CCM NG: Migrated more configuration classes to the new system

git-svn-id: https://svn.libreccm.org/ccm/ccm_ng@3793 8810af33-2d31-482b-a856-94f89814c4df
2016-01-13 18:11:56 +00:00 · 2016-01-13 18:11:56 +00:00 · 361ba65ed8
parent b35e44a867
commit 361ba65ed8
34 changed files with 461 additions and 535 deletions
--- a/ccm-core/src/main/java/com/arsdigita/formbuilder/FormBuilderConfig.java
+++ b/ccm-core/src/main/java/com/arsdigita/formbuilder/FormBuilderConfig.java
@ -1,89 +1,121 @@
 /*
- * Copyright (C) 2004 Red Hat Inc. All Rights Reserved.
+ * Copyright (C) 2016 LibreCCM Foundation.
 *
 * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
+ * modify it under the terms of the GNU Lesser General Public
- * as published by the Free Software Foundation; either version 2.1 of
+ * License as published by the Free Software Foundation; either
- * the License, or (at your option) any later version.
+ * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- *
+ * MA 02110-1301  USA
 */
 package com.arsdigita.formbuilder;
-import com.arsdigita.runtime.AbstractConfig;
+import org.libreccm.cdi.utils.CdiUtil;
-import com.arsdigita.util.parameter.BooleanParameter;
+import org.libreccm.configuration.Configuration;
-import com.arsdigita.util.parameter.Parameter;
+import org.libreccm.configuration.ConfigurationManager;
-import com.arsdigita.util.parameter.StringParameter;
+import org.libreccm.configuration.Setting;
 import org.apache.log4j.Logger;
 import java.util.Objects;
 /**
- * @see com.arsdigita.bebop.Bebop
+ *
- * @author Justin Ross
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
 * @version $Id: FormBuilderConfig.java 1498 2007-03-19 16:22:15Z apevec $
 */
-public final class FormBuilderConfig extends AbstractConfig {
+@Configuration(
    descBundle = "com.arsdigita.formbuilder.FormBuilderConfigDescription",
    descKey = "formbuilder.config.description")
 public final class FormBuilderConfig {
-    private static final Logger s_log = Logger.getLogger(FormBuilderConfig.class);
+    @Setting(descKey = "formbuilder.config.actions_help_url")
    private String actionsHelpUrl;
-    private final Parameter m_actionsHelp;
+    @Setting(descKey = "formbuilder.config.controls_help_url")
-    private final Parameter m_controlsHelp;
+    private String controlsHelpUrl;
    private final BooleanParameter m_interpolateEmailActionsToAddress;
-    public FormBuilderConfig() {
+    @Setting(descKey = "formbuilder.config.interpolate_email_actions")
-        m_actionsHelp = new StringParameter
+    private Boolean interpolateEmailActions;
            ("waf.formbuilder.actions_help_url", Parameter.REQUIRED, "");
-        m_controlsHelp = new StringParameter
+    public static FormBuilderConfig getConfig() {
-            ("waf.formbuilder.controls_help_url", Parameter.REQUIRED, "");
+        final CdiUtil cdiUtil = new CdiUtil();
-
+        final ConfigurationManager confManager = cdiUtil.findBean(
-        m_interpolateEmailActionsToAddress = new BooleanParameter
+            ConfigurationManager.class);
-            ("waf.formbuilder.interpolate_email_actions_to_address",
+        return confManager.findConfiguration(FormBuilderConfig.class);
             Parameter.OPTIONAL, Boolean.FALSE);
        register(m_actionsHelp);
        register(m_controlsHelp);
        register(m_interpolateEmailActionsToAddress);
        loadInfo();
    }
-    /**
+    public String getActionsHelpUrl() {
-     *  This returns the string that can be used to create the URL to
+        return actionsHelpUrl;
     *  point to the help page.  If it starts with "/" then it is
     *  assumed to be located on this server.  If it starts with
     *  anything else, it is assumed to be a link to a foreign site.
     *  This can be null if no help link should appear.
     * 
     * NOTE: As of version 6.6 and earlier the help function is not working.
     * Returns null to deactivate the help link.
     */
    public String getActionsHelpLink() {
        //  return (String) get(m_actionsHelp);
        return null;
    }
-    /**
+    public void setActionsHelpUrl(final String actionsHelpUrl) {
-     *  This returns the string that can be used to create the URL to
+        this.actionsHelpUrl = actionsHelpUrl;
     *  point to the help page.  
     *  This can be null is no help link should appear
     * 
     * NOTE: See deactivated help system above.
     */
    public String getControlsHelpLink() {
        // return (String)get(m_controlsHelp);
        return null;
    }
-    public boolean getInterpolateEmailActionsToAddress() {
+    public String getControlsHelpUrl() {
-        return get(m_interpolateEmailActionsToAddress).equals(Boolean.TRUE);
+        return controlsHelpUrl;
    }
    public void setControlsHelpUrl(final String controlsHelpUrl) {
        this.controlsHelpUrl = controlsHelpUrl;
    }
    public Boolean getInterpolateEmailActions() {
        return interpolateEmailActions;
    }
    public void setInterpolateEmailActions(final Boolean interpolateEmailActions) {
        this.interpolateEmailActions = interpolateEmailActions;
    }
    @Override
    public int hashCode() {
        int hash = 5;
        hash = 71 * hash + Objects.hashCode(actionsHelpUrl);
        hash = 71 * hash + Objects.hashCode(controlsHelpUrl);
        hash = 71 * hash + Objects.hashCode(interpolateEmailActions);
        return hash;
    }
    @Override
    public boolean equals(final Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null) {
            return false;
        }
        if (!(obj instanceof FormBuilderConfig)) {
            return false;
        }
        final FormBuilderConfig other = (FormBuilderConfig) obj;
        if (!Objects.equals(actionsHelpUrl, other.getActionsHelpUrl())) {
            return false;
        }
        if (!Objects.equals(controlsHelpUrl, other.getControlsHelpUrl())) {
            return false;
        }
        return Objects.equals(interpolateEmailActions,
                              other.getInterpolateEmailActions());
    }
    @Override
    public String toString() {
        return String.format("%s{ "
                                 + "actionsHelpUrl = \"%s\", "
                                 + "controlsHelpUrl = \"%s\", "
                                 + "interpolateEmailActions = %b"
                                 + " }",
                             super.toString(),
                             actionsHelpUrl,
                             controlsHelpUrl,
                             interpolateEmailActions);
    }
 }
--- a/ccm-core/src/main/java/com/arsdigita/kernel/security/SecurityConfig.java
+++ b/ccm-core/src/main/java/com/arsdigita/kernel/security/SecurityConfig.java
@ -1,239 +1,183 @@
 /*
- * Copyright (C) 2003-2004 Red Hat Inc. All Rights Reserved.
+ * Copyright (C) 2016 LibreCCM Foundation.
 *
 * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
+ * modify it under the terms of the GNU Lesser General Public
- * as published by the Free Software Foundation; either version 2.1 of
+ * License as published by the Free Software Foundation; either
- * the License, or (at your option) any later version.
+ * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
- *
+ * MA 02110-1301  USA
 */
 package com.arsdigita.kernel.security;
-import com.arsdigita.runtime.AbstractConfig;
+import org.libreccm.cdi.utils.CdiUtil;
-import com.arsdigita.util.parameter.BooleanParameter;
+import org.libreccm.configuration.Configuration;
-import com.arsdigita.util.parameter.IntegerParameter;
+import org.libreccm.configuration.ConfigurationManager;
-import com.arsdigita.util.parameter.Parameter;
+import org.libreccm.configuration.Setting;
 import com.arsdigita.util.parameter.SpecificClassParameter;
 import com.arsdigita.util.parameter.StringArrayParameter;
 import com.arsdigita.util.parameter.StringParameter;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Objects;
 import java.util.StringJoiner;
 /**
 * A record containing server-session scoped security configuration properties.
 *
 * Accessors of this class may return null. Developers should take care to trap
 * null return values in their code.
 *
 *
 * @author Rafael H. Schloming &lt;rhs@mit.edu&gt;
 * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
 */
-public class SecurityConfig extends AbstractConfig {
+@Configuration(
    descBundle = "com.arsdigita.kernel.security.SecurityConfigDescription",
    descKey = "security.config.description")
 public final class SecurityConfig {
-    private static SecurityConfig s_config = null;
+    @Setting(descKey = "security.confg.excluded_extensions")
-
+    private List<String> excludedExtensions = Arrays.asList(
    private static String s_systemAdministratorEmailAddress = null;
    /**
     * Size of secret key in bytes. *
     */
    @SuppressWarnings("PublicField")
    public static int SECRET_KEY_BYTES = 16;
    /**
     * The class name of the SecurityHelper implementation. Must implement
     * SecurityHelper interface
     */
    private final Parameter m_securityHelperClass = new SpecificClassParameter(
        "waf.security_helper_class", Parameter.REQUIRED,
        com.arsdigita.kernel.security.DefaultSecurityHelper.class,
        com.arsdigita.kernel.security.SecurityHelper.class);
    /**
     * List of extensions excluded from authentication cookies. Authentication
     * is checked for all requests, but requests with one of these extensions
     * will never cause a new cookie to be set. Include a leading dot for each
     * extension.
     */
    private final Parameter m_excludedExtensions = new StringArrayParameter(
        "waf.excluded_extensions", Parameter.REQUIRED,
        new String[]{".jpg", ".gif", ".png", ".pdf"});
-    private final Parameter m_cookieDurationMinutes = new IntegerParameter(
+    @Setting(descKey = "security.config.auto_registration_enabled")
-        "waf.pagemap.cookies_duration_minutes", Parameter.OPTIONAL, null);
+    private Boolean autoRegistrationEnabled = false;
-    private final Parameter m_cookieDomain = new StringParameter(
+    @Setting(descKey = "security.config.password_recovery_enabled")
-        "waf.cookie_domain", Parameter.OPTIONAL, null);
+    private Boolean passwordRecoveryEnabled = true;
-    private final Parameter m_adminEmail = new StringParameter(
+    @Setting(descKey = "security.config.hash_algorithm")
-        "waf.admin.contact_email", Parameter.OPTIONAL, null);
+    private String hashAlgorithm = "SHA-512";
-    private final Parameter m_autoRegistrationOn = new BooleanParameter(
+    @Setting(descKey = "security.config.salt_length")
-        "waf.auto_registration_on", Parameter.REQUIRED, Boolean.TRUE);
+    private Integer saltLength = 256;
-    private final Parameter m_userBanOn = new BooleanParameter(
+    @Setting(descKey = "security.config.hash_iterations")
-        "waf.user_ban_on",
+    private Integer hashIterations = 50000;
        Parameter.REQUIRED,
        Boolean.FALSE);
-    private final Parameter m_enableQuestion = new BooleanParameter(
+    public static SecurityConfig getConfig() {
-        "waf.user_question.enable", Parameter.REQUIRED, Boolean.FALSE);
+        final CdiUtil cdiUtil = new CdiUtil();
-
+        final ConfigurationManager confManager = cdiUtil.findBean(
-    /**
+            ConfigurationManager.class);
-     * The default hash algorithm used for new passwords. Default is SHA-512
+        return confManager.findConfiguration(SecurityConfig.class);
     * which should sufficient for good security.
     */
    private final Parameter m_hashAlgorithm = new StringParameter(
        "waf.security.hash_algorithm", Parameter.REQUIRED, "SHA-512");
    /**
     * Default length of the salt for new passwords.
     */
    private final Parameter m_saltLength = new IntegerParameter(
        "waf.security.salt_length", Parameter.REQUIRED, 256);
    /**
     * Default number of hash iterations for new passwords.
     */
    private final Parameter m_hashIterations = new IntegerParameter(
            "waf.security.hash_iterations", Parameter.REQUIRED, 50000);
    /**
     * Constructs an empty SecurityConfig object
     */
    public SecurityConfig() {
        register(m_securityHelperClass);
        register(m_excludedExtensions);
        register(m_cookieDomain);
        register(m_cookieDurationMinutes);
        register(m_adminEmail);
        register(m_autoRegistrationOn);
        register(m_userBanOn);
        register(m_enableQuestion);
        register(m_hashAlgorithm);
        register(m_saltLength);
        register(m_hashIterations);
        loadInfo();
    }
-    /**
+    public List<String> getExcludedExtensions() {
-     * Returns the singleton configuration record for the runtime environment.
+        return new ArrayList<>(excludedExtensions);
     *
     * @return The <code>RuntimeConfig</code> record; it cannot be null
     */
    public static final synchronized SecurityConfig getConfig() {
        if (s_config == null) {
            s_config = new SecurityConfig();
            s_config.load();
        }
        return s_config;
    }
-    /**
+    public void setExcludedExtensions(final List<String> excludedExtensions) {
-     *
+        this.excludedExtensions = excludedExtensions;
     * @return
     */
    public final Class getSecurityHelperClass() {
        return (Class) get(m_securityHelperClass);
    }
-//  /**
+    public Boolean isAutoRegistrationEnabled() {
-//   * Obsolete!
+        return autoRegistrationEnabled;
 //   * @return
 //   */
 //  public final String getSessionTrackingMethod() {
 //      return (String) get(m_sessionTrackingMethod);
 //  }
    /**
     *
     * @return
     */
    public final List<String> getExcludedExtensions() {
        return Arrays.asList((String[]) get(m_excludedExtensions));
    }
-    public String getCookieDomain() {
+    public void setAutoRegistrationEnabled(
-        return (String) get(m_cookieDomain);
+        final Boolean autoRegistrationEnabled) {
        this.autoRegistrationEnabled = autoRegistrationEnabled;
    }
-    Integer getCookieDurationMinutes() {
+    public boolean isPasswordRecoveryEnabled() {
-        return (Integer) get(m_cookieDurationMinutes);
+        return passwordRecoveryEnabled;
    }
-    boolean isUserBanOn() {
+    public void setPasswordRecoveryEnabled(
-        return ((Boolean) get(m_userBanOn)).booleanValue();
+        final boolean passwordRecoveryEnabled) {
-    }
+        this.passwordRecoveryEnabled = passwordRecoveryEnabled;
    public String getAdminContactEmail() {
        String email = (String) get(m_adminEmail);
        // Return empty string instead of looking up into the database. If no
        // email if configured for the admin we consider that as a configuration
        // issue.
        if (email == null || email.isEmpty()) {
            return "";
        } else {
            return email;
        }
 //        if (email == null || email.trim().length() == 0) {
 //            email = getSystemAdministratorEmailAddress();
 //        }
 //        return email;
    }
    public Boolean getEnableQuestion() {
        return (Boolean) get(m_enableQuestion);
    }
 //    private static synchronized String getSystemAdministratorEmailAddress() {
 //        if (s_systemAdministratorEmailAddress == null) {
 //            ObjectPermissionCollection perms = PermissionService.
 //                getGrantedUniversalPermissions();
 //            perms.addEqualsFilter("granteeIsUser", Boolean.TRUE);
 //            perms.clearOrder();
 //            perms.addOrder("granteeID");
 //            if (perms.next()) {
 //                s_systemAdministratorEmailAddress = perms.getGranteeEmail().
 //                    toString();
 //                perms.close();
 //            } else {
 //                // Haven't found anything.  We don't want to repeat this query
 //                // over and over again.
 //                s_systemAdministratorEmailAddress = "";
 //            }
 //        }
 //        return s_systemAdministratorEmailAddress;
 //    }
    public final boolean isAutoRegistrationOn() {
        return ((Boolean) get(m_autoRegistrationOn)).booleanValue();
    }
    public String getHashAlgorithm() {
-        return (String) get(m_hashAlgorithm);
+        return hashAlgorithm;
    }
    public void setHashAlgorithm(final String hashAlgorithm) {
        this.hashAlgorithm = hashAlgorithm;
    }
    public Integer getSaltLength() {
-        return (Integer) get(m_saltLength);
+        return saltLength;
    }
    public void setSaltLength(Integer saltLength) {
        this.saltLength = saltLength;
    }
    public Integer getHashIterations() {
-        return (Integer) get(m_hashIterations);
+        return hashIterations;
    }
    public void setHashIterations(final Integer hashIterations) {
        this.hashIterations = hashIterations;
    }
    @Override
    public int hashCode() {
        int hash = 7;
        hash = 97 * hash + Objects.hashCode(excludedExtensions);
        hash = 97 * hash + Objects.hashCode(autoRegistrationEnabled);
        hash = 97 * hash + Objects.hashCode(passwordRecoveryEnabled);
        hash = 97 * hash + Objects.hashCode(hashAlgorithm);
        hash = 97 * hash + Objects.hashCode(saltLength);
        hash = 97 * hash + Objects.hashCode(hashIterations);
        return hash;
    }
    @Override
    public boolean equals(final Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null) {
            return false;
        }
        if (!(obj instanceof SecurityConfig)) {
            return false;
        }
        final SecurityConfig other = (SecurityConfig) obj;
        if (!Objects.equals(hashAlgorithm, other.getHashAlgorithm())) {
            return false;
        }
        if (!Objects.equals(excludedExtensions, other.getExcludedExtensions())) {
            return false;
        }
        if (!Objects.equals(autoRegistrationEnabled,
                            other.isAutoRegistrationEnabled())) {
            return false;
        }
        if (!(Objects.equals(passwordRecoveryEnabled,
                             other.isPasswordRecoveryEnabled()))) {
            return false;
        }
        if (!Objects.equals(saltLength, other.getSaltLength())) {
            return false;
        }
        return Objects.equals(hashIterations, other.getHashIterations());
    }
    @Override
    public String toString() {
        final StringJoiner joiner = new StringJoiner(", ");
        excludedExtensions.forEach(s -> joiner.add(s));
        return String.format("%s{ "
                                 + "excludedExtensions = { %s }, "
                                 + "autoRegistrationEnabled = %b, "
                                 + "passwordRecoveryEnabled = %b, "
                                 + "hashAlgorithm = \"%s\", "
                                 + "saltLength = %d, "
                                 + "hashIterations = %d"
                                 + " }",
                             super.toString(),
                             joiner.toString(),
                             autoRegistrationEnabled,
                             passwordRecoveryEnabled,
                             hashAlgorithm,
                             saltLength,
                             hashIterations);
    }
 }
--- a/ccm-core/src/main/java/com/arsdigita/kernel/security/Util.java
+++ b/ccm-core/src/main/java/com/arsdigita/kernel/security/Util.java
@ -23,9 +23,6 @@ import com.arsdigita.util.Classes;
 import java.util.Iterator;
 import java.util.List;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.login.LoginException;
 import javax.servlet.http.HttpServletRequest;
 /**
 *
@ -33,7 +30,7 @@ import javax.servlet.http.HttpServletRequest;
 */
 public class Util {
-    private static SecurityConfig s_conf = SecurityConfig.getConfig();
+    private static final SecurityConfig s_conf = SecurityConfig.getConfig();
    private static SecurityHelper s_helper = null;
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/UserForm.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/UserForm.java
@ -122,7 +122,7 @@ class UserForm extends Form implements FormValidationListener, AdminConstants {
            = new TextField(new StringParameter(USER_FORM_INPUT_QUESTION));
        m_question.setSize(50);
-        if (securityConfig.getEnableQuestion()) {
+        if (securityConfig.isPasswordRecoveryEnabled()) {
            add(USER_FORM_LABEL_QUESTION);
            add(m_question);
        }
@ -131,7 +131,7 @@ class UserForm extends Form implements FormValidationListener, AdminConstants {
        m_answer = new TextField(new StringParameter(USER_FORM_INPUT_ANSWER));
        m_answer.setSize(50);
-        if (securityConfig.getEnableQuestion()) {
+        if (securityConfig.isPasswordRecoveryEnabled()) {
            add(USER_FORM_LABEL_ANSWER);
            add(m_answer);
        }
@ -211,7 +211,7 @@ class UserForm extends Form implements FormValidationListener, AdminConstants {
            }
        }
-        if (securityConfig.getEnableQuestion()) {
+        if (securityConfig.isPasswordRecoveryEnabled()) {
            // If the password answer is anything but null, make sure it
            // contains some non-whitespace characters
            String answer = (String) m_answer.getValue(ps);
@ -285,14 +285,14 @@ class UserForm extends Form implements FormValidationListener, AdminConstants {
        USER_FORM_LABEL_PASSWORD.setVisible(state, isVisible);
        USER_FORM_LABEL_PASSWORD_CONFIRMATION.setVisible(state, isVisible);
-        if (securityConfig.getEnableQuestion()) {
+        if (securityConfig.isPasswordRecoveryEnabled()) {
            USER_FORM_LABEL_QUESTION.setVisible(state, isVisible);
            USER_FORM_LABEL_ANSWER.setVisible(state, isVisible);
        }
        m_password.setVisible(state, isVisible);
        m_confirmPassword.setVisible(state, isVisible);
-        if (securityConfig.getEnableQuestion()) {
+        if (securityConfig.isPasswordRecoveryEnabled()) {
            m_question.setVisible(state, isVisible);
            m_answer.setVisible(state, isVisible);
        }
--- a/ccm-core/src/main/java/com/arsdigita/ui/login/LoginServlet.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/login/LoginServlet.java
@ -48,12 +48,12 @@ import static com.arsdigita.ui.login.LoginConstants.*;
 * the Login application UI.
 *
 * It manages user registration page, new user page, user workspace, logout, and
- permissions admin pages.
+ * permissions admin pages.
-
+ *
- It just defines a mapping URL_MSG <-> various pages and uses the super class to
+ * It just defines a mapping URL_MSG <-> various pages and uses the super class
- actually server the pages. Additionally is provides service methods to expose
+ * to actually server the pages. Additionally is provides service methods to
- various properties, especially the URL_MSG's of public subpages (e.g. logout) and
+ * expose various properties, especially the URL_MSG's of public subpages (e.g.
- initializes the creation of the UI.
+ * logout) and initializes the creation of the UI.
 *
 * @author Peter Boy <pboy@barkhof.uni-bremen.de>
 */
@ -116,8 +116,8 @@ public class LoginServlet extends BebopApplicationServlet {
    public static final String LOGOUT_PATH_INFO = "/logout/";
    /**
-     * Base URL_MSG of the Login application for internal use, fetched from Login
+     * Base URL_MSG of the Login application for internal use, fetched from
- domain class.
+     * Login domain class.
     */
    private final static String s_loginURL = LOGIN_PAGE_URL;
@ -127,8 +127,8 @@ public class LoginServlet extends BebopApplicationServlet {
    public static final String APPLICATION_NAME = "login";
    /**
-     * User extension point used to create the pages to server and setup a URL_MSG -
+     * User extension point used to create the pages to server and setup a
- page mapping.
+     * URL_MSG - page mapping.
     *
     * @throws ServletException
     */
@ -144,10 +144,11 @@ public class LoginServlet extends BebopApplicationServlet {
         * page map. KernelSecurityConfig determines whether to create a link
         * to a NewUserRegistrationForm or to skip.*/
        put("/",
-            buildSimplePage("login.userRegistrationForm.title",
+            buildSimplePage(
-                            new UserLoginForm(SecurityConfig.getConfig()
+                "login.userRegistrationForm.title",
-                                .isAutoRegistrationOn()),
+                new UserLoginForm(SecurityConfig.getConfig()
-                            "login"));
+                    .isAutoRegistrationEnabled()),
                "login"));
        disableClientCaching("/");
        /* Create and add userEditPage to the page map.                       */
@ -158,7 +159,7 @@ public class LoginServlet extends BebopApplicationServlet {
        /* Determines if a NewUserRegistrationForm has to be created by quering
         * Kernel.getSecurityConfig() and acts appropriately                  */
-        if (SecurityConfig.getConfig().isAutoRegistrationOn()) {
+        if (SecurityConfig.getConfig().isAutoRegistrationEnabled()) {
            put(NEW_USER_PATH_INFO,
                buildSimplePage("login.userNewForm.title",
                                new UserNewForm(),
@ -189,7 +190,6 @@ public class LoginServlet extends BebopApplicationServlet {
 //            buildSimplePage("login.recoverPasswordPage.title",
 //                            new RecoverPasswordPanel(),
 //                            "recoverpassword"));
        // Build the login expire page, retrieve its URL_MSG and store in map
        put(LOGIN_EXPIRED_PATH_INFO, buildExpiredPage());
@ -319,15 +319,16 @@ public class LoginServlet extends BebopApplicationServlet {
    }
    /**
-     * Provides an (absolute) URL_MSG to a user profile editig page. It is relative
+     * Provides an (absolute) URL_MSG to a user profile editig page. It is
- to document root without any constant prefix if there is one configured.
+     * relative to document root without any constant prefix if there is one
-
+     * configured.
- XXX This implementation starts with a leading slash and ends with a
+     *
- slash. In previous configurations String urls began without a slash in
+     * XXX This implementation starts with a leading slash and ends with a
- order to be able to provide a full URL_MSG which also contains the context
+     * slash. In previous configurations String urls began without a slash in
- part. Since version 5.2 the context part is handled by (new) dispatcher.
+     * order to be able to provide a full URL_MSG which also contains the
- The leading slash it API change! It's impacts have to be checked.
+     * context part. Since version 5.2 the context part is handled by (new)
- (2011-02)
+     * dispatcher. The leading slash it API change! It's impacts have to be
     * checked. (2011-02)
     *
     * @return url to EditUserProfile page as String
     */
@ -341,15 +342,15 @@ public class LoginServlet extends BebopApplicationServlet {
    /**
     * Provides an (absolute URL_MSG) to an optional new user registration page
- (accessible only if activated). It is relative to document root without
+     * (accessible only if activated). It is relative to document root without
- any constant prefix if there is one configured.
+     * any constant prefix if there is one configured.
-
+     *
- XXX This implementation starts with a leading slash and ends with a
+     * XXX This implementation starts with a leading slash and ends with a
- slash. In previous configurations String urls began without a slash in
+     * slash. In previous configurations String urls began without a slash in
- order to be able to provide a full URL_MSG which also contains the context
+     * order to be able to provide a full URL_MSG which also contains the
- part. Since version 5.2 the context part is handled by (new) dispatcher.
+     * context part. Since version 5.2 the context part is handled by (new)
- The leading slash it API change! It's impacts have to be checked.
+     * dispatcher. The leading slash it API change! It's impacts have to be
- (2011-02)
+     * checked. (2011-02)
     *
     * @return url to new user registration page as String
     */
@ -358,16 +359,16 @@ public class LoginServlet extends BebopApplicationServlet {
    }
    /**
-     * Provides an absolute URL_MSG (leading slash) for a password recovery page. It
+     * Provides an absolute URL_MSG (leading slash) for a password recovery
- is relative to document root without any constant prefix if there is one
+     * page. It is relative to document root without any constant prefix if
- configured.
+     * there is one configured.
-
+     *
- XXX This implementation starts with a leading slash and ends with a
+     * XXX This implementation starts with a leading slash and ends with a
- slash. In previous configurations String urls began without a slash in
+     * slash. In previous configurations String urls began without a slash in
- order to be able to provide a full URL_MSG which also contains the context
+     * order to be able to provide a full URL_MSG which also contains the
- part. Since version 5.2 the context part is handled by (new) dispatcher.
+     * context part. Since version 5.2 the context part is handled by (new)
- The leading slash it API change! It's impacts have tp be checked.
+     * dispatcher. The leading slash it API change! It's impacts have tp be
- (2011-02)
+     * checked. (2011-02)
     *
     * @return url String for new user registration page as String
     */
@ -376,16 +377,16 @@ public class LoginServlet extends BebopApplicationServlet {
    }
    /**
-     * Provides an absolute URL_MSG (leading slash) for a cookie explanation page.
+     * Provides an absolute URL_MSG (leading slash) for a cookie explanation
-     * It is relative to document root without any constant prefix if there is
+     * page. It is relative to document root without any constant prefix if
- one configured.
+     * there is one configured.
-
+     *
- XXX This implementation starts with a leading slash and ends with a
+     * XXX This implementation starts with a leading slash and ends with a
- slash. In previous configurations String urls began without a slash in
+     * slash. In previous configurations String urls began without a slash in
- order to be able to provide a full URL_MSG which also contains the context
+     * order to be able to provide a full URL_MSG which also contains the
- part. Since version 5.2 the context part is handled by (new) dispatcher.
+     * context part. Since version 5.2 the context part is handled by (new)
- The leading slash it API change! It's impacts have tp be checked.
+     * dispatcher. The leading slash it API change! It's impacts have tp be
- (2011-02)
+     * checked. (2011-02)
     *
     * @return url String for new user registration page as String
     */
@ -394,16 +395,16 @@ public class LoginServlet extends BebopApplicationServlet {
    }
    /**
-     * Provides an absolute URL_MSG (leading slash) for a login expired info page.
+     * Provides an absolute URL_MSG (leading slash) for a login expired info
-     * It is relative to document root without any constant prefix if there is
+     * page. It is relative to document root without any constant prefix if
- one configured.
+     * there is one configured.
-
+     *
- XXX This implementation starts with a leading slash and ends with a
+     * XXX This implementation starts with a leading slash and ends with a
- slash. In previous configurations String urls began without a slash in
+     * slash. In previous configurations String urls began without a slash in
- order to be able to provide a full URL_MSG which also contains the context
+     * order to be able to provide a full URL_MSG which also contains the
- part. Since version 5.2 the context part is handled by (new) dispatcher.
+     * context part. Since version 5.2 the context part is handled by (new)
- The leading slash it API change! It's impacts have tp be checked.
+     * dispatcher. The leading slash it API change! It's impacts have tp be
- (2011-02)
+     * checked. (2011-02)
     *
     * @return url String for new user registration page as String
     */
@ -412,16 +413,16 @@ public class LoginServlet extends BebopApplicationServlet {
    }
    /**
-     * Provides an absolute URL_MSG (leading slash) for the system logout page. It
+     * Provides an absolute URL_MSG (leading slash) for the system logout page.
- is relative to document root without any constant prefix if there is one
+     * It is relative to document root without any constant prefix if there is
- configured.
+     * one configured.
-
+     *
- XXX This implementation starts with a leading slash and ends with a
+     * XXX This implementation starts with a leading slash and ends with a
- slash. In previous configurations String urls began without a slash in
+     * slash. In previous configurations String urls began without a slash in
- order to be able to provide a full URL_MSG which also contains the context
+     * order to be able to provide a full URL_MSG which also contains the
- part. Since version 5.2 the context part is handled by (new) dispatcher.
+     * context part. Since version 5.2 the context part is handled by (new)
- The leading slash it API change! It's impacts have tp be checked.
+     * dispatcher. The leading slash it API change! It's impacts have tp be
- (2011-02)
+     * checked. (2011-02)
     *
     * @return URL_MSG for logout page as String
     */
--- a/ccm-core/src/main/java/com/arsdigita/ui/login/UserLoginForm.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/login/UserLoginForm.java
@ -61,7 +61,6 @@ import org.apache.shiro.authc.UsernamePasswordToken;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.apache.shiro.subject.Subject;
 import org.libreccm.configuration.ConfigurationManager;
 /**
 * A Bebop form that accepts login and password from the user and attempts to
@ -173,7 +172,7 @@ public class UserLoginForm extends Form implements LoginConstants,
        add(new Submit(SUBMIT), ColumnPanel.CENTER | ColumnPanel.FULL_WIDTH);
-        if (securityConfig.getEnableQuestion()) {
+        if (securityConfig.isPasswordRecoveryEnabled()) {
            add(new DynamicLink("login.userRegistrationForm.forgotPasswordLink",
                                LoginServlet.getRecoverPasswordPageURL()));
        }
--- a/ccm-core/src/main/java/com/arsdigita/xml/formatters/DateFormatter.java
+++ b/ccm-core/src/main/java/com/arsdigita/xml/formatters/DateFormatter.java
@ -36,8 +36,7 @@ public class DateFormatter implements Formatter {
    public static final DateFormatterConfig getConfig() {
        if (m_config == null) {
-            m_config = new DateFormatterConfig();
+            m_config = DateFormatterConfig.getConfig();
            m_config.load();
        }
        return m_config;
    }
--- a/ccm-core/src/main/java/com/arsdigita/xml/formatters/DateFormatterConfig.java
+++ b/ccm-core/src/main/java/com/arsdigita/xml/formatters/DateFormatterConfig.java
@ -1,21 +1,86 @@
 /*
 * Copyright (C) 2016 LibreCCM Foundation.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02110-1301  USA
 */
 package com.arsdigita.xml.formatters;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.configuration.Configuration;
 import org.libreccm.configuration.ConfigurationManager;
 import org.libreccm.configuration.Setting;
-import com.arsdigita.runtime.AbstractConfig;
+import java.util.Objects;
 import com.arsdigita.util.parameter.Parameter;
 import com.arsdigita.util.parameter.StringParameter;
-public final class DateFormatterConfig extends AbstractConfig {
+/**
 *
 * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
 */
@Configuration(
    descBundle = "com.arsdigita.xml.formatters.DataFormatterDescription",
    descKey = "dataformatter.config.description")
 public final class DateFormatterConfig {
-	private final Parameter m_locale;
+    @Setting(descKey = "dateformatter.config.locale")
    private String locale = null;
-	public DateFormatterConfig() {
+    public static DateFormatterConfig getConfig() {
-		m_locale = new StringParameter("waf.xml.formatters.locale", Parameter.OPTIONAL, null);
+        final CdiUtil cdiUtil = new CdiUtil();
-		register(m_locale);
+        final ConfigurationManager confManager = cdiUtil.findBean(
-		loadInfo();
+            ConfigurationManager.class);
-	}
+        return confManager.findConfiguration(DateFormatterConfig.class);
    }
    public String getLocale() {
        return locale;
    }
    public void setLocale(final String locale) {
        this.locale = locale;
    }
    @Override
    public int hashCode() {
        int hash = 5;
        hash = 13 * hash + Objects.hashCode(this.locale);
        return hash;
    }
    @Override
    public boolean equals(final Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null) {
            return false;
        }
        if (!(obj instanceof DateFormatterConfig)) {
            return false;
        }
        final DateFormatterConfig other = (DateFormatterConfig) obj;
        return Objects.equals(this.locale, other.getLocale());
    }
    @Override
    public String toString() {
        return String.format("%s{ "
                                 + "locale = %s"
                                 + " }",
                             super.toString(),
                             locale);
    }
 	public final String getLocale() {
 		return (String) get (m_locale);
 	}
 }
--- a/ccm-core/src/main/java/com/arsdigita/xml/formatters/DateFormatterConfig_parameter.properties
+++ b/ccm-core/src/main/java/com/arsdigita/xml/formatters/DateFormatterConfig_parameter.properties
@ -1,4 +0,0 @@
 waf.xml.formatters.locale.title=Locale language code (see http://ftp.ics.uci.edu/pub/ietf/http/related/iso639.txt)
 waf.xml.formatters.locale.purpose=If set will use this rather than the contexts locale. Useful for things that may be formatted differently in other locales, eg dates.
 waf.xml.formatters.locale.example=en
 waf.xml.formatters.locale.format=[string]
--- a/ccm-core/src/main/java/org/libreccm/security/UserManager.java
+++ b/ccm-core/src/main/java/org/libreccm/security/UserManager.java
@ -19,11 +19,13 @@
 package org.libreccm.security;
 import com.arsdigita.kernel.security.SecurityConfig;
 import javax.enterprise.context.RequestScoped;
 import javax.inject.Inject;
 import javax.validation.constraints.NotNull;
 import javax.validation.constraints.Pattern;
 import javax.validation.executable.ValidateOnExecution;
 import org.apache.shiro.authc.credential.PasswordMatcher;
 import org.apache.shiro.authc.credential.PasswordService;
 import org.apache.shiro.crypto.SecureRandomNumberGenerator;
@ -127,7 +129,7 @@ public class UserManager {
     * @return The hashed password.b
     */
    private String hashPassword(final String password) {
-        //Get the values from the SecurityConfig
+        //Get the values from the LegacySecurityConfig
        final String hashAlgo = SecurityConfig.getConfig().getHashAlgorithm();
        final int iterations = SecurityConfig.getConfig().getHashIterations();
@ -149,7 +151,7 @@ public class UserManager {
    /**
     * Helper method for generating a random salt. The length of the generated
-     * salt is configured in the {@link SecurityConfig}.
+     * salt is configured in the {@link LegacySecurityConfig}.
     *
     * @return A new random salt.
     */
--- a/ccm-core/src/main/resources/com/arsdigita/formbuilder/FormBuilderConfig_parameter.properties
+++ b/ccm-core/src/main/resources/com/arsdigita/formbuilder/FormBuilderConfig_parameter.properties
@ -1,12 +0,0 @@
 waf.formbuilder.controls_help_url.title=Help link for creating FormBuilder controls
 waf.formbuilder.controls_help_url.purpose=This is a string that can be used to create the URL to point to the help page that explains how to create controls within the formbuilder.  If it starts with "/" then it is assumed to be located on this server.  If it starts with anything else, it is assumed to be a link to a foreign site.
 waf.formbuilder.controls_help_url.example=/help/formbuilder/creations-controls.jsp
 waf.formbuilder.controls_help_url.format=[string]
 waf.formbuilder.actions_help_url.title=Help link for creating FormBuilder actions
 waf.formbuilder.actions_help_url.purpose=This is a string that can be used to create the URL to point to the help page that explains how to create actions within the formbuilder.  If it starts with "/" then it is assumed to be located on this server.  If it starts with anything else, it is assumed to be a link to a foreign site.
 waf.formbuilder.actions_help_url.example=/help/formbuilder/creations-actions.jsp
 waf.formbuilder.actions_help_url.format=[string]
 waf.formbuilder.interpolate_email_actions_to_address.title=Interpolate the to: field
 waf.formbuilder.interpolate_email_actions_to_address.purpose=Should the to: field of email actions be interpolated, ie translated using submitted form values
 waf.formbuilder.interpolate_email_actions_to_address.example=boolean
 waf.formbuilder.interpolate_email_actions_to_address.format=[true]
--- a/ccm-core/src/main/resources/com/arsdigita/formbuilder/FormBuilderDescription.properties
+++ b/ccm-core/src/main/resources/com/arsdigita/formbuilder/FormBuilderDescription.properties
@ -0,0 +1,22 @@
 # Copyright (C) 2016 LibreCCM Foundation.
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # This library is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 # Lesser General Public License for more details.
 #
 # You should have received a copy of the GNU Lesser General Public
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 # MA 02110-1301  USA
 formbuilder.config.description = Configuration parameters for the FormBuilder
 formbuilder.config.actions_help_url = This is a string that can be used to create the URL to point to the help page that explains how to create actions within the formbuilder.  If it starts with "/" then it is assumed to be located on this server.  If it starts with anything else, it is assumed to be a link to a foreign site.
 formbuilder.config.controls_help_url = This is a string that can be used to create the URL to point to the help page that explains how to create controls within the formbuilder.  If it starts with "/" then it is assumed to be located on this server.  If it starts with anything else, it is assumed to be a link to a foreign site.
 formbuilder.config.interpolate_email_actions = Should the to: field of email actions be interpolated, ie translated using submitted form values
--- a/ccm-core/src/main/resources/com/arsdigita/kernel/security/SecurityConfigDescription.properties
+++ b/ccm-core/src/main/resources/com/arsdigita/kernel/security/SecurityConfigDescription.properties
@ -0,0 +1,25 @@
 # Copyright (C) 2016 LibreCCM Foundation.
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # This library is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 # Lesser General Public License for more details.
 #
 # You should have received a copy of the GNU Lesser General Public
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 # MA 02110-1301  USA
 security.config.description = A record containing server-session scoped security configuration properties.
 security.confg.excluded_extensions = List of extensions excluded from authentication cookies.
 security.config.auto_registration_enabled = Wether new users get automatically redirected to the create new user form
 security.config.password_recovery_enabled = Enables or disables the password recovery function for users.
 security.config.hash_algorithm = Sets the Hash Algorithm to use for new passwords. The available algorithms depend on the Java Runtime.
 security.config.salt_length = Sets the length of the salt for new passwords
 security.config.hash_iterations = Number of iterations when hashing new passwords
--- a/ccm-core/src/main/resources/com/arsdigita/kernel/security/SecurityConfig_parameter.properties
+++ b/ccm-core/src/main/resources/com/arsdigita/kernel/security/SecurityConfig_parameter.properties
@ -1,44 +0,0 @@
 waf.login_config.title=Login Configuration
 waf.login_config.purpose=Enter JAAS login configuration, using the syntax described in Javadoc for com.arsdigita.kernel.security.LoginConfig
 waf.login_config.example=Request:com.arsdigita.kernel.security.AdminLoginModule:sufficient,Register:com.arsdigita.kernel.security.LocalLoginModule:requisite
 waf.login_config.format=[string,string,...]
 waf.cookie_domain.title=Cookie Domain
 waf.cookie_domain.purpose=Enter the domain to which the Aplaws authentication cookie is presented
 waf.cookie_domain.example=.example.com
 waf.cookie_domain.format=[string]
 waf.admin.contact_email.title=System administrator email address
 waf.admin.contact_email.purpose=Email address that will be displayed on footer of login/admin pages, if empty then site-wide admin email will be substituted
 waf.admin.contact_email.example=ccmadmin@example.com
 waf.admin.contact_email.format=[string]
 waf.auto_registration_on.title=Auto Registration
 waf.auto_registration_on.purpose=New users get automatically redirected to the create new user form
 waf.auto_registration_on.example=true
 waf.auto_registration_on.format=true|false
 waf.user_ban_on.title=User Ban
 waf.user_ban_on.purpose=Check on each access if user has been banned from the site.
 waf.user_ban_on.example=false
 waf.user_ban_on.format=true|false
 waf.user_question_enable.title=Enable question
 waf.user_question_enable.purpose=Enable question if a user has forgotten its password
 waf.user_question_enable.example=false
 waf.user_question_enable.format=true|false
 waf.security.hash_algorithm.title=Default Hash Algorithm for new passwords
 waf.security.hash_algorithm.purpose=Sets the Hash Algorithm to use for new passwords. The available algorithms depend on the Java Runtime.
 waf.security.hash_algorithm.example=SHA-512
 waf.security.hash_algorithm.format=[string]
 waf.security.salt_length.title=Default Salt Length for new passwords
 waf.security.salt_length.purpose=Sets the length of the salt for new passwords
 waf.security.salt_length.example=256
 waf.security.salt_length.format=[int]
 waf.security.hash_iterations.title=Number of hash iterations for new passwords
 waf.security.hash_iterations.purpose=Number of iterations when hashing new passwords
 waf.security.hash_iterations.example=50000
 waf.security.hash_iterations.format=[int]
--- a/ccm-core/src/main/resources/com/arsdigita/xml/formatters/DateFormatterConfigDescription.properties
+++ b/ccm-core/src/main/resources/com/arsdigita/xml/formatters/DateFormatterConfigDescription.properties
@ -0,0 +1,19 @@
 # Copyright (C) 2016 LibreCCM Foundation.
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # This library is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 # Lesser General Public License for more details.
 #
 # You should have received a copy of the GNU Lesser General Public
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 # MA 02110-1301  USA
 dateformatter.config.description = Configuration for date formatters
 dateformatter.config.locale = If set will use this rather than the contexts locale. Useful for things that may be formatted differently in other locales, eg dates.
--- a/ccm-core/src/main/resources/com/arsdigita/xml/formatters/DateFormatterConfig_parameter.properties
+++ b/ccm-core/src/main/resources/com/arsdigita/xml/formatters/DateFormatterConfig_parameter.properties
@ -1,4 +0,0 @@
 waf.xml.formatters.locale.title=Locale language code (see http://ftp.ics.uci.edu/pub/ietf/http/related/iso639.txt)
 waf.xml.formatters.locale.purpose=If set will use this rather than the contexts locale. Useful for things that may be formatted differently in other locales, eg dates.
 waf.xml.formatters.locale.example=en
 waf.xml.formatters.locale.format=[string]
--- a/ccm-core/src/test/java/com/arsdigita/kernel/security/SecurityConfigTest.java
+++ b/ccm-core/src/test/java/com/arsdigita/kernel/security/SecurityConfigTest.java
@ -156,23 +156,15 @@ public class SecurityConfigTest {
        assertThat(excludedExtensions.get(2), is(equalTo(".png")));
        assertThat(excludedExtensions.get(3), is(equalTo(".pdf")));
-        assertThat(securityConfig.getCookieDurationMinutes(), is(nullValue()));
+        assertThat(securityConfig.isAutoRegistrationEnabled(), is(false));
-        assertThat(securityConfig.getCookieDomain(),
+        assertThat(securityConfig.isPasswordRecoveryEnabled(), is(true));
                   is(equalTo(".example.org")));
-        assertThat(securityConfig.getAdminContactEmail(),
+        assertThat(securityConfig.getHashAlgorithm(), is(equalTo("SHA-512")));
                   is(equalTo("admin@example.org")));
-        assertThat(securityConfig.isAutoRegistrationOn(), is(false));
+        assertThat(securityConfig.getSaltLength(), is(256));
-        assertThat(securityConfig.isUserBanOn(), is(true));
+        assertThat(securityConfig.getHashIterations(), is(50000));
        assertThat(securityConfig.getEnableQuestion(), is(false));
        assertThat(securityConfig.getHashAlgorithm(), is(equalTo("SHA-256")));
        assertThat(securityConfig.getSaltLength(), is(128));
    }
 }
--- a/ccm-core/src/test/resources/configs/com/arsdigita/kernel/KernelConfigTest/ccm-core.config
+++ b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/KernelConfigTest/ccm-core.config
@ -1,5 +0,0 @@
 <?xml version="1.0" encoding="utf-8"?>
 <registry>
    <config class="com.arsdigita.kernel.KernelConfig"
            storage="ccm-core/kernel.properties"/>
 </registry>
--- a/ccm-core/src/test/resources/configs/com/arsdigita/kernel/KernelConfigTest/kernel.properties
+++ b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/KernelConfigTest/kernel.properties
@ -1,5 +0,0 @@
 waf.kernel.supported_languages=de,en
 waf.debug=true
 waf.kernel.language_independent_items=true
 waf.kernel.primary_user_identifier=email
 waf.kernel.data_permission_check_enabled=false
--- a/ccm-core/src/test/resources/configs/com/arsdigita/kernel/KernelConfigTest/registry.properties
+++ b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/KernelConfigTest/registry.properties
@ -1 +0,0 @@
 waf.config.packages=ccm-core
--- a/ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/ccm-core.config
+++ b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/ccm-core.config
@ -1,8 +0,0 @@
 <?xml version="1.0" encoding="utf-8"?>
 <registry>
    <config class="com.arsdigita.kernel.KernelConfig"
            storage="ccm-core/kernel.properties"/>
    <config class="com.arsdigita.kernel.security.SecurityConfig"
            storage="ccm-core/security.properties"/>
 </registry>
--- a/ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/kernel.properties
+++ b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/kernel.properties
@ -1 +0,0 @@
 # this file is empty by purpose.
--- a/ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/registry.properties
+++ b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/registry.properties
@ -1 +0,0 @@
 waf.config.packages=ccm-core
--- a/ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/security.properties
+++ b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/security.properties
@ -1,15 +0,0 @@
 waf.login_config=Register:com.arsdigita.kernel.security.LocalLoginModule:requisite
 waf.cookie_domain=.example.org
 waf.admin.contact_email=admin@example.org
 waf.auto_registration_on=false
 waf.user_ban_on=true
 waf.user_question_enable=false
 waf.security.hash_algorithm=SHA-256
 waf.security.salt_length=128
--- a/ccm-core/src/test/resources/configs/org/libreccm/configuration/ConfigurationManagerTest/log4j2.xml
+++ b/ccm-core/src/test/resources/configs/org/libreccm/configuration/ConfigurationManagerTest/log4j2.xml
@ -1,21 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Configuration status="DEBUG">
    <Appenders>
        <Console name="Console" target="SYSTEM_OUT">
            <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
        </Console>
    </Appenders>
    <Loggers>
        <Root level="error">
            <AppenderRef ref="Console"/>
        </Root>
        <Logger name="org.libreccm.configuration.ConfigurationManager"
                level="debug">
            <AppenderRef ref="Console"/>
        </Logger>
        <Logger name="org.libreccm.categorization.CategoryRepository"
                level="debug">
            <AppenderRef ref="Console"/>
        </Logger>
    </Loggers>
 </Configuration>
--- a/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/kernel.properties
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/kernel.properties
@ -1 +0,0 @@
 waf.kernel.primary_user_identifier=screen_name
--- a/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/log4j2.xml
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/log4j2.xml
@ -1,17 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Configuration status="WARN">
    <Appenders>
        <Console name="Console" target="SYSTEM_OUT">
            <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
        </Console>
    </Appenders>
    <Loggers>
        <Root level="error">
            <AppenderRef ref="Console"/>
        </Root>
        <Logger name="org.libreccm.security.Shiro"
                level="debug">
            <AppenderRef ref="Console"/>
        </Logger>
    </Loggers>
 </Configuration>
--- a/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/security.properties
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/security.properties
@ -1 +0,0 @@
 # Empty
--- a/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/shiro.ini
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/shiro.ini
@ -1,10 +0,0 @@
 [main]
 passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
 passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
 passwordMatcher.passwordService = $passwordService
 ccmRealm = org.libreccm.security.CcmShiroRealm
 ccmRealm.credentialsMatcher = $passwordMatcher
 securityManager.realms = $ccmRealm
--- a/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/ccm-core.config
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/ccm-core.config
@ -1,8 +0,0 @@
 <?xml version="1.0" encoding="utf-8"?>
 <registry>
    <config class="com.arsdigita.kernel.KernelConfig"
            storage="ccm-core/kernel.properties"/>
    <config class="com.arsdigita.kernel.security.SecurityConfig"
            storage="ccm-core/security.properties"/>
 </registry>
--- a/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/kernel.properties
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/kernel.properties
@ -1 +0,0 @@
 # this file is empty by purpose.
--- a/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/registry.properties
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/registry.properties
@ -1 +0,0 @@
 waf.config.packages=ccm-core
--- a/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/security.properties
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/security.properties
@ -1 +0,0 @@
 # Empty
--- a/ccm-core/src/test/resources/configs/shiro.ini
+++ b/ccm-core/src/test/resources/configs/shiro.ini
@ -1,10 +0,0 @@
 [main]
 passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
 passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
 passwordMatcher.passwordService = $passwordService
 ccmRealm = org.libreccm.security.CcmShiroRealm
 ccmRealm.credentialsMatcher = $passwordMatcher
 securityManager.realms = $ccmRealm
		`@ -1 +0,0 @@`
			`waf.kernel.primary_user_identifier=screen_name`