geode-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From hiteshkhame...@apache.org
Subject [03/15] incubator-geode git commit: GEODE-37 Renamed security related stuff
Date Tue, 13 Sep 2016 22:56:05 GMT
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/generator/AuthzCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/generator/AuthzCredentialGenerator.java b/geode-core/src/test/java/org/apache/geode/security/generator/AuthzCredentialGenerator.java
new file mode 100755
index 0000000..1a99974
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/generator/AuthzCredentialGenerator.java
@@ -0,0 +1,447 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.generator;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import org.apache.logging.log4j.Logger;
+
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.security.AccessControl;
+import com.gemstone.gemfire.security.templates.DummyAuthorization;
+import com.gemstone.gemfire.security.templates.XmlAuthorization;
+
+/**
+ * Encapsulates obtaining authorized and unauthorized credentials for a given
+ * operation in a region. Implementations will be for different kinds of
+ * authorization scheme and authentication scheme combos.
+ * 
+ * @since GemFire 5.5
+ */
+public abstract class AuthzCredentialGenerator {
+  
+  private static final Logger logger = LogService.getLogger();
+
+  /**
+   * The {@link CredentialGenerator} being used.
+   */
+  protected CredentialGenerator generator;
+
+  /**
+   * A set of system properties that should be added to the gemfire system
+   * properties before using the authorization module.
+   */
+  private Properties systemProperties;
+
+  /**
+   * A factory method to create a new instance of an
+   * {@link AuthzCredentialGenerator} for the given {@link ClassCode}. Caller
+   * is supposed to invoke {@link AuthzCredentialGenerator#init} immediately
+   * after obtaining the instance.
+   * 
+   * @param  classCode
+   *         the {@code ClassCode} of the {@code AuthzCredentialGenerator}
+   *         implementation
+   * 
+   * @return an instance of {@code AuthzCredentialGenerator} for the given
+   *         class code
+   */
+  public static AuthzCredentialGenerator create(final ClassCode classCode) {
+    switch (classCode.classType) {
+      case ClassCode.ID_DUMMY:
+        return new DummyAuthzCredentialGenerator();
+      case ClassCode.ID_XML:
+        return new XmlAuthzCredentialGenerator();
+      default:
+        return null;
+    }
+  }
+
+  /**
+   * Initialize the authorized credential generator.
+   * 
+   * @param  generator
+   *         an instance of {@link CredentialGenerator} of the credential
+   *         implementation for which to obtain authorized/unauthorized
+   *         credentials.
+   * 
+   * @return false when the given {@link CredentialGenerator} is incompatible
+   *         with this authorization module.
+   */
+  public boolean init(final CredentialGenerator generator) {
+    this.generator = generator;
+    try {
+      this.systemProperties = init();
+    } catch (IllegalArgumentException ex) {
+      return false;
+    }
+    return true;
+  }
+
+  /**
+   * 
+   * @return A set of extra properties that should be added to Gemfire system
+   *         properties when not null.
+   */
+  public Properties getSystemProperties() {
+    return this.systemProperties;
+  }
+
+  /**
+   * Get the {@link CredentialGenerator} being used by this instance.
+   */
+  public CredentialGenerator getCredentialGenerator() {
+    return this.generator;
+  }
+
+  /**
+   * Initialize the authorized credential generator.
+   *
+   * Required to be implemented by concrete classes that implement this abstract
+   * class.
+   *
+   * @return A set of extra properties that should be added to Gemfire system
+   *         properties when not null.
+   *
+   * @throws IllegalArgumentException when the {@link CredentialGenerator} is
+   *         incompatible with this authorization module.
+   */
+  protected abstract Properties init() throws IllegalArgumentException;
+
+  /**
+   * The {@link ClassCode} of the particular implementation.
+   * 
+   * @return the {@code ClassCode}
+   */
+  public abstract ClassCode classCode();
+
+  /**
+   * The name of the {@link AccessControl} factory function that should be used
+   * as the authorization module on the server side.
+   * 
+   * @return name of the {@code AccessControl} factory function
+   */
+  public abstract String getAuthorizationCallback();
+
+  /**
+   * Get a set of credentials generated using the given index allowed to perform
+   * the given {@link OperationCode}s for the given regions.
+   * 
+   * @param  opCodes
+   *         the list of {@link OperationCode}s of the operations requiring
+   *         authorization; should not be null
+   * @param  regionNames
+   *         list of the region names requiring authorization; a value of
+   *         null indicates all regions
+   * @param  index
+   *         used to generate multiple such credentials by passing different
+   *         values for this
+   * 
+   * @return the set of credentials authorized to perform the given operation in
+   *         the given regions
+   */
+  public Properties getAllowedCredentials(final OperationCode[] opCodes, final String[] regionNames, final int index) {
+    int numTries = getNumPrincipalTries(opCodes, regionNames);
+    if (numTries <= 0) {
+      numTries = 1;
+    }
+
+    for (int tries = 0; tries < numTries; tries++) {
+      final Principal principal = getAllowedPrincipal(opCodes, regionNames, (index + tries) % numTries);
+      try {
+        return this.generator.getValidCredentials(principal);
+      } catch (IllegalArgumentException ex) {
+      }
+    }
+    return null;
+  }
+
+  /**
+   * Get a set of credentials generated using the given index not allowed to
+   * perform the given {@link OperationCode}s for the given regions. The
+   * credentials are required to be valid for authentication.
+   * 
+   * @param  opCodes
+   *         the {@link OperationCode}s of the operations requiring
+   *         authorization failure; should not be null
+   * @param  regionNames
+   *         list of the region names requiring authorization failure; a value
+   *         of null indicates all regions
+   * @param  index
+   *         used to generate multiple such credentials by passing different
+   *         values for this
+   * 
+   * @return the set of credentials that are not authorized to perform the given
+   *         operation in the given region
+   */
+  public Properties getDisallowedCredentials(final OperationCode[] opCodes, final String[] regionNames, final int index) {
+    // This may not be very correct since we use the value of
+    // getNumPrincipalTries() but is used to avoid adding another method.
+    // Also something like getNumDisallowedPrincipals() will be normally always
+    // infinite, and the number here is just to perform some number of tries
+    // before giving up.
+
+    int numTries = getNumPrincipalTries(opCodes, regionNames);
+    if (numTries <= 0) {
+      numTries = 1;
+    }
+
+    for (int tries = 0; tries < numTries; tries++) {
+      final Principal principal = getDisallowedPrincipal(opCodes, regionNames, (index + tries) % numTries);
+      try {
+        return this.generator.getValidCredentials(principal);
+      } catch (IllegalArgumentException ex) {
+      }
+    }
+    return null;
+  }
+
+  /**
+   * Get the number of tries to be done for obtaining valid credentials for the
+   * given operations in the given region. It is required that
+   * {@link #getAllowedPrincipal} method returns valid principals for values of
+   * {@code index} from 0 through (n-1) where {@code n} is the
+   * value returned by this method. It is recommended that the principals so
+   * returned be unique for efficiency.
+   * 
+   * This will be used by {@link #getAllowedCredentials} to step through
+   * different principals and obtain a set of valid credentials.
+   * 
+   * Required to be implemented by concrete classes that implement this abstract
+   * class.
+   * 
+   * @param  opCodes
+   *         the {@link OperationCode}s of the operations requiring
+   *         authorization
+   * @param  regionNames
+   *         list of the region names requiring authorization; a value of null
+   *         indicates all regions
+   * 
+   * @return the number of principals allowed to perform the given operation in
+   *         the given region
+   */
+  protected abstract int getNumPrincipalTries(final OperationCode[] opCodes, final String[] regionNames);
+
+  /**
+   * Get a {@link Principal} generated using the given index allowed to perform
+   * the given {@link OperationCode}s for the given region.
+   * 
+   * Required to be implemented by concrete classes that implement this abstract
+   * class.
+   * 
+   * @param  opCodes
+   *         the {@link OperationCode}s of the operations requiring
+   *         authorization
+   * @param  regionNames
+   *         list of the region names requiring authorization; a value of null
+   *         indicates all regions
+   * @param  index
+   *         used to generate multiple such principals by passing different
+   *         values for this
+   * 
+   * @return the {@link Principal} authorized to perform the given operation in
+   *         the given region
+   */
+  protected abstract Principal getAllowedPrincipal(final OperationCode[] opCodes, final String[] regionNames, final int index);
+
+  /**
+   * Get a {@link Principal} generated using the given index not allowed to
+   * perform the given {@link OperationCode}s for the given region.
+   * 
+   * Required to be implemented by concrete classes that implement this abstract
+   * class.
+   * 
+   * @param  opCodes
+   *         the {@link OperationCode}s of the operations requiring
+   *         authorization failure
+   * @param  regionNames
+   *         list of the region names requiring authorization failure; a value
+   *         of null indicates all regions
+   * @param  index
+   *         used to generate multiple such principals by passing different
+   *         values for this
+   * 
+   * @return a {@link Principal} not authorized to perform the given operation
+   *         in the given region
+   */
+  protected abstract Principal getDisallowedPrincipal(final OperationCode[] opCodes, final String[] regionNames, final int index);
+
+  /**
+   * Enumeration for various {@link AuthzCredentialGenerator} implementations.
+   *
+   * <p>The following schemes are supported as of now:
+   * <ul>
+   * <li>{@code DummyAuthorization} with {@code DummyAuthenticator}</li>
+   * <li>{@code XMLAuthorization} with {@code DummyAuthenticator}</li>
+   * <li>{@code XMLAuthorization} with {@code LDAPAuthenticator}</li>
+   * <li>{@code XMLAuthorization} with {@code PKCSAuthenticator}</li>
+   * <li>{@code XMLAuthorization} when using SSL sockets</li>
+   * </ul>
+   *
+   * <p>To add a new authorization scheme the following needs to be done:
+   * <ul>
+   * <li>Add implementation for {@link AccessControl}.</li>
+   * <li>Choose the authentication schemes that it shall work with from
+   * {@link CredentialGenerator.ClassCode}</li>
+   * <li>Add a new enumeration value for the scheme in this class. Notice the
+   * size of {@code VALUES} array and increase that if it is getting
+   * overflowed. Note the methods and fields for existing schemes and add for
+   * the new one in a similar manner.</li>
+   * <li>Add an implementation for {@link AuthzCredentialGenerator}. Note the
+   * {@link AuthzCredentialGenerator#init} method where different authentication
+   * schemes can be passed and initialize differently for the authentication
+   * schemes that shall be handled.</li>
+   * <li>Modify the {@link AuthzCredentialGenerator#create} method to add
+   * creation of an instance of the new implementation for the
+   * {@code ClassCode} enumeration value.</li>
+   * </ul>
+   *
+   * <p>All dunit tests will automagically start testing the new implementation
+   * after this.
+   *
+   * @since GemFire 5.5
+   */
+  public static final class ClassCode {
+
+    private static byte nextOrdinal = 0;
+
+    private static final byte ID_DUMMY = 1;
+    private static final byte ID_XML = 2;
+
+    private static final ClassCode[] VALUES = new ClassCode[10];
+    private static final Map CODE_NAME_MAP = new HashMap();
+
+    public static final ClassCode DUMMY = new ClassCode(DummyAuthorization.class.getName() + ".create", ID_DUMMY);
+    public static final ClassCode XML = new ClassCode(XmlAuthorization.class.getName() + ".create", ID_XML);
+
+    /** The name of this class. */
+    private final String name;
+
+    /** byte used as ordinal to represent this class */
+    private final byte ordinal;
+
+    /**
+     * One of the following: ID_DUMMY, ID_LDAP, ID_PKI
+     */
+    private final byte classType;
+
+    /** Creates a new instance of class code. */
+    private ClassCode(final String name, final byte classType) {
+      this.name = name;
+      this.classType = classType;
+      this.ordinal = nextOrdinal++;
+      VALUES[this.ordinal] = this;
+      CODE_NAME_MAP.put(name, this);
+    }
+
+    public boolean isDummy() {
+      return this.classType == ID_DUMMY;
+    }
+
+    public boolean isXml() {
+      return this.classType == ID_XML;
+    }
+
+    /**
+     * Returns the {@code ClassCode} represented by specified ordinal.
+     */
+    public static ClassCode fromOrdinal(final byte ordinal) {
+      return VALUES[ordinal];
+    }
+
+    /**
+     * Returns the {@code ClassCode} represented by specified string.
+     */
+    public static ClassCode parse(final String operationName) {
+      return (ClassCode) CODE_NAME_MAP.get(operationName);
+    }
+
+    /**
+     * Returns all the possible values.
+     */
+    public static List getAll() {
+      final List codes = new ArrayList();
+      for (Iterator iter = CODE_NAME_MAP.values().iterator(); iter.hasNext();) {
+        codes.add(iter.next());
+      }
+      return codes;
+    }
+
+    /**
+     * Returns the ordinal for this class code.
+     *
+     * @return the ordinal of this class code.
+     */
+    public byte toOrdinal() {
+      return this.ordinal;
+    }
+
+    /**
+     * Returns a string representation for this class code.
+     *
+     * @return the name of this class code.
+     */
+    @Override
+    public final String toString() {
+      return this.name;
+    }
+
+    /**
+     * Indicates whether other object is same as this one.
+     *
+     * @return true if other object is same as this one.
+     */
+    @Override
+    public final boolean equals(final Object obj) {
+      if (obj == this) {
+        return true;
+      }
+      if (!(obj instanceof ClassCode)) {
+        return false;
+      }
+      final ClassCode other = (ClassCode)obj;
+      return other.ordinal == this.ordinal;
+    }
+
+    /**
+     * Indicates whether other {@code ClassCode} is same as this one.
+     *
+     * @return true if other {@code ClassCode} is same as this one.
+     */
+    public final boolean equals(final ClassCode opCode) {
+      return opCode != null && opCode.ordinal == this.ordinal;
+    }
+
+    /**
+     * Returns a hash code value for this {@code ClassCode} which is the
+     * same as its ordinal.
+     *
+     * @return the ordinal of this {@code ClassCode}.
+     */
+    @Override
+    public final int hashCode() {
+      return this.ordinal;
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/generator/CredentialGenerator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/generator/CredentialGenerator.java b/geode-core/src/test/java/org/apache/geode/security/generator/CredentialGenerator.java
new file mode 100755
index 0000000..90584cd
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/generator/CredentialGenerator.java
@@ -0,0 +1,333 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.generator;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import org.apache.logging.log4j.Logger;
+
+import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.security.AuthInitialize;
+import com.gemstone.gemfire.security.Authenticator;
+import com.gemstone.gemfire.security.templates.DummyAuthenticator;
+import com.gemstone.gemfire.security.templates.LdapUserAuthenticator;
+import com.gemstone.gemfire.security.templates.PKCSAuthenticator;
+
+/**
+ * Encapsulates obtaining valid and invalid credentials. Implementations will be
+ * for different kinds of authentication schemes.
+ * 
+ * @since GemFire 5.5
+ */
+public abstract class CredentialGenerator {
+
+  private static final Logger logger = LogService.getLogger();
+
+  /**
+   * A set of properties that should be added to the Gemfire system properties
+   * before using the authentication module.
+   */
+  private Properties systemProperties = null;
+
+  /**
+   * A set of properties that should be added to the java system properties
+   * before using the authentication module.
+   */
+  protected Properties javaProperties = null;
+
+  /**
+   * A factory method to create a new instance of an {@link CredentialGenerator}
+   * for the given {@link ClassCode}. Caller is supposed to invoke
+   * {@link CredentialGenerator#init} immediately after obtaining the instance.
+   * 
+   * @param  classCode
+   *         the {@code ClassCode} of the {@code CredentialGenerator}
+   *         implementation
+   * 
+   * @return an instance of {@code CredentialGenerator} for the given class
+   *         code
+   */
+  public static CredentialGenerator create(final ClassCode classCode) {
+    switch (classCode.classType) {
+      // Removing dummy one to reduce test run times
+      // case ClassCode.ID_DUMMY:
+      // return new DummyCredentialGenerator();
+      case ClassCode.ID_LDAP:
+        return new LdapUserCredentialGenerator();
+        // case ClassCode.ID_SSL:ΓΈ
+        // return new SSLCredentialGenerator();
+      case ClassCode.ID_PKCS:
+        return new PKCSCredentialGenerator();
+      default:
+        return null;
+    }
+  }
+
+  /**
+   * Initialize the credential generator.
+   *
+   * @throws IllegalArgumentException when there is a problem during
+   *         initialization
+   */
+  public void init() throws IllegalArgumentException {
+    this.systemProperties = initialize();
+    logger.info("Generating CredentialGenerator with {}", this.systemProperties);
+  }
+
+  /**
+   * @return A set of extra properties that should be added to Gemfire system
+   *         properties when not null.
+   */
+  public Properties getSystemProperties() {
+    return this.systemProperties;
+  }
+
+  /**
+   * @return A set of extra properties that should be added to Gemfire system
+   *         properties when not null.
+   */
+  public Properties getJavaProperties() {
+    return this.javaProperties;
+  }
+
+  /**
+   * The {@link ClassCode} of this particular implementation.
+   * 
+   * @return the {@code ClassCode}
+   */
+  public abstract ClassCode classCode();
+
+  /**
+   * The name of the {@link AuthInitialize} factory function that should be used
+   * in conjunction with the credentials generated by this generator.
+   * 
+   * @return name of the {@code AuthInitialize} factory function
+   */
+  public abstract String getAuthInit();
+
+  /**
+   * The name of the {@link Authenticator} factory function that should be used
+   * in conjunction with the credentials generated by this generator.
+   * 
+   * @return name of the {@code Authenticator} factory function
+   */
+  public abstract String getAuthenticator();
+
+  /**
+   * Get a set of valid credentials generated using the given index.
+   */
+  public abstract Properties getValidCredentials(final int index);
+
+  /**
+   * Get a set of valid credentials for the given {@link Principal}.
+   * 
+   * @return credentials for the given {@code Principal} or null if none
+   *         possible.
+   */
+  public abstract Properties getValidCredentials(final Principal principal);
+
+  /**
+   * Get a set of invalid credentials generated using the given index.
+   */
+  public abstract Properties getInvalidCredentials(final int index);
+
+  /**
+   * Initialize the credential generator. This is provided separately from the
+   * {@link #init()} method for convenience of implementations so that they do not
+   * need to store in {@link #systemProperties}. The latter is convenient for the users
+   * who do not need to store these properties rather can obtain it later by
+   * invoking {@link #getSystemProperties()}
+   *
+   * <p>Required to be implemented by concrete classes that implement this abstract
+   * class.
+   *
+   * @return A set of extra properties that should be added to Gemfire system
+   *         properties when not null.
+   *
+   * @throws IllegalArgumentException when there is a problem during
+   *         initialization
+   */
+  protected abstract Properties initialize() throws IllegalArgumentException;
+
+  /**
+   * Enumeration for various {@link CredentialGenerator} implementations.
+   *
+   * <p>The following schemes are supported as of now:
+   * {@code DummyAuthenticator}, {@code LdapUserAuthenticator},
+   * {@code PKCSAuthenticator}. In addition SSL socket mode with mutual
+   * authentication is also supported.
+   *
+   * <p>To add a new authentication scheme the following needs to be done:
+   * <ul>
+   * <li>Add implementations for {@link AuthInitialize} and
+   * {@link Authenticator} classes for clients/peers.</li>
+   * <li>Add a new enumeration value for the scheme in this class. Notice the
+   * size of {@code VALUES} array and increase that if it is getting
+   * overflowed. Note the methods and fields for existing schemes and add for
+   * the new one in a similar manner.</li>
+   * <li>Add an implementation for {@link CredentialGenerator}.</li>
+   * <li>Modify the CredentialGenerator.Factory#create [no such Factory exists] method to add
+   * creation of an instance of the new implementation for the
+   * {@code ClassCode} enumeration value.</li>
+   * </ul>
+   *
+   * <p>All security dunit tests will automagically start testing the new
+   * implementation after this.
+   *
+   * @since GemFire 5.5
+   */
+  public static final class ClassCode {
+
+    private static byte nextOrdinal = 0;
+
+    private static final byte ID_DUMMY = 1;
+    private static final byte ID_LDAP = 2;
+    private static final byte ID_PKCS = 3;
+    private static final byte ID_SSL = 4;
+
+    private static final ClassCode[] VALUES = new ClassCode[10];
+    private static final Map CODE_NAME_MAP = new HashMap();
+
+    public static final ClassCode DUMMY = new ClassCode(DummyAuthenticator.class.getName() + ".create", ID_DUMMY);
+    public static final ClassCode LDAP = new ClassCode(LdapUserAuthenticator.class.getName() + ".create", ID_LDAP);
+    public static final ClassCode PKCS = new ClassCode(PKCSAuthenticator.class.getName() + ".create", ID_PKCS);
+    public static final ClassCode SSL = new ClassCode("SSL", ID_SSL);
+
+    /** The name of this class. */
+    private final String name;
+
+    /** byte used as ordinal to represent this class */
+    private final byte ordinal;
+
+    /**
+     * One of the following: ID_DUMMY, ID_LDAP, ID_PKCS
+     */
+    private final byte classType;
+
+    /** Creates a new instance of class code. */
+    private ClassCode(final String name, final byte classType) {
+      this.name = name;
+      this.classType = classType;
+      this.ordinal = nextOrdinal++;
+      VALUES[this.ordinal] = this;
+      CODE_NAME_MAP.put(name, this);
+    }
+
+    public boolean isDummy() {
+      return this.classType == ID_DUMMY;
+    }
+
+    public boolean isLDAP() {
+      return this.classType == ID_LDAP;
+    }
+
+    public boolean isPKCS() {
+      return this.classType == ID_PKCS;
+    }
+
+    public boolean isSSL() {
+      return this.classType == ID_SSL;
+    }
+
+    /**
+     * Returns the {@code ClassCode} represented by specified ordinal.
+     */
+    public static ClassCode fromOrdinal(final byte ordinal) {
+      return VALUES[ordinal];
+    }
+
+    /**
+     * Returns the {@code ClassCode} represented by specified string.
+     */
+    public static ClassCode parse(final String operationName) {
+      return (ClassCode) CODE_NAME_MAP.get(operationName);
+    }
+
+    /**
+     * Returns all the possible values.
+     */
+    public static List getAll() {
+      final List codes = new ArrayList();
+      for (Iterator iter = CODE_NAME_MAP.values().iterator(); iter.hasNext();) {
+        codes.add(iter.next());
+      }
+      return codes;
+    }
+
+    /**
+     * Returns the ordinal for this operation code.
+     *
+     * @return the ordinal of this operation.
+     */
+    public byte toOrdinal() {
+      return this.ordinal;
+    }
+
+    /**
+     * Returns a string representation for this operation.
+     *
+     * @return the name of this operation.
+     */
+    @Override
+    public final String toString() {
+      return this.name;
+    }
+
+    /**
+     * Indicates whether other object is same as this one.
+     *
+     * @return true if other object is same as this one.
+     */
+    @Override
+    public final boolean equals(final Object obj) {
+      if (obj == this) {
+        return true;
+      }
+      if (!(obj instanceof ClassCode)) {
+        return false;
+      }
+      final ClassCode other = (ClassCode)obj;
+      return other.ordinal == this.ordinal;
+    }
+
+    /**
+     * Indicates whether other {@code ClassCode} is same as this one.
+     *
+     * @return true if other {@code ClassCode} is same as this one.
+     */
+    public final boolean equals(final ClassCode opCode) {
+      return opCode != null && opCode.ordinal == this.ordinal;
+    }
+
+    /**
+     * Returns a hash code value for this {@code ClassCode} which is the
+     * same as its ordinal.
+     *
+     * @return the ordinal of this operation.
+     */
+    @Override
+    public final int hashCode() {
+      return this.ordinal;
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/generator/DummyAuthzCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/generator/DummyAuthzCredentialGenerator.java b/geode-core/src/test/java/org/apache/geode/security/generator/DummyAuthzCredentialGenerator.java
new file mode 100755
index 0000000..64fb84a
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/generator/DummyAuthzCredentialGenerator.java
@@ -0,0 +1,129 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.generator;
+
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Properties;
+import java.util.Set;
+
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.security.templates.DummyAuthorization;
+import com.gemstone.gemfire.security.templates.UsernamePrincipal;
+
+public class DummyAuthzCredentialGenerator extends AuthzCredentialGenerator {
+
+  public static final byte READER_ROLE = 1;
+  public static final byte WRITER_ROLE = 2;
+  public static final byte ADMIN_ROLE = 3;
+
+  private static Set readerOpsSet;
+  private static Set writerOpsSet;
+
+  static {
+    readerOpsSet = new HashSet();
+    for (int index = 0; index < DummyAuthorization.READER_OPS.length; index++) {
+      readerOpsSet.add(DummyAuthorization.READER_OPS[index]);
+    }
+
+    writerOpsSet = new HashSet();
+    for (int index = 0; index < DummyAuthorization.WRITER_OPS.length; index++) {
+      writerOpsSet.add(DummyAuthorization.WRITER_OPS[index]);
+    }
+  }
+
+  public static byte getRequiredRole(final OperationCode[] opCodes) {
+    byte roleType = ADMIN_ROLE;
+    boolean requiresReader = true;
+    boolean requiresWriter = true;
+
+    for (int opNum = 0; opNum < opCodes.length; opNum++) {
+      if (requiresReader && !readerOpsSet.contains(opCodes[opNum])) {
+        requiresReader = false;
+      }
+      if (requiresWriter && !writerOpsSet.contains(opCodes[opNum])) {
+        requiresWriter = false;
+      }
+    }
+    if (requiresReader) {
+      roleType = READER_ROLE;
+    }
+    else if (requiresWriter) {
+      roleType = WRITER_ROLE;
+    }
+    return roleType;
+  }
+
+  @Override
+  protected Properties init() throws IllegalArgumentException {
+    if (!this.generator.classCode().isDummy()) {
+      throw new IllegalArgumentException("DummyAuthorization module only works with DummyAuthenticator");
+    }
+    return null;
+  }
+
+  @Override
+  public ClassCode classCode() {
+    return ClassCode.DUMMY;
+  }
+
+  @Override
+  public String getAuthorizationCallback() {
+    return DummyAuthorization.class.getName() + ".create";
+  }
+
+  @Override
+  protected Principal getAllowedPrincipal(final OperationCode[] opCodes, final String[] regionNames, final int index) {
+    final byte roleType = getRequiredRole(opCodes);
+    return getPrincipal(roleType, index);
+  }
+
+  @Override
+  protected Principal getDisallowedPrincipal(final OperationCode[] opCodes, final String[] regionNames, final int index) {
+    byte roleType = getRequiredRole(opCodes);
+    byte disallowedRoleType;
+    switch (roleType) {
+      case READER_ROLE:
+        disallowedRoleType = WRITER_ROLE;
+        break;
+      case WRITER_ROLE:
+        disallowedRoleType = READER_ROLE;
+        break;
+      default:
+        disallowedRoleType = READER_ROLE;
+        break;
+    }
+    return getPrincipal(disallowedRoleType, index);
+  }
+
+  @Override
+  protected int getNumPrincipalTries(final OperationCode[] opCodes,  final String[] regionNames) {
+    return 5;
+  }
+
+  private Principal getPrincipal(final byte roleType, final int index) {
+    String[] admins = new String[] { "root", "admin", "administrator" };
+    switch (roleType) {
+      case READER_ROLE:
+        return new UsernamePrincipal("reader" + index);
+      case WRITER_ROLE:
+        return new UsernamePrincipal("writer" + index);
+      default:
+        return new UsernamePrincipal(admins[index % admins.length]);
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/generator/DummyCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/generator/DummyCredentialGenerator.java b/geode-core/src/test/java/org/apache/geode/security/generator/DummyCredentialGenerator.java
new file mode 100755
index 0000000..77ffbd9
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/generator/DummyCredentialGenerator.java
@@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.generator;
+
+import java.security.Principal;
+import java.util.Properties;
+
+import com.gemstone.gemfire.security.templates.DummyAuthenticator;
+import com.gemstone.gemfire.security.templates.UserPasswordAuthInit;
+
+public class DummyCredentialGenerator extends CredentialGenerator {
+
+  @Override
+  protected Properties initialize() throws IllegalArgumentException {
+    return null;
+  }
+
+  @Override
+  public ClassCode classCode() {
+    return ClassCode.DUMMY;
+  }
+
+  @Override
+  public String getAuthInit() {
+    return UserPasswordAuthInit.class.getName() + ".create";
+  }
+
+  @Override
+  public String getAuthenticator() {
+    return DummyAuthenticator.class.getName() + ".create";
+  }
+
+  @Override
+  public Properties getValidCredentials(final int index) {
+    final String[] validGroups = new String[] { "admin", "user", "reader", "writer" };
+    final String[] admins = new String[] { "root", "admin", "administrator" };
+
+    final Properties props = new Properties();
+    final int groupNum = index % validGroups.length;
+
+    String userName;
+    if (groupNum == 0) {
+      userName = admins[index % admins.length];
+    } else {
+      userName = validGroups[groupNum] + (index / validGroups.length);
+    }
+
+    props.setProperty(UserPasswordAuthInit.USER_NAME, userName);
+    props.setProperty(UserPasswordAuthInit.PASSWORD, userName);
+    return props;
+  }
+
+  @Override
+  public Properties getValidCredentials(final Principal principal) {
+    final String userName = principal.getName();
+
+    if (DummyAuthenticator.checkValidName(userName)) {
+      Properties props = new Properties();
+      props.setProperty(UserPasswordAuthInit.USER_NAME, userName);
+      props.setProperty(UserPasswordAuthInit.PASSWORD, userName);
+      return props;
+
+    } else {
+      throw new IllegalArgumentException("Dummy: [" + userName + "] is not a valid user");
+    }
+  }
+
+  @Override
+  public Properties getInvalidCredentials(int index) {
+    Properties props = new Properties();
+    props.setProperty(UserPasswordAuthInit.USER_NAME, "invalid" + index);
+    props.setProperty(UserPasswordAuthInit.PASSWORD, "none");
+    return props;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/generator/LdapUserCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/generator/LdapUserCredentialGenerator.java b/geode-core/src/test/java/org/apache/geode/security/generator/LdapUserCredentialGenerator.java
new file mode 100755
index 0000000..7cde86d
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/generator/LdapUserCredentialGenerator.java
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.generator;
+
+import com.gemstone.gemfire.distributed.internal.DistributionConfig;
+import com.gemstone.gemfire.internal.cache.tier.sockets.HandShake;
+import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.security.templates.LdapUserAuthenticator;
+import com.gemstone.gemfire.security.templates.UserPasswordAuthInit;
+import com.gemstone.gemfire.test.dunit.Assert;
+import com.gemstone.gemfire.util.test.TestUtil;
+import org.apache.logging.log4j.Logger;
+
+import java.security.Principal;
+import java.util.Properties;
+import java.util.Random;
+
+import static com.gemstone.gemfire.distributed.ConfigurationProperties.*;
+
+public class LdapUserCredentialGenerator extends CredentialGenerator {
+
+  private static final Logger logger = LogService.getLogger();
+
+  private static final String USER_PREFIX = "gemfire";
+  private static final Random RANDOM = new Random();
+  private static final String[] CIPHERS = new String[] { "", "DESede", "AES:128", "Blowfish:128" };
+
+  private static boolean enableServerAuthentication = false;
+
+  private boolean serverAuthEnabled = false;
+
+  public LdapUserCredentialGenerator() {
+    // Toggle server authentication enabled for each test
+    // This is done instead of running all the tests with both
+    // server auth enabled/disabled to reduce test run time.
+    enableServerAuthentication = !enableServerAuthentication;
+    this.serverAuthEnabled = enableServerAuthentication;
+  }
+
+  @Override
+  protected Properties initialize() throws IllegalArgumentException {
+    final String ldapServer = System.getProperty("gf.ldap.server", "ldap");
+    final String ldapBaseDN = System.getProperty("gf.ldap.basedn", "ou=ldapTesting,dc=pune,dc=gemstone,dc=com");
+    final String ldapUseSSL = System.getProperty("gf.ldap.usessl");
+
+    final Properties extraProps = new Properties();
+    extraProps.setProperty(LdapUserAuthenticator.LDAP_SERVER_NAME, ldapServer);
+    extraProps.setProperty(LdapUserAuthenticator.LDAP_BASEDN_NAME, ldapBaseDN);
+
+    if (ldapUseSSL != null && ldapUseSSL.length() > 0) {
+      extraProps.setProperty(LdapUserAuthenticator.LDAP_SSL_NAME, ldapUseSSL);
+    }
+
+    if (serverAuthEnabled) {
+      String keyStoreFile = TestUtil.getResourcePath(LdapUserCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/gemfire1.keystore");
+      extraProps.setProperty(HandShake.PRIVATE_KEY_FILE_PROP, keyStoreFile);
+      extraProps.setProperty(HandShake.PRIVATE_KEY_ALIAS_PROP, DistributionConfig.GEMFIRE_PREFIX);
+      extraProps.setProperty(HandShake.PRIVATE_KEY_PASSWD_PROP, "gemfire");
+    }
+
+    Assert.assertNotNull(extraProps.getProperty(LdapUserAuthenticator.LDAP_BASEDN_NAME));
+
+    logger.info("Generating LdapUserCredentialGenerator with {}", extraProps);
+
+    return extraProps;
+  }
+
+  @Override
+  public ClassCode classCode() {
+    return ClassCode.LDAP;
+  }
+
+  @Override
+  public String getAuthInit() {
+    return UserPasswordAuthInit.class.getName() + ".create";
+  }
+
+  @Override
+  public String getAuthenticator() {
+    return LdapUserAuthenticator.class.getName() + ".create";
+  }
+
+  @Override
+  public Properties getValidCredentials(final int index) {
+    final Properties props = new Properties();
+    props.setProperty(UserPasswordAuthInit.USER_NAME, USER_PREFIX + ((index % 10) + 1));
+    props.setProperty(UserPasswordAuthInit.PASSWORD, USER_PREFIX + ((index % 10) + 1));
+    props.setProperty(SECURITY_CLIENT_DHALGO, CIPHERS[RANDOM.nextInt(CIPHERS.length)]);
+
+    if (serverAuthEnabled) {
+      final String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/publickeyfile");
+      props.setProperty(HandShake.PUBLIC_KEY_FILE_PROP, keyStoreFile);
+      props.setProperty(HandShake.PUBLIC_KEY_PASSWD_PROP, "gemfire");
+    }
+
+    return props;
+  }
+
+  @Override
+  public Properties getValidCredentials(final Principal principal) {
+    Properties props = null;
+    final String userName = principal.getName();
+
+    if (userName != null && userName.startsWith(USER_PREFIX)) {
+      boolean isValid;
+
+      try {
+        final int suffix = Integer.parseInt(userName.substring(USER_PREFIX.length()));
+        isValid = (suffix >= 1 && suffix <= 10);
+      } catch (Exception ex) {
+        isValid = false;
+      }
+
+      if (isValid) {
+        props = new Properties();
+        props.setProperty(UserPasswordAuthInit.USER_NAME, userName);
+        props.setProperty(UserPasswordAuthInit.PASSWORD, userName);
+      }
+    }
+
+    if (props == null) {
+      throw new IllegalArgumentException("LDAP: [" + userName + "] not a valid user");
+    }
+
+    props.setProperty(SECURITY_CLIENT_DHALGO, CIPHERS[RANDOM.nextInt(CIPHERS.length)]);
+
+    if (serverAuthEnabled) {
+      final String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/publickeyfile");
+      props.setProperty(HandShake.PUBLIC_KEY_FILE_PROP, keyStoreFile);
+      props.setProperty(HandShake.PUBLIC_KEY_PASSWD_PROP, "gemfire");
+    }
+
+    return props;
+  }
+
+  @Override
+  public Properties getInvalidCredentials(final int index) {
+    final Properties props = new Properties();
+    props.setProperty(UserPasswordAuthInit.USER_NAME, "invalid" + index);
+    props.setProperty(UserPasswordAuthInit.PASSWORD, "none");
+    props.setProperty(SECURITY_CLIENT_DHALGO, CIPHERS[RANDOM.nextInt(CIPHERS.length)]);
+
+    if (serverAuthEnabled) {
+      final String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/publickeyfile");
+      props.setProperty(HandShake.PUBLIC_KEY_FILE_PROP, keyStoreFile);
+      props.setProperty(HandShake.PUBLIC_KEY_PASSWD_PROP, "gemfire");
+    }
+
+    return props;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/generator/PKCSCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/generator/PKCSCredentialGenerator.java b/geode-core/src/test/java/org/apache/geode/security/generator/PKCSCredentialGenerator.java
new file mode 100755
index 0000000..09381b8
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/generator/PKCSCredentialGenerator.java
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.generator;
+
+import java.security.Principal;
+import java.security.Provider;
+import java.security.Security;
+import java.util.Properties;
+
+import com.gemstone.gemfire.security.templates.PKCSAuthInit;
+import com.gemstone.gemfire.security.templates.PKCSAuthenticator;
+import com.gemstone.gemfire.util.test.TestUtil;
+
+public class PKCSCredentialGenerator extends CredentialGenerator {
+
+  public static String keyStoreDir = getKeyStoreDir();
+  public static boolean usesIBMJSSE;
+
+  // Checks if the current JVM uses only IBM JSSE providers.
+  private static boolean usesIBMProviders() {
+    final Provider[] providers = Security.getProviders();
+    for (int index = 0; index < providers.length; ++index) {
+      if (!providers[index].getName().toLowerCase().startsWith("ibm")) {
+        return false;
+      }
+    }
+    return true;
+  }
+
+  private static String getKeyStoreDir() {
+    usesIBMJSSE = usesIBMProviders();
+    if (usesIBMJSSE) {
+      return "/com/gemstone/gemfire/security/generator/keys/ibm";
+    } else {
+      return "/com/gemstone/gemfire/security/generator/keys";
+    }
+  }
+
+  @Override
+  protected Properties initialize() throws IllegalArgumentException {
+    final String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + "/publickeyfile");
+
+    final Properties props = new Properties();
+    props.setProperty(PKCSAuthenticator.PUBLIC_KEY_FILE, keyStoreFile);
+    props.setProperty(PKCSAuthenticator.PUBLIC_KEYSTORE_PASSWORD, "gemfire");
+
+    return props;
+  }
+
+  @Override
+  public ClassCode classCode() {
+    return ClassCode.PKCS;
+  }
+
+  @Override
+  public String getAuthInit() {
+    return PKCSAuthInit.class.getName() + ".create";
+  }
+
+  @Override
+  public String getAuthenticator() {
+    return PKCSAuthenticator.class.getName() + ".create";
+  }
+
+  @Override
+  public Properties getInvalidCredentials(int index) {
+    final String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + "/gemfire11.keystore");
+
+    final Properties props = new Properties();
+    props.setProperty(PKCSAuthInit.KEYSTORE_FILE_PATH, keyStoreFile);
+    props.setProperty(PKCSAuthInit.KEYSTORE_ALIAS, "gemfire11");
+    props.setProperty(PKCSAuthInit.KEYSTORE_PASSWORD, "gemfire");
+
+    return props;
+  }
+
+  @Override
+  public Properties getValidCredentials(int index) {
+    final int aliasnum = (index % 10) + 1;
+    final String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + "/gemfire" + aliasnum + ".keystore");
+
+    final Properties props = new Properties();
+    props.setProperty(PKCSAuthInit.KEYSTORE_FILE_PATH, keyStoreFile);
+    props.setProperty(PKCSAuthInit.KEYSTORE_ALIAS, "gemfire" + aliasnum);
+    props.setProperty(PKCSAuthInit.KEYSTORE_PASSWORD, "gemfire");
+
+    return props;
+  }
+
+  @Override
+  public Properties getValidCredentials(Principal principal) {
+    final String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + principal.getName() + ".keystore");
+
+    final Properties props = new Properties();
+    props.setProperty(PKCSAuthInit.KEYSTORE_FILE_PATH, keyStoreFile);
+    props.setProperty(PKCSAuthInit.KEYSTORE_ALIAS, principal.getName());
+    props.setProperty(PKCSAuthInit.KEYSTORE_PASSWORD, "gemfire");
+
+    return props;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/generator/SSLCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/generator/SSLCredentialGenerator.java b/geode-core/src/test/java/org/apache/geode/security/generator/SSLCredentialGenerator.java
new file mode 100755
index 0000000..6b6e3de
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/generator/SSLCredentialGenerator.java
@@ -0,0 +1,123 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.generator;
+
+import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import org.apache.logging.log4j.Logger;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.Principal;
+import java.util.Properties;
+
+import static com.gemstone.gemfire.distributed.ConfigurationProperties.*;
+
+public class SSLCredentialGenerator extends CredentialGenerator {
+
+  private static final Logger logger = LogService.getLogger();
+
+  @Override
+  protected Properties initialize() throws IllegalArgumentException {
+    this.javaProperties = getValidJavaSSLProperties();
+    return getSSLProperties();
+  }
+
+  @Override
+  public ClassCode classCode() {
+    return ClassCode.SSL;
+  }
+
+  @Override
+  public String getAuthInit() {
+    return null;
+  }
+
+  @Override
+  public String getAuthenticator() {
+    return null;
+  }
+
+  @Override
+  public Properties getValidCredentials(int index) {
+    this.javaProperties = getValidJavaSSLProperties();
+    return getSSLProperties();
+  }
+
+  @Override
+  public Properties getValidCredentials(final Principal principal) {
+    this.javaProperties = getValidJavaSSLProperties();
+    return getSSLProperties();
+  }
+
+  @Override
+  public Properties getInvalidCredentials(final int index) {
+    this.javaProperties = getInvalidJavaSSLProperties();
+    return getSSLProperties();
+  }
+
+  private File findTrustedJKS() {
+    final File ssldir = new File(System.getProperty("JTESTS") + "/ssl");
+    return new File(ssldir, "trusted.keystore");
+  }
+
+  private File findUntrustedJKS() {
+    final File ssldir = new File(System.getProperty("JTESTS") + "/ssl");
+    return new File(ssldir, "untrusted.keystore");
+  }
+
+  private Properties getValidJavaSSLProperties() {
+    final File jks = findTrustedJKS();
+
+    try {
+      final Properties props = new Properties();
+      props.setProperty("javax.net.ssl.trustStore", jks.getCanonicalPath());
+      props.setProperty("javax.net.ssl.trustStorePassword", "password");
+      props.setProperty("javax.net.ssl.keyStore", jks.getCanonicalPath());
+      props.setProperty("javax.net.ssl.keyStorePassword", "password");
+      return props;
+
+    } catch (IOException ex) {
+      throw new AuthenticationFailedException("SSL: Exception while opening the key store: " + ex.getMessage(), ex);
+    }
+  }
+
+  private Properties getInvalidJavaSSLProperties() {
+    final File jks = findUntrustedJKS();
+
+    try {
+      final Properties props = new Properties();
+      props.setProperty("javax.net.ssl.trustStore", jks.getCanonicalPath());
+      props.setProperty("javax.net.ssl.trustStorePassword", "password");
+      props.setProperty("javax.net.ssl.keyStore", jks.getCanonicalPath());
+      props.setProperty("javax.net.ssl.keyStorePassword", "password");
+      return props;
+
+    } catch (IOException ex) {
+      throw new AuthenticationFailedException("SSL: Exception while opening the key store: " + ex.getMessage(), ex);
+    }
+  }
+
+  private Properties getSSLProperties() {
+    Properties props = new Properties();
+    props.setProperty(CLUSTER_SSL_CIPHERS, "true");
+    props.setProperty(CLUSTER_SSL_REQUIRE_AUTHENTICATION, "true");
+    props.setProperty(CLUSTER_SSL_CIPHERS, "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
+    props.setProperty(CLUSTER_SSL_PROTOCOLS, "TLSv1");
+    return props;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/generator/UserPasswordWithExtraPropsAuthInit.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/generator/UserPasswordWithExtraPropsAuthInit.java b/geode-core/src/test/java/org/apache/geode/security/generator/UserPasswordWithExtraPropsAuthInit.java
new file mode 100755
index 0000000..1240533
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/generator/UserPasswordWithExtraPropsAuthInit.java
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.generator;
+
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.distributed.internal.DistributionConfig;
+import com.gemstone.gemfire.security.AuthInitialize;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.templates.UserPasswordAuthInit;
+
+import java.util.Iterator;
+import java.util.Properties;
+
+/**
+ * An {@link AuthInitialize} implementation that obtains the user name and
+ * password as the credentials from the given set of properties. If 
+ * keep-extra-props property exits, it will copy rest of the
+ * properties provided in getCredential props argument will also be 
+ * copied as new credentials.
+ * 
+ * @since GemFire 5.5
+ */
+public class UserPasswordWithExtraPropsAuthInit extends UserPasswordAuthInit {
+
+  public static final String SECURITY_PREFIX = DistributionConfig.SECURITY_PREFIX_NAME;
+  public static final String EXTRA_PROPS = "security-keep-extra-props";
+
+  public static AuthInitialize create() {
+    return new UserPasswordWithExtraPropsAuthInit();
+  }
+
+  public UserPasswordWithExtraPropsAuthInit() {
+    super();
+  }
+
+  @Override
+  public Properties getCredentials(final Properties securityProperties, final DistributedMember server, final boolean isPeer) throws AuthenticationFailedException {
+    final Properties securityPropertiesCopy = super.getCredentials(securityProperties, server, isPeer);
+    final String extraProps = securityProperties.getProperty(EXTRA_PROPS);
+
+    if (extraProps != null) {
+    	for (Iterator it = securityProperties.keySet().iterator(); it.hasNext();) {
+    		final String key = (String) it.next();
+    		if (key.startsWith(SECURITY_PREFIX) &&
+    		    key.equalsIgnoreCase(USER_NAME) == false &&
+    		    key.equalsIgnoreCase(PASSWORD) == false &&
+    		    key.equalsIgnoreCase(EXTRA_PROPS) == false) {
+    			securityPropertiesCopy.setProperty(key, securityProperties.getProperty(key));
+    		}
+    	}
+    	this.securityLogWriter.fine("got everything and now have: " + securityPropertiesCopy.keySet().toString());
+    }
+
+    return securityPropertiesCopy;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/generator/XmlAuthzCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/generator/XmlAuthzCredentialGenerator.java b/geode-core/src/test/java/org/apache/geode/security/generator/XmlAuthzCredentialGenerator.java
new file mode 100755
index 0000000..7dcf5ae
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/generator/XmlAuthzCredentialGenerator.java
@@ -0,0 +1,257 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.generator;
+
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Properties;
+import java.util.Set;
+
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.security.templates.UsernamePrincipal;
+import com.gemstone.gemfire.security.templates.XmlAuthorization;
+import com.gemstone.gemfire.util.test.TestUtil;
+
+public class XmlAuthzCredentialGenerator extends AuthzCredentialGenerator {
+
+  private static final String dummyXml = "authz-dummy.xml";
+  private static final String ldapXml = "authz-ldap.xml";
+  private static final String pkcsXml = "authz-pkcs.xml";
+  private static final String sslXml = "authz-ssl.xml";
+
+  private static final String[] QUERY_REGIONS = { "/Portfolios", "/Positions", "/AuthRegion" };
+
+  public static OperationCode[] READER_OPS = {
+      OperationCode.GET,
+      OperationCode.REGISTER_INTEREST,
+      OperationCode.UNREGISTER_INTEREST,
+      OperationCode.KEY_SET,
+      OperationCode.CONTAINS_KEY,
+      OperationCode.EXECUTE_FUNCTION };
+
+  public static OperationCode[] WRITER_OPS = {
+      OperationCode.PUT,
+      OperationCode.DESTROY,
+      OperationCode.INVALIDATE,
+      OperationCode.REGION_CLEAR };
+
+  public static OperationCode[] QUERY_OPS = {
+      OperationCode.QUERY,
+      OperationCode.EXECUTE_CQ,
+      OperationCode.STOP_CQ,
+      OperationCode.CLOSE_CQ };
+
+  private static final byte READER_ROLE = 1;
+  private static final byte WRITER_ROLE = 2;
+  private static final byte QUERY_ROLE = 3;
+  private static final byte ADMIN_ROLE = 4;
+
+  private static Set readerOpsSet;
+  private static Set writerOpsSet;
+  private static Set queryOpsSet;
+  private static Set queryRegionSet;
+
+  static {
+    readerOpsSet = new HashSet();
+    for (int index = 0; index < READER_OPS.length; index++) {
+      readerOpsSet.add(READER_OPS[index]);
+    }
+
+    writerOpsSet = new HashSet();
+    for (int index = 0; index < WRITER_OPS.length; index++) {
+      writerOpsSet.add(WRITER_OPS[index]);
+    }
+
+    queryOpsSet = new HashSet();
+    for (int index = 0; index < QUERY_OPS.length; index++) {
+      queryOpsSet.add(QUERY_OPS[index]);
+    }
+
+    queryRegionSet = new HashSet();
+    for (int index = 0; index < QUERY_REGIONS.length; index++) {
+      queryRegionSet.add(QUERY_REGIONS[index]);
+    }
+  }
+
+  @Override
+  protected Properties init() throws IllegalArgumentException {
+    final Properties sysProps = new Properties();
+    final String dirName = "/com/gemstone/gemfire/security/generator/";
+
+    if (this.generator.classCode().isDummy()) {
+      final String xmlFilename = TestUtil.getResourcePath(XmlAuthzCredentialGenerator.class, dirName + dummyXml);
+      sysProps.setProperty(XmlAuthorization.DOC_URI_PROP_NAME, xmlFilename);
+
+    } else if (this.generator.classCode().isLDAP()) {
+      final String xmlFilename = TestUtil.getResourcePath(XmlAuthzCredentialGenerator.class, dirName + ldapXml);
+      sysProps.setProperty(XmlAuthorization.DOC_URI_PROP_NAME, xmlFilename);
+
+      // } else if (this.generator.classCode().isPKCS()) {
+      //   sysProps.setProperty(XmlAuthorization.DOC_URI_PROP_NAME, dirName + pkcsXml);
+      // }
+      // } else if (this.generator.classCode().isSSL()) {
+      //   sysProps.setProperty(XmlAuthorization.DOC_URI_PROP_NAME, dirName + sslXml);
+      // }
+
+    } else {
+      throw new IllegalArgumentException("No XML defined for XmlAuthorization module to work with " + this.generator.getAuthenticator());
+    }
+    return sysProps;
+  }
+
+  @Override
+  public ClassCode classCode() {
+    return ClassCode.XML;
+  }
+
+  @Override
+  public String getAuthorizationCallback() {
+    return XmlAuthorization.class.getName() + ".create";
+  }
+
+  private Principal getDummyPrincipal(final byte roleType, final int index) {
+    final String[] admins = new String[] { "root", "admin", "administrator" };
+    final int numReaders = 3;
+    final int numWriters = 3;
+
+    switch (roleType) {
+      case READER_ROLE:
+        return new UsernamePrincipal("reader" + (index % numReaders));
+      case WRITER_ROLE:
+        return new UsernamePrincipal("writer" + (index % numWriters));
+      case QUERY_ROLE:
+        return new UsernamePrincipal("reader" + ((index % 2) + 3));
+      default:
+        return new UsernamePrincipal(admins[index % admins.length]);
+    }
+  }
+
+  @Override
+  protected Principal getAllowedPrincipal(final OperationCode[] opCodes, final String[] regionNames, final int index) {
+    if (this.generator.classCode().isDummy()) {
+      final byte roleType = getRequiredRole(opCodes, regionNames);
+      return getDummyPrincipal(roleType, index);
+
+    } else if (this.generator.classCode().isLDAP()) {
+      final byte roleType = getRequiredRole(opCodes, regionNames);
+      return getLdapPrincipal(roleType, index);
+    }
+
+    return null;
+  }
+
+  @Override
+  protected Principal getDisallowedPrincipal(final OperationCode[] opCodes, final String[] regionNames, final int index) {
+    final byte roleType = getRequiredRole(opCodes, regionNames);
+
+    byte disallowedRoleType = READER_ROLE;
+    switch (roleType) {
+      case READER_ROLE:
+        disallowedRoleType = WRITER_ROLE;
+        break;
+      case WRITER_ROLE:
+        disallowedRoleType = READER_ROLE;
+        break;
+      case QUERY_ROLE:
+        disallowedRoleType = READER_ROLE;
+        break;
+      case ADMIN_ROLE:
+        disallowedRoleType = READER_ROLE;
+        break;
+    }
+
+    if (this.generator.classCode().isDummy()) {
+      return getDummyPrincipal(disallowedRoleType, index);
+
+    } else if (this.generator.classCode().isLDAP()) {
+      return getLdapPrincipal(disallowedRoleType, index);
+    }
+
+    return null;
+  }
+
+  @Override
+  protected int getNumPrincipalTries(final OperationCode[] opCodes, final String[] regionNames) {
+    return 5;
+  }
+
+  private Principal getLdapPrincipal(final byte roleType, final int index) {
+    final String userPrefix = "gemfire";
+    final int[] readerIndices = { 3, 4, 5 };
+    final int[] writerIndices = { 6, 7, 8 };
+    final int[] queryIndices = { 9, 10 };
+    final int[] adminIndices = { 1, 2 };
+
+    switch (roleType) {
+      case READER_ROLE:
+        int readerIndex = readerIndices[index % readerIndices.length];
+        return new UsernamePrincipal(userPrefix + readerIndex);
+      case WRITER_ROLE:
+        int writerIndex = writerIndices[index % writerIndices.length];
+        return new UsernamePrincipal(userPrefix + writerIndex);
+      case QUERY_ROLE:
+        int queryIndex = queryIndices[index % queryIndices.length];
+        return new UsernamePrincipal(userPrefix + queryIndex);
+      default:
+        int adminIndex = adminIndices[index % adminIndices.length];
+        return new UsernamePrincipal(userPrefix + adminIndex);
+    }
+  }
+
+  private byte getRequiredRole(final OperationCode[] opCodes, final String[] regionNames) {
+    byte roleType = ADMIN_ROLE;
+    boolean requiresReader = true;
+    boolean requiresWriter = true;
+    boolean requiresQuery = true;
+
+    for (int opNum = 0; opNum < opCodes.length; opNum++) {
+      final OperationCode opCode = opCodes[opNum];
+      if (requiresReader && !readerOpsSet.contains(opCode)) {
+        requiresReader = false;
+      }
+      if (requiresWriter && !writerOpsSet.contains(opCode)) {
+        requiresWriter = false;
+      }
+      if (requiresQuery && !queryOpsSet.contains(opCode)) {
+        requiresQuery = false;
+      }
+    }
+
+    if (requiresReader) {
+      roleType = READER_ROLE;
+
+    } else if (requiresWriter) {
+      roleType = WRITER_ROLE;
+
+    } else if (requiresQuery) {
+      if (regionNames != null && regionNames.length > 0) {
+        for (int index = 0; index < regionNames.length; index++) {
+          final String regionName = XmlAuthorization.normalizeRegionName(regionNames[index]);
+          if (requiresQuery && !queryRegionSet.contains(regionName)) {
+            requiresQuery = false;
+            break;
+          }
+        }
+        if (requiresQuery) {
+          roleType = QUERY_ROLE;
+        }
+      }
+    }
+
+    return roleType;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/templates/DummyAuthenticator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/templates/DummyAuthenticator.java b/geode-core/src/test/java/org/apache/geode/security/templates/DummyAuthenticator.java
new file mode 100755
index 0000000..f086b67
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/templates/DummyAuthenticator.java
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import java.security.Principal;
+import java.util.Properties;
+
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.Authenticator;
+
+/**
+ * A dummy implementation of the {@link Authenticator} interface that expects a
+ * user name and password allowing authentication depending on the format of the
+ * user name.
+ *
+ * @since GemFire 5.5
+ */
+public class DummyAuthenticator implements Authenticator {
+
+  public static Authenticator create() {
+    return new DummyAuthenticator();
+  }
+
+  public static boolean checkValidName(final String userName) {
+    return userName.startsWith("user") ||
+           userName.startsWith("reader") ||
+           userName.startsWith("writer") ||
+           userName.equals("admin") ||
+           userName.equals("root") ||
+           userName.equals("administrator");
+  }
+
+  @Override
+  public void init(final Properties securityProperties, final LogWriter systemLogWriter, final LogWriter securityLogWriter) throws AuthenticationFailedException {
+  }
+
+  @Override
+  public Principal authenticate(final Properties credentials, final DistributedMember member) throws AuthenticationFailedException {
+    final String userName = credentials.getProperty(UserPasswordAuthInit.USER_NAME);
+    if (userName == null) {
+      throw new AuthenticationFailedException("DummyAuthenticator: user name property [" + UserPasswordAuthInit.USER_NAME + "] not provided");
+    }
+
+    final String password = credentials.getProperty(UserPasswordAuthInit.PASSWORD);
+    if (password == null) {
+      throw new AuthenticationFailedException( "DummyAuthenticator: password property [" + UserPasswordAuthInit.PASSWORD + "] not provided");
+    }
+
+    if (userName.equals(password) && checkValidName(userName)) {
+      return new UsernamePrincipal(userName);
+    } else {
+      throw new AuthenticationFailedException("DummyAuthenticator: Invalid user name [" + userName + "], password supplied.");
+    }
+  }
+
+  @Override
+  public void close() {
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/templates/DummyAuthorization.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/templates/DummyAuthorization.java b/geode-core/src/test/java/org/apache/geode/security/templates/DummyAuthorization.java
new file mode 100755
index 0000000..df08676
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/templates/DummyAuthorization.java
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Set;
+
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.cache.Cache;
+import com.gemstone.gemfire.cache.operations.OperationContext;
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.security.AccessControl;
+import com.gemstone.gemfire.security.NotAuthorizedException;
+
+/**
+ * A dummy implementation of the {@code AccessControl} interface that
+ * allows authorization depending on the format of the {@code Principal}
+ * string.
+ * 
+ * @since GemFire 5.5
+ */
+public class DummyAuthorization implements AccessControl {
+
+  private Set allowedOps;
+  private DistributedMember remoteMember;
+  private LogWriter securityLogWriter;
+
+  public static final OperationCode[] READER_OPS = {
+      OperationCode.GET,
+      OperationCode.QUERY,
+      OperationCode.EXECUTE_CQ,
+      OperationCode.CLOSE_CQ,
+      OperationCode.STOP_CQ,
+      OperationCode.REGISTER_INTEREST,
+      OperationCode.UNREGISTER_INTEREST,
+      OperationCode.KEY_SET,
+      OperationCode.CONTAINS_KEY,
+      OperationCode.EXECUTE_FUNCTION };
+
+  public static final OperationCode[] WRITER_OPS = {
+      OperationCode.PUT,
+      OperationCode.PUTALL,
+      OperationCode.DESTROY,
+      OperationCode.INVALIDATE,
+      OperationCode.REGION_CLEAR };
+
+  public static AccessControl create() {
+    return new DummyAuthorization();
+  }
+
+  public DummyAuthorization() {
+    this.allowedOps = new HashSet(20);
+  }
+
+  @Override
+  public void init(final Principal principal, final DistributedMember remoteMember, final Cache cache) throws NotAuthorizedException {
+    if (principal != null) {
+
+      final String name = principal.getName().toLowerCase();
+
+      if (name != null) {
+
+        if (name.equals("root") || name.equals("admin") || name.equals("administrator")) {
+          addReaderOps();
+          addWriterOps();
+          this.allowedOps.add(OperationCode.REGION_CREATE);
+          this.allowedOps.add(OperationCode.REGION_DESTROY);
+
+        } else if (name.startsWith("writer")) {
+          addWriterOps();
+
+        } else if (name.startsWith("reader")) {
+          addReaderOps();
+        }
+
+      }
+    }
+
+    this.remoteMember = remoteMember;
+    this.securityLogWriter = cache.getSecurityLogger();
+  }
+
+  @Override
+  public boolean authorizeOperation(String regionName, OperationContext context) {
+    final OperationCode opCode = context.getOperationCode();
+    this.securityLogWriter.fine("Invoked authorize operation for [" + opCode + "] in region [" + regionName + "] for client: " + remoteMember);
+    return this.allowedOps.contains(opCode);
+  }
+
+  @Override
+  public void close() {
+    this.allowedOps.clear();
+  }
+
+  private void addReaderOps() {
+    for (int index = 0; index < READER_OPS.length; index++) {
+      this.allowedOps.add(READER_OPS[index]);
+    }
+  }
+
+  private void addWriterOps() {
+    for (int index = 0; index < WRITER_OPS.length; index++) {
+      this.allowedOps.add(WRITER_OPS[index]);
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/templates/FunctionSecurityPrmsHolder.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/templates/FunctionSecurityPrmsHolder.java b/geode-core/src/test/java/org/apache/geode/security/templates/FunctionSecurityPrmsHolder.java
new file mode 100755
index 0000000..275a4ad
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/templates/FunctionSecurityPrmsHolder.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import java.util.Set;
+
+/**
+ * This is a sample class for objects which hold information of the authorized
+ * function names and authorized value for the {@code optimizeForWrite}.
+ * 
+ * @since GemFire 6.0
+ */
+public class FunctionSecurityPrmsHolder {
+
+  private final Boolean optimizeForWrite;
+  private final Set<String> functionIds;
+  private final Set<String> keySet;
+
+  public FunctionSecurityPrmsHolder(final Boolean optimizeForWrite, final Set<String> functionIds, final Set<String> keySet) {
+    this.optimizeForWrite = optimizeForWrite;
+    this.functionIds = functionIds;
+    this.keySet = keySet;
+  }
+
+  public Boolean isOptimizeForWrite() {
+    return this.optimizeForWrite;
+  }
+
+  public Set<String> getFunctionIds() {
+    return this.functionIds;
+  }
+
+  public Set<String> getKeySet() {
+    return this.keySet;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/templates/LdapUserAuthenticator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/templates/LdapUserAuthenticator.java b/geode-core/src/test/java/org/apache/geode/security/templates/LdapUserAuthenticator.java
new file mode 100755
index 0000000..a9e875e
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/templates/LdapUserAuthenticator.java
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import java.security.Principal;
+import java.util.Properties;
+import javax.naming.Context;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+
+import org.apache.logging.log4j.Logger;
+
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.Authenticator;
+
+/**
+ * An implementation of {@link Authenticator} that uses LDAP.
+ *
+ * @since GemFire 5.5
+ */
+public class LdapUserAuthenticator implements Authenticator {
+
+  private static final Logger logger = LogService.getLogger();
+
+  public static final String LDAP_SERVER_NAME = "security-ldap-server";
+  public static final String LDAP_BASEDN_NAME = "security-ldap-basedn";
+  public static final String LDAP_SSL_NAME = "security-ldap-usessl";
+
+  private String ldapServer = null;
+  private String baseDomainName = null;
+  private String ldapUrlScheme = null;
+
+  public static Authenticator create() {
+    return new LdapUserAuthenticator();
+  }
+
+  @Override
+  public void init(final Properties securityProps, final LogWriter systemLogWriter, final LogWriter securityLogWriter) throws AuthenticationFailedException {
+    logger.info("Initializing LdapUserAuthenticator with {}", securityProps);
+
+    this.ldapServer = securityProps.getProperty(LDAP_SERVER_NAME);
+    if (this.ldapServer == null || this.ldapServer.length() == 0) {
+      throw new AuthenticationFailedException("LdapUserAuthenticator: LDAP server property [" + LDAP_SERVER_NAME + "] not specified");
+    }
+
+    this.baseDomainName = securityProps.getProperty(LDAP_BASEDN_NAME);
+    if (this.baseDomainName == null || this.baseDomainName.length() == 0) {
+      throw new AuthenticationFailedException("LdapUserAuthenticator: LDAP base DN property [" + LDAP_BASEDN_NAME + "] not specified");
+    }
+
+    final String sslName = securityProps.getProperty(LDAP_SSL_NAME);
+    if (sslName != null && sslName.toLowerCase().equals("true")) {
+      this.ldapUrlScheme = "ldaps://";
+    } else {
+      this.ldapUrlScheme = "ldap://";
+    }
+  }
+
+  @Override
+  public Principal authenticate(final Properties credentials, final DistributedMember member) {
+    final String userName = credentials.getProperty(UserPasswordAuthInit.USER_NAME);
+    if (userName == null) {
+      throw new AuthenticationFailedException("LdapUserAuthenticator: user name property [" + UserPasswordAuthInit.USER_NAME + "] not provided");
+    }
+
+    String password = credentials.getProperty(UserPasswordAuthInit.PASSWORD);
+    if (password == null) {
+      password = "";
+    }
+
+    final Properties env = new Properties();
+    env.put(Context.INITIAL_CONTEXT_FACTORY, com.sun.jndi.ldap.LdapCtxFactory.class.getName());
+    env.put(Context.PROVIDER_URL, this.ldapUrlScheme + this.ldapServer + '/' + this.baseDomainName);
+    env.put(Context.SECURITY_PRINCIPAL, "uid=" + userName + "," + this.baseDomainName);
+    env.put(Context.SECURITY_CREDENTIALS, password);
+
+    try {
+      final DirContext ctx = new InitialDirContext(env);
+      ctx.close();
+    } catch (Exception e) {
+      throw new AuthenticationFailedException("LdapUserAuthenticator: Failure with provided username, password combination for user name: " + userName, e);
+    }
+
+    return new UsernamePrincipal(userName);
+  }
+
+  @Override
+  public void close() {
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/templates/PKCSAuthInit.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/templates/PKCSAuthInit.java b/geode-core/src/test/java/org/apache/geode/security/templates/PKCSAuthInit.java
new file mode 100755
index 0000000..f58d305
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/templates/PKCSAuthInit.java
@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import java.io.FileInputStream;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.Signature;
+import java.security.cert.X509Certificate;
+import java.util.Properties;
+
+import org.apache.logging.log4j.Logger;
+
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.internal.logging.LogService;
+import com.gemstone.gemfire.security.AuthInitialize;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+
+/**
+ * An {@link AuthInitialize} implementation that obtains the digital signature
+ * for use with PKCS scheme on server from the given set of properties.
+ * 
+ * To use this class the {@code security-client-auth-init} property should be
+ * set to the fully qualified name the static {@code create} function
+ * viz. {@code com.gemstone.gemfire.security.templates.PKCSAuthInit.create}
+ * 
+ * @since GemFire 5.5
+ */
+public class PKCSAuthInit implements AuthInitialize {
+
+  private static final Logger logger = LogService.getLogger();
+
+  public static final String KEYSTORE_FILE_PATH = "security-keystorepath";
+  public static final String KEYSTORE_ALIAS = "security-alias";
+  public static final String KEYSTORE_PASSWORD = "security-keystorepass";
+  public static final String SIGNATURE_DATA = "security-signature";
+
+  protected LogWriter systemLogWriter;
+  protected LogWriter securityLogWriter;
+
+  public static AuthInitialize create() {
+    return new PKCSAuthInit();
+  }
+
+  @Override
+  public void init(final LogWriter systemLogWriter, final LogWriter securityLogWriter) throws AuthenticationFailedException {
+    this.systemLogWriter = systemLogWriter;
+    this.securityLogWriter = securityLogWriter;
+  }
+
+  @Override
+  public Properties getCredentials(final Properties securityProperties, final DistributedMember server, final boolean isPeer) throws AuthenticationFailedException {
+    final String keyStorePath = securityProperties.getProperty(KEYSTORE_FILE_PATH);
+    if (keyStorePath == null) {
+      throw new AuthenticationFailedException("PKCSAuthInit: key-store file path property [" + KEYSTORE_FILE_PATH + "] not set.");
+    }
+
+    final String alias = securityProperties.getProperty(KEYSTORE_ALIAS);
+    if (alias == null) {
+      throw new AuthenticationFailedException("PKCSAuthInit: key alias name property [" + KEYSTORE_ALIAS + "] not set.");
+    }
+
+    final String keyStorePass = securityProperties.getProperty(KEYSTORE_PASSWORD);
+
+    try {
+      final KeyStore ks = KeyStore.getInstance("PKCS12");
+      final char[] passPhrase = (keyStorePass != null ? keyStorePass.toCharArray() : null);
+      final FileInputStream certificatefile = new FileInputStream(keyStorePath);
+
+      try {
+        ks.load(certificatefile, passPhrase);
+      } finally {
+        certificatefile.close();
+      }
+
+      final Key key = ks.getKey(alias, passPhrase);
+
+      if (key instanceof PrivateKey) {
+        final PrivateKey privKey = (PrivateKey)key;
+        final X509Certificate cert = (X509Certificate)ks.getCertificate(alias);
+        final Signature sig = Signature.getInstance(cert.getSigAlgName());
+
+        sig.initSign(privKey);
+        sig.update(alias.getBytes("UTF-8"));
+        final byte[] signatureBytes = sig.sign();
+
+        final Properties newprops = new Properties();
+        newprops.put(KEYSTORE_ALIAS, alias);
+        newprops.put(SIGNATURE_DATA, signatureBytes);
+        return newprops;
+
+      } else {
+        throw new AuthenticationFailedException("PKCSAuthInit: " + "Failed to load private key from the given file: " + keyStorePath);
+      }
+
+    } catch (Exception ex) {
+      throw new AuthenticationFailedException("PKCSAuthInit: Exception while getting credentials: " + ex, ex);
+    }
+  }
+
+  @Override
+  public void close() {
+  }
+}



Mime
View raw message