diff --git a/gateway-adapter/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealmTest.java b/gateway-adapter/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealmTest.java
index fbcc96d835..8be53aae46 100644
--- a/gateway-adapter/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealmTest.java
+++ b/gateway-adapter/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealmTest.java
@@ -30,35 +30,35 @@ public class KnoxLdapRealmTest {
   public void setGetSearchBase() {
     KnoxLdapRealm realm = new KnoxLdapRealm();
     realm.setSearchBase("dc=hadoop,dc=apache,dc=org");
-    assertEquals(realm.getSearchBase(), "dc=hadoop,dc=apache,dc=org");
+    assertEquals("dc=hadoop,dc=apache,dc=org", realm.getSearchBase());
   }
 
   @Test
   public void setGetGroupObjectClass() {
     KnoxLdapRealm realm = new KnoxLdapRealm();
     realm.setGroupObjectClass("groupOfMembers");
-    assertEquals(realm.getGroupObjectClass(), "groupOfMembers");
+    assertEquals("groupOfMembers", realm.getGroupObjectClass());
   }
 
   @Test
   public void setGetUniqueMemberAttribute() {
     KnoxLdapRealm realm = new KnoxLdapRealm();
     realm.setMemberAttribute("member");
-    assertEquals(realm.getMemberAttribute(), "member");
+    assertEquals("member", realm.getMemberAttribute());
   }
 
   @Test
   public void setGetUserSearchAttributeName() {
     KnoxLdapRealm realm = new KnoxLdapRealm();
     realm.setUserSearchAttributeName("uid");
-    assertEquals(realm.getUserSearchAttributeName(), "uid");
+    assertEquals("uid", realm.getUserSearchAttributeName());
   }
 
   @Test
   public void setGetUserObjectClass() {
     KnoxLdapRealm realm = new KnoxLdapRealm();
     realm.setUserObjectClass("inetuser");
-    assertEquals(realm.getUserObjectClass(), "inetuser");
+    assertEquals("inetuser", realm.getUserObjectClass());
   }
 
   @Test
@@ -74,7 +74,7 @@ public void setGetGroupSearchBase() {
     KnoxLdapRealm realm = new KnoxLdapRealm();
     realm.setSearchBase("dc=example,dc=com");
     realm.setGroupSearchBase("dc=knox,dc=example,dc=com");
-    assertEquals(realm.getGroupSearchBase(), "dc=knox,dc=example,dc=com");
+    assertEquals("dc=knox,dc=example,dc=com", realm.getGroupSearchBase());
   }
 
   @Test
@@ -86,20 +86,20 @@ public void verifyDefaultUserSearchAttributeName() {
   @Test
   public void verifyDefaultGetUserObjectClass() {
     KnoxLdapRealm realm = new KnoxLdapRealm();
-    assertEquals(realm.getUserObjectClass(), "person");
+    assertEquals("person", realm.getUserObjectClass());
   }
 
   @Test
   public void verifyDefaultUserSearchBase() {
     KnoxLdapRealm realm = new KnoxLdapRealm();
     realm.setSearchBase("dc=knox,dc=example,dc=com");
-    assertEquals(realm.getUserSearchBase(), "dc=knox,dc=example,dc=com");
+    assertEquals("dc=knox,dc=example,dc=com", realm.getUserSearchBase());
   }
 
   @Test
   public void verifyDefaultGroupSearchBase() {
     KnoxLdapRealm realm = new KnoxLdapRealm();
     realm.setSearchBase("dc=knox,dc=example,dc=com");
-    assertEquals(realm.getGroupSearchBase(), "dc=knox,dc=example,dc=com");
+    assertEquals("dc=knox,dc=example,dc=com", realm.getGroupSearchBase());
   }
 }
diff --git a/gateway-adapter/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealmTest.java b/gateway-adapter/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealmTest.java
index d87e89dc31..a099534044 100644
--- a/gateway-adapter/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealmTest.java
+++ b/gateway-adapter/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealmTest.java
@@ -37,7 +37,7 @@ public class KnoxPamRealmTest {
   public void setService() {
     KnoxPamRealm realm = new KnoxPamRealm();
     realm.setService("knox-pam-os-service");
-    assertEquals(realm.getService(), "knox-pam-os-service");
+    assertEquals("knox-pam-os-service", realm.getService());
   }
 
   @Test
diff --git a/gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/monitor/PollingConfigurationAnalyzer.java b/gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/monitor/PollingConfigurationAnalyzer.java
index d7c06b2114..727b9cc512 100644
--- a/gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/monitor/PollingConfigurationAnalyzer.java
+++ b/gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/monitor/PollingConfigurationAnalyzer.java
@@ -521,7 +521,6 @@ private List<RelevantEvent> getRelevantEvents(final String address, final String
     return relevantEvents;
   }
 
-  @SuppressWarnings("unchecked")
   private boolean isStartEvent(ApiEvent event) {
     final Map<String, Object> attributeMap = getAttributeMap(event.getAttributes());
     final String command = getAttribute(attributeMap, COMMAND);
diff --git a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/AbstractIdentityAssertionFilter.java b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/AbstractIdentityAssertionFilter.java
index 8acd260fef..b4fafe30e3 100644
--- a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/AbstractIdentityAssertionFilter.java
+++ b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/AbstractIdentityAssertionFilter.java
@@ -18,7 +18,6 @@
 package org.apache.knox.gateway.identityasserter.common.filter;
 
 import java.io.IOException;
-import java.security.AccessController;
 import java.security.Principal;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
@@ -52,8 +51,6 @@
 import org.apache.knox.gateway.security.PrimaryPrincipal;
 import org.apache.knox.gateway.security.SubjectUtils;
 
-import de.thetaphi.forbiddenapis.SuppressForbidden;
-
 public abstract class AbstractIdentityAssertionFilter extends
   AbstractIdentityAssertionBase implements Filter {
 
@@ -89,7 +86,6 @@ public AbstractIdentityAssertionFilter() {
    */
   public abstract String mapUserPrincipal(String principalName);
 
-  @SuppressForbidden
   protected void continueChainAsPrincipal(HttpServletRequestWrapper request, ServletResponse response,
       FilterChain chain, String mappedPrincipalName, String[] groups) throws IOException,
       ServletException {
@@ -102,7 +98,7 @@ protected void continueChainAsPrincipal(HttpServletRequestWrapper request, Servl
         boolean groupsMapped;
 
         // look up the current Java Subject and assosciated group principals
-        Subject currentSubject = Subject.getSubject(AccessController.getContext());
+        Subject currentSubject = SubjectUtils.getCurrentSubject();
         if (currentSubject == null) {
           LOG.subjectNotAvailable();
           throw new IllegalStateException("Required Subject Missing");
diff --git a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
index 4792640e47..a9a3d154c5 100644
--- a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
+++ b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
@@ -23,7 +23,6 @@
 import static org.apache.knox.gateway.util.AuthFilterUtils.PROXYGROUP_PREFIX;
 
 import java.io.IOException;
-import java.security.AccessController;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -45,7 +44,6 @@
 import javax.servlet.http.HttpServletRequestWrapper;
 import javax.servlet.http.HttpServletResponse;
 
-import de.thetaphi.forbiddenapis.SuppressForbidden;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.knox.gateway.IdentityAsserterMessages;
@@ -222,11 +220,10 @@ public void destroy() {
      * to the identity to be asserted as appropriate and create the provider specific
      * assertion token. Add the assertion token to the request.
      */
-    @SuppressForbidden
     @Override
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
             throws IOException, ServletException {
-        Subject subject = Subject.getSubject(AccessController.getContext());
+        Subject subject = SubjectUtils.getCurrentSubject();
 
         if (subject == null) {
             LOG.subjectNotAvailable();
diff --git a/gateway-provider-identity-assertion-common/src/test/java/org/apache/knox/gateway/identityasserter/common/filter/VirtualGroupMapperTest.java b/gateway-provider-identity-assertion-common/src/test/java/org/apache/knox/gateway/identityasserter/common/filter/VirtualGroupMapperTest.java
index 8227aebe11..d72de073df 100644
--- a/gateway-provider-identity-assertion-common/src/test/java/org/apache/knox/gateway/identityasserter/common/filter/VirtualGroupMapperTest.java
+++ b/gateway-provider-identity-assertion-common/src/test/java/org/apache/knox/gateway/identityasserter/common/filter/VirtualGroupMapperTest.java
@@ -39,7 +39,6 @@
 import javax.servlet.ServletRequest;
 import javax.servlet.http.HttpServletRequest;
 
-@SuppressWarnings("PMD.NonStaticInitializer")
 public class VirtualGroupMapperTest {
     private Parser parser = new Parser();
     private VirtualGroupMapper mapper;
@@ -159,4 +158,4 @@ private Set<String> virtualGroups(String user1, List<String> ldapGroups, Servlet
     private static Set<String> setOf(String... strings) {
         return new HashSet<>(Arrays.asList(strings));
     }
-}
\ No newline at end of file
+}
diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java
index 8e49ad1bbf..39848a23e3 100644
--- a/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/test/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderFilterTest.java
@@ -142,7 +142,6 @@ public void testUnknownUser() throws ServletException {
    * {@link LdapGroupsMapping} and in case of bad config we get empty groups
    * (Hadoop way).
    */
-  @SuppressWarnings({ "unchecked", "rawtypes" })
   @Test
   public void badConfigTest() throws ServletException {
 
diff --git a/gateway-provider-rewrite-common/src/main/java/org/apache/knox/gateway/filter/rewrite/impl/UrlRewriteRulesDescriptorImpl.java b/gateway-provider-rewrite-common/src/main/java/org/apache/knox/gateway/filter/rewrite/impl/UrlRewriteRulesDescriptorImpl.java
index 2d31fbf7ef..de1c9f8b3d 100644
--- a/gateway-provider-rewrite-common/src/main/java/org/apache/knox/gateway/filter/rewrite/impl/UrlRewriteRulesDescriptorImpl.java
+++ b/gateway-provider-rewrite-common/src/main/java/org/apache/knox/gateway/filter/rewrite/impl/UrlRewriteRulesDescriptorImpl.java
@@ -91,14 +91,12 @@ public <T extends UrlRewriteFunctionDescriptor<?>> T getFunction( String name )
   }
 
   @Override
-  @SuppressWarnings("unchecked")
   public <T extends UrlRewriteFunctionDescriptor<?>> T addFunction( String name ) {
     T descriptor = newFunction( name );
     addFunction( descriptor );
     return descriptor;
   }
 
-  @SuppressWarnings("unchecked")
   protected <T extends UrlRewriteFunctionDescriptor<?>> T newFunction( String name ) {
     return UrlRewriteFunctionDescriptorFactory.create( name );
   }
diff --git a/gateway-provider-rewrite-common/src/main/java/org/apache/knox/gateway/filter/rewrite/spi/UrlRewriteFlowDescriptorBase.java b/gateway-provider-rewrite-common/src/main/java/org/apache/knox/gateway/filter/rewrite/spi/UrlRewriteFlowDescriptorBase.java
index fd63798194..7aa8c35fad 100644
--- a/gateway-provider-rewrite-common/src/main/java/org/apache/knox/gateway/filter/rewrite/spi/UrlRewriteFlowDescriptorBase.java
+++ b/gateway-provider-rewrite-common/src/main/java/org/apache/knox/gateway/filter/rewrite/spi/UrlRewriteFlowDescriptorBase.java
@@ -105,7 +105,6 @@ public List<UrlRewriteStepDescriptor> steps() {
 //    return step;
 //  }
 
-  @SuppressWarnings( "unchecked" )
   @Override
   public <T extends UrlRewriteStepDescriptor<?>> T addStep( String type ) {
     T step = UrlRewriteStepDescriptorFactory.create( type );
diff --git a/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/HadoopAuthDeploymentContributorTest.java b/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/HadoopAuthDeploymentContributorTest.java
index 1c64874109..c0abf893f2 100644
--- a/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/HadoopAuthDeploymentContributorTest.java
+++ b/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/HadoopAuthDeploymentContributorTest.java
@@ -46,11 +46,10 @@
 
 public class HadoopAuthDeploymentContributorTest {
 
-  @SuppressWarnings("rawtypes")
   @Test
   public void testServiceLoader() {
-    ServiceLoader loader = ServiceLoader.load( ProviderDeploymentContributor.class );
-    Iterator iterator = loader.iterator();
+    ServiceLoader<ProviderDeploymentContributor> loader = ServiceLoader.load( ProviderDeploymentContributor.class );
+    Iterator<ProviderDeploymentContributor> iterator = loader.iterator();
     assertThat( "Service iterator empty.", iterator.hasNext() );
     while( iterator.hasNext() ) {
       Object object = iterator.next();
diff --git a/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilterTest.java b/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilterTest.java
index adc554bb94..352c3c9ef6 100644
--- a/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilterTest.java
+++ b/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilterTest.java
@@ -33,13 +33,13 @@
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
-import de.thetaphi.forbiddenapis.SuppressForbidden;
 import org.apache.knox.gateway.GatewayFilter;
 import org.apache.knox.gateway.config.GatewayConfig;
 import org.apache.knox.gateway.context.ContextAttributes;
 import org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter;
 import org.apache.knox.gateway.provider.federation.jwt.filter.JWTFederationFilter;
 import org.apache.knox.gateway.provider.federation.jwt.filter.SignatureVerificationCache;
+import org.apache.knox.gateway.security.SubjectUtils;
 import org.apache.knox.gateway.services.GatewayServices;
 import org.apache.knox.gateway.services.security.AliasService;
 import org.apache.knox.gateway.topology.Topology;
@@ -59,7 +59,6 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.security.AccessController;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -548,12 +547,11 @@ public static class DummyFilterChain implements FilterChain {
     boolean doFilterCalled;
     Subject subject;
 
-    @SuppressForbidden
     @Override
     public void doFilter(ServletRequest request, ServletResponse response)
         throws IOException {
       doFilterCalled = true;
-      subject = Subject.getSubject( AccessController.getContext() );
+      subject = SubjectUtils.getCurrentSubject();
     }
   }
 
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
index b357e10a87..b5eaf69da3 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
@@ -375,11 +375,11 @@ public Subject createSubjectFromTokenIdentifier(final String tokenId) throws Unk
     return null;
   }
 
+  @SuppressWarnings("rawtypes")
   protected Subject createSubjectFromTokenData(final String principal, final String expectedPrincipalClaimValue) {
     String claimValue =
               (expectedPrincipalClaimValue != null) ? expectedPrincipalClaimValue.toLowerCase(Locale.ROOT) : null;
 
-    @SuppressWarnings("rawtypes")
     HashSet emptySet = new HashSet();
     Set<Principal> principals = new HashSet<>();
     Principal p = new PrimaryPrincipal(claimValue != null ? claimValue : principal);
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
index 4d6b56a547..073f90d7d9 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
@@ -18,7 +18,6 @@
 package org.apache.knox.gateway.provider.federation.jwt.filter;
 
 import java.io.IOException;
-import java.security.AccessController;
 import java.text.ParseException;
 import java.util.HashMap;
 
@@ -31,11 +30,11 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import de.thetaphi.forbiddenapis.SuppressForbidden;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.knox.gateway.filter.security.AbstractIdentityAssertionFilter;
 import org.apache.knox.gateway.i18n.messages.MessagesFactory;
 import org.apache.knox.gateway.provider.federation.jwt.JWTMessages;
+import org.apache.knox.gateway.security.SubjectUtils;
 import org.apache.knox.gateway.services.GatewayServices;
 import org.apache.knox.gateway.services.ServiceType;
 import org.apache.knox.gateway.services.registry.ServiceRegistry;
@@ -78,7 +77,6 @@ public void init( FilterConfig filterConfig ) throws ServletException {
             : filterConfig.getInitParameter(JWTAccessTokenAssertionFilter.ISSUER);
   }
 
-  @SuppressForbidden
   @Override
   public void doFilter(ServletRequest request, ServletResponse response,
       FilterChain chain) throws IOException, ServletException {
@@ -111,7 +109,7 @@ public void doFilter(ServletRequest request, ServletResponse response,
       // the JWTFederationFilter - once we get here we can assume that it is authorized and we just need
       // to assert the identity via an access token
 
-      Subject subject = Subject.getSubject(AccessController.getContext());
+      Subject subject = SubjectUtils.getCurrentSubject();
       String principalName = getPrincipalName(subject);
       principalName = mapper.mapUserPrincipal(principalName);
 
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
index 8aed952518..a1591e4cb2 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
@@ -18,7 +18,6 @@
 package org.apache.knox.gateway.provider.federation.jwt.filter;
 
 import java.io.IOException;
-import java.security.AccessController;
 import java.util.HashMap;
 
 import javax.security.auth.Subject;
@@ -28,9 +27,9 @@
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 
-import de.thetaphi.forbiddenapis.SuppressForbidden;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.knox.gateway.filter.security.AbstractIdentityAssertionFilter;
+import org.apache.knox.gateway.security.SubjectUtils;
 import org.apache.knox.gateway.services.ServiceType;
 import org.apache.knox.gateway.services.GatewayServices;
 import org.apache.knox.gateway.services.registry.ServiceRegistry;
@@ -65,11 +64,10 @@ public void init( FilterConfig filterConfig ) throws ServletException {
             : filterConfig.getInitParameter(JWTAccessTokenAssertionFilter.ISSUER);
   }
 
-  @SuppressForbidden
   @Override
   public void doFilter(ServletRequest request, ServletResponse response,
                        FilterChain chain) throws IOException {
-    Subject subject = Subject.getSubject(AccessController.getContext());
+    Subject subject = SubjectUtils.getCurrentSubject();
     String principalName = getPrincipalName(subject);
     principalName = mapper.mapUserPrincipal(principalName);
     JWT authCode;
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
index 6e292370d3..978e49931e 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
@@ -438,8 +438,7 @@ private void continueWithAnonymousSubject(final ServletRequest request,
    * An exception indicating that cookies are present, but none of them contain a
    * valid JWT.
    */
-  @SuppressWarnings("serial")
-  private class NoValidCookiesException extends Exception {
+  private static class NoValidCookiesException extends Exception {
     NoValidCookiesException() {
       super("None of the presented cookies are valid.");
     }
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/AbstractJWTFilterTest.java b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/AbstractJWTFilterTest.java
index dfa55a7d68..84eb5144b7 100644
--- a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/AbstractJWTFilterTest.java
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/AbstractJWTFilterTest.java
@@ -26,13 +26,13 @@
 import com.nimbusds.jose.crypto.RSASSAVerifier;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
-import de.thetaphi.forbiddenapis.SuppressForbidden;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.knox.gateway.config.GatewayConfig;
 import org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter;
 import org.apache.knox.gateway.provider.federation.jwt.filter.SSOCookieFederationFilter;
 import org.apache.knox.gateway.provider.federation.jwt.filter.SignatureVerificationCache;
 import org.apache.knox.gateway.security.PrimaryPrincipal;
+import org.apache.knox.gateway.security.SubjectUtils;
 import org.apache.knox.gateway.services.security.token.JWTokenAttributes;
 import org.apache.knox.gateway.services.security.token.JWTokenAuthority;
 import org.apache.knox.gateway.services.security.token.TokenServiceException;
@@ -60,7 +60,6 @@
 import java.net.InetAddress;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
-import java.security.AccessController;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.Principal;
@@ -1477,12 +1476,11 @@ protected static class TestFilterChain implements FilterChain {
     boolean doFilterCalled;
     Subject subject;
 
-    @SuppressForbidden
     @Override
     public void doFilter(ServletRequest request, ServletResponse response) {
       doFilterCalled = true;
 
-      subject = Subject.getSubject( AccessController.getContext() );
+      subject = SubjectUtils.getCurrentSubject();
     }
 
     public Subject getSubject() {
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/CommonJWTFilterTest.java b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/CommonJWTFilterTest.java
index d29b8e380d..9442a55172 100644
--- a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/CommonJWTFilterTest.java
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/CommonJWTFilterTest.java
@@ -16,10 +16,10 @@
  */
 package org.apache.knox.gateway.provider.federation;
 
-import de.thetaphi.forbiddenapis.SuppressForbidden;
 import org.apache.knox.gateway.config.GatewayConfig;
 import org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter;
 import org.apache.knox.gateway.provider.federation.jwt.filter.JWTFederationFilter;
+import org.apache.knox.gateway.security.SubjectUtils;
 import org.apache.knox.gateway.services.security.token.TokenStateService;
 import org.apache.knox.gateway.services.security.token.TokenUtils;
 import org.apache.knox.gateway.services.security.token.UnknownTokenException;
@@ -43,7 +43,6 @@
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
-import java.security.AccessController;
 import java.util.UUID;
 
 import static org.easymock.EasyMock.anyObject;
@@ -176,12 +175,11 @@ public static class DummyFilterChain implements FilterChain {
     boolean doFilterCalled;
     Subject subject;
 
-    @SuppressForbidden
     @Override
     public void doFilter(ServletRequest request, ServletResponse response)
         throws IOException {
       doFilterCalled = true;
-      subject = Subject.getSubject( AccessController.getContext() );
+      subject = SubjectUtils.getCurrentSubject();
     }
   }
 
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/JWTFederationFilterTest.java b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/JWTFederationFilterTest.java
index 864160b890..6f5ae49033 100644
--- a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/JWTFederationFilterTest.java
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/JWTFederationFilterTest.java
@@ -41,7 +41,6 @@
 
 import com.nimbusds.jwt.SignedJWT;
 
-@SuppressWarnings("PMD.TestClassWithoutTestCases")
 public class JWTFederationFilterTest extends AbstractJWTFilterTest {
 
   @Before
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/GatewayFilter.java b/gateway-server/src/main/java/org/apache/knox/gateway/GatewayFilter.java
index 3f7adf8807..a46fa8e486 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/GatewayFilter.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/GatewayFilter.java
@@ -111,7 +111,6 @@ public void doFilter( ServletRequest servletRequest, ServletResponse servletResp
     }
   }
 
-  @SuppressWarnings("unchecked")
   public void doFilter( ServletRequest servletRequest, ServletResponse servletResponse ) throws IOException, ServletException {
     HttpServletRequest httpRequest = (HttpServletRequest)servletRequest;
     HttpServletResponse httpResponse = (HttpServletResponse)servletResponse;
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/deploy/DeploymentException.java b/gateway-server/src/main/java/org/apache/knox/gateway/deploy/DeploymentException.java
index 53ffe44e04..b8d234117e 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/deploy/DeploymentException.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/deploy/DeploymentException.java
@@ -17,7 +17,6 @@
  */
 package org.apache.knox.gateway.deploy;
 
-@SuppressWarnings("serial")
 public class DeploymentException extends RuntimeException {
 
   public DeploymentException(String message, Exception e) {
diff --git a/gateway-service-knoxtoken/pom.xml b/gateway-service-knoxtoken/pom.xml
index f957f9bfca..be10f78b27 100644
--- a/gateway-service-knoxtoken/pom.xml
+++ b/gateway-service-knoxtoken/pom.xml
@@ -108,6 +108,7 @@
         <dependency>
             <groupId>de.thetaphi</groupId>
             <artifactId>forbiddenapis</artifactId>
+            <scope>test</scope>
         </dependency>
 
         <dependency>
diff --git a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
index b7122706e0..082ad1ff8d 100644
--- a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
+++ b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
@@ -18,7 +18,6 @@
 package org.apache.knox.gateway.service.knoxtoken;
 
 import java.nio.charset.StandardCharsets;
-import java.security.AccessController;
 import java.security.KeyStoreException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
@@ -66,8 +65,6 @@
 import com.nimbusds.jose.crypto.MACSigner;
 import com.nimbusds.jose.util.ByteUtils;
 
-import de.thetaphi.forbiddenapis.SuppressForbidden;
-
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.knox.gateway.config.GatewayConfig;
@@ -1103,9 +1100,8 @@ private boolean shouldIncludeGroups() {
     return Boolean.parseBoolean(request.getParameter(KNOX_TOKEN_INCLUDE_GROUPS));
   }
 
-  @SuppressForbidden
   protected Set<String> groups() {
-    Subject subject = Subject.getSubject(AccessController.getContext());
+    Subject subject = SubjectUtils.getCurrentSubject();
     Set<String> groups = subject.getPrincipals(GroupPrincipal.class).stream()
             .map(GroupPrincipal::getName)
             .collect(Collectors.toSet());
diff --git a/gateway-shell/src/main/java/org/apache/knox/gateway/shell/commands/SelectCommand.java b/gateway-shell/src/main/java/org/apache/knox/gateway/shell/commands/SelectCommand.java
index da654e84a4..6f8ca169d8 100644
--- a/gateway-shell/src/main/java/org/apache/knox/gateway/shell/commands/SelectCommand.java
+++ b/gateway-shell/src/main/java/org/apache/knox/gateway/shell/commands/SelectCommand.java
@@ -100,7 +100,6 @@ public Object execute(List<String> args) {
     }
 
     String dsName = (String) getVariables().get(KNOXDATASOURCE);
-    @SuppressWarnings("unchecked")
     Map<String, KnoxDataSource> dataSources = getDataSources();
     KnoxDataSource ds = null;
     if (dsName == null || dsName.isEmpty()) {
diff --git a/gateway-test-utils/src/main/java/org/apache/knox/test/mock/MockServletContext.java b/gateway-test-utils/src/main/java/org/apache/knox/test/mock/MockServletContext.java
index 1f8b216b42..d2937f2474 100644
--- a/gateway-test-utils/src/main/java/org/apache/knox/test/mock/MockServletContext.java
+++ b/gateway-test-utils/src/main/java/org/apache/knox/test/mock/MockServletContext.java
@@ -34,7 +34,6 @@
 import java.util.EventListener;
 import java.util.Map;
 import java.util.Set;
-@SuppressWarnings("PMD")
 public class MockServletContext implements ServletContext {
 
   @Override
@@ -98,19 +97,16 @@ public RequestDispatcher getNamedDispatcher( String s ) {
   }
 
   @Override
-  @SuppressWarnings("deprecation")
   public Servlet getServlet( String s ) throws ServletException {
     return null;
   }
 
   @Override
-  @SuppressWarnings("deprecation")
   public Enumeration<Servlet> getServlets() {
     return null;
   }
 
   @Override
-  @SuppressWarnings("deprecation")
   public Enumeration<String> getServletNames() {
     return null;
   }
@@ -120,7 +116,6 @@ public void log( String s ) {
   }
 
   @Override
-  @SuppressWarnings("deprecation")
   public void log( Exception e, String s ) {
   }
 
diff --git a/gateway-util-common/src/main/java/org/apache/knox/gateway/util/NoClassNameMultiLineToStringStyle.java b/gateway-util-common/src/main/java/org/apache/knox/gateway/util/NoClassNameMultiLineToStringStyle.java
index dcc56246a2..8437213b88 100644
--- a/gateway-util-common/src/main/java/org/apache/knox/gateway/util/NoClassNameMultiLineToStringStyle.java
+++ b/gateway-util-common/src/main/java/org/apache/knox/gateway/util/NoClassNameMultiLineToStringStyle.java
@@ -24,7 +24,6 @@
  * See https://github.com/apache/commons-lang/pull/308 (at the time of this
  * class being written the PR is not merged)
  */
-@SuppressWarnings("serial")
 public class NoClassNameMultiLineToStringStyle extends ToStringStyle {
 
   public NoClassNameMultiLineToStringStyle() {
diff --git a/pom.xml b/pom.xml
index a6c45fd68c..7b5c18c431 100644
--- a/pom.xml
+++ b/pom.xml
@@ -704,7 +704,7 @@
                     <!-- if the used Java version is too new, don't fail, just do nothing: -->
                     <failOnUnsupportedJava>false</failOnUnsupportedJava>
                     <!-- prevent failing if a module doesn't have all signature dependencies like commons-io -->
-                    <failOnUnresolvableSignatures>false</failOnUnresolvableSignatures>
+                    <ignoreSignaturesOfMissingClasses>true</ignoreSignaturesOfMissingClasses>
                     <bundledSignatures>
                         <!--
                           This will automatically choose the right