From 491e5cf812c0a5d3727e4e25e39032c15bb236ac Mon Sep 17 00:00:00 2001
From: Erich Bremer <erich@ebremer.com>
Date: Tue, 7 Mar 2023 12:05:03 -0500
Subject: [PATCH 1/4] set next version 0.1.0

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 272a0617..e91eef22 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.ebremer</groupId>
     <artifactId>Halcyon</artifactId>
-    <version>0.0.0</version>
+    <version>0.1.0</version>
     <packaging>jar</packaging>
     <name>Halcyon</name>
     <description>A whole slide image annotation, management, and visualization system</description>

From 724424e04cfaf6a581e56a2450386ac2e5e0298d Mon Sep 17 00:00:00 2001
From: Erich Bremer <erich@ebremer.com>
Date: Wed, 8 Mar 2023 17:03:17 -0500
Subject: [PATCH 2/4] fix X2OA progs

---
 dependency-reduced-pom.xml                    | 72 +++++++++----------
 .../ebremer/halcyon/converters/Engine.java    | 24 +++++--
 .../halcyon/converters/HeatMap2OA.java        | 10 +--
 .../com/ebremer/halcyon/converters/NS2OA.java |  2 +-
 4 files changed, 59 insertions(+), 49 deletions(-)

diff --git a/dependency-reduced-pom.xml b/dependency-reduced-pom.xml
index 6b84da0d..1965c286 100644
--- a/dependency-reduced-pom.xml
+++ b/dependency-reduced-pom.xml
@@ -10,7 +10,7 @@
   <groupId>com.ebremer</groupId>
   <artifactId>Halcyon</artifactId>
   <name>Halcyon</name>
-  <version>0.0.0</version>
+  <version>0.1.0</version>
   <description>A whole slide image annotation, management, and visualization system</description>
   <issueManagement>
     <system>github</system>
@@ -342,7 +342,6 @@
         <plugins>
           <plugin>
             <artifactId>maven-shade-plugin</artifactId>
-            <version>3.2.4</version>
             <executions>
               <execution>
                 <phase>package</phase>
@@ -368,43 +367,9 @@
                       <mainClass>com.ebremer.halcyon.converters.NS2OA</mainClass>
                     </transformer>
                   </transformers>
-                  <keepDependenciesWithProvidedScope>true</keepDependenciesWithProvidedScope>
-                  <createDependencyReducedPom>true</createDependencyReducedPom>
-                  <filters>
-                    <filter>
-                      <artifact>*:*</artifact>
-                      <excludes>
-                        <exclude>META-INF/*.SF</exclude>
-                        <exclude>META-INF/*.DSA</exclude>
-                        <exclude>META-INF/*.RSA</exclude>
-                      </excludes>
-                    </filter>
-                  </filters>
                 </configuration>
               </execution>
             </executions>
-            <dependencies>
-              <dependency>
-                <groupId>org.springframework.boot</groupId>
-                <artifactId>spring-boot-maven-plugin</artifactId>
-                <version>2.6.13</version>
-                <scope>compile</scope>
-              </dependency>
-            </dependencies>
-            <configuration>
-              <keepDependenciesWithProvidedScope>true</keepDependenciesWithProvidedScope>
-              <createDependencyReducedPom>true</createDependencyReducedPom>
-              <filters>
-                <filter>
-                  <artifact>*:*</artifact>
-                  <excludes>
-                    <exclude>META-INF/*.SF</exclude>
-                    <exclude>META-INF/*.DSA</exclude>
-                    <exclude>META-INF/*.RSA</exclude>
-                  </excludes>
-                </filter>
-              </filters>
-            </configuration>
           </plugin>
         </plugins>
       </build>
@@ -455,6 +420,7 @@
         <plugins>
           <plugin>
             <artifactId>maven-shade-plugin</artifactId>
+            <version>3.2.4</version>
             <executions>
               <execution>
                 <phase>package</phase>
@@ -480,9 +446,43 @@
                       <mainClass>com.ebremer.halcyon.converters.Ingest</mainClass>
                     </transformer>
                   </transformers>
+                  <keepDependenciesWithProvidedScope>true</keepDependenciesWithProvidedScope>
+                  <createDependencyReducedPom>true</createDependencyReducedPom>
+                  <filters>
+                    <filter>
+                      <artifact>*:*</artifact>
+                      <excludes>
+                        <exclude>META-INF/*.SF</exclude>
+                        <exclude>META-INF/*.DSA</exclude>
+                        <exclude>META-INF/*.RSA</exclude>
+                      </excludes>
+                    </filter>
+                  </filters>
                 </configuration>
               </execution>
             </executions>
+            <dependencies>
+              <dependency>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+                <version>2.6.13</version>
+                <scope>compile</scope>
+              </dependency>
+            </dependencies>
+            <configuration>
+              <keepDependenciesWithProvidedScope>true</keepDependenciesWithProvidedScope>
+              <createDependencyReducedPom>true</createDependencyReducedPom>
+              <filters>
+                <filter>
+                  <artifact>*:*</artifact>
+                  <excludes>
+                    <exclude>META-INF/*.SF</exclude>
+                    <exclude>META-INF/*.DSA</exclude>
+                    <exclude>META-INF/*.RSA</exclude>
+                  </excludes>
+                </filter>
+              </filters>
+            </configuration>
           </plugin>
         </plugins>
       </build>
diff --git a/src/main/java/com/ebremer/halcyon/converters/Engine.java b/src/main/java/com/ebremer/halcyon/converters/Engine.java
index b6529ca9..f924cf4d 100644
--- a/src/main/java/com/ebremer/halcyon/converters/Engine.java
+++ b/src/main/java/com/ebremer/halcyon/converters/Engine.java
@@ -40,6 +40,7 @@
 import org.apache.jena.rdf.model.Property;
 import org.apache.jena.rdf.model.Resource;
 import org.apache.jena.riot.Lang;
+import org.apache.jena.riot.RDFDataMgr;
 import org.apache.jena.riot.RDFParserBuilder;
 import org.apache.jena.riot.RDFWriter;
 import org.apache.jena.riot.RIOT;
@@ -239,7 +240,7 @@ public void HilbertPhase(BeakWriter bw) {
             list.forEach(f->{
                 if (f.isDone()) {
                     try {
-                        System.out.println("Adding : "+(engine.getQueue().size()+engine.getActiveCount()));
+                        //System.out.println("Adding : "+(engine.getQueue().size()+engine.getActiveCount()));
                         bw.Add(f.get());
                         list.remove(f);
                     } catch (InterruptedException ex) {
@@ -428,7 +429,7 @@ public static Model getMeta(Model m, Resource r) {
             """
             construct where {
                 ?roc
-                    a hal:HalcyonROCrate;
+                    a so:Dataset;
                     hal:hasCreateAction ?ca;
                     ?rocp ?roco .
                 ?ca
@@ -437,13 +438,15 @@ public static Model getMeta(Model m, Resource r) {
             }
             """, Standard.getStandardPrefixes());
         pss.setIri("newroc", r.getURI());
-        //System.out.println("================== META 1 ===============================");
-        //System.out.println(pss.toString());
+        pss.setNsPrefix("hal", HAL.NS);
+        pss.setNsPrefix("so", SchemaDO.NS);
+        System.out.println("================== META 1 ===============================");
+        System.out.println(pss.toString());
         QueryExecution qe = QueryExecutionFactory.create(pss.toString(),m);
         Model k = qe.execConstruct();
-        //System.out.println("================== META 1 dump ===============================");
-        //RDFDataMgr.write(System.out, k, Lang.TURTLE);
-        //System.out.println("================== META 1 dump end ===============================");
+        System.out.println("================== META 1 dump ===============================");
+        RDFDataMgr.write(System.out, k, Lang.TURTLE);
+        System.out.println("================== META 1 dump end ===============================");
         UpdateRequest update = UpdateFactory.create();
         pss = new ParameterizedSparqlString(
         """
@@ -471,11 +474,18 @@ public static Model getMeta(Model m, Resource r) {
         }
         """, Standard.getStandardPrefixes());
         pss.setIri("newroc", r.getURI());
+        pss.setNsPrefix("hal", HAL.NS);
+        pss.setNsPrefix("so", SchemaDO.NS);
         update.add(pss.toString());
         pss = new ParameterizedSparqlString("delete where {?roc a hal:HalcyonROCrate}", Standard.getStandardPrefixes());
         pss.setIri("newroc", r.getURI());
+        pss.setNsPrefix("hal", HAL.NS);
+        pss.setNsPrefix("so", SchemaDO.NS);
         update.add(pss.toString());
         UpdateAction.execute(update, k);
+        System.out.println("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
+        RDFDataMgr.write(System.out, k, Lang.TURTLE);
+        System.out.println("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
         return k;
     }
     
diff --git a/src/main/java/com/ebremer/halcyon/converters/HeatMap2OA.java b/src/main/java/com/ebremer/halcyon/converters/HeatMap2OA.java
index 225ae848..5f4dc56a 100644
--- a/src/main/java/com/ebremer/halcyon/converters/HeatMap2OA.java
+++ b/src/main/java/com/ebremer/halcyon/converters/HeatMap2OA.java
@@ -196,13 +196,13 @@ public void AddPolygons(Model m) {
                 //body.addProperty(HAL.assertedClass, classuri)
                 Float yay = (Float)p.neovalue;
                 int clazz = yay.intValue();
-                Resource blah = m.createResource("urn:gmm:"+clazz);
+                //Resource blah = m.createResource("urn:gmm:"+clazz);
                 //Resource blah = m.createResource("urn:kmeans:"+clazz);
-                //body.addProperty(HAL.assertedClass, classuri)
-                body.addProperty(HAL.assertedClass, blah)
+                body.addProperty(HAL.assertedClass, classuri)
+                //body.addProperty(HAL.assertedClass, blah)
                     .addProperty(RDF.type, HAL.ProbabilityBody)
-                    //.addLiteral(HAL.hasCertainty, (Float) p.neovalue);
-                    .addLiteral(HAL.hasCertainty, (Float) 1.0f);
+                    .addLiteral(HAL.hasCertainty, (Float) p.neovalue);
+                    //.addLiteral(HAL.hasCertainty, (Float) 1.0f);
             });
         } catch (IOException ex) {
             Logger.getLogger(HeatMap2OA.class.getName()).log(Level.SEVERE, null, ex);
diff --git a/src/main/java/com/ebremer/halcyon/converters/NS2OA.java b/src/main/java/com/ebremer/halcyon/converters/NS2OA.java
index d936d36d..2fa3c674 100644
--- a/src/main/java/com/ebremer/halcyon/converters/NS2OA.java
+++ b/src/main/java/com/ebremer/halcyon/converters/NS2OA.java
@@ -132,7 +132,7 @@ class FileProcessor implements Callable<Model> {
                     so:license <https://creativecommons.org/licenses/by-nc-sa/3.0/au/>;
                     so:name "cnn-nuclear-segmentations-2019";
                     hal:hasCreateAction <https://bmi.stonybrookmedicine.edu/nuclearsegmentation/tcga/2019>;
-                    a hal:HalcyonROCrate;
+                    a so:Dataset, hal:HalcyonROCrate;
                     so:publisher <https://ror.org/05qghxh33>, <https://ror.org/01882y777> .
                         
                     <https://bmi.stonybrookmedicine.edu/nuclearsegmentation/tcga/2019> a so:CreateAction;

From d5580f6e8ff172614b485dce3c134dead8feb915 Mon Sep 17 00:00:00 2001
From: Erich Bremer <erich@ebremer.com>
Date: Sun, 12 Mar 2023 19:29:12 -0400
Subject: [PATCH 3/4] Add user-security access to SPARQL endpoint with JWT

Implement Shiro classes to support JWT
---
 pom.xml                                       | 119 ++++++++++++--
 .../com/ebremer/halcyon/FL/FLPoolFactory.java |   2 -
 .../com/ebremer/halcyon/HalcyonDefaults.java  |  13 --
 .../com/ebremer/halcyon/HalcyonSettings.java  |  13 +-
 .../ebremer/halcyon/converters/Ingest.java    |   4 +-
 .../halcyon/datum/AddParamsToHeader.java      |  63 ++++++++
 .../datum/CustomShiroConfigurator.java        |  31 ++++
 .../com/ebremer/halcyon/datum/DataCore.java   |  35 +----
 .../com/ebremer/halcyon/datum/HalSec.java     |   4 -
 .../halcyon/datum/HalcyonPrincipal.java       |  25 ++-
 .../com/ebremer/halcyon/datum/Patterns.java   |   9 +-
 .../ebremer/halcyon/datum/SecureCoreTest.java |  54 -------
 .../halcyon/datum/SecuredDatasetGraph.java    |   1 +
 .../halcyon/datum/SessionsManager.java        |  30 ++++
 .../halcyon/datum/WACSecurityEvaluator.java   |  25 +--
 .../filesystem/DirectoryProcessor.java        |  55 ++-----
 .../halcyon/filesystem/FileManager.java       |  53 +++++++
 .../halcyon/filesystem/FileMetaExtractor.java |  30 ++--
 .../halcyon/fuseki/HalcyonProxyServlet.java   |  34 ++++
 .../fuseki/HalcyonSecurityHandler.java        |  49 ++++++
 .../halcyon/fuseki/SPARQLEndPoint.java        | 148 ++++++++++++++++++
 .../halcyon/fuseki/jwt/GetPublicKey.java      |  62 ++++++++
 .../fuseki/jwt/JwtAuthenticatingFilter.java   |  23 +++
 .../ebremer/halcyon/fuseki/jwt/JwtRealm.java  |  73 +++++++++
 .../ebremer/halcyon/fuseki/jwt/JwtToken.java  |  32 ++++
 .../halcyon/fuseki/jwt/JwtVerifier.java       |  30 ++++
 .../fuseki/jwt/KeycloakPublicKeyFetcher.java  |  85 ++++++++++
 .../com/ebremer/halcyon/fuseki/jwt/Test.java  |  30 ++++
 .../ebremer/halcyon/gui/CollectionPanel.java  |   9 +-
 .../halcyon/gui/HalcyonApplication.java       |  29 +++-
 .../ebremer/halcyon/gui/HalcyonSession.java   | 114 ++++++++------
 .../com/ebremer/halcyon/gui/HomePage.html     |  11 +-
 .../java/com/ebremer/halcyon/gui/Public.html  |  62 ++++++++
 .../java/com/ebremer/halcyon/gui/Public.java  |  14 ++
 .../halcyon/imagebox/ImageReaderPool.java     |   9 +-
 .../imagebox/ImageReaderPoolFactory.java      |   4 +-
 .../halcyon/imagebox/JwtInterceptor.java      |  42 +++++
 .../com/ebremer/halcyon/imagebox/Main.java    |  86 ++++++----
 .../ebremer/halcyon/imagebox/NeoTiler.java    |  77 +++++----
 .../experimental/MinimalTiffReader.java       |   4 -
 .../imagebox/experimental/TiffParser.java     |   4 -
 .../imagebox/experimental/TiffReader.java     |   4 -
 .../ebremer/halcyon/imagebox/iboxServlet.java |  10 +-
 .../keycloak/HALInMemorySessionIdMapper.java  |  16 ++
 .../HALKeycloakOIDCFilter.java                |  62 ++++++--
 .../keycloak/KeycloakOIDCFilterConfig.java    |  51 ++++++
 .../KeycloakTokenFilter.java                  |   6 +-
 .../com/ebremer/halcyon/sparql/Sparql.html    |  14 +-
 .../com/ebremer/halcyon/sparql/Sparql.java    |  54 ++++++-
 .../halcyon/wicket/FeatureManager.java        |  14 +-
 .../ebremer/halcyon/wicket/ListFeatures.java  |   6 +-
 .../ebremer/halcyon/wicket/ListImages.java    |  29 +---
 .../com/ebremer/halycon/shiro/JWTGuard.java   |  16 ++
 .../halycon/shiro/JWTVerifyingFilter.java     |  54 +++++++
 src/main/java/com/ebremer/ns/HAL.java         |   3 +-
 src/main/resources/keycloak.json              |   2 +-
 src/main/resources/shiro.ini                  |  15 ++
 57 files changed, 1532 insertions(+), 421 deletions(-)
 delete mode 100644 src/main/java/com/ebremer/halcyon/HalcyonDefaults.java
 create mode 100644 src/main/java/com/ebremer/halcyon/datum/AddParamsToHeader.java
 create mode 100644 src/main/java/com/ebremer/halcyon/datum/CustomShiroConfigurator.java
 delete mode 100644 src/main/java/com/ebremer/halcyon/datum/SecureCoreTest.java
 create mode 100644 src/main/java/com/ebremer/halcyon/datum/SessionsManager.java
 create mode 100644 src/main/java/com/ebremer/halcyon/fuseki/HalcyonProxyServlet.java
 create mode 100644 src/main/java/com/ebremer/halcyon/fuseki/HalcyonSecurityHandler.java
 create mode 100644 src/main/java/com/ebremer/halcyon/fuseki/SPARQLEndPoint.java
 create mode 100644 src/main/java/com/ebremer/halcyon/fuseki/jwt/GetPublicKey.java
 create mode 100644 src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtAuthenticatingFilter.java
 create mode 100644 src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtRealm.java
 create mode 100644 src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtToken.java
 create mode 100644 src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtVerifier.java
 create mode 100644 src/main/java/com/ebremer/halcyon/fuseki/jwt/KeycloakPublicKeyFetcher.java
 create mode 100644 src/main/java/com/ebremer/halcyon/fuseki/jwt/Test.java
 create mode 100644 src/main/java/com/ebremer/halcyon/gui/Public.html
 create mode 100644 src/main/java/com/ebremer/halcyon/gui/Public.java
 create mode 100644 src/main/java/com/ebremer/halcyon/imagebox/JwtInterceptor.java
 create mode 100644 src/main/java/com/ebremer/halcyon/keycloak/HALInMemorySessionIdMapper.java
 rename src/main/java/com/ebremer/halcyon/{imagebox => keycloak}/HALKeycloakOIDCFilter.java (63%)
 create mode 100644 src/main/java/com/ebremer/halcyon/keycloak/KeycloakOIDCFilterConfig.java
 rename src/main/java/com/ebremer/halcyon/{gui => keycloak}/KeycloakTokenFilter.java (80%)
 create mode 100644 src/main/java/com/ebremer/halycon/shiro/JWTGuard.java
 create mode 100644 src/main/java/com/ebremer/halycon/shiro/JWTVerifyingFilter.java
 create mode 100644 src/main/resources/shiro.ini

diff --git a/pom.xml b/pom.xml
index e91eef22..1b1ff4b8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -73,7 +73,7 @@
         <commons-pool2.ver>2.11.1</commons-pool2.ver>
         <jakarta.json.version>2.0.1</jakarta.json.version> 
         <titanium-json-ld.ver>1.3.0</titanium-json-ld.ver>
-        <dcm4che.ver>5.29.1</dcm4che.ver>
+        <dcm4che.ver>5.29.2</dcm4che.ver>
         <resteasy.version>4.7.4.Final</resteasy.version>
         <infinispan.version>13.0.12.Final</infinispan.version>
         <jgroups.version>4.2.21.Final</jgroups.version>
@@ -232,7 +232,7 @@
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-enforcer-plugin</artifactId>
-                        <version>3.1.0</version>
+                        <version>3.2.1</version>
                         <configuration>
                             <rules><dependencyConvergence/></rules>
                         </configuration>
@@ -284,7 +284,7 @@
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-enforcer-plugin</artifactId>
-                        <version>3.1.0</version>
+                        <version>3.2.1</version>
                         <configuration>
                             <rules><dependencyConvergence/></rules>
                         </configuration>
@@ -292,7 +292,7 @@
                     <plugin>
                         <groupId>org.springframework.experimental</groupId>
                         <artifactId>spring-aot-maven-plugin</artifactId>
-                        <version>0.12.1</version>
+                        <version>0.12.2</version>
                         <executions>
                             <execution>
                                 <id>generate</id>
@@ -305,7 +305,7 @@
                     <plugin>
                         <groupId>org.graalvm.buildtools</groupId>
                         <artifactId>native-maven-plugin</artifactId>
-                        <version>0.9.13</version>
+                        <version>0.9.20</version>
                         <extensions>true</extensions>
                         <executions>
                             <execution>
@@ -375,7 +375,7 @@
                 <dependency>
                     <groupId>org.springframework.experimental</groupId>
                     <artifactId>spring-native</artifactId>
-                    <version>0.12.1</version>
+                    <version>0.12.2</version>
                 </dependency>
             </dependencies>
         </profile>
@@ -386,7 +386,7 @@
                     <plugin>
                         <groupId>org.graalvm.buildtools</groupId>
                         <artifactId>native-maven-plugin</artifactId>
-                        <version>0.9.19</version>
+                        <version>0.9.20</version>
                         <extensions>true</extensions>
                         <executions>
                             <execution>
@@ -661,13 +661,12 @@
             <version>${jena.ver}</version>
             <type>jar</type>
         </dependency>
-        <!--
         <dependency>
             <groupId>org.apache.jena</groupId>
             <artifactId>jena-querybuilder</artifactId>
             <version>${jena.ver}</version>
             <type>jar</type>
-        </dependency>-->
+        </dependency>
         <dependency>
             <groupId>org.apache.jena</groupId>
             <artifactId>jena-permissions</artifactId>
@@ -685,6 +684,12 @@
             <artifactId>jena-fuseki-main</artifactId>
             <version>${jena.ver}</version>
         </dependency>
+        <!--
+        <dependency>
+            <groupId>org.apache.jena</groupId>
+            <artifactId>jena-fuseki-fulljar</artifactId>
+            <version>${jena.ver}</version>
+        </dependency>-->
         <!--  OTHER DEPENDENCIES -->
         <dependency>
             <groupId>com.github.davidmoten</groupId>
@@ -759,6 +764,102 @@
             <artifactId>BeakGraph</artifactId>
             <version>0.0.0</version>
         </dependency>
+        <!-- DICOM DCM4CHEE
+        <dependency>
+            <groupId>org.dcm4che</groupId>
+            <artifactId>dcm4che-core</artifactId>
+            <version>${dcm4che.ver}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.dcm4che</groupId>
+            <artifactId>dcm4che-json</artifactId>
+            <version>${dcm4che.ver}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.dcm4che</groupId>
+            <artifactId>dcm4che-dict</artifactId>
+            <version>${dcm4che.ver}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.dcm4che.tool</groupId>
+            <artifactId>dcm4che-tool-common</artifactId>
+            <version>${dcm4che.ver}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.dcm4che.tool</groupId>
+            <artifactId>dcm4che-tool-dcm2jpg</artifactId>
+            <version>${dcm4che.ver}</version>
+        </dependency>        
+        <dependency>
+            <groupId>org.dcm4che</groupId>
+            <artifactId>dcm4che-imageio</artifactId>
+            <version>${dcm4che.ver}</version>
+        </dependency>    
+        <dependency>
+            <groupId>org.dcm4che</groupId>
+            <artifactId>dcm4che-imageio-opencv</artifactId>
+            <version>${dcm4che.ver}</version>
+        </dependency> 
+        <dependency>
+            <groupId>org.dcm4che</groupId>
+            <artifactId>dcm4che-image</artifactId>
+            <version>${dcm4che.ver}</version>
+        </dependency> -->
+        <!-- Shiro -->
+        <dependency>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-core</artifactId>
+            <version>1.11.0</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-web</artifactId>
+            <version>1.11.0</version>
+        </dependency>
+        <!--
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <version>1.18.26</version>
+            <type>jar</type>
+        </dependency>
+                -->
+        <dependency>
+            <groupId>com.jcabi</groupId>
+            <artifactId>jcabi-aspects</artifactId>
+            <version>0.24.1</version>
+            <type>jar</type>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jena</groupId>
+            <artifactId>jena-tdb</artifactId>
+            <version>${jena.ver}</version>
+            <type>jar</type>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-api</artifactId>
+            <version>0.11.5</version>
+            <type>jar</type>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-impl</artifactId>
+            <version>0.11.5</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-jackson</artifactId>
+            <version>0.11.5</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <version>1.18.26</version>
+            <type>jar</type>
+        </dependency>
     </dependencies>
     <pluginRepositories>
         <pluginRepository>
diff --git a/src/main/java/com/ebremer/halcyon/FL/FLPoolFactory.java b/src/main/java/com/ebremer/halcyon/FL/FLPoolFactory.java
index bbb9f627..35681d36 100644
--- a/src/main/java/com/ebremer/halcyon/FL/FLPoolFactory.java
+++ b/src/main/java/com/ebremer/halcyon/FL/FLPoolFactory.java
@@ -17,7 +17,6 @@ public class FLPoolFactory extends BaseKeyedPooledObjectFactory<URI, FL> {
     private final String base;
     
     public FLPoolFactory(String base) {
-        System.out.println("Building FL Factory X...");
         this.base = base;
     }
 
@@ -32,7 +31,6 @@ public FL create(URI uri) throws Exception {
     
     @Override
     public PooledObject<FL> wrap(FL value) {
-        //System.out.println("wrap FL...");
         return new DefaultPooledObject<>(value);
     }
 
diff --git a/src/main/java/com/ebremer/halcyon/HalcyonDefaults.java b/src/main/java/com/ebremer/halcyon/HalcyonDefaults.java
deleted file mode 100644
index 6822aab4..00000000
--- a/src/main/java/com/ebremer/halcyon/HalcyonDefaults.java
+++ /dev/null
@@ -1,13 +0,0 @@
-/*
- * Click nbfs://nbhost/SystemFileSystem/Templates/Licenses/license-default.txt to change this license
- * Click nbfs://nbhost/SystemFileSystem/Templates/Classes/Class.java to edit this template
- */
-package com.ebremer.halcyon;
-
-/**
- *
- * @author erich
- */
-public class HalcyonDefaults {
-    public static String VERSION = "0.0.0";
-}
diff --git a/src/main/java/com/ebremer/halcyon/HalcyonSettings.java b/src/main/java/com/ebremer/halcyon/HalcyonSettings.java
index 15dfcf91..cca21548 100644
--- a/src/main/java/com/ebremer/halcyon/HalcyonSettings.java
+++ b/src/main/java/com/ebremer/halcyon/HalcyonSettings.java
@@ -27,6 +27,7 @@
 import org.apache.jena.rdf.model.Property;
 import org.apache.jena.rdf.model.ResIterator;
 import org.apache.jena.rdf.model.Resource;
+import org.apache.jena.rdf.model.ResourceFactory;
 import org.apache.jena.riot.Lang;
 import org.apache.jena.riot.RDFDataMgr;
 import org.apache.jena.vocabulary.RDF;
@@ -47,15 +48,17 @@ public class HalcyonSettings {
     private Property RDFStoreLocation = null;
     private Property RDFSecurityStoreLocation = null;
     private Model m;
-    public static String realm = "master";
+    public static final String realm = "master";
     private final Property urlpathprefix;
     private static final int DEFAULTSPARQLPORT = 8887;
     private final Property SPARQLPORT;
     private final Property MULTIVIEWERLOCATION;
-    private final String Version = "0.0.0";
+    public static final String VERSION = "0.1.0";
+    public static Resource HALCYONAGENT = ResourceFactory.createResource(HAL.NS+"/VERSION/"+VERSION);
     private static final String MasterSettingsLocation = "settings.ttl";
     private Resource Master;
     private final HashMap<String,String> mappings;
+    private final String Realm = "master";
     
     private HalcyonSettings() {
         File f = new File(MasterSettingsLocation);
@@ -84,7 +87,11 @@ public String getwebfiles() {
     }
     
     public String getVersion() {
-        return Version;
+        return VERSION;
+    }
+    
+    public String getRealm() {
+        return Realm;
     }
 
     public String getHostName() {
diff --git a/src/main/java/com/ebremer/halcyon/converters/Ingest.java b/src/main/java/com/ebremer/halcyon/converters/Ingest.java
index 4072fe3d..449e456d 100644
--- a/src/main/java/com/ebremer/halcyon/converters/Ingest.java
+++ b/src/main/java/com/ebremer/halcyon/converters/Ingest.java
@@ -1,7 +1,7 @@
 package com.ebremer.halcyon.converters;
 
 import com.ebremer.beakgraph.rdf.BeakWriter;
-import com.ebremer.halcyon.HalcyonDefaults;
+import com.ebremer.halcyon.HalcyonSettings;
 import com.ebremer.ns.EXIF;
 import com.ebremer.ns.HAL;
 import com.ebremer.rocrate4j.ROCrate;
@@ -107,7 +107,7 @@ public static void main(String[] args) throws FileNotFoundException, IOException
             new Ingest().Process(src, optimize, dest);
         } else {
             System.out.println("Halcyon ----------------------------------------------------");
-            System.out.println("ingest - version : "+HalcyonDefaults.VERSION);
+            System.out.println("ingest - version : "+HalcyonSettings.VERSION);
             System.out.println("""
                                 Usage:
                                 ingest <source> <destination> (heatmap|segmentation)
diff --git a/src/main/java/com/ebremer/halcyon/datum/AddParamsToHeader.java b/src/main/java/com/ebremer/halcyon/datum/AddParamsToHeader.java
new file mode 100644
index 00000000..ae551a8d
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/datum/AddParamsToHeader.java
@@ -0,0 +1,63 @@
+package com.ebremer.halcyon.datum;
+
+import com.ebremer.halcyon.gui.HalcyonSession;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.List;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+/**
+ *
+ * @author erich
+ */
+public class AddParamsToHeader extends HttpServletRequestWrapper {
+    public static final String HID = "HALCYONPRINCIPAL";
+    
+    public AddParamsToHeader(HttpServletRequest request) {
+        super(request);
+    }
+
+    public AddParamsToHeader(HttpServletRequest request, HashMap list) {
+        super(request);
+        //this.list = list;
+    }
+    
+    @Override
+    public String getHeader(String name) {
+        if (HID.equals(name)) {
+            return HalcyonSession.get().getHalcyonPrincipal().getURNUUID();
+        }
+        /*
+        if (list.containsKey(name)) {
+            return list.get(name);
+        }*/
+        String header = super.getHeader(name);
+        return (header != null) ? header : super.getParameter(name);
+    }
+
+    @Override
+    public Enumeration getHeaderNames() {
+        List<String> names = Collections.list(super.getHeaderNames());
+        names.add(HID);
+        /*
+        list.keySet().forEach(i->{
+            names.add(i);
+        });
+*/
+        names.addAll(Collections.list(super.getParameterNames()));
+        return Collections.enumeration(names);
+    }
+    
+    @Override
+    public Enumeration getHeaders(String name) {
+        if (HID.equals(name)) {
+            List<String> values = new ArrayList<>(1);
+            values.add(HalcyonSession.get().getHalcyonPrincipal().getURNUUID());
+            return Collections.enumeration(values);
+        }
+        return super.getHeaders(name);
+    }
+}
diff --git a/src/main/java/com/ebremer/halcyon/datum/CustomShiroConfigurator.java b/src/main/java/com/ebremer/halcyon/datum/CustomShiroConfigurator.java
new file mode 100644
index 00000000..543109c0
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/datum/CustomShiroConfigurator.java
@@ -0,0 +1,31 @@
+package com.ebremer.halcyon.datum;
+
+import org.apache.shiro.config.ConfigurationException;
+import org.apache.shiro.config.Ini;
+import org.apache.shiro.mgt.DefaultSecurityManager;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.realm.text.IniRealm;
+
+public class CustomShiroConfigurator {
+
+    private final SecurityManager securityManager;
+
+    public CustomShiroConfigurator(Ini ini) {
+        try {
+            IniRealm iniRealm = new IniRealm(ini);
+            securityManager = createDefaultSecurityManager(iniRealm);
+        } catch (ConfigurationException e) {
+            throw new RuntimeException("Failed to configure Shiro", e);
+        }
+    }
+
+    private SecurityManager createDefaultSecurityManager(IniRealm iniRealm) {
+        DefaultSecurityManager dsm = new DefaultSecurityManager();
+        dsm.setRealm(iniRealm);
+        return securityManager;
+    }
+
+    public SecurityManager getSecurityManager() {
+        return securityManager;
+    }
+}
diff --git a/src/main/java/com/ebremer/halcyon/datum/DataCore.java b/src/main/java/com/ebremer/halcyon/datum/DataCore.java
index b66b2c49..7fbd18dd 100644
--- a/src/main/java/com/ebremer/halcyon/datum/DataCore.java
+++ b/src/main/java/com/ebremer/halcyon/datum/DataCore.java
@@ -1,9 +1,8 @@
 package com.ebremer.halcyon.datum;
 
+import com.ebremer.halcyon.fuseki.SPARQLEndPoint;
 import com.ebremer.halcyon.HalcyonSettings;
 import com.ebremer.halcyon.filesystem.FileManager;
-import com.ebremer.halcyon.gui.HalcyonSession;
-import org.apache.jena.fuseki.main.FusekiServer;
 import org.apache.jena.query.Dataset;
 import org.apache.jena.query.DatasetFactory;
 import org.apache.jena.query.Query;
@@ -25,23 +24,11 @@ public class DataCore {
     private static DataCore core = null;
     private static Dataset ds = null;
     private static HalcyonSettings hs = null;
-    private FusekiServer server = null;
-    private final FileManager fm;
-    
+
     private DataCore() {
         hs = HalcyonSettings.getSettings();
         System.out.println("Starting TDB2...");
         ds = TDB2Factory.connectDataset(hs.getRDFStoreLocation());
-       
-        System.out.println("Starting Fuseki...");
-        server = FusekiServer.create()
-                .add("/rdf", ds)
-                .enableCors(true)
-                .port(HalcyonSettings.getSettings().GetSPARQLPort())
-                .build();
-        server.start();
-        System.out.println("Starting File Manager...");
-        fm = FileManager.getInstance();
     }
     
     public synchronized static DataCore getInstance() {
@@ -52,22 +39,14 @@ public synchronized static DataCore getInstance() {
     }
     
     public synchronized void shutdown() {
+        FileManager.getInstance().pause();
+        SPARQLEndPoint.getSPARQLEndPoint().shutdown();
         ds.close();
-        if (server!=null) {
-            server.stop();
-        }
     }
+
     
-    //public synchronized Dataset getSecuredDataset(String uuid) {
-//        WACSecurityEvaluator evaluator = new WACSecurityEvaluator();
-//        evaluator.setPrincipal(uuid);
-//        return DatasetFactory.wrap(new SecuredDatasetGraph(getDataset().asDatasetGraph(),evaluator));
-//    }
-    
-    public synchronized Dataset getSecuredDataset() {
-        WACSecurityEvaluator evaluator = new WACSecurityEvaluator();
-        evaluator.setPrincipal(HalcyonSession.get().getHalcyonPrincipal());
-        return DatasetFactory.wrap(new SecuredDatasetGraph(getDataset().asDatasetGraph(),evaluator));
+    public Dataset getSecuredDataset() {
+        return DatasetFactory.wrap(new SecuredDatasetGraph(getDataset().asDatasetGraph(), new WACSecurityEvaluator()));
     }
     
     public void replaceNamedGraph(Resource k, Model m) {
diff --git a/src/main/java/com/ebremer/halcyon/datum/HalSec.java b/src/main/java/com/ebremer/halcyon/datum/HalSec.java
index a745d52c..234a9575 100644
--- a/src/main/java/com/ebremer/halcyon/datum/HalSec.java
+++ b/src/main/java/com/ebremer/halcyon/datum/HalSec.java
@@ -1,7 +1,3 @@
-/*
- * Click nbfs://nbhost/SystemFileSystem/Templates/Licenses/license-default.txt to change this license
- * Click nbfs://nbhost/SystemFileSystem/Templates/Classes/Class.java to edit this template
- */
 package com.ebremer.halcyon.datum;
 
 import com.ebremer.halcyon.wicket.DatabaseLocator;
diff --git a/src/main/java/com/ebremer/halcyon/datum/HalcyonPrincipal.java b/src/main/java/com/ebremer/halcyon/datum/HalcyonPrincipal.java
index 240ce29c..419b68f4 100644
--- a/src/main/java/com/ebremer/halcyon/datum/HalcyonPrincipal.java
+++ b/src/main/java/com/ebremer/halcyon/datum/HalcyonPrincipal.java
@@ -1,5 +1,6 @@
 package com.ebremer.halcyon.datum;
 
+import io.jsonwebtoken.Claims;
 import java.io.Serializable;
 import java.security.Principal;
 
@@ -10,22 +11,36 @@
 public class HalcyonPrincipal implements Principal, Serializable {
     private final String uuid;
     private String webid;
+    private boolean anonymous;
     
-    public HalcyonPrincipal(String uuid) {
-        System.out.println("CREATING HalcyonPrincipal : "+uuid);
+    public HalcyonPrincipal(String uuid, boolean anonymous) {
         this.uuid = uuid;
+        this.anonymous = anonymous;
+    }
+    
+    public HalcyonPrincipal(Claims claims) {
+        uuid = "urn:uuid:"+claims.getId();
+        this.anonymous = false;
     }
 
     public String getURNUUID() {
         return uuid;
-    }   
+    }
+    
+    public boolean isAnon() {
+        return anonymous;
+    }
+    
+    public void setAnonymous(boolean anonymous) {
+        this.anonymous = anonymous;
+    }
     
     public String getWebID2() {
         return webid;
-    }    
+    }
 
     @Override
     public String getName() {
-        throw new UnsupportedOperationException("Not supported yet.");
+        return "Erich Bremer";
     }
 }
diff --git a/src/main/java/com/ebremer/halcyon/datum/Patterns.java b/src/main/java/com/ebremer/halcyon/datum/Patterns.java
index 194cb121..986eb775 100644
--- a/src/main/java/com/ebremer/halcyon/datum/Patterns.java
+++ b/src/main/java/com/ebremer/halcyon/datum/Patterns.java
@@ -1,7 +1,6 @@
 package com.ebremer.halcyon.datum;
 
 import com.ebremer.ethereal.MakeList;
-//import com.ebremer.halcyon.utils.StopWatch;
 import com.ebremer.ns.HAL;
 import java.util.List;
 import org.apache.jena.graph.Node;
@@ -21,7 +20,6 @@
 public class Patterns {
     
     public static List<Node> getCollectionList() {
-        //StopWatch w = new StopWatch(true);
         ParameterizedSparqlString pss = new ParameterizedSparqlString( """
             select ?s ?name
             where {graph ?s {?s a so:Collection; so:name ?name}}
@@ -34,12 +32,10 @@ public static List<Node> getCollectionList() {
         ResultSet rs = qe.execSelect();
         List<Node> list = MakeList.Of(rs, "s");
         ds.end();
-        //w.getTime("time to get getCollectionList()");
         return list;
     }
     
     public static List<Node> getCollectionList(Model m) {
-        //StopWatch w = new StopWatch(true);
         ParameterizedSparqlString pss = new ParameterizedSparqlString( """
             select ?s ?name
             where {?s a so:Collection; so:name ?name}
@@ -52,7 +48,6 @@ public static List<Node> getCollectionList(Model m) {
         ResultSet rs = qe.execSelect();
         List<Node> list = MakeList.Of(rs, "s");
         ds.end();
-        //w.getTime("getCollectionList(Model m)");
         return list;
     }
     
@@ -72,19 +67,17 @@ public static List<Node> getCollectionList(Dataset ds) {
     }
     
     public static Model getCollectionRDF() {
-        //StopWatch w = new StopWatch(true);
         ParameterizedSparqlString pss = new ParameterizedSparqlString( """
             construct {?s a so:Collection; so:name ?name}
             where {graph ?s {?s a so:Collection; so:name ?name}}
         """);
         pss.setNsPrefix("hal", HAL.NS);
         pss.setNsPrefix("so", SchemaDO.NS);
-        Dataset ds = DataCore.getInstance().getDataset();
+        Dataset ds = DataCore.getInstance().getSecuredDataset();
         QueryExecution qe = QueryExecutionFactory.create(pss.toString(), ds);
         ds.begin(ReadWrite.READ);
         Model m = qe.execConstruct();
         ds.end();
-        //w.getTime("getCollectionRDF()");
         return m;
     }
 }
diff --git a/src/main/java/com/ebremer/halcyon/datum/SecureCoreTest.java b/src/main/java/com/ebremer/halcyon/datum/SecureCoreTest.java
deleted file mode 100644
index 0af4a7fd..00000000
--- a/src/main/java/com/ebremer/halcyon/datum/SecureCoreTest.java
+++ /dev/null
@@ -1,54 +0,0 @@
-package com.ebremer.halcyon.datum;
-
-import com.ebremer.ns.EXIF;
-import com.ebremer.ns.HAL;
-import java.util.List;
-import org.apache.jena.graph.Node;
-import org.apache.jena.query.Dataset;
-import org.apache.jena.query.ParameterizedSparqlString;
-import org.apache.jena.query.QueryExecutionFactory;
-import org.apache.jena.query.ReadWrite;
-import org.apache.jena.query.ResultSet;
-import org.apache.jena.query.ResultSetFormatter;
-import org.apache.jena.vocabulary.OWL;
-import org.apache.jena.vocabulary.SchemaDO;
-import org.apache.jena.vocabulary.WAC;
-
-/**
- *
- * @author erich
- */
-public class SecureCoreTest {
-    
-    public static void main(String[] args) {
-        loci.common.DebugTools.setRootLevel("WARN");
-        DataCore datacore = DataCore.getInstance();
-       // Dataset ds = datacore.getSecuredDataset("urn:uuid:48c07c4e-c092-4180-b67b-b57b6ec60d3d");
-        //Dataset ds = datacore.getDataset();
-        /*
-        DataCore datacore = DataCore.getInstance();
-        Dataset ds = datacore.getSecuredDataset("urn:uuid:48c07c4e-c092-4180-b67b-b57b6ec60d3d");
-        ds.begin(ReadWrite.READ);
-        ParameterizedSparqlString pss = new ParameterizedSparqlString(
-            """
-            select *
-            where {graph ?g {?s ?p ?o}}
-            """);
-        pss.setNsPrefix("acl", WAC.NS);
-        pss.setNsPrefix("owl", OWL.NS);
-        pss.setNsPrefix("hal", HAL.NS);
-        pss.setNsPrefix("so", SchemaDO.NS);
-        pss.setNsPrefix("exif", EXIF.NS);
-        pss.setIri("g", HAL.SecurityGraph.getURI());
-        ResultSet results = QueryExecutionFactory.create(pss.toString(), ds).execSelect();
-        ResultSetFormatter.out(System.out,results);
-        ds.end();
-        ds.close();
-        datacore.shutdown();*/
-        //List<Node> list = Patterns.getCollectionList(ds);
-  //      System.out.println("DUMP COLLECTIONS...");
-        //list.forEach(f->{
-//            System.out.println(f);
-//        });
-    }
-}
diff --git a/src/main/java/com/ebremer/halcyon/datum/SecuredDatasetGraph.java b/src/main/java/com/ebremer/halcyon/datum/SecuredDatasetGraph.java
index 7a9e096d..79469fc2 100644
--- a/src/main/java/com/ebremer/halcyon/datum/SecuredDatasetGraph.java
+++ b/src/main/java/com/ebremer/halcyon/datum/SecuredDatasetGraph.java
@@ -46,6 +46,7 @@ private List<Node> getBaseGraphNodes() {
     
     private boolean hasReadAccess(Node node) {
         return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), SecurityEvaluator.Action.Read, node);
+        //return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), SecurityEvaluator.Action.Read, node);
     }
 
     @Override
diff --git a/src/main/java/com/ebremer/halcyon/datum/SessionsManager.java b/src/main/java/com/ebremer/halcyon/datum/SessionsManager.java
new file mode 100644
index 00000000..51b76b70
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/datum/SessionsManager.java
@@ -0,0 +1,30 @@
+package com.ebremer.halcyon.datum;
+
+import com.ebremer.halcyon.keycloak.HALInMemorySessionIdMapper;
+import org.keycloak.adapters.spi.SessionIdMapper;
+
+/**
+ *
+ * @author erich
+ */
+public class SessionsManager {
+    private static SessionsManager sm = null;
+    private static SessionIdMapper idMapper = null;
+    
+    private SessionsManager() {
+        
+    }
+    
+    public SessionIdMapper getSessionIdMapper() {
+        getSessionsManager();
+        return idMapper;
+    }
+    
+    public static SessionsManager getSessionsManager() {
+        if (sm==null) {
+            sm = new SessionsManager();
+            idMapper = new HALInMemorySessionIdMapper();
+        }
+        return sm;
+    }
+}
diff --git a/src/main/java/com/ebremer/halcyon/datum/WACSecurityEvaluator.java b/src/main/java/com/ebremer/halcyon/datum/WACSecurityEvaluator.java
index d5dd04f5..4b9f091a 100644
--- a/src/main/java/com/ebremer/halcyon/datum/WACSecurityEvaluator.java
+++ b/src/main/java/com/ebremer/halcyon/datum/WACSecurityEvaluator.java
@@ -1,6 +1,8 @@
 package com.ebremer.halcyon.datum;
 
+import com.ebremer.halcyon.gui.HalcyonSession;
 import com.ebremer.ns.HAL;
+import io.jsonwebtoken.Claims;
 import java.security.Principal;
 import java.util.HashMap;
 import java.util.Set;
@@ -14,15 +16,17 @@
 import org.apache.jena.rdf.model.Model;
 import org.apache.jena.rdf.model.ModelFactory;
 import org.apache.jena.shared.AuthenticationRequiredException;
+import org.apache.jena.vocabulary.RDF;
 import org.apache.jena.vocabulary.SchemaDO;
 import org.apache.jena.vocabulary.WAC;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
 
 /**
  * 
  * @author erich
  */
 public class WACSecurityEvaluator implements SecurityEvaluator {
-    private HalcyonPrincipal principal;
     private final Model secm;
     private final HashMap<Node,HashMap> cache;
     
@@ -38,29 +42,21 @@ public WACSecurityEvaluator() {
         ds.end();
     }
     
-    public void setPrincipal( HalcyonPrincipal principal ) {
-        this.principal = principal;
-    }
-    
     public Model getSecurityModel() {
         return secm;
     }
 
     @Override
     public boolean evaluate(Object principal, Action action, Node graphIRI) {
-        return true;
-        /*
         HalcyonPrincipal hp = (HalcyonPrincipal) principal;
         if (graphIRI.matches(HAL.CollectionsAndResources.asNode())) {
             return true;
         }
         if (cache.containsKey(graphIRI)) {
             if (cache.get(graphIRI).containsKey(action)) {
-                //System.out.println("CACHE HIT!!!");
                 return true;
             }
         }
-        //System.out.println("CACHE MISS!!!");
         HashMap<Action,Boolean> set = new HashMap<>();
         cache.put(graphIRI, set);
         ParameterizedSparqlString pss = new ParameterizedSparqlString("""
@@ -78,7 +74,7 @@ public boolean evaluate(Object principal, Action action, Node graphIRI) {
         pss.setIri("member", hp.getURNUUID());
         boolean ha = QueryExecutionFactory.create(pss.toString(), secm).execAsk();
         set.put(action, ha);
-        return ha;*/
+        return ha;
     }
     
     private boolean evaluate( Object principal, Triple triple ) {
@@ -121,7 +117,14 @@ public boolean evaluateUpdate(Object principal, Node graphIRI, Triple from, Trip
 
     @Override
     public Principal getPrincipal() {
-        return principal;
+        try {
+            Claims dc = (Claims) SecurityUtils.getSubject().getPrincipal();
+  //          System.out.println(dc.getId());
+            return new HalcyonPrincipal(dc);
+        } catch (org.apache.shiro.UnavailableSecurityManagerException ex) {
+            //System.out.println(ex.toString());
+        }
+        return HalcyonSession.get().getHalcyonPrincipal();
     }
 
     @Override
diff --git a/src/main/java/com/ebremer/halcyon/filesystem/DirectoryProcessor.java b/src/main/java/com/ebremer/halcyon/filesystem/DirectoryProcessor.java
index 2803794e..e31c3a92 100644
--- a/src/main/java/com/ebremer/halcyon/filesystem/DirectoryProcessor.java
+++ b/src/main/java/com/ebremer/halcyon/filesystem/DirectoryProcessor.java
@@ -4,6 +4,7 @@
 import com.ebremer.halcyon.datum.EB;
 import com.ebremer.halcyon.datum.Scan;
 import com.ebremer.ns.HAL;
+import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -43,19 +44,14 @@ public class DirectoryProcessor {
     public static final int TIF = 6;
     public static final int NDPI = 7;
     public static final int DFIX = 1701;
-    public int cores = 5;
+    public final int cores;
     private final Dataset buffer;
     private CopyOnWriteArrayList list = null;
     
     public DirectoryProcessor(Dataset buffer) {
         this.buffer = buffer;
         list = GetExisting();
-    }    
-    
-    public DirectoryProcessor(Dataset buffer, int numcores) {
-        this.buffer = buffer;
-        cores = numcores;
-        list = GetExisting();
+        cores = 4;
     }
     
     public Model PathInfo(String s) {
@@ -85,8 +81,7 @@ public void Traverse(Path src, String[] ext, int ftype) {
             Stream<Path> yay = Files.walk(src);
             ForkJoinPool fjp = null;
             try {
-                //fjp = new ForkJoinPool(cores);
-                fjp = new ForkJoinPool(1);
+                fjp = new ForkJoinPool(cores);
                 fjp.submit(()->yay.collect(toList()).parallelStream()
                     .filter(Objects::nonNull)
                     .filter(fff -> {
@@ -108,19 +103,14 @@ public void Traverse(Path src, String[] ext, int ftype) {
                         System.out.println("Processing : "+xxx);
                         FileMetaExtractor fe = new FileMetaExtractor(e.toFile());
                         Model m = fe.getDataset().getNamedModel(xxx);
-                        //System.out.println("SIZE : "+m.size());
-                        
-                        if (m!=null) {
-                            buffer.begin(ReadWrite.WRITE);
-                            buffer.getDefaultModel().add(fe.getCoreMeta());
-                            Model pathinfo = PathInfo(xxx);
-                            buffer.addNamedModel(HAL.CollectionsAndResources, pathinfo);
-                            buffer.addNamedModel(xxx, m);
-                            buffer.commit();
-                            buffer.end();                            
-                        } else {
-                            System.out.println("NULLLLLLLLLLLLLLLLL");
-                        }
+                        m.createResource(xxx).addProperty(RDF.type, HAL.FileManagerArtifact);
+                        buffer.begin(ReadWrite.WRITE);
+                        buffer.getDefaultModel().add(fe.getCoreMeta());
+                        Model pathinfo = PathInfo(xxx);
+                        buffer.addNamedModel(HAL.CollectionsAndResources, pathinfo);
+                        buffer.addNamedModel(xxx, m);
+                        buffer.commit();
+                        buffer.end();                            
                     })
                 ).get();
             } catch (InterruptedException | ExecutionException ex) {
@@ -160,27 +150,8 @@ public final CopyOnWriteArrayList GetExisting() {
         while (results.hasNext()) {
             QuerySolution sol = results.nextSolution();
             cur.add(sol.get("g").toString());
-            //System.out.println("existing : "+sol.get("g").toString());
         }
         ds.end();
         return cur;
     }
-    
-    /*
-    
-    public static void main(String[] args) throws FileNotFoundException {
-        ch.qos.logback.classic.Logger root = (ch.qos.logback.classic.Logger)(org.slf4j.Logger)LoggerFactory.getLogger(org.slf4j.Logger.ROOT_LOGGER_NAME);
-        root.setLevel(ch.qos.logback.classic.Level.OFF);       
-        String[] tmp = {"D:\\HalcyonStorage", "D:\\legacy\\images.nq"};
-        args = tmp;
-        Dataset ds = DatasetFactory.createTxnMem();
-        DirectoryProcessor dp = new DirectoryProcessor(ds);
-        dp.Traverse(Path.of(args[0]), GetExtensions(DirectoryProcessor.ZIP), DirectoryProcessor.ZIP);
-        FileOutputStream fos = new FileOutputStream(new File(args[1]));
-        ds.begin();
-        RDFDataMgr.write(fos, ds, RDFFormat.TRIG_PRETTY);
-        ds.end();
-        //dc.shutdown();
-        System.out.println("DONE.");
-    }*/
-}
\ No newline at end of file
+}
diff --git a/src/main/java/com/ebremer/halcyon/filesystem/FileManager.java b/src/main/java/com/ebremer/halcyon/filesystem/FileManager.java
index e4501752..da464ff2 100644
--- a/src/main/java/com/ebremer/halcyon/filesystem/FileManager.java
+++ b/src/main/java/com/ebremer/halcyon/filesystem/FileManager.java
@@ -3,12 +3,25 @@
 import com.ebremer.halcyon.HalcyonSettings;
 import com.ebremer.halcyon.datum.DataCore;
 import static com.ebremer.halcyon.filesystem.DirectoryProcessor.GetExtensions;
+import java.io.FileNotFoundException;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.Timer;
 import java.util.TimerTask;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import org.apache.jena.query.Dataset;
+import org.apache.jena.query.ParameterizedSparqlString;
+import org.apache.jena.query.QueryExecution;
+import org.apache.jena.query.QueryExecutionFactory;
+import org.apache.jena.query.ReadWrite;
+import org.apache.jena.query.ResultSet;
+import org.apache.jena.update.UpdateAction;
+import org.apache.jena.update.UpdateFactory;
+import org.apache.jena.update.UpdateRequest;
 
 /**
  *
@@ -46,6 +59,7 @@ public void run() {
                     dp.Traverse(p, GetExtensions(DirectoryProcessor.TIF), DirectoryProcessor.TIF);
                     dp.Traverse(p, GetExtensions(DirectoryProcessor.NDPI), DirectoryProcessor.NDPI);
                 }
+                ValidateData();
                 resume();
             }
         };
@@ -55,6 +69,7 @@ public void run() {
 
     public synchronized static FileManager getInstance() {
         if (fm==null) {
+            System.out.println("Starting File Manager...");
             fm = new FileManager();
         }
         return fm;
@@ -67,4 +82,42 @@ public void ListStorageAreas() {
             Path p = i.next().path;
         }
     }
+    
+    public void ValidateData() {
+        Dataset ds = DataCore.getInstance().getDataset();
+        ds.begin(ReadWrite.READ);
+        QueryExecution qe = QueryExecutionFactory.create("select distinct ?g where {graph ?g {?g ?p ?o}}", ds);
+        ResultSet results = qe.execSelect().materialise();
+        ds.end();
+        results.forEachRemaining(qs->{
+            String r = qs.get("g").toString();
+            if (r.startsWith("file:/")) {
+                try {
+                    URI uri = new URI(r);
+                    Path path = Path.of(uri);
+                    if (!path.toFile().exists()) {
+                        UpdateRequest request = UpdateFactory.create();
+                        ParameterizedSparqlString pss = new ParameterizedSparqlString("delete where {graph ?g {?s ?p ?o}}");
+                        pss.setIri("g", r);
+                        request.add(pss.toString());
+                        ds.begin(ReadWrite.WRITE);
+                        UpdateAction.execute(request, ds);
+                        ds.commit();
+                        ds.end();
+                        System.out.println("DELETED : "+r);
+                    }
+                } catch (URISyntaxException ex) {
+                    System.out.println("NG --> "+r);
+                    Logger.getLogger(FileManager.class.getName()).log(Level.SEVERE, null, ex);
+                }
+            }
+        });
+    }
+    
+    public static void main(String[] args) throws FileNotFoundException {
+        loci.common.DebugTools.setRootLevel("WARN");
+        DataCore dc = DataCore.getInstance();
+        //while (true) {}
+        //FileManager fm = FileManager.getInstance();
+    }
 }
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/halcyon/filesystem/FileMetaExtractor.java b/src/main/java/com/ebremer/halcyon/filesystem/FileMetaExtractor.java
index ba3fe54e..e894ab52 100644
--- a/src/main/java/com/ebremer/halcyon/filesystem/FileMetaExtractor.java
+++ b/src/main/java/com/ebremer/halcyon/filesystem/FileMetaExtractor.java
@@ -1,5 +1,6 @@
 package com.ebremer.halcyon.filesystem;
 
+import com.ebremer.halcyon.HalcyonSettings;
 import com.ebremer.halcyon.datum.EB;
 import com.ebremer.ns.HAL;
 import com.ebremer.ns.LOC;
@@ -82,10 +83,10 @@ private void Process() {
                     ROCrateReader roc = new ROCrateReader(file.toURI());
                     //z = roc.getManifest(fixe);
                     z = roc.getManifest();
-                    System.out.println("LOADED : "+z.size());
-                    System.out.println("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
-                    RDFDataMgr.write(System.out, z, RDFFormat.TURTLE_PRETTY);
-                    System.out.println("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
+                    //System.out.println("LOADED : "+z.size());
+                    //System.out.println("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
+                    //RDFDataMgr.write(System.out, z, RDFFormat.TURTLE_PRETTY);
+                    //System.out.println("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
                     UpdateRequest update = UpdateFactory.create();
                     ParameterizedSparqlString pss = new ParameterizedSparqlString("""
                         delete {?s ?p ?o}
@@ -109,9 +110,9 @@ private void Process() {
                     update.add(pss.toString());
                     UpdateAction.execute(update, z);
                     m.add(z);
-                    System.out.println("Extracted ========================================================\n");
-                    RDFDataMgr.write(System.out, m, Lang.TURTLE);
-                    System.out.println("Extracted END END END ============================================");
+                    //System.out.println("Extracted ========================================================\n");
+                    //RDFDataMgr.write(System.out, m, Lang.TURTLE);
+                    //System.out.println("Extracted END END END ============================================");
                    // roc.close();
                 } catch (IOException ex) {
                     Logger.getLogger(FileMetaExtractor.class.getName()).log(Level.SEVERE, null, ex);
@@ -130,9 +131,10 @@ private void Process() {
                 System.out.println("Unknown file type : "+extension);
         }
         ZonedDateTime dateTime = ZonedDateTime.now();
-        m.addLiteral(s, HAL.dateRegistered, dateTime.format(formatter));
+        m.addLiteral(s, SchemaDO.datePublished, dateTime.format(formatter));
         m.add(s, SchemaDO.name, s.getLocalName());
         m.addLiteral(s,SchemaDO.contentSize,file.length());
+        s.addProperty(SchemaDO.instrument, HalcyonSettings.HALCYONAGENT);
     }
     
     public void CalculateMD5() {
@@ -161,18 +163,10 @@ public Model ImageFileExtractor() {
             m.add(ss,RDF.type,SchemaDO.ImageObject);
             m.addLiteral(ss,EXIF.width,reader.getSizeX());
             m.addLiteral(ss,EXIF.height,reader.getSizeY());
+            reader.close();
         } catch (FormatException | IOException ex) {
             
         }
         return m;
     }
-    
-    /*
-    public static void main(String[] args) {
-        DebugTools.setRootLevel("WARN");
-        File f = new File("D:\\HalcyonStorage\\demo2\\coad_CM-5348\\Cdysplasia_heatmap_TCGA-CM-5348-01Z-00-DX1.2ad0b8f6-684a-41a7-b568-26e97675cce9.zip");
-        FileMetaExtractor fe = new FileMetaExtractor(f);
-        RDFDataMgr.write(System.out, fe.getDataset(), RDFFormat.TRIG_PRETTY);     
-    } 
-*/
-}
\ No newline at end of file
+}
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/HalcyonProxyServlet.java b/src/main/java/com/ebremer/halcyon/fuseki/HalcyonProxyServlet.java
new file mode 100644
index 00000000..97c75278
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/fuseki/HalcyonProxyServlet.java
@@ -0,0 +1,34 @@
+package com.ebremer.halcyon.fuseki;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.keycloak.KeycloakSecurityContext;
+import org.mitre.dsmiley.httpproxy.ProxyServlet;
+
+/**
+ *
+ * @author erich
+ */
+public class HalcyonProxyServlet extends ProxyServlet {
+    
+    private KeycloakSecurityContext getKeycloakSecurityContext(HttpServletRequest request) {
+        return (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
+    } 
+    
+    @Override
+    protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        super.service(request, response);
+        /*
+        KeycloakSecurityContext securityContext = getKeycloakSecurityContext(request);
+        String token = securityContext.getIdTokenString();
+        HashMap<String,String> list = new HashMap<>();
+        list.put("token", token);
+        System.out.println("======================================================================");
+        System.out.println(token);
+        System.out.println("======================================================================");
+*/
+        //super.service(new AddParamsToHeader(request), response);
+    }
+}
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/HalcyonSecurityHandler.java b/src/main/java/com/ebremer/halcyon/fuseki/HalcyonSecurityHandler.java
new file mode 100644
index 00000000..4d1939ad
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/fuseki/HalcyonSecurityHandler.java
@@ -0,0 +1,49 @@
+package com.ebremer.halcyon.fuseki;
+
+import com.ebremer.halcyon.datum.AddParamsToHeader;
+import java.io.IOException;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+import org.eclipse.jetty.security.RoleInfo;
+import org.eclipse.jetty.security.SecurityHandler;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Response;
+import org.eclipse.jetty.server.UserIdentity;
+
+/**
+ *
+ * @author erich
+ */
+public class HalcyonSecurityHandler extends SecurityHandler {
+    
+    public HalcyonSecurityHandler() {
+        
+    }
+
+    @Override
+    protected RoleInfo prepareConstraintInfo(String string, Request rqst) {
+        System.out.println("prepareConstraintInfo");
+        RoleInfo ri = new RoleInfo();
+        return ri;
+    }
+
+    @Override
+    protected boolean checkUserDataPermissions(String string, Request rqst, Response rspns, RoleInfo ri) throws IOException {
+        System.out.println("checkUserDataPermissions");       
+        System.out.println("YES!!!!! ---> "+rqst.getHeader(AddParamsToHeader.HID));
+        Subject s = SecurityUtils.getSubject();
+        return true;
+    }
+
+    @Override
+    protected boolean isAuthMandatory(Request rqst, Response rspns, Object o) {
+        System.out.println("isAuthMandatory");
+        return false;
+    }
+
+    @Override
+    protected boolean checkWebResourcePermissions(String string, Request rqst, Response rspns, Object o, UserIdentity ui) throws IOException {
+        System.out.println("checkWebResourcePermissions");
+        return true;
+    }
+}
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/SPARQLEndPoint.java b/src/main/java/com/ebremer/halcyon/fuseki/SPARQLEndPoint.java
new file mode 100644
index 00000000..5d8f4a6d
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/fuseki/SPARQLEndPoint.java
@@ -0,0 +1,148 @@
+package com.ebremer.halcyon.fuseki;
+
+import com.ebremer.halcyon.HalcyonSettings;
+import com.ebremer.halcyon.datum.DataCore;
+import com.ebremer.halcyon.datum.SessionsManager;
+import com.ebremer.halcyon.keycloak.HALKeycloakOIDCFilter;
+import com.ebremer.halcyon.keycloak.KeycloakOIDCFilterConfig;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.EnumSet;
+import java.util.List;
+import javax.servlet.DispatcherType;
+import org.apache.jena.fuseki.main.FusekiServer;
+import org.keycloak.adapters.servlet.KeycloakOIDCFilter;
+import org.apache.shiro.web.env.EnvironmentLoaderListener;
+import org.apache.shiro.web.servlet.ShiroFilter;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.SessionIdManager;
+import org.eclipse.jetty.server.session.DefaultSessionIdManager;
+import org.eclipse.jetty.server.session.SessionHandler;
+import org.eclipse.jetty.servlet.FilterHolder;
+import org.eclipse.jetty.servlet.FilterMapping;
+import org.eclipse.jetty.servlet.ServletContextHandler;
+import org.eclipse.jetty.servlet.ServletHandler;
+
+/**
+ *
+ * @author erich
+ */
+public class SPARQLEndPoint {
+    private static SPARQLEndPoint sep = null;
+    private static FusekiServer server = null;
+    
+    private SPARQLEndPoint() {       
+        System.out.println("Starting Fuseki...");
+        KeycloakOIDCFilterConfig config = new KeycloakOIDCFilterConfig("keycloak");
+        config.setInitParameter(KeycloakOIDCFilter.CONFIG_FILE_PARAM, "keycloak.json");
+        HALKeycloakOIDCFilter filter = new HALKeycloakOIDCFilter();
+        filter.setSessionIdMapper(SessionsManager.getSessionsManager().getSessionIdMapper());
+        filter.setConfig(config);
+        server = FusekiServer.create()
+            .add("/rdf", DataCore.getInstance().getSecuredDataset())
+           // .loopback(true)
+          //  .securityHandler(new HalcyonSecurityHandler())
+            
+            .enableCors(true)
+            .port(HalcyonSettings.getSettings().GetSPARQLPort())
+           // .addFilter("/*", filter)
+            .build();
+        config.setContext(server.getServletContext());
+        //SessionHandler sessionHandler = new SessionHandler();
+        //DefaultSessionCache sessionCache = new DefaultSessionCache(sessionHandler);
+        //DefaultSessionIdManager sim = new DefaultSessionIdManager(server.getJettyServer());
+        //server.getJettyServer().setSessionIdManager(sim);
+        
+        Server jettyServer = server.getJettyServer();
+        ServletContextHandler servletContextHandler = (ServletContextHandler) jettyServer.getHandler();
+        
+        ServletHandler servletHandler = servletContextHandler.getServletHandler();
+        
+        EnvironmentLoaderListener ell = new EnvironmentLoaderListener();
+        servletContextHandler.addEventListener(ell);
+        
+        List<FilterMapping> mappings = new ArrayList<>(Arrays.asList(servletHandler.getFilterMappings()));
+        List<FilterHolder> holders = new ArrayList<>(Arrays.asList(servletHandler.getFilters()));
+        {
+            FilterHolder holder1 = new FilterHolder();
+            holder1.setName("halcyonfusekifilter");
+            
+            FilterHolder keycloakholder1 = new FilterHolder();
+            keycloakholder1.setName("halcyonkeycloakfilter");
+            
+            holder1.setFilter(new ShiroFilter());
+            keycloakholder1.setFilter(filter);
+            
+            FilterMapping mapping1 = new FilterMapping();
+            mapping1.setFilterName(holder1.getName());
+            mapping1.setPathSpec("/*");
+            mapping1.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
+
+            FilterMapping keycloakmapping1 = new FilterMapping();
+            keycloakmapping1.setFilterName(keycloakholder1.getName());
+            keycloakmapping1.setPathSpec("/rdf");
+            keycloakmapping1.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
+            
+            
+            mappings.add(0, mapping1);
+            holders.add(0, holder1);
+            
+            //mappings.add(0, keycloakmapping1);
+            //holders.add(0, keycloakholder1);
+        }
+        
+        FilterMapping[] mappings3 = new FilterMapping[mappings.size()];
+        mappings3 = mappings.toArray(mappings3);
+        FilterHolder[] holders3 = new FilterHolder[holders.size()];
+        holders3 = holders.toArray(holders3);
+        servletHandler.setFilters(holders3);
+        servletHandler.setFilterMappings(mappings3);
+        
+        SessionIdManager idmanager = new DefaultSessionIdManager(jettyServer);
+        jettyServer.setSessionIdManager(idmanager);
+        
+        SessionHandler sessionsHandler = new SessionHandler();
+        //sessionsHandler.setUsingCookies(false);
+        servletHandler.setHandler(sessionsHandler);
+        sessionsHandler.getSessionCookieConfig().setName("JETTYFUSEKISESSION");
+                
+        server.start();
+    }
+    
+    public static FusekiServer getFusekiServer() {
+        return server;
+    }
+    
+    /*
+    
+    private static void configureShiro() {
+        String iniConfig =
+            """
+            [users]
+            admin=admin,administrator
+            user=user,user
+            [roles]
+            administrator=admin:*,read:*,write:*,execute:*,create:*,delete:*
+            user=read:*,write:*,execute:*
+            """;
+        InputStream input = new ByteArrayInputStream(iniConfig.getBytes());
+        Ini ini = new Ini();
+        ini.load(input);
+        CustomShiroConfigurator shiroConfigurator = new CustomShiroConfigurator(ini);
+        SecurityManager securityManager = shiroConfigurator.getSecurityManager();
+        SecurityUtils.setSecurityManager(securityManager);
+    }*/
+    
+    public static SPARQLEndPoint getSPARQLEndPoint() {
+        if (sep==null) {
+            sep = new SPARQLEndPoint();
+        }
+        return sep;
+    }
+    
+    public void shutdown() {
+        if (server!=null) {
+            server.stop();
+        }
+    }
+}
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/GetPublicKey.java b/src/main/java/com/ebremer/halcyon/fuseki/jwt/GetPublicKey.java
new file mode 100644
index 00000000..deacac8e
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/fuseki/jwt/GetPublicKey.java
@@ -0,0 +1,62 @@
+/*
+ * Click nbfs://nbhost/SystemFileSystem/Templates/Licenses/license-default.txt to change this license
+ * Click nbfs://nbhost/SystemFileSystem/Templates/Classes/Class.java to edit this template
+ */
+package com.ebremer.halcyon.fuseki.jwt;
+
+import com.ebremer.halcyon.HalcyonSettings;
+import jakarta.json.Json;
+import jakarta.json.JsonObject;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.StringReader;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+
+/**
+ *
+ * @author erich
+ */
+public class GetPublicKey {
+    private String oidcConfigurationUrl = "http://localhost:"+HalcyonSettings.getSettings().GetHostPort() + "/auth/realms/master/.well-known/openid-configuration";
+    private PublicKey publicKey;
+    
+    public GetPublicKey() {
+        try {
+            publicKey = fetchPublicKeyFromKeycloak();
+        } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e) {
+            throw new RuntimeException("Error fetching public key from Keycloak server", e);
+        }
+    }
+    
+    public PublicKey getPublicKey() {
+        return publicKey;
+    }
+    
+    private PublicKey fetchPublicKeyFromKeycloak() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
+        InputStream inputStream = new URL(oidcConfigurationUrl).openStream();
+        String oidcConfiguration = new String(inputStream.readAllBytes(), StandardCharsets.UTF_8);
+        JsonObject configJson = Json.createReader(new StringReader(oidcConfiguration)).readObject();
+
+        String jwksUrl = configJson.getString("jwks_uri");
+        inputStream = new URL(jwksUrl).openStream();
+        String jwksJson = new String(inputStream.readAllBytes(), StandardCharsets.UTF_8);
+        JsonObject jwks = Json.createReader(new StringReader(jwksJson)).readObject();
+
+        String publicKeyPem = jwks.getJsonArray("keys").getJsonObject(0).getJsonArray("x5c").getString(0);
+        String publicKeyDer = "-----BEGIN CERTIFICATE-----\n" + publicKeyPem + "\n-----END CERTIFICATE-----";
+        publicKeyDer = publicKeyDer.replace("-----BEGIN CERTIFICATE-----\n", "").replace("\n-----END CERTIFICATE-----", "");
+        byte[] publicKeyBytes = Base64.getDecoder().decode(publicKeyDer);
+        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
+        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+        return keyFactory.generatePublic(keySpec);
+    }
+    
+}
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtAuthenticatingFilter.java b/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtAuthenticatingFilter.java
new file mode 100644
index 00000000..65a685a2
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtAuthenticatingFilter.java
@@ -0,0 +1,23 @@
+package com.ebremer.halcyon.fuseki.jwt;
+
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+public class JwtAuthenticatingFilter extends AuthenticatingFilter {
+    private static final String TOKEN_HEADER = "token";
+
+    @Override
+    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) throws Exception {
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
+        String jwt = httpRequest.getHeader(TOKEN_HEADER);
+        return new JwtToken(jwt);
+    }
+
+    @Override
+    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
+        return executeLogin(request, response);
+    }
+}
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtRealm.java b/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtRealm.java
new file mode 100644
index 00000000..693509c8
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtRealm.java
@@ -0,0 +1,73 @@
+package com.ebremer.halcyon.fuseki.jwt;
+
+import io.jsonwebtoken.Claims;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.apache.shiro.subject.SimplePrincipalCollection;
+
+public class JwtRealm extends AuthorizingRealm {
+    
+    public JwtRealm() {
+        
+    }
+
+    @Override
+    public boolean supports(AuthenticationToken token) {
+        return token instanceof JwtToken;
+    }
+
+    @Override
+    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
+        System.out.println("Implement your authorization logic here based on the user's roles and permissions.");
+        return null;
+    }
+
+    @Override
+    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
+        JwtToken jwtToken = (JwtToken) token;
+        Claims claims = jwtToken.getClaims();
+        SimplePrincipalCollection principalCollection = new SimplePrincipalCollection(claims, getName());
+        return new SimpleAuthenticationInfo(principalCollection, token.getCredentials());
+    }
+}
+
+
+/*
+public class JwtRealm extends AuthenticatingRealm {
+    private PublicKey publicKey = null;
+    
+    public JwtRealm() {
+        System.out.println("JWT Realm initialized...");
+    }
+
+    @Override
+    public boolean supports(AuthenticationToken token) {
+        return token instanceof JwtToken;
+    }
+
+    @Override
+    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
+        System.out.println("doGetAuthenticationInfo(AuthenticationToken token) "+publicKey);
+        if (publicKey==null) {
+            GetPublicKey gpk = new GetPublicKey();
+            publicKey = gpk.getPublicKey();
+        }
+        JwtToken jwtToken = (JwtToken) token;
+        String jwt = jwtToken.getToken();
+        try {
+            Jws<Claims> jws = Jwts.parserBuilder()
+                    .setSigningKey(publicKey)
+                    .build()
+                    .parseClaimsJws(jwt);
+            String subject = jws.getBody().getSubject();
+            return new SimpleAuthenticationInfo(subject, jwt, getName());
+        } catch (JwtException e) {
+            throw new AuthenticationException("Invalid JWT", e);
+        }
+    }
+}
+*/
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtToken.java b/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtToken.java
new file mode 100644
index 00000000..2256f37e
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtToken.java
@@ -0,0 +1,32 @@
+package com.ebremer.halcyon.fuseki.jwt;
+
+import io.jsonwebtoken.Claims;
+import java.security.PublicKey;
+import org.apache.shiro.authc.AuthenticationToken;
+
+public class JwtToken implements AuthenticationToken {
+
+    private final String token;
+    private final Claims claims;
+
+    public JwtToken(String token) {
+        this.token = token;
+        PublicKey publicKey = KeycloakPublicKeyFetcher.getKeycloakPublicKeyFetcher().getPublicKey();
+        this.claims = new JwtVerifier(publicKey).verify(token);
+    }
+
+    @Override
+    public Object getPrincipal() {
+        return getClaims().getSubject();
+    }
+
+    @Override
+    public Object getCredentials() {
+        return token;
+    }
+
+    public Claims getClaims() {
+        return claims;
+    }
+}
+
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtVerifier.java b/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtVerifier.java
new file mode 100644
index 00000000..b80cb7fd
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtVerifier.java
@@ -0,0 +1,30 @@
+package com.ebremer.halcyon.fuseki.jwt;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.JwtParserBuilder;
+import io.jsonwebtoken.Jwts;
+import java.security.PublicKey;
+
+public class JwtVerifier {
+    private final PublicKey publicKey;
+
+    public JwtVerifier(PublicKey publicKey) {
+        this.publicKey = publicKey;
+    }
+
+    public Claims verify(String token) {
+        JwtParserBuilder b = Jwts.parserBuilder();
+        Jws<Claims> claimx;
+        try {
+            claimx = b
+                .setAllowedClockSkewSeconds(86400)
+                .setSigningKey(publicKey)
+                .build().parseClaimsJws(token);
+            return claimx.getBody();
+        } catch (io.jsonwebtoken.ExpiredJwtException ex) {
+            System.out.println("ARRRGGGG JWT expired!!!!");
+        }
+        return null;
+    }
+}
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/KeycloakPublicKeyFetcher.java b/src/main/java/com/ebremer/halcyon/fuseki/jwt/KeycloakPublicKeyFetcher.java
new file mode 100644
index 00000000..2a52909b
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/fuseki/jwt/KeycloakPublicKeyFetcher.java
@@ -0,0 +1,85 @@
+package com.ebremer.halcyon.fuseki.jwt;
+
+import com.ebremer.halcyon.HalcyonSettings;
+import jakarta.json.Json;
+import jakarta.json.JsonArray;
+import jakarta.json.JsonObject;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.StringReader;
+import java.math.BigInteger;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.RSAPublicKeySpec;
+import java.util.Base64;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+public class KeycloakPublicKeyFetcher {
+    private static KeycloakPublicKeyFetcher kpkf = null; 
+    private final String oidcConfigurationUrl = "http://localhost:"+HalcyonSettings.getSettings().GetHostPort() + "/auth/realms/master/protocol/openid-connect/certs";
+    private static PublicKey publicKey = null;
+    
+    private KeycloakPublicKeyFetcher() {
+
+    }
+    
+    public PublicKey getPublicKey() {
+        return publicKey;
+    }
+    
+    public static KeycloakPublicKeyFetcher getKeycloakPublicKeyFetcher() {
+        if (kpkf==null) {
+            kpkf = new KeycloakPublicKeyFetcher();
+            try {
+                publicKey = kpkf.fetchPublicKey();
+            } catch (IOException ex) {
+                Logger.getLogger(KeycloakPublicKeyFetcher.class.getName()).log(Level.SEVERE, null, ex);
+            } catch (NoSuchAlgorithmException ex) {
+                Logger.getLogger(KeycloakPublicKeyFetcher.class.getName()).log(Level.SEVERE, null, ex);
+            } catch (InvalidKeySpecException ex) {
+                Logger.getLogger(KeycloakPublicKeyFetcher.class.getName()).log(Level.SEVERE, null, ex);
+            }
+        }
+        return kpkf;
+    }
+
+    private PublicKey fetchPublicKey() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
+        URL url = new URL(oidcConfigurationUrl);
+
+        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
+        connection.setRequestMethod("GET");
+        connection.setRequestProperty("Accept", "application/json");
+
+        if (connection.getResponseCode() != 200) {
+            throw new IOException("Failed to fetch public key from Keycloak: " + connection.getResponseMessage());
+        }
+
+        try (InputStream inputStream = connection.getInputStream()) {
+            String oidcConfiguration = new String(inputStream.readAllBytes(), StandardCharsets.UTF_8);
+            JsonObject configJson = Json.createReader(new StringReader(oidcConfiguration)).readObject();
+            JsonArray keysArray = configJson.getJsonArray("keys");
+            if (!keysArray.isEmpty()) {
+                JsonObject keyObject = keysArray.getJsonObject(0);
+                String modulusBase64 = keyObject.getString("n");
+                String exponentBase64 = keyObject.getString("e");
+
+                BigInteger modulus = new BigInteger(1, Base64.getUrlDecoder().decode(modulusBase64));
+                BigInteger publicExponent = new BigInteger(1, Base64.getUrlDecoder().decode(exponentBase64));
+
+                RSAPublicKeySpec rsaPublicKeySpec = new RSAPublicKeySpec(modulus, publicExponent);
+                KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+                return keyFactory.generatePublic(rsaPublicKeySpec);
+            } else {
+                throw new IllegalArgumentException("No public keys found in the provided JSON.");
+            }
+        } finally {
+            connection.disconnect();
+        }
+    }
+}
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/Test.java b/src/main/java/com/ebremer/halcyon/fuseki/jwt/Test.java
new file mode 100644
index 00000000..a105b229
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/fuseki/jwt/Test.java
@@ -0,0 +1,30 @@
+package com.ebremer.halcyon.fuseki.jwt;
+
+import io.jsonwebtoken.Jwts;
+import java.security.PublicKey;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+
+/**
+ *
+ * @author erich
+ */
+public class Test {
+    public static void main(String[] args) {
+        try {
+            Subject subject = SecurityUtils.getSubject();
+        } catch (org.apache.shiro.UnavailableSecurityManagerException ex) {
+            System.out.println(ex.toString());
+        }
+        //String jwt = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJVNk1TS0gyZmxSS3ZPVGs0OUtFeUVmZmVlNG5Oc2l3YUVZUTZDNmhNS1c0In0.eyJleHAiOjE2ODAzNzQ2NDIsImlhdCI6MTY4MDM3NDU4MiwiYXV0aF90aW1lIjoxNjgwMzc0NTgyLCJqdGkiOiI5NGFhZjQ2NS1lMWU3LTQ0YzgtYmE5Ny1hZDE1ZmFmMDgxOTMiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0Ojg4ODgvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoibWFzdGVyLXJlYWxtIiwic3ViIjoiYTQ2NGNmMmQtNjJjMy00MzkzLTk0NzctNDU1NjZhM2NmYmU1IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWNjb3VudCIsInNlc3Npb25fc3RhdGUiOiI3NDQxM2RkZi1jNzc3LTRiZDItYThiZS1iOGZlMGNiMTczYmUiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiY3JlYXRlLXJlYWxtIiwiYWRtaW4iXX0sInJlc291cmNlX2FjY2VzcyI6eyJtYXN0ZXItcmVhbG0iOnsicm9sZXMiOlsidmlldy1yZWFsbSIsInZpZXctaWRlbnRpdHktcHJvdmlkZXJzIiwibWFuYWdlLWlkZW50aXR5LXByb3ZpZGVycyIsImltcGVyc29uYXRpb24iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwicXVlcnktcmVhbG1zIiwidmlldy1hdXRob3JpemF0aW9uIiwicXVlcnktY2xpZW50cyIsInF1ZXJ5LXVzZXJzIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiLCJxdWVyeS1ncm91cHMiXX19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwic2lkIjoiNzQ0MTNkZGYtYzc3Ny00YmQyLWE4YmUtYjhmZTBjYjE3M2JlIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoiTWlzdGVyIFNwb2NrIiwiZ3JvdXBzIjpbImNyZWF0ZS1yZWFsbSIsImFkbWluIl0sIkhhbGN5b25Hcm91cHMiOlsiL2FkbWluIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZ2l2ZW5fbmFtZSI6Ik1pc3RlciIsImZhbWlseV9uYW1lIjoiU3BvY2sifQ.Jv8uM9jnNkh2r7wVWcReVorxowZHaHfSVgP3gRKLlV8e2vPBf7HE2OpTGffGiXVuJXxFVaY8ExbJ469g7jSIVhPgqZvPqw9sR2YrbhoUIXNuTNWTgK7HfbI8xxiaNzXkxc2G__prltOEGURtHK_Q2XwQjsdct_X8peSTWq6AZnFTqEf3cuVyOBOXQlvUGVr_1vhe8qZ_1QSAOins1Pc4zA7KBrOAWRQHn20qmMkR0Et4K6a62iZoIx36sSuwssegS2iM4RRgrtdKlB7p8B0Lrbj4PPU02QVhfSas900QgQ4Sm2Zx6r9COzXKdEevJr6-NduB9uWWDGbfdTqj7XtJmA";
+        //String jwt = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJVNk1TS0gyZmxSS3ZPVGs0OUtFeUVmZmVlNG5Oc2l3YUVZUTZDNmhNS1c0In0.eyJleHAiOjE2ODA1NDYyMDQsImlhdCI6MTY4MDU0NjE0NCwiYXV0aF90aW1lIjoxNjgwNTQ2MTQ0LCJqdGkiOiJiZWMxMTRkMi1lMzFjLTRjYTUtOGI2ZC01YjczYmNkN2RlNmQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0Ojg4ODgvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoibWFzdGVyLXJlYWxtIiwic3ViIjoiYTQ2NGNmMmQtNjJjMy00MzkzLTk0NzctNDU1NjZhM2NmYmU1IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWNjb3VudCIsInNlc3Npb25fc3RhdGUiOiI3YWZlNmI1Yi03Y2JiLTQxOWQtOThiMy04NDZmMGFhMDhkNzciLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiY3JlYXRlLXJlYWxtIiwiYWRtaW4iXX0sInJlc291cmNlX2FjY2VzcyI6eyJtYXN0ZXItcmVhbG0iOnsicm9sZXMiOlsidmlldy1yZWFsbSIsInZpZXctaWRlbnRpdHktcHJvdmlkZXJzIiwibWFuYWdlLWlkZW50aXR5LXByb3ZpZGVycyIsImltcGVyc29uYXRpb24iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwicXVlcnktcmVhbG1zIiwidmlldy1hdXRob3JpemF0aW9uIiwicXVlcnktY2xpZW50cyIsInF1ZXJ5LXVzZXJzIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiLCJxdWVyeS1ncm91cHMiXX19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwic2lkIjoiN2FmZTZiNWItN2NiYi00MTlkLTk4YjMtODQ2ZjBhYTA4ZDc3IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoiTWlzdGVyIFNwb2NrIiwiZ3JvdXBzIjpbImNyZWF0ZS1yZWFsbSIsImFkbWluIl0sIkhhbGN5b25Hcm91cHMiOlsiL2FkbWluIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZ2l2ZW5fbmFtZSI6Ik1pc3RlciIsImZhbWlseV9uYW1lIjoiU3BvY2sifQ.GnT3eqDnIeQJtx7vAptoXoVSJ__7FfiWZN9bROheZB5_7zLalZdYuBgeMqNZ5eCVuYTTzEdK_cpHtxmcb0Tmidel5CzJdudoycHDHlTpzylMgta7740qS0kPLQV9dOPEt3xoRDmUA4D9NhvoKWH6pTdXvyql22eHUAIoJ-POgCuuEmZ6x80HmQRHntRXtUma391asqiDWfkMbyBpyE3ASvzYsmIVww0AvhfWsWIfoSunm2aDGGMwAXyzJMPsCxFac63UtqxQ0qvFSpqzvz9GIV46UleziRZ_63MBfqxBiKG6QCfl3GsRY45qIe5iF_i_Be4_y8HHk1WEesq-k4YNTA";
+        String jwt = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJVNk1TS0gyZmxSS3ZPVGs0OUtFeUVmZmVlNG5Oc2l3YUVZUTZDNmhNS1c0In0.eyJleHAiOjE2ODA1NDYyMDQsImlhdCI6MTY4MDU0NjE0NCwiYXV0aF90aW1lIjoxNjgwNTQ2MTQ0LCJqdGkiOiJiZWMxMTRkMi1lMzFjLTRjYTUtOGI2ZC01YjczYmNkN2RlNmQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0Ojg4ODgvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoibWFzdGVyLXJlYWxtIiwic3ViIjoiYTQ2NGNmMmQtNjJjMy00MzkzLTk0NzctNDU1NjZhM2NmYmU1IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWNjb3VudCIsInNlc3Npb25fc3RhdGUiOiI3YWZlNmI1Yi03Y2JiLTQxOWQtOThiMy04NDZmMGFhMDhkNzciLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiY3JlYXRlLXJlYWxtIiwiYWRtaW4iXX0sInJlc291cmNlX2FjY2VzcyI6eyJtYXN0ZXItcmVhbG0iOnsicm9sZXMiOlsidmlldy1yZWFsbSIsInZpZXctaWRlbnRpdHktcHJvdmlkZXJzIiwibWFuYWdlLWlkZW50aXR5LXByb3ZpZGVycyIsImltcGVyc29uYXRpb24iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwicXVlcnktcmVhbG1zIiwidmlldy1hdXRob3JpemF0aW9uIiwicXVlcnktY2xpZW50cyIsInF1ZXJ5LXVzZXJzIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiLCJxdWVyeS1ncm91cHMiXX19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwic2lkIjoiN2FmZTZiNWItN2NiYi00MTlkLTk4YjMtODQ2ZjBhYTA4ZDc3IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoiTWlzdGVyIFNwb2NrIiwiZ3JvdXBzIjpbImNyZWF0ZS1yZWFsbSIsImFkbWluIl0sIkhhbGN5b25Hcm91cHMiOlsiL2FkbWluIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZ2l2ZW5fbmFtZSI6Ik1pc3RlciIsImZhbWlseV9uYW1lIjoiU3BvY2sifQ.GnT3eqDnIeQJtx7vAptoXoVSJ__7FfiWZN9bROheZB5_7zLalZdYuBgeMqNZ5eCVuYTTzEdK_cpHtxmcb0Tmidel5CzJdudoycHDHlTpzylMgta7740qS0kPLQV9dOPEt3xoRDmUA4D9NhvoKWH6pTdXvyql22eHUAIoJ-POgCuuEmZ6x80HmQRHntRXtUma391asqiDWfkMbyBpyE3ASvzYsmIVww0AvhfWsWIfoSunm2aDGGMwAXyzJMPsCxFac63UtqxQ0qvFSpqzvz9GIV46UleziRZ_63MBfqxBiKG6QCfl3GsRY45qIe5iF_i_Be4_y8HHk1WEesq-k4YNTA";
+        PublicKey pk = KeycloakPublicKeyFetcher.getKeycloakPublicKeyFetcher().getPublicKey();
+        Jwts.parserBuilder()
+                .setSigningKey(pk)
+                .setAllowedClockSkewSeconds(600)
+                .build()
+                .parseClaimsJws(jwt);
+    }
+    
+}
diff --git a/src/main/java/com/ebremer/halcyon/gui/CollectionPanel.java b/src/main/java/com/ebremer/halcyon/gui/CollectionPanel.java
index 9e6fddde..0508d374 100644
--- a/src/main/java/com/ebremer/halcyon/gui/CollectionPanel.java
+++ b/src/main/java/com/ebremer/halcyon/gui/CollectionPanel.java
@@ -1,16 +1,12 @@
 package com.ebremer.halcyon.gui;
 
 import com.ebremer.ethereal.LDModel;
-import com.ebremer.ns.HAL;
 import com.ebremer.halcyon.wicket.DatabaseLocator;
 import com.ebremer.ethereal.RDFTextField;
-import org.apache.jena.graph.Triple;
 import org.apache.jena.query.Dataset;
 import org.apache.jena.query.ReadWrite;
 import org.apache.jena.rdf.model.Model;
 import org.apache.jena.rdf.model.Resource;
-import org.apache.jena.riot.RDFDataMgr;
-import org.apache.jena.riot.RDFFormat;
 import org.apache.jena.vocabulary.RDFS;
 import org.apache.wicket.markup.html.form.Button;
 import org.apache.wicket.markup.html.form.Form;
@@ -23,11 +19,10 @@ public class CollectionPanel extends Form<Model> {
     
     public CollectionPanel(String name, LDModel mo) {
         super(name, new LDModel<>(mo));
-        Model m = (Model) mo.getInnermostModelOrObject();
+        //Model m = (Model) mo.getInnermostModelOrObject();
         Resource s = null;
        // Resource s = m.createResource(mo.GetIRI());
        // Triple wow = m.getRequiredProperty(s, RDFS.label).asTriple();
-        System.out.println("Number of triples #### : "+m.size());
         add(new RDFTextField<String>("CollectionName", s, RDFS.label));
         add(new Button("saveButton"));
         add(new Button("resetButton") {
@@ -43,7 +38,7 @@ public void onSubmit() {
         System.out.println("SAVING!");
         Dataset ds = DatabaseLocator.getDatabase().getSecuredDataset();
         ds.begin(ReadWrite.READ);
-        RDFDataMgr.write(System.out, ds.getNamedModel(HAL.Collections.getURI()), RDFFormat.TURTLE_PRETTY);
+        //RDFDataMgr.write(System.out, ds.getNamedModel(HAL.Collections.getURI()), RDFFormat.TURTLE_PRETTY);
         ds.end();
     }   
 }
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/halcyon/gui/HalcyonApplication.java b/src/main/java/com/ebremer/halcyon/gui/HalcyonApplication.java
index ae7df637..16a27ece 100644
--- a/src/main/java/com/ebremer/halcyon/gui/HalcyonApplication.java
+++ b/src/main/java/com/ebremer/halcyon/gui/HalcyonApplication.java
@@ -4,12 +4,16 @@
 import com.ebremer.halcyon.wicket.ListImages;
 import com.ebremer.halcyon.HalcyonSettings;
 import com.ebremer.halcyon.datum.DataCore;
+import com.ebremer.halcyon.fuseki.SPARQLEndPoint;
+import com.ebremer.halcyon.filesystem.FileManager;
 import com.ebremer.halcyon.wicket.AccountPage;
 import com.ebremer.halcyon.wicket.AdminPage;
 import com.ebremer.halcyon.wicket.BasePage;
 import com.ebremer.halcyon.wicket.ethereal.Graph3D;
 import com.ebremer.halcyon.wicket.ethereal.Zephyr;
 import com.ebremer.multiviewer.MultiViewer;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RuntimeConfigurationType;
 import org.apache.wicket.Session;
 import org.apache.wicket.devutils.stateless.StatelessChecker;
@@ -17,10 +21,19 @@
 import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.Request;
 import org.apache.wicket.request.Response;
+import org.apache.wicket.request.cycle.RequestCycle;
 
 public class HalcyonApplication extends WebApplication {
     private static final HalcyonSettings settings = HalcyonSettings.getSettings();
-    private final DataCore datacore = DataCore.getInstance();
+    private final DataCore datacore;
+    private final FileManager fm;
+    private final SPARQLEndPoint sep;
+    
+    public HalcyonApplication() {
+        datacore = DataCore.getInstance();
+        fm = FileManager.getInstance();
+        sep = SPARQLEndPoint.getSPARQLEndPoint();
+    }
     
     public HalcyonSettings getSettings() {
         return settings;
@@ -37,8 +50,13 @@ public Class<? extends WebPage> getHomePage() {
     
     @Override
     public Session newSession(Request request, Response response) {
-        System.out.println("NEW SESSION CREATED!!!!!!!");
-        return new HalcyonSession(request);
+        HalcyonSession hs = new HalcyonSession(request);
+        HttpServletRequest req = (HttpServletRequest) request.getContainerRequest();
+        Cookie[] cookies = req.getCookies();
+        for (Cookie cookie: cookies) {
+            System.out.println("NR : "+cookie.getName()+" ==== "+cookie.getValue());
+        }
+        return hs;
     }
 
     @Override
@@ -50,10 +68,6 @@ public void init() {
         jena.setLevel(ch.qos.logback.classic.Level.ERROR);
         ch.qos.logback.classic.Logger XX = (ch.qos.logback.classic.Logger) org.slf4j.LoggerFactory.getLogger(org.apache.wicket.util.thread.Task.class);
         XX.setLevel(ch.qos.logback.classic.Level.ERROR);
-        
-        //System.setProperty("arrow.memory.debug.allocator", "true");
-        //ch.qos.logback.classic.Logger arrow = (ch.qos.logback.classic.Logger) org.slf4j.LoggerFactory.getLogger("org.apache.arrow");
-        //arrow.setLevel(ch.qos.logback.classic.Level.TRACE);
               
         this.getRequestLoggerSettings().setRequestLoggerEnabled(true);
         this.getRequestLoggerSettings().setRecordSessionSize(true);
@@ -74,6 +88,7 @@ public void init() {
         mountPage("/gui/about", About.class);
         mountPage("/gui/threed", Graph3D.class);
         mountPage("/gui/zephyr", Zephyr.class);
+        mountPage("/gui/public", Public.class);
         //mountPage("/gui/dicom", DICOM.class);
         //mountPage("/gui/dicom2", DCM.class);
     }
diff --git a/src/main/java/com/ebremer/halcyon/gui/HalcyonSession.java b/src/main/java/com/ebremer/halcyon/gui/HalcyonSession.java
index b1831ea7..f4e84837 100644
--- a/src/main/java/com/ebremer/halcyon/gui/HalcyonSession.java
+++ b/src/main/java/com/ebremer/halcyon/gui/HalcyonSession.java
@@ -1,5 +1,6 @@
 package com.ebremer.halcyon.gui;
 
+import com.ebremer.halcyon.keycloak.KeycloakTokenFilter;
 import com.ebremer.halcyon.HalcyonSettings;
 import com.ebremer.halcyon.datum.DataCore;
 import com.ebremer.halcyon.datum.HalcyonPrincipal;
@@ -10,7 +11,7 @@
 import jakarta.json.JsonReader;
 import java.io.StringReader;
 import java.util.Locale;
-import java.util.Map;
+import java.util.UUID;
 import javax.ws.rs.client.ClientBuilder;
 import javax.ws.rs.client.Invocation;
 import javax.ws.rs.core.Response;
@@ -20,6 +21,8 @@
 import org.apache.jena.rdf.model.Model;
 import org.apache.jena.rdf.model.ModelFactory;
 import org.apache.jena.rdf.model.Resource;
+import org.apache.jena.riot.RDFDataMgr;
+import org.apache.jena.riot.RDFFormat;
 import org.apache.jena.vocabulary.RDF;
 import org.apache.jena.vocabulary.SchemaDO;
 import org.apache.wicket.Session;
@@ -45,61 +48,70 @@ public HalcyonSession(Request request) {
         setLocale(Locale.ENGLISH);
         ServletWebRequest req = (ServletWebRequest) request;
         KeycloakSecurityContext securityContext = (KeycloakSecurityContext) req.getContainerRequest().getAttribute(KeycloakSecurityContext.class.getName());
-        AccessToken token2 = securityContext.getToken();
-        this.token = securityContext.getTokenString();
-        //realm = securityContext.getRealm();
-        //uid = token2.getSubject();
-        //name = token2.getName();
-        //email = token2.getEmail(); 
-        uuid = "urn:uuid:"+token2.getSubject();
-        principal = new HalcyonPrincipal(uuid);
-        //Map<String, Object> other = token2.getOtherClaims();
-        //webid = (String) other.get("webid");
-        ResteasyClientBuilder builder =  (ResteasyClientBuilder) ClientBuilder.newBuilder();
-        builder.disableTrustManager();
-	ResteasyClient client = builder.build();
-	client.register(KeycloakTokenFilter.class);
-        String cmd = s.getProxyHostName()+"/auth/admin/realms/"+HalcyonSettings.realm+"/users";
-        ResteasyWebTarget target = client.target(cmd);
-        Invocation.Builder zam = target.request();
-        Response r = zam.get();
-        Model da = ModelFactory.createDefaultModel();
-        if (r.getStatus()==200) {
-            String json = r.readEntity(String.class);
-            da.add(ParseUsers(json));    
+        if (securityContext==null) {
+            uuid = "urn:uuid:"+UUID.randomUUID().toString();
+            token = null;
+            principal = new HalcyonPrincipal(uuid, true);
         } else {
-            System.out.println("not able to update/Parse users...");
+            AccessToken token2 = securityContext.getToken();
+            this.token = securityContext.getTokenString();
+            uuid = "urn:uuid:"+token2.getSubject();
+            principal = new HalcyonPrincipal(uuid, false);
         }
-        r = client.target(s.getProxyHostName()+"/auth/admin/realms/"+HalcyonSettings.realm+"/groups").request().get();
-        if (r.getStatus()==200) {
-            String json = r.readEntity(String.class);
-            da.add(ParseGroups(json));
-            ParameterizedSparqlString pss = new ParameterizedSparqlString("select distinct ?s where {?s a so:Organization}");
-            pss.setNsPrefix("so", SchemaDO.NS);
-            ResultSet rs = QueryExecutionFactory.create(pss.toString(),da).execSelect();
-            rs.forEachRemaining(qs ->{
-                Resource gg = qs.getResource("s");
-                Response rr = client.target(s.getProxyHostName()+"/auth/admin/realms/"+HalcyonSettings.realm+"/groups/"+gg.getURI().substring(9)+"/members").request().get();
-                if (rr.getStatus()==200) {
-                    String json2 = rr.readEntity(String.class);
-                    JsonReader jr = Json.createReader(new StringReader(json2));
-                    JsonArray ja = jr.readArray();
-                    ja.forEach(p->{
-                        Resource pp = da.createResource("urn:uuid:"+p.asJsonObject().getString("id"));
-                        da.add(gg,SchemaDO.member,pp);
-                        da.add(pp,SchemaDO.memberOf,gg);
-                    });
+
+        if (securityContext!=null) {
+            ResteasyClientBuilder builder =  (ResteasyClientBuilder) ClientBuilder.newBuilder();
+            builder.disableTrustManager();
+            ResteasyClient client = builder.build();
+            client.register(KeycloakTokenFilter.class);        
+            String cmd = s.getProxyHostName()+"/auth/admin/realms/"+HalcyonSettings.realm+"/users";
+            ResteasyWebTarget target = client.target(cmd);
+            Invocation.Builder zam = target.request();
+            Response r = zam.get();
+            Model da = ModelFactory.createDefaultModel();
+            if (r.getStatus()==200) {
+                String json = r.readEntity(String.class);
+                da.add(ParseUsers(json));    
+            } else {
+                System.out.println("not able to update/Parse users...");
+            }
+            r = client.target(s.getProxyHostName()+"/auth/admin/realms/"+HalcyonSettings.realm+"/groups").request().get();
+            if (r.getStatus()==200) {
+                String json = r.readEntity(String.class);
+                da.add(ParseGroups(json));
+                ParameterizedSparqlString pss = new ParameterizedSparqlString("select distinct ?s where {?s a so:Organization}");
+                pss.setNsPrefix("so", SchemaDO.NS);
+                ResultSet rs = QueryExecutionFactory.create(pss.toString(),da).execSelect();
+                rs.forEachRemaining(qs ->{
+                    Resource gg = qs.getResource("s");
+                    Response rr = client.target(s.getProxyHostName()+"/auth/admin/realms/"+HalcyonSettings.realm+"/groups/"+gg.getURI().substring(9)+"/members").request().get();
+                    if (rr.getStatus()==200) {
+                        String json2 = rr.readEntity(String.class);
+                        JsonReader jr = Json.createReader(new StringReader(json2));
+                        JsonArray ja = jr.readArray();
+                        ja.forEach(p->{
+                            Resource pp = da.createResource("urn:uuid:"+p.asJsonObject().getString("id"));
+                            da.add(gg,SchemaDO.member,pp);
+                            da.add(pp,SchemaDO.memberOf,gg);
+                        });
+                    }
+                });
+                da.createResource(HAL.Anonymous.toString())
+                        .addProperty(RDF.type, SchemaDO.Organization)
+                        .addProperty(SchemaDO.name, "Anonymous Sessions");
+                System.out.println("================================");
+                RDFDataMgr.write(System.out, da, RDFFormat.TURTLE_PRETTY);
+                System.out.println("================================");
+                DataCore dc = DataCore.getInstance();
+                if (dc.getDataset()!=null) {
+                    System.out.println("DataCore online....\nUpdating Groups and Users...");
+                    DataCore.getInstance().replaceNamedGraph(HAL.GroupsAndUsers, da);
+                } else {
+                    System.out.println("DataCore NOT online....");
                 }
-            });
-            DataCore dc = DataCore.getInstance();
-            if (dc.getDataset()!=null) {
-                System.out.println("DataCore online....\nUpdating Groups and Users...");
-                DataCore.getInstance().replaceNamedGraph(HAL.GroupsAndUsers, da);
             } else {
-                System.out.println("DataCore NOT online....");
+                System.out.println("not able to update/Parse groups...");
             }
-        } else {
-            System.out.println("not able to update/Parse groups...");
         }
     }
     
diff --git a/src/main/java/com/ebremer/halcyon/gui/HomePage.html b/src/main/java/com/ebremer/halcyon/gui/HomePage.html
index e4ce6b60..15e291a9 100644
--- a/src/main/java/com/ebremer/halcyon/gui/HomePage.html
+++ b/src/main/java/com/ebremer/halcyon/gui/HomePage.html
@@ -20,12 +20,19 @@ <h1><center>Halcyon</center></h1>
             <h4><center>Version 0.0.0</center></h4>
             <hr>
         <br>
-        <h3>Version 0.0.0</h3>
+       <h3>Version 0.1.0</h3>
             ??/??/????<br>
+            <ul>
+                <li></li>
+            </ul>
+            <hr>
+        <h3>Version 0.0.0</h3>
+            03/07/2023<br>
             <ul>
                 <li>Text-based (<a href="https://www.w3.org/TR/turtle/" target="_blank">RDF Turtle</a>) annotations files using <a href="https://www.w3.org/TR/annotation-model/" target="_blank">W3 Open Annotations</a> (OA)</li>
                 <li>RDF data validation using <a href="https://www.w3.org/TR/shacl/" target="_blank">SHACL</a></li>
                 <li>Separate OA compiler (ingest) for OA to <a href="https://www.researchobject.org/ro-crate/1.1/" target="_blank">Research Object Crate</a> (ROC) files</li>
+                <li>POC WebGL Zephyr Viewer</li>
                 <li>Image and Feature Tiling Engines access based on <a href="https://iiif.io/" target="_blank">IIIF</a></li>
                 <li>Image Tiling Engine currently supports TIFF, SVS, NDPI</li>
                 <li>Image libraries based on <a href="https://www.openmicroscopy.org/bio-formats/" target="_blank">OME Bioformats</a></li>
@@ -35,7 +42,7 @@ <h3>Version 0.0.0</h3>
                 <li>Viewer code based on <a href="https://openseadragon.github.io/" target="_blank">OpenSeadragon</a></li>
                 <li>Server UX built with <a href="https://wicket.apache.org/" target="_blank">Apache Wicket</a></li>
                 <li>Main data storage based on <a href="https://jena.apache.org" target="_blank">Apache Jena TDB2</a></li>
-                <li>Java environment based on <a href="https://www.graalvm.org/" target="_blank">GraalVM 22.2.0 (JDK 17)</a></li>
+                <li>Java environment based on <a href="https://www.graalvm.org/" target="_blank">GraalVM 22.3.1 (JDK 17)</a></li>
                 <li><a href="https://semver.org/" target="_blank">Semantic versioning</a></li>
             </ul>
             <hr>
diff --git a/src/main/java/com/ebremer/halcyon/gui/Public.html b/src/main/java/com/ebremer/halcyon/gui/Public.html
new file mode 100644
index 00000000..15e291a9
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/gui/Public.html
@@ -0,0 +1,62 @@
+<html>
+    <body>
+        <wicket:extend>
+            <style>
+                #banner {
+                    position: relative;
+                    left: 30px;
+                    top: 30px;
+                    width:800px;
+                    background-color: #EEEEEE;
+                    border: 3px solid #0000AB;
+                    padding-top: 15px;
+                    padding-right: 20px;
+                    padding-bottom: 20px;
+                    padding-left: 20px;
+                }
+            </style>
+            <div id="banner">
+                <h1><center>Halcyon</center></h1>
+            <h4><center>Version 0.0.0</center></h4>
+            <hr>
+        <br>
+       <h3>Version 0.1.0</h3>
+            ??/??/????<br>
+            <ul>
+                <li></li>
+            </ul>
+            <hr>
+        <h3>Version 0.0.0</h3>
+            03/07/2023<br>
+            <ul>
+                <li>Text-based (<a href="https://www.w3.org/TR/turtle/" target="_blank">RDF Turtle</a>) annotations files using <a href="https://www.w3.org/TR/annotation-model/" target="_blank">W3 Open Annotations</a> (OA)</li>
+                <li>RDF data validation using <a href="https://www.w3.org/TR/shacl/" target="_blank">SHACL</a></li>
+                <li>Separate OA compiler (ingest) for OA to <a href="https://www.researchobject.org/ro-crate/1.1/" target="_blank">Research Object Crate</a> (ROC) files</li>
+                <li>POC WebGL Zephyr Viewer</li>
+                <li>Image and Feature Tiling Engines access based on <a href="https://iiif.io/" target="_blank">IIIF</a></li>
+                <li>Image Tiling Engine currently supports TIFF, SVS, NDPI</li>
+                <li>Image libraries based on <a href="https://www.openmicroscopy.org/bio-formats/" target="_blank">OME Bioformats</a></li>
+                <li>Identity management via embedded <a href="https://www.keycloak.org/" target="_blank">Keycloak</a></li>
+                <li>Security Model based on <a href="https://solid.github.io/web-access-control-spec/" target="_blank">Web Access Control</a></li>
+                <li>Data accessible via <a href="https://www.w3.org/TR/sparql11-query/" target="_blank">SPARQL</a> Endpoint</li>
+                <li>Viewer code based on <a href="https://openseadragon.github.io/" target="_blank">OpenSeadragon</a></li>
+                <li>Server UX built with <a href="https://wicket.apache.org/" target="_blank">Apache Wicket</a></li>
+                <li>Main data storage based on <a href="https://jena.apache.org" target="_blank">Apache Jena TDB2</a></li>
+                <li>Java environment based on <a href="https://www.graalvm.org/" target="_blank">GraalVM 22.3.1 (JDK 17)</a></li>
+                <li><a href="https://semver.org/" target="_blank">Semantic versioning</a></li>
+            </ul>
+            <hr>
+            <h2>noun:</h2>
+                1. a tropical Asian and African kingfisher with brightly colored plumage.<br>
+                2. a mythical bird said by ancient writers to breed in a nest floating at sea at the winter solstice, charming the wind and waves into calm.<br>
+                3. a software system to manage, annotate, and display Whole Slide Images and their Deep Learning Pipeline results.
+            <h2>adjective:</h2>
+                denoting a period of time in the past that was idyllically happy and peaceful.
+                "the halcyon days of the mid-1980s, when profits were soaring"
+
+                Similar - serene, calm, pleasant, balmy, tranquil, peaceful, temperate, mild, quiet, gentle, placid, still, windless, stormless, happy, carefree, blissful, golden, joyful, joyous, contented, idyllic, palmy, flourishing, thriving, prosperous, successful
+                Opposite - stormy, troubled
+            </div>
+        </wicket:extend>
+    </body>
+</html>
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/halcyon/gui/Public.java b/src/main/java/com/ebremer/halcyon/gui/Public.java
new file mode 100644
index 00000000..236cc8e2
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/gui/Public.java
@@ -0,0 +1,14 @@
+package com.ebremer.halcyon.gui;
+
+import com.ebremer.halcyon.wicket.BasePage;
+import org.apache.wicket.devutils.stateless.StatelessComponent;
+
+@StatelessComponent
+public class Public extends BasePage {
+    private static final long serialVersionUID = 1L;
+        
+    public Public() { 
+
+    }
+
+}
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/halcyon/imagebox/ImageReaderPool.java b/src/main/java/com/ebremer/halcyon/imagebox/ImageReaderPool.java
index cdacbc38..c75d9ec5 100644
--- a/src/main/java/com/ebremer/halcyon/imagebox/ImageReaderPool.java
+++ b/src/main/java/com/ebremer/halcyon/imagebox/ImageReaderPool.java
@@ -16,13 +16,14 @@ public ImageReaderPool() {}
     public static synchronized ImageReaderKeyedPool<String, NeoTiler> getPool() {
         if (pool == null) {
             GenericKeyedObjectPoolConfig<NeoTiler> config = new GenericKeyedObjectPoolConfig<>();
-            config.setMaxTotalPerKey(6);
+            config.setMaxTotalPerKey(1);
             config.setMinIdlePerKey(0);
-            config.setMaxWait(Duration.ofMillis(10000));
+            config.setMaxWait(Duration.ofMillis(60000));
             config.setBlockWhenExhausted(true);
-            config.setTimeBetweenEvictionRuns(Duration.ofMillis(10000));
+            config.setMinEvictableIdleTime(Duration.ofMillis(60000));
+            config.setTimeBetweenEvictionRuns(Duration.ofMillis(60000));
             pool = new ImageReaderKeyedPool<>(new ImageReaderPoolFactory(),config);
         }
         return pool;
     }   
-}
\ No newline at end of file
+}
diff --git a/src/main/java/com/ebremer/halcyon/imagebox/ImageReaderPoolFactory.java b/src/main/java/com/ebremer/halcyon/imagebox/ImageReaderPoolFactory.java
index 6321bb9e..ad774acc 100644
--- a/src/main/java/com/ebremer/halcyon/imagebox/ImageReaderPoolFactory.java
+++ b/src/main/java/com/ebremer/halcyon/imagebox/ImageReaderPoolFactory.java
@@ -23,7 +23,9 @@ public PooledObject<NeoTiler> wrap(NeoTiler value) {
 
     @Override
     public void destroyObject(String key, PooledObject p, DestroyMode mode) throws Exception {
-        //System.out.println("Destroying Image Reader ");
+        System.out.println("Destroying Image Reader ---> "+key);
+        NeoTiler nt = (NeoTiler) p.getObject();
+        nt.close();
         super.destroyObject(key, p, mode);
     }   
 }
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/halcyon/imagebox/JwtInterceptor.java b/src/main/java/com/ebremer/halcyon/imagebox/JwtInterceptor.java
new file mode 100644
index 00000000..3c00ce98
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/imagebox/JwtInterceptor.java
@@ -0,0 +1,42 @@
+package com.ebremer.halcyon.imagebox;
+
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+public class JwtInterceptor implements Filter {
+    
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+    }
+
+    
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+        //System.out.println("--------------------> postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) ");
+        //httpResponse.setHeader("Custom-Header", "Custom-Value");
+        
+        /*
+            KeycloakSecurityContext securityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
+            if (securityContext != null) {
+                System.out.println("ADDING TOKEN!!!");
+                String jwtToken = securityContext.getTokenString();
+                httpResponse.setHeader("token", jwtToken);
+            } else {
+                System.out.println("NOTHING TO ADD!!!");
+            }
+       */
+        chain.doFilter(request, response);
+    }
+    
+    @Override
+    public void destroy() {
+    }
+    
+}
diff --git a/src/main/java/com/ebremer/halcyon/imagebox/Main.java b/src/main/java/com/ebremer/halcyon/imagebox/Main.java
index a44d105f..3b8aeb8f 100644
--- a/src/main/java/com/ebremer/halcyon/imagebox/Main.java
+++ b/src/main/java/com/ebremer/halcyon/imagebox/Main.java
@@ -1,13 +1,22 @@
 package com.ebremer.halcyon.imagebox;
 
+import com.ebremer.halcyon.keycloak.HALKeycloakOIDCFilter;
 import com.ebremer.halcyon.HalcyonSettings;
 import com.ebremer.halcyon.INIT;
+import com.ebremer.halcyon.fuseki.HalcyonProxyServlet;
+import com.ebremer.halcyon.datum.SessionsManager;
+import com.ebremer.halcyon.fuseki.jwt.GetPublicKey;
+import com.ebremer.halcyon.fuseki.jwt.KeycloakPublicKeyFetcher;
 import com.ebremer.halcyon.gui.HalcyonApplication;
 import io.undertow.UndertowOptions;
+import java.io.IOException;
 import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.spec.InvalidKeySpecException;
 import java.util.Arrays;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -21,6 +30,7 @@
 import org.apache.wicket.protocol.http.ContextParamWebApplicationFactory;
 import org.apache.wicket.protocol.http.WicketFilter;
 import org.keycloak.adapters.servlet.KeycloakOIDCFilter;
+import org.keycloak.adapters.spi.SessionIdMapper;
 import org.mitre.dsmiley.httpproxy.ProxyServlet;
 import org.springframework.boot.Banner.Mode;
 import org.springframework.boot.SpringApplication;
@@ -29,21 +39,32 @@
 import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.boot.web.servlet.ServletRegistrationBean;
+import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @SpringBootApplication(exclude = LiquibaseAutoConfiguration.class)
 public class Main {
     private final HalcyonSettings settings = HalcyonSettings.getSettings();
+    private static final SessionIdMapper sessionidmapper = SessionsManager.getSessionsManager().getSessionIdMapper();
+    
+    public static SessionIdMapper getSessionIdMapper() {
+        return sessionidmapper;
+    }
 
     @Bean
+    @Order(Ordered.HIGHEST_PRECEDENCE)
     public ServletRegistrationBean proxyServletRegistrationBean() {
-        ServletRegistrationBean bean = new ServletRegistrationBean(new ProxyServlet(), "/sparql/*");
+        ServletRegistrationBean bean = new ServletRegistrationBean(new HalcyonProxyServlet(), "/sparql/*");
         bean.addInitParameter("targetUri", "http://localhost:8887/rdf");
+        //bean.addInitParameter("targetUri", "https://e1d0d1f2f7f7ecfb2e5ff7faef143702.m.pipedream.net");
+        bean.addInitParameter(ProxyServlet.P_PRESERVECOOKIES, "true");
+        bean.addInitParameter(ProxyServlet.P_HANDLEREDIRECTS, "true");
+        //bean.addInitParameter(ProxyServlet.P_HANDLECOMPRESSION, "true");
         return bean;
     }
     
@@ -78,7 +99,6 @@ public UndertowServletWebServerFactory embeddedServletContainerFactory() {
     }  
     
     @Bean
-    @Order(Ordered.LOWEST_PRECEDENCE)
     ServletRegistrationBean iboxServletRegistration () {
         System.out.println("iboxServletRegistration order: "+Ordered.LOWEST_PRECEDENCE);
         ServletRegistrationBean srb = new ServletRegistrationBean();
@@ -86,33 +106,34 @@ ServletRegistrationBean iboxServletRegistration () {
         srb.setUrlMappings(Arrays.asList("/iiif/*"));
         return srb;
     }
-
-    @Bean
-    @Order(20)
-    ServletRegistrationBean HalcyonServletRegistration () {
-        ServletRegistrationBean srb = new ServletRegistrationBean();
-        srb.setServlet(new HalcyonServlet());
-        srb.setUrlMappings(Arrays.asList("/halcyon/*"));
-        return srb;
-    }
     
     @Bean
-    @Order(Ordered.HIGHEST_PRECEDENCE)
     public FilterRegistrationBean<HALKeycloakOIDCFilter> KeycloakOIDCFilterFilterRegistration(){
         System.out.println("KeycloakOIDCFilterFilterRegistration order: "+Ordered.HIGHEST_PRECEDENCE);
+            HALKeycloakOIDCFilter filter = new HALKeycloakOIDCFilter();
+            //filter.setSessionIdMapper(SessionsManager.getSessionsManager().getSessionIdMapper());
+            filter.setSessionIdMapper(getSessionIdMapper());
 	    FilterRegistrationBean<HALKeycloakOIDCFilter> registration = new FilterRegistrationBean<>();
-	    registration.setFilter(new HALKeycloakOIDCFilter());
+	    registration.setFilter(filter);
             registration.setName("keycloak");
 	    registration.addUrlPatterns("/*");
+            registration.setOrder(0);
             registration.addInitParameter(KeycloakOIDCFilter.CONFIG_FILE_PARAM, "keycloak.json");
-            //registration.addInitParameter(KeycloakOIDCFilter.SKIP_PATTERN_PARAM, "(^/HalcyonStorage/.*svs$|^/gui/vendor/openseadragon/.*|^/auth/.*|^/favicon.ico|^/iiif/.*|^/auth/.*|^/halcyon/.*|^/HalcyonStorage/.*$)");
-            registration.addInitParameter(KeycloakOIDCFilter.SKIP_PATTERN_PARAM, "(^/gui/vendor/openseadragon/.*|^/auth/.*|^/favicon.ico|^/auth/.*$)");
+            registration.addInitParameter(KeycloakOIDCFilter.SKIP_PATTERN_PARAM, "(^/sparql.*|^/wicket/resource/com.*\\.css|^/gui/public|^/gui/vendor/openseadragon/.*|^/auth/.*|^/favicon.ico|^/auth/.*$)");
             registration.setEnabled(true);
         return registration;
     }
     
     @Bean
-    @Order(1)
+    public FilterRegistrationBean<JwtInterceptor> headerAddingFilter() {
+        FilterRegistrationBean<JwtInterceptor> registrationBean = new FilterRegistrationBean<>();
+        registrationBean.setFilter(new JwtInterceptor());
+        registrationBean.addUrlPatterns("/*");
+        registrationBean.setOrder(1);
+        return registrationBean;
+    }
+    
+    @Bean
     public FilterRegistrationBean<WicketFilter> wicketFilterRegistration(){
         HalcyonApplication hal = new HalcyonApplication();
         hal.setConfigurationType(RuntimeConfigurationType.DEPLOYMENT);
@@ -120,15 +141,25 @@ public FilterRegistrationBean<WicketFilter> wicketFilterRegistration(){
         filter.setFilterPath("/");
         FilterRegistrationBean<WicketFilter> registration = new FilterRegistrationBean<>();
         registration.setFilter(filter);
+        registration.setOrder(2);
         registration.addInitParameter(ContextParamWebApplicationFactory.APP_CLASS_PARAM, HalcyonApplication.class.getName());
         registration.addInitParameter(WicketFilter.FILTER_MAPPING_PARAM, "/");
         registration.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.FORWARD);
         return registration;
     }
-            
+    
+    @Bean
+    ServletRegistrationBean HalcyonServletRegistration () {
+        ServletRegistrationBean srb = new ServletRegistrationBean();
+        srb.setServlet(new HalcyonServlet());
+        srb.setOrder(20);
+        srb.setUrlMappings(Arrays.asList("/halcyon/*"));
+        return srb;
+    }
     
     @Configuration
-    public class StaticResourceConfiguration extends WebMvcConfigurerAdapter {
+    public class HalcyonResourceConfiguration implements WebMvcConfigurer {
+        
         @Override
         public void addResourceHandlers(ResourceHandlerRegistry registry) {
             String mv = settings.getMultiewerLocation();
@@ -183,16 +214,17 @@ private static KeyStore loadKeyStore(final String storeLoc, final String storePw
         }
     }
 
-    public static void main(String[] args) {
-        //ch.qos.logback.classic.Logger root = (ch.qos.logback.classic.Logger)LoggerFactory.getLogger(org.slf4j.Logger.ROOT_LOGGER_NAME);
-        //root.setLevel(ch.qos.logback.classic.Level.ALL);
-     //   System.setProperty("org.slf4j.simpleLogger.defaultLogLevel", "debug");
-      //  System.setProperty("org.slf4j.simpleLogger.defaultLogLevel", "debug");
-
+    public static void main(String[] args) throws NoSuchAlgorithmException {
         INIT i = new INIT();
         i.init();
         SpringApplication app = new SpringApplication(Main.class);
         app.setBannerMode(Mode.CONSOLE);
-        app.run(args);
+        ApplicationContext yay = app.run(args);
+        System.out.println("===================== " +app.getWebApplicationType());
+        //ApplicationContext ha = (ApplicationContext) yay;
+        //WebServerApplicationContext webContext = (WebServerApplicationContext) ha;
+        //System.out.println(webContext.getWebServer());
+        //UndertowServletWebServer ut = (UndertowServletWebServer) webContext.getWebServer();
+        //SessionManager sm = ut.getDeploymentManager().getDeployment().getSessionManager();
     }
 }
diff --git a/src/main/java/com/ebremer/halcyon/imagebox/NeoTiler.java b/src/main/java/com/ebremer/halcyon/imagebox/NeoTiler.java
index d4175aa3..ce272b60 100644
--- a/src/main/java/com/ebremer/halcyon/imagebox/NeoTiler.java
+++ b/src/main/java/com/ebremer/halcyon/imagebox/NeoTiler.java
@@ -41,11 +41,9 @@
 import loci.formats.gui.AWTImageTools;
 import loci.formats.in.NDPIReader;
 import loci.formats.in.SVSReader;
-//import loci.formats.in.TiffReader;
 import com.ebremer.halcyon.imagebox.experimental.TiffReader;
 import java.nio.file.Path;
 import java.util.HashMap;
-import java.util.Iterator;
 import loci.formats.meta.IMetadata;
 import loci.formats.meta.MetadataStore;
 import loci.formats.services.OMEXMLService;
@@ -88,21 +86,16 @@ public class NeoTiler {
     private String cookie = null;
     
     public NeoTiler(String f) {
-        //System.out.println("NEOTILER : "+f);
         DebugTools.enableLogging("ERROR");
-        //DebugTools.enableLogging("ALL");
         lastaccessed = System.nanoTime();
         String getthis;
-        //HalcyonSession session = HalcyonSession.get();
         HalcyonSettings settings = HalcyonSettings.getSettings();
         String mainpath = settings.getHostName();
         Path x = null;
         if (f.startsWith(mainpath)) {
             String cut = f.substring(mainpath.length());
             HashMap<String, String> mappings = settings.getmappings();
-            Iterator<String> i = mappings.keySet().iterator();
-            while (i.hasNext()) {
-                String key = i.next();
+            for (String key : mappings.keySet()) {
                 if (cut.startsWith(key)) {
                     String chunk = cut.substring(key.length());
                     x = Path.of(mappings.get(key), chunk);
@@ -110,17 +103,13 @@ public NeoTiler(String f) {
             }
         }
         if (x !=null) {
-            //System.out.println("SUPER LOCAL PROTOCOL ACCESS");
             getthis = x.toString();
         } else if ((f.startsWith("https://")||f.startsWith("http://"))) {
-            //System.out.println("WEB PROTOCOL ACCESS : "+f);
             HTTPIRandomAccess bbb = new HTTPIRandomAccess(f);
-            //bbb.setCookie(cookie);
             bbb.init();
             getthis = "charm";
             Location.mapFile(getthis, bbb); 
         } else {
-            //System.out.println("LOCAL PROTOCOL ACCESS");
             getthis = f;
         }
         String fileType = f.substring(f.lastIndexOf('.') + 1);
@@ -153,6 +142,7 @@ public NeoTiler(String f) {
         if (!borked) {
             newRoot = (OMEXMLMetadataRoot) meta.getRoot();
             numi = reader.getSeriesCount();
+         //   System.out.println("getSeriesCount : "+numi);
             if (getthis.endsWith(".vsi")) {
                 lowerbound = MaxImage(reader);
             }
@@ -167,9 +157,9 @@ public NeoTiler(String f) {
             py = new int[numi];
             pr = new int[numi];
             pi = new int[numi];
-            for (int j=0;j<reader.getSeriesCount()-1;j++) {
+            for (int j=0;j<numi;j++) {
                 big = reader.getCoreMetadataList().get(j);
-                //System.out.println(j+" >>> "+big.sizeX+","+big.sizeY+" aspect ratio : "+(((float) big.sizeX)/((float)big.sizeY)));
+               // System.out.println(j+" >>> "+big.sizeX+","+big.sizeY+" aspect ratio : "+(((float) big.sizeX)/((float)big.sizeY)));
             }
             big = reader.getCoreMetadataList().get(lowerbound);
             float ratio = ((float) big.sizeX)/((float) big.sizeY);
@@ -209,6 +199,27 @@ public NeoTiler(String f) {
         }
     }
     
+    public void SortImages() {
+        boolean sorted = false;
+        while (!sorted) {
+            sorted = true;
+            for (int i = 0; i<numi-1; i++) {
+                if (px[i]<px[i+1]) {
+                    int temp = px[i];
+                    px[i] = px[i+1];
+                    px[i+1] = temp;
+                    temp = py[i];
+                    py[i] = py[i+1];
+                    py[i+1] = temp;
+                    temp = pi[i];
+                    pi[i] = pi[i+1];
+                    pi[i+1] = temp;
+                    sorted = false;
+                }
+            }
+        }
+    }
+    
     public void setCookie(String cookie) {
         this.cookie = cookie;
     }
@@ -218,6 +229,14 @@ public void setURL(String r) {
         url = r;
     }
     
+    public void close() {
+        try {
+            reader.close();
+        } catch (IOException ex) {
+            Logger.getLogger(NeoTiler.class.getName()).log(Level.SEVERE, null, ex);
+        }
+    }
+    
     public int GetWidth() {
         return iWidth;
     }
@@ -253,28 +272,7 @@ public int MaxImage(IFormatReader SReader) {
             }
             ii++;
         }
-    return maxseries;
-  }
-
-    public void SortImages() {
-        boolean sorted = false;
-        while (!sorted) {
-            sorted = true;
-            for (int i = 0; i<numi-1; i++) {
-                if (px[i]<px[i+1]) {
-                    int temp = px[i];
-                    px[i] = px[i+1];
-                    px[i+1] = temp;
-                    temp = py[i];
-                    py[i] = py[i+1];
-                    py[i+1] = temp;
-                    temp = pi[i];
-                    pi[i] = pi[i+1];
-                    pi[i+1] = temp;
-                    sorted = false;
-                }
-            }
-        }
+        return maxseries;
     }
 
     public String GetImageInfo() {
@@ -286,7 +284,7 @@ public String GetImageInfo() {
         m.addLiteral(s, EXIF.yResolution, Math.round(10000/mppy));
         m.addLiteral(s, EXIF.resolutionUnit, 3);
         Resource scale = m.createResource();
-        for (int j=numi;j>=0;j--) {
+        for (int j=upperbound;j>=0;j--) {
             reader.setSeries(j);
             Resource size = m.createResource();
             m.addLiteral(size,IIIF.width,reader.getSizeX());
@@ -347,6 +345,7 @@ public BufferedImage FetchImage(int x, int y, int w, int h, int tx, int ty, Stri
             jj++;
         }
         if (jj>numi) {jj--;}
+        //System.out.println("selecting series : "+pi[jj]);
        	reader.setSeries(pi[jj]);
        	double rr = ((double) reader.getSizeX())/((double) iWidth);
         int gx=(int) (x*rr);
@@ -369,7 +368,7 @@ public BufferedImage FetchImage(int x, int y, int w, int h, int tx, int ty, Stri
     }
     
     private BufferedImage GrabImage(int xpos, int ypos, int width, int height, String type) {
-        //System.out.println("grab image : "+xpos+ " "+ypos+" "+width+" "+height+"=== "+type);
+        //System.out.println("grab image : "+xpos+ " "+ypos+" "+width+" "+height+" === "+type);
         meta.setRoot(newRoot);
         meta.setPixelsSizeX(new PositiveInteger(width), 0);
         meta.setPixelsSizeY(new PositiveInteger(height), 0);
@@ -384,4 +383,4 @@ private BufferedImage GrabImage(int xpos, int ypos, int width, int height, Strin
         } 
         return bb;
     }
-}
\ No newline at end of file
+}
diff --git a/src/main/java/com/ebremer/halcyon/imagebox/experimental/MinimalTiffReader.java b/src/main/java/com/ebremer/halcyon/imagebox/experimental/MinimalTiffReader.java
index f6774741..0112e9fe 100644
--- a/src/main/java/com/ebremer/halcyon/imagebox/experimental/MinimalTiffReader.java
+++ b/src/main/java/com/ebremer/halcyon/imagebox/experimental/MinimalTiffReader.java
@@ -1,7 +1,3 @@
-/*
- * Click nbfs://nbhost/SystemFileSystem/Templates/Licenses/license-default.txt to change this license
- * Click nbfs://nbhost/SystemFileSystem/Templates/Classes/Class.java to edit this template
- */
 package com.ebremer.halcyon.imagebox.experimental;
 
 
diff --git a/src/main/java/com/ebremer/halcyon/imagebox/experimental/TiffParser.java b/src/main/java/com/ebremer/halcyon/imagebox/experimental/TiffParser.java
index bd20c385..e1281f5b 100644
--- a/src/main/java/com/ebremer/halcyon/imagebox/experimental/TiffParser.java
+++ b/src/main/java/com/ebremer/halcyon/imagebox/experimental/TiffParser.java
@@ -1,7 +1,3 @@
-/*
- * Click nbfs://nbhost/SystemFileSystem/Templates/Licenses/license-default.txt to change this license
- * Click nbfs://nbhost/SystemFileSystem/Templates/Classes/Class.java to edit this template
- */
 package com.ebremer.halcyon.imagebox.experimental;
 
 import java.io.Closeable;
diff --git a/src/main/java/com/ebremer/halcyon/imagebox/experimental/TiffReader.java b/src/main/java/com/ebremer/halcyon/imagebox/experimental/TiffReader.java
index cec426a4..65073852 100644
--- a/src/main/java/com/ebremer/halcyon/imagebox/experimental/TiffReader.java
+++ b/src/main/java/com/ebremer/halcyon/imagebox/experimental/TiffReader.java
@@ -1,7 +1,3 @@
-/*
- * Click nbfs://nbhost/SystemFileSystem/Templates/Licenses/license-default.txt to change this license
- * Click nbfs://nbhost/SystemFileSystem/Templates/Classes/Class.java to edit this template
- */
 package com.ebremer.halcyon.imagebox.experimental;
 
 import java.io.IOException;
diff --git a/src/main/java/com/ebremer/halcyon/imagebox/iboxServlet.java b/src/main/java/com/ebremer/halcyon/imagebox/iboxServlet.java
index 7097a4d3..847e8072 100644
--- a/src/main/java/com/ebremer/halcyon/imagebox/iboxServlet.java
+++ b/src/main/java/com/ebremer/halcyon/imagebox/iboxServlet.java
@@ -108,7 +108,7 @@ protected void doGet( HttpServletRequest request, HttpServletResponse response )
                     JPEGImageWriteParam jpegParams = new JPEGImageWriteParam(null);
                     jpegParams.setCompressionMode(ImageWriteParam.MODE_EXPLICIT);
                     jpegParams.setCompressionQuality(0.7f);
-                    ImageOutputStream imageOut=ImageIO.createImageOutputStream(baos);
+                    ImageOutputStream imageOut = ImageIO.createImageOutputStream(baos);
                     writer.setOutput(imageOut);
                     writer.write(null,new IIOImage(originalImage,null,null),jpegParams);                
                     baos.flush();
@@ -140,10 +140,10 @@ protected void doGet( HttpServletRequest request, HttpServletResponse response )
                 nt.setURL(settings.getProxyHostName()+request.getRequestURI()+"?"+request.getQueryString());
                 response.setContentType("application/json");
                 response.setHeader("Access-Control-Allow-Origin", "*");
-                PrintWriter writer = response.getWriter();
-                writer.append(nt.GetImageInfo());
-                writer.flush();
-                writer.close();
+                try (PrintWriter writer = response.getWriter()) {
+                    writer.append(nt.GetImageInfo());
+                    writer.flush();
+                }
             } else {
                 System.out.println("unknown IIIF request");
             }
diff --git a/src/main/java/com/ebremer/halcyon/keycloak/HALInMemorySessionIdMapper.java b/src/main/java/com/ebremer/halcyon/keycloak/HALInMemorySessionIdMapper.java
new file mode 100644
index 00000000..cf211fa8
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/keycloak/HALInMemorySessionIdMapper.java
@@ -0,0 +1,16 @@
+package com.ebremer.halcyon.keycloak;
+
+import org.keycloak.adapters.spi.InMemorySessionIdMapper;
+
+/**
+ *
+ * @author erich
+ */
+public class HALInMemorySessionIdMapper extends InMemorySessionIdMapper {
+
+    @Override
+    public boolean hasSession(String id) {
+        System.out.println("HASSESSION --> "+id+"  "+super.hasSession(id));
+        return super.hasSession(id);
+    }
+}
diff --git a/src/main/java/com/ebremer/halcyon/imagebox/HALKeycloakOIDCFilter.java b/src/main/java/com/ebremer/halcyon/keycloak/HALKeycloakOIDCFilter.java
similarity index 63%
rename from src/main/java/com/ebremer/halcyon/imagebox/HALKeycloakOIDCFilter.java
rename to src/main/java/com/ebremer/halcyon/keycloak/HALKeycloakOIDCFilter.java
index 2fc6b019..ec142020 100644
--- a/src/main/java/com/ebremer/halcyon/imagebox/HALKeycloakOIDCFilter.java
+++ b/src/main/java/com/ebremer/halcyon/keycloak/HALKeycloakOIDCFilter.java
@@ -1,19 +1,17 @@
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
- */
-package com.ebremer.halcyon.imagebox;
+package com.ebremer.halcyon.keycloak;
 
 import java.io.IOException;
 import java.util.List;
 import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 import javax.servlet.http.HttpServletResponse;
+import org.eclipse.jetty.servlet.FilterHolder;
+import org.keycloak.KeycloakSecurityContext;
 import org.keycloak.adapters.AuthenticatedActionsHandler;
 import org.keycloak.adapters.KeycloakDeployment;
 import org.keycloak.adapters.PreAuthActionsHandler;
@@ -23,6 +21,7 @@
 import org.keycloak.adapters.servlet.OIDCServletHttpFacade;
 import org.keycloak.adapters.spi.AuthChallenge;
 import org.keycloak.adapters.spi.AuthOutcome;
+import org.keycloak.adapters.spi.SessionIdMapper;
 import org.keycloak.adapters.spi.UserSessionManagement;
 
 /**
@@ -30,7 +29,8 @@
  * @author erich
  */
 public class HALKeycloakOIDCFilter extends KeycloakOIDCFilter {
-    
+    private KeycloakOIDCFilterConfig config = null;
+
     private boolean shouldSkip(HttpServletRequest request) {
         if (skipPattern == null) {
             return false;
@@ -39,17 +39,42 @@ private boolean shouldSkip(HttpServletRequest request) {
         return skipPattern.matcher(requestPath).matches();
     }
     
+    public void setConfig(KeycloakOIDCFilterConfig config) {
+        this.config = config;
+    }
+    
+    public void setSessionIdMapper(SessionIdMapper mapper) {
+        idMapper = mapper;
+    }
+    
+    @Override
+    public void init(final FilterConfig filterConfig) throws ServletException {
+        filterConfig.getInitParameterNames().asIterator().forEachRemaining(p->{
+            System.out.println("PARAM --> "+p);
+        });
+        
+        if (!filterConfig.getInitParameterNames().hasMoreElements()) {
+            super.init(config);
+        } else {
+        System.out.println("INIT -------------------> "+filterConfig.getClass().toGenericString());
+        if (filterConfig instanceof FilterHolder fh) {
+            if (fh.getInitParameter(KeycloakOIDCFilter.CONFIG_FILE_PARAM)==null) {
+                fh.setInitParameter(KeycloakOIDCFilter.CONFIG_FILE_PARAM, "keycloak.json");
+            }
+        }
+        super.init(filterConfig);
+        }
+    }
+    
     @Override
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
         HttpServletRequest request = (HttpServletRequest) req;
         HttpServletResponse response = (HttpServletResponse) res;
-
+        System.out.println("doFilter =======> "+request.getRequestURI());
         boolean skipme = shouldSkip(request);
         if (skipme) {
             chain.doFilter(req, res);
             return;
-        } else {
-            //System.out.println("SKIPME : "+skipme+" ===> "+request.getRequestURI());
         }
 
         OIDCServletHttpFacade facade = new OIDCServletHttpFacade(request, response);
@@ -69,14 +94,14 @@ public void logoutAll() {
 
             @Override
             public void logoutHttpSessions(List<String> ids) {
-                //System.err.println("**************** logoutHttpSessions");
+                System.err.println("**************** logoutHttpSessions");
                 for (String id : ids) {
                     idMapper.removeSession(id);
                 }
             }
         }, deploymentContext, facade);
         if (preActions.handleRequest()) {
-            //System.err.println("**************** preActions.handleRequest happened!");
+            System.err.println("**************** preActions.handleRequest happened!");
             return;
         }
         nodesRegistrationManagement.tryRegister(deployment);
@@ -92,6 +117,19 @@ public void logoutHttpSessions(List<String> ids) {
             if (actions.handledRequest()) {
                 return;
             } else {
+                /*
+                KeycloakSecurityContext securityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
+                if (securityContext != null) {
+                    
+                    String jwtToken = securityContext.getTokenString();
+                    System.out.println("ADDING TOKEN!!! "+jwtToken);
+                    HttpServletResponse httpResponse = (HttpServletResponse) response;
+                    httpResponse.setHeader("token", jwtToken);
+                } else {
+                    System.out.println("NOTHING TO ADD!!!");
+                }
+                */
+                
                 HttpServletRequestWrapper wrapper = tokenStore.buildWrapper();
                 chain.doFilter(wrapper, res);
                 return;
diff --git a/src/main/java/com/ebremer/halcyon/keycloak/KeycloakOIDCFilterConfig.java b/src/main/java/com/ebremer/halcyon/keycloak/KeycloakOIDCFilterConfig.java
new file mode 100644
index 00000000..b6952d43
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/keycloak/KeycloakOIDCFilterConfig.java
@@ -0,0 +1,51 @@
+package com.ebremer.halcyon.keycloak;
+
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+
+/**
+ *
+ * @author erich
+ */
+public class KeycloakOIDCFilterConfig implements FilterConfig {
+    private final String name;
+    private final HashMap<String,String> params;
+    private ServletContext context;
+            
+    public KeycloakOIDCFilterConfig(String name) {
+        this.name = name;
+        params = new HashMap<>();
+    }
+
+    @Override
+    public String getFilterName() {
+        return name;
+    }
+
+    @Override
+    public ServletContext getServletContext() {
+        return context;
+    }
+    
+    public void setContext(ServletContext context) {
+        this.context = context;
+    }
+    
+    @Override
+    public String getInitParameter(String name) {
+        return params.get(name);
+    }
+
+    public KeycloakOIDCFilterConfig setInitParameter(String name, String value) {
+        params.put(name, value);
+        return this;
+    }
+    
+    @Override
+    public Enumeration<String> getInitParameterNames() {
+        return Collections.enumeration(params.keySet());
+    }   
+}
diff --git a/src/main/java/com/ebremer/halcyon/gui/KeycloakTokenFilter.java b/src/main/java/com/ebremer/halcyon/keycloak/KeycloakTokenFilter.java
similarity index 80%
rename from src/main/java/com/ebremer/halcyon/gui/KeycloakTokenFilter.java
rename to src/main/java/com/ebremer/halcyon/keycloak/KeycloakTokenFilter.java
index 145968e2..9e55f468 100644
--- a/src/main/java/com/ebremer/halcyon/gui/KeycloakTokenFilter.java
+++ b/src/main/java/com/ebremer/halcyon/keycloak/KeycloakTokenFilter.java
@@ -1,8 +1,4 @@
-/*
- * Click nbfs://nbhost/SystemFileSystem/Templates/Licenses/license-default.txt to change this license
- * Click nbfs://nbhost/SystemFileSystem/Templates/Classes/Class.java to edit this template
- */
-package com.ebremer.halcyon.gui;
+package com.ebremer.halcyon.keycloak;
 
 import java.io.IOException;
 import javax.servlet.http.HttpServletRequest;
diff --git a/src/main/java/com/ebremer/halcyon/sparql/Sparql.html b/src/main/java/com/ebremer/halcyon/sparql/Sparql.html
index 879df738..15e665c4 100644
--- a/src/main/java/com/ebremer/halcyon/sparql/Sparql.html
+++ b/src/main/java/com/ebremer/halcyon/sparql/Sparql.html
@@ -12,13 +12,13 @@ <h2>SPARQL Endpoint</h2>
         <script>
             Yasgui.defaults.tabName = "Query";
             Yasgui.defaults.yasqe.value =  "select *\nwhere {graph ?g {?s ?p ?o}}\nlimit 20";
-            const yasgui = new Yasgui(document.getElementById("yasgui"), {
-                requestConfig: {
-                    //endpoint: 'http://localhost:8887/rdf' },
-                    //endpoint: host+":8887/rdf" },
-                    endpoint: "/sparql" },
-                    copyEndpointOnNewTab: false
-                });
+            Yasgui.defaults.requestConfig.headers = {'token': token};
+            const yasgui = new Yasgui(document.getElementById("yasgui"),
+                {   requestConfig: {
+                        endpoint: "/sparql"},
+                        copyEndpointOnNewTab: false
+                }
+            );
             var tab = yasgui.getTab();
             //tab.setQuery("select *\nwhere {graph ?g {?s ?p ?o}}\nlimit 20");
             tab.yasqe.addPrefixes({ so: "https://schema.org/" });
diff --git a/src/main/java/com/ebremer/halcyon/sparql/Sparql.java b/src/main/java/com/ebremer/halcyon/sparql/Sparql.java
index f9254571..0968defa 100644
--- a/src/main/java/com/ebremer/halcyon/sparql/Sparql.java
+++ b/src/main/java/com/ebremer/halcyon/sparql/Sparql.java
@@ -1,17 +1,29 @@
-/*
- * Click nbfs://nbhost/SystemFileSystem/Templates/Licenses/license-default.txt to change this license
- * Click nbfs://nbhost/SystemFileSystem/Templates/Classes/Class.java to edit this template
- */
 package com.ebremer.halcyon.sparql;
 
 import com.ebremer.halcyon.HalcyonSettings;
+import com.ebremer.halcyon.gui.HalcyonSession;
 import com.ebremer.halcyon.wicket.BasePage;
+import io.undertow.server.session.SessionManager;
+import io.undertow.servlet.api.DeploymentInfo;
+import io.undertow.servlet.api.SessionManagerFactory;
+import io.undertow.servlet.handlers.ServletRequestContext;
+import java.util.List;
+import java.util.Set;
+import javax.servlet.ServletContext;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.wicket.Application;
 import org.apache.wicket.markup.head.CssHeaderItem;
 import org.apache.wicket.markup.head.IHeaderResponse;
 import org.apache.wicket.markup.head.JavaScriptHeaderItem;
 import org.apache.wicket.markup.html.panel.FeedbackPanel;
+import org.apache.wicket.protocol.http.WebApplication;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebRequest;
 import org.apache.wicket.request.resource.CssResourceReference;
 import org.apache.wicket.request.resource.JavaScriptResourceReference;
+import org.apache.wicket.session.HttpSessionStore;
+import org.apache.wicket.session.ISessionStore;
 
 /**
  *
@@ -24,6 +36,35 @@ public class Sparql extends BasePage {
     
     public Sparql() {
         add(new FeedbackPanel("feedback"));
+
+        //WebRequest webRequest = (WebRequest) RequestCycle.get().getRequest();
+       
+        /*
+        List<Cookie> cookies = webRequest.getCookies();
+        cookies.forEach(c->{
+            System.out.println("Cookie: " + c.getName() + "=" + c.getValue());
+        });
+        */
+        //HttpServletRequest req = ((HttpServletRequest) getRequest().getContainerRequest());
+        //ServletContext servletContext = req.getServletContext();
+        //DeploymentInfo deploymentInfo = ServletRequestContext.requireCurrent().getDeployment().getDeploymentInfo();
+        //SessionManagerFactory sessionManagerFactory = deploymentInfo.getSessionManagerFactory();
+        //System.out.println("Session Manager Factory: " + sessionManagerFactory);
+        
+        //SessionManager sm = sessionManagerFactory.createSessionManager(ServletRequestContext.requireCurrent().getDeployment());
+       /*
+        Set<String> sess = sm.getAllSessions();
+        System.out.println(sess.size());
+        sess.forEach(s->{
+            System.out.println("SESSION --> "+s);
+        });
+        
+        System.out.println("Wicket session store : "+Application.get().getSessionStore().getClass().toGenericString());
+        ISessionStore iss = Application.get().getSessionStore();
+        HttpSessionStore hss = (HttpSessionStore) iss;
+        
+*/
+
     }
     
     @Override
@@ -31,8 +72,9 @@ public void renderHead(IHeaderResponse response) {
         super.renderHead(response);
         response.render(CssHeaderItem.forReference(new CssResourceReference(Sparql.class, "yasgui.min.css")));
         response.render(JavaScriptHeaderItem.forReference(new JavaScriptResourceReference(Sparql.class, "yasgui.min.js")));
-        HalcyonSettings s = HalcyonSettings.getSettings();
+  //      HalcyonSettings s = HalcyonSettings.getSettings();
         //response.render(JavaScriptHeaderItem.forScript("var host = '"+s.getProxyHostName()+":"+s.GetSPARQLPort()+"'", "hostme"));
-        //response.render(JavaScriptHeaderItem.forScript("var host = 'http://localhost'", "hostme"));
+//        HttpServletRequest request = ((HttpServletRequest) getRequest().getContainerRequest());
+        response.render(JavaScriptHeaderItem.forScript("var token = '"+HalcyonSession.get().getToken()+"'", "token"));
     }
 }
diff --git a/src/main/java/com/ebremer/halcyon/wicket/FeatureManager.java b/src/main/java/com/ebremer/halcyon/wicket/FeatureManager.java
index cf5d1302..243e5937 100644
--- a/src/main/java/com/ebremer/halcyon/wicket/FeatureManager.java
+++ b/src/main/java/com/ebremer/halcyon/wicket/FeatureManager.java
@@ -62,9 +62,9 @@ public FeatureManager() {
 
     public String getFeatures(HashSet<String> features, String urn) {
         System.out.println("getFeatures : "+urn);
-        features.forEach(d->{
-            System.out.println("YAH  : "+d);
-        });
+       // features.forEach(d->{
+         //   System.out.println("YAH  : "+d);
+        //});
         Iterator<String> ii = features.iterator();
         Model wow = ModelFactory.createDefaultModel();
         ArrayList<RDFNode> createactions = new ArrayList<>();
@@ -236,7 +236,7 @@ public String getFeatures(HashSet<String> features, String urn) {
                 layer.addProperty(HAL.colorscheme,COLORSCHEME);
                 LayerSet.addProperty(HAL.haslayer, layer);
             }
-            System.out.println("Add a color class layer "+COLORSCHEME.toString()+"  "+qs.get("label").asLiteral().getString()+"  "+qs.get("value").asLiteral().getInt());
+            //System.out.println("Add a color class layer "+COLORSCHEME.toString()+"  "+qs.get("label").asLiteral().getString()+"  "+qs.get("value").asLiteral().getInt());
             COLORSCHEME.addProperty(HAL.colors, m.createResource()
                     .addLiteral(SchemaDO.name, qs.get("label").asLiteral().getString())
                     .addLiteral(HAL.classid, qs.get("value").asLiteral().getInt())
@@ -244,9 +244,9 @@ public String getFeatures(HashSet<String> features, String urn) {
             );
         }
         ds.end();
-        System.out.println("===================================================== Features ======================================");
-        RDFDataMgr.write(System.out, m, Lang.TURTLE);
-        System.out.println("==========XXXXXXXXXXXXXXXXXX======================== Features ============XXXXXXXXXXXXX==============");
+        //System.out.println("===================================================== Features ======================================");
+        //RDFDataMgr.write(System.out, m, Lang.TURTLE);
+        //System.out.println("==========XXXXXXXXXXXXXXXXXX======================== Features ============XXXXXXXXXXXXX==============");
         Dataset dss = DatasetFactory.createGeneral();
         dss.getDefaultModel().add(m);
         RdfDataset rds = JenaTitanium.convert(dss.asDatasetGraph());
diff --git a/src/main/java/com/ebremer/halcyon/wicket/ListFeatures.java b/src/main/java/com/ebremer/halcyon/wicket/ListFeatures.java
index b1a34220..3b900c4f 100644
--- a/src/main/java/com/ebremer/halcyon/wicket/ListFeatures.java
+++ b/src/main/java/com/ebremer/halcyon/wicket/ListFeatures.java
@@ -83,8 +83,8 @@ public void populateItem(Item<ICellPopulator<Solution>> cellItem, String compone
         pss.setNsPrefix("so", SchemaDO.NS);
         pss.setNsPrefix("exif", EXIF.NS);
         pss.setIri("car", HAL.CollectionsAndResources.getURI());
-        //Dataset ds = DatabaseLocator.getDatabase().getSecuredDataset();
-        Dataset ds = DatabaseLocator.getDatabase().getDataset();
+        Dataset ds = DatabaseLocator.getDatabase().getSecuredDataset();
+        //Dataset ds = DatabaseLocator.getDatabase().getDataset();
         //System.out.println("F1 ---> "+pss.toString());
         rdfsdf = new SelectDataProvider(ds,pss.toString());
         ParameterizedSparqlString pss2 = rdfsdf.getPSS();
@@ -116,7 +116,7 @@ protected List<Node> load() {
             protected void onAfterSubmit(AjaxRequestTarget target) {
                 ParameterizedSparqlString pss = rdfsdf.getPSS();
                 pss.setIri("collection", ddc.getModelObject().toString());
-                System.out.println("F2X ---> "+pss.toString());
+                //System.out.println("F2X ---> "+pss.toString());
                 rdfsdf.SetSPARQL(pss.toString());
                 target.add(table);
             }
diff --git a/src/main/java/com/ebremer/halcyon/wicket/ListImages.java b/src/main/java/com/ebremer/halcyon/wicket/ListImages.java
index 64328c41..fd520673 100644
--- a/src/main/java/com/ebremer/halcyon/wicket/ListImages.java
+++ b/src/main/java/com/ebremer/halcyon/wicket/ListImages.java
@@ -9,7 +9,6 @@
 import com.ebremer.ns.HAL;
 import com.ebremer.ethereal.NodeColumn;
 import com.ebremer.halcyon.gui.HalcyonSession;
-//import com.ebremer.halcyon.utils.StopWatch;
 import com.ebremer.multiviewer.MultiViewer;
 import com.ebremer.ns.EXIF;
 import java.util.HashSet;
@@ -50,7 +49,7 @@ public class ListImages extends BasePage {
     private static final long serialVersionUID = 1L;
     private SelectDataProvider rdfsdf;
     private final ListFeatures lf;
-    private boolean FeatureFilter = false;
+    //private boolean FeatureFilter = false;
     
     public ListImages() {
         List<IColumn<Solution, String>> columns = new LinkedList<>();
@@ -83,21 +82,21 @@ public void populateItem(Item<ICellPopulator<Solution>> cellItem, String compone
         pss.setNsPrefix("so", SchemaDO.NS);
         pss.setNsPrefix("exif", EXIF.NS);
         pss.setIri("car", HAL.CollectionsAndResources.getURI());
-        //Dataset ds = DatabaseLocator.getDatabase().getSecuredDataset();
-        Dataset ds = DatabaseLocator.getDatabase().getDataset();
+        Dataset ds = DatabaseLocator.getDatabase().getSecuredDataset();
+        //Dataset ds = DatabaseLocator.getDatabase().getDataset();
         rdfsdf = new SelectDataProvider(ds,pss.toString());
         rdfsdf.SetSPARQL(pss.toString());
         AjaxFallbackDefaultDataTable table = new AjaxFallbackDefaultDataTable<>("table", columns, rdfsdf, 25);
         add(table);
         RDFDetachableModel rdg = new RDFDetachableModel(Patterns.getCollectionRDF());
         LDModel ldm = new LDModel(rdg);
-        //StopWatch ddct = new StopWatch(true);
         DropDownChoice<Node> ddc = 
             new DropDownChoice<>("collection", ldm,
                     new LoadableDetachableModel<List<Node>>() {
                         @Override
                         protected List<Node> load() {
                             List<Node> list = Patterns.getCollectionList(rdg.load());
+                            list.add(NodeFactory.createURI("urn:halcyon:nocollections"));
                             return list;
                         }
                     },
@@ -176,23 +175,3 @@ public void onClick() {
         }
     }
 }
-                /*
-                Query q = rdfsdf.getQuery();
-                Q.removeAllFilters(q);
-                WhereHandler wh = new WhereHandler(q);
-                try {   
-                    String filter;
-                    switch (ddc.getModelObject().toString()) {
-                        case "urn:halcyon:nocollections":
-                            filter = "!bound(?collection)";
-                            wh.addFilter(filter);
-                            break;
-                        case "urn:halcyon:allcollections":
-                            break;
-                        default:
-                            filter = "(?collection=<"+ddc.getModelObject().toString()+">)";   // "bound(?collection)&&(?collection=<"+ddc.getModelObject().toString()+">)"
-                            wh.addFilter(filter);
-                            break;
-                    }
-                    rdfsdf.setQuery(q);
-*/
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/halycon/shiro/JWTGuard.java b/src/main/java/com/ebremer/halycon/shiro/JWTGuard.java
new file mode 100644
index 00000000..5e2a6cc5
--- /dev/null
+++ b/src/main/java/com/ebremer/halycon/shiro/JWTGuard.java
@@ -0,0 +1,16 @@
+package com.ebremer.halycon.shiro;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.shiro.web.filter.authc.AuthenticationFilter;
+ 
+public class JWTGuard extends AuthenticationFilter {
+ 
+    @Override
+    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+        return false;
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/halycon/shiro/JWTVerifyingFilter.java b/src/main/java/com/ebremer/halycon/shiro/JWTVerifyingFilter.java
new file mode 100644
index 00000000..056cbfc9
--- /dev/null
+++ b/src/main/java/com/ebremer/halycon/shiro/JWTVerifyingFilter.java
@@ -0,0 +1,54 @@
+package com.ebremer.halycon.shiro;
+
+import io.jsonwebtoken.JwtException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.web.filter.AccessControlFilter;
+import io.jsonwebtoken.Jwts;
+
+ 
+public class JWTVerifyingFilter extends AccessControlFilter {
+    
+    private boolean validateJwt(String jwt) {
+    try {
+        Jwts.parserBuilder()
+                //.setSigningKey(publicKey)
+                .build()
+                .parseClaimsJws(jwt);
+        return true;
+    } catch (JwtException e) {
+        return false;
+    }
+}
+ 
+    @Override
+    protected boolean isAccessAllowed(ServletRequest request, ServletResponse arg1, Object arg2) throws Exception {
+        boolean accessAllowed = false;
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
+        String jwt = httpRequest.getHeader("Authorization");
+        if (jwt == null || !jwt.startsWith("Bearer ")) {
+            return accessAllowed;
+        }
+        jwt = jwt.substring(jwt.indexOf(" "));
+        //String username = 
+        
+        
+        String subjectName = (String) SecurityUtils.getSubject().getPrincipal();
+        System.out.println("subjectName = "+subjectName);
+       // if (username.equals(subjectName)) {
+         //   accessAllowed = true;
+        //}
+        return accessAllowed;
+    }
+ 
+    @Override
+    protected boolean onAccessDenied(ServletRequest arg0, ServletResponse arg1) throws Exception {
+        HttpServletResponse response = (HttpServletResponse) arg1;
+        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+        return false;
+    }
+ 
+}
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/ns/HAL.java b/src/main/java/com/ebremer/ns/HAL.java
index 97806c78..fddf1a64 100644
--- a/src/main/java/com/ebremer/ns/HAL.java
+++ b/src/main/java/com/ebremer/ns/HAL.java
@@ -16,7 +16,9 @@ public class HAL {
  */
     private static final Model m = ModelFactory.createDefaultModel();
     public static final String NS = "https://www.ebremer.com/halcyon/ns/";
+    public static final Resource Anonymous = m.createResource(NS+"Anonymous");  // Identifier for a group of unidentified things
     public static final Resource DataFile = m.createResource(NS+"DataFile");
+    public static final Resource FileManagerArtifact = m.createResource(NS+"FileManagerArtifact");
     public static final Resource LayerSet = m.createResource(NS+"LayerSet");
     public static final Resource ProbabilityBody = m.createResource(NS+"ProbabilityBody");
     public static final Resource SecurityGraph = m.createResource(NS+"SecurityGraph");
@@ -55,7 +57,6 @@ public class HAL {
     public static final Property object = m.createProperty(NS+"object");
     public static final Property ascending = m.createProperty(NS+"ascending");
     public static final Property gspo = m.createProperty(NS+"gspo");
-    public static final Property dateRegistered = m.createProperty(NS+"dateRegistered");
     public static final Property columns = m.createProperty(NS+"columns");
     public static final Property begin = m.createProperty(NS+"begin");
     public static final Property hasCertainty = m.createProperty(NS+"hasCertainty");
diff --git a/src/main/resources/keycloak.json b/src/main/resources/keycloak.json
index 87c1262f..9129751e 100644
--- a/src/main/resources/keycloak.json
+++ b/src/main/resources/keycloak.json
@@ -1,6 +1,6 @@
 {
   "realm": "master",
-  "auth-server-url": "/auth/",
+  "auth-server-url": "http://localhost:8888/auth/",
   "ssl-required": "none",
   "resource": "account",
   "public-client": true,
diff --git a/src/main/resources/shiro.ini b/src/main/resources/shiro.ini
new file mode 100644
index 00000000..b683a4fa
--- /dev/null
+++ b/src/main/resources/shiro.ini
@@ -0,0 +1,15 @@
+[main]
+halcyonfilter=com.ebremer.halcyon.fuseki.jwt.JwtAuthenticatingFilter
+realm=com.ebremer.halcyon.fuseki.jwt.JwtRealm
+sessionManager=org.apache.shiro.web.session.mgt.DefaultWebSessionManager
+sessionManager.sessionIdCookieEnabled=true
+securityManager.realms=$realm,$iniRealm
+securityManager.sessionManager=$sessionManager
+#securityManager.rememberMeManager=null
+
+[users]
+admin=pw
+
+[urls]
+/$/**=authcBasic
+/**=halcyonfilter

From 62a5f1424a4a53fb06378de54e44095b09726246 Mon Sep 17 00:00:00 2001
From: Erich Bremer <erich@ebremer.com>
Date: Tue, 4 Apr 2023 08:41:15 -0400
Subject: [PATCH 4/4] Add OpenID Connect authentication to SPARQL Endpoint

bug fixes.
UX rearrangement
---
 realm-export.json                             | 2282 +++++++++++++++++
 .../java/com/ebremer/ethereal/MakeList.java   |    4 -
 .../com/ebremer/ethereal/RDFRenderer.java     |    4 -
 .../com/ebremer/halcyon/datum/DataCore.java   |    8 +-
 .../halcyon/datum/HalcyonPrincipal.java       |   81 +-
 .../com/ebremer/halcyon/datum/Patterns.java   |   16 +-
 .../halcyon/datum/SecuredDatasetGraph.java    |   11 +-
 .../halcyon/datum/WACSecurityEvaluator.java   |   43 +-
 .../halcyon/fuseki/SPARQLEndPoint.java        |    1 +
 .../halcyon/fuseki/jwt/GetPublicKey.java      |   62 -
 .../com/ebremer/halcyon/fuseki/jwt/Test.java  |   30 -
 .../JwtAuthenticatingFilter.java              |   17 +-
 .../fuseki/{jwt => shiro}/JwtRealm.java       |   28 +-
 .../fuseki/{jwt => shiro}/JwtToken.java       |   22 +-
 .../fuseki/{jwt => shiro}/JwtVerifier.java    |    4 +-
 .../KeycloakPublicKeyFetcher.java             |    2 +-
 .../ebremer/halcyon/gui/CollectionPanel.java  |   11 +-
 .../com/ebremer/halcyon/gui/Collections.java  |    2 +-
 .../ebremer/halcyon/gui/EditCollection.java   |    2 +-
 .../halcyon/gui/HalcyonApplication.java       |   14 +-
 .../ebremer/halcyon/gui/HalcyonSession.java   |   18 +-
 .../com/ebremer/halcyon/gui/HomePage.html     |   44 +-
 .../com/ebremer/halcyon/gui/HomePage.java     |    2 +-
 .../java/com/ebremer/halcyon/gui/LogHal.html  |    7 +
 .../java/com/ebremer/halcyon/gui/LogHal.java  |   22 +
 .../java/com/ebremer/halcyon/gui/Login.java   |    1 +
 .../com/ebremer/halcyon/gui/LogoutLink.java   |   30 +
 .../java/com/ebremer/halcyon/gui/Public.java  |   14 -
 .../gui/{Public.html => RevisionHistory.html} |    2 +-
 .../ebremer/halcyon/gui/RevisionHistory.java  |   20 +
 .../com/ebremer/halcyon/imagebox/Main.java    |    9 +-
 .../keycloak/HALInMemorySessionIdMapper.java  |    2 +-
 .../com/ebremer/halcyon/sparql/Sparql.html    |    2 +-
 .../com/ebremer/halcyon/sparql/Sparql.java    |   51 +-
 .../ebremer/halcyon/wicket/ListFeatures.java  |    6 +-
 .../ebremer/halcyon/wicket/ListImages.java    |   10 +-
 .../com/ebremer/halcyon/wicket/MenuPanel.html |   14 +-
 .../com/ebremer/halcyon/wicket/MenuPanel.java |   67 +-
 .../com/ebremer/halycon/shiro/JWTGuard.java   |   16 -
 .../halycon/shiro/JWTVerifyingFilter.java     |   54 -
 src/main/resources/keycloak-realm-config.json |    6 +-
 src/main/resources/shiro.ini                  |    7 +-
 42 files changed, 2659 insertions(+), 389 deletions(-)
 create mode 100644 realm-export.json
 delete mode 100644 src/main/java/com/ebremer/halcyon/fuseki/jwt/GetPublicKey.java
 delete mode 100644 src/main/java/com/ebremer/halcyon/fuseki/jwt/Test.java
 rename src/main/java/com/ebremer/halcyon/fuseki/{jwt => shiro}/JwtAuthenticatingFilter.java (50%)
 rename src/main/java/com/ebremer/halcyon/fuseki/{jwt => shiro}/JwtRealm.java (73%)
 rename src/main/java/com/ebremer/halcyon/fuseki/{jwt => shiro}/JwtToken.java (56%)
 rename src/main/java/com/ebremer/halcyon/fuseki/{jwt => shiro}/JwtVerifier.java (94%)
 rename src/main/java/com/ebremer/halcyon/fuseki/{jwt => shiro}/KeycloakPublicKeyFetcher.java (98%)
 create mode 100644 src/main/java/com/ebremer/halcyon/gui/LogHal.html
 create mode 100644 src/main/java/com/ebremer/halcyon/gui/LogHal.java
 create mode 100644 src/main/java/com/ebremer/halcyon/gui/LogoutLink.java
 delete mode 100644 src/main/java/com/ebremer/halcyon/gui/Public.java
 rename src/main/java/com/ebremer/halcyon/gui/{Public.html => RevisionHistory.html} (98%)
 create mode 100644 src/main/java/com/ebremer/halcyon/gui/RevisionHistory.java
 delete mode 100644 src/main/java/com/ebremer/halycon/shiro/JWTGuard.java
 delete mode 100644 src/main/java/com/ebremer/halycon/shiro/JWTVerifyingFilter.java

diff --git a/realm-export.json b/realm-export.json
new file mode 100644
index 00000000..50974d3a
--- /dev/null
+++ b/realm-export.json
@@ -0,0 +1,2282 @@
+{
+  "id": "master",
+  "realm": "master",
+  "displayName": "Halcyon",
+  "displayNameHtml": "H A L C Y O N",
+  "notBefore": 1680204939,
+  "defaultSignatureAlgorithm": "RS256",
+  "revokeRefreshToken": false,
+  "refreshTokenMaxReuse": 0,
+  "accessTokenLifespan": 60,
+  "accessTokenLifespanForImplicitFlow": 900,
+  "ssoSessionIdleTimeout": 86400,
+  "ssoSessionMaxLifespan": 604800,
+  "ssoSessionIdleTimeoutRememberMe": 0,
+  "ssoSessionMaxLifespanRememberMe": 0,
+  "offlineSessionIdleTimeout": 2592000,
+  "offlineSessionMaxLifespanEnabled": false,
+  "offlineSessionMaxLifespan": 5184000,
+  "clientSessionIdleTimeout": 0,
+  "clientSessionMaxLifespan": 0,
+  "clientOfflineSessionIdleTimeout": 0,
+  "clientOfflineSessionMaxLifespan": 0,
+  "accessCodeLifespan": 60,
+  "accessCodeLifespanUserAction": 300,
+  "accessCodeLifespanLogin": 1800,
+  "actionTokenGeneratedByAdminLifespan": 43200,
+  "actionTokenGeneratedByUserLifespan": 300,
+  "oauth2DeviceCodeLifespan": 600,
+  "oauth2DevicePollingInterval": 5,
+  "enabled": true,
+  "sslRequired": "none",
+  "registrationAllowed": false,
+  "registrationEmailAsUsername": true,
+  "rememberMe": false,
+  "verifyEmail": false,
+  "loginWithEmailAllowed": true,
+  "duplicateEmailsAllowed": false,
+  "resetPasswordAllowed": false,
+  "editUsernameAllowed": false,
+  "bruteForceProtected": false,
+  "permanentLockout": false,
+  "maxFailureWaitSeconds": 900,
+  "minimumQuickLoginWaitSeconds": 60,
+  "waitIncrementSeconds": 60,
+  "quickLoginCheckMilliSeconds": 1000,
+  "maxDeltaTimeSeconds": 43200,
+  "failureFactor": 30,
+  "roles": {
+    "realm": [
+      {
+        "id": "db43a81e-55f0-495f-bb10-b2897886e6c1",
+        "name": "default-roles-master",
+        "description": "${role_default-roles}",
+        "composite": true,
+        "composites": {
+          "realm": [
+            "offline_access",
+            "uma_authorization"
+          ],
+          "client": {
+            "account": [
+              "manage-account",
+              "view-profile"
+            ]
+          }
+        },
+        "clientRole": false,
+        "containerId": "master",
+        "attributes": {}
+      },
+      {
+        "id": "ba948bb5-7632-4efc-bf3f-840474d00fd5",
+        "name": "create-realm",
+        "description": "${role_create-realm}",
+        "composite": false,
+        "clientRole": false,
+        "containerId": "master",
+        "attributes": {}
+      },
+      {
+        "id": "a7d3d99d-e84c-4116-a334-c9608bc76d85",
+        "name": "offline_access",
+        "description": "${role_offline-access}",
+        "composite": false,
+        "clientRole": false,
+        "containerId": "master",
+        "attributes": {}
+      },
+      {
+        "id": "9eb710dd-4d98-40e0-ad73-162102401e4b",
+        "name": "admin",
+        "description": "${role_admin}",
+        "composite": true,
+        "composites": {
+          "realm": [
+            "create-realm"
+          ],
+          "client": {
+            "master-realm": [
+              "view-clients",
+              "manage-events",
+              "view-realm",
+              "query-clients",
+              "manage-realm",
+              "manage-identity-providers",
+              "view-identity-providers",
+              "manage-users",
+              "impersonation",
+              "view-authorization",
+              "query-realms",
+              "view-events",
+              "manage-authorization",
+              "query-groups",
+              "create-client",
+              "view-users",
+              "manage-clients",
+              "query-users"
+            ]
+          }
+        },
+        "clientRole": false,
+        "containerId": "master",
+        "attributes": {}
+      },
+      {
+        "id": "1d1d6634-162d-4e1f-9120-d31b7adae4d3",
+        "name": "uma_authorization",
+        "description": "${role_uma_authorization}",
+        "composite": false,
+        "clientRole": false,
+        "containerId": "master",
+        "attributes": {}
+      }
+    ],
+    "client": {
+      "security-admin-console": [],
+      "admin-cli": [],
+      "account-console": [],
+      "broker": [
+        {
+          "id": "ccc1d2f3-9a90-47dc-8821-939ac7aa9917",
+          "name": "read-token",
+          "description": "${role_read-token}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "add69182-4588-4087-a1e6-0d9a59d8d81c",
+          "attributes": {}
+        }
+      ],
+      "master-realm": [
+        {
+          "id": "4d681622-fb1b-448c-a14f-757885ae177c",
+          "name": "view-clients",
+          "description": "${role_view-clients}",
+          "composite": true,
+          "composites": {
+            "client": {
+              "master-realm": [
+                "query-clients"
+              ]
+            }
+          },
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "18d8b8d6-4b9c-4e62-8a9f-7cbb74b59e3c",
+          "name": "manage-events",
+          "description": "${role_manage-events}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "04ecb1b3-b44b-44d5-bcff-62b19a285e6c",
+          "name": "view-realm",
+          "description": "${role_view-realm}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "97c45eba-c008-4a4a-800d-6d36f3f17b5c",
+          "name": "query-clients",
+          "description": "${role_query-clients}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "8790557a-5269-4177-b8d7-2961e64e9e3c",
+          "name": "manage-realm",
+          "description": "${role_manage-realm}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "559dc49f-eed9-4d70-a12b-88ce32745933",
+          "name": "manage-identity-providers",
+          "description": "${role_manage-identity-providers}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "46074624-f2e9-4e7f-b3b2-04636bfb93fb",
+          "name": "view-identity-providers",
+          "description": "${role_view-identity-providers}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "21ea52fd-3c7d-460c-b3ce-c0360caf7c52",
+          "name": "manage-users",
+          "description": "${role_manage-users}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "791dcc5f-9aae-41fa-a36b-b3c7bcb175a6",
+          "name": "impersonation",
+          "description": "${role_impersonation}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "aad4a9a5-00d5-4de3-894f-e9b5ad99bc28",
+          "name": "query-realms",
+          "description": "${role_query-realms}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "54b94dcf-b2ac-4a3d-97f8-9b50f8326fc6",
+          "name": "view-authorization",
+          "description": "${role_view-authorization}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "dfdd2271-3739-41d7-b088-8954bf0b91ed",
+          "name": "view-events",
+          "description": "${role_view-events}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "cbc59c22-d07b-4606-8406-c75b63b32413",
+          "name": "manage-authorization",
+          "description": "${role_manage-authorization}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "d1374727-f085-41a1-8ae8-f675f5c0fcf5",
+          "name": "query-groups",
+          "description": "${role_query-groups}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "1afc8117-cf6c-4e35-8427-ba40fae6431d",
+          "name": "create-client",
+          "description": "${role_create-client}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "87ca302d-9010-402a-a4d2-1d31c0e19613",
+          "name": "view-users",
+          "description": "${role_view-users}",
+          "composite": true,
+          "composites": {
+            "client": {
+              "master-realm": [
+                "query-groups",
+                "query-users"
+              ]
+            }
+          },
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "28977c95-a4c1-4400-a828-36c626026298",
+          "name": "manage-clients",
+          "description": "${role_manage-clients}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        },
+        {
+          "id": "bc60194d-1c23-4a94-bb55-738d7389faab",
+          "name": "query-users",
+          "description": "${role_query-users}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+          "attributes": {}
+        }
+      ],
+      "account": [
+        {
+          "id": "d1c18f80-771f-4df2-ade9-d70e75e32ecf",
+          "name": "manage-account",
+          "description": "${role_manage-account}",
+          "composite": true,
+          "composites": {
+            "client": {
+              "account": [
+                "manage-account-links"
+              ]
+            }
+          },
+          "clientRole": true,
+          "containerId": "fa64a2d4-66d2-4ff6-af84-d59ede0320c0",
+          "attributes": {}
+        },
+        {
+          "id": "e057f536-3ca1-4c91-bc28-4a2f77bcedcb",
+          "name": "manage-consent",
+          "description": "${role_manage-consent}",
+          "composite": true,
+          "composites": {
+            "client": {
+              "account": [
+                "view-consent"
+              ]
+            }
+          },
+          "clientRole": true,
+          "containerId": "fa64a2d4-66d2-4ff6-af84-d59ede0320c0",
+          "attributes": {}
+        },
+        {
+          "id": "7d6c2511-1e91-41d3-bcd0-51f079dca2ee",
+          "name": "delete-account",
+          "description": "${role_delete-account}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "fa64a2d4-66d2-4ff6-af84-d59ede0320c0",
+          "attributes": {}
+        },
+        {
+          "id": "69bff3e2-eae4-4b03-a400-89a1f99b4094",
+          "name": "view-applications",
+          "description": "${role_view-applications}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "fa64a2d4-66d2-4ff6-af84-d59ede0320c0",
+          "attributes": {}
+        },
+        {
+          "id": "75f420a7-e7b3-48a0-a1bd-08948be9867c",
+          "name": "view-consent",
+          "description": "${role_view-consent}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "fa64a2d4-66d2-4ff6-af84-d59ede0320c0",
+          "attributes": {}
+        },
+        {
+          "id": "d003da96-499c-400b-9d95-c6d3b29f0f76",
+          "name": "manage-account-links",
+          "description": "${role_manage-account-links}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "fa64a2d4-66d2-4ff6-af84-d59ede0320c0",
+          "attributes": {}
+        },
+        {
+          "id": "532cc3ac-1590-474c-a303-1738cd33ecaa",
+          "name": "view-profile",
+          "description": "${role_view-profile}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "fa64a2d4-66d2-4ff6-af84-d59ede0320c0",
+          "attributes": {}
+        }
+      ]
+    }
+  },
+  "groups": [
+    {
+      "id": "2c20a6b5-6551-4491-8ba8-727306bc46eb",
+      "name": "Bremer Lab",
+      "path": "/Bremer Lab",
+      "attributes": {},
+      "realmRoles": [],
+      "clientRoles": {},
+      "subGroups": []
+    },
+    {
+      "id": "90679840-5e71-4256-afde-cdb708e6c428",
+      "name": "admin",
+      "path": "/admin",
+      "attributes": {},
+      "realmRoles": [],
+      "clientRoles": {},
+      "subGroups": []
+    }
+  ],
+  "defaultRole": {
+    "id": "db43a81e-55f0-495f-bb10-b2897886e6c1",
+    "name": "default-roles-master",
+    "description": "${role_default-roles}",
+    "composite": true,
+    "clientRole": false,
+    "containerId": "master"
+  },
+  "requiredCredentials": [
+    "password"
+  ],
+  "otpPolicyType": "totp",
+  "otpPolicyAlgorithm": "HmacSHA1",
+  "otpPolicyInitialCounter": 0,
+  "otpPolicyDigits": 6,
+  "otpPolicyLookAheadWindow": 1,
+  "otpPolicyPeriod": 30,
+  "otpSupportedApplications": [
+    "FreeOTP",
+    "Google Authenticator"
+  ],
+  "webAuthnPolicyRpEntityName": "keycloak",
+  "webAuthnPolicySignatureAlgorithms": [
+    "ES256"
+  ],
+  "webAuthnPolicyRpId": "",
+  "webAuthnPolicyAttestationConveyancePreference": "not specified",
+  "webAuthnPolicyAuthenticatorAttachment": "not specified",
+  "webAuthnPolicyRequireResidentKey": "not specified",
+  "webAuthnPolicyUserVerificationRequirement": "not specified",
+  "webAuthnPolicyCreateTimeout": 0,
+  "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
+  "webAuthnPolicyAcceptableAaguids": [],
+  "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
+  "webAuthnPolicyPasswordlessSignatureAlgorithms": [
+    "ES256"
+  ],
+  "webAuthnPolicyPasswordlessRpId": "",
+  "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
+  "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
+  "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
+  "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
+  "webAuthnPolicyPasswordlessCreateTimeout": 0,
+  "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
+  "webAuthnPolicyPasswordlessAcceptableAaguids": [],
+  "scopeMappings": [
+    {
+      "clientScope": "offline_access",
+      "roles": [
+        "offline_access"
+      ]
+    }
+  ],
+  "clientScopeMappings": {
+    "account": [
+      {
+        "client": "account-console",
+        "roles": [
+          "manage-account"
+        ]
+      }
+    ]
+  },
+  "clients": [
+    {
+      "id": "fa64a2d4-66d2-4ff6-af84-d59ede0320c0",
+      "clientId": "account",
+      "name": "${client_account}",
+      "rootUrl": "${authBaseUrl}",
+      "baseUrl": "/realms/master/account/",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "redirectUris": [
+        "*"
+      ],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "saml.multivalued.roles": "false",
+        "saml.force.post.binding": "false",
+        "post.logout.redirect.uris": "+",
+        "frontchannel.logout.session.required": "false",
+        "oauth2.device.authorization.grant.enabled": "false",
+        "backchannel.logout.revoke.offline.tokens": "false",
+        "saml.server.signature.keyinfo.ext": "false",
+        "use.refresh.tokens": "true",
+        "oidc.ciba.grant.enabled": "false",
+        "backchannel.logout.session.required": "false",
+        "client_credentials.use_refresh_token": "false",
+        "saml.client.signature": "false",
+        "require.pushed.authorization.requests": "false",
+        "saml.allow.ecp.flow": "false",
+        "saml.assertion.signature": "false",
+        "id.token.as.detached.signature": "false",
+        "saml.encrypt": "false",
+        "saml.server.signature": "false",
+        "exclude.session.state.from.auth.response": "false",
+        "saml.artifact.binding": "false",
+        "saml_force_name_id_format": "false",
+        "tls.client.certificate.bound.access.tokens": "false",
+        "acr.loa.map": "{}",
+        "saml.authnstatement": "false",
+        "display.on.consent.screen": "false",
+        "token.response.type.bearer.lower-case": "false",
+        "saml.onetimeuse.condition": "false"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": true,
+      "nodeReRegistrationTimeout": 0,
+      "protocolMappers": [
+        {
+          "id": "7537de68-443f-43bc-94e4-46164093aed7",
+          "name": "email",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "email",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "email",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "097b836d-74c8-4c32-a550-035ae515c2f4",
+          "name": "webid",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "multivalued": "false",
+            "user.attribute": "webid",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "webid",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "ccca6b2b-0b2d-48db-b290-15da39215c45",
+          "name": "memberOf",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-group-membership-mapper",
+          "consentRequired": false,
+          "config": {
+            "full.path": "true",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "HalcyonGroups",
+            "userinfo.token.claim": "true"
+          }
+        },
+        {
+          "id": "adeac42c-ce72-47f2-8ab9-50d9c674fe0a",
+          "name": "username",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "username",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "preferred_username",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "62eab4b3-358a-423e-a898-9cfa660c2d1a",
+          "name": "groupwebid",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "aggregate.attrs": "true",
+            "userinfo.token.claim": "true",
+            "multivalued": "true",
+            "user.attribute": "groupwebid",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "groupwebid",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "8c58c860-8cf7-4a6f-89e9-f98f1745d9da",
+          "name": "client roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-client-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute": "foo",
+            "access.token.claim": "true",
+            "claim.name": "resource_access.${client_id}.roles",
+            "jsonType.label": "String",
+            "multivalued": "true"
+          }
+        },
+        {
+          "id": "43549103-9c75-40ae-938c-a690f7a26bce",
+          "name": "groups",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "multivalued": "true",
+            "userinfo.token.claim": "true",
+            "user.attribute": "foo",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "groups",
+            "jsonType.label": "String"
+          }
+        }
+      ],
+      "defaultClientScopes": [
+        "web-origins",
+        "profile",
+        "roles",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+      ]
+    },
+    {
+      "id": "43443219-b1ba-4bda-8295-4f0d21bf030a",
+      "clientId": "account-console",
+      "name": "${client_account-console}",
+      "rootUrl": "${authBaseUrl}",
+      "baseUrl": "/realms/master/account/",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "redirectUris": [
+        "/realms/master/account/*"
+      ],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "post.logout.redirect.uris": "+",
+        "pkce.code.challenge.method": "S256"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "protocolMappers": [
+        {
+          "id": "6ebe150a-a9e3-41e8-816e-b25a853ccaed",
+          "name": "audience resolve",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-resolve-mapper",
+          "consentRequired": false,
+          "config": {}
+        }
+      ],
+      "defaultClientScopes": [
+        "web-origins",
+        "profile",
+        "roles",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+      ]
+    },
+    {
+      "id": "ae6950e9-7a85-4970-8cdd-4c6b2e4b8d6f",
+      "clientId": "admin-cli",
+      "name": "${client_admin-cli}",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "redirectUris": [],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {},
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "defaultClientScopes": [
+        "web-origins",
+        "profile",
+        "roles",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+      ]
+    },
+    {
+      "id": "add69182-4588-4087-a1e6-0d9a59d8d81c",
+      "clientId": "broker",
+      "name": "${client_broker}",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "redirectUris": [],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": true,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {},
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "defaultClientScopes": [
+        "web-origins",
+        "profile",
+        "roles",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+      ]
+    },
+    {
+      "id": "efa03508-c135-4dc8-a471-eed108cdfc6c",
+      "clientId": "master-realm",
+      "name": "master Realm",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "redirectUris": [],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": true,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {},
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "defaultClientScopes": [
+        "web-origins",
+        "profile",
+        "roles",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+      ]
+    },
+    {
+      "id": "f3b244a4-2280-4125-ac81-4abc7caebf57",
+      "clientId": "security-admin-console",
+      "name": "${client_security-admin-console}",
+      "rootUrl": "${authAdminUrl}",
+      "baseUrl": "/admin/master/console/",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "redirectUris": [
+        "/admin/master/console/*"
+      ],
+      "webOrigins": [
+        "+"
+      ],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "post.logout.redirect.uris": "+",
+        "pkce.code.challenge.method": "S256"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "protocolMappers": [
+        {
+          "id": "7f0699b0-db56-403c-b0c3-d239e4d7cbf9",
+          "name": "locale",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "locale",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "locale",
+            "jsonType.label": "String"
+          }
+        }
+      ],
+      "defaultClientScopes": [
+        "web-origins",
+        "profile",
+        "roles",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+      ]
+    }
+  ],
+  "clientScopes": [
+    {
+      "id": "77536af6-5352-42cd-aff0-9f0ed0c2e636",
+      "name": "address",
+      "description": "OpenID Connect built-in scope: address",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${addressScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "8dcab95e-fa00-414c-8c3f-7927764af6e5",
+          "name": "address",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-address-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute.formatted": "formatted",
+            "user.attribute.country": "country",
+            "user.attribute.postal_code": "postal_code",
+            "userinfo.token.claim": "true",
+            "user.attribute.street": "street",
+            "id.token.claim": "true",
+            "user.attribute.region": "region",
+            "access.token.claim": "true",
+            "user.attribute.locality": "locality"
+          }
+        }
+      ]
+    },
+    {
+      "id": "43cd72f4-541a-4ce3-8657-615cd05d675c",
+      "name": "acr",
+      "description": "OpenID Connect scope for add acr (authentication context class reference) to the token",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "false",
+        "display.on.consent.screen": "false"
+      },
+      "protocolMappers": [
+        {
+          "id": "fc2a9442-5c90-4fad-b577-245b23800f74",
+          "name": "acr loa level",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-acr-mapper",
+          "consentRequired": false,
+          "config": {
+            "id.token.claim": "true",
+            "access.token.claim": "true"
+          }
+        }
+      ]
+    },
+    {
+      "id": "99e38304-3ee1-4c5a-8925-4506f74696ee",
+      "name": "offline_access",
+      "description": "OpenID Connect built-in scope: offline_access",
+      "protocol": "openid-connect",
+      "attributes": {
+        "consent.screen.text": "${offlineAccessScopeConsentText}",
+        "display.on.consent.screen": "true"
+      }
+    },
+    {
+      "id": "395b3d90-81c3-4838-a824-24074d9a085d",
+      "name": "microprofile-jwt",
+      "description": "Microprofile - JWT built-in scope",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "false"
+      },
+      "protocolMappers": [
+        {
+          "id": "d48a6085-1b80-4fd9-8190-e6da48378e2d",
+          "name": "upn",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "username",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "upn",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "91e33380-5d98-4b46-b394-9b59e372a494",
+          "name": "groups",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "multivalued": "true",
+            "userinfo.token.claim": "true",
+            "user.attribute": "foo",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "groups",
+            "jsonType.label": "String"
+          }
+        }
+      ]
+    },
+    {
+      "id": "e260ddc8-9ab5-4cfb-86cc-863b4cb59117",
+      "name": "email",
+      "description": "OpenID Connect built-in scope: email",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${emailScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "21b7539e-791b-4b1e-895f-edaab639c5ef",
+          "name": "email verified",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "emailVerified",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "email_verified",
+            "jsonType.label": "boolean"
+          }
+        },
+        {
+          "id": "211d42d9-f436-4b6a-a5e3-931507746247",
+          "name": "email",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "email",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "email",
+            "jsonType.label": "String"
+          }
+        }
+      ]
+    },
+    {
+      "id": "bd3f2e46-be00-4352-a704-4acb72823ca2",
+      "name": "profile",
+      "description": "OpenID Connect built-in scope: profile",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${profileScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "6246d22e-e8f4-4c1a-b8c7-85d967bc440a",
+          "name": "website",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "website",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "website",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "9385e7ca-45ad-4c4b-a56a-8217aead6e16",
+          "name": "middle name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "middleName",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "middle_name",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "a2be1cec-f7c0-4b9f-b3a6-b94bdd8174e9",
+          "name": "locale",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "locale",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "locale",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "71ad7a22-c923-4822-8930-0a2342c0195b",
+          "name": "gender",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "gender",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "gender",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "220b5b4e-6c86-404b-92d8-ccc92075b0ec",
+          "name": "nickname",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "nickname",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "nickname",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "f5d0f9ee-906f-432b-8169-5c23601f4dd2",
+          "name": "username",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "username",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "preferred_username",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "19962845-92c4-4ef5-b5e5-780c53fd8181",
+          "name": "family name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "lastName",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "family_name",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "54fe8868-1ac4-4906-bb96-a0431f11f801",
+          "name": "birthdate",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "birthdate",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "birthdate",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "cf5d88d9-c70e-47d9-9eeb-b0d05bee4df3",
+          "name": "full name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-full-name-mapper",
+          "consentRequired": false,
+          "config": {
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "userinfo.token.claim": "true"
+          }
+        },
+        {
+          "id": "b0fc93e7-ccd2-44c0-bf7b-7d3db935f980",
+          "name": "zoneinfo",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "zoneinfo",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "zoneinfo",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "77f20845-32dd-4651-9c5c-07e8acbdfac0",
+          "name": "picture",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "picture",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "picture",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "e9a0cdc2-43bd-4734-b455-0d2e11698de8",
+          "name": "profile",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "profile",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "profile",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "35cf7657-3fa4-4569-871c-2060a11c5e4b",
+          "name": "updated at",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "updatedAt",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "updated_at",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "3d697e57-2bd7-4667-a904-d6452354e0ea",
+          "name": "given name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "firstName",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "given_name",
+            "jsonType.label": "String"
+          }
+        }
+      ]
+    },
+    {
+      "id": "258a3c9d-abdd-4880-b169-3f90bcb59609",
+      "name": "web-origins",
+      "description": "OpenID Connect scope for add allowed web origins to the access token",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "false",
+        "display.on.consent.screen": "false",
+        "consent.screen.text": ""
+      },
+      "protocolMappers": [
+        {
+          "id": "5e55df72-1128-423c-bb7e-efd59b303992",
+          "name": "allowed web origins",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-allowed-origins-mapper",
+          "consentRequired": false,
+          "config": {}
+        }
+      ]
+    },
+    {
+      "id": "e2519dd7-181b-4061-96e4-51ad793c21a0",
+      "name": "role_list",
+      "description": "SAML role list",
+      "protocol": "saml",
+      "attributes": {
+        "consent.screen.text": "${samlRoleListScopeConsentText}",
+        "display.on.consent.screen": "true"
+      },
+      "protocolMappers": [
+        {
+          "id": "5d6a5eb2-de50-47de-886b-c285723f9928",
+          "name": "role list",
+          "protocol": "saml",
+          "protocolMapper": "saml-role-list-mapper",
+          "consentRequired": false,
+          "config": {
+            "single": "false",
+            "attribute.nameformat": "Basic",
+            "attribute.name": "Role"
+          }
+        }
+      ]
+    },
+    {
+      "id": "925f1f40-cc22-4829-afae-7765ac2cdb14",
+      "name": "phone",
+      "description": "OpenID Connect built-in scope: phone",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${phoneScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "8e0f8453-a375-493f-8d96-57a8154c052d",
+          "name": "phone number verified",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "phoneNumberVerified",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "phone_number_verified",
+            "jsonType.label": "boolean"
+          }
+        },
+        {
+          "id": "8efae8d2-77a1-46c4-8de9-51a6781fb8f7",
+          "name": "phone number",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "phoneNumber",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "phone_number",
+            "jsonType.label": "String"
+          }
+        }
+      ]
+    },
+    {
+      "id": "0b27e77a-3487-4a0a-91bc-9d5501e1b431",
+      "name": "roles",
+      "description": "OpenID Connect scope for add user roles to the access token",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "false",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${rolesScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "f02997a9-12dc-490d-9af7-2aa217874359",
+          "name": "audience resolve",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-resolve-mapper",
+          "consentRequired": false,
+          "config": {}
+        },
+        {
+          "id": "af14fbf1-81f4-4e38-9dcd-8a328dc48619",
+          "name": "realm roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute": "foo",
+            "access.token.claim": "true",
+            "claim.name": "realm_access.roles",
+            "jsonType.label": "String",
+            "multivalued": "true"
+          }
+        },
+        {
+          "id": "b8166372-96a6-4d9c-b47c-30bc29fef4a8",
+          "name": "client roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-client-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute": "foo",
+            "access.token.claim": "true",
+            "claim.name": "resource_access.${client_id}.roles",
+            "jsonType.label": "String",
+            "multivalued": "true"
+          }
+        }
+      ]
+    }
+  ],
+  "defaultDefaultClientScopes": [
+    "role_list",
+    "profile",
+    "email",
+    "roles",
+    "web-origins",
+    "acr"
+  ],
+  "defaultOptionalClientScopes": [
+    "offline_access",
+    "address",
+    "phone",
+    "microprofile-jwt"
+  ],
+  "browserSecurityHeaders": {
+    "contentSecurityPolicyReportOnly": "",
+    "xContentTypeOptions": "nosniff",
+    "xRobotsTag": "none",
+    "xFrameOptions": "SAMEORIGIN",
+    "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+    "xXSSProtection": "1; mode=block",
+    "strictTransportSecurity": "max-age=31536000; includeSubDomains"
+  },
+  "smtpServer": {},
+  "eventsEnabled": false,
+  "eventsListeners": [
+    "jboss-logging"
+  ],
+  "enabledEventTypes": [],
+  "adminEventsEnabled": false,
+  "adminEventsDetailsEnabled": false,
+  "identityProviders": [],
+  "identityProviderMappers": [],
+  "components": {
+    "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
+      {
+        "id": "86c28e25-74c1-476b-8723-6d0f799b15df",
+        "name": "Full Scope Disabled",
+        "providerId": "scope",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {}
+      },
+      {
+        "id": "3cb73dd9-c955-4fba-9bc5-abb6ccd29bb6",
+        "name": "Allowed Client Scopes",
+        "providerId": "allowed-client-templates",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "allow-default-scopes": [
+            "true"
+          ]
+        }
+      },
+      {
+        "id": "3e7e1b97-82c5-4b1a-9c5a-ef0657799252",
+        "name": "Allowed Protocol Mapper Types",
+        "providerId": "allowed-protocol-mappers",
+        "subType": "authenticated",
+        "subComponents": {},
+        "config": {
+          "allowed-protocol-mapper-types": [
+            "saml-user-attribute-mapper",
+            "oidc-full-name-mapper",
+            "oidc-usermodel-attribute-mapper",
+            "saml-role-list-mapper",
+            "saml-user-property-mapper",
+            "oidc-address-mapper",
+            "oidc-sha256-pairwise-sub-mapper",
+            "oidc-usermodel-property-mapper"
+          ]
+        }
+      },
+      {
+        "id": "d6a971eb-ad45-4bfd-a8c5-cd426c593768",
+        "name": "Consent Required",
+        "providerId": "consent-required",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {}
+      },
+      {
+        "id": "ed09d054-e0b1-48cb-ab73-0119b21a8b3a",
+        "name": "Max Clients Limit",
+        "providerId": "max-clients",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "max-clients": [
+            "200"
+          ]
+        }
+      },
+      {
+        "id": "568cebd6-bc86-4f14-ae91-112a34176e32",
+        "name": "Allowed Client Scopes",
+        "providerId": "allowed-client-templates",
+        "subType": "authenticated",
+        "subComponents": {},
+        "config": {
+          "allow-default-scopes": [
+            "true"
+          ]
+        }
+      },
+      {
+        "id": "1a1c22b5-4be6-417b-b5cf-4d2b0b2ee24d",
+        "name": "Allowed Protocol Mapper Types",
+        "providerId": "allowed-protocol-mappers",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "allowed-protocol-mapper-types": [
+            "oidc-usermodel-attribute-mapper",
+            "saml-role-list-mapper",
+            "oidc-sha256-pairwise-sub-mapper",
+            "oidc-address-mapper",
+            "saml-user-property-mapper",
+            "oidc-usermodel-property-mapper",
+            "saml-user-attribute-mapper",
+            "oidc-full-name-mapper"
+          ]
+        }
+      },
+      {
+        "id": "82aaab32-c500-45bd-8c74-def1d2012ba1",
+        "name": "Trusted Hosts",
+        "providerId": "trusted-hosts",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "host-sending-registration-request-must-match": [
+            "true"
+          ],
+          "client-uris-must-match": [
+            "true"
+          ]
+        }
+      }
+    ],
+    "org.keycloak.keys.KeyProvider": [
+      {
+        "id": "1a5101b2-1068-4587-8a00-3f19ba2a82f7",
+        "name": "rsa-generated",
+        "providerId": "rsa-generated",
+        "subComponents": {},
+        "config": {
+          "priority": [
+            "100"
+          ]
+        }
+      },
+      {
+        "id": "c8d75e7a-1a73-4080-be95-9062291310cb",
+        "name": "aes-generated",
+        "providerId": "aes-generated",
+        "subComponents": {},
+        "config": {
+          "priority": [
+            "100"
+          ]
+        }
+      },
+      {
+        "id": "c752ea78-9018-4357-a720-587aefc6054f",
+        "name": "hmac-generated",
+        "providerId": "hmac-generated",
+        "subComponents": {},
+        "config": {
+          "priority": [
+            "100"
+          ],
+          "algorithm": [
+            "HS256"
+          ]
+        }
+      }
+    ]
+  },
+  "internationalizationEnabled": false,
+  "supportedLocales": [],
+  "authenticationFlows": [
+    {
+      "id": "5ed3d9a5-2ad0-44c0-a623-9a481c60ce27",
+      "alias": "Account verification options",
+      "description": "Method with which to verity the existing account",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "idp-email-verification",
+          "authenticatorFlow": false,
+          "requirement": "ALTERNATIVE",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticatorFlow": true,
+          "requirement": "ALTERNATIVE",
+          "priority": 20,
+          "autheticatorFlow": true,
+          "flowAlias": "Verify Existing Account by Re-authentication",
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "54bc8205-ee68-4a6f-b639-0944a37a3c75",
+      "alias": "Authentication Options",
+      "description": "Authentication options.",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "basic-auth",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "basic-auth-otp",
+          "authenticatorFlow": false,
+          "requirement": "DISABLED",
+          "priority": 20,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "auth-spnego",
+          "authenticatorFlow": false,
+          "requirement": "DISABLED",
+          "priority": 30,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "d04905ec-09af-4e95-b4bd-9ed4ce963364",
+      "alias": "Browser - Conditional OTP",
+      "description": "Flow to determine if the OTP is required for the authentication",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "conditional-user-configured",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "auth-otp-form",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "dc6e420c-52d5-4221-8320-4d1604434053",
+      "alias": "Direct Grant - Conditional OTP",
+      "description": "Flow to determine if the OTP is required for the authentication",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "conditional-user-configured",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "direct-grant-validate-otp",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "1ead146e-8539-4c31-8df0-3e65caeee5d0",
+      "alias": "First broker login - Conditional OTP",
+      "description": "Flow to determine if the OTP is required for the authentication",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "conditional-user-configured",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "auth-otp-form",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "8d58fe02-e3f6-4227-930d-a88b72aaa44e",
+      "alias": "Handle Existing Account",
+      "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "idp-confirm-link",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticatorFlow": true,
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "autheticatorFlow": true,
+          "flowAlias": "Account verification options",
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "f5e8fd4a-86d8-4bfc-b36f-7c5e927fd935",
+      "alias": "Reset - Conditional OTP",
+      "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "conditional-user-configured",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "reset-otp",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "4a25a163-1ab8-416f-a8ba-c23d889f9f6f",
+      "alias": "User creation or linking",
+      "description": "Flow for the existing/non-existing user alternatives",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticatorConfig": "create unique user config",
+          "authenticator": "idp-create-user-if-unique",
+          "authenticatorFlow": false,
+          "requirement": "ALTERNATIVE",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticatorFlow": true,
+          "requirement": "ALTERNATIVE",
+          "priority": 20,
+          "autheticatorFlow": true,
+          "flowAlias": "Handle Existing Account",
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "acc44799-a775-433e-b20f-0e5473df1f2a",
+      "alias": "Verify Existing Account by Re-authentication",
+      "description": "Reauthentication of existing account",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "idp-username-password-form",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticatorFlow": true,
+          "requirement": "CONDITIONAL",
+          "priority": 20,
+          "autheticatorFlow": true,
+          "flowAlias": "First broker login - Conditional OTP",
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "b5c47f32-f572-4a59-bbd9-95cfa242b680",
+      "alias": "browser",
+      "description": "browser based authentication",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "auth-cookie",
+          "authenticatorFlow": false,
+          "requirement": "ALTERNATIVE",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "auth-spnego",
+          "authenticatorFlow": false,
+          "requirement": "DISABLED",
+          "priority": 20,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "identity-provider-redirector",
+          "authenticatorFlow": false,
+          "requirement": "ALTERNATIVE",
+          "priority": 25,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticatorFlow": true,
+          "requirement": "ALTERNATIVE",
+          "priority": 30,
+          "autheticatorFlow": true,
+          "flowAlias": "forms",
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "1b0f26df-6272-43fd-8645-f8f3235733c9",
+      "alias": "clients",
+      "description": "Base authentication for clients",
+      "providerId": "client-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "client-secret",
+          "authenticatorFlow": false,
+          "requirement": "ALTERNATIVE",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "client-jwt",
+          "authenticatorFlow": false,
+          "requirement": "ALTERNATIVE",
+          "priority": 20,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "client-secret-jwt",
+          "authenticatorFlow": false,
+          "requirement": "ALTERNATIVE",
+          "priority": 30,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "client-x509",
+          "authenticatorFlow": false,
+          "requirement": "ALTERNATIVE",
+          "priority": 40,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "54cedac9-a26e-4042-af0b-e489bbe20028",
+      "alias": "direct grant",
+      "description": "OpenID Connect Resource Owner Grant",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "direct-grant-validate-username",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "direct-grant-validate-password",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticatorFlow": true,
+          "requirement": "CONDITIONAL",
+          "priority": 30,
+          "autheticatorFlow": true,
+          "flowAlias": "Direct Grant - Conditional OTP",
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "fc8a4081-14cf-441b-b32e-b777a6c099c3",
+      "alias": "docker auth",
+      "description": "Used by Docker clients to authenticate against the IDP",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "docker-http-basic-authenticator",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "0622b1f0-60fe-47c9-bdc0-46a07f046d89",
+      "alias": "first broker login",
+      "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticatorConfig": "review profile config",
+          "authenticator": "idp-review-profile",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticatorFlow": true,
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "autheticatorFlow": true,
+          "flowAlias": "User creation or linking",
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "7e270b16-443d-4245-8acf-3efeff61bb20",
+      "alias": "forms",
+      "description": "Username, password, otp and other auth forms.",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "auth-username-password-form",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticatorFlow": true,
+          "requirement": "CONDITIONAL",
+          "priority": 20,
+          "autheticatorFlow": true,
+          "flowAlias": "Browser - Conditional OTP",
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "7b53ff6a-c58b-4502-8cd8-2c1ac07b6559",
+      "alias": "http challenge",
+      "description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "no-cookie-redirect",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticatorFlow": true,
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "autheticatorFlow": true,
+          "flowAlias": "Authentication Options",
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "36dcec4a-2aa0-4034-a71e-4121ad489d4f",
+      "alias": "registration",
+      "description": "registration flow",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "registration-page-form",
+          "authenticatorFlow": true,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": true,
+          "flowAlias": "registration form",
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "7953629c-bbb1-450e-a8bf-0c8230c86f35",
+      "alias": "registration form",
+      "description": "registration form",
+      "providerId": "form-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "registration-user-creation",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "registration-profile-action",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 40,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "registration-password-action",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 50,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "registration-recaptcha-action",
+          "authenticatorFlow": false,
+          "requirement": "DISABLED",
+          "priority": 60,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "682e128e-b00c-46d1-b5e0-0f2e83c70e0c",
+      "alias": "reset credentials",
+      "description": "Reset credentials for a user if they forgot their password or something",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "reset-credentials-choose-user",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "reset-credential-email",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticator": "reset-password",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 30,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        },
+        {
+          "authenticatorFlow": true,
+          "requirement": "CONDITIONAL",
+          "priority": 40,
+          "autheticatorFlow": true,
+          "flowAlias": "Reset - Conditional OTP",
+          "userSetupAllowed": false
+        }
+      ]
+    },
+    {
+      "id": "85504ca7-485f-40c9-b093-c286fc8ae9cf",
+      "alias": "saml ecp",
+      "description": "SAML ECP Profile Authentication Flow",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "http-basic-authenticator",
+          "authenticatorFlow": false,
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "autheticatorFlow": false,
+          "userSetupAllowed": false
+        }
+      ]
+    }
+  ],
+  "authenticatorConfig": [
+    {
+      "id": "9942228c-2408-4783-b209-d739b7b5f144",
+      "alias": "create unique user config",
+      "config": {
+        "require.password.update.after.registration": "false"
+      }
+    },
+    {
+      "id": "c90c245d-e7e4-4ba2-89bd-40db9898824b",
+      "alias": "review profile config",
+      "config": {
+        "update.profile.on.first.login": "missing"
+      }
+    }
+  ],
+  "requiredActions": [
+    {
+      "alias": "CONFIGURE_TOTP",
+      "name": "Configure OTP",
+      "providerId": "CONFIGURE_TOTP",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 10,
+      "config": {}
+    },
+    {
+      "alias": "terms_and_conditions",
+      "name": "Terms and Conditions",
+      "providerId": "terms_and_conditions",
+      "enabled": false,
+      "defaultAction": false,
+      "priority": 20,
+      "config": {}
+    },
+    {
+      "alias": "UPDATE_PASSWORD",
+      "name": "Update Password",
+      "providerId": "UPDATE_PASSWORD",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 30,
+      "config": {}
+    },
+    {
+      "alias": "UPDATE_PROFILE",
+      "name": "Update Profile",
+      "providerId": "UPDATE_PROFILE",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 40,
+      "config": {}
+    },
+    {
+      "alias": "VERIFY_EMAIL",
+      "name": "Verify Email",
+      "providerId": "VERIFY_EMAIL",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 50,
+      "config": {}
+    },
+    {
+      "alias": "delete_account",
+      "name": "Delete Account",
+      "providerId": "delete_account",
+      "enabled": false,
+      "defaultAction": false,
+      "priority": 60,
+      "config": {}
+    },
+    {
+      "alias": "update_user_locale",
+      "name": "Update User Locale",
+      "providerId": "update_user_locale",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 1000,
+      "config": {}
+    }
+  ],
+  "browserFlow": "browser",
+  "registrationFlow": "registration",
+  "directGrantFlow": "direct grant",
+  "resetCredentialsFlow": "reset credentials",
+  "clientAuthenticationFlow": "clients",
+  "dockerAuthenticationFlow": "docker auth",
+  "attributes": {
+    "cibaBackchannelTokenDeliveryMode": "poll",
+    "cibaExpiresIn": "120",
+    "cibaAuthRequestedUserHint": "login_hint",
+    "oauth2DeviceCodeLifespan": "600",
+    "clientOfflineSessionMaxLifespan": "0",
+    "oauth2DevicePollingInterval": "5",
+    "clientSessionIdleTimeout": "0",
+    "userProfileEnabled": "false",
+    "parRequestUriLifespan": "60",
+    "clientSessionMaxLifespan": "0",
+    "clientOfflineSessionIdleTimeout": "0",
+    "cibaInterval": "5"
+  },
+  "keycloakVersion": "18.0.2",
+  "userManagedAccessAllowed": true,
+  "clientProfiles": {
+    "profiles": []
+  },
+  "clientPolicies": {
+    "policies": []
+  }
+}
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/ethereal/MakeList.java b/src/main/java/com/ebremer/ethereal/MakeList.java
index 72d434c3..22a85982 100644
--- a/src/main/java/com/ebremer/ethereal/MakeList.java
+++ b/src/main/java/com/ebremer/ethereal/MakeList.java
@@ -1,7 +1,3 @@
-/*
- * Click nbfs://nbhost/SystemFileSystem/Templates/Licenses/license-default.txt to change this license
- * Click nbfs://nbhost/SystemFileSystem/Templates/Classes/Class.java to edit this template
- */
 package com.ebremer.ethereal;
 
 import java.util.LinkedList;
diff --git a/src/main/java/com/ebremer/ethereal/RDFRenderer.java b/src/main/java/com/ebremer/ethereal/RDFRenderer.java
index b0e5a422..c621f9d9 100644
--- a/src/main/java/com/ebremer/ethereal/RDFRenderer.java
+++ b/src/main/java/com/ebremer/ethereal/RDFRenderer.java
@@ -1,7 +1,3 @@
-/*
- * Click nbfs://nbhost/SystemFileSystem/Templates/Licenses/license-default.txt to change this license
- * Click nbfs://nbhost/SystemFileSystem/Templates/Classes/Class.java to edit this template
- */
 package com.ebremer.ethereal;
 
 import org.apache.jena.graph.Node;
diff --git a/src/main/java/com/ebremer/halcyon/datum/DataCore.java b/src/main/java/com/ebremer/halcyon/datum/DataCore.java
index 7fbd18dd..b6f99972 100644
--- a/src/main/java/com/ebremer/halcyon/datum/DataCore.java
+++ b/src/main/java/com/ebremer/halcyon/datum/DataCore.java
@@ -2,6 +2,7 @@
 
 import com.ebremer.halcyon.fuseki.SPARQLEndPoint;
 import com.ebremer.halcyon.HalcyonSettings;
+import static com.ebremer.halcyon.datum.DataCore.Level.CLOSED;
 import com.ebremer.halcyon.filesystem.FileManager;
 import org.apache.jena.query.Dataset;
 import org.apache.jena.query.DatasetFactory;
@@ -24,6 +25,7 @@ public class DataCore {
     private static DataCore core = null;
     private static Dataset ds = null;
     private static HalcyonSettings hs = null;
+    public static enum Level { CLOSED, OPEN };
 
     private DataCore() {
         hs = HalcyonSettings.getSettings();
@@ -46,7 +48,11 @@ public synchronized void shutdown() {
 
     
     public Dataset getSecuredDataset() {
-        return DatasetFactory.wrap(new SecuredDatasetGraph(getDataset().asDatasetGraph(), new WACSecurityEvaluator()));
+        return DatasetFactory.wrap(new SecuredDatasetGraph(getDataset().asDatasetGraph(), new WACSecurityEvaluator(CLOSED)));
+    }
+
+    public Dataset getSecuredDataset(Level level) {
+        return DatasetFactory.wrap(new SecuredDatasetGraph(getDataset().asDatasetGraph(), new WACSecurityEvaluator(level)));
     }
     
     public void replaceNamedGraph(Resource k, Model m) {
diff --git a/src/main/java/com/ebremer/halcyon/datum/HalcyonPrincipal.java b/src/main/java/com/ebremer/halcyon/datum/HalcyonPrincipal.java
index 419b68f4..6e033fd7 100644
--- a/src/main/java/com/ebremer/halcyon/datum/HalcyonPrincipal.java
+++ b/src/main/java/com/ebremer/halcyon/datum/HalcyonPrincipal.java
@@ -1,8 +1,14 @@
 package com.ebremer.halcyon.datum;
 
+import com.ebremer.halcyon.fuseki.shiro.JwtToken;
+import com.ebremer.halcyon.fuseki.shiro.JwtVerifier;
+import com.ebremer.halcyon.fuseki.shiro.KeycloakPublicKeyFetcher;
+import com.ebremer.ns.HAL;
 import io.jsonwebtoken.Claims;
 import java.io.Serializable;
 import java.security.Principal;
+import java.security.PublicKey;
+import java.util.ArrayList;
 
 /**
  *
@@ -11,36 +17,91 @@
 public class HalcyonPrincipal implements Principal, Serializable {
     private final String uuid;
     private String webid;
-    private boolean anonymous;
-    
+    private final boolean anonymous;
+    private String name = "Anonymous User";
+    private String token;
+    private String lastname;
+    private String firstname;
+    private ArrayList<String> groups;
+ 
+   
     public HalcyonPrincipal(String uuid, boolean anonymous) {
         this.uuid = uuid;
+        System.out.println("BUUID --> "+uuid);
         this.anonymous = anonymous;
+        groups = new ArrayList<>();
+        groups.add(HAL.Anonymous.toString());
     }
     
-    public HalcyonPrincipal(Claims claims) {
-        uuid = "urn:uuid:"+claims.getId();
-        this.anonymous = false;
+    public HalcyonPrincipal(JwtToken jwttoken, boolean anonymous) {
+        this.token = (String) jwttoken.getCredentials();
+        Claims claims = getClaims(token);
+        //claims.keySet().forEach(k->{
+          //  System.out.println("CLAIM : "+k+" ==== "+claims.get(k));
+        //});
+        uuid = "urn:uuid:"+claims.get("sub");
+        //System.out.println("AUUID --> "+uuid);
+        this.anonymous = anonymous;
+        /*
+        claims.keySet().forEach(f->{
+            System.out.println("CLAIM : "+f+" ===> "+claims.get(f));
+        });
+*/
+        if (claims.keySet().contains("family_name")) {
+            lastname = (String) claims.get("family_name");
+        } else {
+            lastname = "";
+        }
+        if (claims.keySet().contains("given_name")) {
+            firstname = (String) claims.get("given_name");
+        } else {
+            firstname = "";
+        }
+        if (claims.keySet().contains("HalcyonGroups")) {
+           // Object wow = claims.get("HalcyonGroups");
+            //System.out.println("HalcyonGroups : "+wow.getClass().toGenericString());
+            groups = (ArrayList) claims.get("HalcyonGroups");
+        } else {
+            firstname = "";
+        }
+        if (!anonymous) {
+            name = firstname+" "+lastname;
+        }
+    }
+    
+    private Claims getClaims(String tokenx) {
+        PublicKey publicKey = KeycloakPublicKeyFetcher.getKeycloakPublicKeyFetcher().getPublicKey();
+        Claims claimsx = null;
+        try {
+            claimsx = new JwtVerifier(publicKey).verify(tokenx);
+        } catch (Exception ex) {
+            System.out.println(ex.toString());
+        }
+        return claimsx;
     }
 
     public String getURNUUID() {
         return uuid;
     }
     
+    public String getToken() {
+        return token;
+    }
+    
     public boolean isAnon() {
         return anonymous;
     }
     
-    public void setAnonymous(boolean anonymous) {
-        this.anonymous = anonymous;
+    public String getWebID() {
+        return webid;
     }
     
-    public String getWebID2() {
-        return webid;
+    public ArrayList getGroups() {
+        return groups;
     }
 
     @Override
     public String getName() {
-        return "Erich Bremer";
+        return name;
     }
 }
diff --git a/src/main/java/com/ebremer/halcyon/datum/Patterns.java b/src/main/java/com/ebremer/halcyon/datum/Patterns.java
index 986eb775..7cc789a1 100644
--- a/src/main/java/com/ebremer/halcyon/datum/Patterns.java
+++ b/src/main/java/com/ebremer/halcyon/datum/Patterns.java
@@ -1,6 +1,7 @@
 package com.ebremer.halcyon.datum;
 
 import com.ebremer.ethereal.MakeList;
+import static com.ebremer.halcyon.datum.DataCore.Level.OPEN;
 import com.ebremer.ns.HAL;
 import java.util.List;
 import org.apache.jena.graph.Node;
@@ -11,6 +12,8 @@
 import org.apache.jena.query.ReadWrite;
 import org.apache.jena.query.ResultSet;
 import org.apache.jena.rdf.model.Model;
+import org.apache.jena.riot.Lang;
+import org.apache.jena.riot.RDFDataMgr;
 import org.apache.jena.vocabulary.SchemaDO;
 
 /**
@@ -42,12 +45,12 @@ public static List<Node> getCollectionList(Model m) {
         """);
         pss.setNsPrefix("hal", HAL.NS);
         pss.setNsPrefix("so", SchemaDO.NS);
-        Dataset ds = DataCore.getInstance().getSecuredDataset();
+        //Dataset ds = DataCore.getInstance().getSecuredDataset(OPEN);
         QueryExecution qe = QueryExecutionFactory.create(pss.toString(), m);
-        ds.begin(ReadWrite.READ);
+        //ds.begin(ReadWrite.READ);
         ResultSet rs = qe.execSelect();
         List<Node> list = MakeList.Of(rs, "s");
-        ds.end();
+        //ds.end();
         return list;
     }
     
@@ -58,9 +61,10 @@ public static List<Node> getCollectionList(Dataset ds) {
         """);
         pss.setNsPrefix("hal", HAL.NS);
         pss.setNsPrefix("so", SchemaDO.NS);
+        System.out.println(pss.toString());
         QueryExecution qe = QueryExecutionFactory.create(pss.toString(), ds);
         ds.begin(ReadWrite.READ);
-        ResultSet rs = qe.execSelect();
+        ResultSet rs = qe.execSelect().materialise();
         List<Node> list = MakeList.Of(rs, "s");
         ds.end();
         return list;
@@ -73,11 +77,13 @@ public static Model getCollectionRDF() {
         """);
         pss.setNsPrefix("hal", HAL.NS);
         pss.setNsPrefix("so", SchemaDO.NS);
-        Dataset ds = DataCore.getInstance().getSecuredDataset();
+        System.out.println("getCollectionRDF()\n"+pss.toString());
+        Dataset ds = DataCore.getInstance().getSecuredDataset(OPEN);
         QueryExecution qe = QueryExecutionFactory.create(pss.toString(), ds);
         ds.begin(ReadWrite.READ);
         Model m = qe.execConstruct();
         ds.end();
+        RDFDataMgr.write(System.out, m, Lang.TURTLE);
         return m;
     }
 }
diff --git a/src/main/java/com/ebremer/halcyon/datum/SecuredDatasetGraph.java b/src/main/java/com/ebremer/halcyon/datum/SecuredDatasetGraph.java
index 79469fc2..6fb32c4e 100644
--- a/src/main/java/com/ebremer/halcyon/datum/SecuredDatasetGraph.java
+++ b/src/main/java/com/ebremer/halcyon/datum/SecuredDatasetGraph.java
@@ -46,7 +46,6 @@ private List<Node> getBaseGraphNodes() {
     
     private boolean hasReadAccess(Node node) {
         return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), SecurityEvaluator.Action.Read, node);
-        //return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), SecurityEvaluator.Action.Read, node);
     }
 
     @Override
@@ -73,7 +72,7 @@ public Graph getGraph(Node graphNode) {
 
     @Override
     public Graph getUnionGraph() {
-        throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+        throw new UnsupportedOperationException("Not supported yet.");
     }
 
     @Override
@@ -87,7 +86,7 @@ public void addGraph(Node node, Graph graph) {
         if (HalSec.canCreateCollection(hp.getURNUUID())) {
             base.addGraph(node, graph);
         } else {
-            throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+            throw new UnsupportedOperationException("Not supported yet.");
         }
     }
 
@@ -145,7 +144,7 @@ public void delete(Node g, Node s, Node p, Node o) {
 
     @Override
     public void deleteAny(Node node, Node node1, Node node2, Node node3) {
-        throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+        throw new UnsupportedOperationException("Not supported yet.");
     }
 
     @Override
@@ -228,7 +227,7 @@ public Context getContext() {
 
     @Override
     public long size() {
-        throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+        throw new UnsupportedOperationException("Not supported yet.");
     }
 
     @Override
@@ -302,6 +301,6 @@ public void add(Node g, Node s, Node p, Node o) {
 
     @Override
     public void setDefaultGraph(Graph g) {
-        throw new UnsupportedOperationException("Not supported yet."); // Generated from nbfs://nbhost/SystemFileSystem/Templates/Classes/Code/GeneratedMethodBody
+        throw new UnsupportedOperationException("Not supported yet.");
     }
 }
diff --git a/src/main/java/com/ebremer/halcyon/datum/WACSecurityEvaluator.java b/src/main/java/com/ebremer/halcyon/datum/WACSecurityEvaluator.java
index 4b9f091a..482c94d5 100644
--- a/src/main/java/com/ebremer/halcyon/datum/WACSecurityEvaluator.java
+++ b/src/main/java/com/ebremer/halcyon/datum/WACSecurityEvaluator.java
@@ -1,8 +1,10 @@
 package com.ebremer.halcyon.datum;
 
+import com.ebremer.halcyon.datum.DataCore.Level;
+import static com.ebremer.halcyon.datum.DataCore.Level.OPEN;
+import com.ebremer.halcyon.fuseki.shiro.JwtToken;
 import com.ebremer.halcyon.gui.HalcyonSession;
 import com.ebremer.ns.HAL;
-import io.jsonwebtoken.Claims;
 import java.security.Principal;
 import java.util.HashMap;
 import java.util.Set;
@@ -15,8 +17,8 @@
 import org.apache.jena.query.ReadWrite;
 import org.apache.jena.rdf.model.Model;
 import org.apache.jena.rdf.model.ModelFactory;
+import org.apache.jena.rdf.model.Resource;
 import org.apache.jena.shared.AuthenticationRequiredException;
-import org.apache.jena.vocabulary.RDF;
 import org.apache.jena.vocabulary.SchemaDO;
 import org.apache.jena.vocabulary.WAC;
 import org.apache.shiro.SecurityUtils;
@@ -29,12 +31,14 @@
 public class WACSecurityEvaluator implements SecurityEvaluator {
     private final Model secm;
     private final HashMap<Node,HashMap> cache;
+    private final Level level;
     
-    public WACSecurityEvaluator() {
-        DataCore dc = DataCore.getInstance();
+    public WACSecurityEvaluator(Level level) {
+        this.level = level;
+        System.out.println("==================================== WACSecurityEvaluator ======================================================");
         cache = new HashMap<>();
         secm = ModelFactory.createDefaultModel();
-        Dataset ds = dc.getDataset();
+        Dataset ds = DataCore.getInstance().getDataset();
         ds.begin(ReadWrite.READ);
         secm.add(ds.getNamedModel(HAL.SecurityGraph.getURI()));
         secm.add(ds.getNamedModel(HAL.CollectionsAndResources.getURI()));
@@ -49,9 +53,12 @@ public Model getSecurityModel() {
     @Override
     public boolean evaluate(Object principal, Action action, Node graphIRI) {
         HalcyonPrincipal hp = (HalcyonPrincipal) principal;
-        if (graphIRI.matches(HAL.CollectionsAndResources.asNode())) {
-            return true;
+        if (level == OPEN) {
+            if (graphIRI.matches(HAL.CollectionsAndResources.asNode())) {
+                return true;
+            }
         }
+         /*
         if (cache.containsKey(graphIRI)) {
             if (cache.get(graphIRI).containsKey(action)) {
                 return true;
@@ -59,6 +66,7 @@ public boolean evaluate(Object principal, Action action, Node graphIRI) {
         }
         HashMap<Action,Boolean> set = new HashMap<>();
         cache.put(graphIRI, set);
+*/
         ParameterizedSparqlString pss = new ParameterizedSparqlString("""
             ASK {?rule acl:accessTo/so:hasPart* ?target;
                        acl:mode ?mode;
@@ -73,7 +81,8 @@ public boolean evaluate(Object principal, Action action, Node graphIRI) {
         pss.setIri("mode", WACUtil.WAC(action));
         pss.setIri("member", hp.getURNUUID());
         boolean ha = QueryExecutionFactory.create(pss.toString(), secm).execAsk();
-        set.put(action, ha);
+      //  set.put(action, ha);
+      //System.out.println(graphIRI+" ---> "+ha);
         return ha;
     }
     
@@ -118,13 +127,21 @@ public boolean evaluateUpdate(Object principal, Node graphIRI, Triple from, Trip
     @Override
     public Principal getPrincipal() {
         try {
-            Claims dc = (Claims) SecurityUtils.getSubject().getPrincipal();
-  //          System.out.println(dc.getId());
-            return new HalcyonPrincipal(dc);
+            Subject subject = SecurityUtils.getSubject();
+            JwtToken jwttoken = (JwtToken) subject.getPrincipal();
+            //Claims dc = (Claims) SecurityUtils.getSubject().getPrincipal();
+            return new HalcyonPrincipal(jwttoken,false);
         } catch (org.apache.shiro.UnavailableSecurityManagerException ex) {
-            //System.out.println(ex.toString());
+            // assume and try for a Keycloak Servlet Filter Auth
+        }
+        HalcyonPrincipal p = HalcyonSession.get().getHalcyonPrincipal();
+        if (p.isAnon()) {
+            Resource au = secm.createResource(p.getURNUUID());
+            Resource as = secm.createResource(HAL.Anonymous.toString()).addProperty(SchemaDO.member,au);
+            au.addProperty(SchemaDO.memberOf, as);
         }
-        return HalcyonSession.get().getHalcyonPrincipal();
+        //System.out.println("PRINCIPAL --> "+p.getURNUUID());
+        return p;
     }
 
     @Override
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/SPARQLEndPoint.java b/src/main/java/com/ebremer/halcyon/fuseki/SPARQLEndPoint.java
index 5d8f4a6d..9296df59 100644
--- a/src/main/java/com/ebremer/halcyon/fuseki/SPARQLEndPoint.java
+++ b/src/main/java/com/ebremer/halcyon/fuseki/SPARQLEndPoint.java
@@ -40,6 +40,7 @@ private SPARQLEndPoint() {
         filter.setConfig(config);
         server = FusekiServer.create()
             .add("/rdf", DataCore.getInstance().getSecuredDataset())
+            //.add("/rdf", DataCore.getInstance().getDataset())
            // .loopback(true)
           //  .securityHandler(new HalcyonSecurityHandler())
             
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/GetPublicKey.java b/src/main/java/com/ebremer/halcyon/fuseki/jwt/GetPublicKey.java
deleted file mode 100644
index deacac8e..00000000
--- a/src/main/java/com/ebremer/halcyon/fuseki/jwt/GetPublicKey.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Click nbfs://nbhost/SystemFileSystem/Templates/Licenses/license-default.txt to change this license
- * Click nbfs://nbhost/SystemFileSystem/Templates/Classes/Class.java to edit this template
- */
-package com.ebremer.halcyon.fuseki.jwt;
-
-import com.ebremer.halcyon.HalcyonSettings;
-import jakarta.json.Json;
-import jakarta.json.JsonObject;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.StringReader;
-import java.net.URL;
-import java.nio.charset.StandardCharsets;
-import java.security.KeyFactory;
-import java.security.NoSuchAlgorithmException;
-import java.security.PublicKey;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.X509EncodedKeySpec;
-import java.util.Base64;
-
-/**
- *
- * @author erich
- */
-public class GetPublicKey {
-    private String oidcConfigurationUrl = "http://localhost:"+HalcyonSettings.getSettings().GetHostPort() + "/auth/realms/master/.well-known/openid-configuration";
-    private PublicKey publicKey;
-    
-    public GetPublicKey() {
-        try {
-            publicKey = fetchPublicKeyFromKeycloak();
-        } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e) {
-            throw new RuntimeException("Error fetching public key from Keycloak server", e);
-        }
-    }
-    
-    public PublicKey getPublicKey() {
-        return publicKey;
-    }
-    
-    private PublicKey fetchPublicKeyFromKeycloak() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
-        InputStream inputStream = new URL(oidcConfigurationUrl).openStream();
-        String oidcConfiguration = new String(inputStream.readAllBytes(), StandardCharsets.UTF_8);
-        JsonObject configJson = Json.createReader(new StringReader(oidcConfiguration)).readObject();
-
-        String jwksUrl = configJson.getString("jwks_uri");
-        inputStream = new URL(jwksUrl).openStream();
-        String jwksJson = new String(inputStream.readAllBytes(), StandardCharsets.UTF_8);
-        JsonObject jwks = Json.createReader(new StringReader(jwksJson)).readObject();
-
-        String publicKeyPem = jwks.getJsonArray("keys").getJsonObject(0).getJsonArray("x5c").getString(0);
-        String publicKeyDer = "-----BEGIN CERTIFICATE-----\n" + publicKeyPem + "\n-----END CERTIFICATE-----";
-        publicKeyDer = publicKeyDer.replace("-----BEGIN CERTIFICATE-----\n", "").replace("\n-----END CERTIFICATE-----", "");
-        byte[] publicKeyBytes = Base64.getDecoder().decode(publicKeyDer);
-        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
-        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
-        return keyFactory.generatePublic(keySpec);
-    }
-    
-}
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/Test.java b/src/main/java/com/ebremer/halcyon/fuseki/jwt/Test.java
deleted file mode 100644
index a105b229..00000000
--- a/src/main/java/com/ebremer/halcyon/fuseki/jwt/Test.java
+++ /dev/null
@@ -1,30 +0,0 @@
-package com.ebremer.halcyon.fuseki.jwt;
-
-import io.jsonwebtoken.Jwts;
-import java.security.PublicKey;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.subject.Subject;
-
-/**
- *
- * @author erich
- */
-public class Test {
-    public static void main(String[] args) {
-        try {
-            Subject subject = SecurityUtils.getSubject();
-        } catch (org.apache.shiro.UnavailableSecurityManagerException ex) {
-            System.out.println(ex.toString());
-        }
-        //String jwt = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJVNk1TS0gyZmxSS3ZPVGs0OUtFeUVmZmVlNG5Oc2l3YUVZUTZDNmhNS1c0In0.eyJleHAiOjE2ODAzNzQ2NDIsImlhdCI6MTY4MDM3NDU4MiwiYXV0aF90aW1lIjoxNjgwMzc0NTgyLCJqdGkiOiI5NGFhZjQ2NS1lMWU3LTQ0YzgtYmE5Ny1hZDE1ZmFmMDgxOTMiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0Ojg4ODgvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoibWFzdGVyLXJlYWxtIiwic3ViIjoiYTQ2NGNmMmQtNjJjMy00MzkzLTk0NzctNDU1NjZhM2NmYmU1IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWNjb3VudCIsInNlc3Npb25fc3RhdGUiOiI3NDQxM2RkZi1jNzc3LTRiZDItYThiZS1iOGZlMGNiMTczYmUiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiY3JlYXRlLXJlYWxtIiwiYWRtaW4iXX0sInJlc291cmNlX2FjY2VzcyI6eyJtYXN0ZXItcmVhbG0iOnsicm9sZXMiOlsidmlldy1yZWFsbSIsInZpZXctaWRlbnRpdHktcHJvdmlkZXJzIiwibWFuYWdlLWlkZW50aXR5LXByb3ZpZGVycyIsImltcGVyc29uYXRpb24iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwicXVlcnktcmVhbG1zIiwidmlldy1hdXRob3JpemF0aW9uIiwicXVlcnktY2xpZW50cyIsInF1ZXJ5LXVzZXJzIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiLCJxdWVyeS1ncm91cHMiXX19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwic2lkIjoiNzQ0MTNkZGYtYzc3Ny00YmQyLWE4YmUtYjhmZTBjYjE3M2JlIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoiTWlzdGVyIFNwb2NrIiwiZ3JvdXBzIjpbImNyZWF0ZS1yZWFsbSIsImFkbWluIl0sIkhhbGN5b25Hcm91cHMiOlsiL2FkbWluIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZ2l2ZW5fbmFtZSI6Ik1pc3RlciIsImZhbWlseV9uYW1lIjoiU3BvY2sifQ.Jv8uM9jnNkh2r7wVWcReVorxowZHaHfSVgP3gRKLlV8e2vPBf7HE2OpTGffGiXVuJXxFVaY8ExbJ469g7jSIVhPgqZvPqw9sR2YrbhoUIXNuTNWTgK7HfbI8xxiaNzXkxc2G__prltOEGURtHK_Q2XwQjsdct_X8peSTWq6AZnFTqEf3cuVyOBOXQlvUGVr_1vhe8qZ_1QSAOins1Pc4zA7KBrOAWRQHn20qmMkR0Et4K6a62iZoIx36sSuwssegS2iM4RRgrtdKlB7p8B0Lrbj4PPU02QVhfSas900QgQ4Sm2Zx6r9COzXKdEevJr6-NduB9uWWDGbfdTqj7XtJmA";
-        //String jwt = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJVNk1TS0gyZmxSS3ZPVGs0OUtFeUVmZmVlNG5Oc2l3YUVZUTZDNmhNS1c0In0.eyJleHAiOjE2ODA1NDYyMDQsImlhdCI6MTY4MDU0NjE0NCwiYXV0aF90aW1lIjoxNjgwNTQ2MTQ0LCJqdGkiOiJiZWMxMTRkMi1lMzFjLTRjYTUtOGI2ZC01YjczYmNkN2RlNmQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0Ojg4ODgvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoibWFzdGVyLXJlYWxtIiwic3ViIjoiYTQ2NGNmMmQtNjJjMy00MzkzLTk0NzctNDU1NjZhM2NmYmU1IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWNjb3VudCIsInNlc3Npb25fc3RhdGUiOiI3YWZlNmI1Yi03Y2JiLTQxOWQtOThiMy04NDZmMGFhMDhkNzciLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiY3JlYXRlLXJlYWxtIiwiYWRtaW4iXX0sInJlc291cmNlX2FjY2VzcyI6eyJtYXN0ZXItcmVhbG0iOnsicm9sZXMiOlsidmlldy1yZWFsbSIsInZpZXctaWRlbnRpdHktcHJvdmlkZXJzIiwibWFuYWdlLWlkZW50aXR5LXByb3ZpZGVycyIsImltcGVyc29uYXRpb24iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwicXVlcnktcmVhbG1zIiwidmlldy1hdXRob3JpemF0aW9uIiwicXVlcnktY2xpZW50cyIsInF1ZXJ5LXVzZXJzIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiLCJxdWVyeS1ncm91cHMiXX19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwic2lkIjoiN2FmZTZiNWItN2NiYi00MTlkLTk4YjMtODQ2ZjBhYTA4ZDc3IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoiTWlzdGVyIFNwb2NrIiwiZ3JvdXBzIjpbImNyZWF0ZS1yZWFsbSIsImFkbWluIl0sIkhhbGN5b25Hcm91cHMiOlsiL2FkbWluIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZ2l2ZW5fbmFtZSI6Ik1pc3RlciIsImZhbWlseV9uYW1lIjoiU3BvY2sifQ.GnT3eqDnIeQJtx7vAptoXoVSJ__7FfiWZN9bROheZB5_7zLalZdYuBgeMqNZ5eCVuYTTzEdK_cpHtxmcb0Tmidel5CzJdudoycHDHlTpzylMgta7740qS0kPLQV9dOPEt3xoRDmUA4D9NhvoKWH6pTdXvyql22eHUAIoJ-POgCuuEmZ6x80HmQRHntRXtUma391asqiDWfkMbyBpyE3ASvzYsmIVww0AvhfWsWIfoSunm2aDGGMwAXyzJMPsCxFac63UtqxQ0qvFSpqzvz9GIV46UleziRZ_63MBfqxBiKG6QCfl3GsRY45qIe5iF_i_Be4_y8HHk1WEesq-k4YNTA";
-        String jwt = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJVNk1TS0gyZmxSS3ZPVGs0OUtFeUVmZmVlNG5Oc2l3YUVZUTZDNmhNS1c0In0.eyJleHAiOjE2ODA1NDYyMDQsImlhdCI6MTY4MDU0NjE0NCwiYXV0aF90aW1lIjoxNjgwNTQ2MTQ0LCJqdGkiOiJiZWMxMTRkMi1lMzFjLTRjYTUtOGI2ZC01YjczYmNkN2RlNmQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0Ojg4ODgvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoibWFzdGVyLXJlYWxtIiwic3ViIjoiYTQ2NGNmMmQtNjJjMy00MzkzLTk0NzctNDU1NjZhM2NmYmU1IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWNjb3VudCIsInNlc3Npb25fc3RhdGUiOiI3YWZlNmI1Yi03Y2JiLTQxOWQtOThiMy04NDZmMGFhMDhkNzciLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiY3JlYXRlLXJlYWxtIiwiYWRtaW4iXX0sInJlc291cmNlX2FjY2VzcyI6eyJtYXN0ZXItcmVhbG0iOnsicm9sZXMiOlsidmlldy1yZWFsbSIsInZpZXctaWRlbnRpdHktcHJvdmlkZXJzIiwibWFuYWdlLWlkZW50aXR5LXByb3ZpZGVycyIsImltcGVyc29uYXRpb24iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwicXVlcnktcmVhbG1zIiwidmlldy1hdXRob3JpemF0aW9uIiwicXVlcnktY2xpZW50cyIsInF1ZXJ5LXVzZXJzIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiLCJxdWVyeS1ncm91cHMiXX19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwic2lkIjoiN2FmZTZiNWItN2NiYi00MTlkLTk4YjMtODQ2ZjBhYTA4ZDc3IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoiTWlzdGVyIFNwb2NrIiwiZ3JvdXBzIjpbImNyZWF0ZS1yZWFsbSIsImFkbWluIl0sIkhhbGN5b25Hcm91cHMiOlsiL2FkbWluIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZ2l2ZW5fbmFtZSI6Ik1pc3RlciIsImZhbWlseV9uYW1lIjoiU3BvY2sifQ.GnT3eqDnIeQJtx7vAptoXoVSJ__7FfiWZN9bROheZB5_7zLalZdYuBgeMqNZ5eCVuYTTzEdK_cpHtxmcb0Tmidel5CzJdudoycHDHlTpzylMgta7740qS0kPLQV9dOPEt3xoRDmUA4D9NhvoKWH6pTdXvyql22eHUAIoJ-POgCuuEmZ6x80HmQRHntRXtUma391asqiDWfkMbyBpyE3ASvzYsmIVww0AvhfWsWIfoSunm2aDGGMwAXyzJMPsCxFac63UtqxQ0qvFSpqzvz9GIV46UleziRZ_63MBfqxBiKG6QCfl3GsRY45qIe5iF_i_Be4_y8HHk1WEesq-k4YNTA";
-        PublicKey pk = KeycloakPublicKeyFetcher.getKeycloakPublicKeyFetcher().getPublicKey();
-        Jwts.parserBuilder()
-                .setSigningKey(pk)
-                .setAllowedClockSkewSeconds(600)
-                .build()
-                .parseClaimsJws(jwt);
-    }
-    
-}
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtAuthenticatingFilter.java b/src/main/java/com/ebremer/halcyon/fuseki/shiro/JwtAuthenticatingFilter.java
similarity index 50%
rename from src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtAuthenticatingFilter.java
rename to src/main/java/com/ebremer/halcyon/fuseki/shiro/JwtAuthenticatingFilter.java
index 65a685a2..565605b6 100644
--- a/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtAuthenticatingFilter.java
+++ b/src/main/java/com/ebremer/halcyon/fuseki/shiro/JwtAuthenticatingFilter.java
@@ -1,23 +1,32 @@
-package com.ebremer.halcyon.fuseki.jwt;
+package com.ebremer.halcyon.fuseki.shiro;
 
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.core.HttpHeaders;
 
 public class JwtAuthenticatingFilter extends AuthenticatingFilter {
-    private static final String TOKEN_HEADER = "token";
 
     @Override
     protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) throws Exception {
+        //System.out.println("createToken(ServletRequest request, ServletResponse response)");
         HttpServletRequest httpRequest = (HttpServletRequest) request;
-        String jwt = httpRequest.getHeader(TOKEN_HEADER);
-        return new JwtToken(jwt);
+        String jwt = httpRequest.getHeader(HttpHeaders.AUTHORIZATION);
+        if (jwt!=null) {
+            if (jwt.substring(0, "Bearer ".length()).equals("Bearer ")) {
+                jwt = jwt.substring("Bearer ".length(), jwt.length());
+                //System.out.println("createToken -------> "+jwt);
+                return new JwtToken(jwt);
+            }
+        }
+        return null;
     }
 
     @Override
     protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
+        //System.out.println("onAccessDenied(ServletRequest request, ServletResponse response)");
         return executeLogin(request, response);
     }
 }
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtRealm.java b/src/main/java/com/ebremer/halcyon/fuseki/shiro/JwtRealm.java
similarity index 73%
rename from src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtRealm.java
rename to src/main/java/com/ebremer/halcyon/fuseki/shiro/JwtRealm.java
index 693509c8..13e988bf 100644
--- a/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtRealm.java
+++ b/src/main/java/com/ebremer/halcyon/fuseki/shiro/JwtRealm.java
@@ -1,6 +1,8 @@
-package com.ebremer.halcyon.fuseki.jwt;
+package com.ebremer.halcyon.fuseki.shiro;
 
 import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.Jwts;
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.SimpleAuthenticationInfo;
@@ -29,12 +31,32 @@ protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principal
     @Override
     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
         JwtToken jwtToken = (JwtToken) token;
-        Claims claims = jwtToken.getClaims();
+        String jwt = jwtToken.getJwt();
+        try {
+            Jws<Claims> jws = Jwts.parserBuilder()
+                    .setSigningKey(KeycloakPublicKeyFetcher.getKeycloakPublicKeyFetcher().getPublicKey())
+                    .build()
+                    .parseClaimsJws(jwt);
+
+            String subject = jws.getBody().getSubject();
+            Claims claims = jws.getBody();
+            SimplePrincipalCollection principalCollection = new SimplePrincipalCollection(jwtToken, getName());
+            return new SimpleAuthenticationInfo(principalCollection, jwt);
+        } catch (Exception e) {
+            throw new Error("Invalid JWT token", e);
+        }
+    }
+    
+}
+
+        /*
+        
+        //Claims claims = jwtToken.getClaims();
         SimplePrincipalCollection principalCollection = new SimplePrincipalCollection(claims, getName());
         return new SimpleAuthenticationInfo(principalCollection, token.getCredentials());
     }
 }
-
+*/
 
 /*
 public class JwtRealm extends AuthenticatingRealm {
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtToken.java b/src/main/java/com/ebremer/halcyon/fuseki/shiro/JwtToken.java
similarity index 56%
rename from src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtToken.java
rename to src/main/java/com/ebremer/halcyon/fuseki/shiro/JwtToken.java
index 2256f37e..854e31d9 100644
--- a/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtToken.java
+++ b/src/main/java/com/ebremer/halcyon/fuseki/shiro/JwtToken.java
@@ -1,4 +1,5 @@
-package com.ebremer.halcyon.fuseki.jwt;
+package com.ebremer.halcyon.fuseki.shiro;
+
 
 import io.jsonwebtoken.Claims;
 import java.security.PublicKey;
@@ -17,7 +18,11 @@ public JwtToken(String token) {
 
     @Override
     public Object getPrincipal() {
-        return getClaims().getSubject();
+        return token; //getClaims().getSubject();
+    }
+    
+    public String getJwt() {
+        return token;
     }
 
     @Override
@@ -30,3 +35,16 @@ public Claims getClaims() {
     }
 }
 
+
+
+/*
+        this.token = token;
+        PublicKey publicKey = KeycloakPublicKeyFetcher.getKeycloakPublicKeyFetcher().getPublicKey();
+        Claims claimsx = null;
+        try {
+            claimsx = new JwtVerifier(publicKey).verify(token);
+        } catch (Exception ex) {
+            System.out.println(ex.toString());
+        }
+        this.claims = claimsx;
+*/
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtVerifier.java b/src/main/java/com/ebremer/halcyon/fuseki/shiro/JwtVerifier.java
similarity index 94%
rename from src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtVerifier.java
rename to src/main/java/com/ebremer/halcyon/fuseki/shiro/JwtVerifier.java
index b80cb7fd..c3279327 100644
--- a/src/main/java/com/ebremer/halcyon/fuseki/jwt/JwtVerifier.java
+++ b/src/main/java/com/ebremer/halcyon/fuseki/shiro/JwtVerifier.java
@@ -1,4 +1,4 @@
-package com.ebremer.halcyon.fuseki.jwt;
+package com.ebremer.halcyon.fuseki.shiro;
 
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jws;
@@ -27,4 +27,4 @@ public Claims verify(String token) {
         }
         return null;
     }
-}
+}
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/halcyon/fuseki/jwt/KeycloakPublicKeyFetcher.java b/src/main/java/com/ebremer/halcyon/fuseki/shiro/KeycloakPublicKeyFetcher.java
similarity index 98%
rename from src/main/java/com/ebremer/halcyon/fuseki/jwt/KeycloakPublicKeyFetcher.java
rename to src/main/java/com/ebremer/halcyon/fuseki/shiro/KeycloakPublicKeyFetcher.java
index 2a52909b..3c65624c 100644
--- a/src/main/java/com/ebremer/halcyon/fuseki/jwt/KeycloakPublicKeyFetcher.java
+++ b/src/main/java/com/ebremer/halcyon/fuseki/shiro/KeycloakPublicKeyFetcher.java
@@ -1,4 +1,4 @@
-package com.ebremer.halcyon.fuseki.jwt;
+package com.ebremer.halcyon.fuseki.shiro;
 
 import com.ebremer.halcyon.HalcyonSettings;
 import jakarta.json.Json;
diff --git a/src/main/java/com/ebremer/halcyon/gui/CollectionPanel.java b/src/main/java/com/ebremer/halcyon/gui/CollectionPanel.java
index 0508d374..9cb86269 100644
--- a/src/main/java/com/ebremer/halcyon/gui/CollectionPanel.java
+++ b/src/main/java/com/ebremer/halcyon/gui/CollectionPanel.java
@@ -1,10 +1,7 @@
 package com.ebremer.halcyon.gui;
 
 import com.ebremer.ethereal.LDModel;
-import com.ebremer.halcyon.wicket.DatabaseLocator;
 import com.ebremer.ethereal.RDFTextField;
-import org.apache.jena.query.Dataset;
-import org.apache.jena.query.ReadWrite;
 import org.apache.jena.rdf.model.Model;
 import org.apache.jena.rdf.model.Resource;
 import org.apache.jena.vocabulary.RDFS;
@@ -36,9 +33,9 @@ public void onSubmit() {
     @Override
     public void onSubmit() {
         System.out.println("SAVING!");
-        Dataset ds = DatabaseLocator.getDatabase().getSecuredDataset();
-        ds.begin(ReadWrite.READ);
+        //Dataset ds = DatabaseLocator.getDatabase().getSecuredDataset();
+        //ds.begin(ReadWrite.READ);
         //RDFDataMgr.write(System.out, ds.getNamedModel(HAL.Collections.getURI()), RDFFormat.TURTLE_PRETTY);
-        ds.end();
+        //ds.end();
     }   
-}
\ No newline at end of file
+}
diff --git a/src/main/java/com/ebremer/halcyon/gui/Collections.java b/src/main/java/com/ebremer/halcyon/gui/Collections.java
index 532e31f1..4b6a5b26 100644
--- a/src/main/java/com/ebremer/halcyon/gui/Collections.java
+++ b/src/main/java/com/ebremer/halcyon/gui/Collections.java
@@ -38,7 +38,7 @@
  * @author erich
  */
 public class Collections extends BasePage {
-    private SelectDataProvider rdfsdf;
+    private final SelectDataProvider rdfsdf;
     
     public Collections() {
         add(new FeedbackPanel("feedback"));
diff --git a/src/main/java/com/ebremer/halcyon/gui/EditCollection.java b/src/main/java/com/ebremer/halcyon/gui/EditCollection.java
index a1a423ee..d17d8dc3 100644
--- a/src/main/java/com/ebremer/halcyon/gui/EditCollection.java
+++ b/src/main/java/com/ebremer/halcyon/gui/EditCollection.java
@@ -49,7 +49,7 @@ public EditCollection(final PageParameters parameters) {
         ds.begin(ReadWrite.READ);
         m.add(ds.getNamedModel(uuid));
         ds.end();
-        RDFDataMgr.write(System.out, m, RDFFormat.TURTLE_PRETTY);
+        //RDFDataMgr.write(System.out, m, RDFFormat.TURTLE_PRETTY);
         Resource s = ResourceFactory.createResource(uuid);
         mod = new RDFDetachableModel(m);
         LDModel ldm = new LDModel(mod);
diff --git a/src/main/java/com/ebremer/halcyon/gui/HalcyonApplication.java b/src/main/java/com/ebremer/halcyon/gui/HalcyonApplication.java
index 16a27ece..d451e44e 100644
--- a/src/main/java/com/ebremer/halcyon/gui/HalcyonApplication.java
+++ b/src/main/java/com/ebremer/halcyon/gui/HalcyonApplication.java
@@ -12,8 +12,6 @@
 import com.ebremer.halcyon.wicket.ethereal.Graph3D;
 import com.ebremer.halcyon.wicket.ethereal.Zephyr;
 import com.ebremer.multiviewer.MultiViewer;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RuntimeConfigurationType;
 import org.apache.wicket.Session;
 import org.apache.wicket.devutils.stateless.StatelessChecker;
@@ -21,7 +19,6 @@
 import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.Request;
 import org.apache.wicket.request.Response;
-import org.apache.wicket.request.cycle.RequestCycle;
 
 public class HalcyonApplication extends WebApplication {
     private static final HalcyonSettings settings = HalcyonSettings.getSettings();
@@ -50,13 +47,14 @@ public Class<? extends WebPage> getHomePage() {
     
     @Override
     public Session newSession(Request request, Response response) {
-        HalcyonSession hs = new HalcyonSession(request);
+        return new HalcyonSession(request);
+        /*
         HttpServletRequest req = (HttpServletRequest) request.getContainerRequest();
         Cookie[] cookies = req.getCookies();
         for (Cookie cookie: cookies) {
             System.out.println("NR : "+cookie.getName()+" ==== "+cookie.getValue());
-        }
-        return hs;
+        }*/
+
     }
 
     @Override
@@ -87,8 +85,9 @@ public void init() {
         mountPage("/gui/sparql", Sparql.class);
         mountPage("/gui/about", About.class);
         mountPage("/gui/threed", Graph3D.class);
+        mountPage("/gui/revisionhistory", RevisionHistory.class);
         mountPage("/gui/zephyr", Zephyr.class);
-        mountPage("/gui/public", Public.class);
+        mountPage("/gui/login", LogHal.class);
         //mountPage("/gui/dicom", DICOM.class);
         //mountPage("/gui/dicom2", DCM.class);
     }
@@ -96,6 +95,5 @@ public void init() {
     @Override
     public RuntimeConfigurationType getConfigurationType() {
         return RuntimeConfigurationType.DEVELOPMENT;
-        //return RuntimeConfigurationType.DEPLOYMENT;
     }
 }
diff --git a/src/main/java/com/ebremer/halcyon/gui/HalcyonSession.java b/src/main/java/com/ebremer/halcyon/gui/HalcyonSession.java
index f4e84837..b39ed5fa 100644
--- a/src/main/java/com/ebremer/halcyon/gui/HalcyonSession.java
+++ b/src/main/java/com/ebremer/halcyon/gui/HalcyonSession.java
@@ -4,12 +4,17 @@
 import com.ebremer.halcyon.HalcyonSettings;
 import com.ebremer.halcyon.datum.DataCore;
 import com.ebremer.halcyon.datum.HalcyonPrincipal;
+import com.ebremer.halcyon.fuseki.shiro.JwtToken;
+import com.ebremer.halcyon.fuseki.shiro.JwtVerifier;
+import com.ebremer.halcyon.fuseki.shiro.KeycloakPublicKeyFetcher;
 import com.ebremer.ns.HAL;
+import io.jsonwebtoken.Claims;
 import jakarta.json.Json;
 import jakarta.json.JsonArray;
 import jakarta.json.JsonObject;
 import jakarta.json.JsonReader;
 import java.io.StringReader;
+import java.security.PublicKey;
 import java.util.Locale;
 import java.util.UUID;
 import javax.ws.rs.client.ClientBuilder;
@@ -39,7 +44,7 @@ public final class HalcyonSession extends WebSession {
     private String user;
     private String mv;
     private final String uuid;
-    private final String token;
+    //private final String token;
     private final HalcyonPrincipal principal;
 
     public HalcyonSession(Request request) {
@@ -50,13 +55,14 @@ public HalcyonSession(Request request) {
         KeycloakSecurityContext securityContext = (KeycloakSecurityContext) req.getContainerRequest().getAttribute(KeycloakSecurityContext.class.getName());
         if (securityContext==null) {
             uuid = "urn:uuid:"+UUID.randomUUID().toString();
-            token = null;
+      //      token = null;
             principal = new HalcyonPrincipal(uuid, true);
         } else {
             AccessToken token2 = securityContext.getToken();
-            this.token = securityContext.getTokenString();
+        //    this.token = securityContext.getTokenString();
             uuid = "urn:uuid:"+token2.getSubject();
-            principal = new HalcyonPrincipal(uuid, false);
+            principal = new HalcyonPrincipal(new JwtToken(securityContext.getTokenString()),false);
+            //principal = new HalcyonPrincipal(uuid, false);
         }
 
         if (securityContext!=null) {
@@ -115,10 +121,6 @@ public HalcyonSession(Request request) {
         }
     }
     
-    public String getToken() {
-        return token;
-    }
-    
     public String getUUID() {
         return uuid;
     }
diff --git a/src/main/java/com/ebremer/halcyon/gui/HomePage.html b/src/main/java/com/ebremer/halcyon/gui/HomePage.html
index 15e291a9..d3ab4f8a 100644
--- a/src/main/java/com/ebremer/halcyon/gui/HomePage.html
+++ b/src/main/java/com/ebremer/halcyon/gui/HomePage.html
@@ -9,53 +9,15 @@
                     width:800px;
                     background-color: #EEEEEE;
                     border: 3px solid #0000AB;
-                    padding-top: 15px;
+                    padding-top: 10px;
                     padding-right: 20px;
-                    padding-bottom: 20px;
+                    padding-bottom: 10px;
                     padding-left: 20px;
                 }
             </style>
             <div id="banner">
                 <h1><center>Halcyon</center></h1>
-            <h4><center>Version 0.0.0</center></h4>
-            <hr>
-        <br>
-       <h3>Version 0.1.0</h3>
-            ??/??/????<br>
-            <ul>
-                <li></li>
-            </ul>
-            <hr>
-        <h3>Version 0.0.0</h3>
-            03/07/2023<br>
-            <ul>
-                <li>Text-based (<a href="https://www.w3.org/TR/turtle/" target="_blank">RDF Turtle</a>) annotations files using <a href="https://www.w3.org/TR/annotation-model/" target="_blank">W3 Open Annotations</a> (OA)</li>
-                <li>RDF data validation using <a href="https://www.w3.org/TR/shacl/" target="_blank">SHACL</a></li>
-                <li>Separate OA compiler (ingest) for OA to <a href="https://www.researchobject.org/ro-crate/1.1/" target="_blank">Research Object Crate</a> (ROC) files</li>
-                <li>POC WebGL Zephyr Viewer</li>
-                <li>Image and Feature Tiling Engines access based on <a href="https://iiif.io/" target="_blank">IIIF</a></li>
-                <li>Image Tiling Engine currently supports TIFF, SVS, NDPI</li>
-                <li>Image libraries based on <a href="https://www.openmicroscopy.org/bio-formats/" target="_blank">OME Bioformats</a></li>
-                <li>Identity management via embedded <a href="https://www.keycloak.org/" target="_blank">Keycloak</a></li>
-                <li>Security Model based on <a href="https://solid.github.io/web-access-control-spec/" target="_blank">Web Access Control</a></li>
-                <li>Data accessible via <a href="https://www.w3.org/TR/sparql11-query/" target="_blank">SPARQL</a> Endpoint</li>
-                <li>Viewer code based on <a href="https://openseadragon.github.io/" target="_blank">OpenSeadragon</a></li>
-                <li>Server UX built with <a href="https://wicket.apache.org/" target="_blank">Apache Wicket</a></li>
-                <li>Main data storage based on <a href="https://jena.apache.org" target="_blank">Apache Jena TDB2</a></li>
-                <li>Java environment based on <a href="https://www.graalvm.org/" target="_blank">GraalVM 22.3.1 (JDK 17)</a></li>
-                <li><a href="https://semver.org/" target="_blank">Semantic versioning</a></li>
-            </ul>
-            <hr>
-            <h2>noun:</h2>
-                1. a tropical Asian and African kingfisher with brightly colored plumage.<br>
-                2. a mythical bird said by ancient writers to breed in a nest floating at sea at the winter solstice, charming the wind and waves into calm.<br>
-                3. a software system to manage, annotate, and display Whole Slide Images and their Deep Learning Pipeline results.
-            <h2>adjective:</h2>
-                denoting a period of time in the past that was idyllically happy and peaceful.
-                "the halcyon days of the mid-1980s, when profits were soaring"
-
-                Similar - serene, calm, pleasant, balmy, tranquil, peaceful, temperate, mild, quiet, gentle, placid, still, windless, stormless, happy, carefree, blissful, golden, joyful, joyous, contented, idyllic, palmy, flourishing, thriving, prosperous, successful
-                Opposite - stormy, troubled
+            <h4><center>Version 0.1.0</center></h4>
             </div>
         </wicket:extend>
     </body>
diff --git a/src/main/java/com/ebremer/halcyon/gui/HomePage.java b/src/main/java/com/ebremer/halcyon/gui/HomePage.java
index cedac858..8aacf91f 100644
--- a/src/main/java/com/ebremer/halcyon/gui/HomePage.java
+++ b/src/main/java/com/ebremer/halcyon/gui/HomePage.java
@@ -5,7 +5,7 @@
 import org.apache.wicket.devutils.stateless.StatelessComponent;
 import org.apache.wicket.markup.IMarkupCacheKeyProvider;
 
-@StatelessComponent
+//@StatelessComponent
 public class HomePage extends BasePage implements IMarkupCacheKeyProvider {  // IMarkupResourceStreamProvider, 
     private static final long serialVersionUID = 1L;
         
diff --git a/src/main/java/com/ebremer/halcyon/gui/LogHal.html b/src/main/java/com/ebremer/halcyon/gui/LogHal.html
new file mode 100644
index 00000000..582d042e
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/gui/LogHal.html
@@ -0,0 +1,7 @@
+<html>
+    <body>
+        <wicket:extend>
+            LOGIN
+        </wicket:extend>
+    </body>
+</html>
diff --git a/src/main/java/com/ebremer/halcyon/gui/LogHal.java b/src/main/java/com/ebremer/halcyon/gui/LogHal.java
new file mode 100644
index 00000000..dbd5c6f2
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/gui/LogHal.java
@@ -0,0 +1,22 @@
+package com.ebremer.halcyon.gui;
+
+import com.ebremer.halcyon.wicket.BasePage;
+import org.apache.wicket.MarkupContainer;
+import org.apache.wicket.devutils.stateless.StatelessComponent;
+import org.apache.wicket.markup.IMarkupCacheKeyProvider;
+
+@StatelessComponent
+public class LogHal extends BasePage implements IMarkupCacheKeyProvider {  // IMarkupResourceStreamProvider, 
+    private static final long serialVersionUID = 1L;
+        
+    public LogHal() { 
+
+    }
+   
+    @Override
+    public String getCacheKey(MarkupContainer container, Class<?> containerClass) {
+        final String classname = containerClass.isAnonymousClass() ? containerClass.getSuperclass().getSimpleName() : containerClass.getSimpleName();
+        return classname;
+        //return classname + '_' + lClass + '_' + rClass + '_' + (isSimple() ? 1 : 0) + '_';
+    }
+}
diff --git a/src/main/java/com/ebremer/halcyon/gui/Login.java b/src/main/java/com/ebremer/halcyon/gui/Login.java
index 34e3c043..e9401181 100644
--- a/src/main/java/com/ebremer/halcyon/gui/Login.java
+++ b/src/main/java/com/ebremer/halcyon/gui/Login.java
@@ -35,6 +35,7 @@ public Login(PageParameters parameters) {
             System.out.println("===============");
             System.out.println(securityContext!=null);
             System.out.println("===============");
+            getSession().invalidate();
     }
     
     
diff --git a/src/main/java/com/ebremer/halcyon/gui/LogoutLink.java b/src/main/java/com/ebremer/halcyon/gui/LogoutLink.java
new file mode 100644
index 00000000..56e82b13
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/gui/LogoutLink.java
@@ -0,0 +1,30 @@
+package com.ebremer.halcyon.gui;
+
+import com.ebremer.halcyon.HalcyonSettings;
+import org.apache.wicket.markup.html.link.StatelessLink;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.handler.RedirectRequestHandler;
+
+
+public class LogoutLink extends StatelessLink<Void> {
+
+    private final String keycloakLogoutUrl = HalcyonSettings.getSettings().getHostName()+"/auth/realms/"+HalcyonSettings.getSettings().getRealm()+"/protocol/openid-connect/logout?client_id=account";
+
+    public LogoutLink(String id) {
+        super(id);
+    }
+
+    @Override
+    public void onClick() {
+        //System.out.println(keycloakLogoutUrl);
+        //HalcyonSession.get().getHalcyonPrincipal()
+        //String token = HalcyonSession.get().getToken();
+        String x = keycloakLogoutUrl;
+        //x=x+"&id_token_hint="+token;
+        //x = x + "&post_logout_redirect_uri=http://localhost:8888";
+        System.out.println("LOGOUT : "+x);
+        //String ha = OIDCLoginProtocol.CLIENT_ID_PARAM;
+        getSession().invalidate();
+        RequestCycle.get().scheduleRequestHandlerAfterCurrent(new RedirectRequestHandler(x));
+    }
+}
diff --git a/src/main/java/com/ebremer/halcyon/gui/Public.java b/src/main/java/com/ebremer/halcyon/gui/Public.java
deleted file mode 100644
index 236cc8e2..00000000
--- a/src/main/java/com/ebremer/halcyon/gui/Public.java
+++ /dev/null
@@ -1,14 +0,0 @@
-package com.ebremer.halcyon.gui;
-
-import com.ebremer.halcyon.wicket.BasePage;
-import org.apache.wicket.devutils.stateless.StatelessComponent;
-
-@StatelessComponent
-public class Public extends BasePage {
-    private static final long serialVersionUID = 1L;
-        
-    public Public() { 
-
-    }
-
-}
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/halcyon/gui/Public.html b/src/main/java/com/ebremer/halcyon/gui/RevisionHistory.html
similarity index 98%
rename from src/main/java/com/ebremer/halcyon/gui/Public.html
rename to src/main/java/com/ebremer/halcyon/gui/RevisionHistory.html
index 15e291a9..3de7b00b 100644
--- a/src/main/java/com/ebremer/halcyon/gui/Public.html
+++ b/src/main/java/com/ebremer/halcyon/gui/RevisionHistory.html
@@ -17,7 +17,7 @@
             </style>
             <div id="banner">
                 <h1><center>Halcyon</center></h1>
-            <h4><center>Version 0.0.0</center></h4>
+            <h4><center>Version 0.1.0</center></h4>
             <hr>
         <br>
        <h3>Version 0.1.0</h3>
diff --git a/src/main/java/com/ebremer/halcyon/gui/RevisionHistory.java b/src/main/java/com/ebremer/halcyon/gui/RevisionHistory.java
new file mode 100644
index 00000000..4a52ceb9
--- /dev/null
+++ b/src/main/java/com/ebremer/halcyon/gui/RevisionHistory.java
@@ -0,0 +1,20 @@
+package com.ebremer.halcyon.gui;
+
+import com.ebremer.halcyon.wicket.BasePage;
+import org.apache.wicket.MarkupContainer;
+import org.apache.wicket.markup.IMarkupCacheKeyProvider;
+
+public class RevisionHistory extends BasePage implements IMarkupCacheKeyProvider {
+    private static final long serialVersionUID = 1L;
+        
+    public RevisionHistory() { 
+
+    }
+   
+    @Override
+    public String getCacheKey(MarkupContainer container, Class<?> containerClass) {
+        final String classname = containerClass.isAnonymousClass() ? containerClass.getSuperclass().getSimpleName() : containerClass.getSimpleName();
+        return classname;
+        //return classname + '_' + lClass + '_' + rClass + '_' + (isSimple() ? 1 : 0) + '_';
+    }
+}
diff --git a/src/main/java/com/ebremer/halcyon/imagebox/Main.java b/src/main/java/com/ebremer/halcyon/imagebox/Main.java
index 3b8aeb8f..7b536ff6 100644
--- a/src/main/java/com/ebremer/halcyon/imagebox/Main.java
+++ b/src/main/java/com/ebremer/halcyon/imagebox/Main.java
@@ -5,18 +5,13 @@
 import com.ebremer.halcyon.INIT;
 import com.ebremer.halcyon.fuseki.HalcyonProxyServlet;
 import com.ebremer.halcyon.datum.SessionsManager;
-import com.ebremer.halcyon.fuseki.jwt.GetPublicKey;
-import com.ebremer.halcyon.fuseki.jwt.KeycloakPublicKeyFetcher;
 import com.ebremer.halcyon.gui.HalcyonApplication;
 import io.undertow.UndertowOptions;
-import java.io.IOException;
 import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
-import java.security.PublicKey;
-import java.security.spec.InvalidKeySpecException;
 import java.util.Arrays;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -61,10 +56,8 @@ public static SessionIdMapper getSessionIdMapper() {
     public ServletRegistrationBean proxyServletRegistrationBean() {
         ServletRegistrationBean bean = new ServletRegistrationBean(new HalcyonProxyServlet(), "/sparql/*");
         bean.addInitParameter("targetUri", "http://localhost:8887/rdf");
-        //bean.addInitParameter("targetUri", "https://e1d0d1f2f7f7ecfb2e5ff7faef143702.m.pipedream.net");
         bean.addInitParameter(ProxyServlet.P_PRESERVECOOKIES, "true");
         bean.addInitParameter(ProxyServlet.P_HANDLEREDIRECTS, "true");
-        //bean.addInitParameter(ProxyServlet.P_HANDLECOMPRESSION, "true");
         return bean;
     }
     
@@ -119,7 +112,7 @@ public FilterRegistrationBean<HALKeycloakOIDCFilter> KeycloakOIDCFilterFilterReg
 	    registration.addUrlPatterns("/*");
             registration.setOrder(0);
             registration.addInitParameter(KeycloakOIDCFilter.CONFIG_FILE_PARAM, "keycloak.json");
-            registration.addInitParameter(KeycloakOIDCFilter.SKIP_PATTERN_PARAM, "(^/sparql.*|^/wicket/resource/com.*\\.css|^/gui/public|^/gui/vendor/openseadragon/.*|^/auth/.*|^/favicon.ico|^/auth/.*$)");
+            registration.addInitParameter(KeycloakOIDCFilter.SKIP_PATTERN_PARAM, "(^/multi-viewer.*|^/iiif.*|^/gui/viewer.*|^/gui|^/gui/about|^/gui/ListImages.*|^/sparql.*|^/wicket/resource/com.*\\.css|^/gui/public|^/gui/vendor/openseadragon/.*|^/auth/.*|^/favicon.ico|^/auth/.*$)");
             registration.setEnabled(true);
         return registration;
     }
diff --git a/src/main/java/com/ebremer/halcyon/keycloak/HALInMemorySessionIdMapper.java b/src/main/java/com/ebremer/halcyon/keycloak/HALInMemorySessionIdMapper.java
index cf211fa8..02b551cc 100644
--- a/src/main/java/com/ebremer/halcyon/keycloak/HALInMemorySessionIdMapper.java
+++ b/src/main/java/com/ebremer/halcyon/keycloak/HALInMemorySessionIdMapper.java
@@ -13,4 +13,4 @@ public boolean hasSession(String id) {
         System.out.println("HASSESSION --> "+id+"  "+super.hasSession(id));
         return super.hasSession(id);
     }
-}
+}
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/halcyon/sparql/Sparql.html b/src/main/java/com/ebremer/halcyon/sparql/Sparql.html
index 15e665c4..c8485b13 100644
--- a/src/main/java/com/ebremer/halcyon/sparql/Sparql.html
+++ b/src/main/java/com/ebremer/halcyon/sparql/Sparql.html
@@ -12,7 +12,7 @@ <h2>SPARQL Endpoint</h2>
         <script>
             Yasgui.defaults.tabName = "Query";
             Yasgui.defaults.yasqe.value =  "select *\nwhere {graph ?g {?s ?p ?o}}\nlimit 20";
-            Yasgui.defaults.requestConfig.headers = {'token': token};
+            Yasgui.defaults.requestConfig.headers = {'AUTHORIZATION': 'Bearer '+token};
             const yasgui = new Yasgui(document.getElementById("yasgui"),
                 {   requestConfig: {
                         endpoint: "/sparql"},
diff --git a/src/main/java/com/ebremer/halcyon/sparql/Sparql.java b/src/main/java/com/ebremer/halcyon/sparql/Sparql.java
index 0968defa..e355c896 100644
--- a/src/main/java/com/ebremer/halcyon/sparql/Sparql.java
+++ b/src/main/java/com/ebremer/halcyon/sparql/Sparql.java
@@ -1,29 +1,14 @@
 package com.ebremer.halcyon.sparql;
 
-import com.ebremer.halcyon.HalcyonSettings;
+import com.ebremer.halcyon.datum.HalcyonPrincipal;
 import com.ebremer.halcyon.gui.HalcyonSession;
 import com.ebremer.halcyon.wicket.BasePage;
-import io.undertow.server.session.SessionManager;
-import io.undertow.servlet.api.DeploymentInfo;
-import io.undertow.servlet.api.SessionManagerFactory;
-import io.undertow.servlet.handlers.ServletRequestContext;
-import java.util.List;
-import java.util.Set;
-import javax.servlet.ServletContext;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import org.apache.wicket.Application;
 import org.apache.wicket.markup.head.CssHeaderItem;
 import org.apache.wicket.markup.head.IHeaderResponse;
 import org.apache.wicket.markup.head.JavaScriptHeaderItem;
 import org.apache.wicket.markup.html.panel.FeedbackPanel;
-import org.apache.wicket.protocol.http.WebApplication;
-import org.apache.wicket.request.cycle.RequestCycle;
-import org.apache.wicket.request.http.WebRequest;
 import org.apache.wicket.request.resource.CssResourceReference;
 import org.apache.wicket.request.resource.JavaScriptResourceReference;
-import org.apache.wicket.session.HttpSessionStore;
-import org.apache.wicket.session.ISessionStore;
 
 /**
  *
@@ -36,35 +21,6 @@ public class Sparql extends BasePage {
     
     public Sparql() {
         add(new FeedbackPanel("feedback"));
-
-        //WebRequest webRequest = (WebRequest) RequestCycle.get().getRequest();
-       
-        /*
-        List<Cookie> cookies = webRequest.getCookies();
-        cookies.forEach(c->{
-            System.out.println("Cookie: " + c.getName() + "=" + c.getValue());
-        });
-        */
-        //HttpServletRequest req = ((HttpServletRequest) getRequest().getContainerRequest());
-        //ServletContext servletContext = req.getServletContext();
-        //DeploymentInfo deploymentInfo = ServletRequestContext.requireCurrent().getDeployment().getDeploymentInfo();
-        //SessionManagerFactory sessionManagerFactory = deploymentInfo.getSessionManagerFactory();
-        //System.out.println("Session Manager Factory: " + sessionManagerFactory);
-        
-        //SessionManager sm = sessionManagerFactory.createSessionManager(ServletRequestContext.requireCurrent().getDeployment());
-       /*
-        Set<String> sess = sm.getAllSessions();
-        System.out.println(sess.size());
-        sess.forEach(s->{
-            System.out.println("SESSION --> "+s);
-        });
-        
-        System.out.println("Wicket session store : "+Application.get().getSessionStore().getClass().toGenericString());
-        ISessionStore iss = Application.get().getSessionStore();
-        HttpSessionStore hss = (HttpSessionStore) iss;
-        
-*/
-
     }
     
     @Override
@@ -75,6 +31,9 @@ public void renderHead(IHeaderResponse response) {
   //      HalcyonSettings s = HalcyonSettings.getSettings();
         //response.render(JavaScriptHeaderItem.forScript("var host = '"+s.getProxyHostName()+":"+s.GetSPARQLPort()+"'", "hostme"));
 //        HttpServletRequest request = ((HttpServletRequest) getRequest().getContainerRequest());
-        response.render(JavaScriptHeaderItem.forScript("var token = '"+HalcyonSession.get().getToken()+"'", "token"));
+        HalcyonSession hs = HalcyonSession.get();
+        HalcyonPrincipal hp = hs.getHalcyonPrincipal();
+        String token = hp.getToken();
+        response.render(JavaScriptHeaderItem.forScript("var token = '"+token+"'", "token"));
     }
 }
diff --git a/src/main/java/com/ebremer/halcyon/wicket/ListFeatures.java b/src/main/java/com/ebremer/halcyon/wicket/ListFeatures.java
index 3b900c4f..a1d73190 100644
--- a/src/main/java/com/ebremer/halcyon/wicket/ListFeatures.java
+++ b/src/main/java/com/ebremer/halcyon/wicket/ListFeatures.java
@@ -84,12 +84,9 @@ public void populateItem(Item<ICellPopulator<Solution>> cellItem, String compone
         pss.setNsPrefix("exif", EXIF.NS);
         pss.setIri("car", HAL.CollectionsAndResources.getURI());
         Dataset ds = DatabaseLocator.getDatabase().getSecuredDataset();
-        //Dataset ds = DatabaseLocator.getDatabase().getDataset();
-        //System.out.println("F1 ---> "+pss.toString());
         rdfsdf = new SelectDataProvider(ds,pss.toString());
         ParameterizedSparqlString pss2 = rdfsdf.getPSS();
         pss2.setIri("collection", "urn:halcyon:nothing");
-        //System.out.println("F2 ---> "+pss2.toString());
         rdfsdf.SetSPARQL(pss2.toString());
         AjaxFallbackDefaultDataTable table = new AjaxFallbackDefaultDataTable<>("table", columns, rdfsdf, 25);
         add(table);
@@ -116,7 +113,6 @@ protected List<Node> load() {
             protected void onAfterSubmit(AjaxRequestTarget target) {
                 ParameterizedSparqlString pss = rdfsdf.getPSS();
                 pss.setIri("collection", ddc.getModelObject().toString());
-                //System.out.println("F2X ---> "+pss.toString());
                 rdfsdf.SetSPARQL(pss.toString());
                 target.add(table);
             }
@@ -242,4 +238,4 @@ public IResourceStream getMarkupResourceStream(MarkupContainer container, Class<
             """);
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/main/java/com/ebremer/halcyon/wicket/ListImages.java b/src/main/java/com/ebremer/halcyon/wicket/ListImages.java
index fd520673..83b3ea86 100644
--- a/src/main/java/com/ebremer/halcyon/wicket/ListImages.java
+++ b/src/main/java/com/ebremer/halcyon/wicket/ListImages.java
@@ -8,6 +8,8 @@
 import com.ebremer.halcyon.datum.Patterns;
 import com.ebremer.ns.HAL;
 import com.ebremer.ethereal.NodeColumn;
+import com.ebremer.halcyon.datum.DataCore;
+import static com.ebremer.halcyon.datum.DataCore.Level.OPEN;
 import com.ebremer.halcyon.gui.HalcyonSession;
 import com.ebremer.multiviewer.MultiViewer;
 import com.ebremer.ns.EXIF;
@@ -82,7 +84,7 @@ public void populateItem(Item<ICellPopulator<Solution>> cellItem, String compone
         pss.setNsPrefix("so", SchemaDO.NS);
         pss.setNsPrefix("exif", EXIF.NS);
         pss.setIri("car", HAL.CollectionsAndResources.getURI());
-        Dataset ds = DatabaseLocator.getDatabase().getSecuredDataset();
+        Dataset ds = DatabaseLocator.getDatabase().getSecuredDataset(OPEN);
         //Dataset ds = DatabaseLocator.getDatabase().getDataset();
         rdfsdf = new SelectDataProvider(ds,pss.toString());
         rdfsdf.SetSPARQL(pss.toString());
@@ -95,8 +97,10 @@ public void populateItem(Item<ICellPopulator<Solution>> cellItem, String compone
                     new LoadableDetachableModel<List<Node>>() {
                         @Override
                         protected List<Node> load() {
-                            List<Node> list = Patterns.getCollectionList(rdg.load());
-                            list.add(NodeFactory.createURI("urn:halcyon:nocollections"));
+                            //List<Node> list = Patterns.getCollectionList(rdg.load());
+                            Dataset ww = DataCore.getInstance().getSecuredDataset(OPEN);
+                            List<Node> list = Patterns.getCollectionList(ww);
+                            //list.add(NodeFactory.createURI("urn:halcyon:nocollections"));
                             return list;
                         }
                     },
diff --git a/src/main/java/com/ebremer/halcyon/wicket/MenuPanel.html b/src/main/java/com/ebremer/halcyon/wicket/MenuPanel.html
index 1d08ed5d..be067277 100644
--- a/src/main/java/com/ebremer/halcyon/wicket/MenuPanel.html
+++ b/src/main/java/com/ebremer/halcyon/wicket/MenuPanel.html
@@ -4,14 +4,8 @@
             <div class="navbar">
                 <a wicket:id="home">Home</a>
                 <a wicket:id="security">Security</a>
-                <div class="dropdown">
-                    <button class="dropbtn">Collections<i class="fa fa-caret-down"></i>
-                    </button>
-                    <div class="dropdown-content">
-                        <a wicket:id="collections">List Collections</a>
-                        <a wicket:id="images">List Images</a>
-                    </div>
-                </div>
+                <a wicket:id="collections">List Collections</a>
+                <a wicket:id="images">List Images</a>
                 <a wicket:id="sparql">SPARQL</a>
                 <a wicket:id="threed">3D</a>
                 <a wicket:id="account">Account</a> 
@@ -19,10 +13,12 @@
                     <button class="dropbtn">Help<i class="fa fa-caret-down"></i>
                     </button>
                     <div class="dropdown-content">
+                        <a wicket:id="revisionhistory">Revision History</a>
                         <a wicket:id="about">About</a>
                     </div>
                 </div>
-                <a wicket:id="logout">Logout</a>
+                <a wicket:id="loginLink">Login</a>
+                <a wicket:id="logoutLink">Logout</a>
             </div>
         </wicket:panel>
     </body>
diff --git a/src/main/java/com/ebremer/halcyon/wicket/MenuPanel.java b/src/main/java/com/ebremer/halcyon/wicket/MenuPanel.java
index 71fff349..902f793f 100644
--- a/src/main/java/com/ebremer/halcyon/wicket/MenuPanel.java
+++ b/src/main/java/com/ebremer/halcyon/wicket/MenuPanel.java
@@ -1,9 +1,14 @@
 package com.ebremer.halcyon.wicket;
 
 import com.ebremer.halcyon.HalcyonSettings;
+import com.ebremer.halcyon.datum.HalcyonPrincipal;
+import com.ebremer.halcyon.gui.HalcyonSession;
+import com.ebremer.halcyon.gui.LogoutLink;
+import com.ebremer.halcyon.sparql.Sparql;
 import org.apache.wicket.markup.head.CssReferenceHeaderItem;
 import org.apache.wicket.markup.head.IHeaderResponse;
 import org.apache.wicket.markup.html.link.ExternalLink;
+import org.apache.wicket.markup.html.link.Link;
 import org.apache.wicket.markup.html.panel.Panel;
 import org.apache.wicket.request.resource.CssResourceReference;
 
@@ -15,20 +20,60 @@ public class MenuPanel extends Panel {
     
     public MenuPanel(String id) {
         super(id);
+        HalcyonPrincipal hp = HalcyonSession.get().getHalcyonPrincipal();
         String host = HalcyonSettings.getSettings().getProxyHostName();
         add(new ExternalLink("home", host+"/gui","Home"));
-        add(new ExternalLink("collections", host+"/gui/collections","Collections"));
-        //add(new ExternalLink("addcollection", host+"/gui/add/collection","Add Collection"));
         add(new ExternalLink("images", host+"/gui/ListImages","Images"));
-        add(new ExternalLink("sparql", host+"/gui/sparql","SPARQL"));
-        //add(new ExternalLink("features", host+"/gui/ListFeatures","Features"));
-        //add(new ExternalLink("viewer", host+"/gui/viewer","Viewer"));
-        add(new ExternalLink("threed", host+"/gui/threed","3D"));
-        add(new ExternalLink("security", host+"/gui/adminme","Security"));
-        add(new ExternalLink("account", host+"/gui/accountpage","Account"));
         add(new ExternalLink("about", host+"/gui/about","About"));
-        //add(new ExternalLink("logout", host+"/auth/realms/master/protocol/openid-connect/logout?redirect_uri="+host+"/","Logout"));
-        add(new ExternalLink("logout", host+"/auth/realms/master/protocol/openid-connect/logout","Logout"));
+        ExternalLink security = new ExternalLink("security", host+"/gui/adminme","Security");
+        ExternalLink sparql = new ExternalLink("sparql", host+"/gui/sparql","SPARQL");
+        ExternalLink account = new ExternalLink("account", host+"/gui/accountpage","Account");
+        ExternalLink threed = new ExternalLink("threed", host+"/gui/threed","3D");
+        ExternalLink collections = new ExternalLink("collections", host+"/gui/collections","Collections");
+        ExternalLink revisionhistory = new ExternalLink("revisionhistory", host+"/gui/revisionhistory","Revision History");
+        //ExternalLink login = new ExternalLink("loginLink", host+"/gui/login","Login");
+        Link login = new Link<Void>("loginLink") {
+            @Override
+            public void onClick() {
+                getSession().invalidate();
+                setResponsePage(Sparql.class);
+            }
+        };
+        LogoutLink logout = new LogoutLink("logoutLink");
+        add(account);
+        add(security);
+        add(sparql);
+        add(collections);
+        add(threed);
+        add(logout);
+        add(login);
+        add(revisionhistory);
+        security.setVisible(false);
+        threed.setVisible(false);
+        account.setVisible(false);
+        collections.setVisible(false);
+        sparql.setVisible(false);
+        logout.setVisible(false);
+        login.setVisible(false);
+        revisionhistory.setVisible(false);
+        if (hp.isAnon()) {
+            login.setVisible(true);
+        } else {
+            revisionhistory.setVisible(true);
+            login.setVisible(false);
+            logout.setVisible(true);
+            sparql.setVisible(true);
+            hp.getGroups().forEach(k->{
+                System.out.println("GROUP : "+k);
+            });
+            if (hp.getGroups().contains("/admin")) {
+                System.out.println("ADMIN DETECTED");
+                security.setVisible(true);
+                threed.setVisible(true);
+                account.setVisible(true);
+                collections.setVisible(true);
+            }
+        } 
     }
     
     @Override
@@ -36,4 +81,4 @@ public void renderHead(IHeaderResponse response) {
 	super.renderHead(response);
         response.render(CssReferenceHeaderItem.forReference(new CssResourceReference(getClass(), "MenuPanel.css")));
     }
-}
\ No newline at end of file
+}
diff --git a/src/main/java/com/ebremer/halycon/shiro/JWTGuard.java b/src/main/java/com/ebremer/halycon/shiro/JWTGuard.java
deleted file mode 100644
index 5e2a6cc5..00000000
--- a/src/main/java/com/ebremer/halycon/shiro/JWTGuard.java
+++ /dev/null
@@ -1,16 +0,0 @@
-package com.ebremer.halycon.shiro;
-
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-import org.apache.shiro.web.filter.authc.AuthenticationFilter;
- 
-public class JWTGuard extends AuthenticationFilter {
- 
-    @Override
-    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
-        HttpServletResponse httpResponse = (HttpServletResponse) response;
-        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
-        return false;
-    }
-}
\ No newline at end of file
diff --git a/src/main/java/com/ebremer/halycon/shiro/JWTVerifyingFilter.java b/src/main/java/com/ebremer/halycon/shiro/JWTVerifyingFilter.java
deleted file mode 100644
index 056cbfc9..00000000
--- a/src/main/java/com/ebremer/halycon/shiro/JWTVerifyingFilter.java
+++ /dev/null
@@ -1,54 +0,0 @@
-package com.ebremer.halycon.shiro;
-
-import io.jsonwebtoken.JwtException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.web.filter.AccessControlFilter;
-import io.jsonwebtoken.Jwts;
-
- 
-public class JWTVerifyingFilter extends AccessControlFilter {
-    
-    private boolean validateJwt(String jwt) {
-    try {
-        Jwts.parserBuilder()
-                //.setSigningKey(publicKey)
-                .build()
-                .parseClaimsJws(jwt);
-        return true;
-    } catch (JwtException e) {
-        return false;
-    }
-}
- 
-    @Override
-    protected boolean isAccessAllowed(ServletRequest request, ServletResponse arg1, Object arg2) throws Exception {
-        boolean accessAllowed = false;
-        HttpServletRequest httpRequest = (HttpServletRequest) request;
-        String jwt = httpRequest.getHeader("Authorization");
-        if (jwt == null || !jwt.startsWith("Bearer ")) {
-            return accessAllowed;
-        }
-        jwt = jwt.substring(jwt.indexOf(" "));
-        //String username = 
-        
-        
-        String subjectName = (String) SecurityUtils.getSubject().getPrincipal();
-        System.out.println("subjectName = "+subjectName);
-       // if (username.equals(subjectName)) {
-         //   accessAllowed = true;
-        //}
-        return accessAllowed;
-    }
- 
-    @Override
-    protected boolean onAccessDenied(ServletRequest arg0, ServletResponse arg1) throws Exception {
-        HttpServletResponse response = (HttpServletResponse) arg1;
-        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
-        return false;
-    }
- 
-}
\ No newline at end of file
diff --git a/src/main/resources/keycloak-realm-config.json b/src/main/resources/keycloak-realm-config.json
index 66720790..d5cb38ee 100644
--- a/src/main/resources/keycloak-realm-config.json
+++ b/src/main/resources/keycloak-realm-config.json
@@ -9,8 +9,8 @@
   "refreshTokenMaxReuse": 0,
   "accessTokenLifespan": 60,
   "accessTokenLifespanForImplicitFlow": 900,
-  "ssoSessionIdleTimeout": 1800,
-  "ssoSessionMaxLifespan": 36000,
+  "ssoSessionIdleTimeout": 86400,
+  "ssoSessionMaxLifespan": 604800,
   "ssoSessionIdleTimeoutRememberMe": 0,
   "ssoSessionMaxLifespanRememberMe": 0,
   "offlineSessionIdleTimeout": 2592000,
@@ -521,7 +521,7 @@
       "consentRequired": false,
       "standardFlowEnabled": true,
       "implicitFlowEnabled": false,
-      "directAccessGrantsEnabled": false,
+      "directAccessGrantsEnabled": true,
       "serviceAccountsEnabled": false,
       "publicClient": true,
       "frontchannelLogout": false,
diff --git a/src/main/resources/shiro.ini b/src/main/resources/shiro.ini
index b683a4fa..13d34b4b 100644
--- a/src/main/resources/shiro.ini
+++ b/src/main/resources/shiro.ini
@@ -1,9 +1,10 @@
 [main]
-halcyonfilter=com.ebremer.halcyon.fuseki.jwt.JwtAuthenticatingFilter
-realm=com.ebremer.halcyon.fuseki.jwt.JwtRealm
+halcyonfilter=com.ebremer.halcyon.fuseki.shiro.JwtAuthenticatingFilter
+realm=com.ebremer.halcyon.fuseki.shiro.JwtRealm
 sessionManager=org.apache.shiro.web.session.mgt.DefaultWebSessionManager
 sessionManager.sessionIdCookieEnabled=true
-securityManager.realms=$realm,$iniRealm
+#securityManager.realms=$realm,$iniRealm
+securityManager.realms=$realm
 securityManager.sessionManager=$sessionManager
 #securityManager.rememberMeManager=null