Return-Path: X-Original-To: apmail-directory-commits-archive@www.apache.org Delivered-To: apmail-directory-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id E15DB17280 for ; Tue, 11 Nov 2014 20:16:25 +0000 (UTC) Received: (qmail 74935 invoked by uid 500); 11 Nov 2014 20:16:25 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 74852 invoked by uid 500); 11 Nov 2014 20:16:25 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 74656 invoked by uid 99); 11 Nov 2014 20:16:25 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 11 Nov 2014 20:16:25 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id 73090A0DFBB; Tue, 11 Nov 2014 20:16:25 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: smckinney@apache.org To: commits@directory.apache.org Date: Tue, 11 Nov 2014 20:16:28 -0000 Message-Id: <18babf535227447bbb285102ec94637a@git.apache.org> In-Reply-To: <61050accc8274bebbbab2bcf7895b573@git.apache.org> References: <61050accc8274bebbbab2bcf7895b573@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [4/5] directory-fortress-realm git commit: change package structure, names, license, and pom improvements http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/impl/src/main/java/org/apache/directory/fortress/realm/J2eePolicyMgrImpl.java ---------------------------------------------------------------------- 
diff --git a/impl/src/main/java/org/apache/directory/fortress/realm/J2eePolicyMgrImpl.java b/impl/src/main/java/org/apache/directory/fortress/realm/J2eePolicyMgrImpl.java
new file mode 100644
index 0000000..2f3790a
--- /dev/null
+++ b/impl/src/main/java/org/apache/directory/fortress/realm/J2eePolicyMgrImpl.java
@@ -0,0 +1,575 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.realm;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.security.Principal;
+import java.util.Set;
+
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.ReviewMgr;
+import org.apache.directory.fortress.core.ReviewMgrFactory;
+import org.apache.directory.fortress.core.AccessMgr;
+import org.apache.directory.fortress.core.AccessMgrFactory;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.rbac.User;
+import org.apache.directory.fortress.core.rbac.Role;
+import org.apache.directory.fortress.core.rbac.Session;
+import org.apache.directory.fortress.realm.tomcat.TcPrincipal;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+import org.apache.directory.fortress.core.util.time.CUtil;
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+
+/**
+ * This class is for components that use 
Websphere and Tomcat Container SPI's to provide + * Java EE Security capabilities. These APIs may be called by external programs as needed though the recommended + * practice is to use Fortress Core APIs like {@link org.apache.directory.fortress.core.AccessMgr} and {@link org.apache.directory.fortress.core.ReviewMgr}. + * + * @author Shawn McKinney + */ +public class J2eePolicyMgrImpl implements J2eePolicyMgr +{ + private static final String CLS_NM = J2eePolicyMgrImpl.class.getName(); + private static final Logger log = Logger.getLogger( CLS_NM ); + private static AccessMgr accessMgr; + private static ReviewMgr reviewMgr; + private static final String SESSION = "session"; + private static int CONTEXT_SERIALIZATION_FAILED = 102; + + static + { + try + { + accessMgr = AccessMgrFactory.createInstance( GlobalIds.HOME ); + reviewMgr = ReviewMgrFactory.createInstance( GlobalIds.HOME ); + log.info( J2eePolicyMgrImpl.class.getName() + " - Initialized successfully" ); + } + catch ( SecurityException se ) + { + String error = CLS_NM + " caught SecurityException=" + se; + log.fatal( error ); + } + } + + + /** + * Perform user authentication and evaluate password policies. + * + * @param userId Contains the userid of the user signing on. + * @param password Contains the user's password. + * @return boolean true if succeeds, false otherwise. + * @throws org.apache.directory.fortress.core.SecurityException + * in the event of data validation failure, security policy violation or DAO error. 
+ */ + @Override + public boolean authenticate( String userId, char[] password ) throws SecurityException + { + boolean result = false; + Session session = accessMgr.authenticate( userId, password ); + if ( session != null ) + { + result = true; + if ( log.isEnabledFor( Level.DEBUG ) ) + { + log.debug( CLS_NM + ".authenticate userId [" + userId + "] successful" ); + } + } + else + { + if ( log.isEnabledFor( Level.DEBUG ) ) + { + log.debug( CLS_NM + ".authenticate userId [" + userId + "] failed" ); + } + } + + return result; + } + + + /** + * Perform user authentication {@link org.apache.directory.fortress.core.rbac.User#password} and role activations.
+ * This method must be called once per user prior to calling other methods within this class. + * The successful result is {@link org.apache.directory.fortress.core.rbac.Session} that contains target user's RBAC {@link + * User#roles} and Admin role {@link User#adminRoles}.
+ * In addition to checking user password validity it will apply configured password policy checks {@link org.openldap + * .fortress.rbac.User#pwPolicy}..
+ * Method may also store parms passed in for audit trail {@link org.apache.directory.fortress.core.rbac.FortEntity}. + *

This API will...

+ *
    + *
  • authenticate user password if trusted == false. + *
  • perform OpenLDAP password policy evaluation. + *
  • fail for any user who is locked by OpenLDAP's policies {@link org.apache.directory.fortress.core.rbac.User#isLocked()}, + * regardless of trusted flag being set as parm on API. + *
  • evaluate temporal {@link org.apache.directory.fortress.core.util.time.Constraint}(s) on {@link org.apache.directory.fortress.core.rbac.User}, + * {@link org.apache.directory.fortress.core.rbac.UserRole} and {@link org.apache.directory.fortress.core.rbac.UserAdminRole} entities. + *
  • process selective role activations into User RBAC Session {@link User#roles}. + *
  • check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.rbac.DSDChecker#validate(org.apache.directory.fortress.core.rbac.Session, + * org.apache.directory.fortress.core.util.time.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link org.apache.directory.fortress.core + * .rbac.User#roles}. + *
  • process selective administrative role activations {@link User#adminRoles}. + *
  • return a {@link org.apache.directory.fortress.core.rbac.Session} containing {@link org.apache.directory.fortress.core.rbac.Session#getUser()}, + * {@link org.apache.directory.fortress.core.rbac.Session#getRoles()} and {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()} if + * everything checks out good. + *
  • throw a checked exception that will be {@link org.apache.directory.fortress.core.SecurityException} or its derivation. + *
  • throw a {@link SecurityException} for system failures. + *
  • throw a {@link org.apache.directory.fortress.core.PasswordException} for authentication and password policy violations. + *
  • throw a {@link org.apache.directory.fortress.core.ValidationException} for data validation errors. + *
  • throw a {@link org.apache.directory.fortress.core.FinderException} if User id not found. + *
+ *

+ * The function is valid if and only if: + *

+ *
    + *
  • the user is a member of the USERS data set + *
  • the password is supplied (unless trusted). + *
  • the (optional) active role set is a subset of the roles authorized for that user. + *
+ *

+ * The following attributes may be set when calling this method + *

+ *
    + *
  • {@link org.apache.directory.fortress.core.rbac.User#userId} - required + *
  • {@link org.apache.directory.fortress.core.rbac.User#password} + *
  • {@link org.apache.directory.fortress.core.rbac.User#roles} contains a list of RBAC role names authorized for user and + * targeted for activation within this session. Default is all authorized RBAC roles will be activated into this + * Session. + *
  • {@link org.apache.directory.fortress.core.rbac.User#adminRoles} contains a list of Admin role names authorized for user and + * targeted for activation. Default is all authorized ARBAC roles will be activated into this Session. + *
  • {@link User#props} collection of name value pairs collected on behalf of User during signon. For example + * hostname:myservername or ip:192.168.1.99 + *
+ *

+ * Notes: + *

+ *
    + *
  • roles that violate Dynamic Separation of Duty Relationships will not be activated into session. + *
  • role activations will proceed in same order as supplied to User entity setter, + * see {@link org.apache.directory.fortress.core.rbac.User#setRole(String)}. + *
+ *

+ * + * @param userId maps to {@link org.apache.directory.fortress.core.rbac.User#userId}. + * @param password maps to {@link org.apache.directory.fortress.core.rbac.User#password}. + * @return TcPrincipal which contains the User's RBAC Session data formatted into a java.security.Principal that + * is used by Tomcat runtime. + * @throws org.apache.directory.fortress.core.SecurityException + * in the event of data validation failure, security policy violation or DAO error. + */ + @Override + public TcPrincipal createSession( String userId, char[] password ) throws SecurityException + { + User user = new User( userId, password ); + return createSession( user ); + } + + + /** + * Perform user authentication {@link User#password} and role activations.
+ * This method must be called once per user prior to calling other methods within this class. + * The successful result is {@link org.apache.directory.fortress.core.rbac.Session} that contains target user's RBAC {@link User#roles} and Admin role {@link User#adminRoles}.
+ * In addition to checking user password validity it will apply configured password policy checks {@link org.apache.directory.fortress.core.rbac.User#pwPolicy}..
+ * Method may also store parms passed in for audit trail {@link org.apache.directory.fortress.core.rbac.FortEntity}. + *

This API will...

+ *
    + *
  • authenticate user password if trusted == false. + *
  • perform OpenLDAP password policy evaluation. + *
  • fail for any user who is locked by OpenLDAP's policies {@link org.apache.directory.fortress.core.rbac.User#isLocked()}, regardless of trusted flag being set as parm on API. + *
  • evaluate temporal {@link org.apache.directory.fortress.core.util.time.Constraint}(s) on {@link User}, {@link org.apache.directory.fortress.core.rbac.UserRole} and {@link org.apache.directory.fortress.core.rbac.UserAdminRole} entities. + *
  • process selective role activations into User RBAC Session {@link User#roles}. + *
  • check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.rbac.DSDChecker#validate(org.apache.directory.fortress.core.rbac.Session, org.apache.directory.fortress.core.util.time.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link org.apache.directory.fortress.core.rbac.User#roles}. + *
  • process selective administrative role activations {@link User#adminRoles}. + *
  • return a {@link org.apache.directory.fortress.core.rbac.Session} containing {@link org.apache.directory.fortress.core.rbac.Session#getUser()}, {@link org.apache.directory.fortress.core.rbac.Session#getRoles()} and {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()} if everything checks out good. + *
  • throw a checked exception that will be {@link org.apache.directory.fortress.core.SecurityException} or its derivation. + *
  • throw a {@link SecurityException} for system failures. + *
  • throw a {@link org.apache.directory.fortress.core.PasswordException} for authentication and password policy violations. + *
  • throw a {@link org.apache.directory.fortress.core.ValidationException} for data validation errors. + *
  • throw a {@link org.apache.directory.fortress.core.FinderException} if User id not found. + *
+ *

+ * The function is valid if and only if: + *

+ *
    + *
  • the user is a member of the USERS data set + *
  • the password is supplied (unless trusted). + *
  • the (optional) active role set is a subset of the roles authorized for that user. + *
+ *

+ * The following attributes may be set when calling this method + *

+ *
    + *
  • {@link User#userId} - required + *
  • {@link org.apache.directory.fortress.core.rbac.User#password} + *
  • {@link org.apache.directory.fortress.core.rbac.User#roles} contains a list of RBAC role names authorized for user and targeted for activation within this session. Default is all authorized RBAC roles will be activated into this Session. + *
  • {@link org.apache.directory.fortress.core.rbac.User#adminRoles} contains a list of Admin role names authorized for user and targeted for activation. Default is all authorized ARBAC roles will be activated into this Session. + *
  • {@link User#props} collection of name value pairs collected on behalf of User during signon. For example hostname:myservername or ip:192.168.1.99 + *
+ *

+ * Notes: + *

+ *
    + *
  • roles that violate Dynamic Separation of Duty Relationships will not be activated into session. + *
  • role activations will proceed in same order as supplied to User entity setter, see {@link User#setRole(String)}. + *
+ *

+ * + * @param userId maps to {@link org.apache.directory.fortress.core.rbac.User#userId}. + * @param password maps to {@link org.apache.directory.fortress.core.rbac.User#password}. + * @param roles constains list of role names to activate. + * @return TcPrincipal which contains the User's RBAC Session data formatted into a java.security.Principal that is used by Tomcat runtime. + * @throws org.apache.directory.fortress.core.SecurityException + * in the event of data validation failure, security policy violation or DAO error. + */ + public TcPrincipal createSession(String userId, char[] password, List roles) + throws SecurityException + { + User user = new User( userId, password ); + // Load the passed in role list into list of User requested roles: + if(VUtil.isNotNullOrEmpty( roles )) + { + for(String role : roles) + { + user.setRole( role ); + } + } + return createSession( user ); + } + + + /** + * Utility function to call Fortress createSession, build the principal on behalf of caller. + * + * @param user + * @return + * @throws SecurityException + */ + private TcPrincipal createSession( User user ) throws SecurityException + { + Session session = accessMgr.createSession( user, false ); + if ( log.isEnabledFor( Level.DEBUG ) ) + { + log.debug( CLS_NM + ".createSession userId [" + user.getUserId() + "] successful" ); + } + HashMap context = new HashMap(); + context.put( SESSION, session ); + + // now serialize the principal: + String ser = serialize( session ); + + // Store the serialized principal inside the context hashmap + // which allows overriden toString to return it later, from within an application thread. + // This facilitates assertion of rbac session from the tomcat realm into the web application session. + context.put( TcPrincipal.SERIALIZED, ser ); + return new TcPrincipal( user.getUserId(), context ); + } + + /** + * Perform user authentication {@link org.apache.directory.fortress.core.rbac.User#password} and role activations.
+ * This method must be called once per user prior to calling other methods within this class. + * The successful result is {@link org.apache.directory.fortress.core.rbac.Session} that contains target user's RBAC {@link + * User#roles} and Admin role {@link User#adminRoles}.
+ * In addition to checking user password validity it will apply configured password policy checks {@link org.openldap + * .fortress.rbac.User#pwPolicy}..
+ * Method may also store parms passed in for audit trail {@link org.apache.directory.fortress.core.rbac.FortEntity}. + *

This API will...

+ *
    + *
  • authenticate user password if trusted == false. + *
  • perform OpenLDAP password policy evaluation. + *
  • fail for any user who is locked by OpenLDAP's policies {@link org.apache.directory.fortress.core.rbac.User#isLocked()}, + * regardless of trusted flag being set as parm on API. + *
  • evaluate temporal {@link org.apache.directory.fortress.core.util.time.Constraint}(s) on {@link org.apache.directory.fortress.core.rbac.User}, + * {@link org.apache.directory.fortress.core.rbac.UserRole} and {@link org.apache.directory.fortress.core.rbac.UserAdminRole} entities. + *
  • process selective role activations into User RBAC Session {@link User#roles}. + *
  • check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.rbac.DSDChecker#validate(org.apache.directory.fortress.core.rbac.Session, + * org.apache.directory.fortress.core.util.time.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link org.apache.directory.fortress.core + * .rbac.User#roles}. + *
  • process selective administrative role activations {@link User#adminRoles}. + *
  • return a {@link org.apache.directory.fortress.core.rbac.Session} containing {@link org.apache.directory.fortress.core.rbac.Session#getUser()}, + * {@link org.apache.directory.fortress.core.rbac.Session#getRoles()} and {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()} if + * everything checks out good. + *
  • throw a checked exception that will be {@link org.apache.directory.fortress.core.SecurityException} or its derivation. + *
  • throw a {@link SecurityException} for system failures. + *
  • throw a {@link org.apache.directory.fortress.core.PasswordException} for authentication and password policy violations. + *
  • throw a {@link org.apache.directory.fortress.core.ValidationException} for data validation errors. + *
  • throw a {@link org.apache.directory.fortress.core.FinderException} if User id not found. + *
+ *

+ * The function is valid if and only if: + *

+ *
    + *
  • the user is a member of the USERS data set + *
  • the password is supplied (unless trusted). + *
  • the (optional) active role set is a subset of the roles authorized for that user. + *
+ *

+ * The following attributes may be set when calling this method + *

+ *
    + *
  • {@link org.apache.directory.fortress.core.rbac.User#userId} - required + *
  • {@link org.apache.directory.fortress.core.rbac.User#password} + *
  • {@link org.apache.directory.fortress.core.rbac.User#roles} contains a list of RBAC role names authorized for user and + * targeted for activation within this session. Default is all authorized RBAC roles will be activated into this + * Session. + *
  • {@link org.apache.directory.fortress.core.rbac.User#adminRoles} contains a list of Admin role names authorized for user and + * targeted for activation. Default is all authorized ARBAC roles will be activated into this Session. + *
  • {@link org.apache.directory.fortress.core.rbac.User#props} collection of name value pairs collected on behalf of User during + * signon. For example hostname:myservername or ip:192.168.1.99 + *
+ *

+ * Notes: + *

+ *
    + *
  • roles that violate Dynamic Separation of Duty Relationships will not be activated into session. + *
  • role activations will proceed in same order as supplied to User entity setter, + * see {@link org.apache.directory.fortress.core.rbac.User#setRole(String)}. + *
+ *

+ * + * @param user Contains {@link org.apache.directory.fortress.core.rbac.User#userId}, {@link org.apache.directory.fortress.core.rbac.User#password} + * (optional if {@code isTrusted} is 'true'), optional {@link org.apache.directory.fortress.core.rbac.User#roles}, + * optional {@link org.apache.directory.fortress.core.rbac.User#adminRoles} + * @param isTrusted if true password is not required. + * @return Session object will contain authentication result code {@link org.apache.directory.fortress.core.rbac.Session#errorId}, + * RBAC role activations {@link org.apache.directory.fortress.core.rbac.Session#getRoles()}, Admin Role activations {@link org.openldap + * .fortress.rbac.Session#getAdminRoles()},OpenLDAP pw policy codes {@link org.apache.directory.fortress.core.rbac + * .Session#warningId}, {@link org.apache.directory.fortress.core.rbac.Session#expirationSeconds}, + * {@link org.apache.directory.fortress.core.rbac.Session#graceLogins} and more. + * @throws org.apache.directory.fortress.core.SecurityException + * in the event of data validation failure, security policy violation or DAO error. + */ + @Override + public Session createSession( User user, boolean isTrusted ) throws SecurityException + { + if ( log.isDebugEnabled() ) + { + log.debug( CLS_NM + ".createSession userId [" + user.getUserId() + "] " ); + } + return accessMgr.createSession( user, isTrusted ); + } + + + /** + * Determine if given Role is contained within User's Tomcat Principal object. This method does not need to hit + * the ldap server as the User's activated Roles are loaded into {@link org.apache.directory.fortress.realm.tomcat + * .TcPrincipal#setContext(java.util.HashMap)} + * + * @param principal Contains User's Tomcat RBAC Session data that includes activated Roles. + * @param roleName Maps to {@link org.apache.directory.fortress.core.rbac.Role#name}. + * @return True if Role is found in TcPrincipal, false otherwise. 
+ * @throws org.apache.directory.fortress.core.SecurityException + * data validation failure or system error.. + */ + @Override + public boolean hasRole( Principal principal, String roleName ) throws SecurityException + { + String fullMethodName = CLS_NM + ".hasRole"; + if ( log.isDebugEnabled() ) + { + log.debug( fullMethodName + " userId [" + principal.getName() + "] role [" + roleName + "]" ); + } + + // Fail closed + boolean result = false; + + // Principal must contain a HashMap that contains a Fortress session object. + HashMap context = ( ( TcPrincipal ) principal ).getContext(); + VUtil.assertNotNull( context, GlobalErrIds.SESS_CTXT_NULL, fullMethodName ); + + // This Map must contain a Fortress Session: + Session session = context.get( SESSION ); + VUtil.assertNotNull( session, GlobalErrIds.USER_SESS_NULL, fullMethodName ); + + Set authZRoles = accessMgr.authorizedRoles( session ); + if ( authZRoles != null && authZRoles.size() > 0 ) + { + // Does the set of authorized roles contain a name matched to the one passed in? + if ( authZRoles.contains( roleName ) ) + { + // Yes, we have a match. + if ( log.isEnabledFor( Level.DEBUG ) ) + { + log.debug( fullMethodName + " userId [" + principal.getName() + "] role [" + roleName + "] " + + "successful" ); + } + result = true; + } + else + { + if ( log.isEnabledFor( Level.DEBUG ) ) + { + // User is not authorized in their Session.. + log.debug( fullMethodName + " userId [" + principal.getName() + "] is not authorized role [" + + roleName + "]" ); + } + } + } + else + { + // User does not have any authorized Roles in their Session.. + log.info( fullMethodName + " userId [" + principal.getName() + "], role [" + roleName + "], has no authorized roles" ); + } + return result; + } + + + /** + * Method reads Role entity from the role container in directory. + * + * @param roleName maps to {@link org.apache.directory.fortress.core.rbac.Role#name}, to be read. + * @return Role entity that corresponds with role name. 
+ * @throws org.apache.directory.fortress.core.SecurityException + * will be thrown if role not found or system error occurs. + */ + @Override + public Role readRole( String roleName ) throws SecurityException + { + return reviewMgr.readRole( new Role( roleName ) ); + } + + + /** + * Search for Roles assigned to given User. + * + * @param searchString Maps to {@link org.apache.directory.fortress.core.rbac.User#userId}. + * @param limit controls the size of ldap result set returned. + * @return List of type String containing the {@link org.apache.directory.fortress.core.rbac.Role#name} of all assigned Roles. + * @throws org.apache.directory.fortress.core.SecurityException + * in the event of data validation failure or DAO error. + */ + @Override + public List searchRoles( String searchString, int limit ) throws SecurityException + { + return reviewMgr.findRoles( searchString, limit ); + } + + + /** + * Method returns matching User entity that is contained within the people container in the directory. + * + * @param userId maps to {@link org.apache.directory.fortress.core.rbac.User#userId} that matches record in the directory. userId + * is globally unique in + * people container. + * @return entity containing matching user data. + * @throws SecurityException if record not found or system error occurs. + */ + @Override + public User readUser( String userId ) throws SecurityException + { + return reviewMgr.readUser( new User( userId ) ); + } + + + /** + * Return a list of type String of all users in the people container that match the userId field passed in User + * entity. + * This method is used by the Websphere sentry component. The max number of returned users may be set by the + * integer limit arg. + * + * @param searchString contains all or some leading chars that correspond to users stored in the directory. + * @param limit integer value sets the max returned records. + * @return List of type String containing matching userIds. 
+ * @throws SecurityException in the event of system error. + */ + @Override + public List searchUsers( String searchString, int limit ) throws SecurityException + { + return reviewMgr.findUsers( new User( searchString ), limit ); + } + + + /** + * This function returns the set of users assigned to a given role. The function is valid if and + * only if the role is a member of the ROLES data set. + * The max number of users returned is constrained by limit argument. + * This method is used by the Websphere sentry component. This method does NOT use hierarchical rbac. + * + * @param roleName maps to {@link org.apache.directory.fortress.core.rbac.Role#name} of Role entity assigned to user. + * @param limit integer value sets the max returned records. + * @return List of type String containing userIds assigned to a particular role. + * @throws org.apache.directory.fortress.core.SecurityException + * in the event of data validation or system error. + */ + @Override + public List assignedUsers( String roleName, int limit ) throws SecurityException + { + return reviewMgr.assignedUsers( new Role( roleName ), limit ); + } + + + /** + * This function returns the set of roles authorized for a given user. The function is valid if + * and only if the user is a member of the USERS data set. + * + * @param userId maps to {@link org.apache.directory.fortress.core.rbac.User#userId} matching User entity stored in the directory. + * @return Set of type String containing the roles assigned and roles inherited. + * @throws SecurityException If user not found or system error occurs. + */ + @Override + public List authorizedRoles( String userId ) throws SecurityException + { + List list = null; + // This will check temporal constraints on User and Roles. + Session session = createSession( new User( userId ), true ); + // Get the Set of authorized Roles. + Set authZRoleSet = accessMgr.authorizedRoles( session ); + // If User has authorized roles. 
+ if ( authZRoleSet != null && authZRoleSet.size() > 0 ) + { + // Convert the Set into a List before returning: + list = new ArrayList( authZRoleSet ); + } + return list; + } + + /** + * Utility to write any object into a Base64 string. Used by this class to serialize {@link TcPrincipal} object to be returned by its toString method.. + */ + private String serialize( Object obj ) throws SecurityException + { + String szRetVal = null; + if( obj != null ) + { + try + { + ByteArrayOutputStream bo = new ByteArrayOutputStream(); + ObjectOutputStream so = new ObjectOutputStream( bo ); + so.writeObject( obj ); + so.flush(); + // This encoding induces a bijection between byte[] and String (unlike UTF-8) + szRetVal = bo.toString( "ISO-8859-1" ); + } + catch ( IOException ioe ) + { + String error = "serialize caught IOException: " + ioe; + throw new SecurityException(CONTEXT_SERIALIZATION_FAILED, error); + } + } + return szRetVal; + } +} + http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/impl/src/main/java/org/apache/directory/fortress/realm/package.html ---------------------------------------------------------------------- diff --git a/impl/src/main/java/org/apache/directory/fortress/realm/package.html b/impl/src/main/java/org/apache/directory/fortress/realm/package.html new file mode 100644 index 0000000..d3ee7a1 --- /dev/null +++ b/impl/src/main/java/org/apache/directory/fortress/realm/package.html @@ -0,0 +1,27 @@ + + + + Package Documentation for Fortress Sentry + + +
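Review bot: The private `createSession( User user )` stores a Java-serialized copy of the whole `Session` under `TcPrincipal.SERIALIZED` so the principal's `toString` can hand it to the web application, yet nothing in the code or Javadoc says how sensitive that string is or who may deserialize it. Principals are routinely printed in logs and error pages, and the `User` here is built with `new User( userId, password )`; whether the `Session` returned by `accessMgr.createSession` still carries the password is not visible in this hunk and should be confirmed. I would add above the `context.put( TcPrincipal.SERIALIZED, ser )` line: `// ser is a Java-serialized Session: keep it out of logs and deserialize it only from the container-supplied principal, never from request data.` In `serialize`, the `catch ( IOException ioe )` block also drops the cause by folding it into the message; passing `ioe` through to the `SecurityException` (if the core class has a cause-taking constructor) would keep the stack trace.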

+ This package is the Java Sentry component. The Fortress Java Sentry provides APIs that are used by + Java EE applications to perform authentication, authorization and audit within runtime + application server environments. The APIs are not called directly by outside client programs rather they + are called by the application servers during runtime policy enforcement. +

+ + http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TC7AccessMgrFascade.java ---------------------------------------------------------------------- diff --git a/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TC7AccessMgrFascade.java b/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TC7AccessMgrFascade.java new file mode 100644 index 0000000..dccf5c0 --- /dev/null +++ b/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TC7AccessMgrFascade.java 
@@ -0,0 +1,238 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.realm.tomcat;
+
+import org.apache.directory.fortress.realm.util.CpUtil;
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Wrapper;
+import org.apache.catalina.realm.RealmBase;
+
+import java.net.URL;
+import java.security.Principal;
+import java.net.URLClassLoader;
+import java.util.logging.Logger;
+
+import org.apache.directory.fortress.realm.util.ChildFirstUrlClassLoader;
+
+/**
+ * This class extends the Tomcat 7 and beyond RealmBase class and provides Java EE security services within the Tomcat container.
+ * This class is a "proxy" for the {@link org.apache.directory.fortress.realm.tomcat.TcAccessMgrImpl} class which isolates dependencies from the Tomcat
+ * runtime environment by loading the implementation on a URLClassLoader.
+ *
+ * @author Shawn McKinney
+ */
+public class TC7AccessMgrFascade extends RealmBase
+{
+ private static final String CLS_NM = TC7AccessMgrFascade.class.getName();
+ private static final Logger log = Logger.getLogger(CLS_NM);
+ private static final String REALM_IMPL = "org.apache.directory.fortress.realm.tomcat.TcAccessMgrImpl";
+ private static final String REALM_CLASSPATH = "REALM_CLASSPATH";
+ private static final String JBOSS_AGENT = "jboss";
+ private static String container = "Catalina7";
+ private static String defaultRoles;
+ private String realmClasspath;
+ private TcAccessMgr realm = new TcAccessMgrImpl();
+
+ /**
+ * Gets the info attribute of the TcAccessMgrProxy object
+ *
+ * @return The info value
+ */
+ @Override
+ public String getInfo()
+ {
+ return info;
+ }
+
+
+ /**
+ * Perform user authentication and evaluate password policies.
+ *
+ * @param userId Contains the userid of the user signing on.
+ * @param password Contains the user's password.
+ * @return Principal whic * This method will load the Fortress Tomcat implementation on a URL classloader. Methods on the implementation are
+ * wrapped by methods on this class and are accessed via the {@code realm} instance variable of this class.
+ */
+ @Override
+ public Principal authenticate(String userId, String password)
+ {
+ if(realm == null)
+ {
+ throw new RuntimeException(CLS_NM + "authenticate detected Fortress Tomcat7 Realm not initialized correctly. Check your Fortress Realm configuration");
+ }
+ return realm.authenticate(userId, password.toCharArray());
+ }
+
+
+ /**
+ * Determine if given Role is contained within User's Tomcat Principal object. This method does not need to hit
+ * the ldap server as the User's activated Roles are loaded into {@link org.apache.directory.fortress.realm.tomcat.TcPrincipal#setContext(java.util.HashMap)}
+ *
+ * @param principal Contains User's Tomcat RBAC Session data that includes activated Roles.
+ * @param role Maps to {@code org.apache.directory.fortress.core.rbac.Role#name}.
+ * @return True if Role is found in TcPrincipal, false otherwise.
+ */
+ @Override
+ public boolean hasRole(Wrapper wrapper, Principal principal, String role)
+ {
+ if(realm == null)
+ {
+ throw new RuntimeException(CLS_NM + "authenticate detected Fortress Tomcat7 Realm not initialized correctly. Check your Fortress Realm configuration");
+ }
+ return realm.hasRole(principal, role);
+ }
+
+ /**
+ * Gets the name attribute of the TcAccessMgrProxy object
+ *
+ * @return The name value
+ */
+ @Override
+ protected String getName()
+ {
+ return (CLS_NM);
+ }
+
+
+ /**
+ * Gets the password attribute of the TcAccessMgrProxy object
+ *
+ * @param username Description of the Parameter
+ * @return The password value
+ */
+ @Override
+ protected String getPassword(String username)
+ {
+ return (null);
+ }
+
+
+ /**
+ * Gets the principal attribute of the TcAccessMgrProxy object
+ *
+ * @param username Description of the Parameter
+ * @return The principal value
+ */
+ @Override
+ protected Principal getPrincipal(String username)
+ {
+ return (null);
+ }
+
+
+ /**
+ * Prepare for the beginning of active use of the public methods of this
+ * component and implement the requirements of
+ * {@link org.apache.catalina.util.LifecycleBase#startInternal()}.
+ *
+ * @throws LifecycleException if this component detects a fatal error
+ * that prevents this component from being used
+ */
+ @Override
+ protected void startInternal() throws LifecycleException
+ {
+ super.startInternal();
+ }
+
+ /**
+ * Gracefully terminate the active use of the public methods of this
+ * component and implement the requirements of
+ * {@link org.apache.catalina.util.LifecycleBase#stopInternal()}.
+ *
+ * @throws LifecycleException if this component detects a fatal error
+ * that needs to be reported
+ */
+ @Override
+ protected void stopInternal() throws LifecycleException
+ {
+
+ // Perform normal superclass finalization
+ super.stopInternal();
+
+ // Release reference to our sentry impl
+ realm = null;
+
+ }
+
+ /**
+ * Gets the containerType attribute of the TcAccessMgrProxy object
+ *
+ * @return The containerType value
+ */
+ public String getContainerType()
+ {
+ return container;
+ }
+
+ /**
+ * Sets the containerType attribute of the TcAccessMgrProxy object
+ *
+ * @param container The new containerType value
+ */
+ public void setContainerType(String container)
+ {
+ log.info(CLS_NM + ".setContainerType <" + container + ">");
+ this.container = container;
+ }
+
+ /**
+ * Gets the realmClasspath attribute of the TcAccessMgrProxy object
+ *
+ * @return The realmClasspath value
+ */
+ public String getRealmClasspath()
+ {
+ log.info(CLS_NM + ".getRealmClasspath <" + realmClasspath + ">");
+ return realmClasspath;
+ }
+
+ /**
+ * Sets the realmClasspath attribute of the TcAccessMgrProxy object
+ *
+ * @param rCpth The new realmClasspath value
+ */
+ public void setRealmClasspath(String rCpth)
+ {
+ log.info(CLS_NM + ".setRealmClasspath <" + rCpth + ">");
+ this.realmClasspath = rCpth;
+ }
+
+ /**
+ * Gets the defaultRoles attribute of the TcAccessMgrProxy object. When set, it will be passed into all subsequent calls to Fortress createSession.
+ *
+ * @return String containing comma delimited list of role names.
+ */
+ public static String getDefaultRoles()
+ {
+ log.info(CLS_NM + ".getDefaultRoles <" + defaultRoles + ">");
+ return defaultRoles;
+ }
+
+ /**
+ * Sets the defaultRoles attribute of the TcAccessMgrProxy object. When set, it will be passed into all subsequent calls to Fortress createSession.
+ *
+ * @param defaultRoles containing comma delimited list of role names.
+ */
+ public static void setDefaultRoles( String defaultRoles )
+ {
+ log.info(CLS_NM + ".setDefaultRoles <" + defaultRoles + ">");
+ TC7AccessMgrFascade.defaultRoles = defaultRoles;
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcAccessMgrImpl.java
----------------------------------------------------------------------
diff --git a/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcAccessMgrImpl.java b/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcAccessMgrImpl.java
new file mode 100644
index 0000000..c0628ec
--- /dev/null
+++ b/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcAccessMgrImpl.java
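Review bot: `setDefaultRoles` only stores its argument in the static field `defaultRoles`; nothing in this class passes it to `realm`, so as far as this file shows a configured `defaultRoles` never reaches `TcAccessMgrImpl.setDefaultRoles` and `createSession` runs without the intended role scoping. Because the setting exists to narrow which roles may be activated, silently ignoring it would leave sessions with a wider role set than the administrator configured. Forward the value when the realm starts, for example `realm.setDefaultRoles( defaultRoles );` after `super.startInternal();`; this assumes the `TcAccessMgr` interface, which is not shown here, declares that method. A comment on the static setter stating where the value is consumed would also help the next reader.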
@@ -0,0 +1,156 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.realm.tomcat;
+
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+import org.apache.directory.fortress.realm.J2eePolicyMgr;
+import org.apache.directory.fortress.realm.J2eePolicyMgrFactory;
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * This class runs on a URL classloader and provides Fortress runtime security services for the Tomcat container.
+ *
+ * @author Shawn McKinney
+ */
+public class TcAccessMgrImpl implements TcAccessMgr
+{
+ private static final String CLS_NM = TcAccessMgrImpl.class.getName();
+ private static final Logger log = Logger.getLogger(CLS_NM);
+ private static int count = 0;
+ private J2eePolicyMgr j2eeMgr;
+ // If this field gets set, use for all subsequent calls to authenticate:
+ private List defaultRoles;
+
+ /**
+ * Constructor for the TcAccessMgrImpl object
+ */
+ public TcAccessMgrImpl()
+ {
+ try
+ {
+ j2eeMgr = J2eePolicyMgrFactory.createInstance();
+ log.info(CLS_NM + " constructor <" + count++ + ">");
+ }
+ catch (SecurityException se)
+ {
+ String error = CLS_NM + " constructor caught SecurityException=" + se;
+ log.fatal(error);
+ se.printStackTrace();
+ throw new java.lang.RuntimeException(error, se);
+ }
+ }
+
+ /**
+ * Perform user authentication and evaluate password policies.
+ *
+ * @param userId Contains the userid of the user signing on.
+ * @param password Contains the user's password.
+ * @return Principal which contains the Fortress RBAC session data.
+ */
+ public Principal authenticate(String userId, char[] password)
+ {
+ TcPrincipal prin = null;
+ try
+ {
+ // If a 'default.roles' property set in config, user them
+ if( VUtil.isNotNullOrEmpty( defaultRoles ))
+ {
+ prin = j2eeMgr.createSession( userId, password, defaultRoles );
+ if (log.isEnabledFor(Level.DEBUG))
+ {
+ log.debug(CLS_NM + ".authenticate userId [" + userId + "], with default roles [" + defaultRoles + "], successful");
+ }
+ }
+ else
+ {
+ prin = j2eeMgr.createSession(userId, password);
+ if (log.isEnabledFor(Level.DEBUG))
+ {
+ log.debug(CLS_NM + ".authenticate userId [" + userId + "] successful");
+ }
+ }
+ }
+ catch (SecurityException se)
+ {
+ String warning = CLS_NM + ".authenticate userId <" + userId + "> caught SecurityException=" + se;
+ log.warn(warning);
+ }
+ return prin;
+ }
+
+ /**
+ * Determine if given Role is contained within User's Tomcat Principal object.
+This method does not need to hit
+ * the ldap server as the User's activated Roles are loaded into {@link TcPrincipal#setContext(java.util.HashMap)}
+ *
+ * @param principal Contains User's Tomcat RBAC Session data that includes activated Roles.
+ * @param roleName Maps to {@code org.apache.directory.fortress.core.rbac.Role#name}.
+ * @return True if Role is found in TcPrincipal, false otherwise.
+ */
+ public boolean hasRole(Principal principal, String roleName)
+ {
+ boolean result = false;
+ String userId = principal.getName();
+ try
+ {
+ if (j2eeMgr.hasRole(principal, roleName))
+ {
+ if (log.isEnabledFor(Level.DEBUG))
+ {
+ log.debug(CLS_NM + ".hasRole userId <" + principal.getName() + "> role <" + roleName + "> successful");
+ }
+ result = true;
+ }
+ else
+ {
+ if (log.isEnabledFor(Level.DEBUG))
+ {
+ log.debug(CLS_NM + ".hasRole userId <" + principal.getName() + "> role <" + roleName + "> failed");
+ }
+ }
+ }
+ catch (SecurityException se)
+ {
+ String warning = CLS_NM + ".hasRole userId <" + userId + "> role <" + roleName + "> caught SecurityException=" + se;
+ log.warn(warning);
+ }
+ return result;
+ }
+
+ /**
+ * When the 'defaultRoles' parameter is set on realm proxy config (e.g. in server.xml or context.xml) it will be used to pass into
+ * createSession calls into Fortress. This will scope the roles to be considered for activation to this particular set.
+ *
+ * @param szDefaultRoles contains a String containing comma delimited roles names.
+ */
+ public void setDefaultRoles(String szDefaultRoles)
+ {
+ if( VUtil.isNotNullOrEmpty( szDefaultRoles ))
+ {
+ defaultRoles = Arrays.asList(szDefaultRoles.split("\\s*,\\s*"));
+ log.info( "DEFAULT ROLES: " + defaultRoles );
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcPrincipal.java
----------------------------------------------------------------------
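Review bot: `authenticate` concatenates the caller-supplied `userId` straight into the `log.warn` message written on a failed sign-on, and into both debug messages, so line breaks in a login name land verbatim in the log and can split or imitate entries in the record of failed logins. Neutralise control characters once at the top of the method and log that copy instead, for example `String safeId = ( userId == null ) ? null : userId.replaceAll( "[\\r\\n]", "_" );`. `hasRole` builds its messages the same way from `principal.getName()` and `roleName` and would benefit from the same treatment.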
diff --git a/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcPrincipal.java b/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcPrincipal.java
new file mode 100644
index 0000000..0c430c1
--- /dev/null
+++ b/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcPrincipal.java
@@ -0,0 +1,146 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.realm.tomcat;
+
+import org.apache.directory.fortress.core.rbac.Session;
+
+import java.util.HashMap;
+
+/**
+ * Contains the Fortress RBAC session that has been created on behalf of an end user who has
+ * signed onto Tomcat system. The session contains the User's active roles and other security attributes.
+ *
+ * @author Shawn McKinney
+ */
+public class TcPrincipal implements java.security.Principal, java.io.Serializable
+{
+ public static final String SERIALIZED = "SERIALIZED";
+ private HashMap context;
+ private String name;
+
+
+ /**
+ * Constructor for the TcPrincipal object. Accepts a HashMap which
+ * contains the Fortress session.
+ *
+ * @param name contains the userId of User who signed onto Tomcat.
+ * @param context Instantiated HashMap that contains the User's Fortress session data.
+ */
+ public TcPrincipal( String name, HashMap context )
+ {
+ if ( context == null || name == null )
+ {
+ throw new NullPointerException( TcPrincipal.class.getName() + " Null Map passed to constructor" );
+ }
+ this.context = context;
+ this.name = name;
+ }
+
+
+ /**
+ * Return the HashMap to the caller. This HashMap contains the User's Fortress session data.
+ *
+ * @return HashMap reference to security session data.
+ */
+ public final HashMap getContext()
+ {
+ return context;
+ }
+
+
+ /**
+ * Return the userId of the end User who has signed onto Tomcat and is represented by this principal object.
+ *
+ * @return Contains the end userId.
+ */
+ public final String getName()
+ {
+ return name;
+ }
+
+
+ /**
+ * Set a new HashMap reference into this Principal object.
+ *
+ * @param context HashMap reference to security session data.
+ */
+ public final void setContext( HashMap context )
+ {
+ this.context = context;
+ }
+
+
+ /**
+ * This method returns a string containing the serialized instance of this object.
+ *
+ * @return Return this object in serialized format.
+ */
+ public final String toString()
+ {
+ String ser = null;
+ HashMap context = getContext();
+ if ( context != null )
+ {
+ ser = (String)context.get( SERIALIZED );
+ }
+ return ser;
+ }
+
+ /**
+ * Determine if the caller supplied a reference to a security Principal that is equal to the current value.
+ *
+ * @param o Contains reference to the Principal.
+ * @return true if the userId on both Principal objects is equal, false otherwise.
+ */
+ public final boolean equals( Object o )
+ {
+ if ( o == null )
+ {
+ return false;
+ }
+ if ( this == o )
+ {
+ return true;
+ }
+ if ( !( o instanceof TcPrincipal ) )
+ {
+ return false;
+ }
+ TcPrincipal that = ( TcPrincipal ) o;
+
+ if ( this.getName().equals( that.getName() ) )
+ {
+ return true;
+ }
+ return false;
+ }
+
+
+ /**
+ * Compute the hashcode for the current userId asserted into this Principal object.
+ * + * @return Description of the Return Value + */ + public final int hashCode() + { + return name.hashCode(); + } +} + http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/ivy.xml ---------------------------------------------------------------------- diff --git a/ivy.xml b/ivy.xml index bc145e9..fba7e48 100644 --- a/ivy.xml +++ b/ivy.xml @@ -1,21 +1,26 @@ + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> - + - + + http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 4dad5df..bcd9df3 100644 --- a/pom.xml +++ b/pom.xml 
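Review bot: `getContext()` hands out the live `HashMap` and `setContext` replaces it without the null check the constructor enforces, so any code that can reach the principal can alter or clear the session data that, per the `hasRole` Javadoc elsewhere in this commit, role checks are answered from. At minimum make `setContext` reject null the way the constructor does, `if ( context == null ) { throw new NullPointerException( TcPrincipal.class.getName() + " Null Map passed to setContext" ); }`, and state in the class Javadoc that the map is the live session and must not be modified by callers. Whether the setter needs to stay public cannot be judged from this hunk.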
@@ -1,49 +1,405 @@ + - + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> + 4.0.0 - org.openldap - sentry - jar - Fortress Sentry - 1.0-RC39 - Sentry is an ANSI RBAC INCITS 359 compliant policy enforcement engine. - http://www.openldap.org/fortress/ + org.apache.directory + fortress-realm + pom + Apache Fortress Realm + Fortress Realm is an ANSI RBAC INCITS 359 compliant policy enforcement engine. 
+ http://directory.apache.org/foress/ + 1.0-RC40 + + + apache-directory-fortress-realm + scpexe://people.apache.org/www/directory.apache.org/api/gen-docs/${project.version}/ + + + + 1.0.2 + 0.1 + 0.1 + 1.7.5 + 1.7.5 + 4.11 + + + 1.0-RC40 + + + 1.0.0 + + - OpenLDAP Public License - http://www.OpenLDAP.org/license.html - repo + Apache License 2.0 + http://www.apache.org/licenses/LICENSE-2.0 - http://www.openldap.org/software/repo/openldap-fortress-realm.git - git://git.openldap.org/openldap-fortress-realm.git + scm:git:http://git-wip-us.apache.org/repos/asf/directory-fortress-realm.git + scm:git:https://git-wip-us.apache.org/repos/asf/directory-fortress-realm.git + HEAD + + + jira + https://issues.apache.org/jira/browse/DIRREALM + + + + org.sonatype.oss + oss-parent + 7 + + + + + Apache Directory -- Fortress List + fortress@directory.apache.org + http://mail-archives.apache.org/mod_mbox/directory-fortress/ + + + + elecharny + Emmanuel Lecharny + elecharny@@apache.org + + Developer + + Apache Software Foundation + +1 + + smckinney Shawn McKinney - smckinney@symas.com + smckinney@apache.org + -6 + + + impl + proxy + + + + + ${project.artifactId}-${version} + + + + + org.apache.maven.plugins + maven-release-plugin + + @{project.version} + + + + + + + + + maven-assembly-plugin + 2.4 + + + make-assembly + package + + single + + + + src/main/assembly/distsrc.xml + + + + + + + + org.apache.maven.plugins + maven-source-plugin + + + attach-sources + verify + + jar-no-fork + + + + + + + org.apache.maven.plugins + maven-site-plugin + + + + org.apache.maven.wagon + wagon-ssh + 2.1 + + + + org.apache.maven.wagon + wagon-ssh-external + 2.1 + + + + + + org.apache.maven.plugins + maven-jxr-plugin + + true + + + + + org.apache.maven.plugins + maven-surefire-report-plugin + + true + + + + + org.apache.maven.plugins + maven-project-info-reports-plugin + + + + org.codehaus.mojo + taglist-maven-plugin + + + TODO + @todo + @deprecated + FIXME + + + + + + org.apache.maven.plugins + 
maven-javadoc-plugin + + 512m + 1g + true + + + todo + + a + To do: + + + 1.6 + + + + + aggregate + test-aggregate + + + + + + + org.codehaus.mojo + versions-maven-plugin + + + + dependency-updates-report + plugin-updates-report + property-updates-report + + + + + + + org.apache.rat + apache-rat-plugin + + + false + + + **/target/**/* + **/cobertura.ser + + **/.classpath + **/.project + **/.settings/**/* + + **/*.iml + **/*.ipr + **/*.iws + + **/MANIFEST.MF + + distribution/src/main/release/licenses/* + src/main/release/licenses/* + + **/dependency-reduced-pom.xml + + **/src/main/resources/schema/**/*.ldif + **/src/main/resources/schema-all.ldif + **/src/main/resources/schema/**/*.ldif + **/src/main/resources/schema-all.ldif + + ldap/src/main/java/org/apache/directory/api/asn1/der/*.java + src/main/java/org/apache/directory/api/asn1/der/*.java + + + + + + org.codehaus.mojo + javancss-maven-plugin + + + + org.codehaus.mojo + jdepend-maven-plugin + + + + + + + + + + + + + + org.apache.directory + fortress-core + ${fortress-core.version} + + + + org.apache.tomcat + tomcat-catalina + 7.0.22 + + + + + + + + findbugs + annotations + provided + 1.0.0 + + + + + org.slf4j + slf4j-api + ${slf4j.api.version} + + + + + org.slf4j + slf4j-log4j12 + test + ${slf4j.log4j12.version} + + - org.openldap - fortress - 1.0-RC39 + junit + junit + test + 4.11 - \ No newline at end of file + + + + release-sign-artifacts + + false + + performRelease + true + + + + + + org.apache.maven.plugins + maven-gpg-plugin + 1.4 + + + sign-artifacts + verify + + sign + + + + + + + + + + + http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/proxy/pom.xml ---------------------------------------------------------------------- diff --git a/proxy/pom.xml b/proxy/pom.xml new file mode 100644 index 0000000..876e755 --- /dev/null +++ b/proxy/pom.xml 
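Review bot: The first SCM URL in this hunk is `scm:git:http://git-wip-us.apache.org/repos/asf/directory-fortress-realm.git`, a plain-http connection, while the one after it uses https; a checkout made through the http form can be altered in transit before it is built or released. Use `scm:git:https://git-wip-us.apache.org/repos/asf/directory-fortress-realm.git` for both entries. The element names are not visible in this rendering, so which entry is the read-only connection is inferred from their order. Two typos in the same hunk are worth fixing at the same time: the project URL `http://directory.apache.org/foress/` and the address `elecharny@@apache.org`.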
@@ -0,0 +1,78 @@ + + + + 4.0.0 + + org.apache.directory + fortress-realm + 1.0-RC40 + + + fortress-realm-proxy + Apache Fortress Realm Proxy + jar + + + Proxy classes for the Fortress Realm Component. + + + + + org.apache.directory.junit + junit-addons + test + 0.1 + + + + org.apache.directory.api + api-all + 1.0.0-M24 + + + + org.apache.tomcat + tomcat-catalina + 7.0.22 + + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.1 + + 1.7 + 1.7 + + + + + org.apache.maven.plugins + maven-jar-plugin + 2.5 + + + + http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/proxy/src/main/java/fortress-javadoc.css ---------------------------------------------------------------------- diff --git a/proxy/src/main/java/fortress-javadoc.css b/proxy/src/main/java/fortress-javadoc.css new file mode 100644 index 0000000..44ace3f --- /dev/null +++ b/proxy/src/main/java/fortress-javadoc.css @@ -0,0 +1,32 @@ +BODY { color: #000000; + background-color: #FFFFFF; + font-family: sans-serif } + +A:link { color: #0101DF; + text-decoration: underline } + +A:visited { color: #610B38; + text-decoration: underline } + +A:hover { color: #0B3B0B; + text-decoration: underline } + +PRE { background-color: #99CC66; + margin: 15px 30px; + padding: 10px 10px; + border: 1px solid #000000 } + +# the following will add space between list items: +#LI { margin: 10px 0px } + +TH { background-color: #FFFFFF; color: #003300; + font-size: 125%; + font-weight: bold } + + +# Classes defined specifically for Javadoc +.TableHeadingColor { background-color: #D8D8D8 } + +.NavBarCell1 { background-color: #99CC66 } + +.FrameItemFont { font-size: 90% }