From bad1fb55e11c9ad1a0eaf0be67346db4995be2e8 Mon Sep 17 00:00:00 2001
From: Niels <nielsmeijer@hotmail.com>
Date: Wed, 16 Nov 2022 17:15:41 +0100
Subject: [PATCH] Make Spring Security configurable on servlet basis (#3991)

---
 core/pom.xml                                  |   5 +
 .../lifecycle/HttpSecurityConfigurer.java     | 119 +-----
 .../lifecycle/ServletManager.java             | 201 ++++++----
 .../lifecycle/VerifyServerSecurityBean.java   |   5 +-
 .../ActiveDirectoryAuthenticator.java         | 134 +++++++
 .../servlets/AuthenticationType.java          |  36 ++
 .../lifecycle/servlets/IAuthenticator.java    |  24 ++
 .../servlets/InMemoryAuthenticator.java       |  59 +++
 .../lifecycle/servlets/JeeAuthenticator.java  | 112 ++++++
 .../lifecycle/servlets/NoOpAuthenticator.java |  43 +++
 .../servlets/ServletAuthenticatorBase.java    | 130 +++++++
 .../servlets/ServletConfiguration.java        | 149 +++++++
 .../nn/adapterframework/util/ClassUtils.java  |  25 ++
 .../webcontrol/DummySSLSocketFactory.java     |   2 +-
 .../webcontrol/LoginFilter.java               | 362 ------------------
 .../main/resources/AppConstants.properties    |   7 +
 .../resources/SpringEnvironmentContext.xml    |   9 +-
 .../resources/ldap-role-mapping.properties    |   4 +
 core/src/main/resources/log4j4ibis.xml        |   4 +-
 core/src/main/resources/webSecurityConfig.xml |  77 ----
 .../lifecycle/ServletManagerTest.java         |  32 +-
 webapp/src/main/webapp/WEB-INF/web.xml        |  26 --
 22 files changed, 900 insertions(+), 665 deletions(-)
 create mode 100644 core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/ActiveDirectoryAuthenticator.java
 create mode 100644 core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/AuthenticationType.java
 create mode 100644 core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/IAuthenticator.java
 create mode 100644 core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/InMemoryAuthenticator.java
 create mode 100644 core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/JeeAuthenticator.java
 create mode 100644 core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/NoOpAuthenticator.java
 create mode 100644 core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/ServletAuthenticatorBase.java
 create mode 100644 core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/ServletConfiguration.java
 delete mode 100644 core/src/main/java/nl/nn/adapterframework/webcontrol/LoginFilter.java
 create mode 100644 core/src/main/resources/ldap-role-mapping.properties
 delete mode 100644 core/src/main/resources/webSecurityConfig.xml

diff --git a/core/pom.xml b/core/pom.xml
index 011625988f3..d7cf1c6fbad 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -311,6 +311,11 @@
 			<artifactId>spring-security-config</artifactId>
 			<version>${spring-security.version}</version>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-ldap</artifactId>
+			<version>${spring-security.version}</version>
+		</dependency>
 		<!-- not yet used, note that it depends on Spring 4.3.30 
 		<dependency>
 			<groupId>org.springframework.security.oauth</groupId>
diff --git a/core/src/main/java/nl/nn/adapterframework/lifecycle/HttpSecurityConfigurer.java b/core/src/main/java/nl/nn/adapterframework/lifecycle/HttpSecurityConfigurer.java
index dd4dbc8a71e..ba3b4424abf 100644
--- a/core/src/main/java/nl/nn/adapterframework/lifecycle/HttpSecurityConfigurer.java
+++ b/core/src/main/java/nl/nn/adapterframework/lifecycle/HttpSecurityConfigurer.java
@@ -15,130 +15,29 @@
 */
 package nl.nn.adapterframework.lifecycle;
 
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.ApplicationContext;
-import org.springframework.context.ApplicationContextAware;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.authentication.ProviderManager;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.core.authority.mapping.MappableAttributesRetriever;
-import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
-import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
-import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService;
-import org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource;
-import org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter;
-import org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever;
-import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 
 import lombok.Setter;
-import nl.nn.adapterframework.util.SpringUtils;
-
 
-/**
- * Programmatic configuration of the spring security configuration: webSecurityConfig.xml
- * 
- * <pre><code>
- * 
- * <http use-expressions="true" realm="Frank" authentication-manager-ref="authenticationManager" entry-point-ref="403EntryPoint" pattern="/**">
- * <security:csrf disabled="true" />
- * <security:headers>
- * 	<security:frame-options policy="SAMEORIGIN" />
- * 	<security:content-type-options disabled="true" />
- * </security:headers>
- * <security:custom-filter position="PRE_AUTH_FILTER" ref="jeePreAuthenticatedFilter" />
- * <security:logout />
- * </http>
- * 
- * <authentication-manager alias="authenticationManager">
- * 	<security:authentication-provider ref="j2eeAuthenticationProvider" />
- * </authentication-manager>
- * 
- * </code></pre>
- */
-@Configuration
-@EnableWebSecurity
-@EnableMethodSecurity(jsr250Enabled = true, prePostEnabled = false)
-public class HttpSecurityConfigurer implements ApplicationContextAware, InitializingBean {
+@Order(Ordered.LOWEST_PRECEDENCE)
+@IbisInitializer
+@EnableWebSecurity //Enables Spring Security (classpath)
+@EnableMethodSecurity(jsr250Enabled = true, prePostEnabled = false) //Enables JSR 250 (JAX-RS) annotations
+public class HttpSecurityConfigurer implements InitializingBean {
 
-	private static final String ROLE_PREFIX = "ROLE_"; //see AuthorityAuthorizationManager#ROLE_PREFIX
-	private @Setter ApplicationContext applicationContext;
 	private @Setter @Autowired ServletManager servletManager;
 
-	@Bean
-	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-		if(servletManager.isWebSecurityEnabled()) {
-			http.requestMatcher(AnyRequestMatcher.INSTANCE);
-			AuthenticationManager authManager = getAuthenticationManager(http);
-			http.addFilter(getProcessingFilter(authManager));
-			http.authenticationManager(authManager);
-		} else {
-			http.anonymous().authorities(getDefaultAuthorities());
-		}
-
-		http.headers().frameOptions().sameOrigin();
-		http.csrf().disable();
-		http.logout();
-		return http.build();
-	}
-
-	private List<GrantedAuthority> getDefaultAuthorities() {
-		List<String> ibisRoles = servletManager.getDefaultIbisRoles();
-		List<GrantedAuthority> grantedAuthorities = new ArrayList<>(ibisRoles.size());
-		for (String role : ibisRoles) {
-			grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX + role));
-		}
-		return grantedAuthorities;
-	}
-
-	//see AuthenticationManagerFactoryBean
-	private AuthenticationManager getAuthenticationManager(HttpSecurity http) {
-		AuthenticationProvider provider = getAuthenticationProvider(http);
-		return new ProviderManager(Arrays.<AuthenticationProvider>asList(provider));
-	}
-
-	//see JeeConfigurer.init
-	private PreAuthenticatedAuthenticationProvider getAuthenticationProvider(HttpSecurity http) {
-		PreAuthenticatedAuthenticationProvider authenticationProvider = new PreAuthenticatedAuthenticationProvider();
-		authenticationProvider.setPreAuthenticatedUserDetailsService(new PreAuthenticatedGrantedAuthoritiesUserDetailsService());
-		http.authenticationProvider(authenticationProvider).setSharedObject(AuthenticationEntryPoint.class, new Http403ForbiddenEntryPoint());
-		return authenticationProvider;
-	}
-
-	private J2eePreAuthenticatedProcessingFilter getProcessingFilter(AuthenticationManager authManager) {
-		J2eePreAuthenticatedProcessingFilter filter = new J2eePreAuthenticatedProcessingFilter();
-		filter.setAuthenticationDetailsSource(getAuthenticationDetailsSource());
-		filter.setAuthenticationManager(authManager);
-		return filter;
-	}
-
-	private J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource getAuthenticationDetailsSource() {
-		J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource authenticationDetailSource = new J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource();
-		authenticationDetailSource.setMappableRolesRetriever(getWebXmlSecurityRoles());
-		return authenticationDetailSource;
-	}
-
-	private MappableAttributesRetriever getWebXmlSecurityRoles() {
-		return SpringUtils.createBean(applicationContext, WebXmlMappableAttributesRetriever.class);
-	}
-
 	@Override
 	public void afterPropertiesSet() throws Exception {
 		if(servletManager == null) {
 			throw new IllegalStateException("unable to initialize Spring Security, ServletManager not set");
 		}
+
+		servletManager.startAuthenticators();
 	}
 }
diff --git a/core/src/main/java/nl/nn/adapterframework/lifecycle/ServletManager.java b/core/src/main/java/nl/nn/adapterframework/lifecycle/ServletManager.java
index 28ec7d59250..15a262f1f75 100644
--- a/core/src/main/java/nl/nn/adapterframework/lifecycle/ServletManager.java
+++ b/core/src/main/java/nl/nn/adapterframework/lifecycle/ServletManager.java
@@ -15,12 +15,15 @@
 */
 package nl.nn.adapterframework.lifecycle;
 
+import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
+import java.util.StringTokenizer;
 import java.util.TreeSet;
 
 import javax.servlet.HttpConstraintElement;
@@ -36,10 +39,20 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.Logger;
-
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.ApplicationContextAware;
+
+import lombok.Setter;
+import nl.nn.adapterframework.lifecycle.servlets.AuthenticationType;
+import nl.nn.adapterframework.lifecycle.servlets.IAuthenticator;
+import nl.nn.adapterframework.lifecycle.servlets.JeeAuthenticator;
+import nl.nn.adapterframework.lifecycle.servlets.ServletConfiguration;
 import nl.nn.adapterframework.util.AppConstants;
+import nl.nn.adapterframework.util.ClassUtils;
 import nl.nn.adapterframework.util.EnumUtils;
 import nl.nn.adapterframework.util.LogUtil;
+import nl.nn.adapterframework.util.SpringUtils;
 
 /**
  * <p>
@@ -59,20 +72,23 @@
  * <code>servlet.servlet-name.urlMapping</code> - path the servlet listens to<br/>
  * <code>servlet.servlet-name.loadOnStartup</code> - automatically load or use lazy-loading (affects application startup time)<br/>
  * </p>
+ * NOTE:
+ * Both CONTAINER and NONE are non-configurable default authenticators.
  * 
  * @author Niels Meijer
  *
  */
-public class ServletManager {
+public class ServletManager implements ApplicationContextAware, InitializingBean {
 
 	private ServletContext servletContext = null;
 	private List<String> registeredRoles = new ArrayList<>();
 	private Logger log = LogUtil.getLogger(this);
-	private AppConstants appConstants;
 	private Set<String> servlets = new TreeSet<>();
+	private Map<String, IAuthenticator> authenticators = new HashMap<>();
 	private static boolean webSecurityEnabled = true;
 	private static TransportGuarantee defaultTransportGuarantee = TransportGuarantee.CONFIDENTIAL;
-	private static final List<String> DEFAULT_IBIS_ROLES = Arrays.asList("IbisObserver", "IbisAdmin", "IbisDataAdmin", "IbisTester", "IbisWebService");
+	public static final List<String> DEFAULT_IBIS_ROLES = Arrays.asList("IbisObserver", "IbisAdmin", "IbisDataAdmin", "IbisTester", "IbisWebService");
+	private @Setter ApplicationContext applicationContext;
 
 	protected static final String AUTH_ENABLED_KEY = "application.security.http.authentication";
 	protected static final String HTTPS_ENABLED_KEY = "application.security.http.transportGuarantee";
@@ -87,10 +103,76 @@ public ServletManager(ServletContext servletContext) {
 		//Add the default IBIS roles
 		registeredRoles.addAll(DEFAULT_IBIS_ROLES);
 
-		appConstants = AppConstants.getInstance();
+		AppConstants appConstants = AppConstants.getInstance();
 		setupDefaultSecuritySettings(appConstants);
 	}
 
+	@Override // After initialization but before other servlets are wired
+	public void afterPropertiesSet() throws Exception {
+		addDefaultAuthenticator(AuthenticationType.CONTAINER);
+		addDefaultAuthenticator(AuthenticationType.NONE);
+
+		resolveAuthenticators();
+		log.info("found Authenticators {}", authenticators::values);
+	}
+
+	private void addDefaultAuthenticator(AuthenticationType type) {
+		if(!authenticators.containsKey(type.name())) {
+			Class<? extends IAuthenticator> clazz = type.getAuthenticator().getClass();
+			IAuthenticator authenticator = SpringUtils.createBean(applicationContext, clazz);
+			authenticators.put(type.name(), authenticator);
+		}
+	}
+
+	public void startAuthenticators() {
+		log.info("starting Authenticators {}", authenticators::values);
+		for(IAuthenticator authenticator : authenticators.values()) {
+			authenticator.build();
+		}
+	}
+
+	private void resolveAuthenticators() {
+		StringTokenizer tokenizer = AppConstants.getInstance().getTokenizedProperty("application.security.http.authenticators");
+		while(tokenizer.hasMoreTokens()) {
+			String token = tokenizer.nextToken();
+			if(StringUtils.isNotEmpty(token)) {
+				resolveAndConfigureAuthenticator(token);
+			}
+		}
+	}
+
+	private void resolveAndConfigureAuthenticator(String authenticatorName) {
+		AppConstants appConstants = AppConstants.getInstance();
+		String properyPrefix = "application.security.http.authenticators."+authenticatorName+".";
+		String type = AppConstants.getInstance().getProperty(properyPrefix+"type");
+		AuthenticationType auth = null;
+		try {
+			auth = EnumUtils.parse(AuthenticationType.class, type);
+		} catch (IllegalArgumentException e) {
+			throw new IllegalStateException("invalid authenticator type", e);
+		}
+		Class<? extends IAuthenticator> clazz = auth.getAuthenticator().getClass();
+		IAuthenticator authenticator = SpringUtils.createBean(applicationContext, clazz);
+
+		for(Method method: clazz.getMethods()) {
+			if(!method.getName().startsWith("set") || method.getParameterTypes().length != 1)
+				continue;
+
+			String setter = firstCharToLower(method.getName().substring(3));
+			String value = appConstants.getProperty(properyPrefix+setter);
+			if(StringUtils.isEmpty(value))
+				continue;
+
+			ClassUtils.invokeSetter(authenticator, method, value);
+		}
+
+		authenticators.put(authenticatorName, authenticator);
+	}
+
+	private String firstCharToLower(String input) {
+		return input.substring(0, 1).toLowerCase() + input.substring(1);
+	}
+
 	protected static void setupDefaultSecuritySettings(Properties properties) {
 		boolean isDtapStageLoc = "LOC".equalsIgnoreCase(properties.getProperty("dtap.stage"));
 		String isAuthEnabled = properties.getProperty(AUTH_ENABLED_KEY);
@@ -108,10 +190,14 @@ protected static void setupDefaultSecuritySettings(Properties properties) {
 		}
 	}
 
-	public boolean isWebSecurityEnabled() {
+	public static boolean isWebSecurityEnabled() {
 		return webSecurityEnabled;
 	}
 
+	public static TransportGuarantee getDefaultTransportGuarantee() {
+		return defaultTransportGuarantee;
+	}
+
 	/**
 	 * Register a new role
 	 * @param roleNames String or multiple strings of roleNames to register
@@ -135,48 +221,43 @@ public void register(DynamicRegistration.Servlet servlet) {
 		registerServlet(servlet, parameters);
 	}
 
-	public void register(Servlet servletClass, String servletName, String urlMapping) {
-		registerServlet(servletClass, servletName, urlMapping, new String[0], -1, null);
-	}
-
 	private void registerServlet(DynamicRegistration.Servlet servlet, Map<String, String> parameters) {
-		registerServlet(servlet, servlet.getName(), servlet.getUrlMapping(), servlet.getAccessGrantingRoles(), servlet.loadOnStartUp(), parameters);
-	}
+		ServletConfiguration config = new ServletConfiguration(servlet);
 
-	private void registerServlet(Servlet servlet, String servletName, String urlMapping, String[] roles, int loadOnStartup, Map<String, String> initParameters) {
-		if(servletName.contains(" ")) {
-			throw new IllegalArgumentException("unable to instantiate servlet, servlet name may not contain spaces");
+		registerServlet(servlet, config, parameters);
+
+		String authenticatorName = config.getAuthenticatorName();
+		if(StringUtils.isNotEmpty(authenticatorName)) {
+			IAuthenticator authenticator = authenticators.get(authenticatorName);
+			if(authenticator == null) {
+				throw new IllegalStateException("unable to configure servlet security, authenticator ["+authenticatorName+"] does not exist");
+			}
+			authenticator.registerServlet(config);
 		}
+	}
+
+	private void registerServlet(Servlet servlet, ServletConfiguration config, Map<String, String> initParameters) {
+		String servletName = config.getName();
 		if(servlets.contains(servletName)) {
 			throw new IllegalArgumentException("unable to instantiate servlet, servlet name must be unique");
 		}
 
 		log.info("instantiating IbisInitializer servlet name [{}] servletClass [{}]", servletName, servlet);
 
-		String propertyPrefix = "servlet."+servletName+".";
-		if(!appConstants.getBoolean(propertyPrefix+"enabled", true))
+		if(!config.isEnabled()) {
+			log.info("skip instantiating servlet name [{}] not enabled", servletName);
 			return;
-
-		ServletSecurityElement security = getServletSecurity(propertyPrefix, roles);
-		StringBuilder builder = new StringBuilder("instantiating IbisInitializer servlet ["+servletName+"] using protocol ");
-		builder.append((security.getTransportGuarantee()==TransportGuarantee.CONFIDENTIAL)?"[HTTPS]":"[HTTP]");
-		if(security.getRolesAllowed().length > 0) {
-			builder.append(" and roles " + Arrays.asList(security.getRolesAllowed()));
-		} else if(!"LOC".equalsIgnoreCase(appConstants.getProperty("dtap.stage"))) {
-			builder.append(" with no authentication enabled!");
 		}
-		getServletContext().log(builder.toString());
 
 		ServletRegistration.Dynamic serv = getServletContext().addServlet(servletName, servlet);
 
-		int loadOnStartupCopy = appConstants.getInt(propertyPrefix+"loadOnStartup", loadOnStartup);
-		serv.setLoadOnStartup(loadOnStartupCopy);
-		serv.addMapping(getUrlMapping(propertyPrefix, urlMapping));
-		serv.setServletSecurity(security);
+		serv.setLoadOnStartup(config.getLoadOnStartup());
+		serv.addMapping(config.getUrlMapping().toArray(new String[0]));
+		serv.setServletSecurity(getServletSecurity(config));
 
 		if(initParameters != null && !initParameters.isEmpty()) {
 			//Manually loop through the map as serv.setInitParameters will fail all parameters even if only 1 fails...
-			for (String key : initParameters.keySet()) {
+			for(String key : initParameters.keySet()) {
 				String value = initParameters.get(key);
 				if(!serv.setInitParameter(key, value)) {
 					log("unable to set init-parameter ["+key+"] with value ["+value+"] for servlet ["+servletName+"]", Level.ERROR);
@@ -185,57 +266,29 @@ private void registerServlet(Servlet servlet, String servletName, String urlMapp
 		}
 
 		servlets.add(servletName);
-
-		if(log.isDebugEnabled()) logServletInfo(serv, loadOnStartupCopy);
+		logServletInfo(serv, config);
 	}
 
-	private void logServletInfo(Dynamic serv, int loadOnStartupCopy) {
+	private void logServletInfo(Dynamic serv, ServletConfiguration config) {
 		StringBuilder builder = new StringBuilder("registered");
 		builder.append(" servlet ["+serv.getName()+"]");
-		builder.append(" class ["+serv.getClassName()+"]");
-		builder.append(" url(s) "+serv.getMappings());
-		builder.append(" loadOnStartup ["+loadOnStartupCopy+"]");
-		log.debug(builder.toString());
-	}
+		builder.append(" configuration ");
+		builder.append(config);
 
-	private String[] getUrlMapping(String propertyPrefix, String defaultUrlMappings) {
-		String[] urlMappingsCopy = defaultUrlMappings.split(",");
-		String urlMappingOverride = appConstants.getString(propertyPrefix+"urlMapping", null);
-		if(StringUtils.isNotEmpty(urlMappingOverride)) {
-			urlMappingsCopy = urlMappingOverride.split(",");
-		}
-
-		List<String> mappings = new ArrayList<>();
-		for(String urlMapping : urlMappingsCopy) {
-			String mapping = urlMapping.trim();
-			if(!mapping.startsWith("/") && !mapping.startsWith("*")) {
-				mapping = "/"+mapping;
-			}
-			mappings.add(mapping);
-		}
+		getServletContext().log(builder.toString());
 
-		return mappings.toArray(new String[0]);
+		builder.append(" class ["+serv.getClassName()+"]");
+		log.debug(builder.toString());
 	}
 
-	private ServletSecurityElement getServletSecurity(String propertyPrefix, String[] defaultRoles) {
-		String[] rolesCopy = new String[0];
-		if(defaultRoles != null && webSecurityEnabled) {
-			rolesCopy = defaultRoles;
+	private ServletSecurityElement getServletSecurity(ServletConfiguration config) {
+		String[] roles = new String[0];
+		if(config.isAuthenticationEnabled() && authenticators.get(config.getAuthenticatorName()) instanceof JeeAuthenticator) {// Only add roles when using  Container Based Authentication
+			roles = config.getSecurityRoles().toArray(new String[0]);
+			declareRoles(roles);
 		}
+		HttpConstraintElement httpConstraintElement = new HttpConstraintElement(config.getTransportGuarantee(), roles);
 
-		String roleNames = appConstants.getString(propertyPrefix+"securityroles", null);
-		if(StringUtils.isNotEmpty(roleNames)) {
-			log.warn("property ["+propertyPrefix+"securityroles] has been replaced with ["+propertyPrefix+"securityRoles"+"]");
-		}
-		roleNames = appConstants.getString(propertyPrefix+"securityRoles", roleNames);
-
-		if(StringUtils.isNotEmpty(roleNames)) {
-			rolesCopy = roleNames.split(",");
-		}
-		declareRoles(rolesCopy);
-
-		TransportGuarantee transportGuarantee = getTransportGuarantee(propertyPrefix+"transportGuarantee");
-		HttpConstraintElement httpConstraintElement = new HttpConstraintElement(transportGuarantee, rolesCopy);
 		return new ServletSecurityElement(httpConstraintElement);
 	}
 
@@ -254,8 +307,4 @@ public static ServletSecurity.TransportGuarantee getTransportGuarantee(String pr
 		}
 		return defaultTransportGuarantee;
 	}
-
-	public List<String> getDefaultIbisRoles() {
-		return DEFAULT_IBIS_ROLES;
-	}
 }
diff --git a/core/src/main/java/nl/nn/adapterframework/lifecycle/VerifyServerSecurityBean.java b/core/src/main/java/nl/nn/adapterframework/lifecycle/VerifyServerSecurityBean.java
index 624bd35a830..da9f616a2cb 100644
--- a/core/src/main/java/nl/nn/adapterframework/lifecycle/VerifyServerSecurityBean.java
+++ b/core/src/main/java/nl/nn/adapterframework/lifecycle/VerifyServerSecurityBean.java
@@ -27,16 +27,15 @@
 public class VerifyServerSecurityBean implements InitializingBean {
 
 	private Logger log = LogUtil.getLogger(this);
-	private ServletManager servletManager;
 
 	@Autowired
 	public void setServletManager(ServletManager servletManager) {
-		this.servletManager = servletManager;
+		//Ensure this bean is loaded after the ServletManager has been instantiated
 	}
 
 	@Override
 	public void afterPropertiesSet() {
-		if(!servletManager.isWebSecurityEnabled()) {
+		if(!ServletManager.isWebSecurityEnabled()) {
 			AppConstants appConstants = AppConstants.getInstance();
 			boolean isDtapStageLoc = "LOC".equalsIgnoreCase(appConstants.getProperty("dtap.stage"));
 			if(appConstants.getBoolean("security.constraint.warning", !isDtapStageLoc)) {
diff --git a/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/ActiveDirectoryAuthenticator.java b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/ActiveDirectoryAuthenticator.java
new file mode 100644
index 00000000000..a96d496adc0
--- /dev/null
+++ b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/ActiveDirectoryAuthenticator.java
@@ -0,0 +1,134 @@
+/*
+   Copyright 2022 WeAreFrank!
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+package nl.nn.adapterframework.lifecycle.servlets;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import javax.naming.Context;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
+import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
+import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
+import org.springframework.security.web.SecurityFilterChain;
+
+import lombok.Setter;
+import nl.nn.adapterframework.util.AppConstants;
+import nl.nn.adapterframework.util.ClassUtils;
+import nl.nn.adapterframework.util.StringResolver;
+
+public class ActiveDirectoryAuthenticator extends ServletAuthenticatorBase implements InitializingBean {
+
+	private @Setter String domainName = null;
+	/** LDAP server endpoint, eg: ldap://10.1.2.3 */
+	private @Setter String url = AppConstants.getInstance().getProperty("ldap.auth.url");
+	/** Domain root DN, eg: DC=company,DC=org */
+	private @Setter String baseDn = AppConstants.getInstance().getProperty("ldap.auth.user.base");
+	private @Setter boolean followReferrals = true;
+	/** defaults to (&(objectClass=user)(userPrincipalName={0})) */
+	private @Setter String searchFilter = null;
+
+	private @Setter String roleMappingFile = "ldap-role-mapping.properties";
+	private URL roleMappingURL = null;
+
+	@Override
+	public SecurityFilterChain configure(HttpSecurity http) throws Exception {
+		if(StringUtils.isEmpty(url)) {
+			throw new IllegalArgumentException("url may not be empty");
+		}
+
+		ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(domainName, url, baseDn);
+		provider.setConvertSubErrorCodesToExceptions(log.isDebugEnabled());
+
+		if(StringUtils.isNotEmpty(searchFilter)) provider.setSearchFilter(searchFilter);
+		Map<String, Object> environment = new HashMap<>();
+		if(followReferrals) environment.put(Context.REFERRAL, "follow");
+		provider.setContextEnvironmentProperties(environment);
+
+		LdapUserDetailsMapper roleMapper = new LdapUserDetailsMapper();
+		roleMapper.setRoleAttributes("memberOf".split(" "));
+		roleMapper.setConvertToUpperCase(false);
+		roleMapper.setRolePrefix("");
+		provider.setUserDetailsContextMapper(roleMapper);
+
+		provider.setAuthoritiesMapper(new LdapAuthorityMapper(roleMappingURL));
+
+		http.authenticationProvider(provider);
+		String realmName = StringUtils.isNotEmpty(domainName) ? domainName : url;
+		http.httpBasic().realmName(realmName);
+		return http.build();
+	}
+
+	public class LdapAuthorityMapper implements GrantedAuthoritiesMapper {
+		Map<String, SimpleGrantedAuthority> roleToAuthorityMapping = new HashMap<>();
+
+		public LdapAuthorityMapper(URL roleMappingURL) throws IOException {
+			Properties roleMappingProperties = new Properties();
+			try(InputStream stream = roleMappingURL.openStream()) {
+				roleMappingProperties.load(stream);
+			} catch (IOException e) {
+				throw new IOException("unable to open LDAP role-mapping file ["+roleMappingFile+"]", e);
+			}
+
+			for(String role : getSecurityRoles()) {
+				String value = roleMappingProperties.getProperty(role);
+				if(StringUtils.isEmpty(value)) {
+					log.warn("LDAP role [{}] has not been mapped to anything, ignoring this role", role);
+					continue;
+				}
+
+				String resolvedValue = StringResolver.substVars(value, AppConstants.getInstance());
+				if(StringUtils.isNotEmpty(role) && StringUtils.isNotEmpty(resolvedValue)) {
+					roleToAuthorityMapping.put(resolvedValue, new SimpleGrantedAuthority("ROLE_"+role));
+				}
+			}
+		}
+
+		@Override
+		public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
+			List<GrantedAuthority> mappedAuthorities = new ArrayList<>();
+			for(GrantedAuthority grantedAuthority : authorities) {
+				String canonicalRoleName = grantedAuthority.getAuthority();
+				SimpleGrantedAuthority authority = roleToAuthorityMapping.get(canonicalRoleName);
+				if(authority != null) {
+					mappedAuthorities.add(authority);
+				}
+			}
+			return mappedAuthorities;
+		}
+	}
+
+	@Override
+	public void afterPropertiesSet() throws FileNotFoundException {
+		roleMappingURL = ClassUtils.getResourceURL(roleMappingFile);
+		if(roleMappingURL == null) {
+			throw new FileNotFoundException("unable to find LDAP role-mapping file ["+roleMappingFile+"]");
+		}
+	}
+}
diff --git a/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/AuthenticationType.java b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/AuthenticationType.java
new file mode 100644
index 00000000000..4430391db46
--- /dev/null
+++ b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/AuthenticationType.java
@@ -0,0 +1,36 @@
+/*
+   Copyright 2022 WeAreFrank!
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+package nl.nn.adapterframework.lifecycle.servlets;
+
+import lombok.Getter;
+
+//LdapAuthenticationProvider
+public enum AuthenticationType {
+	AD(ActiveDirectoryAuthenticator.class),
+	CONTAINER(JeeAuthenticator.class),
+	IN_MEMORY(InMemoryAuthenticator.class),
+	NONE(NoOpAuthenticator.class);
+
+	private final @Getter IAuthenticator authenticator;
+
+	private AuthenticationType(Class<? extends IAuthenticator> clazz) {
+		try {
+			authenticator = clazz.newInstance();
+		} catch (InstantiationException | IllegalAccessException e) {
+			throw new IllegalStateException(e);
+		}
+	}
+}
diff --git a/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/IAuthenticator.java b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/IAuthenticator.java
new file mode 100644
index 00000000000..016499350a5
--- /dev/null
+++ b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/IAuthenticator.java
@@ -0,0 +1,24 @@
+/*
+   Copyright 2022 WeAreFrank!
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+ */
+package nl.nn.adapterframework.lifecycle.servlets;
+
+//SecurityContextHolder.getContext().getAuthentication(); can be used to retrieve the username (when available)
+public interface IAuthenticator {
+
+	void registerServlet(ServletConfiguration config);
+
+	void build();
+}
diff --git a/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/InMemoryAuthenticator.java b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/InMemoryAuthenticator.java
new file mode 100644
index 00000000000..ad398a3d897
--- /dev/null
+++ b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/InMemoryAuthenticator.java
@@ -0,0 +1,59 @@
+/*
+   Copyright 2022 WeAreFrank!
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+package nl.nn.adapterframework.lifecycle.servlets;
+
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+
+import lombok.Setter;
+
+/*
+	<authentication-manager alias="inMemoryAuthManager">
+		<security:authentication-provider>
+			<security:user-service>
+				<security:user name="IbisTester123" password="IbisTester" authorities="IbisTester"/>
+			</security:user-service>
+			<security:password-encoder ref="passwordEncoder" />
+		</security:authentication-provider>
+	</authentication-manager>
+	<beans:bean id="passwordEncoder" class = "org.springframework.security.crypto.password.NoOpPasswordEncoder" factory-method = "getInstance"/>
+ */
+public class InMemoryAuthenticator extends ServletAuthenticatorBase {
+	private @Setter String username = null;
+	private @Setter String password = null;
+
+	@Override
+	public SecurityFilterChain configure(HttpSecurity http) throws Exception {
+		http.httpBasic().realmName("InMemoryAuthenticator"); //BasicAuthenticationEntryPoint
+		http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+
+		UserDetails user = User.builder()
+				.username(username)
+				.password("{noop}"+password)
+				.roles(getSecurityRoles().toArray(new String[0]))
+				.build();
+
+		InMemoryUserDetailsManager udm = new InMemoryUserDetailsManager(user);
+		http.userDetailsService(udm);
+
+		return http.build();
+	}
+
+}
diff --git a/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/JeeAuthenticator.java b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/JeeAuthenticator.java
new file mode 100644
index 00000000000..2123d40591e
--- /dev/null
+++ b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/JeeAuthenticator.java
@@ -0,0 +1,112 @@
+/*
+   Copyright 2022 WeAreFrank!
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+package nl.nn.adapterframework.lifecycle.servlets;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.JeeConfigurer;
+import org.springframework.security.core.authority.mapping.MappableAttributesRetriever;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService;
+import org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource;
+import org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter;
+import org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever;
+
+import nl.nn.adapterframework.util.SpringUtils;
+
+/* https://docs.spring.io/spring-security/site/docs/3.0.x/reference/introduction.html
+ * https://stackoverflow.com/questions/9831268/how-to-use-j2eepreauthenticatedprocessingfilter-and-a-custom-authentication-prov
+ * https://docs.spring.io/spring-security/site/docs/3.0.x/reference/authz-arch.html
+ */
+public class JeeAuthenticator extends ServletAuthenticatorBase {
+
+	@Override
+	public SecurityFilterChain configure(HttpSecurity http) throws Exception {
+		AuthenticationManager authManager = getAuthenticationManager(http);
+		http.addFilter(getProcessingFilter(authManager));
+		http.authenticationManager(authManager);
+		return http.build();
+	}
+
+	//see AuthenticationManagerFactoryBean
+	private AuthenticationManager getAuthenticationManager(HttpSecurity http) {
+		AuthenticationProvider provider = getAuthenticationProvider(http);
+		return new ProviderManager(Arrays.asList(provider));
+	}
+
+	/**
+	 * The J2EE authentication provider. The JeeConfigurer isn't used because of the custom AuthenticationDetailsSource.
+	 * See {@link JeeConfigurer#init(org.springframework.security.config.annotation.web.HttpSecurityBuilder)}
+	 */
+	private PreAuthenticatedAuthenticationProvider getAuthenticationProvider(HttpSecurity http) {
+		PreAuthenticatedAuthenticationProvider authenticationProvider = new PreAuthenticatedAuthenticationProvider(); // Converts the AuthenticationToken into UserDetails
+		authenticationProvider.setPreAuthenticatedUserDetailsService(new PreAuthenticatedGrantedAuthoritiesUserDetailsService());
+		http.authenticationProvider(authenticationProvider).setSharedObject(AuthenticationEntryPoint.class, getEntryPoint());
+		return authenticationProvider;
+	}
+
+	//When using JEE the container authenticates clients (401) we therefore only have to authorize them. If not authorized, return a 403.
+	private AuthenticationEntryPoint getEntryPoint() {
+		return new Http403ForbiddenEntryPoint();
+	}
+
+	// Checks if the user has been logged in and returns the HttpRequest.getUserPrincipal
+	private J2eePreAuthenticatedProcessingFilter getProcessingFilter(AuthenticationManager authManager) {
+		J2eePreAuthenticatedProcessingFilter filter = new J2eePreAuthenticatedProcessingFilter();
+		filter.setAuthenticationDetailsSource(getAuthenticationDetailsSource());
+		filter.setAuthenticationManager(authManager);
+		return filter;
+	}
+
+	// Checks which roles the user(principal) has by performing HttpRequest.isUserInRole
+	private J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource getAuthenticationDetailsSource() {
+		J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource authenticationDetailSource = new J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource();
+		authenticationDetailSource.setMappableRolesRetriever(getWebXmlSecurityRoles());
+		return authenticationDetailSource;
+	}
+
+	// Reads the web.xml file 'security-roles'
+	private MappableAttributesRetriever getWebXmlSecurityRoles() {
+		DelegatedMappableAttributesRetriever attributeRetriever = new DelegatedMappableAttributesRetriever();
+		MappableAttributesRetriever webXml = SpringUtils.createBean(getApplicationContext(), WebXmlMappableAttributesRetriever.class);
+		attributeRetriever.addMappableAttributes(webXml.getMappableAttributes());
+		attributeRetriever.addMappableAttributes(new HashSet<>(getSecurityRoles()));
+		return attributeRetriever;
+	}
+
+	public static class DelegatedMappableAttributesRetriever implements MappableAttributesRetriever {
+
+		private Set<String> mappableAttributes = new HashSet<>();
+
+		@Override
+		public Set<String> getMappableAttributes() {
+			return mappableAttributes;
+		}
+
+		public void addMappableAttributes(Set<String> mappableAttributes) {
+			this.mappableAttributes.addAll(mappableAttributes);
+		}
+	}
+}
diff --git a/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/NoOpAuthenticator.java b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/NoOpAuthenticator.java
new file mode 100644
index 00000000000..13cb58d2bc9
--- /dev/null
+++ b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/NoOpAuthenticator.java
@@ -0,0 +1,43 @@
+/*
+   Copyright 2022 WeAreFrank!
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+package nl.nn.adapterframework.lifecycle.servlets;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.web.SecurityFilterChain;
+
+public class NoOpAuthenticator extends ServletAuthenticatorBase {
+	private static final String ROLE_PREFIX = "ROLE_"; //see AuthorityAuthorizationManager#ROLE_PREFIX
+
+	@Override
+	public SecurityFilterChain configure(HttpSecurity http) throws Exception {
+		http.anonymous().authorities(getAuthorities());
+		return http.build();
+	}
+
+	private List<GrantedAuthority> getAuthorities() {
+		List<String> securityRoles = getSecurityRoles();
+		List<GrantedAuthority> grantedAuthorities = new ArrayList<>(securityRoles.size());
+		for (String role : securityRoles) {
+			grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX + role));
+		}
+		return grantedAuthorities;
+	}
+}
diff --git a/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/ServletAuthenticatorBase.java b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/ServletAuthenticatorBase.java
new file mode 100644
index 00000000000..8c3c8a6979a
--- /dev/null
+++ b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/ServletAuthenticatorBase.java
@@ -0,0 +1,130 @@
+/*
+   Copyright 2022 WeAreFrank!
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+package nl.nn.adapterframework.lifecycle.servlets;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.logging.log4j.Logger;
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.ApplicationContextAware;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+import lombok.Getter;
+import nl.nn.adapterframework.lifecycle.ServletManager;
+import nl.nn.adapterframework.util.LogUtil;
+
+public abstract class ServletAuthenticatorBase implements IAuthenticator, ApplicationContextAware {
+	private static final String HTTP_SECURITY_BEAN_NAME = "org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration.httpSecurity";
+
+	protected final Logger log = LogUtil.getLogger(this);
+
+	private @Getter ApplicationContext applicationContext;
+	private @Getter Set<String> endpoints = new HashSet<>();
+	private @Getter List<String> securityRoles = new ArrayList<>();
+
+	@Override
+	public final void setApplicationContext(ApplicationContext applicationContext) {
+		this.applicationContext = applicationContext;
+	}
+
+	@Override
+	public final void registerServlet(ServletConfiguration config) {
+		setEndpoints(config.getUrlMapping());
+		setSecurityRoles(config.getSecurityRoles());
+	}
+
+	private void setSecurityRoles(List<String> securityRoles) {
+		if(securityRoles == null || securityRoles.isEmpty()) {
+			securityRoles = ServletManager.DEFAULT_IBIS_ROLES;
+		}
+		this.securityRoles.addAll(securityRoles);
+	}
+
+	private void setEndpoints(List<String> urlMappings) {
+		for(String url : urlMappings) {
+			String matcherUrl = url;
+			if(url.endsWith("*")) {
+				matcherUrl = url+"*";
+			}
+
+			if(endpoints.contains(matcherUrl)) {
+				throw new IllegalStateException("endpoint already configured");
+			}
+
+			log.info("registering url [{}] with lookup pattern [{}]", url, matcherUrl);
+			endpoints.add(matcherUrl);
+		}
+	}
+
+	@Override
+	public void build() {
+		if(applicationContext == null) {
+			throw new IllegalStateException("Authenticator is not wired through local BeanFactory");
+		}
+		if(endpoints.isEmpty()) { //No servlets registered so no need to build/enable this Authenticator
+			log.info("no url matchers found, ignoring Authenticator [{}]", this::getClass);
+			return;
+		}
+
+		ConfigurableListableBeanFactory beanFactory = ((ConfigurableApplicationContext)applicationContext).getBeanFactory();
+		String name = "HttpSecurityChain-"+this.getClass().getSimpleName();
+
+		//Register the SecurityFilter in the (WebXml)BeanFactory so the WebSecurityConfiguration can configure them
+		beanFactory.registerSingleton(name, createSecurityFilterChain());
+	}
+
+	private SecurityFilterChain createSecurityFilterChain() {
+		HttpSecurity httpSecurityConfigurer = applicationContext.getBean(HTTP_SECURITY_BEAN_NAME, HttpSecurity.class);
+		return configureHttpSecurity(httpSecurityConfigurer);
+	}
+
+	private SecurityFilterChain configureHttpSecurity(HttpSecurity http) {
+		try {
+			//Apply defaults to disable bloated filters, see DefaultSecurityFilterChain.getFilters for the actual list.
+			http.headers().frameOptions().sameOrigin(); //Allow same origin iframe request
+			http.csrf().disable();
+			http.requestMatcher(getRequestMatcher());
+			http.formLogin().disable(); //Disable the form login filter
+			http.anonymous().disable(); //Disable the default anonymous filter
+			http.logout().disable(); //Disable the logout endpoint on every filter
+//			http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); //Disables cookies
+
+			return configure(http);
+		} catch (Exception e) {
+			throw new IllegalStateException("unable to configure Spring Security", e);
+		}
+	}
+
+	/** Before building it configures the Chain. */
+	protected abstract SecurityFilterChain configure(HttpSecurity http) throws Exception;
+
+	private RequestMatcher getRequestMatcher() {
+		List<RequestMatcher> requestMatchers = new ArrayList<>();
+		for(String url : endpoints) {
+			requestMatchers.add(new AntPathRequestMatcher(url, null, false));
+		}
+		return (requestMatchers.size() == 1) ? requestMatchers.get(0) : new OrRequestMatcher(requestMatchers);
+	}
+}
diff --git a/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/ServletConfiguration.java b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/ServletConfiguration.java
new file mode 100644
index 00000000000..a0864e87c86
--- /dev/null
+++ b/core/src/main/java/nl/nn/adapterframework/lifecycle/servlets/ServletConfiguration.java
@@ -0,0 +1,149 @@
+/*
+   Copyright 2022 WeAreFrank!
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+package nl.nn.adapterframework.lifecycle.servlets;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.logging.log4j.Logger;
+
+import lombok.Getter;
+import nl.nn.adapterframework.lifecycle.DynamicRegistration.Servlet;
+import nl.nn.adapterframework.lifecycle.ServletManager;
+import nl.nn.adapterframework.util.AppConstants;
+import nl.nn.adapterframework.util.EnumUtils;
+import nl.nn.adapterframework.util.LogUtil;
+
+//servlets:
+//  IAF-API:
+//    transportGuarantee: NONE
+//    securityRoles:
+//      - IbisObserver
+//      - IbisDataAdmin
+//      - IbisAdmin
+//      - IbisTester
+//    urlMapping: iaf/api/*
+//    loadOnStartup: 0
+//    authenticator: myAuthenticatorID
+public class ServletConfiguration {
+	private AppConstants appConstants = AppConstants.getInstance();
+	private Logger log = LogUtil.getLogger(this);
+
+	private final @Getter String name;
+	private @Getter List<String> securityRoles;
+	private @Getter List<String> urlMapping;
+	private @Getter int loadOnStartup = -1;
+	private @Getter boolean enabled = true;
+	private @Getter TransportGuarantee transportGuarantee;
+	private @Getter String authenticatorName = null;
+
+	public ServletConfiguration(Servlet servlet) {
+		this.name = servlet.getName();
+		if(this.name.contains(" ")) {
+			throw new IllegalArgumentException("unable to instantiate servlet, servlet name may not contain spaces");
+		}
+
+		this.urlMapping = configureUrlMapping(servlet.getUrlMapping());
+		this.securityRoles = servlet.getAccessGrantingRoles() == null ? Collections.emptyList() : Arrays.asList(servlet.getAccessGrantingRoles());
+		this.loadOnStartup = servlet.loadOnStartUp();
+
+		defaultSecuritySettings();
+		loadProperties();
+
+		if(urlMapping.isEmpty()) {
+			throw new IllegalStateException("servlet must have an URL to map to");
+		}
+	}
+
+	public boolean isAuthenticationEnabled() {
+		return !securityRoles.isEmpty() && !"NONE".equals(authenticatorName);
+	}
+
+	private void defaultSecuritySettings() {
+		transportGuarantee = ServletManager.getDefaultTransportGuarantee();
+		AuthenticationType defaultType = ServletManager.isWebSecurityEnabled() ? AuthenticationType.CONTAINER : AuthenticationType.NONE;
+		authenticatorName = defaultType.name();
+	}
+
+	private void loadProperties() {
+		String propertyPrefix = "servlet."+name+".";
+
+		this.enabled = appConstants.getBoolean(propertyPrefix+"enabled", enabled);
+		configureServletSecurity(propertyPrefix);
+		String constraintType = appConstants.getString(propertyPrefix+"transportGuarantee", null);
+		if(StringUtils.isNotEmpty(constraintType)) {
+			this.transportGuarantee = EnumUtils.parse(TransportGuarantee.class, constraintType);
+		}
+		this.loadOnStartup = appConstants.getInt(propertyPrefix+"loadOnStartup", loadOnStartup);
+		String mapping = appConstants.getString(propertyPrefix+"urlMapping", null);
+		if(StringUtils.isNotEmpty(mapping)) {
+			this.urlMapping = configureUrlMapping(mapping);
+		}
+		this.authenticatorName = appConstants.getString(propertyPrefix+"authenticator", authenticatorName);
+	}
+
+	private void configureServletSecurity(String propertyPrefix) {
+		String roleNames = appConstants.getString(propertyPrefix+"securityroles", null);
+		if(StringUtils.isNotEmpty(roleNames)) {
+			log.warn("property ["+propertyPrefix+"securityroles] has been replaced with ["+propertyPrefix+"securityRoles"+"]");
+		}
+		roleNames = appConstants.getString(propertyPrefix+"securityRoles", roleNames);
+
+		if(StringUtils.isNotEmpty(roleNames)) {
+			String[] rolesCopy = roleNames.split(",");
+			securityRoles = Arrays.asList(rolesCopy);
+		}
+	}
+
+	private List<String> configureUrlMapping(String urlMappingArray) {
+		String[] urlMappingsCopy = new String[0];
+		if(StringUtils.isNotEmpty(urlMappingArray)) {
+			urlMappingsCopy = urlMappingArray.split(",");
+		}
+
+		List<String> mappings = new ArrayList<>();
+		for(String rawMapping : urlMappingsCopy) {
+			String mapping = rawMapping.trim();
+			if(!mapping.startsWith("/") && !mapping.startsWith("*")) {
+				mapping = "/"+mapping;
+			}
+			mappings.add(mapping);
+		}
+
+		return mappings;
+	}
+
+	@Override
+	public String toString() {
+		StringBuilder builder = new StringBuilder(" servlet ["+name+"]");
+		builder.append(" url(s) "+urlMapping);
+		builder.append(" loadOnStartup ["+loadOnStartup+"]");
+		builder.append(" protocol "+(transportGuarantee==TransportGuarantee.CONFIDENTIAL?"[HTTPS]":"[HTTP]"));
+		builder.append(" authenticatior ["+authenticatorName+"]");
+
+		if(isAuthenticationEnabled()) {
+			builder.append(" roles "+getSecurityRoles());
+		} else {
+			builder.append(" with no authentication enabled!");
+		}
+		return builder.toString();
+	}
+}
diff --git a/core/src/main/java/nl/nn/adapterframework/util/ClassUtils.java b/core/src/main/java/nl/nn/adapterframework/util/ClassUtils.java
index 3e17d842eae..36d0f7be7e4 100644
--- a/core/src/main/java/nl/nn/adapterframework/util/ClassUtils.java
+++ b/core/src/main/java/nl/nn/adapterframework/util/ClassUtils.java
@@ -294,6 +294,31 @@ public static String classNameOf(Object o) {
 		return simpleName;
 	}
 
+	public static void invokeSetter(Object bean, Method method, String valueToSet) {
+		if(!method.getName().startsWith("set") || method.getParameterTypes().length != 1) {
+			throw new IllegalArgumentException("method must start with [set] and may only contain [1] parameter");
+		}
+
+		try {//Only always grab the first value because we explicitly check method.getParameterTypes().length != 1
+			Object castValue = castAsType(method.getParameterTypes()[0], valueToSet);
+			if(log.isDebugEnabled()) log.debug("trying to set method ["+method.getName()+"] with value ["+valueToSet+"] of type ["+castValue.getClass().getCanonicalName()+"] on ["+ClassUtils.nameOf(bean)+"]");
+
+			method.invoke(bean, castValue);
+		} catch (Exception e) {
+			throw new IllegalArgumentException("error while calling method ["+method.getName()+"] on ["+ClassUtils.nameOf(bean)+"]", e);
+		}
+	}
+
+	private static Object castAsType(Class<?> type, String value) {
+		String className = type.getName().toLowerCase();
+		if("boolean".equals(className))
+			return Boolean.parseBoolean(value);
+		else if("int".equals(className) || "integer".equals(className))
+			return Integer.parseInt(value);
+		else
+			return value;
+	}
+
 	public static void invokeSetter(Object o, String name, Object value) throws SecurityException, NoSuchMethodException, IllegalArgumentException, IllegalAccessException, InvocationTargetException {
 		invokeSetter(o, name, value, value.getClass());
 	}
diff --git a/core/src/main/java/nl/nn/adapterframework/webcontrol/DummySSLSocketFactory.java b/core/src/main/java/nl/nn/adapterframework/webcontrol/DummySSLSocketFactory.java
index e31459de855..3acaed5264f 100644
--- a/core/src/main/java/nl/nn/adapterframework/webcontrol/DummySSLSocketFactory.java
+++ b/core/src/main/java/nl/nn/adapterframework/webcontrol/DummySSLSocketFactory.java
@@ -27,7 +27,7 @@
 import javax.net.ssl.X509TrustManager;
 
 /**
- * Dummy SSLSocketFactory for LoginFilter.
+ * Dummy SSLSocketFactory for LdapFindMemberPipe.
  * 
  * (to avoid java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty).
  * 
diff --git a/core/src/main/java/nl/nn/adapterframework/webcontrol/LoginFilter.java b/core/src/main/java/nl/nn/adapterframework/webcontrol/LoginFilter.java
deleted file mode 100644
index f7be1241615..00000000000
--- a/core/src/main/java/nl/nn/adapterframework/webcontrol/LoginFilter.java
+++ /dev/null
@@ -1,362 +0,0 @@
-/*
-   Copyright 2013 Nationale-Nederlanden
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
- */
-package nl.nn.adapterframework.webcontrol;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Hashtable;
-import java.util.List;
-
-import javax.naming.AuthenticationException;
-import javax.naming.CommunicationException;
-import javax.naming.Context;
-import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.DirContext;
-import javax.naming.directory.InitialDirContext;
-import javax.naming.ldap.InitialLdapContext;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import nl.nn.adapterframework.util.AppConstants;
-import nl.nn.adapterframework.util.FileUtils;
-import nl.nn.adapterframework.util.LogUtil;
-import nl.nn.adapterframework.util.Misc;
-
-import org.apache.commons.codec.binary.Base64;
-import org.apache.logging.log4j.Logger;
-
-/**
- * Java Servlet Filter as security constraints workaround for non Websphere
- * Application Servers.
- *
- * <p><b>Properties to set:</b>
- * <table border="1">
- * <tr><th>name</th><th>description</th><th>default</th></tr>
- * <tr><td>ldap.auth.mode</td><td>Defines security contraints behaviour. Possible values are:
- *   <table border="1">
- *   <tr><td>None</td><td>no security constraints, all pages are accessible</td></tr>
- *   <tr><td>Simple</td><td>all IbisObserver pages are accessible</td></tr>
- *   <tr><td>Basic</td><td>all IbisObserver pages are accessible, but only when the user has been authenticated</td></tr>
- *   <tr><td>Full</td><td>all IbisObserver and IbisDataAdmin pages are accessible, but only when the user has been authenticated and authorized</td></tr>
- *  </table></td><td>None</td></tr>
- * <tr><td>ldap.auth.url</td><td>URL to the LDAP server</td><td>&nbsp;</td></tr>
- * <tr><td>ldap.auth.user.base</td><td>LDAP DN for the username</td><td>&nbsp;</td></tr>
- * <tr><td>ldap.auth.observer.base</td><td>LDAP DN to authorize user for IbisObserver</td><td>&nbsp;</td></tr>
- * <tr><td>ldap.auth.dataadmin.base</td><td>LDAP DN to authorize user for IbisDataAdmin</td><td>&nbsp;</td></tr>
- * <tr><td>ldap.auth.tester.base</td><td>LDAP DN to authorize user for IbisTester</td><td>&nbsp;</td></tr>
- * </table>
- * </p>
- * 
- * @author Peter Leeuwenburgh
- */
-
-public class LoginFilter implements Filter {
-	protected Logger log = LogUtil.getLogger(this);
-
-	protected static final String LDAP_AUTH_MODE_NONE_STR = "None";
-	protected static final String LDAP_AUTH_MODE_SIMPLE_STR = "Simple";
-	protected static final String LDAP_AUTH_MODE_BASIC_STR = "Basic";
-	protected static final String LDAP_AUTH_MODE_FULL_STR = "Full";
-
-	protected static final int LDAP_AUTH_MODE_NONE = 0;
-	protected static final int LDAP_AUTH_MODE_SIMPLE = 1;
-	protected static final int LDAP_AUTH_MODE_BASIC = 2;
-	protected static final int LDAP_AUTH_MODE_FULL = 3;
-
-	protected static final String ldapAuthModes[] = { LDAP_AUTH_MODE_NONE_STR,
-			LDAP_AUTH_MODE_SIMPLE_STR, LDAP_AUTH_MODE_BASIC_STR,
-			LDAP_AUTH_MODE_FULL_STR };
-
-	protected static final int ldapAuthModeNums[] = { LDAP_AUTH_MODE_NONE,
-			LDAP_AUTH_MODE_SIMPLE, LDAP_AUTH_MODE_BASIC, LDAP_AUTH_MODE_FULL };
-
-	protected static final String AUTH_PATH_MODE_OBSERVER = "Observer";
-	protected static final String AUTH_PATH_MODE_DATAADMIN = "DataAdmin";
-	protected static final String AUTH_PATH_MODE_TESTER = "Tester";
-
-	protected String dtapStage;
-	protected String instanceName;
-	protected int ldapAuthModeNum;
-	protected String ldapAuthUrl;
-	protected String ldapAuthUserBase;
-	protected String ldapAuthObserverBase;
-	protected String ldapAuthDataAdminBase;
-	protected String ldapAuthTesterBase;
-	protected final List<String> allowedExtensions = new ArrayList<String>();
-	protected final List<String> allowedObserverPaths = new ArrayList<String>();
-	protected final List<String> allowedDataAdminPaths = new ArrayList<String>();
-	protected final List<String> allowedTesterPaths = new ArrayList<String>();
-
-	@Override
-	public void init(FilterConfig filterConfig) throws ServletException {
-		AppConstants appConstants = AppConstants.getInstance();
-		dtapStage = appConstants.getResolvedProperty("dtap.stage");
-		instanceName = appConstants.getResolvedProperty("instance.name");
-
-		String ldapAuthMode = appConstants.getString("ldap.auth.mode", LDAP_AUTH_MODE_NONE_STR);
-		ldapAuthModeNum = getLdapAuthModeNum(ldapAuthMode);
-		if (ldapAuthModeNum < 0) {
-			log.warn("Unknown ldapAuthMode [" + ldapAuthMode + "], will use [" + LDAP_AUTH_MODE_NONE_STR + "]");
-			ldapAuthModeNum = 0;
-		}
-
-		if (ldapAuthModeNum >= LDAP_AUTH_MODE_SIMPLE) {
-			String allowedExtensionsString = filterConfig.getInitParameter("allowedExtensions");
-			if (allowedExtensionsString != null) {
-				allowedExtensions.addAll(Arrays.asList(allowedExtensionsString.split("\\s+")));
-			}
-
-			String allowedObserverPathsString = filterConfig.getInitParameter("allowedObserverPaths");
-			if (allowedObserverPathsString != null) {
-				allowedObserverPaths.addAll(Arrays.asList(allowedObserverPathsString.split("\\s+")));
-			}
-
-			String allowedDataAdminPathsString = filterConfig.getInitParameter("allowedDataAdminPaths");
-			if (allowedDataAdminPathsString != null) {
-				allowedDataAdminPaths.addAll(Arrays.asList(allowedDataAdminPathsString.split("\\s+")));
-			}
-
-			String allowedTesterPathsString = filterConfig.getInitParameter("allowedTesterPaths");
-			if (allowedTesterPathsString != null) {
-				allowedTesterPaths.addAll(Arrays.asList(allowedTesterPathsString.split("\\s+")));
-			}
-
-			if (ldapAuthModeNum >= LDAP_AUTH_MODE_BASIC) {
-				ldapAuthUrl = appConstants.getResolvedProperty("ldap.auth.url");
-				if (ldapAuthUrl == null) {
-					String ldapAuthUrlProp = "ldap.auth." + dtapStage.toLowerCase() + ".url";
-					ldapAuthUrl = appConstants.getResolvedProperty(ldapAuthUrlProp);
-				}
-
-				ldapAuthUserBase = appConstants.getResolvedProperty("ldap.auth.user.base");
-				if (ldapAuthModeNum >= LDAP_AUTH_MODE_FULL) {
-					ldapAuthObserverBase = appConstants.getResolvedProperty("ldap.auth.observer.base");
-					if (ldapAuthObserverBase == null) {
-						throw new ServletException("property [ldap.auth.observer.base] should be set");
-					}
-					ldapAuthDataAdminBase = appConstants.getResolvedProperty("ldap.auth.dataadmin.base");
-					if (ldapAuthDataAdminBase == null) {
-						throw new ServletException("property [ldap.auth.dataadmin.base] should be set");
-					}
-					ldapAuthTesterBase = appConstants.getResolvedProperty("ldap.auth.tester.base");
-					if (ldapAuthTesterBase == null) {
-						throw new ServletException("property [ldap.auth.tester.base] should be set");
-					}
-				}
-			}
-		}
-	}
-
-	@Override
-	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
-		HttpServletRequest req = (HttpServletRequest) servletRequest;
-		HttpServletResponse res = (HttpServletResponse) servletResponse;
-
-		if (ldapAuthModeNum >= LDAP_AUTH_MODE_SIMPLE) {
-			String path = req.getServletPath();
-			if (hasAllowedExtension(path)) {
-				filterChain.doFilter(servletRequest, servletResponse);
-			} else {
-				if ("/rest-public".equals(path)) {
-					filterChain.doFilter(servletRequest, servletResponse);
-				} else {
-					if ("/rest".equals(path)) {
-						String info = req.getPathInfo();
-						if (info != null) {
-							path = path + info;
-							int i = ordinalIndexOf(path, "/", 2);
-							if (i > 0) {
-								path = path.substring(0, i);
-							}
-						}
-					}
-					boolean allowedObserverPath = isAllowedPath(path, allowedObserverPaths);
-					boolean allowedDataAdminPath = false;
-					boolean allowedTesterPath = false;
-					String authorizePathMode = null;
-					if (ldapAuthModeNum >= LDAP_AUTH_MODE_FULL) {
-						allowedDataAdminPath = isAllowedPath(path, allowedDataAdminPaths);
-						allowedTesterPath = isAllowedPath(path, allowedTesterPaths);
-						if (allowedObserverPath) {
-							authorizePathMode = AUTH_PATH_MODE_OBSERVER;
-						} else if (allowedDataAdminPath) {
-							authorizePathMode = AUTH_PATH_MODE_DATAADMIN;
-						} else if (allowedTesterPath) {
-							authorizePathMode = AUTH_PATH_MODE_TESTER;
-						}
-					}
-					if (allowedObserverPath || allowedDataAdminPath || allowedTesterPath) {
-						if (ldapAuthModeNum >= LDAP_AUTH_MODE_BASIC) {
-							String authenticated = askUsername(req, res, authorizePathMode);
-							if (authenticated == null) {
-								res.getWriter().write("<html>Not Allowed (" + path + ")</html>");
-							} else {
-								filterChain.doFilter(servletRequest, servletResponse);
-							}
-						} else {
-							filterChain.doFilter(servletRequest, servletResponse);
-						}
-					} else {
-						res.getWriter().write("<html>Not Allowed (" + path + ")</html>");
-					}
-				}
-			}
-		} else {
-			filterChain.doFilter(servletRequest, servletResponse);
-		}
-	}
-
-	private boolean hasAllowedExtension(String path) {
-		for (String allowedExtension : allowedExtensions) {
-			if (FileUtils.extensionEqualsIgnoreCase(path, allowedExtension)) {
-				return true;
-			}
-		}
-		return false;
-	}
-
-	private boolean isAllowedPath(String path, List<String> allowedPaths) {
-		for (String allowedPath : allowedPaths) {
-			if (path.equals(allowedPath)) {
-				return true;
-			}
-		}
-		return false;
-	}
-
-	private String askUsername(HttpServletRequest req, HttpServletResponse res, String authorizePathMode) {
-		String username = null;
-		String header = req.getHeader("Authorization");
-		if (header == null) {
-			log.debug("no Authorization header found yet, getting credentials");
-		} else {
-			String usernpassw = new String(Base64.decodeBase64(header.substring(6)));
-			if (usernpassw != null) {
-				String uname = usernpassw.substring(0, usernpassw.indexOf(":"));
-				String pword = usernpassw.substring(usernpassw.indexOf(":") + 1);
-				if (checkUsernamePassword(uname, pword, authorizePathMode)) {
-					username = uname;
-				}
-			}
-		}
-		if (header == null || username == null) {
-			res.setHeader("WWW-Authenticate", "BASIC realm=\"" + instanceName + "\"");
-			res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-		}
-		return username;
-	}
-
-	private boolean checkUsernamePassword(String username, String password, String authorizePathMode) {
-		String dnUser = Misc.replace(ldapAuthUserBase, "%UID%", username);
-
-		Hashtable env = new Hashtable();
-		env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
-		env.put(Context.PROVIDER_URL, ldapAuthUrl);
-		env.put(Context.SECURITY_AUTHENTICATION, "simple");
-		env.put(Context.SECURITY_PRINCIPAL, dnUser);
-		env.put(Context.SECURITY_CREDENTIALS, password);
-
-		DirContext ctx = null;
-		try {
-			try {
-				ctx = new InitialDirContext(env);
-			} catch (CommunicationException e) {
-				log.info("cannot create constructor for DirContext (" + e.getMessage() + "], will try again with dummy SocketFactory");
-				env.put("java.naming.ldap.factory.socket", DummySSLSocketFactory.class.getName());
-				ctx = new InitialLdapContext(env, null);
-			}
-
-			if (authorizePathMode == null) {
-				return true;
-			} else {
-				if (authorizePathMode.equals(AUTH_PATH_MODE_OBSERVER)) {
-					if (isMemberOf(ctx, dnUser, ldapAuthObserverBase)) {
-						return true;
-					}
-					if (isMemberOf(ctx, dnUser, ldapAuthDataAdminBase)) {
-						return true;
-					}
-				}
-				if (authorizePathMode.equals(AUTH_PATH_MODE_DATAADMIN)) {
-					if (isMemberOf(ctx, dnUser, ldapAuthDataAdminBase)) {
-						return true;
-					}
-				}
-				if (authorizePathMode.equals(AUTH_PATH_MODE_TESTER)) {
-					if (isMemberOf(ctx, dnUser, ldapAuthTesterBase)) {
-						return true;
-					}
-				}
-			}
-		} catch (AuthenticationException e) {
-			return false;
-		} catch (Exception e) {
-			log.warn("LoginFilter caught Exception", e);
-			return false;
-		} finally {
-			if (ctx != null) {
-				try {
-					ctx.close();
-				} catch (Exception e) {
-					log.warn("LoginFilter caught Exception", e);
-				}
-			}
-		}
-		return false;
-	}
-
-	private boolean isMemberOf(DirContext ctx, String dnUser, String dnGroup) throws NamingException {
-		DirContext lookedContext = (DirContext) (ctx.lookup(dnGroup));
-		Attribute attrs = lookedContext.getAttributes("").get("member");
-		for (int i = 0; i < attrs.size(); i++) {
-			String foundMember = (String) attrs.get(i);
-			if (foundMember.equalsIgnoreCase(dnUser)) {
-				return true;
-			}
-		}
-		return false;
-	}
-
-	private static int getLdapAuthModeNum(String ldapAuthMode) {
-		int i = ldapAuthModes.length - 1;
-		while (i >= 0 && !ldapAuthModes[i].equalsIgnoreCase(ldapAuthMode))
-			i--; // try next
-		if (i >= 0) {
-			return ldapAuthModeNums[i];
-		} else {
-			return i;
-		}
-	}
-
-	private int ordinalIndexOf(String str, String s, int n) {
-		int pos = str.indexOf(s, 0);
-		while (n-- > 0 && pos != -1)
-			pos = str.indexOf(s, pos+1);
-		return pos;
-	}
-
-	@Override
-	public void destroy() {
-	}
-}
diff --git a/core/src/main/resources/AppConstants.properties b/core/src/main/resources/AppConstants.properties
index 45a9467c5f8..cac479d73fc 100644
--- a/core/src/main/resources/AppConstants.properties
+++ b/core/src/main/resources/AppConstants.properties
@@ -25,6 +25,13 @@ application.security.http.authentication=
 # When left empty the default is CONFIDENTIAL, and NONE when dtap.stage == LOC
 application.security.http.transportGuarantee=
 
+# Authenticators for HTTP endpoints
+# application.security.http.authenticators=myADAuth
+# application.security.http.authenticators.myADAuth.type=AD
+# application.security.http.authenticators.myADAuth.baseDn=DC=company,DC=org
+# application.security.http.authenticators.myADAuth.url=ldap://10.1.2.3
+application.security.http.authenticators=
+
 application.name=IAF
 #Deprecated as we now use maven this can be determined dynamically
 application.version=${ibis-adapterframework-core.version}
diff --git a/core/src/main/resources/SpringEnvironmentContext.xml b/core/src/main/resources/SpringEnvironmentContext.xml
index c80db02ea5b..8d6e8b42474 100644
--- a/core/src/main/resources/SpringEnvironmentContext.xml
+++ b/core/src/main/resources/SpringEnvironmentContext.xml
@@ -42,15 +42,8 @@
 	<bean id="org.apache.cxf.bus.spring.BusExtensionPostProcessor" class="org.apache.cxf.bus.spring.BusExtensionPostProcessor"/>
 
 	<!-- Beans that should be loaded before the IbisContext starts -->
-	<bean
-		name="servletManager"
-		scope="singleton"
-		autowire="byName"
-		class="nl.nn.adapterframework.lifecycle.ServletManager"
-	/>
+	<bean id="servletManager" scope="singleton" class="nl.nn.adapterframework.lifecycle.ServletManager" autowire="byName" />
 
 	<bean id="MessageEventListener" class="nl.nn.adapterframework.lifecycle.MessageEventListener" scope="singleton" />
 
-<!-- 	<import resource="webSecurityConfig.xml"/> -->
-
 </beans>
diff --git a/core/src/main/resources/ldap-role-mapping.properties b/core/src/main/resources/ldap-role-mapping.properties
new file mode 100644
index 00000000000..b269a01343d
--- /dev/null
+++ b/core/src/main/resources/ldap-role-mapping.properties
@@ -0,0 +1,4 @@
+#Defaults for legacy LoginFilter
+IbisObserver=${ldap.auth.observer.base}
+IbisDataAdmin=${ldap.auth.dataadmin.base}
+IbisTester=${ldap.auth.tester.base}
\ No newline at end of file
diff --git a/core/src/main/resources/log4j4ibis.xml b/core/src/main/resources/log4j4ibis.xml
index fb2882b7a5d..6958f7206a0 100644
--- a/core/src/main/resources/log4j4ibis.xml
+++ b/core/src/main/resources/log4j4ibis.xml
@@ -5,7 +5,7 @@
 	<Appenders>
 		<Appender name="stdout" type="Console">
 			<Layout type="IbisPatternLayout">
-				<Pattern>%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%t] %X{mid,cid} %c{2} - %m%nxEx{short}</Pattern>
+				<Pattern>%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%t] %X{mid,cid} %c{2} - %m%n%xEx{short}</Pattern>
 			</Layout>
 		</Appender>
 		<Appender name="file" type="RollingFile" fileName="${ctx:log.dir}/${ctx:instance.name.lc}.log" filePattern="${ctx:log.dir}/${ctx:instance.name.lc}.log.%i">
@@ -102,6 +102,8 @@
 		<Logger name="org.quartz" level="WARN" />
 		<Logger name="nl.nn.adapterframework.configuration.digester" level="WARN" />
 		<Logger name="microsoft.exchange" level="INFO" />
+		<Logger name="org.springframework.security.web" level="INFO" />
+		<Logger name="org.springframework.security.ldap" level="WARN" />
 
 		<Logger name="liquibase.migrationLog" level="INFO">
 			<AppenderRef ref="stdout"/>
diff --git a/core/src/main/resources/webSecurityConfig.xml b/core/src/main/resources/webSecurityConfig.xml
deleted file mode 100644
index 3e5db089009..00000000000
--- a/core/src/main/resources/webSecurityConfig.xml
+++ /dev/null
@@ -1,77 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans:beans xmlns="http://www.springframework.org/schema/security" 
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
-	xmlns:beans="http://www.springframework.org/schema/beans"
-	xmlns:security="http://www.springframework.org/schema/security"
-	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
-						http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
-
-<!-- example use of a secured endpoint in tandum with the global authenticationManager
-	<http use-expressions="true" realm="Frank2" authentication-manager-ref="inMemoryAuthManager" create-session="stateless" pattern="/api/**">
-		<csrf disabled="true"/>
-
-		<http-basic entry-point-ref="authenticationEntryPoint" />
-		<security:logout />
-	</http>
-
-	<beans:bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
-		<beans:property name="realmName" value="Frank" />
-	</beans:bean>
-
-	<authentication-manager alias="inMemoryAuthManager">
-		<security:authentication-provider>
-			<security:user-service>
-				<security:user name="IbisTester123" password="IbisTester" authorities="IbisTester"/>
-			</security:user-service>
-			<security:password-encoder ref="passwordEncoder" />
-		</security:authentication-provider>
-	</authentication-manager>
-	<beans:bean id="passwordEncoder" class = "org.springframework.security.crypto.password.NoOpPasswordEncoder" factory-method = "getInstance"/>
--->
-
-	<http use-expressions="true" realm="Frank" authentication-manager-ref="authenticationManager" entry-point-ref="403EntryPoint" pattern="/**">
-		<security:csrf disabled="true" />
-		<security:headers>
-			<security:frame-options policy="SAMEORIGIN" />
-		</security:headers>
-		<security:custom-filter position="PRE_AUTH_FILTER" ref="jeePreAuthenticatedFilter" />
-		<security:logout />
-	</http>
-
-	<!-- When using JEE the container authenticates clients (401) we therefore only have to authorize them. If not authorized, return a 403. -->
-	<beans:bean id="403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
-
-<!--
-https://docs.spring.io/spring-security/site/docs/3.0.x/reference/introduction.html
-https://stackoverflow.com/questions/9831268/how-to-use-j2eepreauthenticatedprocessingfilter-and-a-custom-authentication-prov
-https://docs.spring.io/spring-security/site/docs/3.0.x/reference/authz-arch.html
--->
-
-	<!-- Delegates requests to the container, holds configured users and roles in the application -->
-	<authentication-manager alias="authenticationManager">
-		<security:authentication-provider ref="j2eeAuthenticationProvider" />
-	</authentication-manager>
-
-	<!-- Checks if the user has been logged in and returns the HttpRequest.getUserPrincipal -->
-	<beans:bean id="jeePreAuthenticatedFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
-		<beans:property name="authenticationManager" ref="authenticationManager" />
-		<beans:property name="authenticationDetailsSource" ref="authenticationDetailsSource" />
-	</beans:bean>
-
-	<!-- Reads the web.xml file 'security-roles' -->
-	<beans:bean id="mappableAttributesRetriever" class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever" />
-
-	<!-- Checks which roles the user(principal) has by performing HttpRequest.isUserInRole -->
-	<beans:bean id="authenticationDetailsSource" class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
-		<beans:property name="mappableRolesRetriever" ref="mappableAttributesRetriever" />
-	</beans:bean>
-
-	<!-- The J2EE authentication provider -->
-	<!-- SecurityContextHolder.getContext().getAuthentication(); can be used to retrieve the username (when available) -->
-	<beans:bean id="j2eeAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
-		<beans:property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
-	</beans:bean>
-
-	<!-- Converts the AuthenticationToken into UserDetails -->
-	<beans:bean id="preAuthenticatedUserDetailsService" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />
-</beans:beans>
\ No newline at end of file
diff --git a/core/src/test/java/nl/nn/adapterframework/lifecycle/ServletManagerTest.java b/core/src/test/java/nl/nn/adapterframework/lifecycle/ServletManagerTest.java
index 3c152ccb965..f1f232bb761 100644
--- a/core/src/test/java/nl/nn/adapterframework/lifecycle/ServletManagerTest.java
+++ b/core/src/test/java/nl/nn/adapterframework/lifecycle/ServletManagerTest.java
@@ -3,6 +3,10 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThrows;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.ArgumentMatchers.isA;
+import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.mock;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -23,10 +27,14 @@
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.springframework.beans.factory.config.AutowireCapableBeanFactory;
+import org.springframework.context.ApplicationContext;
 import org.springframework.mock.web.MockServletContext;
 
 import lombok.Getter;
 import lombok.Setter;
+import nl.nn.adapterframework.lifecycle.servlets.IAuthenticator;
+import nl.nn.adapterframework.lifecycle.servlets.ServletConfiguration;
 import nl.nn.adapterframework.util.AppConstants;
 import nl.nn.credentialprovider.util.Misc;
 
@@ -35,7 +43,7 @@ public class ServletManagerTest {
 	private static ServletManager manager;
 
 	@BeforeClass
-	public static void prepare() {
+	public static void prepare() throws Exception {
 		ServletContext context = new MockServletContext() {
 			private Map<String, Dynamic> dynamic = new HashMap<>();
 			@Override
@@ -48,6 +56,27 @@ public ServletRegistration getServletRegistration(String servletName) {
 			}
 		};
 		manager = new ServletManager(context);
+
+		ApplicationContext applicationContext = mock(ApplicationContext.class);
+		AutowireCapableBeanFactory beanFactory = mock(AutowireCapableBeanFactory.class);
+		doReturn(beanFactory).when(applicationContext).getAutowireCapableBeanFactory();
+		doReturn(new DummyAuthenticator()).when(beanFactory).createBean(isA(IAuthenticator.class.getClass()), eq(AutowireCapableBeanFactory.AUTOWIRE_BY_NAME), eq(false));
+		manager.setApplicationContext(applicationContext);
+
+		manager.afterPropertiesSet();
+	}
+
+	private static class DummyAuthenticator implements IAuthenticator {
+
+		@Override
+		public void registerServlet(ServletConfiguration config) {
+			// NOOP
+		}
+
+		@Override
+		public void build() {
+			// NOOP
+		}
 	}
 
 	@Before
@@ -55,6 +84,7 @@ public void setUp() {
 		Properties properties = new Properties();
 		properties.setProperty("dtap.stage", "ACC");
 		properties.setProperty(ServletManager.HTTPS_ENABLED_KEY, "confidential");
+		properties.setProperty(ServletManager.AUTH_ENABLED_KEY, "false");
 
 		ServletManager.setupDefaultSecuritySettings(properties);
 	}
diff --git a/webapp/src/main/webapp/WEB-INF/web.xml b/webapp/src/main/webapp/WEB-INF/web.xml
index 6a4261b26e6..675d33990f4 100644
--- a/webapp/src/main/webapp/WEB-INF/web.xml
+++ b/webapp/src/main/webapp/WEB-INF/web.xml
@@ -9,27 +9,6 @@
 		These actions are configured in an XML file. On the event several actions, called pipes, grouped in a pipeline, are fired.
 	</description>
 
-	<filter>
-		<filter-name>LoginFilter</filter-name>
-		<filter-class>nl.nn.adapterframework.webcontrol.LoginFilter</filter-class>
-		<init-param>
-			<param-name>allowedExtensions</param-name>
-			<param-value>css js gif jpg png svg</param-value>
-		</init-param>
-		<init-param>
-			<param-name>allowedObserverPaths</param-name>
-			<param-value>/index.jsp /FileViewerServlet /iaf/testtool</param-value>
-		</init-param>
-		<init-param>
-			<param-name>allowedDataAdminPaths</param-name>
-			<param-value>/iaf/testtool</param-value>
-		</init-param>
-		<init-param>
-			<param-name>allowedTesterPaths</param-name>
-			<param-value>/iaf/testtool</param-value>
-		</init-param>
-	</filter>
-
 	<filter>
 		<filter-name>CacheControlFilter</filter-name>
 		<filter-class>nl.nn.adapterframework.http.CacheControlFilter</filter-class>
@@ -61,11 +40,6 @@
 		<url-pattern>/iaf/api/*</url-pattern>
 	</filter-mapping>
 
-	<filter-mapping>
-		<filter-name>LoginFilter</filter-name>
-		<url-pattern>/*</url-pattern>
-	</filter-mapping>
-
 	<!--
 		First a 'ROOT' Spring WebApplicationContext is started. This in turn registers all dynamic servlets and IbisInitializers
 		After loading the ROOT context with all HTTP/CXF servlets (endpoints) all servlets will be initialized.