From ed2f7f04e94f2d9a5892c853df584a81e4cde090 Mon Sep 17 00:00:00 2001
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Tue, 7 Mar 2017 19:12:31 +0100
Subject: [PATCH 1/7] Protector and ProtectedString support for hasing (PBKDF)

---
 .../midpoint/prism/PrismConstants.java        |   4 +
 .../midpoint/prism/crypto/BaseProtector.java  |   2 +-
 .../midpoint/prism/crypto/ProtectedData.java  |  14 +-
 .../midpoint/prism/crypto/Protector.java      |  41 +---
 .../{AESProtector.java => ProtectorImpl.java} | 212 ++++++++++++++--
 .../prism/marshaller/BeanMarshaller.java      |   6 +-
 .../prism/marshaller/XNodeProcessorUtil.java  |   9 +
 .../ns/_public/types_3/DigestMethodType.java  | 146 +++++++++++
 .../ns/_public/types_3/HashedDataType.java    | 107 +++++++++
 .../xml/ns/_public/types_3/ObjectFactory.java |  17 +-
 .../types_3/ProtectedByteArrayType.java       |   5 +
 .../ns/_public/types_3/ProtectedDataType.java | 165 +++++++------
 .../_public/types_3/ProtectedStringType.java  |  52 ++--
 .../main/resources/xml/ns/public/types-3.xsd  |  37 ++-
 .../midpoint/prism/PrismInternalTestUtil.java |  16 +-
 .../midpoint/prism/crypto/TestProtector.java  | 226 +++++++++++++++---
 .../prism/lex/TestProtectedString.java        |  33 ++-
 .../common/expression/ExpressionTestUtil.java |   8 +-
 .../common/expression/TestExpression.java     |   4 +-
 .../expression/script/AbstractScriptTest.java |   4 +-
 .../script/TestExpressionFunctions.java       |   4 +-
 .../expression/script/TestScriptCaching.java  |   4 +-
 .../common/mapping/MappingTestEvaluator.java  |   6 +-
 .../init/ConfigurableProtectorFactory.java    |   4 +-
 .../midpoint/tools/ninja/KeyStoreDumper.java  |  10 +-
 25 files changed, 917 insertions(+), 219 deletions(-)
 rename infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/{AESProtector.java => ProtectorImpl.java} (70%)
 create mode 100644 infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/DigestMethodType.java
 create mode 100644 infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/HashedDataType.java

diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/PrismConstants.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/PrismConstants.java
index 628acd24cef..f564669552e 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/PrismConstants.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/PrismConstants.java
@@ -48,6 +48,10 @@ public class PrismConstants {
 	
 	public static final String NS_MATCHING_RULE = NS_PREFIX + "matching-rule-3";
 	public static final String PREFIX_NS_MATCHING = "mr";
+	
+	public static final String NS_PREFIX_CRYPTO = NS_PREFIX + "crypto/";
+	public static final String NS_PREFIX_CRYPTO_ALGORITHM = NS_PREFIX_CRYPTO + "algorithm/";
+	public static final String NS_CRYPTO_ALGORITHM_PBKD = NS_PREFIX_CRYPTO_ALGORITHM + "pbkd-3";
 
 	// Annotations
 
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/BaseProtector.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/BaseProtector.java
index bea17186aca..cb71b26563d 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/BaseProtector.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/BaseProtector.java
@@ -68,5 +68,5 @@ public boolean isEncrypted(ProtectedStringType ps) {
         Validate.notNull(ps, "Protected string must not be null.");
         return ps.isEncrypted();
     }
-
+    
 }
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectedData.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectedData.java
index a3e425a15ba..2e40d9470e9 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectedData.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectedData.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2014 Evolveum
+ * Copyright (c) 2014-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 package com.evolveum.midpoint.prism.crypto;
 
 import com.evolveum.prism.xml.ns._public.types_3.EncryptedDataType;
+import com.evolveum.prism.xml.ns._public.types_3.HashedDataType;
 
 /**
  * @author Radovan Semancik
@@ -27,6 +28,10 @@ public interface ProtectedData<T> {
 	
 	abstract void setClearBytes(byte[] bytes);
 	
+	abstract T getClearValue();
+	
+	abstract void setClearValue(T data);
+	
 	abstract void destroyCleartext();
 
 	EncryptedDataType getEncryptedDataType();
@@ -35,4 +40,11 @@ public interface ProtectedData<T> {
 	
 	boolean isEncrypted();
 	
+	HashedDataType getHashedDataType();
+	
+	void setHashedData(HashedDataType hashedDataType);
+	
+	boolean isHashed();
+	
+	boolean canSupportType(Class<?> type);
 }
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/Protector.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/Protector.java
index 53510b69758..6317d1b063a 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/Protector.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/Protector.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2013 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -52,19 +52,6 @@ public interface Protector {
 	 */
 	String decryptString(ProtectedStringType protectedString) throws EncryptionException;
 
-//	/**
-//	 * 
-//	 * @param protectedString
-//	 * @return decrypted DOM {@link Element}
-//	 * @throws EncryptionException
-//	 *             this is thrown probably in case JRE/JDK doesn't have JCE
-//	 *             installed
-//	 * @throws IllegalArgumentException
-//	 *             if protectedString argument is null or EncryptedData in
-//	 *             protectedString argument is null
-//	 */
-//	Element decrypt(ProtectedStringType protectedString) throws EncryptionException;
-
 	/**
 	 *
 	 * @param text
@@ -76,29 +63,15 @@ public interface Protector {
 	 */
 	ProtectedStringType encryptString(String text) throws EncryptionException;
 
-//	/**
-//	 * 
-//	 * @param plain
-//	 * @return {@link ProtectedStringType} with encrypted element inside it. If
-//	 *         input argument is null, method returns null.
-//	 * @throws EncryptionException
-//	 *             this is thrown probably in case JRE/JDK doesn't have JCE
-//	 *             installed
-//	 */
-//	ProtectedStringType encrypt(Element plain) throws EncryptionException;
-//
-//	/**
-//	 * Encrypts the ProtectedStringType "in place".
-//	 * @param ps
-//	 * @throws EncryptionException 
-//	 */
-//	void encrypt(ProtectedStringType ps) throws EncryptionException;
-//
 	/**
 	 * Returns true if protected string contains encrypted data that seems valid.
+	 * DEPRECATED. Use ProtectedStringType.isEncrypted() instead
 	 */
+	@Deprecated
 	boolean isEncrypted(ProtectedStringType ps);
-
-	boolean compare(ProtectedStringType a, ProtectedStringType b) throws EncryptionException;
+	
+	<T> void hash(ProtectedData<T> protectedData) throws EncryptionException, SchemaException;
+	
+	boolean compare(ProtectedStringType a, ProtectedStringType b) throws EncryptionException, SchemaException;
 
 }
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/AESProtector.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectorImpl.java
similarity index 70%
rename from infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/AESProtector.java
rename to infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectorImpl.java
index 6a4b725aa04..5f06de2728e 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/AESProtector.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectorImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2015 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,19 +26,26 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
+import java.security.SecureRandom;
 import java.security.UnrecoverableKeyException;
+import java.security.spec.InvalidKeySpecException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Enumeration;
 import java.util.List;
+import java.util.Random;
 
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
 import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.PBEKeySpec;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.xml.namespace.QName;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.Validate;
@@ -47,31 +54,44 @@
 import org.apache.xml.security.encryption.XMLCipher;
 import org.apache.xml.security.utils.Base64;
 
+import com.evolveum.midpoint.prism.PrismConstants;
+import com.evolveum.midpoint.util.QNameUtil;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.exception.SystemException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.prism.xml.ns._public.types_3.CipherDataType;
+import com.evolveum.prism.xml.ns._public.types_3.DigestMethodType;
 import com.evolveum.prism.xml.ns._public.types_3.EncryptedDataType;
 import com.evolveum.prism.xml.ns._public.types_3.EncryptionMethodType;
+import com.evolveum.prism.xml.ns._public.types_3.HashedDataType;
 import com.evolveum.prism.xml.ns._public.types_3.KeyInfoType;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 
 /**
- * Class that manages encrypted string values. Java Cryptography Extension is
+ * Class that manages encrypted and hashed values. Java Cryptography Extension is
  * needed because this class is using AES-256 for encrypting/decrypting xml
  * data.
  *
  * @author Radovan Semancik
  * @author lazyman
  */
-public class AESProtector extends BaseProtector {
+public class ProtectorImpl extends BaseProtector {
+	
+	private static final String ALGORITHM_PKKDF2_NAME = "PBKDF2WithHmacSHA512";
+	private static final QName ALGORITH_PBKDF2_WITH_HMAC_SHA512_QNAME = new QName(PrismConstants.NS_CRYPTO_ALGORITHM_PBKD, ALGORITHM_PKKDF2_NAME);
+	private static final String ALGORITH_PBKDF2_WITH_HMAC_SHA512_URI = QNameUtil.qNameToUri(ALGORITH_PBKDF2_WITH_HMAC_SHA512_QNAME);
 	
 	private static final String KEY_DIGEST_TYPE = "SHA1";
 	private static final String DEFAULT_ENCRYPTION_ALGORITHM = XMLCipher.AES_128;
     private static final char[] KEY_PASSWORD = "midpoint".toCharArray();
 	
-	private static final Trace LOGGER = TraceManager.getTrace(AESProtector.class);
+    private static final String DEFAULT_DIGEST_ALGORITHM = ALGORITH_PBKDF2_WITH_HMAC_SHA512_URI;
+//    "http://www.w3.org/2009/xmlenc11#pbkdf2"
+    
+    private Random randomNumberGenerator;
+    
+	private static final Trace LOGGER = TraceManager.getTrace(ProtectorImpl.class);
 
 	private String keyStorePath;
     private String keyStorePassword;
@@ -79,6 +99,7 @@ public class AESProtector extends BaseProtector {
 	
 	private String requestedJceProviderName = null;
 	private String encryptionAlgorithm;
+	private String digestAlgorithm;
 	
 	private List<TrustManager> trustManagers;
     private static final KeyStore keyStore;
@@ -92,7 +113,7 @@ public class AESProtector extends BaseProtector {
     }
     
     /**
-     * @throws SystemException if jceks keystore is not available on {@link AESProtector#getKeyStorePath}
+     * @throws SystemException if jceks keystore is not available on {@link ProtectorImpl#getKeyStorePath}
      */
     public void init() {
         InputStream stream = null;
@@ -113,11 +134,11 @@ public void init() {
                 LOGGER.warn("Using default keystore from classpath ({}).", getKeyStorePath());
                 // Read from class path
 
-                stream = AESProtector.class.getClassLoader().getResourceAsStream(getKeyStorePath());
+                stream = ProtectorImpl.class.getClassLoader().getResourceAsStream(getKeyStorePath());
                 // ugly dirty hack to have second chance to find keystore on
                 // class path
                 if (stream == null) {
-                    stream = AESProtector.class.getClassLoader().getResourceAsStream(
+                    stream = ProtectorImpl.class.getClassLoader().getResourceAsStream(
                             "com/../../" + getKeyStorePath());
                 }
             }
@@ -147,6 +168,8 @@ public void init() {
                     new Object[]{getKeyStorePath(), ex.getMessage()}, ex);
             throw new SystemException(ex.getMessage(), ex);
         }
+        
+        randomNumberGenerator = new SecureRandom();
     }
 
 	public String getRequestedJceProviderName() {
@@ -173,6 +196,28 @@ private String getCipherAlgorithm() {
 		}
 	}
 	
+	private String getDigestAlgorithm() {
+		if (digestAlgorithm != null) {
+			return digestAlgorithm;
+		} else {
+			return DEFAULT_DIGEST_ALGORITHM;
+		}
+	}
+	
+	// TODO: make it configurable
+	
+	private int getPbkdKeyLength() {
+		return 256;
+	}
+
+	private int getPbkdIterations() {
+		return 10000;
+	}
+
+	private int getPbkdSaltLength() {
+		return 32;
+	}
+	
 	/**
      * @return the encryptionKeyAlias
      * @throws IllegalStateException if encryption key digest is null or empty string
@@ -428,24 +473,161 @@ private SecretKey getSecretKeyByDigest(String digest) throws EncryptionException
 
         throw new EncryptionException("Key '" + digest + "' is not in keystore.");
     }
+    
+    @Override
+	public <T> void hash(ProtectedData<T> protectedData) throws EncryptionException, SchemaException {
+    	if (protectedData.isHashed()) {
+			throw new IllegalArgumentException("Attempt to hash protected data that are already hashed");
+		}
+		String algorithmUri = getDigestAlgorithm();
+		QName algorithmQName = QNameUtil.uriToQName(algorithmUri);
+		String algorithmNamespace = algorithmQName.getNamespaceURI();
+		if (algorithmNamespace == null) {
+			throw new SchemaException("No algorithm namespace");
+		}
+		
+		HashedDataType hashedDataType;
+		switch (algorithmNamespace) {
+			case PrismConstants.NS_CRYPTO_ALGORITHM_PBKD:
+				if (!protectedData.canSupportType(String.class)) {
+					throw new SchemaException("Non-string proteted data");
+				}
+				hashedDataType = hashPbkd((ProtectedData<String>) protectedData, algorithmUri, algorithmQName.getLocalPart());
+				break;
+			default:
+				throw new SchemaException("Unkown namespace "+algorithmNamespace);
+		}
+		
+		protectedData.setHashedData(hashedDataType);
+		protectedData.destroyCleartext();
+    }
+    
+    private HashedDataType hashPbkd(ProtectedData<String> protectedData, String algorithmUri, String algorithmName) throws EncryptionException {	
+		
+    	char[] clearChars = protectedData.getClearValue().toCharArray();
+    	byte[] salt = generatePbkdSalt();
+    	int iterations = getPbkdIterations();
+		
+		SecretKeyFactory secretKeyFactory;
+		try {
+			secretKeyFactory = SecretKeyFactory.getInstance( algorithmName );
+		} catch (NoSuchAlgorithmException e) {
+			throw new EncryptionException(e.getMessage(), e);
+		}
+		PBEKeySpec keySpec = new PBEKeySpec( clearChars, salt, iterations, getPbkdKeyLength() );
+        SecretKey key;
+		try {
+			key = secretKeyFactory.generateSecret( keySpec );
+		} catch (InvalidKeySpecException e) {
+			throw new EncryptionException(e.getMessage(), e);
+		}
+        byte[] hashBytes = key.getEncoded( );
+
+        HashedDataType hashedDataType = new HashedDataType();
+        
+        DigestMethodType digestMethod = new DigestMethodType();
+        digestMethod.setAlgorithm(algorithmUri);
+        digestMethod.setSalt(salt);
+        digestMethod.setWorkFactor(iterations);
+		hashedDataType.setDigestMethod(digestMethod);
+		
+		hashedDataType.setDigestValue(hashBytes);
+		
+		return hashedDataType;
+	}
+
+	private byte[] generatePbkdSalt() {
+		byte[] salt = new byte[getPbkdSaltLength()/8];
+		randomNumberGenerator.nextBytes(salt);
+		return salt;
+	}
 
 	@Override
-	public boolean compare(ProtectedStringType a, ProtectedStringType b) throws EncryptionException {
+	public boolean compare(ProtectedStringType a, ProtectedStringType b) throws EncryptionException, SchemaException {
+		if (a == b) {
+			return true;
+		}
 		if (a == null && b == null) {
 			return true;
 		}
 		if (a == null || b == null) {
 			return false;
 		}
-		String aClear = decryptString(a);
-		String bClear = decryptString(b);
-		if (aClear == null && bClear == null) {
-			return true;
+		if (a.isHashed() && b.isHashed()) {
+			throw new SchemaException("Cannot compare two hased protected strings");
 		}
-		if (aClear == null || bClear == null) {
-			return false;
+		
+		if (a.isHashed() || b.isHashed()) {
+			String clear;
+			ProtectedStringType hashedPs;
+			if (a.isHashed()) {
+				hashedPs = a;
+				clear = decryptString(b);
+			} else {
+				hashedPs = b;
+				clear = decryptString(a);
+			}
+			return compareHashed(hashedPs, clear.toCharArray());
+			
+		} else {
+			String aClear = decryptString(a);
+			String bClear = decryptString(b);
+			if (aClear == null && bClear == null) {
+				return true;
+			}
+			if (aClear == null || bClear == null) {
+				return false;
+			}
+			return aClear.equals(bClear);
+		}
+	}
+
+	private boolean compareHashed(ProtectedStringType hashedPs, char[] clearChars) throws SchemaException, EncryptionException {
+		HashedDataType hashedDataType = hashedPs.getHashedDataType();
+		DigestMethodType digestMethodType = hashedDataType.getDigestMethod();
+		if (digestMethodType == null) {
+			throw new SchemaException("No digest type");
+		}
+		String algorithmUri = digestMethodType.getAlgorithm();
+		QName algorithmQName = QNameUtil.uriToQName(algorithmUri);
+		String algorithmNamespace = algorithmQName.getNamespaceURI();
+		if (algorithmNamespace == null) {
+			throw new SchemaException("No algorithm namespace");
+		}
+		
+		switch (algorithmNamespace) {
+			case PrismConstants.NS_CRYPTO_ALGORITHM_PBKD:
+				return compareHashedPbkd(hashedDataType, algorithmQName.getLocalPart(), clearChars);
+			default:
+				throw new SchemaException("Unkown namespace "+algorithmNamespace);
 		}
-		return aClear.equals(bClear);
 	}
+
+	private boolean compareHashedPbkd(HashedDataType hashedDataType, String algorithmName, char[] clearChars) throws EncryptionException {
+		DigestMethodType digestMethodType = hashedDataType.getDigestMethod();
+		byte[] salt = digestMethodType.getSalt();
+		Integer workFactor = digestMethodType.getWorkFactor();
+		byte[] digestValue = hashedDataType.getDigestValue();
+		int keyLen = digestValue.length * 8;
+		
+		SecretKeyFactory secretKeyFactory;
+		try {
+			secretKeyFactory = SecretKeyFactory.getInstance( algorithmName );
+		} catch (NoSuchAlgorithmException e) {
+			throw new EncryptionException(e.getMessage(), e);
+		}
+		PBEKeySpec keySpec = new PBEKeySpec( clearChars, salt, workFactor, keyLen );
+        SecretKey key;
+		try {
+			key = secretKeyFactory.generateSecret( keySpec );
+		} catch (InvalidKeySpecException e) {
+			throw new EncryptionException(e.getMessage(), e);
+		}
+        byte[] hashBytes = key.getEncoded( );
+        
+        return Arrays.equals(digestValue, hashBytes);
+	}
+
+	
     	
 }
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/marshaller/BeanMarshaller.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/marshaller/BeanMarshaller.java
index 1e093f34fc3..7f48c706c83 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/marshaller/BeanMarshaller.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/marshaller/BeanMarshaller.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -454,6 +454,10 @@ public <T> MapXNode marshalProtectedDataType(Object o, SerializationContext sc)
             EncryptedDataType encryptedDataType = protectedType.getEncryptedDataType();
             MapXNode xEncryptedDataType = (MapXNode) marshall(encryptedDataType);
             xmap.put(ProtectedDataType.F_ENCRYPTED_DATA, xEncryptedDataType);
+        } else if (protectedType.getHashedDataType() != null) {
+            HashedDataType hashedDataType = protectedType.getHashedDataType();
+            MapXNode xHashedDataType = (MapXNode) marshall(hashedDataType);
+            xmap.put(ProtectedDataType.F_HASHED_DATA, xHashedDataType);
         } else if (protectedType.getClearValue() != null){
             QName type = XsdTypeMapper.toXsdType(protectedType.getClearValue().getClass());
             PrimitiveXNode xClearValue = createPrimitiveXNode(protectedType.getClearValue(), type);
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/marshaller/XNodeProcessorUtil.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/marshaller/XNodeProcessorUtil.java
index deafc191db8..085fa747461 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/marshaller/XNodeProcessorUtil.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/marshaller/XNodeProcessorUtil.java
@@ -31,6 +31,7 @@
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.prism.xml.ns._public.types_3.EncryptedDataType;
+import com.evolveum.prism.xml.ns._public.types_3.HashedDataType;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedDataType;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 
@@ -84,6 +85,14 @@ public static <T> void parseProtectedType(ProtectedDataType<T> protectedType, Ma
                 }
             }
         }
+        RootXNode xHashedData = xmap.getEntryAsRoot(ProtectedDataType.F_HASHED_DATA);
+        if (xHashedData != null) {
+            if (!(xHashedData.getSubnode() instanceof MapXNode)) {
+                throw new SchemaException("Cannot parse hashedData from "+xHashedData);
+            }
+            HashedDataType hashedDataType = prismContext.parserFor(xHashedData).context(pc).parseRealValue(HashedDataType.class);
+            protectedType.setHashedData(hashedDataType);
+        }
         // protected data empty..check for clear value
         if (protectedType.isEmpty()){
             XNode xClearValue = xmap.get(ProtectedDataType.F_CLEAR_VALUE);
diff --git a/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/DigestMethodType.java b/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/DigestMethodType.java
new file mode 100644
index 00000000000..0db44b7aabb
--- /dev/null
+++ b/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/DigestMethodType.java
@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 2017 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.prism.xml.ns._public.types_3;
+
+import java.io.Serializable;
+import java.util.Arrays;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlSchemaType;
+import javax.xml.bind.annotation.XmlType;
+
+
+/**
+ * JAXB representation of DigestMethodType.
+ * Manually created (not generated)
+ * 
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "DigestMethodType", propOrder = {
+    "algorithm",
+	"salt",
+    "workFactor"
+})
+public class DigestMethodType  implements Serializable, Cloneable {
+
+    @XmlElement(required = true)
+    @XmlSchemaType(name = "anyURI")
+    protected String algorithm;
+    
+    @XmlElement(required = false)
+    protected byte[] salt;
+    
+    @XmlElement(required = false)
+    protected Integer workFactor;
+
+    /**
+     * Gets the value of the algorithm property.
+     * 
+     * @return
+     *     possible object is
+     *     {@link String }
+     *     
+     */
+    public String getAlgorithm() {
+        return algorithm;
+    }
+
+    /**
+     * Sets the value of the algorithm property.
+     * 
+     * @param value
+     *     allowed object is
+     *     {@link String }
+     *     
+     */
+    public void setAlgorithm(String value) {
+        this.algorithm = value;
+    }
+
+	public byte[] getSalt() {
+		return salt;
+	}
+
+	public void setSalt(byte[] salt) {
+		this.salt = salt;
+	}
+
+	public Integer getWorkFactor() {
+		return workFactor;
+	}
+
+	public void setWorkFactor(Integer workFactor) {
+		this.workFactor = workFactor;
+	}
+
+	@Override
+	public int hashCode() {
+		final int prime = 31;
+		int result = 1;
+		result = prime * result + ((algorithm == null) ? 0 : algorithm.hashCode());
+		result = prime * result + Arrays.hashCode(salt);
+		result = prime * result + ((workFactor == null) ? 0 : workFactor.hashCode());
+		return result;
+	}
+
+	@Override
+	public boolean equals(Object obj) {
+		if (this == obj) {
+			return true;
+		}
+		if (obj == null) {
+			return false;
+		}
+		if (getClass() != obj.getClass()) {
+			return false;
+		}
+		DigestMethodType other = (DigestMethodType) obj;
+		if (algorithm == null) {
+			if (other.algorithm != null) {
+				return false;
+			}
+		} else if (!algorithm.equals(other.algorithm)) {
+			return false;
+		}
+		if (!Arrays.equals(salt, other.salt)) {
+			return false;
+		}
+		if (workFactor == null) {
+			if (other.workFactor != null) {
+				return false;
+			}
+		} else if (!workFactor.equals(other.workFactor)) {
+			return false;
+		}
+		return true;
+	}
+
+	@Override
+	public String toString() {
+		return "DigestMethodType(algorithm=" + algorithm + ", salt=" + (salt==null?"null":"["+salt.length+" bytes]") + ", workFactor=" + workFactor + ")";
+	}
+
+    public DigestMethodType clone() {
+        DigestMethodType cloned = new DigestMethodType();
+        cloned.setAlgorithm(getAlgorithm());
+        cloned.setSalt(salt.clone());
+        cloned.setWorkFactor(getWorkFactor());
+        return cloned;
+    }
+
+}
diff --git a/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/HashedDataType.java b/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/HashedDataType.java
new file mode 100644
index 00000000000..9eac9a8c971
--- /dev/null
+++ b/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/HashedDataType.java
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 2017 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.prism.xml.ns._public.types_3;
+
+import java.io.Serializable;
+import java.util.Arrays;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+
+/**
+ * JAXB representation of HashedDataType.
+ * Manually created (not generated)
+ * 
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "HashedDataType", propOrder = {
+    "digestMethod",
+    "digestValue"
+})
+public class HashedDataType implements Serializable, Cloneable {
+
+	@XmlElement(required = true)
+    protected DigestMethodType digestMethod;
+    
+    @XmlElement(required = true)
+    protected byte[] digestValue;
+
+	public DigestMethodType getDigestMethod() {
+		return digestMethod;
+	}
+
+	public void setDigestMethod(DigestMethodType digestMethod) {
+		this.digestMethod = digestMethod;
+	}
+
+	public byte[] getDigestValue() {
+		return digestValue;
+	}
+
+	public void setDigestValue(byte[] digestValue) {
+		this.digestValue = digestValue;
+	}
+
+	@Override
+	public String toString() {
+		return "HashedDataType(digestMethod=" + digestMethod + ", digestValue=" + (digestValue==null?"null":"["+digestValue.length+" bytes])");
+	}
+
+    @Override
+	public int hashCode() {
+		final int prime = 31;
+		int result = 1;
+		result = prime * result + ((digestMethod == null) ? 0 : digestMethod.hashCode());
+		result = prime * result + Arrays.hashCode(digestValue);
+		return result;
+	}
+
+	@Override
+	public boolean equals(Object obj) {
+		if (this == obj) {
+			return true;
+		}
+		if (obj == null) {
+			return false;
+		}
+		if (getClass() != obj.getClass()) {
+			return false;
+		}
+		HashedDataType other = (HashedDataType) obj;
+		if (digestMethod == null) {
+			if (other.digestMethod != null) {
+				return false;
+			}
+		} else if (!digestMethod.equals(other.digestMethod)) {
+			return false;
+		}
+		if (!Arrays.equals(digestValue, other.digestValue)) {
+			return false;
+		}
+		return true;
+	}
+
+	@Override
+    public HashedDataType clone() {
+        HashedDataType cloned = new HashedDataType();
+        cloned.setDigestMethod(getDigestMethod().clone());
+        cloned.setDigestValue(digestValue.clone());
+        return cloned;
+    }
+}
diff --git a/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ObjectFactory.java b/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ObjectFactory.java
index b534ea9982e..dff1b211c30 100644
--- a/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ObjectFactory.java
+++ b/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ObjectFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2014 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -55,6 +55,7 @@ public class ObjectFactory implements Serializable {
     private final static QName _PolyStringTypeNorm_QNAME = new QName("http://prism.evolveum.com/xml/ns/public/types-3", "norm");
     private final static QName _PolyStringTypeOrig_QNAME = new QName("http://prism.evolveum.com/xml/ns/public/types-3", "orig");
     private final static QName _ProtectedDataTypeEncryptedData_QNAME = new QName("http://prism.evolveum.com/xml/ns/public/types-3", "encryptedData");
+    private final static QName _ProtectedDataTypeHashedData_QNAME = new QName("http://prism.evolveum.com/xml/ns/public/types-3", "hashedData");
     private final static QName _ItemPathType_QNAME = new QName("http://prism.evolveum.com/xml/ns/public/types-3", "path");
     private final static QName _Object_QNAME = new QName("http://prism.evolveum.com/xml/ns/public/types-3", "object");
 
@@ -241,6 +242,20 @@ public JAXBElement<EncryptedDataType> createProtectedStringTypeEncryptedData(Enc
         return new JAXBElement<EncryptedDataType>(_ProtectedDataTypeEncryptedData_QNAME, EncryptedDataType.class, ProtectedStringType.class, value);
     }
     
+    /**
+     * Create an instance of {@link JAXBElement }{@code <}{@link HashedDataType }{@code >}}
+     * 
+     */
+    @XmlElementDecl(namespace = "http://prism.evolveum.com/xml/ns/public/types-3", name = "hashedData", scope = ProtectedDataType.class)
+    public JAXBElement<HashedDataType> createProtectedDataTypeHashedData(HashedDataType value) {
+        return new JAXBElement<HashedDataType>(_ProtectedDataTypeHashedData_QNAME, HashedDataType.class, ProtectedDataType.class, value);
+    }
+    
+    @XmlElementDecl(namespace = "http://prism.evolveum.com/xml/ns/public/types-3", name = "hashedData", scope = ProtectedStringType.class)
+    public JAXBElement<HashedDataType> createProtectedStringTypeHashedData(HashedDataType value) {
+        return new JAXBElement<HashedDataType>(_ProtectedDataTypeHashedData_QNAME, HashedDataType.class, ProtectedStringType.class, value);
+    }
+    
     @XmlElementDecl(namespace = "http://prism.evolveum.com/xml/ns/public/types-3", name = "path", scope = ItemPathType.class)
     public JAXBElement<ItemPath> createItemPathType(ItemPath value) {
         return new JAXBElement<ItemPath>(_ItemPathType_QNAME, ItemPath.class, ItemPathType.class, value);
diff --git a/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedByteArrayType.java b/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedByteArrayType.java
index 1c937d9c61f..b7bc02e0060 100644
--- a/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedByteArrayType.java
+++ b/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedByteArrayType.java
@@ -52,5 +52,10 @@ public void setClearBytes(byte[] bytes) {
 		setClearValue(ArrayUtils.toObject(bytes));
 	}
 
+	@Override
+	public boolean canSupportType(Class<?> type) {
+		return byte[].class.isAssignableFrom(type);
+	}
+
 
 }
diff --git a/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedDataType.java b/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedDataType.java
index 0f526327bf4..b1d62f231f8 100644
--- a/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedDataType.java
+++ b/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedDataType.java
@@ -1,11 +1,18 @@
-//
-// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, v2.2.4 
-// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a> 
-// Any modifications to this file will be lost upon recompilation of the source schema. 
-// Generated on: 2014.02.04 at 01:34:24 PM CET 
-//
-
-
+/**
+ * Copyright (c) 2010-2017 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package com.evolveum.prism.xml.ns._public.types_3;
 
 import java.io.Serializable;
@@ -37,33 +44,7 @@
 
 
 /**
- * 
- * 				TODO
- * 				May be either encrypted or hashed or provided in the clear (e.g. for debugging).
- * 				
- * 				This type is marked as "mixed" because it may have alternative representation where
- * 				just the plaintext value is presented as the only value.
- * 				
- * 				This is considered to be primitive built-in type for prism objects.
- * 			
- * 
- * <p>Java class for ProtectedDataType complex type.
- * 
- * <p>The following schema fragment specifies the expected content contained within this class.
- * 
- * <pre>
- * &lt;complexType name="ProtectedDataType">
- *   &lt;complexContent>
- *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
- *       &lt;sequence>
- *         &lt;element name="encryptedData" type="{http://prism.evolveum.com/xml/ns/public/types-3}EncryptedDataType" minOccurs="0"/>
- *         &lt;any namespace='##other'/>
- *       &lt;/sequence>
- *     &lt;/restriction>
- *   &lt;/complexContent>
- * &lt;/complexType>
- * </pre>
- * 
+ * This class was originally generated. But it was heavily modified by hand.
  * 
  */
 @XmlAccessorType(XmlAccessType.FIELD)
@@ -78,6 +59,7 @@ public abstract class ProtectedDataType<T> implements ProtectedData<T>, Serializ
 	
 	public static final QName COMPLEX_TYPE = new QName("http://prism.evolveum.com/xml/ns/public/types-3", "ProtectedDataType");
 	public final static QName F_ENCRYPTED_DATA = new QName("http://prism.evolveum.com/xml/ns/public/types-3", "encryptedData");
+	public final static QName F_HASHED_DATA = new QName("http://prism.evolveum.com/xml/ns/public/types-3", "hashedData");
 	public final static QName F_CLEAR_VALUE = new QName("http://prism.evolveum.com/xml/ns/public/types-3", "clearValue");
 	
 	public static final String NS_XML_ENC = "http://www.w3.org/2001/04/xmlenc#";
@@ -95,6 +77,9 @@ public abstract class ProtectedDataType<T> implements ProtectedData<T>, Serializ
 	@XmlTransient
 	private EncryptedDataType encryptedDataType;
 	
+	@XmlTransient
+	private HashedDataType hashedDataType;
+	
 	@XmlTransient
 	private T clearValue;
 
@@ -157,10 +142,27 @@ public boolean isEncrypted() {
 		return encryptedDataType != null;
 	}
     
+    @Override
+    public HashedDataType getHashedDataType() {
+		return hashedDataType;
+	}
+
+    @Override
+	public void setHashedData(HashedDataType hashedDataType) {
+		this.hashedDataType = hashedDataType;
+	}
+	
+    @Override
+	public boolean isHashed() {
+		return hashedDataType != null;
+	}
+    
+    @Override
     public T getClearValue() {
     	return clearValue;
     }
     
+    @Override
     public void setClearValue(T clearValue) {
     	this.clearValue = clearValue;
     }
@@ -175,8 +177,13 @@ private JAXBElement<EncryptedDataType> toJaxbElement(EncryptedDataType encrypted
     	return new JAXBElement<EncryptedDataType>(F_ENCRYPTED_DATA, EncryptedDataType.class, encryptedDataType);
     }
     
+    private JAXBElement<HashedDataType> toJaxbElement(HashedDataType hashedDataType) {
+    	return new JAXBElement<HashedDataType>(F_ENCRYPTED_DATA, HashedDataType.class, hashedDataType);
+    }
+    
     private void clearContent() {
     	encryptedDataType = null;
+    	hashedDataType = null;
     }
     
     private boolean addContent(Object newObject) {
@@ -192,6 +199,9 @@ private boolean addContent(Object newObject) {
     		if (QNameUtil.match(F_ENCRYPTED_DATA, jaxbElement.getName())) {
     			encryptedDataType = (EncryptedDataType) jaxbElement.getValue();
     			return true;
+    		} else if (QNameUtil.match(F_HASHED_DATA, jaxbElement.getName())) {
+    			hashedDataType = (HashedDataType) jaxbElement.getValue();
+        		return true;
     		} else {
     			throw new IllegalArgumentException("Attempt to add unknown JAXB element "+jaxbElement);
     		}
@@ -250,37 +260,52 @@ private EncryptedDataType convertXmlEncToEncryptedDate(Element eEncryptedData) {
 	}
     
     public boolean isEmpty() {
-    	return encryptedDataType == null && clearValue == null;
+    	return encryptedDataType == null && hashedDataType == null && clearValue == null;
     }
-    
+
 	@Override
 	public int hashCode() {
 		final int prime = 31;
 		int result = 1;
 		result = prime * result + ((clearValue == null) ? 0 : clearValue.hashCode());
 		result = prime * result + ((encryptedDataType == null) ? 0 : encryptedDataType.hashCode());
+		result = prime * result + ((hashedDataType == null) ? 0 : hashedDataType.hashCode());
 		return result;
 	}
 
 	@Override
 	public boolean equals(Object obj) {
-		if (this == obj)
+		if (this == obj) {
 			return true;
-		if (obj == null)
+		}
+		if (obj == null) {
 			return false;
-		if (getClass() != obj.getClass())
+		}
+		if (getClass() != obj.getClass()) {
 			return false;
+		}
 		ProtectedDataType other = (ProtectedDataType) obj;
 		if (clearValue == null) {
-			if (other.clearValue != null)
+			if (other.clearValue != null) {
 				return false;
-		} else if (!clearValue.equals(other.clearValue))
+			}
+		} else if (!clearValue.equals(other.clearValue)) {
 			return false;
+		}
 		if (encryptedDataType == null) {
-			if (other.encryptedDataType != null)
+			if (other.encryptedDataType != null) {
 				return false;
-		} else if (!encryptedDataType.equals(other.encryptedDataType))
+			}
+		} else if (!encryptedDataType.equals(other.encryptedDataType)) {
 			return false;
+		}
+		if (hashedDataType == null) {
+			if (other.hashedDataType != null) {
+				return false;
+			}
+		} else if (!hashedDataType.equals(other.hashedDataType)) {
+			return false;
+		}
 		return true;
 	}
 
@@ -292,6 +317,10 @@ public String toString() {
 			sb.append("encrypted=");
 			sb.append(encryptedDataType);
 		}
+		if (hashedDataType != null) {
+			sb.append("hashed=");
+			sb.append(hashedDataType);
+		}
 		if (clearValue != null) {
 			sb.append("clearValue=");
 			sb.append(clearValue);
@@ -303,36 +332,16 @@ public String toString() {
     protected void cloneTo(ProtectedDataType<T> cloned) {
         cloned.clearValue = CloneUtil.clone(clearValue);
         cloned.encryptedDataType = CloneUtil.clone(encryptedDataType);
-
+        cloned.hashedDataType = CloneUtil.clone(hashedDataType);
+        
         // content is virtual, there is no point in copying it
-
-//        for (Object o : getContent()) {
-//            if (o instanceof JAXBElement<?>) {
-//                JAXBElement<?> je = (JAXBElement) o;
-//                Object v = je.getValue();
-//                if (v == null) {
-//                    // do nothing
-//                } else if (v instanceof EncryptedDataType) {
-//                    EncryptedDataType edt = (EncryptedDataType) v;
-//                    cloned.addContent(new JAXBElement<EncryptedDataType>(je.getName(), (Class) je.getDeclaredType(), edt.clone()));
-//                } else {
-//                    throw new IllegalStateException("Unknown JAXB element "+je.getName()+" ("+je.getValue().getClass()+") in ProtectedDataType");
-//                }
-//            } else if (o instanceof Element) {
-//                cloned.addContent(((Element) o).cloneNode(true));
-//            } else if (o instanceof String) {
-//                cloned.addContent(o);           // will this work?
-//            } else {
-//                throw new IllegalStateException("Unknown object of type "+o.getClass()+ " in ProtectedDataType");
-//            }
-//        }
     }
 
     class ContentList implements List<Object>, Serializable {
 
 		@Override
 		public int size() {
-			if (encryptedDataType != null) {
+			if (encryptedDataType != null || hashedDataType != null) {
 				return 1;
 			} else {
 				return 0;
@@ -341,7 +350,7 @@ public int size() {
 
 		@Override
 		public boolean isEmpty() {
-			return encryptedDataType == null;
+			return encryptedDataType == null && hashedDataType == null;
 		}
 
 		@Override
@@ -363,7 +372,11 @@ public boolean hasNext() {
 				public Object next() {
 					if (index == 0) {
 						index++;
-						return toJaxbElement(encryptedDataType);
+						if (encryptedDataType == null) {
+							return toJaxbElement(hashedDataType);
+						} else {
+							return toJaxbElement(encryptedDataType);
+						}
 					} else {
 						return null;
 					}
@@ -378,11 +391,15 @@ public void remove() {
 
 		@Override
 		public Object[] toArray() {
-			if (encryptedDataType == null) {
+			if (encryptedDataType == null && hashedDataType == null) {
 				return new Object[0];
 			} else {
 				Object[] a = new Object[1];
-				a[0] = toJaxbElement(encryptedDataType);
+				if (encryptedDataType == null) {
+					a[0] = toJaxbElement(hashedDataType);
+				} else {
+					a[0] = toJaxbElement(encryptedDataType);
+				}
 				return a;
 			}
 		}
@@ -448,7 +465,11 @@ public void clear() {
 		public Object get(int index) {
 			if (index == 0) {
                 // what if encryptedDataType is null and clearValue is set? [pm]
-				return toJaxbElement(encryptedDataType);
+				if (encryptedDataType == null) {
+					return toJaxbElement(hashedDataType);
+				} else {
+					return toJaxbElement(encryptedDataType);
+				}
 			} else {
 				return null;
 			}
diff --git a/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedStringType.java b/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedStringType.java
index 332425e0e50..6ea2223c581 100644
--- a/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedStringType.java
+++ b/infra/prism/src/main/java/com/evolveum/prism/xml/ns/_public/types_3/ProtectedStringType.java
@@ -1,11 +1,18 @@
-//
-// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, v2.2.4 
-// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a> 
-// Any modifications to this file will be lost upon recompilation of the source schema. 
-// Generated on: 2014.02.04 at 01:34:24 PM CET 
-//
-
-
+/**
+ * Copyright (c) 2010-2017 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package com.evolveum.prism.xml.ns._public.types_3;
 
 import java.io.UnsupportedEncodingException;
@@ -19,27 +26,7 @@
 
 
 /**
- * 
- * 				Specific subtype for protected STRING data.
- * 			
- * 
- * <p>Java class for ProtectedStringType complex type.
- * 
- * <p>The following schema fragment specifies the expected content contained within this class.
- * 
- * <pre>
- * &lt;complexType name="ProtectedStringType">
- *   &lt;complexContent>
- *     &lt;extension base="{http://prism.evolveum.com/xml/ns/public/types-3}ProtectedDataType">
- *       &lt;sequence>
- *         &lt;element name="clearValue" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/>
- *       &lt;/sequence>
- *     &lt;/extension>
- *   &lt;/complexContent>
- * &lt;/complexType>
- * </pre>
- * 
- * 
+ * This class was originally generated. But it was heavily modified by hand.
  */
 @XmlAccessorType(XmlAccessType.FIELD)
 @XmlType(name = "ProtectedStringType")
@@ -71,6 +58,12 @@ public void setClearBytes(byte[] bytes) {
         }
 	}
 
+	@Override
+	public boolean canSupportType(Class<?> type) {
+		return String.class.isAssignableFrom(type);
+	}
+
+	
 	@Override
 	public boolean equals(Object obj) {
 		return super.equals(obj);
@@ -96,4 +89,5 @@ public static String bytesToString(byte[] clearBytes) {
             throw new SystemException("Unsupported charset '"+CHARSET+"', is this system from 19th century?", e);
         }
     }
+
 }
diff --git a/infra/prism/src/main/resources/xml/ns/public/types-3.xsd b/infra/prism/src/main/resources/xml/ns/public/types-3.xsd
index a2bcc23346f..a9e58143ccf 100644
--- a/infra/prism/src/main/resources/xml/ns/public/types-3.xsd
+++ b/infra/prism/src/main/resources/xml/ns/public/types-3.xsd
@@ -174,7 +174,7 @@
 		</xsd:annotation>
 		<xsd:sequence>
 			<xsd:element name="encryptedData" type="tns:EncryptedDataType" minOccurs="0"/>
-			<!-- TODO: hashing -->
+			<xsd:element name="hashedData" type="tns:HashedDataType" minOccurs="0"/>
 			
 			<xsd:any namespace="##other" minOccurs="0">
 				<xsd:annotation>
@@ -184,6 +184,7 @@
 					</xsd:documentation>
 				</xsd:annotation>
 			</xsd:any>
+
 		</xsd:sequence>
 	</xsd:complexType>
 	
@@ -250,6 +251,40 @@
 		</xsd:sequence>
 	</xsd:complexType>
 	
+    <xsd:complexType name="HashedDataType">
+		<xsd:annotation>
+			<xsd:documentation>
+				TODO
+				Contains data protected by (non-reversible) hashing (message digest).
+				
+				Loosely based on XML digital signature standard. But we cannot use full
+				standard as we are not bound to XML. We need this to work also for
+				JSON and YAML and other languages.
+			</xsd:documentation>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="digestMethod" type="tns:DigestMethodType" minOccurs="1"/>
+			<xsd:element name="digestValue" type="xsd:base64Binary" minOccurs="1"/>
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	<xsd:complexType name="DigestMethodType">
+		<xsd:annotation>
+			<xsd:documentation>
+				TODO
+				
+				Loosely based on XML encryption standard. But we cannot use full
+				standard as we are not bound to XML. We need this to work also for
+				JSON and YAML and other languages.
+			</xsd:documentation>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="algorithm" type="xsd:anyURI" minOccurs="1"/>
+			<xsd:element name="salt" type="xsd:base64Binary" minOccurs="0"/>
+			<xsd:element name="workFactor" type="xsd:int" minOccurs="0"/>
+		</xsd:sequence>
+	</xsd:complexType>
+	
 	<xsd:complexType name="ObjectType">
 		<xsd:annotation>
 			<xsd:documentation>
diff --git a/infra/prism/src/test/java/com/evolveum/midpoint/prism/PrismInternalTestUtil.java b/infra/prism/src/test/java/com/evolveum/midpoint/prism/PrismInternalTestUtil.java
index 5621b2f3309..d206fb9a4da 100644
--- a/infra/prism/src/test/java/com/evolveum/midpoint/prism/PrismInternalTestUtil.java
+++ b/infra/prism/src/test/java/com/evolveum/midpoint/prism/PrismInternalTestUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,6 +30,8 @@
 import javax.xml.datatype.XMLGregorianCalendar;
 import javax.xml.namespace.QName;
 
+import com.evolveum.midpoint.prism.crypto.Protector;
+import com.evolveum.midpoint.prism.crypto.ProtectorImpl;
 import com.evolveum.midpoint.prism.foo.AccountConstructionType;
 
 import com.evolveum.midpoint.prism.schema.SchemaRegistryImpl;
@@ -211,6 +213,9 @@ public class PrismInternalTestUtil implements PrismContextFactory {
 	
 	public static final QName WEAPONS_WEAPON_BRAND_TYPE_QNAME = new QName(NS_WEAPONS, "WeaponBrandType");
 	
+	public static final String KEYSTORE_PATH = "src/test/resources/keystore.jceks";
+	public static final String KEYSTORE_PASSWORD = "changeit";
+	
 	public static PrismContextImpl constructInitializedPrismContext() throws SchemaException, SAXException, IOException {
 		PrismContextImpl context = constructPrismContext();
 		context.initialize();
@@ -483,4 +488,13 @@ public static void assertContainerDefinition(PrismContainer container, String co
 	public static PrismSchema getFooSchema(PrismContext prismContext) {
 		return prismContext.getSchemaRegistry().findSchemaByNamespace(NS_FOO);
 	}
+	
+	public static Protector createProtector(String xmlCipher){
+		ProtectorImpl protector = new ProtectorImpl();
+		protector.setKeyStorePassword(KEYSTORE_PASSWORD);
+		protector.setKeyStorePath(KEYSTORE_PATH);
+		protector.setEncryptionAlgorithm(xmlCipher);
+		protector.init();
+		return protector;
+	}
 }
diff --git a/infra/prism/src/test/java/com/evolveum/midpoint/prism/crypto/TestProtector.java b/infra/prism/src/test/java/com/evolveum/midpoint/prism/crypto/TestProtector.java
index 760f18b264c..85af21be71c 100644
--- a/infra/prism/src/test/java/com/evolveum/midpoint/prism/crypto/TestProtector.java
+++ b/infra/prism/src/test/java/com/evolveum/midpoint/prism/crypto/TestProtector.java
@@ -1,54 +1,206 @@
+/**
+ * Copyright (c) 2010-2017 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package com.evolveum.midpoint.prism.crypto;
 
+import static org.testng.AssertJUnit.assertNotNull;
+import static org.testng.AssertJUnit.assertNull;
+import static org.testng.AssertJUnit.assertTrue;
+import static org.testng.AssertJUnit.assertFalse;
 import org.apache.xml.security.encryption.XMLCipher;
 import org.testng.AssertJUnit;
 import org.testng.annotations.Test;
 
 import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.PrismInternalTestUtil;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 
 public class TestProtector {
 	
-	public static final String KEYSTORE_PATH = "src/test/resources/keystore.jceks";
-	public static final String KEYSTORE_PASSWORD = "changeit";
-	
-	private PrismContext prismContext;
-	
 	private static transient Trace LOGGER = TraceManager.getTrace(TestProtector.class);	
 	
-	public static Protector createProtector(String xmlCipher){
-		AESProtector protector = new AESProtector();
-		protector.setKeyStorePassword(KEYSTORE_PASSWORD);
-		protector.setKeyStorePath(KEYSTORE_PATH);
-		protector.setEncryptionAlgorithm(xmlCipher);
-		protector.init();
-		return protector;
+	@Test
+	public void testProtectorEncryptionRoundTrip() throws Exception {
+		String value = "someValue";
+		
+		Protector protector256 = PrismInternalTestUtil.createProtector(XMLCipher.AES_256);
+		Protector protector128 = PrismInternalTestUtil.createProtector(XMLCipher.AES_128);
+		
+		ProtectedStringType pdt = new ProtectedStringType();
+		pdt.setClearValue(value);
+		assertFalse(pdt.isEmpty());
+		assertFalse(pdt.isHashed());
+		assertFalse(pdt.isEncrypted());
+		
+		// WHEN
+		protector256.encrypt(pdt);
+		
+		// THEN
+		assertFalse(pdt.isEmpty());
+		assertTrue(pdt.isEncrypted());
+		assertFalse(pdt.isHashed());
+		assertNull(pdt.getClearValue());
+		
+		// WHEN
+		protector128.decrypt(pdt);
+		
+		// THEN
+		assertFalse(pdt.isEmpty());
+		assertFalse(pdt.isEncrypted());
+		assertFalse(pdt.isHashed());
+		AssertJUnit.assertEquals(value, pdt.getClearValue());
+		  
+		// WHEN
+		ProtectedStringType pstEnc = protector256.encryptString(value);
+		  
+		// THEN
+		assertFalse(pstEnc.isEmpty());
+		assertTrue(pstEnc.isEncrypted());
+		assertFalse(pstEnc.isHashed());
+		  
+		// WHEN
+		String clear = protector256.decryptString(pstEnc);
+		assertNotNull(clear);
+		  
+		// THEN
+		AssertJUnit.assertEquals(value, clear);
+		  
+		// WHEN
+		boolean compare1 = protector256.compare(pdt, pstEnc);
+		  
+		// THEN
+		assertTrue("compare1 failed", compare1);
+		  
+		// WHEN
+		boolean compare2 = protector256.compare(pstEnc, pdt);
+		  
+		// THEN
+		assertTrue("compare2 failed", compare2);
+		
+		ProtectedStringType wrongPst = new ProtectedStringType();
+		wrongPst.setClearValue("nonono This is not it");
+		  
+		// WHEN
+		boolean compare5 = protector256.compare(pdt, wrongPst);
+		  
+		// THEN
+		assertFalse("compare5 unexpected success", compare5);
+		  
+		// WHEN
+		boolean compare6 = protector256.compare(wrongPst, pdt);
+			  
+		// THEN
+		assertFalse("compare6 unexpected success", compare6);
+	}
+  
+	@Test
+	public void testProtectorHashRoundTrip() throws Exception {
+		String value = "someValue";
+		ProtectedStringType pst = new ProtectedStringType();
+		pst.setClearValue(value);
+		assertFalse(pst.isEmpty());
+
+		Protector protector256 = PrismInternalTestUtil.createProtector(XMLCipher.AES_256);
+
+		// WHEN
+		protector256.hash(pst);
+
+		// THEN
+		assertFalse(pst.isEmpty());
+		assertTrue(pst.isHashed());
+		assertFalse(pst.isEncrypted());
+		assertNull(pst.getClearValue());
+
+		ProtectedStringType checkPstClear = new ProtectedStringType();
+		checkPstClear.setClearValue(value);
+
+		// WHEN
+		boolean compare1 = protector256.compare(pst, checkPstClear);
+
+		// THEN
+		assertTrue("compare1 failed", compare1);
+
+		// WHEN
+		boolean compare2 = protector256.compare(checkPstClear, pst);
+
+		// THEN
+		assertTrue("compare2 failed", compare2);
+
+		ProtectedStringType checkPstEnc = new ProtectedStringType();
+		checkPstEnc.setClearValue(value);
+		protector256.encrypt(checkPstEnc);
+
+		// WHEN
+		boolean compare3 = protector256.compare(pst, checkPstEnc);
+
+		// THEN
+		assertTrue("compare3 failed", compare3);
+
+		// WHEN
+		boolean compare4 = protector256.compare(checkPstEnc, pst);
+
+		// THEN
+		assertTrue("compare4 failed", compare4);
+
+		ProtectedStringType wrongPst = new ProtectedStringType();
+		wrongPst.setClearValue("nonono This is not it");
+
+		// WHEN
+		boolean compare5 = protector256.compare(pst, wrongPst);
+
+		// THEN
+		assertFalse("compare5 unexpected success", compare5);
+
+		// WHEN
+		boolean compare6 = protector256.compare(wrongPst, pst);
+
+		// THEN
+		assertFalse("compare6 unexpected success", compare6);
+
+		ProtectedStringType wrongPstEnc = new ProtectedStringType();
+		wrongPstEnc.setClearValue("nonono This is not it");
+		protector256.encrypt(wrongPstEnc);
+
+		// WHEN
+		boolean compare7 = protector256.compare(pst, wrongPstEnc);
+
+		// THEN
+		assertFalse("compare7 unexpected success", compare7);
+
+		// WHEN
+		boolean compare8 = protector256.compare(wrongPstEnc, pst);
+
+		// THEN
+		assertFalse("compare8 unexpected success", compare8);
+
+		// change the hash ... comparison should fail
+		pst.getHashedDataType().getDigestValue()[1] = 0x12;
+
+		// WHEN
+		boolean compare9 = protector256.compare(pst, checkPstClear);
+
+		// THEN
+		assertFalse("compare9 unexpected success", compare9);
+
+		// WHEN
+		boolean compare10 = protector256.compare(checkPstClear, pst);
+
+		// THEN
+		assertFalse("compare10 unexpected success", compare10);
+
 	}
-	
-	
-  @Test
-  public void testProtectorKeyStore() throws Exception{
-	  
-	
-	  String value = "someValue";
-	
-	  Protector protector256 = createProtector(XMLCipher.AES_256);
-	  
-	  ProtectedStringType pdt = new ProtectedStringType();
-	  pdt.setClearValue(value);
-	  protector256.encrypt(pdt);
-	  
-	  Protector protector128 = createProtector(XMLCipher.AES_128);
-	  protector128.decrypt(pdt);
-	  
-	  AssertJUnit.assertEquals(value, pdt.getClearValue());
-	  
-	  ProtectedStringType pst = protector256.encryptString(value);
-	  String clear = protector256.decryptString(pst);
-	  
-	  AssertJUnit.assertEquals(value, clear);
-	 
-  }
 }
diff --git a/infra/prism/src/test/java/com/evolveum/midpoint/prism/lex/TestProtectedString.java b/infra/prism/src/test/java/com/evolveum/midpoint/prism/lex/TestProtectedString.java
index 02338435e9d..5feec07e764 100644
--- a/infra/prism/src/test/java/com/evolveum/midpoint/prism/lex/TestProtectedString.java
+++ b/infra/prism/src/test/java/com/evolveum/midpoint/prism/lex/TestProtectedString.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2014 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -52,12 +52,12 @@ public void setupDebug() throws SchemaException, SAXException, IOException {
 	}
 	
 	@Test
-    public void testParseProtectedString() throws Exception {
-		final String TEST_NAME = "testParseProtectedString";
+    public void testParseProtectedStringEncrypted() throws Exception {
+		final String TEST_NAME = "testParseProtectedStringEncrypted";
 		displayTestTitle(TEST_NAME);
 		
 		// GIVEN
-        Protector protector = TestProtector.createProtector(XMLCipher.AES_128);     // TODO move to a util class
+        Protector protector = PrismInternalTestUtil.createProtector(XMLCipher.AES_128);
         ProtectedStringType protectedStringType = protector.encryptString("salalala");
 
         PrismContext prismContext = PrismTestUtil.getPrismContext();
@@ -67,6 +67,31 @@ public void testParseProtectedString() throws Exception {
         MapXNode protectedStringTypeXNode = ((PrismContextImpl) prismContext).getBeanMarshaller().marshalProtectedDataType(protectedStringType, null);
         System.out.println("Protected string type XNode: " + protectedStringTypeXNode.debugDump());
 
+        // THEN
+        ProtectedStringType unmarshalled = new ProtectedStringType();
+        XNodeProcessorUtil.parseProtectedType(unmarshalled, protectedStringTypeXNode, prismContext, ParsingContext.createDefault());
+        System.out.println("Unmarshalled value: " + unmarshalled);
+        assertEquals("Unmarshalled value differs from the original", protectedStringType, unmarshalled);
+    }
+	
+	@Test
+    public void testParseProtectedStringHashed() throws Exception {
+		final String TEST_NAME = "testParseProtectedStringHashed";
+		displayTestTitle(TEST_NAME);
+		
+		// GIVEN
+		ProtectedStringType protectedStringType = new ProtectedStringType();
+		protectedStringType.setClearValue("blabla");
+        Protector protector = PrismInternalTestUtil.createProtector(XMLCipher.AES_128);
+        protector.hash(protectedStringType);
+
+        PrismContext prismContext = PrismTestUtil.getPrismContext();
+
+        // WHEN
+
+        MapXNode protectedStringTypeXNode = ((PrismContextImpl) prismContext).getBeanMarshaller().marshalProtectedDataType(protectedStringType, null);
+        System.out.println("Protected string type XNode: " + protectedStringTypeXNode.debugDump());
+
         // THEN
         ProtectedStringType unmarshalled = new ProtectedStringType();
         XNodeProcessorUtil.parseProtectedType(unmarshalled, protectedStringTypeXNode, prismContext, ParsingContext.createDefault());
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/ExpressionTestUtil.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/ExpressionTestUtil.java
index af32213f130..532d3faa553 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/ExpressionTestUtil.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/ExpressionTestUtil.java
@@ -31,7 +31,7 @@
 import com.evolveum.midpoint.model.common.expression.script.xpath.XPathScriptEvaluator;
 import com.evolveum.midpoint.model.common.stringpolicy.ValuePolicyGenerator;
 import com.evolveum.midpoint.prism.PrismContext;
-import com.evolveum.midpoint.prism.crypto.AESProtector;
+import com.evolveum.midpoint.prism.crypto.ProtectorImpl;
 import com.evolveum.midpoint.schema.util.ObjectResolver;
 import com.evolveum.midpoint.security.api.SecurityEnforcer;
 import com.evolveum.midpoint.test.util.MidPointTestConstants;
@@ -42,8 +42,8 @@
  */
 public class ExpressionTestUtil {
 	
-	public static AESProtector createInitializedProtector(PrismContext prismContext) {
-		AESProtector protector = new AESProtector();
+	public static ProtectorImpl createInitializedProtector(PrismContext prismContext) {
+		ProtectorImpl protector = new ProtectorImpl();
         protector.setKeyStorePath(MidPointTestConstants.KEYSTORE_PATH);
         protector.setKeyStorePassword(MidPointTestConstants.KEYSTORE_PASSWORD);
         //protector.setPrismContext(prismContext);
@@ -51,7 +51,7 @@ public static AESProtector createInitializedProtector(PrismContext prismContext)
         return protector;
 	}
 	
-	public static ExpressionFactory createInitializedExpressionFactory(ObjectResolver resolver, AESProtector protector, 
+	public static ExpressionFactory createInitializedExpressionFactory(ObjectResolver resolver, ProtectorImpl protector, 
 			PrismContext prismContext, SecurityEnforcer securityEnforcer) {
     	ExpressionFactory expressionFactory = new ExpressionFactory(resolver, prismContext);
     	
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpression.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpression.java
index 44aa3968dbc..37558b35b8a 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpression.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/TestExpression.java
@@ -26,7 +26,7 @@
 import org.testng.annotations.Test;
 import org.xml.sax.SAXException;
 
-import com.evolveum.midpoint.prism.crypto.AESProtector;
+import com.evolveum.midpoint.prism.crypto.ProtectorImpl;
 import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
 import com.evolveum.midpoint.prism.util.PrismTestUtil;
 import com.evolveum.midpoint.schema.MidPointPrismContextFactory;
@@ -70,7 +70,7 @@ public void setup() throws SchemaException, SAXException, IOException {
 		
 		prismContext = PrismTestUtil.createInitializedPrismContext();
 		ObjectResolver resolver = new DirectoryFileObjectResolver(MidPointTestConstants.OBJECTS_DIR);
-		AESProtector protector = ExpressionTestUtil.createInitializedProtector(prismContext);
+		ProtectorImpl protector = ExpressionTestUtil.createInitializedProtector(prismContext);
     	expressionFactory = ExpressionTestUtil.createInitializedExpressionFactory(resolver, protector, prismContext, null);
 	}
 
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/AbstractScriptTest.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/AbstractScriptTest.java
index 13cc13c29fa..2680c88ecf0 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/AbstractScriptTest.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/AbstractScriptTest.java
@@ -25,7 +25,7 @@
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismPropertyDefinition;
 import com.evolveum.midpoint.prism.PrismPropertyValue;
-import com.evolveum.midpoint.prism.crypto.AESProtector;
+import com.evolveum.midpoint.prism.crypto.ProtectorImpl;
 import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.util.PrismTestUtil;
 import com.evolveum.midpoint.schema.MidPointPrismContextFactory;
@@ -90,7 +90,7 @@ public void setup() throws SchemaException, SAXException, IOException {
     public void setupFactory() {
     	PrismContext prismContext = PrismTestUtil.getPrismContext();
     	ObjectResolver resolver = new DirectoryFileObjectResolver(OBJECTS_DIR);
-    	Protector protector = new AESProtector();
+    	Protector protector = new ProtectorImpl();
         Collection<FunctionLibrary> functions = new ArrayList<FunctionLibrary>();
         functions.add(ExpressionUtil.createBasicFunctionLibrary(prismContext, protector));
 		scriptExpressionfactory = new ScriptExpressionFactory(resolver, prismContext, protector);
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestExpressionFunctions.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestExpressionFunctions.java
index 46bf8234d4d..6a34ecee024 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestExpressionFunctions.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestExpressionFunctions.java
@@ -18,7 +18,7 @@
 import com.evolveum.midpoint.model.common.expression.functions.BasicExpressionFunctions;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
-import com.evolveum.midpoint.prism.crypto.AESProtector;
+import com.evolveum.midpoint.prism.crypto.ProtectorImpl;
 import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.polystring.PolyString;
 import com.evolveum.midpoint.prism.util.PrismTestUtil;
@@ -381,7 +381,7 @@ public void testParseDateTime() throws Exception {
     
 	private BasicExpressionFunctions createBasicFunctions() throws SchemaException, SAXException, IOException {
 		PrismContext prismContext = PrismTestUtil.createInitializedPrismContext();
-		Protector protector = new AESProtector();
+		Protector protector = new ProtectorImpl();
 		return new BasicExpressionFunctions(prismContext, protector);
 	}
 	
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestScriptCaching.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestScriptCaching.java
index 48f9ca9ecdb..2461d3c9dd3 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestScriptCaching.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/expression/script/TestScriptCaching.java
@@ -20,7 +20,7 @@
 import com.evolveum.midpoint.model.common.expression.functions.FunctionLibrary;
 import com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator;
 import com.evolveum.midpoint.prism.*;
-import com.evolveum.midpoint.prism.crypto.AESProtector;
+import com.evolveum.midpoint.prism.crypto.ProtectorImpl;
 import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.util.PrismTestUtil;
 import com.evolveum.midpoint.schema.MidPointPrismContextFactory;
@@ -79,7 +79,7 @@ public void setupFactory() {
     	System.out.println("Setting up expression factory and evaluator");
     	PrismContext prismContext = PrismTestUtil.getPrismContext();
     	ObjectResolver resolver = new DirectoryFileObjectResolver(OBJECTS_DIR);
-    	Protector protector = new AESProtector();
+    	Protector protector = new ProtectorImpl();
         Collection<FunctionLibrary> functions = new ArrayList<FunctionLibrary>();
         functions.add(ExpressionUtil.createBasicFunctionLibrary(prismContext, protector));
 		scriptExpressionfactory = new ScriptExpressionFactory(resolver, prismContext, protector);
diff --git a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/MappingTestEvaluator.java b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/MappingTestEvaluator.java
index 0ce3b81d0d2..0fe06eb1bab 100644
--- a/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/MappingTestEvaluator.java
+++ b/model/model-common/src/test/java/com/evolveum/midpoint/model/common/mapping/MappingTestEvaluator.java
@@ -40,7 +40,7 @@
 import com.evolveum.midpoint.prism.PrismObjectDefinition;
 import com.evolveum.midpoint.prism.PrismPropertyDefinition;
 import com.evolveum.midpoint.prism.PrismPropertyValue;
-import com.evolveum.midpoint.prism.crypto.AESProtector;
+import com.evolveum.midpoint.prism.crypto.ProtectorImpl;
 import com.evolveum.midpoint.prism.crypto.EncryptionException;
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
@@ -84,7 +84,7 @@ public class MappingTestEvaluator {
     
     private PrismContext prismContext;
     private MappingFactory mappingFactory;
-    AESProtector protector;
+    ProtectorImpl protector;
     
     public PrismContext getPrismContext() {
 		return prismContext;
@@ -108,7 +108,7 @@ public void init() throws SchemaException, SAXException, IOException {
         mappingFactory.setProtector(protector);
     }
 	
-	public AESProtector getProtector() {
+	public ProtectorImpl getProtector() {
 		return protector;
 	}
 
diff --git a/repo/system-init/src/main/java/com/evolveum/midpoint/init/ConfigurableProtectorFactory.java b/repo/system-init/src/main/java/com/evolveum/midpoint/init/ConfigurableProtectorFactory.java
index cc715a89007..318911912a9 100644
--- a/repo/system-init/src/main/java/com/evolveum/midpoint/init/ConfigurableProtectorFactory.java
+++ b/repo/system-init/src/main/java/com/evolveum/midpoint/init/ConfigurableProtectorFactory.java
@@ -17,7 +17,7 @@
 package com.evolveum.midpoint.init;
 
 import com.evolveum.midpoint.common.configuration.api.MidpointConfiguration;
-import com.evolveum.midpoint.prism.crypto.AESProtector;
+import com.evolveum.midpoint.prism.crypto.ProtectorImpl;
 import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.util.exception.SystemException;
 import com.evolveum.midpoint.util.logging.Trace;
@@ -82,7 +82,7 @@ public void init() {
     }
 
     public Protector getProtector() {
-        AESProtector protector = new AESProtector();
+        ProtectorImpl protector = new ProtectorImpl();
         protector.setEncryptionKeyAlias(protectorConfig.getEncryptionKeyAlias());
         protector.setKeyStorePassword(protectorConfig.getKeyStorePassword());
         protector.setKeyStorePath(protectorConfig.getKeyStorePath());
diff --git a/tools/repo-ninja/src/main/java/com/evolveum/midpoint/tools/ninja/KeyStoreDumper.java b/tools/repo-ninja/src/main/java/com/evolveum/midpoint/tools/ninja/KeyStoreDumper.java
index df4ebe9d191..79da8d35d54 100644
--- a/tools/repo-ninja/src/main/java/com/evolveum/midpoint/tools/ninja/KeyStoreDumper.java
+++ b/tools/repo-ninja/src/main/java/com/evolveum/midpoint/tools/ninja/KeyStoreDumper.java
@@ -15,7 +15,7 @@
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.support.ClassPathXmlApplicationContext;
 
-import com.evolveum.midpoint.prism.crypto.AESProtector;
+import com.evolveum.midpoint.prism.crypto.ProtectorImpl;
 import com.evolveum.midpoint.prism.crypto.EncryptionException;
 import com.evolveum.midpoint.prism.crypto.Protector;
 
@@ -32,8 +32,8 @@ public void execute(){
 		System.out.println("###################################################");
 		System.out.println("Printing keys from key store");
 		
-		if (protector instanceof AESProtector){
-			AESProtector aesProtector = (AESProtector) protector;
+		if (protector instanceof ProtectorImpl){
+			ProtectorImpl aesProtector = (ProtectorImpl) protector;
 			System.out.println("Using key store from location: " + aesProtector.getKeyStorePath());
 //			System.out.println("Cipher: " + aesProtector.getXmlCipher());
 			
@@ -65,8 +65,8 @@ public void execute(){
 				System.out.println("	Algorithm: " + key.getAlgorithm());
 				System.out.println("	Format: " + key.getFormat());
 				System.out.println("	Key length: " + key.getEncoded().length * 8);
-				if (protector instanceof AESProtector) {
-					System.out.println("	Key name: " + ((AESProtector) protector).getSecretKeyDigest(key));
+				if (protector instanceof ProtectorImpl) {
+					System.out.println("	Key name: " + ((ProtectorImpl) protector).getSecretKeyDigest(key));
 				}
 //				Cipher cipher = Cipher.getInstance(key.getAlgorithm());
 //				System.out.println("	Cipher algorithm" + cipher.getAlgorithm());

From 89b5fbfb1a30fc4d754f88f40d416218aaeacc04 Mon Sep 17 00:00:00 2001
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Wed, 8 Mar 2017 18:55:32 +0100
Subject: [PATCH 2/7] Password hashing: refactoring password policy processor,
 switch everything to security policy. Preparing the tests.

---
 .../MidPointGuiAuthorizationEvaluator.java    |   6 +-
 .../midpoint/prism/delta/ObjectDelta.java     |  10 +-
 .../midpoint/prism/delta/ReferenceDelta.java  |  10 +
 .../xml/ns/public/common/common-core-3.xsd    | 138 ++++++++-
 .../model/impl/lens/AssignmentEvaluator.java  |   4 +-
 .../model/impl/lens/ChangeExecutor.java       | 150 +++++----
 .../midpoint/model/impl/lens/LensContext.java |  16 -
 .../model/impl/lens/LensFocusContext.java     |  12 +-
 .../impl/lens/LensProjectionContext.java      |  12 -
 .../midpoint/model/impl/lens/LensUtil.java    | 154 ----------
 .../model/impl/lens/ObjectDeltaWaves.java     |   6 +-
 .../impl/lens/projector/ContextLoader.java    |  17 +-
 .../lens/projector/CredentialsProcessor.java  | 118 ++++++-
 .../impl/lens/projector/InboundProcessor.java |  13 +-
 .../impl/lens/projector/MappingEvaluator.java | 182 ++++++++++-
 .../projector/ObjectTemplateProcessor.java    |  16 +-
 .../projector/PasswordPolicyProcessor.java    | 289 +++++++-----------
 .../security/AuthenticationEvaluatorImpl.java |  17 +-
 .../MidpointRestAuthenticationHandler.java    |  10 +-
 .../model/impl/security/SecurityHelper.java   | 137 ++++++++-
 ...ringAuthenticationInjectorInterceptor.java |  13 +-
 .../impl/security/UserProfileServiceImpl.java |  35 +--
 .../lens/TestPasswordPolicyProcessor.java     |  29 +-
 .../security/TestAuthenticationEvaluator.java |   6 +-
 ...bstractConfiguredModelIntegrationTest.java |   3 +
 .../midpoint/model/intest/TestAudit.java      |  14 +-
 .../intest/TestLoggingConfiguration.java      |   2 +
 .../model/intest/TestMultiResource.java       |   3 +-
 .../AbstractPasswordTest.java}                | 103 ++++---
 .../intest/password/TestPasswordDefault.java  |  49 +++
 .../password/TestPasswordDefaultHashing.java  |  48 +++
 .../src/test/resources/logback-test.xml       |   8 +-
 ...ecurity-policy-default-storage-hashing.xml |  39 +++
 .../security-policy-password-storage-none.xml |  39 +++
 model/model-intest/testng-integration.xml     |   7 +-
 .../test/AbstractModelIntegrationTest.java    |  22 +-
 .../security/api/SecurityEnforcer.java        |   6 +-
 .../security/api/UserProfileService.java      |   7 +-
 .../security/impl/SecurityEnforcerImpl.java   |   6 +-
 .../quartzimpl/TaskManagerQuartzImpl.java     |  11 +-
 .../quartzimpl/execution/JobExecutor.java     |   9 +-
 41 files changed, 1151 insertions(+), 625 deletions(-)
 rename model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/{TestPassword.java => password/AbstractPasswordTest.java} (90%)
 create mode 100644 model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefault.java
 create mode 100644 model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefaultHashing.java
 create mode 100644 model/model-intest/src/test/resources/password/security-policy-default-storage-hashing.xml
 create mode 100644 model/model-intest/src/test/resources/password/security-policy-password-storage-none.xml

diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java
index 28dc4ce9515..df7cf9af7b1 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -77,7 +77,7 @@ public void setupPreAuthenticatedSecurityContext(Authentication authentication)
     }
 
     @Override
-    public void setupPreAuthenticatedSecurityContext(PrismObject<UserType> user) {
+    public void setupPreAuthenticatedSecurityContext(PrismObject<UserType> user) throws SchemaException {
 		securityEnforcer.setupPreAuthenticatedSecurityContext(user);
 	}
     
@@ -203,7 +203,7 @@ public <T extends ObjectType, O extends ObjectType> ObjectFilter preProcessObjec
 	}
 
 	@Override
-	public <T> T runAs(Producer<T> producer, PrismObject<UserType> user) {
+	public <T> T runAs(Producer<T> producer, PrismObject<UserType> user) throws SchemaException {
 		return securityEnforcer.runAs(producer, user);
 	}
 
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ObjectDelta.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ObjectDelta.java
index 78ce5e8a039..c5899268aaa 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ObjectDelta.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ObjectDelta.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -414,6 +414,10 @@ private <D extends ItemDelta> void removeModification(QName itemName, Class<D> d
     public void removeReferenceModification(QName itemName) {
     	removeModification(itemName, ReferenceDelta.class);
     }
+    
+    public void removeReferenceModification(ItemPath itemPath) {
+    	removeModification(itemPath, ReferenceDelta.class);
+    }
 
     public void removeContainerModification(QName itemName) {
     	removeModification(itemName, ContainerDelta.class);
@@ -423,6 +427,10 @@ public void removePropertyModification(QName itemName) {
     	removeModification(itemName, PropertyDelta.class);
     }
     
+    public void removePropertyModification(ItemPath itemPath) {
+    	removeModification(itemPath, PropertyDelta.class);
+    }
+    
     public boolean isEmpty() {
     	if (getChangeType() == ChangeType.DELETE) {
     		// Delete delta is never empty
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ReferenceDelta.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ReferenceDelta.java
index aaef0a25004..23769e7a6ec 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ReferenceDelta.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ReferenceDelta.java
@@ -110,6 +110,16 @@ public static ReferenceDelta createModificationReplace(ItemPath path, PrismObjec
 		return createModificationReplace(path, objectDefinition, new PrismReferenceValue(oid));
 	}
 
+    public static <O extends Objectable> ReferenceDelta createModificationReplace(QName refName, Class<O> type, PrismContext ctx , String oid) {
+    	PrismObjectDefinition<O> objectDefinition = ctx.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(type);
+		return createModificationReplace(refName, objectDefinition, new PrismReferenceValue(oid));
+	}
+    
+    public static <O extends Objectable> ReferenceDelta createModificationReplace(ItemPath path, Class<O> type, PrismContext ctx, String oid) {
+    	PrismObjectDefinition<O> objectDefinition = ctx.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(type);
+		return createModificationReplace(path, objectDefinition, new PrismReferenceValue(oid));
+	}
+
     public static ReferenceDelta createModificationReplace(ItemPath path, PrismObjectDefinition<?> objectDefinition,
     		PrismReferenceValue refValue) {
     	PrismReferenceDefinition referenceDefinition = objectDefinition.findItemDefinition(path, PrismReferenceDefinition.class);
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
index c52dc6cef70..88598ba9e2c 100644
--- a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
+++ b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
@@ -9163,17 +9163,38 @@
                         </xsd:annotation>
                     </xsd:element>
                     
+                    <xsd:element name="securityPolicyRef" type="c:ObjectReferenceType" minOccurs="0" maxOccurs="1">
+                        <xsd:annotation>
+                            <xsd:documentation>
+                            	<p>
+                                	Reference to the security policy settings which will be used for this organization.
+                                </p>
+                            </xsd:documentation>
+                            <xsd:appinfo>
+                    			<a:objectReferenceTargetType>tns:SecurityPolicyType</a:objectReferenceTargetType>
+                    			<a:displayName>OrgType.securityPolicy</a:displayName>
+                                <a:displayOrder>230</a:displayOrder>
+                                <a:since>3.6</a:since>
+                    		</xsd:appinfo>
+                        </xsd:annotation>
+                    </xsd:element>
+
                     <xsd:element name="passwordPolicyRef" type="c:ObjectReferenceType" minOccurs="0" maxOccurs="1">
                         <xsd:annotation>
                             <xsd:documentation>
                             	<p>
                                 	Reference to the password policy settings which will be used for generate/validate password for this organization.
+                                	Use either securityPolicyRef or passwordPolicyRef in orgs. Do not use both at the same time. This is not supported.
+                                </p>
+                            	<p>
+                                	DEPRECATED. Use securityPolicyRef instead.
                                 </p>
                             </xsd:documentation>
                             <xsd:appinfo>
                     			<a:objectReferenceTargetType>tns:ValuePolicyType</a:objectReferenceTargetType>
                     			<a:displayName>OrgType.passwordPolicy</a:displayName>
-                                <a:displayOrder>230</a:displayOrder>
+                                <a:displayOrder>240</a:displayOrder>
+                                <a:deprecated>true</a:deprecated>
                     		</xsd:appinfo>
                         </xsd:annotation>
                     </xsd:element>
@@ -9416,7 +9437,7 @@
                     	</xsd:annotation>
                     </xsd:element>
                     <xsd:element name="stringPolicy" type="c:StringPolicyType" minOccurs="1" maxOccurs="1"/>
-                    <xsd:element name="minOccurs" type="xsd:string" minOccurs="0">
+                    <xsd:element name="minOccurs" type="xsd:string" minOccurs="0" default="0">
                     	<xsd:annotation>
                     		<xsd:documentation>
                     			Minimal number of value occurences. minOccurs set to zero means that the value
@@ -9431,6 +9452,7 @@
                     	<xsd:annotation>
                     		<xsd:documentation>
                     			Maximal number of value occurences.
+                    			If not specified then the default schema limitation is imposed.
                     		</xsd:documentation>
                     	</xsd:annotation>
                     </xsd:element>
@@ -11265,11 +11287,26 @@
 			</xsd:appinfo>
 		</xsd:annotation>
 		<xsd:sequence>
+			<xsd:element name="default" type="tns:CredentialPolicyType" minOccurs="0">
+				<xsd:annotation>
+					<xsd:documentation>
+						Common setting applied to all other credetials type. Any of this
+						setting can be overridden in the individual credentials setting.
+					</xsd:documentation>
+				</xsd:annotation>
+			</xsd:element>
 			<xsd:element name="password" type="tns:PasswordCredentialsPolicyType" minOccurs="0">
 			</xsd:element>
 			<xsd:element name="securityQuestions" type="tns:SecurityQuestionsCredentialsPolicyType" minOccurs="0">
              </xsd:element>
              <xsd:element name="nonce" type="tns:NonceCredentialsPolicyType" minOccurs="0" maxOccurs="unbounded">
+             	<xsd:annotation>
+					<xsd:documentation>
+						Nonce settings used to generate one-time random values.
+						Used in self-registration, e-mail-based password reset and possibly also
+						other scenarios.
+					</xsd:documentation>
+				</xsd:annotation>
              </xsd:element>
              <!-- More credential types may come here in the future. -->
 		</xsd:sequence>
@@ -11537,7 +11574,7 @@
 	</xsd:complexType>
 	
 	
-	 <xsd:complexType name="AbstractCredentialPolicyType" abstract="true">
+	 <xsd:complexType name="CredentialPolicyType">
 		<xsd:annotation>
 			<xsd:documentation>
 				Structure that specifies common elements to all the credential policies.
@@ -11547,6 +11584,8 @@
 			</xsd:appinfo>
 		</xsd:annotation>
 		<xsd:sequence>
+			<xsd:element name="storageMethod" type="c:CredentialsStorageMethodType" minOccurs="0" maxOccurs="1">
+			</xsd:element>
 			<xsd:element name="resetMethod" type="c:CredentialsResetMethodType" minOccurs="0" maxOccurs="1">
 			</xsd:element>
 			<xsd:element name="propagationUserControl" type="c:CredentialsPropagationUserControlType" minOccurs="0" maxOccurs="1" default="userChoice">
@@ -11607,7 +11646,16 @@
 					</xsd:documentation>
 				</xsd:annotation>
 			</xsd:element>
-			<!-- TODO: historyLength, similarity criteria (history vs new password) -->
+			<xsd:element name="historyLength" type="xsd:int" minOccurs="0" maxOccurs="1" default="0">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            The number of entries to keep in the credential history. Also specifies the
+			            number of past credential values that will be checked before accepting a new
+			            credential change.
+			        </xsd:documentation>
+			    </xsd:annotation>
+			</xsd:element>
+			<!-- TODO: similarity criteria (history vs new password) -->
 		</xsd:sequence>
 	</xsd:complexType>
 	
@@ -11728,6 +11776,77 @@
             </xsd:enumeration>
              </xsd:restriction>
     </xsd:simpleType>
+    
+    <xsd:complexType name="CredentialsStorageMethodType">
+		<xsd:annotation>
+			<xsd:documentation>
+				Specifies the method of storing the credential in midPoint.
+			</xsd:documentation>
+			<xsd:appinfo>
+				<a:container/>
+			</xsd:appinfo>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="storageType" type="c:CredentialsStorageTypeType" minOccurs="0" maxOccurs="1" default="encryption">
+				<xsd:annotation>
+					<xsd:documentation>
+						The type of credential storage.
+					</xsd:documentation>
+				</xsd:annotation>
+			</xsd:element>
+			<!-- Storage parameters (ciphers, digest methods, key lengths, ... -->
+		</xsd:sequence>
+	</xsd:complexType>
+	
+    <xsd:simpleType name="CredentialsStorageTypeType">
+        <xsd:annotation>
+            <xsd:appinfo>
+                <jaxb:typesafeEnumClass/>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:restriction base="xsd:string">
+            <xsd:enumeration value="encryption">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		Credential will be stored in an ecrypted form.
+                		This is a symetric (reversible) encryption.
+                		MidPoint will be able to get a cleartext form of
+                		the credential if needed.
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="ENCRYPTION"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="hashing">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		Credential will be stored in a hashed form.
+                		One-way (ireversible) cryptographic hash or key derivation function
+                		will be used to transform the credential before storage.
+                		MidPoint will NOT be able to get a cleartext form of
+                		the credential, but it can still compare credential values.
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="HASHING"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="none">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		MidPoint will not store the credential at all.
+                		MidPoitn will only work with credential in the memory
+                		while it is needed to complete current operation.
+                		The credential will be discarded after the operation.
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="NONE"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+    </xsd:restriction>
+    </xsd:simpleType>
 
 	 <xsd:complexType name="PasswordCredentialsPolicyType">
 		<xsd:annotation>
@@ -11740,7 +11859,7 @@
 			</xsd:appinfo>
 		</xsd:annotation>
 		<xsd:complexContent>
-			<xsd:extension base="tns:AbstractCredentialPolicyType">
+			<xsd:extension base="tns:CredentialPolicyType">
 				<xsd:sequence>
 					<xsd:element name="passwordPolicyRef" type="c:ObjectReferenceType" minOccurs="0" maxOccurs="1">
 					    <xsd:annotation>
@@ -11767,7 +11886,12 @@
 					            The number of entries to keep in the password history. Also specifies the
 					            number of past passwords that will be checked before accepting a new password
 					            change.
+					            DEPRECATED. use historyLength instead.
+					            This is not even implemented. It does not work.
 					        </xsd:documentation>
+					        <xsd:appinfo>
+					        	<a:deprecated>true</a:deprecated>
+					        </xsd:appinfo>
 					    </xsd:annotation>
 					</xsd:element>
 				</xsd:sequence>
@@ -11820,7 +11944,7 @@
 			</xsd:appinfo>
 		</xsd:annotation>
 		<xsd:complexContent>
-			<xsd:extension base="tns:AbstractCredentialPolicyType">
+			<xsd:extension base="tns:CredentialPolicyType">
 				<xsd:sequence>
 					   <xsd:element name="questionNumber" type="xsd:int" minOccurs="0"  maxOccurs="1">
 		                <xsd:annotation>
@@ -11905,7 +12029,7 @@
 			</xsd:appinfo>
 		</xsd:annotation>
 		<xsd:complexContent>
-			<xsd:extension base="tns:AbstractCredentialPolicyType">
+			<xsd:extension base="tns:CredentialPolicyType">
 				<xsd:sequence>
 					<xsd:element name="name" type="xsd:string" maxOccurs="1">
 		        	    <xsd:annotation>
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java
index f874646f321..d2e0deaef5d 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2015 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -451,7 +451,7 @@ private void evaluateFocusMappings(EvaluatedAssignmentImpl<F> evaluatedAssignmen
 		AssignmentPathVariables assignmentPathVariables = LensUtil.computeAssignmentPathVariables(assignmentPath);
 
 		for (MappingType mappingType: mappingsType.getMapping()) {
-			Mapping mapping = LensUtil.createFocusMapping(mappingFactory, lensContext, mappingType, source, focusOdo, 
+			Mapping mapping = mappingEvaluator.createFocusMapping(mappingFactory, lensContext, mappingType, source, focusOdo, 
 					assignmentPathVariables, systemConfiguration, now, sourceDescription, task, result);
 			if (mapping == null) {
 				continue;
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ChangeExecutor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ChangeExecutor.java
index 0e42e9960de..ee983118527 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ChangeExecutor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ChangeExecutor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,10 +34,12 @@
 import com.evolveum.midpoint.model.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.model.impl.ModelObjectResolver;
 import com.evolveum.midpoint.model.impl.expr.ModelExpressionThreadLocalHolder;
+import com.evolveum.midpoint.model.impl.lens.projector.CredentialsProcessor;
 import com.evolveum.midpoint.model.impl.lens.projector.FocusConstraintsChecker;
 import com.evolveum.midpoint.model.impl.lens.projector.PolicyRuleProcessor;
 import com.evolveum.midpoint.model.impl.util.Utils;
 import com.evolveum.midpoint.prism.*;
+import com.evolveum.midpoint.prism.crypto.EncryptionException;
 import com.evolveum.midpoint.prism.delta.ChangeType;
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
@@ -135,6 +137,9 @@ public class ChangeExecutor {
 
 	@Autowired
 	private PolicyRuleProcessor policyRuleProcessor;
+	
+	@Autowired
+	private CredentialsProcessor credentialsProcessor;
 
 	private PrismObjectDefinition<UserType> userDefinition = null;
 	private PrismObjectDefinition<ShadowType> shadowDefinition = null;
@@ -149,7 +154,7 @@ private void locateDefinitions() {
 
 	// returns true if current operation has to be restarted, see
 	// ObjectAlreadyExistsException handling (TODO specify more exactly)
-	public <O extends ObjectType> boolean executeChanges(LensContext<O> syncContext, Task task,
+	public <O extends ObjectType> boolean executeChanges(LensContext<O> context, Task task,
 			OperationResult parentResult) throws ObjectAlreadyExistsException, ObjectNotFoundException,
 					SchemaException, CommunicationException, ConfigurationException,
 					SecurityViolationException, ExpressionEvaluationException {
@@ -158,13 +163,13 @@ public <O extends ObjectType> boolean executeChanges(LensContext<O> syncContext,
 
 		// FOCUS
 
-		syncContext.checkAbortRequested();
+		context.checkAbortRequested();
 
-		LensFocusContext<O> focusContext = syncContext.getFocusContext();
+		LensFocusContext<O> focusContext = context.getFocusContext();
 		if (focusContext != null) {
-			ObjectDelta<O> focusDelta = focusContext.getWaveExecutableDelta(syncContext.getExecutionWave());
+			ObjectDelta<O> focusDelta = focusContext.getWaveExecutableDelta(context.getExecutionWave());
 
-			focusDelta = policyRuleProcessor.applyAssignmentSituation(syncContext, focusDelta);
+			focusDelta = policyRuleProcessor.applyAssignmentSituation(context, focusDelta);
 
 			if (focusDelta != null) {
 
@@ -174,15 +179,21 @@ public <O extends ObjectType> boolean executeChanges(LensContext<O> syncContext,
 
 				OperationResult subResult = result.createSubresult(
 						OPERATION_EXECUTE_FOCUS + "." + focusContext.getObjectTypeClass().getSimpleName());
+				
 				try {
-					syncContext.reportProgress(new ProgressInformation(FOCUS_OPERATION, ENTERING));
-					executeDelta(focusDelta, focusContext, syncContext, null, null, task, subResult);
+					// Will remove credential deltas or hash them
+					focusDelta = credentialsProcessor.transformFocusExectionDelta(context, focusDelta);
+				} catch (EncryptionException e) {
+					recordFatalError(subResult, result, null, e);
+					throw new SystemException(e.getMessage(), e);
+				}
+				try {
+					context.reportProgress(new ProgressInformation(FOCUS_OPERATION, ENTERING));
+					executeDelta(focusDelta, focusContext, context, null, null, task, subResult);
 					subResult.computeStatus();
 
-				} catch (SchemaException e) {
-					recordFatalError(subResult, result, null, e);
-					throw e;
-				} catch (ObjectNotFoundException e) {
+				} catch (SchemaException | ObjectNotFoundException | CommunicationException | ConfigurationException 
+						| SecurityViolationException | ExpressionEvaluationException e) {
 					recordFatalError(subResult, result, null, e);
 					throw e;
 				} catch (ObjectAlreadyExistsException e) {
@@ -192,23 +203,11 @@ public <O extends ObjectType> boolean executeChanges(LensContext<O> syncContext,
 					}
 					result.computeStatusComposite();
 					throw e;
-				} catch (CommunicationException e) {
-					recordFatalError(subResult, result, null, e);
-					throw e;
-				} catch (ConfigurationException e) {
-					recordFatalError(subResult, result, null, e);
-					throw e;
-				} catch (SecurityViolationException e) {
-					recordFatalError(subResult, result, null, e);
-					throw e;
-				} catch (ExpressionEvaluationException e) {
-					recordFatalError(subResult, result, null, e);
-					throw e;
 				} catch (RuntimeException e) {
 					recordFatalError(subResult, result, null, e);
 					throw e;
 				} finally {
-					syncContext.reportProgress(new ProgressInformation(FOCUS_OPERATION, subResult));
+					context.reportProgress(new ProgressInformation(FOCUS_OPERATION, subResult));
 				}
 			} else {
 				LOGGER.trace("Skipping focus change execute, because user delta is null");
@@ -217,89 +216,89 @@ public <O extends ObjectType> boolean executeChanges(LensContext<O> syncContext,
 
 		// PROJECTIONS
 
-		syncContext.checkAbortRequested();
+		context.checkAbortRequested();
 
 		boolean restartRequested = false;
 
-		for (LensProjectionContext accCtx : syncContext.getProjectionContexts()) {
-			if (accCtx.getWave() != syncContext.getExecutionWave()) {
+		for (LensProjectionContext projCtx : context.getProjectionContexts()) {
+			if (projCtx.getWave() != context.getExecutionWave()) {
 				continue;
 			}
 
-			if (!accCtx.isCanProject()) {
+			if (!projCtx.isCanProject()) {
 				continue;
 			}
 
 			// we should not get here, but just to be sure
-			if (accCtx.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.IGNORE) {
-				LOGGER.trace("Skipping ignored projection context {}", accCtx.toHumanReadableString());
+			if (projCtx.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.IGNORE) {
+				LOGGER.trace("Skipping ignored projection context {}", projCtx.toHumanReadableString());
 				continue;
 			}
 
 			OperationResult subResult = result.createSubresult(
-					OPERATION_EXECUTE_PROJECTION + "." + accCtx.getObjectTypeClass().getSimpleName());
-			subResult.addContext("discriminator", accCtx.getResourceShadowDiscriminator());
-			if (accCtx.getResource() != null) {
-				subResult.addParam("resource", accCtx.getResource().getName());
+					OPERATION_EXECUTE_PROJECTION + "." + projCtx.getObjectTypeClass().getSimpleName());
+			subResult.addContext("discriminator", projCtx.getResourceShadowDiscriminator());
+			if (projCtx.getResource() != null) {
+				subResult.addParam("resource", projCtx.getResource().getName());
 			}
 			try {
 
-				syncContext.checkAbortRequested();
+				context.checkAbortRequested();
 
-				syncContext.reportProgress(new ProgressInformation(RESOURCE_OBJECT_OPERATION,
-						accCtx.getResourceShadowDiscriminator(), ENTERING));
+				context.reportProgress(new ProgressInformation(RESOURCE_OBJECT_OPERATION,
+						projCtx.getResourceShadowDiscriminator(), ENTERING));
 
-				executeReconciliationScript(accCtx, syncContext, BeforeAfterType.BEFORE, task, subResult);
+				executeReconciliationScript(projCtx, context, BeforeAfterType.BEFORE, task, subResult);
 
-				ObjectDelta<ShadowType> accDelta = accCtx.getExecutableDelta();
+				ObjectDelta<ShadowType> projDelta = projCtx.getExecutableDelta();
 
-				if (shouldBeDeleted(accDelta, accCtx)) {
-					accDelta = ObjectDelta.createDeleteDelta(accCtx.getObjectTypeClass(), accCtx.getOid(),
+				if (shouldBeDeleted(projDelta, projCtx)) {
+					projDelta = ObjectDelta.createDeleteDelta(projCtx.getObjectTypeClass(), projCtx.getOid(),
 							prismContext);
 				}
 
-				if (accCtx.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.BROKEN) {
-					if (syncContext.getFocusContext() != null
-							&& syncContext.getFocusContext().getDelta() != null
-							&& syncContext.getFocusContext().getDelta().isDelete()
-							&& syncContext.getOptions() != null
-							&& ModelExecuteOptions.isForce(syncContext.getOptions())) {
-						if (accDelta == null) {
-							accDelta = ObjectDelta.createDeleteDelta(accCtx.getObjectTypeClass(),
-									accCtx.getOid(), prismContext);
+				if (projCtx.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.BROKEN) {
+					if (context.getFocusContext() != null
+							&& context.getFocusContext().getDelta() != null
+							&& context.getFocusContext().getDelta().isDelete()
+							&& context.getOptions() != null
+							&& ModelExecuteOptions.isForce(context.getOptions())) {
+						if (projDelta == null) {
+							projDelta = ObjectDelta.createDeleteDelta(projCtx.getObjectTypeClass(),
+									projCtx.getOid(), prismContext);
 						}
 					}
-					if (accDelta != null && accDelta.isDelete()) {
+					if (projDelta != null && projDelta.isDelete()) {
 
-						executeDelta(accDelta, accCtx, syncContext, null, accCtx.getResource(), task,
+						executeDelta(projDelta, projCtx, context, null, projCtx.getResource(), task,
 								subResult);
 
 					}
 				} else {
 
-					if (accDelta == null || accDelta.isEmpty()) {
+					if (projDelta == null || projDelta.isEmpty()) {
 						if (LOGGER.isTraceEnabled()) {
-							LOGGER.trace("No change for " + accCtx.getResourceShadowDiscriminator());
+							LOGGER.trace("No change for " + projCtx.getResourceShadowDiscriminator());
 						}
 						if (focusContext != null) {
-							updateLinks(focusContext, accCtx, task, subResult);
+							updateLinks(focusContext, projCtx, task, subResult);
 						}
 
 						// Make sure post-reconcile delta is always executed,
 						// even if there is no change
-						executeReconciliationScript(accCtx, syncContext, BeforeAfterType.AFTER, task,
+						executeReconciliationScript(projCtx, context, BeforeAfterType.AFTER, task,
 								subResult);
 
 						subResult.computeStatus();
 						subResult.recordNotApplicableIfUnknown();
 						continue;
 
-					} else if (accDelta.isDelete() && accCtx.getResourceShadowDiscriminator() != null
-							&& accCtx.getResourceShadowDiscriminator().getOrder() > 0) {
+					} else if (projDelta.isDelete() && projCtx.getResourceShadowDiscriminator() != null
+							&& projCtx.getResourceShadowDiscriminator().getOrder() > 0) {
 						// HACK ... for higher-order context check if this was
 						// already deleted
-						LensProjectionContext lowerOrderContext = LensUtil.findLowerOrderContext(syncContext,
-								accCtx);
+						LensProjectionContext lowerOrderContext = LensUtil.findLowerOrderContext(context,
+								projCtx);
 						if (lowerOrderContext != null && lowerOrderContext.isDelete()) {
 							// We assume that this was already executed
 							subResult.setStatus(OperationResultStatus.NOT_APPLICABLE);
@@ -307,25 +306,25 @@ public <O extends ObjectType> boolean executeChanges(LensContext<O> syncContext,
 						}
 					}
 
-					executeDelta(accDelta, accCtx, syncContext, null, accCtx.getResource(), task, subResult);
+					executeDelta(projDelta, projCtx, context, null, projCtx.getResource(), task, subResult);
 
 				}
 
 				if (focusContext != null) {
-					updateLinks(focusContext, accCtx, task, subResult);
+					updateLinks(focusContext, projCtx, task, subResult);
 				}
 
-				executeReconciliationScript(accCtx, syncContext, BeforeAfterType.AFTER, task, subResult);
+				executeReconciliationScript(projCtx, context, BeforeAfterType.AFTER, task, subResult);
 
 				subResult.computeStatus();
 				subResult.recordNotApplicableIfUnknown();
 
 			} catch (SchemaException e) {
-				recordProjectionExecutionException(e, accCtx, subResult,
+				recordProjectionExecutionException(e, projCtx, subResult,
 						SynchronizationPolicyDecision.BROKEN);
 				continue;
 			} catch (ObjectNotFoundException e) {
-				recordProjectionExecutionException(e, accCtx, subResult,
+				recordProjectionExecutionException(e, projCtx, subResult,
 						SynchronizationPolicyDecision.BROKEN);
 				continue;
 			} catch (ObjectAlreadyExistsException e) {
@@ -335,8 +334,8 @@ public <O extends ObjectType> boolean executeChanges(LensContext<O> syncContext,
 				// "Users" is SAM Account Name which is used by a built-in group
 				// - in such case, mark the context as broken
 
-				if (isRepeatedAlreadyExistsException(accCtx)) {
-					recordProjectionExecutionException(e, accCtx, subResult,
+				if (isRepeatedAlreadyExistsException(projCtx)) {
+					recordProjectionExecutionException(e, projCtx, subResult,
 							SynchronizationPolicyDecision.BROKEN);
 					continue;
 				}
@@ -355,28 +354,28 @@ public <O extends ObjectType> boolean executeChanges(LensContext<O> syncContext,
 				break; // we will process remaining projections when retrying
 						// the wave
 			} catch (CommunicationException e) {
-				recordProjectionExecutionException(e, accCtx, subResult,
+				recordProjectionExecutionException(e, projCtx, subResult,
 						SynchronizationPolicyDecision.BROKEN);
 				continue;
 			} catch (ConfigurationException e) {
-				recordProjectionExecutionException(e, accCtx, subResult,
+				recordProjectionExecutionException(e, projCtx, subResult,
 						SynchronizationPolicyDecision.BROKEN);
 				continue;
 			} catch (SecurityViolationException e) {
-				recordProjectionExecutionException(e, accCtx, subResult,
+				recordProjectionExecutionException(e, projCtx, subResult,
 						SynchronizationPolicyDecision.BROKEN);
 				continue;
 			} catch (ExpressionEvaluationException e) {
-				recordProjectionExecutionException(e, accCtx, subResult,
+				recordProjectionExecutionException(e, projCtx, subResult,
 						SynchronizationPolicyDecision.BROKEN);
 				continue;
 			} catch (RuntimeException e) {
-				recordProjectionExecutionException(e, accCtx, subResult,
+				recordProjectionExecutionException(e, projCtx, subResult,
 						SynchronizationPolicyDecision.BROKEN);
 				continue;
 			} finally {
-				syncContext.reportProgress(new ProgressInformation(RESOURCE_OBJECT_OPERATION,
-						accCtx.getResourceShadowDiscriminator(), subResult));
+				context.reportProgress(new ProgressInformation(RESOURCE_OBJECT_OPERATION,
+						projCtx.getResourceShadowDiscriminator(), subResult));
 			}
 		}
 
@@ -1372,7 +1371,6 @@ private <F extends ObjectType, T extends ObjectType> String modifyProvisioningOb
 					ProvisioningOperationTypeType.MODIFY, resource, task, result);
 		}
 		Utils.setRequestee(task, context);
-		LOGGER.info("MOD options {}", options);
 		String changedOid = provisioning.modifyObject(objectTypeClass, oid, modifications, scripts, options,
 				task, result);
 		Utils.clearRequestee(task);
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java
index 58da4e5ae0c..8941a28fed1 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java
@@ -96,7 +96,6 @@ public class LensContext<F extends ObjectType> implements ModelContext<F> {
 
 	transient private ObjectTemplateType focusTemplate;
 	transient private ProjectionPolicyType accountSynchronizationSettings;
-	transient private ValuePolicyType globalPasswordPolicy;
 
 	transient private DeltaSetTriple<EvaluatedAssignmentImpl> evaluatedAssignmentTriple;
 
@@ -319,14 +318,6 @@ public void setAccountSynchronizationSettings(ProjectionPolicyType accountSynchr
 		this.accountSynchronizationSettings = accountSynchronizationSettings;
 	}
 
-	public ValuePolicyType getGlobalPasswordPolicy() {
-		return globalPasswordPolicy;
-	}
-
-	public void setGlobalPasswordPolicy(ValuePolicyType globalPasswordPolicy) {
-		this.globalPasswordPolicy = globalPasswordPolicy;
-	}
-
 	public int getProjectionWave() {
 		return projectionWave;
 	}
@@ -1141,13 +1132,6 @@ public String toString() {
 				+ focusContext + ", " + projectionContexts + ")";
 	}
 
-	public ValuePolicyType getEffectivePasswordPolicy() {
-		if (getFocusContext().getOrgPasswordPolicy() != null) {
-			return getFocusContext().getOrgPasswordPolicy();
-		}
-		return globalPasswordPolicy;
-	}
-
 	public void setProgressListeners(Collection<ProgressListener> progressListeners) {
 		this.progressListeners = progressListeners;
 	}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensFocusContext.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensFocusContext.java
index eb51c8aabdb..c795fdec349 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensFocusContext.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensFocusContext.java
@@ -44,7 +44,7 @@ public class LensFocusContext<O extends ObjectType> extends LensElementContext<O
 
 	private ObjectDeltaWaves<O> secondaryDeltas = new ObjectDeltaWaves<O>();
 	
-	transient private ValuePolicyType orgPasswordPolicy;
+	transient private SecurityPolicyType securityPolicy;
 	transient private ObjectPolicyConfigurationType objectPolicyConfigurationType;
 	
 	private int getProjectionWave() {
@@ -55,12 +55,12 @@ private int getExecutionWave() {
 		return getLensContext().getProjectionWave();
 	}
 	
-	public void setOrgPasswordPolicy(ValuePolicyType orgPasswordPolicy) {
-		this.orgPasswordPolicy = orgPasswordPolicy;
+	public SecurityPolicyType getSecurityPolicy() {
+		return securityPolicy;
 	}
-	
-	public ValuePolicyType getOrgPasswordPolicy() {
-		return orgPasswordPolicy;
+
+	public void setSecurityPolicy(SecurityPolicyType securityPolicy) {
+		this.securityPolicy = securityPolicy;
 	}
 
 	public ObjectPolicyConfigurationType getObjectPolicyConfigurationType() {
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensProjectionContext.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensProjectionContext.java
index 1d7c3521431..842eb03259a 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensProjectionContext.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensProjectionContext.java
@@ -677,19 +677,7 @@ public boolean isCanProject() {
 	public void setAccountPasswordPolicy(ValuePolicyType accountPasswordPolicy) {
 		this.accountPasswordPolicy = accountPasswordPolicy;
 	}
-	
-	public ValuePolicyType getEffectivePasswordPolicy() {
-		if (accountPasswordPolicy != null) {
-			return accountPasswordPolicy;
-		}
-		
-		if (getLensContext().getFocusContext().getOrgPasswordPolicy() != null){
-			return getLensContext().getFocusContext().getOrgPasswordPolicy();
-		}
 		
-		return getLensContext().getGlobalPasswordPolicy();
-	}
-	
 	public AssignmentPolicyEnforcementType getAssignmentPolicyEnforcementType() {
 		// TODO: per-resource assignment enforcement
 		ResourceType resource = getResource();
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensUtil.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensUtil.java
index 16ba45f8d2a..4b7766d5a6c 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensUtil.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensUtil.java
@@ -868,160 +868,6 @@ private static boolean isValid(String lifecycleState, ActivationType activationT
 		return effectiveStatus == ActivationStatusType.ENABLED;
 	}
 
-    public static <V extends PrismValue, D extends ItemDefinition , F extends FocusType> Mapping<V, D> createFocusMapping(final MappingFactory mappingFactory,
-    		final LensContext<F> context, final MappingType mappingType, ObjectType originObject, 
-			ObjectDeltaObject<F> focusOdo, AssignmentPathVariables assignmentPathVariables, PrismObject<SystemConfigurationType> configuration,
-			XMLGregorianCalendar now, String contextDesc, Task task, OperationResult result) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException {
-    	Integer iteration = null;
-    	String iterationToken = null;
-    	if (focusOdo.getNewObject() != null) {
-    		F focusNewType = focusOdo.getNewObject().asObjectable();
-    		iteration = focusNewType.getIteration();
-    		iterationToken = focusNewType.getIterationToken();
-    	} else if (focusOdo.getOldObject() != null) {
-    		F focusOldType = focusOdo.getOldObject().asObjectable();
-    		iteration = focusOldType.getIteration();
-    		iterationToken = focusOldType.getIterationToken();
-    	}
-    	return createFocusMapping(mappingFactory, context, mappingType, originObject, focusOdo, assignmentPathVariables,
-    			iteration, iterationToken, configuration, now, contextDesc, task, result);
-    }
-    
-    public static <V extends PrismValue, D extends ItemDefinition, F extends FocusType> Mapping<V, D> createFocusMapping(final MappingFactory mappingFactory,
-    		final LensContext<F> context, final MappingType mappingType, ObjectType originObject, 
-			ObjectDeltaObject<F> focusOdo, AssignmentPathVariables assignmentPathVariables, 
-			Integer iteration, String iterationToken, PrismObject<SystemConfigurationType> configuration,
-			XMLGregorianCalendar now, String contextDesc, final Task task, OperationResult result) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException {
-
-		if (!Mapping.isApplicableToChannel(mappingType, context.getChannel())) {
-			LOGGER.trace("Mapping {} not applicable to channel {}, skipping.", mappingType, context.getChannel());
-			return null;
-		}
-
-		StringPolicyResolver stringPolicyResolver = new StringPolicyResolver() {
-			private ItemPath outputPath;
-			private ItemDefinition outputDefinition;
-			@Override
-			public void setOutputPath(ItemPath outputPath) {
-				this.outputPath = outputPath;
-			}
-
-			@Override
-			public void setOutputDefinition(ItemDefinition outputDefinition) {
-				this.outputDefinition = outputDefinition;
-			}
-
-			@Override
-			public StringPolicyType resolve() {
-				if (outputDefinition.getName().equals(PasswordType.F_VALUE)) {
-					ValuePolicyType passwordPolicy = context.getEffectivePasswordPolicy();
-					if (passwordPolicy == null) {
-						return null;
-					}
-					return passwordPolicy.getStringPolicy();
-				}
-				if (mappingType.getExpression() != null){
-					List<JAXBElement<?>> evaluators = mappingType.getExpression().getExpressionEvaluator();
-					if (evaluators != null) {
-						for (JAXBElement jaxbEvaluator : evaluators) {
-							Object object = jaxbEvaluator.getValue();
-							if (object instanceof GenerateExpressionEvaluatorType && ((GenerateExpressionEvaluatorType) object).getValuePolicyRef() != null) {
-								ObjectReferenceType ref = ((GenerateExpressionEvaluatorType) object).getValuePolicyRef();
-								try {
-									ValuePolicyType valuePolicyType = mappingFactory.getObjectResolver().resolve(ref, ValuePolicyType.class,
-											null, "resolving value policy for generate attribute "+ outputDefinition.getName()+" value", task, new OperationResult("Resolving value policy"));
-									if (valuePolicyType != null) {
-										return valuePolicyType.getStringPolicy();
-									}
-								} catch (CommonException ex) {
-									throw new SystemException(ex.getMessage(), ex);
-								}
-							}
-						}
-
-					}
-				}
-				return null;
-
-			}
-		};
-
-		ExpressionVariables variables = new ExpressionVariables();
-		variables.addVariableDefinition(ExpressionConstants.VAR_USER, focusOdo);
-		variables.addVariableDefinition(ExpressionConstants.VAR_FOCUS, focusOdo);
-		variables.addVariableDefinition(ExpressionConstants.VAR_ITERATION, iteration);
-		variables.addVariableDefinition(ExpressionConstants.VAR_ITERATION_TOKEN, iterationToken);
-		variables.addVariableDefinition(ExpressionConstants.VAR_CONFIGURATION, configuration);
-
-		Collection<V> targetValues = computeTargetValues(mappingType.getTarget(), focusOdo, variables, mappingFactory.getObjectResolver(), contextDesc, task, result);
-
-		Mapping.Builder<V,D> mappingBuilder = mappingFactory.<V,D>createMappingBuilder(mappingType, contextDesc)
-				.sourceContext(focusOdo)
-				.targetContext(context.getFocusContext().getObjectDefinition())
-				.variables(variables)
-				.originalTargetValues(targetValues)
-				.originType(OriginType.USER_POLICY)
-				.originObject(originObject)
-				.stringPolicyResolver(stringPolicyResolver)
-				.rootNode(focusOdo)
-				.now(now);
-
-		mappingBuilder = addAssignmentPathVariables(mappingBuilder, assignmentPathVariables);
-
-		Mapping<V,D> mapping = mappingBuilder.build();
-
-		ItemPath itemPath = mapping.getOutputPath();
-        if (itemPath == null) {
-            // no output element, i.e. this is a "validation mapping"
-            return mapping;
-        }
-		
-		PrismObject<F> focusNew = focusOdo.getNewObject();
-		if (focusNew != null) {
-			Item<V,D> existingUserItem = (Item<V,D>) focusNew.findItem(itemPath);
-			if (existingUserItem != null && !existingUserItem.isEmpty() 
-					&& mapping.getStrength() == MappingStrengthType.WEAK) {
-				// This valueConstruction only applies if the property does not have a value yet.
-				// ... but it does
-				LOGGER.trace("Mapping {} is weak and focus already has a value {}, skipping.", mapping, existingUserItem);
-				return null;
-			}
-		}
-
-		return mapping;
-	}
-
-	private static <V extends PrismValue, F extends FocusType> Collection<V> computeTargetValues(VariableBindingDefinitionType target,
-			ObjectDeltaObject<F> defaultSource, ExpressionVariables variables, ObjectResolver objectResolver, String contextDesc,
-			Task task, OperationResult result) throws SchemaException, ObjectNotFoundException {
-		if (target == null) {
-			// Is this correct? What about default targets?
-			return null;
-		}
-
-		ItemPathType itemPathType = target.getPath();
-		if (itemPathType == null) {
-			// Is this correct? What about default targets?
-			return null;
-		}
-		ItemPath path = itemPathType.getItemPath();
-
-		Object object = ExpressionUtil.resolvePath(path, variables, defaultSource, objectResolver, contextDesc, task, result);
-		if (object == null) {
-			return new ArrayList<>();
-		} else if (object instanceof Item) {
-			return ((Item) object).getValues();
-		} else if (object instanceof PrismValue) {
-			return (List<V>) Collections.singletonList((PrismValue) object);
-		} else if (object instanceof ItemDeltaItem) {
-			ItemDeltaItem<V, ?> idi = (ItemDeltaItem<V, ?>) object;
-			PrismValueDeltaSetTriple<V> triple = idi.toDeltaSetTriple();
-			return triple != null ? triple.getNonNegativeValues() : new ArrayList<V>();
-		} else {
-			throw new IllegalStateException("Unsupported target value(s): " + object.getClass() + " (" + object + ")");
-		}
-	}
-
 	public static AssignmentPathVariables computeAssignmentPathVariables(AssignmentPathImpl assignmentPath) throws SchemaException {
     	if (assignmentPath == null || assignmentPath.isEmpty()) {
     		return null;
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ObjectDeltaWaves.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ObjectDeltaWaves.java
index 2322582215a..63a221c0de4 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ObjectDeltaWaves.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ObjectDeltaWaves.java
@@ -402,12 +402,12 @@ public ObjectDeltaWavesType toObjectDeltaWavesType() throws SchemaException {
     }
 
     // don't forget to apply provisioning definitions to resulting deltas (it's the client responsibility)
-    public static ObjectDeltaWaves fromObjectDeltaWavesType(ObjectDeltaWavesType secondaryDeltas, PrismContext prismContext) throws SchemaException {
+    public static <O extends ObjectType> ObjectDeltaWaves<O> fromObjectDeltaWavesType(ObjectDeltaWavesType secondaryDeltas, PrismContext prismContext) throws SchemaException {
         if (secondaryDeltas == null) {
             return null;
         }
 
-        ObjectDeltaWaves retval = new ObjectDeltaWaves();
+        ObjectDeltaWaves<O> retval = new ObjectDeltaWaves<>();
 
         int max = 0;
         for (ObjectDeltaWaveType odwt : secondaryDeltas.getWave()) {
@@ -416,7 +416,7 @@ public static ObjectDeltaWaves fromObjectDeltaWavesType(ObjectDeltaWavesType sec
             }
         }
 
-        ObjectDelta[] wavesAsArray = new ObjectDelta[max+1];
+        ObjectDelta<O>[] wavesAsArray = new ObjectDelta[max+1];
         for (ObjectDeltaWaveType odwt : secondaryDeltas.getWave()) {
             wavesAsArray[odwt.getNumber()] = DeltaConvertor.createObjectDelta(odwt.getDelta(), prismContext);
         }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java
index 09883176e62..9da968af79a 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -410,21 +410,6 @@ private <F extends ObjectType> void loadFromSystemConfig(LensContext<F> context,
 		    context.setAccountSynchronizationSettings(globalAccountSynchronizationSettings);
 		}
 		
-		if (context.getGlobalPasswordPolicy() == null){
-			
-			ValuePolicyType globalPasswordPolicy = systemConfigurationType.getGlobalPasswordPolicy();
-			
-			if (globalPasswordPolicy == null){
-				if (systemConfigurationType.getGlobalPasswordPolicyRef() != null){
-					PrismObject<ValuePolicyType> passwordPolicy = cacheRepositoryService.getObject(ValuePolicyType.class, systemConfigurationType.getGlobalPasswordPolicyRef().getOid(), null, result);
-					if (passwordPolicy != null){
-						globalPasswordPolicy = passwordPolicy.asObjectable();
-					}
-				}
-			}
-			
-			context.setGlobalPasswordPolicy(globalPasswordPolicy);
-		}
 	}
 
     // expects that object policy configuration is already set in focusContext
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/CredentialsProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/CredentialsProcessor.java
index 71fc5812db4..5a60f512586 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/CredentialsProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/CredentialsProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,13 +22,17 @@
 import com.evolveum.midpoint.model.common.expression.StringPolicyResolver;
 import com.evolveum.midpoint.model.common.mapping.Mapping;
 import com.evolveum.midpoint.model.common.mapping.MappingFactory;
+import com.evolveum.midpoint.model.impl.ModelObjectResolver;
 import com.evolveum.midpoint.model.impl.lens.LensContext;
 import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
 import com.evolveum.midpoint.model.impl.lens.LensProjectionContext;
 import com.evolveum.midpoint.model.impl.lens.LensUtil;
 import com.evolveum.midpoint.model.impl.lens.OperationalDataManager;
+import com.evolveum.midpoint.model.impl.security.SecurityHelper;
 import com.evolveum.midpoint.model.impl.util.Utils;
 import com.evolveum.midpoint.prism.*;
+import com.evolveum.midpoint.prism.crypto.EncryptionException;
+import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.delta.*;
 import com.evolveum.midpoint.prism.delta.builder.DeltaBuilder;
 import com.evolveum.midpoint.prism.path.ItemPath;
@@ -60,10 +64,6 @@
 
 /**
  * Processor that takes password from user and synchronizes it to accounts.
- * <p/>
- * The implementation is very simple now. It only cares about password value,
- * not expiration or other password facets. It completely ignores other
- * credential types.
  *
  * @author Radovan Semancik
  */
@@ -86,14 +86,41 @@ public class CredentialsProcessor {
 	
 	@Autowired(required=true)
 	private OperationalDataManager metadataManager;
+	
+	@Autowired(required = true)
+	private SecurityHelper securityHelper;
+	
+	@Autowired(required = true)
+	Protector protector;
 
 	public <F extends FocusType> void processFocusCredentials(LensContext<F> context,
 			XMLGregorianCalendar now, Task task, OperationResult result) throws ExpressionEvaluationException,
 					ObjectNotFoundException, SchemaException, PolicyViolationException {
+		processSecurityPolicy(context, now, task, result);
 		processFocusPassword(context, now, task, result);
 		processFocusNonce(context, now, task, result);
 	}
-
+	
+	private <F extends FocusType> void processSecurityPolicy(LensContext<F> context, XMLGregorianCalendar now,
+			Task task, OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException,
+					SchemaException, PolicyViolationException {
+		LensFocusContext<F> focusContext = context.getFocusContext();
+		SecurityPolicyType securityPolicy = focusContext.getSecurityPolicy();
+		if (securityPolicy == null) {
+			securityPolicy = securityHelper.locateSecurityPolicy(focusContext.getObjectAny(), context.getSystemConfiguration(), task, result);
+			if (securityPolicy == null) {
+				// store empty policy to avoid repeated lookups
+				securityPolicy = new SecurityPolicyType();
+			}
+			focusContext.setSecurityPolicy(securityPolicy);
+		}
+		if (LOGGER.isTraceEnabled()) {
+			LOGGER.trace("Security policy:\n{}", securityPolicy==null?null:securityPolicy.asPrismObject().debugDump(1));
+		} else {
+			LOGGER.debug("Security policy: {}", securityPolicy);
+		}
+	}
+		
 	private <F extends FocusType> void processFocusPassword(LensContext<F> context, XMLGregorianCalendar now,
 			Task task, OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException,
 					SchemaException, PolicyViolationException {
@@ -188,7 +215,7 @@ public void setOutputDefinition(ItemDefinition outputDefinition) {
 			}
 			@Override
 			public StringPolicyType resolve() {
-				ValuePolicyType passwordPolicy = projCtx.getEffectivePasswordPolicy();
+				ValuePolicyType passwordPolicy = passwordPolicyProcessor.determinePasswordPolicy(context, projCtx, task, result);
 				if (passwordPolicy == null) {
 					return null;
 				}
@@ -264,8 +291,7 @@ private void checkExistingDeltaSanity(LensProjectionContext projCtx,
 	}
 
 	private <F extends FocusType, R extends AbstractCredentialType> void processFocusCredentialsCommon(LensContext<F> context,
-			ItemPath credentialsPath, 
-			XMLGregorianCalendar now, Task task, OperationResult result)
+			ItemPath credentialsPath, XMLGregorianCalendar now, Task task, OperationResult result)
 					throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException {
 
 		LensFocusContext<F> focusContext = context.getFocusContext();
@@ -380,4 +406,78 @@ private <R extends AbstractCredentialType> boolean hasMetadata(PrismContainerVal
 		return false;
 	}
 
+	/**
+	 * Called from ChangeExecutor. Will modify the execution deltas to hash or remove credentials if needed.
+	 */
+	public <O extends ObjectType> ObjectDelta<O> transformFocusExectionDelta(LensContext<O> context, ObjectDelta<O> focusDelta) throws SchemaException, EncryptionException {
+		LensFocusContext<O> focusContext = context.getFocusContext();
+		SecurityPolicyType securityPolicy = focusContext.getSecurityPolicy();
+		if (securityPolicy == null) {
+			return focusDelta;
+		}
+		CredentialsPolicyType credsType = securityPolicy.getCredentials();
+		if (credsType == null) {
+			return focusDelta;
+		}
+		ObjectDelta<O> transformedDelta = focusDelta.clone();
+		transformFocusExectionDeltaCredential(context, credsType, credsType.getPassword(), SchemaConstants.PATH_PASSWORD_VALUE, transformedDelta);
+		// TODO: nonce and others
+		
+		return transformedDelta;
+	}
+
+	private <O extends ObjectType> void transformFocusExectionDeltaCredential(LensContext<O> context,
+			CredentialsPolicyType credsType, CredentialPolicyType credPolicyType,
+			ItemPath valuePropertyPath, ObjectDelta<O> delta) throws SchemaException, EncryptionException {
+		if (delta.isDelete()) {
+			return;
+		}
+		CredentialPolicyType defaltCredPolicyType = credsType.getDefault();
+		CredentialsStorageMethodType storageMethod = null;
+		if (credPolicyType != null && credPolicyType.getStorageMethod() != null) {
+			storageMethod = credPolicyType.getStorageMethod();
+		} else if (defaltCredPolicyType != null && defaltCredPolicyType.getStorageMethod() != null) {
+			storageMethod = defaltCredPolicyType.getStorageMethod();
+		}
+		if (storageMethod == null) {
+			return;
+		}
+		CredentialsStorageTypeType storageType = storageMethod.getStorageType();
+		if (storageType == null || storageType == CredentialsStorageTypeType.ENCRYPTION) {
+			return;
+		} else if (storageType == CredentialsStorageTypeType.HASHING) {
+			PrismPropertyValue<ProtectedStringType> pval = null;
+			if (delta.isAdd()) {
+				PrismProperty<ProtectedStringType> prop = delta.getObjectToAdd().findProperty(valuePropertyPath);
+				hashValues(prop.getValues(), storageMethod);
+			} else {
+				PropertyDelta<ProtectedStringType> propDelta = delta.findPropertyDelta(valuePropertyPath);
+				if (propDelta != null) {
+					hashValues(propDelta.getValuesToAdd(), storageMethod);
+					hashValues(propDelta.getValuesToReplace(), storageMethod);
+					hashValues(propDelta.getValuesToDelete(), storageMethod);
+				}
+			}
+		} else if (storageType == CredentialsStorageTypeType.NONE) {
+			if (delta.isAdd()) {
+				delta.getObjectToAdd().removeProperty(valuePropertyPath);
+			} else {
+				delta.removePropertyModification(valuePropertyPath);
+			}
+		} else {
+			throw new SchemaException("Unkwnon storage type "+storageType);
+		}
+		
+	}
+
+	private void hashValues(Collection<PrismPropertyValue<ProtectedStringType>> values,
+			CredentialsStorageMethodType storageMethod) throws SchemaException, EncryptionException {
+		if (values == null) {
+			return;
+		}
+		for (PrismPropertyValue<ProtectedStringType> pval: values) {
+			protector.hash(pval.getValue());
+		}
+	}
+
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/InboundProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/InboundProcessor.java
index 66b4138a534..ab98c672ad5 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/InboundProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/InboundProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -78,6 +78,9 @@ public class InboundProcessor {
     @Autowired
     private ContextLoader contextLoader;
     
+    @Autowired
+    private PasswordPolicyProcessor passwordPolicyProcessor;
+    
     @Autowired
     private MappingEvaluator mappingEvaluator;
     
@@ -423,7 +426,7 @@ private <A, F extends FocusType, V extends PrismValue,D extends ItemDefinition>
     			.addVariableDefinition(ExpressionConstants.VAR_ACCOUNT, account)
 				.addVariableDefinition(ExpressionConstants.VAR_SHADOW, account)
 				.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, resource)
-				.stringPolicyResolver(createStringPolicyResolver(context))
+				.stringPolicyResolver(createStringPolicyResolver(context, task, result))
 				.originType(OriginType.INBOUND)
 				.originObject(resource)
 				.build();
@@ -563,7 +566,7 @@ private <A, F extends FocusType, V extends PrismValue,D extends ItemDefinition>
         return outputFocusItemDelta.isEmpty() ? null : outputFocusItemDelta;
     }
 
-	private <F extends ObjectType> StringPolicyResolver createStringPolicyResolver(final LensContext<F> context) {
+	private <F extends ObjectType> StringPolicyResolver createStringPolicyResolver(final LensContext<F> context, final Task task, final OperationResult result) {
 		StringPolicyResolver stringPolicyResolver = new StringPolicyResolver() {
 			private ItemPath outputPath;
 			private ItemDefinition outputDefinition;
@@ -582,7 +585,7 @@ public StringPolicyType resolve() {
 				if (!outputDefinition.getName().equals(PasswordType.F_VALUE)) {
 					return null;
 				}
-				ValuePolicyType passwordPolicy = context.getEffectivePasswordPolicy();
+				ValuePolicyType passwordPolicy = passwordPolicyProcessor.determinePasswordPolicy(context.getFocusContext(), task, result);
 				if (passwordPolicy == null) {
 					return null;
 				}
@@ -704,7 +707,7 @@ public Mapping.Builder initialize(Mapping.Builder builder) throws SchemaExceptio
 				builder = builder.addVariableDefinition(ExpressionConstants.VAR_ACCOUNT, accountNew)
 						.addVariableDefinition(ExpressionConstants.VAR_SHADOW, accountNew)
 						.addVariableDefinition(ExpressionConstants.VAR_RESOURCE, accContext.getResource())
-						.stringPolicyResolver(createStringPolicyResolver(context))
+						.stringPolicyResolver(createStringPolicyResolver(context, task, opResult))
 						.originType(OriginType.INBOUND)
 						.originObject(accContext.getResource());
 				return builder;
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluator.java
index b9732e82c08..acb1bb004a5 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/MappingEvaluator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2015 Evolveum
+ * Copyright (c) 2013-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,26 +17,37 @@
 
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
 
+import javax.xml.bind.JAXBElement;
 import javax.xml.datatype.DatatypeConstants;
 import javax.xml.datatype.XMLGregorianCalendar;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
+import com.evolveum.midpoint.model.common.expression.ExpressionUtil;
+import com.evolveum.midpoint.model.common.expression.ExpressionVariables;
+import com.evolveum.midpoint.model.common.expression.ItemDeltaItem;
+import com.evolveum.midpoint.model.common.expression.ObjectDeltaObject;
+import com.evolveum.midpoint.model.common.expression.StringPolicyResolver;
 import com.evolveum.midpoint.model.common.mapping.Mapping;
 import com.evolveum.midpoint.model.common.mapping.MappingFactory;
 import com.evolveum.midpoint.model.impl.expr.ExpressionEnvironment;
 import com.evolveum.midpoint.model.impl.expr.ModelExpressionThreadLocalHolder;
+import com.evolveum.midpoint.model.impl.lens.AssignmentPathVariables;
 import com.evolveum.midpoint.model.impl.lens.LensContext;
 import com.evolveum.midpoint.model.impl.lens.LensElementContext;
 import com.evolveum.midpoint.model.impl.lens.LensProjectionContext;
+import com.evolveum.midpoint.model.impl.lens.LensUtil;
 import com.evolveum.midpoint.model.impl.trigger.RecomputeTriggerHandler;
 import com.evolveum.midpoint.prism.Item;
 import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.OriginType;
 import com.evolveum.midpoint.prism.PrismContainerDefinition;
 import com.evolveum.midpoint.prism.PrismContainerValue;
 import com.evolveum.midpoint.prism.PrismContext;
@@ -47,18 +58,30 @@
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
 import com.evolveum.midpoint.prism.path.ItemPath;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.ObjectResolver;
 import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.util.exception.CommonException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SystemException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.GenerateExpressionEvaluatorType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.MappingStrengthType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.MappingType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.StringPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.TriggerType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.VariableBindingDefinitionType;
+import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
 
 /**
  * @author Radovan Semancik
@@ -74,6 +97,9 @@ public class MappingEvaluator {
 
     @Autowired
     private MappingFactory mappingFactory;
+    
+    @Autowired
+    private PasswordPolicyProcessor passwordPolicyProcessor;
 
     public <V extends PrismValue, D extends ItemDefinition, F extends ObjectType> void evaluateMapping(
 			Mapping<V,D> mapping, LensContext<F> lensContext, Task task, OperationResult parentResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException {
@@ -423,5 +449,159 @@ public void setStrongMappingWasUsed(boolean strongMappingWasUsed) {
 		
 		
 	}
+	
+    public <V extends PrismValue, D extends ItemDefinition , F extends FocusType> Mapping<V, D> createFocusMapping(final MappingFactory mappingFactory,
+    		final LensContext<F> context, final MappingType mappingType, ObjectType originObject, 
+			ObjectDeltaObject<F> focusOdo, AssignmentPathVariables assignmentPathVariables, PrismObject<SystemConfigurationType> configuration,
+			XMLGregorianCalendar now, String contextDesc, Task task, OperationResult result) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException {
+    	Integer iteration = null;
+    	String iterationToken = null;
+    	if (focusOdo.getNewObject() != null) {
+    		F focusNewType = focusOdo.getNewObject().asObjectable();
+    		iteration = focusNewType.getIteration();
+    		iterationToken = focusNewType.getIterationToken();
+    	} else if (focusOdo.getOldObject() != null) {
+    		F focusOldType = focusOdo.getOldObject().asObjectable();
+    		iteration = focusOldType.getIteration();
+    		iterationToken = focusOldType.getIterationToken();
+    	}
+    	return createFocusMapping(mappingFactory, context, mappingType, originObject, focusOdo, assignmentPathVariables,
+    			iteration, iterationToken, configuration, now, contextDesc, task, result);
+    }
+    
+    public <V extends PrismValue, D extends ItemDefinition, F extends FocusType> Mapping<V, D> createFocusMapping(final MappingFactory mappingFactory,
+    		final LensContext<F> context, final MappingType mappingType, ObjectType originObject, 
+			ObjectDeltaObject<F> focusOdo, AssignmentPathVariables assignmentPathVariables, 
+			Integer iteration, String iterationToken, PrismObject<SystemConfigurationType> configuration,
+			XMLGregorianCalendar now, String contextDesc, final Task task, OperationResult result) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException {
+
+		if (!Mapping.isApplicableToChannel(mappingType, context.getChannel())) {
+			LOGGER.trace("Mapping {} not applicable to channel {}, skipping.", mappingType, context.getChannel());
+			return null;
+		}
+
+		StringPolicyResolver stringPolicyResolver = new StringPolicyResolver() {
+			private ItemPath outputPath;
+			private ItemDefinition outputDefinition;
+			@Override
+			public void setOutputPath(ItemPath outputPath) {
+				this.outputPath = outputPath;
+			}
+
+			@Override
+			public void setOutputDefinition(ItemDefinition outputDefinition) {
+				this.outputDefinition = outputDefinition;
+			}
+
+			@Override
+			public StringPolicyType resolve() {
+				if (outputDefinition.getName().equals(PasswordType.F_VALUE)) {
+					ValuePolicyType passwordPolicy = passwordPolicyProcessor.determinePasswordPolicy(context.getFocusContext(), task, result);
+					if (passwordPolicy == null) {
+						return null;
+					}
+					return passwordPolicy.getStringPolicy();
+				}
+				if (mappingType.getExpression() != null){
+					List<JAXBElement<?>> evaluators = mappingType.getExpression().getExpressionEvaluator();
+					if (evaluators != null) {
+						for (JAXBElement jaxbEvaluator : evaluators) {
+							Object object = jaxbEvaluator.getValue();
+							if (object instanceof GenerateExpressionEvaluatorType && ((GenerateExpressionEvaluatorType) object).getValuePolicyRef() != null) {
+								ObjectReferenceType ref = ((GenerateExpressionEvaluatorType) object).getValuePolicyRef();
+								try {
+									ValuePolicyType valuePolicyType = mappingFactory.getObjectResolver().resolve(ref, ValuePolicyType.class,
+											null, "resolving value policy for generate attribute "+ outputDefinition.getName()+" value", task, new OperationResult("Resolving value policy"));
+									if (valuePolicyType != null) {
+										return valuePolicyType.getStringPolicy();
+									}
+								} catch (CommonException ex) {
+									throw new SystemException(ex.getMessage(), ex);
+								}
+							}
+						}
+
+					}
+				}
+				return null;
+
+			}
+		};
+
+		ExpressionVariables variables = new ExpressionVariables();
+		variables.addVariableDefinition(ExpressionConstants.VAR_USER, focusOdo);
+		variables.addVariableDefinition(ExpressionConstants.VAR_FOCUS, focusOdo);
+		variables.addVariableDefinition(ExpressionConstants.VAR_ITERATION, iteration);
+		variables.addVariableDefinition(ExpressionConstants.VAR_ITERATION_TOKEN, iterationToken);
+		variables.addVariableDefinition(ExpressionConstants.VAR_CONFIGURATION, configuration);
+
+		Collection<V> targetValues = computeTargetValues(mappingType.getTarget(), focusOdo, variables, mappingFactory.getObjectResolver(), contextDesc, task, result);
+
+		Mapping.Builder<V,D> mappingBuilder = mappingFactory.<V,D>createMappingBuilder(mappingType, contextDesc)
+				.sourceContext(focusOdo)
+				.targetContext(context.getFocusContext().getObjectDefinition())
+				.variables(variables)
+				.originalTargetValues(targetValues)
+				.originType(OriginType.USER_POLICY)
+				.originObject(originObject)
+				.stringPolicyResolver(stringPolicyResolver)
+				.rootNode(focusOdo)
+				.now(now);
+
+		mappingBuilder = LensUtil.addAssignmentPathVariables(mappingBuilder, assignmentPathVariables);
+
+		Mapping<V,D> mapping = mappingBuilder.build();
+
+		ItemPath itemPath = mapping.getOutputPath();
+        if (itemPath == null) {
+            // no output element, i.e. this is a "validation mapping"
+            return mapping;
+        }
+		
+		PrismObject<F> focusNew = focusOdo.getNewObject();
+		if (focusNew != null) {
+			Item<V,D> existingUserItem = (Item<V,D>) focusNew.findItem(itemPath);
+			if (existingUserItem != null && !existingUserItem.isEmpty() 
+					&& mapping.getStrength() == MappingStrengthType.WEAK) {
+				// This valueConstruction only applies if the property does not have a value yet.
+				// ... but it does
+				LOGGER.trace("Mapping {} is weak and focus already has a value {}, skipping.", mapping, existingUserItem);
+				return null;
+			}
+		}
+
+		return mapping;
+	}
+
+    private <V extends PrismValue, F extends FocusType> Collection<V> computeTargetValues(VariableBindingDefinitionType target,
+			ObjectDeltaObject<F> defaultSource, ExpressionVariables variables, ObjectResolver objectResolver, String contextDesc,
+			Task task, OperationResult result) throws SchemaException, ObjectNotFoundException {
+		if (target == null) {
+			// Is this correct? What about default targets?
+			return null;
+		}
+
+		ItemPathType itemPathType = target.getPath();
+		if (itemPathType == null) {
+			// Is this correct? What about default targets?
+			return null;
+		}
+		ItemPath path = itemPathType.getItemPath();
+
+		Object object = ExpressionUtil.resolvePath(path, variables, defaultSource, objectResolver, contextDesc, task, result);
+		if (object == null) {
+			return new ArrayList<>();
+		} else if (object instanceof Item) {
+			return ((Item) object).getValues();
+		} else if (object instanceof PrismValue) {
+			return (List<V>) Collections.singletonList((PrismValue) object);
+		} else if (object instanceof ItemDeltaItem) {
+			ItemDeltaItem<V, ?> idi = (ItemDeltaItem<V, ?>) object;
+			PrismValueDeltaSetTriple<V> triple = idi.toDeltaSetTriple();
+			return triple != null ? triple.getNonNegativeValues() : new ArrayList<V>();
+		} else {
+			throw new IllegalStateException("Unsupported target value(s): " + object.getClass() + " (" + object + ")");
+		}
+	}
 
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ObjectTemplateProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ObjectTemplateProcessor.java
index 0328f2710d5..e7798ffb5ba 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ObjectTemplateProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ObjectTemplateProcessor.java
@@ -22,6 +22,7 @@
 import java.util.Map;
 import java.util.Map.Entry;
 
+import javax.xml.bind.JAXBElement;
 import javax.xml.datatype.DatatypeConstants;
 import javax.xml.datatype.XMLGregorianCalendar;
 import javax.xml.namespace.QName;
@@ -38,11 +39,14 @@
 
 import com.evolveum.midpoint.common.ActivationComputer;
 import com.evolveum.midpoint.model.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.model.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.model.common.expression.ObjectDeltaObject;
+import com.evolveum.midpoint.model.common.expression.StringPolicyResolver;
 import com.evolveum.midpoint.model.common.mapping.Mapping;
 import com.evolveum.midpoint.model.common.mapping.MappingFactory;
 import com.evolveum.midpoint.model.common.mapping.PrismValueDeltaSetTripleProducer;
 import com.evolveum.midpoint.model.impl.ModelObjectResolver;
+import com.evolveum.midpoint.model.impl.lens.AssignmentPathVariables;
 import com.evolveum.midpoint.model.impl.lens.ItemValueWithOrigin;
 import com.evolveum.midpoint.model.impl.lens.LensContext;
 import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
@@ -50,6 +54,7 @@
 import com.evolveum.midpoint.model.impl.trigger.RecomputeTriggerHandler;
 import com.evolveum.midpoint.prism.Item;
 import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.OriginType;
 import com.evolveum.midpoint.prism.PrismContainerDefinition;
 import com.evolveum.midpoint.prism.PrismContainerValue;
 import com.evolveum.midpoint.prism.PrismContext;
@@ -62,18 +67,23 @@
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.repo.api.RepositoryService;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.DebugUtil;
+import com.evolveum.midpoint.util.exception.CommonException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.PolicyViolationException;
 import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.exception.SystemException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.GenerateExpressionEvaluatorType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.MappingStrengthType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.MappingType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.VariableBindingDefinitionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectTemplateItemDefinitionType;
@@ -81,7 +91,11 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectTemplateMappingType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectTemplateType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.StringPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.TriggerType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
 
 /**
  * Processor to handle object template.
@@ -427,7 +441,7 @@ private <V extends PrismValue, D extends ItemDefinition, F extends FocusType> XM
 			if (mappingPhase != phase) {
 				continue;
 			}
-			Mapping<V,D> mapping = LensUtil.createFocusMapping(mappingFactory, context, mappingType, objectTemplateType, focusOdo, 
+			Mapping<V,D> mapping = mappingEvaluator.createFocusMapping(mappingFactory, context, mappingType, objectTemplateType, focusOdo, 
 					null, iteration, iterationToken, context.getSystemConfiguration(), now, contextDesc, task, result);
 			if (mapping == null) {
 				continue;
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.java
index 078e84a2213..5ce5c208083 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.java
@@ -69,6 +69,7 @@
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CharacterClassType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CheckExpressionType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
@@ -76,9 +77,11 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordCredentialsPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordHistoryEntryType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordLifeTimeType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.StringLimitType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.StringPolicyType;
@@ -173,22 +176,55 @@ <F extends FocusType> void processPasswordPolicy(LensFocusContext<F> focusContex
 			}
 		}
 		
-		ValuePolicyType passwordPolicy;
-		if (focusContext.getOrgPasswordPolicy() == null) {
-			passwordPolicy = determineValuePolicy(userDelta, focusContext.getObjectAny(), context, task, result);
-			focusContext.setOrgPasswordPolicy(passwordPolicy);
-		} else {
-			passwordPolicy = focusContext.getOrgPasswordPolicy();
-		}
-		
+		ValuePolicyType passwordPolicy = determinePasswordPolicy(focusContext, task, result);		
 		processPasswordPolicy(passwordPolicy, focusContext.getObjectOld(), null, passwordValueProperty, task, result);
 		
 		if (passwordValueProperty != null && isPasswordChange) {
-			processPasswordHistoryDeltas(focusContext, context, now, task, result);
+			processPasswordHistoryDeltas(focusContext, context, focusContext.getSecurityPolicy(), now, task, result);
 		}
 
 	}
 	
+	public <O extends ObjectType> ValuePolicyType determinePasswordPolicy(LensContext<O> context, LensProjectionContext projectionContext, Task task, OperationResult result) {
+		ValuePolicyType passwordPolicy = projectionContext.getAccountPasswordPolicy();
+		
+		if (passwordPolicy == null) {
+			passwordPolicy = determinePasswordPolicy(context.getFocusContext(), task, result);
+		}
+		
+		return passwordPolicy;
+	}
+	
+	public <O extends ObjectType> ValuePolicyType determinePasswordPolicy(LensFocusContext<O> focusContext, Task task, OperationResult result) {
+		SecurityPolicyType securityPolicy = focusContext.getSecurityPolicy();
+		if (securityPolicy == null) {
+			return null;
+		}
+		CredentialsPolicyType creds = securityPolicy.getCredentials();
+		if (creds == null) {
+			return null;
+		}
+		PasswordCredentialsPolicyType password = creds.getPassword();
+		if (password == null) {
+			return null;
+		}
+		ObjectReferenceType passwordPolicyRef = password.getPasswordPolicyRef();
+		if (passwordPolicyRef == null) {
+			return null;
+		}
+		PrismObject<ValuePolicyType> passwordPolicy = passwordPolicyRef.asReferenceValue().getObject();
+		if (passwordPolicy == null) {
+			try {
+				passwordPolicy = resolver.resolve(passwordPolicyRef.asReferenceValue(), "password policy", task, result);
+			} catch (ObjectNotFoundException e) {
+				LOGGER.error("Missing password policy {}", passwordPolicyRef, e);
+				return null;
+			}
+			passwordPolicyRef.asReferenceValue().setObject(passwordPolicy);
+		}
+		return passwordPolicy.asObjectable();
+	}
+
 	private <F extends FocusType> void processPasswordPolicy(ValuePolicyType passwordPolicy, PrismObject<F> focus, PrismObject<ShadowType> projection, PrismProperty<ProtectedStringType> passwordProperty, 
 			Task task, OperationResult result) throws PolicyViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException {
 
@@ -241,132 +277,8 @@ private <F extends FocusType> boolean wasExecuted(ObjectDelta<UserType> userDelt
 		
 		return false;
 	}
-	
-	//TODO: maybe some caching of orgs?????
-	protected <T extends ObjectType, F extends FocusType> ValuePolicyType determineValuePolicy(ObjectDelta<F> userDelta, PrismObject<T> object, LensContext<F> context, Task task, OperationResult result) throws SchemaException{
-		//check the modification of organization first
-		ValuePolicyType valuePolicy = determineValuePolicy(userDelta, task, result);
-		
-		//if null, check the existing organization
-		if (valuePolicy == null){
-			valuePolicy = determineValuePolicy(object, task, result);
-		}
-		
-		//if still null, just use global policy
-		if (valuePolicy == null){
-			valuePolicy = context.getEffectivePasswordPolicy();
-		}
-		
-		if (valuePolicy != null){
-			LOGGER.trace("Value policy {} will be user to check password.", valuePolicy.getName().getOrig());
-		}
-		
-		return valuePolicy;
-	}
-	
-	protected <F extends FocusType> ValuePolicyType determineValuePolicy(ObjectDelta<F> userDelta, Task task, OperationResult result)
-			throws SchemaException {
-		if (userDelta == null) {
-			return null;
-		}
-		ReferenceDelta orgDelta = userDelta.findReferenceModification(UserType.F_PARENT_ORG_REF);
-
-		LOGGER.trace("Determining password policy from org delta.");
-		if (orgDelta == null) {
-			return null;
-		}
-
-		PrismReferenceValue orgRefValue = orgDelta.getAnyValue();
-		if (orgRefValue == null) {		// delta may be of type "replace to null"
-			return null;
-		}
-
-		ValuePolicyType passwordPolicy = null;
-		try {
-			PrismObject<OrgType> org = resolver.resolve(orgRefValue,
-					"resolving parent org ref", null, null, result);
-			OrgType orgType = org.asObjectable();
-			ObjectReferenceType ref = orgType.getPasswordPolicyRef();
-			if (ref != null) {
-				LOGGER.trace("Org {} has specified password policy.", orgType);
-				passwordPolicy = resolver.resolve(ref, ValuePolicyType.class, null,
-						"resolving password policy for organization", task, result);
-				LOGGER.trace("Resolved password policy {}", passwordPolicy);
-			}
-
-			if (passwordPolicy == null) {
-				passwordPolicy = determineValuePolicy(org, task, result);
-			}
 
-		} catch (ObjectNotFoundException e) {
-			throw new IllegalStateException(e);
-		}
-
-		return passwordPolicy;
-	}
 	
-	private ValuePolicyType determineValuePolicy(PrismObject object, Task task, OperationResult result)
-			throws SchemaException {
-		LOGGER.trace("Determining password policies from object: {}", ObjectTypeUtil.toShortString(object));
-		PrismReference orgRef = object.findReference(ObjectType.F_PARENT_ORG_REF);
-		if (orgRef == null) {
-			return null;
-		}
-		List<PrismReferenceValue> orgRefValues = orgRef.getValues();
-		ValuePolicyType resultingValuePolicy = null;
-		List<PrismObject<OrgType>> orgs = new ArrayList<PrismObject<OrgType>>();
-		try {
-			for (PrismReferenceValue orgRefValue : orgRefValues) {
-				if (orgRefValue != null) {
-
-					PrismObject<OrgType> org = resolver.resolve(orgRefValue, "resolving parent org ref", null, null, result);
-					orgs.add(org);
-					ValuePolicyType valuePolicy = resolvePolicy(org, task, result);
-
-					if (valuePolicy != null) {
-						if (resultingValuePolicy == null) {
-							resultingValuePolicy = valuePolicy;
-						} else if (!StringUtils.equals(valuePolicy.getOid(), resultingValuePolicy.getOid())) {
-							throw new IllegalStateException(
-									"Found more than one policy while trying to validate user's password. Please check your configuration");
-						}
-					}
-				}
-			}
-		} catch (ObjectNotFoundException ex) {
-			throw new IllegalStateException(ex);
-		}
-		// go deeper
-		if (resultingValuePolicy == null) {
-			for (PrismObject<OrgType> orgType : orgs) {
-				resultingValuePolicy = determineValuePolicy(orgType, task, result);
-				if (resultingValuePolicy != null) {
-					return resultingValuePolicy;
-				}
-			}
-		}
-		return resultingValuePolicy;
-	}
-	
-	private ValuePolicyType resolvePolicy(PrismObject<OrgType> org, Task task, OperationResult result)
-			throws SchemaException {
-		try {
-			OrgType orgType = org.asObjectable();
-			ObjectReferenceType ref = orgType.getPasswordPolicyRef();
-			if (ref == null) {
-				return null;
-			}
-
-			return resolver.resolve(ref, ValuePolicyType.class, null,
-					"resolving password policy for organization", task, result);
-
-		} catch (ObjectNotFoundException e) {
-			// TODO Auto-generated catch block
-			e.printStackTrace();
-			throw new IllegalStateException(e);
-		}
-
-	}
 	
 	<F extends ObjectType> void processPasswordPolicy(LensProjectionContext projectionContext, 
 			LensContext<F> context, Task task, OperationResult result) throws SchemaException, PolicyViolationException, ObjectNotFoundException, ExpressionEvaluationException{
@@ -405,14 +317,7 @@ <F extends ObjectType> void processPasswordPolicy(LensProjectionContext projecti
 			password = (PrismProperty<ProtectedStringType>) passwordValueDelta.getItemNewMatchingPath(null);
 		}
 
-		ValuePolicyType passwordPolicy = null;
-		if (isCheckOrgPolicy(context)){
-			passwordPolicy = determineValuePolicy(context.getFocusContext().getObjectAny(), task, result);
-			context.getFocusContext().setOrgPasswordPolicy(passwordPolicy);
-		}
-		if (passwordPolicy == null) {
-			passwordPolicy = projectionContext.getEffectivePasswordPolicy();
-		}
+		ValuePolicyType passwordPolicy = determinePasswordPolicy(context, projectionContext, task, result);
 				
 		if (accountShadow == null) {
 			accountShadow = projectionContext.getObjectNew();
@@ -421,28 +326,7 @@ <F extends ObjectType> void processPasswordPolicy(LensProjectionContext projecti
 		processPasswordPolicy(passwordPolicy, null, accountShadow, password, task, result);
 	}
 	
-	private <F extends ObjectType> boolean isCheckOrgPolicy(LensContext<F> context) throws SchemaException{
-		LensFocusContext focusCtx = context.getFocusContext();
-		if (focusCtx == null) {
-			return false;			// TODO - ok?
-		}
 
-		if (focusCtx.getDelta() != null){
-			if (focusCtx.getDelta().isAdd()){
-				return false;
-			}
-			
-			if (focusCtx.getDelta().isModify() && focusCtx.getDelta().hasItemDelta(SchemaConstants.PATH_PASSWORD_VALUE)){
-				return false;
-			}
-		}
-		
-		if (focusCtx.getOrgPasswordPolicy() != null){
-			return false;
-		}
-		
-		return true;
-	}
 
 	public <O extends ObjectType> boolean validatePassword(String newPassword, PasswordType currentPasswordType, ValuePolicyType pp, 
 			PrismObject<O> object, String shortDesc, Task task, OperationResult parentResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException {
@@ -453,8 +337,8 @@ public <O extends ObjectType> boolean validatePassword(String newPassword, Passw
 		result.addParam("policyName", pp.getName());
 		normalize(pp);
 
-		if (newPassword == null && pp.getMinOccurs() != null
-				&& XsdTypeMapper.multiplicityToInteger(pp.getMinOccurs()) == 0) {
+		if (newPassword == null && 
+				(pp.getMinOccurs() == null || XsdTypeMapper.multiplicityToInteger(pp.getMinOccurs()) == 0)) {
 			// No password is allowed
 			result.recordSuccess();
 			return true;
@@ -472,8 +356,11 @@ public <O extends ObjectType> boolean validatePassword(String newPassword, Passw
 		testMaximalLength(newPassword, lims, result, message);
 
 		testMinimalUniqueCharacters(newPassword, lims, result, message);
-		testPasswordHistoryEntries(newPassword, currentPasswordType, pp, result, message);
-		
+		try {
+			testPasswordHistoryEntries(newPassword, currentPasswordType, pp, result, message);
+		} catch (EncryptionException e) {
+			throw new SystemException(e.getMessage(), e);
+		}
 
 		if (lims.getLimit() == null || lims.getLimit().isEmpty()) {
 			if (message.toString() == null || message.toString().isEmpty()) {
@@ -545,12 +432,18 @@ private void normalize(ValuePolicyType pp) {
 	}
 
 	private void testPasswordHistoryEntries(String newPassword, PasswordType currentPasswordType,
-			ValuePolicyType pp, OperationResult result, StringBuilder message) {
+			ValuePolicyType pp, OperationResult result, StringBuilder message) throws SchemaException, EncryptionException {
 
+		if (newPassword == null) {
+			return;
+		}
 		if (currentPasswordType == null) {
 			return;
 		}
 		
+		ProtectedStringType newPasswordPs = new ProtectedStringType();
+		newPasswordPs.setClearValue(newPassword);
+		
 		PasswordLifeTimeType lifetime = pp.getLifetime();
 		if (lifetime == null) {
 			return;
@@ -561,7 +454,7 @@ private void testPasswordHistoryEntries(String newPassword, PasswordType current
 			return;
 		}
 		
-		if (passwordEquals(newPassword, currentPasswordType.getValue())) {
+		if (passwordEquals(newPasswordPs, currentPasswordType.getValue())) {
 			appendHistoryViolationMessage(result, message);
 			return;
 		}
@@ -574,7 +467,7 @@ private void testPasswordHistoryEntries(String newPassword, PasswordType current
 				// success (history has more entries than needed)
 				return;
 			}
-			if (passwordEquals(newPassword, historyEntry.getValue())) {
+			if (passwordEquals(newPasswordPs, historyEntry.getValue())) {
 				LOGGER.trace("Password history entry #{} matched (changed {})", i, historyEntry.getChangeTimestamp());
 				appendHistoryViolationMessage(result, message);
 				return;
@@ -778,8 +671,11 @@ private <O extends ObjectType> void testCheckExpression(String newPassword, Limi
 
 	}
 
-	private boolean passwordEquals(String newPassword, ProtectedStringType currentPassword) {
-		return determinePasswordValue(currentPassword).equals(newPassword);
+	private boolean passwordEquals(ProtectedStringType newPasswordPs, ProtectedStringType currentPassword) throws SchemaException, EncryptionException {
+		if (currentPassword == null) {
+			return newPasswordPs == null;
+		}
+		return protector.compare(newPasswordPs, currentPassword);
 	}
 
 
@@ -815,7 +711,7 @@ private String determinePasswordValue(ProtectedStringType passValue) {
 
 
 	public <F extends FocusType> void processPasswordHistoryDeltas(LensFocusContext<F> focusContext,
-			LensContext<F> context, XMLGregorianCalendar now, Task task, OperationResult result)
+			LensContext<F> context, SecurityPolicyType securityPolicy, XMLGregorianCalendar now, Task task, OperationResult result)
 					throws SchemaException {
 		PrismObject<F> focus = focusContext.getObjectOld();
 		Validate.notNull(focus, "Focus object must not be null");
@@ -828,7 +724,7 @@ public <F extends FocusType> void processPasswordHistoryDeltas(LensFocusContext<
 			PrismContainer<PasswordHistoryEntryType> historyEntries = password
 					.findOrCreateContainer(PasswordType.F_HISTORY_ENTRY);
 
-			int maxPasswordsToSave = getMaxPasswordsToSave(context.getFocusContext(), context, task, result);
+			int maxPasswordsToSave = getMaxPasswordsToSave(context.getFocusContext(), context, securityPolicy, task, result);
 			
 			List<PasswordHistoryEntryType> historyEntryValues = getSortedHistoryList(historyEntries, true);
 			int newHistoryEntries = 0;
@@ -840,25 +736,50 @@ public <F extends FocusType> void processPasswordHistoryDeltas(LensFocusContext<
 	}
 	
 	private <F extends FocusType> int getMaxPasswordsToSave(LensFocusContext<F> focusContext,
-			LensContext<F> context, Task task, OperationResult result) throws SchemaException {
-		ValuePolicyType passwordPolicy;
-		if (focusContext.getOrgPasswordPolicy() == null) {
-			passwordPolicy = determineValuePolicy(focusContext.getDelta(),
-					focusContext.getObjectAny(), context, task, result);
-			focusContext.setOrgPasswordPolicy(passwordPolicy);
-		} else {
-			passwordPolicy = focusContext.getOrgPasswordPolicy();
-		}
+			LensContext<F> context, SecurityPolicyType securityPolicy, Task task, OperationResult result) throws SchemaException {
 
+		if (securityPolicy == null) {
+			return 0;
+		}
+		
+		CredentialsPolicyType creds = securityPolicy.getCredentials();
+		if (creds == null) {
+			return 0;
+		}
+		
+		PasswordCredentialsPolicyType passwordCredsType = creds.getPassword();
+		if (passwordCredsType == null) {
+			return 0;
+		}
+		
+		Integer historyLength = passwordCredsType.getHistoryLength();
+		if (historyLength != null) {
+			if (historyLength < 0) {
+				return 0;
+			}
+			// One less than the history. The "first" history entry is the current password itself.
+			return historyLength - 1;
+		}
+		
+		// LEGACY, deprecated
+		
+		ObjectReferenceType passwordPolicyRef = passwordCredsType.getPasswordPolicyRef();
+		if (passwordPolicyRef == null) {
+			return 0;
+		}
+		
+		PrismObject<ValuePolicyType> passwordPolicy = passwordPolicyRef.asReferenceValue().getObject();
 		if (passwordPolicy == null) {
 			return 0;
 		}
 		
-		if (passwordPolicy.getLifetime() == null) {
+		ValuePolicyType passwordPolicyType = passwordPolicy.asObjectable();
+		
+		if (passwordPolicyType.getLifetime() == null) {
 			return 0;
 		}
 
-		Integer passwordHistoryLength = passwordPolicy.getLifetime().getPasswordHistoryLength();
+		Integer passwordHistoryLength = passwordPolicyType.getLifetime().getPasswordHistoryLength();
 		if (passwordHistoryLength == null) {
 			return 0;
 		}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/AuthenticationEvaluatorImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/AuthenticationEvaluatorImpl.java
index 28d8e1898b3..1d089305d75 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/AuthenticationEvaluatorImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/AuthenticationEvaluatorImpl.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2016 Evolveum
+ * Copyright (c) 2016-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.security.api.UserProfileService;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
+import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
@@ -241,8 +242,12 @@ private MidPointPrincipal getAndCheckPrincipal(ConnectionEnvironment connEnv, St
 		} catch (ObjectNotFoundException e) {
 			recordAuthenticationFailure(enteredUsername, connEnv, "no user");
 			throw new UsernameNotFoundException("web.security.provider.invalid");
+		} catch (SchemaException e) {
+			recordAuthenticationFailure(enteredUsername, connEnv, "schema error");
+			throw new AccessDeniedException("web.security.provider.invalid");
 		}
 		
+		
 		if (principal == null) {
 			recordAuthenticationFailure(enteredUsername, connEnv, "no user");
 			throw new UsernameNotFoundException("web.security.provider.invalid");
@@ -268,7 +273,7 @@ private boolean hasAnyAuthorization(MidPointPrincipal principal) {
 		return false;
 	}
 
-	private <T extends AbstractCredentialPolicyType> void checkPasswordValidityAndAge(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal, ProtectedStringType protectedString, MetadataType passwordMetadata, 
+	private <T extends CredentialPolicyType> void checkPasswordValidityAndAge(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal, ProtectedStringType protectedString, MetadataType passwordMetadata, 
 			T passwordCredentialsPolicy) {
 		if (protectedString == null) {
 			recordAuthenticationFailure(principal, connEnv, "no stored password value");
@@ -319,21 +324,21 @@ private String getPassword(ConnectionEnvironment connEnv, @NotNull MidPointPrinc
 		return decryptedPassword;
 	}
 
-	private boolean isLockedOut(AbstractCredentialType credentialsType, AbstractCredentialPolicyType credentialsPolicy) {
+	private boolean isLockedOut(AbstractCredentialType credentialsType, CredentialPolicyType credentialsPolicy) {
 		return isOverFailedLockoutAttempts(credentialsType, credentialsPolicy) && !isLockoutExpired(credentialsType, credentialsPolicy);
 	}
 	
-	private boolean isOverFailedLockoutAttempts(AbstractCredentialType credentialsType, AbstractCredentialPolicyType credentialsPolicy) {
+	private boolean isOverFailedLockoutAttempts(AbstractCredentialType credentialsType, CredentialPolicyType credentialsPolicy) {
 		int failedLogins = credentialsType.getFailedLogins() != null ? credentialsType.getFailedLogins() : 0;
 		return isOverFailedLockoutAttempts(failedLogins, credentialsPolicy);
 	}
 	
-	private boolean isOverFailedLockoutAttempts(int failedLogins, AbstractCredentialPolicyType credentialsPolicy) {
+	private boolean isOverFailedLockoutAttempts(int failedLogins, CredentialPolicyType credentialsPolicy) {
 		return credentialsPolicy != null && credentialsPolicy.getLockoutMaxFailedAttempts() != null &&
 				credentialsPolicy.getLockoutMaxFailedAttempts() > 0 && failedLogins >= credentialsPolicy.getLockoutMaxFailedAttempts();
 	}
 		
-	private boolean isLockoutExpired(AbstractCredentialType credentialsType, AbstractCredentialPolicyType credentialsPolicy) {
+	private boolean isLockoutExpired(AbstractCredentialType credentialsType, CredentialPolicyType credentialsPolicy) {
 		Duration lockoutDuration = credentialsPolicy.getLockoutDuration();
 		if (lockoutDuration == null) {
 			return false;
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/MidpointRestAuthenticationHandler.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/MidpointRestAuthenticationHandler.java
index b2a62560b12..03ca374527f 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/MidpointRestAuthenticationHandler.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/MidpointRestAuthenticationHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2016 Evolveum
+ * Copyright (c) 2013-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -117,7 +117,13 @@ public void handleRequest(Message m, ContainerRequestContext requestCtx) {
         task.setOwner(user.asPrismObject());
         
         m.put(RestServiceUtil.MESSAGE_PROPERTY_TASK_NAME, task);
-        securityEnforcer.setupPreAuthenticatedSecurityContext(user.asPrismObject());
+        try {
+        	securityEnforcer.setupPreAuthenticatedSecurityContext(user.asPrismObject());
+        } catch (SchemaException e) {
+			securityHelper.auditLoginFailure(enteredUsername, user, connEnv, "Schema error: "+e.getMessage());
+			requestCtx.abortWith(Response.status(Status.BAD_REQUEST).build());
+			return;
+		}
         
         LOGGER.trace("Authenticated to REST service as {}", user);
            
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java
index bed7732bd5d..07fcfa973cb 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2015-2016 Evolveum
+ * Copyright (c) 2015-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,15 +19,38 @@
 import com.evolveum.midpoint.audit.api.AuditEventStage;
 import com.evolveum.midpoint.audit.api.AuditEventType;
 import com.evolveum.midpoint.audit.api.AuditService;
+import com.evolveum.midpoint.model.impl.ModelObjectResolver;
+import com.evolveum.midpoint.model.impl.lens.LensContext;
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.PrismReference;
+import com.evolveum.midpoint.prism.PrismReferenceValue;
+import com.evolveum.midpoint.prism.delta.ObjectDelta;
+import com.evolveum.midpoint.prism.delta.ReferenceDelta;
+import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
+import com.evolveum.midpoint.schema.util.ObjectResolver;
+import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
 import com.evolveum.midpoint.security.api.ConnectionEnvironment;
+import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
+import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
+import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordCredentialsPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
 import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
+
+import org.apache.commons.lang3.StringUtils;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -40,6 +63,9 @@
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
+import java.util.ArrayList;
+import java.util.List;
+
 import javax.xml.soap.SOAPMessage;
 
 /**
@@ -55,8 +81,12 @@ public class SecurityHelper {
 
     @Autowired
     private TaskManager taskManager;
+    
     @Autowired
     private AuditService auditService;
+    
+    @Autowired(required = true)
+    private ModelObjectResolver objectResolver;
 
     public void auditLoginSuccess(@NotNull UserType user, @NotNull ConnectionEnvironment connEnv) {
         auditLogin(user.getName().getOrig(), user, connEnv, OperationResultStatus.SUCCESS, null);
@@ -150,4 +180,109 @@ public SOAPMessage getSOAPMessage(SoapMessage msg) {
         SAAJInInterceptor.INSTANCE.handleMessage(msg);
         return msg.getContent(SOAPMessage.class);
     }
+    
+    public <F extends FocusType> SecurityPolicyType locateSecurityPolicy(PrismObject<F> user, PrismObject<SystemConfigurationType> systemConfiguration, Task task, OperationResult result) throws SchemaException {
+    	SecurityPolicyType orgSecurityPolicy = determineOrgSecurityPolicy(user, task, result);
+    	if (orgSecurityPolicy != null) {
+    		return orgSecurityPolicy;
+    	}
+    	if (systemConfiguration == null) {
+			return null;
+		}
+		ObjectReferenceType globalSecurityPolicyRef = systemConfiguration.asObjectable().getGlobalSecurityPolicyRef();
+		if (globalSecurityPolicyRef == null) {
+			return null;
+		}
+		try {
+			return objectResolver.resolve(globalSecurityPolicyRef, SecurityPolicyType.class, null, "global security policy reference in system configuration", task, result);
+		} catch (ObjectNotFoundException | SchemaException e) {
+			LOGGER.error(e.getMessage(), e);
+			return null;
+		}
+	}
+
+	private <O extends ObjectType> SecurityPolicyType determineOrgSecurityPolicy(PrismObject<O> object, Task task, OperationResult result)
+			throws SchemaException {
+		LOGGER.trace("Determining security policies from object: {}", object);
+		PrismReference orgRef = object.findReference(ObjectType.F_PARENT_ORG_REF);
+		if (orgRef == null) {
+			return null;
+		}
+		List<PrismReferenceValue> orgRefValues = orgRef.getValues();
+		SecurityPolicyType resultingSecurityPolicy = null;
+		List<PrismObject<OrgType>> orgs = new ArrayList<PrismObject<OrgType>>();
+		try {
+			for (PrismReferenceValue orgRefValue : orgRefValues) {
+				if (orgRefValue != null) {
+
+					PrismObject<OrgType> org = objectResolver.resolve(orgRefValue, "resolving parent org ref", null, null, result);
+					orgs.add(org);
+					SecurityPolicyType securityPolicy = resolveOrgSecurityPolicy(org, task, result);
+
+					if (securityPolicy != null) {
+						if (resultingSecurityPolicy == null) {
+							resultingSecurityPolicy = securityPolicy;
+						} else if (!StringUtils.equals(securityPolicy.getOid(), resultingSecurityPolicy.getOid())) {
+							throw new SchemaException(
+									"Found more than one security policy for user. Please check your configuration");
+						}
+					}
+				}
+			}
+		} catch (ObjectNotFoundException ex) {
+			throw new IllegalStateException(ex);
+		}
+		// go deeper
+		if (resultingSecurityPolicy == null) {
+			for (PrismObject<OrgType> orgType : orgs) {
+				resultingSecurityPolicy = determineOrgSecurityPolicy(orgType, task, result);
+				if (resultingSecurityPolicy != null) {
+					return resultingSecurityPolicy;
+				}
+			}
+		}
+		return resultingSecurityPolicy;
+	}
+
+	private SecurityPolicyType resolveOrgSecurityPolicy(PrismObject<OrgType> org, Task task, OperationResult result)
+			throws SchemaException {
+		try {
+			SecurityPolicyType securityPolicy = null;
+			OrgType orgType = org.asObjectable();
+			ObjectReferenceType securityPolicyRef = orgType.getSecurityPolicyRef();
+			if (securityPolicyRef != null) {
+				LOGGER.trace("Org {} has specified security policy.", orgType);
+				securityPolicy = objectResolver.resolve(securityPolicyRef, SecurityPolicyType.class, null,
+						"resolving security policy for organization", task, result);
+				LOGGER.trace("Resolved security policy {}", securityPolicy);				
+			} else {
+				ObjectReferenceType paswordPolicyRef = orgType.getPasswordPolicyRef();
+				if (paswordPolicyRef != null) {
+					LOGGER.trace("Org {} has specified password policy.", orgType);
+					ValuePolicyType passordPolicy = objectResolver.resolve(paswordPolicyRef, ValuePolicyType.class, null,
+							"resolving password policy for organization", task, result);
+					LOGGER.trace("Resolved password policy {}", securityPolicy);
+					securityPolicy = createSecurityPolicy(passordPolicy);
+				}
+			}
+			
+			return securityPolicy;
+
+		} catch (ObjectNotFoundException e) {
+			LOGGER.error("Cannot find policy: {}", e.getMessage(), e);
+			return null;
+		}
+	}
+	
+	private SecurityPolicyType createSecurityPolicy(ValuePolicyType passordPolicy) {
+		SecurityPolicyType securityPolicy = new SecurityPolicyType();
+		CredentialsPolicyType creds = new CredentialsPolicyType();
+		PasswordCredentialsPolicyType passd = new PasswordCredentialsPolicyType();
+		ObjectReferenceType passwordPolicyRef = new ObjectReferenceType();
+		passwordPolicyRef.asReferenceValue().setObject(passordPolicy.asPrismObject());
+		passd.setPasswordPolicyRef(passwordPolicyRef);
+		creds.setPassword(passd);
+		securityPolicy.setCredentials(creds);
+		return securityPolicy;
+	}
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SpringAuthenticationInjectorInterceptor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SpringAuthenticationInjectorInterceptor.java
index fde260fd76e..97a04a695fa 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SpringAuthenticationInjectorInterceptor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SpringAuthenticationInjectorInterceptor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -128,7 +128,16 @@ public void handleMessage(SoapMessage message) throws Fault {
             	throw createFault(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
             }
             
-        	MidPointPrincipal principal = userDetailsService.getPrincipal(username);
+            MidPointPrincipal principal;
+            try {
+            	principal = userDetailsService.getPrincipal(username);
+            } catch (SchemaException e) {
+				LOGGER.debug("Access to web service denied for user '{}': schema error: {}",
+						username, e.getMessage(), e);
+				message.put(SecurityHelper.CONTEXTUAL_PROPERTY_AUDITED_NAME, true);
+				securityHelper.auditLoginFailure(username, null, connEnv, "Schema error: "+e.getMessage());
+				throw new Fault(e);
+			}
         	LOGGER.trace("Principal: {}", principal);
         	if (principal == null) {
         		message.put(SecurityHelper.CONTEXTUAL_PROPERTY_AUDITED_NAME, true);
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileServiceImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileServiceImpl.java
index 494b5d436c7..7077cae110b 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileServiceImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileServiceImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -94,6 +94,9 @@ public class UserProfileServiceImpl implements UserProfileService, UserDetailsSe
 
     @Autowired(required = true)
     private MappingEvaluator mappingEvaluator;
+    
+    @Autowired(required = true)
+    private SecurityHelper securityHelper;
 
     @Autowired(required = true)
     private UserComputer userComputer;
@@ -111,7 +114,7 @@ public class UserProfileServiceImpl implements UserProfileService, UserDetailsSe
     private TaskManager taskManager;
 
     @Override
-    public MidPointPrincipal getPrincipal(String username) throws ObjectNotFoundException {
+    public MidPointPrincipal getPrincipal(String username) throws ObjectNotFoundException, SchemaException {
     	OperationResult result = new OperationResult(OPERATION_GET_PRINCIPAL);
     	PrismObject<UserType> user = null;
         try {
@@ -130,12 +133,12 @@ public MidPointPrincipal getPrincipal(String username) throws ObjectNotFoundExce
     }
 
     @Override
-    public MidPointPrincipal getPrincipal(PrismObject<UserType> user) {
+    public MidPointPrincipal getPrincipal(PrismObject<UserType> user) throws SchemaException {
     	OperationResult result = new OperationResult(OPERATION_GET_PRINCIPAL);
     	return createPrincipal(user, result);
     }
     
-    private MidPointPrincipal createPrincipal(PrismObject<UserType> user, OperationResult result) {
+    private MidPointPrincipal createPrincipal(PrismObject<UserType> user, OperationResult result) throws SchemaException {
         if (user == null) {
             return null;
         }
@@ -180,7 +183,7 @@ private PrismObject<UserType> findByUsername(String username, OperationResult re
         return list.get(0);
     }
         
-	private void initializePrincipalFromAssignments(MidPointPrincipal principal, PrismObject<SystemConfigurationType> systemConfiguration) {
+	private void initializePrincipalFromAssignments(MidPointPrincipal principal, PrismObject<SystemConfigurationType> systemConfiguration) throws SchemaException {
 		UserType userType = principal.getUser();
 
 		Collection<Authorization> authorizations = principal.getAuthorities();
@@ -189,7 +192,7 @@ private void initializePrincipalFromAssignments(MidPointPrincipal principal, Pri
 		Task task = taskManager.createTaskInstance(UserProfileServiceImpl.class.getName() + ".addAuthorizations");
         OperationResult result = task.getResult();
 
-        principal.setApplicableSecurityPolicy(locateSecurityPolicy(principal, systemConfiguration, task, result));
+        principal.setApplicableSecurityPolicy(securityHelper.locateSecurityPolicy(userType.asPrismObject(), systemConfiguration, task, result));
 
 		if (!userType.getAssignment().isEmpty()) {
 			AssignmentEvaluator<UserType> assignmentEvaluator = new AssignmentEvaluator<>();
@@ -246,22 +249,6 @@ private void initializePrincipalFromAssignments(MidPointPrincipal principal, Pri
         principal.setAdminGuiConfiguration(AdminGuiConfigTypeUtil.compileAdminGuiConfiguration(adminGuiConfigurations, systemConfiguration));
 	}
 
-	private SecurityPolicyType locateSecurityPolicy(MidPointPrincipal principal, PrismObject<SystemConfigurationType> systemConfiguration, Task task, OperationResult result) {
-		if (systemConfiguration == null) {
-			return null;
-		}
-		ObjectReferenceType globalSecurityPolicyRef = systemConfiguration.asObjectable().getGlobalSecurityPolicyRef();
-		if (globalSecurityPolicyRef == null) {
-			return null;
-		}
-		try {
-			return objectResolver.resolve(globalSecurityPolicyRef, SecurityPolicyType.class, null, "global security policy reference in system configuration", task, result);
-		} catch (ObjectNotFoundException | SchemaException e) {
-			LOGGER.error(e.getMessage(), e);
-			return null;
-		}
-	}
-
 	private MidPointPrincipal save(MidPointPrincipal person, OperationResult result) throws ObjectNotFoundException, SchemaException, ObjectAlreadyExistsException {
         UserType oldUserType = getUserByOid(person.getOid(), result);
         PrismObject<UserType> oldUser = oldUserType.asPrismObject();
@@ -323,6 +310,8 @@ public UserDetails loadUserByUsername(String username) throws UsernameNotFoundEx
 			return getPrincipal(username);
 		} catch (ObjectNotFoundException e) {
 			throw new UsernameNotFoundException(e.getMessage(), e);
+		} catch (SchemaException e) {
+			throw new SystemException(e.getMessage(), e);
 		}
 	}
 
@@ -333,6 +322,8 @@ public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
 			return getPrincipal(username);
 		} catch (ObjectNotFoundException e) {
 			throw new UsernameNotFoundException(e.getMessage(), e);
+		} catch (SchemaException e) {
+			throw new SystemException(e.getMessage(), e);
 		}
 	}
 
diff --git a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPasswordPolicyProcessor.java b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPasswordPolicyProcessor.java
index d316bc8b7f3..cc58ec7b4dc 100644
--- a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPasswordPolicyProcessor.java
+++ b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPasswordPolicyProcessor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,7 +30,6 @@
 import org.testng.annotations.Test;
 
 import com.evolveum.midpoint.prism.PrismObject;
-import com.evolveum.midpoint.prism.crypto.EncryptionException;
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
 import com.evolveum.midpoint.schema.result.OperationResult;
@@ -39,11 +38,13 @@
 import com.evolveum.midpoint.test.util.TestUtil;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.PolicyViolationException;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordCredentialsPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordHistoryEntryType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 
@@ -269,8 +270,8 @@ public void test202createUserJackNoPasswordHistory() throws Exception {
 	}
 
 	@Test
-	public void test203modifyUserJackPasswordNoPasswordHisotry() throws Exception {
-		final String TEST_NAME = "test202modifyUserJackPasswordNoPasswordHisotry";
+	public void test203modifyUserJackPasswordNoPasswordHistory() throws Exception {
+		final String TEST_NAME = "test203modifyUserJackPasswordNoPasswordHistory";
 		TestUtil.displayTestTile(TEST_NAME);
 		Task task = taskManager.createTaskInstance(TEST_NAME);
 		OperationResult result = task.getResult();
@@ -306,20 +307,10 @@ private void initPasswordPolicy(String title, String passwordPolicyOid) throws E
 		OperationResult result = task.getResult();
 
 		ObjectReferenceType passwordPolicyRef = ObjectTypeUtil.createObjectRef(passwordPolicyOid,
-				ObjectTypes.PASSWORD_POLICY);
-		modifyObjectReplaceReference(SystemConfigurationType.class, SYSTEM_CONFIGURATION_OID,
-				SystemConfigurationType.F_GLOBAL_PASSWORD_POLICY_REF, task, result,
-				passwordPolicyRef.asReferenceValue());
-
-		PrismObject<SystemConfigurationType> systemConfiguration = getObject(SystemConfigurationType.class,
-				SYSTEM_CONFIGURATION_OID);
-		assertNotNull("System configuration cannot be null", systemConfiguration);
-
-		SystemConfigurationType systemConfigurationType = systemConfiguration.asObjectable();
-		ObjectReferenceType globalPasswordPolicy = systemConfigurationType.getGlobalPasswordPolicyRef();
-		assertNotNull("Expected that global password policy is configured", globalPasswordPolicy);
-		assertEquals("Password policies don't match", passwordPolicyOid, globalPasswordPolicy.getOid());
-
+				ObjectTypes.PASSWORD_POLICY);		
+		modifyObjectReplaceReference(SecurityPolicyType.class, SECURITY_POLICY_OID,
+				new ItemPath(SecurityPolicyType.F_CREDENTIALS, CredentialsPolicyType.F_PASSWORD, PasswordCredentialsPolicyType.F_PASSWORD_POLICY_REF),
+        		task, result, passwordPolicyRef.asReferenceValue());
 	}
 
 }
diff --git a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/security/TestAuthenticationEvaluator.java b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/security/TestAuthenticationEvaluator.java
index 45530f959c8..e9353697d00 100644
--- a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/security/TestAuthenticationEvaluator.java
+++ b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/security/TestAuthenticationEvaluator.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2016 Evolveum
+ * Copyright (c) 2016-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -114,14 +114,14 @@ public void updateUser(MidPointPrincipal principal) {
 			}
 			
 			@Override
-			public MidPointPrincipal getPrincipal(PrismObject<UserType> user) {
+			public MidPointPrincipal getPrincipal(PrismObject<UserType> user) throws SchemaException {
 				MidPointPrincipal principal = userProfileService.getPrincipal(user);
 				addFakeAuthorization(principal);
 				return principal;
 			}
 			
 			@Override
-			public MidPointPrincipal getPrincipal(String username) throws ObjectNotFoundException {
+			public MidPointPrincipal getPrincipal(String username) throws ObjectNotFoundException, SchemaException {
 				MidPointPrincipal principal = userProfileService.getPrincipal(username);
 				addFakeAuthorization(principal);
 				return principal;
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
index 1ff27272316..cf3594f67ec 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
@@ -28,6 +28,7 @@
 import com.evolveum.midpoint.prism.schema.PrismSchema;
 import com.evolveum.midpoint.schema.constants.MidPointConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.internals.InternalsConfig;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.test.DummyResourceContoller;
@@ -467,6 +468,8 @@ public AbstractConfiguredModelIntegrationTest() {
 	@Override
 	public void initSystem(Task initTask,  OperationResult initResult) throws Exception {
 		LOGGER.trace("initSystem");
+		// We want logging config from logback-test.xml and not from system config object
+		InternalsConfig.avoidLoggingChange = true;
 		super.initSystem(initTask, initResult);
 			
 		modelService.postInit(initResult);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestAudit.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestAudit.java
index 763047a4a99..1654e9380df 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestAudit.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestAudit.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016 Evolveum
+ * Copyright (c) 2016-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -586,10 +586,10 @@ public void test300ConcurrentAudits() throws Exception {
 		for (int i = 0; i < NUM_THREADS; i++) {
 			final int index = i;
 			Thread thread = new Thread(() -> {
-				login(userAdministrator);
-				Task threadTask = taskManager.createTaskInstance(TestAudit.class.getName() + "." + TEST_NAME);
-				OperationResult threadResult = threadTask.getResult();
 				try {
+					login(userAdministrator);
+					Task threadTask = taskManager.createTaskInstance(TestAudit.class.getName() + "." + TEST_NAME);
+					OperationResult threadResult = threadTask.getResult();
 					for (int iteration = 0; iteration < ITERATIONS; iteration++) {
 						display("Executing iteration " + iteration + " on user " + index);
 						ObjectDelta delta = DeltaBuilder.deltaFor(UserType.class, prismContext)
@@ -657,10 +657,10 @@ public void test310ConcurrentAuditsRaw() throws Exception {
 		for (int i = 0; i < NUM_THREADS; i++) {
 			final int index = i;
 			Thread thread = new Thread(() -> {
-				login(userAdministrator);
-				Task threadTask = taskManager.createTaskInstance(TestAudit.class.getName() + "." + TEST_NAME);
-				OperationResult threadResult = threadTask.getResult();
 				try {
+					login(userAdministrator);
+					Task threadTask = taskManager.createTaskInstance(TestAudit.class.getName() + "." + TEST_NAME);
+					OperationResult threadResult = threadTask.getResult();				
 					for (int iteration = 0; iteration < ITERATIONS; iteration++) {
 						display("Executing iteration " + iteration + " in worker " + index);
 						AuditEventRecord record = new AuditEventRecord(AuditEventType.MODIFY_OBJECT, AuditEventStage.EXECUTION);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestLoggingConfiguration.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestLoggingConfiguration.java
index 11a78af6c41..cbb18f3f823 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestLoggingConfiguration.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestLoggingConfiguration.java
@@ -36,6 +36,7 @@
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.delta.PropertyDelta;
 import com.evolveum.midpoint.prism.util.PrismTestUtil;
+import com.evolveum.midpoint.schema.internals.InternalsConfig;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
@@ -65,6 +66,7 @@ public class TestLoggingConfiguration extends AbstractConfiguredModelIntegration
 	
 	@Override
 	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
+		InternalsConfig.avoidLoggingChange = false;
 		// DO NOT call super.initSystem() as this will install system config. We do not want that here.
 		userAdministrator = repoAddObjectFromFile(USER_ADMINISTRATOR_FILE, initResult);
 		repoAddObjectFromFile(ROLE_SUPERUSER_FILE, initResult);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestMultiResource.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestMultiResource.java
index af8054d291a..6cff2b67752 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestMultiResource.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestMultiResource.java
@@ -32,6 +32,7 @@
 import com.evolveum.icf.dummy.resource.DummyResource;
 import com.evolveum.icf.dummy.resource.SchemaViolationException;
 import com.evolveum.midpoint.model.api.ModelExecuteOptions;
+import com.evolveum.midpoint.model.intest.password.AbstractPasswordTest;
 import com.evolveum.midpoint.model.intest.rbac.TestRbac;
 import com.evolveum.midpoint.prism.PrismContainerValue;
 import com.evolveum.midpoint.prism.PrismObject;
@@ -1556,7 +1557,7 @@ public void test385ModifyUserJackPasswordA() throws Exception {
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.NONE);
         
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPassword.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
similarity index 90%
rename from model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPassword.java
rename to model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
index 0a3d0f80946..3b05b6e5539 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPassword.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package com.evolveum.midpoint.model.intest;
+package com.evolveum.midpoint.model.intest.password;
 
 import static com.evolveum.midpoint.test.IntegrationTestTools.display;
 import static org.testng.AssertJUnit.*;
@@ -38,11 +38,13 @@
 
 import com.evolveum.icf.dummy.resource.ConflictException;
 import com.evolveum.icf.dummy.resource.SchemaViolationException;
+import com.evolveum.midpoint.model.intest.AbstractInitializedModelIntegrationTest;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.PrismReferenceValue;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.internals.InternalsConfig;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
@@ -55,22 +57,22 @@
  */
 @ContextConfiguration(locations = {"classpath:ctx-model-intest-test-main.xml"})
 @DirtiesContext(classMode = ClassMode.AFTER_CLASS)
-public class TestPassword extends AbstractInitializedModelIntegrationTest {
+public abstract class AbstractPasswordTest extends AbstractInitializedModelIntegrationTest {
 		
-	private static final String USER_PASSWORD_1_CLEAR = "d3adM3nT3llN0Tal3s";
-	private static final String USER_PASSWORD_2_CLEAR = "bl4ckP3arl";
-	private static final String USER_PASSWORD_3_CLEAR = "wh3r3sTheRum?";
-	private static final String USER_PASSWORD_4_CLEAR = "sh1v3rM3T1mb3rs";
-	private static final String USER_PASSWORD_5_CLEAR = "s3tSa1al";
-	private static final String USER_PASSWORD_A_CLEAR = "A"; // too short
-	private static final String USER_PASSWORD_JACK_CLEAR = "12jAcK34"; // contains username
-	private static final String USER_PASSWORD_SPARROW_CLEAR = "saRRow123"; // contains familyName
-	private static final String USER_PASSWORD_VALID_1 = "abcd123";
-	private static final String USER_PASSWORD_VALID_2 = "abcd223";
-	private static final String USER_PASSWORD_VALID_3 = "abcd323";
-	private static final String USER_PASSWORD_VALID_4 = "abcd423";
-
-	private static final File TEST_DIR = new File(MidPointTestConstants.TEST_RESOURCES_DIR, "password");
+	protected static final String USER_PASSWORD_1_CLEAR = "d3adM3nT3llN0Tal3s";
+	protected static final String USER_PASSWORD_2_CLEAR = "bl4ckP3arl";
+	protected static final String USER_PASSWORD_3_CLEAR = "wh3r3sTheRum?";
+	protected static final String USER_PASSWORD_4_CLEAR = "sh1v3rM3T1mb3rs";
+	protected static final String USER_PASSWORD_5_CLEAR = "s3tSa1al";
+	protected static final String USER_PASSWORD_A_CLEAR = "A"; // too short
+	protected static final String USER_PASSWORD_JACK_CLEAR = "12jAcK34"; // contains username
+	protected static final String USER_PASSWORD_SPARROW_CLEAR = "saRRow123"; // contains familyName
+	protected static final String USER_PASSWORD_VALID_1 = "abcd123";
+	protected static final String USER_PASSWORD_VALID_2 = "abcd223";
+	protected static final String USER_PASSWORD_VALID_3 = "abcd323";
+	protected static final String USER_PASSWORD_VALID_4 = "abcd423";
+
+	protected static final File TEST_DIR = new File(MidPointTestConstants.TEST_RESOURCES_DIR, "password");
 
 	protected static final File RESOURCE_DUMMY_UGLY_FILE = new File(TEST_DIR, "resource-dummy-ugly.xml");
 	protected static final String RESOURCE_DUMMY_UGLY_OID = "10000000-0000-0000-0000-000000344104";
@@ -79,26 +81,36 @@ public class TestPassword extends AbstractInitializedModelIntegrationTest {
 	protected static final File PASSWORD_POLICY_UGLY_FILE = new File(TEST_DIR, "password-policy-ugly.xml");
 	protected static final String PASSWORD_POLICY_UGLY_OID = "cfb3fa9e-027a-11e7-8e2c-dbebaacaf4ee";
 	
-	private static final String USER_JACK_EMPLOYEE_NUMBER_NEW_BAD = "No1";
-	private static final String USER_JACK_EMPLOYEE_NUMBER_NEW_GOOD = "pir321";
+	protected static final File SECURITY_POLICY_DEFAULT_STORAGE_HASHING_FILE = new File(TEST_DIR, "security-policy-default-storage-hashing.xml");
+	protected static final String SECURITY_POLICY_DEFAULT_STORAGE_HASHING_OID = "0ea3b93c-0425-11e7-bbc1-73566dc53d59";
+	
+	protected static final File SECURITY_POLICY_PASSWORD_STORAGE_NONE_FILE = new File(TEST_DIR, "security-policy-password-storage-none.xml");
+	protected static final String SECURITY_POLICY_PASSWORD_STORAGE_NONE_OID = "2997a20a-0423-11e7-af65-a7ab7d19442c";
+	
+	protected static final String USER_JACK_EMPLOYEE_NUMBER_NEW_BAD = "No1";
+	protected static final String USER_JACK_EMPLOYEE_NUMBER_NEW_GOOD = "pir321";
 	
 	protected DummyResource dummyResourceUgly;
 	protected DummyResourceContoller dummyResourceCtlUgly;
 	protected ResourceType resourceDummyUglyType;
 	protected PrismObject<ResourceType> resourceDummyUgly;
 
-	private String accountOid;
-	private String accountRedOid;
-	private String accountUglyOid;
-	private String accountYellowOid;
-	private XMLGregorianCalendar lastPasswordChangeStart;
-	private XMLGregorianCalendar lastPasswordChangeEnd;
+	protected String accountOid;
+	protected String accountRedOid;
+	protected String accountUglyOid;
+	protected String accountYellowOid;
+	protected XMLGregorianCalendar lastPasswordChangeStart;
+	protected XMLGregorianCalendar lastPasswordChangeEnd;
 	
 	@Override
 	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
 		super.initSystem(initTask, initResult);
 		
 		importObjectFromFile(PASSWORD_POLICY_UGLY_FILE);
+		importObjectFromFile(SECURITY_POLICY_DEFAULT_STORAGE_HASHING_FILE);
+		importObjectFromFile(SECURITY_POLICY_PASSWORD_STORAGE_NONE_FILE);
+		
+		setGlobalSecurityPolicy(getSecurityPolicyOid(), initResult);
 
 		dummyResourceCtlUgly = DummyResourceContoller.create(RESOURCE_DUMMY_UGLY_NAME, resourceDummyUgly);
 		dummyResourceCtlUgly.extendSchemaPirate();
@@ -109,6 +121,8 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 
 		login(USER_ADMINISTRATOR_USERNAME);
 	}
+	
+	protected abstract String getSecurityPolicyOid();
 
 	@Test
     public void test010AddPasswordPolicy() throws Exception {
@@ -116,7 +130,7 @@ public void test010AddPasswordPolicy() throws Exception {
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.NONE);
         
@@ -144,7 +158,7 @@ public void test050CheckJackPassword() throws Exception {
         // this happens during test initialization when user-jack.xml is added
         
         // THEN
-        Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         
         PrismObject<UserType> userJack = getUser(USER_JACK_OID);
@@ -161,7 +175,7 @@ public void test051ModifyUserJackPassword() throws Exception {
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = createTask(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = createTask(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
         
@@ -194,7 +208,7 @@ public void test060CheckJackPasswordModelInteraction() throws Exception {
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = createTask(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = createTask(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
         
@@ -226,7 +240,7 @@ public void test100ModifyUserJackAssignAccount() throws Exception {
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
         
@@ -265,7 +279,7 @@ public void test110ModifyUserJackPassword() throws Exception {
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
         
@@ -298,7 +312,7 @@ public void test111ModifyAccountJackPassword() throws Exception {
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
         
@@ -331,7 +345,7 @@ public void test112ModifyJackPasswordUserAndAccount() throws Exception {
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
         
@@ -378,7 +392,7 @@ public void test120ModifyUserJackAssignAccountDummyRedAndUgly() throws Exception
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
         
@@ -421,7 +435,7 @@ public void test121ModifyJackPasswordUserAndAccountRed() throws Exception {
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
         
@@ -553,7 +567,7 @@ public void test130ModifyUserJackAssignAccountDummyYellow() throws Exception {
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
         
@@ -599,7 +613,7 @@ public void test132ModifyUserJackPasswordA() throws Exception {
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
         
@@ -649,8 +663,9 @@ public void test200ApplyPasswordPolicy() throws Exception {
         
 		PrismReferenceValue passPolicyRef = new PrismReferenceValue(PASSWORD_POLICY_GLOBAL_OID, ValuePolicyType.COMPLEX_TYPE);
 		// WHEN
-        modifyObjectReplaceReference(SystemConfigurationType.class, SystemObjectsType.SYSTEM_CONFIGURATION.value(),
-        		SystemConfigurationType.F_GLOBAL_PASSWORD_POLICY_REF, task, result, passPolicyRef);
+		modifyObjectReplaceReference(SecurityPolicyType.class, getSecurityPolicyOid(),
+				new ItemPath(SecurityPolicyType.F_CREDENTIALS, CredentialsPolicyType.F_PASSWORD, PasswordCredentialsPolicyType.F_PASSWORD_POLICY_REF),
+        		task, result, passPolicyRef);
 		
 		// THEN
 		result.computeStatus();
@@ -668,7 +683,7 @@ public void test202ReconcileUserJack() throws Exception {
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
         
@@ -777,7 +792,7 @@ public void test222ModifyUserJackPasswordBadContainer() throws Exception {
         TestUtil.displayTestTile(this, TEST_NAME);
 
         // GIVEN
-        Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+        Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
         
@@ -983,7 +998,7 @@ public void test300TwoParentOrgRefs() throws Exception {
 		TestUtil.displayTestTile(this, TEST_NAME);
 
 		// GIVEN
-		Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+		Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
 		OperationResult result = task.getResult();
 		assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
 
@@ -1048,7 +1063,7 @@ public void test310RemovePassword() throws Exception {
 		TestUtil.displayTestTile(this, TEST_NAME);
 
 		// GIVEN
-		Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+		Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
 		OperationResult result = task.getResult();
 		assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
 
@@ -1086,7 +1101,7 @@ public void test320ChangeEmployeeNumber() throws Exception {
 		TestUtil.displayTestTile(this, TEST_NAME);
 
 		// GIVEN
-		Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+		Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
 		OperationResult result = task.getResult();
 		assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
 
@@ -1115,7 +1130,7 @@ public void test330RemoveEmployeeNumber() throws Exception {
 		TestUtil.displayTestTile(this, TEST_NAME);
 
 		// GIVEN
-		Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+		Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
 		OperationResult result = task.getResult();
 		assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
 
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefault.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefault.java
new file mode 100644
index 00000000000..53b183659aa
--- /dev/null
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefault.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2010-2017 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.intest.password;
+
+import static com.evolveum.midpoint.test.IntegrationTestTools.display;
+import static org.testng.AssertJUnit.*;
+
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
+
+/**
+ * Password test with DEFAULT configuration of password storage.
+ * 
+ * @author semancik
+ *
+ */
+@ContextConfiguration(locations = {"classpath:ctx-model-intest-test-main.xml"})
+@DirtiesContext(classMode = ClassMode.AFTER_CLASS)
+public class TestPasswordDefault extends AbstractPasswordTest {
+			
+	@Override
+	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
+		super.initSystem(initTask, initResult);
+		
+	}
+
+	@Override
+	protected String getSecurityPolicyOid() {
+		return SECURITY_POLICY_OID;
+	}
+	
+}
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefaultHashing.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefaultHashing.java
new file mode 100644
index 00000000000..466200eb772
--- /dev/null
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefaultHashing.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2010-2017 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.intest.password;
+
+import static com.evolveum.midpoint.test.IntegrationTestTools.display;
+import static org.testng.AssertJUnit.*;
+
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
+
+/**
+ * Password test with HASHING storage for all credential types.
+ * 
+ * @author semancik
+ *
+ */
+@ContextConfiguration(locations = {"classpath:ctx-model-intest-test-main.xml"})
+@DirtiesContext(classMode = ClassMode.AFTER_CLASS)
+public class TestPasswordDefaultHashing extends AbstractPasswordTest {
+			
+	@Override
+	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
+		super.initSystem(initTask, initResult);
+	}
+
+	@Override
+	protected String getSecurityPolicyOid() {
+		return SECURITY_POLICY_DEFAULT_STORAGE_HASHING_OID;
+	}
+	
+}
diff --git a/model/model-intest/src/test/resources/logback-test.xml b/model/model-intest/src/test/resources/logback-test.xml
index 0494e15dcc5..6e74a791037 100644
--- a/model/model-intest/src/test/resources/logback-test.xml
+++ b/model/model-intest/src/test/resources/logback-test.xml
@@ -47,14 +47,16 @@
 	<logger name="com.evolveum.midpoint.model.impl.lens.Clockwork" level="TRACE" />
 	<logger name="com.evolveum.midpoint.model.impl.lens.projector" level="DEBUG" />
  	<logger name="com.evolveum.midpoint.model.impl.lens.projector.Projector" level="DEBUG" />
- 	<logger name="com.evolveum.midpoint.model.impl.lens.projector.ContextLoader" level="TRACE" />
+ 	<logger name="com.evolveum.midpoint.model.impl.lens.projector.ContextLoader" level="DEBUG" />
  	<logger name="com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor" level="DEBUG" />
  	<logger name="com.evolveum.midpoint.model.impl.lens.projector.InboundProcessor" level="DEBUG" />
  	<logger name="com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.FocusConstraintsChecker" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.FocusPolicyProcessor" level="DEBUG" />
+    <logger name="com.evolveum.midpoint.model.impl.lens.projector.CredentialsProcessor" level="TRACE" />
+    <logger name="com.evolveum.midpoint.model.impl.lens.projector.PasswordPolicyProcessor" level="TRACE" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.ObjectTemplateProcessor" level="DEBUG" />
-    <logger name="com.evolveum.midpoint.model.impl.lens.projector.AssignmentProcessor" level="TRACE" />
+    <logger name="com.evolveum.midpoint.model.impl.lens.projector.AssignmentProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.ProjectionValuesProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.OutboundProcessor" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.lens.projector.ConsolidationProcessor" level="DEBUG" />
@@ -90,7 +92,7 @@
     <logger name="com.evolveum.midpoint.model.impl.util.AbstractSearchIterativeTaskHandler" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.sync.SynchronizationServiceImpl" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.sync.ReconciliationTaskHandler" level="DEBUG" />
-    <logger name="com.evolveum.midpoint.model.impl.sync.RecomputeTaskHandler" level="TRACE" />
+    <logger name="com.evolveum.midpoint.model.impl.sync.RecomputeTaskHandler" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.sync.FocusValidityScannerTaskHandler" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.controller.ModelController" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.controller.ModelInteractionServiceImpl" level="DEBUG" />
diff --git a/model/model-intest/src/test/resources/password/security-policy-default-storage-hashing.xml b/model/model-intest/src/test/resources/password/security-policy-default-storage-hashing.xml
new file mode 100644
index 00000000000..55dbc02dd45
--- /dev/null
+++ b/model/model-intest/src/test/resources/password/security-policy-default-storage-hashing.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2014-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<securityPolicy oid="0ea3b93c-0425-11e7-bbc1-73566dc53d59" 
+	xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
+	<name>Security Policy: default storage hashing</name>
+	<credentials>
+		<default>
+			<storageMethod>
+				<storageType>hashing</storageType>
+			</storageMethod>
+		</default>
+		<securityQuestions>
+			<question>
+				<identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001</identifier>
+				<enabled>true</enabled>
+				<questionText>How much wood would a woodchuck chuck if woodchuck could chuck wood?</questionText>
+			</question>
+			<question>
+				<identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002</identifier>
+				<questionText>What is your mother's best friend's uncle's grandaughter's dog's mother maiden name?</questionText>
+			</question>
+		</securityQuestions>
+	</credentials>
+</securityPolicy>
diff --git a/model/model-intest/src/test/resources/password/security-policy-password-storage-none.xml b/model/model-intest/src/test/resources/password/security-policy-password-storage-none.xml
new file mode 100644
index 00000000000..38df37c8853
--- /dev/null
+++ b/model/model-intest/src/test/resources/password/security-policy-password-storage-none.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2014-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<securityPolicy oid="2997a20a-0423-11e7-af65-a7ab7d19442c" 
+	xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
+	<name>Security Policy: password storage none</name>
+	<credentials>
+		<password>
+			<storageMethod>
+				<storageType>none</storageType>
+			</storageMethod>
+		</password>
+		<securityQuestions>
+			<question>
+				<identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001</identifier>
+				<enabled>true</enabled>
+				<questionText>How much wood would a woodchuck chuck if woodchuck could chuck wood?</questionText>
+			</question>
+			<question>
+				<identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002</identifier>
+				<questionText>What is your mother's best friend's uncle's grandaughter's dog's mother maiden name?</questionText>
+			</question>
+		</securityQuestions>
+	</credentials>
+</securityPolicy>
diff --git a/model/model-intest/testng-integration.xml b/model/model-intest/testng-integration.xml
index e63125f9593..a7c97b2a520 100644
--- a/model/model-intest/testng-integration.xml
+++ b/model/model-intest/testng-integration.xml
@@ -34,7 +34,6 @@
             <class name="com.evolveum.midpoint.model.intest.orgstruct.TestOrgStructMeta"/>
             <class name="com.evolveum.midpoint.model.intest.orgstruct.TestOrgStructCaribbean"/>
             <class name="com.evolveum.midpoint.model.intest.TestSchemalessResource"/>
-            <class name="com.evolveum.midpoint.model.intest.TestPassword"/>
             <class name="com.evolveum.midpoint.model.intest.TestActivation"/>
             <class name="com.evolveum.midpoint.model.intest.TestConnectorDummyFake"/>
             <class name="com.evolveum.midpoint.model.intest.TestStrangeCases"/>
@@ -92,6 +91,12 @@
             <class name="com.evolveum.midpoint.model.intest.scripting.TestScriptingBasic"/>
         </classes>
     </test>
+    <test name="Password" preserve-order="true" parallel="false" verbose="10" enabled="true">
+        <classes>
+            <class name="com.evolveum.midpoint.model.intest.password.TestPasswordDefault"/>
+            <class name="com.evolveum.midpoint.model.intest.password.TestPasswordDefaultHashing"/>
+        </classes>
+    </test>
     <!--
         Some tests moved to the end of suite, because they change logging configuration.
         TODO: Logging configuration should be refreshed from file during spring context reloading.
diff --git a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
index 4c28774c501..09b46910e83 100644
--- a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
+++ b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
@@ -2095,6 +2095,20 @@ protected void setDefaultObjectTemplate(QName objectType, String subType, String
 		
 	}
 	
+	protected void setGlobalSecurityPolicy(String securityPolicyOid, OperationResult parentResult)
+			throws ObjectNotFoundException, SchemaException, ObjectAlreadyExistsException {
+
+		Collection modifications = new ArrayList<>();
+		
+		ReferenceDelta refDelta = ReferenceDelta.createModificationReplace(SystemConfigurationType.F_GLOBAL_SECURITY_POLICY_REF, 
+				SystemConfigurationType.class, prismContext, securityPolicyOid);
+		modifications.add(refDelta);
+		
+		modifySystemObjectInRepo(SystemConfigurationType.class,
+				SystemObjectsType.SYSTEM_CONFIGURATION.value(), modifications, parentResult);
+		
+	}
+	
 	protected <O extends ObjectType> void modifySystemObjectInRepo(Class<O> type, String oid, Collection<? extends ItemDelta> modifications, OperationResult parentResult)
 			throws ObjectNotFoundException, SchemaException, ObjectAlreadyExistsException {
 		repositoryService.modifyObject(type, oid, modifications, parentResult);
@@ -3202,12 +3216,12 @@ protected void assertNoGroupMembers(DummyGroup group) {
 		IntegrationTestTools.assertNoGroupMembers(group);
 	}
 	
-	protected void login(String principalName) throws ObjectNotFoundException {
+	protected void login(String principalName) throws ObjectNotFoundException, SchemaException {
 		MidPointPrincipal principal = userProfileService.getPrincipal(principalName);
 		login(principal);
 	}
 	
-	protected void login(PrismObject<UserType> user) {
+	protected void login(PrismObject<UserType> user) throws SchemaException {
 		MidPointPrincipal principal = userProfileService.getPrincipal(user);
 		login(principal);
 	}
@@ -3521,7 +3535,7 @@ protected void assertNotAuthorized(MidPointPrincipal principal, String action, A
 		assertFalse("AuthorizationEvaluator.isAuthorized: Principal " + principal + " IS authorized for action " + action + " (" + phase + ") but he should not be", isAuthorized);
 	}
 	
-	protected void assertAuthorizations(PrismObject<UserType> user, String... expectedAuthorizations) throws ObjectNotFoundException {
+	protected void assertAuthorizations(PrismObject<UserType> user, String... expectedAuthorizations) throws ObjectNotFoundException, SchemaException {
 		MidPointPrincipal principal = userProfileService.getPrincipal(user);
 		assertNotNull("No principal for "+user, principal);
 		assertAuthorizations(principal, expectedAuthorizations);
@@ -3536,7 +3550,7 @@ protected void assertAuthorizations(MidPointPrincipal principal, String... expec
 	}
 
 	
-	protected void assertNoAuthorizations(PrismObject<UserType> user) throws ObjectNotFoundException {
+	protected void assertNoAuthorizations(PrismObject<UserType> user) throws ObjectNotFoundException, SchemaException {
 		MidPointPrincipal principal = userProfileService.getPrincipal(user);
 		assertNotNull("No principal for "+user, principal);
 		assertNoAuthorizations(principal);
diff --git a/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/SecurityEnforcer.java b/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/SecurityEnforcer.java
index 4e00c8baf51..d9138497ce7 100644
--- a/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/SecurityEnforcer.java
+++ b/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/SecurityEnforcer.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2014-2016 Evolveum
+ * Copyright (c) 2014-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -41,7 +41,7 @@ public interface SecurityEnforcer extends AccessDecisionManager {
 
     void setupPreAuthenticatedSecurityContext(Authentication authentication);
 
-	void setupPreAuthenticatedSecurityContext(PrismObject<UserType> user);
+	void setupPreAuthenticatedSecurityContext(PrismObject<UserType> user) throws SchemaException;
 	
 	boolean isAuthenticated();
 	
@@ -91,7 +91,7 @@ <O extends ObjectType, T extends ObjectType> void authorize(String operationUrl,
 	<T extends ObjectType, O extends ObjectType> ObjectFilter preProcessObjectFilter(String operationUrl, AuthorizationPhaseType phase,
 			Class<T> objectType, PrismObject<O> object, ObjectFilter origFilter) throws SchemaException;
 	
-	<T> T runAs(Producer<T> producer, PrismObject<UserType> user);
+	<T> T runAs(Producer<T> producer, PrismObject<UserType> user) throws SchemaException ;
 	
 	<T> T runPrivileged(Producer<T> producer);
 
diff --git a/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/UserProfileService.java b/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/UserProfileService.java
index aabd9911fe4..aeaa766ce63 100644
--- a/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/UserProfileService.java
+++ b/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/UserProfileService.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2015 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
 
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
+import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 
 
@@ -34,9 +35,9 @@ public interface UserProfileService extends OwnerResolver {
     String OPERATION_GET_PRINCIPAL = DOT_CLASS + "getPrincipal";
     String OPERATION_UPDATE_USER = DOT_CLASS + "updateUser";
 
-    public MidPointPrincipal getPrincipal(String username) throws ObjectNotFoundException;
+    public MidPointPrincipal getPrincipal(String username) throws ObjectNotFoundException, SchemaException;
     
-    public MidPointPrincipal getPrincipal(PrismObject<UserType> user);
+    public MidPointPrincipal getPrincipal(PrismObject<UserType> user) throws SchemaException;
 
     public void updateUser(MidPointPrincipal principal);
 }
diff --git a/repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java b/repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java
index 77e417a1cc8..52d58bea722 100644
--- a/repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java
+++ b/repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2014-2016 Evolveum
+ * Copyright (c) 2014-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -112,7 +112,7 @@ public void setupPreAuthenticatedSecurityContext(Authentication authentication)
     }
 
 	@Override
-	public void setupPreAuthenticatedSecurityContext(PrismObject<UserType> user) {
+	public void setupPreAuthenticatedSecurityContext(PrismObject<UserType> user) throws SchemaException {
 		MidPointPrincipal principal;
 		if (userProfileService == null) {
 			LOGGER.warn("No user profile service set up in SecurityEnforcer. "
@@ -1056,7 +1056,7 @@ private Object getUsername(MidPointPrincipal principal) {
 	}
 
 	@Override
-	public <T> T runAs(Producer<T> producer, PrismObject<UserType> user) {
+	public <T> T runAs(Producer<T> producer, PrismObject<UserType> user) throws SchemaException {
 		LOGGER.debug("Running {} as {}", producer, user);
 		Authentication origAuthentication = SecurityContextHolder.getContext().getAuthentication();
 		setupPreAuthenticatedSecurityContext(user);
diff --git a/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/TaskManagerQuartzImpl.java b/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/TaskManagerQuartzImpl.java
index e726abb6f34..cdba1274bef 100644
--- a/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/TaskManagerQuartzImpl.java
+++ b/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/TaskManagerQuartzImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2013 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -826,8 +826,13 @@ public void startLightweightTask(final TaskQuartzImpl task) {
                 public void run() {
                     LOGGER.debug("Lightweight task handler shell starting execution; task = {}", task);
 
-                    // Setup Spring Security context
-                    securityEnforcer.setupPreAuthenticatedSecurityContext(task.getOwner());
+                    try {
+	                    // Setup Spring Security context
+	                    securityEnforcer.setupPreAuthenticatedSecurityContext(task.getOwner());
+                    } catch (SchemaException e) {
+                        LoggingUtils.logUnexpectedException(LOGGER, "Couldn't set up task security context {}", e, task);
+                        throw new SystemException(e.getMessage(), e);
+                    }
 
                     try {
                         task.setLightweightHandlerExecuting(true);
diff --git a/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/execution/JobExecutor.java b/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/execution/JobExecutor.java
index bdf08c23eda..b06881b3cb6 100644
--- a/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/execution/JobExecutor.java
+++ b/repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/execution/JobExecutor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2013 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -165,7 +165,12 @@ public void execute(JobExecutionContext context) throws JobExecutionException {
 			
 			// Setup Spring Security context
 			PrismObject<UserType> taskOwner = task.getOwner();
-			taskManagerImpl.getSecurityEnforcer().setupPreAuthenticatedSecurityContext(taskOwner);
+			try {
+				taskManagerImpl.getSecurityEnforcer().setupPreAuthenticatedSecurityContext(taskOwner);
+			} catch (SchemaException e) {
+	            LoggingUtils.logUnexpectedException(LOGGER, "Task with OID {} cannot be executed: error setting security context", e, oid);
+	            return;
+			}
 		
 			if (task.isCycle()) {
 				executeRecurrentTask(handler);

From 3181b6a1a346949eaaa4ef0503be8d8e8c117793 Mon Sep 17 00:00:00 2001
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Wed, 8 Mar 2017 20:25:29 +0100
Subject: [PATCH 3/7] Password hashing fixes. More tests. Work in progress.

---
 .../midpoint/prism/crypto/BaseProtector.java  |  2 +-
 .../midpoint/prism/crypto/Protector.java      |  2 +-
 .../midpoint/prism/crypto/ProtectorImpl.java  | 14 +++-
 .../midpoint/prism/crypto/TestProtector.java  | 37 ++++++++++
 .../midpoint/schema/util/SchemaDebugUtil.java |  6 +-
 .../lens/projector/CredentialsProcessor.java  |  6 +-
 ...bstractConfiguredModelIntegrationTest.java |  3 +
 .../intest/password/AbstractPasswordTest.java | 68 ++++++++++++++-----
 .../password/TestPasswordDefaultHashing.java  |  6 ++
 .../intest/password/TestPasswordNone.java     | 54 +++++++++++++++
 model/model-intest/testng-integration.xml     |  3 +-
 .../test/AbstractModelIntegrationTest.java    | 39 ++++++++++-
 12 files changed, 215 insertions(+), 25 deletions(-)
 create mode 100644 model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordNone.java

diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/BaseProtector.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/BaseProtector.java
index cb71b26563d..eda7b5f1f11 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/BaseProtector.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/BaseProtector.java
@@ -42,7 +42,7 @@ public <T> void decrypt(ProtectedData<T> protectedData) throws EncryptionExcepti
     protected abstract <T> byte[] decryptBytes(ProtectedData<T> protectedData) throws SchemaException, EncryptionException;
 
     @Override
-    public String decryptString(ProtectedStringType protectedString) throws EncryptionException {
+    public String decryptString(ProtectedData<String> protectedString) throws EncryptionException {
         try {
             if (!protectedString.isEncrypted()) {
                 return protectedString.getClearValue();
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/Protector.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/Protector.java
index 6317d1b063a..00c737d8141 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/Protector.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/Protector.java
@@ -50,7 +50,7 @@ public interface Protector {
 	 *             if protectedString argument is null or EncryptedData in
 	 *             protectedString argument is null
 	 */
-	String decryptString(ProtectedStringType protectedString) throws EncryptionException;
+	String decryptString(ProtectedData<String> protectedString) throws EncryptionException;
 
 	/**
 	 *
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectorImpl.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectorImpl.java
index 5f06de2728e..03ec844fb6c 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectorImpl.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectorImpl.java
@@ -500,11 +500,12 @@ public <T> void hash(ProtectedData<T> protectedData) throws EncryptionException,
 		
 		protectedData.setHashedData(hashedDataType);
 		protectedData.destroyCleartext();
+		protectedData.setEncryptedData(null);
     }
     
     private HashedDataType hashPbkd(ProtectedData<String> protectedData, String algorithmUri, String algorithmName) throws EncryptionException {	
 		
-    	char[] clearChars = protectedData.getClearValue().toCharArray();
+    	char[] clearChars = getClearChars(protectedData);
     	byte[] salt = generatePbkdSalt();
     	int iterations = getPbkdIterations();
 		
@@ -536,6 +537,14 @@ private HashedDataType hashPbkd(ProtectedData<String> protectedData, String algo
 		return hashedDataType;
 	}
 
+	private char[] getClearChars(ProtectedData<String> protectedData) throws EncryptionException {
+		if (protectedData.isEncrypted()) {
+			return decryptString(protectedData).toCharArray();
+		} else {
+			return protectedData.getClearValue().toCharArray();
+		}
+	}
+
 	private byte[] generatePbkdSalt() {
 		byte[] salt = new byte[getPbkdSaltLength()/8];
 		randomNumberGenerator.nextBytes(salt);
@@ -567,6 +576,9 @@ public boolean compare(ProtectedStringType a, ProtectedStringType b) throws Encr
 				hashedPs = b;
 				clear = decryptString(a);
 			}
+			if (clear == null) {
+				return false;
+			}
 			return compareHashed(hashedPs, clear.toCharArray());
 			
 		} else {
diff --git a/infra/prism/src/test/java/com/evolveum/midpoint/prism/crypto/TestProtector.java b/infra/prism/src/test/java/com/evolveum/midpoint/prism/crypto/TestProtector.java
index 85af21be71c..174c766a31a 100644
--- a/infra/prism/src/test/java/com/evolveum/midpoint/prism/crypto/TestProtector.java
+++ b/infra/prism/src/test/java/com/evolveum/midpoint/prism/crypto/TestProtector.java
@@ -201,6 +201,43 @@ public void testProtectorHashRoundTrip() throws Exception {
 
 		// THEN
 		assertFalse("compare10 unexpected success", compare10);
+		
+		ProtectedStringType pstEncHash = new ProtectedStringType();
+		pstEncHash.setClearValue(value);
+		assertFalse(pstEncHash.isEmpty());
+		protector256.encrypt(pstEncHash);
+		
+		// WHEN
+		protector256.hash(pstEncHash);
+		
+		// THEN
+		assertFalse(pstEncHash.isEmpty());
+		assertTrue(pstEncHash.isHashed());
+		assertFalse(pstEncHash.isEncrypted());
+		assertNull(pstEncHash.getClearValue());
+
+		// WHEN
+		boolean compare1e = protector256.compare(checkPstClear, pstEncHash);
+
+		// THEN
+		assertTrue("compare1e failed", compare1e);
+
+		// WHEN
+		boolean compare2e = protector256.compare(pstEncHash, checkPstClear);
+
+		// THEN
+		assertTrue("compare2e failed", compare2e);
+
+		// WHEN
+		boolean compare3e = protector256.compare(pstEncHash, checkPstEnc);
 
+		// THEN
+		assertTrue("compare3e failed", compare3e);
+
+		// WHEN
+		boolean compare4e = protector256.compare(checkPstEnc, pstEncHash);
+
+		// THEN
+		assertTrue("compare4e failed", compare4e);
 	}
 }
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/SchemaDebugUtil.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/SchemaDebugUtil.java
index 60fa985e235..f63059ab84e 100644
--- a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/SchemaDebugUtil.java
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/SchemaDebugUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -365,6 +365,10 @@ public static String prettyPrint(ProtectedStringType protectedStringType) {
 		if (protectedStringType.getEncryptedDataType() != null) {
 			sb.append("[encrypted data]");
 		}
+		
+		if (protectedStringType.getHashedDataType() != null) {
+			sb.append("[hashed data]");
+		}
 
 		if (protectedStringType.getClearValue() != null) {
 			sb.append("\"");
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/CredentialsProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/CredentialsProcessor.java
index 5a60f512586..400419bee74 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/CredentialsProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/CredentialsProcessor.java
@@ -462,7 +462,11 @@ private <O extends ObjectType> void transformFocusExectionDeltaCredential(LensCo
 			if (delta.isAdd()) {
 				delta.getObjectToAdd().removeProperty(valuePropertyPath);
 			} else {
-				delta.removePropertyModification(valuePropertyPath);
+				PropertyDelta<ProtectedStringType> propDelta = delta.findPropertyDelta(valuePropertyPath);
+				if (propDelta != null) {
+					// Replace with nothing. We need this to clear any existing value that there might be.
+					propDelta.setValueToReplace();
+				}
 			}
 		} else {
 			throw new SchemaException("Unkwnon storage type "+storageType);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
index cf3594f67ec..eb9ad5a92fa 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
@@ -285,7 +285,10 @@ public class AbstractConfiguredModelIntegrationTest extends AbstractModelIntegra
 	protected static final File USER_HERMAN_FILE = new File(COMMON_DIR, "user-herman.xml");
 	protected static final String USER_HERMAN_OID = "c0c010c0-d34d-b33f-f00d-111111111122";
 	protected static final String USER_HERMAN_USERNAME = "herman";
+	protected static final String USER_HERMAN_GIVEN_NAME = "Herman";
+	protected static final String USER_HERMAN_FAMILY_NAME = "Toothrot";
 	protected static final String USER_HERMAN_FULL_NAME = "Herman Toothrot";
+	protected static final String USER_HERMAN_PASSWORD = "m0nk3y";
 	protected static final Date USER_HERMAN_VALID_FROM_DATE = MiscUtil.asDate(1700, 5, 30, 11, 00, 00);
 	protected static final Date USER_HERMAN_VALID_TO_DATE = MiscUtil.asDate(2233, 3, 23, 18, 30, 00);
 
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
index 3b05b6e5539..b98da3b87e9 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
@@ -165,7 +165,8 @@ public void test050CheckJackPassword() throws Exception {
 		display("User after change execution", userJack);
 		assertUserJack(userJack, "Jack Sparrow");
         
-		assertEncryptedUserPassword(userJack, USER_JACK_PASSWORD);
+		// Password still encrypted. We haven't changed it yet.
+		assertUserPassword(userJack, USER_JACK_PASSWORD, CredentialsStorageTypeType.ENCRYPTION);
 	}
 	
 
@@ -196,7 +197,7 @@ public void test051ModifyUserJackPassword() throws Exception {
 		display("User after change execution", userJack);
 		assertUserJack(userJack, "Jack Sparrow");
         
-		assertEncryptedUserPassword(userJack, USER_PASSWORD_1_CLEAR);
+		assertUserPassword(userJack, USER_PASSWORD_1_CLEAR);
 		assertPasswordMetadata(userJack, false, startCal, endCal);
 		// Password policy is not active yet. No history should be kept.
 		assertPasswordHistoryEntries(userJack);
@@ -207,11 +208,14 @@ public void test060CheckJackPasswordModelInteraction() throws Exception {
 		final String TEST_NAME = "test060CheckJackPasswordModelInteraction";
         TestUtil.displayTestTile(this, TEST_NAME);
 
+        if (getPasswordStorageType() == CredentialsStorageTypeType.NONE) {
+        	// Nothing to check in this case
+        	return;
+        }
+        
         // GIVEN
         Task task = createTask(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
-        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
-        
         
 		// WHEN, THEN
         ProtectedStringType userPasswordPsGood = new ProtectedStringType();
@@ -233,6 +237,38 @@ public void test060CheckJackPasswordModelInteraction() throws Exception {
 
 	}
 	
+	@Test
+    public void test070AddUserHerman() throws Exception {
+		final String TEST_NAME = "test070AddUserHerman";
+        TestUtil.displayTestTile(this, TEST_NAME);
+
+        // GIVEN
+        Task task = createTask(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
+        OperationResult result = task.getResult();
+        
+        XMLGregorianCalendar startCal = clock.currentTimeXMLGregorianCalendar();
+        
+		// WHEN
+        TestUtil.displayWhen(TEST_NAME);
+        addObject(USER_HERMAN_FILE, task, result);
+		
+		// THEN
+        TestUtil.displayThen(TEST_NAME);
+		result.computeStatus();
+        TestUtil.assertSuccess("executeChanges result", result);
+        
+        XMLGregorianCalendar endCal = clock.currentTimeXMLGregorianCalendar();
+        
+        PrismObject<UserType> userAfter = getUser(USER_HERMAN_OID);
+		display("User after", userAfter);
+		assertUser(userAfter, USER_HERMAN_OID, USER_HERMAN_USERNAME, 
+				USER_HERMAN_FULL_NAME, USER_HERMAN_GIVEN_NAME, USER_HERMAN_FAMILY_NAME);
+        
+		assertUserPassword(userAfter, USER_HERMAN_PASSWORD);
+		assertPasswordMetadata(userAfter, true, startCal, endCal);
+		// Password policy is not active yet. No history should be kept.
+		assertPasswordHistoryEntries(userAfter);
+	}
 
 	@Test
     public void test100ModifyUserJackAssignAccount() throws Exception {
@@ -298,7 +334,7 @@ public void test110ModifyUserJackPassword() throws Exception {
 		display("User after change execution", userJack);
 		assertUserJack(userJack, "Jack Sparrow");
         
-		assertEncryptedUserPassword(userJack, USER_PASSWORD_2_CLEAR);
+		assertUserPassword(userJack, USER_PASSWORD_2_CLEAR);
 		assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_2_CLEAR);
 		assertPasswordMetadata(userJack, false, lastPasswordChangeStart, lastPasswordChangeEnd);
 	}
@@ -328,7 +364,7 @@ public void test111ModifyAccountJackPassword() throws Exception {
 		assertUserJack(userJack, "Jack Sparrow");
         
 		// User should still have old password
-		assertEncryptedUserPassword(userJack, USER_PASSWORD_2_CLEAR);
+		assertUserPassword(userJack, USER_PASSWORD_2_CLEAR);
 		// Account has new password
 		assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_3_CLEAR);
 		
@@ -376,7 +412,7 @@ public void test112ModifyJackPasswordUserAndAccount() throws Exception {
 		assertUserJack(userJack, "Jack Sparrow");
         
 		// User should still have old password
-		assertEncryptedUserPassword(userJack, USER_PASSWORD_4_CLEAR);
+		assertUserPassword(userJack, USER_PASSWORD_4_CLEAR);
 		// Account has new password
 		assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_5_CLEAR);
 		
@@ -419,7 +455,7 @@ public void test120ModifyUserJackAssignAccountDummyRedAndUgly() throws Exception
 		assertDummyPassword(RESOURCE_DUMMY_UGLY_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_JACK_EMPLOYEE_NUMBER);
 
 		// User and default dummy account should have unchanged passwords
-        assertEncryptedUserPassword(userJack, USER_PASSWORD_4_CLEAR);
+        assertUserPassword(userJack, USER_PASSWORD_4_CLEAR);
      	assertDummyPassword("jack", USER_PASSWORD_5_CLEAR);
      	
      	assertPasswordMetadata(userJack, false, lastPasswordChangeStart, lastPasswordChangeEnd);
@@ -466,7 +502,7 @@ public void test121ModifyJackPasswordUserAndAccountRed() throws Exception {
 		assertUserJack(userJack, USER_JACK_FULL_NAME);
         
 		// User should still have old password
-		assertEncryptedUserPassword(userJack, USER_PASSWORD_1_CLEAR);
+		assertUserPassword(userJack, USER_PASSWORD_1_CLEAR);
 		// Red account has the same account as user
 		assertDummyPassword(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
 		// ... and default account has also the same password as user now. There was no other change on default dummy instance 
@@ -511,7 +547,7 @@ public void test125ModifyJackEmployeeNumberBad() throws Exception {
         PrismObject<UserType> userJack = getUser(USER_JACK_OID);
 		display("User after", userJack);
         
-		assertEncryptedUserPassword(userJack, USER_PASSWORD_1_CLEAR);
+		assertUserPassword(userJack, USER_PASSWORD_1_CLEAR);
 		assertDummyPassword(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
 		assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
 		// ugly password should be changed
@@ -547,7 +583,7 @@ public void test128ModifyJackEmployeeNumberGood() throws Exception {
         PrismObject<UserType> userJack = getUser(USER_JACK_OID);
 		display("User after", userJack);
         
-		assertEncryptedUserPassword(userJack, USER_PASSWORD_1_CLEAR);
+		assertUserPassword(userJack, USER_PASSWORD_1_CLEAR);
 		assertDummyPassword(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
 		assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
 		// ugly password should be changed
@@ -592,7 +628,7 @@ public void test130ModifyUserJackAssignAccountDummyYellow() throws Exception {
         assertDummyPassword(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
         
         // User and default dummy account should have unchanged passwords
-        assertEncryptedUserPassword(userJack, USER_PASSWORD_1_CLEAR);
+        assertUserPassword(userJack, USER_PASSWORD_1_CLEAR);
      	assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
 
 		// this one is not changed
@@ -642,7 +678,7 @@ public void test132ModifyUserJackPasswordA() throws Exception {
         assertDummyPassword(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_A_CLEAR);
         
         // User and default dummy account should have unchanged passwords
-        assertEncryptedUserPassword(userJack, USER_PASSWORD_A_CLEAR);
+        assertUserPassword(userJack, USER_PASSWORD_A_CLEAR);
      	assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_A_CLEAR);
 
 		// this one is not changed
@@ -708,7 +744,7 @@ public void test202ReconcileUserJack() throws Exception {
         assertDummyPassword(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_A_CLEAR);
         
         // User and default dummy account should have unchanged passwords
-        assertEncryptedUserPassword(userJack, USER_PASSWORD_A_CLEAR);
+        assertUserPassword(userJack, USER_PASSWORD_A_CLEAR);
      	assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_A_CLEAR);
 
 		// this one is not changed
@@ -969,7 +1005,7 @@ private void assertJackPasswordsWithHistory(String expectedCurrentPassword, Stri
 		assertLinks(userJack, 4);
         accountYellowOid = getLinkRefOid(userJack, RESOURCE_DUMMY_YELLOW_OID);
 
-        assertEncryptedUserPassword(userJack, expectedCurrentPassword);
+        assertUserPassword(userJack, expectedCurrentPassword);
         assertPasswordMetadata(userJack, false, lastPasswordChangeStart, lastPasswordChangeEnd);
         
         assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, expectedCurrentPassword);
@@ -1039,7 +1075,7 @@ public void test300TwoParentOrgRefs() throws Exception {
 
 		// Make sure that the password is unchanged
 
-		assertEncryptedUserPassword(userJack, USER_PASSWORD_VALID_1);
+		assertUserPassword(userJack, USER_PASSWORD_VALID_1);
 		assertPasswordMetadata(userJack, false, lastPasswordChangeStart, lastPasswordChangeEnd);
 
 		assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_VALID_1);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefaultHashing.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefaultHashing.java
index 466200eb772..79af8155586 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefaultHashing.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefaultHashing.java
@@ -24,6 +24,7 @@
 
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageTypeType;
 
 /**
  * Password test with HASHING storage for all credential types.
@@ -45,4 +46,9 @@ protected String getSecurityPolicyOid() {
 		return SECURITY_POLICY_DEFAULT_STORAGE_HASHING_OID;
 	}
 	
+	@Override
+	protected CredentialsStorageTypeType getPasswordStorageType() {
+		return CredentialsStorageTypeType.HASHING;
+	}
+	
 }
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordNone.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordNone.java
new file mode 100644
index 00000000000..9263924396a
--- /dev/null
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordNone.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2010-2017 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.intest.password;
+
+import static com.evolveum.midpoint.test.IntegrationTestTools.display;
+import static org.testng.AssertJUnit.*;
+
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageTypeType;
+
+/**
+ * Password test with NONE password storage (default storage for other types)
+ * 
+ * @author semancik
+ *
+ */
+@ContextConfiguration(locations = {"classpath:ctx-model-intest-test-main.xml"})
+@DirtiesContext(classMode = ClassMode.AFTER_CLASS)
+public class TestPasswordNone extends AbstractPasswordTest {
+			
+	@Override
+	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
+		super.initSystem(initTask, initResult);
+	}
+
+	@Override
+	protected String getSecurityPolicyOid() {
+		return SECURITY_POLICY_PASSWORD_STORAGE_NONE_OID;
+	}
+	
+	@Override
+	protected CredentialsStorageTypeType getPasswordStorageType() {
+		return CredentialsStorageTypeType.NONE;
+	}
+	
+}
diff --git a/model/model-intest/testng-integration.xml b/model/model-intest/testng-integration.xml
index a7c97b2a520..f733ac50372 100644
--- a/model/model-intest/testng-integration.xml
+++ b/model/model-intest/testng-integration.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2010-2016 Evolveum
+  ~ Copyright (c) 2010-2017 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -95,6 +95,7 @@
         <classes>
             <class name="com.evolveum.midpoint.model.intest.password.TestPasswordDefault"/>
             <class name="com.evolveum.midpoint.model.intest.password.TestPasswordDefaultHashing"/>
+            <class name="com.evolveum.midpoint.model.intest.password.TestPasswordNone"/>
         </classes>
     </test>
     <!--
diff --git a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
index 09b46910e83..1e7a23fe380 100644
--- a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
+++ b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
@@ -105,6 +105,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ConstructionType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageTypeType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.MetadataType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectPolicyConfigurationType;
@@ -3670,11 +3671,43 @@ protected void assertEncryptedUserPassword(String userOid, String expectedClearP
 		assertEncryptedUserPassword(user, expectedClearPassword);
 	}
 	
-	protected void assertEncryptedUserPassword(PrismObject<UserType> user, String expectedClearPassword) throws EncryptionException {
+	protected void assertEncryptedUserPassword(PrismObject<UserType> user, String expectedClearPassword) throws EncryptionException, SchemaException {
+		assertUserPassword(user, expectedClearPassword, CredentialsStorageTypeType.ENCRYPTION);
+	}
+	
+	protected void assertUserPassword(PrismObject<UserType> user, String expectedClearPassword) throws EncryptionException, SchemaException {
+		assertUserPassword(user, expectedClearPassword, getPasswordStorageType());
+	}
+
+	protected CredentialsStorageTypeType getPasswordStorageType() {
+		return CredentialsStorageTypeType.ENCRYPTION;
+	}
+
+	protected void assertUserPassword(PrismObject<UserType> user, String expectedClearPassword, CredentialsStorageTypeType storageType) throws EncryptionException, SchemaException {
 		UserType userType = user.asObjectable();
 		ProtectedStringType protectedActualPassword = userType.getCredentials().getPassword().getValue();
-		String actualClearPassword = protector.decryptString(protectedActualPassword);
-		assertEquals("Wrong password for "+user, expectedClearPassword, actualClearPassword);
+		switch (storageType) {
+			
+			case NONE:
+				assertNull("Unexpected stored password "+protectedActualPassword+" in "+user, protectedActualPassword);
+				break;
+
+			case ENCRYPTION:
+				assertNotNull("No password for "+user, protectedActualPassword);
+				assertTrue("Unenctypted password for "+user+": "+protectedActualPassword, protectedActualPassword.isEncrypted());
+				String actualClearPassword = protector.decryptString(protectedActualPassword);
+				assertEquals("Wrong password for "+user, expectedClearPassword, actualClearPassword);
+				break;
+				
+			case HASHING:
+				assertNotNull("No password for "+user, protectedActualPassword);
+				assertTrue("Not hashed password for "+user+": "+protectedActualPassword, protectedActualPassword.isHashed());
+				ProtectedStringType expectedPs = new ProtectedStringType();
+				expectedPs.setClearValue(expectedClearPassword);
+				assertTrue("Wrong password for "+user+", expected "+expectedClearPassword+", but was "+protectedActualPassword, 
+						protector.compare(protectedActualPassword, expectedPs));
+		}
+		
 	}
 
 	protected void assertPasswordMetadata(PrismObject<UserType> user, boolean create, XMLGregorianCalendar start, XMLGregorianCalendar end, String actorOid, String channel) {

From e21fb205e7574cbf3b10410d7e359fdd485a84f9 Mon Sep 17 00:00:00 2001
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Wed, 8 Mar 2017 20:44:15 +0100
Subject: [PATCH 4/7] Two provisioning fixed (GuardedString handling). Password
 test update.

---
 .../intest/password/AbstractPasswordTest.java | 22 ++++++++++++++-----
 .../ucf/impl/ConnectorInstanceIcfImpl.java    |  9 +++++---
 .../provisioning/ucf/impl/IcfUtil.java        |  4 ++--
 3 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
index b98da3b87e9..da60d69e58c 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
@@ -303,7 +303,7 @@ public void test100ModifyUserJackAssignAccount() throws Exception {
         // Check account in dummy resource
         assertDefaultDummyAccount(ACCOUNT_JACK_DUMMY_USERNAME, "Jack Sparrow", true);
         
-        assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
+        assertDummyPasswordConditional(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
 	}
 	
 	/**
@@ -449,10 +449,10 @@ public void test120ModifyUserJackAssignAccountDummyRedAndUgly() throws Exception
 
         // Check account in dummy resource
         assertDummyAccount(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, "Jack Sparrow", true);
-        assertDummyPassword(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_4_CLEAR);
+        assertDummyPasswordConditional(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_4_CLEAR);
 
 		assertDummyAccount(RESOURCE_DUMMY_UGLY_NAME, ACCOUNT_JACK_DUMMY_USERNAME, null, true);
-		assertDummyPassword(RESOURCE_DUMMY_UGLY_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_JACK_EMPLOYEE_NUMBER);
+		assertDummyPasswordConditional(RESOURCE_DUMMY_UGLY_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_JACK_EMPLOYEE_NUMBER);
 
 		// User and default dummy account should have unchanged passwords
         assertUserPassword(userJack, USER_PASSWORD_4_CLEAR);
@@ -621,7 +621,7 @@ public void test130ModifyUserJackAssignAccountDummyYellow() throws Exception {
 
         // Check account in dummy resource (yellow)
         assertDummyAccount(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
-        assertDummyPassword(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
+        assertDummyPasswordConditional(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
         
         // Check account in dummy resource (red)
         assertDummyAccount(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
@@ -671,7 +671,7 @@ public void test132ModifyUserJackPasswordA() throws Exception {
 
         // Check account in dummy resource (yellow): password is too short for this, original password should remain there
         assertDummyAccount(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
-        assertDummyPassword(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
+        assertDummyPasswordConditional(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
         
         // Check account in dummy resource (red)
         assertDummyAccount(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
@@ -1194,4 +1194,16 @@ private void assertDummyPassword(String userId, String expectedClearPassword) th
 		assertDummyPassword(null, userId, expectedClearPassword);
 	}
 	
+	protected void assertDummyPasswordConditional(String userId, String expectedClearPassword) throws SchemaViolationException, ConflictException {
+		if (getPasswordStorageType() == CredentialsStorageTypeType.ENCRYPTION) {
+			assertDummyPassword(null, userId, expectedClearPassword);
+		}
+	}
+	
+	protected void assertDummyPasswordConditional(String instance, String userId, String expectedClearPassword) throws SchemaViolationException, ConflictException {
+		if (getPasswordStorageType() == CredentialsStorageTypeType.ENCRYPTION) {
+			super.assertDummyPassword(instance, userId, expectedClearPassword);
+		}
+	}
+	
 }
diff --git a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/ConnectorInstanceIcfImpl.java b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/ConnectorInstanceIcfImpl.java
index bd6d1ab0621..3615cdab28d 100644
--- a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/ConnectorInstanceIcfImpl.java
+++ b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/ConnectorInstanceIcfImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -1403,8 +1403,10 @@ public Collection<ResourceAttribute<?>> addObject(PrismObject<? extends ShadowTy
 				PasswordType password = shadowType.getCredentials().getPassword();
 				ProtectedStringType protectedString = password.getValue();
 				GuardedString guardedPassword = IcfUtil.toGuardedString(protectedString, "new password", protector);
-				attributes.add(AttributeBuilder.build(OperationalAttributes.PASSWORD_NAME,
+				if (guardedPassword != null) {
+					attributes.add(AttributeBuilder.build(OperationalAttributes.PASSWORD_NAME,
 						guardedPassword));
+				}
 			}
 			
 			if (ActivationUtil.hasAdministrativeActivation(shadowType)){
@@ -1426,12 +1428,13 @@ public Collection<ResourceAttribute<?>> addObject(PrismObject<? extends ShadowTy
 			if (LOGGER.isTraceEnabled()) {
 				LOGGER.trace("ICF attributes after conversion:\n{}", IcfUtil.dump(attributes));
 			}
-		} catch (SchemaException ex) {
+		} catch (SchemaException | RuntimeException ex) {
 			result.recordFatalError(
 					"Error while converting resource object attributes. Reason: " + ex.getMessage(), ex);
 			throw new SchemaException("Error while converting resource object attributes. Reason: "
 					+ ex.getMessage(), ex);
 		}
+		
 		if (attributes == null) {
 			result.recordFatalError("Couldn't set attributes for icf.");
 			throw new IllegalStateException("Couldn't set attributes for icf.");
diff --git a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/IcfUtil.java b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/IcfUtil.java
index 245fcbc03bd..f63cd3b47af 100644
--- a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/IcfUtil.java
+++ b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/IcfUtil.java
@@ -575,10 +575,10 @@ public static Collection<ResourceAttribute<?>> convertToIdentifiers(Uid uid,
 	}
 
 	public static GuardedString toGuardedString(ProtectedStringType ps, String propertyName, Protector protector) {
-		if (ps == null) {
+		if (ps == null || ps.isHashed()) {
 			return null;
 		}
-		if (!protector.isEncrypted(ps)) {
+		if (!ps.isEncrypted()) {
 			if (ps.getClearValue() == null) {
 				return null;
 			}

From f07569fc39abf5cb55427beda2f39efa0dc66fca Mon Sep 17 00:00:00 2001
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Thu, 9 Mar 2017 17:01:49 +0100
Subject: [PATCH 5/7] Password history hashing. Fixes.

---
 .../xml/ns/public/common/common-core-3.xsd    |  29 ++++
 .../lens/projector/CredentialsProcessor.java  |   9 +-
 .../projector/PasswordPolicyProcessor.java    |  60 ++++++++-
 .../intest/password/AbstractPasswordTest.java |  19 +--
 .../password/TestPasswordDefaultHashing.java  |   2 +-
 .../intest/password/TestPasswordNone.java     |   7 +-
 .../src/test/resources/logback-test.xml       |   2 +-
 model/model-intest/testng-integration.xml     |   3 +-
 .../test/AbstractModelIntegrationTest.java    |  47 -------
 .../test/AbstractIntegrationTest.java         | 126 ++++++++++++++++--
 .../midpoint/security/api/SecurityUtil.java   |  18 +++
 11 files changed, 241 insertions(+), 81 deletions(-)

diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
index 88598ba9e2c..8d60189ac1d 100644
--- a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
+++ b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
@@ -11585,6 +11585,16 @@
 		</xsd:annotation>
 		<xsd:sequence>
 			<xsd:element name="storageMethod" type="c:CredentialsStorageMethodType" minOccurs="0" maxOccurs="1">
+				<xsd:annotation>
+					<xsd:documentation>
+						Method used to store the values of this credential (encrypted, hashed, ...)
+						If storage method is not specified it defaults to encryption
+						(due to compatibility and convenience reasons).
+					</xsd:documentation>
+					<xsd:appinfo>
+						<a:since>3.6</a:since>
+					</xsd:appinfo>
+				</xsd:annotation>
 			</xsd:element>
 			<xsd:element name="resetMethod" type="c:CredentialsResetMethodType" minOccurs="0" maxOccurs="1">
 			</xsd:element>
@@ -11655,6 +11665,18 @@
 			        </xsd:documentation>
 			    </xsd:annotation>
 			</xsd:element>
+			<xsd:element name="historyStorageMethod" type="c:CredentialsStorageMethodType" minOccurs="0" maxOccurs="1">
+				<xsd:annotation>
+					<xsd:documentation>
+						Method used to store historical values of the credential (encrypted, hashed, ...)
+						If storage type is not specified then it defaults to hashing.
+					</xsd:documentation>
+					<xsd:appinfo>
+						<a:since>3.6</a:since>
+					</xsd:appinfo>
+				</xsd:annotation>
+			</xsd:element>
+			
 			<!-- TODO: similarity criteria (history vs new password) -->
 		</xsd:sequence>
 	</xsd:complexType>
@@ -11839,6 +11861,13 @@
                 		MidPoitn will only work with credential in the memory
                 		while it is needed to complete current operation.
                 		The credential will be discarded after the operation.
+                		
+                		THIS IS ONLY PARTIALLY SUPPORTED
+                		
+                		MidPoint should be able not to store the credentials when
+                		this setting is used. But there may be side effects.
+                		This is not entirelly tests and not supported.
+                		Use at your own risk.
                 	</xsd:documentation>
                     <xsd:appinfo>
                         <jaxb:typesafeEnumMember name="NONE"/>
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/CredentialsProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/CredentialsProcessor.java
index 400419bee74..b44c51a093d 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/CredentialsProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/CredentialsProcessor.java
@@ -40,6 +40,7 @@
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.security.api.SecurityUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.SchemaFailableProcessor;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -433,12 +434,8 @@ private <O extends ObjectType> void transformFocusExectionDeltaCredential(LensCo
 			return;
 		}
 		CredentialPolicyType defaltCredPolicyType = credsType.getDefault();
-		CredentialsStorageMethodType storageMethod = null;
-		if (credPolicyType != null && credPolicyType.getStorageMethod() != null) {
-			storageMethod = credPolicyType.getStorageMethod();
-		} else if (defaltCredPolicyType != null && defaltCredPolicyType.getStorageMethod() != null) {
-			storageMethod = defaltCredPolicyType.getStorageMethod();
-		}
+		CredentialsStorageMethodType storageMethod = 
+				SecurityUtil.getCredPolicyItem(defaltCredPolicyType, credPolicyType, pol -> pol.getStorageMethod());
 		if (storageMethod == null) {
 			return;
 		}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.java
index 5ce5c208083..79d2137035a 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.java
@@ -59,6 +59,7 @@
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
+import com.evolveum.midpoint.security.api.SecurityUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
@@ -70,6 +71,8 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CharacterClassType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CheckExpressionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageMethodType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageTypeType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
@@ -709,7 +712,6 @@ private String determinePasswordValue(ProtectedStringType passValue) {
 		return passwordStr;
 	}
 
-
 	public <F extends FocusType> void processPasswordHistoryDeltas(LensFocusContext<F> focusContext,
 			LensContext<F> context, SecurityPolicyType securityPolicy, XMLGregorianCalendar now, Task task, OperationResult result)
 					throws SchemaException {
@@ -729,7 +731,7 @@ public <F extends FocusType> void processPasswordHistoryDeltas(LensFocusContext<
 			List<PasswordHistoryEntryType> historyEntryValues = getSortedHistoryList(historyEntries, true);
 			int newHistoryEntries = 0;
 			if (maxPasswordsToSave > 0) {
-				newHistoryEntries = createAddHistoryDelta(context, password, now);
+				newHistoryEntries = createAddHistoryDelta(context, password, securityPolicy, now);
 			}
 			createDeleteHistoryDeltasIfNeeded(historyEntryValues, maxPasswordsToSave, newHistoryEntries, context, task, result);
 		}
@@ -794,9 +796,24 @@ private <F extends FocusType> int getMaxPasswordsToSave(LensFocusContext<F> focu
 	
 
 	private <F extends FocusType> int createAddHistoryDelta(LensContext<F> context,
-			PrismContainer<PasswordType> password, XMLGregorianCalendar now) throws SchemaException {
+			PrismContainer<PasswordType> password, SecurityPolicyType securityPolicy, XMLGregorianCalendar now) throws SchemaException {
 		PrismContainerValue<PasswordType> passwordValue = password.getValue();
-		PasswordType passwordRealValue = passwordValue.asContainerable();
+		PasswordType passwordType = passwordValue.asContainerable();
+		if (passwordType == null || passwordType.getValue() == null) {
+			return 0;
+		}
+		ProtectedStringType passwordPsForStorage = passwordType.getValue().clone();
+		
+		CredentialsStorageTypeType storageType = CredentialsStorageTypeType.HASHING;
+		CredentialsPolicyType creds = securityPolicy.getCredentials();
+		if (creds != null) {
+			CredentialsStorageMethodType storageMethod =  
+				SecurityUtil.getCredPolicyItem(creds.getDefault(), creds.getPassword(), pol -> pol.getStorageMethod());
+			if (storageMethod != null && storageMethod.getStorageType() != null) {
+				storageType = storageMethod.getStorageType();
+			}
+		}
+		prepareProtectedStringForStorage(passwordPsForStorage, storageType);
 		
 		PrismContainerDefinition<PasswordHistoryEntryType> historyEntryDefinition = password.getDefinition().findContainerDefinition(PasswordType.F_HISTORY_ENTRY);
 		PrismContainer<PasswordHistoryEntryType> historyEntry = historyEntryDefinition.instantiate();
@@ -804,8 +821,8 @@ private <F extends FocusType> int createAddHistoryDelta(LensContext<F> context,
 		PrismContainerValue<PasswordHistoryEntryType> hisotryEntryValue = historyEntry.createNewValue();
 		
 		PasswordHistoryEntryType entryType = hisotryEntryValue.asContainerable();
-		entryType.setValue(passwordRealValue.getValue());
-		entryType.setMetadata(passwordRealValue.getMetadata());
+		entryType.setValue(passwordPsForStorage);
+		entryType.setMetadata(passwordType.getMetadata());
 		entryType.setChangeTimestamp(now);
 	
 		ContainerDelta<PasswordHistoryEntryType> addHisotryDelta = ContainerDelta
@@ -815,6 +832,37 @@ private <F extends FocusType> int createAddHistoryDelta(LensContext<F> context,
 		return 1;
 
 	}
+	
+	private void prepareProtectedStringForStorage(ProtectedStringType ps, CredentialsStorageTypeType storageType) throws SchemaException {
+		try {
+			switch (storageType) {
+				case ENCRYPTION: 
+					if (ps.isEncrypted()) {
+						break;
+					}
+					if (ps.isHashed()) {
+						throw new SchemaException("Cannot store hashed value in an encrypted form");
+					}
+					protector.encrypt(ps);
+					break;
+					
+				case HASHING:
+					if (ps.isHashed()) {
+						break;
+					}
+					protector.hash(ps);
+					break;
+					
+				case NONE:
+					throw new SchemaException("Cannot store value on NONE storage form");
+					
+				default:
+					throw new SchemaException("Unknown storage type: "+storageType);
+			}
+		} catch (EncryptionException e) {
+			throw new SystemException(e.getMessage(), e);
+		}
+	}
 
 	private <F extends FocusType> void createDeleteHistoryDeltasIfNeeded(
 			List<PasswordHistoryEntryType> historyEntryValues, int maxPasswordsToSave, int newHistoryEntries, LensContext<F> context, Task task,
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
index da60d69e58c..1e5994d4b67 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
@@ -721,7 +721,10 @@ public void test202ReconcileUserJack() throws Exception {
         // GIVEN
         Task task = taskManager.createTaskInstance(AbstractPasswordTest.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
-        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
+        
+        PrismObject<UserType> userBefore = getUser(USER_JACK_OID);
+		display("User before", userBefore);
+		assertLinks(userBefore, 4);
         
 		// WHEN
         reconcileUser(USER_JACK_OID, task, result);
@@ -730,27 +733,27 @@ public void test202ReconcileUserJack() throws Exception {
 		result.computeStatus();
 		TestUtil.assertSuccess(result);
         
-		PrismObject<UserType> userJack = getUser(USER_JACK_OID);
-		display("User after change execution", userJack);
-		assertLinks(userJack, 4);
-        accountYellowOid = getLinkRefOid(userJack, RESOURCE_DUMMY_YELLOW_OID);
+		PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
+		display("User after", userAfter);
+		assertLinks(userAfter, 4);
+        accountYellowOid = getLinkRefOid(userAfter, RESOURCE_DUMMY_YELLOW_OID);
 
         // Check account in dummy resource (yellow): password is too short for this, original password should remain there
         assertDummyAccount(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
-        assertDummyPassword(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
+        assertDummyPasswordConditional(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
         
         // Check account in dummy resource (red)
         assertDummyAccount(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
         assertDummyPassword(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_A_CLEAR);
         
         // User and default dummy account should have unchanged passwords
-        assertUserPassword(userJack, USER_PASSWORD_A_CLEAR);
+        assertUserPassword(userAfter, USER_PASSWORD_A_CLEAR);
      	assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_A_CLEAR);
 
 		// this one is not changed
 		assertDummyPassword(RESOURCE_DUMMY_UGLY_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_JACK_EMPLOYEE_NUMBER_NEW_GOOD);
 		
-		assertPasswordHistoryEntries(userJack);
+		assertPasswordHistoryEntries(userAfter);
 	}
 	
 	/**
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefaultHashing.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefaultHashing.java
index 79af8155586..e1d7993f8b8 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefaultHashing.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefaultHashing.java
@@ -49,6 +49,6 @@ protected String getSecurityPolicyOid() {
 	@Override
 	protected CredentialsStorageTypeType getPasswordStorageType() {
 		return CredentialsStorageTypeType.HASHING;
-	}
+	}	
 	
 }
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordNone.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordNone.java
index 9263924396a..0173cf133ba 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordNone.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordNone.java
@@ -29,6 +29,12 @@
 /**
  * Password test with NONE password storage (default storage for other types)
  * 
+ * This test is only partially working.
+ * IT IS NOT PART OF THE TEST SUITE. It is NOT executed automatically.
+ * 
+ * E.g. new password will be generated on every recompute because the
+ * weak inbound mapping is activated.
+ * 
  * @author semancik
  *
  */
@@ -50,5 +56,4 @@ protected String getSecurityPolicyOid() {
 	protected CredentialsStorageTypeType getPasswordStorageType() {
 		return CredentialsStorageTypeType.NONE;
 	}
-	
 }
diff --git a/model/model-intest/src/test/resources/logback-test.xml b/model/model-intest/src/test/resources/logback-test.xml
index 6e74a791037..13228f205c1 100644
--- a/model/model-intest/src/test/resources/logback-test.xml
+++ b/model/model-intest/src/test/resources/logback-test.xml
@@ -46,7 +46,7 @@
          if any of the following is set to "TRACE" then it was changed by mistake and should be changed back -->
 	<logger name="com.evolveum.midpoint.model.impl.lens.Clockwork" level="TRACE" />
 	<logger name="com.evolveum.midpoint.model.impl.lens.projector" level="DEBUG" />
- 	<logger name="com.evolveum.midpoint.model.impl.lens.projector.Projector" level="DEBUG" />
+ 	<logger name="com.evolveum.midpoint.model.impl.lens.projector.Projector" level="TRACE" />
  	<logger name="com.evolveum.midpoint.model.impl.lens.projector.ContextLoader" level="DEBUG" />
  	<logger name="com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor" level="DEBUG" />
  	<logger name="com.evolveum.midpoint.model.impl.lens.projector.InboundProcessor" level="DEBUG" />
diff --git a/model/model-intest/testng-integration.xml b/model/model-intest/testng-integration.xml
index f733ac50372..f4545204b2c 100644
--- a/model/model-intest/testng-integration.xml
+++ b/model/model-intest/testng-integration.xml
@@ -95,7 +95,8 @@
         <classes>
             <class name="com.evolveum.midpoint.model.intest.password.TestPasswordDefault"/>
             <class name="com.evolveum.midpoint.model.intest.password.TestPasswordDefaultHashing"/>
-            <class name="com.evolveum.midpoint.model.intest.password.TestPasswordNone"/>
+            <!-- TestPasswordNone works only partially. It needs to be updated. -->
+            <!-- <class name="com.evolveum.midpoint.model.intest.password.TestPasswordNone"/>  -->
         </classes>
     </test>
     <!--
diff --git a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
index 1e7a23fe380..412f8e14f66 100644
--- a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
+++ b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
@@ -3662,53 +3662,6 @@ protected void assertRoleTypes(RoleSelectionSpecification roleSpec, String... ex
         	}
         }
 	}
-	
-	protected void assertEncryptedUserPassword(String userOid, String expectedClearPassword) throws EncryptionException, ObjectNotFoundException, SchemaException {
-		OperationResult result = new OperationResult(AbstractIntegrationTest.class.getName()+".assertEncryptedUserPassword");
-		PrismObject<UserType> user = repositoryService.getObject(UserType.class, userOid, null, result);
-		result.computeStatus();
-		TestUtil.assertSuccess(result);
-		assertEncryptedUserPassword(user, expectedClearPassword);
-	}
-	
-	protected void assertEncryptedUserPassword(PrismObject<UserType> user, String expectedClearPassword) throws EncryptionException, SchemaException {
-		assertUserPassword(user, expectedClearPassword, CredentialsStorageTypeType.ENCRYPTION);
-	}
-	
-	protected void assertUserPassword(PrismObject<UserType> user, String expectedClearPassword) throws EncryptionException, SchemaException {
-		assertUserPassword(user, expectedClearPassword, getPasswordStorageType());
-	}
-
-	protected CredentialsStorageTypeType getPasswordStorageType() {
-		return CredentialsStorageTypeType.ENCRYPTION;
-	}
-
-	protected void assertUserPassword(PrismObject<UserType> user, String expectedClearPassword, CredentialsStorageTypeType storageType) throws EncryptionException, SchemaException {
-		UserType userType = user.asObjectable();
-		ProtectedStringType protectedActualPassword = userType.getCredentials().getPassword().getValue();
-		switch (storageType) {
-			
-			case NONE:
-				assertNull("Unexpected stored password "+protectedActualPassword+" in "+user, protectedActualPassword);
-				break;
-
-			case ENCRYPTION:
-				assertNotNull("No password for "+user, protectedActualPassword);
-				assertTrue("Unenctypted password for "+user+": "+protectedActualPassword, protectedActualPassword.isEncrypted());
-				String actualClearPassword = protector.decryptString(protectedActualPassword);
-				assertEquals("Wrong password for "+user, expectedClearPassword, actualClearPassword);
-				break;
-				
-			case HASHING:
-				assertNotNull("No password for "+user, protectedActualPassword);
-				assertTrue("Not hashed password for "+user+": "+protectedActualPassword, protectedActualPassword.isHashed());
-				ProtectedStringType expectedPs = new ProtectedStringType();
-				expectedPs.setClearValue(expectedClearPassword);
-				assertTrue("Wrong password for "+user+", expected "+expectedClearPassword+", but was "+protectedActualPassword, 
-						protector.compare(protectedActualPassword, expectedPs));
-		}
-		
-	}
 
 	protected void assertPasswordMetadata(PrismObject<UserType> user, boolean create, XMLGregorianCalendar start, XMLGregorianCalendar end, String actorOid, String channel) {
 		PrismContainer<MetadataType> metadataContainer = user.findContainer(new ItemPath(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD, PasswordType.F_METADATA));
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
index 83540936e25..9fe454fc8f1 100644
--- a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
+++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
@@ -1266,12 +1266,104 @@ protected void assertNotReached() {
 		AssertJUnit.fail("Unexpected success");
 	}
 	
+	protected CredentialsStorageTypeType getPasswordStorageType() {
+		return CredentialsStorageTypeType.ENCRYPTION;
+	}
+	
+	protected CredentialsStorageTypeType getPasswordHistoryStorageType() {
+		return CredentialsStorageTypeType.HASHING;
+	}
+	
+	protected void assertEncryptedUserPassword(String userOid, String expectedClearPassword) throws EncryptionException, ObjectNotFoundException, SchemaException {
+		OperationResult result = new OperationResult(AbstractIntegrationTest.class.getName()+".assertEncryptedUserPassword");
+		PrismObject<UserType> user = repositoryService.getObject(UserType.class, userOid, null, result);
+		result.computeStatus();
+		TestUtil.assertSuccess(result);
+		assertEncryptedUserPassword(user, expectedClearPassword);
+	}
+	
+	protected void assertEncryptedUserPassword(PrismObject<UserType> user, String expectedClearPassword) throws EncryptionException, SchemaException {
+		assertUserPassword(user, expectedClearPassword, CredentialsStorageTypeType.ENCRYPTION);
+	}
+	
+	protected void assertUserPassword(PrismObject<UserType> user, String expectedClearPassword) throws EncryptionException, SchemaException {
+		assertUserPassword(user, expectedClearPassword, getPasswordStorageType());
+	}
+
+	protected void assertUserPassword(PrismObject<UserType> user, String expectedClearPassword, CredentialsStorageTypeType storageType) throws EncryptionException, SchemaException {
+		UserType userType = user.asObjectable();
+		ProtectedStringType protectedActualPassword = userType.getCredentials().getPassword().getValue();
+		assertProtectedString("Password for "+user, expectedClearPassword, protectedActualPassword, storageType);
+	}
+	
+	protected void assertProtectedString(String message, String expectedClearValue, ProtectedStringType actualValue, CredentialsStorageTypeType storageType) throws EncryptionException, SchemaException {
+		switch (storageType) {
+			
+			case NONE:
+				assertNull(message+": unexpected value: "+actualValue, actualValue);
+				break;
+
+			case ENCRYPTION:
+				assertNotNull(message+": no value", actualValue);
+				assertTrue(message+": unenctypted value: "+actualValue, actualValue.isEncrypted());
+				String actualClearPassword = protector.decryptString(actualValue);
+				assertEquals(message+": wrong value", expectedClearValue, actualClearPassword);
+				break;
+				
+			case HASHING:
+				assertNotNull(message+": no value", actualValue);
+				assertTrue(message+": value not hashed: "+actualValue, actualValue.isHashed());
+				ProtectedStringType expectedPs = new ProtectedStringType();
+				expectedPs.setClearValue(expectedClearValue);
+				assertTrue(message+": hash does not match, expected "+expectedClearValue+", but was "+actualValue, 
+						protector.compare(actualValue, expectedPs));
+				break;
+				
+			default:
+				throw new IllegalArgumentException("Unknown storage "+storageType);
+		}
+		
+	}
+	
+	protected boolean compareProtectedString(String expectedClearValue, ProtectedStringType actualValue, CredentialsStorageTypeType storageType) throws EncryptionException, SchemaException {
+		switch (storageType) {
+			
+			case NONE:
+				return actualValue == null;
+
+			case ENCRYPTION:
+				if (actualValue == null) {
+					return false;
+				}
+				if (!actualValue.isEncrypted()) {
+					return false;
+				}
+				String actualClearPassword = protector.decryptString(actualValue);
+				return expectedClearValue.equals(actualClearPassword);
+				
+			case HASHING:
+				if (actualValue == null) {
+					return false;
+				}
+				if (!actualValue.isHashed()) {
+					return false;
+				}
+				ProtectedStringType expectedPs = new ProtectedStringType();
+				expectedPs.setClearValue(expectedClearValue);
+				return protector.compare(actualValue, expectedPs);
+				
+			default:
+				throw new IllegalArgumentException("Unknown storage "+storageType);
+		}
+		
+	}
+	
 	protected void assertPasswordHistoryEntries(PrismObject<UserType> user, String... changedPasswords) {
 		CredentialsType credentials = user.asObjectable().getCredentials();
 		assertNotNull("Null credentials in "+user, credentials);
 		PasswordType passwordType = credentials.getPassword();
 		assertNotNull("Null passwordType in "+user, passwordType);
-		assertPasswordHistoryEntries(user.toString(), passwordType.getHistoryEntry(), changedPasswords);
+		assertPasswordHistoryEntries(user.toString(), passwordType.getHistoryEntry(), getPasswordHistoryStorageType(), changedPasswords);
 	}
 	
 	protected void assertPasswordHistoryEntries(PasswordType passwordType, String... changedPasswords) {
@@ -1280,11 +1372,11 @@ protected void assertPasswordHistoryEntries(PasswordType passwordType, String...
 	
 	protected void assertPasswordHistoryEntries(List<PasswordHistoryEntryType> historyEntriesType,
 			String... changedPasswords) {
-		assertPasswordHistoryEntries(null, historyEntriesType, changedPasswords);
+		assertPasswordHistoryEntries(null, historyEntriesType, getPasswordHistoryStorageType(), changedPasswords);
 	}
 	
 	protected void assertPasswordHistoryEntries(String message, List<PasswordHistoryEntryType> historyEntriesType,
-			String... changedPasswords) {
+			CredentialsStorageTypeType storageType, String... changedPasswords) {
 		if (message == null) {
 			message = "";
 		} else {
@@ -1298,21 +1390,22 @@ protected void assertPasswordHistoryEntries(String message, List<PasswordHistory
 		assertEquals(message + "Unexpected number of history entries", changedPasswords.length, historyEntriesType.size());
 		for (PasswordHistoryEntryType historyEntry : historyEntriesType) {
 			boolean found = false;
-			try {
-				String clearValue = protector.decryptString(historyEntry.getValue());
+			try {				
 				for (String changedPassword : changedPasswords) {
-					if (changedPassword.equals(clearValue)) {
+					if (compareProtectedString(changedPassword, historyEntry.getValue(), storageType)) {
 						found = true;
+						break;
 					}
 				}
 
 				if (!found) {
-					AssertJUnit.fail(message + "Unexpected value saved in between password hisotry entries: " + clearValue
+					AssertJUnit.fail(message + "Unexpected value saved in between password hisotry entries: " 
+							+ getHumanReadablePassword(historyEntry.getValue())
 							+ ". Expected "+ Arrays.toString(changedPasswords)+"("+changedPasswords.length+"), was "
 							+ getPasswordHistoryHumanReadable(historyEntriesType) + "("+historyEntriesType.size()+")");
 				}
-			} catch (EncryptionException e) {
-				AssertJUnit.fail(message + "Could not encrypt password");
+			} catch (EncryptionException | SchemaException e) {
+				AssertJUnit.fail(message + "Could not encrypt password: "+e.getMessage());
 			}
 
 		}
@@ -1322,7 +1415,7 @@ protected String getPasswordHistoryHumanReadable(List<PasswordHistoryEntryType>
 		return historyEntriesType.stream()
 			.map(historyEntry -> {
 				try {
-					return protector.decryptString(historyEntry.getValue());
+					return getHumanReadablePassword(historyEntry.getValue());
 				} catch (EncryptionException e) {
 					throw new SystemException(e.getMessage(), e);
 				}
@@ -1330,6 +1423,19 @@ protected String getPasswordHistoryHumanReadable(List<PasswordHistoryEntryType>
 			.collect(Collectors.joining(", "));
 	}
 	
+	protected String getHumanReadablePassword(ProtectedStringType ps) throws EncryptionException {
+		if (ps == null) {
+			return null;
+		}
+		if (ps.isEncrypted()) {
+			return "[E:"+protector.decryptString(ps)+"]";
+		}
+		if (ps.isHashed()) {
+			return "[H:"+ps.getHashedDataType().getDigestValue().length*8+"bit]";
+		}
+		return ps.getClearValue();
+	}
+	
 	protected void logTrustManagers() throws NoSuchAlgorithmException, KeyStoreException {
 		TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 		trustManagerFactory.init((KeyStore)null);
diff --git a/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/SecurityUtil.java b/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/SecurityUtil.java
index bbe931f11a0..e5b35bb741c 100644
--- a/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/SecurityUtil.java
+++ b/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/SecurityUtil.java
@@ -17,6 +17,7 @@
 
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.function.Function;
 
 import com.evolveum.midpoint.util.MiscUtil;
 import org.springframework.security.access.ConfigAttribute;
@@ -26,6 +27,7 @@
 import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
 
 /**
  * @author Radovan Semancik
@@ -107,4 +109,20 @@ public static String getSubjectDescription() {
 		return ((MidPointPrincipal)principalObject).getUsername();
 	}
 	
+	public static <T> T getCredPolicyItem(CredentialPolicyType defaltCredPolicyType, CredentialPolicyType credPolicyType, Function<CredentialPolicyType, T> getter) {
+		if (credPolicyType != null) {
+			T val = getter.apply(credPolicyType);
+			if (val != null) {
+				return val;
+			}
+		}
+		if (defaltCredPolicyType != null) {
+			T val = getter.apply(defaltCredPolicyType);
+			if (val != null) {
+				return val;
+			}
+		}
+		return null;
+	}
+	
 }

From 73526afc961182becc9d0f14c63298d6ec4b5c8d Mon Sep 17 00:00:00 2001
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Fri, 10 Mar 2017 19:56:40 +0100
Subject: [PATCH 6/7] Test cleanup (possible fix for test deadlock)

---
 ...bstractConfiguredModelIntegrationTest.java |  4 +--
 ...stractInitializedModelIntegrationTest.java | 30 ++++---------------
 .../midpoint/model/intest/TestActivation.java |  6 ++--
 .../intest/TestConnectorMultiInstance.java    | 30 +++++--------------
 .../model/intest/TestMultiResource.java       |  2 +-
 .../model/intest/TestPreviewChanges.java      | 22 ++++++--------
 .../model/intest/TestTolerantAttributes.java  | 24 +++++++--------
 ...my-yellow.xml => resource-dummy-lemon.xml} |  6 ++--
 .../test/AbstractModelIntegrationTest.java    |  6 ++++
 .../model/test/DummyResourceCollection.java   | 11 +++++++
 .../test/AbstractIntegrationTest.java         | 10 +++++++
 .../midpoint/test/DummyResourceContoller.java | 12 +++++++-
 12 files changed, 82 insertions(+), 81 deletions(-)
 rename model/model-intest/src/test/resources/preview/{resource-dummy-yellow.xml => resource-dummy-lemon.xml} (98%)

diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
index eb9ad5a92fa..d956357bb4e 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
@@ -138,7 +138,7 @@ public class AbstractConfiguredModelIntegrationTest extends AbstractModelIntegra
 	protected static final String RESOURCE_DUMMY_WHITE_NAMESPACE = MidPointConstants.NS_RI;
 
     // YELLOW dummy resource is the same as default one but with strong asIs administrativeStatus mapping
-    protected static final String RESOURCE_DUMMY_YELLOW_FILENAME = COMMON_DIR + "/resource-dummy-yellow.xml";
+    protected static final File RESOURCE_DUMMY_YELLOW_FILE = new File(COMMON_DIR, "resource-dummy-yellow.xml");
     protected static final String RESOURCE_DUMMY_YELLOW_OID = "10000000-0000-0000-0000-000000000704";
     protected static final String RESOURCE_DUMMY_YELLOW_NAME = "yellow";
     protected static final String RESOURCE_DUMMY_YELLOW_NAMESPACE = MidPointConstants.NS_RI;
@@ -159,7 +159,7 @@ public class AbstractConfiguredModelIntegrationTest extends AbstractModelIntegra
 	protected static final String RESOURCE_DUMMY_EMERALD_NAMESPACE = MidPointConstants.NS_RI;
 
 	// Black dummy resource for testing tolerant attributes
-	protected static final String RESOURCE_DUMMY_BLACK_FILENAME = COMMON_DIR + "/resource-dummy-black.xml";
+	protected static final File RESOURCE_DUMMY_BLACK_FILE = new File(COMMON_DIR, "resource-dummy-black.xml");
 	protected static final String RESOURCE_DUMMY_BLACK_OID = "10000000-0000-0000-0000-000000000305";
 	protected static final String RESOURCE_DUMMY_BLACK_NAME = "black";
 	protected static final String RESOURCE_DUMMY_BLACK_NAMESPACE = MidPointConstants.NS_RI;
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractInitializedModelIntegrationTest.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractInitializedModelIntegrationTest.java
index 3334eaf08eb..cd104a88654 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractInitializedModelIntegrationTest.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractInitializedModelIntegrationTest.java
@@ -104,11 +104,6 @@ public class AbstractInitializedModelIntegrationTest extends AbstractConfiguredM
 	protected ResourceType resourceDummyWhiteType;
 	protected PrismObject<ResourceType> resourceDummyWhite;
 
-    protected DummyResource dummyResourceYellow;
-    protected DummyResourceContoller dummyResourceCtlYellow;
-    protected ResourceType resourceDummyYellowType;
-    protected PrismObject<ResourceType> resourceDummyYellow;
-
     protected DummyResource dummyResourceGreen;
 	protected DummyResourceContoller dummyResourceCtlGreen;
 	protected ResourceType resourceDummyGreenType;
@@ -119,11 +114,6 @@ public class AbstractInitializedModelIntegrationTest extends AbstractConfiguredM
 	protected ResourceType resourceDummyEmeraldType;
 	protected PrismObject<ResourceType> resourceDummyEmerald;
 	
-	protected DummyResource dummyResourceBlack;
-	protected DummyResourceContoller dummyResourceCtlBlack;
-	protected ResourceType resourceDummyBlackType;
-	protected PrismObject<ResourceType> resourceDummyBlack;
-
 	protected DummyResource dummyResourceOrange;
 	protected DummyResourceContoller dummyResourceCtlOrange;
 	protected ResourceType resourceDummyOrangeType;
@@ -164,6 +154,12 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		dummyResourceCtlRed = initDummyResourcePirate(RESOURCE_DUMMY_RED_NAME, 
 				RESOURCE_DUMMY_RED_FILE, RESOURCE_DUMMY_RED_OID, initTask, initResult);
 		
+		initDummyResourcePirate(RESOURCE_DUMMY_YELLOW_NAME, 
+				RESOURCE_DUMMY_YELLOW_FILE, RESOURCE_DUMMY_YELLOW_OID, initTask, initResult);
+		
+		initDummyResourcePirate(RESOURCE_DUMMY_BLACK_NAME, 
+				RESOURCE_DUMMY_BLACK_FILE, RESOURCE_DUMMY_BLACK_OID, initTask, initResult);
+		
 		dummyResourceCtlBlue = DummyResourceContoller.create(RESOURCE_DUMMY_BLUE_NAME, resourceDummyBlue);
 		dummyResourceCtlBlue.extendSchemaPirate();
 		dummyResourceBlue = dummyResourceCtlBlue.getDummyResource();
@@ -185,13 +181,6 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		resourceDummyWhiteType = resourceDummyWhite.asObjectable();
 		dummyResourceCtlWhite.setResource(resourceDummyWhite);
 
-        dummyResourceCtlYellow = DummyResourceContoller.create(RESOURCE_DUMMY_YELLOW_NAME, resourceDummyYellow);
-        dummyResourceCtlYellow.extendSchemaPirate();
-        dummyResourceYellow = dummyResourceCtlYellow.getDummyResource();
-        resourceDummyYellow = importAndGetObjectFromFile(ResourceType.class, RESOURCE_DUMMY_YELLOW_FILENAME, RESOURCE_DUMMY_YELLOW_OID, initTask, initResult);
-        resourceDummyYellowType = resourceDummyYellow.asObjectable();
-        dummyResourceCtlYellow.setResource(resourceDummyYellow);
-
         dummyResourceCtlGreen = DummyResourceContoller.create(RESOURCE_DUMMY_GREEN_NAME, resourceDummyGreen);
 		dummyResourceCtlGreen.extendSchemaPirate();
 		dummyResourceGreen = dummyResourceCtlGreen.getDummyResource();
@@ -206,13 +195,6 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		resourceDummyEmerald = importAndGetObjectFromFile(ResourceType.class, getResourceDummyEmeraldFile(), RESOURCE_DUMMY_EMERALD_OID, initTask, initResult); 
 		resourceDummyEmeraldType = resourceDummyEmerald.asObjectable();
 		dummyResourceCtlEmerald.setResource(resourceDummyEmerald);
-		
-		dummyResourceCtlBlack = DummyResourceContoller.create(RESOURCE_DUMMY_BLACK_NAME, resourceDummyBlack);
-		dummyResourceCtlBlack.extendSchemaPirate();
-		dummyResourceBlack = dummyResourceCtlBlack.getDummyResource();
-		resourceDummyBlack = importAndGetObjectFromFile(ResourceType.class, RESOURCE_DUMMY_BLACK_FILENAME, RESOURCE_DUMMY_BLACK_OID, initTask, initResult);
-		resourceDummyBlackType = resourceDummyBlack.asObjectable();
-		dummyResourceCtlBlack.setResource(resourceDummyBlack);
 
 		dummyResourceCtlOrange = DummyResourceContoller.create(RESOURCE_DUMMY_ORANGE_NAME, resourceDummyOrange);
 		dummyResourceCtlOrange.extendSchemaPirate();
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestActivation.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestActivation.java
index ed2f4110487..adddd7e1f81 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestActivation.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestActivation.java
@@ -999,7 +999,8 @@ public void test150ModifyUserJackAssignYellowAccount() throws Exception {
 
         // Check shadow
         PrismObject<ShadowType> accountShadowYellow = getShadowModel(accountYellowOid);
-        assertAccountShadowModel(accountShadowYellow, accountYellowOid, ACCOUNT_JACK_DUMMY_USERNAME, resourceDummyYellowType);
+        assertAccountShadowModel(accountShadowYellow, accountYellowOid, ACCOUNT_JACK_DUMMY_USERNAME, 
+        		getDummyResourceType(RESOURCE_DUMMY_YELLOW_NAME));
         assertAdministrativeStatusEnabled(accountShadowYellow);
         TestUtil.assertCreateTimestamp(accountShadowYellow, start, end);
         assertEnableTimestampShadow(accountShadowYellow, start, end);
@@ -1108,7 +1109,8 @@ private void checkAdminStatusFor15x(PrismObject<UserType> user, boolean userStat
         	assertDisableReasonShadow(account, SchemaConstants.MODEL_DISABLE_REASON_EXPLICIT);
         }
         
-        assertAccountShadowModel(accountYellow, accountYellowOid, ACCOUNT_JACK_DUMMY_USERNAME, resourceDummyYellowType);
+        assertAccountShadowModel(accountYellow, accountYellowOid, ACCOUNT_JACK_DUMMY_USERNAME, 
+        		getDummyResourceType(RESOURCE_DUMMY_YELLOW_NAME));
         assertAdministrativeStatus(accountYellow, accountStatusYellow ? ActivationStatusType.ENABLED : ActivationStatusType.DISABLED);
         if (!accountStatusYellow) {
         	assertDisableReasonShadow(accountYellow, SchemaConstants.MODEL_DISABLE_REASON_EXPLICIT);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestConnectorMultiInstance.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestConnectorMultiInstance.java
index 17d762c5453..74180891324 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestConnectorMultiInstance.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestConnectorMultiInstance.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -64,13 +64,6 @@ public class TestConnectorMultiInstance extends AbstractConfiguredModelIntegrati
 	
 	protected DummyResource dummyResourceYellow;
     protected DummyResourceContoller dummyResourceCtlYellow;
-    protected ResourceType resourceDummyYellowType;
-    protected PrismObject<ResourceType> resourceDummyYellow;
-    
-    protected DummyResource dummyResourceBlack;
-	protected DummyResourceContoller dummyResourceCtlBlack;
-	protected ResourceType resourceDummyBlackType;
-	protected PrismObject<ResourceType> resourceDummyBlack;
 	
 	private String accountJackYellowOid;
 	private String initialConnectorStaticVal;
@@ -82,19 +75,10 @@ public class TestConnectorMultiInstance extends AbstractConfiguredModelIntegrati
 	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
 		super.initSystem(initTask, initResult);
 		
-		dummyResourceCtlYellow = DummyResourceContoller.create(RESOURCE_DUMMY_YELLOW_NAME, resourceDummyYellow);
-        dummyResourceCtlYellow.extendSchemaPirate();
-        dummyResourceYellow = dummyResourceCtlYellow.getDummyResource();
-        resourceDummyYellow = importAndGetObjectFromFile(ResourceType.class, RESOURCE_DUMMY_YELLOW_FILENAME, RESOURCE_DUMMY_YELLOW_OID, initTask, initResult);
-        resourceDummyYellowType = resourceDummyYellow.asObjectable();
-        dummyResourceCtlYellow.setResource(resourceDummyYellow);
+		dummyResourceCtlYellow = initDummyResourcePirate(RESOURCE_DUMMY_YELLOW_NAME, RESOURCE_DUMMY_YELLOW_FILE, RESOURCE_DUMMY_YELLOW_OID, initTask, initResult);
+		dummyResourceYellow = dummyResourceCtlYellow.getDummyResource();
         
-        dummyResourceCtlBlack = DummyResourceContoller.create(RESOURCE_DUMMY_BLACK_NAME, resourceDummyBlack);
-		dummyResourceCtlBlack.extendSchemaPirate();
-		dummyResourceBlack = dummyResourceCtlBlack.getDummyResource();
-		resourceDummyBlack = importAndGetObjectFromFile(ResourceType.class, RESOURCE_DUMMY_BLACK_FILENAME, RESOURCE_DUMMY_BLACK_OID, initTask, initResult);
-		resourceDummyBlackType = resourceDummyBlack.asObjectable();
-		dummyResourceCtlBlack.setResource(resourceDummyBlack);
+		initDummyResourcePirate(RESOURCE_DUMMY_BLACK_NAME, RESOURCE_DUMMY_BLACK_FILE, RESOURCE_DUMMY_BLACK_OID, initTask, initResult);
         
         repoAddObjectFromFile(USER_JACK_FILE, true, initResult);
         repoAddObjectFromFile(USER_GUYBRUSH_FILE, true, initResult);
@@ -365,9 +349,9 @@ public void test200GuybrushAssignDummyBlack() throws Exception {
         assertConnectorInstances("black", RESOURCE_DUMMY_BLACK_OID, 0, 1);
         assertConnectorInstances("yellow", RESOURCE_DUMMY_YELLOW_OID, 0, 2);
         
-        assertConnectorToStringDifferent(shadowBlack, dummyResourceCtlBlack, initialConnectorStaticVal);
-        assertConnectorToStringDifferent(shadowBlack, dummyResourceCtlBlack, initialConnectorToString);
-        assertConnectorStaticVal(shadowBlack, dummyResourceCtlBlack, initialConnectorStaticVal);
+        assertConnectorToStringDifferent(shadowBlack, getDummyResourceController(RESOURCE_DUMMY_BLACK_NAME), initialConnectorStaticVal);
+        assertConnectorToStringDifferent(shadowBlack, getDummyResourceController(RESOURCE_DUMMY_BLACK_NAME), initialConnectorToString);
+        assertConnectorStaticVal(shadowBlack, getDummyResourceController(RESOURCE_DUMMY_BLACK_NAME), initialConnectorStaticVal);
 
 	}
 
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestMultiResource.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestMultiResource.java
index 6cff2b67752..f0364dcf1b0 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestMultiResource.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestMultiResource.java
@@ -1523,7 +1523,7 @@ public void test382AddAccountYellow() throws Exception {
 		Task task = taskManager.createTaskInstance(TestRbac.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
         		
-        ObjectDelta<UserType> userDelta = createModifyUserAddAccount(USER_JACK_OID, resourceDummyYellow);
+        ObjectDelta<UserType> userDelta = createModifyUserAddAccount(USER_JACK_OID, getDummyResourceObject(RESOURCE_DUMMY_YELLOW_NAME));
         
         // WHEN
         TestUtil.displayWhen(TEST_NAME);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPreviewChanges.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPreviewChanges.java
index 3e89d6fc1ae..99b35736c7a 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPreviewChanges.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPreviewChanges.java
@@ -94,10 +94,10 @@ public class TestPreviewChanges extends AbstractInitializedModelIntegrationTest
 	public static final File TEST_DIR = new File("src/test/resources/preview");
 
 	// YELLOW dummy resource has a STRICT dependency on default dummy resource
-	protected static final File RESOURCE_DUMMY_YELLOW_FILE = new File(TEST_DIR, "resource-dummy-yellow.xml");
-	protected static final String RESOURCE_DUMMY_YELLOW_OID = "10000000-0000-0000-0000-000000000504";
-	protected static final String RESOURCE_DUMMY_YELLOW_NAME = "yellow";
-	protected static final String RESOURCE_DUMMY_YELLOW_NAMESPACE = MidPointConstants.NS_RI;
+	protected static final File RESOURCE_DUMMY_LEMON_FILE = new File(TEST_DIR, "resource-dummy-lemon.xml");
+	protected static final String RESOURCE_DUMMY_LEMON_OID = "10000000-0000-0000-0000-000000000504";
+	protected static final String RESOURCE_DUMMY_LEMON_NAME = "lemon";
+	protected static final String RESOURCE_DUMMY_LEMON_NAMESPACE = MidPointConstants.NS_RI;
 
 	private static final String USER_MORGAN_OID = "c0c010c0-d34d-b33f-f00d-171171117777";
 	private static final String USER_BLACKBEARD_OID = "c0c010c0-d34d-b33f-f00d-161161116666";
@@ -110,12 +110,8 @@ public class TestPreviewChanges extends AbstractInitializedModelIntegrationTest
 	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
 		super.initSystem(initTask, initResult);
 
-		dummyResourceCtlYellow = DummyResourceContoller.create(RESOURCE_DUMMY_YELLOW_NAME, resourceDummyYellow);
-		dummyResourceCtlYellow.extendSchemaPirate();
-		dummyResourceYellow = dummyResourceCtlYellow.getDummyResource();
-		resourceDummyYellow = importAndGetObjectFromFile(ResourceType.class, RESOURCE_DUMMY_YELLOW_FILE, RESOURCE_DUMMY_YELLOW_OID, initTask, initResult);
-		resourceDummyYellowType = resourceDummyYellow.asObjectable();
-		dummyResourceCtlYellow.setResource(resourceDummyYellow);
+		initDummyResourcePirate(RESOURCE_DUMMY_LEMON_NAME, 
+				RESOURCE_DUMMY_LEMON_FILE, RESOURCE_DUMMY_LEMON_OID, initTask, initResult);
 	}
 
 	@Test
@@ -1347,16 +1343,16 @@ public void test630AddUserRogers() throws Exception {
 		// administrativeStatus (ENABLED), enableTimestamp, ship (from organizationalUnit), name, gossip, water, iteration, iterationToken, password/value
 		PrismAsserts.assertModifications(accountSecondaryDelta, 9);
 		PrismAsserts.assertPropertyReplace(accountSecondaryDelta,
-				getAttributePath(resourceDummyYellow, DummyResourceContoller.DUMMY_ACCOUNT_ATTRIBUTE_SHIP_NAME),
+				getAttributePath(getDummyResourceObject(RESOURCE_DUMMY_LEMON_NAME), DummyResourceContoller.DUMMY_ACCOUNT_ATTRIBUTE_SHIP_NAME),
 				"The crew of The Sea Monkey");
 		PrismAsserts.assertPropertyReplace(accountSecondaryDelta,
 				new ItemPath(ShadowType.F_ATTRIBUTES, SchemaConstants.ICFS_NAME),
 				"rogers");
 		PrismAsserts.assertPropertyAdd(accountSecondaryDelta,
-				getAttributePath(resourceDummyYellow, DummyResourceContoller.DUMMY_ACCOUNT_ATTRIBUTE_GOSSIP_NAME),
+				getAttributePath(getDummyResourceObject(RESOURCE_DUMMY_LEMON_NAME), DummyResourceContoller.DUMMY_ACCOUNT_ATTRIBUTE_GOSSIP_NAME),
 				"Rum Rogers Sr. must be the best pirate the  has ever seen");
 		PrismAsserts.assertPropertyReplace(accountSecondaryDelta,
-				getAttributePath(resourceDummyYellow, DummyResourceContoller.DUMMY_ACCOUNT_ATTRIBUTE_WATER_NAME),
+				getAttributePath(getDummyResourceObject(RESOURCE_DUMMY_LEMON_NAME), DummyResourceContoller.DUMMY_ACCOUNT_ATTRIBUTE_WATER_NAME),
 				"pirate Rum Rogers Sr. drinks only rum!");
 	}
 	
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestTolerantAttributes.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestTolerantAttributes.java
index 9727701c2b5..f0de51fe68c 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestTolerantAttributes.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestTolerantAttributes.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -112,12 +112,12 @@ public void test100ModifyUserAddAccount() throws Exception {
         
 		// Check shadow
         PrismObject<ShadowType> accountShadow = repositoryService.getObject(ShadowType.class, accountOid, null, result);
-        assertAccountShadowRepo(accountShadow, accountOid, "jack", resourceDummyBlackType);
+        assertAccountShadowRepo(accountShadow, accountOid, "jack", getDummyResourceType(RESOURCE_DUMMY_BLACK_NAME));
         assertEnableTimestampShadow(accountShadow, startTime, endTime);
         
         // Check account
         PrismObject<ShadowType> accountModel = modelService.getObject(ShadowType.class, accountOid, null, task, result);
-        assertAccountShadowModel(accountModel, accountOid, "jack", resourceDummyBlackType);
+        assertAccountShadowModel(accountModel, accountOid, "jack", getDummyResourceType(RESOURCE_DUMMY_BLACK_NAME));
         
         accountDefinition = accountModel.getDefinition();
         
@@ -159,11 +159,11 @@ public void test101modifyAddAttributesIntolerantPattern() throws Exception{
 	        
 			// Check shadow
 	        PrismObject<ShadowType> accountShadow = repositoryService.getObject(ShadowType.class, accountOid, null, result);
-	        assertAccountShadowRepo(accountShadow, accountOid, "jack", resourceDummyBlackType);
+	        assertAccountShadowRepo(accountShadow, accountOid, "jack", getDummyResourceType(RESOURCE_DUMMY_BLACK_NAME));
 	        
 	        // Check account
 	        PrismObject<ShadowType> accountModel = modelService.getObject(ShadowType.class, accountOid, null, task, result);
-	        assertAccountShadowModel(accountModel, accountOid, "jack", resourceDummyBlackType);
+	        assertAccountShadowModel(accountModel, accountOid, "jack", getDummyResourceType(RESOURCE_DUMMY_BLACK_NAME));
 	        
 	        // Check account in dummy resource
 	        assertAccount(userJack, RESOURCE_DUMMY_BLACK_OID);
@@ -207,11 +207,11 @@ public void test102modifyAddAttributeTolerantPattern() throws Exception{
 	        
 			// Check shadow
 	        PrismObject<ShadowType> accountShadow = repositoryService.getObject(ShadowType.class, accountOid, null, result);
-	        assertAccountShadowRepo(accountShadow, accountOid, "jack", resourceDummyBlackType);
+	        assertAccountShadowRepo(accountShadow, accountOid, "jack", getDummyResourceType(RESOURCE_DUMMY_BLACK_NAME));
 	        
 	        // Check account
 	        PrismObject<ShadowType> accountModel = modelService.getObject(ShadowType.class, accountOid, null, task, result);
-	        assertAccountShadowModel(accountModel, accountOid, "jack", resourceDummyBlackType);
+	        assertAccountShadowModel(accountModel, accountOid, "jack", getDummyResourceType(RESOURCE_DUMMY_BLACK_NAME));
 	        
 	        // Check account in dummy resource
 	        assertAccount(userJack, RESOURCE_DUMMY_BLACK_OID);
@@ -255,11 +255,11 @@ public void test103modifyReplaceAttributeIntolerant() throws Exception{
 	        
 			// Check shadow
 	        PrismObject<ShadowType> accountShadow = repositoryService.getObject(ShadowType.class, accountOid, null, result);
-	        assertAccountShadowRepo(accountShadow, accountOid, "jack", resourceDummyBlackType);
+	        assertAccountShadowRepo(accountShadow, accountOid, "jack", getDummyResourceType(RESOURCE_DUMMY_BLACK_NAME));
 	        
 	        // Check account
 	        PrismObject<ShadowType> accountModel = modelService.getObject(ShadowType.class, accountOid, null, task, result);
-	        assertAccountShadowModel(accountModel, accountOid, "jack", resourceDummyBlackType);
+	        assertAccountShadowModel(accountModel, accountOid, "jack", getDummyResourceType(RESOURCE_DUMMY_BLACK_NAME));
 	        
 	        // Check account in dummy resource
 	        assertAccount(userJack, RESOURCE_DUMMY_BLACK_OID);
@@ -279,7 +279,7 @@ public void test104modifyReplaceAttributeTolerantPattern() throws Exception{
 	        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.POSITIVE);
 	        
 	        ObjectDelta<UserType> userDelta = ObjectDelta.createEmptyModifyDelta(UserType.class, USER_JACK_OID, prismContext);
-	        ItemPath drinkItemPath = new ItemPath(new QName(resourceDummyBlackType.getNamespace(), "drink"));
+	        ItemPath drinkItemPath = new ItemPath(new QName(getDummyResourceType(RESOURCE_DUMMY_BLACK_NAME).getNamespace(), "drink"));
 	        PropertyDelta propertyDelta = PropertyDelta.createModificationReplaceProperty(new ItemPath(UserType.F_EMPLOYEE_NUMBER), getUserDefinition(), "thiIsOk");
 			userDelta.addModification(propertyDelta);
 			Collection<ObjectDelta<? extends ObjectType>> deltas = (Collection)MiscUtil.createCollection(userDelta);
@@ -303,11 +303,11 @@ public void test104modifyReplaceAttributeTolerantPattern() throws Exception{
 	        
 			// Check shadow
 	        PrismObject<ShadowType> accountShadow = repositoryService.getObject(ShadowType.class, accountOid, null, result);
-	        assertAccountShadowRepo(accountShadow, accountOid, "jack", resourceDummyBlackType);
+	        assertAccountShadowRepo(accountShadow, accountOid, "jack", getDummyResourceType(RESOURCE_DUMMY_BLACK_NAME));
 	        
 	        // Check account
 	        PrismObject<ShadowType> accountModel = modelService.getObject(ShadowType.class, accountOid, null, task, result);
-	        assertAccountShadowModel(accountModel, accountOid, "jack", resourceDummyBlackType);
+	        assertAccountShadowModel(accountModel, accountOid, "jack", getDummyResourceType(RESOURCE_DUMMY_BLACK_NAME));
 	        
 	        // Check account in dummy resource
 	        assertAccount(userJack, RESOURCE_DUMMY_BLACK_OID);
diff --git a/model/model-intest/src/test/resources/preview/resource-dummy-yellow.xml b/model/model-intest/src/test/resources/preview/resource-dummy-lemon.xml
similarity index 98%
rename from model/model-intest/src/test/resources/preview/resource-dummy-yellow.xml
rename to model/model-intest/src/test/resources/preview/resource-dummy-lemon.xml
index c9f78b242f5..162b330e414 100644
--- a/model/model-intest/src/test/resources/preview/resource-dummy-yellow.xml
+++ b/model/model-intest/src/test/resources/preview/resource-dummy-lemon.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2010-2015 Evolveum
+  ~ Copyright (c) 2010-2017 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -28,7 +28,7 @@
           xmlns:xsd="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 								  
-	<name>Dummy Resource Yellow</name>
+	<name>Dummy Resource Lemon</name>
 	<connectorRef type="c:ConnectorType">
 		<filter>
 			<q:and>
@@ -47,7 +47,7 @@
 	               xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
 					   
 		<icfc:configurationProperties>
-			<icfi:instanceId>yellow</icfi:instanceId>
+			<icfi:instanceId>lemon</icfi:instanceId>
 		</icfc:configurationProperties>
 
 	</connectorConfiguration>
diff --git a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
index 412f8e14f66..31cd1adfb27 100644
--- a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
+++ b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
@@ -276,6 +276,12 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
             notificationManager.setDisabled(true);
         }
 	}
+	
+	@Override
+	public void postInitSystem(Task initTask, OperationResult initResult) throws Exception {
+		super.postInitSystem(initTask, initResult);
+		dummyResourceCollection.resetResources();
+	}
 
 	protected void startResources() throws Exception {
 		// Nothing to do by default
diff --git a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/DummyResourceCollection.java b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/DummyResourceCollection.java
index 6e8a95b0ecc..b24c2172f6f 100644
--- a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/DummyResourceCollection.java
+++ b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/DummyResourceCollection.java
@@ -18,6 +18,7 @@
 import java.io.File;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.function.Consumer;
 
 import com.evolveum.icf.dummy.resource.DummyResource;
 import com.evolveum.midpoint.model.api.ModelService;
@@ -95,4 +96,14 @@ public DummyResource getDummyResource(String name) {
 		return get(name).getDummyResource();
 	}
 	
+	public void forEachResourceCtl(Consumer<DummyResourceContoller> lambda) {
+		map.forEach((k,v) -> lambda.accept(v));
+	}
+	
+	/**
+	 * Resets the blocking state, error simulation, etc.
+	 */
+	public void resetResources() {
+		forEachResourceCtl(c -> c.reset());
+	}
 }
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
index 9fe454fc8f1..417362f6201 100644
--- a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
+++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
@@ -208,6 +208,8 @@ public void initSystemConditional() throws Exception {
 			
 			initSystem(initTask, result);
 			
+			postInitSystem(initTask, result);
+			
 			result.computeStatus();
 			IntegrationTestTools.display("initSystem result", result);
 			TestUtil.assertSuccessOrWarning("initSystem failed (result)", result, 1);
@@ -230,6 +232,14 @@ protected void unsetSystemInitialized() {
 
 	abstract public void initSystem(Task initTask, OperationResult initResult) throws Exception;
 
+	/**
+	 * May be used to clean up initialized objects as all of the initialized objects should be
+	 * available at this time.
+	 */
+	protected void postInitSystem(Task initTask, OperationResult initResult) throws Exception {
+		// Nothing to do by default
+	};
+	
 	protected <T extends ObjectType> PrismObject<T> repoAddObjectFromFile(String filePath,
 			OperationResult parentResult) throws SchemaException, ObjectAlreadyExistsException, EncryptionException, IOException {
 		return repoAddObjectFromFile(new File(filePath), parentResult);
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/DummyResourceContoller.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/DummyResourceContoller.java
index acd10cb7e7c..b9d31db47a0 100644
--- a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/DummyResourceContoller.java
+++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/DummyResourceContoller.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,6 +30,7 @@
 
 import org.apache.commons.lang.StringUtils;
 
+import com.evolveum.icf.dummy.resource.BreakMode;
 import com.evolveum.icf.dummy.resource.ConflictException;
 import com.evolveum.icf.dummy.resource.DummyAccount;
 import com.evolveum.icf.dummy.resource.DummyAttributeDefinition;
@@ -405,4 +406,13 @@ public QName getAccountObjectClassQName() {
 		return new QName(getNamespace(), SchemaTestConstants.ACCOUNT_OBJECT_CLASS_LOCAL_NAME);
 	}
 
+	/**
+	 * Resets the blocking state, error simulation, etc.
+	 */
+	public void reset() {
+		dummyResource.setBreakMode(BreakMode.NONE);
+		dummyResource.setBlockOperations(false);
+		dummyResource.unblockAll();
+	}
+
 }

From 88df3880575518665573fa785d696719df7deeb9 Mon Sep 17 00:00:00 2001
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Mon, 13 Mar 2017 10:36:41 +0100
Subject: [PATCH 7/7] Fixing intests

---
 .../LayerRefinedAttributeDefinitionImpl.java       |  7 ++++++-
 .../evolveum/midpoint/prism/ItemDefinition.java    |  7 ++++++-
 .../midpoint/prism/ItemDefinitionImpl.java         |  3 ++-
 .../com/evolveum/midpoint/prism/PrismProperty.java |  4 ++--
 .../model/intest/TestConnectorMultiInstance.java   |  2 ++
 .../model/intest/TestModelServiceContract.java     |  2 +-
 .../midpoint/model/intest/TestPreviewChanges.java  | 14 +++++++-------
 .../model/test/AbstractModelIntegrationTest.java   |  4 +++-
 8 files changed, 29 insertions(+), 14 deletions(-)

diff --git a/infra/common/src/main/java/com/evolveum/midpoint/common/refinery/LayerRefinedAttributeDefinitionImpl.java b/infra/common/src/main/java/com/evolveum/midpoint/common/refinery/LayerRefinedAttributeDefinitionImpl.java
index da51745b2bc..f0a8cae66cb 100644
--- a/infra/common/src/main/java/com/evolveum/midpoint/common/refinery/LayerRefinedAttributeDefinitionImpl.java
+++ b/infra/common/src/main/java/com/evolveum/midpoint/common/refinery/LayerRefinedAttributeDefinitionImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -588,6 +588,11 @@ public boolean isHeterogeneousListItem() {
 		return refinedAttributeDefinition.isHeterogeneousListItem();
 	}
 
+	@Override
+	public void debugDumpShortToString(StringBuilder sb) {
+		refinedAttributeDefinition.debugDumpShortToString(sb);
+	}
+
 	//endregion
 	
 }
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/ItemDefinition.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/ItemDefinition.java
index 09fa5d47590..d7a845fd6e4 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/ItemDefinition.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/ItemDefinition.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -143,4 +143,9 @@ public interface ItemDefinition<I extends Item> extends Definition {
 	@Override
 	void revive(PrismContext prismContext);
 
+	/**
+	 * Used in debugDumping items. Does not need to have name in it as item already has it. Does not need
+	 * to have class as that is just too much info that is almost anytime pretty obvious anyway.
+	 */
+	void debugDumpShortToString(StringBuilder sb);
 }
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/ItemDefinitionImpl.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/ItemDefinitionImpl.java
index 3b3cefeae6c..d8ad57d6e57 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/ItemDefinitionImpl.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/ItemDefinitionImpl.java
@@ -430,7 +430,8 @@ public String toString() {
 	 * Used in debugDumping items. Does not need to have name in it as item already has it. Does not need
 	 * to have class as that is just too much info that is almost anytime pretty obvious anyway.
 	 */
-	void debugDumpShortToString(StringBuilder sb) {
+	@Override
+	public void debugDumpShortToString(StringBuilder sb) {
 		sb.append(PrettyPrinter.prettyPrint(getTypeName()));
         debugMultiplicity(sb);
         debugFlags(sb);
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/PrismProperty.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/PrismProperty.java
index 8d4fd5e87cc..fcb3f1b8bf1 100644
--- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/PrismProperty.java
+++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/PrismProperty.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -565,7 +565,7 @@ public String debugDump(int indent) {
         
         if (def != null && DebugUtil.isDetailedDebugDump()) {
             sb.append(" def(");
-			((PrismPropertyDefinitionImpl) def).debugDumpShortToString(sb);
+            def.debugDumpShortToString(sb);
 //            if (def.isIndexed() != null) {
 //                sb.append(def.isIndexed() ? ",i+" : ",i-");
 //            }
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestConnectorMultiInstance.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestConnectorMultiInstance.java
index 74180891324..cae51f52dbc 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestConnectorMultiInstance.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestConnectorMultiInstance.java
@@ -80,6 +80,8 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
         
 		initDummyResourcePirate(RESOURCE_DUMMY_BLACK_NAME, RESOURCE_DUMMY_BLACK_FILE, RESOURCE_DUMMY_BLACK_OID, initTask, initResult);
         
+		repoAddObjectFromFile(SECURITY_POLICY_FILE, initResult);
+		
         repoAddObjectFromFile(USER_JACK_FILE, true, initResult);
         repoAddObjectFromFile(USER_GUYBRUSH_FILE, true, initResult);
 	}
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestModelServiceContract.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestModelServiceContract.java
index 31be5bffe81..5df5f75c995 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestModelServiceContract.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestModelServiceContract.java
@@ -1132,7 +1132,7 @@ public void test131ModifyUserJackAssignAccount() throws Exception {
         TestUtil.assertSuccess("executeChanges result", result);
         XMLGregorianCalendar endTime = clock.currentTimeXMLGregorianCalendar();
         assertShadowFetchOperationCountIncrement(0);
-        assertPrismObjectCloneIncrement(63);
+        assertPrismObjectCloneIncrement(64);
         
 		PrismObject<UserType> userJack = getUser(USER_JACK_OID);
 		display("User after change execution", userJack);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPreviewChanges.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPreviewChanges.java
index 99b35736c7a..cb065e1674a 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPreviewChanges.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPreviewChanges.java
@@ -93,7 +93,7 @@ public class TestPreviewChanges extends AbstractInitializedModelIntegrationTest
 	
 	public static final File TEST_DIR = new File("src/test/resources/preview");
 
-	// YELLOW dummy resource has a STRICT dependency on default dummy resource
+	// LEMON dummy resource has a STRICT dependency on default dummy resource
 	protected static final File RESOURCE_DUMMY_LEMON_FILE = new File(TEST_DIR, "resource-dummy-lemon.xml");
 	protected static final String RESOURCE_DUMMY_LEMON_OID = "10000000-0000-0000-0000-000000000504";
 	protected static final String RESOURCE_DUMMY_LEMON_NAME = "lemon";
@@ -1264,7 +1264,7 @@ public void test620AddUserCapsize() throws Exception {
 		
 	}
 
-	// testing multiple resources with dependencies (dummy -> dummy yellow)
+	// testing multiple resources with dependencies (dummy -> dummy lemon)
 
 	@Test
 	public void test630AddUserRogers() throws Exception {
@@ -1298,7 +1298,7 @@ public void test630AddUserRogers() throws Exception {
 
 		ObjectDelta<UserType> userSecondaryDelta = focusContext.getSecondaryDelta();
 		// inbound from ship (explicitly specified) to organizationalUnit (dummy resource)
-		// inbound from gossip (computed via outbound) to description (yellow resource)
+		// inbound from gossip (computed via outbound) to description (lemon resource)
 		assertEffectualDeltas(userSecondaryDelta, "focus secondary delta", ActivationStatusType.ENABLED, 2);
 
 		PrismObject<UserType> finalUser = user.clone();
@@ -1328,10 +1328,10 @@ public void test630AddUserRogers() throws Exception {
 		PrismAsserts.assertNoItemDelta(accountSecondaryDelta,
 				getAttributePath(getDummyResourceObject(), DummyResourceContoller.DUMMY_ACCOUNT_ATTRIBUTE_FULLNAME_NAME));
 
-		// YELLOW dummy resource
+		// LEMON dummy resource
 		accContext = modelContext.findProjectionContext(
-				new ResourceShadowDiscriminator(RESOURCE_DUMMY_YELLOW_OID, ShadowKindType.ACCOUNT, null));
-		assertNotNull("Null model projection context (yellow)", accContext);
+				new ResourceShadowDiscriminator(RESOURCE_DUMMY_LEMON_OID, ShadowKindType.ACCOUNT, null));
+		assertNotNull("Null model projection context (lemon)", accContext);
 
 		assertEquals("Wrong policy decision", SynchronizationPolicyDecision.ADD, accContext.getSynchronizationPolicyDecision());
 		accountPrimaryDelta = accContext.getPrimaryDelta();
@@ -1339,7 +1339,7 @@ public void test630AddUserRogers() throws Exception {
 		PrismAsserts.assertIsAdd(accountPrimaryDelta);
 
 		accountSecondaryDelta = accContext.getSecondaryDelta();
-		assertNotNull("No account secondary delta (yellow)", accountSecondaryDelta);
+		assertNotNull("No account secondary delta (lemon)", accountSecondaryDelta);
 		// administrativeStatus (ENABLED), enableTimestamp, ship (from organizationalUnit), name, gossip, water, iteration, iterationToken, password/value
 		PrismAsserts.assertModifications(accountSecondaryDelta, 9);
 		PrismAsserts.assertPropertyReplace(accountSecondaryDelta,
diff --git a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
index d54db04abb9..668c5f50f74 100644
--- a/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
+++ b/model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
@@ -280,7 +280,9 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 	@Override
 	public void postInitSystem(Task initTask, OperationResult initResult) throws Exception {
 		super.postInitSystem(initTask, initResult);
-		dummyResourceCollection.resetResources();
+		if (dummyResourceCollection != null) {
+			dummyResourceCollection.resetResources();
+		}
 	}
 
 	protected void startResources() throws Exception {