CCM NG: Annotations for authorization are now added to all repository and and manager beans in ccm-core

git-svn-id: https://svn.libreccm.org/ccm/ccm_ng@4166 8810af33-2d31-482b-a856-94f89814c4df
2016-06-17 19:46:50 +00:00 · 2016-06-17 19:46:50 +00:00 · 864094a5dd
parent 9f66872c80
commit 864094a5dd
39 changed files with 1484 additions and 574 deletions
--- a/ccm-core/src/main/java/org/libreccm/categorization/CategorizationConstants.java
+++ b/ccm-core/src/main/java/org/libreccm/categorization/CategorizationConstants.java
@ -23,13 +23,15 @@ package org.libreccm.categorization;
 * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
 */
 public final class CategorizationConstants {
-    
+
    public static final String CAT_XML_NS = "http://categorization.libreccm.org";
-    public static final String MANAGE_CATEGORIES_PRIVILEGE = "manage_categories";
+    public static final String MANAGE_CATEGORY_PRIVILEGE = "manage_category";
    public static final String MANAGE_CATEGORY_OBJECTS_PRIVILEGE
                               = "manage_category_objects";
    public static final String MANAGE_DOMAINS_PRIVILEGE = "manage_domains";
-    
+
    private CategorizationConstants() {
        //Nothing
    }
-    
+
 }
--- a/ccm-core/src/main/java/org/libreccm/categorization/Category.java
+++ b/ccm-core/src/main/java/org/libreccm/categorization/Category.java
@ -24,6 +24,7 @@ import org.hibernate.validator.constraints.NotBlank;
 import org.libreccm.core.CcmObject;
 import org.libreccm.core.DefaultEntityGraph;
 import org.libreccm.l10n.LocalizedString;
 import org.libreccm.security.InheritsPermissions;
 import java.io.Serializable;
 import java.util.ArrayList;
@ -90,7 +91,8 @@ import javax.validation.constraints.Pattern;
    )
 })
@DefaultEntityGraph("Category.withSubCategoriesAndObjects")
-public class Category extends CcmObject implements Serializable {
+public class Category extends CcmObject implements InheritsPermissions, 
                                                   Serializable {
    private static final long serialVersionUID = -7250208963391878547L;
@ -317,6 +319,12 @@ public class Category extends CcmObject implements Serializable {
    public void setCategoryOrder(final long categoryOrder) {
        this.categoryOrder = categoryOrder;
    }
    @Override
    public CcmObject getParent() {
        return getParentCategory();
    }
    @Override
    public int hashCode() {
--- a/ccm-core/src/main/java/org/libreccm/categorization/CategoryManager.java
+++ b/ccm-core/src/main/java/org/libreccm/categorization/CategoryManager.java
@ -18,10 +18,15 @@
 */
 package org.libreccm.categorization;
 import static org.libreccm.categorization.CategorizationConstants.*;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.libreccm.core.CcmObject;
 import org.libreccm.core.CcmObjectRepository;
 import org.libreccm.security.AuthorizationRequired;
 import org.libreccm.security.RequiresPrivilege;
 import org.libreccm.security.Shiro;
 import java.util.ArrayList;
 import java.util.List;
@ -57,6 +62,9 @@ public class CategoryManager {
    @Inject
    private EntityManager entityManager;
    @Inject
    private Shiro shiro;
    /**
     * Assigns an category to an object.
     *
@ -74,9 +82,13 @@ public class CategoryManager {
     * @param category The category to which the object should be assigned. Can
     *                 never be {@code null}.
     */
    @AuthorizationRequired
    @Transactional(Transactional.TxType.REQUIRED)
-    public void addObjectToCategory(final CcmObject object,
+    public void addObjectToCategory(
-                                    final Category category) {
+        final CcmObject object,
        @RequiresPrivilege(MANAGE_CATEGORY_OBJECTS_PRIVILEGE)
        final Category category) {
        if (object == null) {
            throw new IllegalArgumentException(
                "Null can't be added to a category.");
@ -96,9 +108,15 @@ public class CategoryManager {
        object.addCategory(categorization);
        category.addObject(categorization);
-        entityManager.persist(categorization);
+        // To saving a category requires the manage_category privilege which
-        categoryRepo.save(category);
+        // may has not been granted to a user which is allowed to assign objects
-        ccmObjectRepo.save(object);
+        // to a category. Therefore we bypass the this authorisation check here
        // by executing CategoryRepository#save(Category) as the system user.
        shiro.getSystemUser().execute(() -> {
            entityManager.persist(categorization);
            categoryRepo.save(category);
            ccmObjectRepo.save(object);
        });
    }
    /**
@ -121,9 +139,12 @@ public class CategoryManager {
     *                                              object is <em>not</em>
     * assigned to the provided category.
     */
    @AuthorizationRequired
    @Transactional(Transactional.TxType.REQUIRED)
-    public void removeObjectFromCategory(final CcmObject object,
+    public void removeObjectFromCategory(
-                                         final Category category)
+        final CcmObject object,
        @RequiresPrivilege(MANAGE_CATEGORY_OBJECTS_PRIVILEGE)
        final Category category)
        throws ObjectNotAssignedToCategoryException {
        if (object == null) {
@ -154,23 +175,25 @@ public class CategoryManager {
            return;
        }
-        object.removeCategory(categorization);
+        shiro.getSystemUser().execute(() -> {
-        category.removeObject(categorization);
+            object.removeCategory(categorization);
-        entityManager.remove(categorization);
+            category.removeObject(categorization);
-        categoryRepo.save(category);
+            entityManager.remove(categorization);
-        ccmObjectRepo.save(object);
+            categoryRepo.save(category);
            ccmObjectRepo.save(object);
-        final List<Categorization> categories = object.getCategories();
+            final List<Categorization> categories = object.getCategories();
-        for (int i = 0; i < categories.size(); i++) {
+            for (int i = 0; i < categories.size(); i++) {
-            categories.get(i).setCategoryOrder(i);
+                categories.get(i).setCategoryOrder(i);
-            entityManager.merge(categories.get(i));
+                entityManager.merge(categories.get(i));
-        }
+            }
-        final List<Categorization> objects = category.getObjects();
+            final List<Categorization> objects = category.getObjects();
-        for (int i = 0; i < objects.size(); i++) {
+            for (int i = 0; i < objects.size(); i++) {
-            objects.get(i).setObjectOrder(i);
+                objects.get(i).setObjectOrder(i);
-            entityManager.merge(objects.get(i));
+                entityManager.merge(objects.get(i));
-        }
+            }
        });
    }
    /**
@ -187,9 +210,12 @@ public class CategoryManager {
     *                                              object is not assigned to
     *                                              the provided category.
     */
    @AuthorizationRequired
    @Transactional(Transactional.TxType.REQUIRED)
-    public void increaseObjectOrder(final CcmObject object,
+    public void increaseObjectOrder(
-                                    final Category category)
+        final CcmObject object,
        @RequiresPrivilege(MANAGE_CATEGORY_OBJECTS_PRIVILEGE)
        final Category category)
        throws ObjectNotAssignedToCategoryException {
        if (object == null) {
@ -241,7 +267,7 @@ public class CategoryManager {
        categorization.setObjectOrder(nextOrder);
        nextCategorization.setObjectOrder(order);
-        categoryRepo.save(category);
+        shiro.getSystemUser().execute(() -> categoryRepo.save(category));
    }
    /**
@ -258,9 +284,12 @@ public class CategoryManager {
     *                                              object is not assigned to
     *                                              the provided category.
     */
    @AuthorizationRequired
    @Transactional(Transactional.TxType.REQUIRED)
-    public void decreaseObjectOrder(final CcmObject object,
+    public void decreaseObjectOrder(
-                                    final Category category)
+        final CcmObject object,
        @RequiresPrivilege(MANAGE_CATEGORY_OBJECTS_PRIVILEGE)
        final Category category)
        throws ObjectNotAssignedToCategoryException {
        if (object == null) {
@ -312,7 +341,7 @@ public class CategoryManager {
        categorization.setObjectOrder(prevOrder);
        prevCategorization.setObjectOrder(order);
-        categoryRepo.save(category);
+        shiro.getSystemUser().execute(() -> categoryRepo.save(category));
    }
    /**
@ -346,9 +375,13 @@ public class CategoryManager {
     * @param parentCategory The category to which the category is added as
     *                       subcategory. Can't be {@code null}.
     */
    @AuthorizationRequired
    @Transactional(Transactional.TxType.REQUIRED)
-    public void addSubCategoryToCategory(final Category subCategory,
+    public void addSubCategoryToCategory(
-                                         final Category parentCategory) {
+        final Category subCategory,
        @RequiresPrivilege(MANAGE_CATEGORY_PRIVILEGE)
        final Category parentCategory) {
        final Category sub = categoryRepo.findById(subCategory.getObjectId());
        final Category parent = categoryRepo.findById(parentCategory
            .getObjectId());
@ -363,8 +396,10 @@ public class CategoryManager {
        sub.setParentCategory(parent);
        sub.setCategoryOrder(order);
-        categoryRepo.save(parent);
+        shiro.getSystemUser().execute(() -> {
-        categoryRepo.save(sub);
+            categoryRepo.save(parent);
            categoryRepo.save(sub);
        });
    }
    /**
@ -380,9 +415,12 @@ public class CategoryManager {
     *                                  assigned to the provided parent
     *                                  category.
     */
    @AuthorizationRequired
    @Transactional(Transactional.TxType.REQUIRED)
-    public void removeSubCategoryFromCategory(final Category subCategory,
+    public void removeSubCategoryFromCategory(
-                                              final Category parentCategory) {
+        final Category subCategory,
        @RequiresPrivilege(MANAGE_CATEGORY_PRIVILEGE)
        final Category parentCategory) {
        if (subCategory.getParentCategory() == null
                || !subCategory.getParentCategory().equals(parentCategory)) {
@ -401,8 +439,10 @@ public class CategoryManager {
            categoryRepo.save(subCategories.get(i));
        }
-        categoryRepo.save(parentCategory);
+        shiro.getSystemUser().execute(() -> {
-        categoryRepo.save(subCategory);
+            categoryRepo.save(parentCategory);
            categoryRepo.save(subCategory);
        });
    }
    /**
@ -420,9 +460,12 @@ public class CategoryManager {
     *                                  subcategory of the provided parent
     *                                  category.
     */
    @AuthorizationRequired
    @Transactional(Transactional.TxType.REQUIRED)
-    public void increaseCategoryOrder(final Category subCategory,
+    public void increaseCategoryOrder(
-                                      final Category parentCategory) {
+        final Category subCategory,
        @RequiresPrivilege(MANAGE_CATEGORY_PRIVILEGE)
        final Category parentCategory) {
        if (parentCategory == null) {
            throw new IllegalArgumentException("parentCategory can't be null.");
@ -471,8 +514,10 @@ public class CategoryManager {
        subCategory.setCategoryOrder(nextOrder);
        nextCategory.setCategoryOrder(order);
-        categoryRepo.save(subCategory);
+        shiro.getSystemUser().execute(() -> {
-        categoryRepo.save(nextCategory);
+            categoryRepo.save(subCategory);
            categoryRepo.save(nextCategory);
        });
    }
    /**
@ -490,8 +535,12 @@ public class CategoryManager {
     *                                  subcategory of the provided parent
     *                                  category.
     */
-    public void decreaseCategoryOrder(final Category subCategory,
+    @AuthorizationRequired
-                                      final Category parentCategory) {
+    @Transactional(Transactional.TxType.REQUIRED)
    public void decreaseCategoryOrder(
        final Category subCategory,
        @RequiresPrivilege(MANAGE_CATEGORY_PRIVILEGE)
        final Category parentCategory) {
        if (parentCategory == null) {
            throw new IllegalArgumentException("parentCategory can't be null.");
@ -540,26 +589,10 @@ public class CategoryManager {
        subCategory.setCategoryOrder(prevOrder);
        prevCategory.setCategoryOrder(order);
-        categoryRepo.save(subCategory);
+        shiro.getSystemUser().execute(() -> {
-        categoryRepo.save(prevCategory);
+            categoryRepo.save(subCategory);
            categoryRepo.save(prevCategory);
        });
    }
    /**
     * Swaps the values of the {@code order} properties of two categories.
     *
     * @param subCategoryA   The first category. Can't be {@code null}.
     * @param subCategoryB   The second category. Can't be {@code null}.
     * @param parentCategory The parent category of both subcategories. Can't be
     *                       {@code null}.
     *
     * @throws IllegalArgumentException If one or both categories are not
     *                                  subcategories of the provided parent
     *                                  category.qq
     */
 //    public void swapCategories(final Category subCategoryA,
 //                               final Category subCategoryB,
 //                               final Category parentCategory) {
 //        // TODO implement method
 //        throw new UnsupportedOperationException();
 //    }
 }
--- a/ccm-core/src/main/java/org/libreccm/categorization/CategoryRepository.java
+++ b/ccm-core/src/main/java/org/libreccm/categorization/CategoryRepository.java
@ -168,15 +168,20 @@ public class CategoryRepository extends AbstractEntityRepository<Long, Category>
    @Transactional(Transactional.TxType.REQUIRED)
    @Override
    public void save(
-        @RequiresPrivilege("manage_categories") final Category category) {
+        @RequiresPrivilege(CategorizationConstants.MANAGE_CATEGORY_PRIVILEGE) 
        final Category category) {
        super.save(category);
    }
    @AuthorizationRequired
-    @RequiresPrivilege("manage_categories")
+
    @Transactional(Transactional.TxType.REQUIRED)
    @Override
-    public void delete(final Category category) {
+    public void delete(
        @RequiresPrivilege(CategorizationConstants.MANAGE_CATEGORY_PRIVILEGE) 
        final Category category) {
        super.save(category);
    }
--- a/ccm-core/src/main/java/org/libreccm/configuration/ConfigurationManager.java
+++ b/ccm-core/src/main/java/org/libreccm/configuration/ConfigurationManager.java
@ -27,8 +27,11 @@ import javax.transaction.Transactional;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.util.Strings;
 import org.libreccm.core.CoreConstants;
 import org.libreccm.modules.CcmModule;
 import org.libreccm.modules.Module;
 import org.libreccm.security.AuthorizationRequired;
 import org.libreccm.security.RequiresPrivilege;
 import java.util.Arrays;
 import java.util.ServiceLoader;
@ -123,6 +126,9 @@ public class ConfigurationManager {
     *                                  provided object is not annotation with
     *                                  {@link Configuration}.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public void saveConfiguration(final Object configuration) {
        if (configuration == null) {
            throw new IllegalArgumentException("Configuration can't be null");
@ -266,6 +272,8 @@ public class ConfigurationManager {
     * @param valueType     The type of the value of the setting.
     * @param value         The value to set.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    private <T> void setSettingValue(final Object configuration,
                                     final String settingName,
--- a/ccm-core/src/main/java/org/libreccm/configuration/SettingManager.java
+++ b/ccm-core/src/main/java/org/libreccm/configuration/SettingManager.java
@ -30,6 +30,9 @@ import javax.transaction.Transactional;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.util.Strings;
 import org.libreccm.core.CoreConstants;
 import org.libreccm.security.AuthorizationRequired;
 import org.libreccm.security.RequiresPrivilege;
 import java.util.ArrayList;
 import java.util.Objects;
@ -220,6 +223,8 @@ public class SettingManager {
     *
     * @param setting The setting to save.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public void saveSetting(final AbstractSetting<?> setting) {
        if (setting.getSettingId() == 0) {
--- a/ccm-core/src/main/java/org/libreccm/core/CoreConstants.java
+++ b/ccm-core/src/main/java/org/libreccm/core/CoreConstants.java
@ -42,6 +42,16 @@ public final class CoreConstants {
     * in the security API.
     */
    public static final String ACCESS_DENIED = "Access denied";
    /**
     * Constant for the {@code admin} privilege.
     */
    public static final String ADMIN_PRIVILEGE = "admin";
    /**
     * Constant for the {@code system} privilege.
     */
    public static final String SYSTEM_PRIVILEGE = "system";
    private CoreConstants() {
        //Nothing
--- a/ccm-core/src/main/java/org/libreccm/security/ChallengeManager.java
+++ b/ccm-core/src/main/java/org/libreccm/security/ChallengeManager.java
@ -29,6 +29,7 @@ import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.libreccm.configuration.ConfigurationManager;
 import org.libreccm.configuration.LocalizedStringSetting;
 import org.libreccm.core.CoreConstants;
 import org.libreccm.l10n.GlobalizationHelper;
 import org.libreccm.l10n.LocalizedString;
@ -108,6 +109,8 @@ public class ChallengeManager {
     *
     * @return The text of the challenge mail.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public String createEmailVerification(final User user) {
        if (user == null) {
            throw new IllegalArgumentException(
@ -125,6 +128,8 @@ public class ChallengeManager {
     * @throws MessagingException If there is a problem sending the email to the
     *                            user.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public void sendEmailVerification(final User user)
        throws MessagingException {
        final String text = createEmailVerification(user);
@ -145,6 +150,8 @@ public class ChallengeManager {
     * @throws ChallengeFailedException If the provided token does not match the
     *                                  stored token.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public void finishEmailVerification(final User user,
                                        final String submittedToken)
        throws ChallengeFailedException {
@ -172,6 +179,8 @@ public class ChallengeManager {
     *
     * @return The challenge message.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public String createAccountActivation(final User user) {
        if (user == null) {
            throw new IllegalArgumentException(
@ -188,6 +197,8 @@ public class ChallengeManager {
     * @throws MessagingException If something goes wrong when sending the
     *                            message.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public void sendAccountActivation(final User user)
        throws MessagingException {
        final String text = createAccountActivation(user);
@ -208,6 +219,8 @@ public class ChallengeManager {
     * @throws ChallengeFailedException If the submitted token does not match
     *                                  the stored token.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public void finishAccountActivation(final User user,
                                        final String submittedToken)
        throws ChallengeFailedException {
@ -233,6 +246,8 @@ public class ChallengeManager {
     *
     * @return The challenge message.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public String createPasswordRecover(final User user) {
        if (user == null) {
            throw new IllegalArgumentException(
@ -250,6 +265,8 @@ public class ChallengeManager {
     * @throws MessagingException If something goes wrong when sending the
     *                            message.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public void sendPasswordRecover(final User user)
        throws MessagingException {
        final String text = createPasswordRecover(user);
@ -271,6 +288,8 @@ public class ChallengeManager {
     * @throws ChallengeFailedException If the submitted token does not match
     *                                  the stored token.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public void finishPasswordRecover(final User user,
                                      final String submittedToken,
                                      final String newPassword)
--- a/ccm-core/src/main/java/org/libreccm/security/GroupManager.java
+++ b/ccm-core/src/main/java/org/libreccm/security/GroupManager.java
@ -18,6 +18,8 @@
 */
 package org.libreccm.security;
 import org.libreccm.core.CoreConstants;
 import java.util.List;
 import javax.enterprise.context.RequestScoped;
@ -53,6 +55,8 @@ public class GroupManager {
     * @param user The user to add to a group.
     * @param group  The group to which the user is added.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public void addMemberToGroup(final User user, final Group group) {
        if (user == null) {
@ -90,6 +94,8 @@ public class GroupManager {
     * @param member The user to remove from the group.
     * @param group The group from which the user is removed.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public void removeMemberFromGroup(final User member, final Group group) {
        if (member == null) {
--- a/ccm-core/src/main/java/org/libreccm/security/GroupRepository.java
+++ b/ccm-core/src/main/java/org/libreccm/security/GroupRepository.java
@ -24,6 +24,7 @@ import javax.enterprise.context.RequestScoped;
 import javax.persistence.TypedQuery;
 import org.libreccm.core.AbstractEntityRepository;
 import org.libreccm.core.CoreConstants;
 import javax.transaction.Transactional;
@ -92,7 +93,7 @@ public class GroupRepository extends AbstractEntityRepository<Long, Group> {
    }
    @AuthorizationRequired
-    @RequiresPrivilege("admin")
+    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    @Override
    public void save(final Group group) {
@ -100,7 +101,7 @@ public class GroupRepository extends AbstractEntityRepository<Long, Group> {
    }
    @AuthorizationRequired
-    @RequiresPrivilege("admin")
+    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    @Override
    public void delete(final Group entity) {
--- a/ccm-core/src/main/java/org/libreccm/security/InheritsPermissions.java
+++ b/ccm-core/src/main/java/org/libreccm/security/InheritsPermissions.java
@ -22,16 +22,26 @@ import org.libreccm.core.CcmObject;
 /**
 * Subclasses of {@link CcmObject} can implement this interface to inherit 
- * the permissions of their parent object. This annotation is processed by the 
+ * the permissions of their parent object. This interface is processed by the 
 * {@link PermissionChecker}. 
 * 
- * @see PermissionChecker#checkPermission(java.lang.String, org.libreccm.core.CcmObject) 
+ * @see PermissionChecker#checkPermission(java.lang.String, 
- * @see PermissionChecker#isPermitted(java.lang.String, org.libreccm.core.CcmObject) 
+ *                                        org.libreccm.core.CcmObject) 
 * @see PermissionChecker#isPermitted(java.lang.String, 
 *                                    org.libreccm.core.CcmObject) 
 * 
 * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
 */
 public interface InheritsPermissions {
    /**
     * This method needs to be overwritten by implementers of interface
     * 
     * @return The parent object of the implementing object. The 
     * {@link PermissionChecker} will use the permissions granted on the parent
     * object in addition to the permissions granted on the object itself to 
     * determine if a user is granted a specific privilege on the object.
     */
    CcmObject getParent();
 }
--- a/ccm-core/src/main/java/org/libreccm/security/OneTimeAuthManager.java
+++ b/ccm-core/src/main/java/org/libreccm/security/OneTimeAuthManager.java
@ -43,6 +43,7 @@ import org.apache.shiro.crypto.hash.format.HashFormat;
 import org.apache.shiro.crypto.hash.format.HashFormatFactory;
 import org.apache.shiro.crypto.hash.format.Shiro1CryptFormat;
 import org.apache.shiro.util.ByteSource;
 import org.libreccm.core.CoreConstants;
 /**
 * This class manages the generation and delation of {@link OneTimeAuthToken}s.
@ -77,6 +78,8 @@ public class OneTimeAuthManager {
     *
     * @return The one time authentication token with the not hashed token.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public OneTimeAuthToken createForUser(
        final User user, final OneTimeAuthTokenPurpose purpose) {
@ -144,6 +147,8 @@ public class OneTimeAuthManager {
     * @return The one time auth token for the provided user and purpose or
     *         {@code null} if there is no such token.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public List<OneTimeAuthToken> retrieveForUser(
        final User user, final OneTimeAuthTokenPurpose purpose) {
        if (user == null || purpose == null) {
@ -171,6 +176,8 @@ public class OneTimeAuthManager {
     * @return {@code true} if there is a valid token for the provided user and
     *         purpose, {@code false} if not.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public boolean validTokenExistsForUser(
        final User user, final OneTimeAuthTokenPurpose purpose) {
        if (user == null || purpose == null) {
@ -201,6 +208,8 @@ public class OneTimeAuthManager {
     *
     * @return {@code true} if the token is valid, {@code false} if not.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public boolean isValid(final OneTimeAuthToken token) {
        if (token == null) {
            throw new IllegalArgumentException("Can't validate a token null");
@ -224,6 +233,8 @@ public class OneTimeAuthManager {
     * @return {@code true} if the submitted token is valid and matches {@link token},
     * {@code false} if not.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public boolean verify(final OneTimeAuthToken token,
                          final String submittedToken) {
        if (token == null || submittedToken == null) {
@ -253,6 +264,8 @@ public class OneTimeAuthManager {
     *
     * @param token The token to invalidate.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public void invalidate(final OneTimeAuthToken token) {
        if (token == null) {
--- a/ccm-core/src/main/java/org/libreccm/security/PartyRepository.java
+++ b/ccm-core/src/main/java/org/libreccm/security/PartyRepository.java
@ -21,6 +21,7 @@ package org.libreccm.security;
 import javax.enterprise.context.RequestScoped;
 import org.libreccm.core.AbstractEntityRepository;
 import org.libreccm.core.CoreConstants;
 import java.util.List;
@ -76,7 +77,7 @@ public class PartyRepository extends AbstractEntityRepository<Long, Party> {
    }
    @AuthorizationRequired
-    @RequiresPrivilege("admin")
+    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    @Override
    public void save(final Party party) {
@ -84,7 +85,7 @@ public class PartyRepository extends AbstractEntityRepository<Long, Party> {
    }
    @AuthorizationRequired
-    @RequiresPrivilege("admin")
+    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    @Override
    public void delete(final Party party) {
--- a/ccm-core/src/main/java/org/libreccm/security/PermissionChecker.java
+++ b/ccm-core/src/main/java/org/libreccm/security/PermissionChecker.java
@ -138,15 +138,19 @@ public class PermissionChecker {
        if (object instanceof InheritsPermissions) {
            final boolean result = isPermitted(privilege, object);
-            if (result) {
+            if (!result) {
-                subject.checkPermission(generatePermissionString(privilege,
+                if (((InheritsPermissions) object).getParent() == null) {
-                                                                 object));
+                    if (subject.isAuthenticated()) {
-            } else if (((InheritsPermissions) object).getParent() == null) {
+                        subject.checkPermission(generatePermissionString(
-                subject.checkPermission(generatePermissionString(privilege,
+                            privilege, object));
-                                                                 object));
+                    } else {
-            } else {
+                        shiro.getPublicUser().checkPermission(
-                checkPermission(privilege,
+                            generatePermissionString(privilege, object));
-                                ((InheritsPermissions) object).getParent());
+                    }
                } else {
                    checkPermission(privilege,
                                    ((InheritsPermissions) object).getParent());
                }
            }
        } else if (subject.isAuthenticated()) {
            subject.checkPermission(generatePermissionString(privilege, object));
--- a/ccm-core/src/main/java/org/libreccm/security/PermissionManager.java
+++ b/ccm-core/src/main/java/org/libreccm/security/PermissionManager.java
@ -26,13 +26,14 @@ import javax.persistence.Query;
 import javax.persistence.TypedQuery;
 import org.libreccm.core.CcmObject;
 import org.libreccm.core.CoreConstants;
 import javax.enterprise.context.RequestScoped;
 import javax.transaction.Transactional;
 /**
 * Manager class for granting and revoking permissions.
- * 
+ *
 * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
 */
@RequestScoped
@ -45,28 +46,30 @@ public class PermissionManager {
    @SuppressWarnings("PMD.LongVariable")
    private static final String QUERY_PARAM_PRIVILEGE = "privilege";
    @Inject
    private EntityManager entityManager;
    /**
     * Retrieves a permission by its ID. Useful for UI classes.
-     * 
+     *
     * @param permissionId The id of the permission to retrieve.
     *
     * @return The permission identified by the provided {@code permissionId).
     */
    public Permission findById(final long permissionId) {
        return entityManager.find(Permission.class, permissionId);
    }
-    
+
    /**
-     * Grants a privilege on an object to a role.  If the privilege was already 
+     * Grants a privilege on an object to a role. If the privilege was already
     * granted, the method does nothing.
-     * 
+     *
     * @param privilege The privilege to grant.
-     * @param grantee The role to which the privilege is granted.
+     * @param grantee   The role to which the privilege is granted.
-     * @param object The object on which the privilege is granted.
+     * @param object    The object on which the privilege is granted.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public void grantPrivilege(final String privilege,
                               final Role grantee,
@ -80,7 +83,7 @@ public class PermissionManager {
            throw new IllegalArgumentException(
                "Can't grant a permission to grantee null.");
        }
-        
+
        if (object == null) {
            throw new IllegalArgumentException(
                "Can't grant a permission on object NULL.");
@ -97,12 +100,14 @@ public class PermissionManager {
    }
    /**
-     * Grants a privilege to a role. If the privilege was already granted, the 
+     * Grants a privilege to a role. If the privilege was already granted, the
     * method does nothing.
-     * 
+     *
     * @param privilege The privilege to grant.
-     * @param grantee The role to which the privilege is granted.
+     * @param grantee   The role to which the privilege is granted.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public void grantPrivilege(final String privilege,
                               final Role grantee) {
@ -127,13 +132,15 @@ public class PermissionManager {
    }
    /**
-     * Revokes the permissions granting a privilege on an object from a role.
+     * Revokes the permissions granting a privilege on an object from a role. If
-     * If no matching permission exists the method will do nothing.
+     * no matching permission exists the method will do nothing.
-     * 
+     *
     * @param privilege The privilege granted by the permission to revoke.
-     * @param grantee The role to which the privilege was granted.
+     * @param grantee   The role to which the privilege was granted.
-     * @param object The object on which the privilege was granted.
+     * @param object    The object on which the privilege was granted.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public void revokePrivilege(final String privilege,
                                final Role grantee,
@ -147,7 +154,7 @@ public class PermissionManager {
            throw new IllegalArgumentException(
                "Can't revoke a permission from grantee null.");
        }
-        
+
        if (object == null) {
            throw new IllegalArgumentException(
                "Can't revoke a permission from object NULL.");
@ -165,14 +172,16 @@ public class PermissionManager {
            query.executeUpdate();
        }
    }
-    
+
-     /**
+    /**
-     * Revokes the permissions granting a privilege from a role.
+     * Revokes the permissions granting a privilege from a role. If no matching
-     * If no matching permission exists the method will do nothing.
+     * permission exists the method will do nothing.
-     * 
+     *
     * @param privilege The privilege granted by the permission to revoke.
-     * @param grantee The role to which the privilege was granted.
+     * @param grantee   The role to which the privilege was granted.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public void revokePrivilege(final String privilege,
                                final Role grantee) {
@ -199,15 +208,17 @@ public class PermissionManager {
    }
    /**
-     * Copy the permissions from on {@link CcmObject} to another. The 
+     * Copy the permissions from on {@link CcmObject} to another. The
-     * permissions granted on the {@code target} object will not be removed. 
+     * permissions granted on the {@code target} object will not be removed.
-     * Instead the permissions from {@code source} object are added the the 
+     * Instead the permissions from {@code source} object are added the the
     * permissions.
-     * 
+     *
-     * 
+     *
     * @param source
-     * @param target 
+     * @param target
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public void copyPermissions(final CcmObject source,
                                final CcmObject target) {
@ -215,7 +226,7 @@ public class PermissionManager {
            throw new IllegalArgumentException(
                "Can't copy permissions from source NULL.");
        }
-        
+
        if (target == null) {
            throw new IllegalArgumentException(
                "Can't copy permissions to target NULL.");
@ -236,12 +247,13 @@ public class PermissionManager {
    /**
     * Checks if a permission granting the provided {@code privilege} on the
     * provided {@code object} to the provided {@code role} exists.
-     * 
+     *
     * @param privilege The privilege granted by the permission.
-     * @param grantee The role to which the privilege was granted.
+     * @param grantee   The role to which the privilege was granted.
-     * @param object The object on which the privilege is granted.
+     * @param object    The object on which the privilege is granted.
     *
     * @return {@code true} if there is a matching permission, {@code false} if
-     * not.
+     *         not.
     */
    private boolean existsPermission(final String privilege,
                                     final Role grantee,
@ -256,13 +268,14 @@ public class PermissionManager {
    }
    /**
-     * Checks if a permission granting the provided {@code privilege}to the 
+     * Checks if a permission granting the provided {@code privilege}to the
     * provided {@code role} exists.
-     * 
+     *
     * @param privilege The privilege granted by the permission.
-     * @param grantee The role to which the privilege was granted.
+     * @param grantee   The role to which the privilege was granted.
     *
     * @return {@code true} if there is a matching permission, {@code false} if
-     * not.
+     *         not.
     */
    private boolean existsPermission(final String privilege,
                                     final Role grantee) {
--- a/ccm-core/src/main/java/org/libreccm/security/RegistrationManager.java
+++ b/ccm-core/src/main/java/org/libreccm/security/RegistrationManager.java
@ -18,17 +18,15 @@
 */
 package org.libreccm.security;
 import com.arsdigita.bebop.FormProcessException;
 import com.arsdigita.globalization.GlobalizedMessage;
 import com.arsdigita.ui.login.UserNewForm;
 import org.apache.logging.log4j.util.Strings;
 import org.libreccm.core.CoreConstants;
 import javax.enterprise.context.RequestScoped;
 import javax.inject.Inject;
 import javax.mail.MessagingException;
 import static com.arsdigita.ui.login.LoginConstants.*;
 /**
 * The CDI bean encapsulates all steps for registering a user, for example by a
@ -83,6 +81,8 @@ public class RegistrationManager {
     *                                  activation challenge to the new user.
     * @throws IllegalArgumentException If the provided {@code user} is
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.SYSTEM_PRIVILEGE)
    public void registerUser(final String userName,
                             final String familyName,
                             final String givenName,
--- a/ccm-core/src/main/java/org/libreccm/security/RoleManager.java
+++ b/ccm-core/src/main/java/org/libreccm/security/RoleManager.java
@ -18,6 +18,8 @@
 */
 package org.libreccm.security;
 import org.libreccm.core.CoreConstants;
 import java.util.List;
 import javax.enterprise.context.RequestScoped;
@ -53,6 +55,8 @@ public class RoleManager {
     * @param role  The role to assign.
     * @param party The party which to which to role is assigned.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public void assignRoleToParty(final Role role, final Party party) {
        if (role == null) {
@ -87,6 +91,8 @@ public class RoleManager {
     * @param role
     * @param party
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public void removeRoleFromParty(final Role role, final Party party) {
        if (role == null) {
--- a/ccm-core/src/main/java/org/libreccm/security/RoleRepository.java
+++ b/ccm-core/src/main/java/org/libreccm/security/RoleRepository.java
@ -24,6 +24,7 @@ import javax.enterprise.context.RequestScoped;
 import javax.persistence.TypedQuery;
 import org.libreccm.core.AbstractEntityRepository;
 import org.libreccm.core.CoreConstants;
 import javax.transaction.Transactional;
@ -82,7 +83,7 @@ public class RoleRepository extends AbstractEntityRepository<Long, Role> {
    }
    @AuthorizationRequired
-    @RequiresPrivilege("admin")
+    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    @Override
    public void save(final Role role) {
@ -90,7 +91,7 @@ public class RoleRepository extends AbstractEntityRepository<Long, Role> {
    }
    @AuthorizationRequired
-    @RequiresPrivilege("admin")
+    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Override
    @Transactional(Transactional.TxType.REQUIRED)
    public void delete(final Role role) {
--- a/ccm-core/src/main/java/org/libreccm/security/UserManager.java
+++ b/ccm-core/src/main/java/org/libreccm/security/UserManager.java
@ -18,6 +18,7 @@
 */
 package org.libreccm.security;
 import com.arsdigita.kernel.KernelConfig;
 import com.arsdigita.kernel.security.SecurityConfig;
 import javax.enterprise.context.RequestScoped;
@ -34,9 +35,14 @@ import org.apache.shiro.crypto.hash.format.DefaultHashFormatFactory;
 import org.apache.shiro.crypto.hash.format.HashFormat;
 import org.apache.shiro.crypto.hash.format.HashFormatFactory;
 import org.apache.shiro.crypto.hash.format.Shiro1CryptFormat;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.util.ByteSource;
 import org.libreccm.configuration.ConfigurationManager;
 import org.libreccm.core.CoreConstants;
 import org.libreccm.core.EmailAddress;
 import javax.transaction.Transactional;
 /**
 * Provides various operations for user objects.
 *
@ -49,6 +55,18 @@ public class UserManager {
    @Inject
    private UserRepository userRepository;
    @Inject
    private Subject subject;
    @Inject
    private Shiro shiro;
    @Inject
    private PermissionChecker permissionChecker;
    @Inject
    private ConfigurationManager confManager;
    /**
     * Creates a new user and saves the user in the database. The method also
     * creates the password hash.
@ -63,7 +81,10 @@ public class UserManager {
     *
     * @return The new user.
     */
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @ValidateOnExecution
    @Transactional(Transactional.TxType.REQUIRED)
    public User createUser(final String givenName,
                           final String familyName,
                           @Pattern(regexp = "[a-zA-Z0-9\\-_]*")
@ -93,17 +114,38 @@ public class UserManager {
     * Updates the password of a user. This method allows {@code null} as
     * password value. If a user has no password in the database this means that
     * the user can't login or that the authentication for this user is done by
-     * an external system.
+     * an external system. Only the user itself or user to which the
     * {@code admin} privilege has been granted can update the password of user.
     *
     * @param user        The user which password should be upgraded.
     * @param newPassword The new password. The password is hashed using the
     *                    algorithm configured in the {@link SecurityConfig}.
     */
    @Transactional(Transactional.TxType.REQUIRED)
    public void updatePassword(@NotNull final User user,
                               final String newPassword) {
-        user.setPassword(hashPassword(newPassword));
+        // We can't use the authorisation annotations here because we have two 
        // options. First we check if the current subject is the user whos
        // password is updated. If not we check if the current subject has admin
        // privileges.
        final String userIdentifier;
        final KernelConfig kernelConfig = confManager.findConfiguration(
            KernelConfig.class);
        if (kernelConfig.emailIsPrimaryIdentifier()) {
            userIdentifier = user.getPrimaryEmailAddress().getAddress();
        } else {
            userIdentifier = user.getName();
        }
-        userRepository.save(user);
+        if (subject.isAuthenticated()
                && userIdentifier.equals(subject.getPrincipal())) {
            user.setPassword(hashPassword(newPassword));
            shiro.getSystemUser().execute(() -> userRepository.save(user));
        } else {
            permissionChecker.checkPermission(CoreConstants.ADMIN_PRIVILEGE);
            user.setPassword(hashPassword(newPassword));
            shiro.getSystemUser().execute(() -> userRepository.save(user));
        }
    }
    /**
@ -149,7 +191,7 @@ public class UserManager {
        //format includes the algorithm used, the salt, the number of 
        //iterations used and the hashed password in special formatted string.
        final HashFormatFactory hashFormatFactory
-                                = new DefaultHashFormatFactory();
+                                    = new DefaultHashFormatFactory();
        final HashFormat hashFormat = hashFormatFactory.getInstance(
            Shiro1CryptFormat.class.getName());
@ -171,7 +213,7 @@ public class UserManager {
        }
        final SecureRandomNumberGenerator generator
-                                          = new SecureRandomNumberGenerator();
+                                              = new SecureRandomNumberGenerator();
        final int byteSize = generatedSaltSize / 8; //generatedSaltSize is in *bits* - convert to byte size:
        return generator.nextBytes(byteSize);
    }
--- a/ccm-core/src/main/java/org/libreccm/security/UserRepository.java
+++ b/ccm-core/src/main/java/org/libreccm/security/UserRepository.java
@ -19,6 +19,7 @@
 package org.libreccm.security;
 import org.libreccm.core.AbstractEntityRepository;
 import org.libreccm.core.CoreConstants;
 import java.util.List;
@ -161,7 +162,7 @@ public class UserRepository extends AbstractEntityRepository<Long, User> {
    }
    @AuthorizationRequired
-    @RequiresPrivilege("admin")
+    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    @Override
    public void save(final User entity) {
@ -169,7 +170,7 @@ public class UserRepository extends AbstractEntityRepository<Long, User> {
    }
    @AuthorizationRequired
-    @RequiresPrivilege("admin")
+    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    @Override
    public void delete(final User entity) {
--- a/ccm-core/src/main/java/org/libreccm/web/ApplicationManager.java
+++ b/ccm-core/src/main/java/org/libreccm/web/ApplicationManager.java
@ -21,9 +21,12 @@ package org.libreccm.web;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.util.Strings;
 import org.libreccm.core.CoreConstants;
 import org.libreccm.l10n.GlobalizationHelper;
 import org.libreccm.modules.CcmModule;
 import org.libreccm.modules.Module;
 import org.libreccm.security.AuthorizationRequired;
 import org.libreccm.security.RequiresPrivilege;
 import java.util.Collections;
 import java.util.HashMap;
@ -34,12 +37,14 @@ import java.util.ResourceBundle;
 import java.util.ServiceLoader;
 import javax.annotation.PostConstruct;
 import javax.ejb.TransactionAttribute;
 import javax.enterprise.context.ApplicationScoped;
 import javax.inject.Inject;
 import javax.persistence.EntityManager;
 import javax.persistence.TypedQuery;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServlet;
 import javax.transaction.Transactional;
 /**
 *
@ -80,10 +85,14 @@ public class ApplicationManager {
        return Collections.unmodifiableMap(applicationTypes);
    }
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public <T extends CcmApplication> T createInstance(
        final ApplicationType type,
        final String path,
        final Class<T> applicationClass) throws ApplicationCreateException {
        try {
            @SuppressWarnings("unchecked")
            final ApplicationCreator<T> creator = type.creator().newInstance();
@ -98,6 +107,9 @@ public class ApplicationManager {
        }
    }
    @AuthorizationRequired
    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    public void deleteInstance(final CcmApplication application) {
        entityManager.remove(application);
    }
--- a/ccm-core/src/main/java/org/libreccm/web/ApplicationRepository.java
+++ b/ccm-core/src/main/java/org/libreccm/web/ApplicationRepository.java
@ -20,6 +20,7 @@ package org.libreccm.web;
 import org.apache.shiro.authz.annotation.RequiresAuthentication;
 import org.libreccm.core.AbstractEntityRepository;
 import org.libreccm.core.CoreConstants;
 import org.libreccm.security.AuthorizationRequired;
 import org.libreccm.security.RequiresPrivilege;
@ -86,7 +87,7 @@ public class ApplicationRepository
    }
    @AuthorizationRequired
-    @RequiresPrivilege("admin")
+    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    @Override
    public void save(final CcmApplication application) {
@ -94,7 +95,7 @@ public class ApplicationRepository
    }
    @AuthorizationRequired
-    @RequiresPrivilege("admin")
+    @RequiresPrivilege(CoreConstants.ADMIN_PRIVILEGE)
    @Transactional(Transactional.TxType.REQUIRED)
    @Override
    public void delete(final CcmApplication application) {
--- a/ccm-core/src/test/java/org/libreccm/categorization/CategoryManagerTest.java
+++ b/ccm-core/src/test/java/org/libreccm/categorization/CategoryManagerTest.java
@ -18,7 +18,11 @@
 */
 package org.libreccm.categorization;
 import org.apache.shiro.authc.UsernamePasswordToken;
 import org.apache.shiro.authz.UnauthorizedException;
 import org.apache.shiro.subject.Subject;
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.arquillian.container.test.api.ShouldThrowException;
 import org.jboss.arquillian.junit.Arquillian;
 import org.jboss.arquillian.junit.InSequence;
 import org.jboss.arquillian.persistence.CreateSchema;
@ -28,7 +32,6 @@ import org.jboss.arquillian.persistence.UsingDataSet;
 import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
 import org.jboss.arquillian.transaction.api.annotation.Transactional;
 import org.jboss.shrinkwrap.api.ShrinkWrap;
 import org.jboss.shrinkwrap.api.asset.EmptyAsset;
 import org.jboss.shrinkwrap.api.spec.WebArchive;
 import org.jboss.shrinkwrap.resolver.api.maven.Maven;
 import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
@ -40,9 +43,11 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.libreccm.core.CcmObject;
 import org.libreccm.core.CcmObjectRepository;
 import org.libreccm.security.Shiro;
 import org.libreccm.tests.categories.IntegrationTest;
 import java.io.File;
 import java.util.concurrent.Callable;
 import javax.inject.Inject;
 import javax.persistence.EntityManager;
@ -75,6 +80,12 @@ public class CategoryManagerTest {
    @Inject
    private DomainRepository domainRepo;
    @Inject
    private Shiro shiro;
    @Inject
    private Subject subject;
    @PersistenceContext(name = "LibreCCM")
    private EntityManager entityManager;
@ -125,16 +136,21 @@ public class CategoryManagerTest {
                .getPackage())
            .addPackage(org.libreccm.l10n.LocalizedString.class.getPackage())
            .addPackage(org.libreccm.security.Permission.class.getPackage())
-            .addPackage(org.libreccm.testutils.EqualsVerifier.class.getPackage())
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class
                .getPackage())
            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
                .getPackage())
            .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
            .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
            .addPackage(org.libreccm.cdi.utils.CdiUtil.class.getPackage())
            .addClass(com.arsdigita.kernel.KernelConfig.class)
            .addClass(com.arsdigita.kernel.security.SecurityConfig.class)
            .addAsLibraries(libs)
            .addAsResource("configs/shiro.ini", "shiro.ini")
            .addAsResource("test-persistence.xml",
                           "META-INF/persistence.xml")
-            .addAsWebInfResource("test-web.xml", "WEB-INF/web.xml")
+            .addAsWebInfResource("test-web.xml", "web.xml")
-            .addAsWebInfResource(EmptyAsset.INSTANCE, "WEB-INF/beans.xml");
+            .addAsWebInfResource("META-INF/beans.xml", "beans.xml");
    }
    @Test
@ -165,7 +181,73 @@ public class CategoryManagerTest {
                    + "after-add-obj-to-category.yml",
        excludeColumns = {"categorization_id"})
    @InSequence(1100)
-    public void addObjectToCategory() {
+    public void addObjectToCategoryBySystemUser() {
        final CcmObject object2 = ccmObjectRepo.findById(-3200L);
        final Category foo = categoryRepo.findById(-2100L);
        assertThat(object2, is(not(nullValue())));
        assertThat(foo, is(not(nullValue())));
        shiro.getSystemUser().execute(() -> categoryManager.addObjectToCategory(
            object2, foo));
    }
    @Test
    @UsingDataSet(
        "datasets/org/libreccm/categorization/CategoryManagerTest/data.yml")
    @ShouldMatchDataSet(
        value = "datasets/org/libreccm/categorization/CategoryManagerTest/"
                    + "after-add-obj-to-category.yml",
        excludeColumns = {"categorization_id"})
    @InSequence(1200)
    public void addObjectToCategoryAuthByDomain() {
        final CcmObject object2 = ccmObjectRepo.findById(-3200L);
        final Category foo = categoryRepo.findById(-2100L);
        assertThat(object2, is(not(nullValue())));
        assertThat(foo, is(not(nullValue())));
        final UsernamePasswordToken token = new UsernamePasswordToken(
            "jane.doe@example.org", "foo123");
        token.setRememberMe(true);
        subject.login(token);
        categoryManager.addObjectToCategory(object2, foo);
        subject.logout();
    }
    @Test
    @UsingDataSet(
        "datasets/org/libreccm/categorization/CategoryManagerTest/data.yml")
    @ShouldMatchDataSet(
        value = "datasets/org/libreccm/categorization/CategoryManagerTest/"
                    + "after-add-obj-to-category.yml",
        excludeColumns = {"categorization_id"})
    @InSequence(1300)
    public void addObjectToCategoryAuthByCategory() {
        final CcmObject object2 = ccmObjectRepo.findById(-3200L);
        final Category foo = categoryRepo.findById(-2100L);
        assertThat(object2, is(not(nullValue())));
        assertThat(foo, is(not(nullValue())));
        final UsernamePasswordToken token = new UsernamePasswordToken(
            "mmuster@example.com", "foo123");
        token.setRememberMe(true);
        subject.login(token);
        categoryManager.addObjectToCategory(object2, foo);
        subject.logout();
    }
    @Test(expected = UnauthorizedException.class)
    @UsingDataSet(
        "datasets/org/libreccm/categorization/CategoryManagerTest/data.yml")
    @ShouldThrowException(UnauthorizedException.class)
    @InSequence(1400)
    public void addObjectToCategoryNotAuthorized() {
        final CcmObject object2 = ccmObjectRepo.findById(-3200L);
        final Category foo = categoryRepo.findById(-2100L);
@ -178,11 +260,86 @@ public class CategoryManagerTest {
    @Test
    @UsingDataSet(
        "datasets/org/libreccm/categorization/CategoryManagerTest/data.yml")
-    @ShouldMatchDataSet(value
+    @ShouldMatchDataSet(
-                            = "datasets/org/libreccm/categorization/CategoryManagerTest/after-remove-obj-from-category.yml",
+        value = "datasets/org/libreccm/categorization/CategoryManagerTest/"
-                        excludeColumns = {"categorization_id"})
+                    + "after-remove-obj-from-category.yml",
-    @InSequence(1200)
+        excludeColumns = {"categorization_id"})
-    public void removeObjectFromCategory()
+    @InSequence(2000)
    public void removeObjectFromCategoryBySystemUser()
        throws ObjectNotAssignedToCategoryException {
        final CcmObject object1 = ccmObjectRepo.findById(-3100L);
        final Category foo = categoryRepo.findById(-2100L);
        assertThat(object1, is(not(nullValue())));
        assertThat(foo, is(not(nullValue())));
        shiro.getSystemUser().execute(() -> {
            categoryManager.removeObjectFromCategory(object1, foo);
            return null;
        });
    }
    @Test
    @UsingDataSet(
        "datasets/org/libreccm/categorization/CategoryManagerTest/data.yml")
    @ShouldMatchDataSet(
        value = "datasets/org/libreccm/categorization/CategoryManagerTest/"
                    + "after-remove-obj-from-category.yml",
        excludeColumns = {"categorization_id"})
    @InSequence(2100)
    public void removeObjectFromCategoryAuthByDomain()
        throws ObjectNotAssignedToCategoryException {
        final CcmObject object1 = ccmObjectRepo.findById(-3100L);
        final Category foo = categoryRepo.findById(-2100L);
        assertThat(object1, is(not(nullValue())));
        assertThat(foo, is(not(nullValue())));
        final UsernamePasswordToken token = new UsernamePasswordToken(
            "jane.doe@example.org", "foo123");
        token.setRememberMe(true);
        subject.login(token);
        categoryManager.removeObjectFromCategory(object1, foo);
        subject.logout();
    }
    @Test
    @UsingDataSet(
        "datasets/org/libreccm/categorization/CategoryManagerTest/data.yml")
    @ShouldMatchDataSet(
        value = "datasets/org/libreccm/categorization/CategoryManagerTest/"
                    + "after-remove-obj-from-category.yml",
        excludeColumns = {"categorization_id"})
    @InSequence(2200)
    public void removeObjectFromCategoryAuthByCategory()
        throws ObjectNotAssignedToCategoryException {
        final CcmObject object1 = ccmObjectRepo.findById(-3100L);
        final Category foo = categoryRepo.findById(-2100L);
        assertThat(object1, is(not(nullValue())));
        assertThat(foo, is(not(nullValue())));
        final UsernamePasswordToken token = new UsernamePasswordToken(
            "mmuster@example.com", "foo123");
        token.setRememberMe(true);
        subject.login(token);
        categoryManager.removeObjectFromCategory(object1, foo);
        subject.logout();
    }
    @Test(expected = UnauthorizedException.class)
    @UsingDataSet(
        "datasets/org/libreccm/categorization/CategoryManagerTest/data.yml")
    @ShouldThrowException(UnauthorizedException.class)
    @InSequence(2300)
    public void removeObjectFromCategoryNotAuthorized()
        throws ObjectNotAssignedToCategoryException {
        final CcmObject object1 = ccmObjectRepo.findById(-3100L);
@ -201,8 +358,98 @@ public class CategoryManagerTest {
        value = "datasets/org/libreccm/categorization/"
                    + "CategoryManagerTest/after-add-subcategory.yml",
        excludeColumns = {"object_id", "uuid"})
-    @InSequence(2100)
+    @InSequence(3000)
-    public void addSubCategoryToCategory() {
+    public void addSubCategoryToCategoryBySystemUser() {
        final Category category = new Category();
        category.setName("category-new");
        category.setDisplayName("category-new");
        category.setUniqueId("catnew");
        shiro.getSystemUser().execute(() -> categoryRepo.save(category));
        final TypedQuery<Category> query = entityManager.createQuery(
            "SELECT c FROM Category c WHERE c.name = :name",
            Category.class);
        query.setParameter("name", "category-new");
        final Category sub = query.getSingleResult();
        final Category foo = categoryRepo.findById(-2100L);
        shiro.getSystemUser().execute(
            () -> categoryManager.addSubCategoryToCategory(sub, foo));
    }
    @Test
    @UsingDataSet(
        "datasets/org/libreccm/categorization/CategoryManagerTest/data.yml")
    @ShouldMatchDataSet(
        value = "datasets/org/libreccm/categorization/"
                    + "CategoryManagerTest/after-add-subcategory.yml",
        excludeColumns = {"object_id", "uuid"})
    @InSequence(3000)
    public void addSubCategoryToCategoryAuthByDomain() {
        final Category category = new Category();
        category.setName("category-new");
        category.setDisplayName("category-new");
        category.setUniqueId("catnew");
        shiro.getSystemUser().execute(() -> categoryRepo.save(category));
        final TypedQuery<Category> query = entityManager.createQuery(
            "SELECT c FROM Category c WHERE c.name = :name",
            Category.class);
        query.setParameter("name", "category-new");
        final Category sub = query.getSingleResult();
        final Category foo = categoryRepo.findById(-2100L);
        final UsernamePasswordToken token = new UsernamePasswordToken(
            "jane.doe@example.org", "foo123");
        token.setRememberMe(true);
        subject.login(token);
        categoryManager.addSubCategoryToCategory(sub, foo);
        subject.logout();
    }
    @Test
    @UsingDataSet(
        "datasets/org/libreccm/categorization/CategoryManagerTest/data.yml")
    @ShouldMatchDataSet(
        value = "datasets/org/libreccm/categorization/"
                    + "CategoryManagerTest/after-add-subcategory.yml",
        excludeColumns = {"object_id", "uuid"})
    @InSequence(3000)
    public void addSubCategoryToCategoryAuthByCategory() {
        final Category category = new Category();
        category.setName("category-new");
        category.setDisplayName("category-new");
        category.setUniqueId("catnew");
        shiro.getSystemUser().execute(() -> categoryRepo.save(category));
        final TypedQuery<Category> query = entityManager.createQuery(
            "SELECT c FROM Category c WHERE c.name = :name",
            Category.class);
        query.setParameter("name", "category-new");
        final Category sub = query.getSingleResult();
        final Category foo = categoryRepo.findById(-2100L);
        final UsernamePasswordToken token = new UsernamePasswordToken(
            "mmuster@example.com", "foo123");
        token.setRememberMe(true);
        subject.login(token);
        categoryManager.addSubCategoryToCategory(sub, foo);
        subject.logout();
    }
    @Test(expected = UnauthorizedException.class)
    @UsingDataSet(
        "datasets/org/libreccm/categorization/CategoryManagerTest/data.yml")
    @ShouldThrowException(UnauthorizedException.class)
    @InSequence(3000)
    public void addSubCategoryToCategoryNotAuthorized() {
        final Category category = new Category();
        category.setName("category-new");
        category.setDisplayName("category-new");
@ -216,7 +463,6 @@ public class CategoryManagerTest {
        final Category sub = query.getSingleResult();
        final Category foo = categoryRepo.findById(-2100L);
 //        final Category sub = categoryRepo.findById(-2200L);
        categoryManager.addSubCategoryToCategory(sub, foo);
    }
@ -228,8 +474,65 @@ public class CategoryManagerTest {
        value = "datasets/org/libreccm/categorization/"
                    + "CategoryManagerTest/after-remove-subcategory.yml",
        excludeColumns = {"categorization_id", "object_id"})
-    @InSequence(2200)
+    @InSequence(4000)
-    public void removeSubCategoryFromCategory() {
+    public void removeSubCategoryFromCategoryBySystemUser() {
        final Category foo = categoryRepo.findById(-2100L);
        final Category bar = categoryRepo.findById(-2200L);
        shiro.getSystemUser().execute(
            () -> categoryManager.removeSubCategoryFromCategory(bar, foo));
    }
    @Test
    @UsingDataSet(
        "datasets/org/libreccm/categorization/CategoryManagerTest/data.yml")
    @ShouldMatchDataSet(
        value = "datasets/org/libreccm/categorization/"
                    + "CategoryManagerTest/after-remove-subcategory.yml",
        excludeColumns = {"categorization_id", "object_id"})
    @InSequence(4000)
    public void removeSubCategoryFromCategoryAuthByDomain() {
        final Category foo = categoryRepo.findById(-2100L);
        final Category bar = categoryRepo.findById(-2200L);
        final UsernamePasswordToken token = new UsernamePasswordToken(
            "jane.doe@example.org", "foo123");
        token.setRememberMe(true);
        subject.login(token);
        categoryManager.removeSubCategoryFromCategory(bar, foo);
        subject.logout();
    }
    @Test
    @UsingDataSet(
        "datasets/org/libreccm/categorization/CategoryManagerTest/data.yml")
    @ShouldMatchDataSet(
        value = "datasets/org/libreccm/categorization/"
                    + "CategoryManagerTest/after-remove-subcategory.yml",
        excludeColumns = {"categorization_id", "object_id"})
    @InSequence(4000)
    public void removeSubCategoryFromCategoryAuthByCategory() {
        final Category foo = categoryRepo.findById(-2100L);
        final Category bar = categoryRepo.findById(-2200L);
        final UsernamePasswordToken token = new UsernamePasswordToken(
            "mmuster@example.com", "foo123");
        token.setRememberMe(true);
        subject.login(token);
        categoryManager.removeSubCategoryFromCategory(bar, foo);
        subject.logout();
    }
    @Test(expected = UnauthorizedException.class)
    @UsingDataSet(
        "datasets/org/libreccm/categorization/CategoryManagerTest/data.yml")
    @ShouldThrowException(UnauthorizedException.class)
    @InSequence(4000)
    public void removeSubCategoryFromCategoryNotAuthorized() {
        final Category foo = categoryRepo.findById(-2100L);
        final Category bar = categoryRepo.findById(-2200L);
@ -243,38 +546,41 @@ public class CategoryManagerTest {
        value = "datasets/org/libreccm/categorization/CategoryManagerTest/"
                    + "after-create-multiple-categories.yml",
        excludeColumns = {"object_id", "uuid"})
-    @InSequence(3100)
+    @InSequence(5000)
    public void createMultipleCategories() {
        final Domain domain = domainRepo.findByDomainKey("test");
        final Category root = domain.getRoot();
-        final Category com = new Category();
+        shiro.getSystemUser().execute(() -> {
-        com.setName("com");
+            final Domain domain = domainRepo.findByDomainKey("test");
-        com.setDisplayName("com");
+            final Category root = domain.getRoot();
        com.setUniqueId("com");
        categoryRepo.save(com);
        categoryManager.addSubCategoryToCategory(com, root);
-        final Category example = new Category();
+            final Category com = new Category();
-        example.setName("example");
+            com.setName("com");
-        example.setDisplayName("example");
+            com.setDisplayName("com");
-        example.setUniqueId("example");
+            com.setUniqueId("com");
-        categoryRepo.save(example);
+            categoryRepo.save(com);
-        categoryManager.addSubCategoryToCategory(example, com);
+            categoryManager.addSubCategoryToCategory(com, root);
-        final Category categories = new Category();
+            final Category example = new Category();
-        categories.setName("categories");
+            example.setName("example");
-        categories.setDisplayName("categories");
+            example.setDisplayName("example");
-        categories.setUniqueId("categories");
+            example.setUniqueId("example");
-        categoryRepo.save(categories);
+            categoryRepo.save(example);
-        categoryManager.addSubCategoryToCategory(categories, example);
+            categoryManager.addSubCategoryToCategory(example, com);
-        final Category test = new Category();
+            final Category categories = new Category();
-        test.setName("test");
+            categories.setName("categories");
-        test.setDisplayName("test");
+            categories.setDisplayName("categories");
-        test.setUniqueId("test");
+            categories.setUniqueId("categories");
-        categoryRepo.save(test);
+            categoryRepo.save(categories);
-        categoryManager.addSubCategoryToCategory(test, categories);
+            categoryManager.addSubCategoryToCategory(categories, example);
            final Category test = new Category();
            test.setName("test");
            test.setDisplayName("test");
            test.setUniqueId("test");
            categoryRepo.save(test);
            categoryManager.addSubCategoryToCategory(test, categories);
        });
    }
 }
--- a/ccm-core/src/test/java/org/libreccm/categorization/CategoryRepositoryTest.java
+++ b/ccm-core/src/test/java/org/libreccm/categorization/CategoryRepositoryTest.java
@ -38,7 +38,6 @@ import org.jboss.arquillian.persistence.ShouldMatchDataSet;
 import org.jboss.arquillian.persistence.UsingDataSet;
 import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
 import org.jboss.arquillian.transaction.api.annotation.Transactional;
 import org.jboss.sasl.util.UsernamePasswordHashUtil;
 import org.jboss.shrinkwrap.api.ShrinkWrap;
 import org.jboss.shrinkwrap.api.spec.WebArchive;
 import org.jboss.shrinkwrap.resolver.api.maven.Maven;
@ -52,8 +51,6 @@ import org.junit.runner.RunWith;
 import org.libreccm.security.Shiro;
 import org.libreccm.tests.categories.IntegrationTest;
 import javax.ws.rs.NotAuthorizedException;
 import static org.hamcrest.Matchers.*;
 import static org.junit.Assert.*;
--- a/ccm-core/src/test/java/org/libreccm/categorization/DatasetsTest.java
+++ b/ccm-core/src/test/java/org/libreccm/categorization/DatasetsTest.java
@ -46,7 +46,6 @@ public class DatasetsTest extends DatasetsVerifier {
            "/datasets/org/libreccm/categorization/CategoryManagerTest/after-remove-obj-from-category.yml",
            "/datasets/org/libreccm/categorization/CategoryManagerTest/after-remove-subcategory.yml",
            "/datasets/org/libreccm/categorization/CategoryManagerTest/data.yml",
            "/datasets/org/libreccm/categorization/CategoryManagerTest/data2.yml",
            "/datasets/org/libreccm/categorization/CategoryRepositoryTest/data.yml",
            "/datasets/org/libreccm/categorization/CategoryRepositoryTest/after-save-new-category.yml"
        });
--- a/ccm-core/src/test/java/org/libreccm/configuration/ConfigurationManagerTest.java
+++ b/ccm-core/src/test/java/org/libreccm/configuration/ConfigurationManagerTest.java
@ -19,9 +19,12 @@
 package org.libreccm.configuration;
 import com.example.TestConfiguration;
 import java.io.File;
 import java.math.BigDecimal;
 import javax.inject.Inject;
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.arquillian.junit.Arquillian;
 import org.jboss.arquillian.junit.InSequence;
@ -43,6 +46,7 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
 import org.libreccm.security.Shiro;
 import org.libreccm.tests.categories.IntegrationTest;
 import static org.hamcrest.Matchers.*;
@ -62,6 +66,9 @@ public class ConfigurationManagerTest {
    @Inject
    private ConfigurationManager configurationManager;
    @Inject
    private Shiro shiro;
    public ConfigurationManagerTest() {
    }
@ -85,10 +92,10 @@ public class ConfigurationManagerTest {
    @Deployment
    public static WebArchive createDeployment() {
        final PomEquippedResolveStage pom = Maven
-                .resolver()
+            .resolver()
-                .loadPomFromFile("pom.xml");
+            .loadPomFromFile("pom.xml");
        final PomEquippedResolveStage dependencies = pom
-                .importCompileAndRuntimeDependencies();
+            .importCompileAndRuntimeDependencies();
        final File[] libs = dependencies.resolve().withTransitivity().asFile();
        for (File lib : libs) {
@ -97,37 +104,41 @@ public class ConfigurationManagerTest {
        }
        return ShrinkWrap
-                .create(WebArchive.class,
+            .create(WebArchive.class,
-                        "LibreCCM-org.libreccm.configuration."
+                    "LibreCCM-org.libreccm.configuration."
-                                + "ConfigurationManagerTest.war")
+                        + "ConfigurationManagerTest.war")
-                .addPackage(org.libreccm.categorization.Categorization.class.
+            .addPackage(org.libreccm.categorization.Categorization.class
-                        getPackage())
+                .getPackage())
-                .addPackage(org.libreccm.configuration.Configuration.class.
+            .addPackage(org.libreccm.configuration.Configuration.class
-                        getPackage())
+                .getPackage())
-                .addPackage(org.libreccm.core.CcmObject.class.getPackage())
+            .addPackage(org.libreccm.core.CcmObject.class.getPackage())
-                .addPackage(org.libreccm.jpa.EntityManagerProducer.class.
+            .addPackage(org.libreccm.jpa.EntityManagerProducer.class
-                        getPackage())
+                .getPackage())
-                .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class.
+            .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class
-                        getPackage())
+                .getPackage())
-                .addPackage(org.libreccm.l10n.LocalizedString.class
+            .addPackage(org.libreccm.l10n.LocalizedString.class
-                        .getPackage())
+                .getPackage())
-                .addPackage(org.libreccm.security.Permission.class.getPackage())
+            .addPackage(org.libreccm.security.Permission.class.getPackage())
-                .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
+            .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
-                .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
+            .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
-                .addPackage(org.libreccm.tests.categories.IntegrationTest.class.
+            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
-                        getPackage())
+                .getPackage())
-                .addPackage(org.libreccm.testutils.EqualsVerifier.class.
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class.
-                        getPackage())
+                getPackage())
-                .addClass(com.example.TestConfiguration.class)
+            .addClass(com.example.TestConfiguration.class)
-                .addAsLibraries(libs)
+            .addClass(com.arsdigita.kernel.KernelConfig.class)
-                .addAsResource("test-persistence.xml",
+            .addClass(com.arsdigita.kernel.security.SecurityConfig.class)
-                               "META-INF/persistence.xml")
+            .addPackage(org.libreccm.cdi.utils.CdiUtil.class.getPackage())
-                .addAsResource(
+            .addAsLibraries(libs)
-                        "configs/org/libreccm/configuration/ConfigurationManagerTest/"
+            .addAsResource("configs/shiro.ini", "shiro.ini")
-                        + "log4j2.xml",
+            .addAsResource("test-persistence.xml",
-                        "log4j2.xml")
+                           "META-INF/persistence.xml")
-                .addAsWebInfResource("test-web.xml", "WEB-INF/web.xml")
+            .addAsResource(
-                .addAsWebInfResource(EmptyAsset.INSTANCE, "WEB-INF/beans.xml");
+                "configs/org/libreccm/configuration/ConfigurationManagerTest/"
                    + "log4j2.xml",
                "log4j2.xml")
            .addAsWebInfResource("test-web.xml", "web.xml")
            .addAsWebInfResource("META-INF/beans.xml", "beans.xml");
    }
    @Test
@ -138,7 +149,7 @@ public class ConfigurationManagerTest {
    @Test
    @UsingDataSet(
-            "datasets/org/libreccm/configuration/ConfigurationManagerTest/data.yml")
+        "datasets/org/libreccm/configuration/ConfigurationManagerTest/data.yml")
    @InSequence(2)
    public void datasetOnly() {
        System.out.println("Dataset loaded successfully.");
@ -146,11 +157,11 @@ public class ConfigurationManagerTest {
    @Test
    @UsingDataSet(
-            "datasets/org/libreccm/configuration/ConfigurationManagerTest/data.yml")
+        "datasets/org/libreccm/configuration/ConfigurationManagerTest/data.yml")
    @InSequence(1100)
    public void loadConfiguration() {
        final ExampleConfiguration configuration = configurationManager
-                .findConfiguration(ExampleConfiguration.class);
+            .findConfiguration(ExampleConfiguration.class);
        assertThat(configuration, is(not(nullValue())));
        assertThat(configuration.getPrice(),
@ -167,29 +178,30 @@ public class ConfigurationManagerTest {
    @Test
    @UsingDataSet(
-            "datasets/org/libreccm/configuration/ConfigurationManagerTest/data.yml")
+        "datasets/org/libreccm/configuration/ConfigurationManagerTest/data.yml")
    @ShouldMatchDataSet(
-            "datasets/org/libreccm/configuration/ConfigurationManagerTest/"
+        "datasets/org/libreccm/configuration/ConfigurationManagerTest/"
-                    + "after-save-changed.yml")
+            + "after-save-changed.yml")
    @InSequence(1200)
    public void saveConfiguration() {
        final ExampleConfiguration configuration = configurationManager
-                .findConfiguration(ExampleConfiguration.class);
+            .findConfiguration(ExampleConfiguration.class);
        configuration.setPrice(new BigDecimal("109.99"));
        configuration.setItemsPerPage(30L);
        configuration.addLanguage("es");
-        configurationManager.saveConfiguration(configuration);
+        shiro.getSystemUser().execute(
            () -> configurationManager.saveConfiguration(configuration));
    }
    @Test
    @UsingDataSet(
-            "datasets/org/libreccm/configuration/ConfigurationManagerTest/data.yml")
+        "datasets/org/libreccm/configuration/ConfigurationManagerTest/data.yml")
    @InSequence(2100)
    public void loadNewConfiguration() {
        final TestConfiguration configuration = configurationManager
-                .findConfiguration(TestConfiguration.class);
+            .findConfiguration(TestConfiguration.class);
        assertThat(configuration, is(not(nullValue())));
        assertThat(configuration.getEnabled(), is(false));
@ -198,14 +210,16 @@ public class ConfigurationManagerTest {
    @Test
    @UsingDataSet(
-            "datasets/org/libreccm/configuration/ConfigurationManagerTest/data.yml")
+        "datasets/org/libreccm/configuration/ConfigurationManagerTest/data.yml")
    @ShouldMatchDataSet(
-            value = "datasets/org/libreccm/configuration/"
+        value = "datasets/org/libreccm/configuration/"
-                            + "ConfigurationManagerTest/after-save-new.yml",
+                    + "ConfigurationManagerTest/after-save-new.yml",
-            excludeColumns = {"setting_id"})
+        excludeColumns = {"setting_id"})
    @InSequence(2200)
    public void saveNewConfiguration() {
-        configurationManager.saveConfiguration(new TestConfiguration());
+        shiro.getSystemUser().execute(
            () -> configurationManager.saveConfiguration(
                new TestConfiguration()));
    }
 }
--- a/ccm-core/src/test/java/org/libreccm/security/ChallengeManagerTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/ChallengeManagerTest.java
@ -18,6 +18,7 @@
 */
 package org.libreccm.security;
 import org.apache.shiro.subject.ExecutionException;
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.arquillian.container.test.api.ShouldThrowException;
 import org.jboss.arquillian.junit.Arquillian;
@ -73,6 +74,9 @@ public class ChallengeManagerTest {
    @Inject
    private ServletContext servletContext;
    @Inject
    private Shiro shiro;
    public ChallengeManagerTest() {
    }
@ -113,33 +117,37 @@ public class ChallengeManagerTest {
            .addPackage(com.arsdigita.util.Assert.class.getPackage())
            .addClass(com.arsdigita.util.servlet.HttpHost.class)
            .addPackage(com.arsdigita.web.URL.class.getPackage())
-            .addPackage(org.libreccm.security.OneTimeAuthManager.class.
+            .addPackage(org.libreccm.security.OneTimeAuthManager.class
-                getPackage())
+                .getPackage())
            .addPackage(org.libreccm.core.CcmObject.class.getPackage())
-            .addPackage(org.libreccm.categorization.Categorization.class.
+            .addPackage(org.libreccm.categorization.Categorization.class
-                getPackage())
+                .getPackage())
            .addPackage(org.libreccm.cdi.utils.CdiUtil.class.getPackage())
            .addPackage(
-                org.libreccm.configuration.ConfigurationManager.class.
+                org.libreccm.configuration.ConfigurationManager.class
-                getPackage())
+                .getPackage())
            .addClass(com.arsdigita.kernel.KernelConfig.class)
            .addClass(com.arsdigita.kernel.security.SecurityConfig.class)
            .addPackage(org.libreccm.l10n.LocalizedString.class.getPackage())
            .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
            .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
-            .addPackage(org.libreccm.jpa.EntityManagerProducer.class.
+            .addPackage(org.libreccm.jpa.EntityManagerProducer.class
-                getPackage())
+                .getPackage())
-            .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class.
+            .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class
-                getPackage())
+                .getPackage())
-            .addPackage(org.libreccm.testutils.EqualsVerifier.class.
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class
-                getPackage())
+                .getPackage())
-            .addPackage(org.libreccm.tests.categories.IntegrationTest.class.
+            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
-                getPackage())
+                .getPackage())
            .addPackage(org.libreccm.cdi.utils.CdiUtil.class.getPackage())
            .addClass(com.arsdigita.kernel.KernelConfig.class)
            .addClass(com.arsdigita.kernel.security.SecurityConfig.class)
            .addAsLibraries(libs)
            .addAsResource("configs/shiro.ini", "shiro.ini")
            .addAsResource("test-persistence.xml",
                           "META-INF/persistence.xml")
-            .addAsWebInfResource("test-web.xml", "WEB-INF/web.xml")
+            .addAsWebInfResource("test-web.xml", "web.xml")
-            .addAsWebInfResource(EmptyAsset.INSTANCE, "WEB-INF/beans.xml");
+            .addAsWebInfResource("META-INF/beans.xml", "beans.xml");
    }
    @Test
@ -176,7 +184,9 @@ public class ChallengeManagerTest {
 //            path);
        final User user = userRepository.findByName("mmuster");
-        final String mail = challengeManager.createEmailVerification(user);
+        final String mail = shiro.getSystemUser().execute(() -> {
            return challengeManager.createEmailVerification(user);
        });
        assertThat(mail, is(not(nullValue())));
        assertThat(mail.isEmpty(), is(false));
@ -192,8 +202,13 @@ public class ChallengeManagerTest {
    @UsingDataSet("datasets/org/libreccm/security/ChallengeManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(1200)
-    public void createEmailVerificationNullUser() {
+    public void createEmailVerificationNullUser() throws Throwable {
-        challengeManager.createEmailVerification(null);
+        try {
            shiro.getSystemUser().execute(
                () -> challengeManager.createEmailVerification(null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -205,9 +220,12 @@ public class ChallengeManagerTest {
    @InSequence(1300)
    public void finishEmailVerification() throws ChallengeFailedException {
        final User user = userRepository.findByName("mmuster");
-        challengeManager.finishEmailVerification(
+        shiro.getSystemUser().execute(() -> {
-            user,
+            challengeManager.finishEmailVerification(
-            "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi");
+                user,
                "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi");
            return null;
        });
    }
    @Test(expected = IllegalArgumentException.class)
@ -219,11 +237,18 @@ public class ChallengeManagerTest {
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(1400)
    public void finishEmailVerificationNullUser()
-        throws ChallengeFailedException {
+        throws Throwable {
-        challengeManager.finishEmailVerification(
+        try {
-            null,
+            shiro.getSystemUser().execute(() -> {
-            "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi");
+                challengeManager.finishEmailVerification(
                    null,
                    "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi");
                return null;
            });
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -235,11 +260,17 @@ public class ChallengeManagerTest {
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(1500)
    public void finishEmailVerificationNullToken()
-        throws ChallengeFailedException {
+        throws Throwable {
        final User user = userRepository.findByName("mmuster");
-        challengeManager.finishEmailVerification(
+        try {
-            user, null);
+            shiro.getSystemUser().execute(() -> {
                challengeManager.finishEmailVerification(user, null);
                return null;
            });
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -262,7 +293,9 @@ public class ChallengeManagerTest {
 //            path);
        final User user = userRepository.findByName("mmuster");
-        final String mail = challengeManager.createAccountActivation(user);
+        final String mail = shiro.getSystemUser().execute(() -> {
            return challengeManager.createAccountActivation(user);
        });
        assertThat(mail, is(not(nullValue())));
        assertThat(mail.isEmpty(), is(false));
@ -273,8 +306,13 @@ public class ChallengeManagerTest {
    @UsingDataSet("datasets/org/libreccm/security/ChallengeManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(2200)
-    public void createAccountActivationNullUser() {
+    public void createAccountActivationNullUser() throws Throwable {
-        challengeManager.createAccountActivation(null);
+        try {
            shiro.getSystemUser().execute(
                () -> challengeManager.createAccountActivation(null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -284,11 +322,18 @@ public class ChallengeManagerTest {
        value = "datasets/org/libreccm/security/ChallengeManagerTest/"
                    + "after-finish-account-activation.xml")
    @InSequence(2300)
-    public void finishAccountActivation() throws ChallengeFailedException {
+    public void finishAccountActivation() throws Throwable {
        final User user = userRepository.findByName("mmuster");
-        challengeManager.finishAccountActivation(
+        try {
-            user,
+            shiro.getSystemUser().execute(() -> {
-            "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi");
+                challengeManager.finishAccountActivation(
                    user,
                    "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi");
                return null;
            });
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -299,11 +344,17 @@ public class ChallengeManagerTest {
                    + "finish-account-activation.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(2400)
-    public void finishAccountActivationNullUser() throws
+    public void finishAccountActivationNullUser() throws Throwable {
-        ChallengeFailedException {
+        try {
-        challengeManager.finishAccountActivation(
+            shiro.getSystemUser().execute(() -> {
-            null,
+                challengeManager.finishAccountActivation(
-            "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi");
+                    null,
                    "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi");
                return null;
            });
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -314,12 +365,17 @@ public class ChallengeManagerTest {
                    + "finish-account-activation.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(2400)
-    public void finishAccountActivationNullToken() throws
+    public void finishAccountActivationNullToken() throws Throwable {
        ChallengeFailedException {
-        final User user = userRepository.findByName("mmuster");
+        try {
-        challengeManager.finishAccountActivation(
+            final User user = userRepository.findByName("mmuster");
-            user, null);
+            shiro.getSystemUser().execute(() -> {
                challengeManager.finishAccountActivation(user, null);
                return null;
            });
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -343,7 +399,9 @@ public class ChallengeManagerTest {
 //            path);
        final User user = userRepository.findByName("mmuster");
-        final String mail = challengeManager.createPasswordRecover(user);
+        final String mail = shiro.getSystemUser().execute(() -> {
            return challengeManager.createPasswordRecover(user);
        });
        assertThat(mail, is(not(nullValue())));
        assertThat(mail.isEmpty(), is(false));
@ -354,8 +412,15 @@ public class ChallengeManagerTest {
    @UsingDataSet("datasets/org/libreccm/security/ChallengeManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(3200)
-    public void createPasswordRecoverNullUser() {
+    public void createPasswordRecoverNullUser() throws Throwable {
-        challengeManager.createPasswordRecover(null);
+        try {
            shiro.getSystemUser().execute(() -> {
                challengeManager.createPasswordRecover(null);
                return null;
            });
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -368,10 +433,13 @@ public class ChallengeManagerTest {
    @InSequence(3300)
    public void finishPasswordRecover() throws ChallengeFailedException {
        final User user = userRepository.findByName("mmuster");
-        challengeManager.finishPasswordRecover(
+        shiro.getSystemUser().execute(() -> {
-            user,
+            challengeManager.finishPasswordRecover(
-            "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi",
+                user,
-            "new-password");
+                "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi",
                "new-password");
            return null;
        });
        final User after = userRepository.findByName("mmuster");
        assertThat(userManager.verifyPassword(after, "new-password"), is(true));
@ -385,11 +453,18 @@ public class ChallengeManagerTest {
                    + "finish-password-recovery.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(3400)
-    public void finishPasswordRecoverNullUser() throws ChallengeFailedException {
+    public void finishPasswordRecoverNullUser() throws Throwable {
-        challengeManager.finishPasswordRecover(
+        try {
-            null,
+            shiro.getSystemUser().execute(() -> {
-            "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi",
+                challengeManager.finishPasswordRecover(
-            "new-password");
+                    null,
                    "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi",
                    "new-password");
                return null;
            });
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -400,11 +475,18 @@ public class ChallengeManagerTest {
                    + "finish-password-recovery.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(3400)
-    public void finishPasswordRecoverNullToken()
+    public void finishPasswordRecoverNullToken() throws Throwable {
-        throws ChallengeFailedException {
+
        final User user = userRepository.findByName("mmuster");
-        challengeManager.finishPasswordRecover(
+        try {
-            user, null, "new-password");
+            shiro.getSystemUser().execute(() -> {
                challengeManager.finishPasswordRecover(
                    user, null, "new-password");
                return null;
            });
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -415,13 +497,20 @@ public class ChallengeManagerTest {
                    + "finish-password-recovery.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(3500)
-    public void finishPasswordRecoverNullPassword()
+    public void finishPasswordRecoverNullPassword() throws Throwable {
        throws ChallengeFailedException {
        final User user = userRepository.findByName("mmuster");
-        challengeManager.finishPasswordRecover(
+
-            user,
+        try {
-            "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi",
+            shiro.getSystemUser().execute(() -> {
-            null);
+                challengeManager.finishPasswordRecover(
                    user,
                    "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi",
                    null);
                return null;
            });
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -432,13 +521,19 @@ public class ChallengeManagerTest {
                    + "finish-password-recovery.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(3600)
-    public void finishPasswordRecoverEmptyPassword()
+    public void finishPasswordRecoverEmptyPassword() throws Throwable {
        throws ChallengeFailedException {
        final User user = userRepository.findByName("mmuster");
-        challengeManager.finishPasswordRecover(
+        try {
-            user,
+            shiro.getSystemUser().execute(() -> {
-            "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi",
+                challengeManager.finishPasswordRecover(
-            "");
+                    user,
                    "biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi",
                    "");
                return null;
            });
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
 }
--- a/ccm-core/src/test/java/org/libreccm/security/GroupManagerTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/GroupManagerTest.java
@ -18,6 +18,7 @@
 */
 package org.libreccm.security;
 import org.apache.shiro.subject.ExecutionException;
 import java.io.File;
@ -70,6 +71,9 @@ public class GroupManagerTest {
    @Inject
    private UserRepository userRepository;
    @Inject
    private Shiro shiro;
    public GroupManagerTest() {
    }
@ -119,19 +123,23 @@ public class GroupManagerTest {
            .addPackage(org.libreccm.security.User.class.getPackage())
            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
                .getPackage())
-            .addPackage(org.libreccm.testutils.EqualsVerifier.class.getPackage())
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class
                .getPackage())
            .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
            .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
            .addPackage(com.arsdigita.kernel.security.SecurityConfig.class
                .getPackage())
            .addPackage(com.arsdigita.util.UncheckedWrapperException.class
                .getPackage())
            .addPackage(org.libreccm.cdi.utils.CdiUtil.class.getPackage())
            .addClass(com.arsdigita.kernel.KernelConfig.class)
            .addClass(com.arsdigita.kernel.security.SecurityConfig.class)
            .addAsLibraries(libs)
            .addAsResource("test-persistence.xml",
                           "META-INF/persistence.xml")
            .addAsWebInfResource("test-web.xml", "web.xml")
            .addAsResource("configs/shiro.ini", "shiro.ini")
-            .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");
+            .addAsWebInfResource("META-INF/beans.xml", "beans.xml");
    }
    @Test
@ -165,28 +173,40 @@ public class GroupManagerTest {
        final User jdoe = userRepository.findByName("jdoe");
        final User mmuster = userRepository.findByName("mmuster");
-        groupManager.addMemberToGroup(mmuster, admins);
+        shiro.getSystemUser().execute(() -> {
-        groupManager.addMemberToGroup(jdoe, editors);
+            groupManager.addMemberToGroup(mmuster, admins);
            groupManager.addMemberToGroup(jdoe, editors);
        });
    }
    @Test(expected = IllegalArgumentException.class)
    @UsingDataSet("datasets/org/libreccm/security/GroupManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(210)
-    public void addNullUserToGroup() {
+    public void addNullUserToGroup() throws Throwable {
        final Group admins = groupRepository.findByName("admins");
-        groupManager.addMemberToGroup(null, admins);
+        try {
            shiro.getSystemUser().execute(
                () -> groupManager.addMemberToGroup(null, admins));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
    @UsingDataSet("datasets/org/libreccm/security/GroupManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(220)
-    public void addUserToGroupNull() {
+    public void addUserToGroupNull() throws Throwable {
        final User jdoe = userRepository.findByName("jdoe");
-        groupManager.addMemberToGroup(jdoe, null);
+        try {
            shiro.getSystemUser().execute(
                () -> groupManager.addMemberToGroup(jdoe, null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -198,7 +218,8 @@ public class GroupManagerTest {
        final Group admins = groupRepository.findByName("admins");
        final User jdoe = userRepository.findByName("jdoe");
-        groupManager.addMemberToGroup(jdoe, admins);
+        shiro.getSystemUser().execute(
            () -> groupManager.addMemberToGroup(jdoe, admins));
    }
    @Test
@ -216,28 +237,40 @@ public class GroupManagerTest {
        assertThat(admins.getMemberships().size(), is(1));
        assertThat(users.getMemberships().size(), is(2));
-        groupManager.removeMemberFromGroup(jdoe, admins);
+        shiro.getSystemUser().execute(() -> {
-        groupManager.removeMemberFromGroup(mmuster, users);
+            groupManager.removeMemberFromGroup(jdoe, admins);
            groupManager.removeMemberFromGroup(mmuster, users);
        });
    }
    @Test(expected = IllegalArgumentException.class)
    @UsingDataSet("datasets/org/libreccm/security/GroupManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(310)
-    public void removeUserNullFromGroup() {
+    public void removeUserNullFromGroup() throws Throwable {
        final Group admins = groupRepository.findByName("admins");
-        groupManager.removeMemberFromGroup(null, admins);
+        try {
            shiro.getSystemUser().execute(
                () -> groupManager.removeMemberFromGroup(null, admins));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
    @UsingDataSet("datasets/org/libreccm/security/GroupManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(320)
-    public void removeUserFromGroupNull() {
+    public void removeUserFromGroupNull() throws Throwable {
        final User jdoe = userRepository.findByName("jdoe");
-        groupManager.removeMemberFromGroup(jdoe, null);
+        try {
            shiro.getSystemUser().execute(
                () -> groupManager.removeMemberFromGroup(jdoe, null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -249,7 +282,8 @@ public class GroupManagerTest {
        final Group admins = groupRepository.findByName("admins");
        final User mmuster = userRepository.findByName("mmuster");
-        groupManager.removeMemberFromGroup(mmuster, admins);
+        shiro.getSystemUser().execute(
            () -> groupManager.removeMemberFromGroup(mmuster, admins));
    }
 }
--- a/ccm-core/src/test/java/org/libreccm/security/OneTimeAuthManagerTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/OneTimeAuthManagerTest.java
@ -18,6 +18,8 @@
 */
 package org.libreccm.security;
 import org.apache.shiro.subject.ExecutionException;
 import java.io.File;
 import java.time.LocalDateTime;
 import java.time.ZoneOffset;
@ -72,6 +74,9 @@ public class OneTimeAuthManagerTest {
    @Inject
    private UserRepository userRepository;
    @Inject
    private Shiro shiro;
    public OneTimeAuthManagerTest() {
    }
@ -109,31 +114,34 @@ public class OneTimeAuthManagerTest {
        return ShrinkWrap
            .create(WebArchive.class,
                    "LibreCCM-org.libreccm.security.OneTimeAuthManagerTest.war")
-            .addPackage(org.libreccm.security.OneTimeAuthManager.class.
+            .addPackage(org.libreccm.security.OneTimeAuthManager.class
-                getPackage())
+                .getPackage())
            .addPackage(org.libreccm.core.CcmObject.class.getPackage())
-            .addPackage(org.libreccm.categorization.Categorization.class.
+            .addPackage(org.libreccm.categorization.Categorization.class
-                getPackage())
+                .getPackage())
-            .addPackage(
+            .addPackage(org.libreccm.configuration.ConfigurationManager.class
-                org.libreccm.configuration.ConfigurationManager.class.
+                .getPackage())
-                getPackage())
+            .addPackage(org.libreccm.l10n.LocalizedString.class.getPackage())
-            .addPackage(org.libreccm.l10n.LocalizedString.class.getPackage()).
+            .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
            addPackage(org.libreccm.web.CcmApplication.class.getPackage())
            .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
-            .addPackage(org.libreccm.jpa.EntityManagerProducer.class.
+            .addPackage(org.libreccm.jpa.EntityManagerProducer.class
-                getPackage())
+                .getPackage())
-            .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class.
+            .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class
-                getPackage())
+                .getPackage())
            .addClass(com.arsdigita.kernel.security.SecurityConfig.class)
            .addPackage(org.libreccm.testutils.EqualsVerifier.class
                .getPackage())
            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
                .getPackage())
            .addPackage(org.libreccm.cdi.utils.CdiUtil.class.getPackage())
            .addClass(com.arsdigita.kernel.KernelConfig.class)
            .addClass(com.arsdigita.kernel.security.SecurityConfig.class)
            .addPackage(org.libreccm.testutils.EqualsVerifier.class.
                getPackage())
            .addPackage(org.libreccm.tests.categories.IntegrationTest.class.
                getPackage())
            .addAsLibraries(libs)
            .addAsResource("configs/shiro.ini", "shiro.ini")
            .addAsResource("test-persistence.xml",
                           "META-INF/persistence.xml")
-            .addAsWebInfResource("test-web.xml", "WEB-INF/web.xml")
+            .addAsWebInfResource("test-web.xml", "web.xml")
-            .addAsWebInfResource(EmptyAsset.INSTANCE, "WEB-INF/beans.xml");
+            .addAsWebInfResource("META-INF/beans.xml", "beans.xml");
    }
    @Test
@ -152,9 +160,11 @@ public class OneTimeAuthManagerTest {
    @InSequence(100)
    public void createTokenForUser() {
        final User mmuster = userRepository.findByName("mmuster");
-        final OneTimeAuthToken token = oneTimeAuthManager.createForUser(
+        final OneTimeAuthToken token = shiro.getSystemUser().execute(() -> {
-            mmuster,
+            return oneTimeAuthManager.createForUser(
-            OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
+                mmuster,
                OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
        });
        final LocalDateTime now = LocalDateTime.now(ZoneOffset.UTC);
        final LocalDateTime tokenValidUntil = LocalDateTime.ofInstant(
@ -176,9 +186,14 @@ public class OneTimeAuthManagerTest {
        "datasets/org/libreccm/security/OneTimeAuthManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(200)
-    public void createTokenNullUser() {
+    public void createTokenNullUser() throws Throwable {
-        oneTimeAuthManager.createForUser(
+        try {
-            null, OneTimeAuthTokenPurpose.RECOVER_PASSWORD);
+            shiro.getSystemUser().execute(
                () -> oneTimeAuthManager.createForUser(
                    null, OneTimeAuthTokenPurpose.RECOVER_PASSWORD));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -186,9 +201,14 @@ public class OneTimeAuthManagerTest {
        "datasets/org/libreccm/security/OneTimeAuthManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(300)
-    public void createTokenNullPurpose() {
+    public void createTokenNullPurpose() throws Throwable {
        final User user = new User();
-        oneTimeAuthManager.createForUser(user, null);
+        try {
            shiro.getSystemUser().execute(() -> oneTimeAuthManager
                .createForUser(user, null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -198,9 +218,11 @@ public class OneTimeAuthManagerTest {
    public void retrieveTokenForUser() {
        final User jdoe = userRepository.findByName("jdoe");
-        final List<OneTimeAuthToken> result = oneTimeAuthManager.
+        final List<OneTimeAuthToken> result = shiro.getSystemUser().execute(
-            retrieveForUser(
+            () -> {
-                jdoe, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
+                return oneTimeAuthManager.retrieveForUser(
                    jdoe, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
            });
        assertThat(result, is(not(nullValue())));
        assertThat(result, is(not(empty())));
@ -219,9 +241,11 @@ public class OneTimeAuthManagerTest {
    public void retrieveNotExistingTokenForUser() {
        final User mmuster = userRepository.findByName("mmuster");
-        final List<OneTimeAuthToken> result = oneTimeAuthManager.
+        final List<OneTimeAuthToken> result = shiro.getSystemUser().execute(
-            retrieveForUser(
+            () -> {
-                mmuster, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
+                return oneTimeAuthManager.retrieveForUser(
                    mmuster, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
            });
        assertThat(result, is(empty()));
    }
@ -231,9 +255,14 @@ public class OneTimeAuthManagerTest {
        "datasets/org/libreccm/security/OneTimeAuthManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(600)
-    public void retrieveTokenNullUser() {
+    public void retrieveTokenNullUser() throws Throwable {
-        oneTimeAuthManager.retrieveForUser(
+        try {
-            null, OneTimeAuthTokenPurpose.RECOVER_PASSWORD);
+            shiro.getSystemUser().execute(
                () -> oneTimeAuthManager.retrieveForUser(
                    null, OneTimeAuthTokenPurpose.RECOVER_PASSWORD));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -241,10 +270,15 @@ public class OneTimeAuthManagerTest {
        "datasets/org/libreccm/security/OneTimeAuthManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(700)
-    public void retrieveTokenNullPurpose() {
+    public void retrieveTokenNullPurpose() throws Throwable {
        final User mmuster = userRepository.findByName("mmuster");
-        oneTimeAuthManager.retrieveForUser(mmuster, null);
+        try {
            shiro.getSystemUser().execute(
                () -> oneTimeAuthManager.retrieveForUser(mmuster, null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -254,10 +288,11 @@ public class OneTimeAuthManagerTest {
    public void validTokenExistsForUser() {
        final User user = userRepository.findByName("jdoe");
-        assertThat(
+        shiro.getSystemUser().execute(
-            oneTimeAuthManager.validTokenExistsForUser(
+            () -> assertThat(
-                user, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION),
+                oneTimeAuthManager.validTokenExistsForUser(
-            is(true));
+                    user, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION),
                is(true)));
    }
    @Test
@ -267,10 +302,11 @@ public class OneTimeAuthManagerTest {
    public void validTokenDoesNotExist() {
        final User user = userRepository.findByName("mmuster");
-        assertThat(
+        shiro.getSystemUser().execute(
-            oneTimeAuthManager.validTokenExistsForUser(
+            () -> assertThat(
-                user, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION),
+                oneTimeAuthManager.validTokenExistsForUser(
-            is(false));
+                    user, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION),
                is(false)));
    }
    @Test(expected = IllegalArgumentException.class)
@ -278,9 +314,14 @@ public class OneTimeAuthManagerTest {
        "datasets/org/libreccm/security/OneTimeAuthManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(1000)
-    public void validTokenNullUser() {
+    public void validTokenNullUser() throws Throwable {
-        oneTimeAuthManager.validTokenExistsForUser(
+        try {
-            null, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
+            shiro.getSystemUser().execute(
                () -> oneTimeAuthManager.validTokenExistsForUser(
                    null, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -288,10 +329,14 @@ public class OneTimeAuthManagerTest {
        "datasets/org/libreccm/security/OneTimeAuthManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(1100)
-    public void validTokenNullPurpose() {
+    public void validTokenNullPurpose() throws Throwable {
-        final User user = userRepository.findByName("mmuster");
+        try {
-        oneTimeAuthManager.validTokenExistsForUser(
+            final User user = userRepository.findByName("mmuster");
-            user, null);
+            shiro.getSystemUser().execute(
                () -> oneTimeAuthManager.validTokenExistsForUser(user, null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -301,12 +346,15 @@ public class OneTimeAuthManagerTest {
    public void isValid() {
        final User jdoe = userRepository.findByName("jdoe");
-        final List<OneTimeAuthToken> result = oneTimeAuthManager.
+        final List<OneTimeAuthToken> result = shiro.getSystemUser().execute(
-            retrieveForUser(
+            () -> {
-                jdoe, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
+                return oneTimeAuthManager.retrieveForUser(
-
+                    jdoe, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
            });
        assertThat(result, is(not(empty())));
-        assertThat(oneTimeAuthManager.isValid(result.get(0)), is(true));
+        shiro.getSystemUser().execute(
            () -> assertThat(oneTimeAuthManager.isValid(result.get(0)),
                             is(true)));
    }
    @Test
@ -316,9 +364,11 @@ public class OneTimeAuthManagerTest {
    public void isInvalid() {
        final User jdoe = userRepository.findByName("jdoe");
-        final List<OneTimeAuthToken> result = oneTimeAuthManager.
+        final List<OneTimeAuthToken> result = shiro.getSystemUser().execute(
-            retrieveForUser(
+            () -> {
-                jdoe, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
+                return oneTimeAuthManager.retrieveForUser(
                    jdoe, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
            });
        assertThat(result, is(not(empty())));
        final OneTimeAuthToken token = result.get(0);
@ -327,7 +377,8 @@ public class OneTimeAuthManagerTest {
            .now(ZoneOffset.UTC).minus(1800, ChronoUnit.SECONDS);
        token.setValidUntil(Date.from(date.toInstant(ZoneOffset.UTC)));
-        assertThat(oneTimeAuthManager.isValid(token), is(false));
+        shiro.getSystemUser().execute(
            () -> assertThat(oneTimeAuthManager.isValid(token), is(false)));
    }
@ -336,8 +387,13 @@ public class OneTimeAuthManagerTest {
        "datasets/org/libreccm/security/OneTimeAuthManagerTest/data.xml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(1400)
-    public void isValidNullToken() {
+    public void isValidNullToken() throws Throwable {
-        oneTimeAuthManager.isValid(null);
+        try {
            shiro.getSystemUser().execute(
                () -> oneTimeAuthManager.isValid(null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -350,12 +406,15 @@ public class OneTimeAuthManagerTest {
    public void invalidateToken() {
        final User jdoe = userRepository.findByName("jdoe");
-        final List<OneTimeAuthToken> result = oneTimeAuthManager.
+        final List<OneTimeAuthToken> result = shiro.getSystemUser().execute(
-            retrieveForUser(
+            () -> {
-                jdoe, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
+                return oneTimeAuthManager.retrieveForUser(
                    jdoe, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
            });
        assertThat(result, is(not(empty())));
-        oneTimeAuthManager.invalidate(result.get(0));
+        shiro.getSystemUser().execute(
            () -> oneTimeAuthManager.invalidate(result.get(0)));
    }
    @Test(expected = IllegalArgumentException.class)
@ -364,7 +423,8 @@ public class OneTimeAuthManagerTest {
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(1400)
    public void invalidateNullToken() {
-        oneTimeAuthManager.invalidate(null);
+        shiro.getSystemUser().execute(
            () -> oneTimeAuthManager.invalidate(null));
    }
 }
--- a/ccm-core/src/test/java/org/libreccm/security/PermissionManagerTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/PermissionManagerTest.java
@ -18,7 +18,7 @@
 */
 package org.libreccm.security;
-
+import org.apache.shiro.subject.ExecutionException;
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.arquillian.container.test.api.ShouldThrowException;
 import org.jboss.arquillian.junit.Arquillian;
@ -76,6 +76,9 @@ public class PermissionManagerTest {
    @Inject
    private EntityManager entityManager;
    @Inject
    private Shiro shiro;
    public PermissionManagerTest() {
    }
@ -125,7 +128,8 @@ public class PermissionManagerTest {
            .addPackage(org.libreccm.security.User.class.getPackage())
            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
                .getPackage())
-            .addPackage(org.libreccm.testutils.EqualsVerifier.class.getPackage())
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class
                .getPackage())
            .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
            .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
            .addPackage(com.arsdigita.kernel.KernelConfig.class.getPackage())
@ -133,12 +137,13 @@ public class PermissionManagerTest {
                .getPackage())
            .addPackage(com.arsdigita.util.UncheckedWrapperException.class
                .getPackage())
            .addPackage(org.libreccm.cdi.utils.CdiUtil.class.getPackage())
            .addAsLibraries(libs)
            .addAsResource("test-persistence.xml",
                           "META-INF/persistence.xml")
            .addAsResource("configs/shiro.ini", "shiro.ini")
            .addAsWebInfResource("test-web.xml", "web.xml")
-            .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");
+            .addAsWebInfResource("META-INF/beans.xml", "beans.xml");
    }
    @Test
@ -171,8 +176,10 @@ public class PermissionManagerTest {
        final Role role2 = roleRepository.findByName("role2");
        final CcmObject object3 = ccmObjectRepository.findById(-20003L);
-        permissionManager.grantPrivilege("privilege2", role2, object3);
+        shiro.getSystemUser().execute(() -> {
-        permissionManager.grantPrivilege("privilege3", role2);
+            permissionManager.grantPrivilege("privilege2", role2, object3);
            permissionManager.grantPrivilege("privilege3", role2);
        });
    }
    @Test
@ -186,8 +193,10 @@ public class PermissionManagerTest {
        final Role role1 = roleRepository.findByName("role1");
        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
-        permissionManager.grantPrivilege("privilege1", role1);
+        shiro.getSystemUser().execute(() -> {
-        permissionManager.grantPrivilege("privilege2", role1, object1);
+            permissionManager.grantPrivilege("privilege1", role1);
            permissionManager.grantPrivilege("privilege2", role1, object1);
        });
    }
    @Test(expected = IllegalArgumentException.class)
@ -195,10 +204,15 @@ public class PermissionManagerTest {
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(220)
-    public void grantPermissionPrivilegeNull() {
+    public void grantPermissionPrivilegeNull() throws Throwable {
        final Role role1 = roleRepository.findByName("role1");
-        permissionManager.grantPrivilege(null, role1);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.grantPrivilege(null, role1));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -206,11 +220,16 @@ public class PermissionManagerTest {
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(225)
-    public void grantPermissionOnObjectPrivilegeNull() {
+    public void grantPermissionOnObjectPrivilegeNull() throws Throwable {
        final Role role1 = roleRepository.findByName("role1");
        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
-        permissionManager.grantPrivilege(null, role1, object1);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.grantPrivilege(null, role1, object1));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -218,10 +237,15 @@ public class PermissionManagerTest {
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(230)
-    public void grantPermissionEmptyPrivilege() {
+    public void grantPermissionEmptyPrivilege() throws Throwable {
        final Role role1 = roleRepository.findByName("role1");
-        permissionManager.grantPrivilege("", role1);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.grantPrivilege("", role1));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -229,11 +253,16 @@ public class PermissionManagerTest {
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(235)
-    public void grantPermissionOnObjectEmptyPrivilege() {
+    public void grantPermissionOnObjectEmptyPrivilege() throws Throwable {
        final Role role1 = roleRepository.findByName("role1");
        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
-        permissionManager.grantPrivilege("", role1, object1);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.grantPrivilege("", role1, object1));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -241,8 +270,13 @@ public class PermissionManagerTest {
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(240)
-    public void grantPermissionToRoleNull() {
+    public void grantPermissionToRoleNull() throws Throwable {
-        permissionManager.grantPrivilege("privilege", null);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.grantPrivilege("privilege", null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -250,10 +284,17 @@ public class PermissionManagerTest {
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(240)
-    public void grantPermissionOnObjectToRoleNull() {
+    public void grantPermissionOnObjectToRoleNull() throws Throwable {
        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
-        permissionManager.grantPrivilege("privilege", null, object1);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.grantPrivilege("privilege",
                                                       null,
                                                       object1));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -261,10 +302,17 @@ public class PermissionManagerTest {
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(250)
-    public void grantPermissionNullObject() {
+    public void grantPermissionNullObject() throws Throwable {
        final Role role1 = roleRepository.findByName("role1");
-        permissionManager.grantPrivilege("privilege1", role1, null);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.grantPrivilege("privilege1",
                                                       role1,
                                                       null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -279,8 +327,10 @@ public class PermissionManagerTest {
        final Role role1 = roleRepository.findByName("role1");
        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
-        permissionManager.revokePrivilege("privilege1", role1);
+        shiro.getSystemUser().execute(() -> {
-        permissionManager.revokePrivilege("privilege2", role1, object1);
+            permissionManager.revokePrivilege("privilege1", role1);
            permissionManager.revokePrivilege("privilege2", role1, object1);
        });
    }
    @Test
@ -290,10 +340,11 @@ public class PermissionManagerTest {
        value = "datasets/org/libreccm/security/PermissionManagerTest/"
                    + "data.yml")
    @InSequence(310)
-    public void revokeNotExistingPermission() {
+    public void revokeNotExistingPermission() throws Throwable {
        final Role role1 = roleRepository.findByName("role1");
-        permissionManager.revokePrivilege("privilege999", role1);
+        shiro.getSystemUser().execute(
            () -> permissionManager.revokePrivilege("privilege999", role1));
    }
    @Test
@ -307,7 +358,10 @@ public class PermissionManagerTest {
        final Role role1 = roleRepository.findByName("role1");
        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
-        permissionManager.revokePrivilege("privilege999", role1, object1);
+        shiro.getSystemUser().execute(
            () -> permissionManager.revokePrivilege("privilege999",
                                                    role1,
                                                    object1));
    }
    @Test(expected = IllegalArgumentException.class)
@ -315,10 +369,15 @@ public class PermissionManagerTest {
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(320)
-    public void revokePermissionPrivilegeNull() {
+    public void revokePermissionPrivilegeNull() throws Throwable {
        final Role role1 = roleRepository.findByName("role1");
-        permissionManager.revokePrivilege(null, role1);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.revokePrivilege(null, role1));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -326,11 +385,16 @@ public class PermissionManagerTest {
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(320)
-    public void revokePermissionOnObjectPrivilegeNull() {
+    public void revokePermissionOnObjectPrivilegeNull() throws Throwable {
        final Role role1 = roleRepository.findByName("role1");
        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
-        permissionManager.revokePrivilege(null, role1, object1);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.revokePrivilege(null, role1, object1));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -338,31 +402,48 @@ public class PermissionManagerTest {
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(330)
-    public void revokePermissionEmptyPrivilege() {
+    public void revokePermissionEmptyPrivilege() throws Throwable {
        final Role role1 = roleRepository.findByName("role1");
-        permissionManager.revokePrivilege("", role1);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.revokePrivilege("", role1));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
-    @Test(expected = IllegalArgumentException.class)
+    @Test(expected
              = IllegalArgumentException.class)
    @UsingDataSet(
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(320)
-    public void revokePermissionOnObjectEmptyPrivilege() {
+    public void revokePermissionOnObjectEmptyPrivilege() throws Throwable {
        final Role role1 = roleRepository.findByName("role1");
        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
-        permissionManager.revokePrivilege("", role1, object1);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.revokePrivilege("", role1, object1));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
-    @Test(expected = IllegalArgumentException.class)
+    @Test(expected
              = IllegalArgumentException.class)
    @UsingDataSet(
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(340)
-    public void revokePermissionFromRoleNull() {
+    public void revokePermissionFromRoleNull() throws Throwable {
-        permissionManager.revokePrivilege("privilege1", null);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.revokePrivilege("privilege1", null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
@ -370,22 +451,36 @@ public class PermissionManagerTest {
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(345)
-    public void revokePermissionOnObjectFromRoleNull() {
+    public void revokePermissionOnObjectFromRoleNull() throws Throwable {
        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
-        permissionManager.revokePrivilege("privilege1", null, object1);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.revokePrivilege("privilege1",
                                                        null,
                                                        object1));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
-    @Test(expected = IllegalArgumentException.class)
+    @Test(expected
              = IllegalArgumentException.class)
    @UsingDataSet(
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(350)
-    public void revokePermissionNullObject() {
+    public void revokePermissionNullObject() throws Throwable {
        final Role role1 = roleRepository.findByName("role1");
-        permissionManager.revokePrivilege("privilege2", role1, null);
+        try {
-
+            shiro.getSystemUser().execute(
                () -> permissionManager.revokePrivilege("privilege2",
                                                        role1,
                                                        null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -396,33 +491,46 @@ public class PermissionManagerTest {
                    + "after-copy.yml",
        excludeColumns = {"permission_id"})
    @InSequence(400)
-    public void copyPermissions() {
+    public void copyPermissions() throws Throwable {
        final CcmObject object2 = ccmObjectRepository.findById(-20002L);
        final CcmObject object3 = ccmObjectRepository.findById(-20003L);
-        permissionManager.copyPermissions(object2, object3);
+        shiro.getSystemUser().execute(
            () -> permissionManager.copyPermissions(object2, object3));
    }
-    @Test(expected = IllegalArgumentException.class)
+    @Test(expected
              = IllegalArgumentException.class)
    @UsingDataSet(
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(410)
-    public void copyPermissionsNullSource() {
+    public void copyPermissionsNullSource() throws Throwable {
        final CcmObject object3 = ccmObjectRepository.findById(-20003L);
-        permissionManager.copyPermissions(null, object3);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.copyPermissions(null, object3));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
-    @Test(expected = IllegalArgumentException.class)
+    @Test(expected
              = IllegalArgumentException.class)
    @UsingDataSet(
        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(420)
-    public void copyPermissionsNullTarget() {
+    public void copyPermissionsNullTarget() throws Throwable {
        final CcmObject object2 = ccmObjectRepository.findById(-20002L);
-        permissionManager.copyPermissions(object2, null);
+        try {
            shiro.getSystemUser().execute(
                () -> permissionManager.copyPermissions(object2, null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
 }
--- a/ccm-core/src/test/java/org/libreccm/security/RoleManagerTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/RoleManagerTest.java
@ -18,6 +18,7 @@
 */
 package org.libreccm.security;
 import org.apache.shiro.subject.ExecutionException;
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.arquillian.container.test.api.ShouldThrowException;
 import org.jboss.arquillian.junit.Arquillian;
@ -29,7 +30,6 @@ import org.jboss.arquillian.persistence.UsingDataSet;
 import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
 import org.jboss.arquillian.transaction.api.annotation.Transactional;
 import org.jboss.shrinkwrap.api.ShrinkWrap;
 import org.jboss.shrinkwrap.api.asset.EmptyAsset;
 import org.jboss.shrinkwrap.api.spec.WebArchive;
 import org.jboss.shrinkwrap.resolver.api.maven.Maven;
 import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
@ -69,6 +69,9 @@ public class RoleManagerTest {
    @Inject
    private PartyRepository partyRepository;
    @Inject
    private Shiro shiro;
    public RoleManagerTest() {
    }
@ -118,7 +121,8 @@ public class RoleManagerTest {
            .addPackage(org.libreccm.security.User.class.getPackage())
            .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
            .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
-            .addPackage(org.libreccm.testutils.EqualsVerifier.class.getPackage())
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class
                .getPackage())
            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
                .getPackage())
            .addPackage(com.arsdigita.kernel.KernelConfig.class.getPackage())
@ -126,12 +130,13 @@ public class RoleManagerTest {
                .getPackage())
            .addPackage(com.arsdigita.util.UncheckedWrapperException.class
                .getPackage())
            .addPackage(org.libreccm.cdi.utils.CdiUtil.class.getPackage())
            .addAsLibraries(libs)
            .addAsResource("test-persistence.xml",
                           "META-INF/persistence.xml")
            .addAsResource("configs/shiro.ini", "shiro.ini")
            .addAsWebInfResource("test-web.xml", "web.xml")
-            .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");
+            .addAsWebInfResource("META-INF/beans.xml", "beans.xml");
    }
    @Test
@ -153,28 +158,40 @@ public class RoleManagerTest {
        final Party joe = partyRepository.findByName("joe");
        final Party group1 = partyRepository.findByName("group1");
-        roleManager.assignRoleToParty(role1, joe);
+        shiro.getSystemUser().execute(() -> {
-        roleManager.assignRoleToParty(role3, group1);
+            roleManager.assignRoleToParty(role1, joe);
            roleManager.assignRoleToParty(role3, group1);
        });
    }
    @Test(expected = IllegalArgumentException.class)
    @UsingDataSet("datasets/org/libreccm/security/RoleManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(210)
-    public void assignRoleNullToParty() {
+    public void assignRoleNullToParty() throws Throwable {
        final Party party = partyRepository.findByName("jdoe");
-        roleManager.assignRoleToParty(null, party);
+        try {
            shiro.getSystemUser().execute(
                () -> roleManager.assignRoleToParty(null, party));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
    @UsingDataSet("datasets/org/libreccm/security/RoleManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(220)
-    public void assignRoleToPartyNull() {
+    public void assignRoleToPartyNull() throws Throwable {
        final Role role = roleRepository.findByName("role1");
-        roleManager.assignRoleToParty(role, null);
+        try {
            shiro.getSystemUser().execute(
                () -> roleManager.assignRoleToParty(role, null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -186,7 +203,8 @@ public class RoleManagerTest {
        final Party jdoe = partyRepository.findByName("jdoe");
        final Role role1 = roleRepository.findByName("role1");
-        roleManager.assignRoleToParty(role1, jdoe);
+        shiro.getSystemUser().execute(
            () -> roleManager.assignRoleToParty(role1, jdoe));
    }
    @Test
@ -203,28 +221,39 @@ public class RoleManagerTest {
        final Party jdoe = partyRepository.findByName("jdoe");
        final Party group1 = partyRepository.findByName("group1");
-        roleManager.removeRoleFromParty(role1, jdoe);
+        shiro.getSystemUser().execute(() -> {
-        roleManager.removeRoleFromParty(role2, group1);
+            roleManager.removeRoleFromParty(role1, jdoe);
            roleManager.removeRoleFromParty(role2, group1);
        });
    }
    @Test(expected = IllegalArgumentException.class)
    @UsingDataSet("datasets/org/libreccm/security/RoleManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(310)
-    public void removeRoleNullFromParty() {
+    public void removeRoleNullFromParty() throws Throwable {
        final Party party = partyRepository.findByName("jdoe");
-        roleManager.removeRoleFromParty(null, party);
+        try {
            shiro.getSystemUser().execute(
                () -> roleManager.removeRoleFromParty(null, party));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test(expected = IllegalArgumentException.class)
    @UsingDataSet("datasets/org/libreccm/security/RoleManagerTest/data.yml")
    @ShouldThrowException(IllegalArgumentException.class)
    @InSequence(220)
-    public void removeRoleFromPartyNull() {
+    public void removeRoleFromPartyNull() throws Throwable {
        final Role role = roleRepository.findByName("role1");
-
+        try {
-        roleManager.removeRoleFromParty(role, null);
+            shiro.getSystemUser().execute(
                () -> roleManager.removeRoleFromParty(role, null));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
    }
    @Test
@ -236,7 +265,8 @@ public class RoleManagerTest {
        final Role role2 = roleRepository.findByName("role2");
        final Party jdoe = partyRepository.findByName("jdoe");
-        roleManager.removeRoleFromParty(role2, jdoe);
+        shiro.getSystemUser().execute(
            () -> roleManager.removeRoleFromParty(role2, jdoe));
    }
 }
--- a/ccm-core/src/test/java/org/libreccm/security/UserManagerTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/UserManagerTest.java
@ -18,6 +18,7 @@
 */
 package org.libreccm.security;
 import org.apache.shiro.subject.ExecutionException;
 import java.io.File;
@ -39,7 +40,6 @@ import org.jboss.arquillian.test.spi.ArquillianProxyException;
 import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
 import org.jboss.arquillian.transaction.api.annotation.Transactional;
 import org.jboss.shrinkwrap.api.ShrinkWrap;
 import org.jboss.shrinkwrap.api.asset.EmptyAsset;
 import org.jboss.shrinkwrap.api.spec.WebArchive;
 import org.jboss.shrinkwrap.resolver.api.maven.Maven;
 import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
@ -71,6 +71,9 @@ public class UserManagerTest {
    @Inject
    private UserRepository userRepository;
    @Inject
    private Shiro shiro;
    public UserManagerTest() {
    }
@ -123,18 +126,20 @@ public class UserManagerTest {
            .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
                .getPackage())
-            .addPackage(org.libreccm.testutils.EqualsVerifier.class.getPackage())
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class
                .getPackage())
            .addPackage(com.arsdigita.kernel.KernelConfig.class.getPackage())
            .addPackage(com.arsdigita.kernel.security.SecurityConfig.class
                .getPackage())
            .addPackage(com.arsdigita.util.UncheckedWrapperException.class
                .getPackage())
            .addPackage(org.libreccm.cdi.utils.CdiUtil.class.getPackage())
            .addAsLibraries(libs)
            .addAsResource("test-persistence.xml",
                           "META-INF/persistence.xml")
            .addAsResource("configs/shiro.ini", "shiro.ini")
            .addAsWebInfResource("test-web.xml", "web.xml")
-            .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");
+            .addAsWebInfResource("META-INF/beans.xml", "beans.xml");
    }
    @Test
@ -170,11 +175,12 @@ public class UserManagerTest {
        excludeColumns = {"party_id", "password"})
    @InSequence(300)
    public void createUser() {
-        userManager.createUser("Jane",
+        shiro.getSystemUser().execute(
-                               "Doe",
+            () -> userManager.createUser("Jane",
-                               "jane",
+                                         "Doe",
-                               "jane.doe@example.org",
+                                         "jane",
-                               "foo456");
+                                         "jane.doe@example.org",
                                         "foo456"));
        final User jane2 = userRepository.findByName("jane");
        assertThat(userManager.verifyPassword(jane2, "foo456"), is(true));
@ -184,12 +190,17 @@ public class UserManagerTest {
    @UsingDataSet("datasets/org/libreccm/security/UserManagerTest/data.yml")
    @ShouldThrowException(ConstraintViolationException.class)
    @InSequence(400)
-    public void createUserWithInValidName() {
+    public void createUserWithInValidName() throws Throwable {
-        userManager.createUser("Jane",
+        try {
-                               "Doe",
+            shiro.getSystemUser().execute(
-                               "j#ne",
+                () -> userManager.createUser("Jane",
-                               "jane.doe@example.org",
+                                             "Doe",
-                               "foo456");
+                                             "j#ne",
                                             "jane.doe@example.org",
                                             "foo456"));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
        fail();
    }
@ -198,7 +209,8 @@ public class UserManagerTest {
    @InSequence(500)
    public void updatePassword() {
        final User jdoe = userRepository.findByName("jdoe");
-        userManager.updatePassword(jdoe, "foo456");
+        shiro.getSystemUser().execute(
            () -> userManager.updatePassword(jdoe, "foo456"));
        final User jdoe2 = userRepository.findByName("jdoe");
        assertThat(userManager.verifyPassword(jdoe, "foo456"), is(true));
@ -212,8 +224,13 @@ public class UserManagerTest {
    @UsingDataSet("datasets/org/libreccm/security/UserManagerTest/data.yml")
    @ShouldThrowException(ConstraintViolationException.class)
    @InSequence(600)
-    public void updatePasswordNullUser() {
+    public void updatePasswordNullUser() throws Throwable {
-        userManager.updatePassword(null, "foo");
+        try {
            shiro.getSystemUser().execute(
                () -> userManager.updatePassword(null, "foo"));
        } catch (ExecutionException ex) {
            throw ex.getCause();
        }
        fail();
    }
--- a/ccm-core/src/test/resources/datasets/org/libreccm/categorization/CategoryManagerTest/data.yml
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/categorization/CategoryManagerTest/data.yml
@ -65,4 +65,74 @@ ccm_core.categorizations:
      object_id: -3300
      category_order: 1
      object_order: 1
-      category_index: false
+      category_index: false
 ccm_core.parties:
    - party_id: -3000
      name: public-user
    - party_id: -3100
      name: jdoe
    - party_id: -3200
      name: mmuster
 ccm_core.users:
    - party_id: -3000
      given_name: public
      family_name: user
      email_address: public-user@localhost
      banned: false
      bouncing: false
      verified: true
      password_reset_required: false
    - party_id: -3100
      given_name: Jane
      family_name: Doe
      email_address: jane.doe@example.org
      # foo123
      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
      banned: false
      bouncing: false
      verified: true
      password_reset_required: false
    - party_id: -3200
      given_name: Maria
      family_name: Muster
      email_address: mmuster@example.com
      # foo123
      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
      banned: false
      bouncing: false
      verified: true
      password_reset_required: false
 ccm_core.ccm_roles:
    - role_id: -4000
      name: domain_test_category_manager
    - role_id: -4100
      name: category_foo_manager
 ccm_core.role_memberships:
    - membership_id: -5000
      role_id: -4000
      member_id: -3100
    - membership_id: 5100
      role_id: -4100
      member_id: -3200
 ccm_core.permissions:
    - permission_id: -6000
      granted_privilege: manage_category
      grantee_id: -4000
      object_id: -2000
    - permission_id: -6100
      granted_privilege: manage_category_objects
      grantee_id: -4000
      object_id: -2000
    - permission_id: -6200
      granted_privilege: manage_category
      grantee_id: -4100
      object_id: -2100
    - permission_id: -6300
      granted_privilege: manage_category_objects
      grantee_id: -4100
      object_id: -2100
--- a/ccm-core/src/test/resources/datasets/org/libreccm/categorization/CategoryManagerTest/data2.yml
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/categorization/CategoryManagerTest/data2.yml
@ -1,79 +0,0 @@
 ccm_core.ccm_objects:
        - object_id: -1000
          display_name: test
          uuid: dc1788a7-79b3-4298-94f2-e23cba97301d
        - object_id: -2000
          display_name: test_root
          uuid: c78a2311-3751-4b69-b6ed-358b29571407
        - object_id: -2100
          display_name: foo
          uuid: 6b25f081-0144-419f-886c-1fcdfba2aa54
        - object_id: -2200
          display_name: bar
          uuid: dc76f9b8-f69f-408d-918a-bd80d4755166
        - object_id: -3100
          display_name: object1
          uuid: 2cd8b84e-3dc5-4268-98eb-e297f7f93cd4
        - object_id: -3200
          display_name: object2
          uuid: ce0c5964-f3ce-4d9e-93c8-7d57ce03a505
        - object_id: -3300
          display_name: object3
          uuid: c66c5063-8912-4dec-8195-a0b45161419d
        - object_id: -2300
          display_name: category-new
          uuid: 2b801a2c-0c0e-4a52-b17b-58fb5b775b09
 ccm_core.categories:
        - object_id: -2000
          unique_id: test0001
          name: test-root
          enabled: true
          visible: true
          abstract_category: false
          category_order: 0
        - object_id: -2100
          unique_id: test0002
          name: foo
          parent_category_id: -2000
          enabled: true
          visible: true
          abstract_category: false
          category_order: 0
        - object_id: -2200
          unique_id: test0003
          name: bar
          parent_category_id: -2100
          enabled: true
          visible: true
          abstract_category: false
          category_order: 0
        - object_id: -2300
          unique_id: catnew
          name: category-new
          enabled: true
          visible: true
          abstract_category: false
          category_order: 1
 ccm_core.category_domains:
        - object_id: -1000
          domain_key: test
          root_category_id: -2000
          uri: http://libreccm.org/test
          version: 1.0
 ccm_core.categorizations:
    - categorization_id: -10000
      category_id: -2100
      object_id: -3100
      object_order: 1
      category_order: 1
      category_index: false
    - categorization_id: -10100
      category_id: -2200
      object_id: -3300
      category_order: 1
      object_order: 1
      category_index: false
--- a/ccm-core/src/test/resources/datasets/org/libreccm/categorization/CategoryRepositoryTest/after-save-new-category.yml
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/categorization/CategoryRepositoryTest/after-save-new-category.yml
@ -54,4 +54,62 @@ ccm_core.category_domains:
          uri: http://libreccm.org/test
          version: 1.0
 ccm_core.parties:
    - party_id: -100
      name: public-user
    - party_id: -200
      name: jdoe
    - party_id: -300
      name: mmuster
 ccm_core.users:
    - party_id: -100
      given_name: public
      family_name: user
      email_address: public-user@localhost
      banned: false
      bouncing: false
      verified: true
      password_reset_required: false
    - party_id: -200
      given_name: John
      family_name: Doe
      email_address: john.doe@example.org
      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
      banned: false
      bouncing: false
      verified: true
      password_reset_required: false
    - party_id: -300
      given_name: Max
      family_name: Mustermann
      email_address: max.mustermann@example.org
      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
      banned: false
      bouncing: false
      verified: true
      password_reset_required: false
 ccm_core.ccm_roles:
    - role_id: -500
      name: category_manager
    - role_id: -510
      name: category_manager_domain_test
 ccm_core.role_memberships:
    - membership_id: -600
      role_id: -500
      member_id: -200
    - membership_id: -610
      role_id: -510
      member_id: -300
 ccm_core.permissions:
    - permission_id: -700
      granted_privilege: manage_category
      grantee_id: -500
    - permission_id: -710
      granted_privilege: manage_category
      grantee_id: -510
      object_id: -1000
--- a/ccm-core/src/test/resources/datasets/org/libreccm/categorization/CategoryRepositoryTest/data.yml
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/categorization/CategoryRepositoryTest/data.yml
@ -96,9 +96,9 @@ ccm_core.role_memberships:
 ccm_core.permissions:
    - permission_id: -700
-      granted_privilege: manage_categories
+      granted_privilege: manage_category
      grantee_id: -500
    - permission_id: -710
-      granted_privilege: manage_categories
+      granted_privilege: manage_category
      grantee_id: -510
      object_id: -1000
--- a/ccm-shortcuts/src/test/java/org/libreccm/shortcuts/ShortcutRepositoryTest.java
+++ b/ccm-shortcuts/src/test/java/org/libreccm/shortcuts/ShortcutRepositoryTest.java
@ -172,18 +172,18 @@ public class ShortcutRepositoryTest {
        final Optional<Shortcut> shop = shortcutRepository.findByUrlKey("shop");
        assertThat(members.isPresent(), is(true));
-        assertThat(members.get().getUrlKey(), is(equalTo("members")));
+        assertThat(members.get().getUrlKey(), is(equalTo("/members/")));
        assertThat(members.get().getRedirect(),
                   is(equalTo("/ccm/navigation/members")));
        assertThat(mitglieder.isPresent(), is(true));
-        assertThat(mitglieder.get().getUrlKey(), is(equalTo("mitglieder")));
+        assertThat(mitglieder.get().getUrlKey(), is(equalTo("/mitglieder/")));
        assertThat(mitglieder.get().getRedirect(),
                   is(equalTo("/ccm/navigation/members")));
        assertThat(shop.isPresent(), is(true));
        assertThat(shop.get().getUrlKey(),
-                   is(equalTo("shop")));
+                   is(equalTo("/shop/")));
        assertThat(shop.get().getRedirect(),
                   is(equalTo("http://www.example.com")));
    }
@ -209,17 +209,17 @@ public class ShortcutRepositoryTest {
        final List<Shortcut> toMembers = shortcutRepository.findByRedirect(
                "/ccm/navigation/members");
        assertThat(toMembers.size(), is(2));
-        assertThat(toMembers.get(0).getUrlKey(), is(equalTo("members")));
+        assertThat(toMembers.get(0).getUrlKey(), is(equalTo("/members/")));
        assertThat(toMembers.get(0).getRedirect(),
                   is(equalTo("/ccm/navigation/members")));
-        assertThat(toMembers.get(1).getUrlKey(), is(equalTo("mitglieder")));
+        assertThat(toMembers.get(1).getUrlKey(), is(equalTo("/mitglieder/")));
        assertThat(toMembers.get(1).getRedirect(),
                   is(equalTo("/ccm/navigation/members")));
        final List<Shortcut> toExampleCom = shortcutRepository.findByRedirect(
                "http://www.example.com");
        assertThat(toExampleCom.size(), is(1));
-        assertThat(toExampleCom.get(0).getUrlKey(), is(equalTo("shop")));
+        assertThat(toExampleCom.get(0).getUrlKey(), is(equalTo("/shop/")));
        assertThat(toExampleCom.get(0).getRedirect(),
                   is(equalTo("http://www.example.com")));
    }
--- a/ccm-shortcuts/src/test/resources/datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml
+++ b/ccm-shortcuts/src/test/resources/datasets/org/libreccm/shortcuts/ShortcutManagerTest/data.xml
@ -32,8 +32,8 @@
                               member_id="-110" />
    <ccm_core.permissions permission_id="-400"
-                           granted_privilege="manage_shortcuts"
+                          granted_privilege="manage_shortcuts"
-                           grantee_id="-200" />
+                          grantee_id="-200" />
    <ccm_shortcuts.shortcuts shortcut_id="-10"
                             url_key="/mitglieder/"
--- a/ccm-shortcuts/src/test/resources/datasets/org/libreccm/shortcuts/ShortcutRepositoryTest/data.xml
+++ b/ccm-shortcuts/src/test/resources/datasets/org/libreccm/shortcuts/ShortcutRepositoryTest/data.xml
@ -1,15 +1,15 @@
 <?xml version="1.0" encoding="utf-8"?>
 <dataset>
    <ccm_shortcuts.shortcuts shortcut_id="-10"
-                             url_key="mitglieder"
+                             url_key="/mitglieder/"
                             redirect="/ccm/navigation/members" />
    <ccm_shortcuts.shortcuts shortcut_id="-20"
-                             url_key="members"
+                             url_key="/members/"
                             redirect="/ccm/navigation/members" />
    <ccm_shortcuts.shortcuts shortcut_id="-30"
-                             url_key="privacy"
+                             url_key="/privacy/"
                             redirect="/ccm/navigation/privacy" />
    <ccm_shortcuts.shortcuts shortcut_id="-40"
-                             url_key="shop"
+                             url_key="/shop/"
                             redirect="http://www.example.com" />
 </dataset>