From: smckinney@apache.org To: commits@directory.apache.org Date: Tue, 09 Jun 2015 03:16:10 -0000 Message-Id: <5aa2f7de0df7440d9d3bbf4f0b8826a1@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [64/75] [abbrv] directory-fortress-core git commit: FC-109 - move a couple utils to model FC-109 - move a couple utils to model Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/559c280e Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/559c280e Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/559c280e Branch: refs/heads/master Commit: 559c280e40fbfffe945c20ec1d898463a1668f13 Parents: f88771a Author: Shawn McKinney Authored: Wed Jun 3 21:34:04 2015 -0500 Committer: Shawn McKinney Committed: Wed Jun 3 21:34:04 2015 -0500 ---------------------------------------------------------------------- .../directory/fortress/core/AccelMgr.java | 4 +- .../directory/fortress/core/AccessMgr.java | 4 +- .../directory/fortress/core/AdminMgr.java | 2 +- .../directory/fortress/core/ant/UserAnt.java | 2 +- .../core/cli/CommandLineInterpreter.java | 2 +- .../directory/fortress/core/cli/Options.java | 2 +- .../fortress/core/impl/AccelMgrImpl.java | 4 +- .../fortress/core/impl/AccessMgrImpl.java | 23 +- .../fortress/core/impl/AdminMgrImpl.java | 6 +- .../fortress/core/impl/AdminRoleDAO.java | 6 +- .../directory/fortress/core/impl/ConfigDAO.java | 2 +- .../fortress/core/impl/DSDChecker.java | 6 +- .../fortress/core/impl/DelAccessMgrImpl.java | 5 +- .../fortress/core/impl/DelAdminMgrImpl.java | 6 +- .../directory/fortress/core/impl/GroupDAO.java | 2 +- .../directory/fortress/core/impl/PermDAO.java | 2 +- .../directory/fortress/core/impl/RoleDAO.java | 6 +- .../directory/fortress/core/impl/SDUtil.java | 2 +- .../directory/fortress/core/impl/UserDAO.java | 12 +- .../directory/fortress/core/impl/UserP.java | 14 +- 
.../core/ldap/ApacheDsDataProvider.java | 8 +- .../fortress/core/model/AdminRole.java | 4 +- .../fortress/core/model/Constraint.java | 244 ++++++++ .../fortress/core/model/ConstraintUtil.java | 351 ++++++++++++ .../directory/fortress/core/model/Group.java | 2 - .../directory/fortress/core/model/PropUtil.java | 128 +++++ .../directory/fortress/core/model/Role.java | 9 +- .../directory/fortress/core/model/User.java | 2 - .../fortress/core/model/UserAdminRole.java | 6 +- .../directory/fortress/core/model/UserRole.java | 6 +- .../apache/directory/fortress/core/package.html | 2 +- .../fortress/core/rest/AccessMgrRestImpl.java | 4 +- .../fortress/core/rest/AdminMgrRestImpl.java | 2 +- .../directory/fortress/core/util/PropUtil.java | 128 ----- .../directory/fortress/core/util/VUtil.java | 180 +++++- .../fortress/core/util/time/CUtil.java | 553 ------------------- .../fortress/core/util/time/ClockTime.java | 9 +- .../fortress/core/util/time/Constraint.java | 242 -------- .../directory/fortress/core/util/time/Date.java | 3 +- .../directory/fortress/core/util/time/Day.java | 5 +- .../fortress/core/util/time/LockDate.java | 7 +- .../fortress/core/util/time/TUtil.java | 2 +- .../directory/fortress/core/util/time/Time.java | 2 +- .../fortress/core/util/time/Timeout.java | 5 +- .../fortress/core/util/time/Validator.java | 1 + .../fortress/core/AdminMgrConsole.java | 2 +- .../fortress/core/ReviewMgrConsole.java | 2 +- .../fortress/core/example/Example.java | 2 +- .../fortress/core/example/ExampleDAO.java | 6 +- .../fortress/core/impl/AdminMgrImplTest.java | 6 +- .../fortress/core/impl/AdminRoleTestData.java | 2 +- .../fortress/core/impl/RoleTestData.java | 2 +- .../directory/fortress/core/impl/TestUtils.java | 2 +- .../fortress/core/impl/UserTestData.java | 2 +- 54 files changed, 1004 insertions(+), 1039 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/AccelMgr.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/AccelMgr.java b/src/main/java/org/apache/directory/fortress/core/AccelMgr.java index e3504de..56b08dd 100644 --- a/src/main/java/org/apache/directory/fortress/core/AccelMgr.java +++ b/src/main/java/org/apache/directory/fortress/core/AccelMgr.java @@ -83,9 +83,9 @@ public interface AccelMgr extends Manageable *
  • perform OpenLDAP password policy evaluation. * *
  • fail for any user who is locked by OpenLDAP's policies {@link org.apache.directory.fortress.core.model.User#isLocked()}, regardless of trusted flag being set as parm on API. - *
  • evaluate temporal {@link org.apache.directory.fortress.core.util.time.Constraint}(s) on {@link User}, {@link UserRole} and {@link org.apache.directory.fortress.core.model.UserAdminRole} entities. + *
  • evaluate temporal {@link org.apache.directory.fortress.core.model.Constraint}(s) on {@link User}, {@link UserRole} and {@link org.apache.directory.fortress.core.model.UserAdminRole} entities. *
  • process selective role activations into User RBAC Session {@link User#roles}. - *
  • check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.impl.DSDChecker#validate(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.util.time.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link org.apache.directory.fortress.core.model.User#roles}. + *
  • check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.impl.DSDChecker#validate(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link org.apache.directory.fortress.core.model.User#roles}. *
  • process selective administrative role activations {@link User#adminRoles}. *
  • return a {@link org.apache.directory.fortress.core.model.Session} containing {@link org.apache.directory.fortress.core.model.Session#getUser()}, {@link org.apache.directory.fortress.core.model.Session#getRoles()} and (if admin user) {@link org.apache.directory.fortress.core.model.Session#getAdminRoles()} if everything checks out good. *
  • throw a checked exception that will be {@link SecurityException} or its derivation. http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/AccessMgr.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/AccessMgr.java b/src/main/java/org/apache/directory/fortress/core/AccessMgr.java index 4b773fc..1a19f18 100755 --- a/src/main/java/org/apache/directory/fortress/core/AccessMgr.java +++ b/src/main/java/org/apache/directory/fortress/core/AccessMgr.java @@ -92,9 +92,9 @@ public interface AccessMgr extends Manageable *
  • perform OpenLDAP password policy evaluation. * *
  • fail for any user who is locked by OpenLDAP's policies {@link org.apache.directory.fortress.core.model.User#isLocked()}, regardless of trusted flag being set as parm on API. - *
  • evaluate temporal {@link org.apache.directory.fortress.core.util.time.Constraint}(s) on {@link User}, {@link UserRole} and {@link org.apache.directory.fortress.core.model.UserAdminRole} entities. + *
  • evaluate temporal {@link org.apache.directory.fortress.core.model.Constraint}(s) on {@link User}, {@link UserRole} and {@link org.apache.directory.fortress.core.model.UserAdminRole} entities. *
  • process selective role activations into User RBAC Session {@link User#roles}. - *
  • check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.impl.DSDChecker#validate(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.util.time.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link org.apache.directory.fortress.core.model.User#roles}. + *
  • check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.impl.DSDChecker#validate(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link org.apache.directory.fortress.core.model.User#roles}. *
  • process selective administrative role activations {@link User#adminRoles}. *
  • return a {@link org.apache.directory.fortress.core.model.Session} containing {@link org.apache.directory.fortress.core.model.Session#getUser()}, {@link org.apache.directory.fortress.core.model.Session#getRoles()} and (if admin user) {@link org.apache.directory.fortress.core.model.Session#getAdminRoles()} if everything checks out good. *
  • throw a checked exception that will be {@link SecurityException} or its derivation. http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/AdminMgr.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/AdminMgr.java b/src/main/java/org/apache/directory/fortress/core/AdminMgr.java index 80f535d..523289e 100755 --- a/src/main/java/org/apache/directory/fortress/core/AdminMgr.java +++ b/src/main/java/org/apache/directory/fortress/core/AdminMgr.java @@ -328,7 +328,7 @@ public interface AdminMgr extends Manageable *
  • {@link Role#endLockDate} - YYYYMMDD - determines end of enforced inactive status
  • *
  • {@link Role#dayMask} - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day role may be activated into user's RBAC session
  • * - * @param role Must contains {@link Role#name} and may contain new description or {@link org.apache.directory.fortress.core.util.time.Constraint} + * @param role Must contains {@link Role#name} and may contain new description or {@link org.apache.directory.fortress.core.model.Constraint} * @return Role contains reference to entity operated on. * @throws SecurityException in the event of validation or system error. */ http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/ant/UserAnt.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/ant/UserAnt.java b/src/main/java/org/apache/directory/fortress/core/ant/UserAnt.java index 0f36d49..d062e32 100755 --- a/src/main/java/org/apache/directory/fortress/core/ant/UserAnt.java +++ b/src/main/java/org/apache/directory/fortress/core/ant/UserAnt.java @@ -23,7 +23,7 @@ package org.apache.directory.fortress.core.ant; import org.apache.commons.io.FileUtils; import org.apache.commons.lang.StringUtils; import org.apache.directory.fortress.core.util.ObjUtil; -import org.apache.directory.fortress.core.util.PropUtil; +import org.apache.directory.fortress.core.model.PropUtil; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.apache.directory.fortress.core.model.User; http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/cli/CommandLineInterpreter.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/cli/CommandLineInterpreter.java b/src/main/java/org/apache/directory/fortress/core/cli/CommandLineInterpreter.java index 079d42b..d7098a1 100755 --- a/src/main/java/org/apache/directory/fortress/core/cli/CommandLineInterpreter.java 
+++ b/src/main/java/org/apache/directory/fortress/core/cli/CommandLineInterpreter.java
@@ -51,7 +51,7 @@ import org.apache.directory.fortress.core.model.AdminRole;
 import org.apache.directory.fortress.core.model.OrgUnit;
 import org.apache.directory.fortress.core.model.UserAdminRole;
 import org.apache.directory.fortress.core.model.Relationship;
-import org.apache.directory.fortress.core.util.time.Constraint;
+import org.apache.directory.fortress.core.model.Constraint;
 /**
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/cli/Options.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/cli/Options.java b/src/main/java/org/apache/directory/fortress/core/cli/Options.java
index 2b54978..f229766 100755
--- a/src/main/java/org/apache/directory/fortress/core/cli/Options.java
+++ b/src/main/java/org/apache/directory/fortress/core/cli/Options.java
@@ -31,7 +31,7 @@ import org.apache.directory.fortress.core.model.Relationship;
 import org.apache.directory.fortress.core.model.Role;
 import org.apache.directory.fortress.core.model.SDSet;
 import org.apache.directory.fortress.core.model.User;
-import org.apache.directory.fortress.core.util.time.Constraint;
+import org.apache.directory.fortress.core.model.Constraint;
 import java.util.Vector;
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/AccelMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AccelMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/AccelMgrImpl.java
index 46186f6..192f3c2 100644
--- a/src/main/java/org/apache/directory/fortress/core/impl/AccelMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AccelMgrImpl.java
@@ -95,9 +95,9 @@ public class AccelMgrImpl extends Manageable implements AccelMgr *
  • authenticate user password if trusted == false. *
  • perform OpenLDAP password policy evaluation. *
  • fail for any user who is locked by OpenLDAP's policies {@link org.apache.directory.fortress.core.model.User#isLocked()}, regardless of trusted flag being set as parm on API. - *
  • evaluate temporal {@link org.apache.directory.fortress.core.util.time.Constraint}(s) on {@link org.apache.directory.fortress.core.model.User}, {@link org.apache.directory.fortress.core.model.UserRole} and {@link org.apache.directory.fortress.core.model.UserAdminRole} entities. + *
  • evaluate temporal {@link org.apache.directory.fortress.core.model.Constraint}(s) on {@link org.apache.directory.fortress.core.model.User}, {@link org.apache.directory.fortress.core.model.UserRole} and {@link org.apache.directory.fortress.core.model.UserAdminRole} entities. *
  • process selective role activations into User RBAC Session {@link org.apache.directory.fortress.core.model.User#roles}. - *
  • check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.impl.DSDChecker#validate(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.util.time.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link org.apache.directory.fortress.core.model.User#roles}. + *
  • check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.impl.DSDChecker#validate(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link org.apache.directory.fortress.core.model.User#roles}. *
  • process selective administrative role activations {@link org.apache.directory.fortress.core.model.User#adminRoles}. *
  • return a {@link org.apache.directory.fortress.core.model.Session} that contains a reference to an object stored on the RBAC server.. *
  • throw a checked exception that will be {@link org.apache.directory.fortress.core.SecurityException} or its derivation. http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java index 04d79d4..7e53547 100755 --- a/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java +++ b/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java @@ -32,7 +32,6 @@ import org.apache.directory.fortress.core.model.User; import org.apache.directory.fortress.core.model.UserRole; import org.apache.directory.fortress.core.util.VUtil; import org.apache.directory.fortress.core.util.ObjUtil; -import org.apache.directory.fortress.core.util.time.CUtil; /** @@ -119,9 +118,9 @@ public class AccessMgrImpl extends Manageable implements AccessMgr *
  • authenticate user password if trusted == false. *
  • perform OpenLDAP password policy evaluation. *
  • fail for any user who is locked by OpenLDAP's policies {@link User#isLocked()}, regardless of trusted flag being set as parm on API. - *
  • evaluate temporal {@link org.apache.directory.fortress.core.util.time.Constraint}(s) on {@link User}, {@link org.apache.directory.fortress.core.model.UserRole} and {@link org.apache.directory.fortress.core.model.UserAdminRole} entities. + *
  • evaluate temporal {@link org.apache.directory.fortress.core.model.Constraint}(s) on {@link User}, {@link org.apache.directory.fortress.core.model.UserRole} and {@link org.apache.directory.fortress.core.model.UserAdminRole} entities. *
  • process selective role activations into User RBAC Session {@link User#roles}. - *
  • check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.impl.DSDChecker#validate(Session, org.apache.directory.fortress.core.util.time.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link User#roles}. + *
  • check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.impl.DSDChecker#validate(Session, org.apache.directory.fortress.core.model.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link User#roles}. *
  • process selective administrative role activations {@link User#adminRoles}. *
  • return a {@link Session} containing {@link Session#getUser()}, {@link Session#getRoles()} and (if admin user) {@link Session#getAdminRoles()} if everything checks out good. *
  • throw a checked exception that will be {@link org.apache.directory.fortress.core.SecurityException} or its derivation. @@ -198,8 +197,8 @@ public class AccessMgrImpl extends Manageable implements AccessMgr getFullMethodName( CLS_NM, methodName ) ); VUtil.assertNotNullOrEmpty( perm.getObjName(), GlobalErrIds.PERM_OBJECT_NULL, getFullMethodName( CLS_NM, methodName ) ); - CUtil.validateConstraints( session, CUtil.ConstraintType.USER, false ); - CUtil.validateConstraints( session, CUtil.ConstraintType.ROLE, false ); + VUtil.validateConstraints( session, VUtil.ConstraintType.USER, false ); + VUtil.validateConstraints( session, VUtil.ConstraintType.ROLE, false ); return permP.checkPermission( session, perm ); } @@ -218,8 +217,8 @@ public class AccessMgrImpl extends Manageable implements AccessMgr { String methodName = "sessionPermissions"; assertContext( CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL ); - CUtil.validateConstraints( session, CUtil.ConstraintType.USER, false ); - CUtil.validateConstraints( session, CUtil.ConstraintType.ROLE, false ); + VUtil.validateConstraints( session, VUtil.ConstraintType.USER, false ); + VUtil.validateConstraints( session, VUtil.ConstraintType.ROLE, false ); return permP.search( session ); } @@ -239,8 +238,8 @@ public class AccessMgrImpl extends Manageable implements AccessMgr { String methodName = "sessionRoles"; assertContext( CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL ); - CUtil.validateConstraints( session, CUtil.ConstraintType.USER, false ); - CUtil.validateConstraints( session, CUtil.ConstraintType.ROLE, false ); + VUtil.validateConstraints( session, VUtil.ConstraintType.USER, false ); + VUtil.validateConstraints( session, VUtil.ConstraintType.ROLE, false ); return session.getRoles(); } 
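Review bot: The pair `VUtil.validateConstraints( session, VUtil.ConstraintType.USER, false );` / `VUtil.validateConstraints( session, VUtil.ConstraintType.ROLE, false );` that precedes `permP.checkPermission( session, perm )` here is repeated verbatim in the `sessionPermissions`, `sessionRoles` and `authorizedRoles` hunks of this file and in the `DelAccessMgrImpl.sessionPermissions` hunk, so the session re-validation that gates each access decision is maintained in five places. Since every call site is touched by this move anyway, one protected helper in `AccessMgrImpl` holding the two calls (reachable from `DelAccessMgrImpl`, which extends it) and invoked as `validateSessionConstraints( session );` would keep an entry point from ending up with only one of the two checks. The bare `false` third argument is not explained by anything visible in these hunks; a short comment naming that parameter, taken from the `VUtil.validateConstraints` signature, would make the call readable. The enclosing method bodies begin outside the hunks.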
@@ -260,8 +259,8 @@ public class AccessMgrImpl extends Manageable implements AccessMgr String methodName = "authorizedRoles"; assertContext( CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL ); VUtil.assertNotNull( session.getUser(), GlobalErrIds.USER_NULL, CLS_NM + ".authorizedRoles" ); - CUtil.validateConstraints( session, CUtil.ConstraintType.USER, false ); - CUtil.validateConstraints( session, CUtil.ConstraintType.ROLE, false ); + VUtil.validateConstraints( session, VUtil.ConstraintType.USER, false ); + VUtil.validateConstraints( session, VUtil.ConstraintType.ROLE, false ); return RoleUtil.getInheritedRoles( session.getRoles(), this.contextId ); } @@ -322,7 +321,7 @@ public class AccessMgrImpl extends Manageable implements AccessMgr session.setRole( uRoles.get( indx ) ); // Check role temporal constraints & DSD: - CUtil.validateConstraints( session, CUtil.ConstraintType.ROLE, false ); + VUtil.validateConstraints( session, VUtil.ConstraintType.ROLE, false ); } http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java index d6b5d3e..44b431d 100755 --- a/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java +++ b/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java @@ -24,6 +24,7 @@ import java.util.List; import java.util.Set; import org.apache.directory.fortress.core.model.AdminRole; +import org.apache.directory.fortress.core.model.ConstraintUtil; import org.apache.directory.fortress.core.model.Hier; import org.apache.directory.fortress.core.model.PermObj; import org.apache.directory.fortress.core.model.Permission; 
@@ -41,7 +42,6 @@ import org.apache.directory.fortress.core.GlobalErrIds; import org.apache.directory.fortress.core.GlobalIds; import org.apache.directory.fortress.core.SecurityException; import org.apache.directory.fortress.core.util.VUtil; -import org.apache.directory.fortress.core.util.time.CUtil; /** @@ -488,7 +488,7 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr * * * @param role must contains {@link Role#name} and may contain new description or - * {@link org.apache.directory.fortress.core.util.time.Constraint} + * {@link org.apache.directory.fortress.core.model.Constraint} * @return Role contains reference to entity operated on. * @throws org.apache.directory.fortress.core.SecurityException * in the event of validation or system error. @@ -573,7 +573,7 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr role.setContextId( this.contextId ); Role validRole = roleP.read( role ); // if the input role entity attribute doesn't have temporal constraints set, copy from the role declaration: - CUtil.validateOrCopy( validRole, uRole ); + ConstraintUtil.validateOrCopy( validRole, uRole ); // Assign the Role data to User: String dn = userP.assign( uRole ); http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleDAO.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleDAO.java b/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleDAO.java index 3a8d128..eb4d02c 100755 --- a/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleDAO.java +++ b/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleDAO.java 
@@ -40,6 +40,7 @@ import org.apache.directory.fortress.core.CreateException; import org.apache.directory.fortress.core.FinderException; import org.apache.directory.fortress.core.GlobalErrIds; import org.apache.directory.fortress.core.GlobalIds; +import org.apache.directory.fortress.core.model.ConstraintUtil; import org.apache.directory.fortress.core.model.ObjectFactory; import org.apache.directory.fortress.core.RemoveException; import org.apache.directory.fortress.core.UpdateException; @@ -48,7 +49,6 @@ import org.apache.directory.fortress.core.model.AdminRole; import org.apache.directory.fortress.core.model.Graphable; import org.apache.directory.fortress.core.model.Role; import org.apache.directory.fortress.core.util.ObjUtil; -import org.apache.directory.fortress.core.util.time.CUtil; import org.apache.directory.ldap.client.api.LdapConnection; @@ -172,7 +172,7 @@ final class AdminRoleDAO extends ApacheDsDataProvider // CN attribute is required for this object class: entry.add( SchemaConstants.CN_AT, entity.getName() ); - entry.add( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) ); + entry.add( GlobalIds.CONSTRAINT, ConstraintUtil.setConstraint( entity ) ); loadAttrs( entity.getOsP(), entry, ROLE_OSP ); loadAttrs( entity.getOsU(), entry, ROLE_OSU ); String szRaw = entity.getRoleRangeRaw(); @@ -237,7 +237,7 @@ final class AdminRoleDAO extends ApacheDsDataProvider if ( entity.isTemporalSet() ) { - String szRawData = CUtil.setConstraint( entity ); + String szRawData = ConstraintUtil.setConstraint( entity ); if ( StringUtils.isNotEmpty( szRawData ) ) { http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/ConfigDAO.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/impl/ConfigDAO.java b/src/main/java/org/apache/directory/fortress/core/impl/ConfigDAO.java index 72ce674..b25ccda 100755 
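Review bot: In the `@@ -172,7 +172,7 @@` hunk the new line `entry.add( GlobalIds.CONSTRAINT, ConstraintUtil.setConstraint( entity ) );` writes the constraint attribute unconditionally, while the `@@ -237,7 +237,7 @@` hunk of the same file only uses the value after `entity.isTemporalSet()` and `StringUtils.isNotEmpty( szRawData )`. The body of `setConstraint` is not visible here, so whether it can return null or an empty string for an entity without temporal values needs confirming; if it can, the first path would hand an empty value to the entry. Guarding it the same way keeps the two paths consistent: `String szRawData = ConstraintUtil.setConstraint( entity );` followed by `if ( StringUtils.isNotEmpty( szRawData ) ) { entry.add( GlobalIds.CONSTRAINT, szRawData ); }`. Both enclosing methods start and end outside the hunks.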
--- a/src/main/java/org/apache/directory/fortress/core/impl/ConfigDAO.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/ConfigDAO.java
@@ -34,7 +34,7 @@ import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
 import org.apache.directory.fortress.core.CreateException;
 import org.apache.directory.fortress.core.util.Config;
 import org.apache.directory.fortress.core.util.ObjUtil;
-import org.apache.directory.fortress.core.util.PropUtil;
+import org.apache.directory.fortress.core.model.PropUtil;
 import org.apache.directory.ldap.client.api.LdapConnection;
 import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
 import org.slf4j.Logger;
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/DSDChecker.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/DSDChecker.java b/src/main/java/org/apache/directory/fortress/core/impl/DSDChecker.java
index 6a127d1..21431fd 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/DSDChecker.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/DSDChecker.java
@@ -32,14 +32,14 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.apache.directory.fortress.core.GlobalErrIds; import org.apache.directory.fortress.core.model.ObjectFactory; -import org.apache.directory.fortress.core.util.time.Constraint; +import org.apache.directory.fortress.core.model.Constraint; import org.apache.directory.fortress.core.util.time.Time; import org.apache.directory.fortress.core.util.time.Validator; /** * This class performs Dynamic Separation of Duty checking on a collection of roles targeted for - * activation within a particular user's session. This method is called from {@link org.apache.directory.fortress.core.util.time.CUtil#validateConstraints} during createSession + * activation within a particular user's session. This method is called from {@link org.apache.directory.fortress.core.util.VUtil#validateConstraints} during createSession * sequence for users. If DSD constraint violation is detected for a particular role method will remove the role * from collection of activation candidates and log a warning. This proc will also consider hierarchical relations * between roles (RBAC spec calls these authorized roles). 
@@ -64,7 +64,7 @@ public class DSDChecker /** - * This method is called during entity activation, {@link org.apache.directory.fortress.core.util.time.CUtil#validateConstraints} and ensures the role does not violate dynamic separation of duty constraints. + * This method is called during entity activation, {@link org.apache.directory.fortress.core.util.VUtil#validateConstraints} and ensures the role does not violate dynamic separation of duty constraints. * * @param session contains list of RBAC roles {@link org.apache.directory.fortress.core.model.UserRole} targeted for activation. * @param constraint required for Validator interface, not used here.. http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/DelAccessMgrImpl.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/impl/DelAccessMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/DelAccessMgrImpl.java index 148f0d4..7ea0854 100755 --- a/src/main/java/org/apache/directory/fortress/core/impl/DelAccessMgrImpl.java +++ b/src/main/java/org/apache/directory/fortress/core/impl/DelAccessMgrImpl.java @@ -31,7 +31,6 @@ import org.apache.directory.fortress.core.model.UserAdminRole; import org.apache.directory.fortress.core.util.VUtil; import org.apache.directory.fortress.core.SecurityException; import org.apache.directory.fortress.core.util.ObjUtil; -import org.apache.directory.fortress.core.util.time.CUtil; import java.util.List; import java.util.Set; 
@@ -306,8 +305,8 @@ public class DelAccessMgrImpl extends AccessMgrImpl implements DelAccessMgr
 {
 String methodName = "sessionPermissions";
 assertContext(CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL);
- CUtil.validateConstraints( session, CUtil.ConstraintType.USER, false );
- CUtil.validateConstraints( session, CUtil.ConstraintType.ROLE, false );
+ VUtil.validateConstraints( session, VUtil.ConstraintType.USER, false );
+ VUtil.validateConstraints( session, VUtil.ConstraintType.ROLE, false );
 return permP.search( session, true );
 }
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/DelAdminMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/DelAdminMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/DelAdminMgrImpl.java
index 8fb9add..e8aef36 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/DelAdminMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/DelAdminMgrImpl.java
@@ -25,6 +25,7 @@ import org.apache.directory.fortress.core.DelAdminMgr;
 import org.apache.directory.fortress.core.SecurityException;
 import org.apache.directory.fortress.core.GlobalErrIds;
 import org.apache.directory.fortress.core.model.AdminRole;
+import org.apache.directory.fortress.core.model.ConstraintUtil;
 import org.apache.directory.fortress.core.model.Hier;
 import org.apache.directory.fortress.core.model.OrgUnit;
 import org.apache.directory.fortress.core.model.PermObj;
@@ -33,7 +34,6 @@ import org.apache.directory.fortress.core.model.Relationship; import org.apache.directory.fortress.core.model.User; import org.apache.directory.fortress.core.model.UserAdminRole; import org.apache.directory.fortress.core.util.ObjUtil; -import org.apache.directory.fortress.core.util.time.CUtil; import org.apache.directory.fortress.core.util.VUtil; import java.util.List; @@ -213,7 +213,7 @@ public final class DelAdminMgrImpl extends Manageable implements DelAdminMgr chgRole.setOsP(role.getOsP()); chgRole.setOsU(role.getOsU()); uaRoles.remove(chgRole); - CUtil.copy(re, chgRole); + ConstraintUtil.copy( re, chgRole ); uaRoles.add(chgRole); upUe.setUserId(ue.getUserId()); upUe.setAdminRole(chgRole); @@ -278,7 +278,7 @@ public final class DelAdminMgrImpl extends Manageable implements DelAdminMgr // if the UserAdminRole entity doesn't have temporal constraints set already, copy from the AdminRole declaration: // if the input role entity attribute doesn't have temporal constraints set, copy from the role declaration: - CUtil.validateOrCopy(validRole, uAdminRole); + ConstraintUtil.validateOrCopy( validRole, uAdminRole ); // copy the ARBAC AdminRole attributes to UserAdminRole: userP.copyAdminAttrs( validRole, uAdminRole ); http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/GroupDAO.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/impl/GroupDAO.java b/src/main/java/org/apache/directory/fortress/core/impl/GroupDAO.java index 8a19089..c3e577b 100755 --- a/src/main/java/org/apache/directory/fortress/core/impl/GroupDAO.java +++ b/src/main/java/org/apache/directory/fortress/core/impl/GroupDAO.java 
@@ -35,7 +35,7 @@ import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueEx
 import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
 import org.apache.directory.api.ldap.model.message.SearchScope;
 import org.apache.directory.fortress.core.model.Group;
-import org.apache.directory.fortress.core.util.PropUtil;
+import org.apache.directory.fortress.core.model.PropUtil;
 import org.apache.directory.ldap.client.api.LdapConnection;
 import org.apache.directory.fortress.core.FinderException;
 import org.apache.directory.fortress.core.model.ObjectFactory;
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java b/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java
index 85d09dd..496cda3 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java
@@ -49,7 +49,7 @@ import org.apache.directory.fortress.core.model.Role;
 import org.apache.directory.fortress.core.model.Session;
 import org.apache.directory.fortress.core.model.User;
 import org.apache.directory.fortress.core.util.ObjUtil;
-import org.apache.directory.fortress.core.util.PropUtil;
+import org.apache.directory.fortress.core.model.PropUtil;
 import org.apache.directory.ldap.client.api.LdapConnection;
 import org.apache.directory.fortress.core.CreateException;
 import org.apache.directory.fortress.core.FinderException;
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/RoleDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/RoleDAO.java b/src/main/java/org/apache/directory/fortress/core/impl/RoleDAO.java index 0898911..ec17bb7 100755 --- a/src/main/java/org/apache/directory/fortress/core/impl/RoleDAO.java +++ b/src/main/java/org/apache/directory/fortress/core/impl/RoleDAO.java @@ -36,6 +36,7 @@ import org.apache.directory.api.ldap.model.exception.LdapException; import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException; import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException; import org.apache.directory.api.ldap.model.message.SearchScope; +import org.apache.directory.fortress.core.model.ConstraintUtil; import org.apache.directory.fortress.core.model.Graphable; import org.apache.directory.ldap.client.api.LdapConnection; import org.apache.directory.fortress.core.CreateException; @@ -47,7 +48,6 @@ import org.apache.directory.fortress.core.RemoveException; import org.apache.directory.fortress.core.UpdateException; import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider; import org.apache.directory.fortress.core.model.Role; -import org.apache.directory.fortress.core.util.time.CUtil; /** @@ -157,7 +157,7 @@ final class RoleDAO extends ApacheDsDataProvider // CN attribute is required for this object class: entry.add( SchemaConstants.CN_AT, entity.getName() ); - entry.add( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) ); + entry.add( GlobalIds.CONSTRAINT, ConstraintUtil.setConstraint( entity ) ); // These multi-valued attributes are optional. The utility function will return quietly if items are not loaded into collection: loadAttrs( entity.getParents(), entry, GlobalIds.PARENT_NODES ); 
@@ -202,7 +202,7 @@ final class RoleDAO extends ApacheDsDataProvider if ( entity.isTemporalSet() ) { - String szRawData = CUtil.setConstraint( entity ); + String szRawData = ConstraintUtil.setConstraint( entity ); if ( StringUtils.isNotEmpty( szRawData ) ) { http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/SDUtil.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/impl/SDUtil.java b/src/main/java/org/apache/directory/fortress/core/impl/SDUtil.java index da7be48..f848087 100755 --- a/src/main/java/org/apache/directory/fortress/core/impl/SDUtil.java +++ b/src/main/java/org/apache/directory/fortress/core/impl/SDUtil.java @@ -36,7 +36,7 @@ import org.apache.directory.fortress.core.util.ObjUtil; import org.apache.directory.fortress.core.util.cache.Cache; import org.apache.directory.fortress.core.util.cache.CacheMgr; import org.apache.directory.fortress.core.util.cache.DsdCacheEntry; -import org.apache.directory.fortress.core.util.time.Constraint; +import org.apache.directory.fortress.core.model.Constraint; import net.sf.ehcache.search.Attribute; import net.sf.ehcache.search.Query; http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/UserDAO.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/impl/UserDAO.java b/src/main/java/org/apache/directory/fortress/core/impl/UserDAO.java index 21ed464..2709831 100755 --- a/src/main/java/org/apache/directory/fortress/core/impl/UserDAO.java +++ b/src/main/java/org/apache/directory/fortress/core/impl/UserDAO.java 
@@ -49,6 +49,7 @@ import org.apache.directory.api.ldap.model.message.ResultCodeEnum; import org.apache.directory.api.ldap.model.message.SearchScope; import org.apache.directory.fortress.core.model.Address; import org.apache.directory.fortress.core.model.AdminRole; +import org.apache.directory.fortress.core.model.ConstraintUtil; import org.apache.directory.fortress.core.model.OrgUnit; import org.apache.directory.fortress.core.model.PwMessage; import org.apache.directory.fortress.core.model.Role; @@ -58,7 +59,7 @@ import org.apache.directory.fortress.core.model.UserAdminRole; import org.apache.directory.fortress.core.model.UserRole; import org.apache.directory.fortress.core.model.Warning; import org.apache.directory.fortress.core.util.ObjUtil; -import org.apache.directory.fortress.core.util.PropUtil; +import org.apache.directory.fortress.core.model.PropUtil; import org.apache.directory.ldap.client.api.LdapConnection; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -73,7 +74,6 @@ import org.apache.directory.fortress.core.SecurityException; import org.apache.directory.fortress.core.UpdateException; import org.apache.directory.fortress.core.util.Config; import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider; -import org.apache.directory.fortress.core.util.time.CUtil; /** @@ -510,7 +510,7 @@ final class UserDAO extends ApacheDsDataProvider loadProperties( entity.getProperties(), myEntry, GlobalIds.PROPS ); // map the userid to the name field in constraint: entity.setName( entity.getUserId() ); - myEntry.add( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) ); + myEntry.add( GlobalIds.CONSTRAINT, ConstraintUtil.setConstraint( entity ) ); loadAddress( entity.getAddress(), myEntry ); if ( ObjUtil.isNotNullOrEmpty( entity.getJpegPhoto() ) ) 
@@ -610,7 +610,7 @@ final class UserDAO extends ApacheDsDataProvider { // map the userid to the name field in constraint: entity.setName( entity.getUserId() ); - String szRawData = CUtil.setConstraint( entity ); + String szRawData = ConstraintUtil.setConstraint( entity ); if ( StringUtils.isNotEmpty( szRawData ) ) { @@ -2438,7 +2438,7 @@ final class UserDAO extends ApacheDsDataProvider /** * Given an ldap entry containing ARBAC roles assigned to user, retrieve the raw data and convert to a collection * of {@link UserAdminRole} - * including {@link org.apache.directory.fortress.core.util.time.Constraint}. + * including {@link org.apache.directory.fortress.core.model.Constraint}. * * @param entry contains ldap entry to retrieve admin roles from. * @param userId attribute maps to {@link UserAdminRole#userId}. @@ -2483,7 +2483,7 @@ final class UserDAO extends ApacheDsDataProvider /** * Given an ldap entry containing RBAC roles assigned to user, retrieve the raw data and convert to a collection * of {@link UserRole} - * including {@link org.apache.directory.fortress.core.util.time.Constraint}. + * including {@link org.apache.directory.fortress.core.model.Constraint}. * * @param entry contains ldap entry to retrieve roles from. * @param userId attribute maps to {@link UserRole#userId}. http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/impl/UserP.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/impl/UserP.java b/src/main/java/org/apache/directory/fortress/core/impl/UserP.java index f67ec09..d755475 100755 --- a/src/main/java/org/apache/directory/fortress/core/impl/UserP.java +++ b/src/main/java/org/apache/directory/fortress/core/impl/UserP.java 
@@ -27,6 +27,7 @@ import java.util.Set; import org.apache.commons.lang.StringUtils; import org.apache.directory.fortress.core.model.AdminRole; import org.apache.directory.fortress.core.model.Administrator; +import org.apache.directory.fortress.core.model.ConstraintUtil; import org.apache.directory.fortress.core.model.OrgUnit; import org.apache.directory.fortress.core.model.PwPolicy; import org.apache.directory.fortress.core.model.Role; @@ -45,7 +46,6 @@ import org.apache.directory.fortress.core.PasswordException; import org.apache.directory.fortress.core.SecurityException; import org.apache.directory.fortress.core.ValidationException; import org.apache.directory.fortress.core.util.VUtil; -import org.apache.directory.fortress.core.util.time.CUtil; /** @@ -390,7 +390,7 @@ final class UserP throw new PasswordException( session.getErrorId(), info ); } - CUtil.validateConstraints( session, CUtil.ConstraintType.USER, false ); + VUtil.validateConstraints( session, VUtil.ConstraintType.USER, false ); return session; } @@ -453,7 +453,7 @@ final class UserP // Create the impl session without authentication of password. session = createSessionTrusted( user ); // Check user temporal constraints. This op usually performed during authentication. - CUtil.validateConstraints( session, CUtil.ConstraintType.USER, false ); + VUtil.validateConstraints( session, VUtil.ConstraintType.USER, false ); } else { @@ -480,7 +480,7 @@ final class UserP } } // Check role temporal constraints + activate roles: - CUtil.validateConstraints( session, CUtil.ConstraintType.ROLE, true ); + VUtil.validateConstraints( session, VUtil.ConstraintType.ROLE, true ); return session; } @@ -834,7 +834,7 @@ final class UserP } // 2 Validate constraints on User object: - CUtil.validate( entity ); + ConstraintUtil.validate( entity ); // 3 Validate or copy constraints on RBAC roles: if ( ObjUtil.isNotNullOrEmpty( entity.getRoles() ) ) 
@@ -846,7 +846,7 @@ final class UserP Role inRole = new Role( ure.getName() ); inRole.setContextId( entity.getContextId() ); Role role = rp.read( inRole ); - CUtil.validateOrCopy( role, ure ); + ConstraintUtil.validateOrCopy( role, ure ); } } @@ -859,7 +859,7 @@ final class UserP AdminRole inRole = new AdminRole( uare.getName() ); inRole.setContextId( entity.getContextId() ); AdminRole outRole = admRoleP.read( inRole ); - CUtil.validateOrCopy( outRole, uare ); + ConstraintUtil.validateOrCopy( outRole, uare ); // copy the ARBAC AdminRole attributes to UserAdminRole: copyAdminAttrs( outRole, uare ); http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java b/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java index 3d8fe36..bfd989c 100644 --- a/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java +++ b/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java @@ -68,6 +68,7 @@ import org.apache.directory.api.ldap.model.message.controls.ProxiedAuthz; import org.apache.directory.api.ldap.model.message.controls.ProxiedAuthzImpl; import org.apache.directory.api.ldap.model.name.Dn; +import org.apache.directory.fortress.core.model.ConstraintUtil; import org.apache.directory.ldap.client.api.LdapConnection; import org.apache.directory.ldap.client.api.LdapConnectionConfig; import org.apache.directory.ldap.client.api.LdapConnectionPool; 
@@ -79,8 +80,7 @@ import org.apache.directory.fortress.core.model.FortEntity; import org.apache.directory.fortress.core.model.Hier; import org.apache.directory.fortress.core.model.Relationship; import org.apache.directory.fortress.core.util.crypto.EncryptUtil; -import org.apache.directory.fortress.core.util.time.CUtil; -import org.apache.directory.fortress.core.util.time.Constraint; +import org.apache.directory.fortress.core.model.Constraint; import org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -1079,7 +1079,7 @@ public abstract class ApacheDsDataProvider * Convert constraint from raw ldap format to application entity. * * @param le ldap entry containing constraint. - * @param ftDateTime reference to {@link org.apache.directory.fortress.core.util.time.Constraint} containing formatted data. + * @param ftDateTime reference to {@link org.apache.directory.fortress.core.model.Constraint} containing formatted data. * @throws LdapInvalidAttributeValueException * * @throws LdapException in the event of ldap client error. @@ -1090,7 +1090,7 @@ public abstract class ApacheDsDataProvider if ( szRawData != null && szRawData.length() > 0 ) { - CUtil.setConstraint( szRawData, ftDateTime ); + ConstraintUtil.setConstraint( szRawData, ftDateTime ); } } http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/model/AdminRole.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/model/AdminRole.java b/src/main/java/org/apache/directory/fortress/core/model/AdminRole.java index 08b8b17..cee0cc9 100755 --- a/src/main/java/org/apache/directory/fortress/core/model/AdminRole.java +++ b/src/main/java/org/apache/directory/fortress/core/model/AdminRole.java 
@@ -29,8 +29,6 @@ import javax.xml.bind.annotation.XmlRootElement; import javax.xml.bind.annotation.XmlType; import org.apache.commons.lang.StringUtils; -import org.apache.directory.fortress.core.util.time.CUtil; -import org.apache.directory.fortress.core.util.time.Constraint; /** @@ -204,7 +202,7 @@ public class AdminRole extends Role implements Administrator */ public AdminRole( Constraint con ) { - CUtil.copy( con, this ); + ConstraintUtil.copy( con, this ); } http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/model/Constraint.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/model/Constraint.java b/src/main/java/org/apache/directory/fortress/core/model/Constraint.java new file mode 100755 index 0000000..3f350a9 --- /dev/null +++ b/src/main/java/org/apache/directory/fortress/core/model/Constraint.java 
@@ -0,0 +1,244 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.directory.fortress.core.model; + + +/** + * The Fortress Constraint interface prescribes attributes that are used to store, process and retrieve temporal validation attributes on + * {@link org.apache.directory.fortress.core.model.User}, {@link org.apache.directory.fortress.core.model.UserRole}, {@link org.apache.directory.fortress.core.model.Role}, + * {@link org.apache.directory.fortress.core.model.AdminRole}, {@link org.apache.directory.fortress.core.model.UserAdminRole} entities. + *

    + * + *

    + *

    Temporal Constraints on User and Role Assignments

    + * In addition to the standard RBAC support, Fortress provides coverage for temporal constraints on role and user activation into session. + * Temporal constraints affect when Users may activate Roles within runtime system at a particular point in time. For example a nurse may be assigned to the "ChargeNurse" role but be limited as to when she is permitted to perform those duties, i.e. weekend graveyard shift. Another example is a bank teller who is assigned to a "Teller" role but may only act within role between the hours of 9:00 to 5:00 on Monday thru Friday during normal business hours. + * Additionally Fortress temporal constraints are checked during user authentication to control when a user is actually permitted to sign-on to a system. The constraints may also be applied to enforce temporary blackout periods to cover vacations, leave of absences, sabbaticals, etc. + *

    + *

    Constraint Schema

    + * The entity maps to Fortress LDAP Schema object classes: + *

    + * 1. ftRls Structural objectclass is used to store the Role information like name and temporal constraint attributes. + *

      + *
    • ------------------------------------------ + *
    • objectclass ( 1.3.6.1.4.1.38088.2.1 + *
    • NAME 'ftRls' + *
    • DESC 'Fortress Role Object Class' + *
    • SUP organizationalrole + *
    • STRUCTURAL + *
    • MUST ( ftId $ ftRoleName ) + *
    • MAY ( description $ ftCstr ) ) + *
    • ------------------------------------------ + *
    + *

    + * 2. ftUserAttrs is used to store user RBAC and Admin role assignment and other security attributes on User entity. + *

      + *
    • ------------------------------------------ + *
    • objectclass ( 1.3.6.1.4.1.38088.3.1 + *
    • NAME 'ftUserAttrs' + *
    • DESC 'Fortress User Attribute AUX Object Class' + *
    • AUXILIARY + *
    • MUST ( ftId ) + *
    • MAY ( ftRC $ ftRA $ ftARC $ ftARA $ ftCstr + *
    • ------------------------------------------ + *
    + *

    + * + * @author Apache Directory Project + */ +public interface Constraint +{ + /** + * temporal boolean flag is used by internal Fortress components. + * + * @return boolean indicating if temporal constraints are placed on user. + */ + boolean isTemporalSet(); + + + /** + * Set the integer timeout that contains max time (in seconds) that entity may remain inactive. + * This attribute is optional but if set will be validated for reasonableness. + * + * @param timeout maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + void setTimeout( Integer timeout ); + + + /** + * Set the begin time of day entity is allowed to be activated in system. The format is military time - HHMM, i.e. 0800 (8:00 am) or 1700 (5:00 p.m.). + * This attribute is optional but if set will be validated for reasonableness. + * + * @param beginTime maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + void setBeginTime( String beginTime ); + + + /** + * Set the end time of day entity is allowed to be activated in system. The format is military time - HHMM, i.e. 0000 (12:00 am) or 2359 (11:59 p.m.). + * This attribute is optional but if set will be validated for reasonableness. + * + * @param endTime maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + void setEndTime( String endTime ); + + + /** + * Set the beginDate when entity is allowed to be activated in system. The format is - YYYYMMDD, i.e. 20100101 (January 1, 2001). + * This attribute is optional but if set will be validated for reasonableness. 
+ * + * @param beginDate maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + void setBeginDate( String beginDate ); + + + /** + * Set the end date when entity is not allowed to be activated in system. The format is - YYYYMMDD, i.e. 20100101 (January 1, 2010). + * This attribute is optional but if set will be validated for reasonableness. + * + * @param endDate maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + void setEndDate( String endDate ); + + + /** + * Set the daymask that specifies what days of week entity is allowed to be activated in system. The format is 1234567, i.e. 23456 (Monday, Tuesday, Wednesday, Thursday, Friday). + * This attribute is optional but if set will be validated for reasonableness. + * + * @param dayMask maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + void setDayMask( String dayMask ); + + + /** + * Set the begin lock date when entity is temporarily not allowed to be activated in system. The format is - YYYYMMDD, 20100101 (January 1, 2010). + * This attribute is optional but if set will be validated for reasonableness. + * + * @param beginLockDate maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + void setBeginLockDate( String beginLockDate ); + + + /** + * Set the end lock date when entity is allowed to be activated in system once again. The format is - YYYYMMDD, i.e. 20100101 (January 1, 2010). + * This attribute is optional but if set will be validated for reasonableness. 
+ * + * @param endLockDate maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + void setEndLockDate( String endLockDate ); + + + /** + * This is used internally by Fortress for Constraint operations. Values set here by external caller will be ignored. + * + * @param name contains attribute used internally for constraint checking. + */ + void setName( String name ); + + + /** + * Required on DAO classes convert from raw data to object format. Not intended for external use. + * + * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + String getRawData(); + + + /** + * Return the integer timeout that contains total time (in seconds) that entity may remain inactive. + * This attribute is optional but if set will be validated for reasonableness. + * + * @return int that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + Integer getTimeout(); + + + /** + * Contains the begin time of day entity is allowed to be activated in system. The format is military time - HHMM, i.e. 0800 (8:00 am) or 1700 (5:00 p.m.). + * This attribute is optional but if set will be validated for reasonableness. + * + * @return String that maps to 'ftCstr', 'ftRC', 'ftARC' attributes in 'ftUserAttrs' object class and 'ftCstr' attribute in 'ftRls' object class. + */ + String getBeginTime(); + + + /** + * Contains the end time of day entity is allowed to be activated in system. The format is military time - HHMM, i.e. 0000 (12:00 am) or 2359 (11:59 p.m.). + * This attribute is optional but if set will be validated for reasonableness. 
+ * + * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + String getEndTime(); + + + /** + * Contains the begin date when entity is allowed to be activated in system. The format is - YYYYMMDD, i.e. 20100101 (January 1, 2010). + * This attribute is optional but if set will be validated for reasonableness. + * + * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + String getBeginDate(); + + + /** + * Contains the end date when entity is allowed to be activated in system. The format is - YYYYMMDD, i.e. 20101231 (December 31, 2011). + * This attribute is optional but if set will be validated for reasonableness. + * + * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + String getEndDate(); + + + /** + * Contains the begin lock date when entity is temporarily not allowed to activated in system. The format is - YYYYMMDD, i.e. 20100101 (January 1, 2010). + * This attribute is optional but if set will be validated for reasonableness. + * + * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + String getBeginLockDate(); + + + /** + * Contains the end lock date when entity is allowed to be activated in system once again. The format is - YYYYMMDD, i.e. 20100101 (January 1, 2010). + * This attribute is optional but if set will be validated for reasonableness. + * + * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. 
+ */ + String getEndLockDate(); + + + /** + * Get the daymask that indicates what days of week entity is allowed to be activated in system. The format is 1234567, i.e. 23456 (Monday, Tuesday, Wednesday, Thursday, Friday). + * This attribute is optional but if set will be validated for reasonableness. + * + * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + String getDayMask(); + + + /** + * This is used internally by Fortress for Constraint operations. + * + * @return String that maps to {@code ftCstr}, {@code ftRC}, {@code ftARC} attributes in {@code ftUserAttrs} object class and {@code ftCstr} attribute in {@code ftRls} object class. + */ + String getName(); + + +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/model/ConstraintUtil.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/model/ConstraintUtil.java b/src/main/java/org/apache/directory/fortress/core/model/ConstraintUtil.java new file mode 100644 index 0000000..cfd88d7 --- /dev/null +++ b/src/main/java/org/apache/directory/fortress/core/model/ConstraintUtil.java 
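Review bot: The date examples in the new Constraint Javadoc contradict themselves, and the end-date wording differs between setter and getter, which matters because these values gate when a user or role may be activated. `setBeginDate` gives `20100101 (January 1, 2001)` and `getEndDate` gives `20101231 (December 31, 2011)`; they should read `20100101 (January 1, 2010)` and `20101231 (December 31, 2010)`. `setEndDate` says the entity "is not allowed to be activated" at the end date while `getEndDate` says it "is allowed", so both should state the same rule for whether the end date itself is still a permitted day, for example `Set the end date, the last day on which the entity may be activated in system.` if the validator treats it as inclusive, which this hunk does not show. `getTimeout` documents `@return int` although the declared type is `Integer`, and since the attribute is described as optional the Javadoc should say what is returned when it is unset (presumably null; confirm against the implementations).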
@@ -0,0 +1,351 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.model;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.ValidationException;
+import org.apache.directory.fortress.core.util.ObjUtil;
+import org.apache.directory.fortress.core.util.VUtil;
+
+import java.util.StringTokenizer;
+
+/**
+ * Utilities to copy constraints attributes between entities.
+ *
+ * @author Apache Directory Project
+ */
+public class ConstraintUtil
+{
+ /**
+ * Copy source constraint to target. Both must be created before calling this utility.
+ *
+ * @param srcC contains constraint source.
+ * @param trgC contains target constraint.
+ */
+ public static void copy( Constraint srcC, Constraint trgC )
+ {
+ // Both variables must be instantiated before being passed in to this method.
+ trgC.setTimeout( srcC.getTimeout() );
+
+ if ( StringUtils.isNotEmpty( srcC.getName() ) )
+ {
+ trgC.setName( srcC.getName() );
+ }
+ if ( StringUtils.isNotEmpty( srcC.getBeginTime() ) )
+ {
+ trgC.setBeginTime( srcC.getBeginTime() );
+ }
+ if ( StringUtils.isNotEmpty( srcC.getEndTime() ) )
+ {
+ trgC.setEndTime( srcC.getEndTime() );
+ }
+ if ( StringUtils.isNotEmpty( srcC.getDayMask() ) )
+ {
+ trgC.setDayMask( srcC.getDayMask() );
+ }
+ if ( StringUtils.isNotEmpty( srcC.getBeginDate() ) )
+ {
+ trgC.setBeginDate( srcC.getBeginDate() );
+ }
+ if ( StringUtils.isNotEmpty( srcC.getEndDate() ) )
+ {
+ trgC.setEndDate( srcC.getEndDate() );
+ }
+ if ( StringUtils.isNotEmpty( srcC.getBeginLockDate() ) )
+ {
+ trgC.setBeginLockDate( srcC.getBeginLockDate() );
+ }
+ if ( StringUtils.isNotEmpty( srcC.getEndLockDate() ) )
+ {
+ trgC.setEndLockDate( srcC.getEndLockDate() );
+ }
+ }
+
+
+ /**
+ * Validate the non-null attributes on the constraint.
+ *
+ * @param c1 contains the temporal values associated with an entity.
+ * @throws org.apache.directory.fortress.core.ValidationException on first invalid attribute found.
+ */
+ public static void validate( Constraint c1 )
+ throws ValidationException
+ {
+ if ( ObjUtil.isNotNullOrEmpty( c1.getTimeout() ) )
+ {
+ VUtil.timeout( c1.getTimeout() );
+ }
+ if ( StringUtils.isNotEmpty( c1.getBeginTime() ) )
+ {
+ VUtil.beginTime( c1.getBeginTime() );
+ }
+ if ( StringUtils.isNotEmpty( c1.getEndTime() ) )
+ {
+ VUtil.endTime( c1.getEndTime() );
+ }
+ if ( StringUtils.isNotEmpty( c1.getBeginDate() ) )
+ {
+ VUtil.beginDate( c1.getBeginDate() );
+ }
+ if ( StringUtils.isNotEmpty( c1.getEndDate() ) )
+ {
+ VUtil.endDate( c1.getEndDate() );
+ }
+ if ( StringUtils.isNotEmpty( c1.getDayMask() ) )
+ {
+ VUtil.dayMask( c1.getDayMask() );
+ }
+ if ( StringUtils.isNotEmpty( c1.getBeginLockDate() ) )
+ {
+ VUtil.beginDate( c1.getBeginLockDate() );
+ }
+ if ( StringUtils.isNotEmpty( c1.getEndLockDate() ) )
+ {
+ VUtil.endDate( c1.getEndLockDate() );
+ }
+ }
+ /**
+ * Used by DAO utilities to convert from a string with comma delimited values to fortress internal format {@link Constraint}.
+ *
+ * @param inputString contains raw data format which is comma delimited containing temporal data.
+ * @param constraint used by internal processing to perform validations.
+ */
+ public static void setConstraint( String inputString, Constraint constraint )
+ {
+ if ( StringUtils.isNotEmpty( inputString ) )
+ {
+ StringTokenizer tkn = new StringTokenizer( inputString, GlobalIds.DELIMITER, true );
+ if ( tkn.countTokens() > 0 )
+ {
+ int count = tkn.countTokens();
+ int index = 0;
+ boolean previousTokenWasDelimiter = false;
+ for ( int i = 0; i < count; i++ )
+ {
+ String szValue = tkn.nextToken();
+ if ( szValue.equals( GlobalIds.DELIMITER ) && !previousTokenWasDelimiter )
+ {
+ previousTokenWasDelimiter = true;
+ }
+ else if ( szValue.equals( GlobalIds.DELIMITER ) )
+ {
+ previousTokenWasDelimiter = true;
+ index++;
+ }
+ else
+ {
+ previousTokenWasDelimiter = false;
+ switch ( index++ )
+ {
+ case 0:
+ // only set the name attr if it isn't already set:
+ if ( ( constraint.getName() == null ) || ( constraint.getName().length() == 0 ) )
+ {
+ constraint.setName( szValue );
+ }
+
+ break;
+ case 1:
+ constraint.setTimeout( Integer.parseInt( szValue ) );
+ break;
+ case 2:
+ constraint.setBeginTime( szValue );
+ break;
+ case 3:
+ constraint.setEndTime( szValue );
+ break;
+ case 4:
+ constraint.setBeginDate( szValue );
+ break;
+ case 5:
+ constraint.setEndDate( szValue );
+ break;
+ case 6:
+ constraint.setBeginLockDate( szValue );
+ break;
+ case 7:
+ constraint.setEndLockDate( szValue );
+ break;
+ case 8:
+ constraint.setDayMask( szValue );
+ break;
+ }
+ }
+ }
+ }
+ }
+ }
+
+
+ /**
+ * Convert from fortress {@link Constraint} to comma delimited ldap format.
+ *
+ * @param constraint contains the temporal data.
+ * @return string containing raw data bound for ldap.
+ */
+ public static String setConstraint( Constraint constraint )
+ {
+ String szConstraint = null;
+ if ( constraint != null )
+ {
+ StringBuilder sb = new StringBuilder();
+ sb.append( constraint.getName() );
+ sb.append( GlobalIds.DELIMITER );
+
+ if ( constraint.getTimeout() != null )
+ {
+ sb.append( constraint.getTimeout() );
+ }
+
+ sb.append( GlobalIds.DELIMITER );
+
+ if ( constraint.getBeginTime() != null )
+ {
+ sb.append( constraint.getBeginTime() );
+ }
+
+ sb.append( GlobalIds.DELIMITER );
+
+ if ( constraint.getEndTime() != null )
+ {
+ sb.append( constraint.getEndTime() );
+ }
+
+ sb.append( GlobalIds.DELIMITER );
+
+ if ( constraint.getBeginDate() != null )
+ {
+ sb.append( constraint.getBeginDate() );
+ }
+
+ sb.append( GlobalIds.DELIMITER );
+
+ if ( constraint.getEndDate() != null )
+ {
+ sb.append( constraint.getEndDate() );
+ }
+
+ sb.append( GlobalIds.DELIMITER );
+
+ if ( constraint.getBeginLockDate() != null )
+ {
+ sb.append( constraint.getBeginLockDate() );
+ }
+
+ sb.append( GlobalIds.DELIMITER );
+
+ if ( constraint.getEndLockDate() != null )
+ {
+ sb.append( constraint.getEndLockDate() );
+ }
+
+ sb.append( GlobalIds.DELIMITER );
+
+ if ( constraint.getDayMask() != null )
+ {
+ sb.append( constraint.getDayMask() );
+ }
+
+ szConstraint = sb.toString();
+ }
+ return szConstraint;
+ }
+
+
+ /**
+ * Utility is used during processing of constraint values. The rule used here is if the target constraint will
+ * accept the source constraint attribute only when not set initially. If target constraint's attribute is set,
+ * validation on the constraint will be performed.
+ *
+ * @param srcC Contains instantiated constraint with one or more attributes to be copied.
+ * @param trgC instantiated object may contain zero or more attributes set. Copy will not be performed on set attrs.
+ * @throws org.apache.directory.fortress.core.ValidationException on first invalid attribute found.
+ */
+ public static void validateOrCopy( Constraint srcC, Constraint trgC )
+ throws ValidationException
+ {
+ //VUtil.timeout(trgC.getTimeout());
+ if ( ObjUtil.isNotNullOrEmpty( trgC.getTimeout() ) )
+ {
+ srcC.setTimeout( trgC.getTimeout() );
+ }
+ else if ( ObjUtil.isNotNullOrEmpty( srcC.getTimeout() ) )
+ {
+ trgC.setTimeout( srcC.getTimeout() );
+ }
+ if ( StringUtils.isNotEmpty( trgC.getBeginTime() ) )
+ {
+ VUtil.beginTime( trgC.getBeginTime() );
+ }
+ else if ( StringUtils.isNotEmpty( srcC.getBeginTime() ) )
+ {
+ trgC.setBeginTime( srcC.getBeginTime() );
+ }
+ if ( StringUtils.isNotEmpty( trgC.getEndTime() ) )
+ {
+ VUtil.endTime( trgC.getEndTime() );
+ }
+ else if ( StringUtils.isNotEmpty( srcC.getEndTime() ) )
+ {
+ trgC.setEndTime( srcC.getEndTime() );
+ }
+ if ( StringUtils.isNotEmpty( trgC.getBeginDate() ) )
+ {
+ VUtil.beginDate( trgC.getBeginDate() );
+ }
+ else if ( StringUtils.isNotEmpty( srcC.getBeginDate() ) )
+ {
+ trgC.setBeginDate( srcC.getBeginDate() );
+ }
+ if ( StringUtils.isNotEmpty( trgC.getEndDate() ) )
+ {
+ VUtil.endDate( trgC.getEndDate() );
+ }
+ else if ( StringUtils.isNotEmpty( srcC.getEndDate() ) )
+ {
+ trgC.setEndDate( srcC.getEndDate() );
+ }
+ if ( StringUtils.isNotEmpty( trgC.getDayMask() ) )
+ {
+ VUtil.dayMask( trgC.getDayMask() );
+ }
+ else if ( StringUtils.isNotEmpty( srcC.getDayMask() ) )
+ {
+ trgC.setDayMask( srcC.getDayMask() );
+ }
+ if ( StringUtils.isNotEmpty( trgC.getBeginLockDate() ) )
+ {
+ VUtil.beginDate( trgC.getBeginLockDate() );
+ }
+ else if ( StringUtils.isNotEmpty( srcC.getBeginLockDate() ) )
+ {
+ trgC.setBeginLockDate( srcC.getBeginLockDate() );
+ }
+ if ( StringUtils.isNotEmpty( trgC.getEndLockDate() ) )
+ {
+ VUtil.endDate( trgC.getEndLockDate() );
+ }
+ else if ( StringUtils.isNotEmpty( srcC.getEndLockDate() ) )
+ {
+ trgC.setEndLockDate( srcC.getEndLockDate() );
+ }
+ }
+}
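Review bot: In `validateOrCopy` the timeout branch is the only one that never validates the target: when `trgC.getTimeout()` is set it writes that value back into `srcC` with `srcC.setTimeout( trgC.getTimeout() )`, and the `VUtil.timeout` call above it is commented out. Every other attribute in the method runs the matching `VUtil` check on the target value, so a caller-supplied timeout appears to be accepted unchecked here, and the source object is mutated as a side effect the Javadoc does not mention. If the write-back is not intentional, the branch should read `VUtil.timeout( trgC.getTimeout() );` as `validate` does; if it is intentional, a comment should say why. Separately, `Integer.parseInt( szValue )` in case 1 of `setConstraint( String, Constraint )` lets a malformed stored timeout surface as an unchecked `NumberFormatException`, which the method neither declares nor documents.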
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/model/Group.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/model/Group.java b/src/main/java/org/apache/directory/fortress/core/model/Group.java index f3ae25a..9e03bf7 100755 --- a/src/main/java/org/apache/directory/fortress/core/model/Group.java +++ b/src/main/java/org/apache/directory/fortress/core/model/Group.java @@ -20,8 +20,6 @@ package org.apache.directory.fortress.core.model; -import org.apache.directory.fortress.core.util.PropUtil; - import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlRootElement; http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/model/PropUtil.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/model/PropUtil.java b/src/main/java/org/apache/directory/fortress/core/model/PropUtil.java new file mode 100644 index 0000000..899c6ab --- /dev/null +++ b/src/main/java/org/apache/directory/fortress/core/model/PropUtil.java 
@@ -0,0 +1,128 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.model;
+
+import org.apache.directory.fortress.core.GlobalIds;
+
+import java.util.List;
+import java.util.Properties;
+import java.util.StringTokenizer;
+
+/**
+ * Utilities to convert to/from property formats.
+ *
+ * @author Apache Directory Project
+ */
+public final class PropUtil
+{
+ /**
+ * Convert from a {@link java.util.List} of properties stored as name:value pairs to
+ * a {@link java.util.Properties}.
+ *
+ * @param propList contains a list of name-value pairs separated by a ':'.
+ * @return reference to a Properties collection.
+ */
+ public static Properties getProperties(List propList)
+ {
+ return getProperties(propList, GlobalIds.PROP_SEP );
+ }
+
+ /**
+ * Convert from a {@link java.util.List} of properties stored as name:value pairs to
+ * a {@link java.util.Properties}.
+ *
+ * @param propList contains a list of name-value pairs separated by a ':'.
+ * @param separator contains char to be used to separate key and value.
+ * @return reference to a Properties collection.
+ */
+ public static Properties getProperties( List propList, char separator )
+ {
+ Properties props = null;
+ if (propList != null && propList.size() > 0)
+ {
+ props = new Properties();
+ propList.size();
+ for (String raw : propList)
+ {
+ int indx = raw.indexOf(separator);
+ if (indx >= 1)
+ {
+ props.setProperty(raw.substring(0, indx), raw.substring(indx + 1));
+ }
+ }
+ }
+ return props;
+ }
+
+ /**
+ * Convert from a comma delimited list of name-value pairs separated by a ':'. Return the pros as {@link java.util.Properties}.
+ *
+ * @param inputString contains comma delimited list of properties.
+ * @return java collection class containing props.
+ */
+ public static Properties getProperties( String inputString )
+ {
+ return getProperties( inputString, GlobalIds.PROP_SEP );
+ }
+
+ /**
+ * Convert from a comma delimited list of name-value pairs separated by a ':'. Return the pros as {@link java.util.Properties}.
+ *
+ * @param inputString contains comma delimited list of properties.
+ * @param separator contains char to be used to separate key and value.
+ * @return java collection class containing props.
+ */
+ public static Properties getProperties( String inputString, char separator )
+ {
+ return getProperties( inputString, separator, GlobalIds.DELIMITER );
+ }
+
+ /**
+ * Convert from a comma delimited list of name-value pairs separated by a ':'. Return the pros as {@link java.util.Properties}.
+ *
+ * @param inputString contains comma delimited list of properties.
+ * @param separator contains char to be used to separate key and value.
+ * @param delimiter contains a single char specifying delimiter between properties.
+ * @return java collection class containing props.
+ */ + public static Properties getProperties( String inputString, char separator, String delimiter ) + { + Properties props = new Properties(); + if (inputString != null && inputString.length() > 0) + { + StringTokenizer maxTkn = new StringTokenizer(inputString, delimiter); + if (maxTkn.countTokens() > 0) + { + while (maxTkn.hasMoreTokens()) + { + String val = maxTkn.nextToken(); + int indx = val.indexOf(separator); + if (indx >= 1) + { + String name = val.substring(0, indx).trim(); + String value = val.substring(indx + 1).trim(); + props.setProperty(name, value); + } + } + } + } + return props; + } +} http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/model/Role.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/model/Role.java b/src/main/java/org/apache/directory/fortress/core/model/Role.java index eca7a79..2dda299 100755 --- a/src/main/java/org/apache/directory/fortress/core/model/Role.java +++ b/src/main/java/org/apache/directory/fortress/core/model/Role.java @@ -33,9 +33,6 @@ import javax.xml.bind.annotation.XmlSeeAlso; import javax.xml.bind.annotation.XmlTransient; import javax.xml.bind.annotation.XmlType; -import org.apache.directory.fortress.core.util.time.CUtil; -import org.apache.directory.fortress.core.util.time.Constraint; - /** * All entities ({@link User}, {@link Role}, {@link org.apache.directory.fortress.core.model.Permission}, @@ -56,8 +53,8 @@ import org.apache.directory.fortress.core.util.time.Constraint; *
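Review bot: The two `getProperties` families in PropUtil disagree on their empty result: the `List` overload returns `null` when `propList` is null or empty, while the `String` overloads always return an empty `Properties`, and neither Javadoc says which. Callers that treat the two interchangeably can hit a null dereference, so the `@return` of the list overload should state it, e.g. `@return reference to a Properties collection, or null when propList is null or empty`. Both variants also silently drop any entry whose separator is missing or at index 0 (`indx >= 1`), and only the string variant trims names and values; a one-line comment on each would record that. The bare `propList.size();` statement in the list overload discards its result and can be removed.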

    Role entity attribute usages include

    *
      *
    • {@link #setName} attribute must be set before calling {@link org.apache.directory.fortress.core.impl.AdminMgrImpl#addRole(Role)}, {@link org.apache.directory.fortress.core.impl.AdminMgrImpl#updateRole(Role)} or {@link org.apache.directory.fortress.core.impl.AdminMgrImpl#deleteRole(Role)} - *
    • {@link org.apache.directory.fortress.core.util.time.Constraint} may be set before calling method {@link org.apache.directory.fortress.core.impl.AdminMgrImpl#addRole(Role)}. - *
    • {@link org.apache.directory.fortress.core.util.time.Constraint} will be returned to caller on methods like {@link org.apache.directory.fortress.core.impl.ReviewMgrImpl#readRole(Role)} or {@link org.apache.directory.fortress.core.impl.ReviewMgrImpl#findRoles(String)} iff persisted to entity prior to call. + *
    • {@link Constraint} may be set before calling method {@link org.apache.directory.fortress.core.impl.AdminMgrImpl#addRole(Role)}. + *
    • {@link Constraint} will be returned to caller on methods like {@link org.apache.directory.fortress.core.impl.ReviewMgrImpl#readRole(Role)} or {@link org.apache.directory.fortress.core.impl.ReviewMgrImpl#findRoles(String)} iff persisted to entity prior to call. *
    *

    * This entity is used to store the RBAC Role assignments that comprise the many-to-many relationships between {@link User}s and {@link org.apache.directory.fortress.core.model.Permission}s. @@ -237,7 +234,7 @@ public Role( String name ) */ public Role( Constraint con ) { - CUtil.copy( con, this ); + ConstraintUtil.copy( con, this ); } http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/model/User.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/model/User.java b/src/main/java/org/apache/directory/fortress/core/model/User.java index 88092ae..d4c0e8d 100755 --- a/src/main/java/org/apache/directory/fortress/core/model/User.java +++ b/src/main/java/org/apache/directory/fortress/core/model/User.java @@ -34,8 +34,6 @@ import javax.xml.bind.annotation.XmlRootElement; import javax.xml.bind.annotation.XmlTransient; import javax.xml.bind.annotation.XmlType; -import org.apache.directory.fortress.core.util.time.Constraint; - /** * All entities ({@link User}, {@link org.apache.directory.fortress.core.model.Role}, {@link org.apache.directory.fortress.core.model.Permission}, http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/559c280e/src/main/java/org/apache/directory/fortress/core/model/UserAdminRole.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/model/UserAdminRole.java b/src/main/java/org/apache/directory/fortress/core/model/UserAdminRole.java index 7bb12a3..21ef097 100755 --- a/src/main/java/org/apache/directory/fortress/core/model/UserAdminRole.java +++ b/src/main/java/org/apache/directory/fortress/core/model/UserAdminRole.java 
@@ -31,15 +31,13 @@ import javax.xml.bind.annotation.XmlType; import org.apache.commons.lang.StringUtils; import org.apache.directory.fortress.core.GlobalIds; -import org.apache.directory.fortress.core.util.time.CUtil; -import org.apache.directory.fortress.core.util.time.Constraint; /** * The UserAdminRole entity extends the UserRole and is used to store ARBAC User to AdminRole assignment along with temporal and * ARBAC contraint values. * The contents of the UserAdminRole entity will be stored on the User entity in the 'ftARA' (AdminRole name) and 'ftARC' (Temporal and ARBAC Constraints) attributes on the 'ftUserAttrs' object class. - * The UserAdminRole entity carries elements of {@link org.apache.directory.fortress.core.util.time.Constraint}. Any attributes of Constraint not set within this entity + * The UserAdminRole entity carries elements of {@link Constraint}. Any attributes of Constraint not set within this entity * will use same attribute from the {@link AdminRole} entity. Thus the UserAdminRole can override Constraint attributes from it's corresponding AdminRole if required by caller. *

    *

    UserAdminRole Schema

    @@ -148,7 +146,7 @@ public class UserAdminRole extends UserRole implements Administrator public UserAdminRole( String userId, Constraint con ) { this.userId = userId; - CUtil.copy( con, this ); + ConstraintUtil.copy( con, this ); }