refactoring; test inits
diff --git a/src/main/.DS_Store b/src/main/.DS_Store
index d4fd3e7..6f2c378 100644
--- a/src/main/.DS_Store
+++ b/src/main/.DS_Store
Binary files differ
diff --git a/src/main/java/.DS_Store b/src/main/java/.DS_Store
index e282944..175efa1 100644
--- a/src/main/java/.DS_Store
+++ b/src/main/java/.DS_Store
Binary files differ
diff --git a/src/main/java/de/.DS_Store b/src/main/java/de/.DS_Store
index b276992..dcbce40 100644
--- a/src/main/java/de/.DS_Store
+++ b/src/main/java/de/.DS_Store
Binary files differ
diff --git a/src/main/java/de/ids_mannheim/.DS_Store b/src/main/java/de/ids_mannheim/.DS_Store
index 07256f1..f61ad44 100644
--- a/src/main/java/de/ids_mannheim/.DS_Store
+++ b/src/main/java/de/ids_mannheim/.DS_Store
Binary files differ
diff --git a/src/main/java/de/ids_mannheim/korap/.DS_Store b/src/main/java/de/ids_mannheim/korap/.DS_Store
index e540d83..f8811c7 100644
--- a/src/main/java/de/ids_mannheim/korap/.DS_Store
+++ b/src/main/java/de/ids_mannheim/korap/.DS_Store
Binary files differ
diff --git a/src/main/java/de/ids_mannheim/korap/config/BeanConfiguration.java b/src/main/java/de/ids_mannheim/korap/config/BeanConfiguration.java
index 028a9f4..c308e34 100644
--- a/src/main/java/de/ids_mannheim/korap/config/BeanConfiguration.java
+++ b/src/main/java/de/ids_mannheim/korap/config/BeanConfiguration.java
@@ -24,8 +24,13 @@
     public static final String KUSTVAKT_AUDITING = "kustvakt_auditing";
     public static final String KUSTVAKT_CONFIG = "kustvakt_config";
 
+    public static final String KUSTVAKT_AUTHENTICATION_MANAGER = "kustvakt_authenticationmanager";
+    public static final String KUSTVAKT_USERDB = "kustvakt_userdb";
+    public static final String KUSTVAKT_POLICIES = "kustvakt_policies";
+
     private static BeanHolderHelper beans;
 
+    //todo: allow this for external plugin systems that are not kustvakt specific
     public static void setCustomBeansHolder(BeanHolderHelper holder) {
         ApplicationContext context = beans.context;
         holder.context = context;
@@ -136,18 +141,37 @@
             return getBean(KUSTVAKT_DB);
         }
 
-        public AuthenticationManagerIface getAuthenticationManager() {
-            throw new RuntimeException("!Stub");
-        }
+        //        public AuthenticationManagerIface getAuthenticationManager() {
+        //            throw new RuntimeException("!Stub");
+        //        }
 
-        public EntityHandlerIface getUserDBHandler() {
-            throw new RuntimeException("!Stub");
-        }
+        //        public EntityHandlerIface getUserDBHandler() {
+        //            throw new RuntimeException("!Stub");
+        //        }
 
         public EncryptionIface getEncryption() {
             return getBean(KUSTVAKT_ENCRYPTION);
         }
 
+        public AuthenticationManagerIface getAuthenticationManager() {
+            return getBean(KUSTVAKT_AUTHENTICATION_MANAGER);
+        }
+
+        public EntityHandlerIface getUserDBHandler() {
+            return getBean(KUSTVAKT_USERDB);
+        }
+
+        public PolicyHandlerIface getPolicyDbProvider() {
+            return getBean(KUSTVAKT_POLICIES);
+        }
+
+        // todo: more specific --> collection provider, document provider, etc.
+        public ResourceOperationIface getResourceProvider() {
+            return getBean("resourceProvider");
+        }
+
+
+
         public void finish() {
             this.getAuditingProvider().finish();
             context = null;
diff --git a/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java b/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
index be9e9ce..aa1e00b 100644
--- a/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
+++ b/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
@@ -137,8 +137,8 @@
     }
 
     // does not care about expiration times
-    public String retrieveContent(String signedContent) throws
-            KustvaktException {
+    public String retrieveContent(String signedContent)
+            throws KustvaktException {
         SignedJWT jwt;
         try {
             jwt = SignedJWT.parse(signedContent);
@@ -155,8 +155,8 @@
             throws ParseException, JOSEException, KustvaktException {
         SignedJWT signedJWT = verifyToken(idtoken);
 
-        TokenContext c = new TokenContext(
-                signedJWT.getJWTClaimsSet().getSubjectClaim());
+        TokenContext c = new TokenContext();
+        c.setUsername(signedJWT.getJWTClaimsSet().getSubjectClaim());
         if (signedJWT.getJWTClaimsSet().getAudienceClaim() != null)
             c.addContextParameter(Attributes.CLIENT_ID,
                     signedJWT.getJWTClaimsSet().getAudienceClaim()[0]);
diff --git a/src/main/java/de/ids_mannheim/korap/config/KustvaktConfiguration.java b/src/main/java/de/ids_mannheim/korap/config/KustvaktConfiguration.java
index 49eb4df..36f5bb2 100644
--- a/src/main/java/de/ids_mannheim/korap/config/KustvaktConfiguration.java
+++ b/src/main/java/de/ids_mannheim/korap/config/KustvaktConfiguration.java
@@ -1,6 +1,8 @@
 package de.ids_mannheim.korap.config;
 
+import de.ids_mannheim.korap.interfaces.EncryptionIface;
 import de.ids_mannheim.korap.utils.KustvaktLogger;
+import de.ids_mannheim.korap.utils.TimeUtils;
 import lombok.Getter;
 import org.apache.log4j.PropertyConfigurator;
 import org.slf4j.Logger;
@@ -23,22 +25,42 @@
 @Getter
 public class KustvaktConfiguration {
 
-    private final Logger jlog = KustvaktLogger
+    private static final Logger jlog = KustvaktLogger
             .initiate(KustvaktConfiguration.class);
     private String indexDir;
     private int port;
     // todo: make exclusive so that the containg languages can really only be used then
     private List<String> queryLanguages;
 
-    private int maxhits;
-
-    private int returnhits;
     private String serverHost;
-
-    private String host;
-
     private URL issuer;
 
+    private int maxhits;
+    private int returnhits;
+    private String keystoreLocation;
+    private String keystorePassword;
+    private Properties mailProperties;
+    private String host;
+    private String shibUserMapping;
+    private String userConfig;
+    private int inactiveTime;
+    private int loginAttemptTTL;
+    private long loginAttemptNum;
+    private boolean allowMultiLogIn;
+    private int expiration;
+    private int loadFactor;
+    private int validationStringLength;
+    private int validationEmaillength;
+    // fixme: should move to base config?!
+    private EncryptionIface.Encryption encryption;
+    private byte[] sharedSecret;
+    private String adminToken;
+    private int longTokenTTL;
+    private int tokenTTL;
+    private int shortTokenTTL;
+    private String[] rewrite_strategies;
+    private String passcodeSaltField;
+
     private String default_pos;
     private String default_lemma;
     private String default_surface;
@@ -51,35 +73,71 @@
     /**
      * loading of the properties and mapping to parameter variables
      *
-     * @param korap
+     * @param properties
      * @return
      */
-    protected Properties load(Properties korap) {
-        String log4jconfig = korap
+    protected Properties load(Properties properties) {
+        String log4jconfig = properties
                 .getProperty("log4jconfig", "log4j.properties");
         loadLog4jLogger(log4jconfig);
-        maxhits = new Integer(korap.getProperty("maxhits", "50000"));
-        returnhits = new Integer(korap.getProperty("returnhits", "50000"));
-        indexDir = korap.getProperty("lucene.indexDir", "");
-        port = new Integer(korap.getProperty("server.port", "8080"));
+        maxhits = new Integer(properties.getProperty("maxhits", "50000"));
+        returnhits = new Integer(properties.getProperty("returnhits", "50000"));
+        indexDir = properties.getProperty("lucene.indexDir", "");
+        port = new Integer(properties.getProperty("server.port", "8080"));
         // server options
         serverHost = String
-                .valueOf(korap.getProperty("server.host", "localhost"));
-        String queries = korap.getProperty("korap.ql", "");
+                .valueOf(properties.getProperty("server.host", "localhost"));
+        String queries = properties.getProperty("korap.ql", "");
         String[] qls = queries.split(",");
         queryLanguages = new ArrayList<>();
         for (String querylang : qls)
             queryLanguages.add(querylang.trim().toUpperCase());
         //        issuer = new URL(korap.getProperty("korap.issuer", ""));
 
-        default_const = korap.getProperty("kustvakt.default.const", "mate");
-        default_dep = korap.getProperty("kustvakt.default.dep", "mate");
-        default_lemma = korap.getProperty("kustvakt.default.lemma", "tt");
-        default_pos = korap.getProperty("kustvakt.default.pos", "tt");
-        default_surface = korap
+        default_const = properties
+                .getProperty("kustvakt.default.const", "mate");
+        default_dep = properties.getProperty("kustvakt.default.dep", "mate");
+        default_lemma = properties.getProperty("kustvakt.default.lemma", "tt");
+        default_pos = properties.getProperty("kustvakt.default.pos", "tt");
+        default_surface = properties
                 .getProperty("kustvakt.default.opennlp", "opennlp");
 
-        return korap;
+        // security configuration
+        expiration = TimeUtils.convertTimeToSeconds(properties
+                .getProperty("security.absoluteTimeoutDuration", "25M"));
+        inactiveTime = TimeUtils.convertTimeToSeconds(
+                properties.getProperty("security.idleTimeoutDuration", "10M"));
+        allowMultiLogIn = Boolean
+                .valueOf(properties.getProperty("security.multipleLogIn"));
+
+        loginAttemptNum = Long.parseLong(
+                properties.getProperty("security.loginAttemptNum", "3"));
+        loginAttemptTTL = TimeUtils.convertTimeToSeconds(
+                properties.getProperty("security.authAttemptTTL", "30M"));
+
+        loadFactor = Integer.valueOf(
+                properties.getProperty("security.encryption.loadFactor", "15"));
+        validationStringLength = Integer.valueOf(properties
+                .getProperty("security.validation.stringLength", "150"));
+        validationEmaillength = Integer.valueOf(properties
+                .getProperty("security.validation.emailLength", "40"));
+        encryption = Enum.valueOf(EncryptionIface.Encryption.class,
+                properties.getProperty("security.encryption", "BCRYPT"));
+        sharedSecret = properties.getProperty("security.sharedSecret", "")
+                .getBytes();
+        adminToken = properties.getProperty("security.adminToken");
+
+        longTokenTTL = TimeUtils.convertTimeToSeconds(
+                properties.getProperty("security.longTokenTTL", "100D"));
+        tokenTTL = TimeUtils.convertTimeToSeconds(
+                properties.getProperty("security.tokenTTL", "72H"));
+        shortTokenTTL = TimeUtils.convertTimeToSeconds(
+                properties.getProperty("security.shortTokenTTL", "3H"));
+
+        passcodeSaltField = properties
+                .getProperty("security.passcode.salt", "accountCreation");
+
+        return properties;
     }
 
     /**
@@ -124,14 +182,15 @@
                 jlog.info(
                         "using local logging properties file ({}) to configure logging system",
                         log4jconfig);
-            }else
-                loadClassLogger();
+                return;
+            }
         }catch (Exception e) {
-            loadClassLogger();
+            // do nothing
         }
+        loadClassLogger();
     }
 
-    public void loadClassLogger() {
+    private void loadClassLogger() {
         Properties log4j = new Properties();
         jlog.info(
                 "using class path logging properties file to configure logging system");
diff --git a/src/main/java/de/ids_mannheim/korap/exceptions/EmptyResultException.java b/src/main/java/de/ids_mannheim/korap/exceptions/EmptyResultException.java
index 5541695..07acf8d 100644
--- a/src/main/java/de/ids_mannheim/korap/exceptions/EmptyResultException.java
+++ b/src/main/java/de/ids_mannheim/korap/exceptions/EmptyResultException.java
@@ -4,10 +4,14 @@
  * @author hanl
  * @date 25/03/2014
  */
-public class EmptyResultException extends BaseException {
+public class EmptyResultException extends KustvaktException {
+
+    public EmptyResultException(String message, String entity) {
+        super(StatusCodes.EMPTY_RESULTS, message, entity);
+    }
 
     public EmptyResultException(String entity) {
-        super(StatusCodes.EMPTY_RESULTS, entity);
+        super(StatusCodes.EMPTY_RESULTS, "", entity);
     }
 
 }
diff --git a/src/main/java/de/ids_mannheim/korap/exceptions/KustvaktException.java b/src/main/java/de/ids_mannheim/korap/exceptions/KustvaktException.java
index 1c0c5aa..3b078ff 100644
--- a/src/main/java/de/ids_mannheim/korap/exceptions/KustvaktException.java
+++ b/src/main/java/de/ids_mannheim/korap/exceptions/KustvaktException.java
@@ -11,8 +11,6 @@
  * @author hanl
  * @date 11/12/2013
  */
-//fixme: redundant with baseexception
-@Deprecated
 @Setter
 @Getter
 public class KustvaktException extends Exception {
@@ -22,31 +20,37 @@
     private Integer statusCode;
     private String entity;
 
-    public KustvaktException(Integer status) {
+    public KustvaktException(int status) {
         this.statusCode = status;
     }
 
-    public KustvaktException(Object userid, Integer status) {
+    public KustvaktException(Object userid, int status) {
         this(status);
         this.userid = String.valueOf(userid);
     }
 
-    public KustvaktException(Object userid, Integer status, String message,
+    public KustvaktException(Object userid, int status, String message,
             String entity) {
-        super(status, message, entity);
+        super(message);
+        this.statusCode = status;
+        this.entity = entity;
         this.userid = String.valueOf(userid);
     }
 
-    public KustvaktException(Integer status, String message, String entity) {
-        super(status, message, entity);
+    public KustvaktException(int status, String message, String entity) {
+        super(message);
+        this.statusCode = status;
+        this.entity = entity;
     }
 
-    public KustvaktException(Throwable cause, Integer status) {
-        super(cause, status);
+    public KustvaktException(Throwable cause, int status) {
+        super(cause);
+        this.statusCode = status;
     }
 
-    public KustvaktException(String message, Throwable cause, Integer status) {
-        super(message, cause, status);
+    public KustvaktException(String message, Throwable cause, int status) {
+        super(message, cause);
+        this.statusCode = status;
     }
 
     @Override
diff --git a/src/main/java/de/ids_mannheim/korap/exceptions/NotAuthorizedException.java b/src/main/java/de/ids_mannheim/korap/exceptions/NotAuthorizedException.java
index 2b499c7..8b8d2c5 100644
--- a/src/main/java/de/ids_mannheim/korap/exceptions/NotAuthorizedException.java
+++ b/src/main/java/de/ids_mannheim/korap/exceptions/NotAuthorizedException.java
@@ -9,7 +9,7 @@
 // a security table registers all these exceptions (failed authentication, failed access to a resource, etc.)
 @Data
 @Deprecated
-public class NotAuthorizedException extends BaseException {
+public class NotAuthorizedException extends KustvaktException {
 
     public NotAuthorizedException(int status) {
         super(status);
diff --git a/src/main/java/de/ids_mannheim/korap/exceptions/WrappedException.java b/src/main/java/de/ids_mannheim/korap/exceptions/WrappedException.java
index c180f1b..70702b7 100644
--- a/src/main/java/de/ids_mannheim/korap/exceptions/WrappedException.java
+++ b/src/main/java/de/ids_mannheim/korap/exceptions/WrappedException.java
@@ -10,7 +10,7 @@
  */
 // should be a http exception that responds to a service point
 // is the extension of the notauthorized exception!
-public class WrappedException extends KorAPException {
+public class WrappedException extends KustvaktException {
 
     private WrappedException(Object userid, Integer status, String message,
             String args) {
@@ -23,7 +23,7 @@
         this.records.add(record);
     }
 
-    public WrappedException(KorAPException e, Integer status, String... args) {
+    public WrappedException(KustvaktException e, Integer status, String... args) {
         this(e.getUserid(), e.getStatusCode(), e.getMessage(), e.getEntity());
         AuditRecord record = AuditRecord
                 .serviceRecord(e.getUserid(), status, args);
diff --git a/src/main/java/de/ids_mannheim/korap/exceptions/dbException.java b/src/main/java/de/ids_mannheim/korap/exceptions/dbException.java
index d505e13..9818648 100644
--- a/src/main/java/de/ids_mannheim/korap/exceptions/dbException.java
+++ b/src/main/java/de/ids_mannheim/korap/exceptions/dbException.java
@@ -8,7 +8,7 @@
  * @author hanl
  * @date 08/04/2015
  */
-public class dbException extends KorAPException {
+public class dbException extends KustvaktException {
 
     private dbException(Object userid, Integer status, String message,
             String args) {
@@ -27,7 +27,7 @@
         this.records.add(record);
     }
 
-    public dbException(KorAPException e, Integer status, String... args) {
+    public dbException(KustvaktException e, Integer status, String... args) {
         this(e.getUserid(), e.getStatusCode(), e.getMessage(), e.getEntity());
         AuditRecord record = AuditRecord
                 .dbRecord(e.getUserid(), status, args);
diff --git a/src/main/java/de/ids_mannheim/korap/handlers/CollectionDao.java b/src/main/java/de/ids_mannheim/korap/handlers/CollectionDao.java
index 7f4fb22..fceaf89 100644
--- a/src/main/java/de/ids_mannheim/korap/handlers/CollectionDao.java
+++ b/src/main/java/de/ids_mannheim/korap/handlers/CollectionDao.java
@@ -2,10 +2,10 @@
 
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
-import de.ids_mannheim.korap.ext.interfaces.ResourceOperationIface;
-import de.ids_mannheim.korap.ext.resource.KorAPResource;
-import de.ids_mannheim.korap.ext.resource.VirtualCollection;
 import de.ids_mannheim.korap.interfaces.PersistenceClient;
+import de.ids_mannheim.korap.interfaces.ResourceOperationIface;
+import de.ids_mannheim.korap.resources.KustvaktResource;
+import de.ids_mannheim.korap.resources.VirtualCollection;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.utils.KustvaktLogger;
 import org.slf4j.Logger;
@@ -42,7 +42,7 @@
 
     // fixme: persistentid can be done, persistence is achieved by specifing a date until which documents
     // are to be included. this excludes documents that are part of the "sperreinträge"
-    public <T extends KorAPResource> T findbyId(String id, User user)
+    public <T extends KustvaktResource> T findbyId(String id, User user)
             throws KustvaktException {
         MapSqlParameterSource source = new MapSqlParameterSource();
         source.addValue("id", id);
diff --git a/src/main/java/de/ids_mannheim/korap/handlers/DocumentDao.java b/src/main/java/de/ids_mannheim/korap/handlers/DocumentDao.java
index 111c282..ce0475e 100644
--- a/src/main/java/de/ids_mannheim/korap/handlers/DocumentDao.java
+++ b/src/main/java/de/ids_mannheim/korap/handlers/DocumentDao.java
@@ -2,9 +2,9 @@
 
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
-import de.ids_mannheim.korap.ext.interfaces.ResourceOperationIface;
-import de.ids_mannheim.korap.ext.resource.Document;
 import de.ids_mannheim.korap.interfaces.PersistenceClient;
+import de.ids_mannheim.korap.interfaces.ResourceOperationIface;
+import de.ids_mannheim.korap.resources.Document;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.utils.BooleanUtils;
 import org.springframework.dao.DataAccessException;
diff --git a/src/main/java/de/ids_mannheim/korap/handlers/OAuth2Handler.java b/src/main/java/de/ids_mannheim/korap/handlers/OAuth2Handler.java
index 71ecbaf..c8d8281 100644
--- a/src/main/java/de/ids_mannheim/korap/handlers/OAuth2Handler.java
+++ b/src/main/java/de/ids_mannheim/korap/handlers/OAuth2Handler.java
@@ -9,6 +9,9 @@
 import net.sf.ehcache.Element;
 
 /**
+ * extends OAuthDb to allow temporary caching of tokens
+ * and authorizations (authorizations are not persisted in db)
+ *
  * @author hanl
  * @date 04/05/2015
  */
@@ -28,22 +31,26 @@
         return null;
     }
 
-    public void authorize(AuthCodeInfo code, User user) throws
-            KustvaktException {
+    public void authorize(AuthCodeInfo code, User user)
+            throws KustvaktException {
         code.setUserId(user.getId());
         cache.put(new Element(code.getCode(), code));
     }
 
-    public boolean addToken(String code, String token, int ttl)
+    public boolean addToken(String code, String token, String refresh, int ttl)
             throws KustvaktException {
         Element e = cache.get(code);
         if (e != null) {
             AuthCodeInfo info = (AuthCodeInfo) e.getObjectValue();
             cache.remove(code);
-            return super.addToken(token, info.getUserId(), info.getClientId(),
+            return super.addToken(token, refresh, info.getUserId(), info.getClientId(),
                     info.getScopes(), ttl);
         }
         return false;
     }
 
+    public void exchangeToken(String refresh) {
+
+    }
+
 }
diff --git a/src/main/java/de/ids_mannheim/korap/handlers/OAuthDb.java b/src/main/java/de/ids_mannheim/korap/handlers/OAuthDb.java
index b0bee5a..63485c9 100644
--- a/src/main/java/de/ids_mannheim/korap/handlers/OAuthDb.java
+++ b/src/main/java/de/ids_mannheim/korap/handlers/OAuthDb.java
@@ -103,10 +103,12 @@
         return true;
     }
 
-    public boolean addToken(String token, Integer userid, String client_id,
-            String scopes, int expiration) throws KustvaktException {
+    public boolean addToken(String token, String refresh, Integer userid,
+            String client_id, String scopes, int expiration)
+            throws KustvaktException {
         MapSqlParameterSource s = new MapSqlParameterSource();
         s.addValue("token", token);
+        s.addValue("rt", refresh);
         s.addValue("ex",
                 new Timestamp(TimeUtils.plusSeconds(expiration).getMillis()));
         s.addValue("us", userid);
@@ -114,8 +116,8 @@
         s.addValue("st", BooleanUtils.getBoolean(true));
         s.addValue("cli", client_id);
         String sql =
-                "insert into oauth2_access_token (access_token, scopes, client_id, user_id, expiration, status) "
-                        + "values (:token, :sc, :cli, :us, :ex, :st);";
+                "insert into oauth2_access_token (access_token, refresh_token, scopes, client_id, user_id, expiration, status) "
+                        + "values (:token, :rt, :sc, :cli, :us, :ex, :st);";
         try {
             return this.jdbcTemplate.update(sql, s) == 1;
         }catch (DataAccessException e) {
@@ -151,6 +153,10 @@
                 "select cl.* from oauth2_client as cl where cl.client_id in (select cd.client_id from oauth2_access_token as cd "
                         + "where cd.user_id=:user) or cl.is_confidential=:conf;";
 
+        //todo: test query
+        //        "select cl.* from oauth2_client as cl inner join oauth2_access_token as cd "
+        //                + "on cd.client_id=cl.client_id where cd.user_id=:user or cl.is_confidential=:conf;"
+
         MapSqlParameterSource s = new MapSqlParameterSource();
         s.addValue("user", userid);
         s.addValue("conf", BooleanUtils.getBoolean(true));
@@ -177,8 +183,9 @@
 
     }
 
-    public TokenContext getContext(final String token) throws
-            KustvaktException {
+    // todo: expired token must trigger an invalid token exception to trigger a refresh token
+    public TokenContext getContext(final String token)
+            throws KustvaktException {
         String sql =
                 "select ko.username, oa.expiration, oa.scopes from oauth2_access_token as oa inner join korap_users as ko "
                         + "on ko.id=oa.user_id where oa.access_token=:token and oa.expiration > :now;";
@@ -193,8 +200,8 @@
                         public TokenContext mapRow(ResultSet rs, int rowNum)
                                 throws SQLException {
                             long exp = rs.getTimestamp("expiration").getTime();
-                            TokenContext c = new TokenContext(
-                                    rs.getString(Attributes.USERNAME));
+                            TokenContext c = new TokenContext();
+                            c.setUsername(rs.getString(Attributes.USERNAME));
                             c.setExpirationTime(exp);
                             c.setToken(token);
                             c.setTokenType(Attributes.OAUTH2_AUTHORIZATION);
@@ -217,8 +224,8 @@
     }
 
     // subsequently delete all access and auth code tokens associated!
-    public void removeClient(ClientInfo info, User user) throws
-            KustvaktException {
+    public void removeClient(ClientInfo info, User user)
+            throws KustvaktException {
         MapSqlParameterSource p = new MapSqlParameterSource();
         p.addValue("url", info.getUrl());
         p.addValue("cls", info.getClient_secret());
diff --git a/src/main/java/de/ids_mannheim/korap/handlers/ResourceDao.java b/src/main/java/de/ids_mannheim/korap/handlers/ResourceDao.java
index 6039c79..3b51f5c 100644
--- a/src/main/java/de/ids_mannheim/korap/handlers/ResourceDao.java
+++ b/src/main/java/de/ids_mannheim/korap/handlers/ResourceDao.java
@@ -3,10 +3,10 @@
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.exceptions.dbException;
-import de.ids_mannheim.korap.ext.interfaces.ResourceOperationIface;
-import de.ids_mannheim.korap.ext.resource.KorAPResource;
-import de.ids_mannheim.korap.ext.resource.ResourceFactory;
 import de.ids_mannheim.korap.interfaces.PersistenceClient;
+import de.ids_mannheim.korap.interfaces.ResourceOperationIface;
+import de.ids_mannheim.korap.resources.KustvaktResource;
+import de.ids_mannheim.korap.resources.ResourceFactory;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.utils.KustvaktLogger;
 import de.ids_mannheim.korap.utils.TimeUtils;
@@ -26,7 +26,7 @@
  * Created by hanl on 7/21/14.
  */
 //todo: auditing // testing
-public class ResourceDao<T extends KorAPResource>
+public class ResourceDao<T extends KustvaktResource>
         implements ResourceOperationIface<T> {
 
     private static Logger log = KustvaktLogger.initiate(ResourceDao.class);
@@ -38,7 +38,7 @@
 
     @Override
     public Class<T> getType() {
-        return (Class<T>) KorAPResource.class;
+        return (Class<T>) KustvaktResource.class;
     }
 
     @Override
@@ -71,7 +71,7 @@
     }
 
     @Override
-    public <T extends KorAPResource> T findbyId(String id, User user)
+    public <T extends KustvaktResource> T findbyId(String id, User user)
             throws KustvaktException {
         MapSqlParameterSource source = new MapSqlParameterSource();
         source.addValue("pid", id);
@@ -86,7 +86,7 @@
         }
     }
 
-    public KorAPResource findbyPath(String path, User user)
+    public KustvaktResource findbyPath(String path, User user)
             throws KustvaktException {
         MapSqlParameterSource source = new MapSqlParameterSource();
         source.addValue("path", path);
@@ -103,7 +103,7 @@
     }
 
     @Override
-    public <T extends KorAPResource> T findbyId(Integer id, User user)
+    public <T extends KustvaktResource> T findbyId(Integer id, User user)
             throws KustvaktException {
         MapSqlParameterSource source = new MapSqlParameterSource();
         source.addValue("id", id);
diff --git a/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationIface.java b/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationIface.java
index 600981f..82d6737 100644
--- a/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationIface.java
+++ b/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationIface.java
@@ -1,6 +1,6 @@
 package de.ids_mannheim.korap.interfaces;
 
-import de.ids_mannheim.korap.exceptions.KorAPException;
+import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.user.TokenContext;
 import de.ids_mannheim.korap.user.User;
 
@@ -8,15 +8,16 @@
 
 public interface AuthenticationIface {
 
-    public TokenContext getUserStatus(String authToken) throws KorAPException;
+    TokenContext getUserStatus(String authToken) throws
+            KustvaktException;
 
-    public TokenContext createUserSession(User user, Map<String, Object> attr)
-            throws KorAPException;
+    TokenContext createUserSession(User user, Map<String, Object> attr)
+            throws KustvaktException;
 
-    public void removeUserSession(String token) throws KorAPException;
+    void removeUserSession(String token) throws KustvaktException;
 
-    public TokenContext refresh(TokenContext context) throws KorAPException;
+    TokenContext refresh(TokenContext context) throws KustvaktException;
 
-    public String getIdentifier();
+    String getIdentifier();
 
 }
diff --git a/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationManagerIface.java b/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationManagerIface.java
index 45e5143..c6d1bee 100644
--- a/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationManagerIface.java
+++ b/src/main/java/de/ids_mannheim/korap/interfaces/AuthenticationManagerIface.java
@@ -1,6 +1,6 @@
 package de.ids_mannheim.korap.interfaces;
 
-import de.ids_mannheim.korap.exceptions.KorAPException;
+import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.user.*;
 
 import java.util.HashMap;
@@ -34,48 +34,49 @@
     }
 
     public abstract TokenContext getTokenStatus(String token, String host,
-            String useragent) throws KorAPException;
+            String useragent) throws KustvaktException;
 
-    public abstract User getUser(String username) throws KorAPException;
+    public abstract User getUser(String username) throws KustvaktException;
 
     public abstract User authenticate(int type, String username,
             String password, Map<String, Object> attributes)
-            throws KorAPException;
+            throws KustvaktException;
 
     public abstract TokenContext createTokenContext(User user,
             Map<String, Object> attr, String provider_key)
-            throws KorAPException;
+            throws KustvaktException;
 
-    public abstract void logout(TokenContext context) throws KorAPException;
+    public abstract void logout(TokenContext context) throws KustvaktException;
 
-    public abstract void lockAccount(User user) throws KorAPException;
+    public abstract void lockAccount(User user) throws KustvaktException;
 
     public abstract User createUserAccount(Map<String, Object> attributes)
-            throws KorAPException;
+            throws KustvaktException;
 
-    public abstract boolean updateAccount(User user) throws KorAPException;
+    public abstract boolean updateAccount(User user) throws KustvaktException;
 
-    public abstract boolean deleteAccount(User user) throws KorAPException;
+    public abstract boolean deleteAccount(User user) throws KustvaktException;
 
-    public abstract UserDetails getUserDetails(User user) throws KorAPException;
+    public abstract UserDetails getUserDetails(User user) throws
+            KustvaktException;
 
     public abstract UserSettings getUserSettings(User user)
-            throws KorAPException;
+            throws KustvaktException;
 
     public abstract void updateUserDetails(User user, UserDetails details)
-            throws KorAPException;
+            throws KustvaktException;
 
     public abstract void updateUserSettings(User user, UserSettings settings)
-            throws KorAPException;
+            throws KustvaktException;
 
     public abstract Object[] validateResetPasswordRequest(String username,
-            String email) throws KorAPException;
+            String email) throws KustvaktException;
 
     public abstract void resetPassword(String uriFragment, String username,
-            String newPassphrase) throws KorAPException;
+            String newPassphrase) throws KustvaktException;
 
     public abstract void confirmRegistration(String uriFragment,
-            String username) throws KorAPException;
+            String username) throws KustvaktException;
 
     @Override
     public String toString() {
diff --git a/src/main/java/de/ids_mannheim/korap/interfaces/EncryptionIface.java b/src/main/java/de/ids_mannheim/korap/interfaces/EncryptionIface.java
index 0b00b31..1dc864c 100644
--- a/src/main/java/de/ids_mannheim/korap/interfaces/EncryptionIface.java
+++ b/src/main/java/de/ids_mannheim/korap/interfaces/EncryptionIface.java
@@ -1,6 +1,6 @@
 package de.ids_mannheim.korap.interfaces;
 
-import de.ids_mannheim.korap.exceptions.KorAPException;
+import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.user.User;
 
 import java.io.UnsupportedEncodingException;
@@ -24,11 +24,11 @@
      */
     public String produceSecureHash(String input, String salt)
             throws NoSuchAlgorithmException, UnsupportedEncodingException,
-            KorAPException;
+            KustvaktException;
 
     public String produceSecureHash(String input)
             throws NoSuchAlgorithmException, UnsupportedEncodingException,
-            KorAPException;
+            KustvaktException;
 
     public String hash(String value);
 
@@ -62,17 +62,17 @@
 
     public String encodeBase();
 
-    public String validateIPAddress(String ipaddress) throws KorAPException;
+    public String validateIPAddress(String ipaddress) throws KustvaktException;
 
-    public String validateEmail(String email) throws KorAPException;
+    public String validateEmail(String email) throws KustvaktException;
 
     public Map<String, Object> validateMap(Map<String, Object> map)
-            throws KorAPException;
+            throws KustvaktException;
 
-    public String validateString(String input) throws KorAPException;
+    public String validateString(String input) throws KustvaktException;
 
-    public void validate(Object instance) throws KorAPException;
+    public void validate(Object instance) throws KustvaktException;
 
-    public String validatePassphrase(String pw) throws KorAPException;
+    public String validatePassphrase(String pw) throws KustvaktException;
 
 }
diff --git a/src/main/java/de/ids_mannheim/korap/interfaces/EntityHandlerIface.java b/src/main/java/de/ids_mannheim/korap/interfaces/EntityHandlerIface.java
index fb8048b..aed2871 100644
--- a/src/main/java/de/ids_mannheim/korap/interfaces/EntityHandlerIface.java
+++ b/src/main/java/de/ids_mannheim/korap/interfaces/EntityHandlerIface.java
@@ -1,7 +1,7 @@
 package de.ids_mannheim.korap.interfaces;
 
 import de.ids_mannheim.korap.exceptions.EmptyResultException;
-import de.ids_mannheim.korap.exceptions.KorAPException;
+import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.user.UserDetails;
 import de.ids_mannheim.korap.user.UserSettings;
@@ -12,13 +12,13 @@
  * Time: 11:04 AM
  */
 public interface EntityHandlerIface {
-    UserSettings getUserSettings(Integer userid) throws KorAPException;
+    UserSettings getUserSettings(Integer userid) throws KustvaktException;
 
-    int updateSettings(UserSettings settings) throws KorAPException;
+    int updateSettings(UserSettings settings) throws KustvaktException;
 
-    UserDetails getUserDetails(Integer userid) throws KorAPException;
+    UserDetails getUserDetails(Integer userid) throws KustvaktException;
 
-    int updateUserDetails(UserDetails details) throws KorAPException;
+    int updateUserDetails(UserDetails details) throws KustvaktException;
 
     //    List<UserQuery> getUserQueries(User user) throws KorAPException;
 
@@ -27,18 +27,18 @@
     //    void updateUserQueries(User user, List<UserQuery> newOnes) throws KorAPException;
 
     User getAccount(String username) throws
-            EmptyResultException, KorAPException;
+            EmptyResultException, KustvaktException;
 
-    int updateAccount(User user) throws KorAPException;
+    int updateAccount(User user) throws KustvaktException;
 
-    int createAccount(User user) throws KorAPException;
+    int createAccount(User user) throws KustvaktException;
 
-    int deleteAccount(Integer userid) throws KorAPException;
+    int deleteAccount(Integer userid) throws KustvaktException;
 
     int resetPassphrase(String username, String uriToken,
-            String passphrase) throws KorAPException;
+            String passphrase) throws KustvaktException;
 
     int activateAccount(String username, String uriToken)
-            throws KorAPException;
+            throws KustvaktException;
 
 }
diff --git a/src/main/java/de/ids_mannheim/korap/interfaces/defaults/DefaultEncryption.java b/src/main/java/de/ids_mannheim/korap/interfaces/defaults/DefaultEncryption.java
index a79c82f..1465c06 100644
--- a/src/main/java/de/ids_mannheim/korap/interfaces/defaults/DefaultEncryption.java
+++ b/src/main/java/de/ids_mannheim/korap/interfaces/defaults/DefaultEncryption.java
@@ -2,7 +2,7 @@
 
 import de.ids_mannheim.korap.config.BeanConfiguration;
 import de.ids_mannheim.korap.config.Configurable;
-import de.ids_mannheim.korap.exceptions.KorAPException;
+import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.interfaces.EncryptionIface;
 import de.ids_mannheim.korap.user.User;
 
@@ -28,14 +28,14 @@
     @Override
     public String produceSecureHash(String input, String salt)
             throws NoSuchAlgorithmException, UnsupportedEncodingException,
-            KorAPException {
+            KustvaktException {
         return null;
     }
 
     @Override
     public String produceSecureHash(String input)
             throws NoSuchAlgorithmException, UnsupportedEncodingException,
-            KorAPException {
+            KustvaktException {
         return null;
     }
 
@@ -81,33 +81,33 @@
     }
 
     @Override
-    public String validateIPAddress(String ipaddress) throws KorAPException {
+    public String validateIPAddress(String ipaddress) throws KustvaktException {
         return null;
     }
 
     @Override
-    public String validateEmail(String email) throws KorAPException {
+    public String validateEmail(String email) throws KustvaktException {
         return null;
     }
 
     @Override
     public Map<String, Object> validateMap(Map<String, Object> map)
-            throws KorAPException {
+            throws KustvaktException {
         return null;
     }
 
     @Override
-    public String validateString(String input) throws KorAPException {
+    public String validateString(String input) throws KustvaktException {
         return null;
     }
 
     @Override
-    public void validate(Object instance) throws KorAPException {
+    public void validate(Object instance) throws KustvaktException {
 
     }
 
     @Override
-    public String validatePassphrase(String pw) throws KorAPException {
+    public String validatePassphrase(String pw) throws KustvaktException {
         return null;
     }
 }
diff --git a/src/main/java/de/ids_mannheim/korap/resource/CollectionProcessor.java b/src/main/java/de/ids_mannheim/korap/resource/CollectionProcessor.java
index db1b995..b1e13d4 100644
--- a/src/main/java/de/ids_mannheim/korap/resource/CollectionProcessor.java
+++ b/src/main/java/de/ids_mannheim/korap/resource/CollectionProcessor.java
@@ -4,5 +4,6 @@
  * @author hanl
  * @date 19/06/2015
  */
+@Deprecated
 public class CollectionProcessor {
 }
diff --git a/src/main/java/de/ids_mannheim/korap/resource/LayerProcessor.java b/src/main/java/de/ids_mannheim/korap/resource/LayerProcessor.java
index 952e308..dab1914 100644
--- a/src/main/java/de/ids_mannheim/korap/resource/LayerProcessor.java
+++ b/src/main/java/de/ids_mannheim/korap/resource/LayerProcessor.java
@@ -10,6 +10,7 @@
  * @author hanl
  * @date 19/06/2015
  */
+@Deprecated
 public class LayerProcessor extends NodeProcessor {
 
     private LayerMapper mapper;
diff --git a/src/main/java/de/ids_mannheim/korap/resource/NodeProcessor.java b/src/main/java/de/ids_mannheim/korap/resource/NodeProcessor.java
index c7a9451..c2ed5b1 100644
--- a/src/main/java/de/ids_mannheim/korap/resource/NodeProcessor.java
+++ b/src/main/java/de/ids_mannheim/korap/resource/NodeProcessor.java
@@ -6,6 +6,7 @@
  * @author hanl
  * @date 19/06/2015
  */
+@Deprecated
 public abstract class NodeProcessor {
 
     public abstract JsonNode process(JsonNode node);
diff --git a/src/main/java/de/ids_mannheim/korap/resource/RewriteProcessor.java b/src/main/java/de/ids_mannheim/korap/resource/RewriteProcessor.java
index 4d2a2a4..af44cb8 100644
--- a/src/main/java/de/ids_mannheim/korap/resource/RewriteProcessor.java
+++ b/src/main/java/de/ids_mannheim/korap/resource/RewriteProcessor.java
@@ -11,6 +11,7 @@
  * @author hanl
  * @date 19/06/2015
  */
+@Deprecated
 public class RewriteProcessor {
 
     private KustvaktConfiguration config;
diff --git a/src/main/java/de/ids_mannheim/korap/security/auth/KustvaktAuthenticationManager.java b/src/main/java/de/ids_mannheim/korap/security/auth/KustvaktAuthenticationManager.java
index a703e39..d5e22da 100644
--- a/src/main/java/de/ids_mannheim/korap/security/auth/KustvaktAuthenticationManager.java
+++ b/src/main/java/de/ids_mannheim/korap/security/auth/KustvaktAuthenticationManager.java
@@ -111,7 +111,6 @@
      * @return User
      * @throws KustvaktException
      */
-
     public User authenticate(int type, String username, String password,
             Map<String, Object> attributes) throws KustvaktException {
         User user;
diff --git a/src/main/java/de/ids_mannheim/korap/user/TokenContext.java b/src/main/java/de/ids_mannheim/korap/user/TokenContext.java
index 8f244d3..e877846 100644
--- a/src/main/java/de/ids_mannheim/korap/user/TokenContext.java
+++ b/src/main/java/de/ids_mannheim/korap/user/TokenContext.java
@@ -25,19 +25,13 @@
     // either "session_token " / "api_token
     private String tokenType;
     private String token;
-
     private boolean secureRequired;
 
     private Map<String, Object> parameters;
     private String hostAddress;
     private String userAgent;
 
-    public TokenContext(String username) {
-        this();
-        this.username = username;
-    }
-
-    private TokenContext() {
+    public TokenContext() {
         this.parameters = new HashMap<>();
         this.setUsername("");
         this.setToken("");
@@ -75,20 +69,28 @@
         this.expirationTime = new Date(date);
     }
 
+    //todo: complete
     public static TokenContext fromJSON(String s) {
         JsonNode node = JsonUtils.readTree(s);
-        TokenContext c = new TokenContext(
-                node.path(Attributes.USERNAME).asText());
-        c.setToken(node.path(Attributes.TOKEN).asText());
+        TokenContext c = new TokenContext();
+        if (node != null) {
+            c.setUsername(node.path(Attributes.USERNAME).asText());
+            c.setToken(node.path(Attributes.TOKEN).asText());
+        }
         return c;
     }
 
-    public static TokenContext fromOAuth(String s) {
+    public static TokenContext fromOAuth2(String s) {
         JsonNode node = JsonUtils.readTree(s);
         TokenContext c = new TokenContext();
-        c.setToken(node.path("token").asText());
-        c.setTokenType(node.path("token_type").asText());
-        c.setExpirationTime(node.path("expires_in").asLong());
+        if (node != null) {
+            c.setToken(node.path("token").asText());
+            c.setTokenType(node.path("token_type").asText());
+            c.setExpirationTime(node.path("expires_in").asLong());
+            c.addContextParameter("refresh_token",
+                    node.path("refresh_token").asText());
+
+        }
         return c;
     }
 
diff --git a/src/main/java/de/ids_mannheim/korap/utils/Benchmarker.java b/src/main/java/de/ids_mannheim/korap/utils/Benchmarker.java
index 2a4761a..309578d 100644
--- a/src/main/java/de/ids_mannheim/korap/utils/Benchmarker.java
+++ b/src/main/java/de/ids_mannheim/korap/utils/Benchmarker.java
@@ -1,14 +1,10 @@
 package de.ids_mannheim.korap.utils;
 
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
 /**
  * @author hanl
  * @date 29/04/2014
  */
 
+@Deprecated
 public class Benchmarker {
 }
diff --git a/src/main/java/de/ids_mannheim/korap/utils/CollectionQueryBuilder3.java b/src/main/java/de/ids_mannheim/korap/utils/CollectionQueryBuilder3.java
index 4d012b2..6b1ee91 100644
--- a/src/main/java/de/ids_mannheim/korap/utils/CollectionQueryBuilder3.java
+++ b/src/main/java/de/ids_mannheim/korap/utils/CollectionQueryBuilder3.java
@@ -1,10 +1,10 @@
 package de.ids_mannheim.korap.utils;
 
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ArrayNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
 import de.ids_mannheim.korap.query.serialize.CollectionQueryProcessor;
 
-import java.io.IOException;
-import java.util.*;
-
 /**
  * convenience builder class for collection query
  *
@@ -13,8 +13,12 @@
  */
 public class CollectionQueryBuilder3 {
 
+    public enum EQ {
+        EQUAL, UNEQUAL
+    }
+
     private boolean verbose;
-    private List<Map> rq;
+    private JsonNode base;
     private StringBuilder builder;
 
     public CollectionQueryBuilder3() {
@@ -24,12 +28,18 @@
     public CollectionQueryBuilder3(boolean verbose) {
         this.verbose = verbose;
         this.builder = new StringBuilder();
-        this.rq = new LinkedList<>();
+        this.base = null;
     }
 
-    public CollectionQueryBuilder3 addSegment(String field, String value) {
-        String f = field + "=" + value;
-        this.builder.append(f);
+    public CollectionQueryBuilder3 addSegment(String field, EQ eq,
+            String value) {
+        if (base == null)
+            this.builder
+                    .append(field + (eq.equals(EQ.EQUAL) ? "=" : "!=") + value);
+        else {
+            JsonNode node = Utils.buildDoc(field, value, eq);
+            appendToBaseGroup(node);
+        }
         return this;
     }
 
@@ -42,7 +52,16 @@
     public CollectionQueryBuilder3 addSub(String query) {
         if (!query.startsWith("(") && !query.endsWith(")"))
             query = "(" + query + ")";
-        this.builder.append(query);
+
+        if (base != null) {
+            CollectionQueryProcessor tree = new CollectionQueryProcessor(
+                    this.verbose);
+            tree.process(query);
+            JsonNode map = JsonUtils
+                    .valueToTree(tree.getRequestMap().get("collection"));
+            appendToBaseGroup(map);
+        }else
+            this.builder.append(query);
         return this;
     }
 
@@ -56,33 +75,70 @@
         return this;
     }
 
+    @Deprecated
     public CollectionQueryBuilder3 addRaw(String collection) {
-        try {
-            Map v = JsonUtils.read(collection, HashMap.class);
-            v.get("collection");
-        }catch (IOException e) {
-            throw new IllegalArgumentException("Conversion went wrong!");
-        }
         return this;
     }
 
-    public Map getRequest() {
-        //todo: adding another resource query doesnt work
+    public Object getRequest() {
+        Object request = base;
+        if (request == null) {
+            CollectionQueryProcessor tree = new CollectionQueryProcessor(
+                    this.verbose);
+            tree.process(this.builder.toString());
 
-        CollectionQueryProcessor tree = new CollectionQueryProcessor(
-                this.verbose);
-        tree.process(this.builder.toString());
-
-        Map request = tree.getRequestMap();
-        if (!this.rq.isEmpty()) {
-            List coll = (List) request.get("collection");
-            coll.addAll(this.rq);
+            request = tree.getRequestMap();
         }
         return request;
     }
 
+    /**
+     * sets base query. All consequent queries are added to the first koral:docGroup within the collection base query
+     * If no group in base query, consequent queries are skipped.
+     *
+     * @param query
+     */
+    public void setBaseQuery(String query) {
+        this.base = JsonUtils.readTree(query);
+    }
+
     public String toJSON() {
         return JsonUtils.toJSON(getRequest());
     }
 
+
+
+    private void appendToBaseGroup(JsonNode node) {
+        if (base.at("/collection/@type").asText().equals("koral:docGroup")) {
+            ArrayNode group = (ArrayNode) base.at("/collection/operands");
+            if (node instanceof ArrayNode)
+                group.addAll((ArrayNode) node);
+            else
+                group.add(node);
+        }else
+            throw new IllegalArgumentException("No group found to add to!");
+        // fixme: if base is a doc only, this function is not supported. requirement is a koral:docGroup, since
+        // combination operator is unknown otherwise
+    }
+
+    public static class Utils {
+
+        public static JsonNode buildDoc(String key, String value, EQ eq) {
+            ObjectNode node = JsonUtils.createObjectNode();
+            node.put("@type", "koral:doc");
+            node.put("match", eq.equals(EQ.EQUAL) ? "match:eq" : "match:ne");
+            node.put("key", key);
+            node.put("value", value);
+
+            return node;
+        }
+
+        public static JsonNode buildDocGroup() {
+            ObjectNode node = JsonUtils.createObjectNode();
+
+            return node;
+        }
+
+    }
+
 }
diff --git a/src/main/java/de/ids_mannheim/korap/web/.DS_Store b/src/main/java/de/ids_mannheim/korap/web/.DS_Store
index 32f11f9..1383f97 100644
--- a/src/main/java/de/ids_mannheim/korap/web/.DS_Store
+++ b/src/main/java/de/ids_mannheim/korap/web/.DS_Store
Binary files differ
diff --git a/src/main/java/de/ids_mannheim/korap/web/ClientsHandler.java b/src/main/java/de/ids_mannheim/korap/web/ClientsHandler.java
index 8b846eb..65fdafa 100644
--- a/src/main/java/de/ids_mannheim/korap/web/ClientsHandler.java
+++ b/src/main/java/de/ids_mannheim/korap/web/ClientsHandler.java
@@ -6,7 +6,7 @@
 import com.sun.jersey.api.client.config.ClientConfig;
 import com.sun.jersey.api.client.config.DefaultClientConfig;
 import com.sun.jersey.core.util.MultivaluedMapImpl;
-import de.ids_mannheim.korap.exceptions.KorAPException;
+import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 
 import javax.ws.rs.core.MultivaluedMap;
@@ -27,17 +27,19 @@
         this.service = client.resource(address);
     }
 
-    public String getResponse(String path, String key, Object value) throws KorAPException {
+    public String getResponse(String path, String key, Object value) throws
+            KustvaktException {
         MultivaluedMap map = new MultivaluedMapImpl();
         map.add(key, value);
         try {
             return service.path(path).queryParams(map).get(String.class);
         } catch (UniformInterfaceException e) {
-            throw new KorAPException(StatusCodes.REQUEST_INVALID);
+            throw new KustvaktException(StatusCodes.REQUEST_INVALID);
         }
     }
 
-    public String getResponse(MultivaluedMap map, String... paths) throws KorAPException {
+    public String getResponse(MultivaluedMap map, String... paths) throws
+            KustvaktException {
         try {
             WebResource resource = service;
             for (String p : paths)
@@ -45,7 +47,7 @@
             resource = resource.queryParams(map);
             return resource.get(String.class);
         } catch (UniformInterfaceException e) {
-            throw new KorAPException(StatusCodes.REQUEST_INVALID);
+            throw new KustvaktException(StatusCodes.REQUEST_INVALID);
         }
     }
 
diff --git a/src/main/java/de/ids_mannheim/korap/web/KustvaktBaseServer.java b/src/main/java/de/ids_mannheim/korap/web/KustvaktBaseServer.java
index 1e97bd8..c8961932 100644
--- a/src/main/java/de/ids_mannheim/korap/web/KustvaktBaseServer.java
+++ b/src/main/java/de/ids_mannheim/korap/web/KustvaktBaseServer.java
@@ -28,7 +28,7 @@
         else
             BeanConfiguration.loadClasspathContext();
 
-        kargs.setRootClasses(
+        kargs.setRootPackages(
                 new String[] { "de.ids_mannheim.korap.web.service.light" });
         startServer(kargs);
     }
@@ -71,7 +71,7 @@
 
             // http://stackoverflow.com/questions/9670363/how-do-i-programmatically-configure-jersey-to-use-jackson-for-json-deserializa
             final ResourceConfig rc = new PackagesResourceConfig(
-                    kargs.rootClasses);
+                    kargs.rootPackages);
 
             // from http://stackoverflow.com/questions/7421574/embedded-jetty-with-jersey-or-resteasy
             contextHandler
@@ -106,7 +106,7 @@
         private String config;
         private int port;
         private SslContextFactory sslContext;
-        private String[] rootClasses;
+        private String[] rootPackages;
 
         public KustvaktArgs() {
             this.port = -1;
diff --git a/src/main/java/de/ids_mannheim/korap/web/filter/AuthFilter.java b/src/main/java/de/ids_mannheim/korap/web/filter/AuthFilter.java
index 8346e1f..eff8b57 100644
--- a/src/main/java/de/ids_mannheim/korap/web/filter/AuthFilter.java
+++ b/src/main/java/de/ids_mannheim/korap/web/filter/AuthFilter.java
@@ -9,6 +9,7 @@
 import de.ids_mannheim.korap.interfaces.AuthenticationManagerIface;
 import de.ids_mannheim.korap.user.TokenContext;
 import de.ids_mannheim.korap.web.utils.KorAPContext;
+import de.ids_mannheim.korap.web.utils.KustvaktResponseHandler;
 
 import javax.ws.rs.ext.Provider;
 
@@ -40,7 +41,7 @@
                         .getTokenStatus(authentication, host, ua);
 
             }catch (KustvaktException e) {
-                throw BeanConfiguration.getResponseHandler().throwit(e);
+                throw KustvaktResponseHandler.throwit(e);
             }
 
             if (context != null && (
diff --git a/src/main/java/de/ids_mannheim/korap/web/filter/DefaultFilter.java b/src/main/java/de/ids_mannheim/korap/web/filter/DefaultFilter.java
index a8ffe89..e28be03 100644
--- a/src/main/java/de/ids_mannheim/korap/web/filter/DefaultFilter.java
+++ b/src/main/java/de/ids_mannheim/korap/web/filter/DefaultFilter.java
@@ -39,7 +39,8 @@
 
     private TokenContext createShorterToken(String host, String agent) {
         User demo = User.UserFactory.getDemoUser();
-        TokenContext c = new TokenContext(demo.getUsername());
+        TokenContext c = new TokenContext();
+        c.setUsername(demo.getUsername());
         c.setHostAddress(host);
         c.setUserAgent(agent);
         c.setExpirationTime(TimeUtils.plusSeconds(
diff --git a/src/main/java/de/ids_mannheim/korap/web/service/AuthService.java b/src/main/java/de/ids_mannheim/korap/web/service/AuthService.java
index 5e76016..d4b98fc 100644
--- a/src/main/java/de/ids_mannheim/korap/web/service/AuthService.java
+++ b/src/main/java/de/ids_mannheim/korap/web/service/AuthService.java
@@ -18,6 +18,7 @@
 import de.ids_mannheim.korap.web.filter.AuthFilter;
 import de.ids_mannheim.korap.web.filter.DefaultFilter;
 import de.ids_mannheim.korap.web.filter.PiwikFilter;
+import de.ids_mannheim.korap.web.utils.KustvaktResponseHandler;
 import org.slf4j.Logger;
 
 import javax.ws.rs.*;
@@ -82,6 +83,7 @@
         return Response.ok(ctx.toJSON()).build();
     }
 
+    // todo: rename scope to scopes!
     @GET
     @Path("apiToken")
     public Response requestAPIToken(@Context HttpHeaders headers,
@@ -89,29 +91,29 @@
             @HeaderParam(ContainerRequest.USER_AGENT) String agent,
             @HeaderParam(ContainerRequest.HOST) String host,
             @HeaderParam("referer-url") String referer,
-            @QueryParam("scope") String scope) {
+            @QueryParam("scopes") String scopes) {
         List<String> auth = headers
                 .getRequestHeader(ContainerRequest.AUTHORIZATION);
 
         if (auth == null)
-            throw BeanConfiguration.getResponseHandler()
+            throw KustvaktResponseHandler
                     .throwit(StatusCodes.PERMISSION_DENIED);
         String[] values = BasicHttpAuth.decode(auth.get(0));
 
         // "Invalid syntax for username and password"
         if (values == null)
-            throw BeanConfiguration.getResponseHandler()
+            throw KustvaktResponseHandler
                     .throwit(StatusCodes.PERMISSION_DENIED);
 
         if (values[0].equalsIgnoreCase("null") | values[1]
                 .equalsIgnoreCase("null"))
             // is actual an invalid request
-            throw BeanConfiguration.getResponseHandler()
+            throw KustvaktResponseHandler
                     .throwit(StatusCodes.REQUEST_INVALID);
 
         Map<String, Object> attr = new HashMap<>();
-        if (scope != null && !scope.isEmpty())
-            attr.put(Attributes.SCOPES, scope);
+        if (scopes != null && !scopes.isEmpty())
+            attr.put(Attributes.SCOPES, scopes);
         attr.put(Attributes.HOST, host);
         attr.put(Attributes.USER_AGENT, agent);
         TokenContext context;
@@ -121,7 +123,7 @@
             context = controller.createTokenContext(user, attr,
                     Attributes.API_AUTHENTICATION);
         }catch (KustvaktException e) {
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
 
         return Response.ok(context.toResponse()).build();
@@ -140,7 +142,7 @@
         //            newContext = controller.refresh(ctx);
         //        }catch (KorAPException e) {
         //            KorAPLogger.ERROR_LOGGER.error("Exception encountered!", e);
-        //            throw BeanConfiguration.getResponseHandler().throwit(e);
+        //            throw KustvaktResponseHandler.throwit(e);
         //        }
         //        return Response.ok().entity(newContext.getToken()).build();
         return null;
@@ -156,7 +158,7 @@
                 .getRequestHeader(ContainerRequest.AUTHORIZATION);
 
         if (auth == null)
-            throw BeanConfiguration.getResponseHandler()
+            throw KustvaktResponseHandler
                     .throwit(StatusCodes.PERMISSION_DENIED);
 
         String[] values = BasicHttpAuth.decode(auth.get(0));
@@ -167,12 +169,12 @@
 
         // "Invalid syntax for username and password"
         if (values == null)
-            throw BeanConfiguration.getResponseHandler()
+            throw KustvaktResponseHandler
                     .throwit(StatusCodes.PERMISSION_DENIED);
 
         if (values[0].equalsIgnoreCase("null") | values[1]
                 .equalsIgnoreCase("null"))
-            throw BeanConfiguration.getResponseHandler()
+            throw KustvaktResponseHandler
                     .throwit(StatusCodes.REQUEST_INVALID);
 
         Map<String, Object> attr = new HashMap<>();
@@ -184,7 +186,7 @@
             context = controller.createTokenContext(user, attr,
                     Attributes.SESSION_AUTHENTICATION);
         }catch (KustvaktException e) {
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
         return Response.ok().entity(context.toJSON()).build();
     }
@@ -215,7 +217,7 @@
             User user = controller.authenticate(1, null, null, attr);
             context = controller.createTokenContext(user, attr, null);
         }catch (KustvaktException e) {
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
         return Response.ok().entity(context.toJSON()).build();
     }
diff --git a/src/main/java/de/ids_mannheim/korap/web/service/OAuthService.java b/src/main/java/de/ids_mannheim/korap/web/service/OAuthService.java
index 525eca9..ae4c57e 100644
--- a/src/main/java/de/ids_mannheim/korap/web/service/OAuthService.java
+++ b/src/main/java/de/ids_mannheim/korap/web/service/OAuthService.java
@@ -15,10 +15,11 @@
 import de.ids_mannheim.korap.utils.StringUtils;
 import de.ids_mannheim.korap.web.KustvaktServer;
 import de.ids_mannheim.korap.web.filter.AuthFilter;
-import de.ids_mannheim.korap.web.filter.BlockFilter;
+import de.ids_mannheim.korap.web.filter.BlockingFilter;
 import de.ids_mannheim.korap.web.filter.DefaultFilter;
 import de.ids_mannheim.korap.web.filter.PiwikFilter;
 import de.ids_mannheim.korap.web.utils.FormRequestWrapper;
+import de.ids_mannheim.korap.web.utils.KustvaktResponseHandler;
 import org.apache.oltu.oauth2.as.issuer.MD5Generator;
 import org.apache.oltu.oauth2.as.issuer.OAuthIssuer;
 import org.apache.oltu.oauth2.as.issuer.OAuthIssuerImpl;
@@ -75,7 +76,7 @@
 
     @POST
     @Path("unregister")
-    @ResourceFilters({ AuthFilter.class, BlockFilter.class })
+    @ResourceFilters({ AuthFilter.class, BlockingFilter.class })
     public Response unregisterClient(@Context SecurityContext context,
             @HeaderParam("Host") String host,
             @QueryParam("client_secret") String secret,
@@ -87,14 +88,14 @@
             this.handler.removeClient(info,
                     this.controller.getUser(ctx.getUsername()));
         }catch (KustvaktException e) {
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
         return Response.ok().build();
     }
 
     @POST
     @Path("register")
-    @ResourceFilters({ AuthFilter.class, BlockFilter.class })
+    @ResourceFilters({ AuthFilter.class, BlockingFilter.class })
     public Response registerClient(@Context SecurityContext context,
             @HeaderParam("Host") String host,
             @QueryParam("redirect_url") String rurl) {
@@ -102,7 +103,7 @@
                 crypto.createToken());
         info.setUrl(host);
         if (rurl == null)
-            throw BeanConfiguration.getResponseHandler()
+            throw KustvaktResponseHandler
                     .throwit(StatusCodes.ILLEGAL_ARGUMENT, "Missing parameter!",
                             "redirect_url");
         info.setRedirect_uri(rurl);
@@ -111,17 +112,18 @@
             this.handler.registerClient(info,
                     this.controller.getUser(ctx.getUsername()));
         }catch (KustvaktException e) {
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
         return Response.ok(info.toJSON()).build();
     }
 
+    // todo: change parameter to scopes!
     @GET
     @Path("info")
     @ResourceFilters({ AuthFilter.class, DefaultFilter.class,
             PiwikFilter.class })
     public Response getStatus(@Context SecurityContext context,
-            @QueryParam("scope") String scopes) {
+            @QueryParam("scopes") String scopes) {
         TokenContext ctx = (TokenContext) context.getUserPrincipal();
         User user;
         try {
@@ -133,7 +135,7 @@
             base_scope.retainAll(StringUtils.toSet(scopes));
             scopes = StringUtils.toString(base_scope);
         }catch (KustvaktException e) {
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
         // json format with scope callback parameter
         return Response.ok(JsonUtils.toJSON(Scopes
@@ -142,7 +144,7 @@
 
     @GET
     @Path("authorizations")
-    @ResourceFilters({ AuthFilter.class, BlockFilter.class })
+    @ResourceFilters({ AuthFilter.class, BlockingFilter.class })
     public Response getAuthorizations(@Context SecurityContext context,
             @HeaderParam(ContainerRequest.USER_AGENT) String agent,
             @HeaderParam(ContainerRequest.HOST) String host) {
@@ -156,18 +158,18 @@
                 return Response.noContent().build();
             return Response.ok(JsonUtils.toJSON(auths)).build();
         }catch (KustvaktException e) {
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
     }
 
     // todo: scopes for access_token are defined here
-    // todo: if user already has an access token registered for client and application, then redirect to token endpoint to retrive that token
+    // todo: if user already has an access token registered for client and application, then redirect to token endpoint to retrieve that token
     // todo: demo account should be disabled for this function --> if authentication failed, client must redirect to login url (little login window)
     @POST
     @Path("authorize")
     @Consumes("application/x-www-form-urlencoded")
     @Produces("application/json")
-    @ResourceFilters({ BlockFilter.class })
+    @ResourceFilters({ BlockingFilter.class })
     public Response authorize(@Context HttpServletRequest request,
             @Context SecurityContext context,
             @HeaderParam(ContainerRequest.USER_AGENT) String agent,
@@ -200,17 +202,13 @@
                 user = controller.getUser(c.getUsername());
                 controller.getUserDetails(user);
             }catch (KustvaktException e) {
-                throw BeanConfiguration.getResponseHandler().throwit(e);
+                throw KustvaktResponseHandler.throwit(e);
             }
 
             // register response according to response_type
             String responseType = oauthRequest
                     .getParam(OAuth.OAUTH_RESPONSE_TYPE);
 
-            OAuthASResponse.OAuthAuthorizationResponseBuilder builder = OAuthASResponse
-                    .authorizationResponse(request,
-                            HttpServletResponse.SC_FOUND);
-
             final String authorizationCode = oauthIssuerImpl
                     .authorizationCode();
             ClientInfo info = this.handler
@@ -240,8 +238,12 @@
 
             String accessToken = this.handler
                     .getToken(oauthRequest.getClientId(), user.getId());
-            //todo: test this with parameters
+
+            //todo: test correct redirect and parameters
             if (accessToken != null) {
+                // fixme: correct status code?
+                OAuthASResponse.OAuthResponseBuilder builder = OAuthASResponse
+                        .status(HttpServletResponse.SC_FOUND);
                 final OAuthResponse response = builder.location("/oauth2/token")
                         .setParam(OAuth.OAUTH_CLIENT_ID,
                                 oauthRequest.getClientId())
@@ -252,7 +254,21 @@
                         .location(new URI(response.getLocationUri())).build();
             }
 
+            final OAuthResponse response;
+            String redirectURI = oauthRequest.getRedirectURI();
+            if (OAuthUtils.isEmpty(redirectURI)) {
+                throw new WebApplicationException(
+                        Response.status(HttpServletResponse.SC_BAD_REQUEST)
+                                .entity("OAuth callback url needs to be provided by client!!!\n")
+                                .build());
+            }
+
             if (responseType.equals(ResponseType.CODE.toString())) {
+                OAuthASResponse.OAuthAuthorizationResponseBuilder builder = OAuthASResponse
+                        .authorizationResponse(request,
+                                HttpServletResponse.SC_FOUND);
+                builder.location(redirectURI);
+
                 try {
                     AuthCodeInfo codeInfo = new AuthCodeInfo(
                             info.getClient_id(), authorizationCode);
@@ -260,32 +276,30 @@
                             .toString(oauthRequest.getScopes(), " "));
                     this.handler.authorize(codeInfo, user);
                 }catch (KustvaktException e) {
-                    throw BeanConfiguration.getResponseHandler().throwit(e);
+                    throw KustvaktResponseHandler.throwit(e);
                 }
                 builder.setParam(OAuth.OAUTH_RESPONSE_TYPE,
                         ResponseType.CODE.toString());
                 builder.setCode(authorizationCode);
+                response = builder.buildBodyMessage();
 
             }else if (responseType.contains(ResponseType.TOKEN.toString())) {
-                try {
-                    AuthCodeInfo codeInfo = new AuthCodeInfo(
-                            info.getClient_id(), authorizationCode);
-                    codeInfo.setScopes(StringUtils
-                            .toString(oauthRequest.getScopes(), " "));
-                    this.handler.authorize(codeInfo, user);
-                }catch (KustvaktException e) {
-                    throw BeanConfiguration.getResponseHandler().throwit(e);
-                }
-
+                OAuthASResponse.OAuthTokenResponseBuilder builder = OAuthASResponse
+                        .tokenResponse(HttpServletResponse.SC_OK);
                 builder.setParam(OAuth.OAUTH_RESPONSE_TYPE,
                         ResponseType.TOKEN.toString());
-                builder.setCode(authorizationCode);
+                builder.location(redirectURI);
 
                 String token = oauthIssuerImpl.accessToken();
-                this.handler.addToken(authorizationCode, token,
+                String refresh = oauthIssuerImpl.refreshToken();
+
+                this.handler.addToken(token, refresh, user.getId(),
+                        oauthRequest.getClientId(),
+                        StringUtils.toString(oauthRequest.getScopes(), " "),
                         config.getLongTokenTTL());
                 builder.setAccessToken(token);
-                builder.setExpiresIn((long) config.getLongTokenTTL());
+                builder.setRefreshToken(refresh);
+                builder.setExpiresIn(String.valueOf(config.getLongTokenTTL()));
 
                 // skips authorization code type and returns id_token and access token directly
                 if (oauthRequest.getScopes().contains("openid")) {
@@ -295,9 +309,10 @@
                         builder.setParam(new_context.getTokenType(),
                                 new_context.getToken());
                     }catch (KustvaktException e) {
-                        throw BeanConfiguration.getResponseHandler().throwit(e);
+                        throw KustvaktResponseHandler.throwit(e);
                     }
                 }
+                response = builder.buildBodyMessage();
             }else {
                 OAuthResponse res = OAuthASResponse
                         .errorResponse(HttpServletResponse.SC_BAD_REQUEST)
@@ -308,23 +323,22 @@
                 return Response.status(res.getResponseStatus())
                         .entity(res.getBody()).build();
             }
-
-            String redirectURI = oauthRequest.getRedirectURI();
-
-            // enables state parameter to disable cross-site scripting attacks
-            final OAuthResponse response = builder.location(redirectURI)
-                    .buildQueryMessage();
-            if (OAuthUtils.isEmpty(redirectURI)) {
-                throw new WebApplicationException(
-                        Response.status(HttpServletResponse.SC_BAD_REQUEST)
-                                .entity("OAuth callback url needs to be provided by client!!!\n")
-                                .build());
-            }
+            //
+            //            String redirectURI = oauthRequest.getRedirectURI();
+            //
+            //            // enables state parameter to disable cross-site scripting attacks
+            //            final OAuthResponse response = builder.location(redirectURI)
+            //                    .buildQueryMessage();
+            //            if (OAuthUtils.isEmpty(redirectURI)) {
+            //                throw new WebApplicationException(
+            //                        Response.status(HttpServletResponse.SC_BAD_REQUEST)
+            //                                .entity("OAuth callback url needs to be provided by client!!!\n")
+            //                                .build());
+            //            }
 
             return Response.status(response.getResponseStatus())
                     .location(new URI(response.getLocationUri())).build();
         }catch (OAuthProblemException e) {
-            e.printStackTrace();
             final Response.ResponseBuilder responseBuilder = Response
                     .status(HttpServletResponse.SC_BAD_REQUEST);
             String redirectUri = e.getRedirectUri();
@@ -454,18 +468,20 @@
                     }else {
                         openid_valid = codeInfo.getScopes().contains("openid");
                         String accessToken = oauthIssuerImpl.accessToken();
+                        String refreshToken = oauthIssuerImpl.refreshToken();
                         // auth code posesses the user reference. native apps access_tokens are directly associated with the user
                         this.handler
                                 .addToken(oauthRequest.getCode(), accessToken,
-                                        config.getTokenTTL());
+                                        refreshToken, config.getTokenTTL());
 
                         builder.setTokenType(TokenType.BEARER.toString());
                         builder.setExpiresIn(
                                 String.valueOf(config.getLongTokenTTL()));
                         builder.setAccessToken(accessToken);
+                        builder.setRefreshToken(refreshToken);
                     }
                 }catch (KustvaktException e) {
-                    throw BeanConfiguration.getResponseHandler().throwit(e);
+                    throw KustvaktResponseHandler.throwit(e);
                 }
                 // todo: errors for invalid scopes or different scopes then during authorization request?
                 //todo ??
@@ -492,18 +508,22 @@
                             .authenticate(0, oauthRequest.getUsername(),
                                     oauthRequest.getPassword(), attr);
                 }catch (KustvaktException e) {
-                    throw BeanConfiguration.getResponseHandler().throwit(e);
+                    throw KustvaktResponseHandler.throwit(e);
                 }
 
                 try {
                     String accessToken = this.handler
                             .getToken(oauthRequest.getClientId(), user.getId());
                     if (accessToken == null) {
+                        String refresh = oauthIssuerImpl.refreshToken();
                         accessToken = oauthIssuerImpl.accessToken();
-                        this.handler.addToken(accessToken, user.getId(),
-                                oauthRequest.getClientId(), StringUtils
-                                        .toString(oauthRequest.getScopes(),
-                                                " "), config.getLongTokenTTL());
+                        this.handler
+                                .addToken(accessToken, refresh, user.getId(),
+                                        oauthRequest.getClientId(), StringUtils
+                                                .toString(oauthRequest
+                                                        .getScopes(), " "),
+                                        config.getLongTokenTTL());
+                        builder.setRefreshToken(refresh);
                     }
                     builder.setTokenType(TokenType.BEARER.toString());
                     builder.setExpiresIn(
@@ -511,7 +531,7 @@
                     builder.setAccessToken(accessToken);
 
                 }catch (KustvaktException e) {
-                    throw BeanConfiguration.getResponseHandler().throwit(e);
+                    throw KustvaktResponseHandler.throwit(e);
                 }
             }
 
@@ -529,7 +549,7 @@
                             Attributes.OPENID_AUTHENTICATION);
                     builder.setParam(c.getTokenType(), c.getToken());
                 }catch (KustvaktException e) {
-                    throw BeanConfiguration.getResponseHandler().throwit(e);
+                    throw KustvaktResponseHandler.throwit(e);
                 }
             }
 
diff --git a/src/main/java/de/ids_mannheim/korap/web/service/UserService.java b/src/main/java/de/ids_mannheim/korap/web/service/UserService.java
index befa736..d3bc6a2 100644
--- a/src/main/java/de/ids_mannheim/korap/web/service/UserService.java
+++ b/src/main/java/de/ids_mannheim/korap/web/service/UserService.java
@@ -20,9 +20,11 @@
 import de.ids_mannheim.korap.web.filter.AuthFilter;
 import de.ids_mannheim.korap.web.filter.DefaultFilter;
 import de.ids_mannheim.korap.web.filter.PiwikFilter;
-import de.ids_mannheim.korap.web.utils.FormWrapper;
+import de.ids_mannheim.korap.web.utils.FormRequestWrapper;
+import de.ids_mannheim.korap.web.utils.KustvaktResponseHandler;
 import org.slf4j.Logger;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.*;
 import javax.ws.rs.core.*;
 import java.io.IOException;
@@ -60,18 +62,19 @@
     @Path("register")
     @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
     public Response signUp(
+            @Context HttpServletRequest request,
             @HeaderParam(ContainerRequest.USER_AGENT) String agent,
             @HeaderParam(ContainerRequest.HOST) String host,
             @Context Locale locale, MultivaluedMap form_values) {
 
-        FormWrapper wrapper = new FormWrapper(form_values);
+        FormRequestWrapper wrapper = new FormRequestWrapper(request, form_values);
 
         wrapper.put(Attributes.HOST, host);
         wrapper.put(Attributes.USER_AGENT, agent);
         UriBuilder uriBuilder;
         User user;
-        if (wrapper.get(Attributes.EMAIL) == null)
-            throw BeanConfiguration.getResponseHandler()
+        if (wrapper.getParameter(Attributes.EMAIL) == null)
+            throw KustvaktResponseHandler
                     .throwit(StatusCodes.ILLEGAL_ARGUMENT, "parameter missing",
                             "email");
 
@@ -80,10 +83,10 @@
             uriBuilder.path(KustvaktServer.API_VERSION).path("user")
                     .path("confirm");
 
-            user = controller.createUserAccount(wrapper);
+            user = controller.createUserAccount(wrapper.toMap(true));
 
         }catch (KustvaktException e) {
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
         URIParam uri = user.getField(URIParam.class);
         if (uri.hasValues()) {
@@ -124,7 +127,7 @@
             //                            node.path("new_password").asText());
             controller.updateAccount(user);
         }catch (KustvaktException e) {
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
         return Response.ok().build();
     }
@@ -135,18 +138,19 @@
     public Response confirmRegistration(@QueryParam("uri") String uritoken,
             @Context Locale locale, @QueryParam("user") String username) {
         if (uritoken == null)
-            throw BeanConfiguration.getResponseHandler()
+            throw KustvaktResponseHandler
                     .throwit(StatusCodes.ILLEGAL_ARGUMENT, "parameter missing",
                             "Uri-Token");
         if (username == null)
-            throw BeanConfiguration.getResponseHandler()
+            throw KustvaktResponseHandler
                     .throwit(StatusCodes.ILLEGAL_ARGUMENT, "parameter missing",
                             "Username");
 
         try {
             controller.confirmRegistration(uritoken, username);
         }catch (KustvaktException e) {
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler
+                    .throwit(e);
         }
         return Response.ok("success").build();
     }
@@ -184,7 +188,7 @@
                     .append(username);
         }catch (KustvaktException e) {
             error.error("Eoxception encountered!", e);
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
 
         ObjectNode obj = JsonUtils.createObjectNode();
@@ -215,7 +219,7 @@
     @ResourceFilters({ AuthFilter.class, DefaultFilter.class,
             PiwikFilter.class })
     public Response getStatus(@Context SecurityContext context,
-            @QueryParam("scope") String scope) {
+            @QueryParam("scopes") String scope) {
         TokenContext ctx = (TokenContext) context.getUserPrincipal();
         User user;
         try {
@@ -227,7 +231,7 @@
             base_scope.retainAll(StringUtils.toSet(scope));
             scope = StringUtils.toString(base_scope);
         }catch (KustvaktException e) {
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
         return Response.ok(JsonUtils.toJSON(Scopes
                 .mapOpenIDConnectScopes(scope, user.getDetails()))).build();
@@ -247,7 +251,7 @@
 
         }catch (KustvaktException e) {
             error.error("Exception encountered!", e);
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
         return Response.ok(JsonUtils.toJSON(user.getSettings().toObjectMap()))
                 .build();
@@ -266,7 +270,7 @@
         try {
             settings = JsonUtils.read(values, Map.class);
         }catch (IOException e) {
-            throw BeanConfiguration.getResponseHandler()
+            throw KustvaktResponseHandler
                     .throwit(StatusCodes.REQUEST_INVALID,
                             "Could not read parameters", values);
         }
@@ -285,7 +289,7 @@
                 return Response.notModified().build();
         }catch (KustvaktException e) {
             error.error("Exception encountered!", e);
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
 
         return Response.ok().build();
@@ -304,7 +308,7 @@
             controller.getUserDetails(user);
         }catch (KustvaktException e) {
             error.error("Exception encountered!", e);
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
 
         return Response.ok(JsonUtils.toJSON(user.getDetails().toMap())).build();
@@ -325,7 +329,7 @@
             details = JsonUtils.read(values, Map.class);
         }catch (IOException e) {
             error.error("Exception encountered!", e);
-            throw BeanConfiguration.getResponseHandler()
+            throw KustvaktResponseHandler
                     .throwit(StatusCodes.REQUEST_INVALID,
                             "Could not read parameters", values);
         }
@@ -339,7 +343,7 @@
                 return Response.notModified().build();
         }catch (KustvaktException e) {
             error.error("Exception encountered!", e);
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
 
         return Response.ok().build();
@@ -394,7 +398,7 @@
             //            }
         }catch (KustvaktException e) {
             error.error("Exception encountered!", e);
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
         return Response.ok(JsonUtils.toJSON(add)).build();
     }
@@ -411,7 +415,7 @@
             controller.deleteAccount(user);
         }catch (KustvaktException e) {
             error.error("Exception encountered!", e);
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
         return Response.ok().build();
     }
@@ -433,7 +437,7 @@
             queryStr = "";
         }catch (KustvaktException e) {
             error.error("Exception encountered!", e);
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
         return Response.ok(queryStr).build();
     }
@@ -449,7 +453,7 @@
             controller.logout(context);
         }catch (KustvaktException e) {
             error.error("Logout Exception", e);
-            throw BeanConfiguration.getResponseHandler().throwit(e);
+            throw KustvaktResponseHandler.throwit(e);
         }
         return Response.ok().build();
     }
diff --git a/src/main/java/de/ids_mannheim/korap/web/service/light/LightService.java b/src/main/java/de/ids_mannheim/korap/web/service/light/LightService.java
index 2f300be..b7463d9 100644
--- a/src/main/java/de/ids_mannheim/korap/web/service/light/LightService.java
+++ b/src/main/java/de/ids_mannheim/korap/web/service/light/LightService.java
@@ -8,7 +8,9 @@
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.query.serialize.MetaQueryBuilder;
 import de.ids_mannheim.korap.query.serialize.QuerySerializer;
-import de.ids_mannheim.korap.resource.RewriteProcessor;
+import de.ids_mannheim.korap.resource.rewrite.FoundryInject;
+import de.ids_mannheim.korap.resource.rewrite.PublicCollection;
+import de.ids_mannheim.korap.resource.rewrite.RewriteHandler;
 import de.ids_mannheim.korap.utils.KustvaktLogger;
 import de.ids_mannheim.korap.web.ClientsHandler;
 import de.ids_mannheim.korap.web.SearchKrill;
@@ -37,7 +39,7 @@
 
     private SearchKrill searchKrill;
     private ClientsHandler graphDBhandler;
-    private RewriteProcessor processor;
+    private RewriteHandler processor;
     private KustvaktConfiguration config;
 
     public LightService() {
@@ -45,7 +47,9 @@
         this.searchKrill = new SearchKrill(config.getIndexDir());
         UriBuilder builder = UriBuilder.fromUri("http://10.0.10.13").port(9997);
         this.graphDBhandler = new ClientsHandler(builder.build());
-        this.processor = new RewriteProcessor(this.config);
+        this.processor = new RewriteHandler();
+        this.processor.add(new FoundryInject(this.config));
+        this.processor.add(new PublicCollection());
     }
 
     /**
@@ -92,14 +96,14 @@
         ss.setMeta(meta);
         if (cq != null)
             ss.setCollection(cq);
-        return Response.ok(processor.process(ss.toJSON())).build();
+        return Response.ok(processor.apply(ss.toJSON(), null)).build();
     }
 
     @POST
     @Path("search")
     public Response queryRaw(@QueryParam("engine") String engine,
             String jsonld) {
-        jsonld = processor.process(jsonld);
+        jsonld = processor.apply(jsonld, null);
         // todo: should be possible to add the meta part to the query serialization
         jlog.info("Serialized search: {}", jsonld);
 
@@ -133,7 +137,7 @@
         if (cq != null)
             serializer.setCollection(cq);
 
-        String query = processor.process(serializer.toJSON());
+        String query = processor.apply(serializer.toJSON(), null);
         jlog.info("the serialized query {}", query);
 
         // This may not work with the the KoralQuery
@@ -200,7 +204,7 @@
             //                meta.addEntry("itemsPerResource", 1);
             QuerySerializer s = new QuerySerializer().setQuery(query, ql, v)
                     .setMeta(meta);
-            query = processor.process(s.toJSON());
+            query = processor.apply(s.toJSON(), null);
         }
         String result;
         try {
diff --git a/src/main/java/de/ids_mannheim/korap/web/utils/FormRequestWrapper.java b/src/main/java/de/ids_mannheim/korap/web/utils/FormRequestWrapper.java
index 143aa04..05a1bb5 100644
--- a/src/main/java/de/ids_mannheim/korap/web/utils/FormRequestWrapper.java
+++ b/src/main/java/de/ids_mannheim/korap/web/utils/FormRequestWrapper.java
@@ -3,9 +3,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 import javax.ws.rs.core.MultivaluedMap;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 
 /**
  * Helper class to wrapp multivaluedmap into a hashmap. Depending on the strict parameter,
@@ -59,6 +57,14 @@
         return map;
     }
 
+    public void put(String key, String value) {
+        this.form.putSingle(key, value);
+    }
+
+    public void put(String key, String... values) {
+        this.form.put(key, Arrays.asList(values));
+    }
+
 }
 
 
diff --git a/src/main/java/de/ids_mannheim/korap/web/utils/FormWrapper.java b/src/main/java/de/ids_mannheim/korap/web/utils/FormWrapper.java
index 913c848..f099158 100644
--- a/src/main/java/de/ids_mannheim/korap/web/utils/FormWrapper.java
+++ b/src/main/java/de/ids_mannheim/korap/web/utils/FormWrapper.java
@@ -12,6 +12,7 @@
  * @author hanl
  * @date 18/05/2015
  */
+@Deprecated
 public class FormWrapper extends HashMap<String, Object> {
 
     public FormWrapper(MultivaluedMap form, boolean strict) {
diff --git a/src/main/java/de/ids_mannheim/korap/web/utils/KustvaktResponseHandler.java b/src/main/java/de/ids_mannheim/korap/web/utils/KustvaktResponseHandler.java
index c35ce5b..1a52c3d 100644
--- a/src/main/java/de/ids_mannheim/korap/web/utils/KustvaktResponseHandler.java
+++ b/src/main/java/de/ids_mannheim/korap/web/utils/KustvaktResponseHandler.java
@@ -1,8 +1,7 @@
 package de.ids_mannheim.korap.web.utils;
 
 import de.ids_mannheim.korap.auditing.AuditRecord;
-import de.ids_mannheim.korap.exceptions.BaseException;
-import de.ids_mannheim.korap.exceptions.KorAPException;
+import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.interfaces.AuditingIface;
 import de.ids_mannheim.korap.response.Notifications;
@@ -32,32 +31,24 @@
             throw new RuntimeException("Auditing handler must be set!");
     }
 
-    public static WebApplicationException throwit(BaseException e) {
-        //fixme: ??!
-        e.printStackTrace();
+    public static WebApplicationException throwit(KustvaktException e) {
         return new WebApplicationException(
                 Response.status(Response.Status.BAD_REQUEST)
                         .entity(buildNotification(e)).build());
     }
 
-    @Deprecated
     public static WebApplicationException throwit(int code) {
-        KorAPException e = new KorAPException(code);
-        return new WebApplicationException(
-                Response.status(Response.Status.OK).entity(buildNotification(e))
-                        .build());
+        return new WebApplicationException(Response.status(Response.Status.OK)
+                .entity(buildNotification(code, "", "")).build());
     }
 
-    @Deprecated
     public static WebApplicationException throwit(int code, String message,
             String entity) {
-        KorAPException e = new KorAPException(code, message, entity);
-        return new WebApplicationException(
-                Response.status(Response.Status.OK).entity(buildNotification(e))
-                        .build());
+        return new WebApplicationException(Response.status(Response.Status.OK)
+                .entity(buildNotification(code, message, entity)).build());
     }
 
-    private static String buildNotification(BaseException e) {
+    private static String buildNotification(KustvaktException e) {
         register(e.getRecords());
         return buildNotification(e.getStatusCode(), e.getMessage(),
                 e.getEntity());
@@ -71,7 +62,8 @@
     }
 
     public static WebApplicationException throwAuthenticationException() {
-        KorAPException e = new KorAPException(StatusCodes.BAD_CREDENTIALS);
+        KustvaktException e = new KustvaktException(
+                StatusCodes.BAD_CREDENTIALS);
         return new WebApplicationException(
                 Response.status(Response.Status.UNAUTHORIZED)
                         .header(HttpHeaders.WWW_AUTHENTICATE,
diff --git a/src/main/resources/.DS_Store b/src/main/resources/.DS_Store
index 51b3007..0f6288e 100644
--- a/src/main/resources/.DS_Store
+++ b/src/main/resources/.DS_Store
Binary files differ
diff --git a/src/main/resources/db/mysql/V1.2__oauth2_tables_mysql.sql b/src/main/resources/db/mysql/V1.2__oauth2_tables_mysql.sql
index 5e9c968..227d660 100644
--- a/src/main/resources/db/mysql/V1.2__oauth2_tables_mysql.sql
+++ b/src/main/resources/db/mysql/V1.2__oauth2_tables_mysql.sql
@@ -9,37 +9,6 @@
 url VARCHAR(200) UNIQUE
 );
 
-create table oauth2_auth_codes (
-id INTEGER PRIMARY KEY AUTO_INCREMENT,
-client_id VARCHAR(100),
-auth_code VARCHAR(250),
-status INTEGER DEFAULT 1,
-scopes VARCHAR (150),
-created TIMESTAMP DEFAULT CURRENT_TIMESTAMP
-);
-
--- define scopes?!
-create table oauth2_client_authorization (
-id INTEGER PRIMARY KEY AUTO_INCREMENT,
-fk_client_id VARCHAR(100),
-user_id INTEGER,
-FOREIGN KEY (fk_client_id)
-REFERENCES oauth2_client(client_id)
-ON DELETE CASCADE
-);
-
----- status 1 = valid, 0 = revoked
---create table oauth2_access_token (
---id INTEGER PRIMARY KEY AUTO_INCREMENT,
---access_token VARCHAR(300),
---auth_code VARCHAR(250),
---userID INTEGER,
---status INTEGER DEFAULT 1,
---expiration TIMESTAMP,
---scopes VARCHAR (150),
---FOREIGN KEY (userID)
---REFERENCES korap_users(id)
---);
 
 -- status 1 = valid, 0 = revoked, -1 = disabled
 create table oauth2_access_token (
@@ -61,3 +30,19 @@
 REFERENCES oauth2_client(client_id)
 ON DELETE CASCADE
 );
+
+
+-- also scopes?
+create table oauth2_refresh_token (
+id INTEGER PRIMARY KEY AUTO_INCREMENT,
+client_id VARCHAR(100),
+user_id INTEGER,
+expiration TIMESTAMP,
+scopes VARCHAR(350),
+FOREIGN KEY (user_id)
+REFERENCES korap_users(id)
+ON DELETE CASCADE,
+FOREIGN KEY (client_id)
+REFERENCES oauth2_client(client_id)
+ON DELETE CASCADE
+);
\ No newline at end of file
diff --git a/src/main/resources/db/sqlite/V1__Initial_version.sql b/src/main/resources/db/sqlite/V1__Initial_version.sql
index fbe252d..912e699 100644
--- a/src/main/resources/db/sqlite/V1__Initial_version.sql
+++ b/src/main/resources/db/sqlite/V1__Initial_version.sql
@@ -226,11 +226,17 @@
 url VARCHAR(200) UNIQUE
 );
 
+
+-- refresh token doesn't care about expiration.
+-- also narrower scopes for new access token with the refresh token are not supported
+-- otherwise i would require a comparison of all access_token to get the maximum scopes and compare to request
+
 -- status 1 = valid, 0 = revoked, -1 = disabled
 create table IF NOT EXISTS oauth2_access_token (
 id INTEGER PRIMARY KEY AUTOINCREMENT,
 access_token VARCHAR(300),
 auth_code VARCHAR(250),
+refresh_token VARCHAR(250),
 client_id VARCHAR(100),
 user_id INTEGER,
 -- make boolean --
@@ -240,10 +246,29 @@
 scopes VARCHAR(350),
 expiration TIMESTAMP,
 FOREIGN KEY (user_id)
-REFERENCES korap_users(id)
+REFERENCES korap_users(id),
+FOREIGN KEY (client_id)
+REFERENCES oauth2_client(client_id)
 );
 
 
+-- fixme: also scopes?
+create table oauth2_refresh_token (
+id INTEGER PRIMARY KEY AUTOINCREMENT,
+client_id VARCHAR(100),
+user_id INTEGER,
+expiration TIMESTAMP,
+scopes VARCHAR(350),
+FOREIGN KEY (user_id)
+REFERENCES korap_users(id)
+ON DELETE CASCADE,
+FOREIGN KEY (client_id)
+REFERENCES oauth2_client(client_id)
+ON DELETE CASCADE
+);
+
+
+
 -- a bit confusing. 1. creator is policy creator, 2. creator is resource creator --> different implications
 -- insert resource data from resource_store alltogether, so i dont have to retrieve anything from there?!
 create view if not exists policy_view as
diff --git a/src/main/resources/default-config.xml b/src/main/resources/default-config.xml
index 023f671..4f7d23b 100644
--- a/src/main/resources/default-config.xml
+++ b/src/main/resources/default-config.xml
@@ -64,29 +64,31 @@
     </bean>
 
     <bean id="kustvakt_db"
-          class="de.ids_mannheim.korap.ext.database.JDBCClient">
+          class="de.ids_mannheim.korap.handlers.JDBCClient">
         <constructor-arg index="0" ref="dataSource"/>
         <!-- deprecated property -->
         <property name="database" value="${jdbc.database}"/>
     </bean>
 
     <bean id="kustvakt_auditing"
-          class="de.ids_mannheim.korap.ext.database.JDBCAuditing">
+          class="de.ids_mannheim.korap.handlers.JDBCAuditing">
         <constructor-arg ref="kustvakt_db"/>
     </bean>
 
     <bean id="kustvakt_userdb"
-          class="de.ids_mannheim.korap.ext.database.EntityDao">
+          class="de.ids_mannheim.korap.handlers.EntityDao">
         <constructor-arg ref="kustvakt_db"/>
     </bean>
 
+    <!--fixme: change name according to convention -->
     <bean id="collectionProvider"
-          class="de.ids_mannheim.korap.ext.database.CollectionDao">
+          class="de.ids_mannheim.korap.handlers.CollectionDao">
         <constructor-arg ref="kustvakt_db"/>
     </bean>
 
+    <!--fixme: change name according to convention -->
     <bean id="resourceProvider"
-          class="de.ids_mannheim.korap.ext.database.ResourceDao">
+          class="de.ids_mannheim.korap.handlers.ResourceDao">
         <constructor-arg ref="kustvakt_db"/>
     </bean>
 
@@ -100,12 +102,7 @@
         <constructor-arg ref="kustvakt_config"/>
     </bean>
 
-    <bean id="resourceHandler"
-          class="de.ids_mannheim.korap.ext.security.accessControl.ResourceHandler"/>
-
-
     <!-- authentication providers to use -->
-
     <bean id="api_auth"
           class="de.ids_mannheim.korap.ext.security.authentication.APIAuthentication">
         <constructor-arg
@@ -160,14 +157,6 @@
         <property name="providers" ref="auth_providers"/>
     </bean>
 
-    <!--
-    <util:list id="providers"
-               value-type="de.ids_mannheim.korap.ext.interfaces.ResourceOperationIface">
-        <ref bean="resourceProvider"/>
-        <ref bean="collectionProvider"/>
-    </util:list>
--->
-
     <!-- todo: if db interfaces not loaded via spring, does transaction even work then? -->
     <!-- the transactional advice (i.e. what 'happens'; see the <aop:advisor/> bean below) -->
     <tx:advice id="txAdvice" transaction-manager="txManager">