cfc4a88c 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/UserInfoInterceptor.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/interceptor/UserInfoInterceptor.java @@ -18,7 +18,7 @@ /** * */ -package cz.muni.ics.openid.connect.web; +package cz.muni.ics.openid.connect.web.interceptor; import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.CLIENT_ID; import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.SCOPE; From cf358dc2dc69de9d5b68b7b8c3b220293775ac4f Mon Sep 17 00:00:00 2001 
From: Dominik Frantisek Bucik Date: Thu, 27 Jan 2022 11:04:15 +0100 Subject: [PATCH 2/4] =?UTF-8?q?refactor:=20=F0=9F=92=A1=20Refactored=20Per?= =?UTF-8?q?un=20filters=20as=20auth=5Fproc=20filters?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/main/webapp/WEB-INF/user-context.xml | 2 +- .../src/main/webapp/WEB-INF/web-context.xml | 2 +- ...RequestFilter.java => AuthProcFilter.java} | 56 ++++++++++++------- ...ter.java => AuthProcFiltersContainer.java} | 26 +++++---- .../server/filters/PerunFiltersContext.java | 16 +++--- .../impl/PerunAuthorizationFilter.java | 16 ++++-- .../filters/impl/PerunEnsureVoMember.java | 16 ++++-- .../filters/impl/PerunForceAupFilter.java | 30 +++++----- .../impl/PerunIsCesnetEligibleFilter.java | 19 ++++--- .../filters/impl/PerunIsTestSpFilter.java | 20 ++++--- .../filters/impl/ProxyStatisticsFilter.java | 17 ++++-- .../server/filters/impl/ValidUserFilter.java | 20 ++++--- .../web/endpoint/AuthorizationEndpoint.java | 3 +- 13 files changed, 147 insertions(+), 96 deletions(-) rename perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/{PerunRequestFilter.java => AuthProcFilter.java} (65%) rename perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/{CallPerunFiltersFilter.java => AuthProcFiltersContainer.java} (81%) diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml index e369125cc..babcb8f80 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml @@ -489,7 +489,7 @@ - + diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml index ea927b36c..39d6253a2 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml 
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml @@ -251,7 +251,7 @@ - + diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java similarity index 65% rename from perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilter.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java index 3d5503c97..f7266b3a1 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java @@ -1,20 +1,14 @@ package cz.muni.ics.oidc.server.filters; -import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN; -import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN; -import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_CHECK_CODE_REQ_PATTERN; - import java.io.IOException; +import java.security.Principal; import java.util.Arrays; import java.util.HashSet; import java.util.Set; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import lombok.extern.slf4j.Slf4j; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; -import org.springframework.security.web.util.matcher.OrRequestMatcher; -import org.springframework.security.web.util.matcher.RequestMatcher; /** * Abstract class for Perun filters. All filters called in CallPerunFiltersFilter has to extend this. 
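Review bot: The class comment at the end of this hunk still says "All filters called in CallPerunFiltersFilter has to extend this", but this commit renames that class to AuthProcFiltersContainer (and this one from PerunRequestFilter to AuthProcFilter), so the Javadoc now points at a class that no longer exists. Suggested wording: `* Abstract class for auth-proc filters. All filters called from AuthProcFiltersContainer have to extend this.`. The remainder of the class comment continues outside the hunk and may carry the old name as well.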
@@ -39,7 +33,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher; * @author Dominik Frantisek Bucik */ @Slf4j -public abstract class PerunRequestFilter { +public abstract class AuthProcFilter { private static final String DELIMITER = ","; private static final String CLIENT_IDS = "clientIds"; @@ -49,7 +43,7 @@ public abstract class PerunRequestFilter { private Set clientIds = new HashSet<>(); private Set subs = new HashSet<>(); - public PerunRequestFilter(PerunRequestFilterParams params) { + public AuthProcFilter(PerunRequestFilterParams params) { filterName = params.getFilterName(); if (params.hasProperty(CLIENT_IDS)) { @@ -65,6 +59,8 @@ public abstract class PerunRequestFilter { log.debug("{} - skip execution for clients with CLIENT_ID in: {}", filterName, clientIds); } + protected abstract String getSessionAppliedParamName(); + /** * In this method is done whole logic of filer * 
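Review bot: The new abstract method `getSessionAppliedParamName()` has no Javadoc, while the neighbouring `process` is documented, and its contract (a session attribute key, unique per filter class) is what every subclass must get right. Proposed comment above it: `/** Returns the name of the HTTP session attribute under which this filter records that it has already been applied; must be unique per filter implementation. */`. The subclasses later in this patch return a per-class `APPLIED` constant, which matches that contract.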
@@ -73,31 +69,51 @@ public abstract class PerunRequestFilter { * @return boolean if filter was successfully done * @throws IOException this exception could be thrown because of failed or interrupted I/O operation */ - protected abstract boolean process(ServletRequest request, ServletResponse response, FilterParams params) + protected abstract boolean process(HttpServletRequest request, HttpServletResponse response, FilterParams params) throws IOException; - public boolean doFilter(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { - HttpServletRequest request = (HttpServletRequest) req; - if (!skip(request)) { + public boolean doFilter(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException { + if (!skip(req)) { log.trace("{} - executing filter", filterName); - return this.process(req, res, params); + return process(req, res, params); } else { return true; } } private boolean skip(HttpServletRequest request) { - String sub = (request.getUserPrincipal() != null) ? request.getUserPrincipal().getName() : null; - String clientId = request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID); + if (hasBeenApplied(request.getSession(true))) { + return true; + } + log.debug("{} - marking filter as applied", filterName); + request.getSession(true).setAttribute(getSessionAppliedParamName(), true); + return skipForSub(request.getUserPrincipal()) + || skipForClientId(request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID)); + } + private boolean hasBeenApplied(HttpSession sess) { + String sessionParamName = getSessionAppliedParamName(); + if (sess.getAttribute(sessionParamName) != null) { + log.debug("{} - skip filter execution: filter has been already applied", filterName); + return true; + } + return false; + } + + private boolean skipForSub(Principal p) { + String sub = (p != null) ? 
p.getName() : null; if (sub != null && subs.contains(sub)) { log.debug("{} - skip filter execution: matched one of the ignored SUBS ({})", filterName, sub); return true; - } else if (clientId != null && clientIds.contains(clientId)){ + } + return false; + } + + private boolean skipForClientId(String clientId) { + if (clientId != null && clientIds.contains(clientId)){ log.debug("{} - skip filter execution: matched one of the ignored CLIENT_IDS ({})", filterName, clientId); return true; } - return false; } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/CallPerunFiltersFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java similarity index 81% rename from perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/CallPerunFiltersFilter.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java index a4ce091d9..2faea8d35 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/CallPerunFiltersFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java @@ -16,10 +16,12 @@ import java.util.List; import java.util.Properties; import javax.annotation.PostConstruct; import javax.servlet.FilterChain; +import javax.servlet.GenericFilter; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.oauth2.provider.OAuth2RequestFactory; 
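Review bot: `skip()` writes the applied marker into the session before `process()` has run and regardless of its outcome, so a request that `process()` rejects (returns false and redirects the user away) is still recorded as applied, and when the user repeats the authorize request in the same session `hasBeenApplied()` short-circuits and the check is never performed again. The marker is also keyed per session rather than per client_id, so a second authorization for a different client in the same session skips filters such as PerunAuthorizationFilter whose decision depends on the facility. If this relies on the session being invalidated elsewhere (the commit subject mentions session invalidation), a comment on `hasBeenApplied` stating that assumption would help; otherwise move the marking into `doFilter` after a successful run, e.g. `boolean ok = process(req, res, params); if (ok) { req.getSession(true).setAttribute(getSessionAppliedParamName(), true); } return ok;`. Separately, `request.getSession(true)` now creates a session for every matched request, including ones skipped by sub or client_id; `getSession(false)` with a null check in `hasBeenApplied` avoids that.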
@@ -36,7 +38,7 @@ import org.springframework.web.filter.GenericFilterBean; * @author Dominik Frantisek Bucik */ @Slf4j -public class CallPerunFiltersFilter extends GenericFilterBean { +public class AuthProcFiltersContainer extends GenericFilterBean { private static final RequestMatcher AUTHORIZE_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN); private static final RequestMatcher AUTHORIZE_ALL_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN + "/**"); @@ -74,13 +76,15 @@ public class CallPerunFiltersFilter extends GenericFilterBean { public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { - HttpServletRequest request = (HttpServletRequest) servletRequest; - if (!MATCHER.matches(request)) { - log.debug("Custom filters have been skipped, did not match '/authorize' nor '/device/code' request"); + HttpServletRequest req = (HttpServletRequest) servletRequest; + HttpServletResponse res = (HttpServletResponse) servletResponse; + if (!MATCHER.matches(req)) { + log.debug("Custom filters have been skipped, did not match '{}' nor '{}' request", AUTHORIZE_MATCHER, + AUTHORIZE_REQ_PATTERN); } else { - List filters = perunFiltersContext.getFilters(); + List filters = perunFiltersContext.getFilters(); if (filters != null && !filters.isEmpty()) { - ClientDetailsEntity client = FiltersUtils.extractClientFromRequest(request, authRequestFactory, + ClientDetailsEntity client = FiltersUtils.extractClientFromRequest(req, authRequestFactory, clientDetailsEntityService); Facility facility = null; if (client != null && StringUtils.hasText(client.getClientId())) { 
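Review bot: The rewritten debug message in `doFilter` passes `AUTHORIZE_MATCHER` and `AUTHORIZE_REQ_PATTERN`, which are the same pattern once as a matcher object and once as a string, whereas the removed text named '/authorize' and '/device/code'; the second placeholder was presumably meant to be the device-code pattern. Suggested line: `log.debug("Custom filters have been skipped, did not match '{}' nor '{}' request", AUTHORIZE_REQ_PATTERN, DEVICE_CHECK_CODE_REQ_PATTERN);` using the constant from PerunFilterConstants that this patch drops as an import elsewhere, assuming it is what the combined `MATCHER` (defined outside the hunk) actually covers.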
@@ -88,20 +92,20 @@ public class CallPerunFiltersFilter extends GenericFilterBean { facility = perunAdapter.getFacilityByClientId(client.getClientId()); } catch (Exception e) { log.warn("{} - could not fetch facility for client_id '{}'", - CallPerunFiltersFilter.class.getSimpleName(), client.getClientId(), e); + AuthProcFiltersContainer.class.getSimpleName(), client.getClientId(), e); } } - PerunUser user = FiltersUtils.getPerunUser(request, perunAdapter, + PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter, samlProperties.getUserIdentifierAttribute()); FilterParams params = new FilterParams(client, facility, user); - for (PerunRequestFilter filter : filters) { - if (!filter.doFilter(servletRequest, servletResponse, params)) { + for (AuthProcFilter filter : filters) { + if (!filter.doFilter(req, res, params)) { return; } } } } - filterChain.doFilter(servletRequest, servletResponse); + filterChain.doFilter(req, res); } } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java index 411b1ec97..04a9b5082 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java @@ -16,7 +16,7 @@ import org.springframework.util.StringUtils; * Filters are configured from configuration file in following way: * filter.names=filterName1,filterName2,... * - * @see PerunRequestFilter for configuration of filter + * @see AuthProcFilter for configuration of filter * * @author Dominik Frantisek Bucik */ @@ -27,7 +27,7 @@ public class PerunFiltersContext { private static final String FILTER_CLASS = ".class"; private static final String PREFIX = "filter."; - private final List filters; + private final List filters; private final Properties properties; private final BeanUtil beanUtil; 
@@ -41,17 +41,17 @@ public class PerunFiltersContext { log.debug("--------------------------------"); for (String filterName: filterNames.split(",")) { - PerunRequestFilter requestFilter = loadFilter(filterName); + AuthProcFilter requestFilter = loadFilter(filterName); filters.add(requestFilter); log.debug("--------------------------------"); } } - public List getFilters() { + public List getFilters() { return filters; } - private PerunRequestFilter loadFilter(String filterName) { + private AuthProcFilter loadFilter(String filterName) { String propPrefix = PerunFiltersContext.PREFIX + filterName; String filterClass = properties.getProperty(propPrefix + FILTER_CLASS, null); if (!StringUtils.hasText(filterClass)) { @@ -62,14 +62,14 @@ public class PerunFiltersContext { try { Class rawClazz = Class.forName(filterClass); - if (!PerunRequestFilter.class.isAssignableFrom(rawClazz)) { + if (!AuthProcFilter.class.isAssignableFrom(rawClazz)) { log.warn("{} - failed to initialized filter: class '{}' does not extend PerunRequestFilter", filterName, filterClass); return null; } - @SuppressWarnings("unchecked") Class clazz = (Class) rawClazz; - Constructor constructor = clazz.getConstructor(PerunRequestFilterParams.class); + @SuppressWarnings("unchecked") Class clazz = (Class) rawClazz; + Constructor constructor = clazz.getConstructor(PerunRequestFilterParams.class); PerunRequestFilterParams params = new PerunRequestFilterParams(filterName, propPrefix, properties, beanUtil); return constructor.newInstance(params); } catch (ClassNotFoundException e) { diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java index f5679b096..35fef0e17 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java 
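Review bot: The warn message in `loadFilter` still reads "class '{}' does not extend PerunRequestFilter" although the check on the line above it was changed to `AuthProcFilter.class.isAssignableFrom(rawClazz)`, so an operator debugging a misconfigured filter is told to extend a class that no longer exists. Change it to `log.warn("{} - failed to initialize filter: class '{}' does not extend AuthProcFilter", filterName, filterClass);`.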
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java @@ -9,7 +9,7 @@ import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import java.util.Map; @@ -31,7 +31,9 @@ import lombok.extern.slf4j.Slf4j; * @author Dominik Frantisek Bucik */ @Slf4j -public class PerunAuthorizationFilter extends PerunRequestFilter { +public class PerunAuthorizationFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + PerunAuthorizationFilter.class.getSimpleName(); private final PerunAdapter perunAdapter; private final FacilityAttrsConfig facilityAttrsConfig; @@ -48,10 +50,12 @@ public class PerunAuthorizationFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) { - HttpServletRequest request = (HttpServletRequest) req; - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) { Facility facility = params.getFacility(); if (facility == null || facility.getId() == null) { log.debug("{} - skip filter execution: no facility provided", filterName); 
@@ -64,7 +68,7 @@ public class PerunAuthorizationFilter extends PerunRequestFilter { return true; } - return this.decideAccess(facility, user, request, response, params.getClientIdentifier(), + return this.decideAccess(facility, user, req, res, params.getClientIdentifier(), perunAdapter, facilityAttrsConfig); } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java index e3467b0ef..dfae70056 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java @@ -7,7 +7,7 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.web.controllers.ControllerUtils; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; @@ -21,6 +21,7 @@ import java.util.Map; import java.util.Set; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; import org.apache.http.HttpHeaders; 
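Review bot: The import hunk in PerunEnsureVoMember adds `javax.servlet.http.HttpServletRequest` but keeps `javax.servlet.ServletRequest` and `javax.servlet.ServletResponse`, which look unused now that `process` (later in this patch) takes the Http* types; if nothing else in the file references them they should be dropped to keep the compiler warnings clean. The same is likely true of `java.io.IOException` there, since the override no longer declares it, though the rest of the file is outside the hunk.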
@@ -39,7 +40,9 @@ import org.springframework.util.StringUtils; * @author Dominik Frantisek Bucik */ @Slf4j -public class PerunEnsureVoMember extends PerunRequestFilter { +public class PerunEnsureVoMember extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + PerunEnsureVoMember.class.getSimpleName(); private static final String TRIGGER_ATTR = "triggerAttr"; private static final String VO_DEFS_ATTR = "voDefsAttr"; @@ -68,9 +71,12 @@ public class PerunEnsureVoMember extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) { Facility facility = params.getFacility(); if (facility == null || facility.getId() == null) { log.debug("{} - skip execution: no facility provided", filterName); @@ -100,7 +106,7 @@ public class PerunEnsureVoMember extends PerunRequestFilter { log.debug("{} - user allowed to continue", filterName); return true; } else { - redirect(response, getLoginUrl(facility.getId()), voShortName); + redirect(res, getLoginUrl(facility.getId()), voShortName); return false; } } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java index 25d630e81..62c912d9b 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java 
@@ -14,7 +14,7 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.web.controllers.AupController; import java.io.IOException; @@ -52,7 +52,9 @@ import org.springframework.util.StringUtils; * @author Dominik Frantisek Bucik */ @Slf4j -public class PerunForceAupFilter extends PerunRequestFilter { +public class PerunForceAupFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + PerunForceAupFilter.class.getSimpleName(); private static final String DATE_FORMAT = "yyyy-MM-dd"; 
@@ -93,18 +95,20 @@ public class PerunForceAupFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { - HttpServletRequest request = (HttpServletRequest) req; - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } - if (request.getSession() != null && request.getSession().getAttribute(APPROVED) != null) { - request.getSession().removeAttribute(APPROVED); + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException { + if (req.getSession() != null && req.getSession().getAttribute(APPROVED) != null) { + req.getSession().removeAttribute(APPROVED); log.debug("{} - skip filter execution: aups are already approved, check at next access to the service due" + " to a delayed propagation to LDAP", filterName); return true; } - PerunUser user = FiltersUtils.getPerunUser(request, perunAdapter, samlProperties.getUserIdentifierAttribute()); + PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter, samlProperties.getUserIdentifierAttribute()); if (user == null || user.getId() == null) { log.debug("{} - skip filter execution: no user provider", filterName); return true; 
@@ -147,13 +151,13 @@ public class PerunForceAupFilter extends PerunRequestFilter { log.trace("{} - AUPS to be approved: '{}'", filterName, newAups); String newAupsString = mapper.writeValueAsString(newAups); - request.getSession().setAttribute(AupController.RETURN_URL, request.getRequestURI() - .replace(request.getContextPath(), "") + '?' + request.getQueryString()); - request.getSession().setAttribute(AupController.NEW_AUPS, newAupsString); - request.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName); + req.getSession().setAttribute(AupController.RETURN_URL, req.getRequestURI() + .replace(req.getContextPath(), "") + '?' + req.getQueryString()); + req.getSession().setAttribute(AupController.NEW_AUPS, newAupsString); + req.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName); log.debug("{} - redirecting user '{}' to AUPs approval page", filterName, user); - response.sendRedirect(request.getContextPath() + '/' + AupController.URL); + res.sendRedirect(req.getContextPath() + '/' + AupController.URL); return false; } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java index a51236965..6076b4ca4 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java 
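Review bot: The `RETURN_URL` stored in the session on the first changed line is built as `req.getRequestURI().replace(req.getContextPath(), "") + '?' + req.getQueryString()`, and `HttpServletRequest#getQueryString()` returns null when the request carries no query string, so the stored value can end in `?null`; the expression is pre-existing, but the line is rewritten here and the file already imports `org.springframework.util.StringUtils`. Suggest `String query = req.getQueryString();` followed by `String returnUrl = req.getRequestURI().replace(req.getContextPath(), "") + (StringUtils.hasText(query) ? '?' + query : "");` and storing `returnUrl`. Note also that `String.replace` strips every occurrence of the context path rather than only the leading one; `substring(req.getContextPath().length())` is the exact operation. The enclosing `process` starts before this hunk.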
@@ -14,8 +14,7 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunFilterConstants; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.web.controllers.ControllerUtils; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; @@ -46,7 +45,9 @@ import org.apache.http.HttpHeaders; * @author Dominik Frantisek Bucik */ @Slf4j -public class PerunIsCesnetEligibleFilter extends PerunRequestFilter { +public class PerunIsCesnetEligibleFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + PerunIsCesnetEligibleFilter.class.getSimpleName(); /* CONFIGURATION PROPERTIES */ private static final String IS_CESNET_ELIGIBLE_ATTR_NAME = "isCesnetEligibleAttr"; @@ -84,11 +85,13 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) { - HttpServletRequest request = (HttpServletRequest) req; - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } - if (!FiltersUtils.isScopePresent(request.getParameter(PARAM_SCOPE), triggerScope)) { + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) { + if (!FiltersUtils.isScopePresent(req.getParameter(PARAM_SCOPE), triggerScope)) { log.debug("{} - skip execution: scope '{}' is not present in request", filterName, triggerScope); return true; } 
@@ -124,7 +127,7 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter { } log.debug("{} - attribute '{}' value is invalid, stop user at this point", filterName, attrValue); - this.redirect(request, response, reason); + this.redirect(req, res, reason); return false; } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java index d027eed43..2001378c9 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java @@ -10,8 +10,7 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunFilterConstants; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.web.controllers.ControllerUtils; import cz.muni.ics.oidc.web.controllers.IsTestSpController; @@ -37,7 +36,9 @@ import org.apache.http.HttpHeaders; * @author Pavol Pluta <500348@mail.muni.cz> */ @Slf4j -public class PerunIsTestSpFilter extends PerunRequestFilter { +public class PerunIsTestSpFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + PerunIsTestSpFilter.class.getSimpleName(); private static final String IS_TEST_SP_ATTR_NAME = "isTestSpAttr"; 
@@ -56,14 +57,17 @@ public class PerunIsTestSpFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { - HttpServletRequest request = (HttpServletRequest) req; - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } + + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException { Facility facility = params.getFacility(); if (facility == null || facility.getId() == null) { log.debug("{} - skip execution: no facility provided", filterName); return true; - } else if (testSpWarningApproved(request)){ + } else if (testSpWarningApproved(req)){ log.debug("{} - skip execution: warning already approved", filterName); return true; } @@ -74,7 +78,7 @@ public class PerunIsTestSpFilter extends PerunRequestFilter { return true; } else if (attrValue.valueAsBoolean()) { log.debug("{} - redirecting user to test SP warning page", filterName); - this.redirect(request, response); + this.redirect(req, res); return false; } log.debug("{} - service is not testing, let user access it", filterName); diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java index 6a9f90326..771ca3e3d 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java 
@@ -8,7 +8,7 @@ import cz.muni.ics.oidc.BeanUtil; import cz.muni.ics.oidc.saml.SamlProperties; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import java.sql.Connection; import java.sql.Date; @@ -17,10 +17,10 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.time.LocalDate; import java.util.Objects; -import java.util.Properties; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import javax.sql.DataSource; import lombok.extern.slf4j.Slf4j; import org.springframework.security.saml.SAMLCredential; @@ -51,7 +51,9 @@ import org.springframework.util.StringUtils; */ @SuppressWarnings("SqlResolve") @Slf4j -public class ProxyStatisticsFilter extends PerunRequestFilter { +public class ProxyStatisticsFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + ProxyStatisticsFilter.class.getSimpleName(); /* CONFIGURATION OPTIONS */ private static final String IDP_NAME_ATTRIBUTE_NAME = "idpNameAttributeName"; @@ -97,9 +99,12 @@ public class ProxyStatisticsFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) { - HttpServletRequest request = (HttpServletRequest) req; + protected String getSessionAppliedParamName() { + return APPLIED; + } + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) { ClientDetailsEntity client = params.getClient(); if (client == null) { log.warn("{} - skip execution: no client provided", filterName); 
@@ -112,7 +117,7 @@ public class ProxyStatisticsFilter extends PerunRequestFilter { return true; } - SAMLCredential samlCredential = FiltersUtils.getSamlCredential(request); + SAMLCredential samlCredential = FiltersUtils.getSamlCredential(req); if (samlCredential == null) { log.warn("{} - skip execution: no authN object available, cannot extract user identifier and idp identifier", filterName); diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java index bf05d8c69..07b948f48 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java @@ -9,7 +9,7 @@ import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import java.util.HashSet; @@ -46,7 +46,9 @@ import org.springframework.util.StringUtils; */ @SuppressWarnings("SqlResolve") @Slf4j -public class ValidUserFilter extends PerunRequestFilter { +public class ValidUserFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + ValidUserFilter.class.getSimpleName(); /* CONFIGURATION OPTIONS */ private static final String ALL_ENV_GROUPS = "allEnvGroups"; 
@@ -86,10 +88,12 @@ public class ValidUserFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) { - HttpServletRequest request = (HttpServletRequest) req; - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) { Set additionalVos = new HashSet<>(); Set additionalGroups = new HashSet<>(); @@ -106,7 +110,7 @@ public class ValidUserFilter extends PerunRequestFilter { return true; } - if (!checkMemberValidInGroupsAndVos(user, facility, response, params, allEnvVos, allEnvGroups, + if (!checkMemberValidInGroupsAndVos(user, facility, res, params, allEnvVos, allEnvGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS)) { return false; } @@ -121,7 +125,7 @@ public class ValidUserFilter extends PerunRequestFilter { additionalVos.addAll(testEnvVos); additionalGroups.addAll(testEnvGroups); - if (!checkMemberValidInGroupsAndVos(user, facility, response, params, additionalVos, + if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos, additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_TEST_VOS_GROUPS)) { return false; } @@ -129,7 +133,7 @@ public class ValidUserFilter extends PerunRequestFilter { additionalVos.addAll(prodEnvVos); additionalGroups.addAll(prodEnvGroups); - if (!checkMemberValidInGroupsAndVos(user, facility, response, params, additionalVos, + if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos, additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_PROD_VOS_GROUPS)) { return false; } 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java index 4191449c6..f2d6022bf 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java @@ -12,7 +12,6 @@ public class AuthorizationEndpoint { @RequestMapping(value = "/authorize") public RedirectView authorize(HttpServletRequest req) { - log.debug("Handling authorize in endpoint"); RedirectView view = new RedirectView("/auth/authorize?" + req.getQueryString()); view.setContextRelative(true); view.setAttributesMap(req.getParameterMap()); @@ -20,4 +19,6 @@ public class AuthorizationEndpoint { return view; } + //TODO: handle also device endpoint + } From c0db96df7d9a27f48bbca8c67e7c25f36189454f Mon Sep 17 00:00:00 2001 
From: Dominik Frantisek Bucik Date: Thu, 27 Jan 2022 11:38:14 +0100 Subject: [PATCH 3/4] =?UTF-8?q?refactor:=20=F0=9F=92=A1=20Refactored=20dev?= =?UTF-8?q?ice=20code=20auth?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../webapp/WEB-INF/views/approveDevice.jsp | 2 +- .../webapp/WEB-INF/views/requestUserCode.jsp | 2 +- .../WEB-INF/views/themedApproveDevice.jsp | 2 +- .../WEB-INF/views/themedRequestUserCode.jsp | 2 +- .../src/main/webapp/WEB-INF/web-context.xml | 6 +++-- .../oauth2/web/endpoint/DeviceEndpoint.java | 9 ++++--- .../saml/SamlInvalidateSessionFilter.java | 27 +++---------------- .../filters/AuthProcFiltersContainer.java | 10 +++---- .../server/filters/PerunFilterConstants.java | 3 +-- .../web/endpoint/AuthorizationEndpoint.java | 2 -- .../web/endpoint/UserDeviceEndpoint.java | 22 +++++++++++++++ 11 files changed, 44 insertions(+), 43 deletions(-) create mode 100644 perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/UserDeviceEndpoint.java diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp index 4a5462ba5..dbcdc1108 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp @@ -37,7 +37,7 @@ + action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device/approved" method="post">

diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/requestUserCode.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/requestUserCode.jsp index df4dd18e2..94d1eaae7 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/requestUserCode.jsp +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/requestUserCode.jsp @@ -39,7 +39,7 @@ - +
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApproveDevice.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApproveDevice.jsp index 80b75a830..329c74fb6 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApproveDevice.jsp +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApproveDevice.jsp @@ -33,7 +33,7 @@
+ action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device/approved" method="post">

${" "}${fn:escapeXml(client.clientName)} diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedRequestUserCode.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedRequestUserCode.jsp index b3130f9f8..9b3ab9611 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedRequestUserCode.jsp +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedRequestUserCode.jsp @@ -52,7 +52,7 @@ + action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device">

diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml index 39d6253a2..d71d6200b 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml @@ -56,6 +56,7 @@ + @@ -83,10 +84,10 @@ + + - - @@ -241,6 +242,7 @@ authentication-manager-ref="authenticationManager"> + diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java index 019505f54..27036e3c7 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java @@ -120,9 +120,10 @@ public class DeviceEndpoint { // other public static final String DEFAULT = "default"; public static final String ENDPOINT_URL = "/devicecode"; - public static final String REQUEST_USER_CODE_URL = "/device/code"; - public static final String CHECK_USER_CODE_URL = "/device/checkcode"; - public static final String DEVICE_APPROVED_URL = "/device/approved"; + public static final String REQUEST_USER_CODE_INIT_URL = "/device"; + public static final String REQUEST_USER_CODE_URL = "/auth/device"; + public static final String CHECK_USER_CODE_URL = "/auth/device/authorize"; + public static final String DEVICE_APPROVED_URL = "/auth/device/approved"; private final ClientDetailsEntityService clientService; private final SystemScopeService scopeService; 
@@ -184,7 +185,7 @@ public class DeviceEndpoint { if (StringUtils.hasText(acrValues)) { uriParams.put(ACR_VALUES, acrValues); } - String uriBase = perunOidcConfig.getConfigBean().getIssuer(false) + REQUEST_USER_CODE_URL; + String uriBase = perunOidcConfig.getConfigBean().getIssuer(false) + REQUEST_USER_CODE_INIT_URL; response.put(VERIFICATION_URI, constructVerificationURI(uriBase, uriParams)); if (perunOidcConfig.getConfigBean().isAllowCompleteDeviceCodeUri()) { diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java index df523801b..caa993771 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java @@ -1,9 +1,5 @@ package cz.muni.ics.oidc.saml; -import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN; -import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN; -import static org.springframework.http.HttpHeaders.REFERER; - import java.io.IOException; import java.util.ArrayList; import java.util.Arrays; 
@@ -26,14 +22,10 @@ import org.springframework.web.filter.GenericFilterBean; @Slf4j public class SamlInvalidateSessionFilter extends GenericFilterBean { - private static final RequestMatcher AUTHORIZE_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN); - private static final RequestMatcher AUTHORIZE_ALL_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN + "/**"); - private static final RequestMatcher DEVICE_CODE_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN); - private static final RequestMatcher DEVICE_CODE_ALL_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN + "/**"); private static final RequestMatcher MATCHER = new OrRequestMatcher( - Arrays.asList(AUTHORIZE_MATCHER, AUTHORIZE_ALL_MATCHER, DEVICE_CODE_MATCHER, DEVICE_CODE_ALL_MATCHER)); - - public static final RequestMatcher MATCH = new AntPathRequestMatcher("/authorize"); + new AntPathRequestMatcher("/authorize"), + new AntPathRequestMatcher("/device") + ); private final SecurityContextLogoutHandler contextLogoutHandler; private final List internalReferrers = new ArrayList<>(); @@ -73,24 +65,13 @@ public class SamlInvalidateSessionFilter extends GenericFilterBean { { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse res = (HttpServletResponse) response; - if (MATCH.matches(req)) { + if (MATCHER.matches(req)) { log.debug("INV_SESS - invalidate"); contextLogoutHandler.logout(req, res, null); } else { log.debug("INV_SESS - skipping"); } chain.doFilter(req, res); - -// HttpServletRequest req = (HttpServletRequest) request; -// HttpServletResponse res = (HttpServletResponse) response; -// if (MATCHER.matches(req)) { -// String referer = req.getHeader(REFERER); -// if (!isInternalReferer(referer)) { -// log.debug("Got external referer, clear session to reauthenticate"); -// contextLogoutHandler.logout(req, res, null); -// } -// } -// chain.doFilter(req, res); } private boolean isInternalReferer(String referer) { 
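Review bot: The replacement `MATCHER` matches only the exact paths `/authorize` and `/device`, whereas the removed matchers covered `AUTHORIZE_REQ_PATTERN` (`/auth/authorize`) and `DEVICE_APPROVE_REQ_PATTERN` together with their `/**` variants, so a client or discovery document that still points straight at `/auth/authorize` (the target of the redirect in AuthorizationEndpoint) would no longer get its session invalidated before authorization. If the intent is that only the public entry URLs trigger the logout, a short class-level comment saying so would keep this list and the one in AuthProcFiltersContainer from drifting apart unnoticed. Separately, with the commented-out referer logic deleted, `isInternalReferer` and the `internalReferrers` list kept as context are no longer referenced anywhere visible; unless a later change removes them, they should go as well. `isInternalReferer` begins on the last line of this hunk and continues beyond it.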
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java index 2faea8d35..eaa6ed5b7 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java @@ -1,7 +1,7 @@ package cz.muni.ics.oidc.server.filters; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN; -import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_CHECK_CODE_REQ_PATTERN; +import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN; import cz.muni.ics.oauth2.model.ClientDetailsEntity; import cz.muni.ics.oauth2.service.ClientDetailsEntityService; @@ -16,7 +16,6 @@ import java.util.List; import java.util.Properties; import javax.annotation.PostConstruct; import javax.servlet.FilterChain; -import javax.servlet.GenericFilter; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; 
@@ -42,8 +41,8 @@ public class AuthProcFiltersContainer extends GenericFilterBean { private static final RequestMatcher AUTHORIZE_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN); private static final RequestMatcher AUTHORIZE_ALL_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN + "/**"); - private static final RequestMatcher DEVICE_CODE_MATCHER = new AntPathRequestMatcher(DEVICE_CHECK_CODE_REQ_PATTERN); - private static final RequestMatcher DEVICE_CODE_ALL_MATCHER = new AntPathRequestMatcher(DEVICE_CHECK_CODE_REQ_PATTERN + "/**"); + private static final RequestMatcher DEVICE_CODE_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN); + private static final RequestMatcher DEVICE_CODE_ALL_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN + "/**"); private static final RequestMatcher MATCHER = new OrRequestMatcher( Arrays.asList(AUTHORIZE_MATCHER, AUTHORIZE_ALL_MATCHER, DEVICE_CODE_MATCHER, DEVICE_CODE_ALL_MATCHER)); @@ -79,8 +78,7 @@ public class AuthProcFiltersContainer extends GenericFilterBean { HttpServletRequest req = (HttpServletRequest) servletRequest; HttpServletResponse res = (HttpServletResponse) servletResponse; if (!MATCHER.matches(req)) { - log.debug("Custom filters have been skipped, did not match '{}' nor '{}' request", AUTHORIZE_MATCHER, - AUTHORIZE_REQ_PATTERN); + log.debug("Custom filters have been skipped, did not match authorization nor device req URL"); } else { List filters = perunFiltersContext.getFilters(); if (filters != null && !filters.isEmpty()) { diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java index 64e494956..d623a97ee 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java 
@@ -12,8 +12,7 @@ import java.util.Map; public class PerunFilterConstants { public static final String AUTHORIZE_REQ_PATTERN = "/auth/authorize"; - public static final String DEVICE_APPROVE_REQ_PATTERN = "/device/code"; - public static final String DEVICE_CHECK_CODE_REQ_PATTERN = "/device/checkcode"; + public static final String DEVICE_APPROVE_REQ_PATTERN = "/auth/device/authorize"; public static final String PARAM_CLIENT_ID = "client_id"; public static final String PARAM_SCOPE = "scope"; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java index f2d6022bf..050b07052 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java @@ -19,6 +19,4 @@ public class AuthorizationEndpoint { return view; } - //TODO: handle also device endpoint - } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/UserDeviceEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/UserDeviceEndpoint.java new file mode 100644 index 000000000..81f20091c --- /dev/null +++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/UserDeviceEndpoint.java 
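Review bot: `DEVICE_APPROVE_REQ_PATTERN` is now `/auth/device/authorize`, the same value as `DeviceEndpoint.CHECK_USER_CODE_URL` (the user-code check) rather than `DeviceEndpoint.DEVICE_APPROVED_URL` (`/auth/device/approved`), so the constant's name no longer describes the endpoint it selects. AuthProcFiltersContainer builds its request matchers from this constant, which means the two literals must be kept identical by hand; if either is edited later, the authorization filters silently stop running on the device flow. If the package dependency is acceptable, define it in terms of the endpoint constant, `public static final String DEVICE_APPROVE_REQ_PATTERN = DeviceEndpoint.CHECK_USER_CODE_URL;`; otherwise at least rename it to `DEVICE_CHECK_CODE_REQ_PATTERN` (the name this patch removes) and add a comment naming the handler it must track.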
@@ -0,0 +1,22 @@
+package cz.muni.ics.openid.connect.web.endpoint;
+
+import javax.servlet.http.HttpServletRequest;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Controller;
+import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.servlet.view.RedirectView;
+
+@Controller
+@Slf4j
+public class UserDeviceEndpoint {
+
+ @RequestMapping(value = "/device")
+ public RedirectView authorize(HttpServletRequest req) {
+ String redirect = "/auth/device" + (StringUtils.hasText(req.getQueryString()) ? '?' + req.getQueryString() : "");
+ RedirectView view = new RedirectView(redirect);
+ view.setContextRelative(true);
+ log.debug("DEVICE_ENDPOINT: Redirecting to: {}", view);
+ return view;
+ }
+}
From 0e009d9cc2e0a741935ffe1d24b46d0a4b4a6d40 Mon Sep 17 00:00:00 2001
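Review bot: `log.debug("DEVICE_ENDPOINT: Redirecting to: {}", view)` writes the full redirect target, query string included, to the log (`RedirectView`'s `toString` contains the URL); the query string forwarded here is whatever the device's verification URI carried, which with `isAllowCompleteDeviceCodeUri` enabled in DeviceEndpoint presumably includes the user code. A user code in the log is a one-time authorization credential sitting in a file that is usually retained and shipped to a log collector, so log only the fixed path, e.g. `log.debug("DEVICE_ENDPOINT: Redirecting to: {}", "/auth/device");`. The same applies to the two `log.debug` lines in the last patch on this page, in `AuthorizationEndpoint.authorize` (where `redirect` carries `state`, `nonce` and any `login_hint`) and in `DeviceEndpoint.authorize`.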
From: Dominik Frantisek Bucik Date: Thu, 27 Jan 2022 12:20:05 +0100 Subject: [PATCH 4/4] =?UTF-8?q?refactor:=20=F0=9F=92=A1=20cleanup?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/main/webapp/WEB-INF/user-context.xml | 2 - .../src/main/webapp/WEB-INF/web-context.xml | 24 +++++----- .../web/endpoint/AuthorizationEndpoint.java} | 15 +++--- .../oauth2/web/endpoint/DeviceEndpoint.java | 14 +++++- .../saml/SamlInvalidateSessionFilter.java | 47 +------------------ .../oidc/server/filters/AuthProcFilter.java | 2 +- ...rParams.java => AuthProcFilterParams.java} | 4 +- .../filters/AuthProcFiltersContainer.java | 6 +-- ...ntext.java => AuthProcFiltersContext.java} | 12 ++--- .../ics/oidc/server/filters/FiltersUtils.java | 2 +- .../impl/PerunAuthorizationFilter.java | 6 +-- .../filters/impl/PerunEnsureVoMember.java | 21 +-------- .../filters/impl/PerunForceAupFilter.java | 6 +-- .../impl/PerunIsCesnetEligibleFilter.java | 6 +-- .../filters/impl/PerunIsTestSpFilter.java | 6 +-- .../filters/impl/ProxyStatisticsFilter.java | 6 +-- .../server/filters/impl/ValidUserFilter.java | 8 ++-- .../web/endpoint/AuthorizationEndpoint.java | 22 --------- 18 files changed, 62 insertions(+), 147 deletions(-) rename perun-oidc-server/src/main/java/cz/muni/ics/{openid/connect/web/endpoint/UserDeviceEndpoint.java => oauth2/web/endpoint/AuthorizationEndpoint.java} (50%) rename perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/{PerunRequestFilterParams.java => AuthProcFilterParams.java} (87%) rename perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/{PerunFiltersContext.java => AuthProcFiltersContext.java} (89%) delete mode 100644 perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml index babcb8f80..9441f224a 100644 
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml @@ -73,8 +73,6 @@ - - urn:cesnet: false urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml index d71d6200b..1c8371d42 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml @@ -241,12 +241,16 @@ create-session="always" authentication-manager-ref="authenticationManager"> - - + + - - + + @@ -337,17 +341,13 @@ - - - - - + - - - + + + diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/UserDeviceEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/AuthorizationEndpoint.java similarity index 50% rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/UserDeviceEndpoint.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/AuthorizationEndpoint.java index 81f20091c..339a5caf0 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/UserDeviceEndpoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/AuthorizationEndpoint.java 
@@ -1,22 +1,25 @@ -package cz.muni.ics.openid.connect.web.endpoint; +package cz.muni.ics.oauth2.web.endpoint; import javax.servlet.http.HttpServletRequest; import lombok.extern.slf4j.Slf4j; import org.springframework.stereotype.Controller; -import org.springframework.util.StringUtils; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.servlet.view.RedirectView; @Controller @Slf4j -public class UserDeviceEndpoint { +public class AuthorizationEndpoint { - @RequestMapping(value = "/device") + public static final String ENDPOINT_INIT_URL = "/authorize"; + public static final String ENDPOINT_URL = "/auth/authorize"; + + @RequestMapping(value = ENDPOINT_INIT_URL) public RedirectView authorize(HttpServletRequest req) { - String redirect = "/auth/device" + (StringUtils.hasText(req.getQueryString()) ? '?' + req.getQueryString() : ""); + String redirect = ENDPOINT_URL + '?' + req.getQueryString(); RedirectView view = new RedirectView(redirect); view.setContextRelative(true); - log.debug("DEVICE_ENDPOINT: Redirecting to: {}", view); + log.debug("Authorization endpoint - {}: user is being redirected to to: {}", ENDPOINT_INIT_URL, redirect); return view; } + } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java index 27036e3c7..967163287 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java @@ -35,7 +35,6 @@ import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonErrorView; import java.net.URISyntaxException; -import java.security.Principal; import java.util.Collection; import java.util.Date; import java.util.HashMap; 
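Review bot: The new `authorize` body builds the target as `ENDPOINT_URL + '?' + req.getQueryString()`, so a request to `/authorize` with no query string (and any POSTed authorization request, since `@RequestMapping` accepts POST and the 302 drops the form body) is redirected to `/auth/authorize?null`; the sibling redirect added to `DeviceEndpoint` in this same patch keeps the `StringUtils.hasText` guard, and this one should too: `String redirect = ENDPOINT_URL + (StringUtils.hasText(req.getQueryString()) ? '?' + req.getQueryString() : "");`, which means keeping the `org.springframework.util.StringUtils` import the hunk removes. Consider `@GetMapping` (or an explicit `method`) so a POST is rejected rather than silently stripped of its parameters. The debug line also writes the raw query string, which at the authorization endpoint typically carries `state`, `nonce` and any hint parameters, into the log; logging only `ENDPOINT_URL` would be safer.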
@@ -57,13 +56,14 @@ import org.springframework.security.oauth2.provider.AuthorizationRequest; import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.security.oauth2.provider.OAuth2Request; import org.springframework.security.oauth2.provider.OAuth2RequestFactory; -import org.springframework.security.saml.SAMLCredential; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.util.StringUtils; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.servlet.view.RedirectView; /** * Implements https://tools.ietf.org/html/draft-ietf-oauth-device-flow @@ -211,6 +211,16 @@ public class DeviceEndpoint { } } + @RequestMapping(value = REQUEST_USER_CODE_INIT_URL) + public RedirectView authorize(HttpServletRequest req) { + String redirect = REQUEST_USER_CODE_URL + + (StringUtils.hasText(req.getQueryString()) ? '?' + req.getQueryString() : ""); + RedirectView view = new RedirectView(redirect); + view.setContextRelative(true); + log.debug("User device endpoint - {}: user is being redirected to to: {}", REQUEST_USER_CODE_INIT_URL, redirect); + return view; + } + @PreAuthorize("hasRole('ROLE_USER')") @GetMapping(value = REQUEST_USER_CODE_URL) public String requestUserCode(@RequestParam(value = USER_CODE, required = false) String userCode, diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java index caa993771..483e317aa 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java 
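Review bot: The debug statement in the new `authorize` redirect logs `redirect`, which includes the full query string, and the `requestUserCode` handler directly below reads the `USER_CODE` parameter from that same request, so the device-flow user code (a short-lived, one-time secret) will land in the log whenever a user arrives at the init URL with it pre-filled; log the target path only, e.g. `log.debug("User device endpoint - {}: user is being redirected to {}", REQUEST_USER_CODE_INIT_URL, REQUEST_USER_CODE_URL);`. `@RequestMapping` without a `method` also accepts POST, and the resulting 302 turns it into a GET without the form body, so `@GetMapping` would make the contract explicit. Naming the method `authorize` for a device user-code redirect is confusing next to the real authorization endpoint; `redirectToUserCode` would read better. `REQUEST_USER_CODE_INIT_URL` and `REQUEST_USER_CODE_URL` are defined outside the hunk, so I cannot confirm their values here.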
@@ -1,10 +1,6 @@ package cz.muni.ics.oidc.saml; import java.io.IOException; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.List; -import java.util.stream.Collectors; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.ServletRequest; @@ -16,7 +12,6 @@ import org.springframework.security.web.authentication.logout.SecurityContextLog import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; -import org.springframework.util.StringUtils; import org.springframework.web.filter.GenericFilterBean; @Slf4j 
@@ -28,37 +23,11 @@ public class SamlInvalidateSessionFilter extends GenericFilterBean { ); private final SecurityContextLogoutHandler contextLogoutHandler; - private final List internalReferrers = new ArrayList<>(); public SamlInvalidateSessionFilter(SecurityContextLogoutHandler contextLogoutHandler) { this.contextLogoutHandler = contextLogoutHandler; } - public SamlInvalidateSessionFilter(String idpEntityId, - String oidcIssuer, - String proxySpEntityId, - SecurityContextLogoutHandler contextLogoutHandler, - String[] internalReferrers) - { - if (StringUtils.hasText(idpEntityId)) { - this.internalReferrers.add(idpEntityId); - } - if (StringUtils.hasText(oidcIssuer)) { - this.internalReferrers.add(oidcIssuer); - } - if (StringUtils.hasText(proxySpEntityId)) { - this.internalReferrers.add(proxySpEntityId); - } - this.contextLogoutHandler = contextLogoutHandler; - if (internalReferrers != null && internalReferrers.length > 0) { - List referrers = Arrays.asList(internalReferrers); - referrers = referrers.stream().filter(StringUtils::hasText).collect(Collectors.toList()); - if (!referrers.isEmpty()) { - this.internalReferrers.addAll(referrers); - } - } - } - @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException 
@@ -66,24 +35,10 @@ public class SamlInvalidateSessionFilter extends GenericFilterBean { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse res = (HttpServletResponse) response; if (MATCHER.matches(req)) { - log.debug("INV_SESS - invalidate"); + log.debug("Invalidate session to enable SAML IdP re-authentication"); contextLogoutHandler.logout(req, res, null); - } else { - log.debug("INV_SESS - skipping"); } chain.doFilter(req, res); } - private boolean isInternalReferer(String referer) { - if (!StringUtils.hasText(referer)) { - return false; - } - for (String internal : internalReferrers) { - if (referer.startsWith(internal)) { - return true; - } - } - return false; - } - } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java index f7266b3a1..d736dc4f8 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java @@ -43,7 +43,7 @@ public abstract class AuthProcFilter { private Set clientIds = new HashSet<>(); private Set subs = new HashSet<>(); - public AuthProcFilter(PerunRequestFilterParams params) { + public AuthProcFilter(AuthProcFilterParams params) { filterName = params.getFilterName(); if (params.hasProperty(CLIENT_IDS)) { diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilterParams.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterParams.java similarity index 87% rename from perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilterParams.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterParams.java index 5c370fc0d..749fce772 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilterParams.java 
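Review bot: `doFilter` now calls `contextLogoutHandler.logout(req, res, null)` on every request `MATCHER` accepts, with no check on HTTP method, referer, or whether the request is a well-formed authorization request; the removed `isInternalReferer` helper was never called from the visible `doFilter`, so this is not a regression, but it means any cross-site GET to a matched URL (an `<img src>` is enough) unconditionally terminates the user's server-side session, a logout-CSRF primitive that should at least be documented. The only statement of intent is the debug string, so add a class-level Javadoc along the lines of `Invalidates the HTTP session and SecurityContext on every request matching MATCHER so the following SAML flow re-authenticates at the IdP; note this is triggered by any request to those URLs, including cross-site ones.` `MATCHER` is defined above this hunk and the `doFilter` signature is in the preceding hunk, so I cannot confirm exactly which paths are affected from here.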
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterParams.java @@ -8,7 +8,7 @@ import java.util.Properties; * * @author Dominik Frantisek Bucik */ -public class PerunRequestFilterParams { +public class AuthProcFilterParams { private final String filterName; @@ -16,7 +16,7 @@ public class PerunRequestFilterParams { private final Properties properties; private final BeanUtil beanUtil; - public PerunRequestFilterParams(String filterName, String propertyPrefix, Properties properties, BeanUtil beanUtil) { + public AuthProcFilterParams(String filterName, String propertyPrefix, Properties properties, BeanUtil beanUtil) { this.filterName = filterName; this.propertyPrefix = propertyPrefix; this.properties = properties; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java index eaa6ed5b7..26a6d071d 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java @@ -64,11 +64,11 @@ public class AuthProcFiltersContainer extends GenericFilterBean { @Autowired private SamlProperties samlProperties; - private PerunFiltersContext perunFiltersContext; + private AuthProcFiltersContext perunFiltersContext; @PostConstruct public void postConstruct() { - this.perunFiltersContext = new PerunFiltersContext(coreProperties, beanUtil); + this.perunFiltersContext = new AuthProcFiltersContext(coreProperties, beanUtil); } @Override 
@@ -78,7 +78,7 @@ public class AuthProcFiltersContainer extends GenericFilterBean { HttpServletRequest req = (HttpServletRequest) servletRequest; HttpServletResponse res = (HttpServletResponse) servletResponse; if (!MATCHER.matches(req)) { - log.debug("Custom filters have been skipped, did not match authorization nor device req URL"); + log.debug("AuthProc filters have been skipped, did not match authorization nor device req URL"); } else { List filters = perunFiltersContext.getFilters(); if (filters != null && !filters.isEmpty()) { diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContext.java similarity index 89% rename from perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContext.java index 04a9b5082..c6f324a2b 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContext.java @@ -21,7 +21,7 @@ import org.springframework.util.StringUtils; * @author Dominik Frantisek Bucik */ @Slf4j -public class PerunFiltersContext { +public class AuthProcFiltersContext { private static final String FILTER_NAMES = "filter.names"; private static final String FILTER_CLASS = ".class"; @@ -31,7 +31,7 @@ public class PerunFiltersContext { private final Properties properties; private final BeanUtil beanUtil; - public PerunFiltersContext(Properties properties, BeanUtil beanUtil) { + public AuthProcFiltersContext(Properties properties, BeanUtil beanUtil) { this.properties = properties; this.beanUtil = beanUtil; this.filters = new LinkedList<>(); 
@@ -52,7 +52,7 @@ public class PerunFiltersContext { } private AuthProcFilter loadFilter(String filterName) { - String propPrefix = PerunFiltersContext.PREFIX + filterName; + String propPrefix = AuthProcFiltersContext.PREFIX + filterName; String filterClass = properties.getProperty(propPrefix + FILTER_CLASS, null); if (!StringUtils.hasText(filterClass)) { log.warn("{} - failed to initialized filter: no class has ben configured", filterName); @@ -63,14 +63,14 @@ public class PerunFiltersContext { try { Class rawClazz = Class.forName(filterClass); if (!AuthProcFilter.class.isAssignableFrom(rawClazz)) { - log.warn("{} - failed to initialized filter: class '{}' does not extend PerunRequestFilter", + log.warn("{} - failed to initialized filter: class '{}' does not extend AuthProcFilter", filterName, filterClass); return null; } @SuppressWarnings("unchecked") Class clazz = (Class) rawClazz; - Constructor constructor = clazz.getConstructor(PerunRequestFilterParams.class); - PerunRequestFilterParams params = new PerunRequestFilterParams(filterName, propPrefix, properties, beanUtil); + Constructor constructor = clazz.getConstructor(AuthProcFilterParams.class); + AuthProcFilterParams params = new AuthProcFilterParams(filterName, propPrefix, properties, beanUtil); return constructor.newInstance(params); } catch (ClassNotFoundException e) { log.warn("{} - failed to initialize filter: class '{}' was not found", filterName, filterClass); diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java index ddbf8245f..2da01950b 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java 
@@ -278,7 +278,7 @@ public class FiltersUtils { public static String fillStringMandatoryProperty(String propertyName, String filterName, - PerunRequestFilterParams params) { + AuthProcFilterParams params) { String filled = params.getProperty(propertyName); if (!StringUtils.hasText(filled)) { diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java index 35fef0e17..4ef27d2c0 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java @@ -10,11 +10,9 @@ import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.AuthProcFilter; -import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; +import cz.muni.ics.oidc.server.filters.AuthProcFilterParams; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import java.util.Map; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; @@ -40,7 +38,7 @@ public class PerunAuthorizationFilter extends AuthProcFilter { private final String filterName; private final PerunOidcConfig config; - public PerunAuthorizationFilter(PerunRequestFilterParams params) { + public PerunAuthorizationFilter(AuthProcFilterParams params) { super(params); BeanUtil beanUtil = params.getBeanUtil(); this.perunAdapter = beanUtil.getBean(PerunAdapter.class); 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java index dfae70056..cb736dabe 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java @@ -8,19 +8,13 @@ import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.AuthProcFilter; -import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; +import cz.muni.ics.oidc.server.filters.AuthProcFilterParams; import cz.muni.ics.oidc.web.controllers.ControllerUtils; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import cz.muni.ics.oidc.web.controllers.RegistrationController; -import java.io.IOException; import java.util.Arrays; -import java.util.Collections; import java.util.HashMap; -import java.util.HashSet; import java.util.Map; -import java.util.Set; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; @@ -55,7 +49,7 @@ public class PerunEnsureVoMember extends AuthProcFilter { private final String filterName; private final PerunOidcConfig perunOidcConfig; - public PerunEnsureVoMember(PerunRequestFilterParams params) { + public PerunEnsureVoMember(AuthProcFilterParams params) { super(params); BeanUtil beanUtil = params.getBeanUtil(); 
@@ -139,17 +133,6 @@ public class PerunEnsureVoMember extends AuthProcFilter { return attrValue; } - private boolean canAccess(PerunAttributeValue attrValue, Set memberShortNames) { - if (attrValue.valueAsJson().isArray()) { - Set val = attrValue.valueAsList() == null ? - Collections.emptySet() : new HashSet<>(attrValue.valueAsList()); - return !Collections.disjoint(val, memberShortNames); - } else { - String val = attrValue.valueAsString(); - return memberShortNames.contains(val); - } - } - @Override public String toString() { return "PerunEnsureVoMember{" + diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java index 62c912d9b..1f738aa93 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java @@ -15,7 +15,7 @@ import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.AuthProcFilter; -import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; +import cz.muni.ics.oidc.server.filters.AuthProcFilterParams; import cz.muni.ics.oidc.web.controllers.AupController; import java.io.IOException; import java.text.ParseException; @@ -27,8 +27,6 @@ import java.util.HashMap; import java.util.LinkedHashMap; import java.util.List; import java.util.Map; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; 
@@ -79,7 +77,7 @@ public class PerunForceAupFilter extends AuthProcFilter { private final SamlProperties samlProperties; private final String filterName; - public PerunForceAupFilter(PerunRequestFilterParams params) { + public PerunForceAupFilter(AuthProcFilterParams params) { super(params); BeanUtil beanUtil = params.getBeanUtil(); this.perunAdapter = beanUtil.getBean(PerunAdapter.class); diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java index 6076b4ca4..50a41686e 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java @@ -15,7 +15,7 @@ import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.AuthProcFilter; -import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; +import cz.muni.ics.oidc.server.filters.AuthProcFilterParams; import cz.muni.ics.oidc.web.controllers.ControllerUtils; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import java.time.LocalDateTime; @@ -24,8 +24,6 @@ import java.time.format.DateTimeParseException; import java.util.Collections; import java.util.HashMap; import java.util.Map; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; 
@@ -64,7 +62,7 @@ public class PerunIsCesnetEligibleFilter extends AuthProcFilter { private final PerunAdapter perunAdapter; private final String filterName; - public PerunIsCesnetEligibleFilter(PerunRequestFilterParams params) { + public PerunIsCesnetEligibleFilter(AuthProcFilterParams params) { super(params); BeanUtil beanUtil = params.getBeanUtil(); this.config = beanUtil.getBean(PerunOidcConfig.class); diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java index 2001378c9..06fc36676 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java @@ -11,14 +11,12 @@ import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.AuthProcFilter; -import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; +import cz.muni.ics.oidc.server.filters.AuthProcFilterParams; import cz.muni.ics.oidc.web.controllers.ControllerUtils; import cz.muni.ics.oidc.web.controllers.IsTestSpController; import java.io.IOException; import java.util.HashMap; import java.util.Map; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; 
@@ -47,7 +45,7 @@ public class PerunIsTestSpFilter extends AuthProcFilter { private final String filterName; private final PerunOidcConfig config; - public PerunIsTestSpFilter(PerunRequestFilterParams params) { + public PerunIsTestSpFilter(AuthProcFilterParams params) { super(params); BeanUtil beanUtil = params.getBeanUtil(); this.perunAdapter = beanUtil.getBean(PerunAdapter.class); diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java index 771ca3e3d..19fc1f3d0 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java @@ -9,7 +9,7 @@ import cz.muni.ics.oidc.saml.SamlProperties; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.AuthProcFilter; -import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; +import cz.muni.ics.oidc.server.filters.AuthProcFilterParams; import java.sql.Connection; import java.sql.Date; import java.sql.PreparedStatement; @@ -17,8 +17,6 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.time.LocalDate; import java.util.Objects; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.sql.DataSource; 
@@ -79,7 +77,7 @@ public class ProxyStatisticsFilter extends AuthProcFilter { private final String filterName; private final SamlProperties samlProperties; - public ProxyStatisticsFilter(PerunRequestFilterParams params) { + public ProxyStatisticsFilter(AuthProcFilterParams params) { super(params); BeanUtil beanUtil = params.getBeanUtil(); this.mitreIdStats = beanUtil.getBean("mitreIdStats", DataSource.class); diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java index 07b948f48..e3d4d2cf9 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java @@ -10,13 +10,11 @@ import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.AuthProcFilter; -import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; +import cz.muni.ics.oidc.server.filters.AuthProcFilterParams; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import java.util.HashSet; import java.util.Map; import java.util.Set; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; @@ -71,7 +69,7 @@ public class ValidUserFilter extends AuthProcFilter { private final String filterName; private final PerunOidcConfig config; - public ValidUserFilter(PerunRequestFilterParams params) { + public ValidUserFilter(AuthProcFilterParams params) { super(params); BeanUtil beanUtil = params.getBeanUtil(); this.perunAdapter = beanUtil.getBean(PerunAdapter.class); 
@@ -143,7 +141,7 @@ public class ValidUserFilter extends AuthProcFilter { return true; } - private Set getIdsFromParam(PerunRequestFilterParams params, String propKey) { + private Set getIdsFromParam(AuthProcFilterParams params, String propKey) { Set result = new HashSet<>(); String prop = params.getProperty(propKey); diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java deleted file mode 100644 index 050b07052..000000000 --- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/AuthorizationEndpoint.java +++ /dev/null @@ -1,22 +0,0 @@ -package cz.muni.ics.openid.connect.web.endpoint; - -import javax.servlet.http.HttpServletRequest; -import lombok.extern.slf4j.Slf4j; -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.servlet.view.RedirectView; - -@Controller -@Slf4j -public class AuthorizationEndpoint { - - @RequestMapping(value = "/authorize") - public RedirectView authorize(HttpServletRequest req) { - RedirectView view = new RedirectView("/auth/authorize?" + req.getQueryString()); - view.setContextRelative(true); - view.setAttributesMap(req.getParameterMap()); - log.debug("AUTH_ENDPOINT: Redirecting to: {}", view); - return view; - } - -}