geode-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kl...@apache.org
Subject [05/50] [abbrv] incubator-geode git commit: GEODE-17: Shiro Integration
Date Tue, 03 May 2016 21:51:54 GMT
GEODE-17: Shiro Integration

GEODE-17: associate async request with correct shiro user

GEODE-17

GEODE-17: fix shiro dependency


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/c733f0c2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/c733f0c2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/c733f0c2

Branch: refs/heads/feature/GEODE-1255
Commit: c733f0c2da856103652a383b8611330b57ed8fc4
Parents: def78f1
Author: Jinmei Liao <jiliao@pivotal.io>
Authored: Mon Feb 29 07:47:47 2016 -0800
Committer: Jinmei Liao <jiliao@pivotal.io>
Committed: Thu Apr 21 10:17:18 2016 -0700

----------------------------------------------------------------------
 geode-assembly/build.gradle                     |   1 +
 geode-core/build.gradle                         |   4 +-
 .../cache/operations/OperationContext.java      |   8 +-
 .../internal/DistributionConfig.java            |   7 +
 .../internal/DistributionConfigImpl.java        |  13 +
 .../management/DistributedSystemMXBean.java     |  15 +-
 .../management/internal/AuthManager.java        | 305 -------------------
 .../management/internal/ManagementAgent.java    |  73 ++---
 .../internal/SystemManagementService.java       |  44 ++-
 .../internal/beans/MemberMBeanBridge.java       |  17 +-
 .../management/internal/cli/CommandManager.java |   3 -
 .../CreateAlterDestroyRegionCommands.java       |  43 +--
 .../internal/cli/commands/DataCommands.java     |  42 +--
 .../internal/cli/commands/RegionCommands.java   |  25 +-
 .../internal/cli/remote/CommandProcessor.java   |  25 +-
 .../internal/cli/result/ErrorResultData.java    |  10 +-
 .../internal/cli/result/ResultBuilder.java      |   7 +-
 .../internal/cli/shell/JmxOperationInvoker.java |   5 +-
 .../internal/security/AccessControlMBean.java   |  58 ----
 .../internal/security/CLIOperationContext.java  | 102 -------
 .../internal/security/MBeanServerWrapper.java   |  24 +-
 .../security/ManagementInterceptor.java         | 243 ---------------
 .../security/ResourceOperationContext.java      |  28 +-
 .../controllers/AbstractCommandsController.java |  37 +--
 .../controllers/ConfigCommandsController.java   |  28 +-
 .../web/controllers/DataCommandsController.java |  36 +--
 .../DiskStoreCommandsController.java            |  20 +-
 .../controllers/FunctionCommandsController.java |  14 +-
 .../MiscellaneousCommandsController.java        |  12 +-
 .../EnvironmentVariablesHandlerInterceptor.java |  74 +----
 .../gemfire/security/CustomAuthRealm.java       | 173 +++++++++++
 .../gemfire/security/JMXShiroAuthenticator.java |  66 ++++
 .../gemstone/gemfire/security/ShiroUtil.java    |  94 ++++++
 .../security/AccessControlMBeanJUnitTest.java   |   4 +-
 .../CacheServerMBeanAuthorizationJUnitTest.java |  30 +-
 .../CacheServerMBeanShiroJUnitTest.java         |  73 +++++
 .../security/CliCommandsSecurityTest.java       |   7 +-
 .../security/DataCommandsSecurityTest.java      |  25 +-
 .../DiskStoreMXBeanSecurityJUnitTest.java       |   6 +-
 .../GatewaySenderMBeanSecurityTest.java         |  34 +--
 .../security/GfshCommandsSecurityTest.java      | 121 ++++++--
 .../security/GfshShellConnectionRule.java       |  25 +-
 .../internal/security/JSONAuthorization.java    |  55 ++--
 .../JsonAuthorizationCacheStartRule.java        |   4 +-
 .../LockServiceMBeanAuthorizationJUnitTest.java |  16 +-
 .../security/MBeanServerConnectionRule.java     |  15 +-
 .../ManagerMBeanAuthorizationJUnitTest.java     |  16 +-
 .../security/MemberMBeanSecurityJUnitTest.java  |   8 +-
 .../internal/security/ShiroCacheStartRule.java  |  63 ++++
 .../internal/security/TestCommand.java          |  30 +-
 .../internal/security/cacheServer.json          |   4 +-
 geode-core/src/test/resources/shiro.ini         |  16 +
 .../gemfire/tools/pulse/tests/Server.java       |  36 +--
 gradle/dependency-versions.properties           |   1 +
 54 files changed, 1005 insertions(+), 1240 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-assembly/build.gradle
----------------------------------------------------------------------
diff --git a/geode-assembly/build.gradle b/geode-assembly/build.gradle
index b7d05e2..7faac14 100755
--- a/geode-assembly/build.gradle
+++ b/geode-assembly/build.gradle
@@ -152,6 +152,7 @@ def cp = {
       it.contains('log4j-jcl') ||
       it.contains('log4j-jul') ||
       it.contains('log4j-slf4j-impl') ||
+      it.contains('shiro') ||
       it.contains('slf4j-api') ||
       it.contains('spring-core') ||
       it.contains('spring-shell') ||

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/build.gradle
----------------------------------------------------------------------
diff --git a/geode-core/build.gradle b/geode-core/build.gradle
index 2206018..2c0e871 100755
--- a/geode-core/build.gradle
+++ b/geode-core/build.gradle
@@ -58,7 +58,7 @@ dependencies {
   compile ('mx4j:mx4j-remote:' + project.'mx4j.version') {
     ext.optional = true;
   }
-  compile ('mx4j:mx4j-tools:' + project.'mx4j.version') { 
+  compile ('mx4j:mx4j-tools:' + project.'mx4j.version') {
     ext.optional = true;
   }
   compile ('net.java.dev.jna:jna:' + project.'jna.version')
@@ -118,6 +118,8 @@ dependencies {
   compile ('org.xerial.snappy:snappy-java:' + project.'snappy-java.version') {
     ext.optional = true
   }
+
+  compile 'org.apache.shiro:shiro-core:' + project.'shiro.version'
  
   compile project(':geode-common')
   compile project(':geode-joptsimple')

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
index 1a41e83..dd290c5 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
@@ -17,6 +17,8 @@
 
 package com.gemstone.gemfire.cache.operations;
 
+import org.apache.shiro.authz.permission.WildcardPermission;
+
 /**
  * Encapsulates a cache operation and the data associated with it for both the
  * pre-operation and post-operation cases. Implementations for specific
@@ -28,7 +30,7 @@ package com.gemstone.gemfire.cache.operations;
  *
  * @since 5.5
  */
-public abstract class OperationContext {
+public abstract class OperationContext extends WildcardPermission{
 
   public enum Resource {
     CLUSTER,
@@ -299,6 +301,10 @@ public abstract class OperationContext {
     return Resource.DATA;
   }
 
+  public String getRegionName(){
+    return null;
+  }
+
   /**
    * True if the context is for post-operation.
    *

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java
index c1a96ea..c0e560c 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfig.java
@@ -3738,6 +3738,13 @@ public interface DistributionConfig extends Config, LogConfig {
   @ConfigAttributeSetter(name=LOCK_MEMORY_NAME)
   public void setLockMemory(boolean value);
 
+  @ConfigAttribute(type=String.class)
+  public String SHIRO_INIT_NAME="shiro-init";
+
+  @ConfigAttributeSetter(name=SHIRO_INIT_NAME)
+  public void setShiroInit(String value);
+  @ConfigAttributeGetter(name=SHIRO_INIT_NAME)
+  public String getShiroInit();
 
 
   //*************** Initializers to gather all the annotations in this class ************************

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfigImpl.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfigImpl.java b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfigImpl.java
index 2f0e1d9..bac66c6 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfigImpl.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/distributed/internal/DistributionConfigImpl.java
@@ -387,6 +387,8 @@ public class DistributionConfigImpl
   
   /** Whether pages should be locked into memory or allowed to swap to disk */
   private boolean lockMemory = DEFAULT_LOCK_MEMORY;
+
+  private String shiroInit = "";
   
   //////////////////////  Constructors  //////////////////////
 
@@ -566,6 +568,7 @@ public class DistributionConfigImpl
     
     this.lockMemory = other.getLockMemory();
     this.distributedTransactions = other.getDistributedTransactions();
+    this.shiroInit = other.getShiroInit();
   }
 
   /**
@@ -2268,6 +2271,16 @@ public class DistributionConfigImpl
     this.lockMemory = value;
   }
 
+  @Override
+  public void setShiroInit(String value) {
+    this.shiroInit = value;
+  }
+
+  @Override
+  public String getShiroInit() {
+    return this.shiroInit;
+  }
+
   ///////////////////////  Utility Methods  ///////////////////////
   /**
    * Two instances of <code>DistributedConfigImpl</code> are equal if all of 

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java b/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java
index 5232aed..de60e33 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/DistributedSystemMXBean.java
@@ -16,18 +16,17 @@
  */
 package com.gemstone.gemfire.management;
 
+import static com.gemstone.gemfire.cache.operations.OperationContext.*;
+
+import java.util.Map;
+import javax.management.ObjectName;
+
 import com.gemstone.gemfire.cache.DiskStore;
 import com.gemstone.gemfire.cache.Region;
 import com.gemstone.gemfire.distributed.DistributedMember;
 import com.gemstone.gemfire.distributed.DistributedSystem;
 import com.gemstone.gemfire.management.internal.security.ResourceOperation;
 
-import javax.management.ObjectName;
-import java.util.Map;
-
-import static com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import static com.gemstone.gemfire.cache.operations.OperationContext.Resource;
-
 /**
  * MBean that provides access to information and management operations for a
  * {@link DistributedSystem}.
@@ -73,7 +72,7 @@ import static com.gemstone.gemfire.cache.operations.OperationContext.Resource;
  * @since 7.0
  *
  */
-@ResourceOperation(resource = Resource.CLUSTER, operation = OperationCode.READ)
+//@ResourceOperation(resource = Resource.CLUSTER, operation = OperationCode.READ)
 public interface DistributedSystemMXBean {
 
   /**
@@ -101,7 +100,7 @@ public interface DistributedSystemMXBean {
    *          members.
    * @return a list of names for locator members.
    */
-  
+
   public String[] listLocatorMembers(boolean onlyStandAloneLocators);
 
   /**

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/AuthManager.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/AuthManager.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/AuthManager.java
deleted file mode 100644
index 31a5ab3..0000000
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/AuthManager.java
+++ /dev/null
@@ -1,305 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gemstone.gemfire.management.internal;
-
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.ACCESS_DENIED_MESSAGE;
-
-import java.lang.reflect.Method;
-import java.security.Principal;
-import java.util.Map;
-import java.util.Properties;
-import java.util.concurrent.ConcurrentHashMap;
-
-import com.gemstone.gemfire.GemFireConfigException;
-import com.gemstone.gemfire.cache.Cache;
-import com.gemstone.gemfire.cache.operations.OperationContext;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.distributed.DistributedSystem;
-import com.gemstone.gemfire.distributed.internal.DistributionConfig;
-import com.gemstone.gemfire.i18n.LogWriterI18n;
-import com.gemstone.gemfire.internal.ClassLoadUtil;
-import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
-import com.gemstone.gemfire.internal.logging.InternalLogWriter;
-import com.gemstone.gemfire.security.AccessControl;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.AuthenticationRequiredException;
-import com.gemstone.gemfire.security.Authenticator;
-import com.gemstone.gemfire.internal.lang.StringUtils;
-
-
-/**
- * This class acts as a single gateway to authorize and authenticate REST ADMIN
- * APIS. This stores credentials against CommandAuthZRequest object which is
- * used to identify a particular client. As REST requests are state less we need
- * to store this map to avoid re-authenticating same client on subsequent
- * requests. However this map needs to be purged and cleaned up on some expiry
- * policy.
- *
- *
- * @author rishim
- *
- */
-public class AuthManager {
-
-  private Map<Properties, CommandAuthZRequest> authMap = new ConcurrentHashMap<Properties, CommandAuthZRequest>();
-
-  private Cache cache;
-
-  private final LogWriterI18n logger;
-
-  private long DEFAULT_EXPIRY_TIME = 30; // in minutes
-
-  private long EXPIRY_TIME ;
-
-  String authzFactoryName;
-
-  String postAuthzFactoryName;
-
-  public static String EXPIRY_TIME_FOR_REST_ADMIN_AUTH = "gemfire.expriyTimeForRESTAdminAuth";
-
-  public AuthManager(Cache cache) {
-    this.cache = cache;
-    this.logger = cache.getSecurityLoggerI18n();
-    this.EXPIRY_TIME = Long.getLong(EXPIRY_TIME_FOR_REST_ADMIN_AUTH, DEFAULT_EXPIRY_TIME);
-    DistributedSystem system = cache.getDistributedSystem();
-    Properties sysProps = system.getProperties();
-    this.authzFactoryName = sysProps.getProperty(DistributionConfig.SECURITY_CLIENT_ACCESSOR_NAME);
-    this.postAuthzFactoryName = sysProps.getProperty(DistributionConfig.SECURITY_CLIENT_ACCESSOR_PP_NAME);
-  }
-
-  private Authenticator getAuthenticator(String authenticatorMethod, Properties securityProperties,
-      InternalLogWriter logWriter, InternalLogWriter securityLogWriter) throws AuthenticationFailedException {
-    Authenticator auth;
-    try {
-
-      Method instanceGetter = ClassLoadUtil.methodFromName(authenticatorMethod);
-      auth = (Authenticator) instanceGetter.invoke(null, (Object[]) null);
-    } catch (Exception ex) {
-      throw new AuthenticationFailedException(
-          LocalizedStrings.HandShake_FAILED_TO_ACQUIRE_AUTHENTICATOR_OBJECT.toLocalizedString(), ex);
-    }
-    if (auth == null) {
-      throw new AuthenticationFailedException(
-          LocalizedStrings.HandShake_AUTHENTICATOR_INSTANCE_COULD_NOT_BE_OBTAINED.toLocalizedString());
-    }
-    auth.init(securityProperties, logWriter, securityLogWriter);
-    return auth;
-
-  }
-
-  public void verifyCredentials(Properties credentials) {
-
-    DistributedSystem system = this.cache.getDistributedSystem();
-    Properties sysProps = system.getProperties();
-    String authenticator = sysProps.getProperty(DistributionConfig.SECURITY_CLIENT_AUTHENTICATOR_NAME);
-
-    if (authenticator != null && authenticator.length() > 0) {
-
-      CommandAuthZRequest authZRequest = authMap.get(credentials);
-
-      if (authZRequest != null && !authZRequest.hasExpired()) {
-        return; //Already existing credentials . Return from here
-
-      } else {
-        Principal principal = verifyCredentials(authenticator, credentials, system.getSecurityProperties(),
-            (InternalLogWriter) this.cache.getLogger(), (InternalLogWriter) this.cache.getSecurityLogger(), cache
-                .getDistributedSystem().getDistributedMember());
-
-        if(authZRequest != null){ //i.e its an expired credential
-          CommandAuthZRequest expiredAuth = authMap.remove(credentials);
-          try{
-            expiredAuth.close();
-          }catch(Exception e){
-            logger.error(e);//Don't throw an exception , just logs it
-          }
-        }
-
-        authZRequest = new CommandAuthZRequest(principal).init();
-        authMap.put(credentials, authZRequest);
-      }
-    }
-
-  }
-
-  public void expireAllAuthZ() {
-    for (CommandAuthZRequest auth : authMap.values()) {
-      try {
-        auth.close();
-
-      } catch (Exception e) {
-        logger.error(e);// Don't throw an exception , just log it, as it depends on the user code.
-      }finally{
-        authMap.clear();
-      }
-    }
-  }
-
-  public void authorize(Properties credentials, OperationContext context) {
-
-    if (!StringUtils.isBlank(authzFactoryName)) {
-      CommandAuthZRequest authZRequest = authMap.get(credentials);
-      boolean authorized = authZRequest.authorize(context);
-      if (!authorized)
-        throw new SecurityException(ACCESS_DENIED_MESSAGE);
-    }
-  }
-
-  public void postAuthorize(Properties credentials, OperationContext context) {
-    if (!StringUtils.isBlank(postAuthzFactoryName)) {
-      CommandAuthZRequest authZRequest = authMap.get(credentials);
-      boolean authorized = authZRequest.postAuthorize(context);
-      if (!authorized)
-        throw new SecurityException(ACCESS_DENIED_MESSAGE);
-    }
-
-  }
-
-  private Principal verifyCredentials(String authenticatorMethod, Properties credentials,
-      Properties securityProperties, InternalLogWriter logWriter, InternalLogWriter securityLogWriter,
-      DistributedMember member) throws AuthenticationRequiredException, AuthenticationFailedException {
-
-    Authenticator authenticator = getAuthenticator(authenticatorMethod, securityProperties, logWriter,
-        securityLogWriter);
-    Principal principal;
-
-    try {
-      principal = authenticator.authenticate(credentials, member);
-    } finally {
-      authenticator.close();
-    }
-
-    return principal;
-
-  }
-
-  public class CommandAuthZRequest {
-
-    private Principal principal;
-
-    private AccessControl authzCallback;
-
-    private AccessControl postAuthzCallback;
-
-    private long initTime = System.currentTimeMillis();
-
-    public CommandAuthZRequest(Principal principal) {
-      this.principal = principal;
-    }
-
-    public boolean authorize(OperationContext context) {
-      if (authzCallback != null) {
-        return authzCallback.authorizeOperation(null, context);
-      }
-      return true; // If no AccessControl is set then always return true
-    }
-
-    public boolean postAuthorize(OperationContext context) {
-      if (postAuthzCallback != null) {
-        return postAuthzCallback.authorizeOperation(null, context);
-      }
-      return true; // If no AccessControl is set then always return true
-    }
-
-    public boolean hasExpired(){
-      if(System.currentTimeMillis() - initTime >= EXPIRY_TIME * 60 * 1000){
-        return true;
-      }
-      return false;
-    }
-
-    public void close() {
-      if (authzCallback != null) {
-        authzCallback.close();
-      }
-      if (postAuthzCallback != null) {
-        postAuthzCallback.close();
-      }
-    }
-
-    private CommandAuthZRequest init() {
-      try {
-        if (!StringUtils.isBlank(authzFactoryName)) {
-          Method authzMethod = ClassLoadUtil.methodFromName(authzFactoryName);
-          this.authzCallback = (AccessControl) authzMethod.invoke(null, (Object[]) null);
-          this.authzCallback.init(principal, null, cache);
-        }
-        if (!StringUtils.isBlank(postAuthzFactoryName)) {
-          Method postAuthzMethod = ClassLoadUtil.methodFromName(postAuthzFactoryName);
-          this.postAuthzCallback = (AccessControl) postAuthzMethod.invoke(null, (Object[]) null);
-          this.postAuthzCallback.init(principal, null, cache);
-        }
-      } catch (IllegalAccessException e) {
-        logger.error(e);
-        throw new GemFireConfigException("Error while configuring accesscontrol for rest resource", e);
-      } catch (Exception e) {
-        logger.error(e);
-        throw new GemFireConfigException("Error while configuring accesscontrol for rest resource", e);
-      }
-      return this;
-    }
-
-    public AccessControl getAuthzCallback() {
-      return authzCallback;
-    }
-
-    public AccessControl getPostAuthzCallback() {
-      return postAuthzCallback;
-    }
-
-    @Override
-    public int hashCode() {
-      final int prime = 31;
-      int result = 1;
-      result = prime * result + getOuterType().hashCode();
-      result = prime * result + (int) (initTime ^ (initTime >>> 32));
-      result = prime * result + ((principal == null) ? 0 : principal.hashCode());
-      return result;
-    }
-
-    @Override
-    public boolean equals(Object obj) {
-      if (this == obj)
-        return true;
-      if (obj == null)
-        return false;
-      if (getClass() != obj.getClass())
-        return false;
-      CommandAuthZRequest other = (CommandAuthZRequest) obj;
-      if (!getOuterType().equals(other.getOuterType()))
-        return false;
-      if (initTime != other.initTime)
-        return false;
-      if (principal == null) {
-        if (other.principal != null)
-          return false;
-      } else if (!principal.equals(other.principal))
-        return false;
-      return true;
-    }
-
-    private AuthManager getOuterType() {
-      return AuthManager.this;
-    }
-
-  }
-
-  public Map<Properties, CommandAuthZRequest> getAuthMap() {
-    return this.authMap;
-  }
-
-}
-

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java
index 5dd2f80..0ba62e7 100755
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java
@@ -38,7 +38,6 @@ import javax.management.remote.rmi.RMIJRMPServerImpl;
 import javax.management.remote.rmi.RMIServerImpl;
 import javax.rmi.ssl.SslRMIClientSocketFactory;
 
-import com.gemstone.gemfire.cache.Cache;
 import com.gemstone.gemfire.cache.CacheFactory;
 import com.gemstone.gemfire.distributed.internal.DistributionConfig;
 import com.gemstone.gemfire.distributed.internal.DistributionManager;
@@ -52,8 +51,8 @@ import com.gemstone.gemfire.management.ManagementException;
 import com.gemstone.gemfire.management.ManagementService;
 import com.gemstone.gemfire.management.ManagerMXBean;
 import com.gemstone.gemfire.management.internal.security.MBeanServerWrapper;
-import com.gemstone.gemfire.management.internal.security.ManagementInterceptor;
 import com.gemstone.gemfire.management.internal.unsafe.ReadOpFileAccessController;
+import com.gemstone.gemfire.security.JMXShiroAuthenticator;
 import org.apache.logging.log4j.Logger;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
@@ -80,10 +79,9 @@ public class ManagementAgent {
   private boolean running = false;
   private Registry registry;
   private JMXConnectorServer cs;
+  private JMXShiroAuthenticator shiroAuthenticator;
   private final DistributionConfig config;
   private boolean isHttpServiceRunning = false;
-  private ManagementInterceptor managementInterceptor = null;
-  private MBeanServerWrapper mBeanServerWrapper = null;
 
   /**
    * This system property is set to true when the embedded HTTP server is
@@ -100,14 +98,6 @@ public class ManagementAgent {
     return this.running;
   }
 
-  public ManagementInterceptor getManagementInterceptor() {
-    return managementInterceptor;
-  }
-
-  public MBeanServerWrapper getMBeanServerWrapper() {
-    return mBeanServerWrapper;
-  }
-
   public synchronized boolean isHttpServiceRunning() {
     return isHttpServiceRunning;
   }
@@ -307,10 +297,6 @@ public class ManagementAgent {
     }
   }
 
-  private boolean isRunningInTomcat() {
-    return (System.getProperty("catalina.base") != null || System.getProperty("catalina.home") != null);
-  }
-
   private void setStatusMessage(ManagerMXBean mBean, String message) {
     mBean.setPulseURL("");
     mBean.setStatusMessage(message);
@@ -398,29 +384,6 @@ public class ManagementAgent {
     // Environment map. KIRK: why is this declared as HashMap?
     final HashMap<String, Object> env = new HashMap<String, Object>();
 
-    Cache cache = CacheFactory.getAnyInstance();
-    if (isCustomAuthenticator()) {
-      managementInterceptor = new ManagementInterceptor(cache.getDistributedSystem().getProperties());
-      env.put(JMXConnectorServer.AUTHENTICATOR, managementInterceptor);
-    }
-    else {
-      /* Disable the old authenticator mechanism */
-      String pwFile = this.config.getJmxManagerPasswordFile();
-      if (pwFile != null && pwFile.length() > 0) {
-        env.put("jmx.remote.x.password.file", pwFile);
-      }
-
-      String accessFile = this.config.getJmxManagerAccessFile();
-      if (accessFile != null && accessFile.length() > 0) {
-        // Lets not use default connector based authorization
-        // env.put("jmx.remote.x.access.file", accessFile);
-        // Rewire the mbs hierarchy to set accessController
-        ReadOpFileAccessController controller = new ReadOpFileAccessController(accessFile);
-        controller.setMBeanServer(mbs);
-        mbs = controller;
-      }
-    }
-
     // Manually creates and binds a JMX RMI Connector Server stub with the
     // registry created above: the port we pass here is the port that can
     // be specified in "service:jmx:rmi://"+hostname+":"+port - where the
@@ -474,13 +437,33 @@ public class ManagementAgent {
       }
     };
 
-    if (isCustomAuthorizer()) {
-      if(managementInterceptor==null){
-        managementInterceptor = new ManagementInterceptor(cache.getDistributedSystem().getProperties());
+    String shiroConfig = this.config.getShiroInit();
+    if (! StringUtils.isBlank(shiroConfig) || isCustomAuthenticator()) {
+      shiroAuthenticator = new JMXShiroAuthenticator();
+      env.put(JMXConnectorServer.AUTHENTICATOR, shiroAuthenticator);
+      cs.addNotificationListener(shiroAuthenticator, null, cs.getAttributes());
+      if(! StringUtils.isBlank(shiroConfig) || isCustomAuthorizer()) {
+        MBeanServerWrapper mBeanServerWrapper = new MBeanServerWrapper();
+        cs.setMBeanServerForwarder(mBeanServerWrapper);
+      }
+    }
+
+    else {
+      /* Disable the old authenticator mechanism */
+      String pwFile = this.config.getJmxManagerPasswordFile();
+      if (pwFile != null && pwFile.length() > 0) {
+        env.put("jmx.remote.x.password.file", pwFile);
+      }
+
+      String accessFile = this.config.getJmxManagerAccessFile();
+      if (accessFile != null && accessFile.length() > 0) {
+        // Lets not use default connector based authorization
+        // env.put("jmx.remote.x.access.file", accessFile);
+        // Rewire the mbs hierarchy to set accessController
+        ReadOpFileAccessController controller = new ReadOpFileAccessController(accessFile);
+        controller.setMBeanServer(mbs);
+        mbs = controller;
       }
-      mBeanServerWrapper = new MBeanServerWrapper(managementInterceptor);
-      cs.setMBeanServerForwarder(mBeanServerWrapper);
-      logger.info("Starting RMI Connector with Security Interceptor");
     }
 
     cs.start();

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java
index 4a48430..45ec358 100755
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/SystemManagementService.java
@@ -20,22 +20,21 @@ import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import java.util.concurrent.CopyOnWriteArrayList;
-
 import javax.management.Notification;
 import javax.management.ObjectName;
 
-import org.apache.logging.log4j.Logger;
-
 import com.gemstone.gemfire.CancelException;
 import com.gemstone.gemfire.cache.Cache;
 import com.gemstone.gemfire.cache.execute.FunctionService;
 import com.gemstone.gemfire.distributed.DistributedMember;
 import com.gemstone.gemfire.distributed.DistributedSystemDisconnectedException;
+import com.gemstone.gemfire.distributed.internal.DistributionConfig;
 import com.gemstone.gemfire.distributed.internal.InternalDistributedSystem;
 import com.gemstone.gemfire.distributed.internal.ResourceEvent;
 import com.gemstone.gemfire.distributed.internal.membership.InternalDistributedMember;
 import com.gemstone.gemfire.internal.cache.GemFireCacheImpl;
 import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
+import com.gemstone.gemfire.internal.lang.StringUtils;
 import com.gemstone.gemfire.internal.logging.LogService;
 import com.gemstone.gemfire.management.AlreadyRunningException;
 import com.gemstone.gemfire.management.AsyncEventQueueMXBean;
@@ -55,7 +54,14 @@ import com.gemstone.gemfire.management.RegionMXBean;
 import com.gemstone.gemfire.management.internal.beans.ManagementAdapter;
 import com.gemstone.gemfire.management.membership.MembershipEvent;
 import com.gemstone.gemfire.management.membership.MembershipListener;
-
+import com.gemstone.gemfire.security.CustomAuthRealm;
+import org.apache.logging.log4j.Logger;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.config.IniSecurityManagerFactory;
+import org.apache.shiro.mgt.DefaultSecurityManager;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.realm.Realm;
+import org.apache.shiro.util.ThreadContext;
 
 /**
  * This is the concrete implementation of ManagementService
@@ -130,9 +136,6 @@ public final class SystemManagementService extends BaseManagementService {
    */
   private List<ProxyListener> proxyListeners;
 
-  private AuthManager authManager;
-
-
   private UniversalListenerContainer universalListenerContainer = new UniversalListenerContainer();
   
   public static BaseManagementService newSystemManagementService(Cache cache) {
@@ -154,6 +157,21 @@ public final class SystemManagementService extends BaseManagementService {
     this.jmxAdapter = new MBeanJMXAdapter();      
     this.repo = new ManagementResourceRepo();
 
+    DistributionConfig config = system.getConfig();
+
+    // setup shiro for authentication and authorization if it's desired
+    String shiroConfig = config.getShiroInit();
+    String customAuthenticator = config.getSecurityClientAuthenticator();
+    if (!StringUtils.isBlank(shiroConfig)) {
+      IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:"+shiroConfig);
+      SecurityManager securityManager = factory.getInstance();
+      SecurityUtils.setSecurityManager(securityManager);
+    }
+    else if (!StringUtils.isBlank(customAuthenticator)) {
+      Realm realm = new CustomAuthRealm(config.toProperties());
+      SecurityManager securityManager = new DefaultSecurityManager(realm);
+      SecurityUtils.setSecurityManager(securityManager);
+    }
 
     this.notificationHub = new NotificationHub(repo);
     if (system.getConfig().getJmxManager()) {
@@ -181,7 +199,6 @@ public final class SystemManagementService extends BaseManagementService {
       this.listener = new ManagementMembershipListener(this);
       system.getDistributionManager().addMembershipListener(listener);
       isStarted = true;
-      this.authManager = new AuthManager(cache);
       return this;
     } catch (CancelException e) {
       // Rethrow all CancelExceptions (fix for defect 46339)
@@ -273,8 +290,11 @@ public final class SystemManagementService extends BaseManagementService {
       }
       if (this.agent != null && this.agent.isRunning()) {
         this.agent.stopAgent();
-      }     
-      this.authManager.expireAllAuthZ();
+      }
+
+      // clean out Shiro's thread local content
+      ThreadContext.remove();
+
       getGemFireCacheImpl().getJmxManagerAdvisor().broadcastChange();
       instances.remove(cache);
       localManager  = null;
@@ -837,8 +857,4 @@ public final class SystemManagementService extends BaseManagementService {
   public void removeMembershipListener(MembershipListener listener) {
     universalListenerContainer.removeMembershipListener(listener);    
   }
-
-  public AuthManager getAuthManager(){
-    return this.authManager;
-  }
 }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/beans/MemberMBeanBridge.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/beans/MemberMBeanBridge.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/beans/MemberMBeanBridge.java
index 1425572..cb69a80 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/beans/MemberMBeanBridge.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/beans/MemberMBeanBridge.java
@@ -32,17 +32,13 @@ import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
-import java.util.Properties;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
-
 import javax.management.JMRuntimeException;
 import javax.management.MBeanServer;
 import javax.management.MalformedObjectNameException;
 import javax.management.ObjectName;
 
-import org.apache.logging.log4j.Logger;
-
 import com.gemstone.gemfire.Statistics;
 import com.gemstone.gemfire.StatisticsType;
 import com.gemstone.gemfire.cache.CacheClosedException;
@@ -92,7 +88,6 @@ import com.gemstone.gemfire.internal.cache.lru.LRUStatistics;
 import com.gemstone.gemfire.internal.cache.persistence.BackupManager;
 import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
 import com.gemstone.gemfire.internal.logging.LogService;
-import com.gemstone.gemfire.internal.logging.ManagerLogWriter;
 import com.gemstone.gemfire.internal.logging.log4j.LocalizedMessage;
 import com.gemstone.gemfire.internal.logging.log4j.LogMarker;
 import com.gemstone.gemfire.internal.logging.log4j.LogWriterAppender;
@@ -129,8 +124,11 @@ import com.gemstone.gemfire.management.internal.cli.CommandResponseBuilder;
 import com.gemstone.gemfire.management.internal.cli.remote.CommandExecutionContext;
 import com.gemstone.gemfire.management.internal.cli.remote.MemberCommandService;
 import com.gemstone.gemfire.management.internal.cli.result.CommandResult;
+import com.gemstone.gemfire.management.internal.cli.result.ErrorResultData;
 import com.gemstone.gemfire.management.internal.cli.result.ResultBuilder;
 import com.gemstone.gemfire.management.internal.cli.shell.Gfsh;
+import com.gemstone.gemfire.security.GemFireSecurityException;
+import org.apache.logging.log4j.Logger;
 
 /**
  * This class acts as an Bridge between MemberMBean and GemFire Cache and
@@ -1758,7 +1756,6 @@ public class MemberMBeanBridge {
     if (isGfshRequest) {
       CommandExecutionContext.setShellRequest();
     }
-//    System.out.println("isGfshRequest :: "+isGfshRequest);
     
     Result result = ((MemberCommandService)commandService).processCommand(commandString, env);
     if (!(result instanceof CommandResult)) {// TODO - Abhishek - Shouldn't be needed
@@ -1766,11 +1763,19 @@ public class MemberMBeanBridge {
         result = ResultBuilder.createInfoResult(result.nextLine());
       }
     }
+
     if (isGfshRequest) {
       String responseJson = CommandResponseBuilder.createCommandResponseJson(getMember(), (CommandResult) result);
   //    System.out.println("responseJson :: "+responseJson);
       return responseJson;
     } else {
+      // throw GemFireSecurityException is the returned error code is 415
+      if(((CommandResult) result).getResultData() instanceof ErrorResultData){
+        ErrorResultData resultData = (ErrorResultData) ((CommandResult)result).getResultData();
+        if(resultData.getErrorCode()==ResultBuilder.ERRORCODE_UNAUTHORIZED){
+          throw new GemFireSecurityException(resultData.getGfJsonObject().toString());
+        }
+      }
       return ResultBuilder.resultAsString(result);
     }
   }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/CommandManager.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/CommandManager.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/CommandManager.java
index 42539db..46a8226 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/CommandManager.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/CommandManager.java
@@ -54,7 +54,6 @@ import com.gemstone.gemfire.management.internal.cli.parser.GfshOptionParser;
 import com.gemstone.gemfire.management.internal.cli.parser.Option;
 import com.gemstone.gemfire.management.internal.cli.parser.jopt.JoptOptionParser;
 import com.gemstone.gemfire.management.internal.cli.util.ClasspathScanLoadHelper;
-import com.gemstone.gemfire.management.internal.security.CLIOperationContext;
 
 /**
  * 
@@ -457,8 +456,6 @@ public class CommandManager {
           }
         }
         
-        CLIOperationContext.registerCommand(this, method, commandTarget);
-        
       } else if (method.getAnnotation(CliAvailabilityIndicator.class) != null) {
         // Now add this availability Indicator to the list of
         // availability Indicators

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java
index 5977c10..cdbd3db 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/CreateAlterDestroyRegionCommands.java
@@ -16,6 +16,24 @@
  */
 package com.gemstone.gemfire.management.internal.cli.commands;
 
+import static com.gemstone.gemfire.cache.operations.OperationContext.*;
+
+import java.text.MessageFormat;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.regex.Pattern;
+import javax.management.MBeanServer;
+import javax.management.MalformedObjectNameException;
+import javax.management.ObjectName;
+
 import com.gemstone.gemfire.LogWriter;
 import com.gemstone.gemfire.cache.Cache;
 import com.gemstone.gemfire.cache.CacheFactory;
@@ -61,29 +79,11 @@ import com.gemstone.gemfire.management.internal.cli.util.RegionPath;
 import com.gemstone.gemfire.management.internal.configuration.SharedConfigurationWriter;
 import com.gemstone.gemfire.management.internal.configuration.domain.XmlEntity;
 import com.gemstone.gemfire.management.internal.security.ResourceOperation;
+import com.gemstone.gemfire.security.ShiroUtil;
 import org.springframework.shell.core.annotation.CliAvailabilityIndicator;
 import org.springframework.shell.core.annotation.CliCommand;
 import org.springframework.shell.core.annotation.CliOption;
 
-import javax.management.MBeanServer;
-import javax.management.MalformedObjectNameException;
-import javax.management.ObjectName;
-import java.text.MessageFormat;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-import java.util.Set;
-import java.util.TreeSet;
-import java.util.regex.Pattern;
-
-import static com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import static com.gemstone.gemfire.cache.operations.OperationContext.Resource;
-
 /**
  *
  * @since 7.0
@@ -528,6 +528,9 @@ public class CreateAlterDestroyRegionCommands extends AbstractCommandsSupport {
                   specifiedDefaultValue = "0",
                   help = CliStrings.ALTER_REGION__EVICTIONMAX__HELP)
       Integer evictionMax) {
+
+    ShiroUtil.authorize("DATA", "MANAGE", regionPath);
+
     Result result = null;
     XmlEntity xmlEntity = null;
 
@@ -1004,6 +1007,8 @@ public class CreateAlterDestroyRegionCommands extends AbstractCommandsSupport {
           help = CliStrings.DESTROY_REGION__REGION__HELP)
       String regionPath) {
 
+    ShiroUtil.authorize("DATA", "MANAGE", regionPath);
+
     if (regionPath == null) {
       return ResultBuilder.createInfoResult(CliStrings.DESTROY_REGION__MSG__SPECIFY_REGIONPATH_TO_DESTROY);
     }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java
index 18fcc16..c1c04a3 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/DataCommands.java
@@ -16,6 +16,22 @@
  */
 package com.gemstone.gemfire.management.internal.cli.commands;
 
+import static com.gemstone.gemfire.cache.operations.OperationContext.*;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.StringTokenizer;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
 import com.gemstone.gemfire.LogWriter;
 import com.gemstone.gemfire.cache.Cache;
 import com.gemstone.gemfire.cache.CacheClosedException;
@@ -57,28 +73,12 @@ import com.gemstone.gemfire.management.internal.cli.result.ResultBuilder;
 import com.gemstone.gemfire.management.internal.cli.result.TabularResultData;
 import com.gemstone.gemfire.management.internal.cli.shell.Gfsh;
 import com.gemstone.gemfire.management.internal.security.ResourceOperation;
+import com.gemstone.gemfire.security.ShiroUtil;
 import org.springframework.shell.core.CommandMarker;
 import org.springframework.shell.core.annotation.CliAvailabilityIndicator;
 import org.springframework.shell.core.annotation.CliCommand;
 import org.springframework.shell.core.annotation.CliOption;
 
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.StringTokenizer;
-import java.util.concurrent.Callable;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-import java.util.concurrent.TimeUnit;
-import java.util.concurrent.TimeoutException;
-
-import static com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import static com.gemstone.gemfire.cache.operations.OperationContext.Resource;
-
 /**
  * 
  * @since 7.0
@@ -102,6 +102,7 @@ public class DataCommands implements CommandMarker {
       @CliOption(key = CliStrings.REBALANCE__EXCLUDEREGION, unspecifiedDefaultValue = CliMetaData.ANNOTATION_NULL_VALUE, help = CliStrings.REBALANCE__EXCLUDEREGION__HELP) String[] excludeRegions,
       @CliOption(key = CliStrings.REBALANCE__TIMEOUT, unspecifiedDefaultValue = "-1", help = CliStrings.REBALANCE__TIMEOUT__HELP) long timeout,
       @CliOption(key = CliStrings.REBALANCE__SIMULATE, specifiedDefaultValue = "true", unspecifiedDefaultValue = "false", help = CliStrings.REBALANCE__SIMULATE__HELP) boolean simulate) {
+
     ExecutorService commandExecutors = Executors.newSingleThreadExecutor();
     List<Future<Result>> commandResult = new ArrayList<Future<Result>>();
     Result result = null;
@@ -839,6 +840,7 @@ public class DataCommands implements CommandMarker {
       @CliOption(key = CliStrings.EXPORT_DATA__FILE, unspecifiedDefaultValue = CliMetaData.ANNOTATION_NULL_VALUE, mandatory = true, help = CliStrings.EXPORT_DATA__FILE__HELP) String filePath,
       @CliOption(key = CliStrings.EXPORT_DATA__MEMBER, unspecifiedDefaultValue = CliMetaData.ANNOTATION_NULL_VALUE, optionContext = ConverterHint.MEMBERIDNAME, mandatory = true, help = CliStrings.EXPORT_DATA__MEMBER__HELP) String memberNameOrId) {
 
+    ShiroUtil.authorize("DATA", "READ", regionName);
     final Cache cache = CacheFactory.getAnyInstance();
     final DistributedMember targetMember = CliUtil
         .getDistributedMemberByNameOrId(memberNameOrId);
@@ -895,6 +897,8 @@ public class DataCommands implements CommandMarker {
       @CliOption(key = CliStrings.IMPORT_DATA__FILE, mandatory = true, unspecifiedDefaultValue = CliMetaData.ANNOTATION_NULL_VALUE, help = CliStrings.IMPORT_DATA__FILE__HELP) String filePath,
       @CliOption(key = CliStrings.IMPORT_DATA__MEMBER, mandatory = true, unspecifiedDefaultValue = CliMetaData.ANNOTATION_NULL_VALUE, optionContext = ConverterHint.MEMBERIDNAME, help = CliStrings.IMPORT_DATA__MEMBER__HELP) String memberNameOrId) {
 
+    ShiroUtil.authorize("DATA", "WRITE", regionName);
+
     Result result = null;
 
     try {
@@ -954,6 +958,7 @@ public class DataCommands implements CommandMarker {
       @CliOption(key = { CliStrings.PUT__VALUEKLASS }, help = CliStrings.PUT__VALUEKLASS__HELP) String valueClass,
       @CliOption(key = { CliStrings.PUT__PUTIFABSENT }, help = CliStrings.PUT__PUTIFABSENT__HELP, unspecifiedDefaultValue = "false") boolean putIfAbsent) {
 
+    ShiroUtil.authorize("DATA", "WRITE", regionPath);
     Cache cache = CacheFactory.getAnyInstance();
     DataCommandResult dataResult = null;
     if (regionPath == null || regionPath.isEmpty()) {
@@ -1021,6 +1026,7 @@ public class DataCommands implements CommandMarker {
       @CliOption(key = { CliStrings.GET__VALUEKLASS }, help = CliStrings.GET__VALUEKLASS__HELP) String valueClass,
       @CliOption(key = CliStrings.GET__LOAD, unspecifiedDefaultValue = "true", specifiedDefaultValue = "true", help = CliStrings.GET__LOAD__HELP) Boolean loadOnCacheMiss)
   {
+    ShiroUtil.authorize("DATA", "READ", regionPath);
 
     Cache cache = CacheFactory.getAnyInstance();
     DataCommandResult dataResult = null;
@@ -1075,7 +1081,7 @@ public class DataCommands implements CommandMarker {
       @CliOption(key = { CliStrings.LOCATE_ENTRY__KEYCLASS }, help = CliStrings.LOCATE_ENTRY__KEYCLASS__HELP) String keyClass,
       @CliOption(key = { CliStrings.LOCATE_ENTRY__VALUEKLASS }, help = CliStrings.LOCATE_ENTRY__VALUEKLASS__HELP) String valueClass,
       @CliOption(key = { CliStrings.LOCATE_ENTRY__RECURSIVE }, help = CliStrings.LOCATE_ENTRY__RECURSIVE__HELP, unspecifiedDefaultValue = "false") boolean recursive) {
-
+    ShiroUtil.authorize("DATA", "READ", regionPath);
     // Cache cache = CacheFactory.getAnyInstance();
     DataCommandResult dataResult = null;
 

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java
index fed5dbd..ac69d32 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/commands/RegionCommands.java
@@ -16,6 +16,16 @@
  */
 package com.gemstone.gemfire.management.internal.cli.commands;
 
+import static com.gemstone.gemfire.cache.operations.OperationContext.*;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeSet;
+
 import com.gemstone.gemfire.cache.Cache;
 import com.gemstone.gemfire.cache.CacheFactory;
 import com.gemstone.gemfire.cache.Region;
@@ -42,22 +52,12 @@ import com.gemstone.gemfire.management.internal.cli.result.TabularResultData;
 import com.gemstone.gemfire.management.internal.cli.shell.Gfsh;
 import com.gemstone.gemfire.management.internal.cli.util.RegionAttributesNames;
 import com.gemstone.gemfire.management.internal.security.ResourceOperation;
+import com.gemstone.gemfire.security.ShiroUtil;
 import org.springframework.shell.core.CommandMarker;
 import org.springframework.shell.core.annotation.CliAvailabilityIndicator;
 import org.springframework.shell.core.annotation.CliCommand;
 import org.springframework.shell.core.annotation.CliOption;
 
-import java.util.ArrayList;
-import java.util.Iterator;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.TreeSet;
-
-import static com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import static com.gemstone.gemfire.cache.operations.OperationContext.Resource;
-
 /***
  * Class containing implementation of commands based on region:
  * <ul>
@@ -87,8 +87,6 @@ public class RegionCommands implements CommandMarker {
       optionContext = ConverterHint.MEMBERIDNAME,
       help = CliStrings.LIST_REGION__MEMBER__HELP)
       String memberNameOrId) {
-    
-    
     Result result = null;
     try {
       Set<RegionInformation> regionInfoSet = new LinkedHashSet<RegionInformation>();
@@ -165,6 +163,7 @@ public class RegionCommands implements CommandMarker {
       mandatory = true)
       String regionName) {
 
+    ShiroUtil.authorize("CLUSTER", "READ", regionName);
     Result result = null;
     try {
       

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java
index a8d1839..87053cc 100755
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/remote/CommandProcessor.java
@@ -17,12 +17,10 @@
 package com.gemstone.gemfire.management.internal.cli.remote;
 
 import java.io.IOException;
+import java.lang.reflect.Method;
 import java.util.Map;
 import java.util.Properties;
 
-import org.springframework.shell.core.Parser;
-import org.springframework.shell.event.ParseResult;
-
 import com.gemstone.gemfire.management.cli.CommandProcessingException;
 import com.gemstone.gemfire.management.cli.CommandStatement;
 import com.gemstone.gemfire.management.cli.Result;
@@ -31,6 +29,11 @@ import com.gemstone.gemfire.management.internal.cli.GfshParser;
 import com.gemstone.gemfire.management.internal.cli.LogWrapper;
 import com.gemstone.gemfire.management.internal.cli.result.ResultBuilder;
 import com.gemstone.gemfire.management.internal.cli.util.CommentSkipHelper;
+import com.gemstone.gemfire.management.internal.security.ResourceOperation;
+import com.gemstone.gemfire.security.GemFireSecurityException;
+import com.gemstone.gemfire.security.ShiroUtil;
+import org.springframework.shell.core.Parser;
+import org.springframework.shell.event.ParseResult;
 
 /**
  * 
@@ -101,6 +104,14 @@ public class CommandProcessor {
           }
           ((CommandStatementImpl)cmdStmt).setParseResult(parseResult);
         }
+
+        //do general authorization check here
+        Method method = parseResult.getMethod();
+        ResourceOperation resourceOperation = method.getAnnotation(ResourceOperation.class);
+        if(resourceOperation!=null){
+          ShiroUtil.authorize(resourceOperation);
+        }
+
         result = executionStrategy.execute(parseResult);
         if (result instanceof Result) {
           commandResult = (Result) result;
@@ -116,7 +127,13 @@ public class CommandProcessor {
           logWrapper.info("Could not parse \""+cmdStmt.getCommandString()+"\".", e);
         }
         return ResultBuilder.createParsingErrorResult(e.getMessage());
-      } catch (RuntimeException e) {
+      } catch (GemFireSecurityException e) {
+        setLastExecutionStatus(1);
+        if (logWrapper.infoEnabled()) {
+          logWrapper.info("Could not execute \""+cmdStmt.getCommandString()+"\".", e);
+        }
+        return ResultBuilder.createGemFireUnAuthorizedErrorResult("Unauthorized while processing command <" +cmdStmt.getCommandString()+"> Reason : " + e.getMessage());
+      }catch (RuntimeException e) {
         setLastExecutionStatus(1);
         if (logWrapper.infoEnabled()) {
           logWrapper.info("Could not execute \""+cmdStmt.getCommandString()+"\".", e);

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/result/ErrorResultData.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/result/ErrorResultData.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/result/ErrorResultData.java
index f8db1d3..b324c8e 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/result/ErrorResultData.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/result/ErrorResultData.java
@@ -37,8 +37,12 @@ public class ErrorResultData extends InfoResultData {
     super(gfJsonObject);
   }
   
-  public int getErrorCode(int errorCode) {
-    return (Integer) contentObject.get(ERROR_CODE);
+  public int getErrorCode() {
+    Integer code = (Integer) contentObject.get(ERROR_CODE);
+    if(code==null){
+      return ResultBuilder.ERRORCODE_DEFAULT;
+    }
+    return code;
   }
   
   /**
@@ -57,7 +61,7 @@ public class ErrorResultData extends InfoResultData {
     
     return this;
   }
-  
+
   /**
    * 
    * @param headerText

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/result/ResultBuilder.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/result/ResultBuilder.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/result/ResultBuilder.java
index 16d3f70..6b435d3 100755
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/result/ResultBuilder.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/result/ResultBuilder.java
@@ -38,7 +38,7 @@ public class ResultBuilder {
   public static final int ERRORCODE_DEFAULT           = 400;
   public static final int ERRORCODE_CONNECTION_ERROR  = 405;
   public static final int ERRORCODE_SHELLCLIENT_ERROR = 410;
-  //Error code for auth-error??
+  public static final int ERRORCODE_UNAUTHORIZED      = 415;
   
   // errors on member
   public static final int ERRORCODE_PARSING_ERROR     = 501;
@@ -115,6 +115,11 @@ public class ResultBuilder {
                   "Could not process command due to GemFire error. " + message);
   }
 
+  public static Result createGemFireUnAuthorizedErrorResult(String message) {
+    return createErrorResult(ERRORCODE_UNAUTHORIZED,
+        "Could not process command due to GemFire error. " + message);
+  }
+
   public static Result createUserErrorResult(String message) {
     return createErrorResult(ERRORCODE_USER_ERROR, message);
   }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/shell/JmxOperationInvoker.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/shell/JmxOperationInvoker.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/shell/JmxOperationInvoker.java
index 20f4ce8..3804111 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/shell/JmxOperationInvoker.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/shell/JmxOperationInvoker.java
@@ -151,19 +151,16 @@ public class JmxOperationInvoker implements OperationInvoker {
       this.connector = JMXConnectorFactory.connect(url, env);
       this.mbsc = connector.getMBeanServerConnection();
       this.connector.addConnectionNotificationListener(new JMXConnectionListener(this), null, null);
-      this.connector.connect(); // TODO this call to connect is not needed
       this.distributedSystemMXBeanProxy = JMX.newMXBeanProxy(mbsc, MBeanJMXAdapter.getDistributedSystemName(), DistributedSystemMXBean.class);
 
-      if (this.distributedSystemMXBeanProxy == null || !JMX.isMXBeanInterface(DistributedSystemMXBean.class)) {
+      if (this.distributedSystemMXBeanProxy == null ) {
         LogWrapper.getInstance().info("DistributedSystemMXBean is not present on member with endpoints : "+this.endpoints);
-        connector.close();
         throw new JMXConnectionException(JMXConnectionException.MANAGER_NOT_FOUND_EXCEPTION);
       }
       else {
         this.managerMemberObjectName = this.distributedSystemMXBeanProxy.getMemberObjectName();
         if (this.managerMemberObjectName == null || !JMX.isMXBeanInterface(MemberMXBean.class)) {
           LogWrapper.getInstance().info("MemberMXBean with ObjectName "+this.managerMemberObjectName+" is not present on member with endpoints : "+endpoints);
-          this.connector.close();
           throw new JMXConnectionException(JMXConnectionException.MANAGER_NOT_FOUND_EXCEPTION);
         }
         else {

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
deleted file mode 100644
index ea83771..0000000
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/AccessControlMBean.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gemstone.gemfire.management.internal.security;
-
-import com.gemstone.gemfire.security.AccessControl;
-
-import javax.management.remote.JMXPrincipal;
-import javax.security.auth.Subject;
-import java.security.AccessControlContext;
-import java.security.AccessController;
-import java.security.Principal;
-import java.util.Set;
-
-/**
- * AccessControlMBean Implementation. This retrieves JMXPrincipal from AccessController
- * and performs authorization for given role using gemfire AccessControl Plugin
- *
- * @author tushark
- * @since 9.0
- */
-public class AccessControlMBean implements AccessControlMXBean {
-
-  private ManagementInterceptor interceptor;
-
-  public AccessControlMBean(ManagementInterceptor interceptor) {
-    this.interceptor = interceptor;
-  }
-
-  @Override
-  public boolean authorize(String resource, String permission) {
-    AccessControlContext acc = AccessController.getContext();
-    Subject subject = Subject.getSubject(acc);
-    Set<JMXPrincipal> principals = subject.getPrincipals(JMXPrincipal.class);
-    if (principals == null || principals.isEmpty()) {
-      throw new SecurityException("Access denied");
-    }
-    Principal principal = principals.iterator().next();
-    AccessControl gemAccControl = interceptor.getAccessControl(principal, false);
-    boolean authorized = gemAccControl.authorizeOperation(null,
-        new ResourceOperationContext(resource, permission));
-    return authorized;
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java
deleted file mode 100644
index ad6be59..0000000
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gemstone.gemfire.management.internal.security;
-
-import java.lang.annotation.Annotation;
-import java.lang.reflect.Method;
-import java.util.HashMap;
-import java.util.Map;
-
-import com.gemstone.gemfire.management.cli.CommandProcessingException;
-import com.gemstone.gemfire.management.internal.cli.CommandManager;
-import com.gemstone.gemfire.management.internal.cli.GfshParseResult;
-import com.gemstone.gemfire.management.internal.cli.GfshParser;
-import com.gemstone.gemfire.management.internal.cli.parser.CommandTarget;
-import org.springframework.shell.event.ParseResult;
-
-/**
- * It represents command being executed and all passed options and option-values.
- * ResourceOpCode returned by CLIOperationContext is retrieved from ResourceOperation
- * annotation on the target command
- *
- * @author tushark
- * @since 9.0
- */
-public class CLIOperationContext extends ResourceOperationContext {
-
-	private Map<String,String> commandOptions = null;
-	private String command = null;
-	
-	private static Map<String,ResourceOperation> commandToCodeMapping = new HashMap<String,ResourceOperation>();
-	private static CommandManager commandManager = null;
-	private static GfshParser parser = null;	
-	
-	private CLIOperationContext(String commandName, Map<String,String> commandOptions, ResourceOperation op) throws CommandProcessingException, IllegalStateException{
-		this.command = commandName;
-		this.commandOptions = commandOptions;
-		setResourceOperation(op);
-  }
-
-	public static CLIOperationContext getOperationContext(String commandString){
-		GfshParseResult parseResult = (GfshParseResult) parseCommand(commandString);
-		ResourceOperation op = findResourceCode(parseResult.getCommandName());
-		if(op==null)
-			return null;
-
-		return new CLIOperationContext(parseResult.getCommandName(), parseResult.getParamValueStrings(), op);
-	}
-	
-	private static ParseResult parseCommand(String commentLessLine) throws CommandProcessingException, IllegalStateException {
-    if (commentLessLine != null) {
-      return parser.parse(commentLessLine);
-    }
-    throw new IllegalStateException("Command String should not be null.");
-  }
-	
-	public static void registerCommand(CommandManager cmdManager, Method method, CommandTarget commandTarget){
-	  if(commandManager==null){
-	    commandManager = cmdManager;
-	    parser = new GfshParser(cmdManager);
-	  }
-		Annotation ans[] = method.getDeclaredAnnotations();
-		for(Annotation an : ans){
-			if(an instanceof ResourceOperation) {
-				commandToCodeMapping.put(commandTarget.getCommandName(), (ResourceOperation)an);
-			}
-		}
-	}
-
-	private static void cache(String commandName, ResourceOperation op) {
-		commandToCodeMapping.put(commandName, op);
-	}
-
-	public Map<String, String> getCommandOptions() {
-		return commandOptions;
-	}
-
-	public String getCommand(){
-		return command;
-	}
-
-	private static ResourceOperation findResourceCode(String commandName) {
-		return commandToCodeMapping.get(commandName);
-	}
-	
-	public String toString(){
-	  return super.toString() + " commmand=" + command + " options=" + commandOptions;
-	}
-}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
index e1c84a5..c7cb058 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/MBeanServerWrapper.java
@@ -46,6 +46,7 @@ import javax.management.remote.MBeanServerForwarder;
 
 import com.gemstone.gemfire.management.internal.ManagementConstants;
 import com.gemstone.gemfire.security.GemFireSecurityException;
+import com.gemstone.gemfire.security.ShiroUtil;
 
 /**
  * This class intercepts all MBean requests for GemFire MBeans and passed it to
@@ -55,11 +56,8 @@ import com.gemstone.gemfire.security.GemFireSecurityException;
  */
 public class MBeanServerWrapper implements MBeanServerForwarder {
   private MBeanServer mbs;
-  private ManagementInterceptor interceptor;
-
   
-  public MBeanServerWrapper(ManagementInterceptor interceptor){
-    this.interceptor = interceptor;
+  public MBeanServerWrapper(){
   }
 
   private void doAuthorization(ResourceOperationContext context){
@@ -67,14 +65,14 @@ public class MBeanServerWrapper implements MBeanServerForwarder {
     if(context == null)
       return;
 
-    interceptor.authorize(context);
+    ShiroUtil.authorize(context);
   }
 
   private void doAuthorizationPost(ResourceOperationContext context){
     if(context == null)
       return;
 
-    interceptor.postAuthorize(context);
+    //interceptor.postAuthorize(context);
   }
 
   private void checkDomain(ObjectName name){
@@ -218,14 +216,12 @@ public class MBeanServerWrapper implements MBeanServerForwarder {
   @Override
   public Object invoke(ObjectName name, String operationName, Object[] params, String[] signature)
       throws InstanceNotFoundException, MBeanException, ReflectionException {
+    // skip authorization check if operation is "processCommand" since we will check authorization in the command itself
     ResourceOperationContext ctx = null;
-    if("processCommand".equals(operationName) && params.length>=1){
-      ctx = CLIOperationContext.getOperationContext((String)params[0]);
-    }
-    else {
+    if(!"processCommand".equals(operationName)) {
       ctx = getOperationContext(name, operationName, true);
+      doAuthorization(ctx);
     }
-    doAuthorization(ctx);
 
     Object result = mbs.invoke(name, operationName, params, signature);
     if(ctx!=null)
@@ -271,7 +267,7 @@ public class MBeanServerWrapper implements MBeanServerForwarder {
     String resource = (String)descriptor.getFieldValue("resource");
     String operationCode = (String)descriptor.getFieldValue("operation");
     if(resource!=null && operationCode!=null){
-      return new ResourceOperationContext(resource, operationCode);
+      return new ResourceOperationContext(resource, operationCode, null);
     }
     return defaultValue;
   }
@@ -397,10 +393,6 @@ public class MBeanServerWrapper implements MBeanServerForwarder {
     return mbs;
   }
 
-  public ManagementInterceptor getInterceptor() {
-    return interceptor;
-  }
-
   @Override
   public void setMBeanServer(MBeanServer mbs) {
     this.mbs = mbs;

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java
deleted file mode 100644
index 6ee9da5..0000000
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ManagementInterceptor.java
+++ /dev/null
@@ -1,243 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gemstone.gemfire.management.internal.security;
-
-import com.gemstone.gemfire.GemFireConfigException;
-import com.gemstone.gemfire.distributed.internal.DistributionConfig;
-import com.gemstone.gemfire.internal.ClassLoadUtil;
-import com.gemstone.gemfire.internal.i18n.LocalizedStrings;
-import com.gemstone.gemfire.internal.lang.StringUtils;
-import com.gemstone.gemfire.security.AccessControl;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.Authenticator;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
-
-import javax.management.InstanceAlreadyExistsException;
-import javax.management.MBeanRegistrationException;
-import javax.management.MBeanServer;
-import javax.management.MalformedObjectNameException;
-import javax.management.NotCompliantMBeanException;
-import javax.management.ObjectName;
-import javax.management.remote.JMXAuthenticator;
-import javax.management.remote.JMXPrincipal;
-import javax.security.auth.Subject;
-import java.lang.management.ManagementFactory;
-import java.lang.reflect.Method;
-import java.security.AccessControlContext;
-import java.security.AccessController;
-import java.security.Principal;
-import java.util.Collections;
-import java.util.Properties;
-import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.ConcurrentMap;
-
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.ACCESS_DENIED_MESSAGE;
-import static com.gemstone.gemfire.management.internal.security.ResourceConstants.WRONGE_CREDENTIALS_MESSAGE;
-
-/**
- * ManagementInterceptor is central go-to place for all M&M Clients Authentication and Authorization
- * requests
- *
- * @since 9.0
- */
-public class ManagementInterceptor implements JMXAuthenticator {
-
-  // FIXME: Merged from GEODE-17. Are they necessary?
-  public static final String USER_NAME = "security-username";
-  public static final String PASSWORD = "security-password";
-  public static final String OBJECT_NAME_ACCESSCONTROL = "GemFire:service=AccessControl,type=Distributed";
-
-  private static final Logger logger = LogManager.getLogger(ManagementInterceptor.class);
-  //  private Cache cache;
-  private String authzFactoryName;
-  private String postAuthzFactoryName;
-  private String authenticatorFactoryName;
-  private ConcurrentMap<Principal, AccessControl> cachedAuthZCallback;
-  private ConcurrentMap<Principal, AccessControl> cachedPostAuthZCallback;
-  private Properties sysProps = null;
-
-  public ManagementInterceptor(Properties sysProps) {
-    this.sysProps = sysProps;
-    this.authzFactoryName = sysProps.getProperty(DistributionConfig.SECURITY_CLIENT_ACCESSOR_NAME);
-    this.postAuthzFactoryName = sysProps.getProperty(DistributionConfig.SECURITY_CLIENT_ACCESSOR_PP_NAME);
-    this.authenticatorFactoryName = sysProps.getProperty(DistributionConfig.SECURITY_CLIENT_AUTHENTICATOR_NAME);
-    this.cachedAuthZCallback = new ConcurrentHashMap<>();
-    this.cachedPostAuthZCallback = new ConcurrentHashMap<>();
-    registerAccessControlMBean();
-    logger.info("Started Management interceptor on JMX connector");
-  }
-
-  /**
-   * This method registers an AccessControlMBean which allows any remote JMX Client (for example Pulse) to check for
-   * access allowed for given Operation Code.
-   */
-  private void registerAccessControlMBean() {
-    try {
-      AccessControlMBean acc = new AccessControlMBean(this);
-      ObjectName accessControlMBeanON = new ObjectName(ResourceConstants.OBJECT_NAME_ACCESSCONTROL);
-      MBeanServer platformMBeanServer = ManagementFactory.getPlatformMBeanServer();
-
-      Set<ObjectName> names = platformMBeanServer.queryNames(accessControlMBeanON, null);
-      if (names.isEmpty()) {
-        try {
-          platformMBeanServer.registerMBean(acc, accessControlMBeanON);
-          logger.info("Registered AccessContorlMBean on " + accessControlMBeanON);
-        } catch (InstanceAlreadyExistsException e) {
-          throw new GemFireConfigException("Error while configuring accesscontrol for jmx resource", e);
-        } catch (MBeanRegistrationException e) {
-          throw new GemFireConfigException("Error while configuring accesscontrol for jmx resource", e);
-        } catch (NotCompliantMBeanException e) {
-          throw new GemFireConfigException("Error while configuring accesscontrol for jmx resource", e);
-        }
-      }
-    } catch (MalformedObjectNameException e) {
-      throw new GemFireConfigException("Error while configuring accesscontrol for jmx resource", e);
-    }
-  }
-
-  /**
-   * Delegates authentication to GemFire Authenticator
-   *
-   * @throws SecurityException if authentication fails
-   */
-  @Override
-  public Subject authenticate(Object credentials) {
-    String username = null, password = null;
-    Properties pr = new Properties();
-    if (credentials instanceof String[]) {
-      final String[] aCredentials = (String[]) credentials;
-      username = aCredentials[0];
-      password = aCredentials[1];
-      pr.put(USER_NAME, username);
-      pr.put(PASSWORD, password);
-    } else if (credentials instanceof Properties) {
-      pr = (Properties) credentials;
-    } else {
-      throw new SecurityException(WRONGE_CREDENTIALS_MESSAGE);
-    }
-
-    try {
-      Principal principal = getAuthenticator(sysProps).authenticate(pr);
-      return new Subject(true, Collections.singleton(new JMXPrincipal(principal.getName())), Collections.EMPTY_SET,
-          Collections.EMPTY_SET);
-    } catch (AuthenticationFailedException e) {
-      //wrap inside Security exception. AuthenticationFailedException is gemfire class
-      //which generic JMX client can't serialize
-      throw new SecurityException("Authentication Failed " + e.getMessage());
-    }
-
-  }
-
-  /**
-   * Builds ResourceOperationContext for the given JMX MBean Request for delegates Authorization to
-   * gemfire AccessControl plugin with context as parameter
-   *
-   * @throws SecurityException if access is not granted
-   */
-  public void authorize(ResourceOperationContext context) {
-    if (StringUtils.isBlank(authzFactoryName)) {
-      return;
-    }
-
-    AccessControlContext acc = AccessController.getContext();
-    Subject subject = Subject.getSubject(acc);
-    Set<JMXPrincipal> principals = subject.getPrincipals(JMXPrincipal.class);
-
-    if (principals == null || principals.isEmpty()) {
-      throw new SecurityException(ACCESS_DENIED_MESSAGE + ": No principal found.");
-    }
-
-    Principal principal = principals.iterator().next();
-
-    AccessControl accessControl = getAccessControl(principal, false);
-
-    if (!accessControl.authorizeOperation(null, context)) {
-      throw new SecurityException(ACCESS_DENIED_MESSAGE + ": Not authorized for " + context);
-    }
-  }
-
-  public AccessControl getAccessControl(Principal principal, boolean isPost) {
-    if (!isPost) {
-      if (cachedAuthZCallback.containsKey(principal)) {
-        return cachedAuthZCallback.get(principal);
-      } else if (!StringUtils.isBlank(authzFactoryName)) {
-        try {
-          Method authzMethod = ClassLoadUtil.methodFromName(authzFactoryName);
-          AccessControl authzCallback = (AccessControl) authzMethod.invoke(null, (Object[]) null);
-          authzCallback.init(principal);
-          cachedAuthZCallback.put(principal, authzCallback);
-          return authzCallback;
-        } catch (Exception ex) {
-          throw new AuthenticationFailedException(LocalizedStrings.HandShake_FAILED_TO_ACQUIRE_AUTHENTICATOR_OBJECT.toLocalizedString(), ex);
-        }
-      }
-    } else {
-      if (cachedPostAuthZCallback.containsKey(principal)) {
-        return cachedPostAuthZCallback.get(principal);
-      } else if (!StringUtils.isBlank(postAuthzFactoryName)) {
-        try {
-          Method authzMethod = ClassLoadUtil.methodFromName(postAuthzFactoryName);
-          AccessControl postAuthzCallback = (AccessControl) authzMethod.invoke(null, (Object[]) null);
-          postAuthzCallback.init(principal);
-          cachedPostAuthZCallback.put(principal, postAuthzCallback);
-          return postAuthzCallback;
-        } catch (Exception ex) {
-          throw new AuthenticationFailedException(LocalizedStrings.HandShake_FAILED_TO_ACQUIRE_AUTHENTICATOR_OBJECT.toLocalizedString(), ex);
-        }
-      }
-    }
-    return null;
-  }
-
-  private Authenticator getAuthenticator(Properties gfSecurityProperties) throws AuthenticationFailedException {
-    Authenticator auth;
-    try {
-      Method instanceGetter = ClassLoadUtil.methodFromName(this.authenticatorFactoryName);
-      auth = (Authenticator) instanceGetter.invoke(null, (Object[]) null);
-    } catch (Exception ex) {
-      throw new AuthenticationFailedException(
-          LocalizedStrings.HandShake_FAILED_TO_ACQUIRE_AUTHENTICATOR_OBJECT.toLocalizedString(), ex);
-    }
-    if (auth == null) {
-      throw new AuthenticationFailedException(
-          LocalizedStrings.HandShake_AUTHENTICATOR_INSTANCE_COULD_NOT_BE_OBTAINED.toLocalizedString());
-    }
-    auth.init(gfSecurityProperties);
-    return auth;
-  }
-
-  public void postAuthorize(ResourceOperationContext context) {
-    if (StringUtils.isBlank(postAuthzFactoryName)) {
-      return;
-    }
-
-    AccessControlContext acc = AccessController.getContext();
-    Subject subject = Subject.getSubject(acc);
-    Set<JMXPrincipal> principals = subject.getPrincipals(JMXPrincipal.class);
-    if (principals == null || principals.isEmpty()) {
-      throw new SecurityException(ACCESS_DENIED_MESSAGE);
-    }
-    Principal principal = principals.iterator().next();
-    AccessControl accessControl = getAccessControl(principal, true);
-    if (!accessControl.authorizeOperation(null, context)) {
-      throw new SecurityException(ACCESS_DENIED_MESSAGE);
-    }
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/c733f0c2/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
index 9ef458d..396cdac 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
@@ -27,24 +27,29 @@ public class ResourceOperationContext extends OperationContext {
   private Object opResult = null;
   private Resource resource = null;
   private OperationCode operation = null;
+  private String regionName = null;
 
   public ResourceOperationContext() {
   }
 
   public ResourceOperationContext(Resource resource, OperationCode operation) {
+    setParts(resource.name()+":"+operation.name(), false);
     this.resource = resource;
     this.operation = operation;
   }
 
-  public ResourceOperationContext(String resource, String operation) {
+  public ResourceOperationContext(String resource, String operation, String regionName) {
+    setParts(resource+":"+operation+":"+regionName, false);
     if (resource != null) this.resource = Resource.valueOf(resource);
     if (operation != null) this.operation = OperationCode.valueOf(operation);
+    this.regionName = regionName;
   }
 
   public void setResourceOperation(ResourceOperation op) {
     if (op != null) {
       resource = op.resource();
       operation = op.operation();
+      setParts(resource.name()+":"+operation.name(), false);
     }
   }
 
@@ -64,6 +69,11 @@ public class ResourceOperationContext extends OperationContext {
   }
 
   @Override
+  public String getRegionName(){
+    return this.regionName;
+  }
+
+  @Override
   public boolean isPostOperation() {
     return isPostOperation;
   }
@@ -77,4 +87,20 @@ public class ResourceOperationContext extends OperationContext {
     return this.opResult;
   }
 
+  public String toString(){
+    if(this.regionName==null)
+      return getResource() + ":"+ getOperationCode();
+    else
+      return getResource() + ":"+ getOperationCode()+ ":" +this.regionName;
+  }
+
+  public boolean equals(Object o){
+    if(! (o instanceof ResourceOperationContext))
+      return false;
+
+    ResourceOperationContext other = (ResourceOperationContext)o;
+    return (this.resource==other.getResource() && this.operation==other.getOperationCode());
+  }
+
+
 }
\ No newline at end of file


Mime
View raw message