diff --git a/build.gradle b/build.gradle index dd8f4f6..4875563 100644 --- a/build.gradle +++ b/build.gradle @@ -66,6 +66,15 @@ allprojects { subproject -> } } + pluginManager.withPlugin('jacoco') { + test { + finalizedBy jacocoTestReport + } + jacocoTestReport { + dependsOn test + } + } + pluginManager.withPlugin(catalog.plugins.kotlin.jvm.get().pluginId) { tasks.withType(KotlinCompile.class) { compilerOptions.jvmTarget = JvmTarget.JVM_21 diff --git a/gbcs-server/build.gradle b/gbcs-server/build.gradle index 3ba4dcc..3254f1a 100644 --- a/gbcs-server/build.gradle +++ b/gbcs-server/build.gradle @@ -1,6 +1,7 @@ plugins { id 'java-library' alias catalog.plugins.kotlin.jvm + id 'jacoco' id 'maven-publish' } diff --git a/gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/auth/ClientCertificateValidator.kt b/gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/auth/ClientCertificateValidator.kt index bb05165..8689de2 100644 --- a/gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/auth/ClientCertificateValidator.kt +++ b/gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/auth/ClientCertificateValidator.kt @@ -19,8 +19,9 @@ import javax.net.ssl.X509TrustManager class ClientCertificateValidator private constructor( - private val sslHandler : SslHandler, - private val x509TrustManager: X509TrustManager) : ChannelInboundHandlerAdapter() { + private val sslHandler: SslHandler, + private val x509TrustManager: X509TrustManager +) : ChannelInboundHandlerAdapter() { override fun userEventTriggered(ctx: ChannelHandlerContext, evt: Any) { if (evt is SslHandshakeCompletionEvent) { if (evt.isSuccess) { 
@@ -36,13 +37,14 @@ class ClientCertificateValidator private constructor( } companion object { - fun getTrustManager(trustStore : KeyStore?, certificateRevocationEnabled : Boolean) : X509TrustManager { - return if(trustStore != null) { + fun getTrustManager(trustStore: KeyStore?, certificateRevocationEnabled: Boolean): X509TrustManager { + return if (trustStore != null) { val certificateFactory = CertificateFactory.getInstance("X.509") val validator = CertPathValidator.getInstance("PKIX").apply { val rc = revocationChecker as PKIXRevocationChecker rc.options = EnumSet.of( - PKIXRevocationChecker.Option.NO_FALLBACK) + PKIXRevocationChecker.Option.NO_FALLBACK + ) } val params = PKIXParameters(trustStore).apply { isRevocationEnabled = certificateRevocationEnabled @@ -52,7 +54,7 @@ class ClientCertificateValidator private constructor( val clientCertificateChain = certificateFactory.generateCertPath(chain.toList()) try { validator.validate(clientCertificateChain, params) - } catch (ex : CertPathValidatorException) { + } catch (ex: CertPathValidatorException) { throw CertificateException(ex) } } @@ -62,7 +64,7 @@ class ClientCertificateValidator private constructor( } private val acceptedIssuers = trustStore.aliases().asSequence() - .filter (trustStore::isCertificateEntry) + .filter(trustStore::isCertificateEntry) .map(trustStore::getCertificate) .map { it as X509Certificate } .toList() 
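Review bot: In `getTrustManager`, the `NO_FALLBACK` option is set on a checker that validation never appears to use: `rc` is a local inside the `apply` block on the `CertPathValidator` and goes out of scope when that block closes. As far as I know the JDK's PKIX provider hands out a new checker on each read of `revocationChecker`, so the configured instance is discarded and `validator.validate(...)` runs with the default revocation options. Obtain the checker outside the `apply` block and register it on the parameters with `params.addCertPathChecker(rc)`. The `PKIXParameters(trustStore).apply` block continues outside this hunk, so confirm nothing there already registers a checker.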
@@ -72,11 +74,16 @@ class ClientCertificateValidator private constructor( } } else { val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()) - trustManagerFactory.trustManagers.asSequence().filter { it is X509TrustManager }.single() as X509TrustManager + trustManagerFactory.trustManagers.asSequence().filter { it is X509TrustManager } + .single() as X509TrustManager } } - fun of(sslHandler : SslHandler, trustStore : KeyStore?, certificateRevocationEnabled : Boolean) : ClientCertificateValidator { + fun of( + sslHandler: SslHandler, + trustStore: KeyStore?, + certificateRevocationEnabled: Boolean + ): ClientCertificateValidator { return ClientCertificateValidator(sslHandler, getTrustManager(trustStore, certificateRevocationEnabled)) } } diff --git a/gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/configuration/Parser.kt b/gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/configuration/Parser.kt index c9282ef..e64ee92 100644 --- a/gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/configuration/Parser.kt +++ b/gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/configuration/Parser.kt @@ -200,8 +200,12 @@ object Parser { }.toSet() private fun parseUserRefs(root: Element) = root.asIterable().asSequence().map { - it.renderAttribute("ref") - }.toSet() + when(it.localName) { + "user" -> it.renderAttribute("ref") + "anonymous" -> "" + else -> ConfigurationException("Unrecognized tag '${it.localName}'") + } + } private fun parseUsers(root: Element): Sequence { return root.asIterable().asSequence().filter {
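Review bot: In the branch taken when no trust store is supplied, `trustManagerFactory.trustManagers` is read straight after `TrustManagerFactory.getInstance(...)` with no `init` call in between. An uninitialized factory throws `IllegalStateException` instead of returning the platform trust managers, so a server configured without a trust store would fail here. Add `trustManagerFactory.init(null as KeyStore?)` before the read so the default trust store is loaded. The lookup can also drop the cast: `trustManagerFactory.trustManagers.filterIsInstance<X509TrustManager>().single()`.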
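Review bot: The `else` branch of the new `when` in `parseUserRefs` constructs a `ConfigurationException` but never throws it, so an unrecognized tag is not rejected and the exception object becomes an element of the result. It should read `else -> throw ConfigurationException("Unrecognized tag '${it.localName}'")`. The change also drops `.toSet()`, so the function now returns a lazy `Sequence` whose element type is no longer `String`; restore `}.toSet()` unless the callers were adapted outside this diff. Because `""` now stands for the anonymous user, a `user` element with an empty `ref` would presumably be treated as anonymous too, so blank `ref` values are worth rejecting here.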