diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/application/DescriptorLoader.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/application/DescriptorLoader.java
index 46349bef831..72eeca108d2 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/application/DescriptorLoader.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/application/DescriptorLoader.java
@@ -185,11 +185,28 @@ private void scanPackagesForPages(List packages, MidPointApplication app
 private void loadActions(PageDescriptor descriptor) {
 for (String url : descriptor.url()) {
 List actions = new ArrayList<>();
+
+ //avoid of setting guiAll authz for "public" pages (e.g. login page)
+ if (descriptor.action() == null || descriptor.action().length == 0){
+ return;
+ }
+
+ boolean canAccess = true;
+
 for (AuthorizationAction action : descriptor.action()) {
 actions.add(new AuthorizationActionValue(action.actionUri(), action.label(), action.description()));
+ if (AuthorizationConstants.AUTZ_NO_ACCESS_URL.equals(action.actionUri())){
+ canAccess = false;
+ break;
+ }
 }
- actions.add(new AuthorizationActionValue(AuthorizationConstants.AUTZ_GUI_ALL_URI,
+
+ //add http://.../..#guAll authorization only for displayable pages, not for pages used for development..
+ if (canAccess){
+
+ actions.add(new AuthorizationActionValue(AuthorizationConstants.AUTZ_GUI_ALL_URI,
 AuthorizationConstants.AUTZ_GUI_ALL_LABEL, AuthorizationConstants.AUTZ_GUI_ALL_DESCRIPTION));
+ }
 this.actions.put(url, actions.toArray(new DisplayableValue[actions.size()]));
 }
 }
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest.java
index cc0e429e592..6bfced82ed7 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest.java
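Review bot: The added guard `if (descriptor.action() == null || descriptor.action().length == 0){ return; }` sits inside the `for (String url : descriptor.url())` loop but uses `return`, which leaves loadActions for all of the descriptor's urls, so none of them is written to `this.actions`; the condition does not depend on `url`, so hoist those three lines above the loop where that outcome is explicit instead of reading as an accidental early exit. How a url that is absent from `this.actions` is treated by whatever consumes the map is outside this hunk, so a comment such as `// action-less (public) pages are deliberately not registered here` would record that the omission is intended. The `break` after matching `AUTZ_NO_ACCESS_URL` also stops collecting the remaining actions of that page, which is harmless only because such a page is denied anyway, and deserves a word in the same comment. `#guAll` in the second added comment looks like a typo for the guiAll authorization added right below it.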
@@ -31,7 +31,7 @@
 /**
 * @author lazyman
 */
-@PageDescriptor(url = "/admin/test", action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DEVEL_URL)})
+@PageDescriptor(url = "/admin/test", action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_NO_ACCESS_URL)})
 public class PageTest extends PageBase {
 public PageTest() {
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest2.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest2.java
index 001b17a520d..ab06869a7a7 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest2.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest2.java
@@ -33,7 +33,7 @@
 *
 * @author shood
 */
-@PageDescriptor(url = "/capability", action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DEVEL_URL)})
+@PageDescriptor(url = "/capability", action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_NO_ACCESS_URL)})
 public class PageTest2 extends PageBase {
 private static final String ID_CAPABILITY = "capability";
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageBulkAction.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageBulkAction.java
index 29009292c83..cc0f6c18588 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageBulkAction.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageBulkAction.java
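Review bot: Replacing `AUTZ_DEVEL_URL` with `AUTZ_NO_ACCESS_URL` on PageTest makes the page unreachable for every principal — the SecurityEnforcerImpl hunk in this commit returns false for that URL before any authorization is evaluated — while the class and its `/admin/test` mount presumably stay registered; the same applies to the PageTest2, PageBulkAction, PageResourceWizard, PageContentEntitlements and PageFindUsers hunks. If these pages are dead, deleting them or dropping the `@PageDescriptor` is less surface than a mounted-but-always-denied route. If they are kept on purpose for development, a one-line comment on the annotation such as `// intentionally unreachable: see AUTZ_NO_ACCESS_URL handling in SecurityEnforcerImpl` would spare the next reader the archaeology.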
@@ -37,7 +37,7 @@
 // label = PageAdminConfiguration.AUTH_CONFIGURATION_ALL_LABEL, description = PageAdminConfiguration.AUTH_CONFIGURATION_ALL_DESCRIPTION),
 // @AuthorizationAction(actionUri = AuthorizationConstants.NS_AUTHORIZATION + "#bulkAction",
 // label = "PageBulkAction.auth.bulkAction.label", description = "PageBulkAction.auth.bulkAction.description")
- @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DEVEL_URL)
+ @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_NO_ACCESS_URL)
 })
 public class PageBulkAction extends PageAdminConfiguration {
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResourceWizard.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResourceWizard.java
index 3d687977d41..e919d7da8dd 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResourceWizard.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResourceWizard.java
@@ -44,7 +44,7 @@
 // PageAdminResources.AUTHORIZATION_RESOURCE_ALL,
 // AuthorizationConstants.NS_AUTHORIZATION + "#resourceWizard"})
 @PageDescriptor(url = "/admin/resources/wizard",
- action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DEVEL_URL)})
+ action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_NO_ACCESS_URL)})
 public class PageResourceWizard extends PageAdminResources {
 private static final String ID_WIZARD = "wizard";
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/content/PageContentEntitlements.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/content/PageContentEntitlements.java
index 41ac3fdd714..24c4af07f82 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/content/PageContentEntitlements.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/content/PageContentEntitlements.java
@@ -35,7 +35,7 @@
 * @author lazyman
 */
 @PageDescriptor(url = "/admin/resources/content/entitlements", encoder = OnePageParameterEncoder.class, action = {
- @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DEVEL_URL)})
+ @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_NO_ACCESS_URL)})
 public class PageContentEntitlements extends PageAdminResources {
 private IModel> resourceModel;
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/PageFindUsers.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/PageFindUsers.java
index 763508c785e..124a2a63be8 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/PageFindUsers.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/PageFindUsers.java
@@ -25,7 +25,7 @@
 /**
 * @author lazyman
 */
-@PageDescriptor(url = "/admin/users/find", action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DEVEL_URL)})
+@PageDescriptor(url = "/admin/users/find", action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_NO_ACCESS_URL)})
 public class PageFindUsers extends PageAdminUsers {
 private static final Trace LOGGER = TraceManager.getTrace(PageFindUsers.class);
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/PageLogin.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/PageLogin.java
index 4b2327a88fd..65b5552493a 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/PageLogin.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/PageLogin.java
@@ -16,12 +16,15 @@ package com.evolveum.midpoint.web.page.login;
+import com.evolveum.midpoint.security.api.AuthorizationConstants;
+import com.evolveum.midpoint.web.application.AuthorizationAction;
 import com.evolveum.midpoint.web.application.PageDescriptor;
 import com.evolveum.midpoint.web.component.menu.top.LocalePanel;
 import com.evolveum.midpoint.web.component.menu.top.TopMenuBar;
 import com.evolveum.midpoint.web.page.PageBase;
 import com.evolveum.midpoint.web.page.admin.home.PageDashboard;
 import com.evolveum.midpoint.web.security.MidPointAuthWebSession;
+
 import org.apache.wicket.markup.html.form.Form;
 import org.apache.wicket.markup.html.form.PasswordTextField;
 import org.apache.wicket.markup.html.form.RequiredTextField;
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java
index a52fbfbe548..8485b3fe6a0 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java
@@ -118,7 +118,7 @@ public void decide(Authentication authentication, Object object, Collection - + +
@@ -54,7 +55,7 @@ http://www.springframework.org/schema/security/spring-security-3.1.xsd"> - +
diff --git a/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java b/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java
index cb50e815e39..fd97cddf9f3 100644
--- a/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java
+++ b/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java
@@ -36,8 +36,8 @@ public class AuthorizationConstants {
 public static final QName AUTZ_ALL_QNAME = new QName(NS_AUTHORIZATION, "all");
 public static final String AUTZ_ALL_URL = QNameUtil.qNameToUri(AUTZ_ALL_QNAME);
- public static final QName AUTZ_DEVEL_QNAME = new QName(NS_AUTHORIZATION, "devel");
- public static final String AUTZ_DEVEL_URL = NS_AUTHORIZATION + "#devel";
+// public static final QName AUTZ_DEVEL_QNAME = new QName(NS_AUTHORIZATION, "devel");
+ public static final String AUTZ_NO_ACCESS_URL = NS_AUTHORIZATION + "#noAccess";
 // public static final String AUTZ_DEVEL_URL = QNameUtil.qNameToUri(AUTZ_DEVEL_QNAME);
 public static final QName AUTZ_DENY_ALL_QNAME = new QName(NS_AUTHORIZATION, "denyAll");
diff --git a/repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java b/repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java
index 96cdf8e6bcf..715846f8b29 100644
--- a/repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java
+++ b/repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java
@@ -168,6 +168,11 @@ public boolean isAuthorized(String
 private boolean isAuthorizedInternal(MidPointPrincipal midPointPrincipal, String operationUrl, AuthorizationPhaseType phase, PrismObject object, ObjectDelta delta, PrismObject target, OwnerResolver ownerResolver) throws SchemaException {
+
+ if (AuthorizationConstants.AUTZ_NO_ACCESS_URL.equals(operationUrl)){
+ return false;
+ }
+
 if (phase == null) {
 throw new IllegalArgumentException("No phase");
 }
@@ -181,6 +186,7 @@ private boolean isAuthorizedInterna
 if (authority instanceof Authorization) {
 Authorization autz = (Authorization)authority;
 LOGGER.trace("Evaluating authorization {}", autz);
+ // First check if the authorization is applicable. // action
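Review bot: `AUTZ_NO_ACCESS_URL` is added without any documentation although its meaning is unusual — SecurityEnforcerImpl in this commit denies every operation carrying this URL unconditionally — so nothing in the constants file distinguishes it from a grantable action URI such as `AUTZ_ALL_URL`; add a Javadoc along the lines of `/** Marker action URI: the enforcer denies it for every principal, so a page declaring it is unreachable. Never grant it. */`. It also departs from the file's QName/URL pairing (`AUTZ_ALL_QNAME`/`AUTZ_ALL_URL`, `AUTZ_DENY_ALL_QNAME`) and is built by string concatenation rather than `QNameUtil.qNameToUri`; if callers rely on that pairing, a matching QName constant would keep the file consistent. Removing `AUTZ_DEVEL_URL` outright breaks anything outside this commit that still references it, and the newly commented-out `AUTZ_DEVEL_QNAME` next to the already commented `AUTZ_DEVEL_URL` line is dead code rather than a deprecation path.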
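Review bot: The new short-circuit in isAuthorizedInternal denies `AUTZ_NO_ACCESS_URL` without a trace, whereas the rest of the method logs each evaluated authorization (`LOGGER.trace("Evaluating authorization {}", autz)` in the next hunk), so an operator investigating a denial on one of the pages moved to noAccess in this commit has no log line explaining it. Add `LOGGER.trace("Operation {} is marked no-access, denying", operationUrl);` before the `return false;`. Placing the check ahead of the `phase == null` argument check is the fail-closed order you want, but a one-line comment stating that the ordering is intentional would keep a later refactor from moving it behind the phase handling. isAuthorizedInternal continues outside the hunk.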