jwt token expiration test
diff --git a/pom.xml b/pom.xml
index b8534ce..52043a2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -96,7 +96,6 @@
                 <directory>src/test/resources</directory>
                 <filtering>true</filtering>
                 <includes>
-
                     <include>**/*.prop</include>
                     <include>**/*.xml</include>
                     <include>**/*.conf</include>
@@ -107,11 +106,11 @@
                 <directory>src/main/resources</directory>
                 <filtering>true</filtering>
                 <includes>
-                    <include>**/*.prop</include>
-                    <include>**/*.xml</include>
-                    <include>**/*.conf</include>
+                    <!--<include>**/*.prop</include>-->
+                    <!--<include>**/*.xml</include>-->
+                    <!--<include>**/*.conf</include>-->
                     <include>**/*.properties</include>
-                    <include>**/*.sql</include>
+                    <!--<include>**/*.sql</include>-->
                 </includes>
             </testResource>
         </testResources>
diff --git a/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java b/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
index aa1e00b..6563563 100644
--- a/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
+++ b/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
@@ -117,7 +117,7 @@
         return signContent(username, "", "", ttl);
     }
 
-    private SignedJWT verifyToken(String token) throws KustvaktException {
+    public SignedJWT verifyToken(String token) throws KustvaktException {
         SignedJWT client;
         try {
             client = SignedJWT.parse(token);
diff --git a/src/main/java/de/ids_mannheim/korap/config/KustvaktConfiguration.java b/src/main/java/de/ids_mannheim/korap/config/KustvaktConfiguration.java
index 406d319..9f1bdee 100644
--- a/src/main/java/de/ids_mannheim/korap/config/KustvaktConfiguration.java
+++ b/src/main/java/de/ids_mannheim/korap/config/KustvaktConfiguration.java
@@ -92,6 +92,7 @@
      */
     protected Properties load(Properties properties)
             throws MalformedURLException {
+        properties.list(System.out);
         maxhits = new Integer(properties.getProperty("maxhits", "50000"));
         returnhits = new Integer(properties.getProperty("returnhits", "50000"));
         indexDir = properties.getProperty("lucene.indexDir", "");
diff --git a/src/main/java/de/ids_mannheim/korap/security/ac/PolicyDao.java b/src/main/java/de/ids_mannheim/korap/security/ac/PolicyDao.java
index 33dc18d..ec611e7 100644
--- a/src/main/java/de/ids_mannheim/korap/security/ac/PolicyDao.java
+++ b/src/main/java/de/ids_mannheim/korap/security/ac/PolicyDao.java
@@ -16,6 +16,7 @@
 import de.ids_mannheim.korap.utils.KustvaktLogger;
 import de.ids_mannheim.korap.utils.StringUtils;
 import de.ids_mannheim.korap.utils.TimeUtils;
+import org.slf4j.Logger;
 import org.springframework.dao.DataAccessException;
 import org.springframework.jdbc.core.ResultSetExtractor;
 import org.springframework.jdbc.core.RowCallbackHandler;
@@ -37,6 +38,9 @@
 // todo: transactions and exception management
 public class PolicyDao implements PolicyHandlerIface {
 
+    private static final Logger jlog = KustvaktLogger
+            .getLogger(PolicyDao.class);
+
     private NamedParameterJdbcTemplate jdbcTemplate;
 
     public PolicyDao(PersistenceClient client) {
@@ -90,9 +94,8 @@
             this.mapConstraints(policy);
             return policy.getID();
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation (INSERT) not possible for '{}' for user '{}'",
-                            policy.toString(), user.getId());
+            jlog.error("Operation (INSERT) not possible for '{}' for user '{}'",
+                    policy.toString(), user.getId());
             throw new dbException(user.getId(), "policy_store",
                     StatusCodes.DB_INSERT_FAILED, policy.toString());
         }
@@ -141,9 +144,9 @@
             }
             policy.clear();
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation (MAPPING POLICY CONDITIONS) not possible for '{}' for user '{}'",
-                            policy.toString(), policy.getCreator());
+            jlog.error(
+                    "Operation (MAPPING POLICY CONDITIONS) not possible for '{}' for user '{}'",
+                    policy.toString(), policy.getCreator());
             // throwing an error here is not recommended
             //            throw new dbException(policy.getCreator(), "policy_store",
             //                    StatusCodes.DB_INSERT_FAILED, policy.toString());
@@ -181,9 +184,9 @@
                     this.addToCondition(Arrays.asList(user.getUsername()), cond,
                             admin);
             }catch (DataAccessException e) {
-                KustvaktLogger.SECURITY_LOGGER
-                        .error("Operation (SELECT) not possible for '{}' for user '{}'",
-                                policy.getTarget(), user.getId());
+                jlog.error(
+                        "Operation (SELECT) not possible for '{}' for user '{}'",
+                        policy.getTarget(), user.getId());
                 throw new dbException(user.getId(), "policy_store",
                         StatusCodes.DB_GET_FAILED, policy.toString());
             }
@@ -228,9 +231,9 @@
                         }
                     });
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Permission Denied for policy retrieval for '{}' for user '{}'",
-                            target, user.getId());
+            jlog.error(
+                    "Permission Denied for policy retrieval for '{}' for user '{}'",
+                    target, user.getId());
             return new List[2];
         }
     }
@@ -273,9 +276,9 @@
                         }
                     });
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Permission Denied for policy retrieval for '{}' for user '{}'",
-                            target, user.getId());
+            jlog.error(
+                    "Permission Denied for policy retrieval for '{}' for user '{}'",
+                    target, user.getId());
             return new List[2];
         }
     }
@@ -316,9 +319,9 @@
                         }
                     });
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Permission Denied for retrieval for resource id '{}' for user '{}'",
-                            path, user.getId());
+            jlog.error(
+                    "Permission Denied for retrieval for resource id '{}' for user '{}'",
+                    path, user.getId());
             return new List[2];
         }
     }
@@ -396,9 +399,9 @@
             return this.jdbcTemplate.query(sql, param,
                     new SecurityRowMappers.HierarchicalResultExtractor());
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Permission Denied for retrieval for path '{}' for user '{}'",
-                            path, user.getId());
+            jlog.error(
+                    "Permission Denied for retrieval for path '{}' for user '{}'",
+                    path, user.getId());
             throw new dbException(user.getId(), "policy_store",
                     StatusCodes.DB_GET_FAILED, path, clazz.toString());
         }
@@ -470,9 +473,9 @@
             return this.jdbcTemplate.query(sql, param,
                     new SecurityRowMappers.HierarchicalResultExtractor());
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Permission Denied for retrieval for path '{}' for user '{}'",
-                            name, user.getId());
+            jlog.error(
+                    "Permission Denied for retrieval for path '{}' for user '{}'",
+                    name, user.getId());
             throw new dbException(user.getId(), "policy_store",
                     StatusCodes.DB_GET_FAILED, name, clazz.toString());
         }
@@ -495,9 +498,8 @@
             return this.jdbcTemplate
                     .update("DELETE FROM policy_store WHERE id=:id", param);
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation (DELETE) not possible for '{}' for user '{}'",
-                            policy.toString(), user.getId());
+            jlog.error("Operation (DELETE) not possible for '{}' for user '{}'",
+                    policy.toString(), user.getId());
             throw new dbException(user.getId(), "policy_store, group_ref",
                     StatusCodes.DB_DELETE_FAILED, policy.toString());
         }
@@ -512,9 +514,8 @@
         try {
             this.jdbcTemplate.update(sql, param);
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation (DELETE) not possible for '{}' for user '{}'",
-                            id, user.getId());
+            jlog.error("Operation (DELETE) not possible for '{}' for user '{}'",
+                    id, user.getId());
             throw new dbException(user.getId(), "policy_store",
                     StatusCodes.DB_DELETE_FAILED, id);
         }
@@ -536,9 +537,8 @@
             this.mapConstraints(policy);
             return result;
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation (UPDATE) not possible for '{}' for user '{}'",
-                            policy.toString(), user.getId());
+            jlog.error("Operation (UPDATE) not possible for '{}' for user '{}'",
+                    policy.toString(), user.getId());
             throw new dbException(user.getId(), "policy_store",
                     StatusCodes.DB_UPDATE_FAILED, policy.toString());
         }
@@ -557,9 +557,8 @@
         try {
             return this.jdbcTemplate.queryForObject(sql1, param, Integer.class);
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation (SELECT) not possible for '{}' for user '{}'",
-                            policy.getTarget(), user.getId());
+            jlog.error("Operation (SELECT) not possible for '{}' for user '{}'",
+                    policy.getTarget(), user.getId());
             throw new dbException(user.getId(), "policy_store",
                     StatusCodes.DB_GET_FAILED, policy.toString());
         }
@@ -597,9 +596,8 @@
         try {
             return this.jdbcTemplate.queryForObject(sql, param, Integer.class);
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation (SELECT) not possible for '{}' for user '{}'",
-                            group, user.getId());
+            jlog.error("Operation (SELECT) not possible for '{}' for user '{}'",
+                    group, user.getId());
             throw new dbException(user.getId(), "policy_store",
                     StatusCodes.DB_GET_FAILED, group);
         }
@@ -621,9 +619,8 @@
                             + "VALUES (:name, :sy, :ex, :com);", param, key);
             return key.getKey().intValue();
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation (INSERT) not possible for '{}'",
-                            condition.toString());
+            jlog.error("Operation (INSERT) not possible for '{}'",
+                    condition.toString());
             throw new dbException(user.getId(), "group_store",
                     StatusCodes.DB_INSERT_FAILED, condition.toString());
         }
@@ -644,9 +641,8 @@
             param.addValue("status", BooleanUtils.getBoolean(admin));
             return this.jdbcTemplate.update(insert, param);
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation (INSERT) not possible for '{}' for user '{}'",
-                            condition.toString(), username);
+            jlog.error("Operation (INSERT) not possible for '{}' for user '{}'",
+                    condition.toString(), username);
             throw new dbException(null, "group_store",
                     StatusCodes.DB_INSERT_FAILED, condition.toString());
         }
@@ -698,9 +694,8 @@
             //fixme: problem - unique constraints throws exception. skip that user entry?!
             return this.jdbcTemplate.batchUpdate(insert, sources);
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation (INSERT) not possible for '{}' for user '{}'",
-                            condition.toString(), usernames);
+            jlog.error("Operation (INSERT) not possible for '{}' for user '{}'",
+                    condition.toString(), usernames);
             throw new KustvaktException(e, StatusCodes.CONNECTION_ERROR);
         }
     }
@@ -725,9 +720,8 @@
         try {
             this.jdbcTemplate.batchUpdate(del, sources);
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation (DELETE) not possible for '{}' for user '{}'",
-                            condition.toString(), usernames);
+            jlog.error("Operation (DELETE) not possible for '{}' for user '{}'",
+                    condition.toString(), usernames);
             throw new KustvaktException(e, StatusCodes.CONNECTION_ERROR);
         }
     }
@@ -748,9 +742,8 @@
         try {
             this.jdbcTemplate.update(insert, source);
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation (INSERT) not possible for '{}",
-                            param.toString());
+            jlog.error("Operation (INSERT) not possible for '{}",
+                    param.toString());
             throw new KustvaktException(e, StatusCodes.CONNECTION_ERROR);
         }
     }
@@ -766,9 +759,8 @@
         try {
             return this.jdbcTemplate.queryForList(sql1, source, String.class);
         }catch (DataAccessException e) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation (SELECT) not possible for '{}'",
-                            condition.toString());
+            jlog.error("Operation (SELECT) not possible for '{}'",
+                    condition.toString());
             throw new KustvaktException(StatusCodes.CONNECTION_ERROR);
         }
     }
diff --git a/src/main/java/de/ids_mannheim/korap/security/ac/SecurityManager.java b/src/main/java/de/ids_mannheim/korap/security/ac/SecurityManager.java
index 09f48b5..d1fc2b9 100644
--- a/src/main/java/de/ids_mannheim/korap/security/ac/SecurityManager.java
+++ b/src/main/java/de/ids_mannheim/korap/security/ac/SecurityManager.java
@@ -16,7 +16,6 @@
 import de.ids_mannheim.korap.user.User;
 import de.ids_mannheim.korap.utils.KustvaktLogger;
 import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 import java.util.*;
 
@@ -32,10 +31,12 @@
 @SuppressWarnings("all")
 public class SecurityManager<T extends KustvaktResource> {
 
-    private static final Logger secLogger = LoggerFactory
-            .getLogger(KustvaktLogger.SECURITY_LOG);
-    private static final Logger errorLogger = LoggerFactory
-            .getLogger(KustvaktLogger.ERROR_LOG);
+    //    private static final Logger errorLogger = LoggerFactory
+    //            .getLogger(KustvaktLogger.ERROR_LOG);
+
+    private static final Logger jlog = KustvaktLogger
+            .getLogger(SecurityManager.class);
+
     private static PolicyHandlerIface policydao;
     private static Map<Class<? extends KustvaktResource>, ResourceOperationIface> handlers;
     private static EncryptionIface crypto;
@@ -66,7 +67,7 @@
         SecurityManager.policydao = policyHandler;
         SecurityManager.crypto = crypto;
         SecurityManager.handlers = new HashMap<>();
-        secLogger.info("Registering handlers: {}", Arrays.asList(ifaces));
+        jlog.info("Registering handlers: {}", Arrays.asList(ifaces));
         for (ResourceOperationIface iface : ifaces)
             handlers.put(iface.getType(), iface);
     }
@@ -138,10 +139,8 @@
         if (evaluator.isAllowed(Permissions.PERMISSIONS.READ)) {
             return this.resource;
         }else {
-            secLogger
-                    .error("Reading the resource '{}' is not allowed for user '{}'",
-                            this.resource.getPersistentID(),
-                            this.user.getUsername());
+            jlog.error("Reading the resource '{}' is not allowed for user '{}'",
+                    this.resource.getPersistentID(), this.user.getUsername());
             throw new NotAuthorizedException(StatusCodes.PERMISSION_DENIED,
                     evaluator.getResourceID());
         }
@@ -157,10 +156,9 @@
                 handlers.get(KustvaktResource.class)
                         .updateResource(resource, this.user);
         }else {
-            secLogger
-                    .error("Updating the resource '{}' is not allowed for user '{}'",
-                            this.resource.getPersistentID(),
-                            this.user.getUsername());
+            jlog.error(
+                    "Updating the resource '{}' is not allowed for user '{}'",
+                    this.resource.getPersistentID(), this.user.getUsername());
             throw new NotAuthorizedException(StatusCodes.PERMISSION_DENIED,
                     this.evaluator.getResourceID());
         }
@@ -214,9 +212,8 @@
         this.evaluator = new PolicyEvaluator(this.user, this.policies);
 
         if (this.policies == null) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("No policies found for resource id '{}' for user '{}'",
-                            id, user.getId());
+            jlog.error("No policies found for resource id '{}' for user '{}'",
+                    id, user.getId());
             throw new EmptyResultException(String.valueOf(id));
         }
         return true;
@@ -226,9 +223,8 @@
     private T findResource(Class type)
             throws NotAuthorizedException, KustvaktException {
         if (!evaluator.isAllowed()) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Permission denied for resource id '{}' for user '{}'",
-                            this.evaluator.getResourceID(), user.getId());
+            jlog.error("Permission denied for resource id '{}' for user '{}'",
+                    this.evaluator.getResourceID(), user.getId());
             throw new NotAuthorizedException(StatusCodes.PERMISSION_DENIED,
                     this.evaluator.getResourceID());
         }
@@ -262,9 +258,9 @@
                     SecurityManager.findbyId(resource.getParentID(), user,
                             Permissions.PERMISSIONS.ALL);
                 }catch (EmptyResultException e) {
-                    KustvaktLogger.SECURITY_LOGGER
-                            .error("No policies found for parent '{}' for user '{}'",
-                                    resource.getParentID(), user.getId());
+                    jlog.error(
+                            "No policies found for parent '{}' for user '{}'",
+                            resource.getParentID(), user.getId());
                     throw new KustvaktException(StatusCodes.EMPTY_RESULTS);
                 }
             }
@@ -279,10 +275,9 @@
             if (newid | !p.checkResource(resource.getPersistentID(), user)) {
                 resource.setOwner(user.getId());
 
-                KustvaktLogger.SECURITY_LOGGER
-                        .info("Creating Access Control structure for resource '"
-                                + resource.getPersistentID() + "@" + resource
-                                .getId() + "'");
+                jlog.info("Creating Access Control structure for resource '"
+                        + resource.getPersistentID() + "@" + resource.getId()
+                        + "'");
                 // storing resource is called twice. first when this is register and later in idsbootstrap to create cstorage entry. how to unify this?
                 ResourceOperationIface iface = p.handlers
                         .get(resource.getClass());
@@ -301,9 +296,9 @@
                         Permissions.PERMISSIONS.READ_POLICY,
                         Permissions.PERMISSIONS.MODIFY_POLICY);
             }catch (EmptyResultException e) {
-                KustvaktLogger.SECURITY_LOGGER
-                        .error("No policies found for '{}' for user '{}'. Resource could not be registered!",
-                                resource.getPersistentID(), user.getId());
+                jlog.error(
+                        "No policies found for '{}' for user '{}'. Resource could not be registered!",
+                        resource.getPersistentID(), user.getId());
                 throw new KustvaktException(user.getId(),
                         StatusCodes.POLICY_CREATE_ERROR,
                         "Resource could not be registered",
@@ -349,17 +344,15 @@
     public void addPolicy(SecurityPolicy policy, Parameter... params)
             throws KustvaktException, NotAuthorizedException {
         if (policy.getConditions().isEmpty()) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("No conditions set for '{}' for user '{}'",
-                            policy.toString(), this.user.getId());
+            jlog.error("No conditions set for '{}' for user '{}'",
+                    policy.toString(), this.user.getId());
             throw new NotAuthorizedException(StatusCodes.ILLEGAL_ARGUMENT,
                     policy.getTarget());
         }
 
         if (this.policies[0] == null) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("No policies found for '{}' for user '{}'",
-                            this.evaluator.getResourceID(), this.user.getId());
+            jlog.error("No policies found for '{}' for user '{}'",
+                    this.evaluator.getResourceID(), this.user.getId());
             throw new NotAuthorizedException(StatusCodes.UNSUPPORTED_OPERATION,
                     policy.getTarget());
         }
@@ -372,9 +365,9 @@
         if (evaluator.isAllowed(Permissions.PERMISSIONS.CREATE_POLICY)) {
             policydao.createPolicy(policy, this.user);
         }else if (silent) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Permission Denied (CREATE_POLICY) on '{}' for user '{}'",
-                            this.evaluator.getResourceID(), this.user.getId());
+            jlog.error(
+                    "Permission Denied (CREATE_POLICY) on '{}' for user '{}'",
+                    this.evaluator.getResourceID(), this.user.getId());
             throw new NotAuthorizedException(StatusCodes.PERMISSION_DENIED,
                     policy.getTarget());
         }
@@ -411,9 +404,8 @@
                     this.evaluator.getResourceID());
 
         if (this.policies[0] == null) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("No policies found (DELETE_POLICY) on '{}' for '{}'",
-                            this.evaluator.getResourceID(), this.user.getId());
+            jlog.error("No policies found (DELETE_POLICY) on '{}' for '{}'",
+                    this.evaluator.getResourceID(), this.user.getId());
             throw new KustvaktException(user.getId(), StatusCodes.NO_POLICIES,
                     "no policy desicion possible",
                     this.evaluator.getResourceID());
@@ -422,9 +414,8 @@
                 .isAllowed(Permissions.PERMISSIONS.DELETE_POLICY))) {
             policydao.deletePolicy(policy, this.user);
         }else if (silent) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Permission Denied (DELETE_POLICY) on '{}' for '{}'",
-                            this.evaluator.getResourceID(), this.user.getId());
+            jlog.error("Permission Denied (DELETE_POLICY) on '{}' for '{}'",
+                    this.evaluator.getResourceID(), this.user.getId());
             throw new NotAuthorizedException(StatusCodes.PERMISSION_DENIED,
                     "no policy desicion possible",
                     this.evaluator.getResourceID());
@@ -440,9 +431,9 @@
             throw new NotAuthorizedException(StatusCodes.ILLEGAL_ARGUMENT);
 
         if (this.policies[0] == null) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Operation not possible (MODIFY_POLICY) on '{}' for '{}'",
-                            this.evaluator.getResourceID(), this.user.getId());
+            jlog.error(
+                    "Operation not possible (MODIFY_POLICY) on '{}' for '{}'",
+                    this.evaluator.getResourceID(), this.user.getId());
             throw new KustvaktException(user.getId(), StatusCodes.NO_POLICIES,
                     "no policy desicion possible",
                     this.evaluator.getResourceID());
@@ -452,9 +443,8 @@
                 .isAllowed(Permissions.PERMISSIONS.MODIFY_POLICY))) {
             policydao.updatePolicy(policy, this.user);
         }else if (silent) {
-            KustvaktLogger.SECURITY_LOGGER
-                    .error("Permission Denied (DELETE_POLICY) on '{}' for '{}'",
-                            this.evaluator.getResourceID(), this.user.getId());
+            jlog.error("Permission Denied (DELETE_POLICY) on '{}' for '{}'",
+                    this.evaluator.getResourceID(), this.user.getId());
             throw new NotAuthorizedException(StatusCodes.PERMISSION_DENIED,
                     this.evaluator.getResourceID());
         }
diff --git a/src/main/resources/log4j.properties b/src/main/resources/log4j.properties
index ff5d34c..ed7269f 100644
--- a/src/main/resources/log4j.properties
+++ b/src/main/resources/log4j.properties
@@ -15,6 +15,12 @@
 log4j.appender.errorLog.layout.ConversionPattern=%d{MMM dd, yyyy HH:mm:ss} %C{6} - %M %n %-5p: %m%n
 log4j.appender.errorLog.File=./logs/errors.log
 
+log4j.appender.policyLog=org.apache.log4j.RollingFileAppender
+log4j.appender.policyLog.layout=org.apache.log4j.PatternLayout
+log4j.appender.policyLog.layout.ConversionPattern=%d{MMM dd, yyyy HH:mm:ss} %C{6} - %M %n %-5p: %m%n
+log4j.appender.policyLog.File=./logs/policies.log
+
+log4j.logger.de.ids_mannheim.korap.security.ac = DEBUG, policyLog
 
 log4j.appender.debugLog=org.apache.log4j.RollingFileAppender
 log4j.appender.debugLog.layout=org.apache.log4j.PatternLayout
diff --git a/src/test/java/de/ids_mannheim/korap/config/ConfigTest.java b/src/test/java/de/ids_mannheim/korap/config/ConfigTest.java
index 4a2ca67..b86699c 100644
--- a/src/test/java/de/ids_mannheim/korap/config/ConfigTest.java
+++ b/src/test/java/de/ids_mannheim/korap/config/ConfigTest.java
@@ -44,7 +44,7 @@
 
         BeanConfiguration.getBeans().getConfiguration().setPropertiesAsStream(
                 ConfigTest.class.getClassLoader()
-                        .getResourceAsStream("kustvakt_test.conf"));
+                        .getResourceAsStream("kustvakt.conf"));
 
         Assert.assertEquals("token layer does not match", "tt",
                 BeanConfiguration.getBeans().getConfiguration()
@@ -61,7 +61,7 @@
 
         BeanConfiguration.getBeans().getConfiguration().setPropertiesAsStream(
                 ConfigTest.class.getClassLoader()
-                        .getResourceAsStream("kustvakt_test.conf"));
+                        .getResourceAsStream("kustvakt.conf"));
 
         String v = "testmail@ids-mannheim.de";
         BeanConfiguration.getBeans().getEncryption().validateEmail(v);
diff --git a/src/test/java/de/ids_mannheim/korap/web/service/KustvaktResourceServiceTest.java b/src/test/java/de/ids_mannheim/korap/web/service/KustvaktResourceServiceTest.java
index 6829064..d44f696 100644
--- a/src/test/java/de/ids_mannheim/korap/web/service/KustvaktResourceServiceTest.java
+++ b/src/test/java/de/ids_mannheim/korap/web/service/KustvaktResourceServiceTest.java
@@ -77,12 +77,14 @@
                 .get(ClientResponse.class);
         assert ClientResponse.Status.OK.getStatusCode() == response.getStatus();
         node = JsonUtils.readTree(response.getEntity(String.class));
-        System.out.println("STATS RESULT: ");
-        System.out.println(node);
+        assert node != null;
+        int docs = node.path("documents").asInt();
+        assert docs > 0 && docs < 15;
     }
 
     @Test
     public void testResourceStore() {
 
     }
+
 }
diff --git a/src/test/resources/test-config.xml b/src/test/resources/default-config.xml
similarity index 97%
rename from src/test/resources/test-config.xml
rename to src/test/resources/default-config.xml
index 082d616..a756340 100644
--- a/src/test/resources/test-config.xml
+++ b/src/test/resources/default-config.xml
@@ -69,9 +69,13 @@
         <property name="url" value="${jdbc.url}"/>
         <property name="username" value="${jdbc.username}"/>
         <property name="password" value="${jdbc.password}"/>
+        <!-- relevant for single connection datasource and sqlite -->
         <property name="suppressClose">
             <value>true</value>
         </property>
+        <!--<property name="initialSize" value="2"/>-->
+        <!--<property name="maxIdle" value="2"/>-->
+        <!--<property name="poolPreparedStatements" value="true"/>-->
     </bean>
 
     <!-- to configure database for sqlite, mysql, etc. migrations -->
@@ -99,7 +103,6 @@
         <constructor-arg ref="kustvakt_db"/>
     </bean>
 
-    <!-- deprecated : load via constructor -->
     <!--fixme: change name according to convention -->
     <bean id="collectionProvider"
           class="de.ids_mannheim.korap.handlers.CollectionDao">
diff --git a/src/test/resources/kustvakt_test.conf b/src/test/resources/kustvakt_test.conf
deleted file mode 100644
index 75e549a..0000000
--- a/src/test/resources/kustvakt_test.conf
+++ /dev/null
@@ -1,37 +0,0 @@
-## index dir
-lucene.indexDir	=	/Users/hanl/Projects/prep_corpus
-
-kustvakt.default.pos = tt
-kustvakt.default.lemma = tt
-kustvakt.default.token = tt
-kustvakt.default.dep = mate
-kustvakt.default.const = mate
-
-
-## options referring to the security module!
-
-## token expiration time in minutes!
-## decpricated, no function uses this anymore
-security.absoluteTimeoutDuration = 45M
-
-security.longTokenTTL = 230D
-security.tokenTTL = 72H
-security.shortTokenTTL = 5S
-
-## specifies the user data field that is used to salt user passwords
-security.passcode.salt=accountCreation
-
-security.idleTimeoutDuration = 25M
-security.multipleLogIn = true
-security.loginAttemptNum = 3
-security.authAttemptTTL = 45M
-
-security.encryption.loadFactor = 8
-security.validation.stringLength = 150
-security.validation.emailLength = 5
-security.encryption.algo=BCRYPT
-security.sharedSecret=nHim5JB-YqkX7sS55jayGBnga8WmqgpkzieGe8UhojE
-security.adminToken=f61d02c04a0f18d60172f7b990955824
-
-## applicable: rewrite, foundry, filter, deny
-security.rewrite.strategies=filter, foundry, rewrite
\ No newline at end of file