From dc74de3b4435f0fb66f808330fa0ead9ff48e740 Mon Sep 17 00:00:00 2001
From: Richard Richter <richard.richter@evolveum.com>
Date: Thu, 21 May 2020 13:41:01 +0200
Subject: [PATCH 01/13] added ClusterRestController, migrated from
 ClusterRestService

---
 .../rest/impl/ClusterRestController.java      | 311 ++++++++++++++++++
 1 file changed, 311 insertions(+)
 create mode 100644 model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java

diff --git a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java
new file mode 100644
index 00000000000..431d1b49447
--- /dev/null
+++ b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java
@@ -0,0 +1,311 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.rest.impl;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.nio.file.Paths;
+import java.util.List;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.bind.annotation.*;
+
+import com.evolveum.midpoint.CacheInvalidationContext;
+import com.evolveum.midpoint.TerminateSessionEvent;
+import com.evolveum.midpoint.common.configuration.api.MidpointConfiguration;
+import com.evolveum.midpoint.model.api.ModelPublicConstants;
+import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipalManager;
+import com.evolveum.midpoint.model.impl.security.NodeAuthenticationToken;
+import com.evolveum.midpoint.repo.api.CacheDispatcher;
+import com.evolveum.midpoint.schema.constants.ObjectTypes;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.task.api.TaskConstants;
+import com.evolveum.midpoint.util.exception.SecurityViolationException;
+import com.evolveum.midpoint.xml.ns._public.common.api_types_3.TerminateSessionEventType;
+import com.evolveum.midpoint.xml.ns._public.common.api_types_3.UserSessionManagementListType;
+import com.evolveum.midpoint.xml.ns._public.common.api_types_3.UserSessionManagementType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SchedulerInformationType;
+
+/**
+ * REST service used for inter-cluster communication.
+ * <p>
+ * These methods are NOT to be called generally by clients.
+ * They are to be called internally by midPoint running on other cluster nodes.
+ * <p>
+ * So the usual form of authentication will be CLUSTER (a.k.a. node authentication).
+ * However, for diagnostic purposes we might allow also administrator access sometimes in the future.
+ */
+@RestController
+@RequestMapping("/cluster") // TODO: /ws/cluster
+public class ClusterRestController extends AbstractRestController {
+
+    public static final String CLASS_DOT = ClusterRestController.class.getName() + ".";
+
+    private static final String OPERATION_EXECUTE_CLUSTER_CACHE_INVALIDATION_EVENT = CLASS_DOT + "executeClusterCacheInvalidationEvent";
+    private static final String OPERATION_EXECUTE_CLUSTER_TERMINATE_SESSION_EVENT = CLASS_DOT + "executeClusterTerminateSessionEvent";
+    private static final String OPERATION_GET_LOCAL_SCHEDULER_INFORMATION = CLASS_DOT + "getLocalSchedulerInformation";
+    private static final String OPERATION_STOP_LOCAL_SCHEDULER = CLASS_DOT + "stopLocalScheduler";
+    private static final String OPERATION_START_LOCAL_SCHEDULER = CLASS_DOT + "startLocalScheduler";
+    private static final String OPERATION_STOP_LOCAL_TASK = CLASS_DOT + "stopLocalTask";
+
+    private static final String OPERATION_GET_REPORT_FILE = CLASS_DOT + "getReportFile";
+    private static final String OPERATION_DELETE_REPORT_FILE = CLASS_DOT + "deleteReportFile";
+
+    private static final String EXPORT_DIR = "export/";
+
+    public static final String EVENT_INVALIDATION = "/event/invalidation/";
+    public static final String EVENT_TERMINATE_SESSION = "/event/terminateSession/";
+    public static final String EVENT_LIST_USER_SESSION = "/event/listUserSession";
+
+    @Autowired private MidpointConfiguration midpointConfiguration;
+    @Autowired private GuiProfiledPrincipalManager focusProfileService;
+
+    @Autowired private CacheDispatcher cacheDispatcher;
+
+    public ClusterRestController() {
+        // nothing to do
+    }
+
+    @PostMapping(EVENT_INVALIDATION + "{type}")
+    public ResponseEntity<?> executeClusterCacheInvalidationEvent(
+            @PathVariable("type") String type) {
+        return executeClusterCacheInvalidationEvent(type, null);
+    }
+
+    @PostMapping(EVENT_INVALIDATION + "{type}/{oid}")
+    public ResponseEntity<?> executeClusterCacheInvalidationEvent(
+            @PathVariable("type") String type,
+            @PathVariable("oid") String oid) {
+        Task task = initRequest();
+        OperationResult result = createSubresult(task, OPERATION_EXECUTE_CLUSTER_CACHE_INVALIDATION_EVENT);
+
+        ResponseEntity<?> response;
+        try {
+            checkNodeAuthentication();
+
+            Class<? extends ObjectType> clazz = type != null ? ObjectTypes.getClassFromRestType(type) : null;
+
+            // clusterwide is false: we got this from another node so we don't need to redistribute it
+            cacheDispatcher.dispatchInvalidation(clazz, oid, false, new CacheInvalidationContext(true, null));
+
+            result.recordSuccess();
+            response = createResponse(HttpStatus.OK, result);
+        } catch (Throwable t) {
+            response = handleException(result, t);
+        }
+        finishRequest();
+        return response;
+    }
+
+    @PostMapping(EVENT_TERMINATE_SESSION)
+    public ResponseEntity<?> executeClusterTerminateSessionEvent(
+            @RequestBody TerminateSessionEventType event) {
+        Task task = initRequest();
+        OperationResult result = createSubresult(task, OPERATION_EXECUTE_CLUSTER_TERMINATE_SESSION_EVENT);
+
+        ResponseEntity<?> response;
+        try {
+            checkNodeAuthentication();
+
+            focusProfileService.terminateLocalSessions(TerminateSessionEvent.fromEventType(event));
+
+            result.recordSuccess();
+            response = createResponse(HttpStatus.OK, result);
+        } catch (Throwable t) {
+            response = handleException(result, t);
+        }
+        finishRequest();
+        return response;
+    }
+
+    @GetMapping(EVENT_LIST_USER_SESSION)
+    public ResponseEntity<?> listUserSession() {
+        Task task = initRequest();
+        OperationResult result = createSubresult(task, OPERATION_GET_LOCAL_SCHEDULER_INFORMATION);
+
+        ResponseEntity<?> response;
+        try {
+            checkNodeAuthentication();
+            List<UserSessionManagementType> principals = focusProfileService.getLocalLoggedInPrincipals();
+
+            UserSessionManagementListType list = new UserSessionManagementListType();
+            list.getSession().addAll(principals);
+
+            response = createResponse(HttpStatus.OK, list, result);
+        } catch (Throwable t) {
+            response = handleException(result, t);
+        }
+        result.computeStatus();
+        finishRequest();
+        return response;
+    }
+
+    @GetMapping(TaskConstants.GET_LOCAL_SCHEDULER_INFORMATION_REST_PATH)
+    public ResponseEntity<?> getLocalSchedulerInformation() {
+        Task task = initRequest();
+        OperationResult result = createSubresult(task, OPERATION_GET_LOCAL_SCHEDULER_INFORMATION);
+
+        ResponseEntity<?> response;
+        try {
+            checkNodeAuthentication();
+            SchedulerInformationType schedulerInformation = taskManager.getLocalSchedulerInformation(result);
+            response = createResponse(HttpStatus.OK, schedulerInformation, result);
+        } catch (Throwable t) {
+            response = handleException(result, t);
+        }
+        result.computeStatus();
+        finishRequest();
+        return response;
+    }
+
+    @PostMapping(TaskConstants.STOP_LOCAL_SCHEDULER_REST_PATH)
+    public ResponseEntity<?> stopLocalScheduler() {
+        Task task = initRequest();
+        OperationResult result = createSubresult(task, OPERATION_STOP_LOCAL_SCHEDULER);
+
+        ResponseEntity<?> response;
+        try {
+            checkNodeAuthentication();
+            taskManager.stopLocalScheduler(result);
+            response = createResponse(HttpStatus.OK, result);
+        } catch (Throwable t) {
+            response = handleException(result, t);
+        }
+        result.computeStatus();
+        finishRequest();
+        return response;
+    }
+
+    @PostMapping(TaskConstants.START_LOCAL_SCHEDULER_REST_PATH)
+    public ResponseEntity<?> startLocalScheduler() {
+        Task task = initRequest();
+        OperationResult result = createSubresult(task, OPERATION_START_LOCAL_SCHEDULER);
+
+        ResponseEntity<?> response;
+        try {
+            checkNodeAuthentication();
+            taskManager.startLocalScheduler(result);
+            response = createResponse(HttpStatus.OK, result);
+        } catch (Throwable t) {
+            response = handleException(result, t);
+        }
+        result.computeStatus();
+        finishRequest();
+        return response;
+    }
+
+    @PostMapping(TaskConstants.STOP_LOCAL_TASK_REST_PATH_PREFIX + "{oid}" + TaskConstants.STOP_LOCAL_TASK_REST_PATH_SUFFIX)
+    public ResponseEntity<?> stopLocalTask(@PathVariable("oid") String oid) {
+        Task task = initRequest();
+        OperationResult result = createSubresult(task, OPERATION_STOP_LOCAL_TASK);
+
+        ResponseEntity<?> response;
+        try {
+            checkNodeAuthentication();
+            taskManager.stopLocalTask(oid, result);
+            response = createResponse(HttpStatus.OK, result);
+        } catch (Throwable t) {
+            response = handleException(result, t);
+        }
+        result.computeStatus();
+        finishRequest();
+        return response;
+    }
+
+    @GetMapping(
+            value = ModelPublicConstants.CLUSTER_REPORT_FILE_PATH,
+            produces = "application/octet-stream")
+    public ResponseEntity<?> getReportFile(
+            @RequestParam(ModelPublicConstants.CLUSTER_REPORT_FILE_FILENAME_PARAMETER) String fileName) {
+        Task task = initRequest();
+        OperationResult result = createSubresult(task, OPERATION_GET_REPORT_FILE);
+
+        ResponseEntity<?> response;
+        try {
+            checkNodeAuthentication();
+            FileResolution resolution = resolveFile(fileName);
+            if (resolution.status == null) {
+                // we are only interested in the content, not in its type nor length
+                // TODO how to test this?
+                response = ResponseEntity.ok(new FileInputStream(resolution.file));
+            } else {
+                response = ResponseEntity.status(resolution.status).build();
+            }
+            result.computeStatus();
+        } catch (Throwable t) {
+            response = handleException(null, t); // we don't return the operation result
+        }
+        finishRequest();
+        return response;
+    }
+
+    @DeleteMapping(ModelPublicConstants.CLUSTER_REPORT_FILE_PATH)
+    public ResponseEntity<?> deleteReportFile(
+            @RequestParam(ModelPublicConstants.CLUSTER_REPORT_FILE_FILENAME_PARAMETER) String fileName) {
+        Task task = initRequest();
+        OperationResult result = createSubresult(task, OPERATION_DELETE_REPORT_FILE);
+
+        ResponseEntity<?> response;
+        try {
+            checkNodeAuthentication();
+            FileResolution resolution = resolveFile(fileName);
+            if (resolution.status == null) {
+                if (!resolution.file.delete()) {
+                    logger.warn("Couldn't delete report output file {}", resolution.file);
+                }
+                response = ResponseEntity.ok().build();
+            } else {
+                response = ResponseEntity.status(resolution.status).build();
+            }
+            result.computeStatus();
+        } catch (Throwable t) {
+            response = handleException(null, t); // we don't return the operation result
+        }
+        finishRequest();
+        return response;
+    }
+
+    static class FileResolution {
+        File file;
+        HttpStatus status;
+    }
+
+    private FileResolution resolveFile(String fileName) {
+        FileResolution rv = new FileResolution();
+        rv.file = Paths.get(midpointConfiguration.getMidpointHome(), EXPORT_DIR, fileName).toFile();
+
+        if (forbiddenFileName(fileName)) {
+            logger.warn("File name '{}' is forbidden", fileName);
+            rv.status = HttpStatus.FORBIDDEN;
+        } else if (!rv.file.exists()) {
+            logger.warn("Report output file '{}' does not exist", rv.file);
+            rv.status = HttpStatus.NOT_FOUND;
+        } else if (rv.file.isDirectory()) {
+            logger.warn("Report output file '{}' is a directory", rv.file);
+            rv.status = HttpStatus.FORBIDDEN;
+        }
+        return rv;
+    }
+
+    private boolean forbiddenFileName(String fileName) {
+        return fileName.contains("/../");
+    }
+
+    private void checkNodeAuthentication() throws SecurityViolationException {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if (!(authentication instanceof NodeAuthenticationToken)) {
+            throw new SecurityViolationException("Node authentication is expected but not present");
+        }
+        // TODO consider allowing administrator access here as well
+    }
+}

From 1687f4831ef719d8bc90e509ad22730faaf45e73 Mon Sep 17 00:00:00 2001
From: Richard Richter <richard.richter@evolveum.com>
Date: Thu, 21 May 2020 13:41:39 +0200
Subject: [PATCH 02/13] AbstractRestController: removed import of
 ModelRestService constant

---
 .../evolveum/midpoint/rest/impl/AbstractRestController.java   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java
index 219d40a8a15..fdcc7fea614 100644
--- a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java
+++ b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java
@@ -14,7 +14,6 @@
 import com.evolveum.midpoint.audit.api.AuditEventStage;
 import com.evolveum.midpoint.audit.api.AuditEventType;
 import com.evolveum.midpoint.audit.api.AuditService;
-import com.evolveum.midpoint.model.impl.ModelRestService;
 import com.evolveum.midpoint.model.impl.security.SecurityHelper;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
@@ -36,6 +35,7 @@
 class AbstractRestController {
 
     protected final Trace logger = TraceManager.getTrace(getClass());
+
     private final String opNamePrefix = getClass().getName() + ".";
 
     @Autowired protected AuditService auditService;
@@ -44,7 +44,7 @@ class AbstractRestController {
 
     protected Task initRequest() {
         // No need to audit login. it was already audited during authentication
-        Task task = taskManager.createTaskInstance(ModelRestService.OPERATION_REST_SERVICE);
+        Task task = taskManager.createTaskInstance(opNamePrefix + "restService");
         task.setChannel(SchemaConstants.CHANNEL_REST_URI);
         return task;
     }

From 45c1b3c039e1b9970a241f46df8dfb643191f37d Mon Sep 17 00:00:00 2001
From: Richard Richter <richard.richter@evolveum.com>
Date: Fri, 22 May 2020 13:07:15 +0200
Subject: [PATCH 03/13] AbstractSpringBootApplication.java: removing cxfServlet
 + cleanup

---
 gui/admin-gui/pom.xml                         |  4 ---
 .../boot/AbstractSpringBootApplication.java   | 29 ++-----------------
 2 files changed, 2 insertions(+), 31 deletions(-)

diff --git a/gui/admin-gui/pom.xml b/gui/admin-gui/pom.xml
index 364faef3c7a..e3ccd05a572 100644
--- a/gui/admin-gui/pom.xml
+++ b/gui/admin-gui/pom.xml
@@ -81,10 +81,6 @@
             <artifactId>spring-boot-starter-security</artifactId>
             <scope>runtime</scope>
         </dependency>
-        <dependency>
-            <groupId>org.apache.cxf</groupId>
-            <artifactId>cxf-rt-transports-http</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.apache.cxf</groupId>
             <artifactId>cxf-core</artifactId>
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/boot/AbstractSpringBootApplication.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/boot/AbstractSpringBootApplication.java
index 66eedb9783f..00c5c2a6451 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/boot/AbstractSpringBootApplication.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/boot/AbstractSpringBootApplication.java
@@ -8,7 +8,6 @@
 
 import javax.servlet.DispatcherType;
 
-import org.apache.cxf.transport.servlet.CXFServlet;
 import org.apache.wicket.Application;
 import org.apache.wicket.protocol.http.WicketFilter;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -21,11 +20,7 @@
 import org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfiguration;
 import org.springframework.boot.actuate.autoconfigure.management.HeapDumpWebEndpointAutoConfiguration;
 import org.springframework.boot.actuate.autoconfigure.management.ThreadDumpEndpointAutoConfiguration;
-import org.springframework.boot.actuate.autoconfigure.metrics.CompositeMeterRegistryAutoConfiguration;
-import org.springframework.boot.actuate.autoconfigure.metrics.JvmMetricsAutoConfiguration;
-import org.springframework.boot.actuate.autoconfigure.metrics.MetricsAutoConfiguration;
-import org.springframework.boot.actuate.autoconfigure.metrics.MetricsEndpointAutoConfiguration;
-import org.springframework.boot.actuate.autoconfigure.metrics.SystemMetricsAutoConfiguration;
+import org.springframework.boot.actuate.autoconfigure.metrics.*;
 import org.springframework.boot.actuate.autoconfigure.metrics.export.simple.SimpleMetricsExportAutoConfiguration;
 import org.springframework.boot.actuate.autoconfigure.metrics.web.servlet.WebMvcMetricsAutoConfiguration;
 import org.springframework.boot.actuate.autoconfigure.metrics.web.tomcat.TomcatMetricsAutoConfiguration;
@@ -41,25 +36,20 @@
 import org.springframework.boot.web.server.ErrorPageRegistrar;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
-import org.springframework.boot.web.servlet.ServletRegistrationBean;
 import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.web.context.request.RequestContextListener;
 import org.springframework.web.filter.DelegatingFilterProxy;
+import ro.isdc.wro.http.WroFilter;
 
 import com.evolveum.midpoint.init.StartupConfiguration;
 import com.evolveum.midpoint.model.api.authentication.NodeAuthenticationEvaluator;
-import com.evolveum.midpoint.util.logging.Trace;
-import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.web.util.MidPointProfilingServletFilter;
 
-import ro.isdc.wro.http.WroFilter;
-
 /**
  * @author katka
- *
  */
 @ImportAutoConfiguration(classes = {
         EmbeddedTomcatAutoConfiguration.class,
@@ -91,12 +81,9 @@
 })
 public abstract class AbstractSpringBootApplication extends SpringBootServletInitializer {
 
-    private static final Trace LOGGER = TraceManager.getTrace(MidPointSpringApplication.class);
-
     @Autowired StartupConfiguration startupConfiguration;
     @Autowired NodeAuthenticationEvaluator nodeAuthenticator;
 
-
     @Bean
     public ServletListenerRegistrationBean<RequestContextListener> requestContextListener() {
         return new ServletListenerRegistrationBean<>(new RequestContextListener());
@@ -106,7 +93,6 @@ public ServletListenerRegistrationBean<RequestContextListener> requestContextLis
     public FilterRegistrationBean<MidPointProfilingServletFilter> midPointProfilingServletFilter() {
         FilterRegistrationBean<MidPointProfilingServletFilter> registration = new FilterRegistrationBean<>();
         registration.setFilter(new MidPointProfilingServletFilter());
-        //            registration.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
         registration.addUrlPatterns("/*");
         return registration;
     }
@@ -144,17 +130,6 @@ public FilterRegistrationBean<WroFilter> webResourceOptimizer(WroFilter wroFilte
         return registration;
     }
 
-    @Bean
-    public ServletRegistrationBean<CXFServlet> cxfServlet() {
-        ServletRegistrationBean<CXFServlet> registration = new ServletRegistrationBean<>();
-        registration.setServlet(new CXFServlet());
-        registration.addInitParameter("service-list-path", "midpointservices");
-        registration.setLoadOnStartup(1);
-        registration.addUrlMappings("/model/*", "/ws/*");
-
-        return registration;
-    }
-
     @Bean
     public ErrorPageRegistrar errorPageRegistrar() {
         return new MidPointErrorPageRegistrar();

From 3d3efc17ecfc62eb1d4d75752514d9430909299e Mon Sep 17 00:00:00 2001
From: Richard Richter <richard.richter@evolveum.com>
Date: Fri, 22 May 2020 13:09:32 +0200
Subject: [PATCH 04/13] admin-gui: mapping for rest on /ws, but also /rest or
 /api

---
 .../web/security/BasicWebSecurityConfig.java  | 75 +++---------------
 .../midpoint/web/security/PageUrlMapping.java | 79 ++++++++-----------
 .../web/security/util/SecurityUtils.java      | 12 +--
 3 files changed, 55 insertions(+), 111 deletions(-)

diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/BasicWebSecurityConfig.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/BasicWebSecurityConfig.java
index b7f2e2900fa..f0936ad47e5 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/BasicWebSecurityConfig.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/BasicWebSecurityConfig.java
@@ -6,33 +6,19 @@
  */
 package com.evolveum.midpoint.web.security;
 
-import com.evolveum.midpoint.model.common.SystemObjectCache;
-import com.evolveum.midpoint.schema.result.OperationResult;
-import com.evolveum.midpoint.schema.util.SystemConfigurationTypeUtil;
-import com.evolveum.midpoint.security.api.SecurityContextManager;
-import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
-import com.evolveum.midpoint.task.api.TaskManager;
-import com.evolveum.midpoint.util.exception.SchemaException;
-import com.evolveum.midpoint.util.logging.Trace;
-import com.evolveum.midpoint.util.logging.TraceManager;
-import com.evolveum.midpoint.web.security.factory.channel.AuthChannelRegistryImpl;
-import com.evolveum.midpoint.web.security.factory.module.AuthModuleRegistryImpl;
-import com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter;
-import com.evolveum.midpoint.web.security.filter.MidpointRequestAttributeAuthenticationFilter;
-import com.evolveum.midpoint.web.security.filter.configurers.AuthFilterConfigurer;
-import org.jasig.cas.client.session.SingleSignOutFilter;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.UUID;
+
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Profile;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
-import org.springframework.security.cas.web.CasAuthenticationFilter;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
@@ -42,18 +28,16 @@
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
-import org.springframework.security.web.authentication.logout.LogoutFilter;
-import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
-import org.springframework.security.web.authentication.preauth.RequestAttributeAuthenticationFilter;
 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 import org.springframework.security.web.session.HttpSessionEventPublisher;
-import org.springframework.security.web.util.matcher.RequestMatcher;
-import org.springframework.util.AntPathMatcher;
 
-import javax.servlet.http.HttpServletRequest;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.UUID;
+import com.evolveum.midpoint.security.api.SecurityContextManager;
+import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
+import com.evolveum.midpoint.task.api.TaskManager;
+import com.evolveum.midpoint.web.security.factory.channel.AuthChannelRegistryImpl;
+import com.evolveum.midpoint.web.security.factory.module.AuthModuleRegistryImpl;
+import com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter;
+import com.evolveum.midpoint.web.security.filter.configurers.AuthFilterConfigurer;
 
 /**
  * @author skublik
@@ -63,20 +47,12 @@
 @EnableWebSecurity
 public class BasicWebSecurityConfig extends WebSecurityConfigurerAdapter {
 
-    private static final Trace LOGGER = TraceManager.getTrace(BasicWebSecurityConfig.class);
-
     @Autowired
     private AuthModuleRegistryImpl authRegistry;
 
     @Autowired
     AuthChannelRegistryImpl authChannelRegistry;
 
-    @Autowired
-    private AuthenticationManager authenticationManager;
-
-    @Autowired
-    private SystemObjectCache systemObjectCache;
-
     @Autowired
     private SessionRegistry sessionRegistry;
 
@@ -94,8 +70,8 @@ public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcess
 
     @Bean
     public MidPointGuiAuthorizationEvaluator accessDecisionManager(SecurityEnforcer securityEnforcer,
-                                                                   SecurityContextManager securityContextManager,
-                                                                   TaskManager taskManager) {
+            SecurityContextManager securityContextManager,
+            TaskManager taskManager) {
         return new MidPointGuiAuthorizationEvaluator(securityEnforcer, securityContextManager, taskManager);
     }
 
@@ -132,30 +108,6 @@ public void configure(WebSecurity web) throws Exception {
         // Web (SOAP) services
         web.ignoring().antMatchers("/model/**");
 
-        // REST service
-        web.ignoring().requestMatchers(new RequestMatcher() {
-            @Override
-            public boolean matches(HttpServletRequest httpServletRequest) {
-                AntPathMatcher mather = new AntPathMatcher();
-                boolean isExperimentalEnabled = false;
-                try {
-                    isExperimentalEnabled = SystemConfigurationTypeUtil.isExperimentalCodeEnabled(
-                            systemObjectCache.getSystemConfiguration(new OperationResult("Load System Config")).asObjectable());
-                } catch (SchemaException e) {
-                    LOGGER.error("Couldn't load system configuration", e);
-                }
-                if (isExperimentalEnabled
-                        && mather.match("/ws/rest/**", httpServletRequest.getRequestURI().substring(httpServletRequest.getContextPath().length()))) {
-                    return false;
-                }
-                if (mather.match("/ws/**", httpServletRequest.getRequestURI().substring(httpServletRequest.getContextPath().length()))) {
-                    return true;
-                }
-                return false;
-            }
-        });
-        web.ignoring().antMatchers("/rest/**");
-
         // Special intra-cluster service to download and delete report outputs
         web.ignoring().antMatchers("/report");
 
@@ -175,7 +127,6 @@ public boolean matches(HttpServletRequest httpServletRequest) {
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
-
         AnonymousAuthenticationFilter anonymousFilter = new MidpointAnonymousAuthenticationFilter(authRegistry, authChannelRegistry, UUID.randomUUID().toString(), "anonymousUser",
                 AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
 
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/PageUrlMapping.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/PageUrlMapping.java
index 81141c75875..5e8f8681756 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/PageUrlMapping.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/PageUrlMapping.java
@@ -7,17 +7,17 @@
 
 package com.evolveum.midpoint.web.security;
 
+import static com.evolveum.midpoint.security.api.AuthorizationConstants.*;
+
 import com.evolveum.midpoint.util.DisplayableValue;
 import com.evolveum.midpoint.web.application.AuthorizationActionValue;
 
-import static com.evolveum.midpoint.security.api.AuthorizationConstants.*;
-
 /**
  * @author lazyman
  */
 public enum PageUrlMapping {
 
-    ADMIN_USER_DETAILS("/admin/user/**", new DisplayableValue[]{
+    ADMIN_USER_DETAILS("/admin/user/**",
             new AuthorizationActionValue(AUTZ_UI_USER_DETAILS_URL,
                     "PageAdminUsers.authUri.userDetails.label", "PageAdminUsers.authUri.userDetails.description"),
             new AuthorizationActionValue(AUTZ_UI_USERS_ALL_URL,
@@ -25,9 +25,8 @@ public enum PageUrlMapping {
             new AuthorizationActionValue(AUTZ_GUI_ALL_URL,
                     "PageAdminUsers.authUri.usersAll.label", "PageAdminUsers.authUri.guiAll.description"),
             new AuthorizationActionValue(AUTZ_GUI_ALL_DEPRECATED_URL,
-                    "PageAdminUsers.authUri.usersAll.label", "PageAdminUsers.authUri.guiAll.description")
-    }),
-    TASK_DETAILS("/admin/task/**", new DisplayableValue[]{
+                    "PageAdminUsers.authUri.usersAll.label", "PageAdminUsers.authUri.guiAll.description")),
+    TASK_DETAILS("/admin/task/**",
             new AuthorizationActionValue(AUTZ_UI_TASK_DETAIL_URL,
                     "PageAdminTasks.authUri.taskDetails.label", "PageAdminTasks.authUri.taskDetails.description"),
             new AuthorizationActionValue(AUTZ_UI_TASKS_ALL_URL,
@@ -35,9 +34,8 @@ public enum PageUrlMapping {
             new AuthorizationActionValue(AUTZ_GUI_ALL_URL,
                     "PageAdminTasks.authUri.tasksAll.label", "PageAdminTasks.authUri.guiAll.description"),
             new AuthorizationActionValue(AUTZ_GUI_ALL_DEPRECATED_URL,
-                    "PageAdminTasks.authUri.tasksAll.label", "PageAdminTasks.authUri.guiAll.description")
-    }),
-    ROLE_DETAILS("/admin/role/**", new DisplayableValue[]{
+                    "PageAdminTasks.authUri.tasksAll.label", "PageAdminTasks.authUri.guiAll.description")),
+    ROLE_DETAILS("/admin/role/**",
             new AuthorizationActionValue(AUTZ_UI_ROLE_DETAILS_URL,
                     "PageAdminRoles.authUri.roleDetails.label", "PageAdminRoles.authUri.roleDetails.description"),
             new AuthorizationActionValue(AUTZ_UI_ROLES_ALL_URL,
@@ -45,9 +43,8 @@ public enum PageUrlMapping {
             new AuthorizationActionValue(AUTZ_GUI_ALL_URL,
                     "PageAdminRoles.authUri.rolesAll.label", "PageAdminRoles.authUri.guiAll.description"),
             new AuthorizationActionValue(AUTZ_GUI_ALL_DEPRECATED_URL,
-                    "PageAdminRoles.authUri.rolesAll.label", "PageAdminRoles.authUri.guiAll.description")
-    }),
-    RESOURCE_DETAILS("/admin/resource/**", new DisplayableValue[]{
+                    "PageAdminRoles.authUri.rolesAll.label", "PageAdminRoles.authUri.guiAll.description")),
+    RESOURCE_DETAILS("/admin/resource/**",
             new AuthorizationActionValue(AUTZ_UI_RESOURCE_DETAILS_URL,
                     "PageAdminResources.authUri.resourceDetails.label", "PageAdminResources.authUri.resourceDetails.description"),
             new AuthorizationActionValue(AUTZ_UI_RESOURCES_ALL_URL,
@@ -55,9 +52,8 @@ public enum PageUrlMapping {
             new AuthorizationActionValue(AUTZ_GUI_ALL_URL,
                     "PageAdminRoles.authUri.rolesAll.label", "PageAdminRoles.authUri.guiAll.description"),
             new AuthorizationActionValue(AUTZ_GUI_ALL_DEPRECATED_URL,
-                    "PageAdminRoles.authUri.rolesAll.label", "PageAdminRoles.authUri.guiAll.description")
-    }),
-    CASE_DETAILS("/admin/workItem/**", new DisplayableValue[]{
+                    "PageAdminRoles.authUri.rolesAll.label", "PageAdminRoles.authUri.guiAll.description")),
+    CASE_DETAILS("/admin/workItem/**",
             new AuthorizationActionValue(AUTZ_UI_WORK_ITEM_URL,
                     "PageCaseWorkItem.authUri.workItemDetails.label", "PageCaseWorkItem.authUri.workItemDetails.description"),
             new AuthorizationActionValue(AUTZ_UI_WORK_ITEMS_ALL_URL,
@@ -65,46 +61,41 @@ public enum PageUrlMapping {
             new AuthorizationActionValue(AUTZ_GUI_ALL_URL,
                     "PageCaseWorkItems.authUri.guiAll.label", "PageAdminRoles.authUri.guiAll.description"),
             new AuthorizationActionValue(AUTZ_GUI_ALL_DEPRECATED_URL,
-                    "PageCaseWorkItems.authUri.guiAll.label", "PageAdminRoles.authUri.guiAll.description")
-    }),
-    ACTUATOR("/actuator/**", new DisplayableValue[]{
+                    "PageCaseWorkItems.authUri.guiAll.label", "PageAdminRoles.authUri.guiAll.description")),
+    ACTUATOR("/actuator/**",
             new AuthorizationActionValue(AUTZ_ACTUATOR_ALL_URL,
-                    "ActuatorEndpoint.authActuator.all.label", "ActuatorEndpoint.authActuator.all.description")
-    }),
-    ACTUATOR_THREAD_DUMP("/actuator/threaddump", new DisplayableValue[]{
+                    "ActuatorEndpoint.authActuator.all.label", "ActuatorEndpoint.authActuator.all.description")),
+    ACTUATOR_THREAD_DUMP("/actuator/threaddump",
             new AuthorizationActionValue(AUTZ_ACTUATOR_THREAD_DUMP_URL,
-                    "ActuatorEndpoint.authActuator.threadDump.label", "ActuatorEndpoint.authActuator.threadDump.description")
-    }),
-    ACTUATOR_HEAP_DUMP("/actuator/heapdump", new DisplayableValue[]{
+                    "ActuatorEndpoint.authActuator.threadDump.label", "ActuatorEndpoint.authActuator.threadDump.description")),
+    ACTUATOR_HEAP_DUMP("/actuator/heapdump",
             new AuthorizationActionValue(AUTZ_ACTUATOR_HEAP_DUMP_URL,
-                    "ActuatorEndpoint.authActuator.heapDump.label", "ActuatorEndpoint.authActuator.heapDump.description")
-    }),
-    ACTUATOR_ENV("/actuator/env/**", new DisplayableValue[]{
+                    "ActuatorEndpoint.authActuator.heapDump.label", "ActuatorEndpoint.authActuator.heapDump.description")),
+    ACTUATOR_ENV("/actuator/env/**",
             new AuthorizationActionValue(AUTZ_ACTUATOR_ENV_URL,
-                    "ActuatorEndpoint.authActuator.env.label", "ActuatorEndpoint.authActuator.env.description")
-    }),
-    ACTUATOR_INFO("/actuator/info", new DisplayableValue[]{
+                    "ActuatorEndpoint.authActuator.env.label", "ActuatorEndpoint.authActuator.env.description")),
+    ACTUATOR_INFO("/actuator/info",
             new AuthorizationActionValue(AUTZ_ACTUATOR_INFO_URL,
-                    "ActuatorEndpoint.authActuator.info.label", "ActuatorEndpoint.authActuator.info.description")
-    }),
-    ACTUATOR_METRICS("/actuator/metrics/**", new DisplayableValue[]{
+                    "ActuatorEndpoint.authActuator.info.label", "ActuatorEndpoint.authActuator.info.description")),
+    ACTUATOR_METRICS("/actuator/metrics/**",
             new AuthorizationActionValue(AUTZ_ACTUATOR_METRICS_URL,
-                    "ActuatorEndpoint.authActuator.metrics.label", "ActuatorEndpoint.authActuator.metrics.description")
-    }),
-    REST("/ws/rest/**", new DisplayableValue[]{
+                    "ActuatorEndpoint.authActuator.metrics.label", "ActuatorEndpoint.authActuator.metrics.description")),
+    REST("/ws/**",
+            new AuthorizationActionValue(AUTZ_REST_ALL_URL,
+                    "RestEndpoint.authRest.all.label", "RestEndpoint.authRest.all.description")),
+    REST2("/rest/**",
             new AuthorizationActionValue(AUTZ_REST_ALL_URL,
-                    "RestEndpoint.authRest.all.label", "RestEndpoint.authRest.all.description")
-    }),
-    REST2("/rest2/**", new DisplayableValue[]{
+                    "RestEndpoint.authRest.all.label", "RestEndpoint.authRest.all.description")),
+    REST3("/api/**",
             new AuthorizationActionValue(AUTZ_REST_ALL_URL,
-                    "RestEndpoint.authRest.all.label", "RestEndpoint.authRest.all.description")
-    });
+                    "RestEndpoint.authRest.all.label", "RestEndpoint.authRest.all.description"));
 
-    private String url;
+    private final String url;
 
-    private DisplayableValue[] action;
+    // final, but array is still mutable
+    private final DisplayableValue[] action;
 
-    private PageUrlMapping(String url, DisplayableValue[] action) {
+    PageUrlMapping(String url, DisplayableValue... action) {
         this.url = url;
         this.action = action;
     }
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/util/SecurityUtils.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/util/SecurityUtils.java
index 30a9105556a..98cf28ecfd7 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/util/SecurityUtils.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/util/SecurityUtils.java
@@ -87,8 +87,9 @@ public static GuiProfiledPrincipal getPrincipalUser() {
 
     static {
         Map<String, String> map = new HashMap<>();
-        map.put("ws/rest", SchemaConstants.CHANNEL_REST_URI);
-        map.put("rest2", SchemaConstants.CHANNEL_REST_URI);
+        map.put("ws", SchemaConstants.CHANNEL_REST_URI);
+        map.put("rest", SchemaConstants.CHANNEL_REST_URI);
+        map.put("api", SchemaConstants.CHANNEL_REST_URI);
         map.put("actuator", SchemaConstants.CHANNEL_ACTUATOR_URI);
         map.put("resetPassword", SchemaConstants.CHANNEL_GUI_RESET_PASSWORD_URI);
         map.put("registration", SchemaConstants.CHANNEL_GUI_SELF_REGISTRATION_URI);
@@ -198,7 +199,7 @@ public static AuthenticationSequenceType getSequenceByPath(HttpServletRequest ht
         if (partsOfLocalPath.length >= 2 && partsOfLocalPath[0].equals(ModuleWebSecurityConfigurationImpl.DEFAULT_PREFIX_OF_MODULE)) {
             AuthenticationSequenceType sequence = searchSequence(partsOfLocalPath[1], false, authenticationPolicy);
             if (sequence == null) {
-                LOGGER.debug("Couldn't find sequence by preffix {}, so try default channel", partsOfLocalPath[1]);
+                LOGGER.debug("Couldn't find sequence by prefix {}, so try default channel", partsOfLocalPath[1]);
                 sequence = searchSequence(SecurityPolicyUtil.DEFAULT_CHANNEL, true, authenticationPolicy);
             }
             return sequence;
@@ -240,7 +241,8 @@ public static String findChannelByRequest(HttpServletRequest httpRequest) {
     private static AuthenticationSequenceType getSpecificSequence(HttpServletRequest httpRequest) {
         String localePath = httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
         String channel = searchChannelByPath(localePath);
-        if (LOCAL_PATH_AND_CHANNEL.get("ws/rest").equals(channel)) {
+        // TODO: what exactly does this do, can't it be channel.equals(SchemaConstants.CHANNEL_REST_URI)?
+        if (LOCAL_PATH_AND_CHANNEL.get("ws").equals(channel)) {
             String header = httpRequest.getHeader("Authorization");
             if (header != null) {
                 String type = header.split(" ")[0];
@@ -333,7 +335,7 @@ private static List<AuthModule> getSpecificModuleFilter(String urlSuffix, HttpSe
             AuthenticationModulesType authenticationModulesType, CredentialsPolicyType credentialPolicy) {
         String localePath = httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
         String channel = searchChannelByPath(localePath);
-        if (LOCAL_PATH_AND_CHANNEL.get("ws/rest").equals(channel)) {
+        if (LOCAL_PATH_AND_CHANNEL.get("ws").equals(channel)) {
             String header = httpRequest.getHeader("Authorization");
             if (header != null) {
                 String type = header.split(" ")[0];

From 03cd3a7f155393b07f5f52848d7302e973395414 Mon Sep 17 00:00:00 2001
From: Richard Richter <richard.richter@evolveum.com>
Date: Fri, 22 May 2020 13:12:03 +0200
Subject: [PATCH 05/13] added ClusterServiceConsts.java with shared consts for
 service+client

---
 .../model/impl/ClusterCacheListener.java      | 22 ++++++++--------
 .../model/impl/ClusterServiceConsts.java      | 11 ++++++++
 .../ClusterwideUserSessionManagerImpl.java    | 25 ++++++++++---------
 3 files changed, 34 insertions(+), 24 deletions(-)
 create mode 100644 model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ClusterServiceConsts.java

diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ClusterCacheListener.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ClusterCacheListener.java
index 787f7af9099..22ddd153323 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ClusterCacheListener.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ClusterCacheListener.java
@@ -6,28 +6,26 @@
  */
 package com.evolveum.midpoint.model.impl;
 
+import javax.annotation.PostConstruct;
+import javax.ws.rs.core.Response;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+
 import com.evolveum.midpoint.CacheInvalidationContext;
-import com.evolveum.midpoint.TerminateSessionEvent;
 import com.evolveum.midpoint.model.impl.security.NodeAuthenticationToken;
 import com.evolveum.midpoint.repo.api.CacheDispatcher;
-import com.evolveum.midpoint.repo.api.CacheInvalidationDetails;
 import com.evolveum.midpoint.repo.api.CacheListener;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.ClusterExecutionHelper;
-import com.evolveum.midpoint.task.api.ClusterExecutionOptions;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.stereotype.Component;
-
-import javax.annotation.PostConstruct;
-import javax.ws.rs.core.Response;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 
 @Component
 public class ClusterCacheListener implements CacheListener {
@@ -59,7 +57,7 @@ public <O extends ObjectType> void invalidate(Class<O> type, String oid, boolean
         // Regular cache invalidation can be skipped for nodes not checking in. Cache entries will expire on such nodes
         // eventually. (We can revisit this design decision if needed.)
         clusterExecutionHelper.execute((client, node, result1) -> {
-            client.path(ClusterRestService.EVENT_INVALIDATION +
+            client.path(ClusterServiceConsts.EVENT_INVALIDATION +
                     ObjectTypes.getRestTypeFromClass(type) + (oid != null ? "/" + oid : ""));
             Response response = client.post(null);
             Response.StatusType statusInfo = response.getStatusInfo();
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ClusterServiceConsts.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ClusterServiceConsts.java
new file mode 100644
index 00000000000..fcf8e24c812
--- /dev/null
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ClusterServiceConsts.java
@@ -0,0 +1,11 @@
+package com.evolveum.midpoint.model.impl;
+
+/**
+ * URL pattern constants shared by cluster client and REST service.
+ */
+public class ClusterServiceConsts {
+
+    public static final String EVENT_INVALIDATION = "/event/invalidation/";
+    public static final String EVENT_TERMINATE_SESSION = "/event/terminateSession/";
+    public static final String EVENT_LIST_USER_SESSION = "/event/listUserSession";
+}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/ClusterwideUserSessionManagerImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/ClusterwideUserSessionManagerImpl.java
index cef48ef0284..e30b3690eff 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/ClusterwideUserSessionManagerImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/ClusterwideUserSessionManagerImpl.java
@@ -7,10 +7,20 @@
 
 package com.evolveum.midpoint.model.impl.security;
 
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import javax.ws.rs.core.Response;
+
+import org.jetbrains.annotations.NotNull;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
 import com.evolveum.midpoint.TerminateSessionEvent;
 import com.evolveum.midpoint.model.api.authentication.ClusterwideUserSessionManager;
 import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipalManager;
-import com.evolveum.midpoint.model.impl.ClusterRestService;
+import com.evolveum.midpoint.model.impl.ClusterServiceConsts;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.ClusterExecutionHelper;
 import com.evolveum.midpoint.task.api.ClusterExecutionOptions;
@@ -20,15 +30,6 @@
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.UserSessionManagementListType;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.UserSessionManagementType;
-import org.jetbrains.annotations.NotNull;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Component;
-
-import javax.ws.rs.core.Response;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.stream.Collectors;
 
 /**
  * Takes care for clusterwide user session management.
@@ -49,7 +50,7 @@ public void terminateSessions(TerminateSessionEvent terminateSessionEvent, Task
         // We try to invoke this call also on nodes that are in transition. It is quite important
         // that terminate session is executed on as wide scale as realistically possible.
         clusterExecutionHelper.execute((client, node, result1) -> {
-            client.path(ClusterRestService.EVENT_TERMINATE_SESSION);
+            client.path(ClusterServiceConsts.EVENT_TERMINATE_SESSION);
             Response response = client.post(terminateSessionEvent.toEventType());
             LOGGER.info("Remote-node user session termination finished on {} with status {}, {}", node.getNodeIdentifier(),
                     response.getStatusInfo().getStatusCode(), response.getStatusInfo().getReasonPhrase());
@@ -69,7 +70,7 @@ public List<UserSessionManagementType> getLoggedInPrincipals(Task task, Operatio
         // We try to invoke this call also on nodes that are in transition. We want to get
         // information as complete as realistically possible.
         clusterExecutionHelper.execute((client, node, result1) -> {
-            client.path(ClusterRestService.EVENT_LIST_USER_SESSION);
+            client.path(ClusterServiceConsts.EVENT_LIST_USER_SESSION);
             Response response = client.get();
             LOGGER.info("Remote-node retrieval of user sessions finished on {} with status {}, {}", node.getNodeIdentifier(),
                     response.getStatusInfo().getStatusCode(), response.getStatusInfo().getReasonPhrase());

From b70c95581cbf245da105943dec0628b7a3a49a33 Mon Sep 17 00:00:00 2001
From: Richard Richter <richard.richter@evolveum.com>
Date: Fri, 22 May 2020 13:15:05 +0200
Subject: [PATCH 06/13] ctx-model.xml: removed /ws mappings and all traces of
 jaxrs

---
 .../src/main/resources/ctx-model.xml          | 54 +------------------
 1 file changed, 2 insertions(+), 52 deletions(-)

diff --git a/model/model-impl/src/main/resources/ctx-model.xml b/model/model-impl/src/main/resources/ctx-model.xml
index c367c974e66..8e517b8d8c7 100644
--- a/model/model-impl/src/main/resources/ctx-model.xml
+++ b/model/model-impl/src/main/resources/ctx-model.xml
@@ -10,15 +10,11 @@
 <beans xmlns="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:context="http://www.springframework.org/schema/context"
-        xmlns:jaxrs="http://cxf.apache.org/jaxrs"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
             http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
             http://www.springframework.org/schema/context
-            http://www.springframework.org/schema/context/spring-context-3.0.xsd
-            http://cxf.apache.org/jaxrs
-            http://cxf.apache.org/schemas/jaxrs.xsd"
-        default-lazy-init="false"
-        default-autowire="byName">
+            http://www.springframework.org/schema/context/spring-context-3.0.xsd"
+        default-lazy-init="false">
 
     <!-- enabling annotation driven configuration -->
     <context:annotation-config/>
@@ -227,7 +223,6 @@
                     <value type="java.lang.Class">com.evolveum.midpoint.model.impl.sync.action.InactivateFocusAction</value>
                 </entry>
 
-
                 <!-- DEPRECATED. for compatibility only. -->
                 <entry key="http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount">
                     <value type="java.lang.Class">com.evolveum.midpoint.model.impl.sync.action.LinkAction</value>
@@ -256,16 +251,6 @@
                 <entry key="http://midpoint.evolveum.com/xml/ns/public/model/action-3#disableUser">
                     <value type="java.lang.Class">com.evolveum.midpoint.model.impl.sync.action.InactivateFocusAction</value>
                 </entry>
-
-                <!-- TODO -->
-                <!--
-                <entry key="http://midpoint.evolveum.com/xml/ns/public/model/action-3#enableUser">
-                    <value type="java.lang.Class">com.evolveum.midpoint.model.impl.sync.action.EnableUserAction</value>
-                </entry>
-                <entry key="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addAccount">
-                    <value type="java.lang.Class">com.evolveum.midpoint.model.impl.sync.action.AddAccountAction</value>
-                </entry>
-                 -->
             </map>
         </property>
         <property name="modelObjectResolver" ref="modelObjectResolver"/>
@@ -276,39 +261,4 @@
         <property name="provisioningService" ref="provisioningService"/>
         <property name="contextFactory" ref="contextFactory"/>
     </bean>
-
-    <bean id="loggingFeature" class="com.evolveum.midpoint.model.impl.util.LoggingFeature"/>
-
-    <jaxrs:server id="restService" address="/rest/">
-        <jaxrs:serviceBeans>
-            <ref bean="modelRestService"/>
-            <ref bean="extensionSchemaRestService"/>
-        </jaxrs:serviceBeans>
-        <jaxrs:providers>
-            <ref bean="jaxbProvider"/>
-            <ref bean="jsonProvider"/>
-            <ref bean="yamlProvider"/>
-            <ref bean="restAuthenticationHandler"/>
-        </jaxrs:providers>
-        <jaxrs:features>
-            <ref bean="loggingFeature"/>
-        </jaxrs:features>
-    </jaxrs:server>
-
-    <jaxrs:server id="clusterRestServer" address="/cluster/">
-        <jaxrs:serviceBeans>
-            <ref bean="clusterRestService"/>
-        </jaxrs:serviceBeans>
-        <jaxrs:providers>
-            <ref bean="jaxbProvider"/>
-            <ref bean="jsonProvider"/>
-            <ref bean="yamlProvider"/>
-            <ref bean="restAuthenticationHandler"/>
-        </jaxrs:providers>
-        <jaxrs:features>
-            <ref bean="loggingFeature"/>
-        </jaxrs:features>
-    </jaxrs:server>
-
-    <bean id="restAuthenticationHandler" class="com.evolveum.midpoint.model.impl.security.MidpointRestAuthenticationHandler"/>
 </beans>

From f733432a0e743633f975b31739938df13f5a2134 Mon Sep 17 00:00:00 2001
From: Richard Richter <richard.richter@evolveum.com>
Date: Fri, 22 May 2020 13:15:36 +0200
Subject: [PATCH 07/13] testing/rest system-configuration.xml: experimental
 code turned off

---
 testing/rest/src/test/resources/repo/system-configuration.xml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/testing/rest/src/test/resources/repo/system-configuration.xml b/testing/rest/src/test/resources/repo/system-configuration.xml
index f2836f17b36..7e8c8805f29 100644
--- a/testing/rest/src/test/resources/repo/system-configuration.xml
+++ b/testing/rest/src/test/resources/repo/system-configuration.xml
@@ -47,9 +47,5 @@
         <rootLoggerAppender>IDM_LOG</rootLoggerAppender>
         <rootLoggerLevel>INFO</rootLoggerLevel>
     </logging>
-<!--     <globalPasswordPolicyRef oid="81818181-76e0-59e2-8888-3d4f02d3fffb" type="ValuePolicyType"/> -->
     <globalSecurityPolicyRef oid="28bf845a-b107-11e3-85bc-001e8c717e5b" type="SecurityPolicyType"/>
-    <internals>
-        <enableExperimentalCode>true</enableExperimentalCode>
-    </internals>
 </systemConfiguration>

From 58260c73d28d5767555552b873eb92fad13a8c44 Mon Sep 17 00:00:00 2001
From: Richard Richter <richard.richter@evolveum.com>
Date: Fri, 22 May 2020 13:17:35 +0200
Subject: [PATCH 08/13] rest-impl: multi mapping of REST to /ws, /rest and /api
 + 404 fallback

---
 .../rest/impl/AbstractRestController.java     | 27 +++++++++++
 .../rest/impl/ClusterRestController.java      | 15 +++----
 .../impl/ExtensionSchemaRestController.java   |  2 +-
 .../rest/impl/ModelRestController.java        |  5 +--
 .../midpoint/rest/impl/RestApiIndex.java      | 45 ++++++++++++-------
 5 files changed, 66 insertions(+), 28 deletions(-)

diff --git a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java
index fdcc7fea614..db3fa74bac9 100644
--- a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java
+++ b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java
@@ -3,12 +3,17 @@
 import static org.springframework.http.ResponseEntity.status;
 
 import java.net.URI;
+import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.context.request.RequestAttributes;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
 import com.evolveum.midpoint.audit.api.AuditEventRecord;
 import com.evolveum.midpoint.audit.api.AuditEventStage;
@@ -179,4 +184,26 @@ private void auditEvent() {
 
         auditService.audit(record, task);
     }
+
+    private final String[] requestMappingPaths =
+            getClass().getAnnotation(RequestMapping.class).value();
+
+    /**
+     * Returns base path (without servlet context) reflecting currently used request.
+     * This solves the problem of base path being one of multiple possible mappings.
+     */
+    protected String controllerBasePath() {
+        RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
+        if (requestAttributes instanceof ServletRequestAttributes) {
+            HttpServletRequest request = ((ServletRequestAttributes) requestAttributes).getRequest();
+            String servletPath = request.getServletPath();
+            for (String requestMappingPath : requestMappingPaths) {
+                if (servletPath.startsWith(requestMappingPath)) {
+                    return requestMappingPath;
+                }
+            }
+        }
+
+        throw new NullPointerException("Base controller URL could not be determined.");
+    }
 }
diff --git a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java
index 431d1b49447..ff5a93bcd70 100644
--- a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java
+++ b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java
@@ -23,6 +23,7 @@
 import com.evolveum.midpoint.common.configuration.api.MidpointConfiguration;
 import com.evolveum.midpoint.model.api.ModelPublicConstants;
 import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipalManager;
+import com.evolveum.midpoint.model.impl.ClusterServiceConsts;
 import com.evolveum.midpoint.model.impl.security.NodeAuthenticationToken;
 import com.evolveum.midpoint.repo.api.CacheDispatcher;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
@@ -46,7 +47,7 @@
  * However, for diagnostic purposes we might allow also administrator access sometimes in the future.
  */
 @RestController
-@RequestMapping("/cluster") // TODO: /ws/cluster
+@RequestMapping({"/ws/cluster", "/rest/cluster", "/api/cluster"})
 public class ClusterRestController extends AbstractRestController {
 
     public static final String CLASS_DOT = ClusterRestController.class.getName() + ".";
@@ -63,10 +64,6 @@ public class ClusterRestController extends AbstractRestController {
 
     private static final String EXPORT_DIR = "export/";
 
-    public static final String EVENT_INVALIDATION = "/event/invalidation/";
-    public static final String EVENT_TERMINATE_SESSION = "/event/terminateSession/";
-    public static final String EVENT_LIST_USER_SESSION = "/event/listUserSession";
-
     @Autowired private MidpointConfiguration midpointConfiguration;
     @Autowired private GuiProfiledPrincipalManager focusProfileService;
 
@@ -76,13 +73,13 @@ public ClusterRestController() {
         // nothing to do
     }
 
-    @PostMapping(EVENT_INVALIDATION + "{type}")
+    @PostMapping(ClusterServiceConsts.EVENT_INVALIDATION + "{type}")
     public ResponseEntity<?> executeClusterCacheInvalidationEvent(
             @PathVariable("type") String type) {
         return executeClusterCacheInvalidationEvent(type, null);
     }
 
-    @PostMapping(EVENT_INVALIDATION + "{type}/{oid}")
+    @PostMapping(ClusterServiceConsts.EVENT_INVALIDATION + "{type}/{oid}")
     public ResponseEntity<?> executeClusterCacheInvalidationEvent(
             @PathVariable("type") String type,
             @PathVariable("oid") String oid) {
@@ -107,7 +104,7 @@ public ResponseEntity<?> executeClusterCacheInvalidationEvent(
         return response;
     }
 
-    @PostMapping(EVENT_TERMINATE_SESSION)
+    @PostMapping(ClusterServiceConsts.EVENT_TERMINATE_SESSION)
     public ResponseEntity<?> executeClusterTerminateSessionEvent(
             @RequestBody TerminateSessionEventType event) {
         Task task = initRequest();
@@ -128,7 +125,7 @@ public ResponseEntity<?> executeClusterTerminateSessionEvent(
         return response;
     }
 
-    @GetMapping(EVENT_LIST_USER_SESSION)
+    @GetMapping(ClusterServiceConsts.EVENT_LIST_USER_SESSION)
     public ResponseEntity<?> listUserSession() {
         Task task = initRequest();
         OperationResult result = createSubresult(task, OPERATION_GET_LOCAL_SCHEDULER_INFORMATION);
diff --git a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ExtensionSchemaRestController.java b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ExtensionSchemaRestController.java
index d1a534e9bae..b03caeadebb 100644
--- a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ExtensionSchemaRestController.java
+++ b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ExtensionSchemaRestController.java
@@ -35,7 +35,7 @@
 import com.evolveum.midpoint.util.logging.LoggingUtils;
 
 @RestController
-@RequestMapping(value = "/rest2/schema")
+@RequestMapping({ "/ws/schema", "/rest/schema", "/api/schema" })
 public class ExtensionSchemaRestController extends AbstractRestController {
 
     @Autowired private PrismContext prismContext;
diff --git a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ModelRestController.java b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ModelRestController.java
index 89fd9afc104..625063c1af3 100644
--- a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ModelRestController.java
+++ b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ModelRestController.java
@@ -45,10 +45,9 @@
 import com.evolveum.prism.xml.ns._public.query_3.QueryType;
 
 @RestController
-@RequestMapping(value = ModelRestController.BASE_PATH)
+@RequestMapping({ "/ws/rest", "/rest/model", "/api/model" })
 public class ModelRestController extends AbstractRestController {
 
-    public static final String BASE_PATH = "/rest2";
     public static final String GET_OBJECT_PATH = "/{type}/{id}";
 
     private static final String CURRENT = "current";
@@ -345,7 +344,7 @@ public <T extends ObjectType> ResponseEntity<?> addObject(
     @NotNull
     public URI uriGetObject(@PathVariable("type") String type, String oid) {
         return ServletUriComponentsBuilder.fromCurrentContextPath()
-                .path(BASE_PATH + GET_OBJECT_PATH)
+                .path(controllerBasePath() + GET_OBJECT_PATH)
                 .build(type, oid);
     }
 
diff --git a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/RestApiIndex.java b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/RestApiIndex.java
index edd3b2eab4e..2645530b442 100644
--- a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/RestApiIndex.java
+++ b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/RestApiIndex.java
@@ -3,8 +3,11 @@
 import java.util.*;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
+import javax.servlet.ServletContext;
+import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -12,44 +15,48 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.method.HandlerMethod;
+import org.springframework.web.server.ResponseStatusException;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.springframework.web.servlet.mvc.condition.MediaTypeExpression;
 import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
 import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
 import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
-import org.springframework.web.util.UriComponentsBuilder;
 
 /**
  * Support for simple index page with REST API endpoints (HTML and JSON).
  */
 @RestController
-@RequestMapping("/rest2")
-public class RestApiIndex {
+@RequestMapping({ "/ws", "/rest", "/api" })
+public class RestApiIndex extends AbstractRestController {
 
+    private final String contextPath;
     private final List<OperationInfo> uiRestInfo;
 
-    public RestApiIndex(RequestMappingHandlerMapping handlerMapping) {
+    public RestApiIndex(RequestMappingHandlerMapping handlerMapping, ServletContext servletContext) {
+        contextPath = servletContext.getContextPath();
         uiRestInfo = operationInfoStream(handlerMapping)
                 .filter(info -> info.handler.getBeanType().getName()
                         .startsWith("com.evolveum.midpoint.rest."))
                 .collect(Collectors.toList());
     }
 
-    private Stream<OperationInfo> operationInfoStream(RequestMappingHandlerMapping handlerMapping) {
+    private Stream<OperationInfo> operationInfoStream(
+            RequestMappingHandlerMapping handlerMapping) {
         return handlerMapping.getHandlerMethods().entrySet().stream()
                 .map(entry -> new OperationInfo(entry.getKey(), entry.getValue()));
     }
 
     @GetMapping()
-    public List<OperationJson> index() {
+    public List<OperationJson> index(HttpServletRequest request) {
+        String uri = request.getRequestURI();
         return uiRestInfo.stream()
-                .flatMap(OperationInfo::operationJsonStream)
+                .flatMap(operationInfo -> operationInfo.operationJsonStream(contextPath, uri))
                 .sorted(Comparator.comparing(json -> json.urlPattern))
                 .collect(Collectors.toList());
     }
 
     @GetMapping(produces = "text/html")
-    public String indexHtml() {
+    public String indexHtml(HttpServletRequest request) {
         StringBuilder html = new StringBuilder("<!DOCTYPE html><html>"
                 + "<head><meta charset='UTF-8'><title>REST-ish API</title>"
                 + "<style>body {font-family: sans-serif;} form,li,p,h1 {margin: 0.4em;}"
@@ -57,9 +64,11 @@ public String indexHtml() {
                 + " #result {padding: 1em; border: solid thin red;}</style>"
                 + "</head>"
                 + "<body><h1>REST operations</h1>This is NOT Swagger! Click at your own risk!<ul>");
-        for (OperationJson operationJson : index()) {
+        for (OperationJson operationJson : index(request)) {
             html.append("<li>")
-                    .append(Arrays.toString(operationJson.methods))
+                    .append(operationJson.methods != null
+                            ? Arrays.toString(operationJson.methods)
+                            : "*")
                     .append(" <a href=\"")
                     .append(operationJson.urlPattern)
                     .append("\">")
@@ -79,12 +88,13 @@ private static class OperationInfo {
             this.handler = handler;
         }
 
-        Stream<OperationJson> operationJsonStream() {
+        Stream<OperationJson> operationJsonStream(String contextPath, String prefix) {
             return mappingInfo.getPatternsCondition().getPatterns().stream()
-                    .map(pattern -> new OperationJson(pattern,
+                    .map(pattern -> new OperationJson(contextPath + pattern,
                             mappingInfo.getMethodsCondition().getMethods(),
                             mappingInfo.getConsumesCondition().getConsumableMediaTypes(),
-                            mappingInfo.getProducesCondition().getExpressions()));
+                            mappingInfo.getProducesCondition().getExpressions()))
+                    .filter(operationJson -> operationJson.urlPattern.startsWith(prefix));
         }
     }
 
@@ -114,6 +124,12 @@ private String[] toStringArray(Collection<?> collection) {
         }
     }
 
+    // Fallback for all unmapped resources under /ws
+    @RequestMapping(value = "/**")
+    public void notFoundFallback() {
+        throw new ResponseStatusException(HttpStatus.NOT_FOUND);
+    }
+
     // DEBUG area
     @Autowired(required = false)
     private List<WebMvcConfigurer> configurers;
@@ -125,8 +141,7 @@ private String[] toStringArray(Collection<?> collection) {
     private RequestMappingHandlerAdapter requestMappingHandlerAdapter;
 
     @GetMapping("/config")
-    public Map<?, ?> config(
-            UriComponentsBuilder uriComponentsBuilder) {
+    public Map<?, ?> config() {
         Map<String, Object> result = new LinkedHashMap<>();
         result.put("configurers", toStrings(configurers));
         result.put("converters", toStrings(converters));

From 7714ea86529533837e9c6c10893fc8c94e88f12e Mon Sep 17 00:00:00 2001
From: Richard Richter <richard.richter@evolveum.com>
Date: Fri, 22 May 2020 14:36:49 +0200
Subject: [PATCH 09/13] old REST/CXF: removal of LoggingFeature and
 *RestServices

---
 .../model/impl/ClusterRestService.java        |  352 ------
 .../impl/ExtensionSchemaRestService.java      |  157 ---
 .../midpoint/model/impl/ModelRestService.java | 1098 -----------------
 .../model/impl/util/LoggingFeature.java       |   85 --
 4 files changed, 1692 deletions(-)
 delete mode 100644 model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ClusterRestService.java
 delete mode 100644 model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ExtensionSchemaRestService.java
 delete mode 100644 model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
 delete mode 100644 model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/LoggingFeature.java

diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ClusterRestService.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ClusterRestService.java
deleted file mode 100644
index 3ebb5bab4b9..00000000000
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ClusterRestService.java
+++ /dev/null
@@ -1,352 +0,0 @@
-/*
- * Copyright (c) 2010-2019 Evolveum and contributors
- *
- * This work is dual-licensed under the Apache License 2.0
- * and European Union Public License. See LICENSE file for details.
- */
-package com.evolveum.midpoint.model.impl;
-
-import com.evolveum.midpoint.CacheInvalidationContext;
-import com.evolveum.midpoint.TerminateSessionEvent;
-import com.evolveum.midpoint.common.configuration.api.MidpointConfiguration;
-import com.evolveum.midpoint.model.api.ModelPublicConstants;
-import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipalManager;
-import com.evolveum.midpoint.model.impl.security.NodeAuthenticationToken;
-import com.evolveum.midpoint.model.impl.security.SecurityHelper;
-import com.evolveum.midpoint.model.impl.util.RestServiceUtil;
-import com.evolveum.midpoint.repo.api.CacheDispatcher;
-import com.evolveum.midpoint.schema.constants.ObjectTypes;
-import com.evolveum.midpoint.schema.result.OperationResult;
-import com.evolveum.midpoint.task.api.Task;
-import com.evolveum.midpoint.task.api.TaskConstants;
-import com.evolveum.midpoint.task.api.TaskManager;
-import com.evolveum.midpoint.util.exception.SecurityViolationException;
-import com.evolveum.midpoint.util.logging.Trace;
-import com.evolveum.midpoint.util.logging.TraceManager;
-import com.evolveum.midpoint.xml.ns._public.common.api_types_3.TerminateSessionEventType;
-import com.evolveum.midpoint.xml.ns._public.common.api_types_3.UserSessionManagementListType;
-import com.evolveum.midpoint.xml.ns._public.common.api_types_3.UserSessionManagementType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.SchedulerInformationType;
-import org.apache.commons.io.IOUtils;
-import org.apache.cxf.jaxrs.ext.MessageContext;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.stereotype.Service;
-
-import javax.ws.rs.*;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
-import javax.ws.rs.core.Response.Status;
-import javax.ws.rs.core.StreamingOutput;
-import java.io.File;
-import java.io.FileInputStream;
-import java.nio.file.Paths;
-import java.util.List;
-
-/**
- * REST service used for inter-cluster communication.
- *
- * These methods are NOT to be called generally by clients.
- * They are to be called internally by midPoint running on other cluster nodes.
- *
- * So the usual form of authentication will be CLUSTER (a.k.a. node authentication).
- * However, for diagnostic purposes we might allow also administrator access sometimes in the future.
- */
-@Service
-@Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-public class ClusterRestService {
-
-    public static final String CLASS_DOT = ClusterRestService.class.getName() + ".";
-
-    private static final String OPERATION_EXECUTE_CLUSTER_CACHE_INVALIDATION_EVENT = CLASS_DOT + "executeClusterCacheInvalidationEvent";
-    private static final String OPERATION_EXECUTE_CLUSTER_TERMINATE_SESSION_EVENT = CLASS_DOT + "executeClusterTerminateSessionEvent";
-    private static final String OPERATION_GET_LOCAL_SCHEDULER_INFORMATION = CLASS_DOT + "getLocalSchedulerInformation";
-    private static final String OPERATION_STOP_LOCAL_SCHEDULER = CLASS_DOT + "stopLocalScheduler";
-    private static final String OPERATION_START_LOCAL_SCHEDULER = CLASS_DOT + "startLocalScheduler";
-    private static final String OPERATION_STOP_LOCAL_TASK = CLASS_DOT + "stopLocalTask";
-
-    private static final String OPERATION_GET_REPORT_FILE = CLASS_DOT + "getReportFile";
-    private static final String OPERATION_DELETE_REPORT_FILE = CLASS_DOT + "deleteReportFile";
-
-    private static final String EXPORT_DIR = "export/";
-
-    public static final String EVENT_INVALIDATION = "/event/invalidation/";
-    public static final String EVENT_TERMINATE_SESSION = "/event/terminateSession/";
-    public static final String EVENT_LIST_USER_SESSION = "/event/listUserSession";
-
-    @Autowired private SecurityHelper securityHelper;
-    @Autowired private TaskManager taskManager;
-    @Autowired private MidpointConfiguration midpointConfiguration;
-    @Autowired private GuiProfiledPrincipalManager focusProfileService;
-
-    @Autowired private CacheDispatcher cacheDispatcher;
-
-    private static final Trace LOGGER = TraceManager.getTrace(ClusterRestService.class);
-
-    public ClusterRestService() {
-        // nothing to do
-    }
-
-    @POST
-    @Path(EVENT_INVALIDATION + "{type}")
-    @Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    public Response executeClusterCacheInvalidationEvent(@PathParam("type") String type, @Context MessageContext mc) {
-        return executeClusterCacheInvalidationEvent(type, null, mc);
-    }
-
-    @POST
-    @Path(EVENT_INVALIDATION + "{type}/{oid}")
-    @Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    public Response executeClusterCacheInvalidationEvent(@PathParam("type") String type, @PathParam("oid") String oid, @Context MessageContext mc) {
-        Task task = RestServiceUtil.initRequest(mc);
-        OperationResult result = new OperationResult(OPERATION_EXECUTE_CLUSTER_CACHE_INVALIDATION_EVENT);
-
-        Response response;
-        try {
-            checkNodeAuthentication();
-
-            Class<? extends ObjectType> clazz = type != null ? ObjectTypes.getClassFromRestType(type) : null;
-
-            // clusterwide is false: we got this from another node so we don't need to redistribute it
-            cacheDispatcher.dispatchInvalidation(clazz, oid, false, new CacheInvalidationContext(true, null));
-
-            result.recordSuccess();
-            response = RestServiceUtil.createResponse(Status.OK, result);
-        } catch (Throwable t) {
-            response = RestServiceUtil.handleException(result, t);
-        }
-        finishRequest(task);
-        return response;
-    }
-
-    @POST
-    @Path(EVENT_TERMINATE_SESSION)
-    @Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    public Response executeClusterTerminateSessionEvent(TerminateSessionEventType event, @Context MessageContext mc) {
-        Task task = RestServiceUtil.initRequest(mc);
-        OperationResult result = new OperationResult(OPERATION_EXECUTE_CLUSTER_TERMINATE_SESSION_EVENT);
-
-        Response response;
-        try {
-            checkNodeAuthentication();
-
-            focusProfileService.terminateLocalSessions(TerminateSessionEvent.fromEventType(event));
-
-            result.recordSuccess();
-            response = RestServiceUtil.createResponse(Status.OK, result);
-        } catch (Throwable t) {
-            response = RestServiceUtil.handleException(result, t);
-        }
-        finishRequest(task);
-        return response;
-    }
-
-    @GET
-    @Path(EVENT_LIST_USER_SESSION)
-    @Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    public Response listUserSession(@Context MessageContext mc) {
-        Task task = RestServiceUtil.initRequest(mc);
-        OperationResult result = new OperationResult(OPERATION_GET_LOCAL_SCHEDULER_INFORMATION);
-
-        Response response;
-        try {
-            checkNodeAuthentication();
-            List<UserSessionManagementType> principals = focusProfileService.getLocalLoggedInPrincipals();
-
-            UserSessionManagementListType list = new UserSessionManagementListType();
-            list.getSession().addAll(principals);
-
-            response = RestServiceUtil.createResponse(Status.OK, list, result);
-        } catch (Throwable t) {
-            response = RestServiceUtil.handleException(result, t);
-        }
-        result.computeStatus();
-        finishRequest(task);
-        return response;
-    }
-
-    @GET
-    @Path(TaskConstants.GET_LOCAL_SCHEDULER_INFORMATION_REST_PATH)
-    @Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    public Response getLocalSchedulerInformation(@Context MessageContext mc) {
-        Task task = RestServiceUtil.initRequest(mc);
-        OperationResult result = new OperationResult(OPERATION_GET_LOCAL_SCHEDULER_INFORMATION);
-
-        Response response;
-        try {
-            checkNodeAuthentication();
-            SchedulerInformationType schedulerInformation = taskManager.getLocalSchedulerInformation(result);
-            response = RestServiceUtil.createResponse(Status.OK, schedulerInformation, result);
-        } catch (Throwable t) {
-            response = RestServiceUtil.handleException(result, t);
-        }
-        result.computeStatus();
-        finishRequest(task);
-        return response;
-    }
-
-    @POST
-    @Path(TaskConstants.STOP_LOCAL_SCHEDULER_REST_PATH)
-    @Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    public Response stopLocalScheduler(@Context MessageContext mc) {
-        Task task = RestServiceUtil.initRequest(mc);
-        OperationResult result = new OperationResult(OPERATION_STOP_LOCAL_SCHEDULER);
-
-        Response response;
-        try {
-            checkNodeAuthentication();
-            taskManager.stopLocalScheduler(result);
-            response = RestServiceUtil.createResponse(Status.OK, result);
-        } catch (Throwable t) {
-            response = RestServiceUtil.handleException(result, t);
-        }
-        result.computeStatus();
-        finishRequest(task);
-        return response;
-    }
-
-    @POST
-    @Path(TaskConstants.START_LOCAL_SCHEDULER_REST_PATH)
-    @Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    public Response startLocalScheduler(@Context MessageContext mc) {
-        Task task = RestServiceUtil.initRequest(mc);
-        OperationResult result = new OperationResult(OPERATION_START_LOCAL_SCHEDULER);
-
-        Response response;
-        try {
-            checkNodeAuthentication();
-            taskManager.startLocalScheduler(result);
-            response = RestServiceUtil.createResponse(Status.OK, result);
-        } catch (Throwable t) {
-            response = RestServiceUtil.handleException(result, t);
-        }
-        result.computeStatus();
-        finishRequest(task);
-        return response;
-    }
-
-    @POST
-    @Path(TaskConstants.STOP_LOCAL_TASK_REST_PATH_PREFIX + "{oid}" + TaskConstants.STOP_LOCAL_TASK_REST_PATH_SUFFIX)
-    @Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML})
-    public Response stopLocalTask(@PathParam("oid") String oid, @Context MessageContext mc) {
-        Task task = RestServiceUtil.initRequest(mc);
-        OperationResult result = new OperationResult(OPERATION_STOP_LOCAL_TASK);
-
-        Response response;
-        try {
-            checkNodeAuthentication();
-            taskManager.stopLocalTask(oid, result);
-            response = RestServiceUtil.createResponse(Status.OK, result);
-        } catch (Throwable t) {
-            response = RestServiceUtil.handleException(result, t);
-        }
-        result.computeStatus();
-        finishRequest(task);
-        return response;
-    }
-
-    @GET
-    @Path(ModelPublicConstants.CLUSTER_REPORT_FILE_PATH)
-    @Produces("application/octet-stream")
-    public Response getReportFile(@QueryParam(ModelPublicConstants.CLUSTER_REPORT_FILE_FILENAME_PARAMETER) String fileName, @Context MessageContext mc) {
-        Task task = RestServiceUtil.initRequest(mc);
-        OperationResult result = new OperationResult(OPERATION_GET_REPORT_FILE);
-
-        Response response;
-        try {
-            checkNodeAuthentication();
-            FileResolution resolution = resolveFile(fileName);
-            if (resolution.status == null) {
-                StreamingOutput streaming = outputStream -> {
-                    try (FileInputStream fileInputStream = new FileInputStream(resolution.file)) {
-                        IOUtils.copy(fileInputStream, outputStream);
-                    }
-                };
-                response = Response.ok(streaming).build();          // we are only interested in the content, not in its type nor length
-            } else {
-                response = Response.status(resolution.status).build();
-            }
-            result.computeStatus();
-        } catch (Throwable t) {
-            response = RestServiceUtil.handleException(null, t);        // we don't return the operation result
-        }
-        finishRequest(task);
-        return response;
-    }
-
-    @DELETE
-    @Path(ModelPublicConstants.CLUSTER_REPORT_FILE_PATH)
-    public Response deleteReportFile(@QueryParam(ModelPublicConstants.CLUSTER_REPORT_FILE_FILENAME_PARAMETER) String fileName, @Context MessageContext mc) {
-        Task task = RestServiceUtil.initRequest(mc);
-        OperationResult result = new OperationResult(OPERATION_DELETE_REPORT_FILE);
-
-        Response response;
-        try {
-            checkNodeAuthentication();
-            FileResolution resolution = resolveFile(fileName);
-            if (resolution.status == null) {
-                if (!resolution.file.delete()) {
-                    LOGGER.warn("Couldn't delete report output file {}", resolution.file);
-                }
-                response = Response.ok().build();
-            } else {
-                response = Response.status(resolution.status).build();
-            }
-            result.computeStatus();
-        } catch (Throwable t) {
-            response = RestServiceUtil.handleException(null, t);          // we don't return the operation result
-        }
-        finishRequest(task);
-        return response;
-    }
-
-    static class FileResolution {
-        File file;
-        Status status;
-    }
-
-    private FileResolution resolveFile(String fileName) {
-        FileResolution rv = new FileResolution();
-        rv.file = Paths.get(midpointConfiguration.getMidpointHome(), EXPORT_DIR, fileName).toFile();
-
-        if (forbiddenFileName(fileName)) {
-            LOGGER.warn("File name '{}' is forbidden", fileName);
-            rv.status = Status.FORBIDDEN;
-        } else if (!rv.file.exists()) {
-            LOGGER.warn("Report output file '{}' does not exist", rv.file);
-            rv.status = Status.NOT_FOUND;
-        } else if (rv.file.isDirectory()) {
-            LOGGER.warn("Report output file '{}' is a directory", rv.file);
-            rv.status = Status.FORBIDDEN;
-        }
-        return rv;
-    }
-
-    private void finishRequest(Task task) {
-        RestServiceUtil.finishRequest(task, securityHelper);
-    }
-
-    private boolean forbiddenFileName(String fileName) {
-        return fileName.contains("/../");
-    }
-
-    private void checkNodeAuthentication() throws SecurityViolationException {
-        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-        if (!(authentication instanceof NodeAuthenticationToken)) {
-            throw new SecurityViolationException("Node authentication is expected but not present");
-        }
-        // TODO consider allowing administrator access here as well
-    }
-
-}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ExtensionSchemaRestService.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ExtensionSchemaRestService.java
deleted file mode 100644
index 307e70178be..00000000000
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ExtensionSchemaRestService.java
+++ /dev/null
@@ -1,157 +0,0 @@
-/*
- * Copyright (c) 2010-2017 Evolveum and contributors
- *
- * This work is dual-licensed under the Apache License 2.0
- * and European Union Public License. See LICENSE file for details.
- */
-
-package com.evolveum.midpoint.model.impl;
-
-import com.evolveum.midpoint.common.configuration.api.MidpointConfiguration;
-import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
-import com.evolveum.midpoint.model.impl.security.SecurityHelper;
-import com.evolveum.midpoint.model.impl.util.RestServiceUtil;
-import com.evolveum.midpoint.prism.PrismContext;
-import com.evolveum.midpoint.prism.schema.SchemaDescription;
-import com.evolveum.midpoint.prism.schema.SchemaRegistry;
-import com.evolveum.midpoint.schema.result.OperationResult;
-import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
-import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
-import com.evolveum.midpoint.task.api.Task;
-import com.evolveum.midpoint.util.logging.LoggingUtils;
-import com.evolveum.midpoint.util.logging.Trace;
-import com.evolveum.midpoint.util.logging.TraceManager;
-
-import org.apache.commons.lang3.StringUtils;
-import org.apache.cxf.jaxrs.ext.MessageContext;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Service;
-
-import javax.ws.rs.*;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
-import java.io.File;
-import java.nio.file.Paths;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-
-/**
- * Created by Viliam Repan (lazyman).
- */
-@Service
-@Path("/schema")
-@Consumes(MediaType.WILDCARD)
-public class ExtensionSchemaRestService {
-
-    private static final Trace LOGGER = TraceManager.getTrace(ExtensionSchemaRestService.class);
-
-    @Autowired private PrismContext prismContext;
-    @Autowired private SecurityEnforcer securityEnforcer;
-    @Autowired private SecurityHelper securityHelper;
-
-    public static final String CLASS_DOT = ExtensionSchemaRestService.class.getName() + ".";
-    private static final String OPERATION_LIST_SCHEMAS = CLASS_DOT +  "listSchemas";
-    private static final String OPERATION_GET_SCHEMA = CLASS_DOT +  "getSchema";
-
-    @GET
-    @Produces(MediaType.TEXT_PLAIN)
-    public Response listSchemas(@Context MessageContext mc) {
-
-        Task task = RestServiceUtil.initRequest(mc);
-        OperationResult result = task.getResult().createSubresult(OPERATION_LIST_SCHEMAS);
-
-        Response response;
-        try {
-            securityEnforcer.authorize(ModelAuthorizationAction.GET_EXTENSION_SCHEMA.getUrl(), null, AuthorizationParameters.EMPTY, null, task, result);
-
-            SchemaRegistry registry = prismContext.getSchemaRegistry();
-            Collection<SchemaDescription> descriptions = registry.getSchemaDescriptions();
-
-            List<String> names = new ArrayList<>();
-
-            for (SchemaDescription description : descriptions) {
-                String name = computeName(description);
-                if (name != null) {
-                    names.add(name);
-                }
-            }
-
-            String output = StringUtils.join(names, "\n");
-            response = Response.ok(output).build();
-        } catch (Exception ex) {
-            // we avoid RestServiceUtil.handleException because we cannot serialize OperationResultType into text/plain
-            LoggingUtils.logUnexpectedException(LOGGER, "Got exception while servicing REST request: {}", ex, result.getOperation());
-            response = Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(ex.getMessage()).build();              // TODO handle this somehow better
-        }
-
-        RestServiceUtil.finishRequest(task, securityHelper);
-        return response;
-    }
-
-    private String computeName(SchemaDescription description) {
-        String path = description.getPath();
-        if (path == null) {
-            return null;
-        }
-
-        File file = new File(path);
-        if (!file.exists()) {
-            return null;
-        }
-
-        String midpointHome = System.getProperty(MidpointConfiguration.MIDPOINT_HOME_PROPERTY);
-        java.nio.file.Path homePath = Paths.get(midpointHome, "schema");
-        java.nio.file.Path relative = homePath.relativize(file.toPath());
-
-        return relative.toString();
-    }
-
-    @GET
-    @Path("/{name}")
-    @Produces({MediaType.TEXT_XML, MediaType.TEXT_PLAIN})
-    public Response getSchema(@PathParam("name") String name, @Context MessageContext mc) {
-
-        Task task = RestServiceUtil.initRequest(mc);
-        OperationResult result = task.getResult().createSubresult(OPERATION_GET_SCHEMA);
-
-        Response response;
-        try {
-            securityEnforcer.authorize(ModelAuthorizationAction.GET_EXTENSION_SCHEMA.getUrl(), null, AuthorizationParameters.EMPTY, null, task, result);
-
-            if (name == null) {
-                response = Response.status(Response.Status.BAD_REQUEST).type(MediaType.TEXT_PLAIN_TYPE)
-                        .entity("Name not defined").build();
-            } else if (!name.toLowerCase().endsWith(".xsd") && name.length() > 4) {
-                response = Response.status(Response.Status.BAD_REQUEST).type(MediaType.TEXT_PLAIN_TYPE)
-                        .entity("Name must be an xsd schema (.xsd extension expected)").build();
-            } else {
-                SchemaRegistry registry = prismContext.getSchemaRegistry();
-                Collection<SchemaDescription> descriptions = registry.getSchemaDescriptions();
-
-                SchemaDescription description = null;
-                for (SchemaDescription desc : descriptions) {
-                    String descName = computeName(desc);
-                    if (descName != null && descName.equals(name)) {
-                        description = desc;
-                        break;
-                    }
-                }
-
-                if (description != null) {
-                    response = Response.ok(new File(description.getPath())).build();
-                } else {
-                    response = Response.status(Response.Status.NOT_FOUND).type(MediaType.TEXT_PLAIN_TYPE)
-                            .entity("Unknown name").build();
-                }
-            }
-        } catch (Exception ex) {
-            result.computeStatus();
-            response = RestServiceUtil.handleException(result, ex);
-        }
-
-        RestServiceUtil.finishRequest(task, securityHelper);
-        return response;
-    }
-}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
deleted file mode 100644
index 902d9045b09..00000000000
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
+++ /dev/null
@@ -1,1098 +0,0 @@
-/*
- * Copyright (c) 2013-2019 Evolveum and contributors
- *
- * This work is dual-licensed under the Apache License 2.0
- * and European Union Public License. See LICENSE file for details.
- */
-package com.evolveum.midpoint.model.impl;
-
-import java.net.URI;
-import java.util.Collection;
-import java.util.List;
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.*;
-import javax.ws.rs.core.*;
-import javax.ws.rs.core.Response.ResponseBuilder;
-import javax.ws.rs.core.Response.Status;
-import javax.xml.namespace.QName;
-
-import com.evolveum.midpoint.schema.util.ScriptingBeansUtil;
-import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.lang.Validate;
-import org.apache.cxf.jaxrs.ext.MessageContext;
-import org.jetbrains.annotations.NotNull;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.stereotype.Service;
-
-import com.evolveum.midpoint.audit.api.AuditEventRecord;
-import com.evolveum.midpoint.audit.api.AuditEventStage;
-import com.evolveum.midpoint.audit.api.AuditEventType;
-import com.evolveum.midpoint.audit.api.AuditService;
-import com.evolveum.midpoint.common.rest.Converter;
-import com.evolveum.midpoint.common.rest.ConverterInterface;
-import com.evolveum.midpoint.model.api.*;
-import com.evolveum.midpoint.model.api.validator.ResourceValidator;
-import com.evolveum.midpoint.model.api.validator.Scope;
-import com.evolveum.midpoint.model.api.validator.ValidationResult;
-import com.evolveum.midpoint.model.common.SystemObjectCache;
-import com.evolveum.midpoint.model.impl.rest.PATCH;
-import com.evolveum.midpoint.model.impl.scripting.PipelineData;
-import com.evolveum.midpoint.model.impl.security.SecurityHelper;
-import com.evolveum.midpoint.model.impl.util.RestServiceUtil;
-import com.evolveum.midpoint.prism.PrismContext;
-import com.evolveum.midpoint.prism.PrismObject;
-import com.evolveum.midpoint.prism.delta.ItemDelta;
-import com.evolveum.midpoint.prism.path.ItemPath;
-import com.evolveum.midpoint.prism.path.ItemPathCollectionsUtil;
-import com.evolveum.midpoint.prism.query.ObjectQuery;
-import com.evolveum.midpoint.schema.DefinitionProcessingOption;
-import com.evolveum.midpoint.schema.DeltaConvertor;
-import com.evolveum.midpoint.schema.GetOperationOptions;
-import com.evolveum.midpoint.schema.SelectorOptions;
-import com.evolveum.midpoint.schema.constants.MidPointConstants;
-import com.evolveum.midpoint.schema.constants.ObjectTypes;
-import com.evolveum.midpoint.schema.constants.SchemaConstants;
-import com.evolveum.midpoint.schema.expression.VariablesMap;
-import com.evolveum.midpoint.schema.result.OperationResult;
-import com.evolveum.midpoint.schema.result.OperationResultStatus;
-import com.evolveum.midpoint.schema.util.SystemConfigurationTypeUtil;
-import com.evolveum.midpoint.security.api.MidPointPrincipal;
-import com.evolveum.midpoint.security.api.SecurityUtil;
-import com.evolveum.midpoint.task.api.Task;
-import com.evolveum.midpoint.task.api.TaskManager;
-import com.evolveum.midpoint.util.exception.*;
-import com.evolveum.midpoint.util.logging.LoggingUtils;
-import com.evolveum.midpoint.util.logging.Trace;
-import com.evolveum.midpoint.util.logging.TraceManager;
-import com.evolveum.midpoint.xml.ns._public.common.api_types_3.*;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
-import com.evolveum.midpoint.xml.ns._public.model.scripting_3.ExecuteScriptOutputType;
-import com.evolveum.midpoint.xml.ns._public.model.scripting_3.ExecuteScriptType;
-import com.evolveum.midpoint.xml.ns._public.model.scripting_3.ScriptingExpressionType;
-import com.evolveum.prism.xml.ns._public.query_3.QueryType;
-
-/**
- * @author katkav
- * @author semancik
- */
-@Service
-@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-public class ModelRestService {
-
-    public static final String CLASS_DOT = ModelRestService.class.getName() + ".";
-
-    public static final String OPERATION_REST_SERVICE = CLASS_DOT + "restService";
-    public static final String OPERATION_GET = CLASS_DOT + "get";
-    public static final String OPERATION_SELF = CLASS_DOT + "self";
-    public static final String OPERATION_ADD_OBJECT = CLASS_DOT + "addObject";
-    public static final String OPERATION_DELETE_OBJECT = CLASS_DOT + "deleteObject";
-    public static final String OPERATION_MODIFY_OBJECT = CLASS_DOT + "modifyObject";
-    public static final String OPERATION_NOTIFY_CHANGE = CLASS_DOT + "notifyChange";
-    public static final String OPERATION_FIND_SHADOW_OWNER = CLASS_DOT + "findShadowOwner";
-    public static final String OPERATION_SEARCH_OBJECTS = CLASS_DOT + "searchObjects";
-    public static final String OPERATION_IMPORT_FROM_RESOURCE = CLASS_DOT + "importFromResource";
-    public static final String OPERATION_IMPORT_SHADOW_FROM_RESOURCE = CLASS_DOT + "importShadowFromResource";
-    public static final String OPERATION_TEST_RESOURCE = CLASS_DOT + "testResource";
-    public static final String OPERATION_SUSPEND_TASK = CLASS_DOT + "suspendTask";
-    public static final String OPERATION_SUSPEND_AND_DELETE_TASK = CLASS_DOT + "suspendAndDeleteTask";
-    public static final String OPERATION_RESUME_TASK = CLASS_DOT + "resumeTask";
-    public static final String OPERATION_SCHEDULE_TASK_NOW = CLASS_DOT + "scheduleTaskNow";
-    public static final String OPERATION_EXECUTE_SCRIPT = CLASS_DOT + "executeScript";
-    public static final String OPERATION_COMPARE = CLASS_DOT + "compare";
-    public static final String OPERATION_GET_LOG_FILE_CONTENT = CLASS_DOT + "getLogFileContent";
-    public static final String OPERATION_GET_LOG_FILE_SIZE = CLASS_DOT + "getLogFileSize";
-    public static final String OPERATION_VALIDATE_VALUE = CLASS_DOT + "validateValue";
-    public static final String OPERATION_VALIDATE_VALUE_RPC = CLASS_DOT + "validateValueRpc";
-    public static final String OPERATION_GENERATE_VALUE = CLASS_DOT + "generateValue";
-    public static final String OPERATION_GENERATE_VALUE_RPC = CLASS_DOT + "generateValueRpc";
-    public static final String OPERATION_EXECUTE_CREDENTIAL_RESET = CLASS_DOT + "executeCredentialReset";
-    public static final String OPERATION_EXECUTE_CLUSTER_EVENT = CLASS_DOT + "executeClusterCacheInvalidationEvent";
-    public static final String OPERATION_GET_LOCAL_SCHEDULER_INFORMATION = CLASS_DOT + "getLocalSchedulerInformation";
-    public static final String OPERATION_STOP_LOCAL_SCHEDULER = CLASS_DOT + "stopScheduler";
-    public static final String OPERATION_START_LOCAL_SCHEDULER = CLASS_DOT + "startScheduler";
-    public static final String OPERATION_STOP_LOCAL_TASK = CLASS_DOT + "stopLocalTask";
-    public static final String OPERATION_GET_THREADS_DUMP = CLASS_DOT + "getThreadsDump";
-    public static final String OPERATION_GET_RUNNING_TASKS_THREADS_DUMP = CLASS_DOT + "getRunningTasksThreadsDump";
-    public static final String OPERATION_GET_TASK_THREADS_DUMP = CLASS_DOT + "getTaskThreadsDump";
-
-    private static final String CURRENT = "current";
-    private static final String VALIDATE = "validate";
-
-    @Autowired private ModelCrudService model;
-    @Autowired private ScriptingService scriptingService;
-    @Autowired private ModelService modelService;
-    @Autowired private ModelDiagnosticService modelDiagnosticService;
-    @Autowired private ModelInteractionService modelInteraction;
-    @Autowired private PrismContext prismContext;
-    @Autowired private SecurityHelper securityHelper;
-    @Autowired private TaskManager taskManager;
-    @Autowired private TaskService taskService;
-    @Autowired private ResourceValidator resourceValidator;
-
-    @Autowired private SystemObjectCache systemObjectCache;
-    @Autowired private AuditService auditService;
-
-    private static final Trace LOGGER = TraceManager.getTrace(ModelRestService.class);
-
-    private static final long WAIT_FOR_TASK_STOP = 2000L;
-
-    public ModelRestService() {
-        // nothing to do
-    }
-
-    @POST
-    @Path("/{type}/{oid}/generate")
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response generateValue(@PathParam("type") String type,
-            @PathParam("oid") String oid, PolicyItemsDefinitionType policyItemsDefinition,
-            @Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_GENERATE_VALUE);
-
-        Class<? extends ObjectType> clazz = ObjectTypes.getClassFromRestType(type);
-
-        Response response;
-        try {
-            PrismObject<? extends ObjectType> object = model.getObject(clazz, oid, null, task, parentResult);
-            response = generateValue(object, policyItemsDefinition, task, parentResult);
-        } catch (Exception ex) {
-            parentResult.computeStatus();
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-
-    }
-
-    @POST
-    @Path("/rpc/generate")
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response generateValue(PolicyItemsDefinitionType policyItemsDefinition,
-            @Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_GENERATE_VALUE_RPC);
-
-        Response response = generateValue(null, policyItemsDefinition, task, parentResult);
-        finishRequest(task, mc.getHttpServletRequest());
-
-        return response;
-    }
-
-    private <O extends ObjectType> Response generateValue(PrismObject<O> object, PolicyItemsDefinitionType policyItemsDefinition, Task task, OperationResult parentResult) {
-        Response response;
-        if (policyItemsDefinition == null) {
-            response = createBadPolicyItemsDefinitionResponse("Policy items definition must not be null", parentResult);
-        } else {
-            try {
-                modelInteraction.generateValue(object, policyItemsDefinition, task, parentResult);
-                parentResult.computeStatusIfUnknown();
-                if (parentResult.isSuccess()) {
-                    response = RestServiceUtil.createResponse(Response.Status.OK, policyItemsDefinition, parentResult, true);
-                } else {
-                    response = RestServiceUtil.createResponse(Response.Status.BAD_REQUEST, parentResult, parentResult);
-                }
-
-            } catch (Exception ex) {
-                parentResult.recordFatalError("Failed to generate value, " + ex.getMessage(), ex);
-                response = RestServiceUtil.handleException(parentResult, ex);
-            }
-        }
-        return response;
-    }
-
-    @POST
-    @Path("/{type}/{oid}/validate")
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response validateValue(@PathParam("type") String type, @PathParam("oid") String oid, PolicyItemsDefinitionType policyItemsDefinition, @Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_VALIDATE_VALUE);
-
-        Class<? extends ObjectType> clazz = ObjectTypes.getClassFromRestType(type);
-        Response response;
-        try {
-            PrismObject<? extends ObjectType> object = model.getObject(clazz, oid, null, task, parentResult);
-            response = validateValue(object, mc.getHttpServletRequest(), policyItemsDefinition, task, parentResult);
-        } catch (Exception ex) {
-            parentResult.computeStatus();
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @POST
-    @Path("/rpc/validate")
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response validateValue(PolicyItemsDefinitionType policyItemsDefinition, @Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_VALIDATE_VALUE);
-
-        Response response = validateValue(null, mc.getHttpServletRequest(), policyItemsDefinition, task, parentResult);
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-
-    }
-
-    private <O extends ObjectType> Response validateValue(PrismObject<O> object, HttpServletRequest httpRequest, PolicyItemsDefinitionType policyItemsDefinition, Task task, OperationResult parentResult) {
-        Response response;
-        if (policyItemsDefinition == null) {
-            response = createBadPolicyItemsDefinitionResponse("Policy items definition must not be null", parentResult);
-            finishRequest(task, httpRequest);
-            return response;
-
-        }
-
-        if (CollectionUtils.isEmpty(policyItemsDefinition.getPolicyItemDefinition())) {
-            response = createBadPolicyItemsDefinitionResponse("No definitions for items", parentResult);
-            finishRequest(task, httpRequest);
-            return response;
-        }
-
-        try {
-            modelInteraction.validateValue(object, policyItemsDefinition, task, parentResult);
-
-            parentResult.computeStatusIfUnknown();
-            ResponseBuilder responseBuilder;
-            if (parentResult.isAcceptable()) {
-                response = RestServiceUtil.createResponse(Response.Status.OK, policyItemsDefinition, parentResult, true);
-            } else {
-                responseBuilder = Response.status(Status.CONFLICT).entity(parentResult);
-                response = responseBuilder.build();
-            }
-
-        } catch (Exception ex) {
-            parentResult.computeStatus();
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        return response;
-    }
-
-    private Response createBadPolicyItemsDefinitionResponse(String message, OperationResult parentResult) {
-        LOGGER.error(message);
-        parentResult.recordFatalError(message);
-        return Response.status(Status.BAD_REQUEST).entity(parentResult).build();
-    }
-
-    @GET
-    @Path("/users/{id}/policy")
-    public Response getValuePolicyForUser(@PathParam("id") String oid, @Context MessageContext mc) {
-        LOGGER.debug("getValuePolicyForUser start");
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_GET);
-
-        Response response;
-        try {
-
-            Collection<SelectorOptions<GetOperationOptions>> options =
-                    SelectorOptions.createCollection(GetOperationOptions.createRaw());
-            PrismObject<UserType> user = model.getObject(UserType.class, oid, options, task, parentResult);
-
-            CredentialsPolicyType policy = modelInteraction.getCredentialsPolicy(user, task, parentResult);
-
-            response = RestServiceUtil.createResponse(Response.Status.OK, policy, parentResult);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        parentResult.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-
-        LOGGER.debug("getValuePolicyForUser finish");
-
-        return response;
-    }
-
-    @GET
-    @Path("/{type}/{id}")
-    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response getObject(@PathParam("type") String type, @PathParam("id") String id,
-            @QueryParam("options") List<String> options,
-            @QueryParam("include") List<String> include,
-            @QueryParam("exclude") List<String> exclude,
-            @QueryParam("resolveNames") List<String> resolveNames,
-            @Context MessageContext mc) {
-        LOGGER.debug("model rest service for get operation start");
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_GET);
-
-        Class<? extends ObjectType> clazz = ObjectTypes.getClassFromRestType(type);
-        Collection<SelectorOptions<GetOperationOptions>> getOptions = GetOperationOptions.fromRestOptions(options, include,
-                exclude, resolveNames, DefinitionProcessingOption.ONLY_IF_EXISTS, prismContext);
-        Response response;
-
-        try {
-            PrismObject<? extends ObjectType> object;
-            if (NodeType.class.equals(clazz) && CURRENT.equals(id)) {
-                String nodeId = taskManager.getNodeId();
-                ObjectQuery query = prismContext.queryFor(NodeType.class)
-                        .item(NodeType.F_NODE_IDENTIFIER).eq(nodeId)
-                        .build();
-                List<PrismObject<NodeType>> objects = model.searchObjects(NodeType.class, query, getOptions, task, parentResult);
-                if (objects.isEmpty()) {
-                    throw new ObjectNotFoundException("Current node (id " + nodeId + ") couldn't be found.");
-                } else if (objects.size() > 1) {
-                    throw new IllegalStateException("More than one 'current' node (id " + nodeId + ") found.");
-                } else {
-                    object = objects.get(0);
-                }
-            } else {
-                object = model.getObject(clazz, id, getOptions, task, parentResult);
-            }
-            removeExcludes(object, exclude);        // temporary measure until fixed in repo
-
-            response = RestServiceUtil.createResponse(Response.Status.OK, object, parentResult);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        parentResult.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @GET
-    @Path("/self")
-    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response getSelf(@Context MessageContext mc) {
-        LOGGER.debug("model rest service for get operation start");
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_SELF);
-
-        Response response;
-
-        try {
-            FocusType loggedInUser = SecurityUtil.getPrincipal().getFocus();
-            PrismObject<? extends FocusType> user = model.getObject(loggedInUser.getClass(), loggedInUser.getOid(), null, task, parentResult);
-            response = RestServiceUtil.createResponse(Response.Status.OK, user, parentResult, true);
-            parentResult.recordSuccessIfUnknown();
-        } catch (SecurityViolationException | ObjectNotFoundException | SchemaException | CommunicationException | ConfigurationException | ExpressionEvaluationException e) {
-            response = RestServiceUtil.handleException(parentResult, e);
-        }
-
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @POST
-    @Path("/{type}")
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public <T extends ObjectType> Response addObject(@PathParam("type") String type, PrismObject<T> object,
-            @QueryParam("options") List<String> options,
-            @Context UriInfo uriInfo, @Context MessageContext mc) {
-        LOGGER.debug("model rest service for add operation start");
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_ADD_OBJECT);
-
-        Class<?> clazz = ObjectTypes.getClassFromRestType(type);
-        if (!object.getCompileTimeClass().equals(clazz)) {
-            finishRequest(task, mc.getHttpServletRequest());
-            parentResult.recordFatalError("Request to add object of type "
-                    + object.getCompileTimeClass().getSimpleName() + " to the collection of " + type);
-            return RestServiceUtil.createErrorResponseBuilder(Status.BAD_REQUEST, parentResult).build();
-        }
-
-        ModelExecuteOptions modelExecuteOptions = ModelExecuteOptions.fromRestOptions(options);
-
-        String oid;
-        Response response;
-        try {
-            oid = model.addObject(object, modelExecuteOptions, task, parentResult);
-            LOGGER.debug("returned oid :  {}", oid);
-
-            if (oid != null) {
-                URI resourceURI = uriInfo.getAbsolutePathBuilder().path(oid).build(oid);
-                response = clazz.isAssignableFrom(TaskType.class) ?        // TODO not the other way around?
-                        RestServiceUtil.createResponse(Response.Status.ACCEPTED, resourceURI, parentResult) : RestServiceUtil.createResponse(Response.Status.CREATED, resourceURI, parentResult);
-            } else {
-                // OID might be null e.g. if the object creation is a subject of workflow approval
-                response = RestServiceUtil.createResponse(Response.Status.ACCEPTED, parentResult);
-            }
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        parentResult.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @GET
-    @Path("/{type}")
-    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public <T extends ObjectType> Response searchObjectsByType(@PathParam("type") String type, @QueryParam("options") List<String> options,
-            @QueryParam("include") List<String> include, @QueryParam("exclude") List<String> exclude,
-            @QueryParam("resolveNames") List<String> resolveNames,
-            @Context UriInfo uriInfo, @Context MessageContext mc) {
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_SEARCH_OBJECTS);
-
-        //noinspection unchecked
-        Class<T> clazz = (Class<T>) ObjectTypes.getClassFromRestType(type);
-        Response response;
-        try {
-
-            Collection<SelectorOptions<GetOperationOptions>> searchOptions = GetOperationOptions.fromRestOptions(options, include,
-                    exclude, resolveNames, DefinitionProcessingOption.ONLY_IF_EXISTS, prismContext);
-
-            List<PrismObject<T>> objects = modelService.searchObjects(clazz, null, searchOptions, task, parentResult);
-            ObjectListType listType = new ObjectListType();
-            for (PrismObject<T> object : objects) {
-                listType.getObject().add(object.asObjectable());
-            }
-
-            response = RestServiceUtil.createResponse(Response.Status.OK, listType, parentResult, true);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        parentResult.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    // currently unused; but potentially useful in future
-    @SuppressWarnings("unused")
-    private void validateIfRequested(PrismObject<?> object,
-            List<String> options, ResponseBuilder builder, Task task,
-            OperationResult parentResult) {
-        if (options != null && options.contains(VALIDATE) && object.asObjectable() instanceof ResourceType) {
-            ValidationResult validationResult = resourceValidator
-                    .validate((PrismObject<ResourceType>) object, Scope.THOROUGH, null, task, parentResult);
-            builder.entity(validationResult.toValidationResultType());            // TODO move to parentResult, and return the result!
-        }
-    }
-
-    @PUT
-    @Path("/{type}/{id}")
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public <T extends ObjectType> Response addObject(@PathParam("type") String type, @PathParam("id") String id,
-            PrismObject<T> object, @QueryParam("options") List<String> options, @Context UriInfo uriInfo,
-            @Context Request request, @Context MessageContext mc) {
-
-        LOGGER.debug("model rest service for add operation start");
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_ADD_OBJECT);
-
-        Class<?> clazz = ObjectTypes.getClassFromRestType(type);
-        if (!object.getCompileTimeClass().equals(clazz)) {
-            finishRequest(task, mc.getHttpServletRequest());
-            parentResult.recordFatalError("Request to add object of type "
-                    + object.getCompileTimeClass().getSimpleName()
-                    + " to the collection of " + type);
-            return RestServiceUtil.createErrorResponseBuilder(Status.BAD_REQUEST, parentResult).build();
-        }
-
-        ModelExecuteOptions modelExecuteOptions = ModelExecuteOptions.fromRestOptions(options);
-        if (modelExecuteOptions == null) {
-            modelExecuteOptions = ModelExecuteOptions.createOverwrite();
-        } else if (!ModelExecuteOptions.isOverwrite(modelExecuteOptions)) {
-            modelExecuteOptions.setOverwrite(Boolean.TRUE);
-        }
-
-        String oid;
-        Response response;
-        try {
-            oid = model.addObject(object, modelExecuteOptions, task, parentResult);
-            LOGGER.debug("returned oid : {}", oid);
-
-            URI resourceURI = uriInfo.getAbsolutePathBuilder().path(oid).build(oid);
-            response = clazz.isAssignableFrom(TaskType.class) ?
-                    RestServiceUtil.createResponse(Response.Status.ACCEPTED, resourceURI, parentResult) : RestServiceUtil.createResponse(Response.Status.CREATED, resourceURI, parentResult);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-        parentResult.computeStatus();
-
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @DELETE
-    @Path("/{type}/{id}")
-    public Response deleteObject(@PathParam("type") String type, @PathParam("id") String id,
-            @QueryParam("options") List<String> options, @Context MessageContext mc) {
-
-        LOGGER.debug("model rest service for delete operation start");
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_DELETE_OBJECT);
-
-        Class<? extends ObjectType> clazz = ObjectTypes.getClassFromRestType(type);
-        Response response;
-        try {
-            if (clazz.isAssignableFrom(TaskType.class)) {
-                taskService.suspendAndDeleteTask(id, WAIT_FOR_TASK_STOP, true, task, parentResult);
-                parentResult.computeStatus();
-                finishRequest(task, mc.getHttpServletRequest());
-                if (parentResult.isSuccess()) {
-                    return Response.noContent().build();
-                }
-                return Response.serverError().entity(parentResult.getMessage()).build();
-            }
-
-            ModelExecuteOptions modelExecuteOptions = ModelExecuteOptions.fromRestOptions(options);
-
-            model.deleteObject(clazz, id, modelExecuteOptions, task, parentResult);
-            response = RestServiceUtil.createResponse(Response.Status.NO_CONTENT, parentResult);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        parentResult.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @POST
-    @Path("/{type}/{oid}")
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response modifyObjectPost(@PathParam("type") String type, @PathParam("oid") String oid,
-            ObjectModificationType modificationType, @QueryParam("options") List<String> options, @Context MessageContext mc) {
-        return modifyObjectPatch(type, oid, modificationType, options, mc);
-    }
-
-    @PATCH
-    @Path("/{type}/{oid}")
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response modifyObjectPatch(@PathParam("type") String type, @PathParam("oid") String oid,
-            ObjectModificationType modificationType, @QueryParam("options") List<String> options, @Context MessageContext mc) {
-
-        LOGGER.debug("model rest service for modify operation start");
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_MODIFY_OBJECT);
-
-        Class<? extends ObjectType> clazz = ObjectTypes.getClassFromRestType(type);
-        Response response;
-        try {
-            ModelExecuteOptions modelExecuteOptions = ModelExecuteOptions.fromRestOptions(options);
-            Collection<? extends ItemDelta> modifications = DeltaConvertor.toModifications(modificationType, clazz, prismContext);
-            model.modifyObject(clazz, oid, modifications, modelExecuteOptions, task, parentResult);
-            response = RestServiceUtil.createResponse(Response.Status.NO_CONTENT, parentResult);
-        } catch (Exception ex) {
-            parentResult.recordFatalError("Could not modify object. " + ex.getMessage(), ex);
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        parentResult.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @POST
-    @Path("/notifyChange")
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response notifyChange(ResourceObjectShadowChangeDescriptionType changeDescription,
-            @Context UriInfo uriInfo, @Context MessageContext mc) {
-        LOGGER.debug("model rest service for notify change operation start");
-        Validate.notNull(changeDescription, "Chnage description must not be null");
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_NOTIFY_CHANGE);
-
-        Response response;
-        try {
-            modelService.notifyChange(changeDescription, task, parentResult);
-            response = RestServiceUtil.createResponse(Response.Status.OK, parentResult);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        parentResult.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @GET
-    @Path("/shadows/{oid}/owner")
-    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response findShadowOwner(@PathParam("oid") String shadowOid, @Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_FIND_SHADOW_OWNER);
-
-        Response response;
-        try {
-            PrismObject<? extends FocusType> focus = modelService.searchShadowOwner(shadowOid, null, task, parentResult);
-            response = RestServiceUtil.createResponse(Response.Status.OK, focus, parentResult);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        parentResult.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @POST
-    @Path("/shadows/{oid}/import")
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response importShadow(@PathParam("oid") String shadowOid, @Context MessageContext mc, @Context UriInfo uriInfo) {
-        LOGGER.debug("model rest service for import shadow from resource operation start");
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_IMPORT_SHADOW_FROM_RESOURCE);
-
-        Response response;
-        try {
-            modelService.importFromResource(shadowOid, task, parentResult);
-
-            response = RestServiceUtil.createResponse(Response.Status.OK, parentResult, parentResult);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        parentResult.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @POST
-    @Path("/{type}/search")
-    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response searchObjects(@PathParam("type") String type, QueryType queryType,
-            @QueryParam("options") List<String> options,
-            @QueryParam("include") List<String> include,
-            @QueryParam("exclude") List<String> exclude,
-            @QueryParam("resolveNames") List<String> resolveNames,
-            @Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_SEARCH_OBJECTS);
-
-        Class<? extends ObjectType> clazz = ObjectTypes.getClassFromRestType(type);
-        Response response;
-        try {
-            ObjectQuery query = prismContext.getQueryConverter().createObjectQuery(clazz, queryType);
-            Collection<SelectorOptions<GetOperationOptions>> searchOptions = GetOperationOptions.fromRestOptions(options, include,
-                    exclude, resolveNames, DefinitionProcessingOption.ONLY_IF_EXISTS, prismContext);
-            List<? extends PrismObject<? extends ObjectType>> objects =
-                    model.searchObjects(clazz, query, searchOptions, task, parentResult);
-
-            ObjectListType listType = new ObjectListType();
-            for (PrismObject<? extends ObjectType> o : objects) {
-                removeExcludes(o, exclude);        // temporary measure until fixed in repo
-                listType.getObject().add(o.asObjectable());
-            }
-
-            response = RestServiceUtil.createResponse(Response.Status.OK, listType, parentResult, true);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        parentResult.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    private void removeExcludes(PrismObject<? extends ObjectType> object, List<String> exclude) throws SchemaException {
-        object.getValue().removePaths(ItemPathCollectionsUtil.pathListFromStrings(exclude, prismContext));
-    }
-
-    @POST
-    @Path("/resources/{resourceOid}/import/{objectClass}")
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response importFromResource(@PathParam("resourceOid") String resourceOid, @PathParam("objectClass") String objectClass,
-            @Context MessageContext mc, @Context UriInfo uriInfo) {
-        LOGGER.debug("model rest service for import from resource operation start");
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_IMPORT_FROM_RESOURCE);
-
-        QName objClass = new QName(MidPointConstants.NS_RI, objectClass);
-        Response response;
-        try {
-            modelService.importFromResource(resourceOid, objClass, task, parentResult);
-            response = RestServiceUtil.createResponse(
-                    Response.Status.SEE_OTHER,
-                    uriInfo.getBaseUriBuilder().path(this.getClass(), "getObject")
-                            .build(ObjectTypes.TASK.getRestType(), task.getOid()),
-                    parentResult);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        parentResult.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @POST
-    @Path("/resources/{resourceOid}/test")
-    public Response testResource(@PathParam("resourceOid") String resourceOid, @Context MessageContext mc) {
-        LOGGER.debug("model rest service for test resource operation start");
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_TEST_RESOURCE);
-
-        Response response;
-        OperationResult testResult = null;
-        try {
-            testResult = modelService.testResource(resourceOid, task);
-            response = RestServiceUtil.createResponse(Response.Status.OK, testResult, parentResult);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        if (testResult != null) {
-            parentResult.getSubresults().add(testResult);
-        }
-
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @POST
-    @Path("/tasks/{oid}/suspend")
-    public Response suspendTask(@PathParam("oid") String taskOid, @Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_SUSPEND_TASK);
-
-        Response response;
-        try {
-            taskService.suspendTask(taskOid, WAIT_FOR_TASK_STOP, task, parentResult);
-            parentResult.computeStatus();
-            response = RestServiceUtil.createResponse(Response.Status.NO_CONTENT, task, parentResult);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @POST
-    @Path("/tasks/{oid}/resume")
-    public Response resumeTask(@PathParam("oid") String taskOid, @Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_RESUME_TASK);
-
-        Response response;
-        try {
-            taskService.resumeTask(taskOid, task, parentResult);
-            parentResult.computeStatus();
-            response = RestServiceUtil.createResponse(Response.Status.ACCEPTED, parentResult);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @POST
-    @Path("tasks/{oid}/run")
-    public Response scheduleTaskNow(@PathParam("oid") String taskOid, @Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult parentResult = task.getResult().createSubresult(OPERATION_SCHEDULE_TASK_NOW);
-
-        Response response;
-        try {
-            taskService.scheduleTaskNow(taskOid, task, parentResult);
-            parentResult.computeStatus();
-            response = RestServiceUtil.createResponse(Response.Status.NO_CONTENT, parentResult);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(parentResult, ex);
-        }
-
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    public static class ExecuteScriptConverter implements ConverterInterface {
-        public ExecuteScriptType convert(@NotNull Object input) {
-            if (input instanceof ExecuteScriptType) {
-                return (ExecuteScriptType) input;
-            } else if (input instanceof ScriptingExpressionType) {
-                return ScriptingBeansUtil.createExecuteScriptCommand((ScriptingExpressionType) input);
-            } else {
-                throw new IllegalArgumentException("Wrong input value: " + input);
-            }
-        }
-    }
-
-    @POST
-    @Path("/rpc/executeScript")
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response executeScript(@Converter(ExecuteScriptConverter.class) ExecuteScriptType command,
-            @QueryParam("asynchronous") Boolean asynchronous, @Context UriInfo uriInfo, @Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult result = task.getResult().createSubresult(OPERATION_EXECUTE_SCRIPT);
-
-        Response response;
-        try {
-            if (Boolean.TRUE.equals(asynchronous)) {
-                scriptingService.evaluateExpressionInBackground(command, task, result);
-                URI resourceUri = uriInfo.getAbsolutePathBuilder().path(task.getOid()).build(task.getOid());
-                response = RestServiceUtil.createResponse(Response.Status.CREATED, resourceUri, result);
-            } else {
-                ScriptExecutionResult executionResult = scriptingService.evaluateExpression(command, VariablesMap.emptyMap(),
-                        false, task, result);
-                ExecuteScriptResponseType responseData = new ExecuteScriptResponseType()
-                        .result(result.createOperationResultType())
-                        .output(new ExecuteScriptOutputType()
-                                .consoleOutput(executionResult.getConsoleOutput())
-                                .dataOutput(PipelineData.prepareXmlData(executionResult.getDataOutput(), command.getOptions())));
-                response = RestServiceUtil.createResponse(Response.Status.OK, responseData, result);
-            }
-        } catch (Exception ex) {
-            LoggingUtils.logUnexpectedException(LOGGER, "Couldn't execute script.", ex);
-            response = RestServiceUtil.handleExceptionNoLog(result, ex);
-        }
-        result.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @POST
-    @Path("/rpc/compare")
-    @Consumes({ "application/xml" })
-    public <T extends ObjectType> Response compare(PrismObject<T> clientObject,
-            @QueryParam("readOptions") List<String> restReadOptions,
-            @QueryParam("compareOptions") List<String> restCompareOptions,
-            @QueryParam("ignoreItems") List<String> restIgnoreItems,
-            @Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult result = task.getResult().createSubresult(OPERATION_COMPARE);
-
-        Response response;
-        try {
-            List<ItemPath> ignoreItemPaths = ItemPathCollectionsUtil.pathListFromStrings(restIgnoreItems, prismContext);
-            final GetOperationOptions getOpOptions = GetOperationOptions.fromRestOptions(restReadOptions, DefinitionProcessingOption.ONLY_IF_EXISTS);
-            Collection<SelectorOptions<GetOperationOptions>> readOptions =
-                    getOpOptions != null ? SelectorOptions.createCollection(getOpOptions) : null;
-            ModelCompareOptions compareOptions = ModelCompareOptions.fromRestOptions(restCompareOptions);
-            CompareResultType compareResult = modelService.compareObject(clientObject, readOptions, compareOptions, ignoreItemPaths, task, result);
-
-            response = RestServiceUtil.createResponse(Response.Status.OK, compareResult, result);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(result, ex);
-        }
-
-        result.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @GET
-    @Path("/log/size")
-    @Produces({ "text/plain" })
-    public Response getLogFileSize(@Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult result = task.getResult().createSubresult(OPERATION_GET_LOG_FILE_SIZE);
-
-        Response response;
-        try {
-            long size = modelDiagnosticService.getLogFileSize(task, result);
-
-            response = RestServiceUtil.createResponse(Response.Status.OK, String.valueOf(size), result);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(result, ex);
-        }
-
-        result.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @GET
-    @Path("/log")
-    @Produces({ "text/plain" })
-    public Response getLog(@QueryParam("fromPosition") Long fromPosition, @QueryParam("maxSize") Long maxSize, @Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult result = task.getResult().createSubresult(OPERATION_GET_LOG_FILE_CONTENT);
-
-        Response response;
-        try {
-            LogFileContentType content = modelDiagnosticService.getLogFileContent(fromPosition, maxSize, task, result);
-
-            ResponseBuilder builder = Response.ok();
-            builder.entity(content.getContent());
-            builder.header("ReturnedDataPosition", content.getAt());
-            builder.header("ReturnedDataComplete", content.isComplete());
-            builder.header("CurrentLogFileSize", content.getLogFileSize());
-
-            response = builder.build();
-
-        } catch (Exception ex) {
-            LoggingUtils.logUnexpectedException(LOGGER, "Cannot get log file content: fromPosition={}, maxSize={}", ex, fromPosition, maxSize);
-            response = RestServiceUtil.handleExceptionNoLog(result, ex);
-        }
-
-        result.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @POST
-    @Path("/users/{oid}/credential")
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, RestServiceUtil.APPLICATION_YAML })
-    public Response executeCredentialReset(@PathParam("oid") String oid, ExecuteCredentialResetRequestType executeCredentialResetRequest, @Context MessageContext mc) {
-        Task task = initRequest(mc);
-        OperationResult result = task.getResult().createSubresult(OPERATION_EXECUTE_CREDENTIAL_RESET);
-
-        Response response;
-        try {
-            PrismObject<UserType> user = modelService.getObject(UserType.class, oid, null, task, result);
-
-            ExecuteCredentialResetResponseType executeCredentialResetResponse = modelInteraction.executeCredentialsReset(user, executeCredentialResetRequest, task, result);
-            response = RestServiceUtil.createResponse(Response.Status.OK, executeCredentialResetResponse, result);
-        } catch (Exception ex) {
-            response = RestServiceUtil.handleException(result, ex);
-        }
-
-        result.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-
-    }
-
-    @GET
-    @Path("/threads")
-    @Produces({ "text/plain" })
-    public Response getThreadsDump(@Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult result = task.getResult().createSubresult(OPERATION_GET_THREADS_DUMP);
-
-        Response response;
-        try {
-            String dump = taskService.getThreadsDump(task, result);
-            response = Response.ok(dump).build();
-        } catch (Exception ex) {
-            LoggingUtils.logUnexpectedException(LOGGER, "Cannot get threads dump", ex);
-            response = RestServiceUtil.handleExceptionNoLog(result, ex);
-        }
-        result.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @GET
-    @Path("/tasks/threads")
-    @Produces({ "text/plain" })
-    public Response getRunningTasksThreadsDump(@Context MessageContext mc) {
-
-        Task task = initRequest(mc);
-        OperationResult result = task.getResult().createSubresult(OPERATION_GET_RUNNING_TASKS_THREADS_DUMP);
-
-        Response response;
-        try {
-            String dump = taskService.getRunningTasksThreadsDump(task, result);
-            response = Response.ok(dump).build();
-        } catch (Exception ex) {
-            LoggingUtils.logUnexpectedException(LOGGER, "Cannot get running tasks threads dump", ex);
-            response = RestServiceUtil.handleExceptionNoLog(result, ex);
-        }
-        result.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    @GET
-    @Path("/tasks/{oid}/threads")
-    @Produces({ "text/plain" })
-    public Response getTaskThreadsDump(@PathParam("oid") String oid, @Context MessageContext mc) {
-        Task task = initRequest(mc);
-        OperationResult result = task.getResult().createSubresult(OPERATION_GET_TASK_THREADS_DUMP);
-
-        Response response;
-        try {
-            String dump = taskService.getTaskThreadsDump(oid, task, result);
-            response = Response.ok(dump).build();
-        } catch (Exception ex) {
-            LoggingUtils.logUnexpectedException(LOGGER, "Cannot get task threads dump for task " + oid, ex);
-            response = RestServiceUtil.handleExceptionNoLog(result, ex);
-        }
-        result.computeStatus();
-        finishRequest(task, mc.getHttpServletRequest());
-        return response;
-    }
-
-    private void finishRequest(Task task, HttpServletRequest request) {
-        if (isExperimentalEnabled()) {
-            auditEvent(request);
-            SecurityContextHolder.getContext().setAuthentication(null);
-        } else {
-            RestServiceUtil.finishRequest(task, securityHelper);
-        }
-    }
-
-    private Task initRequest(MessageContext mc) {
-        if (isExperimentalEnabled()) {
-            return RestServiceUtil.initRequest(taskManager);
-        } else {
-            return RestServiceUtil.initRequest(mc);
-        }
-    }
-
-    private boolean isExperimentalEnabled() {
-        boolean isExperimentalEnabled = false;
-        try {
-            isExperimentalEnabled = SystemConfigurationTypeUtil.isExperimentalCodeEnabled(
-                    systemObjectCache.getSystemConfiguration(new OperationResult("Load System Config")).asObjectable());
-        } catch (SchemaException e) {
-            LOGGER.error("Couldn't load system configuration", e);
-        }
-        return isExperimentalEnabled;
-    }
-
-    public void auditEvent(HttpServletRequest request) {
-        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-        Object principal = authentication.getPrincipal();
-        String name = null;
-        if (principal instanceof MidPointPrincipal) {
-            name = ((MidPointPrincipal) principal).getUsername();
-        } else if (principal != null) {
-            return;
-        }
-        PrismObject<? extends FocusType> user = principal != null ? ((MidPointPrincipal) principal).getFocus().asPrismObject() : null;
-
-        Task task = taskManager.createTaskInstance();
-        task.setOwner(user);
-        task.setChannel(SchemaConstants.CHANNEL_REST_URI);
-
-        AuditEventRecord record = new AuditEventRecord(AuditEventType.TERMINATE_SESSION, AuditEventStage.REQUEST);
-        record.setInitiator(user);
-        record.setParameter(name);
-
-        record.setChannel(SchemaConstants.CHANNEL_REST_URI);
-        record.setTimestamp(System.currentTimeMillis());
-        record.setOutcome(OperationResultStatus.SUCCESS);
-
-        // probably not needed, as audit service would take care of it; but it doesn't hurt so let's keep it here
-        record.setHostIdentifier(request.getLocalName());
-        record.setRemoteHostAddress(request.getLocalAddr());
-        record.setNodeIdentifier(taskManager.getNodeId());
-        record.setSessionIdentifier(request.getRequestedSessionId());
-
-        auditService.audit(record, task);
-    }
-}
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/LoggingFeature.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/LoggingFeature.java
deleted file mode 100644
index a61e4742378..00000000000
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/util/LoggingFeature.java
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (c) 2010-2017 Evolveum and contributors
- *
- * This work is dual-licensed under the Apache License 2.0
- * and European Union Public License. See LICENSE file for details.
- */
-
-package com.evolveum.midpoint.model.impl.util;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.feature.AbstractFeature;
-import org.apache.cxf.interceptor.AbstractLoggingInterceptor;
-import org.apache.cxf.interceptor.InterceptorProvider;
-
-import java.util.logging.Level;
-import java.util.logging.LogRecord;
-import java.util.logging.Logger;
-
-/**
- * Created by Viliam Repan (lazyman).
- */
-public class LoggingFeature extends AbstractFeature {
-
-    public static final String MESSAGE_LOGGER = "org.apache.cxf.services.midpoint";
-
-    private static final Logger LOG = Logger.getLogger(MESSAGE_LOGGER);
-
-    private static final LoggingInInterceptor IN = new LoggingInInterceptor(AbstractLoggingInterceptor.DEFAULT_LIMIT);
-
-    private static final LoggingOutInterceptor OUT = new LoggingOutInterceptor(AbstractLoggingInterceptor.DEFAULT_LIMIT);
-
-    @Override
-    protected void initializeProvider(InterceptorProvider provider, Bus bus) {
-        provider.getInInterceptors().add(IN);
-        provider.getInFaultInterceptors().add(IN);
-        provider.getOutInterceptors().add(OUT);
-        provider.getOutFaultInterceptors().add(OUT);
-    }
-
-    private static void logMessage(Logger logger, String message) {
-        if (!logger.isLoggable(Level.FINE)) {
-            return;
-        }
-
-        LogRecord lr = new LogRecord(Level.FINE, message);
-        lr.setSourceClassName(logger.getName());
-        lr.setSourceMethodName(null);
-        lr.setLoggerName(logger.getName());
-        logger.log(lr);
-    }
-
-    public static class LoggingInInterceptor extends org.apache.cxf.interceptor.LoggingInInterceptor {
-
-        public LoggingInInterceptor(int lim) {
-            super(lim);
-        }
-
-        @Override
-        protected void log(Logger logger, String message) {
-            logMessage(logger, message);
-        }
-
-        @Override
-        protected Logger getLogger() {
-            return LOG;
-        }
-    }
-
-    public static class LoggingOutInterceptor extends org.apache.cxf.interceptor.LoggingOutInterceptor {
-
-        public LoggingOutInterceptor(int lim) {
-            super(lim);
-        }
-
-        @Override
-        protected void log(Logger logger, String message) {
-            logMessage(logger, message);
-        }
-
-        @Override
-        protected Logger getLogger() {
-            return LOG;
-        }
-    }
-}

From cde4196471b88ed2aa5aaa9298a8330d7e9b5729 Mon Sep 17 00:00:00 2001
From: Richard Richter <richard.richter@evolveum.com>
Date: Fri, 22 May 2020 14:37:38 +0200
Subject: [PATCH 10/13] RestAuthenticationChannel.java: cleanup/reformat

---
 .../channel/RestAuthenticationChannel.java    | 33 -------------------
 1 file changed, 33 deletions(-)

diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/channel/RestAuthenticationChannel.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/channel/RestAuthenticationChannel.java
index 0451dc59011..acf5d6ebe5f 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/channel/RestAuthenticationChannel.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/channel/RestAuthenticationChannel.java
@@ -7,24 +7,13 @@
 package com.evolveum.midpoint.web.security.channel;
 
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
-import com.evolveum.midpoint.security.api.Authorization;
-import com.evolveum.midpoint.security.api.AuthorizationConstants;
-import com.evolveum.midpoint.web.page.forgetpassword.PageResetPassword;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceChannelType;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
-
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
 
 /**
  * @author skublik
  */
-
 public class RestAuthenticationChannel extends AuthenticationChannelImpl {
 
-
     public RestAuthenticationChannel(AuthenticationSequenceChannelType channel) {
         super(channel);
     }
@@ -36,26 +25,4 @@ public String getChannelId() {
     public String getPathAfterSuccessfulAuthentication() {
         return "/ws/rest/self";
     }
-
-//    public Collection<Authorization> resolveAuthorities(Collection<Authorization> authorities) {
-//        ArrayList<Authorization> newAuthorities = new ArrayList<Authorization>();
-//        for (GrantedAuthority authority : authorities) {
-//            List<String> authoritiesString = new ArrayList<String>();
-//                Authorization clone = ((Authorization) authority).clone();
-//                authoritiesString = clone.getAction();
-//                List<String> newAction = new ArrayList<String>();
-//                for (String authorityString : authoritiesString) {
-//                    if (authorityString.startsWith(AuthorizationConstants.NS_AUTHORIZATION_REST)
-//                    || authorityString.equals(AuthorizationConstants.AUTZ_ALL_URL)) {
-//                        newAction.add(authorityString);
-//                    }
-//                }
-//                if (!newAction.isEmpty()) {
-//                    clone.getAction().clear();
-//                    clone.getAction().addAll(newAction);
-//                    newAuthorities.add(clone);
-//                }
-//        }
-//        return newAuthorities;
-//    }
 }

From cf709057b6f68b08d30978a267482a21114a3d39 Mon Sep 17 00:00:00 2001
From: Richard Richter <richard.richter@evolveum.com>
Date: Fri, 22 May 2020 14:38:06 +0200
Subject: [PATCH 11/13] model-test/ctx-model-test.xml: cleanup + reformat

---
 .../src/main/resources/ctx-model-test.xml     | 27 +++++--------------
 1 file changed, 7 insertions(+), 20 deletions(-)

diff --git a/model/model-test/src/main/resources/ctx-model-test.xml b/model/model-test/src/main/resources/ctx-model-test.xml
index 165ce87603c..86c16f0dc4f 100644
--- a/model/model-test/src/main/resources/ctx-model-test.xml
+++ b/model/model-test/src/main/resources/ctx-model-test.xml
@@ -8,26 +8,13 @@
   -->
 
 <beans xmlns="http://www.springframework.org/schema/beans"
-       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xmlns:context="http://www.springframework.org/schema/context"
-       xmlns:jaxws="http://cxf.apache.org/jaxws"
-       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
-       xmlns:util="http://www.springframework.org/schema/util"
-       xmlns:ssec="http://cxf.apache.org/spring-security"
-       xsi:schemaLocation="http://www.springframework.org/schema/beans
-     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-     http://www.springframework.org/schema/context
-     http://www.springframework.org/schema/context/spring-context-3.0.xsd
-     http://www.springframework.org/schema/util
-     http://www.springframework.org/schema/util/spring-util-3.0.xsd
-     http://cxf.apache.org/jaxws
-     http://cxf.apache.org/schemas/jaxws.xsd
-     http://cxf.apache.org/jaxrs
-     http://cxf.apache.org/schemas/jaxrs.xsd
-     http://cxf.apache.org/spring-security
-     http://cxf-spring-security.googlecode.com/svn/trunk/cxf-spring-security/src/main/resources/schemas/spring-security.xsd"
-       default-lazy-init="false"
-       default-autowire="byName">
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns:context="http://www.springframework.org/schema/context"
+        xsi:schemaLocation="http://www.springframework.org/schema/beans
+            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+            http://www.springframework.org/schema/context
+            http://www.springframework.org/schema/context/spring-context-3.0.xsd"
+        default-lazy-init="false">
 
     <!-- enabling annotation driven configuration -->
     <context:annotation-config/>

From a2f7c0cf5881103092b45f35dd2f632d6faf1058 Mon Sep 17 00:00:00 2001
From: Richard Richter <richard.richter@evolveum.com>
Date: Fri, 22 May 2020 17:04:10 +0200
Subject: [PATCH 12/13] MidpointXmlHttpMessageConverter: added
 application/*+xml support

---
 .../midpoint/rest/impl/MidpointXmlHttpMessageConverter.java     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/MidpointXmlHttpMessageConverter.java b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/MidpointXmlHttpMessageConverter.java
index 885ccda9d52..6d7d8836842 100644
--- a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/MidpointXmlHttpMessageConverter.java
+++ b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/MidpointXmlHttpMessageConverter.java
@@ -19,7 +19,7 @@
 public class MidpointXmlHttpMessageConverter extends MidpointAbstractHttpMessageConverter<Object> {
 
     public static final MediaType[] MEDIA_TYPES = {
-            MediaType.APPLICATION_XML, MediaType.TEXT_XML
+            MediaType.APPLICATION_XML, MediaType.TEXT_XML, MediaType.valueOf("application/*+xml")
     };
 
     protected MidpointXmlHttpMessageConverter(

From 8aa69168ac3b439beacd68763376d0504909ed79 Mon Sep 17 00:00:00 2001
From: Richard Richter <richard.richter@evolveum.com>
Date: Fri, 22 May 2020 17:04:48 +0200
Subject: [PATCH 13/13] MidpointYamlHttpMessageConverter: fixes of *+yaml media
 types

---
 .../midpoint/rest/impl/MidpointYamlHttpMessageConverter.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/MidpointYamlHttpMessageConverter.java b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/MidpointYamlHttpMessageConverter.java
index 6ee1b581368..a0481c5c86c 100644
--- a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/MidpointYamlHttpMessageConverter.java
+++ b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/MidpointYamlHttpMessageConverter.java
@@ -21,7 +21,7 @@ public class MidpointYamlHttpMessageConverter extends MidpointAbstractHttpMessag
     public static final MediaType[] MEDIA_TYPES = {
             MediaType.valueOf("application/yaml"), MediaType.valueOf("text/yaml"),
             MediaType.valueOf("application/yml"), MediaType.valueOf("text/yml"),
-            MediaType.valueOf("application/*-yaml"), MediaType.valueOf("text/*-yaml"),
+            MediaType.valueOf("application/*+yaml"), MediaType.valueOf("text/*+yaml"),
             MediaType.valueOf("application/*.yaml"), MediaType.valueOf("text/*.yaml")
     };