diff --git a/ccm-cms-archetype-contenttype/src/site/apt/index.apt b/ccm-cms-archetype-contenttype/src/site/apt/index.apt
index 15a777c90..194683571 100644
--- a/ccm-cms-archetype-contenttype/src/site/apt/index.apt
+++ b/ccm-cms-archetype-contenttype/src/site/apt/index.apt
@@ -32,22 +32,26 @@ LibreCMS Archetype for Content Types
     content type. The following properties are required:
 
     [groupId] The <<<groupId>>> of the new content type module
+
     [artifactId] The <<<artifactId>>> of the new content type module. It is
                  recommended (for official modules mandatory) to use the 
                  following pattern for the <<<artifactId>>>: 
                  <<<ccm-cms-types-$typename>>>. For special branches like
                  APLAWS+ or ScientificCMS the pattern might differ.
+    
     [package] The package for the classes of the new content type module. 
               Defaults to the <<<groupId>>>. It is recommanded to place all 
               classes belonging to a content type into a separate package. For 
               example for the content <<<ccm-cms-types-foo>>> all classes 
               belonging to that content type should be placed into the package
               <<<org.librecms.contenttypes.foo>>>.
+    
     [typeName] The name of the type. Must be a valid class name. If the 
                recommended pattern for the <<<artifactId>>> is used the last 
                token of the <<<artifactId>>> (with a capitalised
                first letter) should be used. For instance the type name of
                <<<ccm-cms-types-foo>>> should be <<<Foo>>>.
+    
     [schemaName] The name of the database schema used to store the tables for
                  the module. Defaults to the <<<artifactId>>>. It is recommended
                  to customise the <<<schemaName>>> to avoid problems with SQL. 
@@ -58,4 +62,4 @@ LibreCMS Archetype for Content Types
                  <<<cms_types_foo>>>.
 
 
-    
\ No newline at end of file
+    
diff --git a/ccm-cms-types-agenda/pom.xml b/ccm-cms-types-agenda/pom.xml
index d3aac8967..c30c6d4fa 100644
--- a/ccm-cms-types-agenda/pom.xml
+++ b/ccm-cms-types-agenda/pom.xml
@@ -4,10 +4,10 @@
     <modelVersion>4.0.0</modelVersion>
 
     <parent>
-    <artifactId>libreccm-parent</artifactId>
-    <groupId>org.libreccm</groupId>
-    <version>7.0.0-SNAPSHOT</version>
-  </parent>
+        <artifactId>libreccm-parent</artifactId>
+        <groupId>org.libreccm</groupId>
+        <version>7.0.0-SNAPSHOT</version>
+    </parent>
  
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -139,7 +139,7 @@
                 </configuration>
             </plugin>
 
-             <plugin>
+            <plugin>
                 <groupId>org.jacoco</groupId>
                 <artifactId>jacoco-maven-plugin</artifactId>
                 <version>0.7.5.201505241946</version>
@@ -313,7 +313,7 @@
                     <reportSet>
                         <reports>
                             <report>dependencies</report>
-                           <report>license</report>
+                            <report>license</report>
                         </reports>
                     </reportSet>
                 </reportSets>
diff --git a/ccm-cms/src/main/java/org/librecms/contentsection/ContentSection.java b/ccm-cms/src/main/java/org/librecms/contentsection/ContentSection.java
index 687d297ec..b6957f043 100644
--- a/ccm-cms/src/main/java/org/librecms/contentsection/ContentSection.java
+++ b/ccm-cms/src/main/java/org/librecms/contentsection/ContentSection.java
@@ -20,7 +20,7 @@ package org.librecms.contentsection;
 
 import static org.librecms.CmsConstants.*;
 
-import org.libreccm.core.Group;
+import org.libreccm.security.Role;
 import org.libreccm.web.CcmApplication;
 
 import java.io.Serializable;
@@ -57,10 +57,10 @@ public class ContentSection extends CcmApplication implements Serializable {
     private String xmlGeneratorClass;
 
     @OneToOne
-    private Group staffGroup;
+    private Role staffGroup;
 
     @OneToOne
-    private Group viewersGroup;
+    private Role viewersGroup;
 
     @Column(name = "default_locale", length = 10)
     private String defaultLocale;
@@ -107,19 +107,19 @@ public class ContentSection extends CcmApplication implements Serializable {
         this.xmlGeneratorClass = xmlGeneratorClass;
     }
 
-    public Group getStaffGroup() {
+    public Role getStaffGroup() {
         return staffGroup;
     }
 
-    public void setStaffGroup(final Group staffGroup) {
+    public void setStaffGroup(final Role staffGroup) {
         this.staffGroup = staffGroup;
     }
 
-    public Group getViewersGroup() {
+    public Role getViewersGroup() {
         return viewersGroup;
     }
 
-    public void setViewersGroup(final Group viewersGroup) {
+    public void setViewersGroup(final Role viewersGroup) {
         this.viewersGroup = viewersGroup;
     }
 
diff --git a/ccm-core/pom.xml b/ccm-core/pom.xml
index 885570d96..8454e1322 100644
--- a/ccm-core/pom.xml
+++ b/ccm-core/pom.xml
@@ -39,12 +39,6 @@
             <scope>provided</scope>
         </dependency>
 
-        <dependency>
-            <groupId>org.libreccm</groupId>
-            <artifactId>ccm-docrepo</artifactId>
-            <version>${project.parent.version}</version>
-        </dependency>
-
         <dependency>
             <groupId>org.hibernate</groupId>
             <artifactId>hibernate-entitymanager</artifactId>
@@ -174,12 +168,17 @@
             <artifactId>maven-artifact</artifactId>
         </dependency>
         
+        <dependency>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-core</artifactId>
+        </dependency>
+        
         <dependency>
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>
             <scope>test</scope>
         </dependency>
-
+        
     </dependencies>
     
     <build>
@@ -968,11 +967,11 @@
                     <!--<version>0.7.5.201505241946</version>-->
                     <scope>test</scope>
                 </dependency>
-                <!--<dependency>
+                <dependency>
                     <groupId>org.jboss.arquillian.extension</groupId>
                     <artifactId>arquillian-jacoco</artifactId>
                     <version>1.0.0.Alpha8</version>
-                </dependency>-->
+                </dependency>
             </dependencies>
             
             <build>
diff --git a/ccm-core/src/main/java/com/arsdigita/kernel/security/SecurityConfig.java b/ccm-core/src/main/java/com/arsdigita/kernel/security/SecurityConfig.java
index dea1471a3..17c1ee6e0 100644
--- a/ccm-core/src/main/java/com/arsdigita/kernel/security/SecurityConfig.java
+++ b/ccm-core/src/main/java/com/arsdigita/kernel/security/SecurityConfig.java
@@ -26,8 +26,6 @@ import com.arsdigita.util.parameter.SpecificClassParameter;
 import com.arsdigita.util.parameter.StringArrayParameter;
 import com.arsdigita.util.parameter.StringParameter;
 
-import org.libreccm.core.authentication.LocalLoginModule;
-
 import java.util.Arrays;
 import java.util.List;
 
@@ -78,12 +76,6 @@ public class SecurityConfig extends AbstractConfig {
     private final Parameter m_cookieDomain = new StringParameter(
         "waf.cookie_domain", Parameter.OPTIONAL, null);
 
-    private final Parameter m_loginConfig = new StringArrayParameter(
-        "waf.login_config", Parameter.REQUIRED,
-        new String[]{
-            String.format("Register:%s:requisite",
-                          LocalLoginModule.class.getName())});
-
     private final Parameter m_adminEmail = new StringParameter(
         "waf.admin.contact_email", Parameter.OPTIONAL, null);
 
@@ -111,6 +103,12 @@ public class SecurityConfig extends AbstractConfig {
     private final Parameter m_saltLength = new IntegerParameter(
         "waf.security.salt_length", Parameter.REQUIRED, 256);
 
+    /**
+     * Default number of hash iterations for new passwords.
+     */
+    private final Parameter m_hashIterations = new IntegerParameter(
+            "waf.security.hash_iterations", Parameter.REQUIRED, 50000);
+    
     /**
      * Constructs an empty SecurityConfig object
      */
@@ -120,7 +118,6 @@ public class SecurityConfig extends AbstractConfig {
         register(m_excludedExtensions);
 
         register(m_cookieDomain);
-        register(m_loginConfig);
         register(m_cookieDurationMinutes);
         register(m_adminEmail);
         register(m_autoRegistrationOn);
@@ -129,6 +126,7 @@ public class SecurityConfig extends AbstractConfig {
 
         register(m_hashAlgorithm);
         register(m_saltLength);
+        register(m_hashIterations);
 
         loadInfo();
     }
@@ -174,10 +172,6 @@ public class SecurityConfig extends AbstractConfig {
         return (String) get(m_cookieDomain);
     }
 
-    String[] getLoginConfig() {
-        return (String[]) get(m_loginConfig);
-    }
-
     Integer getCookieDurationMinutes() {
         return (Integer) get(m_cookieDurationMinutes);
     }
@@ -237,5 +231,9 @@ public class SecurityConfig extends AbstractConfig {
     public Integer getSaltLength() {
         return (Integer) get(m_saltLength);
     }
+    
+    public Integer getHashIterations() {
+        return (Integer) get(m_hashIterations);
+    }
 
 }
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/AdminServlet.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/AdminServlet.java
index f0aec7898..3cce0f158 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/AdminServlet.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/AdminServlet.java
@@ -32,11 +32,6 @@ import com.arsdigita.xml.Document;
 
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.CcmSessionContext;
-import org.libreccm.core.PermissionManager;
-import org.libreccm.core.Privilege;
-import org.libreccm.core.PrivilegeRepository;
-import org.libreccm.core.Subject;
 import org.libreccm.web.CcmApplication;
 
 import java.io.IOException;
@@ -107,40 +102,40 @@ public class AdminServlet extends BaseApplicationServlet implements
         // ///////    Some preparational steps                   ///////////////
         /* Determine access privilege: only logged in users may access DS   */
         final CdiUtil cdiUtil = new CdiUtil();
-        final CcmSessionContext sessionContext;
-        try {
-            sessionContext = cdiUtil.findBean(
-                CcmSessionContext.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(
-                "Failed to lookup session context", ex);
-        }
-        final Subject subject = sessionContext.getCurrentSubject();
-        if (subject == null) {
-            throw new LoginSignal(sreq);
-        }
-
-        final PrivilegeRepository privilegeRepository;
-        try {
-            privilegeRepository = cdiUtil.findBean(PrivilegeRepository.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(
-                "Failed to lookup PrivilegeRepository", ex);
-        }
-        final Privilege adminPrivilege = privilegeRepository.retrievePrivilege(
-            "admin");
-
-        final PermissionManager permissionManager;
-        try {
-            permissionManager = cdiUtil.findBean(PermissionManager.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(
-                "Failed to look up PermissionManager", ex);
-        }
+//        final CcmSessionContext sessionContext;
+//        try {
+//            sessionContext = cdiUtil.findBean(
+//                CcmSessionContext.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(
+//                "Failed to lookup session context", ex);
+//        }
+//        final Subject subject = sessionContext.getCurrentSubject();
+//        if (subject == null) {
+//            throw new LoginSignal(sreq);
+//        }
+//
+//        final PrivilegeRepository privilegeRepository;
+//        try {
+//            privilegeRepository = cdiUtil.findBean(PrivilegeRepository.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(
+//                "Failed to lookup PrivilegeRepository", ex);
+//        }
+//        final Privilege adminPrivilege = privilegeRepository.retrievePrivilege(
+//            "admin");
+//
+//        final PermissionManager permissionManager;
+//        try {
+//            permissionManager = cdiUtil.findBean(PermissionManager.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(
+//                "Failed to look up PermissionManager", ex);
+//        }
         
-        if (!permissionManager.isPermitted(adminPrivilege, null, subject)) {
-            throw new AccessDeniedException("User is not an administrator");
-        }
+//        if (!permissionManager.isPermitted(adminPrivilege, null, subject)) {
+//            throw new AccessDeniedException("User is not an administrator");
+//        }
 
         /* Want admin to always show the latest stuff...                     */
         DispatcherHelper.cacheDisable(sresp);
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/EmailList.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/EmailList.java
index cc430a840..e259e7ba5 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/EmailList.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/EmailList.java
@@ -35,8 +35,6 @@ import com.arsdigita.util.UncheckedWrapperException;
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.core.EmailAddress;
-import org.libreccm.core.User;
-import org.libreccm.core.UserRepository;
 
 import static com.arsdigita.ui.admin.AdminConstants.*;
 
@@ -105,28 +103,28 @@ class EmailList extends List
 
         final Long userId = (Long) state.getValue(USER_ID_PARAM);
         if (userId != null) {
-            final CdiUtil cdiUtil = new CdiUtil();
-            final UserRepository userRepository;
-            try {
-                userRepository = cdiUtil.findBean(UserRepository.class);
-            } catch(CdiLookupException ex) {
-                throw new UncheckedWrapperException(ex);
-            }
-            
-            final User user = userRepository.findById(userId);
-            if (user == null) {
-                return;
-            } else {
-                final String email = (String) getSelectedKey(state);
-                
-                for(EmailAddress addr : user.getEmailAddresses()) {
-                    if (addr.getAddress().equals(email)) {
-                        user.removeEmailAddress(addr);
-                    }
-                }
-                
-                userRepository.save(user);
-            }
+//            final CdiUtil cdiUtil = new CdiUtil();
+//            final UserRepository userRepository;
+//            try {
+//                userRepository = cdiUtil.findBean(UserRepository.class);
+//            } catch(CdiLookupException ex) {
+//                throw new UncheckedWrapperException(ex);
+//            }
+//            
+//            final User user = userRepository.findById(userId);
+//            if (user == null) {
+//                return;
+//            } else {
+//                final String email = (String) getSelectedKey(state);
+//                
+//                for(EmailAddress addr : user.getEmailAddresses()) {
+//                    if (addr.getAddress().equals(email)) {
+//                        user.removeEmailAddress(addr);
+//                    }
+//                }
+//                
+//                userRepository.save(user);
+//            }
         }
     }
 }
@@ -192,20 +190,22 @@ class EmailListModelBuilder extends LockableImpl
     @Override
     public ListModel makeModel(List l, PageState state) {
 
-        final Long userId = (Long) state.getValue(USER_ID_PARAM);
-        if (userId == null) {
-            return null;
-        } else {
-            final CdiUtil cdiUtil = new CdiUtil();
-            final UserRepository userRepository;
-            try {
-                userRepository = cdiUtil.findBean(UserRepository.class);
-            } catch(CdiLookupException ex) {
-                throw new UncheckedWrapperException(ex);
-            }
-            final User user = userRepository.findById(userId);
-            
-            return new EmailListModel(user.getEmailAddresses().iterator());
-        }
+        return null;
+        
+//        final Long userId = (Long) state.getValue(USER_ID_PARAM);
+//        if (userId == null) {
+//            return null;
+//        } else {
+//            final CdiUtil cdiUtil = new CdiUtil();
+//            final UserRepository userRepository;
+//            try {
+//                userRepository = cdiUtil.findBean(UserRepository.class);
+//            } catch(CdiLookupException ex) {
+//                throw new UncheckedWrapperException(ex);
+//            }
+//            final User user = userRepository.findById(userId);
+//            
+//            return new EmailListModel(user.getEmailAddresses().iterator());
+//        }
     }
 }
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/ExistingGroupAddPane.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/ExistingGroupAddPane.java
index 33b68162d..2823a381c 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/ExistingGroupAddPane.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/ExistingGroupAddPane.java
@@ -18,8 +18,8 @@ import com.arsdigita.util.UncheckedWrapperException;
 
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.Group;
-import org.libreccm.core.GroupRepository;
+//import org.libreccm.core.Group;
+//import org.libreccm.core.GroupRepository;
 
 import static com.arsdigita.ui.admin.AdminConstants.*;
 
@@ -52,25 +52,27 @@ public class ExistingGroupAddPane extends SimpleContainer implements
         @Override
         protected Object initialValue(final PageState ps) {
             String key = (String) groupTree.getSelectedKey(ps);
-
-            Group group = null;
-
-            if (key != null) {
-                final Long id = new Long(key);
-
-                final CdiUtil cdiUtil = new CdiUtil();
-                final GroupRepository groupRepository;
-                try {
-                    groupRepository = cdiUtil.findBean(GroupRepository.class);
-                } catch (CdiLookupException ex) {
-                    throw new UncheckedWrapperException(
-                        "Failed to lookup GroupRepository", ex);
-                }
-                
-                group = groupRepository.findById(id);
-            }
+//
+//            Group group = null;
+//
+//            if (key != null) {
+//                final Long id = new Long(key);
+//
+//                final CdiUtil cdiUtil = new CdiUtil();
+//                final GroupRepository groupRepository;
+//                try {
+//                    groupRepository = cdiUtil.findBean(GroupRepository.class);
+//                } catch (CdiLookupException ex) {
+//                    throw new UncheckedWrapperException(
+//                        "Failed to lookup GroupRepository", ex);
+//                }
+//                
+//                group = groupRepository.findById(id);
+//            }
+//            
+//            return group;
             
-            return group;
+            return null;
         }
 
     };
@@ -197,8 +199,8 @@ public class ExistingGroupAddPane extends SimpleContainer implements
      *
      * @return
      */
-    public Group getParentGroup(PageState ps) {
-        return (Group) parentGroup.get(ps);
-    }
+//    public Group getParentGroup(PageState ps) {
+//        return (Group) parentGroup.get(ps);
+//    }
 
 }
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupAddForm.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupAddForm.java
index 3967d0f4f..acf5317ef 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupAddForm.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupAddForm.java
@@ -28,8 +28,6 @@ import com.arsdigita.util.UncheckedWrapperException;
 
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.Group;
-import org.libreccm.core.GroupRepository;
 
 import static com.arsdigita.ui.admin.AdminConstants.*;
 
@@ -63,56 +61,58 @@ class GroupAddForm extends GroupForm implements FormProcessListener {
     public void process(final FormSectionEvent event)
         throws FormProcessException {
 
-        PageState ps = event.getPageState();
-
-        // Get super parent group.
-        String key = (String) m_groupTree.getSelectedKey(ps);
-
-        final Group parentGroup = null;
-//        if (key != null) {
-//            BigDecimal parentID = new BigDecimal(key);
+//        PageState ps = event.getPageState();
 //
-//            try {
-//                parentGroup = new Group(parentID);
-//            } catch (DataObjectNotFoundException exc) {
-//                // Parent group does not exist.
-//                // This is normal behavior with the new group
-//                // been add with no parent.
-//            }
+//        // Get super parent group.
+//        String key = (String) m_groupTree.getSelectedKey(ps);
+//
+//        final Group parentGroup = null;
+////        if (key != null) {
+////            BigDecimal parentID = new BigDecimal(key);
+////
+////            try {
+////                parentGroup = new Group(parentID);
+////            } catch (DataObjectNotFoundException exc) {
+////                // Parent group does not exist.
+////                // This is normal behavior with the new group
+////                // been add with no parent.
+////            }
+////        }
+//
+//        final Group group = new Group();
+//
+//        String name = (String) m_name.getValue(ps);
+//        group.setName(name);
+//
+//        // Workaround for bug #189720: there is no way to remove a
+//        // Party's primary email address, so we set it directly to
+//        // null if it's value on the form is null.
+////        InternetAddress email = (InternetAddress) m_email.getValue(ps);
+////        if (email != null) {
+////            group.setPrimaryEmail(new EmailAddress(email.getAddress()));
+////        } else {
+////            //group.set("primaryEmail", null);
+////            group.setPrimaryEmail(null);
+////        }
+//        final CdiUtil cdiUtil = new CdiUtil();
+//        final GroupRepository groupRepository;
+//        try {
+//            groupRepository = cdiUtil.findBean(GroupRepository.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(
+//                "Failed to lookup GroupRepository", ex);
 //        }
-
-        final Group group = new Group();
-
-        String name = (String) m_name.getValue(ps);
-        group.setName(name);
-
-        // Workaround for bug #189720: there is no way to remove a
-        // Party's primary email address, so we set it directly to
-        // null if it's value on the form is null.
-//        InternetAddress email = (InternetAddress) m_email.getValue(ps);
-//        if (email != null) {
-//            group.setPrimaryEmail(new EmailAddress(email.getAddress()));
-//        } else {
-//            //group.set("primaryEmail", null);
-//            group.setPrimaryEmail(null);
+//        groupRepository.save(group);
+//
+////        if (parentGroup != null) {
+////            parentGroup.addSubgroup(group);
+////            parentGroup.save();
+////        }
+//        if (m_groupTab != null) {
+//            m_groupTab.setGroup(ps, group);
 //        }
-        final CdiUtil cdiUtil = new CdiUtil();
-        final GroupRepository groupRepository;
-        try {
-            groupRepository = cdiUtil.findBean(GroupRepository.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(
-                "Failed to lookup GroupRepository", ex);
-        }
-        groupRepository.save(group);
-
-//        if (parentGroup != null) {
-//            parentGroup.addSubgroup(group);
-//            parentGroup.save();
-//        }
-        if (m_groupTab != null) {
-            m_groupTab.setGroup(ps, group);
-        }
+        
+        throw new UnsupportedOperationException();
     }
 
 }
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupAdministrationTab.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupAdministrationTab.java
index 713e1253c..774b28002 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupAdministrationTab.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupAdministrationTab.java
@@ -53,8 +53,6 @@ import java.util.ArrayList;
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.Group;
-import org.libreccm.core.GroupRepository;
 
 /**
  * Constructs the panel for administration of groups.
@@ -102,31 +100,31 @@ class GroupAdministrationTab extends LayoutPanel implements AdminConstants,
      *
      * @return
      */
-    public Group getGroup(final PageState state) {
-        return (Group) requestLocalGroup.get(state);
-    }
+//    public Group getGroup(final PageState state) {
+//        return (Group) requestLocalGroup.get(state);
+//    }
 
-    public void setGroup(final PageState state, final Group group) {
-        final String groupId = Long.toString(group.getSubjectId());
-        requestLocalGroup.set(state, group);
-        groupTree.setSelectedKey(state, groupId);
-
-        if (!"-1".equals(groupId)) {
-            expandGroups(state, group);
-            groupTree.expand("-1", state);
-        }
-    }
-
-    private void expandGroups(final PageState state, final Group group) {
-//        groupTree.expand(Long.toString(group.getSubjectId()), state);
+//    public void setGroup(final PageState state, final Group group) {
+//        final String groupId = Long.toString(group.getSubjectId());
+//        requestLocalGroup.set(state, group);
+//        groupTree.setSelectedKey(state, groupId);
 //
-//        final List< superGroups = group.getSupergroups();
-//        Group superGroup;
-//        while (superGroups.next()) {
-//            superGroup = (Group) superGroups.getDomainObject();
-//            expandGroups(state, superGroup);
+//        if (!"-1".equals(groupId)) {
+//            expandGroups(state, group);
+//            groupTree.expand("-1", state);
 //        }
-    }
+//    }
+
+//    private void expandGroups(final PageState state, final Group group) {
+////        groupTree.expand(Long.toString(group.getSubjectId()), state);
+////
+////        final List< superGroups = group.getSupergroups();
+////        Group superGroup;
+////        while (superGroups.next()) {
+////            superGroup = (Group) superGroups.getDomainObject();
+////            expandGroups(state, superGroup);
+////        }
+//    }
 
     /**
      * Constructor
@@ -141,26 +139,26 @@ class GroupAdministrationTab extends LayoutPanel implements AdminConstants,
 
             @Override
             protected Object initialValue(final PageState state) {
-                String key = (String) groupTree.getSelectedKey(state);
+//                String key = (String) groupTree.getSelectedKey(state);
 
-                Group group;
-                if (key != null) {
-                    final long id = Long.parseLong(key);
-
-                    final CdiUtil cdiUtil = new CdiUtil();
-                    final GroupRepository groupRepository;
-                    try {
-                        groupRepository = cdiUtil
-                            .findBean(GroupRepository.class);
-                    } catch (CdiLookupException ex) {
-                        throw new UncheckedWrapperException(
-                            "Failed to lookup GroupRepository", ex);
-                    }
-
-                    group = groupRepository.findById(id);
-
-                    return group;
-                }
+//                Group group;
+//                if (key != null) {
+//                    final long id = Long.parseLong(key);
+//
+//                    final CdiUtil cdiUtil = new CdiUtil();
+//                    final GroupRepository groupRepository;
+//                    try {
+//                        groupRepository = cdiUtil
+//                            .findBean(GroupRepository.class);
+//                    } catch (CdiLookupException ex) {
+//                        throw new UncheckedWrapperException(
+//                            "Failed to lookup GroupRepository", ex);
+//                    }
+//
+//                    group = groupRepository.findById(id);
+//
+//                    return group;
+//                }
                 return null;
             }
 
@@ -268,11 +266,11 @@ class GroupAdministrationTab extends LayoutPanel implements AdminConstants,
 
             @Override
             public void prepare(final PrintEvent event) {
-                final Label target = (Label) event.getTarget();
-                final PageState state = event.getPageState();
-                final Group group = getGroup(state);
-
-                target.setLabel(group.getName());
+//                final Label target = (Label) event.getTarget();
+//                final PageState state = event.getPageState();
+//                final Group group = getGroup(state);
+//
+//                target.setLabel(group.getName());
             }
 
         });
@@ -351,13 +349,14 @@ class GroupAdministrationTab extends LayoutPanel implements AdminConstants,
                                           final String key,
                                           final int index,
                                           final boolean isSelected) {
-                final BoxPanel b = new BoxPanel(BoxPanel.HORIZONTAL);
-                b.add(new Label(((Group) value).getName()));
-                final ControlLink removeLink = new ControlLink(
-                    REMOVE_SUBGROUP_LABEL);
-                removeLink.setClassAttr("actionLink");
-                b.add(removeLink);
-                return b;
+                throw new UnsupportedOperationException();
+//                final BoxPanel b = new BoxPanel(BoxPanel.HORIZONTAL);
+//                b.add(new Label(((Group) value).getName()));
+//                final ControlLink removeLink = new ControlLink(
+//                    REMOVE_SUBGROUP_LABEL);
+//                removeLink.setClassAttr("actionLink");
+//                b.add(removeLink);
+//                return b;
             }
 
         });
@@ -371,24 +370,24 @@ class GroupAdministrationTab extends LayoutPanel implements AdminConstants,
                     .getSelectedKey(state);
 
                 if (key != null) {
-                    final Long groupId = Long.parseLong(key);
-                    final CdiUtil cdiUtil = new CdiUtil();
-                    final GroupRepository groupRepository;
-                    try {
-                        groupRepository = cdiUtil
-                            .findBean(GroupRepository.class);
-                    } catch (CdiLookupException ex) {
-                        throw new UncheckedWrapperException(
-                            "Failed to lookup GroupRepository", ex);
-                    }
-
-                    final Group group = groupRepository.findById(groupId);
-                    final Group parent = getGroup(state);
-                    if (parent != null) {
-                        groupRepository.save(parent);
-                    }
-
-                    final BigDecimal groupID = new BigDecimal(key);
+//                    final Long groupId = Long.parseLong(key);
+//                    final CdiUtil cdiUtil = new CdiUtil();
+//                    final GroupRepository groupRepository;
+//                    try {
+//                        groupRepository = cdiUtil
+//                            .findBean(GroupRepository.class);
+//                    } catch (CdiLookupException ex) {
+//                        throw new UncheckedWrapperException(
+//                            "Failed to lookup GroupRepository", ex);
+//                    }
+//
+//                    final Group group = groupRepository.findById(groupId);
+//                    final Group parent = getGroup(state);
+//                    if (parent != null) {
+//                        groupRepository.save(parent);
+//                    }
+//
+//                    final BigDecimal groupID = new BigDecimal(key);
 //                    try {
 //                        final Group group = new Group(groupID);
 //                        final Group parent = getGroup(state);
@@ -530,24 +529,24 @@ class GroupAdministrationTab extends LayoutPanel implements AdminConstants,
         final ActionLink deleteLink = new ActionLink(DELETE_GROUP_LABEL);
         deleteLink.setClassAttr("actionLink");
         deleteLink.setConfirmation(GROUP_DELETE_CONFIRMATION);
-        deleteLink.addActionListener(new ActionListener() {
+//        deleteLink.addActionListener(new ActionListener() {
+//
+//            @Override
+//            public void actionPerformed(final ActionEvent event) {
+//
+//                PageState ps = event.getPageState();
 
-            @Override
-            public void actionPerformed(final ActionEvent event) {
-
-                PageState ps = event.getPageState();
-
-                final Group group = (Group) requestLocalGroup.get(ps);
-                if (group != null) {
-                    final CdiUtil cdiUtil = new CdiUtil();
-                    final GroupRepository groupRepository;
-                    try {
-                        groupRepository = cdiUtil.findBean(GroupRepository.class);
-                    } catch(CdiLookupException ex) {
-                        throw new UncheckedWrapperException(ex);
-                    }
+//                final Group group = (Group) requestLocalGroup.get(ps);
+//                if (group != null) {
+//                    final CdiUtil cdiUtil = new CdiUtil();
+//                    final GroupRepository groupRepository;
+//                    try {
+//                        groupRepository = cdiUtil.findBean(GroupRepository.class);
+//                    } catch(CdiLookupException ex) {
+//                        throw new UncheckedWrapperException(ex);
+//                    }
                     
-                    groupRepository.delete(group);
+//                    groupRepository.delete(group);
                     
 //                    try {
 //                        group.delete();
@@ -556,16 +555,17 @@ class GroupAdministrationTab extends LayoutPanel implements AdminConstants,
 //                        LOGGER.warn("Error deleting subgroup", exc);
 //                        displayDeleteFailedPanel(ps);
 //                    }
-                }
+//                }
                 // Select root node
 
-            }
-
-        });
-        body.add(deleteLink);
-        return main.addSegment(GROUP_EXTREME_ACTIONS_HEADER,
-                               body);
-
+//            }
+//
+//        });
+//        body.add(deleteLink);
+//        return main.addSegment(GROUP_EXTREME_ACTIONS_HEADER,
+//                               body);
+        
+        throw new UnsupportedOperationException();
     }
 
     /**
@@ -624,7 +624,7 @@ class SubGroupListModelBuilder extends LockableImpl implements ListModelBuilder
     }
 
     public ListModel makeModel(final List list, final PageState state) {
-        final Group group = parent.getGroup(state);
+//        final Group group = parent.getGroup(state);
 
 //        if (group != null) {
 //            return new SubGroupListModel(group.getSubgroups());
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupEditForm.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupEditForm.java
index 3dd748832..4b659fd71 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupEditForm.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupEditForm.java
@@ -32,8 +32,8 @@ import com.arsdigita.util.UncheckedWrapperException;
 
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.Group;
-import org.libreccm.core.GroupRepository;
+//import org.libreccm.core.Group;
+//import org.libreccm.core.GroupRepository;
 
 import static com.arsdigita.ui.admin.AdminConstants.*;
 
@@ -68,22 +68,22 @@ class GroupEditForm extends GroupForm implements FormInitListener,
         final PageState state = event.getPageState();
         final Long id = (Long) state.getValue(USER_ID_PARAM);
 
-        if (id != null) {
-            final CdiUtil cdiUtil = new CdiUtil();
-            final GroupRepository groupRepository;
-
-            try {
-                groupRepository = cdiUtil.findBean(
-                    GroupRepository.class);
-            } catch (CdiLookupException ex) {
-                throw new UncheckedWrapperException(
-                    "Failed to lookup GroupRepository", ex);
-            }
-
-            final Group group = groupRepository.findById(id);
-
-            m_name.setValue(state, group.getName());
-        }
+//        if (id != null) {
+//            final CdiUtil cdiUtil = new CdiUtil();
+//            final GroupRepository groupRepository;
+//
+//            try {
+//                groupRepository = cdiUtil.findBean(
+//                    GroupRepository.class);
+//            } catch (CdiLookupException ex) {
+//                throw new UncheckedWrapperException(
+//                    "Failed to lookup GroupRepository", ex);
+//            }
+//
+//            final Group group = groupRepository.findById(id);
+//
+//            m_name.setValue(state, group.getName());
+//        }
     }
 
     /**
@@ -96,31 +96,31 @@ class GroupEditForm extends GroupForm implements FormInitListener,
         final PageState state = event.getPageState();
         final Long id = (Long) state.getValue(GROUP_ID_PARAM);
         final CdiUtil cdiUtil = new CdiUtil();
-        final GroupRepository groupRepository;
-        try {
-            groupRepository = cdiUtil.findBean(GroupRepository.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(
-                "Failed to lookup GroupRepository", ex);
-        }
+//        final GroupRepository groupRepository;
+//        try {
+//            groupRepository = cdiUtil.findBean(GroupRepository.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(
+//                "Failed to lookup GroupRepository", ex);
+//        }
 
         if (id == null) {
             throw new FormProcessException(GlobalizationUtil.globalize(
                 "ui.admin.groups.ID_is_null"));
         }
 
-        final Group group = groupRepository.findById(id);
-        if (group == null) {
-            throw new FormProcessException(GlobalizationUtil.globalize(
-                "ui.admin.groups.couldnt_find_specified_group"));
-        }
-        
-
-        final String name = (String) m_name.getValue(state);
-        group.setName(name);
-
-        groupRepository.save(group);
-
+//        final Group group = groupRepository.findById(id);
+//        if (group == null) {
+//            throw new FormProcessException(GlobalizationUtil.globalize(
+//                "ui.admin.groups.couldnt_find_specified_group"));
+//        }
+//        
+//
+//        final String name = (String) m_name.getValue(state);
+//        group.setName(name);
+//
+//        groupRepository.save(group);
+//
         if (m_parent != null) {
             m_parent.displayGroupInfoPanel(state);
         }
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupSearchForm.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupSearchForm.java
index 3e5b5bcf3..feae2eb33 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupSearchForm.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupSearchForm.java
@@ -42,8 +42,6 @@ import com.arsdigita.util.UncheckedWrapperException;
 
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.Group;
-import org.libreccm.core.GroupRepository;
 
 import java.util.Collections;
 
@@ -60,7 +58,7 @@ public class GroupSearchForm extends Form implements FormProcessListener,
 
     private ExistingGroupAddPane parentPane;
     private TextField m_search;
-    private List<Group> results = null;
+//    private List<Group> results = null;
 
     private static final Logger s_log = Logger.getLogger(GroupSearchForm.class);
 
@@ -91,27 +89,27 @@ public class GroupSearchForm extends Form implements FormProcessListener,
         throws FormProcessException {
         PageState state = event.getPageState();
 
-        Group parent = parentPane.getParentGroup(state);
-        String search = (String) m_search.getValue(state);
-
-        final CdiUtil cdiUtil = new CdiUtil();
-        final GroupRepository groupRepository;
-        try {
-            groupRepository = cdiUtil.findBean(GroupRepository.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(
-                "Failed to lookup GroupRepository", ex);
-        }
-        results = groupRepository.searchGroupByName(search);
-        
-
-        if (results.isEmpty()) {
-            parentPane.showNoResults(state);
-        } else {
-            // put search string into Page
-            state.setValue(getSearchString(), m_search.getValue(state));
-            parentPane.showGroups(state);
-        }
+//        Group parent = parentPane.getParentGroup(state);
+//        String search = (String) m_search.getValue(state);
+//
+//        final CdiUtil cdiUtil = new CdiUtil();
+//        final GroupRepository groupRepository;
+//        try {
+//            groupRepository = cdiUtil.findBean(GroupRepository.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(
+//                "Failed to lookup GroupRepository", ex);
+//        }
+//        results = groupRepository.searchGroupByName(search);
+//        
+//
+//        if (results.isEmpty()) {
+//            parentPane.showNoResults(state);
+//        } else {
+//            // put search string into Page
+//            state.setValue(getSearchString(), m_search.getValue(state));
+//            parentPane.showGroups(state);
+//        }
 
     }
 
@@ -122,9 +120,9 @@ public class GroupSearchForm extends Form implements FormProcessListener,
      *
      * @return 
      */
-    public List<Group> getResults() {
-        return Collections.unmodifiableList(results);
-    }
+//    public List<Group> getResults() {
+//        return Collections.unmodifiableList(results);
+//    }
 
     private ParameterModel getSearchString() {
         return parentPane.getSearchString();
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupTreeModel.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupTreeModel.java
index f8d81ba31..0ede8822a 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupTreeModel.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/GroupTreeModel.java
@@ -26,8 +26,7 @@ import com.arsdigita.util.UncheckedWrapperException;
 
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.Group;
-import org.libreccm.core.GroupRepository;
+import org.libreccm.security.Group;
 
 import java.math.BigDecimal;
 
@@ -106,25 +105,27 @@ public class GroupTreeModel implements TreeModel {
     @Override
     public Iterator<Group> getChildren(final TreeNode node,
                                        final PageState state) {
-
-        if (node instanceof RootTreeNode) {
-
-            final CdiUtil cdiUtil = new CdiUtil();
-            final GroupRepository groupRepository;
-            try {
-                groupRepository = cdiUtil.findBean(GroupRepository.class);
-            } catch (CdiLookupException ex) {
-                throw new UncheckedWrapperException(
-                    "Failed to lookup GroupRepository", ex);
-            }
-            final List<Group> groups = groupRepository.findAll();
-
-            return groups.iterator();
-        } else {
-            return null;
-        }
+//
+//        if (node instanceof RootTreeNode) {
+//
+//            final CdiUtil cdiUtil = new CdiUtil();
+//            final GroupRepository groupRepository;
+//            try {
+//                groupRepository = cdiUtil.findBean(GroupRepository.class);
+//            } catch (CdiLookupException ex) {
+//                throw new UncheckedWrapperException(
+//                    "Failed to lookup GroupRepository", ex);
+//            }
+//            final List<Group> groups = groupRepository.findAll();
+//
+//            return groups.iterator();
+//        } else {
+//            return null;
+//        }
+        
+        throw new UnsupportedOperationException();
     }
-
+//
 }
 
 class RootTreeNode implements TreeNode {
@@ -147,7 +148,7 @@ class GroupTreeNode implements TreeNode {
     private String m_name;
 
     public GroupTreeNode(Group group) {
-        m_key = Long.toString(group.getSubjectId());
+//        m_key = Long.toString(group.getSubjectId());
         m_name = group.getName();
     }
 
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/PartyListModel.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/PartyListModel.java
index 15bb039a2..2d8ad76df 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/PartyListModel.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/PartyListModel.java
@@ -20,7 +20,7 @@ package com.arsdigita.ui.admin;
 
 import com.arsdigita.bebop.list.ListModel;
 
-import org.libreccm.core.Subject;
+import org.libreccm.security.Party;
 
 import java.util.List;
 
@@ -31,8 +31,8 @@ import java.util.List;
  */ 
 class PartyListModel implements ListModel {
 
-    private final List<Subject> m_parties;
-    private Subject m_currentParty = null;
+    private final List<Party> m_parties;
+    private Party m_currentParty = null;
     private int index = 0;
 
     /**
@@ -41,7 +41,7 @@ class PartyListModel implements ListModel {
      *
      * @param partys the partyCollection
      **/
-    public PartyListModel(final List<Subject> parties) {
+    public PartyListModel(final List<Party> parties) {
         m_parties = parties;
     }
 
@@ -68,7 +68,7 @@ class PartyListModel implements ListModel {
      **/
     @Override
     public String getKey() {
-        return Long.toString(m_currentParty.getSubjectId());
+        return Long.toString(m_currentParty.getPartyId());
     }
 
     /**
@@ -78,6 +78,6 @@ class PartyListModel implements ListModel {
      **/
     @Override
     public Object getElement() {
-        return m_currentParty.getSubjectId();
+        return m_currentParty.getPartyId();
     }
 }
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/SelectGroups.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/SelectGroups.java
index d6cd30700..a3bd5554b 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/SelectGroups.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/SelectGroups.java
@@ -37,7 +37,7 @@ import com.arsdigita.bebop.form.Option;
 import com.arsdigita.bebop.form.OptionGroup;
 import com.arsdigita.bebop.form.Submit;
 
-import org.libreccm.core.Group;
+import org.libreccm.security.Group;
 
 import java.util.List;
 
@@ -147,18 +147,18 @@ public class SelectGroups {
             PageState state = e.getPageState();
             OptionGroup cbg = (CheckboxGroup) e.getTarget();
 
-            List<Group> results = searchForm.getResults();
+//            List<Group> results = searchForm.getResults();
 
             String groupID;
             String groupName;
             Group child;
             
-            for(Group group : results) {
-                child = group;
-                groupID = Long.toString(child.getSubjectId());
-                groupName = child.getName();
-                cbg.addOption(new Option(groupID, groupName));
-            }
+//            for(Group group : results) {
+//                child = group;
+//                groupID = Long.toString(child.getSubjectId());
+//                groupName = child.getName();
+//                cbg.addOption(new Option(groupID, groupName));
+//            }
         }
 
     }
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/SubMemberPanel.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/SubMemberPanel.java
index c7e9d3781..64ce8449e 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/SubMemberPanel.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/SubMemberPanel.java
@@ -34,12 +34,6 @@ import com.arsdigita.util.UncheckedWrapperException;
 
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.Group;
-import org.libreccm.core.GroupManager;
-import org.libreccm.core.GroupMembership;
-import org.libreccm.core.GroupRepository;
-import org.libreccm.core.User;
-import org.libreccm.core.UserRepository;
 
 import static com.arsdigita.ui.admin.AdminConstants.*;
 
@@ -71,8 +65,8 @@ class SubMemberPanel extends BoxPanel {
                     
                     final BoxPanel panel = new BoxPanel(BoxPanel.HORIZONTAL);
 
-                    Label label = new Label(((User) value).getScreenName());
-                    panel.add(label);
+//                    Label label = new Label(((User) value).getScreenName());
+//                    panel.add(label);
 
                     ControlLink removeLink = new ControlLink(REMOVE_SUBMEMBER_LABEL);
                     removeLink.setClassAttr("actionLink");
@@ -91,23 +85,23 @@ class SubMemberPanel extends BoxPanel {
                     if (key != null) {
                         final Long userID = new Long(key);
                         final CdiUtil cdiUtil = new CdiUtil();
-                        final UserRepository userRepository;
-                        final GroupManager groupManager;
-                        final GroupRepository groupRepository;
-                        try {
-                            userRepository = cdiUtil.findBean(UserRepository.class);
-                            groupManager = cdiUtil.findBean(GroupManager.class);
-                            groupRepository = cdiUtil.findBean(GroupRepository.class);
-                        } catch(CdiLookupException ex) {
-                            throw new UncheckedWrapperException(ex);
-                        }
-                        
-                        final User user = userRepository.findById(userID);
-                        final Group group = m_mainTab.getGroup(state);
-                        if (group != null) {
-                            groupManager.removeUserFromGroup(user, group);
-                            groupRepository.save(group);
-                        }
+//                        final UserRepository userRepository;
+//                        final GroupManager groupManager;
+//                        final GroupRepository groupRepository;
+//                        try {
+//                            userRepository = cdiUtil.findBean(UserRepository.class);
+//                            groupManager = cdiUtil.findBean(GroupManager.class);
+//                            groupRepository = cdiUtil.findBean(GroupRepository.class);
+//                        } catch(CdiLookupException ex) {
+//                            throw new UncheckedWrapperException(ex);
+//                        }
+//                        
+//                        final User user = userRepository.findById(userID);
+//                        final Group group = m_mainTab.getGroup(state);
+//                        if (group != null) {
+//                            groupManager.removeUserFromGroup(user, group);
+//                            groupRepository.save(group);
+//                        }
                     }
 
                 }
@@ -127,47 +121,47 @@ class SubMemberListModelBuilder extends LockableImpl
     @Override
     public ListModel makeModel(final List list, final PageState state) {
 
-        final Group group = m_mainTab.getGroup(state);
-        final java.util.List<GroupMembership> members;
-        if (group == null) {
-            members = null;
-        } else {
-            members = group.getMembers();
-        }
+//        final Group group = m_mainTab.getGroup(state);
+//        final java.util.List<GroupMembership> members;
+//        if (group == null) {
+//            members = null;
+//        } else {
+//            members = group.getMembers();
+//        }
         
-        return new SubMemberListModel(members);
-
+//        return new SubMemberListModel(members);
+        throw new UnsupportedOperationException();
 
     }
 }
 
-class SubMemberListModel implements ListModel {
-
-    private final java.util.List<GroupMembership> members;
-    private int index;
-    
-
-    public SubMemberListModel(final java.util.List<GroupMembership> members) {
-        this.members = members;
-    }
-
-    @Override
-    public Object getElement() {
-        return members.get(index);
-    }
-
-    @Override
-    public String getKey() {
-        return Long.toString(members.get(index).getMembershipId());
-    }
-
-    @Override
-    public boolean next() {
-        if (index < members.size()) {
-            index++;
-            return true;
-        } else {
-            return false;
-        }
-    }
-}
+//class SubMemberListModel implements ListModel {
+//
+////    private final java.util.List<GroupMembership> members;
+//    private int index;
+//    
+//
+//    public SubMemberListModel(final java.util.List<GroupMembership> members) {
+//        this.members = members;
+//    }
+//
+//    @Override
+//    public Object getElement() {
+//        return members.get(index);
+//    }
+//
+//    @Override
+//    public String getKey() {
+//        return Long.toString(members.get(index).getMembershipId());
+//    }
+//
+//    @Override
+//    public boolean next() {
+//        if (index < members.size()) {
+//            index++;
+//            return true;
+//        } else {
+//            return false;
+//        }
+//    }
+//}
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/UserBrowsePane.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/UserBrowsePane.java
index 402753708..be8a5006e 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/UserBrowsePane.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/UserBrowsePane.java
@@ -64,13 +64,7 @@ import java.util.ArrayList;
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.CcmSessionContext;
-import org.libreccm.core.Group;
-import org.libreccm.core.GroupMembership;
-import org.libreccm.core.GroupRepository;
-import org.libreccm.core.Subject;
-import org.libreccm.core.User;
-import org.libreccm.core.UserRepository;
+import org.libreccm.security.User;
 
 /**
  * This pane contains three main segmented panel which only one is visible at
@@ -120,27 +114,27 @@ class UserBrowsePane extends SegmentedPanel
 
     @Override
     public void actionPerformed(final ActionEvent event) {
-        final PageState state = event.getPageState();
-        final CdiUtil cdiUtil = new CdiUtil();
-        final CcmSessionContext sessionContext;
-        try {
-            sessionContext = cdiUtil.findBean(CcmSessionContext.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(ex);
-        }
-
-        final Subject subject = sessionContext.getCurrentSubject();
-
-        final Long userID = (Long) state.getValue(USER_ID_PARAM);
-
-        // Bug #167607 remove link for current user
-        if (m_userInfoPanel.isVisible(state)) {
-            if (subject.getSubjectId() == userID) {
-                m_extremeActionPanel.setVisible(state, false);
-            } else {
-                m_extremeActionPanel.setVisible(state, true);
-            }
-        }
+//        final PageState state = event.getPageState();
+//        final CdiUtil cdiUtil = new CdiUtil();
+//        final CcmSessionContext sessionContext;
+//        try {
+//            sessionContext = cdiUtil.findBean(CcmSessionContext.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(ex);
+//        }
+//
+//        final Subject subject = sessionContext.getCurrentSubject();
+//
+//        final Long userID = (Long) state.getValue(USER_ID_PARAM);
+//
+//        // Bug #167607 remove link for current user
+//        if (m_userInfoPanel.isVisible(state)) {
+//            if (subject.getSubjectId() == userID) {
+//                m_extremeActionPanel.setVisible(state, false);
+//            } else {
+//                m_extremeActionPanel.setVisible(state, true);
+//            }
+//        }
     }
 
     /**
@@ -154,20 +148,22 @@ class UserBrowsePane extends SegmentedPanel
             protected Object initialValue(final PageState state) {
                 final Long id = (Long) state.getValue(USER_ID_PARAM);
 
-                final CdiUtil cdiUtil = new CdiUtil();
-                final UserRepository userRepository;
-                try {
-                    userRepository = cdiUtil.findBean(UserRepository.class);
-                } catch (CdiLookupException ex) {
-                    throw new UncheckedWrapperException(ex);
-                }
-
-                final User user = userRepository.findById(id);
-                if (user == null) {
-                    throw new UncheckedWrapperException(String.format(
-                        "Failed to retrieve user: %d", id));
-                }
-                return user;
+//                final CdiUtil cdiUtil = new CdiUtil();
+//                final UserRepository userRepository;
+//                try {
+//                    userRepository = cdiUtil.findBean(UserRepository.class);
+//                } catch (CdiLookupException ex) {
+//                    throw new UncheckedWrapperException(ex);
+//                }
+//
+//                final User user = userRepository.findById(id);
+//                if (user == null) {
+//                    throw new UncheckedWrapperException(String.format(
+//                        "Failed to retrieve user: %d", id));
+//                }
+//                return user;
+                
+                throw new UnsupportedOperationException();
             }
 
         };
@@ -240,7 +236,7 @@ class UserBrowsePane extends SegmentedPanel
                 final PageState state = event.getPageState();
                 final User user = getUser(state);
 
-                target.setLabel(user.getScreenName());
+                target.setLabel(user.getName());
             }
 
         });
@@ -258,7 +254,7 @@ class UserBrowsePane extends SegmentedPanel
                 final PageState state = event.getPageState();
                 final User user = getUser(state);
 
-                target.setLabel(user.getScreenName());
+                target.setLabel(user.getName());
             }
 
         });
@@ -436,15 +432,15 @@ class UserBrowsePane extends SegmentedPanel
                 final PageState state = event.getPageState();
                 final User user = getUser(state);
 
-                final CdiUtil cdiUtil = new CdiUtil();
-                final UserRepository userRepository;
-                try {
-                    userRepository = cdiUtil.findBean(UserRepository.class);
-                } catch (CdiLookupException ex) {
-                    throw new UncheckedWrapperException(ex);
-                }
+//                final CdiUtil cdiUtil = new CdiUtil();
+//                final UserRepository userRepository;
+//                try {
+//                    userRepository = cdiUtil.findBean(UserRepository.class);
+//                } catch (CdiLookupException ex) {
+//                    throw new UncheckedWrapperException(ex);
+//                }
 
-                userRepository.delete(user);
+//                userRepository.delete(user);
 
                 displayUserBrowsePanel(state);
 
@@ -475,18 +471,18 @@ class UserBrowsePane extends SegmentedPanel
 
             @Override
             public void actionPerformed(ActionEvent e) {
-                PageState state = e.getPageState();
-                User user = getUser(state);
-                user.setBanned(true);
-
-                final CdiUtil cdiUtil = new CdiUtil();
-                final UserRepository userRepository;
-                try {
-                    userRepository = cdiUtil.findBean(UserRepository.class);
-                } catch (CdiLookupException ex) {
-                    throw new UncheckedWrapperException(ex);
-                }
-                userRepository.save(user);
+//                PageState state = e.getPageState();
+//                User user = getUser(state);
+//                user.setBanned(true);
+//
+//                final CdiUtil cdiUtil = new CdiUtil();
+//                final UserRepository userRepository;
+//                try {
+//                    userRepository = cdiUtil.findBean(UserRepository.class);
+//                } catch (CdiLookupException ex) {
+//                    throw new UncheckedWrapperException(ex);
+//                }
+//                userRepository.save(user);
             } // End ActionPerformed method
 
         } // End of new ActionListener definition
@@ -509,18 +505,18 @@ class UserBrowsePane extends SegmentedPanel
         unbanLink.addActionListener(new ActionListener() {
 
             public void actionPerformed(ActionEvent e) {
-                PageState state = e.getPageState();
-                User user = getUser(state);
-                user.setBanned(false);
-
-                final CdiUtil cdiUtil = new CdiUtil();
-                final UserRepository userRepository;
-                try {
-                    userRepository = cdiUtil.findBean(UserRepository.class);
-                } catch (CdiLookupException ex) {
-                    throw new UncheckedWrapperException(ex);
-                }
-                userRepository.save(user);
+//                PageState state = e.getPageState();
+//                User user = getUser(state);
+//                user.setBanned(false);
+//
+//                final CdiUtil cdiUtil = new CdiUtil();
+//                final UserRepository userRepository;
+//                try {
+//                    userRepository = cdiUtil.findBean(UserRepository.class);
+//                } catch (CdiLookupException ex) {
+//                    throw new UncheckedWrapperException(ex);
+//                }
+//                userRepository.save(user);
             } // End ActionPerformed method
 
         } // End of new ActionListener definition
@@ -581,14 +577,15 @@ class UserBrowsePane extends SegmentedPanel
         @Override
         public ListModel makeModel(final List list, final PageState state) {
             final User user = getUser(state);
-            final java.util.List<GroupMembership> memberships = user
-                .getGroupMemberships();
-            final java.util.List<Subject> groups = new ArrayList<>();
-            for (GroupMembership membership : memberships) {
-                groups.add(membership.getGroup());
-            }
+//            final java.util.List<GroupMembership> memberships = user
+//                .getGroupMemberships();
+//            final java.util.List<Subject> groups = new ArrayList<>();
+//            for (GroupMembership membership : memberships) {
+//                groups.add(membership.getGroup());
+//            }
 
-            return new PartyListModel(groups);
+//            return new PartyListModel(groups);
+            throw new UnsupportedOperationException();
         }
 
     }
@@ -696,16 +693,16 @@ class UserBrowsePane extends SegmentedPanel
                 String id = (String) m_groupList.getSelectedKey(ps);
                 if (id != null) {
                     final CdiUtil cdiUtil = new CdiUtil();
-                    final GroupRepository groupRepository;
-                    try {
-                        groupRepository = cdiUtil
-                            .findBean(GroupRepository.class);
-                    } catch (CdiLookupException ex) {
-                        throw new UncheckedWrapperException(ex);
-                    }
-                    final Group group = groupRepository.findById(Long.parseLong(
-                        id));
-                    m_groupAdministrationTab.setGroup(ps, group);
+//                    final GroupRepository groupRepository;
+//                    try {
+//                        groupRepository = cdiUtil
+//                            .findBean(GroupRepository.class);
+//                    } catch (CdiLookupException ex) {
+//                        throw new UncheckedWrapperException(ex);
+//                    }
+//                    final Group group = groupRepository.findById(Long.parseLong(
+//                        id));
+//                    m_groupAdministrationTab.setGroup(ps, group);
                     m_groupAdministrationTab.displayGroupInfoPanel(ps);
                     m_tabbedPane.setSelectedIndex(ps, GROUP_TAB_INDEX);
                 } else {
@@ -733,14 +730,16 @@ class UserTableModel implements TableModel {
 
     public UserTableModel() {
         final CdiUtil cdiUtil = new CdiUtil();
-        final UserRepository userRepository;
-        try {
-            userRepository = cdiUtil.findBean(UserRepository.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(ex);
-        }
+//        final UserRepository userRepository;
+//        try {
+//            userRepository = cdiUtil.findBean(UserRepository.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(ex);
+//        }
 
-        users = userRepository.findAll();
+//        users = userRepository.findAll();
+        
+        users = null;
     }
 
     @Override
@@ -752,26 +751,28 @@ class UserTableModel implements TableModel {
     public Object getElementAt(final int columnIndex) {
         final User user = users.get(index);
         
-        if (columnIndex == 0) {
-            return user.getSubjectId();
-        } else if (columnIndex == 1) {
-            return String.format("%s %s", 
-                                 user.getName().getGivenName(), 
-                                 user.getName().getFamilyName());
-        } else if (columnIndex == 2) {
-            return user.getScreenName();
-        } else if (columnIndex == 3) {
-            return user.getEmailAddresses().get(0).getAddress();
-        } else if (columnIndex == 4) {
-            return user.getSsoLogin();
-        } else {
-            return null;
-        }
+//        if (columnIndex == 0) {
+//            return user.getSubjectId();
+//        } else if (columnIndex == 1) {
+//            return String.format("%s %s", 
+//                                 user.getName().getGivenName(), 
+//                                 user.getName().getFamilyName());
+//        } else if (columnIndex == 2) {
+//            return user.getScreenName();
+//        } else if (columnIndex == 3) {
+//            return user.getEmailAddresses().get(0).getAddress();
+//        } else if (columnIndex == 4) {
+//            return user.getSsoLogin();
+//        } else {
+//            return null;
+//        }
+        
+        return null;
     }
 
     @Override
     public Object getKeyAt(final int columnIndex) {
-        return users.get(index).getSubjectId();
+        return users.get(index).getPartyId();
     }
 
     @Override
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/UserEditForm.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/UserEditForm.java
index 3704ebc7c..d60ade917 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/UserEditForm.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/UserEditForm.java
@@ -23,21 +23,13 @@ import com.arsdigita.bebop.PageState;
 import com.arsdigita.bebop.event.FormInitListener;
 import com.arsdigita.bebop.event.FormProcessListener;
 import com.arsdigita.bebop.event.FormSectionEvent;
-import com.arsdigita.util.UncheckedWrapperException;
 
 import static com.arsdigita.ui.admin.AdminConstants.*;
 
-import javax.mail.internet.InternetAddress;
-
 import org.apache.log4j.Logger;
-import org.libreccm.cdi.utils.CdiLookupException;
-import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.core.EmailAddress;
-import org.libreccm.core.PersonName;
-import org.libreccm.core.User;
-import org.libreccm.core.UserRepository;
 
-import java.io.UncheckedIOException;
+import org.libreccm.security.User;
 
 /**
  * Form used to edit the information for a user.
@@ -73,19 +65,19 @@ class UserEditForm extends UserForm
 
         hideSecurityInfo(state);
 
-        final User user = m_browsePane.getUser(state);
-
-        final PersonName name = user.getName();
-        m_firstName.setValue(state, name.getGivenName());
-        m_lastName.setValue(state, name.getFamilyName());
-
-        m_primaryEmail.setValue(state, user.getEmailAddresses().get(
-                                0).getAddress());
-
-        m_screenName.setValue(state, user.getScreenName());
-
-        USER_FORM_LABEL_ADDITIONAL_EMAIL_LIST.setVisible(state, true);
-        m_emailList.setVisible(state, true);
+//        final User user = m_browsePane.getUser(state);
+//
+//        final PersonName name = user.getName();
+//        m_firstName.setValue(state, name.getGivenName());
+//        m_lastName.setValue(state, name.getFamilyName());
+//
+//        m_primaryEmail.setValue(state, user.getEmailAddresses().get(
+//                                0).getAddress());
+//
+//        m_screenName.setValue(state, user.getScreenName());
+//
+//        USER_FORM_LABEL_ADDITIONAL_EMAIL_LIST.setVisible(state, true);
+//        m_emailList.setVisible(state, true);
     }
 
     /**
@@ -97,20 +89,20 @@ class UserEditForm extends UserForm
         final PageState state = event.getPageState();
 
         final User user = m_browsePane.getUser(state);
-
-        final PersonName name = user.getName();
-        name.setGivenName((String) m_firstName.getValue(state));
-        name.setFamilyName((String) m_lastName.getValue(state));
-
-        user.setScreenName((String) m_screenName.getValue(state));
-
-        InternetAddress additional = (InternetAddress) m_additionalEmail
-            .getValue(state);
-        if (additional != null) {
-            final EmailAddress additionalEmail = new EmailAddress();
-            additional.setAddress(additional.getAddress());
-            user.addEmailAddress(additionalEmail);
-        }
+//
+//        final PersonName name = user.getName();
+//        name.setGivenName((String) m_firstName.getValue(state));
+//        name.setFamilyName((String) m_lastName.getValue(state));
+//
+//        user.setScreenName((String) m_screenName.getValue(state));
+//
+//        InternetAddress additional = (InternetAddress) m_additionalEmail
+//            .getValue(state);
+//        if (additional != null) {
+//            final EmailAddress additionalEmail = new EmailAddress();
+//            additional.setAddress(additional.getAddress());
+//            user.addEmailAddress(additionalEmail);
+//        }
 
         // Check to see if the primary email address has changed, and
         // if so set it to the new value and delete the association
@@ -124,19 +116,19 @@ class UserEditForm extends UserForm
                 s_log.debug("Changing primary email " + oaddr + " to " + naddr);
             }
 
-            user.addEmailAddress(naddr);
-            user.removeEmailAddress(oaddr);
+//            user.addEmailAddress(naddr);
+//            user.removeEmailAddress(oaddr);
         }
 
-        final CdiUtil cdiUtil = new CdiUtil();
-        final UserRepository userRepository;
-        try {
-            userRepository = cdiUtil.findBean(UserRepository.class);
-        } catch(CdiLookupException ex) {
-            throw new UncheckedWrapperException(ex);
-        }
-        
-        userRepository.save(user);
+//        final CdiUtil cdiUtil = new CdiUtil();
+//        final UserRepository userRepository;
+//        try {
+//            userRepository = cdiUtil.findBean(UserRepository.class);
+//        } catch(CdiLookupException ex) {
+//            throw new UncheckedWrapperException(ex);
+//        }
+//        
+//        userRepository.save(user);
 
         m_browsePane.displayUserInfoPanel(state);
     }
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/UserForm.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/UserForm.java
index c098c4f46..31d31f1f5 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/UserForm.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/UserForm.java
@@ -45,8 +45,6 @@ import com.arsdigita.util.UncheckedWrapperException;
 
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.User;
-import org.libreccm.core.UserRepository;
 
 import java.io.UncheckedIOException;
 import java.math.BigDecimal;
@@ -245,36 +243,36 @@ class UserForm extends Form implements FormValidationListener, AdminConstants {
          * Verify that primary email and screen name are unique
          */
         final CdiUtil cdiUtil = new CdiUtil();
-        final UserRepository userRepository;
-        try {
-            userRepository = cdiUtil.findBean(UserRepository.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(ex);
-        }
-
-        final String screenName = (String) m_screenName.getValue(ps);
-        final User userByScreenname = userRepository.findByScreenName(
-            screenName);
-        final String email;
-        if (m_primaryEmail.getValue(ps) != null) {
-            email = ((InternetAddress) m_primaryEmail.getValue(ps)).getAddress();
-        } else {
-            email = null;
-        }
-        final User userByEmail = userRepository.findByEmailAddress(email);
-
-        if (userByScreenname != null && screenName != null && screenName.equals(
-            userByScreenname.getScreenName())) {
-            data.addError(USER_FORM_INPUT_SCREEN_NAME,
-                          USER_FORM_ERROR_SCREEN_NAME_NOT_UNIQUE);
-        }
-        
-        if (userByEmail != null 
-            && email != null 
-            && email.equals(userByEmail.getEmailAddresses().get(0).getAddress())) {
-             data.addError(USER_FORM_INPUT_PRIMARY_EMAIL,
-                           USER_FORM_ERROR_PRIMARY_EMAIL_NOT_UNIQUE);
-        }
+//        final UserRepository userRepository;
+//        try {
+//            userRepository = cdiUtil.findBean(UserRepository.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(ex);
+//        }
+//
+//        final String screenName = (String) m_screenName.getValue(ps);
+//        final User userByScreenname = userRepository.findByScreenName(
+//            screenName);
+//        final String email;
+//        if (m_primaryEmail.getValue(ps) != null) {
+//            email = ((InternetAddress) m_primaryEmail.getValue(ps)).getAddress();
+//        } else {
+//            email = null;
+//        }
+//        final User userByEmail = userRepository.findByEmailAddress(email);
+//
+//        if (userByScreenname != null && screenName != null && screenName.equals(
+//            userByScreenname.getScreenName())) {
+//            data.addError(USER_FORM_INPUT_SCREEN_NAME,
+//                          USER_FORM_ERROR_SCREEN_NAME_NOT_UNIQUE);
+//        }
+//        
+//        if (userByEmail != null 
+//            && email != null 
+//            && email.equals(userByEmail.getEmailAddresses().get(0).getAddress())) {
+//             data.addError(USER_FORM_INPUT_PRIMARY_EMAIL,
+//                           USER_FORM_ERROR_PRIMARY_EMAIL_NOT_UNIQUE);
+//        }
     }
 
     /**
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/admin/UserPasswordForm.java b/ccm-core/src/main/java/com/arsdigita/ui/admin/UserPasswordForm.java
index 0dcf7d0ea..ab817dd7a 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/admin/UserPasswordForm.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/admin/UserPasswordForm.java
@@ -47,9 +47,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.User;
-import org.libreccm.core.UserManager;
-import org.libreccm.core.UserRepository;
+import org.libreccm.security.User;
 
 /**
  * Form used to update a user's password. It just provides form elements to
@@ -137,19 +135,19 @@ class UserPasswordForm extends Form
 
         final PageState state = event.getPageState();
 
-        final CdiUtil cdiUtil = new CdiUtil();
-        final UserRepository userRepository;
-        try {
-            userRepository = cdiUtil.findBean(UserRepository.class);
-        } catch(CdiLookupException ex) {
-            throw new UncheckedWrapperException(ex);
-        }
-        final User user = userRepository.findById((Long) state.getValue(
-            USER_ID_PARAM));
+//        final CdiUtil cdiUtil = new CdiUtil();
+//        final UserRepository userRepository;
+//        try {
+//            userRepository = cdiUtil.findBean(UserRepository.class);
+//        } catch(CdiLookupException ex) {
+//            throw new UncheckedWrapperException(ex);
+//        }
+//        final User user = userRepository.findById((Long) state.getValue(
+//            USER_ID_PARAM));
+//        
         
-        
-        m_question.setValue(state, user.getPasswordQuestion());
-        m_ssoLogin.setValue(state, user.getSsoLogin());
+//        m_question.setValue(state, user.getPasswordQuestion());
+//        m_ssoLogin.setValue(state, user.getSsoLogin());
 
         m_answer.setValue(state, "");
     }
@@ -164,18 +162,18 @@ class UserPasswordForm extends Form
         FormData data = event.getFormData();
         HttpServletRequest req = state.getRequest();
 
-        final CdiUtil cdiUtil = new CdiUtil();
-        final UserRepository userRepository;
-        try {
-            userRepository = cdiUtil.findBean(UserRepository.class);
-        } catch(CdiLookupException ex) {
-            throw new UncheckedWrapperException(ex);
-        }
-        final User user = userRepository.findById((Long) state.getValue(
-            USER_ID_PARAM));
-        if (user == null) {
-            return;
-        }
+//        final CdiUtil cdiUtil = new CdiUtil();
+//        final UserRepository userRepository;
+//        try {
+//            userRepository = cdiUtil.findBean(UserRepository.class);
+//        } catch(CdiLookupException ex) {
+//            throw new UncheckedWrapperException(ex);
+//        }
+//        final User user = userRepository.findById((Long) state.getValue(
+//            USER_ID_PARAM));
+//        if (user == null) {
+//            return;
+//        }
 
         try {
             // get parameter values
@@ -217,36 +215,36 @@ class UserPasswordForm extends Form
         final FormData data = event.getFormData();
 
         final CdiUtil cdiUtil = new CdiUtil();
-        final UserRepository userRepository;
-        final UserManager userManager;
-        try {
-            userRepository = cdiUtil.findBean(UserRepository.class);
-            userManager = cdiUtil.findBean(UserManager.class);
-        } catch(CdiLookupException ex) {
-            throw new UncheckedWrapperException(ex);
-        }
-        final User user = userRepository.findById((Long) state.getValue(
-            USER_ID_PARAM));
-        if (user == null) {
-            throw new FormProcessException(GlobalizationUtil.globalize(
-                "ui.admin.user.userpasswordform.retrieving_user_failed"));
-        }
+//        final UserRepository userRepository;
+//        final UserManager userManager;
+//        try {
+//            userRepository = cdiUtil.findBean(UserRepository.class);
+//            userManager = cdiUtil.findBean(UserManager.class);
+//        } catch(CdiLookupException ex) {
+//            throw new UncheckedWrapperException(ex);
+//        }
+//        final User user = userRepository.findById((Long) state.getValue(
+//            USER_ID_PARAM));
+//        if (user == null) {
+//            throw new FormProcessException(GlobalizationUtil.globalize(
+//                "ui.admin.user.userpasswordform.retrieving_user_failed"));
+//        }
         
-        userManager.updatePassword(user, (String) data.get(NEW_PASSWORD_PARAM_NAME));
-        user.setPasswordQuestion((String) m_question.getValue(state));
-        final String answer = (String) m_answer.getValue(state);
-        if (answer != null && answer.length() > 0) {
-            user.setPasswordAnswer(answer);
-        }
-        user.setSsoLogin((String) m_ssoLogin.getValue(state));
-        
-        userRepository.save(user);
+//        userManager.updatePassword(user, (String) data.get(NEW_PASSWORD_PARAM_NAME));
+//        user.setPasswordQuestion((String) m_question.getValue(state));
+//        final String answer = (String) m_answer.getValue(state);
+//        if (answer != null && answer.length() > 0) {
+//            user.setPasswordAnswer(answer);
+//        }
+//        user.setSsoLogin((String) m_ssoLogin.getValue(state));
+//        
+//        userRepository.save(user);
         
         BigDecimal id = (BigDecimal) state.getValue(USER_ID_PARAM);
 
         s_log.debug("Committed password change");
 
-        notifyUser(user);
+//        notifyUser(user);
         m_userBrowsePane.displayUserInfoPanel(state);
     }
 
@@ -269,7 +267,7 @@ class UserPasswordForm extends Form
 
         StringBuffer sb = new StringBuffer();
         sb.append("Dear ");
-        sb.append(user.getName().getGivenName());
+        sb.append(user.getGivenName());
         sb.append(":");
         sb.append(nl).append(nl);
         sb.append("Your password has been changed by the ");
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/login/ChangePasswordForm.java b/ccm-core/src/main/java/com/arsdigita/ui/login/ChangePasswordForm.java
index ee5e6bf75..a79bc5f2c 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/login/ChangePasswordForm.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/login/ChangePasswordForm.java
@@ -52,12 +52,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.CcmSessionContext;
-import org.libreccm.core.Subject;
-import org.libreccm.core.User;
-import org.libreccm.core.UserManager;
-import org.libreccm.core.UserRepository;
-import org.libreccm.core.authentication.LoginManager;
+import org.libreccm.security.User;
 
 import java.util.logging.Level;
 
@@ -132,25 +127,25 @@ public class ChangePasswordForm extends Form
         add(m_returnURL);
 
         final CdiUtil cdiUtil = new CdiUtil();
-        final CcmSessionContext sessionContext;
-        try {
-            sessionContext = cdiUtil.findBean(CcmSessionContext.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException("");
-        }
-        final Subject subject = sessionContext.getCurrentSubject();
-        if (subject != null && subject instanceof User) {
-            final User user = (User) subject;
-            final Label greeting = new Label(
-                LoginHelper.getMessage(
-                    "login.changePasswortForm.greeting",
-                    new Object[]{String.format("%s %s",
-                                               user.getName().getGivenName(),
-                                               user.getName().getFamilyName())}));
-            greeting.setFontWeight(Label.BOLD);
-            greeting.setClassAttr("greeting");
-            add(greeting);
-        }
+//        final CcmSessionContext sessionContext;
+//        try {
+//            sessionContext = cdiUtil.findBean(CcmSessionContext.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException("");
+//        }
+//        final Subject subject = sessionContext.getCurrentSubject();
+//        if (subject != null && subject instanceof User) {
+//            final User user = (User) subject;
+//            final Label greeting = new Label(
+//                LoginHelper.getMessage(
+//                    "login.changePasswortForm.greeting",
+//                    new Object[]{String.format("%s %s",
+//                                               user.getName().getGivenName(),
+//                                               user.getName().getFamilyName())}));
+//            greeting.setFontWeight(Label.BOLD);
+//            greeting.setClassAttr("greeting");
+//            add(greeting);
+//        }
 
         add(new Label(LoginHelper.getMessage(
             "login.changePasswortForm.introText")));
@@ -199,7 +194,7 @@ public class ChangePasswordForm extends Form
                     state.getRequest()));
                 return;
             }
-            User user = m_listener.getUser(state);
+//            User user = m_listener.getUser(state);
 
             // get parameter values
             String oldPassword = (String) m_oldPassword.getValue(state);
@@ -207,33 +202,33 @@ public class ChangePasswordForm extends Form
             String confirmPassword = (String) m_confirmPassword.getValue(state);
 
             // check old password unless recovering
-            try {
-                    // The old password can never be null or contain leading or
-                // trailing slashes.
-                if (oldPassword == null
-                        || !oldPassword.trim().equals(oldPassword)) {
-                    data.addError(OLD_PASSWORD_PARAM_NAME, LoginHelper
-                                  .localize(
-                                      "login.changePasswordForm.badPasswordError",
-                                      state.getRequest()));
-                    return;
-                }
-
-                final CdiUtil cdiUtil = new CdiUtil();
-                final UserManager userManager = cdiUtil.findBean(
-                    UserManager.class);
-                if (!userManager.verifyPasswordForUser(
-                    user, oldPassword)) {
-                    data.addError(OLD_PASSWORD_PARAM_NAME,
-                                  LoginHelper.localize(
-                                      "login.changePasswordForm.badPasswordError",
-                                      state.getRequest()));
-                    return;
-                }
-            } catch (CdiLookupException ex) {
-                throw new UncheckedWrapperException(
-                    "Failed to lookup UserManager", ex);
-            }
+//            try {
+//                    // The old password can never be null or contain leading or
+//                // trailing slashes.
+//                if (oldPassword == null
+//                        || !oldPassword.trim().equals(oldPassword)) {
+//                    data.addError(OLD_PASSWORD_PARAM_NAME, LoginHelper
+//                                  .localize(
+//                                      "login.changePasswordForm.badPasswordError",
+//                                      state.getRequest()));
+//                    return;
+//                }
+//
+//                final CdiUtil cdiUtil = new CdiUtil();
+////                final UserManager userManager = cdiUtil.findBean(
+////                    UserManager.class);
+////                if (!userManager.verifyPasswordForUser(
+////                    user, oldPassword)) {
+////                    data.addError(OLD_PASSWORD_PARAM_NAME,
+////                                  LoginHelper.localize(
+////                                      "login.changePasswordForm.badPasswordError",
+////                                      state.getRequest()));
+////                    return;
+////                }
+//            } catch (CdiLookupException ex) {
+//                throw new UncheckedWrapperException(
+//                    "Failed to lookup UserManager", ex);
+//            }
 
             // check new password
             if (newPassword.equals(oldPassword)) {
@@ -272,54 +267,54 @@ public class ChangePasswordForm extends Form
                 state.getRequest()));
             return;
         }
-        User user = m_listener.getUser(state);
-
-        // set new password
-        try {
-            final CdiUtil cdiUtil = new CdiUtil();
-            final UserManager userManager = cdiUtil.findBean(UserManager.class);
-            final UserRepository userRepository = cdiUtil.findBean(
-                UserRepository.class);
-
-            String newPassword = (String) m_newPassword.getValue(state);
-            userManager.updatePassword(user, newPassword);
-            userRepository.save(user);
-
-            s_log.debug("committing password change");
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(
-                "Failed to lookup UserManager or UserRepository", ex);
-        }
+//        User user = m_listener.getUser(state);
+//
+//        // set new password
+//        try {
+//            final CdiUtil cdiUtil = new CdiUtil();
+//            final UserManager userManager = cdiUtil.findBean(UserManager.class);
+//            final UserRepository userRepository = cdiUtil.findBean(
+//                UserRepository.class);
+//
+//            String newPassword = (String) m_newPassword.getValue(state);
+//            userManager.updatePassword(user, newPassword);
+//            userRepository.save(user);
+//
+//            s_log.debug("committing password change");
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(
+//                "Failed to lookup UserManager or UserRepository", ex);
+//        }
 
         // mail report to user
-        if (!user.getEmailAddresses().isEmpty()) {
-
-            final HttpServletRequest req = state.getRequest();
-
-            final String to = user.getEmailAddresses().get(0).getAddress();
-            final String from = SecurityConfig.getConfig()
-                .getAdminContactEmail();
-            final String name = user.getName().getGivenName();
-            final String subject = LoginHelper.localize(
-                "login.changePasswordForm.mailSubject", req);
-            final String body = LoginHelper.localize(
-                "login.changePasswordForm.mailBody",
-                new Object[]{name},
-                req);
-
-            // try to send the message, but don't throw the exception
-            // if it fails so that the password change is comitted
-            // anyway.
-            try {
-                Mail.send(to, from, subject, body);
-            } catch (javax.mail.MessagingException e) {
-                s_log.error("Could not notify user of password change", e);
-            }
-        } else {
-            s_log.debug("Could not notify user of password change: "
-                            + "null email, user ID: "
-                            + user.getSubjectId());
-        }
+//        if (!user.getEmailAddresses().isEmpty()) {
+//
+//            final HttpServletRequest req = state.getRequest();
+//
+//            final String to = user.getEmailAddresses().get(0).getAddress();
+//            final String from = SecurityConfig.getConfig()
+//                .getAdminContactEmail();
+//            final String name = user.getName().getGivenName();
+//            final String subject = LoginHelper.localize(
+//                "login.changePasswordForm.mailSubject", req);
+//            final String body = LoginHelper.localize(
+//                "login.changePasswordForm.mailBody",
+//                new Object[]{name},
+//                req);
+//
+//            // try to send the message, but don't throw the exception
+//            // if it fails so that the password change is comitted
+//            // anyway.
+//            try {
+//                Mail.send(to, from, subject, body);
+//            } catch (javax.mail.MessagingException e) {
+//                s_log.error("Could not notify user of password change", e);
+//            }
+//        } else {
+//            s_log.debug("Could not notify user of password change: "
+//                            + "null email, user ID: "
+//                            + user.getSubjectId());
+//        }
 
         final HttpServletRequest req = state.getRequest();
 
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/login/EmailInitListener.java b/ccm-core/src/main/java/com/arsdigita/ui/login/EmailInitListener.java
index 4eb8a2aeb..40bf1cee8 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/login/EmailInitListener.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/login/EmailInitListener.java
@@ -28,8 +28,6 @@ import javax.mail.internet.AddressException;
 import javax.mail.internet.InternetAddress;
 
 import org.apache.log4j.Logger;
-import org.libreccm.core.CcmSessionContext;
-import org.libreccm.core.User;
 
 /**
  * Initializes the value of the given parameter to the current user's email
@@ -55,40 +53,40 @@ public class EmailInitListener implements FormInitListener {
 
         s_log.debug("START");
 
-        final CcmSessionContext ctx = Web.getUserContext();
+//        final CcmSessionContext ctx = Web.getUserContext();
 
-        if (!ctx.isLoggedIn()) {
-            s_log.debug("FAILURE not logged in");
-            return;
-        }
+//        if (!ctx.isLoggedIn()) {
+//            s_log.debug("FAILURE not logged in");
+//            return;
+//        }
+//
+//        User user = (User) ctx.getCurrentSubject();
 
-        User user = (User) ctx.getCurrentSubject();
-
-        if (user == null) {
-            s_log.debug("FAILURE no such user");
-            return;
-        }
-
-        if (user.getEmailAddresses().isEmpty()
-                || user.getEmailAddresses().get(0) == null) {
-            s_log.debug("FAILURE null primary email");
-            return;
-        }
-
-        if (user.getEmailAddresses().get(0).getAddress() == null
-                || user.getEmailAddresses().get(0).getAddress().isEmpty()) {
-            s_log.debug("FAILURE null email address");
-            return;
-        }
-
-        try {
-            InternetAddress addr = new InternetAddress(user.getEmailAddresses()
-                .get(0).getAddress());
-            data.put(m_param.getName(), addr);
-        } catch (AddressException e) {
-            s_log.debug("FAILURE badly formed address");
-            return;
-        }
+//        if (user == null) {
+//            s_log.debug("FAILURE no such user");
+//            return;
+//        }
+//
+//        if (user.getEmailAddresses().isEmpty()
+//                || user.getEmailAddresses().get(0) == null) {
+//            s_log.debug("FAILURE null primary email");
+//            return;
+//        }
+//
+//        if (user.getEmailAddresses().get(0).getAddress() == null
+//                || user.getEmailAddresses().get(0).getAddress().isEmpty()) {
+//            s_log.debug("FAILURE null email address");
+//            return;
+//        }
+//
+//        try {
+//            InternetAddress addr = new InternetAddress(user.getEmailAddresses()
+//                .get(0).getAddress());
+//            data.put(m_param.getName(), addr);
+//        } catch (AddressException e) {
+//            s_log.debug("FAILURE badly formed address");
+//            return;
+//        }
 
         s_log.debug("SUCCESS");
     }
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/login/RecoverPasswordPanel.java b/ccm-core/src/main/java/com/arsdigita/ui/login/RecoverPasswordPanel.java
index 4a408ec09..80cb50cae 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/login/RecoverPasswordPanel.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/login/RecoverPasswordPanel.java
@@ -62,9 +62,6 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.User;
-import org.libreccm.core.UserManager;
-import org.libreccm.core.UserRepository;
 
 import java.security.SecureRandom;
 
@@ -167,31 +164,31 @@ public class RecoverPasswordPanel extends SimpleContainer
             final String email = ((InternetAddress) data.get(FORM_EMAIL))
                 .getAddress();
             final long userID;
-            try {
-                final CdiUtil cdiUtil = new CdiUtil();
-                final UserRepository userRepository = cdiUtil.findBean(
-                    UserRepository.class);
-                final User user = userRepository.findByEmailAddress(email);
-                if (user == null) {
-                    data.addError(FORM_EMAIL,
-                                  (String) ERROR_BAD_EMAIL.localize(event
-                                      .getPageState().getRequest()));
-                    return;
-                }
-                userID = user.getSubjectId();
-                event.getPageState().setValue(USERID_PARAM, userID);
-
-                if (userID != 0) {
-                    if (user.isBanned()) {
-                        data.addError(FORM_EMAIL, (String) ERROR_BANNED_EMAIL
-                                      .localize(event.getPageState()
-                                          .getRequest()));
-                    }
-                }
-            } catch (CdiLookupException ex) {
-                throw new UncheckedWrapperException(
-                    "Failed to lookup UserRepository", ex);
-            }
+//            try {
+//                final CdiUtil cdiUtil = new CdiUtil();
+//                final UserRepository userRepository = cdiUtil.findBean(
+//                    UserRepository.class);
+//                final User user = userRepository.findByEmailAddress(email);
+//                if (user == null) {
+//                    data.addError(FORM_EMAIL,
+//                                  (String) ERROR_BAD_EMAIL.localize(event
+//                                      .getPageState().getRequest()));
+//                    return;
+//                }
+//                userID = user.getSubjectId();
+//                event.getPageState().setValue(USERID_PARAM, userID);
+//
+//                if (userID != 0) {
+//                    if (user.isBanned()) {
+//                        data.addError(FORM_EMAIL, (String) ERROR_BANNED_EMAIL
+//                                      .localize(event.getPageState()
+//                                          .getRequest()));
+//                    }
+//                }
+//            } catch (CdiLookupException ex) {
+//                throw new UncheckedWrapperException(
+//                    "Failed to lookup UserRepository", ex);
+//            }
             // if the user exists, we need to make sure they are not banned.
 
         }
@@ -228,27 +225,27 @@ public class RecoverPasswordPanel extends SimpleContainer
                         throw new IllegalStateException(
                             "userID must not be 0");
                     }
-                    try {
-                        final CdiUtil cdiUtil = new CdiUtil();
-                        final UserRepository userRepository = cdiUtil.findBean(
-                            UserRepository.class);
-                        final User user = userRepository.findById(userID);
-                        if (user == null) {
-                            throw new IllegalStateException(
-                                "userID must be a valid user");
-                        }
-
-                        String theQuestion = user.getPasswordQuestion();
-                        if (theQuestion == null) {
-                            throw new IllegalStateException(
-                                "password question must not be null "
-                                    + "(userID == " + userID + ")");
-                        }
-                        label.setLabel(theQuestion);
-                    } catch (CdiLookupException ex) {
-                        throw new UncheckedWrapperException(
-                            "Failed to lookup user repository", ex);
-                    }
+//                    try {
+//                        final CdiUtil cdiUtil = new CdiUtil();
+////                        final UserRepository userRepository = cdiUtil.findBean(
+////                            UserRepository.class);
+////                        final User user = userRepository.findById(userID);
+////                        if (user == null) {
+////                            throw new IllegalStateException(
+////                                "userID must be a valid user");
+////                        }
+//
+//                        String theQuestion = user.getPasswordQuestion();
+//                        if (theQuestion == null) {
+//                            throw new IllegalStateException(
+//                                "password question must not be null "
+//                                    + "(userID == " + userID + ")");
+//                        }
+//                        label.setLabel(theQuestion);
+//                    } catch (CdiLookupException ex) {
+//                        throw new UncheckedWrapperException(
+//                            "Failed to lookup user repository", ex);
+//                    }
                 }
 
             });
@@ -276,25 +273,25 @@ public class RecoverPasswordPanel extends SimpleContainer
                 throw new IllegalStateException("userID must not be 0");
             }
 
-            try {
-                final CdiUtil cdiUtil = new CdiUtil();
-                final UserRepository userRepository = cdiUtil.findBean(
-                    UserRepository.class);
-                final User user = userRepository.findById(userID);
-                if (user == null) {
-                    throw new IllegalStateException(
-                        "userID must be a valid user");
-                }
-                final String correctAnswer = user.getPasswordAnswer();
-                if (!correctAnswer.equals(answer)) {
-                    data.addError(FORM_PASSWORD_ANSWER,
-                                  (String) ERROR_BAD_ANSWER.localize(event
-                                      .getPageState().getRequest()));
-                }
-            } catch (CdiLookupException ex) {
-                throw new UncheckedWrapperException(
-                    "Failed to lookup UserRepository", ex);
-            }
+//            try {
+//                final CdiUtil cdiUtil = new CdiUtil();
+//                final UserRepository userRepository = cdiUtil.findBean(
+//                    UserRepository.class);
+//                final User user = userRepository.findById(userID);
+//                if (user == null) {
+//                    throw new IllegalStateException(
+//                        "userID must be a valid user");
+//                }
+//                final String correctAnswer = user.getPasswordAnswer();
+//                if (!correctAnswer.equals(answer)) {
+//                    data.addError(FORM_PASSWORD_ANSWER,
+//                                  (String) ERROR_BAD_ANSWER.localize(event
+//                                      .getPageState().getRequest()));
+//                }
+//            } catch (CdiLookupException ex) {
+//                throw new UncheckedWrapperException(
+//                    "Failed to lookup UserRepository", ex);
+//            }
 
         }
 
@@ -310,40 +307,40 @@ public class RecoverPasswordPanel extends SimpleContainer
                 throw new IllegalStateException("userID must not be 0");
             }
 
-            final CdiUtil cdiUtil = new CdiUtil();
-            final UserRepository userRepository;
-            try {
-                userRepository = cdiUtil.findBean(UserRepository.class);
-            } catch (CdiLookupException ex) {
-                throw new UncheckedWrapperException(
-                    "Failed to lookup UserRepository", ex);
-            }
-            final User user = userRepository.findById(userID);
-            if (user == null) {
-                throw new IllegalStateException("userID must be a valid user");
-            }
-
-            if (user.getEmailAddresses().isEmpty()) {
-                mailFailed(event, "null email, user ID: " + user.getSubjectId());
-                return;
-            }
-
-            String to = user.getEmailAddresses().get(0).getAddress();
-            String from = Mail.getConfig().getDefaultFrom();
-            // AFAICT this value below is hard coded to "" !
-            //KernelHelper.getSystemAdministratorEmailAddress();
-            String subject = LoginHelper.localize(
-                "login.recoverPassword.mailSubject", req);
-            String body = getNotification(user, event, req);
+//            final CdiUtil cdiUtil = new CdiUtil();
+//            final UserRepository userRepository;
+//            try {
+//                userRepository = cdiUtil.findBean(UserRepository.class);
+//            } catch (CdiLookupException ex) {
+//                throw new UncheckedWrapperException(
+//                    "Failed to lookup UserRepository", ex);
+//            }
+//            final User user = userRepository.findById(userID);
+//            if (user == null) {
+//                throw new IllegalStateException("userID must be a valid user");
+//            }
 
+//            if (user.getEmailAddresses().isEmpty()) {
+//                mailFailed(event, "null email, user ID: " + user.getSubjectId());
+//                return;
+//            }
+//
+//            String to = user.getEmailAddresses().get(0).getAddress();
+//            String from = Mail.getConfig().getDefaultFrom();
+//            // AFAICT this value below is hard coded to "" !
+//            //KernelHelper.getSystemAdministratorEmailAddress();
+//            String subject = LoginHelper.localize(
+//                "login.recoverPassword.mailSubject", req);
+//            String body = getNotification(user, event, req);
+//
             // send the message and set next panel to "mail sent" page
-            try {
-                Mail.send(to, from, subject, body);
-                event.getPageState().setValue(DISPLAY_PARAM, MailSentPane.class
-                                              .getName());
-            } catch (MessagingException e) {
-                mailFailed(event, e.toString());
-            }
+//            try {
+//                Mail.send(to, from, subject, body);
+//                event.getPageState().setValue(DISPLAY_PARAM, MailSentPane.class
+//                                              .getName());
+//            } catch (MessagingException e) {
+//                mailFailed(event, e.toString());
+//            }
         }
 
     }
@@ -376,32 +373,32 @@ public class RecoverPasswordPanel extends SimpleContainer
      * Constructs the notification to send users when recovering a password.
      *
      */
-    private static String getNotification(final User user,
-                                          final FormSectionEvent event,
-                                          final HttpServletRequest req) {
-        final CdiUtil cdiUtil = new CdiUtil();
-        final UserManager userManager;
-        final UserRepository userRepository;
-        try {
-            userManager = cdiUtil.findBean(UserManager.class);
-            userRepository = cdiUtil.findBean(UserRepository.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(
-                "Failed to lookup UserRepository or UserManager", ex);
-        }
-
-        final String name = user.getName().getGivenName();
-        String tmpPassword = RandomStringUtils.random(
-            16, 0, 0, false, false, null, new SecureRandom());
-
-        userManager.updatePassword(user, tmpPassword);
-        user.setPasswordResetRequired(true);
-        userRepository.save(user);
-
-        return LoginHelper.localize("login.recoverPassword.mailBody",
-                                    new Object[]{name, tmpPassword},
-                                    req);
-    }
+//    private static String getNotification(final User user,
+//                                          final FormSectionEvent event,
+//                                          final HttpServletRequest req) {
+//        final CdiUtil cdiUtil = new CdiUtil();
+//        final UserManager userManager;
+//        final UserRepository userRepository;
+//        try {
+//            userManager = cdiUtil.findBean(UserManager.class);
+//            userRepository = cdiUtil.findBean(UserRepository.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(
+//                "Failed to lookup UserRepository or UserManager", ex);
+//        }
+//
+//        final String name = user.getName().getGivenName();
+//        String tmpPassword = RandomStringUtils.random(
+//            16, 0, 0, false, false, null, new SecureRandom());
+//
+//        userManager.updatePassword(user, tmpPassword);
+//        user.setPasswordResetRequired(true);
+//        userRepository.save(user);
+//
+//        return LoginHelper.localize("login.recoverPassword.mailBody",
+//                                    new Object[]{name, tmpPassword},
+//                                    req);
+//    }
 
     /**
      * Displays a message that password recovery information couldn't be sent.
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/login/ScreenNameInitListener.java b/ccm-core/src/main/java/com/arsdigita/ui/login/ScreenNameInitListener.java
index f60e049e4..9676f6148 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/login/ScreenNameInitListener.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/login/ScreenNameInitListener.java
@@ -26,8 +26,6 @@ import com.arsdigita.bebop.parameters.StringParameter;
 import com.arsdigita.web.Web;
 
 import org.apache.log4j.Logger;
-import org.libreccm.core.CcmSessionContext;
-import org.libreccm.core.User;
 
 
 // Note: Previously used SiteNodeRequestContext, nows using KernelRequestContext
@@ -62,17 +60,17 @@ public class ScreenNameInitListener implements FormInitListener {
         PageState state = event.getPageState();
         FormData data = event.getFormData();
         s_log.debug("START");
-        final CcmSessionContext ctx = Web.getUserContext();
-        if (!ctx.isLoggedIn()) {
-            s_log.debug("FAILURE not logged in");
-            return;
-        }
-        final User user = (User) ctx.getCurrentSubject();
-        if (user.getScreenName() == null) {
-            s_log.debug("FAILURE null screen name");
-            return;
-        }
-        data.put(m_param.getName(), user.getScreenName());
-        s_log.debug("SUCCESS");
+//        final CcmSessionContext ctx = Web.getUserContext();
+//        if (!ctx.isLoggedIn()) {
+//            s_log.debug("FAILURE not logged in");
+//            return;
+//        }
+//        final User user = (User) ctx.getCurrentSubject();
+//        if (user.getScreenName() == null) {
+//            s_log.debug("FAILURE null screen name");
+//            return;
+//        }
+//        data.put(m_param.getName(), user.getScreenName());
+//        s_log.debug("SUCCESS");
     }
 }
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/login/UserAuthenticationListener.java b/ccm-core/src/main/java/com/arsdigita/ui/login/UserAuthenticationListener.java
index 0c7b887d5..ca9005db0 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/login/UserAuthenticationListener.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/login/UserAuthenticationListener.java
@@ -30,8 +30,7 @@ import com.arsdigita.util.UncheckedWrapperException;
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.CcmSessionContext;
-import org.libreccm.core.User;
+import org.libreccm.security.User;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -72,15 +71,17 @@ public class UserAuthenticationListener implements RequestListener {
         // Note: aborts processing with an internal error if user not logged in!
         //       Not suiteable just to check log in status.
         final CdiUtil cdiUtil = new CdiUtil();
-        try {
-            final CcmSessionContext context = cdiUtil.findBean(
-                CcmSessionContext.class);
-
-            return (User) context.getCurrentSubject();
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(
-                "Failed get get CcmSessionContext.", ex);
-        }
+//        try {
+//            final CcmSessionContext context = cdiUtil.findBean(
+//                CcmSessionContext.class);
+//
+//            return (User) context.getCurrentSubject();
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(
+//                "Failed get get CcmSessionContext.", ex);
+//        }
+        
+        throw new UnsupportedOperationException();
     }
 
     /**
@@ -91,7 +92,8 @@ public class UserAuthenticationListener implements RequestListener {
      * @return true if the user is logged in
      */
     public boolean isLoggedIn(final PageState state) {
-        return Web.getUserContext().isLoggedIn();
+//        return Web.getUserContext().isLoggedIn();
+        return false;
     }
 
     /**
@@ -104,19 +106,19 @@ public class UserAuthenticationListener implements RequestListener {
     public void pageRequested(final RequestEvent event) {
         PageState state = event.getPageState();
 
-        final CcmSessionContext sessionContext;
-        try {
-            final CdiUtil cdiUtil = new CdiUtil();
-            sessionContext = cdiUtil.findBean(
-                CcmSessionContext.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(
-                "Failed to lookup CcmSessionContext", ex);
-        }
-        if (!sessionContext.isLoggedIn()) {
-            s_log.debug("User is not logged in");
-            redirectToLoginPage(state);
-        }
+//        final CcmSessionContext sessionContext;
+//        try {
+//            final CdiUtil cdiUtil = new CdiUtil();
+//            sessionContext = cdiUtil.findBean(
+//                CcmSessionContext.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(
+//                "Failed to lookup CcmSessionContext", ex);
+//        }
+//        if (!sessionContext.isLoggedIn()) {
+//            s_log.debug("User is not logged in");
+//            redirectToLoginPage(state);
+//        }
     }
 
     /**
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/login/UserEditForm.java b/ccm-core/src/main/java/com/arsdigita/ui/login/UserEditForm.java
index c00878c91..881df7cab 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/login/UserEditForm.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/login/UserEditForm.java
@@ -40,9 +40,7 @@ import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
 import org.libreccm.core.EmailAddress;
-import org.libreccm.core.PersonName;
-import org.libreccm.core.User;
-import org.libreccm.core.UserRepository;
+import org.libreccm.security.User;
 
 import java.util.logging.Level;
 
@@ -69,19 +67,20 @@ public class UserEditForm extends UserForm
         @Override
         public Object initialValue(final PageState ps) {
             User result;
-            final long userId = m_listener.getUser(ps).getSubjectId();
-            final CdiUtil cdiUtil = new CdiUtil();
-            final UserRepository userRepository;
-            try {
-                userRepository = cdiUtil.findBean(UserRepository.class);
-            } catch (CdiLookupException ex) {
-                throw new UncheckedWrapperException(
-                    "Failed to lookup UserRepository.", ex);
-            }
-
-            result = userRepository.findById(userId);
-
-            return result;
+            final long userId = m_listener.getUser(ps).getPartyId();
+//            final CdiUtil cdiUtil = new CdiUtil();
+//            final UserRepository userRepository;
+//            try {
+//                userRepository = cdiUtil.findBean(UserRepository.class);
+//            } catch (CdiLookupException ex) {
+//                throw new UncheckedWrapperException(
+//                    "Failed to lookup UserRepository.", ex);
+//            }
+//
+//            result = userRepository.findById(userId);
+//
+//            return result;
+            throw new UnsupportedOperationException();
         }
 
     };
@@ -122,30 +121,30 @@ public class UserEditForm extends UserForm
                 "Failed to retrieve user from page state");
         }
 
-        final PersonName name = user.getName();
-        name.setGivenName((String) m_firstName.getValue(state));
-        name.setFamilyName((String) m_lastName.getValue(state));
-
-        user.setScreenName((String) m_screenName.getValue(state));
-
-        final EmailAddress newAddress = new EmailAddress();
-        newAddress.setAddress(data.get(FORM_EMAIL).toString());
-        if (user.getEmailAddresses().isEmpty()) {
-            user.addEmailAddress(newAddress);
-        } else {
-            if (!user.getEmailAddresses().get(0).equals(newAddress)) {
-                user.getEmailAddresses().get(0).setAddress(newAddress.getAddress());
-            }
-        }
-        
-        final CdiUtil cdiUtil = new CdiUtil();
-        final UserRepository userRepository;
-        try {
-            userRepository = cdiUtil.findBean(UserRepository.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(
-                "Failed to lookup UserRepository", ex);
-        }
+//        final PersonName name = user.getName();
+//        name.setGivenName((String) m_firstName.getValue(state));
+//        name.setFamilyName((String) m_lastName.getValue(state));
+//
+//        user.setScreenName((String) m_screenName.getValue(state));
+//
+//        final EmailAddress newAddress = new EmailAddress();
+//        newAddress.setAddress(data.get(FORM_EMAIL).toString());
+//        if (user.getEmailAddresses().isEmpty()) {
+//            user.addEmailAddress(newAddress);
+//        } else {
+//            if (!user.getEmailAddresses().get(0).equals(newAddress)) {
+//                user.getEmailAddresses().get(0).setAddress(newAddress.getAddress());
+//            }
+//        }
+//        
+//        final CdiUtil cdiUtil = new CdiUtil();
+//        final UserRepository userRepository;
+//        try {
+//            userRepository = cdiUtil.findBean(UserRepository.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(
+//                "Failed to lookup UserRepository", ex);
+//        }
         
         // redirect to workspace or return URL, if specified
         final HttpServletRequest req = state.getRequest();
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/login/UserForm.java b/ccm-core/src/main/java/com/arsdigita/ui/login/UserForm.java
index 9ffab3f9d..88a9f40d6 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/login/UserForm.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/login/UserForm.java
@@ -45,9 +45,7 @@ import javax.mail.internet.InternetAddress;
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.PersonName;
-import org.libreccm.core.User;
-import org.libreccm.core.UserRepository;
+import org.libreccm.security.User;
 
 /**
  * Common code for user new / add / edit forms.
@@ -245,10 +243,8 @@ public abstract class UserForm extends Form
             throw new FormProcessException(LoginGlobalizationUtil.globalize(
                 "login.userForm.couldnt_load_user"));
         }
-
-        PersonName name = user.getName();
-        m_firstName.setValue(state, name.getGivenName());
-        m_lastName.setValue(state, name.getFamilyName());
+        m_firstName.setValue(state, user.getGivenName());
+        m_lastName.setValue(state, user.getFamilyName());
 
         InternetAddress address;
         try {
@@ -264,7 +260,7 @@ public abstract class UserForm extends Form
         }
 
         m_email.setValue(state, address);
-        m_screenName.setValue(state, user.getScreenName());
+        m_screenName.setValue(state, user.getName());
 
     }
 
@@ -319,24 +315,24 @@ public abstract class UserForm extends Form
             final boolean checkPrimaryEmail = KernelConfig.getConfig()
                 .emailIsPrimaryIdentifier();
 
-            final UserRepository userRepo;
-            try {
-                final CdiUtil cdiUtil = new CdiUtil();
-                userRepo = cdiUtil.findBean(
-                    UserRepository.class);
-            } catch (CdiLookupException ex) {
-                throw new FormProcessException(ex);
-            }
+//            final UserRepository userRepo;
+//            try {
+//                final CdiUtil cdiUtil = new CdiUtil();
+//                userRepo = cdiUtil.findBean(
+//                    UserRepository.class);
+//            } catch (CdiLookupException ex) {
+//                throw new FormProcessException(ex);
+//            }
 
-            final User userByEmail = userRepo.findByEmailAddress(email);
-            if (userByEmail != null && checkPrimaryEmail) {
-                data.addError(FORM_EMAIL, ERROR_DUPLICATE_EMAIL);
-            }
-
-            final User userByScreenname = userRepo.findByScreenName(screenName);
-            if (userByScreenname != null) {
-                data.addError(FORM_SCREEN_NAME, ERROR_DUPLICATE_SN);
-            }
+//            final User userByEmail = userRepo.findByEmailAddress(email);
+//            if (userByEmail != null && checkPrimaryEmail) {
+//                data.addError(FORM_EMAIL, ERROR_DUPLICATE_EMAIL);
+//            }
+//
+//            final User userByScreenname = userRepo.findByScreenName(screenName);
+//            if (userByScreenname != null) {
+//                data.addError(FORM_SCREEN_NAME, ERROR_DUPLICATE_SN);
+//            }
 
         } finally {
             // if the form has errors, clear the password fields so we don't
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/login/UserInfo.java b/ccm-core/src/main/java/com/arsdigita/ui/login/UserInfo.java
index 8c61924f9..c116a1087 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/login/UserInfo.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/login/UserInfo.java
@@ -34,7 +34,7 @@ import java.util.List;
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.User;
+import org.libreccm.security.User;
 import org.libreccm.web.ApplicationRepository;
 import org.libreccm.web.CcmApplication;
 
@@ -157,7 +157,7 @@ public class UserInfo extends SimpleContainer {
 
                 // in any case: add basic user attributes
                 userElement.addAttribute("id",
-                                         Long.toString(user.getSubjectId()));
+                                         Long.toString(user.getPartyId()));
                 if (!user.getEmailAddresses().isEmpty()) {
                     userElement.addAttribute("email",
                                              user.getEmailAddresses().get(0)
@@ -165,9 +165,9 @@ public class UserInfo extends SimpleContainer {
                 }
                 userElement.addAttribute(
                     "name", String.format("%s %s",
-                                          user.getName().getGivenName(),
-                                          user.getName().getFamilyName()));
-                userElement.addAttribute("screenName", user.getScreenName());
+                                          user.getGivenName(),
+                                          user.getFamilyName()));
+                userElement.addAttribute("screenName", user.getName());
 
                 parent.addContent(userElement);
             }
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/login/UserLoginForm.java b/ccm-core/src/main/java/com/arsdigita/ui/login/UserLoginForm.java
index ad6c6509e..1ccdb45e3 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/login/UserLoginForm.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/login/UserLoginForm.java
@@ -63,8 +63,6 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.CcmSessionContext;
-import org.libreccm.core.authentication.LoginManager;
 
 import java.util.logging.Level;
 
@@ -334,35 +332,35 @@ public class UserLoginForm extends Form
         throws FormProcessException {
         PageState state = event.getPageState();
 
-        try {
-            final CcmSessionContext ctx = Web.getUserContext();
-            final String username;
-            if (KernelConfig.getConfig().emailIsPrimaryIdentifier()) {
-                username = ((InternetAddress) m_loginName.getValue(state)).
-                    getAddress();
-            } else {
-                username = (String) m_loginName.getValue(state);
-            }
-
-            final String password = ((String)m_password.getValue(state)).trim();
-            boolean forever = getPersistentLoginValue(event.getPageState(),
-                                                      false);
-            // attempt to log in user
-            final CdiUtil cdiUtil = new CdiUtil();
-            final LoginManager loginManager;
-            try {
-                loginManager = cdiUtil.findBean(LoginManager.class);
-            } catch (CdiLookupException ex) {
-                throw new UncheckedWrapperException(
-                    "Failed to lookup LoginManager", ex);
-            }
-            loginManager.login(username, password);
-            onLoginSuccess(event);
-        } catch (FailedLoginException e) {
-            onLoginFail(event, e);
-        } catch (LoginException e) {
-            onLoginException(event, e);
-        }
+//        try {
+//            final CcmSessionContext ctx = Web.getUserContext();
+//            final String username;
+//            if (KernelConfig.getConfig().emailIsPrimaryIdentifier()) {
+//                username = ((InternetAddress) m_loginName.getValue(state)).
+//                    getAddress();
+//            } else {
+//                username = (String) m_loginName.getValue(state);
+//            }
+//
+//            final String password = ((String)m_password.getValue(state)).trim();
+//            boolean forever = getPersistentLoginValue(event.getPageState(),
+//                                                      false);
+//            // attempt to log in user
+//            final CdiUtil cdiUtil = new CdiUtil();
+//            final LoginManager loginManager;
+//            try {
+//                loginManager = cdiUtil.findBean(LoginManager.class);
+//            } catch (CdiLookupException ex) {
+//                throw new UncheckedWrapperException(
+//                    "Failed to lookup LoginManager", ex);
+//            }
+//            loginManager.login(username, password);
+//            onLoginSuccess(event);
+//        } catch (FailedLoginException e) {
+//            onLoginFail(event, e);
+//        } catch (LoginException e) {
+//            onLoginException(event, e);
+//        }
     }
 
     /**
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/login/UserLogoutListener.java b/ccm-core/src/main/java/com/arsdigita/ui/login/UserLogoutListener.java
index d5c48431b..2bb13cce7 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/login/UserLogoutListener.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/login/UserLogoutListener.java
@@ -25,7 +25,6 @@ import com.arsdigita.util.UncheckedWrapperException;
 import org.apache.log4j.Logger;
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.authentication.LoginManager;
 
 /**
  * An ActionListener that logs out the user.
@@ -47,14 +46,14 @@ public class UserLogoutListener implements ActionListener {
     @Override
     public void actionPerformed(final ActionEvent event) {
         final CdiUtil cdiUtil = new CdiUtil();
-        final LoginManager loginManager;
-        try {
-            loginManager = cdiUtil.findBean(LoginManager.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException("Failed to lookup LoginManager",
-                                                ex);
-        }
-        loginManager.logout();
+//        final LoginManager loginManager;
+//        try {
+//            loginManager = cdiUtil.findBean(LoginManager.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException("Failed to lookup LoginManager",
+//                                                ex);
+//        }
+//        loginManager.logout();
     }
 
 }
diff --git a/ccm-core/src/main/java/com/arsdigita/ui/login/UserNewForm.java b/ccm-core/src/main/java/com/arsdigita/ui/login/UserNewForm.java
index 751494ce1..3ff6f3a9b 100644
--- a/ccm-core/src/main/java/com/arsdigita/ui/login/UserNewForm.java
+++ b/ccm-core/src/main/java/com/arsdigita/ui/login/UserNewForm.java
@@ -47,14 +47,9 @@ import org.apache.log4j.Logger;
 import org.dom4j.util.UserDataDocumentFactory;
 import org.libreccm.cdi.utils.CdiLookupException;
 import org.libreccm.cdi.utils.CdiUtil;
-import org.libreccm.core.CcmSessionContext;
+
 import org.libreccm.core.EmailAddress;
-import org.libreccm.core.PermissionManager;
-import org.libreccm.core.PersonName;
-import org.libreccm.core.User;
-import org.libreccm.core.UserManager;
-import org.libreccm.core.UserRepository;
-import org.libreccm.core.authentication.LoginManager;
+import org.libreccm.security.User;
 
 /**
  * Creates a new user. Collects user's basic info, such as email, password,
@@ -155,88 +150,88 @@ public class UserNewForm extends UserForm implements FormInitListener,
 
         final Exception[] formExceptions = new Exception[]{null};
 
-        final CdiUtil cdiUtil = new CdiUtil();
-        final CcmSessionContext sessionContext;
-        try {
-            sessionContext = cdiUtil.findBean(CcmSessionContext.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(
-                "Failed to lookup CcmSessionContext", ex);
-        }
+//        final CdiUtil cdiUtil = new CdiUtil();
+//        final CcmSessionContext sessionContext;
+//        try {
+//            sessionContext = cdiUtil.findBean(CcmSessionContext.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(
+//                "Failed to lookup CcmSessionContext", ex);
+//        }
+//
+//        final UserRepository userRepository;
+//        try {
+//            userRepository = cdiUtil.findBean(UserRepository.class);
+//        } catch (CdiLookupException ex) {
+//            throw new UncheckedWrapperException(
+//                "Failed to lookup UserRepository", ex);
+//        }
+//
+//        final User systemUser = userRepository.retrieveSystemUser();
+//
+//        sessionContext.sudo(systemUser, new Runnable() {
 
-        final UserRepository userRepository;
-        try {
-            userRepository = cdiUtil.findBean(UserRepository.class);
-        } catch (CdiLookupException ex) {
-            throw new UncheckedWrapperException(
-                "Failed to lookup UserRepository", ex);
-        }
-
-        final User systemUser = userRepository.retrieveSystemUser();
-
-        sessionContext.sudo(systemUser, new Runnable() {
-
-            @Override
-            public void run() {
-                final User user = new User();
-                final PersonName userName = new PersonName();
-                userName.setGivenName(firstName);
-                userName.setFamilyName(lastName);
-                final EmailAddress emailAddress = new EmailAddress();
-                emailAddress.setAddress(email);
-                user.addEmailAddress(emailAddress);
-                if (!KernelConfig.getConfig().emailIsPrimaryIdentifier()) {
-                    user.setScreenName(screenName);
-                }
-                userRepository.save(user);
-
-//                final PermissionManager permissionManager;
+//            @Override
+//            public void run() {
+//                final User user = new User();
+//                final PersonName userName = new PersonName();
+//                userName.setGivenName(firstName);
+//                userName.setFamilyName(lastName);
+//                final EmailAddress emailAddress = new EmailAddress();
+//                emailAddress.setAddress(email);
+//                user.addEmailAddress(emailAddress);
+//                if (!KernelConfig.getConfig().emailIsPrimaryIdentifier()) {
+//                    user.setScreenName(screenName);
+//                }
+//                userRepository.save(user);
+//
+////                final PermissionManager permissionManager;
+////                try {
+////                    permissionManager = cdiUtil
+////                        .findBean(PermissionManager.class);
+////                } catch (CdiLookupException ex) {
+////                    throw new UncheckedWrapperException(
+////                        "Failed to lookup PermissionManager", ex);
+////                }
+////                
+////                permissionManager.grantPermission(null, null, user);
+//                final UserManager userManager;
 //                try {
-//                    permissionManager = cdiUtil
-//                        .findBean(PermissionManager.class);
+//                    userManager = cdiUtil.findBean(UserManager.class);
 //                } catch (CdiLookupException ex) {
 //                    throw new UncheckedWrapperException(
-//                        "Failed to lookup PermissionManager", ex);
+//                        "Failed to lookup UserManager", ex);
 //                }
-//                
-//                permissionManager.grantPermission(null, null, user);
-                final UserManager userManager;
-                try {
-                    userManager = cdiUtil.findBean(UserManager.class);
-                } catch (CdiLookupException ex) {
-                    throw new UncheckedWrapperException(
-                        "Failed to lookup UserManager", ex);
-                }
-                userManager.updatePassword(user, password);
-                user.setPasswordQuestion(question);
-                user.setPasswordAnswer(answer);
-            }
+//                userManager.updatePassword(user, password);
+//                user.setPasswordQuestion(question);
+//                user.setPasswordAnswer(answer);
+//            }
+//
+//        });
 
-        });
-
-        try {
-            // finally log the user in (sets the
-            // appropriate session or permanent cookie)
-            String loginName = email;
-            if (!KernelConfig.getConfig().emailIsPrimaryIdentifier()) {
-                loginName = screenName;
-            }
-
-            final LoginManager loginManager;
-            try {
-                loginManager = cdiUtil.findBean(LoginManager.class);
-            } catch (CdiLookupException ex) {
-                throw new UncheckedWrapperException(
-                    "Failed to lookup LoginManager", ex);
-            }
-
-            loginManager.login(loginName, password);
-            
-        } catch (LoginException e) {
-            // ERROR: login failed for new user
-            s_log.error("login failed for new user", e);
-            throw new FormProcessException(e);
-        }
+//        try {
+//            // finally log the user in (sets the
+//            // appropriate session or permanent cookie)
+//            String loginName = email;
+//            if (!KernelConfig.getConfig().emailIsPrimaryIdentifier()) {
+//                loginName = screenName;
+//            }
+//
+//            final LoginManager loginManager;
+//            try {
+//                loginManager = cdiUtil.findBean(LoginManager.class);
+//            } catch (CdiLookupException ex) {
+//                throw new UncheckedWrapperException(
+//                    "Failed to lookup LoginManager", ex);
+//            }
+//
+//            loginManager.login(loginName, password);
+//            
+//        } catch (LoginException e) {
+//            // ERROR: login failed for new user
+//            s_log.error("login failed for new user", e);
+//            throw new FormProcessException(e);
+//        }
 
         // redirect to workspace or return URL, if specified
         final HttpServletRequest req = state.getRequest();
diff --git a/ccm-core/src/main/java/com/arsdigita/web/CCMDispatcherServlet.java b/ccm-core/src/main/java/com/arsdigita/web/CCMDispatcherServlet.java
index 812c00e1b..a247e000f 100644
--- a/ccm-core/src/main/java/com/arsdigita/web/CCMDispatcherServlet.java
+++ b/ccm-core/src/main/java/com/arsdigita/web/CCMDispatcherServlet.java
@@ -35,7 +35,6 @@ import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
-import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
diff --git a/ccm-core/src/main/java/com/arsdigita/web/Web.java b/ccm-core/src/main/java/com/arsdigita/web/Web.java
index d9b28505e..b63d2565a 100644
--- a/ccm-core/src/main/java/com/arsdigita/web/Web.java
+++ b/ccm-core/src/main/java/com/arsdigita/web/Web.java
@@ -30,7 +30,6 @@ import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 
 import org.apache.log4j.Logger;
-import org.libreccm.core.CcmSessionContext;
 
 /**
  * An entry point for functions of the web package.
@@ -78,17 +77,14 @@ public class Web {
      * Static Initializer block.
      */
     static void init(final HttpServletRequest sreq,
-                     final ServletContext sc,
-                     final CcmSessionContext uc) {
+                     final ServletContext sc) {
 
         Assert.exists(sreq, HttpServletRequest.class);
         Assert.exists(sc, ServletContext.class);
-        Assert.exists(uc, CcmSessionContext.class);
 
         s_request.set(sreq);
         s_servletContext.set(sc);
         s_contextPath = CCMDispatcherServlet.getContextPath();
-        s_userContext.set(uc);
     }
 
     /**
@@ -131,15 +127,6 @@ public class Web {
         return (ServletContext) s_servletContext.get();
     }
 
-    /**
-     * Gets the user context object of the current thread.
-     *
-     * @return The current <code>UserContext</code> object; it can be null
-     */
-    public static CcmSessionContext getUserContext() {
-        return (CcmSessionContext) s_userContext.get();
-    }
-
         /**
      * Gets the webapp context path portion of the WEB application where this 
      * CCM instance is executed. (I.e. where the WEB-INF directory is located 
diff --git a/ccm-core/src/main/java/com/arsdigita/web/WebContext.java b/ccm-core/src/main/java/com/arsdigita/web/WebContext.java
index 17b625f39..82364a7a5 100644
--- a/ccm-core/src/main/java/com/arsdigita/web/WebContext.java
+++ b/ccm-core/src/main/java/com/arsdigita/web/WebContext.java
@@ -23,8 +23,6 @@ import com.arsdigita.util.Assert;
 import com.arsdigita.util.Record;
 
 import org.apache.log4j.Logger;
-import org.libreccm.core.CcmSessionContext;
-import org.libreccm.core.User;
 import org.libreccm.web.CcmApplication;
 
 /**
@@ -100,16 +98,6 @@ public final class WebContext extends Record {
         m_requestURL = null;
     }
 
-    public final User getUser() {
-        CcmSessionContext context = Web.getUserContext();
-
-        if (context == null || !context.isLoggedIn()) {
-            return null;
-        } else {
-            return (User) context.getCurrentSubject();
-        }
-    }
-
     /**
      *
      * @return
diff --git a/ccm-core/src/main/java/org/libreccm/auditing/CcmRevisionListener.java b/ccm-core/src/main/java/org/libreccm/auditing/CcmRevisionListener.java
index c581f39c3..edda54666 100644
--- a/ccm-core/src/main/java/org/libreccm/auditing/CcmRevisionListener.java
+++ b/ccm-core/src/main/java/org/libreccm/auditing/CcmRevisionListener.java
@@ -19,9 +19,6 @@
 package org.libreccm.auditing;
 
 import org.hibernate.envers.RevisionListener;
-import org.libreccm.core.CcmSessionContext;
-import org.libreccm.core.Subject;
-import org.libreccm.core.User;
 
 import javax.inject.Inject;
 
@@ -32,8 +29,8 @@ import javax.inject.Inject;
  */
 public class CcmRevisionListener implements RevisionListener {
 
-    @Inject
-    private transient CcmSessionContext sessionContext;
+//    @Inject
+//    private transient CcmSessionContext sessionContext;
 
     @Override
     public void newRevision(final Object revisionEntity) {
@@ -44,11 +41,13 @@ public class CcmRevisionListener implements RevisionListener {
         }
 
         final CcmRevision revision = (CcmRevision) revisionEntity;
-        final Subject subject = sessionContext.getCurrentSubject();
-        if (subject instanceof User) {
-            final User user = (User) subject;
-            revision.setUserName(user.getScreenName());
-        }
+        //ToDo: Add code using Shiro Subject
+        
+//        final Subject subject = sessionContext.getCurrentSubject();
+//        if (subject instanceof User) {
+//            final User user = (User) subject;
+//            revision.setUserName(user.getScreenName());
+//        }
     }
 
 }
diff --git a/ccm-core/src/main/java/org/libreccm/categorization/Category.java b/ccm-core/src/main/java/org/libreccm/categorization/Category.java
index f079e8323..2fb315d32 100644
--- a/ccm-core/src/main/java/org/libreccm/categorization/Category.java
+++ b/ccm-core/src/main/java/org/libreccm/categorization/Category.java
@@ -91,7 +91,7 @@ public class Category extends CcmObject implements Serializable {
      */
     @Embedded
     @AssociationOverride(
-            name = "VALUES",
+            name = "values",
             joinTable = @JoinTable(name = "CATEGORY_TITLES", 
                                    schema = DB_SCHEMA,
                                    joinColumns = {
@@ -104,7 +104,7 @@ public class Category extends CcmObject implements Serializable {
      */
     @Embedded
     @AssociationOverride(
-            name = "VALUES",
+            name = "values",
             joinTable = @JoinTable(name = "CATEGORY_DESCRIPTIONS",
                                    schema = DB_SCHEMA,
                                    joinColumns = {
diff --git a/ccm-core/src/main/java/org/libreccm/categorization/Domain.java b/ccm-core/src/main/java/org/libreccm/categorization/Domain.java
index 341373198..a16187794 100644
--- a/ccm-core/src/main/java/org/libreccm/categorization/Domain.java
+++ b/ccm-core/src/main/java/org/libreccm/categorization/Domain.java
@@ -115,7 +115,7 @@ public class Domain extends CcmObject implements Serializable {
      */
     @Embedded
     @AssociationOverride(
-        name = "VALUES",
+        name = "values",
         joinTable = @JoinTable(name = "DOMAIN_TITLES",
                                schema = DB_SCHEMA,
                                joinColumns = {
@@ -128,7 +128,7 @@ public class Domain extends CcmObject implements Serializable {
      */
     @Embedded
     @AssociationOverride(
-        name = "VALUES",
+        name = "values",
         joinTable = @JoinTable(name = "DOMAIN_DESCRIPTIONS",
                                schema = DB_SCHEMA,
                                joinColumns = {
diff --git a/ccm-core/src/main/java/org/libreccm/core/CcmCore.java b/ccm-core/src/main/java/org/libreccm/core/CcmCore.java
index cedfb06a3..dcde25a5a 100644
--- a/ccm-core/src/main/java/org/libreccm/core/CcmCore.java
+++ b/ccm-core/src/main/java/org/libreccm/core/CcmCore.java
@@ -24,6 +24,8 @@ import org.libreccm.modules.InstallEvent;
 import org.libreccm.modules.Module;
 import org.libreccm.modules.ShutdownEvent;
 import org.libreccm.modules.UnInstallEvent;
+import org.libreccm.security.SystemUsersSetup;
+import org.libreccm.security.User;
 
 import javax.persistence.EntityManager;
 
@@ -37,15 +39,8 @@ import javax.persistence.EntityManager;
                     org.libreccm.categorization.Domain.class,
                     org.libreccm.categorization.DomainOwnership.class,
                     org.libreccm.core.CcmObject.class,
-                    org.libreccm.core.Group.class,
-                    org.libreccm.core.GroupMembership.class,
-                    org.libreccm.core.Permission.class,
-                    org.libreccm.core.Privilege.class,
                     org.libreccm.core.Resource.class,
                     org.libreccm.core.ResourceType.class,
-                    org.libreccm.core.Role.class,
-                    org.libreccm.core.Subject.class,
-                    org.libreccm.core.User.class,
                     org.libreccm.modules.InstalledModule.class,
                     org.libreccm.formbuilder.Component.class,
                     org.libreccm.formbuilder.DataDrivenSelect.class,
@@ -86,17 +81,8 @@ public class CcmCore implements CcmModule {
     public void install(final InstallEvent event) {
         final EntityManager entityManager = event.getEntityManager();
 
-        final User user = new User();
-        user.setScreenName("public-user");
-        final PersonName name = new PersonName();
-        name.setFamilyName("ccm");
-        name.setGivenName("public user");
-        user.setName(name);
-        final EmailAddress email = new EmailAddress();
-        email.setAddress("public-user@localhost");
-        user.addEmailAddress(email);
-
-        entityManager.persist(user);
+        final SystemUsersSetup systemUsersSetup = new SystemUsersSetup(entityManager);
+        systemUsersSetup.setupSystemUsers();
     }
 
     @Override
diff --git a/ccm-core/src/main/java/org/libreccm/core/CcmObject.java b/ccm-core/src/main/java/org/libreccm/core/CcmObject.java
index 10b3fd960..ed59b9db2 100644
--- a/ccm-core/src/main/java/org/libreccm/core/CcmObject.java
+++ b/ccm-core/src/main/java/org/libreccm/core/CcmObject.java
@@ -23,6 +23,7 @@ import static org.libreccm.core.CoreConstants.*;
 import org.libreccm.categorization.Categorization;
 import org.libreccm.categorization.Category;
 import org.libreccm.categorization.CategoryManager;
+import org.libreccm.security.Permission;
 
 import java.io.Serializable;
 import java.util.ArrayList;
diff --git a/ccm-core/src/main/java/org/libreccm/core/CcmSessionContext.java b/ccm-core/src/main/java/org/libreccm/core/CcmSessionContext.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/CcmSessionContext.java
rename to ccm-core/src/main/java/org/libreccm/core/CcmSessionContext.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/Group.java b/ccm-core/src/main/java/org/libreccm/core/Group.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/Group.java
rename to ccm-core/src/main/java/org/libreccm/core/Group.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/GroupManager.java b/ccm-core/src/main/java/org/libreccm/core/GroupManager.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/GroupManager.java
rename to ccm-core/src/main/java/org/libreccm/core/GroupManager.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/GroupMembership.java b/ccm-core/src/main/java/org/libreccm/core/GroupMembership.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/GroupMembership.java
rename to ccm-core/src/main/java/org/libreccm/core/GroupMembership.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/GroupRepository.java b/ccm-core/src/main/java/org/libreccm/core/GroupRepository.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/GroupRepository.java
rename to ccm-core/src/main/java/org/libreccm/core/GroupRepository.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/Permission.java b/ccm-core/src/main/java/org/libreccm/core/Permission.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/Permission.java
rename to ccm-core/src/main/java/org/libreccm/core/Permission.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/PermissionManager.java b/ccm-core/src/main/java/org/libreccm/core/PermissionManager.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/PermissionManager.java
rename to ccm-core/src/main/java/org/libreccm/core/PermissionManager.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/PermissionRepository.java b/ccm-core/src/main/java/org/libreccm/core/PermissionRepository.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/PermissionRepository.java
rename to ccm-core/src/main/java/org/libreccm/core/PermissionRepository.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/PersonName.java b/ccm-core/src/main/java/org/libreccm/core/PersonName.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/PersonName.java
rename to ccm-core/src/main/java/org/libreccm/core/PersonName.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/Privilege.java b/ccm-core/src/main/java/org/libreccm/core/Privilege.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/Privilege.java
rename to ccm-core/src/main/java/org/libreccm/core/Privilege.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/PrivilegeRepository.java b/ccm-core/src/main/java/org/libreccm/core/PrivilegeRepository.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/PrivilegeRepository.java
rename to ccm-core/src/main/java/org/libreccm/core/PrivilegeRepository.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/Resource.java b/ccm-core/src/main/java/org/libreccm/core/Resource.java
index 9b743fa61..8fa8fa71d 100644
--- a/ccm-core/src/main/java/org/libreccm/core/Resource.java
+++ b/ccm-core/src/main/java/org/libreccm/core/Resource.java
@@ -66,7 +66,7 @@ public class Resource extends CcmObject implements Serializable {
      */
     @Embedded
     @AssociationOverride(
-        name = "VALUES",
+        name = "values",
         joinTable = @JoinTable(name = "RESOURCE_TITLES",
                                schema = DB_SCHEMA,
                                joinColumns = {
@@ -78,7 +78,7 @@ public class Resource extends CcmObject implements Serializable {
      */
     @Embedded
     @AssociationOverride(
-        name = "VALUES",
+        name = "values",
         joinTable = @JoinTable(name = "RESOURCE_DESCRIPTIONS",
                                schema = DB_SCHEMA,
                                joinColumns = {
diff --git a/ccm-core/src/main/java/org/libreccm/core/ResourceType.java b/ccm-core/src/main/java/org/libreccm/core/ResourceType.java
index d9b741c32..fa44d6227 100644
--- a/ccm-core/src/main/java/org/libreccm/core/ResourceType.java
+++ b/ccm-core/src/main/java/org/libreccm/core/ResourceType.java
@@ -70,7 +70,7 @@ public class ResourceType implements Serializable {
 
     @Embedded
     @AssociationOverride(
-        name = "VALUES",
+        name = "values",
         joinTable = @JoinTable(name = "RESOURCE_TYPE_DESCRIPTIONS",
                                schema = DB_SCHEMA,
                                joinColumns = {
diff --git a/ccm-core/src/main/java/org/libreccm/core/Role.java b/ccm-core/src/main/java/org/libreccm/core/Role.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/Role.java
rename to ccm-core/src/main/java/org/libreccm/core/Role.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/RoleRepository.java b/ccm-core/src/main/java/org/libreccm/core/RoleRepository.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/RoleRepository.java
rename to ccm-core/src/main/java/org/libreccm/core/RoleRepository.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/Subject.java b/ccm-core/src/main/java/org/libreccm/core/Subject.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/Subject.java
rename to ccm-core/src/main/java/org/libreccm/core/Subject.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/SubjectRepository.java b/ccm-core/src/main/java/org/libreccm/core/SubjectRepository.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/SubjectRepository.java
rename to ccm-core/src/main/java/org/libreccm/core/SubjectRepository.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/User.java b/ccm-core/src/main/java/org/libreccm/core/User.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/User.java
rename to ccm-core/src/main/java/org/libreccm/core/User.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/UserManager.java b/ccm-core/src/main/java/org/libreccm/core/UserManager.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/UserManager.java
rename to ccm-core/src/main/java/org/libreccm/core/UserManager.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/UserNotFoundException.java b/ccm-core/src/main/java/org/libreccm/core/UserNotFoundException.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/UserNotFoundException.java
rename to ccm-core/src/main/java/org/libreccm/core/UserNotFoundException.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/UserRepository.java b/ccm-core/src/main/java/org/libreccm/core/UserRepository.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/UserRepository.java
rename to ccm-core/src/main/java/org/libreccm/core/UserRepository.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/authentication/AbstractPasswordLoginModule.java b/ccm-core/src/main/java/org/libreccm/core/authentication/AbstractPasswordLoginModule.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/authentication/AbstractPasswordLoginModule.java
rename to ccm-core/src/main/java/org/libreccm/core/authentication/AbstractPasswordLoginModule.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/authentication/LocalLoginModule.java b/ccm-core/src/main/java/org/libreccm/core/authentication/LocalLoginModule.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/authentication/LocalLoginModule.java
rename to ccm-core/src/main/java/org/libreccm/core/authentication/LocalLoginModule.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/authentication/LoginConfig.java b/ccm-core/src/main/java/org/libreccm/core/authentication/LoginConfig.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/authentication/LoginConfig.java
rename to ccm-core/src/main/java/org/libreccm/core/authentication/LoginConfig.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/authentication/LoginConfigBuilder.java b/ccm-core/src/main/java/org/libreccm/core/authentication/LoginConfigBuilder.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/authentication/LoginConfigBuilder.java
rename to ccm-core/src/main/java/org/libreccm/core/authentication/LoginConfigBuilder.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/authentication/LoginManager.java b/ccm-core/src/main/java/org/libreccm/core/authentication/LoginManager.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/authentication/LoginManager.java
rename to ccm-core/src/main/java/org/libreccm/core/authentication/LoginManager.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/core/authentication/UserPrincipal.java b/ccm-core/src/main/java/org/libreccm/core/authentication/UserPrincipal.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/main/java/org/libreccm/core/authentication/UserPrincipal.java
rename to ccm-core/src/main/java/org/libreccm/core/authentication/UserPrincipal.java.nolongerinuse
diff --git a/ccm-core/src/main/java/org/libreccm/formbuilder/Component.java b/ccm-core/src/main/java/org/libreccm/formbuilder/Component.java
index 06593dc86..9524b9df0 100644
--- a/ccm-core/src/main/java/org/libreccm/formbuilder/Component.java
+++ b/ccm-core/src/main/java/org/libreccm/formbuilder/Component.java
@@ -58,7 +58,7 @@ public class Component extends CcmObject implements Serializable {
 
     @Embedded
     @AssociationOverride(
-        name = "VALUES",
+        name = "values",
         joinTable = @JoinTable(name = "FORMBUILDER_COMPONENT_DESCRIPTIONS",
                                schema = DB_SCHEMA,
                                joinColumns = {
diff --git a/ccm-core/src/main/java/org/libreccm/formbuilder/Option.java b/ccm-core/src/main/java/org/libreccm/formbuilder/Option.java
index b146460f1..7350b3123 100644
--- a/ccm-core/src/main/java/org/libreccm/formbuilder/Option.java
+++ b/ccm-core/src/main/java/org/libreccm/formbuilder/Option.java
@@ -46,7 +46,7 @@ public class Option extends Component implements Serializable {
     private String parameterValue;
 
     @AssociationOverride(
-        name = "VALUES",
+        name = "values",
         joinTable = @JoinTable(name = "FORMBUILDER_OPTION_LABELS",
                                schema = DB_SCHEMA,
                                joinColumns = {
diff --git a/ccm-core/src/main/java/org/libreccm/formbuilder/PersistentDataQuery.java b/ccm-core/src/main/java/org/libreccm/formbuilder/PersistentDataQuery.java
index 819884f2f..1219e0f7c 100644
--- a/ccm-core/src/main/java/org/libreccm/formbuilder/PersistentDataQuery.java
+++ b/ccm-core/src/main/java/org/libreccm/formbuilder/PersistentDataQuery.java
@@ -48,7 +48,7 @@ public class PersistentDataQuery extends CcmObject implements Serializable {
     private String queryId;
 
     @AssociationOverride(
-        name = "VALUES",
+        name = "values",
         joinTable = @JoinTable(
             name = "FORMBUILDER_DATA_QUERY_NAMES",
             schema = DB_SCHEMA,
@@ -57,7 +57,7 @@ public class PersistentDataQuery extends CcmObject implements Serializable {
     private LocalizedString name;
 
     @AssociationOverride(
-        name = "VALUES",
+        name = "values",
         joinTable = @JoinTable(
             name = "FORMBUILDER_DATA_QUERY_DESCRIPTIONS",
             schema = DB_SCHEMA,
diff --git a/ccm-core/src/main/java/org/libreccm/formbuilder/ProcessListener.java b/ccm-core/src/main/java/org/libreccm/formbuilder/ProcessListener.java
index 4f903ce74..070fbc110 100644
--- a/ccm-core/src/main/java/org/libreccm/formbuilder/ProcessListener.java
+++ b/ccm-core/src/main/java/org/libreccm/formbuilder/ProcessListener.java
@@ -46,7 +46,7 @@ public class ProcessListener extends CcmObject implements Serializable {
     private static final long serialVersionUID = -3029184333026605708L;
 
     @AssociationOverride(
-        name = "VALUES",
+        name = "values",
         joinTable = @JoinTable(
             name = "FORMBUILDER_PROCESS_LISTENER_NAMES",
             schema = DB_SCHEMA,
@@ -55,7 +55,7 @@ public class ProcessListener extends CcmObject implements Serializable {
     private LocalizedString name;
 
     @AssociationOverride(
-        name = "VALUES",
+        name = "values",
         joinTable = @JoinTable(
             name = "FORMBUILDER_PROCESS_LISTENER_DESCRIPTIONS",
             schema = DB_SCHEMA,
diff --git a/ccm-core/src/main/java/org/libreccm/messaging/Message.java b/ccm-core/src/main/java/org/libreccm/messaging/Message.java
index dc0ec79e8..0e8881bd4 100644
--- a/ccm-core/src/main/java/org/libreccm/messaging/Message.java
+++ b/ccm-core/src/main/java/org/libreccm/messaging/Message.java
@@ -22,8 +22,8 @@ import org.libreccm.core.CcmObject;
 
 import static org.libreccm.core.CoreConstants.*;
 
-import org.libreccm.core.Subject;
 import org.libreccm.jpa.utils.MimeTypeConverter;
+import org.libreccm.security.User;
 
 import java.io.Serializable;
 import java.util.Collections;
@@ -59,7 +59,7 @@ public class Message extends CcmObject implements Serializable {
 
     @OneToOne
     @JoinColumn(name = "SENDER_ID")
-    private Subject sender;
+    private User sender;
 
     @Column(name = "SUBJECT")
     private String subject;
@@ -85,11 +85,11 @@ public class Message extends CcmObject implements Serializable {
     @OneToMany(mappedBy = "message")
     private List<Attachment> attachments;
 
-    public Subject getSender() {
+    public User getSender() {
         return sender;
     }
 
-    protected void setSender(final Subject sender) {
+    protected void setSender(final User sender) {
         this.sender = sender;
     }
 
diff --git a/ccm-core/src/main/java/org/libreccm/notification/Digest.java b/ccm-core/src/main/java/org/libreccm/notification/Digest.java
index 10b2865ed..cf254f202 100644
--- a/ccm-core/src/main/java/org/libreccm/notification/Digest.java
+++ b/ccm-core/src/main/java/org/libreccm/notification/Digest.java
@@ -22,7 +22,7 @@ import org.libreccm.core.CcmObject;
 
 import static org.libreccm.core.CoreConstants.*;
 
-import org.libreccm.core.Subject;
+import org.libreccm.security.Party;
 
 import java.io.Serializable;
 import java.util.Date;
@@ -60,7 +60,7 @@ public class Digest extends CcmObject implements Serializable {
 
     @OneToOne
     @JoinColumn(name = "FROM_PARTY_ID")
-    private Subject fromParty;
+    private Party fromParty;
 
     @Column(name = "SUBJECT", length = 255, nullable = false)
     private String subject;
@@ -81,19 +81,19 @@ public class Digest extends CcmObject implements Serializable {
     @Temporal(TemporalType.TIMESTAMP)
     private Date nextRun;
 
-    public Subject getFromParty() {
+    public Party getFromParty() {
         return fromParty;
     }
 
-    public void setFromParty(final Subject fromParty) {
+    public void setFromParty(final Party fromParty) {
         this.fromParty = fromParty;
     }
 
-    public String getSubject() {
+    public String getParty() {
         return subject;
     }
 
-    public void setSubject(final String subject) {
+    public void setParty(final String subject) {
         this.subject = subject;
     }
 
@@ -185,7 +185,7 @@ public class Digest extends CcmObject implements Serializable {
         if (!Objects.equals(fromParty, other.getFromParty())) {
             return false;
         }
-        if (!Objects.equals(subject, other.getSubject())) {
+        if (!Objects.equals(subject, other.getParty())) {
             return false;
         }
         if (!Objects.equals(header, other.getHeader())) {
diff --git a/ccm-core/src/main/java/org/libreccm/notification/Notification.java b/ccm-core/src/main/java/org/libreccm/notification/Notification.java
index 1161996f2..93278aea0 100644
--- a/ccm-core/src/main/java/org/libreccm/notification/Notification.java
+++ b/ccm-core/src/main/java/org/libreccm/notification/Notification.java
@@ -22,8 +22,8 @@ import org.libreccm.core.CcmObject;
 
 import static org.libreccm.core.CoreConstants.*;
 
-import org.libreccm.core.Subject;
 import org.libreccm.messaging.Message;
+import org.libreccm.security.Party;
 
 import java.io.Serializable;
 import java.util.Date;
@@ -83,7 +83,7 @@ public class Notification extends CcmObject implements Serializable {
 
     @OneToOne
     @JoinColumn(name = "RECEIVER_ID")
-    private Subject receiver;
+    private Party receiver;
 
     @OneToOne
     @JoinColumn(name = "DIGEST_ID")
@@ -122,11 +122,11 @@ public class Notification extends CcmObject implements Serializable {
     @Column(name = "EXPUNGE_MESSAGE")
     private boolean expungeMessage;
 
-    public Subject getReceiver() {
+    public Party getReceiver() {
         return receiver;
     }
 
-    public void setReceiver(final Subject receiver) {
+    public void setReceiver(final Party receiver) {
         this.receiver = receiver;
     }
 
diff --git a/ccm-core/src/main/java/org/libreccm/notification/QueueItem.java b/ccm-core/src/main/java/org/libreccm/notification/QueueItem.java
index 2aa239238..cc27dea31 100644
--- a/ccm-core/src/main/java/org/libreccm/notification/QueueItem.java
+++ b/ccm-core/src/main/java/org/libreccm/notification/QueueItem.java
@@ -20,8 +20,8 @@ package org.libreccm.notification;
 
 import static org.libreccm.core.CoreConstants.*;
 
-import org.libreccm.core.Subject;
 import org.libreccm.messaging.Message;
+import org.libreccm.security.Party;
 
 import java.io.Serializable;
 import java.util.Objects;
@@ -62,7 +62,7 @@ public class QueueItem implements Serializable {
 
     @OneToOne
     @JoinColumn(name = "RECEIVER_ID")
-    private Subject receiver;
+    private Party receiver;
 
     @Column(name = "RETRY_COUNT")
     private long retryCount;
@@ -91,11 +91,11 @@ public class QueueItem implements Serializable {
         this.queueItemId = queueItemId;
     }
 
-    public Subject getReceiver() {
+    public Party getReceiver() {
         return receiver;
     }
 
-    public void setReceiver(final Subject receiver) {
+    public void setReceiver(final Party receiver) {
         this.receiver = receiver;
     }
 
diff --git a/ccm-core/src/main/java/org/libreccm/search/lucene/Document.java b/ccm-core/src/main/java/org/libreccm/search/lucene/Document.java
index 8863b11d6..6313acdc2 100644
--- a/ccm-core/src/main/java/org/libreccm/search/lucene/Document.java
+++ b/ccm-core/src/main/java/org/libreccm/search/lucene/Document.java
@@ -20,7 +20,7 @@ package org.libreccm.search.lucene;
 
 import static org.libreccm.core.CoreConstants.*;
 
-import org.libreccm.core.Subject;
+import org.libreccm.security.User;
 
 import java.io.Serializable;
 import java.util.Date;
@@ -94,7 +94,7 @@ public class Document implements Serializable {
 
     @OneToOne
     @JoinColumn(name = "CREATED_BY_PARTY_ID")
-    private Subject createdBy;
+    private User createdBy;
 
     @Column(name = "LAST_MODIFIED")
     @Temporal(TemporalType.TIMESTAMP)
@@ -102,7 +102,7 @@ public class Document implements Serializable {
 
     @OneToOne
     @JoinColumn(name = "LAST_MODIFIED_BY")
-    private Subject lastModifiedBy;
+    private User lastModifiedBy;
 
     @Column(name = "CONTENT_SECTION", length = 512)
     private String contentSection;
@@ -215,11 +215,11 @@ public class Document implements Serializable {
         }
     }
 
-    public Subject getCreatedBy() {
+    public User getCreatedBy() {
         return createdBy;
     }
 
-    public void setCreatedBy(final Subject createdBy) {
+    public void setCreatedBy(final User createdBy) {
         this.createdBy = createdBy;
     }
 
@@ -239,11 +239,11 @@ public class Document implements Serializable {
         }
     }
 
-    public Subject getLastModifiedBy() {
+    public User getLastModifiedBy() {
         return lastModifiedBy;
     }
 
-    public void setLastModifiedBy(final Subject lastModifiedBy) {
+    public void setLastModifiedBy(final User lastModifiedBy) {
         this.lastModifiedBy = lastModifiedBy;
     }
 
diff --git a/ccm-core/src/main/java/org/libreccm/security/CcmShiroRealm.java b/ccm-core/src/main/java/org/libreccm/security/CcmShiroRealm.java
new file mode 100644
index 000000000..0f0e9b984
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/CcmShiroRealm.java
@@ -0,0 +1,235 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import com.arsdigita.kernel.KernelConfig;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.authz.SimpleAuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+
+import javax.enterprise.context.spi.CreationalContext;
+import javax.enterprise.inject.spi.Bean;
+import javax.enterprise.inject.spi.BeanManager;
+import javax.enterprise.inject.spi.CDI;
+
+/**
+ * Implementation of the Shiro's {@link AuthorizingRealm} to provide Shiro with
+ * the users, groups, roles and permissions stored in CCM's database.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+public class CcmShiroRealm extends AuthorizingRealm {
+
+    @Override
+    protected AuthorizationInfo doGetAuthorizationInfo(
+            final PrincipalCollection principals) {
+
+        // Get the pricipal (object identifing the user).
+        final Object principal = principals.getPrimaryPrincipal();
+
+        // This realm expects the principal to be a string.
+        if (!(principal instanceof String)) {
+            throw new AuthenticationException(String.format(
+                    "Can' process principal of "
+                            + "type \"%s\".",
+                    principal.getClass().getName()));
+        }
+        // Convert the pricipal to a string.
+        final String userIdentifier = (String) principal;
+
+        // Return the permissions of the system user
+        if ("system-user".equals(userIdentifier)) {
+            // The system user is a virtual user which has all roles and all
+            // privileges
+            final RoleRepository roleRepository;
+            final BeanManager beanManager = CDI.current().getBeanManager();
+            final Set<Bean<?>> beans = beanManager.
+                    getBeans(RoleRepository.class);
+            final Iterator<Bean<?>> iterator = beans.iterator();
+            if (iterator.hasNext()) {
+                @SuppressWarnings("unchecked")
+                final Bean<RoleRepository> bean = (Bean<RoleRepository>) iterator.
+                        next();
+                final CreationalContext<RoleRepository> ctx = beanManager.
+                        createCreationalContext(bean);
+
+                roleRepository = (RoleRepository) beanManager.getReference(
+                        bean, RoleRepository.class, ctx);
+            } else {
+                throw new AuthenticationException(
+                        "Failed to retrieve RoleRepository");
+            }
+            
+            final List<Role> roles = roleRepository.findAll();
+            
+            final SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
+            for(final Role role : roles) {
+                info.addRole(role.getName());
+            }
+            info.addStringPermission("*");
+            
+            return info;
+        }
+
+        //Find the user identified by the provided pricipal.
+        final User user = findUser(userIdentifier);
+
+        // Create a SimpleAuthorizationInfo instance. Contains the information
+        // from the database in the format expected by Shiro.
+        final SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
+        // Get the Roles directly assigned to the user.
+        for (final RoleMembership roleMembership : user.getRoleMemberships()) {
+            // Add the role to the AuthorizationInfo object.
+            info.addRole(roleMembership.getRole().getName());
+
+            // Add the permissions assigned to the role to the AuthorizatonInfo. 
+            for (final Permission permission : roleMembership.getRole()
+                    .getPermissions()) {
+                info.addStringPermission(permissionToString(permission));
+            }
+        }
+
+        //Get the Roles assigned to the groups of which the user is member of.
+        for (final GroupMembership membership : user.getGroupMemberships()) {
+            // Get the roles assigned to the group
+            for (final RoleMembership roleMembership : membership.getGroup()
+                    .getRoleMemberships()) {
+                // Add the role to the AuthorizationInfo
+                info.addRole(roleMembership.getRole().getName());
+                // Add the permissions assigned to the role to the 
+                // AuthorizationInfo
+                for (final Permission permission : roleMembership.getRole()
+                        .getPermissions()) {
+                    info.addStringPermission(permissionToString(permission));
+                }
+            }
+        }
+
+        return info;
+    }
+
+    @Override
+    protected AuthenticationInfo doGetAuthenticationInfo(
+            final AuthenticationToken token)
+            throws AuthenticationException {
+
+        // Get the pricipal identifing the user
+        final Object principal = token.getPrincipal();
+
+        // This realm expects the pricipal to be a string
+        if (!(principal instanceof String)) {
+            throw new AuthenticationException(String.format(
+                    "Can' process authentication token with a principal of "
+                            + "type \"%s\".",
+                    principal.getClass().getName()));
+        }
+
+        // Convert the pricipal to a string.
+        final String userIdentifier = (String) principal;
+        // Find the user identified by the pricipal.
+        final User user = findUser(userIdentifier);
+
+        // Return a SimpleAuthenticationInfo with the information relevant
+        // for Shiro
+        return new SimpleAuthenticationInfo(token.getPrincipal(),
+                                            user.getPassword(),
+                                            "CcmShiroRealm");
+    }
+
+    /**
+     * Helper method for finding a user by its identifier. Depending on the
+     * configuration of CCM this is either the name of the user or the email
+     * address of the user.
+     *
+     * @param userIdentifier The identifier of the user.
+     * @return The User identified by the provided {@code userIdentifier}.
+     * @throws AuthenticationException if no user for the provided identifier
+     * could be retrieved.
+     */
+    private User findUser(final String userIdentifier) {
+        // For some reason we can't use the the CdiUtil class here, therefore
+        // we have to do the lookup for the UserRepository be ourself.
+        final UserRepository userRepository;
+        final BeanManager beanManager = CDI.current().getBeanManager();
+        final Set<Bean<?>> beans = beanManager.getBeans(
+                UserRepository.class);
+        final Iterator<Bean<?>> iterator = beans.iterator();
+        if (iterator.hasNext()) {
+            @SuppressWarnings("unchecked")
+            final Bean<UserRepository> bean = (Bean<UserRepository>) iterator
+                    .next();
+            final CreationalContext<UserRepository> ctx = beanManager
+                    .createCreationalContext(bean);
+
+            userRepository = (UserRepository) beanManager.getReference(
+                    bean, UserRepository.class, ctx);
+        } else {
+            throw new AuthenticationException(
+                    "Failed to retrieve UserRepository.");
+        }
+
+        // Depending of the configuration of CCM use the appropriate method
+        // for finding the user in the database.
+        final KernelConfig config = KernelConfig.getConfig();
+        final User user;
+        if ("email".equals(config.getPrimaryUserIdentifier())) {
+            user = userRepository.findByEmailAddress(userIdentifier);
+        } else {
+            user = userRepository.findByName(userIdentifier);
+        }
+
+        // If no matching user is found throw an AuthenticationException
+        if (user == null) {
+            throw new AuthenticationException(String.format(
+                    "No user identified by principal \"%s\" was found. Primary user "
+                    + "identifier is \"%s\".",
+                    userIdentifier, config.getPrimaryUserIdentifier()));
+        }
+
+        return user;
+    }
+
+    /**
+     * Helper method for converting a {@link Permission} to the string format
+     * used by Shiro.
+     *
+     * @param permission The permission to convert.
+     * @return A Shiro permission string.
+     */
+    private String permissionToString(final Permission permission) {
+        if (permission.getObject() == null) {
+            return permission.getGrantedPrivilege();
+        } else {
+            return String.format("%s:%d",
+                                 permission.getGrantedPrivilege(),
+                                 permission.getObject().getObjectId());
+        }
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/Group.java b/ccm-core/src/main/java/org/libreccm/security/Group.java
new file mode 100644
index 000000000..f2590e383
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/Group.java
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import static org.libreccm.core.CoreConstants.*;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Objects;
+
+import javax.persistence.Entity;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.OneToMany;
+import javax.persistence.Table;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElementWrapper;
+import javax.xml.bind.annotation.XmlRootElement;
+
+/**
+ * A group is bascially a collection of users. 
+ * 
+ * Group extends the {@link Party} class. Therefore {@link Role}s can be 
+ * assigned to a group. When a {@link Role} is assigned to a group each member
+ * of the group gets the role and the permissions associated with that role.
+ * 
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Entity
+@Table(name = "GROUPS", schema = DB_SCHEMA)
+@NamedQueries({
+    @NamedQuery(name = "Group.findByName",
+                query = "SELECT g FROM Group g WHERE g.name = :name"),
+    @NamedQuery(name = "Group.searchByName",
+                query = "SELECT g FROM Group g "
+                            + "WHERE LOWER(g.name) LIKE '%:name%'")
+})
+@XmlRootElement(name = "user-group", namespace = CORE_XML_NS)
+public class Group extends Party implements Serializable {
+
+    private static final long serialVersionUID = -4800759206452780739L;
+
+    /**
+     * The memberships of the group. For adding or removing memberships the
+     * methods provided by the {@link GroupManager} should be used.
+     */
+    @OneToMany(mappedBy = "group")
+    @XmlElementWrapper(name = "group-memberships", namespace = CORE_XML_NS)
+    @XmlElement(name = "group-membership", namespace = CORE_XML_NS)
+    private List<GroupMembership> memberships = new ArrayList<>();
+
+    protected Group() {
+        super();
+    }
+
+    public List<GroupMembership> getMemberships() {
+        if (memberships == null) {
+            return null;
+        } else {
+            return Collections.unmodifiableList(memberships);
+        }
+    }
+
+    protected void setMemberships(final List<GroupMembership> memberships) {
+        this.memberships = memberships;
+    }
+
+    protected void addMembership(final GroupMembership member) {
+        memberships.add(member);
+    }
+
+    protected void removeMembership(final GroupMembership member) {
+        memberships.remove(member);
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+        if (obj == null) {
+            return false;
+        }
+
+        if (!super.equals(obj)) {
+            return false;
+        }
+
+        if (!(obj instanceof Group)) {
+            return false;
+        }
+        final Group other = (Group) obj;
+        return other.canEqual(this);
+    }
+
+    @Override
+    public boolean canEqual(final Object obj) {
+        return obj instanceof Group;
+    }
+
+    @Override
+    public String toString(final String data) {
+        return super.toString(String.format(", members = { %s }%s",
+                                            Objects.toString(memberships),
+                                            data));
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/GroupManager.java b/ccm-core/src/main/java/org/libreccm/security/GroupManager.java
new file mode 100644
index 000000000..c2e2581a2
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/GroupManager.java
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import java.util.List;
+
+import javax.enterprise.context.RequestScoped;
+import javax.inject.Inject;
+import javax.persistence.EntityManager;
+import javax.persistence.NoResultException;
+import javax.persistence.TypedQuery;
+
+/**
+ * Manager class providing methods for adding and removing members to and from
+ * a group.
+ * 
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@RequestScoped
+public class GroupManager {
+
+    @Inject
+    private GroupRepository groupRepository;
+
+    @Inject
+    private UserRepository userRepository;
+
+    @Inject
+    private EntityManager entityManager;
+
+    /**
+     * Adds a member to group and saves the changed group and user entities.
+     * 
+     * If the user is already a member of the group the method will do nothing.
+     * 
+     * @param user The user to add to a group.
+     * @param group  The group to which the user is added.
+     */
+    public void addMemberToGroup(final User user, final Group group) {
+        if (user == null) {
+            throw new IllegalArgumentException(
+                "Can't add null as user to a group.");
+        }
+
+        if (group == null) {
+            throw new IllegalArgumentException("Can't add a user to group null");
+        }
+
+        if (isMemberOfGroup(user, group)) {
+            return;
+        }
+
+        final GroupMembership membership = new GroupMembership();
+        membership.setGroup(group);
+        membership.setMember(user);
+
+        group.addMembership(membership);
+        user.addGroupMembership(membership);
+
+        entityManager.persist(membership);
+        groupRepository.save(group);
+        userRepository.save(user);
+    }
+
+    /**
+     * Removes a member from a group and saves the changed group an user 
+     * entities. 
+     * 
+     * If the provided {@code User} is not a member of the provided 
+     * {@code Group} the method does nothing.
+     * 
+     * @param member The user to remove from the group.
+     * @param group The group from which the user is removed.
+     */
+    public void removeMemberFromGroup(final User member, final Group group) {
+        if (member == null) {
+            throw new IllegalArgumentException(
+                "Can't add null as user to a group.");
+        }
+
+        if (group == null) {
+            throw new IllegalArgumentException("Can't add a user to group null");
+        }
+        
+        final TypedQuery<GroupMembership> query = entityManager
+            .createNamedQuery("GroupMembership.findByGroupAndUser",
+                              GroupMembership.class);
+        query.setParameter("member", member);
+        query.setParameter("group", group);
+
+        final GroupMembership delete;
+        try {
+            delete = query.getSingleResult();
+        } catch (NoResultException ex) {
+            return;
+        }
+
+        group.removeMembership(delete);
+        member.removeGroupMembership(delete);
+        entityManager.remove(delete);
+        groupRepository.save(group);
+        userRepository.save(member);
+    }
+
+    /**
+     * Determins if the provided {@link User} is a member of the provided
+     * {@code Group}.
+     * 
+     * @param member 
+     * @param group
+     * @return {@code true} if the provided {@code User} is member of the 
+     * provided {@code Group}, {@code false} if not.
+     */
+    public boolean isMemberOfGroup(final User member, final Group group) {
+
+        final TypedQuery<GroupMembership> query = entityManager
+            .createNamedQuery("GroupMembership.findByGroupAndUser",
+                              GroupMembership.class);
+        query.setParameter("member", member);
+        query.setParameter("group", group);
+
+        final List<GroupMembership> result = query.getResultList();
+        return !result.isEmpty();
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/GroupMembership.java b/ccm-core/src/main/java/org/libreccm/security/GroupMembership.java
new file mode 100644
index 000000000..f8cd0644b
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/GroupMembership.java
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import static org.libreccm.core.CoreConstants.*;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.JoinColumn;
+import javax.persistence.ManyToOne;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.Table;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlTransient;
+
+/**
+ * A association class representing the assoication between a {@link User} and
+ * a {@code Group}.
+ * 
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Entity
+@Table(name = "GROUP_MEMBERSHIPS", schema = DB_SCHEMA)
+@NamedQueries({
+    @NamedQuery(name = "GroupMembership.findByGroupAndUser",
+                query = "SELECT m FROM GroupMembership m "
+                            + "WHERE m.member = :member AND m.group = :group")})
+@XmlRootElement(name = "group-membership", namespace = CORE_XML_NS)
+public class GroupMembership implements Serializable {
+
+    private static final long serialVersionUID = 83192968306850665L;
+
+    @Id
+    @Column(name = "MEMBERSHIP_ID")
+    @GeneratedValue(strategy = GenerationType.AUTO)
+    @XmlElement(name = "membership-id", namespace = CORE_XML_NS)
+    private long membershipId;
+
+    @ManyToOne
+    @JoinColumn(name = "GROUP_ID")
+    @XmlTransient
+    private Group group;
+
+    @ManyToOne
+    @JoinColumn(name = "MEMBER_ID")
+    @XmlTransient
+    private User member;
+
+    public long getMembershipId() {
+        return membershipId;
+    }
+
+    protected void setMembershipId(final long membershipId) {
+        this.membershipId = membershipId;
+    }
+
+    public Group getGroup() {
+        return group;
+    }
+
+    protected void setGroup(final Group group) {
+        this.group = group;
+    }
+
+    public User getMember() {
+        return member;
+    }
+
+    protected void setMember(final User member) {
+        this.member = member;
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = 3;
+        hash = 37 * hash
+                   + (int) (this.membershipId ^ (this.membershipId >>> 32));
+        hash = 37 * hash + Objects.hashCode(this.group);
+        hash = 37 * hash + Objects.hashCode(this.member);
+        return hash;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+        if (obj == null) {
+            return false;
+        }
+        if (!(obj instanceof GroupMembership)) {
+            return false;
+        }
+        final GroupMembership other = (GroupMembership) obj;
+        if (!other.canEqual(this)) {
+            return false;
+        }
+
+        if (this.membershipId != other.getMembershipId()) {
+            return false;
+        }
+        if (!Objects.equals(this.group, other.getGroup())) {
+            return false;
+        }
+        return Objects.equals(this.member, other.getMember());
+    }
+
+    public boolean canEqual(final Object obj) {
+        return obj instanceof GroupMembership;
+    }
+
+    @Override
+    public String toString() {
+        return String.format("%s{ "
+                                 + "membershipId = %d, "
+                                 + "user = %s, "
+                                 + "group = %s, "
+                                 + " },",
+                             super.toString(),
+                             membershipId,
+                             Objects.toString(member),
+                             Objects.toString(group));
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/GroupRepository.java b/ccm-core/src/main/java/org/libreccm/security/GroupRepository.java
new file mode 100644
index 000000000..7e3652c25
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/GroupRepository.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import java.util.List;
+import javax.enterprise.context.RequestScoped;
+import javax.persistence.TypedQuery;
+import org.libreccm.core.AbstractEntityRepository;
+
+/**
+ * Repository for groups.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@RequestScoped
+public class GroupRepository extends AbstractEntityRepository<Long, Group> {
+
+    @Override
+    public Class<Group> getEntityClass() {
+        return Group.class;
+    }
+
+    @Override
+    public boolean isNew(final Group entity) {
+        if (entity == null) {
+            throw new IllegalArgumentException("Can't save null");
+        }
+
+        return entity.getPartyId() == 0;
+    }
+
+    /**
+     * Finds a group by its name.
+     *
+     * @param name The name of the group to find.
+     *
+     * @return The group identified by the provided name. If there multiple
+     *         groups with the provided name only the first one is returned. If
+     *         there is no group identified by the provided name {@code null} is
+     *         returned.
+     */
+    public Group findByName(final String name) {
+        final TypedQuery<Group> query = getEntityManager().createNamedQuery(
+            "Group.findByName", Group.class);
+        query.setParameter("name", name);
+        final List<Group> result = query.getResultList();
+        if (result.isEmpty()) {
+            return null;
+        } else {
+            return result.get(0);
+        }
+    }
+
+    /**
+     * Tries to find a group which name contains a provided token.
+     *
+     * @param name The name or part of the name of the group to find.
+     *
+     * @return A list of a matching groups.
+     */
+    public List<Group> searchGroupByName(final String name) {
+        final TypedQuery<Group> query = getEntityManager().createNamedQuery(
+            "Group.searchByName", Group.class);
+        query.setParameter("name", name);
+        return query.getResultList();
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/InheritsPermissions.java b/ccm-core/src/main/java/org/libreccm/security/InheritsPermissions.java
new file mode 100644
index 000000000..abab64f3c
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/InheritsPermissions.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import org.libreccm.core.CcmObject;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+public interface InheritsPermissions {
+    
+    CcmObject getParent();
+    
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/Party.java b/ccm-core/src/main/java/org/libreccm/security/Party.java
new file mode 100644
index 000000000..c5cba8d6b
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/Party.java
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import static org.libreccm.core.CoreConstants.*;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Objects;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Inheritance;
+import javax.persistence.InheritanceType;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.OneToMany;
+import javax.persistence.Table;
+import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElementWrapper;
+
+/**
+ * Party is a base class for {@link User} and {@link Group} defining some common
+ * characteristics and associations, especially the association to
+ * {@link Role}s.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Entity
+@Table(name = "PARTIES", schema = DB_SCHEMA)
+@Inheritance(strategy = InheritanceType.JOINED)
+@NamedQueries({
+    @NamedQuery(name = "Party.findByName",
+                query = "SELECT p FROM Party p WHERE p.name = :name")
+})
+public class Party implements Serializable {
+
+    private static final long serialVersionUID = 3319997992281332204L;
+
+    @Id
+    @Column(name = "PARTY_ID")
+    @GeneratedValue(strategy = GenerationType.AUTO)
+    private long partyId;
+
+    /**
+     * The name of the party. Must only contain the letters a to z and A to Z, 
+     * the numbers 0 to 9 the {@code -} (dash) and the {@code _} (underscore).
+     */
+    @Column(name = "NAME", length = 256, nullable = false)
+    @NotNull
+    @Pattern(regexp = "[a-zA-Z0-9\\-_]*")
+    private String name;
+
+    /**
+     * The role memberships the party.
+     */
+    @OneToMany(mappedBy = "member")
+    @XmlElementWrapper(name = "role-memberships", namespace = CORE_XML_NS)
+    @XmlElement(name = "role-membership", namespace = CORE_XML_NS)
+    private List<RoleMembership> roleMemberships = new ArrayList<>();
+
+    protected Party() {
+        super();
+    }
+
+    public long getPartyId() {
+        return partyId;
+    }
+
+    protected void setPartyId(final long partyId) {
+        this.partyId = partyId;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(final String name) {
+        this.name = name;
+    }
+
+    public List<RoleMembership> getRoleMemberships() {
+        if (roleMemberships == null) {
+            return null;
+        } else {
+            return Collections.unmodifiableList(roleMemberships);
+        }
+    }
+
+    protected void setRoleMemberships(final List<RoleMembership> roleMemberships) {
+        this.roleMemberships = roleMemberships;
+    }
+
+    protected void addRoleMembership(final RoleMembership roleMembership) {
+        roleMemberships.add(roleMembership);
+    }
+
+    protected void removeRoleMembership(final RoleMembership roleMembership) {
+        roleMemberships.remove(roleMembership);
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = 3;
+        hash = 37 * hash + (int) (partyId ^ (partyId >>> 32));
+        hash = 37 * hash + Objects.hashCode(name);
+        return hash;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+        if (obj == null) {
+            return false;
+        }
+        if (!(obj instanceof Party)) {
+            return false;
+        }
+        final Party other = (Party) obj;
+        if (!other.canEqual(this)) {
+            return false;
+        }
+
+        if (partyId != other.getPartyId()) {
+            return false;
+        }
+
+        return Objects.equals(name, other.getName());
+    }
+
+    public boolean canEqual(final Object obj) {
+        return obj instanceof Party;
+    }
+
+    @Override
+    public final String toString() {
+        return toString("");
+    }
+
+    public String toString(final String data) {
+        return String.format("%s{ "
+                                 + "partyId = %d, "
+                                 + "name = \"%s\", "
+                                 + "roles = { %s }%s"
+                                 + " }",
+                             super.toString(),
+                             partyId,
+                             name,
+                             Objects.toString(roleMemberships),
+                             data);
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/PartyRepository.java b/ccm-core/src/main/java/org/libreccm/security/PartyRepository.java
new file mode 100644
index 000000000..e94961561
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/PartyRepository.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import javax.enterprise.context.RequestScoped;
+
+import org.libreccm.core.AbstractEntityRepository;
+
+import java.util.List;
+
+import javax.persistence.TypedQuery;
+
+/**
+ * Repository class for parties.
+ * 
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@RequestScoped
+public class PartyRepository extends AbstractEntityRepository<Long, Party> {
+
+    @Override
+    public Class<Party> getEntityClass() {
+        return Party.class;
+    }
+
+    @Override
+    public boolean isNew(final Party entity) {
+        if (entity == null) {
+            throw new IllegalArgumentException("Can't save null");
+        }
+        return entity.getPartyId() == 0;
+    }
+
+    /**
+     * Finds a party (which can be a user or group) by its name.
+     * 
+     * @param name
+     * @return 
+     */
+    public Party findByName(final String name) {
+        final TypedQuery<Party> query = getEntityManager().createNamedQuery(
+            "Party.findByName", Party.class);
+        query.setParameter("name", name);
+        
+        final List<Party> result = query.getResultList();
+        if (result.isEmpty()) {
+            return null;
+        } else {
+            return result.get(0);
+        }
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/Permission.java b/ccm-core/src/main/java/org/libreccm/security/Permission.java
new file mode 100644
index 000000000..f32a7f79b
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/Permission.java
@@ -0,0 +1,252 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import static org.libreccm.core.CoreConstants.*;
+
+import org.libreccm.core.CcmObject;
+
+import java.io.Serializable;
+import java.util.Date;
+import java.util.Objects;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.JoinColumn;
+import javax.persistence.ManyToOne;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.OneToOne;
+import javax.persistence.Table;
+import javax.persistence.Temporal;
+import javax.persistence.TemporalType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+
+/**
+ * A permission grants a privilege on an object or systemwide to {@link Role}.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Entity
+@Table(name = "PERMISSIONS", schema = DB_SCHEMA)
+@NamedQueries({
+    @NamedQuery(name = "Permission.existsForPrivilegeRoleObject",
+                query = "SELECT COUNT(p) FROM Permission p "
+                            + "WHERE p.grantedPrivilege = :privilege "
+                            + "AND p.grantee = :grantee "
+                            + "AND p.object = :object"),
+    @NamedQuery(name = "Permission.existsForPrivilegeAndRole",
+                query = "SELECT count(p) FROM Permission p "
+                            + "WHERE p.grantedPrivilege = :privilege "
+                            + "AND p.grantee = :grantee "
+                            + "AND p.object IS NULL"),
+    @NamedQuery(name = "Permission.findPermissionsForRole",
+                query = "SELECT p FROM Permission p "
+                            + "WHERE p.grantee = :grantee"),
+    @NamedQuery(name = "Permission.findPermissionsForCcmObject",
+                query = "SELECT p FROM Permission p "
+                            + "WHERE p.object = :object")
+})
+@XmlRootElement(name = "permission", namespace = CORE_XML_NS)
+public class Permission implements Serializable {
+
+    private static final long serialVersionUID = -5178045844045517958L;
+
+    /**
+     * The database id of the permission.
+     */
+    @Id
+    @Column(name = "PERMISSION_ID")
+    @GeneratedValue(strategy = GenerationType.AUTO)
+    @XmlElement(name = "permission-id", namespace = CORE_XML_NS)
+    private long permissionId;
+
+    /**
+     * The granted privilege.
+     */
+    @Column(name = "granted_privilege")
+    @XmlElement(name = "privilege", namespace = CORE_XML_NS)
+    private String grantedPrivilege;
+
+    /**
+     * The object on which the privilege is granted. My be {@code null}.
+     */
+    @OneToOne
+    @JoinColumn(name = "OBJECT_ID")
+    private CcmObject object;
+
+    /**
+     * The role to which the permission is granted.
+     */
+    @ManyToOne
+    @JoinColumn(name = "GRANTEE_ID")
+    private Role grantee;
+
+    /**
+     * The {@link User} which created this {@code Permission}. The property can
+     * be {@code null} if this {@code Permission} was created by a system
+     * process.
+     */
+    @ManyToOne
+    @JoinColumn(name = "CREATION_USER_ID")
+    @XmlElement(name = "creation-user", namespace = CORE_XML_NS)
+    private User creationUser;
+
+    /**
+     * The date and time on which this {@code Permission} was created. This
+     * property can be {@code null} if this {@code Permission} was created by a
+     * system process.
+     */
+    @Column(name = "CREATION_DATE")
+    @Temporal(TemporalType.TIMESTAMP)
+    @XmlElement(name = "creation-date", namespace = CORE_XML_NS)
+    private Date creationDate;
+
+    /**
+     * The IP of the system from which this {@code Permission} was created. This
+     * property can be {@code null} if this {@code Permission} was created by a
+     * system process.
+     */
+    @Column(name = "CREATION_IP")
+    @XmlElement(name = "creation-ip", namespace = CORE_XML_NS)
+    private String creationIp;
+
+    protected Permission() {
+        //Nothing
+    }
+
+    public long getPermissionId() {
+        return permissionId;
+    }
+
+    protected void setPermissionId(final long permissionId) {
+        this.permissionId = permissionId;
+    }
+
+    public String getGrantedPrivilege() {
+        return grantedPrivilege;
+    }
+
+    public void setGrantedPrivilege(final String grantedPrivilege) {
+        this.grantedPrivilege = grantedPrivilege;
+    }
+
+    public CcmObject getObject() {
+        return object;
+    }
+
+    public void setObject(final CcmObject object) {
+        this.object = object;
+    }
+
+    public Role getGrantee() {
+        return grantee;
+    }
+
+    public void setGrantee(final Role grantee) {
+        this.grantee = grantee;
+    }
+
+    public User getCreationUser() {
+        return creationUser;
+    }
+
+    public void setCreationUser(final User creationUser) {
+        this.creationUser = creationUser;
+    }
+
+    public Date getCreationDate() {
+        if (creationDate == null) {
+            return null;
+        } else {
+            return new Date(creationDate.getTime());
+        }
+    }
+
+    public void setCreationDate(final Date creationDate) {
+        this.creationDate = new Date(creationDate.getTime());
+    }
+
+    public String getCreationIp() {
+        return creationIp;
+    }
+
+    public void setCreationIp(final String creationIp) {
+        this.creationIp = creationIp;
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = 3;
+        hash = 97 * hash + (int) (permissionId ^ (permissionId >>> 32));
+        hash = 97 * hash + Objects.hashCode(grantedPrivilege);
+        hash = 97 * hash + Objects.hashCode(creationDate);
+        hash = 97 * hash + Objects.hashCode(creationIp);
+        return hash;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+        if (obj == null) {
+            return false;
+        }
+        if (!(obj instanceof Permission)) {
+            return false;
+        }
+        final Permission other = (Permission) obj;
+        if (!other.canEqual(this)) {
+            return false;
+        }
+
+        if (permissionId != other.getPermissionId()) {
+            return false;
+        }
+        if (!Objects.equals(grantedPrivilege, other.getGrantedPrivilege())) {
+            return false;
+        }
+        if (!Objects.equals(creationDate, other.getCreationDate())) {
+            return false;
+        }
+        
+        return Objects.equals(creationIp, other.getCreationIp());
+    }
+
+    public boolean canEqual(final Object obj) {
+        return obj instanceof Permission;
+    }
+
+    @Override
+    public String toString() {
+        return String.format("%s{ "
+                                 + "permissionId = %d, "
+                                 + "grantedPrivilege = { %s }, "
+                                 + "creationDate = %tF %<tT, "
+                                 + "creationIp = %s }",
+                             super.toString(),
+                             permissionId,
+                             Objects.toString(grantedPrivilege),
+                             creationDate,
+                             creationIp);
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/PermissionChecker.java b/ccm-core/src/main/java/org/libreccm/security/PermissionChecker.java
new file mode 100644
index 000000000..5e0ec81ff
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/PermissionChecker.java
@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import org.apache.shiro.authz.AuthorizationException;
+import org.apache.shiro.subject.Subject;
+import org.libreccm.core.CcmObject;
+
+import javax.enterprise.context.RequestScoped;
+import javax.inject.Inject;
+
+/**
+ * An utility class for checking permissions. Uses the current {@link Subject}
+ * as provided by the {@link Shiro} bean.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@RequestScoped
+public class PermissionChecker {
+
+    /**
+     * The current subject as provided by {@link Shiro#getSubject()}.
+     */
+    @Inject
+    private transient Subject subject;
+
+    @Inject
+    private transient Shiro shiro;
+
+    /**
+     * Checks if the current subject has a permission granting the provided
+     * privilege.
+     *
+     * @param privilege The privilege granted by the permission.
+     *
+     * @return {@code true} if the current subject has as permission granting
+     * the provided {@code privilege}, {@code false} otherwise.
+     */
+    public boolean isPermitted(final String privilege) {
+        if (subject.isAuthenticated()) {
+            return subject.isPermitted(generatePermissionString(privilege));
+        } else {
+            return shiro.getPublicUser().isPermitted(generatePermissionString(
+                    privilege));
+        }
+    }
+
+    /**
+     * Checks if the current subject has a permission granting the provided
+     * privilege on the provided object or its parent object(s) if the object
+     * implements the {@link InheritsPermissions} interface.
+     *
+     * @param privilege The granted privilege.
+     * @param object The object on which the privilege is granted.
+     *
+     * @return {@code true} if the there is a permission granting the provided
+     * {@code privilege} on the provided {@code subject}.
+     */
+    public boolean isPermitted(final String privilege, final CcmObject object) {
+        final boolean result;
+        if (subject.isAuthenticated()) {
+            result = subject.isPermitted(generatePermissionString(
+                    privilege, object));
+        } else {
+            result = shiro.getPublicUser().isPermitted(generatePermissionString(
+                    privilege, object));
+        }
+        if (result) {
+            return result;
+        } else if (object instanceof InheritsPermissions) {
+            if (((InheritsPermissions) object).getParent() == null) {
+                return result;
+            } else {
+                return isPermitted(privilege,
+                                   ((InheritsPermissions) object).getParent());
+            }
+        } else {
+            return result;
+        }
+    }
+
+    /**
+     * Checks if the current subject has a permission granting the provided
+     * privilege. If the current subject does not have a permission granting the
+     * privilege an {@link AuthorizationExeeption} is thrown.
+     *
+     * @param privilege The privilege to check for.
+     * @throws AuthorizationException If the current subject has not permission
+     * granting the provided privilege.
+     */
+    public void checkPermission(final String privilege)
+            throws AuthorizationException {
+        if (subject.isAuthenticated()) {
+            subject.checkPermission(generatePermissionString(privilege));
+        } else {
+            shiro.getPublicUser().checkPermission(generatePermissionString(
+                    privilege));
+        }
+    }
+
+    /**
+     * Checks if the current subject has a permission granting the provided
+     * privilege on the provided object. If there is a permission which grants
+     * the current subject the provided privilege on the provided object the
+     * method returns the object. Otherwise an {@link AuthorizationException} is
+     * thrown. This also the use this method in methods which are loading
+     * objects from the database like this
+     * <pre>
+     *    public CcmObject findBy(...) {
+     *        // Do JPA stuff
+     *
+     *        return permissionChecker.checkPermission($privilege, object);
+     *    }
+     * </pre>
+     *
+     * If the object implements the {@link InheritsPermissions} interface the
+     * method also checks the parent objects for a permission granting the
+     * provided privilege.
+     *
+     * @param privilege The privilige to check for.
+     * @param object The object on which the privilege is granted.
+     * @return Th provided object if there is permission granting the current
+     * subject the provided privilege on the object.
+     * @throws AuthorizationException If there is not permission granting the
+     * current subject the provided privilege on the provided object.
+     */
+    public CcmObject checkPermission(final String privilege,
+                                     final CcmObject object)
+            throws AuthorizationException {
+        if (object instanceof InheritsPermissions) {
+            final boolean result = isPermitted(privilege, object);
+
+            if (result) {
+                subject.checkPermission(generatePermissionString(privilege,
+                                                                 object));
+            } else if (((InheritsPermissions) object).getParent() == null) {
+                subject.checkPermission(generatePermissionString(privilege,
+                                                                 object));
+            } else {
+                checkPermission(privilege,
+                                ((InheritsPermissions) object).getParent());
+            }
+        } else if (subject.isAuthenticated()) {
+            subject.checkPermission(generatePermissionString(privilege, object));
+        } else {
+            shiro.getPublicUser().checkPermission(generatePermissionString(
+                    privilege, object));
+        }
+
+        return object;
+    }
+
+    /**
+     * Helper method for converting a privilege into a permission string.
+     *
+     * @param privilege
+     * @return
+     */
+    public String generatePermissionString(final String privilege) {
+        return privilege;
+    }
+
+    /**
+     * Helper method for converting a privilege into a permission string.
+     *
+     * @param privilege
+     * @param object
+     * @return
+     */
+    public String generatePermissionString(final String privilege,
+                                           final CcmObject object) {
+        return String.format("%s:%d", privilege, object.getObjectId());
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/PermissionManager.java b/ccm-core/src/main/java/org/libreccm/security/PermissionManager.java
new file mode 100644
index 000000000..cd892004f
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/PermissionManager.java
@@ -0,0 +1,258 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import java.util.List;
+
+import javax.inject.Inject;
+import javax.persistence.EntityManager;
+import javax.persistence.Query;
+import javax.persistence.TypedQuery;
+
+import org.libreccm.core.CcmObject;
+
+import javax.enterprise.context.RequestScoped;
+
+/**
+ * Manager class for granting and revoking permissions.
+ * 
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@RequestScoped
+public class PermissionManager {
+
+    private static final String QUERY_PARAM_OBJECT = "object";
+    private static final String QUERY_PARAM_GRANTEE = "grantee";
+    private static final String QUERY_PARAM_PRIVILEGE = "privilege";
+
+    
+    @Inject
+    private EntityManager entityManager;
+
+    /**
+     * Grants a privilege on an object to a role.  If the privilege was already 
+     * granted, the method does nothing.
+     * 
+     * @param privilege The privilege to grant.
+     * @param grantee The role to which the privilege is granted.
+     * @param object The object on which the privilege is granted.
+     */
+    public void grantPrivilege(final String privilege,
+                               final Role grantee,
+                               final CcmObject object) {
+        if (privilege == null || privilege.isEmpty()) {
+            throw new IllegalArgumentException(
+                "Can't grant a permission without a privilege.");
+        }
+
+        if (grantee == null) {
+            throw new IllegalArgumentException(
+                "Can't grant a permission to grantee null.");
+        }
+        
+        if (object == null) {
+            throw new IllegalArgumentException(
+                "Can't grant a permission on object NULL.");
+        }
+
+        if (!existsPermission(privilege, grantee, object)) {
+            final Permission permission = new Permission();
+            permission.setGrantee(grantee);
+            permission.setGrantedPrivilege(privilege);
+            permission.setObject(object);
+
+            entityManager.persist(permission);
+        }
+    }
+
+    /**
+     * Grants a privilege to a role. If the privilege was already granted, the 
+     * method does nothing.
+     * 
+     * @param privilege The privilege to grant.
+     * @param grantee The role to which the privilege is granted.
+     */
+    public void grantPrivilege(final String privilege,
+                               final Role grantee) {
+        if (privilege == null || privilege.isEmpty()) {
+            throw new IllegalArgumentException(
+                "Can't grant a permission without a privilege.");
+        }
+
+        if (grantee == null) {
+            throw new IllegalArgumentException(
+                "Can't grant a permission to grantee null.");
+        }
+
+        if (!existsPermission(privilege, grantee)) {
+            final Permission permission = new Permission();
+            permission.setGrantee(grantee);
+            permission.setGrantedPrivilege(privilege);
+            permission.setObject(null);
+
+            entityManager.persist(permission);
+        }
+    }
+
+    /**
+     * Revokes the permissions granting a privilege on an object from a role.
+     * If no matching permission exists the method will do nothing.
+     * 
+     * @param privilege The privilege granted by the permission to revoke.
+     * @param grantee The role to which the privilege was granted.
+     * @param object The object on which the privilege was granted.
+     */
+    public void revokePrivilege(final String privilege,
+                                final Role grantee,
+                                final CcmObject object) {
+        if (privilege == null || privilege.isEmpty()) {
+            throw new IllegalArgumentException(
+                "Can't revoke a permission without a privilege.");
+        }
+
+        if (grantee == null) {
+            throw new IllegalArgumentException(
+                "Can't revoke a permission from grantee null.");
+        }
+        
+        if (object == null) {
+            throw new IllegalArgumentException(
+                "Can't revoke a permission from object NULL.");
+        }
+
+        if (existsPermission(privilege, grantee, object)) {
+            final Query query = entityManager.createQuery(
+                "DELETE FROM Permission p "
+                    + "WHERE p.grantedPrivilege = :privilege "
+                    + "AND p.grantee = :grantee "
+                    + "AND p.object = :object");
+            query.setParameter(QUERY_PARAM_PRIVILEGE, privilege);
+            query.setParameter(QUERY_PARAM_GRANTEE, grantee);
+            query.setParameter(QUERY_PARAM_OBJECT, object);
+            query.executeUpdate();
+        }
+    }
+    
+     /**
+     * Revokes the permissions granting a privilege from a role.
+     * If no matching permission exists the method will do nothing.
+     * 
+     * @param privilege The privilege granted by the permission to revoke.
+     * @param grantee The role to which the privilege was granted.
+     */
+    public void revokePrivilege(final String privilege,
+                                final Role grantee) {
+        if (privilege == null || privilege.isEmpty()) {
+            throw new IllegalArgumentException(
+                "Can't revoke a permission without a privilege.");
+        }
+
+        if (grantee == null) {
+            throw new IllegalArgumentException(
+                "Can't revoke a permission from grantee null.");
+        }
+
+        if (existsPermission(privilege, grantee)) {
+            final Query query = entityManager.createQuery(
+                "DELETE FROM Permission p "
+                    + "WHERE p.grantedPrivilege = :privilege "
+                    + "AND p.grantee = :grantee "
+                    + "AND p.object IS NULL");
+            query.setParameter(QUERY_PARAM_PRIVILEGE, privilege);
+            query.setParameter(QUERY_PARAM_GRANTEE, grantee);
+            query.executeUpdate();
+        }
+    }
+
+    /**
+     * Copy the permissions from on {@link CcmObject} to another. The 
+     * permissions granted on the {@code target} object will not be removed. 
+     * Instead the permissions from {@code source} object are added the the 
+     * permissions.
+     * 
+     * 
+     * @param source
+     * @param target 
+     */
+    public void copyPermissions(final CcmObject source,
+                                final CcmObject target) {
+        if (source == null) {
+            throw new IllegalArgumentException(
+                "Can't copy permissions from source NULL.");
+        }
+        
+        if (target == null) {
+            throw new IllegalArgumentException(
+                "Can't copy permissions to target NULL.");
+        }
+
+        final TypedQuery<Permission> query = entityManager.createNamedQuery(
+            "Permission.findPermissionsForCcmObject", Permission.class);
+        query.setParameter(QUERY_PARAM_OBJECT, source);
+        final List<Permission> result = query.getResultList();
+
+        for (final Permission permission : result) {
+            grantPrivilege(permission.getGrantedPrivilege(),
+                           permission.getGrantee(),
+                           target);
+        }
+    }
+
+    /**
+     * Checks if a permission granting the provided {@code privilege} on the
+     * provided {@code object} to the provided {@code role} exists.
+     * 
+     * @param privilege The privilege granted by the permission.
+     * @param grantee The role to which the privilege was granted.
+     * @param object The object on which the privilege is granted.
+     * @return {@code true} if there is a matching permission, {@code false} if
+     * not.
+     */
+    private boolean existsPermission(final String privilege,
+                                     final Role grantee,
+                                     final CcmObject object) {
+        final TypedQuery<Long> query = entityManager.createNamedQuery(
+            "Permission.existsForPrivilegeRoleObject", Long.class);
+        query.setParameter(QUERY_PARAM_PRIVILEGE, privilege);
+        query.setParameter(QUERY_PARAM_GRANTEE, grantee);
+        query.setParameter(QUERY_PARAM_OBJECT, object);
+
+        return query.getSingleResult() > 0;
+    }
+
+    /**
+     * Checks if a permission granting the provided {@code privilege}to the 
+     * provided {@code role} exists.
+     * 
+     * @param privilege The privilege granted by the permission.
+     * @param grantee The role to which the privilege was granted.
+     * @return {@code true} if there is a matching permission, {@code false} if
+     * not.
+     */
+    private boolean existsPermission(final String privilege,
+                                     final Role grantee) {
+        final TypedQuery<Long> query = entityManager.createNamedQuery(
+            "Permission.existsForPrivilegeAndRole", Long.class);
+        query.setParameter(QUERY_PARAM_PRIVILEGE, privilege);
+        query.setParameter(QUERY_PARAM_GRANTEE, grantee);
+
+        return query.getSingleResult() > 0;
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/Role.java b/ccm-core/src/main/java/org/libreccm/security/Role.java
new file mode 100644
index 000000000..a8a0705c5
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/Role.java
@@ -0,0 +1,203 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import static org.libreccm.core.CoreConstants.*;
+
+import org.hibernate.validator.constraints.NotBlank;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Objects;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.OneToMany;
+import javax.persistence.Table;
+import javax.validation.constraints.Pattern;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElementWrapper;
+import javax.xml.bind.annotation.XmlRootElement;
+
+/**
+ * A role is basically a collection a {@link Permission}s and {@code Task}s.
+ * 
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Entity
+@Table(name = "CCM_ROLES", schema = DB_SCHEMA)
+@NamedQueries({
+    @NamedQuery(name = "Role.findByName",
+                query = "SELECT r FROM Role r "
+                            + "WHERE r.name = :name")
+})
+@XmlRootElement(name = "role", namespace = CORE_XML_NS)
+@SuppressWarnings({"PMD.ShortClassName"})
+public class Role implements Serializable {
+
+    private static final long serialVersionUID = -7121296514181469687L;
+
+    @Id
+    @Column(name = "ROLE_ID")
+    @GeneratedValue(strategy = GenerationType.AUTO)
+    @XmlElement(name = "role-id", namespace = CORE_XML_NS)
+    private long roleId;
+
+    /**
+     * The name of the role. May only contain the letters a to z, A to Z, the
+     * numbers 0 to 9, the {@code -} (dash) and the {@code _} (underscore).
+     */
+    @Column(name = "NAME", length = 512, nullable = false)
+    @NotBlank
+    @Pattern(regexp = "[a-zA-Z0-9\\-_]*")
+    @XmlElement(name = "name", namespace = CORE_XML_NS)
+    private String name;
+
+    /**
+     * All memberships of the roles.
+     */
+    @OneToMany(mappedBy = "role")
+    @XmlElementWrapper(name = "role-memberships", namespace = CORE_XML_NS)
+    @XmlElement(name = "role-membership", namespace = CORE_XML_NS)
+    private List<RoleMembership> memberships = new ArrayList<>();
+    
+    /**
+     * Permissions granted to the role.
+     */
+    @OneToMany(mappedBy = "grantee")
+    @XmlElementWrapper(name = "permissions", namespace = CORE_XML_NS)
+    @XmlElement(name = "permission", namespace = CORE_XML_NS)
+    private List<Permission> permissions = new ArrayList<>();
+
+    protected Role() {
+        super();
+    }
+
+    public long getRoleId() {
+        return roleId;
+    }
+
+    protected void setRoleId(final long roleId) {
+        this.roleId = roleId;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(final String name) {
+        this.name = name;
+    }
+
+    public List<RoleMembership> getMemberships() {
+        if (memberships == null) {
+            return null;
+        } else {
+            return Collections.unmodifiableList(memberships);
+        }
+    }
+    
+    protected void setMemberships(final List<RoleMembership> memberships) {
+        this.memberships = memberships;
+    }
+    
+    protected void addMembership(final RoleMembership membership) {
+        memberships.add(membership);
+    }
+    
+    protected void removeMembership(final RoleMembership membership) {
+        memberships.remove(membership);
+    }
+    
+    public List<Permission> getPermissions() {
+        if (permissions == null) {
+            return null;
+        } else {
+            return Collections.unmodifiableList(permissions);
+        }
+    }
+
+    protected void setPermissions(final List<Permission> permissions) {
+        this.permissions = permissions;
+    }
+
+    protected void addPermission(final Permission permission) {
+        permissions.add(permission);
+    }
+
+    protected void removePermission(final Permission permission) {
+        permissions.remove(permission);
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = 7;
+        hash = 53 * hash + (int) (roleId ^ (roleId >>> 32));
+        hash = 53 * hash + Objects.hashCode(name);
+        hash = 53 * hash + Objects.hashCode(permissions);
+        return hash;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+        if (obj == null) {
+            return false;
+        }
+        if (!(obj instanceof Role)) {
+            return false;
+        }
+        final Role other = (Role) obj;
+        if (!other.canEqual(this)) {
+            return false;
+        }
+
+        if (roleId != other.getRoleId()) {
+            return false;
+        }
+        if (!Objects.equals(name, other.getName())) {
+            return false;
+        }
+        return Objects.equals(permissions, other.getPermissions());
+    }
+
+    public boolean canEqual(final Object obj) {
+        return obj instanceof Role;
+    }
+
+    @Override
+    public String toString() {
+        return String.format("%s{ "
+                                 + "roldId = %d, "
+                                 + "name = \"%s\", "
+                                 + "permissions = { %s }"
+                                 + " }",
+                             super.toString(),
+                             roleId,
+                             name,
+                             Objects.toString(permissions));
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/RoleManager.java b/ccm-core/src/main/java/org/libreccm/security/RoleManager.java
new file mode 100644
index 000000000..6eaf01cfa
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/RoleManager.java
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import java.util.List;
+
+import javax.enterprise.context.RequestScoped;
+import javax.inject.Inject;
+import javax.persistence.EntityManager;
+import javax.persistence.NoResultException;
+import javax.persistence.TypedQuery;
+
+/**
+ * Manager for roles providing methods for assigning the role the {@link Party}
+ * entities and for removing them.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@RequestScoped
+public class RoleManager {
+
+    @Inject
+    private RoleRepository roleRepository;
+
+    @Inject
+    private PartyRepository partyRepository;
+
+    @Inject
+    private EntityManager entityManager;
+
+    /**
+     * Assigns a role to a party and saves the changed {@code Role} and
+     * {@code Party} entities. If the provided {@code role} has already been
+     * assigned to the provided {@code party} the method will to nothing.
+     *
+     * @param role  The role to assign.
+     * @param party The party which to which to role is assigned.
+     */
+    public void assignRoleToParty(final Role role, final Party party) {
+        if (role == null) {
+            throw new IllegalArgumentException("Can't add party to null role");
+        }
+
+        if (party == null) {
+            throw new IllegalArgumentException("Can't add party null to role");
+        }
+
+        if (hasRole(party, role)) {
+            return;
+        }
+
+        final RoleMembership membership = new RoleMembership();
+        membership.setRole(role);
+        membership.setMember(party);
+
+        role.addMembership(membership);
+        party.addRoleMembership(membership);
+
+        entityManager.persist(membership);
+        roleRepository.save(role);
+        partyRepository.save(party);
+    }
+
+    /**
+     * Removes a role from a party and saves the changed {@code Role} and
+     * {@code Party} entities. If the provided {@code role} is not assigned to
+     * the provided {@code party} the method does nothing.
+     *
+     * @param role
+     * @param party
+     */
+    public void removeRoleFromParty(final Role role, final Party party) {
+        if (role == null) {
+            throw new IllegalArgumentException("Can't add party to null role");
+        }
+
+        if (party == null) {
+            throw new IllegalArgumentException("Can't add party null to role");
+        }
+
+        final TypedQuery<RoleMembership> query = entityManager
+            .createNamedQuery("RoleMembership.findByRoleAndMember",
+                              RoleMembership.class);
+        query.setParameter("member", party);
+        query.setParameter("role", role);
+
+        final RoleMembership delete;
+        try {
+            delete = query.getSingleResult();
+        } catch (NoResultException ex) {
+            return;
+        }
+
+        role.removeMembership(delete);
+        party.removeRoleMembership(delete);
+        entityManager.remove(delete);
+        roleRepository.save(role);
+        partyRepository.save(party);
+    }
+
+    /**
+     * Determines if a role is assigned to a party.
+     *  
+     * @param party The party to check.
+     * @param role The role to check.
+     * @return {@code true} if the provided {@code role} is assigned to the
+     * provided {@code party}.
+     */
+    public boolean hasRole(final Party party, final Role role) {
+        final TypedQuery<RoleMembership> query = entityManager
+            .createNamedQuery("RoleMembership.findByRoleAndMember",
+                              RoleMembership.class);
+        query.setParameter("member", party);
+        query.setParameter("role", role);
+
+        final List<RoleMembership> result = query.getResultList();
+        return !result.isEmpty();
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/RoleMembership.java b/ccm-core/src/main/java/org/libreccm/security/RoleMembership.java
new file mode 100644
index 000000000..954e2cf75
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/RoleMembership.java
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import static org.libreccm.core.CoreConstants.*;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.JoinColumn;
+import javax.persistence.ManyToOne;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.Table;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlTransient;
+
+/**
+ * Association class representing the association between a {@link Role} and a
+ * {@code Party}.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Entity
+@Table(name = "ROLE_MEMBERSHIPS", schema = DB_SCHEMA)
+@NamedQueries({
+    @NamedQuery(name = "RoleMembership.findByRoleAndMember",
+                query = "SELECT m FROM RoleMembership m "
+                            + "WHERE m.member = :member AND m.role = :role")
+})
+@XmlRootElement(name = "role-membership", namespace = CORE_XML_NS)
+public class RoleMembership implements Serializable {
+
+    private static final long serialVersionUID = -3049727720697964793L;
+
+    @Id
+    @Column(name = "MEMBERSHIP_ID")
+    @GeneratedValue(strategy = GenerationType.AUTO)
+    @XmlElement(name = "membership-id", namespace = CORE_XML_NS)
+    private long membershipId;
+
+    @ManyToOne
+    @JoinColumn(name = "ROLE_ID")
+    @XmlTransient
+    private Role role;
+
+    @ManyToOne
+    @JoinColumn(name = "MEMBER_ID")
+    @XmlTransient
+    private Party member;
+
+    public long getMembershipId() {
+        return membershipId;
+    }
+
+    protected void setMembershipId(final long membershipId) {
+        this.membershipId = membershipId;
+    }
+
+    public Role getRole() {
+        return role;
+    }
+
+    protected void setRole(final Role role) {
+        this.role = role;
+    }
+
+    public Party getMember() {
+        return member;
+    }
+
+    protected void setMember(final Party member) {
+        this.member = member;
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = 5;
+        hash = 37 * hash
+                   + (int) (membershipId ^ (membershipId >>> 32));
+        hash = 37 * hash + Objects.hashCode(role);
+        hash = 37 * hash + Objects.hashCode(member);
+        return hash;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+        if (obj == null) {
+            return false;
+        }
+
+        if (!(obj instanceof RoleMembership)) {
+            return false;
+        }
+        final RoleMembership other = (RoleMembership) obj;
+        if (!other.canEqual(this)) {
+            return false;
+        }
+
+        if (membershipId != other.getMembershipId()) {
+            return false;
+        }
+        if (!Objects.equals(role, other.getRole())) {
+            return false;
+        }
+        return Objects.equals(member, other.getMember());
+    }
+
+    public boolean canEqual(final Object obj) {
+        return obj instanceof RoleMembership;
+    }
+
+    @Override
+    public String toString() {
+        return String.format("%s{ "
+                                 + "membershipId = %d, "
+                                 + "user = %s, "
+                                 + "role = %s, "
+                                 + " },",
+                             super.toString(),
+                             membershipId,
+                             Objects.toString(member),
+                             Objects.toString(role));
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/RoleRepository.java b/ccm-core/src/main/java/org/libreccm/security/RoleRepository.java
new file mode 100644
index 000000000..4225c1522
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/RoleRepository.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import java.util.List;
+import javax.enterprise.context.RequestScoped;
+import javax.persistence.TypedQuery;
+import org.libreccm.core.AbstractEntityRepository;
+
+/**
+ * Repository class for {@link Role} entities.
+ * 
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@RequestScoped
+public class RoleRepository extends AbstractEntityRepository<Long, Role> {
+
+    @Override
+    public Class<Role> getEntityClass() {
+        return Role.class;
+    }
+
+    @Override
+    public boolean isNew(final Role entity) {
+        if (entity == null) {
+            throw new IllegalArgumentException("Can't save null.");
+        }
+        return entity.getRoleId() == 0;
+    }
+
+    /**
+     * Finds a role a its name.
+     * 
+     * @param name The name of the role to retrieve.
+     * @return The role identified by the provided {@code name} or {@code null}
+     * if there is no matching role.
+     */
+    public Role findByName(final String name) {
+        final TypedQuery<Role> query = getEntityManager().createNamedQuery(
+                "Role.findByName", Role.class);
+        query.setParameter("name", name);
+        final List<Role> result = query.getResultList();
+        if (result.isEmpty()) {
+            return null;
+        } else {
+            return result.get(0);
+        }
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/Shiro.java b/ccm-core/src/main/java/org/libreccm/security/Shiro.java
new file mode 100644
index 000000000..b25ff893a
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/Shiro.java
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import javax.annotation.PostConstruct;
+import javax.enterprise.context.ApplicationScoped;
+import javax.enterprise.inject.Produces;
+import javax.inject.Named;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.config.IniSecurityManagerFactory;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.apache.shiro.subject.SimplePrincipalCollection;
+import org.apache.shiro.subject.Subject;
+
+/**
+ * This application scoped CDI bean acts as bridge between CDI and Shiro. It
+ * initialises the Shiro environment and provides the Shiro
+ * {@link SecurityManager} and the current Shiro {@link Subject} via CDI
+ * producer methods.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@ApplicationScoped
+public class Shiro {
+
+    private static final Logger LOGGER = LogManager.getLogger(
+            Shiro.class);
+
+    /**
+     * Path to the Shiro INI file.
+     */
+    private static final String INI_FILE = "classpath:shiro.ini";
+
+    /**
+     * The Shiro {@code SecurityManager}.
+     */
+    private SecurityManager securityManager;
+
+    /**
+     * Initialises Shiro. The CDI container will call this method after creating
+     * an instance of this bean.
+     */
+    @PostConstruct
+    public void init() {
+        LOGGER.debug("Shiro initialising...");
+        securityManager = new IniSecurityManagerFactory(INI_FILE)
+                .createInstance();
+        LOGGER.debug("Shiro SecurityManager created sucessfully.");
+        SecurityUtils.setSecurityManager(securityManager);
+        LOGGER.debug("Shiro initialised successfully.");
+    }
+
+    /**
+     * Provides access Shiro's {@link SecurityManager}.
+     *
+     * @return The Shiro {@link SecurityManager}.
+     */
+    @Produces
+    @Named("securityManager")
+    public SecurityManager getSecurityManager() {
+        return securityManager;
+    }
+
+    /**
+     * Provides access the the current Shiro {@link Subject}.
+     *
+     * @return The current {@link Subject}.
+     *
+     */
+    @Produces
+    public Subject getSubject() {
+        return SecurityUtils.getSubject();
+    }
+
+    public Subject getPublicUser() {
+        return buildInternalSubject("public-user");
+    }
+
+    public Subject getSystemUser() {
+        return buildInternalSubject("system-user");
+    }
+
+    private Subject buildInternalSubject(final String userName) {
+        final PrincipalCollection principals = new SimplePrincipalCollection(
+                userName, "CcmShiroRealm");
+        final Subject publicUser = new Subject.Builder()
+                .principals(principals)
+                .authenticated(true)
+                .buildSubject();
+
+        return publicUser;
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/SystemUsersSetup.java b/ccm-core/src/main/java/org/libreccm/security/SystemUsersSetup.java
new file mode 100644
index 000000000..55eff0cb3
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/SystemUsersSetup.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import org.libreccm.core.CcmCore;
+import org.libreccm.core.EmailAddress;
+
+import javax.persistence.EntityManager;
+
+/**
+ * Class used by {@link CcmCore#install(org.libreccm.modules.InstallEvent)} to
+ * create the system users.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+public class SystemUsersSetup {
+
+    private final EntityManager entityManager;
+
+    public SystemUsersSetup(final EntityManager entityManager) {
+        this.entityManager = entityManager;
+    }
+
+    public void setupSystemUsers() {
+        final User user = new User();
+        user.setName("public-user");
+        user.setFamilyName("ccm");
+        user.setGivenName("public user");
+        final EmailAddress email = new EmailAddress();
+        email.setAddress("public-user@localhost");
+        user.addEmailAddress(email);
+
+        entityManager.persist(user);
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/User.java b/ccm-core/src/main/java/org/libreccm/security/User.java
new file mode 100644
index 000000000..dc4901dac
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/User.java
@@ -0,0 +1,302 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import static org.libreccm.core.CoreConstants.*;
+
+import org.libreccm.core.EmailAddress;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Objects;
+
+import javax.persistence.AssociationOverride;
+import javax.persistence.CollectionTable;
+import javax.persistence.Column;
+import javax.persistence.ElementCollection;
+import javax.persistence.Embedded;
+import javax.persistence.Entity;
+import javax.persistence.FetchType;
+import javax.persistence.JoinColumn;
+import javax.persistence.JoinTable;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.OneToMany;
+import javax.persistence.Table;
+import javax.validation.constraints.NotNull;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElementWrapper;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlTransient;
+
+/**
+ * A user is a person (or a system) accessing CCM. A user authenticates itself
+ * using a password or other credentials.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Entity
+@Table(name = "USERS", schema = DB_SCHEMA)
+@NamedQueries({
+    @NamedQuery(name = "User.findByName",
+                query = "SELECT u FROM User u WHERE u.name = :name"),
+    @NamedQuery(name = "User.findByEmailAddress",
+                query = "SELECT u FROM User u "
+                            + "WHERE u.primaryEmailAddress.address = :emailAddress"
+    )})
+@XmlRootElement(name = "user", namespace = CORE_XML_NS)
+//Supressing a few warnings from PMD because they misleading here.
+//User is perfectly fine class name, and the complexity is not to high...
+@SuppressWarnings({"PMD.ShortClassName"})
+public class User extends Party implements Serializable {
+
+    private static final long serialVersionUID = 4035223413596611393L;
+
+    /**
+     * The given name of the user.
+     */
+    @Column(name = "GIVEN_NAME", length = 512)
+    @XmlElement(name = "given-name", namespace = CORE_XML_NS)
+    private String givenName;
+
+    /**
+     * The family name of the user.
+     */
+    @Column(name = "FAMILY_NAME", length = 512)
+    @XmlElement(name = "family-name", namespace = CORE_XML_NS)
+    private String familyName;
+
+    /**
+     * The primary email address of the user.
+     */
+    @Embedded
+    @AssociationOverride(
+        name = "USER_PRIMARY_EMAIL_ADDRESSES",
+        joinTable = @JoinTable(name = "USER_PRIMARY_EMAIL_ADDRESSES",
+                               schema = DB_SCHEMA,
+                               joinColumns = {
+                                   @JoinColumn(name = "USER_ID")
+                               }))
+    @NotNull
+    @XmlElement(name = "primary-email-address", namespace = CORE_XML_NS)
+    @SuppressWarnings("PMD.LongVariable")
+    private EmailAddress primaryEmailAddress;
+
+    /**
+     * Additional email addresses of the user.
+     */
+    @ElementCollection(fetch = FetchType.EAGER)
+    @CollectionTable(name = "USER_EMAIL_ADDRESSES",
+                     schema = DB_SCHEMA,
+                     joinColumns = {
+                         @JoinColumn(name = "USER_ID")})
+    @XmlElementWrapper(name = "email-addresses", namespace = CORE_XML_NS)
+    @XmlElement(name = "email-address", namespace = CORE_XML_NS)
+    private List<EmailAddress> emailAddresses;
+
+    /**
+     * A user can be banned which means that he or she can't login into
+     * the system anymore. We use this approach rather than simply deleting users
+     * to preserve the edit history of several objects.
+     */
+    @Column(name = "BANNED")
+    @XmlElement(name = "banned", namespace = CORE_XML_NS)
+    private boolean banned;
+
+    /**
+     * The hashed password of the user. The algorithm used is determined by the
+     * Shiro configuration. The hash is stored in Shiros hash format which also
+     * contains the algorithm used, the number of iterations and the salt used.
+     */
+    @Column(name = "PASSWORD", length = 2048)
+    @XmlTransient
+    private String password;
+
+    /**
+     * Indicates that the user should be forced to change his or her password on
+     * the next login.
+     */
+    @Column(name = "PASSWORD_RESET_REQUIRED")
+    //Can't shorten the name without making the name cryptic.
+    @SuppressWarnings("PMD.LongVariable")
+    private boolean passwordResetRequired;
+
+    /**
+     * The groups of which the user is a member.
+     */
+    @OneToMany(mappedBy = "member")
+    @XmlElementWrapper(name = "group-memberships", namespace = CORE_XML_NS)
+    @XmlElement(name = "group-membership", namespace = CORE_XML_NS)
+    private List<GroupMembership> groupMemberships = new ArrayList<>();
+
+    protected User() {
+        super();
+        emailAddresses = new ArrayList<>();
+    }
+
+    public String getGivenName() {
+        return givenName;
+    }
+
+    public void setGivenName(final String givenName) {
+        this.givenName = givenName;
+    }
+
+    public String getFamilyName() {
+        return familyName;
+    }
+
+    public void setFamilyName(final String familyName) {
+        this.familyName = familyName;
+    }
+
+    public EmailAddress getPrimaryEmailAddress() {
+        return primaryEmailAddress;
+    }
+
+    public void setPrimaryEmailAddress(final EmailAddress primaryEmailAddress) {
+        this.primaryEmailAddress = primaryEmailAddress;
+    }
+
+    public List<EmailAddress> getEmailAddresses() {
+        if (emailAddresses == null) {
+            return null;
+        } else {
+            return Collections.unmodifiableList(emailAddresses);
+        }
+    }
+
+    protected void setEmailAddresses(final List<EmailAddress> emailAddresses) {
+        this.emailAddresses = emailAddresses;
+    }
+
+    protected void addEmailAddress(final EmailAddress emailAddress) {
+        emailAddresses.add(emailAddress);
+    }
+
+    protected void removeEmailAddress(final EmailAddress emailAddress) {
+        emailAddresses.remove(emailAddress);
+    }
+
+    public boolean isBanned() {
+        return banned;
+    }
+
+    protected void setBanned(final boolean banned) {
+        this.banned = banned;
+    }
+
+    public String getPassword() {
+        return password;
+    }
+
+    protected void setPassword(final String password) {
+        this.password = password;
+    }
+
+    public boolean isPasswordResetRequired() {
+        return passwordResetRequired;
+    }
+
+    @SuppressWarnings("PMD.LongVariable")
+    protected void setPasswordResetRequired(final boolean passwordResetRequired) {
+        this.passwordResetRequired = passwordResetRequired;
+    }
+
+    public List<GroupMembership> getGroupMemberships() {
+        return Collections.unmodifiableList(groupMemberships);
+    }
+
+    protected void setGroupMemberships(
+        final List<GroupMembership> groupMemberships) {
+        this.groupMemberships = groupMemberships;
+    }
+
+    protected void addGroupMembership(final GroupMembership groupMembership) {
+        groupMemberships.add(groupMembership);
+    }
+
+    protected void removeGroupMembership(
+        final GroupMembership groupMembership) {
+        groupMemberships.remove(groupMembership);
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = super.hashCode();
+        hash = 31 * hash + Objects.hashCode(givenName);
+        hash = 31 * hash + Objects.hashCode(familyName);
+        hash = 31 * hash + Objects.hashCode(primaryEmailAddress);
+        hash = 31 * hash + (banned ? 1 : 0);
+        return hash;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+        if (obj == null) {
+            return false;
+        }
+
+        if (!super.equals(obj)) {
+            return false;
+        }
+
+        if (!(obj instanceof User)) {
+            return false;
+        }
+        final User other = (User) obj;
+        if (!Objects.equals(givenName, other.getGivenName())) {
+            return false;
+        }
+        if (!Objects.equals(familyName, other.getFamilyName())) {
+            return false;
+        }
+        if (!Objects.equals(primaryEmailAddress, other.getPrimaryEmailAddress())) {
+            return false;
+        }
+        return banned == other.isBanned();
+    }
+
+    @Override
+    public boolean canEqual(final Object obj) {
+        return obj instanceof User;
+    }
+
+    @Override
+    public String toString(final String data) {
+        return super.toString(String.format(
+            ", givenName = \"%s\", "
+                + "familyName = \"%s\", "
+                + "primaryEmailAddress = { %s }, "
+                + "emailAddresses = { %s }, "
+                + "banned = %b, "
+                + "passwordResetRequired = %b%s",
+            givenName,
+            familyName,
+            Objects.toString(primaryEmailAddress),
+            Objects.toString(emailAddresses),
+            banned,
+            passwordResetRequired,
+            data
+        ));
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/UserManager.java b/ccm-core/src/main/java/org/libreccm/security/UserManager.java
new file mode 100644
index 000000000..e365175bc
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/UserManager.java
@@ -0,0 +1,168 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import com.arsdigita.kernel.security.SecurityConfig;
+import javax.enterprise.context.RequestScoped;
+import javax.inject.Inject;
+import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
+import javax.validation.executable.ValidateOnExecution;
+import org.apache.shiro.authc.credential.PasswordMatcher;
+import org.apache.shiro.authc.credential.PasswordService;
+import org.apache.shiro.crypto.SecureRandomNumberGenerator;
+import org.apache.shiro.crypto.hash.SimpleHash;
+import org.apache.shiro.crypto.hash.format.DefaultHashFormatFactory;
+import org.apache.shiro.crypto.hash.format.HashFormat;
+import org.apache.shiro.crypto.hash.format.HashFormatFactory;
+import org.apache.shiro.crypto.hash.format.Shiro1CryptFormat;
+import org.apache.shiro.util.ByteSource;
+import org.libreccm.core.EmailAddress;
+
+/**
+ * Provides various operations for user objects.
+ *
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@RequestScoped
+public class UserManager {
+
+    @Inject
+    private UserRepository userRepository;
+
+    /**
+     * Creates a new user and saves the user in the database. The method also
+     * creates the password hash.
+     *
+     * @param givenName The given name of the new user.
+     * @param familyName The family name of the new user.
+     * @param name The name of the new user.
+     * @param emailAddress The email address of the new user.
+     * @param password The password of the new user. The password is hashed
+     * using the algorithm configured in the {@link SecurityConfig}.
+     *
+     * @return The new user.
+     */
+    @ValidateOnExecution
+    public User createUser(final String givenName,
+                           final String familyName,
+                           @Pattern(regexp = "[a-zA-Z0-9\\-_]*")
+                           final String name,
+                           final String emailAddress,
+                           final String password) {
+        final User user = new User();
+        user.setGivenName(givenName);
+        user.setFamilyName(familyName);
+        user.setName(name);
+        final EmailAddress email = new EmailAddress();
+        email.setAddress(emailAddress);
+        user.setPrimaryEmailAddress(email);
+        email.setVerified(true);
+        user.setPassword(hashPassword(password));
+
+        userRepository.save(user);
+
+        return user;
+    }
+
+    /**
+     * Updates the password of a user. This method allows {@code null} as
+     * password value. If a user has no password in the database this means that
+     * the user can't login or that the authentication for this user is done by
+     * an external system.
+     *
+     * @param user The user which password should be upgraded.
+     * @param newPassword The new password. The password is hashed using the
+     * algorithm configured in the {@link SecurityConfig}.
+     */
+    public void updatePassword(@NotNull final User user, 
+                               final String newPassword) {
+        user.setPassword(hashPassword(newPassword));
+
+        userRepository.save(user);
+    }
+
+    /**
+     * Verifies the password of a user. This can be useful if you want to verify
+     * the password of a user already logged in again.
+     *
+     * @param user The user against which the password is verified.
+     * @param password The password to verify.
+     *
+     * @return {@code true} if the provided passworda matches the password from
+     * the database, {@code false} otherwise.
+     */
+    public boolean verifyPassword(final User user, final String password) {
+        //Create a new Shiro PasswordMatcher instance
+        final PasswordMatcher matcher = new PasswordMatcher();
+        //Get the PasswordService instance from the matcher (the PasswordService
+        //class provides the methods we need here).
+        final PasswordService service = matcher.getPasswordService();
+
+        return service.passwordsMatch(password, user.getPassword());
+    }
+
+    /**
+     * Helper method for creating the hash of a password.
+     *
+     * @param password The password to hash.
+     *
+     * @return The hashed password.b
+     */
+    private String hashPassword(final String password) {
+        //Get the values from the SecurityConfig
+        final String hashAlgo = SecurityConfig.getConfig().getHashAlgorithm();
+        final int iterations = SecurityConfig.getConfig().getHashIterations();
+
+        //Create the hash using Shiro's SimpleHash class
+        final SimpleHash hash = new SimpleHash(hashAlgo,
+                                               password.toCharArray(),
+                                               generateSalt(),
+                                               iterations);
+
+        //We want to use the Shiro1 format for storing the password. This
+        //format includes the algorithm used, the salt and the number of 
+        //iterations used and the hashed password in special formatted string.
+        final HashFormatFactory hashFormatFactory = new DefaultHashFormatFactory();
+        final HashFormat hashFormat = hashFormatFactory.getInstance(
+                Shiro1CryptFormat.class.getName());
+
+        return hashFormat.format(hash);
+    }
+
+    /**
+     * Helper method for generating a random salt. The length of the generated
+     * salt is configured in the {@link SecurityConfig}.
+     *
+     * @return A new random salt.
+     */
+    private ByteSource generateSalt() {
+        final int generatedSaltSize = SecurityConfig.getConfig().getSaltLength();
+
+        if (generatedSaltSize % 8 != 0) {
+            throw new IllegalArgumentException(
+                    "Salt length is not a multipe of 8");
+        }
+
+        final SecureRandomNumberGenerator generator = new SecureRandomNumberGenerator();
+        final int byteSize = generatedSaltSize / 8; //generatedSaltSize is in *bits* - convert to byte size:
+        return generator.nextBytes(byteSize);
+    }
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/UserRepository.java b/ccm-core/src/main/java/org/libreccm/security/UserRepository.java
new file mode 100644
index 000000000..c027d147b
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/UserRepository.java
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import org.libreccm.core.AbstractEntityRepository;
+
+import java.util.List;
+
+import javax.enterprise.context.RequestScoped;
+import javax.persistence.TypedQuery;
+
+/**
+ * Repository for user objects.
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@RequestScoped
+public class UserRepository extends AbstractEntityRepository<Long, User> {
+
+    @Override
+    public Class<User> getEntityClass() {
+        return User.class;
+    }
+
+    @Override
+    public boolean isNew(final User user) {
+        if (user == null) {
+            throw new IllegalArgumentException("Can't save null");
+        }
+        return user.getPartyId() == 0;
+    }
+
+    /**
+     * Finds a user by its user name.
+     *
+     * @param name The name of the user to find.
+     *
+     * @return The user identified by the provided name. If there are multiple
+     * user matching the user name (should be possible) the first one is
+     * returned. If there is no matching user {@code null} is returned.
+     */
+    public User findByName(final String name) {
+        final TypedQuery<User> query = getEntityManager().createNamedQuery(
+                "User.findByName",
+                User.class);
+        query.setParameter("name", name);
+        final List<User> result = query.getResultList();
+        if (result.isEmpty()) {
+            return null;
+        } else {
+            return result.get(0);
+        }
+    }
+
+    /**
+     * Finds user by the primary email address.
+     *
+     * @param emailAddress The email address which identifies the user.
+     *
+     * @return The user identified by the provided email address. If there are
+     * multiple matching users only the first one is returned. If there is no
+     * matching user {@code null} is returned.
+     */
+    public User findByEmailAddress(final String emailAddress) {
+        final TypedQuery<User> query = getEntityManager().createNamedQuery(
+                "User.findByEmailAddress", User.class);
+        query.setParameter("emailAddress", emailAddress);
+        final List<User> result = query.getResultList();
+        if (result.isEmpty()) {
+            return null;
+        } else {
+            return result.get(0);
+        }
+    }
+
+}
diff --git a/ccm-core/src/main/java/org/libreccm/security/package-info.java b/ccm-core/src/main/java/org/libreccm/security/package-info.java
new file mode 100644
index 000000000..874390218
--- /dev/null
+++ b/ccm-core/src/main/java/org/libreccm/security/package-info.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA 
+*/
+/**
+ * This package contains all classes dealing with authentication and 
+ * authorisation in LibreCCM.
+ * 
+ * Most of this classes are only relevant for the developers of the core part
+ * of LibreCCM and and core administration UI. For developers of modules the
+ * primary interface is the Apache Shiro Library. Module developers usually have
+ * the use these classes only in the {@code CcmModule#install(InstallEvent) 
+ * method to create roles and privileges for their module. Therefore most 
+ * methods of these classes can only be invoked by the System user. 
+ * 
+ * The check if the current user is logged in and/or has a certain permission
+ * you have to obtain the current {@link Subject} from Shiro. In LibreCCM the
+ * subject is provided using CDI. In classes eligible for injection you simply
+ * inject the current subject. In other classes you can use the {@link CdiUtil}
+ * class.
+ * 
+ * Another option for method of CDI beans is to use the interceptors provided by 
+ * this package.
+ * 
+ * @see CcmModule
+ */
+package org.libreccm.security;
diff --git a/ccm-core/src/main/java/org/libreccm/web/CcmApplication.java b/ccm-core/src/main/java/org/libreccm/web/CcmApplication.java
index 4bb58485b..c1a25e32b 100644
--- a/ccm-core/src/main/java/org/libreccm/web/CcmApplication.java
+++ b/ccm-core/src/main/java/org/libreccm/web/CcmApplication.java
@@ -27,7 +27,6 @@ import org.libreccm.categorization.DomainOwnership;
 import static org.libreccm.core.CoreConstants.*;
 
 import org.libreccm.core.Resource;
-import org.libreccm.core.Group;
 
 import java.io.Serializable;
 import java.util.ArrayList;
@@ -74,11 +73,10 @@ public class CcmApplication extends Resource implements Serializable {
     @XmlElement(name = "primary-url", namespace = WEB_XML_NS)
     private String primaryUrl;
 
-    @OneToOne
-    @JoinColumn(name = "CONTAINER_GROUP_ID")
-    @XmlElement(name = "container-group", namespace = WEB_XML_NS)
-    private Group containerGroup;
-
+//    @OneToOne
+//    @JoinColumn(name = "CONTAINER_GROUP_ID")
+//    @XmlElement(name = "container-group", namespace = WEB_XML_NS)
+//    private Group containerGroup;
     /**
      * Category Domains owned by this {@code CcmObject}.
      */
@@ -108,14 +106,13 @@ public class CcmApplication extends Resource implements Serializable {
         this.primaryUrl = primaryUrl;
     }
 
-    public Group getContainerGroup() {
-        return containerGroup;
-    }
-
-    public void setContainerGroup(final Group containerGroup) {
-        this.containerGroup = containerGroup;
-    }
-
+//    public Group getContainerGroup() {
+//        return containerGroup;
+//    }
+//
+//    public void setContainerGroup(final Group containerGroup) {
+//        this.containerGroup = containerGroup;
+//    }
     /**
      * Gets an <strong>unmodifiable</strong> list of the domains which are owned
      * by the {@code CcmApplication}.
@@ -162,7 +159,7 @@ public class CcmApplication extends Resource implements Serializable {
     public int hashCode() {
         int hash = super.hashCode();
         hash = 97 * hash + Objects.hashCode(primaryUrl);
-        hash = 97 * hash + Objects.hashCode(containerGroup);
+//        hash = 97 * hash + Objects.hashCode(containerGroup);
         return hash;
     }
 
@@ -185,10 +182,7 @@ public class CcmApplication extends Resource implements Serializable {
             return false;
         }
 
-        if (!Objects.equals(primaryUrl, other.getPrimaryUrl())) {
-            return false;
-        }
-        return Objects.equals(containerGroup, other.getContainerGroup());
+        return Objects.equals(primaryUrl, other.getPrimaryUrl());
     }
 
     @Override
@@ -198,11 +192,15 @@ public class CcmApplication extends Resource implements Serializable {
 
     @Override
     public String toString(final String data) {
-        return super.toString(String.format(", primaryUrl = \"%s\", "
-                                                + "containerGroup = %s%s",
+        return super.toString(String.format(", primaryUrl = \"%s\"%s",
                                             primaryUrl,
-                                            Objects.toString(containerGroup),
                                             data));
+
+//        return super.toString(String.format(", primaryUrl = \"%s\", "
+//                                                + "containerGroup = %s%s",
+//                                            primaryUrl,
+//                                            Objects.toString(containerGroup),
+//                                            data));
     }
 
 }
diff --git a/ccm-core/src/main/java/org/libreccm/workflow/Task.java b/ccm-core/src/main/java/org/libreccm/workflow/Task.java
index 4e9084722..eaaebaabf 100644
--- a/ccm-core/src/main/java/org/libreccm/workflow/Task.java
+++ b/ccm-core/src/main/java/org/libreccm/workflow/Task.java
@@ -70,7 +70,7 @@ public class Task implements Serializable {
 
     @Embedded
     @AssociationOverride(
-            name = "VALUES",
+            name = "values",
             joinTable = @JoinTable(name = "WORKFLOW_TASK_LABELS",
                                    schema = DB_SCHEMA,
                                    joinColumns = {
@@ -79,7 +79,7 @@ public class Task implements Serializable {
 
     @Embedded
     @AssociationOverride(
-            name = "VALUES",
+            name = "values",
             joinTable = @JoinTable(name = "WORKFLOW_TASKS_DESCRIPTIONS",
                                    schema = DB_SCHEMA,
                                    joinColumns = {
diff --git a/ccm-core/src/main/java/org/libreccm/workflow/UserTask.java b/ccm-core/src/main/java/org/libreccm/workflow/UserTask.java
index 8b3295efa..d38570501 100644
--- a/ccm-core/src/main/java/org/libreccm/workflow/UserTask.java
+++ b/ccm-core/src/main/java/org/libreccm/workflow/UserTask.java
@@ -20,8 +20,8 @@ package org.libreccm.workflow;
 
 import static org.libreccm.core.CoreConstants.*;
 
-import org.libreccm.core.User;
-import org.libreccm.core.Group;
+import org.libreccm.security.Group;
+import org.libreccm.security.User;
 
 import java.io.Serializable;
 import java.util.ArrayList;
diff --git a/ccm-core/src/main/java/org/libreccm/workflow/Workflow.java b/ccm-core/src/main/java/org/libreccm/workflow/Workflow.java
index f6cf20d3b..4cf787483 100644
--- a/ccm-core/src/main/java/org/libreccm/workflow/Workflow.java
+++ b/ccm-core/src/main/java/org/libreccm/workflow/Workflow.java
@@ -57,7 +57,7 @@ public class Workflow implements Serializable {
 
     @Embedded
     @AssociationOverride(
-        name = "VALUES",
+        name = "values",
         joinTable = @JoinTable(name = "WORKFLOW_NAMES",
                                schema = DB_SCHEMA,
                                joinColumns = {
@@ -66,7 +66,7 @@ public class Workflow implements Serializable {
 
     @Embedded
     @AssociationOverride(
-        name = "VALUES",
+        name = "values",
         joinTable = @JoinTable(name = "WORKFLOW_DESCRIPTIONS",
                                schema = DB_SCHEMA,
                                joinColumns = {
diff --git a/ccm-core/src/main/resources/com/arsdigita/kernel/security/SecurityConfig_parameter.properties b/ccm-core/src/main/resources/com/arsdigita/kernel/security/SecurityConfig_parameter.properties
index cde439644..8574f3fff 100755
--- a/ccm-core/src/main/resources/com/arsdigita/kernel/security/SecurityConfig_parameter.properties
+++ b/ccm-core/src/main/resources/com/arsdigita/kernel/security/SecurityConfig_parameter.properties
@@ -28,12 +28,17 @@ waf.user_question_enable.purpose=Enable question if a user has forgotten its pas
 waf.user_question_enable.example=false
 waf.user_question_enable.format=true|false
 
-waf.security.hash_algorithm.title=Default Hash Algorithm
+waf.security.hash_algorithm.title=Default Hash Algorithm for new passwords
 waf.security.hash_algorithm.purpose=Sets the Hash Algorithm to use for new passwords. The available algorithms depend on the Java Runtime.
 waf.security.hash_algorithm.example=SHA-512
 waf.security.hash_algorithm.format=[string]
 
-waf.security.salt_length.title=Default Salt Length
+waf.security.salt_length.title=Default Salt Length for new passwords
 waf.security.salt_length.purpose=Sets the length of the salt for new passwords
 waf.security.salt_length.example=256
-waf.security.salt_length.format=[int]
\ No newline at end of file
+waf.security.salt_length.format=[int]
+
+waf.security.hash_iterations.title=Number of hash iterations for new passwords
+waf.security.hash_iterations.purpose=Number of iterations when hashing new passwords
+waf.security.hash_iterations.example=50000
+waf.security.hash_iterations.format=[int]
\ No newline at end of file
diff --git a/ccm-core/src/test/java/com/arsdigita/kernel/KernelConfigTest.java b/ccm-core/src/test/java/com/arsdigita/kernel/KernelConfigTest.java
index 0db685d37..a2585901b 100644
--- a/ccm-core/src/test/java/com/arsdigita/kernel/KernelConfigTest.java
+++ b/ccm-core/src/test/java/com/arsdigita/kernel/KernelConfigTest.java
@@ -18,6 +18,13 @@
  */
 package com.arsdigita.kernel;
 
+import com.arsdigita.runtime.AbstractConfig;
+import com.arsdigita.util.JavaPropertyReader;
+import com.arsdigita.util.parameter.AbstractParameter;
+import com.arsdigita.web.CCMApplicationContextListener;
+import com.arsdigita.xml.XML;
+import com.arsdigita.xml.formatters.DateFormatter;
+
 import java.io.File;
 
 import static org.hamcrest.Matchers.*;
@@ -36,7 +43,14 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
+import org.libreccm.categorization.Categorization;
+import org.libreccm.core.CcmObject;
+import org.libreccm.jpa.EntityManagerProducer;
+import org.libreccm.jpa.utils.UriConverter;
+import org.libreccm.l10n.LocalizedString;
+import org.libreccm.security.Permission;
 import org.libreccm.tests.categories.IntegrationTest;
+import org.libreccm.web.ApplicationRepository;
 
 import java.util.StringTokenizer;
 
@@ -86,33 +100,37 @@ public class KernelConfigTest {
         return ShrinkWrap
             .create(WebArchive.class,
                     "LibreCCM-com.arsdigita.kernel.KernelConfigTest.war")
-            //.addPackage(CcmObject.class.getPackage())
-            .addPackage(com.arsdigita.kernel.KernelConfig.class.getPackage())
-            .addPackage(com.arsdigita.runtime.AbstractConfig.class.getPackage())
-            .addPackage(com.arsdigita.util.parameter.AbstractParameter.class.
-                getPackage())
-            .addPackage(com.arsdigita.util.JavaPropertyReader.class.
-                getPackage())
-            .addPackage(com.arsdigita.web.CCMApplicationContextListener.class
-                .getPackage())
-            .addPackage(com.arsdigita.xml.XML.class.getPackage())
-            .addPackage(com.arsdigita.xml.formatters.DateFormatter.class
-                .getPackage())
-            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
-                .getPackage())
+            .addPackage(CcmObject.class.getPackage())
+            .addPackage(Categorization.class.getPackage())
+            .addPackage(Permission.class.getPackage())
+            .addPackage(LocalizedString.class.getPackage())
+            .addPackage(UriConverter.class.getPackage())
+            .addPackage(ApplicationRepository.class.getPackage())
+            .addPackage(EntityManagerProducer.class.getPackage())
+            .addPackage(KernelConfig.class.getPackage())
+            .addPackage(AbstractConfig.class.getPackage())
+            .addPackage(AbstractParameter.class.getPackage())
+            .addPackage(JavaPropertyReader.class.getPackage())
+            .addPackage(CCMApplicationContextListener.class.getPackage())
+            .addPackage(XML.class.getPackage())
+            .addPackage(DateFormatter.class.getPackage())
+            .addPackage(IntegrationTest.class.getPackage())
             .addAsLibraries(libs)
             .addAsResource(
-                "configtests/com/arsdigita/kernel/KernelConfigTest/ccm-core.config",
+                "configs/com/arsdigita/kernel/KernelConfigTest/ccm-core.config",
                 "ccm-core.config")
             .addAsWebInfResource(
-                "configtests/com/arsdigita/kernel/KernelConfigTest/registry.properties",
+                "configs/com/arsdigita/kernel/KernelConfigTest/registry.properties",
                 "conf/registry/registry.properties")
             .addAsWebInfResource(
-                "configtests/com/arsdigita/kernel/KernelConfigTest/kernel.properties",
+                "configs/com/arsdigita/kernel/KernelConfigTest/kernel.properties",
                 "conf/registry/ccm-core/kernel.properties")
             .addAsResource(
                 "com/arsdigita/kernel/KernelConfig_parameter.properties",
                 "com/arsdigita/kernel/KernelConfig_parameter.properties")
+            .addAsResource("test-persistence.xml",
+                           "META-INF/persistence.xml")
+            .addAsWebInfResource("test-web.xml", "WEB-INF/web.xml")
             .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");
     }
 
diff --git a/ccm-core/src/test/java/com/arsdigita/kernel/security/SecurityConfigTest.java b/ccm-core/src/test/java/com/arsdigita/kernel/security/SecurityConfigTest.java
index c37b5e395..985c76e9b 100644
--- a/ccm-core/src/test/java/com/arsdigita/kernel/security/SecurityConfigTest.java
+++ b/ccm-core/src/test/java/com/arsdigita/kernel/security/SecurityConfigTest.java
@@ -18,6 +18,14 @@
  */
 package com.arsdigita.kernel.security;
 
+import com.arsdigita.kernel.KernelConfig;
+import com.arsdigita.runtime.AbstractConfig;
+import com.arsdigita.util.JavaPropertyReader;
+import com.arsdigita.util.parameter.AbstractParameter;
+import com.arsdigita.web.CCMApplicationContextListener;
+import com.arsdigita.xml.XML;
+import com.arsdigita.xml.formatters.DateFormatter;
+
 import static org.hamcrest.Matchers.*;
 
 import org.jboss.arquillian.container.test.api.Deployment;
@@ -37,7 +45,14 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
+import org.libreccm.categorization.Categorization;
+import org.libreccm.core.CcmObject;
+import org.libreccm.jpa.EntityManagerProducer;
+import org.libreccm.jpa.utils.UriConverter;
+import org.libreccm.l10n.LocalizedString;
+import org.libreccm.security.Permission;
 import org.libreccm.tests.categories.IntegrationTest;
+import org.libreccm.web.ApplicationRepository;
 
 import java.io.File;
 import java.util.List;
@@ -87,35 +102,34 @@ public class SecurityConfigTest {
         return ShrinkWrap
             .create(WebArchive.class,
                     "LibreCCM-com.arsdigita.kernel.security.SecurityConfigTest.war")
-            //.addPackage(CcmObject.class.getPackage())
-            .addPackage(com.arsdigita.kernel.KernelConfig.class.getPackage())
-            .addPackage(com.arsdigita.kernel.security.SecurityConfig.class
-                .getPackage())
-            .addPackage(com.arsdigita.runtime.AbstractConfig.class.getPackage())
-            .addPackage(com.arsdigita.util.parameter.AbstractParameter.class.
-                getPackage())
-            .addPackage(com.arsdigita.util.JavaPropertyReader.class.
-                getPackage())
-            .addPackage(com.arsdigita.web.CCMApplicationContextListener.class
-                .getPackage())
-            .addPackage(com.arsdigita.xml.XML.class.getPackage())
-            .addPackage(com.arsdigita.xml.formatters.DateFormatter.class
-                .getPackage())
-            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
-                .getPackage())
-            .addPackage(org.libreccm.core.authentication.LocalLoginModule.class.getPackage())
+            .addPackage(CcmObject.class.getPackage())
+            .addPackage(Categorization.class.getPackage())
+            .addPackage(Permission.class.getPackage())
+            .addPackage(LocalizedString.class.getPackage())
+            .addPackage(UriConverter.class.getPackage())
+            .addPackage(ApplicationRepository.class.getPackage())
+            .addPackage(EntityManagerProducer.class.getPackage())
+            .addPackage(KernelConfig.class.getPackage())
+            .addPackage(SecurityConfig.class.getPackage())
+            .addPackage(AbstractConfig.class.getPackage())
+            .addPackage(AbstractParameter.class.getPackage())
+            .addPackage(JavaPropertyReader.class.getPackage())
+            .addPackage(CCMApplicationContextListener.class.getPackage())
+            .addPackage(XML.class.getPackage())
+            .addPackage(DateFormatter.class.getPackage())
+            .addPackage(IntegrationTest.class.getPackage())
             .addAsLibraries(libs)
             .addAsResource(
-                "configtests/com/arsdigita/kernel/security/SecurityConfigTest/ccm-core.config",
+                "configs/com/arsdigita/kernel/security/SecurityConfigTest/ccm-core.config",
                 "ccm-core.config")
             .addAsWebInfResource(
-                "configtests/com/arsdigita/kernel/security/SecurityConfigTest/registry.properties",
+                "configs/com/arsdigita/kernel/security/SecurityConfigTest/registry.properties",
                 "conf/registry/registry.properties")
             .addAsWebInfResource(
-                "configtests/com/arsdigita/kernel/security/SecurityConfigTest/kernel.properties",
+                "configs/com/arsdigita/kernel/security/SecurityConfigTest/kernel.properties",
                 "conf/registry/ccm-core/kernel.properties")
             .addAsWebInfResource(
-                "configtests/com/arsdigita/kernel/security/SecurityConfigTest/security.properties",
+                "configs/com/arsdigita/kernel/security/SecurityConfigTest/security.properties",
                 "conf/registry/ccm-core/security.properties")
             .addAsResource(
                 "com/arsdigita/kernel/KernelConfig_parameter.properties",
@@ -123,6 +137,9 @@ public class SecurityConfigTest {
             .addAsResource(
                 "com/arsdigita/kernel/security/SecurityConfig_parameter.properties",
                 "com/arsdigita/kernel/security/SecurityConfig_parameter.properties")
+            .addAsResource("test-persistence.xml",
+                           "META-INF/persistence.xml")
+            .addAsWebInfResource("test-web.xml", "WEB-INF/web.xml")
             .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");
     }
 
@@ -130,20 +147,20 @@ public class SecurityConfigTest {
     public void verifySecurityConfig() {
         final SecurityConfig securityConfig = SecurityConfig.getConfig();
 
-        final String[] loginConfig = securityConfig.getLoginConfig();
-        assertThat(loginConfig.length, is(1));
-        assertThat(loginConfig[0], is(equalTo(
-                   "Register:com.arsdigita.kernel.security.LocalLoginModule:requisite")));
-
-        final List<String> excludedExtensions = securityConfig.getExcludedExtensions();
+//        final String[] loginConfig = securityConfig.getLoginConfig();
+//        assertThat(loginConfig.length, is(1));
+//        assertThat(loginConfig[0], is(equalTo(
+//                   "Register:com.arsdigita.kernel.security.LocalLoginModule:requisite")));
+        final List<String> excludedExtensions = securityConfig
+            .getExcludedExtensions();
         assertThat(excludedExtensions.size(), is(4));
         assertThat(excludedExtensions.get(0), is(equalTo(".jpg")));
         assertThat(excludedExtensions.get(1), is(equalTo(".gif")));
         assertThat(excludedExtensions.get(2), is(equalTo(".png")));
         assertThat(excludedExtensions.get(3), is(equalTo(".pdf")));
-        
+
         assertThat(securityConfig.getCookieDurationMinutes(), is(nullValue()));
-        
+
         assertThat(securityConfig.getCookieDomain(),
                    is(equalTo(".example.org")));
 
@@ -153,11 +170,11 @@ public class SecurityConfigTest {
         assertThat(securityConfig.isAutoRegistrationOn(), is(false));
 
         assertThat(securityConfig.isUserBanOn(), is(true));
-        
+
         assertThat(securityConfig.getEnableQuestion(), is(false));
 
         assertThat(securityConfig.getHashAlgorithm(), is(equalTo("SHA-256")));
-        
+
         assertThat(securityConfig.getSaltLength(), is(128));
     }
 
diff --git a/ccm-core/src/test/java/org/libreccm/core/CcmObjectRepositoryTest.java b/ccm-core/src/test/java/org/libreccm/core/CcmObjectRepositoryTest.java
index 1700aa403..3ca62c3ef 100644
--- a/ccm-core/src/test/java/org/libreccm/core/CcmObjectRepositoryTest.java
+++ b/ccm-core/src/test/java/org/libreccm/core/CcmObjectRepositoryTest.java
@@ -63,32 +63,32 @@ import static org.junit.Assert.*;
 @Transactional(TransactionMode.COMMIT)
 @CreateSchema({"create_ccm_core_schema.sql"})
 public class CcmObjectRepositoryTest {
-
+    
     @Inject
     private transient CcmObjectRepository ccmObjectRepository;
-
+    
     @PersistenceContext(name = "LibreCCM")
     private transient EntityManager entityManager;
-
+    
     public CcmObjectRepositoryTest() {
     }
-
+    
     @BeforeClass
     public static void setUpClass() {
     }
-
+    
     @AfterClass
     public static void tearDownClass() {
     }
-
+    
     @Before
     public void setUp() {
     }
-
+    
     @After
     public void tearDown() {
     }
-
+    
     @Deployment
     public static WebArchive createDeployment() {
         final PomEquippedResolveStage pom = Maven
@@ -97,21 +97,22 @@ public class CcmObjectRepositoryTest {
         final PomEquippedResolveStage dependencies = pom
             .importCompileAndRuntimeDependencies();
         final File[] libs = dependencies.resolve().withTransitivity().asFile();
-
+        
         for (File lib : libs) {
             System.err.printf("Adding file '%s' to test archive...%n",
                               lib.getName());
         }
-
+        
         return ShrinkWrap
             .create(WebArchive.class,
                     "LibreCCM-org.libreccm.core.CcmObjectRepositoryTest.war")
             .addPackage(CcmObject.class.getPackage())
+            .addPackage(org.libreccm.security.Permission.class.getPackage())
             .addPackage(org.libreccm.web.CcmApplication.class.getPackage())
             .addPackage(org.libreccm.categorization.Category.class.
                 getPackage())
-            .addPackage(org.libreccm.l10n.LocalizedString.class.getPackage()).
-            addPackage(org.libreccm.jpa.EntityManagerProducer.class
+            .addPackage(org.libreccm.l10n.LocalizedString.class.getPackage())
+            .addPackage(org.libreccm.jpa.EntityManagerProducer.class
                 .getPackage())
             .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class
                 .getPackage())
@@ -125,19 +126,19 @@ public class CcmObjectRepositoryTest {
             .addAsWebInfResource("test-web.xml", "WEB-INF/web.xml")
             .addAsWebInfResource(EmptyAsset.INSTANCE, "WEB-INF/beans.xml");
     }
-
+    
     @Test
     @InSequence(1)
     public void repoIsInjected() {
         assertThat(ccmObjectRepository, is(not((nullValue()))));
     }
-
+    
     @Test
     @InSequence(2)
     public void entityManagerIsInjected() {
         assertThat(entityManager, is(not((nullValue()))));
     }
-
+    
     @Test
     @UsingDataSet(
         "datasets/org/libreccm/core/CcmObjectRepositoryTest/data.yml")
@@ -145,7 +146,7 @@ public class CcmObjectRepositoryTest {
     public void datasetOnly() {
         System.out.println("Dataset loaded successfully.");
     }
-
+    
     @Test
     @UsingDataSet(
         "datasets/org/libreccm/core/CcmObjectRepositoryTest/after-save-changed.yml")
@@ -153,7 +154,7 @@ public class CcmObjectRepositoryTest {
     public void datasetOnly2() {
         System.out.println("Dataset loaded successfully.");
     }
-
+    
     @Test
     @UsingDataSet(
         "datasets/org/libreccm/core/CcmObjectRepositoryTest/data.yml")
@@ -163,22 +164,22 @@ public class CcmObjectRepositoryTest {
         final CcmObject obj2 = entityManager.find(CcmObject.class, -20L);
         final CcmObject obj3 = entityManager.find(CcmObject.class, -30L);
         final CcmObject none = entityManager.find(CcmObject.class, -999L);
-
+        
         assertThat(obj1, is(not(nullValue())));
         assertThat(obj1.getObjectId(), is(-10L));
         assertThat(obj1.getDisplayName(), is(equalTo("Test Object 1")));
-
+        
         assertThat(obj2, is(not(nullValue())));
         assertThat(obj2.getObjectId(), is(-20L));
         assertThat(obj2.getDisplayName(), is(equalTo("Test Object 2")));
-
+        
         assertThat(obj3, is(not(nullValue())));
         assertThat(obj3.getObjectId(), is(-30L));
         assertThat(obj3.getDisplayName(), is(equalTo("Test Object 3")));
-
+        
         assertThat(none, is(nullValue()));
     }
-
+    
     @Test
     @UsingDataSet(
         "datasets/org/libreccm/core/CcmObjectRepositoryTest/data.yml")
@@ -192,22 +193,22 @@ public class CcmObjectRepositoryTest {
                                                   new Long(-30L));
         final CcmObject none = entityManager.find(CcmObject.class, new Long(
                                                   -999L));
-
+        
         assertThat(obj1, is(not(nullValue())));
         assertThat(obj1.getObjectId(), is(-10L));
         assertThat(obj1.getDisplayName(), is(equalTo("Test Object 1")));
-
+        
         assertThat(obj2, is(not(nullValue())));
         assertThat(obj2.getObjectId(), is(-20L));
         assertThat(obj2.getDisplayName(), is(equalTo("Test Object 2")));
-
+        
         assertThat(obj3, is(not(nullValue())));
         assertThat(obj3.getObjectId(), is(-30L));
         assertThat(obj3.getDisplayName(), is(equalTo("Test Object 3")));
-
+        
         assertThat(none, is(nullValue()));
     }
-
+    
     @Test
     @UsingDataSet(
         "datasets/org/libreccm/core/CcmObjectRepositoryTest/data.yml")
@@ -217,32 +218,32 @@ public class CcmObjectRepositoryTest {
         final CcmObject obj2 = ccmObjectRepository.findById(-20L);
         final CcmObject obj3 = ccmObjectRepository.findById(-30L);
         final CcmObject none = ccmObjectRepository.findById(-999L);
-
+        
         assertThat(obj1, is(not(nullValue())));
         assertThat(obj1.getObjectId(), is(-10L));
         assertThat(obj1.getDisplayName(), is(equalTo("Test Object 1")));
-
+        
         assertThat(obj2, is(not(nullValue())));
         assertThat(obj2.getObjectId(), is(-20L));
         assertThat(obj2.getDisplayName(), is(equalTo("Test Object 2")));
-
+        
         assertThat(obj3, is(not(nullValue())));
         assertThat(obj3.getObjectId(), is(-30L));
         assertThat(obj3.getDisplayName(), is(equalTo("Test Object 3")));
-
+        
         assertThat(none, is(nullValue()));
     }
-
+    
     @Test
     @UsingDataSet(
         "datasets/org/libreccm/core/CcmObjectRepositoryTest/data.yml")
     @InSequence(10)
     public void findAllCcmObjects() {
         final List<CcmObject> objects = ccmObjectRepository.findAll();
-
+        
         assertThat(objects.size(), is(3));
     }
-
+    
     @Test
     @UsingDataSet(
         "datasets/org/libreccm/core/CcmObjectRepositoryTest/data.yml")
@@ -253,10 +254,10 @@ public class CcmObjectRepositoryTest {
     public void saveNewCcmObject() {
         final CcmObject obj = new CcmObject();
         obj.setDisplayName("Test Object 4");
-
+        
         ccmObjectRepository.save(obj);
     }
-
+    
     @Test
     @UsingDataSet(
         "datasets/org/libreccm/core/CcmObjectRepositoryTest/data.yml")
@@ -267,17 +268,17 @@ public class CcmObjectRepositoryTest {
     public void saveChangedCcmObject() {
         final CcmObject obj = ccmObjectRepository.findById(-20L);
         obj.setDisplayName("Second Test Object");
-
+        
         ccmObjectRepository.save(obj);
     }
-
+    
     @Test(expected = IllegalArgumentException.class)
     @ShouldThrowException(IllegalArgumentException.class)
     @InSequence(500)
     public void saveNullValue() {
         ccmObjectRepository.save(null);
     }
-
+    
     @Test
     @UsingDataSet(
         "datasets/org/libreccm/core/CcmObjectRepositoryTest/data.yml")
@@ -287,15 +288,15 @@ public class CcmObjectRepositoryTest {
     @InSequence(600)
     public void deleteCcmObject() {
         final CcmObject obj = ccmObjectRepository.findById(-20L);
-
+        
         ccmObjectRepository.delete(obj);
     }
-
+    
     @Test(expected = IllegalArgumentException.class)
     @ShouldThrowException(IllegalArgumentException.class)
     @InSequence(700)
     public void deleteNullValue() {
         ccmObjectRepository.delete(null);
     }
-
+    
 }
diff --git a/ccm-core/src/test/java/org/libreccm/core/DatasetsTest.java b/ccm-core/src/test/java/org/libreccm/core/DatasetsTest.java
index f0371866a..f0b5dbd38 100644
--- a/ccm-core/src/test/java/org/libreccm/core/DatasetsTest.java
+++ b/ccm-core/src/test/java/org/libreccm/core/DatasetsTest.java
@@ -42,38 +42,38 @@ public class DatasetsTest extends DatasetsVerifier {
     @Parameterized.Parameters(name = "Dataset {0}")
     public static Collection<String> data() {
         return Arrays.asList(new String[]{
-            "/datasets/org/libreccm/core/authentication/LoginManagerTest/data.json",
+//            "/datasets/org/libreccm/core/authentication/LoginManagerTest/data.json",
             "/datasets/org/libreccm/core/CcmObjectRepositoryTest/data.json",
             "/datasets/org/libreccm/core/CcmObjectRepositoryTest/after-delete.json",
             "/datasets/org/libreccm/core/CcmObjectRepositoryTest/after-save-changed.json",
             "/datasets/org/libreccm/core/CcmObjectRepositoryTest/after-save-new.json",
-            "/datasets/org/libreccm/core/GroupManagerTest/after-add-to-group.json",
-            "/datasets/org/libreccm/core/GroupManagerTest/after-remove-from-group.json",
-            "/datasets/org/libreccm/core/GroupManagerTest/users-groups.json",
-            "/datasets/org/libreccm/core/GroupRepositoryTest/data.json",
-            "/datasets/org/libreccm/core/GroupRepositoryTest/after-delete.json",
-            "/datasets/org/libreccm/core/GroupRepositoryTest/after-save-changed.json",
-            "/datasets/org/libreccm/core/GroupRepositoryTest/after-save-new.json",
-            "/datasets/org/libreccm/core/PermissionManagerTest/after-grant.json",
-            "/datasets/org/libreccm/core/PermissionManagerTest/after-grant-wildcard.json",
-            "/datasets/org/libreccm/core/PermissionManagerTest/after-revoke.json",
-            "/datasets/org/libreccm/core/PermissionManagerTest/data.json",
-            "/datasets/org/libreccm/core/PermissionRepositoryTest/after-save-changed.json",
-            "/datasets/org/libreccm/core/PermissionRepositoryTest/after-save-new.json",
-            "/datasets/org/libreccm/core/PermissionRepositoryTest/after-delete.json",
-            "/datasets/org/libreccm/core/PermissionRepositoryTest/data.json",
-            "/datasets/org/libreccm/core/PrivilegeRepositoryTest/after-create.json",
-            "/datasets/org/libreccm/core/PrivilegeRepositoryTest/after-delete.json",
-            "/datasets/org/libreccm/core/PrivilegeRepositoryTest/data.json",
-            "/datasets/org/libreccm/core/RoleRepositoryTest/data.json",
-            "/datasets/org/libreccm/core/RoleRepositoryTest/after-delete.json",
-            "/datasets/org/libreccm/core/RoleRepositoryTest/after-save-changed.json",
-            "/datasets/org/libreccm/core/RoleRepositoryTest/after-save-new.json",
-            "/datasets/org/libreccm/core/UserManagerTest/verify-password.json",
-            "/datasets/org/libreccm/core/UserRepositoryTest/data.json",
-            "/datasets/org/libreccm/core/UserRepositoryTest/after-delete.json",
-            "/datasets/org/libreccm/core/UserRepositoryTest/after-save-changed.json",
-            "/datasets/org/libreccm/core/UserRepositoryTest/after-save-new.json"
+//            "/datasets/org/libreccm/core/GroupManagerTest/after-add-to-group.json",
+//            "/datasets/org/libreccm/core/GroupManagerTest/after-remove-from-group.json",
+//            "/datasets/org/libreccm/core/GroupManagerTest/users-groups.json",
+//            "/datasets/org/libreccm/core/GroupRepositoryTest/data.json",
+//            "/datasets/org/libreccm/core/GroupRepositoryTest/after-delete.json",
+//            "/datasets/org/libreccm/core/GroupRepositoryTest/after-save-changed.json",
+//            "/datasets/org/libreccm/core/GroupRepositoryTest/after-save-new.json",
+//            "/datasets/org/libreccm/core/PermissionManagerTest/after-grant.json",
+//            "/datasets/org/libreccm/core/PermissionManagerTest/after-grant-wildcard.json",
+//            "/datasets/org/libreccm/core/PermissionManagerTest/after-revoke.json",
+//            "/datasets/org/libreccm/core/PermissionManagerTest/data.json",
+//            "/datasets/org/libreccm/core/PermissionRepositoryTest/after-save-changed.json",
+//            "/datasets/org/libreccm/core/PermissionRepositoryTest/after-save-new.json",
+//            "/datasets/org/libreccm/core/PermissionRepositoryTest/after-delete.json",
+//            "/datasets/org/libreccm/core/PermissionRepositoryTest/data.json",
+//            "/datasets/org/libreccm/core/PrivilegeRepositoryTest/after-create.json",
+//            "/datasets/org/libreccm/core/PrivilegeRepositoryTest/after-delete.json",
+//            "/datasets/org/libreccm/core/PrivilegeRepositoryTest/data.json",
+//            "/datasets/org/libreccm/core/RoleRepositoryTest/data.json",
+//            "/datasets/org/libreccm/core/RoleRepositoryTest/after-delete.json",
+//            "/datasets/org/libreccm/core/RoleRepositoryTest/after-save-changed.json",
+//            "/datasets/org/libreccm/core/RoleRepositoryTest/after-save-new.json",
+//            "/datasets/org/libreccm/core/UserManagerTest/verify-password.json",
+//            "/datasets/org/libreccm/core/UserRepositoryTest/data.json",
+//            "/datasets/org/libreccm/core/UserRepositoryTest/after-delete.json",
+//            "/datasets/org/libreccm/core/UserRepositoryTest/after-save-changed.json",
+//            "/datasets/org/libreccm/core/UserRepositoryTest/after-save-new.json"
         });
     }
     
diff --git a/ccm-core/src/test/java/org/libreccm/core/EqualsAndHashCodeTest.java b/ccm-core/src/test/java/org/libreccm/core/EqualsAndHashCodeTest.java
index 40795048c..107c4c705 100644
--- a/ccm-core/src/test/java/org/libreccm/core/EqualsAndHashCodeTest.java
+++ b/ccm-core/src/test/java/org/libreccm/core/EqualsAndHashCodeTest.java
@@ -40,15 +40,16 @@ public class EqualsAndHashCodeTest extends EqualsVerifier {
         return Arrays.asList(new Class<?>[]{
             CcmObject.class,
             EmailAddress.class,
-            GroupMembership.class,
-            Subject.class,
-            Permission.class,
-            PersonName.class,
-            Privilege.class,
+//            GroupMembership.class,
+//            Subject.class,
+//            Permission.class,
+//            PersonName.class,
+//            Privilege.class,
             ResourceType.class,
-            Role.class,
-            User.class,
-            Group.class});
+//            Role.class,
+//            User.class,
+//            Group.class
+        });
     }
 
     public EqualsAndHashCodeTest(final Class<?> entityClass) {
diff --git a/ccm-core/src/test/java/org/libreccm/core/GroupManagerTest.java b/ccm-core/src/test/java/org/libreccm/core/GroupManagerTest.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/test/java/org/libreccm/core/GroupManagerTest.java
rename to ccm-core/src/test/java/org/libreccm/core/GroupManagerTest.java.nolongerinuse
diff --git a/ccm-core/src/test/java/org/libreccm/core/GroupRepositoryTest.java b/ccm-core/src/test/java/org/libreccm/core/GroupRepositoryTest.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/test/java/org/libreccm/core/GroupRepositoryTest.java
rename to ccm-core/src/test/java/org/libreccm/core/GroupRepositoryTest.java.nolongerinuse
diff --git a/ccm-core/src/test/java/org/libreccm/core/PermissionManagerTest.java b/ccm-core/src/test/java/org/libreccm/core/PermissionManagerTest.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/test/java/org/libreccm/core/PermissionManagerTest.java
rename to ccm-core/src/test/java/org/libreccm/core/PermissionManagerTest.java.nolongerinuse
diff --git a/ccm-core/src/test/java/org/libreccm/core/PermissionRepositoryTest.java b/ccm-core/src/test/java/org/libreccm/core/PermissionRepositoryTest.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/test/java/org/libreccm/core/PermissionRepositoryTest.java
rename to ccm-core/src/test/java/org/libreccm/core/PermissionRepositoryTest.java.nolongerinuse
diff --git a/ccm-core/src/test/java/org/libreccm/core/PrivilegeRepositoryTest.java b/ccm-core/src/test/java/org/libreccm/core/PrivilegeRepositoryTest.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/test/java/org/libreccm/core/PrivilegeRepositoryTest.java
rename to ccm-core/src/test/java/org/libreccm/core/PrivilegeRepositoryTest.java.nolongerinuse
diff --git a/ccm-core/src/test/java/org/libreccm/core/ToStringTest.java b/ccm-core/src/test/java/org/libreccm/core/ToStringTest.java
index c8ebdd5cd..6e5c0c4cf 100644
--- a/ccm-core/src/test/java/org/libreccm/core/ToStringTest.java
+++ b/ccm-core/src/test/java/org/libreccm/core/ToStringTest.java
@@ -40,16 +40,17 @@ public class ToStringTest extends ToStringVerifier {
         return Arrays.asList(new Class<?>[]{
             CcmObject.class,
             EmailAddress.class,
-            GroupMembership.class,
-            Subject.class,
-            Permission.class,
-            PersonName.class,
-            Privilege.class,
+//            GroupMembership.class,
+//            Subject.class,
+//            Permission.class,
+//            PersonName.class,
+//            Privilege.class,
             Resource.class,
             ResourceType.class,
-            Role.class,
-            User.class,
-            Group.class});
+//            Role.class,
+//            User.class,
+//            Group.class
+        });
     }
 
     public ToStringTest(final Class<?> entityClass) {
diff --git a/ccm-core/src/test/java/org/libreccm/core/UserManagerTest.java b/ccm-core/src/test/java/org/libreccm/core/UserManagerTest.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/test/java/org/libreccm/core/UserManagerTest.java
rename to ccm-core/src/test/java/org/libreccm/core/UserManagerTest.java.nolongerinuse
diff --git a/ccm-core/src/test/java/org/libreccm/core/UserRepositoryTest.java b/ccm-core/src/test/java/org/libreccm/core/UserRepositoryTest.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/test/java/org/libreccm/core/UserRepositoryTest.java
rename to ccm-core/src/test/java/org/libreccm/core/UserRepositoryTest.java.nolongerinuse
diff --git a/ccm-core/src/test/java/org/libreccm/core/authentication/EqualsAndHashCodeTest.java b/ccm-core/src/test/java/org/libreccm/core/authentication/EqualsAndHashCodeTest.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/test/java/org/libreccm/core/authentication/EqualsAndHashCodeTest.java
rename to ccm-core/src/test/java/org/libreccm/core/authentication/EqualsAndHashCodeTest.java.nolongerinuse
diff --git a/ccm-core/src/test/java/org/libreccm/core/authentication/LoginManagerTest.java b/ccm-core/src/test/java/org/libreccm/core/authentication/LoginManagerTest.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/test/java/org/libreccm/core/authentication/LoginManagerTest.java
rename to ccm-core/src/test/java/org/libreccm/core/authentication/LoginManagerTest.java.nolongerinuse
diff --git a/ccm-core/src/test/java/org/libreccm/core/authentication/UserPrincipalToStringTest.java b/ccm-core/src/test/java/org/libreccm/core/authentication/UserPrincipalToStringTest.java.nolongerinuse
similarity index 100%
rename from ccm-core/src/test/java/org/libreccm/core/authentication/UserPrincipalToStringTest.java
rename to ccm-core/src/test/java/org/libreccm/core/authentication/UserPrincipalToStringTest.java.nolongerinuse
diff --git a/ccm-core/src/test/java/org/libreccm/modules/DependencyTreeManagerCycleTest.java b/ccm-core/src/test/java/org/libreccm/modules/DependencyTreeManagerCycleTest.java
index 10c9ac597..c2ea1ffc0 100644
--- a/ccm-core/src/test/java/org/libreccm/modules/DependencyTreeManagerCycleTest.java
+++ b/ccm-core/src/test/java/org/libreccm/modules/DependencyTreeManagerCycleTest.java
@@ -18,19 +18,6 @@
  */
 package org.libreccm.modules;
 
-import org.libreccm.modules.CcmModule;
-import org.libreccm.modules.Module;
-import org.libreccm.modules.ModuleStatus;
-import org.libreccm.modules.TreeNode;
-import org.libreccm.modules.DependencyException;
-import org.libreccm.modules.UnInstallEvent;
-import org.libreccm.modules.InitEvent;
-import org.libreccm.modules.ShutdownEvent;
-import org.libreccm.modules.ModuleInfo;
-import org.libreccm.modules.IntegrationException;
-import org.libreccm.modules.InstallEvent;
-import org.libreccm.modules.RequiredModule;
-import org.libreccm.modules.DependencyTreeManager;
 
 import static org.hamcrest.Matchers.*;
 
@@ -52,11 +39,12 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
-import org.libreccm.core.modules.dependencytree.test.cycle.TestModuleA;
-import org.libreccm.core.modules.dependencytree.test.cycle.TestModuleB;
-import org.libreccm.core.modules.dependencytree.test.cycle.TestModuleC;
-import org.libreccm.core.modules.dependencytree.test.cycle.TestModuleRoot;
+import org.libreccm.modules.dependencytree.test.cycle.TestModuleA;
+import org.libreccm.modules.dependencytree.test.cycle.TestModuleB;
+import org.libreccm.modules.dependencytree.test.cycle.TestModuleC;
+import org.libreccm.modules.dependencytree.test.cycle.TestModuleRoot;
 import org.libreccm.tests.categories.IntegrationTest;
+import org.libreccm.web.ApplicationType;
 
 import java.io.File;
 import java.util.ArrayList;
@@ -133,21 +121,22 @@ public class DependencyTreeManagerCycleTest {
             .addClass(TestModuleA.class)
             .addClass(TestModuleB.class)
             .addClass(TestModuleC.class)
+            .addClass(ApplicationType.class)
             .addAsLibraries(libs)
             .addAsWebInfResource("test-web.xml", "web.xml")
             .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml")
             .addAsResource(
                 "module-info/dependency-tree-manager-cycle-test/module-root.properties",
-                "module-info/org.libreccm.core.modules.dependencytree.test.cycle.TestModuleRoot.properties")
+                "module-info/org.libreccm.modules.dependencytree.test.cycle.TestModuleRoot.properties")
             .addAsResource(
                 "module-info/dependency-tree-manager-cycle-test/module-a.properties",
-                "module-info/org.libreccm.core.modules.dependencytree.test.cycle.TestModuleA.properties")
+                "module-info/org.libreccm.modules.dependencytree.test.cycle.TestModuleA.properties")
             .addAsResource(
                 "module-info/dependency-tree-manager-cycle-test/module-b.properties",
-                "module-info/org.libreccm.core.modules.dependencytree.test.cycle.TestModuleB.properties")
+                "module-info/org.libreccm.modules.dependencytree.test.cycle.TestModuleB.properties")
             .addAsResource(
                 "module-info/dependency-tree-manager-cycle-test/module-c.properties",
-                "module-info/org.libreccm.core.modules.dependencytree.test.cycle.TestModuleC.properties");
+                "module-info/org.libreccm.modules.dependencytree.test.cycle.TestModuleC.properties");
     }
 
     @Test
diff --git a/ccm-core/src/test/java/org/libreccm/modules/DependencyTreeManagerTest.java b/ccm-core/src/test/java/org/libreccm/modules/DependencyTreeManagerTest.java
index 8e629b157..2cf90503c 100644
--- a/ccm-core/src/test/java/org/libreccm/modules/DependencyTreeManagerTest.java
+++ b/ccm-core/src/test/java/org/libreccm/modules/DependencyTreeManagerTest.java
@@ -18,23 +18,10 @@
  */
 package org.libreccm.modules;
 
-import org.libreccm.modules.CcmModule;
-import org.libreccm.modules.Module;
-import org.libreccm.modules.ModuleStatus;
-import org.libreccm.modules.TreeNode;
-import org.libreccm.modules.DependencyException;
-import org.libreccm.modules.UnInstallEvent;
-import org.libreccm.modules.InitEvent;
-import org.libreccm.modules.ShutdownEvent;
-import org.libreccm.modules.ModuleInfo;
-import org.libreccm.modules.IntegrationException;
-import org.libreccm.modules.InstallEvent;
-import org.libreccm.modules.RequiredModule;
-import org.libreccm.modules.DependencyTreeManager;
-import org.libreccm.core.modules.dependencytree.test.valid.TestModuleB;
-import org.libreccm.core.modules.dependencytree.test.valid.TestModuleC;
-import org.libreccm.core.modules.dependencytree.test.valid.TestModuleA;
-import org.libreccm.core.modules.dependencytree.test.valid.TestModuleRoot;
+import org.libreccm.modules.dependencytree.test.valid.TestModuleB;
+import org.libreccm.modules.dependencytree.test.valid.TestModuleC;
+import org.libreccm.modules.dependencytree.test.valid.TestModuleA;
+import org.libreccm.modules.dependencytree.test.valid.TestModuleRoot;
 
 import static org.hamcrest.Matchers.*;
 
@@ -56,6 +43,7 @@ import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
 import org.libreccm.tests.categories.IntegrationTest;
+import org.libreccm.web.ApplicationType;
 
 import java.io.File;
 import java.util.ArrayList;
@@ -133,21 +121,22 @@ public class DependencyTreeManagerTest {
             .addClass(TestModuleA.class)
             .addClass(TestModuleB.class)
             .addClass(TestModuleC.class)
+            .addClass(ApplicationType.class)
             .addAsLibraries(libs)
             .addAsWebInfResource("test-web.xml", "web.xml")
             .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml")
             .addAsResource(
                 "module-info/dependency-tree-manager-test/module-root.properties",
-                "module-info/org.libreccm.core.modules.dependencytree.test.valid.TestModuleRoot.properties")
+                "module-info/org.libreccm.modules.dependencytree.test.valid.TestModuleRoot.properties")
             .addAsResource(
                 "module-info/dependency-tree-manager-test/module-a.properties",
-                "module-info/org.libreccm.core.modules.dependencytree.test.valid.TestModuleA.properties")
+                "module-info/org.libreccm.modules.dependencytree.test.valid.TestModuleA.properties")
             .addAsResource(
                 "module-info/dependency-tree-manager-test/module-b.properties",
-                "module-info/org.libreccm.core.modules.dependencytree.test.valid.TestModuleB.properties")
+                "module-info/org.libreccm.modules.dependencytree.test.valid.TestModuleB.properties")
             .addAsResource(
                 "module-info/dependency-tree-manager-test/module-c.properties",
-                "module-info/org.libreccm.core.modules.dependencytree.test.valid.TestModuleC.properties");
+                "module-info/org.libreccm.modules.dependencytree.test.valid.TestModuleC.properties");
     }
 
     @Test
diff --git a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/cycle/TestModuleA.java b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/cycle/TestModuleA.java
similarity index 96%
rename from ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/cycle/TestModuleA.java
rename to ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/cycle/TestModuleA.java
index 11bbd07dc..e9e59b206 100644
--- a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/cycle/TestModuleA.java
+++ b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/cycle/TestModuleA.java
@@ -16,7 +16,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  * MA 02110-1301  USA
  */
-package org.libreccm.core.modules.dependencytree.test.cycle;
+package org.libreccm.modules.dependencytree.test.cycle;
 
 import org.libreccm.modules.CcmModule;
 import org.libreccm.modules.InitEvent;
diff --git a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/cycle/TestModuleB.java b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/cycle/TestModuleB.java
similarity index 96%
rename from ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/cycle/TestModuleB.java
rename to ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/cycle/TestModuleB.java
index 595229fda..e9a5c0283 100644
--- a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/cycle/TestModuleB.java
+++ b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/cycle/TestModuleB.java
@@ -16,7 +16,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  * MA 02110-1301  USA
  */
-package org.libreccm.core.modules.dependencytree.test.cycle;
+package org.libreccm.modules.dependencytree.test.cycle;
 
 import org.libreccm.modules.CcmModule;
 import org.libreccm.modules.InitEvent;
diff --git a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/cycle/TestModuleC.java b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/cycle/TestModuleC.java
similarity index 87%
rename from ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/cycle/TestModuleC.java
rename to ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/cycle/TestModuleC.java
index aeaba6e23..678543537 100644
--- a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/cycle/TestModuleC.java
+++ b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/cycle/TestModuleC.java
@@ -16,7 +16,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  * MA 02110-1301  USA
  */
-package org.libreccm.core.modules.dependencytree.test.cycle;
+package org.libreccm.modules.dependencytree.test.cycle;
 
 import org.libreccm.modules.CcmModule;
 import org.libreccm.modules.InitEvent;
@@ -30,9 +30,10 @@ import org.libreccm.modules.UnInstallEvent;
  *
  * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
  */
-@Module(requiredModules = {
-    @RequiredModule(module = TestModuleRoot.class),
-    @RequiredModule(module = TestModuleA.class)})
+@Module(version = "1.0.0",
+        requiredModules = {
+            @RequiredModule(module = TestModuleRoot.class),
+            @RequiredModule(module = TestModuleA.class)})
 public class TestModuleC implements CcmModule {
 
     @Override
diff --git a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/cycle/TestModuleRoot.java b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/cycle/TestModuleRoot.java
similarity index 96%
rename from ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/cycle/TestModuleRoot.java
rename to ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/cycle/TestModuleRoot.java
index 394caefa0..e2c894ff7 100644
--- a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/cycle/TestModuleRoot.java
+++ b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/cycle/TestModuleRoot.java
@@ -16,7 +16,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  * MA 02110-1301  USA
  */
-package org.libreccm.core.modules.dependencytree.test.cycle;
+package org.libreccm.modules.dependencytree.test.cycle;
 
 import org.libreccm.modules.CcmModule;
 import org.libreccm.modules.InitEvent;
diff --git a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/valid/TestModuleA.java b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/valid/TestModuleA.java
similarity index 96%
rename from ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/valid/TestModuleA.java
rename to ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/valid/TestModuleA.java
index 6e741d8c4..6e7a0c860 100644
--- a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/valid/TestModuleA.java
+++ b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/valid/TestModuleA.java
@@ -16,7 +16,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  * MA 02110-1301  USA
  */
-package org.libreccm.core.modules.dependencytree.test.valid;
+package org.libreccm.modules.dependencytree.test.valid;
 
 import org.libreccm.modules.CcmModule;
 import org.libreccm.modules.InitEvent;
diff --git a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/valid/TestModuleB.java b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/valid/TestModuleB.java
similarity index 92%
rename from ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/valid/TestModuleB.java
rename to ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/valid/TestModuleB.java
index 31510ca10..104c80992 100644
--- a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/valid/TestModuleB.java
+++ b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/valid/TestModuleB.java
@@ -16,7 +16,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  * MA 02110-1301  USA
  */
-package org.libreccm.core.modules.dependencytree.test.valid;
+package org.libreccm.modules.dependencytree.test.valid;
 
 import org.libreccm.modules.CcmModule;
 import org.libreccm.modules.InitEvent;
@@ -31,7 +31,7 @@ import org.libreccm.modules.UnInstallEvent;
  * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
  */
 @Module(requiredModules = {
-    @RequiredModule(module = TestModuleRoot.class, minVersion = "1.0.0")})
+            @RequiredModule(module = TestModuleRoot.class, minVersion = "1.0.0")})
 public class TestModuleB implements CcmModule {
 
     @Override
diff --git a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/valid/TestModuleC.java b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/valid/TestModuleC.java
similarity index 96%
rename from ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/valid/TestModuleC.java
rename to ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/valid/TestModuleC.java
index b7dbad0e0..520a1ed96 100644
--- a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/valid/TestModuleC.java
+++ b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/valid/TestModuleC.java
@@ -16,7 +16,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  * MA 02110-1301  USA
  */
-package org.libreccm.core.modules.dependencytree.test.valid;
+package org.libreccm.modules.dependencytree.test.valid;
 
 import org.libreccm.modules.CcmModule;
 import org.libreccm.modules.InitEvent;
diff --git a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/valid/TestModuleRoot.java b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/valid/TestModuleRoot.java
similarity index 96%
rename from ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/valid/TestModuleRoot.java
rename to ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/valid/TestModuleRoot.java
index 35b7276b6..da7e73588 100644
--- a/ccm-core/src/test/java/org/libreccm/core/modules/dependencytree/test/valid/TestModuleRoot.java
+++ b/ccm-core/src/test/java/org/libreccm/modules/dependencytree/test/valid/TestModuleRoot.java
@@ -16,7 +16,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  * MA 02110-1301  USA
  */
-package org.libreccm.core.modules.dependencytree.test.valid;
+package org.libreccm.modules.dependencytree.test.valid;
 
 import org.libreccm.modules.CcmModule;
 import org.libreccm.modules.InitEvent;
diff --git a/ccm-core/src/test/java/org/libreccm/security/DatasetsTest.java b/ccm-core/src/test/java/org/libreccm/security/DatasetsTest.java
new file mode 100644
index 000000000..ce9e8d0c4
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/DatasetsTest.java
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.libreccm.tests.categories.UnitTest;
+
+import static org.libreccm.testutils.DatasetType.*;
+
+import org.libreccm.testutils.DatasetType;
+import org.libreccm.testutils.DatasetsVerifier;
+
+import java.util.Arrays;
+import java.util.Collection;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@RunWith(Parameterized.class)
+@Category(UnitTest.class)
+public class DatasetsTest extends DatasetsVerifier {
+
+    @Parameterized.Parameters(name = "Dataset {0}")
+    public static Collection<String> data() {
+        return Arrays.asList(new String[]{
+            "/datasets/org/libreccm/security/GroupManagerTest/data.yml",
+            "/datasets/org/libreccm/security/GroupManagerTest/after-add.yml",
+            "/datasets/org/libreccm/security/GroupManagerTest/after-remove.yml",
+            
+            "/datasets/org/libreccm/security/GroupRepositoryTest/data.yml",
+            "/datasets/org/libreccm/security/GroupRepositoryTest/after-delete.yml",
+            "/datasets/org/libreccm/security/GroupRepositoryTest/after-save-changed.yml",
+            "/datasets/org/libreccm/security/GroupRepositoryTest/after-save-new.yml",
+
+            "/datasets/org/libreccm/security/PartyRepositoryTest/data.yml",
+            "/datasets/org/libreccm/security/PartyRepositoryTest/after-delete.yml",
+            "/datasets/org/libreccm/security/PartyRepositoryTest/after-save-changed.yml",
+            "/datasets/org/libreccm/security/PartyRepositoryTest/after-save-new.yml",
+
+            "/datasets/org/libreccm/security/PermissionManagerTest/data.yml",
+            "/datasets/org/libreccm/security/PermissionManagerTest/after-grant.yml",
+            "/datasets/org/libreccm/security/PermissionManagerTest/after-revoke.yml",
+            "/datasets/org/libreccm/security/PermissionManagerTest/after-copy.yml",
+            
+            "/datasets/org/libreccm/security/RoleManagerTest/data.yml",
+            "/datasets/org/libreccm/security/RoleManagerTest/after-add.yml",
+            "/datasets/org/libreccm/security/RoleManagerTest/after-remove.yml",
+            
+            "/datasets/org/libreccm/security/RoleRepositoryTest/data.yml",
+            "/datasets/org/libreccm/security/RoleRepositoryTest/after-delete.yml",
+            "/datasets/org/libreccm/security/RoleRepositoryTest/after-save-changed.yml",
+            "/datasets/org/libreccm/security/RoleRepositoryTest/after-save-new.yml",
+
+            "/datasets/org/libreccm/security/ShiroTest/data.yml",
+            
+            "/datasets/org/libreccm/security/UserManagerTest/data.yml",
+            "/datasets/org/libreccm/security/UserManagerTest/after-create-user.yml",
+
+            "/datasets/org/libreccm/security/UserRepositoryTest/data.yml",
+            "/datasets/org/libreccm/security/UserRepositoryTest/data-email-duplicate.yml",
+            "/datasets/org/libreccm/security/UserRepositoryTest/after-delete.yml",
+            "/datasets/org/libreccm/security/UserRepositoryTest/after-save-changed.yml",
+            "/datasets/org/libreccm/security/UserRepositoryTest/after-save-new.yml"
+        });
+    }
+
+    public DatasetsTest(final String datasetPath) {
+        super(datasetPath);
+    }
+
+    @Override
+    public DatasetType getDatasetType() {
+        return YAML;
+    }
+
+    @Override
+    public String[] getSchemas() {
+        return new String[]{"ccm_core"};
+    }
+
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/EqualsAndHashCodeTest.java b/ccm-core/src/test/java/org/libreccm/security/EqualsAndHashCodeTest.java
new file mode 100644
index 000000000..96b988f7e
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/EqualsAndHashCodeTest.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.libreccm.tests.categories.UnitTest;
+import org.libreccm.testutils.EqualsVerifier;
+
+import java.util.Arrays;
+import java.util.Collection;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@RunWith(Parameterized.class)
+@Category(UnitTest.class)
+public class EqualsAndHashCodeTest extends EqualsVerifier {
+    
+    @Parameterized.Parameters(name = "{0}")
+    public static Collection<Class<?>> data() {
+        return Arrays.asList(new Class<?>[] {
+            Group.class,
+            GroupMembership.class,
+            Party.class,
+            Permission.class,
+            Role.class,
+            RoleMembership.class,
+            User.class
+        });
+    }
+    
+    public EqualsAndHashCodeTest(final Class<?> entityClass) {
+        super(entityClass);
+    }
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/GroupManagerTest.java b/ccm-core/src/test/java/org/libreccm/security/GroupManagerTest.java
new file mode 100644
index 000000000..1332ab23b
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/GroupManagerTest.java
@@ -0,0 +1,280 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import com.arsdigita.kernel.KernelConfig;
+import com.arsdigita.kernel.security.SecurityConfig;
+import com.arsdigita.runtime.AbstractConfig;
+import com.arsdigita.util.UncheckedWrapperException;
+import com.arsdigita.util.parameter.AbstractParameterContext;
+import com.arsdigita.web.CCMApplicationContextListener;
+import com.arsdigita.xml.XML;
+import com.arsdigita.xml.formatters.DateTimeFormatter;
+
+import java.io.File;
+
+import javax.inject.Inject;
+
+import nl.jqno.equalsverifier.EqualsVerifier;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.ShouldThrowException;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.junit.InSequence;
+import org.jboss.arquillian.persistence.CreateSchema;
+import org.jboss.arquillian.persistence.PersistenceTest;
+import org.jboss.arquillian.persistence.ShouldMatchDataSet;
+import org.jboss.arquillian.persistence.UsingDataSet;
+import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
+import org.jboss.arquillian.transaction.api.annotation.Transactional;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.EmptyAsset;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.jboss.shrinkwrap.resolver.api.maven.Maven;
+import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.libreccm.categorization.Categorization;
+import org.libreccm.core.CcmObject;
+import org.libreccm.jpa.EntityManagerProducer;
+import org.libreccm.jpa.utils.MimeTypeConverter;
+import org.libreccm.l10n.LocalizedString;
+import org.libreccm.tests.categories.IntegrationTest;
+import org.libreccm.web.CcmApplication;
+
+import static org.hamcrest.Matchers.*;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Category(IntegrationTest.class)
+@RunWith(Arquillian.class)
+@PersistenceTest
+@Transactional(TransactionMode.COMMIT)
+@CreateSchema({"create_ccm_core_schema.sql"})
+public class GroupManagerTest {
+
+    @Inject
+    private GroupManager groupManager;
+
+    @Inject
+    private GroupRepository groupRepository;
+
+    @Inject
+    private UserRepository userRepository;
+
+    public GroupManagerTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    @Deployment
+    public static WebArchive createDeployment() {
+        final PomEquippedResolveStage pom = Maven
+            .resolver()
+            .loadPomFromFile("pom.xml");
+        final PomEquippedResolveStage dependencies = pom.
+            importCompileAndRuntimeDependencies();
+        final File[] libs = dependencies.resolve().withTransitivity().asFile();
+
+        for (File lib : libs) {
+            System.err.printf("Adding file '%s' to test archive...%n",
+                              lib.getName());
+        }
+
+        return ShrinkWrap
+            .create(WebArchive.class,
+                    "LibreCCM-org.libreccm.security.GroupManagerTest.war")
+            .addPackage(User.class.getPackage())
+            .addPackage(CcmObject.class.getPackage())
+            .addPackage(Categorization.class.getPackage())
+            .addPackage(LocalizedString.class.getPackage())
+            .addPackage(CcmApplication.class.getPackage())
+            .addPackage(EntityManagerProducer.class.getPackage())
+            .addPackage(MimeTypeConverter.class.getPackage())
+            .addPackage(EqualsVerifier.class.getPackage())
+            .addPackage(IntegrationTest.class.getPackage())
+            .addPackage(KernelConfig.class.getPackage())
+            .addPackage(SecurityConfig.class.getPackage())
+            .addPackage(AbstractConfig.class.getPackage())
+            .addPackage(AbstractParameterContext.class.getPackage())
+            .addPackage(UncheckedWrapperException.class.getPackage())
+            .addPackage(CCMApplicationContextListener.class.getPackage())
+            .addPackage(XML.class.getPackage())
+            .addPackage(DateTimeFormatter.class.getPackage())
+            .addAsLibraries(libs)
+            .addAsResource("test-persistence.xml",
+                           "META-INF/persistence.xml")
+            .addAsResource("com/arsdigita/kernel/security/"
+                               + "SecurityConfig_parameter.properties",
+                           "com/arsdigita/kernel/security/"
+                               + "SecurityConfig_parameter.properties")
+            .addAsWebInfResource(
+                "configs/org/libreccm/security/UserManagerTest/"
+                    + "registry.properties",
+                "conf/registry/registry.properties")
+            .addAsResource(
+                "configs/org/libreccm/security/UserManagerTest/ccm-core.config",
+                "ccm-core.config")
+            //                .addAsWebInfResource(
+            //                        "datasets/org/libreccm//security/UserManagerTest/"
+            //                                + "security.properties",
+            //                        "conf/registry/ccm-core/security.properties")
+            .addAsWebInfResource("test-web.xml", "web.xml")
+            .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");
+    }
+
+    @Test
+    @InSequence(100)
+    public void groupManagerIsInjected() {
+        assertThat(groupManager, is(not(nullValue())));
+    }
+
+    @Test
+    @InSequence(110)
+    public void groupRepositoryIsInjected() {
+        assertThat(groupRepository, is(not(nullValue())));
+    }
+
+    @Test
+    @InSequence(120)
+    public void userRepositoryIsInjected() {
+        assertThat(userRepository, is(not(nullValue())));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/GroupManagerTest/data.yml")
+    @ShouldMatchDataSet(
+        value = "datasets/org/libreccm/security/GroupManagerTest/after-add.yml",
+        excludeColumns = {"membership_id"})
+    @InSequence(200)
+    public void addUserToGroup() {
+        final Group admins = groupRepository.findByName("admins");
+        final Group editors = groupRepository.findByName("editors");
+
+        final User jdoe = userRepository.findByName("jdoe");
+        final User mmuster = userRepository.findByName("mmuster");
+
+        groupManager.addMemberToGroup(mmuster, admins);
+        groupManager.addMemberToGroup(jdoe, editors);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet("datasets/org/libreccm/security/GroupManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(210)
+    public void addNullUserToGroup() {
+        final Group admins = groupRepository.findByName("admins");
+
+        groupManager.addMemberToGroup(null, admins);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet("datasets/org/libreccm/security/GroupManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(220)
+    public void addUserToGroupNull() {
+        final User jdoe = userRepository.findByName("jdoe");
+
+        groupManager.addMemberToGroup(jdoe, null);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/GroupManagerTest/data.yml")
+    @ShouldMatchDataSet(
+        value = "datasets/org/libreccm/security/GroupManagerTest/data.yml")
+    @InSequence(230)
+    public void addUserToGroupAgain() {
+        final Group admins = groupRepository.findByName("admins");
+        final User jdoe = userRepository.findByName("jdoe");
+
+        groupManager.addMemberToGroup(jdoe, admins);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/GroupManagerTest/data.yml")
+    @ShouldMatchDataSet("datasets/org/libreccm/security/GroupManagerTest/"
+                            + "after-remove.yml")
+    @InSequence(300)
+    public void removeUserFromGroup() {
+        final Group admins = groupRepository.findByName("admins");
+        final Group users = groupRepository.findByName("users");
+
+        final User jdoe = userRepository.findByName("jdoe");
+        final User mmuster = userRepository.findByName("mmuster");
+
+        assertThat(admins.getMemberships().size(), is(1));
+        assertThat(users.getMemberships().size(), is(2));
+
+        groupManager.removeMemberFromGroup(jdoe, admins);
+        groupManager.removeMemberFromGroup(mmuster, users);
+    }
+    
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet("datasets/org/libreccm/security/GroupManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(310)
+    public void removeUserNullFromGroup() {
+        final Group admins = groupRepository.findByName("admins");
+        
+        groupManager.removeMemberFromGroup(null, admins);
+    }
+    
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet("datasets/org/libreccm/security/GroupManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(320)
+    public void removeUserFromGroupNull() {
+        final User jdoe = userRepository.findByName("jdoe");
+        
+        groupManager.removeMemberFromGroup(jdoe, null);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/GroupManagerTest/data.yml")
+    @ShouldMatchDataSet(
+        value = "datasets/org/libreccm/security/GroupManagerTest/data.yml")
+    @InSequence(330)
+    public void removeUserGroupNotAMember() {
+        final Group admins = groupRepository.findByName("admins");
+        final User mmuster = userRepository.findByName("mmuster");
+        
+        groupManager.removeMemberFromGroup(mmuster, admins);
+    }
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/GroupRepositoryTest.java b/ccm-core/src/test/java/org/libreccm/security/GroupRepositoryTest.java
new file mode 100644
index 000000000..bb543f762
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/GroupRepositoryTest.java
@@ -0,0 +1,256 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import java.io.File;
+import java.util.List;
+import javax.inject.Inject;
+import javax.persistence.EntityManager;
+import javax.persistence.PersistenceContext;
+
+import static org.hamcrest.Matchers.*;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.ShouldThrowException;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.junit.InSequence;
+import org.jboss.arquillian.persistence.CreateSchema;
+import org.jboss.arquillian.persistence.PersistenceTest;
+import org.jboss.arquillian.persistence.ShouldMatchDataSet;
+import org.jboss.arquillian.persistence.UsingDataSet;
+import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
+import org.jboss.arquillian.transaction.api.annotation.Transactional;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.EmptyAsset;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.jboss.shrinkwrap.resolver.api.maven.Maven;
+import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
+import org.junit.After;
+import org.junit.AfterClass;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.libreccm.categorization.Categorization;
+import org.libreccm.core.CcmObject;
+import org.libreccm.l10n.LocalizedString;
+import org.libreccm.tests.categories.IntegrationTest;
+import org.libreccm.web.CcmApplication;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Category(IntegrationTest.class)
+@RunWith(Arquillian.class)
+@PersistenceTest
+@Transactional(TransactionMode.COMMIT)
+@CreateSchema("create_ccm_core_schema.sql")
+public class GroupRepositoryTest {
+
+    private static final String ADMINS = "admins";
+    private static final String USERS = "users";
+    private static final String EDITORS = "editors";
+    private static final String NONE = "none";
+
+    @Inject
+    private transient GroupRepository groupRepository;
+
+    @PersistenceContext
+    private transient EntityManager entityManager;
+
+    public GroupRepositoryTest() {
+
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    @Deployment
+    public static WebArchive createDeployment() {
+        final PomEquippedResolveStage pom = Maven
+                .resolver()
+                .loadPomFromFile("pom.xml");
+        final PomEquippedResolveStage dependencies = pom.
+                importCompileAndRuntimeDependencies();
+        final File[] libs = dependencies.resolve().withTransitivity().asFile();
+
+        for (File lib : libs) {
+            System.err.printf("Adding file '%s' to test archive...%n",
+                              lib.getName());
+        }
+
+        return ShrinkWrap
+                .create(WebArchive.class,
+                        "LibreCCM-org.libreccm.security.UserRepositoryTest.war")
+                .addPackage(User.class.getPackage())
+                .addPackage(CcmObject.class.getPackage())
+                .addPackage(Categorization.class.getPackage())
+                .addPackage(LocalizedString.class.getPackage())
+                .addPackage(CcmApplication.class.getPackage())
+                .addPackage(org.libreccm.jpa.EntityManagerProducer.class
+                        .getPackage())
+                .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class
+                        .getPackage())
+                .addPackage(org.libreccm.testutils.EqualsVerifier.class.
+                        getPackage())
+                .addPackage(org.libreccm.tests.categories.IntegrationTest.class
+                        .getPackage())
+                .addAsLibraries(libs)
+                .addAsResource("test-persistence.xml",
+                               "META-INF/persistence.xml")
+                .addAsWebInfResource("test-web.xml", "WEB-INF/web.xml")
+                .addAsWebInfResource(EmptyAsset.INSTANCE, "WEB-INF/beans.xml");
+    }
+
+    @Test
+    @InSequence(10)
+    public void repoIsInjected() {
+        assertThat(groupRepository, is(not(nullValue())));
+    }
+
+    @Test
+    @InSequence(20)
+    public void entityManagerIsInjected() {
+        assertThat(entityManager, is(not(nullValue())));
+    }
+
+    private void checkGroups(final Group admins,
+                             final Group users,
+                             final Group editors,
+                             final Group none) {
+        assertThat(admins, is(not(nullValue())));
+        assertThat(admins.getPartyId(), is(-10L));
+        assertThat(admins.getName(), is(equalTo(ADMINS)));
+
+        assertThat(users, is(not(nullValue())));
+        assertThat(users.getPartyId(), is(-20L));
+        assertThat(users.getName(), is(equalTo(USERS)));
+
+        assertThat(editors, is(not(nullValue())));
+        assertThat(editors.getPartyId(), is(-30L));
+        assertThat(editors.getName(), is(equalTo(EDITORS)));
+
+        assertThat(none, is(nullValue()));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/GroupRepositoryTest/data.yml")
+    @InSequence(100)
+    public void findGroupById() {
+        final Group admins = groupRepository.findById(-10L);
+        final Group users = groupRepository.findById(-20L);
+        final Group editors = groupRepository.findById(-30L);
+        final Group none = groupRepository.findById(-999L);
+
+        checkGroups(admins, users, editors, none);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/GroupRepositoryTest/data.yml")
+    @InSequence(200)
+    public void findGroupByName() {
+        final Group admins = groupRepository.findByName(ADMINS);
+        final Group users = groupRepository.findByName(USERS);
+        final Group editors = groupRepository.findByName(EDITORS);
+        final Group none = groupRepository.findByName(NONE);
+
+        checkGroups(admins, users, editors, none);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/GroupRepositoryTest/data.yml")
+    @InSequence(300)
+    public void findAllGroups() {
+        final List<Group> groups = groupRepository.findAll();
+
+        assertThat(groups.size(), is(3));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/GroupRepositoryTest/data.yml")
+    @ShouldMatchDataSet(value = "datasets/org/libreccm/security/"
+                                        + "GroupRepositoryTest/after-save-new.yml",
+                        excludeColumns = {"party_id"})
+    @InSequence(400)
+    public void saveNewGroup() {
+        final Group authors = new Group();
+        authors.setName("authors");
+
+        groupRepository.save(authors);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/GroupRepositoryTest/data.yml")
+    @ShouldMatchDataSet(value = "datasets/org/libreccm/security/"
+                                        + "GroupRepositoryTest/after-save-changed.yml",
+                        excludeColumns = {"party_id"})
+    @InSequence(500)
+    public void saveChangedGroup() {
+        final Group group = groupRepository.findById(-30L);
+        group.setName("authors");
+
+        groupRepository.save(group);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(600)
+    public void saveNullValue() {
+        groupRepository.save(null);
+    }
+    
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/GroupRepositoryTest/data.yml")
+    @ShouldMatchDataSet(value = "datasets/org/libreccm/security/"
+                                        + "GroupRepositoryTest/after-delete.yml",
+                        excludeColumns = {"party_id"})
+    @InSequence(700)
+    public void deleteUser() {
+        final Group group = groupRepository.findByName(USERS);
+        
+        groupRepository.delete(group);
+    }
+    
+    
+    @Test(expected = IllegalArgumentException.class)
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(800)
+    public void deleteNullValue() {
+        groupRepository.delete(null);
+    }
+
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/ListContainsTest.java b/ccm-core/src/test/java/org/libreccm/security/ListContainsTest.java
new file mode 100644
index 000000000..827602255
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/ListContainsTest.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.libreccm.core.EmailAddress;
+import org.libreccm.tests.categories.UnitTest;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.hamcrest.Matchers.*;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Category(UnitTest.class)
+public class ListContainsTest {
+    
+    public ListContainsTest() {
+    }
+    
+    @BeforeClass
+    public static void setUpClass() {
+    }
+    
+    @AfterClass
+    public static void tearDownClass() {
+    }
+    
+    @Before
+    public void setUp() {
+    }
+    
+    @After
+    public void tearDown() {
+    }
+    
+    @Test
+    public void listOfUsers() {
+        final User user1 = new User();
+        user1.setName("user1");
+        user1.setGivenName("User");
+        user1.setFamilyName("One");
+        final EmailAddress user1mail = new EmailAddress();
+        user1mail.setAddress("user.one@example.org");
+        user1.setPrimaryEmailAddress(user1mail);
+        
+        final User user2 = new User();
+        user2.setName("user2");
+        user2.setGivenName("User");
+        user2.setFamilyName("Two");
+        final EmailAddress user2mail = new EmailAddress();
+        user2mail.setAddress("user.two@example.org");
+        user2.setPrimaryEmailAddress(user1mail);
+        
+        final User user3 = new User();
+        user3.setName("user3");
+        user3.setGivenName("User");
+        user3.setFamilyName("Three");
+        final EmailAddress user3mail = new EmailAddress();
+        user3mail.setAddress("user.three@example.org");
+        user3.setPrimaryEmailAddress(user1mail);
+        
+        final List<User> users = new ArrayList<>();
+        users.add(user1);
+        users.add(user2);
+        users.add(user3);
+        
+        assertThat(users.size(), is(3));
+        assertThat(users.contains(user1), is(true));
+        assertThat(users.contains(user2), is(true));
+        assertThat(users.contains(user3), is(true));
+    }
+    
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/PartyConstraintTest.java b/ccm-core/src/test/java/org/libreccm/security/PartyConstraintTest.java
new file mode 100644
index 000000000..88e59e3cd
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/PartyConstraintTest.java
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import static org.hamcrest.Matchers.*;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.libreccm.tests.categories.UnitTest;
+
+import java.util.Set;
+
+import javax.validation.ConstraintViolation;
+import javax.validation.Validation;
+import javax.validation.Validator;
+
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Category(UnitTest.class)
+public class PartyConstraintTest {
+
+    public PartyConstraintTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    @Test
+    public void validPartyName1() {
+        final Party party = new Party();
+        party.setName("test");
+        final Validator validator = Validation.buildDefaultValidatorFactory()
+            .getValidator();
+
+        final Set<ConstraintViolation<Party>> violations = validator.validate(
+            party);
+        
+        assertThat(violations, is(empty()));
+    }
+    
+    @Test
+    public void validPartyName2() {
+        final Party party = new Party();
+        party.setName("party_test-02");
+        final Validator validator = Validation.buildDefaultValidatorFactory()
+            .getValidator();
+
+        final Set<ConstraintViolation<Party>> violations = validator.validate(
+            party);
+        
+        assertThat(violations, is(empty()));
+    }
+    
+    @Test
+    public void invalidPartyName1() {
+        final Party party = new Party();
+        party.setName("x#tw153");
+        final Validator validator = Validation.buildDefaultValidatorFactory()
+            .getValidator();
+
+        final Set<ConstraintViolation<Party>> violations = validator.validate(
+            party);
+        
+        assertThat(violations, is(not(empty())));
+    }
+    
+    @Test
+    public void invalidPartyName2() {
+        final Party party = new Party();
+        party.setName("günther");
+        final Validator validator = Validation.buildDefaultValidatorFactory()
+            .getValidator();
+
+        final Set<ConstraintViolation<Party>> violations = validator.validate(
+            party);
+        
+        assertThat(violations, is(not(empty())));
+    }
+
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/PartyRepositoryTest.java b/ccm-core/src/test/java/org/libreccm/security/PartyRepositoryTest.java
new file mode 100644
index 000000000..6ba5c1114
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/PartyRepositoryTest.java
@@ -0,0 +1,274 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import static org.hamcrest.Matchers.*;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.ShouldThrowException;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.junit.InSequence;
+import org.jboss.arquillian.persistence.CreateSchema;
+import org.jboss.arquillian.persistence.PersistenceTest;
+import org.jboss.arquillian.persistence.ShouldMatchDataSet;
+import org.jboss.arquillian.persistence.UsingDataSet;
+import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
+import org.jboss.arquillian.transaction.api.annotation.Transactional;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.EmptyAsset;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.jboss.shrinkwrap.resolver.api.maven.Maven;
+import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.libreccm.categorization.Categorization;
+import org.libreccm.core.CcmObject;
+import org.libreccm.core.EmailAddress;
+import org.libreccm.l10n.LocalizedString;
+import org.libreccm.tests.categories.IntegrationTest;
+import org.libreccm.web.CcmApplication;
+
+import java.io.File;
+import java.util.List;
+
+import javax.inject.Inject;
+import javax.persistence.EntityManager;
+import javax.persistence.PersistenceContext;
+
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Category(IntegrationTest.class)
+@RunWith(Arquillian.class)
+@PersistenceTest
+@Transactional(TransactionMode.COMMIT)
+@CreateSchema({"create_ccm_core_schema.sql"})
+public class PartyRepositoryTest {
+
+    private static final String MMUSTER = "mmuster";
+    private static final String JDOE = "jdoe";
+    private static final String ADMINS = "admins";
+    private static final String MANAGERS = "managers";
+
+    @Inject
+    private transient PartyRepository partyRepository;
+
+    @PersistenceContext
+    private transient EntityManager entityManager;
+
+    public PartyRepositoryTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    @Deployment
+    public static WebArchive createDeployment() {
+        final PomEquippedResolveStage pom = Maven
+            .resolver()
+            .loadPomFromFile("pom.xml");
+        final PomEquippedResolveStage dependencies = pom.
+            importCompileAndRuntimeDependencies();
+        final File[] libs = dependencies.resolve().withTransitivity().asFile();
+
+        for (File lib : libs) {
+            System.err.printf("Adding file '%s' to test archive...%n",
+                              lib.getName());
+        }
+
+        return ShrinkWrap
+            .create(WebArchive.class,
+                    "LibreCCM-org.libreccm.security.UserRepositoryTest.war")
+            .addPackage(User.class.getPackage())
+            .addPackage(CcmObject.class.getPackage())
+            .addPackage(Categorization.class.getPackage())
+            .addPackage(LocalizedString.class.getPackage())
+            .addPackage(CcmApplication.class.getPackage())
+            .addPackage(org.libreccm.jpa.EntityManagerProducer.class
+                .getPackage())
+            .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class
+                .getPackage())
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class.
+                getPackage())
+            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
+                .getPackage())
+            .addAsLibraries(libs)
+            .addAsResource("test-persistence.xml",
+                           "META-INF/persistence.xml")
+            .addAsWebInfResource("test-web.xml", "WEB-INF/web.xml")
+            .addAsWebInfResource(EmptyAsset.INSTANCE, "WEB-INF/beans.xml");
+    }
+
+    @Test
+    public void repoIsInjected() {
+        assertThat(partyRepository, is(not(nullValue())));
+    }
+
+    @Test
+    public void entityManagerIsInjected() {
+        assertThat(entityManager, is(not(nullValue())));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/PartyRepositoryTest/data.yml")
+    @InSequence(100)
+    public void findPartyById() {
+        final User jdoe = (User) partyRepository.findById(-10L);
+        final Group admins = (Group) partyRepository.findById(-20L);
+
+        assertThat(jdoe, is(not(nullValue())));
+        assertThat(jdoe.getPartyId(), is(-10L));
+        assertThat(jdoe.getName(), is(equalTo(JDOE)));
+        assertThat(jdoe.getFamilyName(), is(equalTo("Doe")));
+        assertThat(jdoe.getGivenName(), is(equalTo("John")));
+        assertThat(jdoe.getPassword(),
+                   is(equalTo(
+                           "$shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==")));
+
+        assertThat(admins, is(not(nullValue())));
+        assertThat(admins.getPartyId(), is(-20L));
+        assertThat(admins.getName(), is(equalTo(ADMINS)));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/PartyRepositoryTest/data.yml")
+    @InSequence(110)
+    public void findByName() {
+        final User jdoe = (User) partyRepository.findByName(JDOE);
+        final Group admins = (Group) partyRepository.findByName(ADMINS);
+
+        assertThat(jdoe, is(not(nullValue())));
+        assertThat(jdoe.getPartyId(), is(-10L));
+        assertThat(jdoe.getName(), is(equalTo(JDOE)));
+        assertThat(jdoe.getFamilyName(), is(equalTo("Doe")));
+        assertThat(jdoe.getGivenName(), is(equalTo("John")));
+        assertThat(jdoe.getPassword(),
+                   is(equalTo(
+                           "$shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==")));
+
+        assertThat(admins, is(not(nullValue())));
+        assertThat(admins.getPartyId(), is(-20L));
+        assertThat(admins.getName(), is(equalTo(ADMINS)));
+    }
+    
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/PartyRepositoryTest/data.yml")
+    @InSequence(200)
+    public void findAllParties() {
+        final List<Party> parties = partyRepository.findAll();
+
+        assertThat(parties.size(), is(2));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/PartyRepositoryTest/data.yml")
+    @ShouldMatchDataSet(value = "datasets/org/libreccm/security/"
+                                    + "PartyRepositoryTest/after-save-new.yml",
+                        excludeColumns = {"party_id", "password"}
+    )
+    @InSequence(300)
+    public void saveNewParty() {
+        final User mmuster = new User();
+
+        final EmailAddress emailAddress = new EmailAddress();
+        emailAddress.setAddress("max.mustermann@example.org");
+        emailAddress.setBouncing(false);
+        emailAddress.setVerified(true);
+
+        mmuster.setName("mmuster");
+        mmuster.setGivenName("Max");
+        mmuster.setFamilyName("Mustermann");
+        mmuster.setPrimaryEmailAddress(emailAddress);
+        mmuster.setPassword(
+            "$shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==");
+        mmuster.setPasswordResetRequired(false);
+
+        partyRepository.save(mmuster);
+
+        final Group users = new Group();
+        users.setName("users");
+
+        partyRepository.save(users);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/PartyRepositoryTest/data.yml")
+    @ShouldMatchDataSet(value = "datasets/org/libreccm/security/"
+                                    + "PartyRepositoryTest/after-save-changed.yml",
+                        excludeColumns = {"party_id", "password"}
+    )
+    @InSequence(400)
+    public void saveChangedParty() {
+        final Party user = partyRepository.findById(-10L);
+        final Party group = partyRepository.findById(-20L);
+        
+        user.setName("johndoe");
+        group.setName("managers");
+        
+        partyRepository.save(user);
+        partyRepository.save(group);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(500)
+    public void saveNullValue() {
+        partyRepository.save(null);
+    }
+    
+        @Test
+    @UsingDataSet("datasets/org/libreccm/security/PartyRepositoryTest/data.yml")
+    @ShouldMatchDataSet(value = "datasets/org/libreccm/security/"
+                                    + "PartyRepositoryTest/after-delete.yml",
+                        excludeColumns = {"party_id"})
+    @InSequence(600)
+    public void deleteParty() {
+        final Party user = partyRepository.findById(-10L);
+
+        partyRepository.delete(user);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(700)
+    public void deleteNullValue() {
+        partyRepository.delete(null);
+    }
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/PermissionCheckerTest.java b/ccm-core/src/test/java/org/libreccm/security/PermissionCheckerTest.java
new file mode 100644
index 000000000..1523eb05c
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/PermissionCheckerTest.java
@@ -0,0 +1,353 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import com.arsdigita.kernel.KernelConfig;
+import com.arsdigita.kernel.security.SecurityConfig;
+import com.arsdigita.runtime.AbstractConfig;
+import com.arsdigita.util.UncheckedWrapperException;
+import com.arsdigita.util.parameter.AbstractParameterContext;
+import com.arsdigita.web.CCMApplicationContextListener;
+import com.arsdigita.xml.XML;
+import com.arsdigita.xml.formatters.DateTimeFormatter;
+import java.io.File;
+import java.util.concurrent.Callable;
+import javax.inject.Inject;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authz.AuthorizationException;
+import org.apache.shiro.subject.Subject;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.ShouldThrowException;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.junit.InSequence;
+import org.jboss.arquillian.persistence.CreateSchema;
+import org.jboss.arquillian.persistence.PersistenceTest;
+import org.jboss.arquillian.persistence.UsingDataSet;
+import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
+import org.jboss.arquillian.transaction.api.annotation.Transactional;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.EmptyAsset;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.jboss.shrinkwrap.resolver.api.maven.Maven;
+import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.libreccm.categorization.Categorization;
+import org.libreccm.core.CcmObject;
+import org.libreccm.core.CcmObjectRepository;
+import org.libreccm.jpa.EntityManagerProducer;
+import org.libreccm.jpa.utils.MimeTypeConverter;
+import org.libreccm.l10n.LocalizedString;
+import org.libreccm.tests.categories.IntegrationTest;
+
+import org.libreccm.testutils.EqualsVerifier;
+import org.libreccm.web.CcmApplication;
+
+import static org.hamcrest.Matchers.*;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Category(IntegrationTest.class)
+@RunWith(Arquillian.class)
+@PersistenceTest
+@Transactional(TransactionMode.COMMIT)
+@CreateSchema({"create_ccm_core_schema.sql"})
+public class PermissionCheckerTest {
+
+    @Inject
+    private transient Subject subject;
+
+    @Inject
+    private transient Shiro shiro;
+
+    @Inject
+    private transient PermissionChecker permissionChecker;
+
+    @Inject
+    private transient CcmObjectRepository objectRepository;
+
+    public PermissionCheckerTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    @Deployment
+    public static WebArchive createDeployment() {
+        final PomEquippedResolveStage pom = Maven
+                .resolver()
+                .loadPomFromFile("pom.xml");
+        final PomEquippedResolveStage dependencies = pom.
+                importCompileAndRuntimeDependencies();
+        final File[] libs = dependencies.resolve().withTransitivity().asFile();
+
+        for (File lib : libs) {
+            System.err.printf("Adding file '%s' to test archive...%n",
+                              lib.getName());
+        }
+
+        return ShrinkWrap
+                .create(WebArchive.class,
+                        "LibreCCM-org.libreccm.security.PermissionCheckerTest.war")
+                .addPackage(User.class.getPackage())
+                .addPackage(CcmObject.class.getPackage())
+                .addPackage(Categorization.class.getPackage())
+                .addPackage(LocalizedString.class.getPackage())
+                .addPackage(CcmApplication.class.getPackage())
+                .addPackage(EntityManagerProducer.class.getPackage())
+                .addPackage(MimeTypeConverter.class.getPackage())
+                .addPackage(EqualsVerifier.class.getPackage())
+                .addPackage(IntegrationTest.class.getPackage())
+                .addPackage(KernelConfig.class.getPackage())
+                .addPackage(SecurityConfig.class.getPackage())
+                .addPackage(AbstractConfig.class.getPackage())
+                .addPackage(AbstractParameterContext.class.getPackage())
+                .addPackage(UncheckedWrapperException.class.getPackage())
+                .addPackage(CCMApplicationContextListener.class.getPackage())
+                .addPackage(XML.class.getPackage())
+                .addPackage(DateTimeFormatter.class.getPackage())
+                .addAsLibraries(libs)
+                .addAsResource("test-persistence.xml",
+                               "META-INF/persistence.xml")
+                .addAsResource("com/arsdigita/kernel/"
+                                       + "KernelConfig_parameter.properties",
+                               "com/arsdigita/kernel/"
+                                       + "KernelConfig_parameter.properties")
+                .addAsResource("com/arsdigita/kernel/security/"
+                                       + "SecurityConfig_parameter.properties",
+                               "com/arsdigita/kernel/security/"
+                                       + "SecurityConfig_parameter.properties")
+                .addAsWebInfResource(
+                        "configs/org/libreccm/security/UserManagerTest/"
+                                + "registry.properties",
+                        "conf/registry/registry.properties")
+                .addAsResource(
+                        "configs/org/libreccm/security/UserManagerTest/ccm-core.config",
+                        "ccm-core.config")
+                .addAsResource(
+                        "configs/org/libreccm/security/ShiroTest/shiro.ini",
+                        "shiro.ini")
+                .addAsResource(
+                        "configs/org/libreccm/security/ShiroTest/log4j2.xml",
+                        "log4j2.xml")
+                .addAsWebInfResource(
+                        "configs/org/libreccm/security/ShiroTest/"
+                                + "kernel.properties",
+                        "conf/registry/ccm-core/kernel.properties")
+                .addAsWebInfResource(
+                        "configs/org/libreccm//security/ShiroTest/"
+                                + "security.properties",
+                        "conf/registry/ccm-core/security.properties")
+                .addAsWebInfResource("test-web.xml", "web.xml")
+                .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(100)
+    public void isPermittedAuthenticatedUser() {
+        final UsernamePasswordToken token = new UsernamePasswordToken("jdoe",
+                                                                      "foo123");
+        token.setRememberMe(true);
+        subject.login(token);
+
+        assertThat(permissionChecker.isPermitted("privilege1"), is(false));
+        assertThat(permissionChecker.isPermitted("privilege2"), is(false));
+        assertThat(permissionChecker.isPermitted("privilege3"), is(false));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(200)
+    public void isPermittedUnAuthenticatedUser() {
+        assertThat(permissionChecker.isPermitted("privilege1"), is(false));
+        assertThat(permissionChecker.isPermitted("privilege2"), is(false));
+        assertThat(permissionChecker.isPermitted("privilege3"), is(false));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(200)
+    public void isPermittedSystemUser() {
+        final CcmObject object1 = objectRepository.findById(-20001L);
+        final CcmObject object2 = objectRepository.findById(-20002L);
+        final CcmObject object3 = objectRepository.findById(-20003L);
+
+        shiro.getSystemUser().execute(new Callable<Boolean>() {
+            @Override
+            public Boolean call() {
+                assertThat(permissionChecker.isPermitted("privilege1"),
+                           is(true));
+                assertThat(permissionChecker.isPermitted("privilege2"),
+                           is(true));
+                assertThat(permissionChecker.isPermitted("privilege3"),
+                           is(true));
+
+                assertThat(permissionChecker.isPermitted("privilege1",
+                                                         object2),
+                           is(true));
+                assertThat(permissionChecker.isPermitted("privilege2",
+                                                         object1),
+                           is(true));
+                assertThat(permissionChecker.isPermitted("privilege3",
+                                                         object3),
+                           is(true));
+
+                return false;
+            }
+        });
+
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(400)
+    public void isPermittedObjectAuthenticatedUser() {
+        final CcmObject object1 = objectRepository.findById(-20001L);
+        final CcmObject object2 = objectRepository.findById(-20002L);
+
+        final UsernamePasswordToken token = new UsernamePasswordToken("jdoe",
+                                                                      "foo123");
+        token.setRememberMe(true);
+        subject.login(token);
+
+        assertThat(permissionChecker.isPermitted("privilege1", object1),
+                   is(false));
+        assertThat(permissionChecker.isPermitted("privilege2", object1),
+                   is(false));
+        assertThat(permissionChecker.isPermitted("privilege2", object2),
+                   is(true));
+
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(500)
+    public void isPermittedObjectUnAuthenticatedUser() {
+        final CcmObject object1 = objectRepository.findById(-20001L);
+        final CcmObject object2 = objectRepository.findById(-20002L);
+
+        assertThat(permissionChecker.isPermitted("privilege1", object1),
+                   is(false));
+        assertThat(permissionChecker.isPermitted("privilege2", object1),
+                   is(false));
+        assertThat(permissionChecker.isPermitted("privilege2", object2),
+                   is(false));
+        assertThat(permissionChecker.isPermitted("privilege3", object1),
+                   is(true));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(600)
+    public void checkPermissionAuthenticatedUser() {
+        final UsernamePasswordToken token = new UsernamePasswordToken("mmuster",
+                                                                      "foo123");
+        token.setRememberMe(true);
+        subject.login(token);
+
+        permissionChecker.checkPermission("privilege1");
+    }
+
+    @Test(expected = AuthorizationException.class)
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @ShouldThrowException(AuthorizationException.class)
+    @InSequence(600)
+    public void checkPermissionUnAuthenticatedUser() {
+        permissionChecker.checkPermission("privilege1");
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(600)
+    public void checkPermissionObjectAuthenticatedUser() {
+        final CcmObject object2 = objectRepository.findById(-20002L);
+
+        final UsernamePasswordToken token = new UsernamePasswordToken("jdoe",
+                                                                      "foo123");
+        token.setRememberMe(true);
+        subject.login(token);
+
+        permissionChecker.checkPermission("privilege2", object2);
+    }
+
+    @Test(expected = AuthorizationException.class)
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @ShouldThrowException(AuthorizationException.class)
+    @InSequence(600)
+    public void checkPermissionObjectUnAuthenticatedUser() {
+        final CcmObject object2 = objectRepository.findById(-20002L);
+
+        permissionChecker.checkPermission("privilege2", object2);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(600)
+    public void checkPermissionObjectPublicUser() {
+        final CcmObject object1 = objectRepository.findById(-20001L);
+
+        permissionChecker.checkPermission("privilege3", object1);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(600)
+    public void checkPermissionObjectSystemUser() {
+        final CcmObject object1 = objectRepository.findById(-20001L);
+        final CcmObject object2 = objectRepository.findById(-20002L);
+        final CcmObject object3 = objectRepository.findById(-20003L);
+
+        shiro.getSystemUser().execute(new Callable<Boolean>() {
+            @Override
+            public Boolean call() {
+                permissionChecker.checkPermission("privilege1");
+                permissionChecker.checkPermission("privilege2");
+                permissionChecker.checkPermission("privilege3");
+                
+                permissionChecker.checkPermission("privilege1", object3);
+                permissionChecker.checkPermission("privilege2", object1);
+                permissionChecker.checkPermission("privilege3", object2);
+
+                return false;
+            }
+        });
+    }
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/PermissionManagerTest.java b/ccm-core/src/test/java/org/libreccm/security/PermissionManagerTest.java
new file mode 100644
index 000000000..bf80d4da3
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/PermissionManagerTest.java
@@ -0,0 +1,453 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import com.arsdigita.kernel.KernelConfig;
+import com.arsdigita.kernel.security.SecurityConfig;
+import com.arsdigita.runtime.AbstractConfig;
+import com.arsdigita.util.UncheckedWrapperException;
+import com.arsdigita.util.parameter.AbstractParameterContext;
+import com.arsdigita.web.CCMApplicationContextListener;
+import com.arsdigita.xml.XML;
+import com.arsdigita.xml.formatters.DateTimeFormatter;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.ShouldThrowException;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.junit.InSequence;
+import org.jboss.arquillian.persistence.CreateSchema;
+import org.jboss.arquillian.persistence.PersistenceTest;
+import org.jboss.arquillian.persistence.ShouldMatchDataSet;
+import org.jboss.arquillian.persistence.UsingDataSet;
+import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
+import org.jboss.arquillian.transaction.api.annotation.Transactional;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.EmptyAsset;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.jboss.shrinkwrap.resolver.api.maven.Maven;
+import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.libreccm.categorization.Categorization;
+import org.libreccm.core.CcmObject;
+import org.libreccm.core.CcmObjectRepository;
+import org.libreccm.jpa.EntityManagerProducer;
+import org.libreccm.jpa.utils.MimeTypeConverter;
+import org.libreccm.l10n.LocalizedString;
+import org.libreccm.tests.categories.IntegrationTest;
+import org.libreccm.testutils.EqualsVerifier;
+import org.libreccm.web.CcmApplication;
+
+import java.io.File;
+
+import javax.inject.Inject;
+import javax.persistence.EntityManager;
+import javax.persistence.TypedQuery;
+
+import static org.hamcrest.Matchers.*;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Category(IntegrationTest.class)
+@RunWith(Arquillian.class)
+@PersistenceTest
+@Transactional(TransactionMode.COMMIT)
+@CreateSchema({"create_ccm_core_schema.sql"})
+public class PermissionManagerTest {
+
+    @Inject
+    private PermissionManager permissionManager;
+
+    @Inject
+    private RoleRepository roleRepository;
+
+    @Inject
+    private CcmObjectRepository ccmObjectRepository;
+
+    @Inject
+    private EntityManager entityManager;
+
+    public PermissionManagerTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    @Deployment
+    public static WebArchive createDeployment() {
+        final PomEquippedResolveStage pom = Maven
+            .resolver()
+            .loadPomFromFile("pom.xml");
+        final PomEquippedResolveStage dependencies = pom.
+            importCompileAndRuntimeDependencies();
+        final File[] libs = dependencies.resolve().withTransitivity().asFile();
+
+        for (File lib : libs) {
+            System.err.printf("Adding file '%s' to test archive...%n",
+                              lib.getName());
+        }
+
+        return ShrinkWrap
+            .create(WebArchive.class,
+                    "LibreCCM-org.libreccm.security.PermissionManagerTest.war")
+            .addPackage(User.class.getPackage())
+            .addPackage(CcmObject.class.getPackage())
+            .addPackage(Categorization.class.getPackage())
+            .addPackage(LocalizedString.class.getPackage())
+            .addPackage(CcmApplication.class.getPackage())
+            .addPackage(EntityManagerProducer.class.getPackage())
+            .addPackage(MimeTypeConverter.class.getPackage())
+            .addPackage(EqualsVerifier.class.getPackage())
+            .addPackage(IntegrationTest.class.getPackage())
+            .addPackage(KernelConfig.class.getPackage())
+            .addPackage(SecurityConfig.class.getPackage())
+            .addPackage(AbstractConfig.class.getPackage())
+            .addPackage(AbstractParameterContext.class.getPackage())
+            .addPackage(UncheckedWrapperException.class.getPackage())
+            .addPackage(CCMApplicationContextListener.class.getPackage())
+            .addPackage(XML.class.getPackage())
+            .addPackage(DateTimeFormatter.class.getPackage())
+            .addAsLibraries(libs)
+            .addAsResource("test-persistence.xml",
+                           "META-INF/persistence.xml")
+            .addAsResource("com/arsdigita/kernel/security/"
+                               + "SecurityConfig_parameter.properties",
+                           "com/arsdigita/kernel/security/"
+                               + "SecurityConfig_parameter.properties")
+            .addAsWebInfResource(
+                "configs/org/libreccm/security/UserManagerTest/"
+                    + "registry.properties",
+                "conf/registry/registry.properties")
+            .addAsResource(
+                "configs/org/libreccm/security/UserManagerTest/ccm-core.config",
+                "ccm-core.config")
+            //                .addAsWebInfResource(
+            //                        "datasets/org/libreccm//security/UserManagerTest/"
+            //                                + "security.properties",
+            //                        "conf/registry/ccm-core/security.properties")
+            .addAsWebInfResource("test-web.xml", "web.xml")
+            .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");
+    }
+
+    @Test
+    @InSequence(100)
+    public void permissionManagerIsInjected() {
+        assertThat(permissionManager, is(not(nullValue())));
+    }
+
+    @Test
+    @InSequence(110)
+    public void roleRepositoryIsInjected() {
+        assertThat(roleRepository, is(not(nullValue())));
+    }
+
+    @Test
+    @InSequence(120)
+    public void ccmObjectRepositoryIsInjected() {
+        assertThat(ccmObjectRepository, is(not(nullValue())));
+    }
+
+    @Test
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldMatchDataSet(
+        value = "datasets/org/libreccm/security/PermissionManagerTest/"
+                    + "after-grant.yml",
+        excludeColumns = {"permission_id"})
+    @InSequence(200)
+    public void grantPermission() {
+        final Role role2 = roleRepository.findByName("role2");
+        final CcmObject object3 = ccmObjectRepository.findById(-20003L);
+
+        permissionManager.grantPrivilege("privilege2", role2, object3);
+        permissionManager.grantPrivilege("privilege3", role2);
+    }
+
+    @Test
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldMatchDataSet(
+        value = "datasets/org/libreccm/security/PermissionManagerTest/"
+                    + "data.yml")
+    @InSequence(210)
+    public void grantPermissionAgain() {
+        final Role role1 = roleRepository.findByName("role1");
+        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
+
+        permissionManager.grantPrivilege("privilege1", role1);
+        permissionManager.grantPrivilege("privilege2", role1, object1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(220)
+    public void grantPermissionPrivilegeNull() {
+        final Role role1 = roleRepository.findByName("role1");
+
+        permissionManager.grantPrivilege(null, role1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(225)
+    public void grantPermissionOnObjectPrivilegeNull() {
+        final Role role1 = roleRepository.findByName("role1");
+        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
+
+        permissionManager.grantPrivilege(null, role1, object1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(230)
+    public void grantPermissionEmptyPrivilege() {
+        final Role role1 = roleRepository.findByName("role1");
+
+        permissionManager.grantPrivilege("", role1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(235)
+    public void grantPermissionOnObjectEmptyPrivilege() {
+        final Role role1 = roleRepository.findByName("role1");
+        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
+
+        permissionManager.grantPrivilege("", role1, object1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(240)
+    public void grantPermissionToRoleNull() {
+        permissionManager.grantPrivilege("privilege", null);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(240)
+    public void grantPermissionOnObjectToRoleNull() {
+        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
+
+        permissionManager.grantPrivilege("privilege", null, object1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(250)
+    public void grantPermissionNullObject() {
+        final Role role1 = roleRepository.findByName("role1");
+
+        permissionManager.grantPrivilege("privilege1", role1, null);
+    }
+
+    @Test
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldMatchDataSet(
+        value = "datasets/org/libreccm/security/PermissionManagerTest/"
+                    + "after-revoke.yml",
+        excludeColumns = {"permission_id"})
+    @InSequence(300)
+    public void revokePermission() {
+        final Role role1 = roleRepository.findByName("role1");
+        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
+
+        permissionManager.revokePrivilege("privilege1", role1);
+        permissionManager.revokePrivilege("privilege2", role1, object1);
+    }
+
+    @Test
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldMatchDataSet(
+        value = "datasets/org/libreccm/security/PermissionManagerTest/"
+                    + "data.yml")
+    @InSequence(310)
+    public void revokeNotExistingPermission() {
+        final Role role1 = roleRepository.findByName("role1");
+
+        permissionManager.revokePrivilege("privilege999", role1);
+    }
+
+    @Test
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldMatchDataSet(
+        value = "datasets/org/libreccm/security/PermissionManagerTest/"
+                    + "data.yml")
+    @InSequence(310)
+    public void revokeNotExistingPermissionOnObject() {
+        final Role role1 = roleRepository.findByName("role1");
+        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
+
+        permissionManager.revokePrivilege("privilege999", role1, object1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(320)
+    public void revokePermissionPrivilegeNull() {
+        final Role role1 = roleRepository.findByName("role1");
+
+        permissionManager.revokePrivilege(null, role1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(320)
+    public void revokePermissionOnObjectPrivilegeNull() {
+        final Role role1 = roleRepository.findByName("role1");
+        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
+
+        permissionManager.revokePrivilege(null, role1, object1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(330)
+    public void revokePermissionEmptyPrivilege() {
+        final Role role1 = roleRepository.findByName("role1");
+
+        permissionManager.revokePrivilege("", role1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(320)
+    public void revokePermissionOnObjectEmptyPrivilege() {
+        final Role role1 = roleRepository.findByName("role1");
+        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
+
+        permissionManager.revokePrivilege("", role1, object1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(340)
+    public void revokePermissionFromRoleNull() {
+        permissionManager.revokePrivilege("privilege1", null);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(345)
+    public void revokePermissionOnObjectFromRoleNull() {
+        final CcmObject object1 = ccmObjectRepository.findById(-20001L);
+
+        permissionManager.revokePrivilege("privilege1", null, object1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(350)
+    public void revokePermissionNullObject() {
+        final Role role1 = roleRepository.findByName("role1");
+
+        permissionManager.revokePrivilege("privilege2", role1, null);
+
+    }
+
+    @Test
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldMatchDataSet(
+        value = "datasets/org/libreccm/security/PermissionManagerTest/"
+                    + "after-copy.yml",
+        excludeColumns = {"permission_id"})
+    @InSequence(400)
+    public void copyPermissions() {
+        final CcmObject object2 = ccmObjectRepository.findById(-20002L);
+        final CcmObject object3 = ccmObjectRepository.findById(-20003L);
+
+        permissionManager.copyPermissions(object2, object3);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(410)
+    public void copyPermissionsNullSource() {
+        final CcmObject object3 = ccmObjectRepository.findById(-20003L);
+
+        permissionManager.copyPermissions(null, object3);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet(
+        "datasets/org/libreccm/security/PermissionManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(420)
+    public void copyPermissionsNullTarget() {
+        final CcmObject object2 = ccmObjectRepository.findById(-20002L);
+
+        permissionManager.copyPermissions(object2, null);
+    }
+
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/RoleManagerTest.java b/ccm-core/src/test/java/org/libreccm/security/RoleManagerTest.java
new file mode 100644
index 000000000..b09316cab
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/RoleManagerTest.java
@@ -0,0 +1,267 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import com.arsdigita.kernel.KernelConfig;
+import com.arsdigita.kernel.security.SecurityConfig;
+import com.arsdigita.runtime.AbstractConfig;
+import com.arsdigita.util.UncheckedWrapperException;
+import com.arsdigita.util.parameter.AbstractParameterContext;
+import com.arsdigita.web.CCMApplicationContextListener;
+import com.arsdigita.xml.XML;
+import com.arsdigita.xml.formatters.DateTimeFormatter;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.ShouldThrowException;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.junit.InSequence;
+import org.jboss.arquillian.persistence.CreateSchema;
+import org.jboss.arquillian.persistence.PersistenceTest;
+import org.jboss.arquillian.persistence.ShouldMatchDataSet;
+import org.jboss.arquillian.persistence.UsingDataSet;
+import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
+import org.jboss.arquillian.transaction.api.annotation.Transactional;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.EmptyAsset;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.jboss.shrinkwrap.resolver.api.maven.Maven;
+import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.libreccm.categorization.Categorization;
+import org.libreccm.core.CcmObject;
+import org.libreccm.jpa.EntityManagerProducer;
+import org.libreccm.jpa.utils.MimeTypeConverter;
+import org.libreccm.l10n.LocalizedString;
+import org.libreccm.tests.categories.IntegrationTest;
+import org.libreccm.testutils.EqualsVerifier;
+import org.libreccm.web.CcmApplication;
+
+import java.io.File;
+
+import javax.inject.Inject;
+
+import static org.hamcrest.Matchers.*;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Category(IntegrationTest.class)
+@RunWith(Arquillian.class)
+@PersistenceTest
+@Transactional(TransactionMode.COMMIT)
+@CreateSchema({"create_ccm_core_schema.sql"})
+public class RoleManagerTest {
+
+    @Inject
+    private RoleManager roleManager;
+
+    @Inject
+    private RoleRepository roleRepository;
+
+    @Inject
+    private PartyRepository partyRepository;
+
+    public RoleManagerTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    @Deployment
+    public static WebArchive createDeployment() {
+        final PomEquippedResolveStage pom = Maven
+            .resolver()
+            .loadPomFromFile("pom.xml");
+        final PomEquippedResolveStage dependencies = pom.
+            importCompileAndRuntimeDependencies();
+        final File[] libs = dependencies.resolve().withTransitivity().asFile();
+
+        for (File lib : libs) {
+            System.err.printf("Adding file '%s' to test archive...%n",
+                              lib.getName());
+        }
+
+        return ShrinkWrap
+            .create(WebArchive.class,
+                    "LibreCCM-org.libreccm.security.RoleManagerTest.war")
+            .addPackage(User.class.getPackage())
+            .addPackage(CcmObject.class.getPackage())
+            .addPackage(Categorization.class.getPackage())
+            .addPackage(LocalizedString.class.getPackage())
+            .addPackage(CcmApplication.class.getPackage())
+            .addPackage(EntityManagerProducer.class.getPackage())
+            .addPackage(MimeTypeConverter.class.getPackage())
+            .addPackage(EqualsVerifier.class.getPackage())
+            .addPackage(IntegrationTest.class.getPackage())
+            .addPackage(KernelConfig.class.getPackage())
+            .addPackage(SecurityConfig.class.getPackage())
+            .addPackage(AbstractConfig.class.getPackage())
+            .addPackage(AbstractParameterContext.class.getPackage())
+            .addPackage(UncheckedWrapperException.class.getPackage())
+            .addPackage(CCMApplicationContextListener.class.getPackage())
+            .addPackage(XML.class.getPackage())
+            .addPackage(DateTimeFormatter.class.getPackage())
+            .addAsLibraries(libs)
+            .addAsResource("test-persistence.xml",
+                           "META-INF/persistence.xml")
+            .addAsResource("com/arsdigita/kernel/security/"
+                               + "SecurityConfig_parameter.properties",
+                           "com/arsdigita/kernel/security/"
+                               + "SecurityConfig_parameter.properties")
+            .addAsWebInfResource(
+                "configs/org/libreccm/security/UserManagerTest/"
+                    + "registry.properties",
+                "conf/registry/registry.properties")
+            .addAsResource(
+                "configs/org/libreccm/security/UserManagerTest/ccm-core.config",
+                "ccm-core.config")
+            //                .addAsWebInfResource(
+            //                        "datasets/org/libreccm//security/UserManagerTest/"
+            //                                + "security.properties",
+            //                        "conf/registry/ccm-core/security.properties")
+            .addAsWebInfResource("test-web.xml", "web.xml")
+            .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");
+    }
+
+    @Test
+    @InSequence(100)
+    public void roleManagerIsInjected() {
+        assertThat(roleManager, is(not(nullValue())));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/RoleManagerTest/data.yml")
+    @ShouldMatchDataSet(
+        value = "datasets/org/libreccm/security/RoleManagerTest/after-add.yml",
+        excludeColumns = {"membership_id"})
+    @InSequence(200)
+    public void assignRoleToParty() {
+        final Role role1 = roleRepository.findByName("role1");
+        final Role role3 = roleRepository.findByName("role3");
+
+        final Party joe = partyRepository.findByName("joe");
+        final Party group1 = partyRepository.findByName("group1");
+
+        roleManager.assignRoleToParty(role1, joe);
+        roleManager.assignRoleToParty(role3, group1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet("datasets/org/libreccm/security/RoleManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(210)
+    public void assignRoleNullToParty() {
+        final Party party = partyRepository.findByName("jdoe");
+
+        roleManager.assignRoleToParty(null, party);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet("datasets/org/libreccm/security/RoleManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(220)
+    public void assignRoleToPartyNull() {
+        final Role role = roleRepository.findByName("role1");
+
+        roleManager.assignRoleToParty(role, null);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/RoleManagerTest/data.yml")
+    @ShouldMatchDataSet(
+        value = "datasets/org/libreccm/security/RoleManagerTest/data.yml")
+    @InSequence(230)
+    public void assignRoleToPartyAgain() {
+        final Party jdoe = partyRepository.findByName("jdoe");
+        final Role role1 = roleRepository.findByName("role1");
+
+        roleManager.assignRoleToParty(role1, jdoe);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/RoleManagerTest/data.yml")
+    @ShouldMatchDataSet(
+        value
+        = "datasets/org/libreccm/security/RoleManagerTest/after-remove.yml",
+        excludeColumns = {"membership_id"})
+    @InSequence(300)
+    public void removeRoleFromParty() {
+        final Role role1 = roleRepository.findByName("role1");
+        final Role role2 = roleRepository.findByName("role2");
+
+        final Party jdoe = partyRepository.findByName("jdoe");
+        final Party group1 = partyRepository.findByName("group1");
+
+        roleManager.removeRoleFromParty(role1, jdoe);
+        roleManager.removeRoleFromParty(role2, group1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet("datasets/org/libreccm/security/RoleManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(310)
+    public void removeRoleNullFromParty() {
+        final Party party = partyRepository.findByName("jdoe");
+
+        roleManager.removeRoleFromParty(null, party);
+    }
+    
+    @Test(expected = IllegalArgumentException.class)
+    @UsingDataSet("datasets/org/libreccm/security/RoleManagerTest/data.yml")
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(220)
+    public void removeRoleFromPartyNull() {
+        final Role role = roleRepository.findByName("role1");
+
+        roleManager.removeRoleFromParty(role, null);
+    }
+    
+     @Test
+    @UsingDataSet("datasets/org/libreccm/security/RoleManagerTest/data.yml")
+    @ShouldMatchDataSet(
+        value = "datasets/org/libreccm/security/RoleManagerTest/data.yml")
+    @InSequence(330)
+    public void removeNotAssignedRoleFromParty() {
+         final Role role2 = roleRepository.findByName("role2");
+         final Party jdoe = partyRepository.findByName("jdoe");
+         
+         roleManager.removeRoleFromParty(role2, jdoe);
+    }
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/RoleRepositoryTest.java b/ccm-core/src/test/java/org/libreccm/security/RoleRepositoryTest.java
new file mode 100644
index 000000000..f367c4d15
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/RoleRepositoryTest.java
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.ShouldThrowException;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.junit.InSequence;
+import org.jboss.arquillian.persistence.CreateSchema;
+import org.jboss.arquillian.persistence.PersistenceTest;
+import org.jboss.arquillian.persistence.ShouldMatchDataSet;
+import org.jboss.arquillian.persistence.UsingDataSet;
+import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
+import org.jboss.arquillian.transaction.api.annotation.Transactional;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.EmptyAsset;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.jboss.shrinkwrap.resolver.api.maven.Maven;
+import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.libreccm.categorization.Categorization;
+import org.libreccm.core.CcmObject;
+import org.libreccm.l10n.LocalizedString;
+import org.libreccm.tests.categories.IntegrationTest;
+import org.libreccm.web.CcmApplication;
+
+import java.io.File;
+import java.util.List;
+
+import javax.inject.Inject;
+import javax.persistence.EntityManager;
+import javax.persistence.PersistenceContext;
+
+import static org.hamcrest.Matchers.*;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Category(IntegrationTest.class)
+@RunWith(Arquillian.class)
+@PersistenceTest
+@Transactional(TransactionMode.COMMIT)
+@CreateSchema({"create_ccm_core_schema.sql"})
+public class RoleRepositoryTest {
+
+    private static final String ADMINISTRATOR = "administrator";
+    private static final String USER = "user";
+    private static final String READER = "reader";
+
+    @Inject
+    private transient RoleRepository roleRepository;
+
+    @PersistenceContext
+    private transient EntityManager entityManager;
+
+    public RoleRepositoryTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    @Deployment
+    public static WebArchive createDeployment() {
+        final PomEquippedResolveStage pom = Maven
+            .resolver()
+            .loadPomFromFile("pom.xml");
+        final PomEquippedResolveStage dependencies = pom.
+            importCompileAndRuntimeDependencies();
+        final File[] libs = dependencies.resolve().withTransitivity().asFile();
+
+        for (File lib : libs) {
+            System.err.printf("Adding file '%s' to test archive...%n",
+                              lib.getName());
+        }
+
+        return ShrinkWrap
+            .create(WebArchive.class,
+                    "LibreCCM-org.libreccm.security.RoleRepositoryTest.war")
+            .addPackage(User.class.getPackage())
+            .addPackage(CcmObject.class.getPackage())
+            .addPackage(Categorization.class.getPackage())
+            .addPackage(LocalizedString.class.getPackage())
+            .addPackage(CcmApplication.class.getPackage())
+            .addPackage(org.libreccm.jpa.EntityManagerProducer.class
+                .getPackage())
+            .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class
+                .getPackage())
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class.
+                getPackage())
+            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
+                .getPackage())
+            .addAsLibraries(libs)
+            .addAsResource("test-persistence.xml",
+                           "META-INF/persistence.xml")
+            .addAsWebInfResource("test-web.xml", "WEB-INF/web.xml")
+            .addAsWebInfResource(EmptyAsset.INSTANCE, "WEB-INF/beans.xml");
+    }
+
+    @Test
+    public void repoIsInjected() {
+        assertThat(roleRepository, is(not(nullValue())));
+    }
+
+    @Test
+    public void entityManagerIsInjected() {
+        assertThat(entityManager, is(not(nullValue())));
+    }
+
+    private void checkRoles(final Role administrator,
+                            final Role user,
+                            final Role reader) {
+        assertThat(administrator, is(not((nullValue()))));
+        assertThat(administrator.getRoleId(), is(-10L));
+        assertThat(administrator.getName(), is(equalTo(ADMINISTRATOR)));
+
+        assertThat(user, is(not((nullValue()))));
+        assertThat(user.getRoleId(), is(-20L));
+        assertThat(user.getName(), is(equalTo(USER)));
+
+        assertThat(reader, is(not((nullValue()))));
+        assertThat(reader.getRoleId(), is(-30L));
+        assertThat(reader.getName(), is(equalTo(READER)));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/RoleRepositoryTest/data.yml")
+    @InSequence(100)
+    public void findRoleById() {
+        final Role administrator = roleRepository.findById(-10L);
+        final Role user = roleRepository.findById(-20L);
+        final Role reader = roleRepository.findById(-30L);
+
+        checkRoles(administrator, user, reader);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/RoleRepositoryTest/data.yml")
+    @InSequence(200)
+    public void findRoleByName() {
+        final Role administrator = roleRepository.findByName(ADMINISTRATOR);
+        final Role user = roleRepository.findByName(USER);
+        final Role reader = roleRepository.findByName(READER);
+
+        checkRoles(administrator, user, reader);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/RoleRepositoryTest/data.yml")
+    @InSequence(300)
+    public void findAllRoles() {
+        final List<Role> roles = roleRepository.findAll();
+
+        assertThat(roles.size(), is(3));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/RoleRepositoryTest/data.yml")
+    @ShouldMatchDataSet(value = "datasets/org/libreccm/security/"
+                                    + "RoleRepositoryTest/after-save-new.yml",
+                        excludeColumns = {"role_id"})
+    @InSequence(400)
+    public void saveNewRole() {
+        final Role role = new Role();
+        role.setName("editor");
+
+        roleRepository.save(role);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/RoleRepositoryTest/data.yml")
+    @ShouldMatchDataSet(value = "datasets/org/libreccm/security/"
+                                    + "RoleRepositoryTest/after-save-changed.yml",
+                        excludeColumns = {"role_id"})
+    @InSequence(500)
+    public void saveChangedRole() {
+        final Role role = roleRepository.findById(-20L);
+        role.setName("writer");
+
+        roleRepository.save(role);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(600)
+    public void saveNullValue() {
+        roleRepository.save(null);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/RoleRepositoryTest/data.yml")
+    @ShouldMatchDataSet(value = "datasets/org/libreccm/security/"
+                                    + "RoleRepositoryTest/after-delete.yml",
+                        excludeColumns = {"role_id"})
+    @InSequence(700)
+    public void deleteRole() {
+        final Role role = roleRepository.findByName(USER);
+        
+        roleRepository.delete(role);
+    }
+    
+    @Test(expected = IllegalArgumentException.class)
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(800)
+    public void deleteNullValue() {
+        roleRepository.delete(null);
+    }
+
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/ShiroTest.java b/ccm-core/src/test/java/org/libreccm/security/ShiroTest.java
new file mode 100644
index 000000000..722b14b94
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/ShiroTest.java
@@ -0,0 +1,389 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import com.arsdigita.kernel.KernelConfig;
+import com.arsdigita.kernel.security.SecurityConfig;
+import com.arsdigita.runtime.AbstractConfig;
+import com.arsdigita.util.UncheckedWrapperException;
+import com.arsdigita.util.parameter.AbstractParameterContext;
+import com.arsdigita.web.CCMApplicationContextListener;
+import com.arsdigita.xml.XML;
+import com.arsdigita.xml.formatters.DateTimeFormatter;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+
+import java.io.File;
+
+import javax.inject.Inject;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.apache.shiro.subject.SimplePrincipalCollection;
+
+import org.apache.shiro.subject.Subject;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.ShouldThrowException;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.junit.InSequence;
+import org.jboss.arquillian.persistence.CreateSchema;
+import org.jboss.arquillian.persistence.PersistenceTest;
+import org.jboss.arquillian.persistence.UsingDataSet;
+import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
+import org.jboss.arquillian.transaction.api.annotation.Transactional;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.EmptyAsset;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.jboss.shrinkwrap.resolver.api.maven.Maven;
+import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.libreccm.categorization.Categorization;
+import org.libreccm.core.CcmObject;
+import org.libreccm.jpa.EntityManagerProducer;
+import org.libreccm.jpa.utils.MimeTypeConverter;
+import org.libreccm.l10n.LocalizedString;
+import org.libreccm.tests.categories.IntegrationTest;
+import org.libreccm.testutils.EqualsVerifier;
+import org.libreccm.web.CcmApplication;
+
+import static org.hamcrest.Matchers.*;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Category(IntegrationTest.class)
+@RunWith(Arquillian.class)
+@PersistenceTest
+@Transactional(TransactionMode.COMMIT)
+@CreateSchema({"create_ccm_core_schema.sql"})
+public class ShiroTest {
+
+    @Inject
+    private Subject subject;
+
+    public ShiroTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    @Deployment
+    public static WebArchive createDeployment() {
+        final PomEquippedResolveStage pom = Maven
+                .resolver()
+                .loadPomFromFile("pom.xml");
+        final PomEquippedResolveStage dependencies = pom.
+                importCompileAndRuntimeDependencies();
+        final File[] libs = dependencies.resolve().withTransitivity().asFile();
+
+        for (File lib : libs) {
+            System.err.printf("Adding file '%s' to test archive...%n",
+                              lib.getName());
+        }
+
+        return ShrinkWrap
+                .create(WebArchive.class,
+                        "LibreCCM-org.libreccm.security.ShiroTest.war")
+                .addPackage(User.class.getPackage())
+                .addPackage(CcmObject.class.getPackage())
+                .addPackage(Categorization.class.getPackage())
+                .addPackage(LocalizedString.class.getPackage())
+                .addPackage(CcmApplication.class.getPackage())
+                .addPackage(EntityManagerProducer.class.getPackage())
+                .addPackage(MimeTypeConverter.class.getPackage())
+                .addPackage(EqualsVerifier.class.getPackage())
+                .addPackage(IntegrationTest.class.getPackage())
+                .addPackage(KernelConfig.class.getPackage())
+                .addPackage(SecurityConfig.class.getPackage())
+                .addPackage(AbstractConfig.class.getPackage())
+                .addPackage(AbstractParameterContext.class.getPackage())
+                .addPackage(UncheckedWrapperException.class.getPackage())
+                .addPackage(CCMApplicationContextListener.class.getPackage())
+                .addPackage(XML.class.getPackage())
+                .addPackage(DateTimeFormatter.class.getPackage())
+                .addAsLibraries(libs)
+                .addAsResource("test-persistence.xml",
+                               "META-INF/persistence.xml")
+                .addAsResource("com/arsdigita/kernel/"
+                                       + "KernelConfig_parameter.properties",
+                               "com/arsdigita/kernel/"
+                                       + "KernelConfig_parameter.properties")
+                .addAsResource("com/arsdigita/kernel/security/"
+                                       + "SecurityConfig_parameter.properties",
+                               "com/arsdigita/kernel/security/"
+                                       + "SecurityConfig_parameter.properties")
+                .addAsWebInfResource(
+                        "configs/org/libreccm/security/UserManagerTest/"
+                                + "registry.properties",
+                        "conf/registry/registry.properties")
+                .addAsResource(
+                        "configs/org/libreccm/security/UserManagerTest/ccm-core.config",
+                        "ccm-core.config")
+                .addAsResource(
+                        "configs/org/libreccm/security/ShiroTest/shiro.ini",
+                        "shiro.ini")
+                .addAsResource(
+                        "configs/org/libreccm/security/ShiroTest/log4j2.xml",
+                        "log4j2.xml")
+                .addAsWebInfResource(
+                        "configs/org/libreccm/security/ShiroTest/"
+                                + "kernel.properties",
+                        "conf/registry/ccm-core/kernel.properties")
+                .addAsWebInfResource(
+                        "configs/org/libreccm//security/ShiroTest/"
+                                + "security.properties",
+                        "conf/registry/ccm-core/security.properties")
+                .addAsWebInfResource("test-web.xml", "web.xml")
+                .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");
+    }
+
+    @Test
+    @InSequence(100)
+    public void subjectIsInjected() {
+        assertThat(subject, is(not(nullValue())));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(200)
+    public void loginUser() {
+        final UsernamePasswordToken token = new UsernamePasswordToken("jdoe",
+                                                                      "foo123");
+        token.setRememberMe(true);
+
+        subject.login(token);
+
+        assertThat(subject.isAuthenticated(), is(true));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(300)
+    public void logoutUser() {
+        final UsernamePasswordToken token = new UsernamePasswordToken("jdoe",
+                                                                      "foo123");
+        token.setRememberMe(true);
+
+        subject.login(token);
+
+        assertThat(subject.isAuthenticated(), is(true));
+
+        subject.logout();
+
+        assertThat(subject.isAuthenticated(), is(false));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(300)
+    public void checkRolesAndPermissionsJdoe() {
+        final UsernamePasswordToken token = new UsernamePasswordToken("jdoe",
+                                                                      "foo123");
+        token.setRememberMe(true);
+
+        subject.login(token);
+
+        assertThat(subject.isAuthenticated(), is(true));
+
+        assertThat(subject.hasRole("role1"), is(false));
+        assertThat(subject.hasRole("role2"), is(true));
+
+        assertThat(subject.isPermitted("privilege1"), is(false));
+        assertThat(subject.isPermitted("privilege2:-20001"), is(false));
+        assertThat(subject.isPermitted("privilege2:-20002"), is(true));
+
+        assertThat(subject.isPermitted("privilege2"), is(false));
+        assertThat(subject.isPermitted("privilege1:999"), is(false));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(300)
+    public void checkRolesAndPermissionsMmuster() {
+        final UsernamePasswordToken token = new UsernamePasswordToken("mmuster",
+                                                                      "foo123");
+        token.setRememberMe(true);
+
+        subject.login(token);
+
+        assertThat(subject.isAuthenticated(), is(true));
+
+        assertThat(subject.hasRole("role1"), is(true));
+        assertThat(subject.hasRole("role2"), is(false));
+
+        assertThat(subject.isPermitted("privilege1"), is(true));
+        assertThat(subject.isPermitted("privilege2:-20001"), is(true));
+        assertThat(subject.isPermitted("privilege2:-20002"), is(false));
+
+        assertThat(subject.isPermitted("privilege2"), is(false));
+        assertThat(subject.isPermitted("privilege1"), is(true));
+    }
+
+    @Test(expected = AuthenticationException.class)
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @ShouldThrowException(AuthenticationException.class)
+    @InSequence(400)
+    public void userCantLoginWithWrongPassword() {
+        final UsernamePasswordToken token = new UsernamePasswordToken("mmuster",
+                                                                      "pw");
+        token.setRememberMe(true);
+
+        subject.login(token);
+    }
+
+    @Test(expected = AuthenticationException.class)
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @ShouldThrowException(AuthenticationException.class)
+    @InSequence(500)
+    public void userCantLoginWithEmptyPassword() {
+        final UsernamePasswordToken token = new UsernamePasswordToken("mmuster",
+                                                                      "");
+        token.setRememberMe(true);
+
+        subject.login(token);
+    }
+
+    @Test(expected = AuthenticationException.class)
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @ShouldThrowException(AuthenticationException.class)
+    @InSequence(600)
+    public void userWithoutPasswordCantLogin() {
+        final UsernamePasswordToken token = new UsernamePasswordToken(
+                "public-user",
+                "foo123");
+        token.setRememberMe(true);
+
+        subject.login(token);
+    }
+
+    @Test(expected = AuthenticationException.class)
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @ShouldThrowException(AuthenticationException.class)
+    @InSequence(700)
+    public void userWithoutPasswordCantLoginWithEmptyPassword() {
+        final UsernamePasswordToken token = new UsernamePasswordToken(
+                "public-user",
+                "");
+        token.setRememberMe(true);
+
+        subject.login(token);
+    }
+
+    @Test(expected = AuthenticationException.class)
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @ShouldThrowException(AuthenticationException.class)
+    @InSequence(800)
+    public void unknownUser() {
+        final UsernamePasswordToken token = new UsernamePasswordToken(
+                "unknown-user",
+                "foo123");
+        token.setRememberMe(true);
+
+        subject.login(token);
+    }
+
+    @Test(expected = AuthenticationException.class)
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @ShouldThrowException(AuthenticationException.class)
+    @InSequence(810)
+    public void nullUser() {
+        final UsernamePasswordToken token = new UsernamePasswordToken(
+                null,
+                "foo123");
+        token.setRememberMe(true);
+
+        subject.login(token);
+    }
+
+    @Test(expected = AuthenticationException.class)
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @ShouldThrowException(AuthenticationException.class)
+    @InSequence(820)
+    public void emptyUser() {
+        final UsernamePasswordToken token = new UsernamePasswordToken(
+                "",
+                "foo123");
+        token.setRememberMe(true);
+
+        subject.login(token);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(900)
+    public void publicUser() {
+        final PrincipalCollection principals = new SimplePrincipalCollection(
+                "public-user", "CcmShiroRealm");
+        final Subject publicUser = new Subject.Builder()
+                .principals(principals)
+                .authenticated(true)
+                .buildSubject();
+        
+        assertThat(publicUser.hasRole("role1"), is(false));
+        assertThat(publicUser.hasRole("role2"), is(false));
+        assertThat(publicUser.hasRole("public-role"), is(true));
+        
+        assertThat(publicUser.isPermitted("privilege1"), is(false));
+        assertThat(publicUser.isPermitted("privilege2:-20001"), is(false));
+        assertThat(publicUser.isPermitted("privilege2:-20002"), is(false));
+        assertThat(publicUser.isPermitted("privilege3:-20001"), is(true));
+    }
+    
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/ShiroTest/data.yml")
+    @InSequence(910)
+    public void systemUser() {
+        final PrincipalCollection principals = new SimplePrincipalCollection(
+                "system-user", "CcmShiroRealm");
+        final Subject publicUser = new Subject.Builder()
+                .principals(principals)
+                .authenticated(true)
+                .buildSubject();
+        
+        assertThat(publicUser.hasRole("role1"), is(true));
+        assertThat(publicUser.hasRole("role2"), is(true));
+        assertThat(publicUser.hasRole("public-role"), is(true));
+        
+        assertThat(publicUser.isPermitted("privilege1"), is(true));
+        assertThat(publicUser.isPermitted("privilege2:-20001"), is(true));
+        assertThat(publicUser.isPermitted("privilege2:-20002"), is(true));
+        assertThat(publicUser.isPermitted("privilege3:-20001"), is(true));
+        
+    }
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/ToStringTest.java b/ccm-core/src/test/java/org/libreccm/security/ToStringTest.java
new file mode 100644
index 000000000..b5e057af0
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/ToStringTest.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.libreccm.tests.categories.UnitTest;
+import org.libreccm.testutils.ToStringVerifier;
+
+import java.util.Arrays;
+import java.util.Collection;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@RunWith(Parameterized.class)
+@Category(UnitTest.class)
+public class ToStringTest extends ToStringVerifier {
+    
+    @Parameterized.Parameters(name = "{0}")
+    public static Collection<Class<?>> data() {
+        return Arrays.asList(new Class<?>[]{
+            Group.class,
+            GroupMembership.class,
+            Party.class,
+            Permission.class,
+            Role.class,
+            RoleMembership.class,
+            User.class
+        });
+    }
+    
+    public ToStringTest(final Class<?> entityClass) {
+        super(entityClass);
+    }
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/UserManagerTest.java b/ccm-core/src/test/java/org/libreccm/security/UserManagerTest.java
new file mode 100644
index 000000000..b8ee9dc9c
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/UserManagerTest.java
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import com.arsdigita.kernel.KernelConfig;
+import com.arsdigita.kernel.security.SecurityConfig;
+import com.arsdigita.runtime.AbstractConfig;
+import com.arsdigita.util.UncheckedWrapperException;
+import com.arsdigita.util.parameter.AbstractParameterContext;
+import com.arsdigita.web.CCMApplicationContextListener;
+import com.arsdigita.xml.XML;
+import com.arsdigita.xml.formatters.DateTimeFormatter;
+import java.io.File;
+import javax.inject.Inject;
+import nl.jqno.equalsverifier.EqualsVerifier;
+import org.hibernate.exception.ConstraintViolationException;
+
+import static org.hamcrest.Matchers.*;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.ShouldThrowException;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.junit.InSequence;
+import org.jboss.arquillian.persistence.CreateSchema;
+import org.jboss.arquillian.persistence.PersistenceTest;
+import org.jboss.arquillian.persistence.ShouldMatchDataSet;
+import org.jboss.arquillian.persistence.UsingDataSet;
+import org.jboss.arquillian.test.spi.ArquillianProxyException;
+import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
+import org.jboss.arquillian.transaction.api.annotation.Transactional;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.EmptyAsset;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.jboss.shrinkwrap.resolver.api.maven.Maven;
+import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.libreccm.categorization.Categorization;
+import org.libreccm.core.CcmObject;
+import org.libreccm.jpa.EntityManagerProducer;
+import org.libreccm.jpa.utils.MimeTypeConverter;
+import org.libreccm.l10n.LocalizedString;
+import org.libreccm.tests.categories.IntegrationTest;
+import org.libreccm.web.CcmApplication;
+
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Category(IntegrationTest.class)
+@RunWith(Arquillian.class)
+@PersistenceTest
+@Transactional(TransactionMode.COMMIT)
+@CreateSchema({"create_ccm_core_schema.sql"})
+public class UserManagerTest {
+
+    @Inject
+    private UserManager userManager;
+
+    @Inject
+    private UserRepository userRepository;
+
+    public UserManagerTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    @Deployment
+    public static WebArchive createDeployment() {
+        final PomEquippedResolveStage pom = Maven
+                .resolver()
+                .loadPomFromFile("pom.xml");
+        final PomEquippedResolveStage dependencies = pom.
+                importCompileAndRuntimeDependencies();
+        final File[] libs = dependencies.resolve().withTransitivity().asFile();
+
+        for (File lib : libs) {
+            System.err.printf("Adding file '%s' to test archive...%n",
+                              lib.getName());
+        }
+
+        return ShrinkWrap
+                .create(WebArchive.class,
+                        "LibreCCM-org.libreccm.security.UserManagerTest.war")
+                .addPackage(User.class.getPackage())
+                .addPackage(CcmObject.class.getPackage())
+                .addPackage(Categorization.class.getPackage())
+                .addPackage(LocalizedString.class.getPackage())
+                .addPackage(CcmApplication.class.getPackage())
+                .addPackage(EntityManagerProducer.class.getPackage())
+                .addPackage(MimeTypeConverter.class.getPackage())
+                .addPackage(EqualsVerifier.class.getPackage())
+                .addPackage(IntegrationTest.class.getPackage())
+                .addPackage(KernelConfig.class.getPackage())
+                .addPackage(SecurityConfig.class.getPackage())
+                .addPackage(AbstractConfig.class.getPackage())
+                .addPackage(AbstractParameterContext.class.getPackage())
+                .addPackage(UncheckedWrapperException.class.getPackage())
+                .addPackage(CCMApplicationContextListener.class.getPackage())
+                .addPackage(XML.class.getPackage())
+                .addPackage(DateTimeFormatter.class.getPackage())
+                .addAsLibraries(libs)
+                .addAsResource("test-persistence.xml",
+                               "META-INF/persistence.xml")
+                .addAsResource("com/arsdigita/kernel/security/"
+                                       + "SecurityConfig_parameter.properties",
+                               "com/arsdigita/kernel/security/"
+                                       + "SecurityConfig_parameter.properties")
+                .addAsWebInfResource(
+                        "configs/org/libreccm/security/UserManagerTest/"
+                                + "registry.properties",
+                        "conf/registry/registry.properties")
+                .addAsResource(
+                "configs/org/libreccm/security/UserManagerTest/ccm-core.config",
+                "ccm-core.config")
+//                .addAsWebInfResource(
+//                        "datasets/org/libreccm//security/UserManagerTest/"
+//                                + "security.properties",
+//                        "conf/registry/ccm-core/security.properties")
+                .addAsWebInfResource("test-web.xml", "web.xml")
+                .addAsWebInfResource(EmptyAsset.INSTANCE, "beans.xml");
+    }
+
+    @Test
+    @InSequence(100)
+    public void userManagerIsInjected() {
+        assertThat(userManager, is(not(nullValue())));
+    }
+
+    @Test
+    @InSequence(110)
+    public void userRepositoryIsInjected() {
+        assertThat(userRepository, is(not(nullValue())));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/UserManagerTest/data.yml")
+    @InSequence(200)
+    public void verifyPassword() {
+        final User jdoe = userRepository.findByName("jdoe");
+        final User mmuster = userRepository.findByName("mmuster");
+        final User joe = userRepository.findByName("joe");
+
+        assertThat(userManager.verifyPassword(jdoe, "foo123"), is(true));
+        assertThat(userManager.verifyPassword(mmuster, "foo123"), is(true));
+        assertThat(userManager.verifyPassword(joe, "foo123"), is(true));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/UserManagerTest/data.yml")
+    @ShouldMatchDataSet(
+            value = "datasets/org/libreccm/security/UserManagerTest/"
+                            + "after-create-user.yml",
+            excludeColumns = {"party_id", "password"})
+    @InSequence(300)
+    public void createUser() {
+        userManager.createUser("Jane",
+                               "Doe",
+                               "jane",
+                               "jane.doe@example.org",
+                               "foo456");
+
+        final User jane2 = userRepository.findByName("jane");
+        assertThat(userManager.verifyPassword(jane2, "foo456"), is(true));
+    }
+
+    @Test(expected = ArquillianProxyException.class)
+    @UsingDataSet("datasets/org/libreccm/security/UserManagerTest/data.yml")
+    @ShouldThrowException(ConstraintViolationException.class)
+    @InSequence(400)
+    public void createUserWithInValidName() {
+        userManager.createUser("Jane",
+                               "Doe",
+                               "j#ne",
+                               "jane.doe@example.org",
+                               "foo456");
+        fail();
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/UserManagerTest/data.yml")
+    @InSequence(500)
+    public void updatePassword() {
+        final User jdoe = userRepository.findByName("jdoe");
+        userManager.updatePassword(jdoe, "foo456");
+
+        final User jdoe2 = userRepository.findByName("jdoe");
+        assertThat(userManager.verifyPassword(jdoe, "foo456"), is(true));
+        assertThat(userManager.verifyPassword(jdoe2, "foo456"), is(true));
+        
+        assertThat(userManager.verifyPassword(jdoe, "foo123"), is(false));
+        assertThat(userManager.verifyPassword(jdoe2, "foo123"), is(false));
+    }
+    
+    @Test(expected = ArquillianProxyException.class)
+    @UsingDataSet("datasets/org/libreccm/security/UserManagerTest/data.yml")
+    @ShouldThrowException(ConstraintViolationException.class)
+    @InSequence(600)
+    public void updatePasswordNullUser() {
+        userManager.updatePassword(null, "foo");
+        fail();
+    }
+
+}
diff --git a/ccm-core/src/test/java/org/libreccm/security/UserRepositoryTest.java b/ccm-core/src/test/java/org/libreccm/security/UserRepositoryTest.java
new file mode 100644
index 000000000..d5d63d280
--- /dev/null
+++ b/ccm-core/src/test/java/org/libreccm/security/UserRepositoryTest.java
@@ -0,0 +1,319 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.security;
+
+import org.junit.Test;
+
+import static org.hamcrest.Matchers.*;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.ShouldThrowException;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.junit.InSequence;
+import org.jboss.arquillian.persistence.CreateSchema;
+import org.jboss.arquillian.persistence.PersistenceTest;
+import org.jboss.arquillian.persistence.ShouldMatchDataSet;
+import org.jboss.arquillian.persistence.UsingDataSet;
+import org.jboss.arquillian.transaction.api.annotation.TransactionMode;
+import org.jboss.arquillian.transaction.api.annotation.Transactional;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.EmptyAsset;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.jboss.shrinkwrap.resolver.api.maven.Maven;
+import org.jboss.shrinkwrap.resolver.api.maven.PomEquippedResolveStage;
+import org.junit.After;
+import org.junit.AfterClass;
+
+import static org.junit.Assert.*;
+
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.libreccm.categorization.Categorization;
+import org.libreccm.core.CcmObject;
+import org.libreccm.core.EmailAddress;
+import org.libreccm.l10n.LocalizedString;
+import org.libreccm.tests.categories.IntegrationTest;
+import org.libreccm.web.CcmApplication;
+
+import java.io.File;
+import java.util.List;
+
+import javax.inject.Inject;
+import javax.persistence.EntityManager;
+import javax.persistence.PersistenceContext;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+@Category(IntegrationTest.class)
+@RunWith(Arquillian.class)
+@PersistenceTest
+@Transactional(TransactionMode.COMMIT)
+@CreateSchema({"create_ccm_core_schema.sql"})
+public class UserRepositoryTest {
+
+    private static final String NOBODY = "nobody";
+    private static final String JOE = "joe";
+    private static final String MMUSTER = "mmuster";
+    private static final String JDOE = "jdoe";
+
+    @Inject
+    private transient UserRepository userRepository;
+
+    @PersistenceContext
+    private transient EntityManager entityManager;
+
+    public UserRepositoryTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    @Deployment
+    public static WebArchive createDeployment() {
+        final PomEquippedResolveStage pom = Maven
+            .resolver()
+            .loadPomFromFile("pom.xml");
+        final PomEquippedResolveStage dependencies = pom.
+            importCompileAndRuntimeDependencies();
+        final File[] libs = dependencies.resolve().withTransitivity().asFile();
+
+        for (File lib : libs) {
+            System.err.printf("Adding file '%s' to test archive...%n",
+                              lib.getName());
+        }
+
+        return ShrinkWrap
+            .create(WebArchive.class,
+                    "LibreCCM-org.libreccm.security.UserRepositoryTest.war")
+            .addPackage(User.class.getPackage())
+            .addPackage(CcmObject.class.getPackage())
+            .addPackage(Categorization.class.getPackage())
+            .addPackage(LocalizedString.class.getPackage())
+            .addPackage(CcmApplication.class.getPackage())
+            .addPackage(org.libreccm.jpa.EntityManagerProducer.class
+                .getPackage())
+            .addPackage(org.libreccm.jpa.utils.MimeTypeConverter.class
+                .getPackage())
+            .addPackage(org.libreccm.testutils.EqualsVerifier.class.
+                getPackage())
+            .addPackage(org.libreccm.tests.categories.IntegrationTest.class
+                .getPackage())
+            .addAsLibraries(libs)
+            .addAsResource("test-persistence.xml",
+                           "META-INF/persistence.xml")
+            .addAsWebInfResource("test-web.xml", "WEB-INF/web.xml")
+            .addAsWebInfResource(EmptyAsset.INSTANCE, "WEB-INF/beans.xml");
+    }
+
+    @Test
+    public void repoIsInjected() {
+        assertThat(userRepository, is(not(nullValue())));
+    }
+
+    @Test
+    public void entityManagerIsInjected() {
+        assertThat(entityManager, is(not(nullValue())));
+    }
+
+    private void checkUsers(final User jdoe,
+                            final User mmuster,
+                            final User joe,
+                            final User nobody) {
+        assertThat(jdoe, is(not(nullValue())));
+        assertThat(jdoe.getPartyId(), is(-10L));
+        assertThat(jdoe.getName(), is(equalTo(JDOE)));
+        assertThat(jdoe.getFamilyName(), is(equalTo("Doe")));
+        assertThat(jdoe.getGivenName(), is(equalTo("John")));
+        assertThat(jdoe.getPassword(),
+                   is(equalTo(
+                       "$shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==")));
+
+        assertThat(mmuster, is(not(nullValue())));
+        assertThat(mmuster.getPartyId(), is(-20L));
+        assertThat(mmuster.getName(), is(equalTo(MMUSTER)));
+        assertThat(mmuster.getFamilyName(), is(equalTo("Mustermann")));
+        assertThat(mmuster.getGivenName(), is(equalTo("Max")));
+        assertThat(mmuster.getPassword(),
+                   is(equalTo(
+                       "$shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==")));
+
+        assertThat(joe, is(not(nullValue())));
+        assertThat(joe.getPartyId(), is(-30L));
+        assertThat(joe.getName(), is(equalTo(JOE)));
+        assertThat(joe.getFamilyName(), is(equalTo("Public")));
+        assertThat(joe.getGivenName(), is(equalTo("Joe")));
+        assertThat(joe.getPassword(),
+                   is(equalTo(
+                       "$shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==")));
+
+        assertThat(nobody, is(nullValue()));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/UserRepositoryTest/data.yml")
+    @InSequence(100)
+    public void findUserById() {
+        final User jdoe = userRepository.findById(-10L);
+        final User mmuster = userRepository.findById(-20L);
+        final User joe = userRepository.findById(-30L);
+        final User nobody = userRepository.findById(-999L);
+
+        checkUsers(jdoe, mmuster, joe, nobody);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/UserRepositoryTest/data.yml")
+    @InSequence(200)
+    public void findUserByScreenName() {
+        final User jdoe = userRepository.findByName(JDOE);
+        final User mmuster = userRepository.findByName(MMUSTER);
+        final User joe = userRepository.findByName(JOE);
+        final User nobody = userRepository.findByName(NOBODY);
+
+        checkUsers(jdoe, mmuster, joe, nobody);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/UserRepositoryTest/data.yml")
+    @InSequence(300)
+    public void findUserByEmail() {
+        final User jdoe = userRepository.findByEmailAddress(
+            "john.doe@example.com");
+        final User mmuster1 = userRepository.findByEmailAddress(
+            "max.mustermann@example.org");
+        final User joe = userRepository.findByEmailAddress(
+            "joe.public@example.com");
+        final User nobody = userRepository
+            .findByEmailAddress("nobody@example.org");
+
+        checkUsers(jdoe, mmuster1, joe, nobody);
+    }
+
+    @Test
+    @UsingDataSet(
+        "datasets/org/libreccm/security/UserRepositoryTest/data-email-duplicate.yml")
+    @InSequence(350)
+    public void findByEmailAddressDuplicate() {
+        final User user = userRepository.findByEmailAddress(
+            "max.mustermann@example.org");
+
+        assertThat(user.getPartyId(), is(-20L));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/UserRepositoryTest/data.yml")
+    @InSequence(400)
+    public void findAllUsers() {
+        final List<User> users = userRepository.findAll();
+
+        assertThat(users.size(), is(3));
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/UserRepositoryTest/data.yml")
+    @ShouldMatchDataSet(value = "datasets/org/libreccm/security/"
+                                    + "UserRepositoryTest/after-save-new.yml",
+                        excludeColumns = {"party_id"}
+    )
+    @InSequence(500)
+    public void saveNewUser() {
+        final User user = new User();
+
+        final EmailAddress emailAddress = new EmailAddress();
+        emailAddress.setAddress("jane.doe@example.org");
+        emailAddress.setBouncing(false);
+        emailAddress.setVerified(false);
+
+        user.setName("jane");
+        user.setGivenName("Jane");
+        user.setFamilyName("Doe");
+        user.setPrimaryEmailAddress(emailAddress);
+        user.setPassword(
+            "$shiro1$SHA-512$500000$24lA090z7GKYr4VFlZ6t4A==$/heoTHPA5huT1UfJ8Q+waXEG6AjUKhFYLFrj7KW/l0/z9O+QkiZTtfPfbcPblgjcEvrROMEIoQY4Z65S7rFLQg==");
+        user.setPasswordResetRequired(false);
+
+        userRepository.save(user);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/UserRepositoryTest/data.yml")
+    @ShouldMatchDataSet(value = "datasets/org/libreccm/security/"
+                                    + "UserRepositoryTest/after-save-changed.yml",
+                        excludeColumns = {"party_id"})
+    @InSequence(600)
+    public void saveChangedUser() {
+        final User user = userRepository.findById(-10L);
+
+        //foo456
+        user.setPassword(
+            "$shiro1$SHA-512$500000$AH1llRaMHE8W31Q7VG6jsA==$XXgKeyDCsrN23NvszQ5wt+uViQUlVqTAM+05LrE7Bd9sc0eaJT8HlAGvSdY+rqTLbiGm9YS4pohzoUt1x3kmKg==");
+
+        final EmailAddress emailAddress = new EmailAddress();
+        emailAddress.setAddress("jd@example.com");
+        emailAddress.setBouncing(false);
+        emailAddress.setVerified(true);
+        user.setPrimaryEmailAddress(emailAddress);
+
+        userRepository.save(user);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(700)
+    public void saveNullValue() {
+        userRepository.save(null);
+    }
+
+    @Test
+    @UsingDataSet("datasets/org/libreccm/security/UserRepositoryTest/data.yml")
+    @ShouldMatchDataSet(value = "datasets/org/libreccm/security/"
+                                    + "UserRepositoryTest/after-delete.yml",
+                        excludeColumns = {"party_id"})
+    @InSequence(800)
+    public void deleteUser() {
+        final User user = userRepository.findByName("mmuster");
+
+        userRepository.delete(user);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    @ShouldThrowException(IllegalArgumentException.class)
+    @InSequence(900)
+    public void deleteNullValue() {
+        userRepository.delete(null);
+    }
+
+}
diff --git a/ccm-core/src/test/resources-wildfly8-remote-h2-mem/scripts/create_ccm_core_schema.sql b/ccm-core/src/test/resources-wildfly8-remote-h2-mem/scripts/create_ccm_core_schema.sql
index d4f3a382b..93470dec6 100644
--- a/ccm-core/src/test/resources-wildfly8-remote-h2-mem/scripts/create_ccm_core_schema.sql
+++ b/ccm-core/src/test/resources-wildfly8-remote-h2-mem/scripts/create_ccm_core_schema.sql
@@ -4,1078 +4,1025 @@ DROP SEQUENCE IF EXISTS hibernate_sequence;
 
 CREATE SCHEMA ccm_core;
 
-    create table ccm_core.application_types (
-        resource_type_id bigint not null,
-        container_group_id bigint,
-        provider_app_type_id bigint,
-        primary key (resource_type_id)
+
+    create table CCM_CORE.APPLICATIONS (
+        APPLICATION_TYPE varchar(1024) not null,
+        PRIMARY_URL varchar(1024) not null,
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.applications (
-        primary_url varchar(1024) not null,
-        object_id bigint not null,
-        container_group_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.ATTACHMENTS (
+        ATTACHMENT_ID bigint not null,
+        ATTACHMENT_DATA blob,
+        DESCRIPTION varchar(255),
+        MIME_TYPE varchar(255),
+        TITLE varchar(255),
+        MESSAGE_ID bigint,
+        primary key (ATTACHMENT_ID)
     );
 
-    create table ccm_core.attachments (
-        attachment_id bigint not null,
-        attachment_data blob,
-        description varchar(255),
-        mime_type varchar(255),
-        title varchar(255),
-        primary key (attachment_id)
+    create table CCM_CORE.CATEGORIES (
+        ABSTRACT_CATEGORY boolean,
+        CATEGORY_ORDER bigint,
+        ENABLED boolean,
+        NAME varchar(255) not null,
+        UNIQUE_ID varchar(255) not null,
+        VISIBLE boolean,
+        OBJECT_ID bigint not null,
+        PARENT_CATEGORY_ID bigint,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.categories (
-        abstract_category boolean,
-        category_order bigint,
-        enabled boolean,
-        name varchar(255) not null,
-        unique_id varchar(255) not null,
-        visible boolean,
-        object_id bigint not null,
-        parent_category_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.CATEGORIZATIONS (
+        CATEGORIZATION_ID bigint not null,
+        CATEGORY_ORDER bigint,
+        CATEGORY_INDEX boolean,
+        OBJECT_ORDER bigint,
+        OBJECT_ID bigint,
+        CATEGORY_ID bigint,
+        primary key (CATEGORIZATION_ID)
     );
 
-    create table ccm_core.categorizations (
-        categorization_id bigint not null,
-        category_order bigint,
-        category_index boolean,
-        object_order bigint,
-        object_id bigint,
-        category_id bigint,
-        primary key (categorization_id)
+    create table CCM_CORE.CATEGORY_DESCRIPTIONS (
+        OBJECT_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (OBJECT_ID, LOCALE)
     );
 
-    create table ccm_core.category_descriptions (
-        object_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (object_id, locale)
+    create table CCM_CORE.CATEGORY_DOMAINS (
+        DOMAIN_KEY varchar(255) not null,
+        RELEASED timestamp,
+        URI varchar(1024) not null,
+        VERSION varchar(255) not null,
+        OBJECT_ID bigint not null,
+        ROOT_CATEGORY_ID bigint,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.category_domains (
-        domain_key varchar(255) not null,
-        released timestamp,
-        uri varchar(2048) not null,
-        version varchar(255) not null,
-        object_id bigint not null,
-        root_category_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.CATEGORY_TITLES (
+        OBJECT_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (OBJECT_ID, LOCALE)
     );
 
-    create table ccm_core.category_titles (
-        object_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (object_id, locale)
+    create table CCM_CORE.CCM_OBJECTS (
+        OBJECT_ID bigint not null,
+        DISPLAY_NAME varchar(255),
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.ccm_groups (
-        name varchar(512) not null,
-        subject_id bigint not null,
-        primary key (subject_id)
-    );
-
-    create table ccm_core.ccm_objects (
-        object_id bigint not null,
-        display_name varchar(255),
-        primary key (object_id)
-    );
-
-    create table ccm_core.ccm_privileges (
-        privilege_id bigint not null,
-        label varchar(255) not null,
-        relevant_privilege_id bigint,
-        primary key (privilege_id)
-    );
-
-    create table ccm_core.ccm_revisions (
+    create table CCM_CORE.CCM_REVISIONS (
         id integer not null,
         timestamp bigint not null,
-        user_name varchar(255),
+        USER_NAME varchar(255),
         primary key (id)
     );
 
-    create table ccm_core.ccm_roles (
-        role_id bigint not null,
-        description varchar(255),
-        name varchar(512),
-        implicit_group_id bigint,
-        source_group_id bigint,
-        primary key (role_id)
+    create table CCM_CORE.CCM_ROLES (
+        ROLE_ID bigint not null,
+        name varchar(512) not null,
+        primary key (ROLE_ID)
     );
 
-    create table ccm_core.ccm_users (
-        banned boolean,
-        hash_algorithm varchar(64),
-        family_name varchar(512),
-        given_name varchar(512),
-        middle_name varchar(512),
-        title_post varchar(512),
-        title_pre varchar(512),
-        password varchar(2048),
-        password_answer varchar(2048),
-        password_question varchar(2048),
-        password_reset_required boolean,
-        salt varchar(2048),
-        screen_name varchar(255) not null,
-        sso_login varchar(512),
-        subject_id bigint not null,
-        primary key (subject_id)
+    create table CCM_CORE.DIGESTS (
+        FREQUENCY integer,
+        HEADER varchar(4096) not null,
+        NEXT_RUN timestamp,
+        DIGEST_SEPARATOR varchar(128) not null,
+        SIGNATURE varchar(4096) not null,
+        SUBJECT varchar(255) not null,
+        OBJECT_ID bigint not null,
+        FROM_PARTY_ID bigint,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.digests (
-        frequency integer,
-        header varchar(4096) not null,
-        next_run timestamp,
-        digest_separator varchar(128) not null,
-        signature varchar(4096) not null,
-        subject varchar(255) not null,
-        object_id bigint not null,
-        from_party_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.DOMAIN_DESCRIPTIONS (
+        OBJECT_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (OBJECT_ID, LOCALE)
     );
 
-    create table ccm_core.domain_descriptions (
-        object_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (object_id, locale)
+    create table CCM_CORE.DOMAIN_OWNERSHIPS (
+        OWNERSHIP_ID bigint not null,
+        CONTEXT varchar(255),
+        DOMAIN_ORDER bigint,
+        OWNER_ORDER bigint,
+        domain_OBJECT_ID bigint not null,
+        owner_OBJECT_ID bigint not null,
+        primary key (OWNERSHIP_ID)
     );
 
-    create table ccm_core.domain_ownerships (
-        ownership_id bigint not null,
-        context varchar(255),
-        domain_order bigint,
-        owner_order bigint,
-        domain_object_id bigint not null,
-        owner_object_id bigint not null,
-        primary key (ownership_id)
+    create table CCM_CORE.DOMAIN_TITLES (
+        OBJECT_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (OBJECT_ID, LOCALE)
     );
 
-    create table ccm_core.domain_titles (
-        object_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (object_id, locale)
+    create table CCM_CORE.FORMBUILDER_COMPONENTS (
+        ACTIVE boolean,
+        ADMIN_NAME varchar(255),
+        ATTRIBUTE_STRING varchar(255),
+        COMPONENT_ORDER bigint,
+        SELECTED boolean,
+        OBJECT_ID bigint not null,
+        parentComponent_OBJECT_ID bigint,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_component_descriptions (
-        component_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (component_id, locale)
+    create table CCM_CORE.FORMBUILDER_COMPONENT_DESCRIPTIONS (
+        COMPONENT_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (COMPONENT_ID, LOCALE)
     );
 
-    create table ccm_core.formbuilder_components (
-        active boolean,
-        admin_name varchar(255),
-        attribute_string varchar(255),
-        component_order bigint,
-        selected boolean,
-        object_id bigint not null,
-        parentComponent_object_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_CONFIRM_EMAIL_LISTENER (
+        BODY clob,
+        FROM_EMAIL varchar(255),
+        SUBJECT varchar(255),
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_confirm_email_listener (
-        body clob,
-        from_email varchar(255),
-        subject varchar(255),
-        object_id bigint not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_CONFIRM_REDIRECT_LISTENERS (
+        URL varchar(255),
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_confirm_redirect_listeners (
-        url varchar(255),
-        object_id bigint not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_DATA_DRIVEN_SELECTS (
+        MULTIPLE boolean,
+        QUERY varchar(255),
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_data_driven_selects (
-        multiple boolean,
-        query varchar(255),
-        object_id bigint not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_DATA_QUERIES (
+        QUERY_ID varchar(255),
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_data_queries (
-        query_id varchar(255),
-        object_id bigint not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_DATA_QUERY_DESCRIPTIONS (
+        DATA_QUERY_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (DATA_QUERY_ID, LOCALE)
     );
 
-    create table ccm_core.formbuilder_data_query_descriptions (
-        data_query_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (data_query_id, locale)
+    create table CCM_CORE.FORMBUILDER_DATA_QUERY_NAMES (
+        DATA_QUERY_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (DATA_QUERY_ID, LOCALE)
     );
 
-    create table ccm_core.formbuilder_data_query_names (
-        data_query_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (data_query_id, locale)
+    create table CCM_CORE.FORMBUILDER_FORMSECTIONS (
+        FORMSECTION_ACTION varchar(255),
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_formsections (
-        formsection_action varchar(255),
-        object_id bigint not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_LISTENERS (
+        ATTRIBUTE_STRING varchar(255),
+        CLASS_NAME varchar(255),
+        OBJECT_ID bigint not null,
+        widget_OBJECT_ID bigint,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_listeners (
-        attribute_string varchar(255),
-        class_name varchar(255),
-        object_id bigint not null,
-        widget_object_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_METAOBJECTS (
+        CLASS_NAME varchar(255),
+        PRETTY_NAME varchar(255),
+        PRETTY_PLURAL varchar(255),
+        PROPERTIES_FORM varchar(255),
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_metaobjects (
-        class_name varchar(255),
-        pretty_name varchar(255),
-        pretty_plural varchar(255),
-        properties_form varchar(255),
-        object_id bigint not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_OBJECT_TYPES (
+        APP_NAME varchar(255),
+        CLASS_NAME varchar(255),
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_object_types (
-        app_name varchar(255),
-        class_name varchar(255),
-        object_id bigint not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_OPTIONS (
+        PARAMETER_VALUE varchar(255),
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_option_labels (
-        option_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (option_id, locale)
+    create table CCM_CORE.FORMBUILDER_OPTION_LABELS (
+        OPTION_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (OPTION_ID, LOCALE)
     );
 
-    create table ccm_core.formbuilder_options (
-        parameter_value varchar(255),
-        object_id bigint not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_PROCESS_LISTENERS (
+        LISTENER_CLASS varchar(255),
+        PROCESS_LISTENER_ORDER bigint,
+        OBJECT_ID bigint not null,
+        formSection_OBJECT_ID bigint,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_process_listener_descriptions (
-        process_listener_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (process_listener_id, locale)
+    create table CCM_CORE.FORMBUILDER_PROCESS_LISTENER_DESCRIPTIONS (
+        PROCESS_LISTENER_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (PROCESS_LISTENER_ID, LOCALE)
     );
 
-    create table ccm_core.formbuilder_process_listener_names (
-        process_listener_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (process_listener_id, locale)
+    create table CCM_CORE.FORMBUILDER_PROCESS_LISTENER_NAMES (
+        PROCESS_LISTENER_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (PROCESS_LISTENER_ID, LOCALE)
     );
 
-    create table ccm_core.formbuilder_process_listeners (
-        listener_class varchar(255),
-        process_listener_order bigint,
-        object_id bigint not null,
-        formSection_object_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_REMOTE_SERVER_POST_LISTENER (
+        REMOTE_URL varchar(2048),
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_remote_server_post_listener (
-        remoteUrl varchar(255),
-        object_id bigint not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_SIMPLE_EMAIL_LISTENERS (
+        RECIPIENT varchar(255),
+        SUBJECT varchar(255),
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_simple_email_listeners (
-        recipient varchar(255),
-        subject varchar(255),
-        object_id bigint not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_TEMPLATE_EMAIL_LISTENERS (
+        BODY clob,
+        RECIPIENT varchar(255),
+        SUBJECT varchar(255),
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_template_email_listeners (
-        body clob,
-        recipient varchar(255),
-        subject varchar(255),
-        object_id bigint not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_WIDGETS (
+        DEFAULT_VALUE varchar(255),
+        PARAMETER_MODEL varchar(255),
+        PARAMETER_NAME varchar(255),
+        OBJECT_ID bigint not null,
+        label_OBJECT_ID bigint,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_widget_labels (
-        object_id bigint not null,
-        widget_object_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_WIDGET_LABELS (
+        OBJECT_ID bigint not null,
+        widget_OBJECT_ID bigint,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_widgets (
-        default_value varchar(255),
-        parameter_model varchar(255),
-        parameter_name varchar(255),
-        object_id bigint not null,
-        label_object_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_XML_EMAIL_LISTENERS (
+        RECIPIENT varchar(255),
+        SUBJECT varchar(255),
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_xml_email_listeners (
-        recipient varchar(255),
-        subject varchar(255),
-        object_id bigint not null,
-        primary key (object_id)
+    create table CCM_CORE.GROUPS (
+        PARTY_ID bigint not null,
+        primary key (PARTY_ID)
     );
 
-    create table ccm_core.group_memberships (
-        membership_id bigint not null,
-        group_subject_id bigint,
-        user_subject_id bigint,
-        primary key (membership_id)
+    create table CCM_CORE.GROUP_MEMBERSHIPS (
+        MEMBERSHIP_ID bigint not null,
+        GROUP_ID bigint,
+        MEMBER_ID bigint,
+        primary key (MEMBERSHIP_ID)
     );
 
-    create table ccm_core.hosts (
-        host_id bigint not null,
-        server_name varchar(512),
-        server_port bigint,
-        primary key (host_id)
+    create table CCM_CORE.HOSTS (
+        HOST_ID bigint not null,
+        SERVER_NAME varchar(512),
+        SERVER_PORT bigint,
+        primary key (HOST_ID)
     );
 
-    create table ccm_core.inits (
-        initializer_id bigint not null,
-        class_name varchar(255),
-        required_by_id bigint,
-        primary key (initializer_id)
+    create table CCM_CORE.INITS (
+        INITIALIZER_ID bigint not null,
+        CLASS_NAME varchar(255),
+        REQUIRED_BY_ID bigint,
+        primary key (INITIALIZER_ID)
     );
 
-    create table ccm_core.installed_modules (
-        module_id integer not null,
-        module_class_name varchar(2048),
-        status varchar(255),
-        primary key (module_id)
+    create table CCM_CORE.INSTALLED_MODULES (
+        MODULE_ID integer not null,
+        MODULE_CLASS_NAME varchar(2048),
+        STATUS varchar(255),
+        primary key (MODULE_ID)
     );
 
-    create table ccm_core.lucene_documents (
-        document_id bigint not null,
-        content clob,
-        content_section varchar(512),
-        country varchar(8),
-        created timestamp,
-        dirty bigint,
-        document_language varchar(8),
-        last_modified timestamp,
-        summary varchar(4096),
-        document_timestamp timestamp,
-        title varchar(4096),
-        type varchar(255),
-        type_specific_info varchar(512),
-        created_by_party_id bigint,
-        last_modified_by bigint,
-        primary key (document_id)
+    create table CCM_CORE.LUCENE_DOCUMENTS (
+        DOCUMENT_ID bigint not null,
+        CONTENT clob,
+        CONTENT_SECTION varchar(512),
+        COUNTRY varchar(8),
+        CREATED timestamp,
+        DIRTY bigint,
+        DOCUMENT_LANGUAGE varchar(8),
+        LAST_MODIFIED timestamp,
+        SUMMARY varchar(4096),
+        DOCUMENT_TIMESTAMP timestamp,
+        TITLE varchar(4096),
+        TYPE varchar(255),
+        TYPE_SPECIFIC_INFO varchar(512),
+        CREATED_BY_PARTY_ID bigint,
+        LAST_MODIFIED_BY bigint,
+        primary key (DOCUMENT_ID)
     );
 
-    create table ccm_core.lucene_indexes (
-        index_id bigint not null,
-        lucene_index_id bigint,
-        host_id bigint,
-        primary key (index_id)
+    create table CCM_CORE.LUCENE_INDEXES (
+        INDEX_ID bigint not null,
+        LUCENE_INDEX_ID bigint,
+        HOST_ID bigint,
+        primary key (INDEX_ID)
     );
 
-    create table ccm_core.messages (
-        body varchar(255),
-        body_mime_type varchar(255),
-        sent timestamp,
-        subject varchar(255),
-        object_id bigint not null,
-        in_reply_to_id bigint,
-        sender_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.MESSAGES (
+        BODY varchar(255),
+        BODY_MIME_TYPE varchar(255),
+        SENT timestamp,
+        SUBJECT varchar(255),
+        OBJECT_ID bigint not null,
+        IN_REPLY_TO_ID bigint,
+        SENDER_ID bigint,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.notifications (
-        expand_group boolean,
-        expunge boolean,
-        expunge_message boolean,
-        fulfill_date timestamp,
-        header varchar(4096),
-        max_retries bigint,
-        request_date timestamp,
-        signature varchar(4096),
-        status varchar(32),
-        object_id bigint not null,
-        digest_id bigint,
-        message_id bigint,
-        receiver_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.NOTIFICATIONS (
+        EXPAND_GROUP boolean,
+        EXPUNGE boolean,
+        EXPUNGE_MESSAGE boolean,
+        FULFILL_DATE timestamp,
+        HEADER varchar(4096),
+        MAX_RETRIES bigint,
+        REQUEST_DATE timestamp,
+        SIGNATURE varchar(4096),
+        STATUS varchar(32),
+        OBJECT_ID bigint not null,
+        DIGEST_ID bigint,
+        MESSAGE_ID bigint,
+        RECEIVER_ID bigint,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.permissions (
-        permission_id bigint not null,
-        creation_date timestamp,
-        creation_ip varchar(255),
-        creation_user_id bigint,
-        granted_privilege_id bigint,
-        grantee_id bigint,
-        object_id bigint,
-        primary key (permission_id)
+    create table CCM_CORE.PARTIES (
+        PARTY_ID bigint not null,
+        NAME varchar(256) not null,
+        primary key (PARTY_ID)
     );
 
-    create table ccm_core.portals (
-        template boolean,
-        object_id bigint not null,
-        primary key (object_id)
+    create table CCM_CORE.PERMISSIONS (
+        PERMISSION_ID bigint not null,
+        CREATION_DATE timestamp,
+        CREATION_IP varchar(255),
+        granted_privilege varchar(255),
+        CREATION_USER_ID bigint,
+        GRANTEE_ID bigint,
+        OBJECT_ID bigint,
+        primary key (PERMISSION_ID)
     );
 
-    create table ccm_core.portlets (
-        cell_number bigint,
-        sort_key bigint,
-        object_id bigint not null,
-        portal_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.PORTALS (
+        TEMPLATE boolean,
+        OBJECT_ID bigint not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.queue_items (
-        queue_item_id bigint not null,
-        header varchar(4096),
-        receiver_address varchar(512),
-        retry_count bigint,
-        signature varchar(4096),
-        successful_sended boolean,
-        message_id bigint,
-        receiver_id bigint,
-        primary key (queue_item_id)
+    create table CCM_CORE.PORTLETS (
+        CELL_NUMBER bigint,
+        SORT_KEY bigint,
+        OBJECT_ID bigint not null,
+        PORTAL_ID bigint,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.resource_descriptions (
-        object_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (object_id, locale)
+    create table CCM_CORE.QUEUE_ITEMS (
+        QUEUE_ITEM_ID bigint not null,
+        HEADER varchar(4096),
+        RECEIVER_ADDRESS varchar(512),
+        RETRY_COUNT bigint,
+        SIGNATURE varchar(4096),
+        SUCCESSFUL_SENDED boolean,
+        MESSAGE_ID bigint,
+        RECEIVER_ID bigint,
+        primary key (QUEUE_ITEM_ID)
     );
 
-    create table ccm_core.resource_titles (
-        object_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (object_id, locale)
+    create table CCM_CORE.RESOURCES (
+        CREATED timestamp,
+        OBJECT_ID bigint not null,
+        parent_OBJECT_ID bigint,
+        resourceType_RESOURCE_TYPE_ID bigint,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.resource_type_descriptions (
-        resource_type_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (resource_type_id, locale)
+    create table CCM_CORE.RESOURCE_DESCRIPTIONS (
+        OBJECT_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (OBJECT_ID, LOCALE)
     );
 
-    create table ccm_core.resource_types (
-        resource_type_id bigint not null,
-        singleton boolean,
-        title varchar(254) not null,
-        embedded_view boolean,
-        full_page_view boolean,
-        workspace_app boolean,
-        primary key (resource_type_id)
+    create table CCM_CORE.RESOURCE_TITLES (
+        OBJECT_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (OBJECT_ID, LOCALE)
     );
 
-    create table ccm_core.resources (
-        created timestamp,
-        object_id bigint not null,
-        parent_object_id bigint,
-        resourceType_resource_type_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.RESOURCE_TYPES (
+        RESOURCE_TYPE_ID bigint not null,
+        SINGLETON boolean,
+        TITLE varchar(254) not null,
+        EMBEDDED_VIEW boolean,
+        FULL_PAGE_VIEW boolean,
+        WORKSPACE_APP boolean,
+        primary key (RESOURCE_TYPE_ID)
     );
 
-    create table ccm_core.subjects (
-        subject_id bigint not null,
-        primary key (subject_id)
+    create table CCM_CORE.RESOURCE_TYPE_DESCRIPTIONS (
+        RESOURCE_TYPE_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (RESOURCE_TYPE_ID, LOCALE)
     );
 
-    create table ccm_core.threads (
-        object_id bigint not null,
-        root_id bigint,
-        primary key (object_id)
+    create table CCM_CORE.ROLE_MEMBERSHIPS (
+        MEMBERSHIP_ID bigint not null,
+        MEMBER_ID bigint,
+        ROLE_ID bigint,
+        primary key (MEMBERSHIP_ID)
     );
 
-    create table ccm_core.user_email_addresses (
-        user_id bigint not null,
-        email_address varchar(512) not null,
-        bouncing boolean,
-        verified boolean
+    create table CCM_CORE.THREADS (
+        OBJECT_ID bigint not null,
+        ROOT_ID bigint,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.workflow_descriptions (
-        workflow_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (workflow_id, locale)
+    create table CCM_CORE.USERS (
+        BANNED boolean,
+        FAMILY_NAME varchar(512),
+        GIVEN_NAME varchar(512),
+        PASSWORD varchar(2048),
+        PASSWORD_RESET_REQUIRED boolean,
+        EMAIL_ADDRESS varchar(512) not null,
+        BOUNCING boolean,
+        VERIFIED boolean,
+        PARTY_ID bigint not null,
+        primary key (PARTY_ID)
     );
 
-    create table ccm_core.workflow_names (
-        workflow_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (workflow_id, locale)
+    create table CCM_CORE.USER_EMAIL_ADDRESSES (
+        USER_ID bigint not null,
+        EMAIL_ADDRESS varchar(512) not null,
+        BOUNCING boolean,
+        VERIFIED boolean
     );
 
-    create table ccm_core.workflow_task_comments (
-        task_id bigint not null,
-        comment clob
+    create table CCM_CORE.WORKFLOWS (
+        WORKFLOW_ID bigint not null,
+        primary key (WORKFLOW_ID)
     );
 
-    create table ccm_core.workflow_task_dependencies (
-        depends_on_task_id bigint not null,
-        dependent_task_id bigint not null
+    create table CCM_CORE.WORKFLOW_DESCRIPTIONS (
+        WORKFLOW_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (WORKFLOW_ID, LOCALE)
     );
 
-    create table ccm_core.workflow_task_labels (
-        task_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (task_id, locale)
+    create table CCM_CORE.WORKFLOW_NAMES (
+        WORKFLOW_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (WORKFLOW_ID, LOCALE)
     );
 
-    create table ccm_core.workflow_tasks (
-        task_id bigint not null,
-        active boolean,
-        task_state varchar(512),
-        workflow_id bigint,
-        primary key (task_id)
+    create table CCM_CORE.WORKFLOW_TASKS (
+        TASK_ID bigint not null,
+        ACTIVE boolean,
+        TASK_STATE varchar(512),
+        WORKFLOW_ID bigint,
+        primary key (TASK_ID)
     );
 
-    create table ccm_core.workflow_tasks_descriptions (
-        task_id bigint not null,
-        localized_value clob,
-        locale varchar(255) not null,
-        primary key (task_id, locale)
+    create table CCM_CORE.WORKFLOW_TASKS_DESCRIPTIONS (
+        TASK_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (TASK_ID, LOCALE)
     );
 
-    create table ccm_core.workflow_user_task_assigned_groups (
-        user_task_id bigint not null,
-        assigned_group_id bigint not null
+    create table CCM_CORE.WORKFLOW_TASK_COMMENTS (
+        TASK_ID bigint not null,
+        COMMENT clob
     );
 
-    create table ccm_core.workflow_user_task_assigned_users (
-        user_task_id bigint not null,
-        assigned_user_id bigint not null
+    create table CCM_CORE.WORKFLOW_TASK_DEPENDENCIES (
+        DEPENDS_ON_TASK_ID bigint not null,
+        DEPENDENT_TASK_ID bigint not null
     );
 
-    create table ccm_core.workflow_user_tasks (
-        task_id bigint not null,
-        active boolean,
-        task_state varchar(512),
-        workflow_id bigint,
-        due_date timestamp,
-        duration_minutes bigint,
-        locked boolean,
-        start_date timestamp,
-        locking_user_id bigint,
-        notification_sender bigint,
-        primary key (task_id)
+    create table CCM_CORE.WORKFLOW_TASK_LABELS (
+        TASK_ID bigint not null,
+        LOCALIZED_VALUE clob,
+        LOCALE varchar(255) not null,
+        primary key (TASK_ID, LOCALE)
     );
 
-    create table ccm_core.workflows (
-        workflow_id bigint not null,
-        primary key (workflow_id)
+    create table CCM_CORE.WORKFLOW_USER_TASKS (
+        TASK_ID bigint not null,
+        ACTIVE boolean,
+        TASK_STATE varchar(512),
+        WORKFLOW_ID bigint,
+        DUE_DATE timestamp,
+        DURATION_MINUTES bigint,
+        LOCKED boolean,
+        START_DATE timestamp,
+        LOCKING_USER_ID bigint,
+        NOTIFICATION_SENDER bigint,
+        primary key (TASK_ID)
     );
 
-    alter table ccm_core.category_domains 
-        add constraint UK_mrgij5fr1sglxyab9ryl1vx37  unique (domain_key);
-
-    alter table ccm_core.category_domains 
-        add constraint UK_a9hmskgn6yfbw134mvjy9ixak  unique (uri);
-
-    alter table ccm_core.ccm_groups 
-        add constraint UK_9142ut4o9kwqmqjgqynl4xvc6  unique (name);
-
-    alter table ccm_core.ccm_privileges 
-        add constraint UK_ir9u47mfn3qds0toon7n5hlai  unique (label);
-
-    alter table ccm_core.ccm_users 
-        add constraint UK_3oj1rsneufkapevq9f32y4el0  unique (screen_name);
-
-    alter table ccm_core.hosts 
-        add constraint UK_2m0m4m0dhx256d04x2cg3194s  unique (server_name, server_port);
-
-    alter table ccm_core.installed_modules 
-        add constraint UK_c2ix7lp01ypyb6jf7b1ieptlm  unique (module_class_name);
-
-    alter table ccm_core.workflow_user_task_assigned_groups 
-        add constraint UK_g58x45aybw2yjtwnr9b9itg6c  unique (assigned_group_id);
-
-    alter table ccm_core.workflow_user_task_assigned_users 
-        add constraint UK_h62r6cqjp2tdnhscfkgwfupwj  unique (assigned_user_id);
-
-    alter table ccm_core.application_types 
-        add constraint FK_r9rd4iekfy3m8r1a1gto4t39 
-        foreign key (container_group_id) 
-        references ccm_core.ccm_groups;
-
-    alter table ccm_core.application_types 
-        add constraint FK_i44k6al7mr4u1c76iudglds39 
-        foreign key (provider_app_type_id) 
-        references ccm_core.application_types;
-
-    alter table ccm_core.application_types 
-        add constraint FK_41e4vrshljdkymnhb4cbkroa1 
-        foreign key (resource_type_id) 
-        references ccm_core.resource_types;
-
-    alter table ccm_core.applications 
-        add constraint FK_kr3wur06hmironiamv0rn38nu 
-        foreign key (container_group_id) 
-        references ccm_core.ccm_groups;
-
-    alter table ccm_core.applications 
-        add constraint FK_18qjyi037fk2lnx6t9fwljmx0 
-        foreign key (object_id) 
-        references ccm_core.resources;
-
-    alter table ccm_core.attachments 
-        add constraint FK_r3hibvgfo1dmawqig8c563xau 
-        foreign key (attachment_id) 
-        references ccm_core.messages;
-
-    alter table ccm_core.categories 
-        add constraint FK_hfr9rd0rv1jv730afoi2n0qb7 
-        foreign key (parent_category_id) 
-        references ccm_core.categories;
-
-    alter table ccm_core.categories 
-        add constraint FK_hct54n9h1moa76f44g6cw3lpc 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.categorizations 
-        add constraint FK_2xymec7oxsvoflm4pyw03qxrw 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.categorizations 
-        add constraint FK_spxdunplw881gx7ay4rcuueht 
-        foreign key (category_id) 
-        references ccm_core.categories;
-
-    alter table ccm_core.category_descriptions 
-        add constraint FK_gvqskqclt5nsi6x87163ydldr 
-        foreign key (object_id) 
-        references ccm_core.categories;
-
-    alter table ccm_core.category_domains 
-        add constraint FK_kh4n7uqv126lb1upk45giadxu 
-        foreign key (root_category_id) 
-        references ccm_core.categories;
-
-    alter table ccm_core.category_domains 
-        add constraint FK_irk58v7vtdgx0bfh8yarl5pte 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.category_titles 
-        add constraint FK_ygak8bqmh94jjtgs6vg945rd 
-        foreign key (object_id) 
-        references ccm_core.categories;
-
-    alter table ccm_core.ccm_groups 
-        add constraint FK_7a2nhf8gj3lns0preesnlok8o 
-        foreign key (subject_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.ccm_privileges 
-        add constraint FK_g06a7mpltqti17tvibm2j7ti8 
-        foreign key (relevant_privilege_id) 
-        references ccm_core.application_types;
-
-    alter table ccm_core.ccm_roles 
-        add constraint FK_ice2oswni34d2xx80cf81v2cv 
-        foreign key (implicit_group_id) 
-        references ccm_core.ccm_groups;
-
-    alter table ccm_core.ccm_roles 
-        add constraint FK_kbq9nkjwsvvkt6db59v2c1eb2 
-        foreign key (source_group_id) 
-        references ccm_core.ccm_groups;
-
-    alter table ccm_core.ccm_users 
-        add constraint FK_i9x5hcjowqc0aygna4wte5447 
-        foreign key (subject_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.digests 
-        add constraint FK_riucjho1m4x84l528d4b0xexh 
-        foreign key (from_party_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.digests 
-        add constraint FK_jslyikag80b9qhvvg4ui3r6li 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.domain_descriptions 
-        add constraint FK_anq6lql9qv1wov2hoq59i9pfs 
-        foreign key (object_id) 
-        references ccm_core.category_domains;
-
-    alter table ccm_core.domain_ownerships 
-        add constraint FK_nvdejc0jxmru3ax7v0su83wi7 
-        foreign key (domain_object_id) 
-        references ccm_core.category_domains;
-
-    alter table ccm_core.domain_ownerships 
-        add constraint FK_jiilo1lcqv8g7b16cviqhnepy 
-        foreign key (owner_object_id) 
-        references ccm_core.applications;
-
-    alter table ccm_core.domain_titles 
-        add constraint FK_p3w39o4hwcppwotw8ndjey6sl 
-        foreign key (object_id) 
-        references ccm_core.category_domains;
-
-    alter table ccm_core.formbuilder_component_descriptions 
-        add constraint FK_miw32na0kj3r3vx0yd9nmacu3 
-        foreign key (component_id) 
-        references ccm_core.formbuilder_components;
-
-    alter table ccm_core.formbuilder_components 
-        add constraint FK_ompdvc6pul5xbhn5r2aqv7knb 
-        foreign key (parentComponent_object_id) 
-        references ccm_core.formbuilder_components;
-
-    alter table ccm_core.formbuilder_components 
-        add constraint FK_2fhckbkcdrahmp1pnnm5p12pf 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.formbuilder_confirm_email_listener 
-        add constraint FK_t24egwvbo23ak7ga4cnsmn428 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_confirm_redirect_listeners 
-        add constraint FK_7xtmk3ij9uj2f6nybhprm5eh0 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_data_driven_selects 
-        add constraint FK_g0cfdd0rrt4akmibhdlejpb9u 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_widgets;
-
-    alter table ccm_core.formbuilder_data_queries 
-        add constraint FK_p2awj0f115oxg1re4nr7wgsvj 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.formbuilder_data_query_descriptions 
-        add constraint FK_6vi3n0g1gfjrxd3vvlarrn584 
-        foreign key (data_query_id) 
-        references ccm_core.formbuilder_data_queries;
-
-    alter table ccm_core.formbuilder_data_query_names 
-        add constraint FK_tgnk7hsrmtqxnhvfcefe936v9 
-        foreign key (data_query_id) 
-        references ccm_core.formbuilder_data_queries;
-
-    alter table ccm_core.formbuilder_formsections 
-        add constraint FK_endc2bmlb7orkk4l5x3fkmy2l 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_components;
-
-    alter table ccm_core.formbuilder_listeners 
-        add constraint FK_fidonwyc6s36a51lilys791ot 
-        foreign key (widget_object_id) 
-        references ccm_core.formbuilder_widgets;
-
-    alter table ccm_core.formbuilder_listeners 
-        add constraint FK_c0gkh6b1dsyp0xh1pvnd6tijr 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.formbuilder_metaobjects 
-        add constraint FK_fn61u2xdqraclu9j0y2lxqqp8 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.formbuilder_object_types 
-        add constraint FK_pvcmankfvwpvg0lqe6wio4rnc 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.formbuilder_option_labels 
-        add constraint FK_e8fy2g61cd7qn8ar1t48g7p1m 
-        foreign key (option_id) 
-        references ccm_core.formbuilder_options;
-
-    alter table ccm_core.formbuilder_options 
-        add constraint FK_f7fgwaysg76tnx2xtfjnpt8a3 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_components;
-
-    alter table ccm_core.formbuilder_process_listener_descriptions 
-        add constraint FK_p1e4ygtc3ke9r4gotkc5k8dmv 
-        foreign key (process_listener_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_process_listener_names 
-        add constraint FK_e3uy4vdqbely8oybcfc0ef7tn 
-        foreign key (process_listener_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_process_listeners 
-        add constraint FK_8b4m881ppfw6m13clxu4cp1o0 
-        foreign key (formSection_object_id) 
-        references ccm_core.formbuilder_formsections;
-
-    alter table ccm_core.formbuilder_process_listeners 
-        add constraint FK_a539g6h1xtndr87oov42wvdl4 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.formbuilder_remote_server_post_listener 
-        add constraint FK_n4ymnx1dtjqedvta4e8hqfxpp 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_simple_email_listeners 
-        add constraint FK_4phpnsgkmvblh5pgiej11aj9y 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_template_email_listeners 
-        add constraint FK_cevp55p98seugf2368sc7yqqq 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_widget_labels 
-        add constraint FK_tftgfd24vbwfhas20m20xt5e7 
-        foreign key (widget_object_id) 
-        references ccm_core.formbuilder_widgets;
-
-    alter table ccm_core.formbuilder_widget_labels 
-        add constraint FK_isff794p53xtpr1261vet6nhn 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_components;
-
-    alter table ccm_core.formbuilder_widgets 
-        add constraint FK_lv8wd5tad9t12m1qigj200hp2 
-        foreign key (label_object_id) 
-        references ccm_core.formbuilder_widget_labels;
-
-    alter table ccm_core.formbuilder_widgets 
-        add constraint FK_rgbe1klt8ktw2okc5lfbp7nkl 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_components;
-
-    alter table ccm_core.formbuilder_xml_email_listeners 
-        add constraint FK_n6fdsiv02im6d6wyj5l799uh2 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.group_memberships 
-        add constraint FK_gg62l9f6d82rl3h57r03y1f6y 
-        foreign key (group_subject_id) 
-        references ccm_core.ccm_groups;
-
-    alter table ccm_core.group_memberships 
-        add constraint FK_qm940kapbbc0ywyhkwh06wg48 
-        foreign key (user_subject_id) 
-        references ccm_core.ccm_users;
-
-    alter table ccm_core.inits 
-        add constraint FK_skqpgijaiv5idanah0e1hjoa 
-        foreign key (required_by_id) 
-        references ccm_core.inits;
-
-    alter table ccm_core.lucene_documents 
-        add constraint FK_n421djw91ggdmvsglk8t6tvk1 
-        foreign key (created_by_party_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.lucene_documents 
-        add constraint FK_qa9tey3vy1xrpxkyqo9us25s3 
-        foreign key (last_modified_by) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.lucene_indexes 
-        add constraint FK_7dqbase0oyxl83byea4hfdake 
-        foreign key (host_id) 
-        references ccm_core.hosts;
-
-    alter table ccm_core.messages 
-        add constraint FK_3l74b1gch8skj8t84emd65e3y 
-        foreign key (in_reply_to_id) 
-        references ccm_core.messages;
-
-    alter table ccm_core.messages 
-        add constraint FK_2tgrsfo79pwvrwk6lbdy32701 
-        foreign key (sender_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.messages 
-        add constraint FK_ipx9bvlxhd3q9aqs3kmq2kayc 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.notifications 
-        add constraint FK_k88btnwbdswv5ef360xxp8cn1 
-        foreign key (digest_id) 
-        references ccm_core.digests;
-
-    alter table ccm_core.notifications 
-        add constraint FK_fy4pjr1vlslocsi7d6vwku2yj 
-        foreign key (message_id) 
-        references ccm_core.messages;
-
-    alter table ccm_core.notifications 
-        add constraint FK_ajptmh33lr07i00e7j4pgheqe 
-        foreign key (receiver_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.notifications 
-        add constraint FK_s4xvw4ebw2tq41i0kex5pyo5k 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.permissions 
-        add constraint FK_aqw7r1c62xehp58uxwojun8xq 
-        foreign key (creation_user_id) 
-        references ccm_core.ccm_users;
-
-    alter table ccm_core.permissions 
-        add constraint FK_ilie616laommyrii7ecjbj521 
-        foreign key (granted_privilege_id) 
-        references ccm_core.ccm_privileges;
-
-    alter table ccm_core.permissions 
-        add constraint FK_g94li5wexu57n0mosdks1abuv 
-        foreign key (grantee_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.permissions 
-        add constraint FK_r2p8pfvr7k5lth4bem2s0xqdv 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.portals 
-        add constraint FK_mubhpxf8uf40wu2tc3ekkrqkc 
-        foreign key (object_id) 
-        references ccm_core.resources;
-
-    alter table ccm_core.portlets 
-        add constraint FK_i6o1tgre6iuc3yf7tk4jhmj6 
-        foreign key (portal_id) 
-        references ccm_core.portals;
-
-    alter table ccm_core.portlets 
-        add constraint FK_hvqa10v1thdr4riwt2unryk1y 
-        foreign key (object_id) 
-        references ccm_core.resources;
-
-    alter table ccm_core.queue_items 
-        add constraint FK_14jyt63f6cs84pangjcnphlps 
-        foreign key (message_id) 
-        references ccm_core.messages;
-
-    alter table ccm_core.queue_items 
-        add constraint FK_ojc2cc1yqd2htu88gxu16t11e 
-        foreign key (receiver_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.resource_descriptions 
-        add constraint FK_ayx5lyxreydtjbvdugoff7mox 
-        foreign key (object_id) 
-        references ccm_core.resources;
-
-    alter table ccm_core.resource_titles 
-        add constraint FK_aer0mvcddder3150jlq0552nn 
-        foreign key (object_id) 
-        references ccm_core.resources;
-
-    alter table ccm_core.resource_type_descriptions 
-        add constraint FK_fp5rutbl3lvv5c322l87ma0ae 
-        foreign key (resource_type_id) 
-        references ccm_core.resource_types;
-
-    alter table ccm_core.resources 
-        add constraint FK_7bwjikili5hr55of80yvjlocc 
-        foreign key (parent_object_id) 
-        references ccm_core.resources;
-
-    alter table ccm_core.resources 
-        add constraint FK_2o0qb7opah9rt9ww8ydvp7cxv 
-        foreign key (resourceType_resource_type_id) 
-        references ccm_core.resource_types;
-
-    alter table ccm_core.resources 
-        add constraint FK_e6rvkh4kw8agtkvjqqdbiu0db 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.threads 
-        add constraint FK_2d6ht9nsikaebakyppgtm8p2k 
-        foreign key (root_id) 
-        references ccm_core.messages;
-
-    alter table ccm_core.threads 
-        add constraint FK_jf5k6sucih0qp7l3ih2moeuha 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.user_email_addresses 
-        add constraint FK_m0hymqadkrd9o5eixeurjpifx 
-        foreign key (user_id) 
-        references ccm_core.ccm_users;
-
-    alter table ccm_core.workflow_descriptions 
-        add constraint FK_7grengdpx5d99jkyjlsa3pe6k 
-        foreign key (workflow_id) 
-        references ccm_core.workflows;
-
-    alter table ccm_core.workflow_names 
-        add constraint FK_sjqjarc88yvdrw3yd6swg7uqs 
-        foreign key (workflow_id) 
-        references ccm_core.workflows;
-
-    alter table ccm_core.workflow_tasks 
-        add constraint FK_mvuhbl6ikm44oxxtkv0s2y9iu 
-        foreign key (workflow_id) 
-        references ccm_core.workflows;
-
-    alter table ccm_core.workflow_user_task_assigned_groups 
-        add constraint FK_g58x45aybw2yjtwnr9b9itg6c 
-        foreign key (assigned_group_id) 
-        references ccm_core.ccm_groups;
-
-    alter table ccm_core.workflow_user_task_assigned_groups 
-        add constraint FK_jiogatex4mifbgji1og4rri9o 
-        foreign key (user_task_id) 
-        references ccm_core.workflow_user_tasks;
-
-    alter table ccm_core.workflow_user_task_assigned_users 
-        add constraint FK_h62r6cqjp2tdnhscfkgwfupwj 
-        foreign key (assigned_user_id) 
-        references ccm_core.ccm_users;
-
-    alter table ccm_core.workflow_user_task_assigned_users 
-        add constraint FK_ltihq91dcigqixb6ulhkphrix 
-        foreign key (user_task_id) 
-        references ccm_core.workflow_user_tasks;
-
-    alter table ccm_core.workflow_user_tasks 
-        add constraint FK_5nryb3wmian7oqttwqpa3wwll 
-        foreign key (locking_user_id) 
-        references ccm_core.ccm_users;
-
-    alter table ccm_core.workflow_user_tasks 
-        add constraint FK_s4tgjfnpvyhtpu0h4l72sht9g 
-        foreign key (notification_sender) 
-        references ccm_core.ccm_users;
-
-    alter table ccm_core.workflow_user_tasks 
-        add constraint FK_4nmt8xkbfog6dhq2mpt8m3skf 
-        foreign key (workflow_id) 
-        references ccm_core.workflows;
+    create table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_GROUPS (
+        USER_TASK_ID bigint not null,
+        ASSIGNED_GROUP_ID bigint not null
+    );
+
+    create table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_USERS (
+        USER_TASK_ID bigint not null,
+        ASSIGNED_USER_ID bigint not null
+    );
+
+    alter table CCM_CORE.CATEGORY_DOMAINS 
+        add constraint UK_mb1riernf8a88u3mwl0bgfj8y  unique (DOMAIN_KEY);
+
+    alter table CCM_CORE.CATEGORY_DOMAINS 
+        add constraint UK_i1xqotjvml7i6ro2jq22fxf5g  unique (URI);
+
+    alter table CCM_CORE.HOSTS 
+        add constraint UK_9ramlv6uxwt13v0wj7q0tucsx  unique (SERVER_NAME, SERVER_PORT);
+
+    alter table CCM_CORE.INSTALLED_MODULES 
+        add constraint UK_11imwgfojyi4hpr18uw9g3jvx  unique (MODULE_CLASS_NAME);
+
+    alter table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_GROUPS 
+        add constraint UK_q9evs4qcfhr79fha7xgk057wo  unique (ASSIGNED_GROUP_ID);
+
+    alter table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_USERS 
+        add constraint UK_bb9rm595xsbrpyx95lmwnlg76  unique (ASSIGNED_USER_ID);
+
+    alter table CCM_CORE.APPLICATIONS 
+        add constraint FK_sn1sqtx94nhxgv282ymoqiock 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.RESOURCES;
+
+    alter table CCM_CORE.ATTACHMENTS 
+        add constraint FK_fwm2uvhmqg8bmo1d66g0b6be9 
+        foreign key (MESSAGE_ID) 
+        references CCM_CORE.MESSAGES;
+
+    alter table CCM_CORE.CATEGORIES 
+        add constraint FK_4sghd3hxh69xgu68m8uh2axej 
+        foreign key (PARENT_CATEGORY_ID) 
+        references CCM_CORE.CATEGORIES;
+
+    alter table CCM_CORE.CATEGORIES 
+        add constraint FK_pvjwyfbuwafc1mlyevgwwyg49 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.CATEGORIZATIONS 
+        add constraint FK_2onruptfmyn5mu8f5j2o4h8i3 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.CATEGORIZATIONS 
+        add constraint FK_k43sltpj69u3y5eltkjhumc4p 
+        foreign key (CATEGORY_ID) 
+        references CCM_CORE.CATEGORIES;
+
+    alter table CCM_CORE.CATEGORY_DESCRIPTIONS 
+        add constraint FK_55equbyl81ut4yyt6jms57jwr 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CATEGORIES;
+
+    alter table CCM_CORE.CATEGORY_DOMAINS 
+        add constraint FK_jyt6c67quitehuh5xe7ulhqvu 
+        foreign key (ROOT_CATEGORY_ID) 
+        references CCM_CORE.CATEGORIES;
+
+    alter table CCM_CORE.CATEGORY_DOMAINS 
+        add constraint FK_40h1mx7tdlmjvb6x2e04jqgi7 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.CATEGORY_TITLES 
+        add constraint FK_954p2g6kwhef5h41pfcda812u 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CATEGORIES;
+
+    alter table CCM_CORE.DIGESTS 
+        add constraint FK_3xrcpufumqnh4ke4somt89rvh 
+        foreign key (FROM_PARTY_ID) 
+        references CCM_CORE.PARTIES;
+
+    alter table CCM_CORE.DIGESTS 
+        add constraint FK_4sxl35dvaj54ck0ikf850h58x 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.DOMAIN_DESCRIPTIONS 
+        add constraint FK_12rneohwyp6p66ioyoyobvkxr 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CATEGORY_DOMAINS;
+
+    alter table CCM_CORE.DOMAIN_OWNERSHIPS 
+        add constraint FK_m53bm8ecspukj3qj99q9xa8ox 
+        foreign key (domain_OBJECT_ID) 
+        references CCM_CORE.CATEGORY_DOMAINS;
+
+    alter table CCM_CORE.DOMAIN_OWNERSHIPS 
+        add constraint FK_ce4xhu9ilpdvjsmrsjb739t64 
+        foreign key (owner_OBJECT_ID) 
+        references CCM_CORE.APPLICATIONS;
+
+    alter table CCM_CORE.DOMAIN_TITLES 
+        add constraint FK_98kfhafuv6lmhnpkhurwp9bgm 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CATEGORY_DOMAINS;
+
+    alter table CCM_CORE.FORMBUILDER_COMPONENTS 
+        add constraint FK_72108sd6vsqt88g3fb4kl6o81 
+        foreign key (parentComponent_OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_COMPONENTS;
+
+    alter table CCM_CORE.FORMBUILDER_COMPONENTS 
+        add constraint FK_f9xo42yrxdjxqedrk3t2upm9e 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.FORMBUILDER_COMPONENT_DESCRIPTIONS 
+        add constraint FK_2njuft67tbfnkxsr62r0bmhh3 
+        foreign key (COMPONENT_ID) 
+        references CCM_CORE.FORMBUILDER_COMPONENTS;
+
+    alter table CCM_CORE.FORMBUILDER_CONFIRM_EMAIL_LISTENER 
+        add constraint FK_qm4q6qc2p81e349jgpoyxpq10 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_CONFIRM_REDIRECT_LISTENERS 
+        add constraint FK_cq44p887dqh2ycd0htku119wf 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_DATA_DRIVEN_SELECTS 
+        add constraint FK_qeyxu4t8aqosmoup7ho9qrtae 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_WIDGETS;
+
+    alter table CCM_CORE.FORMBUILDER_DATA_QUERIES 
+        add constraint FK_6xtng7pfv18ixfpid57grfh4 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.FORMBUILDER_DATA_QUERY_DESCRIPTIONS 
+        add constraint FK_2rlo453aslip0ng1fpyv022ld 
+        foreign key (DATA_QUERY_ID) 
+        references CCM_CORE.FORMBUILDER_DATA_QUERIES;
+
+    alter table CCM_CORE.FORMBUILDER_DATA_QUERY_NAMES 
+        add constraint FK_9nqk2rpq4exw708vobkmdcr1s 
+        foreign key (DATA_QUERY_ID) 
+        references CCM_CORE.FORMBUILDER_DATA_QUERIES;
+
+    alter table CCM_CORE.FORMBUILDER_FORMSECTIONS 
+        add constraint FK_anavw6ab288yo2d90axcebv1p 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_COMPONENTS;
+
+    alter table CCM_CORE.FORMBUILDER_LISTENERS 
+        add constraint FK_lnlrrafk9r9v072vqtmnkwkou 
+        foreign key (widget_OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_WIDGETS;
+
+    alter table CCM_CORE.FORMBUILDER_LISTENERS 
+        add constraint FK_2ynw5cse8kayvi9wqdgg477w0 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.FORMBUILDER_METAOBJECTS 
+        add constraint FK_9bx162hal2lqub5m5c21hh31r 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.FORMBUILDER_OBJECT_TYPES 
+        add constraint FK_qaj6yd47l5trvvxtnxeao1c33 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.FORMBUILDER_OPTIONS 
+        add constraint FK_6s1dxx8lfky4l5ibtd20ouvuj 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_COMPONENTS;
+
+    alter table CCM_CORE.FORMBUILDER_OPTION_LABELS 
+        add constraint FK_90c86qtfefh98jcche7rtk5ms 
+        foreign key (OPTION_ID) 
+        references CCM_CORE.FORMBUILDER_OPTIONS;
+
+    alter table CCM_CORE.FORMBUILDER_PROCESS_LISTENERS 
+        add constraint FK_2a4hflqpujuxvx90bsnie3s33 
+        foreign key (formSection_OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_FORMSECTIONS;
+
+    alter table CCM_CORE.FORMBUILDER_PROCESS_LISTENERS 
+        add constraint FK_dth0onqirda98fvvpo1rtpjxi 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.FORMBUILDER_PROCESS_LISTENER_DESCRIPTIONS 
+        add constraint FK_cynaaq1405ih7epmt4k6vv5m1 
+        foreign key (PROCESS_LISTENER_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_PROCESS_LISTENER_NAMES 
+        add constraint FK_gpc3rhvwhy9038k7or5ud8mim 
+        foreign key (PROCESS_LISTENER_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_REMOTE_SERVER_POST_LISTENER 
+        add constraint FK_b6b0wn2j0mps0ml4jh8s46y4r 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_SIMPLE_EMAIL_LISTENERS 
+        add constraint FK_33n9b1q1goybwbvvaotnq4n7 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_TEMPLATE_EMAIL_LISTENERS 
+        add constraint FK_iqwglkvml7y4yevaq8s1936im 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_WIDGETS 
+        add constraint FK_nei20rvwsnawx4u0ywrh22df1 
+        foreign key (label_OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_WIDGET_LABELS;
+
+    alter table CCM_CORE.FORMBUILDER_WIDGETS 
+        add constraint FK_rr1oge60scu4a564h7rcra507 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_COMPONENTS;
+
+    alter table CCM_CORE.FORMBUILDER_WIDGET_LABELS 
+        add constraint FK_7lp5ywog1suhe11jr3bl28cwg 
+        foreign key (widget_OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_WIDGETS;
+
+    alter table CCM_CORE.FORMBUILDER_WIDGET_LABELS 
+        add constraint FK_ieiewnctdo2hdqeuxiv7cl1ru 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_COMPONENTS;
+
+    alter table CCM_CORE.FORMBUILDER_XML_EMAIL_LISTENERS 
+        add constraint FK_kcfevkdytrk81gj08f4aeh3qu 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.GROUPS 
+        add constraint FK_bm1g1sp4aav32ghhbo04gkakl 
+        foreign key (PARTY_ID) 
+        references CCM_CORE.PARTIES;
+
+    alter table CCM_CORE.GROUP_MEMBERSHIPS 
+        add constraint FK_8fitvs176l2fpsoplbbsaxpjo 
+        foreign key (GROUP_ID) 
+        references CCM_CORE.GROUPS;
+
+    alter table CCM_CORE.GROUP_MEMBERSHIPS 
+        add constraint FK_7ttmeu1wo1bhgnxvqm5hksbwm 
+        foreign key (MEMBER_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.INITS 
+        add constraint FK_jm1ulcmd86shcy83907ojny4q 
+        foreign key (REQUIRED_BY_ID) 
+        references CCM_CORE.INITS;
+
+    alter table CCM_CORE.LUCENE_DOCUMENTS 
+        add constraint FK_hhbqgpg0ocewhlr2cclrtsj7r 
+        foreign key (CREATED_BY_PARTY_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.LUCENE_DOCUMENTS 
+        add constraint FK_mp7nlc3u4t38x0cevx0bg022s 
+        foreign key (LAST_MODIFIED_BY) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.LUCENE_INDEXES 
+        add constraint FK_f5ddcxpneculqmctmixjus42k 
+        foreign key (HOST_ID) 
+        references CCM_CORE.HOSTS;
+
+    alter table CCM_CORE.MESSAGES 
+        add constraint FK_pymp95s2bsv5dke8dxbdmdx1d 
+        foreign key (IN_REPLY_TO_ID) 
+        references CCM_CORE.MESSAGES;
+
+    alter table CCM_CORE.MESSAGES 
+        add constraint FK_7w5nh4eo1l5idhvfwvkv02yyi 
+        foreign key (SENDER_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.MESSAGES 
+        add constraint FK_t98lp1382qxby5c7b34j238pc 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.NOTIFICATIONS 
+        add constraint FK_a2hr4wa8qqnoj0njlrkuak3s6 
+        foreign key (DIGEST_ID) 
+        references CCM_CORE.DIGESTS;
+
+    alter table CCM_CORE.NOTIFICATIONS 
+        add constraint FK_ck8hytjcms2iwen7q538n49nu 
+        foreign key (MESSAGE_ID) 
+        references CCM_CORE.MESSAGES;
+
+    alter table CCM_CORE.NOTIFICATIONS 
+        add constraint FK_lp67f9mq0basheao3o81xj0xh 
+        foreign key (RECEIVER_ID) 
+        references CCM_CORE.PARTIES;
+
+    alter table CCM_CORE.NOTIFICATIONS 
+        add constraint FK_2aqx4bgfyhhh4g3pvvjh8hy0w 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.PERMISSIONS 
+        add constraint FK_7f7dd6k54fi1vy3llbvrer061 
+        foreign key (CREATION_USER_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.PERMISSIONS 
+        add constraint FK_cnt8ay16396ldn10w9yqfvtib 
+        foreign key (GRANTEE_ID) 
+        references CCM_CORE.CCM_ROLES;
+
+    alter table CCM_CORE.PERMISSIONS 
+        add constraint FK_5d855uu7512wakcver0bvdc3f 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.PORTALS 
+        add constraint FK_2san7d6vxf5jhesvar5hq57v4 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.RESOURCES;
+
+    alter table CCM_CORE.PORTLETS 
+        add constraint FK_46ty07r54th9qc87pyi31jdqs 
+        foreign key (PORTAL_ID) 
+        references CCM_CORE.PORTALS;
+
+    alter table CCM_CORE.PORTLETS 
+        add constraint FK_r0tybwnahtdoo68tbna9q3s75 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.RESOURCES;
+
+    alter table CCM_CORE.QUEUE_ITEMS 
+        add constraint FK_kskdba7a8ytgc5fxen06peg7 
+        foreign key (MESSAGE_ID) 
+        references CCM_CORE.MESSAGES;
+
+    alter table CCM_CORE.QUEUE_ITEMS 
+        add constraint FK_iccfxv2glwbqa465s8125ftgm 
+        foreign key (RECEIVER_ID) 
+        references CCM_CORE.PARTIES;
+
+    alter table CCM_CORE.RESOURCES 
+        add constraint FK_ceqi7mfjyk4vdoiyie09kmgj 
+        foreign key (parent_OBJECT_ID) 
+        references CCM_CORE.RESOURCES;
+
+    alter table CCM_CORE.RESOURCES 
+        add constraint FK_eodj9xd1rmdokm4c3ir1l7s4d 
+        foreign key (resourceType_RESOURCE_TYPE_ID) 
+        references CCM_CORE.RESOURCE_TYPES;
+
+    alter table CCM_CORE.RESOURCES 
+        add constraint FK_f600trvtav1r0n6oy7nri9wry 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.RESOURCE_DESCRIPTIONS 
+        add constraint FK_pcahs6vr1ajb3a4mh0vi4stuy 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.RESOURCES;
+
+    alter table CCM_CORE.RESOURCE_TITLES 
+        add constraint FK_brvlxvpy2f1n67562twvvux7s 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.RESOURCES;
+
+    alter table CCM_CORE.RESOURCE_TYPE_DESCRIPTIONS 
+        add constraint FK_7860pdhhck6opa22gc9u0pgfu 
+        foreign key (RESOURCE_TYPE_ID) 
+        references CCM_CORE.RESOURCE_TYPES;
+
+    alter table CCM_CORE.ROLE_MEMBERSHIPS 
+        add constraint FK_hueyk522he8t6fa1blnpcslap 
+        foreign key (MEMBER_ID) 
+        references CCM_CORE.PARTIES;
+
+    alter table CCM_CORE.ROLE_MEMBERSHIPS 
+        add constraint FK_eykbm84ndwgpqsr48wekhdoqj 
+        foreign key (ROLE_ID) 
+        references CCM_CORE.CCM_ROLES;
+
+    alter table CCM_CORE.THREADS 
+        add constraint FK_oopqroe5a8fg932teo0cyifcv 
+        foreign key (ROOT_ID) 
+        references CCM_CORE.MESSAGES;
+
+    alter table CCM_CORE.THREADS 
+        add constraint FK_n86cmt6poesgsr4g4c4q07i9f 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.USERS 
+        add constraint FK_9gwih54tm0rn63e536f6s9oti 
+        foreign key (PARTY_ID) 
+        references CCM_CORE.PARTIES;
+
+    alter table CCM_CORE.USER_EMAIL_ADDRESSES 
+        add constraint FK_tp5wms6tgfl827ihqbcgskusy 
+        foreign key (USER_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.WORKFLOW_DESCRIPTIONS 
+        add constraint FK_sp01mgi5mi5wbwrh8ivnfpw2n 
+        foreign key (WORKFLOW_ID) 
+        references CCM_CORE.WORKFLOWS;
+
+    alter table CCM_CORE.WORKFLOW_NAMES 
+        add constraint FK_rmkgykysvk7su7h5tij67p2r3 
+        foreign key (WORKFLOW_ID) 
+        references CCM_CORE.WORKFLOWS;
+
+    alter table CCM_CORE.WORKFLOW_TASKS 
+        add constraint FK_bawikoiw1k0bil1bvwq5qpa0j 
+        foreign key (WORKFLOW_ID) 
+        references CCM_CORE.WORKFLOWS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASKS 
+        add constraint FK_byuic3urkanoiqjnf6awfqmyk 
+        foreign key (LOCKING_USER_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASKS 
+        add constraint FK_2dtlvmuapubq81quny4elndh 
+        foreign key (NOTIFICATION_SENDER) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASKS 
+        add constraint FK_bg60xxg9kerqsxyphbfxulg8y 
+        foreign key (WORKFLOW_ID) 
+        references CCM_CORE.WORKFLOWS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_GROUPS 
+        add constraint FK_q9evs4qcfhr79fha7xgk057wo 
+        foreign key (ASSIGNED_GROUP_ID) 
+        references CCM_CORE.GROUPS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_GROUPS 
+        add constraint FK_lqtfvnswn0k8kjghoi4jk3qfe 
+        foreign key (USER_TASK_ID) 
+        references CCM_CORE.WORKFLOW_USER_TASKS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_USERS 
+        add constraint FK_bb9rm595xsbrpyx95lmwnlg76 
+        foreign key (ASSIGNED_USER_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_USERS 
+        add constraint FK_7qgn3rbw4wgpd77hhqogfh53x 
+        foreign key (USER_TASK_ID) 
+        references CCM_CORE.WORKFLOW_USER_TASKS;
 
     create sequence hibernate_sequence start with 1 increment by 1;
\ No newline at end of file
diff --git a/ccm-core/src/test/resources-wildfly8-remote-pgsql/scripts/create_ccm_core_schema.sql b/ccm-core/src/test/resources-wildfly8-remote-pgsql/scripts/create_ccm_core_schema.sql
index 0c743274a..464364622 100644
--- a/ccm-core/src/test/resources-wildfly8-remote-pgsql/scripts/create_ccm_core_schema.sql
+++ b/ccm-core/src/test/resources-wildfly8-remote-pgsql/scripts/create_ccm_core_schema.sql
@@ -4,1078 +4,1025 @@ DROP SEQUENCE IF EXISTS hibernate_sequence;
 
 CREATE SCHEMA ccm_core;
 
-    create table ccm_core.application_types (
-        resource_type_id int8 not null,
-        container_group_id int8,
-        provider_app_type_id int8,
-        primary key (resource_type_id)
+
+    create table CCM_CORE.APPLICATIONS (
+        APPLICATION_TYPE varchar(1024) not null,
+        PRIMARY_URL varchar(1024) not null,
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.applications (
-        primary_url varchar(1024) not null,
-        object_id int8 not null,
-        container_group_id int8,
-        primary key (object_id)
+    create table CCM_CORE.ATTACHMENTS (
+        ATTACHMENT_ID int8 not null,
+        ATTACHMENT_DATA oid,
+        DESCRIPTION varchar(255),
+        MIME_TYPE varchar(255),
+        TITLE varchar(255),
+        MESSAGE_ID int8,
+        primary key (ATTACHMENT_ID)
     );
 
-    create table ccm_core.attachments (
-        attachment_id int8 not null,
-        attachment_data oid,
-        description varchar(255),
-        mime_type varchar(255),
-        title varchar(255),
-        primary key (attachment_id)
+    create table CCM_CORE.CATEGORIES (
+        ABSTRACT_CATEGORY boolean,
+        CATEGORY_ORDER int8,
+        ENABLED boolean,
+        NAME varchar(255) not null,
+        UNIQUE_ID varchar(255) not null,
+        VISIBLE boolean,
+        OBJECT_ID int8 not null,
+        PARENT_CATEGORY_ID int8,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.categories (
-        abstract_category boolean,
-        category_order int8,
-        enabled boolean,
-        name varchar(255) not null,
-        unique_id varchar(255) not null,
-        visible boolean,
-        object_id int8 not null,
-        parent_category_id int8,
-        primary key (object_id)
+    create table CCM_CORE.CATEGORIZATIONS (
+        CATEGORIZATION_ID int8 not null,
+        CATEGORY_ORDER int8,
+        CATEGORY_INDEX boolean,
+        OBJECT_ORDER int8,
+        OBJECT_ID int8,
+        CATEGORY_ID int8,
+        primary key (CATEGORIZATION_ID)
     );
 
-    create table ccm_core.categorizations (
-        categorization_id int8 not null,
-        category_order int8,
-        category_index boolean,
-        object_order int8,
-        object_id int8,
-        category_id int8,
-        primary key (categorization_id)
+    create table CCM_CORE.CATEGORY_DESCRIPTIONS (
+        OBJECT_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (OBJECT_ID, LOCALE)
     );
 
-    create table ccm_core.category_descriptions (
-        object_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (object_id, locale)
+    create table CCM_CORE.CATEGORY_DOMAINS (
+        DOMAIN_KEY varchar(255) not null,
+        RELEASED timestamp,
+        URI varchar(1024) not null,
+        VERSION varchar(255) not null,
+        OBJECT_ID int8 not null,
+        ROOT_CATEGORY_ID int8,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.category_domains (
-        domain_key varchar(255) not null,
-        released timestamp,
-        uri varchar(1024) not null,
-        version varchar(255) not null,
-        object_id int8 not null,
-        root_category_id int8,
-        primary key (object_id)
+    create table CCM_CORE.CATEGORY_TITLES (
+        OBJECT_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (OBJECT_ID, LOCALE)
     );
 
-    create table ccm_core.category_titles (
-        object_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (object_id, locale)
+    create table CCM_CORE.CCM_OBJECTS (
+        OBJECT_ID int8 not null,
+        DISPLAY_NAME varchar(255),
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.ccm_groups (
-        name varchar(512) not null,
-        subject_id int8 not null,
-        primary key (subject_id)
-    );
-
-    create table ccm_core.ccm_objects (
-        object_id int8 not null,
-        display_name varchar(255),
-        primary key (object_id)
-    );
-
-    create table ccm_core.ccm_privileges (
-        privilege_id int8 not null,
-        label varchar(255) not null,
-        relevant_privilege_id int8,
-        primary key (privilege_id)
-    );
-
-    create table ccm_core.ccm_revisions (
+    create table CCM_CORE.CCM_REVISIONS (
         id int4 not null,
         timestamp int8 not null,
-        user_name varchar(255),
+        USER_NAME varchar(255),
         primary key (id)
     );
 
-    create table ccm_core.ccm_roles (
-        role_id int8 not null,
-        description varchar(255),
-        name varchar(512),
-        implicit_group_id int8,
-        source_group_id int8,
-        primary key (role_id)
+    create table CCM_CORE.CCM_ROLES (
+        ROLE_ID int8 not null,
+        name varchar(512) not null,
+        primary key (ROLE_ID)
     );
 
-    create table ccm_core.ccm_users (
-        banned boolean,
-        hash_algorithm varchar(64),
-        family_name varchar(512),
-        given_name varchar(512),
-        middle_name varchar(512),
-        title_post varchar(512),
-        title_pre varchar(512),
-        password varchar(2048),
-        password_answer varchar(2048),
-        password_question varchar(2048),
-        password_reset_required boolean,
-        salt varchar(2048),
-        screen_name varchar(255) not null,
-        sso_login varchar(512),
-        subject_id int8 not null,
-        primary key (subject_id)
+    create table CCM_CORE.DIGESTS (
+        FREQUENCY int4,
+        HEADER varchar(4096) not null,
+        NEXT_RUN timestamp,
+        DIGEST_SEPARATOR varchar(128) not null,
+        SIGNATURE varchar(4096) not null,
+        SUBJECT varchar(255) not null,
+        OBJECT_ID int8 not null,
+        FROM_PARTY_ID int8,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.digests (
-        frequency int4,
-        header varchar(4096) not null,
-        next_run timestamp,
-        digest_separator varchar(128) not null,
-        signature varchar(4096) not null,
-        subject varchar(255) not null,
-        object_id int8 not null,
-        from_party_id int8,
-        primary key (object_id)
+    create table CCM_CORE.DOMAIN_DESCRIPTIONS (
+        OBJECT_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (OBJECT_ID, LOCALE)
     );
 
-    create table ccm_core.domain_descriptions (
-        object_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (object_id, locale)
+    create table CCM_CORE.DOMAIN_OWNERSHIPS (
+        OWNERSHIP_ID int8 not null,
+        CONTEXT varchar(255),
+        DOMAIN_ORDER int8,
+        OWNER_ORDER int8,
+        domain_OBJECT_ID int8 not null,
+        owner_OBJECT_ID int8 not null,
+        primary key (OWNERSHIP_ID)
     );
 
-    create table ccm_core.domain_ownerships (
-        ownership_id int8 not null,
-        context varchar(255),
-        domain_order int8,
-        owner_order int8,
-        domain_object_id int8 not null,
-        owner_object_id int8 not null,
-        primary key (ownership_id)
+    create table CCM_CORE.DOMAIN_TITLES (
+        OBJECT_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (OBJECT_ID, LOCALE)
     );
 
-    create table ccm_core.domain_titles (
-        object_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (object_id, locale)
+    create table CCM_CORE.FORMBUILDER_COMPONENTS (
+        ACTIVE boolean,
+        ADMIN_NAME varchar(255),
+        ATTRIBUTE_STRING varchar(255),
+        COMPONENT_ORDER int8,
+        SELECTED boolean,
+        OBJECT_ID int8 not null,
+        parentComponent_OBJECT_ID int8,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_component_descriptions (
-        component_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (component_id, locale)
+    create table CCM_CORE.FORMBUILDER_COMPONENT_DESCRIPTIONS (
+        COMPONENT_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (COMPONENT_ID, LOCALE)
     );
 
-    create table ccm_core.formbuilder_components (
-        active boolean,
-        admin_name varchar(255),
-        attribute_string varchar(255),
-        component_order int8,
-        selected boolean,
-        object_id int8 not null,
-        parentComponent_object_id int8,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_CONFIRM_EMAIL_LISTENER (
+        BODY text,
+        FROM_EMAIL varchar(255),
+        SUBJECT varchar(255),
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_confirm_email_listener (
-        body text,
-        from_email varchar(255),
-        subject varchar(255),
-        object_id int8 not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_CONFIRM_REDIRECT_LISTENERS (
+        URL varchar(255),
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_confirm_redirect_listeners (
-        url varchar(255),
-        object_id int8 not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_DATA_DRIVEN_SELECTS (
+        MULTIPLE boolean,
+        QUERY varchar(255),
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_data_driven_selects (
-        multiple boolean,
-        query varchar(255),
-        object_id int8 not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_DATA_QUERIES (
+        QUERY_ID varchar(255),
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_data_queries (
-        query_id varchar(255),
-        object_id int8 not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_DATA_QUERY_DESCRIPTIONS (
+        DATA_QUERY_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (DATA_QUERY_ID, LOCALE)
     );
 
-    create table ccm_core.formbuilder_data_query_descriptions (
-        data_query_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (data_query_id, locale)
+    create table CCM_CORE.FORMBUILDER_DATA_QUERY_NAMES (
+        DATA_QUERY_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (DATA_QUERY_ID, LOCALE)
     );
 
-    create table ccm_core.formbuilder_data_query_names (
-        data_query_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (data_query_id, locale)
+    create table CCM_CORE.FORMBUILDER_FORMSECTIONS (
+        FORMSECTION_ACTION varchar(255),
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_formsections (
-        formsection_action varchar(255),
-        object_id int8 not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_LISTENERS (
+        ATTRIBUTE_STRING varchar(255),
+        CLASS_NAME varchar(255),
+        OBJECT_ID int8 not null,
+        widget_OBJECT_ID int8,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_listeners (
-        attribute_string varchar(255),
-        class_name varchar(255),
-        object_id int8 not null,
-        widget_object_id int8,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_METAOBJECTS (
+        CLASS_NAME varchar(255),
+        PRETTY_NAME varchar(255),
+        PRETTY_PLURAL varchar(255),
+        PROPERTIES_FORM varchar(255),
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_metaobjects (
-        class_name varchar(255),
-        pretty_name varchar(255),
-        pretty_plural varchar(255),
-        properties_form varchar(255),
-        object_id int8 not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_OBJECT_TYPES (
+        APP_NAME varchar(255),
+        CLASS_NAME varchar(255),
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_object_types (
-        app_name varchar(255),
-        class_name varchar(255),
-        object_id int8 not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_OPTIONS (
+        PARAMETER_VALUE varchar(255),
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_option_labels (
-        option_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (option_id, locale)
+    create table CCM_CORE.FORMBUILDER_OPTION_LABELS (
+        OPTION_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (OPTION_ID, LOCALE)
     );
 
-    create table ccm_core.formbuilder_options (
-        parameter_value varchar(255),
-        object_id int8 not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_PROCESS_LISTENERS (
+        LISTENER_CLASS varchar(255),
+        PROCESS_LISTENER_ORDER int8,
+        OBJECT_ID int8 not null,
+        formSection_OBJECT_ID int8,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_process_listener_descriptions (
-        process_listener_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (process_listener_id, locale)
+    create table CCM_CORE.FORMBUILDER_PROCESS_LISTENER_DESCRIPTIONS (
+        PROCESS_LISTENER_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (PROCESS_LISTENER_ID, LOCALE)
     );
 
-    create table ccm_core.formbuilder_process_listener_names (
-        process_listener_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (process_listener_id, locale)
+    create table CCM_CORE.FORMBUILDER_PROCESS_LISTENER_NAMES (
+        PROCESS_LISTENER_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (PROCESS_LISTENER_ID, LOCALE)
     );
 
-    create table ccm_core.formbuilder_process_listeners (
-        listener_class varchar(255),
-        process_listener_order int8,
-        object_id int8 not null,
-        formSection_object_id int8,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_REMOTE_SERVER_POST_LISTENER (
+        REMOTE_URL varchar(2048),
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_remote_server_post_listener (
-        remoteUrl varchar(255),
-        object_id int8 not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_SIMPLE_EMAIL_LISTENERS (
+        RECIPIENT varchar(255),
+        SUBJECT varchar(255),
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_simple_email_listeners (
-        recipient varchar(255),
-        subject varchar(255),
-        object_id int8 not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_TEMPLATE_EMAIL_LISTENERS (
+        BODY text,
+        RECIPIENT varchar(255),
+        SUBJECT varchar(255),
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_template_email_listeners (
-        body text,
-        recipient varchar(255),
-        subject varchar(255),
-        object_id int8 not null,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_WIDGETS (
+        DEFAULT_VALUE varchar(255),
+        PARAMETER_MODEL varchar(255),
+        PARAMETER_NAME varchar(255),
+        OBJECT_ID int8 not null,
+        label_OBJECT_ID int8,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_widget_labels (
-        object_id int8 not null,
-        widget_object_id int8,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_WIDGET_LABELS (
+        OBJECT_ID int8 not null,
+        widget_OBJECT_ID int8,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_widgets (
-        default_value varchar(255),
-        parameter_model varchar(255),
-        parameter_name varchar(255),
-        object_id int8 not null,
-        label_object_id int8,
-        primary key (object_id)
+    create table CCM_CORE.FORMBUILDER_XML_EMAIL_LISTENERS (
+        RECIPIENT varchar(255),
+        SUBJECT varchar(255),
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.formbuilder_xml_email_listeners (
-        recipient varchar(255),
-        subject varchar(255),
-        object_id int8 not null,
-        primary key (object_id)
+    create table CCM_CORE.GROUPS (
+        PARTY_ID int8 not null,
+        primary key (PARTY_ID)
     );
 
-    create table ccm_core.group_memberships (
-        membership_id int8 not null,
-        group_subject_id int8,
-        user_subject_id int8,
-        primary key (membership_id)
+    create table CCM_CORE.GROUP_MEMBERSHIPS (
+        MEMBERSHIP_ID int8 not null,
+        GROUP_ID int8,
+        MEMBER_ID int8,
+        primary key (MEMBERSHIP_ID)
     );
 
-    create table ccm_core.hosts (
-        host_id int8 not null,
-        server_name varchar(512),
-        server_port int8,
-        primary key (host_id)
+    create table CCM_CORE.HOSTS (
+        HOST_ID int8 not null,
+        SERVER_NAME varchar(512),
+        SERVER_PORT int8,
+        primary key (HOST_ID)
     );
 
-    create table ccm_core.inits (
-        initializer_id int8 not null,
-        class_name varchar(255),
-        required_by_id int8,
-        primary key (initializer_id)
+    create table CCM_CORE.INITS (
+        INITIALIZER_ID int8 not null,
+        CLASS_NAME varchar(255),
+        REQUIRED_BY_ID int8,
+        primary key (INITIALIZER_ID)
     );
 
-    create table ccm_core.installed_modules (
-        module_id int4 not null,
-        module_class_name varchar(2048),
-        status varchar(255),
-        primary key (module_id)
+    create table CCM_CORE.INSTALLED_MODULES (
+        MODULE_ID int4 not null,
+        MODULE_CLASS_NAME varchar(2048),
+        STATUS varchar(255),
+        primary key (MODULE_ID)
     );
 
-    create table ccm_core.lucene_documents (
-        document_id int8 not null,
-        content text,
-        content_section varchar(512),
-        country varchar(8),
-        created timestamp,
-        dirty int8,
-        document_language varchar(8),
-        last_modified timestamp,
-        summary varchar(4096),
-        document_timestamp timestamp,
-        title varchar(4096),
-        type varchar(255),
-        type_specific_info varchar(512),
-        created_by_party_id int8,
-        last_modified_by int8,
-        primary key (document_id)
+    create table CCM_CORE.LUCENE_DOCUMENTS (
+        DOCUMENT_ID int8 not null,
+        CONTENT text,
+        CONTENT_SECTION varchar(512),
+        COUNTRY varchar(8),
+        CREATED timestamp,
+        DIRTY int8,
+        DOCUMENT_LANGUAGE varchar(8),
+        LAST_MODIFIED timestamp,
+        SUMMARY varchar(4096),
+        DOCUMENT_TIMESTAMP timestamp,
+        TITLE varchar(4096),
+        TYPE varchar(255),
+        TYPE_SPECIFIC_INFO varchar(512),
+        CREATED_BY_PARTY_ID int8,
+        LAST_MODIFIED_BY int8,
+        primary key (DOCUMENT_ID)
     );
 
-    create table ccm_core.lucene_indexes (
-        index_id int8 not null,
-        lucene_index_id int8,
-        host_id int8,
-        primary key (index_id)
+    create table CCM_CORE.LUCENE_INDEXES (
+        INDEX_ID int8 not null,
+        LUCENE_INDEX_ID int8,
+        HOST_ID int8,
+        primary key (INDEX_ID)
     );
 
-    create table ccm_core.messages (
-        body varchar(255),
-        body_mime_type varchar(255),
-        sent timestamp,
-        subject varchar(255),
-        object_id int8 not null,
-        in_reply_to_id int8,
-        sender_id int8,
-        primary key (object_id)
+    create table CCM_CORE.MESSAGES (
+        BODY varchar(255),
+        BODY_MIME_TYPE varchar(255),
+        SENT timestamp,
+        SUBJECT varchar(255),
+        OBJECT_ID int8 not null,
+        IN_REPLY_TO_ID int8,
+        SENDER_ID int8,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.notifications (
-        expand_group boolean,
-        expunge boolean,
-        expunge_message boolean,
-        fulfill_date timestamp,
-        header varchar(4096),
-        max_retries int8,
-        request_date timestamp,
-        signature varchar(4096),
-        status varchar(32),
-        object_id int8 not null,
-        digest_id int8,
-        message_id int8,
-        receiver_id int8,
-        primary key (object_id)
+    create table CCM_CORE.NOTIFICATIONS (
+        EXPAND_GROUP boolean,
+        EXPUNGE boolean,
+        EXPUNGE_MESSAGE boolean,
+        FULFILL_DATE timestamp,
+        HEADER varchar(4096),
+        MAX_RETRIES int8,
+        REQUEST_DATE timestamp,
+        SIGNATURE varchar(4096),
+        STATUS varchar(32),
+        OBJECT_ID int8 not null,
+        DIGEST_ID int8,
+        MESSAGE_ID int8,
+        RECEIVER_ID int8,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.permissions (
-        permission_id int8 not null,
-        creation_date timestamp,
-        creation_ip varchar(255),
-        creation_user_id int8,
-        granted_privilege_id int8,
-        grantee_id int8,
-        object_id int8,
-        primary key (permission_id)
+    create table CCM_CORE.PARTIES (
+        PARTY_ID int8 not null,
+        NAME varchar(256) not null,
+        primary key (PARTY_ID)
     );
 
-    create table ccm_core.portals (
-        template boolean,
-        object_id int8 not null,
-        primary key (object_id)
+    create table CCM_CORE.PERMISSIONS (
+        PERMISSION_ID int8 not null,
+        CREATION_DATE timestamp,
+        CREATION_IP varchar(255),
+        granted_privilege varchar(255),
+        CREATION_USER_ID int8,
+        GRANTEE_ID int8,
+        OBJECT_ID int8,
+        primary key (PERMISSION_ID)
     );
 
-    create table ccm_core.portlets (
-        cell_number int8,
-        sort_key int8,
-        object_id int8 not null,
-        portal_id int8,
-        primary key (object_id)
+    create table CCM_CORE.PORTALS (
+        TEMPLATE boolean,
+        OBJECT_ID int8 not null,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.queue_items (
-        queue_item_id int8 not null,
-        header varchar(4096),
-        receiver_address varchar(512),
-        retry_count int8,
-        signature varchar(4096),
-        successful_sended boolean,
-        message_id int8,
-        receiver_id int8,
-        primary key (queue_item_id)
+    create table CCM_CORE.PORTLETS (
+        CELL_NUMBER int8,
+        SORT_KEY int8,
+        OBJECT_ID int8 not null,
+        PORTAL_ID int8,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.resource_descriptions (
-        object_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (object_id, locale)
+    create table CCM_CORE.QUEUE_ITEMS (
+        QUEUE_ITEM_ID int8 not null,
+        HEADER varchar(4096),
+        RECEIVER_ADDRESS varchar(512),
+        RETRY_COUNT int8,
+        SIGNATURE varchar(4096),
+        SUCCESSFUL_SENDED boolean,
+        MESSAGE_ID int8,
+        RECEIVER_ID int8,
+        primary key (QUEUE_ITEM_ID)
     );
 
-    create table ccm_core.resource_titles (
-        object_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (object_id, locale)
+    create table CCM_CORE.RESOURCES (
+        CREATED timestamp,
+        OBJECT_ID int8 not null,
+        parent_OBJECT_ID int8,
+        resourceType_RESOURCE_TYPE_ID int8,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.resource_type_descriptions (
-        resource_type_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (resource_type_id, locale)
+    create table CCM_CORE.RESOURCE_DESCRIPTIONS (
+        OBJECT_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (OBJECT_ID, LOCALE)
     );
 
-    create table ccm_core.resource_types (
-        resource_type_id int8 not null,
-        singleton boolean,
-        title varchar(254) not null,
-        embedded_view boolean,
-        full_page_view boolean,
-        workspace_app boolean,
-        primary key (resource_type_id)
+    create table CCM_CORE.RESOURCE_TITLES (
+        OBJECT_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (OBJECT_ID, LOCALE)
     );
 
-    create table ccm_core.resources (
-        created timestamp,
-        object_id int8 not null,
-        parent_object_id int8,
-        resourceType_resource_type_id int8,
-        primary key (object_id)
+    create table CCM_CORE.RESOURCE_TYPES (
+        RESOURCE_TYPE_ID int8 not null,
+        SINGLETON boolean,
+        TITLE varchar(254) not null,
+        EMBEDDED_VIEW boolean,
+        FULL_PAGE_VIEW boolean,
+        WORKSPACE_APP boolean,
+        primary key (RESOURCE_TYPE_ID)
     );
 
-    create table ccm_core.subjects (
-        subject_id int8 not null,
-        primary key (subject_id)
+    create table CCM_CORE.RESOURCE_TYPE_DESCRIPTIONS (
+        RESOURCE_TYPE_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (RESOURCE_TYPE_ID, LOCALE)
     );
 
-    create table ccm_core.threads (
-        object_id int8 not null,
-        root_id int8,
-        primary key (object_id)
+    create table CCM_CORE.ROLE_MEMBERSHIPS (
+        MEMBERSHIP_ID int8 not null,
+        MEMBER_ID int8,
+        ROLE_ID int8,
+        primary key (MEMBERSHIP_ID)
     );
 
-    create table ccm_core.user_email_addresses (
-        user_id int8 not null,
-        email_address varchar(512) not null,
-        bouncing boolean,
-        verified boolean
+    create table CCM_CORE.THREADS (
+        OBJECT_ID int8 not null,
+        ROOT_ID int8,
+        primary key (OBJECT_ID)
     );
 
-    create table ccm_core.workflow_descriptions (
-        workflow_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (workflow_id, locale)
+    create table CCM_CORE.USERS (
+        BANNED boolean,
+        FAMILY_NAME varchar(512),
+        GIVEN_NAME varchar(512),
+        PASSWORD varchar(2048),
+        PASSWORD_RESET_REQUIRED boolean,
+        EMAIL_ADDRESS varchar(512) not null,
+        BOUNCING boolean,
+        VERIFIED boolean,
+        PARTY_ID int8 not null,
+        primary key (PARTY_ID)
     );
 
-    create table ccm_core.workflow_names (
-        workflow_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (workflow_id, locale)
+    create table CCM_CORE.USER_EMAIL_ADDRESSES (
+        USER_ID int8 not null,
+        EMAIL_ADDRESS varchar(512) not null,
+        BOUNCING boolean,
+        VERIFIED boolean
     );
 
-    create table ccm_core.workflow_task_comments (
-        task_id int8 not null,
-        comment text
+    create table CCM_CORE.WORKFLOWS (
+        WORKFLOW_ID int8 not null,
+        primary key (WORKFLOW_ID)
     );
 
-    create table ccm_core.workflow_task_dependencies (
-        depends_on_task_id int8 not null,
-        dependent_task_id int8 not null
+    create table CCM_CORE.WORKFLOW_DESCRIPTIONS (
+        WORKFLOW_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (WORKFLOW_ID, LOCALE)
     );
 
-    create table ccm_core.workflow_task_labels (
-        task_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (task_id, locale)
+    create table CCM_CORE.WORKFLOW_NAMES (
+        WORKFLOW_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (WORKFLOW_ID, LOCALE)
     );
 
-    create table ccm_core.workflow_tasks (
-        task_id int8 not null,
-        active boolean,
-        task_state varchar(512),
-        workflow_id int8,
-        primary key (task_id)
+    create table CCM_CORE.WORKFLOW_TASKS (
+        TASK_ID int8 not null,
+        ACTIVE boolean,
+        TASK_STATE varchar(512),
+        WORKFLOW_ID int8,
+        primary key (TASK_ID)
     );
 
-    create table ccm_core.workflow_tasks_descriptions (
-        task_id int8 not null,
-        localized_value text,
-        locale varchar(255) not null,
-        primary key (task_id, locale)
+    create table CCM_CORE.WORKFLOW_TASKS_DESCRIPTIONS (
+        TASK_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (TASK_ID, LOCALE)
     );
 
-    create table ccm_core.workflow_user_task_assigned_groups (
-        user_task_id int8 not null,
-        assigned_group_id int8 not null
+    create table CCM_CORE.WORKFLOW_TASK_COMMENTS (
+        TASK_ID int8 not null,
+        COMMENT text
     );
 
-    create table ccm_core.workflow_user_task_assigned_users (
-        user_task_id int8 not null,
-        assigned_user_id int8 not null
+    create table CCM_CORE.WORKFLOW_TASK_DEPENDENCIES (
+        DEPENDS_ON_TASK_ID int8 not null,
+        DEPENDENT_TASK_ID int8 not null
     );
 
-    create table ccm_core.workflow_user_tasks (
-        task_id int8 not null,
-        active boolean,
-        task_state varchar(512),
-        workflow_id int8,
-        due_date timestamp,
-        duration_minutes int8,
-        locked boolean,
-        start_date timestamp,
-        locking_user_id int8,
-        notification_sender int8,
-        primary key (task_id)
+    create table CCM_CORE.WORKFLOW_TASK_LABELS (
+        TASK_ID int8 not null,
+        LOCALIZED_VALUE text,
+        LOCALE varchar(255) not null,
+        primary key (TASK_ID, LOCALE)
     );
 
-    create table ccm_core.workflows (
-        workflow_id int8 not null,
-        primary key (workflow_id)
+    create table CCM_CORE.WORKFLOW_USER_TASKS (
+        TASK_ID int8 not null,
+        ACTIVE boolean,
+        TASK_STATE varchar(512),
+        WORKFLOW_ID int8,
+        DUE_DATE timestamp,
+        DURATION_MINUTES int8,
+        LOCKED boolean,
+        START_DATE timestamp,
+        LOCKING_USER_ID int8,
+        NOTIFICATION_SENDER int8,
+        primary key (TASK_ID)
     );
 
-    alter table ccm_core.category_domains 
-        add constraint UK_mrgij5fr1sglxyab9ryl1vx37  unique (domain_key);
-
-    alter table ccm_core.category_domains 
-        add constraint UK_a9hmskgn6yfbw134mvjy9ixak  unique (uri);
-
-    alter table ccm_core.ccm_groups 
-        add constraint UK_9142ut4o9kwqmqjgqynl4xvc6  unique (name);
-
-    alter table ccm_core.ccm_privileges 
-        add constraint UK_ir9u47mfn3qds0toon7n5hlai  unique (label);
-
-    alter table ccm_core.ccm_users 
-        add constraint UK_3oj1rsneufkapevq9f32y4el0  unique (screen_name);
-
-    alter table ccm_core.hosts 
-        add constraint UK_2m0m4m0dhx256d04x2cg3194s  unique (server_name, server_port);
-
-    alter table ccm_core.installed_modules 
-        add constraint UK_c2ix7lp01ypyb6jf7b1ieptlm  unique (module_class_name);
-
-    alter table ccm_core.workflow_user_task_assigned_groups 
-        add constraint UK_g58x45aybw2yjtwnr9b9itg6c  unique (assigned_group_id);
-
-    alter table ccm_core.workflow_user_task_assigned_users 
-        add constraint UK_h62r6cqjp2tdnhscfkgwfupwj  unique (assigned_user_id);
-
-    alter table ccm_core.application_types 
-        add constraint FK_r9rd4iekfy3m8r1a1gto4t39 
-        foreign key (container_group_id) 
-        references ccm_core.ccm_groups;
-
-    alter table ccm_core.application_types 
-        add constraint FK_i44k6al7mr4u1c76iudglds39 
-        foreign key (provider_app_type_id) 
-        references ccm_core.application_types;
-
-    alter table ccm_core.application_types 
-        add constraint FK_41e4vrshljdkymnhb4cbkroa1 
-        foreign key (resource_type_id) 
-        references ccm_core.resource_types;
-
-    alter table ccm_core.applications 
-        add constraint FK_kr3wur06hmironiamv0rn38nu 
-        foreign key (container_group_id) 
-        references ccm_core.ccm_groups;
-
-    alter table ccm_core.applications 
-        add constraint FK_18qjyi037fk2lnx6t9fwljmx0 
-        foreign key (object_id) 
-        references ccm_core.resources;
-
-    alter table ccm_core.attachments 
-        add constraint FK_r3hibvgfo1dmawqig8c563xau 
-        foreign key (attachment_id) 
-        references ccm_core.messages;
-
-    alter table ccm_core.categories 
-        add constraint FK_hfr9rd0rv1jv730afoi2n0qb7 
-        foreign key (parent_category_id) 
-        references ccm_core.categories;
-
-    alter table ccm_core.categories 
-        add constraint FK_hct54n9h1moa76f44g6cw3lpc 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.categorizations 
-        add constraint FK_2xymec7oxsvoflm4pyw03qxrw 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.categorizations 
-        add constraint FK_spxdunplw881gx7ay4rcuueht 
-        foreign key (category_id) 
-        references ccm_core.categories;
-
-    alter table ccm_core.category_descriptions 
-        add constraint FK_gvqskqclt5nsi6x87163ydldr 
-        foreign key (object_id) 
-        references ccm_core.categories;
-
-    alter table ccm_core.category_domains 
-        add constraint FK_kh4n7uqv126lb1upk45giadxu 
-        foreign key (root_category_id) 
-        references ccm_core.categories;
-
-    alter table ccm_core.category_domains 
-        add constraint FK_irk58v7vtdgx0bfh8yarl5pte 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.category_titles 
-        add constraint FK_ygak8bqmh94jjtgs6vg945rd 
-        foreign key (object_id) 
-        references ccm_core.categories;
-
-    alter table ccm_core.ccm_groups 
-        add constraint FK_7a2nhf8gj3lns0preesnlok8o 
-        foreign key (subject_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.ccm_privileges 
-        add constraint FK_g06a7mpltqti17tvibm2j7ti8 
-        foreign key (relevant_privilege_id) 
-        references ccm_core.application_types;
-
-    alter table ccm_core.ccm_roles 
-        add constraint FK_ice2oswni34d2xx80cf81v2cv 
-        foreign key (implicit_group_id) 
-        references ccm_core.ccm_groups;
-
-    alter table ccm_core.ccm_roles 
-        add constraint FK_kbq9nkjwsvvkt6db59v2c1eb2 
-        foreign key (source_group_id) 
-        references ccm_core.ccm_groups;
-
-    alter table ccm_core.ccm_users 
-        add constraint FK_i9x5hcjowqc0aygna4wte5447 
-        foreign key (subject_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.digests 
-        add constraint FK_riucjho1m4x84l528d4b0xexh 
-        foreign key (from_party_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.digests 
-        add constraint FK_jslyikag80b9qhvvg4ui3r6li 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.domain_descriptions 
-        add constraint FK_anq6lql9qv1wov2hoq59i9pfs 
-        foreign key (object_id) 
-        references ccm_core.category_domains;
-
-    alter table ccm_core.domain_ownerships 
-        add constraint FK_nvdejc0jxmru3ax7v0su83wi7 
-        foreign key (domain_object_id) 
-        references ccm_core.category_domains;
-
-    alter table ccm_core.domain_ownerships 
-        add constraint FK_jiilo1lcqv8g7b16cviqhnepy 
-        foreign key (owner_object_id) 
-        references ccm_core.applications;
-
-    alter table ccm_core.domain_titles 
-        add constraint FK_p3w39o4hwcppwotw8ndjey6sl 
-        foreign key (object_id) 
-        references ccm_core.category_domains;
-
-    alter table ccm_core.formbuilder_component_descriptions 
-        add constraint FK_miw32na0kj3r3vx0yd9nmacu3 
-        foreign key (component_id) 
-        references ccm_core.formbuilder_components;
-
-    alter table ccm_core.formbuilder_components 
-        add constraint FK_ompdvc6pul5xbhn5r2aqv7knb 
-        foreign key (parentComponent_object_id) 
-        references ccm_core.formbuilder_components;
-
-    alter table ccm_core.formbuilder_components 
-        add constraint FK_2fhckbkcdrahmp1pnnm5p12pf 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.formbuilder_confirm_email_listener 
-        add constraint FK_t24egwvbo23ak7ga4cnsmn428 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_confirm_redirect_listeners 
-        add constraint FK_7xtmk3ij9uj2f6nybhprm5eh0 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_data_driven_selects 
-        add constraint FK_g0cfdd0rrt4akmibhdlejpb9u 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_widgets;
-
-    alter table ccm_core.formbuilder_data_queries 
-        add constraint FK_p2awj0f115oxg1re4nr7wgsvj 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.formbuilder_data_query_descriptions 
-        add constraint FK_6vi3n0g1gfjrxd3vvlarrn584 
-        foreign key (data_query_id) 
-        references ccm_core.formbuilder_data_queries;
-
-    alter table ccm_core.formbuilder_data_query_names 
-        add constraint FK_tgnk7hsrmtqxnhvfcefe936v9 
-        foreign key (data_query_id) 
-        references ccm_core.formbuilder_data_queries;
-
-    alter table ccm_core.formbuilder_formsections 
-        add constraint FK_endc2bmlb7orkk4l5x3fkmy2l 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_components;
-
-    alter table ccm_core.formbuilder_listeners 
-        add constraint FK_fidonwyc6s36a51lilys791ot 
-        foreign key (widget_object_id) 
-        references ccm_core.formbuilder_widgets;
-
-    alter table ccm_core.formbuilder_listeners 
-        add constraint FK_c0gkh6b1dsyp0xh1pvnd6tijr 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.formbuilder_metaobjects 
-        add constraint FK_fn61u2xdqraclu9j0y2lxqqp8 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.formbuilder_object_types 
-        add constraint FK_pvcmankfvwpvg0lqe6wio4rnc 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.formbuilder_option_labels 
-        add constraint FK_e8fy2g61cd7qn8ar1t48g7p1m 
-        foreign key (option_id) 
-        references ccm_core.formbuilder_options;
-
-    alter table ccm_core.formbuilder_options 
-        add constraint FK_f7fgwaysg76tnx2xtfjnpt8a3 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_components;
-
-    alter table ccm_core.formbuilder_process_listener_descriptions 
-        add constraint FK_p1e4ygtc3ke9r4gotkc5k8dmv 
-        foreign key (process_listener_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_process_listener_names 
-        add constraint FK_e3uy4vdqbely8oybcfc0ef7tn 
-        foreign key (process_listener_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_process_listeners 
-        add constraint FK_8b4m881ppfw6m13clxu4cp1o0 
-        foreign key (formSection_object_id) 
-        references ccm_core.formbuilder_formsections;
-
-    alter table ccm_core.formbuilder_process_listeners 
-        add constraint FK_a539g6h1xtndr87oov42wvdl4 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.formbuilder_remote_server_post_listener 
-        add constraint FK_n4ymnx1dtjqedvta4e8hqfxpp 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_simple_email_listeners 
-        add constraint FK_4phpnsgkmvblh5pgiej11aj9y 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_template_email_listeners 
-        add constraint FK_cevp55p98seugf2368sc7yqqq 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.formbuilder_widget_labels 
-        add constraint FK_tftgfd24vbwfhas20m20xt5e7 
-        foreign key (widget_object_id) 
-        references ccm_core.formbuilder_widgets;
-
-    alter table ccm_core.formbuilder_widget_labels 
-        add constraint FK_isff794p53xtpr1261vet6nhn 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_components;
-
-    alter table ccm_core.formbuilder_widgets 
-        add constraint FK_lv8wd5tad9t12m1qigj200hp2 
-        foreign key (label_object_id) 
-        references ccm_core.formbuilder_widget_labels;
-
-    alter table ccm_core.formbuilder_widgets 
-        add constraint FK_rgbe1klt8ktw2okc5lfbp7nkl 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_components;
-
-    alter table ccm_core.formbuilder_xml_email_listeners 
-        add constraint FK_n6fdsiv02im6d6wyj5l799uh2 
-        foreign key (object_id) 
-        references ccm_core.formbuilder_process_listeners;
-
-    alter table ccm_core.group_memberships 
-        add constraint FK_gg62l9f6d82rl3h57r03y1f6y 
-        foreign key (group_subject_id) 
-        references ccm_core.ccm_groups;
-
-    alter table ccm_core.group_memberships 
-        add constraint FK_qm940kapbbc0ywyhkwh06wg48 
-        foreign key (user_subject_id) 
-        references ccm_core.ccm_users;
-
-    alter table ccm_core.inits 
-        add constraint FK_skqpgijaiv5idanah0e1hjoa 
-        foreign key (required_by_id) 
-        references ccm_core.inits;
-
-    alter table ccm_core.lucene_documents 
-        add constraint FK_n421djw91ggdmvsglk8t6tvk1 
-        foreign key (created_by_party_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.lucene_documents 
-        add constraint FK_qa9tey3vy1xrpxkyqo9us25s3 
-        foreign key (last_modified_by) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.lucene_indexes 
-        add constraint FK_7dqbase0oyxl83byea4hfdake 
-        foreign key (host_id) 
-        references ccm_core.hosts;
-
-    alter table ccm_core.messages 
-        add constraint FK_3l74b1gch8skj8t84emd65e3y 
-        foreign key (in_reply_to_id) 
-        references ccm_core.messages;
-
-    alter table ccm_core.messages 
-        add constraint FK_2tgrsfo79pwvrwk6lbdy32701 
-        foreign key (sender_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.messages 
-        add constraint FK_ipx9bvlxhd3q9aqs3kmq2kayc 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.notifications 
-        add constraint FK_k88btnwbdswv5ef360xxp8cn1 
-        foreign key (digest_id) 
-        references ccm_core.digests;
-
-    alter table ccm_core.notifications 
-        add constraint FK_fy4pjr1vlslocsi7d6vwku2yj 
-        foreign key (message_id) 
-        references ccm_core.messages;
-
-    alter table ccm_core.notifications 
-        add constraint FK_ajptmh33lr07i00e7j4pgheqe 
-        foreign key (receiver_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.notifications 
-        add constraint FK_s4xvw4ebw2tq41i0kex5pyo5k 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.permissions 
-        add constraint FK_aqw7r1c62xehp58uxwojun8xq 
-        foreign key (creation_user_id) 
-        references ccm_core.ccm_users;
-
-    alter table ccm_core.permissions 
-        add constraint FK_ilie616laommyrii7ecjbj521 
-        foreign key (granted_privilege_id) 
-        references ccm_core.ccm_privileges;
-
-    alter table ccm_core.permissions 
-        add constraint FK_g94li5wexu57n0mosdks1abuv 
-        foreign key (grantee_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.permissions 
-        add constraint FK_r2p8pfvr7k5lth4bem2s0xqdv 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.portals 
-        add constraint FK_mubhpxf8uf40wu2tc3ekkrqkc 
-        foreign key (object_id) 
-        references ccm_core.resources;
-
-    alter table ccm_core.portlets 
-        add constraint FK_i6o1tgre6iuc3yf7tk4jhmj6 
-        foreign key (portal_id) 
-        references ccm_core.portals;
-
-    alter table ccm_core.portlets 
-        add constraint FK_hvqa10v1thdr4riwt2unryk1y 
-        foreign key (object_id) 
-        references ccm_core.resources;
-
-    alter table ccm_core.queue_items 
-        add constraint FK_14jyt63f6cs84pangjcnphlps 
-        foreign key (message_id) 
-        references ccm_core.messages;
-
-    alter table ccm_core.queue_items 
-        add constraint FK_ojc2cc1yqd2htu88gxu16t11e 
-        foreign key (receiver_id) 
-        references ccm_core.subjects;
-
-    alter table ccm_core.resource_descriptions 
-        add constraint FK_ayx5lyxreydtjbvdugoff7mox 
-        foreign key (object_id) 
-        references ccm_core.resources;
-
-    alter table ccm_core.resource_titles 
-        add constraint FK_aer0mvcddder3150jlq0552nn 
-        foreign key (object_id) 
-        references ccm_core.resources;
-
-    alter table ccm_core.resource_type_descriptions 
-        add constraint FK_fp5rutbl3lvv5c322l87ma0ae 
-        foreign key (resource_type_id) 
-        references ccm_core.resource_types;
-
-    alter table ccm_core.resources 
-        add constraint FK_7bwjikili5hr55of80yvjlocc 
-        foreign key (parent_object_id) 
-        references ccm_core.resources;
-
-    alter table ccm_core.resources 
-        add constraint FK_2o0qb7opah9rt9ww8ydvp7cxv 
-        foreign key (resourceType_resource_type_id) 
-        references ccm_core.resource_types;
-
-    alter table ccm_core.resources 
-        add constraint FK_e6rvkh4kw8agtkvjqqdbiu0db 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.threads 
-        add constraint FK_2d6ht9nsikaebakyppgtm8p2k 
-        foreign key (root_id) 
-        references ccm_core.messages;
-
-    alter table ccm_core.threads 
-        add constraint FK_jf5k6sucih0qp7l3ih2moeuha 
-        foreign key (object_id) 
-        references ccm_core.ccm_objects;
-
-    alter table ccm_core.user_email_addresses 
-        add constraint FK_m0hymqadkrd9o5eixeurjpifx 
-        foreign key (user_id) 
-        references ccm_core.ccm_users;
-
-    alter table ccm_core.workflow_descriptions 
-        add constraint FK_7grengdpx5d99jkyjlsa3pe6k 
-        foreign key (workflow_id) 
-        references ccm_core.workflows;
-
-    alter table ccm_core.workflow_names 
-        add constraint FK_sjqjarc88yvdrw3yd6swg7uqs 
-        foreign key (workflow_id) 
-        references ccm_core.workflows;
-
-    alter table ccm_core.workflow_tasks 
-        add constraint FK_mvuhbl6ikm44oxxtkv0s2y9iu 
-        foreign key (workflow_id) 
-        references ccm_core.workflows;
-
-    alter table ccm_core.workflow_user_task_assigned_groups 
-        add constraint FK_g58x45aybw2yjtwnr9b9itg6c 
-        foreign key (assigned_group_id) 
-        references ccm_core.ccm_groups;
-
-    alter table ccm_core.workflow_user_task_assigned_groups 
-        add constraint FK_jiogatex4mifbgji1og4rri9o 
-        foreign key (user_task_id) 
-        references ccm_core.workflow_user_tasks;
-
-    alter table ccm_core.workflow_user_task_assigned_users 
-        add constraint FK_h62r6cqjp2tdnhscfkgwfupwj 
-        foreign key (assigned_user_id) 
-        references ccm_core.ccm_users;
-
-    alter table ccm_core.workflow_user_task_assigned_users 
-        add constraint FK_ltihq91dcigqixb6ulhkphrix 
-        foreign key (user_task_id) 
-        references ccm_core.workflow_user_tasks;
-
-    alter table ccm_core.workflow_user_tasks 
-        add constraint FK_5nryb3wmian7oqttwqpa3wwll 
-        foreign key (locking_user_id) 
-        references ccm_core.ccm_users;
-
-    alter table ccm_core.workflow_user_tasks 
-        add constraint FK_s4tgjfnpvyhtpu0h4l72sht9g 
-        foreign key (notification_sender) 
-        references ccm_core.ccm_users;
-
-    alter table ccm_core.workflow_user_tasks 
-        add constraint FK_4nmt8xkbfog6dhq2mpt8m3skf 
-        foreign key (workflow_id) 
-        references ccm_core.workflows;
+    create table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_GROUPS (
+        USER_TASK_ID int8 not null,
+        ASSIGNED_GROUP_ID int8 not null
+    );
+
+    create table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_USERS (
+        USER_TASK_ID int8 not null,
+        ASSIGNED_USER_ID int8 not null
+    );
+
+    alter table CCM_CORE.CATEGORY_DOMAINS 
+        add constraint UK_mb1riernf8a88u3mwl0bgfj8y  unique (DOMAIN_KEY);
+
+    alter table CCM_CORE.CATEGORY_DOMAINS 
+        add constraint UK_i1xqotjvml7i6ro2jq22fxf5g  unique (URI);
+
+    alter table CCM_CORE.HOSTS 
+        add constraint UK_9ramlv6uxwt13v0wj7q0tucsx  unique (SERVER_NAME, SERVER_PORT);
+
+    alter table CCM_CORE.INSTALLED_MODULES 
+        add constraint UK_11imwgfojyi4hpr18uw9g3jvx  unique (MODULE_CLASS_NAME);
+
+    alter table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_GROUPS 
+        add constraint UK_q9evs4qcfhr79fha7xgk057wo  unique (ASSIGNED_GROUP_ID);
+
+    alter table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_USERS 
+        add constraint UK_bb9rm595xsbrpyx95lmwnlg76  unique (ASSIGNED_USER_ID);
+
+    alter table CCM_CORE.APPLICATIONS 
+        add constraint FK_sn1sqtx94nhxgv282ymoqiock 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.RESOURCES;
+
+    alter table CCM_CORE.ATTACHMENTS 
+        add constraint FK_fwm2uvhmqg8bmo1d66g0b6be9 
+        foreign key (MESSAGE_ID) 
+        references CCM_CORE.MESSAGES;
+
+    alter table CCM_CORE.CATEGORIES 
+        add constraint FK_4sghd3hxh69xgu68m8uh2axej 
+        foreign key (PARENT_CATEGORY_ID) 
+        references CCM_CORE.CATEGORIES;
+
+    alter table CCM_CORE.CATEGORIES 
+        add constraint FK_pvjwyfbuwafc1mlyevgwwyg49 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.CATEGORIZATIONS 
+        add constraint FK_2onruptfmyn5mu8f5j2o4h8i3 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.CATEGORIZATIONS 
+        add constraint FK_k43sltpj69u3y5eltkjhumc4p 
+        foreign key (CATEGORY_ID) 
+        references CCM_CORE.CATEGORIES;
+
+    alter table CCM_CORE.CATEGORY_DESCRIPTIONS 
+        add constraint FK_55equbyl81ut4yyt6jms57jwr 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CATEGORIES;
+
+    alter table CCM_CORE.CATEGORY_DOMAINS 
+        add constraint FK_jyt6c67quitehuh5xe7ulhqvu 
+        foreign key (ROOT_CATEGORY_ID) 
+        references CCM_CORE.CATEGORIES;
+
+    alter table CCM_CORE.CATEGORY_DOMAINS 
+        add constraint FK_40h1mx7tdlmjvb6x2e04jqgi7 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.CATEGORY_TITLES 
+        add constraint FK_954p2g6kwhef5h41pfcda812u 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CATEGORIES;
+
+    alter table CCM_CORE.DIGESTS 
+        add constraint FK_3xrcpufumqnh4ke4somt89rvh 
+        foreign key (FROM_PARTY_ID) 
+        references CCM_CORE.PARTIES;
+
+    alter table CCM_CORE.DIGESTS 
+        add constraint FK_4sxl35dvaj54ck0ikf850h58x 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.DOMAIN_DESCRIPTIONS 
+        add constraint FK_12rneohwyp6p66ioyoyobvkxr 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CATEGORY_DOMAINS;
+
+    alter table CCM_CORE.DOMAIN_OWNERSHIPS 
+        add constraint FK_m53bm8ecspukj3qj99q9xa8ox 
+        foreign key (domain_OBJECT_ID) 
+        references CCM_CORE.CATEGORY_DOMAINS;
+
+    alter table CCM_CORE.DOMAIN_OWNERSHIPS 
+        add constraint FK_ce4xhu9ilpdvjsmrsjb739t64 
+        foreign key (owner_OBJECT_ID) 
+        references CCM_CORE.APPLICATIONS;
+
+    alter table CCM_CORE.DOMAIN_TITLES 
+        add constraint FK_98kfhafuv6lmhnpkhurwp9bgm 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CATEGORY_DOMAINS;
+
+    alter table CCM_CORE.FORMBUILDER_COMPONENTS 
+        add constraint FK_72108sd6vsqt88g3fb4kl6o81 
+        foreign key (parentComponent_OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_COMPONENTS;
+
+    alter table CCM_CORE.FORMBUILDER_COMPONENTS 
+        add constraint FK_f9xo42yrxdjxqedrk3t2upm9e 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.FORMBUILDER_COMPONENT_DESCRIPTIONS 
+        add constraint FK_2njuft67tbfnkxsr62r0bmhh3 
+        foreign key (COMPONENT_ID) 
+        references CCM_CORE.FORMBUILDER_COMPONENTS;
+
+    alter table CCM_CORE.FORMBUILDER_CONFIRM_EMAIL_LISTENER 
+        add constraint FK_qm4q6qc2p81e349jgpoyxpq10 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_CONFIRM_REDIRECT_LISTENERS 
+        add constraint FK_cq44p887dqh2ycd0htku119wf 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_DATA_DRIVEN_SELECTS 
+        add constraint FK_qeyxu4t8aqosmoup7ho9qrtae 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_WIDGETS;
+
+    alter table CCM_CORE.FORMBUILDER_DATA_QUERIES 
+        add constraint FK_6xtng7pfv18ixfpid57grfh4 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.FORMBUILDER_DATA_QUERY_DESCRIPTIONS 
+        add constraint FK_2rlo453aslip0ng1fpyv022ld 
+        foreign key (DATA_QUERY_ID) 
+        references CCM_CORE.FORMBUILDER_DATA_QUERIES;
+
+    alter table CCM_CORE.FORMBUILDER_DATA_QUERY_NAMES 
+        add constraint FK_9nqk2rpq4exw708vobkmdcr1s 
+        foreign key (DATA_QUERY_ID) 
+        references CCM_CORE.FORMBUILDER_DATA_QUERIES;
+
+    alter table CCM_CORE.FORMBUILDER_FORMSECTIONS 
+        add constraint FK_anavw6ab288yo2d90axcebv1p 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_COMPONENTS;
+
+    alter table CCM_CORE.FORMBUILDER_LISTENERS 
+        add constraint FK_lnlrrafk9r9v072vqtmnkwkou 
+        foreign key (widget_OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_WIDGETS;
+
+    alter table CCM_CORE.FORMBUILDER_LISTENERS 
+        add constraint FK_2ynw5cse8kayvi9wqdgg477w0 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.FORMBUILDER_METAOBJECTS 
+        add constraint FK_9bx162hal2lqub5m5c21hh31r 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.FORMBUILDER_OBJECT_TYPES 
+        add constraint FK_qaj6yd47l5trvvxtnxeao1c33 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.FORMBUILDER_OPTIONS 
+        add constraint FK_6s1dxx8lfky4l5ibtd20ouvuj 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_COMPONENTS;
+
+    alter table CCM_CORE.FORMBUILDER_OPTION_LABELS 
+        add constraint FK_90c86qtfefh98jcche7rtk5ms 
+        foreign key (OPTION_ID) 
+        references CCM_CORE.FORMBUILDER_OPTIONS;
+
+    alter table CCM_CORE.FORMBUILDER_PROCESS_LISTENERS 
+        add constraint FK_2a4hflqpujuxvx90bsnie3s33 
+        foreign key (formSection_OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_FORMSECTIONS;
+
+    alter table CCM_CORE.FORMBUILDER_PROCESS_LISTENERS 
+        add constraint FK_dth0onqirda98fvvpo1rtpjxi 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.FORMBUILDER_PROCESS_LISTENER_DESCRIPTIONS 
+        add constraint FK_cynaaq1405ih7epmt4k6vv5m1 
+        foreign key (PROCESS_LISTENER_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_PROCESS_LISTENER_NAMES 
+        add constraint FK_gpc3rhvwhy9038k7or5ud8mim 
+        foreign key (PROCESS_LISTENER_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_REMOTE_SERVER_POST_LISTENER 
+        add constraint FK_b6b0wn2j0mps0ml4jh8s46y4r 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_SIMPLE_EMAIL_LISTENERS 
+        add constraint FK_33n9b1q1goybwbvvaotnq4n7 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_TEMPLATE_EMAIL_LISTENERS 
+        add constraint FK_iqwglkvml7y4yevaq8s1936im 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.FORMBUILDER_WIDGETS 
+        add constraint FK_nei20rvwsnawx4u0ywrh22df1 
+        foreign key (label_OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_WIDGET_LABELS;
+
+    alter table CCM_CORE.FORMBUILDER_WIDGETS 
+        add constraint FK_rr1oge60scu4a564h7rcra507 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_COMPONENTS;
+
+    alter table CCM_CORE.FORMBUILDER_WIDGET_LABELS 
+        add constraint FK_7lp5ywog1suhe11jr3bl28cwg 
+        foreign key (widget_OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_WIDGETS;
+
+    alter table CCM_CORE.FORMBUILDER_WIDGET_LABELS 
+        add constraint FK_ieiewnctdo2hdqeuxiv7cl1ru 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_COMPONENTS;
+
+    alter table CCM_CORE.FORMBUILDER_XML_EMAIL_LISTENERS 
+        add constraint FK_kcfevkdytrk81gj08f4aeh3qu 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.FORMBUILDER_PROCESS_LISTENERS;
+
+    alter table CCM_CORE.GROUPS 
+        add constraint FK_bm1g1sp4aav32ghhbo04gkakl 
+        foreign key (PARTY_ID) 
+        references CCM_CORE.PARTIES;
+
+    alter table CCM_CORE.GROUP_MEMBERSHIPS 
+        add constraint FK_8fitvs176l2fpsoplbbsaxpjo 
+        foreign key (GROUP_ID) 
+        references CCM_CORE.GROUPS;
+
+    alter table CCM_CORE.GROUP_MEMBERSHIPS 
+        add constraint FK_7ttmeu1wo1bhgnxvqm5hksbwm 
+        foreign key (MEMBER_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.INITS 
+        add constraint FK_jm1ulcmd86shcy83907ojny4q 
+        foreign key (REQUIRED_BY_ID) 
+        references CCM_CORE.INITS;
+
+    alter table CCM_CORE.LUCENE_DOCUMENTS 
+        add constraint FK_hhbqgpg0ocewhlr2cclrtsj7r 
+        foreign key (CREATED_BY_PARTY_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.LUCENE_DOCUMENTS 
+        add constraint FK_mp7nlc3u4t38x0cevx0bg022s 
+        foreign key (LAST_MODIFIED_BY) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.LUCENE_INDEXES 
+        add constraint FK_f5ddcxpneculqmctmixjus42k 
+        foreign key (HOST_ID) 
+        references CCM_CORE.HOSTS;
+
+    alter table CCM_CORE.MESSAGES 
+        add constraint FK_pymp95s2bsv5dke8dxbdmdx1d 
+        foreign key (IN_REPLY_TO_ID) 
+        references CCM_CORE.MESSAGES;
+
+    alter table CCM_CORE.MESSAGES 
+        add constraint FK_7w5nh4eo1l5idhvfwvkv02yyi 
+        foreign key (SENDER_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.MESSAGES 
+        add constraint FK_t98lp1382qxby5c7b34j238pc 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.NOTIFICATIONS 
+        add constraint FK_a2hr4wa8qqnoj0njlrkuak3s6 
+        foreign key (DIGEST_ID) 
+        references CCM_CORE.DIGESTS;
+
+    alter table CCM_CORE.NOTIFICATIONS 
+        add constraint FK_ck8hytjcms2iwen7q538n49nu 
+        foreign key (MESSAGE_ID) 
+        references CCM_CORE.MESSAGES;
+
+    alter table CCM_CORE.NOTIFICATIONS 
+        add constraint FK_lp67f9mq0basheao3o81xj0xh 
+        foreign key (RECEIVER_ID) 
+        references CCM_CORE.PARTIES;
+
+    alter table CCM_CORE.NOTIFICATIONS 
+        add constraint FK_2aqx4bgfyhhh4g3pvvjh8hy0w 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.PERMISSIONS 
+        add constraint FK_7f7dd6k54fi1vy3llbvrer061 
+        foreign key (CREATION_USER_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.PERMISSIONS 
+        add constraint FK_cnt8ay16396ldn10w9yqfvtib 
+        foreign key (GRANTEE_ID) 
+        references CCM_CORE.CCM_ROLES;
+
+    alter table CCM_CORE.PERMISSIONS 
+        add constraint FK_5d855uu7512wakcver0bvdc3f 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.PORTALS 
+        add constraint FK_2san7d6vxf5jhesvar5hq57v4 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.RESOURCES;
+
+    alter table CCM_CORE.PORTLETS 
+        add constraint FK_46ty07r54th9qc87pyi31jdqs 
+        foreign key (PORTAL_ID) 
+        references CCM_CORE.PORTALS;
+
+    alter table CCM_CORE.PORTLETS 
+        add constraint FK_r0tybwnahtdoo68tbna9q3s75 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.RESOURCES;
+
+    alter table CCM_CORE.QUEUE_ITEMS 
+        add constraint FK_kskdba7a8ytgc5fxen06peg7 
+        foreign key (MESSAGE_ID) 
+        references CCM_CORE.MESSAGES;
+
+    alter table CCM_CORE.QUEUE_ITEMS 
+        add constraint FK_iccfxv2glwbqa465s8125ftgm 
+        foreign key (RECEIVER_ID) 
+        references CCM_CORE.PARTIES;
+
+    alter table CCM_CORE.RESOURCES 
+        add constraint FK_ceqi7mfjyk4vdoiyie09kmgj 
+        foreign key (parent_OBJECT_ID) 
+        references CCM_CORE.RESOURCES;
+
+    alter table CCM_CORE.RESOURCES 
+        add constraint FK_eodj9xd1rmdokm4c3ir1l7s4d 
+        foreign key (resourceType_RESOURCE_TYPE_ID) 
+        references CCM_CORE.RESOURCE_TYPES;
+
+    alter table CCM_CORE.RESOURCES 
+        add constraint FK_f600trvtav1r0n6oy7nri9wry 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.RESOURCE_DESCRIPTIONS 
+        add constraint FK_pcahs6vr1ajb3a4mh0vi4stuy 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.RESOURCES;
+
+    alter table CCM_CORE.RESOURCE_TITLES 
+        add constraint FK_brvlxvpy2f1n67562twvvux7s 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.RESOURCES;
+
+    alter table CCM_CORE.RESOURCE_TYPE_DESCRIPTIONS 
+        add constraint FK_7860pdhhck6opa22gc9u0pgfu 
+        foreign key (RESOURCE_TYPE_ID) 
+        references CCM_CORE.RESOURCE_TYPES;
+
+    alter table CCM_CORE.ROLE_MEMBERSHIPS 
+        add constraint FK_hueyk522he8t6fa1blnpcslap 
+        foreign key (MEMBER_ID) 
+        references CCM_CORE.PARTIES;
+
+    alter table CCM_CORE.ROLE_MEMBERSHIPS 
+        add constraint FK_eykbm84ndwgpqsr48wekhdoqj 
+        foreign key (ROLE_ID) 
+        references CCM_CORE.CCM_ROLES;
+
+    alter table CCM_CORE.THREADS 
+        add constraint FK_oopqroe5a8fg932teo0cyifcv 
+        foreign key (ROOT_ID) 
+        references CCM_CORE.MESSAGES;
+
+    alter table CCM_CORE.THREADS 
+        add constraint FK_n86cmt6poesgsr4g4c4q07i9f 
+        foreign key (OBJECT_ID) 
+        references CCM_CORE.CCM_OBJECTS;
+
+    alter table CCM_CORE.USERS 
+        add constraint FK_9gwih54tm0rn63e536f6s9oti 
+        foreign key (PARTY_ID) 
+        references CCM_CORE.PARTIES;
+
+    alter table CCM_CORE.USER_EMAIL_ADDRESSES 
+        add constraint FK_tp5wms6tgfl827ihqbcgskusy 
+        foreign key (USER_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.WORKFLOW_DESCRIPTIONS 
+        add constraint FK_sp01mgi5mi5wbwrh8ivnfpw2n 
+        foreign key (WORKFLOW_ID) 
+        references CCM_CORE.WORKFLOWS;
+
+    alter table CCM_CORE.WORKFLOW_NAMES 
+        add constraint FK_rmkgykysvk7su7h5tij67p2r3 
+        foreign key (WORKFLOW_ID) 
+        references CCM_CORE.WORKFLOWS;
+
+    alter table CCM_CORE.WORKFLOW_TASKS 
+        add constraint FK_bawikoiw1k0bil1bvwq5qpa0j 
+        foreign key (WORKFLOW_ID) 
+        references CCM_CORE.WORKFLOWS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASKS 
+        add constraint FK_byuic3urkanoiqjnf6awfqmyk 
+        foreign key (LOCKING_USER_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASKS 
+        add constraint FK_2dtlvmuapubq81quny4elndh 
+        foreign key (NOTIFICATION_SENDER) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASKS 
+        add constraint FK_bg60xxg9kerqsxyphbfxulg8y 
+        foreign key (WORKFLOW_ID) 
+        references CCM_CORE.WORKFLOWS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_GROUPS 
+        add constraint FK_q9evs4qcfhr79fha7xgk057wo 
+        foreign key (ASSIGNED_GROUP_ID) 
+        references CCM_CORE.GROUPS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_GROUPS 
+        add constraint FK_lqtfvnswn0k8kjghoi4jk3qfe 
+        foreign key (USER_TASK_ID) 
+        references CCM_CORE.WORKFLOW_USER_TASKS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_USERS 
+        add constraint FK_bb9rm595xsbrpyx95lmwnlg76 
+        foreign key (ASSIGNED_USER_ID) 
+        references CCM_CORE.USERS;
+
+    alter table CCM_CORE.WORKFLOW_USER_TASK_ASSIGNED_USERS 
+        add constraint FK_7qgn3rbw4wgpd77hhqogfh53x 
+        foreign key (USER_TASK_ID) 
+        references CCM_CORE.WORKFLOW_USER_TASKS;
 
     create sequence hibernate_sequence start 1 increment 1;
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/configtests/com/arsdigita/kernel/KernelConfigTest/ccm-core.config b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/KernelConfigTest/ccm-core.config
similarity index 100%
rename from ccm-core/src/test/resources/configtests/com/arsdigita/kernel/KernelConfigTest/ccm-core.config
rename to ccm-core/src/test/resources/configs/com/arsdigita/kernel/KernelConfigTest/ccm-core.config
diff --git a/ccm-core/src/test/resources/configtests/com/arsdigita/kernel/KernelConfigTest/kernel.properties b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/KernelConfigTest/kernel.properties
similarity index 100%
rename from ccm-core/src/test/resources/configtests/com/arsdigita/kernel/KernelConfigTest/kernel.properties
rename to ccm-core/src/test/resources/configs/com/arsdigita/kernel/KernelConfigTest/kernel.properties
diff --git a/ccm-core/src/test/resources/configtests/com/arsdigita/kernel/KernelConfigTest/registry.properties b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/KernelConfigTest/registry.properties
similarity index 100%
rename from ccm-core/src/test/resources/configtests/com/arsdigita/kernel/KernelConfigTest/registry.properties
rename to ccm-core/src/test/resources/configs/com/arsdigita/kernel/KernelConfigTest/registry.properties
diff --git a/ccm-core/src/test/resources/configtests/com/arsdigita/kernel/security/SecurityConfigTest/ccm-core.config b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/ccm-core.config
similarity index 100%
rename from ccm-core/src/test/resources/configtests/com/arsdigita/kernel/security/SecurityConfigTest/ccm-core.config
rename to ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/ccm-core.config
diff --git a/ccm-core/src/test/resources/configtests/com/arsdigita/kernel/security/SecurityConfigTest/kernel.properties b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/kernel.properties
similarity index 100%
rename from ccm-core/src/test/resources/configtests/com/arsdigita/kernel/security/SecurityConfigTest/kernel.properties
rename to ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/kernel.properties
diff --git a/ccm-core/src/test/resources/configtests/com/arsdigita/kernel/security/SecurityConfigTest/registry.properties b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/registry.properties
similarity index 100%
rename from ccm-core/src/test/resources/configtests/com/arsdigita/kernel/security/SecurityConfigTest/registry.properties
rename to ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/registry.properties
diff --git a/ccm-core/src/test/resources/configtests/com/arsdigita/kernel/security/SecurityConfigTest/security.properties b/ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/security.properties
similarity index 100%
rename from ccm-core/src/test/resources/configtests/com/arsdigita/kernel/security/SecurityConfigTest/security.properties
rename to ccm-core/src/test/resources/configs/com/arsdigita/kernel/security/SecurityConfigTest/security.properties
diff --git a/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/kernel.properties b/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/kernel.properties
new file mode 100644
index 000000000..fd51d8d97
--- /dev/null
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/kernel.properties
@@ -0,0 +1 @@
+waf.kernel.primary_user_identifier=screen_name
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/log4j2.xml b/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/log4j2.xml
new file mode 100644
index 000000000..06af4b536
--- /dev/null
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/log4j2.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration status="WARN">
+    <Appenders>
+        <Console name="Console" target="SYSTEM_OUT">
+            <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
+        </Console>
+    </Appenders>
+    <Loggers>
+        <Root level="error">
+            <AppenderRef ref="Console"/>
+        </Root>
+        <Logger name="org.libreccm.security.Shiro"
+                level="debug">
+            <AppenderRef ref="Console"/>
+        </Logger>
+    </Loggers>
+</Configuration>
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/security.properties b/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/security.properties
new file mode 100644
index 000000000..b1cfe267e
--- /dev/null
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/security.properties
@@ -0,0 +1 @@
+# Empty
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/shiro.ini b/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/shiro.ini
new file mode 100644
index 000000000..f313a39e8
--- /dev/null
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/ShiroTest/shiro.ini
@@ -0,0 +1,10 @@
+[main]
+
+passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
+passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
+passwordMatcher.passwordService = $passwordService
+
+ccmRealm = org.libreccm.security.CcmShiroRealm
+ccmRealm.credentialsMatcher = $passwordMatcher
+
+securityManager.realms = $ccmRealm
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/ccm-core.config b/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/ccm-core.config
new file mode 100644
index 000000000..dd5c4baf7
--- /dev/null
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/ccm-core.config
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<registry>
+    <config class="com.arsdigita.kernel.KernelConfig"
+            storage="ccm-core/kernel.properties"/>
+
+    <config class="com.arsdigita.kernel.security.SecurityConfig"
+            storage="ccm-core/security.properties"/>
+</registry>
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/kernel.properties b/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/kernel.properties
new file mode 100644
index 000000000..f0ebc0b58
--- /dev/null
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/kernel.properties
@@ -0,0 +1 @@
+# this file is empty by purpose.
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/registry.properties b/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/registry.properties
new file mode 100644
index 000000000..9bb7b6ea9
--- /dev/null
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/registry.properties
@@ -0,0 +1 @@
+waf.config.packages=ccm-core
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/security.properties b/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/security.properties
new file mode 100644
index 000000000..b1cfe267e
--- /dev/null
+++ b/ccm-core/src/test/resources/configs/org/libreccm/security/UserManagerTest/security.properties
@@ -0,0 +1 @@
+# Empty
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupManagerTest/after-add.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupManagerTest/after-add.yml
new file mode 100644
index 000000000..7f9160f82
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupManagerTest/after-add.yml
@@ -0,0 +1,84 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    # Max Muster
+    - party_id: -20
+      name: mmuster
+    # Joe Public
+    - party_id: -30
+      name: joe
+    # admins
+    - party_id: -40
+      name: admins
+    # users
+    - party_id: -50
+      name: users
+    # editors
+    - party_id: -60
+      name: editors
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      party_id: -20
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - banned: false
+      bouncing: false
+      email_address: joe.public@example.com
+      family_name: Public
+      given_name: Joe
+      party_id: -30
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
+ccm_core.groups:
+    # admins
+    - party_id: -40
+    # users
+    - party_id: -50
+    # editors
+    - party_id: -60
+ccm_core.group_memberships:
+    # admins <-> jdoe
+    - membership_id: -100
+      group_id: -40
+      member_id: -10
+    # users <-> mmuster
+    - membership_id: -200
+      group_id: -50
+      member_id: -20
+    # users <-> joe
+    - membership_id: -300
+      group_id: -50
+      member_id: -30
+    # editors <-> joe
+    - membership_id: -400
+      group_id: -60
+      member_id: -30
+    # admins <-> mmuster
+    - membership_id: -500
+      group_id: -40
+      member_id: -20
+    # editors <-> jdoe
+    - membership_id: -600
+      group_id: -60
+      member_id: -10
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupManagerTest/after-remove.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupManagerTest/after-remove.yml
new file mode 100644
index 000000000..cc793c680
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupManagerTest/after-remove.yml
@@ -0,0 +1,68 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    # Max Muster
+    - party_id: -20
+      name: mmuster
+    # Joe Public
+    - party_id: -30
+      name: joe
+    # admins
+    - party_id: -40
+      name: admins
+    # users
+    - party_id: -50
+      name: users
+    # editors
+    - party_id: -60
+      name: editors
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      party_id: -20
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - banned: false
+      bouncing: false
+      email_address: joe.public@example.com
+      family_name: Public
+      given_name: Joe
+      party_id: -30
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
+ccm_core.groups:
+    # admins
+    - party_id: -40
+    # users
+    - party_id: -50
+    # editors
+    - party_id: -60
+ccm_core.group_memberships:
+    # users <-> joe
+    - membership_id: -300
+      group_id: -50
+      member_id: -30
+    # editors <-> joe
+    - membership_id: -400
+      group_id: -60
+      member_id: -30
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupManagerTest/data.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupManagerTest/data.yml
new file mode 100644
index 000000000..b226fad50
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupManagerTest/data.yml
@@ -0,0 +1,76 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    # Max Muster
+    - party_id: -20
+      name: mmuster
+    # Joe Public
+    - party_id: -30
+      name: joe
+    # admins
+    - party_id: -40
+      name: admins
+    # users
+    - party_id: -50
+      name: users
+    # editors
+    - party_id: -60
+      name: editors
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      party_id: -20
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - banned: false
+      bouncing: false
+      email_address: joe.public@example.com
+      family_name: Public
+      given_name: Joe
+      party_id: -30
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
+ccm_core.groups:
+    # admins
+    - party_id: -40
+    # users
+    - party_id: -50
+    # editors
+    - party_id: -60
+ccm_core.group_memberships:
+    # admins <-> jdoe
+    - membership_id: -100
+      group_id: -40
+      member_id: -10
+    # users <-> mmuster
+    - membership_id: -200
+      group_id: -50
+      member_id: -20
+    # users <-> joe
+    - membership_id: -300
+      group_id: -50
+      member_id: -30
+    # editors <-> joe
+    - membership_id: -400
+      group_id: -60
+      member_id: -30
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupRepositoryTest/after-delete.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupRepositoryTest/after-delete.yml
new file mode 100644
index 000000000..08a265163
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupRepositoryTest/after-delete.yml
@@ -0,0 +1,8 @@
+ccm_core.parties:
+    - party_id: -10
+      name: admins
+    - party_id: -30
+      name: editors
+ccm_core.groups:
+    - party_id: -10
+    - party_id: -30
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupRepositoryTest/after-save-changed.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupRepositoryTest/after-save-changed.yml
new file mode 100644
index 000000000..6dd4d2f5a
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupRepositoryTest/after-save-changed.yml
@@ -0,0 +1,11 @@
+ccm_core.parties:
+    - party_id: -10
+      name: admins
+    - party_id: -20
+      name: users
+    - party_id: -30
+      name: authors
+ccm_core.groups:
+    - party_id: -10
+    - party_id: -20
+    - party_id: -30
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupRepositoryTest/after-save-new.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupRepositoryTest/after-save-new.yml
new file mode 100644
index 000000000..b2e1886d2
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupRepositoryTest/after-save-new.yml
@@ -0,0 +1,14 @@
+ccm_core.parties:
+    - party_id: -10
+      name: admins
+    - party_id: -20
+      name: users
+    - party_id: -30
+      name: editors
+    - party_id: -40
+      name: authors
+ccm_core.groups:
+    - party_id: -10
+    - party_id: -20
+    - party_id: -30
+    - party_id: -40
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupRepositoryTest/data.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupRepositoryTest/data.yml
new file mode 100644
index 000000000..d83c512e1
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/GroupRepositoryTest/data.yml
@@ -0,0 +1,11 @@
+ccm_core.parties:
+    - party_id: -10
+      name: admins
+    - party_id: -20
+      name: users
+    - party_id: -30
+      name: editors
+ccm_core.groups:
+    - party_id: -10
+    - party_id: -20
+    - party_id: -30
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/PartyRepositoryTest/after-delete.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/PartyRepositoryTest/after-delete.yml
new file mode 100644
index 000000000..aea40940e
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/PartyRepositoryTest/after-delete.yml
@@ -0,0 +1,7 @@
+ccm_core.parties:
+    - party_id: -20
+      name: admins
+ccm_core.groups:
+    - party_id: -20
+ccm_core.users:
+    
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/PartyRepositoryTest/after-save-changed.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/PartyRepositoryTest/after-save-changed.yml
new file mode 100644
index 000000000..dc8aa6ef9
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/PartyRepositoryTest/after-save-changed.yml
@@ -0,0 +1,20 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: johndoe
+    - party_id: -20
+      name: managers
+ccm_core.groups:
+    - party_id: -20
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/PartyRepositoryTest/after-save-new.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/PartyRepositoryTest/after-save-new.yml
new file mode 100644
index 000000000..047162b78
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/PartyRepositoryTest/after-save-new.yml
@@ -0,0 +1,36 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    - party_id: -20
+      name: admins
+    - party_id: -30
+      name: mmuster
+    - party_id: -40
+      name: users
+ccm_core.groups:
+    - party_id: -20
+    - party_id: -40
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      party_id: -30
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/PartyRepositoryTest/data.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/PartyRepositoryTest/data.yml
new file mode 100644
index 000000000..a9f4b4aa9
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/PartyRepositoryTest/data.yml
@@ -0,0 +1,20 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    - party_id: -20
+      name: admins
+ccm_core.groups:
+    - party_id: -20
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/PermissionManagerTest/after-copy.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/PermissionManagerTest/after-copy.yml
new file mode 100644
index 000000000..824a8b503
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/PermissionManagerTest/after-copy.yml
@@ -0,0 +1,29 @@
+ccm_core.ccm_roles:
+    - role_id: -10001
+      name: role1
+    - role_id: -10002
+      name: role2
+ccm_core.ccm_objects:
+    - object_id: -20001
+      display_name: object1
+    - object_id: -20002
+      display_name: object2
+    - object_id: -20003
+      display_name: object3
+ccm_core.permissions:
+    - permission_id: -30001
+      granted_privilege: privilege1
+      grantee_id: -10001
+    - permission_id: -30002
+      granted_privilege: privilege2
+      object_id: -20001
+      grantee_id: -10001
+    - permission_id: -30003
+      granted_privilege: privilege2
+      object_id: -20002
+      grantee_id: -10002
+    - permission_id: -30004
+      granted_privilege: privilege2
+      object_id: -20003
+      grantee_id: -10002
+
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/PermissionManagerTest/after-grant.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/PermissionManagerTest/after-grant.yml
new file mode 100644
index 000000000..6ef94b200
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/PermissionManagerTest/after-grant.yml
@@ -0,0 +1,32 @@
+ccm_core.ccm_roles:
+    - role_id: -10001
+      name: role1
+    - role_id: -10002
+      name: role2
+ccm_core.ccm_objects:
+    - object_id: -20001
+      display_name: object1
+    - object_id: -20002
+      display_name: object2
+    - object_id: -20003
+      display_name: object3
+ccm_core.permissions:
+    - permission_id: -30001
+      granted_privilege: privilege1
+      grantee_id: -10001
+    - permission_id: -30002
+      granted_privilege: privilege2
+      object_id: -20001
+      grantee_id: -10001
+    - permission_id: -30003
+      granted_privilege: privilege2
+      object_id: -20002
+      grantee_id: -10002
+    - permission_id: -30004
+      granted_privilege: privilege2
+      object_id: -20003
+      grantee_id: -10002
+    - permission_id: -30005
+      granted_privilege: privilege3
+      grantee_id: -10002
+
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/PermissionManagerTest/after-revoke.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/PermissionManagerTest/after-revoke.yml
new file mode 100644
index 000000000..ba6d1b312
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/PermissionManagerTest/after-revoke.yml
@@ -0,0 +1,18 @@
+ccm_core.ccm_roles:
+    - role_id: -10001
+      name: role1
+    - role_id: -10002
+      name: role2
+ccm_core.ccm_objects:
+    - object_id: -20001
+      display_name: object1
+    - object_id: -20002
+      display_name: object2
+    - object_id: -20003
+      display_name: object3
+ccm_core.permissions:
+    - permission_id: -30003
+      granted_privilege: privilege2
+      object_id: -20002
+      grantee_id: -10002
+
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/PermissionManagerTest/data.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/PermissionManagerTest/data.yml
new file mode 100644
index 000000000..b14c08a6a
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/PermissionManagerTest/data.yml
@@ -0,0 +1,24 @@
+ccm_core.ccm_roles:
+    - role_id: -10001
+      name: role1
+    - role_id: -10002
+      name: role2
+ccm_core.ccm_objects:
+    - object_id: -20001
+      display_name: object1
+    - object_id: -20002
+      display_name: object2
+    - object_id: -20003
+      display_name: object3
+ccm_core.permissions:
+    - permission_id: -30001
+      granted_privilege: privilege1
+      grantee_id: -10001
+    - permission_id: -30002
+      granted_privilege: privilege2
+      object_id: -20001
+      grantee_id: -10001
+    - permission_id: -30003
+      granted_privilege: privilege2
+      object_id: -20002
+      grantee_id: -10002
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleManagerTest/after-add.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleManagerTest/after-add.yml
new file mode 100644
index 000000000..e39baf5bb
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleManagerTest/after-add.yml
@@ -0,0 +1,108 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    # Max Muster
+    - party_id: -20
+      name: mmuster
+    # Joe Public
+    - party_id: -30
+      name: joe
+    # group1
+    - party_id: -100
+      name: group1
+    # group2
+    - party_id: -200
+      name: group2
+    # group3
+    - party_id: -300
+      name: group3
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      party_id: -20
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - banned: false
+      bouncing: false
+      email_address: joe.public@example.com
+      family_name: Public
+      given_name: Joe
+      party_id: -30
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
+ccm_core.groups:
+    # group1
+    - party_id: -100
+    # group2
+    - party_id: -200
+    # group3
+    - party_id: -300
+ccm_core.group_memberships:
+    # group1 <-> mmuster
+    - membership_id: -1000
+      group_id: -100
+      member_id: -20
+    # group2 <-> jdoe
+    - membership_id: -1100
+      group_id: -200
+      member_id: -10
+    # group3 <-> mmuster
+    - membership_id: -1200
+      group_id: -300
+      member_id: -20
+    # group3 <-> joe
+    - membership_id: -1300
+      group_id: -300
+      member_id: -30
+ccm_core.ccm_roles: 
+    - role_id: -2000
+      name: role1
+    - role_id: -2100
+      name: role2
+    - role_id: -2200
+      name: role3
+ccm_core.role_memberships:
+    # role1 <-> jdoe
+    - membership_id: -3000
+      role_id: -2000
+      member_id: -10
+    # role1 <-> group3
+    - membership_id: -3100
+      role_id: -2000
+      member_id: -300
+    # role2 <-> group1
+    - membership_id: -3200
+      role_id: -2100
+      member_id: -100
+    # role3 <-> joe
+    - membership_id: -3300
+      role_id: -2200
+      member_id: -30
+    # role1 <-> joe
+    - membership_id: -3400
+      role_id: -2000
+      member_id: -30
+    # role3 <-> group1
+    - membership_id: -3500
+      role_id: -2200
+      member_id: -100
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleManagerTest/after-remove.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleManagerTest/after-remove.yml
new file mode 100644
index 000000000..f4d4764d8
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleManagerTest/after-remove.yml
@@ -0,0 +1,92 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    # Max Muster
+    - party_id: -20
+      name: mmuster
+    # Joe Public
+    - party_id: -30
+      name: joe
+    # group1
+    - party_id: -100
+      name: group1
+    # group2
+    - party_id: -200
+      name: group2
+    # group3
+    - party_id: -300
+      name: group3
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      party_id: -20
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - banned: false
+      bouncing: false
+      email_address: joe.public@example.com
+      family_name: Public
+      given_name: Joe
+      party_id: -30
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
+ccm_core.groups:
+    # group1
+    - party_id: -100
+    # group2
+    - party_id: -200
+    # group3
+    - party_id: -300
+ccm_core.group_memberships:
+    # group1 <-> mmuster
+    - membership_id: -1000
+      group_id: -100
+      member_id: -20
+    # group2 <-> jdoe
+    - membership_id: -1100
+      group_id: -200
+      member_id: -10
+    # group3 <-> mmuster
+    - membership_id: -1200
+      group_id: -300
+      member_id: -20
+    # group3 <-> joe
+    - membership_id: -1300
+      group_id: -300
+      member_id: -30
+ccm_core.ccm_roles: 
+    - role_id: -2000
+      name: role1
+    - role_id: -2100
+      name: role2
+    - role_id: -2200
+      name: role3
+ccm_core.role_memberships:
+    # role1 <-> group3
+    - membership_id: -3100
+      role_id: -2000
+      member_id: -300
+    # role3 <-> joe
+    - membership_id: -3300
+      role_id: -2200
+      member_id: -30
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleManagerTest/data.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleManagerTest/data.yml
new file mode 100644
index 000000000..8d729c846
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleManagerTest/data.yml
@@ -0,0 +1,100 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    # Max Muster
+    - party_id: -20
+      name: mmuster
+    # Joe Public
+    - party_id: -30
+      name: joe
+    # group1
+    - party_id: -100
+      name: group1
+    # group2
+    - party_id: -200
+      name: group2
+    # group3
+    - party_id: -300
+      name: group3
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      party_id: -20
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - banned: false
+      bouncing: false
+      email_address: joe.public@example.com
+      family_name: Public
+      given_name: Joe
+      party_id: -30
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
+ccm_core.groups:
+    # group1
+    - party_id: -100
+    # group2
+    - party_id: -200
+    # group3
+    - party_id: -300
+ccm_core.group_memberships:
+    # group1 <-> mmuster
+    - membership_id: -1000
+      group_id: -100
+      member_id: -20
+    # group2 <-> jdoe
+    - membership_id: -1100
+      group_id: -200
+      member_id: -10
+    # group3 <-> mmuster
+    - membership_id: -1200
+      group_id: -300
+      member_id: -20
+    # group3 <-> joe
+    - membership_id: -1300
+      group_id: -300
+      member_id: -30
+ccm_core.ccm_roles: 
+    - role_id: -2000
+      name: role1
+    - role_id: -2100
+      name: role2
+    - role_id: -2200
+      name: role3
+ccm_core.role_memberships:
+    # role1 <-> jdoe
+    - membership_id: -3000
+      role_id: -2000
+      member_id: -10
+    # role1 <-> group3
+    - membership_id: -3100
+      role_id: -2000
+      member_id: -300
+    # role2 <-> group1
+    - membership_id: -3200
+      role_id: -2100
+      member_id: -100
+    # role3 <-> joe
+    - membership_id: -3300
+      role_id: -2200
+      member_id: -30
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleRepositoryTest/after-delete.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleRepositoryTest/after-delete.yml
new file mode 100644
index 000000000..b93a68a20
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleRepositoryTest/after-delete.yml
@@ -0,0 +1,5 @@
+ccm_core.ccm_roles:
+    - role_id: -10
+      name: administrator
+    - role_id: -30
+      name: reader
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleRepositoryTest/after-save-changed.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleRepositoryTest/after-save-changed.yml
new file mode 100644
index 000000000..5201f806a
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleRepositoryTest/after-save-changed.yml
@@ -0,0 +1,7 @@
+ccm_core.ccm_roles:
+    - role_id: -10
+      name: administrator
+    - role_id: -20
+      name: writer
+    - role_id: -30
+      name: reader
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleRepositoryTest/after-save-new.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleRepositoryTest/after-save-new.yml
new file mode 100644
index 000000000..19a433b63
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleRepositoryTest/after-save-new.yml
@@ -0,0 +1,9 @@
+ccm_core.ccm_roles:
+    - role_id: -10
+      name: administrator
+    - role_id: -20
+      name: user
+    - role_id: -30
+      name: reader
+    - role_id: -40
+      name: editor
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleRepositoryTest/data.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleRepositoryTest/data.yml
new file mode 100644
index 000000000..e2a3bde33
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/RoleRepositoryTest/data.yml
@@ -0,0 +1,7 @@
+ccm_core.ccm_roles:
+    - role_id: -10
+      name: administrator
+    - role_id: -20
+      name: user
+    - role_id: -30
+      name: reader
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/ShiroTest/data.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/ShiroTest/data.yml
new file mode 100644
index 000000000..3230063e8
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/ShiroTest/data.yml
@@ -0,0 +1,137 @@
+ccm_core.parties:
+    - party_id: -41001
+      name: jdoe
+    - party_id: -41002
+      name: mmuster
+    - party_id: -41003
+      name: joe
+    - party_id: -41004
+      name: public-user
+    - party_id: -41005
+      name: emuster
+    - party_id: -42001
+      name: group1
+    - party_id: -42002
+      name: group2
+    - party_id: -42003
+      name: group3
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -41001
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      party_id: -41002
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - banned: false
+      bouncing: false
+      email_address: joe.public@example.com
+      family_name: Public
+      given_name: Joe
+      party_id: -41003
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
+    # Public user
+    - banned: false
+      bouncing: false
+      email_address: public-user@example.org
+      family_name: user
+      given_name: public
+      party_id: -41004
+      password_reset_required: false
+      verified: true
+    # Erik Mustermann (banned)
+    - banned: true
+      bouncing: false
+      email_address: erik.mustermann@example.org
+      family_name: Musterman
+      given_name: Erik
+      party_id: -41005
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
+ccm_core.groups:
+    - party_id: -42001
+    - party_id: -42002
+    - party_id: -42003
+ccm_core.group_memberships:
+    # group1 <-> mmuster
+    - membership_id: -50001
+      group_id: -42001
+      member_id: -41002
+    # group2 <-> jdoe
+    - membership_id: -50002
+      group_id: -42002
+      member_id: -41001
+    # group3 <-> mmuster
+    - membership_id: -50003
+      group_id: -42003
+      member_id: -41002
+    # group3 <-> joe
+    - membership_id: -50004
+      group_id: -42003
+      member_id: -41003
+ccm_core.ccm_roles:
+    - role_id: -10001
+      name: role1
+    - role_id: -10002
+      name: role2
+    - role_id: -10003
+      name: public-role
+ccm_core.role_memberships:
+    # role1 <-> group1
+    - membership_id: -60001
+      role_id: -10001
+      member_id: -42001
+    # role2 <-> jdoe
+    - membership_id: -60002
+      role_id: -10002
+      member_id: -41001
+    # public-role <-> public-user
+    - membership_id: -60003
+      role_id: -10003
+      member_id: -41004
+ccm_core.ccm_objects:
+    - object_id: -20001
+      display_name: object1
+    - object_id: -20002
+      display_name: object2
+    - object_id: -20003
+      display_name: object3
+ccm_core.permissions:
+    # permission for privilege1 granted to role1
+    - permission_id: -30001
+      granted_privilege: privilege1
+      grantee_id: -10001
+    # permission for privilege2 granted on object1 to role1
+    - permission_id: -30002
+      granted_privilege: privilege2
+      object_id: -20001
+      grantee_id: -10001
+    # permission for privilege2 granted on object2 to role2
+    - permission_id: -30003
+      granted_privilege: privilege2
+      object_id: -20002
+      grantee_id: -10002
+    # permission for privilege3 granted on object1 to public-role
+    - permission_id: -30004
+      granted_privilege: privilege3
+      object_id: -20001
+      grantee_id: -10003
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/UserManagerTest/after-create-user.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserManagerTest/after-create-user.yml
new file mode 100644
index 000000000..a9bbd7c47
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserManagerTest/after-create-user.yml
@@ -0,0 +1,56 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    # mmuster
+    - party_id: -20
+      name: mmuster
+    # Jdoe Public
+    - party_id: -30
+      name: joe
+    # Jane Doe
+    - party_id: -40
+      name: jane
+ccm_core.users:
+    # John Doe
+    - party_id: -10
+      banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - party_id: -20
+      banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - party_id: -30
+      banned: false
+      bouncing: false
+      email_address: joe.public@example.com
+      family_name: Public
+      given_name: Joe
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
+    # Jane Doe
+    - party_id: -40
+      banned: false
+      bouncing: false
+      email_address: jane.doe@example.org
+      family_name: Doe
+      given_name: Jane
+      password: $shiro1$SHA-512$500000$24lA090z7GKYr4VFlZ6t4A==$/heoTHPA5huT1UfJ8Q+waXEG6AjUKhFYLFrj7KW/l0/z9O+QkiZTtfPfbcPblgjcEvrROMEIoQY4Z65S7rFLQg==
+      password_reset_required: false
+      verified: true
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/UserManagerTest/data.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserManagerTest/data.yml
new file mode 100644
index 000000000..04abe71be
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserManagerTest/data.yml
@@ -0,0 +1,43 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    # mmuster
+    - party_id: -20
+      name: mmuster
+    # Jdoe Public
+    - party_id: -30
+      name: joe
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      party_id: -20
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - banned: false
+      bouncing: false
+      email_address: joe.public@example.com
+      family_name: Public
+      given_name: Joe
+      party_id: -30
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/after-delete.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/after-delete.yml
new file mode 100644
index 000000000..915e4472e
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/after-delete.yml
@@ -0,0 +1,29 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    # JoePublic
+    - party_id: -30
+      name: joe
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - banned: false
+      bouncing: false
+      email_address: joe.public@example.com
+      family_name: Public
+      given_name: Joe
+      party_id: -30
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/after-save-changed.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/after-save-changed.yml
new file mode 100644
index 000000000..3eed9064d
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/after-save-changed.yml
@@ -0,0 +1,43 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    # mmuster
+    - party_id: -20
+      name: mmuster
+    # Jdoe Public
+    - party_id: -30
+      name: joe
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: jd@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo1456
+      password: $shiro1$SHA-512$500000$AH1llRaMHE8W31Q7VG6jsA==$XXgKeyDCsrN23NvszQ5wt+uViQUlVqTAM+05LrE7Bd9sc0eaJT8HlAGvSdY+rqTLbiGm9YS4pohzoUt1x3kmKg==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - banned: false
+      bouncing: false
+      email_address: joe.public@example.com
+      family_name: Public
+      given_name: Joe
+      party_id: -30
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      party_id: -20
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/after-save-new.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/after-save-new.yml
new file mode 100644
index 000000000..c0cde85bb
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/after-save-new.yml
@@ -0,0 +1,56 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    # mmuster
+    - party_id: -20
+      name: mmuster
+    # Jdoe Public
+    - party_id: -30
+      name: joe
+    # Jane Doe
+    - party_id: -40
+      name: jane
+ccm_core.users:
+    # John Doe
+    - party_id: -10
+      banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - party_id: -20
+      banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - party_id: -30
+      banned: false
+      bouncing: false
+      email_address: joe.public@example.com
+      family_name: Public
+      given_name: Joe
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
+    # Jane Doe
+    - party_id: -40
+      banned: false
+      bouncing: false
+      email_address: jane.doe@example.org
+      family_name: Doe
+      given_name: Jane
+      password: $shiro1$SHA-512$500000$24lA090z7GKYr4VFlZ6t4A==$/heoTHPA5huT1UfJ8Q+waXEG6AjUKhFYLFrj7KW/l0/z9O+QkiZTtfPfbcPblgjcEvrROMEIoQY4Z65S7rFLQg==
+      password_reset_required: false
+      verified: false
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/data-email-duplicate.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/data-email-duplicate.yml
new file mode 100644
index 000000000..4b1cf7619
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/data-email-duplicate.yml
@@ -0,0 +1,43 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    # mmuster
+    - party_id: -20
+      name: mmuster
+    # Jdoe Public
+    - party_id: -30
+      name: joe
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      party_id: -20
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Public
+      given_name: Joe
+      party_id: -30
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/data.yml b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/data.yml
new file mode 100644
index 000000000..f8f58d4df
--- /dev/null
+++ b/ccm-core/src/test/resources/datasets/org/libreccm/security/UserRepositoryTest/data.yml
@@ -0,0 +1,43 @@
+ccm_core.parties:
+    # John Doe
+    - party_id: -10
+      name: jdoe
+    # Max Muster
+    - party_id: -20
+      name: mmuster
+    # Joe Public
+    - party_id: -30
+      name: joe
+ccm_core.users:
+    # John Doe
+    - banned: false
+      bouncing: false
+      email_address: john.doe@example.com
+      family_name: Doe
+      given_name: John
+      party_id: -10
+      # foo123
+      password: $shiro1$SHA-512$500000$7xkDcZUN0/whJInHIvGsDw==$WhelBVmJU/cLV7lAkMOrE5B/mqCW0bUuid1WX+xBwzzAaekC5bYn9eeOFGJWhiDgmaC50ZCUmM96/iGsRoc4uA==
+      password_reset_required: false
+      verified: true
+    # Max Mustermann
+    - banned: false
+      bouncing: false
+      email_address: max.mustermann@example.org
+      family_name: Mustermann
+      given_name: Max
+      party_id: -20
+      # foo123
+      password: $shiro1$SHA-512$500000$Y7CnccN1h25sR7KCElMOXg==$CVLWBhetodaEzzhDfGjRcCFZtSW02xOnjH7xhBx0lbxO66grKIt6LWmXoUhLEydce1JZ7cbzNLYOxIwwTeqi5Q==
+      password_reset_required: false
+      verified: true
+    # Joe Public
+    - banned: false
+      bouncing: false
+      email_address: joe.public@example.com
+      family_name: Public
+      given_name: Joe
+      party_id: -30
+      password: $shiro1$SHA-512$500000$RUCYXAQt+XzUmj3x8oG5gw==$qU+lX160Jc6sNUOI9X85wlf2lzn4/hLJNURtjmw9LOYJ7vAqUFFmhyNCMxpzuHIpzeMELr+A0XReoSmtcZnOOw==
+      password_reset_required: false
+      verified: true
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/scripts/h2-cleanup.sql b/ccm-core/src/test/resources/scripts/h2-cleanup.sql
index 04e4086bb..e5c3503e2 100644
--- a/ccm-core/src/test/resources/scripts/h2-cleanup.sql
+++ b/ccm-core/src/test/resources/scripts/h2-cleanup.sql
@@ -1,17 +1,17 @@
 DELETE FROM ccm_core.permissions;
 
-DELETE FROM ccm_core.ccm_privileges;
-
 DELETE FROM ccm_core.ccm_objects;
 
-DELETE FROM ccm_core.ccm_roles;
+DELETE FROM ccm_core.role_memberships;
 
 DELETE FROM ccm_core.group_memberships;
 
-DELETE FROM ccm_core.ccm_groups;
+DELETE FROM ccm_core.groups;
+
+DELETE FROM ccm_core.users;
 
 DELETE FROM ccm_core.user_email_addresses;
 
-DELETE FROM ccm_core.ccm_users;
+DELETE FROM ccm_core.parties;
 
-DELETE FROM ccm_core.subjects;
\ No newline at end of file
+DELETE FROM ccm_core.ccm_roles;
\ No newline at end of file
diff --git a/ccm-core/src/test/resources/scripts/pgsql-cleanup.sql b/ccm-core/src/test/resources/scripts/pgsql-cleanup.sql
index 04e4086bb..66da066ef 100644
--- a/ccm-core/src/test/resources/scripts/pgsql-cleanup.sql
+++ b/ccm-core/src/test/resources/scripts/pgsql-cleanup.sql
@@ -4,14 +4,6 @@ DELETE FROM ccm_core.ccm_privileges;
 
 DELETE FROM ccm_core.ccm_objects;
 
-DELETE FROM ccm_core.ccm_roles;
-
-DELETE FROM ccm_core.group_memberships;
-
-DELETE FROM ccm_core.ccm_groups;
-
 DELETE FROM ccm_core.user_email_addresses;
 
-DELETE FROM ccm_core.ccm_users;
-
-DELETE FROM ccm_core.subjects;
\ No newline at end of file
+DELETE FROM ccm_core.parties;
\ No newline at end of file
diff --git a/ccm-docrepo/src/main/java/org/libreccm/docrepo/Repository.java b/ccm-docrepo/src/main/java/org/libreccm/docrepo/Repository.java
index 0f62f5bf3..917065a7e 100644
--- a/ccm-docrepo/src/main/java/org/libreccm/docrepo/Repository.java
+++ b/ccm-docrepo/src/main/java/org/libreccm/docrepo/Repository.java
@@ -18,7 +18,7 @@
  */
 package org.libreccm.docrepo;
 
-import org.libreccm.core.User;
+import org.libreccm.security.User;
 import org.libreccm.web.CcmApplication;
 
 import javax.persistence.Column;
@@ -57,8 +57,8 @@ public class Repository extends CcmApplication {
     /**
      * The owner of the {@code Repository}.
      */
-    @ManyToOne
-    @JoinColumn(name = "OWNER")
+    @OneToOne
+    @JoinColumn(name = "OWNER_ID")
     private User owner;
 
     /**
diff --git a/ccm-docrepo/src/main/java/org/libreccm/docrepo/Resource.java b/ccm-docrepo/src/main/java/org/libreccm/docrepo/Resource.java
index 2b1272954..1ea8713a6 100644
--- a/ccm-docrepo/src/main/java/org/libreccm/docrepo/Resource.java
+++ b/ccm-docrepo/src/main/java/org/libreccm/docrepo/Resource.java
@@ -20,7 +20,7 @@ package org.libreccm.docrepo;
 
 import org.hibernate.validator.constraints.NotBlank;
 import org.libreccm.core.CcmObject;
-import org.libreccm.core.User;
+import org.libreccm.security.User;
 
 import javax.persistence.Column;
 import javax.persistence.Entity;
@@ -33,6 +33,7 @@ import javax.persistence.OneToOne;
 import javax.persistence.Table;
 import javax.persistence.Temporal;
 import javax.persistence.TemporalType;
+
 import java.util.Date;
 import java.util.List;
 
diff --git a/ccm-docrepo/src/main/java/org/libreccm/docrepo/ResourceRepository.java b/ccm-docrepo/src/main/java/org/libreccm/docrepo/ResourceRepository.java
index 991b64484..accb75197 100644
--- a/ccm-docrepo/src/main/java/org/libreccm/docrepo/ResourceRepository.java
+++ b/ccm-docrepo/src/main/java/org/libreccm/docrepo/ResourceRepository.java
@@ -20,12 +20,13 @@ package org.libreccm.docrepo;
 
 
 import org.libreccm.auditing.AbstractAuditedEntityRepository;
-import org.libreccm.core.User;
+import org.libreccm.security.User;
 
 import javax.enterprise.context.RequestScoped;
 import javax.inject.Inject;
 import javax.persistence.EntityManager;
 import javax.persistence.TypedQuery;
+
 import java.util.List;
 
 /**
diff --git a/ccm-test-bundle-wildfly8/src/test/java/org/libreccm/CcmModulesTest.java b/ccm-test-bundle-wildfly8/src/test/java/org/libreccm/CcmModulesTest.java
index 592c0532d..a7b4f1a21 100644
--- a/ccm-test-bundle-wildfly8/src/test/java/org/libreccm/CcmModulesTest.java
+++ b/ccm-test-bundle-wildfly8/src/test/java/org/libreccm/CcmModulesTest.java
@@ -56,8 +56,8 @@ import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.runner.RunWith;
 import org.libreccm.core.CcmCore;
-import org.libreccm.core.User;
 import org.libreccm.modules.ModuleStatus;
+import org.libreccm.security.User;
 import org.libreccm.tests.categories.IntegrationTest;
 
 import javax.persistence.TypedQuery;
@@ -230,10 +230,10 @@ public class CcmModulesTest {
         final List<User> users = userQuery.getResultList();
 
         assertThat(users.size(), is(1));
-        assertThat(users.get(0).getScreenName(), is(equalTo("public-user")));
+        assertThat(users.get(0).getName(), is(equalTo("public-user")));
         assertThat(users.get(0).getName(), is(not(nullValue())));
-        assertThat(users.get(0).getName().getFamilyName(), is(equalTo("ccm")));
-        assertThat(users.get(0).getName().getGivenName(),
+        assertThat(users.get(0).getFamilyName(), is(equalTo("ccm")));
+        assertThat(users.get(0).getGivenName(),
                    is(equalTo("public user")));
         assertThat(users.get(0).getEmailAddresses().size(), is(1));
         assertThat(users.get(0).getEmailAddresses().get(0).getAddress(),
diff --git a/ccm-testutils/src/main/java/org/libreccm/testutils/DatasetType.java b/ccm-testutils/src/main/java/org/libreccm/testutils/DatasetType.java
new file mode 100644
index 000000000..3720cc2d2
--- /dev/null
+++ b/ccm-testutils/src/main/java/org/libreccm/testutils/DatasetType.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2015 LibreCCM Foundation.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301  USA
+ */
+package org.libreccm.testutils;
+
+/**
+ *
+ * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
+ */
+public enum DatasetType {
+    JSON,
+    YAML
+}
diff --git a/ccm-testutils/src/main/java/org/libreccm/testutils/DatasetsVerifier.java b/ccm-testutils/src/main/java/org/libreccm/testutils/DatasetsVerifier.java
index 4867ee7bd..d6954bf44 100644
--- a/ccm-testutils/src/main/java/org/libreccm/testutils/DatasetsVerifier.java
+++ b/ccm-testutils/src/main/java/org/libreccm/testutils/DatasetsVerifier.java
@@ -40,8 +40,11 @@ import org.h2.tools.RunScript;
 import org.jboss.arquillian.persistence.dbunit.dataset.json.JsonDataSet;
 import org.junit.runners.Parameterized;
 
+import static org.libreccm.testutils.DatasetType.*;
+
+import org.jboss.arquillian.persistence.dbunit.dataset.yaml.YamlDataSet;
+
 import java.nio.charset.StandardCharsets;
-import java.sql.Statement;
 
 /**
  *
@@ -85,6 +88,10 @@ public class DatasetsVerifier {
         return new String[]{};
     }
 
+    public DatasetType getDatasetType() {
+        return JSON;
+    }
+
     @Test
     @edu.umd.cs.findbugs.annotations.SuppressWarnings(
         value = "DMI_EMPTY_DB_PASSWORD",
@@ -97,10 +104,10 @@ public class DatasetsVerifier {
         //try-with-resources block to ensure that the connection is closed.
         final StringBuffer buffer = new StringBuffer("jdbc:h2:mem:testdatabase");
         //Create schema if necssary
-        if(getSchemas().length > 0) {
+        if (getSchemas().length > 0) {
             buffer.append(";INIT=");
-            for(final String schema : getSchemas()) {
-                buffer.append(String.format("CREATE SCHEMA IF NOT EXISTS %s;", 
+            for (final String schema : getSchemas()) {
+                buffer.append(String.format("CREATE SCHEMA IF NOT EXISTS %s;",
                                             schema));
             }
         }
@@ -115,8 +122,21 @@ public class DatasetsVerifier {
             connection.commit();
 
             //Get dataset to test
-            final IDataSet dataSet = new JsonDataSet(getClass()
-                .getResourceAsStream(datasetPath));
+            final IDataSet dataSet;
+            switch(getDatasetType()) {
+                case JSON:
+                    dataSet = new JsonDataSet(getClass()
+                    .getResourceAsStream(datasetPath));
+                    break;
+                case YAML:
+                    dataSet = new YamlDataSet(getClass()
+                    .getResourceAsStream(datasetPath));
+                    break;
+                default:
+                    throw new IllegalArgumentException(String.format(
+                    "Unsupported DatasetType \"%s\"",
+                    getDatasetType()));
+            }
 
             //Create DBUnit DB connection
             final IDatabaseConnection dbUnitConn
diff --git a/ccm-testutils/src/main/java/org/libreccm/testutils/ToStringVerifier.java b/ccm-testutils/src/main/java/org/libreccm/testutils/ToStringVerifier.java
index c51622122..db2fbd169 100644
--- a/ccm-testutils/src/main/java/org/libreccm/testutils/ToStringVerifier.java
+++ b/ccm-testutils/src/main/java/org/libreccm/testutils/ToStringVerifier.java
@@ -25,6 +25,7 @@ import org.junit.runners.Parameterized;
 import java.beans.IntrospectionException;
 import java.io.PrintWriter;
 import java.io.StringWriter;
+import java.lang.reflect.Constructor;
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Modifier;
@@ -53,19 +54,20 @@ import java.lang.reflect.Modifier;
  * }
  * </code>
  * </pre>
- * 
- * An example can be found in the ccm-core module: <a href="../../../../../ccm-core/xref-test/org/libreccm/core/ToStringTest.html"><code>ToStringTest</code></a>
+ *
+ * An example can be found in the ccm-core module:
+ * <a href="../../../../../ccm-core/xref-test/org/libreccm/core/ToStringTest.html"><code>ToStringTest</code></a>
  *
  * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
  */
 public class ToStringVerifier {
-
+    
     private final transient Class<?> entityClass;
-
+    
     public ToStringVerifier(final Class<?> entityClass) {
         this.entityClass = entityClass;
     }
-
+    
     @Test
     //We want to test if there occurs an NPE therefore we need catch the NPE.
     @SuppressWarnings({"PMD.AvoidCatchingNPE",
@@ -75,8 +77,25 @@ public class ToStringVerifier {
                                         IllegalAccessException,
                                         IllegalArgumentException,
                                         InvocationTargetException {
-        final Object obj = entityClass.newInstance();
-
+        final Object obj;
+        try {
+            final Constructor<?> constructor = entityClass
+                .getDeclaredConstructor();
+            constructor.setAccessible(true);
+            
+            obj = constructor.newInstance();
+        } catch (NoSuchMethodException ex) {
+            final StringWriter stringWriter = new StringWriter();
+            final PrintWriter printWriter = new PrintWriter(stringWriter);
+            ex.printStackTrace(printWriter);
+            
+            Assert.fail(String.format("Class \"%s\" does not provide a "
+                                          + "parameterless constructor:%n%s",
+                                      entityClass.getName(),
+                                      stringWriter.toString()));
+            return;
+        }
+        
         final Field[] fields = entityClass.getDeclaredFields();
         for (final Field field : fields) {
             if (!Modifier.isStatic(field.getModifiers())
@@ -85,7 +104,7 @@ public class ToStringVerifier {
                 field.set(obj, null);
             }
         }
-
+        
         try {
             obj.toString();
         } catch (NullPointerException ex) {
@@ -97,8 +116,8 @@ public class ToStringVerifier {
                     + "is not null safe:%n %s",
                 entityClass.getName(),
                 strWriter.toString()));
-
+            
         }
     }
-
+    
 }
diff --git a/pom.xml b/pom.xml
index 85befdd47..b83fc701c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -38,23 +38,23 @@
         <module>ccm-core</module>
         <module>ccm-shortcuts</module>
         <module>ccm-testutils</module>
-        <module>ccm-docrepo</module>
+        <!--<module>ccm-docrepo</module>-->
         
         <!-- Bundle modules -->
         <module>ccm-test-bundle-wildfly8</module>
 
         <!-- Archetypes -->
         <module>ccm-archetype-module</module>
-    <module>ccm-cms</module>
-    <module>ccm-cms-archetype-contenttype</module>
-    <module>ccm-cms-types-article</module>
-    <module>ccm-cms-types-agenda</module>
-    <module>ccm-cms-types-bookmark</module>
-    <module>ccm-cms-types-event</module>
-    <module>ccm-cms-types-minutes</module>
-	<module>ccm-cms-types-decisiontree</module>
-    <module>ccm-cms-types-mparticle</module>
-  </modules>
+        <module>ccm-cms</module>
+        <module>ccm-cms-archetype-contenttype</module>
+        <module>ccm-cms-types-article</module>
+        <module>ccm-cms-types-agenda</module>
+        <module>ccm-cms-types-bookmark</module>
+        <module>ccm-cms-types-event</module>
+        <module>ccm-cms-types-minutes</module>
+        <!--<module>ccm-cms-types-decisiontree</module>-->
+        <module>ccm-cms-types-mparticle</module>
+    </modules>
 
     <!--<repositories>
         <repository>
@@ -220,7 +220,7 @@
                 <plugin>
                     <groupId>de.jpdigital</groupId>
                     <artifactId>hibernate4-ddl-maven-plugin</artifactId>
-                    <version>1.0.0-beta.1</version>
+                    <version>1.0.0-beta.2</version>
                 </plugin>
                 <!--<plugin>
                     <groupId>org.jboss.tattletale</groupId>
@@ -290,6 +290,13 @@
                 <version>3.2.1</version>
             </dependency>
             
+            <!-- Shiro lib for security stuff -->
+            <dependency>
+                <groupId>org.apache.shiro</groupId>
+                <artifactId>shiro-core</artifactId>
+                <version>1.2.4</version>
+            </dependency>
+            
             <!-- 
                 *********************
                 Libraries used by CCM