diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/web/ScopeAPI.java b/openid-connect-server/src/main/java/org/mitre/oauth2/web/ScopeAPI.java
index 823674b85..0cae172d0 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/ScopeAPI.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/ScopeAPI.java
@@ -25,6 +25,7 @@ import com.google.gson.Gson;
 */
 @Controller
 @RequestMapping("/api/scopes")
+@PreAuthorize("hasRole('ROLE_USER')")
 public class ScopeAPI {
@@ -92,6 +93,7 @@ public class ScopeAPI {
 }
 }
+ @PreAuthorize("hasRole('ROLE_ADMIN')")
 @RequestMapping(value = "", method = RequestMethod.POST, produces = "application/json", consumes = "application/json")
 public String createScope(@RequestBody String json, ModelMap m) {
 SystemScope scope = gson.fromJson(json, SystemScope.class);
@@ -111,6 +113,7 @@ public class ScopeAPI {
 }
 }
+ @PreAuthorize("hasRole('ROLE_ADMIN')")
 @RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
 public String deleteScope(@PathVariable("id") Long id, ModelMap m) {
 SystemScope existing = scopeService.getById(id);
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
index 563b70a99..cdda3d980 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
@@ -54,7 +54,7 @@ import com.google.gson.JsonParser;
 @Controller
 @RequestMapping("/api/clients")
-@PreAuthorize("hasRole('ROLE_ADMIN')")
+@PreAuthorize("hasRole('ROLE_USER')")
 public class ClientAPI {
 @Autowired
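Review bot: ScopeAPI now admits ROLE_USER at class level, but only createScope (the @@ -92 hunk) and deleteScope (the @@ -111 hunk) receive a method-level ROLE_ADMIN, whereas ClientAPI and WhitelistAPI in this same commit re-restrict POST, PUT and DELETE alike. If ScopeAPI has a PUT update handler outside these hunks, it inherits `hasRole('ROLE_USER')` from the class annotation and any authenticated user could rewrite scope definitions; please confirm every handler that writes through scopeService carries `@PreAuthorize("hasRole('ROLE_ADMIN')")`. Note also that before this change the class had no @PreAuthorize at all, so whatever guarded /api/scopes was outside this file; whether unauthenticated reads were meant to stop working is worth stating in the commit.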
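Review bot: Lowering the class-level guard on ClientAPI to ROLE_USER makes every handler that does not carry its own @PreAuthorize reachable by any authenticated account, and only the POST/PUT/DELETE handlers are re-restricted here, so the read handlers outside these hunks now serve the full client registration list and individual records to ordinary users. If the JSON those read handlers emit includes the registered client secret (the serializer is not visible here), that is a credential disclosure to every ROLE_USER account, and such fields should be stripped for non-admin callers. The same relaxation is applied to WhitelistAPI in its @@ -28,7 hunk. A deny-by-default arrangement is safer: keep `@PreAuthorize("hasRole('ROLE_ADMIN')")` on the class and put `@PreAuthorize("hasRole('ROLE_USER')")` only on the specific read handlers intended for ordinary users, so a handler added later is admin-only unless someone explicitly opens it.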
@@ -120,6 +120,7 @@ public class ClientAPI {
 * @param principal
 * @return
 */
+ @PreAuthorize("hasRole('ROLE_ADMIN')")
 @RequestMapping(method = RequestMethod.POST, consumes = "application/json", produces = "application/json")
 public String apiAddClient(@RequestBody String jsonString, Model m, Authentication auth) {
@@ -160,6 +161,7 @@ public class ClientAPI {
 * @param principal
 * @return
 */
+ @PreAuthorize("hasRole('ROLE_ADMIN')")
 @RequestMapping(value="/{id}", method = RequestMethod.PUT, consumes = "application/json", produces = "application/json")
 public String apiUpdateClient(@PathVariable("id") Long id, @RequestBody String jsonString, Model m, Authentication auth) {
@@ -204,6 +206,7 @@ public class ClientAPI {
 * @param modelAndView
 * @return
 */
+ @PreAuthorize("hasRole('ROLE_ADMIN')")
 @RequestMapping(value="/{id}", method=RequestMethod.DELETE)
 public String apiDeleteClient(@PathVariable("id") Long id, ModelAndView modelAndView) {
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/WhitelistAPI.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/WhitelistAPI.java
index bc936bf2d..6a4f299b7 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/WhitelistAPI.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/WhitelistAPI.java
@@ -28,7 +28,7 @@ import com.google.gson.JsonParser;
 */
 @Controller
 @RequestMapping("/api/whitelist")
-@PreAuthorize("hasRole('ROLE_ADMIN')")
+@PreAuthorize("hasRole('ROLE_USER')")
 public class WhitelistAPI {
 @Autowired
@@ -59,6 +59,7 @@ public class WhitelistAPI {
 * @param p
 * @return
 */
+ @PreAuthorize("hasRole('ROLE_ADMIN')")
 @RequestMapping(method = RequestMethod.POST, consumes = "application/json", produces = "application/json")
 public String addNewWhitelistedSite(@RequestBody String jsonString, ModelMap m, Principal p) {
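Review bot: The Javadoc above apiAddClient still documents `@param principal`, but the parameter is named `auth`, and the same mismatch sits above apiUpdateClient in the @@ -160 hunk, so the generated documentation no longer matches the signatures. Neither Javadoc records that these handlers are admin-only now that the class-level guard says ROLE_USER, which is exactly what a reader of the docs would need to know. Suggest `* @param auth the authenticated caller; this handler requires ROLE_ADMIN` in both places. Both method bodies continue outside the hunks.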
@@ -80,6 +81,7 @@ public class WhitelistAPI {
 /**
 * Update an existing whitelisted site
 */
+ @PreAuthorize("hasRole('ROLE_ADMIN')")
 @RequestMapping(value="/{id}", method = RequestMethod.PUT, consumes = "application/json", produces = "application/json")
 public String updateWhitelistedSite(@PathVariable("id") Long id, @RequestBody String jsonString, ModelMap m, Principal p) {
@@ -106,6 +108,7 @@ public class WhitelistAPI {
 * Delete a whitelisted site
 *
 */
+ @PreAuthorize("hasRole('ROLE_ADMIN')")
 @RequestMapping(value="/{id}", method = RequestMethod.DELETE)
 public String deleteWhitelistedSite(@PathVariable("id") Long id, ModelMap m) {
 WhitelistedSite whitelist = whitelistService.getById(id);
diff --git a/openid-connect-server/src/main/webapp/resources/template/client.html b/openid-connect-server/src/main/webapp/resources/template/client.html
index 03553c371..b0f619711 100644
--- a/openid-connect-server/src/main/webapp/resources/template/client.html
+++ b/openid-connect-server/src/main/webapp/resources/template/client.html
@@ -258,19 +258,19 @@