diff --git a/jeeutil/pom.xml b/jeeutil/pom.xml
index a56310a..0f21b79 100644
--- a/jeeutil/pom.xml
+++ b/jeeutil/pom.xml
@@ -15,11 +15,20 @@
     <name>shared-jeeutil</name>
 
     <properties>
-        <endorsed.dir>${project.build.directory}/endorsed</endorsed.dir>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
 
     <dependencies>
+        <dependency>
+            <groupId>com.inversoft</groupId>
+            <artifactId>prime-jwt</artifactId>
+            <version>1.3.0</version>
+        </dependency>
+        <dependency>
+            <groupId>javax</groupId>
+            <artifactId>javaee-api</artifactId>            
+            <scope>provided</scope>
+        </dependency>        
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
@@ -35,12 +44,12 @@
             <artifactId>primefaces</artifactId>
             <type>jar</type>
             <scope>provided</scope>
-        </dependency>
+        </dependency>        
         <dependency>
-            <groupId>javax</groupId>
-            <artifactId>javaee-api</artifactId>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-web</artifactId>
             <scope>provided</scope>
-        </dependency>
+        </dependency>                
     </dependencies>
 
     <build>
@@ -52,31 +61,6 @@
                     <ejbVersion>3.1</ejbVersion>
                 </configuration>
             </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-dependency-plugin</artifactId>
-                <version>2.1</version>
-                <executions>
-                    <execution>
-                        <phase>validate</phase>
-                        <goals>
-                            <goal>copy</goal>
-                        </goals>
-                        <configuration>
-                            <outputDirectory>${endorsed.dir}</outputDirectory>
-                            <silent>true</silent>
-                            <artifactItems>
-                                <artifactItem>
-                                    <groupId>javax</groupId>
-                                    <artifactId>javaee-endorsed-api</artifactId>
-                                    <version>6.0</version>
-                                    <type>jar</type>
-                                </artifactItem>
-                            </artifactItems>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
         </plugins>
     </build>
 
diff --git a/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/jwt/JWTDecoder.java b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/jwt/JWTDecoder.java
new file mode 100644
index 0000000..f5dc43a
--- /dev/null
+++ b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/jwt/JWTDecoder.java
@@ -0,0 +1,84 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package de.muehlencord.shared.jeeutil.jwt;
+
+import java.time.ZonedDateTime;
+import org.primeframework.jwt.Verifier;
+import org.primeframework.jwt.domain.JWT;
+import org.primeframework.jwt.domain.JWTException;
+import org.primeframework.jwt.hmac.HMACVerifier;
+
+/**
+ *
+ * @author Joern Muehlencord <joern at muehlencord.de>
+ */
+public class JWTDecoder {
+
+    private boolean parsedSuccessfully = false;
+    private JWT jwt = null;
+
+    public JWTDecoder(String password, String issuer, String jwtString) throws JWTException {
+        if ((password == null) || (issuer == null) || (jwtString == null)) {
+            throw new JWTException("password, issuer and jwt must not be null");
+        }
+        Verifier verifier = HMACVerifier.newVerifier(password);
+//        Verifier verifier = RSAVerifier.newVerifier(new String(Files.readAllBytes(Paths.get("public_key.pem"))));
+        try {
+            jwt = JWT.getDecoder().decode(jwtString, verifier);
+            parsedSuccessfully = jwt.issuer.equals(issuer);
+        } catch (JWTException ex) {
+            jwt = null;
+        }
+    }
+
+    public String getIssuer() {
+        if (jwt == null) {
+            return null;
+        } else {
+            return jwt.issuer;
+        }
+    }
+
+    public ZonedDateTime getIssuedAt() {
+        if (jwt == null) {
+            return null;
+        } else {
+            return jwt.issuedAt;
+        }
+    }
+
+    public String getSubject() {
+        if (jwt == null) {
+            return null;
+        } else {
+            return jwt.subject;
+        }
+    }
+
+    public String getUniqueId() {
+        if (jwt == null) {
+            return null;
+        } else {
+            return jwt.uniqueId;
+        }
+    }
+
+    public ZonedDateTime getExpiration() {
+        if (jwt == null) {
+            return null;
+        } else {
+            return jwt.expiration;
+        }
+    }
+
+    public boolean isValid() {
+        if ((jwt == null) || (jwt.isExpired())) {
+            return false;
+        } else {
+            return this.parsedSuccessfully;
+        }
+    }
+}
diff --git a/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/jwt/JWTEncoder.java b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/jwt/JWTEncoder.java
new file mode 100644
index 0000000..fb938da
--- /dev/null
+++ b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/jwt/JWTEncoder.java
@@ -0,0 +1,36 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package de.muehlencord.shared.jeeutil.jwt;
+
+import java.time.ZonedDateTime;
+import org.primeframework.jwt.Signer;
+import org.primeframework.jwt.domain.JWT;
+import org.primeframework.jwt.hmac.HMACSigner;
+
+/**
+ *
+ * @author Joern Muehlencord <joern at muehlencord.de>
+ */
+public abstract class JWTEncoder {
+
+    public static String encode(String password, String issuer, ZonedDateTime issuedAt, String subject, String uniqueId, short expirationInMinutes ) throws JWTException {
+        if ((password == null) || (issuer == null)) {
+            throw new JWTException("password and issuer must not be null");
+        }        
+        Signer signer = HMACSigner.newSHA256Signer(password);
+//        Signer signer = RSASigner.newSHA256Signer(new String(Files.readAllBytes(Paths.get("private_key.pem"))));
+
+       
+        JWT jwt = new JWT().setIssuer(issuer) // FIXME - make configurable
+                .setIssuedAt(issuedAt)
+                .setSubject(subject)
+                .setUniqueId(uniqueId)
+                .setExpiration(issuedAt.plusMinutes(expirationInMinutes));
+        return JWT.getEncoder().encode(jwt, signer);
+
+    }
+
+}
diff --git a/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/jwt/JWTException.java b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/jwt/JWTException.java
new file mode 100644
index 0000000..594dbd7
--- /dev/null
+++ b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/jwt/JWTException.java
@@ -0,0 +1,40 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+package de.muehlencord.shared.jeeutil.jwt;
+
+/**
+ *
+ * @author Joern Muehlencord <joern at muehlencord.de>
+ */
+public class JWTException extends Exception {
+
+    private static final long serialVersionUID = 423992803027530544L;
+
+    /**
+     * Creates a new instance of <code>JWTException</code> without detail message.
+     */
+    public JWTException() {
+    }
+
+
+    /**
+     * Constructs an instance of <code>JWTException</code> with the specified detail message.
+     * @param msg the detail message.
+     */
+    public JWTException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Constructs an instance of <code>JWTException</code> with the specified detail message and root cause.
+     * @param msg the detail message.
+     * @param th the root cause
+     */
+    public JWTException(String msg, Throwable th) {
+        super(msg,th);
+    }
+}
diff --git a/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/jwt/JWTGuard.java b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/jwt/JWTGuard.java
new file mode 100644
index 0000000..25ee84e
--- /dev/null
+++ b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/jwt/JWTGuard.java
@@ -0,0 +1,25 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package de.muehlencord.shared.jeeutil.jwt;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.shiro.web.filter.authc.AuthenticationFilter;
+
+/**
+ *
+ * @author Joern Muehlencord <joern at muehlencord.de>
+ */
+public class JWTGuard extends AuthenticationFilter {
+
+    @Override
+    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+        return false;
+    }
+}