DAO layer, services, configuration and UI

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.config;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+import org.thingsboard.server.service.security.model.token.JwtToken;
+
+@Configuration
+@ConfigurationProperties(prefix = "security.jwt")
+public class JwtSettings {
+    /**
+     * {@link JwtToken} will expire after this time.
+     */
+    private Integer tokenExpirationTime;
+
+    /**
+     * Token issuer.
+     */
+    private String tokenIssuer;
+
+    /**
+     * Key is used to sign {@link JwtToken}.
+     */
+    private String tokenSigningKey;
+
+    /**
+     * {@link JwtToken} can be refreshed during this timeframe.
+     */
+    private Integer refreshTokenExpTime;
+
+    public Integer getRefreshTokenExpTime() {
+        return refreshTokenExpTime;
+    }
+
+    public void setRefreshTokenExpTime(Integer refreshTokenExpTime) {
+        this.refreshTokenExpTime = refreshTokenExpTime;
+    }
+
+    public Integer getTokenExpirationTime() {
+        return tokenExpirationTime;
+    }
+
+    public void setTokenExpirationTime(Integer tokenExpirationTime) {
+        this.tokenExpirationTime = tokenExpirationTime;
+    }
+
+    public String getTokenIssuer() {
+        return tokenIssuer;
+    }
+    public void setTokenIssuer(String tokenIssuer) {
+        this.tokenIssuer = tokenIssuer;
+    }
+
+    public String getTokenSigningKey() {
+        return tokenSigningKey;
+    }
+
+    public void setTokenSigningKey(String tokenSigningKey) {
+        this.tokenSigningKey = tokenSigningKey;
+    }
+}
\ No newline at end of file

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.config;
+
+import org.springframework.context.MessageSource;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.support.ResourceBundleMessageSource;
+
+@Configuration
+public class ThingsboardMessageConfiguration {
+
+    @Bean
+    public MessageSource messageSource() {
+        ResourceBundleMessageSource messageSource = new ResourceBundleMessageSource();
+        messageSource.setBasename("i18n/messages");
+        messageSource.setDefaultEncoding("UTF-8");
+        return messageSource;
+    }
+    
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.config;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.boot.autoconfigure.security.SecurityProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.thingsboard.server.exception.ThingsboardErrorResponseHandler;
+import org.thingsboard.server.service.security.auth.rest.RestAuthenticationProvider;
+import org.thingsboard.server.service.security.auth.rest.RestLoginProcessingFilter;
+import org.thingsboard.server.service.security.auth.jwt.*;
+import org.thingsboard.server.service.security.auth.jwt.extractor.TokenExtractor;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled=true)
+@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
+public class ThingsboardSecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+    public static final String JWT_TOKEN_HEADER_PARAM = "X-Authorization";
+    public static final String JWT_TOKEN_QUERY_PARAM = "token";
+
+    public static final String DEVICE_API_ENTRY_POINT = "/api/v1/**";
+    public static final String FORM_BASED_LOGIN_ENTRY_POINT = "/api/auth/login";
+    public static final String TOKEN_REFRESH_ENTRY_POINT = "/api/auth/token";
+    public static final String[] NON_TOKEN_BASED_AUTH_ENTRY_POINTS = new String[] {"/index.html", "/static/**", "/api/noauth/**"};
+    public static final String TOKEN_BASED_AUTH_ENTRY_POINT = "/api/**";
+    public static final String WS_TOKEN_BASED_AUTH_ENTRY_POINT = "/api/ws/**";
+
+    @Autowired private ThingsboardErrorResponseHandler restAccessDeniedHandler;
+    @Autowired private AuthenticationSuccessHandler successHandler;
+    @Autowired private AuthenticationFailureHandler failureHandler;
+    @Autowired private RestAuthenticationProvider restAuthenticationProvider;
+    @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider;
+    @Autowired private RefreshTokenAuthenticationProvider refreshTokenAuthenticationProvider;
+
+    @Autowired
+    @Qualifier("jwtHeaderTokenExtractor")
+    private TokenExtractor jwtHeaderTokenExtractor;
+
+    @Autowired
+    @Qualifier("jwtQueryTokenExtractor")
+    private TokenExtractor jwtQueryTokenExtractor;
+
+    @Autowired private AuthenticationManager authenticationManager;
+
+    @Autowired private ObjectMapper objectMapper;
+
+    @Bean
+    protected RestLoginProcessingFilter buildRestLoginProcessingFilter() throws Exception {
+        RestLoginProcessingFilter filter = new RestLoginProcessingFilter(FORM_BASED_LOGIN_ENTRY_POINT, successHandler, failureHandler, objectMapper);
+        filter.setAuthenticationManager(this.authenticationManager);
+        return filter;
+    }
+
+    @Bean
+    protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter() throws Exception {
+        List<String> pathsToSkip = new ArrayList(Arrays.asList(NON_TOKEN_BASED_AUTH_ENTRY_POINTS));
+        pathsToSkip.addAll(Arrays.asList(WS_TOKEN_BASED_AUTH_ENTRY_POINT, TOKEN_REFRESH_ENTRY_POINT, FORM_BASED_LOGIN_ENTRY_POINT, DEVICE_API_ENTRY_POINT));
+        SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, TOKEN_BASED_AUTH_ENTRY_POINT);
+        JwtTokenAuthenticationProcessingFilter filter
+                = new JwtTokenAuthenticationProcessingFilter(failureHandler, jwtHeaderTokenExtractor, matcher);
+        filter.setAuthenticationManager(this.authenticationManager);
+        return filter;
+    }
+
+    @Bean
+    protected RefreshTokenProcessingFilter buildRefreshTokenProcessingFilter() throws Exception {
+        RefreshTokenProcessingFilter filter = new RefreshTokenProcessingFilter(TOKEN_REFRESH_ENTRY_POINT, successHandler, failureHandler, objectMapper);
+        filter.setAuthenticationManager(this.authenticationManager);
+        return filter;
+    }
+
+    @Bean
+    protected JwtTokenAuthenticationProcessingFilter buildWsJwtTokenAuthenticationProcessingFilter() throws Exception {
+        AntPathRequestMatcher matcher = new AntPathRequestMatcher(WS_TOKEN_BASED_AUTH_ENTRY_POINT);
+        JwtTokenAuthenticationProcessingFilter filter
+                = new JwtTokenAuthenticationProcessingFilter(failureHandler, jwtQueryTokenExtractor, matcher);
+        filter.setAuthenticationManager(this.authenticationManager);
+        return filter;
+    }
+
+    @Bean
+    @Override
+    public AuthenticationManager authenticationManagerBean() throws Exception {
+        return super.authenticationManagerBean();
+    }
+
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth) {
+        auth.authenticationProvider(restAuthenticationProvider);
+        auth.authenticationProvider(jwtAuthenticationProvider);
+        auth.authenticationProvider(refreshTokenAuthenticationProvider);
+    }
+
+    @Bean
+    protected BCryptPasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.headers().frameOptions().disable()
+                .and()
+                .csrf().disable()
+                .exceptionHandling()
+                .and()
+                .sessionManagement()
+                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+                .and()
+                .authorizeRequests()
+                .antMatchers(DEVICE_API_ENTRY_POINT).permitAll() // Device HTTP Transport API
+                .antMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll() // Login end-point
+                .antMatchers(TOKEN_REFRESH_ENTRY_POINT).permitAll() // Token refresh end-point
+                .antMatchers(NON_TOKEN_BASED_AUTH_ENTRY_POINTS).permitAll() // static resources, user activation and password reset end-points
+                .and()
+                .authorizeRequests()
+                .antMatchers(WS_TOKEN_BASED_AUTH_ENTRY_POINT).authenticated() // Protected WebSocket API End-points
+                .antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated() // Protected API End-points
+                .and()
+                .exceptionHandling().accessDeniedHandler(restAccessDeniedHandler)
+                .and()
+                .addFilterBefore(buildRestLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
+                .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
+                .addFilterBefore(buildRefreshTokenProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
+                .addFilterBefore(buildWsJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.config;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+@Controller
+public class WebConfig {
+
+    @RequestMapping(value = "/{path:^(?!api$)(?!static$)[^\\.]*}/**")
+    public String redirect() {
+        return "forward:/index.html";
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.config;
+
+import java.util.Map;
+
+import org.thingsboard.server.exception.ThingsboardErrorCode;
+import org.thingsboard.server.exception.ThingsboardException;
+import org.thingsboard.server.controller.plugin.PluginWebSocketHandler;
+import org.thingsboard.server.service.security.model.SecurityUser;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.server.ServerHttpRequest;
+import org.springframework.http.server.ServerHttpResponse;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.socket.WebSocketHandler;
+import org.springframework.web.socket.config.annotation.EnableWebSocket;
+import org.springframework.web.socket.config.annotation.WebSocketConfigurer;
+import org.springframework.web.socket.config.annotation.WebSocketHandlerRegistry;
+import org.springframework.web.socket.server.HandshakeInterceptor;
+import org.springframework.web.socket.server.standard.ServletServerContainerFactoryBean;
+import org.springframework.web.socket.server.support.HttpSessionHandshakeInterceptor;
+
+@Configuration
+@EnableWebSocket
+public class WebSocketConfiguration implements WebSocketConfigurer {
+
+    public static final String WS_PLUGIN_PREFIX = "/api/ws/plugins/";
+    public static final String WS_SECURITY_USER_ATTRIBUTE = "SECURITY_USER";
+    private static final String WS_PLUGIN_MAPPING = WS_PLUGIN_PREFIX + "**";
+
+    @Bean
+    public ServletServerContainerFactoryBean createWebSocketContainer() {
+        ServletServerContainerFactoryBean container = new ServletServerContainerFactoryBean();
+        container.setMaxTextMessageBufferSize(8192);
+        container.setMaxBinaryMessageBufferSize(8192);
+        return container;
+    }
+
+    @Override
+    public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
+        registry.addHandler(pluginWsHandler(), WS_PLUGIN_MAPPING).setAllowedOrigins("*")
+                .addInterceptors(new HttpSessionHandshakeInterceptor(), new HandshakeInterceptor() {
+
+                    @Override
+                    public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response, WebSocketHandler wsHandler,
+                            Map<String, Object> attributes) throws Exception {
+                        SecurityUser user = null;
+                        try {
+                            user = getCurrentUser();
+                        } catch (ThingsboardException ex) {}
+                        if (user == null) {
+                            response.setStatusCode(HttpStatus.UNAUTHORIZED);
+                            return false;
+                        } else {
+                            attributes.put(WS_SECURITY_USER_ATTRIBUTE, user);
+                            return true;
+                        }
+                    }
+
+                    @Override
+                    public void afterHandshake(ServerHttpRequest request, ServerHttpResponse response, WebSocketHandler wsHandler,
+                            Exception exception) {
+                    }
+                });
+    }
+
+    @Bean
+    public WebSocketHandler pluginWsHandler() {
+        return new PluginWebSocketHandler();
+    }
+
+    protected SecurityUser getCurrentUser() throws ThingsboardException {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if (authentication != null && authentication.getPrincipal() instanceof SecurityUser) {
+            return (SecurityUser) authentication.getPrincipal();
+        } else {
+            throw new ThingsboardException("You aren't authorized to perform this operation!", ThingsboardErrorCode.AUTHENTICATION);
+        }
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+import org.thingsboard.server.common.data.AdminSettings;
+import org.thingsboard.server.dao.settings.AdminSettingsService;
+import org.thingsboard.server.exception.ThingsboardException;
+import org.thingsboard.server.service.mail.MailService;
+
+@RestController
+@RequestMapping("/api/admin")
+public class AdminController extends BaseController {
+
+    @Autowired
+    private MailService mailService;
+    
+    @Autowired
+    private AdminSettingsService adminSettingsService;
+
+    @PreAuthorize("hasAuthority('SYS_ADMIN')")
+    @RequestMapping(value = "/settings/{key}", method = RequestMethod.GET)
+    @ResponseBody
+    public AdminSettings getAdminSettings(@PathVariable("key") String key) throws ThingsboardException {
+        try {
+            return checkNotNull(adminSettingsService.findAdminSettingsByKey(key));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('SYS_ADMIN')")
+    @RequestMapping(value = "/settings", method = RequestMethod.POST)
+    @ResponseBody 
+    public AdminSettings saveAdminSettings(@RequestBody AdminSettings adminSettings) throws ThingsboardException {
+        try {
+            adminSettings = checkNotNull(adminSettingsService.saveAdminSettings(adminSettings));
+            if (adminSettings.getKey().equals("mail")) {
+                mailService.updateMailConfiguration();
+            }
+            return adminSettings;
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('SYS_ADMIN')")
+    @RequestMapping(value = "/settings/testMail", method = RequestMethod.POST)
+    public void sendTestMail(@RequestBody AdminSettings adminSettings) throws ThingsboardException {
+        try {
+            adminSettings = checkNotNull(adminSettings);
+            if (adminSettings.getKey().equals("mail")) {
+               String email = getCurrentUser().getEmail();
+               mailService.sendTestMail(adminSettings.getJsonValue(), email);
+            }
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import lombok.extern.slf4j.Slf4j;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.web.bind.annotation.*;
+import org.thingsboard.server.common.data.User;
+import org.thingsboard.server.common.data.security.UserCredentials;
+import org.thingsboard.server.dao.user.UserService;
+import org.thingsboard.server.exception.ThingsboardErrorCode;
+import org.thingsboard.server.exception.ThingsboardException;
+import org.thingsboard.server.service.mail.MailService;
+import org.thingsboard.server.service.security.auth.jwt.RefreshTokenRepository;
+import org.thingsboard.server.service.security.model.SecurityUser;
+import org.thingsboard.server.service.security.model.token.JwtToken;
+import org.thingsboard.server.service.security.model.token.JwtTokenFactory;
+
+import javax.servlet.http.HttpServletRequest;
+import java.net.URI;
+import java.net.URISyntaxException;
+
+@RestController
+@RequestMapping("/api")
+@Slf4j
+public class AuthController extends BaseController {
+
+
+
+    @Autowired
+    private BCryptPasswordEncoder passwordEncoder;
+
+    @Autowired
+    private JwtTokenFactory tokenFactory;
+
+    @Autowired
+    private RefreshTokenRepository refreshTokenRepository;
+
+    @Autowired
+    private UserService userService;
+
+    @Autowired
+    private MailService mailService;
+
+    @PreAuthorize("isAuthenticated()")
+    @RequestMapping(value = "/auth/user", method = RequestMethod.GET)
+    public @ResponseBody User getUser() throws ThingsboardException {
+        try {
+            SecurityUser securityUser = getCurrentUser();
+            return userService.findUserById(securityUser.getId());
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("isAuthenticated()")
+    @RequestMapping(value = "/auth/changePassword", method = RequestMethod.POST)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void changePassword (
+            @RequestParam(value = "currentPassword") String currentPassword,
+            @RequestParam(value = "newPassword") String newPassword) throws ThingsboardException {
+        try {
+            SecurityUser securityUser = getCurrentUser();
+            UserCredentials userCredentials = userService.findUserCredentialsByUserId(securityUser.getId());
+            if (!passwordEncoder.matches(currentPassword, userCredentials.getPassword())) {
+                throw new ThingsboardException("Current password doesn't match!", ThingsboardErrorCode.BAD_REQUEST_PARAMS);
+            }
+            userCredentials.setPassword(passwordEncoder.encode(newPassword));
+            userService.saveUserCredentials(userCredentials);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+    
+    @RequestMapping(value = "/noauth/activate", params = { "activateToken" }, method = RequestMethod.GET)
+    public ResponseEntity<String> checkActivateToken(
+            @RequestParam(value = "activateToken") String activateToken) {
+        HttpHeaders headers = new HttpHeaders();
+        HttpStatus responseStatus;
+        UserCredentials userCredentials = userService.findUserCredentialsByActivateToken(activateToken);
+        if (userCredentials != null) {
+            String createPasswordURI = "/login/createPassword";
+            try {
+                URI location = new URI(createPasswordURI + "?activateToken=" + activateToken);
+                headers.setLocation(location);
+                responseStatus = HttpStatus.PERMANENT_REDIRECT;
+            } catch (URISyntaxException e) {
+                log.error("Unable to create URI with address [{}]", createPasswordURI);
+                responseStatus = HttpStatus.BAD_REQUEST;
+            }
+        } else {
+            responseStatus = HttpStatus.CONFLICT;
+        }
+        return new ResponseEntity<>(headers, responseStatus);
+    }
+    
+    @RequestMapping(value = "/noauth/resetPasswordByEmail", method = RequestMethod.POST)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void requestResetPasswordByEmail (
+            @RequestParam(value = "email") String email,
+            HttpServletRequest request) throws ThingsboardException {
+        try {
+            UserCredentials userCredentials = userService.requestPasswordReset(email);
+            
+            String baseUrl = String.format("%s://%s:%d",
+                    request.getScheme(),  
+                    request.getServerName(), 
+                    request.getServerPort());             
+            String resetPasswordUrl = String.format("%s/api/noauth/resetPassword?resetToken=%s", baseUrl,
+                    userCredentials.getResetToken());
+            
+            mailService.sendResetPasswordEmail(resetPasswordUrl, email);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+    
+    @RequestMapping(value = "/noauth/resetPassword", params = { "resetToken" }, method = RequestMethod.GET)
+    public ResponseEntity<String> checkResetToken(
+            @RequestParam(value = "resetToken") String resetToken) {
+        HttpHeaders headers = new HttpHeaders();
+        HttpStatus responseStatus;
+        String resetPasswordURI = "/login/resetPassword";
+        UserCredentials userCredentials = userService.findUserCredentialsByResetToken(resetToken);
+        if (userCredentials != null) {
+            try {
+                URI location = new URI(resetPasswordURI + "?resetToken=" + resetToken);
+                headers.setLocation(location);
+                responseStatus = HttpStatus.PERMANENT_REDIRECT;
+            } catch (URISyntaxException e) {
+                log.error("Unable to create URI with address [{}]", resetPasswordURI);
+                responseStatus = HttpStatus.BAD_REQUEST;
+            }
+        } else {
+            responseStatus = HttpStatus.CONFLICT;
+        }
+        return new ResponseEntity<>(headers, responseStatus);
+    }
+    
+    @RequestMapping(value = "/noauth/activate", method = RequestMethod.POST)
+    @ResponseStatus(value = HttpStatus.OK)
+    @ResponseBody
+    public JsonNode activateUser(
+            @RequestParam(value = "activateToken") String activateToken,
+            @RequestParam(value = "password") String password,
+            HttpServletRequest request) throws ThingsboardException {
+        try {
+            String encodedPassword = passwordEncoder.encode(password);
+            UserCredentials credentials = userService.activateUserCredentials(activateToken, encodedPassword);
+            User user = userService.findUserById(credentials.getUserId());
+            SecurityUser securityUser = new SecurityUser(user, credentials.isEnabled());
+            String baseUrl = String.format("%s://%s:%d",
+                    request.getScheme(),  
+                    request.getServerName(), 
+                    request.getServerPort());             
+            String loginUrl = String.format("%s/login", baseUrl);
+            String email = user.getEmail();
+            mailService.sendAccountActivatedEmail(loginUrl, email);
+
+            JwtToken accessToken = tokenFactory.createAccessJwtToken(securityUser);
+            JwtToken refreshToken = refreshTokenRepository.requestRefreshToken(securityUser);
+
+            ObjectMapper objectMapper = new ObjectMapper();
+            ObjectNode tokenObject = objectMapper.createObjectNode();
+            tokenObject.put("token", accessToken.getToken());
+            tokenObject.put("refreshToken", refreshToken.getToken());
+            return tokenObject;
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+    
+    @RequestMapping(value = "/noauth/resetPassword", method = RequestMethod.POST)
+    @ResponseStatus(value = HttpStatus.OK)
+    @ResponseBody
+    public JsonNode resetPassword(
+            @RequestParam(value = "resetToken") String resetToken,
+            @RequestParam(value = "password") String password,
+            HttpServletRequest request) throws ThingsboardException {
+        try {
+            UserCredentials userCredentials = userService.findUserCredentialsByResetToken(resetToken);
+            if (userCredentials != null) {
+                String encodedPassword = passwordEncoder.encode(password);
+                userCredentials.setPassword(encodedPassword);
+                userCredentials.setResetToken(null);
+                userCredentials = userService.saveUserCredentials(userCredentials);
+                User user = userService.findUserById(userCredentials.getUserId());
+                SecurityUser securityUser = new SecurityUser(user, userCredentials.isEnabled());
+                String baseUrl = String.format("%s://%s:%d",
+                        request.getScheme(),  
+                        request.getServerName(), 
+                        request.getServerPort());             
+                String loginUrl = String.format("%s/login", baseUrl);
+                String email = user.getEmail();
+                mailService.sendPasswordWasResetEmail(loginUrl, email);
+
+                JwtToken accessToken = tokenFactory.createAccessJwtToken(securityUser);
+                JwtToken refreshToken = refreshTokenRepository.requestRefreshToken(securityUser);
+
+                ObjectMapper objectMapper = new ObjectMapper();
+                ObjectNode tokenObject = objectMapper.createObjectNode();
+                tokenObject.put("token", accessToken.getToken());
+                tokenObject.put("refreshToken", refreshToken.getToken());
+                return tokenObject;
+            } else {
+                throw new ThingsboardException("Invalid reset token!", ThingsboardErrorCode.BAD_REQUEST_PARAMS);
+            }
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.thingsboard.server.actors.service.ActorService;
+import org.thingsboard.server.common.data.Customer;
+import org.thingsboard.server.common.data.Dashboard;
+import org.thingsboard.server.common.data.Device;
+import org.thingsboard.server.common.data.User;
+import org.thingsboard.server.common.data.id.*;
+import org.thingsboard.server.common.data.page.TextPageLink;
+import org.thingsboard.server.common.data.page.TimePageLink;
+import org.thingsboard.server.common.data.plugin.ComponentDescriptor;
+import org.thingsboard.server.common.data.plugin.ComponentType;
+import org.thingsboard.server.common.data.plugin.PluginMetaData;
+import org.thingsboard.server.common.data.rule.RuleMetaData;
+import org.thingsboard.server.common.data.security.Authority;
+import org.thingsboard.server.common.data.widget.WidgetType;
+import org.thingsboard.server.common.data.widget.WidgetsBundle;
+import org.thingsboard.server.dao.customer.CustomerService;
+import org.thingsboard.server.dao.dashboard.DashboardService;
+import org.thingsboard.server.dao.device.DeviceCredentialsService;
+import org.thingsboard.server.dao.device.DeviceService;
+import org.thingsboard.server.dao.exception.DataValidationException;
+import org.thingsboard.server.dao.exception.IncorrectParameterException;
+import org.thingsboard.server.dao.model.ModelConstants;
+import org.thingsboard.server.dao.plugin.PluginService;
+import org.thingsboard.server.dao.rule.RuleService;
+import org.thingsboard.server.dao.user.UserService;
+import org.thingsboard.server.dao.widget.WidgetTypeService;
+import org.thingsboard.server.dao.widget.WidgetsBundleService;
+import org.thingsboard.server.exception.ThingsboardErrorCode;
+import org.thingsboard.server.exception.ThingsboardErrorResponseHandler;
+import org.thingsboard.server.exception.ThingsboardException;
+import org.thingsboard.server.service.component.ComponentDiscoveryService;
+import org.thingsboard.server.service.security.model.SecurityUser;
+
+import javax.mail.MessagingException;
+import javax.servlet.http.HttpServletResponse;
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+
+import static org.thingsboard.server.dao.service.Validator.validateId;
+
+@Slf4j
+public abstract class BaseController {
+
+    @Autowired
+    private ThingsboardErrorResponseHandler errorResponseHandler;
+
+    @Autowired
+    protected CustomerService customerService;
+
+    @Autowired
+    protected UserService userService;
+
+    @Autowired
+    protected DeviceService deviceService;
+
+    @Autowired
+    protected DeviceCredentialsService deviceCredentialsService;
+
+    @Autowired
+    protected WidgetsBundleService widgetsBundleService;
+
+    @Autowired
+    protected WidgetTypeService widgetTypeService;
+
+    @Autowired
+    protected DashboardService dashboardService;
+
+    @Autowired
+    protected ComponentDiscoveryService componentDescriptorService;
+
+    @Autowired
+    protected RuleService ruleService;
+
+    @Autowired
+    protected PluginService pluginService;
+
+    @Autowired
+    protected ActorService actorService;
+
+
+    @ExceptionHandler(ThingsboardException.class)
+    public void handleThingsboardException(ThingsboardException ex, HttpServletResponse response) {
+        errorResponseHandler.handle(ex, response);
+    }
+
+    ThingsboardException handleException(Exception exception) {
+        return handleException(exception, true);
+    }
+
+    private ThingsboardException handleException(Exception exception, boolean logException) {
+        if (logException) {
+            log.error("Error [{}]", exception.getMessage());
+        }
+
+        String cause = "";
+        if (exception.getCause() != null) {
+            cause = exception.getCause().getClass().getCanonicalName();
+        }
+
+        if (exception instanceof ThingsboardException) {
+            return (ThingsboardException) exception;
+        } else if (exception instanceof IllegalArgumentException || exception instanceof IncorrectParameterException
+                || exception instanceof DataValidationException || cause.contains("IncorrectParameterException")) {
+            return new ThingsboardException(exception.getMessage(), ThingsboardErrorCode.BAD_REQUEST_PARAMS);
+        } else if (exception instanceof MessagingException) {
+            return new ThingsboardException("Unable to send mail: " + exception.getMessage(), ThingsboardErrorCode.GENERAL);
+        } else {
+            return new ThingsboardException(exception.getMessage(), ThingsboardErrorCode.GENERAL);
+        }
+    }
+
+    <T> T checkNotNull(T reference) throws ThingsboardException {
+        if (reference == null) {
+            throw new ThingsboardException("Requested item wasn't found!", ThingsboardErrorCode.ITEM_NOT_FOUND);
+        }
+        return reference;
+    }
+
+    <T> T checkNotNull(Optional<T> reference) throws ThingsboardException {
+        if (reference.isPresent()) {
+            return reference.get();
+        } else {
+            throw new ThingsboardException("Requested item wasn't found!", ThingsboardErrorCode.ITEM_NOT_FOUND);
+        }
+    }
+
+    void checkParameter(String name, String param) throws ThingsboardException {
+        if (StringUtils.isEmpty(param)) {
+            throw new ThingsboardException("Parameter '" + name + "' can't be empty!", ThingsboardErrorCode.BAD_REQUEST_PARAMS);
+        }
+    }
+
+    UUID toUUID(String id) {
+        return UUID.fromString(id);
+    }
+
+    TimePageLink createPageLink(int limit, Long startTime, Long endTime, boolean ascOrder, String idOffset) {
+        UUID idOffsetUuid = null;
+        if (StringUtils.isNotEmpty(idOffset)) {
+            idOffsetUuid = toUUID(idOffset);
+        }
+        return new TimePageLink(limit, startTime, endTime, ascOrder, idOffsetUuid);
+    }
+
+
+    TextPageLink createPageLink(int limit, String textSearch, String idOffset, String textOffset) {
+        UUID idOffsetUuid = null;
+        if (StringUtils.isNotEmpty(idOffset)) {
+            idOffsetUuid = toUUID(idOffset);
+        }
+        return new TextPageLink(limit, textSearch, idOffsetUuid, textOffset);
+    }
+
+    protected SecurityUser getCurrentUser() throws ThingsboardException {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if (authentication != null && authentication.getPrincipal() instanceof SecurityUser) {
+            return (SecurityUser) authentication.getPrincipal();
+        } else {
+            throw new ThingsboardException("You aren't authorized to perform this operation!", ThingsboardErrorCode.AUTHENTICATION);
+        }
+    }
+
+    void checkTenantId(TenantId tenantId) throws ThingsboardException {
+        validateId(tenantId, "Incorrect tenantId " + tenantId);
+        SecurityUser authUser = getCurrentUser();
+        if (authUser.getAuthority() != Authority.SYS_ADMIN &&
+                (authUser.getTenantId() == null || !authUser.getTenantId().equals(tenantId))) {
+            throw new ThingsboardException("You don't have permission to perform this operation!",
+                    ThingsboardErrorCode.PERMISSION_DENIED);
+        }
+    }
+
+    protected TenantId getTenantId() throws ThingsboardException {
+        return getCurrentUser().getTenantId();
+    }
+
+    Customer checkCustomerId(CustomerId customerId) throws ThingsboardException {
+        try {
+            validateId(customerId, "Incorrect customerId " + customerId);
+            SecurityUser authUser = getCurrentUser();
+            if (authUser.getAuthority() == Authority.SYS_ADMIN ||
+                    (authUser.getAuthority() != Authority.TENANT_ADMIN &&
+                            (authUser.getCustomerId() == null || !authUser.getCustomerId().equals(customerId)))) {
+                throw new ThingsboardException("You don't have permission to perform this operation!",
+                        ThingsboardErrorCode.PERMISSION_DENIED);
+            }
+            Customer customer = customerService.findCustomerById(customerId);
+            checkCustomer(customer);
+            return customer;
+        } catch (Exception e) {
+            throw handleException(e, false);
+        }
+    }
+
+    private void checkCustomer(Customer customer) throws ThingsboardException {
+        checkNotNull(customer);
+        checkTenantId(customer.getTenantId());
+    }
+
+    User checkUserId(UserId userId) throws ThingsboardException {
+        try {
+            validateId(userId, "Incorrect userId " + userId);
+            User user = userService.findUserById(userId);
+            checkUser(user);
+            return user;
+        } catch (Exception e) {
+            throw handleException(e, false);
+        }
+    }
+
+    private void checkUser(User user) throws ThingsboardException {
+        checkNotNull(user);
+        checkTenantId(user.getTenantId());
+        if (user.getAuthority() == Authority.CUSTOMER_USER) {
+            checkCustomerId(user.getCustomerId());
+        }
+    }
+
+    Device checkDeviceId(DeviceId deviceId) throws ThingsboardException {
+        try {
+            validateId(deviceId, "Incorrect deviceId " + deviceId);
+            Device device = deviceService.findDeviceById(deviceId);
+            checkDevice(device);
+            return device;
+        } catch (Exception e) {
+            throw handleException(e, false);
+        }
+    }
+
+    private void checkDevice(Device device) throws ThingsboardException {
+        checkNotNull(device);
+        checkTenantId(device.getTenantId());
+        if (device.getCustomerId() != null && !device.getCustomerId().getId().equals(ModelConstants.NULL_UUID)) {
+            checkCustomerId(device.getCustomerId());
+        }
+    }
+
+    WidgetsBundle checkWidgetsBundleId(WidgetsBundleId widgetsBundleId, boolean modify) throws ThingsboardException {
+        try {
+            validateId(widgetsBundleId, "Incorrect widgetsBundleId " + widgetsBundleId);
+            WidgetsBundle widgetsBundle = widgetsBundleService.findWidgetsBundleById(widgetsBundleId);
+            checkWidgetsBundle(widgetsBundle, modify);
+            return widgetsBundle;
+        } catch (Exception e) {
+            throw handleException(e, false);
+        }
+    }
+
+    private void checkWidgetsBundle(WidgetsBundle widgetsBundle, boolean modify) throws ThingsboardException {
+        checkNotNull(widgetsBundle);
+        if (widgetsBundle.getTenantId() != null && !widgetsBundle.getTenantId().getId().equals(ModelConstants.NULL_UUID)) {
+            checkTenantId(widgetsBundle.getTenantId());
+        } else if (modify && getCurrentUser().getAuthority() != Authority.SYS_ADMIN) {
+            throw new ThingsboardException("You don't have permission to perform this operation!",
+                    ThingsboardErrorCode.PERMISSION_DENIED);
+        }
+    }
+
+    WidgetType checkWidgetTypeId(WidgetTypeId widgetTypeId, boolean modify) throws ThingsboardException {
+        try {
+            validateId(widgetTypeId, "Incorrect widgetTypeId " + widgetTypeId);
+            WidgetType widgetType = widgetTypeService.findWidgetTypeById(widgetTypeId);
+            checkWidgetType(widgetType, modify);
+            return widgetType;
+        } catch (Exception e) {
+            throw handleException(e, false);
+        }
+    }
+
+    void checkWidgetType(WidgetType widgetType, boolean modify) throws ThingsboardException {
+        checkNotNull(widgetType);
+        if (widgetType.getTenantId() != null && !widgetType.getTenantId().getId().equals(ModelConstants.NULL_UUID)) {
+            checkTenantId(widgetType.getTenantId());
+        } else if (modify && getCurrentUser().getAuthority() != Authority.SYS_ADMIN) {
+            throw new ThingsboardException("You don't have permission to perform this operation!",
+                    ThingsboardErrorCode.PERMISSION_DENIED);
+        }
+    }
+
+    Dashboard checkDashboardId(DashboardId dashboardId) throws ThingsboardException {
+        try {
+            validateId(dashboardId, "Incorrect dashboardId " + dashboardId);
+            Dashboard dashboard = dashboardService.findDashboardById(dashboardId);
+            checkDashboard(dashboard);
+            return dashboard;
+        } catch (Exception e) {
+            throw handleException(e, false);
+        }
+    }
+
+    private void checkDashboard(Dashboard dashboard) throws ThingsboardException {
+        checkNotNull(dashboard);
+        checkTenantId(dashboard.getTenantId());
+        if (dashboard.getCustomerId() != null && !dashboard.getCustomerId().getId().equals(ModelConstants.NULL_UUID)) {
+            checkCustomerId(dashboard.getCustomerId());
+        }
+    }
+
+    ComponentDescriptor checkComponentDescriptorByClazz(String clazz) throws ThingsboardException {
+        try {
+            log.debug("[{}] Lookup component descriptor", clazz);
+            ComponentDescriptor componentDescriptor = checkNotNull(componentDescriptorService.getComponent(clazz));
+            return componentDescriptor;
+        } catch (Exception e) {
+            throw handleException(e, false);
+        }
+    }
+
+    List<ComponentDescriptor> checkComponentDescriptorsByType(ComponentType type) throws ThingsboardException {
+        try {
+            log.debug("[{}] Lookup component descriptors", type);
+            return componentDescriptorService.getComponents(type);
+        } catch (Exception e) {
+            throw handleException(e, false);
+        }
+    }
+
+    List<ComponentDescriptor> checkPluginActionsByPluginClazz(String pluginClazz) throws ThingsboardException {
+        try {
+            checkComponentDescriptorByClazz(pluginClazz);
+            log.debug("[{}] Lookup plugin actions", pluginClazz);
+            return componentDescriptorService.getPluginActions(pluginClazz);
+        } catch (Exception e) {
+            throw handleException(e, false);
+        }
+    }
+
+    protected PluginMetaData checkPlugin(PluginMetaData plugin) throws ThingsboardException {
+        checkNotNull(plugin);
+        SecurityUser authUser = getCurrentUser();
+        TenantId tenantId = plugin.getTenantId();
+        validateId(tenantId, "Incorrect tenantId " + tenantId);
+        if (authUser.getAuthority() != Authority.SYS_ADMIN) {
+            if (authUser.getTenantId() == null ||
+                    !tenantId.getId().equals(ModelConstants.NULL_UUID) && !authUser.getTenantId().equals(tenantId)) {
+                throw new ThingsboardException("You don't have permission to perform this operation!",
+                        ThingsboardErrorCode.PERMISSION_DENIED);
+
+            } else if (tenantId.getId().equals(ModelConstants.NULL_UUID)) {
+                plugin.setConfiguration(null);
+            }
+        }
+        return plugin;
+    }
+
+    protected RuleMetaData checkRule(RuleMetaData rule) throws ThingsboardException {
+        checkNotNull(rule);
+        checkTenantId(rule.getTenantId());
+        return rule;
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+import org.thingsboard.server.common.data.plugin.ComponentDescriptor;
+import org.thingsboard.server.common.data.plugin.ComponentType;
+import org.thingsboard.server.exception.ThingsboardException;
+
+import java.util.List;
+
+@RestController
+@RequestMapping("/api")
+public class ComponentDescriptorController extends BaseController {
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN','TENANT_ADMIN')")
+    @RequestMapping(value = "/component/{componentDescriptorClazz:.+}", method = RequestMethod.GET)
+    @ResponseBody
+    public ComponentDescriptor getComponentDescriptorByClazz(@PathVariable("componentDescriptorClazz") String strComponentDescriptorClazz) throws ThingsboardException {
+        checkParameter("strComponentDescriptorClazz", strComponentDescriptorClazz);
+        try {
+            return checkComponentDescriptorByClazz(strComponentDescriptorClazz);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN','TENANT_ADMIN')")
+    @RequestMapping(value = "/components/{componentType}", method = RequestMethod.GET)
+    @ResponseBody
+    public List<ComponentDescriptor> getComponentDescriptorsByType(@PathVariable("componentType") String strComponentType) throws ThingsboardException {
+        checkParameter("componentType", strComponentType);
+        try {
+            return checkComponentDescriptorsByType(ComponentType.valueOf(strComponentType));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN','TENANT_ADMIN')")
+    @RequestMapping(value = "/components/actions/{pluginClazz:.+}", method = RequestMethod.GET)
+    @ResponseBody
+    public List<ComponentDescriptor> getPluginActionsByPluginClazz(@PathVariable("pluginClazz") String pluginClazz) throws ThingsboardException {
+        checkParameter("pluginClazz", pluginClazz);
+        try {
+            return checkPluginActionsByPluginClazz(pluginClazz);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+import org.thingsboard.server.common.data.Customer;
+import org.thingsboard.server.common.data.id.CustomerId;
+import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.page.TextPageData;
+import org.thingsboard.server.common.data.page.TextPageLink;
+import org.thingsboard.server.exception.ThingsboardException;
+
+@RestController
+@RequestMapping("/api")
+public class CustomerController extends BaseController {
+
+    @PreAuthorize("hasAnyAuthority('TENANT_ADMIN', 'CUSTOMER_USER')")
+    @RequestMapping(value = "/customer/{customerId}", method = RequestMethod.GET)
+    @ResponseBody
+    public Customer getCustomerById(@PathVariable("customerId") String strCustomerId) throws ThingsboardException {
+        checkParameter("customerId", strCustomerId);
+        try {
+            CustomerId customerId = new CustomerId(toUUID(strCustomerId));
+            return checkCustomerId(customerId);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/customer", method = RequestMethod.POST)
+    @ResponseBody 
+    public Customer saveCustomer(@RequestBody Customer customer) throws ThingsboardException {
+        try {
+            customer.setTenantId(getCurrentUser().getTenantId());
+            return checkNotNull(customerService.saveCustomer(customer));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/customer/{customerId}", method = RequestMethod.DELETE)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void deleteCustomer(@PathVariable("customerId") String strCustomerId) throws ThingsboardException {
+        checkParameter("customerId", strCustomerId);
+        try {
+            CustomerId customerId = new CustomerId(toUUID(strCustomerId));
+            checkCustomerId(customerId);
+            customerService.deleteCustomer(customerId);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/customers", params = { "limit" }, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<Customer> getCustomers(@RequestParam int limit,
+                                               @RequestParam(required = false) String textSearch,
+                                               @RequestParam(required = false) String idOffset,
+                                               @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        try {
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            TenantId tenantId = getCurrentUser().getTenantId();
+            return checkNotNull(customerService.findCustomersByTenantId(tenantId, pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+import org.thingsboard.server.common.data.Dashboard;
+import org.thingsboard.server.common.data.id.CustomerId;
+import org.thingsboard.server.common.data.id.DashboardId;
+import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.page.TextPageData;
+import org.thingsboard.server.common.data.page.TextPageLink;
+import org.thingsboard.server.dao.exception.IncorrectParameterException;
+import org.thingsboard.server.dao.model.ModelConstants;
+import org.thingsboard.server.exception.ThingsboardException;
+
+@RestController
+@RequestMapping("/api")
+public class DashboardController extends BaseController {
+
+    @PreAuthorize("hasAnyAuthority('TENANT_ADMIN', 'CUSTOMER_USER')")
+    @RequestMapping(value = "/dashboard/{dashboardId}", method = RequestMethod.GET)
+    @ResponseBody
+    public Dashboard getDashboardById(@PathVariable("dashboardId") String strDashboardId) throws ThingsboardException {
+        checkParameter("dashboardId", strDashboardId);
+        try {
+            DashboardId dashboardId = new DashboardId(toUUID(strDashboardId));
+            return checkDashboardId(dashboardId);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/dashboard", method = RequestMethod.POST)
+    @ResponseBody 
+    public Dashboard saveDashboard(@RequestBody Dashboard dashboard) throws ThingsboardException {
+        try {
+            dashboard.setTenantId(getCurrentUser().getTenantId());
+            return checkNotNull(dashboardService.saveDashboard(dashboard));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/dashboard/{dashboardId}", method = RequestMethod.DELETE)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void deleteDashboard(@PathVariable("dashboardId") String strDashboardId) throws ThingsboardException {
+        checkParameter("dashboardId", strDashboardId);
+        try {
+            DashboardId dashboardId = new DashboardId(toUUID(strDashboardId));
+            checkDashboardId(dashboardId);
+            dashboardService.deleteDashboard(dashboardId);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/customer/{customerId}/dashboard/{dashboardId}", method = RequestMethod.POST)
+    @ResponseBody 
+    public Dashboard assignDashboardToCustomer(@PathVariable("customerId") String strCustomerId,
+                                         @PathVariable("dashboardId") String strDashboardId) throws ThingsboardException {
+        checkParameter("customerId", strCustomerId);
+        checkParameter("dashboardId", strDashboardId);
+        try {
+            CustomerId customerId = new CustomerId(toUUID(strCustomerId));
+            checkCustomerId(customerId);
+
+            DashboardId dashboardId = new DashboardId(toUUID(strDashboardId));
+            checkDashboardId(dashboardId);
+            
+            return checkNotNull(dashboardService.assignDashboardToCustomer(dashboardId, customerId));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/customer/dashboard/{dashboardId}", method = RequestMethod.DELETE)
+    @ResponseBody 
+    public Dashboard unassignDashboardFromCustomer(@PathVariable("dashboardId") String strDashboardId) throws ThingsboardException {
+        checkParameter("dashboardId", strDashboardId);
+        try {
+            DashboardId dashboardId = new DashboardId(toUUID(strDashboardId));
+            Dashboard dashboard = checkDashboardId(dashboardId);
+            if (dashboard.getCustomerId() == null || dashboard.getCustomerId().getId().equals(ModelConstants.NULL_UUID)) {
+                throw new IncorrectParameterException("Dashboard isn't assigned to any customer!");
+            }
+            return checkNotNull(dashboardService.unassignDashboardFromCustomer(dashboardId));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/tenant/dashboards", params = { "limit" }, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<Dashboard> getTenantDashboards(
+            @RequestParam int limit,
+            @RequestParam(required = false) String textSearch,
+            @RequestParam(required = false) String idOffset,
+            @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        try {
+            TenantId tenantId = getCurrentUser().getTenantId();
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            return checkNotNull(dashboardService.findDashboardsByTenantId(tenantId, pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('TENANT_ADMIN', 'CUSTOMER_USER')")
+    @RequestMapping(value = "/customer/{customerId}/dashboards", params = { "limit" }, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<Dashboard> getCustomerDashboards(
+            @PathVariable("customerId") String strCustomerId,
+            @RequestParam int limit,
+            @RequestParam(required = false) String textSearch,
+            @RequestParam(required = false) String idOffset,
+            @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        checkParameter("customerId", strCustomerId);
+        try {
+            TenantId tenantId = getCurrentUser().getTenantId();
+            CustomerId customerId = new CustomerId(toUUID(strCustomerId));
+            checkCustomerId(customerId);
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            return checkNotNull(dashboardService.findDashboardsByTenantIdAndCustomerId(tenantId, customerId, pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+import org.thingsboard.server.common.data.Device;
+import org.thingsboard.server.common.data.id.CustomerId;
+import org.thingsboard.server.common.data.id.DeviceId;
+import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.page.TextPageData;
+import org.thingsboard.server.common.data.page.TextPageLink;
+import org.thingsboard.server.common.data.security.DeviceCredentials;
+import org.thingsboard.server.dao.exception.IncorrectParameterException;
+import org.thingsboard.server.dao.model.ModelConstants;
+import org.thingsboard.server.exception.ThingsboardException;
+
+@RestController
+@RequestMapping("/api")
+public class DeviceController extends BaseController {
+
+    @PreAuthorize("hasAnyAuthority('TENANT_ADMIN', 'CUSTOMER_USER')")
+    @RequestMapping(value = "/device/{deviceId}", method = RequestMethod.GET)
+    @ResponseBody
+    public Device getDeviceById(@PathVariable("deviceId") String strDeviceId) throws ThingsboardException {
+        checkParameter("deviceId", strDeviceId);
+        try {
+            DeviceId deviceId = new DeviceId(toUUID(strDeviceId));
+            return checkDeviceId(deviceId);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/device", method = RequestMethod.POST)
+    @ResponseBody 
+    public Device saveDevice(@RequestBody Device device) throws ThingsboardException {
+        try {
+            device.setTenantId(getCurrentUser().getTenantId());
+            return checkNotNull(deviceService.saveDevice(device));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/device/{deviceId}", method = RequestMethod.DELETE)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void deleteDevice(@PathVariable("deviceId") String strDeviceId) throws ThingsboardException {
+        checkParameter("deviceId", strDeviceId);
+        try {
+            DeviceId deviceId = new DeviceId(toUUID(strDeviceId));
+            checkDeviceId(deviceId);
+            deviceService.deleteDevice(deviceId);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/customer/{customerId}/device/{deviceId}", method = RequestMethod.POST)
+    @ResponseBody 
+    public Device assignDeviceToCustomer(@PathVariable("customerId") String strCustomerId,
+                                         @PathVariable("deviceId") String strDeviceId) throws ThingsboardException {
+        checkParameter("customerId", strCustomerId);
+        checkParameter("deviceId", strDeviceId);
+        try {
+            CustomerId customerId = new CustomerId(toUUID(strCustomerId));
+            checkCustomerId(customerId);
+
+            DeviceId deviceId = new DeviceId(toUUID(strDeviceId));
+            checkDeviceId(deviceId);
+            
+            return checkNotNull(deviceService.assignDeviceToCustomer(deviceId, customerId));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/customer/device/{deviceId}", method = RequestMethod.DELETE)
+    @ResponseBody 
+    public Device unassignDeviceFromCustomer(@PathVariable("deviceId") String strDeviceId) throws ThingsboardException {
+        checkParameter("deviceId", strDeviceId);
+        try {
+            DeviceId deviceId = new DeviceId(toUUID(strDeviceId));
+            Device device = checkDeviceId(deviceId);
+            if (device.getCustomerId() == null || device.getCustomerId().getId().equals(ModelConstants.NULL_UUID)) {
+                throw new IncorrectParameterException("Device isn't assigned to any customer!");
+            }
+            return checkNotNull(deviceService.unassignDeviceFromCustomer(deviceId));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('TENANT_ADMIN', 'CUSTOMER_USER')")
+    @RequestMapping(value = "/device/{deviceId}/credentials", method = RequestMethod.GET)
+    @ResponseBody
+    public DeviceCredentials getDeviceCredentialsByDeviceId(@PathVariable("deviceId") String strDeviceId) throws ThingsboardException {
+        checkParameter("deviceId", strDeviceId);
+        try {
+            DeviceId deviceId = new DeviceId(toUUID(strDeviceId));
+            checkDeviceId(deviceId);
+            return checkNotNull(deviceCredentialsService.findDeviceCredentialsByDeviceId(deviceId));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/device/credentials", method = RequestMethod.POST)
+    @ResponseBody 
+    public DeviceCredentials saveDeviceCredentials(@RequestBody DeviceCredentials deviceCredentials) throws ThingsboardException {
+        checkNotNull(deviceCredentials);
+        try {
+            checkDeviceId(deviceCredentials.getDeviceId());
+            return checkNotNull(deviceCredentialsService.updateDeviceCredentials(deviceCredentials));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/tenant/devices", params = { "limit" }, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<Device> getTenantDevices(
+            @RequestParam int limit,
+            @RequestParam(required = false) String textSearch,
+            @RequestParam(required = false) String idOffset,
+            @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        try {
+            TenantId tenantId = getCurrentUser().getTenantId();
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            return checkNotNull(deviceService.findDevicesByTenantId(tenantId, pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('TENANT_ADMIN', 'CUSTOMER_USER')")
+    @RequestMapping(value = "/customer/{customerId}/devices", params = { "limit" }, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<Device> getCustomerDevices(
+            @PathVariable("customerId") String strCustomerId,
+            @RequestParam int limit,
+            @RequestParam(required = false) String textSearch,
+            @RequestParam(required = false) String idOffset,
+            @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        checkParameter("customerId", strCustomerId);
+        try {
+            TenantId tenantId = getCurrentUser().getTenantId();
+            CustomerId customerId = new CustomerId(toUUID(strCustomerId));
+            checkCustomerId(customerId);
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            return checkNotNull(deviceService.findDevicesByTenantIdAndCustomerId(tenantId, customerId, pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+import org.thingsboard.server.common.data.EntityType;
+import org.thingsboard.server.common.data.Event;
+import org.thingsboard.server.common.data.id.*;
+import org.thingsboard.server.common.data.page.TimePageData;
+import org.thingsboard.server.common.data.page.TimePageLink;
+import org.thingsboard.server.dao.event.EventService;
+import org.thingsboard.server.dao.model.ModelConstants;
+import org.thingsboard.server.exception.ThingsboardErrorCode;
+import org.thingsboard.server.exception.ThingsboardException;
+
+@RestController
+@RequestMapping("/api")
+public class EventController extends BaseController {
+
+    @Autowired
+    private EventService eventService;
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')")
+    @RequestMapping(value = "/events/{entityType}/{entityId}/{eventType}", method = RequestMethod.GET)
+    @ResponseBody
+    public TimePageData<Event> getEvents(
+            @PathVariable("entityType") String strEntityType,
+            @PathVariable("entityId") String strEntityId,
+            @PathVariable("eventType") String eventType,
+            @RequestParam("tenantId") String strTenantId,
+            @RequestParam int limit,
+            @RequestParam(required = false) Long startTime,
+            @RequestParam(required = false) Long endTime,
+            @RequestParam(required = false, defaultValue = "false") boolean ascOrder,
+            @RequestParam(required = false) String offset
+    ) throws ThingsboardException {
+        checkParameter("EntityId", strEntityId);
+        checkParameter("EntityType", strEntityType);
+        try {
+            TenantId tenantId = new TenantId(toUUID(strTenantId));
+            if (!tenantId.getId().equals(ModelConstants.NULL_UUID) &&
+                    !tenantId.equals(getCurrentUser().getTenantId())) {
+                throw new ThingsboardException("You don't have permission to perform this operation!",
+                        ThingsboardErrorCode.PERMISSION_DENIED);
+            }
+            TimePageLink pageLink = createPageLink(limit, startTime, endTime, ascOrder, offset);
+            return checkNotNull(eventService.findEvents(tenantId, getEntityId(strEntityType, strEntityId), eventType, pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')")
+    @RequestMapping(value = "/events/{entityType}/{entityId}", method = RequestMethod.GET)
+    @ResponseBody
+    public TimePageData<Event> getEvents(
+            @PathVariable("entityType") String strEntityType,
+            @PathVariable("entityId") String strEntityId,
+            @RequestParam("tenantId") String strTenantId,
+            @RequestParam int limit,
+            @RequestParam(required = false) Long startTime,
+            @RequestParam(required = false) Long endTime,
+            @RequestParam(required = false, defaultValue = "false") boolean ascOrder,
+            @RequestParam(required = false) String offset
+    ) throws ThingsboardException {
+        checkParameter("EntityId", strEntityId);
+        checkParameter("EntityType", strEntityType);
+        try {
+            TenantId tenantId = new TenantId(toUUID(strTenantId));
+            if (!tenantId.getId().equals(ModelConstants.NULL_UUID) &&
+                    !tenantId.equals(getCurrentUser().getTenantId())) {
+                throw new ThingsboardException("You don't have permission to perform this operation!",
+                        ThingsboardErrorCode.PERMISSION_DENIED);
+            }
+            TimePageLink pageLink = createPageLink(limit, startTime, endTime, ascOrder, offset);
+            return checkNotNull(eventService.findEvents(tenantId, getEntityId(strEntityType, strEntityId), pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+
+    private EntityId getEntityId(String strEntityType, String strEntityId) throws ThingsboardException {
+        EntityId entityId;
+        EntityType entityType = EntityType.valueOf(strEntityType);
+        switch (entityType) {
+            case RULE:
+                entityId = new RuleId(toUUID(strEntityId));
+                break;
+            case PLUGIN:
+                entityId = new PluginId(toUUID(strEntityId));
+                break;
+            case DEVICE:
+                entityId = new DeviceId(toUUID(strEntityId));
+                break;
+            default:
+                throw new ThingsboardException("EntityType ['" + entityType + "'] is incorrect!", ThingsboardErrorCode.BAD_REQUEST_PARAMS);
+        }
+        return entityId;
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+import org.thingsboard.server.common.data.id.PluginId;
+import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.page.TextPageData;
+import org.thingsboard.server.common.data.page.TextPageLink;
+import org.thingsboard.server.common.data.plugin.ComponentLifecycleEvent;
+import org.thingsboard.server.common.data.plugin.PluginMetaData;
+import org.thingsboard.server.common.data.security.Authority;
+import org.thingsboard.server.common.data.widget.WidgetsBundle;
+import org.thingsboard.server.dao.model.ModelConstants;
+import org.thingsboard.server.exception.ThingsboardException;
+
+import java.util.List;
+
+@RestController
+@RequestMapping("/api")
+public class PluginController extends BaseController {
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/plugin/{pluginId}", method = RequestMethod.GET)
+    @ResponseBody
+    public PluginMetaData getPluginById(@PathVariable("pluginId") String strPluginId) throws ThingsboardException {
+        checkParameter("pluginId", strPluginId);
+        try {
+            PluginId pluginId = new PluginId(toUUID(strPluginId));
+            return checkPlugin(pluginService.findPluginById(pluginId));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/plugin/token/{pluginToken}", method = RequestMethod.GET)
+    @ResponseBody
+    public PluginMetaData getPluginByToken(@PathVariable("pluginToken") String pluginToken) throws ThingsboardException {
+        checkParameter("pluginToken", pluginToken);
+        try {
+            return checkPlugin(pluginService.findPluginByApiToken(pluginToken));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/plugin", method = RequestMethod.POST)
+    @ResponseBody
+    public PluginMetaData savePlugin(@RequestBody PluginMetaData source) throws ThingsboardException {
+        try {
+            boolean created = source.getId() == null;
+            source.setTenantId(getCurrentUser().getTenantId());
+            PluginMetaData plugin = checkNotNull(pluginService.savePlugin(source));
+            actorService.onPluginStateChange(plugin.getTenantId(), plugin.getId(),
+                    created ? ComponentLifecycleEvent.CREATED : ComponentLifecycleEvent.UPDATED);
+            return plugin;
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/plugin/{pluginId}/activate", method = RequestMethod.POST)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void activatePluginById(@PathVariable("pluginId") String strPluginId) throws ThingsboardException {
+        checkParameter("pluginId", strPluginId);
+        try {
+            PluginId pluginId = new PluginId(toUUID(strPluginId));
+            PluginMetaData plugin = checkPlugin(pluginService.findPluginById(pluginId));
+            pluginService.activatePluginById(pluginId);
+            actorService.onPluginStateChange(plugin.getTenantId(), plugin.getId(), ComponentLifecycleEvent.ACTIVATED);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/plugin/{pluginId}/suspend", method = RequestMethod.POST)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void suspendPluginById(@PathVariable("pluginId") String strPluginId) throws ThingsboardException {
+        checkParameter("pluginId", strPluginId);
+        try {
+            PluginId pluginId = new PluginId(toUUID(strPluginId));
+            PluginMetaData plugin = checkPlugin(pluginService.findPluginById(pluginId));
+            pluginService.suspendPluginById(pluginId);
+            actorService.onPluginStateChange(plugin.getTenantId(), plugin.getId(), ComponentLifecycleEvent.SUSPENDED);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('SYS_ADMIN')")
+    @RequestMapping(value = "/plugin/system", params = {"limit"}, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<PluginMetaData> getSystemPlugins(
+            @RequestParam int limit,
+            @RequestParam(required = false) String textSearch,
+            @RequestParam(required = false) String idOffset,
+            @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        try {
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            return checkNotNull(pluginService.findSystemPlugins(pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('SYS_ADMIN')")
+    @RequestMapping(value = "/plugin/tenant/{tenantId}", params = {"limit"}, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<PluginMetaData> getTenantPlugins(
+            @PathVariable("tenantId") String strTenantId,
+            @RequestParam int limit,
+            @RequestParam(required = false) String textSearch,
+            @RequestParam(required = false) String idOffset,
+            @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        checkParameter("tenantId", strTenantId);
+        try {
+            TenantId tenantId = new TenantId(toUUID(strTenantId));
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            return checkNotNull(pluginService.findTenantPlugins(tenantId, pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/plugins", method = RequestMethod.GET)
+    @ResponseBody
+    public List<PluginMetaData> getPlugins() throws ThingsboardException {
+        try {
+            if (getCurrentUser().getAuthority() == Authority.SYS_ADMIN) {
+                return checkNotNull(pluginService.findSystemPlugins());
+            } else {
+                TenantId tenantId = getCurrentUser().getTenantId();
+                List<PluginMetaData> plugins = checkNotNull(pluginService.findAllTenantPluginsByTenantId(tenantId));
+                plugins.stream()
+                        .filter(plugin -> plugin.getTenantId().getId().equals(ModelConstants.NULL_UUID))
+                        .forEach(plugin -> plugin.setConfiguration(null));
+                return plugins;
+            }
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/plugin", params = {"limit"}, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<PluginMetaData> getTenantPlugins(
+            @RequestParam int limit,
+            @RequestParam(required = false) String textSearch,
+            @RequestParam(required = false) String idOffset,
+            @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        try {
+            TenantId tenantId = getCurrentUser().getTenantId();
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            return checkNotNull(pluginService.findTenantPlugins(tenantId, pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/plugin/{pluginId}", method = RequestMethod.DELETE)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void deletePlugin(@PathVariable("pluginId") String strPluginId) throws ThingsboardException {
+        checkParameter("pluginId", strPluginId);
+        try {
+            PluginId pluginId = new PluginId(toUUID(strPluginId));
+            PluginMetaData plugin = checkPlugin(pluginService.findPluginById(pluginId));
+            pluginService.deletePluginById(pluginId);
+            actorService.onPluginStateChange(plugin.getTenantId(), plugin.getId(), ComponentLifecycleEvent.DELETED);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+import org.thingsboard.server.common.data.id.RuleId;
+import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.page.TextPageData;
+import org.thingsboard.server.common.data.page.TextPageLink;
+import org.thingsboard.server.common.data.plugin.ComponentLifecycleEvent;
+import org.thingsboard.server.common.data.plugin.PluginMetaData;
+import org.thingsboard.server.common.data.rule.RuleMetaData;
+import org.thingsboard.server.common.data.security.Authority;
+import org.thingsboard.server.exception.ThingsboardException;
+
+import java.util.List;
+
+@RestController
+@RequestMapping("/api")
+public class RuleController extends BaseController {
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/rule/{ruleId}", method = RequestMethod.GET)
+    @ResponseBody
+    public RuleMetaData getRuleById(@PathVariable("ruleId") String strRuleId) throws ThingsboardException {
+        checkParameter("ruleId", strRuleId);
+        try {
+            RuleId ruleId = new RuleId(toUUID(strRuleId));
+            return checkRule(ruleService.findRuleById(ruleId));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/rule/token/{pluginToken}", method = RequestMethod.GET)
+    @ResponseBody
+    public List<RuleMetaData> getRulesByPluginToken(@PathVariable("pluginToken") String pluginToken) throws ThingsboardException {
+        checkParameter("pluginToken", pluginToken);
+        try {
+            PluginMetaData plugin = checkPlugin(pluginService.findPluginByApiToken(pluginToken));
+            return ruleService.findPluginRules(plugin.getApiToken());
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/rule", method = RequestMethod.POST)
+    @ResponseBody
+    public RuleMetaData saveRule(@RequestBody RuleMetaData source) throws ThingsboardException {
+        try {
+            boolean created = source.getId() == null;
+            source.setTenantId(getCurrentUser().getTenantId());
+            RuleMetaData rule = checkNotNull(ruleService.saveRule(source));
+            actorService.onRuleStateChange(rule.getTenantId(), rule.getId(),
+                    created ? ComponentLifecycleEvent.CREATED : ComponentLifecycleEvent.UPDATED);
+            return rule;
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/rule/{ruleId}/activate", method = RequestMethod.POST)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void activateRuleById(@PathVariable("ruleId") String strRuleId) throws ThingsboardException {
+        checkParameter("ruleId", strRuleId);
+        try {
+            RuleId ruleId = new RuleId(toUUID(strRuleId));
+            RuleMetaData rule = checkRule(ruleService.findRuleById(ruleId));
+            ruleService.activateRuleById(ruleId);
+            actorService.onRuleStateChange(rule.getTenantId(), rule.getId(), ComponentLifecycleEvent.ACTIVATED);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/rule/{ruleId}/suspend", method = RequestMethod.POST)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void suspendRuleById(@PathVariable("ruleId") String strRuleId) throws ThingsboardException {
+        checkParameter("ruleId", strRuleId);
+        try {
+            RuleId ruleId = new RuleId(toUUID(strRuleId));
+            RuleMetaData rule = checkRule(ruleService.findRuleById(ruleId));
+            ruleService.suspendRuleById(ruleId);
+            actorService.onRuleStateChange(rule.getTenantId(), rule.getId(), ComponentLifecycleEvent.SUSPENDED);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('SYS_ADMIN')")
+    @RequestMapping(value = "/rule/system", params = {"limit"}, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<RuleMetaData> getSystemRules(
+            @RequestParam int limit,
+            @RequestParam(required = false) String textSearch,
+            @RequestParam(required = false) String idOffset,
+            @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        try {
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            return checkNotNull(ruleService.findSystemRules(pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('SYS_ADMIN')")
+    @RequestMapping(value = "/rule/tenant/{tenantId}", params = {"limit"}, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<RuleMetaData> getTenantRules(
+            @PathVariable("tenantId") String strTenantId,
+            @RequestParam int limit,
+            @RequestParam(required = false) String textSearch,
+            @RequestParam(required = false) String idOffset,
+            @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        checkParameter("tenantId", strTenantId);
+        try {
+            TenantId tenantId = new TenantId(toUUID(strTenantId));
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            return checkNotNull(ruleService.findTenantRules(tenantId, pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/rules", method = RequestMethod.GET)
+    @ResponseBody
+    public List<RuleMetaData> getRules() throws ThingsboardException {
+        try {
+            if (getCurrentUser().getAuthority() == Authority.SYS_ADMIN) {
+                return checkNotNull(ruleService.findSystemRules());
+            } else {
+                TenantId tenantId = getCurrentUser().getTenantId();
+                return checkNotNull(ruleService.findAllTenantRulesByTenantId(tenantId));
+            }
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/rule", params = {"limit"}, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<RuleMetaData> getTenantRules(
+            @RequestParam int limit,
+            @RequestParam(required = false) String textSearch,
+            @RequestParam(required = false) String idOffset,
+            @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        try {
+            TenantId tenantId = getCurrentUser().getTenantId();
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            return checkNotNull(ruleService.findTenantRules(tenantId, pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/rule/{ruleId}", method = RequestMethod.DELETE)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void deleteRule(@PathVariable("ruleId") String strRuleId) throws ThingsboardException {
+        checkParameter("ruleId", strRuleId);
+        try {
+            RuleId ruleId = new RuleId(toUUID(strRuleId));
+            RuleMetaData rule = checkRule(ruleService.findRuleById(ruleId));
+            ruleService.deleteRuleById(ruleId);
+            actorService.onRuleStateChange(rule.getTenantId(), rule.getId(), ComponentLifecycleEvent.DELETED);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+import org.thingsboard.server.common.data.Tenant;
+import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.page.TextPageData;
+import org.thingsboard.server.common.data.page.TextPageLink;
+import org.thingsboard.server.dao.tenant.TenantService;
+import org.thingsboard.server.exception.ThingsboardException;
+
+@RestController
+@RequestMapping("/api")
+public class TenantController extends BaseController {
+    
+    @Autowired
+    private TenantService tenantService;
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/tenant/{tenantId}", method = RequestMethod.GET)
+    @ResponseBody
+    public Tenant getTenantById(@PathVariable("tenantId") String strTenantId) throws ThingsboardException {
+        checkParameter("tenantId", strTenantId);
+        try {
+            TenantId tenantId = new TenantId(toUUID(strTenantId));
+            checkTenantId(tenantId);
+            return checkNotNull(tenantService.findTenantById(tenantId));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('SYS_ADMIN')")
+    @RequestMapping(value = "/tenant", method = RequestMethod.POST)
+    @ResponseBody 
+    public Tenant saveTenant(@RequestBody Tenant tenant) throws ThingsboardException {
+        try {
+            return checkNotNull(tenantService.saveTenant(tenant));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('SYS_ADMIN')")
+    @RequestMapping(value = "/tenant/{tenantId}", method = RequestMethod.DELETE)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void deleteTenant(@PathVariable("tenantId") String strTenantId) throws ThingsboardException {
+        checkParameter("tenantId", strTenantId);
+        try {
+            TenantId tenantId = new TenantId(toUUID(strTenantId));
+            tenantService.deleteTenant(tenantId);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('SYS_ADMIN')")
+    @RequestMapping(value = "/tenants", params = { "limit" }, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<Tenant> getTenants(@RequestParam int limit,
+                                           @RequestParam(required = false) String textSearch,
+                                           @RequestParam(required = false) String idOffset,
+                                           @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        try {
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            return checkNotNull(tenantService.findTenants(pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+    
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+import org.thingsboard.server.common.data.User;
+import org.thingsboard.server.common.data.id.CustomerId;
+import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.id.UserId;
+import org.thingsboard.server.common.data.page.TextPageData;
+import org.thingsboard.server.common.data.page.TextPageLink;
+import org.thingsboard.server.common.data.security.Authority;
+import org.thingsboard.server.common.data.security.UserCredentials;
+import org.thingsboard.server.exception.ThingsboardErrorCode;
+import org.thingsboard.server.exception.ThingsboardException;
+import org.thingsboard.server.service.mail.MailService;
+import org.thingsboard.server.service.security.model.SecurityUser;
+
+import javax.servlet.http.HttpServletRequest;
+
+@RestController
+@RequestMapping("/api")
+public class UserController extends BaseController {
+
+    @Autowired
+    private MailService mailService;
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')")
+    @RequestMapping(value = "/user/{userId}", method = RequestMethod.GET)
+    @ResponseBody
+    public User getUserById(@PathVariable("userId") String strUserId) throws ThingsboardException {
+        checkParameter("userId", strUserId);
+        try {
+            UserId userId = new UserId(toUUID(strUserId));
+            SecurityUser authUser = getCurrentUser();
+            if (authUser.getAuthority() == Authority.CUSTOMER_USER && !authUser.getId().equals(userId)) {
+                throw new ThingsboardException("You don't have permission to perform this operation!",
+                        ThingsboardErrorCode.PERMISSION_DENIED);
+            }
+            return checkUserId(userId);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')")
+    @RequestMapping(value = "/user", method = RequestMethod.POST)
+    @ResponseBody 
+    public User saveUser(@RequestBody User user,
+            HttpServletRequest request) throws ThingsboardException {
+        try {
+            SecurityUser authUser = getCurrentUser();
+            if (authUser.getAuthority() == Authority.CUSTOMER_USER && !authUser.getId().equals(user.getId())) {
+                throw new ThingsboardException("You don't have permission to perform this operation!",
+                        ThingsboardErrorCode.PERMISSION_DENIED);
+            }
+            boolean sendEmail = user.getId() == null;
+            if (getCurrentUser().getAuthority() == Authority.TENANT_ADMIN) {
+                user.setTenantId(getCurrentUser().getTenantId());
+            }
+            User savedUser = checkNotNull(userService.saveUser(user));
+            if (sendEmail) {
+                UserCredentials userCredentials = userService.findUserCredentialsByUserId(savedUser.getId());
+                String baseUrl = String.format("%s://%s:%d",
+                        request.getScheme(),  
+                        request.getServerName(), 
+                        request.getServerPort());             
+                String activateUrl = String.format("%s/api/noauth/activate?activateToken=%s", baseUrl,
+                        userCredentials.getActivateToken());
+                String email = savedUser.getEmail();
+                try {
+                    mailService.sendActivationEmail(activateUrl, email);
+                } catch (ThingsboardException e) {
+                    userService.deleteUser(savedUser.getId());
+                    throw e;
+                }
+            }
+            return savedUser;
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/user/sendActivationMail", method = RequestMethod.POST)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void sendActivationEmail(
+            @RequestParam(value = "email") String email,
+            HttpServletRequest request) throws ThingsboardException {
+        try {
+            User user = checkNotNull(userService.findUserByEmail(email));
+            UserCredentials userCredentials = userService.findUserCredentialsByUserId(user.getId());
+            if (!userCredentials.isEnabled()) {
+                String baseUrl = String.format("%s://%s:%d",
+                        request.getScheme(),  
+                        request.getServerName(), 
+                        request.getServerPort());             
+                String activateUrl = String.format("%s/api/noauth/activate?activateToken=%s", baseUrl,
+                        userCredentials.getActivateToken());
+                mailService.sendActivationEmail(activateUrl, email);
+            } else {
+                throw new ThingsboardException("User is already active!", ThingsboardErrorCode.BAD_REQUEST_PARAMS);
+            }
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/user/{userId}", method = RequestMethod.DELETE)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void deleteUser(@PathVariable("userId") String strUserId) throws ThingsboardException {
+        checkParameter("userId", strUserId);
+        try {
+            UserId userId = new UserId(toUUID(strUserId));
+            checkUserId(userId);
+            userService.deleteUser(userId);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('SYS_ADMIN')")
+    @RequestMapping(value = "/tenant/{tenantId}/users", params = { "limit" }, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<User> getTenantAdmins(
+            @PathVariable("tenantId") String strTenantId,
+            @RequestParam int limit,
+            @RequestParam(required = false) String textSearch,
+            @RequestParam(required = false) String idOffset,
+            @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        checkParameter("tenantId", strTenantId);
+        try {
+            TenantId tenantId = new TenantId(toUUID(strTenantId));
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            return checkNotNull(userService.findTenantAdmins(tenantId, pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAuthority('TENANT_ADMIN')")
+    @RequestMapping(value = "/customer/{customerId}/users", params = { "limit" }, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<User> getCustomerUsers(
+            @PathVariable("customerId") String strCustomerId,
+            @RequestParam int limit,
+            @RequestParam(required = false) String textSearch,
+            @RequestParam(required = false) String idOffset,
+            @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        checkParameter("customerId", strCustomerId);
+        try {
+            CustomerId customerId = new CustomerId(toUUID(strCustomerId));
+            checkCustomerId(customerId);
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            TenantId tenantId = getCurrentUser().getTenantId();
+            return checkNotNull(userService.findCustomerUsers(tenantId, customerId, pageLink));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+    
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.id.WidgetTypeId;
+import org.thingsboard.server.common.data.security.Authority;
+import org.thingsboard.server.common.data.widget.WidgetType;
+import org.thingsboard.server.dao.model.ModelConstants;
+import org.thingsboard.server.exception.ThingsboardException;
+
+import java.util.List;
+
+@RestController
+@RequestMapping("/api")
+public class WidgetTypeController extends BaseController {
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/widgetType/{widgetTypeId}", method = RequestMethod.GET)
+    @ResponseBody
+    public WidgetType getWidgetTypeById(@PathVariable("widgetTypeId") String strWidgetTypeId) throws ThingsboardException {
+        checkParameter("widgetTypeId", strWidgetTypeId);
+        try {
+            WidgetTypeId widgetTypeId = new WidgetTypeId(toUUID(strWidgetTypeId));
+            return checkWidgetTypeId(widgetTypeId, false);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/widgetType", method = RequestMethod.POST)
+    @ResponseBody
+    public WidgetType saveWidgetType(@RequestBody WidgetType widgetType) throws ThingsboardException {
+        try {
+            if (getCurrentUser().getAuthority() == Authority.SYS_ADMIN) {
+                widgetType.setTenantId(new TenantId(ModelConstants.NULL_UUID));
+            } else {
+                widgetType.setTenantId(getCurrentUser().getTenantId());
+            }
+            return checkNotNull(widgetTypeService.saveWidgetType(widgetType));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/widgetType/{widgetTypeId}", method = RequestMethod.DELETE)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void deleteWidgetType(@PathVariable("widgetTypeId") String strWidgetTypeId) throws ThingsboardException {
+        checkParameter("widgetTypeId", strWidgetTypeId);
+        try {
+            WidgetTypeId widgetTypeId = new WidgetTypeId(toUUID(strWidgetTypeId));
+            checkWidgetTypeId(widgetTypeId, true);
+            widgetTypeService.deleteWidgetType(widgetTypeId);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/widgetTypes", params = { "isSystem", "bundleAlias"}, method = RequestMethod.GET)
+    @ResponseBody
+    public List<WidgetType> getBundleWidgetTypes(
+            @RequestParam boolean isSystem,
+            @RequestParam String bundleAlias) throws ThingsboardException {
+        try {
+            TenantId tenantId;
+            if (isSystem) {
+                tenantId = new TenantId(ModelConstants.NULL_UUID);
+            } else {
+                tenantId = getCurrentUser().getTenantId();
+            }
+            return checkNotNull(widgetTypeService.findWidgetTypesByTenantIdAndBundleAlias(tenantId, bundleAlias));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')")
+    @RequestMapping(value = "/widgetType", params = { "isSystem", "bundleAlias", "alias" }, method = RequestMethod.GET)
+    @ResponseBody
+    public WidgetType getWidgetType(
+            @RequestParam boolean isSystem,
+            @RequestParam String bundleAlias,
+            @RequestParam String alias) throws ThingsboardException {
+        try {
+            TenantId tenantId;
+            if (isSystem) {
+                tenantId = new TenantId(ModelConstants.NULL_UUID);
+            } else {
+                tenantId = getCurrentUser().getTenantId();
+            }
+            WidgetType widgetType = widgetTypeService.findWidgetTypeByTenantIdBundleAliasAndAlias(tenantId, bundleAlias, alias);
+            checkWidgetType(widgetType, false);
+            return widgetType;
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.id.WidgetsBundleId;
+import org.thingsboard.server.common.data.page.TextPageData;
+import org.thingsboard.server.common.data.page.TextPageLink;
+import org.thingsboard.server.common.data.security.Authority;
+import org.thingsboard.server.common.data.widget.WidgetsBundle;
+import org.thingsboard.server.dao.model.ModelConstants;
+import org.thingsboard.server.exception.ThingsboardException;
+
+import java.util.List;
+
+@RestController
+@RequestMapping("/api")
+public class WidgetsBundleController extends BaseController {
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/widgetsBundle/{widgetsBundleId}", method = RequestMethod.GET)
+    @ResponseBody
+    public WidgetsBundle getWidgetsBundleById(@PathVariable("widgetsBundleId") String strWidgetsBundleId) throws ThingsboardException {
+        checkParameter("widgetsBundleId", strWidgetsBundleId);
+        try {
+            WidgetsBundleId widgetsBundleId = new WidgetsBundleId(toUUID(strWidgetsBundleId));
+            return checkWidgetsBundleId(widgetsBundleId, false);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/widgetsBundle", method = RequestMethod.POST)
+    @ResponseBody
+    public WidgetsBundle saveWidgetsBundle(@RequestBody WidgetsBundle widgetsBundle) throws ThingsboardException {
+        try {
+            if (getCurrentUser().getAuthority() == Authority.SYS_ADMIN) {
+                widgetsBundle.setTenantId(new TenantId(ModelConstants.NULL_UUID));
+            } else {
+                widgetsBundle.setTenantId(getCurrentUser().getTenantId());
+            }
+            return checkNotNull(widgetsBundleService.saveWidgetsBundle(widgetsBundle));
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/widgetsBundle/{widgetsBundleId}", method = RequestMethod.DELETE)
+    @ResponseStatus(value = HttpStatus.OK)
+    public void deleteWidgetsBundle(@PathVariable("widgetsBundleId") String strWidgetsBundleId) throws ThingsboardException {
+        checkParameter("widgetsBundleId", strWidgetsBundleId);
+        try {
+            WidgetsBundleId widgetsBundleId = new WidgetsBundleId(toUUID(strWidgetsBundleId));
+            checkWidgetsBundleId(widgetsBundleId, true);
+            widgetsBundleService.deleteWidgetsBundle(widgetsBundleId);
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/widgetsBundles", params = { "limit" }, method = RequestMethod.GET)
+    @ResponseBody
+    public TextPageData<WidgetsBundle> getWidgetsBundles(
+            @RequestParam int limit,
+            @RequestParam(required = false) String textSearch,
+            @RequestParam(required = false) String idOffset,
+            @RequestParam(required = false) String textOffset) throws ThingsboardException {
+        try {
+            TextPageLink pageLink = createPageLink(limit, textSearch, idOffset, textOffset);
+            if (getCurrentUser().getAuthority() == Authority.SYS_ADMIN) {
+                return checkNotNull(widgetsBundleService.findSystemWidgetsBundlesByPageLink(pageLink));
+            } else {
+                TenantId tenantId = getCurrentUser().getTenantId();
+                return checkNotNull(widgetsBundleService.findAllTenantWidgetsBundlesByTenantIdAndPageLink(tenantId, pageLink));
+            }
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN')")
+    @RequestMapping(value = "/widgetsBundles", method = RequestMethod.GET)
+    @ResponseBody
+    public List<WidgetsBundle> getWidgetsBundles() throws ThingsboardException {
+        try {
+            if (getCurrentUser().getAuthority() == Authority.SYS_ADMIN) {
+                return checkNotNull(widgetsBundleService.findSystemWidgetsBundles());
+            } else {
+                TenantId tenantId = getCurrentUser().getTenantId();
+                return checkNotNull(widgetsBundleService.findAllTenantWidgetsBundlesByTenantId(tenantId));
+            }
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller.plugin;
+
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.RequestEntity;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.context.request.async.DeferredResult;
+import org.thingsboard.server.actors.service.ActorService;
+import org.thingsboard.server.common.data.id.CustomerId;
+import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.plugin.PluginMetaData;
+import org.thingsboard.server.controller.BaseController;
+import org.thingsboard.server.dao.model.ModelConstants;
+import org.thingsboard.server.dao.plugin.PluginService;
+import org.thingsboard.server.exception.ThingsboardException;
+import org.thingsboard.server.extensions.api.plugins.PluginApiCallSecurityContext;
+import org.thingsboard.server.extensions.api.plugins.PluginConstants;
+import org.thingsboard.server.extensions.api.plugins.rest.BasicPluginRestMsg;
+import org.thingsboard.server.extensions.api.plugins.rest.RestRequest;
+
+import javax.servlet.http.HttpServletRequest;
+
+@RestController
+@RequestMapping(PluginConstants.PLUGIN_URL_PREFIX)
+@Slf4j
+public class PluginApiController extends BaseController {
+
+    @Autowired
+    private ActorService actorService;
+
+    @Autowired
+    private PluginService pluginService;
+
+    @SuppressWarnings("rawtypes")
+    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')")
+    @RequestMapping(value = "/{pluginToken}/**")
+    @ResponseStatus(value = HttpStatus.OK)
+    public DeferredResult<ResponseEntity> processRequest(
+            @PathVariable("pluginToken") String pluginToken,
+            RequestEntity<byte[]> requestEntity,
+            HttpServletRequest request)
+            throws ThingsboardException {
+        log.debug("[{}] Going to process requst uri: {}", pluginToken, requestEntity.getUrl());
+        DeferredResult<ResponseEntity> result = new DeferredResult<ResponseEntity>();
+        PluginMetaData pluginMd = pluginService.findPluginByApiToken(pluginToken);
+        if (pluginMd == null) {
+            result.setErrorResult(new PluginNotFoundException("Plugin with token: " + pluginToken + " not found!"));
+        } else {
+            TenantId tenantId = getCurrentUser().getTenantId();
+            CustomerId customerId = getCurrentUser().getCustomerId();
+            if (validatePluginAccess(pluginMd, tenantId, customerId)) {
+                if(ModelConstants.NULL_UUID.equals(tenantId.getId())){
+                    tenantId = null;
+                }
+                PluginApiCallSecurityContext securityCtx = new PluginApiCallSecurityContext(pluginMd.getTenantId(), pluginMd.getId(), tenantId, customerId);
+                actorService.process(new BasicPluginRestMsg(securityCtx, new RestRequest(requestEntity, request), result));
+            } else {
+                result.setResult(new ResponseEntity<>(HttpStatus.FORBIDDEN));
+            }
+
+        }
+        return result;
+    }
+
+    public static boolean validatePluginAccess(PluginMetaData pluginMd, TenantId tenantId, CustomerId customerId) {
+        boolean systemAdministrator = tenantId == null || ModelConstants.NULL_UUID.equals(tenantId.getId());
+        boolean tenantAdministrator = !systemAdministrator && (customerId == null || ModelConstants.NULL_UUID.equals(customerId.getId()));
+        boolean systemPlugin = ModelConstants.NULL_UUID.equals(pluginMd.getTenantId().getId());
+
+        boolean validUser = false;
+        if (systemPlugin) {
+            if (pluginMd.isPublicAccess() || systemAdministrator) {
+                // All users can access public system plugins. Only system
+                // users can access private system plugins
+                validUser = true;
+            }
+        } else {
+            if ((pluginMd.isPublicAccess() || tenantAdministrator) && tenantId.equals(pluginMd.getTenantId())) {
+                // All tenant users can access public tenant plugins. Only tenant
+                // administrator can access private tenant plugins
+                validUser = true;
+            }
+        }
+        return validUser;
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller.plugin;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@ResponseStatus(HttpStatus.NOT_FOUND)
+public class PluginNotFoundException extends RuntimeException {
+
+    private static final long serialVersionUID = 1L;
+    
+    public PluginNotFoundException(String message){
+        super(message);
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller.plugin;
+
+import java.io.IOException;
+import java.net.URI;
+import java.security.InvalidParameterException;
+import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.context.annotation.Lazy;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.thingsboard.server.actors.service.ActorService;
+import org.thingsboard.server.config.WebSocketConfiguration;
+import org.thingsboard.server.extensions.api.plugins.PluginConstants;
+import org.thingsboard.server.service.security.model.SecurityUser;
+import org.thingsboard.server.common.data.id.CustomerId;
+import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.plugin.PluginMetaData;
+import org.thingsboard.server.dao.plugin.PluginService;
+import org.thingsboard.server.extensions.api.plugins.PluginApiCallSecurityContext;
+import org.thingsboard.server.extensions.api.plugins.ws.BasicPluginWebsocketSessionRef;
+import org.thingsboard.server.extensions.api.plugins.ws.PluginWebsocketSessionRef;
+import org.thingsboard.server.extensions.api.plugins.ws.SessionEvent;
+import org.thingsboard.server.extensions.api.plugins.ws.msg.PluginWebsocketMsg;
+import org.thingsboard.server.extensions.api.plugins.ws.msg.SessionEventPluginWebSocketMsg;
+import org.thingsboard.server.extensions.api.plugins.ws.msg.TextPluginWebSocketMsg;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+import org.springframework.web.socket.CloseStatus;
+import org.springframework.web.socket.TextMessage;
+import org.springframework.web.socket.WebSocketSession;
+import org.springframework.web.socket.handler.TextWebSocketHandler;
+
+@Service
+@Slf4j
+public class PluginWebSocketHandler extends TextWebSocketHandler implements PluginWebSocketMsgEndpoint {
+
+    private static final ConcurrentMap<String, SessionMetaData> internalSessionMap = new ConcurrentHashMap<>();
+    private static final ConcurrentMap<String, String> externalSessionMap = new ConcurrentHashMap<>();
+
+    @Autowired @Lazy
+    private ActorService actorService;
+
+    @Autowired @Lazy
+    private PluginService pluginService;
+
+    @Override
+    public void handleTextMessage(WebSocketSession session, TextMessage message) {
+        try {
+            log.info("[{}] Processing {}", session.getId(), message);
+            SessionMetaData sessionMd = internalSessionMap.get(session.getId());
+            if (sessionMd != null) {
+                actorService.process(new TextPluginWebSocketMsg(sessionMd.sessionRef, message.getPayload()));
+            } else {
+                log.warn("[{}] Failed to find session", session.getId());
+                session.close(CloseStatus.SERVER_ERROR.withReason("Session not found!"));
+            }
+            session.sendMessage(message);
+        } catch (IOException e) {
+            log.warn("IO error", e);
+        }
+    }
+
+    @Override
+    public void afterConnectionEstablished(WebSocketSession session) throws Exception {
+        super.afterConnectionEstablished(session);
+        try {
+            String internalSessionId = session.getId();
+            PluginWebsocketSessionRef sessionRef = toRef(session);
+            String externalSessionId = sessionRef.getSessionId();
+            internalSessionMap.put(internalSessionId, new SessionMetaData(session, sessionRef));
+            externalSessionMap.put(externalSessionId, internalSessionId);
+            actorService.process(new SessionEventPluginWebSocketMsg(sessionRef, SessionEvent.onEstablished()));
+            log.info("[{}][{}] Session is started", externalSessionId, session.getId());
+        } catch (InvalidParameterException e) {
+            log.warn("[[{}] Failed to start session", session.getId(), e);
+            session.close(CloseStatus.BAD_DATA.withReason(e.getMessage()));
+        } catch (Exception e) {
+            log.warn("[{}] Failed to start session", session.getId(), e);
+            session.close(CloseStatus.SERVER_ERROR.withReason(e.getMessage()));
+        }
+    }
+
+    @Override
+    public void handleTransportError(WebSocketSession session, Throwable tError) throws Exception {
+        super.handleTransportError(session, tError);
+        SessionMetaData sessionMd = internalSessionMap.get(session.getId());
+        if (sessionMd != null) {
+            actorService.process(new SessionEventPluginWebSocketMsg(sessionMd.sessionRef, SessionEvent.onError(tError)));
+        } else {
+            log.warn("[{}] Failed to find session", session.getId());
+        }
+        log.trace("[{}] Session transport error", session.getId(), tError);
+    }
+
+    @Override
+    public void afterConnectionClosed(WebSocketSession session, CloseStatus closeStatus) throws Exception {
+        super.afterConnectionClosed(session, closeStatus);
+        SessionMetaData sessionMd = internalSessionMap.remove(session.getId());
+        if (sessionMd != null) {
+            externalSessionMap.remove(sessionMd.sessionRef.getSessionId());
+            actorService.process(new SessionEventPluginWebSocketMsg(sessionMd.sessionRef, SessionEvent.onClosed()));
+        }
+        log.info("[{}] Session is closed", session.getId());
+    }
+
+    private PluginWebsocketSessionRef toRef(WebSocketSession session) throws IOException {
+        URI sessionUri = session.getUri();
+        String path = sessionUri.getPath();
+        path = path.substring(WebSocketConfiguration.WS_PLUGIN_PREFIX.length());
+        if (path.length() == 0) {
+            throw new IllegalArgumentException("URL should contain plugin token!");
+        }
+        String[] pathElements = path.split("/");
+        String pluginToken = pathElements[0];
+        // TODO: cache
+        PluginMetaData pluginMd = pluginService.findPluginByApiToken(pluginToken);
+        if (pluginMd == null) {
+            throw new InvalidParameterException("Can't find plugin with specified token!");
+        } else {
+            SecurityUser currentUser = (SecurityUser) session.getAttributes().get(WebSocketConfiguration.WS_SECURITY_USER_ATTRIBUTE);
+            TenantId tenantId = currentUser.getTenantId();
+            CustomerId customerId = currentUser.getCustomerId();
+            if (PluginApiController.validatePluginAccess(pluginMd, tenantId, customerId)) {
+                PluginApiCallSecurityContext securityCtx = new PluginApiCallSecurityContext(pluginMd.getTenantId(), pluginMd.getId(), tenantId,
+                        currentUser.getCustomerId());
+                return new BasicPluginWebsocketSessionRef(UUID.randomUUID().toString(), securityCtx, session.getUri(), session.getAttributes(),
+                        session.getLocalAddress(), session.getRemoteAddress());
+            } else {
+                throw new SecurityException("Current user is not allowed to use this plugin!");
+            }
+        }
+    }
+
+    private static class SessionMetaData {
+        private final WebSocketSession session;
+        private final PluginWebsocketSessionRef sessionRef;
+
+        public SessionMetaData(WebSocketSession session, PluginWebsocketSessionRef sessionRef) {
+            super();
+            this.session = session;
+            this.sessionRef = sessionRef;
+        }
+    }
+
+    @Override
+    public void send(PluginWebsocketMsg<?> wsMsg) throws IOException {
+        PluginWebsocketSessionRef sessionRef = wsMsg.getSessionRef();
+        String externalId = sessionRef.getSessionId();
+        log.debug("[{}] Processing {}", externalId, wsMsg);
+        String internalId = externalSessionMap.get(externalId);
+        if (internalId != null) {
+            SessionMetaData sessionMd = internalSessionMap.get(internalId);
+            if (sessionMd != null) {
+                if (wsMsg instanceof TextPluginWebSocketMsg) {
+                    String payload = ((TextPluginWebSocketMsg) wsMsg).getPayload();
+                    sessionMd.session.sendMessage(new TextMessage(payload));
+                }
+            } else {
+                log.warn("[{}][{}] Failed to find session by internal id", externalId, internalId);
+            }
+        } else {
+            log.warn("[{}] Failed to find session by external id", externalId);
+        }
+    }
+
+    @Override
+    public void close(PluginWebsocketSessionRef sessionRef) throws IOException {
+        String externalId = sessionRef.getSessionId();
+        log.debug("[{}] Processing close request", externalId);
+        String internalId = externalSessionMap.get(externalId);
+        if (internalId != null) {
+            SessionMetaData sessionMd = internalSessionMap.get(internalId);
+            if (sessionMd != null) {
+                sessionMd.session.close(CloseStatus.NORMAL);
+            } else {
+                log.warn("[{}][{}] Failed to find session by internal id", externalId, internalId);
+            }
+        } else {
+            log.warn("[{}] Failed to find session by external id", externalId);
+        }
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.controller.plugin;
+
+import java.io.IOException;
+
+import org.thingsboard.server.extensions.api.plugins.ws.PluginWebsocketSessionRef;
+import org.thingsboard.server.extensions.api.plugins.ws.msg.PluginWebsocketMsg;
+
+public interface PluginWebSocketMsgEndpoint {
+
+    void send(PluginWebsocketMsg<?> wsMsg) throws IOException;
+
+    void close(PluginWebsocketSessionRef sessionRef) throws IOException;
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.exception;
+
+import com.fasterxml.jackson.annotation.JsonValue;
+
+public enum ThingsboardErrorCode {
+
+    GENERAL(2),
+    AUTHENTICATION(10),
+    JWT_TOKEN_EXPIRED(11),
+    PERMISSION_DENIED(20),
+    INVALID_ARGUMENTS(30),
+    BAD_REQUEST_PARAMS(31),
+    ITEM_NOT_FOUND(32);
+
+    private int errorCode;
+
+    ThingsboardErrorCode(int errorCode) {
+        this.errorCode = errorCode;
+    }
+
+    @JsonValue
+    public int getErrorCode() {
+        return errorCode;
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.exception;
+
+import org.springframework.http.HttpStatus;
+
+import java.util.Date;
+
+public class ThingsboardErrorResponse {
+    // HTTP Response Status Code
+    private final HttpStatus status;
+
+    // General Error message
+    private final String message;
+
+    // Error code
+    private final ThingsboardErrorCode errorCode;
+
+    private final Date timestamp;
+
+    protected ThingsboardErrorResponse(final String message, final ThingsboardErrorCode errorCode, HttpStatus status) {
+        this.message = message;
+        this.errorCode = errorCode;
+        this.status = status;
+        this.timestamp = new java.util.Date();
+    }
+
+    public static ThingsboardErrorResponse of(final String message, final ThingsboardErrorCode errorCode, HttpStatus status) {
+        return new ThingsboardErrorResponse(message, errorCode, status);
+    }
+
+    public Integer getStatus() {
+        return status.value();
+    }
+
+    public String getMessage() {
+        return message;
+    }
+
+    public ThingsboardErrorCode getErrorCode() {
+        return errorCode;
+    }
+
+    public Date getTimestamp() {
+        return timestamp;
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.exception;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.extern.slf4j.Slf4j;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.stereotype.Component;
+import org.thingsboard.server.service.security.exception.AuthMethodNotSupportedException;
+import org.thingsboard.server.service.security.exception.JwtExpiredTokenException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+@Component
+@Slf4j
+public class ThingsboardErrorResponseHandler implements AccessDeniedHandler {
+
+    @Autowired
+    private ObjectMapper mapper;
+
+    @Override
+    public void handle(HttpServletRequest request, HttpServletResponse response,
+                       AccessDeniedException accessDeniedException) throws IOException,
+            ServletException {
+        if (!response.isCommitted()) {
+            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+            response.setStatus(HttpStatus.FORBIDDEN.value());
+            mapper.writeValue(response.getWriter(),
+                    ThingsboardErrorResponse.of("You don't have permission to perform this operation!",
+                            ThingsboardErrorCode.PERMISSION_DENIED, HttpStatus.FORBIDDEN));
+        }
+    }
+
+    public void handle(Exception exception, HttpServletResponse response) {
+        log.debug("Processing exception {}", exception.getMessage(), exception);
+        if (!response.isCommitted()) {
+            try {
+                response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+
+                if (exception instanceof ThingsboardException) {
+                    handleThingsboardException((ThingsboardException) exception, response);
+                } else if (exception instanceof AccessDeniedException) {
+                    handleAccessDeniedException(response);
+                } else if (exception instanceof AuthenticationException) {
+                    handleAuthenticationException((AuthenticationException) exception, response);
+                } else {
+                    response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
+                    mapper.writeValue(response.getWriter(), ThingsboardErrorResponse.of(exception.getMessage(),
+                            ThingsboardErrorCode.GENERAL, HttpStatus.INTERNAL_SERVER_ERROR));
+                }
+            } catch (IOException e) {
+                log.error("Can't handle exception", e);
+            }
+        }
+    }
+
+    private void handleThingsboardException(ThingsboardException thingsboardException, HttpServletResponse response) throws IOException {
+
+        ThingsboardErrorCode errorCode = thingsboardException.getErrorCode();
+        HttpStatus status;
+
+        switch (errorCode) {
+            case AUTHENTICATION:
+                status = HttpStatus.UNAUTHORIZED;
+                break;
+            case PERMISSION_DENIED:
+                status = HttpStatus.FORBIDDEN;
+                break;
+            case INVALID_ARGUMENTS:
+                status = HttpStatus.BAD_REQUEST;
+                break;
+            case ITEM_NOT_FOUND:
+                status = HttpStatus.NOT_FOUND;
+                break;
+            case BAD_REQUEST_PARAMS:
+                status = HttpStatus.BAD_REQUEST;
+                break;
+            case GENERAL:
+                status = HttpStatus.INTERNAL_SERVER_ERROR;
+                break;
+            default:
+                status = HttpStatus.INTERNAL_SERVER_ERROR;
+                break;
+        }
+
+        response.setStatus(status.value());
+        mapper.writeValue(response.getWriter(), ThingsboardErrorResponse.of(thingsboardException.getMessage(), errorCode, status));
+    }
+
+    private void handleAccessDeniedException(HttpServletResponse response) throws IOException {
+        response.setStatus(HttpStatus.FORBIDDEN.value());
+        mapper.writeValue(response.getWriter(),
+                ThingsboardErrorResponse.of("You don't have permission to perform this operation!",
+                        ThingsboardErrorCode.PERMISSION_DENIED, HttpStatus.FORBIDDEN));
+
+    }
+
+    private void handleAuthenticationException(AuthenticationException authenticationException, HttpServletResponse response) throws IOException {
+        response.setStatus(HttpStatus.UNAUTHORIZED.value());
+        if (authenticationException instanceof BadCredentialsException) {
+            mapper.writeValue(response.getWriter(), ThingsboardErrorResponse.of("Invalid username or password", ThingsboardErrorCode.AUTHENTICATION, HttpStatus.UNAUTHORIZED));
+        } else if (authenticationException instanceof JwtExpiredTokenException) {
+            mapper.writeValue(response.getWriter(), ThingsboardErrorResponse.of("Token has expired", ThingsboardErrorCode.JWT_TOKEN_EXPIRED, HttpStatus.UNAUTHORIZED));
+        } else if (authenticationException instanceof AuthMethodNotSupportedException) {
+            mapper.writeValue(response.getWriter(), ThingsboardErrorResponse.of(authenticationException.getMessage(), ThingsboardErrorCode.AUTHENTICATION, HttpStatus.UNAUTHORIZED));
+        }
+        mapper.writeValue(response.getWriter(), ThingsboardErrorResponse.of("Authentication failed", ThingsboardErrorCode.AUTHENTICATION, HttpStatus.UNAUTHORIZED));
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.exception;
+
+public class ThingsboardException extends Exception {
+
+    private static final long serialVersionUID = 1L;
+
+    private ThingsboardErrorCode errorCode;
+
+    public ThingsboardException() {
+        super();
+    }
+
+    public ThingsboardException(ThingsboardErrorCode errorCode) {
+        this.errorCode = errorCode;
+    }
+
+    public ThingsboardException(String message, ThingsboardErrorCode errorCode) {
+        super(message);
+        this.errorCode = errorCode;
+    }
+
+    public ThingsboardException(String message, Throwable cause, ThingsboardErrorCode errorCode) {
+        super(message, cause);
+        this.errorCode = errorCode;
+    }
+
+    public ThingsboardException(Throwable cause, ThingsboardErrorCode errorCode) {
+        super(cause);
+        this.errorCode = errorCode;
+    }
+
+    public ThingsboardErrorCode getErrorCode() {
+        return errorCode;
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.environment;
+
+import lombok.extern.slf4j.Slf4j;
+import org.apache.zookeeper.Environment;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.stereotype.Service;
+
+import javax.annotation.PostConstruct;
+
+/**
+ * Created by igor on 11/24/16.
+ */
+
+@Service("environmentLogService")
+@ConditionalOnProperty(prefix = "zk", value = "enabled", havingValue = "false", matchIfMissing = true)
+@Slf4j
+public class EnvironmentLogService {
+
+    @PostConstruct
+    public void init() {
+        Environment.logEnv("Thingsboard server environment: ", log);
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.mail;
+
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Properties;
+
+import javax.annotation.PostConstruct;
+import javax.mail.internet.MimeMessage;
+
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.velocity.app.VelocityEngine;
+import org.thingsboard.server.exception.ThingsboardErrorCode;
+import org.thingsboard.server.exception.ThingsboardException;
+import org.thingsboard.server.common.data.AdminSettings;
+import org.thingsboard.server.dao.settings.AdminSettingsService;
+import org.thingsboard.server.dao.exception.IncorrectParameterException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.MessageSource;
+import org.springframework.core.NestedRuntimeException;
+import org.springframework.mail.javamail.JavaMailSenderImpl;
+import org.springframework.mail.javamail.MimeMessageHelper;
+import org.springframework.stereotype.Service;
+import org.springframework.ui.velocity.VelocityEngineUtils;
+
+import com.fasterxml.jackson.databind.JsonNode;
+@Service
+@Slf4j
+public class DefaultMailService implements MailService {
+
+    @Autowired
+    private MessageSource messages;
+    
+    @Autowired
+    private VelocityEngine engine;
+    
+    private JavaMailSenderImpl mailSender;
+    
+    private String mailFrom;
+    
+    @Autowired
+    private AdminSettingsService adminSettingsService; 
+    
+    @PostConstruct
+    private void init() {
+        updateMailConfiguration();
+    }
+
+    @Override
+    public void updateMailConfiguration() {
+        AdminSettings settings = adminSettingsService.findAdminSettingsByKey("mail");
+        JsonNode jsonConfig = settings.getJsonValue();
+        mailSender = createMailSender(jsonConfig);
+        mailFrom = jsonConfig.get("mailFrom").asText();
+    }
+    
+    private JavaMailSenderImpl createMailSender(JsonNode jsonConfig) {
+        JavaMailSenderImpl mailSender = new JavaMailSenderImpl();
+        mailSender.setHost(jsonConfig.get("smtpHost").asText());
+        mailSender.setPort(parsePort(jsonConfig.get("smtpPort").asText()));
+        mailSender.setUsername(jsonConfig.get("username").asText());
+        mailSender.setPassword(jsonConfig.get("password").asText());
+        mailSender.setJavaMailProperties(createJavaMailProperties(jsonConfig));
+        return mailSender;
+    }
+
+    private Properties createJavaMailProperties(JsonNode jsonConfig) {
+        Properties javaMailProperties = new Properties();
+        String protocol = jsonConfig.get("smtpProtocol").asText();
+        javaMailProperties.put("mail.transport.protocol", protocol);
+        javaMailProperties.put("mail." + protocol + ".host", jsonConfig.get("smtpHost").asText());
+        javaMailProperties.put("mail." + protocol + ".port", jsonConfig.get("smtpPort").asText());
+        javaMailProperties.put("mail." + protocol + ".timeout", jsonConfig.get("timeout").asText());
+        javaMailProperties.put("mail." + protocol + ".auth", String.valueOf(StringUtils.isNotEmpty(jsonConfig.get("username").asText())));
+        javaMailProperties.put("mail." + protocol + ".starttls.enable", jsonConfig.get("enableTls"));
+        return javaMailProperties;
+    }
+    
+    private int parsePort(String strPort) {
+        try {
+            return Integer.valueOf(strPort);
+        } catch (NumberFormatException e) {
+            throw new IncorrectParameterException(String.format("Invalid smtp port value: %s", strPort));
+        }
+    }
+    
+    @Override
+    public void sendTestMail(JsonNode jsonConfig, String email) throws ThingsboardException {
+        JavaMailSenderImpl testMailSender = createMailSender(jsonConfig);
+        String mailFrom = jsonConfig.get("mailFrom").asText();
+        String subject = messages.getMessage("test.message.subject", null, Locale.US);
+        
+        Map<String, Object> model = new HashMap<String, Object>();
+        model.put("targetEmail", email);
+        
+        String message = VelocityEngineUtils.mergeTemplateIntoString(this.engine,
+                "test.vm", "UTF-8", model);
+        
+        sendMail(testMailSender, mailFrom, email, subject, message); 
+    }
+
+    @Override
+    public void sendActivationEmail(String activationLink, String email) throws ThingsboardException {
+        
+        String subject = messages.getMessage("activation.subject", null, Locale.US);
+        
+        Map<String, Object> model = new HashMap<String, Object>();
+        model.put("activationLink", activationLink);
+        model.put("targetEmail", email);
+        
+        String message = VelocityEngineUtils.mergeTemplateIntoString(this.engine,
+                "activation.vm", "UTF-8", model);
+        
+        sendMail(mailSender, mailFrom, email, subject, message); 
+    }
+    
+    @Override
+    public void sendAccountActivatedEmail(String loginLink, String email) throws ThingsboardException {
+        
+        String subject = messages.getMessage("account.activated.subject", null, Locale.US);
+        
+        Map<String, Object> model = new HashMap<String, Object>();
+        model.put("loginLink", loginLink);
+        model.put("targetEmail", email);
+        
+        String message = VelocityEngineUtils.mergeTemplateIntoString(this.engine,
+                "account.activated.vm", "UTF-8", model);
+        
+        sendMail(mailSender, mailFrom, email, subject, message); 
+    }
+
+    @Override
+    public void sendResetPasswordEmail(String passwordResetLink, String email) throws ThingsboardException {
+        
+        String subject = messages.getMessage("reset.password.subject", null, Locale.US);
+        
+        Map<String, Object> model = new HashMap<String, Object>();
+        model.put("passwordResetLink", passwordResetLink);
+        model.put("targetEmail", email);
+        
+        String message = VelocityEngineUtils.mergeTemplateIntoString(this.engine,
+                "reset.password.vm", "UTF-8", model);
+        
+        sendMail(mailSender, mailFrom, email, subject, message); 
+    }
+    
+    @Override
+    public void sendPasswordWasResetEmail(String loginLink, String email) throws ThingsboardException {
+        
+        String subject = messages.getMessage("password.was.reset.subject", null, Locale.US);
+        
+        Map<String, Object> model = new HashMap<String, Object>();
+        model.put("loginLink", loginLink);
+        model.put("targetEmail", email);
+        
+        String message = VelocityEngineUtils.mergeTemplateIntoString(this.engine,
+                "password.was.reset.vm", "UTF-8", model);
+        
+        sendMail(mailSender, mailFrom, email, subject, message); 
+    }
+
+
+    private void sendMail(JavaMailSenderImpl mailSender, 
+            String mailFrom, String email, 
+            String subject, String message) throws ThingsboardException {
+        try {
+            MimeMessage mimeMsg = mailSender.createMimeMessage();
+            MimeMessageHelper helper = new MimeMessageHelper(mimeMsg, "UTF-8");
+            helper.setFrom(mailFrom);
+            helper.setTo(email);
+            helper.setSubject(subject);
+            helper.setText(message, true);
+            mailSender.send(helper.getMimeMessage());
+        } catch (Exception e) {
+            throw handleException(e);
+        }
+    }
+
+    protected ThingsboardException handleException(Exception exception) {
+        String message;
+        if (exception instanceof NestedRuntimeException) {
+            message = ((NestedRuntimeException)exception).getMostSpecificCause().getMessage();
+        } else {
+            message = exception.getMessage();
+        }
+        return new ThingsboardException(String.format("Unable to send mail: %s", message),
+                ThingsboardErrorCode.GENERAL);
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.mail;
+
+import org.thingsboard.server.exception.ThingsboardException;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+public interface MailService {
+
+    void updateMailConfiguration();
+    
+    void sendTestMail(JsonNode config, String email) throws ThingsboardException;
+    
+    void sendActivationEmail(String activationLink, String email) throws ThingsboardException;
+    
+    void sendAccountActivatedEmail(String loginLink, String email) throws ThingsboardException;
+    
+    void sendResetPasswordEmail(String passwordResetLink, String email) throws ThingsboardException;
+    
+    void sendPasswordWasResetEmail(String loginLink, String email) throws ThingsboardException;
+    
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.thingsboard.server.service.security.model.SecurityUser;
+import org.thingsboard.server.service.security.model.token.RawAccessJwtToken;
+
+public abstract class AbstractJwtAuthenticationToken extends AbstractAuthenticationToken {
+
+    private static final long serialVersionUID = -6212297506742428406L;
+
+    private RawAccessJwtToken rawAccessToken;
+    private SecurityUser securityUser;
+
+    public AbstractJwtAuthenticationToken(RawAccessJwtToken unsafeToken) {
+        super(null);
+        this.rawAccessToken = unsafeToken;
+        this.setAuthenticated(false);
+    }
+
+    public AbstractJwtAuthenticationToken(SecurityUser securityUser) {
+        super(securityUser.getAuthorities());
+        this.eraseCredentials();
+        this.securityUser = securityUser;
+        super.setAuthenticated(true);
+    }
+
+    @Override
+    public void setAuthenticated(boolean authenticated) {
+        if (authenticated) {
+            throw new IllegalArgumentException(
+                    "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
+        }
+        super.setAuthenticated(false);
+    }
+
+    @Override
+    public Object getCredentials() {
+        return rawAccessToken;
+    }
+
+    @Override
+    public Object getPrincipal() {
+        return this.securityUser;
+    }
+
+    @Override
+    public void eraseCredentials() {
+        super.eraseCredentials();
+        this.rawAccessToken = null;
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth;
+
+import org.thingsboard.server.service.security.model.SecurityUser;
+import org.thingsboard.server.service.security.model.token.RawAccessJwtToken;
+
+public class JwtAuthenticationToken extends AbstractJwtAuthenticationToken {
+
+    private static final long serialVersionUID = -8487219769037942225L;
+
+    public JwtAuthenticationToken(RawAccessJwtToken unsafeToken) {
+        super(unsafeToken);
+    }
+
+    public JwtAuthenticationToken(SecurityUser securityUser) {
+        super(securityUser);
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth;
+
+import org.thingsboard.server.service.security.model.SecurityUser;
+import org.thingsboard.server.service.security.model.token.RawAccessJwtToken;
+
+public class RefreshAuthenticationToken extends AbstractJwtAuthenticationToken {
+
+    private static final long serialVersionUID = -1311042791508924523L;
+
+    public RefreshAuthenticationToken(RawAccessJwtToken unsafeToken) {
+        super(unsafeToken);
+    }
+
+    public RefreshAuthenticationToken(SecurityUser securityUser) {
+        super(securityUser);
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.jwt;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jws;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.stereotype.Component;
+import org.thingsboard.server.config.JwtSettings;
+import org.thingsboard.server.service.security.auth.JwtAuthenticationToken;
+import org.thingsboard.server.service.security.model.SecurityUser;
+import org.thingsboard.server.service.security.model.token.JwtTokenFactory;
+import org.thingsboard.server.service.security.model.token.RawAccessJwtToken;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+@Component
+@SuppressWarnings("unchecked")
+public class JwtAuthenticationProvider implements AuthenticationProvider {
+
+    private final JwtTokenFactory tokenFactory;
+
+    @Autowired
+    public JwtAuthenticationProvider(JwtTokenFactory tokenFactory) {
+        this.tokenFactory = tokenFactory;
+    }
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        RawAccessJwtToken rawAccessToken = (RawAccessJwtToken) authentication.getCredentials();
+        SecurityUser securityUser = tokenFactory.parseAccessJwtToken(rawAccessToken);
+        return new JwtAuthenticationToken(securityUser);
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return (JwtAuthenticationToken.class.isAssignableFrom(authentication));
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.jwt;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.thingsboard.server.config.ThingsboardSecurityConfiguration;
+import org.thingsboard.server.service.security.auth.JwtAuthenticationToken;
+import org.thingsboard.server.service.security.auth.jwt.extractor.TokenExtractor;
+import org.thingsboard.server.service.security.model.token.RawAccessJwtToken;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class JwtTokenAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter {
+    private final AuthenticationFailureHandler failureHandler;
+    private final TokenExtractor tokenExtractor;
+
+    @Autowired
+    public JwtTokenAuthenticationProcessingFilter(AuthenticationFailureHandler failureHandler,
+                                                  TokenExtractor tokenExtractor, RequestMatcher matcher) {
+        super(matcher);
+        this.failureHandler = failureHandler;
+        this.tokenExtractor = tokenExtractor;
+    }
+
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
+            throws AuthenticationException, IOException, ServletException {
+        RawAccessJwtToken token = new RawAccessJwtToken(tokenExtractor.extract(request));
+        return getAuthenticationManager().authenticate(new JwtAuthenticationToken(token));
+    }
+
+    @Override
+    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
+                                            Authentication authResult) throws IOException, ServletException {
+        SecurityContext context = SecurityContextHolder.createEmptyContext();
+        context.setAuthentication(authResult);
+        SecurityContextHolder.setContext(context);
+        chain.doFilter(request, response);
+    }
+
+    @Override
+    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
+                                              AuthenticationException failed) throws IOException, ServletException {
+        SecurityContextHolder.clearContext();
+        failureHandler.onAuthenticationFailure(request, response, failed);
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.jwt;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.DisabledException;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Component;
+import org.springframework.util.Assert;
+import org.thingsboard.server.common.data.User;
+import org.thingsboard.server.common.data.security.UserCredentials;
+import org.thingsboard.server.dao.user.UserService;
+import org.thingsboard.server.service.security.auth.RefreshAuthenticationToken;
+import org.thingsboard.server.service.security.model.SecurityUser;
+import org.thingsboard.server.service.security.model.token.JwtTokenFactory;
+import org.thingsboard.server.service.security.model.token.RawAccessJwtToken;
+
+@Component
+public class RefreshTokenAuthenticationProvider implements AuthenticationProvider {
+
+    private final JwtTokenFactory tokenFactory;
+    private final UserService userService;
+
+    @Autowired
+    public RefreshTokenAuthenticationProvider(final UserService userService, final JwtTokenFactory tokenFactory) {
+        this.userService = userService;
+        this.tokenFactory = tokenFactory;
+    }
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        Assert.notNull(authentication, "No authentication data provided");
+        RawAccessJwtToken rawAccessToken = (RawAccessJwtToken) authentication.getCredentials();
+        SecurityUser unsafeUser = tokenFactory.parseRefreshToken(rawAccessToken);
+
+        User user = userService.findUserById(unsafeUser.getId());
+        if (user == null) {
+            throw new UsernameNotFoundException("User not found by refresh token");
+        }
+
+        UserCredentials userCredentials = userService.findUserCredentialsByUserId(user.getId());
+        if (userCredentials == null) {
+            throw new UsernameNotFoundException("User credentials not found");
+        }
+
+        if (!userCredentials.isEnabled()) {
+            throw new DisabledException("User is not active");
+        }
+
+        if (user.getAuthority() == null) throw new InsufficientAuthenticationException("User has no authority assigned");
+
+        SecurityUser securityUser = new SecurityUser(user, userCredentials.isEnabled());
+
+        return new RefreshAuthenticationToken(securityUser);
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return (RefreshAuthenticationToken.class.isAssignableFrom(authentication));
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.jwt;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import org.thingsboard.server.service.security.auth.RefreshAuthenticationToken;
+import org.thingsboard.server.service.security.exception.AuthMethodNotSupportedException;
+import org.thingsboard.server.service.security.model.token.RawAccessJwtToken;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class RefreshTokenProcessingFilter extends AbstractAuthenticationProcessingFilter {
+    private static Logger logger = LoggerFactory.getLogger(RefreshTokenProcessingFilter.class);
+
+    private final AuthenticationSuccessHandler successHandler;
+    private final AuthenticationFailureHandler failureHandler;
+
+    private final ObjectMapper objectMapper;
+
+    public RefreshTokenProcessingFilter(String defaultProcessUrl, AuthenticationSuccessHandler successHandler,
+                                        AuthenticationFailureHandler failureHandler, ObjectMapper mapper) {
+        super(defaultProcessUrl);
+        this.successHandler = successHandler;
+        this.failureHandler = failureHandler;
+        this.objectMapper = mapper;
+    }
+
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
+            throws AuthenticationException, IOException, ServletException {
+        if (!HttpMethod.POST.name().equals(request.getMethod())) {
+            if(logger.isDebugEnabled()) {
+                logger.debug("Authentication method not supported. Request method: " + request.getMethod());
+            }
+            throw new AuthMethodNotSupportedException("Authentication method not supported");
+        }
+
+        RefreshTokenRequest refreshTokenRequest;
+        try {
+            refreshTokenRequest = objectMapper.readValue(request.getReader(), RefreshTokenRequest.class);
+        } catch (Exception e) {
+            throw new AuthenticationServiceException("Invalid refresh token request payload");
+        }
+
+        if (StringUtils.isBlank(refreshTokenRequest.getRefreshToken())) {
+            throw new AuthenticationServiceException("Refresh token is not provided");
+        }
+
+        RawAccessJwtToken token = new RawAccessJwtToken(refreshTokenRequest.getRefreshToken());
+
+        return this.getAuthenticationManager().authenticate(new RefreshAuthenticationToken(token));
+    }
+
+    @Override
+    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
+                                            Authentication authResult) throws IOException, ServletException {
+        successHandler.onAuthenticationSuccess(request, response, authResult);
+    }
+
+    @Override
+    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
+                                              AuthenticationException failed) throws IOException, ServletException {
+        SecurityContextHolder.clearContext();
+        failureHandler.onAuthenticationFailure(request, response, failed);
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.jwt;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+import org.thingsboard.server.service.security.model.SecurityUser;
+import org.thingsboard.server.service.security.model.token.JwtToken;
+import org.thingsboard.server.service.security.model.token.JwtTokenFactory;
+
+@Component
+public class RefreshTokenRepository {
+
+    private final JwtTokenFactory tokenFactory;
+
+    @Autowired
+    public RefreshTokenRepository(final JwtTokenFactory tokenFactory) {
+        this.tokenFactory = tokenFactory;
+    }
+
+    public JwtToken requestRefreshToken(SecurityUser user) {
+        return tokenFactory.createRefreshToken(user);
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.jwt;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class RefreshTokenRequest {
+    private String refreshToken;
+
+    @JsonCreator
+    public RefreshTokenRequest(@JsonProperty("refreshToken") String refreshToken) {
+        this.refreshToken = refreshToken;
+    }
+
+    public String getRefreshToken() {
+        return refreshToken;
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.jwt;
+
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.Assert;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.List;
+import java.util.stream.Collectors;
+
+public class SkipPathRequestMatcher implements RequestMatcher {
+    private OrRequestMatcher matchers;
+    private RequestMatcher processingMatcher;
+
+    public SkipPathRequestMatcher(List<String> pathsToSkip, String processingPath) {
+        Assert.notNull(pathsToSkip);
+        List<RequestMatcher> m = pathsToSkip.stream().map(path -> new AntPathRequestMatcher(path)).collect(Collectors.toList());
+        matchers = new OrRequestMatcher(m);
+        processingMatcher = new AntPathRequestMatcher(processingPath);
+    }
+
+    @Override
+    public boolean matches(HttpServletRequest request) {
+        if (matchers.matches(request)) {
+            return false;
+        }
+        return processingMatcher.matches(request) ? true : false;
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.jwt.extractor;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.stereotype.Component;
+import org.thingsboard.server.config.ThingsboardSecurityConfiguration;
+
+import javax.servlet.http.HttpServletRequest;
+
+@Component(value="jwtHeaderTokenExtractor")
+public class JwtHeaderTokenExtractor implements TokenExtractor {
+    public static String HEADER_PREFIX = "Bearer ";
+
+    @Override
+    public String extract(HttpServletRequest request) {
+        String header = request.getHeader(ThingsboardSecurityConfiguration.JWT_TOKEN_HEADER_PARAM);
+        if (StringUtils.isBlank(header)) {
+            throw new AuthenticationServiceException("Authorization header cannot be blank!");
+        }
+
+        if (header.length() < HEADER_PREFIX.length()) {
+            throw new AuthenticationServiceException("Invalid authorization header size.");
+        }
+
+        return header.substring(HEADER_PREFIX.length(), header.length());
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.jwt.extractor;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.stereotype.Component;
+import org.thingsboard.server.config.ThingsboardSecurityConfiguration;
+
+import javax.servlet.http.HttpServletRequest;
+
+@Component(value="jwtQueryTokenExtractor")
+public class JwtQueryTokenExtractor implements TokenExtractor {
+
+    @Override
+    public String extract(HttpServletRequest request) {
+        String token = null;
+        if (request.getParameterMap() != null && !request.getParameterMap().isEmpty()) {
+            String[] tokenParamValue = request.getParameterMap().get(ThingsboardSecurityConfiguration.JWT_TOKEN_QUERY_PARAM);
+            if (tokenParamValue != null && tokenParamValue.length == 1) {
+                token = tokenParamValue[0];
+            }
+        }
+        if (StringUtils.isBlank(token)) {
+            throw new AuthenticationServiceException("Authorization query parameter cannot be blank!");
+        }
+
+        return token;
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.jwt.extractor;
+
+import javax.servlet.http.HttpServletRequest;
+
+public interface TokenExtractor {
+    public String extract(HttpServletRequest request);
+}
\ No newline at end of file

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.rest;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class LoginRequest {
+    private String username;
+    private String password;
+
+    @JsonCreator
+    public LoginRequest(@JsonProperty("username") String username, @JsonProperty("password") String password) {
+        this.username = username;
+        this.password = password;
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public String getPassword() {
+        return password;
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.rest;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.*;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.stereotype.Component;
+import org.springframework.util.Assert;
+import org.thingsboard.server.common.data.User;
+import org.thingsboard.server.common.data.security.UserCredentials;
+import org.thingsboard.server.dao.user.UserService;
+import org.thingsboard.server.service.security.model.SecurityUser;
+
+@Component
+public class RestAuthenticationProvider implements AuthenticationProvider {
+
+    private final BCryptPasswordEncoder encoder;
+    private final UserService userService;
+
+    @Autowired
+    public RestAuthenticationProvider(final UserService userService, final BCryptPasswordEncoder encoder) {
+        this.userService = userService;
+        this.encoder = encoder;
+    }
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        Assert.notNull(authentication, "No authentication data provided");
+
+        String username = (String) authentication.getPrincipal();
+        String password = (String) authentication.getCredentials();
+
+        User user = userService.findUserByEmail(username);
+        if (user == null) {
+            throw new UsernameNotFoundException("User not found: " + username);
+        }
+
+        UserCredentials userCredentials = userService.findUserCredentialsByUserId(user.getId());
+        if (userCredentials == null) {
+            throw new UsernameNotFoundException("User credentials not found");
+        }
+
+        if (!userCredentials.isEnabled()) {
+            throw new DisabledException("User is not active");
+        }
+
+        if (!encoder.matches(password, userCredentials.getPassword())) {
+            throw new BadCredentialsException("Authentication Failed. Username or Password not valid.");
+        }
+
+        if (user.getAuthority() == null) throw new InsufficientAuthenticationException("User has no authority assigned");
+
+        SecurityUser securityUser = new SecurityUser(user, userCredentials.isEnabled());
+
+        return new UsernamePasswordAuthenticationToken(securityUser, null, securityUser.getAuthorities());
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.rest;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.stereotype.Component;
+import org.thingsboard.server.exception.ThingsboardErrorResponseHandler;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@Component
+public class RestAwareAuthenticationFailureHandler implements AuthenticationFailureHandler {
+
+    private final ThingsboardErrorResponseHandler errorResponseHandler;
+
+    @Autowired
+    public RestAwareAuthenticationFailureHandler(ThingsboardErrorResponseHandler errorResponseHandler) {
+        this.errorResponseHandler = errorResponseHandler;
+    }
+
+    @Override
+    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
+                                        AuthenticationException e) throws IOException, ServletException {
+        errorResponseHandler.handle(e, response);
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.rest;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.WebAttributes;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import org.springframework.stereotype.Component;
+import org.thingsboard.server.service.security.auth.jwt.RefreshTokenRepository;
+import org.thingsboard.server.service.security.model.SecurityUser;
+import org.thingsboard.server.service.security.model.token.JwtToken;
+import org.thingsboard.server.service.security.model.token.JwtTokenFactory;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+@Component
+public class RestAwareAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
+    private final ObjectMapper mapper;
+    private final JwtTokenFactory tokenFactory;
+    private final RefreshTokenRepository refreshTokenRepository;
+
+    @Autowired
+    public RestAwareAuthenticationSuccessHandler(final ObjectMapper mapper, final JwtTokenFactory tokenFactory, final RefreshTokenRepository refreshTokenRepository) {
+        this.mapper = mapper;
+        this.tokenFactory = tokenFactory;
+        this.refreshTokenRepository = refreshTokenRepository;
+    }
+
+    @Override
+    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
+                                        Authentication authentication) throws IOException, ServletException {
+        SecurityUser securityUser = (SecurityUser) authentication.getPrincipal();
+
+        JwtToken accessToken = tokenFactory.createAccessJwtToken(securityUser);
+        JwtToken refreshToken = refreshTokenRepository.requestRefreshToken(securityUser);
+
+        Map<String, String> tokenMap = new HashMap<String, String>();
+        tokenMap.put("token", accessToken.getToken());
+        tokenMap.put("refreshToken", refreshToken.getToken());
+
+        response.setStatus(HttpStatus.OK.value());
+        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+        mapper.writeValue(response.getWriter(), tokenMap);
+
+        clearAuthenticationAttributes(request);
+    }
+
+    /**
+     * Removes temporary authentication-related data which may have been stored
+     * in the session during the authentication process..
+     *
+     */
+    protected final void clearAuthenticationAttributes(HttpServletRequest request) {
+        HttpSession session = request.getSession(false);
+
+        if (session == null) {
+            return;
+        }
+
+        session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.auth.rest;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import org.thingsboard.server.service.security.exception.AuthMethodNotSupportedException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class RestLoginProcessingFilter extends AbstractAuthenticationProcessingFilter {
+    private static Logger logger = LoggerFactory.getLogger(RestLoginProcessingFilter.class);
+
+    private final AuthenticationSuccessHandler successHandler;
+    private final AuthenticationFailureHandler failureHandler;
+
+    private final ObjectMapper objectMapper;
+
+    public RestLoginProcessingFilter(String defaultProcessUrl, AuthenticationSuccessHandler successHandler,
+                                     AuthenticationFailureHandler failureHandler, ObjectMapper mapper) {
+        super(defaultProcessUrl);
+        this.successHandler = successHandler;
+        this.failureHandler = failureHandler;
+        this.objectMapper = mapper;
+    }
+
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
+            throws AuthenticationException, IOException, ServletException {
+        if (!HttpMethod.POST.name().equals(request.getMethod())) {
+            if(logger.isDebugEnabled()) {
+                logger.debug("Authentication method not supported. Request method: " + request.getMethod());
+            }
+            throw new AuthMethodNotSupportedException("Authentication method not supported");
+        }
+
+        LoginRequest loginRequest;
+        try {
+            loginRequest = objectMapper.readValue(request.getReader(), LoginRequest.class);
+        } catch (Exception e) {
+            throw new AuthenticationServiceException("Invalid login request payload");
+        }
+
+        if (StringUtils.isBlank(loginRequest.getUsername()) || StringUtils.isBlank(loginRequest.getPassword())) {
+            throw new AuthenticationServiceException("Username or Password not provided");
+        }
+
+        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword());
+
+        return this.getAuthenticationManager().authenticate(token);
+    }
+
+    @Override
+    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
+                                            Authentication authResult) throws IOException, ServletException {
+        successHandler.onAuthenticationSuccess(request, response, authResult);
+    }
+
+    @Override
+    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
+                                              AuthenticationException failed) throws IOException, ServletException {
+        SecurityContextHolder.clearContext();
+        failureHandler.onAuthenticationFailure(request, response, failed);
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.device;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+import org.thingsboard.server.common.data.Device;
+import org.thingsboard.server.common.data.id.DeviceId;
+import org.thingsboard.server.common.data.security.DeviceCredentials;
+import org.thingsboard.server.common.data.security.DeviceCredentialsFilter;
+import org.thingsboard.server.common.transport.auth.DeviceAuthResult;
+import org.thingsboard.server.common.transport.auth.DeviceAuthService;
+import org.thingsboard.server.dao.device.DeviceCredentialsService;
+import org.thingsboard.server.dao.device.DeviceService;
+
+import java.util.Optional;
+
+@Service
+@Slf4j
+public class DefaultDeviceAuthService implements DeviceAuthService {
+
+    @Autowired
+    DeviceService deviceService;
+
+    @Autowired
+    DeviceCredentialsService deviceCredentialsService;
+
+    @Override
+    public DeviceAuthResult process(DeviceCredentialsFilter credentialsFilter) {
+        log.trace("Lookup device credentials using filter {}", credentialsFilter);
+        DeviceCredentials credentials = deviceCredentialsService.findDeviceCredentialsByCredentialsId(credentialsFilter.getCredentialsId());
+        if (credentials != null) {
+            log.trace("Credentials found {}", credentials);
+            if (credentials.getCredentialsType() == credentialsFilter.getCredentialsType()) {
+                switch (credentials.getCredentialsType()) {
+                    case ACCESS_TOKEN:
+                        // Credentials ID matches Credentials value in this
+                        // primitive case;
+                        return DeviceAuthResult.of(credentials.getDeviceId());
+                    default:
+                        return DeviceAuthResult.of("Credentials Type is not supported yet!");
+                }
+            } else {
+                return DeviceAuthResult.of("Credentials Type mismatch!");
+            }
+        } else {
+            log.trace("Credentials not found!");
+            return DeviceAuthResult.of("Credentials Not Found!");
+        }
+    }
+
+    @Override
+    public Optional<Device> findDeviceById(DeviceId deviceId) {
+        return Optional.ofNullable(deviceService.findDeviceById(deviceId));
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.exception;
+
+import org.springframework.security.authentication.AuthenticationServiceException;
+
+public class AuthMethodNotSupportedException extends AuthenticationServiceException {
+    private static final long serialVersionUID = 3705043083010304496L;
+
+    public AuthMethodNotSupportedException(String msg) {
+        super(msg);
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.exception;
+
+import org.springframework.security.core.AuthenticationException;
+import org.thingsboard.server.service.security.model.token.JwtToken;
+
+public class JwtExpiredTokenException extends AuthenticationException {
+    private static final long serialVersionUID = -5959543783324224864L;
+
+    private JwtToken token;
+
+    public JwtExpiredTokenException(String msg) {
+        super(msg);
+    }
+
+    public JwtExpiredTokenException(JwtToken token, String msg, Throwable t) {
+        super(msg, t);
+        this.token = token;
+    }
+
+    public String token() {
+        return this.token.getToken();
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.model;
+
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.thingsboard.server.common.data.User;
+import org.thingsboard.server.common.data.id.UserId;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.stream.Collectors;
+
+public class SecurityUser extends User {
+
+    private static final long serialVersionUID = -797397440703066079L;
+
+    private Collection<GrantedAuthority> authorities;
+    private boolean enabled;
+
+    public SecurityUser() {
+        super();
+    }
+
+    public SecurityUser(UserId id) {
+        super(id);
+    }
+
+    public SecurityUser(User user, boolean enabled) {
+        super(user);
+        this.enabled = enabled;
+    }
+
+    public Collection<? extends GrantedAuthority> getAuthorities() {
+        if (authorities == null) {
+            authorities = Arrays.asList(SecurityUser.this.getAuthority()).stream()
+                    .map(authority -> new SimpleGrantedAuthority(authority.name()))
+                    .collect(Collectors.toList());
+        }
+        return authorities;
+    }
+
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
+
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.model.token;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import io.jsonwebtoken.Claims;
+
+public final class AccessJwtToken implements JwtToken {
+    private final String rawToken;
+    @JsonIgnore
+    private Claims claims;
+
+    protected AccessJwtToken(final String token, Claims claims) {
+        this.rawToken = token;
+        this.claims = claims;
+    }
+
+    public String getToken() {
+        return this.rawToken;
+    }
+
+    public Claims getClaims() {
+        return claims;
+    }
+}

+/**
+ * Copyright © 2016 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.security.model.token;
+
+public interface JwtToken {
+    String getToken();
+}