merge

2014-07-23 15:10:36 -04:00 · 2014-07-23 15:10:36 -04:00 · eec582e704
commit eec582e704
parent f1d72d0b6d 38b575d91b
40 changed files with 911 additions and 1347 deletions
--- a/audit/jpa/src/main/java/org/keycloak/audit/jpa/EventEntity.java
+++ b/audit/jpa/src/main/java/org/keycloak/audit/jpa/EventEntity.java
@ -3,34 +3,44 @@ package org.keycloak.audit.jpa;
 import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.Id;
 import javax.persistence.Table;
 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
 */
@Entity
@Table(name="EVENT_ENTITY")
 public class EventEntity {
    @Id
-    @Column(length = 36)
+    @Column(name="ID", length = 36)
    private String id;
    @Column(name="TIME")
    private long time;
    @Column(name="EVENT")
    private String event;
    @Column(name="REALM_ID")
    private String realmId;
    @Column(name="CLIENT_ID")
    private String clientId;
    @Column(name="USER_ID")
    private String userId;
    @Column(name="SESSION_ID")
    private String sessionId;
    @Column(name="IP_ADDRESS")
    private String ipAddress;
    @Column(name="ERROR")
    private String error;
-    @Column(length = 2550)
+    @Column(name="DETAILS_JSON", length = 2550)
    private String detailsJson;
    public String getId() {
--- a/connections/jpa/src/main/resources/META-INF/persistence.xml
+++ b/connections/jpa/src/main/resources/META-INF/persistence.xml
@ -28,5 +28,9 @@
        <class>org.keycloak.audit.jpa.EventEntity</class>
        <exclude-unlisted-classes>true</exclude-unlisted-classes>
        <properties>
            <property name="jboss.as.jpa.managed" value="false"/>
        </properties>
    </persistence-unit>
 </persistence>
--- a/core/src/main/java/org/keycloak/representations/AccessCode.java
+++ b/core/src/main/java/org/keycloak/representations/AccessCode.java
@ -1,6 +1,5 @@
 package org.keycloak.representations;
 import java.util.HashSet;
 import java.util.Set;
 /**
@ -10,15 +9,18 @@ import java.util.Set;
 */
 public class AccessCode {
    protected String id;
    protected String clientId;
    protected String userId;
    protected String usernameUsed;
    protected String state;
    protected String sessionState;
    protected String redirectUri;
    protected boolean rememberMe;
    protected String authMethod;
    protected int timestamp;
    protected int expiration;
    protected AccessToken accessToken;
    protected Set<String> requiredActions;
    protected Set<String> requestedRoles;
    public String getId() {
        return id;
@ -28,6 +30,22 @@ public class AccessCode {
        this.id = id;
    }
    public String getClientId() {
        return clientId;
    }
    public void setClientId(String clientId) {
        this.clientId = clientId;
    }
    public String getUserId() {
        return userId;
    }
    public void setUserId(String userId) {
        this.userId = userId;
    }
    public String getState() {
        return state;
    }
@ -36,6 +54,14 @@ public class AccessCode {
        this.state = state;
    }
    public String getSessionState() {
        return sessionState;
    }
    public void setSessionState(String sessionState) {
        this.sessionState = sessionState;
    }
    public String getRedirectUri() {
        return redirectUri;
    }
@ -68,14 +94,6 @@ public class AccessCode {
        this.expiration = expiration;
    }
    public AccessToken getAccessToken() {
        return accessToken;
    }
    public void setAccessToken(AccessToken accessToken) {
        this.accessToken = accessToken;
    }
    public int getTimestamp() {
        return timestamp;
    }
@ -99,4 +117,12 @@ public class AccessCode {
    public void setUsernameUsed(String usernameUsed) {
        this.usernameUsed = usernameUsed;
    }
    public Set<String> getRequestedRoles() {
        return requestedRoles;
    }
    public void setRequestedRoles(Set<String> requestedRoles) {
        this.requestedRoles = requestedRoles;
    }
 }
--- a/dependencies/pom.xml
+++ b/dependencies/pom.xml
@ -0,0 +1,32 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <parent>
        <artifactId>keycloak-parent</artifactId>
        <groupId>org.keycloak</groupId>
        <version>1.0-beta-4-SNAPSHOT</version>
    </parent>
    <modelVersion>4.0.0</modelVersion>
    <artifactId>keycloak-dependencies-parent</artifactId>
    <packaging>pom</packaging>
    <name>Keycloak Dependencies Parent</name>
    <description/>
    <modules>
        <module>server-min</module>
        <module>server-all</module>
    </modules>
    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-deploy-plugin</artifactId>
                <configuration>
                    <skip>true</skip>
                </configuration>
            </plugin>
        </plugins>
    </build>
 </project>
--- a/dependencies/server-all/pom.xml
+++ b/dependencies/server-all/pom.xml
@ -0,0 +1,159 @@
 <?xml version="1.0"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 	<parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
 		<version>1.0-beta-4-SNAPSHOT</version>
 		<relativePath>../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>
 	<artifactId>keycloak-dependencies-server-all</artifactId>
    <packaging>pom</packaging>
    <name>Keycloak Dependencies Server All</name>
 	<description />
    <dependencies>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-dependencies-server-min</artifactId>
            <version>${project.version}</version>
            <type>pom</type>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-connections-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-sessions-mem</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-sessions-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-sessions-mongo</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-jboss-logging</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-email</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- social -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-github</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-google</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-twitter</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.twitter4j</groupId>
            <artifactId>twitter4j-core</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-facebook</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- authentication api -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-authentication-picketlink</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.picketlink</groupId>
            <artifactId>picketlink-common</artifactId>
        </dependency>
        <dependency>
            <groupId>org.picketlink</groupId>
            <artifactId>picketlink-idm-api</artifactId>
        </dependency>
        <dependency>
            <groupId>org.picketlink</groupId>
            <artifactId>picketlink-idm-impl</artifactId>
        </dependency>
        <dependency>
            <groupId>org.picketlink</groupId>
            <artifactId>picketlink-idm-simple-schema</artifactId>
        </dependency>
        <!-- picketlink -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-picketlink-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-picketlink-realm</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- mongo -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-connections-mongo</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-mongo</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-mongo</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.mongodb</groupId>
            <artifactId>mongo-java-driver</artifactId>
        </dependency>
        <!-- export/import -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-zip</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>de.idyl</groupId>
            <artifactId>winzipaes</artifactId>
        </dependency>
    </dependencies>
 </project>
--- a/dependencies/server-min/pom.xml
+++ b/dependencies/server-min/pom.xml
@ -0,0 +1,157 @@
 <?xml version="1.0"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 	<parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
 		<version>1.0-beta-4-SNAPSHOT</version>
 		<relativePath>../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>
 	<artifactId>keycloak-dependencies-server-min</artifactId>
    <packaging>pom</packaging>
    <name>Keycloak Dependencies Server Min</name>
 	<description />
    <dependencies>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-core</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>net.iharder</groupId>
            <artifactId>base64</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-core-jaxrs</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-services</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.zxing</groupId>
            <artifactId>javase</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-invalidation-cache-model</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-js-adapter</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- social -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-core</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- forms -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-forms-common-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.freemarker</groupId>
            <artifactId>freemarker</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-forms-common-themes</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-account-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-account-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-email-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-email-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-login-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-login-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- authentication api -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-authentication-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-authentication-model</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- timer -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-timer-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-timer-basic</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- export/import -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-dir</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-single-file</artifactId>
            <version>${project.version}</version>
        </dependency>
    </dependencies>
 </project>
--- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/ApplicationAdapter.java
+++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/ApplicationAdapter.java
@ -184,6 +184,20 @@ public class ApplicationAdapter extends ClientAdapter implements ApplicationMode
        return roles;
    }
    @Override
    public boolean hasScope(RoleModel role) {
        if (super.hasScope(role)) {
            return true;
        }
        Set<RoleModel> roles = getRoles();
        if (roles.contains(role)) return true;
        for (RoleModel mapping : roles) {
            if (mapping.hasRole(role)) return true;
        }
        return false;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/ApplicationAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/ApplicationAdapter.java
@ -166,6 +166,20 @@ public class ApplicationAdapter extends ClientAdapter implements ApplicationMode
        return list;
    }
    @Override
    public boolean hasScope(RoleModel role) {
        if (super.hasScope(role)) {
            return true;
        }
        Set<RoleModel> roles = getRoles();
        if (roles.contains(role)) return true;
        for (RoleModel mapping : roles) {
            if (mapping.hasRole(role)) return true;
        }
        return false;
    }
    @Override
    public Set<RoleModel> getApplicationScopeMappings(ClientModel client) {
        Set<RoleModel> roleMappings = client.getScopeMappings();
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ApplicationEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ApplicationEntity.java
@ -4,6 +4,7 @@ import javax.persistence.CascadeType;
 import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.FetchType;
 import javax.persistence.JoinColumn;
 import javax.persistence.JoinTable;
 import javax.persistence.OneToMany;
 import javax.persistence.Table;
@ -33,7 +34,7 @@ public class ApplicationEntity extends ClientEntity {
    Collection<RoleEntity> roles = new ArrayList<RoleEntity>();
    @OneToMany(fetch = FetchType.LAZY, cascade ={CascadeType.REMOVE}, orphanRemoval = true)
-    @JoinTable(name="APPLICATION_DEFAULT_ROLES")
+    @JoinTable(name="APPLICATION_DEFAULT_ROLES", joinColumns = { @JoinColumn(name="APPLICATION_ID")}, inverseJoinColumns = { @JoinColumn(name="ROLE_ID")})
    Collection<RoleEntity> defaultRoles = new ArrayList<RoleEntity>();
    public boolean isSurrogateAuthRequired() {
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/AuthenticationProviderEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/AuthenticationProviderEntity.java
@ -1,127 +1,129 @@
-package org.keycloak.models.jpa.entities;
+package org.keycloak.models.jpa.entities;
-
+
-import javax.persistence.CollectionTable;
+import javax.persistence.CollectionTable;
-import javax.persistence.Column;
+import javax.persistence.Column;
-import javax.persistence.ElementCollection;
+import javax.persistence.ElementCollection;
-import javax.persistence.Entity;
+import javax.persistence.Entity;
-import javax.persistence.FetchType;
+import javax.persistence.FetchType;
-import javax.persistence.Id;
+import javax.persistence.Id;
-import javax.persistence.IdClass;
+import javax.persistence.IdClass;
-import javax.persistence.JoinColumn;
+import javax.persistence.JoinColumn;
-import javax.persistence.ManyToOne;
+import javax.persistence.ManyToOne;
-import javax.persistence.MapKeyColumn;
+import javax.persistence.MapKeyColumn;
-import javax.persistence.Table;
+import javax.persistence.Table;
-import java.io.Serializable;
+import java.io.Serializable;
-import java.util.Map;
+import java.util.Map;
-
+
-/**
+/**
- * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
- */
+ */
-@Entity
+@Entity
-@Table(name="AUTH_PROVIDER")
+@Table(name="AUTH_PROVIDER")
-@IdClass(AuthenticationProviderEntity.Key.class)
+@IdClass(AuthenticationProviderEntity.Key.class)
-public class AuthenticationProviderEntity {
+public class AuthenticationProviderEntity {
-
+
-    @Id
+    @Id
-    @ManyToOne(fetch = FetchType.LAZY)
+    @ManyToOne(fetch = FetchType.LAZY)
-    @JoinColumn(name = "REALM_ID")
+    @JoinColumn(name = "REALM_ID")
-    protected RealmEntity realm;
+    protected RealmEntity realm;
-
+
-    @Id
+    @Id
-    @Column(name="PROVIDER_NAME")
+    @Column(name="PROVIDER_NAME")
-    private String providerName;
+    private String providerName;
-    @Column(name="PASSWORD_UPDATE_SUPPORTED")
+    @Column(name="PASSWORD_UPDATE_SUPPORTED")
-    private boolean passwordUpdateSupported;
+    private boolean passwordUpdateSupported;
-    @Column(name="PRIORITY")
+    @Column(name="PRIORITY")
-    private int priority;
+    private int priority;
-
+
-    @ElementCollection
+    @ElementCollection
-    @MapKeyColumn(name="name")
+    @MapKeyColumn(name="NAME")
-    @Column(name="value")
+    @Column(name="VALUE")
-    @CollectionTable(name="AUTH_PROVIDER_CONFIG")
+    @CollectionTable(name="AUTH_PROVIDER_CONFIG", joinColumns = {
-    private Map<String, String> config;
+            @JoinColumn(name="REALM_ID", referencedColumnName = "REALM_ID"),
-
+            @JoinColumn(name="AUTH_PROVIDER_NAME", referencedColumnName = "PROVIDER_NAME")})
-    public RealmEntity getRealm() {
+    private Map<String, String> config;
-        return realm;
+
-    }
+    public RealmEntity getRealm() {
-
+        return realm;
-    public void setRealm(RealmEntity realm) {
+    }
-        this.realm = realm;
+
-    }
+    public void setRealm(RealmEntity realm) {
-
+        this.realm = realm;
-    public String getProviderName() {
+    }
-        return providerName;
+
-    }
+    public String getProviderName() {
-
+        return providerName;
-    public void setProviderName(String providerName) {
+    }
-        this.providerName = providerName;
+
-    }
+    public void setProviderName(String providerName) {
-
+        this.providerName = providerName;
-    public boolean isPasswordUpdateSupported() {
+    }
-        return passwordUpdateSupported;
+
-    }
+    public boolean isPasswordUpdateSupported() {
-
+        return passwordUpdateSupported;
-    public void setPasswordUpdateSupported(boolean passwordUpdateSupported) {
+    }
-        this.passwordUpdateSupported = passwordUpdateSupported;
+
-    }
+    public void setPasswordUpdateSupported(boolean passwordUpdateSupported) {
-
+        this.passwordUpdateSupported = passwordUpdateSupported;
-    public int getPriority() {
+    }
-        return priority;
+
-    }
+    public int getPriority() {
-
+        return priority;
-    public void setPriority(int priority) {
+    }
-        this.priority = priority;
+
-    }
+    public void setPriority(int priority) {
-
+        this.priority = priority;
-    public Map<String, String> getConfig() {
+    }
-        return config;
+
-    }
+    public Map<String, String> getConfig() {
-
+        return config;
-    public void setConfig(Map<String, String> config) {
+    }
-        this.config = config;
+
-    }
+    public void setConfig(Map<String, String> config) {
-
+        this.config = config;
-    public static class Key implements Serializable {
+    }
-
+
-        protected RealmEntity realm;
+    public static class Key implements Serializable {
-
+
-        protected String providerName;
+        protected RealmEntity realm;
-
+
-        public Key() {
+        protected String providerName;
-        }
+
-
+        public Key() {
-        public Key(RealmEntity realm, String providerName) {
+        }
-            this.realm = realm;
+
-            this.providerName = providerName;
+        public Key(RealmEntity realm, String providerName) {
-        }
+            this.realm = realm;
-
+            this.providerName = providerName;
-        public RealmEntity getRealm() {
+        }
-            return realm;
+
-        }
+        public RealmEntity getRealm() {
-
+            return realm;
-        public String getProviderName() {
+        }
-            return providerName;
+
-        }
+        public String getProviderName() {
-
+            return providerName;
-        @Override
+        }
-        public boolean equals(Object o) {
+
-            if (this == o) return true;
+        @Override
-            if (o == null || getClass() != o.getClass()) return false;
+        public boolean equals(Object o) {
-
+            if (this == o) return true;
-            Key key = (Key) o;
+            if (o == null || getClass() != o.getClass()) return false;
-
+
-            if (providerName != null ? !providerName.equals(key.providerName) : key.providerName != null) return false;
+            Key key = (Key) o;
-            if (realm != null ? !realm.getId().equals(key.realm != null ? key.realm.getId() : null) : key.realm != null) return false;
+
-
+            if (providerName != null ? !providerName.equals(key.providerName) : key.providerName != null) return false;
-            return true;
+            if (realm != null ? !realm.getId().equals(key.realm != null ? key.realm.getId() : null) : key.realm != null) return false;
-        }
+
-
+            return true;
-        @Override
+        }
-        public int hashCode() {
+
-            int result = realm != null ? realm.getId().hashCode() : 0;
+        @Override
-            result = 31 * result + (providerName != null ? providerName.hashCode() : 0);
+        public int hashCode() {
-            return result;
+            int result = realm != null ? realm.getId().hashCode() : 0;
-        }
+            result = 31 * result + (providerName != null ? providerName.hashCode() : 0);
-    }
+            return result;
-
+        }
-}
+    }
 }
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java
@ -44,11 +44,13 @@ public abstract class ClientEntity {
    protected RealmEntity realm;
    @ElementCollection
-    @CollectionTable(name = "WEB_ORIGINS")
+    @Column(name="VALUE")
    @CollectionTable(name = "WEB_ORIGINS", joinColumns={ @JoinColumn(name="CLIENT_ID") })
    protected Set<String> webOrigins = new HashSet<String>();
    @ElementCollection
-    @CollectionTable(name = "REDIRECT_URIS")
+    @Column(name="VALUE")
    @CollectionTable(name = "REDIRECT_URIS", joinColumns={ @JoinColumn(name="CLIENT_ID") })
    protected Set<String> redirectUris = new HashSet<String>();
    public RealmEntity getRealm() {
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/CredentialEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/CredentialEntity.java
@ -25,7 +25,7 @@ import java.io.Serializable;
@Entity
 public class CredentialEntity {
    @Id
-    @Column(length = 36)
+    @Column(name="ID", length = 36)
    protected String id;
    @Column(name="TYPE")
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java
@ -108,13 +108,11 @@ public class RealmEntity {
    @Column(name="EMAIL_THEME")
    protected String emailTheme;
-    @OneToMany(cascade ={CascadeType.REMOVE}, orphanRemoval = true)
+    @OneToMany(cascade ={CascadeType.REMOVE}, orphanRemoval = true, mappedBy = "realm")
    @JoinTable(name="USER_REQUIRED_CREDS")
    Collection<RequiredCredentialEntity> requiredCredentials = new ArrayList<RequiredCredentialEntity>();
-    @OneToMany(cascade ={CascadeType.REMOVE}, orphanRemoval = true)
+    @OneToMany(cascade ={CascadeType.REMOVE}, orphanRemoval = true, mappedBy = "realm")
    @JoinTable(name="AUTH_PROVIDERS")
    List<AuthenticationProviderEntity> authenticationProviders = new ArrayList<AuthenticationProviderEntity>();
    @OneToMany(cascade ={CascadeType.REMOVE}, orphanRemoval = true)
@ -122,31 +120,32 @@ public class RealmEntity {
    List<FederationProviderEntity> federationProviders = new ArrayList<FederationProviderEntity>();
    @OneToMany(fetch = FetchType.LAZY, cascade ={CascadeType.REMOVE}, orphanRemoval = true)
    @JoinTable(name="REALM_APPLICATION", joinColumns={ @JoinColumn(name="APPLICATION_ID") }, inverseJoinColumns={ @JoinColumn(name="REALM_ID") })
    Collection<ApplicationEntity> applications = new ArrayList<ApplicationEntity>();
    @OneToMany(fetch = FetchType.LAZY, cascade ={CascadeType.REMOVE}, orphanRemoval = true, mappedBy = "realm")
    Collection<RoleEntity> roles = new ArrayList<RoleEntity>();
    @ElementCollection
-    @MapKeyColumn(name="name")
+    @MapKeyColumn(name="NAME")
-    @Column(name="value")
+    @Column(name="VALUE")
-    @CollectionTable(name="REALM_SMTP_CONFIG")
+    @CollectionTable(name="REALM_SMTP_CONFIG", joinColumns={ @JoinColumn(name="REALM_ID") })
    protected Map<String, String> smtpConfig = new HashMap<String, String>();
    @ElementCollection
-    @MapKeyColumn(name="name")
+    @MapKeyColumn(name="NAME")
-    @Column(name="value")
+    @Column(name="VALUE")
-    @CollectionTable(name="REALM_SOCIAL_CONFIG")
+    @CollectionTable(name="REALM_SOCIAL_CONFIG", joinColumns={ @JoinColumn(name="REALM_ID") })
    protected Map<String, String> socialConfig = new HashMap<String, String>();
    @ElementCollection
-    @MapKeyColumn(name="name")
+    @MapKeyColumn(name="NAME")
-    @Column(name="value")
+    @Column(name="VALUE")
-    @CollectionTable(name="REALM_LDAP_CONFIG")
+    @CollectionTable(name="REALM_LDAP_CONFIG", joinColumns={ @JoinColumn(name="REALM_ID") })
    protected Map<String, String> ldapServerConfig = new HashMap<String, String>();
    @OneToMany(fetch = FetchType.LAZY, cascade ={CascadeType.REMOVE}, orphanRemoval = true)
-    @JoinTable(name="REALM_DEFAULT_ROLES")
+    @JoinTable(name="REALM_DEFAULT_ROLES", joinColumns = { @JoinColumn(name="REALM_ID")}, inverseJoinColumns = { @JoinColumn(name="ROLE_ID")})
    protected Collection<RoleEntity> defaultRoles = new ArrayList<RoleEntity>();
    @Column(name="AUDIT_ENABLED")
@ -155,7 +154,8 @@ public class RealmEntity {
    protected long auditExpiration;
    @ElementCollection
-    @CollectionTable(name="REALM_AUDIT_LISTENERS")
+    @Column(name="VALUE")
    @CollectionTable(name="REALM_AUDIT_LISTENERS", joinColumns={ @JoinColumn(name="REALM_ID") })
    protected Set<String> auditListeners= new HashSet<String>();
    @OneToOne
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/UserEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/UserEntity.java
@ -42,7 +42,7 @@ import java.util.Set;
        @NamedQuery(name="deleteUsersByRealm", query="delete from UserEntity u where u.realmId = :realmId")
 })
@Entity
-@Table(name="USER", uniqueConstraints = {
+@Table(name="USER_ENTITY", uniqueConstraints = {
        @UniqueConstraint(columnNames = { "REALM_ID", "USERNAME" }),
        @UniqueConstraint(columnNames = { "REALM_ID", "EMAIL_CONSTRAINT" })
 })
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/UserRequiredActionEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/UserRequiredActionEntity.java
@ -2,6 +2,7 @@ package org.keycloak.models.jpa.entities;
 import org.keycloak.models.UserModel;
 import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.FetchType;
 import javax.persistence.Id;
@ -10,6 +11,8 @@ import javax.persistence.JoinColumn;
 import javax.persistence.ManyToOne;
 import javax.persistence.NamedQueries;
 import javax.persistence.NamedQuery;
 import javax.persistence.Table;
 import java.io.Serializable;
 /**
@ -20,15 +23,17 @@ import java.io.Serializable;
        @NamedQuery(name="deleteUserRequiredActionsByRealm", query="delete from UserRequiredActionEntity action where action.user IN (select u from UserEntity u where realm=:realm)")
 })
@Entity
@Table(name="USER_REQUIRED_ACTION")
@IdClass(UserRequiredActionEntity.Key.class)
 public class UserRequiredActionEntity {
    @Id
    @ManyToOne(fetch= FetchType.LAZY)
-    @JoinColumn(name="userId")
+    @JoinColumn(name="USER_ID")
    protected UserEntity user;
    @Id
    @Column(name="ACTION")
    protected UserModel.RequiredAction action;
    public UserModel.RequiredAction getAction() {
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ApplicationAdapter.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ApplicationAdapter.java
@ -160,6 +160,20 @@ public class ApplicationAdapter extends ClientAdapter<MongoApplicationEntity> im
        return result;
    }
    @Override
    public boolean hasScope(RoleModel role) {
        if (super.hasScope(role)) {
            return true;
        }
        Set<RoleModel> roles = getRoles();
        if (roles.contains(role)) return true;
        for (RoleModel mapping : roles) {
            if (mapping.hasRole(role)) return true;
        }
        return false;
    }
    @Override
    public Set<RoleModel> getApplicationScopeMappings(ClientModel client) {
        Set<RoleModel> result = new HashSet<RoleModel>();
@ -204,6 +218,7 @@ public class ApplicationAdapter extends ClientAdapter<MongoApplicationEntity> im
        updateMongoEntity();
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
--- a/model/sessions-jpa/src/main/java/org/keycloak/models/sessions/jpa/entities/ClientUserSessionAssociationEntity.java
+++ b/model/sessions-jpa/src/main/java/org/keycloak/models/sessions/jpa/entities/ClientUserSessionAssociationEntity.java
@ -5,6 +5,7 @@ import javax.persistence.Entity;
 import javax.persistence.FetchType;
 import javax.persistence.Id;
 import javax.persistence.IdClass;
 import javax.persistence.JoinColumn;
 import javax.persistence.ManyToOne;
 import javax.persistence.NamedQueries;
 import javax.persistence.NamedQuery;
@ -16,7 +17,7 @@ import java.io.Serializable;
 * @version $Revision: 1 $
 */
@Entity
-@Table(name = "ClientUserSessionAscEntity")
+@Table(name = "CLIENT_USERSESSION")
@NamedQueries({
        @NamedQuery(name = "removeClientUserSessionByRealm", query = "delete from ClientUserSessionAssociationEntity a where a.session IN (select s from UserSessionEntity s where s.realmId = :realmId)"),
        @NamedQuery(name = "removeClientUserSessionByUser", query = "delete from ClientUserSessionAssociationEntity a where a.session IN (select s from UserSessionEntity s where s.realmId = :realmId and s.userId = :userId)"),
@ -28,10 +29,11 @@ public class ClientUserSessionAssociationEntity {
    @Id
    @ManyToOne(fetch = FetchType.LAZY)
    @JoinColumn(name = "SESSION_ID")
    protected UserSessionEntity session;
    @Id
-    @Column(length = 36)
+    @Column(name="CLIENT_ID",length = 36)
    protected String clientId;
    public UserSessionEntity getSession() {
--- a/model/sessions-jpa/src/main/java/org/keycloak/models/sessions/jpa/entities/UserSessionEntity.java
+++ b/model/sessions-jpa/src/main/java/org/keycloak/models/sessions/jpa/entities/UserSessionEntity.java
@ -1,16 +1,15 @@
 package org.keycloak.models.sessions.jpa.entities;
 import org.hibernate.annotations.GenericGenerator;
 import javax.persistence.CascadeType;
 import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.FetchType;
 import javax.persistence.GeneratedValue;
 import javax.persistence.Id;
 import javax.persistence.NamedQueries;
 import javax.persistence.NamedQuery;
 import javax.persistence.OneToMany;
 import javax.persistence.Table;
 import java.util.ArrayList;
 import java.util.Collection;
@ -18,6 +17,7 @@ import java.util.Collection;
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
 */
@Entity
@Table(name = "USER_SESSION")
@NamedQueries({
        @NamedQuery(name = "getUserSessionByUser", query = "select s from UserSessionEntity s where s.realmId = :realmId and s.userId = :userId order by s.started, s.id"),
        @NamedQuery(name = "getUserSessionByClient", query = "select s from UserSessionEntity s join s.clients c where s.realmId = :realmId and c.clientId = :clientId order by s.started, s.id"),
@ -29,16 +29,22 @@ import java.util.Collection;
 public class UserSessionEntity {
    @Id
-    @Column(length = 36)
+    @Column(name="ID",length = 36)
    protected String id;
    @Column(name="USER_ID")
    protected String userId;
    @Column(name="REALM_ID")
    protected String realmId;
    @Column(name="IP_ADDRESS")
    protected String ipAddress;
    @Column(name="STARTED")
    protected int started;
    @Column(name="LAST_SESSION_REFRESH")
    protected int lastSessionRefresh;
    @OneToMany(fetch = FetchType.LAZY, cascade = CascadeType.REMOVE, orphanRemoval = true, mappedBy="session")
--- a/model/sessions-jpa/src/main/java/org/keycloak/models/sessions/jpa/entities/UsernameLoginFailureEntity.java
+++ b/model/sessions-jpa/src/main/java/org/keycloak/models/sessions/jpa/entities/UsernameLoginFailureEntity.java
@ -6,6 +6,8 @@ import javax.persistence.Id;
 import javax.persistence.IdClass;
 import javax.persistence.NamedQueries;
 import javax.persistence.NamedQuery;
 import javax.persistence.Table;
 import java.io.Serializable;
 /**
@ -13,6 +15,7 @@ import java.io.Serializable;
 * @version $Revision: 1 $
 */
@Entity
@Table(name="USERNAME_LOGIN_FAILURE")
@NamedQueries({
        @NamedQuery(name="getAllFailures", query="select failure from UsernameLoginFailureEntity failure"),
        @NamedQuery(name = "removeLoginFailuresByRealm", query = "delete from UsernameLoginFailureEntity f where f.realmId = :realmId"),
@ -22,16 +25,23 @@ import java.io.Serializable;
 public class UsernameLoginFailureEntity {
    @Id
-    @Column(length = 200)
+    @Column(name="USERNAME",length = 200)
    protected String username;
    @Id
-    @Column(length = 36)
+    @Column(name="REALM_ID",length = 36)
    protected String realmId;
    @Column(name="FAILED_LOGIN_NOT_BEFORE")
    protected int failedLoginNotBefore;
    @Column(name="NUM_FAILURES")
    protected int numFailures;
    @Column(name="LAST_FAILURE")
    protected long lastFailure;
    @Column(name="LAST_IP_FAILURE")
    protected String lastIPFailure;
    public String getUsername() {
--- a/pom.xml
+++ b/pom.xml
@ -100,6 +100,7 @@
        <module>core</module>
        <module>core-jaxrs</module>
        <module>connections</module>
        <module>dependencies</module>
        <module>model</module>
        <module>integration</module>
        <module>picketlink</module>
@ -628,42 +629,5 @@
                <module>distribution</module>
            </modules>
        </profile>
        <!-- MySQL -->
        <profile>
            <activation>
                <property>
                    <name>hibernate.connection.driver_class</name>
                    <value>com.mysql.jdbc.Driver</value>
                </property>
            </activation>
            <id>mysql</id>
            <dependencies>
                <dependency>
                    <groupId>mysql</groupId>
                    <artifactId>mysql-connector-java</artifactId>
                    <version>${mysql.version}</version>
                </dependency>
            </dependencies>
        </profile>
        <!-- PostgreSQL -->
        <profile>
            <activation>
                <property>
                    <name>hibernate.connection.driver_class</name>
                    <value>org.postgresql.Driver</value>
                </property>
            </activation>
            <id>postgresql</id>
            <dependencies>
                <dependency>
                    <groupId>org.postgresql</groupId>
                    <artifactId>postgresql</artifactId>
                    <version>${postgresql.version}</version>
                </dependency>
            </dependencies>
        </profile>
    </profiles>
 </project>
--- a/project-integrations/aerogear-ups/auth-server/pom.xml
+++ b/project-integrations/aerogear-ups/auth-server/pom.xml
@ -15,41 +15,28 @@
    <description/>
    <dependencies>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcprov-jdk16</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
-            <artifactId>keycloak-core</artifactId>
+            <artifactId>keycloak-dependencies-server-min</artifactId>
            <version>${project.version}</version>
            <type>pom</type>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-jaxrs</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
-            <groupId>net.iharder</groupId>
+            <groupId>org.jboss.spec.javax.servlet</groupId>
-            <artifactId>base64</artifactId>
+            <artifactId>jboss-servlet-api_3.0_spec</artifactId>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
-            <artifactId>keycloak-core-jaxrs</artifactId>
+            <artifactId>keycloak-connections-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-services</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.zxing</groupId>
            <artifactId>javase</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-invalidation-cache-model</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
@ -67,154 +54,6 @@
            <artifactId>keycloak-model-sessions-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-jboss-logging</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- social -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-core</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- forms -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-forms-common-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.freemarker</groupId>
            <artifactId>freemarker</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-forms-common-themes</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-account-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-account-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-login-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-login-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-email-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-email-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-js-adapter</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- authentication api -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-authentication-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-authentication-model</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- timer -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-timer-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-timer-basic</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-dir</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-single-file</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.jboss.spec.javax.servlet</groupId>
            <artifactId>jboss-servlet-api_3.0_spec</artifactId>
            <scope>provided</scope>
        </dependency>
        <!-- resteasy -->
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-jaxrs</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-multipart-provider</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>async-http-servlet-3.0</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>jaxrs-api</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-jackson-provider</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>
    <build>
--- a/project-integrations/aerogear-ups/auth-server/src/main/webapp/WEB-INF/classes/META-INF/keycloak-server.json
+++ b/project-integrations/aerogear-ups/auth-server/src/main/webapp/WEB-INF/classes/META-INF/keycloak-server.json
@ -3,31 +3,24 @@
        "realm": "master"
    },
    "audit": {
        "provider": "jpa",
        "jpa": {
            "exclude-events": [ "REFRESH_TOKEN" ]
        }
    },
    "realm": {
        "provider": "jpa"
    },
    "user": {
-        "provider": "${keycloak.user.provider:jpa}"
+        "provider": "jpa"
    },
    "userSessions": {
-        "provider" : "${keycloak.userSessions.provider:mem}"
+        "provider" : "mem"
    },
    "realmCache": {
-        "provider": "${keycloak.realm.cache.provider:mem}"
+        "provider": "mem"
    },
    "userCache": {
-        "provider": "${keycloak.user.cache.provider:mem}",
+        "provider": "mem",
        "mem": {
            "maxSize": 20000
        }
--- a/server/pom.xml
+++ b/server/pom.xml
@ -16,292 +16,10 @@
    <dependencies>
        <dependency>
            <groupId>org.keycloak</groupId>
-            <artifactId>keycloak-core</artifactId>
+            <artifactId>keycloak-dependencies-server-all</artifactId>
            <version>${project.version}</version>
            <type>pom</type>
        </dependency>
        <dependency>
            <groupId>net.iharder</groupId>
            <artifactId>base64</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-core-jaxrs</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-services</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.zxing</groupId>
            <artifactId>javase</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-invalidation-cache-model</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-sessions-mem</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-sessions-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-sessions-mongo</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-jboss-logging</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-email</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- social -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-core</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-github</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-google</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-twitter</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.twitter4j</groupId>
            <artifactId>twitter4j-core</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-facebook</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- forms -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-forms-common-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.freemarker</groupId>
            <artifactId>freemarker</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-forms-common-themes</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-account-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-account-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-email-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-email-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-login-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-login-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-js-adapter</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- authentication api -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-authentication-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-authentication-model</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-authentication-picketlink</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.picketlink</groupId>
            <artifactId>picketlink-common</artifactId>
        </dependency>
        <dependency>
            <groupId>org.picketlink</groupId>
            <artifactId>picketlink-idm-api</artifactId>
        </dependency>
        <dependency>
            <groupId>org.picketlink</groupId>
            <artifactId>picketlink-idm-impl</artifactId>
        </dependency>
        <dependency>
            <groupId>org.picketlink</groupId>
            <artifactId>picketlink-idm-simple-schema</artifactId>
        </dependency>
        <!-- timer -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-timer-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-timer-basic</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- picketlink -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-picketlink-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-picketlink-realm</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.jboss.spec.javax.servlet</groupId>
            <artifactId>jboss-servlet-api_3.0_spec</artifactId>
            <scope>provided</scope>
        </dependency>
        <!-- resteasy -->
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-jaxrs</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-multipart-provider</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>async-http-servlet-3.0</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>jaxrs-api</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-jackson-provider</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <!-- Mongo dependencies -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-mongo</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-mongo</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.mongodb</groupId>
            <artifactId>mongo-java-driver</artifactId>
        </dependency>
        <!-- export/import -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-dir</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-zip</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-single-file</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>de.idyl</groupId>
            <artifactId>winzipaes</artifactId>
        </dependency>
    </dependencies>
    <build>
--- a/services/src/main/java/org/keycloak/services/managers/AccessCodeEntry.java
+++ b/services/src/main/java/org/keycloak/services/managers/AccessCodeEntry.java
@ -1,9 +1,11 @@
 package org.keycloak.services.managers;
 import org.keycloak.OAuthErrorException;
 import org.keycloak.jose.jws.JWSBuilder;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserModel.RequiredAction;
 import org.keycloak.representations.AccessCode;
@ -33,29 +35,45 @@ public class AccessCodeEntry {
    }
    public UserModel getUser() {
-        return keycloakSession.users().getUserById(accessCode.getAccessToken().getSubject(), realm);
+        return keycloakSession.users().getUserById(accessCode.getUserId(), realm);
    }
    public String getSessionState() {
-        return accessCode.getAccessToken().getSessionState();
+        return accessCode.getSessionState();
    }
    public void setSessionState(String state) {
        accessCode.setSessionState(state);
    }
    public boolean isExpired() {
        return accessCode.getExpiration() != 0 && Time.currentTime() > accessCode.getExpiration();
    }
-    public AccessToken getToken() {
+    public Set<RoleModel> getRequestedRoles() {
-        return accessCode.getAccessToken();
+        Set<RoleModel> requestedRoles = new HashSet<RoleModel>();
        for (String roleId : accessCode.getRequestedRoles()) {
            RoleModel role = realm.getRoleById(roleId);
            if (role == null) {
                new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid role " + roleId);
            }
            requestedRoles.add(realm.getRoleById(roleId));
        }
        return requestedRoles;
    }
    public ClientModel getClient() {
-        return realm.findClient(accessCode.getAccessToken().getIssuedFor());
+        return realm.findClient(accessCode.getClientId());
    }
    public String getState() {
        return accessCode.getState();
    }
    public void setState(String state) {
        accessCode.setState(state);
    }
    public String getRedirectUri() {
        return accessCode.getRedirectUri();
    }
--- a/services/src/main/java/org/keycloak/services/managers/TokenManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/TokenManager.java
@ -1,7 +1,6 @@
 package org.keycloak.services.managers;
 import org.jboss.logging.Logger;
 import org.jboss.resteasy.specimpl.MultivaluedMapImpl;
 import org.keycloak.OAuthErrorException;
 import org.keycloak.audit.Audit;
 import org.keycloak.audit.Details;
@ -24,12 +23,9 @@ import org.keycloak.representations.IDToken;
 import org.keycloak.representations.RefreshToken;
 import org.keycloak.util.Time;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.UriInfo;
 import java.io.IOException;
 import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.UUID;
@ -80,21 +76,24 @@ public class TokenManager {
    }
    private AccessCodeEntry createAccessCodeEntry(String scopeParam, String state, String redirect, KeycloakSession keycloakSession, RealmModel realm, ClientModel client, UserModel user, UserSessionModel session) {
        List<RoleModel> realmRolesRequested = new LinkedList<RoleModel>();
        MultivaluedMap<String, RoleModel> resourceRolesRequested = new MultivaluedMapImpl<String, RoleModel>();
        AccessToken token = createClientAccessToken(scopeParam, realm, client, user, session, realmRolesRequested, resourceRolesRequested);
        if (session != null) token.setSessionState(session.getId());
        AccessCode code = new AccessCode();
        code.setId(UUID.randomUUID().toString() + System.currentTimeMillis());
-        code.setAccessToken(token);
+        code.setClientId(client.getClientId());
        code.setUserId(user.getId());
        code.setTimestamp(Time.currentTime());
        code.setExpiration(Time.currentTime() + realm.getAccessCodeLifespan());
-        code.setState(state);
+        code.setSessionState(session != null ? session.getId() : null);
        code.setRedirectUri(redirect);
        code.setState(state);
        Set<String> requestedRoles = new HashSet<String>();
        for (RoleModel r : getAccess(scopeParam, client, user)) {
            requestedRoles.add(r.getId());
        }
        code.setRequestedRoles(requestedRoles);
        AccessCodeEntry entry = new AccessCodeEntry(keycloakSession, realm, code);
        return entry;
    }
    public AccessToken refreshAccessToken(KeycloakSession session, UriInfo uriInfo, RealmModel realm, ClientModel client, String encodedRefreshToken, Audit audit) throws OAuthErrorException {
@ -142,11 +141,54 @@ public class TokenManager {
            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale refresh token");
        }
        verifyAccess(refreshToken, realm, client, user);
        AccessToken accessToken = initToken(realm, client, user, userSession);
        accessToken.setRealmAccess(refreshToken.getRealmAccess());
        accessToken.setResourceAccess(refreshToken.getResourceAccess());
        // only refresh session if next token refresh will be after idle timeout
        if (currentTime + realm.getAccessTokenLifespan() > userSession.getLastSessionRefresh() + realm.getSsoSessionIdleTimeout()) {
            userSession.setLastSessionRefresh(currentTime);
        }
        return accessToken;
    }
    public AccessToken createClientAccessToken(Set<RoleModel> requestedRoles, RealmModel realm, ClientModel client, UserModel user, UserSessionModel session) {
        AccessToken token = initToken(realm, client, user, session);
        for (RoleModel role : requestedRoles) {
            addComposites(token, role);
        }
        return token;
    }
    public Set<RoleModel> getAccess(String scopeParam, ClientModel client, UserModel user) {
        // todo scopeParam is ignored until we figure out a scheme that fits with openid connect
        Set<RoleModel> requestedRoles = new HashSet<RoleModel>();
        Set<RoleModel> roleMappings = user.getRoleMappings();
        Set<RoleModel> scopeMappings = client.getScopeMappings();
        if (client instanceof ApplicationModel) {
            scopeMappings.addAll(((ApplicationModel) client).getRoles());
        }
        for (RoleModel role : roleMappings) {
            for (RoleModel desiredRole : scopeMappings) {
                Set<RoleModel> visited = new HashSet<RoleModel>();
                applyScope(role, desiredRole, visited, requestedRoles);
            }
        }
        return requestedRoles;
    }
    public void verifyAccess(AccessToken token, RealmModel realm, ClientModel client, UserModel user) throws OAuthErrorException {
        ApplicationModel clientApp = (client instanceof ApplicationModel) ? (ApplicationModel)client : null;
-        if (refreshToken.getRealmAccess() != null) {
+        if (token.getRealmAccess() != null) {
-            for (String roleName : refreshToken.getRealmAccess().getRoles()) {
+            for (String roleName : token.getRealmAccess().getRoles()) {
                RoleModel role = realm.getRole(roleName);
                if (role == null) {
                    throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid realm role " + roleName);
@ -159,8 +201,8 @@ public class TokenManager {
                }
            }
        }
-        if (refreshToken.getResourceAccess() != null) {
+        if (token.getResourceAccess() != null) {
-            for (Map.Entry<String, AccessToken.Access> entry : refreshToken.getResourceAccess().entrySet()) {
+            for (Map.Entry<String, AccessToken.Access> entry : token.getResourceAccess().entrySet()) {
                ApplicationModel app = realm.getApplicationByName(entry.getKey());
                if (app == null) {
                    throw new OAuthErrorException(OAuthErrorException.INVALID_SCOPE, "Application no longer exists", "Application no longer exists: " + app.getName());
@ -180,67 +222,6 @@ public class TokenManager {
            }
        }
        AccessToken accessToken = initToken(realm, client, user, userSession);
        accessToken.setRealmAccess(refreshToken.getRealmAccess());
        accessToken.setResourceAccess(refreshToken.getResourceAccess());
        // only refresh session if next token refresh will be after idle timeout
        if (currentTime + realm.getAccessTokenLifespan() > userSession.getLastSessionRefresh() + realm.getSsoSessionIdleTimeout()) {
            userSession.setLastSessionRefresh(currentTime);
        }
        return accessToken;
    }
    public AccessToken createClientAccessToken(String scopeParam, RealmModel realm, ClientModel client, UserModel user, UserSessionModel session) {
        return createClientAccessToken(scopeParam, realm, client, user, session, new LinkedList<RoleModel>(), new MultivaluedMapImpl<String, RoleModel>());
    }
    public AccessToken createClientAccessToken(String scopeParam, RealmModel realm, ClientModel client, UserModel user, UserSessionModel session, List<RoleModel> realmRolesRequested, MultivaluedMap<String, RoleModel> resourceRolesRequested) {
        // todo scopeParam is ignored until we figure out a scheme that fits with openid connect
        Set<RoleModel> roleMappings = user.getRoleMappings();
        Set<RoleModel> scopeMappings = client.getScopeMappings();
        ApplicationModel clientApp = (client instanceof ApplicationModel) ? (ApplicationModel)client : null;
        Set<RoleModel> clientAppRoles = clientApp == null ? null : clientApp.getRoles();
        if (clientAppRoles != null) scopeMappings.addAll(clientAppRoles);
        Set<RoleModel> requestedRoles = new HashSet<RoleModel>();
        for (RoleModel role : roleMappings) {
            if (clientApp != null && role.getContainer().equals(clientApp)) requestedRoles.add(role);
            for (RoleModel desiredRole : scopeMappings) {
                Set<RoleModel> visited = new HashSet<RoleModel>();
                applyScope(role, desiredRole, visited, requestedRoles);
            }
        }
        for (RoleModel role : requestedRoles) {
            if (role.getContainer() instanceof RealmModel) {
                realmRolesRequested.add(role);
            } else if (role.getContainer() instanceof ApplicationModel) {
                ApplicationModel app = (ApplicationModel)role.getContainer();
                resourceRolesRequested.add(app.getName(), role);
            }
        }
        AccessToken token = initToken(realm, client, user, session);
        if (realmRolesRequested.size() > 0) {
            for (RoleModel role : realmRolesRequested) {
                addComposites(token, role);
            }
        }
        if (resourceRolesRequested.size() > 0) {
            for (List<RoleModel> roles : resourceRolesRequested.values()) {
                for (RoleModel role : roles) {
                    addComposites(token, role);
                }
            }
        }
        return token;
    }
    public void initClaims(IDToken token, ClientModel model, UserModel user) {
@ -363,7 +344,8 @@ public class TokenManager {
        }
        public AccessTokenResponseBuilder generateAccessToken(String scopeParam, ClientModel client, UserModel user, UserSessionModel session) {
-            accessToken = createClientAccessToken(scopeParam, realm, client, user, session);
+            Set<RoleModel> requestedRoles = getAccess(scopeParam, client, user);
            accessToken = createClientAccessToken(requestedRoles, realm, client, user, session);
            return this;
        }
--- a/services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java
+++ b/services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java
@ -227,7 +227,7 @@ public class RequiredActionsService {
        // Password reset through email won't have an associated session
        if (accessCode.getSessionState() == null) {
            UserSessionModel userSession = session.sessions().createUserSession(realm, session.users().getUserById(accessCode.getUser().getId(), realm), clientConnection.getRemoteAddr());
-            accessCode.getToken().setSessionState(userSession.getId());
+            accessCode.setSessionState(userSession.getId());
            audit.session(userSession);
        }
--- a/services/src/main/java/org/keycloak/services/resources/TokenService.java
+++ b/services/src/main/java/org/keycloak/services/resources/TokenService.java
@ -23,6 +23,7 @@ import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RequiredCredentialModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
@ -641,14 +642,6 @@ public class TokenService {
            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res)
                    .build();
        }
        if (!accessCode.getToken().isActive()) {
            Map<String, String> res = new HashMap<String, String>();
            res.put(OAuth2Constants.ERROR, "invalid_grant");
            res.put(OAuth2Constants.ERROR_DESCRIPTION, "Token expired");
            audit.error(Errors.INVALID_CODE);
            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res)
                    .build();
        }
        audit.user(accessCode.getUser());
        audit.session(accessCode.getSessionState());
@ -698,8 +691,20 @@ public class TokenService {
        userSession.associateClient(client);
        AccessToken token = tokenManager.createClientAccessToken(accessCode.getRequestedRoles(), realm, client, user, userSession);
        try {
            tokenManager.verifyAccess(token, realm, client, user);
        } catch (OAuthErrorException e) {
            Map<String, String> error = new HashMap<String, String>();
            error.put(OAuth2Constants.ERROR, e.getError());
            if (e.getDescription() != null) error.put(OAuth2Constants.ERROR_DESCRIPTION, e.getDescription());
            audit.error(Errors.INVALID_CODE);
            return Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build();
        }
        AccessTokenResponse res = tokenManager.responseBuilder(realm, client, audit)
-                .accessToken(accessCode.getToken())
+                .accessToken(token)
                .generateIDToken()
                .generateRefreshToken().build();
--- a/services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java
+++ b/services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java
@ -157,32 +157,22 @@ public class OAuthFlows {
        if (!isResource) {
            accessCode.resetExpiration();
            List<RoleModel> realmRolesRequested = new LinkedList<RoleModel>();
            MultivaluedMap<String, RoleModel> appRolesRequested = new MultivaluedMapImpl<String, RoleModel>();
            if (accessCode.getToken().getRealmAccess() != null) {
                if (accessCode.getToken().getRealmAccess().getRoles() != null) {
                    for (String role : accessCode.getToken().getRealmAccess().getRoles()) {
                        RoleModel roleModel = realm.getRole(role);
                        if (roleModel != null) realmRolesRequested.add(roleModel);
                    }
                }
            }
            if (accessCode.getToken().getResourceAccess().size() > 0) {
                for (Map.Entry<String, AccessToken.Access> entry : accessCode.getToken().getResourceAccess().entrySet()) {
                    ApplicationModel app = realm.getApplicationByName(entry.getKey());
                    if (app == null) continue;
                    if (entry.getValue().getRoles() != null) {
                        for (String role : entry.getValue().getRoles()) {
                            RoleModel roleModel = app.getRole(role);
                            if (roleModel != null) appRolesRequested.add(entry.getKey(), roleModel);
                        }
-                    }
+            List<RoleModel> realmRoles = new LinkedList<RoleModel>();
            MultivaluedMap<String, RoleModel> resourceRoles = new MultivaluedMapImpl<String, RoleModel>();
            for (RoleModel r : accessCode.getRequestedRoles()) {
                if (r.getContainer() instanceof RealmModel) {
                    realmRoles.add(r);
                } else {
                    resourceRoles.add(((ApplicationModel) r.getContainer()).getName(), r);
                }
            }
-            return Flows.forms(this.session, realm, uriInfo).setAccessCode(accessCode.getCode()).
+
-                    setAccessRequest(realmRolesRequested, appRolesRequested).
+            return Flows.forms(this.session, realm, uriInfo)
-                    setClient(client).createOAuthGrant();
+                    .setAccessCode(accessCode.getCode())
                    .setAccessRequest(realmRoles, resourceRoles)
                    .setClient(client)
                    .createOAuthGrant();
        }
        if (redirect != null) {
--- a/testsuite/integration/README.md
+++ b/testsuite/integration/README.md
@ -11,7 +11,8 @@ To run the tests with Firefox add `-Dbrowser=firefox` or for Chrome add `-Dbrows
 Mongo
 -----
-The testsuite is executed with JPA model implementation with data saved in H2 database by default. To run testsuite with Mongo model, just add property `-Dkeycloak.model.provider=mongo` when executing it.
+The testsuite is executed with JPA model implementation with data saved in H2 database by default. To run testsuite with Mongo model, just add property `-Dkeycloak.realm.provider=mongo` when executing it.
 This single property will cause that mongo will be used for realm-model, user-model and audit.
 Note that this will automatically run embedded Mongo database on localhost/27018 and it will stop it after whole testsuite is finished.
 So you don't need to have Mongo installed on your laptop to run mongo execution tests.
@ -52,11 +53,11 @@ For example to use the example themes run the server with:
 To start a Keycloak server with identity model data persisted in Mongo database instead of default JPA/H2 you can run:
-    mvn exec:java -Pkeycloak-server -Dkeycloak.model.provider=mongo
+    mvn exec:java -Pkeycloak-server -Dkeycloak.realm.provider=mongo -Dkeycloak.user.provider=mongo -Dkeycloak.audit.provider=mongo
 By default it's using database `keycloak` on localhost/27017 and it uses already existing data from this DB (no cleanup of existing data during bootstrap). Assumption is that you already have DB running on localhost/27017 . Use system properties to configure things differently:
-    mvn exec:java -Pkeycloak-server -Dkeycloak.model.provider=mongo -Dkeycloak.model.mongo.host=localhost -Dkeycloak.model.mongo.port=27017 -Dkeycloak.model.mongo.db=keycloak -Dkeycloak.model.mongo.clearOnStartup=false
+    mvn exec:java -Pkeycloak-server -Dkeycloak.realm.provider=mongo -Dkeycloak.user.provider=mongo -Dkeycloak.audit.provider=mongo -Dkeycloak.connectionsMongo.host=localhost -Dkeycloak.connectionsMongo.port=27017 -Dkeycloak.connectionsMongo.db=keycloak -Dkeycloak.connectionsMongo.clearOnStartup=false
 Note that if you are using Mongo model, it would mean that Mongo will be used for audit as well. You may need to use audit related properties for configuration of Mongo if you want to override default ones (For example keycloak.audit.mongo.host, keycloak.audit.mongo.port etc)
--- a/testsuite/integration/pom.xml
+++ b/testsuite/integration/pom.xml
@ -24,6 +24,13 @@
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-dependencies-server-all</artifactId>
            <version>${project.version}</version>
            <type>pom</type>
        </dependency>
        <dependency>
            <groupId>org.jboss.spec.javax.servlet</groupId>
            <artifactId>jboss-servlet-api_3.0_spec</artifactId>
@ -86,223 +93,15 @@
            <artifactId>bcprov-jdk16</artifactId>
        </dependency>
        <dependency>
-            <groupId>org.keycloak</groupId>
+            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>keycloak-audit-api</artifactId>
+            <artifactId>httpclient</artifactId>
-            <version>${project.version}</version>
+            <version>${keycloak.apache.httpcomponents.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-jboss-logging</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-email</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-core</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-core-jaxrs</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-services</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-connections-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-connections-mongo</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-sessions-mem</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-sessions-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-sessions-mongo</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-invalidation-cache-model</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-timer-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-timer-basic</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-js-adapter</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-undertow-adapter</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.httpcomponents</groupId>
            <artifactId>httpclient</artifactId>
            <version>${keycloak.apache.httpcomponents.version}</version>
        </dependency>
        <!--
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-picketlink</artifactId>
            <version>${project.version}</version>
        </dependency>
        -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-core</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-github</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-google</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-twitter</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.twitter4j</groupId>
            <artifactId>twitter4j-core</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-facebook</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-forms-common-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.freemarker</groupId>
            <artifactId>freemarker</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-forms-common-themes</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-email-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-email-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-account-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-account-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-login-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-login-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-authentication-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-authentication-model</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-picketlink-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-picketlink-realm</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-dir</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-single-file</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-zip</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.jboss.logging</groupId>
            <artifactId>jboss-logging</artifactId>
@ -374,35 +173,12 @@
            <artifactId>selenium-chrome-driver</artifactId>
        </dependency>
        <!-- Mongo dependencies specified here and not in mongo profile, just to allow running tests from IDE -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-mongo</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-mongo</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.mongodb</groupId>
            <artifactId>mongo-java-driver</artifactId>
        </dependency>
        <!-- Encrypted ZIP -->
        <dependency>
            <groupId>de.idyl</groupId>
            <artifactId>winzipaes</artifactId>
        </dependency>
        <!-- This adds couple of other dependencies (like picketlink) -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-tests</artifactId>
            <version>${project.version}</version>
        </dependency>
    </dependencies>
    <build>
        <plugins>
@ -560,5 +336,42 @@
            </build>
        </profile>
        <!-- MySQL -->
        <profile>
            <activation>
                <property>
                    <name>keycloak.connectionsJpa.driver</name>
                    <value>com.mysql.jdbc.Driver</value>
                </property>
            </activation>
            <id>mysql</id>
            <dependencies>
                <dependency>
                    <groupId>mysql</groupId>
                    <artifactId>mysql-connector-java</artifactId>
                    <version>${mysql.version}</version>
                </dependency>
            </dependencies>
        </profile>
        <!-- PostgreSQL -->
        <profile>
            <activation>
                <property>
                    <name>keycloak.connectionsJpa.driver</name>
                    <value>org.postgresql.Driver</value>
                </property>
            </activation>
            <id>postgresql</id>
            <dependencies>
                <dependency>
                    <groupId>org.postgresql</groupId>
                    <artifactId>postgresql</artifactId>
                    <version>${postgresql.version}</version>
                </dependency>
            </dependencies>
        </profile>
    </profiles>
 </project>
--- a/testsuite/integration/src/main/resources/META-INF/keycloak-server.json
+++ b/testsuite/integration/src/main/resources/META-INF/keycloak-server.json
@ -66,7 +66,9 @@
            "driverDialect": "${keycloak.connectionsJpa.driverDialect:}",
            "user": "${keycloak.connectionsJpa.user:sa}",
            "password": "${keycloak.connectionsJpa.password:}",
-            "databaseSchema": "${keycloak.connectionsJpa.databaseSchema:create-drop}"
+            "databaseSchema": "${keycloak.connectionsJpa.databaseSchema:create-drop}",
            "showSql": "${keycloak.connectionsJpa.showSql:false}",
            "formatSql": "${keycloak.connectionsJpa.formatSql:true}"
        }
    },
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java
@ -21,7 +21,6 @@
 */
 package org.keycloak.testsuite;
 import net.iharder.Base64;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpResponse;
 import org.apache.http.NameValuePair;
@ -32,21 +31,18 @@ import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.utils.URLEncodedUtils;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.message.BasicNameValuePair;
 import org.jboss.resteasy.security.PemUtils;
 import org.json.JSONObject;
 import org.junit.Assert;
 import org.keycloak.OAuth2Constants;
 import org.keycloak.RSATokenVerifier;
 import org.keycloak.VerificationException;
 import org.keycloak.audit.Details;
 import org.keycloak.audit.Event;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.crypto.RSAProvider;
 import org.keycloak.representations.AccessToken;
 import org.keycloak.representations.AccessTokenResponse;
 import org.keycloak.representations.RefreshToken;
 import org.keycloak.services.resources.TokenService;
 import org.keycloak.util.BasicAuthHelper;
 import org.keycloak.util.PemUtils;
 import org.openqa.selenium.By;
 import org.openqa.selenium.WebDriver;
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/adapter/AdapterTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/adapter/AdapterTest.java
@ -21,7 +21,7 @@
 */
 package org.keycloak.testsuite.adapter;
-import org.jboss.resteasy.util.BasicAuthHelper;
+import org.keycloak.util.BasicAuthHelper;
 import org.junit.Assert;
 import org.junit.ClassRule;
 import org.junit.Rule;
@ -101,7 +101,7 @@ public class AdapterTest {
            TokenManager tm = new TokenManager();
            UserModel admin = session.users().getUserByUsername("admin", adminRealm);
            UserSessionModel userSession = session.sessions().createUserSession(adminRealm, admin, null);
-            AccessToken token = tm.createClientAccessToken(null, adminRealm, adminConsole, admin, userSession);
+            AccessToken token = tm.createClientAccessToken(tm.getAccess(null, adminConsole, admin), adminRealm, adminConsole, admin, userSession);
            return tm.encodeToken(adminRealm, token);
        } finally {
            keycloakRule.stopSession(session, true);
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/adapter/RelativeUriAdapterTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/adapter/RelativeUriAdapterTest.java
@ -88,7 +88,7 @@ public class RelativeUriAdapterTest {
            TokenManager tm = new TokenManager();
            UserModel admin = session.users().getUserByUsername("admin", adminRealm);
            UserSessionModel userSession = session.sessions().createUserSession(adminRealm, admin, null);
-            AccessToken token = tm.createClientAccessToken(null, adminRealm, adminConsole, admin, userSession);
+            AccessToken token = tm.createClientAccessToken(tm.getAccess(null, adminConsole, admin), adminRealm, adminConsole, admin, userSession);
            adminToken = tm.encodeToken(adminRealm, token);
        }
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java
@ -80,7 +80,7 @@ public class AdminAPITest {
            TokenManager tm = new TokenManager();
            UserModel admin = session.users().getUserByUsername("admin", adminRealm);
            UserSessionModel userSession = session.sessions().createUserSession(adminRealm, admin, null);
-            AccessToken token = tm.createClientAccessToken(null, adminRealm, adminConsole, admin, userSession);
+            AccessToken token = tm.createClientAccessToken(tm.getAccess(null, adminConsole, admin), adminRealm, adminConsole, admin, userSession);
            return tm.encodeToken(adminRealm, token);
        } finally {
            keycloakRule.stopSession(session, true);
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java
@ -184,6 +184,9 @@ public class CompositeRoleTest {
        Assert.assertEquals(1, token.getRealmAccess().getRoles().size());
        Assert.assertTrue(token.getResourceAccess("APP_ROLE_APPLICATION").isUserInRole("APP_ROLE_1"));
        Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_ROLE_1"));
        AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password");
        Assert.assertEquals(200, refreshResponse.getStatusCode());
    }
@ -207,10 +210,11 @@ public class CompositeRoleTest {
        Assert.assertEquals(1, token.getResourceAccess("APP_ROLE_APPLICATION").getRoles().size());
        Assert.assertTrue(token.getResourceAccess("APP_ROLE_APPLICATION").isUserInRole("APP_ROLE_1"));
        AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password");
        Assert.assertEquals(200, refreshResponse.getStatusCode());
    }
    @Test
    public void testRealmOnlyWithUserCompositeAppComposite() throws Exception {
        oauth.realm("Test");
@ -232,6 +236,9 @@ public class CompositeRoleTest {
        Assert.assertEquals(2, token.getRealmAccess().getRoles().size());
        Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_COMPOSITE_1"));
        Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_ROLE_1"));
        AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password");
        Assert.assertEquals(200, refreshResponse.getStatusCode());
    }
    @Test
@ -254,6 +261,9 @@ public class CompositeRoleTest {
        Assert.assertEquals(1, token.getRealmAccess().getRoles().size());
        Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_ROLE_1"));
        AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password");
        Assert.assertEquals(200, refreshResponse.getStatusCode());
    }
    @Test
@ -276,6 +286,9 @@ public class CompositeRoleTest {
        Assert.assertEquals(1, token.getRealmAccess().getRoles().size());
        Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_ROLE_1"));
        AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password");
        Assert.assertEquals(200, refreshResponse.getStatusCode());
    }
 }
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/exportimport/ExportImportTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/exportimport/ExportImportTest.java
@ -1,17 +1,21 @@
 package org.keycloak.testsuite.exportimport;
 import java.io.File;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
 import java.util.regex.Matcher;
 import org.junit.Assert;
 import org.junit.ClassRule;
 import org.junit.FixMethodOrder;
 import org.junit.Test;
 import org.junit.rules.ExternalResource;
 import org.junit.rules.RuleChain;
 import org.junit.rules.TestRule;
 import org.junit.runners.MethodSorters;
 import org.keycloak.Config;
 import org.keycloak.exportimport.ExportImportConfig;
 import org.keycloak.exportimport.dir.DirExportProvider;
@ -33,15 +37,20 @@ import org.keycloak.testsuite.rule.KeycloakRule;
 */
 public class ExportImportTest {
    private static SystemPropertiesHelper propsHelper = new SystemPropertiesHelper();
    private static final String JPA_CONNECTION_URL = "keycloak.connectionsJpa.url";
    private static final String JPA_DB_SCHEMA = "keycloak.connectionsJpa.databaseSchema";
    private static final String MONGO_CLEAR_ON_STARTUP = "keycloak.connectionsMongo.clearOnStartup";
    // We want data to be persisted among server restarts
-    private static ExternalResource hibernateSetupRule = new ExternalResource() {
+    private static ExternalResource persistenceSetupRule = new ExternalResource() {
-        private boolean setupDone = false;
+        private boolean connectionURLSet = false;
        @Override
        protected void before() throws Throwable {
-            if (System.getProperty("keycloak.connectionsJpa.url") == null) {
+            if (System.getProperty(JPA_CONNECTION_URL) == null) {
                String baseExportImportDir = getExportImportTestDirectory();
                File oldDBFile = new File(baseExportImportDir, "keycloakDB.h2.db");
@ -50,43 +59,33 @@ public class ExportImportTest {
                }
                String dbDir = baseExportImportDir + "/keycloakDB";
-                System.setProperty("keycloak.connectionsJpa.url", "jdbc:h2:file:" + dbDir + ";DB_CLOSE_DELAY=-1");
+                propsHelper.pushProperty(JPA_CONNECTION_URL, "jdbc:h2:file:" + dbDir + ";DB_CLOSE_DELAY=-1");
-                System.setProperty("keycloak.connectionsJpa.databaseSchema", "update");
+                connectionURLSet = true;
                setupDone = true;
            }
            propsHelper.pushProperty(JPA_DB_SCHEMA, "create");
        }
        @Override
        protected void after() {
-            if (setupDone) {
+            if (connectionURLSet) {
-                Properties sysProps = System.getProperties();
+                propsHelper.pullProperty(JPA_CONNECTION_URL);
                sysProps.remove("keycloak.connectionsJpa.url");
                sysProps.remove("keycloak.connectionsJpa.databaseSchema");
            }
        }
    };
-    // We want data to be persisted among server restarts
+    private static ExternalResource outerPersistenceSetupRule = new ExternalResource() {
    private static ExternalResource mongoRule = new ExternalResource() {
        private static final String MONGO_CLEAR_ON_STARTUP_PROP_NAME = "keycloak.connectionsMongo.clearOnStartup";
        private String previousMongoClearOnStartup;
        @Override
        protected void before() throws Throwable {
-            previousMongoClearOnStartup = System.getProperty(MONGO_CLEAR_ON_STARTUP_PROP_NAME);
+            System.setProperty(JPA_DB_SCHEMA, "update");
-            System.setProperty(MONGO_CLEAR_ON_STARTUP_PROP_NAME, "false");
+            propsHelper.pushProperty(MONGO_CLEAR_ON_STARTUP, "false");
        }
        @Override
        protected void after() {
-            if (previousMongoClearOnStartup != null) {
+            propsHelper.pullProperty(JPA_DB_SCHEMA);
-                System.setProperty(MONGO_CLEAR_ON_STARTUP_PROP_NAME, previousMongoClearOnStartup);
+            propsHelper.pullProperty(MONGO_CLEAR_ON_STARTUP);
            } else {
                System.getProperties().remove(MONGO_CLEAR_ON_STARTUP_PROP_NAME);
            }
        }
    };
    private static KeycloakRule keycloakRule = new KeycloakRule( new KeycloakRule.KeycloakSetup() {
@ -124,9 +123,9 @@ public class ExportImportTest {
    @ClassRule
    public static TestRule chain = RuleChain
-            .outerRule(hibernateSetupRule)
+            .outerRule(persistenceSetupRule)
-            .around(mongoRule)
+            .around(keycloakRule)
-            .around(keycloakRule);
+            .around(outerPersistenceSetupRule);
    @Test
    public void testDirFullExportImport() throws Throwable {
@ -357,4 +356,28 @@ public class ExportImportTest {
        return absolutePath;
    }
    private static class SystemPropertiesHelper {
        private Map<String,String> previousValues = new HashMap<String,String>();
        private void pushProperty(String name, String value) {
            String currentValue = System.getProperty(name);
            if (currentValue != null) {
                previousValues.put(name, currentValue);
            }
            System.setProperty(name, value);
        }
        private void pullProperty(String name) {
            String prevValue = previousValues.get(name);
            if (prevValue == null) {
                System.getProperties().remove(name);
            }  else {
                System.setProperty(name, prevValue);
            }
        }
    }
 }
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/AbstractKeycloakRule.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/AbstractKeycloakRule.java
@ -10,9 +10,9 @@ import org.keycloak.Config;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.utils.ModelToRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.models.utils.ModelToRepresentation;
 import org.keycloak.services.managers.RealmManager;
 import org.keycloak.testsuite.Retry;
 import org.keycloak.testutils.KeycloakServer;
@ -22,7 +22,6 @@ import javax.servlet.Servlet;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.ConnectException;
 import java.net.Socket;
 /**
@ -45,7 +44,9 @@ public abstract class AbstractKeycloakRule extends ExternalResource {
        try {
            RealmModel realmByName = session.realms().getRealmByName(realm);
            UserModel user = session.users().getUserByUsername(name, realmByName);
-            return user != null ? ModelToRepresentation.toRepresentation(user) : null;
+            UserRepresentation userRep = user != null ? ModelToRepresentation.toRepresentation(user) : null;
            session.getTransaction().commit();
            return userRep;
        } finally {
            session.close();
        }
@ -56,7 +57,9 @@ public abstract class AbstractKeycloakRule extends ExternalResource {
        session.getTransaction().begin();
        try {
            RealmModel realmByName = session.realms().getRealmByName(realm);
-            return ModelToRepresentation.toRepresentation(session.users().getUserById(id, realmByName));
+            UserRepresentation userRep = ModelToRepresentation.toRepresentation(session.users().getUserById(id, realmByName));
            session.getTransaction().commit();
            return userRep;
        } finally {
            session.close();
        }
--- a/testsuite/tools/pom.xml
+++ b/testsuite/tools/pom.xml
@ -15,6 +15,28 @@
    <description/>
    <dependencies>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-dependencies-server-all</artifactId>
            <version>${project.version}</version>
            <type>pom</type>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>jaxrs-api</artifactId>
            <version>${resteasy.version.latest}</version>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-jaxrs</artifactId>
            <version>${resteasy.version.latest}</version>
        </dependency>
        <dependency>
            <groupId>org.jboss.spec.javax.servlet</groupId>
            <artifactId>jboss-servlet-api_3.0_spec</artifactId>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>com.icegreen</groupId>
@ -26,281 +48,6 @@
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-core</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>net.iharder</groupId>
            <artifactId>base64</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-core-jaxrs</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-services</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.zxing</groupId>
            <artifactId>javase</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-invalidation-cache-model</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-jpa</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-jboss-logging</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-email</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- social -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-core</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-github</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-google</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-twitter</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.twitter4j</groupId>
            <artifactId>twitter4j-core</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-social-facebook</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- forms -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-forms-common-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.freemarker</groupId>
            <artifactId>freemarker</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-forms-common-themes</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-account-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-account-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-email-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-email-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-login-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-login-freemarker</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-js-adapter</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- authentication api -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-authentication-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-authentication-model</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-authentication-picketlink</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.picketlink</groupId>
            <artifactId>picketlink-common</artifactId>
        </dependency>
        <dependency>
            <groupId>org.picketlink</groupId>
            <artifactId>picketlink-idm-api</artifactId>
        </dependency>
        <dependency>
            <groupId>org.picketlink</groupId>
            <artifactId>picketlink-idm-impl</artifactId>
        </dependency>
        <dependency>
            <groupId>org.picketlink</groupId>
            <artifactId>picketlink-idm-simple-schema</artifactId>
        </dependency>
        <!-- timer -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-timer-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-timer-basic</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- picketlink -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-picketlink-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-picketlink-realm</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.jboss.spec.javax.servlet</groupId>
            <artifactId>jboss-servlet-api_3.0_spec</artifactId>
            <scope>provided</scope>
        </dependency>
        <!-- resteasy -->
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-jaxrs</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-multipart-provider</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>async-http-servlet-3.0</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>jaxrs-api</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-jackson-provider</artifactId>
            <version>${resteasy.version}</version>
            <scope>provided</scope>
        </dependency>
        <!-- Mongo dependencies -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-model-mongo</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-audit-mongo</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.mongodb</groupId>
            <artifactId>mongo-java-driver</artifactId>
        </dependency>
        <!-- export/import -->
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-api</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-dir</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-zip</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-export-import-single-file</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>de.idyl</groupId>
            <artifactId>winzipaes</artifactId>
        </dependency>
    </dependencies>
    <build>
--- a/testsuite/tools/src/main/java/org/keycloak/test/tools/KeycloakTestApplication.java
+++ b/testsuite/tools/src/main/java/org/keycloak/test/tools/KeycloakTestApplication.java
@ -5,8 +5,6 @@ import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.services.resources.KeycloakApplication;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletContextEvent;
 import javax.servlet.ServletContextListener;
 import javax.ws.rs.core.Application;
 import javax.ws.rs.core.Context;
 import java.util.HashSet;