geode-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jinmeil...@apache.org
Subject [5/5] incubator-geode git commit: GEODE-17: enhance the GeodeSecurityUtil and review changes
Date Fri, 29 Apr 2016 15:40:18 GMT
GEODE-17: enhance the GeodeSecurityUtil and review changes

* allow operations that does not require any authorizations
* put/get, import/export and locate entry will check region access
* rename EnvronmentVariablesHandlerInterceptor
* rename ShiroUtil to GeodeSecurityUtil
* reformat code and review changes


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/7c38f0d8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/7c38f0d8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/7c38f0d8

Branch: refs/heads/feature/GEODE-17-2
Commit: 7c38f0d8811874509ae93dbd9a4a9f7b05ce0d01
Parents: 0c0825a
Author: Jinmei Liao <jiliao@pivotal.io>
Authored: Tue Apr 26 07:30:27 2016 -0700
Committer: Jinmei Liao <jiliao@pivotal.io>
Committed: Fri Apr 29 08:29:28 2016 -0700

----------------------------------------------------------------------
 .../cache/operations/OperationContext.java      |  13 +-
 .../management/DistributedSystemMXBean.java     |   6 +-
 .../gemfire/management/MemberMXBean.java        |  10 +-
 .../CreateAlterDestroyRegionCommands.java       |  12 +-
 .../internal/cli/commands/DataCommands.java     |  22 +-
 .../internal/cli/commands/RegionCommands.java   |   3 +-
 .../internal/cli/remote/CommandProcessor.java   |   7 +-
 .../internal/security/AccessControlMBean.java   |   4 +-
 .../internal/security/MBeanServerWrapper.java   |  23 +-
 .../internal/security/ResourceOperation.java    |  13 +-
 .../security/ResourceOperationContext.java      |  45 +-
 .../controllers/AbstractCommandsController.java |  17 +-
 .../EnvironmentVariablesHandlerInterceptor.java | 121 ---
 .../support/LoginHandlerInterceptor.java        | 122 +++
 .../web/shell/RestHttpOperationInvoker.java     |   4 -
 .../gemfire/security/CustomAuthRealm.java       |   7 +-
 .../gemfire/security/GeodeSecurityUtil.java     | 163 ++++
 .../gemfire/security/JMXShiroAuthenticator.java |   4 +-
 .../gemstone/gemfire/security/ShiroUtil.java    | 116 ---
 .../CacheServerMBeanAuthorizationJUnitTest.java |  26 +-
 .../CacheServerMBeanShiroJUnitTest.java         |  36 +-
 .../security/CliCommandsSecurityTest.java       |  17 +-
 .../security/DataCommandsSecurityTest.java      |   7 +-
 .../DiskStoreMXBeanSecurityJUnitTest.java       |  20 +-
 .../GatewayReceiverMBeanSecurityTest.java       |  17 +-
 .../GatewaySenderMBeanSecurityTest.java         |  24 +-
 .../GeodeSecurityUtilCustomRealmJUnitTest.java  |  52 ++
 .../GeodeSecurityUtilWithIniFileJUnitTest.java  | 147 +++
 .../security/GfshCommandsSecurityTest.java      |   6 +-
 .../internal/security/JSONAuthorization.java    |  77 +-
 .../LockServiceMBeanAuthorizationJUnitTest.java |  10 +-
 .../ManagerMBeanAuthorizationJUnitTest.java     |   4 +-
 .../security/MemberMBeanSecurityJUnitTest.java  |  30 +-
 .../ResourceOperationContextJUnitTest.java      |  88 ++
 .../internal/security/TestCommand.java          | 178 ++--
 .../management/internal/security/auth3.json     |   2 +-
 .../internal/security/cacheServer.json          |  10 +-
 .../management/internal/security/shiro-ini.json |  87 ++
 .../internal/security/testInheritRole.json      |  40 -
 .../security/testSimpleUserAndRole.json         |  18 -
 .../testUserAndRoleRegionServerGroup.json       |  20 -
 .../internal/security/testUserMultipleRole.json |  26 -
 geode-core/src/test/resources/shiro.ini         |  13 +-
 .../junit/rules/DescribedExternalResource.java  |  11 +-
 .../security/GemFireAuthentication.java         | 114 +--
 .../security/GemFireAuthenticationProvider.java |   9 +-
 .../pulse/internal/security/LogoutHandler.java  |  12 +-
 .../tools/pulse/tests/PulseAbstractTest.java    | 904 ++++++++++---------
 .../gemfire/tools/pulse/tests/Region.java       |   2 +-
 .../src/main/webapp/WEB-INF/gemfire-servlet.xml |   2 +-
 ...entVariablesHandlerInterceptorJUnitTest.java | 272 ------
 .../LoginHandlerInterceptorJUnitTest.java       | 274 ++++++
 52 files changed, 1758 insertions(+), 1509 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
index dd290c5..b632edb 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
@@ -33,6 +33,7 @@ import org.apache.shiro.authz.permission.WildcardPermission;
 public abstract class OperationContext extends WildcardPermission{
 
   public enum Resource {
+    NULL,
     CLUSTER,
     DATA
   };
@@ -76,6 +77,7 @@ public abstract class OperationContext extends WildcardPermission{
     EXECUTE_FUNCTION,
     @Deprecated
     GET_DURABLE_CQS,
+    NULL,
     MANAGE,
     WRITE,
     READ;
@@ -298,11 +300,15 @@ public abstract class OperationContext extends WildcardPermission{
   public abstract OperationCode getOperationCode();
 
   public Resource getResource(){
-    return Resource.DATA;
+    return Resource.NULL;
   }
 
+  /**
+   *
+   * @return
+   */
   public String getRegionName(){
-    return null;
+    return "NULL";
   }
 
   /**
@@ -356,7 +362,4 @@ public abstract class OperationContext extends WildcardPermission{
         || opCode.isRegionDestroy() || opCode.isRegionClear());
   }
 
-  public String toString(){
-    return getResource() + ":"+ getOperationCode();
-  }
 }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java b/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java
index a27d92f..6dac6af 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java
@@ -72,14 +72,16 @@ import com.gemstone.gemfire.management.internal.security.ResourceOperation;
  * @since 7.0
  *
  */
-//@ResourceOperation(resource = Resource.CLUSTER, operation = OperationCode.READ)
+@ResourceOperation(resource = Resource.CLUSTER, operation = OperationCode.READ)
 public interface DistributedSystemMXBean {
 
   /**
    * Returns the ID of thie DistributedSystem.
+   * allow anyone to access this method
    *
    * @return The DistributedSystem ID or -1 if not set.
    */
+  @ResourceOperation()
   public int getDistributedSystemId();
 
   /**
@@ -351,7 +353,9 @@ public interface DistributedSystemMXBean {
   /**
    * Returns the object name for a {@link MemberMXBean} used to access
    * this distributed member.
+   * allow anyone to access this method
    */
+  @ResourceOperation()
   public ObjectName getMemberObjectName();
 
   /**

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java b/geode-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java
index 5f656a9..c5d9933 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/MemberMXBean.java
@@ -16,13 +16,12 @@
  */
 package com.gemstone.gemfire.management;
 
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.management.internal.security.ResourceOperation;
+import static com.gemstone.gemfire.cache.operations.OperationContext.*;
 
 import java.util.Map;
 
-import static com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import static com.gemstone.gemfire.cache.operations.OperationContext.Resource;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.management.internal.security.ResourceOperation;
 
 /**
  * MBean that provides access to information and management functionality for a
@@ -199,6 +198,7 @@ public interface MemberMXBean {
    * 
    * @return Result of the execution in JSON format.
    */
+  @ResourceOperation()
   String processCommand(String commandString);
   
   /**
@@ -210,6 +210,7 @@ public interface MemberMXBean {
    *          Environmental properties to use during command execution.
    * @return Result of the execution in JSON format.
    */
+  @ResourceOperation()
   String processCommand(String commandString, Map<String, String> env);
   
   /**
@@ -223,6 +224,7 @@ public interface MemberMXBean {
    *          Binary data specific to the command being executed.
    * @return Result of the execution in JSON format.
    */
+  @ResourceOperation()
   String processCommand(String commandString, Map<String, String> env, Byte[][] binaryData);
 
   /**

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java
index cdbd3db..06c096f 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java
@@ -79,7 +79,7 @@ import com.gemstone.gemfire.management.internal.cli.util.RegionPath;
 import com.gemstone.gemfire.management.internal.configuration.SharedConfigurationWriter;
 import com.gemstone.gemfire.management.internal.configuration.domain.XmlEntity;
 import com.gemstone.gemfire.management.internal.security.ResourceOperation;
-import com.gemstone.gemfire.security.ShiroUtil;
+
 import org.springframework.shell.core.annotation.CliAvailabilityIndicator;
 import org.springframework.shell.core.annotation.CliCommand;
 import org.springframework.shell.core.annotation.CliOption;
@@ -437,7 +437,7 @@ public class CreateAlterDestroyRegionCommands extends AbstractCommandsSupport {
   
   @CliCommand (value = CliStrings.ALTER_REGION, help = CliStrings.ALTER_REGION__HELP)
   @CliMetaData (relatedTopic = CliStrings.TOPIC_GEMFIRE_REGION, writesToSharedConfiguration = true)
-  @ResourceOperation(resource = Resource.DATA, operation = OperationCode.MANAGE)
+  @ResourceOperation(resource=Resource.DATA, operation = OperationCode.MANAGE)
   public Result alterRegion(
       @CliOption (key = CliStrings.ALTER_REGION__REGION,
                   mandatory = true,
@@ -528,9 +528,6 @@ public class CreateAlterDestroyRegionCommands extends AbstractCommandsSupport {
                   specifiedDefaultValue = "0",
                   help = CliStrings.ALTER_REGION__EVICTIONMAX__HELP)
       Integer evictionMax) {
-
-    ShiroUtil.authorize("DATA", "MANAGE", regionPath);
-
     Result result = null;
     XmlEntity xmlEntity = null;
 
@@ -999,16 +996,13 @@ public class CreateAlterDestroyRegionCommands extends AbstractCommandsSupport {
 
   @CliCommand(value = { CliStrings.DESTROY_REGION }, help = CliStrings.DESTROY_REGION__HELP)
   @CliMetaData(shellOnly = false, relatedTopic = CliStrings.TOPIC_GEMFIRE_REGION, writesToSharedConfiguration = true)
-  @ResourceOperation(resource = Resource.DATA, operation = OperationCode.MANAGE)
+  @ResourceOperation(resource=Resource.DATA, operation = OperationCode.MANAGE)
   public Result destroyRegion(
       @CliOption(key = CliStrings.DESTROY_REGION__REGION,
           optionContext = ConverterHint.REGIONPATH,
           mandatory = true,
           help = CliStrings.DESTROY_REGION__REGION__HELP)
       String regionPath) {
-
-    ShiroUtil.authorize("DATA", "MANAGE", regionPath);
-
     if (regionPath == null) {
       return ResultBuilder.createInfoResult(CliStrings.DESTROY_REGION__MSG__SPECIFY_REGIONPATH_TO_DESTROY);
     }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java
index c1c04a3..61803fe 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java
@@ -73,7 +73,8 @@ import com.gemstone.gemfire.management.internal.cli.result.ResultBuilder;
 import com.gemstone.gemfire.management.internal.cli.result.TabularResultData;
 import com.gemstone.gemfire.management.internal.cli.shell.Gfsh;
 import com.gemstone.gemfire.management.internal.security.ResourceOperation;
-import com.gemstone.gemfire.security.ShiroUtil;
+import com.gemstone.gemfire.security.GeodeSecurityUtil;
+
 import org.springframework.shell.core.CommandMarker;
 import org.springframework.shell.core.annotation.CliAvailabilityIndicator;
 import org.springframework.shell.core.annotation.CliCommand;
@@ -834,13 +835,12 @@ public class DataCommands implements CommandMarker {
   @CliCommand(value = CliStrings.EXPORT_DATA, help = CliStrings.EXPORT_DATA__HELP)
   @CliMetaData(relatedTopic = { CliStrings.TOPIC_GEMFIRE_DATA,
       CliStrings.TOPIC_GEMFIRE_REGION })
-  @ResourceOperation(resource = Resource.DATA, operation = OperationCode.READ)
   public Result exportData(
       @CliOption(key = CliStrings.EXPORT_DATA__REGION, mandatory = true, optionContext = ConverterHint.REGIONPATH, help = CliStrings.EXPORT_DATA__REGION__HELP) String regionName,
       @CliOption(key = CliStrings.EXPORT_DATA__FILE, unspecifiedDefaultValue = CliMetaData.ANNOTATION_NULL_VALUE, mandatory = true, help = CliStrings.EXPORT_DATA__FILE__HELP) String filePath,
       @CliOption(key = CliStrings.EXPORT_DATA__MEMBER, unspecifiedDefaultValue = CliMetaData.ANNOTATION_NULL_VALUE, optionContext = ConverterHint.MEMBERIDNAME, mandatory = true, help = CliStrings.EXPORT_DATA__MEMBER__HELP) String memberNameOrId) {
 
-    ShiroUtil.authorize("DATA", "READ", regionName);
+    GeodeSecurityUtil.authorizeRegionRead(regionName);
     final Cache cache = CacheFactory.getAnyInstance();
     final DistributedMember targetMember = CliUtil
         .getDistributedMemberByNameOrId(memberNameOrId);
@@ -891,13 +891,12 @@ public class DataCommands implements CommandMarker {
   @CliCommand(value = CliStrings.IMPORT_DATA, help = CliStrings.IMPORT_DATA__HELP)
   @CliMetaData(relatedTopic = { CliStrings.TOPIC_GEMFIRE_DATA,
       CliStrings.TOPIC_GEMFIRE_REGION })
-  @ResourceOperation(resource = Resource.DATA, operation = OperationCode.WRITE)
   public Result importData(
       @CliOption(key = CliStrings.IMPORT_DATA__REGION, optionContext = ConverterHint.REGIONPATH, mandatory = true, help = CliStrings.IMPORT_DATA__REGION__HELP) String regionName,
       @CliOption(key = CliStrings.IMPORT_DATA__FILE, mandatory = true, unspecifiedDefaultValue = CliMetaData.ANNOTATION_NULL_VALUE, help = CliStrings.IMPORT_DATA__FILE__HELP) String filePath,
       @CliOption(key = CliStrings.IMPORT_DATA__MEMBER, mandatory = true, unspecifiedDefaultValue = CliMetaData.ANNOTATION_NULL_VALUE, optionContext = ConverterHint.MEMBERIDNAME, help = CliStrings.IMPORT_DATA__MEMBER__HELP) String memberNameOrId) {
 
-    ShiroUtil.authorize("DATA", "WRITE", regionName);
+    GeodeSecurityUtil.authorizeRegionWrite(regionName);
 
     Result result = null;
 
@@ -949,7 +948,6 @@ public class DataCommands implements CommandMarker {
   @CliMetaData(shellOnly = false, relatedTopic = {
       CliStrings.TOPIC_GEMFIRE_DATA, CliStrings.TOPIC_GEMFIRE_REGION })
   @CliCommand(value = { CliStrings.PUT }, help = CliStrings.PUT__HELP)
-  @ResourceOperation(resource = Resource.DATA, operation = OperationCode.WRITE)
   public Result put(
       @CliOption(key = { CliStrings.PUT__KEY }, mandatory = true, help = CliStrings.PUT__KEY__HELP) String key,
       @CliOption(key = { CliStrings.PUT__VALUE }, mandatory = true, help = CliStrings.PUT__VALUE__HELP) String value,
@@ -958,7 +956,7 @@ public class DataCommands implements CommandMarker {
       @CliOption(key = { CliStrings.PUT__VALUEKLASS }, help = CliStrings.PUT__VALUEKLASS__HELP) String valueClass,
       @CliOption(key = { CliStrings.PUT__PUTIFABSENT }, help = CliStrings.PUT__PUTIFABSENT__HELP, unspecifiedDefaultValue = "false") boolean putIfAbsent) {
 
-    ShiroUtil.authorize("DATA", "WRITE", regionPath);
+    GeodeSecurityUtil.authorizeRegionWrite(regionPath);
     Cache cache = CacheFactory.getAnyInstance();
     DataCommandResult dataResult = null;
     if (regionPath == null || regionPath.isEmpty()) {
@@ -1018,7 +1016,6 @@ public class DataCommands implements CommandMarker {
   @CliMetaData(shellOnly = false, relatedTopic = {
       CliStrings.TOPIC_GEMFIRE_DATA, CliStrings.TOPIC_GEMFIRE_REGION })
   @CliCommand(value = { CliStrings.GET }, help = CliStrings.GET__HELP)
-  @ResourceOperation(resource = Resource.DATA, operation= OperationCode.READ)
   public Result get(
       @CliOption(key = { CliStrings.GET__KEY }, mandatory = true, help = CliStrings.GET__KEY__HELP) String key,
       @CliOption(key = { CliStrings.GET__REGIONNAME }, mandatory = true, help = CliStrings.GET__REGIONNAME__HELP, optionContext = ConverterHint.REGIONPATH) String regionPath,
@@ -1026,7 +1023,7 @@ public class DataCommands implements CommandMarker {
       @CliOption(key = { CliStrings.GET__VALUEKLASS }, help = CliStrings.GET__VALUEKLASS__HELP) String valueClass,
       @CliOption(key = CliStrings.GET__LOAD, unspecifiedDefaultValue = "true", specifiedDefaultValue = "true", help = CliStrings.GET__LOAD__HELP) Boolean loadOnCacheMiss)
   {
-    ShiroUtil.authorize("DATA", "READ", regionPath);
+    GeodeSecurityUtil.authorizeRegionRead(regionPath);
 
     Cache cache = CacheFactory.getAnyInstance();
     DataCommandResult dataResult = null;
@@ -1074,14 +1071,14 @@ public class DataCommands implements CommandMarker {
   @CliMetaData(shellOnly = false, relatedTopic = {
       CliStrings.TOPIC_GEMFIRE_DATA, CliStrings.TOPIC_GEMFIRE_REGION })
   @CliCommand(value = { CliStrings.LOCATE_ENTRY }, help = CliStrings.LOCATE_ENTRY__HELP)
-  @ResourceOperation(resource = Resource.DATA, operation = OperationCode.READ)
   public Result locateEntry(
       @CliOption(key = { CliStrings.LOCATE_ENTRY__KEY }, mandatory = true, help = CliStrings.LOCATE_ENTRY__KEY__HELP) String key,
       @CliOption(key = { CliStrings.LOCATE_ENTRY__REGIONNAME }, mandatory = true, help = CliStrings.LOCATE_ENTRY__REGIONNAME__HELP, optionContext = ConverterHint.REGIONPATH) String regionPath,
       @CliOption(key = { CliStrings.LOCATE_ENTRY__KEYCLASS }, help = CliStrings.LOCATE_ENTRY__KEYCLASS__HELP) String keyClass,
       @CliOption(key = { CliStrings.LOCATE_ENTRY__VALUEKLASS }, help = CliStrings.LOCATE_ENTRY__VALUEKLASS__HELP) String valueClass,
       @CliOption(key = { CliStrings.LOCATE_ENTRY__RECURSIVE }, help = CliStrings.LOCATE_ENTRY__RECURSIVE__HELP, unspecifiedDefaultValue = "false") boolean recursive) {
-    ShiroUtil.authorize("DATA", "READ", regionPath);
+
+    GeodeSecurityUtil.authorizeRegionRead(regionPath);
     // Cache cache = CacheFactory.getAnyInstance();
     DataCommandResult dataResult = null;
 
@@ -1122,13 +1119,12 @@ public class DataCommands implements CommandMarker {
   @CliMetaData(shellOnly = false, relatedTopic = {
       CliStrings.TOPIC_GEMFIRE_DATA, CliStrings.TOPIC_GEMFIRE_REGION })
   @CliCommand(value = { CliStrings.REMOVE }, help = CliStrings.REMOVE__HELP)
-  @ResourceOperation(resource = Resource.DATA, operation = OperationCode.MANAGE)
+  @ResourceOperation(resource=Resource.DATA, operation = OperationCode.MANAGE)
   public Result remove(
       @CliOption(key = { CliStrings.REMOVE__KEY }, help = CliStrings.REMOVE__KEY__HELP) String key,
       @CliOption(key = { CliStrings.REMOVE__REGION }, mandatory = true, help = CliStrings.REMOVE__REGION__HELP, optionContext = ConverterHint.REGIONPATH) String regionPath,
       @CliOption(key = CliStrings.REMOVE__ALL, help = CliStrings.REMOVE__ALL__HELP, specifiedDefaultValue = "true", unspecifiedDefaultValue = "false") boolean removeAllKeys,
       @CliOption(key = { CliStrings.REMOVE__KEYCLASS }, help = CliStrings.REMOVE__KEYCLASS__HELP) String keyClass) {
-
     Cache cache = CacheFactory.getAnyInstance();
     DataCommandResult dataResult = null;
 

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java
index ac69d32..0408675 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java
@@ -52,7 +52,7 @@ import com.gemstone.gemfire.management.internal.cli.result.TabularResultData;
 import com.gemstone.gemfire.management.internal.cli.shell.Gfsh;
 import com.gemstone.gemfire.management.internal.cli.util.RegionAttributesNames;
 import com.gemstone.gemfire.management.internal.security.ResourceOperation;
-import com.gemstone.gemfire.security.ShiroUtil;
+
 import org.springframework.shell.core.CommandMarker;
 import org.springframework.shell.core.annotation.CliAvailabilityIndicator;
 import org.springframework.shell.core.annotation.CliCommand;
@@ -163,7 +163,6 @@ public class RegionCommands implements CommandMarker {
       mandatory = true)
       String regionName) {
 
-    ShiroUtil.authorize("CLUSTER", "READ", regionName);
     Result result = null;
     try {
       

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java
index 87053cc..c3b0b7f 100755
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java
@@ -31,7 +31,8 @@ import com.gemstone.gemfire.management.internal.cli.result.ResultBuilder;
 import com.gemstone.gemfire.management.internal.cli.util.CommentSkipHelper;
 import com.gemstone.gemfire.management.internal.security.ResourceOperation;
 import com.gemstone.gemfire.security.GemFireSecurityException;
-import com.gemstone.gemfire.security.ShiroUtil;
+import com.gemstone.gemfire.security.GeodeSecurityUtil;
+
 import org.springframework.shell.core.Parser;
 import org.springframework.shell.event.ParseResult;
 
@@ -108,9 +109,7 @@ public class CommandProcessor {
         //do general authorization check here
         Method method = parseResult.getMethod();
         ResourceOperation resourceOperation = method.getAnnotation(ResourceOperation.class);
-        if(resourceOperation!=null){
-          ShiroUtil.authorize(resourceOperation);
-        }
+        GeodeSecurityUtil.authorize(resourceOperation);
 
         result = executionStrategy.execute(parseResult);
         if (result instanceof Result) {

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
index 9921538..33b80e2 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
@@ -17,7 +17,7 @@
 package com.gemstone.gemfire.management.internal.security;
 
 import com.gemstone.gemfire.security.GemFireSecurityException;
-import com.gemstone.gemfire.security.ShiroUtil;
+import com.gemstone.gemfire.security.GeodeSecurityUtil;
 
 /**
  * AccessControlMBean Implementation. This retrieves JMXPrincipal from AccessController
@@ -30,7 +30,7 @@ public class AccessControlMBean implements AccessControlMXBean {
   @Override
   public boolean authorize(String resource, String permission) {
     try {
-      ShiroUtil.authorize(resource, permission);
+      GeodeSecurityUtil.authorize(resource, permission);
       return true;
     }
     catch (GemFireSecurityException e){

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
index bbc0442..8d1031a 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
@@ -46,7 +46,7 @@ import javax.management.remote.MBeanServerForwarder;
 
 import com.gemstone.gemfire.management.internal.ManagementConstants;
 import com.gemstone.gemfire.security.GemFireSecurityException;
-import com.gemstone.gemfire.security.ShiroUtil;
+import com.gemstone.gemfire.security.GeodeSecurityUtil;
 
 /**
  * This class intercepts all MBean requests for GemFire MBeans and passed it to
@@ -60,14 +60,6 @@ public class MBeanServerWrapper implements MBeanServerForwarder {
   public MBeanServerWrapper(){
   }
 
-  private void doAuthorization(ResourceOperationContext context){
-    // allow operations which requires no permissions
-    if(context == null)
-      return;
-
-    ShiroUtil.authorize(context);
-  }
-
   private void doAuthorizationPost(ResourceOperationContext context){
     if(context == null)
       return;
@@ -161,7 +153,7 @@ public class MBeanServerWrapper implements MBeanServerForwarder {
   public Object getAttribute(ObjectName name, String attribute) throws MBeanException, InstanceNotFoundException,
       ReflectionException {
     ResourceOperationContext ctx = getOperationContext(name, attribute, false);
-    doAuthorization(ctx);
+    GeodeSecurityUtil.authorize(ctx);
     Object result;
     try {
       result = mbs.getAttribute(name, attribute);
@@ -195,7 +187,7 @@ public class MBeanServerWrapper implements MBeanServerForwarder {
   public void setAttribute(ObjectName name, Attribute attribute) throws InstanceNotFoundException,
       AttributeNotFoundException, InvalidAttributeValueException, MBeanException, ReflectionException {
     ResourceOperationContext ctx = getOperationContext(name, attribute.getName(), false);
-    doAuthorization(ctx);
+    GeodeSecurityUtil.authorize(ctx);
     mbs.setAttribute(name, attribute);
   }
 
@@ -216,12 +208,9 @@ public class MBeanServerWrapper implements MBeanServerForwarder {
   @Override
   public Object invoke(ObjectName name, String operationName, Object[] params, String[] signature)
       throws InstanceNotFoundException, MBeanException, ReflectionException {
-    // skip authorization check if operation is "processCommand" since we will check authorization in the command itself
-    ResourceOperationContext ctx = null;
-    if(!"processCommand".equals(operationName)) {
-      ctx = getOperationContext(name, operationName, true);
-      doAuthorization(ctx);
-    }
+
+    ResourceOperationContext ctx = getOperationContext(name, operationName, true);
+    GeodeSecurityUtil.authorize(ctx);
 
     Object result = mbs.invoke(name, operationName, params, signature);
     if(ctx!=null)

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperation.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperation.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperation.java
index f72a835..8b50183 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperation.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperation.java
@@ -16,25 +16,22 @@
  */
 package com.gemstone.gemfire.management.internal.security;
 
-import javax.management.DescriptorKey;
+import static com.gemstone.gemfire.cache.operations.OperationContext.*;
+
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Inherited;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
-
-import static com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import static com.gemstone.gemfire.cache.operations.OperationContext.Resource;
+import javax.management.DescriptorKey;
 
 @Target({ElementType.METHOD, ElementType.TYPE})
 @Retention(RetentionPolicy.RUNTIME)
 @Inherited
 public @interface ResourceOperation {
   @DescriptorKey("resource")
-  Resource resource();
-
-  String label() default ResourceConstants.DEFAULT_LABEL;
+  Resource resource() default Resource.NULL;
 
   @DescriptorKey("operation")
-  OperationCode operation();
+  OperationCode operation() default OperationCode.NULL;
 }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
index 396cdac..50f9b78 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
@@ -18,6 +18,8 @@ package com.gemstone.gemfire.management.internal.security;
 
 import com.gemstone.gemfire.cache.operations.OperationContext;
 
+import org.apache.shiro.authz.Permission;
+
 /**
  * This is base class for OperationContext for resource (JMX and CLI) operations
  */
@@ -25,32 +27,25 @@ public class ResourceOperationContext extends OperationContext {
 
   private boolean isPostOperation = false;
   private Object opResult = null;
-  private Resource resource = null;
-  private OperationCode operation = null;
-  private String regionName = null;
+  private Resource resource = Resource.NULL;
+  private OperationCode operation = OperationCode.NULL;
+
+  private String regionName = "NULL";
 
   public ResourceOperationContext() {
+    this(null, null, null);
   }
 
-  public ResourceOperationContext(Resource resource, OperationCode operation) {
-    setParts(resource.name()+":"+operation.name(), false);
-    this.resource = resource;
-    this.operation = operation;
+  public ResourceOperationContext(String resource, String operation) {
+    this(resource, operation, null);
   }
 
   public ResourceOperationContext(String resource, String operation, String regionName) {
-    setParts(resource+":"+operation+":"+regionName, false);
     if (resource != null) this.resource = Resource.valueOf(resource);
     if (operation != null) this.operation = OperationCode.valueOf(operation);
-    this.regionName = regionName;
-  }
+    if (regionName !=null ) this.regionName = regionName;
 
-  public void setResourceOperation(ResourceOperation op) {
-    if (op != null) {
-      resource = op.resource();
-      operation = op.operation();
-      setParts(resource.name()+":"+operation.name(), false);
-    }
+    setParts(this.resource.name()+":"+this.operation.name()+":"+regionName);
   }
 
   @Override
@@ -87,20 +82,8 @@ public class ResourceOperationContext extends OperationContext {
     return this.opResult;
   }
 
-  public String toString(){
-    if(this.regionName==null)
-      return getResource() + ":"+ getOperationCode();
-    else
-      return getResource() + ":"+ getOperationCode()+ ":" +this.regionName;
-  }
-
-  public boolean equals(Object o){
-    if(! (o instanceof ResourceOperationContext))
-      return false;
-
-    ResourceOperationContext other = (ResourceOperationContext)o;
-    return (this.resource==other.getResource() && this.operation==other.getOperationCode());
+  @Override
+  public boolean implies(Permission p){
+    return super.implies(p);
   }
-
-
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
index 211d0b1..08865b4 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/AbstractCommandsController.java
@@ -47,10 +47,11 @@ import com.gemstone.gemfire.management.internal.ManagementConstants;
 import com.gemstone.gemfire.management.internal.SystemManagementService;
 import com.gemstone.gemfire.management.internal.cli.shell.Gfsh;
 import com.gemstone.gemfire.management.internal.cli.util.CommandStringBuilder;
-import com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor;
+import com.gemstone.gemfire.management.internal.web.controllers.support.LoginHandlerInterceptor;
 import com.gemstone.gemfire.management.internal.web.controllers.support.MemberMXBeanAdapter;
 import com.gemstone.gemfire.management.internal.web.util.UriUtils;
-import com.gemstone.gemfire.security.ShiroUtil;
+import com.gemstone.gemfire.security.GeodeSecurityUtil;
+
 import org.apache.logging.log4j.Logger;
 import org.springframework.beans.propertyeditors.StringArrayPropertyEditor;
 import org.springframework.http.HttpStatus;
@@ -488,12 +489,12 @@ public abstract class AbstractCommandsController {
    * Gets the environment setup during this HTTP/command request for the current command process execution.
    * 
    * @return a mapping of environment variables to values.
-   * @see com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor#getEnvironment()
+   * @see LoginHandlerInterceptor#getEnvironment()
    */
   protected Map<String, String> getEnvironment() {
     final Map<String, String> environment = new HashMap<String, String>();
 
-    environment.putAll(EnvironmentVariablesHandlerInterceptor.getEnvironment());
+    environment.putAll(LoginHandlerInterceptor.getEnvironment());
     environment.put(Gfsh.ENV_APP_NAME, Gfsh.GFSH_APP_NAME);
 
     return environment;
@@ -541,7 +542,7 @@ public abstract class AbstractCommandsController {
    * @param command a String value containing a valid command String as would be entered by the user in Gfsh.
    * @return a result of the command execution as a String, typically marshalled in JSON to be serialized back to Gfsh.
    * @see com.gemstone.gemfire.management.internal.cli.shell.Gfsh
-   * @see com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor#getEnvironment()
+   * @see LoginHandlerInterceptor#getEnvironment()
    * @see #getEnvironment()
    * @see #processCommand(String, java.util.Map, byte[][])
    */
@@ -558,7 +559,7 @@ public abstract class AbstractCommandsController {
         return new ResponseEntity<String>(processCommand(command, fileData), HttpStatus.OK);
       }
     };
-    return ShiroUtil.associateWith(callable);
+    return GeodeSecurityUtil.associateWith(callable);
   }
 
 
@@ -571,7 +572,7 @@ public abstract class AbstractCommandsController {
    * the Manager, usually for the 'deploy' Gfsh command.
    * @return a result of the command execution as a String, typically marshalled in JSON to be serialized back to Gfsh.
    * @see com.gemstone.gemfire.management.internal.cli.shell.Gfsh
-   * @see com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor#getEnvironment()
+   * @see LoginHandlerInterceptor#getEnvironment()
    * @see #getEnvironment()
    * @see #processCommand(String, java.util.Map, byte[][])
    */
@@ -590,7 +591,7 @@ public abstract class AbstractCommandsController {
    * between Gfsh and the Manager, and thus need to specify this key/value pair mapping.
    * @return a result of the command execution as a String, typically marshalled in JSON to be serialized back to Gfsh.
    * @see com.gemstone.gemfire.management.internal.cli.shell.Gfsh
-   * @see com.gemstone.gemfire.management.internal.web.controllers.support.EnvironmentVariablesHandlerInterceptor#getEnvironment()
+   * @see LoginHandlerInterceptor#getEnvironment()
    * @see #processCommand(String, java.util.Map, byte[][])
    */
   protected String processCommand(final String command, final Map<String, String> environment) {

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
deleted file mode 100644
index bb7a27d..0000000
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/EnvironmentVariablesHandlerInterceptor.java
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gemstone.gemfire.management.internal.web.controllers.support;
-
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.gemstone.gemfire.cache.Cache;
-import com.gemstone.gemfire.internal.logging.LogService;
-import com.gemstone.gemfire.management.internal.security.ResourceConstants;
-import com.gemstone.gemfire.security.Authenticator;
-import com.gemstone.gemfire.security.ShiroUtil;
-import org.apache.logging.log4j.Logger;
-import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
-
-/**
- * The GetEnvironmentHandlerInterceptor class handles extracting Gfsh environment variables encoded in the HTTP request
- * message as request parameters.
- * <p/>
- * @see javax.servlet.http.HttpServletRequest
- * @see javax.servlet.http.HttpServletResponse
- * @see org.springframework.web.servlet.handler.HandlerInterceptorAdapter
- * @since 8.0
- */
-@SuppressWarnings("unused")
-public class EnvironmentVariablesHandlerInterceptor extends HandlerInterceptorAdapter {
-
-  private static final Logger logger = LogService.getLogger();
-
-  private Cache cache;
-
-  private Authenticator auth = null;
-
-  private static final ThreadLocal<Map<String, String>> ENV = new ThreadLocal<Map<String, String>>() {
-    @Override
-    protected Map<String, String> initialValue() {
-      return Collections.emptyMap();
-    }
-  };
-
-  protected static final String ENVIRONMENT_VARIABLE_REQUEST_PARAMETER_PREFIX = "vf.gf.env.";
-
-  protected static final String SECURITY_VARIABLE_REQUEST_HEADER_PREFIX = "security-";
-
-  public static Map<String, String> getEnvironment() {
-    return ENV.get();
-  }
-
-  @Override
-  public boolean preHandle(final HttpServletRequest request, final HttpServletResponse response, final Object handler)
-    throws Exception
-  {
-    final Map<String, String> requestParameterValues = new HashMap<String, String>();
-
-    for (Enumeration<String> requestParameters = request.getParameterNames(); requestParameters.hasMoreElements(); ) {
-      final String requestParameter = requestParameters.nextElement();
-
-      if (requestParameter.startsWith(ENVIRONMENT_VARIABLE_REQUEST_PARAMETER_PREFIX)) {
-        requestParameterValues.put(requestParameter.substring(ENVIRONMENT_VARIABLE_REQUEST_PARAMETER_PREFIX.length()),
-          request.getParameter(requestParameter));
-      }
-    }
-
-
-
-    for (Enumeration<String> requestHeaders = request.getHeaderNames(); requestHeaders.hasMoreElements();) {
-
-      final String requestHeader = requestHeaders.nextElement();
-
-      if (requestHeader.startsWith(SECURITY_VARIABLE_REQUEST_HEADER_PREFIX)) {
-        requestParameterValues.put(requestHeader, request.getHeader(requestHeader));
-      }
-
-    }
-
-    String username = requestParameterValues.get(ResourceConstants.USER_NAME);
-    String password = requestParameterValues.get(ResourceConstants.PASSWORD);
-    ShiroUtil.login(username, password);
-
-    ENV.set(requestParameterValues);
-
-    return true;
-  }
-
-
-  @Override
-  public void afterCompletion(final HttpServletRequest request,
-                              final HttpServletResponse response,
-                              final Object handler,
-                              final Exception ex)
-    throws Exception
-  {
-    afterConcurrentHandlingStarted(request, response, handler);
-    ShiroUtil.logout();
-  }
-
-  @Override
-  public void afterConcurrentHandlingStarted(
-    HttpServletRequest request, HttpServletResponse response, Object handler)
-    throws Exception {
-    ENV.remove();
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java
new file mode 100644
index 0000000..5465ea3
--- /dev/null
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/controllers/support/LoginHandlerInterceptor.java
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.web.controllers.support;
+
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.gemstone.gemfire.cache.Cache;
+import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.management.internal.security.ResourceConstants;
+import com.gemstone.gemfire.security.Authenticator;
+import com.gemstone.gemfire.security.GeodeSecurityUtil;
+
+import org.apache.logging.log4j.Logger;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+/**
+ * The GetEnvironmentHandlerInterceptor class handles extracting Gfsh environment variables encoded in the HTTP request
+ * message as request parameters.
+ * <p/>
+ * @see javax.servlet.http.HttpServletRequest
+ * @see javax.servlet.http.HttpServletResponse
+ * @see org.springframework.web.servlet.handler.HandlerInterceptorAdapter
+ * @since 8.0
+ */
+@SuppressWarnings("unused")
+public class LoginHandlerInterceptor extends HandlerInterceptorAdapter {
+
+  private static final Logger logger = LogService.getLogger();
+
+  private Cache cache;
+
+  private Authenticator auth = null;
+
+  private static final ThreadLocal<Map<String, String>> ENV = new ThreadLocal<Map<String, String>>() {
+    @Override
+    protected Map<String, String> initialValue() {
+      return Collections.emptyMap();
+    }
+  };
+
+  protected static final String ENVIRONMENT_VARIABLE_REQUEST_PARAMETER_PREFIX = "vf.gf.env.";
+
+  protected static final String SECURITY_VARIABLE_REQUEST_HEADER_PREFIX = "security-";
+
+  public static Map<String, String> getEnvironment() {
+    return ENV.get();
+  }
+
+  @Override
+  public boolean preHandle(final HttpServletRequest request, final HttpServletResponse response, final Object handler)
+    throws Exception
+  {
+    final Map<String, String> requestParameterValues = new HashMap<String, String>();
+
+    for (Enumeration<String> requestParameters = request.getParameterNames(); requestParameters.hasMoreElements(); ) {
+      final String requestParameter = requestParameters.nextElement();
+
+      if (requestParameter.startsWith(ENVIRONMENT_VARIABLE_REQUEST_PARAMETER_PREFIX)) {
+        requestParameterValues.put(requestParameter.substring(ENVIRONMENT_VARIABLE_REQUEST_PARAMETER_PREFIX.length()),
+          request.getParameter(requestParameter));
+      }
+    }
+
+
+
+    for (Enumeration<String> requestHeaders = request.getHeaderNames(); requestHeaders.hasMoreElements();) {
+
+      final String requestHeader = requestHeaders.nextElement();
+
+      if (requestHeader.startsWith(SECURITY_VARIABLE_REQUEST_HEADER_PREFIX)) {
+        requestParameterValues.put(requestHeader, request.getHeader(requestHeader));
+      }
+
+    }
+
+    String username = requestParameterValues.get(ResourceConstants.USER_NAME);
+    String password = requestParameterValues.get(ResourceConstants.PASSWORD);
+    GeodeSecurityUtil.login(username, password);
+
+    ENV.set(requestParameterValues);
+
+    return true;
+  }
+
+
+  @Override
+  public void afterCompletion(final HttpServletRequest request,
+                              final HttpServletResponse response,
+                              final Object handler,
+                              final Exception ex)
+    throws Exception
+  {
+    afterConcurrentHandlingStarted(request, response, handler);
+    GeodeSecurityUtil.logout();
+  }
+
+  @Override
+  public void afterConcurrentHandlingStarted(
+    HttpServletRequest request, HttpServletResponse response, Object handler)
+    throws Exception {
+    ENV.remove();
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/shell/RestHttpOperationInvoker.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/shell/RestHttpOperationInvoker.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/shell/RestHttpOperationInvoker.java
index 439e2b4..0ead2d7 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/shell/RestHttpOperationInvoker.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/web/shell/RestHttpOperationInvoker.java
@@ -33,7 +33,6 @@ import com.gemstone.gemfire.internal.util.CollectionUtils;
 import com.gemstone.gemfire.management.internal.cli.CommandRequest;
 import com.gemstone.gemfire.management.internal.cli.i18n.CliStrings;
 import com.gemstone.gemfire.management.internal.cli.shell.Gfsh;
-import com.gemstone.gemfire.management.internal.security.ResourceConstants;
 import com.gemstone.gemfire.management.internal.web.domain.Link;
 import com.gemstone.gemfire.management.internal.web.domain.LinkIndex;
 import com.gemstone.gemfire.management.internal.web.http.ClientHttpRequest;
@@ -230,9 +229,6 @@ public class RestHttpOperationInvoker extends AbstractHttpOperationInvoker imple
   protected ClientHttpRequest createHttpRequest(final CommandRequest command) {
     ClientHttpRequest request = createHttpRequest(findLink(command));
 
-    //request.getParameters().setAll(new HashMap<String, Object>(CollectionUtils.removeKeys(
-    //  new HashMap<String, String>(command.getParameters()), ExcludeNoValueFilter.INSTANCE)));
-
     Map<String, String> commandParameters = command.getParameters();
 
     for (Map.Entry<String, String> entry : commandParameters.entrySet()) {

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/security/CustomAuthRealm.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/security/CustomAuthRealm.java b/geode-core/src/main/java/com/gemstone/gemfire/security/CustomAuthRealm.java
index 76fc852..706a7cc 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/security/CustomAuthRealm.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/security/CustomAuthRealm.java
@@ -35,7 +35,7 @@ import com.gemstone.gemfire.internal.ClassLoadUtil;
 import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
 import com.gemstone.gemfire.internal.lang.StringUtils;
 import com.gemstone.gemfire.management.internal.security.ResourceConstants;
-import com.gemstone.gemfire.management.internal.security.ResourceOperationContext;
+
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.shiro.authc.AuthenticationException;
@@ -66,7 +66,6 @@ public class CustomAuthRealm extends AuthorizingRealm{
     this.authenticatorFactoryName = securityProps.getProperty(DistributionConfig.SECURITY_CLIENT_AUTHENTICATOR_NAME);
     this.cachedAuthZCallback = new ConcurrentHashMap<>();
     this.cachedPostAuthZCallback = new ConcurrentHashMap<>();
-    logger.info("Started Management interceptor on JMX connector");
   }
 
   @Override
@@ -93,13 +92,13 @@ public class CustomAuthRealm extends AuthorizingRealm{
 
   @Override
   public boolean isPermitted(PrincipalCollection principals, Permission permission) {
-    ResourceOperationContext context =(ResourceOperationContext)permission;
+    OperationContext context =(OperationContext)permission;
     Principal principal = (Principal)principals.getPrimaryPrincipal();
     // if no access control is specified, then we allow all
     if(StringUtils.isBlank(authzFactoryName))
       return true;
     AccessControl accessControl = getAccessControl(principal, false);
-    return accessControl.authorizeOperation(null, context);
+    return accessControl.authorizeOperation(context.getRegionName(), context);
   }
 
   public AccessControl getAccessControl(Principal principal, boolean isPost) {

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/security/GeodeSecurityUtil.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/security/GeodeSecurityUtil.java b/geode-core/src/main/java/com/gemstone/gemfire/security/GeodeSecurityUtil.java
new file mode 100644
index 0000000..148a963
--- /dev/null
+++ b/geode-core/src/main/java/com/gemstone/gemfire/security/GeodeSecurityUtil.java
@@ -0,0 +1,163 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.gemstone.gemfire.security;
+
+import java.util.concurrent.Callable;
+
+import com.gemstone.gemfire.cache.operations.OperationContext;
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.cache.operations.OperationContext.Resource;
+import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.management.internal.security.ResourceOperation;
+import com.gemstone.gemfire.management.internal.security.ResourceOperationContext;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.logging.log4j.Logger;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.ShiroException;
+import org.apache.shiro.UnavailableSecurityManagerException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.util.ThreadContext;
+
+public class GeodeSecurityUtil {
+
+  private static Logger logger = LogService.getLogger();
+
+  public static void login(String username, String password){
+    if(!isShiroConfigured())
+      return;
+
+    Subject currentUser = SecurityUtils.getSubject();
+
+    UsernamePasswordToken token =
+        new UsernamePasswordToken(username, password);
+    try {
+      logger.info("Logging in "+username+"/"+password);
+      currentUser.login(token);
+    } catch (ShiroException e) {
+      throw new AuthenticationFailedException(e.getMessage(), e);
+    }
+  }
+
+  public static void logout(){
+    if(!isShiroConfigured())
+      return;
+
+    Subject currentUser = SecurityUtils.getSubject();
+    try {
+      logger.info("Logging out "+currentUser.getPrincipal());
+      currentUser.logout();
+    }
+    catch(ShiroException e){
+      throw new AuthenticationFailedException(e.getMessage(), e);
+    }
+    // clean out Shiro's thread local content
+    ThreadContext.remove();
+  }
+
+  public static Callable associateWith(Callable callable){
+    if(!isShiroConfigured())
+      return callable;
+
+    Subject currentUser = SecurityUtils.getSubject();
+    return currentUser.associateWith(callable);
+  }
+
+  public static void authorize(ResourceOperation resourceOperation) {
+    if(resourceOperation==null)
+      return;
+
+    authorize(resourceOperation.resource().name(),
+      resourceOperation.operation().name(),
+      null);
+  }
+
+  public static void authorizeClusterManage(){
+    authorize("CLUSTER", "MANAGE");
+  }
+
+  public static void authorizeClusterWrite(){
+    authorize("CLUSTER", "WRITE");
+  }
+
+  public static void authorizeClusterRead(){
+    authorize("CLUSTER", "READ");
+  }
+
+  public static void authorizeDataManage(){
+    authorize("DATA", "MANAGE");
+  }
+
+  public static void authorizeDataWrite(){
+    authorize("DATA", "WRITE");
+  }
+
+  public static void authorizeDataRead(){
+    authorize("DATA", "READ");
+  }
+
+  public static void authorizeRegionWrite(String regionName){
+    authorize("DATA", "WRITE", regionName);
+  }
+
+  public static void authorizeRegionRead(String regionName){
+    authorize("DATA", "READ", regionName);
+  }
+
+  public static void authorize(String resource, String operation){
+    authorize(resource, operation, null);
+  }
+
+  private static void authorize(String resource, String operation, String regionName){
+    regionName = StringUtils.stripStart(regionName, "/");
+    authorize(new ResourceOperationContext(resource, operation, regionName));
+  }
+
+  public static void authorize(OperationContext context) {
+    if(context==null)
+      return;
+
+    if(context.getResource()== Resource.NULL && context.getOperationCode()== OperationCode.NULL)
+      return;
+
+    if(!isShiroConfigured())
+      return;
+
+
+    Subject currentUser = SecurityUtils.getSubject();
+    try {
+      currentUser.checkPermission(context);
+    }
+    catch(ShiroException e){
+      logger.info(currentUser.getPrincipal() + " not authorized for " + context);
+      throw new GemFireSecurityException(e.getMessage(), e);
+    }
+  }
+
+  private static boolean isShiroConfigured(){
+    try{
+      SecurityUtils.getSecurityManager();
+    }
+    catch(UnavailableSecurityManagerException e){
+      return false;
+    }
+    return true;
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/security/JMXShiroAuthenticator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/security/JMXShiroAuthenticator.java b/geode-core/src/main/java/com/gemstone/gemfire/security/JMXShiroAuthenticator.java
index 8f86c38..c55e700 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/security/JMXShiroAuthenticator.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/security/JMXShiroAuthenticator.java
@@ -49,7 +49,7 @@ public class JMXShiroAuthenticator implements JMXAuthenticator, NotificationList
       throw new SecurityException(WRONGE_CREDENTIALS_MESSAGE);
     }
 
-    ShiroUtil.login(username, password);
+    GeodeSecurityUtil.login(username, password);
 
     return new Subject(true, Collections.singleton(new JMXPrincipal(username)), Collections.EMPTY_SET,
       Collections.EMPTY_SET);
@@ -61,7 +61,7 @@ public class JMXShiroAuthenticator implements JMXAuthenticator, NotificationList
       JMXConnectionNotification cxNotification = (JMXConnectionNotification) notification;
       String type = cxNotification.getType();
       if (JMXConnectionNotification.CLOSED.equals(type)) {
-        ShiroUtil.logout();
+        GeodeSecurityUtil.logout();
       }
     }
   }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/main/java/com/gemstone/gemfire/security/ShiroUtil.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/security/ShiroUtil.java b/geode-core/src/main/java/com/gemstone/gemfire/security/ShiroUtil.java
deleted file mode 100644
index 01914e4..0000000
--- a/geode-core/src/main/java/com/gemstone/gemfire/security/ShiroUtil.java
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.gemstone.gemfire.security;
-
-import java.util.concurrent.Callable;
-
-import com.gemstone.gemfire.internal.logging.LogService;
-import com.gemstone.gemfire.management.internal.security.ResourceOperation;
-import com.gemstone.gemfire.management.internal.security.ResourceOperationContext;
-
-import org.apache.logging.log4j.Logger;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.ShiroException;
-import org.apache.shiro.UnavailableSecurityManagerException;
-import org.apache.shiro.authc.UsernamePasswordToken;
-import org.apache.shiro.subject.Subject;
-import org.apache.shiro.util.ThreadContext;
-
-public class ShiroUtil {
-
-  private static Logger logger = LogService.getLogger();
-
-  public static void login(String username, String password){
-    if(!isShiroConfigured())
-      return;
-
-    Subject currentUser = SecurityUtils.getSubject();
-
-    UsernamePasswordToken token =
-        new UsernamePasswordToken(username, password);
-    try {
-      logger.info("Logging in "+username+"/"+password);
-      currentUser.login(token);
-    } catch (ShiroException e) {
-      throw new AuthenticationFailedException(e.getMessage(), e);
-    }
-  }
-
-  public static void logout(){
-    if(!isShiroConfigured())
-      return;
-
-    Subject currentUser = SecurityUtils.getSubject();
-    try {
-      logger.info("Logging out "+currentUser.getPrincipal());
-      currentUser.logout();
-    }
-    catch(ShiroException e){
-      throw new AuthenticationFailedException(e.getMessage(), e);
-    }
-    // clean out Shiro's thread local content
-    ThreadContext.remove();
-  }
-
-  public static Callable associateWith(Callable callable){
-    if(!isShiroConfigured())
-      return callable;
-
-    Subject currentUser = SecurityUtils.getSubject();
-    return currentUser.associateWith(callable);
-  }
-
-  public static void authorize(ResourceOperationContext context) {
-    authorize(context.getResource().name(), context.getOperationCode().name(), context.getRegionName());
-  }
-
-  public static void authorize(ResourceOperation resourceOperation) {
-    authorize(resourceOperation.resource().name(), resourceOperation.operation().name());
-  }
-
-  public static void authorize(String resource, String operation){
-    authorize(resource, operation, null);
-  }
-
-  public static void authorize(String resource, String operation, String regionName){
-    if(!isShiroConfigured())
-      return;
-
-    ResourceOperationContext permission = new ResourceOperationContext(resource, operation, regionName);
-    Subject currentUser = SecurityUtils.getSubject();
-    try {
-      currentUser.checkPermission(permission);
-    }
-    catch(ShiroException e){
-      logger.info(currentUser.getPrincipal() + " not authorized for "+resource+":"+operation+":"+regionName);
-      throw new GemFireSecurityException(e.getMessage(), e);
-    }
-  }
-
-  private static boolean isShiroConfigured(){
-    try{
-      SecurityUtils.getSecurityManager();
-    }
-    catch(UnavailableSecurityManagerException e){
-      return false;
-    }
-    return true;
-  }
-
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
index baa8393..3ded1dc 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
@@ -49,7 +49,7 @@ public class CacheServerMBeanAuthorizationJUnitTest {
   @JMXConnectionConfiguration(user = "data-admin", password = "1234567")
   public void testDataAdmin() throws Exception {
     bean.removeIndex("foo");
-    assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining("DATA:READ");
+    assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());
     bean.fetchLoadProbe();
     bean.getActiveCQCount();
     bean.stopContinuousQuery("bar");
@@ -61,8 +61,8 @@ public class CacheServerMBeanAuthorizationJUnitTest {
   @Test
   @JMXConnectionConfiguration(user = "cluster-admin", password = "1234567")
   public void testClusterAdmin() throws Exception {
-    assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining("DATA:READ");
+    assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());
     bean.fetchLoadProbe();
   }
 
@@ -70,21 +70,21 @@ public class CacheServerMBeanAuthorizationJUnitTest {
   @Test
   @JMXConnectionConfiguration(user = "data-user", password = "1234567")
   public void testDataUser() throws Exception {
-    assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining("DATA:MANAGE");
+    assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
     bean.executeContinuousQuery("bar");
-    assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining("CLUSTER:READ");
+    assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString());
   }
 
   @Test
   @JMXConnectionConfiguration(user = "stranger", password = "1234567")
   public void testNoAccess() throws Exception {
-    assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining("DATA:READ");
-    assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.getActiveCQCount()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.stopContinuousQuery("bar")).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.closeAllContinuousQuery("bar")).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.isRunning()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.showClientQueueDetails("bar")).hasMessageContaining("CLUSTER:READ");
+    assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());
+    assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.getActiveCQCount()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.stopContinuousQuery("bar")).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.closeAllContinuousQuery("bar")).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.isRunning()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.showClientQueueDetails("bar")).hasMessageContaining(TestCommand.clusterRead.toString());
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java
index e55623d..85a55a7 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CacheServerMBeanShiroJUnitTest.java
@@ -61,13 +61,33 @@ public class CacheServerMBeanShiroJUnitTest {
   @Test
   @JMXConnectionConfiguration(user = "guest", password = "guest")
   public void testNoAccess() throws Exception {
-    assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining("DATA:READ");
-    assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.getActiveCQCount()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.stopContinuousQuery("bar")).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.closeAllContinuousQuery("bar")).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.isRunning()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.showClientQueueDetails("bar")).hasMessageContaining("CLUSTER:READ");
+    assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());
+    assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.getActiveCQCount()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.stopContinuousQuery("bar")).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.closeAllContinuousQuery("bar")).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.isRunning()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.showClientQueueDetails("bar")).hasMessageContaining(TestCommand.clusterRead.toString());
+  }
+
+  @Test
+  @JMXConnectionConfiguration(user = "regionAReader", password = "password")
+  public void testRegionAccess() throws Exception{
+    assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.getActiveCQCount()).hasMessageContaining(TestCommand.clusterRead.toString());
+
+    assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());
+  }
+
+  @Test
+  @JMXConnectionConfiguration(user = "dataReader", password = "12345")
+  public void testDataRead() throws Exception{
+    assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.getActiveCQCount()).hasMessageContaining(TestCommand.clusterRead.toString());
+
+    bean.executeContinuousQuery("bar");
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CliCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CliCommandsSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CliCommandsSecurityTest.java
index 5e49f92..0864e52 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CliCommandsSecurityTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/CliCommandsSecurityTest.java
@@ -24,21 +24,17 @@ import com.gemstone.gemfire.internal.AvailablePort;
 import com.gemstone.gemfire.internal.logging.LogService;
 import com.gemstone.gemfire.management.MemberMXBean;
 import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+
 import org.junit.Before;
 import org.junit.ClassRule;
-import org.junit.FixMethodOrder;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
-import org.junit.runners.MethodSorters;
 
 /**
- * tests will be run alphabetically, in this test class, we run non-admin test first,
- * since we don't want to have the server stopped for the rest of the tests.
  */
 
 @Category(IntegrationTest.class)
-@FixMethodOrder(MethodSorters.NAME_ASCENDING)
 public class CliCommandsSecurityTest {
   private static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
 
@@ -60,11 +56,8 @@ public class CliCommandsSecurityTest {
 
   @Test
   @JMXConnectionConfiguration(user = "stranger", password = "1234567")
-  // the tests are run in alphabetical order, so the naming of the tests do matter
-  public void a_testNoAccess(){
-//    List<TestCommand> clusterReads = new ArrayList<>();
-//    clusterReads.add(new TestCommand("deploy --jar=group1_functions.jar --group=Group1", "CLUSTER:MANAGE"));
-    for (TestCommand command:commands) {
+  public void testNoAccess(){
+   for (TestCommand command:commands) {
       LogService.getLogger().info("processing: "+command.getCommand());
       // for those commands that don't require any permission, any user can execute them
       if(command.getPermission()==null){
@@ -72,14 +65,14 @@ public class CliCommandsSecurityTest {
       }
       else {
         assertThatThrownBy(() -> bean.processCommand(command.getCommand()))
-            .hasMessageContaining(command.getPermission());
+            .hasMessageContaining(command.getPermission().toString());
       }
     }
   }
 
   @Test
   @JMXConnectionConfiguration(user = "super-user", password = "1234567")
-  public void b_testAdminUser() throws Exception {
+  public void testAdminUser() throws Exception {
     for (TestCommand command:commands) {
       LogService.getLogger().info("processing: "+command.getCommand());
       bean.processCommand(command.getCommand());

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
index 7517f49..97260d8 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
@@ -68,15 +68,16 @@ public class DataCommandsSecurityTest {
   @Test
   public void testRegionAcess(){
     assertThatThrownBy(() -> bean.processCommand("rebalance --include-region=region2")).isInstanceOf(GemFireSecurityException.class)
-        .hasMessageContaining("DATA:MANAGE");
+        .hasMessageContaining(TestCommand.dataManage.toString());
 
     assertThatThrownBy(() -> bean.processCommand("export data --region=region2 --file=foo.txt --member=value")).isInstanceOf(GemFireSecurityException.class);
     assertThatThrownBy(() -> bean.processCommand("import data --region=region2 --file=foo.txt --member=value")).isInstanceOf(GemFireSecurityException.class);
 
     assertThatThrownBy(() -> bean.processCommand("put --key=key1 --value=value1 --region=region2")).isInstanceOf(GemFireSecurityException.class)
-        .hasMessageContaining("DATA:WRITE");
+        .hasMessageContaining("[data]:[write]:[region2]");
 
-    assertThatThrownBy(() -> bean.processCommand("get --key=key1 --region=region2")).isInstanceOf(GemFireSecurityException.class);
+    assertThatThrownBy(() -> bean.processCommand("get --key=key1 --region=region2")).isInstanceOf(GemFireSecurityException.class)
+        .hasMessageContaining("[data]:[read]:[region2]");
     }
 
 }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java
index f248736..05d3e3d 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java
@@ -69,15 +69,15 @@ public class DiskStoreMXBeanSecurityJUnitTest {
   @Test
   @JMXConnectionConfiguration(user = "data-user", password = "1234567")
   public void testNoAccess() throws Exception {
-    assertThatThrownBy(() -> bean.flush()).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.forceCompaction()).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.forceRoll()).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.getCompactionThreshold()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.getDiskDirectories()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.getDiskReadsRate()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.isAutoCompact()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.isForceCompactionAllowed()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.setDiskUsageCriticalPercentage(0.5f)).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.setDiskUsageWarningPercentage(0.5f)).hasMessageContaining("DATA:MANAGE");
+    assertThatThrownBy(() -> bean.flush()).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.forceCompaction()).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.forceRoll()).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.getCompactionThreshold()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.getDiskDirectories()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.getDiskReadsRate()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.isAutoCompact()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.isForceCompactionAllowed()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.setDiskUsageCriticalPercentage(0.5f)).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.setDiskUsageWarningPercentage(0.5f)).hasMessageContaining(TestCommand.dataManage.toString());
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewayReceiverMBeanSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewayReceiverMBeanSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewayReceiverMBeanSecurityTest.java
index b28069f..6c97694 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewayReceiverMBeanSecurityTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewayReceiverMBeanSecurityTest.java
@@ -16,10 +16,16 @@
  */
 package com.gemstone.gemfire.management.internal.security;
 
+import static org.assertj.core.api.Assertions.*;
+import static org.mockito.Mockito.*;
+
+import javax.management.ObjectName;
+
 import com.gemstone.gemfire.internal.AvailablePort;
 import com.gemstone.gemfire.management.GatewayReceiverMXBean;
 import com.gemstone.gemfire.management.ManagementService;
 import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
@@ -28,11 +34,6 @@ import org.junit.Rule;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 
-import javax.management.ObjectName;
-
-import static org.assertj.core.api.Assertions.assertThatThrownBy;
-import static org.mockito.Mockito.mock;
-
 @Category(IntegrationTest.class)
 public class GatewayReceiverMBeanSecurityTest {
   private static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
@@ -81,9 +82,9 @@ public class GatewayReceiverMBeanSecurityTest {
   @Test
   @JMXConnectionConfiguration(user = "data-user", password = "1234567")
   public void testNoAccess() throws Exception {
-    assertThatThrownBy(() -> bean.getTotalConnectionsTimedOut()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.start()).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.stop()).hasMessageContaining("DATA:MANAGE");
+    assertThatThrownBy(() -> bean.getTotalConnectionsTimedOut()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.start()).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.stop()).hasMessageContaining(TestCommand.dataManage.toString());
   }
 
 }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/7c38f0d8/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewaySenderMBeanSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewaySenderMBeanSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewaySenderMBeanSecurityTest.java
index 3a9412d..4806464 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewaySenderMBeanSecurityTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/GatewaySenderMBeanSecurityTest.java
@@ -88,18 +88,18 @@ public class GatewaySenderMBeanSecurityTest {
   @Test
   @JMXConnectionConfiguration(user = "stranger", password = "1234567")
   public void testNoAccess() throws Exception {
-    assertThatThrownBy(() -> bean.getAlertThreshold()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.getAverageDistributionTimePerBatch()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.getBatchSize()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.getMaximumQueueMemory()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.getOrderPolicy()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.isBatchConflationEnabled()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.isManualStart()).hasMessageContaining("CLUSTER:READ");
-    assertThatThrownBy(() -> bean.pause()).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.rebalance()).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.resume()).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.start()).hasMessageContaining("DATA:MANAGE");
-    assertThatThrownBy(() -> bean.stop()).hasMessageContaining("DATA:MANAGE");
+    assertThatThrownBy(() -> bean.getAlertThreshold()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.getAverageDistributionTimePerBatch()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.getBatchSize()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.getMaximumQueueMemory()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.getOrderPolicy()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.isBatchConflationEnabled()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.isManualStart()).hasMessageContaining(TestCommand.clusterRead.toString());
+    assertThatThrownBy(() -> bean.pause()).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.rebalance()).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.resume()).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.start()).hasMessageContaining(TestCommand.dataManage.toString());
+    assertThatThrownBy(() -> bean.stop()).hasMessageContaining(TestCommand.dataManage.toString());
   }
 
 }


Mime
View raw message