Merge pull request #27 from dBucik/saml_new_repo

feat: 🎸 Merge with perun-mitreid overlay, add SAML auth

openid-connect-server-webapp/src/main/webapp/WEB-INF/data-context.xml

@@ -1,128 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-    Copyright 2018 The MIT Internet Trust Consortium
-   
-    Portions copyright 2011-2013 The MITRE Corporation
-   
-    Licensed under the Apache License, Version 2.0 (the "License");
-    you may not use this file except in compliance with the License.
-    You may obtain a copy of the License at
-   
-      http://www.apache.org/licenses/LICENSE-2.0
-   
-    Unless required by applicable law or agreed to in writing, software
-    distributed under the License is distributed on an "AS IS" BASIS,
-    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-    See the License for the specific language governing permissions and
-    limitations under the License.
- -->
-<beans xmlns="http://www.springframework.org/schema/beans"
-	   xmlns:jdbc="http://www.springframework.org/schema/jdbc"
-       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-       						http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-4.3.xsd">
-
-	<bean id="dataSource" class="com.zaxxer.hikari.HikariDataSource" destroy-method="close">
-		<property name="driverClassName" value="org.hsqldb.jdbcDriver" />
-		<property name="jdbcUrl" value="jdbc:hsqldb:mem:oic;sql.syntax_mys=true" />
-<!-- 		<property name="jdbcUrl" value="jdbc:hsqldb:file:/tmp/oic;sql.syntax_mys=true" /> -->
-		<property name="username" value="oic" />
-		<property name="password" value="oic" />
-	</bean>
-
-	<!-- Use the following to set up the OIC tables in the in-memory DB
- 		   If you are using a file based HSQLDB you should not run this every time. -->
-	<jdbc:initialize-database data-source="dataSource">
-		<jdbc:script location="classpath:/db/hsql/hsql_database_tables.sql"/>
-		<!-- The following file is for the jdbc-user-service spring security implementation -->
-		<jdbc:script location="classpath:/db/hsql/security-schema.sql"/>
-		<!-- The following files are for safely bootstrapping users and clients into the database -->
-		<jdbc:script location="classpath:/db/hsql/loading_temp_tables.sql"/>
-		<jdbc:script location="classpath:/db/hsql/users.sql"/>
-		<jdbc:script location="classpath:/db/hsql/clients.sql"/>
-		<jdbc:script location="classpath:/db/hsql/scopes.sql"/>
-	</jdbc:initialize-database>
-
-	<bean id="jpaAdapter" class="org.springframework.orm.jpa.vendor.EclipseLinkJpaVendorAdapter">
- 		<property name="databasePlatform" value="org.eclipse.persistence.platform.database.HSQLPlatform" />
-		<property name="showSql" value="true" />
-	</bean>
-
-	<!--  The following is for connecting to a MySQL database that has been initialized with 
-			src/main/resources/db/mysql/mysql_database_tables.sql -->
-<!-- 	<bean id="dataSource" class="com.zaxxer.hikari.HikariDataSource" destroy-method="close"> -->
-<!-- 		<property name="driverClassName" value="com.mysql.jdbc.Driver" /> -->
-<!-- 		<property name="jdbcUrl" value="jdbc:mysql://127.0.0.1:3306/oic" /> -->
-<!-- 		<property name="username" value="oic" /> -->
-<!-- 		<property name="password" value="oic" /> -->
-<!--  	</bean> -->
-
-<!-- 	<bean id="jpaAdapter" class="org.springframework.orm.jpa.vendor.EclipseLinkJpaVendorAdapter"> -->
-<!-- 		<property name="databasePlatform" value="org.eclipse.persistence.platform.database.MySQLPlatform" /> -->
-<!-- 		<property name="showSql" value="true" /> -->
-<!-- 	</bean> -->
-
-	<!-- You can optionally initialize the database with test values here, 
-		but this is not recommended for real systems -->
-<!-- 	<jdbc:initialize-database data-source="dataSource"> -->
-<!-- 		<jdbc:script location="classpath:/db/tables/mysql_database_tables.sql"/> -->
-<!-- 		<jdbc:script location="classpath:/db/tables/security-schema.sql"/> -->
-<!-- 		<jdbc:script location="classpath:/db/tables/loading_temp_tables.sql"/> -->
-<!-- 		<jdbc:script location="classpath:/db/mysql/users.sql"/> -->
-<!-- 		<jdbc:script location="classpath:/db/mysql/clients.sql"/> -->
-<!-- 		<jdbc:script location="classpath:/db/mysql/scopes.sql"/> -->
-<!-- 	</jdbc:initialize-database> -->
-
-	<!--  The following is for connecting to a PostgreSQL database that has been initialized with
-			src/main/resources/db/psql/psql_database_tables.sql -->
-	<!--
-	<bean id="dataSource" class="com.zaxxer.hikari.HikariDataSource" destroy-method="close">
-		<property name="driverClassName" value="org.postgresql.Driver" />
-		<property name="jdbcUrl" value="jdbc:postgresql://localhost/oic" />
-		<property name="username" value="oic" />
-		<property name="password" value="oic" />
-	</bean>
-
-
-	<bean id="jpaAdapter" class="org.springframework.orm.jpa.vendor.EclipseLinkJpaVendorAdapter">
-		<property name="databasePlatform" value="org.eclipse.persistence.platform.database.PostgreSQLPlatform" />
-		<property name="showSql" value="true" />
-	</bean>
-	-->
-	
-	<!-- You can optionally initialize the database with test values here, 
-		but this is not recommended for real systems -->
-<!-- 	<jdbc:initialize-database data-source="dataSource"> -->
-<!-- 		<jdbc:script location="classpath:/db/psql/psql_database_tables.sql"/> -->
-<!-- 		<jdbc:script location="classpath:/db/psql/security-schema.sql"/> -->
-<!-- 		<jdbc:script location="classpath:/db/psql/loading_temp_tables.sql"/> -->
-<!-- 		<jdbc:script location="classpath:/db/psql/users.sql"/> -->
-<!-- 		<jdbc:script location="classpath:/db/psql/clients.sql"/> -->
-<!-- 		<jdbc:script location="classpath:/db/psql/scopes.sql"/> -->
-<!-- 	</jdbc:initialize-database> -->
-
-	<!--  The following is for connecting to a Oracle database that has been initialized with
-			src/main/resources/db/oracle/oracle_database_tables.sql -->
-	<!--<bean id="dataSource" class="com.zaxxer.hikari.HikariDataSource" destroy-method="close">
-		<property name="driverClassName" value="oracle.jdbc.driver.OracleDriver" />
-		<property name="jdbcUrl" value="jdbc:oracle:thin:@localhost:1521:XE" />
-		<property name="username" value="oic" />
-		<property name="password" value="oic" />
-	</bean>-->
-
-	<!--<bean id="jpaAdapter" class="org.springframework.orm.jpa.vendor.EclipseLinkJpaVendorAdapter">
-		<property name="databasePlatform" value="org.eclipse.persistence.platform.database.OraclePlatform" />
-		<property name="showSql" value="true" />
-	</bean>-->
-
-	<!-- Use the following to set up the OIC tables in the Oracle DB
-		   Below scripts are intended to be run once at startup. -->
-	<!--<jdbc:initialize-database data-source="dataSource">
-		<jdbc:script location="classpath:/db/oracle/oracle_database_tables.sql"/>
-		<jdbc:script location="classpath:/db/oracle/security-schema_oracle.sql"/>
-		<jdbc:script location="classpath:/db/oracle/loading_temp_tables_oracle.sql"/>
-		<jdbc:script location="classpath:/db/oracle/users_oracle.sql"/>
-		<jdbc:script location="classpath:/db/oracle/clients_oracle.sql"/>
-		<jdbc:script location="classpath:/db/oracle/scopes_oracle.sql"/>
-	</jdbc:initialize-database>-->
-</beans>

openid-connect-server-webapp/src/main/webapp/WEB-INF/server-config.xml

@@ -1,77 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-    Copyright 2018 The MIT Internet Trust Consortium
-   
-    Portions copyright 2011-2013 The MITRE Corporation
-   
-    Licensed under the Apache License, Version 2.0 (the "License");
-    you may not use this file except in compliance with the License.
-    You may obtain a copy of the License at
-   
-      http://www.apache.org/licenses/LICENSE-2.0
-   
-    Unless required by applicable law or agreed to in writing, software
-    distributed under the License is distributed on an "AS IS" BASIS,
-    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-    See the License for the specific language governing permissions and
-    limitations under the License.
- -->
-<beans xmlns="http://www.springframework.org/schema/beans"
-	xmlns:mvc="http://www.springframework.org/schema/mvc"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:tx="http://www.springframework.org/schema/tx"
-	xmlns:context="http://www.springframework.org/schema/context"
-	xmlns:security="http://www.springframework.org/schema/security"
-	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
-		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
-
-	<bean id="configBean" class="org.mitre.openid.connect.config.ConfigurationPropertiesBean">
-	    
-	    <!-- This property sets the root URL of the server, known as the issuer -->
-		<property name="issuer" value="http://localhost:8080/openid-connect-server-webapp/" />
-		
-		<!-- This property is a URL pointing to a logo image 24px high to be used in the top bar -->
- 		<property name="logoImageUrl" value="resources/images/openid_connect_small.png" />
- 		
- 		<!-- This property sets the display name of the server, displayed in the topbar and page title -->
- 		<property name="topbarTitle" value="OpenID Connect Server" />
- 		
-		<!-- This property sets the lifetime of registration access tokens, in seconds. Leave it unset (null) for no rotation. -->
-		<!-- <property name="regTokenLifeTime" value="172800" /> -->
-		
-		<!-- This property forces the issuer value to start with "https", recommended on production servers -->
-		<!-- <property name="forceHttps" value="true" /> -->
-		
-		<!-- This property sets the locale for server text -->
-		<!-- <property name="locale" value="sv" /> -->
-
-		<!-- This property sets the set of namespaces for language translation files. The default is "messages". These are checked in the order presented here. -->
-		<!-- 
-		<property name="languageNamespaces">
-			<list>
-				<value>foo</value>
-				<value>bar</value>
-				<value>messages</value>
-			</list>
-		</property>
-		-->
-
-		<!-- This property indicates if a dynamically registered client supports dual flows, such as client_credentials
-		at the same time with authorization_code or implicit -->
-		<!-- <property name="dualClient" value="true" /> -->
-		
-		<!-- This property turns on HEART compliance mode -->
-		<!-- <property name="heartMode" value="true" /> -->
-
-        <!-- This property allows the server to create and accept fully-composed 
-        user URIs (with the user-code emebedded) for the device flow -->
-        <!-- <property name="allowCompleteDeviceCodeUri" value="true" /> -->
-
-	</bean>
-	
-</beans>

openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/copyright.tag

@@ -1,4 +0,0 @@
-<%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
-<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
-<c:if test="${ config.heartMode }"><span class="pull-left"><img src="resources/images/heart_mode.png" alt="HEART Mode" title="This server is running in HEART Compliance Mode" /></span> </c:if>
-<spring:message code="copyright" arguments="${project.version}"/>

openid-connect-server/src/main/java/org/mitre/openid/connect/web/EndSessionEndpoint.java

@@ -1,197 +0,0 @@
-/*******************************************************************************
- * Copyright 2018 The MIT Internet Trust Consortium
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *******************************************************************************/
-
-package org.mitre.openid.connect.web;
-
-import java.text.ParseException;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-
-import org.mitre.jwt.assertion.AssertionValidator;
-import org.mitre.jwt.assertion.impl.SelfAssertionValidator;
-import org.mitre.oauth2.model.ClientDetailsEntity;
-import org.mitre.oauth2.service.ClientDetailsEntityService;
-import org.mitre.openid.connect.model.UserInfo;
-import org.mitre.openid.connect.service.UserInfoService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
-import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
-import org.springframework.stereotype.Controller;
-import org.springframework.ui.Model;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.util.UriComponents;
-import org.springframework.web.util.UriComponentsBuilder;
-import org.springframework.web.util.UriUtils;
-
-import com.google.common.base.Strings;
-import com.google.common.collect.Iterables;
-import com.nimbusds.jwt.JWT;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.JWTParser;
-
-/**
- * Implementation of the End Session Endpoint from OIDC session management
- * 
- * @author jricher
- *
- */
-@Controller
-public class EndSessionEndpoint {
-
-	public static final String URL = "endsession";
-	
-	private static final String CLIENT_KEY = "client";
-	private static final String STATE_KEY = "state";
-	private static final String REDIRECT_URI_KEY = "redirectUri";
-
-	private static Logger logger = LoggerFactory.getLogger(EndSessionEndpoint.class);
-	
-	@Autowired
-	private SelfAssertionValidator validator;
-	
-	@Autowired
-	private UserInfoService userInfoService;
-	
-	@Autowired
-	private ClientDetailsEntityService clientService;
-	
-	@RequestMapping(value = "/" + URL, method = RequestMethod.GET)
-	public String endSession(@RequestParam (value = "id_token_hint", required = false) String idTokenHint,  
-		    @RequestParam (value = "post_logout_redirect_uri", required = false) String postLogoutRedirectUri,
-		    @RequestParam (value = STATE_KEY, required = false) String state,
-		    HttpServletRequest request,
-		    HttpServletResponse response,
-		    HttpSession session,
-		    Authentication auth, Model m) {
-
-		// conditionally filled variables
-		JWTClaimsSet idTokenClaims = null; // pulled from the parsed and validated ID token
-		ClientDetailsEntity client = null; // pulled from ID token's audience field
-		
-		if (!Strings.isNullOrEmpty(postLogoutRedirectUri)) {
-			session.setAttribute(REDIRECT_URI_KEY, postLogoutRedirectUri);
-		}
-		if (!Strings.isNullOrEmpty(state)) {
-			session.setAttribute(STATE_KEY, state);
-		}
-		
-		// parse the ID token hint to see if it's valid
-		if (!Strings.isNullOrEmpty(idTokenHint)) {
-			try {
-				JWT idToken = JWTParser.parse(idTokenHint);
-				
-				if (validator.isValid(idToken)) {
-					// we issued this ID token, figure out who it's for
-					idTokenClaims = idToken.getJWTClaimsSet();
-					
-					String clientId = Iterables.getOnlyElement(idTokenClaims.getAudience());
-					
-					client = clientService.loadClientByClientId(clientId);
-					
-					// save a reference in the session for us to pick up later
-					//session.setAttribute("endSession_idTokenHint_claims", idTokenClaims);
-					session.setAttribute(CLIENT_KEY, client);
-				}
-			} catch (ParseException e) {
-				// it's not a valid ID token, ignore it
-				logger.debug("Invalid id token hint", e);
-			} catch (InvalidClientException e) {
-				// couldn't find the client, ignore it
-				logger.debug("Invalid client", e);
-			}
-		}
-		
-		// are we logged in or not?
-		if (auth == null || !request.isUserInRole("ROLE_USER")) {
-			// we're not logged in anyway, process the final redirect bits if needed
-			return processLogout(null, request, response, session, auth, m);
-		} else {
-			// we are logged in, need to prompt the user before we log out
-		
-			// see who the current user is
-			UserInfo ui = userInfoService.getByUsername(auth.getName()); 
-			
-			if (idTokenClaims != null) {
-				String subject = idTokenClaims.getSubject();
-				// see if the current user is the same as the one in the ID token
-				// TODO: should we do anything different in these cases?
-				if (!Strings.isNullOrEmpty(subject) && subject.equals(ui.getSub())) {
-					// it's the same user
-				} else { 
-					// it's not the same user
-				}
-			}
-
-			m.addAttribute("client", client);
-			m.addAttribute("idToken", idTokenClaims);
-			
-			// display the log out confirmation page
-			return "logoutConfirmation";
-		}
-	}
-	
-	@RequestMapping(value = "/" + URL, method = RequestMethod.POST)
-	public String processLogout(@RequestParam(value = "approve", required = false) String approved,
-			HttpServletRequest request,
-			HttpServletResponse response,
-		    HttpSession session,
-		    Authentication auth, Model m) {
-
-		String redirectUri = (String) session.getAttribute(REDIRECT_URI_KEY);
-		String state = (String) session.getAttribute(STATE_KEY);
-		ClientDetailsEntity client = (ClientDetailsEntity) session.getAttribute(CLIENT_KEY);
-		
-		if (!Strings.isNullOrEmpty(approved)) {
-			// use approved, perform the logout
-			if (auth != null){    
-				new SecurityContextLogoutHandler().logout(request, response, auth);
-			}
-			SecurityContextHolder.getContext().setAuthentication(null);
-			// TODO: hook into other logout post-processing
-		}
-		
-		// if the user didn't approve, don't log out but hit the landing page anyway for redirect as needed
-
-		
-		
-		// if we have a client AND the client has post-logout redirect URIs
-		// registered AND the URI given is in that list, then...
-		if (!Strings.isNullOrEmpty(redirectUri) && 
-			client != null && client.getPostLogoutRedirectUris() != null) {
-			
-			if (client.getPostLogoutRedirectUris().contains(redirectUri)) {
-				// TODO: future, add the redirect URI to the model for the display page for an interstitial
-				// m.addAttribute("redirectUri", postLogoutRedirectUri);
-				
-				UriComponents uri = UriComponentsBuilder.fromHttpUrl(redirectUri).queryParam("state", state).build();
-				
-				return "redirect:" + uri;
-			}
-		}
-		
-		// otherwise, return to a nice post-logout landing page
-		return "postLogout";
-	}
-
-}

perun-oidc-server-webapp/pom.xml

@@ -19,67 +19,30 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<parent>
-		<groupId>org.mitre</groupId>
-		<artifactId>openid-connect-parent</artifactId>
+		<groupId>cz.muni.ics</groupId>
+		<artifactId>perun-oidc-parent</artifactId>
 		<version>2.0.0</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 
-	<artifactId>openid-connect-server-webapp</artifactId>
+	<artifactId>perun-oidc-server-webapp</artifactId>
 	<packaging>war</packaging>
-	<name>OpenID Connect Server Webapp</name>
 
-	<build>
-		<plugins>
-			<plugin>
-				<groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-compiler-plugin</artifactId>
-				<configuration>
-					<source>${java-version}</source>
-					<target>${java-version}</target>
-				</configuration>
-			</plugin>
-			<plugin>
-				<groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-war-plugin</artifactId>
-				<configuration>
-					<warName>openid-connect-server-webapp</warName>
-					<webResources>
-						<resource>
-							<directory>src/main/webapp</directory>
-							<filtering>true</filtering>
-							<includes>
-								<include>**/*.tag</include>
-								<include>**/*.jsp</include>
-							</includes>
-						</resource>
-						<resource>
-							<directory>src/main/webapp</directory>
-							<filtering>false</filtering>
-							<excludes>
-								<exclude>**/*.tag</exclude>
-								<exclude>**/*.jsp</exclude>
-							</excludes>
-						</resource>
-					</webResources>
-					<packagingExcludes>less/**</packagingExcludes>
-				</configuration>
-			</plugin>
-			<plugin>
-				<groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-dependency-plugin</artifactId>
-				<executions>
-					<execution>
-						<id>install</id>
-						<phase>install</phase>
-						<goals>
-							<goal>sources</goal>
-						</goals>
-					</execution>
-				</executions>
-			</plugin>
-		</plugins>
-	</build>
+	<properties>
+		<config.location>/etc/perun</config.location>
+		<log.to>FILE</log.to>
+		<log.contextName>oidc</log.contextName>
+		<log.facility>LOCAL7</log.facility>
+		<log.level>info</log.level>
+		<!--suppress UnresolvedMavenProperty -->
+		<log.rolling-file>${catalina.base}/logs/${CONTEXT_NAME}</log.rolling-file>
+		<!--suppress UnresolvedMavenProperty -->
+		<log.file>${catalina.base}/logs/${CONTEXT_NAME}</log.file>
+		<log.trace.file-extension>trace</log.trace.file-extension>
+		<log.file-extension>log</log.file-extension>
+		<log.times.file-extension>times</log.times.file-extension>
+		<final.name>oidc</final.name>
+	</properties>
 
 	<dependencies>
 		<dependency>
@@ -112,7 +75,78 @@
 			<groupId>com.zaxxer</groupId>
 			<artifactId>HikariCP</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>cz.muni.ics</groupId>
+			<artifactId>perun-oidc-server</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security.extensions</groupId>
+			<artifactId>spring-security-saml2-core</artifactId>
+		</dependency>
 	</dependencies>
 
-	<description>Deployable package of the OpenID Connect server</description>
+	<build>
+		<finalName>${final.name}</finalName>
+		<resources>
+			<resource>
+				<directory>src/main/resources</directory>
+				<filtering>true</filtering>
+				<includes>
+					<include>logback.xml</include>
+					<include>**/*</include>
+				</includes>
+			</resource>
+		</resources>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<configuration>
+					<source>${java-version}</source>
+					<target>${java-version}</target>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-war-plugin</artifactId>
+				<configuration>
+					<warName>openid-connect-server-webapp</warName>
+					<webResources>
+						<resource>
+							<directory>src/main/webapp</directory>
+							<filtering>true</filtering>
+							<includes>
+								<include>**/*.tag</include>
+								<include>**/*.jsp</include>
+								<include>WEB-INF/user-context.xml</include>
+							</includes>
+						</resource>
+						<resource>
+							<directory>src/main/webapp</directory>
+							<filtering>false</filtering>
+							<excludes>
+								<exclude>**/*.tag</exclude>
+								<exclude>**/*.jsp</exclude>
+							</excludes>
+						</resource>
+					</webResources>
+					<packagingExcludes>less/**</packagingExcludes>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-dependency-plugin</artifactId>
+				<executions>
+					<execution>
+						<id>install</id>
+						<phase>install</phase>
+						<goals>
+							<goal>sources</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+
 </project>

perun-oidc-server-webapp/src/main/resources/db/oracle/entity-mappings_oracle.xml

@@ -20,7 +20,7 @@
 
     <description>OpenID Connect Server entities</description>
 
-    <entity class="org.mitre.oauth2.model.AuthenticationHolderEntity" name="AuthenticationHolderEntity">
+    <entity class="cz.muni.ics.oauth2.model.AuthenticationHolderEntity" name="AuthenticationHolderEntity">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -33,7 +33,7 @@
                 <collection-table name="auth_holder_authority">
                     <join-column name="owner_id"/>
                 </collection-table>
-                <convert converter="org.mitre.oauth2.model.convert.SimpleGrantedAuthorityStringConverter"/>
+                <convert converter="cz.muni.ics.oauth2.model.convert.SimpleGrantedAuthorityStringConverter"/>
                 <column name="authority"/>
             </element-collection>
             <!-- table name too long: authentication_holder_resource_id -->
@@ -57,7 +57,7 @@
                 </collection-table>
                 <column name="val"/>
                 <map-key-column name="extension"/>
-                <convert converter="org.mitre.oauth2.model.convert.SerializableStringConverter"/>
+                <convert converter="cz.muni.ics.oauth2.model.convert.SerializableStringConverter"/>
             </element-collection>
             <!-- table name too long: authentication_holder_request_parameter -->
             <element-collection fetch="EAGER" name="requestParameters">
@@ -70,7 +70,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.oauth2.model.AuthorizationCodeEntity" name="AuthorizationCodeEntity">
+    <entity class="cz.muni.ics.oauth2.model.AuthorizationCodeEntity" name="AuthorizationCodeEntity">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -81,7 +81,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.oauth2.model.ClientDetailsEntity" name="ClientDetailsEntity">
+    <entity class="cz.muni.ics.oauth2.model.ClientDetailsEntity" name="ClientDetailsEntity">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -92,27 +92,27 @@
             <!-- column name too long: user_info_encrypted_response_alg -->
             <basic name="userInfoEncryptedResponseAlg">
                 <column name="user_info_encrypted_resp_alg"/>
-                <convert converter="org.mitre.oauth2.model.convert.JWEAlgorithmStringConverter"/>
+                <convert converter="cz.muni.ics.oauth2.model.convert.JWEAlgorithmStringConverter"/>
             </basic>
             <!-- column name too long: user_info_encrypted_response_enc -->
             <basic name="userInfoEncryptedResponseEnc">
                 <column name="user_info_encrypted_resp_enc"/>
-                <convert converter="org.mitre.oauth2.model.convert.JWEEncryptionMethodStringConverter"/>
+                <convert converter="cz.muni.ics.oauth2.model.convert.JWEEncryptionMethodStringConverter"/>
             </basic>
             <!-- column name too long: id_token_encrypted_response_alg -->
             <basic name="idTokenEncryptedResponseAlg">
                 <column name="id_token_encrypted_resp_alg"/>
-                <convert converter="org.mitre.oauth2.model.convert.JWEAlgorithmStringConverter"/>
+                <convert converter="cz.muni.ics.oauth2.model.convert.JWEAlgorithmStringConverter"/>
             </basic>
             <!-- column name too long: id_token_encrypted_response_enc -->
             <basic name="idTokenEncryptedResponseEnc">
                 <column name="id_token_encrypted_resp_enc"/>
-                <convert converter="org.mitre.oauth2.model.convert.JWEEncryptionMethodStringConverter"/>
+                <convert converter="cz.muni.ics.oauth2.model.convert.JWEEncryptionMethodStringConverter"/>
             </basic>
             <!-- column name too long: token_endpoint_auth_signing_alg -->
             <basic name="tokenEndpointAuthSigningAlg">
                 <column name="token_endpoint_auth_sign_alg"/>
-                <convert converter="org.mitre.oauth2.model.convert.JWSAlgorithmStringConverter"/>
+                <convert converter="cz.muni.ics.oauth2.model.convert.JWSAlgorithmStringConverter"/>
             </basic>
             <!-- table name too long: client_post_logout_redirect_uri -->
             <element-collection fetch="EAGER" name="postLogoutRedirectUris">
@@ -124,7 +124,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.oauth2.model.OAuth2AccessTokenEntity" name="OAuth2AccessTokenEntity">
+    <entity class="cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity" name="OAuth2AccessTokenEntity">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -135,7 +135,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.oauth2.model.OAuth2RefreshTokenEntity" name="OAuth2RefreshTokenEntity">
+    <entity class="cz.muni.ics.oauth2.model.OAuth2RefreshTokenEntity" name="OAuth2RefreshTokenEntity">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -146,7 +146,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.oauth2.model.SavedUserAuthentication" name="SavedUserAuthentication">
+    <entity class="cz.muni.ics.oauth2.model.SavedUserAuthentication" name="SavedUserAuthentication">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -157,7 +157,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.oauth2.model.SystemScope" name="SystemScope">
+    <entity class="cz.muni.ics.oauth2.model.SystemScope" name="SystemScope">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -168,7 +168,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.openid.connect.model.ApprovedSite" name="ApprovedSite">
+    <entity class="cz.muni.ics.openid.connect.model.ApprovedSite" name="ApprovedSite">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -179,7 +179,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.openid.connect.model.BlacklistedSite" name="BlacklistedSite">
+    <entity class="cz.muni.ics.openid.connect.model.BlacklistedSite" name="BlacklistedSite">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -190,7 +190,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.openid.connect.model.PairwiseIdentifier" name="PairwiseIdentifier">
+    <entity class="cz.muni.ics.openid.connect.model.PairwiseIdentifier" name="PairwiseIdentifier">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -201,7 +201,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.openid.connect.model.WhitelistedSite" name="WhitelistedSite">
+    <entity class="cz.muni.ics.openid.connect.model.WhitelistedSite" name="WhitelistedSite">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -212,7 +212,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.uma.model.Claim" name="Claim">
+    <entity class="cz.muni.ics.uma.model.Claim" name="Claim">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -223,7 +223,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.uma.model.Permission" name="Permission">
+    <entity class="cz.muni.ics.uma.model.Permission" name="Permission">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -234,7 +234,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.uma.model.PermissionTicket" name="PermissionTicket">
+    <entity class="cz.muni.ics.uma.model.PermissionTicket" name="PermissionTicket">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -245,7 +245,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.uma.model.Policy" name="Policy">
+    <entity class="cz.muni.ics.uma.model.Policy" name="Policy">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -256,7 +256,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.uma.model.ResourceSet" name="ResourceSet">
+    <entity class="cz.muni.ics.uma.model.ResourceSet" name="ResourceSet">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -267,7 +267,7 @@
         </attributes>
     </entity>
 
-    <entity class="org.mitre.uma.model.SavedRegisteredClient" name="SavedRegisteredClient">
+    <entity class="cz.muni.ics.uma.model.SavedRegisteredClient" name="SavedRegisteredClient">
         <attributes>
             <!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
             <id name="id">
@@ -278,4 +278,4 @@
         </attributes>
     </entity>
 
-</entity-mappings>
+</entity-mappings>

perun-oidc-server-webapp/src/main/resources/localization/cs.properties

@@ -0,0 +1,173 @@
+#CONSENT
+yes=Ano, akceptuji
+no=Ne, neakceptuji
+login=Login
+consent_privacy_policy=Zásady zpracování osobních údajů pro službu
+consent_header=Obsah odesílaných osobních informací službě
+consent_title=Obsah odesílaných osobních informací službě
+remember=Příště se již neptat
+
+#APPROVE_DEVICE
+device_approve_privacy=Bezpečnostní politika služby
+device_approve_header=Schválení přístupu k Vašim datům
+device_approve_title=Schválení přístupu k Vašim datům
+
+#DEVICE_APPROVED
+device_approved_approved=Zařížení bylo autorizováno
+device_approved_rejected=Zařízení byl odmítnut přístup
+device_approved_title=Autorizace zařízení dokončena
+device_approved_text_approved_start=Zařízení bylo úspěšně autorizováno. Nyní můžete pokračovat ke službě
+device_approved_text_approved_end=na Vašem zařízení. Tahle stránka může být zavřena.
+device_approved_text_rejected_start=Zařízení byl odmítnut přístup ke službě
+device_approved_text_rejected_end=Jestli jste tak nechtěli učinit, zahajte proces autorizace od začátku. Tahle stránka může být zavřena.
+
+
+#REQUEST USER CODE
+request_code_title=Zadejte autorizační kód zařízení
+request_code_header=Zadejte autorizační kód zařízení
+user_code_empty_or_not_found=Nebyl zadán žádný kód anebo zadanej kód je nesprávný.
+user_code_expired=Platnost použitého kódu vypršela. Prosíme, vyžádejte si nový a opakujte proces.
+user_code_already_approved=Zadaný kód už byl použit. Prosíme, vyžádejte si nový a opakujte proces.
+user_code_mismatch=Zadaný kód nebyl rozpoznán. Prosíme, ověřte že jste zadali správný kód.
+user_code_error=Vyskytla se chyba pri zpracování Vašeho požadavku. Zkuste jej zopakovat.
+user_code_submit=Pokračovat
+user_code_info=Zadejte autorizační kód zobrazen na zařízení z kterého se snažíte přihlásit.
+code=Kód
+
+#IsTestSpWarning
+is_test_sp_warning_title=Varování - služba je testovací
+is_test_sp_warning_header=Varování
+is_test_sp_warning_text=Přistupujete ke službě, která je v testovacím režimu.
+is_test_sp_warning_continue=Pokračovat
+
+#CLAIMS AND SCOPES
+no_scopes=Žádné data nebudou odeslány
+openid=Identifikátor uživatele na službě
+sub=Identifikátor uživatele
+profile=Profil uživatele
+email=Email
+address=Adresa
+phone=Telefonní číslo
+offline_access=Offline přístup
+perun_api=Volání Perun API ve jménu uživatele
+groupNames=Jména skupin ve kterých je uživatel členem
+eduPersonEntitlement=Oprávnění
+permissions_ega=Povolení pro EGA datasety
+permissions_rems=Povolení pro REMS datasety
+forwardedScopedAffiliations=Vztah k domovské(ým) organizaci(cím)
+bona_fide_status=Bona fide status
+country=Krajina
+ga4gh=Global Alliance For Genomics and Health
+eppns=Identifikátory osoby v organizaci
+name=Jméno uživatele
+preferred_username=Uživatelské jméno
+given_name=Křestní jméno
+middle_name=Střední jméno
+family_name=Příjmení
+locale=Jazyk
+zoneinfo=Zóna
+phone_number=Telefon
+
+#UNAPPROVED
+contact_p=V případě nejasností nás kontaktujte na
+403_header=Přístup odmítnut
+403_text=Nemáte dostatečná práva pro přístup ke službě:
+403_informationPage=Pro více informací o službě navštivte
+403_contactSupport=Pokud si myslíte že máte mít přístup, kontaktujte administrátora:
+403_subject=Problém s přihlášením do služby
+403_isCesnetEligible_notSet_hdr=Přístup zamítnut
+403_isCesnetEligible_notSet_msg=Přístup ke službě zamítnut, protože Váš účet není z české akademické instituce. Přihlaste se, prosím, pomocí svého účtu u akademické instituce.<br/><a class="mt-2 cw btn btn-primary btn-lg btn-block" href="%%TARGET%%">Znovu přihlásit</a>
+403_isCesnetEligible_expired_hdr=Přístup zamítnut
+403_isCesnetEligible_expired_msg=Přístup ke službě zamítnut, protože plynula doba 12 měsíců od Vašeho posledního přihlášení účtem z české akademické instituce. Přihlaste se, prosím, pomocí svého účtu u akademické instituce.<br/><a class="mt-2 cw btn btn-lg btn-primary btn-block" href="%%TARGET%%">Znovu přihlásit</a>
+403_ensure_vo_hdr=Přístup zamítnut
+403_ensure_vo_msg=Nemáte dostatečná práva pro přístup ke službě
+403_authorization_hdr=Přístup zamítnut
+403_authorization_msg=Tato stránka se Vám zobrazuje, protože nemáte přístup ke službě. To může být důsledkem přístupových omezení nastavených administrátorem.
+403_not_in_test_vos_groups_hdr=Přístup zamítnut
+403_not_in_test_vos_groups_msg=Tato stránka se Vám zobrazuje, protože nemáte přístup k testovacím službám AAI.
+403_not_in_prod_vos_groups_hdr=Přístup zamítnut
+403_not_in_prod_vos_groups_msg=Tato stránka se Vám zobrazuje, protože nemáte přístup ke službám AAI.
+403_not_in_mandatory_vos_groups_hdr=Přístup zamítnut
+403_not_in_mandatory_vos_groups_msg=Tato stránka se Vám zobrazuje, protože Vaše požadované členství v organizaci je nevalidní.
+403_not_logged_in_hdr=Přístup zamítnut
+403_not_logged_in_msg=Zdá se, že přihlášení selhalo. Zkuste, prosím, zavřít Váš prohlížeč a přihlásit se znovu.
+
+#GO TO REGISTRATION
+go_to_registration_title=Je vyžadována Vaše aktivita
+go_to_registration_header1=Pro přístup ke službě
+go_to_registration_header2=je vyžadována Vaše aktivita
+go_to_registration_continue=Pokračovat na stránku s doplňujícími informacemi
+
+#REGISTRATION
+registration_title=Registrace pro přístup ke službě
+registration_header1=Přístup ke službě
+registration_header2=byl zamítnut
+registration_message=Pro získání přístupu k dané službě je nutné být členem jedné z následujících skupin. Pokračujte výběrem příslušné organizace a skupiny.
+registration_select_vo=Vyberte virtuální organizaci:
+registration_select_group=Vyberte skupinu pro registraci:
+registration_continue=Pokračovat na registrační stránku do vybrané skupiny
+
+#CESNET footer specific
+footer_other_projects=OSTATNÍ PROJEKTY
+footer_helpdesk=HELPDESK
+
+#AUP
+aup_header=Formulář s podmínkami užití
+must_agree_aup=Pro pokračování musíte souhlasit s následujícími podmínkami užití:
+org_vo=Organizace / Virtuální Organizace
+see_aup=Prohlédněte si podmínky užití ve verzi
+here=zde.
+agree_aup=Souhlasím s podmínkami užití
+
+#MUNI header specific
+unif_login="Přihlášení na MU"
+go_to_login_title=Přejít k přihlášení (Klávesová zkratka: Alt + 2)
+go_to_login_text=Přejít k přihlášení
+language=Česky
+img_name=sso
+img_width=180
+img_height=34
+other_lang=en
+other_language=English
+muni_logo=MUNI Jednotné přihlášení
+
+#MUNI footer specific
+masaryk_university=&copy; Masarykova univerzita
+service=Službu
+unified_login=Jednotné přihlášení na MU
+provided=zajišťuje
+ics=Ústav výpočetní techniky MU
+
+#Logout
+logout.confirmation.submit=Odhlásit
+logout.confirmation.deny=Zůstat přihlášen(a)
+logout.confirmation.header=Potvrzení odhlášení
+logout.confirmation.explanation=Skutečně se chcete odhlásit od poskytovatele identity?
+
+#Continue in ensure_vo
+continue_direct_title=Přesměrování na registraci
+continue_direct_header=Budete přesměrován(a)
+continue_direct_heading=Zaregistrujte se pro získaní přístupu
+continue_direct_text=Nemáte dostatečná oprávnení po přístup ke službě. Kliknutím na tlačítko níže, budete přesměrován(a) na registraci pro získání přístupu.
+continue_direct_btn=Pokračovat
+
+# SAML Logout Success (/logout_success)
+logout_success_title=Odhlášení proběhlo úspěšně
+logout_success_header=Odhlášení proběhlo úspěšně
+logout_success_msg=Byl(a) jste úspěšně odhlášen(a).
+
+# SAML Login Failure (/login_failure)
+login_failure_title=Problém s přihlášením
+login_failure_header=Problém s přihlášením
+login_failure_msg=Ups! Zdá se, že jsme Vás nemohli přihlásit. Zkuste to znovu.
+login_failure_contact_us=Pokud problém přetrvává, kontaktuje nás na
+
+# SAML Login Success (/login_success)
+login_success_title=Přihlášení proběhlo úspěšně
+login_success_header=Přihlášení proběhlo úspěšně
+login_success_msg=Byl(a) jste úspěšně přihlášen(a), avšak neregistrujeme žádnou službu, na kterou jste se pokoušel(a) přistoupit.
+
+# Logout denied (endsession endpoint with clicking NO)
+logout_denied_title=Odhlášení zrušeno
+logout_denied_header=Odhlášení zrušeno
+logout_denied_msg=Proces odhlášení byl zastaven.

perun-oidc-server-webapp/src/main/resources/localization/en.properties

@@ -0,0 +1,172 @@
+#CONSENT
+yes=Yes, continue
+no=No, cancel
+login=login
+consent_privacy_policy=Privacy policy for the service
+consent_header=Consent about releasing personal information to service
+consent_title=Consent about releasing personal information to service
+remember=Do not ask again
+
+#APPROVE_DEVICE
+device_approve_privacy=Privacy policy for the service
+device_approve_header=Approve device to access your data
+device_approve_title=Approve device to access your data
+
+#DEVICE_APPROVED
+device_approved_approved=The device has been authorized.
+device_approved_rejected=The device has been rejected authorization.
+device_approved_title=Device approval result
+device_approved_text_approved_start=The device has been successfully authorized. You can now access the service
+device_approved_text_approved_end=on your device. You may now close this page.
+device_approved_text_rejected_start=The device has been denied access to the service
+device_approved_text_rejected_end=If you did not intend to do this, start the authorization process again. You may now close this page.
+
+#REQUEST USER CODE
+request_code_title=Enter the device authorization code
+request_code_header=Enter the device authorization code
+user_code_empty_or_not_found=No authorization code has been provided or it has not been recognized.
+user_code_expired=The authorization code you have used has expired. Please request a new one and restart the process.
+user_code_already_approved=The authorization code you have used has been already used. Please request a new one and restart the process.
+user_code_mismatch=The code you have used has not been recognized. Please verify your input.
+user_code_error=An error has occurred while processing your request. Please try it again.
+user_code_submit=Submit
+user_code_info=Enter the code displayed on the device you are trying to authenticate on.
+code=Code
+
+#IsTestSpWarning
+is_test_sp_warning_title=Warning - test service
+is_test_sp_warning_header=Warning
+is_test_sp_warning_text=You are about to access service, which is in testing environment.
+is_test_sp_warning_continue=Continue
+
+
+#CLAIMS AND SCOPES
+no_scopes=No data will be released
+sub=Identifier of user
+openid=Identifier of user on a service
+profile=Profile
+email=Email
+address=Adress
+phone=Phone number
+offline_access=Offline access
+perun_api=Calls to Perun API in the name of user
+groupNames=Names of groups that user is member of
+eduPersonEntitlement=Entitlement
+permissions_ega=Permissions for EGA datasets
+permissions_rems=Permissions for REMS datasets
+forwardedScopedAffiliations=Home organization affiliation
+bona_fide_status=Bona fide status
+country=Country
+eppns=Person principal names
+name=Name of user
+preferred_username=Username
+given_name=Given name
+middle_name=Middle name
+family_name=Family name
+locale=Language
+zoneinfo=Zone
+phone_number=Phone
+
+#UNAPPROVED
+contact_p=In case of any questions, do not hesitate to contact us at
+403_header=Access forbidden
+403_text=You don't meet the prerequisites for accessing the service:
+403_informationPage=For more information about this service please visit this
+403_contactSupport=If you think you should have an access contact service operator at
+403_subject=Problem with login to service:
+403_isCesnetEligible_notSet_hdr=Access denied
+403_isCesnetEligible_notSet_msg=Your account is not from Czech academic institution. Please log in with your account from academic institution.<a class="mt-2 cw btn btn-primary btn-lg btn-block" href="%%TARGET%%">Log in again</a>
+403_isCesnetEligible_expired_hdr=Access denied
+403_isCesnetEligible_expired_msg=Your last login, from Czech academic institution, has been registered 12 months ago. Please sign in with your account from academic institution.<a class="mt-2 cw btn btn-primary btn-lg btn-block" href="%%TARGET%%">Log in again</a>
+403_ensure_vo_hdr=Access denied
+403_ensure_vo_msg=You don't meet the prerequisites to access the service.
+403_authorization_hdr=Access denied
+403_authorization_msg=You see this page because you are not allowed to access the service. This situation can be a result of the access restrictions that the service administrator has set up.
+403_not_in_test_vos_groups_hdr=Access denied
+403_not_in_test_vos_groups_msg=You see this page because you are not allowed to access AAI's testing services.
+403_not_in_prod_vos_groups_hdr=Access denied
+403_not_in_prod_vos_groups_msg=You see this page because you are not allowed to access AAI's services.
+403_not_in_mandatory_vos_groups_hdr=Access denied
+403_not_in_mandatory_vos_groups_msg=You are seeing this page because your membership in the required organizational units is invalid.
+403_not_logged_in_hdr=Access denied
+403_not_logged_in_msg=It appears the login process has failed. Please close your browser and try to log in again.
+
+#GO TO REGISTRATION
+go_to_registration_title=Your activity is necessary
+go_to_registration_header1=Your activity is necessary to access the
+go_to_registration_header2=service
+go_to_registration_continue=Continue to a page with additional information
+
+#REGISTRATION
+registration_title=Registration for access to the service
+registration_header1=Access to the service
+registration_header2=has been forbidden
+registration_message=To access the service it is necessary to have a valid membership in one of the following groups. Please proceed with selection of organization and group for registration.
+registration_select_vo=Select virtual organization for registration:
+registration_select_group=Select group for registration:
+registration_continue=Continue to the registration page for selected group
+
+#CESNET footer specific
+footer_other_projects=OTHER CESNET PROJECTS
+footer_helpdesk=HELPDESK
+
+#AUP
+aup_header=Acceptable Usage Policy form
+must_agree_aup=You must agree to the following acceptable usage policies:
+org_vo=Organization / Virtual Organization
+see_aup=See the acceptable usage policy in version
+here=here.
+agree_aup=I agree with the acceptable usage policy
+
+#MUNI header specific
+unif_login=Unified MU login
+go_to_login_title=Go to login (Shortcut: Alt + 2)
+go_to_login_text=Go to login
+language=English
+img_name=sso-en
+img_width=160
+img_height=35
+other_lang=cs
+other_language=Česky
+muni_logo=MUNI Unified login
+
+#MUNI footer specific
+masaryk_university=&copy; Masaryk University
+service=The service
+unified_login=Unified MU login
+provided=is provided by
+ics=Institute of Computer Science
+
+#Logout
+logout.confirmation.submit=Log Out
+logout.confirmation.deny=Stay Logged In
+logout.confirmation.header=Confirm logout
+logout.confirmation.explanation=Do you want to log out of the identity provider?
+
+#Continue in ensure_vo
+continue_direct_title=Redirect to registration
+continue_direct_header=You will be redirected
+continue_direct_heading=Register to get access
+continue_direct_text=You don't meet the prerequisites to access the service. By clicking the button below, you will be redirected to a registration page, where you can apply for access.
+continue_direct_btn=Continue
+
+# SAML Logout Success (/logout_success)
+logout_success_title=Logout success
+logout_success_header=Logout success
+logout_success_msg=You have been successfully logged out.
+
+# SAML Login Failure (/login_failure)
+login_failure_title=Login failure
+login_failure_header=Login error
+login_failure_msg=Ooops! It seems like an error during the login. Please try to log in again.
+login_failure_contact_us=If the problem persists, contact us at
+
+# SAML Login Success (/login_success)
+login_success_title=Login success
+login_success_header=Login success
+login_success_msg=You have successfully logged in. However, it seems we have no service to forward you to.
+
+# Logout denied (endsession endpoint with clicking NO)
+logout_denied_title=Logout denied
+logout_denied_header=Logout canceled
+logout_denied_msg=You have canceled the logout process.

perun-oidc-server-webapp/src/main/resources/log4j.xml

@@ -32,28 +32,28 @@
 	</appender>
 
 	<!-- Application Loggers -->
-	<logger name="org.mitre.openid">
+	<logger name="cz.muni.ics.openid">
 		<level value="info" />
 	</logger>
-	<logger name="org.mitre.oauth2">
+	<logger name="cz.muni.ics.oauth2">
 		<level value="info" />
 	</logger>
-	<logger name="org.mitre.discovery">
+	<logger name="cz.muni.ics.discovery">
 		<level value="info" />
 	</logger>
-	<logger name="org.mitre.jose">
+	<logger name="cz.muni.ics.jose">
 		<level value="info" />
 	</logger>
-	<logger name="org.mitre.jwt">
+	<logger name="cz.muni.ics.jwt">
 		<level value="info" />
 	</logger>
-	<logger name="org.mitre.util">
+	<logger name="cz.muni.ics.util">
 		<level value="info" />
 	</logger>
-	<logger name="org.mitre.uma">
+	<logger name="cz.muni.ics.uma">
 		<level value="info" />
 	</logger>
-	<logger name="org.mitre.data">
+	<logger name="cz.muni.ics.data">
 		<level value="info" />
 	</logger>
 

perun-oidc-server-webapp/src/main/resources/logback.xml

@@ -0,0 +1,58 @@
+<configuration packagingData="true" debug="false" scan="false" scanPeriod="30 seconds">
+	<contextName>${log.contextName}</contextName>
+	<property name="PATTERN"
+			  value='%d{"yyyy-MM-dd HH:mm:ss.SSS"} %X{remoteAddr} [%X{sessionID}]: %-5level %logger{40} - %m%n%xException'/>
+	<property name="PATTERN_SYSLOG"
+			  value='%X{remoteAddr} [%X{sessionID}] %cn: %-5level %logger{40} - %m%n%xException'/>
+
+	<!-- ROLLING FILE -->
+	<appender name="ROLLING_FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
+		<file>${log.rolling-file}.${log.file-extension}</file>
+		<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+			<fileNamePattern>${log.rolling-file}.${log.file-extension}.%d{yyyy-MM-dd}</fileNamePattern>
+		</rollingPolicy>
+		<encoder>
+			<pattern>${PATTERN}</pattern>
+		</encoder>
+	</appender>
+
+	<!-- FILE -->
+	<appender name="FILE" class="ch.qos.logback.core.FileAppender">
+		<file>${log.file}.${log.file-extension}</file>
+		<encoder>
+			<pattern>${PATTERN}</pattern>
+		</encoder>
+	</appender>
+
+	<!-- SYSLOG -->
+	<appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
+		<!-- PASSED FROM POM.XML / MAVEN BUILD PROPS -->
+		<facility>${log.facility}</facility>
+		<throwableExcluded>true</throwableExcluded>
+		<suffixPattern>${PATTERN_SYSLOG}</suffixPattern>
+	</appender>
+
+	<root level="${log.level}">
+		<appender-ref ref="${log.to}"/>
+	</root>
+
+	<!-- keep Spring quiet -->
+	<logger name="org.springframework" level="warn"/>
+	<logger name="org.springframework.security.core.SpringSecurityCoreVersion" level="info"/>
+	<logger name="cz.muni.ics.openid.connect.config.JsonMessageSource" level="warn"/>
+	<logger name="org.apache" level="warn"/>
+	<logger name="org.apache.directory" level="warn"/>
+	<logger name="org.apache.directory.ldap.client.api.LdapNetworkConnection" level="error"/>
+	<logger name="com.zaxxer.hikari" level="warn"/>
+	<logger name="cz.muni.ics" level="info"/>
+	<logger name="org.opensaml" level="info"/>
+	<logger name="org.springframework.security.saml" level="debug"/>
+	<logger name="PROTOCOL_MESSAGE" level="warn"/>
+	<!-- PASSED FROM POM.XML / MAVEN BUILD PROPS -->
+	<logger name="cz.muni.ics.oidc" level="${log.level}"/>
+	<logger name="cz.muni.ics.oidc.aop.WebLoggingAspect" level="debug"/>
+	<logger name="cz.muni.ics.oidc.aop.ExecutionTimeLoggingAspect" level="trace"/>
+	<logger name="cz.muni.ics.openid.connect.web.EndSessionEndpoint" level="${log.level}"/>
+	<logger name="net.javacrumbs.shedlock" level="error"/>
+
+</configuration>

perun-oidc-server-webapp/src/main/resources/web_classes/web_html_classes.properties

@@ -0,0 +1,4 @@
+perun-attrname.h2.class=h4 oh mb-0 mt-0
+perun-attrname.label.class=h4 mb-0 mt-0
+perun-attrcontainer.ul.class=
+perun-attrlist.h3.class=h5 mb-0 mt-0

perun-oidc-server-webapp/src/main/webapp/WEB-INF/application-context.xml

@@ -33,7 +33,7 @@
 		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
 
 	<!-- Scan for components -->
-	<context:component-scan annotation-config="true" base-package="org.mitre" />
+	<context:component-scan annotation-config="true" base-package="cz.muni.ics" />
 
 	<!-- Enables the Spring MVC @Controller programming model -->
 	<tx:annotation-driven transaction-manager="transactionManager" />
@@ -44,23 +44,23 @@
 		</mvc:message-converters>
 	</mvc:annotation-driven>
 
-	<bean id="userInfoInterceptor" class="org.mitre.openid.connect.web.UserInfoInterceptor" />
-	<bean id="serverConfigInterceptor" class="org.mitre.openid.connect.web.ServerConfigInterceptor" />
+	<bean id="userInfoInterceptor" class="cz.muni.ics.openid.connect.web.UserInfoInterceptor" />
+	<bean id="serverConfigInterceptor" class="cz.muni.ics.openid.connect.web.ServerConfigInterceptor" />
 	<mvc:interceptors>
 		<mvc:interceptor>
 			<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
 			<mvc:mapping path="/**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
 			<mvc:exclude-mapping path="/resources/**" />
 			<mvc:exclude-mapping path="/token**"/>
-			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.oauth2.web.DeviceEndpoint).URL}/**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.oauth2.web.IntrospectionEndpoint).URL}**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.oauth2.web.RevocationEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**" />
 					 
 			<!-- Inject the UserInfo into the response -->
 			<ref bean="userInfoInterceptor"/>
@@ -68,17 +68,17 @@
 		<mvc:interceptor>
 			<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
 			<mvc:mapping path="/**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
 			<mvc:exclude-mapping path="/resources/**" />
 			<mvc:exclude-mapping path="/token**"/>
-			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.oauth2.web.DeviceEndpoint).URL}/**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.oauth2.web.IntrospectionEndpoint).URL}**" />
-			<mvc:exclude-mapping path="/#{T(org.mitre.oauth2.web.RevocationEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**" />
 			<!-- Inject the server configuration into the response -->
 			<ref bean="serverConfigInterceptor"/>
 		</mvc:interceptor>
@@ -102,7 +102,7 @@
 
 	<oauth:web-expression-handler id="oauthWebExpressionHandler" />
 
-	<bean id="mdcFilter" class="org.mitre.mdc.MultiMDCFilter"/>
+	<bean id="mdcFilter" class="cz.muni.ics.mdc.MultiMDCFilter"/>
 
 	<!-- Spring Security configuration -->
 
@@ -127,14 +127,14 @@
 	</security:http>
 
 	<!-- Allow open access to discovery endpoints -->
-	<security:http pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
-		<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
+	<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
+		<security:intercept-url pattern="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:csrf disabled="true"/>
 	</security:http>
-	<security:http pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
-		<security:intercept-url pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
+	<security:http pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
+		<security:intercept-url pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:csrf disabled="true"/>
@@ -149,7 +149,7 @@
 	</security:http>
 	
 	<!-- OAuth-protect API and other endpoints -->
-	<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
+	<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 		<security:custom-filter ref="mdcFilter" before="FIRST"/>
@@ -158,7 +158,7 @@
 		<security:csrf disabled="true"/>
 	</security:http>
 
-	<security:http pattern="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
+	<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 		<security:custom-filter ref="mdcFilter" before="FIRST"/>
@@ -167,7 +167,7 @@
 		<security:csrf disabled="true"/>
 	</security:http>
 
-	<security:http pattern="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
+	<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 		<security:custom-filter ref="mdcFilter" before="FIRST"/>
@@ -175,14 +175,14 @@
 		<security:csrf disabled="true"/>
 	</security:http>
 
- 	<security:http pattern="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
+ 	<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:custom-filter ref="mdcFilter" before="FIRST"/>
 		<security:expression-handler ref="oauthWebExpressionHandler" />
 		<security:csrf disabled="true"/>
 	</security:http>
 	
- 	<security:http pattern="/#{T(org.mitre.oauth2.web.DeviceEndpoint).URL}/**" 
+ 	<security:http pattern="/#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).URL}/**"
  		use-expressions="true" 
  		entry-point-ref="oauthAuthenticationEntryPoint" 
  		create-session="stateless"
@@ -197,7 +197,7 @@
 		<security:csrf disabled="true"/>
 	</security:http>
 	
-	<security:http pattern="/#{T(org.mitre.oauth2.web.IntrospectionEndpoint).URL}**" 
+	<security:http pattern="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**"
 			use-expressions="true" 
 			entry-point-ref="oauthAuthenticationEntryPoint" 
 			create-session="stateless"
@@ -211,7 +211,7 @@
 		<security:csrf disabled="true"/>
 	</security:http>
 
-	<security:http pattern="/#{T(org.mitre.oauth2.web.RevocationEndpoint).URL}**"
+	<security:http pattern="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**"
 			use-expressions="true" 
 			entry-point-ref="oauthAuthenticationEntryPoint" 
 			create-session="stateless"
@@ -241,7 +241,7 @@
 
 	<bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
 
-	<bean id="clientAuthMatcher" class="org.mitre.openid.connect.filter.MultiUrlRequestMatcher">
+	<bean id="clientAuthMatcher" class="cz.muni.ics.openid.connect.filter.MultiUrlRequestMatcher">
 		<constructor-arg name="filterProcessesUrls">
 			<set>
 				<value>/introspect</value>
@@ -256,7 +256,7 @@
 		<property name="requiresAuthenticationRequestMatcher" ref="clientAuthMatcher" />
 	</bean>
 	
-	<bean id="clientAssertionEndpointFilter" class="org.mitre.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
+	<bean id="clientAssertionEndpointFilter" class="cz.muni.ics.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
 		<constructor-arg name="additionalMatcher" ref="clientAuthMatcher" />
 		<property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
 	</bean>
@@ -270,7 +270,7 @@
 		<security:authentication-provider ref="clientAssertionAuthenticationProvider" />
 	</security:authentication-manager>
 	
-	<bean id="clientAssertionAuthenticationProvider" class="org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider" />
+	<bean id="clientAssertionAuthenticationProvider" class="cz.muni.ics.openid.connect.assertion.JWTBearerAuthenticationProvider" />
 
 	<!-- Configure locale information -->
 	<import resource="locale-config.xml" />

perun-oidc-server-webapp/src/main/webapp/WEB-INF/assertion-config.xml

@@ -29,16 +29,16 @@
 		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
 
 	<!-- validate incoming tokens for JWT assertions -->
-	<bean id="jwtAssertionValidator" class="org.mitre.jwt.assertion.impl.NullAssertionValidator" />
+	<bean id="jwtAssertionValidator" class="cz.muni.ics.jwt.assertion.impl.NullAssertionValidator" />
 
 	<!-- translate incoming assertions to token authorization objects -->
-	<bean id="jwtAssertionTokenFactory" class="org.mitre.oauth2.assertion.impl.DirectCopyRequestFactory" />
+	<bean id="jwtAssertionTokenFactory" class="cz.muni.ics.oauth2.assertion.impl.DirectCopyRequestFactory" />
 
 	<!-- validate client software statements for dynamic registration -->
-<!-- 	<bean id="clientAssertionValidator" class="org.mitre.jwt.assertion.impl.NullAssertionValidator" /> -->
+<!-- 	<bean id="clientAssertionValidator" class="cz.muni.ics.jwt.assertion.impl.NullAssertionValidator" /> -->
 	
 	<!-- this class will pass assertions signed by the issuers and keys in the whitelist -->
-	<bean id="clientAssertionValidator" class="org.mitre.jwt.assertion.impl.WhitelistedIssuerAssertionValidator">
+	<bean id="clientAssertionValidator" class="cz.muni.ics.jwt.assertion.impl.WhitelistedIssuerAssertionValidator">
 		<property name="whitelist">
 			<map>
 				<entry key="http://artemesia.local" value="http://localhost:8080/openid-connect-server-webapp/jwk" />
@@ -47,4 +47,4 @@
 	</bean>
 
 
-</beans>
+</beans>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/authz-config.xml

@@ -52,7 +52,7 @@
 
 	<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
 
-	<bean id="oauthRequestValidator" class="org.mitre.oauth2.token.ScopeServiceAwareOAuth2RequestValidator" />
+	<bean id="oauthRequestValidator" class="cz.muni.ics.oauth2.token.ScopeServiceAwareOAuth2RequestValidator" />
 
 	<!-- Error page handler. -->
 	<mvc:view-controller path="/error" view-name="error" />

perun-oidc-server-webapp/src/main/webapp/WEB-INF/classes/db/mysql/acrs.sql

@@ -0,0 +1,22 @@
+CREATE TABLE IF NOT EXISTS acrs (
+    id BIGINT AUTO_INCREMENT,
+    client_id VARCHAR(2048) NOT NULL,
+    sub VARCHAR(2048) NOT NULL,
+    state VARCHAR(2048) NOT NULL,
+    shib_authn_context_class VARCHAR(2048) NOT NULL,
+    expiration BIGINT NOT NULL,
+    PRIMARY KEY (id)
+);
+
+ALTER TABLE  acrs MODIFY COLUMN expiration BIGINT;
+
+CREATE TABLE IF NOT EXISTS device_code_acrs (
+    id BIGINT AUTO_INCREMENT,
+    device_code VARCHAR(2048) NOT NULL,
+    user_code VARCHAR(2048) NOT NULL,
+    shib_authn_context_class VARCHAR(2048),
+    expiration BIGINT NOT NULL,
+    PRIMARY KEY (id)
+);
+
+ALTER TABLE device_code_acrs MODIFY COLUMN expiration BIGINT;

perun-oidc-server-webapp/src/main/webapp/WEB-INF/classes/db/mysql/db_update.sql

@@ -0,0 +1,10 @@
+ALTER TABLE authentication_holder_request_parameter
+MODIFY COLUMN val TEXT;
+
+CREATE TABLE shedlock(
+    name VARCHAR(64),
+    lock_until TIMESTAMP(3) NULL,
+    locked_at TIMESTAMP(3) NULL,
+    locked_by  VARCHAR(255),
+    PRIMARY KEY (name)
+);

perun-oidc-server-webapp/src/main/webapp/WEB-INF/classes/db/mysql/scopes.sql

@@ -0,0 +1,39 @@
+--
+-- Turn off autocommit and start a transaction so that we can use the temp tables
+--
+
+SET AUTOCOMMIT = 0;
+
+START TRANSACTION;
+
+CREATE TEMPORARY TABLE IF NOT EXISTS system_scope_TEMP (
+  scope VARCHAR(256),
+  description VARCHAR(4096),
+  icon VARCHAR(256),
+  restricted BOOLEAN,
+  default_scope BOOLEAN
+);
+--
+-- Insert scope information into the temporary tables.
+-- 
+
+INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope) VALUES
+  ('openid', 'log in using your identity', 'user', false, true),
+  ('profile', 'basic profile information', 'list-alt', false, true),
+  ('email', 'email address', 'envelope', false, true),
+  ('address', 'physical address', 'home', false, true),
+  ('phone', 'telephone number', 'bell', false, true),
+  ('offline_access', 'offline access', 'time', false, false),
+  ('perun_api', 'calls to Perun API in your roles', 'cog', true, false);
+  
+--
+-- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store.
+--
+
+INSERT INTO system_scope (scope, description, icon, restricted, default_scope)
+  SELECT scope, description, icon, restricted, default_scope FROM system_scope_TEMP
+  ON DUPLICATE KEY UPDATE system_scope.scope = system_scope.scope;
+
+COMMIT;
+
+SET AUTOCOMMIT = 1;

perun-oidc-server-webapp/src/main/webapp/WEB-INF/classes/db/psql/acrs.sql

@@ -0,0 +1,12 @@
+CREATE TABLE IF NOT EXISTS acrs (
+    id BIGINT AUTO_INCREMENT,
+    client_id VARCHAR(2048) NOT NULL,
+    sub VARCHAR(2048) NOT NULL,
+    acr_values VARCHAR(2048) NOT NULL,
+    state VARCHAR(2048) NOT NULL,
+    shib_authn_context_class VARCHAR(2048) NOT NULL,
+    expiration BIGINT NOT NULL,
+    PRIMARY KEY (id)
+);
+
+ALTER TABLE  acrs MODIFY COLUMN expiration BIGINT;

perun-oidc-server-webapp/src/main/webapp/WEB-INF/classes/db/psql/db_update.sql

@@ -0,0 +1,7 @@
+CREATE TABLE shedlock(
+    name VARCHAR(64),
+    lock_until TIMESTAMP(3) NULL,
+    locked_at TIMESTAMP(3) NULL,
+    locked_by  VARCHAR(255),
+    PRIMARY KEY (name)
+);

perun-oidc-server-webapp/src/main/webapp/WEB-INF/classes/db/psql/loading_temp_tables.sql

@@ -0,0 +1,73 @@
+--
+-- Temporary tables used during the bootstrapping process to safely load users and clients.
+-- These are not needed if you're not using the users.sql/clients.sql files to bootstrap the database.
+--
+
+CREATE TEMPORARY TABLE IF NOT EXISTS authorities_TEMP (
+      username varchar(50) not null,
+      authority varchar(50) not null,
+      constraint ix_authority_TEMP unique (username,authority));
+      
+CREATE TEMPORARY TABLE IF NOT EXISTS users_TEMP (
+      username varchar(50) not null primary key,
+      password varchar(50) not null,
+      enabled boolean not null);
+
+CREATE TEMPORARY TABLE IF NOT EXISTS user_info_TEMP (
+	sub VARCHAR(256) not null primary key,
+	preferred_username VARCHAR(256),
+	name VARCHAR(256),
+	given_name VARCHAR(256),
+	family_name VARCHAR(256),
+	middle_name VARCHAR(256),
+	nickname VARCHAR(256),
+	profile VARCHAR(256),
+	picture VARCHAR(256),
+	website VARCHAR(256),
+	email VARCHAR(256),
+	email_verified BOOLEAN,
+	gender VARCHAR(256),
+	zone_info VARCHAR(256),
+	locale VARCHAR(256),
+	phone_number VARCHAR(256),
+	address_id VARCHAR(256),
+	updated_time VARCHAR(256),
+	birthdate VARCHAR(256)
+);
+
+CREATE TEMPORARY TABLE IF NOT EXISTS client_details_TEMP (
+	client_description VARCHAR(256),
+	dynamically_registered BOOLEAN,
+	id_token_validity_seconds BIGINT,
+	
+	client_id VARCHAR(256),
+	client_secret VARCHAR(2048),
+	access_token_validity_seconds BIGINT,
+	refresh_token_validity_seconds BIGINT,
+	allow_introspection BOOLEAN,
+	
+	client_name VARCHAR(256)
+);
+
+CREATE TEMPORARY TABLE IF NOT EXISTS client_scope_TEMP (
+	owner_id VARCHAR(256),
+	scope VARCHAR(2048)
+);
+
+CREATE TEMPORARY TABLE IF NOT EXISTS client_redirect_uri_TEMP (
+	owner_id VARCHAR(256),
+	redirect_uri VARCHAR(2048) 
+);
+
+CREATE TEMPORARY TABLE IF NOT EXISTS client_grant_type_TEMP (
+	owner_id VARCHAR(256),
+	grant_type VARCHAR(2000)
+);
+
+CREATE TEMPORARY TABLE IF NOT EXISTS system_scope_TEMP (
+	scope VARCHAR(256),
+	description VARCHAR(4096),
+	icon VARCHAR(256),
+	restricted BOOLEAN,
+	default_scope BOOLEAN
+);

perun-oidc-server-webapp/src/main/webapp/WEB-INF/classes/db/psql/psql_database_tables.sql

@@ -0,0 +1,384 @@
+--
+-- Tables for OIDC Server functionality, PostgreSQL
+--
+
+CREATE TABLE IF NOT EXISTS access_token (
+	id SERIAL PRIMARY KEY,
+	token_value VARCHAR(4096),
+	expiration TIMESTAMP,
+	token_type VARCHAR(256),
+	refresh_token_id BIGINT,
+	client_id BIGINT,
+	auth_holder_id BIGINT,
+	approved_site_id BIGINT,
+	UNIQUE(token_value)
+);
+
+CREATE TABLE IF NOT EXISTS access_token_permissions (
+	access_token_id BIGINT NOT NULL,
+	permission_id BIGINT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS address (
+	id SERIAL PRIMARY KEY,
+	formatted VARCHAR(256),
+	street_address VARCHAR(256),
+	locality VARCHAR(256),
+	region VARCHAR(256),
+	postal_code VARCHAR(256),
+	country VARCHAR(256)
+);
+
+CREATE TABLE IF NOT EXISTS approved_site (
+	id SERIAL PRIMARY KEY,
+	user_id VARCHAR(256),
+	client_id VARCHAR(256),
+	creation_date TIMESTAMP,
+	access_date TIMESTAMP,
+	timeout_date TIMESTAMP,
+	whitelisted_site_id BIGINT
+);
+
+CREATE TABLE IF NOT EXISTS approved_site_scope (
+	owner_id BIGINT,
+	scope VARCHAR(256)
+);
+
+CREATE TABLE IF NOT EXISTS authentication_holder (
+	id SERIAL PRIMARY KEY,
+	user_auth_id BIGINT,
+	approved BOOLEAN,
+	redirect_uri VARCHAR(2048),
+	client_id VARCHAR(256)
+);
+
+CREATE TABLE IF NOT EXISTS authentication_holder_authority (
+	owner_id BIGINT,
+	authority VARCHAR(256)
+);
+
+CREATE TABLE IF NOT EXISTS authentication_holder_resource_id (
+	owner_id BIGINT,
+	resource_id VARCHAR(2048)
+);
+
+CREATE TABLE IF NOT EXISTS authentication_holder_response_type (
+	owner_id BIGINT,
+	response_type VARCHAR(2048)
+);
+
+CREATE TABLE IF NOT EXISTS authentication_holder_extension (
+	owner_id BIGINT,
+	extension VARCHAR(2048),
+	val VARCHAR(2048)
+);
+
+CREATE TABLE IF NOT EXISTS authentication_holder_scope (
+	owner_id BIGINT,
+	scope VARCHAR(2048)
+);
+
+CREATE TABLE IF NOT EXISTS authentication_holder_request_parameter (
+	owner_id BIGINT,
+	param VARCHAR(2048),
+	val TEXT
+);
+
+CREATE TABLE IF NOT EXISTS saved_user_auth (
+	id SERIAL PRIMARY KEY,
+	name VARCHAR(1024),
+	authenticated BOOLEAN,
+	source_class VARCHAR(2048)
+);
+
+CREATE TABLE IF NOT EXISTS saved_user_auth_authority (
+	owner_id BIGINT,
+	authority VARCHAR(256)
+);
+
+CREATE TABLE IF NOT EXISTS client_authority (
+	owner_id BIGINT,
+	authority VARCHAR(256)
+);
+
+CREATE TABLE IF NOT EXISTS authorization_code (
+	id SERIAL PRIMARY KEY,
+	code VARCHAR(256),
+	auth_holder_id BIGINT,
+	expiration TIMESTAMP
+);
+
+CREATE TABLE IF NOT EXISTS client_grant_type (
+	owner_id BIGINT,
+	grant_type VARCHAR(2000)
+);
+
+CREATE TABLE IF NOT EXISTS client_response_type (
+	owner_id BIGINT,
+	response_type VARCHAR(2000)
+);
+
+CREATE TABLE IF NOT EXISTS blacklisted_site (
+	id SERIAL PRIMARY KEY,
+	uri VARCHAR(2048)
+);
+
+CREATE TABLE IF NOT EXISTS client_details (
+	id SERIAL PRIMARY KEY,
+
+	client_description VARCHAR(1024),
+	reuse_refresh_tokens BOOLEAN DEFAULT true NOT NULL,
+	dynamically_registered BOOLEAN DEFAULT false NOT NULL,
+	allow_introspection BOOLEAN DEFAULT false NOT NULL,
+	id_token_validity_seconds BIGINT DEFAULT 600 NOT NULL,
+	device_code_validity_seconds BIGINT,
+	
+	client_id VARCHAR(256),
+	client_secret VARCHAR(2048),
+	access_token_validity_seconds BIGINT,
+	refresh_token_validity_seconds BIGINT,
+	
+	application_type VARCHAR(256),
+	client_name VARCHAR(256),
+	token_endpoint_auth_method VARCHAR(256),
+	subject_type VARCHAR(256),
+	
+	logo_uri VARCHAR(2048),
+	policy_uri VARCHAR(2048),
+	client_uri VARCHAR(2048),
+	tos_uri VARCHAR(2048),
+
+	jwks_uri VARCHAR(2048),
+	jwks VARCHAR(8192),
+	sector_identifier_uri VARCHAR(2048),
+	
+	request_object_signing_alg VARCHAR(256),
+	
+	user_info_signed_response_alg VARCHAR(256),
+	user_info_encrypted_response_alg VARCHAR(256),
+	user_info_encrypted_response_enc VARCHAR(256),
+	
+	id_token_signed_response_alg VARCHAR(256),
+	id_token_encrypted_response_alg VARCHAR(256),
+	id_token_encrypted_response_enc VARCHAR(256),
+	
+	token_endpoint_auth_signing_alg VARCHAR(256),
+	
+	default_max_age BIGINT,
+	require_auth_time BOOLEAN,
+	created_at TIMESTAMP,
+	initiate_login_uri VARCHAR(2048),
+	clear_access_tokens_on_refresh BOOLEAN DEFAULT true NOT NULL,
+	
+	software_statement VARCHAR(4096),
+	software_id VARCHAR(2048),
+	software_version VARCHAR(2048),
+	
+	code_challenge_method VARCHAR(256),
+	
+	UNIQUE (client_id)
+);
+
+CREATE TABLE IF NOT EXISTS client_request_uri (
+	owner_id BIGINT,
+	request_uri VARCHAR(2000)
+);
+
+CREATE TABLE IF NOT EXISTS client_post_logout_redirect_uri (
+	owner_id BIGINT,
+	post_logout_redirect_uri VARCHAR(2000)
+);
+
+CREATE TABLE IF NOT EXISTS client_default_acr_value (
+	owner_id BIGINT,
+	default_acr_value VARCHAR(2000)
+);
+
+CREATE TABLE IF NOT EXISTS client_contact (
+	owner_id BIGINT,
+	contact VARCHAR(256)
+);
+
+CREATE TABLE IF NOT EXISTS client_redirect_uri (
+	owner_id BIGINT, 
+	redirect_uri VARCHAR(2048) 
+);
+
+CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
+	owner_id BIGINT, 
+	redirect_uri VARCHAR(2048) 
+);
+
+CREATE TABLE IF NOT EXISTS refresh_token (
+	id SERIAL PRIMARY KEY,
+	token_value VARCHAR(4096),
+	expiration TIMESTAMP,
+	auth_holder_id BIGINT,
+	client_id BIGINT
+);
+
+CREATE TABLE IF NOT EXISTS client_resource (
+	owner_id BIGINT, 
+	resource_id VARCHAR(256) 
+);
+
+CREATE TABLE IF NOT EXISTS client_scope (
+	owner_id BIGINT,
+	scope VARCHAR(2048)
+);
+
+CREATE TABLE IF NOT EXISTS token_scope (
+	owner_id BIGINT,
+	scope VARCHAR(2048)
+);
+
+CREATE TABLE IF NOT EXISTS system_scope (
+	id SERIAL PRIMARY KEY,
+	scope VARCHAR(256) NOT NULL,
+	description VARCHAR(4096),
+	icon VARCHAR(256),
+	restricted BOOLEAN DEFAULT false NOT NULL,
+	default_scope BOOLEAN DEFAULT false NOT NULL,
+	UNIQUE (scope)
+);
+
+CREATE TABLE IF NOT EXISTS user_info (
+	id SERIAL PRIMARY KEY,
+	sub VARCHAR(256),
+	preferred_username VARCHAR(256),
+	name VARCHAR(256),
+	given_name VARCHAR(256),
+	family_name VARCHAR(256),
+	middle_name VARCHAR(256),
+	nickname VARCHAR(256),
+	profile VARCHAR(256),
+	picture VARCHAR(256),
+	website VARCHAR(256),
+	email VARCHAR(256),
+	email_verified BOOLEAN,
+	gender VARCHAR(256),
+	zone_info VARCHAR(256),
+	locale VARCHAR(256),
+	phone_number VARCHAR(256),
+	phone_number_verified BOOLEAN,
+	address_id VARCHAR(256),
+	updated_time VARCHAR(256),
+	birthdate VARCHAR(256),
+	src VARCHAR(4096)
+);
+
+CREATE TABLE IF NOT EXISTS whitelisted_site (
+	id SERIAL PRIMARY KEY,
+	creator_user_id VARCHAR(256),
+	client_id VARCHAR(256)
+);
+
+CREATE TABLE IF NOT EXISTS whitelisted_site_scope (
+	owner_id BIGINT,
+	scope VARCHAR(256)
+);
+
+CREATE TABLE IF NOT EXISTS pairwise_identifier (
+	id SERIAL PRIMARY KEY,
+	identifier VARCHAR(256),
+	sub VARCHAR(256),
+	sector_identifier VARCHAR(2048)
+);
+
+CREATE TABLE IF NOT EXISTS resource_set (
+	id SERIAL PRIMARY KEY,
+	name VARCHAR(1024) NOT NULL,
+	uri VARCHAR(1024),
+	icon_uri VARCHAR(1024),
+	rs_type VARCHAR(256),
+	owner VARCHAR(256) NOT NULL,
+	client_id VARCHAR(256)
+);
+
+CREATE TABLE IF NOT EXISTS resource_set_scope (
+	owner_id BIGINT NOT NULL,
+	scope VARCHAR(256) NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS permission_ticket (
+	id SERIAL PRIMARY KEY,
+	ticket VARCHAR(256) NOT NULL,
+	permission_id BIGINT NOT NULL,
+	expiration TIMESTAMP
+);
+
+CREATE TABLE IF NOT EXISTS permission (
+	id SERIAL PRIMARY KEY,
+	resource_set_id BIGINT
+);
+
+CREATE TABLE IF NOT EXISTS permission_scope (
+	owner_id BIGINT NOT NULL,
+	scope VARCHAR(256) NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS claim (
+	id SERIAL PRIMARY KEY,
+	name VARCHAR(256),
+	friendly_name VARCHAR(1024),
+	claim_type VARCHAR(1024),
+	claim_value VARCHAR(1024)
+);
+
+CREATE TABLE IF NOT EXISTS claim_to_policy (
+	policy_id BIGINT NOT NULL,
+	claim_id BIGINT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS claim_to_permission_ticket (
+	permission_ticket_id BIGINT NOT NULL,
+	claim_id BIGINT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS policy (
+	id SERIAL PRIMARY KEY,
+	name VARCHAR(1024),
+	resource_set_id BIGINT
+);
+
+CREATE TABLE IF NOT EXISTS policy_scope (
+	owner_id BIGINT NOT NULL,
+	scope VARCHAR(256) NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS claim_token_format (
+	owner_id BIGINT NOT NULL,
+	claim_token_format VARCHAR(1024)
+);
+
+CREATE TABLE IF NOT EXISTS claim_issuer (
+	owner_id BIGINT NOT NULL,
+	issuer VARCHAR(1024)
+);
+
+CREATE TABLE IF NOT EXISTS saved_registered_client (
+	id SERIAL PRIMARY KEY,
+	issuer VARCHAR(1024),
+	registered_client VARCHAR(8192)
+);
+
+CREATE TABLE IF NOT EXISTS device_code (
+	id BIGSERIAL PRIMARY KEY,
+	device_code VARCHAR(1024),
+	user_code VARCHAR(1024),
+	expiration TIMESTAMP NULL,
+	client_id VARCHAR(256),
+	approved BOOLEAN,
+	auth_holder_id BIGINT	
+);
+
+CREATE TABLE IF NOT EXISTS device_code_scope (
+	owner_id BIGINT NOT NULL,
+	scope VARCHAR(256) NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS device_code_request_parameter (
+	owner_id BIGINT,
+	param VARCHAR(2048),
+	val VARCHAR(2048)
+);

perun-oidc-server-webapp/src/main/webapp/WEB-INF/classes/db/psql/scopes.sql

@@ -0,0 +1,35 @@
+--
+-- Turn off autocommit and start a transaction so that we can use the temp tables
+--
+
+--SET AUTOCOMMIT = OFF;
+
+START TRANSACTION;
+
+--
+-- Insert scope information into the temporary tables.
+-- 
+
+INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope) VALUES
+  ('openid', 'log in using your identity', 'user', false, true),
+  ('profile', 'basic profile information', 'list-alt', false, true),
+  ('email', 'email address', 'envelope', false, true),
+  ('address', 'physical address', 'home', false, true),
+  ('phone', 'telephone number', 'bell', false, true),
+  ('offline_access', 'offline access', 'time', false, false),
+  ('perun_api', 'calls to Perun API in your roles', 'cog', true, false)
+  ;
+  
+--
+-- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store.
+--
+
+INSERT INTO system_scope (scope, description, icon, restricted, default_scope)
+  SELECT scope, description, icon, restricted, default_scope FROM system_scope_TEMP
+  ON CONFLICT(scope)
+  DO NOTHING;
+
+COMMIT;
+
+--SET AUTOCOMMIT = ON;
+

perun-oidc-server-webapp/src/main/webapp/WEB-INF/crypto-config.xml

@@ -30,17 +30,17 @@
 		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
 		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
 
-	<bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
+	<bean id="defaultKeyStore" class="cz.muni.ics.jose.keystore.JWKSetKeyStore">
 		<property name="location" value="classpath:keystore.jwks" />
 	</bean>
 	
-	<bean id="defaultsignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService">
+	<bean id="defaultsignerService" class="cz.muni.ics.jwt.signer.service.impl.DefaultJWTSigningAndValidationService">
 		<constructor-arg name="keyStore" ref="defaultKeyStore" />
 		<property name="defaultSignerKeyId" value="rsa1" />
  		<property name="defaultSigningAlgorithmName" value="RS256" />
 	</bean>
 
-	<bean id="defaultEncryptionService" class="org.mitre.jwt.encryption.service.impl.DefaultJWTEncryptionAndDecryptionService">
+	<bean id="defaultEncryptionService" class="cz.muni.ics.jwt.encryption.service.impl.DefaultJWTEncryptionAndDecryptionService">
 		<constructor-arg name="keyStore" ref="defaultKeyStore" />
 		<property name="defaultAlgorithm" value="RSA1_5" />
 		<property name="defaultDecryptionKeyId" value="rsa1" />

perun-oidc-server-webapp/src/main/webapp/WEB-INF/data-context.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright 2018 The MIT Internet Trust Consortium
+   
+    Portions copyright 2011-2013 The MITRE Corporation
+   
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+   
+      http://www.apache.org/licenses/LICENSE-2.0
+   
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+ -->
+<beans xmlns="http://www.springframework.org/schema/beans"
+	   xmlns:jdbc="http://www.springframework.org/schema/jdbc"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+       						http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-4.3.xsd">
+
+	<!--  The following is for connecting to a PostgreSQL database that has been initialized with
+			src/main/resources/db/psql/psql_database_tables.sql -->
+	<bean id="dataSource" class="com.zaxxer.hikari.HikariDataSource" destroy-method="close">
+		<property name="driverClassName" value="${jdbc.driver}" />
+		<property name="jdbcUrl" value="${jdbc.url}" />
+		<property name="username" value="${jdbc.user}" />
+		<property name="password" value="${jdbc.password}" />
+		<property name="maximumPoolSize" value="50" />
+	</bean>
+
+	<bean id="mitreIdStats" class="com.zaxxer.hikari.HikariDataSource" destroy-method="close">
+		<property name="driverClassName" value="${jdbc.driver}" />
+		<property name="jdbcUrl" value="${stats.jdbc.url}" />
+		<property name="username" value="${stats.jdbc.user}" />
+		<property name="password" value="${stats.jdbc.password}" />
+	</bean>
+
+	<bean id="jpaAdapter" class="org.springframework.orm.jpa.vendor.EclipseLinkJpaVendorAdapter">
+		<property name="databasePlatform" value="${jdbc.platform}" />
+		<property name="showSql" value="false" />
+	</bean>
+	<!-- Initialize the database
+ 	<jdbc:initialize-database data-source="dataSource">
+ 		<jdbc:script location="classpath:/db/mysql/mysql_database_tables.sql"/>
+ 		<jdbc:script location="classpath:/db/mysql/scopes.sql"/>
+ 	</jdbc:initialize-database>
+ 	-->
+
+</beans>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml

@@ -29,6 +29,18 @@
 		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
 
 
-<!-- This file allows you to define additional endpoints, it's normally empty in the OIDC server and has entries in the UMA server -->
+	<security:http pattern="/devicecodeMFA/**"
+				   use-expressions="true"
+				   entry-point-ref="oauthAuthenticationEntryPoint"
+				   create-session="stateless"
+				   authentication-manager-ref="clientAuthenticationManager">
+		<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
+		<!-- include this only if you need to authenticate clients via request parameters -->
+		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
+		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
+		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+		<security:access-denied-handler ref="oauthAccessDeniedHandler" />
+		<security:csrf disabled="true"/>
+	</security:http>
 
 </beans>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/jpa-config.xml

@@ -34,7 +34,7 @@
 	</bean>
 
 	<bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
-		<property name="packagesToScan" value="org.mitre" />
+		<property name="packagesToScan" value="cz.muni.ics" />
 		<property name="persistenceProviderClass" value="org.eclipse.persistence.jpa.PersistenceProvider" />
 		<property name="dataSource" ref="dataSource" />
 		<property name="jpaVendorAdapter" ref="jpaAdapter" />

perun-oidc-server-webapp/src/main/webapp/WEB-INF/locale-config.xml

@@ -19,11 +19,11 @@
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
 
-	<bean id="messageSource" class="org.mitre.openid.connect.config.JsonMessageSource">
+	<bean id="messageSource" class="cz.muni.ics.openid.connect.config.JsonMessageSource">
 		<property name="baseDirectory" value="/resources/js/locale/" />
 		<property name="useCodeAsDefaultMessage" value="true" />
 	</bean>
 
-	<bean id="localeResolver" class="org.mitre.openid.connect.config.ConfigurationBeanLocaleResolver" />
+	<bean id="localeResolver" class="cz.muni.ics.openid.connect.config.ConfigurationBeanLocaleResolver" />
 
 </beans>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/server-config.xml

@@ -30,29 +30,18 @@
 		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
 		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
 
-	<security:authentication-manager id="authenticationManager">
-		<security:authentication-provider>
-			<security:jdbc-user-service data-source-ref="dataSource"/>
-		</security:authentication-provider>
-	</security:authentication-manager>
-		
-	<mvc:view-controller path="/login" view-name="login" />
-
-	<security:http authentication-manager-ref="authenticationManager"> 
+	<bean id="configBean" class="cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean">
+		<!-- This property sets the root URL of the server, known as the issuer -->
+		<property name="issuer" value="${main.oidc.issuer.url}" />
+		<!-- This property is a URL pointing to a logo image 24px high to be used in the top bar -->
+		<property name="logoImageUrl" value="${logo.image.url}" />
+		<!-- This property sets the display name of the server, displayed in the topbar and page title -->
+		<property name="topbarTitle" value="${topbar.title}" />
+		<!-- This property forces the issuer value to start with "https", recommended on production servers -->
+		<property name="forceHttps" value="true" />
+		<!-- This property allows the server to create and accept fully-composed
+			 user URIs (with the user-code emebedded) for the device flow -->
+		<property name="allowCompleteDeviceCodeUri" value="true" />
+	</bean>
 	
-		<security:intercept-url pattern="/authorize" access="hasRole('ROLE_USER')" />
-		<security:intercept-url pattern="/**" access="permitAll" />
-		
-		<security:form-login login-page="/login" authentication-failure-url="/login?error=failure" authentication-success-handler-ref="authenticationTimeStamper" />
-		<security:custom-filter ref="authRequestFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:logout logout-url="/logout" />
-		<security:anonymous />
-		<security:expression-handler ref="oauthWebExpressionHandler" />
-		<security:headers>
-			<security:frame-options policy="DENY" />
-		</security:headers>
-		<security:csrf />
-		<security:custom-filter ref="mdcFilter" before="FIRST"/>
-	</security:http>	
-
 </beans>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/bbmri/footer.tag

@@ -0,0 +1,25 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ attribute name="js" required="false"%>
+<%@ attribute name="baseURL" required="true"%>
+<%@ attribute name="samlResourcesURL" required="true"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
+<jsp:useBean id="date" class="java.util.Date" />
+
+<div id="footer">
+    <div style="margin: 0px auto; max-width: 1000px;">
+        <div style="float: left;">
+            <img src="${samlResourcesURL}/module.php/bbmri/res/img/BBMRI-ERIC-gateway-for-health_216.png" alt="BBMRI-ERIC Logo">
+        </div>
+
+        <div style="float: left;">
+            <p>BBMRI-ERIC, Neue Stiftingtalstrasse 2/B/6, 8010 Graz, Austria
+                &nbsp; &nbsp; +43 316 34 99 17-0 &nbsp;
+                <a href="mailto:contact@bbmri-eric.eu">contact@bbmri-eric.eu</a>
+            </p>
+            <p>Copyright &copy; BBMRI-ERIC <fmt:formatDate value="${date}" pattern="yyyy" /></p>
+        </div>
+    </div>
+</div><!-- #footer -->

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/bbmri/header.tag

@@ -0,0 +1,22 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags/common" %>
+<%@ attribute name="title" required="true" %>
+<%@ attribute name="reqURL" required="true" %>
+<%@ attribute name="baseURL" required="true" %>
+<%@ attribute name="samlResourcesURL" required="true" %>
+<%@ attribute name="cssLinks" required="true" type="java.util.ArrayList<java.lang.String>" %>
+
+<c:set var="logoURL" value="${samlResourcesURL}/module.php/bbmri/res/img/BBMRI-ERIC-gateway-for-health_430.png"/>
+
+<o:headerInit title="${title}" reqURL="${reqURL}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}" />
+
+<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/bbmri/res/bootstrap/css/bootstrap.min.css" />
+<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/bbmri/res/css/bbmri.css" />
+
+<o:headerCssLinks cssLinks="${cssLinks}"/>
+
+</head>
+
+<o:headerBody logoURL="${logoURL}"/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/ceitec/footer.tag

@@ -0,0 +1,26 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ attribute name="js" required="false"%>
+<%@ attribute name="baseURL" required="true"%>
+<%@ attribute name="samlResourcesURL" required="true"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
+<jsp:useBean id="date" class="java.util.Date" />
+
+<c:set var="issuer" value="${config.issuer}" />
+
+<div id="footer">
+    <div style="margin: 0px auto; max-width: 1000px;">
+        <div style="float: left;">
+            <img src="${samlResourcesURL}/module.php/ceitec/res/img/logo_64.png" alt="CEITEC Logo">
+        </div>
+        <div style="float: left;">
+            <p>CEITEC, Masaryk University, Žerotínovo nám. 9, 601 77 Brno, Czech Republic
+                &nbsp; &nbsp; +420 549 498 732 &nbsp;
+                <a href="mailto:is.ceitec@ceitec.cz">is.ceitec@ceitec.cz</a>
+            </p>
+            <p>Copyright &copy; CEITEC <fmt:formatDate value="${date}" pattern="yyyy" /></p>
+        </div>
+    </div>
+</div>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/ceitec/header.tag

@@ -0,0 +1,22 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags/common" %>
+<%@ attribute name="title" required="true" %>
+<%@ attribute name="reqURL" required="true" %>
+<%@ attribute name="baseURL" required="true" %>
+<%@ attribute name="samlResourcesURL" required="true" %>
+<%@ attribute name="cssLinks" required="true" type="java.util.ArrayList<java.lang.String>" %>
+
+<c:set var="logoURL" value="${samlResourcesURL}/module.php/ceitec/res/img/logo_512.png"/>
+
+<o:headerInit title="${title}" reqURL="${reqURL}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+
+<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/ceitec/res/bootstrap/css/bootstrap.min.css" />
+<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/ceitec/res/css/ceitec.css" />
+
+<o:headerCssLinks cssLinks="${cssLinks}"/>
+
+</head>
+
+<o:headerBody logoURL="${logoURL}"/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/cesnet/footer.tag

@@ -0,0 +1,50 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ attribute name="js" required="false"%>
+<%@ attribute name="baseURL" required="true"%>
+<%@ attribute name="samlResourcesURL" required="true"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
+<jsp:useBean id="date" class="java.util.Date" />
+
+<div id="footer">
+    <footer>
+        <div class="container">
+            <div class="row">
+                <div class="col-md-4 logo">
+                    <a href="http://www.cesnet.cz/">
+                        <img src="${samlResourcesURL}/module.php/cesnet/res/img/logo-cesnet.png" alt="CESNET logo" style="width: 250px;">
+                    </a>
+                </div>
+                <div class="col-md-8">
+                    <div class="row">
+                        <div class="col col-sm-6">
+                            <h2>${langProps['footer_other_projects']}</h2>
+                            <ul>
+                                <li><a href="http://www.cesnet.cz/wp-content/uploads/2014/04/CzechLight-family_Posp%C3%ADchal.pdf">CzechLight</a></li>
+                                <li><a href="http://www.ultragrid.cz/en">UltraGrid</a></li>
+                                <li><a href="http://www.4kgateway.com/">4k Gateway</a></li>
+                                <li><a href="http://shongo.cesnet.cz/">Shongo</a></li>
+                                <li><a href="http://www.cesnet.cz/sluzby/sledovani-provozu-site/sledovani-infrastruktury/">FTAS a G3</a></li>
+                                <li><a href="https://www.liberouter.org/">Librerouter</a></li>
+                            </ul>
+                        </div>
+                        <div class="col col-sm-6">
+                            <h2>${langProps['footer_helpdesk']}</h2>
+                            TEL: +420 224 352 994<br>
+                            GSM: +420 602 252 531<br>
+                            FAX: +420 224 313 211<br>
+                            <a href="mailto:perun@cesnet.cz">perun@cesnet.cz</a>
+                        </div>
+                    </div>
+                </div>
+            </div>
+            <div class="row">
+                <div class="col col-sm-12 copyright">
+                    &copy; 1991–<fmt:formatDate value="${date}" pattern="yyyy" /> | CESNET, z. s. p. o.
+                </div>
+            </div>
+        </div>
+    </footer>
+</div>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/cesnet/header.tag

@@ -0,0 +1,22 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags/common" %>
+<%@ attribute name="title" required="true" %>
+<%@ attribute name="reqURL" required="true" %>
+<%@ attribute name="baseURL" required="true" %>
+<%@ attribute name="samlResourcesURL" required="true" %>
+<%@ attribute name="cssLinks" required="true" type="java.util.ArrayList<java.lang.String>" %>
+
+<c:set var="logoURL" value="${samlResourcesURL}/module.php/cesnet/res/img/cesnet_RGB.png"/>
+
+<o:headerInit title="${title}" reqURL="${reqURL}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}" />
+
+<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/cesnet/res/bootstrap/css/bootstrap.min.css" />
+<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/cesnet/res/css/cesnet.css" />
+
+<o:headerCssLinks cssLinks="${cssLinks}"/>
+
+</head>
+
+<o:headerBody logoURL="${logoURL}"/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/attributesConsent.tag

@@ -0,0 +1,82 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true"
+        import="cz.muni.ics.oidc.server.elixir.GA4GHClaimSource" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags" %>
+
+<c:if test="${empty scopes}">
+    <p>${langProps['no_scopes']}</p>
+</c:if>
+<c:if test="${not empty scopes}">
+    <ul id="perun-table_with_attributes" class="perun-attributes">
+        <c:forEach var="scope" items="${scopes}">
+            <c:set var="scopeValue" value="${langProps[scope.value]}"/>
+            <c:if test="${empty fn:trim(scopeValue)}">
+                <c:set var="scopeValue" value="${scope.value}"/>
+            </c:if>
+            <c:set var="singleClaim" value="${fn:length(claims[scope.value]) eq 1}" />
+            <li class="scope-item scope_${fn:escapeXml(scope.value)} ${' '} ${fn:length(claims[scope.value]) eq 0 ? 'hidden' : ''}">
+                <div class="row">
+                    <div class="col-sm-5">
+                        <div class="checkbox-wrapper">
+                            <input class="mt-0 mr-half" type="checkbox" name="scope_${ fn:escapeXml(scope.value) }" checked="checked"
+                                   id="scope_${fn:escapeXml(scope.value)}" value="${fn:escapeXml(scope.value)}">
+                        </div>
+                        <h2 class="perun-attrname <c:out value="${classes['perun-attrname.h2.class']}"/>">
+                            <label for="scope_${fn:escapeXml(scope.value)}"
+                                   class="<c:out value="${classes['perun-attrname.h2.class']}"/>">${scopeValue}</label>
+                        </h2>
+                    </div>
+                    <div class="perun-attrcontainer col-sm-7">
+                        <span class="perun-attrvalue">
+                            <ul class="perun-attrlist <c:out value="${classes['perun-attrcontainer.ul.class']}"/>">
+                                <c:forEach var="claim" items="${claims[scope.value]}">
+                                    <c:choose>
+                                        <c:when test="${not singleClaim}">
+                                            <li class="subclaim subclaim_${fn:escapeXml(claim.key)}">
+                                                <c:set var="claimKey" value="${langProps[claim.key]}"/>
+                                                <c:if test="${empty fn:trim(claimKey)}">
+                                                    <c:set var="claimKey" value="${claim.key}"/>
+                                                </c:if>
+                                                <h3 class="visible-xs-block visible-sm-inline-block visible-md-inline-block
+                                                    visible-lg-inline-block <c:out value="${classes['perun-attrlist.h3.class']}"/>">
+                                                    ${claimKey}:
+                                                </h3>
+                                                <c:if test="${claim.value.getClass().name eq 'java.util.ArrayList'}">
+                                                    <ul class="subclaim-value">visible-md-inline-block
+                                                        <c:forEach var="subValue" items="${claim.value}">
+                                                            <li>${subValue}</li>
+                                                        </c:forEach>
+                                                    </ul>
+                                                </c:if>
+                                                <c:if test="${not(claim.value.getClass().name eq 'java.util.ArrayList')}">
+                                                    <span class="subclaim-value">${claim.value}</span>
+                                                </c:if>
+                                            </li>
+                                        </c:when>
+                                        <c:when test="${claim.value.getClass().name eq 'java.util.ArrayList'}">
+                                            <c:forEach var="subValue" items="${claim.value}">
+                                                <c:choose>
+                                                    <c:when test="${claim.key=='ga4gh_passport_v1'}">
+                                                        <li><%= GA4GHClaimSource.parseAndVerifyVisa(
+                                                                (String) jspContext.findAttribute("subValue")).getPrettyString() %></li>
+                                                    </c:when>
+                                                    <c:otherwise>
+                                                        <li>${subValue}</li>
+                                                    </c:otherwise>
+                                                </c:choose>
+                                            </c:forEach>
+                                        </c:when>
+                                        <c:otherwise>
+                                            <li>${claim.value}</li>
+                                        </c:otherwise>
+                                    </c:choose>
+                                </c:forEach>
+                            </ul>
+                        </span>
+                    </div>
+                </div>
+            </li>
+        </c:forEach>
+    </ul>
+</c:if>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/consentButtons.tag

@@ -0,0 +1,22 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags" %>
+
+<div class="row">
+    <div class="col-sm-6">
+        <div id="yesform">
+            <button id="yesbutton" name="yes" type="submit" class="btn btn-success btn-lg btn-block btn-primary"
+                    onclick="$('#user_oauth_approval').attr('value', true);">
+                <span>${langProps['yes']}</span>
+            </button>
+        </div>
+    </div>
+    <div class="col-sm-6">
+        <div>
+            <button id="nobutton" name="no" type="submit" class="btn btn-lg btn-default btn-block btn-no"
+                    onclick="$('#user_oauth_approval').attr('value', false);">
+                <span>${langProps['no']}</span>
+            </button>
+        </div>
+    </div>
+</div>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/footer.tag

@@ -0,0 +1,38 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags" %>
+<%@ taglib prefix="elixir" tagdir="/WEB-INF/tags/elixir" %>
+<%@ taglib prefix="cesnet" tagdir="/WEB-INF/tags/cesnet" %>
+<%@ taglib prefix="bbmri" tagdir="/WEB-INF/tags/bbmri" %>
+<%@ taglib prefix="ceitec" tagdir="/WEB-INF/tags/ceitec" %>
+<%@ taglib prefix="europdx" tagdir="/WEB-INF/tags/europdx" %>
+<%@ taglib prefix="muni" tagdir="/WEB-INF/tags/muni" %>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
+<%@ attribute name="baseURL" required="true" %>
+<%@ attribute name="theme" required="true" %>
+
+<c:choose>
+    <c:when test="${theme eq 'elixir'}">
+        <elixir:footer baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+    </c:when>
+    <c:when test="${theme eq 'cesnet'}">
+        <cesnet:footer baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+    </c:when>
+    <c:when test="${theme eq 'bbmri'}">
+        <bbmri:footer baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+    </c:when>
+    <c:when test="${theme eq 'ceitec'}">
+        <ceitec:footer baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+    </c:when>
+    <c:when test="${theme eq 'europdx'}">
+        <europdx:footer baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+    </c:when>
+    <c:when test="${theme eq 'muni'}">
+        <muni:footer/>
+    </c:when>
+    <c:otherwise>
+        <o:footer />
+    </c:otherwise>
+</c:choose>
+
+<script type="text/javascript" src="resources/js/jquery-3-3-1.min.js"></script>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/header.tag

@@ -0,0 +1,38 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags" %>
+<%@ taglib prefix="elixir" tagdir="/WEB-INF/tags/elixir" %>
+<%@ taglib prefix="cesnet" tagdir="/WEB-INF/tags/cesnet" %>
+<%@ taglib prefix="bbmri" tagdir="/WEB-INF/tags/bbmri" %>
+<%@ taglib prefix="ceitec" tagdir="/WEB-INF/tags/ceitec" %>
+<%@ taglib prefix="europdx" tagdir="/WEB-INF/tags/europdx" %>
+<%@ taglib prefix="muni" tagdir="/WEB-INF/tags/muni" %>
+<%@ attribute name="title" required="true" %>
+<%@ attribute name="reqURL" required="true" %>
+<%@ attribute name="baseURL" required="true" %>
+<%@ attribute name="theme" required="true" %>
+<%@ attribute name="cssLinks" required="true" type="java.util.ArrayList<java.lang.String>" %>
+
+<c:choose>
+    <c:when test="${theme eq 'elixir'}">
+        <elixir:header title="${title}" reqURL="${reqURL}" cssLinks="${cssLinks}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+    </c:when>
+    <c:when test="${theme eq 'cesnet'}">
+        <cesnet:header title="${title}" reqURL="${reqURL}" cssLinks="${cssLinks}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+    </c:when>
+    <c:when test="${theme eq 'bbmri'}">
+        <bbmri:header title="${title}" reqURL="${reqURL}" cssLinks="${cssLinks}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+    </c:when>
+    <c:when test="${theme eq 'ceitec'}">
+        <ceitec:header title="${title}" reqURL="${reqURL}" cssLinks="${cssLinks}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+    </c:when>
+    <c:when test="${theme eq 'europdx'}">
+        <europdx:header title="${title}" reqURL="${reqURL}" cssLinks="${cssLinks}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+    </c:when>
+    <c:when test="${theme eq 'muni'}">
+        <muni:header title="${title}" reqURL="${reqURL}" cssLinks="${cssLinks}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+    </c:when>
+    <c:otherwise>
+        <o:header title="${title}"/>
+    </c:otherwise>
+</c:choose>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/headerBody.tag

@@ -0,0 +1,14 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags/common" %>
+<%@ attribute name="logoURL" required="true" %>
+
+<body>
+
+    <div id="wrap">
+        <c:if test="${ langsMap.size() > 1 }">
+            <o:langbar lang="${lang}" langsMap="${langsMap}" reqURL="${reqURL}"/>
+        </c:if>
+        <div id="header">
+            <img src="${logoURL}" alt="logo">

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/headerCssLinks.tag

@@ -0,0 +1,7 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ attribute name="cssLinks" required="true" type="java.util.ArrayList<java.lang.String>" %>
+
+<c:forEach var="link" items="${cssLinks}">
+    <link rel="stylesheet" type="text/css" href="${link}" />
+</c:forEach>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/headerInit.tag

@@ -0,0 +1,22 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ attribute name="title" required="true" %>
+<%@ attribute name="reqURL" required="true" %>
+<%@ attribute name="baseURL" required="true" %>
+<%@ attribute name="samlResourcesURL" required="true" %>
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="${lang}" xml:lang="${lang}">
+
+<head>
+
+    <base href="${config.issuer}">
+    <title>${config.topbarTitle} - ${title}</title>
+
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta name="viewport" content="width=device-width, height=device-height, initial-scale=1.0" />
+    <meta name="robots" content="noindex, nofollow" />
+
+    <link rel="stylesheet" type="text/css" href="${samlResourcesURL}/resources/default.css" />
+    <link rel="stylesheet" type="text/css" href="resources/css/customs.css">

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/langbar.tag

@@ -0,0 +1,34 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ attribute name="lang" required="true" %>
+<%@ attribute name="langsMap" required="true" type="java.util.Map" %>
+<%@ attribute name="reqURL" required="true" %>
+
+<c:set var="i" value="0"/>
+<div id="languagebar_line">
+    <div id="languagebar">
+    <c:choose>
+        <c:when test="${fn:contains(reqURL, '?')}">
+            <c:set var="requestURL" value="${reqURL}${'&lang='}"/>
+        </c:when>
+        <c:otherwise>
+            <c:set var="requestURL" value="${reqURL}${'?lang='}"/>
+        </c:otherwise>
+    </c:choose>
+        <c:forEach var="langEntry" items="${langsMap}">
+            <c:choose>
+                <c:when test="${ langEntry.key.equalsIgnoreCase(lang)}">
+                    <c:out value="${langEntry.value}" />
+                </c:when>
+                <c:otherwise>
+                    <a href="${requestURL}${langEntry.key}">${langEntry.value}</a>
+                </c:otherwise>
+            </c:choose>
+            <c:if test="${ i < (langsMap.size() - 1) }">
+                <c:out value=" | "/>
+            </c:if>
+            <c:set var="i" value="${ i + 1 }"/>
+        </c:forEach>
+    </div>
+</div>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/copyright.tag

@@ -0,0 +1,11 @@
+<%@ tag pageEncoding="UTF-8" import="cz.muni.ics.oidc.server.configurations.PerunOidcConfig" trimDirectiveWhitespaces="true" %>
+<%@ tag import="org.springframework.web.context.support.WebApplicationContextUtils" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<c:if test="${ config.heartMode }"><span class="pull-left"><img src="resources/images/heart_mode.png" alt="HEART Mode" title="This server is running in HEART Compliance Mode" /></span> </c:if>
+<%
+    PerunOidcConfig perunOidcConfig = WebApplicationContextUtils.getWebApplicationContext(application).getBean("perunOidcConfig", PerunOidcConfig.class);
+%>
+Powered by
+<a href="https://github.com/CESNET/perun-mitreid">Perun MITREid</a> <span class="label"><%=perunOidcConfig.getPerunOIDCVersion()%></span>
+<span class="pull-right">&copy; 2017 The MIT Internet Trust Consortium.</span>.

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/elixir/footer.tag

@@ -0,0 +1,27 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ attribute name="js" required="false"%>
+<%@ attribute name="baseURL" required="true"%>
+<%@ attribute name="samlResourcesURL" required="true"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
+<jsp:useBean id="date" class="java.util.Date" />
+
+<div id="footer">
+    <div style="margin: 0 auto; max-width: 1000px;">
+        <div style="float: left;">
+            <img src="${samlResourcesURL}/module.php/elixir/res/img/logo_64.png" alt="ELIXIR Logo">
+        </div>
+        <div style="float: left;">
+            <p>ELIXIR, Welcome Trust Genome Campus, Hinxton, Cambridgeshire, CB10 1SD, UK&nbsp; &nbsp; +44&nbsp;(0)1223&nbsp;492-670&nbsp;&nbsp;
+                <a href="mailto:info@elixir-europe.org">info@elixir-europe.org</a>
+            </p>
+            <p>Copyright &copy; ELIXIR <fmt:formatDate value="${date}" pattern="yyyy" /> |
+                <a href="https://www.elixir-europe.org/legal/privacy">Privacy</a> |
+                <a href="https://www.elixir-europe.org/legal/cookies">Cookies</a> |
+                <a href="https://www.elixir-europe.org/legal/terms-of-use">Terms of use</a>
+            </p>
+        </div>
+    </div>
+</div>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/elixir/header.tag

@@ -0,0 +1,22 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags/common" %>
+<%@ attribute name="title" required="true" %>
+<%@ attribute name="reqURL" required="true" %>
+<%@ attribute name="baseURL" required="true" %>
+<%@ attribute name="samlResourcesURL" required="true" %>
+<%@ attribute name="cssLinks" required="true" type="java.util.ArrayList<java.lang.String>" %>
+
+<c:set var="logoURL" value="${samlResourcesURL}/module.php/elixir/res/img/logo_256.png"/>
+
+<o:headerInit title="${title}" reqURL="${reqURL}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+
+<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/elixir/res/bootstrap/css/bootstrap.min.css" />
+<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/elixir/res/css/elixir.css" />
+
+<o:headerCssLinks cssLinks="${cssLinks}"/>
+
+</head>
+
+<o:headerBody logoURL="${logoURL}"/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/europdx/footer.tag

@@ -0,0 +1,35 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ attribute name="js" required="false"%>
+<%@ attribute name="baseURL" required="true"%>
+<%@ attribute name="samlResourcesURL" required="true"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
+<jsp:useBean id="date" class="java.util.Date" />
+
+<div id="footer">
+    <div class="row" style="margin: 0 auto; max-width: 1000px;">
+        <div class="col-md-6" style="float: left">
+            <img src="${samlResourcesURL}/module.php/europdx/res/img/eu_flag_128.png">
+            <p>The EDIReX project has received funding from the European Union’s Horizon 2020 research and innovation programme, grant agreement no. #731105</p>
+        </div>
+
+        <div class="col-md-6" style="float: right;">
+            <ul>
+                <li>
+                    <a href="http://www.twitter.com/EurOPDX"> Follow @EUROPDX</a>
+                </li>
+                <li>
+                    <a href="https://europdx.eu/#"> TERMS OF USE</a>
+                </li>
+            </ul>
+        </div>
+    </div>
+
+    <div class="row" style="text-align: center">
+        <div class="col-md-12 copyright">
+            <p> © 1991– 2019 | EuroPDX - <a href="mailto:contact@europdx.eu"> contact@europdx.eu </a></p>
+        </div>
+    </div>
+</div>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/europdx/header.tag

@@ -0,0 +1,22 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags/common" %>
+<%@ attribute name="title" required="true" %>
+<%@ attribute name="reqURL" required="true" %>
+<%@ attribute name="baseURL" required="true" %>
+<%@ attribute name="samlResourcesURL" required="true" %>
+<%@ attribute name="cssLinks" required="true" type="java.util.ArrayList<java.lang.String>" %>
+
+<c:set var="logoURL" value="${samlResourcesURL}/module.php/europdx/res/img/europdx_logo.png"/>
+
+<o:headerInit title="${title}" reqURL="${reqURL}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}" />
+
+<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/europdx/res/bootstrap/css/bootstrap.min.css" />
+<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/europdx/res/css/europdx.css" />
+
+<o:headerCssLinks cssLinks="${cssLinks}"/>
+
+</head>
+
+<o:headerBody logoURL="${logoURL}"/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/muni/footer.tag

@@ -0,0 +1,17 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+
+        </div>
+    </div>
+</main>
+
+<footer class="footer">
+    <div class="row-main">
+        <p class="footer__copyrights">
+            ${langProps['masaryk_university']}<br />
+            ${langProps['service']}${" "}<a href="https://it.muni.cz/sluzby/jednotne-prihlaseni-na-muni" target="_blank">${langProps['unified_login']}</a>${" "}${langProps['provided']}${" "}<a href="https://www.ics.muni.cz" target="_blank">${langProps['ics']}</a>
+        </p>
+    </div>
+</footer>
+
+</body>
+</html>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/muni/header.tag

@@ -0,0 +1,84 @@
+<%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags/common" %>
+<%@ attribute name="title" required="true" %>
+<%@ attribute name="reqURL" required="true" %>
+<%@ attribute name="baseURL" required="true" %>
+<%@ attribute name="samlResourcesURL" required="true" %>
+<%@ attribute name="cssLinks" required="true" type="java.util.ArrayList<java.lang.String>" %>
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html class="no-js touch no-touch" lang="${langProps['other_lang']}">
+<head>
+    <meta cahrset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="author" content="Masarykova univerzita" />
+
+    <title>${langProps['unified_login']} | ${title}</title>
+
+    <link rel="stylesheet" type="text/css" href="https://id.muni.cz/simplesaml/module.php/muni/css/bootstrap.min.css">
+    <link rel="stylesheet" type="text/css" href="https://id.muni.cz/simplesaml/module.php/muni/css/style-ie.css?1.2">
+    <link rel="stylesheet" type="text/css" href="https://id.muni.cz/simplesaml/module.php/muni/css/style.css?1.2">
+    <link rel="stylesheet" type="text/css" href="https://id.muni.cz/simplesaml/module.php/muni/css/style2.css?1.2">
+
+    <style type="text/css">
+        .checkbox-wrapper {
+            float: left;
+        }
+        .attrname-formatter {
+            display: block;
+            margin-left: 2em !important;
+        }
+    </style>
+
+    <o:headerCssLinks cssLinks="${cssLinks}"/>
+
+</head>
+
+<body>
+    <c:set var="alternateURL" value="${reqURL}&lang=${langProps['other_lang']}"/>
+    <p class="menu-accessibility">
+        <a title="${langProps['go_to_login_title']}" accesskey="2" href="#main">
+            ${langProps['go_to_login_text']}
+        </a>
+    </p>
+    <div class="header u-mb-0">
+        <div class="row-main">
+            <div class="header__wrap">
+                <h1 class="header__logo">
+                    <img src="${samlResourcesURL}/module.php/${theme}/img/${langProps['img_name']}.png"
+                         width="${langProps['img_width']}" height="${langProps['img_height']}" alt="${langProps['muni_logo']}"/>
+                </h1>
+                <div class="header__side">
+                    <div class="menu-lang" role="navigation">
+                        <p class="menu-lang__selected">
+                            <a href="${alternateURL}" rel="alternate" hreflang="${langProps['other_lang']}"
+                               lang="${langProps['other_lang']}" class="menu-lang__selected__link">
+                                ${langProps['other_language']}
+                            </a>
+                        </p>
+                    </div>
+                    <nav class="menu-mobile" role="navigation">
+                        <div class="menu-mobile__wrap">
+                            <div class="row-main">
+                                <ul class="menu-mobile__list">
+                                    <li class="menu-mobile__item">
+                                        <a href="${alternateURL}" rel="alternate" hreflang="${langProps['other_lang']}"
+                                            class="menu-mobile__link menu-mobile__link--lang" lang="${langProps['other_lang']}">
+                                            ${langProps['other_language']}
+                                        </a>
+                                    </li>
+                                </ul>
+                            </div>
+                        </div>
+                    </nav>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <!-- END MU HEADER -->
+    <main class="main">
+        <div class="box-hero box-hero--particles box-hero--login u-mb-0 u-pt-50">
+            <div class="row-main">
+                <div>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/task-config.xml

@@ -22,17 +22,4 @@
 	xsi:schemaLocation="http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-4.3.xsd
 		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">
 
-	<!-- Configuration for scheduled tasks -->
-	<task:scheduler id="taskScheduler" pool-size="10" /> 
-	<task:executor id="taskExecutor" pool-size="5" /> 
-	<task:annotation-driven scheduler="taskScheduler" executor="taskExecutor" /> 
-	
-	<!-- Schedule the token service and approved site service to clear out expired tokens and sites every 5 minutes -->
-	<task:scheduled-tasks scheduler="taskScheduler">
-	    <task:scheduled ref="defaultOAuth2ProviderTokenService" method="clearExpiredTokens" fixed-delay="300000" initial-delay="600000"/>
-	    <task:scheduled ref="defaultApprovedSiteService" method="clearExpiredSites" fixed-delay="300000" initial-delay="600000"/>
-	    <task:scheduled ref="defaultOAuth2AuthorizationCodeService" method="clearExpiredAuthorizationCodes" fixed-delay="300000" initial-delay="600000"/>
-	    <task:scheduled ref="defaultDeviceCodeService" method="clearExpiredDeviceCodes" fixed-delay="300000" initial-delay="600000"/>
-	</task:scheduled-tasks>
-
 </beans>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/ui-config.xml

@@ -31,7 +31,7 @@
 
 <!-- This file allows you to define components to the UI -->
 
-	<bean class="org.mitre.openid.connect.config.UIConfiguration" id="uiConfiguration">
+	<bean class="cz.muni.ics.openid.connect.config.UIConfiguration" id="uiConfiguration">
 		<property name="jsFiles">
 			<set>
 				<value>resources/js/client.js</value>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml

@@ -0,0 +1,824 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Replaces (overlays) the same-name file from project org.server.openid-connect-server-webapp.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	   xmlns:security="http://www.springframework.org/schema/security"
+	   xmlns:context="http://www.springframework.org/schema/context"
+	   xmlns:aop="http://www.springframework.org/schema/aop"
+	   xmlns:mvc="http://www.springframework.org/schema/mvc"
+	   xsi:schemaLocation="http://www.springframework.org/schema/security
+		 http://www.springframework.org/schema/security/spring-security.xsd
+		 http://www.springframework.org/schema/beans
+		 http://www.springframework.org/schema/beans/spring-beans.xsd
+		 http://www.springframework.org/schema/context
+		 http://www.springframework.org/schema/context/spring-context.xsd
+		 http://www.springframework.org/schema/aop
+		 http://www.springframework.org/schema/aop/spring-aop.xsd
+		 http://www.springframework.org/schema/mvc
+		 http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd">
+
+	<context:property-placeholder properties-ref="nonOverwrittenAttributeProperties" ignore-unresolvable="true" order="0"/>
+	<context:property-placeholder properties-ref="userAttrMappingsProperties" ignore-unresolvable="true" order="1"/>
+	<context:property-placeholder properties-ref="facilityAttrMappingsProperties" ignore-unresolvable="true" order="2"/>
+	<context:property-placeholder properties-ref="groupAttrMappingsProperties" ignore-unresolvable="true" order="3"/>
+	<context:property-placeholder properties-ref="voAttrMappingsProperties" ignore-unresolvable="true" order="4"/>
+	<context:property-placeholder properties-ref="resourceAttrMappingsProperties" ignore-unresolvable="true" order="5"/>
+	<context:property-placeholder properties-ref="coreProperties" order="6"/>
+
+	<context:component-scan base-package="cz.muni.ics.oidc"/>
+
+	<aop:aspectj-autoproxy proxy-target-class="true"/>
+
+	<mvc:interceptors>
+		<mvc:interceptor>
+			<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
+			<mvc:mapping path="/**" />
+			<mvc:exclude-mapping path="/token**"/>
+			<mvc:exclude-mapping path="/resources/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.IsTestSpController).MAPPING}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.AupController).URL}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_MAPPING}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_AUTHORIZATION}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_ENSURE_VO_MAPPING}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_IS_CESNET_ELIGIBLE_MAPPING}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_PROD_VOS_GROUPS}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_TEST_VOS_GROUPS}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_LOGGED_IN}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_SPECIFIC_MAPPING}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_CONTINUE_MAPPING}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_MAPPING}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_SUBMIT_MAPPING}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.RegistrationController).CONTINUE_DIRECT_MAPPING}**" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" />
+			<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" />
+			<mvc:exclude-mapping path="/saml**" />
+			<!-- Inject the UserInfo into the response -->
+			<ref bean="userInfoInterceptor" />
+		</mvc:interceptor>
+		<mvc:interceptor>
+			<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
+			<mvc:mapping path="/**" />
+			<mvc:exclude-mapping path="/token**"/>
+			<mvc:exclude-mapping path="/resources/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).URL}/**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**" />
+			<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**" />
+			<!-- Inject the server configuration into the response -->
+			<ref bean="serverConfigInterceptor"/>
+		</mvc:interceptor>
+	</mvc:interceptors>
+
+	<!-- default config values, by default override in file /etc/perun/perun-mitreid.properties -->
+	<bean id="defaultCoreProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<property name="properties">
+			<props>
+				<prop key="main.oidc.issuer.url">https://perun-dev.meta.zcu.cz/oidc/</prop>
+				<prop key="logo.image.url">resources/images/perun_24px.png</prop>
+				<prop key="topbar.title">Perun OIDC</prop>
+				<prop key="admins">3197,59835</prop>
+				<prop key="perun.adapter.callFallback">true</prop>
+				<prop key="fill.missing.user.attrs">true</prop>
+				<prop key="perun.adapter.primary">RPC</prop>
+				<!-- RPC -->
+				<prop key="perun.rpc.enabled">true</prop>
+				<prop key="perun.rpc.url">https://perun.elixir-czech.cz/krb/rpc</prop>
+				<prop key="perun.rpc.user">xxxxx</prop>
+				<prop key="perun.rpc.password">yyyyy</prop>
+				<prop key="perun.rpc.serializer">json</prop>
+				<!-- LDAP -->
+				<prop key="ldap.host">perun.cesnet.cz</prop>
+				<prop key="ldap.user">xxxxx</prop>
+				<prop key="ldap.password">yyyyyyy</prop>
+				<prop key="ldap.port">636</prop>
+				<prop key="ldap.starttls">true</prop>
+				<prop key="ldap.ssl">true</prop>
+				<prop key="ldap.password">yyyyyyy</prop>
+				<prop key="ldap.timeoutSecs">120</prop>
+				<prop key="ldap.baseDN">dc=perun,dc=cesnet,dc=cz</prop>
+				<prop key="ldap.allowUntrustedSsl">false</prop>
+				<!-- JDBC -->
+				<prop key="jdbc.driver">org.mariadb.jdbc.Driver</prop>
+				<prop key="jdbc.url">jdbc:mariadb://localhost:3306/oidc</prop>
+				<prop key="jdbc.user">oidc</prop>
+				<prop key="jdbc.password">oidc</prop>
+				<prop key="jdbc.platform">org.eclipse.persistence.platform.database.MySQLPlatform</prop>
+				<!-- SAML AUTH -->
+				<prop key="saml.entityID">https://login.cesnet.cz/oidc/</prop>
+				<prop key="saml.keystore.location">/etc/perun/perun-mitreid-saml-keystore.jks</prop>
+				<prop key="saml.keystore.password">pass</prop>
+				<prop key="saml.keystore.defaultKey">pass</prop>
+				<prop key="saml.keystore.defaultKeyPass">pass</prop>
+				<prop key="saml.idp.defaultIdpEntityId">https://login.cesnet.cz/idp/</prop>
+				<prop key="saml.idp.metadataLocation"/> <!-- i.e. /etc/perun/login-cesnet-metadata.xml -->
+				<prop key="saml.idp.metadataUrl"/> <!-- i.e. https://login.cesnet.cz/proxy/module.php/metadata -->
+				<prop key="saml.proxy.enabled">true</prop>
+				<prop key="saml.proxy.spEntityId">https://login.cesnet.cz/proxy/</prop>
+				<prop key="saml.acrs.reserverdPrefixes">urn:cesnet:</prop>
+				<prop key="saml.acrs.enableComparison">false</prop>
+				<!-- STATS JDBC -->
+				<prop key="stats.jdbc.url">jdbc:mariadb://localhost:3306/STATS</prop>
+				<prop key="stats.jdbc.user">user</prop>
+				<prop key="stats.jdbc.password">password</prop>
+				<!-- WEB INTERFACE -->
+				<prop key="web.theme">default</prop>
+				<prop key="web.langs">EN</prop> <!-- EN,CS,SK -->
+				<prop key="web.langs.customfiles.path">/etc/perun</prop>
+				<prop key="web.classes.path">/etc/perun/web/classes.properties</prop>
+				<prop key="web.baseURL">https://login.cesnet.cz/proxy</prop>
+				<prop key="email.contact">login@cesnet.cz</prop>
+				<!-- LOGIN -->
+				<prop key="idpFilters.askPerun.enabled">false</prop>
+				<prop key="registrar.url">https://perun-dev.cesnet.cz/allfed/registrar/</prop>
+				<prop key="proxy.extSource.name"/>
+				<prop key="proxy.base.url"/>
+				<prop key="proxy.login.url"/>
+				<prop key="proxy.logout.url"/>
+				<prop key="proxy.add_client_id_to_acrs">false</prop>
+				<!-- OIDC STUFF -->
+				<prop key="jwk">file:///etc/perun/perun-oidc-keystore.jwks</prop>
+				<prop key="id_token.scopes">openid,profile,email,phone,address</prop>
+				<prop key="custom.claims">organization,eppns</prop>
+				<prop key="accessTokenClaimsModifier">cz.muni.ics.oidc.server.PerunAccessTokenEnhancer.NoOpAccessTokenClaimsModifier</prop>
+				<prop key="force.regenerate.userinfo.custom.claims" />
+				<prop key="force.regenerate.userinfo.standard.claims" />
+				<!-- UES ATTRS -->
+				<prop key="ues.orgUrl.attr">urn:perun:ues:attribute-def:def:organizationURL</prop>
+				<prop key="ues.affiliations.attr">urn:perun:ues:attribute-def:def:affiliation</prop>
+				<!-- USERINFO MODIFIERS -->
+				<prop key="userInfo.modifiers"/>
+				<!-- REQUEST FILTERS -->
+				<prop key="filter.names">stats</prop>
+				<prop key="filter.stats.class">cz.muni.ics.oidc.server.filters.impl.ProxyStatisticsFilter</prop>
+				<prop key="filter.stats.idpNameAttributeName">sourceIdPName</prop>
+				<prop key="filter.stats.idpEntityIdAttributeName">sourceIdPEntityID</prop>
+				<prop key="filter.stats.statisticsTableName">statistics_per_user</prop>
+				<prop key="filter.stats.identityProvidersMapTableName">statistics_idp</prop>
+				<prop key="filter.stats.serviceProvidersMapTableName">statistics_sp</prop>
+			</props>
+		</property>
+	</bean>
+
+	<bean id="coreProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<property name="properties" ref="defaultCoreProperties"/>
+		<property name="locations">
+			<list>
+				<!-- PASSED FROM POM.XML / MAVEN BUILD PROPS -->
+				<value>file://${config.location}/perun-mitreid.properties</value>
+			</list>
+		</property>
+		<property name="ignoreResourceNotFound" value="false"/>
+	</bean>
+
+	<bean id="samlProperties" class="cz.muni.ics.oidc.saml.SamlProperties">
+		<property name="entityID" value="${saml.idp.defaultIdpEntityId}"/>
+		<property name="keystoreLocation" value="${saml.keystore.location}"/>
+		<property name="keystorePassword" value="${saml.keystore.password}"/>
+		<property name="keystoreDefaultKey" value="${saml.keystore.defaultKey}"/>
+		<property name="keystoreDefaultKeyPassword" value="${saml.keystore.defaultKeyPass}"/>
+		<property name="defaultIdpEntityId" value="${saml.idp.defaultIdpEntityId}"/>
+		<property name="idpMetadataFile" value="${saml.idp.metadataLocation}"/>
+		<property name="idpMetadataUrl" value="${saml.idp.metadataUrl}"/>
+		<property name="acrReservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
+	</bean>
+
+	<bean id="nonOverwrittenAttributeProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<property name="properties">
+			<props>
+				<prop key="user.attribute_names.fixedList">openid_sub,profile_preferred_username,profile_given_name,profile_middle_name,profile_family_name,profile_name,profile_zoneinfo,profile_locale,email_email,address_address_formatted,phone_phone,aups</prop>
+				<prop key="facility.attribute_names.fixedList">checkGroupMembership,allowRegistration,registrationUrl,dynamicRegistration,clientId,voShortNames,wayfFilter,wayfEFilter,requestedAups,capabilities,testSp</prop>
+				<prop key="group.attribute_names.fixedList"/>
+				<prop key="vo.attribute_names.fixedList">aup</prop>
+				<prop key="resource.attribute_names.fixedList">capabilities</prop>
+			</props>
+		</property>
+	</bean>
+
+	<bean id="defaultUserAttrProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<property name="properties">
+			<props>
+				<prop key="user.attribute_names.customList"/>
+				<!-- ATTRIBUTES MAPPINGS -->
+				<prop key="openid_sub.mapping.ldap">login;x-ns-einfraid-persistent-shadow</prop>
+				<prop key="openid_sub.mapping.rpc">urn:perun:user:attribute-def:core:id</prop>
+				<prop key="openid_sub.type">STRING</prop>
+				<prop key="profile_preferred_username.mapping.ldap">login;x-ns-einfra</prop>
+				<prop key="profile_preferred_username.mapping.rpc">urn:perun:user:attribute-def:def:login-namespace:einfra</prop>
+				<prop key="profile_preferred_username.type">STRING</prop>
+				<prop key="profile_given_name.mapping.ldap">givenName</prop>
+				<prop key="profile_given_name.mapping.rpc">urn:perun:user:attribute-def:core:firstName</prop>
+				<prop key="profile_given_name.type">STRING</prop>
+				<prop key="profile_middle_name.mapping.ldap">middleName</prop>
+				<prop key="profile_middle_name.mapping.rpc">urn:perun:user:attribute-def:core:middleName</prop>
+				<prop key="profile_middle_name.type">STRING</prop>
+				<prop key="profile_family_name.mapping.ldap">sn</prop>
+				<prop key="profile_family_name.mapping.rpc">urn:perun:user:attribute-def:core:lastName</prop>
+				<prop key="profile_family_name.type">STRING</prop>
+				<prop key="profile_name.mapping.ldap">displayName</prop>
+				<prop key="profile_name.mapping.rpc">urn:perun:user:attribute-def:core:displayName</prop>
+				<prop key="profile_name.type">STRING</prop>
+				<prop key="profile_zoneinfo.mapping.ldap">timezone</prop>
+				<prop key="profile_zoneinfo.mapping.rpc">urn:perun:user:attribute-def:def:timezone</prop>
+				<prop key="profile_zoneinfo.type">STRING</prop>
+				<prop key="profile_locale.mapping.ldap">preferredLanguage</prop>
+				<prop key="profile_locale.mapping.rpc">urn:perun:user:attribute-def:def:preferredLanguage</prop>
+				<prop key="profile_locale.type">STRING</prop>
+				<prop key="email_email.mapping.ldap">preferredMail</prop>
+				<prop key="email_email.mapping.rpc">urn:perun:user:attribute-def:def:preferredMail</prop>
+				<prop key="email_email.type">STRING</prop>
+				<prop key="phone_phone.mapping.ldap">telephoneNumber</prop>
+				<prop key="phone_phone.mapping.rpc">urn:perun:user:attribute-def:def:phone</prop>
+				<prop key="phone_phone.type">STRING</prop>
+				<prop key="address_address_formatted.mapping.ldap">postalAddress</prop>
+				<prop key="address_address_formatted.mapping.rpc">urn:perun:user:attribute-def:def:address</prop>
+				<prop key="address_address_formatted.type">STRING</prop>
+				<prop key="aups.mapping.ldap">aups</prop>
+				<prop key="aups.mapping.rpc">urn:perun:user:attribute-def:def:aups</prop>
+				<prop key="aups.type">MAP_KEY_VALUE</prop>
+				<prop key="aups.separator">=</prop>
+			</props>
+		</property>
+	</bean>
+
+	<bean id="userAttrMappingsProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<property name="properties" ref="defaultUserAttrProperties" />
+		<property name="locations">
+			<list>
+				<!-- PASSED FROM POM.XML / MAVEN BUILD PROPS -->
+				<value>file://${config.location}/user-attribute-mappings.properties</value>
+			</list>
+		</property>
+		<property name="ignoreResourceNotFound" value="true"/>
+	</bean>
+
+	<bean id="defaultFacilityAttrProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<property name="properties">
+			<props>
+				<prop key="facility.attribute_names.customList"/>
+				<!-- ATTRIBUTES MAPPINGS -->
+				<prop key="checkGroupMembership.mapping.ldap">checkGroupMembership</prop>
+				<prop key="checkGroupMembership.mapping.rpc">urn:perun:facility:attribute-def:def:checkGroupMembership</prop>
+				<prop key="checkGroupMembership.type">BOOLEAN</prop>
+				<prop key="allowRegistration.mapping.ldap">allowRegistration</prop>
+				<prop key="allowRegistration.mapping.rpc">urn:perun:facility:attribute-def:def:allowRegistration</prop>
+				<prop key="allowRegistration.type">BOOLEAN</prop>
+				<prop key="registrationUrl.mapping.ldap">registrationURL</prop>
+				<prop key="registrationUrl.mapping.rpc">urn:perun:facility:attribute-def:def:registrationURL</prop>
+				<prop key="registrationUrl.type">STRING</prop>
+				<prop key="dynamicRegistration.mapping.ldap">dynamicRegistration</prop>
+				<prop key="dynamicRegistration.mapping.rpc">urn:perun:facility:attribute-def:def:dynamicRegistration</prop>
+				<prop key="dynamicRegistration.type">BOOLEAN</prop>
+				<prop key="clientId.mapping.ldap">OIDCClientID</prop>
+				<prop key="clientId.mapping.rpc">urn:perun:facility:attribute-def:def:OIDCClientID</prop>
+				<prop key="clientId.type">STRING</prop>
+				<prop key="voShortNames.mapping.ldap">voShortNames</prop>
+				<prop key="voShortNames.mapping.rpc">urn:perun:facility:attribute-def:virt:voShortNames</prop>
+				<prop key="voShortNames.type">ARRAY</prop>
+				<prop key="wayfFilter.mapping.ldap">wayfFilter</prop>
+				<prop key="wayfFilter.mapping.rpc">urn:perun:facility:attribute-def:def:wayfFilter</prop>
+				<prop key="wayfFilter.type">STRING</prop>
+				<prop key="wayfEFilter.mapping.ldap">wayfEFilter</prop>
+				<prop key="wayfEFilter.mapping.rpc">urn:perun:facility:attribute-def:def:wayfEFilter</prop>
+				<prop key="wayfEFilter.type">STRING</prop>
+				<prop key="requestedAups.mapping.ldap">requiredAups</prop>
+				<prop key="requestedAups.mapping.rpc">urn:perun:facility:attribute-def:def:reqAups</prop>
+				<prop key="requestedAups.type">ARRAY</prop>
+				<prop key="capabilities.mapping.ldap">capabilities</prop>
+				<prop key="capabilities.mapping.rpc">urn:perun:facility:attribute-def:def:capabilities</prop>
+				<prop key="capabilities.type">ARRAY</prop>
+				<prop key="testSp.mapping.ldap">isTestSp</prop>
+				<prop key="testSp.mapping.rpc">urn:perun:facility:attribute-def:def:isTestSp</prop>
+				<prop key="testSp.type">BOOLEAN</prop>
+			</props>
+		</property>
+	</bean>
+
+	<bean id="facilityAttrMappingsProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<property name="properties" ref="defaultFacilityAttrProperties" />
+		<property name="locations">
+			<list>
+				<!-- PASSED FROM POM.XML / MAVEN BUILD PROPS -->
+				<value>file://${config.location}/facility-attribute-mappings.properties</value>
+			</list>
+		</property>
+		<property name="ignoreResourceNotFound" value="true"/>
+	</bean>
+
+	<bean id="defaultGroupAttrProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<property name="properties">
+			<props>
+				<prop key="group.attribute_names.customList"/>
+			</props>
+		</property>
+	</bean>
+
+	<bean id="groupAttrMappingsProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<property name="properties" ref="defaultGroupAttrProperties" />
+		<property name="locations">
+			<list>
+				<!-- PASSED FROM POM.XML / MAVEN BUILD PROPS -->
+				<value>file://${config.location}/group-attribute-mappings.properties</value>
+			</list>
+		</property>
+		<property name="ignoreResourceNotFound" value="true"/>
+	</bean>
+
+	<bean id="defaultVoAttrProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<property name="properties">
+			<props>
+				<prop key="vo.attribute_names.customList"/>
+				<!-- ATTRIBUTES MAPPINGS -->
+				<prop key="aup.mapping.ldap">aup</prop>
+				<prop key="aup.mapping.rpc">urn:perun:vo:attribute-def:def:aup</prop>
+				<prop key="aup.type">LARGE_STRING</prop>
+			</props>
+		</property>
+	</bean>
+
+	<bean id="voAttrMappingsProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<property name="properties" ref="defaultVoAttrProperties" />
+		<property name="locations">
+			<list>
+				<!-- PASSED FROM POM.XML / MAVEN BUILD PROPS -->
+				<value>file://${config.location}/vo-attribute-mappings.properties</value>
+			</list>
+		</property>
+		<property name="ignoreResourceNotFound" value="true"/>
+	</bean>
+
+	<bean id="defaultResourceAttrProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<property name="properties">
+			<props>
+				<prop key="resource.attribute_names.customList"/>
+				<!-- ATTRIBUTES MAPPINGS -->
+				<prop key="capabilities.mapping.ldap">capabilities</prop>
+				<prop key="capabilities.mapping.rpc">urn:perun:resource:attribute-def:def:capabilities</prop>
+				<prop key="capabilities.type">ARRAY</prop>
+			</props>
+		</property>
+	</bean>
+
+	<bean id="resourceAttrMappingsProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
+		<property name="properties" ref="defaultResourceAttrProperties" />
+		<property name="locations">
+			<list>
+				<!-- PASSED FROM POM.XML / MAVEN BUILD PROPS -->
+				<value>file://${config.location}/resource-attribute-mappings.properties</value>
+			</list>
+		</property>
+		<property name="ignoreResourceNotFound" value="true"/>
+	</bean>
+
+	<!-- defines our own user info service -->
+	<bean id="userInfoService" primary="true" class="cz.muni.ics.oidc.server.userInfo.PerunUserInfoService">
+		<property name="perunAdapter" ref="perunAdapter"/>
+		<property name="subAttribute" value="openid_sub"/>
+		<property name="preferredUsernameAttribute" value="profile_preferred_username"/>
+		<property name="givenNameAttribute" value="profile_given_name"/>
+		<property name="familyNameAttribute" value="profile_family_name"/>
+		<property name="middleNameAttribute" value="profile_middle_name"/>
+		<property name="fullNameAttribute" value="profile_name"/>
+		<property name="emailAttribute" value="email_email"/>
+		<property name="addressAttribute" value="address_address_formatted"/>
+		<property name="phoneAttribute" value="phone_phone"/>
+		<property name="zoneinfoAttribute" value="profile_zoneinfo"/>
+		<property name="localeAttribute" value="profile_locale"/>
+		<property name="properties" ref="coreProperties"/>
+		<property name="customClaimNames" value="#{'${custom.claims}'.split('\s*,\s*')}"/>
+		<property name="forceRegenerateUserinfoCustomClaims" value="#{'${force.regenerate.userinfo.custom.claims}'.split('\s*,\s*')}"/>
+		<property name="forceRegenerateUserinfoStandardClaims" value="#{'${force.regenerate.userinfo.standard.claims}'.split('\s*,\s*')}"/>
+	</bean>
+
+	<!-- replaces default translation service with our own for custom scope with custom claims. -->
+	<bean id="scopeClaimTranslator" primary="true" class="cz.muni.ics.oidc.server.PerunScopeClaimTranslationService">
+		<property name="perunUserInfoService" ref="userInfoService"/>
+	</bean>
+
+	<bean id="introspectionResultAssembler" class="cz.muni.ics.oidc.server.PerunIntrospectionResultAssembler" primary="true">
+		<constructor-arg name="configBean" ref="configBean"/>
+		<constructor-arg name="translator" ref="scopeClaimTranslator"/>
+	</bean>
+
+	<bean id="perunOidcConfig" class="cz.muni.ics.oidc.server.configurations.PerunOidcConfig">
+		<property name="rpcEnabled" value="${perun.rpc.enabled}"/>
+		<property name="rpcUrl" value="${perun.rpc.url}"/>
+		<property name="configBean" ref="configBean"/>
+		<property name="jwk" value="${jwk}"/>
+		<property name="jdbcUrl" value="${jdbc.url}"/>
+		<property name="theme" value="${web.theme}"/>
+		<property name="samlLoginURL" value="${proxy.login.url}"/>
+		<property name="samlLogoutURL" value="${proxy.logout.url}"/>
+		<property name="samlResourcesURL" value="${proxy.base.url}"/>
+		<property name="baseURL" value="${web.baseURL}"/>
+		<property name="registrarUrl" value="${registrar.url}"/>
+		<property name="fillMissingUserAttrs" value="${fill.missing.user.attrs}"/>
+		<property name="askPerunForIdpFiltersEnabled" value="${idpFilters.askPerun.enabled}"/>
+		<property name="proxyExtSourceName" value="${proxy.extSource.name}"/>
+		<property name="idTokenScopes" value="#{'${id_token.scopes}'.split('\s*,\s*')}"/>
+		<property name="availableLangs" value="#{'${web.langs}'.split('\s*,\s*')}"/>
+		<property name="localizationFilesPath" value="${web.langs.customfiles.path}"/>
+		<property name="webClassesFilePath" value="${web.classes.path}"/>
+		<property name="emailContact" value="${email.contact}"/>
+		<property name="addClientIdToAcrs" value="${proxy.add_client_id_to_acrs}"/>
+	</bean>
+
+	<bean id="facilityAttrsConfig" class="cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig">
+		<property name="checkGroupMembershipAttr" value="checkGroupMembership" />
+		<property name="allowRegistrationAttr" value="allowRegistration" />
+		<property name="registrationURLAttr" value="registrationURL" />
+		<property name="dynamicRegistrationAttr" value="dynamicRegistration" />
+		<property name="voShortNamesAttr" value="voShortNames" />
+		<property name="wayfFilterAttr" value="wayfFilter" />
+		<property name="wayfEFilterAttr" value="wayfEFilter" />
+		<property name="testSpAttr" value="testSp" />
+	</bean>
+
+	<!-- authentication -->
+
+	<!--suppress SpringXmlModelInspection -->
+	<security:http auto-config="false"
+				   use-expressions="true"
+				   entry-point-ref="samlEntryPoint"
+				   create-session="always"
+				   authentication-manager-ref="authenticationManager">
+		<security:csrf disabled="true"/>
+		<security:intercept-url pattern="/saml/**" access="permitAll()"/>
+		<security:intercept-url pattern="/logout" access="permitAll()"/>
+		<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" access="permitAll()"/>
+		<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" access="permitAll()"/>
+		<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
+		<security:custom-filter ref="mdcMuFilter" before="FIRST"/>
+		<security:custom-filter ref="metadataGeneratorFilter" before="CHANNEL_FILTER"/>
+		<security:custom-filter ref="clearSessionFilter" after="CHANNEL_FILTER"/>
+		<security:custom-filter ref="samlFilter" before="CSRF_FILTER"/>
+		<security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
+		<security:custom-filter ref="callPerunFiltersFilter" before="LAST"/>
+		<security:logout logout-url="/saml/logout"/>
+	</security:http>
+
+	<security:authentication-manager id="authenticationManager">
+		<security:authentication-provider ref="authenticationProvider"/>
+	</security:authentication-manager>
+
+	<bean id="mdcMuFilter" class="cz.muni.ics.oidc.server.filters.impl.MultiMDCFilter"/>
+
+	<!-- SAML -->
+
+	<bean id="clearSessionFilter" class="cz.muni.ics.oidc.saml.SamlInvalidateSessionFilter">
+		<constructor-arg name="pattern" value="/authorize**"/>
+		<constructor-arg name="oidcIssuer" value="${main.oidc.issuer.url}"/>
+		<constructor-arg name="idpEntityId" value="${saml.idp.defaultIdpEntityId}"/>
+		<constructor-arg name="proxyEnabled" value="${saml.proxy.enabled}"/>
+		<constructor-arg name="proxySpEntityId" value="${saml.proxy.spEntityId}"/>
+		<constructor-arg name="contextLogoutHandler" ref="logoutHandler"/>
+	</bean>
+	<bean id="samlDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
+		<property name="contextProvider" ref="samlContextProvider"/>
+		<property name="samlEntryPoint" ref="samlEntryPoint"/>
+		<property name="metadata" ref="metadata"/>
+	</bean>
+
+	<bean id="successRedirectHandler" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationSuccessHandler">
+		<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_SUCCESS}"/>
+	</bean>
+
+	<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
+		<property name="defaultFailureUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}"/>
+		<property name="useForward" value="true"/>
+	</bean>
+
+	<bean id="successLogoutHandler" class="cz.muni.ics.oidc.saml.PerunOidcLogoutSuccessHandler">
+		<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}"/>
+		<property name="targetUrlParameter" value="#{T(cz.muni.ics.oidc.server.filters.PerunFilterConstants).PARAM_TARGET}"/>
+	</bean>
+
+	<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
+		<property name="clearAuthentication" value="true"/>
+		<property name="invalidateHttpSession" value="true"/>
+	</bean>
+
+	<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
+		<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
+		<constructor-arg name="handlers" ref="logoutHandler"/>
+	</bean>
+
+	<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
+		<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
+		<constructor-arg name="localHandler" ref="logoutHandler"/>
+		<constructor-arg name="globalHandlers" ref="logoutHandler"/>
+	</bean>
+
+	<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
+		<constructor-arg name="storeFile">
+			<bean class="org.springframework.core.io.FileSystemResource">
+				<constructor-arg name="path" value="${saml.keystore.location}"/>
+			</bean>
+		</constructor-arg>
+		<constructor-arg name="storePass" value="${saml.keystore.password}"/>
+		<constructor-arg name="passwords">
+			<map>
+				<entry key="${saml.keystore.defaultKey}" value="${saml.keystore.defaultKeyPass}"/>
+			</map>
+		</constructor-arg>
+		<constructor-arg name="defaultKey" value="${saml.keystore.defaultKey}"/>
+	</bean>
+
+	<bean id="extendedMetadata" class="org.springframework.security.saml.metadata.ExtendedMetadata">
+		<property name="idpDiscoveryEnabled" value="false"/>
+	</bean>
+
+	<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
+		<constructor-arg name="generator">
+			<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
+				<property name="includeDiscoveryExtension" value="false"/>
+				<property name="entityId" value="${saml.entityID}"/>
+				<property name="extendedMetadata" ref="extendedMetadata"/>
+				<property name="wantAssertionSigned" value="true"/>
+				<property name="requestSigned" value="true"/>
+			</bean>
+		</constructor-arg>
+		<property name="normalizeBaseUrl" value="true"/>
+	</bean>
+
+	<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
+
+	<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
+		<property name="defaultIDP" value="${saml.idp.defaultIdpEntityId}"/>
+		<property name="refreshCheckInterval" value="60000"/>
+		<property name="refreshRequired" value="false"/>
+		<constructor-arg name="providers">
+			<list>
+				<ref bean="idpMetadata"/>
+			</list>
+		</constructor-arg>
+	</bean>
+
+	<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
+
+	<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
+
+	<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
+		<constructor-arg name="bindings">
+			<list>
+				<bean id="httpPostBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
+					<constructor-arg name="parserPool" ref="parserPool"/>
+					<constructor-arg name="velocityEngine" value="#{T(org.springframework.security.saml.util.VelocityFactory).getEngine()}"/>
+				</bean>
+				<bean id="httpRedirectDeflateBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
+					<constructor-arg name="parserPool" ref="parserPool"/>
+				</bean>
+			</list>
+		</constructor-arg>
+	</bean>
+
+	<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
+		<property name="authenticationManager" ref="authenticationManager"/>
+		<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
+		<property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
+	</bean>
+
+	<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
+		<constructor-arg name="filterChains">
+			<list>
+				<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
+					<constructor-arg name="requestMatcher">
+						<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+							<constructor-arg name="pattern"
+											 value="#{T(org.springframework.security.saml.metadata.MetadataDisplayFilter).FILTER_URL}/**"/>
+						</bean>
+					</constructor-arg>
+					<constructor-arg name="filters">
+						<list>
+							<ref bean="metadataDisplayFilter"/>
+						</list>
+					</constructor-arg>
+				</bean>
+				<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
+					<constructor-arg name="requestMatcher">
+						<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+							<constructor-arg name="pattern"
+											 value="#{T(org.springframework.security.saml.SAMLProcessingFilter).FILTER_URL}"/>
+						</bean>
+					</constructor-arg>
+					<constructor-arg name="filters">
+						<list>
+							<ref bean="samlWebSSOProcessingFilter"/>
+						</list>
+					</constructor-arg>
+				</bean>
+				<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
+					<constructor-arg name="requestMatcher">
+						<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+							<constructor-arg name="pattern"
+											 value="#{T(org.springframework.security.saml.SAMLDiscovery).FILTER_URL}"/>
+						</bean>
+					</constructor-arg>
+					<constructor-arg name="filters">
+						<list>
+							<ref bean="samlDiscovery"/>
+						</list>
+					</constructor-arg>
+				</bean>
+				<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
+					<constructor-arg name="requestMatcher">
+						<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+							<constructor-arg name="pattern"
+											 value="#{T(org.springframework.security.saml.SAMLEntryPoint).FILTER_URL}"/>
+						</bean>
+					</constructor-arg>
+					<constructor-arg name="filters">
+						<list>
+							<ref bean="samlEntryPoint"/>
+						</list>
+					</constructor-arg>
+				</bean>
+				<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
+					<constructor-arg name="requestMatcher">
+						<bean class="org.springframework.security.web.util.matcher.OrRequestMatcher">
+							<constructor-arg name="requestMatchers">
+								<list>
+									<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+										<constructor-arg name="pattern"
+														 value="#{T(org.springframework.security.saml.SAMLLogoutFilter).FILTER_URL}"/>
+									</bean>
+									<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+										<constructor-arg name="pattern" value="/logout"/>
+									</bean>
+								</list>
+							</constructor-arg>
+						</bean>
+					</constructor-arg>
+					<constructor-arg name="filters">
+						<list>
+							<ref bean="samlLogoutFilter"/>
+						</list>
+					</constructor-arg>
+				</bean>
+				<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
+					<constructor-arg name="requestMatcher">
+						<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+							<constructor-arg name="pattern" value="#{T(org.springframework.security.saml.SAMLLogoutProcessingFilter).FILTER_URL}/**"/>
+						</bean>
+					</constructor-arg>
+					<constructor-arg name="filters">
+						<list>
+							<ref bean="samlLogoutProcessingFilter"/>
+						</list>
+					</constructor-arg>
+				</bean>
+			</list>
+		</constructor-arg>
+	</bean>
+
+	<bean id="webSSOProfileOptions" class="org.springframework.security.saml.websso.WebSSOProfileOptions">
+		<property name="includeScoping" value="false"/>
+	</bean>
+
+	<bean id="samlEntryPoint" class="cz.muni.ics.oidc.saml.PerunSamlEntryPoint">
+		<property name="defaultProfileOptions" ref="webSSOProfileOptions"/>
+	</bean>
+
+	<bean id="samlContextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
+
+	<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger">
+		<property name="logMessagesOnException" value="true"/>
+		<property name="logErrors" value="true"/>
+	</bean>
+
+	<bean id="singleLogoutProfile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
+
+	<bean id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl">
+		<property name="enableComparison" value="${saml.acrs.enableComparison}"/>
+		<property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
+		<property name="maxAuthenticationAge" value="360"/>
+	</bean>
+
+	<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
+
+	<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
+
+	<bean id="samlUserDetailsService" class="cz.muni.ics.oidc.saml.PerunSamlUserDetailsService"/>
+
+	<bean id="authenticationProvider" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationProvider">
+		<constructor-arg name="adminIds" value="#{'${admins}'.split('\s*,\s*')}"/>
+	</bean>
+
+	<bean class="org.springframework.security.saml.SAMLBootstrap"/>
+
+	<!-- END SAML -->
+
+	<bean id="accessTokenClaimsModifier" class="${accessTokenClaimsModifier}"/>
+
+	<bean id="tokenEnhancer" class="cz.muni.ics.oidc.server.PerunAccessTokenEnhancer" primary="true">
+		<property name="accessTokenClaimsModifier" ref="accessTokenClaimsModifier"/>
+		<constructor-arg name="configBean" ref="configBean"/>
+		<constructor-arg name="clientService" ref="defaultOAuth2ClientDetailsEntityService"/>
+		<constructor-arg name="jwtService" ref="defaultsignerService"/>
+		<constructor-arg name="connectTokenService" ref="oidcTokenService"/>
+		<constructor-arg name="userInfoService" ref="userInfoService"/>
+	</bean>
+
+	<bean id="oidcTokenService" class="cz.muni.ics.oidc.server.PerunOIDCTokenService" primary="true"/>
+
+	<bean id="callPerunFiltersFilter" class="cz.muni.ics.oidc.server.filters.CallPerunFiltersFilter"/>
+
+	<bean id="localization" class="cz.muni.ics.oidc.web.langs.Localization">
+		<constructor-arg name="perunOidcConfig" ref="perunOidcConfig"/>
+	</bean>
+
+	<bean id="htmlClasses" class="cz.muni.ics.oidc.web.WebHtmlClasses">
+		<constructor-arg name="perunOidcConfig" ref="perunOidcConfig"/>
+	</bean>
+
+	<!-- communicates with Perun -->
+
+	<bean id="perunConnectorRpc" class="cz.muni.ics.oidc.server.connectors.PerunConnectorRpc">
+		<constructor-arg name="perunUrl" value="${perun.rpc.url}"/>
+		<constructor-arg name="perunUser" value="${perun.rpc.user}"/>
+		<constructor-arg name="perunPassword" value="${perun.rpc.password}"/>
+		<constructor-arg name="enabled" value="${perun.rpc.enabled}"/>
+		<constructor-arg name="serializer" value="${perun.rpc.serializer}"/>
+	</bean>
+
+	<bean id="perunAdapterMethodsRpc" class="cz.muni.ics.oidc.server.adapters.impl.PerunAdapterRpc">
+		<property name="connectorRpc" ref="perunConnectorRpc"/>
+		<property name="oidcClientIdAttr" value="clientId" />
+		<property name="oidcCheckMembershipAttr" value="checkGroupMembership"/>
+		<property name="affiliationsAttr" value="${ues.affiliations.attr}"/>
+		<property name="orgUrlAttr" value="${ues.orgUrl.attr}"/>
+	</bean>
+
+	<bean id="perunConnectorLdap" class="cz.muni.ics.oidc.server.connectors.PerunConnectorLdap">
+		<constructor-arg name="ldapHost" value="${ldap.host}"/>
+		<constructor-arg name="ldapUser" value="${ldap.user}"/>
+		<constructor-arg name="ldapPassword" value="${ldap.password}"/>
+		<constructor-arg name="port" value="${ldap.port}"/>
+		<constructor-arg name="useTLS" value="${ldap.starttls}"/>
+		<constructor-arg name="useSSL" value="${ldap.ssl}"/>
+		<constructor-arg name="timeoutSecs" value="${ldap.timeoutSecs}"/>
+		<constructor-arg name="baseDN" value="${ldap.baseDN}"/>
+		<constructor-arg name="allowUntrustedSsl" value="${ldap.allowUntrustedSsl}"/>
+	</bean>
+
+	<bean id="perunAdapterMethodsLdap" class="cz.muni.ics.oidc.server.adapters.impl.PerunAdapterLdap">
+		<property name="connectorLdap" ref="perunConnectorLdap"/>
+		<property name="oidcClientIdAttr" value="clientId" />
+		<property name="oidcCheckMembershipAttr" value="checkGroupMembership"/>
+	</bean>
+
+	<bean id="userAttributesMappingService" class="cz.muni.ics.oidc.server.AttributeMappingsService">
+		<constructor-arg name="attrIdentifiersFixed" value="#{'${user.attribute_names.fixedList}'.split('\s*,\s*')}" />
+		<constructor-arg name="attrIdentifiersCustom" value="#{'${user.attribute_names.customList}'.split('\s*,\s*')}" />
+		<constructor-arg name="attrMappingsProperties" ref="userAttrMappingsProperties" />
+	</bean>
+
+	<bean id="facilityAttributesMappingService" class="cz.muni.ics.oidc.server.AttributeMappingsService">
+		<constructor-arg name="attrIdentifiersFixed" value="#{'${facility.attribute_names.fixedList}'.split('\s*,\s*')}" />
+		<constructor-arg name="attrIdentifiersCustom" value="#{'${facility.attribute_names.customList}'.split('\s*,\s*')}" />
+		<constructor-arg name="attrMappingsProperties" ref="facilityAttrMappingsProperties" />
+	</bean>
+
+	<bean id="groupAttributesMappingService" class="cz.muni.ics.oidc.server.AttributeMappingsService">
+		<constructor-arg name="attrIdentifiersFixed" value="#{'${group.attribute_names.fixedList}'.split('\s*,\s*')}" />
+		<constructor-arg name="attrIdentifiersCustom" value="#{'${group.attribute_names.customList}'.split('\s*,\s*')}" />
+		<constructor-arg name="attrMappingsProperties" ref="groupAttrMappingsProperties" />
+	</bean>
+
+	<bean id="voAttributesMappingService" class="cz.muni.ics.oidc.server.AttributeMappingsService">
+		<constructor-arg name="attrIdentifiersFixed" value="#{'${vo.attribute_names.fixedList}'.split('\s*,\s*')}" />
+		<constructor-arg name="attrIdentifiersCustom" value="#{'${vo.attribute_names.customList}'.split('\s*,\s*')}" />
+		<constructor-arg name="attrMappingsProperties" ref="voAttrMappingsProperties" />
+	</bean>
+
+	<bean id="resourceAttributesMappingService" class="cz.muni.ics.oidc.server.AttributeMappingsService">
+		<constructor-arg name="attrIdentifiersFixed" value="#{'${resource.attribute_names.fixedList}'.split('\s*,\s*')}" />
+		<constructor-arg name="attrIdentifiersCustom" value="#{'${resource.attribute_names.customList}'.split('\s*,\s*')}" />
+		<constructor-arg name="attrMappingsProperties" ref="resourceAttrMappingsProperties" />
+	</bean>
+
+	<bean id="perunAdapter" class="cz.muni.ics.oidc.server.adapters.impl.PerunAdapterImpl">
+		<property name="adapterLdap" ref="perunAdapterMethodsLdap"/>
+		<property name="adapterRpc" ref="perunAdapterMethodsRpc"/>
+		<property name="adapterFallback" ref="perunAdapterMethodsRpc"/>
+		<property name="adapterPrimary" ref="#{ '${perun.adapter.primary}' == 'LDAP' ? 'perunAdapterMethodsLdap' : 'perunAdapterMethodsRpc'}"/>
+		<property name="callFallback" value="${perun.adapter.callFallback}"/>
+	</bean>
+
+</beans>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/aup.jsp

@@ -0,0 +1,39 @@
+<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ page import="java.util.ArrayList" %>
+<%@ page import="java.util.List" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
+
+<%
+
+List<String> cssLinks = new ArrayList<>();
+
+pageContext.setAttribute("cssLinks", cssLinks);
+
+%>
+
+<t:header title="${langProps['aup_header']}" reqURL="${reqURL}" baseURL="${baseURL}" cssLinks="${cssLinks}" theme="${theme}"/>
+
+<h1>${langProps['aup_header']}</h1>
+
+</div> <%-- header --%>
+
+<div id="content">
+    <h3>${langProps['must_agree_aup']}</h3>
+    <form method="POST" action="">
+        <c:forEach var="aup" items="${newAups}">
+            <div>
+                <p style="font-size: 16px; padding: 0; margin: 0;">${langProps['org_vo']} ${" "}<strong><c:out value="${aup.key}"/></strong></p>
+                <p>${langProps['see_aup']}${" "}${aup.value.version}${" "}<a href="<c:out value="${aup.value.link}"/>">${langProps['here']}</a></p>
+            </div>
+        </c:forEach>
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
+        <div class="form-group">
+            <input type="submit" value="${langProps['agree_aup']}" class="btn btn-lg btn-primary btn-block">
+        </div>
+    </form>
+</div>
+</div><!-- wrap -->
+
+<t:footer baseURL="${baseURL}" theme="${theme}"/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/continue_direct.jsp

@@ -0,0 +1,34 @@
+<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ page import="java.util.ArrayList" %>
+<%@ page import="java.util.List" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
+
+<%
+
+List<String> cssLinks = new ArrayList<>();
+
+pageContext.setAttribute("cssLinks", cssLinks);
+
+%>
+
+<t:header title="${langProps['continue_direct_title']}" reqURL="${reqURL}" baseURL="${baseURL}"
+          cssLinks="${cssLinks}" theme="${theme}"/>
+
+<h1>${langProps['continue_direct_header']}</h1>
+
+</div> <%-- header --%>
+
+<div id="content">
+    <div id="head">
+        <h1>${langProps['continue_direct_heading']}</h1>
+    </div>
+    <p>${langProps['continue_direct_text']}</p>
+    <hr/>
+    <br/>
+    <a href="${fn:escapeXml(target)} "class="btn btn-lg btn-primary btn-block">${langProps['continue_direct_btn']}</a>
+</div>
+</div><!-- wrap -->
+
+<t:footer baseURL="${baseURL}" theme="${theme}"/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/isTestSpWarning.jsp

@@ -0,0 +1,39 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8" trimDirectiveWhitespaces="true" %>
+<%@ page import="java.util.ArrayList" %>
+<%@ page import="java.util.List" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common"%>
+
+
+<c:set var="baseURL" value="${baseURL}"/>
+<c:set var="samlResourcesURL" value="${samlResourcesURL}"/>
+
+<%
+    List<String> cssLinks = new ArrayList<>();
+    pageContext.setAttribute("cssLinks", cssLinks);
+%>
+
+<t:header title="${langProps['is_test_sp_warning_title']}" reqURL="${reqURL}"
+          baseURL="${baseURL}" cssLinks="${cssLinks}" theme="${theme}"/>
+
+</div> <%-- header --%>
+
+<div id="content">
+    <div id="head">
+        <h1>${langProps['is_test_sp_warning_header']}</h1>
+    </div>
+    <p>${langProps['is_test_sp_warning_text']}</p>
+
+    <form method="GET" action="${action}">
+        <hr/>
+        <br/>
+        <input type="hidden" name="target" value="${fn:escapeXml(target)}">
+        <input type="hidden" name="accepted" value="true">
+        <input type="submit" name="continue" value="${langProps['is_test_sp_warning_continue']}"
+               class="btn btn-lg btn-primary btn-block">
+    </form>
+</div>
+</div><!-- ENDWRAP -->
+
+<t:footer baseURL="${baseURL}" theme="${theme}"/>