diff --git a/ccm-core/src/main/java/org/libreccm/security/ChallengeFailedException.java b/ccm-core/src/main/java/org/libreccm/security/ChallengeFailedException.java
new file mode 100644
index 000000000..1aea8dc9d
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/ChallengeFailedException.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2016 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+
+package org.libreccm.security;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+public class ChallengeFailedException extends Exception {
+
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Creates a new instance of <code>ChallengeFailedException</code> without detail message.
+     */
+    public ChallengeFailedException() {
+        super();
+    }
+
+
+    /**
+     * Constructs an instance of <code>ChallengeFailedException</code> with the specified detail message.
+     *
+     * @param msg The detail message.
+     */
+    public ChallengeFailedException(final String msg) {
+        super(msg);
+    }
+
+    /**
+      * Constructs an instance of <code>ChallengeFailedException</code> which wraps the 
+      * specified exception.
+      *
+      * @param exception The exception to wrap.
+      */
+    public ChallengeFailedException(final Exception exception) {
+        super(exception);
+    }
+
+    /**
+      * Constructs an instance of <code>ChallengeFailedException</code> with the specified message which also wraps the 
+      * specified exception.
+      *
+      * @param msg The detail message.
+      * @param exception The exception to wrap.
+      */
+    public ChallengeFailedException(final String msg, final Exception exception) {
+        super(msg, exception);
+    }
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/ChallengeManager.java b/ccm-core/src/main/java/org/libreccm/security/ChallengeManager.java
index ed5c121bc..d683647fc 100644
--- a/ccm-core/src/main/java/org/libreccm/security/ChallengeManager.java
+++ b/ccm-core/src/main/java/org/libreccm/security/ChallengeManager.java
@@ -18,7 +18,23 @@
  */
 package org.libreccm.security;
 
+import com.arsdigita.kernel.KernelConfig;
+
+import org.apache.commons.lang.text.StrSubstitutor;
+import org.libreccm.configuration.ConfigurationManager;
+import org.libreccm.configuration.LocalizedStringSetting;
+import org.libreccm.l10n.GlobalizationHelper;
+import org.libreccm.l10n.LocalizedString;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Objects;
+
 import javax.enterprise.context.RequestScoped;
+import javax.inject.Inject;
+import javax.servlet.ServletContext;
 
 /**
  *
@@ -27,44 +43,217 @@ import javax.enterprise.context.RequestScoped;
 @RequestScoped
 public class ChallengeManager {
 
+    @Inject
+    private GlobalizationHelper globalizationHelper;
+
+    @Inject
+    private ConfigurationManager configurationManager;
+
+    @Inject
+    private OneTimeAuthManager oneTimeAuthManager;
+
+    @Inject
+    private UserRepository userRepository;
+
+    @Inject
+    private UserManager userManager;
+
+    @Inject
+    private ServletContext servletContext;
+
     public String createEmailVerification(final User user) {
-        throw new UnsupportedOperationException();
+        if (user == null) {
+            throw new IllegalArgumentException(
+                "Can't create an email verification challenge for user null.");
+        }
+        return createMail(user, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
     }
-    
+
     public void sendEmailVerification(final User user) {
         throw new UnsupportedOperationException();
     }
 
     public void finishEmailVerification(final User user,
-                                        final String submittedToken) {
+                                        final String submittedToken)
+        throws ChallengeFailedException {
+
+        if (finishChallenge(user,
+                            submittedToken,
+                            OneTimeAuthTokenPurpose.EMAIL_VERIFICATION)) {
+
+            user.getPrimaryEmailAddress().setVerified(true);
+            userRepository.save(user);
+
+        } else {
+            //No matching token
+            throw new ChallengeFailedException(
+                "Submitted token does not match any active email verification "
+                    + "challenges.");
+        }
+    }
+
+    public String createAccountActivation(final User user) {
+        if (user == null) {
+            throw new IllegalArgumentException(
+                "Can't create an user activation challenge for user null.");
+        }
+        return createMail(user, OneTimeAuthTokenPurpose.ACCOUNT_ACTIVATION);
+    }
+
+    public void sendAccountActivation(final User user) {
         throw new UnsupportedOperationException();
     }
 
-    public String createEmailActivation(final User user) {
-        throw new UnsupportedOperationException();
-    }
-    
-    public void sendUserActivation(final User user) {
-        throw new UnsupportedOperationException();
+    public void finishAccountActivation(final User user,
+                                        final String submittedToken)
+        throws ChallengeFailedException {
+
+        if (finishChallenge(user,
+                            submittedToken,
+                            OneTimeAuthTokenPurpose.ACCOUNT_ACTIVATION)) {
+
+            user.setBanned(false);
+            userRepository.save(user);
+        } else {
+            //Not matching token
+            throw new ChallengeFailedException(
+                "Submitted token does not match any active account activation "
+                    + "challenges.");
+        }
     }
 
-    public void finishUserActivation(final User user,
-                                     final String submittedToken) {
-        throw new UnsupportedOperationException();
+    public String createPasswordRecover(final User user) {
+        if (user == null) {
+            throw new IllegalArgumentException(
+                "Can't create a password recover challenge for user null.");
+        }
+        return createMail(user, OneTimeAuthTokenPurpose.RECOVER_PASSWORD);
     }
-    
+
     public void sendPasswordRecover(final User user) {
-        throw new UnsupportedOperationException();
+
     }
-    
-    public void sendPasswordRevover(final User user) {
-        throw new UnsupportedOperationException();
-    }
-    
-    public void finishPasswordRecover(final User user, 
+
+    public void finishPasswordRecover(final User user,
                                       final String submittedToken,
-                                      final String newPassword) {
-        throw new UnsupportedOperationException();
+                                      final String newPassword)
+        throws ChallengeFailedException {
+
+        if (newPassword == null || newPassword.isEmpty()) {
+            throw new IllegalArgumentException("New password can't be empty");
+        }
+
+        if (finishChallenge(user,
+                            submittedToken,
+                            OneTimeAuthTokenPurpose.RECOVER_PASSWORD)) {
+            userManager.updatePassword(user, newPassword);
+        } else {
+            //Not matching token
+            throw new ChallengeFailedException(
+                "Submitted token does not match any active password recover "
+                    + "challenges.");
+        }
+    }
+
+    private String createMail(final User user,
+                              final OneTimeAuthTokenPurpose purpose) {
+        final OneTimeAuthToken token = oneTimeAuthManager.createForUser(
+            user, purpose);
+
+        final String template = retrieveEmailTemplate(purpose);
+        final Map<String, String> values = new HashMap<>();
+        values.put("expires_date", token.getValidUntil().toString());
+        final String path;
+        switch (purpose) {
+            case ACCOUNT_ACTIVATION:
+                path = "activate-account";
+                break;
+            case EMAIL_VERIFICATION:
+                path = "verify-email";
+                break;
+            case RECOVER_PASSWORD:
+                path = "recover-password";
+                break;
+            default:
+                throw new IllegalArgumentException(String.format(
+                    "Unsupported value \"%s\" for purpose.",
+                    purpose.toString()));
+        }
+        values.put("link",
+                   String.format("%s/%s/register/%s",
+                                 servletContext.getVirtualServerName(),
+                                 servletContext.getContextPath(),
+                                 path));
+
+        final StrSubstitutor substitutor = new StrSubstitutor(values);
+        return substitutor.replace(template);
+    }
+
+    private String retrieveEmailTemplate(
+        final OneTimeAuthTokenPurpose purpose) {
+
+        final Locale locale = globalizationHelper.getNegotiatedLocale();
+
+        final EmailTemplates emailTemplates = configurationManager
+            .findConfiguration(EmailTemplates.class);
+        final LocalizedStringSetting setting;
+        switch (purpose) {
+            case ACCOUNT_ACTIVATION:
+                setting = emailTemplates.getAccountActivationMail();
+                break;
+            case EMAIL_VERIFICATION:
+                setting = emailTemplates.getEmailVerificationMail();
+                break;
+            case RECOVER_PASSWORD:
+                setting = emailTemplates.getPasswordRecoverMail();
+                break;
+            default:
+                throw new IllegalArgumentException(String.format(
+                    "Unsupported value \"%s\" for purpose.",
+                    purpose.toString()));
+        }
+
+        final LocalizedString localizedString = setting.getValue();
+        if (localizedString.hasValue(locale)) {
+            return localizedString.getValue(locale);
+        } else {
+            final KernelConfig kernelConfig = configurationManager
+                .findConfiguration(KernelConfig.class);
+            final Locale defaultLocale = new Locale(kernelConfig
+                .getDefaultLanguage());
+            return localizedString.getValue(defaultLocale);
+        }
+    }
+
+    private boolean finishChallenge(final User user,
+                                    final String submittedToken,
+                                    final OneTimeAuthTokenPurpose purpose)
+        throws ChallengeFailedException {
+
+        if (user == null || submittedToken == null) {
+            throw new IllegalArgumentException(
+                "User and/or submitted token can't be null.");
+        }
+
+        final List<OneTimeAuthToken> tokens = oneTimeAuthManager
+            .retrieveForUser(user, purpose);
+        if (tokens == null || tokens.isEmpty()) {
+            throw new ChallengeFailedException(String.format(
+                "No active %s challenge for user \"%s\".",
+                purpose.toString(),
+                Objects.toString(user)));
+        }
+
+        for (OneTimeAuthToken token : tokens) {
+            if (oneTimeAuthManager.isValid(token)) {
+                oneTimeAuthManager.invalidate(token);
+                return true;
+            } else {
+                oneTimeAuthManager.invalidate(token);
+            }
+        }
+
+        return false;
     }
 
 }
diff --git a/ccm-core/src/main/java/org/libreccm/security/EmailTemplates.java b/ccm-core/src/main/java/org/libreccm/security/EmailTemplates.java
new file mode 100644
index 000000000..b0d62275a
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/EmailTemplates.java
@@ -0,0 +1,184 @@
+/*
+ * Copyright (C) 2016 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import org.libreccm.configuration.Configuration;
+import org.libreccm.configuration.LocalizedStringSetting;
+import org.libreccm.configuration.Setting;
+import org.libreccm.l10n.LocalizedString;
+
+import java.util.Locale;
+import java.util.Objects;
+
+/**
+ * Provides several templates for emails send by CCM.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Configuration
+public final class EmailTemplates {
+
+    @Setting
+    private LocalizedStringSetting emailVerificationMail;
+
+    @Setting
+    private LocalizedStringSetting passwordRecoverMail;
+
+    @Setting
+    private LocalizedStringSetting accountActivationMail;
+
+    public EmailTemplates() {
+        emailVerificationMail = new LocalizedStringSetting();
+        emailVerificationMail.setValue(new LocalizedString());
+        emailVerificationMail.getValue().addValue(
+            Locale.ENGLISH,
+            "Please follow the following link to finish the email verfication "
+                + "process:\n"
+                + "\n"
+                + "${link}"
+                + "\n\n"
+                + "Please be aware that your verification token expires"
+                + "at ${expires_date}.");
+        emailVerificationMail.getValue().addValue(
+            Locale.GERMAN,
+            "Bitte folgen Sie dem folgenden Link, um die Überprüfung ihrer E-"
+                + "Mail-Adresse abzuschließen:\n"
+                + "\n"
+                + "${link}"
+                + "\n\n"
+                + "Bitte beachten Sie, dass Sie den Prozess bis zu folgendem "
+                + "Zeitpunkt abschließen müssen: ${expires_date}");
+
+        passwordRecoverMail = new LocalizedStringSetting();
+        passwordRecoverMail.setValue(new LocalizedString());
+        passwordRecoverMail.getValue().addValue(
+            Locale.ENGLISH,
+            "Please follow the following link to complete the password recover "
+                + "process:\n"
+                + "\n"
+                + "${link}"
+                + "\n\n"
+                + "Please be aware that you must complete the process until "
+                + "${expires_date}");
+        passwordRecoverMail.getValue().addValue(
+            Locale.GERMAN,
+            "Bitte folgen Sie dem folgenden Link um ein neues Passwort "
+                + "einzugeben:\n"
+                + "\n"
+                + "${link}"
+                + "\n\n"
+                + "Bitte beachten Sie, dass den den Prozess bis zu folgenden "
+                + "Zeitpunkt abschließen müsssen: ${expires_date}");
+
+        accountActivationMail = new LocalizedStringSetting();
+        accountActivationMail.setValue(new LocalizedString());
+        accountActivationMail.getValue().addValue(
+            Locale.ENGLISH,
+            "Please follow the following link to enable your new account:\n"
+                + "\n"
+                + "${link}"
+                + "\n\n"
+                + "Please be aware that you must activate your account before "
+                + "${expires_date}.");
+        accountActivationMail.getValue().addValue(
+            Locale.GERMAN,
+            "Bitte folgen Sie den folgendem Link, um ihr Benutzerkonto zu "
+                + "aktivieren:\n"
+                + "\n"
+                + "${link}"
+                + "\n\n"
+                + "Bitte beachten Sie, dass Sie ihr Benutzerkonto spätestens"
+                + "bis zu folgendem Zeitpunkt aktivieren müssen: ${expires_date}");
+
+    }
+
+    public LocalizedStringSetting getEmailVerificationMail() {
+        return emailVerificationMail;
+    }
+
+    public void setEmailVerificationMail(
+        LocalizedStringSetting emailVerificationMail) {
+        this.emailVerificationMail = emailVerificationMail;
+    }
+
+    public LocalizedStringSetting getPasswordRecoverMail() {
+        return passwordRecoverMail;
+    }
+
+    public void setPasswordRecoverMail(
+        LocalizedStringSetting passwordRecoverMail) {
+        this.passwordRecoverMail = passwordRecoverMail;
+    }
+
+    public LocalizedStringSetting getAccountActivationMail() {
+        return accountActivationMail;
+    }
+
+    public void setAccountActivationMail(
+        LocalizedStringSetting accountActivationMail) {
+        this.accountActivationMail = accountActivationMail;
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = 5;
+        hash = 53 * hash + Objects.hashCode(emailVerificationMail);
+        hash = 53 * hash + Objects.hashCode(passwordRecoverMail);
+        hash = 53 * hash + Objects.hashCode(accountActivationMail);
+        return hash;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+        if (this == obj) {
+            return true;
+        }
+        if (obj == null) {
+            return false;
+        }
+        if (!(obj instanceof EmailTemplates)) {
+            return false;
+        }
+        final EmailTemplates other = (EmailTemplates) obj;
+        if (!Objects.equals(emailVerificationMail,
+                            other.getEmailVerificationMail())) {
+            return false;
+        }
+        if (!Objects.equals(passwordRecoverMail,
+                            other.getPasswordRecoverMail())) {
+            return false;
+        }
+        return Objects.equals(accountActivationMail,
+                              other.getAccountActivationMail());
+    }
+
+    @Override
+    public String toString() {
+        return String.format("%s{ "
+                                 + "emailVerificationMail = { %s }, "
+                                 + "passwordRecoverMail = { %s }, "
+                                 + "accountActivationMail = { %s }"
+                                 + " }",
+                             super.toString(),
+                             Objects.toString(emailVerificationMail),
+                             Objects.toString(passwordRecoverMail),
+                             Objects.toString(accountActivationMail));
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/OneTimeAuthManager.java b/ccm-core/src/main/java/org/libreccm/security/OneTimeAuthManager.java
index eb22ba951..3a9e797dc 100644
--- a/ccm-core/src/main/java/org/libreccm/security/OneTimeAuthManager.java
+++ b/ccm-core/src/main/java/org/libreccm/security/OneTimeAuthManager.java
@@ -51,28 +51,28 @@ public class OneTimeAuthManager {
      *
      * This method generates the token <em>and</em> saves it in the database.
      *
-     * @param user The user for which the one time auth token is generated.
+     * @param user    The user for which the one time auth token is generated.
      * @param purpose The purpose for which the token is generated.
      *
      * @return The one time auth token.
      */
     public OneTimeAuthToken createForUser(
-            final User user, final OneTimeAuthTokenPurpose purpose) {
+        final User user, final OneTimeAuthTokenPurpose purpose) {
         if (user == null || purpose == null) {
             throw new IllegalArgumentException(
-                    "user and purpose and mandatory for creating a one "
-                            + "time auth token.");
+                "user and purpose and mandatory for creating a one "
+                    + "time auth token.");
         }
 
         final OneTimeAuthConfig config = configurationManager.findConfiguration(
-                OneTimeAuthConfig.class);
+            OneTimeAuthConfig.class);
 
         final OneTimeAuthToken token = new OneTimeAuthToken();
         token.setUser(user);
         token.setPurpose(purpose);
 
         final String tokenStr = RandomStringUtils.randomAscii(config.
-                getTokenLength());
+            getTokenLength());
         token.setToken(tokenStr);
 
         final LocalDateTime now = LocalDateTime.now(ZoneOffset.UTC);
@@ -90,64 +90,67 @@ public class OneTimeAuthManager {
      * Retrieves the one time auth token for the provided user and purpose. This
      * method does <strong>not</strong> not check of the token is still valid!
      *
-     * @param user The user for which the token is retrieved.
+     * @param user    The user for which the token is retrieved.
      * @param purpose The purpose of the token to retrieve.
      *
      * @return The one time auth token for the provided user and purpose or
-     * {@code null} if there is no such token.
+     *         {@code null} if there is no such token.
      */
-    public Optional<OneTimeAuthToken> retrieveForUser(
-            final User user, final OneTimeAuthTokenPurpose purpose) {
+    public List<OneTimeAuthToken> retrieveForUser(
+        final User user, final OneTimeAuthTokenPurpose purpose) {
         if (user == null || purpose == null) {
             throw new IllegalArgumentException(
-                    "user and purpose and mandatory for retrieving a one "
-                            + "time auth token.");
+                "user and purpose and mandatory for retrieving a one "
+                    + "time auth token.");
         }
 
-        final TypedQuery query = entityManager.createNamedQuery(
-                "OneTimeAuthToken.findByUserAndPurpose", OneTimeAuthToken.class);
+        final TypedQuery<OneTimeAuthToken> query = entityManager
+            .createNamedQuery("OneTimeAuthToken.findByUserAndPurpose",
+                              OneTimeAuthToken.class);
         query.setParameter("user", user);
         query.setParameter("purpose", purpose);
 
-        final List<OneTimeAuthToken> queryResult = query.getResultList();
-        if (queryResult.isEmpty()) {
-            return Optional.empty();
-        } else {
-            return Optional.of(queryResult.get(0));
-        }
+        return query.getResultList();
     }
 
     /**
-     * Checks of there is a valid one time auth token for the provided user and
-     * purpose.
+     * Checks of there is a {@link OneTimeAuthToken} which has not been expired
+     * for the provided user and purpose.
      *
-     * @param user The user.
+     * @param user    The user.
      * @param purpose The purpose of the token.
      *
      * @return {@code true} if there is a valid token for the provided user and
-     * purpose, {@code false} if not.
+     *         purpose, {@code false} if not.
      */
     public boolean validTokenExistsForUser(
-            final User user, final OneTimeAuthTokenPurpose purpose) {
+        final User user, final OneTimeAuthTokenPurpose purpose) {
         if (user == null || purpose == null) {
             throw new IllegalArgumentException(
-                    "user and purpose and mandatory for validiting a one time "
-                            + "auth token.");
+                "user and purpose and mandatory for validiting a one time "
+                    + "auth token.");
         }
 
-        final Optional<OneTimeAuthToken> token = retrieveForUser(user, purpose);
-        if (token.isPresent()) {
-            return isValid(token.get());
-        } else {
+        final List<OneTimeAuthToken> tokens = retrieveForUser(user, purpose);
+        if (tokens == null || tokens.isEmpty()) {
             return false;
+        } else {
+            boolean result = false;
+            for(OneTimeAuthToken token : tokens) {
+                if (isValid(token)) {
+                    result = true;
+                    break;
+                }
+            }
+            return result;
         }
     }
 
     /**
-     * Validates a {@link OneTimeAuthToken}.
-     * 
-     * @param token The token to valid.
-     * 
+     * Checks of the provided @link OneTimeAuthToken} is not expired.
+     *
+     * @param token The token to validate.
+     *
      * @return {@code true} if the token is valid, {@code false} if not.
      */
     public boolean isValid(final OneTimeAuthToken token) {
@@ -156,22 +159,22 @@ public class OneTimeAuthManager {
         }
 
         final LocalDateTime validUntil = LocalDateTime.
-                ofInstant(token.getValidUntil().toInstant(),
-                          ZoneOffset.UTC);
+            ofInstant(token.getValidUntil().toInstant(),
+                      ZoneOffset.UTC);
         final LocalDateTime now = LocalDateTime.now(ZoneOffset.UTC);
         return validUntil.isAfter(now);
     }
 
     /**
      * Invalides (deletes) a {@link OneTimeAuthToken}.
-     * 
+     *
      * @param token The token to invalidate.
      */
     public void invalidate(final OneTimeAuthToken token) {
         if (token == null) {
             throw new IllegalArgumentException("Can't invalidate a token null");
         }
-        
+
         entityManager.remove(token);
     }
 
diff --git a/ccm-core/src/test/java/org/libreccm/security/DatasetsXmlTest.java b/ccm-core/src/test/java/org/libreccm/security/DatasetsXmlTest.java
index 8f97c96c2..7a2624e8d 100644
--- a/ccm-core/src/test/java/org/libreccm/security/DatasetsXmlTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/DatasetsXmlTest.java
@@ -41,6 +41,11 @@ public class DatasetsXmlTest extends DatasetsVerifier {
     @Parameterized.Parameters(name = "Dataset {0}")
     public static Collection<String> data() {
         return Arrays.asList(new String[]{
+            "/datasets/org/libreccm/security/ChallengeManagerTest/data.xml",
+            "/datasets/org/libreccm/security/ChallengeManagerTest/after-create-email-verification.xml",
+            "/datasets/org/libreccm/security/ChallengeManagerTest/after-create-account-activation.xml",
+            "/datasets/org/libreccm/security/ChallengeManagerTest/after-create-password-recovery.xml",
+            
             "/datasets/org/libreccm/security/OneTimeAuthManagerTest/data.xml",
             "/datasets/org/libreccm/security/OneTimeAuthManagerTest/after-create.xml",
             "/datasets/org/libreccm/security/OneTimeAuthManagerTest/after-invalidate.xml",});
diff --git a/ccm-core/src/test/java/org/libreccm/security/GroupManagerTest.java b/ccm-core/src/test/java/org/libreccm/security/GroupManagerTest.java
index db1161291..8328df651 100644
--- a/ccm-core/src/test/java/org/libreccm/security/GroupManagerTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/GroupManagerTest.java
@@ -18,18 +18,11 @@
  */
 package org.libreccm.security;
 
-import com.arsdigita.kernel.security.SecurityConfig;
-import com.arsdigita.util.UncheckedWrapperException;
-import com.arsdigita.util.parameter.AbstractParameterContext;
-import com.arsdigita.web.CCMApplicationContextListener;
-import com.arsdigita.xml.XML;
-import com.arsdigita.xml.formatters.DateTimeFormatter;
 
 import java.io.File;
 
 import javax.inject.Inject;
 
-import nl.jqno.equalsverifier.EqualsVerifier;
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.arquillian.container.test.api.ShouldThrowException;
 import org.jboss.arquillian.junit.Arquillian;
@@ -52,14 +45,7 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
-import org.libreccm.categorization.Categorization;
-import org.libreccm.core.CcmObject;
-import org.libreccm.jpa.EntityManagerProducer;
-import org.libreccm.jpa.utils.MimeTypeConverter;
-import org.libreccm.l10n.LocalizedString;
 import org.libreccm.tests.categories.IntegrationTest;
-import org.libreccm.web.CcmApplication;
-import org.libreccm.workflow.Workflow;
 
 import static org.hamcrest.Matchers.*;
 import static org.junit.Assert.*;
@@ -122,6 +108,8 @@ public class GroupManagerTest {
                     "LibreCCM-org.libreccm.security.GroupManagerTest.war")
             .addPackage(org.libreccm.categorization.Categorization.class
                 .getPackage())
+            .addPackage(org.libreccm.configuration.ConfigurationManager.class
+                .getPackage())
             .addPackage(org.libreccm.core.CcmObject.class.getPackage())
             .addPackage(org.libreccm.jpa.EntityManagerProducer.class
                 .getPackage())
diff --git a/ccm-core/src/test/java/org/libreccm/security/GroupRepositoryTest.java b/ccm-core/src/test/java/org/libreccm/security/GroupRepositoryTest.java
index 50903e59d..b0fda54da 100644
--- a/ccm-core/src/test/java/org/libreccm/security/GroupRepositoryTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/GroupRepositoryTest.java
@@ -52,15 +52,7 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
-import org.libreccm.categorization.Categorization;
-import org.libreccm.core.CcmObject;
-import org.libreccm.jpa.EntityManagerProducer;
-import org.libreccm.jpa.utils.MimeTypeConverter;
-import org.libreccm.l10n.LocalizedString;
 import org.libreccm.tests.categories.IntegrationTest;
-import org.libreccm.testutils.EqualsVerifier;
-import org.libreccm.web.CcmApplication;
-import org.libreccm.workflow.Workflow;
 
 /**
  *
@@ -121,16 +113,22 @@ public class GroupRepositoryTest {
         return ShrinkWrap
             .create(WebArchive.class,
                     "LibreCCM-org.libreccm.security.UserRepositoryTest.war")
-            .addPackage(User.class.getPackage())
-            .addPackage(CcmObject.class.getPackage())
-            .addPackage(Categorization.class.getPackage())
-            .addPackage(LocalizedString.class.getPackage())
-            .addPackage(CcmApplication.class.getPackage())
-            .addPackage(Workflow.class.getPackage())
-            .addPackage(EntityManagerProducer.class.getPackage())
-            .addPackage(MimeTypeConverter.class.getPackage())
-            .addPackage(EqualsVerifier.class.getPackage())
-            .addPackage(IntegrationTest.class.getPackage())
+            .addPackage(org.libreccm.security.User.class.getPackage())
+            .addPackage(org.libreccm.core.CcmObject.class.getPackage())
+            .addPackage(org.libreccm.categorization.Categorization.class
+                .getPackage())
+            .addPackage(org.libreccm.configuration.ConfigurationManager.class
+                .getPackage())
+            .addPackage(org.libreccm.l10n.LocalizedString.class.getPackage())
+            .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
+            .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
+            .addPackage(org.libreccm.jpa.EntityManagerProducer.class
+                .getPackage())
+            .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class
+                .getPackage())
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class.getPackage())
+            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
+                .getPackage())
             .addAsLibraries(libs)
             .addAsResource("test-persistence.xml",
                            "META-INF/persistence.xml")
diff --git a/ccm-core/src/test/java/org/libreccm/security/OneTimeAuthManagerTest.java b/ccm-core/src/test/java/org/libreccm/security/OneTimeAuthManagerTest.java
index cc3622d0f..3dc8a2c2d 100644
--- a/ccm-core/src/test/java/org/libreccm/security/OneTimeAuthManagerTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/OneTimeAuthManagerTest.java
@@ -24,8 +24,10 @@ import java.time.ZoneOffset;
 import java.time.temporal.ChronoUnit;
 import java.util.Date;
 import java.util.Optional;
+
 import javax.inject.Inject;
 import javax.persistence.EntityManager;
+
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.arquillian.container.test.api.ShouldThrowException;
 import org.jboss.arquillian.junit.Arquillian;
@@ -48,15 +50,9 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
-import org.libreccm.categorization.Categorization;
-import org.libreccm.core.CcmObject;
-import org.libreccm.jpa.EntityManagerProducer;
-import org.libreccm.jpa.utils.MimeTypeConverter;
-import org.libreccm.l10n.LocalizedString;
 import org.libreccm.tests.categories.IntegrationTest;
-import org.libreccm.testutils.EqualsVerifier;
-import org.libreccm.web.CcmApplication;
-import org.libreccm.workflow.Workflow;
+
+import java.util.List;
 
 import static org.hamcrest.Matchers.*;
 import static org.junit.Assert.*;
@@ -78,9 +74,6 @@ public class OneTimeAuthManagerTest {
     @Inject
     private UserRepository userRepository;
 
-    @Inject
-    private EntityManager entityManager;
-
     public OneTimeAuthManagerTest() {
 
     }
@@ -206,13 +199,14 @@ public class OneTimeAuthManagerTest {
     public void retrieveTokenForUser() {
         final User jdoe = userRepository.findByName("jdoe");
 
-        final Optional<OneTimeAuthToken> result = oneTimeAuthManager.
+        final List<OneTimeAuthToken> result = oneTimeAuthManager.
             retrieveForUser(
                 jdoe, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
 
-        assertThat(result.isPresent(), is(true));
+        assertThat(result, is(not(nullValue())));
+        assertThat(result, is(not(empty())));
 
-        final OneTimeAuthToken token = result.get();
+        final OneTimeAuthToken token = result.get(0);
         assertThat(token.getUser(), is(not(nullValue())));
         assertThat(token.getUser().getName(), is(equalTo("jdoe")));
         assertThat(token.getToken(), is(equalTo(
@@ -226,11 +220,11 @@ public class OneTimeAuthManagerTest {
     public void retrieveNotExistingTokenForUser() {
         final User mmuster = userRepository.findByName("mmuster");
 
-        final Optional<OneTimeAuthToken> result = oneTimeAuthManager.
+        final List<OneTimeAuthToken> result = oneTimeAuthManager.
             retrieveForUser(
                 mmuster, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
 
-        assertThat(result.isPresent(), is(false));
+        assertThat(result, is(empty()));
     }
 
     @Test(expected = IllegalArgumentException.class)
@@ -308,12 +302,12 @@ public class OneTimeAuthManagerTest {
     public void isValid() {
         final User jdoe = userRepository.findByName("jdoe");
 
-        final Optional<OneTimeAuthToken> result = oneTimeAuthManager.
+        final List<OneTimeAuthToken> result = oneTimeAuthManager.
             retrieveForUser(
                 jdoe, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
 
-        assertThat(result.isPresent(), is(true));
-        assertThat(oneTimeAuthManager.isValid(result.get()), is(true));
+        assertThat(result, is(not(empty())));
+        assertThat(oneTimeAuthManager.isValid(result.get(0)), is(true));
     }
 
     @Test
@@ -323,12 +317,12 @@ public class OneTimeAuthManagerTest {
     public void isInvalid() {
         final User jdoe = userRepository.findByName("jdoe");
 
-        final Optional<OneTimeAuthToken> result = oneTimeAuthManager.
+        final List<OneTimeAuthToken> result = oneTimeAuthManager.
             retrieveForUser(
                 jdoe, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
 
-        assertThat(result.isPresent(), is(true));
-        final OneTimeAuthToken token = result.get();
+        assertThat(result, is(not(empty())));
+        final OneTimeAuthToken token = result.get(0);
 
         final LocalDateTime date = LocalDateTime
             .now(ZoneOffset.UTC).minus(1800, ChronoUnit.SECONDS);
@@ -357,12 +351,12 @@ public class OneTimeAuthManagerTest {
     public void invalidateToken() {
         final User jdoe = userRepository.findByName("jdoe");
 
-        final Optional<OneTimeAuthToken> result = oneTimeAuthManager.
+        final List<OneTimeAuthToken> result = oneTimeAuthManager.
             retrieveForUser(
                 jdoe, OneTimeAuthTokenPurpose.EMAIL_VERIFICATION);
 
-        assertThat(result.isPresent(), is(true));
-        oneTimeAuthManager.invalidate(result.get());
+        assertThat(result, is(not(empty())));
+        oneTimeAuthManager.invalidate(result.get(0));
     }
 
     @Test(expected = IllegalArgumentException.class)
diff --git a/ccm-core/src/test/java/org/libreccm/security/PartyRepositoryTest.java b/ccm-core/src/test/java/org/libreccm/security/PartyRepositoryTest.java
index 2f6ec4dea..f03d7cdd2 100644
--- a/ccm-core/src/test/java/org/libreccm/security/PartyRepositoryTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/PartyRepositoryTest.java
@@ -42,16 +42,8 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
-import org.libreccm.categorization.Categorization;
-import org.libreccm.core.CcmObject;
 import org.libreccm.core.EmailAddress;
-import org.libreccm.jpa.EntityManagerProducer;
-import org.libreccm.jpa.utils.MimeTypeConverter;
-import org.libreccm.l10n.LocalizedString;
 import org.libreccm.tests.categories.IntegrationTest;
-import org.libreccm.testutils.EqualsVerifier;
-import org.libreccm.web.CcmApplication;
-import org.libreccm.workflow.Workflow;
 
 import java.io.File;
 import java.util.List;
@@ -120,16 +112,22 @@ public class PartyRepositoryTest {
         return ShrinkWrap
             .create(WebArchive.class,
                     "LibreCCM-org.libreccm.security.UserRepositoryTest.war")
-            .addPackage(User.class.getPackage())
-            .addPackage(CcmObject.class.getPackage())
-            .addPackage(Categorization.class.getPackage())
-            .addPackage(LocalizedString.class.getPackage())
-            .addPackage(CcmApplication.class.getPackage())
-            .addPackage(Workflow.class.getPackage())
-            .addPackage(EntityManagerProducer.class.getPackage())
-            .addPackage(MimeTypeConverter.class.getPackage())
-            .addPackage(EqualsVerifier.class.getPackage())
-            .addPackage(IntegrationTest.class.getPackage())
+            .addPackage(org.libreccm.security.User.class.getPackage())
+            .addPackage(org.libreccm.core.CcmObject.class.getPackage())
+            .addPackage(org.libreccm.categorization.Categorization.class
+                .getPackage())
+            .addPackage(org.libreccm.configuration.ConfigurationManager.class
+                .getPackage())
+            .addPackage(org.libreccm.l10n.LocalizedString.class.getPackage())
+            .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
+            .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
+            .addPackage(org.libreccm.jpa.EntityManagerProducer.class
+                .getPackage())
+            .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class
+                .getPackage())
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class.getPackage())
+            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
+                .getPackage())
             .addAsLibraries(libs)
             .addAsResource("test-persistence.xml",
                            "META-INF/persistence.xml")
diff --git a/ccm-core/src/test/java/org/libreccm/security/RoleRepositoryTest.java b/ccm-core/src/test/java/org/libreccm/security/RoleRepositoryTest.java
index bb6a8ce99..3d6b52367 100644
--- a/ccm-core/src/test/java/org/libreccm/security/RoleRepositoryTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/RoleRepositoryTest.java
@@ -40,15 +40,7 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
-import org.libreccm.categorization.Categorization;
-import org.libreccm.core.CcmObject;
-import org.libreccm.jpa.EntityManagerProducer;
-import org.libreccm.jpa.utils.MimeTypeConverter;
-import org.libreccm.l10n.LocalizedString;
 import org.libreccm.tests.categories.IntegrationTest;
-import org.libreccm.testutils.EqualsVerifier;
-import org.libreccm.web.CcmApplication;
-import org.libreccm.workflow.Workflow;
 
 import java.io.File;
 import java.util.List;
@@ -117,16 +109,22 @@ public class RoleRepositoryTest {
         return ShrinkWrap
             .create(WebArchive.class,
                     "LibreCCM-org.libreccm.security.RoleRepositoryTest.war")
-            .addPackage(User.class.getPackage())
-            .addPackage(CcmObject.class.getPackage())
-            .addPackage(Categorization.class.getPackage())
-            .addPackage(LocalizedString.class.getPackage())
-            .addPackage(CcmApplication.class.getPackage())
-            .addPackage(Workflow.class.getPackage())
-            .addPackage(EntityManagerProducer.class.getPackage())
-            .addPackage(MimeTypeConverter.class.getPackage())
-            .addPackage(EqualsVerifier.class.getPackage())
-            .addPackage(IntegrationTest.class.getPackage())
+            .addPackage(org.libreccm.security.User.class.getPackage())
+            .addPackage(org.libreccm.core.CcmObject.class.getPackage())
+            .addPackage(org.libreccm.categorization.Categorization.class
+                .getPackage())
+            .addPackage(org.libreccm.configuration.ConfigurationManager.class
+                .getPackage())
+            .addPackage(org.libreccm.l10n.LocalizedString.class.getPackage())
+            .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
+            .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
+            .addPackage(org.libreccm.jpa.EntityManagerProducer.class
+                .getPackage())
+            .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class
+                .getPackage())
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class.getPackage())
+            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
+                .getPackage())
             .addAsLibraries(libs)
             .addAsResource("test-persistence.xml",
                            "META-INF/persistence.xml")
diff --git a/ccm-core/src/test/java/org/libreccm/security/SecuredCollectionTest.java b/ccm-core/src/test/java/org/libreccm/security/SecuredCollectionTest.java
index 36c6a14c6..6cdcda8e1 100644
--- a/ccm-core/src/test/java/org/libreccm/security/SecuredCollectionTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/SecuredCollectionTest.java
@@ -18,12 +18,6 @@
  */
 package org.libreccm.security;
 
-import com.arsdigita.kernel.security.SecurityConfig;
-import com.arsdigita.util.UncheckedWrapperException;
-import com.arsdigita.util.parameter.AbstractParameterContext;
-import com.arsdigita.web.CCMApplicationContextListener;
-import com.arsdigita.xml.XML;
-import com.arsdigita.xml.formatters.DateTimeFormatter;
 
 import java.io.File;
 import java.util.ArrayList;
@@ -54,19 +48,10 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
-import org.libreccm.categorization.Categorization;
-import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.core.CcmObject;
 import org.libreccm.core.CcmObjectRepository;
-import org.libreccm.jpa.EntityManagerProducer;
-import org.libreccm.jpa.utils.MimeTypeConverter;
-import org.libreccm.l10n.LocalizedString;
 import org.libreccm.tests.categories.IntegrationTest;
 
-import org.libreccm.testutils.EqualsVerifier;
-import org.libreccm.web.CcmApplication;
-import org.libreccm.workflow.Workflow;
-
 import static org.hamcrest.Matchers.*;
 import static org.junit.Assert.*;
 
diff --git a/ccm-core/src/test/java/org/libreccm/security/UserManagerTest.java b/ccm-core/src/test/java/org/libreccm/security/UserManagerTest.java
index c318eb0ee..832c0a5c7 100644
--- a/ccm-core/src/test/java/org/libreccm/security/UserManagerTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/UserManagerTest.java
@@ -18,18 +18,11 @@
  */
 package org.libreccm.security;
 
-import com.arsdigita.kernel.security.SecurityConfig;
-import com.arsdigita.util.UncheckedWrapperException;
-import com.arsdigita.util.parameter.AbstractParameterContext;
-import com.arsdigita.web.CCMApplicationContextListener;
-import com.arsdigita.xml.XML;
-import com.arsdigita.xml.formatters.DateTimeFormatter;
 
 import java.io.File;
 
 import javax.inject.Inject;
 
-import nl.jqno.equalsverifier.EqualsVerifier;
 import org.hibernate.exception.ConstraintViolationException;
 
 import static org.hamcrest.Matchers.*;
@@ -57,14 +50,7 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
-import org.libreccm.categorization.Categorization;
-import org.libreccm.core.CcmObject;
-import org.libreccm.jpa.EntityManagerProducer;
-import org.libreccm.jpa.utils.MimeTypeConverter;
-import org.libreccm.l10n.LocalizedString;
 import org.libreccm.tests.categories.IntegrationTest;
-import org.libreccm.web.CcmApplication;
-import org.libreccm.workflow.Workflow;
 
 import static org.junit.Assert.*;
 
diff --git a/ccm-core/src/test/java/org/libreccm/security/UserRepositoryTest.java b/ccm-core/src/test/java/org/libreccm/security/UserRepositoryTest.java
index c1ba3117d..c6f4bd6a2 100644
--- a/ccm-core/src/test/java/org/libreccm/security/UserRepositoryTest.java
+++ b/ccm-core/src/test/java/org/libreccm/security/UserRepositoryTest.java
@@ -46,16 +46,8 @@ import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
-import org.libreccm.categorization.Categorization;
-import org.libreccm.core.CcmObject;
 import org.libreccm.core.EmailAddress;
-import org.libreccm.jpa.EntityManagerProducer;
-import org.libreccm.jpa.utils.MimeTypeConverter;
-import org.libreccm.l10n.LocalizedString;
 import org.libreccm.tests.categories.IntegrationTest;
-import org.libreccm.testutils.EqualsVerifier;
-import org.libreccm.web.CcmApplication;
-import org.libreccm.workflow.Workflow;
 
 import java.io.File;
 import java.util.List;
@@ -122,16 +114,22 @@ public class UserRepositoryTest {
         return ShrinkWrap
             .create(WebArchive.class,
                     "LibreCCM-org.libreccm.security.UserRepositoryTest.war")
-            .addPackage(User.class.getPackage())
-            .addPackage(CcmObject.class.getPackage())
-            .addPackage(Categorization.class.getPackage())
-            .addPackage(LocalizedString.class.getPackage())
-            .addPackage(CcmApplication.class.getPackage())
-            .addPackage(Workflow.class.getPackage())
-            .addPackage(EntityManagerProducer.class.getPackage())
-            .addPackage(MimeTypeConverter.class.getPackage())
-            .addPackage(EqualsVerifier.class.getPackage())
-            .addPackage(IntegrationTest.class.getPackage())
+            .addPackage(org.libreccm.security.User.class.getPackage())
+            .addPackage(org.libreccm.core.CcmObject.class.getPackage())
+            .addPackage(org.libreccm.categorization.Categorization.class
+                .getPackage())
+            .addPackage(org.libreccm.configuration.Configuration.class
+                .getPackage())
+            .addPackage(org.libreccm.l10n.LocalizedString.class.getPackage())
+            .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
+            .addPackage(org.libreccm.workflow.Workflow.class.getPackage())
+            .addPackage(org.libreccm.jpa.EntityManagerProducer.class
+                .getPackage())
+            .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class
+                .getPackage())
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class.getPackage())
+            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
+                .getPackage())
             .addAsLibraries(libs)
             .addAsResource("test-persistence.xml",
                            "META-INF/persistence.xml")
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-create-account-activation.xml b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-create-account-activation.xml
new file mode 100644
index 000000000..5bfeb11d1
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-create-account-activation.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dataset>
+    
+    <ccm_core.ccm_objects object_id="-1000"
+                          display_name="registry"
+                          uuid="f815d6f8-f915-4399-b16c-2e2dd76f4128"/>
+    <ccm_core.ccm_objects object_id="-2000"
+                          display_name="registry_root"
+                          uuid="1e5b1732-0a15-49b8-b4a6-8aae1a003147"/>
+    
+    <ccm_core.categories object_id="-2000"
+                         unique_id="bb93a964-bf66-424c-a22d-074d001db3b8"
+                         name="registry-root"
+                         enabled="true"
+                         visible="true"
+                         abstract_category="false"
+                         category_order="0"/>
+    
+    <ccm_core.category_domains object_id="-1000"
+                               domain_key="registry"
+                               root_category_id="-2000"
+                               version="1.0"/>
+    
+    <ccm_core.parties party_id="-10"
+                      name="jdoe"/>
+    <ccm_core.parties party_id="-20"
+                      name="mmuster"/>
+    
+    <ccm_core.users party_id="-10"
+                    family_name="Doe"
+                    given_name="John"
+                    email_address="john.doe@example.com"
+                    password="$shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="true"/>
+    <ccm_core.users party_id="-20"
+                    family_name="Mustermann"
+                    given_name="Max"
+                    email_address="max.muster@example.org"
+                    password="$shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="true"/>
+
+    <ccm_core.one_time_auth_tokens 
+        token_id="-100"
+        user_id="-20"
+        token="biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi"
+        valid_until="2032-04-01 12:00:00"
+        purpose="ACCOUNT_ACTIVATION"/>
+    
+</dataset>
+
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-create-email-verification.xml b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-create-email-verification.xml
new file mode 100644
index 000000000..5b8725013
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-create-email-verification.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dataset>
+    
+    <ccm_core.ccm_objects object_id="-1000"
+                          display_name="registry"
+                          uuid="f815d6f8-f915-4399-b16c-2e2dd76f4128"/>
+    <ccm_core.ccm_objects object_id="-2000"
+                          display_name="registry_root"
+                          uuid="1e5b1732-0a15-49b8-b4a6-8aae1a003147"/>
+    
+    <ccm_core.categories object_id="-2000"
+                         unique_id="bb93a964-bf66-424c-a22d-074d001db3b8"
+                         name="registry-root"
+                         enabled="true"
+                         visible="true"
+                         abstract_category="false"
+                         category_order="0"/>
+    
+    <ccm_core.category_domains object_id="-1000"
+                               domain_key="registry"
+                               root_category_id="-2000"
+                               version="1.0"/>
+    
+    <ccm_core.parties party_id="-10"
+                      name="jdoe"/>
+    <ccm_core.parties party_id="-20"
+                      name="mmuster"/>
+    
+    <ccm_core.users party_id="-10"
+                    family_name="Doe"
+                    given_name="John"
+                    email_address="john.doe@example.com"
+                    password="$shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="true"/>
+    <ccm_core.users party_id="-20"
+                    family_name="Mustermann"
+                    given_name="Max"
+                    email_address="max.muster@example.org"
+                    password="$shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="true"/>
+
+    <ccm_core.one_time_auth_tokens 
+        token_id="-100"
+        user_id="-20"
+        token="biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi"
+        valid_until="2032-04-01 12:00:00"
+        purpose="EMAIL_VERIFICATION"/>
+    
+</dataset>
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-create-password-recover.xml b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-create-password-recover.xml
new file mode 100644
index 000000000..2ba18e807
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-create-password-recover.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dataset>
+    
+    <ccm_core.ccm_objects object_id="-1000"
+                          display_name="registry"
+                          uuid="f815d6f8-f915-4399-b16c-2e2dd76f4128"/>
+    <ccm_core.ccm_objects object_id="-2000"
+                          display_name="registry_root"
+                          uuid="1e5b1732-0a15-49b8-b4a6-8aae1a003147"/>
+    
+    <ccm_core.categories object_id="-2000"
+                         unique_id="bb93a964-bf66-424c-a22d-074d001db3b8"
+                         name="registry-root"
+                         enabled="true"
+                         visible="true"
+                         abstract_category="false"
+                         category_order="0"/>
+    
+    <ccm_core.category_domains object_id="-1000"
+                               domain_key="registry"
+                               root_category_id="-2000"
+                               version="1.0"/>
+    
+    <ccm_core.parties party_id="-10"
+                      name="jdoe"/>
+    <ccm_core.parties party_id="-20"
+                      name="mmuster"/>
+    
+    <ccm_core.users party_id="-10"
+                    family_name="Doe"
+                    given_name="John"
+                    email_address="john.doe@example.com"
+                    password="$shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="true"/>
+    <ccm_core.users party_id="-20"
+                    family_name="Mustermann"
+                    given_name="Max"
+                    email_address="max.muster@example.org"
+                    password="$shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="true"/>
+
+    <ccm_core.one_time_auth_tokens 
+        token_id="-100"
+        user_id="-20"
+        token="biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi"
+        valid_until="2032-04-01 12:00:00"
+        purpose="RECOVER_PASSWORD"/>
+    
+</dataset>
+
+
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-finish-account-activation.xml b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-finish-account-activation.xml
new file mode 100644
index 000000000..2883d5d13
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-finish-account-activation.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dataset>
+    
+    <ccm_core.ccm_objects object_id="-1000"
+                          display_name="registry"
+                          uuid="f815d6f8-f915-4399-b16c-2e2dd76f4128"/>
+    <ccm_core.ccm_objects object_id="-2000"
+                          display_name="registry_root"
+                          uuid="1e5b1732-0a15-49b8-b4a6-8aae1a003147"/>
+    
+    <ccm_core.categories object_id="-2000"
+                         unique_id="bb93a964-bf66-424c-a22d-074d001db3b8"
+                         name="registry-root"
+                         enabled="true"
+                         visible="true"
+                         abstract_category="false"
+                         category_order="0"/>
+    
+    <ccm_core.category_domains object_id="-1000"
+                               domain_key="registry"
+                               root_category_id="-2000"
+                               version="1.0"/>
+    
+    <ccm_core.parties party_id="-10"
+                      name="jdoe"/>
+    <ccm_core.parties party_id="-20"
+                      name="mmuster"/>
+    
+    <ccm_core.users party_id="-10"
+                    family_name="Doe"
+                    given_name="John"
+                    email_address="john.doe@example.com"
+                    password="$shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="false"/>
+    <ccm_core.users party_id="-20"
+                    family_name="Mustermann"
+                    given_name="Max"
+                    email_address="max.muster@example.org"
+                    password="$shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="false"/>
+
+</dataset>
+
+
+
+
+
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-finish-email-verification.xml b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-finish-email-verification.xml
new file mode 100644
index 000000000..ebf9bc0d5
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-finish-email-verification.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dataset>
+    
+    <ccm_core.ccm_objects object_id="-1000"
+                          display_name="registry"
+                          uuid="f815d6f8-f915-4399-b16c-2e2dd76f4128"/>
+    <ccm_core.ccm_objects object_id="-2000"
+                          display_name="registry_root"
+                          uuid="1e5b1732-0a15-49b8-b4a6-8aae1a003147"/>
+    
+    <ccm_core.categories object_id="-2000"
+                         unique_id="bb93a964-bf66-424c-a22d-074d001db3b8"
+                         name="registry-root"
+                         enabled="true"
+                         visible="true"
+                         abstract_category="false"
+                         category_order="0"/>
+    
+    <ccm_core.category_domains object_id="-1000"
+                               domain_key="registry"
+                               root_category_id="-2000"
+                               version="1.0"/>
+    
+    <ccm_core.parties party_id="-10"
+                      name="jdoe"/>
+    <ccm_core.parties party_id="-20"
+                      name="mmuster"/>
+    
+    <ccm_core.users party_id="-10"
+                    family_name="Doe"
+                    given_name="John"
+                    email_address="john.doe@example.com"
+                    password="$shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="false"/>
+    <ccm_core.users party_id="-20"
+                    family_name="Mustermann"
+                    given_name="Max"
+                    email_address="max.muster@example.org"
+                    password="$shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="true"/>
+
+</dataset>
+
+
+
+
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-finish-password-recover.xml b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-finish-password-recover.xml
new file mode 100644
index 000000000..0635fe54c
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/after-finish-password-recover.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dataset>
+    
+    <ccm_core.ccm_objects object_id="-1000"
+                          display_name="registry"
+                          uuid="f815d6f8-f915-4399-b16c-2e2dd76f4128"/>
+    <ccm_core.ccm_objects object_id="-2000"
+                          display_name="registry_root"
+                          uuid="1e5b1732-0a15-49b8-b4a6-8aae1a003147"/>
+    
+    <ccm_core.categories object_id="-2000"
+                         unique_id="bb93a964-bf66-424c-a22d-074d001db3b8"
+                         name="registry-root"
+                         enabled="true"
+                         visible="true"
+                         abstract_category="false"
+                         category_order="0"/>
+    
+    <ccm_core.category_domains object_id="-1000"
+                               domain_key="registry"
+                               root_category_id="-2000"
+                               version="1.0"/>
+    
+    <ccm_core.parties party_id="-10"
+                      name="jdoe"/>
+    <ccm_core.parties party_id="-20"
+                      name="mmuster"/>
+    
+    <ccm_core.users party_id="-10"
+                    family_name="Doe"
+                    given_name="John"
+                    email_address="john.doe@example.com"
+                    password="$shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="false"/>
+    <ccm_core.users party_id="-20"
+                    family_name="Mustermann"
+                    given_name="Max"
+                    email_address="max.muster@example.org"
+                    password="$shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q=="
+                    bouncing="false"
+                    banned="true"
+                    password_reset_required="false"
+                    verified="false"/>
+</dataset>
+
+
+
+
+
+
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/data.xml b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/data.xml
new file mode 100644
index 000000000..9b731407a
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/data.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dataset>
+    
+    <ccm_core.ccm_objects object_id="-1000"
+                          display_name="registry"
+                          uuid="f815d6f8-f915-4399-b16c-2e2dd76f4128"/>
+    <ccm_core.ccm_objects object_id="-2000"
+                          display_name="registry_root"
+                          uuid="1e5b1732-0a15-49b8-b4a6-8aae1a003147"/>
+    
+    <ccm_core.categories object_id="-2000"
+                         unique_id="bb93a964-bf66-424c-a22d-074d001db3b8"
+                         name="registry-root"
+                         enabled="true"
+                         visible="true"
+                         abstract_category="false"
+                         category_order="0"/>
+    
+    <ccm_core.category_domains object_id="-1000"
+                               domain_key="registry"
+                               root_category_id="-2000"
+                               version="1.0"/>
+    
+    <ccm_core.parties party_id="-10"
+                      name="jdoe"/>
+    <ccm_core.parties party_id="-20"
+                      name="mmuster"/>
+    
+    <ccm_core.users party_id="-10"
+                    family_name="Doe"
+                    given_name="John"
+                    email_address="john.doe@example.com"
+                    password="$shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="true"/>
+    <ccm_core.users party_id="-20"
+                    family_name="Mustermann"
+                    given_name="Max"
+                    email_address="max.muster@example.org"
+                    password="$shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="true"/>
+    
+</dataset>
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/finish-account-activation.xml b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/finish-account-activation.xml
new file mode 100644
index 000000000..438f18037
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/finish-account-activation.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dataset>
+    
+    <ccm_core.ccm_objects object_id="-1000"
+                          display_name="registry"
+                          uuid="f815d6f8-f915-4399-b16c-2e2dd76f4128"/>
+    <ccm_core.ccm_objects object_id="-2000"
+                          display_name="registry_root"
+                          uuid="1e5b1732-0a15-49b8-b4a6-8aae1a003147"/>
+    
+    <ccm_core.categories object_id="-2000"
+                         unique_id="bb93a964-bf66-424c-a22d-074d001db3b8"
+                         name="registry-root"
+                         enabled="true"
+                         visible="true"
+                         abstract_category="false"
+                         category_order="0"/>
+    
+    <ccm_core.category_domains object_id="-1000"
+                               domain_key="registry"
+                               root_category_id="-2000"
+                               version="1.0"/>
+    
+    <ccm_core.parties party_id="-10"
+                      name="jdoe"/>
+    <ccm_core.parties party_id="-20"
+                      name="mmuster"/>
+    
+    <ccm_core.users party_id="-10"
+                    family_name="Doe"
+                    given_name="John"
+                    email_address="john.doe@example.com"
+                    password="$shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="false"/>
+    <ccm_core.users party_id="-20"
+                    family_name="Mustermann"
+                    given_name="Max"
+                    email_address="max.muster@example.org"
+                    password="$shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q=="
+                    bouncing="false"
+                    banned="true"
+                    password_reset_required="false"
+                    verified="false"/>
+
+    <ccm_core.one_time_auth_tokens 
+        token_id="-100"
+        user_id="-20"
+        token="biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi"
+        valid_until="2032-04-01 12:00:00"
+        purpose="ACCOUNT_ACTIVATION"/>
+    
+</dataset>
+
+
+
+
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/finish-email-verification.xml b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/finish-email-verification.xml
new file mode 100644
index 000000000..b4fd5f738
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/finish-email-verification.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dataset>
+    
+    <ccm_core.ccm_objects object_id="-1000"
+                          display_name="registry"
+                          uuid="f815d6f8-f915-4399-b16c-2e2dd76f4128"/>
+    <ccm_core.ccm_objects object_id="-2000"
+                          display_name="registry_root"
+                          uuid="1e5b1732-0a15-49b8-b4a6-8aae1a003147"/>
+    
+    <ccm_core.categories object_id="-2000"
+                         unique_id="bb93a964-bf66-424c-a22d-074d001db3b8"
+                         name="registry-root"
+                         enabled="true"
+                         visible="true"
+                         abstract_category="false"
+                         category_order="0"/>
+    
+    <ccm_core.category_domains object_id="-1000"
+                               domain_key="registry"
+                               root_category_id="-2000"
+                               version="1.0"/>
+    
+    <ccm_core.parties party_id="-10"
+                      name="jdoe"/>
+    <ccm_core.parties party_id="-20"
+                      name="mmuster"/>
+    
+    <ccm_core.users party_id="-10"
+                    family_name="Doe"
+                    given_name="John"
+                    email_address="john.doe@example.com"
+                    password="$shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="false"/>
+    <ccm_core.users party_id="-20"
+                    family_name="Mustermann"
+                    given_name="Max"
+                    email_address="max.muster@example.org"
+                    password="$shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="false"/>
+
+    <ccm_core.one_time_auth_tokens 
+        token_id="-100"
+        user_id="-20"
+        token="biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi"
+        valid_until="2032-04-01 12:00:00"
+        purpose="EMAIL_VERIFICATION"/>
+    
+</dataset>
+
+
+
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/finish-password-recover.xml b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/finish-password-recover.xml
new file mode 100644
index 000000000..4dab91ddb
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/ChallengeManagerTest/finish-password-recover.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dataset>
+    
+    <ccm_core.ccm_objects object_id="-1000"
+                          display_name="registry"
+                          uuid="f815d6f8-f915-4399-b16c-2e2dd76f4128"/>
+    <ccm_core.ccm_objects object_id="-2000"
+                          display_name="registry_root"
+                          uuid="1e5b1732-0a15-49b8-b4a6-8aae1a003147"/>
+    
+    <ccm_core.categories object_id="-2000"
+                         unique_id="bb93a964-bf66-424c-a22d-074d001db3b8"
+                         name="registry-root"
+                         enabled="true"
+                         visible="true"
+                         abstract_category="false"
+                         category_order="0"/>
+    
+    <ccm_core.category_domains object_id="-1000"
+                               domain_key="registry"
+                               root_category_id="-2000"
+                               version="1.0"/>
+    
+    <ccm_core.parties party_id="-10"
+                      name="jdoe"/>
+    <ccm_core.parties party_id="-20"
+                      name="mmuster"/>
+    
+    <ccm_core.users party_id="-10"
+                    family_name="Doe"
+                    given_name="John"
+                    email_address="john.doe@example.com"
+                    password="$shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA=="
+                    bouncing="false"
+                    banned="false"
+                    password_reset_required="false"
+                    verified="false"/>
+    <ccm_core.users party_id="-20"
+                    family_name="Mustermann"
+                    given_name="Max"
+                    email_address="max.muster@example.org"
+                    password="$shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q=="
+                    bouncing="false"
+                    banned="true"
+                    password_reset_required="false"
+                    verified="false"/>
+
+    <ccm_core.one_time_auth_tokens 
+        token_id="-100"
+        user_id="-20"
+        token="biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi"
+        valid_until="2032-04-01 12:00:00"
+        purpose="RECOVER_PASSWORD"/>
+    
+</dataset>
+
+
+
+
+
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/OneTimeAuthManagerTest/data.xml b/ccm-core/src/test/resources/datasets/org/libreccm/security/OneTimeAuthManagerTest/data.xml
index 2987c8027..660c55b34 100644
--- a/ccm-core/src/test/resources/datasets/org/libreccm/security/OneTimeAuthManagerTest/data.xml
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/OneTimeAuthManagerTest/data.xml
@@ -45,9 +45,10 @@
                     password_reset_required="false"
                     verified="true"/>
      
-    <ccm_core.one_time_auth_tokens token_id="-100"
-                                   user_id="-10"
-                                   token="biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi"
-                                   valid_until="2032-04-01 12:00:00"
-                                   purpose="EMAIL_VERIFICATION"/>
+    <ccm_core.one_time_auth_tokens 
+        token_id="-100"
+        user_id="-10"
+        token="biXOpuxIPXuRgx9jhk1PzZVIeKGaTmg2qTKoTQ4tl9iiweQ0e5mfmdFI1KjDwjPi"
+        valid_until="2032-04-01 12:00:00"
+        purpose="EMAIL_VERIFICATION"/>
 </dataset>
\ No newline at end of file