diff --git a/doc/en/user/source/community/jwt-headers/configuration.rst b/doc/en/user/source/community/jwt-headers/configuration.rst
index 2380f1b7f3d..b1e567a1644 100644
--- a/doc/en/user/source/community/jwt-headers/configuration.rst
+++ b/doc/en/user/source/community/jwt-headers/configuration.rst
@@ -156,6 +156,12 @@ For example, a conversion map like `GeoserverAdministrator=ROLE_ADMINISTRATOR` w
 
 In our example, the user has two roles "GeoserverAdministrator" and "GeonetworkAdministrator".  If the "Only allow External Roles that are explicitly named above" is checked, then GeoServer will only see the "ROLE_ADMINISTRATOR" role.  If unchecked, it will see "ROLE_ADMINISTRATOR" and "GeonetworkAdministrator".  In neither case will it see the converted "GeoserverAdministrator" roles.
 
+You can also have multiple GeoServer roles from one external (OIDC) role.  For example, this role conversion:
+
+`GeoserverAdministrator=ROLE_ADMINISTRATOR;GeoserverAdministrator=ADMIN`
+
+Will give users with the OIDC role `GeoserverAdministrator` two GeoServer roles - `ROLE_ADMINISTRATOR` and `ADMIN`.
+
 
 JWT Validation
 ^^^^^^^^^^^^^^
diff --git a/src/community/jwt-headers/gs-jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilterConfig.java b/src/community/jwt-headers/gs-jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilterConfig.java
index c9cbb245fa9..c36202c677e 100644
--- a/src/community/jwt-headers/gs-jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilterConfig.java
+++ b/src/community/jwt-headers/gs-jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilterConfig.java
@@ -116,7 +116,12 @@ public SecurityConfig clone(boolean allowEnvParametrization) {
     /** what formats we support for roles in the header. */
     public enum JWTHeaderRoleSource implements RoleSource {
         JSON,
-        JWT;
+        JWT,
+
+        // From: PreAuthenticatedUserNameFilterConfig
+        Header,
+        UserGroupService,
+        RoleService;
 
         @Override
         public boolean equals(RoleSource other) {
diff --git a/src/community/jwt-headers/gs-jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel.html b/src/community/jwt-headers/gs-jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel.html
index 1c242dee94d..434614ef2b4 100644
--- a/src/community/jwt-headers/gs-jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel.html
+++ b/src/community/jwt-headers/gs-jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel.html
@@ -45,16 +45,21 @@
                 visibilityDiv.style.display = "none";
         }
 
-        // When the page is loaded, we hide  the username "json path" input if its not needed.
-        window.addEventListener('load', function () {
+        function reset() {
             usernameFormatChanged();
             showTokenValidationChanged();
             toggleVisible(document.getElementById('validateTokenSignature'),'validateTokenSignatureURLDiv');
             toggleVisible(document.getElementById('validateTokenAgainstURL'),'validateTokenAgainstURLDiv');
             toggleVisible(document.getElementById('validateTokenAudience'),'validateTokenAudienceDiv');
+        }
 
-
+        // When the page is loaded, we hide  the username "json path" input if its not needed.
+        window.addEventListener('load', function () {
+                reset();
         });
+
+        // when creating a new jwt headers filter, we need to "kick" it.
+        setTimeout(reset,100);
     </script>
 </wicket:head>
 <wicket:extend>
diff --git a/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/JwtConfiguration.java b/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/JwtConfiguration.java
index 9ce5317b6f5..547df788a0b 100644
--- a/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/JwtConfiguration.java
+++ b/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/JwtConfiguration.java
@@ -1,7 +1,13 @@
+/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
+ * This code is licensed under the GPL 2.0 license, available at the root
+ * application directory.
+ */
 package org.geoserver.security.jwtheaders;
 
 import java.io.Serializable;
+import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 public class JwtConfiguration implements Serializable {
@@ -58,8 +64,8 @@ public class JwtConfiguration implements Serializable {
     // convert string of the form:
     // "externalRoleName1=GeoServerRoleName1;externalRoleName2=GeoServerRoleName2"
     // To a Map<String,String>
-    public Map<String, String> getRoleConverterAsMap() {
-        Map<String, String> result = new HashMap<>();
+    public Map<String, List<String>> getRoleConverterAsMap() {
+        Map<String, List<String>> result = new HashMap<>();
 
         if (roleConverterString == null || roleConverterString.isBlank()) return result; // empty
 
@@ -72,7 +78,13 @@ public Map<String, String> getRoleConverterAsMap() {
             String key = goodCharacters(keyValue[0]);
             String val = goodCharacters(keyValue[1]);
             if (key.isBlank() || val.isBlank()) continue;
-            result.put(key, val);
+            if (!result.containsKey(key)) {
+                var list = new ArrayList<String>();
+                list.add(val);
+                result.put(key, list);
+            } else {
+                result.get(key).add(val);
+            }
         }
         return result;
     }
diff --git a/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/roles/RoleConverter.java b/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/roles/RoleConverter.java
index ba5ba46ca02..4a3672e3850 100644
--- a/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/roles/RoleConverter.java
+++ b/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/roles/RoleConverter.java
@@ -16,7 +16,7 @@
  */
 public class RoleConverter {
 
-    Map<String, String> conversionMap;
+    Map<String, List<String>> conversionMap;
 
     boolean externalNameMustBeListed;
 
@@ -39,11 +39,11 @@ public List<String> convert(List<String> externalRoles) {
         if (externalRoles == null) return result; // empty
 
         for (String externalRole : externalRoles) {
-            String gsRole = conversionMap.get(externalRole);
+            List<String> gsRole = conversionMap.get(externalRole);
             if (gsRole == null && !externalNameMustBeListed) {
                 result.add(externalRole);
             } else if (gsRole != null) {
-                result.add(gsRole);
+                result.addAll(gsRole);
             }
         }
         return result;
diff --git a/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/token/TokenValidator.java b/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/token/TokenValidator.java
index fc62834d330..dfcbfb4da80 100644
--- a/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/token/TokenValidator.java
+++ b/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/token/TokenValidator.java
@@ -31,6 +31,10 @@ public TokenValidator(JwtConfiguration config) {
 
     public void validate(String accessToken) throws Exception {
 
+        accessToken = accessToken.replaceFirst("^Bearer", "");
+        accessToken = accessToken.replaceFirst("^bearer", "");
+        accessToken = accessToken.trim();
+
         if (!jwtHeadersConfig.isValidateToken()) {
             return;
         }
diff --git a/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractor.java b/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractor.java
index fb7f0c38998..39e32a7d02e 100644
--- a/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractor.java
+++ b/src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractor.java
@@ -34,7 +34,12 @@ public static Object getClaim(Map<String, Object> map, String path) {
     // if this is trivial (single item in pathList), return the value.
     // otherwise, go into the map one level (pathList[0]) and recurse on the result.
     private static Object getClaim(Map<String, Object> map, List<String> pathList) {
-        if (pathList.size() == 1) return map.get(pathList.get(0));
+        if (map == null) {
+            return null;
+        }
+        if (pathList.size() == 1) {
+            return map.get(pathList.get(0));
+        }
 
         String first = pathList.get(0);
         pathList.remove(0);
diff --git a/src/community/jwt-headers/jwt-headers-util/src/test/java/org/geoserver/security/jwtheaders/roles/JwtHeadersRolesExtractorTest.java b/src/community/jwt-headers/jwt-headers-util/src/test/java/org/geoserver/security/jwtheaders/roles/JwtHeadersRolesExtractorTest.java
index 610fbc0a010..085791a5261 100644
--- a/src/community/jwt-headers/jwt-headers-util/src/test/java/org/geoserver/security/jwtheaders/roles/JwtHeadersRolesExtractorTest.java
+++ b/src/community/jwt-headers/jwt-headers-util/src/test/java/org/geoserver/security/jwtheaders/roles/JwtHeadersRolesExtractorTest.java
@@ -39,6 +39,24 @@ public void testSimpleJwt() throws ParseException {
         Assert.assertEquals("GeoserverAdministrator", roles.get(0));
     }
 
+    /**
+     * Test Tokens that start with "Bearer ".
+     *
+     * @throws ParseException
+     */
+    @Test
+    public void testSimpleJwtBearer() throws ParseException {
+        String accessToken =
+                "Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItWEdld190TnFwaWRrYTl2QXNJel82WEQtdnJmZDVyMlNWTWkwcWMyR1lNIn0.eyJleHAiOjE3MDcxNTMxNDYsImlhdCI6MTcwNzE1Mjg0NiwiYXV0aF90aW1lIjoxNzA3MTUyNjQ1LCJqdGkiOiJlMzhjY2ZmYy0zMWNjLTQ0NmEtYmU1Yy04MjliNDE0NTkyZmQiLCJpc3MiOiJodHRwczovL2xvZ2luLWxpdmUtZGV2Lmdlb2NhdC5saXZlL3JlYWxtcy9kYXZlLXRlc3QyIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImVhMzNlM2NjLWYwZTEtNDIxOC04OWNiLThkNDhjMjdlZWUzZCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImxpdmUta2V5MiIsIm5vbmNlIjoiQldzc2M3cTBKZ0tHZC1OdFc1QlFhVlROMkhSa25LQmVIY0ZMTHZ5OXpYSSIsInNlc3Npb25fc3RhdGUiOiIxY2FiZmU1NC1lOWU0LTRjMmMtODQwNy03NTZiMjczZmFmZmIiLCJhY3IiOiIwIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtZGF2ZS10ZXN0MiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJsaXZlLWtleTIiOnsicm9sZXMiOlsiR2Vvc2VydmVyQWRtaW5pc3RyYXRvciJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcGhvbmUgb2ZmbGluZV9hY2Nlc3MgbWljcm9wcm9maWxlLWp3dCBwcm9maWxlIGFkZHJlc3MgZW1haWwiLCJzaWQiOiIxY2FiZmU1NC1lOWU0LTRjMmMtODQwNy03NTZiMjczZmFmZmIiLCJ1cG4iOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiYWRkcmVzcyI6e30sIm5hbWUiOiJkYXZpZCBibGFzYnkiLCJncm91cHMiOlsiZGVmYXVsdC1yb2xlcy1kYXZlLXRlc3QyIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCIsImdpdmVuX25hbWUiOiJkYXZpZCIsImZhbWlseV9uYW1lIjoiYmxhc2J5IiwiZW1haWwiOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCJ9.fHzXd7oISnqWb09ah9wikfP2UOBeiOA3vd_aDg3Bw-xcfv9aD3CWhAK5FUDPYSPyj4whAcknZbUgUzcm0qkaI8V_aS65F3Fug4jt4nC9YPL4zMSJ5an4Dp6jlQ3OQhrKFn4FwaoW61ndMmScsZZWEQyj6gzHnn5cknqySB26tVydT6q57iTO7KQFcXRdbXd6GWIoFGS-ud9XzxQMUdNfYmsDD7e6hoWhe9PJD9Zq4KT6JN13hUU4Dos-Z5SBHjRa6ieHoOe9gqkjKyA1jT1NU42Nqr-mTV-ql22nAoXuplpvOYc5-09-KDDzSDuVKFwLCNMN3ZyRF1wWuydJeU-gOQ";
+
+        List<String> roles =
+                getExtractor(JWT.toString(), "", "resource_access.live-key2.roles")
+                        .getRoles(accessToken).stream()
+                        .collect(Collectors.toList());
+        Assert.assertEquals(1, roles.size());
+        Assert.assertEquals("GeoserverAdministrator", roles.get(0));
+    }
+
     @Test
     public void testSimpleJson() throws ParseException {
         String json =
diff --git a/src/community/jwt-headers/jwt-headers-util/src/test/java/org/geoserver/security/jwtheaders/roles/RoleConverterTest.java b/src/community/jwt-headers/jwt-headers-util/src/test/java/org/geoserver/security/jwtheaders/roles/RoleConverterTest.java
index e9bf5553180..0153c9bb28e 100644
--- a/src/community/jwt-headers/jwt-headers-util/src/test/java/org/geoserver/security/jwtheaders/roles/RoleConverterTest.java
+++ b/src/community/jwt-headers/jwt-headers-util/src/test/java/org/geoserver/security/jwtheaders/roles/RoleConverterTest.java
@@ -24,7 +24,7 @@ public void testParseNull() {
         JwtConfiguration config = new JwtConfiguration();
 
         config.setRoleConverterString(null);
-        Map<String, String> map = config.getRoleConverterAsMap();
+        Map<String, List<String>> map = config.getRoleConverterAsMap();
         Assert.assertEquals(0, map.size());
 
         config.setRoleConverterString("");
@@ -50,18 +50,18 @@ public void testParseSimple() {
         JwtConfiguration config = new JwtConfiguration();
 
         config.setRoleConverterString("a=b");
-        Map<String, String> map = config.getRoleConverterAsMap();
+        Map<String, List<String>> map = config.getRoleConverterAsMap();
         Assert.assertEquals(1, map.size());
         Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("b", map.get("a"));
+        Assert.assertEquals(Arrays.asList("b"), map.get("a"));
 
         config.setRoleConverterString("a=b;c=d");
         map = config.getRoleConverterAsMap();
         Assert.assertEquals(2, map.size());
         Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("b", map.get("a"));
+        Assert.assertEquals(Arrays.asList("b"), map.get("a"));
         Assert.assertTrue(map.containsKey("c"));
-        Assert.assertEquals("d", map.get("c"));
+        Assert.assertEquals(Arrays.asList("d"), map.get("c"));
     }
 
     /**
@@ -75,24 +75,24 @@ public void testParseBad() {
 
         // bad format
         config.setRoleConverterString("a=b;c=;d");
-        Map<String, String> map = config.getRoleConverterAsMap();
+        Map<String, List<String>> map = config.getRoleConverterAsMap();
         Assert.assertEquals(1, map.size());
         Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("b", map.get("a"));
+        Assert.assertEquals(Arrays.asList("b"), map.get("a"));
 
         // bad chars
         config.setRoleConverterString("a= b** ;c=**;d");
         map = config.getRoleConverterAsMap();
         Assert.assertEquals(1, map.size());
         Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("b", map.get("a"));
+        Assert.assertEquals(Arrays.asList("b"), map.get("a"));
 
         // removes html tags
         config.setRoleConverterString("a= <script> ;c=**;d");
         map = config.getRoleConverterAsMap();
         Assert.assertEquals(1, map.size());
         Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("script", map.get("a"));
+        Assert.assertEquals(Arrays.asList("script"), map.get("a"));
     }
 
     /** Tests simple conversion, with setOnlyExternalListedRoles(false); */
@@ -133,4 +133,23 @@ public void testConversionOnlyMapped() {
 
         Assert.assertEquals("d", internalRoles.get(0));
     }
+
+    /**
+     * Test for creating multiple roles. purpose - make sure that a user can get multiple GS roles
+     * from a single OIDC role.
+     */
+    @Test
+    public void testMultipleRoles() {
+        JwtConfiguration config = new JwtConfiguration();
+        config.setRoleConverterString("a=ROLE_ADMINISTRATOR;a=ADMIN");
+        config.setOnlyExternalListedRoles(true);
+
+        RoleConverter roleConverter = new RoleConverter(config);
+        List<String> externalRoles = Arrays.asList("a");
+        List<String> internalRoles = roleConverter.convert(externalRoles);
+        Assert.assertEquals(2, internalRoles.size());
+
+        Assert.assertEquals("ROLE_ADMINISTRATOR", internalRoles.get(0));
+        Assert.assertEquals("ADMIN", internalRoles.get(1));
+    }
 }
diff --git a/src/community/jwt-headers/jwt-headers-util/src/test/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractorTest.java b/src/community/jwt-headers/jwt-headers-util/src/test/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractorTest.java
index aa86931e59e..40033ecbcad 100644
--- a/src/community/jwt-headers/jwt-headers-util/src/test/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractorTest.java
+++ b/src/community/jwt-headers/jwt-headers-util/src/test/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractorTest.java
@@ -31,10 +31,11 @@ public void testSimpleJwt() throws ParseException {
         Assert.assertEquals("david.blasby@geocat.net", username);
     }
 
+    String json =
+            "{\"exp\":1707155912,\"iat\":1707155612,\"jti\":\"888715ae-a79d-4633-83e5-9b97dee02bbc\",\"iss\":\"https://login-live-dev.geocat.live/realms/dave-test2\",\"aud\":\"account\",\"sub\":\"ea33e3cc-f0e1-4218-89cb-8d48c27eee3d\",\"typ\":\"Bearer\",\"azp\":\"live-key2\",\"session_state\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"acr\":\"1\",\"realm_access\":{\"roles\":[\"default-roles-dave-test2\",\"offline_access\",\"uma_authorization\"]},\"resource_access\":{\"live-key2\":{\"roles\":[\"GeoserverAdministrator\"]},\"account\":{\"roles\":[\"manage-account\",\"manage-account-links\",\"view-profile\"]}},\"scope\":\"openidprofileemail\",\"sid\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"email_verified\":false,\"name\":\"davidblasby\",\"preferred_username\":\"david.blasby@geocat.net\",\"given_name\":\"david\",\"family_name\":\"blasby\",\"email\":\"david.blasby@geocat.net\"}";
+
     @Test
     public void testSimpleJson() throws ParseException {
-        String json =
-                "{\"exp\":1707155912,\"iat\":1707155612,\"jti\":\"888715ae-a79d-4633-83e5-9b97dee02bbc\",\"iss\":\"https://login-live-dev.geocat.live/realms/dave-test2\",\"aud\":\"account\",\"sub\":\"ea33e3cc-f0e1-4218-89cb-8d48c27eee3d\",\"typ\":\"Bearer\",\"azp\":\"live-key2\",\"session_state\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"acr\":\"1\",\"realm_access\":{\"roles\":[\"default-roles-dave-test2\",\"offline_access\",\"uma_authorization\"]},\"resource_access\":{\"live-key2\":{\"roles\":[\"GeoserverAdministrator\"]},\"account\":{\"roles\":[\"manage-account\",\"manage-account-links\",\"view-profile\"]}},\"scope\":\"openidprofileemail\",\"sid\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"email_verified\":false,\"name\":\"davidblasby\",\"preferred_username\":\"david.blasby@geocat.net\",\"given_name\":\"david\",\"family_name\":\"blasby\",\"email\":\"david.blasby@geocat.net\"}";
         String username =
                 getExtractor(JwtConfiguration.UserNameHeaderFormat.JSON, "preferred_username")
                         .extractUserName(json);
@@ -49,4 +50,33 @@ public void testSimpleString() throws ParseException {
                         .extractUserName(json);
         Assert.assertEquals("david.blasby@geocat.net", username);
     }
+
+    @Test
+    public void testNonExistentClaim() {
+        String claimValue =
+                getExtractor(JwtConfiguration.UserNameHeaderFormat.JSON, "notThere")
+                        .extractUserName(json);
+        Assert.assertNull(claimValue);
+
+        claimValue =
+                getExtractor(
+                                JwtConfiguration.UserNameHeaderFormat.JSON,
+                                "resource_access.notThere.abc")
+                        .extractUserName(json);
+        Assert.assertNull(claimValue);
+
+        claimValue =
+                getExtractor(
+                                JwtConfiguration.UserNameHeaderFormat.JSON,
+                                "resource_access.live-key2.notThere")
+                        .extractUserName(json);
+        Assert.assertNull(claimValue);
+
+        claimValue =
+                getExtractor(
+                                JwtConfiguration.UserNameHeaderFormat.JSON,
+                                "resource_access.live-key2.roles.notThere")
+                        .extractUserName(json);
+        Assert.assertNull(claimValue);
+    }
 }
diff --git a/src/community/jwt-headers/src/main/java/applicationSecurityContext.xml b/src/community/jwt-headers/src/main/java/applicationSecurityContext.xml
deleted file mode 100644
index c3e4339bcdb..00000000000
--- a/src/community/jwt-headers/src/main/java/applicationSecurityContext.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--  <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">-->
-
-<!--
-  ~ (c) 2024 Open Source Geospatial Foundation - all rights reserved
-  ~ This code is licensed under the GPL 2.0 license, available at the root
-  ~ application directory.
-  ~
-  -->
-
-<beans xmlns="http://www.springframework.org/schema/beans"
-       xmlns:sec="http://www.springframework.org/schema/security"
-       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://www.springframework.org/schema/beans
-          http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-          http://www.springframework.org/schema/security
-          http://www.springframework.org/schema/security/spring-security-3.0.4.xsd">
-
-    <bean id="jwtHeadersSecurityProvider" class="org.geoserver.security.jwtheaders.filter.GeoserverJwtHeadersAuthenticationProvider"/>
-</beans>
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilter.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilter.java
deleted file mode 100644
index ddbe59a3ef6..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilter.java
+++ /dev/null
@@ -1,195 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.filter;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.logging.Logger;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import org.geoserver.security.config.SecurityNamedServiceConfig;
-import org.geoserver.security.filter.GeoServerPreAuthenticatedUserNameFilter;
-import org.geoserver.security.impl.GeoServerRole;
-import org.geoserver.security.jwtheaders.filter.details.JwtHeadersWebAuthDetailsSource;
-import org.geoserver.security.jwtheaders.filter.details.JwtHeadersWebAuthenticationDetails;
-import org.geoserver.security.jwtheaders.roles.JwtHeadersRolesExtractor;
-import org.geoserver.security.jwtheaders.token.TokenValidator;
-import org.geoserver.security.jwtheaders.username.JwtHeaderUserNameExtractor;
-import org.geotools.util.logging.Logging;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-
-/**
- * This is JWT Headers main class for authentication. Its just a simple subclass of
- * GeoServerPreAuthenticatedUserNameFilter that does a few things.
- *
- * <p>cf. GeoServerRequestHeaderAuthenticationFilter
- *
- * <p>1. UserName extractor to pull the username out of the request header (i.e. SIMPLESTRING, JWT,
- * JSON). 2. RoleExtractor to pull roles out of the request header (i.e. JWT, JSON, + standard
- * geoserver ones) 3. Handles "logout" (i.e. request with correct headers, then request without
- * correct headers) 4. Handles "username" switchs (i.e. request one user name, then another request
- * with different username) 5. Authentication with this filter will "mark" the Authentication object
- * with the JWT Headers filter configuration that was used. This to support logout. cf.
- * JwtHeadersWebAuthDetailsSource
- */
-public class GeoServerJwtHeadersFilter extends GeoServerPreAuthenticatedUserNameFilter {
-
-    private static final Logger LOG = Logging.getLogger(GeoServerJwtHeadersFilter.class);
-
-    // when we authenticate a username, we mark this with the configuration ID.
-    // We do this so that we know it's ok to extract roles.
-    private static final String HTTP_ATTRIBUTE_CONFIG_ID = "GeoServerJwtHeadersFilter.configid";
-
-    protected GeoServerJwtHeadersFilterConfig filterConfig;
-
-    protected TokenValidator tokenValidator;
-
-    @Override
-    public void initializeFromConfig(SecurityNamedServiceConfig config) throws IOException {
-        super.initializeFromConfig(config);
-
-        GeoServerJwtHeadersFilterConfig authConfig = (GeoServerJwtHeadersFilterConfig) config;
-        filterConfig = (GeoServerJwtHeadersFilterConfig) authConfig.clone(true);
-        setAuthenticationDetailsSource(new JwtHeadersWebAuthDetailsSource(filterConfig.id));
-        tokenValidator = new TokenValidator(filterConfig);
-    }
-
-    /**
-     * true - we already have an auth, and it was created by a JwtHeader Auth, and its the same
-     * config as this one. i.e. we (this exact config) created existing auth.
-     *
-     * @param existingAuth - existing auth (from security context)
-     * @return
-     */
-    public boolean existingAuthIsFromThisConfig(Authentication existingAuth) {
-        if (existingAuth == null || existingAuth.getDetails() == null)
-            return false; // not existing auth, or no details
-        if (!(existingAuth.getDetails() instanceof JwtHeadersWebAuthenticationDetails))
-            return false; // details isn't from us, so this isn't our auth
-
-        JwtHeadersWebAuthenticationDetails details =
-                (JwtHeadersWebAuthenticationDetails) existingAuth.getDetails();
-        return details.getJwtHeadersConfigId() == this.filterConfig.id;
-    }
-
-    /**
-     * true - the JwtHeaders (in request) will change the currently existing authentication
-     *
-     * @param existingAuth - from security context
-     * @param requestPrincipleName
-     * @return
-     */
-    public boolean principleHasChanged(Authentication existingAuth, String requestPrincipleName) {
-        if (existingAuth == null) return false; // no existing auth, so it cannot be a change
-        if (requestPrincipleName == null)
-            return false; // request doesn't contain an auth, so it cannot change
-
-        return !requestPrincipleName.equals(existingAuth.getPrincipal().toString());
-    }
-
-    /**
-     * Almost all the real work is done by the super class
-     * (GeoServerPreAuthenticatedUserNameFilter). However, this handles 2 cases; 1. logout 2.
-     * username changes
-     */
-    @Override
-    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
-            throws IOException, ServletException {
-        String principalName = getPreAuthenticatedPrincipalName((HttpServletRequest) request);
-        Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
-
-        // cf. GeoServerRequestHeaderAuthenticationFilter#doFilter
-        // if there is a preAuth, we might have to get rid of it.
-        // This can happen if the user adds the JWT Headers to a request, and get a JSESSION
-        // back.  If the JWT Headers are no longer attached (i.e. logout), we want the user to
-        // be logged out (i.e. no existingAuth).
-        // However, sometime there will be a JSESSION, and that will keep the use logged in.
-        // We have to prevent this.
-        if (existingAuthIsFromThisConfig(existingAuth) && principalName == null) {
-            // logout current user - this was someone we previously logged on, but now they no
-            // longer have the headers
-            SecurityContextHolder.getContext().setAuthentication(null);
-            SecurityContextHolder.clearContext();
-
-            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
-            httpServletRequest.getSession(false).invalidate();
-        }
-
-        if (principleHasChanged(existingAuth, principalName)) {
-            // logout current user - the user switched.
-            SecurityContextHolder.getContext().setAuthentication(null);
-            SecurityContextHolder.clearContext();
-
-            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
-            httpServletRequest.getSession(false).invalidate();
-        }
-
-        if (request.getAttribute(UserName) == null) {
-            request.removeAttribute(UserNameAlreadyRetrieved);
-        }
-        super.doFilter(request, response, chain);
-    }
-
-    public GeoServerJwtHeadersFilterConfig getFilterConfig() {
-        return filterConfig;
-    }
-
-    public void setFilterConfig(GeoServerJwtHeadersFilterConfig filterConfig) {
-        this.filterConfig = filterConfig;
-    }
-
-    /** extracts the username from the request (cf JwtHeaderUserNameExtractor) */
-    @Override
-    protected String getPreAuthenticatedPrincipalName(HttpServletRequest request) {
-        String headerValue = request.getHeader(filterConfig.getUserNameHeaderAttributeName());
-        JwtHeaderUserNameExtractor extractor = new JwtHeaderUserNameExtractor(getFilterConfig());
-        String userName = extractor.extractUserName(headerValue);
-
-        if (userName == null) return null;
-
-        try {
-            tokenValidator.validate(headerValue);
-        } catch (Exception e) {
-            return null;
-        }
-
-        if (userName != null) {
-            request.setAttribute(HTTP_ATTRIBUTE_CONFIG_ID, filterConfig.getId());
-        }
-
-        return userName;
-    }
-
-    /**
-     * extracts the roles from the request (cf JwtHeadersRolesExtractor). It uses the standard
-     * Geoserver infrastructure (superclass) for getting the "standard" roles (i.e. Header,
-     * UserGroupService, RoleService)
-     */
-    @Override
-    protected Collection<GeoServerRole> getRoles(HttpServletRequest request, String principal)
-            throws IOException {
-        // validate if we validated the user - if so process roles
-        String id = (String) request.getAttribute(HTTP_ATTRIBUTE_CONFIG_ID);
-        if (id == null || !id.equals(filterConfig.getId())) {
-            return new ArrayList<GeoServerRole>();
-        }
-
-        if (filterConfig.getRoleSource() == GeoServerJwtHeadersFilterConfig.JWTHeaderRoleSource.JWT
-                || filterConfig.getRoleSource()
-                        == GeoServerJwtHeadersFilterConfig.JWTHeaderRoleSource.JSON) {
-            String headerValue = request.getHeader(filterConfig.getRolesHeaderName());
-            JwtHeadersRolesExtractor extractor = new JwtHeadersRolesExtractor(filterConfig);
-            return extractor.getRoles(headerValue);
-        }
-
-        return super.getRoles(request, principal);
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilterConfig.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilterConfig.java
deleted file mode 100644
index a325e7a2bdc..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilterConfig.java
+++ /dev/null
@@ -1,326 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.filter;
-
-import java.util.HashMap;
-import java.util.Map;
-import java.util.logging.Logger;
-import org.geoserver.platform.GeoServerEnvironment;
-import org.geoserver.platform.GeoServerExtensions;
-import org.geoserver.security.config.*;
-import org.geotools.util.logging.Logging;
-
-/** configuration of the JWT Header Filter. */
-public class GeoServerJwtHeadersFilterConfig extends PreAuthenticatedUserNameFilterConfig
-        implements SecurityAuthFilterConfig, SecurityAuthProviderConfig, Cloneable {
-
-    private static final Logger LOG = Logging.getLogger(GeoServerJwtHeadersFilterConfig.class);
-
-    private static final long serialVersionUID = 1L;
-
-    // generic required for saving config
-    protected String id;
-    protected String name;
-    protected String className;
-
-    // used by super-class
-    protected String userGroupServiceName;
-
-    // --- user name extraction
-    // how is the username stored in the header
-    // i.e. text, JSON string, or JWT?
-    protected UserNameHeaderFormat userNameFormatChoice;
-    // If the username is stored as json (JSON or JWT), then where
-    // in the JSON is the username?
-    protected String userNameJsonPath;
-    // name of the HTTP header that the roles information is stored in
-    protected String rolesHeaderName;
-
-    // ---roles
-    // The roles will be either in a JWT or JSON object - where in that
-    // object is the list of roles
-    protected String rolesJsonPath;
-    // string in the format of
-    // "externalRoleName1=GeoServerRoleName1;externalRoleName2=GeoServerRoleName2"
-    protected String roleConverterString;
-    // if true, then any external role must be in the roleConverterString map.
-    //      If its not in the map, then it will be ignored.
-    // if false, then external roles not listed in the roleConverterString will be passed
-    // on to GeoServer
-    protected boolean onlyExternalListedRoles;
-    // show a token be validated?
-    protected boolean validateToken;
-
-    protected boolean validateTokenExpiry;
-
-    protected boolean validateTokenSignature;
-    protected String validateTokenSignatureURL;
-
-    protected boolean validateTokenAgainstURL;
-    protected String validateTokenAgainstURLEndpoint;
-
-    protected boolean validateSubjectWithEndpoint;
-
-    protected boolean validateTokenAudience;
-    protected String validateTokenAudienceClaimName;
-    protected String validateTokenAudienceClaimValue;
-
-    // --token validation
-    // what HTTP header is the user's name stored in
-    private String userNameHeaderAttributeName;
-
-    // ------------------ getters/setters ----------------------------
-
-    public boolean isValidateSubjectWithEndpoint() {
-        return validateSubjectWithEndpoint;
-    }
-
-    public void setValidateSubjectWithEndpoint(boolean validateSubjectWithEndpoint) {
-        this.validateSubjectWithEndpoint = validateSubjectWithEndpoint;
-    }
-
-    public boolean isValidateTokenExpiry() {
-        return validateTokenExpiry;
-    }
-
-    public void setValidateTokenExpiry(boolean validateTokenExpiry) {
-        this.validateTokenExpiry = validateTokenExpiry;
-    }
-
-    public boolean isValidateTokenAudience() {
-        return validateTokenAudience;
-    }
-
-    public void setValidateTokenAudience(boolean validateTokenAudience) {
-        this.validateTokenAudience = validateTokenAudience;
-    }
-
-    public String getValidateTokenAudienceClaimName() {
-        return validateTokenAudienceClaimName;
-    }
-
-    public void setValidateTokenAudienceClaimName(String validateTokenAudienceClaimName) {
-        this.validateTokenAudienceClaimName = validateTokenAudienceClaimName;
-    }
-
-    public String getValidateTokenAudienceClaimValue() {
-        return validateTokenAudienceClaimValue;
-    }
-
-    public void setValidateTokenAudienceClaimValue(String validateTokenAudienceClaimValue) {
-        this.validateTokenAudienceClaimValue = validateTokenAudienceClaimValue;
-    }
-
-    public boolean isValidateTokenAgainstURL() {
-        return validateTokenAgainstURL;
-    }
-
-    public void setValidateTokenAgainstURL(boolean validateTokenAgainstURL) {
-        this.validateTokenAgainstURL = validateTokenAgainstURL;
-    }
-
-    public String getValidateTokenAgainstURLEndpoint() {
-        return validateTokenAgainstURLEndpoint;
-    }
-
-    public void setValidateTokenAgainstURLEndpoint(String validateTokenAgainstURLEndpoint) {
-        this.validateTokenAgainstURLEndpoint = validateTokenAgainstURLEndpoint;
-    }
-
-    public String getValidateTokenSignatureURL() {
-        return validateTokenSignatureURL;
-    }
-
-    public void setValidateTokenSignatureURL(String validateTokenSignatureURL) {
-        this.validateTokenSignatureURL = validateTokenSignatureURL;
-    }
-
-    public boolean isValidateTokenSignature() {
-        return validateTokenSignature;
-    }
-
-    public void setValidateTokenSignature(boolean validateTokenSignature) {
-        this.validateTokenSignature = validateTokenSignature;
-    }
-
-    public boolean isValidateToken() {
-        return validateToken;
-    }
-
-    public void setValidateToken(boolean validateToken) {
-        this.validateToken = validateToken;
-    }
-
-    public boolean isOnlyExternalListedRoles() {
-        return onlyExternalListedRoles;
-    }
-
-    public void setOnlyExternalListedRoles(boolean onlyExternalListedRoles) {
-        this.onlyExternalListedRoles = onlyExternalListedRoles;
-    }
-
-    public String getRoleConverterString() {
-        return roleConverterString;
-    }
-
-    public void setRoleConverterString(String roleConverterString) {
-        this.roleConverterString = roleConverterString;
-    }
-
-    public String getRolesHeaderName() {
-        return rolesHeaderName;
-    }
-
-    public void setRolesHeaderName(String rolesHeaderName) {
-        this.rolesHeaderName = rolesHeaderName;
-    }
-
-    public UserNameHeaderFormat getUserNameFormatChoice() {
-        return userNameFormatChoice;
-    }
-
-    public void setUserNameFormatChoice(UserNameHeaderFormat userNameFormatChoice) {
-        this.userNameFormatChoice = userNameFormatChoice;
-    }
-
-    public String getUserNameJsonPath() {
-        return userNameJsonPath;
-    }
-
-    public void setUserNameJsonPath(String userNameJsonPath) {
-        this.userNameJsonPath = userNameJsonPath;
-    }
-
-    public String getRolesJsonPath() {
-        return rolesJsonPath;
-    }
-
-    public void setRolesJsonPath(String rolesJsonPath) {
-        this.rolesJsonPath = rolesJsonPath;
-    }
-
-    public String getUserNameHeaderAttributeName() {
-        return userNameHeaderAttributeName;
-    }
-
-    public void setUserNameHeaderAttributeName(String userNameHeaderAttributeName) {
-        this.userNameHeaderAttributeName = userNameHeaderAttributeName;
-    }
-
-    @Override
-    public String getId() {
-        return id;
-    }
-
-    @Override
-    public void setId(String id) {
-        this.id = id;
-    }
-
-    @Override
-    public String getName() {
-        return name;
-    }
-
-    @Override
-    public void setName(String name) {
-        this.name = name;
-    }
-
-    @Override
-    public String getClassName() {
-        return className;
-    }
-
-    @Override
-    public void setClassName(String className) {
-        this.className = className;
-    }
-
-    @Override
-    public String getUserGroupServiceName() {
-        return userGroupServiceName;
-    }
-
-    @Override
-    public void setUserGroupServiceName(String userGroupServiceName) {
-        this.userGroupServiceName = userGroupServiceName;
-    }
-
-    @Override
-    public void initBeforeSave() {
-        // no-op
-    }
-
-    // NOTE: This implementation does a soft-copy only, and is generally pretty garbage. It isn't
-    // clear if a real deep-copy is needed, or what (if anything) relies on this cloning-capability,
-    // so the (rather significant) effort of manually setting all the properties has been skipped.
-    // Don't be surprised if the copies behave badly though.
-    @Override
-    public SecurityConfig clone(boolean allowEnvParametrization) {
-        final GeoServerEnvironment gsEnvironment =
-                GeoServerExtensions.bean(GeoServerEnvironment.class);
-        GeoServerJwtHeadersFilterConfig target;
-        try {
-            target = (GeoServerJwtHeadersFilterConfig) this.clone();
-        } catch (CloneNotSupportedException e) {
-            throw new UnsupportedOperationException(e);
-        }
-
-        if (target != null
-                && allowEnvParametrization
-                && gsEnvironment != null
-                && GeoServerEnvironment.allowEnvParametrization()) {
-            target.setName((String) gsEnvironment.resolveValue(name));
-        }
-
-        return target;
-    }
-
-    // convert string of the form:
-    // "externalRoleName1=GeoServerRoleName1;externalRoleName2=GeoServerRoleName2"
-    // To a Map<String,String>
-    public Map<String, String> getRoleConverterAsMap() {
-        Map<String, String> result = new HashMap<>();
-
-        if (roleConverterString == null || roleConverterString.isBlank()) return result; // empty
-
-        String[] parts = roleConverterString.split(";");
-        for (String part : parts) {
-            String[] keyValue = part.split("=");
-            if (keyValue.length != 2) {
-                continue; // invalid
-            }
-            String key = goodCharacters(keyValue[0]);
-            String val = goodCharacters(keyValue[1]);
-            if (key.isBlank() || val.isBlank()) continue;
-            result.put(key, val);
-        }
-        return result;
-    }
-
-    public String goodCharacters(String str) {
-        return str.replaceAll("[^a-zA-Z0-9_\\-\\.]", "");
-    }
-
-    /** what formats we support of the header the username is contained in. */
-    public enum UserNameHeaderFormat {
-        STRING,
-        JSON,
-        JWT
-    }
-
-    /** what formats we support for roles in the header. */
-    public enum JWTHeaderRoleSource implements RoleSource {
-        JSON,
-        JWT;
-
-        @Override
-        public boolean equals(RoleSource other) {
-            return other != null && other.toString().equals(toString());
-        }
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilterConfigValidator.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilterConfigValidator.java
deleted file mode 100644
index 11d32814da6..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilterConfigValidator.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.filter;
-
-import java.util.logging.Logger;
-import org.geoserver.security.GeoServerSecurityManager;
-import org.geoserver.security.config.SecurityNamedServiceConfig;
-import org.geoserver.security.validation.FilterConfigException;
-import org.geoserver.security.validation.FilterConfigValidator;
-import org.geotools.util.logging.Logging;
-
-/** Validate the configuration. */
-public class GeoServerJwtHeadersFilterConfigValidator extends FilterConfigValidator {
-
-    private static final Logger LOG =
-            Logging.getLogger(GeoServerJwtHeadersFilterConfigValidator.class);
-
-    /**
-     * Default constructor.
-     *
-     * @param securityManager the active security manager for the context
-     */
-    public GeoServerJwtHeadersFilterConfigValidator(GeoServerSecurityManager securityManager) {
-        super(securityManager);
-    }
-
-    /** Validates the configuration type and content. */
-    @Override
-    public void validateFilterConfig(SecurityNamedServiceConfig config)
-            throws FilterConfigException {
-        if (config instanceof GeoServerJwtHeadersFilterConfig) {
-            validateGeoServerJwtHeadersFilterConfig((GeoServerJwtHeadersFilterConfig) config);
-            super.validateFilterConfig(config);
-        } else {
-            throw new FilterConfigException(
-                    FilterConfigException.CLASS_WRONG_TYPE_$2,
-                    "configuration type is not appropriate for the requested filter type",
-                    config.getClass().getName(),
-                    GeoServerJwtHeadersFilterConfig.class.getName());
-        }
-    }
-
-    public void validateGeoServerJwtHeadersFilterConfig(GeoServerJwtHeadersFilterConfig config)
-            throws FilterConfigException {
-        try {
-            // todo
-        } catch (RuntimeException e) {
-            throw new FilterConfigException(null, e.getLocalizedMessage());
-        }
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoserverJwtHeadersAuthenticationProvider.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoserverJwtHeadersAuthenticationProvider.java
deleted file mode 100644
index d021cd2f623..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoserverJwtHeadersAuthenticationProvider.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.filter;
-
-import java.util.logging.Level;
-import java.util.logging.Logger;
-import org.geoserver.config.util.XStreamPersister;
-import org.geoserver.security.GeoServerSecurityManager;
-import org.geoserver.security.config.SecurityNamedServiceConfig;
-import org.geoserver.security.filter.AbstractFilterProvider;
-import org.geoserver.security.filter.GeoServerSecurityFilter;
-import org.geoserver.security.validation.SecurityConfigValidator;
-import org.geotools.util.logging.Logging;
-import org.springframework.beans.factory.annotation.Autowired;
-
-/**
- * FilterProvider from JWT Headers filter. This sets up the infrastructure for the JWT Header
- * filters.
- */
-public class GeoserverJwtHeadersAuthenticationProvider extends AbstractFilterProvider {
-
-    private static final Logger LOG =
-            Logging.getLogger(GeoserverJwtHeadersAuthenticationProvider.class);
-
-    @Autowired
-    public GeoserverJwtHeadersAuthenticationProvider() {}
-
-    @Override
-    public void configure(XStreamPersister xp) {
-        LOG.log(Level.FINER, "GeoserverJwtHeadersAuthenticationProvider.configure ENTRY");
-        super.configure(xp);
-        xp.getXStream().alias("JwtHeadersAuthentication", GeoServerJwtHeadersFilterConfig.class);
-    }
-
-    @Override
-    public Class<? extends GeoServerSecurityFilter> getFilterClass() {
-        LOG.log(Level.FINER, "GeoserverJwtHeadersAuthenticationProvider.getFilterClass ENTRY");
-        return GeoServerJwtHeadersFilter.class;
-    }
-
-    @Override
-    public GeoServerSecurityFilter createFilter(SecurityNamedServiceConfig config) {
-        LOG.log(Level.FINER, "GeoserverJwtHeadersAuthenticationProvider.createFilter ENTRY");
-        return new GeoServerJwtHeadersFilter();
-    }
-
-    @Override
-    public SecurityConfigValidator createConfigurationValidator(
-            GeoServerSecurityManager securityManager) {
-        LOG.log(
-                Level.FINER,
-                "GeoserverJwtHeadersAuthenticationProvider.createConfigurationValidator ENTRY");
-        return new GeoServerJwtHeadersFilterConfigValidator(securityManager);
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/details/JwtHeadersWebAuthDetailsSource.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/details/JwtHeadersWebAuthDetailsSource.java
deleted file mode 100644
index 18a8728bef1..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/details/JwtHeadersWebAuthDetailsSource.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.filter.details;
-
-import javax.servlet.http.HttpServletRequest;
-import org.springframework.security.web.authentication.WebAuthenticationDetails;
-import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
-
-/**
- * We are marking our (JWT Headers) security context authentication's with the ID of the header it
- * came from. This allows for easily detecting when to loggout the user. NOTE: we logout a user when
- * the previously logged in (JWT Header), but then the headers are no longer there.
- */
-public class JwtHeadersWebAuthDetailsSource extends WebAuthenticationDetailsSource {
-
-    String jwtHeadersConfigId;
-
-    public JwtHeadersWebAuthDetailsSource(String jwtHeadersConfigId) {
-        this.jwtHeadersConfigId = jwtHeadersConfigId;
-    }
-
-    @Override
-    public WebAuthenticationDetails buildDetails(HttpServletRequest context) {
-        return new JwtHeadersWebAuthenticationDetails(jwtHeadersConfigId, context);
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/details/JwtHeadersWebAuthenticationDetails.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/details/JwtHeadersWebAuthenticationDetails.java
deleted file mode 100644
index 664005f007c..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/details/JwtHeadersWebAuthenticationDetails.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.filter.details;
-
-import javax.servlet.http.HttpServletRequest;
-import org.springframework.security.web.authentication.WebAuthenticationDetails;
-
-/**
- * This will be in Authentication#getDetails() This contains the jwtHeadersConfigId. See
- * JwtHeadersWebAuthDetailsSource
- */
-public class JwtHeadersWebAuthenticationDetails extends WebAuthenticationDetails {
-
-    public String jwtHeadersConfigId;
-
-    public JwtHeadersWebAuthenticationDetails(
-            String jwtHeadersConfigId, HttpServletRequest request) {
-        super(request);
-        this.jwtHeadersConfigId = jwtHeadersConfigId;
-    }
-
-    public String getJwtHeadersConfigId() {
-        return jwtHeadersConfigId;
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/roles/JwtHeadersRolesExtractor.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/roles/JwtHeadersRolesExtractor.java
deleted file mode 100644
index b8f459b8da4..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/roles/JwtHeadersRolesExtractor.java
+++ /dev/null
@@ -1,101 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.roles;
-
-import com.nimbusds.jose.JWSObject;
-import java.text.ParseException;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-import java.util.stream.Collectors;
-import net.minidev.json.JSONArray;
-import org.geoserver.security.impl.GeoServerRole;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.geoserver.security.jwtheaders.username.JwtHeaderUserNameExtractor;
-
-/**
- * Extracts roles from the header value (JWT and JSON). JSON -> use the rolesJsonPath to extract
- * either a string or list of strings from the json. JWT -> convert to a JSON claim-set, then use
- * the rolesJsonPath to extract either a string or list of strings from the json. Will also do
- * RoleConversion (cf RoleConverter).
- */
-public class JwtHeadersRolesExtractor {
-
-    GeoServerJwtHeadersFilterConfig jwtHeadersConfig;
-    RoleConverter roleConverter;
-
-    public JwtHeadersRolesExtractor(GeoServerJwtHeadersFilterConfig config) {
-        jwtHeadersConfig = config;
-        roleConverter = new RoleConverter(config);
-    }
-
-    /**
-     * do actual conversion (JWT or JSON) given the value in the header.
-     *
-     * @param headerValue
-     * @return
-     */
-    public Collection<GeoServerRole> getRoles(String headerValue) {
-        if (headerValue == null || headerValue.isBlank()) {
-            return null;
-        }
-
-        headerValue = headerValue.replaceFirst("^Bearer", "");
-        headerValue = headerValue.replaceFirst("^bearer", "");
-        headerValue = headerValue.trim();
-
-        // JWT - convert JWT to JSON, then extract
-        if (jwtHeadersConfig.getRoleSource()
-                == GeoServerJwtHeadersFilterConfig.JWTHeaderRoleSource.JWT) {
-            JWSObject jwsObject = null;
-            try {
-                jwsObject = JWSObject.parse(headerValue);
-            } catch (ParseException e) {
-                throw new RuntimeException(e);
-            }
-            Map<String, Object> claims = jwsObject.getPayload().toJSONObject();
-            List<String> roleNames =
-                    asStringList(
-                            JwtHeaderUserNameExtractor.getClaim(
-                                    claims, jwtHeadersConfig.getRolesJsonPath()));
-            List<GeoServerRole> roles = this.roleConverter.convert(roleNames);
-            return roles;
-        }
-
-        // Simple JSON (extract by path)
-        if (jwtHeadersConfig.getRoleSource()
-                == GeoServerJwtHeadersFilterConfig.JWTHeaderRoleSource.JSON) {
-            List<String> roleNames =
-                    asStringList(
-                            JwtHeaderUserNameExtractor.extractFromJSON(
-                                    headerValue, jwtHeadersConfig.getRolesJsonPath()));
-            List<GeoServerRole> roles = this.roleConverter.convert(roleNames);
-            return roles;
-        }
-        return null;
-    }
-
-    /**
-     * handles conversion of either a JSON string or list-of-string (JSONArray) for consistency.
-     *
-     * @param obj - json string or json list-of-string (JSONArray)
-     * @return
-     */
-    public static List<String> asStringList(Object obj) {
-        if (obj instanceof String) {
-            return Arrays.asList((String) obj);
-        }
-        if (obj instanceof JSONArray) {
-            return ((JSONArray) obj).stream().map(x -> x.toString()).collect(Collectors.toList());
-        }
-        if (obj instanceof List) {
-            List<Object> list = ((List) obj);
-            return list.stream().map(x -> x.toString()).collect(Collectors.toList());
-        }
-        return null;
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/roles/RoleConverter.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/roles/RoleConverter.java
deleted file mode 100644
index 47a32ea18ac..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/roles/RoleConverter.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.roles;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import org.geoserver.security.impl.GeoServerRole;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-
-/**
- * Provides conversion between External and Internal (GS) roles. See
- * GeoServerJwtHeadersFilterConfig#getRoleConverterAsMap (and #RoleConverterString)
- */
-public class RoleConverter {
-
-    Map<String, String> conversionMap;
-
-    boolean externalNameMustBeListed;
-
-    public RoleConverter(GeoServerJwtHeadersFilterConfig config) {
-        conversionMap = config.getRoleConverterAsMap();
-        externalNameMustBeListed = config.isOnlyExternalListedRoles();
-    }
-
-    /**
-     * convert a list of external roles (i.e. from and IDP) into internal (GS) roles using the
-     * roleConverter in the configuration. Also, pays attention to the
-     * config#isOnlyExternalListedRoles setting.
-     *
-     * @param externalRoles
-     * @return
-     */
-    public List<GeoServerRole> convert(List<String> externalRoles) {
-        List<GeoServerRole> result = new ArrayList<>();
-
-        if (externalRoles == null) return result; // empty
-
-        for (String externalRole : externalRoles) {
-            String gsRole = conversionMap.get(externalRole);
-            if (gsRole == null && !externalNameMustBeListed) {
-                result.add(new GeoServerRole(externalRole));
-            } else if (gsRole != null) {
-                result.add(new GeoServerRole(gsRole));
-            }
-        }
-        return result;
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenAudienceValidator.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenAudienceValidator.java
deleted file mode 100644
index d4fbb7b9de1..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenAudienceValidator.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.token;
-
-import static org.geoserver.security.jwtheaders.roles.JwtHeadersRolesExtractor.asStringList;
-
-import com.nimbusds.jose.JWSObject;
-import java.util.List;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-
-/**
- * validates the Audience of an accesstoken. The OAUTH2/OIDC spec recommends validating this.
- * Security concern - the AccessToken was retrieved for a different client (not ours).
- */
-public class TokenAudienceValidator {
-
-    GeoServerJwtHeadersFilterConfig jwtHeadersConfig;
-
-    public TokenAudienceValidator(GeoServerJwtHeadersFilterConfig config) {
-        jwtHeadersConfig = config;
-    }
-
-    public void validate(JWSObject jwsToken) throws Exception {
-        if (!jwtHeadersConfig.isValidateTokenAudience()) return; // nothing to do
-
-        String aud_claimName = jwtHeadersConfig.getValidateTokenAudienceClaimName();
-        List<String> aud = asStringList(jwsToken.getPayload().toJSONObject().get(aud_claimName));
-
-        if (!aud.contains(jwtHeadersConfig.getValidateTokenAudienceClaimValue()))
-            throw new Exception("token audience didn't match");
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenEndpointValidator.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenEndpointValidator.java
deleted file mode 100644
index c776833b1d7..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenEndpointValidator.java
+++ /dev/null
@@ -1,104 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.token;
-
-import static org.geoserver.security.jwtheaders.username.JwtHeaderUserNameExtractor.extractFromJSON;
-
-import com.google.common.cache.Cache;
-import com.google.common.cache.CacheBuilder;
-import com.nimbusds.jose.JWSObject;
-import java.io.BufferedReader;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.net.HttpURLConnection;
-import java.net.URL;
-import java.net.URLConnection;
-import java.util.concurrent.TimeUnit;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-
-/**
- * This validates the token against the OIDC userinfo_endpoint ("check token"). This allows an
- * official server to validate the token (not just us).
- *
- * <p>It also CAN verify that the userinfo and access token refer to the same user (SUBject). The
- * OIDC spec recommends this validation.
- *
- * <p>NOTE - we cache results for 1 hour for performance. TokenExpiryValidator will catch a token
- * expiring.
- */
-public class TokenEndpointValidator {
-
-    GeoServerJwtHeadersFilterConfig jwtHeadersConfig;
-
-    public static Cache<Object, Object> validEndpoints =
-            CacheBuilder.newBuilder()
-                    .maximumSize(50000)
-                    .expireAfterWrite(1, TimeUnit.HOURS)
-                    .build();
-
-    public TokenEndpointValidator(GeoServerJwtHeadersFilterConfig config) {
-        jwtHeadersConfig = config;
-    }
-
-    public void validate(String accessToken) throws Exception {
-        if (!jwtHeadersConfig.isValidateTokenAgainstURL()) return; // nothing to do
-
-        if (validEndpoints.getIfPresent(accessToken) != null)
-            return; // we already know this is a good accessToken
-
-        validateEndpoint(accessToken);
-
-        // its good - put in cache, so we don't do the endpoint validation all the time.
-        validEndpoints.put(accessToken, Boolean.TRUE);
-    }
-
-    public void validateEndpoint(String accessToken) throws Exception {
-        URL url = new URL(jwtHeadersConfig.getValidateTokenAgainstURLEndpoint());
-        String result = download(url, accessToken);
-        if (result == null) throw new Exception("ValidateTokenAgainstURLEndpoint - failed");
-
-        validateSubject(accessToken, result);
-    }
-
-    private void validateSubject(String accessToken, String result) throws Exception {
-        if (!jwtHeadersConfig.isValidateSubjectWithEndpoint()) return; // nothing to do
-
-        JWSObject jwsToken = JWSObject.parse(accessToken);
-        String subject_userinfo = (String) extractFromJSON(result, "sub");
-        String subject_accesstoken = (String) jwsToken.getPayload().toJSONObject().get("sub");
-        if (subject_userinfo == null || subject_accesstoken == null)
-            throw new Exception("couldn't extract subject from token or userinfo");
-        if (!subject_userinfo.equals(subject_accesstoken))
-            throw new Exception("subject of token and userinfo dont match");
-    }
-
-    public String download(URL url, String accessToken) throws IOException {
-        URLConnection connection = url.openConnection();
-        HttpURLConnection httpConn = (HttpURLConnection) connection;
-        httpConn.setRequestProperty("Authorization", "Bearer " + accessToken);
-
-        int responseCode = httpConn.getResponseCode();
-        if (responseCode == HttpURLConnection.HTTP_OK) {
-            String data = readStream(httpConn.getInputStream());
-            return data;
-        }
-        return null;
-    }
-
-    private String readStream(InputStream inputStream) {
-        StringBuilder sb = new StringBuilder();
-        try (BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream)); ) {
-            String nextLine = "";
-            while ((nextLine = reader.readLine()) != null) {
-                sb.append(nextLine + "\n");
-            }
-        } catch (IOException e) {
-            e.printStackTrace();
-        }
-        return sb.toString();
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenExpiryValidator.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenExpiryValidator.java
deleted file mode 100644
index ae5d3652761..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenExpiryValidator.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.token;
-
-import com.nimbusds.jose.JWSObject;
-import java.time.Instant;
-import java.util.Date;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-
-/**
- * this tests the access token to ensure its still valid (hasn't expired).
- *
- * <p>We look at the "exp" claim and make sure its in the future.
- */
-public class TokenExpiryValidator {
-
-    GeoServerJwtHeadersFilterConfig jwtHeadersConfig;
-
-    public TokenExpiryValidator(GeoServerJwtHeadersFilterConfig config) {
-        jwtHeadersConfig = config;
-    }
-
-    public void validate(JWSObject jwsToken) throws Exception {
-        if (!jwtHeadersConfig.isValidateTokenExpiry()) return; // nothing to do
-
-        Long exp = (Long) jwsToken.getPayload().toJSONObject().get("exp");
-        long exp_ms = exp.longValue() * 1000;
-        Instant exp_instant = (new Date(exp_ms)).toInstant();
-        if (exp_instant.isBefore(Instant.now())) throw new Exception("token has expired!");
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenSignatureValidator.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenSignatureValidator.java
deleted file mode 100644
index 32d91f71f20..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenSignatureValidator.java
+++ /dev/null
@@ -1,96 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.token;
-
-import com.google.common.cache.Cache;
-import com.google.common.cache.CacheBuilder;
-import com.google.common.cache.CacheLoader;
-import com.google.common.cache.LoadingCache;
-import com.nimbusds.jose.JWSObject;
-import com.nimbusds.jose.JWSVerifier;
-import com.nimbusds.jose.crypto.RSASSAVerifier;
-import com.nimbusds.jose.jwk.JWKSet;
-import com.nimbusds.jose.jwk.RSAKey;
-import java.net.URL;
-import java.util.concurrent.TimeUnit;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-
-/**
- * This validates the signature of the JWT.
- *
- * <p>We cache to things (both for 1 hour) for performance reasons; 1. The JWKSet enpoint (set of
- * public keys we use to check the signature). 2. The validated token
- *
- * <p>This will ensure that the token hasn't been tampered with.
- */
-public class TokenSignatureValidator {
-
-    public static LoadingCache<String, JWKSet> jwks =
-            CacheBuilder.newBuilder()
-                    .maximumSize(50000)
-                    .expireAfterWrite(1, TimeUnit.HOURS)
-                    .build(
-                            new CacheLoader<String, JWKSet>() {
-                                public JWKSet load(String urlStr) throws Exception {
-
-                                    return loadJWKSet(urlStr);
-                                }
-                            });
-
-    public static Cache<Object, Object> validAccessKeys =
-            CacheBuilder.newBuilder()
-                    .maximumSize(50000)
-                    .expireAfterWrite(1, TimeUnit.HOURS)
-                    .build();
-
-    GeoServerJwtHeadersFilterConfig jwtHeadersConfig;
-
-    public static JWKSet loadJWKSet(String urlStr) throws Exception {
-        URL url = new URL(urlStr);
-        return JWKSet.load(url);
-    }
-
-    public TokenSignatureValidator(GeoServerJwtHeadersFilterConfig config) {
-        jwtHeadersConfig = config;
-    }
-
-    public void validate(String accessToken) throws Exception {
-        if (!jwtHeadersConfig.isValidateTokenSignature()) return; // don't validate
-
-        if (validAccessKeys.getIfPresent(accessToken) != null)
-            return; // we already know this is a good accessToken
-
-        JWSObject jwsToken = JWSObject.parse(accessToken);
-        String keyId = jwsToken.getHeader().getKeyID();
-
-        var publicKeys = jwks.get(jwtHeadersConfig.getValidateTokenSignatureURL());
-
-        RSAKey rsaKey = (RSAKey) publicKeys.getKeyByKeyId(keyId);
-        validateSignature(rsaKey, jwsToken);
-
-        // its good - put in cache, so we don't do the signature validation all the time.
-        validAccessKeys.put(accessToken, Boolean.TRUE);
-    }
-
-    /**
-     * Given a publickey and a (parsed) token, verify that the signature is correct. Throws if the
-     * signature is bad.
-     *
-     * @param rsaPublicKey Public key used to validate token signature
-     * @param token three part token
-     * @throws Exception
-     */
-    public void validateSignature(RSAKey rsaPublicKey, JWSObject token) throws Exception {
-
-        JWSVerifier verifier = new RSASSAVerifier(rsaPublicKey);
-
-        var valid = token.verify(verifier);
-        if (!valid) {
-            throw new Exception(
-                    "Could not verify signature of the JWT with the given RSA Public Key");
-        }
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenValidator.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenValidator.java
deleted file mode 100644
index 5c1c90269ab..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/token/TokenValidator.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.token;
-
-import com.nimbusds.jose.JWSObject;
-import java.util.logging.Logger;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.geotools.util.logging.Logging;
-
-/**
- * validates a token - according to the GeoServerJwtHeadersFilterConfig. This will use the various
- * Token...Validator classes to do the actual validation.
- */
-public class TokenValidator {
-
-    private static final Logger LOG = Logging.getLogger(TokenValidator.class);
-
-    public GeoServerJwtHeadersFilterConfig jwtHeadersConfig;
-    public TokenEndpointValidator tokenEndpointValidator;
-    public TokenAudienceValidator tokenAudienceValidator;
-    public TokenExpiryValidator tokenExpiryValidator;
-    public TokenSignatureValidator tokenSignatureValidator;
-
-    public TokenValidator(GeoServerJwtHeadersFilterConfig config) {
-        jwtHeadersConfig = config;
-
-        tokenAudienceValidator = new TokenAudienceValidator(jwtHeadersConfig);
-        tokenEndpointValidator = new TokenEndpointValidator(jwtHeadersConfig);
-        tokenExpiryValidator = new TokenExpiryValidator(jwtHeadersConfig);
-        tokenSignatureValidator = new TokenSignatureValidator(jwtHeadersConfig);
-    }
-
-    public void validate(String accessToken) throws Exception {
-
-        if (!jwtHeadersConfig.isValidateToken()) {
-            return;
-        }
-
-        validateSignature(accessToken);
-
-        JWSObject jwsToken = JWSObject.parse(accessToken);
-
-        validateExpiry(jwsToken);
-        validateEndpoint(accessToken);
-        validateAudience(jwsToken);
-    }
-
-    private void validateAudience(JWSObject accessToken) throws Exception {
-
-        tokenAudienceValidator.validate(accessToken);
-    }
-
-    private void validateEndpoint(String token) throws Exception {
-        tokenEndpointValidator.validate(token);
-    }
-
-    private void validateExpiry(JWSObject jwsToken) throws Exception {
-        tokenExpiryValidator.validate(jwsToken);
-    }
-
-    private void validateSignature(String accessToken) throws Exception {
-        tokenSignatureValidator.validate(accessToken);
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractor.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractor.java
deleted file mode 100644
index f523d88e029..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractor.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.username;
-
-import static org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig.UserNameHeaderFormat.*;
-
-import com.jayway.jsonpath.JsonPath;
-import com.nimbusds.jose.JWSObject;
-import java.text.ParseException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Map;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-
-/** Extracts the username given the value of the request's header. */
-public class JwtHeaderUserNameExtractor {
-
-    GeoServerJwtHeadersFilterConfig jwtHeadersConfig;
-
-    public JwtHeaderUserNameExtractor(GeoServerJwtHeadersFilterConfig config) {
-        jwtHeadersConfig = config;
-    }
-
-    // get a claim from the JWT Payload - which is a Map.
-    public static Object getClaim(Map<String, Object> map, String path) {
-        return getClaim(map, new ArrayList<>(Arrays.asList(path.split("\\."))));
-    }
-
-    // recursive.
-    // if this is trivial (single item in pathList), return the value.
-    // otherwise, go into the map one level (pathList[0]) and recurse on the result.
-    private static Object getClaim(Map<String, Object> map, List<String> pathList) {
-        if (pathList.size() == 1) return map.get(pathList.get(0));
-
-        String first = pathList.get(0);
-        pathList.remove(0);
-
-        return getClaim((Map<String, Object>) map.get(first), pathList);
-    }
-
-    // given json string + path into the json, extract the value.
-    public static Object extractFromJSON(String json, String path) {
-        try {
-            return JsonPath.read(json, path);
-        } catch (Exception e) {
-            return null;
-        }
-    }
-
-    /**
-     * given a value of a request header, extract the username value. Handles: STRING (no conversion
-     * needed) JSON (use userNameJsonPath to get the username from inside the JSON) JWT (decoded the
-     * JWT to a JSON claimset, then use userNameJsonPath to get the username from inside the JSON)
-     *
-     * @param userNameHeader
-     * @return
-     */
-    public String extractUserName(String userNameHeader) {
-        if (userNameHeader == null) {
-            return null;
-        }
-
-        // STRING - trivial case
-        if (jwtHeadersConfig.getUserNameFormatChoice() == STRING) {
-            String userName = userNameHeader.trim();
-            if (userName.isBlank()) {
-                return null;
-            }
-            return userName;
-        }
-
-        userNameHeader = userNameHeader.replaceFirst("^Bearer", "");
-        userNameHeader = userNameHeader.replaceFirst("^bearer", "");
-        userNameHeader = userNameHeader.trim();
-
-        // JWT - convert JWT to JSON, then extract
-        if (jwtHeadersConfig.getUserNameFormatChoice() == JWT) {
-            JWSObject jwsObject = null;
-            try {
-                jwsObject = JWSObject.parse(userNameHeader);
-            } catch (ParseException e) {
-                throw new RuntimeException(e);
-            }
-            Map<String, Object> claims = jwsObject.getPayload().toJSONObject();
-            String userName = (String) getClaim(claims, jwtHeadersConfig.getUserNameJsonPath());
-            return userName;
-        }
-
-        // Simple JSON (extract by path)
-        if (jwtHeadersConfig.getUserNameFormatChoice() == JSON) {
-            return (String) extractFromJSON(userNameHeader, jwtHeadersConfig.getUserNameJsonPath());
-        }
-
-        return null; // unknown type
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel$JsonClaimPanel.html b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel$JsonClaimPanel.html
deleted file mode 100644
index 3d4265f8952..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel$JsonClaimPanel.html
+++ /dev/null
@@ -1,148 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
-        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
-<html xmlns="http://www.w3.org/1999/xhtml"
-      xmlns:wicket="http://wicket.apache.org/">
-<!--
-  ~ (c) 2024 Open Source Geospatial Foundation - all rights reserved
-  ~ This code is licensed under the GPL 2.0 license, available at the root
-  ~ application directory.
-  ~
-  -->
-<wicket:head>
-    <style>
-        #roleConverterStringTable table, th, td {
-            border: black 1px solid !important;
-        }
-
-    </style>
-    <script>
-
-        //takes the converter string (in "att1=val1;att2=val2" format)
-        //and adds rows to the roleConverterStringTbody.
-        //If there aren't any items in the converter string, then
-        //hide the table.
-        function roleConverterStringChanged() {
-            //actual (string) value of the att1=val1;att2=val2 map
-            var strElement = document.getElementById("roleConverterString");
-            if (strElement == null) {
-                //loading
-                return;
-            }
-            var str = strElement.value;
-
-            //body of the table - under the <th>s
-            var tbody = document.getElementById("roleConverterStringTbody");
-
-            //div containing the table (and title).
-            //we only display it if there are conversions
-            var div = document.getElementById("roleConverterStringDiv");
-
-            if (str == null) {
-                div.style.display = "none";
-                return; //nothing to do
-            }
-            str = str.trim();
-            if (str === "") {
-                div.style.display = "none";
-                return; //nothing to do
-            }
-
-            //one for each of the items in the Map
-            var items = str.split(";");
-            var body = "";
-            for (var i = 0; i < items.length; i++) {
-                //parts[0]=key, parts[1]=value
-                var parts = items[i].split("=");
-                if (parts.length != 2) {
-                    continue; // invalid
-                }
-                var externalRole = removeBadChars(parts[0]);
-                var gsRole = removeBadChars(parts[1]);
-                var tr = "<tr><td>" + externalRole + "</td><td>" + gsRole + "</td></tr>";
-                body += tr;
-            }
-            tbody.innerHTML = body;
-            div.style.display = "block";
-        }
-
-        //we don't want to put user input into the dom, so we
-        //make sure there isn't anything "bad" (like "script") in the
-        //input
-        function removeBadChars(inputString) {
-            var regex = new RegExp('[^0-9a-zA-Z_.\-]', 'g');
-            return inputString.replace(regex, '');
-        }
-
-    </script>
-
-</wicket:head>
-
-<body>
-
-
-<wicket:panel>
-
-    <label>
-        <wicket:message key="rolesHeaderName"></wicket:message>
-    </label>
-    <input class="field text" wicket:id="rolesHeaderName"/>
-
-    <label>
-        <wicket:message key="jsonPath"></wicket:message>
-    </label>
-    <input class="field text" wicket:id="rolesJsonPath"/>
-
-    <label style="padding-top: 20px;">
-        <wicket:message key="roleConverterTitle"></wicket:message>
-    </label>
-    <!--
-      `oninput` fires when user changes the value - this will
-      update the summary table.
-    -->
-    <input class="field text" id="roleConverterString" oninput="roleConverterStringChanged(this)"
-           style="width: 95%;" wicket:id="roleConverterString"/>
-
-    <label>
-        <wicket:message key="roleConverterHint"></wicket:message>
-    </label>
-    <div style="display:flex">
-        <input class="field checkbox" id="onlyExternalListedRoles"
-               style="margin-top:auto;margin-bottom:auto" type="checkbox" wicket:id="onlyExternalListedRoles"/>
-        <label style="padding-left:5px">
-            <wicket:message key="roleConverterOnlyListedExternalRoles"></wicket:message>
-        </label>
-    </div>
-
-    <div id="roleConverterStringDiv" style="display:none;padding-top:10px;width:55%">
-        <table id="roleConverterStringTable">
-            <thead>
-            <tr>
-                <th style="text-align: center;">
-                    <wicket:message key="externalRoleTitle"/>
-                </th>
-                <th style="text-align: center;">
-                    <wicket:message key="gsRoleTitle"/>
-                </th>
-            </tr>
-            </thead>
-            <tbody id="roleConverterStringTbody">
-
-            </tbody>
-        </table>
-
-        <div style="justify-content: center;display: flex;font-size: 10px">
-            <div>
-                <wicket:message key="roleConverterTableTitle"/>
-            </div>
-        </div>
-    </div>
-    <script>
-        //when wicket loads the page, we want this to fire AFTER the
-        //above elements are in the dom.  This is so the converter is run
-        //when the page first loads (and table is updated).
-        roleConverterStringChanged();
-    </script>
-</wicket:panel>
-</body>
-</html>
\ No newline at end of file
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel.html b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel.html
deleted file mode 100644
index 9ef8a29979b..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel.html
+++ /dev/null
@@ -1,188 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
-        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"
-      xmlns:wicket="http://wicket.apache.org/">
-<!--
-  ~ (c) 2024 Open Source Geospatial Foundation - all rights reserved
-  ~ This code is licensed under the GPL 2.0 license, available at the root
-  ~ application directory.
-  ~
-  -->
-<body>
-<wicket:head>
-    <style type="text/css">
-        ul.horizontal div {
-            display: inline;
-        }
-    </style>
-    <script>
-        // When the user name format dropdown is changed, we hide
-        // the "json path" input if its not needed.
-        function usernameFormatChanged() {
-            var elem = document.getElementById("userNameFormatSelect")
-            if (elem.value === "JSON" || elem.value === "JWT") {
-                document.getElementById("userNamePathDiv").style.display = "block";
-            } else {
-                document.getElementById("userNamePathDiv").style.display = "none";
-            }
-        }
-
-        function showTokenValidationChanged() {
-            var elem = document.getElementById("validateToken")
-            var div = document.getElementById("validateTokenDiv");
-            if (elem.checked) {
-                div.style.display = "block";
-            } else {
-                div.style.display = "none";
-            }
-        }
-
-        function toggleVisible(element,id) {
-            var visibilityDiv = document.getElementById(id);
-            if (element.checked)
-                visibilityDiv.style.display = "block";
-            else
-                visibilityDiv.style.display = "none";
-        }
-
-        // When the page is loaded, we hide  the username "json path" input if its not needed.
-        window.addEventListener('load', function () {
-            usernameFormatChanged();
-            showTokenValidationChanged();
-            toggleVisible(document.getElementById('validateToken'),'validateTokenSignatureURLDiv');
-            toggleVisible(document.getElementById('validateTokenAgainstURL'),'validateTokenAgainstURLDiv');
-            toggleVisible(document.getElementById('validateTokenAudience'),'validateTokenAudienceDiv');
-
-
-        });
-    </script>
-</wicket:head>
-<wicket:extend>
-    <fieldset>
-        <legend>
-            <span><wicket:message key="UsernameHeader"></wicket:message></span>
-            <a class="help-link" href="#" wicket:id="UsernameHelp"></a>
-        </legend>
-        <label>
-            <wicket:message key="userNameHeaderAttributeName"></wicket:message>
-        </label>
-        <input class="field text" wicket:id="userNameHeaderAttributeName"/>
-        <br>
-        <label>
-            <wicket:message key="formatUserName"></wicket:message>
-        </label>
-        <select class="select" id="userNameFormatSelect" onchange="usernameFormatChanged()"
-                wicket:id="userNameFormatChoice"></select>
-        <br>
-        <!-- visibility of this DIV is control with JS, above.
-              If formatUserName = "STRING" - don't show
-              Otherwise (JSON or JWT), then show.
-         -->
-        <div id="userNamePathDiv">
-            <label>
-                <wicket:message key="userNamePath"></wicket:message>
-            </label>
-            <input class="field text" wicket:id="userNameJsonPath"/>
-        </div>
-
-        <br>
-        <legend>
-            <span><wicket:message key="validateTokenHeader"></wicket:message></span>
-            <a class="help-link" href="#" wicket:id="validateTokenHelp"></a>
-        </legend>
-
-        <div style="display:flex">
-            <input class="field checkbox" id="validateToken" onchange="showTokenValidationChanged()"
-                   style="margin-top:auto;margin-bottom:auto" type="checkbox" wicket:id="validateToken"/>
-            <label style="padding-left:5px">
-                <wicket:message key="showTokenValidation"></wicket:message>
-            </label>
-        </div>
-
-        <div  style="padding-top:20px">
-            <div style="display:flex">
-                <input class="field checkbox" id="validateTokenExpiry"
-                       style="margin-top:auto;margin-bottom:auto" type="checkbox" wicket:id="validateTokenExpiry"/>
-                <label style="padding-left:5px">
-                    <wicket:message key="validateTokenExpiry"></wicket:message>
-                </label>
-            </div>
-
-        </div>
-
-
-        <div id="validateTokenDiv" style="padding-top:20px">
-            <div style="display:flex">
-                <input class="field checkbox" id="validateTokenSignature" onchange="toggleVisible(this,'validateTokenSignatureURLDiv')"
-                       style="margin-top:auto;margin-bottom:auto" type="checkbox" wicket:id="validateTokenSignature"/>
-                <label style="padding-left:5px">
-                    <wicket:message key="validateTokenSignatureText"></wicket:message>
-                </label>
-            </div>
-            <div id="validateTokenSignatureURLDiv">
-                <label>
-                    <wicket:message key="validateTokenSignatureURL"></wicket:message>
-                </label>
-                <input class="field text" wicket:id="validateTokenSignatureURL"/>
-            </div>
-        </div>
-
-        <div  style="padding-top:20px">
-            <div style="display:flex">
-                <input class="field checkbox" id="validateTokenAgainstURL" onchange="toggleVisible(this,'validateTokenAgainstURLDiv')"
-                       style="margin-top:auto;margin-bottom:auto" type="checkbox" wicket:id="validateTokenAgainstURL"/>
-                <label style="padding-left:5px">
-                    <wicket:message key="validateTokenAgainstURL"></wicket:message>
-                </label>
-            </div>
-            <div id="validateTokenAgainstURLDiv" style="display: flex">
-
-                <label>
-                    <wicket:message key="validateTokenAgainstURLText"></wicket:message>
-                </label>
-                <div>
-                    <input class="field text" wicket:id="validateTokenAgainstURLEndpoint"/>
-                </div>
-                <div style="display:flex">
-                    <input class="field checkbox" id="validateSubjectWithEndpoint"
-                           style="margin-top:auto;margin-bottom:auto" type="checkbox" wicket:id="validateSubjectWithEndpoint"/>
-                    <label style="padding-left:5px">
-                        <wicket:message key="validateTokenAgainstURLSubject"></wicket:message>
-                    </label>
-                </div>
-
-            </div>
-        </div>
-
-
-        <div  style="padding-top:20px">
-            <div style="display:flex">
-                <input class="field checkbox" id="validateTokenAudience" onchange="toggleVisible(this,'validateTokenAudienceDiv')"
-                       style="margin-top:auto;margin-bottom:auto" type="checkbox" wicket:id="validateTokenAudience"/>
-                <label style="padding-left:5px">
-                    <wicket:message key="validateTokenAudience"></wicket:message>
-                </label>
-            </div>
-            <div id="validateTokenAudienceDiv" style="display: flex">
-                <label>
-                    <wicket:message key="validateTokenAudienceClaimName"></wicket:message>
-                </label>
-                <div>
-                    <input class="field text" wicket:id="validateTokenAudienceClaimName"/>
-                </div>
-                <label>
-                    <wicket:message key="validateTokenAudienceClaimValue"></wicket:message>
-                </label>
-                <div>
-                    <input class="field text" wicket:id="validateTokenAudienceClaimValue"/>
-                </div>
-
-
-            </div>
-        </div>
-
-
-    </fieldset>
-</wicket:extend>
-</body>
-</html>
\ No newline at end of file
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel.java
deleted file mode 100644
index 290e7f750a0..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel.java
+++ /dev/null
@@ -1,98 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.web;
-
-import static org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig.JWTHeaderRoleSource.JSON;
-import static org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig.JWTHeaderRoleSource.JWT;
-
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import org.apache.wicket.markup.html.form.CheckBox;
-import org.apache.wicket.markup.html.form.DropDownChoice;
-import org.apache.wicket.markup.html.form.TextField;
-import org.apache.wicket.markup.html.panel.Panel;
-import org.apache.wicket.model.IModel;
-import org.apache.wicket.model.Model;
-import org.geoserver.security.config.PreAuthenticatedUserNameFilterConfig;
-import org.geoserver.security.config.RoleSource;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.geoserver.security.web.auth.PreAuthenticatedUserNameFilterPanel;
-import org.geoserver.security.web.auth.RoleSourceChoiceRenderer;
-import org.geoserver.web.wicket.HelpLink;
-
-/** Jwt Headers auth panel Wicket */
-public class JwtHeadersAuthFilterPanel
-        extends PreAuthenticatedUserNameFilterPanel<GeoServerJwtHeadersFilterConfig> {
-
-    protected DropDownChoice<GeoServerJwtHeadersFilterConfig.UserNameHeaderFormat>
-            userNameFormatChoice;
-
-    public JwtHeadersAuthFilterPanel(String id, IModel<GeoServerJwtHeadersFilterConfig> model) {
-        super(id, model);
-
-        add(new HelpLink("UsernameHelp", this).setDialog(dialog));
-        add(new TextField("userNameHeaderAttributeName").setRequired(true));
-
-        add(new TextField("userNameJsonPath").setRequired(false));
-
-        add(new CheckBox("validateToken").setRequired(false));
-        add(new HelpLink("validateTokenHelp", this).setDialog(dialog));
-
-        add(new CheckBox("validateTokenExpiry").setRequired(false));
-
-        add(new CheckBox("validateTokenSignature").setRequired(false));
-        add(new TextField("validateTokenSignatureURL").setRequired(false));
-
-        add(new CheckBox("validateTokenAgainstURL").setRequired(false));
-        add(new TextField("validateTokenAgainstURLEndpoint").setRequired(false));
-        add(new CheckBox("validateSubjectWithEndpoint").setRequired(false));
-
-        add(new CheckBox("validateTokenAudience").setRequired(false));
-        add(new TextField("validateTokenAudienceClaimName").setRequired(false));
-        add(new TextField("validateTokenAudienceClaimValue").setRequired(false));
-
-        userNameFormatChoice =
-                new DropDownChoice(
-                        "userNameFormatChoice",
-                        Arrays.asList(
-                                GeoServerJwtHeadersFilterConfig.UserNameHeaderFormat.values()),
-                        new UserNameFormatChoiceRenderer());
-
-        add(userNameFormatChoice);
-    }
-
-    @Override
-    protected DropDownChoice<RoleSource> createRoleSourceDropDown() {
-        List<RoleSource> sources =
-                new ArrayList<>(
-                        Arrays.asList(
-                                GeoServerJwtHeadersFilterConfig.JWTHeaderRoleSource.values()));
-        sources.addAll(
-                Arrays.asList(
-                        PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource
-                                .values()));
-        return new DropDownChoice<>("roleSource", sources, new RoleSourceChoiceRenderer());
-    }
-
-    @Override
-    protected Panel getRoleSourcePanel(RoleSource model) {
-        if (JSON.equals(model) || JWT.equals(model)) {
-            return new JsonClaimPanel("panel");
-        }
-        return super.getRoleSourcePanel(model);
-    }
-
-    static class JsonClaimPanel extends Panel {
-        public JsonClaimPanel(String id) {
-            super(id, new Model<>());
-            add(new TextField<String>("rolesJsonPath").setRequired(true));
-            add(new TextField<String>("rolesHeaderName").setRequired(true));
-            add(new TextField<String>("roleConverterString").setRequired(false));
-            add(new CheckBox("onlyExternalListedRoles").setRequired(false));
-        }
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanelInfo.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanelInfo.java
deleted file mode 100644
index fa4d51417a5..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanelInfo.java
+++ /dev/null
@@ -1,23 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.web;
-
-import org.geoserver.security.filter.GeoServerRequestHeaderAuthenticationFilter;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilter;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.geoserver.security.web.auth.AuthenticationFilterPanelInfo;
-
-/** Configuration panel extension for {@link GeoServerRequestHeaderAuthenticationFilter}. */
-public class JwtHeadersAuthFilterPanelInfo
-        extends AuthenticationFilterPanelInfo<
-                GeoServerJwtHeadersFilterConfig, JwtHeadersAuthFilterPanel> {
-
-    public JwtHeadersAuthFilterPanelInfo() {
-        setComponentClass(JwtHeadersAuthFilterPanel.class);
-        setServiceClass(GeoServerJwtHeadersFilter.class);
-        setServiceConfigClass(GeoServerJwtHeadersFilterConfig.class);
-    }
-}
diff --git a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/UserNameFormatChoiceRenderer.java b/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/UserNameFormatChoiceRenderer.java
deleted file mode 100644
index 62f48d3a9d7..00000000000
--- a/src/community/jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/UserNameFormatChoiceRenderer.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.web;
-
-import org.apache.wicket.Application;
-import org.apache.wicket.markup.html.form.ChoiceRenderer;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-
-/** Wicket support class for the UserNameHeaderFormat displayed on the config page. */
-public class UserNameFormatChoiceRenderer
-        extends ChoiceRenderer<GeoServerJwtHeadersFilterConfig.UserNameHeaderFormat> {
-
-    /** serialVersionUID */
-    private static final long serialVersionUID = 1L;
-
-    @Override
-    public Object getDisplayValue(GeoServerJwtHeadersFilterConfig.UserNameHeaderFormat rs) {
-        String key = "UserNameHeaderFormat." + rs.toString();
-        return Application.get().getResourceSettings().getLocalizer().getString(key, null);
-    }
-
-    @Override
-    public String getIdValue(GeoServerJwtHeadersFilterConfig.UserNameHeaderFormat rs, int index) {
-        return rs.toString();
-    }
-}
diff --git a/src/community/jwt-headers/src/main/resources/GeoServerApplication.properties b/src/community/jwt-headers/src/main/resources/GeoServerApplication.properties
deleted file mode 100644
index 3a67fe5d85f..00000000000
--- a/src/community/jwt-headers/src/main/resources/GeoServerApplication.properties
+++ /dev/null
@@ -1,43 +0,0 @@
-JwtHeadersAuthFilterPanel.short=JWT Headers
-JwtHeadersAuthFilterPanel.title=HTTP JWT Request Header Authentication
-JwtHeadersAuthFilterPanel.description=Authenticates by checking existence of a JWT HTTP request header
-
-org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilter.name=HTTP JWT Header
-org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilter.title=HTTP request JWT header authentication
-JwtHeadersAuthFilterPanel.userNameHeaderAttributeName=Request header attribute for User Name
-JwtHeadersAuthFilterPanel.UsernameHeader=User Name Extraction From Header
-JwtHeadersAuthFilterPanel.UsernameHelp.title=User Name Extraction from HTTP Headers
-JwtHeadersAuthFilterPanel.UsernameHelp=\
-Where to extract the User Name from the HTTP request.
-RoleSource.JWT=Header Containing JWT
-RoleSource.JSON=Header Containing JSON String
-JwtHeadersAuthFilterPanel.jsonPath=JSON Path (i.e. property1.property2)
-JwtHeadersAuthFilterPanel.rolesHeaderName=Request Header attribute for Roles
-UserNameHeaderFormat.STRING=Simple String
-UserNameHeaderFormat.JSON=JSON
-UserNameHeaderFormat.JWT=JWT
-JwtHeadersAuthFilterPanel.formatUserName=Format the Header value is in
-JwtHeadersAuthFilterPanel.userNamePath=JSON path for the User Name
-JwtHeadersAuthFilterPanel.roleConverterTitle=Role Converter Map from External Roles to Geoserver Roles
-JwtHeadersAuthFilterPanel.roleConverterHint=eg. ExternalRole1=GeoServerRole1;ExternalRole2=GeoServerRole2
-JwtHeadersAuthFilterPanel.externalRoleTitle=External Role Name
-JwtHeadersAuthFilterPanel.gsRoleTitle=GeoServer Role Name
-JwtHeadersAuthFilterPanel.roleConverterTableTitle=Role Conversion Summary
-JwtHeadersAuthFilterPanel.roleConverterOnlyListedExternalRoles=Only allow External Roles that are explicitly named above
-JwtHeadersAuthFilterPanel.showTokenValidation=Validate JWT (Access Token)
-JwtHeadersAuthFilterPanel.validateTokenSignatureText=Validate JWT (Access Token) Signature
-JwtHeadersAuthFilterPanel.validateTokenSignatureURL=JSON Web Key Set URL (jwks_uri)
-JwtHeadersAuthFilterPanel.validateTokenAgainstURL=Validate JWT (Access Token) Against Endpoint 
-JwtHeadersAuthFilterPanel.validateTokenAgainstURLText=URL (userinfo_endpoint)
-JwtHeadersAuthFilterPanel.validateTokenAgainstURLSubject=Also validate Subject
-JwtHeadersAuthFilterPanel.validateTokenAudience=Validate JWT (Access Token) Audience 
-JwtHeadersAuthFilterPanel.validateTokenAudienceClaimName=Claim Name (usually 'aud', 'azp', or 'appid')
-JwtHeadersAuthFilterPanel.validateTokenAudienceClaimValue=Required Claim Value
-JwtHeadersAuthFilterPanel.validateTokenHeader=Header Attached JWT Validation
-JwtHeadersAuthFilterPanel.validateTokenExpiry=Validate Token Expiry
-JwtHeadersAuthFilterPanel.validateTokenHelp= \
-Options for validating a JWT Token.\
-Typically only required for Access Token validation (Bearer Tokens).
-JwtHeadersAuthFilterPanel.validateTokenHelp.title=JWT Validation Options
-
-
diff --git a/src/community/jwt-headers/src/main/resources/applicationContext.xml b/src/community/jwt-headers/src/main/resources/applicationContext.xml
deleted file mode 100644
index 97b4b7d779c..00000000000
--- a/src/community/jwt-headers/src/main/resources/applicationContext.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  ~ (c) 2024 Open Source Geospatial Foundation - all rights reserved
-  ~ This code is licensed under the GPL 2.0 license, available at the root
-  ~ application directory.
-  ~
-  -->
-<beans xmlns="http://www.springframework.org/schema/beans"
-	xmlns:sec="http://www.springframework.org/schema/security"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://www.springframework.org/schema/beans
-          http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-          http://www.springframework.org/schema/security
-          http://www.springframework.org/schema/security/spring-security-3.0.4.xsd">
-
-	<bean class="org.geoserver.platform.ModuleStatusImpl">
-		<constructor-arg index="0" value="jwt-headers" />
-		<constructor-arg index="1" value="GeoServer JWT Headers Security" />
-	</bean>
-
-	<!-- enables JWT Headers as an auth-provider -->
-	<bean id="jwtHeadersFilterProvider"
-		class="org.geoserver.security.jwtheaders.filter.GeoserverJwtHeadersAuthenticationProvider" />
-
-
-	<bean id="jwtHeadersAuthPanelInfo" class="org.geoserver.security.jwtheaders.web.JwtHeadersAuthFilterPanelInfo">
-		<property name="id" value="security.jwtheader.headerAuthFilter" />
-		<property name="shortTitleKey" value="JwtHeadersAuthFilterPanel.short"/>
-		<property name="titleKey" value="JwtHeadersAuthFilterPanel.title"/>
-		<property name="descriptionKey" value="JwtHeadersAuthFilterPanel.description"/>
-	</bean>
-
-
-</beans>
diff --git a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/JwtHeadersIntegrationTest.java b/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/JwtHeadersIntegrationTest.java
deleted file mode 100644
index 1bd347c74ee..00000000000
--- a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/JwtHeadersIntegrationTest.java
+++ /dev/null
@@ -1,344 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders;
-
-import static org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig.JWTHeaderRoleSource.JSON;
-import static org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig.JWTHeaderRoleSource.JWT;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.SortedSet;
-import java.util.stream.Collectors;
-import javax.servlet.Filter;
-import javax.servlet.ServletRequestEvent;
-import javax.servlet.http.HttpSession;
-import org.geoserver.data.test.SystemTestData;
-import org.geoserver.platform.GeoServerExtensions;
-import org.geoserver.security.*;
-import org.geoserver.security.config.SecurityFilterConfig;
-import org.geoserver.security.config.SecurityManagerConfig;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilter;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.geoserver.security.jwtheaders.filter.details.JwtHeadersWebAuthenticationDetails;
-import org.geoserver.test.GeoServerSystemTestSupport;
-import org.junit.Assert;
-import org.junit.Test;
-import org.springframework.mock.web.MockFilterChain;
-import org.springframework.mock.web.MockHttpServletRequest;
-import org.springframework.mock.web.MockHttpServletResponse;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContext;
-import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
-import org.springframework.security.web.context.HttpRequestResponseHolder;
-import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
-import org.springframework.web.context.request.RequestContextHolder;
-import org.springframework.web.context.request.RequestContextListener;
-import org.springframework.web.context.request.ServletRequestAttributes;
-
-public class JwtHeadersIntegrationTest extends GeoServerSystemTestSupport {
-
-    @Override
-    protected void onSetUp(SystemTestData testData) throws Exception {
-        super.onSetUp(testData);
-    }
-
-    protected GeoServerJwtHeadersFilterConfig injectConfig1() throws Exception {
-        GeoServerSecurityManager manager = getSecurityManager();
-
-        SortedSet<String> filters = manager.listFilters();
-        if (filters.contains("JwtHeaders1")) {
-            SecurityFilterConfig config = manager.loadFilterConfig("JwtHeaders1", false);
-            manager.removeFilter(config);
-        }
-        if (filters.contains("JwtHeaders2")) {
-            SecurityFilterConfig config = manager.loadFilterConfig("JwtHeaders2", false);
-            manager.removeFilter(config);
-        }
-
-        GeoServerJwtHeadersFilterConfig filterConfig = new GeoServerJwtHeadersFilterConfig();
-        filterConfig.setName("JwtHeaders1");
-
-        filterConfig.setClassName(GeoServerJwtHeadersFilter.class.getName());
-
-        // username
-        filterConfig.setUserNameJsonPath("preferred_username");
-        filterConfig.setUserNameFormatChoice(
-                GeoServerJwtHeadersFilterConfig.UserNameHeaderFormat.JSON);
-        filterConfig.setUserNameHeaderAttributeName("json-header");
-
-        // roles
-        filterConfig.setRoleSource(JSON);
-        filterConfig.setRoleConverterString("GeoserverAdministrator=ROLE_ADMINISTRATOR");
-        filterConfig.setRolesJsonPath("resource_access.live-key2.roles");
-        filterConfig.setRolesHeaderName("json-header");
-        filterConfig.setOnlyExternalListedRoles(true);
-
-        manager.saveFilter(filterConfig);
-
-        SecurityManagerConfig config = manager.getSecurityConfig();
-        GeoServerSecurityFilterChain chain = config.getFilterChain();
-        RequestFilterChain www = chain.getRequestChainByName("web");
-        //  www.setFilterNames("JwtHeaders1", "anonymous");
-        www.setFilterNames("JwtHeaders1");
-
-        manager.saveSecurityConfig(config);
-        return filterConfig;
-    }
-
-    protected GeoServerJwtHeadersFilterConfig injectConfig2() throws Exception {
-        GeoServerSecurityManager manager = getSecurityManager();
-
-        SortedSet<String> filters = manager.listFilters();
-        if (filters.contains("JwtHeaders1")) {
-            SecurityFilterConfig config = manager.loadFilterConfig("JwtHeaders1", false);
-            manager.removeFilter(config);
-        }
-        if (filters.contains("JwtHeaders2")) {
-            SecurityFilterConfig config = manager.loadFilterConfig("JwtHeaders2", false);
-            manager.removeFilter(config);
-        }
-
-        GeoServerJwtHeadersFilterConfig filterConfig = new GeoServerJwtHeadersFilterConfig();
-        filterConfig.setName("JwtHeaders2");
-
-        filterConfig.setClassName(GeoServerJwtHeadersFilter.class.getName());
-
-        // username
-        filterConfig.setUserNameJsonPath("preferred_username");
-        filterConfig.setUserNameFormatChoice(
-                GeoServerJwtHeadersFilterConfig.UserNameHeaderFormat.JWT);
-        filterConfig.setUserNameHeaderAttributeName("json-header");
-
-        // roles
-        filterConfig.setRoleSource(JWT);
-        filterConfig.setRoleConverterString("GeoserverAdministrator=ROLE_ADMINISTRATOR");
-        filterConfig.setRolesJsonPath("resource_access.live-key2.roles");
-        filterConfig.setRolesHeaderName("json-header");
-        filterConfig.setOnlyExternalListedRoles(true);
-
-        manager.saveFilter(filterConfig);
-
-        SecurityManagerConfig config = manager.getSecurityConfig();
-        GeoServerSecurityFilterChain chain = config.getFilterChain();
-        RequestFilterChain www = chain.getRequestChainByName("web");
-
-        www.setFilterNames("JwtHeaders2");
-
-        manager.saveSecurityConfig(config);
-        return filterConfig;
-    }
-
-    /**
-     * Enable the Spring Security authentication filters, we want the test to be complete and
-     * realistic
-     */
-    @Override
-    protected List<Filter> getFilters() {
-
-        SecurityManagerConfig mconfig = getSecurityManager().getSecurityConfig();
-        GeoServerSecurityFilterChain filterChain = mconfig.getFilterChain();
-        VariableFilterChain chain = (VariableFilterChain) filterChain.getRequestChainByName("web");
-        List<Filter> result = new ArrayList<>();
-        for (String filterName : chain.getCompiledFilterNames()) {
-            try {
-                result.add(getSecurityManager().loadFilter(filterName));
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            }
-        }
-        return result;
-    }
-
-    String json =
-            "{\"exp\":1707155912,\"iat\":1707155612,\"jti\":\"888715ae-a79d-4633-83e5-9b97dee02bbc\",\"iss\":\"https://login-live-dev.geocat.live/realms/dave-test2\",\"aud\":\"account\",\"sub\":\"ea33e3cc-f0e1-4218-89cb-8d48c27eee3d\",\"typ\":\"Bearer\",\"azp\":\"live-key2\",\"session_state\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"acr\":\"1\",\"realm_access\":{\"roles\":[\"default-roles-dave-test2\",\"offline_access\",\"uma_authorization\"]},\"resource_access\":{\"live-key2\":{\"roles\":[\"GeoserverAdministrator\"]},\"account\":{\"roles\":[\"manage-account\",\"manage-account-links\",\"view-profile\"]}},\"scope\":\"openidprofileemail\",\"sid\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"email_verified\":false,\"name\":\"davidblasby\",\"preferred_username\":\"david.blasby@geocat.net\",\"given_name\":\"david\",\"family_name\":\"blasby\",\"email\":\"david.blasby@geocat.net\"}";
-
-    @Test
-    public void testSimpleJSON() throws Exception {
-        GeoServerJwtHeadersFilterConfig filterConfig = injectConfig1();
-        // mimick user pressing on login button
-        MockHttpServletRequest webRequest = createRequest("web/");
-        MockHttpServletResponse webResponse = executeOnSecurityFilters(webRequest);
-
-        int responseStatus = webResponse.getStatus();
-
-        Assert.assertTrue(responseStatus > 400); // access denied
-
-        webRequest = createRequest("web/");
-        webRequest.addHeader("json-header", json);
-
-        webResponse = executeOnSecurityFilters(webRequest);
-
-        responseStatus = webResponse.getStatus();
-
-        Assert.assertEquals(responseStatus, 200); // good request
-
-        // get the security context
-        Authentication auth = getAuthentication(webRequest, webResponse);
-
-        Assert.assertNotNull(auth);
-        Assert.assertEquals(PreAuthenticatedAuthenticationToken.class, auth.getClass());
-        Assert.assertEquals(JwtHeadersWebAuthenticationDetails.class, auth.getDetails().getClass());
-
-        String authFilterId =
-                ((JwtHeadersWebAuthenticationDetails) auth.getDetails()).getJwtHeadersConfigId();
-        Assert.assertEquals(filterConfig.getId(), authFilterId);
-
-        List<String> roles =
-                auth.getAuthorities().stream()
-                        .map(x -> x.getAuthority())
-                        .collect(Collectors.toList());
-        Assert.assertEquals(2, roles.size());
-        Assert.assertTrue(roles.contains("ROLE_ADMINISTRATOR"));
-        Assert.assertTrue(roles.contains("ROLE_AUTHENTICATED"));
-        int tt = 0;
-    }
-
-    String accessToken =
-            "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItWEdld190TnFwaWRrYTl2QXNJel82WEQtdnJmZDVyMlNWTWkwcWMyR1lNIn0.eyJleHAiOjE3MDcxNTMxNDYsImlhdCI6MTcwNzE1Mjg0NiwiYXV0aF90aW1lIjoxNzA3MTUyNjQ1LCJqdGkiOiJlMzhjY2ZmYy0zMWNjLTQ0NmEtYmU1Yy04MjliNDE0NTkyZmQiLCJpc3MiOiJodHRwczovL2xvZ2luLWxpdmUtZGV2Lmdlb2NhdC5saXZlL3JlYWxtcy9kYXZlLXRlc3QyIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImVhMzNlM2NjLWYwZTEtNDIxOC04OWNiLThkNDhjMjdlZWUzZCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImxpdmUta2V5MiIsIm5vbmNlIjoiQldzc2M3cTBKZ0tHZC1OdFc1QlFhVlROMkhSa25LQmVIY0ZMTHZ5OXpYSSIsInNlc3Npb25fc3RhdGUiOiIxY2FiZmU1NC1lOWU0LTRjMmMtODQwNy03NTZiMjczZmFmZmIiLCJhY3IiOiIwIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtZGF2ZS10ZXN0MiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJsaXZlLWtleTIiOnsicm9sZXMiOlsiR2Vvc2VydmVyQWRtaW5pc3RyYXRvciJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcGhvbmUgb2ZmbGluZV9hY2Nlc3MgbWljcm9wcm9maWxlLWp3dCBwcm9maWxlIGFkZHJlc3MgZW1haWwiLCJzaWQiOiIxY2FiZmU1NC1lOWU0LTRjMmMtODQwNy03NTZiMjczZmFmZmIiLCJ1cG4iOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiYWRkcmVzcyI6e30sIm5hbWUiOiJkYXZpZCBibGFzYnkiLCJncm91cHMiOlsiZGVmYXVsdC1yb2xlcy1kYXZlLXRlc3QyIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCIsImdpdmVuX25hbWUiOiJkYXZpZCIsImZhbWlseV9uYW1lIjoiYmxhc2J5IiwiZW1haWwiOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCJ9.fHzXd7oISnqWb09ah9wikfP2UOBeiOA3vd_aDg3Bw-xcfv9aD3CWhAK5FUDPYSPyj4whAcknZbUgUzcm0qkaI8V_aS65F3Fug4jt4nC9YPL4zMSJ5an4Dp6jlQ3OQhrKFn4FwaoW61ndMmScsZZWEQyj6gzHnn5cknqySB26tVydT6q57iTO7KQFcXRdbXd6GWIoFGS-ud9XzxQMUdNfYmsDD7e6hoWhe9PJD9Zq4KT6JN13hUU4Dos-Z5SBHjRa6ieHoOe9gqkjKyA1jT1NU42Nqr-mTV-ql22nAoXuplpvOYc5-09-KDDzSDuVKFwLCNMN3ZyRF1wWuydJeU-gOQ";
-
-    @Test
-    public void testSimpleJWT() throws Exception {
-        GeoServerJwtHeadersFilterConfig filterConfig = injectConfig2();
-        // mimick user pressing on login button
-        MockHttpServletRequest webRequest = createRequest("web/");
-        MockHttpServletResponse webResponse = executeOnSecurityFilters(webRequest);
-
-        int responseStatus = webResponse.getStatus();
-
-        Assert.assertTrue(responseStatus > 400); // access denied
-
-        webRequest = createRequest("web/");
-        webRequest.addHeader("json-header", accessToken);
-
-        webResponse = executeOnSecurityFilters(webRequest);
-
-        responseStatus = webResponse.getStatus();
-
-        Assert.assertEquals(responseStatus, 200); // good request
-
-        Authentication auth = getAuthentication(webRequest, webResponse);
-
-        Assert.assertNotNull(auth);
-        Assert.assertEquals(PreAuthenticatedAuthenticationToken.class, auth.getClass());
-        Assert.assertEquals(JwtHeadersWebAuthenticationDetails.class, auth.getDetails().getClass());
-
-        String authFilterId =
-                ((JwtHeadersWebAuthenticationDetails) auth.getDetails()).getJwtHeadersConfigId();
-        Assert.assertEquals(filterConfig.getId(), authFilterId);
-
-        List<String> roles =
-                auth.getAuthorities().stream()
-                        .map(x -> x.getAuthority())
-                        .collect(Collectors.toList());
-        Assert.assertEquals(2, roles.size());
-        Assert.assertTrue(roles.contains("ROLE_ADMINISTRATOR"));
-        Assert.assertTrue(roles.contains("ROLE_AUTHENTICATED"));
-        int tt = 0;
-    }
-
-    @Test
-    public void testLogout() throws Exception {
-        GeoServerJwtHeadersFilterConfig filterConfig = injectConfig2();
-        MockHttpServletRequest webRequest = createRequest("web/");
-        MockHttpServletResponse webResponse = executeOnSecurityFilters(webRequest);
-
-        // no token, no access
-        int responseStatus = webResponse.getStatus();
-        Assert.assertTrue(responseStatus > 400);
-        HttpSession session = webRequest.getSession();
-
-        // add token - should have access
-        webRequest = createRequest("web/");
-        webRequest.setSession(session);
-        webRequest.addHeader("json-header", accessToken);
-
-        webResponse = executeOnSecurityFilters(webRequest);
-        responseStatus = webResponse.getStatus();
-        Assert.assertEquals(responseStatus, 200);
-
-        session = webRequest.getSession();
-        // remove token - should not have access
-        webRequest = createRequest("web/");
-        webRequest.setSession(session);
-
-        webResponse = executeOnSecurityFilters(webRequest);
-        responseStatus = webResponse.getStatus();
-        Assert.assertTrue(responseStatus > 400);
-    }
-
-    String json2 =
-            "{\"exp\":1707155912,\"iat\":1707155612,\"jti\":\"888715ae-a79d-4633-83e5-9b97dee02bbc\",\"iss\":\"https://login-live-dev.geocat.live/realms/dave-test2\",\"aud\":\"account\",\"sub\":\"ea33e3cc-f0e1-4218-89cb-8d48c27eee3d\",\"typ\":\"Bearer\",\"azp\":\"live-key2\",\"session_state\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"acr\":\"1\",\"realm_access\":{\"roles\":[\"default-roles-dave-test2\",\"offline_access\",\"uma_authorization\"]},\"resource_access\":{\"live-key2\":{\"roles\":[\"GeoserverAdministrator\"]},\"account\":{\"roles\":[\"manage-account\",\"manage-account-links\",\"view-profile\"]}},\"scope\":\"openidprofileemail\",\"sid\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"email_verified\":false,\"name\":\"davidblasby\",\"preferred_username\":\"david.blasby22@geocat.net\",\"given_name\":\"david\",\"family_name\":\"blasby\",\"email\":\"david.blasby@geocat.net\"}";
-
-    @Test
-    public void testUserNameChange() throws Exception {
-        GeoServerJwtHeadersFilterConfig filterConfig = injectConfig1();
-        MockHttpServletRequest webRequest = createRequest("web/");
-        MockHttpServletResponse webResponse = executeOnSecurityFilters(webRequest);
-
-        // no token, no access
-        int responseStatus = webResponse.getStatus();
-        Assert.assertTrue(responseStatus > 400);
-        HttpSession session = webRequest.getSession();
-
-        // add token - should have access
-        webRequest = createRequest("web/");
-        webRequest.setSession(session);
-        webRequest.addHeader("json-header", json);
-
-        webResponse = executeOnSecurityFilters(webRequest);
-        responseStatus = webResponse.getStatus();
-        Assert.assertEquals(responseStatus, 200);
-
-        Authentication auth = getAuthentication(webRequest, webResponse);
-
-        Assert.assertEquals("david.blasby@geocat.net", auth.getPrincipal());
-
-        // use different json with different username!
-        webRequest = createRequest("web/");
-        webRequest.setSession(session);
-        webRequest.addHeader("json-header", json2);
-        webResponse = executeOnSecurityFilters(webRequest);
-        responseStatus = webResponse.getStatus();
-        Assert.assertEquals(responseStatus, 200);
-
-        auth = getAuthentication(webRequest, webResponse);
-
-        Assert.assertEquals("david.blasby22@geocat.net", auth.getPrincipal());
-    }
-
-    public Authentication getAuthentication(
-            MockHttpServletRequest request, MockHttpServletResponse response) {
-        SecurityContext context =
-                new HttpSessionSecurityContextRepository()
-                        .loadContext(new HttpRequestResponseHolder(request, response));
-        Authentication auth = context.getAuthentication();
-        return auth;
-    }
-
-    public HttpSession getSession() {
-        ServletRequestAttributes attr =
-                (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
-        HttpSession session = attr.getRequest().getSession();
-        return session;
-    }
-
-    private MockHttpServletResponse executeOnSecurityFilters(MockHttpServletRequest request)
-            throws IOException, javax.servlet.ServletException {
-        // for session local support in Spring
-        new RequestContextListener()
-                .requestInitialized(new ServletRequestEvent(request.getServletContext(), request));
-
-        // run on the
-        MockFilterChain chain = new MockFilterChain();
-        MockHttpServletResponse response = new MockHttpServletResponse();
-        GeoServerSecurityFilterChainProxy filterChainProxy =
-                GeoServerExtensions.bean(GeoServerSecurityFilterChainProxy.class);
-        filterChainProxy.doFilter(request, response, chain);
-
-        return response;
-    }
-}
diff --git a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/filter/JwtHeadersFilterTest.java b/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/filter/JwtHeadersFilterTest.java
deleted file mode 100644
index 0a2c5a796bc..00000000000
--- a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/filter/JwtHeadersFilterTest.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.filter;
-
-import java.io.IOException;
-import org.geoserver.security.jwtheaders.filter.details.JwtHeadersWebAuthenticationDetails;
-import org.geoserver.test.GeoServerAbstractTestSupport;
-import org.junit.Test;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.web.authentication.WebAuthenticationDetails;
-import org.springframework.util.Assert;
-
-public class JwtHeadersFilterTest {
-
-    @Test
-    public void testExistingAuthIsFromThisConfig() throws IOException {
-        GeoServerJwtHeadersFilterConfig config1 = new GeoServerJwtHeadersFilterConfig();
-        config1.setId("abc123");
-        GeoServerJwtHeadersFilter filter1 = new GeoServerJwtHeadersFilter();
-        filter1.initializeFromConfig(config1);
-
-        GeoServerJwtHeadersFilterConfig config2 = new GeoServerJwtHeadersFilterConfig();
-        config2.setId("aaaaaaaaaaa111111111111111");
-        GeoServerJwtHeadersFilter filter2 = new GeoServerJwtHeadersFilter();
-        filter2.initializeFromConfig(config1);
-
-        // trivial cases
-
-        // no existing auth
-        Assert.isTrue(!filter1.existingAuthIsFromThisConfig(null));
-        // not from us
-        UsernamePasswordAuthenticationToken auth =
-                new UsernamePasswordAuthenticationToken(null, null, null);
-        Assert.isTrue(!filter1.existingAuthIsFromThisConfig(auth));
-
-        // details, but wrong type
-        auth.setDetails(new WebAuthenticationDetails(null, null));
-        Assert.isTrue(!filter1.existingAuthIsFromThisConfig(auth));
-
-        // more complex cases
-        // details is JwtHeaders, but wrong id
-        auth.setDetails(
-                new JwtHeadersWebAuthenticationDetails(
-                        config2.getId(),
-                        new GeoServerAbstractTestSupport.GeoServerMockHttpServletRequest("", "")));
-        Assert.isTrue(!filter1.existingAuthIsFromThisConfig(auth));
-
-        // details is JwtHeaders,right id
-        auth.setDetails(
-                new JwtHeadersWebAuthenticationDetails(
-                        config1.getId(),
-                        new GeoServerAbstractTestSupport.GeoServerMockHttpServletRequest("", "")));
-        Assert.isTrue(filter1.existingAuthIsFromThisConfig(auth));
-    }
-
-    @Test
-    public void testPrincipleHasChanged() throws IOException {
-        GeoServerJwtHeadersFilterConfig config1 = new GeoServerJwtHeadersFilterConfig();
-        config1.setId("abc123");
-        GeoServerJwtHeadersFilter filter1 = new GeoServerJwtHeadersFilter();
-        filter1.initializeFromConfig(config1);
-
-        // trivial cases
-        Assert.isTrue(!filter1.principleHasChanged(null, null));
-        Assert.isTrue(!filter1.principleHasChanged(null, "aaa"));
-
-        UsernamePasswordAuthenticationToken auth_aaa =
-                new UsernamePasswordAuthenticationToken("aaa", null, null);
-        UsernamePasswordAuthenticationToken auth_bbb =
-                new UsernamePasswordAuthenticationToken("bbb", null, null);
-
-        // aaa->aaa
-        Assert.isTrue(!filter1.principleHasChanged(auth_aaa, "aaa"));
-
-        /// bbb->aaa
-        Assert.isTrue(filter1.principleHasChanged(auth_bbb, "aaa"));
-    }
-}
diff --git a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/roles/JwtHeadersRolesExtractorTest.java b/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/roles/JwtHeadersRolesExtractorTest.java
deleted file mode 100644
index 5e704003300..00000000000
--- a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/roles/JwtHeadersRolesExtractorTest.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.roles;
-
-import static org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig.JWTHeaderRoleSource.JSON;
-import static org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig.JWTHeaderRoleSource.JWT;
-
-import java.text.ParseException;
-import java.util.List;
-import java.util.stream.Collectors;
-import org.geoserver.security.impl.GeoServerRole;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.junit.Assert;
-import org.junit.Test;
-
-public class JwtHeadersRolesExtractorTest {
-
-    public JwtHeadersRolesExtractor getExtractor(
-            GeoServerJwtHeadersFilterConfig.JWTHeaderRoleSource roleSource,
-            String roleConverterMapString,
-            String path) {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-        config.setRoleSource(roleSource);
-        config.setRoleConverterString(roleConverterMapString);
-        config.setRolesJsonPath(path);
-        return new JwtHeadersRolesExtractor(config);
-    }
-
-    @Test
-    public void testSimpleJwt() throws ParseException {
-        String accessToken =
-                "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItWEdld190TnFwaWRrYTl2QXNJel82WEQtdnJmZDVyMlNWTWkwcWMyR1lNIn0.eyJleHAiOjE3MDcxNTMxNDYsImlhdCI6MTcwNzE1Mjg0NiwiYXV0aF90aW1lIjoxNzA3MTUyNjQ1LCJqdGkiOiJlMzhjY2ZmYy0zMWNjLTQ0NmEtYmU1Yy04MjliNDE0NTkyZmQiLCJpc3MiOiJodHRwczovL2xvZ2luLWxpdmUtZGV2Lmdlb2NhdC5saXZlL3JlYWxtcy9kYXZlLXRlc3QyIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImVhMzNlM2NjLWYwZTEtNDIxOC04OWNiLThkNDhjMjdlZWUzZCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImxpdmUta2V5MiIsIm5vbmNlIjoiQldzc2M3cTBKZ0tHZC1OdFc1QlFhVlROMkhSa25LQmVIY0ZMTHZ5OXpYSSIsInNlc3Npb25fc3RhdGUiOiIxY2FiZmU1NC1lOWU0LTRjMmMtODQwNy03NTZiMjczZmFmZmIiLCJhY3IiOiIwIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtZGF2ZS10ZXN0MiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJsaXZlLWtleTIiOnsicm9sZXMiOlsiR2Vvc2VydmVyQWRtaW5pc3RyYXRvciJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcGhvbmUgb2ZmbGluZV9hY2Nlc3MgbWljcm9wcm9maWxlLWp3dCBwcm9maWxlIGFkZHJlc3MgZW1haWwiLCJzaWQiOiIxY2FiZmU1NC1lOWU0LTRjMmMtODQwNy03NTZiMjczZmFmZmIiLCJ1cG4iOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiYWRkcmVzcyI6e30sIm5hbWUiOiJkYXZpZCBibGFzYnkiLCJncm91cHMiOlsiZGVmYXVsdC1yb2xlcy1kYXZlLXRlc3QyIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCIsImdpdmVuX25hbWUiOiJkYXZpZCIsImZhbWlseV9uYW1lIjoiYmxhc2J5IiwiZW1haWwiOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCJ9.fHzXd7oISnqWb09ah9wikfP2UOBeiOA3vd_aDg3Bw-xcfv9aD3CWhAK5FUDPYSPyj4whAcknZbUgUzcm0qkaI8V_aS65F3Fug4jt4nC9YPL4zMSJ5an4Dp6jlQ3OQhrKFn4FwaoW61ndMmScsZZWEQyj6gzHnn5cknqySB26tVydT6q57iTO7KQFcXRdbXd6GWIoFGS-ud9XzxQMUdNfYmsDD7e6hoWhe9PJD9Zq4KT6JN13hUU4Dos-Z5SBHjRa6ieHoOe9gqkjKyA1jT1NU42Nqr-mTV-ql22nAoXuplpvOYc5-09-KDDzSDuVKFwLCNMN3ZyRF1wWuydJeU-gOQ";
-
-        List<GeoServerRole> roles =
-                getExtractor(JWT, "", "resource_access.live-key2.roles").getRoles(accessToken)
-                        .stream()
-                        .collect(Collectors.toList());
-        Assert.assertEquals(1, roles.size());
-        Assert.assertEquals("GeoserverAdministrator", roles.get(0).getAuthority());
-    }
-
-    @Test
-    public void testSimpleJson() throws ParseException {
-        String json =
-                "{\"exp\":1707155912,\"iat\":1707155612,\"jti\":\"888715ae-a79d-4633-83e5-9b97dee02bbc\",\"iss\":\"https://login-live-dev.geocat.live/realms/dave-test2\",\"aud\":\"account\",\"sub\":\"ea33e3cc-f0e1-4218-89cb-8d48c27eee3d\",\"typ\":\"Bearer\",\"azp\":\"live-key2\",\"session_state\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"acr\":\"1\",\"realm_access\":{\"roles\":[\"default-roles-dave-test2\",\"offline_access\",\"uma_authorization\"]},\"resource_access\":{\"live-key2\":{\"roles\":[\"GeoserverAdministrator\"]},\"account\":{\"roles\":[\"manage-account\",\"manage-account-links\",\"view-profile\"]}},\"scope\":\"openidprofileemail\",\"sid\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"email_verified\":false,\"name\":\"davidblasby\",\"preferred_username\":\"david.blasby@geocat.net\",\"given_name\":\"david\",\"family_name\":\"blasby\",\"email\":\"david.blasby@geocat.net\"}";
-        List<GeoServerRole> roles =
-                getExtractor(JSON, "", "resource_access.live-key2.roles").getRoles(json).stream()
-                        .collect(Collectors.toList());
-        Assert.assertEquals(1, roles.size());
-        Assert.assertEquals("GeoserverAdministrator", roles.get(0).getAuthority());
-    }
-}
diff --git a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/roles/RoleConverterTest.java b/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/roles/RoleConverterTest.java
deleted file mode 100644
index 12917b3f375..00000000000
--- a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/roles/RoleConverterTest.java
+++ /dev/null
@@ -1,137 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.roles;
-
-import java.util.Arrays;
-import java.util.List;
-import java.util.Map;
-import org.geoserver.security.impl.GeoServerRole;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.junit.Assert;
-import org.junit.Test;
-
-public class RoleConverterTest {
-
-    /**
-     * tests parsing of the roleConverter string
-     * format:externalRoleName1=GeoServerRoleName1;externalRoleName2=GeoServerRoleName2" These check
-     * for empty maps
-     */
-    @Test
-    public void testParseNull() {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-
-        config.setRoleConverterString(null);
-        Map<String, String> map = config.getRoleConverterAsMap();
-        Assert.assertEquals(0, map.size());
-
-        config.setRoleConverterString("");
-        map = config.getRoleConverterAsMap();
-        Assert.assertEquals(0, map.size());
-
-        config.setRoleConverterString("adadadfafdasdf");
-        map = config.getRoleConverterAsMap();
-        Assert.assertEquals(0, map.size());
-
-        config.setRoleConverterString("adadadfafdasdf=");
-        map = config.getRoleConverterAsMap();
-        Assert.assertEquals(0, map.size());
-    }
-
-    /**
-     * tests parsing of the roleConverter string
-     * format:externalRoleName1=GeoServerRoleName1;externalRoleName2=GeoServerRoleName2" These
-     * checks simple (correct) inputs
-     */
-    @Test
-    public void testParseSimple() {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-
-        config.setRoleConverterString("a=b");
-        Map<String, String> map = config.getRoleConverterAsMap();
-        Assert.assertEquals(1, map.size());
-        Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("b", map.get("a"));
-
-        config.setRoleConverterString("a=b;c=d");
-        map = config.getRoleConverterAsMap();
-        Assert.assertEquals(2, map.size());
-        Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("b", map.get("a"));
-        Assert.assertTrue(map.containsKey("c"));
-        Assert.assertEquals("d", map.get("c"));
-    }
-
-    /**
-     * tests parsing of the roleConverter string
-     * format:externalRoleName1=GeoServerRoleName1;externalRoleName2=GeoServerRoleName2" These
-     * checks bad inputs
-     */
-    @Test
-    public void testParseBad() {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-
-        // bad format
-        config.setRoleConverterString("a=b;c=;d");
-        Map<String, String> map = config.getRoleConverterAsMap();
-        Assert.assertEquals(1, map.size());
-        Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("b", map.get("a"));
-
-        // bad chars
-        config.setRoleConverterString("a= b** ;c=**;d");
-        map = config.getRoleConverterAsMap();
-        Assert.assertEquals(1, map.size());
-        Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("b", map.get("a"));
-
-        // removes html tags
-        config.setRoleConverterString("a= <script> ;c=**;d");
-        map = config.getRoleConverterAsMap();
-        Assert.assertEquals(1, map.size());
-        Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("script", map.get("a"));
-    }
-
-    /** Tests simple conversion, with setOnlyExternalListedRoles(false); */
-    @Test
-    public void testConversionAllExternals() {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-        config.setRoleConverterString("a=b;c=d");
-        config.setOnlyExternalListedRoles(false);
-
-        RoleConverter roleConverter = new RoleConverter(config);
-        List<String> externalRoles = Arrays.asList("a", "c");
-        List<GeoServerRole> internalRoles = roleConverter.convert(externalRoles);
-        Assert.assertEquals(2, internalRoles.size());
-        Assert.assertEquals("b", internalRoles.get(0).getAuthority());
-        Assert.assertEquals("d", internalRoles.get(1).getAuthority());
-
-        // dddddd = non-existant internal roles (but thats okay -
-        // config.setOnlyExternalListedRoles(false);)
-        externalRoles = Arrays.asList("ddddddd", "c");
-        internalRoles = roleConverter.convert(externalRoles);
-        Assert.assertEquals(2, internalRoles.size());
-
-        Assert.assertEquals("ddddddd", internalRoles.get(0).getAuthority());
-        Assert.assertEquals("d", internalRoles.get(1).getAuthority());
-    }
-
-    /** Tests simple conversion, with setOnlyExternalListedRoles(true); */
-    @Test
-    public void testConversionOnlyMapped() {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-        config.setRoleConverterString("a=b;c=d");
-        config.setOnlyExternalListedRoles(true);
-
-        RoleConverter roleConverter = new RoleConverter(config);
-        List<String> externalRoles = Arrays.asList("ddddddd", "c");
-        List<GeoServerRole> internalRoles = roleConverter.convert(externalRoles);
-        Assert.assertEquals(1, internalRoles.size());
-
-        Assert.assertEquals("d", internalRoles.get(0).getAuthority());
-    }
-}
diff --git a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenAudienceValidatorTest.java b/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenAudienceValidatorTest.java
deleted file mode 100644
index ac54ad05e77..00000000000
--- a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenAudienceValidatorTest.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.token;
-
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.geoserver.security.jwtheaders.username.JwtHeaderUserNameExtractorTest;
-import org.junit.Test;
-
-/** tests the TokenAudienceValidator class */
-public class TokenAudienceValidatorTest {
-
-    /**
-     * simple test - the access token has an "azp" claim that is "live-key2". - We test that the
-     * token has this value.
-     *
-     * @throws Exception
-     */
-    @Test
-    public void test_simple() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-
-        config.setValidateToken(true);
-        config.setValidateTokenAudience(true);
-        config.setValidateTokenAudienceClaimName("azp");
-        config.setValidateTokenAudienceClaimValue("live-key2"); // this is correct
-
-        TokenValidator validator = new TokenValidator(config);
-
-        String token = JwtHeaderUserNameExtractorTest.accessToken;
-        validator.validate(token);
-    }
-
-    /**
-     * simple test - the access token has an "azp" claim that is "live-key2". - We test that the
-     * token has a different value (i.e. fail). - We expect an exception
-     *
-     * @throws Exception
-     */
-    @Test(expected = Exception.class)
-    public void test_simple_fail() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-
-        config.setValidateToken(true);
-        config.setValidateTokenAudience(true);
-        config.setValidateTokenAudienceClaimName("azp");
-        config.setValidateTokenAudienceClaimValue("ABCD"); // doesnt match
-
-        TokenValidator validator = new TokenValidator(config);
-
-        String token = JwtHeaderUserNameExtractorTest.accessToken;
-        validator.validate(token);
-    }
-}
diff --git a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenEndpointValidatorTest.java b/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenEndpointValidatorTest.java
deleted file mode 100644
index 9f8df91fa7f..00000000000
--- a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenEndpointValidatorTest.java
+++ /dev/null
@@ -1,123 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.token;
-
-import static org.mockito.Mockito.*;
-
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.geoserver.security.jwtheaders.username.JwtHeaderUserNameExtractorTest;
-import org.junit.Test;
-import org.mockito.ArgumentMatchers;
-
-/** tests TokenEndpointValidator class */
-public class TokenEndpointValidatorTest {
-
-    /**
-     * tests a good endpoint - we use a mock to return this json; {
-     * "sub":"ea33e3cc-f0e1-4218-89cb-8d48c27eee3d" }
-     *
-     * @throws Exception
-     */
-    @Test
-    public void testGoodEndpoint() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-
-        config.setValidateToken(true);
-        config.setValidateTokenAgainstURL(true);
-        config.setValidateTokenAgainstURLEndpoint("http://myendpointurl.com");
-
-        TokenValidator validator = new TokenValidator(config);
-
-        validator.tokenEndpointValidator = spy(validator.tokenEndpointValidator);
-
-        doReturn(" {\"sub\":\"ea33e3cc-f0e1-4218-89cb-8d48c27eee3d\"}")
-                .when(validator.tokenEndpointValidator)
-                .download(ArgumentMatchers.any(), ArgumentMatchers.any());
-
-        String token = JwtHeaderUserNameExtractorTest.accessToken;
-        validator.validate(token);
-    }
-
-    /**
-     * tests a bad endpoint - we use a mock to return empty.
-     *
-     * @throws Exception
-     */
-    @Test(expected = Exception.class)
-    public void testBadEndpoint() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-
-        config.setValidateToken(true);
-        config.setValidateTokenAgainstURL(true);
-        config.setValidateTokenAgainstURLEndpoint("http://myendpointurl.com");
-
-        TokenValidator validator = new TokenValidator(config);
-
-        validator.tokenEndpointValidator = spy(validator.tokenEndpointValidator);
-
-        doReturn(null)
-                .when(validator.tokenEndpointValidator)
-                .download(ArgumentMatchers.any(), ArgumentMatchers.any());
-
-        String token = JwtHeaderUserNameExtractorTest.accessToken;
-        validator.validate(token);
-    }
-
-    /**
-     * tests a good endpoint - we use a mock to return this json; {
-     * "sub":"ea33e3cc-f0e1-4218-89cb-8d48c27eee3d" } The access token also has this as the subject
-     * (sub), so its good!
-     *
-     * @throws Exception
-     */
-    @Test
-    public void testGoodEndpointGoodSubject() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-
-        config.setValidateToken(true);
-        config.setValidateTokenAgainstURL(true);
-        config.setValidateSubjectWithEndpoint(true);
-        config.setValidateTokenAgainstURLEndpoint("http://myendpointurl.com");
-
-        TokenValidator validator = new TokenValidator(config);
-
-        validator.tokenEndpointValidator = spy(validator.tokenEndpointValidator);
-
-        doReturn(" {\"sub\":\"ea33e3cc-f0e1-4218-89cb-8d48c27eee3d\"}")
-                .when(validator.tokenEndpointValidator)
-                .download(ArgumentMatchers.any(), ArgumentMatchers.any());
-
-        String token = JwtHeaderUserNameExtractorTest.accessToken;
-        validator.validate(token);
-    }
-
-    /**
-     * tests a good endpoint - we use a mock to return this json; { "sub":"BAD-SUBJECT" } The access
-     * token has a different subject, so this should throw
-     *
-     * @throws Exception
-     */
-    @Test(expected = Exception.class)
-    public void testGoodEndpointBadSubject() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-
-        config.setValidateToken(true);
-        config.setValidateTokenAgainstURL(true);
-        config.setValidateSubjectWithEndpoint(true);
-        config.setValidateTokenAgainstURLEndpoint("http://myendpointurl.com");
-
-        TokenValidator validator = new TokenValidator(config);
-
-        validator.tokenEndpointValidator = spy(validator.tokenEndpointValidator);
-
-        doReturn(" {\"sub\":\"BAD-SUBJECT\"}")
-                .when(validator.tokenEndpointValidator)
-                .download(ArgumentMatchers.any(), ArgumentMatchers.any());
-
-        String token = JwtHeaderUserNameExtractorTest.accessToken;
-        validator.validate(token);
-    }
-}
diff --git a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenExpiryValidatorTest.java b/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenExpiryValidatorTest.java
deleted file mode 100644
index d64fc2b76b7..00000000000
--- a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenExpiryValidatorTest.java
+++ /dev/null
@@ -1,85 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.token;
-
-import com.nimbusds.jose.JWSObject;
-import com.nimbusds.jose.Payload;
-import java.util.Calendar;
-import java.util.Map;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.geoserver.security.jwtheaders.username.JwtHeaderUserNameExtractorTest;
-import org.junit.Test;
-
-/** tests TokenExpiryValidator class */
-public class TokenExpiryValidatorTest {
-
-    /**
-     * uses an old access token that has already expired. should throw.
-     *
-     * @throws Exception
-     */
-    @Test(expected = Exception.class)
-    public void test_already_expired() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-
-        config.setValidateToken(true);
-        config.setValidateTokenExpiry(true);
-
-        TokenValidator validator = new TokenValidator(config);
-
-        String token = JwtHeaderUserNameExtractorTest.accessToken;
-        validator.validate(token);
-    }
-
-    /**
-     * we create a new access token that expires tomorrow - this should pass.
-     *
-     * <p>NOTE: the token's signature will fail validation.
-     *
-     * @throws Exception
-     */
-    @Test
-    public void test_not_expired() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-
-        config.setValidateToken(true);
-        config.setValidateTokenExpiry(true);
-
-        TokenValidator validator = new TokenValidator(config);
-
-        String token = getNotExpiredToken(JwtHeaderUserNameExtractorTest.accessToken);
-        validator.validate(token);
-    }
-
-    /**
-     * creates a token that expires tomorrow. NOTE: signature will be invalid.
-     *
-     * @return
-     * @throws Exception
-     */
-    public static String getNotExpiredToken(String token) throws Exception {
-        // this one is expired
-
-        JWSObject jwsToken_expired = JWSObject.parse(token);
-
-        Payload payload = jwsToken_expired.getPayload();
-        Map<String, Object> claims = payload.toJSONObject();
-
-        // expire tomorrow
-        Calendar cal = Calendar.getInstance();
-        cal.add(Calendar.DATE, 1);
-        cal.getTime().toInstant().getEpochSecond();
-        claims.put("exp", cal.getTime().toInstant().getEpochSecond());
-
-        payload = new Payload(claims);
-
-        return jwsToken_expired.getHeader().toBase64URL()
-                + "."
-                + payload.toBase64URL()
-                + "."
-                + jwsToken_expired.getParsedParts()[2];
-    }
-}
diff --git a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenSignatureValidatorTest.java b/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenSignatureValidatorTest.java
deleted file mode 100644
index 3fec6cc5748..00000000000
--- a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenSignatureValidatorTest.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.token;
-
-import static org.geoserver.security.jwtheaders.token.TokenExpiryValidatorTest.getNotExpiredToken;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.spy;
-
-import com.nimbusds.jose.jwk.JWKSet;
-import java.text.ParseException;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.junit.Test;
-import org.mockito.MockedStatic;
-import org.mockito.Mockito;
-
-/** tests TokenSignatureValidator calss */
-public class TokenSignatureValidatorTest {
-
-    /**
-     * tests a good signature
-     *
-     * @throws Exception
-     */
-    @Test
-    public void testGoodSignature() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-
-        config.setValidateToken(true);
-        config.setValidateTokenSignature(true);
-        config.setValidateTokenSignatureURL("myurl");
-
-        TokenValidator validator = new TokenValidator(config);
-
-        validator.tokenSignatureValidator = spy(validator.tokenSignatureValidator);
-
-        MockedStatic<TokenSignatureValidator> mocked =
-                Mockito.mockStatic(TokenSignatureValidator.class, Mockito.CALLS_REAL_METHODS);
-
-        mocked.when(() -> TokenSignatureValidator.loadJWKSet(anyString())).thenReturn(getJWKSet());
-
-        String token = accessToken;
-        try {
-            validator.validate(token);
-        } finally {
-            mocked.close();
-        }
-    }
-
-    /**
-     * tests a bad signature.
-     *
-     * <p>We modify an existing access token (cf TokenExpiryValidatorTest) and don't update the
-     * signature. The signature check should fail (throw).
-     *
-     * @throws Exception
-     */
-    @Test(expected = Exception.class)
-    public void testBadSignature() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-
-        config.setValidateToken(true);
-        config.setValidateTokenSignature(true);
-        config.setValidateTokenSignatureURL("myurl");
-
-        TokenValidator validator = new TokenValidator(config);
-
-        validator.tokenSignatureValidator = spy(validator.tokenSignatureValidator);
-
-        MockedStatic<TokenSignatureValidator> mocked =
-                Mockito.mockStatic(TokenSignatureValidator.class, Mockito.CALLS_REAL_METHODS);
-
-        mocked.when(() -> TokenSignatureValidator.loadJWKSet(anyString())).thenReturn(getJWKSet());
-
-        String token = getNotExpiredToken(accessToken);
-        try {
-            validator.validate(token);
-        } finally {
-            mocked.close();
-        }
-    }
-
-    String accessToken =
-            "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItb0QyZXphcjF3ZHBUUmZCS0NqMFY4cm5ZVkJGQmxJLW5ldzFEREJCNTJrIn0.eyJleHAiOjE3MDg1NDgwOTYsImlhdCI6MTcwODU0Nzc5NiwiYXV0aF90aW1lIjoxNzA4NTQ3Nzk2LCJqdGkiOiI4YmU0ZjEzYy1lYTc5LTQ5YTYtOTU3Yy00MzEwMTViYTA3ZmQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0Ojc3NzcvcmVhbG1zL2RhdmUtdGVzdDIiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiOThjZmUwNjAtZjk4MC00YTA1LTg2MTItNmM2MDkyMTlmZmU5IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibGl2ZS1rZXkyIiwibm9uY2UiOiJNSm83NzRQRHU0Q2hSaVFHTmJWcHFZcTcwN21pMnZudDZ6dHJBX1RZZ3NvIiwic2Vzc2lvbl9zdGF0ZSI6IjQwNTExNzdhLTg4MjEtNGJmMi05MWEyLWI5NThlNTA4ZTJkMiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1kYXZlLXRlc3QyIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImxpdmUta2V5MiI6eyJyb2xlcyI6WyJHZW9uZXR3b3JrQWRtaW5pc3RyYXRvciIsIkdlb3NlcnZlckFkbWluaXN0cmF0b3IiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIHBob25lIG9mZmxpbmVfYWNjZXNzIG1pY3JvcHJvZmlsZS1qd3QgcHJvZmlsZSBhZGRyZXNzIGVtYWlsIiwic2lkIjoiNDA1MTE3N2EtODgyMS00YmYyLTkxYTItYjk1OGU1MDhlMmQyIiwidXBuIjoiZGF2aWQuYmxhc2J5QGdlb2NhdC5uZXQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImFkZHJlc3MiOnt9LCJuYW1lIjoiZGF2aWQgYmxhc2J5IiwiZ3JvdXBzIjpbImRlZmF1bHQtcm9sZXMtZGF2ZS10ZXN0MiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXSwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGF2aWQuYmxhc2J5QGdlb2NhdC5uZXQiLCJnaXZlbl9uYW1lIjoiZGF2aWQiLCJmYW1pbHlfbmFtZSI6ImJsYXNieSIsImVtYWlsIjoiZGF2aWQuYmxhc2J5QGdlb2NhdC5uZXQifQ.qRqmeV-iu4wvY2YK_gB-EnfBQiyXPg3WkfNJBurMtM9GG0LtvQGztIKTxhRGH91VLG6DGR1t1aHo1NIkb5RkJj9wmv7TX5Eyemu8KtkQ-a5ZWnpxcfGWPZQ5iKa_9aob_wY2Z5PXSLaxCGcaZPcC-nWxENeXokQWw63Y-B3PY8_ODV10OMyHQoLKfzoxZwZdh2WJsGhI2d_Ia5Sp4V0Hd03-19g5aksyO4a_M99ScHsMw0qPMJwMS5yPmFMxsvlAk36RdX-4Ru4nS_Vl76gPvbDKilqcmC7N3ODWWjrDwtqIvsfCZ-Msll4m73Qy-XM4X3kOYrpRP9PDTF6xjqZmMQ";
-
-    String jwkset =
-            "{\"keys\":[{\"kid\":\"-oD2ezar1wdpTRfBKCj0V8rnYVBFBlI-new1DDBB52k\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"vGDQI9y9ivho67l73doYHvMTVdori6DqlGUTfDQbmCKGN5qtsDr-17M-g8PIgnpSmFJzLd7VkF9_kqUImzh9O_QBndwAwNt9VNL5NIhrYzqJfncvywPD6aImg85RzfujrRczq5HhAorEUjEqZCPZ7XNgTcQ8s0_-gPPvVArAHyOUD2F6rj_M6MLS6jyi3HWdlcNKQOb-3a_VBtDaCOJcwGrxu-RVgIUREY_Ymbi_S-F5Zl4qet6PIERGiWhPpVdzCi491o0vOaoYTKliwR3B0K39IuPUNwhyD_LbdbUwjpL5cUFzyTpdaFBwWio_ds1Q_syGWf4NjlD8cptk15HZZQ\",\"e\":\"AQAB\",\"x5c\":[\"MIICozCCAYsCBgGNngEiKzANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApkYXZlLXRlc3QyMB4XDTI0MDIxMjE1NDYzMFoXDTM0MDIxMjE1NDgxMFowFTETMBEGA1UEAwwKZGF2ZS10ZXN0MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALxg0CPcvYr4aOu5e93aGB7zE1XaK4ug6pRlE3w0G5gihjearbA6/tezPoPDyIJ6UphScy3e1ZBff5KlCJs4fTv0AZ3cAMDbfVTS+TSIa2M6iX53L8sDw+miJoPOUc37o60XM6uR4QKKxFIxKmQj2e1zYE3EPLNP/oDz71QKwB8jlA9heq4/zOjC0uo8otx1nZXDSkDm/t2v1QbQ2gjiXMBq8bvkVYCFERGP2Jm4v0vheWZeKnrejyBERoloT6VXcwouPdaNLzmqGEypYsEdwdCt/SLj1DcIcg/y23W1MI6S+XFBc8k6XWhQcFoqP3bNUP7Mhln+DY5Q/HKbZNeR2WUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAi/9ygiQzEOKMaeBqubsQvdY2HX2FDda903KII0lmI+xx6FRbLx6XAR2Y1nkvoXIN3rdQ82QgOl12FxCDP6f0Rx8JyovqYs2Okocdh8O4txq+eBIDnCRYg188ApcINflo5MRtdgQeOCpTl3T5siGuzCkwZwguz3PMmdCxtnaPKpUkev+/MQHzfTPOIq+H5YN4Qzx+239J32JtB1l4EpDepZ0B1MFyR4NtPdQTZSwv4kCdzHcf7wWqjEzKolPQKObSV44r/6gKYC0p2i7oNTOBAcdknlj/RCnLVPfd9Ezdlzrv4DPlokMDQL8CyTLkqyoLqJRXJucNglFfhENqUDxT1A==\"],\"x5t\":\"ey0zf4HBdrCE5E7n5NE0cYAiMqE\",\"x5t#S256\":\"ELydiVBoUfckES_Q-QVzVRc2S0iDXLsHXrHGW5iJTBc\"},{\"kid\":\"FmPsEbsilhjFclDsgyEtzjHzICdcQV83OAf4n3Pdgvc\",\"kty\":\"RSA\",\"alg\":\"RSA-OAEP\",\"use\":\"enc\",\"n\":\"0-cEytoDW41T7UqPBdxIYpBGMwBUch0UXqvFI8wveDYp2il-XjuJIImWuqAJB9BxZkUPuUzH93oY486H6ZR90JcRJx9C4oMemuku-pVzuB1rO7FgrVfKOe1KoJARcpvXLI92XORynp9-Ildw7yIa9XaI-Fy-mPIfwq5M0Q2AGNVnaXu0TVNLPI9Tb1jwQo5SWx37kC-zYnq51dey1KAya8-5GF0Q6CJDvzCZ9UPfj37rU9rj2QwvRRlDYGMTH-lZaPryE5UQDiSUpWsrY9w-BOv3QksvCf_DOJ7Lx3j5g3v0ITplXu3lAOtuWs0TgBnjZKBi1Bkni6MJqGLZGhJDZQ\",\"e\":\"AQAB\",\"x5c\":[\"MIICozCCAYsCBgGNngEi+DANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApkYXZlLXRlc3QyMB4XDTI0MDIxMjE1NDYzMVoXDTM0MDIxMjE1NDgxMVowFTETMBEGA1UEAwwKZGF2ZS10ZXN0MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANPnBMraA1uNU+1KjwXcSGKQRjMAVHIdFF6rxSPML3g2Kdopfl47iSCJlrqgCQfQcWZFD7lMx/d6GOPOh+mUfdCXEScfQuKDHprpLvqVc7gdazuxYK1XyjntSqCQEXKb1yyPdlzkcp6ffiJXcO8iGvV2iPhcvpjyH8KuTNENgBjVZ2l7tE1TSzyPU29Y8EKOUlsd+5Avs2J6udXXstSgMmvPuRhdEOgiQ78wmfVD349+61Pa49kML0UZQ2BjEx/pWWj68hOVEA4klKVrK2PcPgTr90JLLwn/wziey8d4+YN79CE6ZV7t5QDrblrNE4AZ42SgYtQZJ4ujCahi2RoSQ2UCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAkFI6dLASOnuD8zTx1JvXDvQvlCWkvEhQCMXbaBSoQlBHfbT+qgNmF8Yge5CWBED7pDN1w4SMjoKGWh++sXIvk53a1cFPzwRG0c+/XFkWv6scj7BYdp/tW7gnipCFWvrrC2VOQ3L7Va6qYlIHSEuN01IaVvDM7KUBbwCokjEbqPgP6aRfltYoDUS/cMhixYA5BN1721eNLRJCJsognyoO7tpn5TUbMgo5I0wxeZ3J0ZyDY+MdK9zoylC44FEkwWXgZODkfb+rzNdTuqXuos36xDsRHgmG5hk+go2diejYbrsAdf4Gk2cqKqDAjpKucQfEiq2tULDMOegkqCN5CDkUaA==\"],\"x5t\":\"06stWmvLczzaaBWnLYWiarf9PCc\",\"x5t#S256\":\"d0wADfnb_ZLNFeoV8nEmn_WFrA-hqWLVcHsV7WRpZSQ\"}]}";
-
-    public JWKSet getJWKSet() throws ParseException {
-        return JWKSet.parse(jwkset);
-    }
-}
diff --git a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenValidatorTest.java b/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenValidatorTest.java
deleted file mode 100644
index d4547e4d6e3..00000000000
--- a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/token/TokenValidatorTest.java
+++ /dev/null
@@ -1,155 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.token;
-
-import static org.mockito.Mockito.*;
-
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.geoserver.security.jwtheaders.username.JwtHeaderUserNameExtractorTest;
-import org.junit.Test;
-import org.mockito.ArgumentMatchers;
-import org.mockito.Mockito;
-
-public class TokenValidatorTest {
-
-    /**
-     * quick test - make sure that the individual validators are being called
-     *
-     * @throws Exception
-     */
-    @Test
-    public void testValidator() throws Exception {
-
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-        config.setValidateToken(true);
-
-        TokenValidator validator = new TokenValidator(config);
-
-        // mock the actual validators
-        validator.tokenSignatureValidator = Mockito.mock(TokenSignatureValidator.class);
-        validator.tokenExpiryValidator = Mockito.mock(TokenExpiryValidator.class);
-        validator.tokenEndpointValidator = Mockito.mock(TokenEndpointValidator.class);
-        validator.tokenAudienceValidator = Mockito.mock(TokenAudienceValidator.class);
-
-        // make sure they are being called
-
-        String token = JwtHeaderUserNameExtractorTest.accessToken;
-        validator.validate(token);
-
-        verify(validator.tokenSignatureValidator).validate(ArgumentMatchers.any());
-        verify(validator.tokenExpiryValidator).validate(ArgumentMatchers.any());
-        verify(validator.tokenEndpointValidator).validate(ArgumentMatchers.any());
-        verify(validator.tokenAudienceValidator).validate(ArgumentMatchers.any());
-    }
-
-    /**
-     * quick test - make sure that when an individual validator failed. - tokenSignatureValidator
-     * will fail --> throw exception
-     *
-     * @throws Exception
-     */
-    @Test(expected = Exception.class)
-    public void testValidator_fail_tokenSignatureValidator() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-        config.setValidateToken(true);
-
-        TokenValidator validator = new TokenValidator(config);
-
-        // mock the actual validators
-        validator.tokenSignatureValidator = Mockito.mock(TokenSignatureValidator.class);
-        validator.tokenExpiryValidator = Mockito.mock(TokenExpiryValidator.class);
-        validator.tokenEndpointValidator = Mockito.mock(TokenEndpointValidator.class);
-        validator.tokenAudienceValidator = Mockito.mock(TokenAudienceValidator.class);
-
-        doThrow(new Exception("boom"))
-                .when(validator.tokenSignatureValidator)
-                .validate(ArgumentMatchers.any());
-
-        String token = JwtHeaderUserNameExtractorTest.accessToken;
-        validator.validate(token);
-    }
-
-    /**
-     * quick test - make sure that when an individual validator failed. - tokenExpiryValidator will
-     * fail --> throw exception
-     *
-     * @throws Exception
-     */
-    @Test(expected = Exception.class)
-    public void testValidator_fail_tokenExpiryValidator() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-        config.setValidateToken(true);
-
-        TokenValidator validator = new TokenValidator(config);
-
-        // mock the actual validators
-        validator.tokenSignatureValidator = Mockito.mock(TokenSignatureValidator.class);
-        validator.tokenExpiryValidator = Mockito.mock(TokenExpiryValidator.class);
-        validator.tokenEndpointValidator = Mockito.mock(TokenEndpointValidator.class);
-        validator.tokenAudienceValidator = Mockito.mock(TokenAudienceValidator.class);
-
-        doThrow(new Exception("boom"))
-                .when(validator.tokenExpiryValidator)
-                .validate(ArgumentMatchers.any());
-
-        String token = JwtHeaderUserNameExtractorTest.accessToken;
-        validator.validate(token);
-    }
-
-    /**
-     * quick test - make sure that when an individual validator failed. - tokenEndpointValidator
-     * will fail --> throw exception
-     *
-     * @throws Exception
-     */
-    @Test(expected = Exception.class)
-    public void testValidator_fail_tokenEndpointValidator() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-        config.setValidateToken(true);
-
-        TokenValidator validator = new TokenValidator(config);
-
-        // mock the actual validators
-        validator.tokenSignatureValidator = Mockito.mock(TokenSignatureValidator.class);
-        validator.tokenExpiryValidator = Mockito.mock(TokenExpiryValidator.class);
-        validator.tokenEndpointValidator = Mockito.mock(TokenEndpointValidator.class);
-        validator.tokenAudienceValidator = Mockito.mock(TokenAudienceValidator.class);
-
-        doThrow(new Exception("boom"))
-                .when(validator.tokenEndpointValidator)
-                .validate(ArgumentMatchers.any());
-
-        String token = JwtHeaderUserNameExtractorTest.accessToken;
-        validator.validate(token);
-    }
-
-    /**
-     * quick test - make sure that when an individual validator failed. - tokenAudienceValidator
-     * will fail --> throw exception
-     *
-     * @throws Exception
-     */
-    @Test(expected = Exception.class)
-    public void testValidator_fail_tokenAudienceValidator() throws Exception {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-        config.setValidateToken(true);
-
-        TokenValidator validator = new TokenValidator(config);
-
-        // mock the actual validators
-        validator.tokenSignatureValidator = Mockito.mock(TokenSignatureValidator.class);
-        validator.tokenExpiryValidator = Mockito.mock(TokenExpiryValidator.class);
-        validator.tokenEndpointValidator = Mockito.mock(TokenEndpointValidator.class);
-        validator.tokenAudienceValidator = Mockito.mock(TokenAudienceValidator.class);
-
-        doThrow(new Exception("boom"))
-                .when(validator.tokenAudienceValidator)
-                .validate(ArgumentMatchers.any());
-
-        String token = JwtHeaderUserNameExtractorTest.accessToken;
-        validator.validate(token);
-    }
-}
diff --git a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractorTest.java b/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractorTest.java
deleted file mode 100644
index 89826785733..00000000000
--- a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractorTest.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-
-package org.geoserver.security.jwtheaders.username;
-
-import java.text.ParseException;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.junit.Assert;
-import org.junit.Test;
-
-public class JwtHeaderUserNameExtractorTest {
-
-    public JwtHeaderUserNameExtractor getExtractor(
-            GeoServerJwtHeadersFilterConfig.UserNameHeaderFormat format, String path) {
-        GeoServerJwtHeadersFilterConfig config = new GeoServerJwtHeadersFilterConfig();
-        config.setUserNameFormatChoice(format);
-        config.setUserNameJsonPath(path);
-        return new JwtHeaderUserNameExtractor(config);
-    }
-
-    public static String accessToken =
-            "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItWEdld190TnFwaWRrYTl2QXNJel82WEQtdnJmZDVyMlNWTWkwcWMyR1lNIn0.eyJleHAiOjE3MDcxNTMxNDYsImlhdCI6MTcwNzE1Mjg0NiwiYXV0aF90aW1lIjoxNzA3MTUyNjQ1LCJqdGkiOiJlMzhjY2ZmYy0zMWNjLTQ0NmEtYmU1Yy04MjliNDE0NTkyZmQiLCJpc3MiOiJodHRwczovL2xvZ2luLWxpdmUtZGV2Lmdlb2NhdC5saXZlL3JlYWxtcy9kYXZlLXRlc3QyIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImVhMzNlM2NjLWYwZTEtNDIxOC04OWNiLThkNDhjMjdlZWUzZCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImxpdmUta2V5MiIsIm5vbmNlIjoiQldzc2M3cTBKZ0tHZC1OdFc1QlFhVlROMkhSa25LQmVIY0ZMTHZ5OXpYSSIsInNlc3Npb25fc3RhdGUiOiIxY2FiZmU1NC1lOWU0LTRjMmMtODQwNy03NTZiMjczZmFmZmIiLCJhY3IiOiIwIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtZGF2ZS10ZXN0MiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJsaXZlLWtleTIiOnsicm9sZXMiOlsiR2Vvc2VydmVyQWRtaW5pc3RyYXRvciJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcGhvbmUgb2ZmbGluZV9hY2Nlc3MgbWljcm9wcm9maWxlLWp3dCBwcm9maWxlIGFkZHJlc3MgZW1haWwiLCJzaWQiOiIxY2FiZmU1NC1lOWU0LTRjMmMtODQwNy03NTZiMjczZmFmZmIiLCJ1cG4iOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiYWRkcmVzcyI6e30sIm5hbWUiOiJkYXZpZCBibGFzYnkiLCJncm91cHMiOlsiZGVmYXVsdC1yb2xlcy1kYXZlLXRlc3QyIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCIsImdpdmVuX25hbWUiOiJkYXZpZCIsImZhbWlseV9uYW1lIjoiYmxhc2J5IiwiZW1haWwiOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCJ9.fHzXd7oISnqWb09ah9wikfP2UOBeiOA3vd_aDg3Bw-xcfv9aD3CWhAK5FUDPYSPyj4whAcknZbUgUzcm0qkaI8V_aS65F3Fug4jt4nC9YPL4zMSJ5an4Dp6jlQ3OQhrKFn4FwaoW61ndMmScsZZWEQyj6gzHnn5cknqySB26tVydT6q57iTO7KQFcXRdbXd6GWIoFGS-ud9XzxQMUdNfYmsDD7e6hoWhe9PJD9Zq4KT6JN13hUU4Dos-Z5SBHjRa6ieHoOe9gqkjKyA1jT1NU42Nqr-mTV-ql22nAoXuplpvOYc5-09-KDDzSDuVKFwLCNMN3ZyRF1wWuydJeU-gOQ";
-
-    @Test
-    public void testSimpleJwt() throws ParseException {
-        String username =
-                getExtractor(
-                                GeoServerJwtHeadersFilterConfig.UserNameHeaderFormat.JWT,
-                                "preferred_username")
-                        .extractUserName(accessToken);
-        Assert.assertEquals("david.blasby@geocat.net", username);
-    }
-
-    @Test
-    public void testSimpleJson() throws ParseException {
-        String json =
-                "{\"exp\":1707155912,\"iat\":1707155612,\"jti\":\"888715ae-a79d-4633-83e5-9b97dee02bbc\",\"iss\":\"https://login-live-dev.geocat.live/realms/dave-test2\",\"aud\":\"account\",\"sub\":\"ea33e3cc-f0e1-4218-89cb-8d48c27eee3d\",\"typ\":\"Bearer\",\"azp\":\"live-key2\",\"session_state\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"acr\":\"1\",\"realm_access\":{\"roles\":[\"default-roles-dave-test2\",\"offline_access\",\"uma_authorization\"]},\"resource_access\":{\"live-key2\":{\"roles\":[\"GeoserverAdministrator\"]},\"account\":{\"roles\":[\"manage-account\",\"manage-account-links\",\"view-profile\"]}},\"scope\":\"openidprofileemail\",\"sid\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"email_verified\":false,\"name\":\"davidblasby\",\"preferred_username\":\"david.blasby@geocat.net\",\"given_name\":\"david\",\"family_name\":\"blasby\",\"email\":\"david.blasby@geocat.net\"}";
-        String username =
-                getExtractor(
-                                GeoServerJwtHeadersFilterConfig.UserNameHeaderFormat.JSON,
-                                "preferred_username")
-                        .extractUserName(json);
-        Assert.assertEquals("david.blasby@geocat.net", username);
-    }
-
-    @Test
-    public void testSimpleString() throws ParseException {
-        String json = "david.blasby@geocat.net";
-        String username =
-                getExtractor(GeoServerJwtHeadersFilterConfig.UserNameHeaderFormat.STRING, "xxxyyy")
-                        .extractUserName(json);
-        Assert.assertEquals("david.blasby@geocat.net", username);
-    }
-}
diff --git a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanelTest.java b/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanelTest.java
deleted file mode 100644
index 6882e849f79..00000000000
--- a/src/community/jwt-headers/src/test/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanelTest.java
+++ /dev/null
@@ -1,109 +0,0 @@
-/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
- * This code is licensed under the GPL 2.0 license, available at the root
- * application directory.
- */
-package org.geoserver.security.jwtheaders.web;
-
-import org.apache.wicket.Component;
-import org.apache.wicket.model.Model;
-import org.geoserver.security.jwtheaders.filter.GeoServerJwtHeadersFilterConfig;
-import org.geoserver.security.web.AbstractSecurityNamedServicePanelTest;
-import org.geoserver.security.web.AbstractSecurityPage;
-import org.geoserver.security.web.SecurityNamedServiceNewPage;
-import org.geoserver.security.web.auth.AuthenticationPage;
-import org.geoserver.web.FormTestPage;
-import org.junit.Test;
-
-public class JwtHeadersAuthFilterPanelTest extends AbstractSecurityNamedServicePanelTest {
-
-    @Test
-    public void smokeTest() {
-        Model<GeoServerJwtHeadersFilterConfig> model =
-                new Model<>(new GeoServerJwtHeadersFilterConfig());
-        FormTestPage testPage = new FormTestPage(id -> new JwtHeadersAuthFilterPanel(id, model));
-        tester.startPage(testPage);
-    }
-
-    // trivial test - jus set the name and userNameHeaderAttributeName
-    // make sure it comes back
-    @Test
-    public void webtest0() throws Exception {
-        navigateToJwtHeadersPanel("JwtHeaderFilter1");
-
-        formTester.setValue("panel:content:name", "JwtHeaderFilter1");
-        formTester.setValue(
-                "panel:content:userNameHeaderAttributeName", "userNameHeaderAttributeName111");
-
-        clickSave();
-        tester.assertNoErrorMessage();
-        clickNamedServiceConfig("JwtHeaderFilter1");
-        tester.assertModelValue("panel:panel:form:panel:name", "JwtHeaderFilter1");
-        tester.assertModelValue(
-                "panel:panel:form:panel:userNameHeaderAttributeName",
-                "userNameHeaderAttributeName111");
-    }
-
-    @Test
-    public void webtest1_roles() throws Exception {
-        navigateToJwtHeadersPanel("JwtHeaderFilter1");
-
-        formTester.setValue("panel:content:name", "JwtHeaderFilter1");
-        formTester.setValue(
-                "panel:content:userNameHeaderAttributeName", "userNameHeaderAttributeName111");
-
-        formTester.setValue("panel:content:roleSource", "JWT");
-
-        clickSave();
-        tester.assertNoErrorMessage();
-        clickNamedServiceConfig("JwtHeaderFilter1");
-        tester.assertModelValue("panel:panel:form:panel:name", "JwtHeaderFilter1");
-        tester.assertModelValue(
-                "panel:panel:form:panel:userNameHeaderAttributeName",
-                "userNameHeaderAttributeName111");
-
-        tester.assertModelValue(
-                "panel:panel:form:panel:roleSource",
-                GeoServerJwtHeadersFilterConfig.JWTHeaderRoleSource.JWT);
-    }
-
-    // ----------------------------------------------
-    @Override
-    protected AbstractSecurityPage getBasePage() {
-        return new AuthenticationPage();
-    }
-
-    @Override
-    protected String getBasePanelId() {
-        return "form:authFilters";
-    }
-
-    @Override
-    protected Integer getTabIndex() {
-        return 2;
-    }
-
-    @Override
-    protected Class<? extends Component> getNamedServicesClass() {
-        return JwtHeadersAuthFilterPanel.class;
-    }
-
-    @Override
-    protected String getDetailsFormComponentId() {
-        return "authenticationFilterPanel:namedConfig";
-    }
-
-    protected void navigateToJwtHeadersPanel(String name) throws Exception {
-        initializeForXML();
-
-        activatePanel();
-
-        // Test simple add
-        clickAddNew();
-
-        tester.assertRenderedPage(SecurityNamedServiceNewPage.class);
-        setSecurityConfigClassName(JwtHeadersAuthFilterPanelInfo.class);
-
-        newFormTester();
-        setSecurityConfigName(name);
-    }
-}